kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-03-29 04:23:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
computer-playbook/roles/docker-nextcloud/IAM.md

2.2 KiB
Raw Blame History

Identity and Access Management

IAM(Identity and Access Management) is setup via Keycloak and LDAP.

OpenID Connect (OIDC) Support 🔐

OIDC is supported in this role—for example, via Keycloak. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.

Verify OIDC Configuration

docker compose exec -u www-data application /var/www/html/occ config:app:get sociallogin custom_providers

LDAP

More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html

Get LDAP Configuration

docker compose exec -u www-data application php occ ldap:show-config

Get all relevant entries except password

SELECT * FROM `oc_appconfig` WHERE appid LIKE "%ldap%" and configkey != "s01ldap_agent_password";

Update User with LDAP values

docker compose exec -it -u www-data application php occ ldap:check-user --update {{username}}

Update LDAP Sync

docker compose exec -u www-data application php occ user:sync-account-data

Update Each User

If you want to update every LDAP user, run:

for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
    docker compose exec -u www-data application php occ ldap:check-user --update "$user"
done

Unlink All

for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
    echo "Unlinking user from LDAP: $user"
    echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done

Reset LDAP Links for Orphaned Users

Run this corrected script:

for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
    echo "Resetting LDAP link for user: $user"
    echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done

Federation

If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid.