Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions modules/admin_manual/pages/configuration/envvars/envvars.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,10 @@
Override the desktop client download URL shown in the first-run wizard (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-firstrunwizard[documentation]).
- `OWNCLOUD_CUSTOMCLIENT_IOS=` +
Override the iOS client download URL shown in the first-run wizard (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-firstrunwizard[documentation]).
- `OWNCLOUD_CUSTOMGROUPS_DISALLOWED_GROUPS=` +
Groups whose members have the Custom Groups app hidden from their personal settings. Comma-separated list of group names (see xref:configuration/user/custom_groups_app.adoc#overriding-default-behavior[documentation]).
- `OWNCLOUD_CUSTOMGROUPS_DISALLOW_ADMIN_ACCESS_ALL=` +
When set to `true`, ownCloud admins are denied access to custom groups they are not a member of (see xref:configuration/user/custom_groups_app.adoc#overriding-default-behavior[documentation]).
- `OWNCLOUD_DAV_CHUNK_BASE_DIR=` +
Define the DAV chunk base directory (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-dav-chunk-base-directory[documentation]).
- `OWNCLOUD_DAV_ENABLE_ASYNC=` +
Expand Down Expand Up @@ -164,6 +168,8 @@
ownCloud Enterprise License Key (see xref:installation/installing_with_docker.adoc#enterprise-license-keys[documentation]).
- `OWNCLOUD_LOGIN_ALTERNATIVES=` +
Define additional login buttons on the logon screen (see xref:configuration/server/config_sample_php_parameters.adoc#define-additional-login-buttons-on-the-logon-screen[documentation]).
- `OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAP=` +
Group login policy rules as a JSON-encoded map keyed by login type (e.g. `password`, `token`), each holding `allowOnly`/`reject` lists of group names, e.g. `{"password":{"reject":["admin"]}}`. Requires the group login policy in `OWNCLOUD_LOGIN_POLICY_ORDER` (see xref:configuration/user/login_policies.adoc[documentation]).
- `OWNCLOUD_LOGIN_POLICY_ORDER=` +
Ordered list of login policy class names. Comma-separated (see xref:configuration/server/config_sample_php_parameters.adoc#order-of-login-policies[documentation]).
- `OWNCLOUD_LOG_CONDITIONS=` +
Expand Down Expand Up @@ -220,6 +226,8 @@
Define connection options for memcached (see xref:configuration/server/config_sample_php_parameters.adoc#define-connection-options-for-memcached[documentation]).
- `OWNCLOUD_MEMCACHED_PORT=11211` +
Defines the ports for memcached (see xref:configuration/server/config_sample_php_parameters.adoc#define-server-details-for-memcached-servers-to-use-for-memory-caching[documentation]).
- `OWNCLOUD_MEMCACHED_SERVERS=` +
Define multiple memcached servers as a JSON-encoded list of `[host, port]` or `[host, port, weight]` tuples, e.g. `[["mem1",11211,33],["mem2",11211]]`. Overrides the single-server `OWNCLOUD_MEMCACHED_HOST`/`OWNCLOUD_MEMCACHED_PORT` pair when set (see xref:configuration/server/config_sample_php_parameters.adoc#define-server-details-for-memcached-servers-to-use-for-memory-caching[documentation]).
- `OWNCLOUD_MEMCACHED_STARTUP_TIMEOUT=180` +
Time to wait for a successful connection to the memcached service on container startup.
- `OWNCLOUD_MEMCACHE_LOCAL=${OWNCLOUD_CACHING_CLASS:-\\OC\\Memcache\\APCu}` +
Expand Down Expand Up @@ -266,6 +274,8 @@
Maximum number of concurrent UploadPart operations allowed during the multipart upload (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]).
- `OWNCLOUD_OBJECTSTORE_AVAILABLE_STORAGE=` +
Indicates available storage size in the objectstore in bytes (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]).
- `OWNCLOUD_OPENID_CONNECT=` +
OpenID Connect (`openid-connect`) app configuration as a JSON-encoded object, e.g. `{"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"}`. Supports the full nested structure (`provider-params`, `auto-provision`, ...) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[documentation]).
- `OWNCLOUD_OPENSSL_CONFIG=` +
Path to a custom `openssl.cnf` file, e.g. when using a custom PKI or CA in the container (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-default-cipher-for-encrypting-files[documentation]).
- `OWNCLOUD_OPERATION_MODE=` +
Expand Down Expand Up @@ -442,6 +452,8 @@
Define whether or not to enable automatic update of market apps (see xref:configuration/server/config_sample_php_parameters.adoc#define-whether-or-not-to-enable-automatic-update-of-market-apps[documentation]).
- `OWNCLOUD_USE_RELATIVE_DOMAIN_NAME=` +
Use only the short hostname (no FQDN) in `status.php` (see xref:configuration/server/config_sample_php_parameters.adoc#show-or-hide-the-server-hostname-in-status-php[documentation]).
- `OWNCLOUD_USER_BACKENDS=` +
External user authentication backends as a JSON-encoded list of `{"class":..., "arguments":[...]}` objects (provided by the `user_external` app), e.g. `[{"class":"OC_User_IMAP","arguments":["{imap.example.com:993/imap/ssl}"]}]` (see xref:configuration/user/user_auth_ftp_smb_imap.adoc[documentation]).
- `OWNCLOUD_USER_LDAP_ENABLE_MEDIAL_SEARCH=` +
Enable medial search in the LDAP user backend (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-ldap[documentation]).
- `OWNCLOUD_USER_SEARCH_MIN_LENGTH=` +
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ CAUTION: ownCloud provides many configuration options for Redis, including enhan

=== Memcached Configuration

If you select Memcached, you must enable it via environment variables. The example value for the host setting assumes that you have used the ownCloud Docker Compose deployment example. Adapt this value for your setup.
If you select Memcached, you must enable it via environment variables. The example value for the host setting assumes that you have used the ownCloud Docker Compose deployment example. Adapt the values for your setup. Note that this example assumes you only have one Memcached server:

[source,.env]
----
Expand All @@ -178,14 +178,14 @@ OWNCLOUD_MEMCACHED_HOST=memcached
OWNCLOUD_MEMCACHED_PORT=11211
----

////
[NOTE]
====
If you are using multiple memcached servers, omit `OWNCLOUD_MEMCACHED_PORT` and use the following notation:
If you need to configure multiple Memcached servers, use the following example. Compared to the above example, you need to configure a tuple in the following format for each server `[host, port, weight]`, where weight is optional:

`OWNCLOUD_MEMCACHED_HOST="'host_1',port_1,'host_2',port_2"`
====
////
[source,.env]
----
OWNCLOUD_MEMCACHED_SERVERS=[["memcached_1",11211,33],["memcached_2",11211,34]]
----

NOTE: Only one of the two configuration options must be used.

Additional memcached options can be set with the environment variable `OWNCLOUD_MEMCACHED_OPTIONS`.

Expand Down
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
= Custom Groups App
:toc: right

:toclevels: 3
:description: With Custom Groups, users are able to define their own groups and manage contributing users themselves.

== Introduction

{description} When the xref:configuration/user/guests_app.adoc[Guest App] has been enabled, you can also add external guests to custom groups.

== Installation
== Enable the App

Enable the `Custom Groups` app if not already done so. The Custom Groups app requires the email settings to be configured in your ownCloud setup, because you need to be able to invite the group members by email.
If not already done so, enable the `Custom Groups` app. This app requires you to configure the email settings in your ownCloud setup because you need to be able to invite group members by email.

== Configuration

Expand All @@ -29,21 +29,18 @@ Depending on your custom groups and ownCloud's global settings, configured by th

* Disable administration of custom groups by ownCloud administrators:
+
[source,php]
[source,.env]
----
'customgroups.disallow-admin-access-all' => true,
OWNCLOUD_CUSTOMGROUPS_DISALLOW_ADMIN_ACCESS_ALL=true
----

==== Hide Custom Groups App Based on Group Membership

The app can be hidden from a user's personal settings page if the user belongs to one or more disallowed groups.
To specify the disallowed groups, list them against the `customgroups.disallowed-groups` key in `config/config.php` as in the following example.
If the user belongs to one or more disallowed groups, the app can be hidden from their personal settings page. The disallowed groups can be specified by listing them against the `OWNCLOUD_CUSTOMGROUPS_DISALLOWED_GROUPS` environment variable, as shown in the following example, which hides the Custom Groups app for users in the groups `'no_guest_app_users'` and `'project5'`:

[source,php]
[source,.env]
----
// Hide the Custom Groups app for users in the
// 'no_guest_app_users' and 'project5' group.
'customgroups.disallowed-groups' => ['no_guest_app_users', 'project5'],
OWNCLOUD_CUSTOMGROUPS_DISALLOWED_GROUPS='no_guest_app_users','project5'

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Format consistency: this example uses OWNCLOUD_CUSTOMGROUPS_DISALLOWED_GROUPS='no_guest_app_users','project5' (single-quoted, comma-separated), while the corresponding envvars.adoc entry describes it as a plain "comma-separated list of group names" and the other new multi-value envvars in this PR use JSON arrays. Can you confirm the container actually expects this quoted-CSV form (and not e.g. no_guest_app_users,project5 or a JSON array)? The three formats introduced across this PR (JSON arrays, quoted CSV, plain CSV) should each match what the entrypoint parses.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Intentionally, a reminder to the admin to avoid parsing special characters wrong

----

==== Set Custom Group Admins
Expand Down
34 changes: 11 additions & 23 deletions modules/admin_manual/pages/configuration/user/login_policies.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,6 @@

Login policies will emit a `failed login` event if the user isn't allowed to log in.

// if there will be no one envvar for loginPolicy.groupLoginPolicy.forbidMap , we need to add: include::partial$manual_config_file.adoc[]

== Use Cases

Login policies can be used to restrict members of particular groups to use only particular login types. This is especially true for guest users as they do not have an ownCloud account and cannot be validated via OpenID Connect but can log in using their email and password.
Expand All @@ -30,16 +28,13 @@ To enable login policies, use the following example. Multiple values are comma s
OWNCLOUD_LOGIN_POLICY_ORDER='OC\Authentication\LoginPolicies\GroupLoginPolicy'
----

After enabling the `loginPolicy.order`, the configuration of the `groupLoginPolicy` can be made. The key definition below must be set according to the needs and the description in xref:configuration/server/config_sample_php_parameters.adoc#configuration-of-the-group-login-policy[Configuration of the Group Login Policy]:
After enabling the `loginPolicy.order`, the configuration of the `groupLoginPolicy` can be made. The value definition below must be set according to the needs and the description in xref:configuration/server/config_sample_php_parameters.adoc#configuration-of-the-group-login-policy[Configuration of the Group Login Policy].

Here is a template how the scheme looks like:

[source,php]
[source,.env]
----
'loginPolicy.groupLoginPolicy.forbidMap' => [
'<loginType>' => [
'allowOnly' => ['<group1>', ......, '<groupN>'],
'reject' => ['<group1>', ........, '<groupN>'],
],
],
OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAP={"<loginType>":{"allowOnly|reject":["<group1>","<group2>"]}}
----

The following example gives an idea of how to configure the `Group Login Policy`:
Expand All @@ -49,18 +44,11 @@ The following example gives an idea of how to configure the `Group Login Policy`
* If a user is a member of both an allowOnly group and a reject group, rejection will take priority. This means that even if user1 is a member of group1 he won't be able to access if he's also a member of group3.
* Only members of group4 can log in using OIDC.

[source,php]
[source,.env]
----
loginPolicy.groupLoginPolicy.forbidMap => [
'password' => [
'allowOnly' => ['group1, group2'],
'reject' => ['group3'],
],
'token' => [
'reject' => ['admin'],
],
'OCA\OpenIdConnect\OpenIdConnectAuthModule' => [
'allowOnly' => ['group4'],
],
]
OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAP={\
"password":{"allowOnly":["group1","group2"],"reject":["group3"]},\
"token":{"reject":["admin"]},\
"OCA\OpenIdConnect\OpenIdConnectAuthModule":{"allowOnly":["group4"]}\
}
----
Original file line number Diff line number Diff line change
Expand Up @@ -45,9 +45,16 @@ TIP: It is recommended to first figure out all configurations on a test system a

Follow this link to read more about the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic.

==== Example config.php
==== Example Setup

An example snippet that can be added to `config.php` is shown below.
The example snippet below can be added to the environment variables. Both environment variables listed below need to be added.

The following environment variable is used as template. It must be adapted according to the classic key scheme shown one step below.

[source,.env]
----
OWNCLOUD_OPENID_CONNECT={"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"}
----

[source,php]
----
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -98,9 +98,9 @@ TIP: It is recommended to first figure out all configurations on a test system a
Follow this link to read more about the
xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic.

==== Example config.php Setup
==== Example Setup

An example snippet that can be added to `config.php` is shown below. You need to add both config values as listed below. The example expects that login users have already been created in ownCloud.
The example snippet below can be added to the environment variables. Both environment variables listed below need to be added. The example assumes that login users have already been created in ownCloud.

Use these links to see the corresponding configuration section for:

Expand All @@ -109,6 +109,14 @@ Use these links to see the corresponding configuration section for:
* xref:api-scope[YOUR-APPLICATION-ID-SCOPE-URI/owncloud]
* xref:client-id[YOUR-CLIENT-ID]

The following environment variables are used as templates. They must be adapted according to the classic key scheme shown one step below.

[source,.env]
----
OWNCLOUD_HTTP_COOKIE_SAMESITE=None
OWNCLOUD_OPENID_CONNECT={"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"}
----

[source,php]
----
'http.cookie.samesite' => 'None',
Expand Down
46 changes: 7 additions & 39 deletions modules/admin_manual/pages/configuration/user/oidc/oidc.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -64,37 +64,6 @@ See xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-

* Service discovery for the xref:owncloud-desktop-and-mobile-clients[ownCloud Desktop and Mobile Apps]

=== Save Settings in the Database

If you run a clustered setup, the following method configuring the OpenID Connect app is preferred, because it is stateless. The app checks for settings in the database first. If none are found, it falls back to the settings stored in `config.php`. The settings are stored as a JSON formatted string with the following keys and values:

[width="50%",cols="40%,50%",options="header"]
|===
| Key
| Value

| appid
| 'openidconnect'

| configkey
| 'openid-connect'

| configvalue
| _JSON-String_
|===

If a malformed JSON string is found, an error is logged. The _key->value_ pairs are the same as when storing them to the `config.php` file. This task has to be done by invoking an occ command, see the following example. Use the occ commands `config:app:get` to view the current setting or `config:app:delete` to delete it. See the xref:configuration/server/occ_command.adoc#config-commands[Config Command Set] for more details.

[source,bash,subs="attributes+"]
----
{occ-command-example-prefix-docker} config:app:set \
openidconnect \
openid-connect \
--value='{"provider-url":"https:\/\/idp.example.net","client-id":"fc9b5c78-ec73-47bf-befc-59d4fe780f6f","client-secret":"e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1","loginButtonName":"Login via OpenId Connect"}'
----

NOTE: Only set either the database or the config.php keys but not both for the OpenID Connect app.

== Set Up Service Discovery

. Webserver Service Discovery Information
Expand Down Expand Up @@ -125,13 +94,12 @@ To make the endpoint available under the static service discovery path, it is re
OWNCLOUD_ENABLE_OIDC_REWRITE_URL=true
----

This variable sets the following rule in the embedded `.htaccess` file:
[NOTE]
====
This variable sets the following rule in the embedded `.htaccess` file on container startup:

`RewriteRule ^/.well-known/openid-configuration /index.php/apps/openidconnect/config`

TIP: Depending on the respective infrastructure setup there can be other ways to solve this. In any case, please make sure _not to use redirect rules_ as this will violate the OpenID Connect specification.

IMPORTANT: If you use the `.htaccess` file in the ownCloud web root, you have to manually add that rewrite rule again after any ownCloud upgrade.
====
--

. Once service discovery is available as described above, the ownCloud clients will attempt to connect via OpenID Connect.
Expand All @@ -140,17 +108,17 @@ IMPORTANT: If you use the `.htaccess` file in the ownCloud web root, you have to

All IdPs have their own setup, but often share common ways of configuring things. Although not identical, the xref:example-setup-using-kopano-konnect[Kopano Konnect] example may be a good starting point for the specific configuration of your setup. As Microsoft with Azure AD is different, it has its own example section.

== Example Setup Using Kopano Konnect
=== Example Setup Using Kopano Konnect

Follow this link to see
xref:configuration/user/oidc/kopano-setup.adoc[Example Setup Using Kopano Konnect].

== Example Setup Using Microsoft Azure AD
=== Example Setup Using Microsoft Azure AD

Follow this link to see
xref:configuration/user/oidc/ms-azure-setup.adoc[Example Setup Using Microsoft Azure AD].

== Example Setup Using OneLogin
=== Example Setup Using OneLogin

Follow this link to see
xref:configuration/user/oidc/onelogin-setup.adoc[Example Setup Using OneLogin].
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -58,16 +58,24 @@ TIP: It is recommended to first figure out all configurations on a test system a
Follow this link to read more about the
xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic.

==== Example config.php Setup
==== Example Setup

An example snippet that can be added to `config.php` is shown below. You need to add both config values as listed below. The example expects that login users have already been created in ownCloud.
The example snippet below can be added to the environment variables. Both environment variables listed below need to be added. The example assumes that login users have already been created in ownCloud.

Use these links to see the corresponding configuration section for:

* xref:client-secret[YOUR-CLIENT-SECRET]
* xref:client-id[YOUR-CLIENT-ID]
* xref:issuer-url[YOUR-ISSUER-URL]

The following environment variables are used as templates. They must be adapted according to the classic key scheme shown one step below.

[source,.env]
----
OWNCLOUD_HTTP_COOKIE_SAMESITE=None
OWNCLOUD_OPENID_CONNECT={"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"}
----

[source,php]
----
'http.cookie.samesite' => 'None',
Expand Down
Loading