LDAP/Active Directory - Login Failed

Hi,

I have spun up a Debian 12 vm for use with ownCloud Infinite Scale (latest version).

I have installed OCIS as bare metal with systemd.

OCIS itself works fine apart from there is one major thing which is stopping me from using it.

I have various homelab services and, to try and 'housekeep' a little bit, I would like to use Active Directory (Windows Server 2022) as the Identity Provider for my users.

I have used the example variables for the LDAP setup and I cannot get it to work; I think the values are set up correctly, but it still does not work. Active Directory works fine for my other services, so I know there isn't a problem with that as such; whatever the issue is, it specifically affects OCIS.

Is there anything I am missing? I wanted to be able to create a user in AD and, as soon as they're created, have OCIS let them log in, but this is not the case: no matter what I change, I get a Login Failed error.

I know OCIS is able to talk to my AD server because if I mess with the ldap:// URL, I get an HTTP 500 error; if the URL is set correctly, I don't get that error.

I tried looking at the logs (even with the log levels set to debug) but cannot see any errors or anything that resembles any login/ldap errors.

This is a bit cheeky, but I wondered if someone could provide me step-by-step instructions on everything I need to do to get OCIS and Active Directory working? I've spent ages browsing the web but cannot find anything, and I love OCIS as a product, so any help in getting this up and running asap is greatly appreciated.

Kind Regards,

Connor

Hi! I'm having the exact same issue here (except for the fact that I am using OpenLDAP instead of AD). Looking through the log files, even if logs are set to "info", this is the only log message that gets printed when the login button is pressed:

```text
ocis_runtime | {"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"77378001dc83/D74VWDspjd-000001","remote-addr":"REDACTED:52587","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":14.526593,"bytes":0,"time":"2023-11-13T16:36:39.725203265Z","line":"GITHUB/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:31","message":"access-log"}
```

Going back through all the log messages filtered for "idp", there are no unusual messages, and it says the LDAP backend is properly set up.

Given that just this one message is being printed on a login attempt, it's almost like the "idp" never gets a login request. Has anyone encountered this? Any suggestions on how to debug, or at least get some more details from the logs?

@paladincorners before AD I was using OpenLDAP but could not get that to work either.
Tonight I am going to set up a new Authentication VM with OpenLDAP and Authelia and just have OCIS talk to Authelia instead.

Wish there was a clearer guide on how to set this up, as there is documentation in multiple places, but it seems like this is now working, at least for the admin role.

To debug it, check the logs on your AD or OpenLDAP server for the query being made. ownCloud was checking if the user is enabled using the default field name "ownCloudUserEnabled". My users do not have that field.

To fix this required setting the environment variable OCIS_LDAP_USER_ENABLED_ATTRIBUTE to any field that would resolve to anything other than false. You may have an error elsewhere, but check the logs on the LDAP server.

Now the user was being authenticated, but got an error on the website saying they were logged out, and there were errors in the OCIS logs stating that the user roles could not be obtained.

The issue is that you must clearly specify who the admin user is that can log in with LDAP. Make sure OCIS_ADMIN_USER_ID, OCIS_LDAP_USER_SCHEMA_USERNAME, OCIS_LDAP_USER_SCHEMA_ID, IDP_LDAP_LOGIN_ATTRIBUTE and IDP_LDAP_UUID_ATTRIBUTE are set correctly.

Hi @paladincorners ,
Can you tell me the OpenLDAP fields you mapped each of the variables to?
I know your fields are going to be different to mine, but it should point me in the right direction at least 🙂

@cjs321 Can you please share your configuration details? Also please share the logs of a failed login attempt with OCIS_LOG_LEVEL set to debug. With that we might be able to figure out what is going wrong.

Hi @rhaferkamp ,

Please see the config below; I've removed/replaced my domain name for security.

```ini
TZ=Europe/London

OCIS_URL=https://mydomain.tech
PROXY_HTTP_ADDR=0.0.0.0:9200
PROXY_TLS=false
OCIS_INSECURE=false

OCIS_LOG_LEVEL=warn

OCIS_CONFIG_DIR=/mnt/CloudData/Config
OCIS_BASE_DATA_PATH=/mnt/CloudData/Data/
OCIS_CORS_ALLOW_ORIGINS=[*]

#Theme Settings
WEB_UI_THEME_SERVER=https://mydomain.tech
WEB_UI_THEME_PATH=/themes/custom/theme.json

#WEBDAV Settings
PROXY_INSECURE_BACKEND=true
PROXY_ENABLE_BASIC_AUTH=true
AUTH_BASIC_AUTH_PROVIDER=ldap
WEBDAV_VENDOR=owncloud
WEBDAV_URL=https://mydomain.tech/remote.php/webdav/
WEBDAV_HTTP_ROOT=/
WEBDAV_DISABLE_PREVIEWS=true
WEBDAV_WEBDAV_NAMESPACE=/users/{{.Id.OpaqueId}}
WEBDAV_CORS_ALLOW_METHODS=[GET POST PUT PATCH DELETE OPTIONS]
WEBDAV_CORS_ALLOW_ORIGINS=[*]
WEBDAV_CORS_ALLOW_HEADERS=[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]

OCIS_ASYNC_UPLOADS=true

#ldap Active Directory Settings
OCIS_LDAP_URI=ldap://myldapserveripaddress:389
OCIS_LDAP_INSECURE="true"
OCIS_LDAP_BIND_DN="CN=LDAP Sync,OU=Service Accounts,OU=my domain Users,OU=my domain,DC=ad,DC=my,DC=domain"
OCIS_LDAP_BIND_PASSWORD=Phoebe76
OCIS_LDAP_DISABLE_USER_MECHANISM="none"
OCIS_LDAP_GROUP_BASE_DN="OU=my domain Groups,OU=my domain,DC=ad,DC=my,DC=domain"
OCIS_LDAP_GROUP_OBJECTCLASS="group"
OCIS_LDAP_GROUP_SCHEMA_ID="objectGUID"
OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING="true"
OCIS_LDAP_GROUP_SCHEMA_GROUPNAME="cn"
#OCIS_LDAP_GROUP_SCHEMA_MEMBER="member"
OCIS_LDAP_USER_BASE_DN="OU=Standard Accounts,OU=my domain Users,OU=my domain,DC=ad,DC=my,DC=domain"
OCIS_LDAP_USER_OBJECTCLASS="user"
OCIS_LDAP_USER_SCHEMA_ID="objectGUID"
OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING="true"
OCIS_LDAP_USER_SCHEMA_USERNAME="sAMAccountName"
OCIS_LDAP_USER_SCHEMA_DISPLAYNAME="displayname"
OCIS_LDAP_USER_SCHEMA_MAIL="mail"
OCIS_LDAP_LOGIN_ATTRIBUTES="sAMAccountName"
IDP_LDAP_LOGIN_ATTRIBUTE="sAMAccountName"
IDP_LDAP_UUID_ATTRIBUTE="objectGUID"
IDP_LDAP_UUID_ATTRIBUTE_TYPE=binary
GRAPH_LDAP_SERVER_WRITE_ENABLED="false"
OCIS_EXCLUDE_RUN_SERVICES=idm
OCIS_ADMIN_USER_ID="DC29C0A9-67D1-4BE7-B627-7DEC81870CF7"
OCIS_LDAP_USER_ENABLED_ATTRIBUTE="ms-DS-User-Account-Disabled"
#OCIS_LDAP_USER_FILTER="(&(memberOf=CN=Cloud,OU=my domain Groups,OU=my domain,DC=ad,DC=my,DC=domain))"
#OCIS_LDAP_GROUP_FILTER="(& (cn={0}) (objectclass=group) )"
#AUTH_BASIC_AUTH_PROVIDER="ldap"

#Log Settings
#GRAPH_CONFIG_FILE=/home/connor/ocisg.log
#GRAPH_LOG_LEVEL=debug
#OCIS_LOG_LEVEL=debug
#OCIS_LOG_FILE=/home/connor/ocis.log
#OCIS_LOG_PRETTY=true
#OCIS_LOG_COLOR=true
```

The above config is what I'm trying to get working with Active Directory on Windows Server 2022.
I've tested my AD config with Proxmox, and Proxmox is able to see the users/groups just fine with the same IP address and port number, so I am unsure why OCIS is having an issue. I have also set the log level to debug; please see the output below for a login attempt I've just tried:

```text
Nov 14 12:49:21 CSSVRCLOUD01 ocis[655]: {"level":"debug","service":"proxy","policy":"ocis","method":"POST","prefix":"/signin/","path":"/signin/v1/identifier/_/logon","routeType":"prefix","time":"2023-11-14T12:49:21.272763249Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/router/router.go:222","message":"director found"}
Nov 14 12:49:21 CSSVRCLOUD01 ocis[655]: {"level":"debug","service":"idp","request-id":"","proto":"HTTP/1.1","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":5.485554,"bytes":0,"time":"2023-11-14T12:49:21.27864593Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/middleware/logger.go:27"}
Nov 14 12:49:21 CSSVRCLOUD01 ocis[655]: {"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"CSSVRCLOUD01/x6cUvgQTDV-000009","remote-addr":"87.102.113.249","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":6.284009,"bytes":0,"time":"2023-11-14T12:49:21.27886789Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:31","message":"access-log"}
```
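When the full debug log runs to many megabytes, the useful step is to isolate the lines that belong to one logon attempt. The idp lines in this thread carry an empty request-id, so they cannot be joined to the proxy access-log line by id; correlating by timestamp is the fallback. The script below is an added example written for this thread, not a tool from the oCIS project. It assumes the line shapes seen above (a journald `host ocis[pid]:` prefix or a compose `ocis_runtime |` prefix in front of one JSON object per line); the sample lines, including the error line from `idp`, are constructed for the example.

```python
import json
import re
import sys
from datetime import datetime, timedelta

# Constructed sample lines shaped like the ones in this thread; hosts, ids and the
# idp error entry are made up so the filter has something to find.
SAMPLE_LOG = """\
Nov 14 12:49:21 host ocis[655]: {"level":"debug","service":"proxy","policy":"ocis","method":"POST","prefix":"/signin/","path":"/signin/v1/identifier/_/logon","routeType":"prefix","time":"2023-11-14T12:49:21.272763249Z","message":"director found"}
Nov 14 12:49:21 host ocis[655]: {"level":"debug","service":"idp","request-id":"","proto":"HTTP/1.1","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":5.485554,"bytes":0,"time":"2023-11-14T12:49:21.27864593Z"}
Nov 14 12:49:21 host ocis[655]: {"level":"info","service":"proxy","request-id":"host/x6cUvgQTDV-000009","method":"POST","status":204,"path":"/signin/v1/identifier/_/logon","duration":6.284009,"bytes":0,"time":"2023-11-14T12:49:21.27886789Z","message":"access-log"}
Nov 14 12:49:21 host ocis[655]: {"level":"error","service":"idp","error":"constructed example error","time":"2023-11-14T12:49:21.279000000Z","message":"constructed idp failure for the example"}
ocis_runtime | {"level":"info","service":"proxy","method":"GET","status":200,"path":"/ocs/v1.php/cloud/user","time":"2023-11-14T12:53:00.000000000Z","message":"access-log"}
"""


def parse_line(line):
    """Return the JSON object embedded in a log line, or None if there is none.
    Both prefixes are skipped by cutting at the first '{'."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def parse_time(ts):
    """oCIS writes RFC 3339 times with nanoseconds; trim to microseconds for fromisoformat."""
    ts = re.sub(r"(\.\d{1,6})\d*", r"\1", ts).replace("Z", "+00:00")
    return datetime.fromisoformat(ts)


def logon_attempts(lines):
    """Proxy access-log entries for POSTs to the idp logon endpoint."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e and e.get("path", "").endswith("/logon") and e.get("message") == "access-log":
            out.append(e)
    return out


def context_for_logon(lines, window=timedelta(seconds=2)):
    """Map each logon attempt's request-id to every entry logged within `window` of it."""
    entries = [e for e in map(parse_line, lines) if e and "time" in e]
    result = {}
    for attempt in logon_attempts(lines):
        t0 = parse_time(attempt["time"])
        rid = attempt.get("request-id", "")
        result[rid] = [e for e in entries if abs(parse_time(e["time"]) - t0) <= window]
    return result


def services_and_errors(context):
    """Which services logged around the attempt, and any error/fatal entries among them."""
    services = sorted({e.get("service", "?") for e in context})
    errors = [e for e in context if e.get("level") in ("error", "fatal")]
    return services, errors


if __name__ == "__main__":
    # Usage: python logon_context.py /path/to/ocis.log   (no argument: the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for rid, ctx in context_for_logon(text.splitlines()).items():
        services, errors = services_and_errors(ctx)
        print(f"logon {rid or '<no request-id>'}: {len(ctx)} entries from {services}")
        for e in errors:
            print("  error:", e.get("service"), e.get("message"), e.get("error"))
```

If an attempt shows only `proxy` in its service list, the idp never logged the request, which is the symptom described earlier in the thread; if `idp` does appear, the error entries next to it are the place to look.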

There should be a lot more log messages from the proxy and idp services than just that. We really need the full log to get a better understanding.

Hi @rhaferkamp , I have messaged you on here with my log file (cannot upload a 12mb/13mb file to this post)
