From e0053881487eb5ad67cc2ed65c5c778f15024360 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Mon, 15 Jun 2026 13:17:43 +0200 Subject: [PATCH 1/6] feat: more required changes for oc11 --- .../configuration/server/logging/logging_configuration.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/admin_manual/pages/configuration/server/logging/logging_configuration.adoc b/modules/admin_manual/pages/configuration/server/logging/logging_configuration.adoc index b58a66748..910d3e441 100644 --- a/modules/admin_manual/pages/configuration/server/logging/logging_configuration.adoc +++ b/modules/admin_manual/pages/configuration/server/logging/logging_configuration.adoc @@ -23,7 +23,7 @@ Logging level parameters are set in the config/config.php file, or on the Admin === ownCloud -All log information will be written to a separate log file which can be viewed using the log viewer on your Admin page. By default, a log file named *owncloud.log* will be created in the directory which has been configured by the *datadirectory* parameter in config/config.php. As an example see: +All log information will be written to a separate log file which can be viewed using the log viewer on your Admin page. By default, a log file named *owncloud.log* will be created in the directory which has been configured by the *datadirectory* parameter in config/config.php. The path assigned to the `datadirectory` configuration key is the value of the `OWNCLOUD_VOLUME_FILES` environment variable. @@ -78,7 +78,7 @@ The following example demonstrates how the conditions can look like. [source,.env] ---- OWNCLOUD_LOG_CONDITIONS=\ -'[{"apps":["files_external"],\ +'[{"apps":["comments"],\ 'users':['user1','user2'],\ "loglevel":0},\ 'log_secret':57b58edb6637fe3059b3595cf9c41b9' From e15e39004891d686cae6f687c9912c45122c7e50 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Mon, 15 Jun 2026 19:10:54 +0200 Subject: [PATCH 2/6] fix caching --- .../installation/docker/docker-compose.yml | 12 ++++ .../files/files_locking_transactional.adoc | 3 +- .../server/caching_configuration.adoc | 65 +++++++++++++++++-- .../server/config_sample_php_parameters.adoc | 2 +- 4 files changed, 76 insertions(+), 6 deletions(-) diff --git a/modules/admin_manual/examples/installation/docker/docker-compose.yml b/modules/admin_manual/examples/installation/docker/docker-compose.yml index 31a6de898..6b3cb4c43 100644 --- a/modules/admin_manual/examples/installation/docker/docker-compose.yml +++ b/modules/admin_manual/examples/installation/docker/docker-compose.yml @@ -85,6 +85,18 @@ services: networks: - oc_network +# As alternative to Redis, you can enable Memcached. +# See the caching configuration documentation for more details. + +# memcached: +# image: memcached:latest +# container_name: owncloud_memcached +# restart: always +# ports: +# - "11211:11211" +# networks: +# - oc_network + volumes: oc_files: driver: local diff --git a/modules/admin_manual/pages/configuration/files/files_locking_transactional.adoc b/modules/admin_manual/pages/configuration/files/files_locking_transactional.adoc index 125982f13..113ea88a6 100644 --- a/modules/admin_manual/pages/configuration/files/files_locking_transactional.adoc +++ b/modules/admin_manual/pages/configuration/files/files_locking_transactional.adoc @@ -12,4 +12,5 @@ ownCloud’s Transactional File Locking mechanism locks files to avoid file corr Transactional File locking will not prevent multiple users from editing the same document, nor give notice that other users are working on the same document. Multiple users can open and edit a file at the same time and Transactional File locking does not prevent this. Rather, it prevents simultaneous file saving. -File locking is enabled by default, using the database locking backend. This places a significant load on your database. Using `memcache.locking` relieves the database load and improves performance. Admins of ownCloud servers with heavy workloads should install xref:configuration/server/caching_configuration.adoc[a memory cache] . +File locking is enabled by default, using the database locking backend. This places a significant load on your database. Using `memcache.locking` (OWNCLOUD_MEMCACHE_LOCKING) relieves the database load and improves performance. Admins of ownCloud servers with heavy workloads should install a +xref:configuration/server/caching_configuration.adoc[memory cache]. diff --git a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc index 085df471b..882ad2a59 100644 --- a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc +++ b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc @@ -30,10 +30,15 @@ The caching backends supported by ownCloud are: This is a data cache only and does *not* cache any opcode. APCu is part of the Docker image. * xref:redis[Redis] + This is an in-memory data structure store (cache) for single and multi-server ownCloud installations, which provides file locking and can be set up in local or distributed environments. The required `php-redis` extension is already part of the Docker image. Redis is used of the Docker Compose deployment example. For details see the xref:installation/installing_with_docker.adoc#docker-compose[Installing With Docker] documentation. +* xref:memcached[Memcached] + + This is a distributed cache for multi-server ownCloud installations and has *very limited* file locking capabilities. + + Using Memcached for distributed locking is generally not recommended. Because its nodes do not communicate with each other and data isn't persistent, locks can be released unexpectedly or lost entirely if a server restarts. For reliable locking, Redis is the industry standard. + + + See the following page to learn more about the https://scalegrid.io/blog/redis-vs-memcached-2021-comparison/[Redis vs. Memcached – 2021 Comparison]. [NOTE] ==== -You may use _both_ a local and a distributed cache. The recommended ownCloud caches are APCu and Redis. If you do not install and enable a local memory cache you will see a warning on your ownCloud admin page. If you enable only a distributed cache in your `config.php` (`memcache.distributed`) and not a local cache (`memcache.local`) you will still see the cache warning. +You may use _both_ a local and a distributed cache. The recommended ownCloud caches are APCu and Redis. If you do not install and enable a local memory cache you will see a warning on your ownCloud admin page. If you either enable Redis or Memcached, the distributed cache will be set automatically to the respective backend. ==== === Cache Directory Location @@ -97,13 +102,21 @@ NOTE: Out of the box, every Redis instance supports 16 databases so `` Please read more about the instructions for the {redis_select_url}[select] and {redis_flushdb_url}[flushdb] command. +=== Memcached + +Memcached is a reliable old-timer for shared caching on distributed servers. It performs well with ownCloud with one exception: it is not suitable to use with Transactional File Locking. This is because it does not store locks, and data can disappear from the cache at any time. Given that, Redis is the best memory cache to use. + +NOTE: The `memcached` PHP extension is already embedded in the Docker image and enabled. + == Configuring Memory Caching Memory caches must be provided and explicitly configured in ownCloud by: -. When using Redis, it must be provided by either as described in the xref:installation/installing_with_docker.adoc#docker-compose[Docker Compose] example of the installation documentation or by other means. +. When using Redis or Memcached, it must be provided by either as described in the xref:installation/installing_with_docker.adoc#docker-compose[Docker Compose] example of the installation documentation or by other means. . Configuring the caches used. +Note that the `OWNCLOUD_MEMCACHE_LOCKING` environment variable corresponds to the configuration setting `memcache.locking`. However, there is no counterpart for the setting `memcache.distributed`, as it is set automatically based on the caching type enabled. + See the xref:configuration/server/config_sample_php_parameters.adoc#memory-caching-backend-configuration[Memory caching backend configuration] for an overview of all possible config parameters, as the examples below only show basic configuration settings. @@ -129,10 +142,11 @@ If you select Redis, you must enable it via environment variables. The example v ---- OWNCLOUD_REDIS_ENABLED=true OWNCLOUD_REDIS_HOST=redis +OWNCLOUD_REDIS_PORT=6379 ---- * If Redis is not enabled, none of the other Redis configurations will be taken into account. -* If Redis is enabled, two additional configurations are set automatically. Note that these configs are not configurable via environment variables: +* If Redis is enabled, two additional configurations are set automatically: + -- [source,.php] @@ -151,9 +165,52 @@ OWNCLOUD_FILELOCKING_ENABLED=true OWNCLOUD_MEMCACHE_LOCAL='\OC\Memcache\Redis' ---- - CAUTION: ownCloud provides many configuration options for Redis, including enhanced security features such as password protection. See the Redis security URL and the ownCloud environment variables for more details. +== Memcached Configuration + +If you select Memcached, you must enable it via environment variables. The example value for the host setting assumes that you have used the ownCloud Docker Compose deployment example. Adapt this value for your setup. + +[source,.env] +---- +OWNCLOUD_MEMCACHED_ENABLED=true +OWNCLOUD_MEMCACHED_HOST=memcached +OWNCLOUD_MEMCACHED_PORT=11211 +---- + +//// +[NOTE] +==== +If you are using multiple memcached servers, omit `OWNCLOUD_MEMCACHED_PORT` and use the following notation: + +`OWNCLOUD_MEMCACHED_HOST="'host_1',port1,host_2',port_2"` +==== +//// + +Additional memcached options can be set with the environment variable `OWNCLOUD_MEMCACHED_OPTIONS`. + +* If Memcached is not enabled, none of the other Memcached configurations will be taken into account. +* If Memcached is enabled, two additional configurations are set automatically: ++ +-- +[source,.php] +---- +'memcache.locking' => '\OC\Memcache\Memcached' +'memcache.distributed' => '\OC\Memcache\Memcached' +---- +-- + +=== Clearing the Memcached Cache + +The Memcached cache can be flushed from the command line, using a range of common Linux/Unix tools including netcat and telnet. The following example uses telnet to log in, run the flush_all command, and log out: + +[source,bash] +---- +telnet 11211 +flush_all +quit +---- + == Deployment Type Configuration Examples These examples provide an overview. Adapt them to suit your environment and needs. diff --git a/modules/admin_manual/pages/configuration/server/config_sample_php_parameters.adoc b/modules/admin_manual/pages/configuration/server/config_sample_php_parameters.adoc index b5e2659d5..c35bcca3a 100644 --- a/modules/admin_manual/pages/configuration/server/config_sample_php_parameters.adoc +++ b/modules/admin_manual/pages/configuration/server/config_sample_php_parameters.adoc @@ -1667,7 +1667,7 @@ Server details for one or more memcached servers to use for memory caching .... === Define connection options for memcached -For more details please see http://apprize.info/php/scaling/15.html +For more details please see https://www.php.net/manual/en/memcached.constants.php ==== Code Sample From 96af95775485fd0c64ac8bf0e9bc1bac60d20ab8 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Tue, 16 Jun 2026 21:34:18 +0200 Subject: [PATCH 3/6] mostly the config user section --- .../configuration/server/import_ssl_cert.adoc | 5 +- .../configuration/user/custom_groups_app.adoc | 6 +- .../pages/configuration/user/guests_app.adoc | 8 +- .../configuration/user/login_policies.adoc | 6 +- .../configuration/user/oidc/kopano-setup.adoc | 11 +- .../user/oidc/ms-azure-setup.adoc | 28 +-- .../pages/configuration/user/oidc/oidc.adoc | 74 +++----- .../user/oidc/onelogin-setup.adoc | 8 +- .../user/reset_admin_password.adoc | 29 +-- .../user/reset_user_password.adoc | 9 +- .../configuration/user/user_auth_ldap.adoc | 175 ++++++------------ .../user/user_auth_twofactor.adoc | 12 +- .../configuration/user/user_management.adoc | 35 ++-- .../pages/configuration/user/user_oauth2.adoc | 8 +- .../installation/installing_with_docker.adoc | 14 +- 15 files changed, 173 insertions(+), 255 deletions(-) diff --git a/modules/admin_manual/pages/configuration/server/import_ssl_cert.adoc b/modules/admin_manual/pages/configuration/server/import_ssl_cert.adoc index db6c1b575..b329da56e 100644 --- a/modules/admin_manual/pages/configuration/server/import_ssl_cert.adoc +++ b/modules/admin_manual/pages/configuration/server/import_ssl_cert.adoc @@ -19,12 +19,11 @@ image:configuration/server/import-ssl-cert-2.png[Click 'More information' in Fir == Site-Wide SSL Import -The personal imports only work for individual users. You can enable site-wide SSL certificates for all of your users on your ownCloud admin page. To enable this, you must add this line to your `config.php` file: +The personal imports only work for individual users. You can enable site-wide SSL certificates for all of your users on your ownCloud admin page. To enable this, you must add this environment variable: [source,.env] ---- - -_CERTIFICATE_MANAGEMENT=true +OWNCLOUD_ENABLE_CERTIFICATE_MANAGEMENT=true ---- Then you’ll have an btn:[Import root certificate] button on your admin page, just like the one on your personal page. Navigate to it by clicking menu:Settings[General > SSL Root Certificates] which is located almost at the bottom. diff --git a/modules/admin_manual/pages/configuration/user/custom_groups_app.adoc b/modules/admin_manual/pages/configuration/user/custom_groups_app.adoc index 4d723e369..e8e45494f 100644 --- a/modules/admin_manual/pages/configuration/user/custom_groups_app.adoc +++ b/modules/admin_manual/pages/configuration/user/custom_groups_app.adoc @@ -9,13 +9,13 @@ == Installation -Install and enable the {oc-marketplace-url}/apps/customgroups[Custom Groups] app if not already installed with your bundle. The Custom Groups app requires the email settings to be configured in your ownCloud setup, because you need to be able to invite the group members by email. +Enable the `Custom Groups` app if not already done so. The Custom Groups app requires the email settings to be configured in your ownCloud setup, because you need to be able to invite the group members by email. == Configuration Check your Custom Groups app's configuration in menu:Settings[Admin > Sharing > Custom Groups]. There you can set the following items: -image::configuration/user/custom_groups/custom_groups.png[] +image::configuration/user/custom_groups/custom_groups.png[image, width=350] === Overriding Default Behavior @@ -54,4 +54,4 @@ Assigning custom group admins can only be done via the browser. In case the grou See the following image as example of user related settings and the https://doc.owncloud.com/webui/next/classic_ui/personal_settings/custom_groups.html[Custom Groups] section in the user manual for details: -image::configuration/user/custom_groups/user_settings_custom_groups.png[] +image::configuration/user/custom_groups/user_settings_custom_groups.png[image, width=350] diff --git a/modules/admin_manual/pages/configuration/user/guests_app.adoc b/modules/admin_manual/pages/configuration/user/guests_app.adoc index 61d22f7db..9ea273b3c 100644 --- a/modules/admin_manual/pages/configuration/user/guests_app.adoc +++ b/modules/admin_manual/pages/configuration/user/guests_app.adoc @@ -11,9 +11,9 @@ NOTE: Guest users do not have storage space and can only work on content that is // video::L42PBHgqKVI[youtube,width=640,height=360] -== Installation +== Enable the App -Install and enable the {oc-marketplace-url}/apps/guests[Guests] app if not already installed with your bundle. The Guests app requires the email settings to be configured in your ownCloud setup, because you need to be able to invite your guests by email. +Enable the `Guests` app if not already done so. The Guests app requires the email settings to be configured in your ownCloud setup, because you need to be able to invite your guests by email. == Configuration @@ -21,11 +21,9 @@ Check your Guests app's configuration in menu:Settings[Admin > Sharing]. There y With a blocklist, an admin can block domains for guest invitations: -* Up to Guests 0.12.1, the blocklist entries were a suffix match. An entry like `example.com` would also block `user@otherexample.com` -- this was considered an error and admins relying on this feature must review their blocklists when upgrading to Guests 0.12.2. - * Starting with Guests 0.12.2, the entries in the blocklist are exact matches. That means, that an entry `example.com` blocks `user@example.com`, but `user@mail.example.com` is *not* blocked. Admins are advised to list all possible subdomains explicitly. -image::configuration/user/guest_app/guest_app_settings.png[width=470] +image::configuration/user/guest_app/guest_app_settings.png[width=350] == Troubleshooting diff --git a/modules/admin_manual/pages/configuration/user/login_policies.adoc b/modules/admin_manual/pages/configuration/user/login_policies.adoc index 98db064b3..7bc6c0bf6 100644 --- a/modules/admin_manual/pages/configuration/user/login_policies.adoc +++ b/modules/admin_manual/pages/configuration/user/login_policies.adoc @@ -21,11 +21,11 @@ Login policies are handled via groups that users are members of and maintained v If no login policy is activated in the `loginPolicy.order` list, ownCloud will work normally. Only the policies in the `loginPolicy.order` list are used. -To enable login policies, use the following example: +To enable login policies, use the following example. Multiple values are comma separated without blanks: -[source,php] +[source,.env] ---- -'loginPolicy.order' => ['OC\Authentication\LoginPolicies\GroupLoginPolicy'], +OWNCLOUD_LOGIN_POLICY_ORDER='OC\Authentication\LoginPolicies\GroupLoginPolicy' ---- After enabling the `loginPolicy.order`, the configuration of the `groupLoginPolicy` can be made. The key definition below must be set according to the needs and the description in xref:configuration/server/config_sample_php_parameters.adoc#configuration-of-the-group-login-policy[Configuration of the Group Login Policy]: diff --git a/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc index 2cd1a242f..11f7e8c41 100644 --- a/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc +++ b/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc @@ -35,16 +35,15 @@ TIP: Kopano Konnect can be set up via Docker. Images are available on Docker Hub To set up ownCloud Server to work with OpenID Connect, you have to: -1. Install the {oc-marketplace-url}/apps/openidconnect[OpenID Connect App] -2. Configure `config.php` +1. Enable the OpenID Connect App +2. Configure via environment variables 3. Set up service discovery TIP: It is recommended to first figure out all configurations on a test system and to bring it to the production system once it's proven to work. Enabling the OpenID Connect app on the production system should be the last step in this process as it will then advertise OpenID Connect to all clients. ==== List of OpenID Connect config.php Parameters -Follow this link to read more about the -xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Server. +Follow this link to read more about the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Server. ==== Example config.php @@ -65,9 +64,9 @@ An example snippet that can be added to `config.php` is shown below. ], ---- -=== Register ownCloud Clients +=== Register ownCloud Mobile and Desktop App -To allow the ownCloud clients (Web/Desktop/Android/iOS) to interact with the identity provider, you have to register them as clients. In the case of Kopano Konnect, you can do this using Konnect's `identifier-registration.yaml`. The default values for the regular ownCloud clients are shown below. Other environments might require a different set of values. +To allow the ownCloud apps (Web/Desktop/Android/iOS) to interact with the identity provider, you have to register them as clients. In the case of Kopano Konnect, you can do this using Konnect's `identifier-registration.yaml`. The default values for the regular ownCloud clients are shown below. Other environments might require a different set of values. [TIP] ==== diff --git a/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc index c95ca8545..0f72a366d 100644 --- a/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc +++ b/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc @@ -25,63 +25,63 @@ image:configuration/user/oidc/ms-azure-ad/login-with-ms-azure.png[width=200] . Go to menu:Manage Azure Active Directory[]. + -image:configuration/user/oidc/ms-azure-ad/select-manag-azure-ad.png[width=500] +image:configuration/user/oidc/ms-azure-ad/select-manag-azure-ad.png[width=350] . Then go to menu:Properties[Tenant ID] and note your [#tenant-id]#`tenant ID`# for later use. + -image:configuration/user/oidc/ms-azure-ad/portal-tenant-id-ms-azure-ad.png[width=400] +image:configuration/user/oidc/ms-azure-ad/portal-tenant-id-ms-azure-ad.png[width=350] . Then go to menu:App registrations[New registration]. + -image:configuration/user/oidc/ms-azure-ad/new-registration-ms-azure-ad.png[width=500] +image:configuration/user/oidc/ms-azure-ad/new-registration-ms-azure-ad.png[width=350] . Provide all required information. + -image:configuration/user/oidc/ms-azure-ad/provide-required-information-ms-azure-ad.png[width=400] +image:configuration/user/oidc/ms-azure-ad/provide-required-information-ms-azure-ad.png[width=350] . Go to menu:Authentication[Add a platform] and select btn:[Web] in Configure Platforms. + -image:configuration/user/oidc/ms-azure-ad/setup-web-application-ms-azure-ad.png[width=600] +image:configuration/user/oidc/ms-azure-ad/setup-web-application-ms-azure-ad.png[width=350] . Go to menu:Authentication[Configure Web > Redirect URI] and setup your btn:[Redirect URI]. + -image:configuration/user/oidc/ms-azure-ad/setup-redirect-url-ms-azure-ad.png[width=600] +image:configuration/user/oidc/ms-azure-ad/setup-redirect-url-ms-azure-ad.png[width=350] . Go to menu:Certificates & secrets[Add a client secret] and setup the [#client-secret]#`client secret`# for your app. + -image:configuration/user/oidc/ms-azure-ad/setup-client-secret-ms-azure-ad.png[width=500] +image:configuration/user/oidc/ms-azure-ad/setup-client-secret-ms-azure-ad.png[width=350] . Go to menu:Token configuration[Add optional claim] and setup the claims. + -image:configuration/user/oidc/ms-azure-ad/setup-claims-ms-azure-ad.png[width=500] +image:configuration/user/oidc/ms-azure-ad/setup-claims-ms-azure-ad.png[width=350] . Go to menu:API permissions[Configured permissions > Add a permission] and add delegated permissions. + -image:configuration/user/oidc/ms-azure-ad/graph-permission-ms-azure-ad.png[width=600] +image:configuration/user/oidc/ms-azure-ad/graph-permission-ms-azure-ad.png[width=350] . On the same page, do not forget to set menu:Grant admin consent[] to all permissions. + -image:configuration/user/oidc/ms-azure-ad/admin-consent-ms-azure-ad.png[width=600] +image:configuration/user/oidc/ms-azure-ad/admin-consent-ms-azure-ad.png[width=350] . Go to menu:Expose an API[Set the App ID URI] and set the btn:[Application ID URI]. + -image:configuration/user/oidc/ms-azure-ad/app-id-uri-ms-azure-ad.png[width=600] +image:configuration/user/oidc/ms-azure-ad/app-id-uri-ms-azure-ad.png[width=350] . Then on the same page: .. menu:Add a scope[Scope name] give the scope a meaningful name like *owncloud* and .. menu:Add a scope[Who can consent] allow *Admins and users* to consent. You will see the full api [#api-scope]#`scope name`# below your entered scope name. + -image:configuration/user/oidc/ms-azure-ad/scope-consent-ms-azure-ad.png[width=600] +image:configuration/user/oidc/ms-azure-ad/scope-consent-ms-azure-ad.png[width=350] . You get the [#client-id]#`CLIENT-ID`# after you have completed the Microsoft Azure setup process. On the following screen, you find an overview of most settings made. You can get there by clicking on menu:Overview[]. + -image:configuration/user/oidc/ms-azure-ad/overview-screen-ms-azure.png[width=500] +image:configuration/user/oidc/ms-azure-ad/overview-screen-ms-azure.png[width=350] === Microsoft Azure AD and RedirectURI When it comes to use `127.0.0.1` instead of `localhost` as Redirect URI, the task is not straight forward. Microsoft has an own documentation for this describing a workaround, see {ms-ad-redir-url}[Prefer 127.0.0.1 over localhost]. In summary, you have to select in your app menu:Manifest[Manage], then search for `replyUrlsWithType` and either add a new entry with `127.0.0.1` or modify an existing one. -image:configuration/user/oidc/ms-azure-ad/ms-azure-manifest.png[width=500] +image:configuration/user/oidc/ms-azure-ad/ms-azure-manifest.png[width=350] === Configure ownCloud Server diff --git a/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc b/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc index 6ac2d33d2..559cd91b9 100644 --- a/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc +++ b/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc @@ -24,9 +24,7 @@ NOTE: ownCloud only supports one configured identity provider which is then valid for all requests. -Click on the -xref:attachment$/configuration/user/oidc/OAuth-code-flow-sequence-diagram.png[OAuth code flow sequence diagram] -link to get more details on the flow sequence. +Click on the xref:attachment$/configuration/user/oidc/OAuth-code-flow-sequence-diagram.png[OAuth code flow sequence diagram] link to get more details on the flow sequence. == Supported Identity Providers @@ -49,19 +47,22 @@ Please get in touch with ownCloud Consulting if you need help with a specific id Setting up ownCloud Server to work with OpenID Connect requires a couple of components to work together: -- An external identity provider configured to work with the ownCloud components -- A distributed memcache setup - such as Redis or Memcached - is required to operate this app. Follow the xref:configuration/server/caching_configuration.adoc[caching documentation] on how to set it up. -- The {oc-marketplace-url}/apps/openidconnect[OpenID Connect App] installed on ownCloud Server -- Configuration settings in `config.php` on ownCloud Server -+ -* `'http.cookie.samesite' \=> 'None',` -+ -See xref:configuration/server/config_sample_php_parameters.adoc#define-how-to-relax-same-site-cookie-settings[config.sample.php] and {schemeful-samesite-url}[Schemeful Same-Site] for examples and details. +* An external identity provider configured to work with the ownCloud components +* A distributed memcache setup - such as Redis or Memcached - is required to operate this app. Follow the xref:configuration/server/caching_configuration.adoc[caching documentation] on how to set it up. +* The `OpenID Connect` app enabled on ownCloud Server. +* Set the environment variable: + +-- +`OWNCLOUD_HTTP_COOKIE_SAMESITE=None` + +See xref:configuration/server/config_sample_php_parameters.adoc#define-how-to-relax-the-same-site-cookie-settings[config.sample.php] and {schemeful-samesite-url}[Schemeful Same-Site] for examples and details. +-- + * Settings for the OpenID Connect App + See xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[config.apps.sample.php] for examples and details or see section xref:save-settings-in-the-database[Save Settings in the Database] below when running clustered setups. -- Service discovery for the xref:owncloud-desktop-and-mobile-clients[ownCloud Clients] + +* Service discovery for the xref:owncloud-desktop-and-mobile-clients[ownCloud Desktop and Mobile Apps] === Save Settings in the Database @@ -116,18 +117,22 @@ https://cloud.example.com/index.php/apps/openidconnect/config . Webserver Rewrite Rule + -To make the endpoint available under the static service discovery path, it is recommended to put a `RewriteRule` in place using in the `VirtualHost` section. The Apache module `rewrite` must be enabled, and if SSL is used, also the modules `proxy`, `proxy_http` and `proxy_connect`: -+ -[source,apache] +-- +To make the endpoint available under the static service discovery path, it is recommended to set the following environment variable: + +[source,.env] ---- -RewriteEngine on -RewriteRule "^/.well-known/openid-configuration" "/index.php/apps/openidconnect/config" [P] -SSLProxyEngine On #This can be omitted if no SSL is used +OWNCLOUD_ENABLE_OIDC_REWRITE_URL=true ---- -+ + +This variable sets the following rule in the embedded `.htaccess` file: + +`RewriteRule ^/.well-known/openid-configuration /index.php/apps/openidconnect/config` + TIP: Depending on the respective infrastructure setup there can be other ways to solve this. In any case, please make sure _not to use redirect rules_ as this will violate the OpenID Connect specification. -+ + IMPORTANT: If you use the `.htaccess` file in the ownCloud web root, you have to manually add that rewrite rule again after any ownCloud upgrade. +-- . Once service discovery is available as described above, the ownCloud clients will attempt to connect via OpenID Connect. @@ -150,30 +155,11 @@ xref:configuration/user/oidc/ms-azure-setup.adoc[Example Setup Using Microsoft A Follow this link to see xref:configuration/user/oidc/onelogin-setup.adoc[Example Setup Using OneLogin]. -== ownCloud Desktop and Mobile Clients - -ownCloud desktop and mobile clients detect whether OIDC is available (service discovery) and use this login method when a new account is created. - -NOTE: The desktop and mobile apps (clients) have a default client ID and secret hard-coded, which are used for ownCloud's oauth2 app. When using Kopano as IdP, it does not pre-define a client ID and secret. You can use the default ones of the client to configure Kopano properly. With some IdPs like MS-Azure, these and other required parameters come from the IdP and must be coded into the client. Note that each IdP has different requirements. Get in touch with ownCloud for a branding subscription to customize the clients according to your needs. +== ownCloud Desktop and Mobile Apps -=== Client Support for OIDC +ownCloud Desktop and Mobile Apps detect whether OIDC is available (service discovery) and use this login method when a new account is created. -[caption=] -.Following owncloud clients support OIDC -[width="60%",cols="40%,60%",options="header"] -|=== -| ownCloud Client -| Release with OIDC support - -| Desktop -| >= 2.7.0 - -| Android -| >= 2.15 - -| iOS -| >= 1.2 -|=== +NOTE: The Desktop and Mobile apps have a default client ID and secret hard-coded, which are used for ownCloud's oauth2 app. When using Kopano as IdP, it does not pre-define a client ID and secret. You can use the default ones of the client to configure Kopano properly. With some IdPs like MS-Azure, these and other required parameters come from the IdP and must be coded into the client. Note that each IdP has different requirements. Get in touch with ownCloud for a branding subscription to customize the clients according to your needs. === Client IDs, Secrets and Redirect URIs @@ -187,7 +173,7 @@ All IdPs can use ownCloud's default _client IDs, secrets and redirect URIs_ with | Key | Server/Web -| as specified in `config.php` +| as specified via environment variables | Desktop | `xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69` @@ -207,7 +193,7 @@ All IdPs can use ownCloud's default _client IDs, secrets and redirect URIs_ with | Key | Server/Web -| as specified in `config.php` +| as specified via environment variables | Desktop | `UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh` diff --git a/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc index dd814f877..19f7e6bd2 100644 --- a/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc +++ b/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc @@ -23,13 +23,13 @@ Follow these steps to configure OneLogin for use with OpenID Connect (OIDC): . Go to menu:Applications[Applications] to manage the registered applications. + -image:configuration/user/oidc/onelogin/onelogin-select-application.png[width=80%] +image:configuration/user/oidc/onelogin/onelogin-select-application.png[width=350] . Click on btn:[Add App] in the upper right corner. . Search for `openid` and select the `OpenId Connect (OIDC)` app + -image:configuration/user/oidc/onelogin/onelogin-select-openid-app.png[width=80%] +image:configuration/user/oidc/onelogin/onelogin-select-openid-app.png[width=350] . Provide a name and configure images if needed. @@ -37,11 +37,11 @@ image:configuration/user/oidc/onelogin/onelogin-select-openid-app.png[width=80%] . Go to menu:Configuration[] and enter values for `Login Url` which points to you system and the `Redirect URI's`, which is the url of you system followed by `/index.php/apps/openidconnect/redirect` + -image:configuration/user/oidc/onelogin/onelogin-oidc-configuration.png[width=90%] +image:configuration/user/oidc/onelogin/onelogin-oidc-configuration.png[width=350] . Go to menu:SSO[] and note the values for [#client-id]#Client ID#, [#client-secret]#Client Secret# and [#issuer-url]#Issuer URL# for later use. + -image:configuration/user/oidc/onelogin/onelogin-oidc-sso.png[width=90%] +image:configuration/user/oidc/onelogin/onelogin-oidc-sso.png[width=350] === Configure ownCloud Server diff --git a/modules/admin_manual/pages/configuration/user/reset_admin_password.adoc b/modules/admin_manual/pages/configuration/user/reset_admin_password.adoc index f015707ca..eda4da26a 100644 --- a/modules/admin_manual/pages/configuration/user/reset_admin_password.adoc +++ b/modules/admin_manual/pages/configuration/user/reset_admin_password.adoc @@ -2,36 +2,21 @@ The normal ways to recover a lost password are: -1. Click the password reset link on the login screen; this appears -after a failed login attempt. This works only if you have entered your -email address on your Personal page in the ownCloud Web interface, so -that the ownCloud server can email a reset link to you. -2. Ask another ownCloud server admin to reset it for you. - -If neither of these is an option, then you have a third option, and that -is using the `occ` command. `occ` is in the `owncloud` directory, for -example `/var/www/owncloud/occ`. `occ` has a command for resetting all -user passwords, `user:resetpassword`. It is best to run `occ` as the -HTTP user, as in this example on Ubuntu Linux: +. Click the password reset link on the login screen; this appears after a failed login attempt. This works only if you have entered your email address on your Personal page in the ownCloud Web interface, so that the ownCloud server can email a reset link to you. + +. Ask another ownCloud server admin to reset it for you. + +If neither of these is an option, then you have a third option, and that is using the `occ` command. `occ` has a command for resetting all user passwords which is: `user:resetpassword`. [source,bash,subs="attributes+"] ---- -$ {occ-command-example-prefix-docker} user:resetpassword admin +{occ-command-example-prefix-docker} user:resetpassword admin + Enter a new password: Confirm the new password: Successfully reset password for admin ---- -If your ownCloud username is not `admin`, then substitute your ownCloud -username. - -You can find your HTTP user in your HTTP configuration file. These are -the default Apache HTTP user:group on Linux distros: - -* Centos, Red Hat, Fedora: `apache:apache` -* Debian, Ubuntu, Linux Mint: `www-data:www-data` -* openSUSE: `wwwrun:www` - See xref:configuration/server/occ_command.adoc[Using the occ Command] to learn more about using the `occ` command. include::partial$configuration/user/update-password-note.adoc[] diff --git a/modules/admin_manual/pages/configuration/user/reset_user_password.adoc b/modules/admin_manual/pages/configuration/user/reset_user_password.adoc index a7c95d048..5f99369c0 100644 --- a/modules/admin_manual/pages/configuration/user/reset_user_password.adoc +++ b/modules/admin_manual/pages/configuration/user/reset_user_password.adoc @@ -1,16 +1,11 @@ = Resetting a User Password -The ownCloud login screen displays a *Wrong password. Reset it?* message -after a user enters an incorrect password, and then ownCloud -automatically resets their password. However, if you are using a -read-only authentication backend such as LDAP or Active Directory, this -will not work. In this case you may specify a custom URL in your -`config.php` file to direct your user to a server than can handle an +The ownCloud login screen displays a *Wrong password. Reset it?* message after a user enters an incorrect password, and then ownCloud automatically resets their password. However, if you are using a read-only authentication backend such as LDAP or Active Directory, this will not work. In this case you may specify a custom URL with an environment variable to direct your user to a server than can handle an automatic reset: [source,php] ---- -'lost_password_link' => 'https://example.org/link/to/password/reset', +OWNCLOUD_LOST_PASSWORD_LINK='https://example.org/link/to/password/reset' ---- include::partial$configuration/user/update-password-note.adoc[] diff --git a/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc b/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc index f3afe7ae9..d06fbda9a 100644 --- a/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc +++ b/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc @@ -33,50 +33,48 @@ The LDAP application supports: == Configuration -First, install the {oc-marketplace-url}/apps/user_ldap[LDAP Integration] app. Then, go to your Admin page to configure it. The LDAP configuration panel has four tabs. A correctly completed first tab ("Server") is mandatory to access the other tabs. A green indicator light appears when the configuration is correct. Hover your cursor over the fields to see some pop-up tooltips. +First, enable the `LDAP Integration` app. Then, go to your Admin page to configure it. The LDAP configuration panel has four tabs. A correctly completed first tab ("Server") is mandatory to access the other tabs. A green indicator light appears when the configuration is correct. Hover your cursor over the fields to see some pop-up tooltips. === Server Tab Start with the Server tab. You may configure multiple servers if you have them. At a minimum, you must supply the LDAP server's hostname. If your server requires authentication, enter your credentials on this tab. -image::apps/user_ldap/ldap-wizard/server-tab.png[LDAP Wizard - Server Tab, width=500] +image::apps/user_ldap/ldap-wizard/server-tab.png[LDAP Wizard - Server Tab, width=350] ==== LDAPS Configuration LDAPS encrypts the connection between your LDAP server and ownCloud via SSL/TLS. For LDAPS you need a LDAP server with certificates:: - -{empty} - ++ +-- . For Windows Server, install the _Active Directory Certificate Services (AD CS)_ role and configure it as a company CA. . Export the CA certificate using this method: .. Open `certutil` with admin privileges and execute the following command where `ca_name` is just a placeholder for the certificate name. Adjust it accordingly. + --- [source,plaintext] ---- certutil -ca.cert ca_name.cer ---- ++ This ensures you have the right certificate for configuring LDAPS. --- + . Copy the certificate `ca_name.cer` to your ownCloud server. . Do the following tasks on the ownCloud server. .. Convert the certificate with: + --- [source,plaintext] ---- openssl x509 -inform der -in ca_name.cer -out certificate.pem ---- --- + .. Double-check with: + --- [source,bash] ---- cat certificate.pem ---- ++ The output is the same one you had with `certutil`. -- @@ -145,16 +143,13 @@ Finally you have LDAPS configured and your LDAP traffic is encrypted with a SSL ==== Server Configurations -Server Configuration:: - Configure one or more LDAP servers. - Click btn:[Delete Configuration] to remove the active configuration. +LDAP Servers:: +Configure one or more LDAP servers. Click btn:[Delete Configuration] to remove the active configuration. Host:: + -- -The hostname or IP address of the LDAP server. -It can also be an `ldaps://` URI. -If you enter the port number, it speeds up server detection. +The hostname or IP address of the LDAP server. It can also be an `ldaps://` URI. If you enter the port number, it speeds up server detection. *Examples:* @@ -212,12 +207,10 @@ Example: Use this to control which LDAP users are listed as ownCloud users on your ownCloud server. In order to control which LDAP users can log in to your ownCloud server, use the Login filter. You may bypass the form fields and enter a raw LDAP filter if you prefer. -image::apps/user_ldap/ldap-wizard/users-tab.png[LDAP Wizard - Users Tab, width=500] +image::apps/user_ldap/ldap-wizard/users-tab.png[LDAP Wizard - Users Tab, width=350] Only those Object Classes:: - ownCloud determines the object classes that are typically available for user objects in your LDAP. - ownCloud automatically selects the object class that returns the highest number of users. - You may select multiple object classes. + ownCloud determines the object classes that are typically available for user objects in your LDAP. ownCloud automatically selects the object class that returns the highest number of users. You may select multiple object classes. Only From those Groups:: + @@ -227,10 +220,7 @@ If your LDAP server supports the `memberof-overlay` in LDAP filters, you can def [NOTE] ==== Group membership is configured by adding `memberUid`, `uniqueMember` or member attributes to an LDAP group see (xref:group-member-association[Group Member association]) below. -To efficiently look up the groups, a user who is a member of the LDAP server must support a `memberof-overlay`. -It allows using the virtual `memberOf` or `isMemberOf` attributes of an LDAP user in the user filter. -If your LDAP server does not support the `memberof-overlay` in LDAP filters, the input field is disabled. -Please contact your LDAP administrator. +To efficiently look up the groups, a user who is a member of the LDAP server must support a `memberof-overlay`. It allows using the virtual `memberOf` or `isMemberOf` attributes of an LDAP user in the user filter. If your LDAP server does not support the `memberof-overlay` in LDAP filters, the input field is disabled. Please contact your LDAP administrator. * Active Directory uses {memberof-url}[memberOf] and is enabled by default. * OpenLDAP uses `memberOf`. {reverse-group-membership-maintenance-url}[Reverse Group Membership Maintenance] needs to be enabled. @@ -298,11 +288,10 @@ The settings in the Login Filter tab determine which LDAP users can log in to yo You may override your User Filter settings on the User Filter tab by using a raw LDAP filter. -image::apps/user_ldap/ldap-wizard/login-attributes-tab.png[LDAP Wizard - Login Attributes Tab, width=500] +image::apps/user_ldap/ldap-wizard/login-attributes-tab.png[LDAP Wizard - Login Attributes Tab, width=350] LDAP Username:: - If this value is checked, the login value will be compared to the username in the LDAP directory. - The corresponding attribute, usually `uid` or `samaccountname` will be detected automatically by ownCloud. + If this value is checked, the login value will be compared to the username in the LDAP directory. The corresponding attribute, usually `uid` or `samaccountname` will be detected automatically by ownCloud. LDAP Email Address:: If this value is checked, the login value will be compared to an email address in the LDAP directory; specifically, the `mailPrimaryAddress` and `mail` attributes. @@ -318,8 +307,7 @@ Disallowing login with LDAP Email Address requires enabling strict login checkin ==== Other Attributes:: - This multi-select box allows you to select other attributes for the comparison. - The list is generated automatically from the user object attributes in your LDAP server. + This multi-select box allows you to select other attributes for the comparison. The list is generated automatically from the user object attributes in your LDAP server. Edit Raw Filter Instead:: + @@ -349,17 +337,13 @@ include::example$configuration/user/user_auth_ldap/username_email.ldif[] By default, no LDAP groups will be available in ownCloud. The settings in the group filter tab determine which groups will be available in ownCloud. You may also elect to enter a raw LDAP filter instead. -image::apps/user_ldap/ldap-wizard/groups-tab.png[LDAP Wizard - Groups Tab, width=500] +image::apps/user_ldap/ldap-wizard/groups-tab.png[LDAP Wizard - Groups Tab, width=350] Only those object classes:: - ownCloud will determine the object classes that are typically available for group objects in your LDAP server. - ownCloud will only list object classes that return at least one group object. - You can select multiple object classes. - A typical object class is `group`, or `posixGroup`. + ownCloud will determine the object classes that are typically available for group objects in your LDAP server. ownCloud will only list object classes that return at least one group object. You can select multiple object classes. A typical object class is `group`, or `posixGroup`. Only From those Groups:: - ownCloud will generate a list of available groups found in your LDAP server. - From these groups, you can select the group or groups that get access to your ownCloud server. + ownCloud will generate a list of available groups found in your LDAP server. From these groups, you can select the group or groups that get access to your ownCloud server. Edit Raw Filter Instead:: + @@ -375,8 +359,7 @@ Example: // <x> --> renders to <x> Groups Found:: - This tells you approximately how many groups will be available in ownCloud. - The number updates automatically after any change. + This tells you approximately how many groups will be available in ownCloud. The number updates automatically after any change. NOTE: Renaming of LDAP-Groups on the LDAP Server is not supported. Changes like renaming groups in LDAP will not be propagated to ownCloud. @@ -392,7 +375,7 @@ The Advanced Settings are structured into three parts: ==== Connection Settings -image::apps/user_ldap/ldap-wizard/advanced-tab-connection-settings.png[LDAP Wizard - Advanced Tab - Connection Settings, width=500] +image::apps/user_ldap/ldap-wizard/advanced-tab-connection-settings.png[LDAP Wizard - Advanced Tab - Connection Settings, width=350] Configuration Active:: Enables or Disables the current configuration. @@ -412,8 +395,7 @@ Example: Backup (Replica) Port:: + -- - The connection port of the backup LDAP server. - If no port is supplied, but only a host, then the main port (as specified above) will be used. +The connection port of the backup LDAP server. If no port is supplied, but only a host, then the main port (as specified above) will be used. Example: @@ -421,11 +403,7 @@ Example: -- Disable Main Server:: - - You can manually override the main server and make ownCloud only connect to the **backup server**. - This is useful for planned downtimes for example **Upgrades or Updates of the Main Server**. - **Backup Server Handling** - When ownCloud is not able to contact the main LDAP server, ownCloud assumes it is offline and will not try to connect again for the time specified in" **Cache Time-To-Live**". + You can manually override the main server and make ownCloud only connect to the **backup server**. This is useful for planned downtimes for example **Upgrades or Updates of the Main Server**. **Backup Server Handling**: when ownCloud is not able to contact the main LDAP server, ownCloud assumes it is offline and will not try to connect again for the time specified in" **Cache Time-To-Live**". Turn off SSL certificate validation:: + @@ -438,8 +416,7 @@ TIP: Use it for testing only! Cache Time-To-Live:: + -- -A cache is introduced to avoid unnecessary LDAP traffic, for example caching usernames so they don't have to be looked up for every page, and speeding up loading of the Users page. Saving the configuration empties the cache. -The time is given in seconds. Note that almost every PHP request requires a new connection to the LDAP server. If you require fresh PHP requests, we recommend defining a minimum lifetime of about 15 seconds or higher, rather than completely eliminating the cache. +A cache is introduced to avoid unnecessary LDAP traffic, for example caching usernames so they don't have to be looked up for every page, and speeding up loading of the Users page. Saving the configuration empties the cache. The time is given in seconds. Note that almost every PHP request requires a new connection to the LDAP server. If you require fresh PHP requests, we recommend defining a minimum lifetime of about 15 seconds or higher, rather than completely eliminating the cache. *Examples:* @@ -451,7 +428,7 @@ See xref:caching[the Caching section below] for detailed information on how the ==== Directory Settings -image::apps/user_ldap/ldap-wizard/advanced-tab-directory-settings.png[LDAP Wizard - Advanced Tab - Directory Settings, width=500] +image::apps/user_ldap/ldap-wizard/advanced-tab-directory-settings.png[LDAP Wizard - Advanced Tab - Directory Settings, width=350] User Display Name Field:: + @@ -504,9 +481,7 @@ If an attribute is not available on a user object, the user will not be listed, Group Display Name Field:: + -- -The attribute that should be used as ownCloud group name. -ownCloud allows a limited set of characters (`a-zA-Z0-9.-_@`). -Once a group name is assigned it cannot be changed. +The attribute that should be used as ownCloud group name. ownCloud allows a limited set of characters (`a-zA-Z0-9.-_@`). Once a group name is assigned it cannot be changed. *Examples:* @@ -516,9 +491,7 @@ Once a group name is assigned it cannot be changed. Base Group Tree:: + -- -The base DN of LDAP, from where all groups can be reached. -This must be a complete DN, regardless of what you have entered for your Base DN in the Basic setting. -You can specify multiple base trees, one in each line. +The base DN of LDAP, from where all groups can be reached. This must be a complete DN, regardless of what you have entered for your Base DN in the Basic setting. You can specify multiple base trees, one in each line. *Examples:* @@ -529,9 +502,7 @@ You can specify multiple base trees, one in each line. Group Search Attributes:: + -- -These attributes are used when a search for groups is done, for example in the share dialogue. -By default the group display name attribute as specified above is used. -Multiple attributes can be given, one in each line. +These attributes are used when a search for groups is done, for example in the share dialogue. By default the group display name attribute as specified above is used. Multiple attributes can be given, one in each line. If you override the default, the group display name attribute will not be taken into account, unless you specify it as well. @@ -562,21 +533,14 @@ Dynamic Group Member URL:: See {config-dynamic-groups-url}[Configuring Dynamic Groups] for more details. Nested Groups:: - This makes the LDAP connector aware that groups could be stored inside existing group records. - By default a group will only contain users, so enabling this option isn't necessary. However, if groups are contained inside groups, and this option is not enabled, any groups contained within other groups will be ignored and not returned in search results. + This makes the LDAP connector aware that groups could be stored inside existing group records. By default a group will only contain users, so enabling this option isn't necessary. However, if groups are contained inside groups, and this option is not enabled, any groups contained within other groups will be ignored and not returned in search results. Paging Chunk Size:: - This sets the maximum number of records able to be returned in a - response when ownCloud requests data from LDAP. If this value is - greater than the limit of the underlying LDAP server (such as 3000 for - Microsoft Active Directory) the LDAP server will reject the request - and the search request will fail. Given that, it is important to set - the requested chunk size to a value no larger than that which the - underlying LDAP server supports. + This sets the maximum number of records able to be returned in a response when ownCloud requests data from LDAP. If this value is greater than the limit of the underlying LDAP server (such as 3000 for Microsoft Active Directory) the LDAP server will reject the request and the search request will fail. Given that, it is important to set the requested chunk size to a value no larger than that which the underlying LDAP server supports. ==== Special Attributes -image::apps/user_ldap/ldap-wizard/advanced-tab-special-attributes.png[LDAP Wizard - Advanced Tab - Special Attributes, width=500] +image::apps/user_ldap/ldap-wizard/advanced-tab-special-attributes.png[LDAP Wizard - Advanced Tab - Special Attributes, width=350] Quota Field:: The name of the LDAP attribute to retrieve the user quota limit from. You have to decide which LDAP attribute you want to use and set a value to it in the Attribute Editor. @@ -602,53 +566,43 @@ Quota Priority:: 3. **ownCloud Default Quota** overrides **Unlimited Quota** Email Field:: - Set the user's email from an LDAP attribute, e.g., `mail`. - Leave it empty for default behavior. + Set the user's email from an LDAP attribute, e.g., `mail`. Leave it empty for default behavior. User Home Folder Naming Rule:: + -- -By default, the ownCloud server creates the user directory in your ownCloud data directory and gives it the ownCloud username, e.g., `/var/www/owncloud/data/5a9df029-322d-4676-9c80-9fc8892c4e4b`, if your data directory is set to `/var/www/owncloud/data`. +By default, the ownCloud server creates the user directory in your ownCloud data directory and gives it the ownCloud username, e.g., `/mnt/data/files/5a9df029-322d-4676-9c80-9fc8892c4e4b`. Note that `/mnt/data/files` is the default in the container, part of the Docker volume and can be redifined if required. -It is possible to override this setting and name it after an LDAP attribute value, e.g., `attr:cn`. The attribute can return either an absolute path, e.g., `/mnt/storage43/alice`, or a relative path which must not begin with a `/`, e.g., `CloudUsers/CookieMonster`. This relative path is then created inside the data directory (e.g., `/var/www/owncloud/data/CloudUsers/CookieMonster`). +It is possible to override this setting and name it after an LDAP attribute value, e.g., `attr:cn`. The attribute can return either an absolute path, e.g., `/mnt/storage43/alice`, or a relative path which must not begin with a `/`, e.g., `CloudUsers/CookieMonster`. This relative path is then created inside the data directory (e.g., `/mnt/data/files/CloudUsers/CookieMonster`). -Since ownCloud 8.0.10 and up the home folder rule is enforced. This means that once you set a home folder naming rule (get a home folder from an LDAP attribute), it must be available for all users. If it isn't available for a user, then that user will not be able to login. Also, the filesystem will not be set up for that user, so their file shares will not be available to other users. For older versions you may enforce the home folder rule with the `occ` command, like this example on Ubuntu: +Please note that the home folder rule is enforced. This means that once you set a home folder naming rule (get a home folder from an LDAP attribute), it must be available for all users. If it isn't available for a user, then that user will not be able to login. Also, the filesystem will not be set up for that user, so their file shares will not be available to other users. For older versions you may enforce the home folder rule with the `occ` command, like this example on Ubuntu: [source,bash,subs="attributes+"] ---- {occ-command-example-prefix-docker} config:app:set user_ldap enforce_home_folder_naming_rule --value=1 ---- -Starting with ownCloud 10.0, the home folder naming rule is only applied when first provisioning the user. This prevents data loss due to re-provisioning the users home folder in case of unintentional changes in LDAP. +The home folder naming rule is only applied when first provisioning the user. This prevents data loss due to re-provisioning the users home folder in case of unintentional changes in LDAP. -- === Expert Settings IMPORTANT: Please check both the advanced and expert configurations carefully before using in production. -image::apps/user_ldap/ldap-wizard/expert-tab.png[LDAP Wizard - Expert Tab, width=500] +image::apps/user_ldap/ldap-wizard/expert-tab.png[LDAP Wizard - Expert Tab, width=350] In "*Expert Settings*", fundamental behavior can be adjusted to your needs. The configuration should be well-tested before starting production use. Internal Username:: + -- -The internal username is the identifier in ownCloud for LDAP users. -By default it will be created from the UUID attribute. -The UUID attribute ensures that the username is unique, and that characters do not need to be converted. -Only these characters are allowed: `[\a-\zA-\Z0-\9_.@-]`. -Other characters are replaced with their ASCII equivalents, or are simply omitted. +The internal username is the identifier in ownCloud for LDAP users. By default it will be created from the UUID attribute. The UUID attribute ensures that the username is unique, and that characters do not need to be converted. Only these characters are allowed: `[\a-\zA-\Z0-\9_.@-]`. Other characters are replaced with their ASCII equivalents, or are simply omitted. -The LDAP backend ensures that there are no duplicate internal usernames in ownCloud, i.e., that it is checking all other activated user backends (including local ownCloud users). -On collisions, a random number (between 1000 and 9999) will be attached to the retrieved value. -For example, if "alice" exists, the next username may be `alice_1337`. +The LDAP backend ensures that there are no duplicate internal usernames in ownCloud, i.e., that it is checking all other activated user backends (including local ownCloud users). On collisions, a random number (between 1000 and 9999) will be attached to the retrieved value. For example, if "alice" exists, the next username may be `alice_1337`. -The internal username is the default name for the user home folder in ownCloud. -It is also a part of remote URLs, for instance for all *DAV services. +The internal username is the default name for the user home folder in ownCloud. It is also a part of remote URLs, for instance for all *DAV services. -You can override all of this with the "*Internal Username*" setting. -Leave it empty for default behavior. -Changes will affect only newly mapped LDAP users. +You can override all of this with the "*Internal Username*" setting. Leave it empty for default behavior. Changes will affect only newly mapped LDAP users. *Examples:* @@ -658,17 +612,11 @@ Changes will affect only newly mapped LDAP users. Override UUID Detection:: + -- -By default, ownCloud auto-detects the UUID attribute. -The UUID attribute is used to uniquely identify LDAP users and groups. -The internal username will be created based on the UUID, if not specified otherwise. +By default, ownCloud auto-detects the UUID attribute. The UUID attribute is used to uniquely identify LDAP users and groups. The internal username will be created based on the UUID, if not specified otherwise. -You can override the setting and pass an attribute of your choice. -You must make sure that the attribute of your choice can be fetched for both users and groups and that it is unique. -Leave it empty for default behavior. -Changes will have effect only on newly mapped LDAP users and groups. +You can override the setting and pass an attribute of your choice. You must make sure that the attribute of your choice can be fetched for both users and groups and that it is unique. Leave it empty for default behavior. Changes will have effect only on newly mapped LDAP users and groups. -It also will take effect when a user or group's DN changes and an old UUID was cached, which will result in a new user. -Because of this, the setting should be applied before putting ownCloud in production use and clearing the bindings the (see xref:user-and-group-mapping[User and Group Mapping`] section below). +It also will take effect when a user or group's DN changes and an old UUID was cached, which will result in a new user. Because of this, the setting should be applied before putting ownCloud in production use and clearing the bindings the (see xref:user-and-group-mapping[User and Group Mapping`] section below). *Examples:* @@ -678,17 +626,11 @@ Because of this, the setting should be applied before putting ownCloud in produc Username-LDAP User Mapping:: + -- -ownCloud uses usernames as keys to store and assign data. -In order to precisely identify and recognize users, each LDAP user will have an internal username in ownCloud. -This requires a mapping from an ownCloud username to an LDAP user. +ownCloud uses usernames as keys to store and assign data. In order to precisely identify and recognize users, each LDAP user will have an internal username in ownCloud. This requires a mapping from an ownCloud username to an LDAP user. -The created username is mapped to the UUID of the LDAP user. -Additionally, the DN is cached to reduce LDAP interaction, but it is not used for identification. -If the DN changes, the change will be detected by ownCloud by checking the UUID value. +The created username is mapped to the UUID of the LDAP user. Additionally, the DN is cached to reduce LDAP interaction, but it is not used for identification. If the DN changes, the change will be detected by ownCloud by checking the UUID value. -The same is valid for groups. -The internal ownCloud name is used all over in ownCloud. -Clearing the mappings will have leftovers everywhere. +The same is valid for groups. The internal ownCloud name is used all over in ownCloud. Clearing the mappings will have leftovers everywhere. Never clear the mappings in a production environment, but only in a testing or experimental server. IMPORTANT: Clearing the mappings is not configuration sensitive, it affects all LDAP configurations! @@ -749,11 +691,14 @@ Photos served from LDAP are automatically cropped and resized in ownCloud. This Use these commands to troubleshoot: -Test encrypted connection: +Test the encrypted connection: -`openssl s_client -connect 10.211.55.15:636` +[source,bash] +---- +openssl s_client -connect 10.211.55.15:636 +---- -look for **verify return:1** +and look for **verify return:1** Try an ldapsearch query @@ -768,10 +713,9 @@ ldapsearch \ Check: -`/etc/ldap/ldap.conf` -`/etc/openldap/ldap.conf` +`/etc/ldap/ldap.conf` and `/etc/openldap/ldap.conf` -look for +and look for `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` @@ -785,7 +729,7 @@ Compared to earlier ownCloud versions, no further tweaks need to be done to make === memberOf / Read MemberOf Permissions -If you want to use `memberOf` within your filter you might need to give your querying user the permissions to use it. For Microsoft Active Directory this is described {enumerate-ad-user-groups-permissions-url}[here]. +If you want to use `memberOf` within your filter you might need to give your querying user the permissions to use it. For Microsoft Active Directory this is described {enumerate-ad-user-groups-permissions-url}[here, window=_blank]. === Duplicating Server Configurations @@ -803,8 +747,7 @@ Now you can modify and enable the configuration. === Filter out Deactivated Users -With this filter you can filter out the deactivated users -and show only active users. +With this filter you can filter out the deactivated users and show only active users. [source,plaintext] ---- @@ -833,8 +776,6 @@ There is one trigger which is automatically triggered by a certain background jo Under normal circumstances, all of the users are never loaded at the same time. Typically, the loading of users happens while page results are generated in steps of 30, until the limit is reached or no results are left. -TIP: Please ensure that you're using the minimum supported PHP version ({minimum-php-printed}). - ownCloud remembers which user belongs to which LDAP-configuration. That means each request will always be directed to the right server unless a user is defunct, for example due to a server migration or unreachable server. In this case the other servers will also receive the request. === LDAP Indexing diff --git a/modules/admin_manual/pages/configuration/user/user_auth_twofactor.adoc b/modules/admin_manual/pages/configuration/user/user_auth_twofactor.adoc index aab51a471..42beba746 100644 --- a/modules/admin_manual/pages/configuration/user/user_auth_twofactor.adoc +++ b/modules/admin_manual/pages/configuration/user/user_auth_twofactor.adoc @@ -6,12 +6,12 @@ {description} When users want to sign in, they need to provide two pieces of information (factors): -* the password, -* the six-digit verification code that's automatically displayed on the trusted device or sent to the phone number. +* The password, +* The six-digit verification code that's automatically displayed on the trusted device or sent to the phone number. == Setting Up 2FA -To provide 2FA functionality, the {oc-marketplace-url}/apps/twofactor_totp[2-Factor Authentication] app needs to be installed and enabled. Though there are other apps available, the description and screenshots refer to the named one. +To provide 2FA functionality, the `2-Factor Authentication` app needs to be enabled. Though there are other apps available, the description and screenshots refer to the named one. If the two-factor provider app is enabled: @@ -19,11 +19,11 @@ If the two-factor provider app is enabled: * It can be enforced for all users as default. * Groups of users can be excluded from using 2FA. -image::apps/2fa/2fa-exclude-groups.png[Setup Two-Factor Authentication, width=500] +image::apps/2fa/2fa-exclude-groups.png[Setup Two-Factor Authentication, width=350] Note that when users are forced to use 2FA, they are not able to do the setup process the same way as when using opt-in. For this case on first login after enforcing 2FA, the user is shown a special login screen where the QR code to finalize the 2FA process is displayed. -image::apps/2fa/2fa-init-qr.png[Login Screen with QR Code for Two-Factor Authentication, width=500] +image::apps/2fa/2fa-init-qr.png[Login Screen with QR Code for Two-Factor Authentication, width=350] TIP: For the opt-in and login with enforced 2FA to work, ImageMagick and php-imagick are required to create the QR code. Depending on your operating system, these packages may need to be installed manually. @@ -35,7 +35,7 @@ NOTE: OAuth 2.0 is the recommended authentication method for clients. === Enable OAuth 2.0 App -When using the OAuth 2.0 App, the ownCloud Desktop client will open the login page in the system web browser and ownCloud Mobile Apps will open the login page in an embedded web view. After entering the regular credentials, users will see a second page, where they need to enter the second factor. +When using the OAuth 2.0 App, the ownCloud Desktop app will open the login page in the system web browser and ownCloud Mobile Apps will open the login page in an embedded web view. After entering the regular credentials, users will see a second page, where they need to enter the second factor. For more information see the xref:configuration/user/user_oauth2.adoc[User Auth Open Authentication (OAuth2)] documentation. diff --git a/modules/admin_manual/pages/configuration/user/user_management.adoc b/modules/admin_manual/pages/configuration/user/user_management.adoc index c58ad3463..2d241825e 100644 --- a/modules/admin_manual/pages/configuration/user/user_management.adoc +++ b/modules/admin_manual/pages/configuration/user/user_management.adoc @@ -15,12 +15,11 @@ Note that most user-related tasks can also be managed via xref:configuration/ser The **default view** displays basic information about your users. -image::configuration/user/users-page.png[image] +image::configuration/user/users-page.png[image, width=350] -The **Group filter** on the left sidebar lets you quickly filter users by -their group memberships, and create new groups. +The **Group filter** on the left sidebar lets you quickly filter users by their group memberships, and create new groups. -image::configuration/user/users-page-group-tab.png[image] +image::configuration/user/users-page-group-tab.png[image, width=250] Click the btn:[gear] icon on the lower left sidebar to view the available settings. @@ -30,16 +29,22 @@ image::configuration/user/users-page-gear.png[image] _Login Name (Username)_:: The unique ID of an ownCloud user. Note that it **cannot** be changed after creating the user. The user can log in either using the login name or the e-mail address. + _Full Name_:: The user’s display name that appears on file shares, the ownCloud Web interface and emails. Admins and users may change the full name anytime. If the full name is not set, it defaults to the login name. + _Password_:: The admin sets the new user’s first password. Both the user and the admin can change the user’s password at anytime. + _E-Mail_:: The admin sets the new user’s e-mail. The user then gets an e-mail to set the password. Both the user and the admin can change the user’s e-mail at anytime. + _Groups_:: You may create system (non-LDAP) groups and assign system group memberships to users. By default, new users are not assigned to any groups. + _Group Admin_:: Group admins are granted administrative privileges on system groups and can add new users, edit user properties, and remove existing users from those groups. + _Quota_:: The maximum disk space assigned to each user. Any user that exceeds the quota cannot upload or sync data. You have the option to include external storage in user quotas. @@ -51,7 +56,7 @@ To create a user account: * Optionally, assign *Groups* memberships * Click the btn:[Create] button -image:configuration/user/users-page-new-user.png[image] +image::configuration/user/users-page-new-user.png[image, width=350] Login names may contain letters (a-z, A-Z), numbers (0-9), dashes (-), underscores (_), periods (.) and at signs (@). After creating the user, you may fill in their *Full Name* if it is different from the login name, or leave it for the user to complete. @@ -64,7 +69,7 @@ You cannot recover a user’s password, but you can set a new one: * Enter the user’s new password in the password field, and remember to provide the user with their password -image::configuration/user/users-page-new-password.png[image] +image::configuration/user/users-page-new-password.png[image, width=350] If you have encryption enabled, there are special considerations for user password resets. @@ -82,7 +87,7 @@ To set or change a user’s display name: == Deleting Users -image::configuration/user/delete-user-confirmation.png[The ownCloud delete user confirmation dialog] +image::configuration/user/delete-user-confirmation.png[The ownCloud delete user confirmation dialog, width=350] To delete a user, hover your cursor over their name on the *Users* page and click the trashcan icon that appears at the far right. You’ll then see a confirmation dialog appear, asking if you’re sure that you want to delete the user. @@ -136,9 +141,9 @@ Click the btn:[gear] icon on the lower left pane to set a default storage quota. You now have a configurable option in `config.php` that controls whether external storage is counted against user’s quotas. This is still experimental and may not work as expected. The default is to not counting external storage as part of user storage quotas. If you prefer to include it, then change the default `false` to `true`.: -[source,php] +[source,.env] ---- -'quota_include_external_storage' => false, +OWNCLOUD_QUOTA_INCLUDE_EXTERNAL_STORAGE=false ---- === Storage Space Considerations @@ -168,9 +173,9 @@ When a user clicks on one of these buttons, the admin group will receive an emai == Moving the User Home -Usually, a user's home folder is located in the `data/` directory, the location of which is defined in `config.php` and defaults to `/var/www/owncloud/data`. In smaller installations, the data directory is often mounted on a physical drive of the server. On larger installations, the data directory is usually mounted via NFS. This can be less than ideal for very big installations with thousands of users and/or users with very big space consumption. This can result in a high load on a single mount point. +Usually, a user's home folder is located in the directory defined by the environment variable `OWNCLOUD_VOLUME_FILES` and defaults to the containers internal path `/mnt/data/files`. The directory `mnt/data` is used as Docker volume and mounted locally. In smaller installations, the bind mount is often a physically mounted drive of the server. On larger installations, this directory is usually mounted via NFS. This can be less than ideal for very big installations with thousands of users and/or users with very big space consumption. This can result in a high load on a single mount point. -ownCloud offers moving the home folder location of single users from the default location to another path outside the data directory to distribute the load to different mount points. You can also move back a user's home to the location defined in config.php. +ownCloud offers moving the home folder location of single users from the default location to another path outside the data directory to distribute the load to different mount points. You can also move back a user's home to the default location. NOTE: In general, moving a user's home should be the last step after all optimizations of the mount point have been done. Carefully monitor over a period of time the changes made before moving a user's home. @@ -186,10 +191,10 @@ For details of the occ user commands used below, see the xref:configuration/serv [source,bash,subs="attributes+"] ---- {occ-command-example-prefix-docker} user:list lisa -a home - - lisa: /var/www/owncloud/data/lisa + - lisa: /mnt/data/files/lisa ---- -Here you can see, that the home of user `lisa` is located in `/var/www/owncloud/data/lisa` +Here you can see, that the home of user `lisa` is located in `/mnt/data/files//lisa` -- . Prepare new mounts *in advance* for one or more users: @@ -241,7 +246,7 @@ The following command lists all available user homes. Note a home only gets list [source,bash,subs="attributes+"] ---- {occ-command-example-prefix-docker} user:home:list-dirs - - /var/www/owncloud/data + - /mnt/data/files - /mnt/newhome_1/lisa ---- -- @@ -253,7 +258,7 @@ The following command lists all users from a given home. [source,bash,subs="attributes+"] ---- -{occ-command-example-prefix-docker} user:home:list-users /var/www/owncloud/data +{occ-command-example-prefix-docker} user:home:list-users /mnt/data/files/ - admin - user01 ---- diff --git a/modules/admin_manual/pages/configuration/user/user_oauth2.adoc b/modules/admin_manual/pages/configuration/user/user_oauth2.adoc index df4890fd7..e83c78ae6 100644 --- a/modules/admin_manual/pages/configuration/user/user_oauth2.adoc +++ b/modules/admin_manual/pages/configuration/user/user_oauth2.adoc @@ -5,19 +5,19 @@ OAuth2 (Open Authentication) is the open industry-standard protocol for secure authorization of clients. It can be used as a way for users to grant web services or applications access to their data stored in ownCloud. The use of OAuth2 in ownCloud greatly enhances security while facilitating the integration of third party applications or web services: -* Connect ownCloud clients (Desktop, Android, iOS) through a standardized and secure authorization flow. +* Connect ownCloud apps (Desktop, Android, iOS) through a standardized and secure authorization flow. * Provide a user authorization interface for developers to facilitate the integration of ownCloud in third party applications. == Benefits Provided by the OAuth2 Interface * No user passwords are being stored in ownCloud clients or third party web applications -Instead of connecting clients with username/password, a user only needs to provide the information once in the browser. The respective client is then provided with a unique access token which is used for future connections to the ownCloud server. ownCloud clients or third party applications never get to know the actual login credentials. +Instead of connecting clients with username/password, a user only needs to provide the information once in the browser. The respective client is then provided with a unique access token which is used for future connections to the ownCloud server. ownCloud apps or third party applications never get to know the actual login credentials. -* The use of different access tokens per client provides the ability to selectively revoke user sessions +* The use of different access tokens per client provides the ability to selectively revoke user sessions. When using OAuth2 a unique access token is generated for each device or third party application. Users can check their authorized clients in the personal settings and have the ability to selectively invalidate access tokens when e.g. a device is lost. This strengthens control and access security significantly. == The OAuth2 App -OAuth2 functionality is available in ownCloud via the {oc-marketplace-url}/apps/oauth2[OAuth2] application which is available from the ownCloud Marketplace. For more information on how to set it up, see section xref:configuration/server/security/oauth2.adoc[Open Authentication (OAuth2)] +OAuth2 functionality is available `OAuth2` app which is is shipped with the ownCloud image. For more information on how to set it up, see section xref:configuration/server/security/oauth2.adoc[Open Authentication (OAuth2)] diff --git a/modules/admin_manual/pages/installation/installing_with_docker.adoc b/modules/admin_manual/pages/installation/installing_with_docker.adoc index cd76522f1..7ccb76307 100644 --- a/modules/admin_manual/pages/installation/installing_with_docker.adoc +++ b/modules/admin_manual/pages/installation/installing_with_docker.adoc @@ -202,9 +202,19 @@ a| xref:{config-sample}#override-cli-url[OWNCLOUD_OVERWRITE_CLI_URL] [NOTE] ==== * `ADMIN_USERNAME` and `ADMIN_PASSWORD` + -will not change between deploys even if you change the values in the `.env` file. + -To change them, you will need to issue `docker volume prune`, which *will delete all your data*. +The values will not change between deploys even if you change them in the `.env` file. + +These environment variables are used to the define the admin user *for system setup and first logon*. Once set, the values are fixed. ++ +-- +After the inital logon, you can: + +** Remove the envvars from the deployment, which is highly recommended. + +** xref:configuration/user/reset_admin_password.adoc[Change the admin users password] with standard CLI or webUI methods. + +** Add another admin user and delete this one, which is highly recommended. +-- + * (1) ... `localhost` is always included and cannot be removed by omitting it. It must be used if only one entry is to be defined. + * (2) ... To access ownCloud from your internal network without using an externally resolvable URL, you must add the IP address of the host or an internal resolvable URL running the container. ==== From b7a7bbbc56b1caf081a65306abfe680f543e2718 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Wed, 17 Jun 2026 00:14:32 +0200 Subject: [PATCH 4/6] fix: address PR review feedback for oc11 doc changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - user_management: remove doubled slash in /mnt/data/files//lisa and drop inconsistent trailing slash in user:home:list-users example - user_oauth2: fix broken sentence "available `OAuth2` app which is is" - user_auth_ldap: fix typo redifined -> redefined - caching_configuration: use [source,php] instead of non-standard [source,.php], drop trailing whitespace after the memcached NOTE, and fix "Redis is used of" -> "used in" - reset_user_password: label the env var block [source,.env] to match the rest of the oc11 changes - docker-compose: align indentation of the commented memcached service The reported broken xref:memcached anchor and the renamed same-site cookie anchor were verified as correct (idprefix is empty globally, so section titles auto-generate matching IDs) and left unchanged. Co-Authored-By: Claude Opus 4.8 Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .../examples/installation/docker/docker-compose.yml | 2 +- .../pages/configuration/server/caching_configuration.adoc | 8 ++++---- .../pages/configuration/user/reset_user_password.adoc | 2 +- .../pages/configuration/user/user_auth_ldap.adoc | 2 +- .../pages/configuration/user/user_management.adoc | 4 ++-- .../pages/configuration/user/user_oauth2.adoc | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/modules/admin_manual/examples/installation/docker/docker-compose.yml b/modules/admin_manual/examples/installation/docker/docker-compose.yml index 6b3cb4c43..a43762511 100644 --- a/modules/admin_manual/examples/installation/docker/docker-compose.yml +++ b/modules/admin_manual/examples/installation/docker/docker-compose.yml @@ -88,7 +88,7 @@ services: # As alternative to Redis, you can enable Memcached. # See the caching configuration documentation for more details. -# memcached: +# memcached: # image: memcached:latest # container_name: owncloud_memcached # restart: always diff --git a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc index 882ad2a59..0f4b3eb99 100644 --- a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc +++ b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc @@ -29,7 +29,7 @@ The caching backends supported by ownCloud are: * xref:apcu[APCu] + This is a data cache only and does *not* cache any opcode. APCu is part of the Docker image. * xref:redis[Redis] + - This is an in-memory data structure store (cache) for single and multi-server ownCloud installations, which provides file locking and can be set up in local or distributed environments. The required `php-redis` extension is already part of the Docker image. Redis is used of the Docker Compose deployment example. For details see the xref:installation/installing_with_docker.adoc#docker-compose[Installing With Docker] documentation. + This is an in-memory data structure store (cache) for single and multi-server ownCloud installations, which provides file locking and can be set up in local or distributed environments. The required `php-redis` extension is already part of the Docker image. Redis is used in the Docker Compose deployment example. For details see the xref:installation/installing_with_docker.adoc#docker-compose[Installing With Docker] documentation. * xref:memcached[Memcached] + This is a distributed cache for multi-server ownCloud installations and has *very limited* file locking capabilities. + Using Memcached for distributed locking is generally not recommended. Because its nodes do not communicate with each other and data isn't persistent, locks can be released unexpectedly or lost entirely if a server restarts. For reliable locking, Redis is the industry standard. @@ -107,7 +107,7 @@ Please read more about the instructions for the {redis_select_url}[select] and { Memcached is a reliable old-timer for shared caching on distributed servers. It performs well with ownCloud with one exception: it is not suitable to use with Transactional File Locking. This is because it does not store locks, and data can disappear from the cache at any time. Given that, Redis is the best memory cache to use. NOTE: The `memcached` PHP extension is already embedded in the Docker image and enabled. - + == Configuring Memory Caching Memory caches must be provided and explicitly configured in ownCloud by: @@ -149,7 +149,7 @@ OWNCLOUD_REDIS_PORT=6379 * If Redis is enabled, two additional configurations are set automatically: + -- -[source,.php] +[source,php] ---- 'memcache.locking' => '\OC\Memcache\Redis' 'memcache.distributed' => '\OC\Memcache\Redis' @@ -193,7 +193,7 @@ Additional memcached options can be set with the environment variable `OWNCLOUD_ * If Memcached is enabled, two additional configurations are set automatically: + -- -[source,.php] +[source,php] ---- 'memcache.locking' => '\OC\Memcache\Memcached' 'memcache.distributed' => '\OC\Memcache\Memcached' diff --git a/modules/admin_manual/pages/configuration/user/reset_user_password.adoc b/modules/admin_manual/pages/configuration/user/reset_user_password.adoc index 5f99369c0..e2b97bd25 100644 --- a/modules/admin_manual/pages/configuration/user/reset_user_password.adoc +++ b/modules/admin_manual/pages/configuration/user/reset_user_password.adoc @@ -3,7 +3,7 @@ The ownCloud login screen displays a *Wrong password. Reset it?* message after a user enters an incorrect password, and then ownCloud automatically resets their password. However, if you are using a read-only authentication backend such as LDAP or Active Directory, this will not work. In this case you may specify a custom URL with an environment variable to direct your user to a server than can handle an automatic reset: -[source,php] +[source,.env] ---- OWNCLOUD_LOST_PASSWORD_LINK='https://example.org/link/to/password/reset' ---- diff --git a/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc b/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc index d06fbda9a..2b0ba3705 100644 --- a/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc +++ b/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc @@ -571,7 +571,7 @@ Email Field:: User Home Folder Naming Rule:: + -- -By default, the ownCloud server creates the user directory in your ownCloud data directory and gives it the ownCloud username, e.g., `/mnt/data/files/5a9df029-322d-4676-9c80-9fc8892c4e4b`. Note that `/mnt/data/files` is the default in the container, part of the Docker volume and can be redifined if required. +By default, the ownCloud server creates the user directory in your ownCloud data directory and gives it the ownCloud username, e.g., `/mnt/data/files/5a9df029-322d-4676-9c80-9fc8892c4e4b`. Note that `/mnt/data/files` is the default in the container, part of the Docker volume and can be redefined if required. It is possible to override this setting and name it after an LDAP attribute value, e.g., `attr:cn`. The attribute can return either an absolute path, e.g., `/mnt/storage43/alice`, or a relative path which must not begin with a `/`, e.g., `CloudUsers/CookieMonster`. This relative path is then created inside the data directory (e.g., `/mnt/data/files/CloudUsers/CookieMonster`). diff --git a/modules/admin_manual/pages/configuration/user/user_management.adoc b/modules/admin_manual/pages/configuration/user/user_management.adoc index 2d241825e..e31cf7e10 100644 --- a/modules/admin_manual/pages/configuration/user/user_management.adoc +++ b/modules/admin_manual/pages/configuration/user/user_management.adoc @@ -194,7 +194,7 @@ For details of the occ user commands used below, see the xref:configuration/serv - lisa: /mnt/data/files/lisa ---- -Here you can see, that the home of user `lisa` is located in `/mnt/data/files//lisa` +Here you can see, that the home of user `lisa` is located in `/mnt/data/files/lisa` -- . Prepare new mounts *in advance* for one or more users: @@ -258,7 +258,7 @@ The following command lists all users from a given home. [source,bash,subs="attributes+"] ---- -{occ-command-example-prefix-docker} user:home:list-users /mnt/data/files/ +{occ-command-example-prefix-docker} user:home:list-users /mnt/data/files - admin - user01 ---- diff --git a/modules/admin_manual/pages/configuration/user/user_oauth2.adoc b/modules/admin_manual/pages/configuration/user/user_oauth2.adoc index e83c78ae6..021d18ce0 100644 --- a/modules/admin_manual/pages/configuration/user/user_oauth2.adoc +++ b/modules/admin_manual/pages/configuration/user/user_oauth2.adoc @@ -20,4 +20,4 @@ When using OAuth2 a unique access token is generated for each device or third pa == The OAuth2 App -OAuth2 functionality is available `OAuth2` app which is is shipped with the ownCloud image. For more information on how to set it up, see section xref:configuration/server/security/oauth2.adoc[Open Authentication (OAuth2)] +OAuth2 functionality is available via the `OAuth2` app which is shipped with the ownCloud image. For more information on how to set it up, see section xref:configuration/server/security/oauth2.adoc[Open Authentication (OAuth2)] From d07f062bb4fe58b356a0ba81f6f551b50957bb71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Wed, 17 Jun 2026 00:27:21 +0200 Subject: [PATCH 5/6] fix: address round-2 review feedback for oc11 doc changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - caching_configuration: make Memcached section heading levels symmetric with Redis (=== Memcached Configuration, ==== Clearing the Memcached Cache) so the page structure/TOC nests correctly; fix unbalanced quotes and inconsistent port naming in the commented multi-host example - installing_with_docker: fix typos "used to the define" -> "used to define" and "inital" -> "initial" - user_management: add missing leading slash and article in "/mnt/data is used as a Docker volume" Co-Authored-By: Claude Opus 4.8 Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .../pages/configuration/server/caching_configuration.adoc | 6 +++--- .../pages/configuration/user/user_management.adoc | 2 +- .../pages/installation/installing_with_docker.adoc | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc index 0f4b3eb99..4d8c6a4c8 100644 --- a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc +++ b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc @@ -167,7 +167,7 @@ OWNCLOUD_MEMCACHE_LOCAL='\OC\Memcache\Redis' CAUTION: ownCloud provides many configuration options for Redis, including enhanced security features such as password protection. See the Redis security URL and the ownCloud environment variables for more details. -== Memcached Configuration +=== Memcached Configuration If you select Memcached, you must enable it via environment variables. The example value for the host setting assumes that you have used the ownCloud Docker Compose deployment example. Adapt this value for your setup. @@ -183,7 +183,7 @@ OWNCLOUD_MEMCACHED_PORT=11211 ==== If you are using multiple memcached servers, omit `OWNCLOUD_MEMCACHED_PORT` and use the following notation: -`OWNCLOUD_MEMCACHED_HOST="'host_1',port1,host_2',port_2"` +`OWNCLOUD_MEMCACHED_HOST="'host_1',port_1,'host_2',port_2"` ==== //// @@ -200,7 +200,7 @@ Additional memcached options can be set with the environment variable `OWNCLOUD_ ---- -- -=== Clearing the Memcached Cache +==== Clearing the Memcached Cache The Memcached cache can be flushed from the command line, using a range of common Linux/Unix tools including netcat and telnet. The following example uses telnet to log in, run the flush_all command, and log out: diff --git a/modules/admin_manual/pages/configuration/user/user_management.adoc b/modules/admin_manual/pages/configuration/user/user_management.adoc index e31cf7e10..95afb93ff 100644 --- a/modules/admin_manual/pages/configuration/user/user_management.adoc +++ b/modules/admin_manual/pages/configuration/user/user_management.adoc @@ -173,7 +173,7 @@ When a user clicks on one of these buttons, the admin group will receive an emai == Moving the User Home -Usually, a user's home folder is located in the directory defined by the environment variable `OWNCLOUD_VOLUME_FILES` and defaults to the containers internal path `/mnt/data/files`. The directory `mnt/data` is used as Docker volume and mounted locally. In smaller installations, the bind mount is often a physically mounted drive of the server. On larger installations, this directory is usually mounted via NFS. This can be less than ideal for very big installations with thousands of users and/or users with very big space consumption. This can result in a high load on a single mount point. +Usually, a user's home folder is located in the directory defined by the environment variable `OWNCLOUD_VOLUME_FILES` and defaults to the containers internal path `/mnt/data/files`. The directory `/mnt/data` is used as a Docker volume and mounted locally. In smaller installations, the bind mount is often a physically mounted drive of the server. On larger installations, this directory is usually mounted via NFS. This can be less than ideal for very big installations with thousands of users and/or users with very big space consumption. This can result in a high load on a single mount point. ownCloud offers moving the home folder location of single users from the default location to another path outside the data directory to distribute the load to different mount points. You can also move back a user's home to the default location. diff --git a/modules/admin_manual/pages/installation/installing_with_docker.adoc b/modules/admin_manual/pages/installation/installing_with_docker.adoc index 7ccb76307..fda1d158f 100644 --- a/modules/admin_manual/pages/installation/installing_with_docker.adoc +++ b/modules/admin_manual/pages/installation/installing_with_docker.adoc @@ -203,10 +203,10 @@ a| xref:{config-sample}#override-cli-url[OWNCLOUD_OVERWRITE_CLI_URL] ==== * `ADMIN_USERNAME` and `ADMIN_PASSWORD` + The values will not change between deploys even if you change them in the `.env` file. + -These environment variables are used to the define the admin user *for system setup and first logon*. Once set, the values are fixed. +These environment variables are used to define the admin user *for system setup and first logon*. Once set, the values are fixed. + -- -After the inital logon, you can: +After the initial logon, you can: ** Remove the envvars from the deployment, which is highly recommended. + ** xref:configuration/user/reset_admin_password.adoc[Change the admin users password] with standard CLI or webUI methods. + From 3dc070276464233e452459a1e20d868735fe709b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Wed, 17 Jun 2026 00:33:00 +0200 Subject: [PATCH 6/6] fix: address round-3 review feedback for oc11 doc changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - user_management: reword the external-storage quota prose to reference the environment variable instead of config.php (the example was already converted to OWNCLOUD_QUOTA_INCLUDE_EXTERNAL_STORAGE) and fix the malformed ".:" punctuation - user_auth_ldap: trim trailing whitespace and a double space on lines rewritten by this PR Co-Authored-By: Claude Opus 4.8 Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .../pages/configuration/user/user_auth_ldap.adoc | 8 ++++---- .../pages/configuration/user/user_management.adoc | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc b/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc index 2b0ba3705..c710d04f2 100644 --- a/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc +++ b/modules/admin_manual/pages/configuration/user/user_auth_ldap.adoc @@ -395,7 +395,7 @@ Example: Backup (Replica) Port:: + -- -The connection port of the backup LDAP server. If no port is supplied, but only a host, then the main port (as specified above) will be used. +The connection port of the backup LDAP server. If no port is supplied, but only a host, then the main port (as specified above) will be used. Example: @@ -626,11 +626,11 @@ It also will take effect when a user or group's DN changes and an old UUID was c Username-LDAP User Mapping:: + -- -ownCloud uses usernames as keys to store and assign data. In order to precisely identify and recognize users, each LDAP user will have an internal username in ownCloud. This requires a mapping from an ownCloud username to an LDAP user. +ownCloud uses usernames as keys to store and assign data. In order to precisely identify and recognize users, each LDAP user will have an internal username in ownCloud. This requires a mapping from an ownCloud username to an LDAP user. The created username is mapped to the UUID of the LDAP user. Additionally, the DN is cached to reduce LDAP interaction, but it is not used for identification. If the DN changes, the change will be detected by ownCloud by checking the UUID value. -The same is valid for groups. The internal ownCloud name is used all over in ownCloud. Clearing the mappings will have leftovers everywhere. +The same is valid for groups. The internal ownCloud name is used all over in ownCloud. Clearing the mappings will have leftovers everywhere. Never clear the mappings in a production environment, but only in a testing or experimental server. IMPORTANT: Clearing the mappings is not configuration sensitive, it affects all LDAP configurations! @@ -715,7 +715,7 @@ Check: `/etc/ldap/ldap.conf` and `/etc/openldap/ldap.conf` -and look for +and look for `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` diff --git a/modules/admin_manual/pages/configuration/user/user_management.adoc b/modules/admin_manual/pages/configuration/user/user_management.adoc index 95afb93ff..ed5ae7eb2 100644 --- a/modules/admin_manual/pages/configuration/user/user_management.adoc +++ b/modules/admin_manual/pages/configuration/user/user_management.adoc @@ -139,7 +139,7 @@ Click the btn:[gear] icon on the lower left pane to set a default storage quota. === External Storage Quota -You now have a configurable option in `config.php` that controls whether external storage is counted against user’s quotas. This is still experimental and may not work as expected. The default is to not counting external storage as part of user storage quotas. If you prefer to include it, then change the default `false` to `true`.: +You have a configurable environment variable that controls whether external storage is counted against user’s quotas. This is still experimental and may not work as expected. The default is to not count external storage as part of user storage quotas. If you prefer to include it, set the value to `true`: [source,.env] ----