From 14127bec2ab5353e32eb3083c2004ca80d0784f7 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Tue, 13 Jun 2017 21:47:06 +0200 Subject: [PATCH] document LDAP API Signed-off-by: Arthur Schiwon --- admin_manual/configuration_user/index.rst | 1 + .../configuration_user/user_auth_ldap_api.rst | 252 ++++++++++++++++++ 2 files changed, 253 insertions(+) create mode 100644 admin_manual/configuration_user/user_auth_ldap_api.rst diff --git a/admin_manual/configuration_user/index.rst b/admin_manual/configuration_user/index.rst index 18ac09090..f3d3a9170 100644 --- a/admin_manual/configuration_user/index.rst +++ b/admin_manual/configuration_user/index.rst @@ -13,4 +13,5 @@ User Management user_auth_ftp_smb_imap user_auth_ldap user_auth_ldap_cleanup + user_auth_ldap_api user_provisioning_api diff --git a/admin_manual/configuration_user/user_auth_ldap_api.rst b/admin_manual/configuration_user/user_auth_ldap_api.rst new file mode 100644 index 000000000..82c97c5ce --- /dev/null +++ b/admin_manual/configuration_user/user_auth_ldap_api.rst @@ -0,0 +1,252 @@ +====================== +LDAP Configuration API +====================== + +Any used method requires the a header "OCS-APIREQUEST" set to "true". And any method takes an optional "format" parameter, which accepts "xml" (default) or "json". + +Methods +======= + +Creating a configuration +------------------------ + +Creates a new and empty LDAP configuration. It returns its ID. Authentication is done by sending a +basic HTTP authentication header. + +**Syntax: ocs/v2.php/apps/user_ldap/api/v1/config** + +* HTTP method: POST + +Example +^^^^^^^ + +* POST ``https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config`` -H "OCS-APIREQUEST: true" +* Creates a new, empty configuration + +XML Output +^^^^^^^^^^ + +.. code-block:: xml + + + + + ok + 200 + OK + + + s01 + + + + +Deleting a configuration +------------------------ + +Deletes a given LDAP configuration. Authentication is done by sending a basic HTTP authentication header. + +**Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}** + +* HTTP method: DELETE + +Example +^^^^^^^ + +* DELETE ``https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s02 -H "OCS-APIREQUEST: true"`` +* deletes the LDAP configuration + +XML Output +^^^^^^^^^^ + +.. code-block:: xml + + + + + ok + 200 + OK + + + + + +Reading a configuration +----------------------- + +Returns all keys and values of the specified LDAP configuration. Authentication is done by sending a basic HTTP authentication header. + +**Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}** + +* HTTP method: GET +* url argument: showPassword - int, optional, default 0, whether to return the password in clear text + +Example +^^^^^^^ + +* GET ``https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s02?showPassword=1 -H "OCS-APIREQUEST: true"`` +* fetches the LDAP configuration + +XML Output +^^^^^^^^^^ + +.. code-block:: xml + + + + + ok + 200 + OK + + + ldap://ldap.server.tld + 389 + + + ou=Department XLII,dc=example,dc=com + ou=users,ou=Department XLII,dc=example,dc=com + ou=Department XLII,dc=example,dc=com + cn=root,dc=example,dc=com + Secret + 1 + 0 + + displayname + uid + gidNumber + inetOrgPerson + + (&(objectclass=nextcloudUser)(nextcloudEnabled=TRUE)) + 1 + (&(|(objectclass=nextcloudGroup))) + 0 + nextcloudGroup + + memberUid + cn + (&(|(objectclass=inetOrgPerson))(uid=%uid)) + 0 + 0 + 1 + + + 20 MB + mail + 600 + auto + auto + + 1 + uid;sn;givenname + + 0 + attr:mail + + 1 + 1 + + + + 0 + 0 + 500 + 1 + + + + + +Modifying a configuration +------------------------- + +Updates a configuration with the provided values. Authentication is done by sending a basic HTTP authentication header. + +**Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}** + +* HTTP method: PUT +* url argument: configData - array, see table below for the fields. All fields are optional. The values must be url-encoded. + +Example +^^^^^^^ + +* PUT ``https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s01 -H "OCS-APIREQUEST: true" -d "configData[ldapHost]=ldap%3A%2F%2Fldap.server.tld &configData[ldapPort]=389"`` +* fetches the LDAP configuration + +XML Output +^^^^^^^^^^ + +.. code-block:: xml + + + + + ok + 200 + OK + + + + +Configuration Keys +================== + + +-------------------------------+------+----------+-----------------------------------------------------------------------------------------------------------------------+ + | Key | mode | required |description | + +-------------------------------+------+----------+-----------------------------------------------------------------------------------------------------------------------+ + | ldapHost | rw | yes | LDAP server host, supports protocol | + | ldapPort | rw | yes | LDAP server port | + | ldapBackupHost | rw | no | LDAP replica host | + | ldapBackupPort | rw | no | LDAP replica port | + | ldapOverrideMainServer | rw | no | Whether replica should be used instead | + | ldapBase | rw | yes | Base | + | ldapBaseUsers | rw | no | Base for users, defaults to general base if not specified | + | ldapBaseGroups | rw | no | Base for groups, defaults to general base if not specified | + | ldapAgentName | rw | no | DN for the (service) user to connect to LDAP | + | ldapAgentPassword | rw | no | Password for the service user | + | ldapTLS | rw | no | Whether to use StartTLS | + | turnOffCertCheck | rw | no | Turns off certificate validation for TLS connections | + | ldapIgnoreNamingRules | rw | no | Backwards compatibility, do not set it. | + | ldapUserDisplayName | rw | yes | Attribute used as display name for users | + | ldapUserDisplayName2 | rw | no | Additional attribute, if set show on brackets next to the main attribute | + | ldapGidNumber | rw | no | group ID attribute, needed for primary groups on OpenLDAP (and compatible) | + | ldapUserFilterObjectclass | rw | no | set by the Settings Wizard (web UI) | + | ldapUserFilterGroups | rw | no | set by the Settings Wizard (web UI) | + | ldapUserFilter | rw | yes | LDAP Filter used to retrieve user | + | ldapUserFilterMode | rw | no | used by the Settings Wizard, set to 1 for manual editing | + | ldapAttributesForUserSearch | rw | no | attributes to be matched when searching for users. separate by ; | + | ldapGroupFilter | rw | no | LDAP Filter used to retrieve groups | + | ldapGroupFilterMode | rw | no | used by the Settings Wizard, set to 1 for manual editing | + | ldapGroupFilterObjectclass | rw | no | set by the Settings Wizard (web UI) | + | ldapGroupFilterGroups | rw | no | set by the Settings Wizard (web UI) | + | ldapGroupMemberAssocAttr | rw | no | attribute that indicates group members, one of: member, memberUid, uniqueMember, gidNumber | + | ldapGroupDisplayName | rw | no | Attribute used as display name for groups, required if groups are used | + | ldapAttributesForGroupSearch | rw | no | attributes to be matched when searching for groups. separate by ; | + | ldapLoginFilter | rw | yes | LDAP Filter used to authenticate users | + | ldapLoginFilterMode | rw | no | used by the Settings Wizard, set to 1 for manual editing | + | ldapLoginFilterEmail | rw | no | set by the Settings Wizard (web UI) | + | ldapLoginFilterUsername | rw | no | set by the Settings Wizard (web UI) | + | ldapLoginFilterAttributes | rw | no | set by the Settings Wizard (web UI) | + | ldapQuotaAttribute | rw | no | LDAP attribute containing the quote value (per user) | + | ldapQuotaDefault | rw | no | Default Quota, if specified quota attribute is empty | + | ldapEmailAttribute | rw | no | LDAP attribute containing the email address (takes first if multiple are stored) | + | ldapCacheTTL | rw | no | How long results from LDAP are cached, defaults to 10min | + | ldapUuidUserAttribute | r | no | set in runtime | + | ldapUuidGroupAttribute | r | no | set in runtime | + | ldapConfigurationActive | rw | no | whether this configuration is active. 1 is on, 0 is off. | + | ldapExperiencedAdmin | rw | no | used by the Settings Wizard, set to 1 for manual editing | + | homeFolderNamingRule | rw | no | LDAP attribute to use a user folder name | + | hasPagedResultSupport | r | no | set in runtime | + | hasMemberOfFilterSupport | r | no | set in runtime | + | useMemberOfToDetectMembership | rw | no | Whether to use memberOf to detect group memberships | + | ldapExpertUsernameAttr | rw | no | LDAP attribute to use as internal username. Might be modified (e.g. to avoid name collisions, character restrictions) | + | ldapExpertUUIDUserAttr | rw | no | override the LDAP servers UUID attribute to identify LDAP user records | + | ldapExpertUUIDGroupAttr | rw | no | override the LDAP servers UUID attribute to identify LDAP group records | + | lastJpegPhotoLookup | r | no | set in runtime | + | ldapNestedGroups | rw | no | Whether LDAP supports nested groups | + | ldapPagingSize | rw | no | Number of results to return per page | + | turnOnPasswordChange | rw | no | Whether users are allowed to change passwords (hashing must happen on LDAP!) | + | ldapDynamicGroupMemberURL | rw | no | URL for dynamic groups | + | ldapDefaultPPolicyDN | rw | no | PPolicy DN for password rules | + +-------------------------------+------+----------+-----------------------------------------------------------------------------------------------------------------------+