Cleanup admin manual from enterprise apps

Joas Schilling
2016-07-13 17:59:00 +02:00
parent 2d35309f90
commit f28c228322
68 changed files with 15 additions and 2333 deletions

@@ -13,12 +13,12 @@ The MySQL or MariaDB databases are the recommended database engines.
Requirements
------------
Choosing to use MySQL / MariaDB, PostgreSQL, or Oracle (ownCloud Enterprise
edition only) as your database requires that you install and set up the server
software first.
(Oracle users, see :doc:`../enterprise_installation/oracle_db_configuration`.)
Choosing to use MySQL / MariaDB, PostgreSQL, or Oracle as your database
requires that you install and set up the server software first.
.. note:: The steps for configuring a third party database are beyond the scope of this document. Please refer to the documentation for your specific database choice for instructions.
.. note:: The steps for configuring a third party database are beyond the
scope of this document. Please refer to the documentation for your specific
database choice for instructions.
.. _db-binlog-label:
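
Review bot: In the reworded Requirements sentence, Oracle is still listed next to MySQL / MariaDB and PostgreSQL, but both the "Enterprise edition only" qualifier and the pointer to `../enterprise_installation/oracle_db_configuration` are gone, so the page now offers Oracle with no setup reference at all. If Oracle is supported here, link to wherever its configuration is documented; if it is not, remove it from the sentence instead of only removing the qualifier.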

@@ -124,7 +124,7 @@ will return memory-related errors:
* ``output_buffering = 0``
Configuring Nextcloud
--------------------
---------------------
As an alternative to the ``upload_tmp_dir`` of PHP (e.g. if you don't have access to your
``php.ini``) you can also configure a temporary location for uploaded files by using the

@@ -55,7 +55,7 @@ is a few steps on the originating server.
You may disconnect the share at any time by clicking the trash can icon.
Configuring Trusted Nextcloud Servers
------------------------------------
-------------------------------------
You may create a list of trusted Nextcloud servers for Federation sharing. This
allows your linked Nextcloud servers to share user directories, and to auto-fill

@@ -41,11 +41,3 @@ Additional options are:
* ``disabled``
Disable Versions; no files will be deleted.
Enterprise File Retention
-------------------------
Enterprise customers have additional tools for managing file retention
policies; see :doc:`../enterprise_file_management/files_tagging`.

@@ -17,19 +17,3 @@ Table of Contents
maintenance/index
operations/index
issues/index
Enterprise Edition Only
-----------------------
.. toctree::
:maxdepth: 2
enterprise_installation/index
enterprise_clients/index
enterprise_server_branding/index
enterprise_external_storage/index
enterprise_user_management/index
enterprise_file_management/index
enterprise_logging/index
enterprise_firewall/index
enterprise_troubleshooting
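
Review bot: With the "Enterprise Edition Only" toctree removed at the end of the table of contents, any `:doc:` reference into an `enterprise_*` path that survives in a kept page becomes a broken cross-reference. This commit removes two of them (`../enterprise_installation/oracle_db_configuration` and `../enterprise_file_management/files_tagging`); please search the remaining sources for `enterprise_` and check that the documentation builds without missing-document warnings before merging.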

@@ -1,47 +0,0 @@
==============================================
Creating Branded Client Apps (Enterprise Only)
==============================================
Overview
--------
ownBrander is an ownCloud build service that is exclusive to Enterprise
customers for creating branded Android and iOS ownCloud sync apps, and branded
ownCloud desktop sync clients. You build your apps with the
ownBrander app on your `Customer.owncloud.com
<https://customer.owncloud.com/owncloud/>`_ account, and within 24-48 hours
the completed, customized apps are loaded into your account. You must supply
your own artwork, and you'll find all the specifications and required elements
in ownBrander.
.. image:: ../images/ownbrander-1.png
Building a Branded Desktop Sync Client
--------------------------------------
See `Building Branded ownCloud Clients (Enterprise Only)`_ for instructions on
building your own branded desktop sync client, and for setting up an automatic
update service.
Your users may run both a branded and un-branded desktop sync client
side-by-side. Both clients run independently of each other, and do not share
account information or files.
Building a Branded iOS App
--------------------------
Building and distributing your branded iOS ownCloud app involves a large number
of interdependent steps. The process is detailed in the `Building Branded
ownCloud Clients (Enterprise Only)`_ manual. Follow these instructions exactly
and in order, and you will have a nice branded iOS app that you can distribute
to your users.
Building an Android App
-----------------------
Building and distributing your branded Android ownCloud app is fairly simple,
and the process is detailed in
`Building Branded ownCloud Clients (Enterprise Only)`_.
.. _Building Branded ownCloud Clients (Enterprise Only):
https://doc.owncloud.com/branded_clients/

@@ -1,6 +0,0 @@
===================================
Custom Client Download Repositories
===================================
See :doc:`../configuration_server/custom_client_repos` to learn how test and
configure custom download repository URLs for your branded clients.
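
Review bot: The only content of this deleted stub is a link to `../configuration_server/custom_client_repos`, a page outside the enterprise directories that the stub describes as covering download repository URLs "for your branded clients". If that target page stays in the tree, it is branded-client material that has lost this entry point; either remove it in the same commit or confirm that it still applies and is linked from elsewhere.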

@@ -1,11 +0,0 @@
==================================
Creating Branded Nextcloud Clients
==================================
.. toctree::
:maxdepth: 3
creating_branded_apps
custom_client_repos

@@ -1,54 +0,0 @@
======================================
Enterprise-Only Authentication Options
======================================
In ownCloud 9.0+, there are five authentication backends for external storage
mounts:
* Username and password
* Log-in credentials, save in session
* Log-in credentials, save in database
* User entered, store in database
* Global credentials
The first two are common to all editions of ownCloud, and the last three are
only in the Enterprise edition. These are available to:
* FTP
* ownCloud
* SFTP
* SMB/CIFS
* WebDAV
* Windows Network Drive
Username and password
This is the default; a login entered by the admin when the external mount is
created. The login is stored in the database, which allows sharing, and
background jobs, such as file scanning, to operate.
Log-in credentials, save in session
Credentials are only stored in the session and not captured in the database.
Files cannot be shared, as credentials are not stored.
Log-in credentials, save in database
Credentials are stored in the database, and files can be shared.
User entered, store in database
Users provide their own login credentials, rather than using admin-supplied
credentials. User credentials are stored in the database, and files can be
shared.
Global credentials
Re-usable credentials entered by the admin, files can be shared.
Global credentials are entered in a separate form.
.. figure:: images/auth_backends-2.png
:alt: Global credentials form.
Use the dropdown selector to choose the authentication backend when you create a
new external mount.
.. figure:: images/auth_backends.png
:alt: Authentication dropdown selector.
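
Review bot: In the backend list of this deleted page, the text says the first two backends ("Username and password" and "Log-in credentials, save in session") are common to all editions, yet the whole file is removed and their descriptions go with it. The difference between credentials stored in the database (sharing and background jobs work) and credentials kept only in the session (files cannot be shared) matters to admins of any edition when they choose a backend; consider moving those two definitions into the general external storage documentation instead of dropping them.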

Binary file not shown.

Before

Width:  |  Height:  |  Size: 44 KiB

@@ -1,14 +0,0 @@
==================================
External Storage (Enterprise only)
==================================
.. toctree::
:maxdepth: 2
enterprise_only_auth
ldap_home_connector_configuration
sharepoint-integration_configuration
windows-network-drive_configuration
s3_swift_as_primary_object_store_configuration
jive_configuration

@@ -1,503 +0,0 @@
================
Jive Integration
================
.. toctree::
:maxdepth: 2
:hidden:
The Jive application allows Jive users to access files stored in Jive
from a mobile device, tablet, or desktop client. Users have complete access
through ownCloud Enterprise edition to upload, edit or download their files.
Jive can be configured as a data storage location for ownCloud, which means
files saved in Jive appear in folders within ownCloud. Jive remains the system
of record while ownCloud acts as a proxy, providing end-to-end file access for
users at their desks and on the go.
Configuration
=============
The Jive application is installed under the owncloud/apps directory on the server and enabled via the ownCloud
admin screen. This app is only available for ownCloud EE v6 or higher. Go to the ownCloud admin screen section
“Jive backend parameters” to configure the app to match your Jive server system parameters.
.. image:: ../images/jive_config.png
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Parameter | Description | Values |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Https | Verify the https server certificate. Certificate must be installed on the system. | Checkbox enabled/disable |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Authentication | Chose the Authentication mechanism to use against Jive | basic OR oAuth |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive api url | URL string pointing to the Jive API | Example: https://mycompany.jiveon.com/api/core/v3/ |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive FS mount point | Folder where the Jive File share will be mounted | String value up to 10 characters max |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive category filter | List of categories that files have to be shown | Jive categories list, or blank |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive category separator | Separator for Jive categories list | Comma by default or any single character |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive tag filter | Tag to use for private stuff in jive | Jive tag or blank |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive forbidden extensions | List of forbidden extensions | Examples include: .exe,.zip |
| | | |
| | These will not be allowed for upload or download with Jive. | |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive forbidden extensions separator | Use this character to separate the list of extensions | Comma by default or any single character |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive maximum upload filesize | Maximum file size allowed in MB. This includes upload and downloads. | Numeric value |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive private folder | Folder name for private stuff in Jive | String value up to 250 characters max |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Activate large file sharing for Jive | Enable the large file sharing subsystem. This allows storage of files that are too large for Jive to be stored on the ownCloud server and available via the ownCloud web, mobile and desktop interfaces. | Checkbox enable/disable |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Jive large file sharing FS mount point | Folder where the Jive large sharing File Share will be mounted | String value up to 10 characters max |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
| Show groups of which you are a member | If this is not checked, the plugin will show all available groups for you matching the filter, even groups that you are not a member | Enable/disable |
| | | |
+----------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------+
Use Cases
=========
The ownCloud Jive plugin can be used in various ways to extend the access to the Jive content across multiple devices.
Web Client Use Cases
--------------------
.. image:: ../images/jive_2.png
:width: 3.2398in
:height: 2.9898in
* Create a folder in the “Jive File Share” Web Client folder to create a new Jive Group.
* Verify the Group is created in Jive.
* Create a new Group in Jive and upload a file to that Group.
* Check the Web Client and download the file.
* Verify that file is the same as the uploaded file.
* Upload a file in the “Too Big For” Jive folder, and create the link in a Jive document.
* Verify that file link is in Jive.
* Download the file via the link, and verify it is the same as the uploaded file.
* Upload a file to the private “My Jive” Web Client folder.
* Check your Jive content and make sure the file has been uploaded.
* Download the file and verify it is the same as the uploaded file.
Mobile Client Use Cases (iOs and Android)
-----------------------------------------
Create a new folder in the Mobile Client to create a new Jive Group.
Upload a file in the Web Client folder, and see that file in the corresponding Jive Group.
Desktop Client Use Cases
------------------------
Create a folder in the Desktop Client to create a new Jive Group.
Upload a file in the Desktop Client folder, and see that file in the corresponding Jive Group.
The ownCloud folder structure hierarchy matches the Jive Groups the user can access. Sub folders under the Jive Group
folders that are created on the desktop will not sync to ownCloud or Jive because they will not match the Jive “Group”
view. If a sub folder is created under the Jive Group desktop folder, the desktop client will display an error that
this operation is not allowed. For example; if the folder structure is “JiveFileShare/GroupA”, any sub folder under
GroupA will not be synced to ownCloud or Jive.
Configuring the Jive app
========================
This section explains how each configuration parameter changes the behavior of the app.
Verify https certificate
------------------------
If your Jive server is under https, it must provide a https certificate when a client connects to it. Curl (the client
that ownCloud is using to connect to Jive) usually verify that certificate, but to do that you must somehow supply
a CA cert so curl can verify against.
This feature is usually turn off to make the Jive app easier to use, because in this case curl won't verify the
certificate, so you don't need to have installed the CA cert. However, turning this off could be a security issue:
you could be connecting to a fake Jive server without notice.
If you want to turn on this feature, you must get the CA cert of the server (check “
`http://curl.haxx.se/docs/sslcerts.html <http://curl.haxx.se/docs/sslcerts.html>`_
” for more information about how you can get the file you need)
and install it in your ownCloud server.
In order to know where you should install the CA cert, you can run
curl -v
`https://yourserver.com/ <https://yourserver.com/>`_
You should look the output for a line with the CA path:
* successfully set certificate verify locations:
* CAfile: none
* CApath: /etc/ssl/certs
That's the place where you should install the CA cert.
Once you have installed the CA cert, you should run again the same curl:
curl -v
`https://yourserver.com/ <https://yourserver.com/>`_
And look for:
* Server certificate:
* subject: *********
* start date: ***********
* expire date: *********
* subjectAltName: ***********
* issuer: **********
* SSL certificate verify ok.
If the SSL is verified correctly (“SSL certificate verify ok.”), you just need to activate the checkbox.
Curl usually comes installed with some CA certs by default, so all the previous steps might not be needed. Just check
that curl can connect to your Jive server, and if so, activate this feature.
Authentication mechanism to use against Jive
--------------------------------------------
To be able to access to Jive, the ownCloud plugin needs to use some kind of authentication. At this time, the plugin
supports basic and oAuth authentication.
Basic authentication
^^^^^^^^^^^^^^^^^^^^
In order to use basic authentication, you should take into account the following things:
* The credentials used to access to ownCloud must match the ones used to connect to Jive. This means that if you
access to ownCloud with a user “PeterP” and password “PeterPassword”, the same user must exist in Jive with the same
password. Otherwise, the user won't be able to access to Jive.
* If the credentials (typically the password) changes in one side, it must change in the other. You'll need to this manually.
The usage of basic authentication isn't recommended due to the following reasons:
* We need to store the password and be able to recover it. Although the password is stored encrypted, this is
not strictly secure.
* Passwords are sent to the server in almost plain text. In fact it's a base64 encoded string of user and password,
but that's all the security the authentication provides.
If you plan to use basic authentication, at least make sure you connect through HTTPS protocol and inside a local LAN if possible.
oAuth authentication
^^^^^^^^^^^^^^^^^^^^
First of all, make sure Jive is prepared to support this authentication.
The usage of this authentication method solves the issue of having the same credentials in both ownCloud and Jive
server. This means that the ownCloud user “PeterP” with password “PeterPassword” can access to the contents of the Jive
user “John” with password “John007”. It's also possible that another ownCloud user “AliceK” access to the contents of
the Jive user “John” too at the same time.
Keep in mind that this isn't insecure: any ownCloud user that wants to access to John's Jive content (following
this little example) MUST know his Jive password.
If this authentication method is set, we don't store passwords BUT we still need to store some other things. These things are stored in plain text.
These are the steps to make it work (if your Jive server support this authentication):
#. Activate the oAuth authentication in the ownCloud admin settings (just the admin can do this)
#. Go to the ownCloud web interface, in the files app. A popup will appear.
#. Click on the link that appear in the popup
#. You'll get redirected to a Jive page asking for your Jive credentials. If this is not the case, it's recommended
to clean the browser cache and start again (to point 2) because you might be accessing to Jive with another user.
#. After entering your Jive credentials, you get redirected a page with an activation code. If you entered the
wrong credentials, you might not get redirected to that page. If this is the case click
in the link again in the ownCloud popup (point 3) which will redirect you to the activation code page.
#. Copy the activation code into the ownCloud popup,
and click in the “send code” button. If there is no error, you're done.
WARNING:
Not all the oAuth flows are covered by the plugin. The expiration of the access token is handled automatically by
the plugin, so it will request a new access token if needed. HOWEVER, the expiration of the refresh token isn't
covered, so the plugin will likely stop working for that user (we won't be able to get more access tokens)
[Ask for info to know how to solve this issue?]
It's very important that the user access to ownCloud through the web interface first, so the user goes through
the oAuth flow for the first time (as described with the steps above) to get an access token. Otherwise, the
plugin won't get an access token and the user won't be able to get the files from Jive.
Jive API URL
------------
You'll need to enter the full URL of the Jive API. This includes the protocol (HTTP or HTTPS) and the port (if any).
An example of API URL could be: “
`https://myjiveserver.com/api/core/v3/ <https://myjiveserver.com/api/core/v3/>`_
Notice the following things:
* You must specify a protocol that is understandable by curl. Under normal circumstances, the protocol is limited to HTTP or HTTPS.
* If your server is under a port different than the 80, you'll need to specify it. Take “
`https://jserver.prv:9999/api/core/v3/ <https://jserver.prv:9999/api/core/v3/>`_
” as an example
* If your server isn't under the root URL, you can also specify the correct path: “
`https://myserver.prv:8888/path/to/jive/api/core/v3/ <https://myserver.prv:8888/path/to/jive/api/core/v3/>`_
* The API URL should end with “/api/core/v3/” (be careful with the slash at the end)
Filters
-------
The Jive plugin comes with a set of filters that the admin can set to filter the content the users can access
through ownCloud. The drawback of using filters is that there isn't any performance gain because the filtering
is mainly done in the ownCloud side, and even can degrade performance in some cases. We'll explain the filters
one by one, and tell you what consequences have each one.
Category filter and separator
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You can filter files using one or several categories. This filter applies only to groups and files
inside those groups.
Your private files won't be affected by this filter.
In order to set this filter, you can provide a list of categories, all in one line. In order to separate the
different categories, you must use the separator set in the “category separator” text box.
Jive category filter : syncWithMe,sync,syncMe
Jive category separator : ,
You can also achieve the same behavior with:
Jive category filter : syncWithMe#sync#syncMe
Jive category separator : #
The plugin will show all groups which have ALL those categories set. If there is a group with any of the
categories missing, that group won't be shown. Anyway, you should only need to set one category.
It's important to notice that, although you can set only one category or leave the text box empty, the
category separator MUST always be set. In fact, you shouldn't need to change the default value of the category separator.
Files shown inside those groups will be also affected by this filter. This means that all the files
shown inside those groups must have all the categories too.
Files uploaded through ownCloud to those groups will have all the categories set in Jive automatically.
If you want to add more categories to those files, you'll need to do it manually through Jive.
The usage of the category filter can degrade the performance a lot.
We need to make extra calls to Jive to get the categories for each group, one extra call per group returned by Jive in the first place.
There is also the limitation of not having more than 25 categories set per group.
Use this filter with extreme caution.
You can “disable” this filter just by setting the category filter empty. This will prevent the extra call from
being made, and will show all available groups.
Tag filter
^^^^^^^^^^
This filter works only for private files. Files inside groups won't be affected by this filter.
You can only set one tag for the files that will be shown in ownCloud. Make sure you set one of the tags from Jive
as they're shown there. It's highly recommended to use only lowercase letters to set the tag to prevent possible
issues when the tag is set in Jive.
The usage of this filter won't alter significantly the performance
It's important to notice that the filter will be applied to all users. Users won't be able to set their own tag to sync their own files.
This filter can also be “disabled” by setting the filter empty.
Forbidden extensions filter and separator
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This filter is set the same way as the category filter: you provide a list of extensions that are separated
by the char set in the separator text box.
Jive forbidden extensions: .exe,.zip,.tar.gz
Jive forbidden extensions separator : ,
You can also achieve the same behavior with:
Jive forbidden extensions: .exe#.zip#.tar.gz
Jive forbidden extensions separator: #
Keep in mind that the filter is performed against the end of the filename, that's why the “.” is important. If
you set “exe” as a forbidden extension, a file named “texe” or “f1.lexe” will be affected by this filter.
You must also take into account that, by using only the filename, we avoid to download the file, so the
performance isn't significantly degraded.
On the other hand, we cannot verify that a “.png” file is what it claims to be.
This filter works for any file, and for uploads and downloads through ownCloud. This means that you won't be able to
upload a file with any of those extensions from onwCloud and the Jive files which have those extensions won't
be shown (and consequently they won't be downloaded). Of course, you can still upload the files from Jive
(if Jive allows it) and have them there.
Maximum upload file size
^^^^^^^^^^^^^^^^^^^^^^^^
This filter allows you to limit the size of the files that will go through ownCloud. All files uploads and
downloads will be affected by this filter. You won't be able to upload files bigger than the file size limit
and the Jive files bigger than the limit won't be shown in ownCloud (and consequently they won't be downloaded)
Under normal circumstances, you want to match the limit with the one Jive has.
This way you can notify errors regarding the file size faster because the files won't reach the Jive server, and
at the same time you allow the users to upload up to the maximum limit that Jive allows.
(Note: we can't know this limit from ownCloud, so we can't provide a sensitive default value, plus the value can
change among Jive instances. You might need to adjust the value manually).
You can also set the limit to a lower value than what it's in Jive, so only small files will be delivered from ownCloud.
Show groups of which you are member
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Under normal circumstances, you can see all available groups in Jive, including open, member-only and private
groups, only secrets groups are outside. Even if you're not a member of those groups, you can still see their contents.
For small Jive installations (less than 100 available groups per user) this is usually enough, and it has an
acceptable performance. However, for larger installations, with more than 500 groups available per user, the
performance is degraded a lot.
For these larger installations, this checkbox comes in handy.
Again, under normal circumstances, it's common that a user is member of just a few groups (let's say less than 25)
even if there are thousand of groups available that the user can see. It usually makes sense to show the contents
of only those 25 groups, not every group available.
By activating this checkbox, the user will see only those 25 groups instead of
all available groups.
This will increase the performance a lot, specially for larger installations, as long as each user isn't member
of too many groups. Anyway, if there are user who are member of too many groups, the performance will still be degraded.
FS mount points
---------------
This Jive plugin mounts one (or two) virtual filesystems on the normal one in a transparent way.
From a user point of view, these virtual filesystems appear as new folders inside the root one.
From the settings page, you can change the mount points names. The folders will change accordingly.
Jive FS mount point
^^^^^^^^^^^^^^^^^^^
The name of the folder that will hold the Jive virtual FS. The name shouldn't collide with any existing name in the root folder to prevent possible issues.
The virtual FS will be mounted inside the root folder of the ownCloud FS.
As said, the contents of the folder will be the groups that the user can access through ownCloud (recheck the “filters” section).
Jive private folder
^^^^^^^^^^^^^^^^^^^
The folder where your private Jive files will be stored. The name of the folder will be the same for all users, although the contents will likely differ.
This private folder will be inside
the Jive mount point, as if it were another group.
Files inside this folder will be only visible to you, but they will be stored in Jive. They won't be visible neither for ownCloud users nor Jive users.
In order to prevent collisions with other groups, the folder name might be changed automatically by adding “(private)” to the end of the folder name
if it's needed
.
Large file sharing subsystem
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The large file sharing allow you to share files over the Jive limits (typically size limits). You can enable
or disable this subsystem by checking or un-checking the checkbox, and provide the corresponding mount point.
Use a non-existent folder name to prevent issues.
Files inside that folder will be stored inside the ownCloud server. However those files can be shared by link to Jive.
The process is like the following:
#. Upload a file (or folder) inside the large file sharing folder (by default named as “Too Big For”)
#. Once the file is uploaded, click in the “share” action, and then click in the “Share link” checkbox
#. By default the share link will expire after 1 week. You can change the value and / or protect the link by password
#. Click the “Submit to Jive” button (the name can be changed depending on the actual Jive folder name)
#. A new browser tab should appear with the Jive draft ready to be edited (you might need to enter your
Jive credentials first). The draft will have some predefined text, but you can edit it to your needs.
Once you publish the document, it's done.
Notifications
-------------
This Jive plugin runs a connectivity check between ownCloud and Jive whenever the web page is loaded. This
check allows you to know some potential issues between the ownCloud Jive connection.
When a potential issue is detected, a notification will be shown, so you'll know what's happening.
You can control the time the notification is shown in the “notification time for the connectivity check”
configuration. The time is in seconds.

View File

@@ -1,62 +0,0 @@
===================
LDAP Home Connector
===================
The LDAP Home Connector App enables you to configure your ownCloud server
to display your users' Windows home directories on their Files pages,
just like any other folder. Typically, Windows home directories are stored
on a network server in a root folder, such as Users, which then contains
individual folders for each user.
You must already have the LDAP app enabled and a working LDAP/Active Directory
configuration in ownCloud.
Next, configure the root Windows home directory to be mounted on your ownCloud
server. Then use the LDAP Home Connector and LDAP app to connect it to ownCloud.
Mount Home Directory
--------------------
Create an entry in :file:`/etc/fstab` for the remote Windows root home
directory mount. Store the credentials to access the home directory in a
separate file, for example :file:`/etc/credentials`, with the username and
password on separate lines, like this::
username=winhomeuser
password=winhomepassword
Then add a line like this to :file:`/etc/fstab`, substituting your own server
address and filenames::
//192.168.1.58/share /mnt/share cifs credentials=/etc/credentials,uid=33,gid=33
Configure the LDAP Home Connector
---------------------------------
Enable the LDAP Home Connector app. Then go to the LDAP Home Connector form
on your ownCloud admin page. In the **Display folder as:** field enter the name
as you want it to appear on your users' File pages.
Then in the **Attribute name:** field enter the LDAP attribute name that will
contain the home directory. Use any LDAP attribute that is not already in use,
then save your changes.
.. image:: images/ldap-home-connector-1.png
:alt: LDAP Home Connector configuration.
Configure the LDAP Server
-------------------------
In Active Directory, open the user profile. Scroll to the **Extensions**
section and open the **Attribute Editor** tab
.. image:: images/ldap-home-connector-2.png
:alt: Active Directory Attribute editor.
Scroll to the attribute being used (UserSharedFolder in this instance), and
click **Edit**. Enter the users home directory.
.. image:: images/ldap-home-connector-3.png
:alt: Editing the LDAP attribute.
Save your changes, and you are finished.

View File

@@ -1,134 +0,0 @@
=============================================================
Configuring S3 and OpenStack Swift Objects as Primary Storage
=============================================================
In ownCloud Enterprise edition, you can configure S3 objects as primary
storage. This replaces the default ownCloud ``owncloud/data`` directory. You may
still need to keep the ``owncloud/data`` directory for these reasons:
* The ownCloud log file is saved in the data directory
* Legacy apps may not support using anything but the ``owncloud/data`` directory
You can move your logfile by changing its location in ``config.php``. You may still need
``owncloud/data`` for backwards compatibility with some apps.
Implications
------------
ownCloud in object store mode expects exclusive access to the object store
container, because it only stores the binary data for each file. The metadata
are kept in the local database for performance reasons.
The current implementation is incompatible with any app that uses
direct file I/O and circumvents the ownCloud virtual filesystem. That includes
Encryption and Gallery. Gallery stores thumbnails directly in the
filesystem, and Encryption causes severe overhead because key files need
to be fetched in addition to any requested file.
Configuration
-------------
Look in ``config.sample.php`` for a example configurations. Copy the
relevant part to your ``config.php`` file. Any object store needs to implement
``\\OCP\\Files\\ObjectStore\\IObjectStore`` and can be passed parameters in the
constructor with the ``arguments`` key:
::
'objectstore' => [
'class' => 'Implementation\\Of\\OCP\\Files\\ObjectStore\\IObjectStore',
'arguments' => [
...
],
],
Amazon S3
~~~~~~~~~
The S3 backend mounts a bucket of the Amazon S3 object store
into the virtual filesystem. The class to be used is ``OCA\ObjectStore\S3``:
::
'objectstore' => [
'class' => 'OCA\ObjectStore\S3',
'arguments' => [
// replace with your bucket
'bucket' => 'owncloud',
'autocreate' => true,
// uncomment to enable server side encryption
//'serversideencryption' => 'AES256',
'options' => [
// version and region are required
'version' => '2006-03-01',
// change to your region
'region' => 'eu-central-1',
'credentials' => [
// replace key and secret with your credentials
'key' => 'EJ39ITYZEUH5BGWDRUFY',
'secret' => 'M5MrXTRjkyMaxXPe2FRXMTfTfbKEnZCu+7uRTVSj',
],
],
],
],
Ceph S3
~~~~~~~
The S3 backend can also be used to mount the bucket of a ceph object store via the s3 API
into the virtual filesystem. The class to be used is ``OCA\ObjectStore\S3``:
::
'objectstore' => [
'class' => 'OCA\ObjectStore\S3',
'arguments' => [
// replace with your bucket
'bucket' => 'owncloud',
'autocreate' => true,
'options' => [
// version and region are required
'version' => '2006-03-01',
'region' => '',
// replace key, secret and bucket with your credentials
'credentials' => [
// replace key and secret with your credentials
'key' => 'EJ39ITYZEUH5BGWDRUFY',
'secret' => 'M5MrXTRjkyMaxXPe2FRXMTfTfbKEnZCu+7uRTVSj',
],
// replace the ceph endpoint with your rgw url
'endpoint' => 'http://cephhost:8000/',
// Use path style when talking to ceph
'command.params' => [
'PathStyle' => true,
],
],
],
],
OpenStack Swift
~~~~~~~~~~~~~~~
The Swift backend mounts a container on an OpenStack Object Storage server
into the virtual filesystem. The class to be used is ``\\OC\\Files\\ObjectStore\\Swift``:
::
'objectstore' => [
'class' => 'OC\\Files\\ObjectStore\\Swift',
'arguments' => [
'username' => 'demo',
'password' => 'password',
'container' => 'owncloud',
'autocreate' => true,
'region' => 'RegionOne',
'url' => 'http://devstack:5000/v2.0',
'tenantName' => 'demo',
'serviceName' => 'swift',
// url Type, optional, public, internal or admin
'urlType' => 'internal'
],
],
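
Review bot: The OpenStack Swift section at the end of this file uses ``'class' => 'OC\\Files\\ObjectStore\\Swift'``, a core ``OC\`` namespace, while the Amazon S3 and Ceph S3 sections use the app class ``OCA\ObjectStore\S3``, so the Swift part does not look enterprise-specific and would be better moved to a retained storage page than deleted with the rest. The same applies to the "Implications" paragraphs (exclusive access to the container, incompatibility with Encryption and Gallery), which describe object store mode in general. Separately, both S3 examples carry a literal ``'key'`` and ``'secret'`` pair; deleting the file does not remove them from history, so if they were ever live credentials rather than samples they should be rotated.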

View File

@@ -1,112 +0,0 @@
==================================
Configuring SharePoint Integration
==================================
Native SharePoint support has been added to the ownCloud Enterprise edition as a
secondary storage location for SharePoint 2007, 2010 and 2013. When this is
enabled, users can access and sync all of their SharePoint content via ownCloud,
whether in the desktop sync, mobile or Web interfaces. Updated files are
bi-directionally synced automatically. SharePoint shares are created by the
ownCloud admin, and optionally by any users who have SharePoint credentials.
The ownCloud SharePoint plugin uses SharePoint document lists as remote storage
folders. ownCloud respects SharePoint access control lists (ACLs), so ownCloud
sharing is intentionally disabled for SharePoint mountpoints. This is to
preserve SharePoint ACLs and ensure content is properly accessed as per
SharePoint rules.
The plugin uses the Simple Object Access Protocol (SOAP) and WebDAV for the
uploads and downloads to talk to SharePoint servers. Your ownCloud server must
have ``php-soap`` or ``php5-soap`` installed. Linux packages and ownCloud
appliances will install ``php5-soap`` as a required dependency.
The supported authentication methods are:
* Basic Auth
* NTLM (Recommended)
Creating a Sharepoint Mount
---------------------------
Enable the Sharepoint app, and then enter the ``Admin`` panel to set up
SharePoint connections in the ``SharePoint Drive Configuration`` section.
Enter your SharePoint Listing credentials. These credentials are not
stored in the database, but are used only during plugin setup to list the
Document Libraries available per SharePoint site.
.. figure:: images/sharepoint-1.png
:alt: Listing and global credentials.
``Global credentials`` is optional. If you fill in these fields, these
credentials will be used on on all SharePoint mounts where you select: **Use
global credentials** as the authentication credentials.
.. figure:: images/sharepoint-2.png
:alt: Creating a new mountpoint.
Enter your ownCloud mountpoint in the ``Local Folder Name`` column. This is the
name of the folder that each user will see on the ownCloud filesystem. You may
use an existing folder, or enter a name to create a new mount point
Select who will have access to this mountpoint, by default **All users**, or a
user or a group.
Enter your SharePoint server URL, then click the little refresh icon to the left
of the ``Document Library`` field. If your credentials and URL are correct
you'll get a dropdown list of available SharePoint libraries. Select the
document library you want to mount.
.. figure:: images/sharepoint-3.png
:alt: Selecting auth credentials.
Select which kind of Authentication credentials you want to use for this
mountpoint. If you select **Custom credentials** you will have to enter the
the credentials on this line. Otherwise, the global credentials or the user's
own credentials will be used. Click Save, and you're done
.. Please see ``Connecting to SharePoint`` in the User Manual to learn how to
.. use your new SharePoint connections.
Enabling Users
--------------
You may allow your users to create their own Sharepoint mounts on their
Personal pages, and allow sharing on these mounts.
.. figure:: images/sharepoint-4.png
:alt: Allow user Sharepoint mounts.
Note
----
Speed up load times by disabling file previews in ``config.php``, because the
previews are generated by downloading the remote files to a temp file. This
means ownCloud will spend a lot of time creating previews for all of your
SharePoint content. To disable file previews, add the following line to the
ownCloud config file found in ``/owncloud/config/config.php``::
'enable_previews' => false,
Troubleshooting
---------------
SharePoint unsharing is handled in the background via Cron. If you remove the
sharing option from a Sharepoint mount, it will take a little time for the
share to be removed, until the Cron job runs
Turn on Sharepoint app logging by modifying the following line in
:file:`apps/sharepoint/lib/sharepoint.php` to ``TRUE``::
private static $enableLogs = TRUE;
Global mount points can't be accessed: You have to fill out your SharePoint
credentials as User on the personal settings page, or in the popup menu. These
credentials are used to mount all global mount points.
Personal mount points can't be accessed: You have to fill your SharePoint
credentials as User on the personal settings page in case your personal mount
point doesn't have its own credentials.
A user can't update the credentials: Verify that the correct credentials are
configured, and the correct type, either global or custom.

View File

@@ -1,139 +0,0 @@
========================================================
Installing and Configuring the Windows Network Drive App
========================================================
The Windows Network Drive app creates a control panel on your Admin page for
seamless mounting of SMB/CIFS file shares on ownCloud servers.
Any Windows file share, and Samba servers on Linux and other Unix-type operating
systems use the SMB/CIFS file-sharing protocol. The files and directories on the
SMB/CIFS server will be visible on your Files page just like your other ownCloud
files and folders. They are labeled with a little four-pane Windows-style icon,
and the left pane of your Files page includes a Windows Network Drive filter.
Figure 1 shows a new Windows Network Drive share marked with red warnings.
These indicate that ownCloud cannot connect to the share because it requires
the user to login, it is not available, or there is an error in the
configuration.
.. figure:: images/wnd-1.png
:alt: Windows Network Drive share on your Files page.
*Figure 1: Windows Network Drive share on your Files page.*
Files are synchronized bi-directionally, and you can create, upload, and delete
files and folders. ownCloud server admins can create Windows Network Drive
mounts, and optionally allow users to create their own personal Windows Network
Drive mounts.
Depending on the authentication method, passwords for each mount are encrypted
and stored in the ownCloud database, using a long random secret key stored in
``config.php``, which allows ownCloud to access the shares when the users who
own the mounts are not logged in. Or, passwords are not stored and available
only for the current session, which adds security.
Installation
------------
Enable the Windows Network Drive app on your ownCloud Apps page. Then there are
a few dependencies to install.
You must install the ownCloud ``php5-libsmbclient`` binary; please refer to the README in
your `customer.owncloud.com <https://customer.owncloud.com/>`_ account for instructions
on obtaining it.
You also need the Samba client installed on your Linux system. This is included in
all Linux distributions; on Debian, Ubuntu, and other Debian derivatives this
is ``smbclient``. On SUSE, Red Hat, CentOS, and other Red Hat derivatives it is
``samba-client``.
Creating a New Share
--------------------
When you create a new WND share you need the login credentials for the share,
the server address, the share name, and the folder you want to connect to.
1. First enter the ownCloud mountpoint for your new WND share. This must not be
an existing folder.
2. Then select your authentication method; See :doc:`enterprise_only_auth` for
complete information on the five available authentication methods.
.. figure:: images/wnd-2.png
:alt: WND mountpoint and auth.
*Figure 2: WND mountpoint and authorization credentials.*
3. Enter the address of the server that contains the WND share.
4. The Windows share name.
5. The root folder of the share. This is the folder name, or the
``$user`` variable for user's home directories. Note that the LDAP
``Internal Username Attribute`` must be set to the ``samaccountname`` for
either the share or the root to work, and the user's home directory needs
to match the ``samaccountname``. (See
:doc:`../configuration_user/user_auth_ldap`.)
6. Login credentials.
7. Select users or groups with access to the share. The default is all users.
8. Click the gear icon for additional mount options. Note that encryption is
enabled by default, while sharing is not. Sharing is not available for all
authorization methods; see :doc:`enterprise_only_auth`.
.. figure:: images/wnd-3.png
:alt: WND server and credentials.
*Figure 3: WND server, credentials, and additional mount options.*
Your changes are saved automatically.
.. note:: When you create a new mountpoint using Login credentials you must log
out of ownCloud, and then log back in so you can access the share. You
only have to do this the first time.
Personal WND Mounts
-------------------
Users create their own personal WND mounts on their Personal pages. These are
created the same way as Admin-created shares. Users have four options for
login credentials:
* Username and password
* Log-in credentials, save in session
* Log-in credentials, save in database
* Global credentials
libsmclient Issues
------------------
If your Linux distribution ships with ``libsmbclient 3.x``, which is included in
the Samba client, you may need to set up the HOME variable in Apache to prevent
a segmentation fault. If you have ``libsmbclient 4.1.6`` and higher it doesn't
seem to be an issue, so you won't have to change your HOME variable.
To set up the HOME variable on Ubuntu, modify the ``/etc/apache2/envvars``
file::
unset HOME
export HOME=/var/www
In Red Hat/CentOS, modify the ``/etc/sysconfig/httpd`` file and add the
following line to set the HOME variable in Apache::
export HOME=/usr/share/httpd
By default CentOS has activated SELinux, and the ``httpd`` process can not make
outgoing network connections. This will cause problems with the ``curl``,
``ldap``
and ``samba`` libraries. You'll need to get around this in order to make
this work. First check the status::
getsebool -a | grep httpd
httpd_can_network_connect --> off
Then enable support for network connections::
setsebool -P httpd_can_network_connect 1
In openSUSE, modify the ``/usr/sbin/start_apache2`` file::
export HOME=/var/lib/apache2
Restart Apache, open your ownCloud Admin page and start creating SMB/CIFS
mounts.
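
Review bot: The SELinux paragraph under "libsmclient Issues" is not specific to Windows Network Drive; the text itself says a disabled ``httpd_can_network_connect`` "will cause problems with the ``curl``, ``ldap`` and ``samba`` libraries", so removing it here also drops guidance that LDAP and curl users on CentOS need. Suggest moving the ``getsebool -a | grep httpd`` check and the ``setsebool -P httpd_can_network_connect 1`` step to a general installation or SELinux page before deleting this file. The page also links to ``:doc:`enterprise_only_auth``` and ``:doc:`../configuration_user/user_auth_ldap```; the first target should go in the same commit, the second stays and needs no change.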

View File

@@ -1,67 +0,0 @@
============================================================
Enabling Anonymous Uploads with Files Drop (Enterprise Only)
============================================================
The Files Drop application, introduced in ownCloud 8.0.3 Enterprise
Subscription, allows anyone to upload files with the click of a button to the
directory of your choosing, without needing a login, and they cannot see or
change the contents of the directory. It is the perfect replacement for
attaching large files to email, maintaining an FTP server, and commercial
file-sharing services.
When files are uploaded to your Files Drop directory, you can manage them just
like any other ownCloud share: you may share them, restrict access, edit, and
delete them.
Setting Up the Files Drop App
-----------------------------
Setting up Files Drop is a matter of a few clicks. First go to your Apps page
and enable it.
.. image:: images/files-drop-1.png
:alt: Enabled Files Drop app.
Now your users will see a configuration section on their Personal pages.
.. image:: images/files-drop-2.png
:alt: Files Drop button.
Click the **Choose** button to open a dialog to select your upload directory.
You may wish to first create a special upload directory (on your Files page),
which in the following example is name **upload**.
.. figure:: images/files-drop-3.png
:alt: Folder chooser.
On your Personal page you should now see a URL for your upload directory. Share
this URL with anyone you want to allow uploads to your File Drop folder. Note
that the maximum upload size in this example is 512MB. (The default
ownCloud upload file size limit is 512MB. See
:doc:`../configuration_files/big_file_upload_configuration` to learn how to
customize this.)
.. image:: images/files-drop-4.png
:alt: Files Drop URL.
Using the Files Drop App
------------------------
Uploading files via the Files Drop app is simple. Open your Web browser to the
share URL created by ownCloud:
.. figure:: images/files-drop-5.png
:alt: Click to Upload File button.
Click the **Click to upload file** button. This opens a file picker, and you
select the file or directory you want to upload.
.. figure:: images/files-drop-6.png
:alt: Upload file picker.
When your upload is completed, you'll see a confirmation message with the
filenames.
.. figure:: images/files-drop-7.png
:alt: Upload confirmation.

View File

@@ -1,92 +0,0 @@
=============================================================
Advanced File Tagging With the Workflow App (Enterprise only)
=============================================================
New in ownCloud 9.0, the Workflow App provides advanced management of file
tagging. The app has three parts: Tag Manager, Automatic Tagging, and Retention.
The Workflow App should be enabled by default (Apps page), and the three
configuration modules visible on your ownCloud Admin page.
See `Tagging Files
<https://doc.owncloud.com/server/9.0/user_manual/files/access_webgui.html>`_ in
the ownCloud User manual to learn how to apply and filter tags on files.
Tag Manager
-----------
The Tag Manager is for creating new tags, editing existing tags, and deleting
tags. Tags may be made **Visible and assignable by all users**,
**Not-assignable by normal users**, or **Invisible to normal users**.
**Visible and assignable all users** means that users may see, rename. and
apply admin-created tags to files and folders.
**Not-assignable by normal users** means tags are read-only, and users cannot
assign them to files or folders.
**Invisible to normal users** means visible only to ownCloud admins.
.. figure:: images/workflow-1.png
:alt: Tag Manager.
Automatic Tagging
-----------------
The Automatic Tagging module operates on newly-uploaded files. Create a set of
conditions, and then when a file or folder matches those conditions it is
automatically tagged. The tag must already have been created with the Tag
Manager.
For example, you can assign the invisible tag **iOS Uploads** to all files
uploaded from iOS devices. This tag is visible only to admins.
.. figure:: images/workflow-2.png
:alt: Automatic tagging.
When files with this tag are shared with you, you can view them with the Tags
filter on the Files page.
.. figure:: images/workflow-3.png
:alt: Viewing tagged files.
Automatic Tagging is especially useful with the Retention module.
Retention
---------
The Retention module is your housecleaning power tool, because it automatically
deletes files after a time period that you specify. Select which tag to
set a time limit on, and then set your time limit. File age is calculated from
the file mtime (modification time).
.. figure:: images/workflow-4.png
:alt: Setting retention times via tag.
For best performance, retention tags should be applied high in your file
hierarchy. If subfolders have the same tags as their parent folders, their tags
must also be processed, so it will take a little longer.
Retention Engines
-----------------
There are two retention engines that further allow you to fine-tune your
retention settings: **TagBasedRetention** and **UserBasedRetention**.
**TagBasedRetention** is the default.
**TagBasedRetention**: This checks files that have a particular tag
assigned. Then it checks (depth-first) the children of the tagged item, before
continuing with the other tagged items. Children that have already been checked
will not be checked a second time.
This is optimised for processing smaller numbers of files that have multiple
retention tags.
**UserBasedRetention**: Examines files per user. It first iterates over all
files and folders (siblings first), then examines the tags for those items and
checks their respective retention periods. This is optimised for many files with
few retention tags.
To select UserBasedRetention, add this line to your ee.config.php::
'workflow.retention_engine' => userbased,

Binary file not shown.

Before

Width:  |  Height:  |  Size: 19 KiB


View File

@@ -1,10 +0,0 @@
============================================
Enterprise File Management (Enterprise Only)
============================================
.. toctree::
:maxdepth: 2
files_drop
files_tagging
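
Review bot: This index is the toctree parent of ``files_drop`` and ``files_tagging``, so whichever top-level toctree lists it has to lose that entry in the same commit, otherwise the Sphinx build reports a toctree reference to a nonexistent document. Worth running a docs build with warnings treated as errors on this branch to catch any entry that was missed across the removed index files.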

View File

@@ -1,188 +0,0 @@
===============================
File Firewall (Enterprise only)
===============================
The File Firewall GUI enables you to create and manage firewall rule sets from
your ownCloud admin page. The File Firewall gives you finer-grained control of
access and sharing, with rules for allowing or denying access, and restrictions
per group, upload size, client devices, IP address, time of day, and many more
criteria. For additional flexibility the File Firewall also supports regular
expressions.
Each rule consists of one or more conditions. A request matches a rule if
all conditions evaluate to true. If a request matches at least one of the
defined rules, the request is blocked and the file content can not be read or
written.
.. note::
As of ownCloud 9.0, the File Firewall app cannot lock out administrators from the Web interface when rules are misconfigured.
Figure 1 shows an empty firewall configuration panel. Set your logging level to
**Failures Only** for debugging, and create a new ruleset by clicking the **Add
Group** button. After setting up your rules you must click the **Save Rules**
button.
.. figure:: images/firewall-1.png
:alt: Empty File Firewall configuration panel.
*Figure 1: Empty File Firewall configuration panel*
Figure 2 shows two rules. The first rule, **No Support outside
office hours**, prevents members of the support group from logging into the
ownCloud Web interface from 5pm-9am, and also blocks client syncing.
The second rule prevents members of the qa-team group from accessing the Web UI
from IP addresses that are outside of the local network.
.. figure:: images/firewall-2.png
:alt: Two example rules that restrict logins per user group.
*Figure 2: Two example rules that restrict logins per user group*
All other users are not affected, and can log in anytime from anywhere.
Available Conditions
--------------------
User Group
The user (is|is not) a member of the selected group.
User Agent
The User-Agent of the request (matches|does not match) the given string.
User Device
A shortcut for matching all known (``android`` | ``ios`` | ``desktop``) sync clients by
their User Agent string.
Request Time
The time of the request (has to|must not) be in a single range from beginning
time to end time.
Request URL
The **full page URL** (has to|must not) (match|contain|begin with|end) with a
given string.
Request Type
The request (is|is not) a (WebDAV|public share link|other) request.
Request IP Range (IPv4) and IP Range (IPv6)
The request's ``REMOTE_ADDR`` header (is|is not) matching the given IP range.
Subnet (IPv4) and Subnet (IPv6)
The request's ``SERVER_ADDR`` header (is|is not) matching the given IP range.
File Size Upload
When a file is uploaded the size has to be (less|less or equal|greater|greater
or equal) to the given size.
File Mimetype Upload
When a file is uploaded the mimetype (is|is not|begins with|does not begin
with|ends with|does not end with) the given string.
System File Tag
One of the parent folders or the file itself (is|is not) tagged with a System
tag.
Regular Expression
The File Firewall supports regular expressions, allowing you to create custom
rules using the following conditions:
* IP Range (IPv4)
* IP Range (IPv6)
* Subnet (IPv4)
* Subnet (IPv6)
* User agent
* User group
* Request URL
You can combine multiple rules into one rule. E.g., if a rule applies to both
the support and the qa-team you could write your rule like this::
Regular Expression > ^(support|qa-team)$ > is > User group
No Manual Editing
-----------------
We do not recommend modifying the configuration values directly in your
``config.php``. These use JSON encoding, so the values are difficult to read
and a single typo will break all of your rules.
Controlling Access to Folders
-----------------------------
The easiest way to block access to a folder, starting with ownCloud 9.0, is to use a
system tag. A new rule type was added which allows you to block access to
files and folders, where at least one of the parents has a given tag. Now you
just need to add the tag to the folder or file, and then block the tag with the
File Firewall.
This example blocks access to any folder with the tag "Confidential".
Block by System Tag::
System file tag: is "Confidential"
Subnet IPv4: is not "255.255.255.0/24"
.. figure:: images/firewall-3.png
:alt: Protecting files tagged with "Confidential" from outside access
Custom Configuration for Branded Clients
----------------------------------------
If you are using :doc:`branded ownCloud clients <../enterprise_clients/index>`,
you may define ``firewall.branded_clients`` in your ``config.php`` to identify
your branded clients in the firewall **"User Device"** rule.
The configuration is a ``User-Agent`` => ``Device`` map. ``Device`` must be one
of the following:
* android
* android_branded
* ios
* ios_branded
* desktop
* desktop_branded
The ``User-Agent`` is always compared all lowercase. By default the agent is
compared with ``equals``. When a trailing or leading asterisk, ``*``, is found,
the agent is compared with ``starts with`` or ``ends with``. If the agent has
both a leading and a trailing ``*``, the string must appear anywhere. For
technical reasons the ``User-Agent`` string must be at least 4 characters
(including wildcards). (When you build your branded client you have the option
to create a custom User Agent.)
In this example configuration you need to replace the example User Agent
strings, for example ``'android_branded'``, with your own User Agent strings::
// config.php
'firewall.branded_clients' => array(
'my ownbrander android user agent string' => 'android_branded',
'my ownbrander second android user agent string' => 'android_branded',
'my ownbrander ios user agent string' => 'ios_branded',
'my ownbrander second ios user agent string' => 'ios_branded',
'my ownbrander desktop user agent string' => 'desktop_branded',
'my ownbrander second desktop user agent string' => 'desktop_branded',
),
The Web UI dropdown then expands to the following options:
* Android Client - always visible
* iOS Client - always visible
* Desktop Client - always visible
* Android Client (Branded) - visible when at least one ``android_branded`` is defined
* iOS Client (Branded) - visible when at least one ``ios_branded`` is defined
* Desktop Client (Branded) - visible when at least one ``desktop_branded`` is defined
* All branded clients - visible when at least one of ``android_branded``,
``ios_branded`` or ``desktop_branded`` is defined
* All non-branded clients - visible when at least one of ``android_branded``,
``ios_branded`` or ``desktop_branded`` is defined
* Others (Browsers, etc.) - always visible
Then these options operate this way:
* The ``* Client`` options only match ``android``, ``ios`` and ``desktop`` respectively.
* The ``* Client (Branded)`` options match the ``*_branded`` agents equivalent.
* ``All branded clients`` matches: ``android_branded``, ``ios_branded`` and
``desktop_branded``
* ``All non-branded clients`` matches: ``android``, ``ios`` and ``desktop``
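
Review bot: The "Custom Configuration for Branded Clients" section is the only place in this hunk that documents the ``firewall.branded_clients`` key for ``config.php``, and it links out to ``:doc:`branded ownCloud clients <../enterprise_clients/index>```. Before merging, grep the retained pages for ``firewall.branded_clients``, ``file_firewall`` and ``enterprise_clients`` so that no remaining config reference or ``:doc:`` link points at a page this commit deletes.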

Binary file not shown.

Before

Width:  |  Height:  |  Size: 15 KiB


View File

@@ -1,8 +0,0 @@
=====================================
Enterprise Firewall (Enterprise only)
=====================================
.. toctree::
:maxdepth: 2
file_firewall

View File

@@ -1,12 +0,0 @@
===============================
Enterprise Installation
===============================
.. toctree::
:maxdepth: 2
linux_installation
supported_apps_installation
license_keys_installation
oracle_db_configuration

View File

@@ -1,31 +0,0 @@
============
License Keys
============
Introduction
------------
You'll need to install a license key to use ownCloud Enterprise Edition. There
are two types of license keys: one is a free 30-day trial key. The other is a
full license key for Enterprise customers.
You can `download and try ownCloud Enterprise for 30 days for free
<https://owncloud.com/download/>`_, which auto-generates a free 30-day key. When
this key expires your ownCloud installation is not removed, so when you become
an Enterprise customer you can enter your new key to regain access. See `How to
Buy ownCloud <https://owncloud.com/how-to-buy-owncloud/>`_ for sales and
contact information.
Configuration
-------------
Once you get your Enterprise license key, it needs to be copied to your
ownCloud configuration file,
``config/config.php`` file like this example::
'license-key' => 'test-20150101-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-YYYYYY,
Each running instance of ownCloud requires a license key. Keys will work across
upgrades without issue, so new keys will not be required when you upgrade your
ownCloud Enterprise to a new version.

View File

@@ -1,31 +0,0 @@
==================================================
Installing & Upgrading ownCloud Enterprise Edition
==================================================
The recommended method for installing and maintaining your ownCloud Enterprise
edition is with your Linux package manager. Configure your package manager
to use the ownCloud Enterprise repository, import the signing key,
and then install and update ownCloud packages like any other software package.
Please refer to the ``README - ownCloud Package Installation.txt`` document in
your account at `Customer.owncloud.com
<https://customer.owncloud.com/owncloud/>`_ account for instructions on setting
up your Linux package manager.
After you have completed your initial installation of ownCloud as detailed in
the README, follow the instructions in
:doc:`../installation/installation_wizard` to finish setting up ownCloud.
To upgrade your Enterprise server, refer to
:doc:`../maintenance/upgrade`.
Manual Installation
-------------------
Download the ownCloud archive from your account at https://customer.owncloud.com/owncloud, then follow the instructions at :doc:`../installation/source_installation`.
SELinux
-------
Linux distributions that use SELinux need to take some extra steps so that
ownCloud will operate correctly under SELinux. Please see
:doc:`../installation/selinux_configuration` for some recommended configurations.

View File

@@ -1,214 +0,0 @@
=====================
Oracle Database Setup
=====================
.. toctree::
:maxdepth: 2
:hidden:
This document will cover the setup and preparation of the ownCloud server to
support the use of Oracle as a backend database. For the purposes of testing,
we are using Oracle Enterprise Linux as both the Web server that
will host ownCloud, and as a host for the Oracle Database.
Outline of Steps
================
This document will cover the following steps:
* Setup of the ownCloud user in Oracle: This involves setting up a user space
in Oracle for setting up the ownCloud database.
* Installing the Oracle Instant Client on the Web server (facilitating the
connection to the Oracle Database).
* Compiling and installing the Oracle PHP Plugin oci8 module
* Pointing ownCloud at the Oracle database in the initial setup process
The document assumes that you already have your Oracle instance running, and
have provisioned the needed resources. It also assumes that you have installed
ownCloud with all of the prerequisites.
Configuring Oracle
==================
Setting up the User Space for ownCloud
--------------------------------------
Step one, if it has not already been completed by your :abbr:`DBA (DataBase Administrator)`, provision a user
space on the Oracle instance for ownCloud. This can be done by logging in as a
DBA and running the script below:
::
CREATE USER owncloud IDENTIFIED BY password;
ALTER USER owncloud DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA unlimited ON users;
GRANT create session, create table, create procedure, create sequence, create trigger, create view, create synonym, alter session TO owncloud;
Substitute an actual password for ``password``. Items like TableSpace, Quota etc. will be determined by your DBA.
Downloading and Installing the Oracle Instant Client
----------------------------------------------------
As our example system is Oracle Enterprise Linux, it is
necessary to go to the Oracle site and download the `Oracle Instant Client`_ for
your OS Distribution.
.. _Oracle Instant Client: http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html
.. note:: Download the instant client and the instant client SDK and place them
in a directory on the server, in this example they are RPM packages.
* Install the basic client from the RPM. Use the ``rpm ivh`` command
* Install the SDK RPM package. Use the ``rpm ivh`` command
At this point, the Oracle Instant client is installed on the ownCloud Host (in
the home directory).
Install the OCI8 PHP Extension:
-------------------------------
The next step is to compile and install the OCI8 PHP extension for connectivity to the Oracle Database.
* Create a folder for these bits on your server.
* Download the latest version of the extension from `http://pecl.php.net/package/oci8 <http://pecl.php.net/package/oci8>`_.
* Unpack the OCI8 PHP extension and copy it over to the server.
* There should be two things in the folder:
* ``package.xml`` file
* ``oci8-*.*.*`` folder (folder will change based on version of the extension you downloaded).
* Build the OCI8 module.
* Change (``cd``) to the folder where you have copied the downloaded and uncompressed OCI8 bits.
* Run the following command (there will be a significant amount of output)::
pecl build
* Eventually the output will stop and ask for the *Oracle Home Directory*, just press enter.
* Change directory::
cd oci8-<version number>
* Type the following command::
./configure with-oci8=instantcleint,/usr/lib/oracle/<version number>/client64/lib
* Again, there will be significant output
* Enter the following command to compile: ``make``
* At this time there should be a folder called modules in the ``oci8-<version_>`` folder.
Within this folder exists the ``oci8.so`` file.
* Copy this to the directory where the modules are stored in the PHP install. It depends on
your distribution. This is the path for RHEL 6 and OEL 6::
cp oci8.so /usr/lib64/php/modules
* Create an ``.ini`` file
* Navigate to the ``php.d`` directory: ``cd /etc/php.d``
* Edit a file called oci8.ini: ``vi oci8.ini``
* Make the file look as follows::
; Oracle Instant Client Shared Object
extension=oci8.so
* Save the document
Configure ownCloud
==================
The next step is to configure the ownCloud instance to point to the Oracle Database, again this document assumes
that ownCloud has previously been installed.
Configuration Wizard
--------------------
.. image:: ../images/oracle-1.png
:width: 5.778in
:height: 7.4165in
Database user
~~~~~~~~~~~~~
This is the user space created in step 2.1.
In our Example this would be owncloud.
Database password
~~~~~~~~~~~~~~~~~
Again this is defined in the script from section 2.1 above, or pre-configured and provided to you by your DBA.
Database Name
~~~~~~~~~~~~~
Represents the database or the service that has been pre-configured on the TSN Listener on the Database Server.
This should also be provided by the DBA.
In this example, the default setup in the Oracle install was orcl (there is a TSN Listener entry for orcl on our database server).
This is not like setting up with MySQL or SQL Server, where a database based on the name you give is created.
The oci8 code will call this specific service and it must be active on the TSN Listener on your Oracle Database server.
Database Table Space
~~~~~~~~~~~~~~~~~~~~
Provided by the DBA.
In this example the users table space (as is seen in the user creation script above), was used.
Configuration File
------------------
Assuming all of the steps have been followed to completion, the first run wizard should complete successfully, and an operating instance of ownCloud should appear.
The configuration file should look something like this:
::
<?php
$CONFIG = array (
'instanceid' => 'abcdefgh',
'passwordsalt' => '01234567890123456789',
'datadirectory' => '/var/data',
'dbtype' => 'oci',
'version' => '8.2.x.y',
'dbname' => 'orcl',
'dbhost' => '192.168.1.57',
'dbtableprefix' => 'oc_',
'dbuser' => 'owncloud1',
'dbpassword' => '********',
'installed' => true,
);
Useful SQL Commands
-------------------
**Is my Database Reachable?**
On the machine where your Oracle database is installed, type::
sqlplus username
::
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production
CORE 11.2.0.2.0 Production
TNS for Linux: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production
SQL> exit
**Show Database Users**::
Oracle : SELECT * FROM all_users;
**Show available Databases**::
Oracle : SELECT name FROM v$database; (requires DBA privileges)
**Show ownCloud Tables in Database**::
Oracle : SELECT table_name FROM user_tables;
**Quit Database**::
Oracle : quit
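Review bot: deleting this page takes the Oracle setup steps (the user grants, the Instant Client install, the oci8 build and the ``'dbtype' => 'oci'`` example) out of the manual, while the database configuration page changed earlier in this same commit still lists Oracle as a database choice. Either drop Oracle from that sentence too, or move this page out of the enterprise directory instead of deleting it, so the remaining text does not point admins at a setup the manual no longer describes.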

View File

@@ -1,9 +0,0 @@
==========================================
Supported ownCloud Enterprise Edition Apps
==========================================
See :doc:`../installation/apps_supported` for a list of supported apps.
.. note:: 3rd party and unsupported apps must be disabled before performing a
system upgrade. Then install the upgraded versions, and after the
upgrade is complete re-enable them.

View File

@@ -1,21 +0,0 @@
=======================
Enterprise Logging Apps
=======================
The **Log user and file sharing actions** app (``apps/admin_audit``) records the
file sharing activity of your users, file tagging, and user logins and logouts.
.. figure:: images/logging-1.png
:alt: Enterprise logging app on the Apps page.
Your logging level must be set to at least **Info, warnings, errors, and fatal
issues** on your ownCloud admin page, or ``'loglevel' => 1`` in ``config.php``.
View your logfiles on your admin page. Click the **Download logfile** button to
dump the plain text log, or open the logfile directly in a text editor. The
default location is ``owncloud/data/owncloud.log``.
See :doc:`../configuration_server/logging_configuration` and
:doc:`../enterprise_file_management/files_tagging` for more information on
logging and tagging.

Binary file not shown.

View File

@@ -1,8 +0,0 @@
=========================================
Enterprise Logging Apps (Enterprise only)
=========================================
.. toctree::
:maxdepth: 2
enterprise_logging_apps

View File

@@ -1,65 +0,0 @@
=========================================
Custom Theming ownCloud (Enterprise only)
=========================================
Overview
--------
ownBrander is an ownCloud build service that is exclusive to Enterprise
edition customers for creating branded ownCloud clients and servers. You
may brand your ownCloud server using ownBrander to easily build a custom theme,
using your own logo and artwork. ownCloud has always been theme-able, but it was
a manual process that required editing CSS and PHP files. Now Enterprise
customers can use ownBrander, which provides an easy graphical wizard.
You need an Enterprise subscription, an account on
`Customer.owncloud.com <https://customer.owncloud.com/owncloud>`_, and the
ownBrander app enabled on your account. When you
complete the steps in the wizard the ownBrander service builds your new branded
theme, and in 24-48 hours you'll see it in your account.
.. figure:: ../images/ownbrander-1.png
:alt: ownBrander app button is on the top left of your ownCloud Web GUI,
after clicking the down arrow at the right of the ownCloud logo
When you open the ownBrander app, go to the Web tab. You will see an
introduction and the wizard, which starts with uploading your logo. You will
need a number of images in specific sizes and formats, and the wizard tells you
what you need. Example images are on the right, and you can click to enlarge
them.
.. figure:: ../images/webbrander-1.png
:alt: ownBrander wizard with instructions, upload buttons for your custom
branded images, and example screenshots
.. note:: If you see errors when you upload SVG files, such as "Incorrect
extension.File type image/svg+xml is not correct", "This SVG is invalid",
or "Error uploading file: Incorrect size", try opening the file in
`Inkscape <https://inkscape.org/en/>`_ then save as "Plain SVG" and
upload your SVG image again.
The wizard has two sections. The first section contains all the required
elements: logos and other artwork, colors, naming, and your enterprise URL. The
Suggested section contains optional items such as additional logo placements
and custom URLs.
When you are finished, click the **Generate Web Server** button. If you want to
change anything, go ahead and change it and click the **Generate Web Server**
button. This will override your previous version, if it has not been created
yet.In 24-48 hours you'll find your new branded theme in the **Web** folder in
your `Customer.owncloud.com <https://customer.owncloud.com/owncloud>`_ account.
Inside the **Web** folder you'll find a **themes** folder. Copy this to your
``owncloud/themes`` directory. You may name your **themes** folder anything you
want, for example ``myBrandedTheme``. Then configure your ownCloud server to
use your branded theme by entering it in your ``config.php`` file::
"theme" => "myBrandedTheme"
If anything goes wrong with your new theme, comment out this line to re-enable
the default theme until you fix your branded theme. The branded theme follows
the same file structure as the default theme, and you may further customize it
by editing the source files.
.. Note:: Always edit only your custom theme files. Never edit the default
theme files.

View File

@@ -1,8 +0,0 @@
============================================
Enterprise Server Branding (Enterprise only)
============================================
.. toctree::
:maxdepth: 2
enterprise_server_branding

View File

@@ -1,21 +0,0 @@
==========================
Enterprise Troubleshooting
==========================
When you have problems with your ownCloud Enterprise installation, refer to
:doc:`../issues/general_troubleshooting` to see if you can resolve your issue
without opening a support ticket. If you need to open a support ticket, use the
Open Ticket button in your account on
`<https://customer.owncloud.com/owncloud/>`_.
Bug reports and trouble tickets usually need a copy of your ownCloud server
configuration report. You have two ways to generate a configuration report.
#. Use the :ref:`occ config command <config_commands_label>`.
#. Use the **Enterprise license key** app on your ownCloud Admin page to
generate the report with the click of a button.
.. figure:: images/config-report-1.png
:alt: Enterprise license key app
Both methods automatically obscure passwords and secrets.

View File

@@ -1,8 +0,0 @@
=================================
User Management (Enterprise only)
=================================
.. toctree::
:maxdepth: 2
user_auth_shibboleth

View File

@@ -1,402 +0,0 @@
========================================
Shibboleth Integration (Enterprise only)
========================================
Introduction
------------
The ownCloud Shibboleth user backend application integrates ownCloud with a
Shibboleth Service Provider (SP) and allows operations in federated and
single-sign-on (SSO) infrastructures. Setting up Shibboleth has two big steps:
1. Enable and configure the Apache Shibboleth module.
2. Enable and configure the ownCloud Shibboleth app.
The Apache Shibboleth module
----------------------------
Currently supported installations are based on the `native Apache integration`_.
The individual configuration of the service provider is highly dependent on
the operating system, as well as on the integration with the Identity
Providers (IdP), and require case-by-case analysis and installation.
A good starting point for the service provider installation can be found in
`the official Shibboleth Wiki`_.
A successful installation and configuration will populate Apache environment
variables with at least a unique user id which is then used by the ownCloud
Shibboleth app to login a user.
See the `documentation Wiki <https://github.com/owncloud/documentation/wiki/Shibboleth-example-configurations>`_ for more configuration examples.
Apache Configuration
^^^^^^^^^^^^^^^^^^^^
This is an example configuration as installed and operated on a Linux server
running the Apache 2.4 Web server. These configurations are highly operating system
specific and require a high degree of customization.
The ownCloud instance itself is installed in ``/var/www/owncloud/``. The
following aliases are defined in an Apache virtual host directive:
::
# non-Shibboleth access
Alias /owncloud /var/www/owncloud/
# for Shibboleth access
Alias /oc-shib /var/www/owncloud/
Further Shibboleth specific configuration as defined in
``/etc/apache2/conf.d/shib.conf``::
#
# Load the Shibboleth module.
#
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
#
# Ensures handler will be accessible.
#
<Location /Shibboleth.sso>
AuthType None
Require all granted
</Location>
#
# Configure the module for content.
#
#
# Besides the exceptions below, this location is now under control of
# Shibboleth
#
<Location /oc-shib>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders Off
ShibExportAssertion On
require valid-user
</Location>
#
# Shibboleth is disabled for the following location to allow non
# shibboleth webdav access
#
<Location ~ "/oc-shib/remote.php/nonshib-webdav">
AuthType None
Require all granted
</Location>
#
# Shibboleth is disabled for the following location to allow public link
# sharing
#
<Location ~ \
"/oc-shib/(status.php$\
|index.php/s/\
|public.php$\
|cron.php$\
|core/img/\
|index.php/apps/files_sharing/ajax/publicpreview.php$\
|index.php/apps/files/ajax/upload.php$\
|apps/files/templates/fileexists.html$\
|index.php/apps/files/ajax/mimeicon.php$\
|index.php/apps/files_sharing/ajax/list.php$\
|themes/\
|index.php/apps/files_pdfviewer/\
|apps/files_pdfviewer/)">
AuthType None
Require all granted
</Location>
#
# Shibboleth is disabled for the following location to allow public gallery
# sharing
#
<Location ~ \
"/oc-shib/(index.php/apps/gallery/s/\
|index.php/apps/gallery/slideshow$\
|index.php/apps/gallery/.*\.public)">
AuthType None
Require all granted
</Location>
#
# Shibboleth is disabled for the following location to allow public link
# sharing
#
<Location ~ "/oc-shib/.*\.css">
AuthType None
Require all granted
</Location>
#
# Shibboleth is disabled for the following location to allow public link
# sharing
#
<Location ~ "/oc-shib/.*\.js">
AuthType None
Require all granted
</Location>
#
# Shibboleth is disabled for the following location to allow public link
# sharing
#
<Location ~ "/oc-shib/.*\.woff">
AuthType None
Require all granted
</Location>
Depending on the ownCloud Shibboleth app mode, you may need to revisit this
configuration.
The ownCloud Shibboleth App
---------------------------
After enabling the Shibboleth app on your Apps page, you need to choose the app
mode and map the necessary Shibboleth environment variables to ownCloud user
attributes on your Admin page.
.. figure:: ../images/shib-gui5.png
:alt: Shibboleth configuration screen.
*figure 1: Enabling Shibboleth on the ownCloud Admin page*
Choosing the App Mode
^^^^^^^^^^^^^^^^^^^^^
After enabling the app it will be in **Not active** mode, which ignores a
Shibboleth session and allows you to login as an administrator and inspect the
currently available Apache environment variables. Use this mode to set up the
environment mapping for the other modes, and in case you locked yourself out of
the system. You can also change the app mode and environment mappings by using
the ``occ`` command, like this example on Ubuntu Linux::
$ sudo -u www-data php occ shibboleth:mode notactive
$ sudo -u www-data php occ shibboleth:mapping --uid login
In **Single sign-on only** mode the app checks if the environment variable for
the Shibboleth session, by default **Shib-Session-Id**, is set. If that is the
case it will take the value of the environment variable as the ``uid``, by
default ``eppn``, and check if a user is known by that ``uid``. In effect, this
allows another user backend, eg. the LDAP app, to provide the ``displayname``,
``email`` and ``avatar``.
.. note:: As an example the IdP can send the **sAMAccountName** which the
Apache Shibboleth module writes to a custom Apache environment variable
called ``login``. The ownCloud Shibboleth app reads that ``login``
environment variable and tries to find an LDAP user with that ``uid``. For
this to work the LDAP backend also needs to be configured to use the
**sAMAccountName** as the **Internal Username Attribute** in the
:doc:`LDAP expert settings <../configuration_user/user_auth_ldap>`.
.. note:: In many scenarios Shibboleth is not intended to hide the user's
password from the service provider, but only to implement SSO. If that is
the case it is sufficient to protect the ownCloud base url with Shibboleth.
This will send Web users to the IdP but allow desktop and mobile clients to
continue using username and password, preventing popups due to an expired
Shibboleth session lifetime.
In **Autoprovision Users** mode the app will not ask another user backend, but
instead provision users on the fly by reading the two additional environment
variables for display name and email address.
.. figure:: ../images/shib-gui6.png
:alt: Dropdowns for mapping Shibboleth environment configuration variables to ownCloud user attributes.
*figure 2: Mapping Shibboleth environment configuration variables to ownCloud
user attributes*
In ownCloud 8.1 the Shibboleth environment variable mapping was stored in
``apps/user_shibboleth/config.php``. This file was overwritten on upgrades,
preventing a seamless upgrade procedure. In ownCloud 8.2+ the variables are
stored in the ownCloud database, making Shibboleth automatically upgradeable.
Shibboleth with Desktop and Mobile Clients
------------------------------------------
The ownCloud Desktop Client can interact with an
ownCloud instance running inside a Shibboleth Service Provider by using built-in
browser components for authentication against the IdP.
The regular ownCloud Android and iOS mobile apps do not work with Shibboleth.
However, customers who create
:doc:`branded mobile apps with ownBrander
<../enterprise_clients/creating_branded_apps>`
have the option to enable SAML authentication in ownBrander.
Enterprise customers also have the option to request a regular ownCloud
mobile client built to use Shibboleth from their ownCloud account
representatives.
The ownCloud desktop sync client and mobile apps store users' logins, so
your users only need to enter their logins the first time they set up their
accounts.
.. note:: The ownCloud clients may use only a single Shibboleth login per
ownCloud server; multi-account is not supported with Shibboleth.
These screenshots show what the user sees at account setup. Figure 1
shows a test Shibboleth login screen from
`Testshib.org <https://www.testshib.org/index.html>`_ on the ownCloud desktop
sync client.
.. figure:: ../images/shib-gui1.png
:alt: First client login screen.
*figure 3: First login screen*
Then after going through the setup wizard, the desktop sync client displays the
server and login information just like it does for any other ownCloud server
connections.
.. figure:: ../images/shib-gui4.png
:alt: The ownCloud client shows which server you are connected to.
*figure 4: ownCloud client displays server information*
To your users, it doesn't look or behave differently on the desktop sync
client, Android app, or iOS app from an ordinary ownCloud account setup. The
only difference is the initial setup screen where they enter their account
login.
WebDAV Support
--------------
Users of standard WebDAV clients can use an alternative
WebDAV Url, for example ``https://cloud.example.com/remote.php/nonshib-webdav/``
to log in with their username and password. The password is generated on the
Personal settings page.
.. image:: ../images/shibboleth-personal.png
.. note:: In **Single sign-on only** mode the alternative WebDAV Url feature
will not work, as we have no way to store the WebDAV password. Instead the
normal WebDAV endpoint can be omittet from the Shibboleth authentication,
allowing WebDAV clients to use normal username and password based
authentication. That includes the desktop and mobile clients.
For provisioning purpose an OCS API has been added to revoke a generated
password for a user:
Syntax: ``/v1/cloud/users/{userid}/non_shib_password``
* HTTP method: DELETE
Status codes:
* 100 - successful
* 998 - user unknown
Example:
::
$ curl -X DELETE "https://cloud.example.com/ocs/v1.php/cloud/users/myself@testshib.org/non_shib_password" -u admin:admin
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>100</statuscode>
<message/>
</meta>
<data/>
</ocs>
Known Limitations
-----------------
Encryption
^^^^^^^^^^
File encryption can only be used together with Shibboleth when the
:ref:`master key-based encryption <occ_encryption_label>` is used because the
per- user encryption requires the user's password to unlock the private
encryption key. Due to the nature of Shibboleth the user's password is not known
to the service provider.
Other Login Mechanisms
^^^^^^^^^^^^^^^^^^^^^^
You can allow other login mechanisms (e.g. LDAP or ownCloud native) by creating
a second Apache virtual host configuration. This second location is not
protected by Shibboleth, and you can use your other ownCloud login mechanisms.
Session Timeout
^^^^^^^^^^^^^^^
Session timeout on Shibboleth is controlled by the IdP. It is not possible to
have a session length longer than the length controlled by the IdP. In extreme
cases this could result in re-login on mobile clients and desktop clients every
hour.
The session timeout can be overridden in the service provider, but this
requires a source code change of the Apache Shibboleth module. A patch can be
provided by the ownCloud support team.
UID Considerations and Windows Network Drive compatibility
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When using ``user_shibboleth`` in **Single sign-on only** mode, together with
``user_ldap``, both apps need to resolve to the same ``uid``.
``user_shibboleth`` will do the authentication, and ``user_ldap`` will provide
user details such as ``email`` and ``displayname``. In the case of Active
Directory, multiple attributes can be used as the ``uid``. But they all have
different implications to take into account:
**sAMAccountName**
* *Example:* jfd
* *Uniqueness:* Domain local, might change e.g. marriage
* *Other implications:* Works with ``windows_network_drive`` app
**userPrincipalName**
* *Example:* jfd@owncloud.com
* *Uniqueness:* Forest local, might change on eg. marriage
* *Other implications:* TODO check WND compatibility
**objectSid**
* *Example:* S-1-5-21-2611707862-2219215769-354220275-1137
* *Uniqueness:* Domain local, changes when the user is moved to a new domain
* *Other implications:* Incompatible with ``windows_network_drive`` app
**sIDHistory**
* *Example:* Multi-value
* *Uniqueness:* Contains previous objectSIDs
* *Other implications:* Incompatible with ``windows_network_drive`` app
**objectGUID**
* *Example:* 47AB881D-0655-414D-982F-02998C905A28
* *Uniqueness:* Globally unique
* *Other implications:* Incompatible with ``windows_network_drive`` app
Keep in mind that ownCloud will derive the home folder from the ``uid``, unless
a home folder naming rule is in place. The only truly stable attribute is the
``objectGUID``, so that should be used. If not for the ``uid`` then at least as
the home folder naming rule. The tradeoff here is that if you want to use
``windows_network_drive`` you are bound to the ``sAMAccountName``, as that is
used as the login.
Also be aware that using ``user_shibboleth`` in **Autoprovision Users** mode
will not allow you to use SSO for additional ``user_ldap`` users,
because ``uid`` collisions will be detected by ``user_ldap``.
.. _the official Shibboleth wiki:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall
.. _native Apache integration:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
.. _WebDAV and Shibboleth:
https://wiki.shibboleth.net/confluence/display/SHIB2/WebDAV
.. Github references
.. update shibboleth doc, restructure some sections, add occ commands
.. https://github.com/owncloud/documentation/pull/2116/
.. Shibboleth configuration in 8.2.1
.. https://github.com/owncloud/enterprise/issues/981

View File

@@ -1,6 +1,6 @@
=========================================
==========================================
Installing Nextcloud from the Command Line
=========================================
==========================================
It is now possible to install Nextcloud entirely from the command line. This is
convenient for scripted operations, headless servers, and sysadmins who prefer

View File

@@ -293,8 +293,7 @@ Authentication via an existing LDAP or Active Directory server, or SAML.
* Authentication
User authentication via one or several LDAP or Active Directory
servers, or SAML/Shibboleth. (See `User Authentication with LDAP`_ and
`Shibboleth Integration`_.)
servers, or SAML/Shibboleth. (See `User Authentication with LDAP`_.)
* LDAP
Read-only slaves should be deployed on every application server for
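Review bot: the Authentication bullet keeps "servers, or SAML/Shibboleth." after the `Shibboleth Integration`_ link is dropped, and the same commit deletes the Shibboleth integration page, so the manual still names an authentication option it no longer documents. Suggest removing "or SAML/Shibboleth" from this bullet, or replacing the dropped link with an external reference.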
@@ -493,9 +492,6 @@ References
https://nextcloud.com/enterprise/
.. _F5 Big-IP: https://f5.com/products/big-ip/
.. _Shibboleth Integration:
https://docs.nextcloud.org/server/9/admin_manual/enterprise_user_management/
user_auth_shibboleth.html
.. _Memcache StorageService:
https://wiki.shibboleth.net/confluence/display/SHIB2/
NativeSPStorageService#NativeSPStorageService-MemcacheStorageService
@@ -509,4 +505,4 @@ References
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-redis-server
-as -a-session-handler-for-php-on-ubuntu-14-04
.. _HAProxy documentation:
http://www.haproxy.org/#docs
http://www.haproxy.org/#docs

View File

@@ -77,12 +77,6 @@ If you wish to track a specific major release, such as 8.2 or 9.0, then use
that repo. That way you won't accidentally find yourself looking at an upgrade
to the next major release before you're ready.
Installing ownCloud Enterprise Edition
--------------------------------------
See :doc:`../enterprise_installation/linux_installation` for instructions on
installing ownCloud Enterprise edition.
Downgrading Not Supported
-------------------------

View File

@@ -1,6 +1,6 @@
=================================================
==================================================
Nginx Configuration for the Nextcloud 9.x Branches
=================================================
==================================================
The following configuration should be used when Nextcloud is placed in the
webroot of your Nginx installation. Be careful about line breaks if you copy
@@ -13,7 +13,7 @@ Thanks to `@josh4trunks <https://github.com/josh4trunks>`_ for providing /
creating these configuration examples.
Nextcloud in the webroot of nginx
--------------------------------
---------------------------------
The following config should be used when Nextcloud is placed in the webroot of
your nginx installation.

View File

@@ -2,9 +2,6 @@
Manual Installation on Linux
============================
.. note:: Enterprise customers should refer to
:doc:`../enterprise_installation/linux_installation`
If there are no packages for your Linux distribution, or you prefer installing
from the source tarball, you can setup Nextcloud from scratch using a classic
LAMP stack (Linux, Apache, MySQL/MariaDB, PHP). This document provides a

View File

@@ -8,7 +8,7 @@ restore:
#. The configuration directory
#. The data directory
#. The database
# The theme directory
#. The theme directory
.. note:: You must have both the database and data directory. You cannot
complete restoration unless you have both of these.

View File

@@ -17,10 +17,6 @@ There are three ways to upgrade your ownCloud server:
files, except ``data/`` and ``config/`` files, on your hosting account. Then
transfer the new ownCloud files to your hosting account, again
preserving your existing ``data/`` and ``config/`` files.
* Enterprise customers will use their Enterprise software
repositories to maintain their ownCloud servers, rather than the Open Build
Service. Please see :doc:`../enterprise_installation/linux_installation` for
more information.
When an update is available for your ownCloud server, you will see a
notification at the top of your ownCloud Web interface. When you click the
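Review bot: the sentence shown in the hunk header, "There are three ways to upgrade your ownCloud server:", introduces the list this hunk shortens by one bullet. Confirm the list still has three entries after the Enterprise bullet is removed, and adjust the count in that sentence if it does not.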