Insights into Nextcloud’s User Management, Linux-Tage, 14 March 2018, Nextcloud GmbH
Nextcloud GmbH 2
What is it about?
Agenda
● Architectural Overview
● Component Specifics
● Use Cases
What is Nextcloud?
● Secure data
● Private clouds
● Cross-cloud sharing
● Audio & video chat
Architectural Overview
Architecture (diagram on the slide): requests pass through the (Security) Middleware to the frontend controllers (FrontendController, LoginController, further FrontendControllers), which call the business logic; the User Manager and User Object sit between that logic and the pluggable user backends, each implementing UserInterface: Database (UserInterface), User_LDAP (UserInterface), myCustomBase (UserInterface).
What is a user?
● Loginname(s), UserID, Displaynames
  – UserID happens to be a custom, but unique string
  – UserID is immutable
● Set of features (e.g. emails, quota, avatar)
● Bound to a backend
Backend: \OCP\UserInterface
● implementsActions()
● deleteUser()
● getUsers()
● userExists()
● getDisplayName()
● getDisplayNames()
● hasUserListings()
● checkPassword()
● createUser()
● countUsers()
● setDisplayName()
● setPassword()
● getHome()
● canChangeAvatar()
Service: \OCP\IUserManager
● Backend handling (adding, removing, listing)
● User checks, retrieval, listing and searches
● User auth
● User modification (create)
● Iterating over “seen” users
User object: \OCP\IUser
● Querying data (uid, display name, email, avatar, directory, quota)
● Manipulation (display name, password, state, quota; deletion)
  – As proxy for DB APIs or Backend APIs
● Capability detection (canChangeAvatar, -Password, -DisplayName)
User data in database tables

                      Database      LDAP                 SAML
User list / mapping   users         ldap_user_mapping    user_saml_users
User features         preferences (shared by all backends)
User profiles         accounts (shared by all backends)
Component Specifics
Database backend in a nutshell
● Native, always-on user backend
● Managed in Nextcloud
● Loginname is the case-insensitive UserID
LDAP Backend principles
● up to date, but performing
● read-only, but opt-in password change
● fine-tuned control per filters and bases
● feature detection instead of fingerprinting
  – as vendor agnostic as possible
● offers a Provider for other apps to hook in
How does an LDAP user go into the cloud
● LDAP configuration must exist
● Search op against LDAP returns user record data
  – Triggered e.g. on sharing dialogue, users page or login
● If not a known user, create a UserID, map against DN and UUID
  – Includes UserID collision checks (appends random number in case)
How does an LDAP user leave the cloud
● We figure out when a user cannot be read from LDAP
  – Looping background job
● We don’t know why, though
● Everything is kept in place, until manual deletion
● occ ldap:
  – show-remnants
  – check-user [--force] $userid
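The two slides above describe the life cycle of a directory user: a search op returns a record, the backend allocates an immutable UserID (resolving collisions by appending a random number) and maps it to the entry's DN and UUID; later, a background job notices users it can no longer read, but nothing is deleted until an administrator decides. The following Python model is an added illustration of that logic, not the code of the user_ldap app: the mapping table layout, the `reserved` set standing in for UserIDs owned by other backends, the suffix range and the sample records in `main()` are all constructed here.

```python
"""Added illustration, not the user_ldap app's code: how a directory-backed
user backend assigns an immutable UserID to a record found by an LDAP search,
keeps the DN/UUID mapping, resolves UserID collisions by appending a random
number, and later reports "remnants" (mapped users that can no longer be read
from the directory) instead of deleting them.  The mapping table layout, the
suffix range and the sample records in main() are constructed."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Mapping:
    """One row of the (constructed) user-mapping table."""
    uid: str        # Nextcloud UserID: unique and never changed afterwards
    dn: str         # distinguished name; may change when the entry is moved/renamed
    uuid: str       # directory UUID (entryUUID/objectGUID style); stable
    last_seen: int  # model time of the last successful read from the directory


class LdapUserMapper:
    def __init__(self, reserved: Optional[Set[str]] = None, rng: Optional[random.Random] = None):
        self.by_uuid: Dict[str, Mapping] = {}
        self.by_uid: Dict[str, Mapping] = {}
        # UserIDs owned by other backends (e.g. the database backend).  Nextcloud
        # asks every registered backend; this model just takes a set.
        self.reserved = set(reserved or ())
        self.rng = rng or random.Random()

    def _free_uid(self, wanted: str) -> str:
        """Collision check: append a random number until the UserID is unused."""
        uid = wanted
        while uid in self.by_uid or uid in self.reserved:
            uid = f"{wanted}{self.rng.randint(1, 9999)}"   # constructed range
        return uid

    def map_record(self, dn: str, uuid: str, wanted_uid: str, now: int) -> Mapping:
        """Called with the data a search op returned for one user."""
        known = self.by_uuid.get(uuid)
        if known is not None:
            known.dn = dn            # follow moves/renames; uid and uuid stay
            known.last_seen = now
            return known
        row = Mapping(uid=self._free_uid(wanted_uid), dn=dn, uuid=uuid, last_seen=now)
        self.by_uuid[uuid] = row
        self.by_uid[row.uid] = row
        return row

    def remnants(self, now: int, max_age: int) -> List[str]:
        """UserIDs not read from the directory for longer than max_age.
        Only reported; nothing is removed without an administrator's decision."""
        return sorted(r.uid for r in self.by_uid.values() if now - r.last_seen > max_age)


if __name__ == "__main__":
    mapper = LdapUserMapper(reserved={"admin"}, rng=random.Random(7))
    # constructed sample records, as a search op might return them
    for dn, uuid, wanted in [
        ("uid=jdoe,ou=people,dc=example,dc=org", "uuid-1", "jdoe"),
        ("uid=jdoe,ou=contractors,dc=example,dc=org", "uuid-2", "jdoe"),   # same login name
        ("cn=Admin,dc=example,dc=org", "uuid-3", "admin"),                  # clashes with DB admin
    ]:
        print(mapper.map_record(dn, uuid, wanted, now=100))
    mapper.map_record("uid=jdoe,ou=staff,dc=example,dc=org", "uuid-1", "jdoe", now=200)  # moved
    print("remnants:", mapper.remnants(now=200, max_age=50))
```

The design point worth noticing is that identity is anchored on the directory UUID, not the DN: moving or renaming an entry updates the DN in the mapping but keeps the UserID, which is what lets home directories and shares survive directory reorganisations.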
How LDAP got pluggable write support
● Cheers to Vinicius Brand and his friends at eita
● Channels: IRC (optional), Github
● Feature merged with PR 5321
Process shown on the slide: Problem → discuss solution → Code & Review → Win :)
Use Cases
Access Control
● Apps offer pages and APIs
● Annotations are used to direct Middleware
● No boilerplate code needed
● Strict by default
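“Strict by default” means that a controller method without any annotation gets the tightest policy, and an annotation can only ever relax it. The Python model below is an added illustration of that principle, not Nextcloud's security middleware: the annotation names mirror the ones Nextcloud uses on controller methods (PublicPage, NoAdminRequired, NoCSRFRequired), while `Session`, `Request` and the three handlers are constructed stand-ins.

```python
"""Added illustration (not Nextcloud's own middleware): how annotation-driven
access control can be strict by default.  A handler with no annotations needs
a logged-in admin user and a valid CSRF token; each annotation removes exactly
one requirement.  The annotation names mirror the ones Nextcloud uses
(PublicPage, NoAdminRequired, NoCSRFRequired); Session and Request are
constructed stand-ins for the real request objects."""
import hmac
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Session:
    uid: Optional[str]         # None when nobody is logged in
    is_admin: bool = False
    csrf_token: str = ""       # secret bound to this session


@dataclass
class Request:
    session: Session
    csrf_token: str = ""       # what the client sent (header or form field)


class AccessDenied(Exception):
    pass


def annotations(*names: str):
    """Decorator recording a handler's annotations, like PHPDoc tags on a controller method."""
    def wrap(fn):
        fn.annotation_set = set(names)
        return fn
    return wrap


def check_access(handler, request: Request) -> None:
    """Strict by default; annotations only ever relax the policy."""
    tags: Set[str] = getattr(handler, "annotation_set", set())
    session = request.session
    if "PublicPage" not in tags:
        if session.uid is None:
            raise AccessDenied("login required")
        if "NoAdminRequired" not in tags and not session.is_admin:
            raise AccessDenied("admin required")
    if "NoCSRFRequired" not in tags:
        # Constant-time comparison; an empty session token never passes.
        if not session.csrf_token or not hmac.compare_digest(session.csrf_token, request.csrf_token):
            raise AccessDenied("CSRF check failed")


def dispatch(handler, request: Request):
    check_access(handler, request)
    return handler()


def allowed(handler, request: Request) -> bool:
    """True when the middleware lets the request through to the handler."""
    try:
        dispatch(handler, request)
        return True
    except AccessDenied:
        return False


# Three handlers with different annotation sets.
def admin_settings():          # no annotations: the strictest policy applies
    return "admin settings"


@annotations("NoAdminRequired")
def my_files():                # any logged-in user, CSRF token still required
    return "files of the current user"


@annotations("PublicPage", "NoCSRFRequired")
def public_share():            # anonymous, e.g. a public share link
    return "shared file"


if __name__ == "__main__":
    admin = Session(uid="root", is_admin=True, csrf_token="tok-root")
    user = Session(uid="alice", csrf_token="tok-alice")
    anon = Session(uid=None)
    print(allowed(admin_settings, Request(admin, "tok-root")))   # True
    print(allowed(admin_settings, Request(user, "tok-alice")))   # False: admin required
    print(allowed(my_files, Request(user, "")))                  # False: CSRF check failed
    print(allowed(public_share, Request(anon)))                  # True
```

The failure mode this design avoids is the forgotten check: a developer who adds a new endpoint and writes no access-control code gets admin-only plus CSRF protection, and has to opt out explicitly and visibly in the annotations to expose anything more widely.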
Auto-completing Users
● An app wants to offer users to share with or to mention
● → AutoComplete endpoint
● core/Controller/AutoCompleteController.php
Working with a specific user
Working with a set of users
Working with the current user
● IUserSession instance contains information
● … and does some validation
● returns IUser or null
Reacting to Hooks
● preLogin, postLogin
● preRememberedLogin
● logout, postLogout
● preCreateUser, postCreateUser
● preDelete, postDelete
● preSetPassword, postSetPassword
● changeUser
● \OC\Hooks\EmitterTrait contains code for listening and emitting
● No public API yet
Reacting to Hooks contd.
Emitting Hooks
Devop: Provisioning API
● Provides all means of user creation and modification
● Base endpoint: https://nextcloud.server/ocs/v2.php/cloud/users[/userid[/action]]
● Similar API for groups, apps
open-collaboration-services.org
Give an LDAP user admin privileges
Requiring a second factor for login
● Or is “12E456” secure enough?
● Another token to protect against guessed, brute-forced or stolen paroles
● TOTP and U2F available
The road to your 2FA Provider
● Create a new app
● Implement OCP\Authentication\TwoFactorAuth\IProvider
● Announce in info.xml
Example: TOTP Challenge
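The slide's own TOTP example is not preserved in this transcript. As an added example (not the code of Nextcloud's twofactor_totp app), the block below implements RFC 6238 TOTP with only the Python standard library and shows what a provider's challenge verification has to get right beyond computing the code: fixed-width truncation with leading zeros, a small clock-skew window, constant-time comparison, and refusing a code that was already accepted. The secret in `main()` is the RFC 6238 test-vector secret; the window, step and user names are constructed.

```python
"""Added example, not the code of Nextcloud's twofactor_totp app: a TOTP
(RFC 6238) generator and a verifier with the checks a second-factor provider's
challenge verification needs: fixed-width truncation, a small clock-skew
window, constant-time comparison, and rejection of a code that was already
accepted (replay).  Only the standard library is used.  The secret in main()
is the RFC 6238 test-vector secret; window, step and user names are constructed."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def totp_at(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 with HMAC-SHA1: counter = floor(time / step), dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32; padding is optional."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class TotpVerifier:
    """Checks submitted codes and remembers the last accepted step per user."""

    def __init__(self, window: int = 1, step: int = 30, digits: int = 6):
        self.window, self.step, self.digits = window, step, digits
        self.last_step: Dict[str, int] = {}

    def verify(self, uid: str, secret: bytes, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if len(code) != self.digits or not code.isdigit():
            return False                     # reject malformed input before any crypto
        current = now // self.step
        for delta in range(-self.window, self.window + 1):   # tolerate small clock skew
            step = current + delta
            expected = totp_at(secret, step * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):
                if step <= self.last_step.get(uid, -1):
                    return False             # already consumed: a replayed code
                self.last_step[uid] = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 6238 Appendix B test secret
    print(totp_at(secret, 59))              # 287082 (RFC vector 94287082, last 6 digits)
    v = TotpVerifier()
    print(v.verify("alice", secret, "287082", now=59))    # True
    print(v.verify("alice", secret, "287082", now=60))    # False: replay
```

Keeping the last accepted step per user is what turns a time-based code into a one-time code; without it, anyone who observes a valid code has the whole step (plus the skew window) to reuse it.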
App passwords
● 2FA is available on web login only
● Easy way for third party apps or devices to use Nextcloud
● … and revoke them
● Forced with 2FA
● token_auth_enforced in config.php
Mobile/Desktop application needs access
● Obtain an app password via web login: “Login Flow”
● User logs in as normal the first time, and can revoke the password any time
● If you need the userid, request ocs/v2.php/cloud/user subsequently
Flow shown on the slide: App → opens /login/flow in a Webview → Login screen → regular login → the app receives loginname + app password (or a denial)
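The last two slides describe app passwords as per-device credentials: minted once at the end of the login flow, usable in place of the account password, revocable individually, and (with token_auth_enforced in config.php) the only credential non-browser clients may use. The block below is an added illustration of that model, not Nextcloud's token store; the class and field names, the hash choice and the sample session in `main()` are constructed, and `account_password_ok` stands in for the real password check, which happens elsewhere.

```python
"""Added illustration, not Nextcloud's token store: app passwords as the slides
describe them.  A device token is minted once at the end of the login flow,
stored only as a hash, accepted in place of the account password, revocable per
device, and a token_auth_enforced-style switch refuses the real account password
to non-browser clients so that only revocable tokens reach devices.  Class and
field names, the hash choice and the sample session in main() are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class AppToken:
    token_id: int
    uid: str            # the immutable UserID, not the loginname
    device: str         # label shown in the user's revoke list
    token_hash: bytes   # SHA-256 of the secret; the plaintext is never stored
    revoked: bool = False


class AppPasswordStore:
    def __init__(self, token_auth_enforced: bool = False):
        self.tokens: Dict[int, AppToken] = {}
        self.token_auth_enforced = token_auth_enforced   # mirrors the config.php switch
        self._next_id = 1

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, uid: str, device: str) -> Tuple[int, str]:
        """Called once the user has logged in through the web login flow.
        Returns the plaintext exactly once; afterwards only the hash exists."""
        plain = secrets.token_urlsafe(32)               # 256 bits of randomness
        tid, self._next_id = self._next_id, self._next_id + 1
        self.tokens[tid] = AppToken(tid, uid, device, self._digest(plain))
        return tid, plain

    def revoke(self, token_id: int) -> None:
        """The user can cut off one device without touching the account password."""
        self.tokens[token_id].revoked = True

    def check_token(self, uid: str, presented: str) -> bool:
        digest = self._digest(presented)
        return any(
            t.uid == uid and not t.revoked and hmac.compare_digest(t.token_hash, digest)
            for t in self.tokens.values()
        )

    def login(self, uid: str, presented: str, account_password_ok: bool, is_browser: bool) -> str:
        """Returns which credential was accepted: 'token', 'password' or 'denied'.
        account_password_ok is the result of the real password check, done elsewhere."""
        if self.check_token(uid, presented):
            return "token"
        if account_password_ok and (is_browser or not self.token_auth_enforced):
            return "password"
        return "denied"


if __name__ == "__main__":
    store = AppPasswordStore(token_auth_enforced=True)
    tid, plain = store.issue("alice", "Phone")          # handed to the app by the login flow
    print(store.login("alice", plain, account_password_ok=False, is_browser=False))     # token
    print(store.login("alice", "Pa55w0rd", account_password_ok=True, is_browser=False))  # denied
    store.revoke(tid)
    print(store.check_token("alice", plain))             # False
```

The security value is in the combination: because the token is random and stored hashed, a compromised device or database row exposes neither the account password nor other devices' tokens, and because each token has its own row, revoking one device leaves the rest of the user's sessions untouched.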
Reference examples
● Android app/Java
  – New weblogin flow
  – https://github.com/nextcloud/android/pull/1148
● Desktop Client/C++
  – Add weblogin flow for NC > 12
  – https://github.com/nextcloud/client/pull/75
● iOS/Swift & Objective-C
  – Commit: login flow
  – https://github.com/nextcloud/ios/commit/64d7c7dbfa6603069bf40100e4430f670c5fd6
Resources
● Website https://nextcloud.com
● Source repositories https://github.com/nextcloud/
● Developer documentation https://docs.nextcloud.com/server/13/developer_manual/
● Forum https://help.nextcloud.com/
● IRC #[email protected]
Nextcloud GmbH, Hauptmannsreute 44A, 70192 Stuttgart, Germany
nextcloud.com
A safe home for all your data