---
services:
  traefik:
    networks:
      opencloud-net:

  opencloud:
    environment:
      # Ldap IDP specific configuration
      OC_LDAP_URI: ldaps://ldap-server:1636
      OC_LDAP_INSECURE: "true"
      OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
      OC_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
      OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=opencloud,dc=eu"
      OC_LDAP_GROUP_SCHEMA_ID: "entryUUID"
      OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
      OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
      OC_LDAP_USER_SCHEMA_ID: "entryUUID"
      OC_LDAP_DISABLE_USER_MECHANISM: "none"
      GRAPH_LDAP_SERVER_UUID: "true"
      GRAPH_LDAP_GROUP_CREATE_BASE_DN: "ou=custom,ou=groups,dc=opencloud,dc=eu"
      GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
      FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
      OC_LDAP_SERVER_WRITE_ENABLED: "false" # assuming the external ldap is not writable
      # OC_RUN_SERVICES specifies to start all services except glauth, idm and accounts. These are replaced by external services
      OC_EXCLUDE_RUN_SERVICES: idm

  ldap-server:
    image: bitnami/openldap:2.6
    networks:
      opencloud-net:
    entrypoint: ["/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
    environment:
      BITNAMI_DEBUG: true
      LDAP_TLS_VERIFY_CLIENT: never
      LDAP_ENABLE_TLS: "yes"
      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt
      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
      LDAP_ROOT: "dc=opencloud,dc=eu"
      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
    ports:
      - "127.0.0.1:389:1389"
      - "127.0.0.1:636:1636"
    volumes:
      - ./config/ldap/ldif:/ldifs
      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
      - ldap-certs:/opt/bitnami/openldap/share
      - ldap-data:/bitnami/openldap
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

volumes:
  ldap-certs:
  ldap-data:

networks:
  opencloud-net:
