Skip to content

enhance: do not try to create demo users with Keycloak and LDAP enabled #109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
schweigisito wants to merge 1 commit into from
Closed

enhance: do not try to create demo users with Keycloak and LDAP enabled #109

schweigisito wants to merge 1 commit into from

Conversation

@schweigisito
Copy link
Contributor

@schweigisito schweigisito commented Oct 7, 2025
edited
Loading

If idm/ldap-keycloak.yml is used to deploy Keycload and LDAP service, it doesn't start the opencloud service if the .env file also contains DEMO_USERS=true.

To avoid this conflicting situation, idm/ldap-keycloak.yml disables creating demo users by explicitly setting IDM_CREATE_DEMO_USERS: "false".

@schweigisito schweigisito requested a review from micbar October 7, 2025 08:20
@schweigisito schweigisito self-assigned this Oct 7, 2025
@micbar
Copy link
Contributor

micbar commented Oct 7, 2025

Interesting, the variable is needed even when the IDM service is not running? That feels more like a bug in opencloud. @rhafer

@schweigisito
Copy link
Contributor Author

schweigisito commented Oct 7, 2025

@rhafer suggested to give it a try using DEMO_USERS: "" within the ldap-keycloak.yml, but this didn't help as the DEMO_USERS=true from the .env file seems to override the .yml file. Therefore I chose the actual service variable IDM_CREATE_DEMO_USERS.

@rhafer
Copy link
Contributor

rhafer commented Oct 7, 2025
edited
Loading

Interesting, the variable is needed even when the IDM service is not running? That feels more like a bug in opencloud. @rhafer

The variable is also used by the settings service. It checks for that to figure our whether to create the default role assignments. The settings service does not reliably know whether the idm service is enabled or not.

It's debatable whether the settings service should actually evaluate the IDM_CREATE_DEMO_USERS setting (but that would mainly be a naming issue OCIS_CREATE_DEMO_USERS (which we don't have currently) vs IDM_CREATE_DEMO_USERS I rather keep that as it is.

I think the fix is fine. The ldap compose file already forces the OC_ADMIN_USER_ID to be empty, which conflicts with the DEMO_USERS=true from .env. To work correctly, IDM_CREATE_DEMO_USERS needs to be empty as well.

@micbar
Copy link
Contributor

micbar commented Oct 7, 2025

Then please add a code comment with the reasoning.

@rhafer
Copy link
Contributor

rhafer commented Oct 7, 2025
edited
Loading

@schweigisito I just noticed, that instead of unsetting IDM_CREATE_DEMO_USERS (or setting it to false) you might just want to set SETTINGS_SETUP_DEFAULT_ASSIGNMENTS=false it basically has the same effect but is more to the point and specific to the settings service. If present, SETTINGS_SETUP_DEFAULT_ASSIGNMENTS takes precedence over IDM_CREATE_DEMO_USERS.

Scratch that. SETTINGS_SETUP_DEFAULT_ASSIGNMENTS is already present. Which is weird, something might be wrong with the precedence of the different env vars there. Need to check.

@rhafer rhafer mentioned this pull request Oct 7, 2025
Merged
@rhafer
Copy link
Contributor

rhafer commented Oct 7, 2025

opencloud-eu/opencloud#1625 this should fix the problem without any changes to the compose file.

@schweigisito
Copy link
Contributor Author

schweigisito commented Oct 7, 2025

I will close this PR without merging as the underlying issue has been fixed by opencloud-eu/opencloud#1625

@schweigisito schweigisito deleted the fix/disable-demo-users-with-keycloak branch October 7, 2025 19:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@micbar micbar Awaiting requested review from micbar

Assignees

@schweigisito schweigisito

Labels

Type:Enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@schweigisito @micbar @rhafer