Tenant

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/blevesearch/bleve/v2 v2.5.2
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/coreos/go-oidc/v3 v3.14.1
-	github.com/cs3org/go-cs3apis v0.0.0-20250703154118-810365dec814
+	github.com/cs3org/go-cs3apis v0.0.0-20250725064958-2d9caef4db2a
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
@@ -64,7 +64,7 @@ require (
 	github.com/onsi/gomega v1.37.0
 	github.com/open-policy-agent/opa v1.6.0
 	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
-	github.com/opencloud-eu/reva/v2 v2.35.0
+	github.com/opencloud-eu/reva/v2 v2.35.1-0.20250805150512-1bcca91111ef
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.12

go.sum

@@ -244,8 +244,8 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
-github.com/cs3org/go-cs3apis v0.0.0-20250703154118-810365dec814 h1:bo0vg45RDYHOJn33XhfRB830gqrlQJoCQjqUkR2fiAk=
-github.com/cs3org/go-cs3apis v0.0.0-20250703154118-810365dec814/go.mod h1:DedpcqXl193qF/08Y04IO0PpxyyMu8+GrkD6kWK2MEQ=
+github.com/cs3org/go-cs3apis v0.0.0-20250725064958-2d9caef4db2a h1:4IvTz3MUno/nlgngdyZhkyxzJR/w7+H+2ZXoZQKidgg=
+github.com/cs3org/go-cs3apis v0.0.0-20250725064958-2d9caef4db2a/go.mod h1:DedpcqXl193qF/08Y04IO0PpxyyMu8+GrkD6kWK2MEQ=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
 github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
@@ -868,8 +868,8 @@ github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-202505121527
 github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a/go.mod h1:pjcozWijkNPbEtX5SIQaxEW/h8VAVZYTLx+70bmB3LY=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76 h1:vD/EdfDUrv4omSFjrinT8Mvf+8D7f9g4vgQ2oiDrVUI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
-github.com/opencloud-eu/reva/v2 v2.35.0 h1:lKxGiI9yFD7MTeyFJa68BQD+DiB1rQvhC8QePa/Vlc4=
-github.com/opencloud-eu/reva/v2 v2.35.0/go.mod h1:UVPwuMjfgPekuh7unWavJSiPihgmk1GYF3xct0q3+X0=
+github.com/opencloud-eu/reva/v2 v2.35.1-0.20250805150512-1bcca91111ef h1:hGdTxp1Q4smixC5t8kCoD5ByDArrlMYOWwM2IIfUpjw=
+github.com/opencloud-eu/reva/v2 v2.35.1-0.20250805150512-1bcca91111ef/go.mod h1:/FyYaUWxtllu8TOcIIx53BjChc+hSpcQicBI/OTICjw=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=

services/auth-basic/pkg/config/config.go

@@ -84,6 +84,7 @@ type LDAPProvider struct {
 
 type LDAPUserSchema struct {
 	ID              string `yaml:"id" env:"OC_LDAP_USER_SCHEMA_ID;AUTH_BASIC_LDAP_USER_SCHEMA_ID" desc:"LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID." introductionVersion:"1.0.0"`
+	TenantID        string `yaml:"tenant_id" env:"OC_LDAP_USER_SCHEMA_TENANT_ID;AUTH_BASIC_LDAP_USER_SCHEMA_TENANT_ID" desc:"LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment." introductionVersion:"%%NEXT%%"`
 	IDIsOctetString bool   `yaml:"id_is_octet_string" env:"OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING" desc:"Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs." introductionVersion:"1.0.0"`
 	Mail            string `yaml:"mail" env:"OC_LDAP_USER_SCHEMA_MAIL;AUTH_BASIC_LDAP_USER_SCHEMA_MAIL" desc:"LDAP Attribute to use for the email address of users." introductionVersion:"1.0.0"`
 	DisplayName     string `yaml:"display_name" env:"OC_LDAP_USER_SCHEMA_DISPLAYNAME;AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME" desc:"LDAP Attribute to use for the displayname of users." introductionVersion:"1.0.0"`

services/auth-basic/pkg/revaconfig/config.go

@@ -77,6 +77,7 @@ func ldapConfigFromString(cfg config.LDAPProvider) map[string]interface{} {
 		"idp":                     cfg.IDP,
 		"user_schema": map[string]interface{}{
 			"id":              cfg.UserSchema.ID,
+			"tenantId":        cfg.UserSchema.TenantID,
 			"idIsOctetString": cfg.UserSchema.IDIsOctetString,
 			"mail":            cfg.UserSchema.Mail,
 			"displayName":     cfg.UserSchema.DisplayName,

services/graph/pkg/config/config.go

@@ -73,6 +73,7 @@ type LDAP struct {
 	UserNameAttribute        string `yaml:"user_name_attribute" env:"OC_LDAP_USER_SCHEMA_USERNAME;GRAPH_LDAP_USER_NAME_ATTRIBUTE" desc:"LDAP Attribute to use for username of users." introductionVersion:"1.0.0"`
 	UserIDAttribute          string `yaml:"user_id_attribute" env:"OC_LDAP_USER_SCHEMA_ID;GRAPH_LDAP_USER_UID_ATTRIBUTE" desc:"LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID." introductionVersion:"1.0.0"`
 	UserIDIsOctetString      bool   `yaml:"user_id_is_octet_string" env:"OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING" desc:"Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's." introductionVersion:"1.0.0"`
+	UserTenantIDAttribute    string `yaml:"user_tenant_id_attribute" env:"OC_LDAP_USER_SCHEMA_TENANT_ID;GRAPH_LDAP_USER_SCHEMA_TENANT_ID" desc:"LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment." introductionVersion:"%%NEXT%%"`
 	UserTypeAttribute        string `yaml:"user_type_attribute" env:"OC_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE" desc:"LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'." introductionVersion:"1.0.0"`
 	UserEnabledAttribute     string `yaml:"user_enabled_attribute" env:"OC_LDAP_USER_ENABLED_ATTRIBUTE;GRAPH_USER_ENABLED_ATTRIBUTE" desc:"LDAP Attribute to use as a flag telling if the user is enabled or disabled." introductionVersion:"1.0.0"`
 	DisableUserMechanism     string `yaml:"disable_user_mechanism" env:"OC_LDAP_DISABLE_USER_MECHANISM;GRAPH_DISABLE_USER_MECHANISM" desc:"An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'." introductionVersion:"1.0.0"`

services/graph/pkg/config/defaults/defaultconfig.go

@@ -96,6 +96,7 @@ func DefaultConfig() *config.Config {
 				// FIXME: switch this to some more widely available attribute by default
 				//        ideally this needs to	be constant for the lifetime of a users
 				UserIDAttribute:           "openCloudUUID",
+				UserTenantIDAttribute:     "",
 				UserTypeAttribute:         "openCloudUserType",
 				UserEnabledAttribute:      "openCloudUserEnabled",
 				DisableUserMechanism:      "attribute",

services/graph/pkg/identity/cs3.go

@@ -10,12 +10,12 @@ import (
 	cs3group "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1"
 	cs3user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	cs3rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
+	libregraph "github.com/opencloud-eu/libre-graph-api-go"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/pkg/shared"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/odata"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
-	libregraph "github.com/opencloud-eu/libre-graph-api-go"
 )
 
 var (
@@ -44,7 +44,7 @@ func (i *CS3) UpdateUser(ctx context.Context, nameOrID string, user libregraph.U
 }
 
 // GetUser implements the Backend Interface.
-func (i *CS3) GetUser(ctx context.Context, userID string, _ *godata.GoDataRequest) (*libregraph.User, error) {
+func (i *CS3) GetUser(ctx context.Context, nameOrId string, _ *godata.GoDataRequest) (*libregraph.User, error) {
 	logger := i.Logger.SubloggerWithRequestID(ctx)
 	logger.Debug().Str("backend", "cs3").Msg("GetUser")
 	gatewayClient, err := i.GatewaySelector.Next()
@@ -53,22 +53,43 @@ func (i *CS3) GetUser(ctx context.Context, userID string, _ *godata.GoDataReques
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
 	}
 
+	// Try to get the user by username first
 	res, err := gatewayClient.GetUserByClaim(ctx, &cs3user.GetUserByClaimRequest{
-		Claim: "userid", // FIXME add consts to reva
-		Value: userID,
+		Claim: "username", // FIXME add consts to reva
+		Value: nameOrId,
 	})
 
 	switch {
 	case err != nil:
-		logger.Error().Str("backend", "cs3").Err(err).Str("userid", userID).Msg("error sending get user by claim id grpc request: transport error")
+		logger.Error().Str("backend", "cs3").Err(err).Str("nameOrId", nameOrId).Msg("error sending get user by claim id grpc request: transport error")
+		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
+	case res.GetStatus().GetCode() == cs3rpc.Code_CODE_OK:
+		return CreateUserModelFromCS3(res.GetUser()), nil
+	case res.GetStatus().GetCode() == cs3rpc.Code_CODE_NOT_FOUND:
+		// If the user was not found by username, try to get it by user ID
+	default:
+		logger.Debug().Str("backend", "cs3").Err(err).Str("nameOrId", nameOrId).Msg("error sending get user by claim id grpc request")
+		return nil, errorcode.New(errorcode.GeneralException, res.GetStatus().GetMessage())
+
+	}
+
+	// If the user was not found by username, try to get it by user ID
+	res, err = gatewayClient.GetUserByClaim(ctx, &cs3user.GetUserByClaimRequest{
+		Claim: "userid", // FIXME add consts to reva
+		Value: nameOrId,
+	})
+	switch {
+	case err != nil:
+		logger.Error().Str("backend", "cs3").Err(err).Str("nameOrId", nameOrId).Msg("error sending get user by claim id grpc request: transport error")
 		return nil, errorcode.New(errorcode.ServiceNotAvailable, err.Error())
 	case res.GetStatus().GetCode() != cs3rpc.Code_CODE_OK:
 		if res.GetStatus().GetCode() == cs3rpc.Code_CODE_NOT_FOUND {
 			return nil, errorcode.New(errorcode.ItemNotFound, res.GetStatus().GetMessage())
 		}
-		logger.Debug().Str("backend", "cs3").Err(err).Str("userid", userID).Msg("error sending get user by claim id grpc request")
+		logger.Debug().Str("backend", "cs3").Err(err).Str("nameOrId", nameOrId).Msg("error sending get user by claim id grpc request")
 		return nil, errorcode.New(errorcode.GeneralException, res.GetStatus().GetMessage())
 	}
+
 	return CreateUserModelFromCS3(res.GetUser()), nil
 }
 
@@ -167,7 +188,7 @@ func (i *CS3) GetGroups(ctx context.Context, oreq *godata.GoDataRequest) ([]*lib
 
 // CreateGroup implements the Backend Interface. It's currently not supported for the CS3 backend
 func (i *CS3) CreateGroup(ctx context.Context, group libregraph.Group) (*libregraph.Group, error) {
-	return nil, errorcode.New(errorcode.NotSupported, "not implemented")
+	return nil, errNotImplemented
 }
 
 // GetGroup implements the Backend Interface.
@@ -202,25 +223,25 @@ func (i *CS3) GetGroup(ctx context.Context, groupID string, queryParam url.Value
 
 // DeleteGroup implements the Backend Interface. It's currently not supported for the CS3 backend
 func (i *CS3) DeleteGroup(ctx context.Context, id string) error {
-	return errorcode.New(errorcode.NotSupported, "not implemented")
+	return errNotImplemented
 }
 
 // UpdateGroupName implements the Backend Interface. It's currently not supported for the CS3 backend
 func (i *CS3) UpdateGroupName(ctx context.Context, groupID string, groupName string) error {
-	return errorcode.New(errorcode.NotSupported, "not implemented")
+	return errNotImplemented
 }
 
 // GetGroupMembers implements the Backend Interface. It's currently not supported for the CS3 backend
 func (i *CS3) GetGroupMembers(ctx context.Context, groupID string, _ *godata.GoDataRequest) ([]*libregraph.User, error) {
-	return nil, errorcode.New(errorcode.NotSupported, "not implemented")
+	return nil, errNotImplemented
 }
 
 // AddMembersToGroup implements the Backend Interface. It's currently not supported for the CS3 backend
 func (i *CS3) AddMembersToGroup(ctx context.Context, groupID string, memberID []string) error {
-	return errorcode.New(errorcode.NotSupported, "not implemented")
+	return errNotImplemented
 }
 
 // RemoveMemberFromGroup implements the Backend Interface. It's currently not supported for the CS3 backend
 func (i *CS3) RemoveMemberFromGroup(ctx context.Context, groupID string, memberID string) error {
-	return errorcode.New(errorcode.NotSupported, "not implemented")
+	return errNotImplemented
 }

services/graph/pkg/identity/ldap.go

@@ -15,6 +15,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/libregraph/idm/pkg/ldapdn"
 	libregraph "github.com/opencloud-eu/libre-graph-api-go"
+	ctxpkg "github.com/opencloud-eu/reva/v2/pkg/ctx"
 
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/config"
@@ -80,6 +81,7 @@ type LDAP struct {
 type userAttributeMap struct {
 	displayName    string
 	id             string
+	tenantId       string
 	mail           string
 	userName       string
 	givenName      string
@@ -115,6 +117,7 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger) (*LD
 	uam := userAttributeMap{
 		displayName:    config.UserDisplayNameAttribute,
 		id:             config.UserIDAttribute,
+		tenantId:       config.UserTenantIDAttribute,
 		mail:           config.UserEmailAttribute,
 		userName:       config.UserNameAttribute,
 		accountEnabled: config.UserEnabledAttribute,
@@ -614,7 +617,17 @@ func (i *LDAP) FilterUsers(ctx context.Context, oreq *godata.GoDataRequest, filt
 			i.userAttributeMap.displayName, search,
 		)
 	}
-	userFilter = fmt.Sprintf("(&%s(objectClass=%s)%s%s)", i.userFilter, i.userObjectClass, queryFilter, userFilter)
+
+	// apply tenant filter if applicable
+	var tenantFilter string
+	if i.userAttributeMap.tenantId != "" {
+		currentUser, ok := ctxpkg.ContextGetUser(ctx)
+		if ok && currentUser.Id.GetTenantId() != "" {
+			tenantFilter = fmt.Sprintf("(%s=%s)", i.userAttributeMap.tenantId, ldap.EscapeFilter(currentUser.Id.GetTenantId()))
+		}
+	}
+
+	userFilter = fmt.Sprintf("(&%s(objectClass=%s)%s%s%s)", i.userFilter, i.userObjectClass, queryFilter, userFilter, tenantFilter)
 	searchRequest := ldap.NewSearchRequest(
 		i.userBaseDN, i.userScope, ldap.NeverDerefAliases, 0, 0, false,
 		userFilter,

services/idm/ldif/base.ldif.tmpl

@@ -31,6 +31,7 @@ displayName: Admin
 description: An admin for this OpenCloud instance.
 mail: admin@example.org
 openCloudUUID: {{ .ID }}
+openCloudTenantId: {{ .TenantID }}
 openCloudExternalIdentity:  $ {{ .Issuer }} $ {{ .ID }}
 {{ else -}}
 dn: uid={{ .Name }},ou=sysusers,o=libregraph-idm

services/idm/ldif/demousers.ldif.tmpl

@@ -15,6 +15,7 @@ mail: alan@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: b1f74ec4-dd7e-11ef-a543-03775734d0f7
 openCloudExternalIdentity:  $ {{.}} $ b1f74ec4-dd7e-11ef-a543-03775734d0f7
+openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 
 dn: uid=lynn,ou=users,o=libregraph-idm
@@ -34,6 +35,7 @@ mail: lynn@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: 60708dda-e897-11ef-919f-bbb7437d6ec2
 openCloudExternalIdentity:  $ {{.}} $ 60708dda-e897-11ef-919f-bbb7437d6ec2
+openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 
 dn: uid=mary,ou=users,o=libregraph-idm
@@ -53,6 +55,7 @@ mail: mary@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: 056fc874-dd7f-11ef-ba84-af6fca4b7289
 openCloudExternalIdentity:  $ {{.}} $ 056fc874-dd7f-11ef-ba84-af6fca4b7289
+openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 
 dn: uid=margaret,ou=users,o=libregraph-idm
@@ -72,6 +75,7 @@ mail: margaret@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: 801abee4-dd7f-11ef-a324-83f55a754b62
 openCloudExternalIdentity:  $ {{.}} $ 801abee4-dd7f-11ef-a324-83f55a754b62
+openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 
 dn: uid=dennis,ou=users,o=libregraph-idm
@@ -91,6 +95,7 @@ mail: dennis@example.org
 openCloudUserEnabled: TRUE
 openCloudUUID: cd88bf9a-dd7f-11ef-a609-7f78deb2345f
 openCloudExternalIdentity:  $ {{.}} $ cd88bf9a-dd7f-11ef-a609-7f78deb2345f
+openCloudTenantId: cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b
 userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
 
 dn: cn=users,ou=groups,o=libregraph-idm

services/idm/pkg/command/server.go

@@ -132,6 +132,7 @@ func bootstrap(logger log.Logger, cfg *config.Config, srvcfg server.Config) erro
 		Name     string
 		Password string
 		ID       string
+		TenantID string
 		Issuer   string
 	}
 
@@ -151,12 +152,16 @@ func bootstrap(logger log.Logger, cfg *config.Config, srvcfg server.Config) erro
 	}
 
 	if cfg.AdminUserID != "" {
-		serviceUsers = append(serviceUsers, svcUser{
+		adminUser := svcUser{
 			Name:     "admin",
 			Password: cfg.ServiceUserPasswords.OCAdmin,
 			ID:       cfg.AdminUserID,
 			Issuer:   cfg.DemoUsersIssuerUrl,
-		})
+		}
+		if cfg.CreateDemoUsers {
+			adminUser.TenantID = "cd22ea13-f6b4-4f5f-a2c2-69b5a0f07a8b"
+		}
+		serviceUsers = append(serviceUsers, adminUser)
 	}
 
 	bdb := &ldbbolt.LdbBolt{}

services/users/pkg/config/config.go

@@ -86,6 +86,7 @@ type LDAPDriver struct {
 
 type LDAPUserSchema struct {
 	ID              string `yaml:"id" env:"OC_LDAP_USER_SCHEMA_ID;USERS_LDAP_USER_SCHEMA_ID" desc:"LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID." introductionVersion:"1.0.0"`
+	TenantID        string `yaml:"tenant_id" env:"OC_LDAP_USER_SCHEMA_TENANT_ID;USERS_LDAP_USER_SCHEMA_TENANT_ID" desc:"LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment." introductionVersion:"%%NEXT%%"`
 	IDIsOctetString bool   `yaml:"id_is_octet_string" env:"OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING" desc:"Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's." introductionVersion:"1.0.0"`
 	Mail            string `yaml:"mail" env:"OC_LDAP_USER_SCHEMA_MAIL;USERS_LDAP_USER_SCHEMA_MAIL" desc:"LDAP Attribute to use for the email address of users." introductionVersion:"1.0.0"`
 	DisplayName     string `yaml:"display_name" env:"OC_LDAP_USER_SCHEMA_DISPLAYNAME;USERS_LDAP_USER_SCHEMA_DISPLAYNAME" desc:"LDAP Attribute to use for the displayname of users." introductionVersion:"1.0.0"`

services/users/pkg/revaconfig/config.go

@@ -79,6 +79,7 @@ func ldapConfigFromString(cfg config.LDAPDriver) map[string]interface{} {
 		"idp":                        cfg.IDP,
 		"user_schema": map[string]interface{}{
 			"id":              cfg.UserSchema.ID,
+			"tenantId":        cfg.UserSchema.TenantID,
 			"idIsOctetString": cfg.UserSchema.IDIsOctetString,
 			"mail":            cfg.UserSchema.Mail,
 			"displayName":     cfg.UserSchema.DisplayName,