8 changes: 4 additions & 4 deletions docs/_static/env-vars/frontend_configvars.md
@@ -1,5 +1,5 @@

2026-03-30-00-05-56
2026-04-12-00-06-26

# Deprecation Notice

Expand Down Expand Up @@ -88,13 +88,13 @@ Environment variables for the **frontend** service
|`OCDAV_OCM_NAMESPACE`<br/>`FRONTENT_OCDAV_OCM_NAMESPACE`| 1.0.0 |string|`The human readable path prefix for the ocm shares.`|`/public`|
|`OC_URL`<br/>`OCDAV_PUBLIC_URL`<br/>`FRONTENT_OCDAV_PUBLIC_URL`| 1.0.0 |string|`URL where OpenCloud is reachable for users.`|`https://localhost:9200`|
|`OC_INSECURE`<br/>`OCDAV_INSECURE`<br/>`FRONTENT_OCDAV_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the GATEWAY service.`|`false`|
|`OCDAV_ENABLE_HTTP_TPC`<br/>`FRONTENT_OCDAV_ENABLE_HTTP_TPC`| next |bool|`Enable HTTP / WebDAV Third-Party-Copy support.`|`false`|
|`OCDAV_ENABLE_HTTP_TPC`<br/>`FRONTENT_OCDAV_ENABLE_HTTP_TPC`| 6.0.0 |bool|`Enable HTTP / WebDAV Third-Party-Copy support.`|`false`|
|`OCDAV_GATEWAY_REQUEST_TIME`<br/>`FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|`84300`|
|`OC_MACHINE_AUTH_API_KEY`<br/>`OCDAV_MACHINE_AUTH_API_KEY`<br/>`FRONTENT_OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``|
|`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`<br/>`FRONTENT_OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|`false`|
|`OCDAV_NAME_VALIDATION_INVALID_CHARS`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| next |[]string|`List of characters that are not allowed in file or folder names.`|`[
|`OCDAV_NAME_VALIDATION_INVALID_CHARS`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| 6.0.0 |[]string|`List of characters that are not allowed in file or folder names.`|`[
\]`|
|`OCDAV_NAME_VALIDATION_MAX_LENGTH`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| next |int|`Max length of file or folder names.`|`255`|
|`OCDAV_NAME_VALIDATION_MAX_LENGTH`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| 6.0.0 |int|`Max length of file or folder names.`|`255`|
|`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|`A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.`|`[sha1 md5 adler32]`|
|`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|`The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.`|`sha1`|
|`FRONTEND_READONLY_USER_ATTRIBUTES`| 1.0.0 |[]string|`A list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.memberOf' (groups), 'user.accountEnabled' (login allowed), 'drive.quota' (quota). See the Environment Variable Types description for more details.`|`[]`|
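Review bot: The three rows stamped `6.0.0` in this hunk (`OCDAV_ENABLE_HTTP_TPC`, `OCDAV_NAME_VALIDATION_INVALID_CHARS`, `OCDAV_NAME_VALIDATION_MAX_LENGTH`) each list a service-scoped alias spelled `FRONTENT_OCDAV_...`, which looks like a misspelling of `FRONTEND_`, the prefix used by the rows further down (`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`). Moving these rows from `next` to a release number makes that spelling part of the documented interface, so it should be corrected where the names are defined before this lands, or the old spelling kept only as a deprecated alias. The unchanged `OCDAV_GATEWAY_REQUEST_TIME` / `FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT` row has the same prefix problem, and its two names do not agree on the suffix either. Separately, the default value of `OCDAV_NAME_VALIDATION_INVALID_CHARS` is split over two lines as shown here (`[` followed by `\]`), which breaks the table row; the list should be rendered on one line with its characters escaped.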
82 changes: 41 additions & 41 deletions docs/_static/env-vars/global_configvars.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion docs/_static/env-vars/ocm_configvars.md
Expand Up @@ -35,7 +35,7 @@ Environment variables for the **ocm** service
|`OCM_MESH_DIRECTORY_URL`| 1.0.0 |string|`URL of the mesh directory service.`|``|
|`OCM_DIRECTORY_SERVICE_URLS`| 3.5.0 |string|`Space delimited URLs of the directory services.`|``|
|`OCM_INVITE_ACCEPT_DIALOG`| 3.5.0 |string|`/open-cloud-mesh/accept-invite;The frontend URL where to land when receiving an invitation`|`/open-cloud-mesh/accept-invite`|
|`OC_INSECURE`<br/>`OCM_CLIENT_INSECURE`| next |bool|`Dev-only. Disable TLS verification for the OCM discovery client (directory fetch and provider discovery). Does not affect OCM invite manager, storage provider, or share provider. Do not set in production.`|`false`|
|`OC_INSECURE`<br/>`OCM_CLIENT_INSECURE`| 6.0.0 |bool|`Dev-only. Disable TLS verification for the OCM discovery client (directory fetch and provider discovery). Does not affect OCM invite manager, storage provider, or share provider. Do not set in production.`|`false`|
|`OCM_OCM_INVITE_MANAGER_DRIVER`| 1.0.0 |string|`Driver to be used to persist OCM invites. Supported value is only 'json'.`|`json`|
|`OCM_OCM_INVITE_MANAGER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM invite data will be stored. This file is maintained by the instance and must not be changed manually. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/ocm.`|`/root/.opencloud/storage/ocm/ocminvites.json`|
|`OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION`| 1.0.0 |Duration|`Expiry duration for invite tokens.`|`24h0m0s`|
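Review bot: On the `OC_INSECURE` / `OCM_CLIENT_INSECURE` row, the description calls the switch dev-only and scoped to the OCM discovery client, but the first name listed is the global `OC_INSECURE`, which the frontend and webfinger tables in this same PR also bind to their own insecure options. Going by this row, an operator who sets `OC_INSECURE=true` for some other service also turns off TLS verification for the directory fetch and provider discovery. Suggest saying so in the description, or dropping the global alias so that only `OCM_CLIENT_INSECURE` controls it, before the row is stamped `6.0.0`.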
2 changes: 2 additions & 0 deletions docs/_static/env-vars/proxy.yaml
Expand Up @@ -213,6 +213,8 @@ pre_signed_url:
account_backend: cs3
user_oidc_claim: preferred_username
user_cs3_claim: username
tenant_oidc_claim: ""
tenant_id_mapping_enabled: false
machine_auth_api_key: ""
auto_provision_accounts: false
auto_provision_claims:
2 changes: 2 additions & 0 deletions docs/_static/env-vars/proxy_configvars.md
Expand Up @@ -46,6 +46,8 @@ Environment variables for the **proxy** service
|`PROXY_ACCOUNT_BACKEND_TYPE`| 1.0.0 |string|`Account backend the PROXY service should use. Currently only 'cs3' is possible here.`|`cs3`|
|`PROXY_USER_OIDC_CLAIM`| 1.0.0 |string|`The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim.`|`preferred_username`|
|`PROXY_USER_CS3_CLAIM`| 1.0.0 |string|`The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'.`|`username`|
|`PROXY_TENANT_OIDC_CLAIM`| next |string|`JMESPath expression to extract the tenant ID from the OIDC token claims. When set, the extracted value is verified against the tenant ID returned by the user backend, rejecting requests where they do not match. Only relevant when multi-tenancy is enabled.`|``|
|`PROXY_TENANT_ID_MAPPING_ENABLED`| next |bool|`When set to 'true', the proxy will resolve the internal tenant ID from the external tenant ID provided in the OIDC claims by calling the TenantAPI before verifying the tenant. Use this when the external tenant ID in the OIDC token differs from the internal tenant ID stored on the user. Requires 'tenant_oidc_claim' to be set. Only relevant when multi-tenancy is enabled.`|`false`|
|`OC_MACHINE_AUTH_API_KEY`<br/>`PROXY_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary to access resources from other services.`|``|
|`PROXY_AUTOPROVISION_ACCOUNTS`| 1.0.0 |bool|`Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running.`|`false`|
|`PROXY_AUTOPROVISION_CLAIM_USERNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the username.`|`preferred_username`|
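Review bot: The `PROXY_TENANT_OIDC_CLAIM` description says a request is rejected when the extracted tenant ID and the backend tenant ID do not match, but it does not say what happens when the JMESPath expression matches nothing or yields a non-string value. For a tenant isolation check that case should be documented, and it should be a rejection rather than a skipped check. Likewise `PROXY_TENANT_ID_MAPPING_ENABLED` states "Requires 'tenant_oidc_claim' to be set" without saying whether enabling it with the claim empty fails at startup or is silently ignored, or what the proxy does when the TenantAPI lookup fails. Both rows are also introduced as `next` while the rest of this PR replaces `next` with `6.0.0`; if they ship in 6.0.0 the version column should say so.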
2 changes: 1 addition & 1 deletion docs/_static/env-vars/storage-users_configvars.md
@@ -1,5 +1,5 @@

2026-03-30-00-05-56
2026-04-12-00-06-26

# Deprecation Notice

8 changes: 8 additions & 0 deletions docs/_static/env-vars/users.yaml
Expand Up @@ -29,6 +29,14 @@ drivers:
bind_password: ""
user_base_dn: ou=users,o=libregraph-idm
group_base_dn: ou=groups,o=libregraph-idm
tenant_base_dn: ""
tenant_scope: sub
tenant_filter: ""
tenant_object_class: ""
tenant_schema:
id: ""
external_id: ""
name: ""
user_scope: sub
group_scope: sub
user_substring_filter_type: any
7 changes: 7 additions & 0 deletions docs/_static/env-vars/users_configvars.md
Expand Up @@ -22,6 +22,13 @@ Environment variables for the **users** service
|`OC_LDAP_BIND_PASSWORD`<br/>`USERS_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``|
|`OC_LDAP_USER_BASE_DN`<br/>`USERS_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`|
|`OC_LDAP_GROUP_BASE_DN`<br/>`USERS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`|
|`OC_LDAP_TENANT_BASE_DN`<br/>`USERS_LDAP_TENANT_BASE_DN`| next |string|`Search base DN for looking up LDAP tenants. Only relevant in multi-tenant setups.`|``|
|`OC_LDAP_TENANT_SCOPE`<br/>`USERS_LDAP_TENANT_SCOPE`| next |string|`LDAP search scope to use when looking up tenants. Supported values are 'base', 'one' and 'sub'. Only relevant in multi-tenant setups.`|`sub`|
|`OC_LDAP_TENANT_FILTER`<br/>`USERS_LDAP_TENANT_FILTER`| next |string|`LDAP filter to add to the default filters for tenant searches. Only relevant in multi-tenant setups.`|``|
|`OC_LDAP_TENANT_OBJECTCLASS`<br/>`USERS_LDAP_TENANT_OBJECTCLASS`| next |string|`The object class to use for tenants in the default tenant search filter. Only relevant in multi-tenant setups.`|``|
|`OC_LDAP_TENANT_SCHEMA_ID`<br/>`USERS_LDAP_TENANT_SCHEMA_ID`| next |string|`LDAP Attribute to use as the unique internal ID for tenants. Only relevant in multi-tenant setups.`|``|
|`OC_LDAP_TENANT_SCHEMA_EXTERNAL_ID`<br/>`USERS_LDAP_TENANT_SCHEMA_EXTERNAL_ID`| next |string|`LDAP Attribute that holds the external tenant ID as it appears in OIDC claims. Only relevant in multi-tenant setups.`|``|
|`OC_LDAP_TENANT_SCHEMA_NAME`<br/>`USERS_LDAP_TENANT_SCHEMA_NAME`| next |string|`LDAP Attribute to use for the human-readable name of a tenant. Only relevant in multi-tenant setups.`|``|
|`OC_LDAP_USER_SCOPE`<br/>`USERS_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.`|`sub`|
|`OC_LDAP_GROUP_SCOPE`<br/>`USERS_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.`|`sub`|
|`LDAP_USER_SUBSTRING_FILTER_TYPE`<br/>`USERS_LDAP_USER_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|`Type of substring search filter to use for substring searches for users. Possible values: 'initial' for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches`|`any`|
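Review bot: The seven new `*_LDAP_TENANT_*` rows say only "Only relevant in multi-tenant setups" and, apart from the scope, all default to an empty string, so the table does not tell an operator which of them must be set once multi-tenancy is on. `OC_LDAP_TENANT_BASE_DN`, `OC_LDAP_TENANT_OBJECTCLASS` and `OC_LDAP_TENANT_SCHEMA_ID` look necessary for a tenant search to work at all, and `OC_LDAP_TENANT_SCHEMA_EXTERNAL_ID` appears to be the attribute the proxy's `PROXY_TENANT_ID_MAPPING_ENABLED` lookup relies on. Please mark the required ones in their descriptions and state what the users service does when one of them is empty in a multi-tenant deployment (refuse to start, or return no tenant).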
16 changes: 8 additions & 8 deletions docs/_static/env-vars/webfinger_configvars.md
Expand Up @@ -18,13 +18,13 @@ Environment variables for the **webfinger** service
|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``|
|`WEBFINGER_RELATIONS`| 1.0.0 |[]string|`A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details.`|`[http://openid.net/specs/connect/1.0/issuer http://webfinger.opencloud/rel/server-instance]`|
|`OC_URL`<br/>`OC_OIDC_ISSUER`<br/>`WEBFINGER_OIDC_ISSUER`| 1.0.0 |string|`The identity provider href for the openid-discovery relation.`|`https://localhost:9200`|
|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_ANDROID_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for Android app.`|`OpenCloudAndroid`|
|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the Android app should request.`|`[openid profile email offline_access]`|
|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_DESKTOP_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for the OpenCloud desktop application.`|`OpenCloudDesktop`|
|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the OpenCloud desktop application should request.`|`[openid profile email offline_access]`|
|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_IOS_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for the IOS app.`|`OpenCloudIOS`|
|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_IOS_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the IOS app should request.`|`[openid profile email offline_access]`|
|`OC_OIDC_CLIENT_ID`<br/>`WEB_OIDC_CLIENT_ID`<br/>`WEBFINGER_WEB_OIDC_CLIENT_ID`| next |string|`The OIDC client ID for the OpenCloud web client. The 'WEB_OIDC_CLIENT_ID' setting is only here for backwards compatibility and will be remove in a future release.`|`web`|
|`OC_OIDC_CLIENT_SCOPES`<br/>`WEB_OIDC_SCOPE`<br/>`WEBFINGER_WEB_OIDC_CLIENT_SCOPES`| next |[]string|`The OIDC client scopes the OpenCloud web client should request. The 'WEB_OIDC_SCOPE' setting is only here for backwards compatibility and will be remove in a future release.`|`[openid profile email]`|
|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_ANDROID_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for Android app.`|`OpenCloudAndroid`|
|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the Android app should request.`|`[openid profile email offline_access]`|
|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_DESKTOP_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud desktop application.`|`OpenCloudDesktop`|
|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud desktop application should request.`|`[openid profile email offline_access]`|
|`OC_OIDC_CLIENT_ID`<br/>`WEBFINGER_IOS_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the IOS app.`|`OpenCloudIOS`|
|`OC_OIDC_CLIENT_SCOPES`<br/>`WEBFINGER_IOS_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the IOS app should request.`|`[openid profile email offline_access]`|
|`OC_OIDC_CLIENT_ID`<br/>`WEB_OIDC_CLIENT_ID`<br/>`WEBFINGER_WEB_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud web client. The 'WEB_OIDC_CLIENT_ID' setting is only here for backwards compatibility and will be remove in a future release.`|`web`|
|`OC_OIDC_CLIENT_SCOPES`<br/>`WEB_OIDC_SCOPE`<br/>`WEBFINGER_WEB_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud web client should request. The 'WEB_OIDC_SCOPE' setting is only here for backwards compatibility and will be remove in a future release.`|`[openid profile email]`|
|`OC_URL`<br/>`WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL`| 1.0.0 |string|`The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file.`|`https://localhost:9200`|
|`OC_INSECURE`<br/>`WEBFINGER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the WEBFINGER service.`|`false`|
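Review bot: In the eight rows moved to `6.0.0`, the global names `OC_OIDC_CLIENT_ID` and `OC_OIDC_CLIENT_SCOPES` are listed as aliases for four different per-client settings whose defaults differ (`OpenCloudAndroid`, `OpenCloudDesktop`, `OpenCloudIOS`, `web`; the web scopes omit `offline_access`). As documented, setting either global would give the Android, desktop, iOS and web clients the same client ID or scope list, which is unlikely to match what is registered at the identity provider. Suggest documenting that effect on each row or dropping the global alias from the per-client variables before the release number is fixed. Two wording nits in the same rows: "will be remove in a future release" should read "will be removed", and "IOS" should be "iOS".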