“Hybrid” Settings in User Management
ownCloud customers that integrate their own user management into ownCloud with a backend like LDAP or OpenID can now use only certain fields from the central identity management, while fields that are ownCloud-specific can be managed in the ownCloud user management. Admins can define fields that are not changeable through the admin frontend (i.e. the information in these fields will always come from the backend).
Even though an LDAP/OID provider may provide all necessary information for ownCloud user management, some fields may be “overridden” by local settings; others are necessary, but may not exist in the external authentication backend – like the ownCloud user’s or group’s quota or settings that are individual for Spaces. Check the administration documentation for further details on OpenID Connect (OIDC), the connector used by ownCloud.
In ownCloud, a tiny “lock” symbol in the panel on the right indicates fields whose content cannot be changed by the local administrator, since they are acquired from the authentication backend (e.g. LDAP or OIDC). Figure 1 shows this for user management.
Apart from that, the developers added many other features, including extended batch mode in ownCloud’s user and group administration (Figure 2) and an “Edit Login” button on top that allows easy access to the new features – like removing permission to log in from a user’s account. Especially when combining the new filter interface with batch mode and the new per-user settings, administrators may save a lot of time in daily work.
Those new filter options make it easier to find users and edit several accounts at the same time. Figure 2 shows the suggestions an administrator is given after he has used filters to find two particular users because he wants to deactivate their accounts. Thanks to batch mode, he can do that with a few mouse clicks.
New side panel for group members
Answering a wish often voiced by customers and users, ownCloud developers added a new side panel that shows all members of a group (Figure 3). Administrators can now more easily access a list of group members and batch edit it.
Administrators using identity providers like OpenID Connect will know that a logout on the client has to be followed by a logout of the user account on all connected servers and services. Because OpenID servers accomplish this transparently in the backend, the technical term is “OpenID backchannel logout”. ownCloud developers integrated that in ownCloud; Figure 4 shows how it works.
Administrators can configure backchannel logout in ownCloud with the GUI of Keycloak (Figure 5).
A logout on a client like ownCloud that is connected through Single-Sign-On (SSO) will now also log the user out of all other sessions that the client is connected to.
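The receiving side of a backchannel logout, as an added example that is not ownCloud's or Keycloak's code: it checks the claims that the OpenID Connect Back-Channel Logout 1.0 specification defines for a logout token and then ends the matching sessions. The token signature is assumed to have been verified already by a JWT library against the identity provider's keys; the function names, the in-memory session store, the 120-second freshness window and the sample values are assumptions made for this illustration.

```python
import time

# Event type defined by OpenID Connect Back-Channel Logout 1.0.
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

class LogoutTokenError(ValueError):
    """Raised when a logout token must be rejected."""

def validate_logout_claims(claims, issuer, client_id, seen_jti, now=None, max_age=120):
    """Check the claims of a logout token whose signature is already verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise LogoutTokenError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise LogoutTokenError("missing or stale iat")  # local freshness policy
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise LogoutTokenError("not a back-channel logout event")
    if "nonce" in claims:  # forbidden, so an ID token cannot be replayed as a logout token
        raise LogoutTokenError("nonce present: looks like an ID token")
    if not claims.get("sub") and not claims.get("sid"):
        raise LogoutTokenError("neither sub nor sid present")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise LogoutTokenError("missing or replayed jti")
    seen_jti.add(jti)
    return claims.get("sub"), claims.get("sid")

def end_sessions(sessions, sub, sid):
    """Remove the session named by sid, or all of sub's sessions if no sid is given."""
    doomed = [key for key, s in sessions.items()
              if (sid and s["sid"] == sid) or (not sid and s["sub"] == sub)]
    for key in doomed:
        del sessions[key]
    return sorted(doomed)

if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    sessions = {"c1": {"sub": "alice", "sid": "s-1"},
                "c2": {"sub": "alice", "sid": "s-2"}}
    claims = {"iss": "https://idp.example", "aud": "owncloud-demo", "iat": time.time(),
              "jti": "j1", "sid": "s-1", "events": {LOGOUT_EVENT: {}}}
    sub, sid = validate_logout_claims(claims, "https://idp.example", "owncloud-demo", set())
    print(end_sessions(sessions, sub, sid))
```

A token that carries only `sub` ends every session of that user, while one with `sid` ends just the session the identity provider named.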