Bug
When IDM_SVC_PASSWORD is set as an env var during opencloud init, the value is written to IDM's bolt-store for the libregraph system user — but opencloud.yaml is populated with a separate, randomly generated value in both graph.identity.ldap.bind_password and idm.service_user_passwords.idm_password. Services read from the yaml; IDM compares to the bolt store; bind fails.
User-visible symptom: web login appears to succeed (admin password works against IDM), then the SPA lands on "Not logged in" because the graph service's post-auth profile lookup fails with LDAP Result Code 49 "Invalid Credentials" binding as uid=libregraph,ou=sysusers,o=libregraph-idm.
Reproduce
- Fresh install of opencloudeu/opencloud-rolling:latest (verified on the image pulled 2026-05-18).
- Compose with IDM_ADMIN_PASSWORD, IDM_SVC_PASSWORD, IDP_ADMIN_PASSWORD, OC_ADMIN_PASSWORD all set to known values via env. opencloud init runs at first boot.
- From inside the container, bind as uid=libregraph,ou=sysusers,o=libregraph-idm with the value from IDM_SVC_PASSWORD env → succeeds.
- Bind as the same DN with the value from opencloud.yaml's graph.identity.ldap.bind_password → fails with LDAP Result Code 49 "Invalid Credentials".
Expected
All three IDM_* env vars should be written consistently to both the bolt store and the generated yaml, the way IDM_ADMIN_PASSWORD is. (Verified IDM_ADMIN_PASSWORD works correctly; IDP_ADMIN_PASSWORD appears to be ignored on the env side but stays self-consistent because IDM takes the yaml's random.)
Observed yaml/IDM cross-table (one install)

| env var | applied to IDM | applied to yaml | consistent? |
|---|---|---|---|
| IDM_ADMIN_PASSWORD | yes | yes | ✓ |
| IDM_SVC_PASSWORD | yes | no — yaml gets random | ✗ |
| IDP_ADMIN_PASSWORD | no — env ignored; bolt gets yaml's random | random | ✓ (env was a no-op) |
Workaround
Don't set IDM_SVC_PASSWORD (or the related IDM_*SVC_PASSWORD family) via env. Let init generate, then read the resulting password back from opencloud.yaml for storage in a secret manager.
To recover an already-broken install: patch graph.identity.ldap.bind_password and idm.service_user_passwords.idm_password in opencloud.yaml so both equal whatever value was in IDM_SVC_PASSWORD when init ran (or whatever IDM has stored — confirmed by a successful LDAP bind), then restart.
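The reproduce steps above compare the same DN against two candidate passwords, and the recovery step rewrites two yaml keys by hand. The script below is an added example (not OpenCloud's own code) that automates both halves: it reads the two yaml keys the report names, compares them with the IDM_SVC_PASSWORD value that was in effect at init, and can rewrite both keys in place to the value IDM actually holds. It assumes the relevant part of opencloud.yaml is plain nested mappings and uses a small parser of its own instead of PyYAML; the SAMPLE_YAML is constructed for illustration and contains only the two keys from the report.

```python
"""Consistency check and in-place fix for the libregraph service-user
password after `opencloud init` (added example, not OpenCloud code).

Three copies must agree: the IDM_SVC_PASSWORD env var seen by init (what
IDM stored in its bolt store), graph.identity.ldap.bind_password and
idm.service_user_passwords.idm_password in opencloud.yaml.
"""
import json
import os
import sys

# The two yaml keys named in the report.
YAML_PASSWORD_KEYS = (
    "graph.identity.ldap.bind_password",
    "idm.service_user_passwords.idm_password",
)


def parse_simple_yaml(text):
    """Parse the indent-based 'key: value' mapping subset of YAML.

    Assumption: the section we care about is plain nested mappings; lists,
    anchors and multi-line scalars are out of scope for this check.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the enclosing mappings
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        value = value.strip().strip("'\"")
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(tree, dotted):
    """Walk a dotted path such as graph.identity.ldap.bind_password."""
    node = tree
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_service_password(yaml_text, env_value=None):
    """Report whether every known copy of the service password agrees.

    env_value is the IDM_SVC_PASSWORD exported when init ran; pass None if
    it was not set (init then generated the value itself).
    """
    tree = parse_simple_yaml(yaml_text)
    values = {key: lookup(tree, key) for key in YAML_PASSWORD_KEYS}
    if env_value is not None:
        values["env:IDM_SVC_PASSWORD"] = env_value
    distinct = {v for v in values.values() if v is not None}
    return {
        "values": values,
        "missing": [k for k, v in values.items() if v is None],
        "consistent": len(distinct) == 1,
    }


def patch_service_password(yaml_text, new_value, keys=YAML_PASSWORD_KEYS):
    """Rewrite the password keys in place, leaving every other line untouched.

    This is the report's recovery step: set both yaml keys to the value IDM
    actually holds (the IDM_SVC_PASSWORD in effect at init time).
    """
    out = []
    stack = []  # (indent, key) giving the dotted path of the current line
    for raw in yaml_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            out.append(raw)
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key = stripped.partition(":")[0]
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if ".".join(k for _, k in stack) in keys:
            # json.dumps yields a valid double-quoted YAML scalar.
            out.append(" " * indent + key + ": " + json.dumps(new_value))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample, not a real opencloud.yaml: the shape the report
# describes, with both keys holding init's random value.
SAMPLE_YAML = """\
graph:
  identity:
    ldap:
      bind_password: rand0m-Ab12
idm:
  service_user_passwords:
    idm_password: rand0m-Ab12
"""


if __name__ == "__main__":
    # Usage: IDM_SVC_PASSWORD=... python check.py /path/to/opencloud.yaml [--fix]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_YAML
    env_value = os.environ.get("IDM_SVC_PASSWORD")
    report = check_service_password(text, env_value)
    # Secrets stay out of the log: only the verdict and missing keys are shown.
    print(json.dumps({k: report[k] for k in ("consistent", "missing")}))
    if not report["consistent"] and env_value and "--fix" in sys.argv and path:
        with open(path, "w") as fh:
            fh.write(patch_service_password(text, env_value))
        print("patched", path)
```

Run it with the IDM_SVC_PASSWORD that was exported at first boot; a consistent result means the yaml already matches the env value, an inconsistent one is the bug in the report. Before writing with --fix, confirm that the env value is really what IDM stored by doing the simple bind from the reproduce steps (for example ldapwhoami -H <IDM ldaps URI> -D uid=libregraph,ou=sysusers,o=libregraph-idm -W), since the script only reconciles the yaml with whatever value you give it.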
Environment
- Image: opencloudeu/opencloud-rolling:latest (pulled ~2026-05-18)
- Deployment: docker-compose, single container, single-node
  - STORAGE_USERS_BACKEND: ocis
  - OC_URL: https://docs.onesource.cloud (TLS terminated by upstream Caddy)
  - init: true, user: "568:568" (host UID match), no other unusual flags