Configure Seafile to use LDAP¶
Note: This documentation is for the Community Edition. If you're using Pro Edition, please refer to the Seafile Pro documentation.
How does LDAP User Management work in Seafile¶
When Seafile is integrated with LDAP, users in the system can be divided into two tiers:
-
Users within Seafile's internal user database. Some attributes are attached to these users, such as whether it's a system admin user, whether it's activated.
-
Users in LDAP server. These are all the intended users of Seafile inside the LDAP server. Seafile doesn't manipulate these users directly. It has to import them into its internal database before setting attributes on them.
When Seafile counts the number of users in the system, it only counts the activated users in its internal database.
Basic LDAP Integration¶
The only requirement for Seafile to use LDAP for authentication is that there must be a unique identifier for each user in the LDAP server. This id should also be user-friendly as the users will use it as username when login. Below are some usual options for this unique identifier:
- Email address: this is the most common choice. Most organizations assign unique email address for each member.
- UserPrincipalName: this is a user attribute only available in Active Directory. It's format is
user-login-name@domain-name, e.g.john@example.com. It's not a real email address, but it works fine as the unique identifier.
Note, the identifier is stored in table social_auth_usersocialauth to map the identifier to internal user ID in Seafile. When this ID is changed in LDAP for a user, you only need to update social_auth_usersocialauth table.
Basic configuration items¶
Add the following options to seahub_settings.py. Examples are as follows:
ENABLE_LDAP = True
LDAP_SERVER_URL = 'ldap://192.168.0.1' # The URL of LDAP server
LDAP_BASE_DN = 'ou=test,dc=seafile,dc=ren' # The root node of users who can
# log in to Seafile in the LDAP server
LDAP_ADMIN_DN = 'administrator@example.com' # DN of the administrator used
# to query the LDAP server for information.
# For OpenLDAP, it maybe cn=admin,dc=example,dc=com
LDAP_ADMIN_PASSWORD = 'yourpassword' # Password of LDAP_ADMIN_DN
LDAP_PROVIDER = 'ldap' # Identify the source of the user, used in
# the table social_auth_usersocialauth, defaults to 'ldap'
LDAP_LOGIN_ATTR = 'userPrincipalName' # User's attribute used to log in to Seafile.
# It should be a unique identifier for the user in LDAP server.
# Learn more about this id from the descriptions at begining of this section.
LDAP_CONTACT_EMAIL_ATTR = '' # LDAP user's contact_email attribute
LDAP_USER_ROLE_ATTR = '' # LDAP user's role attribute
LDAP_USER_FIRST_NAME_ATTR = 'givenName' # For sync user's first name
LDAP_USER_LAST_NAME_ATTR = 'sn' # For sync user's last name
LDAP_USER_NAME_REVERSE = False # Whether to reverse the user's first and last name
LDAP_FILTER = 'memberOf=CN=testgroup,OU=test,DC=seafile,DC=ren' # Additional filter conditions,
# users who meet the filter conditions can log in, otherwise they cannot log in
Tips for choosing LDAP_BASE_DN and LDAP_ADMIN_DN:
-
To determine the
LDAP_BASE_DN, you first have to navigate your organization hierachy on the domain controller GUI.-
If you want to allow all users to use Seafile, you can use
cn=users,dc=yourdomain,dc=comasLDAP_BASE_DN(with proper adjustment for your own needs). -
If you want to limit users to a certain OU (Organization Unit), you run
dsquerycommand on the domain controller to find out the DN for this OU. For example, if the OU isstaffs, you can rundsquery ou -name staff. More information can be found here.
-
-
AD supports
user@domain.nameformat for theLDAP_ADMIN_DNoption. For example you can use administrator@example.com forLDAP_ADMIN_DN. Sometime the domain controller doesn't recognize this format. You can still usedsquerycommand to find out user's DN. For example, if the user name is 'seafileuser', rundsquery user -name seafileuser. More information here.
Advanced LDAP Integration Options¶
Multiple BASE¶
Multiple base DN is useful when your company has more than one OUs to use Seafile. You can specify a list of base DN in the LDAP_BASE_DN option. The DNs are separated by ";", e.g.
LDAP_BASE_DN = 'ou=developers,dc=example,dc=com;ou=marketing,dc=example,dc=com'
Additional Search Filter¶
Search filter is very useful when you have a large organization but only a portion of people want to use Seafile. The filter can be given by setting LDAP_FILTER option. The value of this option follows standard LDAP search filter syntax (https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx).
The final filter used for searching for users is (&($LOGIN_ATTR=*)($LDAP_FILTER)). $LOGIN_ATTR and $LDAP_FILTER will be replaced by your option values.
For example, add below option to seahub_settings.py:
LDAP_FILTER = 'memberOf=CN=group,CN=developers,DC=example,DC=com'
The final search filter would be (&(mail=*)(memberOf=CN=group,CN=developers,DC=example,DC=com))
Note that the case of attribute names in the above example is significant. The memberOf attribute is only available in Active Directory.
Limiting Seafile Users to a Group in Active Directory¶
You can use the LDAP_FILTER option to limit user scope to a certain AD group.
-
First, you should find out the DN for the group. Again, we'll use the
dsquerycommand on the domain controller. For example, if group name is 'seafilegroup', rundsquery group -name seafilegroup. -
Add below option to
seahub_settings.py:
LDAP_FILTER = 'memberOf={output of dsquery command}'
Using TLS connection to LDAP server¶
If your LDAP service supports TLS connections, you can configure LDAP_SERVER_URL as the access address of the ldaps protocol to use TLS to connect to the LDAP service, for example:
LDAP_SERVER_URL = 'ldaps://192.168.0.1:636/'