mirror of
https://github.com/haiwen/seafile-admin-docs.git
synced 2025-12-26 02:32:50 +00:00
Remove outdated files
This commit is contained in:
parent
15ec53ca02
commit
385e517702
@ -1,137 +0,0 @@
# Configure Seafile to use LDAP

Note: This documentation is for the Community Edition. If you're using Pro Edition, please refer to [the Seafile Pro documentation](../deploy_pro/using_ldap_pro.md).

For version 11.0, please follow the new document [LDAP in version 11.0](./ldap_in_11.0.md).

## How does LDAP User Management work in Seafile

When Seafile is integrated with LDAP/AD, users in the system can be divided into two tiers:

- Users within Seafile's internal user database. Some attributes are attached to these users, such as whether it's a system admin user, whether it's activated. This tier includes two types of users:
* Native users: these users are created by the admin on Seafile's system admin interface. These users are stored in the `EmailUser` table of the `ccnet` database.
* Users imported from LDAP/AD server: When a user in LDAP/AD logs into Seafile, its information will be imported from LDAP/AD server into Seafile's database. These users are stored in the `LDAPUsers` table of the `ccnet` database.
- Users in LDAP/AD server. These are all the intended users of Seafile inside the LDAP server. Seafile doesn't manipulate these users directly. It has to import them into its internal database before setting attributes on them.

When Seafile counts the number of users in the system, it only counts the **activated** users in its internal database.

When Seafile is integrated with LDAP/AD, it'll look up users from both the internal database and LDAP server. As long as the user exists in one of these two sources, they can log into the system.

## Basic LDAP/AD Integration

The only requirement for Seafile to use LDAP/AD for authentication is that there must be a unique identifier for each user in the LDAP/AD server. Seafile can only use email-address-format user identifiers. So there are usually only two options for this unique identifier:

- Email address: this is the most common choice. Most organizations assign unique email address for each member.
- UserPrincipalName: this is a user attribute only available in Active Directory. It's format is `user-login-name@domain-name`, e.g. `john@example.com`. It's not a real email address, but it works fine as the unique identifier.

### Connecting to Active Directory

To use AD to authenticate user, please add the following lines to ccnet.conf.

If you choose email address as unique identifier:

[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=users,dc=example,dc=com
USER_DN = administrator@example.local
PASSWORD = secret
LOGIN_ATTR = mail

If you choose UserPrincipalName as unique identifier:

[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=users,dc=example,dc=com
USER_DN = administrator@example.local
PASSWORD = secret
LOGIN_ATTR = userPrincipalName

Meaning of each config options:

* HOST: LDAP URL for the host. ldap://, ldaps:// and ldapi:// are supported. You can also include a port number in the URL, like ldap://ldap.example.com:389. To use TLS, you should configure the LDAP server to listen on LDAPS port and specify ldaps:// here. More details about TLS will be covered below.
* BASE: The root distinguished name (DN) to use when running queries against the directory server. **You cannot use the root DN (e.g. dc=example,dc=com) as BASE**.
* USER_DN: The distinguished name of the user that Seafile will use when connecting to the directory server. This user should have sufficient privilege to access all the nodes under BASE. It's recommended to use a user in the administrator group.
* PASSWORD: Password of the above user.
* LOGIN_ATTR: The attribute used for user's unique identifier. Use `mail` or `userPrincipalName`.

Tips for choosing BASE and USER_DN:

* To determine the BASE, you first have to navigate your organization hierachy on the domain controller GUI.
* If you want to allow all users to use Seafile, you can use 'cn=users,dc=yourdomain,dc=com' as BASE (with proper adjustment for your own needs).
* If you want to limit users to a certain OU (Organization Unit), you run `dsquery` command on the domain controller to find out the DN for this OU. For example, if the OU is 'staffs', you can run 'dsquery ou -name staff'. More information can be found [here](https://technet.microsoft.com/en-us/library/cc770509.aspx).
* AD supports 'user@domain.name' format for the USER_DN option. For example you can use administrator@example.com for USER_DN. Sometime the domain controller doesn't recognize this format. You can still use `dsquery` command to find out user's DN. For example, if the user name is 'seafileuser', run `dsquery user -name seafileuser`. More information [here](https://technet.microsoft.com/en-us/library/cc725702.aspx).

### Connecting to other LDAP servers

Please add the following options to ccnet.conf:

[LDAP]
HOST = ldap://192.168.1.123/
BASE = ou=users,dc=example,dc=com
USER_DN = cn=admin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail

The meaning of the options are the same as described in the previous section. With other LDAP servers, you can only use `mail` attribute as user's unique identifier.

## Advanced LDAP/AD Integration Options

### Multiple BASE

Multiple base DN is useful when your company has more than one OUs to use Seafile. You can specify a list of base DN in the "BASE" config. The DNs are separated by ";", e.g. `ou=developers,dc=example,dc=com;ou=marketing,dc=example,dc=com`

### Additional Search Filter

Search filter is very useful when you have a large organization but only a portion of people want to use Seafile. The filter can be given by setting "FILTER" config. The value of this option follows standard LDAP search filter syntax (https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx).

The final filter used for searching for users is `(&($LOGIN_ATTR=*)($FILTER))`. `$LOGIN_ATTR` and `$FILTER` will be replaced by your option values.

For example, add the following line to LDAP config:

```
FILTER = memberOf=CN=group,CN=developers,DC=example,DC=com
```

The final search filter would be `(&(mail=*)(memberOf=CN=group,CN=developers,DC=example,DC=com))`

Note that the case of attribute names in the above example is significant. The `memberOf` attribute is only available in Active Directory.

### Limiting Seafile Users to a Group in Active Directory

You can use the FILTER option to limit user scope to a certain AD group.

1. First, you should find out the DN for the group. Again, we'll use the `dsquery` command on the domain controller. For example, if group name is 'seafilegroup', run `dsquery group -name seafilegroup`.
2. Add the following line to LDAP config:

```
FILTER = memberOf={output of dsquery command}
```

### Using TLS connection to LDAP/AD server

To use a TLS connection to the directory server, you should install a valid SSL certificate on the directory server.

The current version of Seafile Linux server package is compiled on CentOS. We include the ldap client library in the package to maintain compatibility with older Linux distributions. But since different Linux distributions have different path or configuration for OpenSSL library, sometimes Seafile is unable to connect to the directory server with TLS.

The ldap library (libldap) bundled in the Seafile package is of version 2.4. If your Linux distribution is new enough (like CentOS 6, Debian 7 or Ubuntu 12.04 or above), you can use system's libldap instead.

On Ubuntu 14.04 and Debian 7/8, moving the bundled ldap related libraries out of the library path should make TLS connection work.

```
cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib
mkdir disabled_libs_use_local_ones_instead
mv liblber-2.4.so.2 libldap-2.4.so.2 libsasl2.so.2 libldap_r-2.4.so.2 disabled_libs_use_local_ones_instead/
```

On CentOS 6, you have to move the libnssutil library:

```
cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib
mkdir disabled_libs_use_local_ones_instead
mv libnssutil3.so disabled_libs_use_local_ones_instead/
```

This effectively removes the bundled libraries from the library search path.
When the server starts, it'll instead find and use the system libraries (if they are installed).
This change has to be repeated after each update of the Seafile installation.

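Review bot: the Community Edition LDAP page deleted in this hunk links to `../deploy_pro/using_ldap_pro.md`, and the Pro page with the matching heading is deleted later in the same commit, so any page that still links to either file will end up with a dead link; the hunks shown here are deletions only, with no navigation or redirect change alongside them, so please search the docs tree (including the site's navigation file) for inbound links and point them at `ldap_in_11.0.md`. Before the text goes, also confirm the new document covers three details that only this page documented: the composed user search filter `(&($LOGIN_ATTR=*)($FILTER))`, the `;`-separated multi-BASE syntax, and the TLS workaround of moving the bundled `liblber-2.4.so.2`, `libldap-2.4.so.2`, `libsasl2.so.2` and `libldap_r-2.4.so.2` out of the library path. If the USER_DN guidance is carried over, replace "It's recommended to use a user in the administrator group" with a read-only service account that can only search under BASE, since the bind credential sits in plaintext in ccnet.conf (`PASSWORD = secret`) and needs no write rights.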
@ -1,158 +0,0 @@
# Importing Groups from LDAP/AD

Since version 4.1.0, the Pro Edition supports importing (syncing) groups from LDAP or Active Directory.

For version 11.0, please follow the new document [LDAP in version 11.0](./ldap_in_11.0.md#setting-up-ldap-group-sync-optional).

## How It Works

The importing or syncing process maps groups from LDAP directory server to groups in Seafile's internal database. This process is one-way.

* Any changes to groups in the database won't propagate back to LDAP;
* Any changes to groups in the database, except for "setting a member as group admin", will be overwritten in the next LDAP sync operation. If you want to add or delete members, you can only do that on LDAP server.
* The creator of imported groups will be set to the system admin.

There are two modes of operation:

* Periodical: the syncing process will be executed in a fixed interval
* Manual: there is a script you can run to trigger the syncing once

## Prerequisite

You have to install python-ldap library in your system.

For Debian or Ubuntu

```
sudo apt-get install python-ldap

```

For CentOS or RedHat

```
sudo yum install python-ldap

```

## Syncing Groups

### Configuration

Before enabling LDAP group sync, you should have configured LDAP authentication. See [Configure Seafile to use LDAP](using_ldap_pro.md) for details.

The following are LDAP group sync related options. They're in the "\[ldap_sync]" section of [ccnet.conf](../config/ccnet-conf.md).

Below are summary of options for syncing groups:

* **ENABLE_GROUP_SYNC**: set to "true" if you want to enable ldap group syncing
* **GROUP_OBJECT_CLASS**: This is the name of the class used to search for group objects. In Active Directory, it's usually "group"; in OpenLDAP or others, you may use "groupOfNames","groupOfUniqueNames" or "posixGroup", depends on your LDAP server. The default value is "group".
* **SYNC_INTERVAL**: The interval to sync. Unit is minutes. You can set it to 60, which means that data is synchronized from the LDAP/AD server every 60 minutes.
* **GROUP_FILTER**: An additional filter to use when searching group objects. If it's set, the final filter used to run search is "(&(objectClass=GROUP_OBJECT_CLASS)(GROUP_FILTER))"; otherwise the final filter would be "(objectClass=GROUP_OBJECT_CLASS)".
* **GROUP_MEMBER_ATTR**: The attribute field to use when loading the group's members. For most directory servers, the attributes is "member", which is the default value.For "posixGroup", it should be set to "memberUid".
* **USER_ATTR_IN_MEMBERUID**: The user attribute set in 'memberUid' option, which is used in "posixGroup".The default value is "uid".
* **DEL_GROUP_IF_NOT_FOUND**: set to "true", will deleted the groups if not found it in LDAP/AD server; need Seafile-pro-6.3.0 and above version
* **SYNC_GROUP_AS_DEPARTMENT**: In 6.3.8 version, a new option SYNC_GROUP_AS_DEPARTMENT is added. If this option is set to "true", the groups will be synced as top-level departments in Seafile, instead of simple groups. Learn more about departments in Seafile [here](https://help.seafile.com/sharing_collaboration/departments/).
* **CREATE_DEPARTMENT_LIBRARY**: If you decide to sync the group as a department, you can set this option to "true". In this way, when the group is synchronized for the first time, a library is automatically created for the department, and the library's name is the department's name.
* **DEFAULT_DEPARTMENT_QUOTA**: If you decide to sync the group as a department, you can set a default space quota for each department when you synchronize a group for the first time. The quota is set to unlimited if this option is not set. Unit is MB.
* **DEPT_NAME_ATTR**: Get the department name. You can set this configuration item to an AD field that represents the "department" name, such as "description". The name of the department created by Seafile will be the department name set in the AD field instead of the OU name. Requires Seafile-pro-7.0.11 and above.
* **DEPT_REPO_PERM**: Set the permissions of the department repo. The default permission is 'rw'. Set permissions for the department repo created during AD synchronization. Requires Seafile-pro-7.0.11 and above.
* **USE_GROUP_MEMBER_RANGE_QUERY**: When a group contains too many members, AD will only return part of them. Set this option to TRUE to make LDAP sync work with large groups.
* **GROUP_UUID_ATTR**: Since Seafile pro 8.0, UUID is used to identify groups in LDAP/AD servers. Before that, group DN is used. So when a group changes name, the old group will be deleted and a new group will be created. This is not a desirable behavior. With the new mechanism, the rename can be detected and the groups in Seafile remains intact. The default attribute is "ObjectGUID", which is available in AD. For other LDAP servers, please refer to https://ldapwiki.com/wiki/Universally%20Unique%20Identifier .

The search base for groups is the "BASE_DN" set in "\[ldap]" section of ccnet.conf.

Some LDAP server, such as Active Directory, allows a group to be a member of another group. This is called "group nesting". If we find a nested group B in group A, we should recursively add all the members from group B into group A. And group B should still be imported a separate group. That is, all members of group B are also members in group A.

In some LDAP server, such as OpenLDAP, it's common practice to use Posix groups to store group membership. To import Posix groups as Seafile groups, set GROUP_OBJECT_CLASS option to posixGroup . A posixGroup object in LDAP usually contains a multi-value attribute for the list of member UIDs. The name of this attribute can be set with the GROUP_MEMBER_ATTR option. It's MemberUid by default. The value of the MemberUid attribute is an ID that can be used to identify a user, which corresponds to an attribute in the user object. The name of this ID attribute is usually uid , but can be set via the USER_ATTR_IN_MEMBERUID option. Note that posixGroup doesn't support nested groups.

### Example Configurations

Here is an example configuration for syncing nested groups in Active Directory:

```
[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=users,dc=example,dc=com
USER_DN = administrator@example.local
PASSWORD = secret
LOGIN_ATTR = mail

[LDAP_SYNC]
ENABLE_GROUP_SYNC = true
SYNC_INTERVAL = 60

```

For AD, you usually don't need to configure other options except for "ENABLE_GROUP_SYNC". That's because the default values for other options are the usual values for AD. If you have special settings in your LDAP server, just set the corresponding options.

Here is an example configuration for syncing nested groups (but not PosixGroups) in OpenLDAP:

```
[LDAP]
HOST = ldap://192.168.1.123/
BASE = ou=users,dc=example,dc=com
USER_DN = cn=admin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail

[LDAP_SYNC]
ENABLE_GROUP_SYNC = true
SYNC_INTERVAL = 60
GROUP_OBJECT_CLASS = groupOfNames

```

## Sync OU as Departments

A department in Seafile is a special group. In addition to what you can do with a group, there are two key new features for departments:

* Department supports hierarchy. A department can have any levels of sub-departments.
* Department can have storage quota.

Seafile supports syncing OU (Organizational Units) from AD/LDAP to departments. The sync process keeps the hierarchical structure of the OUs.

Options for syncing departments from OU:

* **SYNC_DEPARTMENT_FROM_OU**: set to "true" to enable syncing departments from OU.
* **SYNC_INTERVAL**: The interval to sync. Unit is minutes. You can set it to 60, which means that data is synchronized from the LDAP/AD server every 60 minutes.
* **DEL_DEPARTMENT_IF_NOT_FOUND**: If set to "true", sync process will delete a department if the corresponding OU is not found in AD/LDAP server.
* **CREATE_DEPARTMENT_LIBRARY**: set to "true", if you want to automatically create a department library with the OU name.
* **DEFAULT_DEPARTMENT_QUOTA**: default quota for the imported departments in MB. The quota is set to unlimited if this option is not set.
* **DEPT_NAME_ATTR**: Get the department name. You can set this configuration item to an AD field that represents the "department" name, such as "description". The name of the department created by Seafile will be the department name set in the AD field instead of the OU name. Requires Seafile-pro-7.0.11 and above.
* **DEPT_REPO_PERM**: Set the permissions of the department repo. The default permission is 'rw'. Set permissions for the department repo created during AD synchronization. Requires Seafile-pro-7.0.11 and above.
* **GROUP_UUID_ATTR**: Since Seafile pro 8.0, UUID is used to identify groups in LDAP/AD servers. Before that, OU DN is used. So when an OU changes name, the old group will be deleted and a new group will be created. This is not a desirable behavior. With the new mechanism, the rename can be detected and the groups in Seafile remains intact. The default attribute is "ObjectGUID", which is available in AD. For other LDAP servers, please refer to https://ldapwiki.com/wiki/Universally%20Unique%20Identifier .

**NOTE**: Before 6.3.8, an old configuration syntax is used for syncing OU as departments. That syntax is no long supported. The old syntax cannot support syncing both groups and OU from AD/LDAP at the same time. However this is necessary for many situations. With the new syntax, you can sync both.

## Periodical and Manual Sync

Periodical sync won't happen immediately after you restart seafile server. It gets scheduled after the first sync interval. For example if you set sync interval to 30 minutes, the first auto sync will happen after 30 minutes you restarts. To sync immediately, you need to manually trigger it.

After the sync is run, you should see log messages like the following in logs/seafevents.log. And you should be able to see the groups in system admin page.

```
[2015-03-30 18:15:05,109] [DEBUG] create group 1, and add dn pair CN=DnsUpdateProxy,CN=Users,DC=Seafile,DC=local<->1 success.
[2015-03-30 18:15:05,145] [DEBUG] create group 2, and add dn pair CN=Domain Computers,CN=Users,DC=Seafile,DC=local<->2 success.
[2015-03-30 18:15:05,154] [DEBUG] create group 3, and add dn pair CN=Domain Users,CN=Users,DC=Seafile,DC=local<->3 success.
[2015-03-30 18:15:05,164] [DEBUG] create group 4, and add dn pair CN=Domain Admins,CN=Users,DC=Seafile,DC=local<->4 success.
[2015-03-30 18:15:05,176] [DEBUG] create group 5, and add dn pair CN=RAS and IAS Servers,CN=Users,DC=Seafile,DC=local<->5 success.
[2015-03-30 18:15:05,186] [DEBUG] create group 6, and add dn pair CN=Enterprise Admins,CN=Users,DC=Seafile,DC=local<->6 success.
[2015-03-30 18:15:05,197] [DEBUG] create group 7, and add dn pair CN=dev,CN=Users,DC=Seafile,DC=local<->7 success.

```

To trigger LDAP sync manually,

```sh
cd seafile-server-latest
./pro/pro.py ldapsync

```

For Seafile Docker

```sh
docker exec -it seafile /opt/seafile/seafile-server-latest/pro/pro.py ldapsync

```

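Review bot: the group-sync page deleted in this hunk is the full reference for the `[LDAP_SYNC]` group and OU options (GROUP_OBJECT_CLASS, GROUP_FILTER, GROUP_MEMBER_ATTR, USER_ATTR_IN_MEMBERUID, DEL_GROUP_IF_NOT_FOUND, SYNC_GROUP_AS_DEPARTMENT, USE_GROUP_MEMBER_RANGE_QUERY, GROUP_UUID_ATTR, SYNC_DEPARTMENT_FROM_OU and DEL_DEPARTMENT_IF_NOT_FOUND), and its only forward pointer is the anchor `./ldap_in_11.0.md#setting-up-ldap-group-sync-optional`; please check that this anchor exists and that the new page documents each key, the nested-group and posixGroup semantics, the GROUP_UUID_ATTR rename behaviour (DN-based matching before 8.0 deletes and recreates a renamed group), and the manual trigger `./pro/pro.py ldapsync` including the `docker exec` form. The text itself states version floors below 11.0 (DEL_GROUP_IF_NOT_FOUND from 6.3.0, DEPT_NAME_ATTR from 7.0.11, GROUP_UUID_ATTR from 8.0), so operators on those releases lose their only reference once this merges; if those releases are still supported, move the file under a versioned path rather than deleting it. The cross-link `[Configure Seafile to use LDAP](using_ldap_pro.md)` also targets a file removed in this same commit, which is one more reason to fix inbound links in the same change.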
@ -1,47 +0,0 @@
# Importing Roles from LDAP/AD

For version 11.0, please follow the new document [LDAP in version 11.0](./ldap_in_11.0.md#importing-roles-from-ldap).

Since version 6.1.5, the Pro Edition supports syncing roles from LDAP or Active Directory.

To enable this feature, add config option `ROLE_NAME_ATTR` to ccnet.conf

```
[LDAP_SYNC]
ROLE_NAME_ATTR = title

```

`ROLE_NAME_ATTR` is the attribute field to configure roles in LDAP .
We provide a user-defined function to map the role:Create `custom_functions.py` under conf/ and edit it like:

```
#coding=utf-8
import sys
reload(sys)
sys.setdefaultencoding('utf8')

def ldap_role_mapping(role):
if 'staff' in role:
return 'Staff'
if 'guest' in role:
return 'Guest'
if 'manager' in role:
return 'Manager'

```

you can rewrite this function (in python) to make your own mapping rules. If the file or function doesn't exist, all roles in `ROLE_NAME_ATTR` will be synced.

** NOTE: **Make sure that ccnet-server keeps running while doing LDAP role sync.

Note: If you are using 7.1 version or later, and with Python 3, you should remove the following code from \`custom_functions.py\`:

```
import sys
reload(sys)
sys.setdefaultencoding('utf8')

```

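Review bot: the roles page deleted in this hunk is the only description of the `custom_functions.py` contract (file placed under conf/, function named `ldap_role_mapping(role)`, the fallback that "all roles in ROLE_NAME_ATTR will be synced" when the file or function is missing, and the 7.1/Python 3 note to drop `reload(sys)` and `sys.setdefaultencoding('utf8')`); confirm that `./ldap_in_11.0.md#importing-roles-from-ldap` keeps all four points, because with the hook absent the raw directory attribute values become Seafile role names with no mapping applied, and an operator who cannot find the contract will not know why. The sample mapping also uses substring tests (`'staff' in role`) and falls through with no return when nothing matches; whichever page replaces this one should say what Seafile does with a None result from the hook.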
@ -1,368 +0,0 @@
# Configure Seafile Pro Edition to use LDAP

For version 11.0, please follow the new document [LDAP in version 11.0](./ldap_in_11.0.md).

## How does LDAP User Management works with Seafile

When Seafile is integrated with LDAP/AD, users in the system can be divided into two tiers:

* Users within Seafile's internal user database. Some attributes are attached to these users, such as whether it's a system admin user, whether it's activated. This tier includes two types of users:
* Native users: these users are created by the admin on Seafile's system admin interface and are stored in the `EmailUser` table of the `ccnet` database.
* Users imported from LDAP/AD server: When a user in LDAP/AD logs into Seafile, its information will be imported from LDAP/AD server into Seafile's database. These users are stored in the `LDAPUsers` table of the `ccnet` database.
* Users in LDAP/AD server. These are all the intended users of Seafile inside the LDAP server. Seafile doesn't manipulate these users directly. It has to import them into its internal database before setting attributes on them.

When Seafile counts the user number in the system, it only counts the **activated** users in its internal database.

When Seafile is integrated with LDAP/AD, it'll look up users from both the internal database and LDAP server. As long as the user exists in one of these two sources, he/she can log into the system.

## Basic LDAP/AD Integration

The only requirement for Seafile to use LDAP/AD for authentication is that there must be a unique identifier for each user in the LDAP/AD server. Seafile can only use email-address-format user identifiers. So there are usually only two options for this unique identifier:

* Email address: this is the most common choice. Most organizations assign a unique email address for each member.
* UserPrincipalName: this is a user attribute only available in Active Directory. It's format is `user-login-name@domain-name`, e.g. `john@example.com`. It's not a real email address, but it works fine as the unique identifier.

### Connecting to Active Directory

To use AD to authenticate a user, please add the following lines to ccnet.conf.

If you choose email address as unique identifier:

```
[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=users,dc=example,dc=com
USER_DN = administrator@example.local
PASSWORD = secret
LOGIN_ATTR = mail

```

If you choose UserPrincipalName as unique identifier:

```
[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=users,dc=example,dc=com
USER_DN = administrator@example.local
PASSWORD = secret
LOGIN_ATTR = userPrincipalName

```

Meaning of each config options:

* HOST: LDAP URL for the host. ldap://, ldaps:// and ldapi:// are supported. You can also include port number in the URL, like ldap://ldap.example.com:389. To use TLS, you should configure the LDAP server to listen on LDAPS port and specify ldaps:// here. More details about TLS are covered below.
* BASE: The distinguished name (DN) of the search base when running queries against the directory server. If you want to use the root DN as search base (e.g. dc=example,dc=com), you need to add `FOLLOW_REFERRALS = false` to the configuration. The meaning of this option will be explained in following sections.
* USER_DN: The distinguished name of the user that Seafile will use when connecting to the directory server. This user should have sufficient privileges to access all the nodes under BASE. It's recommended to use a user in the administrator group.
* PASSWORD: Password of the above user.
* LOGIN_ATTR: The attribute used for user's unique identifier. Use `mail` or `userPrincipalName`.

Tips for choosing BASE and USER_DN:

* To determine the BASE, you first have to navigate your organization hierachy on the domain controller GUI.
* If you want to allow all users to use Seafile, you can use 'cn=users,dc=yourdomain,dc=com' as BASE (with proper adjustment for your own needs).
* If you want to limit users to a certain OU (Organization Unit), you run `dsquery` command on the domain controller to find out the DN for this OU. For example, if the OU is 'staffs', you can run 'dsquery ou -name staff'. More information can be found [here](https://technet.microsoft.com/en-us/library/cc770509.aspx).
* AD supports 'user@domain.name' format for the USER_DN option. For example you can use administrator@example.com for USER_DN. Sometimes the domain controller doesn't recognize this format. You can still use `dsquery` command to find out user's DN. For example, if the user name is 'seafileuser', run `dsquery user -name seafileuser`. More information [here](https://technet.microsoft.com/en-us/library/cc725702.aspx).

### Connecting to other LDAP servers

Please add the following options to ccnet.conf:

```
[LDAP]
HOST = ldap://192.168.1.123/
BASE = ou=users,dc=example,dc=com
USER_DN = cn=admin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail

```

The meaning of these options is the same as described in the previous section. With other LDAP servers, you can only use `mail` attribute as user's unique identifier.

### Testing your LDAP Configuration

Since 5.0.0 Pro Edition, we provide a command line tool for checking your LDAP configuration.

To use this tool, make sure you have `python-ldap` package installed on your system.

```
sudo apt-get install python-ldap

```

Then you can run the test:

```
cd seafile-server-latest
./pro/pro.py ldapsync --test

```

The test script checks your LDAP settings under the `[LDAP]` section of ccnet.conf. If everything works, it'll print the first ten users of the search results. Otherwise, it'll print out possible errors in your config.

## Setting Up LDAP/AD User Sync (optional)

In Seafile Pro, except for importing users into internal database when they log in, you can also configure Seafile to periodically sync user information from LDAP/AD server into the internal database.

* User's full name, department and contact email address can be synced to internal database. Users can use this information to more easily search for a specific user.
* User's Windows or Unix login id can be synced to the internal database. This allows the user to log in with its familiar login id.
* When a user is removed from LDAP/AD, the corresponding user in Seafile will be deactivated. Otherwise, he could still sync files with Seafile client or access the web interface.

After synchronization is complete, you can see the user's full name, department and contact email on its profile page.

### Active Directory

If you're using Active Directory, add the following options to ccnet.conf:

```
[LDAP]
......

[LDAP_SYNC]
ENABLE_USER_SYNC = true
DEACTIVE_USER_IF_NOTFOUND = true
SYNC_INTERVAL = 60
USER_OBJECT_CLASS = person
ENABLE_EXTRA_USER_INFO_SYNC = true
FIRST_NAME_ATTR = givenName
LAST_NAME_ATTR = sn
UID_ATTR = sAMAccountName

```

Meaning of each options:

* **ENABLE_USER_SYNC**: set to "true" if you want to enable ldap user synchronization
* **DEACTIVE_USER_IF_NOTFOUND**: set to "true" if you want to deactivate a user when he/she was deleted in AD server.
* **SYNC_INTERVAL**: The interval to sync. Unit is minutes. Defaults to 60 minutes.
* **USER_OBJECT_CLASS**: This is the name of the class used to search for user objects. In Active Directory, it's usually "person". The default value is "person".
* **ENABLE_EXTRA_USER_INFO_SYNC**: Enable synchronization of additional user information, including user's full name, department, and Windows login name, etc.
* **FIRST_NAME_ATTR**: Attribute for user's first name. It's "givenName" by default.
* **LAST_NAME_ATTR**: Attribute for user's last name. It's "sn" by default.
* **USER_NAME_REVERSE**: In some languages, such as Chinese, the display order of the first and last name is reversed. Set this option if you need it.
* **UID_ATTR**: Attribute for Windows login name. If this is synchronized, users can also log in with their Windows login name. In AD, the attribute `sAMAccountName` can be used as `UID_ATTR`.

If you choose `userPrincipalName` as the unique identifier for user, Seafile cannot use it as real email address to send notification emails to user. If the users in AD also have an email address attribute, you can sync these email addresses into Seafile's internal database. Seafile can then use them to send emails. The configuration option is:

* **CONTACT_EMAIL_ATTR**: usually you can set it to the `mail` attribute.

### Other LDAP servers

Add the following options to ccnet.conf:

```
[LDAP]
......

[LDAP_SYNC]
ENABLE_USER_SYNC = true
DEACTIVE_USER_IF_NOTFOUND = true
SYNC_INTERVAL = 60
USER_OBJECT_CLASS = userOfNames
ENABLE_EXTRA_USER_INFO_SYNC = true
FIRST_NAME_ATTR = givenName
LAST_NAME_ATTR = sn
UID_ATTR = uid

```

Meaning of each option:

* **ENABLE_USER_SYNC**: set to "true" if you want to enable ldap user synchronization
* **DEACTIVE_USER_IF_NOTFOUND**: set to "true" if you want to deactivate a user when he/she was deleted in LDAP server.
* **SYNC_INTERVAL**: The synchronization interval. Unit is minutes. Defaults to 60 minutes.
* **USER_OBJECT_CLASS**: This is the name of the class used to search for user objects. In OpenLDAP, you can use "userOfNames". The default value is "person".
* **ENABLE_EXTRA_USER_INFO_SYNC**: Enable synchronization of additional user information, including user's full name, department, and Windows/Unix login name, etc.
* **FIRST_NAME_ATTR**: Attribute for user's first name. It's "givenName" by default.
* **LAST_NAME_ATTR**: Attribute for user's last name. It's "sn" by default.
* **USER_NAME_REVERSE**: In some languages, such as Chinese, the display order of the first and last name is reversed. Set this option if you need it.
* **UID_ATTR**: Attribute for Windows/Unix login name. If this is synchronized, users can also log in with their Windows/Unix login name. In OpenLDAP, the attribute `uid` or something similar can be used.

### Importing Users without Activating Them

The users imported with the above configuration will be activated by default. For some organizations with large number of users, they may want to import user information (such as user full name) without activating the imported users. Activating all imported users will require licenses for all users in AD/LDAP, which may not be affordable.
|
||||
|
||||
Seafile provides a combination of options for such use case. First, you have to add below option to \[ldap_sync] section of ccnet.conf:
|
||||
|
||||
```
|
||||
ACTIVATE_USER_WHEN_IMPORT = false
|
||||
|
||||
```
|
||||
|
||||
This prevents Seafile from activating imported users. Second, add below option to `seahub_settings.py`:
|
||||
|
||||
```
|
||||
ACTIVATE_AFTER_FIRST_LOGIN = True
|
||||
|
||||
```
|
||||
|
||||
This option will automatically activate users when they login to Seafile for the first time.
|
||||
|
||||
|
||||
### Reactivating Users
|
||||
|
||||
When you set the \`**DEACTIVE_USER_IF_NOTFOUND**\` option, a user will be deactivated when it's not found in LDAP server. By default, even after this user reappears in the LDAP server, it won't be reactivated automatically. This is to prevent auto reactivating a user that was manually deactivated by the system admin.
|
||||
|
||||
However, sometimes it's desirable to auto reactivate such users. So in version 7.1.8 we added a new option to provide this behavior.
|
||||
|
||||
```
|
||||
AUTO_REACTIVATE_USERS = True
|
||||
|
||||
```
|
||||
|
||||
### Manually Trigger Synchronization
|
||||
|
||||
To test your LDAP sync configuration, you can run the sync command manually.
|
||||
|
||||
To trigger LDAP sync manually,
|
||||
|
||||
```sh
|
||||
cd seafile-server-latest
|
||||
./pro/pro.py ldapsync
|
||||
|
||||
```
|
||||
|
||||
For Seafile Docker
|
||||
|
||||
```sh
|
||||
docker exec -it seafile /opt/seafile/seafile-server-latest/pro/pro.py ldapsync
|
||||
|
||||
```
|
||||
|
||||
## Advanced LDAP/AD Integration Options
|
||||
|
||||
### Multiple BASE
|
||||
|
||||
Multiple base DN is useful when your company has more than one OUs to use Seafile. You can specify a list of base DN in the "BASE" config. The DNs are separated by ";", e.g. `ou=developers,dc=example,dc=com;ou=marketing,dc=example,dc=com`
|
||||
|
||||
### Additional Search Filter
|
||||
|
||||
Search filter is very useful when you have a large organization but only a portion of people want to use Seafile. The filter can be given by setting "FILTER" config. The value of this option follows standard LDAP search filter syntax (<https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx>).
|
||||
|
||||
The final filter used for searching for users is `(&($LOGIN_ATTR=*)($FILTER))`. `$LOGIN_ATTR` and `$FILTER` will be replaced by your option values.
|
||||
|
||||
For example, add the following line to LDAP config:
|
||||
|
||||
```
|
||||
FILTER = memberOf=CN=group,CN=developers,DC=example,DC=com
|
||||
|
||||
```
|
||||
|
||||
The final search filter would be `(&(mail=*)(memberOf=CN=group,CN=developers,DC=example,DC=com))`
|
||||
|
||||
Note that the cases in the above example is significant. The `memberOf` attribute is only available in Active Directory.
|
||||
|
||||
### Limiting Seafile Users to a Group in Active Directory
|
||||
|
||||
You can use the FILTER option to limit user scope to a certain AD group.
|
||||
|
||||
1. First, you should find out the DN for the group. Again, we'll use `dsquery` command on the domain controller. For example, if group name is 'seafilegroup', run `dsquery group -name seafilegroup`.
|
||||
2. Add following line to LDAP config:
|
||||
|
||||
|
||||
```
|
||||
FILTER = memberOf={output of dsquery command}
|
||||
|
||||
```
|
||||
|
||||
### Using TLS connection to LDAP/AD server
|
||||
|
||||
To use TLS connection to the directory server, you should install a valid SSL certificate on the directory server.
|
||||
|
||||
To make sure Seafile server successfully connect to the directory server with TLS, you have to choose the right version of Seafile Pro servers.
|
||||
|
||||
* If you're using Seafile 9.0 or newer, you should use Docker to run Seafile. There should be no problem connecting with TLS as long as SSL certificate on the directory server is valid.
|
||||
* If you're using older version of Seafile, you should choose Seafile package based on your OS. For CentOS/RHEL, choose the package for CentOS; for Ubuntu/Debian, choose the package for Ubuntu.
|
||||
|
||||
The Seafile server package bundles the version of libldap from the OS where it's built. So libldap will try to locate OpenSSL library in the same path as the buidling OS. Since different Linux distributions have different path or configuration for OpenSSL library, sometimes Seafile is unable to connect to the directory server with TLS.
|
||||
|
||||
When Seafile fails to connect with TLS, you may try to install ldap client libraries on your OS and ask Seafile to use them instead.
|
||||
|
||||
On Ubuntu and Debian, moving the bundled ldap related libraries out of the library path should make TLS connection work.
|
||||
|
||||
```
|
||||
cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib
|
||||
mkdir disabled_libs_use_local_ones_instead
|
||||
mv liblber-2.4.so.2 libldap-2.4.so.2 libsasl2.so.2 libldap_r-2.4.so.2 disabled_libs_use_local_ones_instead/
|
||||
|
||||
```
|
||||
|
||||
On some CentOS systems, you may have to move the libnssutil library as well:
|
||||
|
||||
```
|
||||
cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib
|
||||
mkdir disabled_libs_use_local_ones_instead
|
||||
mv libnssutil3.so disabled_libs_use_local_ones_instead/
|
||||
|
||||
```
|
||||
|
||||
This effectively removes the bundled libraries from the library search path.
|
||||
When the server starts, it'll instead find and use the system libraries (if they are installed).
|
||||
This change has to be repeated after each update of the Seafile installation.
|
||||
|
||||
### Use paged results extension
|
||||
|
||||
LDAP protocol version 3 supports "paged results" (PR) extension. When you have large number of users, this option can greatly improve the performance of listing users. Most directory server nowadays support this extension.
|
||||
|
||||
In Seafile Pro Edition, add this option to LDAP section of ccnet.conf to enable PR:
|
||||
|
||||
```
|
||||
USE_PAGED_RESULT = true
|
||||
|
||||
```
|
||||
|
||||
### Follow referrals
|
||||
|
||||
Starting from Pro Edition 4.0.4, Seafile supports auto following referrals in LDAP search. This is useful for partitioned LDAP or AD servers, where users may be spreaded on multiple directory servers. For more information about referrals, you can refer to [this article](https://technet.microsoft.com/en-us/library/cc978014.aspx).
|
||||
|
||||
To configure, add following option to ccnet.conf in the \[ldap] section:
|
||||
|
||||
```
|
||||
FOLLOW_REFERRALS = true
|
||||
|
||||
```
|
||||
|
||||
### Configure Multi-ldap Servers
|
||||
|
||||
Since seafile 5.1.4 pro edition, we support multi-ldap servers, that is besides base ldap server info in \[ldap] section, you can set other ldap servers info in \[ldap_multi_1], \[ldap_multi_2] ... \[ldap_multi_9] sections, so you can configure ten ldap servers to work with seafile. Multi-ldap servers mean that, when get or search ldap user, it will iterate all configured ldap servers until a match is found; When listing all ldap users, it will iterate all ldap servers to get all users; For Ldap sync it will sync all user/group info in all configured ldap servers to seafile.
|
||||
|
||||
For example I have configured base ldap server in `ccnet.conf` as follow:
|
||||
|
||||
```
|
||||
[LDAP]
|
||||
HOST = ldap://192.168.1.123/
|
||||
BASE = ou=users,dc=example,dc=com
|
||||
USER_DN = cn=admin,dc=example,dc=com
|
||||
PASSWORD = secret
|
||||
LOGIN_ATTR = mail
|
||||
|
||||
```
|
||||
|
||||
Then I can configure another ldap server in `ccnet.conf` as follow:
|
||||
|
||||
```
|
||||
[LDAP_MULTI_1]
|
||||
HOST = ldap://192.168.1.124/
|
||||
BASE = ou=users,dc=example,dc=com
|
||||
USER_DN = cn=admin,dc=example,dc=com
|
||||
PASSWORD = secret
|
||||
|
||||
```
|
||||
|
||||
Before 6.3.8, all ldap servers share LOGIN_ATTR, USE_PAGED_RESULT, FOLLOW_REFERRALS attributes in \[ldap] section; For ldap user/group sync, all ldap servers share all ldap sync related attributes in \[ldap_sync] section.
|
||||
|
||||
Since seafile 6.3.8 pro, we support more independent config sections for each ldap server. The LOGIN_ATTR, USE_PAGED_RESULT, FOLLOW_REFERRALS options can be set independently in each \[ldap_multi_x] section. Furthermore, independent \[ldap_sync_multi_x] sections can be set for each LDAP server. That is, each LDAP server can use different LDAP sync options.
|
||||
|
||||
There are still some shared config options that can only be set in \[ldap_sync] section, which is used for all LDAP servers.
|
||||
|
||||
* SYNC_INTERVAL
|
||||
* DEACTIVE_USER_IF_NOTFOUND
|
||||
* ACTIVATE_USER_WHEN_IMPORT
|
||||
* IMPORT_NEW_USER
|
||||
* DEL_GROUP_IF_NOT_FOUND
|
||||
|
||||
These options are used to control synchronization behaviors, so they're shared for all LDAP servers.
|
||||
|
||||
NOTE: It is recommended to have a \[ldap_sync_multi_x] section for each \[ldap_multi_x] section. Otherwise the LDAP sync process will use the options in \[ldap_sync] section for that LDAP server.
|
||||
|
|
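Review bot: the deleted page is where the account-lifecycle knobs are documented, namely the "Importing Users without Activating Them" pairing of ACTIVATE_USER_WHEN_IMPORT = false with ACTIVATE_AFTER_FIRST_LOGIN = True, and the "Reactivating Users" rule that a user deactivated by DEACTIVE_USER_IF_NOTFOUND is not brought back unless AUTO_REACTIVATE_USERS = True; please confirm the page that replaces it in the nav (deploy_pro/ldap_in_11.0.md) still states both, because administrators rely on that deprovisioning behaviour and a silent documentation gap is how a removed-then-restored account ends up in an unexpected state. The same check applies to the multi-server layout (\[ldap_multi_x] with a matching \[ldap_sync_multi_x] for each, shared options only in \[ldap_sync]) and to the "Using TLS connection" workaround of moving the bundled liblber/libldap/libsasl2 libraries aside, which has no obvious home in the remaining pages. If these sections are being dropped on purpose for 11.0, say so in the commit message instead of the generic "Remove outdated files".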
@ -87,12 +87,8 @@ nav:
- Seafile Docker autostart: docker/seafile_docker_autostart.md
- Advanced Setup Options:
- LDAP/AD Integration:
- LDAP Integration: deploy/using_ldap.md
- LDAP Configuration for Seafile Pro: deploy_pro/using_ldap_pro.md
- Importing Groups from LDAP (Pro): deploy_pro/ldap_group_sync.md
- Importing Roles from LDAP (Pro): deploy_pro/ldap_role_sync.md
- LDAP in version 11.0: deploy/ldap_in_11.0.md
- LDAP in version 11.0 (Pro): deploy_pro/ldap_in_11.0.md
- LDAP Integration: deploy/ldap_in_11.0.md
- LDAP Integration (Pro): deploy_pro/ldap_in_11.0.md
- Single Sign On:
- Outline: deploy/single_sign_on.md
- OAuth Authentication: deploy/oauth.md
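Review bot: the nav removes the entries for deploy_pro/ldap_group_sync.md and deploy_pro/ldap_role_sync.md together with the two old LDAP pages, but nothing in this diff shows those two files being deleted or their content folded into deploy_pro/ldap_in_11.0.md; if they remain in the docs tree they are now unreachable from the navigation (MkDocs reports pages that exist but are not in nav), and if they were deleted, inbound links to them will break. Either keep `- Importing Groups from LDAP (Pro): deploy_pro/ldap_group_sync.md` and `- Importing Roles from LDAP (Pro): deploy_pro/ldap_role_sync.md` under the renamed "LDAP Integration (Pro)" entry, or add redirects for the removed paths (deploy/using_ldap.md, deploy_pro/using_ldap_pro.md and the two sync pages) so existing bookmarks and cross-references do not 404. The two new entries point at the same files as the removed "LDAP in version 11.0" entries, so that part is a pure title rename and is fine.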