SSO using Remote User
Starting from 7.0.0, Seafile can integrate with various Single Sign On systems via a proxy server. Examples include Apache as Shibboleth proxy, or LemonLdap as a proxy to LDAP servers, or Apache as Kerberos proxy. Seafile can retrieve user information from special request headers (HTTP_REMOTE_USER, HTTP_X_AUTH_USER, etc.) set by the proxy servers.
After the proxy server (Apache/Nginx) has successfully authenticated the user, it sets the user information in the request headers, and Seafile creates and logs in the user based on this information.
!!! danger "Make sure that the proxy server has a corresponding security mechanism to protect against forged request header attacks"
Please add the following settings to conf/seahub_settings.py to enable this feature.
```python
ENABLE_REMOTE_USER_AUTHENTICATION = True

# Optional: the HTTP header, configured in your web server conf file,
# that Seafile reads to get the user's unique id. Default value is 'HTTP_REMOTE_USER'.
REMOTE_USER_HEADER = 'HTTP_REMOTE_USER'

# Optional: when the value of HTTP_REMOTE_USER is not a valid email address,
# Seafile will build an email-like unique id from the value of 'REMOTE_USER_HEADER'
# and this domain, e.g. user1@example.com.
REMOTE_USER_DOMAIN = 'example.com'

# Optional: whether to create new users in the Seafile system. Default value is True.
# If this setting is disabled, users who do not already exist in the Seafile DB cannot log in.
# The admin has to first import the users from external systems like LDAP.
REMOTE_USER_CREATE_UNKNOWN_USER = True

# Optional: whether to activate new users in the Seafile system. Default value is True.
# If this setting is disabled, a new user will be unable to log in by default;
# the administrator needs to manually activate the user.
REMOTE_USER_ACTIVATE_USER_AFTER_CREATION = True

# Optional: map user attributes in HTTP headers to Seafile's user attributes.
REMOTE_USER_ATTRIBUTE_MAP = {
    'HTTP_DISPLAYNAME': 'name',
    'HTTP_MAIL': 'contact_email',

    # for user info
    "HTTP_GIVENNAME": 'givenname',
    "HTTP_SN": 'surname',
    "HTTP_ORGANIZATION": 'institution',

    # for user role
    'HTTP_SHIBBOLETH_AFFILIATION': 'affiliation',
}

# Map affiliation to user role. Though the config name is SHIBBOLETH_AFFILIATION_ROLE_MAP,
# it is not restricted to Shibboleth.
SHIBBOLETH_AFFILIATION_ROLE_MAP = {
    'employee@uni-mainz.de': 'staff',
    'member@uni-mainz.de': 'staff',
    'student@uni-mainz.de': 'student',
    'employee@hu-berlin.de': 'guest',
    'patterns': (
        ('*@hu-berlin.de', 'guest1'),
        ('*@*.de', 'guest2'),
        ('*', 'guest'),
    ),
}
```
Then restart Seafile.
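
How the `SHIBBOLETH_AFFILIATION_ROLE_MAP` shown above would resolve individual affiliation values, as an added example that is not Seafile's own code. It assumes an exact key is tried first and the `patterns` entries are then tried top to bottom with shell-style wildcards, the first match winning; `resolve_role` and `shadowed_patterns` are hypothetical helper names.

```python
from fnmatch import fnmatchcase

# Copied from the settings on this page.
SHIBBOLETH_AFFILIATION_ROLE_MAP = {
    'employee@uni-mainz.de': 'staff',
    'member@uni-mainz.de': 'staff',
    'student@uni-mainz.de': 'student',
    'employee@hu-berlin.de': 'guest',
    'patterns': (
        ('*@hu-berlin.de', 'guest1'),
        ('*@*.de', 'guest2'),
        ('*', 'guest'),
    ),
}


def resolve_role(affiliation, role_map):
    """Return the role for one affiliation value, or None if nothing matches.

    Assumed order: exact key first, then 'patterns' top to bottom, first hit wins.
    """
    # 'patterns' is a reserved key of the map, never an affiliation value.
    if affiliation != 'patterns' and affiliation in role_map:
        return role_map[affiliation]
    for pattern, role in role_map.get('patterns', ()):
        if fnmatchcase(affiliation, pattern):
            return role
    return None


def shadowed_patterns(role_map):
    """List patterns that can never fire because an earlier bare '*' matches everything."""
    patterns = [p for p, _ in role_map.get('patterns', ())]
    if '*' not in patterns:
        return []
    return patterns[patterns.index('*') + 1:]


if __name__ == '__main__':
    # Constructed sample affiliation values.
    for value in ('employee@hu-berlin.de', 'student@hu-berlin.de',
                  'prof@tu-dresden.de', 'alum@example.org'):
        print(value, '->', resolve_role(value, SHIBBOLETH_AFFILIATION_ROLE_MAP))
    print('shadowed:', shadowed_patterns(SHIBBOLETH_AFFILIATION_ROLE_MAP))
```

Under these assumptions the trailing `'*'` entry gives every otherwise unmatched affiliation the `guest` role, so any more specific pattern must be listed before it.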