seafile-docs

Configure Seafile to use LDAP

The current code of Seahub assumes that the user name is an email address, so it's not possible to log in with UNIX user names or Windows domain user names now. Support may be added later.

Seafile looks up a user in both the database and LDAP; LDAP is tried first. Note that Seafile admin accounts are always stored in the SQLite/MySQL database.

Connect to LDAP/AD from Linux

To use LDAP to authenticate users, add the following lines to ccnet.conf. Note that the values in the following config are just examples; you need to change them for your own deployment.

[LDAP]
HOST = ldap://ldap.example.com
BASE = ou=users,dc=example,dc=com
USER_DN = cn=seafileadmin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail

Meaning of each config option:

  • HOST: LDAP URL for the host. ldap://, ldaps:// and ldapi:// are supported. You can also include a port number in the URL, like ldap://ldap.example.com:389. To use TLS, configure the LDAP server to listen on the LDAPS port and specify ldaps:// here. More details about TLS are covered below.
  • BASE: The root distinguished name (DN) to use when running queries against the directory server.
  • USER_DN: The distinguished name of the user that Seafile will use when connecting to the directory server. This user should have sufficient privilege to access all the nodes under BASE. It's recommended to use a user in the administrator group.
  • PASSWORD: Password of the above user.
  • LOGIN_ATTR: The attribute to be used as user login id. By default it's the 'mail' attribute.

Tips for connecting to Active Directory:

  • On a Windows Server, you can use the ldp.exe GUI tool to browse your directory server tree. This makes it easy to locate the DN for the BASE option.
  • AD supports '[email protected]' format for the USER_DN option. For example you can use [email protected] for USER_DN.

Example config for Active Directory:

[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=users,dc=example,dc=com
USER_DN = [email protected]
PASSWORD = secret
LOGIN_ATTR = mail

Example config for OpenLDAP or other LDAP servers:

[LDAP]
HOST = ldap://192.168.1.123/
BASE = ou=users,dc=example,dc=com
USER_DN = cn=admin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail

If you're using Active Directory but don't have email address for the users, you can use the following config:

[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=users,dc=example,dc=com
USER_DN = [email protected]
PASSWORD = secret
LOGIN_ATTR = userPrincipalName

userPrincipalName is a user attribute provided by AD. It's usually of the form username@domain-name, where username is the Windows user login name. The user can then log in to Seahub with username@domain-name, such as [email protected]. Note that such a login name is not actually an email address, so sending emails from Seahub won't work with this setting.

Connect to LDAP/AD from Windows server

The config syntax on Windows is slightly different from Linux.

To use LDAP to authenticate users, add the following lines to ccnet.conf:

[LDAP]
HOST = ldap.example.com[:port]
# Default 'false'. Set to true if you want Seafile to communicate with the LDAP server via TLS connection.
USE_SSL = true | false
BASE = ou=users,dc=example,dc=com
USER_DN = cn=seafileadmin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail

Meaning of each config option:

  • HOST: LDAP server address and optional port. Do not add an ldap:// prefix to the HOST field.
  • USE_SSL: To use TLS, set this option to true. More details about TLS are covered below.
  • BASE: The root distinguished name (DN) to use when running queries against the directory server.
  • USER_DN: The distinguished name of the user that Seafile will use when connecting to the directory server. This user should have sufficient privilege to access all the nodes under BASE. It's recommended to use a user in the administrator group.
  • PASSWORD: Password of the above user.
  • LOGIN_ATTR: The attribute to be used as user login id. By default it's the 'mail' attribute.

Tips for connecting to Active Directory:

  • On a Windows Server, you can use the ldp.exe GUI tool to browse your directory server tree. This makes it easy to locate the DN for the BASE option.
  • AD supports '[email protected]' format for the USER_DN option. For example you can use [email protected] for USER_DN.

Example config for Active Directory:

[LDAP]
HOST = 192.168.1.123
BASE = cn=users,dc=example,dc=com
USER_DN = [email protected]
PASSWORD = secret
LOGIN_ATTR = mail

Example config for OpenLDAP or other LDAP servers:

[LDAP]
HOST = 192.168.1.123
BASE = ou=users,dc=example,dc=com
USER_DN = cn=admin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail

If you're using Active Directory but don't have email address for the users, you can use the following config:

[LDAP]
HOST = 192.168.1.123
BASE = cn=users,dc=example,dc=com
USER_DN = [email protected]
PASSWORD = secret
LOGIN_ATTR = userPrincipalName

userPrincipalName is a user attribute provided by AD. It's usually of the form username@domain-name, where username is the Windows user login name. The user can then log in to Seahub with username@domain-name, such as [email protected]. Note that such a login name is not actually an email address, so sending email notifications from Seahub won't work with this setting.

Multiple base DN/Additional search filter

Multiple base DNs are useful when more than one OU in your company uses Seafile. You can specify a list of base DNs in the "BASE" config, separated by ";", e.g. cn=developers,dc=example,dc=com;cn=marketing,dc=example,dc=com

A search filter is useful when you have a large organization but only a portion of the people use Seafile. The filter is given by setting the "FILTER" config. For example, add the following line to the LDAP config:

FILTER = memberOf=CN=group,CN=developers,DC=example,DC=com

Note that case is significant in the above example. The memberOf attribute is only available in Active Directory.

Here is another example:

FILTER = &(!(UserAccountControl:1.2.840.113556.1.4.803:=2))
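As an added example (not Seafile's own code), here is a small parser for the [LDAP] section described above: it validates the Linux-style HOST URL, splits a multi-value BASE on ";", and composes the LOGIN_ATTR lookup with the optional FILTER. How Seafile itself combines the login lookup with FILTER is an assumption here (an AND of the two clauses); the RFC 4515 escaping of the login value is the check a practitioner would want, since the login id is user-supplied input placed inside a search filter.

```python
import configparser
from urllib.parse import urlsplit

# Constructed ccnet.conf fragment (not from a real deployment), combining the
# Linux-style HOST URL, a multi-value BASE and a FILTER as the page describes.
CCNET_CONF = """
[LDAP]
HOST = ldaps://ldap.example.com:636
BASE = cn=developers,dc=example,dc=com;cn=marketing,dc=example,dc=com
USER_DN = cn=seafileadmin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail
FILTER = memberOf=CN=group,CN=developers,DC=example,DC=com
"""

# RFC 4515 escaping for values placed inside a search filter, so a login id
# containing "*", "(" or ")" cannot change the meaning of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_ldap_section(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["LDAP"]
    host = sec["HOST"]
    scheme = urlsplit(host).scheme
    # On Linux the page requires an ldap://, ldaps:// or ldapi:// URL.
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("HOST must start with ldap://, ldaps:// or ldapi://")
    # BASE may hold several DNs separated by ";" (multiple base DN).
    bases = [b.strip() for b in sec["BASE"].split(";") if b.strip()]
    return {
        "host": host, "tls": scheme == "ldaps", "bases": bases,
        "user_dn": sec["USER_DN"], "login_attr": sec.get("LOGIN_ATTR", "mail"),
        "filter": sec.get("FILTER", ""),
    }

def build_search_filter(cfg, login):
    # Assumed composition: the login lookup ANDed with the optional FILTER.
    # The page's FILTER examples lack the outer parentheses, so add them.
    login_clause = "(%s=%s)" % (cfg["login_attr"], escape_filter_value(login))
    extra = cfg["filter"]
    if not extra:
        return login_clause
    if not extra.startswith("("):
        extra = "(%s)" % extra
    return "(&%s%s)" % (login_clause, extra)
```

The same filter would be run once per entry in `bases` when BASE lists several DNs.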

Using TLS connection to LDAP/AD server

To use a TLS connection to the directory server, you should install a valid SSL certificate on the directory server.

The current version of the Seafile Linux server package is compiled on CentOS. We include the LDAP client library in the package to maintain compatibility with older Linux distributions. But since different Linux distributions have different paths or configurations for the OpenSSL library, Seafile is sometimes unable to connect to the directory server with TLS.

The LDAP library (libldap) bundled in the Seafile package is version 2.4. If your Linux distribution is new enough (like CentOS 6, Debian 7 or Ubuntu 12.04 or above), you can use the system's libldap instead.

To do this, run the following commands:

cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib
mv liblber-2.4.so.2 libldap-2.4.so.2 libsasl2.so.2 ..

This effectively removes the bundled LDAP library from the library path. When the server runs, it will look for the LDAP library in the system paths.

Advanced LDAP options for Professional Edition

Use paged results extension

LDAP protocol version 3 supports the "paged results" (PR) extension. When you have a large number of users, this option can greatly improve the performance of listing users. Most directory servers nowadays support this extension.

In Seafile Pro Edition, add this option to the LDAP section of ccnet.conf to enable PR:

USE_PAGED_RESULT = true