The current code of seahub assumes that the user name is an email address, so it's not possible to log in with UNIX user names or Windows Domain user names now. The support may be added later.
Seafile will look up a user both in the database and in LDAP. LDAP is tried first. Note that the Seafile admin accounts are always stored in the sqlite/mysql database.
To use LDAP to authenticate users, please add the following lines to ccnet.conf. Note that the values in the following config are just examples. You need to change the values for your own use.
[LDAP]
HOST = ldap://ldap.example.com
BASE = ou=users,dc=example,dc=com
USER_DN = cn=seafileadmin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail
Meaning of each config option:
Tips for connecting to Active Directory:
Example config for Active Directory:
[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=users,dc=example,dc=com
USER_DN = [email protected]
PASSWORD = secret
LOGIN_ATTR = mail
Example config for OpenLDAP or other LDAP servers:
[LDAP]
HOST = ldap://192.168.1.123/
BASE = ou=users,dc=example,dc=com
USER_DN = cn=admin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail
If you're using Active Directory but don't have email addresses for the users, you can use the following config:
[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=users,dc=example,dc=com
USER_DN = [email protected]
PASSWORD = secret
LOGIN_ATTR = userPrincipalName
The userPrincipalName is a user attribute provided by AD. It's usually of the form username@domain-name, where username is the Windows user login name. The user can then log in to seahub with username@domain-name, such as [email protected]. Note that such a login name is not actually an email address, so sending emails from seahub won't work with this setting.
The config syntax on Windows is slightly different from Linux.
To use LDAP to authenticate users, please add the following lines to ccnet.conf:
[LDAP]
HOST = ldap.example.com[:port]
# Default 'false'. Set to true if you want Seafile to communicate with the LDAP server via TLS connection.
USE_SSL = true | false
BASE = ou=users,dc=example,dc=com
USER_DN = cn=seafileadmin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail
Meaning of each config option:
Tips for connecting to Active Directory:
Example config for Active Directory:
[LDAP]
HOST = 192.168.1.123
BASE = cn=users,dc=example,dc=com
USER_DN = [email protected]
PASSWORD = secret
LOGIN_ATTR = mail
Example config for OpenLDAP or other LDAP servers:
[LDAP]
HOST = 192.168.1.123
BASE = ou=users,dc=example,dc=com
USER_DN = cn=admin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = mail
If you're using Active Directory but don't have email addresses for the users, you can use the following config:
[LDAP]
HOST = 192.168.1.123
BASE = cn=users,dc=example,dc=com
USER_DN = [email protected]
PASSWORD = secret
LOGIN_ATTR = userPrincipalName
The userPrincipalName is a user attribute provided by AD. It's usually of the form username@domain-name, where username is the Windows user login name. The user can then log in to seahub with username@domain-name, such as [email protected]. Note that such a login name is not actually an email address, so sending email notifications from Seahub won't work with this setting.
Multiple base DNs are useful when your company has more than one OU that uses Seafile. You can specify a list of base DNs in the "BASE" config. The DNs are separated by ";", e.g. cn=developers,dc=example,dc=com;cn=marketing,dc=example,dc=com
A search filter is very useful when you have a large organization but only a portion of the people want to use Seafile. The filter can be given by setting the "FILTER" config. For example, add the following line to the LDAP config:
FILTER = memberOf=CN=group,CN=developers,DC=example,DC=com
Note that the case in the above example is significant. The memberOf attribute is only available in Active Directory.
Here is another example:
FILTER = &(!(UserAccountControl:1.2.840.113556.1.4.803:=2))
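The following is an added example, not Seafile's own code: it parses the [LDAP] section of a constructed ccnet.conf, splits the multiple base DNs on ";", ANDs the LOGIN_ATTR match with the FILTER option (how Seafile itself composes the two is an assumption), RFC 4515-escapes the typed login name so it cannot alter the filter, and flags the caveats this page describes (no TLS, and a non-email LOGIN_ATTR). The ldaps:// scheme check is also an assumption, since the page only shows ldap:// and USE_SSL.

```python
import configparser

# Constructed sample [LDAP] section (not from a real deployment). The multiple
# BASE values and the FILTER mirror the options explained on this page.
SAMPLE_CCNET_CONF = """[LDAP]
HOST = ldap://192.168.1.123/
BASE = cn=developers,dc=example,dc=com;cn=marketing,dc=example,dc=com
USER_DN = cn=admin,dc=example,dc=com
PASSWORD = secret
LOGIN_ATTR = userPrincipalName
FILTER = &(!(UserAccountControl:1.2.840.113556.1.4.803:=2))
"""

def load_ldap_section(text):
    """Parse the [LDAP] section; BASE becomes a list split on ';'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    sec = dict(cp["LDAP"])
    sec["BASE"] = [b.strip() for b in sec["BASE"].split(";") if b.strip()]
    sec.setdefault("USE_SSL", "false")
    return sec

def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_login_filter(sec, login):
    """AND the LOGIN_ATTR match with the optional FILTER. How Seafile itself
    composes the two is an assumption here; the page gives FILTER without
    an outer pair of parentheses, so one is added around it."""
    attr_clause = "(%s=%s)" % (sec["LOGIN_ATTR"], escape_filter_value(login))
    extra = sec.get("FILTER")
    return attr_clause if not extra else "(&%s(%s))" % (attr_clause, extra)

def config_warnings(sec):
    """Caveats described on this page, turned into checkable warnings."""
    warnings = []
    tls = sec["HOST"].startswith("ldaps://") or sec["USE_SSL"].lower() == "true"
    if not tls:
        warnings.append("bind password and user credentials travel in cleartext")
    if sec["LOGIN_ATTR"] != "mail":
        warnings.append("LOGIN_ATTR is not an email address: Seahub mail won't work")
    return warnings

if __name__ == "__main__":
    sec = load_ldap_section(SAMPLE_CCNET_CONF)
    for base in sec["BASE"]:  # one search per base DN, as the page describes
        print(base, build_login_filter(sec, "alice@example.com"))
    print(config_warnings(sec))
```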
To use a TLS connection to the directory server, you should install a valid SSL certificate on the directory server.
The current version of the Seafile Linux server package is compiled on CentOS. We include the ldap client library in the package to maintain compatibility with older Linux distributions. But since different Linux distributions have different paths or configurations for the OpenSSL library, sometimes Seafile is unable to connect to the directory server with TLS.
The ldap library (libldap) bundled in the Seafile package is version 2.4. If your Linux distribution is new enough (like CentOS 6, Debian 7 or Ubuntu 12.04 or above), you can use the system's libldap instead.
To do this, just run the following commands:
cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib
mv liblber-2.4.so.2 libldap-2.4.so.2 libsasl2.so.2 ..
This effectively removes the bundled ldap library from the library path. When the server runs, it'll look for the ldap library in the system paths.
LDAP protocol version 3 supports the "paged results" (PR) extension. When you have a large number of users, this option can greatly improve the performance of listing users. Most directory servers nowadays support this extension.
In Seafile Pro Edition, add this option to the LDAP section of ccnet.conf to enable PR:
USE_PAGED_RESULT = true