Configure Seafile to use LDAP

Note: This documentation is for the Community Edition. If you’re using Pro Edition, please refer to the Seafile Pro documentation.

How does LDAP User Management work in Seafile

When Seafile is integrated with LDAP/AD, users in the system can be divided into two tiers:

  • Users within Seafile’s internal user database. Some attributes are attached to these users, such as whether it’s a system admin user, whether it’s activated. This tier includes two types of users:
    • Native users: these users are created by the admin on Seafile’s system admin interface. These users are stored in the EmailUser table of the ccnet database.
    • Users imported from LDAP/AD server: When a user in LDAP/AD logs into Seafile, its information will be imported from LDAP/AD server into Seafile’s database. These users are stored in the LDAPUsers table of the ccnet database.
  • Users in LDAP/AD server. These are all the intended users of Seafile inside the LDAP server. Seafile doesn’t manipulate these users directly. It has to import them into its internal database before setting attributes on them.

When Seafile counts the number of users in the system, it only counts the activated users in its internal database.

When Seafile is integrated with LDAP/AD, it’ll look up users from both the internal database and LDAP server. As long as the user exists in one of these two sources, they can log into the system.

Basic LDAP/AD Integration

The only requirement for Seafile to use LDAP/AD for authentication is that there must be a unique identifier for each user in the LDAP/AD server. Seafile can only use email-address-format user identifiers. So there are usually only two options for this unique identifier:

  • Email address: this is the most common choice. Most organizations assign unique email address for each member.
  • UserPrincipalName: this is a user attribute only available in Active Directory. It’s format is user-login-name@domain-name, e.g. john@example.com. It’s not a real email address, but it works fine as the unique identifier.

Connecting to Active Directory

To use AD to authenticate user, please add the following lines to ccnet.conf.

If you choose email address as unique identifier:

  1. [LDAP]
  2. HOST = ldap://192.168.1.123/
  3. BASE = cn=users,dc=example,dc=com
  4. USER_DN = administrator@example.local
  5. PASSWORD = secret
  6. LOGIN_ATTR = mail

If you choose UserPrincipalName as unique identifier:

  1. [LDAP]
  2. HOST = ldap://192.168.1.123/
  3. BASE = cn=users,dc=example,dc=com
  4. USER_DN = administrator@example.local
  5. PASSWORD = secret
  6. LOGIN_ATTR = userPrincipalName

Meaning of each config options:

  • HOST: LDAP URL for the host. ldap://, ldaps:// and ldapi:// are supported. You can also include a port number in the URL, like ldap://ldap.example.com:389. To use TLS, you should configure the LDAP server to listen on LDAPS port and specify ldaps:// here. More details about TLS will be covered below.
  • BASE: The root distinguished name (DN) to use when running queries against the directory server. You cannot use the root DN (e.g. dc=example,dc=com) as BASE.
  • USER_DN: The distinguished name of the user that Seafile will use when connecting to the directory server. This user should have sufficient privilege to access all the nodes under BASE. It’s recommended to use a user in the administrator group.
  • PASSWORD: Password of the above user.
  • LOGIN_ATTR: The attribute used for user’s unique identifier. Use mail or userPrincipalName.

Tips for choosing BASE and USER_DN:

  • To determine the BASE, you first have to navigate your organization hierachy on the domain controller GUI.
    • If you want to allow all users to use Seafile, you can use ‘cn=users,dc=yourdomain,dc=com’ as BASE (with proper adjustment for your own needs).
    • If you want to limit users to a certain OU (Organization Unit), you run dsquery command on the domain controller to find out the DN for this OU. For example, if the OU is ‘staffs’, you can run ‘dsquery ou -name staff’. More information can be found here.
  • AD supports ‘user@domain.name’ format for the USER_DN option. For example you can use administrator@example.com for USER_DN. Sometime the domain controller doesn’t recognize this format. You can still use dsquery command to find out user’s DN. For example, if the user name is ‘seafileuser’, run dsquery user -name seafileuser. More information here.

Connecting to other LDAP servers

Please add the following options to ccnet.conf:

  1. [LDAP]
  2. HOST = ldap://192.168.1.123/
  3. BASE = ou=users,dc=example,dc=com
  4. USER_DN = cn=admin,dc=example,dc=com
  5. PASSWORD = secret
  6. LOGIN_ATTR = mail

The meaning of the options are the same as described in the previous section. With other LDAP servers, you can only use mail attribute as user’s unique identifier.

Advanced LDAP/AD Integration Options

Multiple BASE

Multiple base DN is useful when your company has more than one OUs to use Seafile. You can specify a list of base DN in the “BASE” config. The DNs are separated by “;”, e.g. ou=developers,dc=example,dc=com;ou=marketing,dc=example,dc=com

Additional Search Filter

Search filter is very useful when you have a large organization but only a portion of people want to use Seafile. The filter can be given by setting “FILTER” config. The value of this option follows standard LDAP search filter syntax (https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx).

The final filter used for searching for users is (&($LOGIN_ATTR=*)($FILTER)). $LOGIN_ATTR and $FILTER will be replaced by your option values.

For example, add the following line to LDAP config:

  1. FILTER = memberOf=CN=group,CN=developers,DC=example,DC=com

The final search filter would be (&(mail=*)(memberOf=CN=group,CN=developers,DC=example,DC=com))

Note that the case of attribute names in the above example is significant. The memberOf attribute is only available in Active Directory.

Limiting Seafile Users to a Group in Active Directory

You can use the FILTER option to limit user scope to a certain AD group.

  1. First, you should find out the DN for the group. Again, we’ll use the dsquery command on the domain controller. For example, if group name is ‘seafilegroup’, run dsquery group -name seafilegroup.
  2. Add the following line to LDAP config:
  1. FILTER = memberOf={output of dsquery command}

Using TLS connection to LDAP/AD server

To use a TLS connection to the directory server, you should install a valid SSL certificate on the directory server.

The current version of Seafile Linux server package is compiled on CentOS. We include the ldap client library in the package to maintain compatibility with older Linux distributions. But since different Linux distributions have different path or configuration for OpenSSL library, sometimes Seafile is unable to connect to the directory server with TLS.

The ldap library (libldap) bundled in the Seafile package is of version 2.4. If your Linux distribution is new enough (like CentOS 6, Debian 7 or Ubuntu 12.04 or above), you can use system’s libldap instead.

On Ubuntu 14.04 and Debian 7/8, moving the bundled ldap related libraries out of the library path should make TLS connection work.

  1. cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib
  2. mkdir disabled_libs_use_local_ones_instead
  3. mv liblber-2.4.so.2 libldap-2.4.so.2 libsasl2.so.2 libldap_r-2.4.so.2 disabled_libs_use_local_ones_instead/

On CentOS 6, you have to move the libnssutil library:

  1. cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib
  2. mkdir disabled_libs_use_local_ones_instead
  3. mv libnssutil3.so disabled_libs_use_local_ones_instead/

This effectively removes the bundled libraries from the library search path.
When the server starts, it’ll instead find and use the system libraries (if they are installed).
This change has to be repeated after each update of the Seafile installation.