Can we sync departments from LDAP separately? (Is there any filter available?)
Can we select LDAP group members to be department admins?
Can we sync nested LDAP groups to nested Seafile groups?
Separate management from existing groups to new departments/subgroups may be confusing.
Only admins can create departments → they can create nested groups too
Users can only create groups (as before) → they cannot create nested groups
Can we convert existing Seafile groups to new departments?
I’d like to know a little before getting this version in production.
The admin of a group still needs to be a member of the group. In a later version, we will add the feature that a group admin can manage sub-groups of that group.
There seems to be some confusion among these 3 features:
multi-tenancy
multiple institutions
departments
Multi-tenancy is more for SaaS providers. They can host many small customers within one Seafile instance. Each tenant is completely logically separated from each other. They cannot share folders with each other, except for using a link.
Multiple institutions is similar to multi-tenancy but with the exception that users in different institutions can share directly with users in other institutions. Each institution can have its own admin, who can manage the users in its institution.
Both multi-tenancy and multi-institution are designed for a kind of “public” hosting, while department is designed for internal management of an organization.
Currently the multi-institution feature is only used by hosting providers for universities. They usually assign new users to institutions based on Shibboleth login attributes. In the future there may be a need for syncing this relation from LDAP or AD.
Thank you for reminding us of the differences between the hosting options.
My questions are based on a specific use case.
As a university campus, we will provide Seafile hosting to different institutions, which could lead us to use the multi-institution feature
for users originating from different universities
but who need to share files between them and also create groups independent from the institutions.
We will not use Shibboleth affiliation, because we have already built an LDAP directory in which all users are separated between OU = institutions (organizationalUnit) and Groups = Laboratories (groupOfNames).
Laboratories do not depend on institutions; their members can belong to different institutions.
We have already had (for 2 years) a Seafile instance for our institution, which must be separated from the others.
Instead of installing a new Seafile instance, I’m thinking of one multi-tenancy instance in which two tenants (the former and the new one) could share the program files, but with a logical split between the two.
In this case, we could have two LDAPs, one for each tenant.
As it seems to be difficult to implement, I suppose that installing two instances of Seafile is the best way to achieve our goals.
The former one with classic config and LDAP syncing:
We already have former “groups” for departments and I’m afraid it will be difficult to migrate these to departments.
Apart from the nesting feature, I don’t really see the difference between the two options.
The new one, which could be a multi-institutions instance, but we may need to
We would recommend that you set up two separate Seafile instances. For the new Seafile instance which serves the universities, it’s simpler if you just use the “departments” feature to organize the universities and the departments under them. There are still two missing features to make this setting possible:
We need to support syncing both OUs and groups. We plan to add this support in version 6.3 in the near future.
A new interface for department admins to manage the user quotas and files in the departments under their administration. The concept is similar to multi-institution, but expanded to nested departments. Perhaps at the beginning you don’t need this feature, but just manage the users directly with the global system admin. This is still to be discussed.
UPDATE:
Another simple idea is to use the multi-institution feature to separate the universities at the top level only. The departments and groups can still be imported to Seafile. For the users, departments and LDAP groups are all just “groups” in Seafile. The good thing about this solution is that there are not too many levels of administration. And having any department admins look into users’ files may not be a good idea either. (This could be very desirable for companies though.)
Thank you for your suggestions. We are still investigating many solutions.
One of them is based on our Identity / LDAP manager, from which we could
create user accounts in Seafile (with the LDAP pwd);
define user profile and quota (if the API allows it)
populate Group with users (from OU or any other LDAP structure)
This feature could be based on a plugin that uses the Seafile API.
We are not sure that synchronizing LDAP to Seafile is the most accurate way, because many operations are done in the background and not controlled by a human. As identity management is quite a complex and risky field, we would like to know exactly what happens between LDAP and Seafile.
I will give you some feedback about this plugin if we manage to make it work.
Multi-institutions could be a global solution, but many structures (60) that will use our Campus cloud are “laboratories” in which users depend on different “universities” (10). It would then become too difficult to build a collaborative space between close institutions.
I think it’s better to send us an email describing all your missing features in one place. It’s a bit hard to track your requirements in the forum. Could you please send an email?