Bad: LDAP deleted user still in LDAP(imported)


#1

We use LDAP as our user database. Seafile uses another way of keeping LDAP users in its own database LDAP(imported).

If a user is deleted and no longer in our LDAP database, it still lingers in Seafile's LDAP(imported) as if it were active. It can be searched by others, etc. It should be deleted, though.

Do I really have to manually clean up LDAP(imported) so it is in sync with our LDAP database?
What is this extra LDAP database for?

Best,

Henrik


#2

The activation state of a user is recorded in LDAP(imported). The user information needs to be kept in the Seafile database in case the user is accidentally deleted in the LDAP database. By keeping the user's information, the libraries of that user are not deleted immediately.

Sometimes you also want the user to be inactive even if it is present in the LDAP database.

In the Pro version, if you are using the LDAP sync feature, when a user is deleted in LDAP, it is inactivated in Seafile automatically. In the Community Edition, the admin has to manually inactivate the user.


#3

Thanks. Is a user still able to log in if only present in LDAP(imported) but not in LDAP?


#4

The user can't log in, because Seafile will check the user's password against LDAP directly. If the user is not in LDAP, the password check will fail.


#5

Hi @daniel.pan

I noticed a weird behaviour from the admin WEB UI of Seafile.

If I delete LDAP (Imported) users from the admin web UI, they are not deleted (a page refresh shows them all), even if the SYNC process is deactivated.

I suppose that this is a bug, because when you delete them from the admin web UI, you intend to really delete them with their libraries.

And so, for GDPR compliance, users may be deleted permanently if they do not use Seafile anymore.

Regards


#6

I did not find this problem after testing in the latest version (Pro-6.3.13).


#7

We can't reproduce the problem using the 6.3.13 version. After deleting the user, its libraries are all deleted. If you log in with that user again, the user will be re-imported from LDAP with a new empty library.


#8

Right, I updated to 6.2.13 and this problem does not occur anymore.

As you said:

After deleting the user, its libraries are all deleted. If you login with that user again, the user will be re-imported from LDAP with a new empty library.

But I have some (old) users in the LDAP column that I can not delete anymore (no button to do so).

Did you change the LDAP database tables recently? Do I have to delete them manually from the database?


#9

I guess there is something wrong with these users that can't be deleted. Can you check django.log to see if there are any error logs?


#10

Hi Daniel

I can not find any log named "django", and the other logs are empty.

Users that can not be deleted are accessible through /sys/useradmin/ldap/

Most of them are groups (identified as users in this view, but they have no contact email).
Some are real users.

I think they were created in a previous version of Seafile and never deleted.

Is there a way to make a clean deletion (not from the database) for:

  • these users
  • all LDAP groups and departments (empty libraries prevent deletion) and associated libraries?

If not, I will start from a fresh install (it's a test server).


#11

Hi Gautier,

These special users should not be displayed in the interface as confirmed by our developer.

Please use a fresh install. If you still have the problems, we will give it a test.


#12

Hi, does your developer have any idea about the reason why they are here?

Could you please explain which database tables are concerned by LDAP Sync?

I will (in the next days). But I'm quite sure they will not appear in a blank database.

We should perform an LDAP sync test to reproduce the issue from a blank database. Any advice?

Regards


#13

Maybe in an old version, the flag that the user is a special user is not set.

The LDAPUser table is related to LDAP Sync. If you sync groups, the tables Group, GroupDNPair, GroupStructure will be used too.


#14

Hi @daniel.pan,

I started from a fresh install and now understand how the Seafile user views are designed.

There are 3 views:

  • Users
  • LDAP
  • LDAP (imported)

Users contains only the root admin.

LDAP (imported) contains:

  • Users that logged in to Seafile from LDAP (and are imported into Seafile)
  • Users that are synced from LDAP

LDAP shows all users from my LDAP (but they are not in Seafile: this is only a view on the LDAP).

  • They are not only users
  • They can be "groups" of users with objectClass groupOfNames, gosaGroupOfNames, fdGroupMail or fdRenaterPartageGroup

FILTERS

In my tests, the FILTER option is difficult to handle:
https://manual.seafile.com/deploy/using_ldap.html

I can't figure out how to write a nested-condition filter like this one.

If I want:

OUTPUT_LDAP_FILTER = (objectclass=eduPerson)(|(supannEntiteAffectationPrincipale=epcc-pole-numerique)(supannEntiteAffectationPrincipale=epcc-grand-equipement-documentaire)(supannEntiteAffectationPrincipale=epcc-communication)(supannEntiteAffectationPrincipale=epcc-biblissima))

I cannot do that, because FILTER can not combine the & and | operators and parentheses.

But this one works (only the | operator):

FILTER = |(supannEntiteAffectationPrincipale=epcc-pole-numerique)(supannEntiteAffectationPrincipale=epcc-grand-equipement-documentaire)(supannEntiteAffectationPrincipale=epcc-communication)(supannEntiteAffectationPrincipale=epcc-biblissima)

EXTRA_USER_INFOS

It seems that extra user info is limited to firstname, lastname and uid.

DEPT_ATTR = supannEntiteAffectationPrincipale

does not work for me.

SYNC PROCESS

Same problem as for the previous filter.

But this filter also works: same list in LDAP (imported) as in LDAP.

FILTER = |(supannEntiteAffectationPrincipale=epcc-pole-numerique)(supannEntiteAffectationPrincipale=epcc-grand-equipement-documentaire)(supannEntiteAffectationPrincipale=epcc-communication)(supannEntiteAffectationPrincipale=epcc-biblissima)

I enabled group syncing and sync as department:

ENABLE_GROUP_SYNC = True
SYNC_GROUP_AS_DEPARTMENT = True

But the groups do not have a default library.

I thought

CREATE_DEPARTMENT_LIBRARY = true

should work for groups (as departments) even if

SYNC_DEPARTMENT_FROM_OU = False (I do not want to sync OUs for the moment).

I now better understand how LDAP / Seafile works, but there are still some questions.

Could you answer them ?

Regards


#15

Hi @gauburtin

For the filter syntax, you can refer to https://docs.microsoft.com/en-us/windows/desktop/adsi/search-filter-syntax

I think you can first try to fix the filter problem. Maybe the other problems are just consequences of this issue. For debugging, you can try to run ldapsync with the --test option: ./pro/pro.py ldapsync --test


#16

Hi @Jonathan

I tried with:

FILTER = (&(objectclass=supannPerson)(|(supannEntiteAffectationPrincipale=epcc-pole-numerique)(supannEntiteAffectationPrincipale=epcc-grand-equipement-documentaire)(supannEntiteAffectationPrincipale=epcc-communication)(supannEntiteAffectationPrincipale=epcc-biblissima)))

with no success.

I don't think that the FILTER is the cause of the other problems.

And I found something weird:

A user can log in with CAS, as he is found in the LDAP users (last login = 1 min).

But he cannot be added as a member of a group, since he is synced and activated.

Is it normal ?


#17

This option is no longer supported since the introduction of real department support in Seafile.

About the filter, what do you mean by “not work”? Do you have logs for the problem?

The user should be able to be added to a group. Can you provide more details or screenshots?


#18

With this filter (in both the [LDAP] and [LDAP SYNC] sections):

./pro/pro.py ldapsync --test
[04/10/2019 13:52:29] [DEBUG] Try to connect ldap server ldaps://ldap.domaine.fr.fr.
[04/10/2019 13:52:29] [DEBUG] Connect ldap server [ldaps://ldap.domaine.fr.fr] success with user_dn [cn=test,ou=dsa,ou=epcc-technical-accounts,dc=domaine,dc=fr] password [*****].
[04/10/2019 13:52:29] [DEBUG] Try to search login attribute [mail].
[04/10/2019 13:52:29] [DEBUG] Using filter [(&(objectclass=supannPerson)(|(supannEntiteAffectationPrincipale=epcc-pole-numerique)(supannEntiteAffectationPrincipale=epcc-grand-equipement-documentaire)(supannEntiteAffectationPrincipale=epcc-communication)(supannEntiteAffectationPrincipale=epcc-biblissima)))].
[04/10/2019 13:52:29] [DEBUG] Search result from dn [o=epcc,dc=domaine,dc=fr], and try to print ten records:
[04/10/2019 13:52:29] [WARNING] Search failed for base dn(o=epcc,dc=domaine,dc=fr), filter((&(mail=*)((&(objectclass=supannPerson)(|(supannEntiteAffectationPrincipale=epcc-pole-numerique)(supannEntiteAffectationPrincipale=epcc-grand-equipement-documentaire)(supannEntiteAffectationPrincipale=epcc-communication)(supannEntiteAffectationPrincipale=epcc-biblissima)))))) on server ldaps://ldap.domaine.fr.fr error: {'desc': 'Bad search filter'}
[04/10/2019 13:52:29] [DEBUG] Search failed, please check whether dn [o=epcc,dc=domaine,dc=fr] is valid.

[04/10/2019 13:52:29] [DEBUG] LDAP group sync is enabled, try to search groups using group object class [organizationalRole].
[04/10/2019 13:52:29] [DEBUG] Search result from dn [o=epcc,dc=domaine,dc=fr], and try to print ten records:
[04/10/2019 13:52:29] [DEBUG] cn=test-seafile-epcc-pole-numerique,ou=roles,o=epcc,dc=domaine,dc=fr: {'roleOccupant': ['uid=me.him,ou=people,ou=epcc-pole-numerique,o=epcc,dc=domaine,dc=fr'], 'cn': ['test-seafile-epcc-pole-numerique']}
[04/10/2019 13:52:29] [DEBUG] cn=rocket-epcc,ou=roles,o=epcc,dc=domaine,dc=fr: {'roleOccupant': ['uid=me.him,ou=people,ou=epcc-pole-numerique,o=epcc,dc=domaine,dc=fr', 'uid=me.her,ou=people,ou=epcc-pole-numerique,o=epcc,dc=domaine,dc=fr', 'uid=seafile,ou=people,ou=epcc-comptes-fonctionnels,o=epcc,dc=domaine,dc=fr', 'uid=prenom.nom,ou=people,ou=epcc-comptes-fonctionnels,o=epcc,dc=domaine,dc=fr'], 'cn': ['rocket-epcc']}
[04/10/2019 13:52:29] [DEBUG] cn=anonymous,ou=dsa,o=epcc,dc=domaine,dc=fr: {'cn': ['anonymous']}
[04/10/2019 13:52:29] [DEBUG] cn=ade-lecteurs,ou=roles,o=epcc,dc=domaine,dc=fr: {'roleOccupant': ['uid=prenom.nom,ou=people,ou=epcc-comptes-fonctionnels,o=epcc,dc=domaine,dc=fr'], 'cn': ['ade-lecteurs']}

I'll do more tests before that.

Thank you


#19

Perhaps you can try (without the outer parentheses):

&(objectclass=supannPerson)(|(supannEntiteAffectationPrincipale=epcc-pole-numerique)(supannEntiteAffectationPrincipale=epcc-grand-equipement-documentaire)(supannEntiteAffectationPrincipale=epcc-communication)(supannEntiteAffectationPrincipale=epcc-biblissima))
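Why dropping the outer parentheses fixes the "Bad search filter" error in the log above: the ldapsync --test output shows Seafile wrapping the configured FILTER as (&(mail=*)(FILTER)), so a FILTER that already carries its own outer parentheses ends up doubled, which is not valid RFC 4515 syntax. The script below is an added illustration, not Seafile's own code; the wrapper shape is inferred from that log line, and the structural check is a minimal parser written for this example.

```python
import re

# Added example (not Seafile's code). The wrapper shape (&(mail=*)(FILTER))
# is an assumption inferred from the ldapsync --test log quoted in post #18.
def seafile_search_filter(login_attr: str, user_filter: str) -> str:
    return f"(&({login_attr}=*)({user_filter}))"

# Minimal RFC 4515 structure check:
#   filter := "(" attr op value ")" | "(" ("&" | "|" | "!") filter+ ")"
_ITEM = re.compile(r"[A-Za-z][\w.;-]*(~=|>=|<=|=)[^()]*")

def _parse(s: str, i: int):
    """Parse one filter starting at s[i]; return (next index, ok)."""
    if i >= len(s) or s[i] != "(":
        return i, False
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, n = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":          # nested sub-filters
            i, ok = _parse(s, i)
            if not ok:
                return i, False
            n += 1
        if n == 0 or (op == "!" and n != 1):       # "!" takes exactly one
            return i, False
    else:
        m = _ITEM.match(s, i)                      # simple attr=value item
        if not m:
            return i, False
        i = m.end()
    return (i + 1, True) if i < len(s) and s[i] == ")" else (i, False)

def is_valid_filter(f: str) -> bool:
    i, ok = _parse(f, 0)
    return ok and i == len(f)

# Constructed filters, shortened from the supann example in the thread.
INNER = ("(|(supannEntiteAffectationPrincipale=epcc-pole-numerique)"
         "(supannEntiteAffectationPrincipale=epcc-communication))")
FILTER_WITH_PARENS = "(&(objectclass=supannPerson)" + INNER + ")"  # post #16 form
FILTER_NO_PARENS = FILTER_WITH_PARENS[1:-1]                        # post #19 form

def check(user_filter: str) -> bool:
    """True when the filter Seafile would actually send is well-formed."""
    return is_valid_filter(seafile_search_filter("mail", user_filter))

if __name__ == "__main__":
    for name, f in (("with parens", FILTER_WITH_PARENS), ("no parens", FILTER_NO_PARENS)):
        print(name, "->", seafile_search_filter("mail", f), check(f))
```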


#20

I tried it, and it worked! Thanks