CAS authentication creates new local users

Hi,

Seafile Pro 7.0.10 with LDAP authentication.

I enabled CAS authentication, as described in the server manual:

ENABLE_CAS = True
CAS_SERVER_URL = 'https://cas.server:8443/cas/'
CAS_LOGOUT_COMPLETELY = True

After authenticating against our CAS server with my LDAP account "testuser", I click on Seafile's "Single Sign-On" link and I'm logged in.
But it turns out that I'm not the LDAP user "testuser@mydomain" that I am supposed to be. Seafile creates a new local user called "testuser@seafile.local" instead, with an empty repository.
So it seems that CAS is not working with LDAP users.
Another thing is that after logging out from CAS, I am still logged in with Seafile.

@daniel.pan: can you examine this?

Thanks,
Dirk


It depends on what you use as unique identifier for a user. If the identifier is the same, a new user will not be created. Can you check the unique identifier for LDAP and CAS?

By the way, CAS is not the recommended way for SSO. The third-party Python library is not well maintained. SAML2 is much better.
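The point about the unique identifier is the whole issue: if the attribute the SSO provider returns is not the key the user store is indexed by, the login code cannot find the existing account and mints a fresh local one. The following is an added example (not Seafile's code; the account store, the `login_ids` table standing in for `profile_profile.login_id`, and the function names are hypothetical) that contrasts a naive mapping, which produces the `testuser@seafile.local` duplicate described above, with a mapping that first resolves the SSO attribute to the canonical account key and refuses to auto-provision unknown identities.

```python
"""Modelling how an SSO-provided identifier is mapped onto an existing account.

Added example, not Seafile's code. The data structures, the local domain
constant and the function names are assumptions made for illustration.
"""

# Hypothetical stand-in for the domain a local (non-LDAP) account gets.
LOCAL_DOMAIN = "seafile.local"


def fresh_store():
    """Constructed sample data: one LDAP-synced account keyed by its
    eduPersonPrincipalName, plus a login_id table mapping the short uid
    (what CAS returns) to that canonical key."""
    accounts = {"testuser@mydomain": {"libraries": ["My Library"]}}
    login_ids = {"testuser": "testuser@mydomain"}
    return accounts, login_ids


def naive_map(sso_id, accounts):
    """Naive mapping: treat the SSO attribute as the account key.

    A bare uid has no domain, so it is given the local one; since no account
    exists under that key, a brand-new empty account is created.
    Returns (account_key, created).
    """
    key = sso_id if "@" in sso_id else f"{sso_id}@{LOCAL_DOMAIN}"
    if key not in accounts:
        accounts[key] = {"libraries": []}
        return key, True
    return key, False


def resolve_sso_identity(sso_id, accounts, login_ids, create_missing=False):
    """Hardened mapping: resolve the SSO attribute to the canonical key first.

    Order of resolution:
      1. the login_id table (short uid -> canonical account key),
      2. a direct hit on the account store (the SSO provider already sends
         the canonical identifier),
      3. otherwise: no account. Auto-provisioning is off by default so an
         unknown or mistyped identifier cannot silently become a new user
         that the LDAP sync will never deactivate.
    Returns (account_key, created); account_key is None when unresolved.
    """
    if sso_id in login_ids:
        return login_ids[sso_id], False
    if sso_id in accounts:
        return sso_id, False
    if create_missing:
        key = sso_id if "@" in sso_id else f"{sso_id}@{LOCAL_DOMAIN}"
        accounts[key] = {"libraries": []}
        return key, True
    return None, False


def demo():
    """Run both mappings against the same constructed store and report
    which account each one lands on."""
    accounts, login_ids = fresh_store()
    naive = naive_map("testuser", dict(accounts))
    hardened = resolve_sso_identity("testuser", accounts, login_ids)
    unknown = resolve_sso_identity("stranger", accounts, login_ids)
    return {"naive": naive, "hardened": hardened, "unknown": unknown}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> account={result[0]!r} created={result[1]}")
```

Whatever the SSO method (CAS, SAML2 or the REMOTE_USER header approach), the defensive checks are the same two: confirm that the attribute the identity provider releases is the one the user store keys on (or is mapped to it via a login_id lookup), and decide explicitly whether unknown identities may be auto-provisioned at all. A duplicate `@seafile.local` account is the visible symptom; the quieter risk is that such an account lives outside the LDAP sync and is never deactivated when the real user leaves.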

Hi Daniel,

thanks for the reply. We use the uid for CAS and eduPersonPrincipalName for Seafile. But people can log in with their uid to Seafile (login_id in table profile_profile). So I thought this would work.
We have a user portal at university where we use CAS for single sign-on. It would be nice if we could integrate seafile there.

Regards,
Dirk

You may check the document for a general way to integrate Seafile with any kind of SSO https://download.seafile.com/published/seafile-manual/deploy/remote_user.md

Hi Daniel:
CAS SSO login does not use the LDAP user but creates a new user:

Seafile's LDAP login UID is mail, but after CAS SSO login a user called xxxx@seafile.local is created, not xxx@mydomain.com, so it is not the same user.

How do I solve this problem?

ENABLE_CAS = True
CAS_SERVER_URL = 'https://172.16.1.123'
CAS_LOGOUT_COMPLETELY = True
CAS_SERVER_CERT_VERIFY = False


[LDAP]
HOST = ldap://172.16.1.3
BASE = dc=abc,dc=com
USER_DN = cn=yourname,dc=abc,dc=com
PASSWORD = 12345678
LOGIN_ATTR = mail

[LDAP_SYNC]
ENABLE_USER_SYNC = true
DEACTIVE_USER_IF_NOTFOUND = true
SYNC_INTERVAL = 60
USER_OBJECT_CLASS = person
ENABLE_EXTRA_USER_INFO_SYNC = true
CONTACT_EMAIL_ATTR = mail
FIRST_NAME_ATTR = givenName
LAST_NAME_ATTR = sn
USER_NAME_REVERSE = true
UID_ATTR = sAMAccountName
ACTIVATE_USER_WHEN_IMPORT = true
SYNC_DEPARTMENT_FROM_OU = true
CREATE_DEPARTMENT_LIBRARY = true

Hey buddy, have you solved this problem now? I have the same problem.