Configure SSO LemonLdap In front of Seafile


#1

Hi,

This is an attempt to obtain some help on a non-trivial objective. :sweat_smile:

I’m trying to configure SSO LemonLdap::NG in front of Seafile.

One way is to use the HTTP Handler: https://lemonldap-ng.org/documentation/latest/configvhost#reverse_proxy

The other way is to use a SAML SP, as on Nextcloud: https://lemonldap-ng.org/documentation/2.0/applications/nextcloud

I tried to use the HTTP handler on the /sso path (previously used by Shib but deactivated).

I'm interested in bypassing the Shib SP while relying on the features of the Shib integration (on-the-fly roles). I thought I could do that with HTTP vars.

Apache <Location /sso> is empty
The /sso path is intercepted by the LLNG proxy (Nginx)
LLNG passes HTTP variables to Apache on /sso (I can see them)
But the HTTP variables are lost on the / path, even if I convert HTTP vars to Env:
https://lemonldap-ng.org/documentation/latest/header_remote_user_conversion

The user is not logged in and I stay on the login home page.
I don't know how to proceed to the correct seahub_auth.

If anyone has already done such a thing with the HTTP handler (Keycloak SSO or anything else), I'd be pleased to know how.

Please note that there is an HTTP handler for Django, but I don't know how to use it with seafile auth.

Other mechanisms are described here: https://lemonldap-ng.org/documentation/2.0/applications

BTW, I can try to implement SP forwarding (https://wiki.shibboleth.net/confluence/display/SHIB/SPForwardProxy), but I'm not sure that the Shibboleth implementation on seafile will work with a pure SAML 2 SP such as LLNG.

[Edit]

@daniel.pan @Jonathan

Is this Django method, AuthRemoteUser, already implemented in seafile?
https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/

Regards,

Gautier


#2

Hi @xiez

Is this supposed to work to log into seahub / seafile?

HTTP headers sent by the Nginx proxy server (LemonLdap), as logged in Apache:

Auth-User:seafile username value
Auth-surname:seafile surname value
Auth-username:seafile username value
Auth-givenname:seafile givenname value

Apache Config

SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1

#
# seafile fileserver
#
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]

#
# seahub
#
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/

#3

Hi,

RemoteUser auth will be included in version 7.0; you can manually update the Python files in version 6.x according to https://github.com/haiwen/seahub/commit/02b65d30adcbd6f2680fcd7cc4882f9b79d7d46d

Newly added settings:

TRUST_PROXY_AUTHTENTICATION = True
TRUST_PROXY_ENDPOINTS = ['/sso/', ]  # /sso/ should be protected by the proxy
PROXY_AUTH_HEADER = 'HTTP_REMOTE_USER'

#4

Hi @xiez ,

I replaced the files on a 6.3.10 Pro version:

seahub/auth/middleware.py
seahub/base/accounts.py
seahub/settings.py
seahub/views/sso.py

and added the settings to seahub_settings.py.

I get an error when starting seahub:

./seahub.sh start

LC_ALL is not set in ENV, set to en_US.UTF-8
Starting seahub at port 8000 ...
Error:Seahub failed to start.
Please try to run "./seahub.sh start" again

Is there a way to debug the startup error?

DEBUG = True does nothing.

[EDIT]

There may be a typo in the settings:

TRUST_PROXY_AUTH**T**ENTICATION = True

But set to

TRUST_PROXY_AUTHENTICATION = True

I still get the error.

Normal:

seahub/base/accounts.py

# Create a User object if not already in the database?
create_unknown_user = True

trust_proxy = getattr(settings, 'TRUST_PROXY_AUTHTENTICATION', False)

# End the remote user auth process if the proxy is not trusted
if not remote_user or not self.trust_proxy:

#5

Yes, there is a typo, TRUST_PROXY_AUTHTENTICATION in seahub/base/accounts.py should be TRUST_PROXY_AUTHENTICATION.

To debug your error, please start the dev server with ./seahub.sh python-env seahub/manage.py runserver; there should be some error messages.

FYI, here is the patch file for you to check, https://github.com/haiwen/seahub/commit/02b65d30adcbd6f2680fcd7cc4882f9b79d7d46d.patch


#6

Hi @xiez,

I fixed the typo and tried to debug the seahub startup.

I had to deactivate some apps directly in seahub/seahub/settings.py:

# 'seahub.drafts',
#'seahub.repo_tags',
#'seahub.file_tags',
#'seahub.related_files',

I had to leave

'social_django',

but I did install

pip install social-auth-app-django

Then seahub starts but needs a migration:

You have 53 unapplied migration(s). Your project may not work properly until you apply the migrations for app(s): admin_log, api2, auth, avatar, base, contacts, django_cas_ng, group, institutions, invitations, notifications, options, organizations, post_office, profile, registration, revision_tag, role_permissions, share, social_django, sysadmin_extra, tags, termsandconditions, trusted_ip, two_factor, wiki.
Run ‘python manage.py migrate’ to apply them.

Is it absolutely necessary?

BTW, with seahub_settings.py:

TRUST_PROXY_AUTHENTICATION = True
TRUST_PROXY_ENDPOINTS = ['/sso/', ]  # /sso/ should be protected by the proxy
PROXY_AUTH_HEADER = 'HTTP_REMOTE_USER'

Users do not log in with proxy auth.

What are the necessary settings in the Apache config?

What is the HTTP_REMOTE_USER header value used to match users?

Is it the username?

[EDIT]

I got another error in seahub.log:

Traceback (most recent call last):
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/thirdpart/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/thirdpart/django/core/handlers/base.py", line 244, in _legacy_get_response
    response = middleware_method(request)
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/seahub/auth/middleware.py", line 71, in process_request
    user = auth.authenticate(remote_user=username)
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/seahub/auth/__init__.py", line 54, in authenticate
    for backend in get_backends():
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/seahub/auth/__init__.py", line 47, in get_backends
    backends.append(load_backend(backend_path))
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/seahub/auth/__init__.py", line 23, in load_backend
    raise ImproperlyConfigured('Error importing authentication backend %s: "%s"' % (module, e))
ImproperlyConfigured: Error importing authentication backend seahub.social_core.backends.weixin_enterprise: "No module named social_core.backends.weixin_enterprise"

I removed from seahub/seahub/settings.py:

AUTHENTICATION_BACKENDS = (
   # 'seahub.social_core.backends.weixin_enterprise.WeixinWorkOAuth2',

But no proxy login is possible…

I'll stop my tests unless you can give me some advice, because I keep going round the problem without solving it :thinking:

I would prefer to test the feature before the release of 7.0, but I'm not a developer…

You're doing a great job!

Regards


#7

Hi @xiez

I had to change to

PROXY_AUTH_HEADER = 'HTTP_AUTH_USER'

because of the LemonLdap::NG-specific header.

Now it works! :yum::yum::yum::yum::yum::yum::yum::yum:

My feedback:

There is no SSO button activated on the home page.
You may create a new setting:

PROXY_AUTHENTICATION = True to display the button as for Shibboleth

The proxy authentication does not seem to work with the Seafile or SeaDrive clients (I'm not logged in through /sso).

Would it be possible to use some of the Shibboleth integration features, like roles and affiliation mappings?

Regards


#8

Okay. For seafile-pro-server-6.3.12, here are the steps:

Apply the patched files for Seahub:

cd /opt/seafile/seafile-server-latest/seahub/seahub/auth/
mv middleware.py middleware.py.bak
wget https://raw.githubusercontent.com/haiwen/seahub/800d37095067c4c02661665b2bca3647340b22be/seahub/auth/middleware.py

cd /opt/seafile/seafile-server-latest/seahub/seahub/base
mv accounts.py accounts.py.bak
wget https://raw.githubusercontent.com/haiwen/seahub/800d37095067c4c02661665b2bca3647340b22be/seahub/base/accounts.py

cd /opt/seafile/seafile-server-latest/seahub/seahub
mv settings.py settings.py.bak
wget https://raw.githubusercontent.com/haiwen/seahub/800d37095067c4c02661665b2bca3647340b22be/seahub/settings.py

cd /opt/seafile/seafile-server-latest/seahub/seahub/views
mv sso.py sso.py.bak
wget https://raw.githubusercontent.com/haiwen/seahub/800d37095067c4c02661665b2bca3647340b22be/seahub/views/sso.py

Modify conf/seahub_settings:

ENABLE_SHIB_LOGIN = True   # workaround to show the SSO link in the login page
TRUST_PROXY_AUTHENTICATION = True
TRUST_PROXY_ENDPOINTS = ['/sso/', ]  # /sso/ should be protected by the proxy
PROXY_AUTH_HEADER = 'HTTP_REMOTE_USER' # or whatever header the proxy set

Restart seahub and test web/desktop SSO.

Roles and affiliation mappings can be added in the future; are these attributes set in HTTP headers?
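As an added illustration (not seahub's own code), the following models the decision the three settings above describe, and the WSGI header-name conversion that explains why a proxy header such as LemonLDAP::NG's Auth-User has to be configured as 'HTTP_AUTH_USER' rather than 'HTTP_REMOTE_USER'. The settings values, the function names and the sample headers are assumptions constructed for the example.

```python
# Added example, not the seahub middleware. It reproduces the trust logic the
# settings describe: the proxy-supplied username is honoured only when proxy
# auth is enabled AND the request hits an endpoint the proxy protects, because
# on any other path a client could send the header itself.

TRUST_PROXY_AUTHENTICATION = True
TRUST_PROXY_ENDPOINTS = ['/sso/', ]   # /sso/ must be protected by the proxy
PROXY_AUTH_HEADER = 'HTTP_AUTH_USER'  # LemonLDAP::NG sends "Auth-User"


def wsgi_meta_name(header):
    """Map an HTTP header name to the key Django exposes in request.META.

    Django/WSGI upper-cases the name, replaces '-' with '_' and prefixes
    'HTTP_', so "Auth-User" becomes "HTTP_AUTH_USER". An Apache environment
    variable set with SetEnvIf is NOT forwarded by mod_proxy, which is why a
    REMOTE_USER env var never shows up as HTTP_REMOTE_USER in seahub.
    """
    return 'HTTP_' + header.strip().upper().replace('-', '_')


def proxy_user(path, meta, trust=TRUST_PROXY_AUTHENTICATION,
               endpoints=TRUST_PROXY_ENDPOINTS, header=PROXY_AUTH_HEADER):
    """Return the username asserted by the proxy, or None if it must be ignored."""
    if not trust:
        return None                       # feature disabled: never trust headers
    if not any(path.startswith(ep) for ep in endpoints):
        return None                       # outside the proxy-protected endpoints
    username = meta.get(header, '').strip()
    return username or None               # missing/empty header: no login


# Constructed sample: the headers the thread shows in the Apache log, after
# the WSGI conversion a Django request would apply.
SAMPLE_META = {wsgi_meta_name(h): v for h, v in [
    ('Auth-User', 'gautier'),
    ('Auth-Givenname', 'Gautier'),
]}

if __name__ == '__main__':
    print(proxy_user('/sso/', SAMPLE_META))                              # gautier
    print(proxy_user('/', SAMPLE_META))                                  # None
    print(proxy_user('/sso/', SAMPLE_META, header='HTTP_REMOTE_USER'))   # None
```

The third call reproduces the failure seen earlier in the thread: with PROXY_AUTH_HEADER left at 'HTTP_REMOTE_USER' the header LLNG actually sends is never read, so no user is logged in.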


#9

Hi @xiez

I followed your steps on 6.3.12 Pro.

  • I cannot log in anymore via the proxy, even on the web interface
  • The home page has lost a lot of CSS resources

#10

Roles and affiliation mapping could be set from specific attributes passed by the proxy. We could do the mapping as for Shibboleth (department, role).


#11

Hi @xiez, is there a way to debug proxy authentication on seafile?
HTTP headers are sent by the Nginx proxy to the Apache vhost in front of seafile, but I can't figure out whether the auth user headers are sent on to seafile by the Apache ProxyPass directive.

Regards


#12

Hi, with your help, I mapped seahub_settings.py to the appropriate HTTP header sent by LLNG.

I still cannot log in from the clients: the popup window is filled with the seahub interface after login; it does not switch to the main client interface.

I wonder how to map user values to HTTP headers, as can be done with Shibboleth SSO.

Regards


#13

Can we leave the debugging of the problem to the 7.0 version? In that version, the corresponding code is merged.


#14

Sure, Daniel. Thank you. Regards