Configure SSO LemonLdap In front of Seafile


This is an attempt to obtain some help on a non-trivial objective. :sweat_smile:

I’m trying to configure SSO LemonLdap::NG in front of Seafile.

One way is to use HTTP Handler : Manage virtual hosts — LemonLDAP::NG 2.0 documentation

The other way is to use SAML SP, as on Nextcloud :

I tried to use the HTTP handler on the /sso path (previously used by Shib but deactivated)

I’m interested in bypassing the Shib SP while relying on the features of the Shib integration (on-the-fly roles). I thought I could do that with HTTP vars.

Apache <Location /sso> is empty
/sso path is intercepted By LLNG proxy (Nginx)
LLNG passes HTTP variables to Apache on /sso (i can see them)
But HTTP variables are lost on / path, even if i convert HTTP vars to Env
Convert HTTP header into environment variable — LemonLDAP::NG 2.0 documentation

The user is not logged in and i stay on the login home page
I don’t know how to process to the correct seahub_auth

If anyone has already done such a thing with an HTTP handler (Keycloak SSO or anything else), I’d be pleased to know how

Please note that there is an HTTP handler for Django, but I don’t know how to use it with seafile auth

Other mechanisms are described here : Index of /documentation/2.0/applications

BTW, i can try to implement SP forwarding, but i’m not sure that the Shibboleth implementation on seafile will work on a pure SAML 2 SP as LLNG


@daniel.pan @Jonathan

Is this Django method AuthRemoteUser already implemented in seafile ?



Hi @xiez

Is that supposed to work to log into seahub / seafile ?

HTTP headers sent by the Nginx proxy server (LemonLdap)
Logged in Apache

Auth-User:seafile username value
Auth-surname:seafile surname value
Auth-username:seafile username value
Auth-givenname:seafile givenname value

Apache Config

SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1

  # seafile fileserver
  ProxyPass /seafhttp
  ProxyPassReverse /seafhttp
  RewriteRule ^/seafhttp - [QSA,L]

  # seahub
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
  ProxyPreserveHost On
  ProxyPass /
  ProxyPassReverse /


RemoteUser auth will be included in version 7.0, you can manually update the python files in version 6.x according to

Newly added settings:

TRUST_PROXY_ENDPOINTS = ['/sso/', ]  # /sso/ should be protected by the proxy

Hi @xiez ,

I replaced the files on to a 6.3.10 pro version


and added the settings to

I get an error when starting seahub

./ start

LC_ALL is not set in ENV, set to en_US.UTF-8
Starting seahub at port 8000 ...
Error:Seahub failed to start.
Please try to run "./ start" again

Is there a way to debug the startup error ?

DEBUG = True does nothing


There may be a typo in the Settings


But set to


I still get the error

Normal :


# Create a User object if not already in the database?
create_unknown_user = True

trust_proxy = getattr(settings, 'TRUST_PROXY_AUTHTENTICATION', False)
    # End the remote user auth process if the proxy is not trusted
if not remote_user or not self.trust_proxy:

Yes, there is a typo, TRUST_PROXY_AUTHTENTICATION in seahub/base/ should be TRUST_PROXY_AUTHENTICATION.

To debug your error, please start dev server by ./ python-env seahub/ runserver , there should be some error messages.

FYI, here is the patch file for you to check,

Hi @xiez,

I changed the typo and tried to debug seahub startup

I had to deactivate some apps directly in seahub/seahub/

# 'seahub.drafts',

I had to let


but did install

pip install social-auth-app-django

Then seahub starts but needs migration

You have 53 unapplied migration(s). Your project may not work properly until you apply the migrations for app(s): admin_log, api2, auth, avatar, base, contacts, django_cas_ng, group, institutions, invitations, notifications, options, organizations, post_office, profile, registration, revision_tag, role_permissions, share, social_django, sysadmin_extra, tags, termsandconditions, trusted_ip, two_factor, wiki.
Run ‘python migrate’ to apply them.

Is it absolutely necessary ?

BTW, with

TRUST_PROXY_ENDPOINTS = ['/sso/', ]  # /sso/ should be protected by the proxy

Users do not log in with proxy auth

What are the necessary settings in Apache config ?

What is the HTTP_REMOTE_USER Header value used to match users ?

is it username ?


I got another error on seahub.log

Traceback (most recent call last):
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/thirdpart/django/core/handlers/", line 41, in inner
    response = get_response(request)
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/thirdpart/django/core/handlers/", line 244, in _legacy_get_response
    response = middleware_method(request)
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/seahub/auth/", line 71, in process_request
    user = auth.authenticate(remote_user=username)
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/seahub/auth/", line 54, in authenticate
    for backend in get_backends():
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/seahub/auth/", line 47, in get_backends
  File "/home/cc/seafile/seafile-pro-server-6.3.10/seahub/seahub/auth/", line 23, in load_backend
    raise ImproperlyConfigured('Error importing authentication backend %s: "%s"' % (module, e))
ImproperlyConfigured: Error importing authentication backend seahub.social_core.backends.weixin_enterprise: "No module named social_core.backends.weixin_enterprise"

I removed from seahub/seahub/

   # 'seahub.social_core.backends.weixin_enterprise.WeixinWorkOAuth2',

But no proxy login is possible…

I’ll stop my tests unless you can give me some advice, because i turn around the problem without solving it :thinking:

I would prefer to test the feature before the release of 7.0, but i’m not a developer…

You’re doing a great job !


Hi @xiez

I had to change


Because of LemonLdap::NG specific header.

Now it works ! :yum::yum::yum::yum::yum::yum::yum::yum:

My feedback :

There is no SSO button activated on the home page.
You may create a new setting

PROXY_AUTHENTICATION = True to display the button as for Shibboleth

The Proxy Authentication seems not to work with seafile nor Seadrive clients (i’m not logged in through /sso)

Would it be possible to use some of the Shibboleth integration features like Roles and Affiliation mappings ?


Okay. For seafile-pro-server-6.3.12, here are the steps:

Apply the patch files for Seahub

cd /opt/seafile/seafile-server-latest/seahub/seahub/auth/

cd /opt/seafile/seafile-server-latest/seahub/seahub/base

cd /opt/seafile/seafile-server-latest/seahub/seahub

cd /opt/seafile/seafile-server-latest/seahub/seahub/views

Modify conf/seahub_settings:

ENABLE_SHIB_LOGIN = True   # workaround to show the SSO link in the login page
TRUST_PROXY_ENDPOINTS = ['/sso/', ]  # /sso/ should be protected by the proxy
PROXY_AUTH_HEADER = 'HTTP_REMOTE_USER' # or whatever header the proxy set

Restart seahub and test web/desktop SSO.

Roles and Affiliation mappings can be added in the future. Are these attributes set in HTTP headers ?
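
The settings above explain several symptoms in this thread. The sketch below is an added example, not Seahub's code and not part of the original post: it models a gate that accepts the proxy-set username only on TRUST_PROXY_ENDPOINTS, and shows how a header-name mismatch or a misspelled setting silently disables login. Function names and sample values are hypothetical.

```python
# Added illustration; not Seahub's implementation. Setting names are the ones
# quoted in the thread; function names and sample requests are constructed.

SETTINGS = {
    "TRUST_PROXY_AUTHENTICATION": True,
    "TRUST_PROXY_ENDPOINTS": ["/sso/"],      # must be protected by the proxy
    "PROXY_AUTH_HEADER": "HTTP_AUTH_USER",   # WSGI key for the Auth-User header
}


def wsgi_key(header_name):
    """Map an HTTP header name to the key a WSGI/Django app sees in META."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def proxy_authenticated_user(path, meta, settings=SETTINGS):
    """Return the proxy-asserted username, or None if it must be ignored."""
    # A missing or misspelled setting falls back to False: no proxy login.
    if not settings.get("TRUST_PROXY_AUTHENTICATION", False):
        return None
    # Outside the protected endpoints the header is never consulted, because
    # nothing guarantees the proxy set (or cleaned) it on those paths.
    endpoints = settings.get("TRUST_PROXY_ENDPOINTS", [])
    if not any(path.startswith(prefix) for prefix in endpoints):
        return None
    username = meta.get(settings.get("PROXY_AUTH_HEADER", ""), "").strip()
    return username or None


def demo():
    """Run the gate over constructed requests and return the outcomes."""
    meta = {wsgi_key("Auth-User"): "alice@example.com"}  # constructed value
    wrong_header = dict(SETTINGS, PROXY_AUTH_HEADER="HTTP_REMOTE_USER")
    misspelled = {k: v for k, v in SETTINGS.items()
                  if k != "TRUST_PROXY_AUTHENTICATION"}
    misspelled["TRUST_PROXY_AUTHTENTICATION"] = True  # typo from the thread
    return {
        "sso_endpoint": proxy_authenticated_user("/sso/", meta),
        "other_path": proxy_authenticated_user("/", meta),
        "header_mismatch": proxy_authenticated_user("/sso/", meta, wrong_header),
        "misspelled_setting": proxy_authenticated_user("/sso/", meta, misspelled),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:20} -> {user}")
```
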

Hi @xiez

I followed your steps on 6.3.12 pro.

  • I can not login anymore via PROXY, even on the web interface
  • The home page screen has lost a lot of CSS resources

Roles and affiliation mapping could be set from specific attributes passed by the proxy. We could do the mapping as for Shibboleth (department, role)

Hi @xiez, is there a way to debug proxy authentication on seafile ?
HTTP headers are sent by the Nginx proxy to the Apache vhost on top of seafile, but I can’t figure out if the auth user headers are sent to seafile by the Apache ProxyPass directive.


Hi, with your help, I mapped to the appropriate HTTP_HEADER sent by LLNG.

I still cannot log in on clients: the popup window is filled by the seahub interface after login; it does not switch to the main client interface

I wonder how to map user values to HTTP Headers as it can be done with Shibboleth SSO.


Can we leave the debugging of the problem to 7.0 version? At this version, the corresponding code is merged.

Sure, Daniel. Thank you. Regards