LDAP Broken under Seafile 8.0.1 Server

I just tried upgrading to 8.0.1 server from 7.1.5 as per the instructions (installing libmysqlclient-dev, future, mysqlclient etc. in advance) - this is on Ubuntu 18.04.

After installation, none of the accounts which authenticate against LDAP would log in (either through the web interface or desktop client) - however, local seafile accounts would authenticate fine.

There was no clue in the log files what was failing.

Reverting to 7.1.5, and the LDAP accounts all work fine (i.e. not an obvious problem with the LDAP server).

Is this a known issue for 8.0.1?

Matthew

I would like to add myself to this error. Can you please tell us whats wrong. Error is still in version 8.0.2. The Users are still in the ccnet usermgr database. But are not shown in the ldap imported tab on the web-interface.
I can’t find any errors in any seafile log.

We can’t reproduce the problem in version 8.0.2 yet. Can anyone confirm this problem on 8.0.2 too?

I don’t know about Matthew but my problem was with the custom build from Arch AUR. This will be fixed with 8.0.2-2. Thanks Daniel.

Hi,

I have the same issue after migrating from 7.1.5 to 8.0.3 - I am not able to login and the error message in the UI is Incorrect email or password.
There is no error in any of the logs.

The moment I switch back to 7.1.5 everything works as expected.

I am using community edition.

Hello,

Same issue on ARM with a really old install on ARM (build https://github.com/haiwen/seafile-rpi/releases/download/v8.0.3/seafile-server-8.0.3-buster-armv7.tar.gz)

Maybe a specific issue to ARM ?

Tried to launch seafile with this enviroment variable to debug SEAFILE_DEBUG=all but it looks like that change nothing about log level. Someone know how to enable full debug ?

I was able to migrate with LDAP to version 8 from version 6 on x86-64.

Hi,

I forgot to mention that my issue is happening on a Raspberry pi, so yes, maybe this is specific to ARM…

@daniel.pan, I would like to offer more information, is there anything I can do? BTW, thanks for a great product, I am using Seafile for years now, without any major issues.

I can’t help much. The Raspberry pi version is maintained by the community. We don’t build it ourselves.

@daniel.pan how can I enable full debug mode in ccnet ?

ccnet-server is removed in 8.0. Function is moved to seaf-server component.

Maybe a flag --enable-ldap is missing when compiling the seaf-server component for ARM.

Hello,

Really strange, as I see it’s enabled here: seafile-rpi/build3.sh at master · haiwen/seafile-rpi · GitHub but I don’t know if it on the true component.

I’ve tried the version 8.0.5 and it still not work.

@daniel.pan the seaf-server and seafile-server is it the same thing ?

@jobenvil Is it you the maintainer of the arm package ? Have you any idea about this issue ?

@Josue I don’t know why it doesn’t work. I expected that this flag would do the trick. Since I don’t use Ldap, is difficult for me to analyse at my end. Do you get any error, or just doesn’t work?

Hello,

I didn’t see any errors. Maybe if I find an option to make seafile server more verbose I could bring more information but I didn’t found any option which work.

I use this for the yunohost package. Maybe if you want you can test it by this way.

@nicu is using the rpi version as well, maybe he has a hint regarding showed error. Maybe both together could check what’s going on.

@nicu could you please check the new release v8.0.5 and give some feedback. It was compiled with the flag --enable-ldap

Hi,

No luck for me either, the behavior and error are the same with version 8.0.5.

I wonder if this has something to do with the fact that ccnet component has been removed starting with version 8.x.

Could be that something has not been migrated properly in the database? E.g., I see that my LDAP user exists in the table ccnet_db.LDAPUsers but it does not exist in ccnet_db.EmailUser.
So it seems at login time, only table EmailUser is being checked. Or maybe this is the normal behavior when LDAP is activated…?

Anyway, later today or tomorrow I will try to install the AMD64 version on my laptop, with the same configuration and database as the ARM version, and see if the problem persists. At least we will know if it is an architecture specific issue or not.

Ah, one more thing, maybe this will also help identifying the problem: I am using SSO functionality which also doesn’t work in 8.x version but it works in 7.x version.

My configuration in seahub_settings.py is

ENABLE_REMOTE_USER_AUTHENTICATION = True

# Optional, HTTP header, which is configured in your web server conf file,
# used for Seafile to get user's unique id, default value is 'HTTP_REMOTE_USER'.
REMOTE_USER_HEADER = 'HTTP_REMOTE_USER'

# Optional, whether to create new user in Seafile system, default value is True.
# If this setting is disabled, users doesn't preexist in the Seafile DB cannot login.
# The admin has to first import the users from external systems like LDAP.
REMOTE_USER_CREATE_UNKNOWN_USER = False

# Optional, whether to activate new user in Seafile system, default value is True.
# If this setting is disabled, user will be unable to login by default.
# the administrator needs to manually activate this user.
REMOTE_USER_ACTIVATE_USER_AFTER_CREATION = True

As per my understanding, when SSO is used, the password is not validated, which would mean the LDAP system is not invoked. But instead, the Seafile application would check the user from HTTP header HTTP_REMOTE_USER against its own database.

When trying to login with SSO, in version 8.0.x, I get the error
Error, new user registration is not allowed, please contact administrator.
Which makes sense, considering that REMOTE_USER_CREATE_UNKNOWN_USER is set to False.
But that also shows that user existence is not checked against table ccnet_db.LDAPUsers.

@daniel.pan, what do you think? Please also check my previous message, as they are related.

That will be perfect!