LDAP Group sync: can seafile deal with posixGroups

Hi there,

I am using seafile pro 6.0.4 and we have LDAP sync set up for users and groups. It works well with users, but not for groups. I see no groups imported from LDAP.

In our LDAP directory, we use posixGroups, such as:

cn=technogrp,ou=System,ou=Groups,dc=ifi,dc=uzh,dc=ch
gidNumber: 10002
cn: technogrp
objectClass: posixGroup
objectClass: top
memberUid: user1
memberUid: user2
memberUid: user3

My relevant settings in ccnet.conf are:

[LDAP]
BASE = ou=People,dc=ifi,dc=uzh,dc=ch;ou=Groups,dc=ifi,dc=uzh,dc=ch
[…]

[LDAP_SYNC]
ENABLE_GROUP_SYNC = true
GROUP_OBJECT_CLASS = posixGroup
GROUP_MEMBER_ATTR = memberUid
[…]

When I do

pro.py ldapsync --test

I see a list of users and groups, which means that the parameters are set up correctly and the groups themselves are found.

However, when I try to perform the actual sync with

pro.py ldapsync

I get

[WARNING] Search failed for base dn(user1), filter((|(objectClass=posixGroup)(objectClass=inetOrgPerson))) on server ldaps://ldap.ifi.uzh.ch/ error: {'info': 'invalid DN', 'desc': 'Invalid DN syntax'}

I think the seafile ldapsync interprets the value of the memberUid field of the groups as a DN (which would explain the warning message above). However, when using posixGroups, the value of a memberUid is a uid. Is there a way to configure this?

Best regards,
Hp

Hi,

Currently there is no simple way to use posixGroup + memberUid attribute without changing the code. Can you use groupOfNames instead?

Hi Jonathan,

Yes, that's what I suspected. No, we cannot really change all our groups. First, we have a lot of them, and second, they are used all over the place in many other systems (trac, gitlab, etc.), which would mean a lot of work and changes all over our infrastructure.

I believe the changes in the code necessary for this would be minimal. If you could point out to me at which place the code would have to be adjusted, I can try to do that and send you a patch.

Best,
Hp

You can have a look at seafile-pro-server-6.0.4/pro/python/seafevents/ldap_syncer/ldap_group_sync.py. Specifically you have to modify the 'get_group_member_from_ldap()' function to make it correctly find the group members with uid.
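The change this thread describes, as an added illustration that is neither Seafile's code nor the patch Hp sent: a member lookup that treats memberUid values as uids to be searched under BASE, while groupOfNames member values are still read as DNs. USER_CLASS, LOGIN_ATTR, the in-memory DIRECTORY and fake_search are constructed stand-ins for Seafile's settings and python-ldap's search_s, so the block runs offline.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]           # (dn, attributes)
Search = Callable[[str, str, str], List[Entry]]    # (base, scope, filter) -> entries
USER_CLASS, LOGIN_ATTR = "inetOrgPerson", "mail"   # assumed stand-ins for Seafile's user class / login attr


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a memberUid such as 'x*)(uid=*' must not be able to rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def lookup_member(search: Search, base_dn: str, value: str, member_attr: str) -> Optional[Entry]:
    if member_attr.lower() == "memberuid":
        # posixGroup: the value is a uid, so search for it under BASE instead of using it as a DN
        flt = "(&(objectClass=%s)(uid=%s))" % (USER_CLASS, escape_filter_value(value))
        hits = search(base_dn, "subtree", flt)
    else:
        # groupOfNames: the value is already the member's DN, read that entry directly
        hits = search(value, "base", "(objectClass=%s)" % USER_CLASS)
    return hits[0] if len(hits) == 1 else None   # unknown or ambiguous uid: skip it, never guess


def get_group_members(search: Search, base_dn: str, group: Entry, member_attr: str) -> List[str]:
    logins = []
    for value in group[1].get(member_attr, []):
        entry = lookup_member(search, base_dn, value, member_attr)
        if entry is not None:
            logins.append(entry[1][LOGIN_ATTR][0])
    return logins


# Constructed in-memory directory standing in for a real LDAP server.
BASE = "dc=example,dc=org"
DIRECTORY: List[Entry] = [
    ("uid=user1,ou=People," + BASE, {"objectClass": ["inetOrgPerson"], "uid": ["user1"], "mail": ["user1@example.org"]}),
    ("uid=user2,ou=People," + BASE, {"objectClass": ["inetOrgPerson"], "uid": ["user2"], "mail": ["user2@example.org"]}),
    ("cn=technogrp,ou=Groups," + BASE, {"objectClass": ["posixGroup"], "memberUid": ["user1", "user2", "nobody"]}),
    ("cn=staff,ou=Groups," + BASE, {"objectClass": ["groupOfNames"], "member": ["uid=user2,ou=People," + BASE]}),
]


def fake_search(base: str, scope: str, flt: str) -> List[Entry]:
    """Stand-in for ldap.search_s; matches only the equality filters built above."""
    wanted = re.findall(r"\((\w+)=([^()]*)\)", flt)
    in_scope = lambda dn: dn == base if scope == "base" else dn.endswith(base)
    return [e for e in DIRECTORY if in_scope(e[0])
            and all(v in e[1].get(a, []) for a, v in wanted)]
```

Treating a memberUid as a DN, as in the warning above, finds nothing here rather than raising "Invalid DN syntax" as a real server does; the uid path resolves the same entry by a subtree search instead.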

Dear Jonathan,

Thanks for the pointer; this confirmed my theory. Great that there is only a single place where changes are needed.
I just got some time to look at this and bingo, it works. It needs only minimal changes to the code; it took me 30 mins.
I am happy to send you the diff, and it would be great if you could incorporate this into the official pro version.

However, you should test whether it still works with groupOfNames (we do not have such groups), although I was careful to avoid any functional changes for this case (but you probably know how this is).

Please let me know where I can send the diff.

Best,
Hp

Hi Hanspeter,

Great that it solves your problem. Please send the patch to my email account: jonathan.xu AT seafile.com.

Thanks!