Ldapsync Seafile Pro 11 not working

After upgrading to Seafile Pro 11, I have done many tests to understand what I might have done wrong, but nothing works; the sync of groups and users is not functioning.

./pro/pro.py ldapsync -t # this seems to work, but not
./pro/pro.py ldapsync

Exception in thread Thread-1243:
Traceback (most recent call last):
  File "/usr/lib64/python3.9/threading.py", line 980, in _bootstrap_inner
    self.run()
  File "/opt/seafile/seafile-pro-server-11.0.7/pro/python/seafevents/ldap_syncer/ldap_sync.py", line 165, in run
    self.start_sync()
  File "/opt/seafile/seafile-pro-server-11.0.7/pro/python/seafevents/ldap_syncer/ldap_sync.py", line 172, in start_sync
    data_ldap = self.get_data_from_ldap()
  File "/opt/seafile/seafile-pro-server-11.0.7/pro/python/seafevents/ldap_syncer/ldap_sync.py", line 189, in get_data_from_ldap
    cur_ret = self.get_data_from_ldap_by_server(config)
  File "/opt/seafile/seafile-pro-server-11.0.7/pro/python/seafevents/ldap_syncer/ldap_group_sync.py", line 110, in get_data_from_ldap_by_server
    department_data_ldap = self.get_ou_data(ldap_conn, config)
  File "/opt/seafile/seafile-pro-server-11.0.7/pro/python/seafevents/ldap_syncer/ldap_group_sync.py", line 361, in get_ou_data
    dn, attrs = result[0]
IndexError: list index out of range

Moreover, I can’t find the configuration for the automatic creation and population of groups. Am I making a mistake somewhere? I don’t understand why it is not working.

Too many problems; I’m rolling back to version 10. :sob:

The LDAP configurations of version 10.0 and version 11.0 are different.
Please refer to the manual to modify the configurations: Upgrade notes for 11.0

Hi,

I have read through the documentation and understood the changes. I have successfully updated the configuration from ccnet to seahub_settings.py. The command /pro/pro.py ldapsync -t works perfectly and displays the modifications I make in the seahub_settings.py file.

However, when I remove the test option -t from the command, errors occur.

I have performed several tests, as I misunderstood some creation options initially, for example the option LDAP_SYNC_GROUP_AS_DEPARTMENT.

I eventually figured out why it was crashing (see the error in the first post):

Previously, I did not use departments. To maintain the same behavior in this new version 11, I left the option LDAP_SYNC_DEPARTMENT_FROM_OU set to True, which causes the LDAP synchronization to crash. By setting this option to False, it works again.

However, I still have an issue with populating the groups. The option LDAP_GROUP_MEMBER_ATTR = 'member' works well with -t but does not seem to work without the -t option.
I am uncertain about the option LDAP_USER_ATTR_IN_MEMBERUID = 'cn'. I have tried ‘uid’ and ‘memberOf’, but my groups remain desperately empty.

Best regards,

The key configurations when synchronizing the group are as follows:

LDAP_BASE_DN
LDAP_GROUP_OBJECT_CLASS
LDAP_GROUP_FILTER
LDAP_GROUP_MEMBER_ATTR

Can you provide non-private configurations to troubleshoot the problem?

hi,

Yes, no problem. Here is part of my configuration.

LDAP_BASE_DN = 'cn=accounts,dc=XXXXX,dc=XX'  # The users and groups are in the subordinate OUs of the LDAP hierarchy
LDAP_GROUP_OBJECT_CLASS = 'posixgroup'
LDAP_GROUP_FILTER = 'description=*seafile*'
LDAP_GROUP_MEMBER_ATTR = 'member'

./pro/pro.py ldapsync -t seems to work fine, I find all my groups and all the users that constitute them. However, if I remove -t, I get an empty result.

[06/27/2024 18:09:42] [INFO] LDAP user sync result: add [0]user, update [0]user, deactive [0]user, add [0]role, update [0]role
[06/27/2024 18:09:42] [INFO] LDAP profile sync result: add [0]profile, update [0]profile, delete [0]profile
[06/27/2024 18:09:42] [INFO] LDAP dept sync result: add [0]dept, update [0]dept, delete [0]dept
[06/27/2024 18:09:42] [INFO] LDAP group sync result: add [0]group, update [0]group, delete [0]group

Please check whether the groups have been synchronized in the Seafile admin page. If the groups already exist, the [0] in the log is normal because the groups have not changed.

Hi, yes the groups exist but they are empty.

Because you use posixgroup, these configurations also need to be provided:

LDAP_GROUP_UUID_ATTR
LDAP_USER_OBJECT_CLASS
LDAP_USER_ATTR_IN_MEMBERUID

Are all these configurations changed compared to 10.0?

My old configuration in ccnet.conf:

[LDAP_SYNC]
ENABLE_USER_SYNC = true
DEACTIVE_USER_IF_NOTFOUND = true
AUTO_REACTIVATE_USERS = True
SYNC_INTERVAL = 720
USER_OBJECT_CLASS = person
ACTIVATE_USER_WHEN_IMPORT = false
ACTIVATE_AFTER_FIRST_LOGIN = True
ENABLE_EXTRA_USER_INFO_SYNC = true
FIRST_NAME_ATTR = givenName
LAST_NAME_ATTR = sn
UID_ATTR = uid
FOLLOW_REFERRALS = true
USE_PAGED_RESULT = true
FILTER = memberOf=cn=grp-p-test,cn=groups,cn=accounts,dc=XXXX,dc=XX
#
ENABLE_GROUP_SYNC = true
GROUP_OBJECT_CLASS = groupofnames
#GROUP_OBJECT_CLASS = organizationalUnit
GROUP_MEMBER_ATTR = member
IMPORT_GROUP_STRUCTURE = true
DEL_GROUP_IF_NOT_FOUND = true
CREATE_GROUP_REPO = true
GROUP_FILTER =  description=*seafile*

Other options in seahub_settings:

LDAP_GROUP_UUID_ATTR = 'ipaUniqueID' 
LDAP_USER_OBJECT_CLASS = 'person'
LDAP_USER_ATTR_IN_MEMBERUID = 'cn'  

I am currently performing my tests on a test Seafile Pro server (3 users). I had to roll back on my production Seafile server.

LDAP_GROUP_MEMBER_ATTR. For “posixGroup”, it should be set to “memberUid” in 11.0.
Please refer to this manual: LDAP in version 11.0 (Pro) - Seafile Admin Manual
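
The two membership layouts discussed in this thread (DN-valued member versus posixGroup memberUid), modelled as an added example that is not Seafile's code and not from any poster: it checks directory entries against a chosen LDAP_GROUP_MEMBER_ATTR / LDAP_USER_ATTR_IN_MEMBERUID pair and reports why a group would resolve to no members. The entries, DNs and function names are constructed assumptions.

```python
# Constructed sample entries (not from the thread): one group stored each way.
USERS = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=org": {"uid": ["alice"], "cn": ["Alice Martin"]},
    "uid=bob,cn=users,cn=accounts,dc=example,dc=org": {"uid": ["bob"], "cn": ["Bob Durand"]},
}
GROUPS = {
    "cn=seafile-dn,cn=groups,cn=accounts,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": list(USERS),            # full user DNs
    },
    "cn=seafile-posix,cn=groups,cn=accounts,dc=example,dc=org": {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice", "bob"],    # bare login names
    },
}


def resolve_members(group, member_attr, user_attr_in_memberuid):
    """Return (sorted user DNs, list of problems) for one group entry."""
    values = group.get(member_attr)
    if not values:
        present = [a for a in ("member", "memberUid", "uniqueMember") if a in group]
        return [], [f"group has no '{member_attr}' values (entry carries: {present})"]
    by_dn = {dn.lower(): dn for dn in USERS}
    by_attr = {v.lower(): dn for dn, attrs in USERS.items()
               for v in attrs.get(user_attr_in_memberuid, [])}
    found, problems = [], []
    for value in values:
        # DN-valued attributes (member) match on the user DN; bare values
        # (memberUid) match on the configured user attribute.
        table = by_dn if "=" in value and "," in value else by_attr
        dn = table.get(value.lower())
        if dn:
            found.append(dn)
        else:
            how = "DN" if table is by_dn else user_attr_in_memberuid
            problems.append(f"'{value}' matches no user via {how}")
    return sorted(found), problems


def audit(member_attr, user_attr_in_memberuid):
    """Map each group DN to (resolved member DNs, problems) for one setting pair."""
    return {dn: resolve_members(g, member_attr, user_attr_in_memberuid)
            for dn, g in GROUPS.items()}
```

Running `audit("memberUid", "cn")` against these entries leaves the posixGroup empty because its values are login names, while `audit("memberUid", "uid")` fills it; the groupOfNames entry only resolves with `member`.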

Well, I took another look at migrating to Seafile 11 Pro.

After dealing with the bug related to the LDAP_SYNC_GROUP_AS_DEPARTMENT option, I finally figured out why my LDAP groups were staying desperately empty, and it was just by pure chance.

It turns out the issue was with the LDAP_USE_GROUP_MEMBER_RANGE_QUERY option for group syncing.
Once I set it to false, the groups populated normally. It took some time to figure it out. Lucky