New Server - LDAP - Can't contact LDAP server/Resource temporarily unavailable

Hi, it’s me again with a new problem.

We are trying to set up a new Seafile server (pro)(11.0.16) that performs user authentication with LDAP. I seem to be missing something here, because I can’t get it to run. Funny thing is, I had it running before I came across the S3 bug (thanks for the fix). But I had discarded the config because I thought “I can quickly set it up again when the S3 bug is fixed” and discarded the vServer. At least that’s what I thought.

My seahub_settings.py:

ENABLE_LDAP = True
LDAP_SERVER_URL = 'ldap://192.168.103.55'
LDAP_BASE_DN = 'dc=ad,dc=domain,dc=de'
LDAP_ADMIN_DN = 'seafileserver@ad.domain.de'
LDAP_ADMIN_PASSWORD = 'password'
LDAP_PROVIDER = 'ldap'
LOGIN_ATTR = 'userPrincipalName'
LDAP_CONTACT_EMAIL_ATTR = 'mail'
LDAP_USER_ROLE_ATTR = ''
LDAP_USER_FIRST_NAME_ATTR = 'givenName'
LDAP_USER_LAST_NAME_ATTR = 'sn'
LDAP_USER_NAME_REVERSE = False
LDAP_FILTER = 'memberOf=CN=SeafileWeb,OU=01-Rechte,OU=domain.de,DC=ad,DC=domain,DC=de'

The error in the seahub.log when I open the LDAP user administration or try to log in:

2024-11-15 11:10:22,521 [ERROR] seahub.api2.endpoints.admin.users:950 get Failed to bind ldap server: {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 11, 'ctrls': [], 'info': 'Resource temporarily unavailable'}
2024-11-15 11:10:22,522 [ERROR] django.request:241 log_response Internal Server Error: /api/v2.1/admin/ldap-users/


What I tried so far:

  • I have replaced the LDAP_SERVER_URL with the FQDN
  • I have added a slash after the IP/URL. As it was in the old config.
  • I have tested another LDAP server (we have 3)
  • I have tested LDAPS and also specified the port after the IP/FQDN :389/:636
  • Replaced the ADMIN_DN with the distinguishedName instead of the UPN
  • Downgraded the Docker container to version 11.0.7
  • Replaced the entire server (the first was hosted with OpenVPN at Hetzner, the second is here in the house in the same network as one of the domain controllers)
  • I used ldapsearch in the Seafile Docker container to test whether the connection could be established at all. The answer is yes, it works perfectly fine with the values from the configuration.
  • If I run a manual sync (./pro/pro.py ldapsync) it works. So the basic configuration seems to be ok.

I also used Wireshark to check the incoming packets on one of the domain controllers. Seafile does not even try to resolve a name when I specify an FQDN, let alone try to establish a connection with Kerberos.

I suspect that something is wrong with my configuration, but it is copied 1:1 from the manual.

All other settings are stock as they are created when the Docker container is first created (I also tested Datamate’s image, no luck).

I would appreciate it if someone could help me find out exactly what the problem is.

Have a nice weekend
Andre

Thanks for your feedback. I checked the seahub source code and found that it might be related to follow_referrals.

You can try to manually modify the seahub code in the Docker container, changing 0 to 1:

1. /opt/seafile/seafile-server-latest/seahub/seahub/api2/endpoints/admin/users.py, line 142.
2. /opt/seafile/seafile-server-latest/seahub/seahub/base/accounts.py, line 900.

e.g.:
bind_conn.set_option(ldap.OPT_REFERRALS, 1)

Then restart Seafile and try again.

Source code: seahub/seahub/base/accounts.py at 11.0 · haiwen/seahub · GitHub
seahub/seahub/api2/endpoints/admin/users.py at master · haiwen/seahub · GitHub

Thank you for your answer. I have tried it, unfortunately this does not change anything.

We use a Windows Server 2019 as LDAP server, according to python-ldap.org it must be set to 0, as Seafile does correctly, so that it works with an MS AD.

I have also looked with Wireshark and Seafile or Seahub does not even try to connect. Since I already had it running, it must be something super stupid I’m overlooking on my end.

Is there any way to run Seahub in a debug mode? The old method with start-fastcgi doesn’t work anymore.

Log after changing follow_referrals to 1:

2024-11-18 07:46:33,827 [ERROR] seahub.api2.endpoints.admin.users:962 get Failed to bind ldap server: {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 115, 'ctrls': [], 'info': 'Operation now in progress'}
2024-11-18 07:46:33,828 [ERROR] django.request:241 log_response Internal Server Error: /api/v2.1/admin/ldap-users/
2024-11-18 07:46:45,902 [INFO] xmlschema:1274 include_schema Include schema from 'file:///usr/local/lib/python3.10/dist-packages/xmlschema/schemas/XSD_1.1/xsd11-extra.xsd'
2024-11-18 07:46:46,823 [ERROR] seahub.api2.endpoints.admin.users:962 get Failed to bind ldap server: {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 11, 'ctrls': [], 'info': 'Resource temporarily unavailable'}
2024-11-18 07:46:46,824 [ERROR] django.request:241 log_response Internal Server Error: /api/v2.1/admin/ldap-users/
2024-11-18 07:47:00,825 [INFO] seafes:178 load_seafevents_conf [seafes] use highlighter fvh
2024-11-18 07:47:00,993 [ERROR] seahub.api2.endpoints.admin.users:962 get Failed to bind ldap server: {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 11, 'ctrls': [], 'info': 'Resource temporarily unavailable'}
2024-11-18 07:47:00,994 [ERROR] django.request:241 log_response Internal Server Error: /api/v2.1/admin/ldap-users/
2024-11-18 07:47:03,155 [ERROR] seahub.api2.endpoints.admin.users:962 get Failed to bind ldap server: {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 11, 'ctrls': [], 'info': 'Resource temporarily unavailable'}
2024-11-18 07:47:03,156 [ERROR] django.request:241 log_response Internal Server Error: /api/v2.1/admin/ldap-users/

I wrote a simple test_ldap_bind.py script to test python ldap bind. You can put this script in the seafile docker container, modify the parameters and execute python3 test_ldap_bind.py:

import ldap


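def ldap_bind(server_url, dn, password):
    # Create the connection object for the given LDAP URL
    bind_conn = ldap.initialize(server_url)
    # Do not follow referrals (the same setting seahub uses)
    bind_conn.set_option(ldap.OPT_REFERRALS, 0)
    bind_conn.protocol_version = ldap.VERSION3
    # Synchronous simple bind; raises ldap.LDAPError on failure
    bind_conn.simple_bind_s(dn, password)
    return bind_conn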


server_url = 'SERVER_URL'
dn = 'ADMIN_DN'
password = 'ADMIN_PASSWORD'

bind_conn = ldap_bind(server_url, dn, password)

This script refers to the code here: seahub/seahub/api2/endpoints/admin/users.py at master · haiwen/seahub · GitHub

The script runs smoothly. No feedback. I see a successful login in Wireshark and on the domain controller.


The thing is, a manual sync works. That’s why I don’t understand the whole thing.

I found the key point, the parameter LDAP_LOGIN_ATTR was wrongly configured as LOGIN_ATTR.

seafevents and seahub have different logics for reading parameters, so they behave differently. We will fix it in version 12.0.

It works. Many thanks for your help! That drove me bonkers!
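
The root cause in this thread was a settings key missing its `LDAP_` prefix (`LOGIN_ATTR` instead of `LDAP_LOGIN_ATTR`). The following is an added example, not part of the thread and not Seafile code: a check that parses a settings file without executing it and flags keys that look like misnamed LDAP options. The function names are hypothetical, the sample file is constructed, and the list of expected keys is limited to those shown on this page.

```python
import ast
import difflib

# Key names from the configuration posted in this thread, with the corrected
# LDAP_LOGIN_ATTR. Assumption: this is not Seafile's complete option list.
EXPECTED_KEYS = {
    "ENABLE_LDAP", "LDAP_SERVER_URL", "LDAP_BASE_DN", "LDAP_ADMIN_DN",
    "LDAP_ADMIN_PASSWORD", "LDAP_PROVIDER", "LDAP_LOGIN_ATTR",
    "LDAP_CONTACT_EMAIL_ATTR", "LDAP_USER_ROLE_ATTR",
    "LDAP_USER_FIRST_NAME_ATTR", "LDAP_USER_LAST_NAME_ATTR",
    "LDAP_USER_NAME_REVERSE", "LDAP_FILTER",
}

# Constructed sample settings file (placeholder values, not from a real server).
SAMPLE = """\
TIME_ZONE = 'Europe/Berlin'
ENABLE_LDAP = True
LDAP_SERVER_URL = 'ldap://ldap.example.test'
LDAP_BASE_DN = 'dc=example,dc=test'
LOGIN_ATTR = 'userPrincipalName'
LDAP_FILTER = 'memberOf=CN=Example,DC=example,DC=test'
"""

def assigned_names(source):
    """Map each top-level assigned name to its line, without executing the file."""
    names = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    names[target.id] = node.lineno
    return names

def find_misnamed_keys(source, expected=EXPECTED_KEYS):
    """Return [(line, found_name, suggested_name)] for likely misnamed keys."""
    names = assigned_names(source)
    absent = [k for k in sorted(expected) if k not in names]
    findings = []
    for name, line in sorted(names.items(), key=lambda item: item[1]):
        if name in expected:
            continue
        # Dropped prefix (the case in this thread) first, then near-miss typos.
        guess = ["LDAP_" + name] if "LDAP_" + name in absent else \
            difflib.get_close_matches(name, absent, n=1, cutoff=0.85)
        if guess:
            findings.append((line, name, guess[0]))
    return findings

if __name__ == "__main__":
    print(find_misnamed_keys(SAMPLE))
```

Unrelated settings such as `TIME_ZONE` are ignored because they neither gain a known name when prefixed with `LDAP_` nor closely resemble an unset expected key.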