Seahub with Shibboleth: "Hook" or "Plugin" infrastructure for customizing attribute handling

Hi,

at our site, we use Shibboleth authentication quite extensively and now we also want to have a mapping of custom Shibboleth attributes to roles and groups. Our requirements therefore are quite specific, which makes us reluctant to ask for them to be implemented just for our installation.

Now we had an idea to achieve what we need and to simplify the development effort of the developers:

We’d like to have support for having a “hook” of custom Python code that gets included and executed in seahub/thirdpart/shibboleth/middleware.py alongside make_profile in addition to the regular stuff with the SHIB_ATTRIBUTE_MAP.
This “plugin” would enable us to provide our customized solution for deciding how to transform the affiliation attribute to a role and whether to create or join groups etc. while not requiring the Seafile developers to add code that’s mostly specific to our site requirements.

If our idea is not easily understandable, I can try to write up some code that shows what and how we would like to have it.
If anyone has better ideas or remarks, please add them. :wink:

Now have a nice weekend, everyone,
Moritz

This will help a lot.

Actually, while writing this up, I discovered that it wouldn't even be necessary for you to implement a hook infrastructure - I could just customize the Shibboleth middleware and use it in seahub_settings.py, couldn't I?

Here is a (not tested) gist of what we would want to achieve:


Basically, we want/need to have the flexibility to define arbitrary hierarchical mappings from the affiliations attribute to Seafile roles and we want to be able to add users to groups (but again, not all users to all groups, just specific ones, which is still t.b.d.).

Or do you think that’s a bad idea and should be solved otherwise?

Best wishes,
Moritz

This is a good idea to solve the problem.

It is not so specific. We are also interested in this feature, because we plan to use Seafile in a multi-organization context, with groups defined by Shibboleth attributes.

Regards

Gautier

Hi everyone,

while trying to implement that, I stumbled upon a problem:

In the call to ccnet_api.group_add_member, I need to supply a user which is a staff member of the group to which I want to add.
Now that is a problem because there is no such user.

Does anyone have an idea for solving this problem?

Regards,
Moritz

Hi Moritz,

Why do you need to call ccnet_api.group_add_member? The role feature is not related to the group feature.

Hi Daniel,

yes, but we want to be able to “import” group information from Shibboleth, too, kind of similar to LDAP group sync. :wink:

Best wishes,
Moritz

The correct way is to check whether the user is already in ccnet_db using ccnet_api, if not, you add the user to ccnet first (only the email field is needed, the password should be set to '!', which means the password should be checked at the IdP). You can check the code in creating a user in Shibboleth login.
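The following is an added example, not code from this thread or from Seafile itself. It puts together the two pieces discussed above: Moritz's hierarchical mapping from the (multi-valued, ';'-joined) affiliation attribute to a Seafile role and to group memberships, and Daniel's advice to look the user up in ccnet first and create the account with password '!' when it is missing. Everything Seafile-specific is reduced to the ccnet_api calls named in the thread (get_emailuser, add_emailuser, create_group, group_add_member, plus get_all_groups and is_group_user) behind a small FakeCcnet stand-in, so the module runs offline. Assumptions not taken from the thread: the role names other than Seahub's 'default' and 'guest', the affiliation-to-group table, and the use of a dedicated service account as owner of every Shibboleth-managed group, which is one way around the "no staff member exists" problem because the group's creator is staff of it. Applying the returned role is left to the caller, since Seahub's role API differs between versions.

```python
# Added example (not Seafile's code): affiliation -> role/group mapping plus
# idempotent ccnet provisioning. Names marked "assumed" are not from the thread.
from types import SimpleNamespace

SHIB_PASSWORD = "!"  # per the thread: '!' means the IdP checks the password

# Ordered rules: the first affiliation present wins, so the most privileged
# come first. 'employee' is an assumed site-defined role.
AFFILIATION_ROLE_RULES = [
    ("faculty", "employee"),
    ("staff", "employee"),
    ("student", "default"),
    ("affiliate", "guest"),
]
DEFAULT_ROLE = "guest"

# Constructed mapping: affiliation -> Seafile group names (assumed).
AFFILIATION_GROUPS = {
    "faculty": ["Faculty", "Employees"],
    "staff": ["Employees"],
    "student": ["Students"],
}


def parse_affiliations(raw):
    """Normalize a multi-valued attribute as the Shibboleth SP delivers it:
    values joined by ';', optionally scoped ('staff@example.org'). Returns the
    lower-cased, unscoped, deduplicated set; blanks are ignored."""
    values = set()
    for part in (raw or "").split(";"):
        part = part.strip().lower()
        if part:
            values.add(part.split("@", 1)[0])
    return values


def role_for(affiliations):
    """Hierarchical mapping: first rule whose affiliation is present wins."""
    for affiliation, role in AFFILIATION_ROLE_RULES:
        if affiliation in affiliations:
            return role
    return DEFAULT_ROLE


def groups_for(affiliations):
    """Groups the user should belong to, in table order, without duplicates."""
    names = []
    for affiliation, group_names in AFFILIATION_GROUPS.items():
        if affiliation in affiliations:
            names.extend(n for n in group_names if n not in names)
    return names


class FakeCcnet:
    """Offline stand-in for seaserv.ccnet_api, modelling only the calls used
    here, including group_add_member's rule that user_name must be group
    staff (the problem raised in the thread)."""

    def __init__(self):
        self.users, self.groups, self._next_id = {}, {}, 1

    def get_emailuser(self, email):
        return self.users.get(email)

    def add_emailuser(self, email, passwd, is_staff, is_active):
        self.users[email] = SimpleNamespace(
            email=email, password=passwd, is_staff=is_staff, is_active=is_active)
        return 0

    def get_all_groups(self, start, limit):
        return list(self.groups.values())

    def create_group(self, group_name, user_name, gtype=None):
        gid, self._next_id = self._next_id, self._next_id + 1
        # the creator owns the group and is therefore staff of it
        self.groups[gid] = SimpleNamespace(
            id=gid, group_name=group_name, creator_name=user_name,
            members={user_name: True})  # email -> is_staff
        return gid

    def is_group_user(self, group_id, email):
        return 1 if email in self.groups[group_id].members else 0

    def group_add_member(self, group_id, user_name, member_name):
        group = self.groups[group_id]
        if not group.members.get(user_name):
            return -1  # refused: user_name is not staff of this group
        group.members.setdefault(member_name, False)
        return 0


def ensure_user(api, email):
    """Create the ccnet account if missing, as advised in the thread: email
    only, password '!', not staff, active. Returns True if it was created."""
    if api.get_emailuser(email):
        return False
    if api.add_emailuser(email, SHIB_PASSWORD, 0, 1) != 0:
        raise RuntimeError("add_emailuser failed for %s" % email)
    return True


def ensure_group(api, name, owner):
    """Return the id of group `name`, creating it as `owner` if it does not
    exist. Assumption: `owner` is a dedicated service account that owns all
    Shibboleth-managed groups, so it is staff and may add members."""
    for group in api.get_all_groups(-1, -1):
        if group.group_name == name:
            return group.id
    gid = api.create_group(name, owner)
    if gid < 0:
        raise RuntimeError("create_group failed for %s" % name)
    return gid


def sync_user(api, email, affiliation_header, owner):
    """Provision the user and their group memberships; return a report with
    the role for the caller to apply through Seahub's (version-dependent)
    role API. Groups that refused the add (owner not staff) are reported,
    not silently skipped."""
    affiliations = parse_affiliations(affiliation_header)
    report = {"created": ensure_user(api, email),
              "role": role_for(affiliations), "joined": [], "refused": []}
    for name in groups_for(affiliations):
        gid = ensure_group(api, name, owner)
        if api.is_group_user(gid, email):
            continue  # already a member: the sync is idempotent across logins
        bucket = "joined" if api.group_add_member(gid, owner, email) == 0 else "refused"
        report[bucket].append(name)
    return report
```

In a real deployment, sync_user would be called from a subclass of Seahub's Shibboleth middleware (for example from an overridden make_profile) with ccnet_api in place of FakeCcnet and the mapped username as email; the "refused" list is the case to watch, since it means a group with that name already exists but is owned by someone other than the service account.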