Searching in LDAP


#1

Hello!
Please clarify for the Community version:

  1. When I want to share a link or library/folder, I see only users who have already logged in. User search in LDAP is not performed. Is this normal behavior?
  2. When I search for people, their email addresses or userPrincipalName are displayed. Is it possible to infer another attribute? For example commonName or displayName …
Thank you in advance!

P.S. We are planning a transition to the Pro version, but we need to clarify before the transition!


#2

As for 1.)
Seafile CE uses AD/LDAP authentication. This means: A user is created in the internal user database only after the first login. You can only share a library/folder with users that have logged in.
Seafile PE also offers AD/LDAP synchronisation. This means: Users created in the central user directory are synced to the Seafile database in regular intervals. The interval time can be set in ccnet.conf. Once the sync has run, you can share libraries/folders with the user, no matter if the user has already logged in or not.
As for 2.)
I am not entirely sure what you mean. Sorry if I misunderstand.
You can enable cloud mode in seahub_settings.py. Cloud mode disables the auto-complete of names/users when typing a user name in the share dialog. This is independent of the Seafile edition used.


#3

Thank you very much!
On the first question, everything is clear!

But for the second I will explain further:
I mean, when sharing a folder/library with other users, their names are displayed in English, from the userPrincipalName field in the LDAP.
And you need to display in Russian from the field commonName or displayName…
Is it possible to realize this?


#4

Hi ASerg68,

It is possible to do what you want but it is more complicated with community than with seafile pro. Let me explain what happens.

1) Seafile Community + AD/LDAP Authentication

Let's assume you have the following entry in the ccnet.conf:

[LDAP]
HOST = ldap://localhost/
BASE = ...
USER_DN = ....
PASSWORD = ...
LOGIN_ATTR = mail (or something else like "cn")

If a user login is successful for the first time, seafile writes an entry in the table “ccnet-db.LDAPUsers”.

mysql> select * from LDAPUsers;
+----+-------------------------+----------+----------+-----------+-------------+--------------+
| id | email                   | password | is_staff | is_active | extra_attrs | reference_id |
+----+-------------------------+----------+----------+-----------+-------------+--------------+
|  1 | cdb@datamate.org        |          |        1 |         1 | NULL        | NULL         |
...

The login value is written into the database field “email” - no matter if it is really an email or not. So if you change the LOGIN_ATTR to something like the “cn”, then the “cn”-value is written into this LDAPUsers table in the column “email”.
But this is not enough to display the complete Name (commonName or displayName) in the sharing dialog. To achieve that you have two possibilities:

a) Login as admin and change the user settings
This is the obvious solution. Log in as a Seafile admin and change the “display-name” of the user. But I am quite sure this is not what you want…

b) Update the user-information via api or mysql-query
I don’t know how you create the ldap user, but if you have the possibility to execute some custom code after the creation it is possible to set the user information. The logic is:

  • create the user in LDAP
  • use the seafile api to “login the user for the first time” with the user credentials - then the user login info is saved to LDAPUsers.
  • use the api to update the user information or just write the following database entry to seahub-db.profile_profile:
mysql> select * from profile_profile;
+----+-------------------------+------------------------------+-------+-----------+----------+-------------------------+-------------+----------------------+
| id | user                    | nickname                     | intro | lang_code | login_id | contact_email           | institution | list_in_address_book |
+----+-------------------------+------------------------------+-------+-----------+----------+-------------------------+-------------+----------------------+
|  1 | cdb@datamate.org        | Christoph Dyllick-Brenzinger |       | NULL      | cdb      | cdb@ionas.com           | NULL        |                    0 |

With this database entry my nickname “Christoph Dyllick-Brenzinger” is shown in the sharing dialog.

Summary for Seafile community
As you see it is definitely possible but not very comfortable.

2) Seafile Pro and LDAP-Sync

On the contrary with Seafile Pro and the LDAP-Sync function it is very simple. You can define which values are written to the seafile database.

[LDAP]
...like before ...

[LDAP_SYNC]
...
ENABLE_EXTRA_USER_INFO_SYNC = true
FIRST_NAME_ATTR = givenName (or whatever you want)
LAST_NAME_ATTR = sn (or whatever you want)
UID_ATTR = sAMAccountName (or whatever you want)

That is everything that is needed. As soon as the user is synced to seafile the sharing dialog shows the correct name.

Summary for Seafile Pro
As you can see with Seafile Pro it is very easy to display the right name in the sharing dialog. If you have any other questions regarding switching to Seafile PE, let me know. My company datamate offers the full array of support services for Seafile and also seafile Pro licenses.

Best regards
Christoph
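
The database route described in post #4 (give users who already appear in LDAPUsers a nickname in profile_profile), as an added example that is not part of the thread and not Seafile's own code. It assumes in-memory SQLite stand-ins for ccnet-db and seahub-db holding only the columns used, constructed directory entries, and hypothetical helper names (`pick_name`, `sync_nicknames`); with a MySQL driver the placeholder is `%s` rather than `?`.

```python
import sqlite3

# Constructed directory entries; a real run would read them from an LDAP search.
SAMPLE_LDAP_ENTRIES = [
    {"mail": "ivanov@example.com", "displayName": "Иван Иванов", "cn": "ivanov"},
    {"mail": "obrien@example.com", "displayName": "Pat O'Brien", "cn": "obrien"},
    {"mail": "petrov@example.com", "cn": "Пётр Петров"},  # no displayName
    {"mail": "newuser@example.com", "displayName": "Never Logged In"},
]

def pick_name(entry):
    """Prefer displayName, fall back to cn; drop non-printable characters."""
    raw = entry.get("displayName") or entry.get("cn") or ""
    return "".join(ch for ch in raw if ch.isprintable()).strip()

def sync_nicknames(ccnet, seahub, entries, login_attr="mail"):
    """Set profile_profile.nickname for users already present in LDAPUsers."""
    known = {row[0] for row in ccnet.execute("SELECT email FROM LDAPUsers")}
    updated, skipped = [], []
    for entry in entries:
        login, name = entry.get(login_attr), pick_name(entry)
        if login not in known or not name:
            skipped.append(login)  # no first login yet, or nothing to show
            continue
        # Bound parameters: directory values never become part of the SQL text.
        cur = seahub.execute(
            "UPDATE profile_profile SET nickname = ? WHERE user = ?", (name, login))
        if cur.rowcount == 0:  # no profile row yet: create one
            seahub.execute(
                "INSERT INTO profile_profile (user, nickname, intro,"
                " list_in_address_book) VALUES (?, ?, '', 0)", (login, name))
        updated.append(login)
    seahub.commit()
    return updated, skipped

def demo():
    """Build stand-in tables (only the columns used here) and run the sync."""
    ccnet, seahub = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    ccnet.execute("CREATE TABLE LDAPUsers (id INTEGER PRIMARY KEY, email TEXT)")
    seahub.execute("CREATE TABLE profile_profile (id INTEGER PRIMARY KEY, user TEXT,"
                   " nickname TEXT, intro TEXT, list_in_address_book INTEGER)")
    for mail in ("ivanov@example.com", "obrien@example.com", "petrov@example.com"):
        ccnet.execute("INSERT INTO LDAPUsers (email) VALUES (?)", (mail,))
    seahub.execute("INSERT INTO profile_profile (user, nickname, intro,"
                   " list_in_address_book) VALUES ('ivanov@example.com', 'ivanov', '', 0)")
    updated, skipped = sync_nicknames(ccnet, seahub, SAMPLE_LDAP_ENTRIES)
    return updated, skipped, dict(seahub.execute("SELECT user, nickname FROM profile_profile"))

if __name__ == "__main__":
    print(demo())
```

The real profile_profile table may carry constraints that this stand-in does not model, so check the schema of your Seafile version before running such writes against seahub-db.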


#5

Thanks a lot Christoph!
Now everything became clear.
Yes, we are planning to buy the Pro edition, but first we have already deployed the CE and are testing the possibilities on it!

Serg.


#6

Glad the questions could be answered. Please mark as solved.


#7

Hi @rdb,

I thought this option was deprecated. I suppose that it is designed for cloud mode (SAAS). Can it be used also in Multi-Institution Configuration to limit the visibility of emails to the Institution scope?

regards