Shibboleth authentication - Multiple users with id = 0

Hello,

I’ve discovered something that seems to be abnormal with some user ids…

Explanations:
It seems to happen with users who have been authenticated with Shibboleth (and only Shibboleth).
I have LDAP and Shibboleth authentication available at the same time for now, and the LDAP is also included in the Shibboleth authentication system (goal: allow authentication with both for my organisation’s users and Shibboleth for others).
I use the Web API (admin part) to get some information about users, libraries, etc., and I realized that some of my users have the same id… (they have id=0). I think that can cause some problems…
And the first one I discovered: I can’t find these users if I search for them in the search field in the admin panel; I’m redirected to: “Page unavailable”…
[Edit] Another one is that I can’t share a folder or invite the user to a group because I can’t find him with the interface.
If the user logs in with LDAP, he appears in the list “LDAP (imported)”, can be found with the search field, and his id changes to one different from 0. Only one account is used and created (a pretty good thing!).

Questions:

  • Is it related to the Shibboleth attribute map configuration in seahub_settings.py? For now I have only configured the default:

    ```python
    SHIBBOLETH_ATTRIBUTE_MAP = {
        # Change eppn to mail if you use mail attribute for REMOTE_USER
        "mail": (False, "username"),
    }
    ```
  • LDAP and Shibboleth should not / can’t be configured at the same time?
  • Is it safe? Normal? Are there no other complications or bugs that could come from that?

Other information:

  • If I search for a user that doesn’t exist or a user that has never logged in yet (an LDAP user, for example), I get a “Page unavailable” too. It would be better to have an error message like “No user ‘Bob’ was found”, and I think that LDAP users should be found, or have a specific message if they have not logged in yet, no?
  • I use this request from the Web API: https://manual.seafile.com/develop/web_api_v2.1.html#admin-only-get-account
  • System information: Seafile Community 6.0.4, Apache 2.4.12, MySQL 5.7, LDAP & Shibboleth authentication.

Thank you for your help,

It’s a bug that has been fixed in the newest version 6.0.6, you can upgrade your Seafile server and test it again.

We will check why this happened soon.

Ok thank you for your response, I will try to update soon.

It’s probably a little problem in account initialization after a Shibboleth login.

Hi,

Up

I would like to know if you recommend using only one authentication system or if it’s okay to use two at the same time?
Is there a better integration of that kind of thing in Pro Edition?

Another question about authentication: is it possible to authenticate a user regardless of LOGIN_ATTR? I mean to authenticate a user with LDAP login or LDAP mail and match the same account in Seafile?

Thank you

I checked the code: if the user exists in LDAP but has not been imported to the Seafile database yet, the id is 0. This is because the id is the database item id, and there is no database item for this user yet. It is not used anywhere. So you don’t need to worry about multiple users having the same id value 0.

Only users that have been imported to the Seafile database can be used in auto-completion.

A user is imported to the Seafile database upon first login. A user can also be imported using the LDAP sync feature in Seafile Pro edition.

You can use both authentication systems. There will be a small problem: if a user exists both in LDAP and Shibboleth, there will be two entries in Seafile’s internal database (the user will appear both in LDAP (imported) and Database in the admin UI). If you deactivate the user in one entry, the user is still active according to the other entry.

You can use the LDAP sync feature in Seafile Pro to sync users’ login ids to Seafile’s internal database. Then a user can log in via the login id. (Check UID_ATTR in https://manual.seafile.com/deploy_pro/using_ldap_pro.html)
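
The double-entry situation described in the reply above, as an added example (not part of the thread and not Seafile's own code): a check over account records exported by an administrator that flags any address present under more than one source, and separately those deactivated in one entry but still active in another. The field names `email`, `source` and `is_active`, the source labels and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records; field names and source labels are assumptions,
# not values taken from the thread.
SAMPLE_ACCOUNTS = [
    {"email": "alice@example.org", "source": "LDAPImport", "is_active": False},
    {"email": "Alice@Example.org", "source": "DB", "is_active": True},
    {"email": "bob@example.org", "source": "DB", "is_active": True},
    {"email": "carol@example.org", "source": "LDAPImport", "is_active": True},
    {"email": "carol@example.org", "source": "DB", "is_active": True},
    {"email": "dave@example.org", "source": "LDAPImport", "is_active": False},
]


def normalize(email):
    """Compare addresses case-insensitively and ignore stray whitespace
    (a choice made by this audit so near-identical entries are grouped)."""
    return email.strip().lower()


def audit_accounts(accounts):
    """Group records by address and report duplicates across sources.

    Returns (duplicates, still_active):
      duplicates   - addresses with records in more than one source
      still_active - the subset where one record is deactivated while
                     another record for the same address is still active
    """
    by_email = defaultdict(list)
    for rec in accounts:
        by_email[normalize(rec["email"])].append(rec)

    duplicates, still_active = [], []
    for email, recs in sorted(by_email.items()):
        if len({r["source"] for r in recs}) < 2:
            continue  # only one source holds this address
        duplicates.append(email)
        if {bool(r["is_active"]) for r in recs} == {True, False}:
            still_active.append(email)
    return duplicates, still_active


if __name__ == "__main__":
    dups, risky = audit_accounts(SAMPLE_ACCOUNTS)
    print("entries under more than one source:", dups)
    print("deactivated in one entry, active in another:", risky)
```

Any address in the second list needs the remaining active entry deactivated as well before the account can be considered disabled.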

Hello,

Thank you for your response.
I configured attribute mapping for Shibboleth, and I think we are going to use only Shibboleth now.

I can find users already authenticated with Shibboleth with the search field. But there’s no list of these users in the Admin UI, they aren’t in “Users”, and there is nothing like “LDAP imported” for Shibboleth imported users… Is this a planned improvement?

The LDAP feature was improved before Shibboleth. From the experience of implementing LDAP, we found saving users in two separate database tables had a few drawbacks. That is why there is no separate table for Shibboleth users.