YunoHost-Apps / seafile_ynh

Seafile package for YunoHost
https://seafile.com
MIT License

Multiple accounts same username #44

Open Oujiii opened 5 years ago

Oujiii commented 5 years ago

I installed it in my instance on seafile.example.com and when I accessed it directly, it asked for my credentials, so I just input mail@example.com and it logged in fine.

What I noticed a few hours later is that if I access the Seafile server using the yunohost SSO, it creates a different user library, even though the user is the same.

So, my login on YunoHost is mail. If I go to example.com and log in with mail and then click on Seafile, it will redirect to one library. If I go to seafile.example.com and log in with mail@example.com, it creates another, different library.

I think this issue is somewhat related to #5 and #42

I also noted that in none of the cases I was able to use the admin interface, even though I set up mail as the admin user.

Just ran a few tests and found out that:

  1. System admin wasn't available when running on a root of a subdomain
  2. If I try to access example.com/seafile directly, it won't redirect me to an SSL connection by itself. I might have to manually configure this in nginx

That's about it for now.

Oujiii commented 5 years ago

Okay, I found what happens when you install in a subdomain.

For some reason, when you log in using YNH SSO, it will create a user in the database that's user@seafile.example.com even if your LDAP user is user@example.com. This will happen regardless of the user you log in as, as long as you come from the YNH Portal. If you try to manually log in using your YNH SSO credentials by going directly to seafile.example.com, it will import the LDAP user, creating a new user, different from the user created from the YNH Portal. That's why #42 was happening.

Haven't really found a way to circumvent this. Until it's fixed, if you install in a subdomain, your users will always be like that.

For the admin account thing, I simply went to /var/opt/yunohost/seafile/seafile-server-latest/ and ran the reset-admin.sh and then I input user@seafile.example.com and the same password from the LDAP.

If that doesn't help, run the reset-admin.sh and use user@example.com and his LDAP password, then go straight to seafile.example.com (you have to do this in a browser where you're not logged in to the YNH portal), use user@example.com and his LDAP password, go to the Admin area and set the user@seafile.example.com as an admin.

Now if you wanna log on to any sync client, you have to use user@seafile.example.com

I hope that helps.
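The duplicate accounts described in the comment above can be found by resolving every application account back to an LDAP user and looking for users that own more than one. This is an added example, not part of the original thread or of the package's code; the account export format, the sample data and the function names are assumptions.

```python
# Added illustration: audit an account list for the split identities described in this thread.
from collections import defaultdict

# Assumption: uid -> mail as stored in LDAP (constructed sample data).
LDAP_USERS = {"mail": "mail@example.com", "alice": "alice@example.com"}

# Assumption: (account email, is_admin) rows exported from the app (constructed).
APP_ACCOUNTS = [
    ("mail@example.com", True),
    ("mail@seafile.example.com", False),
    ("alice@seafile.example.com", False),
    ("guest@other.org", False),
]
APP_HOST = "seafile.example.com"  # domain the app is served from


def classify(email, ldap_users, app_host):
    """Return (kind, uid): 'ldap', 'sso-synthesized' (<uid>@<app_host>) or 'unknown'."""
    email = email.strip().lower()
    local, _, domain = email.rpartition("@")
    by_mail = {m.lower(): u for u, m in ldap_users.items()}
    if email in by_mail:  # a real LDAP mail always wins
        return "ldap", by_mail[email]
    if domain == app_host.lower() and local in ldap_users:
        return "sso-synthesized", local
    return "unknown", None


def find_split_identities(accounts, ldap_users, app_host):
    """Report every LDAP uid that owns more than one app account."""
    per_uid = defaultdict(list)
    for email, is_admin in accounts:
        kind, uid = classify(email, ldap_users, app_host)
        if uid is not None:
            per_uid[uid].append((email, kind, is_admin))
    report = {}
    for uid, rows in per_uid.items():
        if len(rows) > 1:
            admin_flags = {is_admin for _, _, is_admin in rows}
            report[uid] = {
                "accounts": sorted(e for e, _, _ in rows),
                # True when only some of the duplicates hold admin rights
                "admin_mismatch": len(admin_flags) > 1,
            }
    return report


if __name__ == "__main__":
    print(find_split_identities(APP_ACCOUNTS, LDAP_USERS, APP_HOST))
```

An `admin_mismatch` entry corresponds to the situation in the thread where the admin role is attached to only one of the two accounts belonging to the same person.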

Josue-T commented 5 years ago

I know this issue, but for now I didn't find a clean way to fix this. It's related to this https://github.com/YunoHost-Apps/seafile_ynh/issues/5

And yes when I implemented the sso authentication growed...

I tried to force the use of a username instead of an email; it's just bad because in the seahub code there are checks everywhere that the username contains an @. So we need to keep an email as a username.

Maybe the last solution is: if Seafile gets another domain for the email, we dynamically force it to use username@seafiledomain.tld.

Oujiii commented 5 years ago

That's what I thought. Maybe you wanna add something about this in the README so more people are aware of how to handle the whole subdomain issue when installing?

Josue-T commented 5 years ago

The problem is not specific to the subdomain. The problem could happen anytime when you have multiple domains on your instance...

Josue-T commented 5 years ago

Well, I thought about a solution to improve this situation. I thought that we could maybe add a patch in seahub (which is written in Python). But the problem is that the user validation (linked to LDAP) is in the ccnet part, which is written in C. So it's quite complicated to fix this.

> Maybe you wanna add something about this in the README so more people are aware on how to handle the whole subdomain issue when installing?

I saw that I've already written something about that here.

HugoPoi commented 5 years ago

I started to investigate, the problem is in the SSO and LDAP check.

What currently happens

Josue-T commented 5 years ago

> Seafile LDAP check shouldn't take ${YUNOHOST_USERNAME}@${YUNOHOST_SEAFILE_HOSTNAME} for a valid login if it isn't a valid email in LDAP

This might be really complicated because the LDAP part of seafile is the ccnet and it's written in C.

> SSO should give the email address of the YunoHost account to Seafile (is it possible?)

Seeing your patch https://github.com/YunoHost-Apps/seafile_ynh/pull/46 it's possible