Open Oujiii opened 5 years ago
Okay, I found what happens when you install in a subdomain.
For some reason, when you log in using the YNH SSO, it will create a user in the database that's user@seafile.example.com, even if your LDAP user is user@example.com.
This will happen regardless of the user you log in as, as long as you come from the YNH portal.
If you try to manually log in using your YNH SSO credentials by going directly to seafile.example.com, it will import the LDAP user, creating a new user, different from the user created from the YNH portal; that's why #42 was happening.
Haven't really found a way to circumvent this. Until it's fixed, if you install in a subdomain, your users will always be like that.
For the admin account thing, I simply went to /var/opt/yunohost/seafile/seafile-server-latest/ and ran reset-admin.sh, then I input user@seafile.example.com and the same password as in LDAP.
If that doesn't help, run reset-admin.sh and use user@example.com and his LDAP password, then go straight to seafile.example.com (you have to do this in a browser where you're not logged in to the YNH portal), use user@example.com and his LDAP password, go to the Admin area and set user@seafile.example.com as an admin.
Now if you want to log on to any sync client, you have to use user@seafile.example.com.
I hope that helps.
I know this issue, but for now I didn't find a clean way to fix this. It's related to this: https://github.com/YunoHost-Apps/seafile_ynh/issues/5
And yes, when I implemented the SSO authentication it growed...
I tried to force it to use a username instead of an email, but it's just bad because in the seahub code there are checks everywhere that the username contains a @. So we need to keep an email as the username.
Maybe the last solution is, if seafile gets another domain for the email, we dynamically force it to use username@seafiledomain.tld.
That's what I thought. Maybe you want to add something about this in the README so more people are aware of how to handle the whole subdomain issue when installing?
The problem is not specific to the subdomain. The problem could happen any time you have multiple domains on your instance...
Well, I thought about a solution to improve this situation. I thought that we could maybe add a patch in seahub (which is written in Python). But the problem is that the user validation (linked to LDAP) is in the ccnet part, which is written in C. So it's quite complicated to fix this.
Maybe you want to add something about this in the README so more people are aware of how to handle the whole subdomain issue when installing?
I saw that I've already written something about that here.
I started to investigate; the problem is in the SSO and LDAP check.
https://github.com/YunoHost-Apps/seafile_ynh/blob/765989f499c03f6592128e58fea4a55bf07cbfc8/sources/patches/x86-64-sso_auth.patch#L17
`${YUNOHOST_USERNAME}@${YUNOHOST_SEAFILE_HOSTNAME}` is always considered valid, which is wrong.
Edit: after reading some code and testing a bit: with SSO enabled the username is considered trusted, so LDAP is checked, but no user is found in LDAP and one is created with default values.
https://github.com/YunoHost-Apps/seafile_ynh/blob/765989f499c03f6592128e58fea4a55bf07cbfc8/sources/patches/x86-64-sso_auth.patch#L28-L48
Seafile's LDAP check shouldn't take `${YUNOHOST_USERNAME}@${YUNOHOST_SEAFILE_HOSTNAME}` as a valid login if it isn't a valid email in LDAP.
This might be really complicated because the LDAP part of seafile is ccnet, and it's written in C.
SSO should give the email address of the YunoHost account to Seafile (is it possible?)
Seeing your patch https://github.com/YunoHost-Apps/seafile_ynh/pull/46, it's possible.
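To make the failure mode discussed above concrete, here is an added model of the two login paths (this is illustration code written for this page, not seahub or ccnet code; the directory contents, account table, and all function names are constructed for the example). Path 1 is a direct login on the Seafile host with the LDAP mail; path 2 is the SSO path as the thread describes it, where the header-supplied username is trusted, `<username>@<seafile host>` is built, the LDAP lookup finds nothing, and an account is created anyway. A third function shows the fix suggested in the thread: resolve the SSO username to the account's LDAP mail attribute and fail closed when it cannot be resolved, so both paths land on the same account. A small helper groups existing accounts by local part, which is how an admin can spot users who already got split.

```python
"""Model of SSO vs. direct LDAP login creating split Seafile accounts.

Constructed illustration for this thread, not project code. An in-memory
dict stands in for the YunoHost LDAP directory and another for Seafile's
account table. All names here are this example's own.
"""

# Constructed LDAP directory: YunoHost uid -> mail attribute.
LDAP_DIRECTORY = {
    "user": "user@example.com",
    "alice": "alice@example.com",
}

# Hostname Seafile is served on (the "subdomain" case from the thread).
SEAFILE_HOST = "seafile.example.com"


def fresh_accounts():
    """Seafile account table: login email -> attributes (default values)."""
    return {}


def ldap_lookup_by_mail(login):
    """Return the LDAP entry whose mail equals `login`, or None."""
    for uid, mail in LDAP_DIRECTORY.items():
        if mail == login:
            return {"uid": uid, "mail": mail}
    return None


def ldap_lookup_by_uid(uid):
    """Return the LDAP entry for a YunoHost username, or None."""
    mail = LDAP_DIRECTORY.get(uid)
    return None if mail is None else {"uid": uid, "mail": mail}


def direct_login(accounts, login):
    """Path 1: user types the LDAP mail directly on seafile.example.com.

    LDAP is authoritative: no entry, no account, login refused (None).
    """
    entry = ldap_lookup_by_mail(login)
    if entry is None:
        return None
    accounts.setdefault(entry["mail"], {"is_staff": False})
    return entry["mail"]


def sso_login_trusted(accounts, yunohost_username):
    """Path 2 as described in the thread (the buggy behaviour).

    The username from the SSO header is trusted, the login name is built
    as <username>@<seafile host>, LDAP finds no such mail, and an account
    is created anyway with default values. On a multi-domain instance this
    never matches the mail used on the direct path, so the user is split.
    """
    login = f"{yunohost_username}@{SEAFILE_HOST}"
    if ldap_lookup_by_mail(login) is None:
        # The bug: "trusted" means the miss is ignored and a default
        # account is created under the synthetic name.
        accounts.setdefault(login, {"is_staff": False})
    return login


def sso_login_resolved(accounts, yunohost_username):
    """Fixed path: resolve the SSO username to its LDAP mail, fail closed.

    The identity asserted by SSO is only the uid; the canonical account key
    is the directory's mail attribute, the same key the direct path uses.
    An unknown uid produces no account and the login is refused (None).
    """
    entry = ldap_lookup_by_uid(yunohost_username)
    if entry is None:
        return None
    accounts.setdefault(entry["mail"], {"is_staff": False})
    return entry["mail"]


def split_accounts(accounts):
    """Group account emails by local part; return only the split ones.

    Two logins sharing a local part across different domains (for example
    user@example.com and user@seafile.example.com) are the symptom the
    thread describes, each with its own library.
    """
    by_local = {}
    for email in accounts:
        local = email.split("@", 1)[0]
        by_local.setdefault(local, []).append(email)
    return {k: sorted(v) for k, v in by_local.items() if len(v) > 1}


if __name__ == "__main__":
    acc = fresh_accounts()
    direct_login(acc, "user@example.com")
    sso_login_trusted(acc, "user")
    print("buggy path, split accounts:", split_accounts(acc))
    acc = fresh_accounts()
    direct_login(acc, "user@example.com")
    sso_login_resolved(acc, "user")
    print("fixed path, split accounts:", split_accounts(acc))
```

The point of the fixed function is the order of operations: the asserted SSO username is never used as an account key by itself; it is resolved through the directory first, and a miss refuses the login instead of creating a default account. That is also why the maintainer's observation holds that the problem is not subdomain-specific: any layout where the SSO host differs from the mail domain produces the split.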
I installed it in my instance on seafile.example.com and when I accessed it directly, it asked for my credentials, so I just input mail@example.com and it logged in fine. What I noticed a few hours later is that if I access the Seafile server using the yunohost SSO, it creates a different user library, even though the user is the same.
So, my login on Yunohost is mail. If I go to example.com and log in with mail and then click on Seafile, it will redirect me to one library. If I go to seafile.example.com and log in with mail@example.com, it creates another, different library. I think this issue is somewhat related to #5 and #42.
I also noted that in none of the cases was I able to use the admin interface, even though I set up mail as the admin user.
Just ran a few tests and found out that: example.com/seafile directly, it won't redirect me to an SSL connection by itself. I might have to manually configure this in nginx. That's about it for now.