From a67128338d5fa46657203b066591ae3efdc5b0a7 Mon Sep 17 00:00:00 2001
From: publicdesert <publicdesert@mailbox.org>
Date: Wed, 15 Jun 2022 18:14:00 +0200
Subject: [PATCH 1/6] Add examples for Gitea and Seafile

---
 README.md                  |  2 ++
 example_configs/gitea.md   | 20 ++++++++++++++++++++
 example_configs/seafile.md | 26 ++++++++++++++++++++++++++
 3 files changed, 48 insertions(+)
 create mode 100644 example_configs/gitea.md
 create mode 100644 example_configs/seafile.md

diff --git a/README.md b/README.md
index 3564077..a29b6a9 100644
--- a/README.md
+++ b/README.md
@@ -199,11 +199,13 @@ folder for help with:
   - [Authelia](example_configs/authelia_config.yml)
   - [Bookstack](example_configs/bookstack.env.example)
   - [Dolibarr](example_configs/dolibarr.md)
+  - [Gitea](example_configs/gitea.md)
   - [Jellyfin](example_configs/jellyfin.md)
   - [Jisti Meet](example_configs/jitsi_meet.conf)
   - [KeyCloak](example_configs/keycloak.md)
   - [Matrix](example_configs/matrix_synapse.yml)
   - [Organizr](example_configs/Organizr.md)
+  - [Seafile](example_configs/seafile.md)
 
 ## Comparisons with other services
 
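Review bot: the unchanged context line `  - [Jisti Meet](example_configs/jitsi_meet.conf)` two entries below the new Gitea entry misspells Jitsi; since this hunk already edits the list, fixing the link text here is cheap and avoids a separate typo commit. The two new entries themselves are inserted in alphabetical order, which matches the rest of the list.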
diff --git a/example_configs/gitea.md b/example_configs/gitea.md
new file mode 100644
index 0000000..422d21a
--- /dev/null
+++ b/example_configs/gitea.md
@@ -0,0 +1,20 @@
+# Configuration for Gitea
+In Gitea, go to `Site Administration > Authentication Sources` and click `Add Authentication Source`
+Select `LDAP (via BindDN)`
+
+* Host: Your lldap server's ip/hostname
+* Port: Your lldap server's port (3890 by default)
+* Bind DN: `uid=admin,ou=people,dc=example,dc=com`
+* Bind Password: Your bind user's password
+* User Search Base: `ou=people,dc=example,dc=com`
+* User Filter: In this example only members of the group `git_user` can log in. To log in they can either use their email address or user name:<br>
+`(&(memberof=cn=git_user,ou=groups,dc=example,dc=com)(|(uid=%[1]s)(mail=%[1]s)))`<br>
+For more info on the user filter, see: https://docs.gitea.io/en-us/authentication/#ldap-via-binddn
+* Admin Filter: Use similar string as above or leave it empty if you don't want LDAP users to be admins.
+* Username Attribute: `uid`
+* Email Attribute: `mail`
+* Check `Enable User Synchronization`
+
+Replace every instance of `dc=example,dc=com` with your configured domain.
+
+After applying the above settings, users should be able to log in with either their user name or email address.
\ No newline at end of file
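Review bot: the Admin Filter guidance ("Use similar string as above or leave it empty") is too vague to act on; give a concrete filter such as a `memberof=` clause on a dedicated admin group, and state that every user matched by it becomes a Gitea administrator, since that is the privilege boundary this setting controls. Two smaller points: the Bind DN is the LLDAP administrator account (`uid=admin,ou=people,dc=example,dc=com`), so mention that any account able to read `ou=people` suffices and that a less privileged bind user is preferable where the deployment allows it; and the first three lines of the file lack terminating punctuation and blank lines, so Markdown will run "click `Add Authentication Source`" and "Select `LDAP (via BindDN)`" into one paragraph. The file is also missing its trailing newline (`\ No newline at end of file`).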
diff --git a/example_configs/seafile.md b/example_configs/seafile.md
new file mode 100644
index 0000000..2ae4030
--- /dev/null
+++ b/example_configs/seafile.md
@@ -0,0 +1,26 @@
+# Configuration for Seafile
+
+## Basic configuration
+Add the following to your `seafile/conf/ccnet.conf` file:
+```
+[LDAP]
+HOST = ldap://192.168.1.100:3890
+BASE = ou=people,dc=example,dc=com
+USER_DN = uid=admin,ou=people,dc=example,dc=com
+PASSWORD = YOURPASSWORDHERE
+LOGIN_ATTR = mail
+```
+* Replace `192.168.1.100:3890` with your lldap server's ip/hostname and port.
+* Replace every instance of `dc=example,dc=com` with your configured domain.
+* Replace `YOURPASSWORDHERE` with your bind user's password.
+
+__IMPORTANT__: Seafile requires the LOGIN_ATTR to be in an email-like format. You cannot use the uid as LOGIN_ATTR!
+
+After restarting the Seafile server, users should be able to log in with their email address and password.
+
+## Filtering by group membership
+If you only want members of a specific group to be able to log in, add the following line:
+```
+FILTER = memberOf=cn=seafile_user,ou=groups,dc=example,dc=com
+```
+* Replace `seafile_user` with the name of your group.
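Review bot: the "Filtering by group membership" section says "add the following line" without saying where; state that `FILTER = ...` belongs inside the `[LDAP]` section of `ccnet.conf` shown above, otherwise it is silently ignored. The `__IMPORTANT__` note says uid cannot be used as `LOGIN_ATTR` but not what choosing `mail` implies: the address becomes the user's identity in Seafile, so a later change of email in LLDAP means Seafile sees a new user. Spelling that out lets an admin judge the trade-off before rollout. Finally, `PASSWORD = YOURPASSWORDHERE` puts the bind credential in clear text in `ccnet.conf`; a one-line reminder to restrict the file's permissions would fit next to the replace bullets.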

From fc7ec97051178d72772abf2f4135baf030fdba69 Mon Sep 17 00:00:00 2001
From: publicdesert <publicdesert@mailbox.org>
Date: Wed, 15 Jun 2022 22:48:56 +0200
Subject: [PATCH 2/6] Apply suggested changes

---
 example_configs/gitea.md   | 6 ++++--
 example_configs/seafile.md | 3 +--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/example_configs/gitea.md b/example_configs/gitea.md
index 422d21a..b2c8a54 100644
--- a/example_configs/gitea.md
+++ b/example_configs/gitea.md
@@ -7,10 +7,12 @@ Select `LDAP (via BindDN)`
 * Bind DN: `uid=admin,ou=people,dc=example,dc=com`
 * Bind Password: Your bind user's password
 * User Search Base: `ou=people,dc=example,dc=com`
-* User Filter: In this example only members of the group `git_user` can log in. To log in they can either use their email address or user name:<br>
+* User Filter:  If you want all users to be able to log in, use<br>
+`(&(objectClass=person)(|(uid=%[1]s)(mail=%[1]s)))`.<br>
+To log in they can either use their email address or user name. If you only want members a specific group to be able to log in, in this case the group `git_user`, use<br>
 `(&(memberof=cn=git_user,ou=groups,dc=example,dc=com)(|(uid=%[1]s)(mail=%[1]s)))`<br>
 For more info on the user filter, see: https://docs.gitea.io/en-us/authentication/#ldap-via-binddn
-* Admin Filter: Use similar string as above or leave it empty if you don't want LDAP users to be admins.
+* Admin Filter: Use `(memberof=cn=lldap_admin,ou=groups,dc=example,dc=com)` if you want lldap admins to become Gitea admins. Leave empty otherwise.
 * Username Attribute: `uid`
 * Email Attribute: `mail`
 * Check `Enable User Synchronization`
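Review bot: the new Admin Filter line `(memberof=cn=lldap_admin,ou=groups,dc=example,dc=com)` makes every member of LLDAP's own administrator group a Gitea administrator; say so explicitly and mention that a dedicated group (as `git_user` is for login) keeps directory administration and Gitea administration separate, which is the least-privilege option. Grammar in the User Filter text: "If you only want members a specific group" is missing "of", and there is a double space after "User Filter:". The two filters themselves are consistent with each other and with the `%[1]s` placeholder the Gitea docs link describes.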
diff --git a/example_configs/seafile.md b/example_configs/seafile.md
index 2ae4030..b2db43e 100644
--- a/example_configs/seafile.md
+++ b/example_configs/seafile.md
@@ -7,12 +7,11 @@ Add the following to your `seafile/conf/ccnet.conf` file:
 HOST = ldap://192.168.1.100:3890
 BASE = ou=people,dc=example,dc=com
 USER_DN = uid=admin,ou=people,dc=example,dc=com
-PASSWORD = YOURPASSWORDHERE
+PASSWORD = CHANGE_ME
 LOGIN_ATTR = mail
 ```
 * Replace `192.168.1.100:3890` with your lldap server's ip/hostname and port.
 * Replace every instance of `dc=example,dc=com` with your configured domain.
-* Replace `YOURPASSWORDHERE` with your bind user's password.
 
 __IMPORTANT__: Seafile requires the LOGIN_ATTR to be in an email-like format. You cannot use the uid as LOGIN_ATTR!
 
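Review bot: removing `* Replace YOURPASSWORDHERE with your bind user's password.` along with the rename to `CHANGE_ME` leaves the reader with no statement of which password goes there; keep one bullet, e.g. "Replace `CHANGE_ME` with the password of the bind user named in `USER_DN`", so the Seafile page matches the Gitea page, which still names the bind password.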

From 936a6d696ab7c294b38bf4651849c923f3bcaded Mon Sep 17 00:00:00 2001
From: publicdesert <publicdesert@mailbox.org>
Date: Fri, 17 Jun 2022 15:04:28 +0200
Subject: [PATCH 3/6] Removed Seafile example config

Removed Seafile example config because of the issue described in #191
---
 README.md                  |  1 -
 example_configs/seafile.md | 25 -------------------------
 2 files changed, 26 deletions(-)
 delete mode 100644 example_configs/seafile.md

diff --git a/README.md b/README.md
index a29b6a9..0d5a39b 100644
--- a/README.md
+++ b/README.md
@@ -205,7 +205,6 @@ folder for help with:
   - [KeyCloak](example_configs/keycloak.md)
   - [Matrix](example_configs/matrix_synapse.yml)
   - [Organizr](example_configs/Organizr.md)
-  - [Seafile](example_configs/seafile.md)
 
 ## Comparisons with other services
 
diff --git a/example_configs/seafile.md b/example_configs/seafile.md
deleted file mode 100644
index b2db43e..0000000
--- a/example_configs/seafile.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Configuration for Seafile
-
-## Basic configuration
-Add the following to your `seafile/conf/ccnet.conf` file:
-```
-[LDAP]
-HOST = ldap://192.168.1.100:3890
-BASE = ou=people,dc=example,dc=com
-USER_DN = uid=admin,ou=people,dc=example,dc=com
-PASSWORD = CHANGE_ME
-LOGIN_ATTR = mail
-```
-* Replace `192.168.1.100:3890` with your lldap server's ip/hostname and port.
-* Replace every instance of `dc=example,dc=com` with your configured domain.
-
-__IMPORTANT__: Seafile requires the LOGIN_ATTR to be in an email-like format. You cannot use the uid as LOGIN_ATTR!
-
-After restarting the Seafile server, users should be able to log in with their email address and password.
-
-## Filtering by group membership
-If you only want members of a specific group to be able to log in, add the following line:
-```
-FILTER = memberOf=cn=seafile_user,ou=groups,dc=example,dc=com
-```
-* Replace `seafile_user` with the name of your group.

From 1ae7987b884a931a9b73901b41824101e7e46780 Mon Sep 17 00:00:00 2001
From: Dedy Martadinata S <dedyms@pm.me>
Date: Mon, 20 Jun 2022 16:54:16 +0700
Subject: [PATCH 4/6] docs: portainer: add filter by group example

---
 example_configs/portainer.md | 43 ++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/example_configs/portainer.md b/example_configs/portainer.md
index 1518b7c..e73f8d1 100644
--- a/example_configs/portainer.md
+++ b/example_configs/portainer.md
@@ -1,49 +1,64 @@
-# Configuration for Portainer CE
-##  Settings > Authentication 
+# Configuration for Portainer CE/BE
+###  Settings > Authentication > LDAP > Custom
 ---
 
-## LDAP configuration 
-### LDAP Server
+## LDAP configuration
+
+#### LDAP Server
 ```
-localhost:3890
+localhost:3890 or ip-address:3890
 ```
-### Anonymous mode
+#### Anonymous mode
 ```
 off
 ```
-### Reader DN
+#### Reader DN
 ```
 uid=admin,ou=people,dc=example,dc=com
 ```
-### Password
+#### Password
 ```
 xxx
 ```
+* Password is the ENV you set at *LLDAP_LDAP_USER_PASS=* or `lldap_config.toml`
 
 ## User search configurations
-### Base DN
+
+#### Base DN
 ```
 ou=people,dc=example,dc=com
 ```
-### Username attribute
+#### Username attribute
 ```
 uid
 ```
-### Filter 
+### Filter
+#### All available user(s)
 ```
 (objectClass=person)
 ```
+* Using this filter will list all user registered in LLDAP
+
+#### All user(s) from specific group
+```
+(&(objectClass=person)(memberof=cn=lldap_portainer,ou=groups,dc=example,dc=com))
+```
+* Using this filter will only list user that included in `lldap_portainer` group. 
+* Admin should manually configure groups and add a user to it. **lldap_portainer** only sample.
+
+
 
 ## Group search configurations 
-### Group Base DN
+
+#### Group Base DN
 ```
 ou=groups,dc=example,dc=com
 ```
-### Group Membership Attribute
+#### Group Membership Attribute
 ```
 cn
 ```
-### Group Filter 
+#### Group Filter 
 ```
 is optional
 ```
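Review bot: the heading hierarchy is inconsistent after this change: `# Configuration for Portainer CE/BE` is followed directly by `###  Settings > Authentication > LDAP > Custom`, `## LDAP configuration` jumps to `#### LDAP Server`, and `### Filter` now sits between `####` siblings under `## User search configurations`; pick one level per depth (e.g. `##` for the Portainer screen, `###` for each field). `localhost:3890 or ip-address:3890` inside a code fence reads as a literal value to paste; keep `localhost:3890` in the fence and move the alternative into a bullet below it, as done for the password note. The new bullets need grammar fixes: "list all user registered" should be "lists all users registered", "only list user that included in" should be "only lists users that are included in", and "**lldap_portainer** only sample" should be "**lldap_portainer** is only a sample name". There is trailing whitespace after "group. " and three blank lines before `## Group search configurations `, which also carries a trailing space.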

From 8f446bd9325f73c68020f12839d8bed09df124fc Mon Sep 17 00:00:00 2001
From: MickMorley <19698105+MickMorley@users.noreply.github.com>
Date: Tue, 21 Jun 2022 17:13:37 -0400
Subject: [PATCH 5/6] docs: add Syncthing example

---
 example_configs/syncthing.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 example_configs/syncthing.md

diff --git a/example_configs/syncthing.md b/example_configs/syncthing.md
new file mode 100644
index 0000000..a3934f8
--- /dev/null
+++ b/example_configs/syncthing.md
@@ -0,0 +1,30 @@
+# Configuration for Syncthing
+##  Actions > Advanced > LDAP
+---
+
+| Parameter            | Value                                                                  | Details                                               |
+|----------------------|------------------------------------------------------------------------|-------------------------------------------------------|
+| Address              | `localhost:3890`                                                       | Replace `localhost:3890` with your LLDAP host & port  |
+| Bind DN              | `cn=%s,ou=people,dc=example,dc=com`                                    |                                                       |
+| Insecure Skip Verify | *unchecked*                                                            |                                                       |
+| Search Base DN       | `ou=people,dc=example,dc=com`                                          | Only used when using filters.                         |
+| Search Filter        | `(&(uid=%s)(memberof=cn=lldap_syncthing,ou=groups,dc=example,dc=com))` | Filters on users belonging to group `lldap_syncthing` |
+| Transport            | `plain`                                                                |                                                       |
+
+Replace `dc=example,dc=com` with your LLDAP configured domain for all occurances
+
+Leave **Search Base DN** and **Search Filter** both blank if you are not using any filters.
+
+##  Actions > Advanced > GUI
+
+Change **Auth Mode** from `static` to `ldap`
+
+
+If you get locked out of the UI due to invalid LDAP settings, you can always change the settings from the `config.xml`, save the file, and force restart the app.
+
+### Example
+
+Change the below and restart
+
+` <authMode>ldap</authMode>` to ` <authMode>static</authMode>`
+
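Review bot: the Bind DN `cn=%s,ou=people,dc=example,dc=com` uses `cn=` while every other example in this repository addresses users as `uid=...,ou=people,...`; either confirm in the Details column that LLDAP accepts both forms or switch to `uid=%s` for consistency, since a reader copying from the Gitea or Portainer page will otherwise assume one of them is wrong. Transport `plain` sends the bind credentials unencrypted, and `Insecure Skip Verify` only has an effect with a TLS transport, so the table should state the assumption that Syncthing and LLDAP share a host or a trusted network. Minor: "occurances" should be "occurrences", `##  Actions` has a double space, and the recovery example has a stray leading space inside the backticks in `` ` <authMode>ldap</authMode>` ``.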

From b03a38f2672972dc8cc862e4589a168dc7d05500 Mon Sep 17 00:00:00 2001
From: publicdesert <105128693+publicdesert@users.noreply.github.com>
Date: Fri, 24 Jun 2022 12:38:40 +0200
Subject: [PATCH 6/6] docs: add Readd example config for Seafile

Readds both the previous example for Seafile and an alternative setup with Authelia as an intermediary.
---
 README.md                  |  1 +
 example_configs/seafile.md | 89 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 example_configs/seafile.md

diff --git a/README.md b/README.md
index 0d5a39b..a29b6a9 100644
--- a/README.md
+++ b/README.md
@@ -205,6 +205,7 @@ folder for help with:
   - [KeyCloak](example_configs/keycloak.md)
   - [Matrix](example_configs/matrix_synapse.yml)
   - [Organizr](example_configs/Organizr.md)
+  - [Seafile](example_configs/seafile.md)
 
 ## Comparisons with other services
 
diff --git a/example_configs/seafile.md b/example_configs/seafile.md
new file mode 100644
index 0000000..6ea4876
--- /dev/null
+++ b/example_configs/seafile.md
@@ -0,0 +1,89 @@
+# Configuration for Seafile
+Seafile's LDAP interface requires a unique, immutable user identifier in the format of `username@domain`. Since LLDAP does not provide an attribute like `userPrincipalName`, the only attribute that somewhat qualifies is therefore `mail`. However, using `mail` as the user identifier results in the issue that Seafile will treat you as an entirely new user if you change your email address through LLDAP. If this is not an issue for you, you can configure LLDAP as an authentication source in Seafile directly. A better but more elaborate way to use Seafile with LLDAP is by using Authelia as an intermediary. This document will guide you through both setups.
+
+## Configuring Seafile to use LLDAP directly
+Add the following to your `seafile/conf/ccnet.conf` file:
+```
+[LDAP]
+HOST = ldap://192.168.1.100:3890
+BASE = ou=people,dc=example,dc=com
+USER_DN = uid=admin,ou=people,dc=example,dc=com
+PASSWORD = CHANGE_ME
+LOGIN_ATTR = mail
+```
+* Replace `192.168.1.100:3890` with your LLDAP server's ip/hostname and port.
+* Replace every instance of `dc=example,dc=com` with your configured domain.
+
+After restarting the Seafile server, users should be able to log in with their email address and password.
+
+### Filtering by group membership
+If you only want members of a specific group to be able to log in, add the following line:
+```
+FILTER = memberOf=cn=seafile_user,ou=groups,dc=example,dc=com
+```
+* Replace `seafile_user` with the name of your group.
+
+## Configuring Seafile to use LLDAP with Authelia as an intermediary
+Authelia is an open-source authentication and authorization server that can use LLDAP as a backend and act as an OpenID Connect Provider. We're going to assume that you have already set up Authelia and configured it with LLDAP.
+If not, you can find an example configuration [here](authelia_config.yml).
+
+1. Add the following to Authelia's `configuration.yml`:
+```
+identity_providers:
+  oidc:
+    hmac_secret: Your_HMAC_Secret #Replace with a random string
+    issuer_private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        Your_Private_Key
+        #See https://www.authelia.com/configuration/identity-providers/open-id-connect/#issuer_private_key for instructions on how to generate a key
+        -----END RSA PRIVATE KEY-----
+    cors:
+      endpoints:
+        - authorization
+        - token
+        - revocation
+        - introspection
+        - userinfo
+    clients:
+      - id: seafile
+        description: Seafile #The display name of the application. Will show up on Authelia consent screens
+        secret: Your_Shared_Secret #Replace with random string
+        public: false
+        authorization_policy: one_factor #Can also be two_factor
+        scopes:
+          - openid
+          - profile
+          - email
+        redirect_uris:
+          - https://seafile.example.com/oauth/callback/
+        userinfo_signing_algorithm: none
+        pre_configured_consent_duration: 6M
+        #On first login you must consent to sharing information between Authelia and Seafile. This option configures the amount of time after which you need to reconsent.
+        # y = years, M = months, w = weeks, d = days
+```
+
+2. Add the following to `seafile/conf/seahub_settings.py`
+```
+ENABLE_OAUTH = True
+OAUTH_ENABLE_INSECURE_TRANSPORT = True
+OAUTH_CLIENT_ID = 'seafile' #Must be the same as in Authelia
+OAUTH_CLIENT_SECRET = 'Your_Shared_Secret' #Must be the same as in Authelia
+OAUTH_REDIRECT_URL = 'https://seafile.example.com/oauth/callback/'
+OAUTH_PROVIDER_DOMAIN = 'auth.example.com'
+OAUTH_AUTHORIZATION_URL = 'https://auth.example.com/api/oidc/authorization'
+OAUTH_TOKEN_URL = 'https://auth.example.com/api/oidc/token'
+OAUTH_USER_INFO_URL = 'https://auth.example.com/api/oidc/userinfo'
+OAUTH_SCOPE = [
+  "openid",
+  "profile",
+  "email",
+]
+OAUTH_ATTRIBUTE_MAP = {
+    "preferred_username": (True, "email"), #Seafile will create a unique identifier of your <LLDAP's User ID >@<the value specified in OAUTH_PROVIDER_DOMAIN>. The identifier is not visible to the user and not actually used as the email address unlike the value suggests
+    "name": (False, "name"),
+    "id": (False, "not used"),
+    "email": (False, "contact_email"),
+}
+```
+
+Restart both your Authelia and Seafile server. You should see a "Single Sign-On" button on Seafile's login page. Clicking it should redirect you to Authelia. If you use the [example config for Authelia](authelia_config.yml), you should be able to log in using your LLDAP User ID.
\ No newline at end of file
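Review bot: in the Authelia snippet the line `#See https://www.authelia.com/... for instructions on how to generate a key` sits inside the `issuer_private_key: |` block scalar, so YAML treats it as part of the key material rather than a comment and the key will fail to parse; move it above `issuer_private_key:`. In the Seahub snippet, `OAUTH_ENABLE_INSECURE_TRANSPORT = True` is set even though every configured URL is `https://`; either explain why it is needed (for example a reverse proxy terminating TLS in front of Seafile) or set it to `False`, because the flag disables the HTTPS requirement for the OAuth exchange that carries the client secret and tokens. The `preferred_username` comment does a good job explaining the synthetic identifier; it would help to also note that `hmac_secret`, the client `secret` and the private key are placeholders that should come from Authelia's secret handling rather than stay inline in `configuration.yml`. The file is missing its trailing newline (`\ No newline at end of file`).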