experiment with seafile sso
This commit is contained in:
@@ -71,6 +71,7 @@ insecure.rik.veenboer.xyz {
|
||||
|
||||
seafile.rik.veenboer.xyz {
|
||||
handle {
|
||||
# import authentik
|
||||
reverse_proxy http://host:8100
|
||||
}
|
||||
|
||||
|
||||
@@ -94,7 +94,6 @@ server {
|
||||
proxy_pass http://host:9001;
|
||||
include /etc/nginx/conf/proxy.conf;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
|
||||
@@ -1,5 +1,86 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
## General
|
||||
SECRET_KEY = "zt^$p=*-yzytt3)1lidvsfjrq7qe+3t^$nw6wp_+bqhttxy4c!"
|
||||
|
||||
SERVICE_URL = "https://seafile.rik.veenboer.xyz/"
|
||||
|
||||
|
||||
## Remote User Authentication
|
||||
ENABLE_REMOTE_USER_AUTHENTICATION = False
|
||||
|
||||
# Optional, HTTP header, which is configured in your web server conf file,
|
||||
# used for Seafile to get user's unique id, default value is 'HTTP_REMOTE_USER'.
|
||||
REMOTE_USER_HEADER = 'X-Seafile-User'
|
||||
|
||||
# Optional, when the value of HTTP_REMOTE_USER is not a valid email address,
|
||||
# Seafile will build a email-like unique id from the value of 'REMOTE_USER_HEADER'
|
||||
# and this domain, e.g. user1@example.com.
|
||||
REMOTE_USER_DOMAIN = 'veenboer.xyz'
|
||||
|
||||
# Optional, whether to create new user in Seafile system, default value is True.
|
||||
# If this setting is disabled, users doesn't preexist in the Seafile DB cannot login.
|
||||
# The admin has to first import the users from external systems like LDAP.
|
||||
REMOTE_USER_CREATE_UNKNOWN_USER = True
|
||||
|
||||
# Optional, whether to activate new user in Seafile system, default value is True.
|
||||
# If this setting is disabled, user will be unable to login by default.
|
||||
# the administrator needs to manually activate this user.
|
||||
REMOTE_USER_ACTIVATE_USER_AFTER_CREATION = True
|
||||
|
||||
# Optional, map user attribute in HTTP header and Seafile's user attribute.
|
||||
REMOTE_USER_ATTRIBUTE_MAP = {
|
||||
'X-Authentik-Username': 'name',
|
||||
'X-Seafile-User': 'contact_email',
|
||||
|
||||
# for user info
|
||||
# "HTTP_GIVENNAME": 'givenname',
|
||||
# "HTTP_SN": 'surname',
|
||||
# "HTTP_ORGANIZATION": 'institution',
|
||||
|
||||
# for user role
|
||||
# 'HTTP_Shibboleth-affiliation': 'affiliation',
|
||||
}
|
||||
|
||||
# Map affiliation to user role. Though the config name is SHIBBOLETH_AFFILIATION_ROLE_MAP,
|
||||
# it is not restricted to Shibboleth
|
||||
SHIBBOLETH_AFFILIATION_ROLE_MAP = {
|
||||
# 'employee@uni-mainz.de': 'staff',
|
||||
# 'member@uni-mainz.de': 'staff',
|
||||
# 'student@uni-mainz.de': 'student',
|
||||
# 'employee@hu-berlin.de': 'guest',
|
||||
# 'patterns': (
|
||||
# ('*@hu-berlin.de', 'guest1'),
|
||||
# ('*@*.de', 'guest2'),
|
||||
# ('*', 'guest'),
|
||||
# ),
|
||||
}
|
||||
|
||||
|
||||
## OAuth Authentication
|
||||
ENABLE_OAUTH = True
|
||||
|
||||
# If create new user when he/she logs in Seafile for the first time, defalut `True`.
|
||||
OAUTH_CREATE_UNKNOWN_USER = True
|
||||
|
||||
# If active new user when he/she logs in Seafile for the first time, defalut `True`.
|
||||
OAUTH_ACTIVATE_USER_AFTER_CREATION = True
|
||||
|
||||
# Usually OAuth works through SSL layer. If your server is not parametrized to allow HTTPS, some method will raise an "oauthlib.oauth2.rfc6749.errors.InsecureTransportError". Set this to `True` to avoid this error.
|
||||
OAUTH_ENABLE_INSECURE_TRANSPORT = True
|
||||
|
||||
# Client id/secret generated by authorization server when you register your client application.
|
||||
OAUTH_CLIENT_ID = "ppPkXbiyxpYKOlHdKHNM69HlzrKBz1DB9eTgvfgh"
|
||||
OAUTH_CLIENT_SECRET = "G1F5UwQyMDFSZpo8OjMLdU7TbMniWzNDJqjGHsGo1Yr03MOMM5uAw4gHLRMdxM72DLZUWWgSllEOkHk8ifBH7FVhlNw9zwc5LNOFIoXzMNZAuaJhLDlWPjWrfMCiosNT"
|
||||
|
||||
# Callback url when user authentication succeeded. Note, the redirect url you input when you register your client application MUST be exactly the same as this value.
|
||||
OAUTH_REDIRECT_URL = 'https://seafile.rik.veenboer.xyz/oauth/callback/'
|
||||
|
||||
OAUTH_PROVIDER_DOMAIN = 'authentik.rik.veenboer.xyz'
|
||||
OAUTH_AUTHORIZATION_URL = 'https://authentik.rik.veenboer.xyz/application/o/authorize/'
|
||||
OAUTH_TOKEN_URL = 'https://authentik.rik.veenboer.xyz/application/o/token/'
|
||||
OAUTH_USER_INFO_URL = 'https://authentik.rik.veenboer.xyz/application/o/userinfo/'
|
||||
OAUTH_SCOPE = ["user",]
|
||||
OAUTH_ATTRIBUTE_MAP = {
|
||||
# "id": (True, "email"), # Please keep the 'email' option unchanged to be compatible with the login of users of version 11.0 and earlier.
|
||||
"name": (False, "name"),
|
||||
"email": (False, "contact_email"),
|
||||
"uid": (True, "uid"), # Seafile v11.0 +
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user