ados8000 (posted June 2, 2023):
I've recently changed from FreeIPA, which was completely unreliable, to Windows Active Directory. Setup works and filters out users from the "Emby" group. I have no issues with login, but I noticed something when using a testing account. If you change the user's password in AD, the user can log in with that password and any previous one. Rebooted server, enabled/disabled user, set authentication in Emby to default then LDAP, but same issue. If the password is "Apples" and then changed to "Oranges", they can still log in with "Apples" even when the LDAP server is online and the password doesn't match. If you try a password the user has never had then it fails; if you delete the user account in Emby then the password must be correct. Seems the plugin is keeping the password hashes in cache, not good. Anyone able to provide insight into this? Also, I had FreeIPA working with password writeback, i.e. the user can change their password in Emby and it updates, but it doesn't with Windows AD. Anyone know the solution to that too?
Edited June 2, 2023 by ados8000
Luke (posted June 2, 2023):
Hi, passwords are not remembered, so perhaps one of the following is true:
- The user was already logged in. Normally changing a password in Emby Server will sign out existing sessions, but for LDAP there's no way to know that you changed the password from the LDAP side.
- Or perhaps the LDAP server is still accepting the old password for some reason.
ados8000 (posted June 3, 2023):
Sorry, but that doesn't match the findings from my testing above. The plugin has to be the issue; test steps explained:
1. No test user in Emby; log in and the account is created with the current password Apples.
2. Log the user out and change the password in AD to Grapes.
3. Login works with the new password Grapes, but on logout and login so does Apples still.
4. Try a never-used password Fruit and it is denied.
5. Log out and delete the user from Emby.
6. Try to log in with Apples and it fails; try to log in with Grapes and it works.
It is keeping a record of hashes or some authentication until the account is new.
Edited June 3, 2023 by ados8000
Luke (posted June 3, 2023):
What do you mean by log user out? What exactly did you do?
ados8000 (posted June 3, 2023):
Used the Emby web portal to sign in and out for password testing. I created the account for testing; it was only signed in on one browser.
Luke (posted June 3, 2023):
How did you sign out?
ados8000 (posted June 3, 2023):
Using the profile icon -> sign out.
ados8000 (posted July 15, 2023):
Could we possibly get the plugin developers' opinion on the matter? I would like to have Emby (LDAP plugin) not allow sign-ins with past passwords, as it has obvious security risks.
Edited July 15, 2023 by ados8000
Luke (posted July 15, 2023):
Quoting ados8000 (11 hours earlier): "Could we possibly get the plugin developers' opinion on the matter? I would like to have Emby (LDAP plugin) not allow sign-ins with past passwords, as it has obvious security risks."
For the scenario you described, can you temporarily enable debug logging in the server logs section, then repeat the problem, and then attach the server log? Thanks.
Luke (posted July 22, 2023):
@ados8000?
ados8000 (posted July 22, 2023):
@Luke thanks for following up. I've been away for the past few weeks with email-only access. I won't be able to test until the end of next week.
Luke (posted August 3, 2023, marked as solution):
@ados8000 did you see this? https://github.com/metabase/metabase/issues/7635#issuecomment-400725424
Also, if you do a Google search on "ldap accepting old password", you'll find lots of hits on it. It's possible that other backends mimic this AD behavior.
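Added check, not code from the thread or the Emby LDAP plugin: a Windows domain controller keeps accepting a just-replaced password for network logons for a grace window controlled by the Lsa registry value OldPasswordAllowedPeriod (minutes; the built-in default is 60 when the value is absent, 0 disables it). This PowerShell reads the effective window on every DC and can set it to 0; it assumes the ActiveDirectory module and remoting to the DCs, and the function names are mine.

```powershell
# Added example, not code from the thread or the Emby LDAP plugin.
# Reports the old-password grace window (OldPasswordAllowedPeriod) on each DC.
# Assumes the ActiveDirectory module and PowerShell remoting to the DCs.
function Get-OldPasswordWindow {
    param(
        # Domain controllers to query; defaults to every DC in the current domain.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
                                   Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $ComputerName) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            $item = Get-ItemProperty -Path $path -Name 'OldPasswordAllowedPeriod' `
                                     -ErrorAction SilentlyContinue
            # An absent value means the built-in default of 60 minutes applies.
            $configured = if ($null -eq $item) { $null } else { [int]$item.OldPasswordAllowedPeriod }
            [pscustomobject]@{
                DomainController  = $env:COMPUTERNAME
                ConfiguredMinutes = $configured
                EffectiveMinutes  = if ($null -eq $configured) { 60 } else { $configured }
                GraceDisabled     = ($configured -eq 0)
            }
        }
    }
}

# Setting the value to 0 on every DC removes the grace window; -WhatIf previews.
function Disable-OldPasswordWindow {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ComputerName = (Get-ADDomainController -Filter * |
                                     Select-Object -ExpandProperty HostName))
    foreach ($dc in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($dc, 'Set OldPasswordAllowedPeriod = 0')) {
            Invoke-Command -ComputerName $dc -ScriptBlock {
                Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                    -Name 'OldPasswordAllowedPeriod' -Type DWord -Value 0
            }
        }
    }
}

Get-OldPasswordWindow | Format-Table -AutoSize
```

A non-zero EffectiveMinutes on any DC is enough to reproduce the thread's test steps: a password replaced in AD keeps binding successfully until the window expires.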
ados8000 (posted November 18, 2023):
@Luke yep, I had forgotten about this <facepalm>. I still haven't been able to get the Emby LDAP plugin to use SSL, and I know my server works because I have Authentik using SSL. Sunk a bit of time into it and I think the plugin doesn't work for new AD servers; it's still using SHA-1, for example.
Edited November 18, 2023 by ados8000
Luke (posted November 19, 2023):
Quoting ados8000 (4 hours earlier): "@Luke yep, I had forgotten about this <facepalm>. I still haven't been able to get the Emby LDAP plugin to use SSL, and I know my server works because I have Authentik using SSL. Sunk a bit of time into it and I think the plugin doesn't work for new AD servers; it's still using SHA-1, for example."
Hi, what exactly is the SSL problem?
ados8000 (posted November 19, 2023):
If I use these settings with 389 and no SSL it works. As soon as I use 636 and SSL it fails (see log). It just thinks the password is wrong, but switch back to 389 without SSL and it works. It's annoying that the plugin doesn't have a test button, so I have to log in every time to test if it works, and that doesn't confirm whether the connection is working. However, I have Authentik and Organizr working with the same Windows Server AD system on SSL without issue.
Attached: SSL.txt
Edited November 19, 2023 by ados8000
Luke (posted November 19, 2023):
Hi, can you please attach the complete Emby server log? I don't see any LDAP activity in that one. Thanks.
ados8000 (posted November 19, 2023):
The account is called testing.
Edited December 29, 2023 by GrimReaper: log deleted
Luke (posted November 19, 2023):
Is there any chance this might help you resolve the issue:
2023-11-19 14:09:30.521 Error LDAP: Ssl certifiate error RemoteCertificateNameMismatch, RemoteCertificateChainErrors
https://stackoverflow.com/questions/60341743/why-do-i-get-remotecertificatenamemismatch
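Added diagnostic, not code from the thread or the Emby LDAP plugin: the two names in that log line are .NET SslPolicyErrors values, so the same validation can be reproduced outside Emby. This PowerShell opens a TLS session to the LDAPS port, records the policy errors .NET reports, and returns the certificate's subject, SAN entries and issuer so they can be compared with the host name typed into the plugin and with the trust store of the machine running Emby; the server name and function name are mine.

```powershell
# Added example, not from the thread or the Emby LDAP plugin. Opens a TLS
# session to the LDAPS port, records the validation result .NET reports
# (the same SslPolicyErrors names that appear in Emby's log line) and
# returns the certificate's names for comparison with the plugin settings.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,   # exactly as typed in the plugin
        [int]$Port = 636
    )
    $state = @{ Errors = $null }
    # Capture the policy errors, then return $true so the handshake finishes
    # and the remote certificate can be inspected; nothing is trusted here.
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $true
    }.GetNewClosure()

    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # SNI and the name check both use $Server
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Server          = $Server
            PolicyErrors    = $state.Errors   # None, RemoteCertificateNameMismatch, ...
            Subject         = $cert.Subject
            SubjectAltNames = if ($sanExt) { $sanExt.Format($true).Trim() } else { '(none)' }
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
        }
    } finally {
        $tcp.Dispose()
    }
}

# Name mismatch: the name used to connect must appear in SubjectAltNames (an IP
# or short name usually does not). Chain errors: the Issuer's CA must be in the
# trust store of the machine or container running Emby, not just on the DC.
Test-LdapsCertificate -Server 'dc01.corp.example' | Format-List
```

Run it from the Emby host itself so the chain result reflects that machine's trust store rather than the workstation's.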
ados8000 (posted December 28, 2023):
Quoting ados8000 (November 19, 2023, 2:10 PM): "The account is called testing." (attachment: embyserver (1).txt)
@GrimReaper sorry, another. I assumed sanitised meant removing my domain from the log file at least, so odd.
GrimReaper (posted December 29, 2023):
Quoting ados8000 (16 minutes earlier): "@GrimReaper sorry, another. I assumed sanitised meant removing my domain from the log file at least, so odd."
*Deleted*