DarkFeather 3 Posted December 19, 2017
+1 -- my network also desires LDAP integration
kihim 1 Posted December 19, 2017
BUMP
Untoten 295 Posted December 25, 2017 Author
Merry Christmas (or your respective holiday) everyone!
zerpex 4 Posted January 4, 2018
+1, it would be really great.
Untoten 295 Posted January 15, 2018 Author
Hopefully soon, 2 years has been a long wait and it appears we have plenty of support for this. *fingers crossed*
Luke 37008 Posted January 15, 2018
Can you suggest any software that can be used as a quick and easy ldap test server?
Dibbes 431 Posted January 15, 2018
> Can you suggest any software that can be used as a quick and easy ldap test server?
Ubuntu is your friend: https://www.linuxbabe.com/ubuntu/install-configure-openldap-server-ubuntu-16-04
Otherwise, download a trial of Windows Server (180 days, I believe) and promote to domain controller: https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/
Edited January 15, 2018 by Dibbes
Luke 37008 Posted January 16, 2018
That looks like it could work, thanks.
mueslo 16 Posted January 16, 2018
> Can you suggest any software that can be used as a quick and easy ldap test server?
If you're running a VM for this purpose anyway, you might also use FreeIPA (best used on RH derivatives like Fedora, CentOS or RHEL). It's a package that comes with a web interface to automatically manage multiple services, among them LDAP. There's a demo of the Web UI here: https://ipa.demo1.freeipa.org/ipa/ui/
Credentials: admin:Secret123
Edited January 16, 2018 by mueslo
Untoten 295 Posted January 17, 2018 Author
> Can you suggest any software that can be used as a quick and easy ldap test server?
@Luke, There are many, if you want to test multiple types too, Microsoft offers 180 day evaluations of their servers, which do not require additional software for LDAP, they just have to have the feature added, within control panel, very native.
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2
Again, I suggest going the SAML2 route, as LDAP can be easily utilized as a userbase, it is quickly becoming a standard for auth and if it is up to standard, it should allow kerberos seamlessly. Here are some useful links:
SAML2 Specs:
http://saml.xml.org/saml-specifications
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
.Net Guides/Tools:
https://www.componentspace.com/SAMLv20.aspx
https://www.componentpro.com/products/saml
https://www.flexmls.com/developers/sso/getting-started/asp-net-saml-apis/
Other interesting links:
https://www.samltool.com/
https://developer.okta.com/standards/SAML/saml_tracer
Luke 37008 Posted January 17, 2018
Yes I was hoping for something standalone and simple. The Ubuntu one looks good but I suppose it's inevitable that it will turn out to have differences from Microsoft implementations.
Untoten 295 Posted January 17, 2018 Author
> Yes I was hoping for something standalone and simple. The Ubuntu one looks good but I suppose it's inevitable that it will turn out to have differences from Microsoft implementations.
SAML2 is the way I am telling you, it's indescribably better. As for standalone, this seems to be what you are seeking: https://www.openldap.org/
Docker distro of openldap: https://github.com/osixia/docker-openldap
SAML testing environments: https://hub.docker.com/r/kristophjunge/test-saml-idp/
Barebones NPM IDP for testing SAML: https://www.npmjs.com/package/saml-idp
Edited January 17, 2018 by Untoten
Tur0k 143 Posted January 17, 2018
This is Sweet. Once I get my vmhost components purchased and up and running I will stand up a few M$ VMs as a DC, SQL server, and a server to host direct access. My hope is to move the Radius authentication off my firewall and over to an IAS instance on one of the M$ VMs. With any luck I will be able to setup Emby to authenticate to the DC!!!
Sent from my iPhone using Tapatalk
Edited January 17, 2018 by Tur0k
Untoten 295 Posted January 23, 2018 Author
> This is Sweet. Once I get my vmhost components purchased and up and running I will stand up a few M$ VMs as a DC, SQL server, and a server to host direct access. My hope is to move the Radius authentication off my firewall and over to an IAS instance on one of the M$ VMs. With any luck I will be able to setup Emby to authenticate to the DC!!!
> Sent from my iPhone using Tapatalk
I am hoping SAML is the route they go, having seamless SSO for all my services would be a dream. I am so excited for this though.
Luke 37008 Posted January 23, 2018
As of right now ldap would appear to be the most likely outcome, at least to start with.
Untoten 295 Posted January 23, 2018 Author
> As of right now ldap would appear to be the most likely outcome, at least to start with.
Fair enough, I just appreciate this development regardless. I am checking daily to watch (no pressure) haha. I can finally unify my services
zerpex 4 Posted January 23, 2018
+1 for openldap
mueslo 16 Posted January 23, 2018
> I am hoping SAML is the route they go, having seamless SSO for all my services would be a dream. I am so excited for this though.
Raw LDAP is a lot simpler, so I'm hoping they just go with that. While LDAP on your machine is already rare, SAML is like a unicorn
Dibbes 431 Posted January 23, 2018
> Raw LDAP is a lot simpler, so I'm hoping they just go with that. While LDAP on your machine is already rare, SAML is like a unicorn
As long as I can integrate Emby with my domain, I don't care how that's done... I'd already be VERY happy... Obviously after there will be coming requests for Account Picture sync, password resets, Sync a specific OU, or just a security group, etc...
Untoten 295 Posted January 24, 2018 Author
> Raw LDAP is a lot simpler, so I'm hoping they just go with that. While LDAP on your machine is already rare, SAML is like a unicorn
Eh, SSO is easier for me nowadays, and it has more features, more universal and can utilize LDAP as a backend. They are not really rare vs unicorn as many orgs that now have one have the other, I have implemented SSO at hundreds of companies over the years, most Fortune 500 included. I prefer SSO for universality and ease of use for the users, but to each their own.
> As long as I can integrate Emby with my domain, I don't care how that's done... I'd already be VERY happy... Obviously after there will be coming requests for Account Picture sync, password resets, Sync a specific OU, or just a security group, etc...
Same tbh, Anything would be incredible, I cannot describe how excited I am haha. On your second point, I think much of that will be work-aroundable until they get around to it, which is why I want this so bad. And finally password reset can work haha.
Untoten 295 Posted February 14, 2018 Author
Happy Valentine's Day everyone
Haplo164 1 Posted February 18, 2018
I also switched over from plex for the user management, and I would love some SSO options.
softworkz 3326 Posted February 25, 2018
Good news, finally there will be some progress on this issue soon. First thing will be ldap.
We would like to better understand the scenarios you're having in mind and how you are expecting this to be set up. Hence I'd like to gather feedback on a few questions:
LDAP is just a protocol while the directory services that are accessed via ldap can be very different. What kind of DS implementations are you intending to connect to? We're currently planning for
- MS Active Directory
- Apache DS
Which one do you have in mind or already in use?
Important point is how you would want to provision users. Probably only in rare cases you would simply want to allow any user contained in the directory to access Emby. There are a number of possible ways to handle this:
- Filtering via ldap query: only users matching a certain path query are allowed
  Pro: easy to implement
  Con: not too flexible; what can be done depends on the DS implementation; the ds content might need to be modified to indicate which users are eligible for using emby; ldap queries may be difficult to design for some
- Black List: Just allow adding some DS users to a simple list, which are not allowed to log in (all others are allowed)
  Pro: very easy to implement
  Con: Insecure since any user added to the DS afterwards will have access to emby immediately, even if this is undesired
- White List/Import: Display a list of users from the DS to the admin from which he can manually select the users that he wants to grant access to emby
  Pro: Explicit selection is transparent and most secure variant; allows assigning individual emby permissions even before a user logs in for the first time
  Con: Users that get added to the DS are not automatically allowed to log into emby
- Approval based: When a user logs in for the first time, login fails with an error message like "Approval request has been sent". Then the admin is informed about this and will need to accept or deny the user
  Pro: transparent and secure (explicit control about user access)
  Con: High development effort, probably not going to happen; inconvenient user experience (first login failing)
Any better ideas?
Note that this is just about LDAP authentication (without SSO), please do not reply suggesting other methods. For now, it's LDAP only.
Very important: This is not a feature list! It's just meant as a starting point for exchanging some thoughts...
DarkFeather 3 Posted February 25, 2018
I use OpenLDAP domain controllers, and searching for Emby users by base DN is fine. OpenLDAP uses uid instead of samAccountName in AD, and so it'd be great if we could enter what those properties are in the CAS setup screen. I'd also be open to the MemberOf attribute being used as well -- MediaWiki and most other LDAP clients can look at that. It's standard between OpenLDAP and Active Directory. User approval works too.
James W 7 Posted February 25, 2018
Ohh this is amazing news. Anything to start will be a huge step forward. For me
1. MS Active Directory
2. Filtering via ldap query (with a selectable group)
This way we can just make a group in AD for emby specific users. Anyone added to this group will be able to login on first try. I would say no need to have them all imported. Just have the emby account created when they log in for the first time. It would be nice to have an option for a preset profile style and the admin can alter if needed.
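The "filtering via ldap query" option with a configurable login attribute (uid vs. sAMAccountName) and a memberOf group restriction, as discussed in the three posts above, sketched as an added example that is not part of the thread and not Emby code. All names (`DirectoryProfile`, `build_login_filter`, the sample DN) and the object-class defaults are assumptions; the username is escaped per RFC 4515 so that typed characters such as `*` or `)` are matched literally instead of changing the query.

```python
# Added example, not Emby code: every name below is hypothetical.
from dataclasses import dataclass
from typing import Optional

# RFC 4515 requires these characters to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape text so it is matched literally and cannot alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class DirectoryProfile:
    """Per-directory settings an admin would enter on the setup screen."""
    login_attr: str    # attribute holding the login name
    object_class: str  # object class of user entries (assumed common defaults)


OPENLDAP = DirectoryProfile(login_attr="uid", object_class="inetOrgPerson")
ACTIVE_DIRECTORY = DirectoryProfile(login_attr="sAMAccountName", object_class="user")


def build_login_filter(profile: DirectoryProfile, username: str,
                       group_dn: Optional[str] = None) -> str:
    """Return the search filter used to find one user at login time.

    With group_dn set, only members of that group match, so access is
    granted by adding a user to the group in the directory.
    """
    if not username or username != username.strip():
        raise ValueError("username is empty or has surrounding whitespace")
    clauses = [
        f"(objectClass={profile.object_class})",
        f"({profile.login_attr}={escape_filter_value(username)})",
    ]
    if group_dn:
        # Assumes the server populates memberOf (on OpenLDAP this needs
        # the memberof overlay); nested groups are not resolved here.
        clauses.append(f"(memberOf={escape_filter_value(group_dn)})")
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    group = "cn=emby-users,ou=groups,dc=example,dc=org"  # constructed sample DN
    print(build_login_filter(OPENLDAP, "alice", group))
    print(build_login_filter(ACTIVE_DIRECTORY, "bob*)(cn=x", group))
```

The filter only selects the entry; the password check is then a bind as the returned DN with the password the user supplied.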