Completed Centralized Authentication Functionality (LDAP/SSO/HTML Header/RADIUS) [DEVELOPMENT STARTED]

[Untoten 295]

A new topic would probably be better, otherwise it's hard to assess the interest level for SSO vs LDAP. There could be a lot who are satisfied with what we've already done but that's difficult to measure.

Fair enough, I will try to separate all the information and likes in a different topic.  How hard would it be to just accept proxy/header auth?  That could be a simple SSO solution that would not require a full up-to-spec SAML implementation.

 

Thank you again for getting this done, with my poor luck I flew out to Denmark the day you released it and have not had a chance to try it yet haha.

[Luke 36991]

I've pushed an update to the LDAP plugin to allow you to specify the default libraries that an LDAP user should be given access to. Thanks !

[doug.dimick 12]

I'm trying to figure out where I can add my self-signed CA root cert so that I can use the LDAP plugin with SSL. In the Emby docker image there's /etc/ssl/certs/ca-certificates.crt but appending the certificate to that file doesn't appear to help. Where does Emby look for trusted CA certs?

[Luke 36991]

That's a good question. We haven't tested that sort of thing at this point.

[doug.dimick 12]

On another note, I generally permit ldap users to log in using either their uid/username or their email address. Emby treats those as two separate accounts, though. It would be nice if I could tell Emby to use a specific ldap field for the Emby-side account name. The below string works for authentication the way I want, I just wind up with both "doug" and "doug@my.org" as Emby accounts if I log in both ways.

 

User search filter:

(&(|(uid={0})(|(mailPrimaryAddress={0})(mail={0})))(memberof=cn=embyusers,cn=groups,cn=accounts,dc=my,dc=org))

[Luke 36991]

Hi, yes I agree that's a good idea as well. Thanks.

[twinkybot 3]

Nice work with the LDAP plugin

Working like a charm.

[metalcated 21]

LDAP works, but its simple and only one authentication method. Regardless kodos for making this happen!  

 

I saw in the main thread 

• SAML2 connector
  

Is that still something that is being considered? I would really like having that functionality to integrate Okta authentication as a means of logging in. Just curious. Thanks!

[Luke 36991]

 

LDAP works, but its simple and only one authentication method. Regardless kodos for making this happen!

 

I saw in the main thread 

• SAML2 connector

Is that still something that is being considered? I would really like having that functionality to integrate Okta authentication as a means of logging in. Just curious. Thanks!

 

 

I guess first we need to understand the demand for that compared to just having LDAP. Can you open a feature request topic for this? That will allow us to better measure it. Thanks !

[metalcated 21]

I guess first we need to understand the demand for that compared to just having LDAP. Can you open a feature request topic for this? That will allow us to better measure it. Thanks !

 

https://emby.media/community/index.php?/topic/77083-saml2oauth-login-method-ie-okta/

 

Thanks!

[nt-it-team 1]

Hello,

 

Will the LDAP integration continue to work after the changes due in March regarding LDAP signing?

 

ref:

https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

https://www.pkisolutions.com/reminder-ldap-signing-requirements-in-march-2020/

[Luke 36991]

Thanks for the info. I guess we'll find out as soon as we can test it. If it doesn't then we'll update the plugin.

[andrew0404 11]

I don't see a separate FR for SSO, did that not ever get created?