Jump to content

Centralized Authentication Functionality (LDAP/SSO/HTML Header/RADIUS) [DEVELOPMENT STARTED]


Recommended Posts

Merry Christmas (or your respective holiday) everyone!

  • Like 1
Link to post
Share on other sites
  • 2 weeks later...
  • 2 weeks later...

Hopefully soon, 2 years has been a long wait and it appears we have plenty of support for this. *fingers crossed*

  • Like 1
Link to post
Share on other sites

Can you suggest any software that can be used as a quick and easy ldap test server?

 

Ubuntu is your friend:

 

https://www.linuxbabe.com/ubuntu/install-configure-openldap-server-ubuntu-16-04

 

Otherwise, download a trial of Windows Sever (180 days, I believe) and promote to domain controller:

 

https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/

Edited by Dibbes
  • Like 1
Link to post
Share on other sites

Can you suggest any software that can be used as a quick and easy ldap test server?

If you're running a VM for this purpose anyway, you might also use FreeIPA (best used on RH derivates like Fedora, CentOS or RHEL). It's a package that comes with a web interface to automatically manage multiple services, among them LDAP. There's a demo of the Web UI here: https://ipa.demo1.freeipa.org/ipa/ui/ Credentials: admin:Secret123

Edited by mueslo
  • Like 1
Link to post
Share on other sites

Can you suggest any software that can be used as a quick and easy ldap test server?

@@Luke, There are many, if you want to test multiple types too, Microsoft offers 180 day evaluations of their servers, which do not require additional software for LDAP, they just have to have the feature added, within control panel,, very native.

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2

 

Again, I suggest going the SAML2 route, as LDAP can be easily utilized as a userbase, it is quickly becoming a standard for auth and if it is up to standard, it should allow kerberos seamlessly.  Here are some userful links:

 

SAML2 Specs:

http://saml.xml.org/saml-specifications

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

 

.Net Guides/Tools

https://www.componentspace.com/SAMLv20.aspx

https://www.componentpro.com/products/saml

https://www.flexmls.com/developers/sso/getting-started/asp-net-saml-apis/

 

Other interesting links:

https://www.samltool.com/

https://developer.okta.com/standards/SAML/saml_tracer

Link to post
Share on other sites

Yes I was hoping for something standalone and simple. The Ubuntu one looks good but I suppose it's inevitable that it will turn out to have differences from Microsoft implementations.

  • Like 1
Link to post
Share on other sites

Yes I was hoping for something standalone and simple. The Ubuntu one looks good but I suppose it's inevitable that it will turn out to have differences from Microsoft implementations.

SAML2 is the way ;) I am telling you, it's indescribably better.

 

As for standalone, this seems to be what you are seeking:

https://www.openldap.org/

 

Docker distro of openldap:

https://github.com/osixia/docker-openldap

 

SAML testing environments:

https://hub.docker.com/r/kristophjunge/test-saml-idp/

 

Barebones NPM IDP for testing SAML

https://www.npmjs.com/package/saml-idp

Edited by Untoten
  • Like 1
Link to post
Share on other sites

This is Sweet. Once I get my vmhost components purchased and up and running I will stand up a few M$ VMs as a DC, SQL server, and a server to host direct access. My hope is to move the Radius authentication off my firewall and over to an IAS instance on one of the M$ VMs. With any luck I will be able to setup Emby to authenticate to the DC!!!

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
  • Like 2
Link to post
Share on other sites

This is Sweet. Once I get my vmhost components purchased and up and running I will stand up a few M$ VMs as a DC, SQL server, and a server to host direct access. My hope is to move the Radius authentication off my firewall and over to an IAS instance on one of the M$ VMs. With any luck I will be able to setup Emby to authenticate to the DC!!!

 

 

Sent from my iPhone using Tapatalk

I am hoping SAML is the route they go, having seamless SSO for all my services would be a dream.  I am so excited for this though.

  • Like 1
Link to post
Share on other sites

As of right now ldap would appear to be the most likely outcome, at least to start with.

Fair enough, I just appreciate this development regardless.  I am checking daily to watch (no pressure) haha.  I can finally unify my services :)

  • Like 1
Link to post
Share on other sites

I am hoping SAML is the route they go, having seamless SSO for all my services would be a dream.  I am so excited for this though.

 

Raw LDAP is a lot simpler, so I'm hoping they just go with that. While LDAP on your machine is already rare, SAML is like a unicorn ;)

Link to post
Share on other sites

Raw LDAP is a lot simpler, so I'm hoping they just go with that. While LDAP on your machine is already rare, SAML is like a unicorn ;)

 

As long as I can integrate Emby with my domain, I don't care how that's done... I'd already be VERY happy...

 

Obviously after there will be coming requests for Account Picture sync, password resets, Sync a specific OU, or just a security group, etc... :)

  • Like 1
Link to post
Share on other sites

Raw LDAP is a lot simpler, so I'm hoping they just go with that. While LDAP on your machine is already rare, SAML is like a unicorn ;)

Eh, SSO is easier for me nowadays, and it has more features, more universal and can utilize LDAP as a backend.  They are not really rare vs unicorn as many orgs that now have one have the other, I have implemented SSO at hundreds of companys over the years, most fortune 500 included.  I prefer SSO for universality and ease of use for the users, but to each their own.

 

 

 

As long as I can integrate Emby with my domain, I don't care how that's done... I'd already be VERY happy...

 

Obviously after there will be coming requests for Account Picture sync, password resets, Sync a specific OU, or just a security group, etc... :)

Same tbh, Anything would be incredible, I cannot describe how excited I am haha.  On your second point, I think much of that will be work-aroundable until they get around to it, which is why I want this so bad.  And finally password reset can work haha.

  • Like 1
Link to post
Share on other sites
  • 3 weeks later...

Happy valentines day everyone :)

  • Like 1
Link to post
Share on other sites
softworkz

Good news, finally there will be some progress on this issue soon.

 

First thing will be ldap. We would like to better understand the scenarios you're having in mind and how you are expecting this to be set up. Hence I'd like to gather feedback on a few questions:

 

  1. LDAP is just a protocol while the directory services that are accessed via ldap can be very different.
    What kind of DS implementations are you intending to connect to? We're currently planning for
    • MS Active Directory
    • Apache DS
      Which one do you have in mind or already in use?
  2. Important point is how you would want to provision users. Probably only in rare cases you would simply want to allow any user contained in the directory to access Emby. There are a number of ways possible ways to handle this:
    • Filtering via ldap query: only users matching a certain path query are allowed
      Pro: easy to implement, 
      Con: not too flexible; what can be done depends on the DS implementation; the ds content mght need to be modified to indicate which users are eligible for using emby; ldap queries may be difficult to design for some; 
       
    • Black List: Just allow adding some DS users to a simple list, which are not allowed to log in (all others are allowed)
      Pro: very easy to implement
      Con: Insecure since any user added to the DS afterwards will have access to emby immediately, even if this is undesired
       
    • White List/Import: Display a list of users from the DS to the admin from which he can manually select the users that he wants to grant access to emby
      PRO: Explicit selection is transparent and most secure variant; allows assigning individial emby permissions even before a user logs in for the first time
      CON: Users that get added to the DS are not automatically allowed to log into emby
       
    • Approval based: When a user logs in for the first time, login fails with an error message like "Approval request has been sent". Then the admin is informed about this and will need to accept or deny the user
      PRO: transparent and secure (explicit control about user access)
      CON: High development effort, probably not going to happen; inconvenient user experience (first login failing)
       
    • Any better ideas?

Note that this is just about LDAP authentication (without SSO), please do not reply suggesting other methods. For now, it's LDAP only.

Very important: This is not a feature list! It's just meant as a starting point for exchanging some thoughts...

  • Like 1
Link to post
Share on other sites
DarkFeather

I use OpenLDAP domain controllers, and searching for Emby users by base DN is fine. OpenLDAP uses uid instead of samAccountName in AD, and so it'd be great if we could enter what those properties are in the CAS setup screen.

 

I'd also be open to the MemberOf attribute being used as well -- MediaWiki and most other LDAP clients can look at that. It's standard between OpenLDAP and Active Directory.

 

User approval works too.

  • Like 1
Link to post
Share on other sites

Ohh this is amazing news. Anything to start will be a huge step forward.

 

For me

 

1. MS Active Directory

2. Filtering via ldap query (with a selectable group)

This was we can just make a group in AD for emby specific users. Anyone added to this group will be able to login on first try.

 

I would say no need to have them all imported. Just have the emby account created when they log in for the first time. It would be nice to have a an option for a preset profile style and the admin can alter if needed.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...