
Centralized Authentication Functionality (LDAP/SSO/HTML Header/RADIUS) [DEVELOPMENT STARTED]


Untoten


Edit, no need for PM, please see my previous post for a link to the testing thread. Thanks.


Untoten

These are the settings that are available in the plugin setup screen:

https://emby.media/community/index.php?/topic/56793-ldap-plugin/?p=553487

@@Luke My god this is amazing I want to cry. I will try this when I am back in the states. Two questions:

  • What is the current user sync workflow?
  • A few of my systems have 100+ users who have set their own passwords, do you have any way to get the user credentials so we can manually add the users to our AD or a tool to do this?

selfless

This is great, guys! Working like a charm with openldap.

 

Is there a way not to show the users on the loginscreen by default?


Untoten

This is great, guys! Working like a charm with openldap.

 

Is there a way not to show the users on the loginscreen by default?

That is what I am hoping comes of this.  All user settings global with inheritance from group.


Please take specific questions and troubleshooting of the implementation to the beta thread.

 

Thanks.


 

@@Luke My god this is amazing I want to cry. I will try this when I am back in the states. Two questions:

  • What is the current user sync workflow?
  • A few of my systems have 100+ users who have set their own passwords, do you have any way to get the user credentials so we can manually add the users to our AD or a tool to do this?

 

 

There is no sync. You just log in and the user gets created on the Emby side.


This is great, guys! Working like a charm with openldap.

 

Is there a way not to show the users on the loginscreen by default?

 

We will defer this to other feature requests, but yes. When the user gets automatically created, what we ought to have is the ability for you to specify the default set of settings that they get created with.

 

So having those defaults for new users, that's something that can just go into the core server so that it benefits everyone.


Untoten

There is no sync. You just log in and the user gets created on the Emby side.

What about 'transferring' existing users to LDAP from emby?


mueslo

What about 'transferring' existing users to LDAP from emby?

I doubt that will be implemented as that is a lot more effort than it's worth. You can do so manually, but only in the unlikely case that the Emby password hash/salt method is compatible with your LDAP server.


Is it even necessary to transfer? I suppose the only reason would be to configure the user accounts before they are actually used. But is there any other reason beyond that?


Untoten

Is it even necessary to transfer? I suppose the only reason would be to configure the user accounts before they are actually used. But is there any other reason beyond that?

Mostly the fact that all the users have self-set passwords (I do not know them), since I could not enter an email for the users (the attribute only exists for emby connect) to send a recovery email, I would have to figure out who each person is and their contact.  I can do it if needed, I am grateful this is being implemented at all, it was more food for thought.  Again, I am so so so happy this day is here now.


Mostly the fact that all the users have self-set passwords (I do not know them), since I could not enter an email for the users (the attribute only exists for emby connect) to send a recovery email, I would have to figure out who each person is and their contact.  I can do it if needed, I am grateful this is being implemented at all, it was more food for thought.  Again, I am so so so happy this day is here now.

 

I still don't quite follow. Couldn't you just wait for them to log in to Emby? At that point, the user in Emby will be created automatically once their LDAP authentication succeeds for the first time.


Dibbes

Luke, since that's another user, you will have lost statuses and other settings. I was more thinking about the possibility to link an LDAP account with an Emby account so that you use the LDAP to login to the already existing Emby account, hence keeping settings, etc. but using LDAP credentials.

 

 


Luke, since that's another user, you will have lost statuses and other settings. I was more thinking about the possibility to link an LDAP account with an Emby account so that you use the LDAP to login to the already existing Emby account, hence keeping settings, etc. but using LDAP credentials.

 

 


 

I think on the manage user screen we'll probably have a way to set the login provider for that user. That would allow you to change an existing user to LDAP.


Dibbes

I installed the LDAP plugin without configuring it yet, and it seems that the users that have the same Emby username as the AD account now have to login with their AD password, where previously the password was blank. Is this expected behaviour?

 

Note:

 

 - The OS of the Emby server is Windows 10 Pro x64 (fully updated) and part of the domain

 - The NSSM service is running with a domain admin account, so there are no access issues with the Synology boxes (which are also part of the AD)

 - None of the Emby users that have an equivalent (Same account name in both) in AD are Emby admins


If they don't have an authentication provider assigned yet then it should try both.


If there was a "migrate" switch assigned to each user then Emby server could validate the login using the normal password in the DB and if successful reset the password in LDAP on behalf of the user.

 

That's the cleanest way I can think to do it.

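The "migrate" switch proposed in the post above, sketched as an added example (not part of the thread and not Emby's or the LDAP plugin's code). The PBKDF2 hashing, the `FakeDirectory` stand-in for an LDAP server and every name below are assumptions made for illustration:

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: the thread does not say how Emby hashes passwords


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class FakeDirectory:
    """In-memory stand-in for an LDAP server (constructed, hypothetical)."""

    def __init__(self):
        self._passwords = {}

    def set_password(self, username, password):
        # A real directory server would hash and store this itself.
        self._passwords[username] = password

    def bind(self, username, password):
        stored = self._passwords.get(username)
        # Empty passwords are refused: on a real server an empty-password
        # simple bind is an unauthenticated bind, not a credential check.
        if not password or stored is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())


def make_local_user(password, migrate=False):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "provider": "local", "migrate": migrate}


def login(users, directory, username, password):
    user = users.get(username)
    if user is None or not password:
        return False
    if user["provider"] == "ldap":
        return directory.bind(username, password)
    # Local provider: verify against the stored salted hash.
    if not hmac.compare_digest(user["hash"], hash_password(password, user["salt"])):
        return False
    if user["migrate"]:
        # The plaintext exists only during this request; push it to the
        # directory, then drop the local hash so only LDAP can authenticate.
        directory.set_password(username, password)
        user.update(provider="ldap", migrate=False, salt=None, hash=None)
    return True
```

Because the existing account record is kept and only its login provider changes, per-user settings stay attached to it.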

  • 2 weeks later...
  • 3 weeks later...
Untoten

The beta looks to be going well. You can now configure default user permissions for newly imported LDAP users, and the change password function is now supported as well.

 

https://emby.media/community/index.php?/topic/56793-ldap-plugin/

 

Enjoy.

Although this is amazing, this request also encompasses SSO, as many users wanted that.  So it is >50% done but many of the supporters of this thread do so for SSO.  Not discounting your work, this is incredible and adds so many features that come from this, but just want to make it clear that this request is for both.


  • 2 weeks later...

A new topic would probably be better, otherwise it's hard to assess the interest level for SSO vs LDAP. There could be a lot who are satisfied with what we've already done but that's difficult to measure.

