LDAP Plugin

278 replies to this topic

#1 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 06 March 2018 - 05:31 PM

Let the testing begin.

 

Important - This requires the latest beta server. Also when this is fully released, it will require Emby Premiere.

 

Installation

 

Install from the Emby plugin catalog.

 

How it Works

 

Users get assigned an authentication provider. All existing users in your Emby user database will be assigned to the default built-in provider. To test LDAP, try logging in manually with a user that doesn't yet exist in Emby. This should perform the authentication and then create the user on the Emby side.

 

To Do

  • When the admin user manually creates a user in Emby, they should be able to assign the authentication provider that the user belongs to

  • Untoten, Maximus Naxsus and mueslo like this

#2 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 06 March 2018 - 06:17 PM

This is the configuration available in the plugin. Let me know if you have any feedback, thanks.

 

[attached screenshot: plugin configuration page]


  • Maximus Naxsus and mueslo like this

#3 mueslo

mueslo

    Advanced Member

  • Members
  • 44 posts

Posted 06 March 2018 - 08:45 PM

I just installed 3.3.1.2-beta, but I don't see it listed anywhere in the plugins. Do I already need premium to test the beta?

 

Running on FreeNAS (Mono/FreeBSD 11 Jail)

 

Edit: thanks for your hard work! I'll be glad to get Premiere when this is up and running :)


Edited by mueslo, 06 March 2018 - 09:21 PM.


#4 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 06 March 2018 - 09:18 PM

No, I need to republish, hang on.

#5 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 07 March 2018 - 12:31 AM

Try it now, you should be able to find it. It's in the General section. Thanks.



#6 James W

James W

    Advanced Member

  • Members
  • 76 posts

Posted 07 March 2018 - 01:58 AM

Has anyone got this to work with a Windows Server? 

 

I am trying, but Emby will not connect to my AD server. I can run an ldapsearch from the server and the bind to my AD is successful, but Emby cannot connect, with error 91.

 

ldapsearch -x -LLL -h 10.100.0.2:389 -D user -w password -b "dc=ad,dc=example,dc=com" -s sub "(objectClass=user)" userPrincipalName 

 

will print out my AD users, so I know that the Emby server can communicate with my AD server.

2018-03-06 21:53:04.900 Error UserManager: Error authenticating with provider LDAP
    *** Error Report ***
    Version: 3.3.1.2
    Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
    Operating system: Unix 4.4.0.116
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Processor count: 1
    Program data path: /var/lib/emby
    Application directory: /opt/emby-server/system
    LdapException: Unable to connect to server 10.100.0.2:389 (91) Connect Error
    System.IO.IOException: Unable to transfer data on the transport connection: Connection reset by peer. ---> System.Net.Sockets.SocketException: Connection reset by peer
     --- End of inner exception stack trace ---
     at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
     at Novell.Directory.Ldap.Connection.connect(String host, Int32 port, Int32 semaphoreId)
    Novell.Directory.Ldap.LdapException
     at Novell.Directory.Ldap.Connection.connect(String host, Int32 port, Int32 semaphoreId)
     at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
     at LDAP.AuthenticationProvider.<Authenticate>d__8.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
     at Emby.Server.Implementations.Library.UserManager.<AuthenticateWithProvider>d__57.MoveNext()

Edited by James W, 07 March 2018 - 10:23 PM.


#7 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 07 March 2018 - 02:09 AM

What port are you using?



#8 James W

James W

    Advanced Member

  • Members
  • 76 posts

Posted 07 March 2018 - 02:12 AM

@Luke the Windows default port, 389.

 

I tried the secure port 636 as well, but there is a certificate error:

2018-03-06 21:23:12.445 Error UserManager: Error authenticating with provider LDAP
    *** Error Report ***
    Version: 3.3.1.2
    Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
    Operating system: Unix 4.4.0.116
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Processor count: 1
    Program data path: /var/lib/emby
    Application directory: /opt/emby-server/system
    System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
     at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
     at Novell.Directory.Ldap.Connection.connect(String host, Int32 port, Int32 semaphoreId)
     at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
     at LDAP.AuthenticationProvider.<Authenticate>d__8.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
     at Emby.Server.Implementations.Library.UserManager.<AuthenticateWithProvider>d__57.MoveNext()
    System.Security.Authentication.AuthenticationException
     at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
     at Novell.Directory.Ldap.Connection.connect(String host, Int32 port, Int32 semaphoreId)
     at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
     at LDAP.AuthenticationProvider.<Authenticate>d__8.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
     at Emby.Server.Implementations.Library.UserManager.<AuthenticateWithProvider>d__57.MoveNext()

Edited by James W, 07 March 2018 - 10:22 PM.
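The two failures above are a connection reset on port 389 and, on 636, a server certificate that the client's validation rejects. The block below is an added example, not code from the plugin or from this thread: it builds a throwaway CA and server certificate (the name `dc01.ad.example.com` and the CA name are assumptions, and it needs the `openssl` command) and runs the same two checks a TLS client applies before any LDAP traffic flows, so the rejection can be reproduced and diagnosed on the Emby host. A certificate issued by a private or AD-internal CA that the Emby host does not trust fails in exactly this way; the fix is to add that CA to the host's trust store and to connect by the name that is in the certificate, not to switch validation off.

```shell
#!/bin/sh
# Added example (not from the plugin or this thread): reproduce the
# "remote certificate is invalid" failure with a throwaway CA and show the
# check to run on the Emby host. Hostname and CA name are assumptions;
# needs the openssl command line tool.
set -eu

# Build a private CA and a server certificate for the (assumed) domain
# controller name in directory $1, with a SAN so hostname checks can pass.
make_test_pki() {
    dir=$1; host=dc01.ad.example.com
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example AD Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/san.cnf" -out "$dir/server.pem" >/dev/null 2>&1
}

# The two checks a TLS client performs before LDAP traffic flows: the
# certificate must chain to a CA this host trusts, and the name the client
# connected to must be in it. Returns 0 only when both pass.
check_ldaps_cert() {
    cert=$1; host=$2; cafile=${3:-}
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" >/dev/null 2>&1 && rc=0 || rc=$?
    else
        openssl verify -verify_hostname "$host" "$cert" >/dev/null 2>&1 && rc=0 || rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo "trusted: $cert chains to a trusted CA and matches $host"
    else
        echo "untrusted: $cert (what the Emby log reports as an invalid remote certificate)"
    fi
    return "$rc"
}

# Against a live directory, fetch the served chain and run the same checks:
#   openssl s_client -connect dc01.ad.example.com:636 -showcerts </dev/null
# If the check passes only with -CAfile, install the issuing CA into the Emby
# host's trust store; if the hostname check fails, configure the server name
# that appears in the certificate instead of an IP address.
```

Without a CA file the verification uses the system trust store, which is the situation the Emby host is in when an internal CA has not been installed there; with the CA file and the matching name it passes, and with a wrong name it fails again, which separates the two causes of a validation error.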


#9 horstepipe

horstepipe

    Advanced Member

  • Members
  • 1704 posts

Posted 07 March 2018 - 02:21 AM

Hey
I never worked with LDAP before. Will this bring the possibility to set up 2FA by any means?
  • Maximus Naxsus likes this

#10 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 07 March 2018 - 02:29 AM

Ok, I've pushed an update to the plugin. Check the config page, because now you can configure the port separately from the URL. Thanks.



#11 James W

James W

    Advanced Member

  • Members
  • 76 posts

Posted 07 March 2018 - 02:41 AM

@Luke unfortunately still the same error. It is strange, since I can do an LDAP search from the terminal and list all my users.

 

 

If it makes any difference, this is a fresh install on a new VM. Nothing is set up in Emby; only the LDAP plugin is installed.


Edited by James W, 07 March 2018 - 02:46 AM.


#12 horstepipe

horstepipe

    Advanced Member

  • Members
  • 1704 posts

Posted 07 March 2018 - 03:21 AM

Hey
I never worked with LDAP before. Will this bring the possibility to set up 2FA by any means?


If not, are there any other (security) benefits if I were to use it for Emby as the only service?

#13 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 07 March 2018 - 03:34 AM

If not, are there any other (security) benefits if I were to use it for Emby as the only service?

 

Probably not. This is for people who want to share logins with other services.


  • horstepipe likes this

#14 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 07 March 2018 - 03:36 AM

@James W, I've pushed an update to the plugin. Please try again and also see the config page for the ssl option.

 

Here's a working example using a popular online LDAP test server.

 

[attached screenshot: example configuration for the online LDAP test server]

 

With these values you can then login with user: tesla, password: password



#15 mueslo

mueslo

    Advanced Member

  • Members
  • 44 posts

Posted 07 March 2018 - 07:20 AM

Just got around to testing it and it works great for me (local LDAP server without SSL)! Auto-provisioning works great. I have some notes/things I tested:

 

1) Changing password in Emby doesn't work, as expected. However, it just says something like "authentication failed, wrong username/password". Not sure if the plugin architecture allows this, but it'd be great to instead either hide that dialog or to set the message to "Your account/authentication provider doesn't allow changing your password in Emby. Please contact your administrator."

 

2) I keep getting a message that I need to restart my server to finish the LDAP plugin installation. However, when I do so, the message remains and a new notification with the same message appears. Not sure if this is a separate issue; haven't yet tried installing a different plugin to see if it happens for the other one as well. Edit: happens *ONLY* with LDAP, so this seems to be an LDAP plugin bug.

 

3) It'd be great to add provisioning settings: e.g. an option to automatically hide users that were added via the LDAP plugin from the login page.

Edit: the lack of this leads to probably the most important bug I've found: any LDAP provisioned users have media delete permissions, as that is enabled by default!

 

4) Existing users with the same names as those in the LDAP directory are automatically authenticated via LDAP once the plugin is installed. This is fine and actually exactly what I want in my use case, but it should probably be noted in the plugin description. As a precaution that this does not have any bad side effects, I also tested what happens when the LDAP server goes down: both prior/upgraded accounts and LDAP-provisioned accounts can no longer log in with their LDAP password, their previous password, or an empty password. Exactly the way it should be, security-wise.

 

Edit 2: 5) Bug: with the LDAP plugin enabled, authentication does not work from the Android app. The log contains a lot of "MediaBrowser.Controller.Net.SecurityException: Access token has expired." (This was a configuration error on my part.)

 

All the LDAP accounts seem to have a blue background (the same as the LDAP plugin background). That's a great little feature for getting an overview :)

 

Thank you for your hard work!

 

 

[attached image]

(This came out of my student budget!)


Edited by mueslo, 10 March 2018 - 07:09 PM.


#16 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 07 March 2018 - 12:01 PM

Thanks for the feedback and support ! I'll look at those improvements.



#17 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 07 March 2018 - 05:38 PM

@mueslo

 

3) It'd be great to add provisioning settings: e.g. an option to automatically hide users that were added via the LDAP plugin from the login page.

 
Edit: the lack of this leads to probably the most important bug I've found: any LDAP provisioned users have media delete permissions, as that is enabled by default!

I think a better option would be to enhance the core with either:

  • a default template for new users
  • user groups, then in the ldap plugin config you can pick the user group that imported users should be assigned to

  • shocker, Nickbert and otispresley like this

#18 mueslo

mueslo

    Advanced Member

  • Members
  • 44 posts

Posted 07 March 2018 - 05:45 PM

 

I think a better option would be to enhance the core with either:

  • a default template for new users
  • user groups, then in the ldap plugin config you can pick the user group that imported users should be assigned to

 

 

Yeah, I wasn't very clear/coherent there, that's exactly what I mean. I think a default template would be easier to implement. Mapping LDAP groups sounds nice, but it is a bit more complex. For example, when a user is moved to a different group in LDAP, you expect the permissions in Emby to change accordingly. But in the end I guess it's just a question of associating user templates with LDAP groups.



#19 Luke

Luke

    System Architect

  • Administrators
  • 156694 posts

Posted 07 March 2018 - 05:46 PM

I don't mean managing LDAP groups, I just mean user groups in Emby. So you can make groups on the emby side, then in the ldap plugin you can pick the emby group that the imported user would be assigned to.
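The flow described in #1 (a provider per user, authenticate against the directory, then create the Emby user), the search filter and test-server setup in #14, the provisioning defaults and LDAP-down behaviour mueslo tested in #15, and the user template discussed in #17 to #19, as one added example. This is not the plugin's code and not Emby's API: the directory is an in-memory stand-in with constructed entries for `tesla` and a service account, the policy field names in `LDAP_USER_TEMPLATE` are assumptions, and the default filter `(uid={username})` is assumed. It shows the two things a reviewer would check in such a provider: the submitted username is escaped per RFC 4515 before it is substituted into the filter, and a directory outage fails closed instead of falling back to a local password.

```python
"""Search-then-bind LDAP auth with auto-provisioning: an added example, not the
Emby plugin's code. The directory is an in-memory stand-in; policy names are assumed."""
import hashlib, hmac, os, re
from dataclasses import dataclass, field

class LdapUnavailable(Exception):
    """Directory unreachable, or the service account cannot bind."""

def escape_filter_value(value):
    """RFC 4515: '*', '(', ')', '\\' and NUL in a filter value become \\XX escapes,
    so a submitted username such as '*)(uid=*' is matched literally, not parsed."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

class FakeLdapServer:
    """Constructed stand-in: DN -> (attributes, password). Only '(attr=value)' equality
    filters are understood; a real deployment speaks LDAP over TLS."""
    def __init__(self, entries, reachable=True):
        self.entries, self.reachable = entries, reachable

    def _require_up(self):
        if not self.reachable:
            raise LdapUnavailable("Unable to connect to server (91) Connect Error")

    def bind(self, dn, password):
        self._require_up()
        if not dn or not password:  # anonymous/unauthenticated binds never succeed here
            return False
        entry = self.entries.get(dn)
        return entry is not None and hmac.compare_digest(entry[1].encode(), password.encode())

    def search(self, base, filter_str):
        self._require_up()
        attr, wanted = re.fullmatch(r"\((\w+)=(.*)\)", filter_str).groups()
        # Compare escaped forms: the value is data, never filter syntax.
        return [dn for dn, (attrs, _) in self.entries.items()
                if dn.endswith(base) and attr in attrs and escape_filter_value(attrs[attr]) == wanted]

class LdapAuthProvider:
    """Bind as the service account, find exactly one entry, then bind as that entry."""
    name = "ldap"

    def __init__(self, server, search_base, bind_dn, bind_password,
                 search_filter="(uid={username})"):  # default filter is an assumption
        self.server, self.search_base = server, search_base
        self.bind_dn, self.bind_password, self.search_filter = bind_dn, bind_password, search_filter

    def authenticate(self, username, password):
        """Return the user's DN, or None on failure; raises LdapUnavailable."""
        if not password:  # never send an empty password as a bind
            return None
        if not self.server.bind(self.bind_dn, self.bind_password):
            raise LdapUnavailable("service account bind failed; check Bind DN/password")
        flt = self.search_filter.format(username=escape_filter_value(username))
        matches = self.server.search(self.search_base, flt)
        if len(matches) != 1:  # unknown user, or an ambiguous filter: refuse
            return None
        return matches[0] if self.server.bind(matches[0], password) else None

# Assumed policy field names; the point is least-privilege defaults for provisioned
# accounts (no deletion rights, hidden from the login page), not the "new user" defaults.
LDAP_USER_TEMPLATE = {"IsAdministrator": False, "EnableContentDeletion": False, "IsHidden": True}

@dataclass
class EmbyUser:
    name: str
    provider: str  # "builtin" or "ldap"
    policy: dict = field(default_factory=dict)
    salt: bytes = b""
    password_hash: bytes = b""

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def builtin_user(name, password, **policy):
    salt = os.urandom(16)
    return EmbyUser(name, "builtin", dict(policy), salt, _hash(password, salt))

class UserManager:
    def __init__(self, users, ldap):
        self.users, self.ldap = {u.name: u for u in users}, ldap

    def login(self, name, password):
        """EmbyUser on success, else None. LDAP users never fall back to a local password."""
        user = self.users.get(name)
        if user is not None and user.provider == "builtin":
            return user if hmac.compare_digest(_hash(password, user.salt), user.password_hash) else None
        try:
            dn = self.ldap.authenticate(name, password)
        except LdapUnavailable:
            return None  # fail closed: directory down means LDAP users cannot log in
        if dn is None:
            return None
        if user is None:  # first successful login: provision from the template
            user = self.users[name] = EmbyUser(name, self.ldap.name, dict(LDAP_USER_TEMPLATE))
        return user

def demo(reachable=True):
    """Wire everything up with constructed directory entries and one local admin."""
    directory = {"uid=tesla,dc=example,dc=com": ({"uid": "tesla"}, "password"),
                 "uid=svc-emby,dc=example,dc=com": ({"uid": "svc-emby"}, "svc-secret")}
    provider = LdapAuthProvider(FakeLdapServer(directory, reachable), "dc=example,dc=com",
                                "uid=svc-emby,dc=example,dc=com", "svc-secret")
    return UserManager([builtin_user("admin", "hunter2", IsAdministrator=True)], provider)
```

`demo()` returns a `UserManager` wired to the stand-in directory, so `demo().login("tesla", "password")` provisions the account with the template policy, and `demo(reachable=False)` simulates the outage mueslo tested: the LDAP user is refused while the local admin still works. A real provider keeps the same two rules, escape before substituting into the filter and treat any exception from the directory as a failed login rather than consulting a cached or local password.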



#20 nstephenh

nstephenh

    Member

  • Members
  • 12 posts

Posted 07 March 2018 - 09:47 PM

Has anyone gotten this working with FreeIPA? My experience with LDAP is limited, and I could only get Nextcloud properly configured by following this guide (although the config was non-standard from what I can tell). http://poorlydocumen...with-freeipa-4/

 

What I've done is copied the bind user's information from Nextcloud (then removed the "uid=user" part), as well as the base DN into the user search base field. I did not modify the user search filter. I know this is not the correct configuration, but I don't know what the correct config would be.

 

Any help would be appreciated.

 

Here's the error I get when I try to sign in with this config:

2018-03-07 20:32:43.128 Error UserManager: Error authenticating with provider LDAP
	*** Error Report ***
	Version: 3.3.1.2
	Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
	Operating system: Unix 4.13.0.36
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Processor count: 4
	Program data path: /var/lib/emby
	Application directory: /opt/emby-server/system
	LdapException: Inappropriate Authentication (48) Inappropriate Authentication
	LdapException: Matched DN: 
	Novell.Directory.Ldap.LdapException
	   at Novell.Directory.Ldap.LdapResponse.chkResultCode()
	   at Novell.Directory.Ldap.LdapConnection.Bind(Int32 version, String dn, SByte[] passwd, LdapConstraints cons)
	   at LDAP.AuthenticationProvider.<Authenticate>d__9.MoveNext()
	--- End of stack trace from previous location where exception was thrown ---
	   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	   at Emby.Server.Implementations.Library.UserManager.<AuthenticateWithProvider>d__57.MoveNext()




