LDAP Plugin


278 replies to this topic

#181 Fug1 OFFLINE  

Fug1

    Newbie

  • Members
  • 7 posts
  • Local time: 05:43 PM

Posted 15 December 2018 - 07:21 AM

That solution would work for me, but it's vulnerable to a MITM attack. Would be preferable if you could specify a CA certificate.



#182 Elegant OFFLINE  

Elegant

    Advanced Member

  • Members
  • 37 posts
  • Local time: 05:43 PM

Posted 15 December 2018 - 03:03 PM

@Fug1, wouldn't bother me either.



#183 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 156973 posts
  • Local time: 06:43 PM

Posted 16 December 2018 - 05:52 PM

We'll look into different approaches. Thanks.



#184 mueslo OFFLINE  

mueslo

    Advanced Member

  • Members
  • 44 posts
  • Local time: 11:43 PM

Posted 16 December 2018 - 06:41 PM

@Fug1 @Elegant What's the problem with adding your personal root certificate to the valid root certificates on whatever system Emby is being run?



#185 Fug1 OFFLINE  


Posted 16 December 2018 - 06:50 PM

@mueslo, I've done that but it doesn't seem to be using it. I'm running Emby in an Ubuntu 16.04 LXC container, so I used update-ca-certificates to load the CA that I used to sign the LDAP certificate.



#186 Luke OFFLINE  


Posted 16 December 2018 - 07:00 PM

It's because we ship our own certificate store.



#187 DexDeadly OFFLINE  

DexDeadly

    Advanced Member

  • Members
  • 33 posts
  • Local time: 06:43 PM

Posted 03 January 2019 - 11:53 PM

Hello All,

I just set up the LDAP Plugin but I think I'm completely lost on setting up the connection. I tried to mimic how I have pfsense set up. However, I don't believe I understand how to set up the bind credentials. Is it a user name and password? What's the syntax? I've attached a picture of my setup. I've created a service account in my AD as well, just like I did for pfsense to use for bind. That user is emby. Do I need to place that in here somewhere with the password? Appreciate the help!

 

5c2ed8624029e_emby.png



#188 Luke OFFLINE  


Posted 04 January 2019 - 03:05 AM

That would be a password, yes. Please let us know how you get on.



#189 DexDeadly OFFLINE  


Posted 04 January 2019 - 04:42 AM

Ok so that is just the password. Is the line above it where I would place the user name? Not sure how. I have a Windows Active Directory server if that's what you mean.

#190 Fug1 OFFLINE  


Posted 04 January 2019 - 08:08 AM

Bind DN should be your bind user name. CN is the user name of the bind user. So mine has CN=ldap-bind,OU=users,DC=mydomainname,DC=com


Edited by Fug1, 04 January 2019 - 08:10 AM.


#191 DexDeadly OFFLINE  


Posted 04 January 2019 - 10:32 AM

@Fug1 THANK YOU! I kept reading and I was thinking that is what the issue was. Once you showed me that I realized I was almost there and realized I missed an = on my last DC. 3AM not the best time to work on things sometimes haha. Anyway appreciate the help. I even was able to get a good working search filter for a security group. :) Love this plugin. It was the 1 thing I really wanted to see. Joined premier because of it!


Edited by DexDeadly, 04 January 2019 - 10:32 AM.


#192 Luke OFFLINE  


Posted 17 January 2019 - 03:09 PM

 

Has anyone been able to get LDAP working with TLS? Either STARTTLS on LDAP or LDAPS. Neither seems to work for me.

 

Seems to be an issue with the certificate. The certificate I'm using is self-signed. The CA I used to sign it is a trusted CA in the client O/S (Ubuntu), and it's also referenced in /etc/ldap/ldap.conf.
 
Emby logs with LDAPS:

2018-12-14 22:20:56.043 Error UserManager: Error authenticating with provider LDAP
        *** Error Report ***
        Version: 3.6.0.76
        Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
        Operating system: Unix 4.10.17.2
        64-Bit OS: True
        64-Bit Process: True
        User Interactive: True
        Processor count: 16
        Program data path: /var/lib/emby
        Application directory: /opt/emby-server/system
        System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
           at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
           at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
           at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
           at LDAP.AuthenticationProvider.Authenticate(String username, String password)
           at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
        Source: LDAP
        TargetSite: Void WaitAndUnwrap(System.Threading.Tasks.Task, Int32)
           at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
           at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
           at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
           at LDAP.AuthenticationProvider.Authenticate(String username, String password)
           at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)

 

@Fug1, taking a look at this. We could potentially use the certificate hash or public key as a means of validating the cert. That means you'd have to enter one of those values into the plugin configuration, and then our certificate validation override could check that.
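
The certificate-hash check proposed in post #192, written out as an added example (not part of the post, and not Emby's or the plugin's code). It assumes the configured value is a SHA-256 fingerprint of the server certificate; the function names and the sample bytes are made up for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def normalize_pin(configured: str) -> bytes:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; return the 32 digest bytes."""
    raw = bytes.fromhex("".join(ch for ch in configured if ch not in ": -\t"))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin must be a SHA-256 certificate fingerprint")
    return raw

def cert_matches_pin(der_cert: bytes, configured_pin: str) -> bool:
    """True only if SHA-256 over the DER certificate equals the configured pin."""
    if not der_cert:
        return False                      # no certificate presented: fail closed
    actual = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(actual, normalize_pin(configured_pin))

def open_pinned_ldaps(host: str, configured_pin: str, port: int = 636,
                      timeout: float = 5.0) -> ssl.SSLSocket:
    """Open LDAPS and hand back the socket only if the server cert matches the pin.

    Chain validation is off because the pin replaces it for a certificate the
    bundled store does not trust; the check runs before any bind is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    if not cert_matches_pin(tls.getpeercert(binary_form=True) or b"", configured_pin):
        tls.close()
        raise ssl.SSLError("LDAP server certificate does not match the configured pin")
    return tls

# Constructed stand-in for a DER certificate; the fingerprint is a hash over raw bytes.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
```

A pin on the whole certificate has to be updated whenever the server certificate is reissued.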



#193 Fug1 OFFLINE  


Posted 17 January 2019 - 03:23 PM

@Luke, that works for me!



#194 Luke OFFLINE  


Posted 18 January 2019 - 12:58 AM

Great, thanks. We'll look at this in the near future.



#195 twinkybot OFFLINE  

twinkybot

    Advanced Member

  • Members
  • 81 posts
  • Local time: 12:43 AM

Posted 20 January 2019 - 07:13 AM

Hopefully I didn't miss the answer to my question but is it possible to export existing users to LDAP?

 

EDIT: yes found it on page 7 :)


Edited by twinkybot, 20 January 2019 - 07:17 AM.


#196 centuryx476 OFFLINE  

centuryx476

    Advanced Member

  • Members
  • 55 posts
  • Local time: 05:43 PM

Posted 21 January 2019 - 10:14 PM

Hello,

I am trying to get LDAP configured. I have used LDAP before on other products (Atlassian), so I am familiar with the concepts.

I cannot get a successful sign on.

2019-01-21 20:30:34.951 Warn HttpServer: AUTH-ERROR: (Removed Serve IP for this post) - Invalid user or password entered.
2019-01-21 20:30:34.951 Error HttpServer: Invalid user or password entered.

This is the search filter. Can I put something else in there, or are we limited to "(uid={0})"?

User search Filter: (uid={0})

 

I really need LDAP to work as "Emby" satisfies all the requirements for my environment.

I will appreciate any help.

Thank you in advance


Edited by centuryx476, 21 January 2019 - 10:15 PM.


#197 MathewW_MNF OFFLINE  

MathewW_MNF

    Member

  • Members
  • 14 posts
  • Local time: 10:43 AM

Posted 21 January 2019 - 10:38 PM

If you're using AD for LDAP try (sAMAccountName={0})



#198 otispresley OFFLINE  

otispresley

    Advanced Member

  • Members
  • 157 posts
  • Local time: 06:43 PM
  • LocationApex, NC

Posted 21 January 2019 - 10:55 PM

This is the search filter. Can I put something else in there, or are we limited to "(uid={0})"?

User search Filter: (uid={0})

 

You can put something else in there. I am using AD and have this in mine to only allow users in the Emby group to log in:

(&(|(cn={0}))(|(|(memberof=CN=Emby,CN=Users,DC=example,DC=com))))

Edited by otispresley, 21 January 2019 - 10:56 PM.


#199 MathewW_MNF OFFLINE  


Posted 21 January 2019 - 10:57 PM

 

You can put something else in there. I am using AD and have this in mine to only allow users in the Emby group to log in:

(&(|(cn={0}))(|(|(memberof=CN=Emby,CN=Users,DC=example,DC=com))))

I'm curious about that one, I tried it and they had to use their full name rather than their username to login, is that the behaviour you get?



#200 otispresley OFFLINE  


Posted 21 January 2019 - 11:03 PM

I'm curious about that one, I tried it and they had to use their full name rather than their username to login, is that the behaviour you get?

 

No, I can use the username. What version of Windows? Mine is on Server 2016. I have not done anything special to the domain settings that I know of. This is the Emby group:

5c4687c18c7cb_emby.png

 

I do have the Essentials role installed though. I wonder if that has anything to do with it?


Edited by otispresley, 21 January 2019 - 11:05 PM.
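
An added example, not part of any post and not the plugin's code, that evaluates the filters from posts #196 to #198 against two constructed directory entries. It assumes an entry whose cn holds the full name while sAMAccountName holds the logon name; the parser handles only the and/or/not and equality forms used in this thread, and the login name is escaped per RFC 4515 before it replaces {0}.

```python
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515: encode \\ * ( ) NUL so the login name stays one literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def fill(template: str, username: str) -> str:
    """Substitute the escaped login name for the {0} placeholder."""
    return template.replace("{0}", escape_filter_value(username))

def parse(f: str, i: int = 0):
    """Parse (&..), (|..), (!..) or (attr=value); return (node, next index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1                    # step over the closing ')'
    end = f.index(")", i)
    attr, _, val = f[i + 1:end].partition("=")
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return ("=", attr.lower(), val.lower()), end + 1

def matches(node, entry) -> bool:
    """Equality-only evaluation; names and values compare case-insensitively."""
    if node[0] == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    hits = [matches(kid, entry) for kid in node[1]]
    return all(hits) if node[0] == "&" else any(hits) if node[0] == "|" else not hits[0]

# Constructed directory entries (assumption: cn = full name, sAMAccountName = logon name).
EMBY_GROUP = "CN=Emby,CN=Users,DC=example,DC=com"
DIRECTORY = [
    {"cn": ["Jane Doe"], "samaccountname": ["jdoe"], "memberof": [EMBY_GROUP]},
    {"cn": ["bob"], "samaccountname": ["bob"], "memberof": []},
]

def search(template: str, username: str) -> list:
    """Return the cn of every constructed entry the filled filter matches."""
    tree, _ = parse(fill(template, username))
    return [e["cn"][0] for e in DIRECTORY if matches(tree, e)]

FILTER_FROM_198 = "(&(|(cn={0}))(|(|(memberof=CN=Emby,CN=Users,DC=example,DC=com))))"
# Constructed variant: the attribute from post #197 with the group test from #198.
FILTER_BY_LOGON = "(&(sAMAccountName={0})(memberOf=CN=Emby,CN=Users,DC=example,DC=com))"
```

With these entries the cn-based filter matches "Jane Doe" but not "jdoe", while the sAMAccountName variant matches "jdoe" and still rejects bob, who is not in the group.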




