LDAP Plugin


278 replies to this topic

#241 James Weber OFFLINE  

James Weber

    Member

  • Members
  • 14 posts
  • Local time: 04:57 PM

Posted 11 October 2019 - 10:10 PM

@Luke

 

Is it possible to input multiple SHA1 hashes for different servers? I was using port 389 and inputting my domain name so Emby could resolve to either DC for authentication, but I am changing all my LDAP services to LDAPS for more security. Currently I must put a hash and can only point to one AD server, as each contains a different certificate.

 

Maybe a way to specify certificates in /etc/ssl/certs or something along those lines. I know it has to be multi platform independent. 

 

Something like the Nextcloud implementation where multiple servers can be added would be a nice feature. Also a test button to check if the configuration is working.  


Edited by James Weber, 11 October 2019 - 10:47 PM.


#242 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 156704 posts
  • Local time: 08:57 PM

Posted 12 October 2019 - 02:43 PM

With multiple servers, how would we know which server to use for a given user?



#243 James Weber OFFLINE  

Posted 12 October 2019 - 02:52 PM

@Luke

 

Mine are Windows AD servers that replicate. So the user information should be exactly the same on either. If anyone has more than one LDAP server the user base/information should match exactly the same on both. Two servers are just used for redundancy. If one LDAP server is down it just moves on to the next one for authentication.


Edited by James Weber, 12 October 2019 - 02:54 PM.


#244 Luke OFFLINE  

Posted 21 October 2019 - 02:09 PM

To minimize the UI work, what if we just accepted a comma delimited list of hashes?



#245 James Weber OFFLINE  

Posted 21 October 2019 - 02:25 PM

@Luke

That works for me no problem.

#246 Luke OFFLINE  

Posted 22 October 2019 - 11:46 AM

Ok we can add that. Thanks.
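
The comma-delimited hash list agreed on above, sketched as an added example (not the plugin's code): parse the field, then fail over across domain controllers and accept only a host whose certificate SHA-1 matches one of the pins. The host names, the sample certificate bytes and the fetch_der_cert callback are assumptions made for illustration.

```python
import hashlib
import hmac

def parse_pins(field):
    """Parse the comma-delimited hash field into a set of lowercase hex SHA-1 pins."""
    pins = set()
    for item in field.split(","):
        fp = item.strip().replace(":", "").replace(" ", "").lower()
        if not fp:
            continue  # tolerate a trailing comma
        if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
            raise ValueError("not a SHA-1 fingerprint: %r" % item.strip())
        pins.add(fp)
    if not pins:
        raise ValueError("no certificate hashes configured")
    return pins

def is_pinned(der_cert, pins):
    """True if the SHA-1 of the DER certificate matches any configured pin."""
    fp = hashlib.sha1(der_cert).hexdigest()
    return any(hmac.compare_digest(fp, pin) for pin in pins)

def pick_server(hosts, pins, fetch_der_cert):
    """Return the first reachable host presenting a pinned certificate, else None.

    fetch_der_cert(host) is a hypothetical callback that returns the DER bytes
    seen in the TLS handshake and raises OSError when the host is down.
    """
    for host in hosts:
        try:
            cert = fetch_der_cert(host)
        except OSError:
            continue  # DC unreachable: fail over to the next one
        if is_pinned(cert, pins):
            return host  # only now should bind credentials be sent
    return None

# Constructed stand-ins for the two DCs' certificates (not real DER data).
CERTS = {
    "dc1.example.net": b"constructed-cert-dc1",
    "dc2.example.net": b"constructed-cert-dc2",
}
FIELD = ", ".join(hashlib.sha1(c).hexdigest().upper() for c in CERTS.values())

def demo_fetch(host):
    if host == "dc1.example.net":
        raise OSError("dc1 is down")  # simulate the first DC being offline
    return CERTS[host]

def demo():
    return pick_server(list(CERTS), parse_pins(FIELD), demo_fetch)
```
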

#247 Koda OFFLINE  

Koda

    Advanced Member

  • Members
  • 47 posts
  • Local time: 01:57 AM

Posted 17 November 2019 - 09:33 AM

I have tried to use this plugin, but I always get this error:

2019-11-17 13:45:38.037 Error UserManager: Error authenticating with provider LDAP
    *** Error Report ***
    Version: 4.2.1.0
    Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
    Operating system: Unix 4.19.0.6
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Runtime: file:///opt/emby-server/system/System.Private.CoreLib.dll
    Processor count: 1
    Program data path: /var/lib/emby
    Application directory: /opt/emby-server/system
    Novell.Directory.Ldap.LdapException: LdapException: Invalid Credentials (49) Invalid Credentials
    LdapException: Server Message: 80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563
    LdapException: Matched DN:
    Source: LDAP
    TargetSite: Void ChkResultCode()

These are my settings:

[Attached file: ldap.png]

 

I have read the complete thread and have tried, instead of "UserPrincipalName", cn, uid and SamAccountName.

 

Edit: The ou Multmedia is correct. It was a fault

 

Has anyone an idea?

 

Best regards

Koda
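
The "data 52e" field in the server message above is Active Directory's bind sub-code, which says more than the generic LDAP result 49. As an added example (not part of the original post or the plugin), this parser pulls the sub-code out of such log lines and tallies them; the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Well-known Active Directory bind sub-codes (hex) reported in the "data" field.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAPERR = re.compile(
    r"LdapErr:\s*(DSID-[0-9A-Fa-f]+),\s*comment:\s*([^,]+),\s*data\s+([0-9A-Fa-f]+)"
)

def decode_line(line):
    """Return the decoded AD sub-code for one log line, or None if it has none."""
    m = LDAPERR.search(line)
    if m is None:
        return None
    dsid, comment, data = m.groups()
    code = data.lower()
    return {
        "dsid": dsid,
        "comment": comment.strip(),
        "data": code,
        "meaning": AD_SUBCODES.get(code, "unrecognised sub-code"),
    }

def summarize(log_text):
    """Count sub-codes across a log so bursts of 52e or 775 stand out."""
    hits = (decode_line(line) for line in log_text.splitlines())
    return Counter(h["data"] for h in hits if h)

# First line is the one from the post; the next two are constructed.
SAMPLE_LOG = """\
    LdapException: Server Message: 80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563
    LdapException: Server Message: 80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563
    LdapException: Server Message: 80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 775, v4563
    LdapException: Matched DN:
"""
```
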



#248 Luke OFFLINE  

Posted 17 November 2019 - 12:32 PM

Hi there, it says invalid credentials. Are you sure you've configured it correctly?



#249 Koda OFFLINE  

Posted 17 November 2019 - 01:10 PM

I think so. But after a new try it works. Sorry :)

 

One wish: Can you replace the text input field for the password with a password input field?



#250 Luke OFFLINE  

Posted 17 November 2019 - 02:01 PM

Change how?

#251 Koda OFFLINE  

Posted 17 November 2019 - 02:23 PM

At the moment this is your HTML field for the password:

<input is="emby-input" type="text" id="txtBindCredentials" label="Bind credentials:" class="emby-input">

I hope you can change it to

<input is="emby-input" type="password" id="txtBindCredentials" label="Bind credentials:" class="emby-input">

So the password is not shown directly.



#252 Luke OFFLINE  

Posted 17 November 2019 - 09:56 PM

I think I may have done that to prevent browser password autocomplete features from interfering.


  • Koda likes this

#253 Koda OFFLINE  

Posted 18 November 2019 - 01:33 AM

Great. Thank you

#254 Napo_Leon OFFLINE  

Napo_Leon

    Newbie

  • Members
  • 8 posts
  • Local time: 01:57 AM

Posted 21 January 2020 - 11:15 AM

I am trying to set Emby up for a school and have two questions about LDAP integration:

 

1. Is it possible to specify different user defaults for different user groups?

    e.g. Staff group 1 --> access to --> Library 1 & 2
         Staff group 2 --> access to --> Library 3, 4 & 5
         Student group 1 --> access to --> Library 1 & 5
         etc...

 

2. Can I specify multiple Domain Controller (LDAP) servers, for instance comma separated?

    DC1.contoso.com,DC2.contoso.com,DC3.contoso.com



#255 Luke OFFLINE  

Posted 21 January 2020 - 11:48 AM

It's not possible at this time, but perhaps in the future. Thanks.

#256 zer0ish OFFLINE  

zer0ish

    Member

  • Members
  • 11 posts
  • Local time: 08:57 PM

Posted 23 January 2020 - 06:31 PM

After a long time of trying, I got the LDAP plugin to work with my Active Directory.

My setup is Windows Server 2019 with AD DC on server 1.

Emby server on server 1.

Exchange on server 2.

 

But one thing I'm seeing is that there is no option to deny users from converting media.
I don't want anyone to have convert rights.
Is this something that can be fixed or added to the plugin?

 

I just want them to be able to change bitrates as usual and watch what is on the server.
Converting is something that should be administrator level only.

 

Glad this works, now I can have users using one account for PC, emby, exchange.

 

Thanks for the great work.

 

Edit: I also see that while in Emby the user can't change their password, getting "Sign In Error Invalid username or password. Please try again"

 

Edit2: I got a PM for my config

 

LDAP Server url: (must be fully qualified domain name)

example.net

 

LDAP Server Port number:

389

 

No SSL (yet)

SSL cert hash:

Haven't tried yet

 

Bind DN:

CN=embybind,OU=AnotherOU,OU=NewOU,OU=NewOU,DC=example,DC=net

 

Use ADSI Edit to find the correct DN; this saved me a lot because before I was doing things clearly wrong.

So whatever user you created (doesn't have to be admin, just a random user), find it with ADSI and use the string for it.

 

Bind credentials:

Whatever password you used for the Bind DN user

 

User search base: (this is where I had the most issues, just keep it simple!!)

DC=example,DC=net

 

User search filter: (as mentioned by others but to my use case)

(&(sAMAccountName={0})(memberOf=CN=embysrv,OU=NewOU,OU=NewOU,DC=example,DC=net))

 

embysrv is a Group I made so that any users in that group have access to emby.
Copy what I have but use ADSI to find the proper name path for your group.

 

That's it, the problem I was having is User search base going too deep. Just keep that simple to your domain name and have the filter look into the group for permissions.


Edited by zer0ish, 23 January 2020 - 07:01 PM.

  • Dibbes likes this
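
The search filter in the post above has a {0} placeholder that receives the login name typed at sign-in. As an added example (not the plugin's code; how the plugin itself substitutes the value is not shown in this thread), this is the RFC 4515 escaping that keeps a login name from changing the filter's structure. The function names and the two sample login names are assumptions.

```python
# Search filter from the post above; {0} is replaced with the login name.
TEMPLATE = ("(&(sAMAccountName={0})"
            "(memberOf=CN=embysrv,OU=NewOU,OU=NewOU,DC=example,DC=net))")

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)

def build_user_filter(template, username):
    """Fill the {0} placeholder with the escaped login name."""
    if "{0}" not in template:
        raise ValueError("filter template has no {0} placeholder")
    if not username or len(username) > 256:
        raise ValueError("empty or oversized login name")
    return template.replace("{0}", escape_filter_value(username))

def structure_preserved(template, username):
    """True if the login name added no filter syntax.

    After escaping, the counts of '(', ')' and '*' must equal the template's.
    """
    built = build_user_filter(template, username)
    return all(built.count(ch) == template.count(ch) for ch in "()*")

# Constructed login names: an ordinary one and one carrying filter metacharacters.
ORDINARY = "jdoe"
HOSTILE = "jdoe)(cn=*"
```

With the escaping in place, the metacharacters in the second name are matched literally against sAMAccountName, so the memberOf restriction on the embysrv group still applies to every lookup.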

#257 Luke OFFLINE  

Posted 23 January 2020 - 10:04 PM

The convert permission may not be in the plugin yet but you can still configure it after the user has been created in emby server. The settings in the plugin are only defaults.

#258 zer0ish OFFLINE  

Posted 23 January 2020 - 10:37 PM

Yeah I saw that was an option. Hopefully it gets added to the plugin in the future.

Another odd interaction I saw when playing around with test accounts was that if I changed the password from Active Directory or Exchange, I had to delete the user in Emby before I could log in again with the new password.

#259 Luke OFFLINE  

Posted 23 January 2020 - 11:09 PM

Why? Emby doesn't know what the LDAP password is. It shouldn't really matter.

#260 zer0ish OFFLINE  

Posted 24 January 2020 - 06:21 AM

Yeah I don't know why that's happening. But as soon as I delete the account in emby and hit login. It works right away.

 

Edit:

Ok, so it looks like it's a known Microsoft Active Directory issue.
Even after disabling an account or changing a password, the system still holds the token for an amount of time.
So I can log into Exchange with both passwords, but that messes with Emby.
I need to let the old password expire by not logging into Exchange, and everything works with the new password.


Edited by zer0ish, 24 January 2020 - 09:27 AM.




