Jump to content


Photo

LDAP Plugin


  • Please log in to reply
278 replies to this topic

#261 Napo_Leon OFFLINE  

Napo_Leon

    Newbie

  • Members
  • 8 posts
  • Local time: 08:13 AM

Posted 24 January 2020 - 11:29 AM

Hopefully someone can help me because I have run outta ideas......  :wacko:

 

I am trying to connect to my AD. It does connect, but the problem is that I cannot seem to bind.

Tried using multiple existing users or a brand new created dedicated 'emby' account but nothing works.

Keep on getting this in the log files:

 

Novell.Directory.Ldap.LdapException: LdapException: Operations Error (1) Operations Error
LdapException: Server Message: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839�
LdapException: Matched DN:
    Source: LDAP
    TargetSite: Void ChkResultCode()

 

I am 100% certain I use a valid user/password in the bind fields.

Does anyone has an idea what can be the problem?



#262 zer0ish OFFLINE  

zer0ish

    Member

  • Members
  • 11 posts
  • Local time: 03:13 AM

Posted 24 January 2020 - 11:40 AM

Hopefully someone can help me because I have run outta ideas......  :wacko:

 

I am trying to connect to my AD. It does connect, but the problem is that I cannot seem to bind.

Tried using multiple existing users or a brand new created dedicated 'emby' account but nothing works.

Keep on getting this in the log files:

 

Novell.Directory.Ldap.LdapException: LdapException: Operations Error (1) Operations Error
LdapException: Server Message: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839�
LdapException: Matched DN:
    Source: LDAP
    TargetSite: Void ChkResultCode()

 

I am 100% certain I use a valid user/password in the bind fields.

Does anyone has an idea what can be the problem?

Can you provide screen shots of your ldap settings for people to review and help?

Take a look at my previous post and try and set your self up like that.



#263 Napo_Leon OFFLINE  

Napo_Leon

    Newbie

  • Members
  • 8 posts
  • Local time: 08:13 AM

Posted 24 January 2020 - 11:44 AM

Pretty straight forward (I thought).. 

 

 

5e2b10af5ffa3_Annotation20200124164524.p



#264 zer0ish OFFLINE  

zer0ish

    Member

  • Members
  • 11 posts
  • Local time: 03:13 AM

Posted 24 January 2020 - 11:57 AM

Based on what I see try this for your Search filter.
(&(sAMAccountName={0})(memberOf=CN=Users,DC=what ever you have blanked,DC=local))

 

This assumes all the users authenticating are in the User CN Group.

 

For the bind if your emby user is in the CN=Users group then that looks fine.
Use ADSI Edit to make sure you have the right DN structure.

 


Edited by zer0ish, 24 January 2020 - 03:21 PM.


#265 Napo_Leon OFFLINE  

Napo_Leon

    Newbie

  • Members
  • 8 posts
  • Local time: 08:13 AM

Posted 25 January 2020 - 07:42 AM

Based on what I see try this for your Search filter.
(&(sAMAccountName={0})(memberOf=CN=Users,DC=what ever you have blanked,DC=local))

 

This assumes all the users authenticating are in the User CN Group.

 

For the bind if your emby user is in the CN=Users group then that looks fine.
Use ADSI Edit to make sure you have the right DN structure.

 

 

Thanks!!! 

Seems that the bind user needs to be in the same OU also specified in the 'User search base'.

Strange though, since every user in AD (with valid credentials) should be able to read whole AD structure.

 

Now let's see if I can get filtering based on a security group to work....  :)  



#266 Napo_Leon OFFLINE  

Napo_Leon

    Newbie

  • Members
  • 8 posts
  • Local time: 08:13 AM

Posted 04 February 2020 - 07:20 AM

I noticed that 'Allow media conversion' can not be set in the default profile.

And it's on by default.....

 

5e39530c272d8_mediaconvert.png

 

Is it possible to add this? I really do not want to go through 1000+ users manually to disable this per user....



#267 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 157225 posts
  • Local time: 03:13 AM

Posted 04 February 2020 - 12:18 PM

Yes it's something that can be added. Thanks.

#268 zer0ish OFFLINE  

zer0ish

    Member

  • Members
  • 11 posts
  • Local time: 03:13 AM

Posted 04 February 2020 - 02:44 PM

I noticed that 'Allow media conversion' can not be set in the default profile.

And it's on by default.....

 

5e39530c272d8_mediaconvert.png

 

Is it possible to add this? I really do not want to go through 1000+ users manually to disable this per user....

 

I mentioned this as well and agree.
I'd also add that pretty much everything on the main screen of Users should be an options.
I don't want users sharing to social media either.

But then again, I only have family members and some friends. Not 1000+ :)



#269 chm@herning-gym.dk OFFLINE  

chm@herning-gym.dk

    Newbie

  • Members
  • 1 posts

Posted 05 February 2020 - 04:39 AM

Hi,

 

I'm testing Emby with LDAP plugin on a fresh pc.

 

In the text it says that i can run i for 14 days befor i need a Premiere license, however i get the error "System.Exception: System.Exception: Emby Premiere required for LDAP" even the test-server is only 1 days old ...



#270 Koda OFFLINE  

Koda

    Advanced Member

  • Members
  • 47 posts
  • Local time: 08:13 AM

Posted 03 March 2020 - 02:47 PM

Hi

 

Since a few month the LDAP Plugin works great. I use Port 389 for non SSL and 636 for SSL

 

Now I have change my Settings and yould like to use SSL. I have insert the Windows CA Root CA to my Debian machine and have activate the SSL Option and change the port.

 

THen I have enable to force LDAPS: https://support.micr...ows-server-2008

 

Now When I login, I get this error:

2020-03-03 19:39:03.052 Error LDAP: Ssl certifiate error RemoteCertificateNameMismatch, RemoteCertificateChainErrors
2020-03-03 19:39:03.053 Error UserManager: Error authenticating with provider LDAP
    *** Error Report ***
    Version: 4.3.1.0
    Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
    Operating system: Unix 4.19.0.6
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Runtime: file:///opt/emby-server/system/System.Private.CoreLib.dll
    Processor count: 6
    Program data path: /var/lib/emby
    Application directory: /opt/emby-server/system
    System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
     at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
     at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
     at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
     at LDAP.AuthenticationProvider.Authenticate(String username, String password)
     at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
    Source: LDAP
    TargetSite: Void WaitAndUnwrap(System.Threading.Tasks.Task, Int32)

Windos LDAPS don't use SHA1, so I don't know what I must insert in the field "SSL certificate hash (SHA1):"

 

THank you for help


Edited by Koda, 03 March 2020 - 02:57 PM.


#271 Koda OFFLINE  

Koda

    Advanced Member

  • Members
  • 47 posts
  • Local time: 08:13 AM

Posted 05 March 2020 - 01:19 PM

Now I have change the IP to the DNS Name where my certificate is named. But Now I get this error

2020-03-05 18:17:50.481 Error UserManager: Error authenticating with provider LDAP
    *** Error Report ***
    Version: 4.3.1.0
    Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
    Operating system: Unix 4.19.0.6
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Runtime: file:///opt/emby-server/system/System.Private.CoreLib.dll
    Processor count: 6
    Program data path: /var/lib/emby
    Application directory: /opt/emby-server/system
    System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
     at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
     at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
     at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
     at LDAP.AuthenticationProvider.Authenticate(String username, String password)
     at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
    Source: LDAP
    TargetSite: Void WaitAndUnwrap(System.Threading.Tasks.Task, Int32)

EDIT: I found the solution: The Root CA must in the CA of my Linux Server. After this, I must insert the fingerprint in the Field "SSL certificate hash (SHA1):" of LDAP Plugin


Edited by Koda, 05 March 2020 - 01:58 PM.


#272 PortableStick OFFLINE  

PortableStick

    Member

  • Members
  • 18 posts
  • Local time: 01:13 AM

Posted 10 April 2020 - 11:43 AM

I'm looking for a way to get LDAP authentication working without having to boot up Emby and download anything. Is there a way to pre-package the plugin in a docker container and configure it with env vars?



#273 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 157225 posts
  • Local time: 03:13 AM

Posted 10 April 2020 - 03:03 PM

I'm looking for a way to get LDAP authentication working without having to boot up Emby and download anything. Is there a way to pre-package the plugin in a docker container and configure it with env vars?

 

Hi, I'm not quite sure what you're asking. Are you asking about using the plugin without Emby Server?



#274 PortableStick OFFLINE  

PortableStick

    Member

  • Members
  • 18 posts
  • Local time: 01:13 AM

Posted 10 April 2020 - 04:37 PM

What I want to do is download the plugin, move it into the plugin folder manually in a Docker file, and configure LDAP authentication so it's ready before I launch Emby for the first time. The use-case is that I'm building a giant monolithic docker-compose file that I use to handle all of my services and I want to use LDAP to authenticate everything, but without having to go into each one to configure things through the UI. So I will be using the plugin in Emby Server, I just want to install and configure it in a script.



#275 PortableStick OFFLINE  

PortableStick

    Member

  • Members
  • 18 posts
  • Local time: 01:13 AM

Posted 10 April 2020 - 04:47 PM

I should be more clear about what I actually need (I'm running on very little sleep so forgive my rambling). I know how I'm going to build the Docker image and dynamically modify whichever config file necessary. What I don't know is 1) where I can download the plugin, 2) where it needs to be installed, 3) if there's anything you can tell me about the configuration files (ie, what needs to be edited), and 4) if there are any quirks about authentication in Emby that might complicate things if I tried this.

 

Of course, I'm also assuming that the license permits this. Maybe I'm speaking out of place here.



#276 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 157225 posts
  • Local time: 03:13 AM

Posted 10 April 2020 - 05:27 PM

I should be more clear about what I actually need (I'm running on very little sleep so forgive my rambling). I know how I'm going to build the Docker image and dynamically modify whichever config file necessary. What I don't know is 1) where I can download the plugin, 2) where it needs to be installed, 3) if there's anything you can tell me about the configuration files (ie, what needs to be edited), and 4) if there are any quirks about authentication in Emby that might complicate things if I tried this.

 

Of course, I'm also assuming that the license permits this. Maybe I'm speaking out of place here.

 

This sounds vaguely familiar. Have we discussed this before?



#277 PortableStick OFFLINE  

PortableStick

    Member

  • Members
  • 18 posts
  • Local time: 01:13 AM

Posted 10 April 2020 - 05:48 PM

No sir, I've only been working on this for the past few days.



#278 otispresley OFFLINE  

otispresley

    Advanced Member

  • Members
  • 158 posts
  • Local time: 03:13 AM
  • LocationApex, NC

Posted 11 April 2020 - 09:07 AM

No sir, I've only been working on this for the past few days.

 

I think you should be able to install the plugin and configure it on an existing installation then take the .dll and config files and copy them to the proper location in the container in your Dockerfile.

For example in Docker, the files are in /config/plugins. You can find the plugin LDAP.dll there and its config LDAP.xml in /config/plugins/configurations.

 

So, your Dockerfile might look something like:

FROM emby/embyserver:latest
COPY LDAP.dll /config/plugins/
COPY LDAP.xml /config/plugins/configurations/

@Luke can confirm whether this will work or not. I hope it helps.


Edited by otispresley, 11 April 2020 - 09:08 AM.


#279 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 157225 posts
  • Local time: 03:13 AM

Posted 12 April 2020 - 02:28 PM

Yes that sounds right, thanks for the help.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users