
Getting Emby Connected with LDAP on Synology


CChris


Hi all,

 

I am pretty new to Emby - and I am using it on my Synology DS218+
 

On my Synology, I have also installed the ActiveDirectoryServer and done the setup for a domain.

Now, I'm trying to connect my Emby installation with LDAP, but I am not able to get it working :-(

 

This is how I set up the LDAP Plugin in Emby:
[Screenshot of the LDAP plugin settings; image not preserved]

When I try to log in with one of my AD users, I am getting the following error in the logs:
 

2019-02-11 17:12:33.133 Error UserManager: Error authenticating with provider LDAP
	*** Error Report ***
	Version: 4.0.1.0
	Command line: /var/packages/EmbyServer/target/server/EmbyServer.exe -package synology -programdata /var/packages/EmbyServer/target/var -ffmpeg /var/packages/EmbyServer/target/ffmpeg/bin/ffmpeg -ffprobe /var/packages/EmbyServer/target/ffmpeg/bin/ffprobe -ffdetect /var/packages/EmbyServer/target/ffmpeg/bin/ffdetect -restartexitcode 121
	Operating system: Unix 4.4.59.0
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: False
	Mono: 5.18.0.240 (tarball Fri Jan 18 15:40:28 UTC 2019)
	Processor count: 2
	Program data path: /var/packages/EmbyServer/target/var
	Application directory: /volume1/@appstore/EmbyServer/releases/4.0.1.0
	Novell.Directory.Ldap.LdapException: LdapException: Strong Authentication Required (8) Strong Authentication Required
	LdapException: Server Message: BindSimple: Transport encryption required.
	LdapException: Matched DN: 
	Source: mscorlib
	TargetSite: Void Throw()
	  at Novell.Directory.Ldap.LdapResponse.ChkResultCode () [0x00019] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.LdapConnection.ChkResultCode (Novell.Directory.Ldap.LdapMessageQueue queue, Novell.Directory.Ldap.LdapConstraints cons, Novell.Directory.Ldap.LdapResponse response) [0x00031] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.LdapConnection.Bind (System.Int32 version, System.String dn, System.Byte[] passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x00045] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.LdapConnection.Bind (System.Int32 version, System.String dn, System.String passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x0000c] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.LdapConnection.Bind (System.String dn, System.String passwd) [0x00000] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000fb] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <8c99ead7fd9c44cab05a9d44c2163ecc>:0 

LdapException: Strong Authentication Required (8) Strong Authentication Required
LdapException: Server Message: BindSimple: Transport encryption required.
LdapException: Matched DN:


As far as I know, this seems to be an issue that Synology is using TLS...

Any ideas how I can get this solved?
Do I need to change something in my Synology NAS?

 

Any help would be much appreciated :)
Thanks and with best regards,

 

Christoph


I've now done some changes on my Synology...

1) System Settings -> Security -> extended -> TLS/SSL Profiles -> Userdefined

There, I have activated the backward compatibility for the ActiveDirectoryServer.

 

After restarting Emby, and changing the Settings in Emby to use Port 636 and "enable SSL" I will now get the following Error in the Logs:

2019-02-11 17:46:33.128 Error UserManager: Error authenticating with provider LDAP
	*** Error Report ***
	Version: 4.0.1.0
	Command line: /var/packages/EmbyServer/target/server/EmbyServer.exe -package synology -programdata /var/packages/EmbyServer/target/var -ffmpeg /var/packages/EmbyServer/target/ffmpeg/bin/ffmpeg -ffprobe /var/packages/EmbyServer/target/ffmpeg/bin/ffprobe -ffdetect /var/packages/EmbyServer/target/ffmpeg/bin/ffdetect -restartexitcode 121
	Operating system: Unix 4.4.59.0
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: False
	Mono: 5.18.0.240 (tarball Fri Jan 18 15:40:28 UTC 2019)
	Processor count: 2
	Program data path: /var/packages/EmbyServer/target/var
	Application directory: /volume1/@appstore/EmbyServer/releases/4.0.1.0
	System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
	  at /source/mono/external/boringssl/ssl/handshake_client.c:1132
	  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <06b225350c3541b2a422a59539189a6b>:0 
	  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <06b225350c3541b2a422a59539189a6b>:0 
	  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
	  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <06b225350c3541b2a422a59539189a6b>:0 
	  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000ff] in <06b225350c3541b2a422a59539189a6b>:0 
	  at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x0008b] in <06b225350c3541b2a422a59539189a6b>:0 
	   --- End of inner exception stack trace ---
	  at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap (System.Threading.Tasks.Task task, System.Int32 timeout) [0x00036] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port, System.Int32 semaphoreId) [0x000cd] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port) [0x00000] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.LdapConnection.Connect (System.String host, System.Int32 port) [0x00070] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000dc] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <8c99ead7fd9c44cab05a9d44c2163ecc>:0 
	Source: mscorlib
	TargetSite: Void Throw()
	  at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap (System.Threading.Tasks.Task task, System.Int32 timeout) [0x00036] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port, System.Int32 semaphoreId) [0x000cd] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port) [0x00000] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Novell.Directory.Ldap.LdapConnection.Connect (System.String host, System.Int32 port) [0x00070] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000dc] in <b52b5ab7d3a84c28ab8243cbbadbef13>:0 
	  at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <8c99ead7fd9c44cab05a9d44c2163ecc>:0 
	InnerException: Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
	  at /source/mono/external/boringssl/ssl/handshake_client.c:1132
	Source: mscorlib
	TargetSite: Void Throw()
	  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <06b225350c3541b2a422a59539189a6b>:0 
	  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <06b225350c3541b2a422a59539189a6b>:0 
	  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
	  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <06b225350c3541b2a422a59539189a6b>:0 
	  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000ff] in <06b225350c3541b2a422a59539189a6b>:0 
	  at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x0008b] in <06b225350c3541b2a422a59539189a6b>:0 

Hi, right now I'm using the default self-signed certificate which is created by the Synology when the domain is created.

-- Edit:
I just tried to use some Let's Encrypt certificates which I have created for some other sub-domains which are available on my Synology.
But with using them, I'm getting another error:
 

Novell.Directory.Ldap.LdapException: LdapException: Unable to connect to server localhost:636 (91) Connect Error
	System.Net.Sockets.SocketException (0x80004005): Connection refused

And for the AD domain itself I can't create any Let's Encrypt certificate...

Edited by CChris
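The three failures reported up to this point happen at different stages of the LDAP login: the bind request, the TLS handshake, and the TCP connect. The Python script below is an added example, not part of any post and not Emby's code, that sorts such log entries by stage; the sample log is constructed from shortened copies of the lines quoted above, and all function names are hypothetical.

```python
import re

# Constructed sample: shortened copies of the three failures quoted in the thread
# (the third timestamp is invented; the post gives none).
SAMPLE_LOG = """\
2019-02-11 17:12:33.133 Error UserManager: Error authenticating with provider LDAP
    Novell.Directory.Ldap.LdapException: LdapException: Strong Authentication Required (8) Strong Authentication Required
    LdapException: Server Message: BindSimple: Transport encryption required.
      at Novell.Directory.Ldap.LdapConnection.Bind (System.String dn, System.String passwd)
2019-02-11 17:46:33.128 Error UserManager: Error authenticating with provider LDAP
    System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
      at Novell.Directory.Ldap.LdapConnection.Connect (System.String host, System.Int32 port)
2019-02-12 00:00:00.000 Error UserManager: Error authenticating with provider LDAP
    Novell.Directory.Ldap.LdapException: LdapException: Unable to connect to server localhost:636 (91) Connect Error
    System.Net.Sockets.SocketException (0x80004005): Connection refused
"""

ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} ", re.M)
TLS_ERROR = re.compile(r"Ssl error:[0-9a-f]+:SSL routines:\w+:(\w+)")
SOCKET_ERROR = re.compile(r"SocketException \(0x[0-9A-Fa-f]+\): (.+)")
LDAP_CODE = re.compile(r"LdapException: [^\n]*?\((\d+)\)")
SERVER_MSG = re.compile(r"Server Message: (.+)")
TARGET = re.compile(r"Unable to connect to server (\S+)")

def _first(rx, text):
    m = rx.search(text)
    return m.group(1).strip() if m else None

def split_entries(log):
    """Split a log into entries: one timestamped line plus its continuation lines."""
    starts = [m.start() for m in ENTRY_START.finditer(log)]
    return [log[a:b] for a, b in zip(starts, starts[1:] + [len(log)])]

def classify(entry):
    """Return the stage at which an LDAP login attempt failed, with the evidence."""
    result = {"time": entry[:23], "ldap_code": _first(LDAP_CODE, entry)}
    sock, tls = _first(SOCKET_ERROR, entry), _first(TLS_ERROR, entry)
    if sock:
        # No TCP session at all: wrong host or port, or nothing listening there.
        result.update(stage="tcp", detail=f"{_first(TARGET, entry)}: {sock}")
    elif tls:
        # TCP worked, but the client runtime did not accept the server certificate.
        result.update(stage="tls", detail=tls)
    elif "LdapConnection.Bind" in entry:
        # The connection was up; the directory rejected the bind request itself.
        result.update(stage="bind", detail=_first(SERVER_MSG, entry))
    else:
        result.update(stage="unknown", detail=None)
    # Result code 8 on a simple bind: the client offered the password over a
    # connection without transport encryption and the server refused it.
    result["cleartext_bind"] = result["stage"] == "bind" and result["ldap_code"] == "8"
    return result

def triage(log):
    return [classify(e) for e in split_entries(log) if "provider LDAP" in e]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
```

An entry flagged `cleartext_bind` means a password was about to cross the network unencrypted, so the fix belongs on the client side (LDAPS or StartTLS) rather than in relaxing the server's requirement.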

Ok so the self-signed cert is being rejected. We have added configuration to override this in a test version of the plugin:

 

https://emby.media/community/index.php?/topic/56793-ldap-plugin/?p=697229

 

A user has reported that it's not working, but we'll take another look at it soon, so you can participate there. Thanks.


Hi @Luke, I already posted in the other topic, but I will also keep this topic updated:

1) Using the newer LDAP.dll provided in the topic https://emby.media/community/index.php?/topic/56793-ldap-plugin/?p=697229 did not work for me.
2) I've switched to a Let's Encrypt certificate, but I am getting the same error in the logs as with the self-signed certificate.
3) I've installed Emby locally on my computer and connected to my NAS - finally, this worked well with the current certificate setup...

So all in all, it seems to be an issue only when Emby and Active Directory are running on the same (Linux) machine?


Hi @Luke,

today I did another test.

I've installed Emby Server on another Synology DiskStation, which is connected to my AD as a client machine.
After applying the same settings as for my working Windows test server, I tried to log in a user from the AD - and:

I'm getting the same error as on my other DiskStation:

Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

I am still using a Let's Encrypt certificate.
So, it is not only an issue when Emby is running on the same machine, but it's more likely an issue with the OpenSSL implementation.

In the other topic, I have linked to a topic on Stack Overflow, where I was able to find a discussion about the mono.btls provider:

https://stackoverflo...nssl-internalce

It might be worth changing the provider from btls to legacy?
 


Yes, it is working on my Windows machine, when I'm using the LDAP Server on my Synology NAS.

I have the following setup

NAS_1 (embyServer, ADServer)
- Emby cannot connect to the AD due to the error shown above

NAS_2, connected to the AD Server on NAS_1 (embyServer)
- Emby cannot connect to the AD on NAS_1 due to the error shown above

Local Windows Machine, connected to the AD Server on NAS_1 (embyServer)
- Emby can connect to the AD and works as expected, even with limitation to a specific user group

Edit:
I will try to set up another scenario this weekend, using only the DirectoryServer (LDAP) on one of my NAS...
Maybe, there are some more options available, than in the ActiveDirectoryServer implementation of Synology.

Edited by CChris

solabc16

Hello @CChris

 

We'll have other problems if we switch to 'legacy', we need to find out why the certificate validation is failing in this specific scenario.

 

At least when not using a self-signed certificate.

 

It is of course working correctly for Emby Server's basic functions, such as checking for updates and accessing metadata providers.

 

Best

- James


  • 4 weeks later...
CChris

I haven't tried the LDAP plugin with this version, since there was no announcement that something related to this part has been fixed in 4.0.3.0.
I will test it and give you feedback soon.


CChris

yep, still the same:

 

2019-03-17 23:03:48.102 Info HttpServer: HTTP POST http://media.caina.de:8096/emby/Users/authenticatebyname. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
2019-03-17 23:03:48.395 Error UserManager: Error authenticating with provider LDAP
	*** Error Report ***
	Version: 4.0.3.0
	Command line: /var/packages/EmbyServer/target/server/EmbyServer.exe -package synology -programdata /var/packages/EmbyServer/target/var -ffmpeg /var/packages/EmbyServer/target/ffmpeg/bin/ffmpeg -ffprobe /var/packages/EmbyServer/target/ffmpeg/bin/ffprobe -ffdetect /var/packages/EmbyServer/target/ffmpeg/bin/ffdetect -restartexitcode 121
	Operating system: Unix 4.4.59.0
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: False
	Mono: 5.18.0.240 (tarball Fri Jan 18 15:40:28 UTC 2019)
	Processor count: 2
	Program data path: /var/packages/EmbyServer/target/var
	Application directory: /volume1/@appstore/EmbyServer/releases/4.0.3.0
	System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

at /source/mono/external/boringssl/ssl/handshake_client.c:1132
     at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <06b225350c3541b2a422a59539189a6b>:0
     at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <06b225350c3541b2a422a59539189a6b>:0
     at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
     at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <06b225350c3541b2a422a59539189a6b>:0
     at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000ff] in <06b225350c3541b2a422a59539189a6b>:0
     at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x0008b] in <06b225350c3541b2a422a59539189a6b>:0
     --- End of inner exception stack trace ---
     at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap (System.Threading.Tasks.Task task, System.Int32 timeout) [0x00036] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port, System.Int32 semaphoreId) [0x000cd] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port) [0x00000] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at Novell.Directory.Ldap.LdapConnection.Connect (System.String host, System.Int32 port) [0x00070] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000dc] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <3d2456253cbd47f6ad5ba9987b1fa974>:0
    Source: mscorlib
    TargetSite: Void Throw()
     at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap (System.Threading.Tasks.Task task, System.Int32 timeout) [0x00036] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port, System.Int32 semaphoreId) [0x000cd] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at Novell.Directory.Ldap.Connection.Connect (System.String host, System.Int32 port) [0x00000] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at Novell.Directory.Ldap.LdapConnection.Connect (System.String host, System.Int32 port) [0x00070] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at LDAP.AuthenticationProvider.Authenticate (System.String username, System.String password) [0x000dc] in <39ed1d1bd22847048d5b976675e00ec8>:0
     at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider (MediaBrowser.Controller.Authentication.IAuthenticationProvider provider, System.String username, System.String password, MediaBrowser.Controller.Entities.User resolvedUser) [0x0011b] in <3d2456253cbd47f6ad5ba9987b1fa974>:0
    InnerException: Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
     at /source/mono/external/boringssl/ssl/handshake_client.c:1132
    Source: mscorlib
    TargetSite: Void Throw()
     at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <06b225350c3541b2a422a59539189a6b>:0
     at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <06b225350c3541b2a422a59539189a6b>:0
     at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
     at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <06b225350c3541b2a422a59539189a6b>:0
     at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000ff] in <06b225350c3541b2a422a59539189a6b>:0
     at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x0008b] in <06b225350c3541b2a422a59539189a6b>:0 

Edited by CChris

solabc16

Hello @CChris

Thanks for the above, it was mainly a sanity check to make sure I still had the right picture.

 

The next stable for your platform will see a change of runtime environment.

 

So I suggest we hang fire and re-evaluate at this point, I don't expect this to be in the too distant future.

 

Best

- James


  • 1 month later...
CChris

Hi,

I've just updated to the latest stable today (4.1.0.26 / 4.1.1.0) and wanted to say that my LDAP is now working as expected.
Thanks a lot :)
