LDAP Configuration


CChris

Hi, I don't want to 'spam' the existing topic for the LDAP plugin with my current issue, since I think the existing topic is already hard to follow...

I have set up a Samba4 server and configured the LDAP plugin for the user login accordingly.

The whole User-Search Filter is:

     (&(sAMAccountName={0})(&(objectCategory=user)(!(userAccountControl=514))(memberof=cn=emby-users,OU=Groups,OU=Home,DC=home,DC=caina,DC=de)))

All of this is working fine - My AD Structure is like this:

Nearly everything is working as expected - users that are in the group "Emby-Users" have access to Emby; users who are not in that group do not have access to Emby.

Except for one thing:

Users of the group "Emby-Users" only have access to Emby if they are also in the default group "Domain Users" and if "Domain Users" is set as their primary group.
As soon as I remove a user from the "Domain Users" group, they do not have access to Emby anymore...

But this is a requirement, since some users are "external" users and should not be part of the Domain Users group like some others.

Sure, this isn't an Emby issue - but maybe someone has an idea where I could / should have a look to get this kind of configuration to work?

The Emby log shows "user not found" when I try to log in a user that is not part of the Domain Users default group.

Thanks and with best regards,
Christoph

Edited by CChris

Hi, given that this plugin targets a niche audience, unfortunately spamming that thread might be the best way to get the attention of knowledgeable users who can help with this. You could just link to here instead of re-posting the entire thing though. Thanks.


Hi all,

Just a short update:

I have set up another service which also authenticates users against my LDAP.
There, the above setup is nearly the same - and it works as expected:

Receiving the below error when using an SSL certificate. Is there an issue with how the checksum works? I am attempting to authenticate with the administrator account for testing purposes. Thanks!

019-07-11 11:47:59.498 Error UserManager: Error authenticating with provider LDAP
	*** Error Report ***
	Version: 4.1.1.0
	Command line: /system/EmbyServer.dll -programdata /config -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Unix 5.0.10.300
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Runtime: file:///system/System.Private.CoreLib.dll
	Processor count: 2
	Program data path: /config
	Application directory: /system
	System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
	   at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
	   at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
	   at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
	   at LDAP.AuthenticationProvider.Authenticate(String username, String password)
	   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
	Source: LDAP
	TargetSite: Void WaitAndUnwrap(System.Threading.Tasks.Task, Int32)

Edited by Elegant

The wrong way apparently. I thought that it was meant to be the certificate hash of the CA not the certificate hash of the server certificate. All good now. Thanks!

Edited by Elegant
  • 1 year later...
echoxxzz
On 12/07/2019 at 09:23, Elegant said:

The wrong way apparently. I thought that it was meant to be the certificate hash of the CA not the certificate hash of the server certificate. All good now. Thanks!

This plugin needs some cosmetic work:

1. It doesn't use an LDAP Server URL (i.e. ldaps://dc.domain.com), it just wants the server name.

2. It really wants the Certificate Fingerprint (yes that's what it's called) which you can get using openssl:

     openssl x509 -noout -fingerprint -sha1 -inform pem -in cert.pem | cut -d = -f 2 -s | tr -d :

Hope this helps others trying to connect to LDAP.

Edited by echoxxzz
  • 2 weeks later...
Luke
On 4/30/2021 at 10:50 PM, echoxxzz said:

This plugin needs some cosmetic work:

1. It doesn't use an LDAP Server URL (i.e. ldaps://dc.domain.com), it just wants the server name.

2. It really wants the Certificate Fingerprint (yes that's what it's called) which you can get using openssl:

     openssl x509 -noout -fingerprint -sha1 -inform pem -in cert.pem | cut -d = -f 2 -s | tr -d :

Hope this helps others trying to connect to LDAP.

Hi, what areas of the configuration screen are you referring to?

echoxxzz

1. The plugin isn't using an LDAP URL; it just wants the server name or IP address. I kept using URL syntax (i.e. ldap://servername.com) and it kept failing until I just used the server name. Maybe replace "LDAP server url" with "LDAP server name or address".

2. In order to enable SSL, the plugin is asking for a SHA1 hash of the certificate. I was literally trying to use the SHA1 hash of the physical certificate .pem file. After I viewed a couple of certs in a web browser that was using an SSL connection, I discovered that the real term is a certificate "thumbprint". Googling "calculate certificate thumbprint", I easily found the openssl command to display a thumbprint. Maybe replace "SSL certificate hash" with "SSL certificate thumbprint".

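The distinction described in the post above, as an added example that is not part of the original posts or of the plugin's code: the thumbprint is SHA-1 over the certificate's DER bytes, so it is the same however the PEM file is wrapped, while a SHA-1 of the PEM file itself is not. `SAMPLE_DER` is constructed stand-in data rather than a real certificate, and all function names are made up for this example.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the first certificate block in a PEM string to DER bytes."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))

def thumbprint(pem_text):
    """SHA-1 over the DER encoding, uppercase hex without colons."""
    return hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()

def file_sha1(pem_text):
    """SHA-1 over the PEM file's own bytes: not the thumbprint."""
    return hashlib.sha1(pem_text.encode("ascii")).hexdigest().upper()

def server_thumbprint(host, port=636):
    """Thumbprint of the certificate an LDAPS server presents.
    The fetch is unauthenticated, so compare the result with a value
    taken on the server itself before pinning it in a client."""
    return thumbprint(ssl.get_server_certificate((host, port)))

def make_pem(der, width=64, eol="\n"):
    """Wrap DER bytes as PEM; line width and line ending vary by tool."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *body,
                     "-----END CERTIFICATE-----"]) + eol

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 3
PEM_UNIX = make_pem(SAMPLE_DER)                          # 64 columns, LF
PEM_WINDOWS = make_pem(SAMPLE_DER, width=76, eol="\r\n")  # 76 columns, CRLF

if __name__ == "__main__":
    for name, pem in (("unix", PEM_UNIX), ("windows", PEM_WINDOWS)):
        print(name, "file sha1 :", file_sha1(pem))
        print(name, "thumbprint:", thumbprint(pem))
```

Run against a real `cert.pem`, `thumbprint()` gives the same string as the openssl pipeline quoted in the thread.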
echoxxzz

For example, here is a cert from Google, and it shows the term is actually called thumbprint.

  • 1 month later...
Luke
On 5/11/2021 at 11:00 PM, echoxxzz said:

1. The plugin isn't using an LDAP URL; it just wants the server name or IP address. I kept using URL syntax (i.e. ldap://servername.com) and it kept failing until I just used the server name. Maybe replace "LDAP server url" with "LDAP server name or address".

2. In order to enable SSL, the plugin is asking for a SHA1 hash of the certificate. I was literally trying to use the SHA1 hash of the physical certificate .pem file. After I viewed a couple of certs in a web browser that was using an SSL connection, I discovered that the real term is a certificate "thumbprint". Googling "calculate certificate thumbprint", I easily found the openssl command to display a thumbprint. Maybe replace "SSL certificate hash" with "SSL certificate thumbprint".

Thanks, we'll take a look.

