CChris 58 Posted July 10, 2019 (edited)
Hi, I don't want to 'spam' the existing topic for the LDAP Plugin with my current issue, since I think the existing topic is already hard to follow...
I have set up a Samba4 server and configured the LDAP Plugin for the user login accordingly. The whole user search filter is:
(&(sAMAccountName={0})(&(objectCategory=user)(!(userAccountControl=514))(memberof=cn=emby-users,OU=Groups,OU=Home,DC=home,DC=caina,DC=de)))
All of this is working fine - my AD structure is like this:
Nearly everything is working as expected - users that are in the group "Emby-Users" have access to Emby, users which are not in that group do not have access to Emby.
Except for one thing: users of the group "Emby-Users" only have access to Emby if they are also within the default group "Domain Users" and if "Domain Users" is set as their primary group. As soon as I remove the user from the "Domain Users" group, they do not have access to Emby anymore...
But this is a requirement, since some users are "external" users and should not be part of the Domain Users group like some others.
Sure, this isn't an issue from Emby - but maybe someone will have an idea where I could / should have a look to get this kind of configuration to work...??
The Emby log is showing "user not found" when I try to log in a user that is not part of the Domain Users default group.
Thanks and with best regards,
Christoph
Edited July 10, 2019 by CChris
Luke 39351 Posted July 10, 2019
Hi, given that this plugin targets a niche audience, unfortunately spamming that thread might be the best way to get the attention of knowledgeable users who can help with this. You could just link to here instead of re-posting the entire thing, though. Thanks.
CChris 58 (Author) Posted July 11, 2019
Hi all, just a short update: I have set up another service which also authenticates users against my LDAP. There, the above setup is nearly the same - and does work as expected:
Elegant 10 Posted July 11, 2019 (edited)
Receiving the below error when using an SSL certificate; is there an issue with how the checksum works? I am attempting to authenticate with the administrator account for testing purposes. Thanks!
019-07-11 11:47:59.498 Error UserManager: Error authenticating with provider LDAP
*** Error Report ***
Version: 4.1.1.0
Command line: /system/EmbyServer.dll -programdata /config -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
Operating system: Unix 5.0.10.300
64-Bit OS: True
64-Bit Process: True
User Interactive: True
Runtime: file:///system/System.Private.CoreLib.dll
Processor count: 2
Program data path: /config
Application directory: /system
System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
at LDAP.AuthenticationProvider.Authenticate(String username, String password)
at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
Source: LDAP
TargetSite: Void WaitAndUnwrap(System.Threading.Tasks.Task, Int32)
Edited July 11, 2019 by Elegant
Elegant 10 Posted July 12, 2019 (edited)
The wrong way, apparently. I thought that it was meant to be the certificate hash of the CA, not the certificate hash of the server certificate. All good now. Thanks!
Edited July 12, 2019 by Elegant
echoxxzz 22 Posted May 1, 2021 (edited)
On 12/07/2019 at 09:23, Elegant said:
The wrong way, apparently. I thought that it was meant to be the certificate hash of the CA, not the certificate hash of the server certificate. All good now. Thanks!
This plugin needs some cosmetic work:
1. It doesn't use an LDAP server URL (i.e. ldaps://dc.domain.com), it just wants the server name.
2. It really wants the certificate fingerprint (yes, that's what it's called), which you can get using openssl:
openssl x509 -noout -fingerprint -sha1 -inform pem -in cert.pem | cut -d = -f 2 -s | tr -d :
Hope this helps others trying to connect to LDAP.
Edited May 3, 2021 by echoxxzz
Luke 39351 Posted May 10, 2021
On 4/30/2021 at 10:50 PM, echoxxzz said:
This plugin needs some cosmetic work:
1. It doesn't use an LDAP server URL (i.e. ldaps://dc.domain.com), it just wants the server name.
2. It really wants the certificate fingerprint (yes, that's what it's called), which you can get using openssl:
openssl x509 -noout -fingerprint -sha1 -inform pem -in cert.pem | cut -d = -f 2 -s | tr -d :
Hope this helps others trying to connect to LDAP.
Hi, what areas of the configuration screen are you referring to?
echoxxzz 22 Posted May 12, 2021
1. The plugin isn't using an LDAP URL, it just wants the server name or IP address. I kept using URL syntax (i.e. ldap://servername.com) and it kept failing until I just used the server name. Maybe replace "LDAP server url" with "LDAP server name or address".
2. In order to enable SSL the plugin is asking for a SHA1 hash of the certificate. I was literally trying to use the sha1 hash of the physical certificate .pem file. After I viewed a couple of certs in a web browser that was using an SSL connection, I discovered that the real term is called a certificate "thumbprint". Googling "calculate certificate thumbprint", I easily found the openssl command to display a thumbprint. Maybe replace "SSL certificate hash" with "SSL certificate thumbprint".
echoxxzz 22 Posted May 12, 2021
For example, here is a cert from Google, and it shows the term is actually called thumbprint.
Luke 39351 Posted June 12, 2021
On 5/11/2021 at 11:00 PM, echoxxzz said:
1. The plugin isn't using an LDAP URL, it just wants the server name or IP address. I kept using URL syntax (i.e. ldap://servername.com) and it kept failing until I just used the server name. Maybe replace "LDAP server url" with "LDAP server name or address".
2. In order to enable SSL the plugin is asking for a SHA1 hash of the certificate. I was literally trying to use the sha1 hash of the physical certificate .pem file. After I viewed a couple of certs in a web browser that was using an SSL connection, I discovered that the real term is called a certificate "thumbprint". Googling "calculate certificate thumbprint", I easily found the openssl command to display a thumbprint. Maybe replace "SSL certificate hash" with "SSL certificate thumbprint".
Thanks, we'll take a look.
Elegant 10 Posted November 25, 2021
Does this work with intermediate certificates? I noticed that there is a comma delimiter for the thumbprints, so I added both the root and intermediate CA thumbprints, but authentication remains unsuccessful. I tried swapping the thumbprint order, but that made no impact:
2021-11-25 11:53:22.449 Error UserManager: Error authenticating with provider LDAP
*** Error Report ***
Version: 4.6.7.0
Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
Operating system: Linux version 5.14.14-300.fc35.x86_64 (mockbuild@bkernel02.iad2.fedoraproject.org) (gcc (GCC) 11.2.1 20210728 (Red Hat 11.2.1-1), GNU ld version 2.37-
Framework: .NET Core 3.1.21
OS/Process: x64/x64
Runtime: system/System.Private.CoreLib.dll
Processor count: 2
Data path: /config
Application path: /system
System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
at LDAP.AuthenticationProvider.Authenticate(String username, String password)
at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
Source: LDAP
TargetSite: Void WaitAndUnwrap(System.Threading.Tasks.Task, Int32)
Please advise. Thanks!
echoxxzz 22 Posted November 25, 2021
I just use openssl to determine the server certificate that Emby uses and put that one in for the thumbprint.
openssl s_client -connect ldap.server.com:636
Elegant 10 Posted November 26, 2021
6 hours ago, echoxxzz said:
I just use openssl to determine the server certificate that Emby uses and put that one in for the thumbprint.
openssl s_client -connect ldap.server.com:636
Nailed it. Thanks!
Khalimerot 12 Posted May 8, 2022
Reviving a dead topic, but I'm in need. I have the same error:
System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
I'm working with a Synology directory service. I tried to get the thumbprint by exporting the cert.pem and using openssl:
openssl x509 -noout -fingerprint -sha1 -inform pem -in d:\cert.pem
But the given fingerprint does not work. And I tried the command given by Echoxxzz:
openssl s_client -connect my.syno.local:636
It shows information about the certificate used by the syno, but I can't see any thumbprint or fingerprint. Thank you.
echoxxzz 22 Posted May 8, 2022 (edited)
The command I gave just dumps the cert in x509 format. Either save it to a file or pipe it back into openssl using the -fingerprint option:
openssl s_client -connect my.syno.local:636 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
Edited May 8, 2022 by echoxxzz
Khalimerot 12 Posted May 8, 2022
OK, thanks for clarifying. The fingerprint key is the good one, but sadly, I still have the same error. I tried with xx:yy and xxyy formatting. The problem must come from somewhere else, but I don't find where.
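As an added example (not from the plugin or from any poster), here is the thumbprint handling the last few posts work through, in Python: fetch the server's leaf certificate the way `openssl s_client -connect host:636` does, compute the SHA-1 thumbprint over its DER bytes, and accept the configured value in either the `xx:yy` or the `xxyy` form, comma delimited as the plugin field is. All function names are my own, and the sample bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import socket
import ssl


def sha1_thumbprint(der_cert):
    """SHA-1 over the DER encoding: the same value `openssl x509 -fingerprint -sha1`
    prints, here as uppercase hex without colons."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def normalize_thumbprint(value):
    """Reduce 'AB:CD:..', 'ab:cd:..' or 'ABCD..' to bare uppercase hex so the two
    formats tried above compare equal."""
    return value.replace(":", "").replace(" ", "").upper()


def configured_thumbprints(setting):
    """Split the comma-delimited plugin setting into a set of normalized thumbprints."""
    return {normalize_thumbprint(v) for v in setting.split(",") if v.strip()}


def thumbprint_allowed(setting, der_cert):
    """The decision a thumbprint-pinning certificate validation callback makes:
    the certificate actually presented must match one configured thumbprint.
    A CA thumbprint only helps if the CA certificate itself is what is compared."""
    return sha1_thumbprint(der_cert) in configured_thumbprints(setting)


def fetch_leaf_cert_der(host, port=636):
    """Retrieve the leaf certificate the LDAPS server presents. Chain verification is
    disabled here on purpose (a self-signed cert would not pass it); this only reads the
    bytes to pin, so confirm the value on the server itself before configuring it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"abc"

if __name__ == "__main__":
    print(sha1_thumbprint(SAMPLE_DER))
```

To check a live server instead, call `fetch_leaf_cert_der("my.syno.local")` and pass the result to `thumbprint_allowed` with the value from the plugin's SSL certificate field.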
Khalimerot 12 Posted May 8, 2022
I was using the IP of my Synology and not its hostname. It's working with the hostname; now I just have to figure out the bind DN format.
echoxxzz 22 Posted May 8, 2022
The bind DN should be a dedicated account that you use for no other purpose than to enumerate directory users and groups. You need this account because most directories don't support anonymous logins.
Khalimerot 12 Posted May 9, 2022
Yes, I was searching for the formatting; I'm bad at understanding the DN syntax. I usually use dsquery on the Windows DC server to find it; with Synology it's a little different. I finally figured it out and everything works now. Thank you!
dedyms 2 Posted July 7, 2022 (edited)
So, any info on how to set up LDAPS with a self-generated cert properly? Other apps like Nextcloud, Jellyfin and Portainer have the "ignore SSL cert error" thing that makes LDAPS usable. In Emby I don't see the option, or even a type of connection? STARTTLS? TLS? On the other hand, I already use LDAP in Emby and am moving to LDAPS if possible. Thanks.
Edited July 7, 2022 by dedyms
Khalimerot 12 Posted July 7, 2022 (edited)
Did you try putting the "machine" domain name instead of the IP? The same as the one from your cert? Mine is: DS920.zordon.dom (local domain). The cert is self-generated by the Synology with the ds920.zordon.dom name and it's working nicely. But I had the same problem where it was not working when I was using the IP of the syno (my syno is my AD/LDAP server).
Edited July 7, 2022 by Khalimerot
dedyms 2 Posted July 7, 2022 (edited)
15 minutes ago, Khalimerot said:
Did you try putting the "machine" domain name instead of the IP? The same as the one from your cert? Mine is: DS920.zordon.dom (local domain). The cert is self-generated by the Synology with the ds920.zordon.dom name and it's working nicely. But I had the same problem where it was not working when I was using the IP of the syno (my syno is my AD/LDAP server).
Ah, I see, it needs to use the hostname instead of the IP; not an option for me then. Thanks for the info. I hope the LDAP plugin will get more attention. This is the Jellyfin LDAP setup, with so many available options; I thought Emby would get further, but that is not really the case.
Edited July 7, 2022 by dedyms