
Khalimerot
Posted

Yes, I mean the hostname, sorry.

Why is it not an option? Even if you don't have a DNS server at home, you can still edit the hosts file to point the hostname to the target LDAP machine :)

Posted

Sorry for the late reply. The issue itself is not the IP but the self-signed certificate. While other apps have the option to ignore this kind of error, Emby doesn't.

```
2022-07-11 10:42:03.210 Error LDAP: Ssl certifiate error RemoteCertificateNameMismatch, RemoteCertificateChainErrors
2022-07-11 10:42:03.213 Error UserManager: Error authenticating with provider LDAP  
```

Khalimerot
Posted (edited)

Here the error says the name is a mismatch.

Which means you have a certificate for hostname X, but you are trying to connect with IP or hostname Y.

That's the problem I had: my LDAP server had a self-signed certificate with hostname ldap.xxx.local

and my Emby was connecting with the IP. It worked the moment I changed the address in Emby to ldap.xxx.local and created the record on my DNS server.

I'm pretty sure that if you manage to have the same hostname on your certificate and on the address Emby calls, it will work. My certificate is also a self-signed one.

But for that you will need a local DNS server, or to edit the hosts file of the Emby server.

Edited by Khalimerot
Posted
1 hour ago, Khalimerot said:

> Here the error says the name is a mismatch.
>
> Which means you have a certificate for hostname X, but you are trying to connect with IP or hostname Y.
>
> That's the problem I had: my LDAP server had a self-signed certificate with hostname ldap.xxx.local
>
> and my Emby was connecting with the IP. It worked the moment I changed the address in Emby to ldap.xxx.local and created the record on my DNS server.
>
> I'm pretty sure that if you manage to have the same hostname on your certificate and on the address Emby calls, it will work. My certificate is also a self-signed one.
>
> But for that you will need a local DNS server, or to edit the hosts file of the Emby server.

It is working now, thanks for the hint. tl;dr: the cert was not generated properly. 🤦‍♂️

Posted

Thanks for the feedback.

  • 1 year later...
Posted

I share my config with Authentik LDAP :)

LDAP server address: ipfromldapserver
LDAP server Port number: (3)389

Bind DN: cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io
Bind credentials: your_ldapservice_user_password
User search base: dc=ldap,dc=goauthentik,dc=io
User search filter: (sAMAccountName={0})

Greets ❤️

  • 5 months later...
linedpaper
Posted

Or to filter by group with Authentik, modify for your domain/group

(&(sAMAccountName={0})(memberOf=CN=EmbyUsers,ou=groups,dc=authentik,dc=io))

  • 5 months later...
Posted

Here are my experiences setting up LDAP access with Active Directory on Synology. I wasted 2 hours finding the correct parameters; maybe this saves you the pain.

 

1. LDAP server address

Use the server address you find in Synology's DSM Control Panel - Security - Certificates. Choose the certificate which is used by Active Directory.
You usually find it easily, as its name is DISKSTATIONHOSTNAME.DOMAINFORACTIVEDIRECTORY and it is self-signed.
(Download the certificate, you need it later.)

Do NOT use ldap:// as prefix, it won't work! Just the bare server name.
Do NOT use the IP address, as it will cause a certificate error later (I learned it the hard way).

I have here diskstation.mydomain.local

2. LDAP server Port number:

You need 636. If you select the unsecured port, it will fail due to insufficient security.
I got the following error: "ldapexception: strong authentication required (8) strong authentication required".

3. Activate SSL

4. SSL certificate thumbprint (SHA1):

You need the fingerprint of the certificate of the Active Directory server. It was difficult to find out, but here's a reliable way.
Attention - I have a localized Windows, so my translated English terms may be slightly different.

  • Open the Microsoft Management Console on Windows (WIN+R - mmc.exe)
  • Load the Certificates snap-in (File - Add Snap-in - Certificates)
  • Open "Own certificates" - "Certificates".
  • Right-click on an empty space in the right section of the MMC and choose All Tasks - Import.
  • Select the certificate you downloaded in #1 above.
  • It should now be imported.
  • Open the certificate (double click on it) and select Details.
  • At the bottom, you should find the searched Fingerprint.
  • Click on the fingerprint list entry and copy the fingerprint ID with CTRL-C
  • Paste it in Emby
  • Now you may delete the certificate in the MMC and close it.
  • --> Taken from

I tried an online tool, but it gave me a wrong fingerprint.
I got the following error: "ldapexception: The remote certificate was rejected by the provided remotecertificatevalidationcallback".
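The two failure modes in this thread, the name mismatch from the earlier posts and the rejected thumbprint from step 4, can both be checked before touching Emby. The following is an added example (not code from Emby, Synology or any poster here), Python 3 standard library only: it fetches the certificate an LDAPS server presents, computes the SHA-1 thumbprint that MMC displays, and, given the downloaded self-signed .pem, runs a strict verification and reports whether the name check or the chain check fails. Host, port and the .pem path are assumptions you pass on the command line; SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
"""Inspect the LDAPS certificate Emby will see (added example, stdlib only).

usage: python ldaps_check.py <host-or-ip> [port] [downloaded-cert.pem]
  - prints the SHA-1 thumbprint of the certificate the server presents
  - if a .pem is given, verifies strictly against it and names the failing check
Host, port and the .pem path are assumptions supplied by you.
"""
import base64
import hashlib
import re
import socket
import ssl
import sys

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# CONSTRUCTED stand-in, not a real certificate: the body is base64 of b"abc",
# so the thumbprint can be checked against SHA-1("abc").
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha1_thumbprint(pem: str) -> str:
    """SHA-1 over the DER encoding: this is what MMC labels 'Thumbprint'."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def fetch_server_pem(host: str, port: int = 636) -> str:
    """Fetch the leaf certificate the server presents (no verification here)."""
    return ssl.get_server_certificate((host, port))


def classify_tls(host: str, port: int, cafile: str) -> str:
    """Verify host:port strictly against `cafile` and name the failing check.

    Returns "ok", "name-mismatch" (certificate issued for a different name
    than the one you connect with), "chain-error: ..." (the certificate does
    not chain to `cafile`), or "connect-error: ...".
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as err:
        # OpenSSL verify codes: 62 = hostname mismatch, 64 = IP address mismatch
        if err.verify_code in (62, 64):
            return "name-mismatch"
        return f"chain-error: {err.verify_message}"
    except OSError as err:
        return f"connect-error: {err}"


def main(argv: list) -> int:
    if len(argv) < 2:
        print(__doc__)
        return 2
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 636
    pem = fetch_server_pem(host, port)
    print("SHA-1 thumbprint:", sha1_thumbprint(pem))
    if len(argv) > 3:
        print("verification:", classify_tls(host, port, argv[3]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the exact address you type into Emby: a "name-mismatch" result with the hostname means the certificate was issued for a different name (the cause in the first half of this thread), and a thumbprint that differs from what an online tool produced means the tool hashed something other than the DER bytes the server actually sends.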

5. Bind DN

I suggest creating a new user in Active Directory without permissions to do anything, for security reasons.
Then enter the user's DN; in my case it is CN=EmbyAuthUser,CN=Users,DC=mydomain,DC=local

You may use AD Explorer from Sysinternals (Microsoft) to find the correct name [2].

6. Bind credentials:

Just the password of the user you selected as Bind DN.

7. User search base:

Simply enter the domain base. It's usually the last part of the Bind DN. In my case: DC=mydomain,DC=local

8. User search filter:

For Active Directory, use this: (&(CN={0}))

I'm trying to figure out how I can limit access to members of my specific group grp_EmbyUsers, but that's still a challenge.
The examples above did not work so far. Maybe I'll find it later.
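To see what these filters actually become at login time, here is an added example (not Emby's code): Emby replaces {0} with the name typed at the login screen, and this script models that substitution with RFC 4515 escaping so that filter metacharacters in the typed name stay literal. It also lists the filter templates from this thread side by side. The AD group filter is an assumption: it uses the grp_EmbyUsers name and DC=mydomain,DC=local from the post above, but places the group under CN=Users, which is only the Active Directory default container; confirm the real DN with AD Explorer or ldp.exe. One caveat worth knowing when comparing the filters: in Active Directory, sAMAccountName is the logon name, while CN is normally the display name, so the two templates may match different attributes.

```python
"""Model Emby's LDAP user search filter once {0} is filled in (added example).

Not Emby's code. Shows the RFC 4515 escaping a login name needs before it is
placed inside a filter, and the templates discussed in this thread.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Filter templates from this thread
AD_BY_NAME = "(&(sAMAccountName={0}))"
AUTHENTIK_BY_GROUP = (
    "(&(sAMAccountName={0})(memberOf=CN=EmbyUsers,ou=groups,dc=authentik,dc=io))"
)
# ASSUMED Active Directory variant: group container CN=Users is the AD default,
# not something confirmed in the thread; check the real group DN in AD Explorer.
AD_BY_GROUP = (
    "(&(sAMAccountName={0})"
    "(memberOf=CN=grp_EmbyUsers,CN=Users,DC=mydomain,DC=local))"
)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def naive_substitute(template: str, username: str) -> str:
    """Replace {0} verbatim: shown only to contrast with build_filter."""
    return template.replace("{0}", username)


def build_filter(template: str, username: str) -> str:
    """Replace {0} with the escaped login name, as a safe client should."""
    return template.replace("{0}", escape_filter_value(username))


def wildcard_count(ldap_filter: str) -> int:
    """Count unescaped '*' in a filter; a login filter for one user needs none."""
    return ldap_filter.count("*")


if __name__ == "__main__":
    for name in ("jdoe", "j*doe"):
        print("naive  :", naive_substitute(AD_BY_GROUP, name))
        print("escaped:", build_filter(AD_BY_GROUP, name))
```

The wildcard check is the practical test: after escaping, a typed name can never turn the per-user lookup into a wildcard search, which is the property you want from whichever template you end up using.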

9. Login

Now you should be able to log in with your AD username and password.

Do NOT use the domain as prefix, i.e. mydomain.local\username; this will not work! Just use the bare user name and password.

Happy watching!

 

Remarks:

To test everything, Microsoft's ldp tool was very helpful (WIN+R - ldp.exe). With this and the web page of Kemp Technologies [3],
I played around with parameters until I got something that worked. You need File - Connect to test the server,
File - Bind to test the binding above (access to read data in AD), and Search to find a search filter.

Links:

[1] https://learn.microsoft.com/de-de/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in

[2] https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer

[3] https://support.kemptechnologies.com/hc/en-us/articles/204990569--How-to-troubleshoot-LDAP-Authentication-issues-using-ldp-exe

 

Posted

Hi,

Thank you for the detailed post on your setup.
I'm sure it will benefit many other users!

Carlo
