Jump to content

LDAP Configuration


CChris

Recommended Posts

CChris

Hi, I don't want to 'spam' the existing topic for the LDAP Plugin with my current issue, since I think, the existing Topic is already hard to follow...

 

I have setup an Samba4 Server and configured the LDAP Plugin for the User-Login accordingly.

5d25c4e38a2ff_2019071012_57_58Plugins.pn

The whole User-Search Filter is:

(&(sAMAccountName={0})(&(objectCategory=user)(!(userAccountControl=514))(memberof=cn=emby-users,OU=Groups,OU=Home,DC=home,DC=caina,DC=de)))

 

All of this is working fine - My AD Structure is like this:

5d25c574646b8_2019071012_59_53ActiveDire
5d25c5816be8c_2019071013_00_38ActiveDire

Nearly everything is working as expected - Users, that are in the Group "Emby-Users" will have access to Emby, users, which are not in that Group do not have access to Emby.

Except of one thing:

Users of the Group "Emby-Users" have only access to Emby, if they are also within the default Group of "Domain Users" and if "Domain Users" is set as their Primary Group.
As soon as I remove the User from the "Domain Users" Group, they do not have access to Emby anymore...

But, this is a requirement, since some users are "external" users and should not be part of the Domain Users Group like some others.

 

Sure, this isn't an issue from Emby - but maybe, someone will have an Idea where I could / should have a look - to get this kind of configuration work...??

 

The Emby Log is showing "user not found" when I try to login a user that is not part of the Domain Users default group

 

Thanks and with best regards,
Christoph

Edited by CChris
Link to comment
Share on other sites

Hi, given that this plugin targets a niche audience, unfortunately spamming that thread might be the best way to get the attention of knowledgeable users who can help with this. You could just link to here instead of re-posting the entire thing though. Thanks.

Link to comment
Share on other sites

CChris

Hi all,

Just a short update:
 

I have setup another service which does also authenticate users against my LDAP.
There, the above setup is nearly the same - and does work like expected:

 

5d270abbd77dd_2019071112_07_25Check_MKLo
 

Link to comment
Share on other sites

Elegant

Receiving the below error when using a SSL certificate, is there an issue with how the checksum works? I am attempting to authenticate with the administrator account for testing purposes. Thanks!

019-07-11 11:47:59.498 Error UserManager: Error authenticating with provider LDAP
	*** Error Report ***
	Version: 4.1.1.0
	Command line: /system/EmbyServer.dll -programdata /config -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Unix 5.0.10.300
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Runtime: file:///system/System.Private.CoreLib.dll
	Processor count: 2
	Program data path: /config
	Application directory: /system
	System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
	   at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
	   at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
	   at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
	   at LDAP.AuthenticationProvider.Authenticate(String username, String password)
	   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
	Source: LDAP
	TargetSite: Void WaitAndUnwrap(System.Threading.Tasks.Task, Int32)

5d275b89685f2_EmbyLDAP.png

Edited by Elegant
Link to comment
Share on other sites

Elegant

The wrong way apparently. I thought that it was meant to be the certificate hash of the CA not the certificate hash of the server certificate. All good now. Thanks!

Edited by Elegant
Link to comment
Share on other sites

  • 1 year later...
echoxxzz
On 12/07/2019 at 09:23, Elegant said:

The wrong way apparently. I thought that it was meant to be the certificate hash of the CA not the certificate hash of the server certificate. All good now. Thanks!

This plugin needs some cosmetic work:

1. It doesn't use an LDAP Server URL (i.e. ldaps://dc.domain.com), it just wants the server name.

2. It really wants the Certificate Fingerprint (yes that's what it's called) which you can get using openssl:

     openssl x509 -noout -fingerprint -sha1 -inform pem -in cert.pem | cut -d = -f 2 -s | tr -d :

Hopes this helps others trying to connect to LDAP.

Edited by echoxxzz
Link to comment
Share on other sites

  • 2 weeks later...
On 4/30/2021 at 10:50 PM, echoxxzz said:

This plugin needs some cosmetic work:

1. It doesn't use an LDAP Server URL (i.e. ldaps://dc.domain.com), it just wants the server name.

2. It really wants the Certificate Fingerprint (yes that's what it's called) which you can get using openssl:

     openssl x509 -noout -fingerprint -sha1 -inform pem -in cert.pem | cut -d = -f 2 -s | tr -d :

Hopes this helps others trying to connect to LDAP.

Hi, what areas of the configuration screen are you referring to?

Link to comment
Share on other sites

echoxxzz

1. The plugin isn't using an LDAP URL it just wants the server name or IP address. I kept using URL syntax (ie. ldap://servername.com) and it kept failing until I just used the server name. Maybe replace "LDAP server url" with "LDAP server name or address".

2. In order to enable SSL the plugin-in is asking for a SHA1 hash of the certificate. I was literally trying to use the sha1 hash of the physical certificate .pem file. After I viewed a couple of certs in a web browser that was using an SSL connection I discovered that the real term is called a certificate "thumbprint". Googling "calculate certificate thumbprint" and I easily found the  openssl command to display a thumbprint. Maybe replace "SSL certificate hash" with "SSL certificate thumbprint".

 

 

 

Capture.PNG

Link to comment
Share on other sites

echoxxzz

For example here is cert from Google and it shows the term in actually called thumbprint.

 

Capture.PNG

Link to comment
Share on other sites

  • 1 month later...
On 5/11/2021 at 11:00 PM, echoxxzz said:

1. The plugin isn't using an LDAP URL it just wants the server name or IP address. I kept using URL syntax (ie. ldap://servername.com) and it kept failing until I just used the server name. Maybe replace "LDAP server url" with "LDAP server name or address".

2. In order to enable SSL the plugin-in is asking for a SHA1 hash of the certificate. I was literally trying to use the sha1 hash of the physical certificate .pem file. After I viewed a couple of certs in a web browser that was using an SSL connection I discovered that the real term is called a certificate "thumbprint". Googling "calculate certificate thumbprint" and I easily found the  openssl command to display a thumbprint. Maybe replace "SSL certificate hash" with "SSL certificate thumbprint".

 

 

 

Capture.PNG

Thanks, we'll take a look.

Link to comment
Share on other sites

  • 5 months later...
Elegant

Does this work with intermediate certificates? I noticed that there is a comma delimiter for the thumbprints so I added both the root and intermediate CA thumbprints but authentication remains unsucessful. I tried swapping the thumbprint order but that made no impact:

2021-11-25 11:53:22.449 Error UserManager: Error authenticating with provider LDAP
	*** Error Report ***
	Version: 4.6.7.0
	Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Linux version 5.14.14-300.fc35.x86_64 (mockbuild@bkernel02.iad2.fedoraproject.org) (gcc (GCC) 11.2.1 20210728 (Red Hat 11.2.1-1), GNU ld version 2.37-
	Framework: .NET Core 3.1.21
	OS/Process: x64/x64
	Runtime: system/System.Private.CoreLib.dll
	Processor count: 2
	Data path: /config
	Application path: /system
	System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
	   at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
	   at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
	   at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
	   at LDAP.AuthenticationProvider.Authenticate(String username, String password)
	   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser, CancellationToken cancellationToken)
	Source: LDAP
	TargetSite: Void WaitAndUnwrap(System.Threading.Tasks.Task, Int32)
	

Please advise.

 

Thanks!

Link to comment
Share on other sites

echoxxzz

I just use openssl to determine the server certificate that Emby uses and put that one in for the thumbprint.

openssl s_client -connect ldap.server.com:636

Link to comment
Share on other sites

  • 5 months later...
Khalimerot

Reviving a dead topic, but i'm in need.

I have the same error :

System.Security.Authentication.AuthenticationException: System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

I'm working with a Synology directory service.

I tried to get the thumbprint by exporting the cert.pem and using openssl :

openssl x509 -noout -fingerprint -sha1 -inform pem -in d:\cert.pem

But the given fingerprint do not work.

And i tried the command given by Echoxxzz

openssl s_client -connect my.syno.local:636

It shows informations about the certificate use by the syno, but i can't see any thumbprint or fingerprint.

Thank you.

Link to comment
Share on other sites

echoxxzz

The command I gave just dumps the cert in x509 format. Either save it to a file or pipe it back into openssl using the -fingerprint option:

openssl s_client -connect my.syno.local:636 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

Edited by echoxxzz
Link to comment
Share on other sites

Khalimerot

OK, thank for claryfing

The fingerprint key is the good one, but sadly, i still have the same error.

I tried with xx:yy and xxyy formating.

The problem must come from somewhere else, but i don't find where.

Link to comment
Share on other sites

Khalimerot

Was using the ip of my synology and not it's hostname.

It's working with the hostname, now i just have to figure out the bind DN format.

Link to comment
Share on other sites

echoxxzz

The bind DN should be a dedicated account that you use for no other purpose than to enumerate directory users and groups. You need this account because most directories don't support anonymous logins.

Link to comment
Share on other sites

Khalimerot

Yes, i was searching the formating, i'm bad at understanding the DN syntax. :)

I usually use dsquery on the windows DC server to find it, with synology it's a little different.

I finally figure it out and everything works now.

Thank you!

  • Thanks 1
Link to comment
Share on other sites

  • 1 month later...
dedyms

So any info how to setup LDAPS with self generated cert properly? Other apps like nextcloud, jellyfin, portainer had the ignore ssl cert error thing that make LDAPS can be used. In emby i dont see the options or even type of connection? STARTTLS? TLS?

On other hand i already use LDAP in emby and in moving to LDAPS if possible. thanks.

 

 

2022-07-07-235339_874x826_scrot.png

Edited by dedyms
Link to comment
Share on other sites

Khalimerot

Did you try by putting the "machine" domain name instead of the IP? 

The same as the one from your cert? 

Mine is : DS920.zordon.dom (local domain)

And the cert is self generated by the synology with ds920.zordon.dom name and it's working nicely.

But i had the same problem where it was not working when i was using the ip of the syno (my syno is my AD/LDAP server)

 

image.png.61a6a166bbf59dc716a72deb562294d1.png

Edited by Khalimerot
  • Like 1
Link to comment
Share on other sites

dedyms
15 minutes ago, Khalimerot said:

Did you try by putting the "machine" domain name instead of the IP? 

The same as the one from your cert? 

Mine is : DS920.zordon.dom (local domain)

And the cert is self generated by the synology with ds920.zordon.dom name and it's working nicely.

But i had the same problem where it was not working when i was using the ip of the syno (my syno is my AD/LDAP server)

 

image.png.61a6a166bbf59dc716a72deb562294d1.png

ah i see, it need using hostname instead IP, not an option for me then. Thanks for the info. I hope LDAP plugin will get more attention more. This is jellyfin LDAP setup, so many available options, when i thought emby will get further but not really the case.

 

2022-07-07-235421_957x795_scrot.png

Edited by dedyms
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...