LDAP plugin did not work with existing/old users

Posted August 17, 2019 · August 17, 2019

Hello all,

i bought emby because the ldapplugin. I configured and it works fine, but only with user who have never had an account in Emby. I've changed existing users to ldap, or deleted this users, add this users again "with ldap" but same, unable to login, so i think there are discrepancy with the old non existing local accounts. Embyversion 4.2.1.0. Here is the log if i would like to login.

2019-08-17 02:33:59.485 Info HttpServer: HTTP POST https://stream.supertux.lan:8920/emby/Users/authenticatebyname. UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.87 Chrome/76.0.3809.87 Safari/537.36
2019-08-17 02:33:59.518 Error UserManager: Error authenticating with provider LDAP
        *** Error Report ***
        Version: 4.2.1.0
        Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
        Operating system: Unix 5.0.15.1
        64-Bit OS: True
        64-Bit Process: True
        User Interactive: True
        Runtime: file:///opt/emby-server/system/System.Private.CoreLib.dll
        Processor count: 8
        Program data path: /var/lib/emby
        Application directory: /opt/emby-server/system
        Novell.Directory.Ldap.LdapException: LdapException: Invalid Credentials (49) Invalid Credentials
        LdapException: Matched DN: 
        Source: LDAP
        TargetSite: Void ChkResultCode()

2019-08-17 02:33:59.518 Info HttpClient: POST https://connect.emby.media/service/user/authenticate
2019-08-17 02:34:00.123 Info UserManager: Authentication request for sandra has been denied.
2019-08-17 02:34:00.123 Warn HttpServer: AUTH-ERROR: 2001:470:1e4b:569:54e5:727a:9bbb:f4f9 - Invalid user or password entered.
2019-08-17 02:34:00.123 Error HttpServer: Invalid user or password entered.

It looks like the user is wrong, or password is wrong, or user is in the wrong group, but everything on LDAP-Server is ok. Because other "new" users are working fine.

Thanks a lot

Posted August 17, 2019 · August 17, 2019

Hi, according to that log it is trying to use ldap. I'm not sure what the issue might be. Do you have an ldap user with the same name?

Posted August 17, 2019 · August 17, 2019

Yes i have. Ldapuser with the same name. What i do?

Add an LDAPuser in Active Directory. Add this user to the group "embyserver-stream". Nothing more. No i'am able to login in the emby webinterface. After the first login the user is listed automaticly in the userlist and can configured already from the administrator. But this works only with users the who have never logged in to the Emby server (before ldap plugin).

Posted August 18, 2019 · August 18, 2019

Well I believe you, I just think something else is going on because I've never seen this reported before. Are you sure you entered the right credentials? Is it possible the browser autocomplete created a problem here?

Posted August 20, 2019 · August 20, 2019

This is very strange, this day i created new users in AD and they also didn't work. Strange, always "Invalid Credentials". I think that some users were work was an cashproblem, or something else... The ldapserver is a Univention UCS Server. So it works only on port 7389 and for SSL 7636. On port 7389 it says "Invalid Credentials". On Port 7636 it says "The remote certificate is invalid according to the validation procedure." On this port all other connections like CheckMK works fine. And the certifikate is installed in trusted systemstore. Works other application like apache2 fine. I also set the CA there: "/etc/ldap/ldap.conf" because some webstuff should look there too. And i setuped the field "SSL certificate hash (SHA1)" too.

Somewhere should probably be a mistake. Maybe the SHA1. I converted with: "openssl dgst -sha1 mycert.crt"

Posted August 20, 2019 · August 20, 2019

That's interesting. Thanks for the info.

Posted August 20, 2019 · August 20, 2019

Ok, i tested this on a completly default plain Ubuntuldap. Without cert, auth and .... And the auth with emby did not work. So either I understand something completely wrong, or there is a bug here. Can you check this please? Thanks a lot.

Here are the Log from the LDAPserver. You can see that emby connect to:

Aug 20 19:34:03 ldap-test slapd[10622]: conn=1000 fd=12 ACCEPT from IP=192.168.33.1:36563 (IP=0.0.0.0:389)
Aug 20 19:34:03 ldap-test slapd[10622]: conn=1000 op=0 BIND dn="" method=128
Aug 20 19:34:03 ldap-test slapd[10622]: conn=1000 op=0 RESULT tag=97 err=0 text=
Aug 20 19:34:03 ldap-test slapd[10622]: conn=1000 op=1 SRCH base="dc=supertux,dc=cc" scope=2 deref=0 filter="(objectClass=*)"
Aug 20 19:34:03 ldap-test slapd[10622]: conn=1000 op=1 SRCH attr=memberOf displayName sAMAccountName
Aug 20 19:34:03 ldap-test slapd[10622]: conn=1000 op=2 BIND dn="dc=supertux,dc=cc" method=128
Aug 20 19:34:03 ldap-test slapd[10622]: conn=1000 op=2 RESULT tag=97 err=49 text=
Aug 20 19:34:03 ldap-test slapd[10622]: conn=1000 op=3 ABANDON msg=23
Aug 20 19:34:03 ldap-test slapd[10622]: conn=1000 fd=12 closed (connection lost)

Interessting is "RESULT tag=97 err=49 text="

Edited August 20, 2019 by looking111

Posted August 20, 2019 · August 20, 2019

Are you able to see the password that was sent?

Posted August 20, 2019 · August 20, 2019

No, not, this is encrypted. Tested with some user like maxi44 and Password 123

Posted August 24, 2019 · August 24, 2019

Are you still running into this?

Posted August 24, 2019 · August 24, 2019

Yes. Hmm. Can we test this with an fresh emby installation, can i put my emby key on a test installation too? Maybe my emby have an issue, or ldapplugin is broken.

Posted August 27, 2019 · August 27, 2019

Finally, i found the problem. It is an syntaxerror in my embyldapconfig.

Important: This must contain {0} in order to allow specific user lookups.

So i tested some filter, but i have not enouthg experience with ldapfilter. So other interface i have this, example:

(memberof=cn=embyserver-stream,cn=groups,dc=supertux,dc=lan)

Can you help me to build in the {0} please? thanks

Posted August 27, 2019 · August 27, 2019

Thanks for the feedback ! I would suggest adding that question here:

https://emby.media/community/index.php?/topic/56793-ldap-plugin/

There are some more knowledgeable ldap users in that topic. Thanks.

Posted August 28, 2019 · August 28, 2019

It is now solved: https://emby.media/community/index.php?/topic/56793-ldap-plugin/page-12&do=findComment&comment=781575

YEAH

LDAP plugin did not work with existing/old users

Recommended Posts

looking111 8

Link to comment

Share on other sites

Luke 37060

Link to comment

Share on other sites

looking111 8

Link to comment

Share on other sites

Luke 37060

Link to comment

Share on other sites

looking111 8

Link to comment

Share on other sites

Luke 37060

Link to comment

Share on other sites

looking111 8

Link to comment

Share on other sites

Luke 37060

Link to comment

Share on other sites

looking111 8

Link to comment

Share on other sites

Luke 37060

Link to comment

Share on other sites

looking111 8

Link to comment

Share on other sites

looking111 8

Link to comment

Share on other sites

Luke 37060

Link to comment

Share on other sites

looking111 8

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Activity