Santrex (Posted December 1, 2020)

Greetings! We have a question regarding the possibility of controlling the "List of Users of the Emby Server". We use Domain Authorization and manually create user accounts. But we noticed that "Any" User has the right to create an account in Emby if "LDAP Module" is enabled on the server (just by entering data on the login pages). And there is no tool to turn it off! This is a potential security hole.

We have 1000 accounts in AD and if the user receives a link to the Login Page, he can register on the server "Without our knowledge". We need to forcibly disable User Registration on the server. Only Administrators should be able to do this. Help us.

Luke (Posted December 1, 2020)

Hi, the user has to exist on your LDAP server, they can't just create new ones. Does that answer your question?

Santrex (Posted December 1, 2020)

9 minutes ago, Luke said:
> Hi, the user has to exist on your LDAP server, they can't just create new ones. Does that answer your question?

They of course exist as Users on my LDAP server. But there are many clients... who shouldn't be able to do that. Emby Server allows them to create an account bypassing the System Administrator. We are losing control.

Luke (Posted December 1, 2020)

To create an account where? It won't create a new account in your LDAP server.

Santrex (Posted December 1, 2020)

11 minutes ago, Luke said:
> Hi, the user has to exist on your LDAP server, they can't just create new ones. Does that answer your question?

I know that you can specify a specific AD OU "for" control. But the structure of AD is more complex. It is not good to regulate this only on the LDAP side. We would like to block "Registration" on the server by non-Administrators.

Luke (Posted December 1, 2020)

There is no registration feature in Emby Server.

Santrex (Posted December 1, 2020)

3 minutes ago, Luke said:
> To create an account where? It won't create a new account in your LDAP server.

The first login to the Emby server "Automatically" creates an LDAP Account (if such a user exists in AD). We have tested this many times. And "Any" LDAP User can "Register" himself in Emby.

Luke (Posted December 1, 2020)

The whole point of the LDAP plugin is to allow your AD users to log in. If you want to filter who can log in, then the plugin has settings to do this. And yes, those filter strings are complex, but they will get the job done if you use them properly.

Santrex (Posted December 1, 2020)

2 minutes ago, Luke said:
> There is no registration feature in Emby Server.

Yes, I know not! I've checked it myself many times. I deleted my Emby account and when I logged in it was back in the database. The LDAP Module can do this automatically.

Luke (Posted December 1, 2020)

Because the whole point of the LDAP plugin is to offload user authentication to your LDAP server. That's the way it was designed. It's not a new registration, it's just creating a record in Emby Server to match the user who just logged in. If the user exists on your LDAP server, then they can log in with Emby. If you want to restrict which LDAP users can log in, then use the filters in the plugin settings.

Luke (Posted December 1, 2020)

Just to entertain this idea, yes it is possible to add an option in the plugin to only allow users to log in who already exist (with the same name) in Emby Server. That means you'd have to create users in Emby Server manually that match the LDAP users. So yes that is technically possible, but if you need this immediately then the LDAP filters are something you can use today that will accomplish the same thing.

Santrex (Posted December 1, 2020, edited December 1, 2020)

8 minutes ago, Luke said:
> Just to entertain this idea, yes it is possible to add an option in the plugin to only allow users to log in who already exist (with the same name) in Emby Server. That means you'd have to create users in Emby Server manually that match the LDAP users. So yes that is technically possible, but if you need this immediately then the LDAP filters are something you can use today that will accomplish the same thing.

You got the idea right. While we are using the API for monitoring and deleting "unnecessary" accounts. We ask if you can add this in the future to the LDAP Plugin. We Must Register Emby Users only personally. Thanks!

Luke (Posted December 1, 2020)

Yes it's possible for the future. Thanks.

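The two controls discussed in this thread, as an added example that is not code from Emby or from either poster: an Active Directory filter that limits login to enabled members of one group (the filter approach Luke recommends), and a check for Emby accounts the administrator did not approve (the monitoring Santrex describes). The group DN, the account names and the `Name`/`Id` record fields are constructed or assumed, and how the plugin combines the filter with the login name is not covered.

```python
import re

# AD matching-rule OIDs (Microsoft-defined, used in extensible-match filters).
IN_CHAIN = "1.2.840.113556.1.4.1941"   # membership through nested groups
BIT_AND = "1.2.840.113556.1.4.803"     # bitwise AND on integer attributes

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def emby_login_filter(group_dn):
    """Match enabled AD user objects that are (transitively) in group_dn."""
    dn = escape_filter_value(group_dn)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:{IN_CHAIN}:={dn})"
            f"(!(userAccountControl:{BIT_AND}:=2)))")   # 2 = ACCOUNTDISABLE

def normalize(name):
    """Reduce DOMAIN\\user or user@domain to a lower-case bare account name."""
    return re.sub(r"^.*\\|@.*$", "", name).strip().lower()

def unexpected_accounts(emby_users, approved):
    """Return Emby accounts whose name is not on the administrator's list."""
    allowed = {normalize(n) for n in approved}
    return [u["Name"] for u in emby_users if normalize(u["Name"]) not in allowed]

# Constructed sample data (hypothetical group, users and record layout).
GROUP_DN = "CN=Emby Users (Media),OU=Groups,DC=corp,DC=example"
APPROVED = ["alice", "bob"]
EMBY_USERS = [
    {"Name": "Alice", "Id": "1"},
    {"Name": "CORP\\bob", "Id": "2"},
    {"Name": "carol@corp.example", "Id": "3"},   # first-login record, not approved
]

if __name__ == "__main__":
    print(emby_login_filter(GROUP_DN))
    print(unexpected_accounts(EMBY_USERS, APPROVED))
```

Restricting by group membership keeps the decision in AD without depending on the OU layout, and the audit function gives a list to review before any account is deleted.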