asdfqwerasdf 0 Posted January 29, 2024 Posted January 29, 2024 Hi All, I have succesfully configured the LDAP plugin against Authetik and I'm happy with it. However, I have a few users that were present before LDAP was configured. I noticed that if there is a local user it will have precedence over LDAP. I'm wondering, is there a way to migrate a user to be an LDAP user (assuming the LDAP user already exist in the LDAP server) without loosing settings and watch history of the user? Thanks
Luke 42080 Posted January 29, 2024 Posted January 29, 2024 HI, you can select in emby user setup which login provider they need to login with, on a per user basis.
asdfqwerasdf 0 Posted January 29, 2024 Author Posted January 29, 2024 Hi Luke, thanks for answering Is this a beta thing? I'm going to ⚙ → users → pick some user; but I find nothing related in Profile, Access, Parental control nor in Password. Thx
Luke 42080 Posted January 29, 2024 Posted January 29, 2024 No, it's been around since we introduce LDAP.
asdfqwerasdf 0 Posted January 29, 2024 Author Posted January 29, 2024 Sounds like I'm making some kimd of very fundamental mistake. Could you please point me how to get to this option? Thanks
Luke 42080 Posted January 30, 2024 Posted January 30, 2024 It's called Authentication Provider and is on the main user edit screen. So just click on a user in the Users list. It's not going to show up for admin users though. Admins have to stick with the default Emby Server login provider.
Luke 42080 Posted January 31, 2024 Posted January 31, 2024 19 hours ago, asdfqwerasdf said: Oh, that explains it. Thanks. The reason for this is that one wrong move or any problems with your ldap server could lead to you being locked out of our emby server entirely. This is why admin users stay on the internal login provider.
asdfqwerasdf 0 Posted February 29, 2024 Author Posted February 29, 2024 This is 100% fair. Just, for me personally goes against the least-atonishment principle and it is mildly bothersome, as I don't want to remember nor rotate local credentials, and would be just happier with an ldap query for admins and an ldap query for users or something in that ballkpark.
Luke 42080 Posted February 29, 2024 Posted February 29, 2024 12 hours ago, asdfqwerasdf said: This is 100% fair. Just, for me personally goes against the least-atonishment principle and it is mildly bothersome, as I don't want to remember nor rotate local credentials, and would be just happier with an ldap query for admins and an ldap query for users or something in that ballkpark. Are you also volunteering to do tech support for when users can't login to their server either due to a configuration error or problem on their ldap server That is the biggest issue. If we're going to offer that sort of thing, then there has to be a way for users to climb out of that hole. And this is especially hard given the reliance on external software as well as the ldap configuration, that means the server won't always be able to determine what the problem is.
asdfqwerasdf 0 Posted June 10, 2024 Author Posted June 10, 2024 Your support point is 100% fair. Just for whatever is worth, I would have perhaps done it more like audiobookshelf, which allows for a bypass of OIDC (or any other external identity for that matter) with a URL query parameter: https://www.audiobookshelf.org/guides/oidc_authentication/#bypassing-sso-redirect
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now