Centralized Authentication Functionality (LDAP/SSO/HTML Header/RADIUS) [DEVELOPMENT STARTED]

Posted

Edit, no need for PM, please see my previous post for a link to the testing thread. Thanks.

Untoten
Posted (edited)

These are the settings that are available in the plugin setup screen:

https://emby.media/community/index.php?/topic/56793-ldap-plugin/?p=553487

@Luke My god this is amazing, I want to cry. I will try this when I am back in the States. Two questions:

  • What is the current user sync workflow?
  • A few of my systems have 100+ users who have set their own passwords, do you have any way to get the user credentials so we can manually add the users to our AD or a tool to do this?
Edited by Untoten
Posted

This is great, guys! Working like a charm with OpenLDAP.

Is there a way not to show the users on the login screen by default?

Untoten
Posted

This is great, guys! Working like a charm with OpenLDAP.

Is there a way not to show the users on the login screen by default?

That is what I am hoping comes of this.  All user settings global with inheritance from group.

Posted

Please take specific questions and troubleshooting of the implementation to the beta thread.

 

Thanks.

Posted

 

@Luke My god this is amazing, I want to cry. I will try this when I am back in the States. Two questions:

  • What is the current user sync workflow?
  • A few of my systems have 100+ users who have set their own passwords, do you have any way to get the user credentials so we can manually add the users to our AD or a tool to do this?

 

 

There is no sync. You just log in and the user gets created on the Emby side.

  • Like 1
Posted

This is great, guys! Working like a charm with OpenLDAP.

Is there a way not to show the users on the login screen by default?

 

We will defer this to other feature requests, but yes. When the user gets automatically created, what we ought to have is the ability for you to specify the default set of settings that they get created with.

 

So having those defaults for new users, that's something that can just go into the core server so that it benefits everyone.

  • Like 1
Untoten
Posted

There is no sync. You just log in and the user gets created on the Emby side.

What about 'transferring' existing users to LDAP from Emby?

Posted (edited)

What about 'transferring' existing users to LDAP from Emby?

I doubt that will be implemented as that is a lot more effort than it's worth. You can do so manually, but only in the unlikely case that the Emby password hash/salt method is compatible with your LDAP server.

Edited by mueslo
Posted

Is it even necessary to transfer? I suppose the only reason would be to configure the user accounts before they are actually used. But is there any other reason beyond that?

Untoten
Posted (edited)

Is it even necessary to transfer? I suppose the only reason would be to configure the user accounts before they are actually used. But is there any other reason beyond that?

Mostly the fact that all the users have self-set passwords (I do not know them). Since I could not enter an email for the users (the attribute only exists for Emby Connect) to send a recovery email, I would have to figure out who each person is and their contact. I can do it if needed, I am grateful this is being implemented at all, it was more food for thought. Again, I am so so so happy this day is here now.

Edited by Untoten
Posted

Mostly the fact that all the users have self-set passwords (I do not know them). Since I could not enter an email for the users (the attribute only exists for Emby Connect) to send a recovery email, I would have to figure out who each person is and their contact. I can do it if needed, I am grateful this is being implemented at all, it was more food for thought. Again, I am so so so happy this day is here now.

I still don't quite follow. Couldn't you just wait for them to log in to Emby? At that point, the user in Emby will be created automatically once their LDAP authentication succeeds for the first time.

Posted

Luke, since that's another user, you will have lost statuses and other settings. I was more thinking about the possibility to link an LDAP account with an Emby account so that you use the LDAP to login to the already existing Emby account, hence keeping settings, etc. but using LDAP credentials.

 

 

Sent from my iPad using Tapatalk

  • Like 2
Posted

Luke, since that's another user, you will have lost statuses and other settings. I was more thinking about the possibility to link an LDAP account with an Emby account so that you use the LDAP to login to the already existing Emby account, hence keeping settings, etc. but using LDAP credentials.

 

 

Sent from my iPad using Tapatalk

 

I think on the manage user screen we'll probably have a way to set the login provider for that user. That would allow you to change an existing user to LDAP.

  • Like 1
Posted (edited)

I installed the LDAP plugin without configuring it yet, and it seems that the users that have the same Emby username as the AD account now have to log in with their AD password, where previously the password was blank. Is this expected behaviour?

 

Note:

 

 - The OS of the Emby server is Windows 10 Pro x64 (fully updated) and part of the domain

 - The NSSM service is running with a domain admin account, so there are no access issues with the Synology boxes (which are also part of the AD)

 - None of the Emby users that have an equivalent (Same account name in both) in AD are Emby admins

Edited by Dibbes
Posted

If they don't have an authentication provider assigned yet then it should try both.

Posted

If there was a "migrate" switch assigned to each user then Emby server could validate the login using the normal password in the DB and if successful reset the password in LDAP on behalf of the user.

 

That's the cleanest way I can think to do it.

  • Like 1
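
The login routing discussed in the posts above (a per-user login provider, trying both when none is assigned, and a "migrate" switch that copies a verified local password into LDAP), sketched as an added example that is not part of the original thread and not Emby's code. `FakeDirectory`, the user fields and the PBKDF2 local hash are assumptions made for illustration.

```python
import hashlib, hmac, os

def hash_pw(password, salt):
    # Assumed local scheme (salted PBKDF2); not Emby's actual hash format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class FakeDirectory:
    """Hypothetical in-memory stand-in for an LDAP server."""
    def __init__(self):
        self.passwords = {}  # toy store; a real directory hashes these
    def bind(self, name, password):
        stored = self.passwords.get(name)
        # An empty password would be an unauthenticated bind: refuse it.
        return bool(password) and stored is not None and \
            hmac.compare_digest(stored, password.encode())
    def set_password(self, name, password):
        self.passwords[name] = password.encode()

def make_user(name, password, provider=None, migrate=False):
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "hash": hash_pw(password, salt),
            "provider": provider, "migrate": migrate}

def check_local(user, password):
    # Blank passwords never pass here (a design choice of this sketch).
    return bool(password) and hmac.compare_digest(
        user["hash"], hash_pw(password, user["salt"]))

def login(user, password, directory):
    """Return which path accepted the login, or None if it was rejected."""
    if user["provider"] == "ldap":
        return "ldap" if directory.bind(user["name"], password) else None
    if user["migrate"] and check_local(user, password):
        # Local password verified: copy it to the directory, then switch
        # the account to LDAP and drop the local hash.
        directory.set_password(user["name"], password)
        user.update(provider="ldap", migrate=False, hash=None, salt=None)
        return "migrated"
    if user["provider"] == "local":
        return "local" if check_local(user, password) else None
    # No provider assigned yet: try the directory first, then local.
    if directory.bind(user["name"], password):
        return "ldap"
    return "local" if check_local(user, password) else None
```
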
  • 2 weeks later...
  • 3 weeks later...
Untoten
Posted

The beta looks to be going well. You can now configure default user permissions for newly imported LDAP users, and the change password function is now supported as well.

 

https://emby.media/community/index.php?/topic/56793-ldap-plugin/

 

Enjoy.

Although this is amazing, this request also encompasses SSO, as many users wanted that.  So it is >50% done but many of the supporters of this thread do so for SSO.  Not discounting your work, this is incredible and adds so many features that come from this, but just want to make it clear that this request is for both.

Posted

Thanks for the feedback.

Posted

Well you have to start somewhere.

  • 2 weeks later...
Untoten
Posted

Thanks for the feedback.

Can you change it from completed then lol

Posted

A new topic would probably be better, otherwise it's hard to assess the interest level for SSO vs LDAP. There could be a lot who are satisfied with what we've already done but that's difficult to measure.

  • Like 2