jellyfin-plugin-ldapauth's Introduction

Jellyfin LDAP-Auth Plugin

Part of the Jellyfin Project

About

LDAP authentication for Jellyfin Media Server. JelLDAP, if you will.

Authenticate your Jellyfin users against an LDAP database, and optionally create users who do not yet exist automatically.

Allows the administrator to customize most aspects of the LDAP authentication process, including customizable search attributes, username attribute, and a search filter for administrative users (set on user creation). The user, via the "Manual Login" process, can enter any valid attribute value, which will be mapped back to the specified username attribute automatically as well.
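
The mapping described above, as an added Python example (not the plugin's own code): it combines a configured user filter with an OR over the search attributes, escapes the entered login value per RFC 4515, and maps a matched entry back to the username attribute. All function names, the wrapping of a filter that lacks parentheses, and the sample values are assumptions made for the example.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute names are configuration, not user input, but a typo such as
# "cn)(x" would still corrupt every filter built from them.
_ATTRIBUTE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape a login value so it can only ever be a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_attributes(raw):
    """Split a comma-separated attribute list ("uid, cn, mail") and validate it."""
    attrs = [part.strip() for part in raw.split(",") if part.strip()]
    for attr in attrs:
        if not _ATTRIBUTE.match(attr):
            raise ValueError(f"not a valid attribute name: {attr!r}")
    if not attrs:
        raise ValueError("no search attributes configured")
    return attrs


def build_user_filter(user_filter, search_attributes, login):
    """AND the configured user filter with an OR over every search attribute."""
    value = escape_filter_value(login)
    if not value:
        raise ValueError("empty login value")
    # Assumption of this example: a filter written without parentheses is wrapped.
    base = user_filter if user_filter.startswith("(") else f"({user_filter})"
    alternatives = "".join(f"({attr}={value})" for attr in parse_attributes(search_attributes))
    return f"(&{base}(|{alternatives}))"


def canonical_username(entry, username_attribute):
    """Map a matched entry back to the one attribute used as the account name."""
    for name, values in entry.items():
        if name.lower() == username_attribute.lower() and values:
            return values[0]
    raise LookupError(f"entry has no {username_attribute!r} attribute")


if __name__ == "__main__":
    # Constructed inputs: a login by mail address, then one made of filter metacharacters.
    print(build_user_filter("(objectClass=inetOrgPerson)", "uid, cn, mail", "user@example.org"))
    print(build_user_filter("(objectClass=inetOrgPerson)", "uid, cn, mail", "*)(uid=*"))
    entry = {"uid": ["testuser"], "mail": ["user@example.org"]}  # constructed search result
    print(canonical_username(entry, "uid"))
```

Without the escaping step, a `*` typed into the login field would act as a wildcard and parentheses would change the structure of the filter.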

Installation

See the official documentation for install instructions.

Build

  1. To build this plugin you will need .NET 6.x.

  2. Build the plugin with the following command:

     dotnet publish --configuration Release --output bin

  3. Place the dll file in the plugins/ldapauth folder of your JF install (you might need to create the folders).

Releasing

To release the plugin we recommend JPRM, which will build and package the plugin. For additional context, and for how to add the packaged plugin zip to a plugin manifest, see the JPRM documentation.

Contributing

We welcome all contributions and pull requests! If you have a larger feature in mind please open an issue so we can discuss the implementation before you start. In general refer to our contributing guidelines for further information.

Licence

This plugin's code and packages are distributed under the MIT License. See LICENSE for more information.

jellyfin-plugin-ldapauth's People

Contributors

1337joe, alanbaumgartner, anthonylavado, bobonium, bond-009, crobibero, cvium, cyberb, dependabot[bot], dkanada, gtbuchanan, h1dden-da3m0n, jellyfin-bot, jketreno, joshuaboniface, joshuahassler, kay0u, logicalphallacy, methbkts, mstrhakr, oddstr13, radiicall, robobenklein, sanserogames, sdimovv, tam1m, wiiplayer2

jellyfin-plugin-ldapauth's Issues

v14 disabled on JF 10.7.7

I was having issues getting version 12 set up on my freshly installed Jellyfin Server 10.7.7, I was getting failure to bind errors. I was attempting to use version 14 as it includes options to test and list users but any attempt to install by copying the folder to the plugins directory causes it to return an error, "This plugin has no settings to configure."

Checking the logs, it appears as if the plugin is disabled,
[2021-12-19 05:32:42.019 -06:00] [INF] [1] Emby.Server.Implementations.Plugins.PluginManager: Skipping disabled plugin "14.0.0.0" of "LDAP Authentication"

But within the Jellyfin UI it shows enabled and I can not change it.

Upgrade to Jellyfin v10.7.0 breaks LDAP plugin

Using docker-compose, I just changed the Jellyfin version and restarted.
LDAP login is not working anymore. The plugin is disabled by Jellyfin at boot.
Here are my logs:

jellyfin_1     | [08:15:51] [INF] Loading assemblies
jellyfin_1     | [08:15:51] [INF] Loaded assembly LDAP-Auth, Version=9.0.0.0, Culture=neutral, PublicKeyToken=null from /config/plugins/LDAP Authentication/LDAP-Auth.dll
jellyfin_1     | [08:15:51] [INF] Loaded assembly Novell.Directory.Ldap.NETStandard, Version=3.2.0.0, Culture=neutral, PublicKeyToken=null from /config/plugins/LDAP Authentication/Novell.Directory.Ldap.NETStandard.dll
jellyfin_1     | [08:15:51] [INF] Loaded assembly Jellyfin.Plugin.OpenSubtitles, Version=9.0.0.0, Culture=neutral, PublicKeyToken=null from /config/plugins/Open Subtitles/Jellyfin.Plugin.OpenSubtitles.dll
jellyfin_1     | [08:15:51] [INF] Loaded assembly OpenSubtitlesHandler, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null from /config/plugins/Open Subtitles/OpenSubtitlesHandler.dll
jellyfin_1     | [08:15:51] [ERR] Failed to load assembly /config/plugins/Playback Reporting/Jellyfin.Plugin.PlaybackReporting.dll. This error occurs when a plugin references an incompatible version of one of the shared libraries. Disabling plugin.
jellyfin_1     | System.TypeLoadException: Could not load type 'MediaBrowser.Model.Services.IReturn`1' from assembly 'MediaBrowser.Model, Version=10.7.0.0, Culture=neutral, PublicKeyToken=null'.
jellyfin_1     |    at System.Reflection.RuntimeAssembly.GetExportedTypes()
jellyfin_1     |    at Emby.Server.Implementations.Plugins.PluginManager.LoadAssemblies()+MoveNext()
jellyfin_1     | [08:15:51] [ERR] Failed to load assembly /config/plugins/Reports/Jellyfin.Plugin.Reports.dll. This error occurs when a plugin references an incompatible version of one of the shared libraries. Disabling plugin.
jellyfin_1     | System.TypeLoadException: Could not load type 'MediaBrowser.Model.Services.IReturn`1' from assembly 'MediaBrowser.Model, Version=10.7.0.0, Culture=neutral, PublicKeyToken=null'.
jellyfin_1     |    at System.Reflection.RuntimeAssembly.GetExportedTypes()
jellyfin_1     |    at Emby.Server.Implementations.Plugins.PluginManager.LoadAssemblies()+MoveNext()
jellyfin_1     | [08:15:51] [ERR] Failed to load assembly /config/plugins/Trakt/Trakt.dll. This error occurs when a plugin references an incompatible version of one of the shared libraries. Disabling plugin.
jellyfin_1     | System.TypeLoadException: Could not load type 'MediaBrowser.Model.Services.IService' from assembly 'MediaBrowser.Model, Version=10.7.0.0, Culture=neutral, PublicKeyToken=null'.
jellyfin_1     |    at System.Reflection.RuntimeAssembly.GetExportedTypes()
jellyfin_1     |    at Emby.Server.Implementations.Plugins.PluginManager.LoadAssemblies()+MoveNext()
jellyfin_1     | [08:15:52] [ERR] DI Loop detected in the attempted creation of Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin
jellyfin_1     | [08:15:52] [ERR] Called from: Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin
jellyfin_1     | [08:15:52] [ERR] Error creating Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin
jellyfin_1     | System.Runtime.InteropServices.ExternalException (0x80004005): DI Loop detected.
jellyfin_1     |    at Emby.Server.Implementations.ApplicationHost.CreateInstanceSafe(Type type)
jellyfin_1     |    at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
jellyfin_1     |    at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext()
jellyfin_1     |    at System.Linq.Enumerable.CastIterator[TResult](IEnumerable source)+MoveNext()
jellyfin_1     |    at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
jellyfin_1     |    at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
jellyfin_1     |    at Emby.Server.Implementations.ApplicationHost.GetExports[T](Boolean manageLifetime)
jellyfin_1     |    at Jellyfin.Server.Implementations.Users.UserManager..ctor(JellyfinDbProvider dbProvider, IEventManager eventManager, ICryptoProvider cryptoProvider, INetworkManager networkManager, IApplicationHost appHost, IImageProcessor imageProcessor, ILogger`1 logger)
jellyfin_1     |    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
jellyfin_1     |    at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitConstructor(ConstructorCallSite constructorCallSite, RuntimeResolverContext context)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSiteMain(ServiceCallSite callSite, TArgument argument)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitCache(ServiceCallSite callSite, RuntimeResolverContext context, ServiceProviderEngineScope serviceProviderEngine, RuntimeResolverLock lockType)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitRootCache(ServiceCallSite singletonCallSite, RuntimeResolverContext context)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSite(ServiceCallSite callSite, TArgument argument)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.Resolve(ServiceCallSite callSite, ServiceProviderEngineScope scope)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceLookup.DynamicServiceProviderEngine.<>c__DisplayClass1_0.<RealizeService>b__0(ServiceProviderEngineScope scope)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngine.GetService(Type serviceType, ServiceProviderEngineScope serviceProviderEngineScope)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngine.GetService(Type serviceType)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ServiceProvider.GetService(Type serviceType)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ActivatorUtilities.ConstructorMatcher.CreateInstance(IServiceProvider provider)
jellyfin_1     |    at Microsoft.Extensions.DependencyInjection.ActivatorUtilities.CreateInstance(IServiceProvider provider, Type instanceType, Object[] parameters)
jellyfin_1     |    at Emby.Server.Implementations.ApplicationHost.CreateInstanceSafe(Type type)
jellyfin_1     | [08:15:54] [INF] Loaded plugin: Open Subtitles 9.0.0.0

[BUG] LDAP authentication not working properly

System

OS : Debian 10
Jellyfin version : 10.5.0
LDAP plugin version : 6.0.0
I'm using OpenLDAP default Debian package.

Description

Fields filled as follows:

  • LDAP server : 192.168.0.xx
  • LDAP base DN : ou=People,dc=domain,dc=tld
  • LDAP port : 389
  • LDAP attributes : uid
  • LDAP Name attribute : uid
  • LDAP user Filter : (objectClass=inetOrgPerson)
  • LDAP Admin Filter : (enabledService=JellyfinAdministrator)
  • LDAP Bind User : cn=user,dc=domain,dc=tld
  • LDAP Bind User Password : xxxxxxxxxx

This setup is working when my user's RDN identifier is "cn" (cn=Name LastName,ou=People,dc=domain,dc=tld), but it is not working when I use "uid" (uid=pseudo,ou=People,dc=le43,dc=eu) as RDN identifier. I really don't know if I'm doing something wrong, please tell me if I am.

The only error message I'm getting is:
[2020-03-23 17:54:36.822 +01:00] [ERR] Error processing request: "[192.168.0.254] Invalid username or password entered."

Thanks a lot.

Can not work with the Windows AD

Jellyfin ver: 10.7.7
server: windows 10 x64

config file

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <LdapServer>10.30.0.6</LdapServer>
  <LdapBaseDn>OU=vser,DC=wt,DC=local</LdapBaseDn>
  <LdapPort>389</LdapPort>
  <LdapSearchAttributes>uid, cn, mail, displayName</LdapSearchAttributes>
  <LdapUsernameAttribute>cn</LdapUsernameAttribute>
  <LdapSearchFilter>(memberOf=CN=jellyfin_users,OU=vser,DC=wt,DC=local)</LdapSearchFilter>
  <LdapAdminFilter>(memberOf=CN=vserver,OU=vser,DC=wt,DC=local)</LdapAdminFilter>
  <LdapBindUser>CN=vserver,OU=vser,DC=wt,DC=local</LdapBindUser>
  <LdapBindPassword>passwd</LdapBindPassword>
  <CreateUsersFromLdap>true</CreateUsersFromLdap>
  <UseSsl>false</UseSsl>
  <UseStartTls>false</UseStartTls>
  <SkipSslVerify>false</SkipSslVerify>
  <EnableCaseInsensitiveUsername>false</EnableCaseInsensitiveUsername>
</PluginConfiguration>

err log
[2021-09-12 20:21:48.499 +08:00] [ERR] [15] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Found no users matching "chenmo" in LDAP search
[2021-09-12 20:21:48.502 +08:00] [ERR] [15] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider "LDAP-Authentication"
MediaBrowser.Controller.Authentication.AuthenticationException: Found no LDAP users matching provided username.
at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.LocateLdapUser(String username)
at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.Authenticate(String username, String password)
at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2021-09-12 20:21:48.505 +08:00] [ERR] [15] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider "Default"
MediaBrowser.Controller.Authentication.AuthenticationException: Specified user does not exist.
at Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2021-09-12 20:21:48.506 +08:00] [INF] [15] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "chenmo" has been denied (IP: "192.168.16.186").
[2021-09-12 20:21:48.509 +08:00] [ERR] [15] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request: "Invalid username or password entered". URL "POST" "/Users/authenticatebyname".
[2021-09-12 20:21:58.953 +08:00] [INF] [19] Emby.Server.Implementations.Session.SessionWebSocketListener: Sending ForceKeepAlive message to 1 inactive WebSockets.
[2021-09-12 20:21:58.959 +08:00] [INF] [19] Emby.Server.Implementations.Session.SessionWebSocketListener: Lost 1 WebSockets.
[2021-09-12 20:22:10.969 +08:00] [INF] [19] Emby.Server.Implementations.Session.SessionWebSocketListener: Lost 1 WebSockets.
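
A configuration check for files of the kind quoted in the report above, as an added Python example that is not part of the issue or of the plugin. It reads the element names at face value (`UseSsl`, `UseStartTls`, `SkipSslVerify`, the two filters, the bind user) and reports transport, filter-syntax and bind-account findings; the sample values, severity labels and the list of privileged account names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: element names as in the configuration quoted above, values made up.
WEAK_CONFIG = """
<PluginConfiguration>
  <LdapServer>ldap.example.internal</LdapServer>
  <LdapBaseDn>dc=example,dc=internal</LdapBaseDn>
  <LdapPort>389</LdapPort>
  <LdapSearchAttributes>uid, cn, mail</LdapSearchAttributes>
  <LdapUsernameAttribute>uid</LdapUsernameAttribute>
  <LdapSearchFilter>objectClass=person</LdapSearchFilter>
  <LdapAdminFilter>(enabledService=JellyfinAdministrator</LdapAdminFilter>
  <LdapBindUser>cn=manager,dc=example,dc=internal</LdapBindUser>
  <LdapBindPassword>not-a-real-password</LdapBindPassword>
  <CreateUsersFromLdap>true</CreateUsersFromLdap>
  <UseSsl>false</UseSsl>
  <UseStartTls>false</UseStartTls>
  <SkipSslVerify>true</SkipSslVerify>
</PluginConfiguration>
"""

# The same file after fixing every finding (constructed; the service account name is made up).
HARDENED_CONFIG = (
    WEAK_CONFIG.replace("<UseStartTls>false", "<UseStartTls>true")
    .replace("<SkipSslVerify>true", "<SkipSslVerify>false")
    .replace("<LdapSearchFilter>objectClass=person<", "<LdapSearchFilter>(objectClass=person)<")
    .replace("JellyfinAdministrator<", "JellyfinAdministrator)<")
    .replace("cn=manager,", "cn=jellyfin-ro,ou=services,")
)

# Assumption: bind DNs whose first RDN value is one of these are directory administrators.
PRIVILEGED_NAMES = {"manager", "admin", "administrator", "root"}


def _text(root, key):
    node = root.find(key)
    return (node.text or "").strip() if node is not None else ""


def _flag(root, key):
    return _text(root, key).lower() == "true"


def filter_problem(expr):
    """Describe a structural problem in an LDAP filter string, or return None."""
    depth = 0
    for index, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "has an unmatched ')'"
            if depth == 0 and index != len(expr) - 1:
                return "has text after the first complete filter"
    if depth > 0:
        return "has an unmatched '('"
    if not expr.startswith("("):
        return "is not enclosed in parentheses"
    return None


def audit_config(xml_text):
    """Return (severity, element, message) findings for one plugin configuration."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    use_ssl, start_tls = _flag(root, "UseSsl"), _flag(root, "UseStartTls")
    if not (use_ssl or start_tls):
        findings.append(("high", "UseSsl/UseStartTls",
                         "no TLS: simple binds send passwords over the network in clear text"))
    if _flag(root, "SkipSslVerify"):
        findings.append(("high", "SkipSslVerify",
                         "server certificate is not validated, so TLS does not authenticate the LDAP server"))
    port = _text(root, "LdapPort")
    if (use_ssl and port == "389") or (not use_ssl and port == "636"):
        findings.append(("info", "LdapPort",
                         "port and UseSsl disagree with the usual 389 (LDAP/StartTLS) and 636 (LDAPS)"))
    for key in ("LdapSearchFilter", "LdapAdminFilter"):
        expr = _text(root, key)
        problem = filter_problem(expr) if expr else None
        if problem:
            findings.append(("medium", key, f"filter {problem}: {expr}"))
    first_rdn_value = _text(root, "LdapBindUser").split(",", 1)[0].split("=", 1)[-1].strip().lower()
    if first_rdn_value in PRIVILEGED_NAMES:
        findings.append(("medium", "LdapBindUser",
                         "bind DN looks like a directory administrator; searching only needs read access"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for severity, key, message in audit_config(text):
            print(f"  [{severity}] {key}: {message}")
```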

User creation on signin fails from external (non LAN) connections

I'm curious if the plugin is running from the backend or from the web frontend for authentication. I have it configured to use a local address, but this seems to fail, I've not been able to test locally today, but externally it fails.

 <LdapServer>192.168.1.61</LdapServer>
 <LdapBaseDn>dc=example,dc=com</LdapBaseDn>
 <LdapPort>390</LdapPort>
 <LdapSearchAttributes>uid,cn</LdapSearchAttributes>
 <LdapUsernameAttribute>cn</LdapUsernameAttribute>
 <LdapSearchFilter>objectClass=person</LdapSearchFilter>
 <LdapAdminFilter>enabledService=JellyfinAdministrator</LdapAdminFilter>
 <LdapBindUser>cn=manager,dc=example,dc=com</LdapBindUser>
 <LdapBindPassword>*******</LdapBindPassword>
 <CreateUsersFromLdap>true</CreateUsersFromLdap>
 <UseSsl>false</UseSsl>  <!-- If it's connecting from the front end then I'll need to set this up -->

When trying to sign in with an LDAP user that does not yet have an account the following message is given:

Connection Failure
We're unable to connect to the selected server right now. Please ensure it is running and try again.

This is what leads me to think that the plugin is trying to contact LDAP from the frontend UI and not the backend, if I'm mistaken I apologize for opening the issue, though I would love some guidance if I'm just setting this up incorrectly.

System.TypeLoadException: Method 'HasPassword' in type

Getting this after update to 10.6.0 and 6.0.0.0

[2020-07-28 02:32:10.470 +03:00] [INF] [1] Emby.Server.Implementations.ApplicationHost: Loading assemblies
[2020-07-28 02:32:10.570 +03:00] [INF] [1] Emby.Server.Implementations.ApplicationHost: Loaded assembly "LDAP-Auth, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null" from "/var/lib/jellyfin/plugins/LDAP Authentication/LDAP-Auth.dll"
[2020-07-28 02:32:10.571 +03:00] [ERR] [1] Emby.Server.Implementations.ApplicationHost: Error loading types from "LDAP-Auth, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null".
System.TypeLoadException: Method 'HasPassword' in type 'Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin' from assembly 'LDAP-Auth, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null' does not have an implementation.
   at System.Reflection.RuntimeAssembly.GetExportedTypes()
   at Emby.Server.Implementations.ApplicationHost.GetTypes(IEnumerable`1 assemblies)+MoveNext() in /mnt/AUR/jellyfin/src/jellyfin-10.6.0/Emby.Server.Implementations/ApplicationHost.cs:line 865

Won't accept credentials of LDAP user

I'm trying to setup this plugin currently. Installed correctly, configured connection info through the web UI with the same data as is working fine on other applications connecting to LDAP.

However, no matter what I do, when trying to login with a user available on the LDAP instance, Jellyfin just reports Invalid username or password.

The log doesn't indicate it's even checking LDAP...

Emby.Server.Implementations.HttpServer.HttpListenerHost: Error processing request: [<ip redacted>] Invalid username or password entered.

Add a Test button on the settings page?

I am pretty new to using LDAP applications for my local domain, because of this it takes me a little trial and error to figure out what some of these fields need or what I am actually looking for.
For the LDAP plugin in NextCloud as an example they include a "Test" button for fields similar to user search settings, for instance you click Test and it'll return, "Found X users." This both lets you know if you entered the right settings overall to return users and gives you a count to let you know it is the right group. They also have a "Search for User" field so you can trial different attributes like DisplayName or Email and see if it can find the user.

Error LDAP Windows server 2016

Hi, I have problems using this plugin. My domain controller is a Windows Server 2016. The error it gives me in the logs is as follows. Jellyfin is exposed through a reverse proxy. I do not know if that would have something to do with it? I have a very similar configuration in nextcloud and it works.
It is also possible that I have something wrong configured.
Many thanks.
[2019-05-27 10:51:44.636 +00:00] [INF] ExecuteQueuedTasks
[2019-05-27 10:52:26.054 +00:00] [ERR] Error authenticating with provider "LDAP-Authentication"
LdapReferralException: Search result reference received, and referral following is off (10) Referral
LdapReferralException: Referral: ldap://ForestDnsZones.castejon.lo/DC=ForestDnsZones,DC=castejon,DC=lo
[2019-05-27 10:52:26.059 +00:00] [ERR] Error authenticating with provider "Default"
System.Exception: Invalid username or password
   at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2019-05-27 10:52:26.063 +00:00] [ERR] Invalid username or password entered.

New Release

Since the current release version (6.0) of the plugin is (apparently) incompatible with the current version of Jellyfin (10.6.0), might it be time to push a new release and add it to the catalogue repo?

STARTTLS no longer working

Seems that there are a few lines missing from the original STARTTLS merge

Specifically new line 126 for LDAP-Auth/LDAPAuthenticationProviderPlugin.cs is missing and causes the bind to fail with no TLS.

ldapClient.StartTls();

Once I manually put it back in, TLS started working again.

Can it be merged again properly?

20200815.11-unstable does not start with LDAP plugin

Describe the bug
After upgrading to current unstable version of jellyfin if LDAP plugin is enabled the server will not start

System (please complete the following information):

  • OS: Debian 10 Buster
  • Virtualization: LXC on Proxmox
  • Clients: usually browser or jftui, but it does not matter
  • Browser: not relevant
  • Jellyfin Version: 20200815.11-unstable
  • Playback: not related
  • Installed Plugins: Anime, LDAP-Auth, AudioDB, MusicBrainz, OMDb, TheTVDB
  • Reverse Proxy: nginx
  • Base URL: /jellyfin/
  • Networking: host in LAN
  • Storage: local

To Reproduce

  1. Have LDAP plugin enabled on version 10.6.2
  2. Update to nightly version
  3. Start the server
  4. See error

Expected behavior
Server starts up properly

Logs

Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] User Interactive: True
Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] Processor count: 6
Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] Program data path: /var/lib/jellyfin
Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] Web resources path: /usr/share/jellyfin/web
Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] Application directory: /usr/lib/jellyfin/bin/
Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] Setting cache path: /var/cache/jellyfin
Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] Loading assemblies
Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] Loaded assembly Jellyfin.Plugin.Anime, Version=9.0.0.0, Culture=neutral, PublicKeyToken=null from /var/lib/jellyfin/plugins/Anime/Jellyfin.Plugin.Anime.dll
Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] Loaded assembly Novell.Directory.Ldap.NETStandard, Version=3.2.0.0, Culture=neutral, PublicKeyToken=null from /var/lib/jellyfin/plugins/LDAP Authentication/Novell.Directory.Ldap.NETStandard.dll
Aug 15 16:24:26 megumin2 jellyfin[941]: [16:24:26] [INF] Loaded assembly LDAP-Auth, Version=9.0.0.0, Culture=neutral, PublicKeyToken=null from /var/lib/jellyfin/plugins/LDAP Authentication/LDAP-Auth.dll

(hangs here forever)

Additional context
Removing LDAP plugin causes the server to start properly but trying to reinstall it again will result in the same problem.

Issue with SSL auth

Hi,

I am trying to get Jellyfin to use the Synology LDAP server as authentication provider.

The setup is as follows:
LDAP Server:

  • Running on Synology server
  • Set up to use SSL on port 636
  • Using a Let's Encrypt cert
  • Ports not exposed to the public internet (only to the local network)

Jellyfin:

  • Running on the Synology server via docker (tag latest)
  • LDAP plugin version 12
  • network: bridge
  • can reach the LDAP server on both ports 389 and 636 using the host IP (192.168.XXX.XXX)

If I configure the LDAP plugin to connect without SSL - everything works. I can login by using user credentials stored in the LDAP server.

However, if I select the "Secure LDAP" checkbox it saves fine, but I cannot login using LDAP stored credentials.

At first I thought this is because the SSL/TLS Verification fails (because I am using a local IP while the SSL cert is issued to the server domain), so I checked the "Skip SSL/TLS Verification" box as well - still nothing.

I then tried manually adding an entry to the hosts file of the running docker container:

$ docker exec -it container_id bash
container_id$ echo "192.168.XXX.XXX the.server.domain" >> /etc/hosts

Still nothing with or without the "Skip SSL/TLS Verification" option.

Finally with the following setup:

  1. Local IP & ports reachable
  2. Container's /etc/hosts modified to redirect the cert domain to the local IP
  3. "Skip SSL/TLS Verification" option checked
  4. "Secure LDAP" checked
  5. Correct port selected (636)
  6. Correct LDAP Base DN & Bind DN

I read the logs, and this is the error:

[ERR] [27] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Failed to Connect or Bind to server
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
   at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port, Int32 semaphoreId)
   at Novell.Directory.Ldap.Connection.Connect(String host, Int32 port)
   at Novell.Directory.Ldap.LdapConnection.Connect(String host, Int32 port)
   at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.LocateLdapUser(String username)

How can I fix this?

Edit: Just noticed the OpenSSL versions of the Synology server and Jellyfin container are quite different (1.0.2 vs 1.1.1). Could that be causing it?

windows host lacks xml config file?

Can't find the config file anywhere. There is a JSON file, but it lacks parameters for LDAP configuration. Is this a bug? A failure to create the configuration directory?

Entered user value should be overridden by plugin

This may require changes to the core authentication subsystem, but:

In testing the plugin, I noticed a bug. Imagine a user with the mail LDAP attribute [email protected], and the uid of testuser. With the changes in #3, they enter the mail attribute in the user login field. Authentication happens, and the plugin creates a new user by using the uid value. However when the authentication request is returned to the core code, it still thinks the new user should be the mail value entered in the login dialog, rather than the uid. This results in duplicate users, with the uid one not having any password or authentication.

I think it should be possible for an authentication provider to override what the user entered as their "username" and use the value provided by the plugin. For this particular case, the LDAP field designated as the "username", though the principle would apply to any future hypothetical authentication plugin as well. This will provide the ability to use arbitrary LDAP fields when logging in but ending up with a single, consistent user.

Configuration not saved after the "save" button is pressed

After updating to jellyfin 10.6 and LDAP-Auth 8.0, I can't seem to be able to change the configuration through the web ui. Changes to /var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml are still properly reflected in the ui (after a refresh).

Things Tried

  1. I've tried reinstalling LDAP-Auth but the issue is unchanged.
  2. Deleting the config doesn't help either and a new config is never generated.
  3. No difference in behavior between local access and remote access through a reverse proxy.

Logs

The jellyfin logs don't offer much guidance as to what is going wrong. A sample of the logs at the time the "save" button is pressed:

[2020-07-21 18:53:40.009 +00:00] [INF] WS "::ffff:10.0.0.2" request
[2020-07-21 18:53:52.835 +00:00] [INF] WS "::ffff:10.0.0.2" closed
[2020-07-21 18:53:53.326 +00:00] [INF] WS "::ffff:10.0.0.2" request
[2020-07-21 18:53:55.013 +00:00] [INF] WS "::ffff:10.0.0.2" closed
[2020-07-21 18:53:55.409 +00:00] [INF] WS "::ffff:10.0.0.2" request

Error taken from the chrome web console. The error is thrown when the configuration page is loaded:

VM228:41 Uncaught TypeError: Cannot read property 'addEventListener' of null
    at <anonymous>:41:48
    at w (bundle.js?v=21:14)
    at We (bundle.js?v=21:25)
    at k.fn.init.append (bundle.js?v=21:25)
    at k.fn.init.k.each.k.fn.<computed> [as appendTo] (bundle.js?v=21:25)
    at viewContainer.js?v=21:1
    at Object.execCb (alameda.js:1233)
    at defineModule (alameda.js:493)
    at main (alameda.js:1087)
    at alameda.js:363

Setup

Debian 10 running inside a LXC container

LDAP Authentication plugin won't install

System

  • OS: Ubuntu 18.04
  • Jellyfin Version: 10.6.4 (dockerized)
  • LDAP Plugin version: 10.0.0
  • I'm using OpenLDAP standard package provided by Ubuntu

Symptoms

Attempting to install the LDAP Auth plugin through the dashboard fails with the following error:

jellyfin                | [01:00:01] [ERR] [42] Emby.Server.Implementations.HttpServer.HttpListenerHost: Error processing request. URL: http://192.168.201.3:8097/Packages/Installed/LDAP Authentication?AssemblyGuid=958aad66-3784-4d2a-b89a-a7b6fab6e25c&version=10.0.0.0
jellyfin                | MediaBrowser.Common.Extensions.ResourceNotFoundException: Package not found: LDAP Authentication
jellyfin                |    at MediaBrowser.Api.PackageService.Post(InstallPackage request)
jellyfin                |    at Emby.Server.Implementations.Services.ServiceExecGeneral.GetTaskResult(Task task)
jellyfin                |    at Emby.Server.Implementations.Services.ServiceHandler.ProcessRequestAsync(HttpListenerHost httpHost, IRequest httpReq, HttpResponse httpRes, ILogger logger, CancellationToken cancellationToken)
jellyfin                |    at Emby.Server.Implementations.HttpServer.HttpListenerHost.RequestHandler(IHttpRequest httpReq, String urlString, String host, String localPath, CancellationToken cancellationToken)

The repository currently in used is the default, https://repo.jellyfin.org/releases/plugin/manifest-stable.json and I can get to the relevant plugin files using my browser at https://tor1.mirror.jellyfin.org/releases/plugin/ldap-authentication/.

Previously I had installed a custom-built fork of this plugin to allow StartTLS connections against my LDAP server but that isn't working in the new version of Jellyfin either (may file a separate bug for that). I'd like to install the regular version of the plugin to see if the StartTLS fix that made it to master ever got released so I can use LDAP again.

Thanks.

Header Authentication

Although slightly beyond the scope of this plugin, it would insanely improve its usefulness if it would include Header Authentication.

What is header auth?
Proxy does auth, if successful sets header "X-Forwarded-User" = "username"
Webserver gets username and logs in the user without password.

Configuration fails to load

Configuration fails to populate until another page loads the required javascript.

VM263:9 Uncaught TypeError: Dashboard.showLoadingMsg is not a function
    at HTMLDivElement.<anonymous> (<anonymous>:9:27)
    at HTMLDivElement.dispatch (bundle.js?v=10.4.3:39)
    at HTMLDivElement.m.handle (bundle.js?v=10.4.3:39)
    at onViewChange (viewManager.js?v=10.4.3:65)
    at viewManager.js?v=10.4.3:151

Jellyfin: 10.4.3
LDAP-auth: 6

LDAP Auth username is case sensitive

Hello,

Thank you for the plugin, it's great not to have to have Emby Premium.

I am using this with MS Active Directory. When logging in, the username is case sensitive and I can't disable that, I believe that this should not be default behaviour as in LDAP it is generally all case insensitive.

My config is below:

LDAP Base DN for searches:
OU=Users,OU=HQ,DC=ad,DC=domain,DC=co,DC=uk

LDAP Attributes:
sAMAccountName, mail

LDAP Name Attribute:
sAMAccountName

LDAP User Filter:
(&(memberof:1.2.840.113556.1.4.1941:=CN=HQUsers,OU=Groups,OU=HQ,DC=ad,DC=domain,DC=co,DC=uk)(objectCategory=person)(objectClass=user)(!(objectclass=computer)))

LDAP Admin Filter:
(memberof:1.2.840.113556.1.4.1941:=CN=MediaAdmins,OU=Groups,OU=HQ,DC=ad,DC=domain,DC=co,DC=uk)

LDAP Bind User:
CN=Jellyfin,OU=Service Accounts,OU=HQ,DC=ad,DC=domain,DC=co,DC=uk

Also the error when a user who doesn't exist or the password is wrong isn't very helpful for end users, maybe it could be a normal invalid username or password?

Connection Failure
We're unable to connect to the selected server right now. Please ensure it is running and try again.

Many thanks

LDAP not working up 1.000 users

When you have more than a thousand users the error is displayed and it is not possible to login with any ldap user

ERROR:
[15:29:41] [ERR] [25] Emby.Server.Implementations.HttpServer.HttpListenerHost: Error processing request. URL: http://localhost/Users/authenticatebyname
LdapException: Sizelimit Exceeded (4) Sizelimit Exceeded

System (please complete the following information):

  • OS: Linux Ubuntu
  • Virtualization: Docker
  • Clients: All
  • Jellyfin Version: 10.5.5
  • Installed Plugins: LDAP v6
  • Reverse Proxy: nginx

All Settings Disappear in 6.0 on a reboot

Running Plugin version 6.0 on server version 10.4.3, after entering all of my settings then restarting the server all of the settings disappear. I also noticed if I leave any settings blank, including the field LDAP Bind User which can be blank in some cases, it'll enter examples automatically instead of just leaving it blank. The auto-filled LDAP Admin Filter option also seems to be an incorrect example: "(enabledService=JellyfinAdministrator"

[bug] Allow To Turn Off SSL Cert Verify

  • Windows 10 64 bit
  • JellyFin 10.5.5 fresh install
  • Trying to login with AD user
  • Samba 4.9.8 as AD DC controller, single domain
  • Default SAMBA generated SSL cert (self-signed)

Error:

[2020-06-12 22:21:47.919 -06:00] [ERR] [15] Emby.Server.Implementations.HttpServer.HttpListenerHost: Error processing request. URL: "http://192.168.1.100:8096/Users/authenticatebyname"
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.Authenticate(String username, String password)
at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
at Emby.Server.Implementations.Library.UserManager.AuthenticateLocalUser(String username, String password, String hashedPassword, User user, String remoteEndPoint)
at Emby.Server.Implementations.Library.UserManager.AuthenticateUser(String username, String password, String hashedPassword, String remoteEndPoint, Boolean isUserSession)
at Emby.Server.Implementations.Session.SessionManager.AuthenticateNewSessionInternal(AuthenticationRequest request, Boolean enforcePassword)
at MediaBrowser.Api.UserService.Post(AuthenticateUserByName request)
at Emby.Server.Implementations.Services.ServiceExecGeneral.GetTaskResult(Task task)
at Emby.Server.Implementations.Services.ServiceHandler.ProcessRequestAsync(HttpListenerHost httpHost, IRequest httpReq, HttpResponse httpRes, ILogger logger, CancellationToken cancellationToken)
at Emby.Server.Implementations.HttpServer.HttpListenerHost.RequestHandler(IHttpRequest httpReq, String urlString, String host, String localPath, CancellationToken cancellationToken)


Please add a setting to disable SSL validation. Since this is an internal domain only, I won't be adding a valid CA validated certificate.

SAMBA is running with Server 2008 level and requires SSL to connect to the controller so there is no other option to use.

Override the "forgot password" functionality?

New to Jellyfin plugins. Is it possible for plugins to override the default "forgot password" functionality?

Since users from LDAP aren't managed by Jellyfin, having the "forgot password" button go through the normal flow isn't useful. It would be better if there was some way to hook into it, detect that the username entered is LDAP-managed, and redirect the user to a URL where they can reset their LDAP password instead.

Feel free to close this if it's not possible.

Restricting access to libraries for LDAP-Users not listed in Admin page

Hi there,
I noticed that after a fresh installation (for whatever reason) and configuring the LDAP Plugin, users only show up after their initial login, which makes it impossible to configure the access to the libraries.
Valid for all versions, even for LDAP-Auth 12.0.0.0

As an admin I'd like to control visibility of libraries for all LDAP-Users, especially for those who are not listed in the Admin-Users-Page, in order to prevent unwanted access to certain libraries.

Example would be

| LDAP-User | visible on the Jellyfin Admin-Users-Page | libraries | restricted libraries | User can access media from? |
| --- | --- | --- | --- | --- |
| Ben | true | Music, TV-Series, Films | Films | Music, TV-Series |
| Sally | false | Music, TV-Series, Films | Music | TV-Series, Films |

Plugin not loading on Jellyfin 10.6.4

I can't get the plugin to load inside a Debian Buster LXC container, it seems like dependencies are missing.

The Jellyfin installation is almost fresh.

Am I missing something?

Thanks in advance.

Here are the logs:

[2020-12-15 20:55:00.145 +00:00] [INF] Environment Variables: ["[JELLYFIN_ARGS, $JELLYFIN_WEB_OPT $JELLYFIN_RESTART_OPT $JELLYFIN_FFMPEG_OPT $JELLYFIN_SERVICE_OPT $JELLYFIN_NOWEBAPP_OPT]", "[JELLYFIN_CACHE_DIR, /var/cache/jellyfin]", "[JELLYFIN_CONFIG_DIR, /etc/jellyfin]", "[JELLYFIN_USER, jellyfin]", "[JELLYFIN_FFMPEG_OPT, --ffmpeg=/usr/lib/jellyfin-ffmpeg/ffmpeg]", "[JELLYFIN_WEB_OPT, --webdir=/usr/share/jellyfin/web]", "[JELLYFIN_RESTART_OPT, --restartpath=/usr/lib/jellyfin/restart.sh]", "[JELLYFIN_LOG_DIR, /var/log/jellyfin]", "[JELLYFIN_DATA_DIR, /var/lib/jellyfin]"]
[2020-12-15 20:55:00.150 +00:00] [INF] Arguments: ["/usr/lib/jellyfin/bin/jellyfin.dll", "--webdir=/usr/share/jellyfin/web", "--restartpath=/usr/lib/jellyfin/restart.sh", "--ffmpeg=/usr/lib/jellyfin-ffmpeg/ffmpeg", ""]
[2020-12-15 20:55:00.151 +00:00] [INF] Operating system: "Linux"
[2020-12-15 20:55:00.151 +00:00] [INF] Architecture: X64
[2020-12-15 20:55:00.152 +00:00] [INF] 64-Bit Process: True
[2020-12-15 20:55:00.152 +00:00] [INF] User Interactive: True
[2020-12-15 20:55:00.152 +00:00] [INF] Processor count: 6
[2020-12-15 20:55:00.152 +00:00] [INF] Program data path: "/var/lib/jellyfin"
[2020-12-15 20:55:00.152 +00:00] [INF] Web resources path: "/usr/share/jellyfin/web"
[2020-12-15 20:55:00.153 +00:00] [INF] Application directory: "/usr/lib/jellyfin/bin/"
[2020-12-15 20:55:00.395 +00:00] [INF] Setting cache path: "/var/cache/jellyfin"
[2020-12-15 20:55:00.406 +00:00] [INF] Loading assemblies
[2020-12-15 20:55:00.423 +00:00] [INF] Loaded assembly "Jellyfin.Plugin.Anime, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null" from "/var/lib/jellyfin/plugins/Anime/Jellyfin.Plugin.Anime.dll"
[2020-12-15 20:55:00.428 +00:00] [INF] Loaded assembly "LDAP-Auth, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null" from "/var/lib/jellyfin/plugins/LDAP Authentication/LDAP-Auth.dll"
[2020-12-15 20:55:00.429 +00:00] [ERR] Error getting exported types from "LDAP-Auth, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null"
System.IO.FileNotFoundException: Could not load file or assembly 'System.Runtime, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'. The system cannot find the file specified.

File name: 'System.Runtime, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
   at System.Reflection.RuntimeAssembly.GetExportedTypes()
   at Emby.Server.Implementations.ApplicationHost.GetTypes(IEnumerable`1 assemblies)+MoveNext()


[2020-12-15 20:55:00.437 +00:00] [INF] Loaded assembly "Novell.Directory.Ldap.NETStandard, Version=3.4.0.0, Culture=neutral, PublicKeyToken=510c34e9dec7f86f" from "/var/lib/jellyfin/plugins/LDAP Authentication/Novell.Directory.Ldap.NETStandard.dll"
[2020-12-15 20:55:00.438 +00:00] [ERR] Error getting exported types from "Novell.Directory.Ldap.NETStandard, Version=3.4.0.0, Culture=neutral, PublicKeyToken=510c34e9dec7f86f"
System.IO.FileNotFoundException: Could not load file or assembly 'System.Runtime, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'. The system cannot find the file specified.

File name: 'System.Runtime, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
   at System.Reflection.RuntimeAssembly.GetExportedTypes()
   at Emby.Server.Implementations.ApplicationHost.GetTypes(IEnumerable`1 assemblies)+MoveNext()


[2020-12-15 20:55:02.752 +00:00] [INF] Kestrel listening on all interfaces
[2020-12-15 20:55:02.887 +00:00] [INF] Running startup tasks
[2020-12-15 20:55:02.901 +00:00] [INF] Daily trigger for "Extract Chapter Images" set to fire at 12/16/2020 02:00, which is 5:04:57.0988991 from now.
[2020-12-15 20:55:03.023 +00:00] [INF] Found ffmpeg version "4.3.1"
[2020-12-15 20:55:03.081 +00:00] [INF] Available "decoders": ["h264", "h264_qsv", "h264_cuvid", "hevc", "hevc_qsv", "hevc_cuvid", "mpeg2video", "mpeg2_qsv", "mpeg2_cuvid", "mpeg4", "mpeg4_cuvid", "msmpeg4", "vc1_qsv", "vc1_cuvid", "vp8_cuvid", "vp8_qsv", "vp9_cuvid", "vp9_qsv", "aac", "ac3", "mp3"]
[2020-12-15 20:55:03.126 +00:00] [INF] Available "encoders": ["libx264", "h264_amf", "h264_nvenc", "h264_qsv", "h264_v4l2m2m", "h264_vaapi", "libx265", "hevc_amf", "hevc_nvenc", "hevc_qsv", "hevc_vaapi", "mpeg4", "msmpeg4", "libvpx", "libvpx-vp9", "aac", "ac3", "libmp3lame", "libopus", "libvorbis", "srt"]
[2020-12-15 20:55:03.160 +00:00] [INF] Available hwaccel types: ["vdpau", "cuda", "vaapi", "qsv", "drm", "opencl"]
[2020-12-15 20:55:03.160 +00:00] [INF] FFmpeg: SetByArgument: "/usr/lib/jellyfin-ffmpeg/ffmpeg"
[2020-12-15 20:55:03.163 +00:00] [INF] ServerId: "adbb8b3f59944c6db7e00b3de16b9fed"
[2020-12-15 20:55:03.753 +00:00] [INF] Registering publisher for "urn:schemas-upnp-org:device:MediaServer:1" on "192.168.10.15"
[2020-12-15 20:55:03.807 +00:00] [INF] Executed all pre-startup entry points in 0:00:00.6168013
[2020-12-15 20:55:03.808 +00:00] [INF] Core startup complete
[2020-12-15 20:55:04.155 +00:00] [INF] Watching directory /mnt/media/tv_series
[2020-12-15 20:55:04.162 +00:00] [INF] Watching directory /mnt/media/movies
[2020-12-15 20:55:04.167 +00:00] [INF] Executed all post-startup entry points in 0:00:00.3595039
[2020-12-15 20:55:04.168 +00:00] [INF] Startup complete 0:00:04.4062709
[2020-12-15 20:55:05.955 +00:00] [INF] "StartupTrigger" fired for task: "Update Plugins"
[2020-12-15 20:55:05.956 +00:00] [INF] Queueing task "PluginUpdateTask"
[2020-12-15 20:55:05.960 +00:00] [INF] Executing "Update Plugins"
[2020-12-15 20:55:06.609 +00:00] [WRN] HTTP Response 200 to "10.0.0.235". Time (slow): 0:00:01.1895637. "http://192.168.10.15:8096/System/Logs/Log?name=jellyfin20201215.log"
[2020-12-15 20:55:07.063 +00:00] [INF] "Update Plugins" Completed after 0 minute(s) and 1 seconds
[2020-12-15 20:55:07.241 +00:00] [INF] ExecuteQueuedTasks
[2020-12-15 20:57:31.109 +00:00] [INF] WS "::ffff:10.0.0.235" request

LDAP Password does not update once set, manual editing required.

Jellyfin version: Latest stable 10.6.1
OS: CentOS 8.2 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
LDAP Plugin version: 9.0.0.0

I was put in a situation where I had to change the LDAP password for the service account I use for LDAP, as one other service wasn't able to handle special characters in the password. All other services worked fine after changing the LDAP bind password but Jellyfin absolutely would not work with the new password.

I tried uninstalling the plugin, restarting JF, reinstalling, but settings were still saved, all settings could be changed but not the password for the bind.

Error code on authentication was similar to this:

Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: LdapException: Invalid Credentials (49) Invalid Credentials
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: LdapException: Server Message: 80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v4563
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: LdapException: Matched DN:
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: [18:00:35] [ERR] [6] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider LDAP-Authentication
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: MediaBrowser.Controller.Authentication.AuthenticationException: Failed to Connect or Bind to server
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]:    at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.LocateLdapUser(String username)
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]:    at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.Authenticate(String username, String password)
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]:    at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: [18:00:35] [INF] [6] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for user has been denied (IP: *bleep).

The AD service account used for LDAP binds got an increment on the attribute BadPwdCount every time LDAP auth was attempted.

Only after changing the plaintext password in /var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml which remained upon both uninstallation and restart of Jellyfin did LDAP auth work as expected again.

Full LDAP configuration;

<?xml version="1.0"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <LdapServer>10.100.10.16</LdapServer>
  <LdapBaseDn>DC=*bleep*,DC=*bleep*,DC=*bleep*</LdapBaseDn>
  <LdapPort>636</LdapPort>
  <LdapSearchAttributes>cn, displayName, sAMAccountName</LdapSearchAttributes>
  <LdapUsernameAttribute>sAMAccountName</LdapUsernameAttribute>
  <LdapSearchFilter>(memberOf=CN=SG-JellyfinUsers,OU=Groups,OU=*bleep*,DC=ad,DC=*bleep*,DC=se)</LdapSearchFilter>
  <LdapAdminFilter>(enabledService=JellyfinAdministrator)</LdapAdminFilter>
  <LdapBindUser>CN=LDAP_SA,OU=Service Accounts,OU=*bleep*,DC=ad,DC=*bleep*,DC=*bleep*</LdapBindUser>
  <LdapBindPassword>*bleep*</LdapBindPassword>
  <CreateUsersFromLdap>true</CreateUsersFromLdap>
  <UseSsl>true</UseSsl>
  <UseStartTls>false</UseStartTls>
  <SkipSslVerify>true</SkipSslVerify>
</PluginConfiguration>

IP was used instead of hostname because for some reason, the LDAP plugin refuses to resolve the hostname, even if the host itself is fully capable of doing so, and does for some other purposes.

RFC: Per 'Library Access' defaults for LDAP filters

I started implementing a POC to allow the admin to define default library access permissions grouped by LDAP filters.

Here is an initial screen shot. Before I plumb in the backend, I wanted to get comments or feedback on:

  1. Is there interest in this in the upstream project?
  2. Does this UX look like it aligns with how the plugin should present itself?

image

When the user clicks 'Delete' on an item, it would prompt prior to deleting that filter group.

When the user clicks + it would pop up a dialog allowing them to define the filter and select which libraries are available.

When the user clicks 'Edit' it would pop up that same dialog, pre-filled with the current settings.

These settings would only be used during initial Jellyfin user creation.

These options are only available if 'Enable User Creation' is selected.

Cannot save settings

I installed the LDAP Authentication extension in Jellyfin and I am not able to save the settings. When I try to edit the settings, the page simply reloads without saving my changes.

I am on Jellyfin 10.6.4 and LDAP-Auth 9.0.0.0.

I saw that there is a similar issue in the Jellyfin repo (jellyfin/jellyfin#3798) but the issue still hasn't been fixed. Is there any workaround to this problem?

Add support for secondary server for failover

Hello,

I am using the plugin for Active Directory and it works great, I am curious if it would be possible to add a second optional field for a secondary failover domain controller in the event the primary is not reachable.

Each time you switch to the plugin, it re-registers itself

If you go to the Advanced -> Plugins and then load a plugin, it registers a 'pageshow' handler. If you leave the page and go back, it registers again with a new instance of the handler. On 'pageshow', each registered handler is then called resulting in race conditions, etc. You can most easily see this by loading in the JavaScript console and seeing the load count for the plugin configuration webpage:

The "3" below grows each time you leave and go back into the plugin.

image

Enable Referral Following

Hello,

I think I'm close to getting the plugin configured correctly for my environment, but I've run into the following:

LdapReferralException: Search result reference received, and referral following is off (10) Referral

I'm looking for valid users in an AD group (in this case the "All Users" email group) that is in a different OU than where the user accounts are.

Searching, I found the following page that (I believe) explains the issue I'm having:
https://stackoverflow.com/questions/46052873/a-list-of-all-users-ldap-referral-error-ldapreferralexception

Also, are there any issues with account names with spaces? for example FirstName (space) LastName

Hope I provided the needed information, but if not please ask and I'll get more.

Thanks!

Update from v6 to v9

Hello all !

I have a problem trying to update my Jellyfin install from 10.5 with the v6 LdapAuth plugin to 10.6.4 with the v9 LdapAuth plugin. After the update, when trying to log in, I get:

Sep 06 03:09:21 [01:09:21] [WRN] [22] Jellyfin.Server.Implementations.Users.UserManager: User XXXXX was found with invalid/missing Authentication Provider Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin. Assigning user to InvalidAuthProvider until this is corrected
Sep 06 03:09:21 [01:09:21] [ERR] [22] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider InvalidOrMissingAuthenticationProvider
Sep 06 03:09:21 MediaBrowser.Controller.Authentication.AuthenticationException: User Account cannot login with this provider. The Normal provider for this user cannot be found
Sep 06 03:09:21 at Jellyfin.Server.Implementations.Users.InvalidAuthProvider.Authenticate(String username, String password)
Sep 06 03:09:21 at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
Sep 06 03:09:21 [01:09:21] [INF] [22] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for XXXXX has been denied (IP: 82.251.102.162).
Sep 06 03:09:21 [01:09:21] [ERR] [22] Emby.Server.Implementations.HttpServer.HttpListenerHost: Error processing request: Invalid username or password entered. URL: http://localhost:8096/jellyfin/Users/authenticatebyname
Sep 06 03:09:21 172.18.0.1 [06/Sep/2020:01:09:21 +0000] "POST /jellyfin/Users/authenticatebyname HTTP/1.1" 401 45 "https://XXXXX/jellyfin/web/index.html"

And of course, I cannot use the v6 plugin with 10.6.x, so I am stuck for now on the old one :/

Any guide on how I can "convert" the existing Ldap users to the new plugin version ?

FreeIPA LDAP Object reference not set to an instance of an object.

I'm not sure if this is an issue with my configuration or if it is related to FreeIPA but I am receiving the below error when attempting to authenticate over LDAP with a FreeIPA server. I am planning on setting up a different test one for compatibility testing soon. The user/admin filters, and bind user test correctly using ldapsearch.

The instance is running in docker using the linuxserver image and the error occurs when directly connecting or through a reverse proxy, and across multiple browsers (chrome desktop and android, firefox)

[22:18:49] [ERR] Error processing request
System.NullReferenceException: Object reference not set to an instance of an object.
   at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.Authenticate(String username, String password)
   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
   at Emby.Server.Implementations.Library.UserManager.AuthenticateLocalUser(String username, String password, String hashedPassword, User user, String remoteEndPoint)
   at Emby.Server.Implementations.Library.UserManager.AuthenticateUser(String username, String password, String hashedPassword, String remoteEndPoint, Boolean isUserSession)
   at Emby.Server.Implementations.Session.SessionManager.AuthenticateNewSessionInternal(AuthenticationRequest request, Boolean enforcePassword)
   at MediaBrowser.Api.UserService.Post(AuthenticateUserByName request)
   at Emby.Server.Implementations.Services.ServiceExecGeneral.GetTaskResult(Task task)
   at Emby.Server.Implementations.Services.ServiceHandler.ProcessRequestAsync(HttpListenerHost httpHost, IRequest httpReq, HttpResponse httpRes, ILogger logger, CancellationToken cancellationToken)
   at Emby.Server.Implementations.HttpServer.HttpListenerHost.RequestHandler(IHttpRequest httpReq, String urlString, String host, String localPath, CancellationToken cancellationToken)

Config Info, server and bind user not listed but validated.
LDAP Base DN for searches: cn=accounts,dc=example,dc=com
LDAP Attributes: uid
LDAP Name Attribute: cn
LDAP User Filter: (&(objectClass=person)(memberof=cn=airsonic_users,cn=groups,cn=accounts,dc=example,dc=com))
LDAP Admin Filter: (&(objectClass=person)(memberof=cn=airsonic_admins,cn=groups,cn=accounts,dc=example,dc=com))

As always, any help is appreciated!

Fail2Ban Support/Logging Exceptions

Currently the logs look like this when a user isn't found in LDAP (login attempt with an incorrect username):

[2020-02-08 23:26:48.523 -05:00] [ERR] Found no users matching "test" in LDAP search.                                                                                                                                      
[2020-02-08 23:26:48.526 -05:00] [ERR] Error processing request                                                                                                                                                            
System.Exception: Found no LDAP users matching provided username.                                                                                                                                                          
   at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.Authenticate(String username, String password)                                                                                                            
   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)                                                      
   at Emby.Server.Implementations.Library.UserManager.AuthenticateLocalUser(String username, String password, String hashedPassword, User user, String remoteEndPoint)                                                     
   at Emby.Server.Implementations.Library.UserManager.AuthenticateUser(String username, String password, String hashedPassword, String remoteEndPoint, Boolean isUserSession)                                              
   at Emby.Server.Implementations.Session.SessionManager.AuthenticateNewSessionInternal(AuthenticationRequest request, Boolean enforcePassword)                                                                            
   at MediaBrowser.Api.UserService.Post(AuthenticateUserByName request)                                                                                                                                                    
   at Emby.Server.Implementations.Services.ServiceExecGeneral.GetTaskResult(Task task)                                                                                                                                     
   at Emby.Server.Implementations.Services.ServiceHandler.ProcessRequestAsync(HttpListenerHost httpHost, IRequest httpReq, HttpResponse httpRes, ILogger logger, CancellationToken cancellationToken)                      
   at Emby.Server.Implementations.HttpServer.HttpListenerHost.RequestHandler(IHttpRequest httpReq, String urlString, String host, String localPath, CancellationToken cancellationToken)

The logs look like this when a login attempt is made with a valid username but incorrect password:

[2020-02-08 23:29:22.826 -05:00] [ERR] Failed to Connect or Bind to server as user "uid=phasecorex,ou=users,dc=example,dc=com"
LdapException: Invalid Credentials (49) Invalid Credentials
LdapException: Matched DN:
[2020-02-08 23:29:22.861 -05:00] [ERR] Error processing request
LdapException: Invalid Credentials (49) Invalid Credentials
LdapException: Matched DN:

For both of the above examples, I am using a readonly LDAP bind user. Also it looks like from the frontend perspective, both of these display the same error, so that is good.

In both cases it would be nice to see a standardized log line stating that the login was a failure, along with the user's IP address. That way it would be easy to set up Fail2Ban to protect my server. Perhaps it could raise the error up to whatever Jellyfin is already doing when logging login errors? Regardless it would be nice to not have exceptions being thrown in the logs for these.

Thank you!
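
What a Fail2Ban-style filter can and cannot use from these logs, as an added example that is not part of the original report or of the plugin: only lines that carry a client address count, and an address is flagged after `maxretry` failures inside `findtime`. The sample log is constructed from the line shapes quoted on this page with documentation addresses; the exact denial-line layout in the log file and the threshold values are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS = r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2})\]"
IP = r"(?P<ip>[0-9A-Fa-f:.]+)"
# Both patterns are anchored at the end of the line, so the address is always
# the one the server appended last and never text taken from a username field.
FAILURE_PATTERNS = [
    re.compile(TS + r' \[ERR\] Error processing request: "\[' + IP
               + r'\] Invalid username or password entered\."$'),
    re.compile(TS + r' \[INF\] .*Authentication request for .* has been denied '
               r'\(IP: "?' + IP + r'"?\)\.$'),
]

# Constructed sample. Lines 1 and 4 are the plugin messages quoted in the
# report above: they record a failure but no address, so they cannot be used.
SAMPLE_LOG = '''
[2020-02-08 23:26:48.523 -05:00] [ERR] Found no users matching "test" in LDAP search.
[2020-02-08 23:26:48.530 -05:00] [ERR] Error processing request: "[198.51.100.7] Invalid username or password entered."
[2020-02-08 23:27:10.101 -05:00] [ERR] Error processing request: "[198.51.100.7] Invalid username or password entered."
[2020-02-08 23:29:22.826 -05:00] [ERR] Failed to Connect or Bind to server as user "uid=phasecorex,ou=users,dc=example,dc=com"
[2020-02-08 23:29:22.900 -05:00] [INF] [6] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for phasecorex has been denied (IP: 198.51.100.7).
[2020-02-08 23:31:00.000 -05:00] [ERR] Error processing request: "[192.0.2.44] Invalid username or password entered."
[2020-02-08 23:55:00.000 -05:00] [ERR] Error processing request: "[192.0.2.44] Invalid username or password entered."
[2020-02-09 00:20:00.000 -05:00] [ERR] Error processing request: "[192.0.2.44] Invalid username or password entered."
'''


def parse_failures(lines):
    """Yield (timestamp, ip) for each line that records a failed login with an address."""
    for line in lines:
        line = line.rstrip()
        for pattern in FAILURE_PATTERNS:
            match = pattern.match(line)
            if not match:
                continue
            try:
                ip = str(ipaddress.ip_address(match.group("ip")))
            except ValueError:
                break  # looked like a failure line but the address is not valid
            ts = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S.%f %z")
            yield ts, ip
            break


def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each address to the time it reached maxretry failures within findtime."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in parse_failures(lines):
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```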

[Cool enhancement] Avatar from jpegPhoto

Hi guys,
Thanks for your great job, it works perfectly well on my installation.
I thought it would be really great if the 'jpegPhoto' attribute from a user account could be used as an avatar in jellyfin.
I don't know how complex it is to integrate something like that but it would be awesome !
Have a good day.
Best regards.
Xyko0

User to Admin LDAP change

Current scenario:

  1. A user is created as a regular user from LDAP
  2. The LDAP server changes that user to have admin privileges for jellyfin
  3. The user will still be a regular user

Expected scenario:

  1. The user is now an admin of the jellyfin server.

Attempted solutions:

Use a jellyfin admin account to delete the user via the GUI. This does not appear to remove the user from the underlying database, as watched shows are still tracked on re-registering after being deleted.

Delete the jellyfin cache, logs, metadata and transcodes folders, rebuild the library. This rather blunt method solves the issue, but requires re-setting up the whole server.

ldapexception: sizelimit exceeded (4) sizelimit exceeded

I have all of this working on my Test system which does not have the number of users as the production system. When I try on the production system I get an LDAP size limit exceeded error in the logs. Using the ldapsearch command line query works just fine. Is there some setting to make the Ldap plugin handle a large number of users?

Add groups discovery

First of all, thank you for your work on this project. This has been very useful to me. Though I have one feature request to increase the flexibility of the plugin.

Currently we only look at the user's fields for user and admin filters. I think it is common to define groups with "member" fields. In that case we can not filter users by only looking at user's fields.

I think we should add the following settings :

  • LDAP Base DN for group searches (e.g. "ou=groups,dc=local,dc=domain")
  • LDAP Group Member Attribute (e.g. "member")

Finally, a setting should allow to specify if we want to filter on the group's fields or on the user's fields (current behaviour).

No log output in Jellyfin 10.5

It seems Jellyfin has changed the way logs are managed, and since the output there is no output regarding LDAP authentication. The only related output is this:
[2020-03-09 17:08:16.344 +00:00] [ERR] Error processing request: "[10.0.4.4] Invalid username or password entered."
However, I don't know if it's because the plugin simply isn't being invoked, or if its only the logging. As my configuration wasn't working before the update.

LDAP Admin Group Not Working As Intended?

Sadly due to the limited documentation I'm not sure what depth this issue has. I got the LDAP plugin configured correctly. If a user was part of a group in my LdapSearchFilter they were able to log in with no issues and the account was created.

However, I had a user that was only part of the admin group that was defined in the LdapAdminFilter parameter. This user was unable to log in. Only once I added them into my User Group were they able to log in. Then even when they did log in and their account was created it wasn't created as an administrative account.

Below are my current configurations and screen shots to help provide evidence to the issue:

<?xml version="1.0"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <LdapServer>server.domain.xyz</LdapServer>
  <LdapBaseDn>DC=domain,DC=xyz</LdapBaseDn>
  <LdapPort>389</LdapPort>
  <LdapSearchAttributes>SamAccountName</LdapSearchAttributes>
  <LdapUsernameAttribute>SamAccountName</LdapUsernameAttribute>
  <LdapSearchFilter>(memberOf=CN=Jellyfin-Users,OU=O-Groups,DC=domain,DC=xyz)</LdapSearchFilter>
  <LdapAdminFilter>(memberOf=CN=Jellyfin-Admins,OU=O-Groups,DC=domain,DC=xyz)</LdapAdminFilter>
  <LdapBindUser>CN=Jellyfin LDAP,OU=Service-Accounts,OU=O-Users,DC=domain,DC=xyz</LdapBindUser>
  <LdapBindPassword>mysupersecurepassword</LdapBindPassword>
  <CreateUsersFromLdap>true</CreateUsersFromLdap>
  <UseSsl>false</UseSsl>
  <UseStartTls>false</UseStartTls>
  <SkipSslVerify>false</SkipSslVerify>
</PluginConfiguration>

Jellyfin Plugins Menu

When I was finally able to login with the user I had to manually promote them to admin.
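
A reviewer's check of the transport and secret-handling settings in an `LDAP-Auth.xml` like the two configurations posted on this page (this report and the earlier bind-password report), as an added example that is not part of the plugin: it reads the element names shown in those files and reports the combinations that weaken the bind. Both sample configurations are constructed; the finding ids and severities are assumptions made for the illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Example value that an earlier report on this page says is auto-filled.
PLACEHOLDER_ADMIN_FILTER = "(enabledService=JellyfinAdministrator)"

# Constructed sample: LDAPS on 636 with certificate checks switched off.
SAMPLE_TLS_UNVERIFIED = """<?xml version="1.0"?>
<PluginConfiguration>
  <LdapServer>192.0.2.16</LdapServer>
  <LdapPort>636</LdapPort>
  <LdapAdminFilter>(enabledService=JellyfinAdministrator)</LdapAdminFilter>
  <LdapBindUser>CN=LDAP_SA,OU=Service Accounts,DC=example,DC=com</LdapBindUser>
  <LdapBindPassword>constructed-secret</LdapBindPassword>
  <CreateUsersFromLdap>true</CreateUsersFromLdap>
  <UseSsl>true</UseSsl>
  <UseStartTls>false</UseStartTls>
  <SkipSslVerify>true</SkipSslVerify>
</PluginConfiguration>"""

# Constructed sample: port 389 with neither LDAPS nor StartTLS.
SAMPLE_CLEARTEXT = """<?xml version="1.0"?>
<PluginConfiguration>
  <LdapServer>ldap.example.com</LdapServer>
  <LdapPort>389</LdapPort>
  <LdapAdminFilter>(memberOf=CN=Jellyfin-Admins,DC=example,DC=com)</LdapAdminFilter>
  <LdapBindUser>CN=Jellyfin LDAP,OU=Service-Accounts,DC=example,DC=com</LdapBindUser>
  <LdapBindPassword>constructed-secret</LdapBindPassword>
  <CreateUsersFromLdap>true</CreateUsersFromLdap>
  <UseSsl>false</UseSsl>
  <UseStartTls>false</UseStartTls>
  <SkipSslVerify>false</SkipSslVerify>
</PluginConfiguration>"""


def _flag(cfg, name):
    """Read a boolean element; a missing element counts as false."""
    return (cfg.findtext(name) or "").strip().lower() == "true"


def audit_config(xml_text):
    """Return a list of (severity, id, message) findings for one configuration."""
    cfg = ET.fromstring(xml_text.lstrip())
    findings = []
    encrypted = _flag(cfg, "UseSsl") or _flag(cfg, "UseStartTls")
    if not encrypted:
        findings.append(("HIGH", "cleartext-bind",
                         "bind DN, bind password and every user's password "
                         "cross the network unencrypted"))
    elif _flag(cfg, "SkipSslVerify"):
        findings.append(("HIGH", "tls-unverified",
                         "server certificate is not validated; trust the "
                         "internal CA on the host instead of skipping checks"))
    if (cfg.findtext("LdapBindPassword") or "").strip():
        findings.append(("MEDIUM", "plaintext-secret",
                         "bind password is stored in the file; restrict the "
                         "file mode and use a read-only bind account"))
    admin_filter = (cfg.findtext("LdapAdminFilter") or "").strip()
    if _flag(cfg, "CreateUsersFromLdap") and admin_filter == PLACEHOLDER_ADMIN_FILTER:
        findings.append(("LOW", "placeholder-admin-filter",
                         "admin filter is still the example value; confirm "
                         "which directory entries it matches"))
    return findings


def audit_file_mode(path):
    """Flag a configuration file that group or other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ("MEDIUM", "config-file-mode",
                f"{path} has mode {mode:o}; the bind password is readable "
                "beyond the service account")
    return None


if __name__ == "__main__":
    for name, text in (("tls-unverified sample", SAMPLE_TLS_UNVERIFIED),
                       ("cleartext sample", SAMPLE_CLEARTEXT)):
        for severity, ident, message in audit_config(text):
            print(f"{name}: [{severity}] {ident}: {message}")
```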

Ability to configure which folders new LDAP users have access to

I would like to be able to configure a default set of folders for LDAP account users to have access to, rather than it defaulting to all folders the first time an LDAP user connects to my Jellyfin server.

I created PR #90 as an attempt to implement this feature:

image

Cheers,
James

Connection to LDAP server fail with STARTTLS

Hi,

I'm having a problem getting the plugin working in my configuration. I think it's related to STARTTLS but could be wrong.

On my server, I have OpenLDAP installed and configured with STARTTLS listening on port 389. Jellyfin is installed on the same machine, so I configured the LDAP Server as "localhost" (tried 127.0.0.1, real IP and FQDN too) on port 389.

Without "Secure LDAP" (which seems to refer to SSL, not STARTTLS) enabled in the plugin configuration, logs say it should be enabled. With "Secure LDAP" enabled, I have this in my logs :

[2019-07-24 23:44:42.118 +02:00] [ERR] Failed to Connect or Bind to server
LdapException: Unable to connect to server localhost:389 (91) Connect Error
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
   at Novell.Directory.Ldap.Connection.connect(String host, Int32 port, Int32 semaphoreId)
[2019-07-24 23:44:42.153 +02:00] [ERR] Error authenticating with provider "LDAP-Authentication"
LdapException: Unable to connect to server localhost:389 (91) Connect Error
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at Novell.Directory.Ldap.AsyncExtensions.WaitAndUnwrap(Task task, Int32 timeout)
   at Novell.Directory.Ldap.Connection.connect(String host, Int32 port, Int32 semaphoreId)
[2019-07-24 23:44:42.161 +02:00] [ERR] Error authenticating with provider "Default"
System.Exception: Invalid username or password
   at Emby.Server.Implementations.Library.DefaultAuthenticationProvider.Authenticate(String username, String password, User resolvedUser)
   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2019-07-24 23:44:42.167 +02:00] [ERR] Error authenticating with provider "InvalidOrMissingAuthenticationProvider"
MediaBrowser.Controller.Net.SecurityException: User Account cannot login with this provider. The Normal provider for this user cannot be found
   at Emby.Server.Implementations.Library.InvalidAuthProvider.Authenticate(String username, String password)
   at Emby.Server.Implementations.Library.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
[2019-07-24 23:44:42.192 +02:00] [ERR] Invalid username or password entered.

I also have a bunch of other apps on this server which are working well with STARTTLS (Nextcloud, Gitea, ...), so I'm pretty confident about my OpenLDAP configuration.

Am I doing this wrong? Is STARTTLS not supported?

Thanks a lot for your work!

Problems in v9 with LdapAdminFilter

Hello!

I have a problem in v9 that causes the LdapAdminFilter to do nothing. What I mean is that for admin users, the login succeeds but they are not admins.

The exact same config worked for the old v6 with jellyfin 10.5, and users that were previously created are still admins, but new users are not.

Testing with ldapsearch gives the correct results.

Any idea what may be causing the problem?

[ENHANCEMENT] add an import users functionality

I was wondering how difficult it would be to add the functionality to import users from LDAP. The plugin seems to handle binding and searching (and even creating the user on login) really well, and I greatly enjoy being able to use LDAP as a backend, as I have several users and many apps that I try to keep connected together.

Having a button to import users from LDAP could, I think, also solve the LDAP password not updating in Jellyfin and requiring a manual reset.

Adding a scheduled cron to run the importer would be even sweeter! The apps I use the most that pull from JF users are Ombi and Organizr.

Add LDAP group filter for FreeIPA

Hi,

I currently use jellyfin-plugin-ldapauth for my Jellyfin instance and the authentication works perfectly well! (It is great to read that sometimes, huh?)
But (yeah, sorry), when an LDAP server like FreeIPA is used, the information about groups isn't stored in the user's CN (with a memberOf attribute); it's actually the opposite: the group contains the users that belong to it.

For example, if I want to know whether my user is allowed to use my Jellyfin instance, I have to search my LDAP groups with the memberUid attribute.

The user looks like this:

# jdoe, users, accounts, lan.example.com
dn: uid=jdoe,cn=users,cn=accounts,dc=lan,dc=example,dc=com
displayName: John Doe
**uid: jdoe**

And the group looks like this:

# Users, groups, compat, lan.example.com
dn: cn=leechers,cn=groups,cn=compat,dc=lan,dc=example,dc=com
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: ipaexternalgroup
objectClass: top
gidNumber: 118000022
memberUid: otherLeecher
memberUid: newPirate
**memberUid: jdoe**
cn: leechers

So it is possible to authenticate through LDAP, but I can specify neither the admin filter nor the group restriction.

Do you think it would be possible to add a group filter section to your plugin?
It should be able to take the previously successfully authenticated LDAP user and do a new search with another LDAP filter, and the admin could specify the group DN to look for AND the attribute which should contain the user's uid.

In my case "(&(cn=leechers)(memberuid=jdoe))", or two text areas: the first with the group cn, the second with the attribute which has to match the previously authenticated uid.

Thanks.
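
The group lookup requested above, as an added example that is not part of the original issue or the plugin's own code: it builds the (&(cn=...)(memberUid=...)) filter with RFC 4515 escaping of the login name and checks membership against the post's group entry. All function names are hypothetical, and is_member is a local stand-in for the directory search.

```python
import re

# Constructed sample: the posixGroup entry from the post, as plain LDIF.
GROUP_LDIF = """\
dn: cn=leechers,cn=groups,cn=compat,dc=lan,dc=example,dc=com
objectClass: posixGroup
gidNumber: 118000022
memberUid: otherLeecher
memberUid: newPirate
memberUid: jdoe
cn: leechers
"""

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_group_filter(group_cn, member_attr, uid):
    """Build (&(cn=<group>)(<attr>=<uid>)) from admin config plus the login name."""
    # The attribute name is admin-configured; accept only a plain descriptor.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", member_attr):
        raise ValueError("invalid attribute name: %r" % member_attr)
    return "(&(cn=%s)(%s=%s))" % (
        escape_filter_value(group_cn), member_attr, escape_filter_value(uid))

def parse_ldif_entry(text):
    """Parse one simple LDIF entry (no base64, no folded lines) into a dict of lists."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        entry.setdefault(name.lower(), []).append(value)
    return entry

def is_member(entry, member_attr, uid):
    """Stand-in for the search: attribute names compare case-insensitively;
    values are compared exactly (an assumption of this example)."""
    return uid in entry.get(member_attr.lower(), [])
```

Because the uid comes from the login form, it is escaped before it reaches the filter, so a name containing * or parentheses is matched literally instead of changing the filter's structure.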

Can't uninstall 6.0 on 10.4.3

I've been having non-stop issues with getting the LDAP plugin to work with my Active Directory Domain... I have it working just fine for NextCloud so I know everything on my end is working as it should.
During attempts to troubleshoot this I am attempting Jellyfin Server 10.4.3 because I was told (on reddit) that it has less issues than 10.5. Well, still not working.
I am now trying to remove 6.0 of the plugin to install 4.0 for testing to see if it reacts any different. It won't uninstall. The plugins page just hangs on a progress wheel and I see the following in the log.

[2020-07-11 20:15:17.630 -05:00] [ERR] Error processing request
System.UnauthorizedAccessException: Access to the path 'LDAP-Auth.dll' is denied.
   at System.IO.FileSystem.RemoveDirectoryRecursive(String fullPath, WIN32_FIND_DATA& findData, Boolean topLevel)
   at System.IO.FileSystem.RemoveDirectory(String fullPath, Boolean recursive)
   at Emby.Server.Implementations.Updates.InstallationManager.UninstallPlugin(IPlugin plugin)
   at MediaBrowser.Api.PluginService.Delete(UninstallPlugin request)
   at Emby.Server.Implementations.Services.ServiceExecGeneral.<>c__DisplayClass5_0.<CreateExecFn>b__0(Object service, Object request)
   at Emby.Server.Implementations.Services.ServiceExecGeneral.Execute(Type serviceType, IRequest request, Object instance, Object requestDto, String requestName)
   at Emby.Server.Implementations.Services.ServiceController.Execute(HttpListenerHost httpHost, Object requestDto, IRequest req)
   at Emby.Server.Implementations.Services.ServiceHandler.ProcessRequestAsync(HttpListenerHost httpHost, IRequest httpReq, HttpResponse httpRes, ILogger logger, CancellationToken cancellationToken)
   at Emby.Server.Implementations.HttpServer.HttpListenerHost.RequestHandler(IHttpRequest httpReq, String urlString, String host, String localPath, CancellationToken cancellationToken)

[Issue]: LDAP provider does not update attributes for existing users

Please describe your bug

Steps to reproduce:
1. Connect Jellyfin to LDAP backend via the provided LDAP plugin.
2. Create a new user in LDAP.
3. Make sure your new LDAP user matches the Jellyfin LDAP Admin Filter.
4. Log in with your new user to Jellyfin
5. Check that you have admin permissions (i.e. can access server dashboard etc)
6. Log out
7. Change your LDAP user so that it no longer matches the Jellyfin LDAP Admin Filter.
8. Log back in to Jellyfin with your LDAP user

You will find out that your user still has admin privileges. The only way to revoke those is by going to the users section and manually removing the checkbox "Allow this user to manage the server". The reverse is also true - start with non admin user, log in, log out, satisfy LDAP admin filter, log back in - no admin privileges.

Expected behaviour:
User privileges are evaluated against LDAP on every login and the corresponding changes are made to reflect that in Jellyfin.

Jellyfin Version

10.7.7

if other:

No response

Environment

- OS: Linux
- Virtualization: Docker
- Clients: Browser
- Browser: Chrome
- FFmpeg Version: N/A
- Playback Method: N/A
- Hardware Acceleration: N/A
- Plugins: LDAP
- Reverse Proxy: Synology reverse proxy
- Base URL: jellyfin.mydomain.tlddomain
- Networking: Host
- Storage: local

Jellyfin logs

No response

FFmpeg logs

No response

Please attach any browser or client logs here

No response

Please attach any screenshots here

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

[Enhancement] Redundant servers / SRV record lookup

Along the same vein as #20 - I've tried supplying a secondary server in the form "server1.domain server2.domain", but that fails with:

LdapException: Unable to connect to server server1.domain server2.domain:636 (91) Connect Error
System.Net.Internals.SocketExceptionFactory+ExtendedSocketException (00000005, 0xFFFDFFFF): Name or service not known

Could support for SRV lookups be added? This would mean that jellyfin does the following:

  • Look up _ldap._tcp.$DOMAIN SRV
  • Query one of the servers returned, if that fails, try the next one.

The SRV records are automatically handled by FreeIPA and Windows AD DS to be an up-to-date list of domain controllers in the closest subnet as the requester, and should return data like this:

_ldap._tcp.$DOMAIN. 86400 IN CNAME _ldap._tcp.$SITE._locations.$DOMAIN.
_ldap._tcp.$SITE._locations.$DOMAIN. 86400 IN SRV 0 100 389 $SERVER1.$DOMAIN.
_ldap._tcp.$SITE._locations.$DOMAIN. 86400 IN SRV 0 100 389 $SERVER2.$DOMAIN.

For more info on it from the Windows AD DS side: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/how-domain-controllers-are-located
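
The lookup-then-failover behaviour proposed above, as an added example that is not part of the original issue or the plugin's own code: it reads records in the zone-file form shown in the post, follows the CNAME, orders targets by SRV priority and weight (RFC 2782), and tries each in turn. The host names, the third record and all function names are constructed for illustration; try_connect is a hypothetical callback supplied by the caller.

```python
import random

# Constructed sample in the zone-file form from the post, with concrete
# names substituted for $DOMAIN, $SITE and $SERVERn; dc3 is an added backup.
ZONE = """\
_ldap._tcp.example.com. 86400 IN CNAME _ldap._tcp.site1._locations.example.com.
_ldap._tcp.site1._locations.example.com. 86400 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.site1._locations.example.com. 86400 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.site1._locations.example.com. 86400 IN SRV 10 0 389 dc3.example.com.
"""

def resolve_srv(zone, name, max_cname=8):
    """Return [(priority, weight, port, target)] for name, following CNAMEs."""
    records = [line.split() for line in zone.splitlines() if line.strip()]
    for _ in range(max_cname):  # bounded, so a CNAME loop cannot hang the login
        cname = [r[4] for r in records if r[0] == name and r[3] == "CNAME"]
        if not cname:
            break
        name = cname[0]
    return [(int(r[4]), int(r[5]), int(r[6]), r[7].rstrip("."))
            for r in records if r[0] == name and r[3] == "SRV"]

def order_targets(srv, rng=random):
    """Lowest priority value first; weighted random order within one priority."""
    ordered = []
    for prio in sorted({r[0] for r in srv}):
        group = [r for r in srv if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            pick = rng.uniform(0, total)
            running = 0
            for rec in group:
                running += rec[1]
                if pick <= running:
                    break
            group.remove(rec)
            ordered.append((rec[3], rec[2]))
    return ordered

def connect_with_failover(targets, try_connect):
    """Try each (host, port) in order; return the first success and the failures."""
    failures = []
    for host, port in targets:
        try:
            try_connect(host, port)
            return (host, port), failures
        except OSError as exc:
            failures.append((host, port, str(exc)))
    raise ConnectionError("no LDAP server reachable: %r" % failures)
```

SRV answers come from DNS, so validating the TLS certificate against the returned host name is still what authenticates the server that was selected.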
