jellyfin-plugin-ldapauth
LDAP Password does not update once set, manual editing required.
Jellyfin version: Latest stable 10.6.1
OS: CentOS 8.2 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
LDAP Plugin version: 9.0.0.0
I was put in a situation where I had to change the LDAP password for the service account I use for LDAP, as one other service wasn't able to handle special characters in the password. All other services worked fine after changing the LDAP bind password, but Jellyfin absolutely would not work with the new password.
I tried uninstalling the plugin, restarting JF, and reinstalling, but the settings were still saved. All settings could be changed, but not the password for the bind.
The error on authentication was similar to this:
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: LdapException: Invalid Credentials (49) Invalid Credentials
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: LdapException: Server Message: 80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v4563
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: LdapException: Matched DN:
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: [18:00:35] [ERR] [6] Jellyfin.Server.Implementations.Users.UserManager: Error authenticating with provider LDAP-Authentication
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: MediaBrowser.Controller.Authentication.AuthenticationException: Failed to Connect or Bind to server
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.LocateLdapUser(String username)
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.Authenticate(String username, String password)
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: at Jellyfin.Server.Implementations.Users.UserManager.AuthenticateWithProvider(IAuthenticationProvider provider, String username, String password, User resolvedUser)
Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: [18:00:35] [INF] [6] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for user has been denied (IP: *bleep).
The AD service account used for LDAP binds got an increment on the attribute BadPwdCount every time LDAP auth was attempted.
Only after changing the plaintext password in /var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml, which remained after both uninstallation and a restart of Jellyfin, did LDAP auth work as expected again.
Full LDAP configuration:
<?xml version="1.0"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<LdapServer>10.100.10.16</LdapServer>
<LdapBaseDn>DC=*bleep*,DC=*bleep*,DC=*bleep*</LdapBaseDn>
<LdapPort>636</LdapPort>
<LdapSearchAttributes>cn, displayName, sAMAccountName</LdapSearchAttributes>
<LdapUsernameAttribute>sAMAccountName</LdapUsernameAttribute>
<LdapSearchFilter>(memberOf=CN=SG-JellyfinUsers,OU=Groups,OU=*bleep*,DC=ad,DC=*bleep*,DC=se)</LdapSearchFilter>
<LdapAdminFilter>(enabledService=JellyfinAdministrator)</LdapAdminFilter>
<LdapBindUser>CN=LDAP_SA,OU=Service Accounts,OU=*bleep*,DC=ad,DC=*bleep*,DC=*bleep*</LdapBindUser>
<LdapBindPassword>*bleep*</LdapBindPassword>
<CreateUsersFromLdap>true</CreateUsersFromLdap>
<UseSsl>true</UseSsl>
<UseStartTls>false</UseStartTls>
<SkipSslVerify>true</SkipSslVerify>
</PluginConfiguration>
IP was used instead of hostname because for some reason, the LDAP plugin refuses to resolve the hostname, even if the host itself is fully capable of doing so, and does for some other purposes.
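A triage helper for the log in the report above, added here as an example and not part of the original issue or the plugin's code: it decodes the Active Directory sub-code in the `data` field and reports which stage of the login failed. The function name `triage` and the stage labels are hypothetical, and reading a failure in `LocateLdapUser` as the service-account bind is an assumption taken from the trace and the reporter's BadPwdCount observation.

```python
import re

# Active Directory sub-codes carried in the "data" field of an LDAP result 49.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"\bat Jellyfin\.Plugin\.LDAP_Auth\.\w+\.(\w+)\(")


def triage(lines):
    """Return (sub-code, meaning, stage) for the journal lines of one failed login."""
    subcode, frames = None, []
    for line in lines:
        if (m := SUBCODE_RE.search(line)):
            subcode = m.group(1).lower()
        if (m := FRAME_RE.search(line)):
            frames.append(m.group(1))
    meaning = AD_SUBCODES.get(subcode, "unknown or no AD sub-code")
    # Assumption taken from the trace in the report: a failure raised in
    # LocateLdapUser is the bind made with the configured LdapBindUser.
    if frames and frames[0] == "LocateLdapUser":
        stage = "service-account bind"
    elif frames:
        stage = "after user lookup"
    else:
        stage = "no plugin frame"
    return subcode, meaning, stage


# Lines copied from the log in the report above.
REPORT_LINES = [
    "Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: LdapException: Server Message: 80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v4563",
    "Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: MediaBrowser.Controller.Authentication.AuthenticationException: Failed to Connect or Bind to server",
    "Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.LocateLdapUser(String username)",
    "Jul 30 18:00:35 Host-Jellyfin jellyfin[67694]: at Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin.Authenticate(String username, String password)",
]

if __name__ == "__main__":
    print(triage(REPORT_LINES))
```

A result of "service-account bind" with sub-code 52e points at the stored LdapBindPassword rather than the password of the user logging in, which matches the BadPwdCount increments on the service account described in the report.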
Having the same issue. Except I can't get it to connect via IP either.
Are you using Windows AD?
Uncheck these:
<UseSsl>true</UseSsl>
<UseStartTls>false</UseStartTls>
<SkipSslVerify>true</SkipSslVerify>