
Feature Proposal: Group-Based Library Access Control

Open kyuuk opened this issue 5 months ago • 9 comments

Hi,

I've implemented a new feature and would like to get your feedback on it.

Feature Description

This feature allows administrators to control access to specific libraries based on users' LDAP group membership. It introduces a mapping between Jellyfin libraries and one or more LDAP groups. If a user belongs to any of the groups mapped to a library, they will have access to that library.

Motivation

This provides a more granular and flexible way to manage content visibility, especially in environments where user roles and access levels are already well-defined in LDAP.


I'm opening this issue to:

  • Present the feature and the reasoning behind it
  • See if people are interested in this
  • Get feedback on the design/implementation choices and suggestions for improvement

the part that i am most unsure of is the group checking: in my code i assume all groups in an LDAP directory will match cn=<groupName>,<someBaseDN>

tested it only with Authentik.

I'd be happy to open a PR or share the relevant code if there's interest.

Thanks

Screenshot of the relevant section in the UI

Image

kyuuk avatar Jul 01 '25 21:07 kyuuk

This is great! I hope it is incorporated. My only request would be to go a step further and use the groups for parental controls too!

sgayda2 avatar Sep 16 '25 00:09 sgayda2

Hello @sgayda2, how do you imagine this feature? i never used parental control on Jellyfin.

would it be something like: for a given group allow a list of tags or block a list of tags? both?

i don't even know how it works when a user has both allowed tags & blocked tags

kyuuk avatar Sep 16 '25 19:09 kyuuk

So ideally this would come with changes in jellyfin, so i will describe my ideal and then my middle step that i think can be done just here.

Ideally the parental controls can be configured into profiles, so that i can create a Kids profile, and a Teens Profile, and assign these to the relevant users of jellyfin. Where each profile has all of the current parental controls saved and configured for it. This would allow me to then use ldap groups to assign the relevant profile to the user. This requires the profiles feature in jellyfin, before you can do the assigning through ldap, so it's a bit of a pie in the sky ask.

As for the current version, it would be good to have a pretend profile, within ldap, that can take a group and assign some of the properties (ideally all) to the given user. As the properties are numerous this could be very complex to configure (hence the profiles idea) but even being able to set a handful of the properties like mapping an ldap group to a max rating.

It may be worth opening a new feature request for this as it might be too complex to include here

sgayda2 avatar Sep 19 '25 18:09 sgayda2

Excellent!

This is exactly what I wanted to do.

In my case, I'm using the following configuration for recursive search:

(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP1,ou=GroupAccountsOU,dc=example,dc=com)
(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP2,ou=GroupAccountsOU,dc=example,dc=com)

It would be perfect if this configuration could also support mappings like:

GROUP1 : Library1 , CommonLibrary
GROUP2 : Library2 , CommonLibrary

tansiwo410 avatar Sep 30 '25 09:09 tansiwo410

> It would be perfect if this configuration could also support mappings like:
> GROUP1 : Library1 , CommonLibrary
> GROUP2 : Library2 , CommonLibrary

That's what it actually does, just that the key is not the group but the library. Unfortunately, I'm not skilled enough in C# or JavaScript to implement this feature.

But I agree that it would be more readable if the key was the group but that would be far more complicated.

kyuuk avatar Oct 01 '25 19:10 kyuuk
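
The checks discussed above, as an added example that is not the plugin's code and not part of any comment in this thread: it parses the leading `cn=` RDN of each `memberOf` DN (including escaped commas), evaluates the library-keyed mapping from the opening post, and derives the group-keyed view asked about here. The function names, the optional `group_base_dn` pin and the sample data are assumptions; the pin shows how two groups sharing a CN under different base DNs are told apart when matching is by CN.

```python
from collections import defaultdict
HEX = set("0123456789abcdefABCDEF")

def split_first_rdn(dn):
    """Return (attr, value, parent_dn), lower-cased, split at the first unescaped comma."""
    raw, i = bytearray(), 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):        # RFC 4514 escape
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:  # hex pair such as \2C
                raw.append(int(pair, 16)); i += 3
            else:                                    # escaped special such as \,
                raw += dn[i + 1].encode(); i += 2
        else:
            raw += dn[i].encode(); i += 1
    attr, _, value = raw.decode("utf-8", "replace").partition("=")
    return attr.strip().lower(), value.strip().lower(), dn[i + 1:].strip().lower()

def group_names(member_of, group_base_dn=None):
    """CNs of the user's groups; with group_base_dn set, only groups directly under it.
    The parent DN is compared as a lower-cased string, with no further normalisation."""
    names = set()
    for dn in member_of:
        attr, value, parent = split_first_rdn(dn)
        if attr != "cn" or not value:
            continue
        if group_base_dn is not None and parent != group_base_dn.strip().lower():
            continue
        names.add(value)
    return names

def allowed_libraries(member_of, library_groups, group_base_dn=None):
    """Library-keyed check: membership in any one mapped group grants the library."""
    mine = group_names(member_of, group_base_dn)
    return sorted(lib for lib, groups in library_groups.items()
                  if mine & {g.strip().lower() for g in groups})

def by_group(library_groups):
    """Group-keyed view of the same mapping."""
    view = defaultdict(list)
    for lib, groups in library_groups.items():
        for g in groups:
            view[g].append(lib)
    return {g: sorted(libs) for g, libs in view.items()}

# Constructed sample data (names follow the thread's GROUP1/Library1 example).
LIBRARY_GROUPS = {"Library1": ["GROUP1"], "Library2": ["GROUP2"],
                  "CommonLibrary": ["GROUP1", "GROUP2"]}
MEMBER_OF = ["CN=GROUP1,ou=GroupAccountsOU,dc=example,dc=com",
             "cn=GROUP2,ou=Other,dc=example,dc=com"]  # same CN, different OU
```

Without `group_base_dn`, `allowed_libraries(MEMBER_OF, LIBRARY_GROUPS)` returns all three libraries because the second DN's CN matches `GROUP2`; with `group_base_dn="ou=GroupAccountsOU,dc=example,dc=com"` it returns only `CommonLibrary` and `Library1`.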

Thanks,

> That's what it actually does, just that the key is not the group but the library.

Having the library as the key is sufficient. On the contrary, if we make the group the key, there might be too many rows, so it may be better to keep the library as the key. How many groups (or how many characters) can be entered per library?

tansiwo410 avatar Oct 03 '25 22:10 tansiwo410

> On the contrary, if we make the group the key, there might be too many rows, so it may be better to keep the library as the key.

i agree with that

> How many groups (or how many characters) can be entered per library?

as much as a POST request could handle globally i guess

the code is here if you want to check

kyuuk avatar Oct 04 '25 12:10 kyuuk

When I tried to build the code you provided, I got an error.

error NU1202: Package Jellyfin.Controller 10.11.0-rc8 is not compatible with net8.0 (.NETCoreApp,Version=v8.0). Package Jellyfin.Controller 10.11.0-rc8 supports: net9.0 (.NETCoreApp,Version=v9.0)

Since LDAP-Auth.csproj had <TargetFramework>net8.0</TargetFramework>, I changed it to net9.0, but I still get errors.

LDAP-Auth failed with 9 error(s) (2.1s)
C:\Users\Administrator\jellyfin-plugin-ldapauth\LDAP-Auth\Helpers\ProfileImageUpdater.cs(4,21): error CS0234: The type or namespace name 'Entities' does not exist in the namespace 'Jellyfin.Data' (are you missing an assembly reference?)
C:\Users\Administrator\jellyfin-plugin-ldapauth\LDAP-Auth\LDAPAuthenticationProviderPlugin.cs(12,21): error CS0234: The type or namespace name 'Entities' does not exist in the namespace 'Jellyfin.Data' (are you missing an assembly reference?)
C:\Users\Administrator\jellyfin-plugin-ldapauth\LDAP-Auth\LDAPAuthenticationProviderPlugin.cs(288,33): error CS0246: The type or namespace name 'User' could not be found (are you missing a using directive or an assembly reference?)
C:\Users\Administrator\jellyfin-plugin-ldapauth\LDAP-Auth\LDAPAuthenticationProviderPlugin.cs(301,36): error CS0246: The type or namespace name 'User' could not be found (are you missing a using directive or an assembly reference?)
C:\Users\Administrator\jellyfin-plugin-ldapauth\LDAP-Auth\LDAPAuthenticationProviderPlugin.cs(556,70): error CS0246: The type or namespace name 'User' could not be found (are you missing a using directive or an assembly reference?)
C:\Users\Administrator\jellyfin-plugin-ldapauth\LDAP-Auth\LDAPAuthenticationProviderPlugin.cs(33,53): error CS0535: 'LdapAuthenticationProviderPlugin' does not implement interface member 'IAuthenticationProvider.HasPassword(User)'
C:\Users\Administrator\jellyfin-plugin-ldapauth\LDAP-Auth\LDAPAuthenticationProviderPlugin.cs(33,53): error CS0535: 'LdapAuthenticationProviderPlugin' does not implement interface member 'IAuthenticationProvider.ChangePassword(User, string)'
C:\Users\Administrator\jellyfin-plugin-ldapauth\LDAP-Auth\LDAPAuthenticationProviderPlugin.cs(33,78): error CS0535: 'LdapAuthenticationProviderPlugin' does not implement interface member 'IPasswordResetProvider.StartForgotPasswordProcess(User, bool)'
C:\Users\Administrator\jellyfin-plugin-ldapauth\LDAP-Auth\Helpers\ProfileImageUpdater.cs(24,13): error CS0246: The type or namespace name 'User' could not be found (are you missing a using directive or an assembly reference?)

At https://github.com/jellyfin/jellyfin-plugin-ldapauth, in the build section it says "To build this plugin you will need .Net 9.x SDK.", so I have installed dotnet-sdk-9.0.305. Do you know what might be wrong?

tansiwo410 avatar Oct 05 '25 07:10 tansiwo410

yes i had the same problem, this is caused by this

Image

it uses the latest JF version which is not compatible, i saw that there is an open PR for this, so i didn't want to touch it

you can put the same dependency as me (which is the latest release and the version you are using) & it should work

kyuuk avatar Oct 05 '25 13:10 kyuuk