jellyfin / jellyfin-plugin-ldapauth

LDAP Authentication for Jellyfin
https://jellyfin.org
MIT License

User attribute changes #119

Closed tacerus closed 2 years ago

tacerus commented 2 years ago

Hello,

Thanks for the nice software - it was extremely easy to configure and worked on the first try! There is only one observation I made:

I configured two search filters - one for regular users, one for administrative users - and enabled the option to have users created upon their first logon.

It seems that the administrative search filter is only checked upon a user's first login. Changing the user attributes in LDAP (to match the administrative instead of the regular filter) and re-authenticating in Jellyfin does not grant the user their additional privileges - it seems that the checkbox in the local Jellyfin user needs to be manually set.

Is this expected?

Best, Georg

crobibero commented 2 years ago

What version of the plugin are you using?

tacerus commented 2 years ago

Edit: Even removing the user in Jellyfin and having them authenticate again does not promote them to an Administrator. Applying the same attributes to a user who has never logged in before, and logging in, grants them the respective permissions.

tacerus commented 2 years ago

I am using version 12.0.0.0, installed using the web UI.

crobibero commented 2 years ago

This was fixed in v14, which is available for Jellyfin 10.8 https://github.com/jellyfin/jellyfin-plugin-ldapauth/releases/tag/v14

tacerus commented 2 years ago

Thank you!

tacerus commented 2 years ago

Sorry, one more thing - I now upgraded Jellyfin to 10.8 and installed version 15 of your plugin (I removed the old one and its configuration beforehand), but testing an LDAP query in the plugin settings results in "Failure: User Filter: Missing attribute description". I entered the same values as I did with the old version. Did I possibly miss something else in the changelog or should I make a new issue for this? It seems to be coming from the LDAP library but I don't see anything having changed with my filters, and we do not use a description attribute.

crobibero commented 2 years ago

There were some new settings added, try looking for any that have description entered by default

tacerus commented 2 years ago

I searched this repository already, finding zero results for anything containing "description". :-(

crobibero commented 2 years ago

Can you tell me which query is adding the description search? I haven't had any issues with my setup (using lldap)

tacerus commented 2 years ago

This is the generated LDAP-Auth.xml:

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <LdapServer>gaia.syscid.com</LdapServer>
  <LdapPort>636</LdapPort>
  <UseSsl>true</UseSsl>
  <UseStartTls>false</UseStartTls>
  <SkipSslVerify>false</SkipSslVerify>
  <LdapBindUser>xxxx</LdapBindUser>
  <LdapBindPassword>xxxx</LdapBindPassword>
  <LdapBaseDn>ou=libertacasa-users,dc=syscid,dc=com</LdapBaseDn>
  <LdapSearchFilter>(&amp;((objectClass=nsPerson)(|(memberOf=cn=lc_jellyfin_access,ou=libertacasa-groups,dc=syscid,dc=com)(memberOf=cn=lc_jellyfin_admins,ou=libertacasa-groups,dc=syscid,dc=com))))</LdapSearchFilter>
  <LdapAdminBaseDn />
  <LdapAdminFilter>(&amp;((objectClass=nsPerson)(memberOf=cn=lc_jellyfin_admins,ou=libertacasa-groups,dc=syscid,dc=com)))</LdapAdminFilter>
  <LdapSearchAttributes>uid, cn, mail</LdapSearchAttributes>
  <EnableCaseInsensitiveUsername>true</EnableCaseInsensitiveUsername>
  <CreateUsersFromLdap>true</CreateUsersFromLdap>
  <LdapUsernameAttribute>uid</LdapUsernameAttribute>
  <EnableAllFolders>false</EnableAllFolders>
  <EnabledFolders />
  <PasswordResetUrl />
</PluginConfiguration>

Upon pressing the UI button "Save and test LDAP filter settings", no LDAP BIND is performed, zero queries are made against my LDAP server.

Upon using "Save Search Attribute Settings and Query User", a BIND is performed, but again, zero queries.

The Jellyfin log reports the following:

[2022-04-26 15:21:56.069 +02:00] [ERR] [34] Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin: Failed to filter users with: "(&((objectClass=nsPerson)(|(memberOf=cn=lc_jellyfin_access,ou=libertacasa-groups,dc=syscid,dc=com)(memberOf=cn=lc_jellyfin_admins,ou=libertacasa-groups,dc=syscid,dc=com))))"
LdapLocalException: Missing attribute description (87) Filter Error

Note that the same filters worked perfectly in version 12 of the plugin, hence I wonder if possibly something in the library changed?

Thanks for looking into this, really appreciate it!

joshuaboniface commented 2 years ago

That error message is coming from the actual LDAP library, not the plugin itself. It's vague but it's reporting that there's a syntax error in your filter. I haven't done a detailed compare but it looks like there might be one extra ) at the end which is throwing it off.

tacerus commented 2 years ago

Embarrassing, I checked the parentheses several times in an editor with syntax highlighting. Apparently that was not good enough - I should have tried a manual ldapsearch.

Thank you very much for spotting this and my apologies for the false alarm.
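
Added example, not part of the thread and not the plugin's or the LDAP library's code: a simplified RFC 4515 structure check in Python, run on the user filter from LDAP-Auth.xml above. The parentheses in that filter pair up, which is all bracket matching in an editor verifies; a filter parser stops at the group opened directly after `(&`, where an attribute description is expected. The function names and the error wording (borrowed from the log line) are assumptions of this example, and `FLAT_FILTER` is constructed for comparison.

```python
import re

# Simplified RFC 4515 item: attribute description, operator, value without parentheses.
ITEM = re.compile(r"[A-Za-z0-9][A-Za-z0-9.;-]*(=|~=|>=|<=)[^()]*")

def parse_filter(s, i=0):
    """Parse one '(' filtercomp ')' at s[i]; return the offset just past it."""
    if s[i:i + 1] != "(":
        raise ValueError(f"Expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):          # and / or: a list of nested filters
        i += 1
        while s[i:i + 1] == "(":
            i = parse_filter(s, i)
    elif s[i:i + 1] == "!":               # not: exactly one nested filter
        i = parse_filter(s, i + 1)
    else:                                 # item: must start with an attribute
        m = ITEM.match(s, i)
        if not m:
            raise ValueError(f"Missing attribute description at offset {i}")
        i = m.end()
    if s[i:i + 1] != ")":
        raise ValueError(f"Expected ')' at offset {i}")
    return i + 1

def check(s):
    """Return None when s is exactly one well-formed filter, else the error text."""
    try:
        end = parse_filter(s)
        return None if end == len(s) else f"Trailing characters at offset {end}"
    except ValueError as e:
        return str(e)

def balanced(s):  # what bracket matching in an editor verifies
    depth = 0
    for c in s:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
    return depth == 0

# Group DNs and the user filter as they appear in LDAP-Auth.xml (&amp; decoded to &).
ACCESS = "cn=lc_jellyfin_access,ou=libertacasa-groups,dc=syscid,dc=com"
ADMINS = "cn=lc_jellyfin_admins,ou=libertacasa-groups,dc=syscid,dc=com"
PAGE_FILTER = f"(&((objectClass=nsPerson)(|(memberOf={ACCESS})(memberOf={ADMINS}))))"
# Constructed for comparison: the same filter without the redundant group.
FLAT_FILTER = f"(&(objectClass=nsPerson)(|(memberOf={ACCESS})(memberOf={ADMINS})))"

print(balanced(PAGE_FILTER), check(PAGE_FILTER))
```

Running `check` on both the user filter and the admin filter before saving the plugin settings catches this class of mistake without a round trip to the directory server; a manual `ldapsearch` with the same filter, as mentioned in the thread, confirms it against the real schema.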