jellyfin, authentik, ldap authentication, single sign-on (sso), bindings, docker containers
Resources:
- https://docs.goauthentik.io/docs/providers/ldap/
- https://docs.goauthentik.io/docs/providers/ldap/generic_setup
- https://docs.goauthentik.io/docs/outposts/manual-deploy-docker-compose#ldap-outpost
- https://docs.goauthentik.io/docs/core/certificates
- https://github.com/jellyfin/jellyfin-plugin-ldapauth
- https://www.reddit.com/r/selfhosted/comments/x3b74z/authentik_ldap_with_jellyfin_setup/
Environment:
- Jellyfin (10.x.x on linux): jellyfin.domain.com
- Authentik (2024.x.x in docker): authentik.domain.com
- LDAP had not been configured yet for this instance
- Nginx: used for 389/636 stream forwarding for ldap/ldaps
- Certs: I have the certs set up for LDAP in Authentik and the CA cert in the trust store where Jellyfin runs
-
Create LDAP Flows and Stages
Flows and Stages
Stages
1) Create Stage
   Type: Identification Stage
   Name: ldap-identification-stage
   User Fields: username, email
2) Create Stage
   Type: Password Stage
   Name: ldap-authentication-password
   <defaults for the rest>
3) Create Stage
   Type: User Login Stage
   Name: ldap-authentication-login
   <defaults for the rest>
Flows
4) Create Flow
   Type: Flow
   Name: ldap-authentication-flow
   Title: ldap-authentication-flow
   Designation: Authentication
   Stage Bindings > Bind Existing Stage
     Stage: ldap-identification-stage, Order: 10
     Stage: ldap-authentication-login, Order: 30
   EDIT ldap-identification-stage
     Password Stage: ldap-authentication-password
-
Create LDAP Bind user and group
Directory
Users
Username: jellyfin-ldap-bind-user
Type: internal
Path: users
NOTE: Set the user's password
Groups
Name: jellyfin-users
NOTES:
- Add the user from the previous step to the group
- Add any other users that will require Jellyfin access
- OPTIONAL: Create a second group called "jellyfin-admins" and add the necessary users
-
Create Provider
Applications > Providers
Type: LDAP Provider
Name: jellyfin-ldap
Bind flow: ldap-authentication-flow
Search group: jellyfin-users
Bind mode: Cached binding
Search mode: Cached querying
Code-based MFA Support: ON
Base DN: DC=authentik,DC=domain,DC=com
Certificate: select your certificate if using custom certs (N/A if not using a certificate)
TLS Server Name: authentik.domain.com (N/A if not using a certificate with TLS)
UID Start Number: (default)
GID Start Number: (default)
Edit > Permissions > User Object Permissions > Assign to new user
  User: jellyfin-ldap-bind-user
  Can view LDAP Provider: ON
-
Create Application
Applications > Applications
1) Create Application
   Name: Jellyfin
   Slug: jellyfin
   Provider: jellyfin-ldap
   <defaults for the rest>
   UI Settings:
     Launch URL: https://jellyfin.domain.com
     Icon: select an icon
2) Edit Application > Policy/Group/User Bindings > Bind Existing Policy
   Type: Group
   Group: jellyfin-users
   <defaults for the rest>
   OPTIONAL: Repeat for the "jellyfin-admins" group
-
Create Outpost
NOTE: If Authentik runs in containers, you may need to deploy the outpost manually; see the manual-deploy-docker-compose resource listed above.
Applications > Outposts
Name: jellyfin-ldap-outpost
Type: LDAP
Applications: Jellyfin
Advanced Settings: ensure "authentik_host" is correct, e.g. https://authentik.domain.com
-
Install LDAP Plugin
Administration > Dashboard > Plugins > Catalog
1) Select "LDAP Authentication"
2) Click "Install"
3) Restart Jellyfin
-
Configure LDAP Plugin
My Plugins
1) Click: LDAP-Auth > Settings
LDAP Port: 636
  389 - for insecure ldap://
  636 - for SSL-secured ldaps://
LDAP Server: authentik.domain.com
Secure LDAP: ON
  ON - for SSL-secured ldaps://
StartTLS: OFF unless necessary
# The three paths below are only necessary if Jellyfin is not using a trust store
# with the CA cert trusted for the Authentik server certs
LDAP Client Cert Path: (leave empty)
LDAP Client Key Path: (leave empty)
LDAP Root CA Path: (leave empty)
Skip SSL/TLS Verification: OFF
  ON - if using ldaps:// AND you don't want to pass a certificate through Jellyfin
  OFF - if using ldaps:// AND you DO pass the certificates, OR not using ldaps://
Allow Password Change: OFF
Password Reset URL: (leave empty)
# "jellyfin-ldap-bind-user" is the user you created in Authentik
LDAP Bind User: cn=jellyfin-ldap-bind-user,ou=users,dc=authentik,dc=domain,dc=com
LDAP Bind Password: password of "jellyfin-ldap-bind-user"
LDAP Base DN for searches: dc=authentik,dc=domain,dc=com
FILTERS:
# "jellyfin-users" is the group you created in Authentik
LDAP Search Filter: (&(objectClass=user)(memberOf=cn=jellyfin-users,ou=groups,dc=authentik,dc=domain,dc=com))
LDAP Search Attributes: uid, cn, mail, displayName
LDAP Uid Attribute: uid
LDAP Username Attribute: cn
LDAP Password Attribute: userPassword
Enable profile image synchronization: OFF
LDAP Profile Image Attribute: jpegphoto
LDAP Admin Base DN: empty - defaults to the same as the user search DN
# (OPTIONAL) "jellyfin-admins" is the second group you can create in Authentik
LDAP Admin Filter: (&(objectClass=user)(memberOf=cn=jellyfin-admins,ou=groups,dc=authentik,dc=domain,dc=com))
Enable Admin Filter 'memberUid' mode: OFF
Enable User Creation: ON
Library Access: <up to you>
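As an added example (not code from Jellyfin, the LDAP plugin or Authentik), a small stand-alone Python model of how the filters above are assembled per login and how memberOf decides access versus admin rights. It assumes the plugin composes its per-login filter as (&(uid=<username>)<search filter>), which the page does not show; the sample directory entries are constructed.

```python
BASE_DN = "dc=authentik,dc=domain,dc=com"
USERS_GROUP_DN = f"cn=jellyfin-users,ou=groups,{BASE_DN}"
ADMINS_GROUP_DN = f"cn=jellyfin-admins,ou=groups,{BASE_DN}"

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value (the login name) before placing it in an LDAP filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def group_filter(group_dn: str) -> str:
    """The memberOf restriction used for both the search filter and the admin filter above."""
    return f"(&(objectClass=user)(memberOf={group_dn}))"


def user_search_filter(username: str, uid_attr: str = "uid") -> str:
    """Per-login filter: UID match AND the jellyfin-users restriction.
    Assumption: the plugin composes (&(<uid attr>=<username>)<search filter>)."""
    return f"(&({uid_attr}={escape_filter_value(username)}){group_filter(USERS_GROUP_DN)})"


def normalize_dn(dn: str) -> str:
    """Case-fold and trim each RDN so memberOf values compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def classify(entry: dict) -> tuple:
    """Return (may_log_in, is_admin) for a directory entry from its memberOf values.
    The admin filter only matters for accounts that already pass the search filter."""
    groups = {normalize_dn(g) for g in entry.get("memberOf", [])}
    allowed = normalize_dn(USERS_GROUP_DN) in groups
    admin = allowed and normalize_dn(ADMINS_GROUP_DN) in groups
    return allowed, admin


# Constructed sample entries standing in for what the Authentik outpost would return.
SAMPLE_ENTRIES = {
    "alice": {"memberOf": [USERS_GROUP_DN, ADMINS_GROUP_DN]},
    "bob": {"memberOf": ["CN=jellyfin-users, OU=groups, DC=authentik, DC=domain, DC=com"]},
    "mallory": {"memberOf": [ADMINS_GROUP_DN]},  # admin group only: cannot log in at all
}

if __name__ == "__main__":
    print(user_search_filter("a*)(uid=*"))  # wildcard and parens are escaped, not interpreted
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, classify(entry))
```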
Note: the IP can be swapped for the domain in the commands below. Useful ldapsearch TLS settings:
- TLS_CACERT=<path to cert> (ldap.conf option; as an environment variable it is LDAPTLS_CACERT) - CA cert used to verify the server certificate
- LDAPTLS_REQCERT=never - disables certificate verification
Verify listening port:
- ldap:
  nc -v authentik.domain.com 389
- ldaps:
  nc -v authentik.domain.com 636
Verify ldapsearch:
- ldap:
  ldapsearch -x \
    -H ldap://authentik.domain.com:389 \
    -D 'cn=jellyfin-ldap-bind-user,ou=users,dc=authentik,dc=domain,dc=com' \
    -w '<password>' \
    -b 'dc=authentik,dc=domain,dc=com' \
    '(objectClass=user)'
- ldaps:
  ldapsearch -x \
    -H ldaps://authentik.domain.com:636 \
    -D 'cn=jellyfin-ldap-bind-user,ou=users,dc=authentik,dc=domain,dc=com' \
    -w '<password>' \
    -b 'dc=authentik,dc=domain,dc=com' \
    '(objectClass=user)'
Has anyone succeeded in enabling the LDAP Profile Image Attribute??
Could that even work with Authentik? I've got custom user avatars set up on it