
[How-To] Configure Jellyfin LDAP Integration

Purpose

This how-to explains how to configure the LDAP plugin on your Jellyfin server so that your Active Directory or LDAP users can log in and use the media server.

Prerequisites

List of prerequisites:

  • Jellyfin Server running on Windows
  • Active Directory domain with domain admin user access
  • Network connectivity between the two servers

Instructions

Step 1: Install the LDAP Plugin to Jellyfin Server

For this first step, log in to your Jellyfin server as an administrative user that can make server changes. Then open the sandwich menu in the top left and click Administration under the Dashboard section. In the left pane, click Catalog under the Plugins section. Search for LDAP in the catalog and install the plugin. Once the plugin is installed, the Jellyfin service must be restarted: open Services and restart the service "Jellyfin Server". Refresh your Jellyfin server in the web UI and verify that the LDAP plugin says "active".

Step 2: Configure the LDAP Plugin to Jellyfin Server

Now that the LDAP plugin is active, fill out the information in the plugin as follows:

| FIELD | EXAMPLE | NOTES |
|---|---|---|
| LDAP Server | dc-a.domain.com | Domain controller or domain name |
| LDAP Port | 389 | 389 for not secure, 636 for secure |
| Secure LDAP | unchecked | If 389, unchecked; if 636, checked |
| StartTLS | unchecked | If 389, unchecked; if 636, checked |
| LDAP Client Cert Path | blank | If 389, blank; if 636, path to cert |
| LDAP Client Key Path | blank | If 389, blank; if 636, path to key |
| LDAP Root CA Path | blank | If 389, blank; if 636, path to root CA |
| Skip SSL/TLS Verification | checked | If 389, checked; if 636, unchecked |
| Allow Password Change | unchecked | Requires the bind user to have account operator permissions |
| Password Change URL | blank | If password change is unchecked, blank |
| LDAP Bind User | CN=jellyfin-user,OU=Users,DC=domain,DC=com | Full DN of your LDAP bind user; this user must have run as batch file permissions |
| LDAP Bind User Password | Password1! | Password for the LDAP bind user |
| LDAP Base DN for Searches | DC=domain,DC=com | Base DN for all group and user lookups |

At this point, stop and click the "Save and Test LDAP Server Settings" button and verify that the result reads "Connect (Success); Bind (Success); Base Search (Found 100 Entities)", or whatever number of entities you expected. Then keep going:

| FIELD | EXAMPLE | NOTES |
|---|---|---|
| LDAP Search Filter | (memberOf:1.2.840.113556.1.4.1941:=CN=jellyfin-users,OU=groups,DC=domain,DC=com) | The full DN of the security group you want to use for Jellyfin users. The 1.2.x number at the start can be removed if you desire; it allows for nested groups in Active Directory |
| LDAP Search Attributes | uid, cn, mail, displayName, sAMAccountName | Any attribute used to search for users, AKA anything they can use to log in to Jellyfin with |
| LDAP Uid Attribute | sAMAccountName | The attribute used to identify the user, AKA what the display name will populate as on their Jellyfin profile |
| LDAP Username Attribute | sAMAccountName | The attribute used to identify the user, AKA what the username will populate as on their Jellyfin profile |
| LDAP Password Attribute | userPassword | LDAP attribute for the user password |
| Enable profile image synchronization | unchecked | If you have these set up and want them to sync, check it |
| LDAP Profile Image Attribute | jpegphoto | LDAP attribute for syncing the images |
| LDAP Admin Base DN: | (memberOf:1.2.840.113556.1.4.1941:=CN=jellyfin-admins,OU=groups,DC=domain,DC=com) | The full DN of the security group you want to use for Jellyfin admins. The 1.2.x number at the start can be removed if you desire; it allows for nested groups in Active Directory |
| LDAP Admin Filter | (objectClass=JellyfinAdministrator) | Admin filter applying permission |
| Enable Admin Filter 'memberUid' mode | checked | If you are using the administrators section, checked |

At this point, everything is configured for the LDAP part. You can now click "Save and Test LDAP Filter Settings" and see how many users and admins it finds. From there, enter an appropriate login for a user in the Test Login name field and click "Save Search Attribute Settings and Query User" to see if it returns the user. If all of that has worked, you have the LDAP integration working. All that is left is to check the boxes for Enable User creation and Enable access to all libraries. Then, at the very bottom, click Save.
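
To see how the LDAP Search Filter and LDAP Search Attributes rows above fit together, here is an added example (not code from this page or from the Jellyfin LDAP plugin) that builds the group filter with and without the 1.2.x nested-group rule and combines it with the search attributes for one login name. The function names, the `(&filter(|attr=login...))` composition and the login `jsmith` are assumptions made for illustration; values are escaped per RFC 4515 so that characters such as `*` or `(` in a login name or group DN cannot alter the filter.

```python
# Added illustration; not the Jellyfin LDAP plugin's own code.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule that follows nested groups

# Characters RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

USERS_GROUP = "CN=jellyfin-users,OU=groups,DC=domain,DC=com"  # from the table
SEARCH_ATTRS = "uid, cn, mail, displayName, sAMAccountName"   # from the table


def escape_filter_value(value: str) -> str:
    """Escape a value so it is treated as literal text inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(group_dn: str, nested: bool = True) -> str:
    """Build the memberOf filter; nested=True keeps the 1.2.x matching rule."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"({attr}={escape_filter_value(group_dn)})"


def login_filter(search_filter: str, search_attributes: str, login: str) -> str:
    """AND the group filter with an OR across every search attribute.

    Assumed composition for illustration: a user matches when they are in
    the group AND any one of the search attributes equals the login name.
    """
    attrs = [a.strip() for a in search_attributes.split(",") if a.strip()]
    if not attrs:
        raise ValueError("at least one search attribute is required")
    safe_login = escape_filter_value(login)
    any_attr = "".join(f"({a}={safe_login})" for a in attrs)
    return f"(&{search_filter}(|{any_attr}))"


if __name__ == "__main__":
    nested = group_filter(USERS_GROUP)
    print(nested)                                       # value for LDAP Search Filter
    print(group_filter(USERS_GROUP, nested=False))      # direct members only
    print(login_filter(nested, SEARCH_ATTRS, "jsmith")) # constructed login name
```

The resulting filter strings can be pasted into any LDAP query tool against the same Base DN to confirm the entity counts that the plugin's test buttons report.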