[How-To] Configure Jellyfin LDAP Integration
Purpose
This how-to explains how to configure the LDAP plugin on your Jellyfin server so that your Active Directory or LDAP users can log in and use the media server.
Prerequisites
List of prerequisites:
- Jellyfin Server running on Windows
- Active Directory domain with domain admin user access
- Network connectivity between the two servers
Instructions
Step 1: Install the LDAP Plugin to Jellyfin Server
For this first step, log in to your Jellyfin server with an administrative user that can make server changes. Then open the menu (the "sandwich" icon) in the top left and click Administration under the Dashboard section. In the left pane, click Catalog under the Plugins section. Search for LDAP in the catalog and install the plugin. Once the plugin is installed, the Jellyfin service must be restarted: open Services and restart the service "Jellyfin Server". Refresh your Jellyfin server in the web UI and verify that the LDAP plugin says "active".
Step 2: Configure the LDAP Plugin to Jellyfin Server
Now that the LDAP plugin is active, fill out the information in the plugin as follows:
FIELD | EXAMPLE | NOTES |
LDAP Server | dc-a.domain.com | domain controller or domain name |
LDAP Port | 389 | 389 for unencrypted LDAP, 636 for secure LDAP |
Secure LDAP | unchecked | if 389, unchecked, if 636, checked |
StartTLS | unchecked | if 389, unchecked, if 636, checked |
LDAP Client Cert Path | blank | if 389, blank, if 636, path to cert |
LDAP Client Key Path | blank | if 389, blank, if 636, path to key |
LDAP Root CA Path | blank | if 389, blank, if 636, path to root ca |
Skip SSL/TLS Verification | checked | if 389, checked, if 636, unchecked |
Allow Password Change | unchecked | requires bind user to have account operator perms |
Password Change URL | blank | if pass change unchecked, blank |
LDAP Bind User | CN=jellyfin-user,OU=Users,DC=domain,DC=com | Full DN of your LDAP bind user; this user must have run as batch file permissions |
LDAP Bind User Password | Password1! | Password for LDAP Bind User |
LDAP Base DN for Searches | DC=domain,DC=com | Base DN for all group and user lookups |
At this point, stop and click the "Save and Test LDAP Server Settings" button and verify that the result says "Connect (Success); Bind (Success); Base Search (Found 100 Entities)" or whatever number of entities you expected. Then, keep going:
LDAP Search Filter | (memberOf:1.2.840.113556.1.4.1941:=CN=jellyfin-users,OU=groups,DC=domain,DC=com) | The full DN of the security group you want to use for Jellyfin users. The 1.2.x number at the start can be removed if you desire; it allows for nested groups in Active Directory |
LDAP Search Attributes | uid, cn, mail, displayName, sAMAccountName | Any attribute used to search for users, i.e. anything they can use to log in to Jellyfin |
LDAP Uid Attribute | sAMAccountName | The attribute used to identify the user, i.e. what the display name will populate as on their Jellyfin profile |
LDAP Username Attribute | sAMAccountName | The attribute used to identify the user, i.e. what the username will populate as on their Jellyfin profile |
LDAP Password Attribute | userPassword | LDAP attribute for user password |
Enable profile image synchronization | unchecked | if you have these setup and want them to sync, check it |
LDAP Profile Image Attribute | jpegphoto | LDAP attribute for syncing the images |
LDAP Admin Base DN: | (memberOf:1.2.840.113556.1.4.1941:=CN=jellyfin-admins,OU=groups,DC=domain,DC=com) | The full DN of the security group you want to use for Jellyfin admins. The 1.2.x number at the start can be removed if you desire; it allows for nested groups in Active Directory |
LDAP Admin Filter | (objectClass=JellyfinAdministrator) | Admin filter applying permission |
Enable Admin Filter 'memberUid' mode | checked | If you are using the administrators section, checked |
At this point, everything is configured for the LDAP part. You can now click "Save and Test LDAP Filter Settings" and see how many users and admins it finds. From there, enter an appropriate login for a user in the Test Login name field and click "Save Search Attribute Settings and Query User" to see if it returns the user. If all of that has worked, the LDAP integration is working. All that is left is to check the boxes for Enable User creation and Enable access to all libraries. Then, at the very bottom, click Save.
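
The group filters above come in two forms, with and without the 1.2.840.113556.1.4.1941 rule. The following added example (not part of the original how-to and not the plugin's code) models the difference over a constructed directory, so you can see which accounts each form would match for the user and admin groups. The user names, the family/helpdesk/it groups and all helper functions are assumptions made for illustration.

```python
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID used in the filters above
BASE = "DC=domain,DC=com"

def user(cn):  return f"CN={cn},OU=Users,{BASE}".casefold()
def group(cn): return f"CN={cn},OU=groups,{BASE}".casefold()

# Constructed sample directory: entry DN -> groups it is a DIRECT member of.
USERS = ["alice", "bob", "carol", "dave"]
MEMBER_OF = {
    user("alice"): [group("jellyfin-users")],
    user("bob"): [group("family")],
    user("carol"): [group("helpdesk")],
    group("family"): [group("jellyfin-users")],
    group("helpdesk"): [group("it")],
    group("it"): [group("jellyfin-admins"), group("helpdesk")],  # includes a cycle
}

def parse_filter(ldap_filter):
    """Return (group_dn, nested) for '(memberOf=DN)' or '(memberOf:OID:=DN)'."""
    m = re.fullmatch(r"\(memberOf(?::([\d.]+):)?=(.+)\)", ldap_filter.strip(), re.I)
    if not m:
        raise ValueError("expected a single memberOf filter")
    if m.group(1) not in (None, IN_CHAIN):
        raise ValueError(f"unsupported matching rule {m.group(1)}")
    return m.group(2).casefold(), m.group(1) == IN_CHAIN

def is_member(dn, group_dn, nested):
    """Direct membership only, or transitive membership when nested is True."""
    seen, stack = set(), [dn]
    while stack:
        cur = stack.pop()
        if cur in seen:  # guards against group cycles
            continue
        seen.add(cur)
        for parent in MEMBER_OF.get(cur, ()):
            if parent == group_dn:
                return True
            if nested:
                stack.append(parent)
    return False

def effective_users(ldap_filter):
    """Sample users (in USERS order) that the given filter would match."""
    group_dn, nested = parse_filter(ldap_filter)
    return [cn for cn in USERS if is_member(user(cn), group_dn, nested)]

if __name__ == "__main__":
    for g in ("jellyfin-users", "jellyfin-admins"):
        dn = f"CN={g},OU=groups,{BASE}"
        print(g, "direct:", effective_users(f"(memberOf={dn})"),
              "nested:", effective_users(f"(memberOf:{IN_CHAIN}:={dn})"))
```

In this sample, carol matches the admin filter only through the nested helpdesk and it groups, so compare the counts reported by "Save and Test LDAP Filter Settings" against the membership you expect, including nested groups.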