    Jellyfin, Authentik, DUO. 2FA solution tutorial.

    This tutorial/ method is 100% compatible with all clients. Has no redirects. when logging into jellyfin via through any client, etc. TV, Phone, Firestick and more, you will get a notification on your phone asking you to allow or deny the lo
    Kein
    #11
    2024-10-29, 11:58 AM
    (2024-10-11, 06:33 PM)BourbonDoc Wrote: Good thought! Unfortunately didn't work. I tried 389 as well as the webUI port for the port, as well as trying the domain name for the server address. I suspect I've got some sort of issue with what I'm putting as the IP.

    LDAP Outpost is my verified domain, auth.x.x
    LDAP server in Jellyfin is server IP
    Port I've tried 389 and my webUI port

    I can see a container running the LDAP with 389 published. I tried the container IP address as well and that didn't work.

    I had a similar issue when configuring, and what I did was set the Provider Certificate to 'authentik Self-Signed Certificate', then use port 636 for https and check Skip SSL/TLS Verification. For the IP, just use your server's main IP. Also, I preferred to use the tutorial available in the Authentik Jellyfin Configuration Guide, with the steps from Create an LDAP provider, because I have a newer version of Authentik than the one the OP mentioned. To verify the installation at the end, I used this line of code (for Ubuntu):

    Code:
    # Replace xxx.xxx.xxx.xxx with your own host IP address.
    # -W prompts for the password of the ldapservice user.
    ldapsearch \
    -x \
    -H ldap://xxx.xxx.xxx.xxx:389 \
    -D "cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io" \
    -b 'DC=ldap,DC=goauthentik,DC=io' \
    -W \
    '(objectClass=user)'

    Hope this helps you out! Cheers!

    [Image: 2024-10-29-12h07-12.png]
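
    An added example, not part of the post above and not code from the authentik or Jellyfin projects: a wrapper around the same ldapsearch check that reports which stage fails (connect, bind or search), the same split Jellyfin's LDAP test output shows. The function names, the environment variables and the password-file argument are assumptions; the mapping relies on OpenLDAP's ldapsearch exiting with the LDAP result code.

```shell
#!/usr/bin/env bash
# Added example: stage-by-stage check of an LDAP outpost with ldapsearch.
# LDAP_URI, BIND_DN and BASE_DN are placeholders; override them in the environment.
LDAP_URI="${LDAP_URI:-ldap://xxx.xxx.xxx.xxx:389}"
BIND_DN="${BIND_DN:-cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io}"
BASE_DN="${BASE_DN:-DC=ldap,DC=goauthentik,DC=io}"

# Count entries in LDIF read from stdin (each entry has one "dn:" line).
count_entries() {
  grep -c '^dn:' || true   # grep -c prints 0 but exits 1 when nothing matches
}

# Map an ldapsearch exit status plus entry count to the failing stage.
# Assumption: OpenLDAP client tools exit with the LDAP result code,
# and with 255 when the server cannot be contacted.
diagnose() {
  local rc="$1" entries="$2"
  case "$rc" in
    0)
      if [ "$entries" -gt 0 ]; then
        echo "ok: $entries user(s) visible to the bind account"
      else
        echo "search: bind works but no users returned; check the account's search permission"
      fi ;;
    255) echo "connect: cannot reach the server; check host, port and URI scheme" ;;
    49)  echo "bind: invalid credentials; check the bind DN and password" ;;
    32)  echo "search: base DN not found; check the base DN" ;;
    50)  echo "search: insufficient access for this bind DN" ;;
    *)   echo "other: ldapsearch exit status $rc" ;;
  esac
}

# Run the real check. -y reads the whole file as the password, so the
# file must not end with a newline; this keeps the password out of argv.
check_outpost() {
  local pwfile="$1" out rc
  out=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$pwfile" \
        -b "$BASE_DN" '(objectClass=user)' 2>/dev/null)
  rc=$?
  diagnose "$rc" "$(printf '%s\n' "$out" | count_entries)"
}

# Only contact a server when asked to: ./check.sh --run /path/to/pwfile
if [ "${1:-}" = "--run" ]; then
  check_outpost "$2"
fi
```

    A result of "search: bind works but no users returned" corresponds to the "Found 0 user(s), 0 admin(s)" case discussed in this thread.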
    BourbonDoc
    #12
    2024-10-29, 01:56 PM
    I still don't really know for sure what my issue was, but a couple of things seemed to make it work. Created ldapsearch group, added service account to it, gave full search permissions, then restarted authentik and jellyfin. Also had "http://" in front of the server address at one point and that messed it up.

    Didn't end up doing anything with the certificate as mine is behind Nginx Proxy Manager.

    Some combination of these and completing a fresh install/config for the third time (but slower) made it work. I swear sometimes it feels like I just have to push the keys harder and it somehow works.
    peterninkenpoop
    #13
    2024-11-16, 07:53 AM
    (2024-10-08, 04:43 AM)1simpleAtom Wrote: While I am able to successfully connect Jellyfin to the LDAP server:
    Code:
    Connect (Success); Bind (Success); Base Search (Found 7 Entities)


    I seem to be unable to find any users or admins:
    Code:
    Found 0 user(s), 0 admin(s)


    I have gone over the LDAP search filter many times, but can't seem to find an error. Attached is a screenshot of my Jellyfin LDAP setup, should someone like to take a look.


    edit:
    Looking back through things, I noticed when I created the LDAP application provider and bound it to ldap-authentication-flow I was unable to assign a search group. The problem is, there is no option for me to do so.

    solution:
    The problem did in fact have to do with not having been able to assign the service account to the ldap-authentication-flow search group. On version 2024.8.3 of Authentik, this is now done after creating the LDAP application provider and going to the permissions tab and then Assign to a new user.

    I'm stuck at this point too.  Where are you finding the permissions tab?
    PlanetDyna
    #14
    2025-01-02, 01:41 PM
    Apparently there is a problem that the service user is not allowed to make LDAP requests after activating Duo. I have tested the following from a Reddit user. Unfortunately without success.

    -Creating the service account in Duo and setting its 2FA to “bypass”

    -Setting default-authentication-mfa-validation order to 20

    I use the LDAP proxy application in Duo due to the free version.
    My error message is: Connect (Success); Bind: Invalid Credentials
    Jakeshort69
    #15
    2025-01-20, 02:42 PM
    Getting automatically locked out? Well I was too.

    After a little bit of research I found that it was the Risk-based policy assessment from Duo that automatically denied access after too many failed attempts (in my case 2).

    Because my Jellyfin and LDAP are on my TrueNAS Scale server, I can't access a browser to authenticate with a more secure method (which is required to remove the "Risk Detected" stamp).

    If anyone else gets stuck with DUO Risk-based Policy Assessment locking your account's login due to a failed attempt or too many logins in too short a time (like I was) and needs a small guide, here it is:

    Go to -> "https://duo.com/"

    Admin Login (top right) -> *Log in to your admin account*

    You should now be on the "Home" page of your Duo admin interface.

    From the left column go to -> "Applications" -> "Applications"

    You should see your defined application listed -> "Click on your application's name"

    Go to the header called "Application Policy".

    Click on -> "Apply a policy to all users"

    Click on -> "Create a new policy"

    On the top left of the new tab that opened, give your policy a name. I will name mine "Risk-based factor selection".

    Under the "Authenticators" header in the left column, click on -> "Risk-based factor selection"

    Uncheck the "Limit available authentication methods based on risk" button.

    Click on -> "Create Policy"

    And you are finished! Now you should be able to authenticate with your application once again like normal. It is worth noting that this also disables one security step that DUO typically enforces (this will make it less secure).
    But that should not matter due to authentication still being needed from both LDAP and DUO to access your application.

    Best Regards,
    J.
    reporting666
    #16
    2025-04-29, 08:29 PM
    (2025-01-02, 01:41 PM)PlanetDyna Wrote: Apparently there is a problem that the service user is not allowed to make LDAP requests after activating Duo. I have tested the following from a Reddit user. Unfortunately without success.

    -Creating the service account in Duo and setting its 2FA to “bypass”

    -Setting default-authentication-mfa-validation order to 20

    I use the LDAP proxy application in Duo due to the free version.
    My error message is: Connect (Success); Bind: Invalid Credentials

    I came here to post this.

    I'm guessing it's because the service account is attempting to authenticate via DUO and that service account does not have DUO.

    Did you ever figure out a solution?

    I'm either:
    A. creating another flow, and having the service account be excluded from the 2FA/Duo flow
    B. hoping there is something stupid we can uncheck for that user to bypass, so I don't have to go through all that trouble