One of the Services running on my Server is the Subsonic streaming server. Subsonic is an open source project and has some very nice features like on the fly transcoding to match a certain bandwidth and web based playback of videos and music. I mostly use it for the video playback on my phone or Laptop, but my family has access to it as well.
Authenticating it against an Active Directory is easy, since LDAP support us prepared in the admin interface. All I needed to do to enable LDAP authentication was to check the box in advanced settings and tell subsonic where to look, what to look for and what user to use for looking up the information.
In my example config the Domain Controller will be “ad.example.com” and Subsonic users will be in the group “subsonic_users”. The user running the queries against the active directory will be “subsonic” with the password “securepassword”. This user should not be used for anything else and have very limited rights.
- First you need a LDAP URL
- Then you need a search URL, this is probably where most the errors will happen:
- finally you need to fill out the user and password. I used the old way of specifying user and domain:
As you can see the search filter is somewhat complex, so I will explain it. Important to know are the 3 main operators:
& is used to specify that all the following conditions must be met.
| is used to specify that either of the following conditions must be met
! means not
As you can see all of my conditions are linked with &, so they all have to be met in order for the user to log on.
sAMAccountname is the attribute for the username in the active Directory, there is also another attribute for account name: userPrincipalName, it holds the account name in the form of “user [at] example [dot] com”.
objectCategory specifies what kind of object is searched.It is not necessary in my search but it doesn’t hurt either.
userAccountControl holds the state of the user account. 514 means disabled, so my filter will only match accounts that are not disabled.
memberof means the filter will only match users who are in the specified group. This Filter will not match the primary group of the user, so if you want to use this make sure the group you are filtering for is not the primary group of any of your Subsonic Users.
After setting everything up I also chose to automatically create the authorized LDAP users in Subsonic. The existence of this option tells you the downside of all of this already: even when you linked your LDAP in subsonic, there is still user management in subsonic. You still have to give each user his rights within subsonic, I would have preferred to use groups for that. I am also guessing that there might be problems with password changes and deactivation of users. That is something I will have to look into later on, but for now it is acceptable.
Update: Subsonic caches the users database with a fixed time interval, however the default value for this is ridiculously long. As long as a user is in the cache, it can access Subsonic, even if you removed the Access in the AD. You can change the time Subsonic caches users in the file: “/var/lib/tomcat6/webapps/subsonic/WEB-INF/classes/ehcache.xml”.
This is the section of the file you are looking for:
cache name="userCache" maxElementsInMemory="1000" eternal="false" timeToIdleSeconds="3600" timeToLiveSeconds="3600" overflowToDisk="false"