Using OpenLDAP with Jellyfin
Learn how to integrate OpenLDAP with the Jellyfin media server to enhance your user management and authentication options.
Jellyfin, the free and open-source media server, offers the ability to centralize media streaming across devices. For organizations or advanced home networks, integrating OpenLDAP with Jellyfin provides centralized user authentication and access control.
This guide walks you through configuring Jellyfin to use OpenLDAP for user login, enabling a seamless and unified authentication system.
Prerequisites
Before we begin, you’ll need:
- A running OpenLDAP server with users and groups configured
- A working Jellyfin instance (version 10.7.0 or later recommended)
- Admin access to both systems
- Internet access to download plugins
- Basic familiarity with LDAP structure (e.g., DN, UID, OU)
Step 1: Install LDAP Authentication Plugin in Jellyfin
1. Open your Jellyfin web interface.
2. Go to Dashboard → Plugins.
3. Click Catalog, then locate LDAP Authentication.
4. Click Install.
5. After installation, restart Jellyfin to enable the plugin.
Step 2: Configure LDAP Plugin
Once the plugin is installed and Jellyfin has restarted:
1. Navigate to Dashboard → Plugins → LDAP Authentication.
2. Fill out the configuration fields:
Example LDAP Settings:
| Setting | Example value |
| --- | --- |
| LDAP Server | ldap://192.168.1.100 or ldaps://ldap.example.com |
| LDAP Base DN | dc=example,dc=com |
| LDAP Bind DN | cn=admin,dc=example,dc=com |
| LDAP Bind Password | your_admin_password |
| LDAP Search Filter | (&(objectClass=person)(uid={username})) |
| LDAP Search Base | ou=users,dc=example,dc=com |
| LDAP Attributes | Leave default or customize based on your schema |
3. Save changes.
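Tip: Use ldaps:// for secure communication if SSL is enabled on your LDAP server. Over plain ldap:// without TLS, the bind password and every user's login password cross the network in cleartext.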
Step 3: Test LDAP Login
1. Log out of Jellyfin.
2. Attempt to log in using a valid LDAP username and password.
3. If successful, the user will be automatically created in Jellyfin on first login (unless restricted).
Step 4: Optional - Restrict Access to LDAP Users
To prevent non-LDAP users from accessing Jellyfin:
1. Go to Dashboard → Users.
2. Delete or disable local accounts as needed.
3. Use LDAP group filters or ACLs to define access (plugin-dependent – advanced feature).
Troubleshooting Tips
Problem: Cannot bind to LDAP server
Solution: Verify the IP, port, and credentials. Try connecting with ldapsearch from a terminal.
Problem: Login fails for valid users
Solution: Check the LDAP filter syntax and search base. Check the Jellyfin logs under log/jellyfin.log.
Problem: SSL errors
Solution: Ensure your LDAP server’s certificate is trusted on the Jellyfin host.
LDAP Search Filter Examples
Here are a few common LDAP filter options you can use depending on your directory:
Basic UID match:
(&(objectClass=person)(uid={username}))
Group membership check:
(&(objectClass=person)(uid={username})(memberOf=cn=jellyfin-users,ou=groups,dc=example,dc=com))
Email-based login:
(&(objectClass=person)(mail={username}))
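To check a filter outside Jellyfin, as the troubleshooting tips suggest, the following added example (not part of the plugin or of the original guide) renders a {username} template with RFC 4515 escaping, checks its parenthesis structure, and builds the matching ldapsearch command. The function names are hypothetical; the server, bind DN and search base are the example values from the settings table.

```python
import re
import shlex

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def render_filter(template: str, username: str) -> str:
    """Substitute {username} into the template, escaping filter metacharacters."""
    if "{username}" not in template:
        raise ValueError("template has no {username} placeholder")
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in username)
    return template.replace("{username}", escaped)

def check_filter(ldap_filter: str) -> list:
    """Return structural problems found in the filter; an empty list means none."""
    problems, depth = [], 0
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        problems.append("filter must be wrapped in parentheses")
    for pos, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at offset {pos}")
                break
            if depth == 0 and pos != len(ldap_filter) - 1:
                problems.append(f"text after the top-level expression at offset {pos + 1}")
                break
    if depth > 0:
        problems.append(f"{depth} missing ')'")
    # Innermost groups are the attribute tests; each needs attr=value.
    for leaf in re.findall(r"\(([^()]*)\)", ldap_filter):
        if not re.match(r"[A-Za-z0-9.;-]+\s*[~<>]?=", leaf):
            problems.append(f"not an attribute test: ({leaf})")
    return problems

def ldapsearch_argv(uri, bind_dn, search_base, ldap_filter):
    """argv for a manual test; -W prompts for the password, 1.1 returns DNs only."""
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", search_base, ldap_filter, "1.1"]

if __name__ == "__main__":
    # Values below are the example settings from this guide; "jdoe" is a constructed username.
    template = "(&(objectClass=person)(uid={username}))"
    flt = render_filter(template, "jdoe")
    print(check_filter(flt) or "filter OK")
    print(shlex.join(ldapsearch_argv("ldaps://ldap.example.com",
          "cn=admin,dc=example,dc=com", "ou=users,dc=example,dc=com", flt)))
```

If the printed ldapsearch command returns exactly one DN for a known user, the search base and filter are correct and any remaining login failure lies elsewhere.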
Security Recommendations
- Always use LDAPS or secure tunneling to protect credentials.
- Restrict the Jellyfin bind DN to read-only access (a dedicated service account rather than the directory admin shown in the example settings).
- Regularly audit user access and logs.
Bonus: Integrate LDAP Groups (Advanced)
To use LDAP groups for access control (e.g., admin vs. viewer):
1. Set group attributes in LDAP (memberOf, gidNumber, etc.).
2. Use custom filters or script hooks to match Jellyfin roles.
3. Alternatively, manually assign roles after first login.
This requires deeper customization and possibly modifying the plugin or using an external identity provider like Authelia or Keycloak.
Conclusion
By integrating OpenLDAP with Jellyfin, you unify media access control with your directory services, improving security, manageability, and user experience. With just a few configuration steps, Jellyfin can support LDAP-authenticated logins and optionally integrate with groups for even finer-grained access control.