…using an internal CA. Ok, so Subsonic is a really awesome music streaming tool that is multi-platform and lets you stream music to all sorts of devices. The really neat thing I found with it is that it supports LDAP authentication, which means I don’t have to recreate user accounts and keep track of different passwords for all the users in my home network – I just leave that task to my domain controller. I’ve run into a few interesting issues trying to get it set up though, so for the sake of my sanity if I ever need to set it up again, and for those of you out there who may be struggling with the same issues, I’ve decided to write up a little howto guide.
Prerequisites
So before continuing, I am assuming the following about your setup:
- AD (Active Directory) is currently installed somewhere on your network, or you can use an LDAP compatible server.
- LDAPS is enabled for AD (if you set up an Enterprise CA, this process becomes much easier) or for your LDAP server.
- You have created an account whose sole purpose is to read AD information (the number of times I’ve seen someone use a domain admin account for something like this…is the number of times I’ve owned a network in mere seconds 🙂 ). You’ll need some sort of LDAP bind user that has read capability and nothing more.
- You have a list of users in a group on AD/LDAP to which you are granting access to Subsonic. This can be a group called <insert name here> or simply any user in the “Users” group.
- Subsonic is installed on your Ubuntu system and you have a local admin account that you created for it. If using a docker container, you’ll additionally need to mount the host’s cacerts file over the one inside the image, e.g.
- (airsonic) -v /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
- (airsonic-advanced) -v /etc/ssl/certs/java/cacerts:/opt/java/openjdk/lib/security/cacerts:ro
- You have enabled HTTPS on Subsonic, or you run it behind some kind of reverse proxy like nginx that terminates TLS. It’s pretty pointless to use LDAPS without also using HTTPS.
Configure the java keystore
LDAPS by nature requires the proper use of certificates, for security reasons of course. In order to verify the certificate presented by the AD server, the Subsonic machine and the AD machine must have a common CA that they both trust. If you are using an internal CA to issue the LDAPS cert for your AD machine, all it takes is installing that same CA onto the Subsonic machine. Right? Well, partially.
You see, just like an application like Firefox will have its own individual keystore where it keeps the certificates it trusts, Java does the same thing. So just throwing the cert into /etc/ssl/certs/ won’t do you too much good. Fortunately, Ubuntu makes this process a bit easier.
Make sure you install the ca-certificates-java package (comes preinstalled with openjdk usually):
sudo apt-get install ca-certificates-java
Next, throw your CA cert into /usr/local/share/ca-certificates (as a PEM file with a .crt extension, which is what update-ca-certificates looks for). Run the following command:
sudo update-ca-certificates
You should get output telling you that at least 1 new certificate has been added. This command will also automatically update your java keystore. You can check to see if your certificate has successfully been imported by running:
keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep "Your CA Name"
The default password for the java keystore is “changeit”.
Setting up Subsonic
Log into Subsonic. Go to Settings -> Advanced and enable LDAP authentication. The biggest difference between LDAP and LDAPS here is the scheme in the URL (ldap:// vs ldaps://) and the port number (389 vs 636). For the LDAP information, you will have to substitute your own values. For me, I have a group of users called “Subsonic” who are allowed access to the application. By default, the LDAP URL that is autofilled for you includes all users in the “Users” group, which is not what I wanted. I had to modify the LDAP search filter to include only users in the Subsonic group (if you want to include all users, you can just leave this alone):
LDAP URL: ldaps://myADserver:636/cn=Users,dc=yourdomain,dc=com
LDAP search filter: (&(sAMAccountName={0})(&(objectCategory=user)(memberof=cn=Subsonic,cn=Users,dc=yourdomain,dc=com)))
LDAP manager DN: yourdomain\limiteduser
To explain further: {0} is replaced with the username typed at the login prompt, so the filter matches the object whose sAMAccountName (the user’s login name) equals it, within the place you are looking. The Base DN in the URL starts the search in the Users container at the root of the domain (cn=Users,dc=yourdomain,dc=com), with the search filter “objectCategory=user” (so any user account, but not computer or group objects) AND a search filter of “memberof=cn=Subsonic…”, which requires the Subsonic group’s DN to appear in the memberOf attribute of the user object in AD. Do note, there is also a group object which carries the list of its members…but this way is easier.
If you are interested in experimenting a bit more with possible search strings and base DN configs, check out JXplorer.
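As an added example (not code from the guide, from Subsonic or from AD), the following evaluates the search filter above against constructed AD-style entries, so you can see which objects it admits before pointing Subsonic at your domain; it assumes the group DN and base DN used in the guide, and applies the RFC 4515 escaping that whatever is substituted for {0} must receive.

```python
# Added example, not from the original guide: evaluate its AD search filter offline.
import re

SUBSONIC_FILTER = ("(&(sAMAccountName={0})(&(objectCategory=user)"
                   "(memberof=cn=Subsonic,cn=Users,dc=yourdomain,dc=com)))")
BASE_DN = "cn=Users,dc=yourdomain,dc=com"

def escape_value(value):
    """RFC 4515 escaping for the login name substituted into {0}: compared literally, never as a wildcard."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def parse_filter(s):
    """Recursive-descent parser for the RFC 4515 subset the guide uses: AND, equality and presence."""
    def parse(i):
        if s[i] != "(": raise ValueError(f"expected '(' at offset {i}")
        if s[i + 1] == "&":
            kids, i = [], i + 2
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if s[i] != ")": raise ValueError(f"expected ')' at offset {i}")
            return ("&", kids), i + 1
        j = s.index(")", i)
        attr, _, raw = s[i + 1:j].partition("=")
        if raw == "*": return ("present", attr.lower()), j + 1
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)  # undo escaping
        return ("=", attr.lower(), value), j + 1
    node, end = parse(0)
    if end != len(s): raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """entry: {'dn': str, <lowercase attribute>: [values]}; AD compares these attributes case-insensitively."""
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "present": return bool(entry.get(node[1]))
    return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))

def allowed(username, entry, base_dn=BASE_DN, template=SUBSONIC_FILTER):
    """True if the entry sits under the base DN and matches the filter filled in with this login name."""
    in_scope = entry["dn"].lower().endswith(base_dn.lower())
    return in_scope and matches(parse_filter(template.replace("{0}", escape_value(username))), entry)

def make_entry(cn, container, category, *groups):
    """Constructed sample entry (not real directory data); real AD stores objectCategory as a full DN."""
    return {"dn": f"CN={cn},CN={container},DC=yourdomain,DC=com", "samaccountname": [cn],
            "objectcategory": [category], "memberof": list(groups)}

GROUP = "CN=Subsonic,CN=Users,DC=yourdomain,DC=com"
ENTRIES = {"alice": make_entry("alice", "Users", "user", GROUP),
           "bob": make_entry("bob", "Users", "user", "CN=Staff,CN=Users,DC=yourdomain,DC=com"),
           "PC01$": make_entry("PC01$", "Computers", "computer", GROUP)}
```

Only alice passes: bob is a user but not in the Subsonic group, and the computer object fails both the objectCategory test and the base DN scope.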
Well done Alex!