Using LDAP on Synology

I wrote this HOWTO on using LDAP on Synology so I could try out the Synology Directory Server; it records how I got Linux machines to authenticate against it. At the time of writing Synology was on DSM 6.2-23739 Update 2, and the Linux clients are Ubuntu 18.04.

The Synology documentation for Directory Server is appalling, stating only the blindingly obvious. That is assuming the page has been updated at all; most of them are missing options or features.

Install the Synology Package

Install the Synology package Directory Server, not “Active Directory Server”, from Package Center.

This will be the master server, a provider in LDAP speak. The FQDN field wants only the domain part of your LAN name, not the hostname of the NAS: the NAS in this post is synonas.dragon.lab, so the FQDN entered is dragon.lab. As this is not coupled to DNS the way Microsoft Active Directory is, it can be anything you want it to be. I will be using dragon.lab, what a surprise you say :).

We will be typing this password a lot while we sort out LDAP on Synology, and while you take the chance to check things out for yourself, so on a test server use an easy-to-type password. If you ever get as far as a live server use a strong one, and whatever you do, not password1234.

Setting screen

That is all you need on this page. Take a note of the Base DN, dc=dragon,dc=lab; this is the root, or top, of your LDAP database structure. The Bind DN, uid=root,cn=users,dc=dragon,dc=lab, is the entry we authenticate as when connecting to the database. It is the directory's root account with full read and write access to everything, so the password set here is the one that controls every account in the directory.

The Connection Settings button opens a second dialog. There is no need to tweak anything in here for now.

Connection settings

Create Users and Groups

Creating users and groups is simple enough. We just need to think beforehand about how user and group permissions will be combined so that the users can interact with the system.

For now let’s create groups with these names: l_adm, fred, bert.

Add your groups first; then, when you create each user, you can add them to all the groups they should be in. Or add the users first and then add the users to each group as you create it. Either order works.

Adding users is similar to adding groups; there are just a few more fields to fill in. Again it is all pretty simple. If you need a guide to the blindingly obvious read the Synology help. Did I mention how bad their help is?

Create two users. My favorite two are Fred Bloggs and Bert Worker.

Then add those users to these groups:

  • fred: fred, l_adm
  • bert: bert

All users end up in the group called users, which was generated for you when you created your LDAP database. It also ends up as their primary group when logging into Linux, which is rather annoying; the Synology GUI has no way for you to change the order of the groups.

That’s all there is to the GUI side of using LDAP on Synology. Okay, we have some users and groups, but LDAP is of little use if you cannot do anything with it. 🙂

Linux Client Setup

This is the part that the Synology documentation completely ignores. A mention of what is in their LDAP schema would have been nice too, and so would an endless pint of beer that changes to a different beer over time.

While sorting this out I used my trusty Minimal Server Installation of Ubuntu 18.04. This gives a known good starting point without the bloat of a full desktop install, and it boots quickly. It runs as a virtual machine on VirtualBox, so snapshots allow rollbacks as necessary after trying things out.

Install the Software

For each client that you want to authenticate against LDAP, install the following. libnss-ldap is what makes the ldap entries in nsswitch.conf work; on Ubuntu it is normally pulled in alongside libpam-ldap, but naming it explicitly does no harm.

sudo apt-get install libpam-ldap libnss-ldap nscd ldap-utils

During the installation you will be asked some questions.

  • Should debconf manage LDAP configuration? Yes
  • LDAP server Uniform Resource Identifier: ldap://synonas.dragon.lab
  • Distinguished name of the search base: dc=dragon,dc=lab
  • LDAP version to use: 3
  • Make local root Database admin: Yes
  • Does the LDAP database require login? No
  • LDAP account for root: uid=root,cn=users,dc=dragon,dc=lab
  • LDAP root account password: your password for LDAP
  • Local crypt to use when changing passwords: crypt

If at any time you want to reconfigure this, run the following command; the defaults shown will then be the current settings.

sudo dpkg-reconfigure ldap-auth-config

Or you can edit the config files directly. There are two, and it pays to know which is which. ldap-auth-config writes /etc/ldap.conf, the file that pam_ldap and nss_ldap read (man pam_ldap runs through the settings); it is well commented. Because we answered Yes to “Make local root Database admin”, the LDAP root password is stored in /etc/ldap.secret, readable only by root, so treat that file as you would the directory password itself. The other file, /etc/ldap/ldap.conf, is the libldap client configuration used by ldapsearch, ldapmodify and friends (man ldap.conf); putting BASE dc=dragon,dc=lab and URI ldap://synonas.dragon.lab in it saves typing -b and -H on every command later on. One more caveat: ldap:// is an unencrypted connection, so every bind password, root's included, crosses the LAN in the clear. If you set the Synology to require encrypted connections (in the Connection Settings dialog above), use ldaps://synonas.dragon.lab as the URI instead and give the client the NAS certificate to trust.

sudo nano /etc/ldap/ldap.conf

Update nsswitch

Authentication itself is performed through PAM, but before PAM can check fred's password the system has to know who fred is: his UID, primary group and home directory come from the Name Service Switch (NSS). We need to update nsswitch.conf so that lookups for people and groups also go to LDAP.

sudo nano /etc/nsswitch.conf

Update the three lines for passwd, group and shadow so they look like this. With compat first, NSS looks in the local passwd, group and shadow files first and then searches LDAP; if you want the search order the other way around just swap them. Try it out and see. In practice keep the local files first: it means the local user created at install time still resolves, and you can still get in as root, when the directory is unreachable.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Save the file and exit.

Auto Creation of HOME Directories

So that users will have their home directories created automatically we need to tweak a PAM profile, cleverly named mkhomedir.

sudo nano /usr/share/pam-configs/mkhomedir

Create the file, or update it if it already exists, so it looks like this. Note that umask=0022 makes each new home directory readable by every other user on the machine; use umask=0077 if you would rather they were private.

Name: Create home directory on login
Default: yes
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
        required        pam_mkhomedir.so skel=/etc/skel umask=0022

Adding local groups to LDAP Users

We need to create a new file similar to the one above. This time it adds the necessary values so that additional groups, local to the Linux machine, are attached to LDAP users on top of the groups that come from the directory.

sudo nano /usr/share/pam-configs/ldap_groups

Name: Add local Groups from /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so

Save and exit the editor.

Create the settings which add the groups to the LDAP user. These lines go at the end of the file, before the last comment. For an explanation look at man pam_group and man group.conf. Each rule is five fields separated by semicolons: services; ttys; users; times; groups. Anything else that is not a comment is a badly formed line that pam_group rejects, so explanatory notes must start with #.

sudo nano /etc/security/group.conf

# All LDAP Users get these extra local groups
# Al = all days, 0000-2400 = from 00:00 to 24:00, i.e. the time window
*;*;*;Al0000-2400;audio cdrom plugdev video users

# Admins (l_adm) get to launch and configure printers, can share files via samba
# and can use sudo.
*;*;%l_adm;Al0000-2400;sudo lpadmin sambashare

Be aware of what that second rule hands out: membership of the LDAP group l_adm now means the sudo group on every client configured this way, so whoever can edit that group in the directory, which with the setup above is whoever holds the root bind password, can get root on all of them. pam_group does not authenticate anyone itself; it grants the groups during the credential-setting phase purely because the user, service and tty fields matched, so only use it on services that genuinely authenticate the user first.
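To see what those two rules actually hand out before putting them on a client, here is an added example (my own Python, not part of the original post and not pam_group's code) that re-implements, in simplified form, the matching pam_group does on /etc/security/group.conf. GROUP_CONF is a constructed copy of the rules above, and NSS_GROUPS a constructed stand-in for the group membership a real client gets from NSS; it also shows why the stray "al = all, ..." note must be a comment.

```python
"""Work out which extra local groups pam_group will hand to a user.

Added example, not part of the original post.  It re-implements the matching
that pam_group does on /etc/security/group.conf (simplified: the five fields,
'*' wildcards, '%group' user matches, '!' negation, '|'/'&' logic lists and
day-code time ranges such as Al0000-2400) so the rules can be checked before
they go live on a client.
"""
import fnmatch
from datetime import datetime

# Constructed copy of the rules from the post.
GROUP_CONF = """\
# All LDAP Users get these extra local groups
*;*;*;Al0000-2400;audio cdrom plugdev video users
# Admins (l_adm) get to launch and configure printers, share files via samba
# and can use sudo.
*;*;%l_adm;Al0000-2400;sudo lpadmin sambashare
"""

# Constructed: what NSS would report for the two LDAP users (primary + memberOf).
NSS_GROUPS = {"fred": {"users", "fred", "l_adm"}, "bert": {"users", "bert"}}

DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
             "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}


def parse_rules(text):
    """Split group.conf into (services, ttys, users, times, groups) tuples.

    Anything that is not a comment and not exactly five ';'-separated fields
    is rejected, which is what pam_group does with a badly formed line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError("badly formed group.conf line: %r" % raw)
        rules.append(tuple(fields))
    return rules


def check_conf(text):
    """True if every non-comment line of a group.conf is a well formed rule."""
    try:
        parse_rules(text)
        return True
    except ValueError:
        return False


def _item_matches(item, value, user_groups):
    """One token: '*' matches all, '%grp' tests group membership, else a glob."""
    if item == "*":
        return True
    if item.startswith("%"):
        return item[1:] in user_groups
    return fnmatch.fnmatchcase(value, item)


def match_list(field, value, user_groups=frozenset()):
    """Evaluate a logic list such as 'fred|%l_adm' or '*&!bert' left to right."""
    result, op, token = None, "|", ""
    for ch in field + "|":          # trailing '|' flushes the last token
        if ch not in "&|":
            token += ch
            continue
        negate = token.startswith("!")
        hit = _item_matches(token.lstrip("!"), value, user_groups) != negate
        if result is None:
            result = hit
        elif op == "&":
            result = result and hit
        else:
            result = result or hit
        op, token = ch, ""
    return bool(result)


def match_time(field, when):
    """'Al0000-2400,Wk0800-1800' style: day codes, then HHMM-HHMM; '!' negates."""
    hhmm = when.hour * 100 + when.minute
    for spec in field.split(","):
        negate = spec.startswith("!")
        spec = spec.lstrip("!")
        days, i = set(), 0
        while spec[i:i + 2] in DAY_CODES:
            days |= DAY_CODES[spec[i:i + 2]]
            i += 2
        start, end = (int(x) for x in spec[i:].split("-"))
        inside = when.weekday() in days and start <= hhmm < end
        if inside != negate:
            return True
    return False


def extra_groups(user, service="sshd", tty="pts/0", when=None,
                 conf=GROUP_CONF, nss=NSS_GROUPS):
    """Groups pam_group would add for this login, in rule order, no duplicates."""
    when = when or datetime(2019, 1, 7, 9, 0)   # a Monday 09:00, for a stable answer
    granted = []
    for services, ttys, users, times, groups in parse_rules(conf):
        if (match_list(services, service) and match_list(ttys, tty)
                and match_list(users, user, nss.get(user, frozenset()))
                and match_time(times, when)):
            for g in groups.replace(",", " ").split():   # comma or space separated
                if g not in granted:
                    granted.append(g)
    return granted
```

Calling extra_groups("fred") gives the five groups from the first rule plus sudo, lpadmin and sambashare; extra_groups("bert") gets only the first five, and check_conf() on a file containing the uncommented "al = all, ..." line returns False, the same line pam_group would log as badly formed.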

Run pam-auth-update

Run pam-auth-update and it will ask if it is allowed to maintain the PAM config files; answer yes to that. Make sure the profiles “Create home directory on login” and “Add local Groups from /etc/security/group.conf” are ticked. Run the command and you will see what I mean 🙂 Then reboot to make sure that lot survives a reboot.

sudo pam-auth-update
sudo reboot

That should be it for the configuration part.

Testing Client Connections

Using the ldapsearch utility we can check the connection to our LDAP server. First we check that a user, fred, can be found, then that he is a member of the groups l_adm and fred. This is an anonymous bind (-x with no -D), so it also confirms the server allows anonymous reads; if you disable anonymous access in the Connection Settings dialog you will need to add -D and -W to these commands. Remember that ldapsearch only proves the directory side: id fred and getent passwd fred prove the client's NSS side, and an ssh login proves PAM.

ldapsearch -x uid=fred -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab
# LDAPv3
# base  with scope subtree
# filter: uid=fred
# requesting: ALL
#

# fred, users, dragon.lab
dn: uid=fred,cn=users,dc=dragon,dc=lab
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: apple-user
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: extensibleObject
cn: fred
uid: fred
gecos: Fred the Admin
uidNumber: 1000002
homeDirectory: /home/fred
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: -1
shadowInactive: 0
shadowFlag: 0
sn: fred
authAuthority: ;basic;
apple-generateduid: 7A838F61-F001-487F-8612-37487F84E719
sambaSID: S-1-5-21-2687800487-1837915111-4239398575-1011
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaAcctFlags: [U          ]
displayName: fred
memberOf: cn=fred,cn=groups,dc=dragon,dc=lab
memberOf: cn=users,cn=groups,dc=dragon,dc=lab
memberOf: cn=l_adm,cn=groups,dc=dragon,dc=lab
loginShell: /bin/sh
gidNumber: 1000006

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

If you got something similar to the above we are on the right track. That output is a bit long winded so let’s shorten it a bit. We can add -LLL, which man ldapsearch says “A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version.” We could also change -H ldap://synonas.dragon.lab to -h synonas.dragon.lab, although -h is deprecated in OpenLDAP, so stick with -H.

We can filter the output to just the fields we want to see and are interested in.

ldapsearch -xLLL uid=fred -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab dn uid gecos memberOf gidNumber homeDirectory loginShell
dn: uid=fred,cn=users,dc=dragon,dc=lab
uid: fred
gecos: Fred the Admin
homeDirectory: /home/fred
memberOf: cn=fred,cn=groups,dc=dragon,dc=lab
memberOf: cn=users,cn=groups,dc=dragon,dc=lab
memberOf: cn=l_adm,cn=groups,dc=dragon,dc=lab
loginShell: /bin/sh
gidNumber: 1000001

Now we have trimmed the output it is easier to see the fields we are after. Try the same with bert.

How about getting a list of all the LDAP groups.

ldapsearch -xLLL objectClass=posixGroup -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab dn cn memberUid member gidNumber
dn: cn=users,cn=groups,dc=dragon,dc=lab
cn: users
gidNumber: 1000001
member: uid=fred,cn=users,dc=dragon,dc=lab
member: uid=bert,cn=users,dc=dragon,dc=lab
memberUid: ldap_user

dn: cn=Directory Operators,cn=groups,dc=dragon,dc=lab
cn: Directory Operators
gidNumber: 1000000

dn: cn=Directory Clients,cn=groups,dc=dragon,dc=lab
cn: Directory Clients
gidNumber: 2097149

dn: cn=Directory Consumers,cn=groups,dc=dragon,dc=lab
cn: Directory Consumers
gidNumber: 2097150

dn: cn=administrators,cn=groups,dc=dragon,dc=lab
cn: administrators
gidNumber: 1000002
memberUid: admin
member: uid=admin,cn=users,dc=dragon,dc=lab

dn: cn=fred,cn=groups,dc=dragon,dc=lab
cn: fred
gidNumber: 1000003
member: uid=fred,cn=users,dc=dragon,dc=lab
memberUid: ldap_user

dn: cn=bert,cn=groups,dc=dragon,dc=lab
cn: bert
gidNumber: 1000004
member: uid=bert,cn=users,dc=dragon,dc=lab
memberUid: bert

dn: cn=l_adm,cn=groups,dc=dragon,dc=lab
cn: l_adm
gidNumber: 1000005
member: uid=fred,cn=users,dc=dragon,dc=lab
memberUid: fred

Here are some example queries to pull information out of LDAP that you might like to try out.

Find any records that have a gidNumber of 1000006 and (the & in the filter) are a posixAccount, i.e. a user.

ldapsearch -xLLL "(&(gidNumber=1000006)(objectClass=posixAccount))" -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab dn uid gecos gidNumber

Find all the users that have a loginShell of /bin/bash.

ldapsearch -xLLL "(&(objectClass=posixAccount)(loginShell=/bin/bash))" -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab dn cn uid loginShell uidNumber gidNumber memberOf homeDirectory

For more on searching with LDAP see this web site; it has loads of examples that you can try out.
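Two things those queries leave implicit are worth seeing in working code. Here is an added example, my own Python rather than anything from the original post or from OpenLDAP: it builds a filter from a username that arrives from outside (a login form, a script argument) with RFC 4515 escaping, so that an input like fred)(uid=* cannot turn a one-user lookup into an everyone lookup, and it parses the LDIF that ldapsearch returns, handling the folded continuation lines (see sambaPasswordHistory above) and base64 values, before checking group membership. SAMPLE_LDIF is a constructed copy of the -LLL output for fred, with gecos deliberately in the base64 form ldapsearch uses for values it cannot print as-is.

```python
"""Safe ldapsearch filters and a reader for the LDIF that ldapsearch returns.

Added example, not part of the original post.  escape_filter_value() follows
RFC 4515; parse_ldif() handles folded lines, base64 values and comments.
"""
import base64

# Constructed copy of the post's -LLL output for fred (gecos in base64 form).
SAMPLE_LDIF = """\
# fred, users, dragon.lab
dn: uid=fred,cn=users,dc=dragon,dc=lab
objectClass: posixAccount
uid: fred
gecos:: RnJlZCB0aGUgQWRtaW4=
uidNumber: 1000002
homeDirectory: /home/fred
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
memberOf: cn=fred,cn=groups,dc=dragon,dc=lab
memberOf: cn=users,cn=groups,dc=dragon,dc=lab
memberOf: cn=l_adm,cn=groups,dc=dragon,dc=lab
loginShell: /bin/sh
gidNumber: 1000001
"""


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\', NUL and every non-ASCII byte become \\xx hex escapes,
    so the value can never change the structure of the filter it sits in."""
    special = b"*()\\\x00"
    out = []
    for byte in value.encode("utf-8"):
        if byte in special or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def user_filter(uid):
    """Filter for exactly one POSIX account; pass to ldapsearch as one argument."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(uid)


def parse_ldif(text):
    """Parse LDIF into a list of entries, each {attribute: [values]}.

    A line starting with a space continues the previous line, 'attr:: ...'
    carries a base64 value, '#' lines are comments, a blank line ends an entry."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith(" "):
            value = value[1:]          # exactly one separator space is dropped
        current.setdefault(name, []).append(value)
    return entries


def group_cns(entry):
    """Group names from memberOf DNs: 'cn=l_adm,cn=groups,...' -> 'l_adm'."""
    return {dn.split(",")[0].split("=", 1)[1] for dn in entry.get("memberOf", [])}


def check_user(entries, uid, required):
    """Find uid among entries; return (dn, required groups it is NOT in)."""
    for entry in entries:
        if entry.get("uid") == [uid]:
            return entry["dn"][0], sorted(set(required) - group_cns(entry))
    return None, sorted(required)
```

Running parse_ldif(SAMPLE_LDIF) gives one entry whose sambaPasswordHistory is a single 64-character value and whose gecos decodes to “Fred the Admin”; check_user(entries, "fred", ["l_adm", "fred"]) reports nothing missing, and user_filter("fred)(uid=*") yields (&(objectClass=posixAccount)(uid=fred\29\28uid=\2a)), a filter that still matches at most one user.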

Change the loginShells

With the Synology LDAP all users only ever get /bin/sh as their login shell; let’s change fred’s shell to bash. To modify the LDAP data we need to create an LDIF file.

nano change_shell.ldif

#
# Apply with:
# ldapmodify -xWD "uid=root,cn=users,dc=dragon,dc=lab" -H ldap://synonas.dragon.lab -f change_shell.ldif
# Check with:
# ldapsearch -xLLL uid=fred -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab dn uid loginShell
#
# Change default shell. The value must end exactly at "bash": LDIF keeps a
# trailing space as part of the value, and "/bin/bash " is not a shell.
######################
dn: uid=fred,cn=users,dc=dragon,dc=lab
changetype: modify
replace: loginShell
loginShell: /bin/bash

Then apply it to the LDAP database.

ldapmodify -xWD "uid=root,cn=users,dc=dragon,dc=lab" -H ldap://synonas.dragon.lab -f change_shell.ldif

To explain the command line options:

  • -x Use simple authentication instead of SASL.
  • -W Prompt for the simple authentication password. Use this rather than -w password on the command line, which would leave the password in your shell history and visible in the process list.
  • -D Use the Distinguished Name binddn to bind to the LDAP directory.
  • -H Specify URI(s) referring to the ldap server(s); only the protocol/host/port fields are allowed. A list of URIs separated by whitespace or commas is accepted.
  • -f Read the entry modification information from file instead of from standard input.
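Because LDIF stores exactly what follows “attribute: ”, it is easy to push a value into the directory that is not what you meant, and the loginShell change above is the classic case: a stray space after /bin/bash sets the shell to “/bin/bash ” and the user can no longer log in interactively. The following is an added example, my own Python and not code from the original post, that generates the same modify record but checks the shell against a list of permitted shells first (ALLOWED_SHELLS is a constructed stand-in for the client's /etc/shells) and writes every value either as an RFC 2849 SAFE-STRING or, when it has a leading or trailing space, a leading ':' or '<', or non-ASCII characters, in the “attr:: base64” form LDIF requires, so nothing is silently altered on its way to the directory. The DN escaping follows RFC 4514.

```python
"""Emit the loginShell change as LDIF with values encoded the RFC 2849 way.

Added example, not part of the original post.  The shell list is a
constructed stand-in for /etc/shells on the client.
"""
import base64

ALLOWED_SHELLS = ("/bin/sh", "/bin/bash", "/bin/dash")   # constructed stand-in for /etc/shells


def is_safe_string(value):
    """RFC 2849 SAFE-STRING: printable ASCII, not starting with ' ', ':' or '<'.

    A trailing space is technically allowed but the RFC says such values
    SHOULD be base64 encoded, so it is treated as unsafe here too."""
    if value == "":
        return True
    if value[0] in " :<" or value[-1] == " ":
        return False
    return all(0x20 <= ord(c) < 0x7f for c in value)


def ldif_attr(name, value):
    """One attribute line: 'name: value', or 'name:: <base64>' when not safe."""
    if is_safe_string(value):
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def escape_dn_value(value):
    """Escape an RDN value per RFC 4514: , + " \\ < > ; plus a leading '#'
    or space and a trailing space."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def is_allowed_shell(shell, allowed=ALLOWED_SHELLS):
    """Exact match only: '/bin/bash ' (trailing space) is not '/bin/bash'."""
    return shell in allowed


def change_shell_ldif(uid, shell, base_dn="dc=dragon,dc=lab", allowed=ALLOWED_SHELLS):
    """LDIF modify record that replaces loginShell for one user, or raises."""
    if not is_allowed_shell(shell, allowed):
        raise ValueError("refusing loginShell %r: not in the allowed shells" % shell)
    return "\n".join([
        "dn: uid=%s,cn=users,%s" % (escape_dn_value(uid), base_dn),
        "changetype: modify",
        "replace: loginShell",
        ldif_attr("loginShell", shell),
        "",
    ])
```

change_shell_ldif("fred", "/bin/bash") produces the four-line record from change_shell.ldif; the same call with "/bin/bash " is refused, and if you ever do need to write a value with a trailing space, ldif_attr() shows the only honest way to spell it, loginShell:: L2Jpbi9iYXNoIA==, where the intent is at least visible in the file.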

Tool for editing the LDAP data

ldapvi is an interactive LDAP client for Unix terminals. Using it, you can update LDAP entries with a text editor. See the project web page here. The documentation is good for this tool 🙂

sudo apt-get install ldapvi

After installing the tool and creating the config file below, read through the man page as you look at your own data.

You can create a config file to bind to your LDAP server. It holds the root bind password in clear text, so make it readable only by you (chmod 600 on the file), or leave the password line out and let ldapvi prompt for it.

nano $HOME/.ldapvirc
profile default
bind: simple
bind-dialog: always
host: synonas.dragon.lab
user: uid=root,cn=users,dc=dragon,dc=lab
password: YOURPASSWORD

The first time you run it you get asked which editor you want to use:

ldapvi -d -h HOST
Select an editor.  To change later, run 'select-editor'.
  1. /usr/bin/vim.gtk3
  2. /bin/nano        <---- easiest
  3. /usr/bin/vim.tiny
  4. /bin/ed

Login to Linux

The whole point of this post was so that you can have a central place to maintain your users’ login data. So now let’s try logging in. On the client machine you should be able to ssh in as fred or bert; both of the commands below should work (ldap-client is assumed to be the hostname of the Ubuntu VM).

ssh fred@localhost
ssh bert@ldap-client

You should be able to get logged in. The home directory should already have been created and populated with .bashrc and .profile; these come from /etc/skel. Fred should be in these groups, possibly more: users, fred, sudo, l_adm. If a group change made on the NAS does not show up on the client straight away, nscd is caching the lookup; restart nscd or wait for the cache to expire.

If that all worked, you are done. Time for a coffee 🙂

6 thoughts on “Using LDAP on Synology”

  1. Alain

    Very interesting. The Synology documentation is indeed very limited when you want to create your own LDAP structure with Linux clients. I have tried to use your procedure with Mint 19.1 and a DS916+. After setting up the server and preparing the client, it won’t reboot. It hangs on the start up screen forever. I am guessing I have a communication issue with the LDAP server.

    The one thing I have trouble with is to make sure that the LDAP server is indeed recognized by other PCs on the network. In the “Testing client connection” section of your post, can the command “ldapsearch -x uid=fred -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab” be executed from any other PC on the network or does it have to be the client?

    When I execute it I get the error message: “ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)” which seems to explain why my client hangs on startup… But I see no way to debug this… Would you have any input on this? Thank you!

    Did you encounter such a problem?

    1. richard Post author

      On the Linux client you will need at least one local user with sudo access, that is one user that is in the local passwd file. With most Linux distros that will be the one you created during the install process. Just in case your LDAP server goes down. You can run the ldapsearch on any machine that is set up as an LDAP client. -H ldap://your_ldap_server points to where the server is to be found. The “synonas.dragon.lab” should be the name of your Synology box, or you can use its IP address.
      Hope that helps.

  2. Chrtis

    Hi Richard,

    Thank you very much, your post just bullseyed my problem, marvelously solving it! Now I can proceed to get kerberos up and running in this setup.

    Best regards,
    Chris

  3. Pedro Ponte

    Many thanks for this tutorial!!

    Can you help enabling the user sync for users that belong to a specific group only?
    I don’t want to sync admin nor root to the client system… 🙁

    TIA

  4. Alan

    Thank you for this tutorial, it made it really easy for me to set up my LDAP server on a Synology NAS. I believe I am not the only one who used this tutorial… and that brings me to believe I am not the only one who realized that after migrating to DSM 7, many of the LDAP parameters have changed.

    In particular, it does not seem possible to give LDAP users any kind of permissions on shared folders… I might be missing something here… ?

    Thanks again !

    1. richard Post author

      I stopped using Synology NAS products about 3 years ago. The software became too unstable rendering the products useless. I rolled my own with Ubuntu server and ZFS plus a bunch of setup scripts. It’s been working flawlessly since.

