I wrote this HOWTO while using LDAP on Synology so I could try out the Synology Directory Server. This is how I managed to get Linux machines to authenticate against it. At the time of writing, Synology was on DSM 6.2-23739 Update 2. I will be using Ubuntu 18.04 as the Linux client.
The Synology documentation for Directory Server is appalling, only stating the blindingly obvious. That is assuming the page has been updated at all; most are missing options or features.
Install the Synology Package
Install the Synology package Directory Server, not “Active Directory Server”, from Package Manager.
This will be the master server, so it is a provider in LDAP speak. The FQDN is the domain part only of your LAN, not the hostname of the NAS; the NAS itself will be synonas.dragon.lab within this post. In fact, as this is not coupled with DNS like M$ Active Directory, it can be anything you want it to be. I will be using dragon.lab, what a surprise you say :).
We will be typing the password a lot while we sort out using LDAP on Synology, and for a while after, as you take the chance to check things out for yourself. As this is a test server, use an easy to type password. If you ever get that far, use a strong password on the live server. So do not use password1234.
That is all you need on this page. Please take a note of the Base dn dc=dragon,dc=lab. This is the root or top of your LDAP database structure. The Bind dn uid=root,cn=users,dc=dragon,dc=lab is the entry we authenticate against when connecting to the database.
The Connection Settings button opens a second dialog. There is no need to tweak anything in here for now.
Create Users and Groups
Creating users and groups is simple enough. We just need to think beforehand how user/group permissions will be joined so that the users can interact with the system.
For now let’s create groups with these names: l_adm, fred, bert.
Add your groups first. When you are creating the users, each user can be added to all the groups they should be in. Or add the users first, so you can add all the users to a group as you create it. Twasn’t that helpful 🙂
Adding users is similar to adding groups; there are just a few more fields to fill in. Again it is all pretty simple. If you need a guide to tell you the blindingly obvious, read the Synology help. Did I mention how bad their help is?
Create two users, my favorite two are Fred Bloggs and Bert Worker.
Then add those users to these groups:
- fred: fred, l_adm
- bert: bert
All users end up in the group called users, which was already generated for you when you created your LDAP database. It also ends up as their primary group when logging into Linux, which is rather annoying. The Synology GUI has no way for you to change the order of the groups.
That’s all there is to using the GUI when using LDAP on Synology. Okay, we have some users and groups, but LDAP is of little use if you cannot do anything with it. 🙂
Linux Client Setup
This is the part that the Synology documentation completely ignores. A mention of what was in their LDAP schema would have been nice too, and so would an endless pint of beer that changes to different beers over time.
While sorting this out I used my trusty Minimal Server Installation of Ubuntu 18.04. This gives a known good starting point without the bloat of a full desktop install. It also boots quickly. It runs as a virtual machine on VirtualBox, which allows snapshots, enabling rollbacks as necessary after trying things out.
Install the Software
For each client that you want to authenticate against LDAP, we perform the following.
sudo apt-get install libpam-ldap nscd ldap-utils
During the installation you will be asked some questions.
- Should debconf manage LDAP configuration? Yes
- LDAP server Uniform Resource Identifier: ldap://synonas.dragon.lab
- Distinguished name of the search base: dc=dragon,dc=lab
- LDAP version to use: 3
- Make local root Database admin: Yes
- Does the LDAP database require login? No
- LDAP account for root: uid=root,cn=users,dc=dragon,dc=lab
- LDAP root account password: your password for LDAP
- Local crypt to use when changing passwords: crypt
If at any time you want to reconfigure this again, just run the following command. When you run it again, the defaults shown will be the current settings of your LDAP server.
sudo dpkg-reconfigure ldap-auth-config
Or you can edit the config file directly. The file is where you would expect it to be. It is well commented, and man ldap.conf runs through most if not all settings well. I didn’t read it all, not yet anyway. 🙂
sudo nano /etc/ldap/ldap.conf
Update nsswitch
LDAP user authentication is performed through PAM. We also need to update the name service switch (nsswitch.conf) so the system knows where to look up users and groups when authenticating people.
sudo nano /etc/nsswitch.conf
Update the three lines for passwd, group, and shadow. They should look like this. This way around, with compat first, lookups go to the local passwd file first and then search LDAP. If you want the search order the other way around, just swap the order. Try it out and see.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Save the file and exit.
Auto Creation of HOME Directories
So that users will have their HOME directories created automatically, we need to tweak a PAM module, cleverly named mkhomedir.
sudo nano /usr/share/pam-configs/mkhomedir
Update the file so it looks similar to this:
Name: Create home directory on login
Default: yes
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
	required pam_mkhomedir.so skel=/etc/skel umask=0022
Adding local groups to LDAP Users
We need to create a new file similar to the one above. This time it will add the necessary values so that additional groups are pulled through, on top of those that are local to the Linux machine.
sudo nano /usr/share/pam-configs/ldap_groups
Name: Add local Groups from /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	required pam_group.so
Save and exit the editor.
Create the settings which will add the groups to the LDAP user. These changes go at the end of the file, before the last comment. For an explanation look at man pam_group.
sudo nano /etc/security/group.conf
# All LDAP Users get these extra local groups
# Al = all days, 0000-2400 from 00:00 to 24:00 i.e. the time
*;*;*;Al0000-2400;audio cdrom plugdev video users
# Admins (l_adm) get to launch and configure printers, can share files via samba
# and can use sudo.
*;*;%l_adm;Al0000-2400;sudo lpadmin sambashare
Run pam-auth-update
Run pam-auth-update and it will ask if it is allowed to maintain the PAM config files; answer yes to that. Make sure the PAM profile for Create home directory on login is ticked. Run the command and you will see what I mean 🙂 Then reboot to make sure that all of it survives a reboot.
sudo pam-auth-update
sudo reboot
That should be it for the configuration part.
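Before rebooting, it is worth checking what the two files above actually grant. The script below is an added example, not part of the original post: it parses nsswitch.conf and /etc/security/group.conf text (constructed samples that mirror the settings used here) and works out which extra local groups pam_group would hand to a given LDAP user, so you can confirm that only l_adm members pick up sudo. It assumes the time field is always Al0000-2400 and does not handle pam_group's '!' negation syntax.

```python
"""Audit the NSS lookup order and pam_group rules of an LDAP client.

Added example, not part of the original post. Assumes the time field of
every rule is Al0000-2400 (always) and ignores '!' negation in pam_group.
"""

# Constructed sample of /etc/nsswitch.conf with the three lines from the post.
NSSWITCH_SAMPLE = """\
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
"""

# Constructed sample of /etc/security/group.conf with the two rules from the post.
GROUP_CONF_SAMPLE = """\
# All LDAP Users get these extra local groups
*;*;*;Al0000-2400;audio cdrom plugdev video users
# Admins (l_adm) get to launch and configure printers, can share files via samba
# and can use sudo.
*;*;%l_adm;Al0000-2400;sudo lpadmin sambashare
"""


def nss_sources(text):
    """Return {database: [source, ...]} parsed from nsswitch.conf text."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = rest.split()
    return sources


def check_ldap_lookup(sources):
    """For passwd, group and shadow: is ldap consulted, and does a local
    source (compat or files) come first, so local accounts still resolve
    when the LDAP server is unreachable?"""
    report = {}
    for db in ("passwd", "group", "shadow"):
        srcs = sources.get(db, [])
        report[db] = {
            "ldap": "ldap" in srcs,
            "local_first": bool(srcs) and srcs[0] in ("compat", "files"),
        }
    return report


def parse_group_conf(text):
    """Parse pam_group rules of the form services;ttys;users;times;groups."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError("malformed group.conf line: %r" % line)
        services, ttys, users, times, groups = fields
        rules.append({"services": services, "ttys": ttys, "users": users,
                      "times": times, "groups": groups.replace(",", " ").split()})
    return rules


def _field_matches(pattern, value):
    """'*' matches anything; otherwise value must be one of the '|' alternatives."""
    return pattern == "*" or value in pattern.split("|")


def _user_matches(pattern, user, user_groups):
    """users field: '*' any user, '%name' members of that group, otherwise a
    literal user name; alternatives are separated by '|'."""
    for alt in pattern.split("|"):
        if alt == "*" or alt == user:
            return True
        if alt.startswith("%") and alt[1:] in user_groups:
            return True
    return False


def extra_groups(rules, user, user_groups, service="sshd", tty="*"):
    """Local groups pam_group would add for this login, in rule order."""
    granted = []
    for r in rules:
        if not (_field_matches(r["services"], service)
                and _field_matches(r["ttys"], tty)
                and _user_matches(r["users"], user, user_groups)):
            continue
        for g in r["groups"]:
            if g not in granted:
                granted.append(g)
    return granted


if __name__ == "__main__":
    print(check_ldap_lookup(nss_sources(NSSWITCH_SAMPLE)))
    rules = parse_group_conf(GROUP_CONF_SAMPLE)
    # fred is in the LDAP groups users, fred and l_adm; bert in users and bert
    print("fred:", extra_groups(rules, "fred", {"users", "fred", "l_adm"}))
    print("bert:", extra_groups(rules, "bert", {"users", "bert"}))
```

Run it against the real files with open("/etc/nsswitch.conf").read() and open("/etc/security/group.conf").read() in place of the samples; the user_groups argument is the set of LDAP groups the user is in, which is what the ldapsearch checks further down give you.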
Testing Client Connections
Using the ldapsearch utility we can check the connection to our LDAP server. First we check that a user, fred, can be found, then check he is a member of the groups l_adm and fred.
ldapsearch -x uid=fred -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab
# LDAPv3
# base <dc=dragon,dc=lab> with scope subtree
# filter: uid=fred
# requesting: ALL
#

# fred, users, dragon.lab
dn: uid=fred,cn=users,dc=dragon,dc=lab
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: apple-user
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: extensibleObject
cn: fred
uid: fred
gecos: Fred the Admin
uidNumber: 1000002
homeDirectory: /home/fred
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: -1
shadowInactive: 0
shadowFlag: 0
sn: fred
authAuthority: ;basic;
apple-generateduid: 7A838F61-F001-487F-8612-37487F84E719
sambaSID: S-1-5-21-2687800487-1837915111-4239398575-1011
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaAcctFlags: [U ]
displayName: fred
memberOf: cn=fred,cn=groups,dc=dragon,dc=lab
memberOf: cn=users,cn=groups,dc=dragon,dc=lab
memberOf: cn=l_adm,cn=groups,dc=dragon,dc=lab
loginShell: /bin/sh
gidNumber: 1000006

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
If you got something similar to the above we are on the right track. That output is a bit long winded, so let’s shorten it a bit. We can add -LLL, which man ldapsearch says “A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version.” We can also change -H ldap://synonas.dragon.lab to be -h synonas.dragon.lab, although using a host name is now deprecated.
We can filter the output to just the fields we want to see and are interested in.
ldapsearch -xLLL uid=fred -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab dn uid gecos memberOf gidNumber homeDirectory loginShell
dn: uid=fred,cn=users,dc=dragon,dc=lab
uid: fred
gecos: Fred the Admin
homeDirectory: /home/fred
memberOf: cn=fred,cn=groups,dc=dragon,dc=lab
memberOf: cn=users,cn=groups,dc=dragon,dc=lab
memberOf: cn=l_adm,cn=groups,dc=dragon,dc=lab
loginShell: /bin/sh
gidNumber: 1000001
Now we have trimmed the output, it is easier to see the fields we are after. Try the same with bert.
How about getting a list of all the LDAP groups?
ldapsearch -xLLL objectClass=posixGroup -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab dn cn memberUid member gidNumber
dn: cn=users,cn=groups,dc=dragon,dc=lab
cn: users
gidNumber: 1000001
member: uid=fred,cn=users,dc=dragon,dc=lab
member: uid=bert,cn=users,dc=dragon,dc=lab
memberUid: ldap_user

dn: cn=Directory Operators,cn=groups,dc=dragon,dc=lab
cn: Directory Operators
gidNumber: 1000000

dn: cn=Directory Clients,cn=groups,dc=dragon,dc=lab
cn: Directory Clients
gidNumber: 2097149

dn: cn=Directory Consumers,cn=groups,dc=dragon,dc=lab
cn: Directory Consumers
gidNumber: 2097150

dn: cn=administrators,cn=groups,dc=dragon,dc=lab
cn: administrators
gidNumber: 1000002
memberUid: admin
member: uid=admin,cn=users,dc=dragon,dc=lab

dn: cn=fred,cn=groups,dc=dragon,dc=lab
cn: fred
gidNumber: 1000003
member: uid=fred,cn=users,dc=dragon,dc=lab
memberUid: ldap_user

dn: cn=bert,cn=groups,dc=dragon,dc=lab
cn: bert
gidNumber: 1000004
member: uid=bert,cn=users,dc=dragon,dc=lab
memberUid: bert

dn: cn=l_adm,cn=groups,dc=dragon,dc=lab
cn: l_adm
gidNumber: 1000005
member: uid=fred,cn=users,dc=dragon,dc=lab
memberUid: fred
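Reading membership off that listing by eye gets tedious once there are more than a handful of groups, and the listing also shows the member DNs and the memberUid values disagreeing for some groups. The script below is an added example, not part of the original post or Synology's tooling: a small LDIF parser for ldapsearch -LLL output (folded lines, comments and base64 '::' values included) that builds a uid-to-groups map from both attributes and flags groups where the two lists differ. The LDIF it parses is a constructed sample trimmed to the attributes from the listing above.

```python
"""Parse ldapsearch -LLL output (LDIF) and derive group membership.

Added example, not part of the original post. GROUPS_LDIF is a constructed
sample shaped like the posixGroup listing above; the parser is generic.
"""
import base64

GROUPS_LDIF = """\
dn: cn=users,cn=groups,dc=dragon,dc=lab
cn: users
gidNumber: 1000001
member: uid=fred,cn=users,dc=dragon,dc=lab
member: uid=bert,cn=users,dc=dragon,dc=lab
memberUid: ldap_user

dn: cn=fred,cn=groups,dc=dragon,dc=lab
cn: fred
gidNumber: 1000003
member: uid=fred,cn=users,dc=dragon,dc=lab
memberUid: ldap_user

dn: cn=bert,cn=groups,dc=dragon,dc=lab
cn: bert
gidNumber: 1000004
member: uid=bert,cn=users,dc=dragon,dc=lab
memberUid: bert

dn: cn=l_adm,cn=groups,dc=dragon,dc=lab
cn: l_adm
gidNumber: 1000005
member: uid=fred,cn=users,dc=dragon,dc=lab
memberUid: fred
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry, in file order."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def rdn_value(dn):
    """Value of the first RDN: uid=fred,cn=users,... -> 'fred'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def membership(groups):
    """Map uid -> sorted group names, taking members from both the member
    DNs and the memberUid values. Groups where the two lists disagree are
    returned separately: RFC 2307 clients resolve posixGroup membership
    through memberUid, so a mismatch shows up on the Linux side as a user
    missing (or unexpectedly gaining) a group."""
    by_user, inconsistent = {}, []
    for g in groups:
        name = g["cn"][0]
        from_dn = {rdn_value(dn) for dn in g.get("member", [])}
        from_uid = set(g.get("memberUid", []))
        if from_dn != from_uid:
            inconsistent.append(name)
        for uid in from_dn | from_uid:
            by_user.setdefault(uid, set()).add(name)
    return {u: sorted(gs) for u, gs in by_user.items()}, sorted(inconsistent)


def primary_group(groups, gid):
    """Name of the group whose gidNumber matches a user's gidNumber, or None."""
    for g in groups:
        if g.get("gidNumber", [""])[0] == str(gid):
            return g["cn"][0]
    return None


if __name__ == "__main__":
    groups = parse_ldif(GROUPS_LDIF)
    users, odd = membership(groups)
    for uid, names in sorted(users.items()):
        print(uid, names)
    print("member/memberUid mismatch:", odd)
    print("primary group for gidNumber 1000001:", primary_group(groups, 1000001))
```

Feed it real data with parse_ldif(subprocess.check_output(["ldapsearch", "-xLLL", ...]).decode()); the same parser works on the user search output, where primary_group() turns a user's gidNumber into the group name you will see from id on the client.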
Here are some example queries to pull information out of LDAP that you might like to try out.
Find any records that have a gidNumber of 1000006 and (&) are a posixAccount (user).
ldapsearch -xLLL "(&(gidNumber=1000006)(objectClass=posixAccount))" -b dc=dragon,dc=lab -h synonas dn uid gecos gidNumber
Find all the users that have loginShell of /bin/bash.
ldapsearch -xLLL "(&(objectClass=posixAccount)(loginShell=/bin/bash))" -b dc=dragon,dc=lab -h synonas dn cn uid loginShell uidNumber gidNumber memberOf homeDirectory
For more on searching with LDAP see this web site. It has loads of examples that you can try out.
Change the loginShells
With the Synology LDAP all users only ever get /bin/sh as their login shell, so let’s change fred’s shell to bash. To modify the LDAP data we need to create an ldif file.
nano change_shell.ldif
#
# ldapmodify -xWD "uid=root,cn=users,dc=dragon,dc=lab" -h synonas -f change_shell.ldif
# ldapsearch -xLLL uid=fred -b dc=dragon,dc=lab -h synonas dn cn uid loginShell uidNumber gidNumber memberOf homeDirectory
#
# Change default shell
######################
dn: uid=fred,cn=users,dc=dragon,dc=lab
changetype: modify
replace: loginShell
loginShell: /bin/bash
Then apply it to the LDAP database.
ldapmodify -xWD "uid=root,cn=users,dc=dragon,dc=lab" -h synonas -f change_shell.ldif
To explain the command line options:
- -x Use simple authentication instead of SASL.
- -W Prompt for simple authentication. This is used instead of specifying the password on the command line (-w password).
- -D Use the Distinguished Name binddn to bind to the LDAP directory.
- -H Specify URI(s) referring to the ldap server(s); only the protocol/host/port fields are allowed; a list of URIs, separated by whitespace or commas, is expected.
- -f Read the entry modification information from file instead of from standard input.
Tool for editing the LDAP data
ldapvi is an interactive LDAP client for Unix terminals. Using it, you can update LDAP entries with a text editor. See the project web page here. The documentation for this tool is good 🙂
sudo apt-get install ldapvi
After installing the tool and creating the config file below, read through the man page as you look at your own data.
You can create a config file to bind to your LDAP server.
nano $HOME/.ldapvirc
profile default
bind: simple
bind-dialog: always
host: synonas.dragon.lab
user: uid=root,cn=users,dc=dragon,dc=lab
password: YOURPASSWORD
The first time you run it you get asked which editor you want to use:
ldapvi -d -h HOST
Select an editor.  To change later, run 'select-editor'.
  1. /usr/bin/vim.gtk3
  2. /bin/nano        <---- easiest
  3. /usr/bin/vim.tiny
  4. /bin/ed
Login to Linux
The whole point of this post was so that you can have a central place to maintain your users’ login data. So now let’s try logging in. On the client machine you should be able to ssh in as fred or bert. Both of these commands should work.
ssh fred@localhost
ssh bert@ldap-client
You should be able to get logged in. The HOME directory should have already been created and populated with .bashrc and .profile. These come from /etc/skel. Fred should have these groups, possibly more: user fred sudo l_adm.
If that all worked, you are done. Time for a coffee 🙂
Very interesting. The Synology documentation is indeed very limited when you want to create your own LDAP structure with Linux clients. I have tried to use your procedure with Mint 19.1 and a DS916+. After setting up the server and preparing the client, it won’t reboot. It hangs on the start up screen forever. I am guessing I have a communication issue with the LDAP server.
The one thing I have trouble with is to make sure that the LDAP server is indeed recognized by other PC on the network. In the “Testing client connection” section of your post, can the command “ldapsearch -x uid=fred -b dc=dragon,dc=lab -H ldap://synonas.dragon.lab” be executed from any other PC of the network or does it have to be the client ?
When I execute it I get the error message: “ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)” which seems to explain why my client hangs on startup… But I see no way to debug this… Would you have any input on this ? Thank you !
Did you encounter such problem ?
On the Linux client you will need at least one local user with sudo access. That is one user that is in the local passwd file. With most Linux distros that will be the one you created during the install process. Just in case your LDAP server goes down. You can run the ldapsearch on any machine that is set up as an LDAP client. -H ldap://your_ldap_server points where the server is to be found. The “synonas.dragon.lab” should be the name of your Synology box or you can use its IP address.
Hope that helps.
Hi Richard,
Thank you very much, your post just bullseyed my problem, marvelously solving it! Now I can proceed to get kerberos up and running in this setup.
Best regards,
Chris
Many thanks for this tutorial!!
Can you help enabling the user sync for users that belong to a specific group only?
I don’t want to sync admin nor root to the client system… 🙁
TIA
Thank you for this tutorial, it made it really easy for me to set up my LDAP server on a Synology NAS. I believe I am not the only one who used this tutorial… and that brings me to believe I am not the only one who realized that after migrating to DSM 7, many of the LDAP parameters have changed.
In particular, it does not seem possible to give LDAP users any kind of permissions on shared folders… I might be missing something here… ?
Thanks again !
I stopped using Synology NAS products about 3 years ago. The software became too unstable rendering the products useless. I rolled my own with Ubuntu server and ZFS plus a bunch of setup scripts. It’s been working flawlessly since.