LDAP
LDAP allows your DiskStation to join an existing directory service as an LDAP client and retrieve user and group information from an LDAP server (also called a directory server). You can then manage LDAP users' and groups' access privileges to DSM applications and shared folders, just as you would for local DSM users and groups.
The supported LDAP standard is LDAP version 3 (originally RFC 2251, now specified by RFC 4510 and its companion documents).
To join DiskStation to a directory service:
- Go to Control Panel > Directory Service.
- Go to the LDAP tab and tick Enable LDAP Client.
- Enter the IP address or domain name of the LDAP server in the LDAP Server address field.
- Choose an encryption type from the Encryption drop-down menu to encrypt the connection to the LDAP server. Without encryption, the Bind DN password and all directory data cross the network in clear text.
- Enter the Base DN of the LDAP server in the Base DN field.
- Select the proper Profile for your LDAP server. For example, choose Standard if you're using Synology Directory Server or Mac Open Directory.
- To allow LDAP users to access DiskStation files via CIFS, tick Enable CIFS plain text password authentication. See the section below to ensure LDAP users can use their computers to access DiskStation files via CIFS.
- Click Apply.
- Enter the Bind DN (or LDAP administrator account) and the password in the fields, and then click OK. Where your directory allows it, use a bind account that only has read access to the user and group subtree rather than a full directory administrator.
About CIFS Support and Client Computer's Settings
After CIFS support is enabled, LDAP users might need to modify their computers' settings to be able to access DiskStation files via CIFS:
- If your DiskStation joins a directory service provided by a Synology LDAP server (another DiskStation that has installed and is running the Directory Server package), LDAP users can access your DiskStation files via CIFS without modifying their computers' settings.
- If your DiskStation binds to a non-Synology LDAP server, LDAP users need to enable plain text password authentication on their computers, as described below; the DiskStation then verifies the password through PAM against the LDAP server, which needs the clear-text password rather than a challenge-response hash. Doing so sends LDAP users' passwords to the DiskStation in plain text (without encryption) and therefore lowers the security level.
To modify Windows settings:
- Go to Start > Run, type regedit in the field, and then click OK to open Registry Editor.
- Depending on your Windows version, find or create the following registry key:
  - Windows 2000, XP, Vista, and Windows 7:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters]
  - Windows NT:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
  - Windows 95 (SP1), 98 and Me:
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
- Create or modify the DWORD value EnablePlainTextPassword and change its value data from 0 to 1.
- Restart Windows for the change to take effect.
To modify Mac OS X's settings:
- Go to Applications > Utilities to open Terminal.
- Create an empty file /etc/nsmb.conf:
  sudo touch /etc/nsmb.conf
- Open /etc/nsmb.conf with vi:
  sudo vi /etc/nsmb.conf
- Type "i" to insert text, and paste the following:
  [default]
  minauth=none
- Press the Esc key and then type "ZZ" to save the changes and exit vi.
To modify Linux's settings:
If you're using smbclient, add the following keys to the [global] section of smb.conf:
encrypt passwords = no
client plaintext auth = yes
client lanman auth = yes
If you're using mount.cifs, execute the following command as root:
echo 0x30030 > /proc/fs/cifs/SecurityFlags
Both changes are host-wide rather than specific to the DiskStation: the smb.conf keys apply to every server smbclient connects to, and the SecurityFlags value (0x30030 is CIFSSEC_MUST_LANMAN | CIFSSEC_MUST_PLNTXT, that is, LANMAN and plain text password authentication) applies to every CIFS mount on that machine until it is changed back, so restore the previous value once the plain text mount is no longer needed.
For more information, refer to https://www.kernel.org/doc/readme/Documentation-filesystems-cifs-README
About Profiles
Different LDAP servers might use different attributes for account names, group names, or to distinguish between accounts and groups. The Profile option allows you to specify or customize how user and group information is mapped to LDAP attributes. One of the following profiles can be selected depending on your LDAP server:
- Standard: For servers running Synology Directory Server or Mac Open Directory.
- IBM Lotus Domino: For servers running IBM Lotus Domino 8.5.
- Custom: Allows you to customize mappings. Consult the section below for details.
Before customizing LDAP attribute mappings, you will need some background knowledge. Synology DSM and the Profile editor both follow RFC 2307, the schema that maps the POSIX passwd, group and shadow fields onto LDAP attributes. For example, if you set filter > passwd to userFilter, the DiskStation treats every entry with objectClass=userFilter on your LDAP server as an LDAP account. If you set passwd > uid to username, the DiskStation reads the username attribute as the account name. Leaving a mapping empty applies the RFC 2307 default for that field (for example posixAccount for filter > passwd and uid for passwd > uid).
DiskStation requires a fixed integer to serve as an LDAP account identifier (uidNumber) or group identifier (gidNumber). However, not all LDAP servers store these attributes as integers, so the keyword HASH() is provided to convert a non-integer attribute into one. For example, your LDAP server might use the attribute userid, holding a hexadecimal value, as the unique identifier for an LDAP account. In this case, set passwd > uidNumber to HASH(userid) and the DiskStation will convert it into an integer. Because that integer is derived from a hash rather than assigned, verify that no two accounts or groups end up with the same number.
The following is a summary of the customizable attributes:
- filter
  - group: required objectClass for a group.
  - passwd: required objectClass for a user.
  - shadow: required objectClass for user passwords.
- group
  - cn: group name.
  - gidNumber: GID number of this group.
  - memberUid: members of this group.
- passwd
  - uidNumber: UID number of this user.
  - uid: username.
  - gidNumber: primary GID number of this user.
- shadow
  - uid: username.
  - userPassword: user password.
About UID/GID shifting
To avoid UID/GID conflicts between LDAP users/groups and local users/groups, you can enable UID/GID shifting, which adds 1000000 to the UID/GID of every LDAP user and group. This option applies only to non-Synology LDAP servers that provide a unique numerical ID attribute for each user and group.
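The following Python script is an added example, not Synology code, showing how the Custom profile mappings from the Profiles section and the UID/GID shift described above are applied to directory entries: an empty mapping falls back to the RFC 2307 attribute name, HASH(attribute) turns a non-integer identifier into a stable integer, a plain mapping to a non-integer attribute is rejected with a hint to use HASH(), and shifting adds 1000000 so LDAP IDs no longer collide with local accounts. The directory entries, the local account list, the customPerson object class with its shortName, userid and deptId attributes, and the SHA-1 based hash_to_id are all constructed for the example; the page does not state which hash DSM's HASH() actually uses.

```python
import hashlib
import re

# Added example, not Synology code. RFC 2307 attribute names are used for any
# Custom-profile mapping that is left empty, as the page describes.
RFC2307_DEFAULTS = {
    "filter": {"passwd": "posixAccount", "group": "posixGroup",
               "shadow": "shadowAccount"},
    "passwd": {"uid": "uid", "uidNumber": "uidNumber", "gidNumber": "gidNumber"},
    "group":  {"cn": "cn", "gidNumber": "gidNumber", "memberUid": "memberUid"},
    "shadow": {"uid": "uid", "userPassword": "userPassword"},
}
UID_GID_SHIFT = 1000000                 # shift amount stated on the page
HASH_RE = re.compile(r"^HASH\((\w+)\)$")

def hash_to_id(value):
    """Fold a non-numeric identifier into a stable positive 31-bit integer.
    Assumption: the page does not say which algorithm DSM's HASH() uses, so
    this takes the first four bytes of SHA-1 and clears the sign bit."""
    digest = hashlib.sha1(value.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") & 0x7FFFFFFF

def resolve(profile, section, field):
    """The custom mapping for a field if one is set, else the RFC 2307 name."""
    return profile.get(section, {}).get(field) or RFC2307_DEFAULTS[section][field]

def first(entry, attr, field):
    """First value of a (possibly multi-valued) attribute, or a clear error."""
    values = entry.get(attr, [])
    if not values:
        raise ValueError(f"{field}: entry has no attribute {attr}")
    return values[0]

def id_value(entry, mapping, field):
    """Integer UID/GID from a mapping such as 'uidNumber' or 'HASH(userid)'."""
    m = HASH_RE.match(mapping)
    if m:
        return hash_to_id(first(entry, m.group(1), field))
    raw = first(entry, mapping, field)
    if not raw.isdigit():
        raise ValueError(f"{field}: {mapping}={raw!r} is not an integer; "
                         f"map it as HASH({mapping}) instead")
    return int(raw)

def map_users(entries, profile, shift=False):
    """Entries whose objectClass matches filter > passwd, as name/uid/gid."""
    user_class = resolve(profile, "filter", "passwd")
    shift_by = UID_GID_SHIFT if shift else 0
    users = []
    for e in entries:
        if user_class not in e.get("objectClass", []):
            continue
        users.append({
            "name": first(e, resolve(profile, "passwd", "uid"), "uid"),
            "uid": id_value(e, resolve(profile, "passwd", "uidNumber"), "uidNumber") + shift_by,
            "gid": id_value(e, resolve(profile, "passwd", "gidNumber"), "gidNumber") + shift_by,
        })
    return users

def map_groups(entries, profile, shift=False):
    """Entries whose objectClass matches filter > group, as name/gid/members."""
    group_class = resolve(profile, "filter", "group")
    shift_by = UID_GID_SHIFT if shift else 0
    return [{
        "name": first(e, resolve(profile, "group", "cn"), "cn"),
        "gid": id_value(e, resolve(profile, "group", "gidNumber"), "gidNumber") + shift_by,
        "members": e.get(resolve(profile, "group", "memberUid"), []),
    } for e in entries if group_class in e.get("objectClass", [])]

def uid_conflicts(ldap_users, local_users):
    """UIDs shared between an LDAP account and a local DSM account."""
    local_uids = {u["uid"] for u in local_users}
    return sorted(u["uid"] for u in ldap_users if u["uid"] in local_uids)

# Constructed sample data, not from any real directory: one RFC 2307 account
# and group, one account on a server whose identifier attribute holds hex
# text, and two local DSM accounts (one of them colliding on UID 1001).
SAMPLE_ENTRIES = [
    {"objectClass": ["posixAccount", "shadowAccount"], "uid": ["alice"],
     "uidNumber": ["1001"], "gidNumber": ["100"]},
    {"objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["100"],
     "memberUid": ["alice"]},
    {"objectClass": ["customPerson"], "shortName": ["bob"],
     "userid": ["0x1F3A"], "deptId": ["0x0C"]},
]
LOCAL_USERS = [{"name": "admin", "uid": 1024}, {"name": "backup", "uid": 1001}]
STANDARD_PROFILE = {}                   # every field empty: pure RFC 2307
CUSTOM_PROFILE = {                      # hypothetical server with hex identifiers
    "filter": {"passwd": "customPerson"},
    "passwd": {"uid": "shortName", "uidNumber": "HASH(userid)",
               "gidNumber": "HASH(deptId)"},
}

if __name__ == "__main__":
    std = map_users(SAMPLE_ENTRIES, STANDARD_PROFILE)
    print("standard:", std, map_groups(SAMPLE_ENTRIES, STANDARD_PROFILE))
    print("conflicts with local accounts:", uid_conflicts(std, LOCAL_USERS))
    print("shifted:", map_users(SAMPLE_ENTRIES, STANDARD_PROFILE, shift=True))
    print("custom with HASH():", map_users(SAMPLE_ENTRIES, CUSTOM_PROFILE))
```

Run as written, the standard profile yields alice with UID 1001, which uid_conflicts reports as colliding with the local backup account; enabling the shift moves her to 1001001 and the conflict disappears. Mapping uidNumber directly to userid on the customPerson entry raises the "not an integer" error, which is exactly the case HASH(userid) exists for. Because hash_to_id compresses identifiers into 31 bits, check that the set of resulting UIDs has no duplicates before relying on them for permissions.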