Tuesday, 20 October 2020

SYNOLOGY-ldap


LDAP

LDAP allows your Synology NAS to join an existing directory service as an LDAP client and then retrieve user or group information from an LDAP server (or "directory server"). You can manage LDAP users' or groups' access privileges to DSM applications and shared folders just as you would with local DSM users or groups. For more information about LDAP, please refer to the linked article.

The supported LDAP standard is LDAP version 3 (RFC 2251).

To join Synology NAS to a directory service:

  1. Go to Control Panel > Domain/LDAP.
  2. Go to the LDAP tab and tick Enable LDAP Client.
  3. Enter the IP address or domain name of the LDAP server in the LDAP Server address field.
  4. Choose an encryption type from the Encryption drop-down menu to encrypt the connection to the LDAP server.
  5. Enter the Base DN of the LDAP server in the Base DN field.
  6. Select the proper Profile depending on your LDAP server. For example, choose Standard if you're using Synology LDAP Server or Mac Open Directory.
  7. To allow users of an LDAP server that does not support the Samba schema to access Synology NAS files via CIFS, tick Enable CIFS plain text password authentication. See the section below to ensure LDAP users can use their computers to successfully access Synology NAS files via CIFS.
  8. Click Apply.
  9. Enter the Bind DN (or LDAP administrator account) and the password in the fields, and then click OK.

About CIFS Support and Client Computer's Settings

After CIFS plain text password authentication is enabled, LDAP users might need to modify their computers' settings to be able to access Synology NAS files via CIFS:

  • If your Synology NAS joins the directory service provided by a Synology LDAP server (or another Synology NAS that has the LDAP Server package installed and running), or by an LDAP server that supports the Samba schema and on which all LDAP users have correct sambaNTPassword attributes, LDAP users can access your Synology NAS files via CIFS without ticking Enable CIFS plain text password authentication or modifying their computers' settings. Otherwise, LDAP users will need to enable their computers' plain text password support to be able to access Synology NAS files via CIFS. However, doing so transfers LDAP users' passwords to Synology NAS in plain text (without encryption), thus lowering the security level.

To modify Windows settings:

  1. Go to Start > Run, type regedit in the field, and then click OK to open Registry Editor.
  2. Depending on your Windows version, find or create the following registry key:
    • Windows 2000, XP, Vista, and Windows 7:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters]
    • Windows NT:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
    • Windows 95 (SP1), 98 and Me:
      [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
  3. Create or modify the DWORD value EnablePlainTextPassword and change its value data from 0 to 1.
  4. Restart Windows for the change to take effect.

To modify Mac OS X's settings:

  1. Go to Applications > Utilities to open Terminal.
  2. Create an empty file /etc/nsmb.conf:
    sudo touch /etc/nsmb.conf
  3. Open /etc/nsmb.conf with vi:
    sudo vi /etc/nsmb.conf
  4. Type "i" to insert text, and paste the following:
    [default]
    minauth=none
  5. Press the Esc key and then type "ZZ" to save the changes and exit vi.

To modify Linux settings:

If you're using smbclient, add the following parameters to the [global] section of smb.conf:

encrypt passwords = no
client plaintext auth = yes
client lanman auth = yes
client ntlmv2 auth = no

If you're using mount.cifs, execute the following command:

echo 0x30030 > /proc/fs/cifs/SecurityFlags

For more information, please refer to https://www.kernel.org/doc/readme/Documentation-filesystems-cifs-README
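The SecurityFlags value above is a bitmask: the low bits say which mechanisms the CIFS client may use, and each MUST_ constant additionally sets the same bit shifted 12 places. The following audit helper, added here and not part of the original article, decodes a value such as 0x30030 and reports the weak settings it enables; the bit values are assumed to match the CIFSSEC_* constants in the kernel's fs/cifs/cifsglob.h for your kernel version.

```python
# CIFSSEC_* "MAY" bit values as defined in the kernel's fs/cifs/cifsglob.h
# (assumption: these match the kernel you are auditing)
MAY_FLAGS = {
    0x00001: "sign", 0x00002: "ntlm", 0x00004: "ntlmv2", 0x00008: "krb5",
    0x00010: "lanman", 0x00020: "plaintext", 0x00040: "seal", 0x00080: "ntlmssp",
}
MUST_SHIFT = 12          # CIFSSEC_MUST_* = MAY bit | (MAY bit << 12), e.g. 0x20020 for plaintext
WEAK = {"lanman", "plaintext"}


def decode_security_flags(value):
    """Split a SecurityFlags value into (permitted, required) mechanism names."""
    may, must = set(), set()
    for bit, name in MAY_FLAGS.items():
        if value & bit:
            may.add(name)
        if value & (bit << MUST_SHIFT):
            must.add(name)
    return may, must


def audit_security_flags(text):
    """Return (normalised hex value, findings) for the contents of /proc/fs/cifs/SecurityFlags."""
    value = int(text.strip(), 16)
    may, must = decode_security_flags(value)
    findings = [f"{name} authentication required" for name in sorted(must & WEAK)]
    findings += [f"{name} authentication allowed" for name in sorted((may - must) & WEAK)]
    if not (may & {"ntlmv2", "krb5"}):
        findings.append("no strong mechanism (ntlmv2/krb5) permitted")
    return f"0x{value:05x}", findings


if __name__ == "__main__":
    # Constructed input: the value the article tells you to write for plain text CIFS auth
    print(audit_security_flags("0x30030"))
```

On a live system, pass the output of `cat /proc/fs/cifs/SecurityFlags` to audit_security_flags to confirm the setting was reverted after testing.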

About Profiles

Different LDAP servers might use different attributes for account names, group names, or to distinguish between accounts and groups. The Profile option allows you to specify or customize how user and group information is mapped to LDAP attributes. One of the following profiles can be selected depending on your LDAP server:

  • Standard: For servers running Synology LDAP Server or Mac Open Directory.
  • IBM Lotus Domino: For servers running IBM Lotus Domino 8.5.
  • Custom: Allows you to customize mappings. Consult the section below for details.

Before customizing LDAP attribute mappings, you will need some background knowledge. Synology DSM and the Profile editor both adhere to RFC 2307. For example, you can specify filter > passwd as userFilter, in which case the Synology NAS will interpret records with objectClass=userFilter on your LDAP server as LDAP accounts. If you specify passwd > uid as username, the Synology NAS will interpret username on your LDAP server as an account name. Leaving the mapping empty will apply RFC 2307 rules.

Synology NAS requires a fixed integer to serve as an LDAP account identifier (uidNumber) or a group identifier (gidNumber). However, not all LDAP servers use integers to represent such attributes. Therefore, a keyword HASH() is provided to convert such attributes to integers. For example, your LDAP server might use the attribute userid with a hexadecimal value as the unique identifier for an LDAP account. In this case, you can set passwd > uidNumber to HASH(userid), and then Synology NAS will convert it into an integer.

The following is the summary of customizable attributes:

  • filter
    • group: required objectClass for group.
    • passwd: required objectClass for user.
    • shadow: required objectClass for user passwords.
  • group
    • cn: group name.
    • gidNumber: GID number of this group.
    • memberUid: members of this group.
  • passwd
    • uidNumber: UID number of this user.
    • uid: username.
    • gidNumber: primary GID number of this user.
  • shadow
    • uid: username.
    • userPassword: user password.

About UID/GID shifting

To avoid UID/GID conflicts between LDAP users/groups and local users/groups, you can enable UID/GID shifting to shift the UID/GID of LDAP users/groups by 1000000. This option applies only to non-Synology LDAP servers that have a unique numerical ID attribute for each user/group.
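The following model, added here and not DSM's own code, ties the Custom profile mappings, the HASH() keyword and UID/GID shifting together: a mapping left empty falls back to the RFC 2307 attribute, HASH(attr) turns a non-numeric identifier into a stable integer, and shifting adds 1000000. The sample entry and the digest used for HASH() are constructed for illustration; DSM's real hash function is not documented on this page.

```python
import hashlib
import re

# RFC 2307 attribute used when a Custom-profile mapping is left empty
RFC2307_DEFAULTS = {
    "filter.passwd": "posixAccount", "filter.group": "posixGroup",
    "filter.shadow": "shadowAccount",
    "passwd.uid": "uid", "passwd.uidNumber": "uidNumber", "passwd.gidNumber": "gidNumber",
    "group.cn": "cn", "group.gidNumber": "gidNumber", "group.memberUid": "memberUid",
}
UID_GID_SHIFT = 1000000  # offset applied when UID/GID shifting is enabled


def resolve(mapping, key):
    """Return the attribute configured for a mapping key, or the RFC 2307 default."""
    return (mapping or {}).get(key, "").strip() or RFC2307_DEFAULTS[key]


def to_id(entry, attr_spec):
    """Read an integer ID; HASH(attr) derives one from a non-numeric attribute value."""
    m = re.fullmatch(r"HASH\((\w+)\)", attr_spec)
    if m:
        # Constructed: 31-bit prefix of a SHA-1 digest, so the result is stable and fits a UID
        digest = hashlib.sha1(entry[m.group(1)].encode()).hexdigest()
        return int(digest[:8], 16) & 0x7FFFFFFF
    return int(entry[attr_spec])


def user_filter(mapping):
    """LDAP search filter selecting user records under this profile."""
    return f"(objectClass={resolve(mapping, 'filter.passwd')})"


def map_user(entry, mapping, shift=False):
    """Translate one LDAP entry into a DSM account (name, uid, gid)."""
    uid = to_id(entry, resolve(mapping, "passwd.uidNumber"))
    gid = to_id(entry, resolve(mapping, "passwd.gidNumber"))
    if shift:
        uid, gid = uid + UID_GID_SHIFT, gid + UID_GID_SHIFT
    return entry[resolve(mapping, "passwd.uid")], uid, gid


# Constructed Custom profile matching the text: userFilter class, username attribute,
# hexadecimal userid hashed into uidNumber, gidNumber left at its RFC 2307 default
CUSTOM = {"filter.passwd": "userFilter", "passwd.uid": "username",
          "passwd.uidNumber": "HASH(userid)", "passwd.gidNumber": ""}
ENTRY = {"objectClass": "userFilter", "username": "alice", "userid": "0x1f3a", "gidNumber": "5000"}
```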

About Nested Group Expansion

In a nested group, an LDAP group is itself a member of another LDAP group, which is how the hierarchy of an organization is represented. When users look up which groups a specific member belongs to, or the member list of a specific group, Synology NAS expands nested groups by following the member attribute of each LDAP group, which holds the DN (Distinguished Name) of each child group. Expanding a nested group can be very time-consuming in some circumstances, e.g. when the server does not index the member attribute or when groups are deeply nested. You can choose not to expand nested groups to avoid such delays.
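As an added illustration (not DSM's implementation), the expansion below follows member DNs breadth-first over a constructed directory, counts one lookup per group visited to show why deep nesting is costly, and stops on cycles and at a depth limit; direct_members shows what you get when expansion is switched off.

```python
from collections import deque

# Constructed directory: DN -> attributes. "member" holds DNs of users or child groups.
# cn=backend refers back to cn=staff to show a cycle an expander must survive.
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=com": {"objectClass": "groupOfNames", "member": [
        "cn=eng,ou=groups,dc=example,dc=com", "uid=dana,ou=people,dc=example,dc=com"]},
    "cn=eng,ou=groups,dc=example,dc=com": {"objectClass": "groupOfNames", "member": [
        "cn=backend,ou=groups,dc=example,dc=com", "uid=alice,ou=people,dc=example,dc=com"]},
    "cn=backend,ou=groups,dc=example,dc=com": {"objectClass": "groupOfNames", "member": [
        "uid=bob,ou=people,dc=example,dc=com", "cn=staff,ou=groups,dc=example,dc=com"]},
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": "posixAccount"},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": "posixAccount"},
    "uid=dana,ou=people,dc=example,dc=com": {"objectClass": "posixAccount"},
}


def is_group(dn):
    return DIRECTORY.get(dn, {}).get("objectClass") == "groupOfNames"


def expand_group(dn, max_depth=10, member_attr="member"):
    """Return (user DNs reachable from dn, number of group lookups performed)."""
    users, seen, lookups = set(), {dn}, 0
    queue = deque([(dn, 0)])
    while queue:
        current, depth = queue.popleft()
        lookups += 1  # one LDAP search per group; unindexed member attributes make each one slow
        for m in DIRECTORY.get(current, {}).get(member_attr, []):
            if m in seen:
                continue  # cycle or diamond: already expanded
            seen.add(m)
            if is_group(m):
                if depth + 1 <= max_depth:
                    queue.append((m, depth + 1))
            else:
                users.add(m)
    return users, lookups


def direct_members(dn):
    """Membership with nested expansion off: child groups are listed but not followed."""
    return {m for m in DIRECTORY.get(dn, {}).get("member", []) if not is_group(m)}
```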

About Client Certificates

Client certificates are supported. Some LDAP servers, e.g. Google LDAP, use certificates to authenticate clients. You can upload the client certificate after ticking the Enable client certificate option.

Note:

This function is supported on DSM 6.2.2 or above.
