LDAP allows your DiskStation to join an existing directory service as an LDAP client and retrieve user or group information from an LDAP server (or "directory server"). You can manage LDAP users' or groups' access privileges to DSM applications and shared folders, just as you would with local DSM users or groups. For more information about LDAP, please refer to the linked reference.
The supported LDAP standard is LDAP version 3 (RFC 2251).
After CIFS plain text password authentication is enabled, LDAP users might need to change their computers' SMB client settings so that the client is allowed to send the password in plain text; otherwise they cannot access DiskStation files via CIFS:
sudo touch /etc/nsmb.conf
sudo vi /etc/nsmb.conf
[default]
minauth=none
If you're using smbclient, please add the following keys in the [global] section of smb.conf:
encrypt passwords = no
client plaintext auth = yes
client lanman auth = yes
client ntlmv2 auth = no
If you're using mount.cifs, execute the following command:
echo 0x30030 > /proc/fs/cifs/SecurityFlags
For more information, please refer to https://www.kernel.org/doc/readme/Documentation-filesystems-cifs-README
Different LDAP servers might use different attributes for account names, group names, or to distinguish between accounts and groups. The Profile option allows you to specify or customize how user and group information is mapped to LDAP attributes. One of the following profiles can be selected depending on your LDAP server:
Customizing LDAP attribute mappings requires some background knowledge. Synology DSM and the Profile editor both adhere to RFC 2307. For example, if you set filter > passwd to userFilter, the DiskStation will interpret records with objectClass=userFilter on your LDAP server as LDAP accounts. If you set passwd > uid to username, the DiskStation will interpret the username attribute on your LDAP server as the account name. Leaving a mapping empty applies the RFC 2307 default.
DiskStation requires a fixed integer to serve as an LDAP account identifier (uidNumber) or a group identifier (gidNumber). However, not all LDAP servers use integers to represent such attributes. Therefore, a keyword HASH() is provided to convert such attributes to integers. For example, your LDAP server might use the attribute userid with a hexadecimal value as the unique identifier for an LDAP account. In this case, you can set passwd > uidNumber to HASH(userid), and then DiskStation will convert it into an integer.
The following is the summary of customizable attributes:
To avoid UID/GID conflicts between LDAP users/groups and local users/groups, you can enable UID/GID shifting, which shifts the UID/GID of LDAP users/groups by 1000000. This option applies only to non-Synology LDAP servers that provide a unique numerical ID attribute for each user/group.
In a nested group, an LDAP group is itself a member of another LDAP group, which is how an organization's hierarchy is represented. When users look up which groups a specific member belongs to, or the member list of a specific group, DiskStation expands a nested group according to the member attributes of the LDAP group, where the attribute references the DN (Distinguished Name) of a child group. Expanding a nested group can be very time-consuming in some circumstances, e.g. when the server does not index the member attribute or the group is deeply nested. You can choose not to expand nested groups to avoid this.
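The expansion described above, as an added example that is not Synology's code: a small in-memory stand-in for the directory (constructed data; the DNs and the groupOfNames/posixAccount classes are assumptions) and a resolver that follows member DNs into child groups, stops on cyclic memberships, bounds the depth, and can be told not to expand nested groups at all.

```python
# Added example (not DSM code): expanding nested LDAP groups by following the
# "member" attribute, whose values are DNs of users or of child groups.
# DIRECTORY is a constructed stand-in for the entries an LDAP server would return.
DIRECTORY = {
    "cn=eng,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=backend,ou=groups,dc=example,dc=com",
                   "uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=backend,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com",
                   "cn=eng,ou=groups,dc=example,dc=com"],  # cycle back to parent
    },
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["posixAccount"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["posixAccount"]},
}

def is_group(entry):
    return "groupOfNames" in entry.get("objectClass", [])

def expand_group(directory, group_dn, expand_nested=True, max_depth=8):
    """Return the set of user DNs that belong to group_dn.

    expand_nested=False returns only direct user members (the option of not
    expanding nested groups). Otherwise child-group DNs in the member attribute
    are followed; the visited set stops cycles and max_depth bounds deep trees.
    """
    users, visited = set(), set()

    def walk(dn, depth):
        if dn in visited or depth > max_depth:
            return
        visited.add(dn)
        for member_dn in directory.get(dn, {}).get("member", []):
            member = directory.get(member_dn)
            if member is None:
                continue  # dangling DN reference: skip it rather than fail
            if is_group(member):
                if expand_nested:
                    walk(member_dn, depth + 1)
            else:
                users.add(member_dn)

    walk(group_dn, 0)
    return users

def groups_of(directory, user_dn, expand_nested=True):
    """Return every group DN whose (optionally expanded) membership holds user_dn."""
    return {dn for dn, e in directory.items()
            if is_group(e) and user_dn in expand_group(directory, dn, expand_nested)}
```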
Client certificates are supported. Some LDAP servers, e.g. Google LDAP, use certificates to authenticate clients. You can upload the client certificate after ticking the Enable client certificate option.
This function is supported on DSM 6.2.2 or above.