[Network Administration]: Network directory with LDAP

Your humble blogger here at punctuated noise has a number of machines at home and a number of services that run on them. There’s a laptop that I usually work on, a Mac connected to the television, and a Linux server with mail, a web server, and a MySQL database. I wanted to also get a local WordPress site set up on it. The Linux machine is more horsepower than I really need, so ideally I would even replace that with a smaller box that just sips power. The administration overhead is beginning to get overwhelming. I also got one of these, a Synology NAS for network storage. Yet another machine with users and logins.

Luckily, this thing has an LDAP server that can be downloaded onto it. I could also load this up on the Linux box if need be. I’m going to try to unify everything through this directory server. Both the Linux box and the Macs should be able to do LDAP lookups for authentication, at least from what I can tell from a first look through it. (Ideally, I could get Kerberos running for single sign-on, but I have a feeling that the NAS is not going to support that.) The NAS LDAP server looks to be a forked OpenLDAP implementation specifically for Synology DSM. This is the manual. The manual is pretty straightforward, and I got this set up pretty quickly. It even has an option to encrypt over TLS or an SSL socket using ldaps://. I even got the local LDAP client to connect to it. So far, so good.

[Update 11/29/2012]: SSL certificates
OK, well, this appears to be not so straightforward. It looks like this Synology box uses a self-signed certificate for SSL on the server side. Not a big deal, but irritating. It spits out an error like:

additional info: TLS: hostname does not match CN in peer certificate

To get around it, you can create new certificates for the NAS whose CN matches the name the clients connect to, or you can have the clients skip verification of the server certificate entirely with the OpenLDAP setting:

TLS_REQCERT never

[Update 11/29/2012]: CIFS caveat
What is this?? From the directory server manual:

Note: If you bind your DiskStation to an LDAP server that is not Synology Directory Server, enabling LDAP’s CIFS support will enforce the PAM authorization mechanism, which requires client computers to transfer plaintext password (instead of encrypted one) during account authentication. LDAP users will need to modify their computer’s settings to enable plaintext support before they can access DiskStation files via CIFS. For detailed instructions, click the Help button at the top-right corner, and then refer to the “About CIFS Support and Client Computer’s Settings” section.

On the other hand, if you bind your DiskStation to Synology Directory Server, enabling LDAP’s CIFS support will adopt the NTLM (or NTLMv2) authorization mechanism, which allows LDAP users to authorize with their user credentials without making any changes to their computer settings.

This is basically saying that if I bind to a non-Synology server and enable SMB shares, user access will have to authenticate with plaintext passwords. Well, that’s not good at all.

[Update 12/1/2012]: Linux Login
Well, I got my Linux box (Ubuntu) to authenticate through pam_ldap. This was pretty straightforward.

Install packages:

sudo apt-get install libpam-ldap libnss-ldap

You can reconfigure the LDAP client package after install with:

sudo dpkg-reconfigure ldap-auth-config

Edit /etc/nsswitch.conf to add ldap to passwd, group and shadow:

passwd: compat ldap
group: compat ldap
shadow: compat ldap

Add nscd to the init.d startup:

sudo update-rc.d nscd enable

Enable TLS over the LDAP connection with the following in /etc/ldap.conf:

ssl start_tls
ssl on
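The script below is an added example, not code from the original post: it audits an ldap.conf for the two client-side TLS settings discussed on this page (the TLS_REQCERT never shortcut from the certificate update, which leaves the client accepting any server that presents a certificate, and the ssl lines above) and appends ldap to the nsswitch.conf databases without duplicating it. The file contents, hostnames and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit the client-side TLS
# settings of a pam_ldap/nss_ldap style ldap.conf and add "ldap" to the
# nsswitch.conf databases without duplicating it. Paths are arguments so
# the functions can be tried on copies before touching /etc.
# Print the last value of a key; ldap.conf keys are case-insensitive.
ldap_conf_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# Return 0 only when the client both encrypts and verifies the server;
# each weakness found is printed on its own line.
check_ldap_conf() {
    f=$1; rc=0
    case "$(ldap_conf_get "$f" ssl)|$(ldap_conf_get "$f" uri)" in
        "on|"*|"start_tls|"*|*"|ldaps://"*) ;;
        *) echo "plaintext: set 'ssl start_tls' or use an ldaps:// uri"; rc=1 ;;
    esac
    # Either spelling (OpenLDAP or pam_ldap style) turns peer verification off,
    # so a spoofed server would be accepted even though the session is encrypted.
    case "$(ldap_conf_get "$f" TLS_REQCERT)|$(ldap_conf_get "$f" tls_checkpeer)" in
        "never|"*|"allow|"*|*"|no") echo "server certificate is not verified"; rc=1 ;;
    esac
    [ -n "$(ldap_conf_get "$f" TLS_CACERT)$(ldap_conf_get "$f" tls_cacertfile)" ] ||
        { echo "no CA file: nothing to check the NAS's self-signed cert against"; rc=1; }
    return $rc
}

# Append "ldap" to the passwd, group and shadow lines that lack it, rewriting
# the file in place so its permissions survive.
enable_ldap_nss() {
    tmp=$(mktemp) || return 1
    sed -E '/^(passwd|group|shadow):/{/[[:space:]]ldap([[:space:]]|$)/!s/$/ ldap/;}' "$1" > "$tmp" &&
        cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed samples: the post's weak setting beside a corrected one. With
# TLS_REQCERT demand the uri host must also match the CN of the NAS certificate.
write_samples() {
    d=$(mktemp -d) || return 1
    printf 'uri ldap://nas.example.lan\nssl start_tls\nTLS_REQCERT never\n' > "$d/weak.conf"
    printf 'uri ldap://nas.example.lan\nssl start_tls\nTLS_REQCERT demand\nTLS_CACERT /etc/ssl/certs/nas.pem\n' > "$d/hard.conf"
    printf 'passwd: compat\ngroup: compat\nshadow: compat\nhosts: files dns\n' > "$d/nsswitch.conf"
    echo "$d"
}
d=$(write_samples)
for c in weak hard; do check_ldap_conf "$d/$c.conf" && echo "$c.conf: ok"; done
enable_ldap_nss "$d/nsswitch.conf" && cat "$d/nsswitch.conf"
```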

But now here’s where I ran into a pretty big problem. It turns out that PAM over LDAP for SSL connections, either with an ldaps:// URI or ldap:// over TLS, completely breaks “su”. See Debian bug 423252. It will spit out an error such as:

setgid: Operation not permitted

There’s a bug in libgcrypt11 (the encryption library) that pretty much prevents you from using encryption. Pretty ironic. It turns out that you’ll need release 1.5 or higher of the library.

Once I got that straightened out, I got logins to my linux box authenticating against the LDAP server.

[Update 12/5/2012]: Export Home Folders
The Synology box will create and export home folders when you authenticate as a user it knows about and user homes are enabled. If you enable user home directories for LDAP users, it’s also going to create them for local users. Basically, if I log in to the box, or try to mount the home directory, it creates home directories as needed for the user I’m authenticating as. The main issue I have is that it creates directory names like:

@LH-<LDAP_HOSTNAME>/<SOME_NUMBER>/<USERNAME>-<UID>/

It’s not that I have a problem with this structure, but I would need to mount this to /home/<USERNAME> on my Linux machine. Normally, I don’t think this is an issue as long as the naming is fully deterministic, but it doesn’t appear to be. That is what makes it difficult to create the automount map for the user if I wanted this mapped to /home/<USERNAME>.
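One way to work around the non-deterministic layout, as an added example and not something the post itself tried: an autofs program map that globs for @LH-*/*/<USERNAME>-<UID> at mount time and refuses to mount unless exactly one directory matches. The mount root, NFS server name and export path are my assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: an autofs program map that
# resolves the NAS's non-deterministic home path at mount time instead of
# hard-coding it in a static map. Assumptions (mine): the homes share is
# visible on the client under $HOMES_ROOT and exported over NFS from
# $NAS_SERVER:$NAS_EXPORT; the @LH-nas/12345 names below are constructed.
HOMES_ROOT=${HOMES_ROOT:-/mnt/nas-homes}
NAS_SERVER=${NAS_SERVER:-nas.example.lan}
NAS_EXPORT=${NAS_EXPORT:-/volume1/homes}

# Print the home of <user> relative to $HOMES_ROOT by matching
# @LH-<host>/<number>/<user>-<uid>. Fails unless exactly one directory
# matches, so an ambiguous layout never mounts someone else's files.
# The uid comes from NSS (id -u) unless passed explicitly as $2.
resolve_home() {
    user=$1; uid=${2:-$(id -u "$1" 2>/dev/null)}
    [ -n "$uid" ] || return 1
    set -- "$HOMES_ROOT"/@LH-*/*/"$user-$uid"
    [ $# -eq 1 ] && [ -d "$1" ] || return 1
    echo "${1#"$HOMES_ROOT"/}"
}

# autofs runs an executable map with the key (the username) as $1 and reads
# "options location" from stdout; no output means "no such key".
auto_home_map() {
    rel=$(resolve_home "$1" "$2") || return 1
    echo "-fstype=nfs,rw,hard $NAS_SERVER:$NAS_EXPORT/$rel"
}

# Constructed sample tree: alice has one home, bob two (ambiguous), carol none.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/@LH-nas/12345/alice-1001" "$d/@LH-nas/12345/bob-1002" "$d/@LH-nas/678/bob-1002"
    echo "$d"
}

if [ $# -eq 1 ]; then   # installed as /etc/auto.home.sh and listed in auto.master
    auto_home_map "$1"
else                    # run by hand: demonstrate on the sample tree
    HOMES_ROOT=$(make_sample_tree)
    for u in alice:1001 bob:1002 carol:1003; do
        resolve_home "${u%:*}" "${u#*:}" || echo "${u%:*}: no unique home"
    done
fi
```

Installed executable as /etc/auto.home.sh and referenced from auto.master as "/home /etc/auto.home.sh", it is treated as a program map, so each login resolves its own directory without a hand-written entry per user.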

Basically, after all this, I’m going to skip this and just set the LDAP directory up on my Linux server, and just use the client on the NAS. Later on, I can move this to single sign-on with Kerberos, as it’s more flexible anyway.

Oh yeah, and the server is not compiled with logging. Yet one more frustration.

Local Market Advertisements

One of the wonderful (or horrible) things about Austin being a smaller market is the proliferation of local advertising on television. Usually there’s a tag line to help you remember; typically they are overplayed and annoying, but they are always memorable.

When I moved to San Francisco, the market was so large that almost all of the ads were national ads. I don’t think I realized that I missed them until I got a chance to see some good local ads again.


Town and Country Leather: “Thanks for shopping local!”
I love this lady. I love that she has her face two stories tall plastered on billboards on I-35. I love the way that she says “Natuzzi” in the ad. I love that the recliners are “with power!” I love that the leather home theatre seating is so Texas and the red ones are just so horribly ugly.



Capitol Kia: “If I can’t beat a new Kia deal in Texas, I’m just gonna give it to you!”
These are great also. When we first moved here, the ads used to have just Bill Dickason, but now they have this lady in them also. Lately she’s usually holding a dog, which is just hilarious. They run constantly on the TV. It’s almost like it’s the soundtrack to your life. I love that everyone is so excited — “$199 a month!”, “500 available to choose from!”. They used to always say “Just in front of the water tower.”, but lately that’s been getting dropped. In the new ones, there are some shots of the showroom. The best part is that there are like a dozen clocks on the wall, probably with different time zones, because, when you’re buying your Kia in Central Texas you really need to know if now is an appropriate time to call someone in Shanghai.


Lorenz & Lorenz: “It’s just that easy!”
Unfortunately, I can’t find a recent ad on YouTube for this ambulance chaser. The new ads end with him snapping his fingers as an exclamation to the tagline “It’s just that easy!” If you go to his website you can see the new ad in the player. The embed code is broken, of course. Anyway, the old ad is still pretty good. I love his look with the hair and glasses. I love that his suit is too big. I love that he just keeps saying “serious”. I really wish that there was a recent one to paste in. “It’s just that easy!”