[Network Administration]: Network directory with LDAP

Your humble blogger here at punctuated noise has a number of machines at home and a number of services that run on them. There’s a laptop that I usually work on, a Mac connected to the television, and a Linux server with mail, a web server, and a MySQL database. I wanted to also get a local WordPress site set up on it. The Linux machine has more horsepower than I really need, so ideally I would even replace it with a smaller box that just sips power. The administration overhead is beginning to get overwhelming. I also got one of these, a Synology NAS, for network storage. Yet another machine with users and logins.

Luckily, this thing has an LDAP server package that can be downloaded onto it. I could also load this up on the Linux box if need be. I’m going to try to unify everything through this directory server. Both the Linux box and the Macs should be able to do LDAP lookups for authentication, at least from what I can tell on a first look through it. (Ideally, I could get Kerberos running for single sign-on, but I have a feeling that the NAS is not going to support that.) The NAS LDAP server looks to be a forked OpenLDAP implementation specifically for Synology DSM. This is the manual. The manual is pretty straightforward, and I got this set up pretty quickly. It even has an option to encrypt over TLS or an SSL socket using ldaps://. I even got the local LDAP client to connect to it. So far, so good.

[Update 11/29/2012]: SSL certificates
OK, well, this appears to be not so straightforward. It looks like this Synology box uses a self-signed certificate for SSL on the server side. Not a big deal, but irritating. The client spits out an error like:

additional info: TLS: hostname does not match CN in peer certificate

To get around it, you can create new certificates for the NAS, or you can have the clients not verify the server certificate with the OpenLDAP variable


[Update 11/29/2012]: CIFS caveat
What is this?? From the directory server manual:

Note: If you bind your DiskStation to an LDAP server that is not Synology Directory Server, enabling LDAP’s CIFS support will enforce the PAM authorization mechanism, which requires client computers to transfer plaintext password (instead of encrypted one) during account authentication. LDAP users will need to modify their computer’s settings to enable plaintext support before they can access DiskStation files via CIFS. For detailed instructions, click the Help button at the top-right corner, and then refer to the “About CIFS Support and Client Computer’s Settings” section.

On the other hand, if you bind your DiskStation to Synology Directory Server, enabling LDAP’s CIFS support will adopt the NTLM (or NTLMv2) authorization mechanism, which allows LDAP users to authorize with their user credentials without making any changes to their computer settings.

This is basically saying that if I bind to a non-Synology server and enable SMB shares, user access will have to be authenticated with plaintext passwords. Well, that’s not good at all.

[Update 12/1/2012]: Linux Login
Well, I got my Linux box (Ubuntu) to authenticate through pam_ldap. This was pretty straightforward.

Install packages:

sudo apt-get install libpam-ldap libnss-ldap

You can reconfigure the LDAP client setup after install with:

sudo dpkg-reconfigure ldap-auth-config

Edit /etc/nsswitch.conf to add ldap to the passwd, group, and shadow databases:

passwd: compat ldap
group: compat ldap
shadow: compat ldap

Enable nscd (the name service cache daemon) at startup:

sudo update-rc.d nscd enable

Enable TLS on the LDAP connection with the following in /etc/ldap.conf:

# these are alternatives, use one: start_tls for an ldap:// URI, on for an ldaps:// URI
ssl start_tls
ssl on
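As an added example (not the post’s own commands), this script applies the nsswitch.conf and ldap.conf edits from the steps above to copies of the files so they can be diffed before anything under /etc changes, and it handles the self-signed certificate problem from the SSL certificates update by trusting the NAS certificate explicitly instead of disabling verification. It assumes the PADL-style /etc/ldap.conf that Ubuntu’s ldap-auth-config manages, and the CA file path /etc/ssl/certs/nas-ca.pem is only a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: apply the "Linux Login" edits
# (ldap in nsswitch.conf, TLS in the PADL-style /etc/ldap.conf) to COPIES
# of the files so they can be diffed before /etc is touched.

# Exit status 0 when database $2 in nsswitch file $1 already lists ldap.
nss_has_ldap() {
    grep -Eq "^$2:.*[[:space:]]ldap"'([[:space:]]|$)' "$1"
}

# Append "ldap" to the passwd, group and shadow lines unless already listed,
# so re-running the script never produces "compat ldap ldap".
enable_ldap_nss() {
    f=$1
    for db in passwd group shadow; do
        if ! nss_has_ldap "$f" "$db"; then
            sed "s/^\($db:.*\)$/\1 ldap/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        fi
    done
}

# Replace any ssl / tls_checkpeer / tls_cacertfile lines in a PADL ldap.conf
# with STARTTLS plus peer verification against the CA file in $2. The
# shortcut the post mentions (not verifying the server) is "tls_checkpeer no";
# it silences the hostname error but also accepts a spoofed server, so the
# NAS certificate (or its issuing CA) is trusted explicitly instead.
set_ldap_tls() {
    f=$1
    cacert=$2
    grep -Ev '^(ssl|tls_checkpeer|tls_cacertfile)([[:space:]]|$)' "$f" > "$f.tmp" || true
    printf 'ssl start_tls\ntls_checkpeer yes\ntls_cacertfile %s\n' "$cacert" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# Dry run against copies of the live files; prints the resulting diffs.
preview() {
    work=$(mktemp -d)
    cp /etc/nsswitch.conf /etc/ldap.conf "$work/"
    enable_ldap_nss "$work/nsswitch.conf"
    set_ldap_tls "$work/ldap.conf" /etc/ssl/certs/nas-ca.pem   # CA path is an assumption
    diff -u /etc/nsswitch.conf "$work/nsswitch.conf"
    diff -u /etc/ldap.conf "$work/ldap.conf"
}
```

Run `preview` after sourcing the script; once the diffs look right, the same functions can be pointed at the real files.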

But now here’s where I ran into a pretty big problem. It turns out that PAM over LDAP with an encrypted connection, either with an ldaps:// URI or ldap:// over TLS, completely breaks “su”. See Debian bug 423252. It spits out an error such as:

setgid: Operation not permitted

There’s a bug in libgcrypt11 (the encryption library) that pretty much prevents you from using encryption. Pretty ironic. It turns out that you need release 1.5 or higher of the library.

Once I got that straightened out, I got logins to my Linux box authenticating against the LDAP server.

[Update 12/5/2012]: Export Home Folders
The Synology box will create and export home folders if you authenticate as a user it is aware of and user homes are enabled. If you enable user home directories for LDAP users, it’s also going to create them for local users. Basically, what happens is that if I log in to the box, or try to mount the home directory, it creates home directories as needed for the user I’m authenticating as. The main issue I have is that it creates directory names like:


It’s not that I have a problem with this structure, but I would need to mount this to /home/<USERNAME> on my Linux machine. Normally, I don’t think this is an issue as long as the naming is fully deterministic, but it doesn’t appear to be. That is what makes it difficult to create the automount map for the user if I want this mapped to /home/<USERNAME>.

Basically, after all this, I’m going to skip this and just set the LDAP directory up on my Linux server, and just use the client on the NAS. Later on, I can move this to single sign-on with Kerberos, as it’s more flexible anyway.

Oh, yeah, and the server is not compiled with logging. Yet one more frustration.


5 thoughts on “[Network Administration]: Network directory with LDAP”

  1. Concerning the “@LH-//-/” home folder path, why not simply use a mapping to \\NAS_SERVER\Home, which is a virtual folder mapped internally in the NAS following authentication?

  2. I know you posted this a while ago, so I’m hoping you see this and can help me. I’m looking for this manual, and every time I click the link (the one you have here as well as from Google linking to Synology’s website) it brings up “page not found”. I was wondering if by ANY chance you might still happen to have the information saved somewhere and could send it to me?? A PDF or something? You can email me at rthjmh@me.com
