Connect the NAS to an LDAP Directory

I – What is LDAP?

II – How to Join

III – Technical requirements of LDAP authentication with Microsoft Networking:

IV – Troubleshoot

 

I – What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is a directory that can store the information of all the users and groups in a centralized server. Using LDAP, the administrator can manage the users in the LDAP directory and allow the users to connect to multiple NAS servers with the same username and password.

This application note is intended for administrators and users who have some knowledge of Linux servers, LDAP servers, and Samba. An LDAP server that is up and running is required when using the LDAP feature of the QNAP NAS.

Required information/settings:

  • The LDAP server connection and authentication information
  • The LDAP structure, where the users and groups are stored
  • The LDAP server security settings

 

II – How to Join

Follow the steps below to connect the QNAP NAS to an LDAP directory.

  1. Log in to the web interface of the NAS as an administrator.
  2. Go to “Access Right Management” > “Domain Security”. By default, the option “No domain security” is enabled. That means only the local NAS users can connect to the NAS.
  3. Select “LDAP authentication” and complete the settings.

  • LDAP Server Host: The host name or IP address of the LDAP server.
  • LDAP Security: Specify how the NAS will communicate with the LDAP server:
    1. ldap:// = Use a standard, unencrypted LDAP connection (default port: 389). The Root DN password and user credentials are sent in cleartext.
    2. ldaps:// (LDAP + SSL) = Use an encrypted connection with SSL (default port: 636).
      This is usually used by older versions of LDAP servers.
    3. ldap:// (LDAP + TLS) = Use an encrypted connection with TLS negotiated on the standard port (default port: 389).
      This is usually used by newer versions of LDAP servers.
  • Base DN: The LDAP domain. For example: dc=mydomain,dc=local
  • Root DN: The LDAP root user. For example: cn=admin,dc=mydomain,dc=local
  • Password: The root user password.
  • Users Base DN: The organizational unit (OU) in which users are stored. For example: ou=people,dc=mydomain,dc=local
  • Groups Base DN: The organizational unit (OU) in which groups are stored. For example: ou=group,dc=mydomain,dc=local
  • Password Encryption Type: Select the hashing/encryption scheme that the LDAP server uses to store passwords. It must be the same as the LDAP server configuration, otherwise logins fail even though the NAS can connect.

Click “APPLY” to save the settings. Upon successful configuration, the NAS will be able to connect to the LDAP server.
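Before typing the settings into the NAS it is worth checking that the four DNs are consistent with each other and that the chosen security mode does not expose credentials. The following is an added example, not QNAP code: it parses the DNs the way the page's examples are written, confirms that Root DN, Users Base DN and Groups Base DN all lie under the Base DN, and flags a plain ldap:// connection to a remote host. The dictionary key names and the host value ldap.example.com are this script's own assumptions.

```python
import re


def parse_dn(dn):
    """Split a DN into (type, value) pairs; tolerates spaces after commas, mixed case and escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower().replace("\\,", ",")))
    return pairs


def is_under(child, base):
    """True if `child` is a strict descendant of `base` (its RDN list ends with base's RDNs)."""
    c, b = parse_dn(child), parse_dn(base)
    return len(c) > len(b) and c[-len(b):] == b


def check_settings(s):
    """Return a list of problems found in a set of NAS LDAP settings (empty list = consistent)."""
    problems = []
    for key in ("root_dn", "users_base_dn", "groups_base_dn"):
        if not is_under(s[key], s["base_dn"]):
            problems.append(f"{key} {s[key]!r} is not under base_dn {s['base_dn']!r}")
    # Plain ldap:// to anything but the local host leaks the Root DN password and every user login.
    if s["security"] == "ldap://" and s["host"] not in ("127.0.0.1", "localhost"):
        problems.append("plain ldap:// sends the Root DN password and user credentials unencrypted")
    return problems


# Constructed from the page's OpenLDAP configuration example; host name is a placeholder.
OPENLDAP_EXAMPLE = {
    "host": "ldap.example.com",
    "security": "ldaps://",
    "base_dn": "dc=qnap,dc=com",
    "root_dn": "cn=admin,dc=qnap,dc=com",
    "users_base_dn": "ou=people,dc=qnap,dc=com",
    "groups_base_dn": "ou=group,dc=qnap,dc=com",
}

if __name__ == "__main__":
    for line in check_settings(OPENLDAP_EXAMPLE) or ["settings look consistent"]:
        print(line)
```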

Set the permission for the LDAP users and groups to access the shared folders on the NAS.

When the NAS is connected to an LDAP server, the administrator can:

  • Go to “Access Right Management” > “Users” and select “Domain Users” from the drop-down menu. The LDAP users list will be shown.
  • Go to “Access Right Management” > “User Groups” and select “Domain Groups” from the drop-down menu. The LDAP groups will be shown.
  • Specify the folder permissions of the LDAP domain users or groups in “Access Right Management” > “Shared Folders” > “Folder Permissions”.
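The Password Encryption Type setting has to match the scheme the server actually stores in userPassword, and the quickest way to find out is to look at an exported entry. This added example (not QNAP or OpenLDAP code) reads the userPassword attribute from an LDIF entry, reports its {SCHEME} prefix, compares it with the value chosen on the NAS, and can verify a known password against {SHA}, {SSHA}, {MD5} and {SMD5} values offline. The sample entry is constructed here, and the spelling of the NAS drop-down values is assumed.

```python
import base64
import hashlib
import hmac
import os

# userPassword scheme prefixes this checker understands; salted variants append the salt to the digest
SCHEMES = {"{SHA}": "sha1", "{SSHA}": "sha1", "{MD5}": "md5", "{SMD5}": "md5"}


def scheme_of(stored):
    """Return the {SCHEME} prefix of a userPassword value, or {CLEAR} if it is not hashed."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1].upper()
    return "{CLEAR}"


def verify_password(password, stored):
    """Check a cleartext password against a stored OpenLDAP userPassword value."""
    scheme = scheme_of(stored)
    if scheme == "{CLEAR}":
        return hmac.compare_digest(stored.encode(), password.encode())
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported password scheme {scheme}")
    raw = base64.b64decode(stored[len(scheme):])
    size = hashlib.new(SCHEMES[scheme]).digest_size
    digest, salt = raw[:size], raw[size:]  # unsalted schemes simply have an empty salt
    calc = hashlib.new(SCHEMES[scheme], password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)


def make_ssha(password, salt=None):
    """Build an {SSHA} value in the format slappasswd produces (digest followed by a 4-byte salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def user_password_from_ldif(ldif):
    """Extract userPassword from an LDIF entry; 'userPassword::' marks a base64-encoded value."""
    for line in ldif.splitlines():
        if line.startswith("userPassword::"):
            return base64.b64decode(line.split("::", 1)[1].strip()).decode()
        if line.startswith("userPassword:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("entry has no userPassword attribute")


def scheme_matches_nas(ldif, nas_setting):
    """True if the entry's scheme equals the Password Encryption Type chosen on the NAS (e.g. 'SSHA')."""
    return scheme_of(user_password_from_ldif(ldif)) == "{" + nas_setting.upper() + "}"


# Constructed sample entry (not exported from a real directory); fixed salt keeps it reproducible
SAMPLE_LDIF = "dn: uid=alice,ou=people,dc=qnap,dc=com\nuid: alice\nuserPassword: " + make_ssha("secret", b"salt") + "\n"
```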

 

III – Technical requirements of LDAP authentication with Microsoft Networking:

Required items to authenticate the LDAP users on Microsoft Networking (Samba):

  1. Third-party software on the LDAP server to synchronize passwords between LDAP and Samba.
  2. The Samba schema imported into the LDAP directory.

(1) Third-party software:

Several tools are available that manage LDAP users, including their Samba passwords. For example:

  • LDAP Account Manager (LAM), with a Web-based interface, available at: http://www.ldap-account-manager.org/
  • smbldap-tools (command line tool)
  • webmin-ldap-useradmin – LDAP user administration module for Webmin.

(2) Samba schema:

To import the samba schema to the LDAP server, please refer to the documentation or FAQ of the LDAP server.

The samba.schema file is required and can be found in the directory examples/LDAP in the Samba source distribution.

Example for open-ldap in the Linux server where the LDAP server is running (it can be different depending on the Linux distribution):

Copy the samba schema:

zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Edit /etc/ldap/slapd.conf (openldap server configuration file) and make sure the following lines are present in the file:

include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema

Configuration examples:

The following are some configuration examples. They are not mandatory and need to be adapted to match the LDAP server configuration:

  1. Linux OpenLDAP Server:
    Base DN: dc=qnap,dc=com
    Root DN: cn=admin,dc=qnap,dc=com
    Users Base DN: ou=people,dc=qnap,dc=com
    Groups Base DN: ou=group,dc=qnap,dc=com
  2. Mac Open Directory Server
    Base DN: dc=macserver,dc=qnap,dc=com
    Root DN: uid=root,cn=users,dc=macserver,dc=qnap,dc=com
    Users Base DN: cn=users,dc=macserver,dc=qnap,dc=com
    Groups Base DN: cn=groups,dc=macserver,dc=qnap,dc=com

 

IV – Troubleshoot

Everything seems fine but I can't see my users:

On the Domain Controller, go to:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Domain controller: LDAP server signing requirements. The value must be “None”. Note that this relaxes the domain controller's signing policy for all LDAP clients; a signing requirement is also satisfied when the NAS connects over SSL/TLS, so prefer one of the encrypted LDAP Security options before changing this setting.
