What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. It is a directory that can store the information of all the users and groups in a centralized server. Using LDAP, the administrator can manage the users in the LDAP directory and allow the users to connect to multiple NAS servers with the same username and password.
This application note is intended for administrators and users who have some knowledge of Linux servers, LDAP servers, and Samba. An LDAP server that is up and running is required when using the LDAP feature of the QNAP NAS.
- The LDAP server connection and authentication information
- The LDAP structure, where the users and groups are stored
- The LDAP server security settings
Follow the steps below to connect the QNAP NAS to an LDAP directory.
- Log in to the web interface of the NAS as an administrator.
- Go to “Access Right Management” > “Domain Security”. By default, the option “No domain security” is enabled. That means only the local NAS users can connect to the NAS.
- Select “LDAP authentication” and complete the settings.
- LDAP Server Host: The host name or IP address of the LDAP server.
- LDAP Security: Specify how the NAS will communicate with the LDAP server:
  - ldap:// = Use a standard LDAP connection (default port: 389).
  - ldap:// (ldap + SSL) = Use an encrypted connection with SSL (default port: 686). This is usually used by older versions of LDAP servers.
  - ldap:// (ldap + TLS) = Use an encrypted connection with TLS (default port: 389). This is usually used by newer versions of LDAP servers.
- BASE DN: The LDAP domain. For example: dc=mydomain,dc=local
- Root DN: The LDAP root user. For example: cn=admin,dc=mydomain,dc=local
- Password: The root user password.
- Users Base DN: The organization unit (OU) in which users are stored. For example: ou=people,dc=mydomain,dc=local
- Groups Base DN: The organization unit (OU) in which groups are stored. For example: ou=group,dc=mydomain,dc=local
- Password Encryption Type: Select the encryption type that the LDAP server uses to store the password. It must be the same as the LDAP server configuration.
Click “APPLY” to save the settings. Upon successful configuration, the NAS will be able to connect to the LDAP server.
Set the permission for the LDAP users and groups to access the shared folders on the NAS.
When the NAS is connected to an LDAP server, the administrator can:
- Go to “Access Right Management” > “Users” and select “Domain Users” from the drop-down menu. The LDAP users list will be shown.
- Go to “Access Right Management” > “User Groups” and select “Domain Groups” from the drop-down menu. The LDAP groups will be shown.
- Specify the folder permissions of the LDAP domain users or groups in “Access Right Management” > “Shared Folders” > “Folder Permissions”.
Technical requirements of LDAP authentication with Microsoft Networking:
Required items to authenticate the LDAP users on Microsoft Networking (Samba):
- Third-party software to synchronize the password between LDAP and Samba on the LDAP server.
- The Samba schema imported into the LDAP directory.
(1) Third-party software:
Several software packages are available that can manage the LDAP users, including the Samba password. For example:
- LDAP Account Manager (LAM), with a Web-based interface, available at:
- smbldap-tools (command line tool)
- webmin-ldap-useradmin – LDAP user administration module for Webmin.
(2) Samba schema:
To import the Samba schema to the LDAP server, please refer to the documentation or FAQ of the LDAP server.
The samba.schema file is required and can be found in the directory examples/LDAP in the Samba source distribution.
Example for OpenLDAP on the Linux server where the LDAP server is running (it can be different depending on the Linux distribution):
Copy the samba schema:
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
Edit /etc/ldap/slapd.conf (the OpenLDAP server configuration file) and make sure the following lines are present in the file:
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
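As an added example (not part of the original note and not QNAP or Samba tooling), the shell functions below check that the four schema includes listed above are active in slapd.conf, ignoring commented-out lines. The check goes beyond the note by also flagging prerequisites that appear after samba.schema, on the assumption that slapd reads include lines in order and that samba.schema builds on cosine, inetorgperson and nis; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original note): audit schema includes in slapd.conf.

# Print the line number of the first active "include <path>/NAME" in FILE.
# Commented-out lines ("#include ...") are ignored because $1 is not "include".
include_line() {
    awk -v want="$2" '
        $1 == "include" {
            n = split($2, part, "/")
            if (part[n] == want) { print NR; exit }
        }' "$1"
}

# Report missing schemas, and prerequisites that appear after samba.schema.
# Assumption: slapd processes include lines top to bottom, so the schemas
# that samba.schema builds on must already be loaded when it is read.
# Returns 0 when nothing is reported, 1 otherwise.
check_schema_includes() {
    conf=$1
    rc=0
    samba=$(include_line "$conf" samba.schema)
    if [ -z "$samba" ]; then
        echo "MISSING: samba.schema"
        rc=1
    fi
    for dep in cosine.schema inetorgperson.schema nis.schema; do
        line=$(include_line "$conf" "$dep")
        if [ -z "$line" ]; then
            echo "MISSING: $dep"
            rc=1
        elif [ -n "$samba" ] && [ "$line" -gt "$samba" ]; then
            echo "ORDER: $dep (line $line) comes after samba.schema (line $samba)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample file: nis.schema is commented out, so it counts as missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
#include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
EOF
check_schema_includes "$sample" || echo "slapd.conf needs attention"
rm -f "$sample"
```

Run `check_schema_includes /etc/ldap/slapd.conf` on the LDAP server before restarting slapd; an empty report with exit status 0 means all four includes are active and ordered.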
The following are some configuration examples. They are not mandatory and need to be adapted to match the LDAP server configuration:
- Linux OpenLDAP Server:
Base DN: dc=qnap,dc=com
Root DN: cn=admin,dc=qnap,dc=com
Users Base DN: ou=people,dc=qnap,dc=com
Groups Base DN: ou=group,dc=qnap,dc=com
- Mac Open Directory Server
Base DN: dc=macserver,dc=qnap,dc=com
Root DN: uid=root,cn=users,dc=macserver,dc=qnap,dc=com
Users Base DN: cn=users,dc=macserver,dc=qnap,dc=com
Groups Base DN: cn=groups,dc=macserver,dc=qnap,dc=com