How do I join my Synology NAS to Google Secure LDAP?
Purpose
This tutorial guides you through the process of joining your Synology NAS to Google Secure LDAP service by configuring Google Secure LDAP settings and the connection settings on your Synology NAS. When the setup is complete, you can access Synology NAS using your Google accounts.
Notes:
- The instructions below are based on Google Secure LDAP service. The actual steps may vary as Google updates its user interface.
Resolution
1. Before you start
Before starting, please make sure:
- Your organization has an edition of Google Workspace that supports Secure LDAP service (refer to this article). Google Secure LDAP service is not available to personal Google accounts.
- You are using an account belonging to the administrators group on your Synology NAS.
- You have updated your DSM version to 6.2.2 or above. This service is only available for users with DSM version 6.2.2 or above. For a smoother and faster experience when accessing the Google Secure LDAP service, we recommend updating your Synology NAS to DSM 7.
2. Setting up Google Secure LDAP service
To use Google LDAP service, use your Google account to set up Google Workspace and apply for LDAP service. You will need to add LDAP clients to Google Secure LDAP service to be able to use this service. Sign in to Google admin console with a super administrator account, then follow the steps below to set this up.
2.1 Add LDAP clients
Follow the instructions in this Google Help page for step-by-step help on how to add LDAP clients. As an example for this tutorial, we will use "ldapsearch" as an LDAP client name for Synology NAS.
2.2 Configure access permissions
The next step is to configure Access Permissions for the client. You will be able to specify:
- The LDAP client's access level for verifying user credentials
- The LDAP client's access level for reading user information
- Whether the client is able to read group information
Follow the instructions in this Google Help page for how to configure access permissions. You must set both Verify user credential and Read user information permission levels to Entire domain (syno.net), and toggle On for Read group information for your Synology NAS.
2.3 Generate a certificate and download it
After you have configured client access permission, you will need to generate a certificate and import it into your Synology NAS. Click on the GENERATE NEW CERTIFICATE button to generate a certificate which will be used to authenticate the connection between Google LDAP service and your Synology NAS. You must download this certificate and upload it to your Synology NAS to authenticate the connection. Follow the instructions in this Google Help page on how to download the certificate.
2.4 Generate access credentials
As an extra layer of security, Synology NAS requires a username and password to join Google LDAP. Therefore, in addition to the authentication certificate, you will need to obtain access credentials (i.e., usernames and passwords). Follow the instructions in this Google Help page to complete this process.
Finally, after you have configured access permissions, downloaded the certificate, and generated access credentials, review your settings on the page. Make sure the status is ON. You are ready to move on to setting up the LDAP connection on your Synology NAS.
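Before uploading the .crt and .key files to DSM, the certificate bundle from 2.3 and the access credentials from 2.4 can be checked from an admin workstation. The following is an added example, not part of Synology's or Google's instructions; it assumes openssl and OpenLDAP's ldapsearch are installed, and the function names, file names and search filter are placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Google Secure LDAP client bundle.
# Assumes openssl and OpenLDAP's ldapsearch; all file names are placeholders.

# Derive the Base DN from the Workspace domain: syno.net -> dc=syno,dc=net.
# Rejects empty input, leading/trailing/double dots and non-DNS characters.
base_dn_from_domain() {
    case $1 in
        '' | .* | *. | *..* | *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Return 0 only if the .crt and .key are a matching pair and the
# certificate has not expired. 2 = unreadable, 3 = unparsable,
# 4 = key/certificate mismatch, 5 = expired.
check_client_cert() {
    crt=$1 key=$2
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "cannot read $crt or $key" >&2; return 2
    fi
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 4
    fi
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || {
        echo "certificate has expired" >&2; return 5; }
}

# Live check: bind with the access credentials over LDAPS while presenting
# the client certificate, then list the DNs that match the filter.
# pwfile holds the access-credential password with no trailing newline
# (ldapsearch -y uses the file contents verbatim).
query_google_ldap() {
    crt=$1 key=$2 bind_user=$3 pwfile=$4 base_dn=$5 filter=$6
    check_client_cert "$crt" "$key" || return
    LDAPTLS_CERT=$crt LDAPTLS_KEY=$key LDAPTLS_REQCERT=demand \
        ldapsearch -x -H ldaps://ldap.google.com:636 \
        -D "$bind_user" -y "$pwfile" -b "$base_dn" "$filter" dn
}

# Usage (values are placeholders):
#   query_google_ldap client.crt client.key "$BIND_USER" pw.txt \
#       "$(base_dn_from_domain syno.net)" '(mail=synotest@syno.net)'
```

If the bind succeeds but expected users are missing from the result, recheck the access permissions from 2.2 before changing anything on the NAS.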
3. Join your Synology NAS to Google Secure LDAP service
For DSM 7:
- After you have configured the settings on Google admin console, go to DSM Control Panel > Domain/LDAP > Domain/LDAP.
- Click Join.
- Configure the following settings and click Next:
  - Server type: Select Auto-detect or LDAP.
  - Server address: Enter "ldap.google.com".
- Configure the following settings:
  - Bind DN or LDAP administrator account: Enter the username of your Google Secure LDAP's administrator account.
  - Password: Enter the password of your Google Secure LDAP's administrator account.
  - Encryption: Select SSL/TLS.
  - Base DN: Enter the base DN of your Google Secure LDAP service. As an example, the Google account we used is "synotest@syno.net" and our domain is "syno.net", so we enter its base DN "dc=syno,dc=net".
  - Profile: Select Standard.
  - Tick Enable client certificate and configure the following:
    - Click the Upload Client Certificate button. A window will appear.
    - The downloaded Google LDAP certificate should be in a zip folder. Unzip the folder first.
    - For Certificate, choose the .crt file from the Google LDAP certificate folder to import.
    - For Private Key, choose the .key file from the Google LDAP certificate folder to import.
    - Click OK to save.
- Click Next, and the wizard will run a precondition check and join your Synology NAS to the Google Secure LDAP service.
- After joining your NAS to the LDAP service, click the Edit button at the top of the Domain/LDAP tab.
- Under the Advanced tab, configure the following options and save the settings:
For DSM 6.2.2:
- After you have configured the settings on Google admin console, go to DSM Control Panel > Domain/LDAP > LDAP.
- Tick Enable LDAP Client.
- Configure the following options:
  - LDAP Server address: Enter "ldap.google.com".
  - Encryption: Select SSL/TLS.
  - Base DN: Enter the base DN of your Google Secure LDAP service. As an example, the Google account we used is "synotest@syno.net" and our domain is "syno.net", so we enter its base DN "dc=syno,dc=net".
  - Profile: Select Standard.
  - Tick Enable CIFS plain text password authentication.
  - Tick Do not expand nested groups.
  - Tick Enable client certificate and configure the following:
    - Click the Upload Client Certificate button. A window will appear.
    - The downloaded Google LDAP certificate should be in a zip folder. Unzip the folder first.
    - For Certificate, choose the .crt file from the Google LDAP certificate folder to import.
    - For Private Key, choose the .key file from the Google LDAP certificate folder to import.
    - Click OK to save.
- Click Apply.
- A pop-up window will appear requesting the administrator account and password of your Google Workspace for authentication. Enter your information and click Apply. This completes the setup process for joining your Synology NAS to Google Secure LDAP service.
4. Unbind Google Secure LDAP service from your Synology NAS
If you want to join your Synology NAS to other directory services, follow the steps below to unbind Google Secure LDAP service:
- For DSM 7: Go to Control Panel > Domain/LDAP > Domain/LDAP. Click Leave LDAP.
- For DSM 6.2.2: Go to Control Panel > Domain/LDAP > LDAP. Untick Enable LDAP Client.
Notes:
- To allow Google Secure LDAP users to access shared folders on Synology NAS via SMB, set Maximum SMB protocol and Minimum SMB protocol to SMB1. However, enabling SMB1 is insecure and could make your Synology NAS vulnerable to attacks. Proceed only if you understand and accept the risks.
  - DSM 7: At Control Panel > File Services > SMB > Advanced Settings.
  - DSM 6.2: At Control Panel > File Services > SMB/AFP/NFS > SMB > Advanced Settings.
- Before connecting client computers to your Synology NAS via SMB, make sure they have enabled SMB1 and allowed passwords to be transferred in plain text and without encryption. Refer to the DSM 7 or DSM 6.2 help article for more information on CIFS support and client computer settings.
- If you experience issues such as partial listing of LDAP users or inability to load user data, make sure that you have followed the instructions in Chapter 2.2 and granted the correct permissions to your LDAP client.