
How to join the Synology NAS to the LDAP directory service

Overview

When the directory service is set up on Directory Server or any other LDAP server, Synology NAS and other LDAP clients (such as Mac and Linux computers) can be bound to the server to join the directory service. With LDAP support, managing user accounts and privileges becomes much more efficient: because a Synology DiskStation can join any existing LDAP directory service, it greatly reduces the time spent creating separate sets of accounts for different services.

This article explains how to join the Synology NAS to an LDAP directory server.

Contents

  1. Before you start
  2. Limitations
  3. To bind your DiskStation to an LDAP server

1. Before you start

This article assumes that you have done the following tasks for your DiskStation:

  • Updated the DiskStation Manager (DSM) to the latest version.
  • Logged in under DSM admin (or a user belonging to the administrators group) for your DiskStation.

Refer to How to Host a Directory Server Using Synology NAS for more information on hosting a directory server on a Synology NAS.


2. Limitations

Please see the following limitations.

  • Your DiskStation can be bound to only one LDAP server at a time.
  • If you use the LDAP functionality described in this article to bind your DiskStation to a server whose users and groups do not carry the posixAccount object class (for example, a Windows Domain Controller or Microsoft Exchange Server), your DiskStation will not be able to retrieve LDAP user and group information from that server.
  • If you want to bind your DiskStation to a Windows Domain Controller to retrieve the information of domain users and groups, go to Main Menu > Control Panel > Win/Mac/NFS > Domain/Workgroup. However, you are not allowed to bind your DiskStation to an LDAP server and Windows Domain Controller at the same time.
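The posixAccount limitation above can be checked before binding. The following script is an added example (not Synology's code): it parses an LDIF export of the Base DN and reports which user-like entries lack posixAccount and which group-like entries lack posixGroup, i.e. the entries the DiskStation would not list. The LDIF sample is constructed for this example; the export command mentioned in the docstring (`ldapsearch -LLL -b "<Base DN>"`) is an assumed way to obtain real input.

```python
"""Audit an LDIF export for the posixAccount / posixGroup object classes.

Added example (not Synology's code). DSM's LDAP client lists only users
that carry posixAccount and groups that carry posixGroup, so auditing an
export of the Base DN before binding shows which entries the DiskStation
would not see. SAMPLE_LDIF below is constructed for this example; real
input would come from an export such as `ldapsearch -LLL -b "<Base DN>"`
(assumed tool and options).
"""
import base64
from collections import defaultdict

# Constructed sample: two users and two groups; ldap2 and reviewers lack the POSIX classes.
SAMPLE_LDIF = """\
dn: uid=ldap1,ou=users,dc=ldap,dc=synology,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: ldap1
uidNumber: 1000001
gidNumber: 1000001
homeDirectory: /home/ldap1

dn: uid=ldap2,ou=users,dc=ldap,dc=synology,dc=com
objectClass: inetOrgPerson
uid: ldap2
mail: ldap2@ldap.synology.com

dn: cn=staff,ou=groups,dc=ldap,dc=synology,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 1000001
memberUid: ldap1

dn: cn=reviewers,ou=groups,dc=ldap,dc=synology,dc=com
objectClass: groupOfNames
cn: reviewers
member: uid=ldap1,ou=users,dc=ldap,dc=synology,dc=com
"""

USER_CLASSES = {"inetorgperson", "organizationalperson", "person", "account"}
GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, attributes) tuples.

    Attribute names are lower-cased and map to lists of values. Folded lines
    (continuations starting with a space) are joined, and base64 values
    written with '::' are decoded.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, dn, attrs = [], None, None
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value.startswith(":"):          # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if key == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[key].append(value)
    return entries


def audit_posix_classes(ldif_text):
    """Sort user-like and group-like entries into 'visible to DSM' and 'missing POSIX class'."""
    report = {"users_ok": [], "users_missing_posix": [],
              "groups_ok": [], "groups_missing_posix": []}
    for dn, attrs in parse_ldif(ldif_text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        looks_like_user = "uid" in attrs or bool(classes & USER_CLASSES)
        looks_like_group = ("memberuid" in attrs or "member" in attrs
                            or bool(classes & GROUP_CLASSES))
        if "posixaccount" in classes:
            report["users_ok"].append(dn)
        elif looks_like_user:
            report["users_missing_posix"].append(dn)
        if "posixgroup" in classes:
            report["groups_ok"].append(dn)
        elif looks_like_group:
            report["groups_missing_posix"].append(dn)
    return report


if __name__ == "__main__":
    for bucket, dns in audit_posix_classes(SAMPLE_LDIF).items():
        print(f"{bucket}: {len(dns)}")
        for dn in dns:
            print("   ", dn)
```

Run against the sample, the script lists ldap1 and staff as visible, and flags ldap2 (no posixAccount) and reviewers (groupOfNames without posixGroup) as entries DSM would skip; fixing the schema on the server side, or adding the auxiliary POSIX classes to those entries, is what makes them appear under the LDAP User and LDAP Group tabs.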


3. To bind your DiskStation to an LDAP server

  1. Log in to DSM as admin (or a user belonging to the administrators group), go to Main Menu > Control Panel > LDAP, and then tick Enable LDAP Client.
  2. Enter the IP address or hostname of the LDAP server in the LDAP Server address field.
  3. Choose an encryption type from the Encryption drop-down menu to secure the LDAP connection.
  4. Enter the Base DN of the LDAP server in the Base DN field, or choose an available Base DN from the Base DN drop-down menu.
  5. Tick Enable Windows CIFS support to allow LDAP users to access DiskStation files from their computers via the CIFS protocol.

     Note: If you bind your DiskStation to an LDAP server that is not Synology Directory Server, enabling LDAP's CIFS support enforces the PAM authentication mechanism, which requires client computers to send the password in plaintext (rather than encrypted) during account authentication. LDAP users will need to change their computer settings to enable plaintext support before they can access DiskStation files via CIFS.

     For detailed instructions, click the Help button at the top-right corner and refer to the "About CIFS Support and Client Computer's Settings" section. If instead you bind your DiskStation to Synology Directory Server, enabling LDAP's CIFS support uses the NTLM (or NTLMv2) authentication mechanism, which lets LDAP users authenticate with their user credentials without changing any computer settings.
  6. Click OK.
  7. In the authentication window that appears, do the following:
    • Enter the distinguished name (DN) or account name of an LDAP administrator (such as root or a user belonging to Directory Server's Directory Operators group) in the Bind DN or LDAP administrator account field.
    • Enter the password for the LDAP administrator in the Password field.
    • Click Apply.

After your DiskStation is bound to the LDAP server, it will start retrieving LDAP user and group information from the server and display it under the LDAP User and LDAP Group tabs.

Note:
Not all DSM applications can be accessed by LDAP users. For a complete list of supported applications, please refer to Domain Integration by clicking the green Software spec & applied models button.

If LDAP users want to access DiskStation files from their computer via the AFP protocol, they will need to authenticate with the username "LDAP_Username@Suffix". For example, if the name of the LDAP user is "ldap1" and the Base DN of the LDAP database is "dc=ldap,dc=synology,dc=com", then the suffix is "ldap.synology.com", and the user authenticates with the username "ldap1@ldap.synology.com".
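The AFP login name rule above, carried through in code as an added example (not Synology's code): the helper splits the Base DN into its RDNs, keeps the dc= components in order and joins them with dots. It goes slightly beyond the article's example in that it assumes non-dc components such as ou= are simply ignored when a Base DN contains them, and in handling backslash-escaped commas inside RDN values.

```python
"""Build the AFP login name "LDAP_Username@Suffix" from a Base DN.

Added example, not Synology's code. It applies the rule shown in the
article (the suffix is the Base DN's dc= components joined with dots)
and, as an assumption, ignores any non-dc components such as ou=.
"""
import re


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def base_dn_to_suffix(base_dn):
    """Return the dotted domain suffix, e.g. dc=ldap,dc=synology,dc=com -> ldap.synology.com."""
    dcs = [value for attr, value in split_dn(base_dn) if attr == "dc"]
    if not dcs:
        raise ValueError("Base DN contains no dc= components")
    return ".".join(dcs)


def afp_login_name(username, base_dn):
    """Return the name an LDAP user enters when connecting over AFP."""
    return f"{username}@{base_dn_to_suffix(base_dn)}"


if __name__ == "__main__":
    print(afp_login_name("ldap1", "dc=ldap,dc=synology,dc=com"))
```

A Base DN without any dc= component (for example one built only from o= and ou=) raises ValueError rather than producing an empty suffix, so a misconfigured Base DN is caught instead of silently yielding a login name of the form "user@".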

