
Setting up Synology LDAP with Nextcloud

mikedolx edited this page Nov 8, 2019 · 6 revisions

This article describes how to set up a Synology LDAP server and connect a Nextcloud instance to it.

-> sorry, no screenshots yet!

Topics

  • Setting up Synology LDAP server
  • Setting up LDAP Admin for Windows (optional)
  • Setting up LDAP in Nextcloud
  • Pitfalls
  • Security Tweaks

Setting up Synology LDAP server

The following guide was made with DSM 6.2.2-24922 and LDAP Server 2.4.40-2496. If you haven't installed the LDAP Server yet, go to the Package Center, search for 'LDAP Server' and install it. Note: older versions of DSM may still ship the older LDAP server package named Directory Server.

Steps to install:

  • Open the LDAP server UI

  • Set the check mark at 'Enable LDAP Server'

  • Choose 'As the provider server'

  • enter your desired domain name like mydomain.de

  • provide a sufficiently secure bind password

  • [recommended] open connection settings

    • set check mark at 'disallow anonymous binds'
    • force clients to use encrypted connections
      • If you choose this setting, make sure you have set up a valid SSL certificate under Control Panel -> Security -> Certificates. If you use a self-signed certificate, bear in mind that your connecting client may need to import the custom root certificate. Depending on the app, importing a root certificate may be hard to achieve. The best practice, from my point of view, is to use a Let's Encrypt certificate.
  • Apply the settings and make a note of your base dn and bind dn, written on the lower part of the LDAP Server front UI.

  • Add at least one group to your directory that will contain the users your Nextcloud shall see (ex.: NextCloudUserGroup).

  • Add one or more users to your directory

    • Select 'Manage User' on the LDAP Server UI
    • Select 'create' and follow the wizard to create a new user. Add the user to the previously created group (ex.: NextCloudUserGroup)
    • There is no need to put anything under 'More Attributes'; you may add additional info if you want, but Nextcloud will not read it.

That's it, you have set up an LDAP server. The next step is to test the server with LDAP Admin.

Setting up LDAP Admin for Windows (optional)

LDAP Admin is a small but powerful Windows app that lets you browse and edit an LDAP server. I use it mainly to verify that the Synology LDAP server is working and to check the properties of a single LDAP entry. It is also very convenient for copying the 'dn' of a single user or tree.

-> If you know a better/nicer/cooler tool you may share this info here somehow.

-> You can skip this step if you don't want to play around with your LDAP server

Steps to install and setup:

  • Go to https://sourceforge.net/projects/ldapadmin/ and download the tool.
    • Currently it seems that Sourceforge downloads are not working (at least on my PC). If you know what's wrong, let me know.
  • Unzip and start the app. No installation needed (yay).
  • Select Start -> Connect (or use the fancy icon on the top left)
  • Create a new connection
    • Connection name: test-connection (or something that suits your needs)
    • General Tab:
      • Host: IP or host name of your Synology NAS that runs the LDAP server
      • Port: 389 (if you choose not to use encryption, otherwise 636)
      • Base: enter here your noted base dn (like: dc=mydomain,dc=de)
      • Under Account, deselect the 'anonymous' checkmark and enter the previously noted bind dn (like: uid=root,cn=users,dc=mydomain,dc=de)
      • Password: the password you have entered in the LDAP Server UI
      • You may now make the first connection attempt by clicking either 'Fetch DNs' to the right of the base dn field or 'Test Connection' on the lower left side of the settings UI
      • If the connection test was successful, click ok to confirm the settings and open the LDAP connection by double clicking on the newly created connection.

Done! You can now browse your Synology LDAP server. If you select any node in the tree and right-click it, you have the option to copy its dn to the clipboard. This feature will come in handy when setting up LDAP in Nextcloud.

Setting up LDAP in Nextcloud

To use your LDAP server in your Nextcloud instance, you have to enable the app "LDAP user and group backend". Afterwards open the admin settings and go to "LDAP / AD Integration".

I wrote this guide in English. If you have set up your Nextcloud in a different language, you may switch to English in your personal settings to complete the LDAP setup.

There are 6 tabs that require input:

  • Server
  • Users
  • Login Attributes
  • Groups
  • Advanced
  • Expert

To set up your Synology LDAP server follow the steps below:

Server

  • Hostname and Port:
    • no encryption:
      • host: ldap://mydomain.de
      • port: 389
    • with encryption:
      • host: ldaps://mydomain.de
      • port: 636
  • User DN: uid=nextcloud,cn=users,dc=mydomain,dc=de
  • Password: the password you set up in the first chapter on your Synology LDAP Server
    • Click on 'Save Credentials'
  • Base DN: dc=mydomain,dc=de
  • You may now try to use "Test Base DN"

Users

  • Click on "Edit LDAP Query" and enter the following:
  • (&(|(objectclass=inetOrgPerson))(|(memberof=cn=NextCloudUserGroup,cn=groups,dc=mydomain,dc=de)))
    • The query above means more or less: select all entries that have the attribute objectclass with the value inetOrgPerson AND are members of the group NextCloudUserGroup.
  • Try to use "Verify settings and count users". If it's not successful, go on with the next steps.

Login Attributes

  • Click on "Edit LDAP Query" and enter the following:
  • (&(|(objectClass=inetOrgPerson))(uid=%uid))
    • Here you enter the query that shall match the user id within your LDAP Server. %uid is a placeholder for the user name that is entered on the login screen.
  • Try to verify a user by entering the username and clicking on "Verify Settings". A notification should appear on top, saying "User found and settings verified".
    • If this step is not successful, go on to the next tab.

Groups

  • Click on "Edit LDAP Query" and enter the following:
  • (|(cn=NextCloudUserGroup))
  • Try to verify the groups by clicking on "Verify settings and count the groups".
    • If this step is not successful, go on to the next tab.
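The three queries entered in the Users, Login Attributes and Groups tabs are plain RFC 4515 LDAP filters, so you can check what they select before pasting them into Nextcloud. The following Python evaluator is an added example, not code from Nextcloud, Synology or LDAP Admin. The directory entries in it are constructed to mirror the DNs used in this guide (a member of NextCloudUserGroup, a non-member, and the group itself); the `memberOf` values assume the server exposes that attribute as the Users query expects. It also shows why `%uid` must be escaped before it is substituted: an unescaped `*` turns the login filter into a presence test that matches every user instead of one.

```python
"""Minimal RFC 4515 LDAP filter evaluator (added example, not code from
Nextcloud, Synology or LDAP Admin): and/or/not, equality, presence, substring."""
import re
from typing import Callable

Entry = dict[str, list[str]]
Predicate = Callable[[Entry], bool]

# Constructed sample directory mirroring this guide's DNs: one member of
# NextCloudUserGroup, one non-member, and the group entry itself.
SAMPLE_ENTRIES: dict[str, Entry] = {
    "uid=alice,cn=users,dc=mydomain,dc=de": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"],
        "cn": ["Alice Example"],
        "memberOf": ["cn=NextCloudUserGroup,cn=groups,dc=mydomain,dc=de"]},
    "uid=bob,cn=users,dc=mydomain,dc=de": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"],
        "cn": ["Bob Example"],
        "memberOf": ["cn=users,cn=groups,dc=mydomain,dc=de"]},
    "cn=NextCloudUserGroup,cn=groups,dc=mydomain,dc=de": {
        "objectClass": ["posixGroup", "groupOfNames"], "cn": ["NextCloudUserGroup"],
        "member": ["uid=alice,cn=users,dc=mydomain,dc=de"]},
}

# The filters from the Users, Login Attributes and Groups tabs of this guide.
USERS_FILTER = ("(&(|(objectclass=inetOrgPerson))"
                "(|(memberof=cn=NextCloudUserGroup,cn=groups,dc=mydomain,dc=de)))")
LOGIN_FILTER = "(&(|(objectClass=inetOrgPerson))(uid=%uid))"
GROUPS_FILTER = "(|(cn=NextCloudUserGroup))"

def escape_filter_value(value: str) -> str:
    """RFC 4515 \\XX escaping; what must happen to the login name before it replaces %uid."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def _values(entry: Entry, attr: str) -> list[str]:
    # Attribute types are case-insensitive in LDAP: objectclass == objectClass.
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def _value_matcher(raw: str) -> Callable[[str], bool]:
    """Matcher for the right-hand side of attr=raw; comparisons are case-insensitive."""
    if raw == "*":                                   # presence: (memberOf=*)
        return lambda v: True
    # Split on unescaped '*' first, then decode \XX escapes inside each piece.
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p).lower()
             for p in raw.split("*")]
    if len(parts) == 1:                              # equality: (uid=alice)
        return lambda v: v.lower() == parts[0]

    def substring(v: str) -> bool:                   # substring: (cn=*Example)
        v = v.lower()
        if not (v.startswith(parts[0]) and v.endswith(parts[-1])):
            return False
        pos = len(parts[0])
        for mid in parts[1:-1]:
            pos = v.find(mid, pos)
            if pos < 0:
                return False
            pos += len(mid)
        return pos <= len(v) - len(parts[-1])
    return substring

def _parse(text: str, i: int) -> tuple[Predicate, int]:
    if i >= len(text) or text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = text[i] if i < len(text) else ""
    if op in ("&", "|", "!"):
        i += 1
        subs: list[Predicate] = []
        while i < len(text) and text[i] == "(":
            sub, i = _parse(text, i)
            subs.append(sub)
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(subs) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        combine = {"&": lambda e: all(s(e) for s in subs),
                   "|": lambda e: any(s(e) for s in subs),
                   "!": lambda e: not subs[0](e)}[op]
        return combine, i + 1
    close = text.find(")", i)   # a literal ')' inside a value is escaped as \29
    attr, sep, raw = text[i:close].partition("=") if close > i else ("", "", "")
    if not attr or not sep:
        raise ValueError(f"bad filter item at offset {i}")
    match = _value_matcher(raw)
    return (lambda e: any(match(v) for v in _values(e, attr))), close + 1

def parse_filter(text: str) -> Predicate:
    pred, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing text after filter: {text[end:]!r}")
    return pred

def search(filter_text: str, entries: dict[str, Entry] = SAMPLE_ENTRIES) -> list[str]:
    """Return the sorted DNs of all entries the filter selects."""
    pred = parse_filter(filter_text)
    return sorted(dn for dn, entry in entries.items() if pred(entry))

def login_filter(template: str, username: str) -> str:
    """Fill Nextcloud's %uid placeholder with an escaped login name."""
    return template.replace("%uid", escape_filter_value(username))
```

Running `search(USERS_FILTER)` returns only alice's DN (bob is an inetOrgPerson but not in the group, and the group entry is not an inetOrgPerson), `search(GROUPS_FILTER)` returns the group DN, and `search(login_filter(LOGIN_FILTER, "alice"))` finds alice. Compare `login_filter(LOGIN_FILTER, "*")`, which yields `(uid=\2a)` and matches nobody, with a naive `LOGIN_FILTER.replace("%uid", "*")`, which matches every user: that difference is why the login query must only ever see an escaped user name.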

Advanced

This tab is a bit more complex, but still no witchcraft is required :-).

Connection Settings

  • Configuration Active: set the check
  • Backup Host, Backup Port: leave empty unless you have another Synology LDAP server :-)
  • Turn off SSL certificate validation: If you use SSL AND you have set up a self-signed certificate, you may either set the check here (easy way, but nothing for tin foil hats) or import the root CA on the host your Nextcloud is running on (hard way). If your Nextcloud is running within a docker container, importing a root CA might be really hard.
  • Cache Time-To-Live: Leave the default value of 600

Directory Settings

I will not explain these settings. I tried them with my Synology LDAP server and they are working :-).

  • User Display Name Field: cn
  • 2nd User Display Name Field:
  • Base User Tree: cn=users,dc=mydomain,dc=de
  • User Search Attributes: displayName
  • Group Display Name Field: cn
  • Base Group Tree: cn=groups,dc=mydomain,dc=de
  • Group Search Attributes: cn
  • Group-Member association: member (AD)
  • Dynamic Group Member URL:
  • Nested Groups: unchecked
  • Paging chunksize: 500 (default)
  • Enable LDAP password changes per user: checked
  • Default password policy DN:

Special Attributes

These settings may be used to tweak things, but I wasn't brave enough to try them out.

  • Quota Field:
  • Quota Default:
  • Email Field: mail
  • User Home Folder Naming Rule:
  • "$home" Placeholder Field:

You may now try to test the configuration by clicking on "Test Configuration". A notification on the top should appear saying "Valid configuration, connection established!".

Expert

This page should only be touched if you need to migrate users to LDAP. If you setup a brand new Nextcloud and LDAP Server, you may leave everything empty.

Now, after finishing the guide, you can go back through all pages and test all settings:

  • Server: Test Base DN
  • Users: Verify settings and count users
  • Login Attributes: enter a valid username and click on "Verify Settings"
  • Groups: Verify settings and count the groups
  • Advanced: Test Configuration

If everything works you may try to log in with your new LDAP (test) user. Open a new browser window (private mode) and try to log in.

Pitfalls

Here are a few pitfalls that I stumbled upon:

  • When using SSL
    • make sure your Nextcloud host has the root CA of your LDAP Server certificate. In the case of Let's Encrypt no action is required. In the case of a self-signed or CAcert certificate you have to import the root CA on your Nextcloud host.
    • Use the FQDN not the host IP.
  • When updating the bind credentials on the first page, remember to hit "Save Credentials". Otherwise Nextcloud will complain that "anonymous binding" is not allowed.
  • When defining the Login LDAP Query in "Login Attributes", make sure that %uid matches the login-username.
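The SSL pitfalls above (scheme and port must agree, the certificate is issued for a host name rather than an IP, and plain ldap:// sends the bind password in the clear) can be written down as a small check on the Hostname/Port pair from the Server tab. The following Python function is an added example, not code from Nextcloud, Synology or LDAP Admin; the finding codes it returns are my own names, and the hosts in the usage are constructed values.

```python
"""Sanity checks for the Nextcloud 'Hostname'/'Port' pair on the Server tab
(added example, not Nextcloud, Synology or LDAP Admin code)."""
from ipaddress import ip_address
from urllib.parse import urlsplit

EXPECTED_PORT = {"ldap": 389, "ldaps": 636}

# Finding codes (constructed names) and what a defender should read into them.
MESSAGES = {
    "NO_HOST": "no host name given",
    "UNKNOWN_SCHEME": "scheme must be ldap:// or ldaps://",
    "URL_PORT_CONFLICT": "port inside the URL differs from the Port field",
    "PORT_MISMATCH": "ldap:// is normally 389 and ldaps:// 636; check the pair",
    "IP_INSTEAD_OF_FQDN": "with ldaps:// use the FQDN, the certificate is issued "
                          "for a host name and validation fails against an IP",
    "PLAINTEXT_BIND": "ldap:// sends the bind DN, password and directory data "
                      "unencrypted; the guide's 'force encrypted connections' "
                      "setting on the Synology side will reject it",
}

def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def check_ldap_server(host_field: str, port: int) -> list[str]:
    """Return finding codes for the Hostname field and Port field; [] means clean."""
    url = host_field if "://" in host_field else "ldap://" + host_field
    parts = urlsplit(url)
    scheme, hostname = parts.scheme.lower(), parts.hostname or ""
    if scheme not in EXPECTED_PORT:
        return ["UNKNOWN_SCHEME"]
    if not hostname:
        return ["NO_HOST"]
    findings = []
    if parts.port is not None and parts.port != port:
        findings.append("URL_PORT_CONFLICT")
    if EXPECTED_PORT[scheme] != port:
        findings.append("PORT_MISMATCH")
    if scheme == "ldaps" and is_ip_literal(hostname):
        findings.append("IP_INSTEAD_OF_FQDN")
    if scheme == "ldap":
        findings.append("PLAINTEXT_BIND")
    return findings

def describe(host_field: str, port: int) -> list[str]:
    """Human-readable version of check_ldap_server()."""
    return [MESSAGES[code] for code in check_ldap_server(host_field, port)]

if __name__ == "__main__":
    # Constructed values: the guide's example host, an IP, and a port mix-up.
    for host, port in [("ldaps://mydomain.de", 636), ("ldap://mydomain.de", 389),
                       ("ldaps://192.0.2.10", 636), ("ldaps://mydomain.de", 389)]:
        print(host, port, "->", describe(host, port) or ["ok"])
```

Only the `ldaps://mydomain.de` / 636 pair comes back clean; the plain `ldap://` pair is flagged because the bind password travels unencrypted, the IP literal because certificate validation will not match it, and the 389/ldaps pair because scheme and port disagree.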

Security-Tweaks

This guide describes how to bind to the LDAP Server with the root LDAP user. For security reasons, you may want to create a user just for Nextcloud and use it to bind to the LDAP server. When creating this user you have to assign it to the Directory Consumers group on the Synology LDAP server.
