LDAP Server Settings
Set up Synology NAS as an LDAP server to provide account authentication service.
After the LDAP Server package is installed and running on your Synology NAS, go to Main Menu > LDAP Server to enable the service.
Enable LDAP Server
The Provider-Consumer architecture is the ideal solution if you have multiple clients located in different physical areas. All Consumer servers will replicate data from the Provider server periodically and will act as the main LDAP servers for the local clients. Even when the Provider server is down or the connection between the Provider/Consumer servers is lost, the local clients will not be affected as long as the Consumer server remains functional.
There are two types of servers in LDAP Server:
- The Provider server: Select this option if you want your server to be the master server. All Consumer servers will replicate data from the Provider server.
- The Consumer server: The Consumer server will sync in real time with its Provider server to clone an LDAP server. To modify the settings on the Consumer server, you will have to contact the administrator of the Provider server.
To enable LDAP Server as the Provider server and provide LDAP service, follow the steps below:
- Go to the Settings tab. Tick Enable LDAP Server.
- Tick As the Provider server.
- In the FQDN (Fully Qualified Domain Name) field, specify the domain name for the LDAP database.
- Enter the password for the Bind DN (see below) in the Password field.
- Confirm the password.
- Click Apply.
To enable LDAP Server as the Consumer server to replicate data from the Provider server, follow the steps below:
- Go to the Settings tab. Tick Enable LDAP Server.
- Tick As the Consumer server.
- In the Provider address field, enter the domain name or IP address of the Provider server's LDAP database.
- In the Encryption field, specify the connection encryption. By default, the encryption will be SSL/TLS.
- In the Bind DN field, enter the Bind DN (see below) of the Provider server's LDAP database.
- Enter the password for the Bind DN (see below) in the Password field.
- When LDAP Server acts as the Consumer server, its connection status with the Provider server will be shown.
- Click Apply.
When the setup is complete, you will see the following information under Authentication Information:
- Base DN: The distinguished name of LDAP Server's LDAP database. It is generated from the specified FQDN. For example, if the FQDN is “ldap.synology.com,” its Base DN will be “dc=ldap,dc=synology,dc=com”.
- Bind DN: The distinguished name of the LDAP root account. For example, if the Base DN of the LDAP database is “dc=ldap,dc=synology,dc=com,” then the Bind DN of its root will be “uid=root,cn=users,dc=ldap,dc=synology,dc=com”.
If LDAP clients wish to bind to your LDAP Server, they should specify the Base DN to connect to the LDAP database, and then authenticate with the Bind DN of root or an LDAP administrator account.
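The following is an added example (not Synology's own code) that generalises the two DNs shown above: it derives the Base DN from any FQDN, builds the root Bind DN under cn=users, and assembles the matching OpenLDAP ldapsearch command a client would use to bind. The host name "ldap.synology.com" comes from this page; "nas.example.internal", the user_bind_dn layout for non-root accounts, and the "encryption" parameter values are assumptions.

```python
"""Base DN and Bind DN derivation plus a client bind command for a Synology LDAP Server.

Added example, not Synology's own code. It generalises the two DNs shown on
this page (Base DN built from the FQDN, root Bind DN under cn=users) and builds
the matching OpenLDAP ldapsearch invocation. "ldap.synology.com" is the page's
example; "nas.example.internal" is a constructed host name.
"""
import re
import shlex

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Ports quoted on the page: 389 for LDAP, 636 for LDAP over SSL.
LDAP_PORT = 389
LDAPS_PORT = 636


def base_dn_from_fqdn(fqdn: str) -> str:
    """Map each DNS label to a dc= component: ldap.synology.com -> dc=ldap,dc=synology,dc=com."""
    labels = fqdn.strip().rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    # Labels that pass the regex contain no RFC 4514 special characters, so no escaping is needed.
    return ",".join(f"dc={label.lower()}" for label in labels)


def root_bind_dn(base_dn: str) -> str:
    """The page shows the root account at uid=root,cn=users,<Base DN>."""
    return f"uid=root,cn=users,{base_dn}"


def user_bind_dn(base_dn: str, uid: str) -> str:
    """Assumption: other accounts under cn=users follow the same layout as root."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", uid):
        raise ValueError(f"uid contains characters that would need DN escaping: {uid!r}")
    return f"uid={uid},cn=users,{base_dn}"


def ldapsearch_argv(host: str, base_dn: str, bind_dn: str, encryption: str = "ssl",
                    search_filter: str = "(objectClass=*)") -> list:
    """Build the argv for an ldapsearch bind against the server.

    encryption="ssl"  -> ldaps:// on 636 (the page's default, LDAP over SSL/TLS)
    encryption="none" -> plain ldap:// on 389 (only usable when the server does not
                         enforce "Allow encrypted incoming connections only")
    -x simple bind, -D bind DN, -W prompt for the Bind DN password, -b search base.
    """
    if encryption == "ssl":
        uri = f"ldaps://{host}:{LDAPS_PORT}"
    elif encryption == "none":
        uri = f"ldap://{host}:{LDAP_PORT}"
    else:
        raise ValueError(f"unknown encryption mode: {encryption!r}")
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W", "-b", base_dn, search_filter]


def ldapsearch_command(*args, **kwargs) -> str:
    """Same as ldapsearch_argv, rendered as a shell-safe command line."""
    return shlex.join(ldapsearch_argv(*args, **kwargs))


if __name__ == "__main__":
    base = base_dn_from_fqdn("ldap.synology.com")
    print(base)                # dc=ldap,dc=synology,dc=com
    print(root_bind_dn(base))  # uid=root,cn=users,dc=ldap,dc=synology,dc=com
    print(ldapsearch_command("nas.example.internal", base, root_bind_dn(base)))
```

The FQDN validation matters because the Base DN is built verbatim from the labels: rejecting anything that is not a plain DNS label is what makes the unescaped dc= components safe. The default of ldaps:// on 636 mirrors the page's default Consumer encryption setting, so the Bind DN password never crosses the network in cleartext.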
Note:
- The Base DN and the root Bind DN have to be provided to the clients so they can bind to the LDAP server.
- For more information about FQDN, please see here.
- If you have set up port forwarding or firewall rules for your Synology NAS, make sure ports 389 (for LDAP connections) and 636 (for LDAP SSL connections) are properly configured at Control Panel > External Access > Router Configuration, or at Control Panel > Security > Firewall.
Configure Connection Settings
Click the Connection Settings button to manage the following settings:
- Disallow anonymous binds: Enable this option if you do not want to allow anonymous users to connect to your LDAP server. Accounts/passwords will be required for all connections.
- Allow encrypted incoming connections only: Enable this option to accept only clients that connect over an encrypted (SSL/TLS) connection.
- Kick idle connections (minutes): Disconnect clients that have been idle for the specified number of minutes.
Note:
- Connection settings are only available for LDAP servers acting as Provider servers.
- Depending on how they connect, some LDAP clients (e.g. Mac) may show an abnormal connection status when the Disallow anonymous binds option is enabled. Regardless of the status displayed, the connection should work normally.
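The following is an added example (not Synology's own code) that models the three Connection Settings above and what a client sees when a bind is refused, including the anonymous probe that some clients send first and that explains the "abnormal connection status" note. It assumes the server answers refused binds with the standard LDAP result codes from RFC 4511 (confidentialityRequired = 13, inappropriateAuthentication = 48), as OpenLDAP does; the order in which the two checks are applied is a modelling choice, and all settings and bind attempts are constructed.

```python
"""Model of the three Connection Settings and the LDAP result a client receives.

Added example, not Synology's own code. Result codes follow RFC 4511
(confidentialityRequired = 13, inappropriateAuthentication = 48), which is
what OpenLDAP returns for a refused bind; the check order below is a
modelling choice. Settings and bind attempts are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionSettings:
    disallow_anonymous_binds: bool = False  # "Disallow anonymous binds"
    encrypted_only: bool = False            # "Allow encrypted incoming connections only"
    kick_idle_minutes: int = 0              # "Kick idle connections (minutes)"; 0 = never


@dataclass(frozen=True)
class BindAttempt:
    bind_dn: str      # "" means an anonymous simple bind
    encrypted: bool   # True for ldaps:// on 636 (or a completed STARTTLS on 389)


SUCCESS = "success (0)"
CONFIDENTIALITY_REQUIRED = "confidentialityRequired (13)"
INAPPROPRIATE_AUTH = "inappropriateAuthentication (48)"

# Constructed sample configurations: the package defaults versus a hardened set.
WEAK = ConnectionSettings()
HARDENED = ConnectionSettings(disallow_anonymous_binds=True, encrypted_only=True, kick_idle_minutes=10)


def evaluate_bind(settings: ConnectionSettings, attempt: BindAttempt) -> str:
    """Return the LDAP result the client sees for this bind under these settings."""
    # Transport policy is checked before the credentials are even looked at,
    # so a cleartext client never gets to send its Bind DN password.
    if settings.encrypted_only and not attempt.encrypted:
        return CONFIDENTIALITY_REQUIRED
    if settings.disallow_anonymous_binds and attempt.bind_dn == "":
        return INAPPROPRIATE_AUTH
    return SUCCESS


def will_be_kicked(settings: ConnectionSettings, idle_minutes: int) -> bool:
    """True once a client has been idle for at least the configured number of minutes."""
    return settings.kick_idle_minutes > 0 and idle_minutes >= settings.kick_idle_minutes


def hardening_findings(settings: ConnectionSettings) -> list:
    """List the Connection Settings that are still at their permissive value."""
    findings = []
    if not settings.disallow_anonymous_binds:
        findings.append("anonymous binds allowed: unauthenticated clients can open sessions "
                        "and probe the directory (subject to ACLs)")
    if not settings.encrypted_only:
        findings.append("cleartext LDAP on 389 accepted: Bind DN passwords may cross the "
                        "network unencrypted")
    if settings.kick_idle_minutes == 0:
        findings.append("idle connections are never dropped")
    return findings


if __name__ == "__main__":
    root = "uid=root,cn=users,dc=ldap,dc=synology,dc=com"
    # A client that probes anonymously first is refused, then binds fine with credentials:
    # this is the mismatch behind the "abnormal connection status" some clients display.
    print(evaluate_bind(HARDENED, BindAttempt("", True)))     # inappropriateAuthentication (48)
    print(evaluate_bind(HARDENED, BindAttempt(root, True)))   # success (0)
    print(evaluate_bind(HARDENED, BindAttempt(root, False)))  # confidentialityRequired (13)
    for finding in hardening_findings(WEAK):
        print("finding:", finding)
```

Running the module prints the three outcomes a hardened server produces for an anonymous probe, a credentialed bind over SSL/TLS, and a credentialed bind in cleartext; hardening_findings(WEAK) gives the checklist a reviewer would raise against a Provider left at its defaults.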