Manage Users
You can manage users and account/password related settings at LDAP Server > User.
User
The User tab provides options to manage users on LDAP Server.
To create a user:
Follow the steps below to create a user account:
- Click Create. This will launch the User Creation Wizard window.
- Specify the following information for the LDAP user and then click Next:
- Name: The name of the user will be stored as the uid attribute in the LDAP database.
- Description (optional): The description of the user will be stored as the gecos attribute.
- Email (optional): The email address of the user will be stored as the mail attribute.
- Password: The password of the user will be stored as the userPassword attribute.
- Disallow the user to change account password (optional): This information will be stored as the shadowMin attribute.
- Disable this account (optional): This information will be stored as the shadowExpire attribute.
- Tick the checkbox(es) to add the user to the following built-in group(s) and click Next:
- Users: This is the default group for all LDAP users. If users in this group are not added to the administrators group, they will not have DSM or LDAP administrative privileges.
- Directory Operators: Users added to this group will have administrative privileges of the LDAP database.
- Administrators: Users added to this group will have the same administrative privileges as DSM admin.
- If necessary, edit additional user attributes and then click Next.
- Click Apply to complete the setup. The distinguished name of the user in the LDAP database is uid=[username],cn=[users],[Base_DN].
Note:
You can set an account expiration date or prohibit a user from changing the password.
To import users:
Follow the steps below to import user accounts.
- Click the arrow next to Create. Select Import users.
- Select a file to upload. The file should contain user information in CSV format with tab-separated values.
- Confirm the preview is correct and click OK to import users.
File Formatting:
When preparing a file to import, different user accounts should be recorded on separate rows and each value should be separated by a tab in the following order (from left to right):
- Username
- Password
- Description
- Email
- Employee number
- Department
- Employee type
- Title
- Work phone (can include digits, dashes '-', plus signs '+', and parentheses '(' and ')', maximum length is 32 characters)
- Home phone (can include digits, dashes '-', plus signs '+', and parentheses '(' and ')', maximum length is 32 characters)
- Mobile phone (can include digits, dashes '-', plus signs '+', and parentheses '(' and ')', maximum length is 32 characters)
- Address
- Birthday (the format should be YYYY/MM/DD like 2000/1/1)
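The import file format described above, as an added validator that is not part of the LDAP Server help or product: it splits tab-separated rows into the thirteen columns in the stated order, applies the phone-field character set and 32-character limit, and checks the YYYY/MM/DD birthday format. The sample rows and the rule that username and password must be non-empty are assumptions.

```python
import re
from datetime import datetime
# Column order of the tab-separated import file, as listed above.
COLUMNS = ["username", "password", "description", "email", "employee_number",
           "department", "employee_type", "title", "work_phone", "home_phone",
           "mobile_phone", "address", "birthday"]
# Phone fields: digits, '-', '+', '(' and ')' only, at most 32 characters (empty allowed).
PHONE_RE = re.compile(r"[0-9+()\-]{0,32}")

def check_phone(value):
    return PHONE_RE.fullmatch(value) is not None

def check_birthday(value):
    """Accept an empty field or a YYYY/MM/DD date such as 2000/1/1."""
    if value == "":
        return True
    try:
        datetime.strptime(value, "%Y/%m/%d")
    except ValueError:
        return False
    return True

def validate_import(text):
    """Parse the import text; return (records, errors) with errors as (line, message)."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            errors.append((lineno, f"expected {len(COLUMNS)} columns, got {len(fields)}"))
            continue
        rec = dict(zip(COLUMNS, fields))
        for col in ("username", "password"):  # assumption: both are mandatory
            if not rec[col]:
                errors.append((lineno, f"{col} is empty"))
        for col in ("work_phone", "home_phone", "mobile_phone"):
            if not check_phone(rec[col]):
                errors.append((lineno, f"{col} has invalid characters or exceeds 32 characters"))
        if not check_birthday(rec["birthday"]):
            errors.append((lineno, "birthday must be YYYY/MM/DD"))
        records.append(rec)
    return records, errors

# Constructed sample rows (not real accounts); the second row has a bad phone and birthday.
SAMPLE = "\n".join([
    "\t".join(["alice", "S3cure!pass", "QA lead", "alice@example.com", "1001", "QA",
               "Full-time", "Lead", "+1(555)010-0000", "", "", "1 Main St", "2000/1/1"]),
    "\t".join(["bob", "Another!1", "", "bob@example.com", "1002", "IT",
               "Contractor", "Admin", "555-0100 ext 2", "", "", "", "1/1/2000"]),
])
```

Running the validator before uploading catches rows the preview step would otherwise reject or silently import with malformed attributes.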
To edit a user:
Select a user account and double click on it or click Edit to edit the account settings.
To remove a user:
Select a user and click Delete to remove the user.
To activate a user:
Select a user account that is currently locked, disabled, or expired, and click Activate to change its status to Normal.
Advanced
The Advanced tab provides options to modify advanced user settings.
To configure advanced user settings:
Tick the corresponding boxes according to your needs:
- Show more information when login fails: Enable this option to let the user know upon login failures that the account has been disabled.
- Do not allow users to change personal settings except the password: Enable this option if you do not want to allow the user to modify information (such as the email address and description) except the password.
- Enforce password change for users after the administrator resets the password: Enable this option if you want to force the user to change the password after the administrator resets their password.
- Apply password strength rules: Enable this option if you want to set up password strength rules for the user. To do so, select more than one of the password restrictions from the rules below.
- Exclude name and description of user from password: The password must not contain the user name or the user description. UTF-8 encoded characters are excluded.
- Include mixed case: The password must contain both upper and lower case letters.
- Include numeric character: The password must contain at least one numeric character (0~9).
- Include special character: The password must contain at least one ASCII special character (i.e., ~, `, !, @, #, $, %, ^, &, *, (, ), -, _, =, +, [, {, ], }, \, |, ;, :, ', ", <, >, /, ?).
- Minimal password length: The password must be at least the value specified in the text field. The length should be a number between 6 and 127.
- Password history (times): The password will be recorded for the number of times specified. The user will not be allowed to reuse an old password found in the history.
Note:
- New password strength rules are only applied when creating a new user account or when an existing user changes their password. Existing passwords and those belonging to imported user accounts are exempt from new password rules.
- When password strength rules are modified, you can choose whether to force all users to change passwords at the next logon. This is applied to all users, including administrators and yourself.
- The options Exclude name and description of user from password, Include mixed case, Include numeric character, and Minimal password length (set to 8 by default) are ticked by default.
- If Apply password strength rules is ticked, users are required to set a non-blank password even if Minimal password length is not ticked.
- To enhance the strength of passwords, we recommend setting Minimal password length to 8 and enabling at least three of the first five options.
To enable password expiration:
To enhance the security of DSM user accounts, you can set up password expiration policies that enforce regular password changes for users.
- Maximum password expiration period (days): Set the maximum period of time that a password can be used before the system requires the user to change it.
- Minimum password expiration period (days): Set the minimum period of time that a password must be used before the system allows the user to change it.
- Prompt users to change password upon login before expiration (days): Enable this option to prompt the user to change the password before expiration.
- Allow users to change the password after expiration: Enable this option to allow users to change the password after expiration; otherwise, the user will no longer be able to log into DSM.
- Send expiration notification emails: Enable this option to send an expiration notification email at the time specified. You can enter multiple days separated with commas.
Note:
Once password expiration has been enabled, all passwords older than the period you specified will expire.
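The expiration policy above, as an added model that is not part of the LDAP Server help or product code: it classifies a password by age against the maximum and minimum periods, the pre-expiration prompt, the notification days parsed from the comma-separated field, and the "allow change after expiration" switch, and it expires passwords already older than the period as the note describes. The return values and the reading that notification days count down to the expiry date are assumptions.

```python
from datetime import date, timedelta

def parse_notify_days(text):
    """Parse the comma-separated list typed into 'Send expiration notification emails'."""
    return {int(part) for part in text.split(",") if part.strip()}

def password_status(last_changed, today, max_days, min_days=0, prompt_days=0,
                    notify_days=(), allow_change_after_expiry=True):
    """Classify a password under the expiration policy above.
    Returns (state, can_change, notify_today): state is 'ok', 'prompt', 'expired'
    (login allowed only to set a new password) or 'locked_out' (no DSM login)."""
    age = (today - last_changed).days
    remaining = max_days - age
    notify_today = remaining in set(notify_days)   # assumption: N days before expiry
    if age >= max_days:                            # also expires passwords already older than max
        if allow_change_after_expiry:
            return "expired", True, notify_today
        return "locked_out", False, notify_today
    can_change = age >= min_days                   # minimum period blocks early changes
    if prompt_days and remaining <= prompt_days:
        return "prompt", can_change, notify_today
    return "ok", can_change, notify_today
```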
Auto Lock
The auto lock feature helps improve the security of your Synology NAS by locking the accounts with too many failed login attempts. This helps reduce the risk of accounts being broken into using brute-force attacks.
To enable auto lock:
- Tick Enable auto lock.
- Enter a number of failed login attempts in the Login attempts field and a number of minutes in the Within (minutes) field. An account will be locked when it exceeds the number of failed login attempts within the specified number of minutes.
- Tick Enable lock expiration and enter a number of minutes to have the lock on an account removed automatically after that time.
- Click Apply to save the settings.
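The auto lock behaviour above, as an added model that is not part of the LDAP Server help or product code: an account is locked once its failed logins exceed the configured number within the window, the lock lifts by itself when lock expiration is enabled, and Activate clears it by hand. The log line format and the events in it are constructed for the example, not DSM output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class AutoLock:
    """Lock after more than `attempts` failures within `window_min` minutes; lift after `expire_min`."""
    def __init__(self, attempts, window_min, expire_min=None):
        self.attempts, self.window = attempts, timedelta(minutes=window_min)
        self.expire = timedelta(minutes=expire_min) if expire_min else None
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_at = {}                 # account -> time the lock was applied
    def is_locked(self, account, now):
        t = self.locked_at.get(account)
        if t is not None and self.expire and now - t >= self.expire:
            self.activate(account)  # lock expiration reached: clear it automatically
        return account in self.locked_at
    def record_failure(self, account, now):
        """Register a failed login; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) > self.attempts:             # "exceeds" the configured number
            self.locked_at[account] = now
            return True
        return False
    def activate(self, account):
        """The administrator's Activate button: clear the lock and the failure history."""
        self.locked_at.pop(account, None)
        self.failures[account].clear()

LOG = (  # constructed sample login events, not real DSM log output
    "2024-05-01 10:00:00 alice failed\n"
    "2024-05-01 10:00:30 alice failed\n"
    "2024-05-01 10:01:00 bob failed\n"
    "2024-05-01 10:01:10 alice failed\n"
    "2024-05-01 10:01:40 alice failed\n"
)

def replay(log_text, lock):
    """Feed the failures to the lock; return the accounts that became locked, in order."""
    locked = []
    for line in log_text.splitlines():
        day, clock, account, result = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        if result == "failed" and lock.record_failure(account, ts) and account not in locked:
            locked.append(account)
    return locked
```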