Ldap bind to NethServer from Synology

activedirectory

(boris) #1

NethServer Version: NethServer release 7.4.1708
Module: ldap/AD

Hi all,

I’m trying to get a Synology NAS box to connect to an LDAP server hosted on a NethServer.
I’ve installed the NethServer box as an AD account provider.

I’m aware of the different IP and FQDN needed at my NethServer for AD. Fine. That’s my LDAP client target. I’m also aware of the ldapservice account used as a BIND DN, which is what I’m using to connect.

I’m using a self signed cert on the NethServer and the box is not internet reachable so let’s encrypt isn’t an option.

A tcpdump using no encryption between the Synology box and the NethServer shows: “strongAuthRequired” “Transport encryption required” “Operation unavailable without authentication” “LDAPMessage unbindRequest” LDAP errors.

If SSL/TLS or STARTTLS is used from the LDAP client, the results are the same: I can’t bind to the NethServer.

Using LdapAdmin.exe from a Windows box in order to browse the NethServer LDAP structure, using the same credentials “ldapservice@ad.xxxx” along with SSL/TLS (giving a certificate warning - self signed)… works just fine.

Any ideas for troubleshooting this would be welcome. Starting with the LDAP logs on NethServer.

Thanks,
Regards,
b.
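
The trace in this post shows the server answering the unencrypted bind with “strongAuthRequired” / “Transport encryption required”, i.e. the LDAP layer refusing a simple bind over plaintext, which is a different failure from a certificate the client does not trust. The following Python script is an added example, not code from this thread, from NethServer or from Synology: it encodes a raw LDAPv3 simple BindRequest (RFC 4511), sends it either in plaintext on 389 or over LDAPS on 636 while verifying the server certificate against an exported copy of the NethServer self-signed certificate (instead of ignoring the warning), and decodes the BindResponse result code so that TLS-layer failures (wrong CA file, name mismatch) can be told apart from LDAP-layer ones (strongerAuthRequired, invalidCredentials). The host name, bind DN and CA file path in the usage line are placeholders; the sample server response used for offline testing is constructed here.

```python
import socket
import ssl

# Subset of RFC 4511 result codes relevant to a failing simple bind.
RESULT_CODES = {
    0: "success",
    1: "operationsError",
    2: "protocolError",
    8: "strongerAuthRequired",      # Wireshark labels this "strongAuthRequired"
    13: "confidentialityRequired",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(value, tag=0x02):
    """Minimal two's-complement INTEGER (or ENUMERATED with tag 0x0A), non-negative values."""
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(tag, value.to_bytes(size, "big", signed=True))


def bind_request(message_id, bind_dn, password):
    """LDAPMessage carrying an LDAPv3 simple BindRequest ([APPLICATION 0])."""
    auth = _tlv(0x80, password.encode())                               # AuthenticationChoice.simple [0]
    op = _tlv(0x60, _int(3) + _tlv(0x04, bind_dn.encode()) + auth)     # version 3, name, authentication
    return _tlv(0x30, _int(message_id) + op)


def bind_response(message_id, result_code, diagnostic="", matched_dn=""):
    """Server-side BindResponse ([APPLICATION 1]); only used to build constructed samples offline."""
    result = _int(result_code, 0x0A) + _tlv(0x04, matched_dn.encode()) + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _int(message_id) + _tlv(0x61, result))


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Decode an LDAPMessage that must contain a BindResponse; returns code, name and diagnostic."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    code = int.from_bytes(code, "big", signed=True)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": code,
        "result_name": RESULT_CODES.get(code, "code %d" % code),
        "matched_dn": matched.decode(),
        "diagnostic": diag.decode(errors="replace"),
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection before a BindResponse")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def probe_bind(host, bind_dn, password, ca_file=None, port=None, timeout=5):
    """One simple bind. With ca_file: LDAPS on 636, server cert verified against that file
    (the exported self-signed cert). Without: plaintext on 389, which the trace above shows
    the AD provider refusing with strongerAuthRequired."""
    port = port or (636 if ca_file else 389)
    sock = socket.create_connection((host, port), timeout=timeout)
    if ca_file:
        ctx = ssl.create_default_context(cafile=ca_file)
        sock = ctx.wrap_socket(sock, server_hostname=host)   # hostname must match the cert
    with sock:
        sock.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(_recv_message(sock))


if __name__ == "__main__":
    import sys
    # placeholders: python probe.py nsdc-host.ad.example.lan ldapservice@ad.example.lan 'pw' nethserver-cert.pem
    host, dn, pw = sys.argv[1:4]
    ca = sys.argv[4] if len(sys.argv) > 4 else None
    print(probe_bind(host, dn, pw, ca))
```

Running it twice, once without and once with the CA file, separates the layers: on 389 the answer is the server's policy (result 8, the “Transport encryption required” diagnostic), not a credential problem; on 636 a name that is not in the certificate's subject or SAN makes Python raise ssl.SSLCertVerificationError before any LDAP bytes are exchanged, which is the same mismatch LdapAdmin only reports as a warning, while result 49 means the DN or password is wrong at the LDAP layer.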


(Markus Neuberger) #2

Hi Boris,

the problem is the self-signed certificate or that Synology doesn’t trust it. In LDAPAdmin you can ignore it, so maybe there’s a possibility to set up Synology to trust/ignore the self-signed cert. I didn’t find one in my research but I don’t use a Synology NAS.

As regards security, I really recommend having a valid cert, but if you just need to make it work you may follow these steps and connect without SSL/TLS (INSECURE!):


(boris) #3

Dear Markus, all,

Thanks a lot for your answer, it is very valuable!
The thing I think is a bit weird is that when installing NethServer with OpenLDAP only (not the full AD pack) I’m perfectly able to connect from the Synology… This is all using the built-in self-signed certificate.

Also, the domain is a “domain.lan” domain, which makes it hard to get a Let’s Encrypt certificate. Although not impossible, playing with local DNS resolving the NethServer with a CN bound to the certificate. Let’s see…

Any other help would be welcome, starting really with perhaps an LDAP log in order to see at the daemon what’s going on.

Thanks,
regards,
boro


(Davide Principi) #4

To get a detailed LDAP trace see

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-directory.html#logging