Configure LDAP settings

Once your Synology ActiveProtect appliance joins an LDAP service, you can view LDAP information at User Management > Domain/LDAP Users > Directory Information.

If you need to change LDAP client settings, go to the Appliance Console > Control Panel > Domain/LDAP > Domain/LDAP. Click Settings to check the advanced settings:

Edit general information

Encryption: Select a type of encryption for connecting your ActiveProtect appliance to the LDAP servers.
Base DN: Enter the starting point from which the edge server searches for user data. For example, if your LDAP server's FQDN is "ldap.synology.com", its Base DN will be "dc=ldap,dc=synology,dc=com".
Profile: Select a profile that regulates how user and group information is mapped to LDAP attributes. For more information, check About LDAP profiles.

Manage advanced settings

Update user/group list: Set how often your ActiveProtect appliance updates the user/group lists. [1] For manual updates, click Update LDAP Data at User Management > LDAP Users.
Group member attribute: Choose which attribute the appliance reads to resolve group membership.
  • memberOf: A user attribute that lists the groups a user belongs to. If you select this option, group objects refer to their users through the member attribute.
  • memberUID: A group attribute that lists the group's members. If you select this option, user objects do not include any information about their groups.
Enable UID/GID shifting: Prevent conflicts between LDAP and local users/groups by shifting the UID/GID of LDAP users/groups by 1,000,000. This option is available for non-Synology LDAP servers with a unique numerical ID attribute for each user and group.
Expand nested groups: Specify the number of levels for expanding nested groups. For example, with a level of 2, permissions from a group apply to its users, immediate child groups (level 1), and child groups of those child groups (level 2). [2]
Enable client certificate: Upload a client certificate for LDAP authentication. Certain LDAP services require a certificate to authenticate LDAP clients.
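The following Python script is an added example, not Synology code, that models the settings described above on a small constructed directory: it derives a Base DN from an FQDN, resolves group membership through either the memberOf or the memberUID model, applies the UID/GID shift, and expands nested groups to a chosen level so you can see exactly which users inherit a group's permissions at levels 0, 1 and 2. The directory entries, DN layout and function names are assumptions made for this example.

```python
"""Model of the LDAP client settings on this page (added example, not Synology code).

The directory below is constructed for illustration. Group objects carry both a
DN-valued 'member' attribute (memberOf model) and a login-valued 'memberUid'
attribute (memberUID model) so the same data can be read through either model.
"""
from collections import deque

UID_GID_SHIFT = 1_000_000  # offset applied when "Enable UID/GID shifting" is on


def base_dn_from_fqdn(fqdn):
    """Derive the Base DN as the table describes: one dc= component per label."""
    return ",".join(f"dc={label}" for label in fqdn.strip(".").split("."))


BASE = base_dn_from_fqdn("ldap.synology.com")  # dc=ldap,dc=synology,dc=com


def user_dn(uid):
    return f"uid={uid},ou=people,{BASE}"


def group_dn(cn):
    return f"cn={cn},ou=groups,{BASE}"


def rdn_value(dn):
    """'uid=alice,ou=people,...' -> 'alice'."""
    return dn.split(",")[0].split("=", 1)[1]


# Constructed sample directory: DN -> attributes.
# staff contains carol and the engineering group; engineering contains bob and
# the devs group; devs contains alice.  So alice is two nesting levels below staff.
DIRECTORY = {
    user_dn("alice"): {"uidNumber": 1001, "memberOf": [group_dn("devs")]},
    user_dn("bob"): {"uidNumber": 1002, "memberOf": [group_dn("engineering")]},
    user_dn("carol"): {"uidNumber": 1003, "memberOf": [group_dn("staff")]},
    group_dn("devs"): {"gidNumber": 2001, "member": [user_dn("alice")], "memberUid": ["alice"]},
    group_dn("engineering"): {"gidNumber": 2002, "member": [user_dn("bob"), group_dn("devs")], "memberUid": ["bob"]},
    group_dn("staff"): {"gidNumber": 2003, "member": [user_dn("carol"), group_dn("engineering")], "memberUid": ["carol"]},
}


def is_group(dn):
    return "gidNumber" in DIRECTORY[dn]


def effective_users(group, levels, mode="memberOf"):
    """Users who receive `group`'s permissions when nested groups are expanded
    `levels` deep (0 = direct members only). In memberUID mode the group lists
    login names only, so nesting cannot be followed regardless of `levels`."""
    entry = DIRECTORY[group_dn(group)]
    if mode == "memberUID":
        return sorted(entry.get("memberUid", []))
    users, seen = set(), {group_dn(group)}
    # depth 1 = direct member of the group; a child group at depth N is nesting level N
    queue = deque((dn, 1) for dn in entry.get("member", []))
    while queue:
        dn, depth = queue.popleft()
        if dn in seen:          # guards against membership cycles
            continue
        seen.add(dn)
        if is_group(dn):
            if depth <= levels:  # expand only child groups within the configured level
                queue.extend((m, depth + 1) for m in DIRECTORY[dn].get("member", []))
        else:
            users.add(rdn_value(dn))
    return sorted(users)


def groups_of_user(uid, mode="memberOf"):
    """Direct groups of a user. memberOf mode reads the user object; memberUID
    mode must scan every group, because user objects carry no group data."""
    if mode == "memberOf":
        return sorted(rdn_value(g) for g in DIRECTORY[user_dn(uid)].get("memberOf", []))
    return sorted(rdn_value(dn) for dn, e in DIRECTORY.items() if uid in e.get("memberUid", []))


def mapped_id(number, shifting_enabled=True):
    """Numeric ID the appliance uses; shifting keeps LDAP IDs clear of local ones."""
    return number + UID_GID_SHIFT if shifting_enabled else number


if __name__ == "__main__":
    for level in range(3):
        print(f"staff, expand level {level}: {effective_users('staff', level)}")
    print("alice via memberOf:", groups_of_user("alice"))
    print("alice via memberUID:", groups_of_user("alice", mode="memberUID"))
    print("alice uidNumber shifted:", mapped_id(DIRECTORY[user_dn("alice")]["uidNumber"]))
```

Running the script shows why the level setting matters: with level 0 only carol gets staff's permissions, level 1 adds bob, and level 2 adds alice. The `seen` set is what keeps expansion bounded on directories where groups reference each other in a cycle, which is one of the cases where expansion becomes expensive on a server without attribute indexing.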

Rejoin an LDAP directory

LDAP rejoining is only required when anomalies arise, such as invalid authentication data.

  1. Go to the Appliance Console > Control Panel > Domain/LDAP > Domain/LDAP > Settings.
  2. Under the General tab, click Rejoin LDAP.
  3. Enter your Bind DN (or your LDAP server's admin account) and password. Click OK to start the rejoining process.

Note:

  1. Automatic updates of user/group lists can affect system hibernation.
  2. Expanding nested groups can be time-consuming under certain circumstances, such as when the server lacks attribute indexing or when groups are heavily nested.