Knowledge Center

Set Up LDAP Server

Set up your Synology NAS as an LDAP server to provide account authentication services.

The Provider-Consumer architecture is an ideal solution if you have multiple clients located in different physical areas. LDAP Server comes with two types of servers:

  • The Provider server: Your Synology NAS acts as the master server.
  • The Consumer server:
    • Your Synology NAS periodically replicates data from the Provider server and acts as the main LDAP server for local clients.
    • You must contact the administrator of the Provider server if you want to modify the settings of the Consumer server.
    • As long as the Consumer server is functional, local clients will not be affected even if the Provider server is down or if the connection between the Provider/Consumer servers is lost.

Enable Synology NAS as the Provider server

  1. Go to the Server section and tick the Enable LDAP Server checkbox.
  2. Select As the Provider server.
  3. In the FQDN (Fully Qualified Domain Name) field, specify the domain name for the LDAP database.
  4. In the Password field, enter the password of Bind DN.
  5. Confirm the password.
  6. Click Apply.

Enable Synology NAS as the Consumer server

  1. Go to the Server section and tick the Enable LDAP Server checkbox.
  2. Select As the Consumer server of Synology LDAP Server.
  3. In the Provider address field, enter the domain name or IP address of the Provider server.
  4. In the Encryption field, specify the connection encryption. SSL/TLS is selected by default.
  5. In the Base DN field, enter the Base DN of the Provider server.
  6. Enter the Username and Password of Bind DN.
  7. The Connection status between the Consumer server and the Provider server will be shown after Step 8 is done.
  8. Click Apply.

Configure Connection Settings

If your Synology NAS acts as the Provider server, you can go to the Server section and click the Connection Settings button to manage the following settings.

  • Disallow anonymous binds: Prevent anonymous users from connecting to your LDAP server. Accounts and passwords are required for all connections. Some LDAP clients (e.g., Mac computers) cannot be bound to the LDAP directory if this option is selected.
  • Force clients to use encrypted connections: Clients must use encrypted connections to connect to your LDAP server.
  • Kick idle connections (minutes): Disconnect clients that are idle after a specified time.

View Authentication Information

When the setup is complete, you can find the Base DN and Bind DN information in the Authentication Information section.

  • Base DN: The base distinguished name of the LDAP. This is generated from the specified FQDN. For example, if the FQDN is "ldap.synology.com," its Base DN will be "dc=ldap,dc=synology,dc=com".
  • Bind DN: The distinguished name of the LDAP's user. For example, if the Base DN of the LDAP database is "dc=ldap,dc=synology,dc=com," the root Bind DN will be "uid=root,cn=users,dc=ldap,dc=synology,dc=com".

Note:

  • Base DN must be provided to the client devices to enable the devices to bind to the LDAP directory. At Control Panel > Domain/LDAP > Domain/LDAP, the client devices must specify the Base DN, and then specify the Bind DN or the LDAP’s administrator account for authentication. Refer to this article for detailed instructions.
  • If you have set up port forwarding or firewall rules for your Synology NAS, make sure ports 389 (for LDAP connections) and 636 (for LDAP SSL connections) are properly configured at Control Panel > External Access > Router Configuration, or at Control Panel > Security > Firewall.
Enable Synology NAS as the Provider server
Enable Synology NAS as the Consumer server
Configure Connection Settings
View Authentication Information