LDAP Server Settings

Set up Synology NAS as an LDAP server to provide account authentication service.

After the LDAP Server package is installed and running on your Synology NAS, go to Main Menu > LDAP Server to enable the service.

Enable LDAP Server

The Provider-Consumer architecture is an ideal solution if you have multiple clients located in different physical areas. All Consumer servers periodically replicate data from the Provider server and act as main LDAP servers for local clients. Even when the Provider server is down or the connection between the Provider/Consumer servers is lost, local clients will not be affected as long as Consumer servers remain functional.

There are two types of servers in LDAP Server:

  • The Provider server: Select this option if you want your server to be the master server. All Consumer servers will replicate data from the Provider server.
  • The Consumer server: The Consumer server synchronizes with its Provider server in real time, giving you a clone of the Provider's LDAP directory. To modify settings on the Consumer server, you will have to contact the administrator of the Provider server.

To configure your Synology NAS as the Provider server, follow the steps below:

  1. Go to the Settings tab. Tick Enable LDAP Server.
  2. Tick As the Provider server.
  3. In the FQDN (Fully Qualified Domain Name) field, specify the domain name for the LDAP database.
  4. Enter the password of Bind DN (see below) in the Password field.
  5. Confirm the password.
  6. Click Apply.

To configure your Synology NAS as the Consumer server that replicates data from the Provider server, follow the steps below:

  1. Go to the Settings tab. Tick Enable LDAP Server.
  2. Tick As the Consumer server.
  3. In the Provider address field, enter the domain name or IP address of the Provider server's LDAP database.
  4. In the Encryption field, specify the connection encryption. By default, the encryption is SSL/TLS.
  5. In the Bind DN field, enter the Bind DN (see below) of the Provider server's LDAP database.
  6. Enter the password of Bind DN (see below) in the Password field.
  7. When LDAP Server acts as the Consumer server, its connection status with the Provider server will be shown.
  8. Click Apply.

When the setup is complete, you will see the following information under Authentication Information:

  • Base DN: The distinguished name for LDAP Server's LDAP database. This is generated from the specified FQDN. For example, if the FQDN is "ldap.synology.com," its Base DN will be "dc=ldap,dc=synology,dc=com".
  • Bind DN: The distinguished name for LDAP's root. For example, if the Base DN of the LDAP database is "dc=ldap,dc=synology,dc=com," the Bind DN of its root will be "uid=root,cn=users,dc=ldap,dc=synology,dc=com".

If client devices need to be bound to the LDAP directory, they should specify the Base DN to connect to the LDAP database, and then authenticate with the Bind DN of root or an LDAP administrator account.

Note:

  • A root DN and a Base DN have to be provided to the clients for binding to the LDAP directory.
  • For more information about FQDN, please see here.
  • If you have set up port forwarding or firewall rules for your Synology NAS, make sure ports 389 (for LDAP connections) and 636 (for LDAP SSL connections) are properly configured at Control Panel > External Access > Router Configuration, or at Control Panel > Security > Firewall.

Configure Connection Settings

Click the Connection Settings button to manage the following settings:

  • Disallow anonymous binds: Enable this option if you don't want to allow anonymous users to connect to your LDAP server. Accounts/passwords will be required for all connections.
  • Allow encrypted incoming connections only: Enable this option to only allow clients with encrypted connections to connect to your server.
  • Kick idle connections (minutes): Disconnect idle clients after a specified period.

Note:

  • Connections settings are only available for Synology NAS acting as a Provider server.
  • Some LDAP clients (e.g., macOS computers) cannot be bound to the LDAP directory if the Disallow anonymous binds option is ticked.
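As an added worked example (not Synology's code), the following Python derives the Base DN and Bind DN from the FQDN the way the Authentication Information section describes, builds the client URL for the two ports listed in the Note, and models the two Connection Settings switches above. The FQDN label check and the RFC 4514 value escaping are assumptions of this example; `cn=users` is taken from the Bind DN shown on the page.

```python
import re

# Constructed check: RFC 1035 hostname labels (1-63 chars, alnum or hyphen, no edge hyphen).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# RFC 4514 characters that must be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def base_dn_from_fqdn(fqdn: str) -> str:
    """Base DN as the page describes it: one dc= component per FQDN label, in order."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a fully qualified domain name: {fqdn!r}")
    return ",".join(f"dc={label}" for label in labels)


def bind_dn(base_dn: str, uid: str = "root") -> str:
    """Bind DN of an account under the cn=users container; root is the directory root."""
    value = _DN_SPECIAL.sub(r"\\\1", uid)
    # Leading '#'/space and trailing space also need escaping (RFC 4514); reject them here.
    if value[:1] in ("#", " ") or value.endswith(" "):
        raise ValueError(f"uid {uid!r} needs edge escaping, not handled in this example")
    return f"uid={value},cn=users,{base_dn}"


def ldap_url(host: str, encrypted: bool = True) -> str:
    """Client-side URL: port 636 (LDAP over SSL) or 389 (plain LDAP), per the Note above."""
    return f"ldaps://{host}:636" if encrypted else f"ldap://{host}:389"


def bind_accepted(anonymous: bool, encrypted: bool,
                  disallow_anonymous: bool, encrypted_only: bool) -> bool:
    """Model of the Connection Settings switches: is this client bind allowed through?"""
    if encrypted_only and not encrypted:
        return False          # "Allow encrypted incoming connections only" is ticked
    if disallow_anonymous and anonymous:
        return False          # "Disallow anonymous binds" is ticked
    return True


if __name__ == "__main__":
    base = base_dn_from_fqdn("ldap.synology.com")
    print(base)                       # dc=ldap,dc=synology,dc=com
    print(bind_dn(base))              # uid=root,cn=users,dc=ldap,dc=synology,dc=com
    print(ldap_url("ldap.synology.com"))
```

Run it against your own FQDN to confirm the DNs you hand to clients match what Authentication Information shows; a macOS client that fails with anonymous binds disallowed is the `bind_accepted(True, ..., True, ...)` case.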