Manage Users
On the Manage Users page, you can manage LDAP users and settings related to account credentials and logins.
User
The User tab provides options to manage users in the LDAP directory.
To create a user:
- Click Create > Create user.
- Specify the following information for the LDAP user and click Next:
  - Name: The username, which is stored as the uid attribute in the LDAP database.
  - Description (optional): The description of the user, which is stored as the gecos attribute.
  - Email (optional): The user's email address, which is stored as the mail attribute.
  - Password: The user's password, which is stored as the userPassword attribute.
  - Send a notification mail to the newly created user: Tick this option to send a notification mail to the newly created user. This option requires enabling system email notifications at Control Panel > Notification > Email. By default, the user's password is not displayed in the notification message; to include it, tick the Display user password in notification mail checkbox.
  - Disallow the user to change account password: If this option is enabled, the user cannot change their own password. This information is stored as the shadowMin attribute.
  - Deactivate this account: This information is stored as the shadowExpire attribute.
- Select the groups to which the user belongs on the Join groups page, and click Next.
- If necessary, add additional attributes for the user on the More attributes page, and click Next.
- Click Done to complete the setup. The distinguished name (DN) of the user in the LDAP database is "uid=username,cn=users,Base DN".
To import users:
- Click Create > Import users.
- Tick the following options according to your needs:
  - Overwrite duplicate accounts: Tick this option if you wish to replace existing accounts with the entries of the same username in the import list.
  - Send a notification mail to the newly created user: Tick this option to send a notification mail to each newly created user. This option requires enabling system email notifications at Control Panel > Notification > Email.
  - Display user password in notification mail: This option is available when Send a notification mail to the newly created user is ticked. Tick this option if you wish to display the password in the notification message.
  - Force password change for imported users upon initial login: Tick this option if you wish to force imported users to change their password upon initial login. This option adds extra protection to imported accounts.
- Select the type of delimiter you used to separate the fields in the list from the Delimiter drop-down menu.
- Click Browse to select a .txt or .csv file to upload.
- Confirm that the preview is correct and click OK to import.
Note:
When you prepare a file to import, place each user account on an individual row. Each piece of information should be separated by a delimiter in the following order (choose tab, comma, or semicolon from the Delimiter drop-down menu):
- Username
- Password
- Description
- Email
- Employee number
- Department
- Employee type
- Title
- Work phone
- Home phone
- Mobile phone
- Address
- Birthday (the format should be YYYY/MM/DD, e.g., 2000/1/1)
- Group name
The format of an import file should meet the following requirements:
- The import file must be in UTF-8 format.
- The order of columns must be correct (from left to right).
- Each line of information must contain 13 delimiters. If you wish to skip a piece of information (e.g., Description), you still need to enter a delimiter to separate the empty value from the next value (e.g., Email).
- Work Phone, Home Phone, and Mobile Phone can include digits, dashes (-), plus signs (+), and parentheses, and the maximum length is 32 characters.
- If you wish to add a user to multiple groups, please insert a comma (,) between groups and wrap them with a pair of quotation marks ("), e.g., "Group_A,Group_B,Group_C".
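The following validator, added here as an example and not part of the Synology documentation or product, checks an import file against the requirements above before it is uploaded: UTF-8 encoding, 13 delimiters per line, the phone character set and length limit, the birthday format, and the quoted multi-group syntax. The column names, the `validate_import_file` function and the sample file contents are assumptions constructed for the example.

```python
import csv
import io
import re
from datetime import datetime

# Column order of the import file, taken from the list above (Email follows
# Description, as the note on skipped values states). Names are our own.
COLUMNS = [
    "username", "password", "description", "email", "employee_number",
    "department", "employee_type", "title", "work_phone", "home_phone",
    "mobile_phone", "address", "birthday", "group_name",
]
DELIMITERS = {"tab": "\t", "comma": ",", "semicolon": ";"}
# Phone fields: digits, dashes, plus signs and parentheses, at most 32 characters.
PHONE_RE = re.compile(r"^[0-9+()\-]{0,32}$")


def validate_import_file(raw: bytes, delimiter: str = "comma"):
    """Parse an import file and return (rows, errors).

    rows   - list of dicts (one per accepted line) with a parsed 'groups' list
    errors - list of (line_number, message); line 0 means a file-level error
    """
    errors = []
    rows = []
    try:
        text = raw.decode("utf-8")            # the file must be UTF-8
    except UnicodeDecodeError as exc:
        return [], [(0, f"file is not valid UTF-8: {exc}")]

    # The csv module implements the quoting rule for multiple groups:
    # "Group_A,Group_B" is read as one field even with a comma delimiter.
    reader = csv.reader(io.StringIO(text), delimiter=DELIMITERS[delimiter],
                        quotechar='"')
    for line_no, fields in enumerate(reader, start=1):
        if not fields:                        # skip blank lines
            continue
        line_errors = []
        if len(fields) != len(COLUMNS):
            line_errors.append(
                f"expected {len(COLUMNS) - 1} delimiters "
                f"({len(COLUMNS)} fields), found {len(fields) - 1}")
        else:
            row = dict(zip(COLUMNS, fields))
            if not row["username"]:           # the uid is needed to build the DN
                line_errors.append("username is empty")
            for col in ("work_phone", "home_phone", "mobile_phone"):
                if not PHONE_RE.match(row[col]):
                    line_errors.append(
                        f"{col} may only contain digits, -, +, ( ) "
                        "and at most 32 characters")
            if row["birthday"]:
                try:
                    datetime.strptime(row["birthday"], "%Y/%m/%d")
                except ValueError:
                    line_errors.append("birthday must be YYYY/MM/DD")
            row["groups"] = [g for g in row["group_name"].split(",") if g]
        if line_errors:
            errors.extend((line_no, msg) for msg in line_errors)
        else:
            rows.append(row)
    return rows, errors


# Constructed sample file: two valid users, one bad birthday, one short line.
SAMPLE_FILE = (
    "alice,S3cret!pw,Dev lead,alice@example.com,1001,R&D,staff,Engineer,"
    "+1(555)010-0001,,,1 Main St,1990/05/17,\"Group_A,Group_B\"\n"
    "bob,Pa55word,,bob@example.com,1002,Ops,staff,Admin,555-0002,,,,2000/1/1,Group_C\n"
    "carol,Xy7!abcd,,carol@example.com,1003,HR,staff,Manager,555-0003,,,,2000/13/01,Group_A\n"
    "dave,Pw!,missing fields\n"
).encode("utf-8")

if __name__ == "__main__":
    accepted, rejected = validate_import_file(SAMPLE_FILE, "comma")
    for r in accepted:
        print("accepted:", r["username"], "->", r["groups"])
    for line_no, msg in rejected:
        print(f"line {line_no}: {msg}")
```

Running the validator on the sample accepts alice and bob and reports line 3 (invalid month) and line 4 (too few delimiters), so a malformed file can be corrected before the importer sees it.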
To edit user properties:
- Select the user you wish to edit at the User tab and click Edit.
- Edit the user properties at the corresponding tabs.
- Click OK to save the settings.
Note:
- You can also edit a user by one of the following methods:
  - Double-click the user.
  - Right-click the user and then click Edit.
To delete a user:
- Select a user you wish to delete on the User tab, and click Delete.
- Click Delete again in the pop-up message to confirm the deletion.
Note:
- You can also delete a user account by right-clicking a user and then clicking Delete.
- You can select multiple users by pressing and holding the Ctrl or Shift key.
- The deletion of users is irreversible.
To activate a user:
Select a user account that is currently locked, deactivated, or expired, and click Activate to change its status to Normal.
Note:
- You can also activate a user account by right-clicking a user and then clicking Activate.
- You can select multiple users by pressing and holding the Ctrl or Shift key.
Advanced
The Advanced tab provides options to modify advanced user settings.
To configure advanced user settings:
Tick the corresponding boxes according to your needs:
- Show more information when login fails: Enable this option to let the user know upon login failure that the account has been deactivated.
- Do not allow users to change personal settings except the password: Enable this option if you do not want to allow the user to modify information (such as the email address and description) other than the password.
- Force users to change password after the administrator resets the password: Enable this option if you want to force the user to change the password after the administrator resets it.
- Apply password strength rules: Enable this option if you want to set up password strength rules for the user. You can select more than one of the password restrictions below:
  - Exclude name and description of user from password: The password must not contain the username or the user description. UTF-8 encoded characters are excluded.
  - Include mixed case: The password must contain both upper and lower case letters.
  - Include numeric character: The password must contain at least one numeric character (0 - 9).
  - Include special character: The password must contain at least one ASCII special character (i.e., ~ ` ! @ # $ % ^ & * ( ) - _ = + [ { ] } \ | ; : ' " < > / ? , .).
  - Exclude common password: Prevent users from setting common passwords, such as "123456", "password", "qwerty", etc.
  - Minimal password length: The password length must be at least the value specified in the text field. The length should be a number between 6 and 127.
  - Password history (times): The password must be different from the previously set ones, the number of which is to be specified here.
Note:
- New password strength rules are only applied when creating a new user account or when an existing user changes their password. Existing passwords and those belonging to imported user accounts are exempt from new password rules.
- When password strength rules are modified, you can choose whether to force all users to change passwords at the next logon. This is applied to all users, including administrators and yourself.
- The options Exclude name and description of user from password, Include mixed case, Include numeric character, and Minimal password length (set to 8 by default) are ticked by default.
- If Apply password strength rules is ticked, users are required to set a non-blank password even if Minimal password length is not ticked.
- To enhance the strength of passwords, we recommend setting Minimal password length to 8 and enabling at least three of the first five options.
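As an added example (not code from Synology or the product), the class below implements the strength rules listed above as a stand-alone checker: each option maps to a constructor flag, `violations` returns the names of the rules a candidate password breaks, and the history rule is evaluated against salted PBKDF2 hashes of earlier passwords rather than the passwords themselves. The class name, the rule names, the common-password list and the case-insensitive name comparison are assumptions of this example.

```python
import hashlib
import hmac
import os

# ASCII special characters accepted by the "Include special character" rule.
SPECIAL_CHARS = set("~`!@#$%^&*()-_=+[{]}\\|;:'\"<>/?,.")
# Constructed stand-in for the product's common-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein", "abc123"}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so that password history never stores reusable secrets.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordPolicy:
    """Hypothetical checker mirroring the password strength options above."""

    def __init__(self, exclude_name_and_description=True, mixed_case=True,
                 numeric=True, special=False, exclude_common=False,
                 min_length=8, history=0):
        # The UI accepts a minimal length between 6 and 127 (None = rule off).
        if min_length is not None and not 6 <= min_length <= 127:
            raise ValueError("minimal password length must be between 6 and 127")
        self.exclude_name_and_description = exclude_name_and_description
        self.mixed_case = mixed_case
        self.numeric = numeric
        self.special = special
        self.exclude_common = exclude_common
        self.min_length = min_length
        self.history = history          # number of previous passwords to reject

    @staticmethod
    def remember(password: str):
        """Return a (salt, digest) history entry for a password being set."""
        salt = os.urandom(16)
        return salt, _hash(password, salt)

    def violations(self, password, username="", description="", history=()):
        """Return the names of violated rules; an empty list means accepted."""
        if not password:
            return ["blank"]            # a non-blank password is always required
        v = []
        if self.min_length is not None and len(password) < self.min_length:
            v.append("min_length")
        if self.exclude_name_and_description:
            low = password.lower()      # assumption: comparison is case-insensitive
            if any(s and s.lower() in low for s in (username, description)):
                v.append("contains_name_or_description")
        if self.mixed_case and not (any(c.isupper() for c in password)
                                    and any(c.islower() for c in password)):
            v.append("mixed_case")
        if self.numeric and not any(c in "0123456789" for c in password):
            v.append("numeric")
        if self.special and not any(c in SPECIAL_CHARS for c in password):
            v.append("special")
        if self.exclude_common and password.lower() in COMMON_PASSWORDS:
            v.append("common")
        if self.history:
            recent = list(history)[-self.history:]
            if any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in recent):
                v.append("reused")
        return v


if __name__ == "__main__":
    policy = PasswordPolicy(special=True, exclude_common=True, min_length=8, history=2)
    previous = [policy.remember("Tr0ub4dor&3")]
    for candidate in ("password", "Alice2024!", "Tr0ub4dor&3", "N3w!Passw0rd"):
        print(candidate, "->", policy.violations(candidate, username="alice",
                                                 history=previous) or "accepted")
```

The checks run in a fixed order and all of them are reported, so a user changing a password sees every failing rule at once instead of fixing them one at a time.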
To enable password expiration:
To strengthen the security of user accounts, tick Enable password expiration and set up the following password expiration policies to enforce regular, periodic password changes.
- Maximum password expiration period (days): Specify the number of days after which passwords expire.
- Minimum interval for password change (days): Tick the checkbox to enable this function, and specify the number of days that must pass after a password change before users are allowed to change their password again.
- Prompt users to change password upon login before expiration (days): Tick the checkbox to have DSM prompt users to change their password when they sign in. You will need to specify how many days before the expiration date the prompt takes effect.
- Allow users to change the password after expiration: Tick the checkbox to allow users to change the password after expiration; otherwise, the user will no longer be able to sign in to LDAP clients (e.g., DSM).
- Send expiration notification emails: Tick the checkbox to send an expiration notification email at the times specified. You can enter multiple days separated with commas.
Note:
Once password expiration has been enabled, all passwords older than the period you specified will expire.
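The following example, added here and not taken from Synology's code, models the expiration options above as a small policy object and evaluates a password's state on a given day: whether it has expired (including passwords that were already older than the period when expiration was enabled), whether the sign-in prompt applies, whether a change is currently permitted under the minimum interval, and whether a notification email is due. The `ExpirationPolicy` fields, the `evaluate_password` function and the choice that a password expires once its age reaches the maximum period are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass
class ExpirationPolicy:
    """Hypothetical model of the 'Enable password expiration' options."""
    max_age_days: int                          # Maximum password expiration period
    min_interval_days: Optional[int] = None    # Minimum interval for password change
    prompt_days_before: Optional[int] = None   # Prompt users ... before expiration
    allow_change_after_expiration: bool = True
    notify_days_before: Tuple[int, ...] = ()   # Send expiration notification emails


def evaluate_password(policy: ExpirationPolicy, last_change: date, today: date):
    """Return the password's state under the policy on the given day."""
    age = (today - last_change).days
    days_left = policy.max_age_days - age
    # Assumption: the password expires once its age reaches the maximum period.
    # A password already older than the period expires as soon as the policy
    # is enabled, which is the behaviour the note above describes.
    expired = days_left <= 0
    if expired:
        status = "expired"
    elif policy.prompt_days_before is not None and days_left <= policy.prompt_days_before:
        status = "expiring"            # DSM prompts for a change at sign-in
    else:
        status = "ok"

    if expired:
        can_change = policy.allow_change_after_expiration
    elif policy.min_interval_days is not None:
        can_change = age >= policy.min_interval_days
    else:
        can_change = True

    return {
        "age_days": age,
        "days_left": days_left,
        "status": status,
        # Without "Allow users to change the password after expiration",
        # an expired password blocks sign-in to LDAP clients.
        "can_sign_in": not expired or policy.allow_change_after_expiration,
        "can_change_password": can_change,
        "send_notification": days_left in policy.notify_days_before,
    }


if __name__ == "__main__":
    policy = ExpirationPolicy(max_age_days=90, min_interval_days=1,
                              prompt_days_before=7, notify_days_before=(14, 7, 1))
    changed = date(2024, 1, 1)        # constructed sample: last password change
    for day in (date(2024, 1, 1), date(2024, 3, 17), date(2024, 3, 25), date(2024, 3, 31)):
        print(day, evaluate_password(policy, changed, day))
```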
Auto Lock
Auto lock improves the security of your Synology NAS by locking accounts that accumulate too many failed login attempts. This feature reduces the risk of accounts being compromised by brute-force password guessing.
To enable auto lock:
- Tick Enable auto lock.
- Enter a number of failed login attempts in the Login attempts field and a number of minutes in the Within (minutes) field. An account will be locked when it exceeds the number of failed login attempts within the specified number of minutes.
- Tick Enable lock expiration and enter a number to unlock a locked account after the specified number of minutes.
- Click Apply to save the settings.
Note:
The auto lock options configured on a Consumer server (i.e., a read-only server) will not be applied to LDAP users.
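As an added illustration of the auto lock behaviour described above (example code, not Synology's implementation), the tracker below keeps a sliding window of failed login timestamps per account, locks the account when the configured number of failures occurs within the window, releases the lock automatically when lock expiration is enabled, and otherwise keeps it locked until an administrator activates the account. The class and method names, the decision that the configured attempt count itself triggers the lock, and the clearing of the failure window on a successful login are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional


class AutoLock:
    """Hypothetical model of the Auto Lock settings: attempts within N minutes."""

    def __init__(self, attempts: int, within_minutes: int,
                 lock_expiration_minutes: Optional[int] = None):
        self.attempts = attempts                        # Login attempts
        self.window = timedelta(minutes=within_minutes)  # Within (minutes)
        # Enable lock expiration: None means locked until activated manually.
        self.lock_ttl = (timedelta(minutes=lock_expiration_minutes)
                         if lock_expiration_minutes else None)
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_at = {}                  # user -> time the lock was applied

    def is_locked(self, user: str, now: datetime) -> bool:
        locked = self.locked_at.get(user)
        if locked is None:
            return False
        if self.lock_ttl is not None and now - locked >= self.lock_ttl:
            self.activate(user)              # lock expiration elapsed
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a failed login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        recent = self.failures[user]
        recent.append(now)
        # Drop failures older than the window so slow guessing never adds up.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        # Assumption: reaching the configured count triggers the lock.
        if len(recent) >= self.attempts:
            self.locked_at[user] = now
            return True
        return False

    def record_success(self, user: str, now: datetime) -> bool:
        """Return False if the login must be refused because of a lock."""
        if self.is_locked(user, now):
            return False
        self.failures.pop(user, None)        # assumption: success resets the count
        return True

    def activate(self, user: str) -> None:
        """Administrator action equivalent to the Activate button above."""
        self.locked_at.pop(user, None)
        self.failures.pop(user, None)


if __name__ == "__main__":
    # Constructed sample: 5 attempts within 10 minutes, lock expires after 30.
    guard = AutoLock(attempts=5, within_minutes=10, lock_expiration_minutes=30)
    t0 = datetime(2024, 1, 1, 12, 0)
    for minute in range(5):
        print("failure at +%dm -> locked: %s"
              % (minute, guard.record_failure("alice", t0 + timedelta(minutes=minute))))
    print("locked at +20m:", guard.is_locked("alice", t0 + timedelta(minutes=20)))
    print("locked at +34m:", guard.is_locked("alice", t0 + timedelta(minutes=34)))
```

Because the lock timestamp is separate from the failure window, an account that is locked stays locked for the full expiration period even though its failure history would have aged out sooner.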