Configure Domain/LDAP Settings
Once your Synology NAS has joined a directory, you can manage various settings for your directory client environment.
Manage Domain Client Settings
View the basic information of your Synology NAS and the domain at Control Panel > Domain/LDAP > Domain/LDAP. Click Settings to modify the basic information or other advanced settings.
To manage general information:
Go to the General tab to modify the basic domain client settings of your Synology NAS.
- DNS server: Edit the IP address of a DNS server that can resolve the IP addresses of domain controllers.
- DC IP/FQDN: Specify a domain controller's (DC) IP address or a Fully Qualified Domain Name (FQDN), and your Synology NAS will try to communicate with it.
- If you want to enter multiple IP addresses or FQDNs, make sure to separate them with a comma (,). You can also add an asterisk (*) after the last DC's IP address/FQDN so that your Synology NAS will try to communicate with other DCs if it fails to communicate with the specified ones. A comma should be used to separate the asterisk from the last IP address/FQDN.
- Update user/group list: Set how often your Synology NAS automatically updates the domain user and group lists. Go to the Domain User or Domain Group tab and click Sync Domain Data to update the list manually. Automatic updates will affect system hibernation.
- IWA: Integrated Windows Authentication (IWA) lets users who have already signed in to their computers using domain accounts to access DSM via a web browser without entering their credentials again. Learn more about how to set up IWA.
To configure management mode settings:
Go to the Management mode tab to determine how you manage the privileges of domain users and groups.
- Trusted domains: Manage users and groups of the domain that your Synology NAS has joined, as well as those of the trusted domains. This mode allows you to filter the user and group lists by domain.
- To manage users and groups of the trusted domains, the trusted domains must have two-way trusts with the domain that your Synology NAS has joined.
- Set DC IP: Select how your Synology NAS communicates with the DCs in the trusted domain in the Set DC IP pop-up window.
- Automatic: Your Synology NAS will automatically communicate with one or more DCs in the trusted domain provided by the DNS service.
- Manual: Specify one or more DCs' IP addresses or Fully Qualified Domain Names (FQDNs) in the trusted domain. Your Synology NAS will directly communicate with them.
- If you want to enter multiple IP addresses or FQDNs, make sure to separate them with a comma (,). You can also add an asterisk (*) after the last DC's IP address/FQDN so that your Synology NAS will try to communicate with other DCs if it fails to communicate with the specified ones. A comma should be used to separate the asterisk from the last IP address/FQDN.
- Sync Domain Data: Check the trusted domain you want to update and click Sync Domain Data to manually sync the users and group lists in the domain. You can sync data from one domain at a time.
- Test: Click to test the functionality of the trusted domain's client service. The wizard will run a precondition check and provide the test results.
- Passed: The test item has passed the test.
- Minor issues: One or more minor issues need to be resolved. Such issues may result in domain service abnormalities.
- Click Details on the right side of each issue.
- Fix the issues according to the recommended actions.
- Critical issues: One or more critical issues must be resolved immediately. Such issues will result in domain service failures.
- Click Details on the right side of each issue.
- Follow the instructions on the pop-up window to troubleshoot the issue.
- Single domain with OUs: Only users and groups of the domain that your Synology NAS has joined will be synchronized. This mode allows you to filter user and group lists by organizational units (OUs).
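The DC IP/FQDN field syntax described under the General tab and again under Set DC IP (comma-separated addresses, optional trailing asterisk that must be comma-separated from the last entry) is easy to get subtly wrong. The following added example, which is not part of Synology's documentation or DSM, validates such a field value before it is pasted into the dialog; the hostname rule is an assumption (RFC 1123 labels), since DSM does not publish its own.

```python
import ipaddress
import re

# Hostname syntax check (assumption: RFC 1123 labels; DSM does not publish its own rule).
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_dc_list(value):
    """Parse a DSM-style DC IP/FQDN field into (explicit_dcs, fallback_to_other_dcs).

    Entries are comma-separated. A lone "*" as the last entry means the NAS may
    fall back to other DCs when the listed ones fail; it must be comma-separated
    from the last address and may not appear anywhere else.
    Raises ValueError for input the field's rules do not allow.
    """
    entries = [e.strip() for e in value.split(",")]
    if any(e == "" for e in entries):
        raise ValueError("empty entry: check for leading, trailing or doubled commas")
    fallback = entries[-1] == "*"
    if fallback:
        entries = entries[:-1]
        if not entries:
            raise ValueError("the asterisk must follow at least one DC")
    for entry in entries:
        if "*" in entry:
            raise ValueError(f"{entry!r}: the asterisk must be a separate, final entry")
        if not _is_ip(entry) and not _FQDN_RE.match(entry):
            raise ValueError(f"{entry!r} is neither an IP address nor an FQDN")
    return entries, fallback

def dc_list_is_valid(value):
    """True when parse_dc_list() accepts the field value."""
    try:
        parse_dc_list(value)
        return True
    except ValueError:
        return False
```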
To manage advanced settings:
Go to the Advanced tab to configure the following settings.
- Obtain trusted domain data directly from corresponding domains: This option allows Synology NAS to request the data stored in trusted domains directly from the corresponding trusted domains. Tick this checkbox if there are any users or groups whose permissions cannot be modified at the Domain User or Domain Group tab.
- LDAP encryption: Select a type of encryption (SASL or SSL/TLS) adopted by your Synology NAS for LDAP connections to the domain.
- Nested group levels: Specify the number of levels that the nested domain group members can be expanded. Group nesting allows you to add a group to another group, providing flexibility in applying access control lists (ACLs) to services on your Synology NAS.
- The number of Nested group levels determines to what extent group hierarchies are expanded. If the level number is 2, for instance, the ACLs of a group are applied to its users, child groups (the first level), and child groups of its child groups (the second level).
- Expansion of nested groups can be time-consuming under certain circumstances, such as when the server does not index the member attribute, or when groups are deeply nested.
- Domain Administrators: Specify up to ten groups of users to whom you want to grant administrative privileges. Any user with administrative privileges will have full control of your Synology NAS and the files stored therein.
- Two default domain groups, Domain Admins and Enterprise Admins, are automatically added to the local administrators group. Therefore, the domain users in these groups are granted administrative privileges on your Synology NAS, including access to file services (e.g., SMB, FTP, AFP, and WebDAV) and other DSM packages.
To test the functionality of domain client service:
If your domain service is not working properly, follow the steps below to troubleshoot the issues.
- Go to Control Panel > Domain/LDAP > Domain/LDAP.
- Click Test, and the wizard will run a precondition check and provide the test results.
- Passed: The test item has passed the test.
- Minor issues: One or more minor issues need to be resolved. Such issues may result in domain service abnormalities.
- Click Details on the right side of each issue.
- Fix the issues according to the recommended actions.
- Critical issues: One or more critical issues must be resolved immediately. Such issues will result in domain service failures.
- Click Details on the right side of each issue.
- Follow the instructions on the pop-up window to troubleshoot the issue.
To rejoin your Synology NAS to the domain:
In most cases, you don't need to rejoin the domain. This operation is needed only when abnormalities occur, such as when the computer account of your Synology NAS has expired.
- Go to Control Panel > Domain/LDAP > Domain/LDAP, and click Edit.
- Select the General tab and click Rejoin Domain.
- Enter the required information in the pop-up window:
- Domain account: Enter the domain's administrator account or a user account with sufficient privileges.
- Password: Enter the password of this domain account.
- Click OK. Your Synology NAS will start joining the target domain again.
Note:
- If the username of a domain account includes % or $, the account may not be able to access its home folder. You’ll need to change the username through the domain's administrator account.
- You can configure domain users' access permissions to shared folders on your Synology NAS.
Manage LDAP Client Settings
Once your Synology NAS has joined an LDAP directory, you can view the general information of your Synology NAS and the LDAP directory at Control Panel > Domain/LDAP > Domain/LDAP. Click Edit to modify the general information or other advanced settings.
To manage general information:
Go to the General tab to modify the basic LDAP client settings of your Synology NAS.
- Encryption: Select an encryption method from the drop-down menu.
- Base DN: Edit the Base DN of the LDAP server in this field. The Base DN is the distinguished name for the LDAP database, generated from the specified FQDN of the LDAP server. For example, if the FQDN is "ldap.synology.com", its Base DN will be "dc=ldap,dc=synology,dc=com".
- Profile: Select a profile that regulates how user and group information is mapped to LDAP attributes.
To manage advanced settings:
Go to the Advanced tab to configure the following settings.
- Update user/group list (minutes): Set how often your Synology NAS automatically updates the LDAP user/group lists. Go to the LDAP User or LDAP Group tab and click Update LDAP Data to update the lists manually. Automatic updates will affect system hibernation.
- Group member attribute:
- memberOf: In RFC2307bis, "memberOf" is a user object attribute that refers to the group where users belong. "member" is a group object attribute that refers to users of the group.
- memberUID: In RFC2307, "memberUID" is a group object attribute that refers to the users of a group. However, user objects do not include information about the group where users belong.
- Enable CIFS plain text password authentication: To allow LDAP users to access Synology NAS files via CIFS, select this option and enable PAM settings of computers. This option is only for LDAP servers that do not support Samba schema. Learn more about CIFS support and client computer settings.
- Enable UID/GID shifting: To avoid UID/GID conflicts between LDAP users/groups and local users/groups, enable this option to shift the UID/GID of LDAP users/groups by 1000000. This option is only for non-Synology LDAP servers that provide a unique numerical ID attribute for each user/group.
- Expand nested groups: Enable nested group expansion by ticking this checkbox and setting a level number for your nested LDAP group. Group nesting allows you to add a group to another group, providing flexibility in applying ACLs to services on your Synology NAS.
- The number of Nested group levels determines to what extent group hierarchies are expanded. If the level number is 2, for instance, the ACLs of a group are applied to its users, child groups (the first level), and child groups of its child groups (the second level).
- Expansion of nested groups can be time-consuming under certain circumstances, such as when the LDAP server does not index the member attribute, or when groups are deeply nested.
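The nested group level semantics (a level number of 2 covers the group's own users, its child groups and their child groups) and the memberOf/memberUID distinction above are illustrated by the following added example; it is not DSM code and uses a constructed directory with a deliberate nesting loop to show why a depth limit and a visited set both matter.

```python
from collections import deque

# Constructed sample directory (not a real export): group DN -> set of member DNs,
# in the RFC2307bis style where a group's "member" attribute may list other groups.
SAMPLE_GROUPS = {
    "cn=nas-admins,ou=groups,dc=example,dc=com": {
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=it-staff,ou=groups,dc=example,dc=com"},
    "cn=it-staff,ou=groups,dc=example,dc=com": {
        "uid=bob,ou=people,dc=example,dc=com",
        "cn=helpdesk,ou=groups,dc=example,dc=com"},
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "uid=carol,ou=people,dc=example,dc=com",
        "cn=nas-admins,ou=groups,dc=example,dc=com"},  # nesting loop back to the top
}

def effective_members(groups, group_dn, levels):
    """Users to whom group_dn's ACLs apply when nested groups are expanded `levels` deep.

    levels=0 means direct users only; levels=2 adds child groups (level 1) and
    their child groups (level 2), matching the description above. The visited
    set stops loops such as helpdesk -> nas-admins -> ... from expanding forever.
    """
    users, visited = set(), {group_dn}
    queue = deque([(group_dn, 0)])
    while queue:
        current, depth = queue.popleft()
        for member in groups.get(current, ()):
            if member not in groups:          # a user entry
                users.add(member)
            elif depth < levels and member not in visited:
                visited.add(member)
                queue.append((member, depth + 1))
    return users

def groups_of_user(groups, user_dn, levels):
    """memberOf computed client-side: groups whose expanded membership contains user_dn.

    An RFC2307 memberUID directory carries no memberOf on the user object, so a
    client has to derive it by inverting the group side, as done here.
    """
    return {g for g in groups if user_dn in effective_members(groups, g, levels)}
```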
- Enable client certificate: Tick the checkbox to update the client certificate.
To test the functionality of LDAP client service:
If your LDAP service is not working properly, follow the steps below to troubleshoot issues.
- Go to Control Panel > Domain/LDAP > Domain/LDAP.
- Click Test, and the wizard will run a precondition check and provide the test results.
- Passed: The test item has passed the test.
- Minor issues: One or more minor issues need to be resolved. Such issues may result in LDAP service abnormalities.
- Click Details on the right side of each issue.
- Fix the issues according to the recommended actions.
- Critical issues: One or more critical issues must be resolved immediately. Such issues will result in LDAP service failures.
- Click Details on the right side of each issue.
- Fix the issues according to the recommended actions.
To rejoin your Synology NAS to the LDAP directory:
In most cases, you don't need to rejoin the LDAP directory. This operation is needed only when abnormalities occur (e.g., invalid authentication information).
- Go to Control Panel > Domain/LDAP > Domain/LDAP, and click Edit.
- Select the General tab and click Rejoin LDAP.
- Enter the required information in the pop-up window:
- Bind DN or LDAP admin account: Enter the LDAP Bind DN or an administrator account.
- Password: Enter the password of this LDAP account.
- Click OK. Your Synology NAS will start joining the target LDAP directory again.
About CIFS support and client computer settings
CIFS plain text password authentication lets LDAP users access files stored in Synology NAS via CIFS even if the LDAP server does not support Samba schema.
If your LDAP server does not support the Samba schema, tick Enable CIFS plain text password authentication, and do the following on your computers. Please note that this option may compromise system security because it allows passwords to be transferred without encryption (in plain text).
- To modify Windows settings:
- Go to Start > Run, type "regedit" in the field, and then click OK to open Registry Editor.
- Depending on your Windows version, find or create the following registry key:
- Windows 2000, Windows XP, Windows Vista, Windows 7, and Windows 10: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters]
- Windows NT: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
- Windows 95 (SP1), Windows 98, and Windows Me: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
- Create or modify the DWORD value EnablePlainTextPassword and change its value data from 0 to 1.
- Restart Windows for the changes to take effect.
- To modify macOS settings:
- Go to Applications > Utilities to open Terminal.
- Create an empty file /etc/nsmb.conf:
sudo touch /etc/nsmb.conf
- Open /etc/nsmb.conf with "vi":
sudo vi /etc/nsmb.conf
- Type "i" for inserting texts, and paste the following:
[default]
minauth=none
- Press the Esc key and then type "ZZ" to save the changes and exit vi.
- To modify Linux settings:
- If you're using smbclient, add the following keys in the [global] section of smb.conf:
encrypt passwords = no
client plaintext auth = yes
client lanman auth = yes
client ntlmv2 auth = no
- If you're using mount.cifs, execute the following command:
echo 0x30030 > /proc/fs/cifs/SecurityFlags
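Because the four smb.conf keys above disable password encryption and modern authentication on every Linux client they are applied to, it helps to be able to find them again later. The following added example (not part of Synology's documentation or of Samba) audits a client's smb.conf for those keys in the plain-text state and reports the Samba default next to each; the sample configuration is constructed.

```python
import re

# Settings the page tells you to add to [global] for CIFS plain-text authentication,
# paired with the Samba default that a hardened client keeps. yes/no synonyms
# accepted by Samba (true/false, 1/0) are normalised before comparison.
PLAINTEXT_SETTINGS = {
    "encrypt passwords": ("no", "yes"),
    "client plaintext auth": ("yes", "no"),
    "client lanman auth": ("yes", "no"),
    "client ntlmv2 auth": ("no", "yes"),
}
_BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with lower-cased keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections

def audit_plaintext_auth(text):
    """Return {key: (current_value, samba_default)} for each [global] option
    still in the plain-text state; an empty dict means none were found."""
    conf = parse_smb_conf(text).get("global", {})
    findings = {}
    for key, (weak, default) in PLAINTEXT_SETTINGS.items():
        if _BOOL.get(conf.get(key, "").lower()) == weak:
            findings[key] = (conf[key], default)
    return findings

# Constructed sample client configuration, not taken from a real system.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    encrypt passwords = no
    client plaintext auth = yes
    client lanman auth = Yes
    client ntlmv2 auth = false
"""
```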