Sync users between Synology's - Setting up an LDAP server on Synology NAS

Captions
All right, how's it going? Today we are diving into some more advanced territory for the Synology NASes, and this is going to be a tutorial on how to set up LDAP on a Synology NAS. All right, so first off, what is LDAP? LDAP is a method of storing data for different profiles. Long story short, basically what this is going to allow you to do is to have one sign-on, one joined username and password, for every single one of your NASes. And so you can have 15 users, and any one of those users will be able to apply its permissions to any given NAS, and it's using a protocol called LDAP. It's basically a lightweight open directory service that allows you to easily go through and have all this information, essentially the username and password and account information, all tied very simply together. So this is going to be a tutorial for more advanced users. This is something you generally would want to sign up for if you're going to have multiple NASes, or even multiple services that multiple people are going to be signing into. The majority of people are going to be businesses, because you do need to make sure, if you are running LDAP, that you've got a back way in every single time, as well as the fact that you make sure to have high availability and things like that, which is what we are going to go over here.

All right, and so before we do get started, I did want to say we need to talk about a little bit of a difference between LDAP and Active Directory. So Active Directory is pretty much Microsoft. There are open source versions of it now, but Active Directory is Microsoft's version of LDAP for Windows, and it is a lot more complex, a lot more particular on how you're set up, and a lot more subject to failure if you don't know what you're doing. And so, if possible, I would recommend starting with an LDAP server, if at all possible, and sticking with that if that fits your needs. But if you want to be able to have Windows PCs sign in to their PCs with these credentials, you are going to need to look at having Active Directory, which Synology does have an app for, but I need to go through and run through that a couple more times before I do a tutorial on it, because it's a lot more complex and a lot more difficult to set up, and the repercussions can be a lot worse. Another thing is you cannot run Active Directory and LDAP on the same NAS.

All right, and so now let's go ahead and get started. The first thing you're going to need to do is set up a static IP address for the NAS you're working with, and you are also going to need to make sure that it has a DNS record pointing to it. So if you don't know what that means, a DNS record is pretty much the transition from having something like this, where it says testbed.sr.spacerx.com, and transforming that into an IP address. And so when you're running LDAP you cannot just reference an IP address; you actually have to reference what's called a fully qualified domain name, which in this case is this right here. So you've got a couple of different options. The first is, if you aren't already using your DDNS for this account, you can go into Control Panel, External Access, DDNS, and you can actually do what I have done here, which is a bit of a janky setup. So what I have done here is I have created a new DDNS address, and what I did is I set the external DDNS address for this to be a manual IP address that's on my local network. And so what this means is, if you go to testbed123.synology.me, you'll see that, oh, it just leads to me. But it doesn't lead to me; it just leads to this IP address on your network, which probably is not populated. And so this is a janky way that I've set up. Instead, what I highly recommend doing is buying your own domain name, or running your own DNS server locally, and then just having an A record point to the static IP address of the box. And it can be the local static IP address, because I would not recommend running LDAP over the internet if at all possible. You can do it if you've got something like, okay, I know this one server needs my LDAP, therefore I will only allow LDAP requests from this one IP address, two IP addresses, ten IP addresses, but just don't open it up to the broad internet, because it's just not safe. But as you can see right here, I've already gone through and I have a DNS record that points from testbed.sr.spacex.co, which is my own DNS setup, and it points to the static IP address of this box, which is something you are going to need to do.

And then from there we can just go ahead and install the LDAP server. So we just scroll down and find the LDAP server, LDAP Server right here, and then while that's installing I'm also just going to go ahead and install it on this guy right here as well. This is the other box that I'm going to be installing this on; it's actually, funny enough, my old, old, old server that I used for tutorials, that I grabbed out for this. All right, and so once LDAP has gone through and fully installed, now we can go ahead and get set up and running. So we're just going to hit Open on it, and we are going to go ahead and hit Enable the LDAP server. The first thing you're going to be asked is FQDN. What does that mean? Fully qualified domain name, which should be something like this. So if you're doing the synology.me, it just needs to be the full domain name that points to the IP address of this box. If you're just locally resolving it, it just needs to point to the local IP address of this box. Right now you need to make a password for this.

All right, so we have set this up right here as a provider. So this means that he is the head honcho; he is the single point that is most in charge of LDAP. This is the server that you will use to edit any LDAP permissions, create new groups, add any users. All that will be done through this specific LDAP server, the provider. We're then going to go ahead and set up every single one of our other Synologies as what's called consumers. And so a consumer is effectively a read-only replica, and so that means that it has access to validate everybody, but you can't change your permission on it. Instead, you have to change your permission on the provider. The provider says, hey, new information's out, and sends it to the consumers. And so that way if the provider goes down, all the consumers are still able to validate requests, but they will not be able to edit the thing. So you really want to make sure you have multiple on there, and so that way requests are a lot faster and it's a lot less likely to fail. And so now we can go into Connection Settings, and you've got a couple of options here. If you are setting this up with macOS you do need to allow anonymous binds, and then you can also force encrypted connections, which is what I would recommend doing. And now we can just go ahead and hit Apply.

All right, and so now we have all the different information here, and it's technically up and running. The first thing you really need to make sure to do is set up a backup. You want to make sure to back up the LDAP credentials, because if you lose it, it will be a big issue. And so the other thing you'll see is, while this is going on, LDAP users will not be able to log in until the process is complete. It's a pretty quick backup, but I would recommend setting it up to back up at midnight or something. And then the other thing you can do is have the head one that nobody actually logs into, and just have consumer NASes that everybody else uses for authentication. So this way, if this server is backing up, the consumers will still be able to validate anybody logging in. I'm not going to set that up now though. And now let's go ahead and just create a user. So we'll just create a simple Will. Well, we'll call it Will Wide, just in case, and give them a password. And so now we can see that we've actually got a few different options here. So now we don't just have the regular users and administrators; we now have these directory informations. So we will just keep everybody in Users for regular devices, and then for consumers we'll create accounts for that. Now I'll go ahead and show that, but if you want them to be an admin you can add them in here, and then you can also just add in some basic information here. This is where LDAP is actually a directory service, so it's actually originally designed to have all this information, and the whole adding of passwords was kind of an afterthought.

All right, and so now we've got our user. We can also go through and just create groups right here and have everything like that. I would highly, highly, highly recommend working with permissions on the group level rather than the user level, because if you have this many accounts that you're setting up LDAP for, you really want to make sure that you are having everybody sequestered into groups, and it just makes permissions so much easier to manage. And so now let's just go about setting this up on a second device. We're going to go ahead and create a consumer account; we'll call it consumer one. You could tie it exactly to this one, so you know whenever the device you're having is connecting, you know which one it is. And just generate a password; I'd recommend a random one. And so we are going to set them up as a consumer group, and so just like that we now have it. And so now we can go ahead and open up LDAP on our second Synology. And this is just a second Synology that I'm setting this up with; you could also set this up with so many other devices, because LDAP is such a popular protocol. And so now for this second device we're actually going to have it set up as a consumer, so that way if the main NAS is down, people will be able to use this NAS to authenticate, including this local account. So we're actually going to enable it, but we're going to set it up as a consumer. And so what we're going to do is we're just going to put in that fully qualified domain name, which should resolve right here to the actual LDAP one that we just set up. And now for Base DN we can go back up here and we can just copy it from right here. And so now we can go ahead and add in that username and password for the consumer that we set up, so it's consumer01, and enter in the password for that. And so now let's just go ahead and hit Apply.

All right, and so you can see, just like that, it is successfully connected, and so that means we are good to go. If we open up Users, we'll see all the users are right here, and we can also see we can only view them, because it's read-only. Instead, we have to do any changes on the master, which is the provider. So now we've got it working, but they're not going to show up in DSM just yet. So instead, all we're doing right now is we're setting up basically a replication server right here. Now we actually need to tell DSM to connect to that replication server, and the reason we're doing this with this additional complexity is it's just going to allow us to have the main NAS go offline while having this NAS with all the different information still in it. So now we're just going to go ahead and open up Control Panel, and we're going to go into LDAP, and we're just going to join our LDAP. And so now we're actually going to go through on this guy right here. We're actually going to save, for server address, localhost, because localhost points to itself, which is what we want to happen here. And so now we just need to log in with that consumer account again, and enable encryption; we don't really have to here. And then copy and paste that Base DN from the LDAP account over here. So now it's just going to go through, and it's got this really great setup here that just shows us everything, and it's just check, check, check, check, check. If you get any weird stuff, you kind of got to figure it out. I was having issues with authentication, and when I did a reset last time it just kind of worked. Joining the actual LDAP does take a minute, because it's redoing directory permissions.

All right, and so now, just like that, we can go ahead and it should just be working. All right, and so now we can just go over to LDAP User, and so now we will see all the different LDAPs, and we can enable home services for everybody. And we will see that it's got a quite long name now to add it in here, which is a bit of a pain. So now we should just be able to go ahead and log out and log back in with this. And so just like that, I'm able to log in with that account, and that is really all there is to it. Now LDAP is set up and running on your device, and any of those devices will be able to log in just like that. All right, well, that's gonna be it for this tutorial. Go and leave any other tutorials you'd like to see me make in the comments below, and have a good one. Bye.
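The Connection Settings step in the video recommends forcing encrypted connections. Here is an added check, not from the video or from Synology, that confirms the setting actually took effect on the provider: it sends one LDAPv3 simple bind over plain port 389 with a throwaway DN and a deliberately wrong password, and reports whether the server refused the unprotected bind with confidentialityRequired (13) or strongerAuthRequired (8), the result codes OpenLDAP returns when TLS is mandatory. The hand-rolled BER encoder/decoder and the probe DN are assumptions; a reply of 49 (invalidCredentials) would mean the plaintext bind was processed, i.e. encryption is not being enforced.

```python
import socket

STRONGER_AUTH_REQUIRED = 8     # RFC 4511 resultCode: unprotected bind refused
CONFIDENTIALITY_REQUIRED = 13  # RFC 4511 resultCode: what OpenLDAP sends when TLS is required

def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def encode_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    msg_id must stay below 128 so the INTEGER encodes as a single byte."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the BER element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long-form length: low bits give the number of length bytes
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, msg, _ = read_tlv(buf, 0)          # outer LDAPMessage SEQUENCE
    _, msg_id, pos = read_tlv(msg, 0)     # messageID INTEGER
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(body, 0)      # resultCode ENUMERATED
    _, _, pos = read_tlv(body, pos)       # matchedDN (unused here)
    _, diag, _ = read_tlv(body, pos)      # diagnosticMessage
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def plaintext_bind_refused(host: str, port: int = 389) -> bool:
    """True if the server rejects a simple bind sent in the clear (49 would mean it was processed)."""
    with socket.create_connection((host, port), timeout=5) as s:
        # assumed probe DN and a bogus password, so no real secret ever crosses the wire
        s.sendall(encode_bind_request(1, "uid=probe,dc=example,dc=test", "not-a-real-password"))
        _, code, _ = parse_bind_response(s.recv(4096))
    return code in (CONFIDENTIALITY_REQUIRED, STRONGER_AUTH_REQUIRED)
```

Run `plaintext_bind_refused("<your LDAP FQDN>")` from a machine on the same LAN; it should return True once "Force encrypted connections" is on, and the same probe against each consumer confirms the replicas enforce it too.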
Info
Channel: SpaceRex
Views: 25,860
Id: Ac4FVy9N068
Length: 14min 3sec (843 seconds)
Published: Sat Mar 19 2022