Set up LDAP with AutoFS on a Synology NAS.

Steve Mohr
5 min read, Feb 15, 2021


I recently picked up a Synology DS418 NAS and built an OpenStack cloud to mess around with at home. The Synology makes it simple to set up services like LDAP, Autofs with NFS, and DNS. It’s nice having these supporting services handled by the NAS rather than having to configure and maintain another server.

To set up LDAP, download the LDAP Server package from the Package Center on your Synology. Under Settings, tick the box to enable the LDAP server and select the radio button to set it up as a provider. Simply enough, set an FQDN and a password. In this case I gave it a pretty generic name, home.lab. Make note of the Base DN and Bind DN; we will need these later.

Under Connection Settings, at the very least I suggest ticking Disallow anonymous binds. This will require clients to authenticate with a password before they can query the directory.

Your LDAP server is now up and running. The next step is to set up a few users and groups. I would start under Manage Groups and create a group for each user you will be creating; for example, make a Bob group. When you create the user Bob, add him to the Bob group. You can then create other groups such as media, backups, and so on to control user access to your data.

In order to apply the LDAP users and group permissions to your storage in File Station you will need to configure the LDAP client. Open the Control Panel and click Domain/LDAP. In the LDAP tab, tick the Enable LDAP Client box. Enter the IP address of your NAS, then enter the Base DN from your LDAP server configuration; in this case mine is dc=home,dc=lab. Click Apply and you should be all set.

When working in File Station to set permissions you will now see your LDAP users and groups listed as user@home.lab and can set permissions accordingly.

I strongly suggest enabling the firewall on your NAS regardless of where you are running it. From the Control Panel navigate to Security. Click the Firewall tab and tick the Enable firewall box. Click Edit Rules > Create. From here you can select LDAP as a service to open port 389. I would also suggest setting specific IP addresses or a range under Source IP. In my case I only intend to use this from a small number of machines and an IP range used by services in OpenStack, so the rest of the network cannot access it.

The server configuration is done. We can move on to configuring our clients. In my case I am running a bunch of Linux clients, primarily CentOS 7, CentOS 8, and Ubuntu. There are a few different ways to go about configuring your clients. In this case I am using SSSD. This way the configuration on my clients is mostly the same between OSes, with a few minor differences.

CentOS 7

Install sssd

root@gunstar:~# yum install sssd sssd-ldap sssd-tools

Create an empty configuration file

root@gunstar:~# touch /etc/sssd/sssd.conf
root@gunstar:~# chmod 600 /etc/sssd/sssd.conf
root@gunstar:~# chown root:root /etc/sssd/sssd.conf

Enable sssd with authconfig

root@gunstar:~# authconfig --enablesssd --enablesssdauth --update

Enable the sssd service and start it.

root@gunstar:~# systemctl enable sssd
root@gunstar:~# systemctl restart sssd

CentOS 8

Install sssd

root@gunstar:~# dnf install sssd sssd-ldap sssd-tools

Create an empty configuration file

root@gunstar:~# touch /etc/sssd/sssd.conf
root@gunstar:~# chmod 600 /etc/sssd/sssd.conf
root@gunstar:~# chown root:root /etc/sssd/sssd.conf

Enable sssd with authselect

root@gunstar:~# authselect select sssd --force && authselect apply-changes

Enable the sssd service and start it.

root@gunstar:~# systemctl enable sssd
root@gunstar:~# systemctl restart sssd

Ubuntu

Install sssd

root@gunstar:~# apt install sssd libpam-sss libnss-sss sssd-tools

Create an empty config file

root@gunstar:~# touch /etc/sssd/sssd.conf
root@gunstar:~# chmod 600 /etc/sssd/sssd.conf
root@gunstar:~# chown root:root /etc/sssd/sssd.conf

Enable and start the sssd service

root@gunstar:~# systemctl enable sssd
root@gunstar:~# systemctl start sssd

In all cases my sssd.conf file is the same. Edit that empty config file you created with the following.

[domain/home.lab]
ldap_tls_reqcert = never
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
# IP address of the NAS
ldap_uri = ldap://192.168.1.129
# Base DN from our LDAP server configuration.
ldap_search_base = dc=home,dc=lab
# Bind DN from our LDAP server configuration.
ldap_default_bind_dn = uid=root,cn=users,dc=home,dc=lab
ldap_default_authtok_type = password
# Password from our LDAP server configuration.
ldap_default_authtok = myldappassword
cache_credentials = True
use_fully_qualified_names = False

[sssd]
config_file_version = 2
services = nss,pam
# FQDN from LDAP server
domains = home.lab

[nss]

[pam]

[sudo]

At this point things should work. However, we still have a plaintext password in our sssd.conf, which we should obfuscate. The sssd-tools package provides a utility called sss_obfuscate for this.

root@gunstar:~# sss_obfuscate -d home.lab
Enter password = myldappassword
Enter again = myldappassword

The sssd.conf file has been modified. The authtok_type has been changed to obfuscated_password and the password is no longer in clear text (it is obfuscated, not encrypted, so the 600 permissions on the file still matter).

ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAOQsd8f0sdfsd0f8sd0f9sdg809g8sd0g80sdfb9hsfghsfdnbcjgndfkjgnhegihfd9g89he9fghdgdf
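As an added example (not code from the post or from Synology), a small POSIX sh audit that flags the weak settings the sssd.conf above carries before the sss_obfuscate step: the clear-text bind password, ldap_tls_reqcert = never, a plain ldap:// URI without StartTLS, and a file mode other than 600. It assumes GNU or BSD stat and grep; the sssd.conf it writes is a constructed copy of the post's domain section with a placeholder password.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sssd.conf for the
# weak settings the configuration above leaves in place. Assumes POSIX sh,
# grep and stat; the sample file written below is constructed.

# Echo one finding per line for the sssd.conf given as $1.
audit_sssd_conf() {
    conf="$1"
    # sssd refuses to start unless the file is root-owned and 0600 (it holds the bind secret)
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    [ "$mode" = "600" ] || echo "mode $mode: sssd.conf must be 0600"
    if grep -Eq '^[[:space:]]*ldap_default_authtok_type[[:space:]]*=[[:space:]]*password' "$conf"; then
        echo "bind password stored in clear text: run sss_obfuscate -d <domain>"
    fi
    if grep -Eq '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*never' "$conf"; then
        echo "ldap_tls_reqcert = never: the server certificate is never verified"
    fi
    if grep -Eq '^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*ldap://' "$conf" &&
       ! grep -Eiq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "ldap:// without ldap_id_use_start_tls: binds and lookups cross the network unencrypted"
    fi
}

# Echo the number of findings (0 means nothing was flagged).
count_findings() {
    audit_sssd_conf "$1" | wc -l | tr -d ' '
}

# Write a constructed copy of the post's domain section to a temp file; echo its path.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[domain/home.lab]
ldap_tls_reqcert = never
id_provider = ldap
ldap_uri = ldap://192.168.1.129
ldap_search_base = dc=home,dc=lab
ldap_default_bind_dn = uid=root,cn=users,dc=home,dc=lab
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_PASSWORD
EOF
    chmod 600 "$f"
    echo "$f"
}

sample=$(write_sample_conf)
audit_sssd_conf "$sample"
echo "findings: $(count_findings "$sample")"
rm -f "$sample"
```

Run it against a real /etc/sssd/sssd.conf instead of the sample to see what a host still has left to fix.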

Check to see that you can list an LDAP user. You should see their user id and group memberships.

root@gunstar:~# id bob
uid=1000001(bob) gid=1000001(users) groups=1000001(users),1000005(bob),1000003(mediashare)

This is great, but when bob tries to log into the server he will have no home directory. You may want to look up oddjob-mkhomedir. This will create a new home directory locally with the proper permissions.

I would like to have consistent home directories for users across all of the servers I run, so I will set up autofs. On Ubuntu and RHEL-based systems install the package autofs.

root@cent8:~# dnf install autofs
root@cent7:~# yum install autofs
root@ubuntu:~# apt install autofs

Create a file called auto.master.

root@gunstar:~# touch /etc/auto.master
root@gunstar:~# chmod 644 /etc/auto.master
root@gunstar:~# chown root:root /etc/auto.master

Edit your auto.master file like the following.

root@gunstar:~# cat /etc/auto.master
/home program:/etc/auto.syno

Download the auto.syno script provided by Synology from the link in the references at the bottom of the page and save it as /etc/auto.syno. autofs executes a program map, so the script must be executable by root. There are a few variables to modify.

LDAP_URI="ldap://192.168.1.129"
BASE_DN="dc=home,dc=lab"
USE_TLS="no"
NFS_SERVER="192.168.1.129"
# If you are unsure about this, SSH to your NAS
# and check the /etc/exports file
NFS_FOLDER="/volume1/homes"

Restart the autofs service.

root@gunstar:~# systemctl restart autofs

You should now be able to move into an LDAP user's home directory and have it mount.

root@ubuntuldap:~# cd ~bob
root@gunstar:/home/bob# pwd
/home/bob

By default, users have their shell set to sh. You may want to change this to bash.

Create an ldif file like the following.

root@gunstar:~# cat shell.ldif
dn: uid=bob,cn=users,dc=home,dc=lab
changetype: modify
replace: loginShell
loginShell: /bin/bash

Commit it to ldap with ldapmodify.

root@gunstar:~# ldapmodify -xWD "uid=root,cn=users,dc=home,dc=lab" -h 192.168.1.129 -f shell.ldif

References
https://www.synology.com/en-au/knowledgebase/DSM/tutorial/Management/How_to_join_Mac_Linux_client_computers_to_LDAP_Server
