LDAP authentification used with Apache failed


Postby cejka » Fri Sep 30, 2011 12:15 am

I tried to use the built-in DSM 3.2 LDAP server to authenticate users with Apache.

I've made a special conf file, ldaptest.conf, for it; here is its listing:

Code:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Directory "/ldaptest">
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPUrl "ldap://localhost:389/cn=users,dc=domain,dc=com??sub?(objectClass=*)" NONE
    AuthLDAPBindDN "uid=root,cn=users,dc=domain,dc=com"
    AuthLDAPBindPassword SECRETPASSWORD
    AuthType Basic
    AuthName "Restricted area"
    Require valid-user
</Directory>


And I included that file in /usr/syno/apache/conf/httpd.conf-user:
Code:
Include conf/extra/ldaptest.conf


If I try to access http://NASaddress/ldaptest, the server asks for credentials. When I fill in valid credentials I get Internal Server Error 500 or Not Found 404. The Apache error.log contains the following error message:

Code:
[Thu Sep 29 23:29:54 2011] [info] [client XXX.XXX.X.XXX] [13309] auth_ldap authenticate: user USER authentication failed; URI /ldaptest [LDAP: ldap initialization failed][Unknown (private extension) error]


I found that the competing QNAP NAS has a similar error: http://forum.qnap.com/viewtopic.php?p=219985 but with no solution.


I have no idea what kind of error it is and how it can be eliminated. Can anybody help?
cejka
Beginner
Posts: 26
Joined: Fri Nov 26, 2010 1:26 pm

Re: LDAP authentification used with Apache failed

Postby cejka » Sat Oct 01, 2011 12:43 am

I solved it.
cejka
Beginner
Posts: 26
Joined: Fri Nov 26, 2010 1:26 pm

Re: LDAP authentification used with Apache failed

Postby tuxtlequino » Sat Oct 01, 2011 8:16 am

What did you do?
tuxtlequino
Rookie
Posts: 30
Joined: Sat Jul 23, 2011 4:26 am

Re: LDAP authentification used with Apache failed

Postby skoffy » Wed Oct 05, 2011 11:26 am

Same problem. How have you solved it, Cejka?
skoffy
I'm New!
Posts: 1
Joined: Wed Oct 05, 2011 11:21 am

Re: LDAP authentification used with Apache failed

Postby cejka » Thu Oct 06, 2011 10:49 am

Hi buddies,

first of all, the purpose for which I want LDAP working is that I'm trying to set up the following chain: Apache + SSL + LDAP + Subversion + WebDAV + WebSVN.

Info
The following advice enables you to ask for credentials and pass any valid user stored in your LDAP directory. It works without SSL.

Prerequisites
  • I have my DSM updated to version 3.2.
  • I have a bootstrapped DS-209+ on which I tested it.
  • I have installed the LDAP directory package from Synology. I have a user in it, e.g. ldaptester.
  • I have enabled Web Station, so I tested it on the Apache originally supplied with DSM 3.2 (Apache 2.2.17).
  • Also, I've installed apr-util via IPKG.

Take a look at the things which need to be done.

  • Check that the /usr/syno/apache/modules dir contains a file named mod_ldap.so. It needs to be there!
  • Edit the file named /usr/syno/apache/conf/httpd.conf-user (NEVER EVER touch the file named httpd.conf-sys!!!) to include your custom LDAP-enabled configuration file in the "Supplemental configuration" section like this:

    Code:
    # LDAP test configuration
    Include conf/extra/ldaptest.conf

  • Create a new configuration file in /usr/syno/apache/conf/extra and name it ldaptest.conf
  • Add the following configuration lines to it:
    Code:
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

    <Location "/ldaptest">
        # Deny by host; "Satisfy any" below then admits clients that authenticate
        Order deny,allow
        Deny from all
        AuthName "LDAP TEST"
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off

        # Look the user up by uid below the base DN; NONE = no SSL/TLS to the LDAP server
        AuthLDAPURL "ldap://localhost:389/dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
        # Account Apache binds as to perform the search
        AuthLDAPBindDN "uid=LDAPUSER,cn=users,dc=DOMAIN,dc=TLD"
        AuthLDAPBindPassword "LDAPUSER_PASSWORD"

        Require valid-user
        Satisfy any
    </Location>


    The capitalised words DOMAIN, TLD, LDAPUSER and LDAPUSER_PASSWORD need to be edited by you according to what you set in your LDAP directory in DSM.
  • Create a new directory in /volume1/web and name it ldaptest. Put an index.html file into it with text like "LDAP Works!" or so.
  • The last and most important thing you have to do, and which is the cause of the error I mentioned above, is to copy 3 files from /opt/lib/apr-util-1 to /usr/syno/apache/lib/apr-util-1. These files are:
    Code:
    apr-ldap-1.so
    apr-ldap.la
    apr_ldap.so

How to test it
Open your browser and point it to http://YOUR_NAS_ADDRESS/ldaptest. The browser asks for credentials, and if you enter a valid combination of username and password of a user stored in your LDAP, it should now work.


Hope this helps.

But I ran into another issue with the supplied Apache and SVN over WebDAV. So I'm going to test it on the IPKG-installed Apache. Synology DS is a never-ending story. :)
cejka
Beginner
Posts: 26
Joined: Fri Nov 26, 2010 1:26 pm
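
A check for the steps in the post above, as an added example that is not part of the original post: the shell function reports which items of the checklist are still missing. The function name and its three optional path arguments are assumptions; the defaults are the paths named in the post.

```shell
# Added example (not from the thread): verify the checklist from the post.
# Usage: check_ldap_setup [apache_root] [ipkg_apr_util_dir] [web_root]
# Prints one line per missing item and returns non-zero if any is missing.

check_ldap_setup() {
    apache=${1:-/usr/syno/apache}      # Apache shipped with DSM
    optlib=${2:-/opt/lib/apr-util-1}   # apr-util installed via IPKG
    web=${3:-/volume1/web}             # Web Station document root
    rc=0

    [ -f "$apache/modules/mod_ldap.so" ] ||
        { echo "missing: modules/mod_ldap.so"; rc=1; }
    [ -f "$apache/conf/extra/ldaptest.conf" ] ||
        { echo "missing: conf/extra/ldaptest.conf"; rc=1; }
    # The Include must be active, i.e. not commented out.
    grep -Eq '^[[:space:]]*Include[[:space:]]+conf/extra/ldaptest\.conf' \
        "$apache/conf/httpd.conf-user" 2>/dev/null ||
        { echo "missing: Include line in conf/httpd.conf-user"; rc=1; }
    [ -d "$web/ldaptest" ] ||
        { echo "missing: $web/ldaptest"; rc=1; }

    # File names exactly as listed in the post. Without them in Apache's own
    # lib directory the post reports "ldap initialization failed".
    for f in apr-ldap-1.so apr-ldap.la apr_ldap.so; do
        [ -f "$apache/lib/apr-util-1/$f" ] && continue
        rc=1
        if [ -f "$optlib/$f" ]; then
            echo "missing: lib/apr-util-1/$f (copy it from $optlib)"
        else
            echo "missing: lib/apr-util-1/$f (not in $optlib either)"
        fi
    done
    return $rc
}
```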

Re: LDAP authentification used with Apache failed

Postby cejka » Thu Oct 06, 2011 9:23 pm

I can finally confirm a successful start of the IPKG Apache with LDAP and SSL enabled. And so I can confirm that IPKG Apache + LDAP works with a similar configuration to the one I mentioned above. If you have a problem running IPKG Apache, continue here: http://forum.synology.com/enu/viewtopic.php?f=34&t=23125 where I solved the IPKG Apache start.

Cheers.
cejka
Beginner
Posts: 26
Joined: Fri Nov 26, 2010 1:26 pm

Re: LDAP authentification used with Apache failed

Postby tuxtlequino » Sun Oct 09, 2011 3:39 pm

Thank you, thank you very much!!
tuxtlequino
Rookie
Posts: 30
Joined: Sat Jul 23, 2011 4:26 am

Re: LDAP authentification used with Apache failed

Postby Jco » Wed Jun 06, 2012 11:09 am

Hi,

Thanks for these very useful instructions. I managed to have it working.

One question: if I access the syno from WAN, will the password transit in clear? Is that an issue at all (since the server is "localhost")?

I tried to configure it with "ldaps" instead of "ldap" in the /usr/syno/apache/conf/extra/ldap.conf, but then I get a "404 not found" error when trying to connect.

Any leads?
Jco
I'm New!
Posts: 1
Joined: Wed Jun 06, 2012 11:04 am
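
The two network legs involved in the cleartext question above, as an added example that is not part of any post in this thread: a heuristic audit of a mod_authnz_ldap configuration that flags Basic auth reachable without TLS (browser to Apache) and unencrypted LDAP binds to a non-loopback server (Apache to LDAP). The function names, the finding labels and the second sample block with host ldap.example.test are assumptions constructed for the example.

```shell
# Added example (not from the thread). Heuristic audit of an Apache 2.2
# mod_authnz_ldap config: where can a password travel unencrypted?
# Assumes one directive per line and no spaces inside the LDAP URL.

audit_ldap_conf() {   # reads config files given as arguments, or stdin
    awk '
    { low = tolower($0); sub(/^[ \t]+/, "", low) }
    # Start of a <Location>/<Directory> block: remember its path.
    low ~ /^<(location|directory)[ \t]/ {
        block = $2; gsub(/[">]/, "", block); basic = 0; ssl = 0; next
    }
    low ~ /^authtype[ \t]+basic/ { basic = 1 }   # browser sends base64(user:pass)
    low ~ /^sslrequiressl/       { ssl = 1 }     # block refuses plain-HTTP requests
    # Apache-to-LDAP leg: ldap:// with mode NONE is cleartext. Loopback is
    # exempt because the bind never leaves the host. A missing mode is treated
    # as NONE (assumes LDAPTrustedMode is not set elsewhere).
    low ~ /^authldapurl[ \t]/ {
        url = $2; gsub(/"/, "", url)
        mode = (NF >= 3) ? toupper($3) : "NONE"
        host = url; sub("^ldaps?://", "", host); sub("[:/].*", "", host)
        if (url ~ /^ldap:/ && mode == "NONE" && host != "localhost" && host != "127.0.0.1")
            print "ldap-cleartext " host
    }
    # Browser-to-Apache leg: Basic auth reachable without TLS.
    low ~ /^<\/(location|directory)>/ {
        if (basic && !ssl) print "basic-auth-without-ssl " block
    }
    ' "$@"
}

# Constructed sample: the Location block from the thread, then a TLS variant.
sample_conf() {
    cat <<'EOF'
<Location "/ldaptest">
    AuthType Basic
    AuthLDAPURL "ldap://localhost:389/dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
</Location>
<Location "/ldaptest-tls">
    SSLRequireSSL
    AuthType Basic
    AuthLDAPURL "ldap://ldap.example.test:389/dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" STARTTLS
</Location>
EOF
}

sample_conf | audit_ldap_conf
```

For the thread's configuration the only finding is the Basic-auth leg: the LDAP bind stays on loopback, while the browser's credentials reach Apache over plain HTTP unless the location is served only over SSL.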

