Since OSX 10.7.4 LDAP network logins fail

An integrated account management LDAP server for DiskStations, Linux, and Mac clients.

Postby caleb.mcdonald » Wed May 09, 2012 11:01 pm

Hi, I have been using my Synology DS1512+ for the past week or so and loving it! And this is my first post also.
I set up the LDAP server on the NAS, and my iMac has been happily logging in using its LDAP server/users... up until this morning. I updated OSX to 10.7.4, which from my understanding includes a fix to do with LDAP that stops plain text of the LDAP user's password or something being saved to the HDD. But the fact it's no longer logging into the iMac using the NAS's LDAP users is very worrying.

I've disconnected from the LDAP via OSX, rebooted, and re-added LDAP as per your manual, to no avail! (The green LED is lit saying it's connected after a reboot once I've connected it, so it keeps the connection fine.) As further testing, I clicked the option in OSX "allow only the selected network users to log in", which normally allows you to see the users available from the LDAP server... and it's blank! As if the NAS/LDAP server is no longer presenting, or I should say OSX is no longer able to read, the LDAP information being presented to it by the NAS/LDAP server.

Is anyone else having this issue? Is there an easy fix, or do we have to wait for Synology to release an update to the LDAP server package for it to now work with the latest OSX update?

Many thanks
caleb.mcdonald
Trainee
Posts: 15
Joined: Wed May 09, 2012 10:53 pm

Postby Jeremie » Thu May 10, 2012 6:25 am

Welcome to the forum,

Just to let you know, our support team can get in touch with you to solve technical issues; just fill in a form:
https://myds.synology.com/support/suppo ... p?lang=enu
You're welcome to PM me your ticket # so we can match you to this post.

Jeremie
Synology Inc
Posts: 312
Joined: Wed Apr 25, 2012 2:22 am

Postby caleb.mcdonald » Tue May 15, 2012 6:24 am

Is it possible that the changes made in OSX Lion since the update with Samba have something to do with this issue?

http://forums.appleinsider.com/t/121142 ... st_1834105

Developers report that Apple has internally officially announced that it will pull Samba from Mac OS X Lion and Lion Server, and replace it with Windows networking software developed by Apple.


--

Things I've tried so far:
- Turned LDAP server/client on NAS off
- Re-enabled LDAP server/client on NAS
- Rebooted NAS
- Re-added LDAP server to OS X, green LED (as always)
- Logged off as local admin, attempted LDAP/network user login to no avail

Did notice the following in regard to the LDAP settings in OS X Lion:

OS X Lion can see the users straight after you add the LDAP server:
Image

If you cancel out of this window, and go back again, it can no longer see the users:
Image
caleb.mcdonald
Trainee
Posts: 15
Joined: Wed May 09, 2012 10:53 pm

Postby caleb.mcdonald » Mon May 21, 2012 10:27 am

After a meeting with Synology support staff, they were able to correct the problem I was having! I have tested the LDAP login and everything is now working perfectly fine! Very happy.

Please note though that the LDAP Synology manual (DirectoryServer_enu.pdf) has an error in it, or I should say since the latest OSX Lion update, a requirement which I have now made known to the Synology staff to correct.

On page 16 (Chapter 2), at step 3 sub-point "b", it says:

In the expanded list of LDAP servers, enter the name or IP address of the DiskStation that hosts Directory Server, and then choose RFC2307 from the drop-down menu. If you see a message prompting you to enter search DN suffix, click OK first.


However after today's meeting with their engineer (Synology), the DN suffix had to be entered for the LDAP user accounts to now work on the iMac! As soon as this data was entered, everything started working.

Thank you so much to the Synology engineer who resolved this problem for me, many thanks.
caleb.mcdonald
Trainee
Posts: 15
Joined: Wed May 09, 2012 10:53 pm

Postby danielp » Tue May 22, 2012 4:21 am

As a follow-up, it appears Apple has changed something in Mac OS X 10.7.4 regarding Active Directory that affected LDAP authentication:

Apple's Knowledge Base

After upgrading to 10.7.4, users will need to input the DN suffix for LDAP.
danielp
Knowledgeable
Posts: 316
Joined: Thu Mar 24, 2011 6:08 am

Postby sconsulting » Wed Jul 04, 2012 11:20 pm

However after today's meeting with their engineer (Synology), the DN suffix had to be entered for the LDAP user accounts to now work on the iMac! As soon as this data was entered, everything started working.


Unfortunately that didn't work in my case. Is it correct that the DN suffix refers to the Base DN of the directory server? Or what did you enter there? In my case it is quite strange: under OSX Account settings I get a connection to the Directory Server, and I can even choose the users who are allowed to log on; however, at the OSX logon the login fails...

Any help appreciated!
sconsulting
Trainee
Posts: 12
Joined: Wed Jul 04, 2012 11:15 pm

Postby zenmind » Sat Jul 07, 2012 3:02 am

I also entered the Base DN as the Suffix and it did not work for me either.
zenmind
I'm New!
Posts: 1
Joined: Sat Jul 07, 2012 2:56 am

Postby sconsulting » Sun Jul 08, 2012 1:26 pm

I really hope that Synology either updates the documentation correctly or releases a Directory Server update to make this work with OSX Lion 10.7.4.
sconsulting
Trainee
Posts: 12
Joined: Wed Jul 04, 2012 11:15 pm

Postby sconsulting » Sun Jul 08, 2012 1:43 pm

In this thread I eventually found the answer, however, I was not able to test this yet:
viewtopic.php?f=183&t=41711

3. In the next window, select a description (how do you want your directory to be identified). As a search base, enter your NAS's IP in the LDAP form which for this example is dc=192,dc=168,dc=1,dc=10. You do not need authentication, but if you want to use it, your login would be uid=directory,cn=users,dc=192,dc=168,dc=1,dc=10 and your password would be ****.


Can anyone verify this?
sconsulting
Trainee
Posts: 12
Joined: Wed Jul 04, 2012 11:15 pm

Postby markr » Tue Dec 18, 2012 9:03 pm

zenmind wrote: I also entered the Base DN as the Suffix and it did not work for me either.


For Lion you also need to modify some plist settings. Open the terminal and run:
Code:
# Go to the Open Directory configuration folder
cd /Library/Preferences/OpenDirectory/Configurations
# Show the current LDAP module options for this server
sudo /usr/libexec/PlistBuddy -c "Print ':module options:ldap'" LDAPv3/my.com.plist
# Add CRAM-MD5, NTLM and GSSAPI to the list of denied SASL methods
sudo /usr/libexec/PlistBuddy -c "Add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" LDAPv3/my.com.plist
sudo /usr/libexec/PlistBuddy -c "Add ':module options:ldap:Denied SASL Methods:' string NTLM" LDAPv3/my.com.plist
sudo /usr/libexec/PlistBuddy -c "Add ':module options:ldap:Denied SASL Methods:' string GSSAPI" LDAPv3/my.com.plist

Substitute your Synology server IP/address for 'my.com'. Reboot.
markr
I'm New!
Posts: 4
Joined: Tue May 08, 2012 8:42 pm
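
A way to check, before entering a DN suffix or editing the plist, which base DN and SASL mechanisms the directory server actually advertises. This is an added example, not part of any post in this thread or of Synology's documentation; the function names and the sample root DSE reply are constructed for illustration, and my.com is the placeholder from the post above.

```shell
#!/bin/sh
# Constructed sample of a root DSE reply (not captured from a real DiskStation).
# Against a live server, comparable LDIF comes from:
#   ldapsearch -x -LLL -H ldap://NAS_ADDRESS -s base -b "" \
#       namingContexts supportedSASLMechanisms
SAMPLE_ROOTDSE='dn:
namingContexts: dc=192,dc=168,dc=1,dc=10
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI'

# Print each plain-text value of one attribute ($1 = LDIF text, $2 = attribute).
# Attribute names match case-insensitively; base64 ("attr::") values are skipped.
ldif_values() {
    printf '%s\n' "$1" | awk -v attr="$2" '
        BEGIN { key = tolower(attr) ":" }
        tolower(substr($0, 1, length(key))) == key {
            v = substr($0, length(key) + 1)
            if (v ~ /^:/) next
            sub(/^[ \t]+/, "", v)
            print v
        }'
}

# Base DN to enter as the search DN suffix: the first naming context offered.
search_base() {
    ldif_values "$1" namingContexts | head -n 1
}

# Advertised mechanisms that the fix above adds to "Denied SASL Methods".
mechs_to_deny() {
    ldif_values "$1" supportedSASLMechanisms | grep -E -x 'CRAM-MD5|NTLM|GSSAPI'
}

# Print (do not run) one PlistBuddy command per mechanism; $2 = server name.
deny_commands() {
    mechs_to_deny "$1" | while read -r mech; do
        printf "sudo /usr/libexec/PlistBuddy -c \"Add ':module options:ldap:Denied SASL Methods:' string %s\" LDAPv3/%s.plist\n" "$mech" "$2"
    done
}

echo "Search base: $(search_base "$SAMPLE_ROOTDSE")"
deny_commands "$SAMPLE_ROOTDSE" my.com
```

The fix in this thread denies exactly these three mechanisms, so DIGEST-MD5 in the constructed sample is left alone; if the client ends up using a simple bind, the password is only protected when the LDAP connection itself uses SSL/TLS.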

