SSH access for LDAP users

An integrated account management LDAP server for DiskStations, Linux, and Mac clients.
tonycpsu
I'm New!
Posts: 5
Joined: Sat Mar 10, 2012 6:11 pm

SSH access for LDAP users

Unread post by tonycpsu » Sat Mar 10, 2012 6:39 pm

I've set up my DS1511+ (running DSM 4.0 2198) as an LDAP server. Most things seem to be working, but I can't seem to log in via SSH with LDAP users.

If I just try to "su" to an LDAP user, I get the following error:

    mona> su user@domain.loc
    su: can't run /sbin/nologin: No such file or directory

However, the user has a loginShell attribute in LDAP (set to /bin/sh). It appears something in the Synology LDAP setup is ignoring this mapping. I thought there might be some attribute filtering going on in /usr/syno/etc/nslcd.conf, but "loginShell" doesn't appear there.

Has anyone managed to get ssh logins of LDAP users working, and if so, what did you do?

Thanks

bud77
Seasoned
Posts: 511
Joined: Tue Mar 06, 2012 3:23 pm
Location: France

Re: SSH access for LDAP users

Unread post by bud77 » Sat Mar 10, 2012 8:06 pm

Try to edit your /etc/passwd file, and make sure those users have a valid shell login

tonycpsu
I'm New!
Posts: 5
Joined: Sat Mar 10, 2012 6:11 pm

Re: SSH access for LDAP users

Unread post by tonycpsu » Sat Mar 10, 2012 8:07 pm

These are LDAP users, not local users. LDAP users don't have /etc/passwd entries.

tonycpsu
I'm New!
Posts: 5
Joined: Sat Mar 10, 2012 6:11 pm

Re: SSH access for LDAP users

Unread post by tonycpsu » Thu Mar 15, 2012 4:10 pm

So, I got a response to my support request about this issue:

    Thank you for contacting Synology America Tech Support. My name is Ryan, and I am glad to assist you.

    Unfortunately, SSH is only available for admin and root. The admin password is linked to the root user.

    Please contact us if you need further assistance.

Kind of a bummer. I wonder if things would work if I installed the optware openssh port instead of relying on the crippled Synology sshd.

dvizard
I'm New!
Posts: 4
Joined: Tue Jan 24, 2012 12:33 am

Re: SSH access for LDAP users

Unread post by dvizard » Sat Apr 21, 2012 8:24 pm

Bump! This sucks horsedicks.

First off, their answer is clearly wrong. SSH is clearly possible for non-root local users. It's even possible with PPK authentication if the home user directory is never messed with (like, moved around and [Please control your language].) Just not for LDAP users.

Second, all I would need to know is where that mapping takes place. Since most users actually log in on Ubuntu machines, it makes sense to separate the Synology-side login shell from the Ubuntu-side login shell (/bin/bash in our case), since /bin/bash isn't available on the (plain) Synology. All I would need to do is to overwrite the /sbin/nologin replacement.

exp3rt
Trainee
Posts: 12
Joined: Fri Jan 02, 2009 9:21 pm

Re: SSH access for LDAP users

Unread post by exp3rt » Tue Mar 19, 2013 1:59 am

I am stuck with the same issue - ssh login and usage of rsync by a user defined in LDAP. Did you ever find out what's going wrong here?

norrellmeister
Trainee
Posts: 10
Joined: Sat Sep 17, 2011 7:37 pm

Re: SSH access for LDAP users

Unread post by norrellmeister » Tue Dec 10, 2013 5:15 pm

FYI folks, this is Synology's doing.

From the Synology Open Source release for CedarView ( in the nss-pam-ldapd folder in the nslcd subfolder ):

< in config.h.in >

    /**
     * Fix DSM #25858. Remap shell to /sbin/nologin to disallow SSH/Telnet access.
     */
    #define MY_ABC_HERE

< and in passwd.c ... >

    #ifdef MY_ABC_HERE
    WRITE_STRING(fp,"/sbin/nologin");   /* every LDAP account: loginShell from the directory is ignored */
    #else
    WRITE_STRING(fp,shell);             /* stock nslcd: shell field comes from the directory */
    #endif

They are manually overriding the shell, and from what I'm seeing here, unless you want to rebuild nslcd or install your own, which would be quite invasive, there's no way to fix this. LDAP users don't get to log in with a shell, period.
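A small diagnostic, added here and not part of the thread, that shows what NSS (local passwd, nslcd, or anything else in nsswitch) actually hands back as an account's shell and why su or sshd would refuse it; on a box with the override above an LDAP account reports "nologin" or, since /sbin/nologin does not even exist on DSM, "missing". The function names and the classification words are my own.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): classify the login shell NSS
# returns for an account. Run as: sh check_shell.sh user@domain.loc

# Classify one shell path. Prints exactly one word:
#   nologin  - deliberately disabled shell (nologin/false), as nslcd emits
#   missing  - path is not executable; su then fails with "can't run ..."
#   unlisted - executable but not in /etc/shells (chsh/ftpd reject these)
#   ok       - executable and listed (or no /etc/shells to check against)
classify_shell() {
    shell=$1
    case "${shell##*/}" in
        nologin|false) echo nologin; return 0 ;;
    esac
    [ -x "$shell" ] || { echo missing; return 0; }
    if [ -r /etc/shells ] && ! grep -qxF "$shell" /etc/shells; then
        echo unlisted; return 0
    fi
    echo ok
}

# Resolve an account through NSS and classify field 7 of its passwd line.
# Prints "nouser" when no NSS source knows the account (or getent is absent).
user_shell_status() {
    entry=$(getent passwd "$1" 2>/dev/null) || { echo nouser; return 0; }
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    classify_shell "${shell:-/bin/sh}"   # empty shell field means /bin/sh
}

for u in "$@"; do
    printf '%s: %s\n' "$u" "$(user_shell_status "$u")"
done
```

For an LDAP account this shows the shell nslcd really emits rather than the loginShell attribute you set in the directory, which is the quickest way to confirm the override is in effect.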

SimonH
Beginner
Posts: 22
Joined: Sat Oct 27, 2012 8:39 pm

Re: SSH access for LDAP users

Unread post by SimonH » Thu Jan 02, 2014 10:20 pm

norrellmeister wrote:
    FYI folks, this is Synology's doing.
    ...

Thanks for this investigation norrellmeister.

I'm finding Synology's support for LDAP users somewhat frustrating. One of my goals in migrating to Syno was to have a central user database accessible from all of my Linux VMs/environments - ironically, it is some apps installed on the Syno itself that are having the most issues (the latest being the Synology-supplied Git Server, which only now appears to be able to set the git-shell for local, not LDAP, users :( ).
DS213+ running LMS, LDAP (broken since DSM6), Syslog, PhotoStation, CloudStation, git
Squeezebox: Radio, Touch, SpOS Joggler

foca
I'm New!
Posts: 3
Joined: Wed Dec 10, 2014 10:55 pm

Re: SSH access for LDAP users

Unread post by foca » Tue Mar 10, 2015 10:31 pm

Ugh, is there a fix for this other than resetting the OS?

I uninstalled the Git synology package but still cannot login via SSH. No way that I know of to access /etc to fix the shell and login. This is really disappointing.

efesto
I'm New!
Posts: 3
Joined: Tue Nov 21, 2017 10:44 am

Re: SSH access for LDAP users

Unread post by efesto » Wed Nov 22, 2017 12:21 pm

Hi all,

Just discovered this as I'm facing the same issue.
I have now updated to DSM 6.2 and reinstalled the LDAP and AD.
I've created a new test@ldap.mynas with admin permissions.

Logged in with my admin user: adminuser@mynas
Scaled up the permissions with sudo -i to become root
Tried to run:

    su - test@ldap.mynas

Result:

    su: can't run /sbin/nologin: No such file or directory

So the question is: is it still the case that Synology has the hack in place?

thanks.
L.
