Author Topic: [Solved] trying to connect Synology NAS to Zentyal

zippydan

[Solved] trying to connect Synology NAS to Zentyal
« on: August 13, 2013, 03:35:05 am »
The Synology directory service configuration seems very simple.

First I have to choose if I want to join a Domain or LDAP (this is my first problem).

I have been trying LDAP.  The only options it asks for are:

1. LDAP Server address (I'm using the static IP of my Zentyal 3.0 server)
2. Encryption (I've tried None and SSL)
3. Base DN (this is already prefilled and it is using something like DC=mycompanyname,DC=companybranch,DC=lan, and this is correct since my Domain was set up as mycompanyname.companybranch.lan)
4. Enable Windows CIFS support (I've tried off and on)

After that I click Apply and it asks for:

1. Bind DN or LDAP administrator account
2. Password

I've tried using the root and read-only root information from the Zentyal LDAP settings page.  I've also tried creating an Administrator user name just for the Synology.  No matter what I try, it gives me a very quick error of "Invalid credentials.  Please check your account name and password (509)".

I have set Zentyal to accept all internal network traffic for LDAP on the packet filter.  This does not seem like it should be super complicated.  Can someone give me a clue as to what I am missing?
« Last Edit: September 05, 2013, 02:25:24 am by zippydan »

christian

Re: trying to connect synology NAS to Zentyal
« Reply #1 on: August 13, 2013, 08:44:51 am »
What's your Zentyal version?

If running 2.x, then connect to LDAP on port 389.
If running 3.0, then you have to use port 390  ;)

easis

Re: trying to connect synology NAS to Zentyal
« Reply #2 on: August 15, 2013, 12:26:46 am »
I was having the same issue. I don't recall exactly, but some things I remember:
+ check that both Zentyal and the Synology are on the same network (ping from each to the other)
+ disable the firewall on both Zentyal & the Synology, just for a while until the problem is solved.

Long story:
I'm testing Zentyal as PDC (to replace an old M$ PDC server) and adding a new Synology NAS.
After setting up Zentyal as PDC and getting it working, I managed to join the Synology without issues...
But after playing with the security/firewall, changing some network segments and some distractions, and changing from one NIC to another (in the NAS), I ended up with the same problem.
Regards

--- Edit ---
I remember another possible cause: I followed the tutorial from "theJonas.net".
In video #2, at 09:43, he suggests changing the "Administration interface TCP port" from 443 to 444.
I don't know why, but changing this port blocked me from joining users/Windows to the PDC.
So, after resetting the port to 443 and rechecking the network and firewall, I managed to join the NAS to Zentyal.
« Last Edit: August 15, 2013, 12:43:37 am by elavionsistemas »

zippydan

Re: trying to connect synology NAS to Zentyal
« Reply #3 on: August 16, 2013, 11:51:10 pm »
elavion: are you running Zentyal 3.x or 2.x?

christian: after two days of back and forth e-mails with Synology, they said there is no way to change the port through the Synology WebUI.  They advised me to change the configuration through SSH manually, but when I then pointed out I needed to start the LDAP client service, not just edit a config file, they told me I was "past the point" they would support and advised me to return their product for refund.

I like this Synology product, but I am shocked at the terrible service and unwillingness to keep a customer.

So on the Zentyal side, the only option I really have is to go back to 2.x?  I don't see how elavion could have gotten his Synology to work with 3.x.

christian

Re: trying to connect synology NAS to Zentyal
« Reply #4 on: August 17, 2013, 07:38:20 am »
I'm perhaps going to start a long reply here. Sorry for this, but sometimes I don't know how to make it short and concise and accurate too.  :-[

- I can't comment about Synology because I never had to configure it and haven't even read documentation about this product.

- I'm still running Zentyal 2.2 because I don't need most of the features 3.0 brings. Some are really nice but some are just useless for my own purpose and have noticeable side effects. The "double LDAP" design is one of these drawbacks.

- I'm running 2 different NAS (because I don't like the idea of using Zentyal as both "internet gateway" and NAS for internal data):
   # one is running OpenMediaVault, which is fully configurable and successfully relies on Zentyal for account and group management.
   # the other one is a Netgear ReadyNAS: this one is less flexible, although it permits you to "join a Windows domain" in a way that is no more and no less than LDAP access. Thus it should work, but Netgear thinks that aside from Microsoft, there is nothing else. As a result, relying on an LDAP server that is not true AD doesn't really work (at least for me).

What I mean with above comments is that:
- yes you could revert back to Zentyal 2.2 if 3.0 whistles and bells are not mandatory for you
- it doesn't mean however that it will work fine  :-\

Trying to help with your current configuration:
- I really don't understand elavionsistemas's point. I never looked at this YouTube-based howto (I don't like the idea), but I don't understand how changing the admin interface port may have any impact on LDAP configuration  ::)  This is however a good practice. If you need any HTTPS service running on Zentyal other than the admin interface, it is mandatory to change this admin port. I always do this at the very beginning of any Zentyal installation (and I don't understand why the default install is not selecting another port).
- Selecting port 444 is a poor idea / proposal, as this port is supposed to be used by SNPP. Better select a port above 1024 and check twice that it is not in use.
- What can you do if you are caught between the need for Zentyal 3.0 and a Synology that is not flexible? Well, you could install somewhere (but not on Zentyal) a small piece of code that will act as an LDAP proxy. This will handle LDAP requests made on port 389 (because Synology can do anything else) and translate them into requests on port 390. A very long time ago I tested such a program (from Sun, when I was running Sun One Directory). I know some others exist here and there. Have a look, it may save your day  ;)

Last but not least: if you can, run this on port 636 rather than 389. When binding with LDAP, the password is sent using base64 encoding. This is not encryption, thus a clear password, which is the reason why LDAPS should always be used when authentication occurs  8)

I'll look at still existing LDAP proxy and will post here if I find one suitable.

easis

Re: trying to connect synology NAS to Zentyal
« Reply #5 on: August 19, 2013, 05:33:57 pm »
Hi, I'm using v3.x:
Time: Mon Aug 19 09:08:32 MDT 2013
Core version: 3.0.24 (3.0.25 available)

I set up/joined some test PCs on this Zentyal PDC and created some iSCSI targets on the Synology, which can be accessed after the first issues that I wrote about before.
In my tests, users from both the current Windows PDC (domain1) and the Zentyal PDC (domain2) can access any shared folder on the NAS, including some services like PhotoStation.
This NAS is a DS412+.

Regards

easis

Re: trying to connect synology NAS to Zentyal
« Reply #6 on: August 19, 2013, 06:04:18 pm »
Some comments in blue:

"I really don't understand elavionsistemas's point. I never looked at this YouTube-based howto (I don't like the idea), but I don't understand how changing the admin interface port may have any impact on LDAP configuration  ::)  This is however a good practice. If you need any HTTPS service running on Zentyal other than the admin interface, it is mandatory to change this admin port. I always do this at the very beginning of any Zentyal installation (and I don't understand why the default install is not selecting another port)."
I'm still learning how to deploy Zentyal as PDC. Maybe it's me, but I can't find good documentation to accomplish this (when I started testing), so when I saw thejonas's tutorials working I gave them a try. All worked from the beginning, including adding the NAS, but just after the changes like the "444 port" and the firewall is when I had the same issues as the OP.

"Selecting port 444 is a poor idea / proposal, as this port is supposed to be used by SNPP. Better select a port above 1024 and check twice that it is not in use."
And now I know. Thanks!

Regards
N.B. I added a screenshot from the tutorial where 443 is changed to 444, at 0:09:49 in the video: Zentyal 3.0 - Initial Configuration (Tutorial 2)

christian

Re: trying to connect synology NAS to Zentyal
« Reply #7 on: August 19, 2013, 06:10:42 pm »
Do not misunderstand my point: I'm not saying your implementation is poor; my comment is that this video tutorial suggesting to use port 444 is not that clever. BTW, just because you find something on the internet, even on YouTube, it doesn't mean this is the absolutely perfect and unique true solution  ;)

Back to your implementation:
Do you mean you created an iSCSI target and then mounted it from Zentyal to expose it to users via a Zentyal share?

easis

Re: trying to connect synology NAS to Zentyal
« Reply #8 on: August 19, 2013, 07:22:01 pm »
"Do not misunderstand my point: I'm not saying your implementation is poor; my comment is that this video tutorial suggesting to use port 444 is not that clever. BTW, just because you find something on the internet, even on YouTube, it doesn't mean this is the absolutely perfect and unique true solution  ;)"
No worries. BTW, do you know of official documentation to set up Zentyal as PDC? (I don't intend to hijack this post, sorry, but I just found this post: http://forum.zentyal.org/index.php/topic,12603.0.html)

"Back to your implementation:
Do you mean you created an iSCSI target and then mounted it from Zentyal to expose it to users via a Zentyal share?"
Well... no. On the NAS/Synology I created some iSCSI targets, which are then used FROM the computers joined to this Zentyal PDC. But if I find time I'll try what you ask; no promises ;).
« Last Edit: August 19, 2013, 07:29:19 pm by elavionsistemas »

zippydan

Re: trying to connect synology NAS to Zentyal
« Reply #9 on: September 04, 2013, 02:17:51 am »
I have not changed any ports that I know of.  This is a pretty fresh installation of Zentyal 3.

I finally got Synology to use port 390 by editing the config files via SSH and tricking it into starting its service.

However, binding to the Zentyal LDAP is still failing with the error "Invalid credentials.  Please check your account name and password".  Again, this is on the Synology side.  Everything I have set up is in a config file called nslcd.conf on the Synology, and here is how I have configured it:

uri ldap://zentyalLANip:390
base exactly what is shown under "LDAP Settings" -> "LDAP Information" -> Base DN
binddn exactly what is shown under "LDAP Settings" -> "LDAP Information" -> Read-only root DN
bindpw exactly what is shown under "LDAP Settings" -> "LDAP Information" -> Read-only password

So what am I doing wrong?

christian

Re: trying to connect synology NAS to Zentyal
« Reply #10 on: September 04, 2013, 04:43:28 am »
You can still check what happens on the LDAP server side now that you have applied the changes on the NAS.
In order to do so, you first need to increase the LDAP log level. This is done by modifying the olcLogLevel attribute in cn=config.

zippydan

Re: trying to connect synology NAS to Zentyal
« Reply #11 on: September 04, 2013, 07:26:56 pm »
Wow, what a hassle just to change a log level!!

I'm trying to follow the instructions on this page http://blog.suretecsystems.com/archives/163-OpenLDAP-Quick-Tips-Change-loglevels-on-the-fly!.html but I get stuck on the first step.  After the ldapsearch command, it asks me for my LDAP password.  I tried the LDAP passwords for zentyal and zentyalro, with no success.  I also tried running the command as sudo.

...  Any good guides for this?

Edit: I seem to have found this guide from you haha: http://forum.zentyal.org/index.php?topic=8534.0
I will see if I can make any progress from this.
« Last Edit: September 04, 2013, 07:29:56 pm by zippydan »

zippydan

Re: trying to connect synology NAS to Zentyal
« Reply #12 on: September 05, 2013, 01:24:51 am »
So, I installed JXplorer and was able to modify the olcloglevel to 256.

I reviewed /var/log/syslog and I can see the Synology server trying to connect, but the information doesn't seem very helpful:

the first line shows an ACCEPT from my Synology LAN IP
the next line shows BIND dn="cn=zentyal,dc=company,dc=lan" method=128
the next line shows RESULT tag=97 err=49 text=
the last line shows connection closed

Well, error 49 is pretty much the exact same thing the Synology server was telling me: invalid credentials.  Error 49 indicates either an invalid Bind DN or an invalid password.  I have tried using both cn=zentyal and cn=zentyalro with their respective passwords from the LDAP Settings page on the Zentyal web admin.  Both fail with the same error 49.

On a side note, I was able to successfully connect using JXplorer and the cn=zentyal info.  I COULD NOT CONNECT using JXplorer and the cn=zentyalro info.  I don't know if that is normal, but anyway I can't connect with either from the Synology.
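As an added example (not from the post, and not Zentyal's or Synology's code), here is how those four syslog lines can be read mechanically: a parser for slapd's stats-level (olcLogLevel 256) log that ties ACCEPT, BIND and RESULT together by connection id, names the result code (49 is invalidCredentials) and flags simple binds on any port other than 636, since the password then crosses the LAN in the clear, as christian noted earlier. The log lines are constructed to match the shapes described above; the IP and DN values are placeholders.

```python
import re

# Constructed sample of slapd "stats" log lines (olcLogLevel 256) in syslog form,
# shaped like the four lines described in the post above. Not real log data.
SAMPLE_LOG = """\
Sep  5 01:20:01 zentyal slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.168.1.50:41234 (IP=0.0.0.0:390)
Sep  5 01:20:01 zentyal slapd[1234]: conn=1001 op=0 BIND dn="cn=zentyal,dc=company,dc=lan" method=128
Sep  5 01:20:01 zentyal slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Sep  5 01:20:01 zentyal slapd[1234]: conn=1001 fd=12 closed
Sep  5 01:21:07 zentyal slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.168.1.50:41240 (IP=0.0.0.0:390)
Sep  5 01:21:07 zentyal slapd[1234]: conn=1002 op=0 BIND dn="uid=Synology,ou=Users,dc=company,dc=lan" method=128
Sep  5 01:21:07 zentyal slapd[1234]: conn=1002 op=0 BIND dn="uid=Synology,ou=Users,dc=company,dc=lan" mech=SIMPLE ssf=0
Sep  5 01:21:07 zentyal slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep  5 01:21:08 zentyal slapd[1234]: conn=1002 fd=13 closed
"""

# LDAP resultCode names (RFC 4511) for the codes a bind most often returns
LDAP_RESULT = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
               48: "inappropriateAuthentication", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)")


def parse_binds(log_text):
    """Tie ACCEPT, BIND and RESULT lines together by conn/op id; one record per bind."""
    conns = {}     # conn id -> (client ip, server port)
    pending = {}   # (conn, op) -> bind waiting for its RESULT line
    records = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m[1]] = (m[2], int(m[3]))
        elif m := BIND_RE.search(line):   # the "mech=SIMPLE ssf=0" echo line has no method=, so it is skipped
            client, port = conns.get(m[1], ("?", 0))
            pending[(m[1], m[2])] = {"conn": m[1], "client": client, "port": port,
                                     "dn": m[3], "method": int(m[4])}
        elif m := RESULT_RE.search(line):
            rec = pending.pop((m[1], m[2]), None)
            if rec is None or m[3] != "97":   # tag 97 is a bindResponse
                continue
            rec["err"] = int(m[4])
            rec["result"] = LDAP_RESULT.get(rec["err"], "code %d" % rec["err"])
            # method 128 is a simple bind: unless it rides on LDAPS (636) the password is in clear
            rec["cleartext_simple_bind"] = rec["method"] == 128 and rec["port"] != 636
            records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_binds(SAMPLE_LOG):
        print("%s -> bind as %s on port %d: %s%s" % (r["client"], r["dn"], r["port"], r["result"],
              " [simple bind in clear]" if r["cleartext_simple_bind"] else ""))
```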

zippydan

Re: trying to connect synology NAS to Zentyal
« Reply #13 on: September 05, 2013, 01:51:17 am »
ok, I tried something else, and it seems to have worked, but it leaves me with the following questions:

1. Why did creating a new user work?
2. Why does using cn=zentyal and/or cn=zentyalro NOT work?
3. Am I going to run into any problems binding my Synology to the LDAP server using its own user instead of zentyal or zentyalro?

Here is what I did:

I made a new user on Zentyal called "Synology" and added it to the Domain Admins group.

Then, in the Synology box's nslcd.conf, I used the standard "base DN" from Zentyal's "LDAP Settings" page, but for "bindDN" I used

uid=Synology,ou=users,dc=company,dc=lan

And of course for the "bindPW", I used the password for the Synology account I created in Zentyal.

So Christian, give me the analysis.  Should I have any trouble with this setup?  Any reason not to use this setup?  I can now browse users and groups on my Synology box.

For anyone that needs to know how to "trick" the Synology into starting the LDAP client service and then changing the port, it is simple: just set up the Synology box to connect to any other LDAP server that runs on 389.  The easiest way to do this is

1. Go to the Synology Package Center and install the free Directory Server package.  You can then very quickly get an LDAP server running on the Synology box itself.
2. Then use the Synology LDAP Client (located in Control Panel -> Directory Service -> LDAP) to connect to localhost.  Actually, after installing the Directory Server, the web admin should offer to do this for you automatically.
3. Now the Synology LDAP Client is connected and set to start automatically with each boot.  All you have to do now is enable SSH, connect to the Synology box via the command line (use root and your normal admin password) and mess around with the /usr/syno/etc/nslcd.conf config file.  Of course, your first order of business will be to change the "uri" line to ldap://zentyal-server-ip:390, then you can use my solution above for the "base", "binddn", and "bindpw" configuration lines.  Save your changes and exit.  Back in the Synology webadmin, it looks like the only thing you need to do to refresh the config file is to quit the Directory Service control panel window and reopen it.  If it shows a green "Connected" then you are all good!
4. You can stop the Synology's LDAP Server now and even uninstall the Directory Server package, if you want.
« Last Edit: September 05, 2013, 01:53:27 am by zippydan »

christian

Re: trying to connect synology NAS to Zentyal
« Reply #14 on: September 05, 2013, 05:48:11 am »
So Christian, give me the analysis.  Should I have any trouble with this setup?  Any reason not to use this setup?  I can now browse users and groups on my Synology box.

Trying to be modest, I'd say that rather than THE analysis, I'll share my understanding  ;)

Basically, what you explain is that you can't use the zentyalro account, but this aside, LDAP authentication from the Synology works.
To me this is most likely due to a typo, e.g. when you copy/paste a password, it often adds a trailing "space" character at the end of the string. Did you try to copy/paste this password into, e.g., Notepad and see what you get before pasting it into the Synology config file?

This said, are you at risk? I don't think so  ;)
The Zentyal team introduced the zentyalro account when they realized that, although this was not supposed to be done this way, Zentyal users were using Zentyal LDAP as a back-end repository for external applications. Using the zentyal account here is risky because it permits these external applications to change any LDAP content. So a read-only account is better, but only slightly better. Why?  Because there is basically no ACL with Zentyal LDAP.
Aside from the zentyal admin account and the zentyalro account, any other account is also authorized to read LDAP content and get the list of users and groups  ::)

The idea behind the use of a specific read-only account is to grant this account access rights that are not granted to standard accounts, e.g. you may have some groups or some attributes that can't be read with your own account. But this doesn't exist with Zentyal, or at least not in a way that will prevent your Synology from working, so you can go ahead. Nevertheless, give my above explanation a try and check twice to understand why the zentyalro account doesn't work.
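A small lint for the nslcd.conf lines zippydan described above (uri on port 390, base, binddn, bindpw) that also catches the pasted trailing space christian suspects here. This is an added example, not Synology's or Zentyal's code; the config values are placeholders, the port 390 default comes from the thread, and the RDN_ATTRS set is an assumption listing the attribute types seen in DNs on this page plus a few common ones.

```python
import re

# Constructed nslcd.conf in the shape the thread describes; values are placeholders,
# not real Zentyal or Synology settings. The bindpw line carries a pasted trailing space.
SAMPLE_NSLCD_CONF = (
    "uri ldap://192.0.2.10:390\n"
    "base dc=company,dc=lan\n"
    "binddn uid=Synology,ou=Users,dc=company,dc=lan\n"
    "bindpw s3cret-placeholder \n"   # trailing space, the copy/paste pitfall christian describes
)

# Assumed set of attribute types that may appear in an RDN for this kind of directory
RDN_ATTRS = {"dc", "cn", "ou", "uid", "o", "c", "l", "st"}


def parse_nslcd(text):
    """nslcd.conf is one 'key value' per line; the raw value is kept so whitespace stays visible."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.strip().lower()] = value   # deliberately not stripped: a trailing space is a finding
    return conf


def check_nslcd(conf, expected_port=390):
    """Return a list of findings about the uri, binddn/base consistency and bindpw."""
    findings = []
    uri = conf.get("uri", "").strip()
    m = re.fullmatch(r"(ldaps?)://([^:/]+)(?::(\d+))?", uri)
    if not m:
        findings.append("uri is not a plain ldap:// or ldaps:// URI: %r" % uri)
    else:
        scheme, _, port = m.groups()
        port = int(port) if port else (636 if scheme == "ldaps" else 389)
        if scheme == "ldap" and port != expected_port:
            findings.append("uri port %d: Zentyal 3.0 serves LDAP on %d" % (port, expected_port))
        if scheme == "ldap":
            findings.append("uri uses ldap://, so the simple-bind password crosses the LAN unencrypted")
    base = conf.get("base", "").strip().lower()
    binddn = conf.get("binddn", "").strip().lower()
    for rdn in binddn.split(","):
        attr = rdn.partition("=")[0].strip()
        if attr not in RDN_ATTRS:
            findings.append("binddn RDN %r uses unknown attribute type %r (typo for dc=?)" % (rdn, attr))
    if base and binddn and not binddn.endswith(base):
        findings.append("binddn does not end with the base DN")
    pw = conf.get("bindpw", "")
    if pw != pw.strip():
        findings.append("bindpw has leading/trailing whitespace (classic copy/paste artefact)")
    return findings
```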