starred/lldap-lldap

Fork 0

mirror of https://github.com/lldap/lldap.git synced 2026-04-25 00:05:50 +03:00

[GH-ISSUE #340] Support Synology #128

New issue

Closed

opened 2026-02-27 08:15:24 +03:00 by kerem · 9 comments

kerem commented

2026-02-27 08:15:24 +03:00

Owner

Originally created by @Roemer on GitHub (Oct 18, 2022).
Original GitHub issue: https://github.com/lldap/lldap/issues/340

I suppose many home users / home labbers have a Synology and want to use LLDAP for authentication.

Now Synologys LDAP implementation is a bit different. Here are a lot of information:
https://kb.synology.com/en-uk/DSM/help/DSM/AdminCenter/file_directory_service_join?version=7

I think there are two main things missing:

Unique IDs (User ID and Group ID

This is not a very big deal, as Synology has a HASH method where pretty much any field can be converted to an int but maybe it is better if LLDAP provide such IDs.

Crypted Passwords

Synology needs crypted Passwords from LLDAP according to RFC 2027 (see userPassword in https://www.ietf.org/rfc/rfc2307.txt)

Originally created by @Roemer on GitHub (Oct 18, 2022). Original GitHub issue: https://github.com/lldap/lldap/issues/340 I suppose many home users / home labbers have a Synology and want to use LLDAP for authentication. Now Synologys LDAP implementation is a bit different. Here are a lot of information: https://kb.synology.com/en-uk/DSM/help/DSM/AdminCenter/file_directory_service_join?version=7 I think there are two main things missing: ### Unique IDs (User ID and Group ID This is not a very big deal, as Synology has a `HASH` method where pretty much any field can be converted to an int but maybe it is better if LLDAP provide such IDs. ### Crypted Passwords Synology needs crypted Passwords from LLDAP according to RFC 2027 (see `userPassword` in https://www.ietf.org/rfc/rfc2307.txt)

kerem

2026-02-27 08:15:24 +03:00

closed this issue
added the
wontfix
label

kerem commented

2026-02-27 08:15:25 +03:00

Author

Owner

@Roemer commented on GitHub (Oct 18, 2022):

For the IDs, I see some possible ways:

Leave it as is and let Synology use HASH (however that makes sure they are unique)
Hash a field on our own and return that
Add an auto-increment field to User and Group and just return that
Allow to manually specify the ids via UI with a simple check for uniqueness

@Roemer commented on GitHub (Oct 18, 2022): For the IDs, I see some possible ways: 1. Leave it as is and let Synology use `HASH` (however that makes sure they are unique) 2. Hash a field on our own and return that 3. Add an auto-increment field to User and Group and just return that 4. Allow to manually specify the ids via UI with a simple check for uniqueness

kerem commented

2026-02-27 08:15:25 +03:00

Author

Owner

@kesuskim commented on GitHub (Oct 31, 2022):

Definitely look forward to it. What should possibly be done for it?

@kesuskim commented on GitHub (Oct 31, 2022): Definitely look forward to it. What should possibly be done for it?

kerem commented

2026-02-27 08:15:25 +03:00

Author

Owner

@nitnelave commented on GitHub (Oct 31, 2022):

Before doing something like that, I'd like to have a confirmation from the synology devs that there's no way to make it work with the current system, i.e. no way to get synology to try to log in to the LDAP server every time, rather than store the hash themselves.

@nitnelave commented on GitHub (Oct 31, 2022): Before doing something like that, I'd like to have a confirmation from the synology devs that there's no way to make it work with the current system, i.e. no way to get synology to try to log in to the LDAP server every time, rather than store the hash themselves.

kerem commented

2026-02-27 08:15:25 +03:00

Author

Owner

@Roemer commented on GitHub (Oct 31, 2022):

I've opened a ticket for the Synology Support. Let's see what they answer.

@Roemer commented on GitHub (Oct 31, 2022): I've opened a ticket for the Synology Support. Let's see what they answer.

kerem commented

2026-02-27 08:15:25 +03:00

Author

Owner

@Roemer commented on GitHub (Nov 2, 2022):

Ok I got the following response in the end:

In this case, the NAS will not be able to join the LDAP server since the "userPassword" field is indeed a requirement.

@Roemer commented on GitHub (Nov 2, 2022): Ok I got the following response in the end: ``` In this case, the NAS will not be able to join the LDAP server since the "userPassword" field is indeed a requirement. ```

kerem commented

2026-02-27 08:15:25 +03:00

Author

Owner

@nitnelave commented on GitHub (Nov 2, 2022):

That complicates things...

I'd like to avoid complicating the whole password management aspect of the
project, especially if it's going to lower security. I don't want to hash
the password on the client side, and I don't want to send the password in
clear over http if we can avoid it. If Synology needs the user password
field, then I'll have to declare it incompatible with LLDAP.

On Wed, 2 Nov 2022, 09:07 Roman, @.***> wrote:

Ok I got the following response in the end:

In this case, the NAS will not be able to join the LDAP server since the "userPassword" field is indeed a requirement.

—
Reply to this email directly, view it on GitHub
https://github.com/nitnelave/lldap/issues/340#issuecomment-1299758314,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGCPWMD7HNSBBEDCJKEKNTWGIOLDANCNFSM6AAAAAARIL7SEQ
.
You are receiving this because you commented.Message ID:
@.***>

@nitnelave commented on GitHub (Nov 2, 2022): That complicates things... I'd like to avoid complicating the whole password management aspect of the project, especially if it's going to lower security. I don't want to hash the password on the client side, and I don't want to send the password in clear over http if we can avoid it. If Synology needs the user password field, then I'll have to declare it incompatible with LLDAP. On Wed, 2 Nov 2022, 09:07 Roman, ***@***.***> wrote: > Ok I got the following response in the end: > > In this case, the NAS will not be able to join the LDAP server since the "userPassword" field is indeed a requirement. > > — > Reply to this email directly, view it on GitHub > <https://github.com/nitnelave/lldap/issues/340#issuecomment-1299758314>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAGCPWMD7HNSBBEDCJKEKNTWGIOLDANCNFSM6AAAAAARIL7SEQ> > . > You are receiving this because you commented.Message ID: > ***@***.***> >

kerem commented

2026-02-27 08:15:25 +03:00

Author

Owner

@Roemer commented on GitHub (Nov 2, 2022):

How about if we could enable this feature with an environment flag? So by default it would be as before but if someone really wants, he can enable that flag to get synology support on the cost of lower security.

@Roemer commented on GitHub (Nov 2, 2022): How about if we could enable this feature with an environment flag? So by default it would be as before but if someone really wants, he can enable that flag to get synology support on the cost of lower security.

kerem commented

2026-02-27 08:15:25 +03:00

Author

Owner

@nitnelave commented on GitHub (Nov 2, 2022):

The problem I have with this solution (I thought about it too) is that it
complicates the code a fair bit.

I don't know much about it, but is there a way to implement a Synology
plugin to provide LDAP authentication compatible with LLDAP?

On Wed, 2 Nov 2022, 09:21 Roman, @.***> wrote:

How about if we could enable this feature with an environment flag? So by
default it would be as before but if someone really wants, he can enable
that flag to get synology support on the cost of lower security.

—
Reply to this email directly, view it on GitHub
https://github.com/nitnelave/lldap/issues/340#issuecomment-1299789713,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGCPWOARXWIBC4OUZ5XPCTWGIP73ANCNFSM6AAAAAARIL7SEQ
.
You are receiving this because you commented.Message ID:
@.***>

@nitnelave commented on GitHub (Nov 2, 2022): The problem I have with this solution (I thought about it too) is that it complicates the code a fair bit. I don't know much about it, but is there a way to implement a Synology plugin to provide LDAP authentication compatible with LLDAP? On Wed, 2 Nov 2022, 09:21 Roman, ***@***.***> wrote: > How about if we could enable this feature with an environment flag? So by > default it would be as before but if someone really wants, he can enable > that flag to get synology support on the cost of lower security. > > — > Reply to this email directly, view it on GitHub > <https://github.com/nitnelave/lldap/issues/340#issuecomment-1299789713>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAGCPWOARXWIBC4OUZ5XPCTWGIP73ANCNFSM6AAAAAARIL7SEQ> > . > You are receiving this because you commented.Message ID: > ***@***.***> >

kerem commented

2026-02-27 08:15:25 +03:00

Author

Owner

@Roemer commented on GitHub (Nov 2, 2022):

Hmm I haven't seen a package with a custom authentication mechanism for Synology yet. I have the feeling that this won't be possible.

@Roemer commented on GitHub (Nov 2, 2022): Hmm I haven't seen a package with a custom authentication mechanism for Synology yet. I have the feeling that this won't be possible.

kerem referenced this issue

2026-02-27 08:17:58 +03:00

[PR #128] [MERGED] build(deps): bump peter-evans/dockerhub-description from 2 to 3 #554