I have joined my NAS to LDAP Server so that I have a second set of accounts. The DSM local user/group is the main one used for virtually everything, while LDAP is for second accounts used for Mail Server (to hide the .Maildir folder which would be visible in File Station), and VPN Server and SRM's VPN Plus. The DSM local user would be 'fred' and the LDAP user '[email protected]'.
When I set this up in DSM 6 I made the LDAP account have very restricted access to DSM's other features, including assigning No Access to shared folders. Having migrated to DSM 7 I now have found, through a lot of trial and error, that DSM local users and groups that have an equivalent in LDAP will get assigned the LDAP's permissions. Noting that restrictive permissions get priority over permissive then this resulted in the DSM users and groups losing access to shared folders and some packages.
Further it seems that not all packages are affected, mostly it seems to be affecting file system related packages: File System and SMB are while SFTP and WebDAV are not, and neither are things like Drive (except for accessing Team folders). It was loss of access to a Team folder in Drive that first alerted me to this.
I've made a temporary renaming in LDAP Server's user names so that '[email protected]' is, e.g., '[email protected]'. This then gets propagated into whichever packages are being used.
The main thing to avoid is putting restrictive privileges to LDAP '[email protected]' group as this affects DSM's 'users' group, and so other groups.
Raised to Synology Support.