PWM for Radius / LDAP on Synology Disk Stations

holthau...@googlemail.com

Aug 7, 2014, 8:49:35 AM
to pwm-g...@googlegroups.com
Hello

I am new to LDAP directories. I would like to set up PWM for self-registering users to use a wireless LAN. I have a Synology Disk Station which has a built-in LDAP server (OpenLDAP, I think) and a RADIUS server (FreeRADIUS).

Now my issue is to use PWM on the LAN for employees to register for WLAN access. My LDAP is running and I have external access to it by phpLDAPadmin, and to FreeRADIUS as well. I also have a connection from PWM. But as Synology seems to manage users by posixAccounts, and these require gidNumber and uidNumber, I stumbled around for hours but I am not able to use the "new user registration" module.
Only errors occur for missing fields...

Now I would like to ask you if you are interested in writing a configuration file to import into PWM for the Synology LDAP server. Then many users will easily be able to use your software for the same issue as me and secure their wireless in a few minutes.

I attached the LDIF of the LDAP DN created by phpLDAPadmin.
There are two "groups", blocked_user and wlan_user, which I created on my Synology DSM, because every newly registered user has to be in "blocked_user" until an admin moves it to "wlan_user". This is caused by Synology's LDAP, which adds every new user automatically to "users". You are not able to deselect it.
And because of the FreeRADIUS app on DSM it is only possible to block specified user groups. In fact it would be nonsense to block "users" because every user is in this group.
So we have to add it to blocked_user, which is a blocked group on FreeRADIUS. After it is moved to wlan_user, access will be granted by FreeRADIUS.

OK, that was complicated and not the best written English as well. I hope you understand my issue and I'm looking forward to your reply.

-----------------------------------------------------------------------------

# LDIF Export for dc=ldap,dc=DOMAIN,dc=lan
# Server: WLan Nutzer (DOMAIN)
# Search scope: sub
# Search filter: (objectClass=*)
# Number of entries: 15
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on August 6, 2014 6:33 pm
# Version: 1.2.3

version: 1

# Entry 1: dc=ldap,dc=DOMAIN,dc=lan
dn: dc=ldap,dc=DOMAIN,dc=lan
dc: ldap
objectclass: domain

# Entry 2: cn=groups,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=groups,dc=ldap,dc=DOMAIN,dc=lan
cn: groups
objectclass: organizationalRole

# Entry 3: cn=administrators,cn=groups,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=administrators,cn=groups,dc=ldap,dc=DOMAIN,dc=lan
cn: administrators
description: Diskstation default admin group
displayname: administrators
gidnumber: 1000002
memberuid: admin
objectclass: top
objectclass: posixGroup
objectclass: extensibleObject
objectclass: apple-group
objectclass: sambaGroupMapping
objectclass: sambaIdmapEntry
sambagrouptype: 2
sambasid: S-1-5-21-1561680604-4155178748-856318379-1002

# Entry 4: cn=blocked_user,cn=groups,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=blocked_user,cn=groups,dc=ldap,dc=DOMAIN,dc=lan
cn: blocked_user
description: Blockierte Benutzer des W-LAN
gidnumber: 501
objectclass: posixGroup
objectclass: top

# Entry 5: cn=Directory Operators,cn=groups,dc=ldap,dc=DOMAIN,dc=l...
dn: cn=Directory Operators,cn=groups,dc=ldap,dc=DOMAIN,dc=lan
cn: Directory Operators
description: Directory default admin group
displayname: Directory Operators
gidnumber: 1000000
memberuid: admin
objectclass: top
objectclass: posixGroup
objectclass: extensibleObject
objectclass: apple-group
objectclass: sambaGroupMapping
objectclass: sambaIdmapEntry
sambagrouptype: 2
sambasid: S-1-5-21-1561680604-4155178748-856318379-1001

# Entry 6: cn=users,cn=groups,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=users,cn=groups,dc=ldap,dc=DOMAIN,dc=lan
cn: users
description: Directory default group
displayname: users
gidnumber: 1000001
memberuid: admin
objectclass: top
objectclass: posixGroup
objectclass: extensibleObject
objectclass: apple-group
objectclass: sambaGroupMapping
objectclass: sambaIdmapEntry
sambagrouptype: 2
sambasid: S-1-5-21-1561680604-4155178748-856318379-1000

# Entry 7: cn=wlan_user,cn=groups,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=wlan_user,cn=groups,dc=ldap,dc=DOMAIN,dc=lan
cn: wlan_user
description: Benutzer des W-LAN
gidnumber: 500
memberuid:
objectclass: posixGroup
objectclass: top

# Entry 8: cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
cn: synoconf
objectclass: organizationalRole

# Entry 9: cn=CurID,cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=CurID,cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
cn: CurID
gidnumber: 1000003
objectclass: organizationalRole
objectclass: sambaUnixIdPool
uidnumber: 1000004

# Entry 10: cn=MaxID,cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=MaxID,cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
cn: MaxID
gidnumber: 2097151
objectclass: organizationalRole
objectclass: sambaUnixIdPool
uidnumber: 2097151

# Entry 11: cn=MaxNum,cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=MaxNum,cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
cn: MaxNum
gidnumber: 10000
objectclass: organizationalRole
objectclass: sambaUnixIdPool
uidnumber: 10000

# Entry 12: cn=MinID,cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=MinID,cn=synoconf,dc=ldap,dc=DOMAIN,dc=lan
cn: MinID
gidnumber: 1000000
objectclass: organizationalRole
objectclass: sambaUnixIdPool
uidnumber: 1000000

# Entry 13: cn=users,dc=ldap,dc=DOMAIN,dc=lan
dn: cn=users,dc=ldap,dc=DOMAIN,dc=lan
cn: users
objectclass: organizationalRole

# Entry 14: uid=admin,cn=users,dc=ldap,dc=DOMAIN,dc=lan
dn: uid=admin,cn=users,dc=ldap,dc=DOMAIN,dc=lan
authauthority: ;basic;
cn: admin
displayname: admin
gecos: Directory/Diskstation default admin user
gidnumber: 1000001
homedirectory: /home/admin
loginshell: /bin/sh
objectclass: top
objectclass: posixAccount
objectclass: shadowAccount
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: apple-user
objectclass: sambaSamAccount
objectclass: sambaIdmapEntry
objectclass: extensibleObject
sambaacctflags: [U ]
sambalmpassword: 0059CFD0C74DDF8125AD3B83FA6627
sambantpassword: E94F61D7A96DA1A9C44D653A22AC0E
sambapasswordhistory: 0000000000000000000000000000000000000000000000000000000000000000
sambapwdlastset: 1407190902
sambasid: S-1-5-21-1561680604-4155178748-856318379-10
shadowexpire: -1
shadowflag: 0
shadowinactive: 0
shadowlastchange: 16286
shadowmax: 99999
shadowmin: 0
shadowwarning: 7
sn: admin
uid: admin
uidnumber: 1000000
userpassword: {CRYPT}$1$XU$SW4oEGAhLZJ6pqhGThXb

# Entry 15: sambaDomainName=ldap,dc=ldap,dc=DOMAIN,dc=lan
dn: sambaDomainName=ldap,dc=ldap,dc=DOMAIN,dc=lan
objectclass: sambaDomain
sambaalgorithmicridbase: 1000
sambadomainname: ldap
sambaforcelogoff: -1
sambalockoutduration: 30
sambalockoutobservationwindow: 30
sambalockoutthreshold: 0
sambalogontochgpwd: 0
sambamaxpwdage: -1
sambaminpwdage: 0
sambaminpwdlength: 1
sambanextuserrid: 1007
sambapwdhistorylength: 0
sambarefusemachinepwdchange: 0
sambasid: S-1-5-21-1561680604-4155178748-8563183

holthau...@googlemail.com

Aug 17, 2014, 3:04:17 AM
to pwm-g...@googlegroups.com
After stumbling around a bit I think there are three ways to get this issue to work.

1. Anybody feels free to write a webapp for Synology stations where PHP, for example, will be able to execute shell commands to tell the rest of the DiskStation there is a new sambaSID and sambaNTpassword (anybody knows where the "create script" from Directory Server is located?)

2. Anybody writes a Java plugin for PWM which is able to ask the DiskStation for the next sambaSID and hashes the sambaNTpassword in the creation process so the user will be created correctly.

3. Maybe Synology itself makes an option for the RADIUS app available to tell RADIUS just to take the uid attribute and password attribute for authenticating users and ignore the samba attributes... (or does anybody know where the config file for this is located on the DS?)
