Introduction

I have two Synology boxes, each located in one of the two cities where I spend most of my time — Sydney and Melbourne.

Like any good system administrator:

  1. My ports are closed off for access, except VPN access. Therefore, I maintain a VPN server at each point of presence (PoP).
  2. I insist on encrypted communications between all of my services; in this case, TLS.
  3. I’d like to use a centralised store of identity to manage services; in this case, LDAP.

This seemed to work fine, but broke in the past few months, meaning that one Synology box (the client) couldn’t get the identities from the LDAP server running on the other. Here’s how I got Synology VPN Server authenticating against a remote LDAP host over TLS (LDAPS).

Certificates

I run my own Certificate Authority, so I have a root certificate and use that to sign certificates. Jamie Nguyen has a great guide to get started if you’re new to this.

Other prerequisites are:

  1. Root access to the client box
  2. Synology LDAP server installed on one machine

Source material (giants on whose shoulders I stood)

In my searching I found the following resources useful:

Procedure

  1. Set an SSL certificate for LDAP Server in Control panel -> Security -> Certificate -> Configure
  2. Enable “Force clients to use encrypted connections” in LDAP Server -> Settings -> Connection Settings
  3. SSH as root into the client box
  4. Stop apparmor: /usr/syno/etc.defaults/rc.sysv/apparmor.sh stop

  5. Add your certificate to the root store
     # Copy to the default folder for CA root certs on DSM
     cp my_root_ca.crt /usr/share/ca-certificates/mozilla/
    
     # Link it into the system OpenSSL store
     ln -s /usr/share/ca-certificates/mozilla/my_root_ca.crt /etc/ssl/certs/my_root_ca.pem
    
     # Create the hashed link OpenSSL uses to find the CA by subject hash (.0 = first cert with this hash)
     cd /etc/ssl/certs
     ln -s my_root_ca.pem `openssl x509 -hash -noout -in my_root_ca.pem`.0
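
     As an added example (not the post's own commands), the following script wraps step 5 with the checks worth having before trusting a certificate system-wide: it refuses anything that is not a CA certificate, picks the next free hash suffix so a second CA sharing the same subject hash does not clobber an existing .0 link, and then confirms the LDAPS listener's chain verifies against the updated store. Paths follow the post's DSM layout; the script name and LDAP hostname are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Paths follow the post's DSM layout;
# override CA_DIR / SSL_CERTS to exercise it elsewhere.
CA_DIR="${CA_DIR:-/usr/share/ca-certificates/mozilla}"
SSL_CERTS="${SSL_CERTS:-/etc/ssl/certs}"

# Print the first unused "<hash>.N" filename in a directory. OpenSSL resolves a
# CA by subject hash and probes .0, .1, ... in turn, so a second CA with the same
# hash must get the next free suffix rather than overwrite the existing .0 link.
next_hash_slot() {
  dir="$1"; hash="$2"; n=0
  while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
    n=$((n + 1))
  done
  printf '%s.%s\n' "$hash" "$n"
}

# Only certificates carrying CA:TRUE belong in the trust store.
is_ca_cert() {
  openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# Step 5 of the post with the checks folded in; prints the hashed link it created.
install_root_ca() {
  crt="$1"; name=$(basename "$crt" .crt)
  is_ca_cert "$crt" || { echo "refusing: $crt is not a CA certificate" >&2; return 1; }
  cp "$crt" "$CA_DIR/$name.crt"
  ln -sf "$CA_DIR/$name.crt" "$SSL_CERTS/$name.pem"
  hash=$(openssl x509 -hash -noout -in "$crt")
  slot=$(next_hash_slot "$SSL_CERTS" "$hash")
  ln -s "$name.pem" "$SSL_CERTS/$slot"   # relative link, as in the post
  echo "$SSL_CERTS/$slot"
}

# Confirm the LDAPS listener's chain verifies against the store just updated.
verify_ldaps() {
  host="$1"; port="${2:-636}"
  openssl s_client -connect "$host:$port" -CApath "$SSL_CERTS" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage (hostname is a placeholder): sh install_ca.sh my_root_ca.crt ldap.example.internal
if [ "$#" -ge 2 ]; then
  install_root_ca "$1" && verify_ldaps "$2"
fi
```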
    

Additional troubleshooting

On the LDAP server, you may find running sudo tail -f /var/log/splapd.log useful. This prints all of the server's LDAP logs, including bind attempts, so it is best done in a non-production or low-traffic environment.