I have two Synology boxes, each located in one of the two cities where I spend most of my time — Sydney and Melbourne.
Like any good system administrator:
- My ports are closed off for access, except VPN access. Therefore, I maintain a VPN server at each point of presence (PoP).
- I insist on encrypted communications between all of my services; in this case, TLS.
- I’d like to use a centralised store of identity to manage services; in this case, LDAP.
This seemed to work fine, but broke in the past few months, meaning that one Synology box (the client) couldn’t get the identities from the LDAP server running on the other. Here’s how I got Synology VPN Server authenticating against a remote LDAP host over TLS (LDAPS).
Other prerequisites are:
- Root access to the client box
- Synology LDAP server installed on one machine
Source material (giants on whose shoulders I stood)
In my searching I found the following resources useful:
- Set an SSL certificate for LDAP Server in Control panel -> Security -> Certificate -> Configure
- Enable “Force clients to use encrypted connections” in LDAP Server -> Settings -> Connection Settings
- SSH as root into the client box
- Add your certificate to the root store
#Copy to the default folder for CA Root Certs of DSM cp my_root_ca.crt /usr/share/ca-certificates/mozilla/ #Linking to the system folder ln -s /usr/share/ca-certificates/mozilla/my_root_ca.crt /etc/ssl/certs/my_root_ca.pem #Create hashed link cd /etc/ssl/certs ln -s my_root_ca.pem `openssl x509 -hash -noout -in my_root_ca.pem`.0
On the LDAP server, you may find running
sudo tail -f /var/log/splapd.loguseful. This will print out all of the server’s LDAP logs, so best to do this in a non-production/low traffic environment.