Skip to main content

QNAP NAS

What is QNAP NAS

From https://en.wikipedia.org/wiki/QNAP_Systems

note

QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications.

Connecting a QNAP NAS to an LDAP Directory is a little bit special as it is not (well) documented what really is done behind the scenes of QNAP.

Preperation

The following placeholders will be used:

  • ldap.baseDN is the Base DN you configure in the LDAP provider.
  • ldap.domain is (typically) a FQDN for your domain. Usually it is just the components of your base DN. For example, if ldap.baseDN is dc=ldap,dc=goauthentik,dc=io then the domain might be ldap.goauthentik.io.
  • ldap.searchGroup is the "Search Group" that can can see all users and groups in authentik.
  • qnap.serviceAccount is a service account created in authentik
  • qnap.serviceAccountToken is the service account token generated by authentik.

Create an LDAP Provider if you don't already have one setup. This guide assumes you will be running with TLS. See the ldap provider docs for setting up SSL on the authentik side.

Remember the ldap.baseDN you have configured for the provider as you'll need it in the sssd configuration.

Create a new service account for all of your hosts to use to connect to LDAP and perform searches. Make sure this service account is added to ldap.searchGroup.

caution

It seems that QNAP LDAP client configuration has issues with too long password. Max password length <= 66 characters.

Deployment

Create an outpost deployment for the provider you've created above, as described here. Deploy this Outpost either on the same host or a different host that your QNAP NAS can access.

The outpost will connect to authentik and configure itself.

NAS Configuration

The procedure is a two step setup:

  1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password.
  2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost.
note

The config edit is essential, as QNAP relies on certain not configurable things. The search for users and groups relies on a fix filter for objectClass in posixAccount or posixGroup classes.

Also by default the search scope is set to one (singleLevel), which can be adapted in the config to sub (wholeSubtree).

Sample LDAP request from QNAP

Default search for users

Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixAccount)
Attributes:
uid
userPassword
uidNumber
gidNumber
cn
homeDirectory
loginShell
gecos
description
objectClass

Default search for groups

Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixGroup)
Attributes:
cn
userPassword
memberUid
gidNumber

QNAP Web UI

Configure the following values and "Apply" qnap domain security

caution

With each save (Apply) in the UI the /etc/config/nss_ldap.conf will be overwritten with default values.

note

The UI Configuration is necessary, as it will save the Password encrypted in /etc/config/nss_ldap.ensecret.

SSH

Connect your QNAP NAS via SSH. First stop the LDAP Service:

/sbin/setcfg LDAP Enable FALSE
/etc/init.d/ldap.sh stop

Edit the file at /etc/config/nss_ldap.conf:

host                        ${ldap.domain}
base ${ldap.baseDN}
uri ldaps://${ldap.domain}/
ssl on
rootbinddn cn=${qnap.serviceAccount},ou=users,${ldap.baseDN}
nss_schema rfc2307bis

# remap object classes to authentik ones
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group

# remap attributes
# uid to cn is essential otherwise only id usernames will occur
nss_map_attribute uid cn
# map displayName information into comments field
nss_map_attribute gecos displayName
# see https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames
nss_map_attribute uniqueMember member

# configure scope per search filter
nss_base_passwd ou=users,${ldap.baseDN}?one
nss_base_shadow ou=users,${ldap.baseDN}?one
nss_base_group ou=groups,${ldap.baseDN}?one

tls_checkpeer no
referrals no
bind_policy soft
timelimit 120
tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5
nss_initgroups_ignoreusers admin,akadmin

Now start the LDAP Service:

/sbin/setcfg LDAP Enable TRUE
/etc/init.d/ldap.sh start

To see if connection is working, type

# list users
$ getent passwd

The output should list local users and authentik accounts.

# list groups
$ getent group

The output should list local and authentik groups.