How to connect macOS to LDAP services by using an open directory utility for accessing files on QNAP NAS


Last modified date: 2020-03-12
QNAP

Introduction:

Lightweight Directory Access Protocol (LDAP) provides access to a directory that stores the information of all users and groups on a centralized server. Using LDAP, administrators can manage users in the LDAP directory, and users can connect to multiple NAS devices with the same username and password.

This tutorial explains how to set up macOS devices to connect to a QNAP NAS using LDAP accounts. The environment must have an LDAP server, and the QNAP NAS must be joined to the same LDAP server.

If you do not have a current LDAP server, you can use the built-in LDAP Server of a QNAP NAS.

Note:

  1. Your NAS must be joined to the LDAP directory.
  2. macOS X10.6 (or later) is recommended. This document uses X10.15.2 in its screenshots.

Topics:

  1. (Optional) Using the built-in LDAP service on QNAP NAS for user management
  2. Before joining macOS to the LDAP directory you must disable LDAP Server Authentication on the NAS
  3. Joining macOS to the LDAP directory

Optional: Using the built-in LDAP service on QNAP NAS for user management

QNAP NAS provides LDAP Server functionality, allowing you to consolidate your IT infrastructure. If you are using a dedicated LDAP server then this step is not required.

  1. Enabling the LDAP Server

    1. Log in to QTS as the administrator.
    2. Go to Control Panel > Applications > LDAP Server.
    3. Select Enable LDAP Server.
    4. Enter a Full domain name.
    5. Enter a password.
    6. Click Apply.
      The LDAP Server is now enabled and ready to use.

    Creating LDAP Users and Groups

    1. Go to the Users tab.
    2. Click Create a User, Create Multiple Users or Batch Import Users based on your requirements.
    3. Follow the wizard to create LDAP users.

    Joining the NAS to an LDAP Domain

    1. Go to the LDAP Server tab.
    2. Click Domain Security.
      Control Panel > Privilege > Domain Security opens.

    3. Select LDAP authentication.
    4. Set Select the type of LDAP server to LDAP server of local NAS.
    5. Click Apply.
      The NAS is now a client of the LDAP server.

    Checking LDAP domain users and their permissions

    1. Go to Privilege > Users.
    2. Select Domain Users.
    3. Click QNAP
    4. Adjust permission settings based on your requirements.
    5. Click Apply.

Before joining macOS to the LDAP directory you must disable LDAP Server Authentication on the NAS

From QTS version 4.3.3, the LDAP Server requires authentication. As macOS does not send any LDAP authentication, LDAP Server authentication must be disabled.

  1. Go to Control Panel > Network & File Services > Telnet/SSH.
  2. Select Allow SSH Connection.
  3. Connect to the NAS using an SSH client (such as PuTTY).
  4. Log in using the admin account.
  5. Run the following command to disable LDAP authentication: /sbin/setcfg "LDAP Server" "Require Authc" "FALSE"
  6. Run the following command to restart the LDAP server: /etc/init.d/ldap_server.sh restart
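
A way to confirm the setting after step 5, as an added example that is not part of the original QNAP article: the functions below read the "Require Authc" flag back from an INI-style settings file and classify it. It assumes setcfg stores entries as [Section] headers with Key = Value lines; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: read back the flag that step 5 sets.
# Assumption: the settings file is INI-style ("[Section]" / "Key = Value").

# read_cfg FILE SECTION KEY: print the value; exit status 1 if it is absent.
read_cfg() {
    awk -v want_sec="$2" -v want_key="$3" '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        /^[ \t]*\[/ {                      # section header: track scope
            sec = trim($0); sub(/^\[/, "", sec); sub(/\]$/, "", sec)
            in_sec = (sec == want_sec); next
        }
        in_sec {
            eq = index($0, "=")
            if (eq == 0) next
            if (trim(substr($0, 1, eq - 1)) == want_key) {
                print trim(substr($0, eq + 1)); found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# ldap_bind_policy FILE: classify the "Require Authc" value.
ldap_bind_policy() {
    val=$(read_cfg "$1" "LDAP Server" "Require Authc") || { echo "unset"; return 0; }
    case "$(printf '%s' "$val" | tr '[:lower:]' '[:upper:]')" in
        TRUE)  echo "authenticated-only" ;;
        FALSE) echo "anonymous-allowed" ;;
        *)     echo "unrecognized:$val" ;;
    esac
}

# Constructed sample, not taken from a real NAS. The same key under another
# section must not be matched.
sample_cfg() {
    cat <<'EOF'
[Other Service]
Require Authc = TRUE

[LDAP Server]
Example Key = 1
Require Authc = FALSE
EOF
}

# With a file argument, report on that file; otherwise do nothing.
if [ -n "${1:-}" ]; then ldap_bind_policy "$1"; fi
```

A result of anonymous-allowed means the LDAP server answers clients that have not authenticated, which is the state this section requires for macOS.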

Joining macOS to the LDAP directory

  1. Log in to macOS as the administrator.
  2. Go to System Preferences.
  3. Click Users & Groups.
  4. Click Login Options.
  5. Click Join….
    A server selection window opens.
  6. Enter the IP address of the LDAP server.
  7. Click OK.
  8. Select Allow network users to log in at login window.
  9. Click Edit….
    A server list window opens.
  10. Click Open Directory Utility.
    The Directory Utility window opens.
  11. Select LDAPv3.
  12. Click QNAP
  13. Select RFC2307 in LDAP Mappings.
    The Search Base Suffix window opens.
  14. Enter the base suffix of the LDAP server.
  15. Click OK.
  16. Click Edit.
    The server settings window opens.
  17. Go to the Security tab.
  18. Select Use authentication when connecting.
  19. Enter the Distinguished Name.
  20. Enter the Password.
  21. Click OK.
  22. Click OK.
  23. Restart the Mac.
  24. Go to the Directory Utility.
  25. Go to the Directory Editor.
    LDAP users can now be viewed under the LDAP server you just set up.

Enabling the home folder for LDAP users

  1. Open Users & Groups.
  2. Click Login Options.
  3. Click Edit….
  4. Click Open Directory Utility.
  5. Choose LDAPv3.
  6. Click QNAP.
  7. Select your LDAP server.
  8. Click Edit….
    The server settings window opens.
  9. Go to Search & Mappings.
  10. Select RFC2307 in Access this LDAPv3 server using.
    The Search Base Suffix window opens.
  11. Enter the base suffix of the LDAP server.
  12. Click OK.
    The Search Base Suffix window closes.
  13. Find Users > NFSHomeDirectory under Record Types and Attributes.
  14. Select #/Users/$uid$ under Map to any items in list.
  15. Click OK.
    The server settings window closes. The LDAP Mappings are now Custom.
  16. Click OK.
  17. Open the Directory Utility.
  18. Go to the Directory Editor.
    The home folders for users are listed under NFSHomeDirectory.

Accessing the NAS via AFP

Users can log into macOS devices using LDAP and mount their home folder (or another shared folder) via AFP.

  1. Log in to macOS.
  2. Go to Finder > Go > Connect to Server…
    The Connect to Server window opens.
  3. Enter afp://<YOUR NAS IP ADDRESS>.
  4. Click Connect.
    A login window opens.
  5. Select Registered User.
  6. Enter your QNAP NAS username.
  7. Enter your QNAP NAS password.
  8. Click Connect.
    A folder selection window opens.
  9. Select the home folder.
  10. Click OK.
    You can now access files stored on your home folder from Finder.
