LDAP group rights are not working

Questions about using Windows AD service.
Post Reply
maier-tech
New here
Posts: 5
Joined: Tue Jun 09, 2009 6:01 pm

LDAP group rights are not working

Post by maier-tech »

Hallo all,
now I'm struggling with a very strange problem. I connected my QNAP TS121 with my PDC (ClearOS 5.2). It is running, and I see all LDAP users and groups. I can also assign the users or groups to the shares. When I then want to get access to a share it works perfect, If used user, but it doesn't work if I use LDAP groups for autentication. Is there a trick ?

I'm using TS121 with firmware 4.10, the network connection works properly and the LDAP is also announced working properly (otherwise I would not see the LDAP groups and users).

Kind greez :)
ChrisK1
First post
Posts: 1
Joined: Fri Mar 27, 2015 5:01 pm

Re: LDAP group rights are not working

Post by ChrisK1 »

The same problem here with FW 4.1.2. on TS-ES1680U
No matter if I use an external LDAP-server or the inbuild one, sharing folders with domain-groups does not work.
If some qnap developer is reading this here, can you please check this? This is a real showstopper for us here.
TIA!
Chris
User avatar
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: LDAP group rights are not working

Post by schumaku »

Community forum here - get in contact with QNAP Customer Service -> http://helpdesk.qnap.com/ please.
mta33
First post
Posts: 1
Joined: Wed Aug 12, 2015 5:44 am

Re: LDAP group rights are not working

Post by mta33 »

I know it is an old post but I ran in the same problem recently (QTS 4.2)

LDAP group seems to don't have effect on share folder permissions (I use advanced share folder permission with ldap user and ldap gorup).

I found the solution by retrieving the user from Share Folder permission.

It seems that Qnap system first check user permission and if the user is not found in the list, the user Group permission is then checked.
If user is define with "Deny", the system stop there and don't check Ldap Group Permission.
kconti
First post
Posts: 1
Joined: Tue May 17, 2016 2:12 am

Re: LDAP group rights are not working

Post by kconti »

Hello,

I'm still looking for a good solution to this problem. I am also on QTS 4.2 and checking each user individually for permissions is NOT a good solution.

Steps to reproduce:

Go to "Shared Folders" -> find share you want to add permissions to -> "Edit Share Folder Permissions" -> Select Permission type "Users and groups permission" -> "Add" -> "Domain Groups" -> Find group and select "RW" checkbox.

In theory, you should then be able to go to that user in the system and look at their shared folder permissions and everything should be all set. The problem is, even though that user now has the label next to him/her "Read/Write" (under column "Preview"), the checkbox for "RW" is unchecked still, and the users do not have access until I manually click that check box next to every user...which makes setting up a group pointless to begin with.

Please help with a good solution - thank you.
User avatar
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: LDAP group rights are not working

Post by schumaku »

kconti wrote:In theory, you should then be able to go to that user in the system and look at their shared folder permissions and everything should be all set. The problem is, even though that user now has the label next to him/her "Read/Write" (under column "Preview"), the checkbox for "RW" is unchecked still, and the users do not have access until I manually click that check box next to every user...which makes setting up a group pointless to begin with.
Agree with your theory. This reads to me like the groups are not looked-up - or the users group membership can't be looked-up from the directory. However, I can't get rid of the impression that your NAS set-up is incomplete and broken as per your report in another thread.
mta33 wrote:If user is define with "Deny", the system stop there and don't check Ldap Group Permission.
Definitively nothing wrong with that: Deny is deny ... and this is handled first. And "deny" does massively differ from "no access"
mta33 wrote:I found the solution by retrieving the user from Share Folder permission.
Removing (I guess) ... yes, either remove the user from the list, or don't tick anything ... both does lead to a "no access" by username.
bo@tman
New here
Posts: 4
Joined: Fri Jul 08, 2016 4:29 am

Re: LDAP group rights are not working

Post by bo@tman »

Hi,

I stumbled upon this post while trying to figure out the same issue on my QNAP box.

I found that the issue actually was that the group I was using was an AD Distribution Group. The solution was to use a Security Group. Once I switched to a using Security Group, users could access the folder.

I hope that this maybe helps someone else out.

I am currently running firmware version 4.2.0 Build 20160311
Post Reply

Return to “Windows Domain & Active Directory”