FreeIPA LDAP Groups Available Show No Users (and Users Can't Authenticate)

Shaav
Starting out
Posts: 10
Joined: Fri Oct 17, 2014 5:06 pm

Post by Shaav » Mon Dec 31, 2018 9:29 am

I have a QNAP-s879U-RP with running firmware 4.3.4.0569 (last available for this device I believe) that I want to connect to a FreeIPA server for user authentication.

The LDAP setup works perfectly and I can see all of my Domain Users/Groups. If I add Domain User permissions to a Shared Folder it works fine. However if I only add a Domain Group, members of that group cannot access the Shared Folder (testing using Filestation—the user can log into Filestation without difficulty, but they can see no shares). CORRECTION—FreeIPA creates private user-specific groups for each user (of the same name) and if I add one of those user groups rather than the user itself, that user has no problem accessing the share.

I believe that the QNAP is not pulling the users of the group properly because if I go to Privilege > User Groups, select a Domain Group and View Group Details, it does not show any group members (but if I select one of those private user-specific groups, it does show the user as a member).

Any thoughts?

The closest hint I could find as to what might be happening was in this post: https://confluence.atlassian.com/stashk ... 09328.html for a different product but with precisely this problem that says:
LDAP support falls into two flavours of directory schema. There's the RFC-2307 style, and the RFC-4519 style.
FreeIPA implements a RFC-4519 schema similar to OpenLDAP or Active Directory.
I'm wondering if that might be the cause. Anyone know what schema QNAP uses for LDAP?

Shaav

Re: FreeIPA LDAP Groups Available Show No Users (and Users Can't Authenticate)

Post by Shaav » Tue Jan 01, 2019 5:10 am

Figured out the solution myself!

FreeIPA keeps "compatibility" schemas in a different tree. So ordinarily users are in the following base DNs respectively:

cn=users,cn=accounts,dc=domain,dc=com
cn=groups,cn=accounts,dc=domain,dc=com

but QNAP needs them to be:

cn=users,cn=compat,dc=domain,dc=com
cn=groups,cn=compat,dc=domain,dc=com
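The two posts above boil down to a schema mismatch: a group under cn=groups,cn=accounts lists its members as DNs in a `member` attribute (groupOfNames, the RFC 4519 style the first post suspected), while the slapi-nis compat tree under cn=groups,cn=compat republishes the same group as a plain posixGroup with `memberUid` values (RFC 2307 style). A client that only understands `memberUid` therefore sees an empty group in the accounts tree and a populated one in the compat tree. The script below is an added example, not code from the thread or from QNAP or FreeIPA: it parses a constructed LDIF snapshot of both trees (real FreeIPA attribute and object class names, made-up user, group and domain names) and resolves membership both ways. It assumes that an RFC 2307 client also counts a user whose primary `gidNumber` matches the group's `gidNumber` as a member, which is standard NIS semantics and is one consistent explanation for why the user-private group in the first post did show its user; the thread itself does not say how the NAS resolves that case.

```python
"""Resolve FreeIPA group membership RFC 2307 style vs RFC 4519 style.

Added example for this thread; the LDIF below is constructed sample data
mimicking what an anonymous ldapsearch against FreeIPA returns for one user
("alice"), her private group, and one ordinary group ("storage") in both the
cn=accounts tree and the cn=compat tree. Names and numbers are invented.
"""

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
uid: alice
uidNumber: 10001
gidNumber: 10001

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: mepManagedEntry
cn: alice
gidNumber: 10001

dn: cn=storage,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: groupofnames
cn: storage
gidNumber: 10002
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=compat,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10001

dn: cn=storage,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
cn: storage
gidNumber: 10002
memberUid: alice
"""


def parse_ldif(text):
    """Parse simple (unwrapped, unencoded) LDIF into {dn: {attr: [values]}}.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive and FreeIPA mixes spellings across the two trees.
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = attrs
    return entries


def under(dn, base):
    """True if dn lies beneath base (case-insensitive suffix match)."""
    return dn.lower().endswith("," + base.lower())


def members_rfc2307(entries, group_dn, users_base):
    """RFC 2307 / NIS view: memberUid values plus users whose primary
    gidNumber equals the group's gidNumber (assumption: this is how a
    memberUid-only client such as the NAS in the thread resolves groups)."""
    group = entries[group_dn]
    names = set(group.get("memberuid", []))
    gid = group.get("gidnumber", [None])[0]
    for dn, attrs in entries.items():
        if under(dn, users_base) and attrs.get("gidnumber", [None])[0] == gid:
            names.update(attrs.get("uid", []))
    return sorted(names)


def members_rfc4519(entries, group_dn):
    """RFC 4519 / groupOfNames view: follow member DNs back to user entries."""
    group = entries[group_dn]
    names = set()
    for dn in group.get("member", []):
        user = entries.get(dn)
        if user:
            names.update(user.get("uid", []))
    return sorted(names)


def membership_report(entries, base_dn):
    """For each tree, show what each resolution style sees for 'storage'."""
    report = {}
    for tree in ("accounts", "compat"):
        group_dn = f"cn=storage,cn=groups,cn={tree},{base_dn}"
        users_base = f"cn=users,cn={tree},{base_dn}"
        report[tree] = {
            "rfc2307": members_rfc2307(entries, group_dn, users_base),
            "rfc4519": members_rfc4519(entries, group_dn),
        }
    return report


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    for tree, views in membership_report(data, "dc=example,dc=com").items():
        print(f"cn=groups,cn={tree}: {views}")
```

Pointing the NAS at the compat DNs, as the second post does, is what makes the `rfc2307` column non-empty for ordinary groups. Note that the compat tree is served by the slapi-nis plugin and can be disabled on the IPA side, so if it later stops returning entries, check that the plugin is still enabled before suspecting the client.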
