--- title: QNAP NAS --- ## What is QNAP NAS From :::note QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications. ::: Connecting a QNAP NAS to an LDAP Directory is a little bit special as it is **not** (well) documented what really is done behind the scenes of QNAP. ## Preperation The following placeholders will be used: - `ldap.baseDN` is the Base DN you configure in the LDAP provider. - `ldap.domain` is (typically) a FQDN for your domain. Usually it is just the components of your base DN. For example, if `ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain might be `ldap.goauthentik.io`. - `ldap.searchGroup` is the "Search Group" that can can see all users and groups in authentik. - `qnap.serviceAccount` is a service account created in authentik - `qnap.serviceAccountToken` is the service account token generated by authentik. Create an LDAP Provider if you don't already have one setup. This guide assumes you will be running with TLS. See the [ldap provider docs](../../../docs/providers/ldap) for setting up SSL on the authentik side. Remember the `ldap.baseDN` you have configured for the provider as you'll need it in the sssd configuration. Create a new service account for all of your hosts to use to connect to LDAP and perform searches. Make sure this service account is added to `ldap.searchGroup`. :::caution It seems that QNAP LDAP client configuration has issues with too long password. Max password length <= 66 characters. ::: ## Deployment Create an outpost deployment for the provider you've created above, as described [here](../../../docs/outposts/). Deploy this Outpost either on the same host or a different host that your QNAP NAS can access. The outpost will connect to authentik and configure itself. ## NAS Configuration The procedure is a two step setup: 1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password. 2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost. :::note The config edit is essential, as QNAP relies on certain not configurable things. The search for users and groups relies on a fix filter for `objectClass` in `posixAccount` or `posixGroup` classes. Also by default the search scope is set to `one` (`singleLevel`), which can be adapted in the config to `sub` (`wholeSubtree`). ### Sample LDAP request from QNAP Default search for users ```text Scope: 1 (singleLevel) Deref Aliases: 0 (neverDerefAliases) Size Limit: 0 Time Limit: 0 Types Only: false Filter: (objectClass=posixAccount) Attributes: uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass ``` Default search for groups ```text Scope: 1 (singleLevel) Deref Aliases: 0 (neverDerefAliases) Size Limit: 0 Time Limit: 0 Types Only: false Filter: (objectClass=posixGroup) Attributes: cn userPassword memberUid gidNumber ``` ::: ### QNAP Web UI Configure the following values and "Apply" ![qnap domain security](./qnap-ldap-configuration.png) :::caution With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values. ::: :::note The UI Configuration is necessary, as it will save the Password encrypted in `/etc/config/nss_ldap.ensecret`. ::: ### SSH Connect your QNAP NAS via SSH. First stop the LDAP Service: ```bash /sbin/setcfg LDAP Enable FALSE /etc/init.d/ldap.sh stop ``` Edit the file at `/etc/config/nss_ldap.conf`: ```conf host ${ldap.domain} base ${ldap.baseDN} uri ldaps://${ldap.domain}/ ssl on rootbinddn cn=${qnap.serviceAccount},ou=users,${ldap.baseDN} nss_schema rfc2307bis # remap object classes to authentik ones nss_map_objectclass posixAccount user nss_map_objectclass shadowAccount user nss_map_objectclass posixGroup group # remap attributes # uid to cn is essential otherwise only id usernames will occur nss_map_attribute uid cn # map displayName information into comments field nss_map_attribute gecos displayName # see https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames nss_map_attribute uniqueMember member # configure scope per search filter nss_base_passwd ou=users,${ldap.baseDN}?one nss_base_shadow ou=users,${ldap.baseDN}?one nss_base_group ou=groups,${ldap.baseDN}?one tls_checkpeer no referrals no bind_policy soft timelimit 120 tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5 nss_initgroups_ignoreusers admin,akadmin ``` Now start the LDAP Service: ```bash /sbin/setcfg LDAP Enable TRUE /etc/init.d/ldap.sh start ``` To see if connection is working, type ```bash # list users $ getent passwd ``` The output should list local users and authentik accounts. ```bash # list groups $ getent group ``` The output should list local and authentik groups.