You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
LDAP server: Synology Directory Server (Samba-based Active Directory)
Deployment: Docker on Synology NAS
Bug 1: Group filter breaks LDAP login
When setting "Limit synchronization to these groups" to Defguard (the CN of the AD group), login fails for users who are verified members of that group.
Without the group filter → login works fine with AD credentials.
With group filter Defguard → login fails with:
LDAP bind test for user CN=testuser,CN=Users,DC=lab,DC=local successful
User testuser is not in LDAP sync groups, not allowing to login through LDAP.
Verified via ldapsearch that the user is correctly listed as member:
And memberOf on the user object contains: memberOf: CN=Defguard,CN=Users,DC=lab,DC=local
Additionally the sync log shows Defguard parsing the group name incorrectly: filter = (&(objectClass=group)(cn=DC=local))
It searches for cn=DC=local instead of cn=Defguard, suggesting the group CN is being parsed incorrectly from the DN.
Question / UX issue: Enrollment requires setting a password for LDAP users
When starting the enrollment process for an LDAP-synced user, the enrollment wizard requires setting a new password.
After testing: login to the web UI works with both the enrollment password and the AD/LDAP password. So functionally it works, but the UX is confusing — it is unclear why an LDAP user needs to set a password during enrollment at all, since they already have AD credentials.
Is this by design? If so, what is the purpose of the enrollment password for LDAP users?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Environment:
Bug 1: Group filter breaks LDAP login
When setting "Limit synchronization to these groups" to Defguard (the CN of the AD group), login fails for users who are verified members of that group.
Without the group filter → login works fine with AD credentials.
With group filter Defguard → login fails with:
Verified via ldapsearch that the user is correctly listed as member:
And memberOf on the user object contains:
memberOf: CN=Defguard,CN=Users,DC=lab,DC=localAdditionally the sync log shows Defguard parsing the group name incorrectly:
filter = (&(objectClass=group)(cn=DC=local))It searches for cn=DC=local instead of cn=Defguard, suggesting the group CN is being parsed incorrectly from the DN.
Question / UX issue: Enrollment requires setting a password for LDAP users
When starting the enrollment process for an LDAP-synced user, the enrollment wizard requires setting a new password.
After testing: login to the web UI works with both the enrollment password and the AD/LDAP password. So functionally it works, but the UX is confusing — it is unclear why an LDAP user needs to set a password during enrollment at all, since they already have AD credentials.
Is this by design? If so, what is the purpose of the enrollment password for LDAP users?
Beta Was this translation helpful? Give feedback.
All reactions