[Solved][Synology Directory Server]
Hey all -
Is someone able to post their docker-compose with a Synology LDAP connection?
I tried to figure out why Homarr doesn't want to connect, but I have no idea.
My Stuff:
Synology box running Synology Active Directory.
Homarr latest version on Docker.
environment:
  AUTH_PROVIDER: ldap,credentials
  AUTH_LDAP_URI: ldap://domainip:389
  AUTH_LDAP_BASE: dc=domain,dc=local #Same as LLDAP_LDAP_BASE_DN
  AUTH_LDAP_BIND_DN: cn=admin,dc=domain,dc=local
  AUTH_LDAP_BIND_PASSWORD: adminpass #Same as LLDAP_LDAP_USER_PASS
  AUTH_LDAP_SEARCH_SCOPE: sub
  AUTH_LDAP_USERNAME_ATTRIBUTE: uid
But it doesn't want to connect. So if someone has working compose settings, whatever they are, to connect to a Synology server,
it will help a lot.
Thank you for submitting a support request.
Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
Please provide your logs
@Tag thanks for your attention. I can't provide any logs because they are all empty:
Exporting hostname...
Migrating database...
yarn run v1.22.19
$ ts-node ./migrate.ts
Done in 3.41s.
Starting production server...
Listening on port 7575 url: http://XXXXXXXX:7575
user Administrator is trying to log in using LDAP. Connecting to LDAP server...
ERROR Invalid username or password
ℹ Local icons repository directory exists and contains 0 icons
ℹ Saving updated configuration of 'Mitarbeiter' config.
ℹ Saving updated configuration of 'Kunden' config.
Error at the first stage; this means that 3 things can be wrong:
URI, BIND_DN and/or BIND_PASSWORD. The bind DN must be for an existing admin user with some level of LDAP management permissions, and the bind password must be the password for that admin account.
Also make sure that Homarr has access to the LDAP server. If they are not on the same bridge or host networking, they might not be able to see each other.
Thanks, but I'm using all the settings and passwords from other dashboards or ecoDMS or some other tools that connect to LDAP. External also doesn't work.
You're using LLDAP? Not sure how you got it working using that base DN, but the way we recommend in the docs goes like this:
Make sure you replace admin with whatever user you're trying to use as admin that is linked to the password you've entered.
The example and the whole development process of the LDAP integration used LLDAP to begin with, so it's pretty safe to use the example to the letter.
(Seeing how your config does look very similar to the example though, I do assume you would have changed the appropriate parameters but might have missed a little thing, like using "uid" instead of "cn". Not sure ou=People matters a lot, but better leave it in there.)
By the way, I can already tell that your user search might fail; don't modify the scope. The default is already tailored for LLDAP.
I'm just using the Active Directory controller from the Synology system.
I'm using the same settings as for my other AD DC applications.
It looks similar to the example; I also tried other settings.
Domain | Synology Directory Server - Synology Knowledge Center
Well, what I first said still stands. One of the 3 elements is incorrect: BIND_DN, BIND_PASSWORD or URI.
URI: link to your LDAP server prepended by "ldap://" (adding the port "389" might not even be needed as the protocol already takes care of that as the default; only a different port requires it, but for testing it's preferable to keep it).
BIND_DN: Can depend slightly on your setup, but it usually goes like this
cn=admin,dc=example,dc=com
where admin is basically the user you would use to manage your LDAP server, very top level. It's needed to query the LDAP server for the existence of the user that is trying to log in. "example" and "com" should be replaced by your own domain and TLD, but might vary depending on the structure.
Don't leave it as is in the env var.
BIND_PASSWORD: The password for the admin account mentioned in the BIND_DN.
If the 3 are correct and you are really adamant that they are, then the only thing left is that Homarr cannot establish a connection with the server to begin with, and you should check your network settings.
I'll take a look at the docs you sent to see if I see anything special about the setup. In the meanwhile, try retyping the 3 vars manually yet again. I know it seems like madness, but it happened so many times before that there's just that one almost invisible char that is wrong.
Is this applicable to your case? https://kb.synology.com/en-br/DSM/help/DirectoryServer/ldap_server?version=7
Your link doesn't seem to provide any LDAP information at first glance, but there's this dedicated LDAP page right here that gives all the proper information:
Set Up LDAP Server | LDAP Server - Synology Knowledge Center
Hey there. I'm running a Directory Server:
Synology Directory Server - Synology Knowledge Center
So I also tested whether the Homarr docker container can connect to the DC; over the shell I am able to. But no settings in the env work to connect to the DC.
version: "3.9"
services:
  homarr:
    container_name: Homarr
    image: ghcr.io/ajnart/homarr:latest
    mem_limit: 4g
    cpu_shares: 768
    security_opt:
      - no-new-privileges:true
    restart: on-failure:5
    ports:
      - 4755:7575
    volumes:
      - /volume1/docker/homarr:/app/data/configs:rw
      - /volume1/docker/homarr/data:/data:rw
      - /volume1/docker/homarr/icons:/app/public/icons:rw
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      AUTH_PROVIDER: ldap,credentials
      AUTH_LDAP_URI: ldap://192.168.200.3:389
      AUTH_LDAP_BASE: "dc=HERE,dc=local"
      AUTH_LDAP_BIND_DN: "CN=Administrator,CN=Users,dc=HERE,dc=local"
      AUTH_LDAP_BIND_PASSWORD: "SUPERSECRET"
      AUTH_LDAP_USERNAME_ATTRIBUTE: "sAMAccountName"
      AUTH_LDAP_USER_MAIL_ATTRIBUTE: "sAMAccountName"
      AUTH_LDAP_GROUP_CLASS: "group"
      AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: "member"
      AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: "dn"
      AUTH_LDAP_ADMIN_GROUP: "Administrators"
      AUTH_LDAP_OWNER_GROUP: "Administrators"
      AUTH_LDAP_SEARCH_SCOPE: "sub"
      AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: "(sAMAccountType=805306368)"
      TZ: Europe/Berlin
      # enable debug logs
      DEBUG: "true"
So that's my config. It doesn't work, even though I have set up other docker containers with the same Active Directory and all of them work. But Homarr doesn't work, whatever I try, whatever I set up. No reaction. I have installed ldapsearch on the container to test whether I can connect over the shell. Yeah, it works. But over ENV, nothing. The bad part is that Homarr doesn't report any kind of issue. My conclusion is that Homarr doesn't work with a DC. Please correct me with the right config if you think it works.
Hey, thanks for sending out more info. The thing is, it is sending the amount of info it should for the security it needs. I did give out the exact info of what the problem is, the step, and the affected values.
May I ask, do you use non-UTF-8 chars in the password? "öäüéàèß" or others? We had a problem recently with that on the username and I had to make a special translation layer for it.
Yeah, also tried a simple user TESTADMIN / TESTPASSWORD; nothing changed.
It looks like Homarr doesn't want to connect to the Directory Server. But over a shell command it works: ldapsearch -H ldap://192.168.200.3:389 -D "[email protected]" -W -b "dc=HERE,dc=local" - I receive the whole domain information.
Could you try a search using the bind_DN instead?
AUTH_LDAP_BIND_DN: "[email protected]" - you mean that part?
This
try that in ldapsearch
Yeah, both ways over the shell work.
It must be something with the Homarr config. But without a debug mode in Homarr or a full log file, I don't know what to search for.
Look, this is the code.
It tries to log in the admin first using the bind_dn and the bind_password.
That's the first step and it's not getting past it.
For obvious security reasons, we can't log all the extra information in a production environment.
I can try to make you a test image with extra (unsecured) logging, but I won't have any more info than that to offer afterwards.
Alright, you can try "SeDemal/homarr:41" now.
It'll have more logs in the error message. Whatever you get there will be the last bit of info I'll be able to give you; there's quite literally no other way to get more than that.
Once you've found the issue, if you ever do, I strongly recommend going back to the normal version since the extra logs are not safe.
Hey, first I must thank you for spending time on this issue. That's pretty awesome. Thanks.
2. This is the log when I click on LDAP connect:
Listening on port 7575 url: http://TEGE01:7575
user is trying to log in using LDAP. Connecting to LDAP server...
Connection established. Searching User...
ERROR must either provide a buffer via raw or some value
at new EqualityFilter (node_modules/@ldapjs/filter/lib/filters/equality.js:44:15)
at parseExpr (node_modules/@ldapjs/filter/lib/string-parsing/parse-expression.js:52:14)
at parseFilter (node_modules/@ldapjs/filter/lib/string-parsing/parse-filter.js:78:14)
at parseFilter (node_modules/@ldapjs/filter/lib/string-parsing/parse-filter.js:49:15)
at Object.parseString (node_modules/@ldapjs/filter/lib/string-parsing/parse-string.js:29:18)
at Client.search (node_modules/ldapjs/lib/client/client.js:571:30)
at .next/server/chunks/7534.js:46:16
at new Promise (<anonymous>)
at ldapSearch (.next/server/chunks/7534.js:45:51)
at Object.authorize (.next/server/chunks/7534.js:98:37)
- So if your domain user has symbols like " !"§$%&/() " you receive the error: ERROR Invalid username or password. 49-InvalidCredentialsError:Invalid Credentials
Doesn't work: AUTH_LDAP_BIND_DN: "CN=Administrator,CN=Users,dc=HERE,dc=local" - you need to use AUTH_LDAP_BIND_DN: "[email protected]"
@Tag is there a permission interface for the dashboard, so that I can allow users to see the dashboard or not?
Wait, so you needed to set the bind DN to this Active Directory format? That worked?
Yeah, that's a limitation of LDAP's certification though, and it seems the dependency taking care of LDAP took that too seriously... (Active Directory isn't LDAP, so it kind of does as it wants, even if that goes outside LDAP's limitations. Making Windows AD work was a pain.)
I had to make a whole function to make accents work, so special characters don't surprise me much (although my accent function should make them work, so actually kind of surprising).
Only in the new version that is set to come out, V1. Auth is all new in Homarr and V1 really digs deep into permissions. You'll be able to set permissions per board and per integration.
version: "3.9"
services:
  homarr:
    network_mode: "host" #use it if you wanna have host ip.
    container_name: Homarr
    image: ghcr.io/ajnart/homarr:latest
    #image: ghcr.io/sedemal/homarr:41 #TESTING SYSTEM with better logs.
    mem_limit: 4g
    cpu_shares: 768
    security_opt:
      - no-new-privileges:true
    restart: on-failure:5
    ports:
      - 4755:7575
    volumes:
      - /volume1/docker/homarr:/app/data/configs:rw
      - /volume1/docker/homarr/data:/data:rw
      - /volume1/docker/homarr/icons:/app/public/icons:rw
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      AUTH_PROVIDER: ldap,credentials
      AUTH_LDAP_URI: ldap://DOMAINIP:389
      AUTH_LDAP_BASE: "dc=DOMAINNAME,dc=local"
      AUTH_LDAP_BIND_DN: "[email protected]"
      AUTH_LDAP_BIND_PASSWORD: "DOMAINPASSWORD"
      AUTH_LDAP_USERNAME_ATTRIBUTE: "sAMAccountName"
      #AUTH_LDAP_USER_MAIL_ATTRIBUTE: "MAIL"
      #AUTH_LDAP_GROUP_CLASS: "group"
      #AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: "member"
      #AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: "dn"
      #AUTH_LDAP_ADMIN_GROUP: "Administrators"
      #AUTH_LDAP_OWNER_GROUP: "Administrators"
      AUTH_LDAP_SEARCH_SCOPE: "sub"
      #AUTH_LDAP_ENCRYPTION: NO
      #AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: "(sAMAccountType=805306368)"
      TZ: Europe/Berlin
      # activate Debug-Logs
      #DEBUG: "true"
Solution
IMPORTANT
Password: Don't use special symbols in your password for the domain user
*Solution
DOESN'T WORK | AUTH_LDAP_BIND_DN: "CN=Administrator,CN=Users,dc=HERE,dc=local"
WORKS | AUTH_LDAP_BIND_DN: "[email protected]"
NEEDED | AUTH_LDAP_SEARCH_SCOPE: "sub" to search any user
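The three values the replies above say fail first (URI, bind DN, bind password) and the two findings in this solution (bind DN form, symbols in the password) can be checked offline before the container is started. The following Python is an added example, not Homarr's code and not from anyone in this thread. It assumes Homarr builds its user search as (&(<username attribute>=<user>)<AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG>); the sample environment values are constructed. The password check looks at what docker compose and YAML do to a value before Homarr sees it: a single "$" in a compose file is variable interpolation (a literal needs "$$"), and a backslash inside a double-quoted YAML string is an escape, which is one way a password full of symbols can reach the container changed while the same password typed into ldapsearch in a shell works. The filter builder escapes the username per RFC 4515 so a name containing "*" or ")" can neither break the parser nor widen the search.

```python
"""Offline pre-flight check for AUTH_LDAP_* values handed to Homarr (added example)."""
import re
from urllib.parse import urlsplit

# A single "$" in a compose file value is variable interpolation; a literal
# dollar sign has to be written as "$$".
SINGLE_DOLLAR = re.compile(r"(?<!\$)\$(?!\$)")

# RFC 4515 escapes for assertion values inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Either an LDAP DN ("CN=Administrator,CN=Users,DC=HERE,DC=local") or the
# user@domain (UPN) form that Active Directory accepts for a simple bind.
_DN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")
_UPN = re.compile(r"^[^@\s,=]+@[^@\s]+\.[^@\s]+$")


def escape_filter_value(value):
    """Escape a value for use inside a filter assertion (RFC 4515, section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def check_uri(uri):
    """Return (effective port, list of problems) for AUTH_LDAP_URI."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        problems.append("no host in URI")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return port, problems


def bind_dn_form(bind_dn):
    """Classify AUTH_LDAP_BIND_DN as 'dn', 'upn' or 'invalid'."""
    if _UPN.match(bind_dn):
        return "upn"
    if _DN.match(bind_dn.replace(", ", ",")):
        return "dn"
    return "invalid"


def check_secret_quoting(value):
    """Flag characters that compose or YAML rewrite before the value reaches the container."""
    problems = []
    if SINGLE_DOLLAR.search(value):
        problems.append("single '$' is compose interpolation; write '$$' in the compose file")
    if "\\" in value:
        problems.append("backslash is an escape inside a YAML double-quoted string; use single quotes")
    if value != value.strip():
        problems.append("leading or trailing whitespace is sent as part of the password")
    return problems


def build_user_filter(username_attr, username, extra_arg=""):
    """Filter the settings imply (assumed shape): (&(<attr>=<escaped user>)<extra_arg>)."""
    clause = f"({username_attr}={escape_filter_value(username)})"
    return f"(&{clause}{extra_arg})" if extra_arg else clause


def preflight(env):
    """Run every check over a dict of AUTH_LDAP_* values; returns findings per key."""
    port, uri_problems = check_uri(env.get("AUTH_LDAP_URI", ""))
    return {
        "port": port,
        "AUTH_LDAP_URI": uri_problems,
        "AUTH_LDAP_BIND_DN": bind_dn_form(env.get("AUTH_LDAP_BIND_DN", "")),
        "AUTH_LDAP_BIND_PASSWORD": check_secret_quoting(env.get("AUTH_LDAP_BIND_PASSWORD", "")),
        "AUTH_LDAP_SEARCH_SCOPE_is_sub": env.get("AUTH_LDAP_SEARCH_SCOPE", "") == "sub",
    }


# Constructed sample mirroring the thread's final config. The UPN and the
# password are made up; the password uses the kind of symbols reported as failing.
SAMPLE_ENV = {
    "AUTH_LDAP_URI": "ldap://192.168.200.3:389",
    "AUTH_LDAP_BASE": "dc=HERE,dc=local",
    "AUTH_LDAP_BIND_DN": "administrator@HERE.local",
    "AUTH_LDAP_BIND_PASSWORD": "Xx(-*X$^^/Xx",
    "AUTH_LDAP_USERNAME_ATTRIBUTE": "sAMAccountName",
    "AUTH_LDAP_SEARCH_SCOPE": "sub",
}

if __name__ == "__main__":
    for key, finding in preflight(SAMPLE_ENV).items():
        print(f"{key}: {finding}")
    print(build_user_filter("sAMAccountName", "Administrator", "(sAMAccountType=805306368)"))
```

Running it against the constructed values reports the bind DN as UPN form, the port as 389, and flags the "$" in the password; a password that fails this check is worth retyping with the suggested escaping before concluding that the directory itself rejects it.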
@Tag the " is missing in your example on https://homarr.dev/docs/advanced/sso/
🙋 Single Sign On | Homarr documentation
Yeah, that, and don't have special symbols in the administrator password. Over the shell there is no issue with that, but over Homarr it causes issues.
Is there an option to test it, or is it possible to get a pre-release?
All in all, Tag - respect for your time, work and support. Lovely to see people doing that. You can definitely be proud of yourself. Again many thanks for helping me. We figured it out - the directory is connecting and working. Now only the permission system for boards is missing 🙂
join the insiders and early adopters
That's still weird though; I personally have special chars in my own password and it still works. Not sure what that's about.
Thanks for pointing it out. I'll also add a note about the bind possibly having to be formatted as you've shown.
These are the symbols that I used " XXXX(-*X$^^/XXXX " and it doesn't work.
Where can I find more information?
And where is the donate button for thanking you for your help?
You can first get the insider role in #✨・roles
You'll then have access to the insider channel where you can read a bit on early adoption.
You can find it on the github page or at the bottom center of the http://homarr.dev docs page.
Here's the link: https://opencollective.com/homarr
The Swiss 🙂 Thanks
Yeah 🙂
Thank you for the support ^^
Hey, since you wanted to try out V1, could you test out LDAP with special chars? We're using a different dependency and it might be better for that kind of stuff.
@Tag sure. Let me check the LDAP section.
By the way: admin rights disappear after giving them to an LDAP user. This means that no LDAP user can obtain admin rights.
This error is present in the LIVE version.
Have you set the group env vars properly?
#AUTH_LDAP_ADMIN_GROUP: "Administrators"
#AUTH_LDAP_OWNER_GROUP: "Administrators" - you mean that these need to be activated?
Yeah, and the group needs to correspond to an admin group.
Works. #AUTH_LDAP_GROUP_CLASS: "group"
#AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: "member" needs to be activated to get the right admin role.
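The last exchange is about which group variables have to be uncommented for an LDAP user to keep an admin role. The following Python is an added example, not Homarr's code, showing what those four variables mean when they are all set: it resolves the groups a user belongs to from a few constructed AD-style entries, the offline equivalent of searching (&(objectClass=<AUTH_LDAP_GROUP_CLASS>)(<AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE>=<user's AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE>)) under the base DN, and then compares the group names with AUTH_LDAP_ADMIN_GROUP and AUTH_LDAP_OWNER_GROUP. The entries, the user, and the owner-over-admin precedence are assumptions; DN comparison is done case-insensitively because member values rarely match the casing of the user's own DN exactly.

```python
"""Map an LDAP user's group membership to a dashboard role (added example, not Homarr's code)."""

# Constructed sample entries, AD style, with only the attributes the check needs.
# The user DN below deliberately differs in casing from the member value that
# lists it, because that is how directory servers commonly return them.
USER = {"dn": "CN=Max Muster,CN=Users,DC=HERE,DC=local", "sAMAccountName": "max"}
ADMIN = {"dn": "CN=Administrator,CN=Users,DC=HERE,DC=local", "sAMAccountName": "Administrator"}
ENTRIES = [
    {"dn": "CN=Administrators,CN=Builtin,DC=HERE,DC=local", "objectClass": ["top", "group"],
     "cn": "Administrators", "member": [ADMIN["dn"]]},
    {"dn": "CN=Mitarbeiter,CN=Users,DC=HERE,DC=local", "objectClass": ["top", "group"],
     "cn": "Mitarbeiter", "member": ["cn=max muster,cn=users,dc=here,dc=local", ADMIN["dn"]]},
    # Not a group: same attribute shape but the wrong objectClass, so it must be ignored.
    {"dn": "CN=Kiosk,CN=Users,DC=HERE,DC=local", "objectClass": ["top", "computer"],
     "cn": "Kiosk", "member": [USER["dn"]]},
]


def _norm_dn(dn):
    """DN matching ignores case and whitespace around the comma separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_of(entries, user, group_class="group", member_attr="member", member_user_attr="dn"):
    """Names of groups whose <member_attr> lists the user's <member_user_attr> value."""
    wanted = user[member_user_attr]
    if member_user_attr == "dn":
        wanted = _norm_dn(wanted)
    found = []
    for entry in entries:
        if group_class not in entry.get("objectClass", []):
            continue  # AUTH_LDAP_GROUP_CLASS did not match
        members = entry.get(member_attr, [])
        if member_user_attr == "dn":
            members = [_norm_dn(m) for m in members]
        if wanted in members:
            found.append(entry["cn"])
    return found


def resolve_role(group_names, admin_group, owner_group):
    """Assumed precedence: owner over admin over plain user."""
    if owner_group in group_names:
        return "owner"
    if admin_group in group_names:
        return "admin"
    return "user"


if __name__ == "__main__":
    for person in (USER, ADMIN):
        names = groups_of(ENTRIES, person)
        print(person["sAMAccountName"], names, resolve_role(names, "Administrators", "Administrators"))
```

With the thread's values (both ADMIN_GROUP and OWNER_GROUP set to "Administrators"), the constructed "max" resolves to a plain user and "Administrator" to owner; leaving the group class or member attribute unset means the membership search never runs and every LDAP user falls back to the plain role, which is the symptom described above.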