--- title: Integrate with QNAP NAS sidebar_label: QNAP NAS --- ## What is QNAP NAS > QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications. > > -- https://en.wikipedia.org/wiki/QNAP_Systems Connecting a QNAP NAS to an LDAP Directory is a little bit special as it is **not** (well) documented what really is done behind the scenes of QNAP. ## Preparation The following placeholders are used in this guide: - `ldap.baseDN` is the Base DN you configure in the LDAP provider. - `ldap.domain` is (typically) a FQDN for your domain. Usually it is just the components of your base DN. For example, if `ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain might be `ldap.goauthentik.io`. - `ldap.searchGroup` is the "Search Group" that can can see all users and groups in authentik. - `qnap.serviceAccount` is a service account created in authentik - `qnap.serviceAccountToken` is the service account token generated by authentik. :::note This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: Create an LDAP Provider if you don't already have one setup. This guide assumes you will be running with TLS. See the [ldap provider docs](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap) for setting up SSL on the authentik side. Remember the `ldap.baseDN` you have configured for the provider as you'll need it in the sssd configuration. Create a new service account for all of your hosts to use to connect to LDAP and perform searches. Make sure this service account is added to `ldap.searchGroup`. :::caution It seems that QNAP LDAP client configuration has issues with too long password. Max password length \<= 66 characters. ::: ## Deployment Create an outpost deployment for the provider you've created above, as described [here](https://docs.goauthentik.io/docs/add-secure-apps/outposts/). Deploy this Outpost either on the same host or a different host that your QNAP NAS can access. The outpost will connect to authentik and configure itself. ## NAS Configuration The procedure is a two step setup: 1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password. 2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost. :::note The config edit is essential, as QNAP relies on certain not configurable things. The search for users and groups relies on a fix filter for `objectClass` in `posixAccount` or `posixGroup` classes. Also by default the search scope is set to `one` (`singleLevel`), which can be adapted in the config to `sub` (`wholeSubtree`). ### Sample LDAP request from QNAP Default search for users ```text Scope: 1 (singleLevel) Deref Aliases: 0 (neverDerefAliases) Size Limit: 0 Time Limit: 0 Types Only: false Filter: (objectClass=posixAccount) Attributes: uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass ``` Default search for groups ```text Scope: 1 (singleLevel) Deref Aliases: 0 (neverDerefAliases) Size Limit: 0 Time Limit: 0 Types Only: false Filter: (objectClass=posixGroup) Attributes: cn userPassword memberUid gidNumber ``` ::: ### QNAP Web UI Configure the following values and "Apply" ![qnap domain security](./qnap-ldap-configuration.png) :::caution With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values. ::: :::note The UI Configuration is necessary, as it will save the Password encrypted in `/etc/config/nss_ldap.ensecret`. ::: ### SSH Connect your QNAP NAS via SSH. First stop the LDAP Service: ```bash /sbin/setcfg LDAP Enable FALSE /etc/init.d/ldap.sh stop ``` Edit the file at `/etc/config/nss_ldap.conf`: ```conf host ${ldap.domain} base ${ldap.baseDN} uri ldaps://${ldap.domain}/ ssl on rootbinddn cn=${qnap.serviceAccount},ou=users,${ldap.baseDN} nss_schema rfc2307bis # remap object classes to authentik ones nss_map_objectclass posixAccount user nss_map_objectclass shadowAccount user nss_map_objectclass posixGroup group # remap attributes # uid to cn is essential otherwise only id usernames will occur nss_map_attribute uid cn # map displayName information into comments field nss_map_attribute gecos displayName # see https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames nss_map_attribute uniqueMember member # configure scope per search filter nss_base_passwd ou=users,${ldap.baseDN}?one nss_base_shadow ou=users,${ldap.baseDN}?one nss_base_group ou=groups,${ldap.baseDN}?one tls_checkpeer no referrals no bind_policy soft timelimit 120 tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5 nss_initgroups_ignoreusers admin,akadmin ``` Now start the LDAP Service: ```bash /sbin/setcfg LDAP Enable TRUE /etc/init.d/ldap.sh start ``` To see if connection is working, type ```bash # list users $ getent passwd ``` The output should list local users and authentik accounts. ```bash # list groups $ getent group ``` The output should list local and authentik groups.