09-20-2018 04:25 AM - last edited on 03-14-2019 02:18 PM by NIadmin
Hi,
I have a problem configuring the use of LDAP group names as admin in SystemLink.
The figures below contain my settings and results:
Defining an LDAP group as admin results in my user, who is part of that group, being logged on as a standard user.
Defining an LDAP user as admin results in my user being logged on as an admin user.
Below are my LDAP settings, which work for users since I am able to log on as an LDAP user. And I double-checked that the user is part of the SystemLink_Admins group in the directory server.
Please advise.
09-25-2018 09:44 AM
Hi André,
For adding LDAP groups to roles, you need to specify the group's distinguished name. Based on your screenshots, this could be something like:
CN=SystemLink_Admins,DC=systemlink,DC=carya,DC=net
You would likely have some OU=... entries in there as well between the CN and the DCs depending on how your LDAP directory is organized.
For additional reference, the LDAP User entry is easier because it always matches the first attribute you specify in the LDAP URL (uid in your case). If you changed uid to distinguishedName, you would also have to specify the user's distinguished name in the role (and when you log in to the web server).
09-25-2018 11:25 AM
I think I see where you are heading, but I can't seem to get it to work.
I configured an admin group with value "CN=SystemLink_Admins,DC=systemlink,DC=carya,DC=net".
I left my LDAP URL the same and logged on with just the user name (uid). It still logs me on as a normal user although the user is a member of the admin group.
Where do I go wrong? I have very limited knowledge of LDAP and am using a Synology Directory Server (openLDAP based). I only configured groups and users.
Thanks.
09-25-2018 03:58 PM
I'm not familiar with Synology Directory Server, but you should be able to use a tool such as ldapsearch (on Linux) to browse the directory:
ldapsearch -D [your bind user] -W -H [your LDAP protocol://host:port] -LLL "(cn=SystemLink_Admins)" dn
Or you can look up the memberOf attributes for a user that you know is in the group and find it that way.
According to this documentation, "the distinguished name of the group in the LDAP database is cn=[groupname],cn=groups,cn=[Base_DN]". By that I'm guessing they mean it would be "CN=SystemLink_Admins,CN=groups,DC=systemlink,DC=carya,DC=net", but it's not clear to me what Base_DN would be since they put cn= there.
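As an added example (not code from the thread, from NI or from Synology), the following Python models the two lookups described in the reply above: it parses the LDIF that ldapsearch -LLL prints, pulls the group's full DN out of it (the value the role configuration needs), and checks whether a user is a member either via the group's member attribute or via the user's memberOf attribute, comparing DNs case-insensitively so a mismatch in letter case or spacing does not hide a real membership. The LDIF sample, the user and group names and all DNs are constructed to mirror the thread, and the helper functions are hypothetical, not a SystemLink API.

```python
"""Parse ldapsearch LDIF output and verify a group DN and a user's membership.

Added example, not part of the forum thread. The sample LDIF below is
constructed to look like `ldapsearch -LLL` output for a Synology-style
directory (cn=<group>,cn=groups,<Base_DN>); adjust DNs to the real tree.
"""
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample: one group entry (with a folded line and a base64
# value, both of which ldapsearch emits) and two user entries.
SAMPLE_LDIF = """\
dn: cn=systemlinkadmins,cn=groups,dc=systemlink,dc=carya,dc=net
objectClass: groupOfNames
cn: systemlinkadmins
member: uid=andre,cn=users,dc=systemlink,dc=carya,dc=net
member: uid=backup-admin,cn=users,dc=systemlink,
 dc=carya,dc=net
description:: U3lzdGVtTGluayBhZG1pbnM=

dn: uid=andre,cn=users,dc=systemlink,dc=carya,dc=net
objectClass: inetOrgPerson
uid: andre
cn: Andre
memberOf: CN=SystemLinkAdmins,CN=groups,DC=systemlink,DC=carya,DC=net

dn: uid=guest,cn=users,dc=systemlink,dc=carya,dc=net
objectClass: inetOrgPerson
uid: guest
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space marks a wrapped line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries mapping lower-cased attribute name -> values.

    The entry DN is stored under the key "dn". "attr:: <base64>" values are
    decoded; comment and version lines are skipped.
    """
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no spaces around commas.

    Simplified on purpose: escaped commas and multi-valued RDNs are not
    handled, which is enough for a flat users/groups layout like the one above.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def find_group_dn(entries: List[Entry], group_cn: str) -> Optional[str]:
    """Return the DN of the group entry whose cn matches (the value for the role)."""
    for entry in entries:
        is_group = any("group" in oc.lower() for oc in entry.get("objectclass", []))
        if is_group and any(v.lower() == group_cn.lower() for v in entry.get("cn", [])):
            return entry["dn"][0]
    return None


def user_is_member(entries: List[Entry], user_dn: str, group_dn: str) -> bool:
    """True if the group lists the user in member, or the user lists the group in memberOf."""
    want_user, want_group = normalize_dn(user_dn), normalize_dn(group_dn)
    for entry in entries:
        dn = normalize_dn(entry["dn"][0])
        if dn == want_group and want_user in {normalize_dn(m) for m in entry.get("member", [])}:
            return True
        if dn == want_user and want_group in {normalize_dn(g) for g in entry.get("memberof", [])}:
            return True
    return False


def diagnose_role(entries: List[Entry], configured_group_dn: str, user_dn: str) -> str:
    """Explain why a role mapped to configured_group_dn would or would not apply to user_dn."""
    want = normalize_dn(configured_group_dn)
    if not any(normalize_dn(e["dn"][0]) == want for e in entries):
        return "no such group entry"
    if not user_is_member(entries, user_dn, configured_group_dn):
        return "group exists but user is not a member"
    return "admin"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    andre = "uid=andre,cn=users,dc=systemlink,dc=carya,dc=net"
    print("group DN to configure:", find_group_dn(entries, "SystemLinkAdmins"))
    # The DN from the original post (no cn=groups component) does not exist
    # in this directory, which is why the role never applied.
    print(diagnose_role(entries, "CN=SystemLink_Admins,DC=systemlink,DC=carya,DC=net", andre))
    print(diagnose_role(entries, "cn=systemlinkadmins,cn=groups,dc=systemlink,dc=carya,dc=net", andre))
```

To run it against a real directory, replace SAMPLE_LDIF with the text returned by the ldapsearch command above (add the objectClass, cn and member attributes to the attribute list, or omit the list to get all attributes); diagnose_role then tells you whether the DN you typed into the role exists at all, which is the first thing to check when a group mapping silently falls back to the standard role.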
09-26-2018 09:53 AM
Hi pspangler,
You were right; after some fiddling I got it to work with "cn=systemlinkadmins,cn=groups,dc=systemlink,dc=carya,dc=net" as the group identifier.
I changed the group name in the process to rule out any special characters and also used all lower case to rule out case-sensitivity.