
I'm attempting to deploy freeIPA in my company. The network is quite simple:

  • < 10 FC20 (and FC21 beta) desktops
  • < 5 FC20 servers (including the one with freeIPA)
  • 1 Synology NAS DS1813+ (DSM 5.0)

I am first simulating everything on VMs (including the Synology NAS). The Synology should also export NFS shares and be as much integrated as possible with freeIPA. Also, I would like it to host NFS home directories for the freeIPA users (home directories are currently local to the client).

Status:

  • freeIPA Server up (4.1.1)
  • Fedora clients enrolled, I can log in with LDAP users
  • Synology: problems

About the Synology client status and my specific questions:

  • there is no ipa-client-install for DSM, so I tried to follow generic and fragmented (up-to-date manuals are not available as far as I know) instructions such as:
  • it can see and use the freeIPA server as the only DNS server
  • The first step mentioned is "Install SSSD 1.5.x or later, if it is not already installed."
  • Problem is, SSSD doesn't seem to be available for DSM. What can I do here?
  • Is the absence of SSSD a show-stopper?
  • One of the comments below points out that this is no show-stopper, as SSSD is just a client-side credential cache. But then: can I just ignore SSSD configuration and forget about it, or does its absence imply some different steps in the client configuration? Is it really totally optional?
  • NFS shares: suppose I manage to enroll the Synology properly, it's not very clear to me which steps to follow in order to use it as the home share for the LDAP users. Can anyone with experience give me a short checklist? In particular, about the order of the steps to follow? I know how to create an export in the Synology station and how to use it from a client. But here I have the additional difficulties of using the export as a home share and integrating it in freeIPA. The added complexity and no clear guide give me headaches.
  • notice that the users are few, so I'm more than willing to create new LDAP users and then move / re-own files, rather than migrating users.
  • What I would like to avoid as much as possible is to mess up manually with configuration files in the Synology station. As long as I do things via its UI, I can minimise the chance to break things.

I'm more than happy to update this question in case something is under-specified. Thanks!

cornuz
  • Looks like these folks got it at least somewhat working: http://forum.synology.com/enu/viewtopic.php?f=116&t=72871 – David W Dec 01 '14 at 11:59
  • Thanks @DavidW , That is indeed the only discussion I had found. I'm still trying to figure out whether it contains something useful for me (I didn't seem to have the LDAP authentication problem they talk about) – cornuz Dec 01 '14 at 14:11
  • 1
    sssd isn't a show stopper. For your use case it just caches the credentials so you can still login if the network to the ldap server went away. Centos 5 and older don't have sssd either. – Sirex Dec 01 '14 at 19:06

1 Answer

Clients (especially MS) look up DNS for LDAP. DNS must have an SRV record for LDAP.

dig [@ns] _ldap._tcp.example.com srv

might reveal if it has one. If the NAS still can't find it, adding an MS-specific one might help, like

_ldap._tcp.dc._msdcs.example.com. <ttl> IN SRV <prio> <weight> 389 freeipa.example.com.

and

freeipa.example.com. <ttl> IN A <ip address>
Nizam Mohamed
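As an added check (example code, not from the original post and not part of freeIPA or DSM): a small Python script that parses the answer section of the `dig` query the answer suggests and reports whether the LDAP SRV records and the A record for their target are all present. The sample `dig +noall +answer` output, the zone example.com, the host freeipa and the address 192.0.2.10 are constructed.

```python
import re

# Constructed sample of `dig +noall +answer` output for the records the answer
# describes: the standard LDAP SRV, the MS-specific _msdcs SRV, Kerberos, and
# the A record the SRV targets point at.
SAMPLE_DIG_OUTPUT = """\
_ldap._tcp.example.com.           86400 IN SRV 0 100 389 freeipa.example.com.
_ldap._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 389 freeipa.example.com.
_kerberos._udp.example.com.       86400 IN SRV 0 100 88  freeipa.example.com.
freeipa.example.com.              86400 IN A   192.0.2.10
"""

# SRV names an LDAP client doing DNS discovery is expected to find, with the
# ports that are acceptable for each (389 plain/STARTTLS, 636 LDAPS).
REQUIRED_SRV = {
    "_ldap._tcp.example.com.": {389, 636},
    "_ldap._tcp.dc._msdcs.example.com.": {389, 636},
}

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")


def parse_records(text):
    """Split dig answer lines into {srv_name: [(prio, weight, port, target)]} and {name: [ip]}."""
    srv, a = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = SRV_RE.match(line)
        if m:
            name, prio, weight, port, target = m.groups()
            srv.setdefault(name.lower(), []).append((int(prio), int(weight), int(port), target.lower()))
            continue
        m = A_RE.match(line)
        if m:
            a.setdefault(m.group(1).lower(), []).append(m.group(2))
    return srv, a


def check_ldap_discovery(text, required=REQUIRED_SRV):
    """Return a list of problems found; an empty list means discovery records are complete."""
    srv, a = parse_records(text)
    problems = []
    for name, ports in required.items():
        entries = srv.get(name)
        if not entries:
            problems.append(f"missing SRV record {name}")
            continue
        for _prio, _weight, port, target in entries:
            if port not in ports:
                problems.append(f"{name} points at unexpected port {port}")
            if target not in a:
                problems.append(f"{name} target {target} has no A record in the answer")
    return problems
```

Run `dig +noall +answer @ns _ldap._tcp.example.com _ldap._tcp.dc._msdcs.example.com srv freeipa.example.com a` against the freeIPA DNS server and feed its output to `check_ldap_discovery` to see which piece the NAS is missing.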