LDAP replication between Synology DSM and OpenBSD


I want my OpenBSD 6.4 services to authenticate users against a remote LDAP server; namely a Synology Directory Server (DSM 6.2.x). It turns out that this is a standard OpenLDAP 2.4.x configured to accept replication in refreshAndPersist mode. So let's configure a Primary / Secondary replication setup between Synology and OpenBSD.

Get stuff from Synology (Primary)

From the DSM instance, we'll need the extra LDAP schemas (which don't ship with the OpenLDAP package on OpenBSD) and an initial dump of the data:

root@synology:~# cd /usr/syno/etc.defaults/openldap/schema/
root@synology:/usr/syno/etc.defaults/openldap/schema/# \
  tar cvzpf ~/syno-schemas.tar.gz apple.schema \
      apple_auxillary.schema samba.schema syno.schema

root@synology:~# slapcat -F /var/packages/DirectoryServer/target/etc/data/slapd.d \
  > syno-dump.ldif
5bd85e20 [monitor.c:362] bdb_monitor_db_open: monitoring disabled; \
  configure monitor database to enable

Then, simply transfer both files to the OpenBSD server.

Configure stuff on OpenBSD (Secondary)

First of all, install and enable OpenLDAP:

# pkg_add openldap-server-2.4.45p5
# rcctl enable slapd
# rcctl set slapd flags -h ldap://

Then install the schema files:

# tar xvzpf syno-schemas.tar.gz -C /etc/openldap/schema/

There is a small modification to apply to the syno.schema file:

# diff -U2 /etc/openldap/schema/syno.schema.orig /etc/openldap/schema/syno.schema
--- /etc/openldap/schema/syno.schema.orig Fri Sep 7 10:56:21 2018
+++ /etc/openldap/schema/syno.schema Tue Oct 30 15:00:13 2018
@@ -146,5 +146,5 @@

attributetype (
- NAME 'SynoExcludeCommonPwd'
+ NAME 'pwdSynoExcludeCommonPwd'
EQUALITY booleanMatch
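
Review bot: no reason is given for this rename; the surrounding text only calls it "a small modification". Since LDIF and slapd refer to attributes by NAME, renaming 'SynoExcludeCommonPwd' to 'pwdSynoExcludeCommonPwd' also changes how that attribute resolves when syno-dump.ldif is loaded with slapadd, so quoting the error that slaptest or slapadd reports without the change would let readers confirm the edit is still needed for their DSM and OpenLDAP versions. Also, the hunk header announces 5 old and 5 new lines but only 4 are shown, so the trailing context line after "EQUALITY booleanMatch" appears to have been lost when the post was formatted.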

Configure OpenLDAP with the Synology schemas and suffix, and enable replication:

# vi /etc/openldap/slapd.conf
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/apple_auxillary.schema
include /etc/openldap/schema/apple.schema
include /etc/openldap/schema/syno.schema
suffix          "dc=synology,dc=tumfatig,dc=local"
rootdn          "uid=root,cn=users,dc=synology,dc=tumfatig,dc=local"
syncrepl rid=000
  retry="5 10 300 +"

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 250

# doas -u _openldap slaptest -u
config file testing succeeded

Before starting the OpenLDAP daemon, restore the initial dump:

# doas -u _openldap slapadd -f /etc/openldap/slapd.conf -l syno-dump.ldif
5bd86476 hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
_#################### 100.00% eta none elapsed none fast!
Closing DB...

Finally, the OpenLDAP daemon can be started:

# rcctl start slapd
# rcctl check slapd

In my case, I only use the secondary locally. So it only listens on localhost without SSL.

# ldap search -x -b "cn=users,dc=synology,dc=tumfatig,dc=local" \
  -H ldap://localhost "(mail=*)" gecos
dn: uid=joe,cn=users,dc=synology,dc=tumfatig,dc=local
gecos: Joel Carnat

# ldap search -x -b "cn=groups,dc=synology,dc=tumfatig,dc=local" \
  -H ldap://localhost "(member=*)" description member
dn: cn=users,cn=groups,dc=synology,dc=tumfatig,dc=local
description: Directory default group
member: uid=joe,cn=users,dc=synology,dc=tumfatig,dc=local
member: uid=tom,cn=users,dc=synology,dc=tumfatig,dc=local

Attribute changes are made from the Synology DSM interface and, within seconds, are visible on the localhost secondary instance.
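To confirm that the secondary really has caught up, rather than trusting the clock, compare the contextCSN of the replicated suffix on both sides. The script below is an added example and is not part of the original post; it assumes ldapsearch from the openldap-client package, that both servers allow an anonymous read of contextCSN, and that the provider is reachable as "synology" (the hostname in the prompts above).

```shell
#!/bin/sh
# Added example, not from the original post: verify that the OpenBSD
# consumer has caught up with the Synology provider by comparing the
# contextCSN attribute of the replicated suffix on both sides.
# Assumptions: ldapsearch from the openldap-client package, anonymous
# read of contextCSN allowed on both servers, provider reachable as
# "synology" (the hostname shown in the post's prompts).

SUFFIX='dc=synology,dc=tumfatig,dc=local'
PRIMARY='synology'

# Print the contextCSN value(s) found in LDIF on stdin, one per line.
# A suffix may carry one CSN per serverID, so sort to compare as sets.
csn_of() {
    awk '/^contextCSN: /{ print $2 }' | sort
}

# compare_csn PROVIDER_LDIF CONSUMER_LDIF
# Returns 0 when both sides report the same CSN set, 1 when they differ
# (the consumer is lagging), 2 when a side reports no contextCSN at all
# (wrong base DN, or the search was not allowed to read it).
compare_csn() {
    p=$(printf '%s\n' "$1" | csn_of)
    c=$(printf '%s\n' "$2" | csn_of)
    if [ -z "$p" ] || [ -z "$c" ]; then
        return 2
    fi
    [ "$p" = "$c" ]
}

# Fetch the suffix entry, asking only for the operational contextCSN,
# from the provider and from the local consumer, then compare them.
check_live() {
    prov=$(ldapsearch -x -LLL -H "ldap://$PRIMARY" -b "$SUFFIX" -s base contextCSN)
    cons=$(ldapsearch -x -LLL -H ldap://localhost -b "$SUFFIX" -s base contextCSN)
    rc=0
    compare_csn "$prov" "$cons" || rc=$?
    case $rc in
        0) echo "secondary is in sync with $PRIMARY" ;;
        1) echo "secondary lags behind $PRIMARY: check syncrepl in the slapd log" ;;
        *) echo "no contextCSN returned by one side: check base DN and access" ;;
    esac
    return $rc
}

# Run the live check only when asked, so the functions can be sourced/tested.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh check_csn.sh --live` on the OpenBSD box; a non-zero exit means the copy is stale or unreadable, which is what a cron job or monitoring check would alert on.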

Every service can now use this local copy of the user database, even if OpenBSD loses its connection to the OpenLDAP primary.

It should be possible to maintain an LDAP copy on the OpenBSD server using the native ldapd(8) and scheduling some ldapsearch/ldapadd commands. So far I haven't tried it…