
Wrapper/Synology 'forgetting' LDAP groups

Open RomanSandstorm opened this issue 9 months ago • 6 comments

Our network connects to our MS 365 tenant using Entra ID. We recently moved from on-premises AD, so your LDAP-Wrapper seems ideal.

Running DSM 7.2.2. LDAP-Wrapper 2.0.3.

Followed instructions (well-written, BTW) perfectly. All good.

Connected. Populated LDAP Users and LDAP groups.

Assigned permissions to some shares using both users, and groups.

Mapped network drive using the user's criteria. Mapping worked fine. 😀😀😀

[screenshot]

Then... 30 minutes later...

The same LDAP groups become 'Unknown'. And authentication and mapping fails.

[screenshot]

It seems that LDAP users retain, and do not become 'Unknown' after 30-60 minutes.

But I cannot add 100's of users individually.

I have spent many hours, trying adv permissions, wiping existing, refreshing the LDAP data. Removing and re-adding the LDAP-wrapper.

It is possible I have missed something in the doco, or just made a blinder somewhere.

I would appreciate any assistance.

Many thanks.

RomanSandstorm avatar Apr 01 '25 07:04 RomanSandstorm

Are there any errors or warnings in the log?

I'm not sure if it makes a difference, but I usually set the folder permissions on the ldap group and not on the shared folder: [screenshot]

If you have 100's of users, this hobby project may not be enough to handle that number...

ahaenggli avatar Apr 02 '25 14:04 ahaenggli

Thank you so much for your rapid reply! Much appreciated.

I assume you mean the SMB log?

From it:

[screenshot of the SMB log]

The admin01 and Visitor01 are local accounts, and always work perfectly.

The two "[email protected]" accounts were doing drive mapping from Windows 10. They are accounts from LDAP. As can be seen here, they worked fine. But....

Subsequent attempts to connect via drive maps failed (Unknown user / group:zzzz was showing). And did not even show in the SMB log! Thus, "[email protected]" was looked up, not found, error given in Windows, but not even an entry on the Synology. I had many attempts between 12:10 and 13:46. (I was changing permissions, etc.)

Yes, I did the same as you suggested: setting the permissions on the group. Also set permissions on the apps: SMB, and DSM. Also tried resetting the permissions at the folder level, and then setting within Advanced permissions.

All had the same result.

A thought: it seems that the LDAP 'update' period (which is set to 30 minutes), in the background, brings in the 'Unknown user/group'. The very first time I set up the LDAP-Wrapper, it worked perfectly until the next day. I think the default update is 24 hours. I subsequently duplicated the Wrapper and changed to 30 minutes as I was adding users, testing, etc. And then I noticed the 'Unknown' issue occur much quicker.

Manually doing an LDAP update...

[screenshot]

... seems to work OK. The fields are populated fine. But then in 30 minutes... bzzzzzt.

But it's only for groups. Individuals added from LDAP retain permissions - even when it turns to 'Unknown'.

When I said '100's', I meant a few dozen users, but with permissions entered at several different folders, resulting in 100's of selections being needed. Sorry to be imprecise.

I am guessing I can resort to the Synology / Entra recommended path, with creating a VPN, and paying for traffic (should be tiny, as it is likely only going to be Entra authentication info), but this does stretch my networking knowledge with my Sophos.

Thanks, I don't expect you to look into this apparently unique issue. I was hoping it may have been something previously encountered. I have asked a similar question on Reddit, as perhaps it may be a general LDAP/Entra/MS 365 Groups issue that others may have encountered. But no responses thus far. 🙁

Cheers, mate. Thanks for the software (that worked perfectly for me for 30 minutes! But obviously, permanently for many 100's of other folks.)

RomanSandstorm avatar Apr 03 '25 08:04 RomanSandstorm

Hi, I'm running into the same issue. After a while all group permission entries turn into "Unknown user or group: ...." and randomly start failing (although when using the permission inspector they seem to come back for an indeterminate amount of time). In contrast, all permission entries regarding users stay intact.

josecurioso avatar Apr 30 '25 06:04 josecurioso

Hi Jose,

Well, I guess my problem wasn't unique.

I have invested way more time into this, and I can reproduce the groups failing. But, like you, individual users are fine.

I've tried going down the 'Synology NOT joining an Entra Domain' path (https://kb.synology.com/en-br/DSM/tutorial/How_to_activate_Entra_ID_SAML_SSO).

Without an Entra Domain (and thus a VPN, and thus a heap more networking and configuring and cost), it is necessary to duplicate every Entra user as a Synology user. A pain, and almost may as well just use local users from the start, but there is the SSO advantage. When it works.

Because I have created two identical test users in Entra (and then on the Synology), and one SSO works fine, and the other does not! Seriously? So I then duplicated/copied the one that works, and that copy does not work. Grrrr....

Anyway... not related to this topic of ahaenggli's 'almost ideal' solution.

Cheers.

RomanSandstorm avatar May 01 '25 00:05 RomanSandstorm

Is there a difference between the main group (=users) and the synchronized groups? Or does the default user group users also disappear? I have no idea where to start looking at the moment...

ahaenggli avatar May 01 '25 20:05 ahaenggli

Thanks for replying again. As this now appears 'not quite so unique' it may be worth a dozen or so brain cells. LOL.

Short answer: no. For me at least.

Every LDAP group works perfectly - at first. Security groups, 365 groups, dynamic groups - all show up as options, and can be selected, and the permissions work 100%.

But then... as Jose and I have said, after a time (and this time varies; it may or may not be related to the LDAP update period), the groups become 'Unknown User/group'. Individual LDAP users remain solid.

Given you have not had any similar reports of this (other than Jose and me), perhaps it is something particular in his and my 365 tenancy? Clearly we have followed the setup instructions fine, as it does work at first. So the likelihood is something weird at our 365 end.

And further, it is probably related to the 'refreshing' of the LDAP directory; the collecting of 'deltas' maybe? rather than a full re-download each time? I dunno. I don't know how your system works.

As I mentioned in my last message, I am attempting to follow Synology's 'Activate Entra ID SAML SSO - NOT joining domain' procedure. But it involves duplicating every user locally. I think I finally have this going by changing the 'Unique User Identifier' from what Synology say in their doco. (I have to have a 'user.mailnickname' to match the created local user on the Synology.) Anyway, this isn't your issue! LOL.

Thanks.

RomanSandstorm avatar May 02 '25 00:05 RomanSandstorm
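One way to narrow down the "groups disappear after the refresh period" symptom described in the posts above is to take two LDIF dumps of the wrapper's directory (for example with `ldapsearch -LLL` against its bind DN), one before and one after the configured update interval, and diff the group entries. The script below is an added diagnostic example, not code from the AzureAD-LDAP-wrapper project or from any poster in this thread. It assumes the wrapper exposes groups as `posixGroup` entries with a `gidNumber`, and it assumes (not confirmed by the thread) that a DSM ACL entry turns into "Unknown user or group" when the numeric identifier it was bound to is no longer found or no longer matches; the two LDIF snapshots are constructed sample data, including the group DNs and numbers.

```python
"""Diff two LDIF snapshots and report groups that vanished or were renumbered.

Added diagnostic example for the DSM "Unknown user or group" symptom; this is
not part of the AzureAD-LDAP-wrapper project. The snapshots below are
constructed sample data (DNs, gidNumbers and members are made up).
"""
from collections import defaultdict

# Constructed snapshot taken right after a manual LDAP update.
SNAPSHOT_BEFORE = """\
dn: cn=staff,cn=groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 4001
memberUid: alice
memberUid: bob

dn: cn=finance,cn=groups,dc=example,dc=com
objectClass: posixGroup
cn: finance
gidNumber: 4002
memberUid: alice

dn: uid=alice,cn=users,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 5001
gidNumber: 4001
"""

# Constructed snapshot taken after the next background refresh: one group is
# gone entirely and another came back with a different gidNumber.
SNAPSHOT_AFTER = """\
dn: cn=staff,cn=groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 4007
memberUid: alice
memberUid: bob

dn: uid=alice,cn=users,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 5001
gidNumber: 4001
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for a plain LDIF dump.

    Handles folded lines and comments; base64 (`::`) values are kept verbatim,
    which is enough for DN/objectClass/gidNumber comparisons.
    """
    entries = {}
    current_dn, attrs = None, None
    for line in _unfold(text):
        if not line.strip():  # blank line terminates an entry
            if current_dn is not None:
                entries[current_dn] = attrs
            current_dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.lstrip(":").strip()
        if key == "dn":
            current_dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[key].append(value)
    if current_dn is not None:
        entries[current_dn] = attrs
    return entries


def groups_by_gid(entries):
    """Map group DN -> gidNumber for every posixGroup entry that has one."""
    return {
        dn: a["gidNumber"][0]
        for dn, a in entries.items()
        if "posixGroup" in a.get("objectClass", []) and a.get("gidNumber")
    }


def diff_groups(before_text, after_text):
    """Compare group identifiers between two snapshots.

    'missing' groups no longer exist at all; 'renumbered' groups still exist
    but under a different gidNumber, so an ACL bound to the old number would
    no longer resolve (assumed cause of the "Unknown" display, see lead-in).
    """
    before = groups_by_gid(parse_ldif(before_text))
    after = groups_by_gid(parse_ldif(after_text))
    return {
        "missing": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "renumbered": {
            dn: (before[dn], after[dn])
            for dn in before
            if dn in after and before[dn] != after[dn]
        },
    }


if __name__ == "__main__":
    for kind, items in diff_groups(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{kind}: {items}")
```

Run it against two real dumps by replacing the constructed strings with the contents of the LDIF files. If groups show up under `missing` or `renumbered` after a refresh while user entries stay stable, that localises the problem to how the wrapper regenerates group entries on sync rather than to DSM's ACL handling; if the dumps are identical, the cause is on the DSM side.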

Refer to this page for potential solution: https://community.synology.com/enu/forum/1/post/160659

wil-code avatar Nov 14 '25 20:11 wil-code