How to use Syncthing with OpenLDAP?

I’m really new to Syncthing and kind of new to using OpenLDAP but I have used OpenLDAP authentication on some other projects.

I’ve read Syncthing’s documentation regarding the use of OpenLDAP. I don’t understand however how to completely use this feature.

When I perform ldapsearches on the command line I typically need to authenticate with a user and a password. A simple search for example:

ldapsearch -D "cn=admin,dc=ldap,dc=domain,dc=com" -W -b 'ou=users,dc=ldap,dc=domain,dc=com' -H ldaps://openldap.domain.com:636 cn=kevdog

I believe the -D refers to the user I’m using to authenticate and run the query with, and the -W indicates the password.

So I don’t understand how I would perform a similar search with Syncthing.

Address = openldap.domain.com:636

Base Domain = ou=users,dc=ldap,dc=domain,dc=com

Bind Domain is where I’m struggling. My command line uses a --bindDN and --bindPassword but the GUI is only set up for a bindDN.

I guess I don’t understand what I’m using, since in other implementations I’ve had to enter the password in the configuration file and save the file with 600 permissions.

My organization scheme looks like the following: (it’s pretty basic):

The bind is made with the user’s credentials, which is how they’re verified. That’s the %s place holder in the bind DN. In your case you want something like cn=%s,ou=users,dc=ldap,dc=example,dc=com.
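As an added illustration (not Syncthing’s own code, and not a claim about how Syncthing builds the DN internally), the following shows what the %s placeholder in the bind DN amounts to: the login name is substituted into the template and the result is used as the DN for the bind. The function names, the template string and the sample usernames are assumptions made for the example. It also shows why the substituted value should be escaped per RFC 4514 before it is spliced into the DN: a login name containing a comma would otherwise add an extra RDN to the bind DN instead of staying inside the cn value.

```python
# Added example: bind-DN templating with RFC 4514 escaping.
# Not Syncthing's code; template and sample names are constructed.

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 section 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a string so it is safe to embed as a single RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#' would start a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing spaces are insignificant unless escaped
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(template: str, username: str) -> str:
    """Substitute the login name into the %s placeholder with escaping applied."""
    if template.count("%s") != 1:
        raise ValueError("bind DN template must contain exactly one %s placeholder")
    return template.replace("%s", escape_dn_value(username))


def split_rdns(dn: str) -> list:
    """Split a DN into its RDNs on unescaped commas (escaped sequences are kept intact)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])    # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


# Assumed template, mirroring the one suggested in the thread.
TEMPLATE = "cn=%s,ou=users,dc=ldap,dc=example,dc=com"

if __name__ == "__main__":
    for name in ("kevdog", "kevdog,ou=admins"):
        naive = TEMPLATE.replace("%s", name)      # unescaped substitution
        safe = build_bind_dn(TEMPLATE, name)       # escaped substitution
        print(f"{name!r}: naive -> {len(split_rdns(naive))} RDNs, escaped -> {len(split_rdns(safe))} RDNs")
        print("  ", safe)
```

For a plain login name both forms are identical; for a name with a comma the escaped form keeps the DN at its original five RDNs, so the bind can only ever be attempted against an entry directly under ou=users. The server still decides whether the bind succeeds, since the password supplied with the login is what the bind is verified against.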

That kind of clears things up but I still don’t think things are working:

❯ ldapsearch -D "cn=kevdog,ou=users,dc=ldap,dc=domain,dc=com" -W -H ldaps://openldap.domain.com:636 -b "ou=users,dc=ldap,dc=domain,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=ldap,dc=gohilton,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Have I configured things incorrectly? Really confused. It at least authenticates this time.

Here are the log files from the openldap server:

5fd3da40 conn=1202 fd=17 ACCEPT from IP=10.0.1.86:44846 (IP=0.0.0.0:636)
5fd3da40 conn=1202 fd=17 TLS established tls_ssf=256 ssf=256
5fd3da40 conn=1202 op=0 BIND dn="cn=kevdog,ou=users,dc=ldap,dc=domain,dc=com" method=128
5fd3da40 conn=1202 op=0 BIND dn="cn=kevdog,ou=users,dc=ldap,dc=domain,dc=com" mech=SIMPLE ssf=0
5fd3da40 conn=1202 op=0 RESULT tag=97 err=0 text=
5fd3da40 conn=1202 op=1 SRCH base="ou=users,dc=ldap,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
5fd3da40 conn=1202 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
5fd3da40 conn=1202 op=2 UNBIND
5fd3da40 conn=1202 fd=17 closed

I don’t know, that looks like an LDAP question more than a Syncthing question.

OK, so I had to spend a lot of time figuring things out to address my problems, but I’m posting a solution here for the next person. It was both a combination of the OpenLDAP setup and Syncthing.

  1. Syncthing does not have an option to use TLS client certificates. I wish it could, but it does not. Because of this I had to change my OpenLDAP config from LDAP_TLS_VERIFY_CLIENT=demand to LDAP_TLS_VERIFY_CLIENT=try.

  2. If using self-signed SSL certs for OpenLDAP, make sure within Syncthing you choose LDAP->Insecure Skip Verify. I also thought there was a way to add a self-signed root CA.pem or CA.cert file within Syncthing; however, it doesn’t seem to have this option.

  3. Within the LDAP configuration, I needed to ensure that individual users could read their own configuration. This is the equivalent of doing an ldapsearch on the command line of:

ldapsearch -D "cn=%s,ou=users,dc=ldap,dc=domain,dc=com" -W -H ldaps://openldap.domain.com -b "cn=%s,ou=users,dc=ldap,dc=domain,dc=com"

Again the above command – specifically the ou=users,dc=ldap,dc=domain,dc=com – may change depending on your table layout within LDAP.

The database needs to have at minimum an olcAccess rule like the following:

olcAccess: {1}to * by self read

For me, these rules were found in the olcDatabase={1}mdb.ldif file within the cn=config directory of OpenLDAP.

Hopefully this helps. It would be great if Syncthing could add at least a way to import a self-signed rootCA.pem. Client certificates are nice; however, there is a workaround.

For what it’s worth you should be able to add your root CA to the system trust store and Syncthing will use it as well.
