The preferred way to use the LDAP wrapper is with Docker. Alternatively, the source can be downloaded and started manually with npm/node.
As the domain (and basedn, if specified manually), it is recommended to use the same one as in your Microsoft Entra tenant (e.g. @domain.tld). This way the spelling of the user names (e.g. username@domain.tld) will match in the end. Otherwise your users would have to log in as username@example.com instead of the expected username@domain.tld.
The API results and a local copy of the LDAP entries are stored as JSON files inside the container at this path: /app/.cache
Map this folder to provide persistent storage for your users/groups (and their samba password hashes).
Be aware that other users in the file system may also be able to read the JSON files and thus get access to the cached sambaNTPassword attribute.
Install container on a Synology NAS
Install Docker from the Synology Package Center.
In Docker, go to “Registry” to download the latest container image.
In Docker, go to “Image” to launch a new container. Use “bridge” as your network.
Give your container a name and enable auto-restart.
Configure the environment variables in “Advanced Settings”. Be sure to double-check your AZURE_* values and define at least one binduser. The binduser (a superuser like root) does not need to exist in your Microsoft Entra tenant. Replace example.com with your domain. Here is an example of a minimum required configuration:

```yaml
TZ: "Europe/Zurich" # optional
AZURE_TENANTID: "0def2345-ff01-56789-1234-ab9d6dda1e1e"
AZURE_APP_ID: "abc12345-ab01-0000-1111-a1e1eab9d6dd"
AZURE_APP_SECRET: "iamasecret~yep-reallyreallysecret"
LDAP_DOMAIN: "example.com"
LDAP_BINDUSER: "ldapsearch|*secretldapsearch123*||root|*secretroot*"
LDAP_DEBUG: "false" # set this to true for more logs
GRAPH_IGNORE_MFA_ERRORS: "false" # set this to true to bypass MFA
DSM7: "true" # set this to false if you are running DSM 6 or lower
```
A full list of all environment variables can be found here.
Set the local port 389 to the container port 13389. If you receive the error “Local port 389 conflicts with other ports used by other services”, make sure that Synology Directory Service and Synology LDAP Server are not installed; they also use this port.
Add a local folder, such as docker/ldap, to the mount path /app/.cache in the volume settings. If you skip this step, your data will not be stored permanently.
Attention: if you use a volume instead of a host directory to map /app/.cache, the file IshouldNotExist.txt may have to be deleted manually after the first start attempt.
This is a minimal example for a running configuration.
You can either set environment variables or create an .env file in the root directory.
```dotenv
## .env file or environment variables

### Values of your Microsoft Entra application
AZURE_APP_ID="abc12345-ab01-0000-1111-a1e1eab9d6dd"
AZURE_TENANTID="0def2345-ff01-56789-1234-ab9d6dda1e1e"
AZURE_APP_SECRET="iamasecret~yep-reallyreallysecret"

# Ignore MFA-related errors, so users can log in despite activated MFA
# GRAPH_IGNORE_MFA_ERRORS="false"

# Settings for your LDAP server
LDAP_DOMAIN="example.com"
LDAP_BINDUSER="root|mystrongpw||ldapsearch|ldapsearchpw123"
```
```bash
# clone repo and open folder
git clone https://github.com/ahaenggli/AzureAD-LDAP-wrapper.git
cd AzureAD-LDAP-wrapper

# install 3rd party libraries
npm install

# use a .env file or set your env vars
# run with npm
npm start

# or start it with node ("--openssl-legacy-provider" is needed)
# node --openssl-legacy-provider index.js
```
Caution
Check your Docker log for errors before attempting to use the LDAP server.