The EVO can be configured to work with directory services such as LDAP and Active Directory.
Some basic considerations:
- The EVO can use either Active Directory or LDAP, but not both simultaneously
- Names of users and groups must contain only Latin letters and digits (dots, dashes, underscores are also allowed) and must be shorter than 32 characters
- The directory should not contain a user named "root": such an account conflicts with EVO's internal root user
- For best compatibility, use lowercase usernames throughout
Requirements for configuration:
- For either integration, EVO must be pointed at a local DNS server that can resolve the directory server's hostname. The DNS server is set at the Connectivity page in the EVO web GUI.
- The EVO clock must also agree with the directory server's clock. Kerberos, which Active Directory uses for authentication, rejects requests when the two clocks differ by more than the domain's tolerance (five minutes by default), so synchronize both to NTP rather than setting the time by hand. The EVO time is set at the System page, where EVO can take either the NTP server or the NTP client role. If EVO is to synchronize from an NTP server on the internet, check the Connectivity page to make sure a gateway is configured.
Active Directory
The Active Directory configuration is located at the Users & Passwords page.
1. Tick "Enable AD"
2. Specify the domain name
3. In the User and Password fields, specify credentials of an account that has permission to manage computer accounts in the domain. A domain administrator works, but a dedicated account delegated only that permission is the least-privilege choice and limits the damage if the stored credentials are ever exposed
4. Click the Save button.
User permissions can then be managed per user or per group at the NAS & Project Sharing page.
It is also possible to maintain a whitelist of AD groups if you prefer to import only a selection of users rather than the complete directory. This saves system resources, keeps user management simpler, and limits the set of accounts that can reach EVO to the groups you have explicitly listed.
We currently provide out-of-the-box support for up to 350,000 AD users. If you need more, please contact our support team.
Note: Active Directory group policy may include a timeout that causes client authentication to expire, after which network shares are unmounted from client machines (overnight, for example). The policy can be adjusted on the AD server to ensure user sessions do not expire for EVO volumes mounted on workstations.
Note: When mounting EVO NAS shares in an Active Directory environment, non-AD EVO users (created in the EVO web administration) must tell the workstation not to use the AD domain. Prepending evo\ to the username in the workstation's mount prompt (for example evo\alexander) tells the workstation to use the "evo" domain rather than the local AD domain. If no alternate domain is specified, the workstation defaults to the Active Directory domain, and EVO will expect an AD user rather than one created at the Users & Passwords page.
LDAP
LDAP functionality can easily be added to EVO, but there are some important caveats to consider before configuring it. Please read to the end of this article before following the steps required to add LDAP communication.
The LDAP section is found at the Users & Passwords page.
Assuming an example hostname of "ldap-server.mydomain.com", these are the settings required:
Host: ldap-server.mydomain.com:389
Base DN: dc=ldap-server,dc=mydomain,dc=com
Encryption: None
Samba mode: pam
The Base DN shown is only an example derived from that hostname; use the suffix under which your own directory actually stores its users and groups. Note also that with Encryption set to None on port 389, the bind credentials and all directory traffic cross the network in clear text, so keep the path between EVO and the LDAP server on a trusted management network.
Next, tick the "Enable LDAP" box.
AFP users can now connect with LDAP credentials.
SMB users will need to connect with plain-text passwords, which also requires setting the server to use SMB1. Both settings weaken the share: the password is sent in the clear on every connection, and SMB1 lacks the protections of later dialects, so limit this configuration to networks you trust. Recent Windows releases no longer install the SMB1 client by default, so it may have to be enabled as a Windows feature on the workstation.
You can change the server setting under the "NAS Configuration" section on the Advanced page in EVO. Change the "SMB Protocol" setting to SMB1 and click Save.
To enable plaintext passwords on the workstations:
Mac clients will need to either edit or create the /etc/nsmb.conf file with the following contents (signing_required=no turns off SMB signing and minauth=none allows the plain-text authentication):
[default]
signing_required=no
minauth=none
For Windows clients, either download and double-click the attached patch, or browse in Registry Editor to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\parameters
and set the DWORD value EnablePlainTextPassword to 1, then reboot. As a .reg file the same change reads:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\parameters]
"EnablePlainTextPassword"=dword:00000001
In EVO version 5, it is also required that both user IDs (uidNumber) and group IDs (gidNumber) are above 5000.
Any users or groups with an ID below 5000 will be skipped when synchronizing EVO with the LDAP server, so those users would not be able to access EVO resources.
This requirement is lifted in EVO version 6. If you're unable to accommodate these ID requirements with a lower EVO version, please contact us to see what options are available.
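Before enabling the integration, it is worth checking the directory export against the naming rules listed at the top of this article (Latin letters, digits, dots, dashes and underscores only; shorter than 32 characters; no "root"; lowercase recommended) and against the EVO 5 ID floor described here. The following is an added example, not part of EVO or its documentation: a Python preflight script that reads a minimal LDIF export of posixAccount and posixGroup entries and reports which entries EVO 5 would skip and which names break the rules. The LDIF sample is constructed for the demo, and the parser, the evo_version switch and the way the rules are applied are this example's own assumptions.

```python
"""Preflight check for LDAP users and groups before importing them into EVO.

Added example, not part of EVO or its documentation. It applies the naming
rules and the EVO 5 ID floor from the article to entries read from an LDIF
export. Assumes posixAccount/posixGroup entries with uid/cn, uidNumber and
gidNumber attributes.
"""
import re

NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # Latin letters, digits, '.', '-', '_'
MAX_NAME_LEN = 32   # names must be shorter than 32 characters
MIN_ID = 5000       # EVO 5 skips users/groups whose IDs are below this (lifted in EVO 6)

# Constructed sample LDIF for the demo; not taken from any real directory.
SAMPLE_LDIF = """\
dn: uid=alexander,ou=people,dc=mydomain,dc=com
objectClass: posixAccount
uid: alexander
uidNumber: 5001
gidNumber: 5100

dn: uid=root,ou=people,dc=mydomain,dc=com
objectClass: posixAccount
uid: root
uidNumber: 5002
gidNumber: 5100

dn: uid=Jörg.Müller,ou=people,dc=mydomain,dc=com
objectClass: posixAccount
uid: Jörg.Müller
uidNumber: 5003
gidNumber: 5100

dn: uid=legacyuser,ou=people,dc=mydomain,dc=com
objectClass: posixAccount
uid: legacyuser
uidNumber: 1001
gidNumber: 100

dn: cn=editors,ou=groups,dc=mydomain,dc=com
objectClass: posixGroup
cn: editors
gidNumber: 5100
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts.

    Handles blank-line separated entries, '#' comments and folded lines
    (a leading space continues the previous value). Base64 '::' values are
    not supported; this is enough for a plain posixAccount/posixGroup dump.
    """
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_name(name):
    """Return (errors, warnings) for one user or group name per the article's rules."""
    errors, warnings = [], []
    if not NAME_RE.fullmatch(name):
        errors.append("contains characters other than Latin letters, digits, '.', '-', '_'")
    if len(name) >= MAX_NAME_LEN:
        errors.append(f"is {len(name)} characters; must be shorter than {MAX_NAME_LEN}")
    if name.lower() == "root":
        errors.append("conflicts with EVO's internal root user")
    if name != name.lower():
        warnings.append("is not lowercase (lowercase is recommended for compatibility)")
    return errors, warnings


def preflight(ldif_text, evo_version=5):
    """Return {name: {"errors": [...], "warnings": [...]}} for every user and group.

    An entry with any error would either be skipped by EVO or cause trouble
    after import; warnings are the article's recommendations.
    """
    report = {}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if "posixgroup" in classes:
            name, id_attrs = entry.get("cn", ["?"])[0], ("gidNumber",)
        elif "posixaccount" in classes:
            name, id_attrs = entry.get("uid", ["?"])[0], ("uidNumber", "gidNumber")
        else:
            continue  # not a user or group; EVO would not import it anyway
        errors, warnings = check_name(name)
        if evo_version < 6:  # the ID floor only applies before EVO 6
            for attr in id_attrs:
                for raw in entry.get(attr, []):
                    if int(raw) < MIN_ID:
                        errors.append(f"{attr} {raw} is below {MIN_ID}; EVO {evo_version} will skip this entry")
        report[name] = {"errors": errors, "warnings": warnings}
    return report


if __name__ == "__main__":
    for name, result in preflight(SAMPLE_LDIF).items():
        print(f"{'SKIP' if result['errors'] else 'ok  '} {name}")
        for msg in result["errors"]:
            print(f"       error: {msg}")
        for msg in result["warnings"]:
            print(f"       warn:  {msg}")
```

Run it against a real export (for example the output of an ldapsearch over the Base DN you intend to configure) and fix the flagged accounts in the directory before ticking "Enable LDAP"; calling preflight(text, evo_version=6) drops the ID check for EVO 6 and later.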