I can see the following; Synology DSM can connect to Synology LDAP Server using STARTTLS locally, MacOS doesn’t support disallowing anonymous binds from what I can gather/research (I haven’t gotten MacOS to connect yet – I don’t get an authentication failure but after entering user credentials, it just presents the spinning wheel icon forever until you force restart).

I have also changed the SSL cert for Synology LDAP Server to use the certificate I created from your ACME SSL guide (I’ve tried this and the default, neither seem to work).

I have also checked nothing funny with firewall rules potentially blocking ports, I’m currently trying to figure out how to check any logs for hints as to what the problem may be.

Regards
Andy

Again – great guides thanks. I can get this working without authenticating the connection, without SSL/STARTTLS, and without the LDAP group filter to pfsense_admins, but adding any of those steps results in pfsense not being able to connect to the Synology LDAP server.

A couple of questions, when you use STARTTLS (which I am trialling for this project to get my head around things, but I’m not sure whether this will be an issue for me later with MacOS clients I want to try and get working with Synology LDAP server), did you change the certificate in Synology for the LDAP server to the one SSL cert you created previously in Acme? It isn’t in the instructions so I assumed not (and are just using the self signed cert that is the default), and I can see you also left (in pfSense) the Peer Certificate Authority as Global Root CA rather than switching to R3?

Otherwise I’m scratching my head a bit, particularly around why the group filter and authenticated connections fail (on the later, I’ve been using Client specific user profiles for other services connecting to Synology LDAP, but neither a pfSense specific client user, or the root seem to work for pfSense).

Any thoughts appreciated.

Regards
Andy