Syncthing can be configured to delegate authentication to an external LDAP source. Typical examples include Microsoft Active Directory and OpenLDAP / OpenDirectory servers.
To enable LDAP authentication some configuration options must be set in the advanced config editor. Under “Actions > Advanced”, select and expand the LDAP tab. The following options are available:
Set to the address of the LDAP server, with hostname and port. For example,
dc1.example.com:389for standard LDAP, or
dc1.example.com:636for LDAPS. (See also
This is the pattern for the bind user. The special token
%smust be inserted to represent the username entered by the user at the login prompt. Typical examples are
%firstname.lastname@example.org Active Directory or something like
CN=%s,CN=Users,DC=example,DC=comfor standard LDAP servers.
Insecure Skip Verify
When set, this option disables all certificate verification for LDAPS. Use with care and only when absolutely necessary.
Search Base DN
Optional, base DN to use for user searches. See Enforcing Group Membership below.
Optional, search filter to use for user searches. See Enforcing Group Membership below.
plainfor unencrypted LDAP (port 389),
tlsfor LDAPS (port 636), or
starttlsfor Start TLS (port 389 typically).
A simple setup might look like this:
Once these settings are correct, LDAP authentication must be enabled by
setting the authentication mode to
ldap in the advanced GUI
Enforcing Group Membership¶
New in version 1.5.0.
In some cases it may be desirable to restrict login to members of a certain group. We do this by using a custom search filter that matches users who belong to the group only.
We need to know three things to specify the required search:
The base DN under which users are stored. This can be something like
CN=Users,DC=example,DC=comfor AD, or it can be a specific OU for a subset of users.
The DN for the group we need to match, and the user attribute that stores group memberships. This varies depending on the LDAP schema and layout, for AD the membership attribute is
The attribute that stores the user ID that the user enters at the login prompt. Again this varies, and it can be either
UID, or something else. For AD it is
With these at hand we can enter the base DN in the
Search Base DN
configuration option, and build our search filter. The search filter needs
to match both the user ID and the group membership. For an AD setup with a
Syncthing in the standard location, a valid search filter is:
(& (sAMAccountName=%s) (memberOf=CN=Syncthing,CN=Users,DC=example,DC=com) )
Line breaks for clarity only. We enter this as one long string. For example, like this: