TrueNAS CORE
TrueNAS Enterprise
TrueNAS SCALE
TrueCommand
Compare Editions
Software Status
FreeNAS
Compare Systems
M-Series
X-Series
R-Series
Mini Series
Download TrueNAS CORE
Download TrueNAS SCALE
Get TrueNAS Enterprise
Where to BuyTrueCommand Version Documentation
This content follows TrueCommand 2.3 releases. Use the Product and Version selectors above to view content specific to TrueNAS software or major versions.
Creating User Accounts
8 minute read.
Last Modified 2024-03-19 09:09 EDTTrueCommand has a robust user management system designed to allow TrueCommand administrators to personalize the TrueCommand experience for each user account. You can create user accounts in the TrueCommand interface. Alternatively, LDAP can automatically create new user accounts when someone logs into TrueCommand with their LDAP credentials.
TrueCommand also organizes user accounts into teams so admins can simultaneously manage many user accounts.
TrueCommand has two levels of accounts - administrators, and users:
Administrators can add and remove users and servers. Administrators can also assign users to teams and servers to groups. Administrators have full access to all alerts and reports.
Users, however, can only interact with the servers they are assigned by an administrator.
Users can configure alerts and generate reports on their respective systems.
To create a new user account, open the Configure settings menu and click Users > + NEW USER. Enter a descriptive user name and an authentication method for the user.
TrueCommand uses the default authentication method to create unique credentials for logging in to the web interface. The administrator must provide these credentials to the intended user.
Two-factor authentication double-checks the authentication of an account user. The first verification occurs when the user logs in with a username and a password. Two-factor authentication adds an extra step in the process, a second security layer, that re-confirms their identity. If basic password security measures are in place, two-factor authentication makes it more difficult for unverified users to log in to your account.
Enabling two-factor authentication requires an already-authenticated email address. Authenticating a user email address requires first setting up SMTP Email in Settings-> Alert Services.
To verify a user email address and set 2FA:
- Enter the email address for the user and click Save Changes.
- Check the user’s email account for the verification code. Copy the code from the email.
- Paste the code in the Confirmation code field in the confirmation window. Click OK.
- Set Enable 2FA and click Save Changes.
TrueCommand supports using LDAP to better integrate within an established network environment. LDAP/AD allows using single sign-on credentials from the Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). Users can log in with an LDAP or AD account without creating a separate TrueCommand login.
LDAP and AD require the server IP address or DNS hostname and domain to use. The LDAP or AD Username (optional) is required when the TrueCommand user name does not match the LDAP or AD credentials.
Click on the settings (Gear) > Administration.
Click Add on the LDAP Servers widget to open the Add LDAP Server configuration screen.
To configure LDAP, type the LDAP server IP address or DNS host name into the LDAP Server URL field, type the domain name in the Domain field, and click ADD SERVER. You can add multiple LDAP servers and domains.
The Test LDAP Config icon opens a window that allows you to test your connection to the LDAP server. The Remove LDAP Server icon removes the selected LDAP server.
| Setting | Description |
|---|---|
| Hostname | (Required) Enter the host name, IP or DNS name, of the LDAP server, with port number on the end. For example: ldap.mycorp.com:636 (SSL port is typically 636 for AD/LDAP). |
| Domain | (Required) Base domain settings of the user. For example: dc=mycorp,dc=com for a typical username@mycorp.com user account. |
| Group Domain | Enter the alternative domain setting to use when searching for groups. The default value is the same as Domain. |
| Verify SSL | Select to require strict SSL certificate verification. The default value is false. Disable this option if the system host name is not the one on the SSL certificate, the system uses an IP to connect instead of the DNS host name, or the LDAP server uses a self-signed certificate. |
| User ID Field | Enter the user ID for the user that logs in (this is class-matched to the login username). Enter Domain name to use for user-matching. The default value is uid (user ID). Another commonly-used field is cn (common name). |
| Group ID Field | Enter the class for finding groups associated with a user. The default is cn (common name). Enter the Domain name to use when searching for a group name. |
| BIND User Domain | Enter the full domain setting for a pre-authenticated bind to the server. For example: uid=binduser,cn=read-only-bind,dc=mycorp,dc=com. For an unauthenticated bind, enter just a name (example: truecommand-bin). This is sometimes used for logging purposes on the LDAP but otherwise is not validated. |
| Realm | Enter the realm that performs authentication against the LDAP server. |
| BIND Password | Enter the password to use for the bind user. For an unauthenticated bind, leave blank while setting the BIND User Domain to a non-empty value. |
| KDC | Enter the key distribution center (KDC) that supplies session tickets and temporary session keys to users and computers within the LDAP server. |
TrueCommand supports two methods of validating LDAP user credentials:
The direct BIND method uses the Domain and User ID Field values to create a static domain string for user authentication.
Example:
- Domain: dc=mycorp,dc=com
- User ID Field: uid
When bobby.singer attempts to log in, TrueCommand establishes an SSL-secure connection to the LDAP server and attempts to bind with the static domain uid=bobby.singer,dc=mycorp,dc=com and the user-provided password. If successful, the user authentication verifies, and Bobby Singer may access TrueCommand.
The indirect BIND authentication method is more dynamic and searches for the proper user domain settings rather than making format assumptions. With TrueCommand, indirect BIND configures a bind user (typically a read-only, minimal-permissions user account) with a known domain/password to perform the initial bind to the LDAP server. After logging in, TrueCommand searches for the user domain requesting to log in. It then attempts a second bind with the user domain and provided password.
Example:
- Domain: dc=mycorp,dc=com
- User ID Field: uid
- BIND User Domain: uid=binduser,cn=read-only-bind,dc=mycorp,dc=com
- BIND Password: pre-shared-key
When bobby.singer attempts to log in, TrueCommand establishes an SSL-secure connection to the LDAP server. TrueCommand uses the BIND User Domain and BIND Password settings to perform an initial bind using pre-known settings from your LDAP provider. Once bound, TrueCommand searches for the user matching uid=bobby.singer, but only within the subdomains that include the domain setting (dc=mycorp,dc=com in this example). If TrueCommand finds a user, it uses the entire user domain string from the search result to initialize a second bind along with the user-provided password. If successful, TrueCommand verifies the user authentication, and Bobby Singer is allowed access to TrueCommand.
WARNING: AD/LDAP authentication requires SSL connections.
If the LDAP server uses an SSL certificate generated by a custom certificate authority (CA), then one of two things must occur before TrueCommand can use the LDAP server:
- (Option 1) Users must register the custom certificate authority with TrueCommand via the Certificates tab on the Administration screen.
- (Option 2) Users can disable the Verify SSL option to accept whatever SSL certificate the server provides. Users might need to choose Option 2 if the LDAP server hostname differs from the one listed on the certificate or if the server uses a self-signed SSL certificate.
Selecting Allow LDAP user creation means TrueCommand creates user accounts when someone logs in to the User Interface with their LDAP credentials. JOIN TEAM automatically adds LDAP users to specific TrueCommand teams.
You can assign users to existing teams by selecting a team from the Teams drop-down to add the user to that team. You can assign users to multiple teams. TrueCommand applies team permissions to any user added to a team, but setting specific permissions for the user can override related team permissions. For more indepth information regarding teams, see the Teams Documentation.
To limit non-administrative account access to connected systems, configure the System Access and/or System Groups sections. This requires first configuring system connections and/or system groups in TrueCommand.
Click ADD SYSTEM and select a system from the drop-down to give the user access to that system. To restrict the user to only viewing details about the system, set the read permission. To remove user access to a particular system, click - (minus) on that system.
When system groups are available, an ADD GROUP button displays. Click ADD GROUP and select a group from the drop-down list to give the user access to all the systems in that group. To assign a user a type of access to the group, choose read or read/write permissions. To remove user access to a particular system group, click - (minus) on the desired group.
TrueCommand users can reset their passwords from the login screen. After typing their username click the FORGOT PASSWORD button.
Enter the user email address (or where you want to send the reset login code).
An [AUTH] TrueCommand Password Reset email should arrive with the reset password login code. After receiving the code, enter the user name in the login screen and the reset password code and click SIGN IN. The user can then go to their profile to change their password.
