LDAP usage (login and shares)

daniel2

Cadet
Joined
Jun 25, 2022
Messages
2
I configured ldap and it looks like it synced successfully, because:
- Credentials > Directory Services > LDAP > Status = HEALTHY
- `getent group` showed appropriate groups with users
- firstly drop down/auto complete on permissions didn't show groups, but after a manual "Rebuild Directory Service Cache" it does show them.

My question is, where can I actually use LDAP users and groups in TrueNAS scale?

Because:
- The Web UI login screen looks like it couldn't use LDAP credentials.
- SMB shares are not letting me log in.
Maybe this has something to do with something I think I read somewhere(?) about SMB not working with LDAP because of some Samba thing.

Or is LDAP really "only" for these use cases:
- WebDAV (but how? Because when setting a password, that's just one user, or not?)
- (UNIX) NFS shares (does that even work?)


I already read these posts and documentation pages but couldn't find all the information:
- Forum: Directory users disappearing from local groups
- Forum (German): LDAP integration
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
With SMB you are limited to authentication methods provided by the protocol. For all practical purposes this means NTLMv2 or Kerberos. If you're using default Windows clients this means using Active Directory (Windows or Samba). Otherwise, you can in principle configure LDAP + Kerberos in your environment. NFSv4 + Kerberos works, but once again you are limited by what is supported for that protocol. NFSv3 doesn't really have auth per se. These are kind of fundamental aspects of how file sharing protocols work on all platforms.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Forgot to mention LDAP and WebDAV. In broad strokes, Digest authentication in WebDAV requires that the Apache server, in this case, have access to MD5s of user passwords. This would mean storing MD5s in the LDAP server, which is generally considered bad form, but slightly better than storing NT hashes (which would be required for SMB authentication) in the LDAP server. Doing this with a veneer of security would require schema changes to OpenLDAP and setting ACLs to prevent anyone from reading them.

Doing this also would mean that compromise of the TrueNAS server would potentially compromise the entire environment as a person with root access on the TrueNAS server with this ill-advised LDAP configuration would have access to MD4s or MD5s of all user passwords.
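To make concrete why Digest authentication forces the server (or a directory backing it) to hold an MD5-derived secret, here is an added Python example, not from this thread or from TrueNAS, of the RFC 2617 `qop=auth` computation: the server verifies a request using only the stored HA1, so that stored value is as sensitive as the password for that realm. User, realm, URI and nonce values are constructed.

```python
import hashlib
import hmac


def _md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is the value the WebDAV
    server must hold (htdigest file, or an LDAP attribute as discussed
    above) to check Digest responses; it never needs the password."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """What a real client does: it knows the password and derives HA1 itself."""
    ha1 = digest_ha1(user, realm, password)
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample values (not from the thread).
    user, realm, password = "alice", "webdav@example.test", "correct horse"
    method, uri = "PROPFIND", "/dav/docs/"
    nonce, nc, cnonce = "f0e1d2c3b4a5", "00000001", "0a1b2c3d"
    stored_ha1 = digest_ha1(user, realm, password)   # what the server keeps
    good = client_response(user, realm, password, method, uri, nonce, nc, cnonce)
    bad = client_response(user, realm, "wrong pass", method, uri, nonce, nc, cnonce)
    # The stored HA1 alone yields the same response as the real password, which
    # is why a leaked HA1 is password-equivalent for this realm (the risk above).
    from_ha1_only = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return {
        "accepts_correct_password": server_verify(stored_ha1, method, uri, nonce, nc, cnonce, good),
        "rejects_wrong_password": not server_verify(stored_ha1, method, uri, nonce, nc, cnonce, bad),
        "ha1_alone_suffices": from_ha1_only == good,
    }


if __name__ == "__main__":
    print(demo())
```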
 