TrueNAS CORE authentication using Google Workspace Secure LDAP

Joined
Dec 13, 2022
Messages
5
Hello all,

I'd like to be able to have people access SMB shares using their Google Workspace user name (email address) and password.

We have the Google Workspace Enterprise license level, which includes Google Secure LDAP.

I have created a new LDAP client entry in the Google Workspace admin console for TrueNAS, and I am provided with the following:

1. Certificate with CRT and KEY file
2. User name and password

I believe the Google Secure LDAP endpoint is: ldap.google.com

How can I configure TrueNAS with the above to have users authenticate?

Thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The SMB protocol has a limited set of options available for client authentication. For all practical purposes they are:
1. NTLM
2. Kerberos

There is a legacy and insecure way of storing NT hashes in the remote LDAP server, and granting the SMB server access to them (Samba schema). This allows (1) through the LDAP server. (2) requires a Kerberos realm in addition to the LDAP server. Note that configuring Windows to talk to a non-AD Kerberos realm can be somewhat involved from an admin perspective.

TL;DR, if you want to use SMB, it's better generally to use AD (either Microsoft or Samba).
 
Joined
Dec 13, 2022
Messages
5
Thanks for the information.

In our case we would like to authenticate to Google Secure LDAP and move away from Microsoft Active Directory to enable a modern cloud-based (internet-accessible) auth strategy that avoids VPNs and a DC having to be available.

In regards to the certificate that Google Secure LDAP generates (CERT and KEY files), how can I import this into TrueNAS?

When I go to "System > CAs > Add" and then change the "Type" to "Import CA", how can I paste in the "Certificate Subject > Certificate" from either of the two files Google Secure LDAP generated?
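Before pasting the CRT and KEY files from the post above into any TrueNAS import form, a local check that the key really belongs to the certificate and that the certificate is not about to expire avoids a confusing failed bind to ldap.google.com later. The script below is added here as an example; it is not from the thread or from TrueNAS, the file names are placeholders for the files downloaded from the admin console, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from TrueNAS: sanity checks on the
# TLS client certificate (.crt) and private key (.key) issued by Google Secure LDAP,
# run before importing them. Requires the openssl CLI. File names are placeholders.

# check_pair CERT KEY: succeeds (exit 0) only if KEY is the private key behind CERT.
check_pair() {
    cert="$1"; key="$2"
    # Both files must parse as PEM before anything is compared.
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1
    openssl pkey -in "$key" -noout 2>/dev/null || return 1
    # The public key embedded in the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeeds if CERT is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_summary CERT: prints subject, issuer and expiry, the fields worth recording
# alongside the LDAP client entry before the certificate is imported.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Usage: sh check_ldap_client_cert.sh Google_client.crt Google_client.key
if [ "$#" -eq 2 ]; then
    if check_pair "$1" "$2"; then
        echo "OK: key matches certificate"
        cert_summary "$1"
        cert_valid_for_days "$1" 30 || echo "WARNING: certificate expires within 30 days"
    else
        echo "ERROR: key does not match certificate (or a file failed to parse)" >&2
        exit 1
    fi
fi
```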
 