Last Modified 2021-06-29 16:07 EDT
TrueNAS has an OpenLDAP client for accessing the information on an LDAP server. An LDAP server provides directory services for finding network resources such as users and their associated permissions.
LDAP authentication for SMB shares only works when the directory has been populated with Samba attributes; smbldap-tools is a common tool for doing that. The LDAP server must support SSL/TLS, and the certificate of the CA that signed the LDAP server certificate must be imported into TrueNAS. Non-CA certificates are not currently supported.
To integrate an LDAP server with TrueNAS, go to Credentials > Directory Services and click Settings in the LDAP window.
| Setting | Description |
|---|---|
| Hostname | LDAP server hostnames or IP addresses, separated by spaces. Multiple entries form a failover priority list: if a host does not respond, the next host in the list is tried until a connection is established. |
| Base DN | Top level of the LDAP directory tree to search when looking up resources. Example: dc=test,dc=org. |
| Bind DN | Distinguished name of the account TrueNAS binds to the server as. Example: cn=Manager,dc=test,dc=org. Prefer a dedicated service account with only the access TrueNAS needs over a directory administrator account. |
| Bind Password | Password for the Bind DN. |
| Enable | Activates the configuration. Unset to disable the configuration without deleting it; it can be re-enabled later without reconfiguring the options. |
To further modify the LDAP configuration, click Advanced Options.
| Setting | Description |
|---|---|
| Allow Anonymous Binding | Bind to the LDAP server without credentials instead of using the Bind DN and password. This only works if the server permits anonymous reads of the user and group entries TrueNAS needs, and it should only be used with a server that restricts anonymous clients to read access. |
| Encryption Mode | Encryption for the LDAP connection. OFF: no encryption; the bind password and all directory data cross the network in cleartext. ON: LDAPS, that is, TLS from the start of the connection on port 636. START_TLS: connect on the default LDAP port 389 and upgrade the connection with STARTTLS before binding. |
| Certificate | Certificate to use when performing LDAP certificate-based authentication. To configure it, create a Certificate Signing Request for the LDAP provider to sign. A certificate is not required when using username/password or Kerberos authentication. |
| Validate Certificates | Verify that the server certificate chains to the imported CA. Leave this set: without validation, any host on the network path can present its own certificate and read the bind credentials. |
| Disable LDAP User/Group Cache | Disable caching of LDAP users and groups in large LDAP environments. When caching is disabled, LDAP users and groups do not appear in dropdown menus but are still accepted when entered manually. |
| Kerberos Realm | Select an existing realm that was added in Kerberos Realms. |
| Kerberos Principal | Select the principal from the keytab created in Kerberos Keytab. |
| LDAP timeout | LDAP timeout in seconds. Increase this value if a Kerberos ticket timeout occurs. |
| DNS timeout | DNS timeout in seconds. Increase this value if DNS queries time out. |
| Samba Schema | Only set when LDAP authentication for SMB shares is required and the LDAP server is already populated with Samba attributes. |
| Auxiliary Parameters | Additional options appended to nslcd.conf. |
| Schema | Select a schema when Samba Schema is set. |
| Edit Idmap | Opens the Idmap configuration screen. |
DEPRECATED: Support for Samba Schema is officially deprecated in Samba 4.13. The feature will be removed after Samba 4.14. Users should begin upgrading legacy Samba domains to Samba AD domains.
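The Advanced Options above end up as directives in the nslcd.conf that TrueNAS writes for its LDAP client. The following is an added example, not TrueNAS code: it renders a settings object into an nslcd.conf fragment using real nslcd directive names (uri, base, binddn, bindpw, ssl, tls_reqcert, tls_cacertfile, sasl_mech) and flags the combinations that leak credentials or defeat certificate checking. The field-to-directive mapping, the CA file path and the sample hostnames and DNs are this example's own assumptions, not what TrueNAS itself emits.

```python
"""Render TrueNAS LDAP form fields into an nslcd.conf fragment and lint it.

Added example, not TrueNAS code. The directive names are real nslcd.conf
options, but how each GUI field maps onto them is this example's assumption.
"""
from dataclasses import dataclass
from typing import List

# Encryption Mode values as they appear in the TrueNAS form.
OFF, ON, START_TLS = "OFF", "ON", "START_TLS"


@dataclass
class LdapSettings:
    hostnames: str                      # space-separated, in failover order
    base_dn: str
    bind_dn: str = ""
    bind_password: str = ""
    allow_anonymous_binding: bool = False
    encryption_mode: str = START_TLS
    validate_certificates: bool = True
    ca_cert_file: str = "/etc/ssl/certs/ldap-ca.crt"   # assumed path
    kerberos_principal: str = ""        # non-empty selects GSSAPI binding


def ldap_uris(hostnames: str, mode: str) -> List[str]:
    """Turn the space-separated Hostname field into LDAP URIs.

    ON means LDAPS on 636; OFF and START_TLS both connect with ldap:// on
    389, START_TLS upgrading the connection afterwards. Order is preserved
    because nslcd tries the URIs in the order given (the failover list).
    """
    scheme, port = ("ldaps", 636) if mode == ON else ("ldap", 389)
    uris = []
    for host in hostnames.split():
        # Bracket bare IPv6 literals so the port suffix is unambiguous.
        if ":" in host and not host.startswith("["):
            host = f"[{host}]"
        uris.append(f"{scheme}://{host}:{port}/")
    return uris


def render_nslcd(s: LdapSettings) -> str:
    """Emit the nslcd.conf lines implied by the form fields."""
    lines = [f"uri {' '.join(ldap_uris(s.hostnames, s.encryption_mode))}",
             f"base {s.base_dn}"]
    if s.kerberos_principal:
        # Kerberos: no bind password is stored; the keytab supplies credentials.
        lines += ["sasl_mech GSSAPI", f"sasl_authcid {s.kerberos_principal}"]
    elif not s.allow_anonymous_binding:
        lines += [f"binddn {s.bind_dn}", f"bindpw {s.bind_password}"]
    if s.encryption_mode == START_TLS:
        lines.append("ssl start_tls")
    elif s.encryption_mode == ON:
        lines.append("ssl on")
    if s.encryption_mode != OFF:
        # 'demand' rejects any certificate that does not chain to the CA;
        # 'never' accepts anything, which is what "Validate Certificates" off means.
        lines.append("tls_reqcert " + ("demand" if s.validate_certificates else "never"))
        lines.append(f"tls_cacertfile {s.ca_cert_file}")
    return "\n".join(lines) + "\n"


def lint(s: LdapSettings) -> List[str]:
    """Flag settings that expose the bind password or allow server impersonation."""
    findings = []
    if s.encryption_mode == OFF:
        findings.append("OFF: bind password and directory data cross the wire in cleartext")
    if s.encryption_mode != OFF and not s.validate_certificates:
        findings.append("Validate Certificates unset: a forged server certificate is accepted (MITM)")
    if s.allow_anonymous_binding:
        findings.append("anonymous bind: depends on the server limiting anonymous clients to read access")
    return findings


if __name__ == "__main__":
    common = dict(hostnames="ldap1.test.org ldap2.test.org", base_dn="dc=test,dc=org",
                  bind_dn="cn=svc-truenas,ou=svc,dc=test,dc=org", bind_password="secret")
    weak = LdapSettings(encryption_mode=OFF, validate_certificates=False, **common)
    hardened = LdapSettings(**common)   # START_TLS with certificate validation
    for label, cfg in (("weak", weak), ("hardened", hardened)):
        print(f"--- {label} ---\n{render_nslcd(cfg)}findings: {lint(cfg) or 'none'}\n")
```

The same checks can be made against the live server before setting Enable: with the OpenLDAP client tools, ldapsearch -ZZ -H ldap://ldap1.test.org -D "cn=svc-truenas,ou=svc,dc=test,dc=org" -W -b dc=test,dc=org fails outright if STARTTLS cannot be negotiated or if the server certificate does not validate against the CA configured in the client's ldap.conf, which is exactly the failure the Validate Certificates option is meant to surface rather than hide.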
If the cache becomes out of sync, or fewer users than expected are available in the permissions editors, resync the cache with the Rebuild Directory Service Cache button.