
LDAP

  3 minute read.

Last Modified 2021-06-29 16:07 EDT

TrueNAS has an OpenLDAP client for accessing the information on an LDAP server. An LDAP server provides directory services for finding network resources such as users and their associated permissions.

LDAP authentication for SMB shares is disabled unless the LDAP directory has been configured for and populated with Samba attributes. The most popular script for performing this task is smbldap-tools. The LDAP server must support SSL/TLS and the certificate for the LDAP server CA must be imported. Non-CA certificates are not currently supported.

Configuration

To integrate an LDAP server with TrueNAS, go to Credentials > Directory Services and click Settings in the LDAP window.


Field: Description
Hostname: LDAP server hostnames or IP addresses. Separate entries with a space. Multiple hostnames or IP addresses can be entered to create an LDAP failover priority list. If a host does not respond, the next host in the list is tried until a new connection is established.
Base DN: Top level of the LDAP directory tree to be used when searching for resources. Example: dc=test,dc=org.
Bind DN: Administrative account name on the LDAP server. Example: cn=Manager,dc=test,dc=org.
Bind Password: Password for the Bind DN.
Enable: Activates the configuration. Unset to disable the configuration without deleting it. It can be enabled at a later time without reconfiguring the options.

To further modify the LDAP configuration, click Advanced Options.


Field: Description
Allow Anonymous Binding: Set to have the LDAP server disable authentication and allow read and write access to any client.
Encryption Mode: Options for encrypting the LDAP connection:
  * OFF: do not encrypt the LDAP connection.
  * ON: encrypt the LDAP connection with SSL on port 636.
  * START_TLS: encrypt the LDAP connection with STARTTLS on the default LDAP port 389.
Certificate: Certificate to use when performing LDAP certificate-based authentication. To configure LDAP certificate-based authentication, create a Certificate Signing Request for the LDAP provider to sign. A certificate is not required when using username/password or Kerberos authentication.
Validate Certificates: Verify certificate authenticity.
Disable LDAP User/Group Cache: Disable caching LDAP users and groups in large LDAP environments. When caching is disabled, LDAP users and groups do not appear in dropdown menus but are still accepted when manually entered.
Kerberos Realm: Select an existing realm that was added in Kerberos Realms.
Kerberos Principal: Select the location of the principal in the keytab created in Kerberos Keytab.
LDAP timeout: LDAP timeout in seconds. Increase this value if a Kerberos ticket timeout occurs.
DNS timeout: DNS timeout in seconds. Increase this value if DNS queries time out.
Samba Schema: Only set when LDAP authentication for SMB shares is required and the LDAP server is already configured with Samba attributes.
Auxiliary Parameters: Additional options can be specified for nslcd.conf.
Schema: Select a schema when Samba Schema is set.
Edit Idmap: The Edit Idmap button takes users to the Idmap configuration screen.

DEPRECATED: Support for Samba Schema is officially deprecated in Samba 4.13. The feature will be removed after Samba 4.14. Users should begin upgrading legacy Samba domains to Samba AD domains.
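The following is an added example, not TrueNAS code: it models the fields from the two tables above (the space-separated Hostname failover list, Base DN, Bind DN, Encryption Mode, Validate Certificates and Allow Anonymous Binding), expands the hostnames into the ordered list of LDAP URIs a client would try, and reports settings that weaken the connection. All hostnames and DNs in it are constructed sample values.

```python
"""Audit a TrueNAS-style LDAP client configuration before enabling it."""
from dataclasses import dataclass
from typing import List


@dataclass
class LdapConfig:
    hostnames: str                 # space-separated failover list (Hostname field)
    base_dn: str                   # e.g. dc=test,dc=org
    bind_dn: str                   # e.g. cn=Manager,dc=test,dc=org
    encryption_mode: str           # "OFF", "ON" (SSL on 636) or "START_TLS" (on 389)
    validate_certificates: bool = True
    allow_anonymous_binding: bool = False


def _has_explicit_port(host: str) -> bool:
    """True for host:port or [ipv6-literal]:port entries."""
    if host.startswith("["):
        return "]:" in host
    return host.count(":") == 1


def ldap_uris(cfg: LdapConfig) -> List[str]:
    """Expand the Hostname field into the ordered failover URI list a client
    tries in turn. ON uses ldaps:// on 636; OFF and START_TLS both open
    ldap:// on 389 (START_TLS upgrades that connection after it is opened)."""
    scheme, port = ("ldaps", 636) if cfg.encryption_mode == "ON" else ("ldap", 389)
    return [f"{scheme}://{h}" if _has_explicit_port(h) else f"{scheme}://{h}:{port}"
            for h in cfg.hostnames.split()]


def audit(cfg: LdapConfig) -> List[str]:
    """Return findings for settings that weaken the LDAP connection; an empty
    list means none of the audited fields needs attention."""
    findings = []
    if cfg.encryption_mode not in ("OFF", "ON", "START_TLS"):
        findings.append(f"unknown Encryption Mode {cfg.encryption_mode!r}")
    elif cfg.encryption_mode == "OFF":
        findings.append("Encryption Mode OFF: the Bind Password and directory data "
                        "cross the network in clear text")
    elif not cfg.validate_certificates:
        findings.append("Validate Certificates unset: the server certificate is not "
                        "checked against the imported CA, so TLS does not prove "
                        "which server answered")
    if cfg.allow_anonymous_binding:
        findings.append("Allow Anonymous Binding set: any client gets read and write "
                        "access without credentials")
    if not cfg.hostnames.split():
        findings.append("Hostname is empty: no server in the failover list")
    return findings
```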

Troubleshooting

If the cache becomes out of sync or fewer users than expected are available in the permissions editors, resync the cache using the Rebuild Directory Service Cache button.