
Creating the Initial Configuration


Last Modified 2023-03-13 09:52 EDT

TrueCommand allows you to manage all your TrueNAS systems from one location. This multi-system management increases efficiency and simplifies operations.

To get started with the initial configuration of TrueCommand, complete these steps:

  1. Create the administrator account. See Creating the Admin Account for more information.
  2. Create the necessary user accounts. See Creating User Accounts.
  3. Become familiar with the interface toolbars and icons. See Interface Overview.
  4. Connect your first TrueNAS system. See Connecting Your First TrueNAS System for more information.

The Administration page, available to users with administrator permissions, displays additional system details and offers a variety of TrueCommand configuration options. Click the Configure icon and select Administration to access the Administration screen. It is organized into About, Certificates, and Configuration widgets (functional and information cards).


TrueCommand Administration Overview

About

The About widget displays the current TrueCommand system ID and version, contact information for iXsystems, and license details.

Updating the License

You can expand TrueCommand to monitor more disks by upgrading or purchasing a license from iXsystems. Click GET A LICENSE to open a new browser tab to purchase a TrueCommand license. You can also contact iXsystems to upgrade the current license.

After you upgrade or purchase a new license, you must upload it to TrueCommand. Click Browse… to open a file browser on your local system. Select the new license file to upload and click UPLOAD LICENSE to apply the new license to TrueCommand.

Certificates Widget

The Certificates widget shows the certificates and Certificate Authorities (CAs) TrueCommand uses and has options to upload or import a certificate or CA.


Click Browse… to upload a file from the local system. Selecting Plain text allows you to copy and paste the raw text instead of uploading a file.

Certificate Authorities

Click IMPORT in the Certificate Authorities screen to add certificate authorities (CAs) to TrueCommand.


The CA Import screen allows you to name the CA and to select the plain text option before you upload it.

Configuration

The Configuration widget contains options to configure various TrueCommand features. Configuration options are:

  • General Options
  • SSL Options
  • Alert Options
  • LDAP
  • SAML
  • Telemetry

Click CONFIGURE to change feature settings.


After changing any options, click SAVE at the bottom of the window to save the new system configuration. To reset fields back to their previous values, click CANCEL.

General options include how long TrueCommand stores system statistics and the number of database backups from an iXsystems NAS to store.

SSL options

This feature is only available for local installations or containerized TrueCommand deployments.

By default, TrueCommand attempts an SSL connection, then a non-SSL connection if the first attempt fails. You can disable non-SSL connection attempts by setting Require SSL for all connections, which is useful when a monitored system uses a custom port or does not allow SSL-secured access.

There are additional options to configure how TrueCommand handles certificates. By default, TrueCommand accepts self-signed certificates and certificate hostname mismatches. Self-signed certificates enable the first-time login to TrueCommand. Certificate hostname mismatches let TrueCommand accept certificates from systems that use a hostname, even though it registered them with an IP address (or vice-versa).

Configure SSL

Alert Options

You can adjust the alert levels that TrueCommand shows from a connected NAS to tune the system messages displayed according to your use case. Choose an alert category to ignore. You can select multiple categories.

LDAP

The Allow LDAP user creation checkbox is not selected (disabled) by default. If disabled, you can use LDAP to log in with existing users.

SAML

The SAML service feature allows users to configure TrueCommand SAML for Active Directory or Google Admin.

Telemetry

TrueCommand reports some (completely anonymous) basic usage telemetry back to iXsystems for product improvement analysis.

Click the PREVIEW button to see what your system is sending.

Select Disable Telemetry and click SAVE to disable telemetry.

LDAP Servers

Users can configure TrueCommand to use LDAP servers for security and authentication management among connected TrueNAS systems.

TrueCommand supports using LDAP to better integrate within an established network environment. LDAP/AD allows using single sign-on credentials from the Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). Users can log in with an LDAP or AD account without creating a separate TrueCommand login.

LDAP and AD require the server IP address or DNS hostname and domain to use. The LDAP or AD Username (optional) is required when the TrueCommand user name does not match the LDAP or AD credentials.

Click the Gear icon > Administration. Click on the Configuration tab and scroll down to access the LDAP configuration section. Click ADD SERVER to begin configuring LDAP in TrueCommand. The screen changes to display the LDAP configuration settings fields.

Configure LDAP

To configure LDAP, type the LDAP server IP address or DNS hostname into the LDAP Server URL field, type the domain name in the Domain field, and click ADD SERVER. You can add multiple LDAP servers and domains.

The Test LDAP Config icon opens a window that allows you to test your connection to the LDAP server. The Remove LDAP Server icon removes the selected LDAP server.

Add LDAP Server

| Field | Value |
|---|---|
| LDAP Server URL (string, required) | IP or DNS name of the LDAP server, with port number on the end. Example: ldap.mycorp.com:636 (SSL port is typically 636 for AD/LDAP) |
| Domain (string, required) | Base domain settings of the user. Example: dc=mycorp,dc=com for a typical username@mycorp.com user account |
| Group Domain (string) | The alternative domain setting to use when searching for groups. The default value is the same as Domain. |
| Verify SSL (bool) | Require strict SSL certificate verification. The default value is false. Disable this option if the hostname of the system is different than the one listed on the SSL certificate, an IP is used for the connection instead of the DNS hostname, or if a self-signed certificate is used by the LDAP server. |
| User ID Field (string) | Domain fieldname to use for user-matching. The default value is uid (user ID). Another commonly used field is cn (common name). |
| Group ID Field (string) | The domain fieldname to use when searching for a group name. The default value is cn (common name). |
| BIND User Domain (string) | The full domain setting for a pre-authenticated bind to the server. Example: uid=binduser,cn=read-only-bind,dc=mycorp,dc=com. For an unauthenticated bind set this field to just a name (example: truecommand-bin). This is sometimes used for logging purposes on the LDAP, but otherwise is not validated. |
| BIND Password (string) | The password to use for the bind user. For an unauthenticated bind, leave this field blank while setting the BIND User Domain to a non-empty value. |

LDAP connection options

TrueCommand supports two common methods of validating LDAP user credentials:

Direct Bind

The direct BIND method uses the Domain and User ID Field values to create a static domain string for user authentication.

Example:

  • Domain: dc=mycorp,dc=com
  • User ID Field: uid

When bobby.singer attempts to log in, TrueCommand establishes an SSL-secure connection to the LDAP server and then attempts to bind with the static domain uid=bobby.singer,dc=mycorp,dc=com and the user-provided password. If successful, the user authentication is verified, and Bobby Singer may access TrueCommand.

Indirect Bind

The indirect BIND authentication method is more dynamic and searches for the proper user domain settings rather than making format assumptions. With TrueCommand, indirect BIND configures a bind user (typically a read-only, minimal-permissions user account) with a known domain/password to perform the initial bind to the LDAP server. Once logged in, TrueCommand searches for the user domain currently requesting to login. It then attempts a second bind with the user domain and provided password.

Example:

  • Domain: dc=mycorp,dc=com
  • User ID Field: uid
  • BIND User Domain: uid=binduser,cn=read-only-bind,dc=mycorp,dc=com
  • BIND Password: pre-shared-key

When bobby.singer attempts to log in, TrueCommand establishes an SSL-secure connection to the LDAP server. TrueCommand uses the BIND User Domain and BIND Password settings to perform an initial bind using pre-known settings from your LDAP provider. Once bound, TrueCommand searches for the user matching uid=bobby.singer, but only within the subdomains that include the domain setting (dc=mycorp,dc=com in this example). If TrueCommand finds a user, it uses the entire user domain string from the search result to initialize a second bind along with the user-provided password. If successful, TrueCommand verifies the user authentication, and Bobby Singer is allowed access to TrueCommand.
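
The two bind flows described above, as an added Python example that is not TrueCommand code. It runs against an in-memory stand-in for an LDAP server; the user entries, passwords, the ou=staff branch, and all function names are constructed for illustration. It also shows two client-side checks a practitioner would want: escaping the login name before it is placed in a DN, and refusing empty passwords, because the mock server (like some real ones) treats an empty password as an unauthenticated bind.

```python
# Added example: in-memory stand-in for an LDAP server (constructed data).
DOMAIN, ID_FIELD = "dc=mycorp,dc=com", "uid"
BIND_DN, BIND_PW = "uid=binduser,cn=read-only-bind,dc=mycorp,dc=com", "pre-shared-key"
DIRECTORY = {  # DN -> (attributes, password); user entries are constructed
    BIND_DN: ({"uid": "binduser"}, BIND_PW),
    "uid=bobby.singer,dc=mycorp,dc=com": ({"uid": "bobby.singer"}, "constructed-pw-1"),
    "uid=jody.mills,ou=staff,dc=mycorp,dc=com": ({"uid": "jody.mills"}, "constructed-pw-2"),
}

def server_bind(dn, password):
    """Mock simple bind. Assumption: an empty password is accepted as an
    unauthenticated bind, which proves nothing about the user's identity."""
    if password == "":
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def server_search(base, field, value):
    """Mock subtree search: DNs at or under base whose attribute equals value."""
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and attrs.get(field) == value]

def escape_dn_value(value):
    """Backslash-escape DN metacharacters and a leading '#' or space
    (trailing space and NUL handling omitted for brevity)."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def direct_dn(user):
    """Static DN built from User ID Field and Domain, as in the direct bind."""
    return f"{ID_FIELD}={escape_dn_value(user)},{DOMAIN}"

def direct_bind_login(user, password):
    if not password:              # never let an empty password reach the server
        return False
    return server_bind(direct_dn(user), password)

def indirect_bind_login(user, password):
    if not password or not server_bind(BIND_DN, BIND_PW):
        return False
    matches = server_search(DOMAIN, ID_FIELD, user)
    if len(matches) != 1:         # unknown or ambiguous user: refuse
        return False
    return server_bind(matches[0], password)  # second bind with the found DN
```

In this constructed directory, jody.mills sits under ou=staff, so the direct bind's static DN does not match her entry while the indirect bind finds it by search.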

SSL/TLS Connection Info

WARNING: AD/LDAP authentication requires SSL connections.

If the LDAP server uses an SSL certificate generated by a custom certificate authority (CA), then one of two things must occur before TrueCommand can use the LDAP server:

  • (Option 1) Users must register the custom certificate authority with TrueCommand via the Certificates tab on the Administration screen.
  • (Option 2) Users can disable the Verify SSL option to accept whatever SSL certificate the server provides. Users might need to choose Option 2 if the LDAP server hostname differs from the one listed on the certificate or if the server uses a self-signed SSL certificate.

Selecting Allow LDAP user creation means TrueCommand creates user accounts when someone logs in to the User Interface with their LDAP credentials. JOIN TEAM automatically adds LDAP users to specific TrueCommand teams.

LDAP Teams

The LDAP Teams widget allows you to add TrueCommand teams to your LDAP server by clicking JOIN and selecting a team from the list.

Alert Recipients

The Alert Recipients widget allows you to add email addresses to your LDAP server by clicking ADD and entering a valid address.


Clicking the Configure button displays the following fields:


| Field | Value |
|---|---|
| Mailserver | Address for the SMTP server. |
| Mailserver port | Port number the SMTP server listens to. |
| Auth user | User name for plain authentication. |
| Auth pass | Password for plain authentication. Leave blank for no-auth. |
| From | The email address of the sender. |
