[TrueNAS Scale] LDAP

December 19, 2023

Overview

A walkthrough of the settings in Directory Services > LDAP.

Reference

Environment

TrueNAS Scale 23.10.0.1

Summary Configuration

LDAP

Hostname

The hostname or IP address of the LDAP server. Separate entries by pressing Enter.

Base DN

Top level of the LDAP directory tree to be used when searching for resources. Example: dc=test,dc=org.

Bind DN

Administrative account name on the LDAP server. Example: cn=Manager,dc=test,dc=org.

Bind Password

Password for the Bind DN.

Enable

Activates the configuration. Unset to disable the configuration without deleting it.

  • Unchecked / default

Allow Anonymous Binding

Set for the LDAP server to disable authentication and allow read and write access to any client.

  • Unchecked / default

Encryption Mode

  • OFF: do not encrypt the LDAP connection.
  • ON: encrypt the LDAP connection with SSL on port 636.
  • START_TLS: encrypt the LDAP connection with STARTTLS on the default LDAP port 389.

Certificate

Certificate to use when performing LDAP certificate-based authentication. To configure LDAP certificate-based authentication, create a Certificate Signing Request for the LDAP provider to sign. A certificate is not required when using username/password or Kerberos authentication.

  • truenas_default

Validate Certificates

Verify certificate authenticity.

  • Checked / default

Disable LDAP User/Group Cache

Disable caching LDAP users and groups in large LDAP environments. When caching is disabled, LDAP users and groups do not appear in dropdown menus, but are still accepted when manually entered.

  • Unchecked / default

Kerberos Realm

Select an existing realm that was added in Directory Services > Kerberos Realms.

Kerberos Principal

Select the location of the principal in the keytab created in Directory Services > Kerberos Keytabs.

LDAP Timeout

LDAP timeout in seconds. Increase this value if a Kerberos ticket timeout occurs.

  • 10 / default

DNS Timeout

DNS timeout in seconds. Increase this value if DNS queries time out.

  • 10 / default

Samba Schema (DEPRECATED – see help text)

Use Samba LDAP schema extensions to provide support for LDAP authentication with SMB shares. DEPRECATED: Support for legacy samba schema for LDAP has been deprecated and will be removed in a future TrueNAS version.

  • Unchecked / default

Auxiliary Parameters

Additional options for nslcd.conf.

Schema

Select a schema when Samba Schema is set.

  • RFC2307
  • RFC2307BIS

nslcd.conf

The settings above are written to /etc/nslcd.conf.

root@NAS003[/etc]# cat nslcd.conf
#
# NSLCD.CONF(5)         The configuration file for LDAP nameservice daemon
#

    uri         ldap://ldap.cavtime.com:389
    base        dc=cavtime,dc=com
    binddn      cn=admin,dc=cavtime,dc=com
    bindpw      Password
    scope       sub
    timelimit   10
    bind_timelimit 10
    nss_nested_groups yes
    nss_min_uid 1000
    nss_initgroups_ignoreusers ALLLOCAL
root@NAS003[/etc]#
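The nslcd.conf above is the result of the form's defaults with Encryption Mode OFF, so the bind password and every lookup cross the network in clear text. The following added example (not TrueNAS code) parses an nslcd.conf and flags the settings this page covers: a plain ldap:// URI without START_TLS, a permissive tls_reqcert (Validate Certificates unchecked), and a missing binddn/bindpw (anonymous bind). Directive names follow nslcd.conf(5); the hardened sample and the CA bundle path are constructed, and that TrueNAS emits exactly those lines for Encryption Mode ON is an assumption.

```python
from collections import defaultdict

# Copied from the page's /etc/nslcd.conf (Encryption Mode OFF).
PAGE_CONF = """
uri         ldap://ldap.cavtime.com:389
base        dc=cavtime,dc=com
binddn      cn=admin,dc=cavtime,dc=com
bindpw      Password
scope       sub
"""

# Constructed: the same site with Encryption Mode ON and Validate Certificates
# checked. Directives per nslcd.conf(5); the CA bundle path is a placeholder.
HARDENED_CONF = """
uri         ldaps://ldap.cavtime.com:636
base        dc=cavtime,dc=com
binddn      cn=admin,dc=cavtime,dc=com
bindpw      Password
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
"""

def parse_nslcd(text):
    """Parse 'key value' lines into {key: [values]}; keys such as uri may repeat."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()].append(value.strip())
    return dict(conf)

def audit_nslcd(conf):
    """Return findings for the form settings discussed above; [] if none."""
    findings = []
    uris = conf.get("uri", [])
    # Encryption Mode OFF: an ldap:// URI with no 'ssl start_tls' binds in clear text.
    if any(u.startswith("ldap://") for u in uris) and conf.get("ssl", ["off"])[-1].lower() != "start_tls":
        findings.append("cleartext LDAP: ldap:// URI without 'ssl start_tls'")
    # Validate Certificates unchecked shows up as a permissive tls_reqcert.
    reqcert = conf.get("tls_reqcert", ["demand"])[-1].lower()
    if reqcert not in ("demand", "hard"):
        findings.append(f"server certificate not verified: tls_reqcert {reqcert}")
    # Allow Anonymous Binding: without binddn/bindpw nslcd binds anonymously.
    if not conf.get("binddn") or not conf.get("bindpw"):
        findings.append("anonymous bind: binddn/bindpw not set")
    return findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_nslcd(parse_nslcd(text)) or "no findings")
```

The bindpw is stored in plain text either way, so the file's permissions matter regardless of encryption mode.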