Bug: TrueNAS generates invalid sssd.conf for LDAP Directory Service integration and reports misleading timeout errors

TrueNAS version: 25.10.0.1 SCALE

Summary

When configuring LDAP as a Directory Service, TrueNAS generates an invalid /etc/sssd/sssd.conf file that prevents SSSD from successfully enumerating users and groups.

Because of how TrueNAS determines whether a domain is “online,” this failure mode surfaces as a generic 60-second timeout error (“Timed out while waiting for domain to come online”), which strongly suggests a networking or connectivity problem — even though the real issue is an invalid SSSD configuration.

This combination of:

  • invalid config generation
  • and misleading readiness checks

results in a very confusing and time-consuming debugging experience.

Issue 1: Invalid ldap_*_object_class values

TrueNAS writes LDAP filter syntax into SSSD options that expect plain object class names.

Generated (invalid)

ldap_user_object_class = (objectClass=posixAccount)
ldap_group_object_class = (objectClass=groupOfUniqueNames)

Correct / working

ldap_user_object_class = posixAccount
ldap_group_object_class = groupOfUniqueNames

Per SSSD documentation, these options must be object class names, not LDAP filters. Using filter syntax prevents proper enumeration.

Issue 2: Indented INI keys cause mis-parsing

Several LDAP mapping options are written with leading whitespace:

ldap_user_search_base = ou=people,dc=upton,dc=com
    ldap_group_search_base = ou=groups,dc=upton,dc=com
    ldap_user_name = uid
    ldap_user_uid_number = uidNumber
    ldap_user_gid_number = gidNumber
    ldap_user_home_directory = homeDirectory
    ldap_user_shell = loginShell

Because SSSD uses an INI parser where indented lines can be treated as continuation lines, these keys are not reliably parsed. This caused:

  • missing homeDirectory mappings
  • missing loginShell mappings
  • silent fallback to defaults

Removing indentation resolves the issue immediately.

Issue 3: Misleading “domain timeout” error masks configuration failures

When saving the LDAP configuration in the UI, the loading spinner runs for exactly 60 seconds, followed by:

“Timed out while waiting for domain to come online”

After taking a peek at the middleware code, this timeout corresponds to logic that waits for at least one user and one group to be returned via NSS:

for pwd in iterpw(module=NssModule.SSS.name):
    has_users = True
    break

for grp in itergrp(module=NssModule.SSS.name):
    has_groups = True
    break

If neither users nor groups are returned within 60 seconds, the domain is considered offline.

Why this is problematic

  • If the SSSD config is invalid (as in this case), enumeration will never succeed
  • The error message strongly implies a networking or connectivity issue
  • There is no indication that SSSD is running but returning zero results
  • No hint is given to check /etc/sssd/sssd.conf

I’ve seen a few forum posts with this exact error, like this one:
<url to truenas forums> /t/cannot-connect-ldap-timeout-error/47975

Result after manual fixes

After:

  • correcting ldap_user_object_class / ldap_group_object_class
  • removing indentation from all LDAP mapping keys

LDAP integration works correctly:

  • id <ldap-user> resolves immediately
  • UID/GID, home directory, and shell map correctly
  • The domain comes online without timeout

Notes

This appears to be a middleware config-generation issue combined with insufficient error differentiation during domain readiness checks. The issue is fully reproducible and resolves immediately once the generated config is corrected.

Happy to provide logs, additional repro steps, or test against other LDAP backends if helpful.

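Added example, not TrueNAS middleware code: a small Python checker for the two config defects described in Issue 1 and Issue 2 above. It parses a constructed sssd.conf sample with the stdlib INI parser, which, like SSSD's parser in the post, treats indented lines as continuations of the previous value, flags both problems by line number, and applies the two manual fixes from the post.

```python
import configparser
import re

# Constructed sample modelled on the generated config quoted in the post
# (search bases shortened); not real TrueNAS output.
GENERATED = """[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[domain/LDAP]
id_provider = ldap
ldap_search_base = dc=example,dc=com
ldap_user_object_class = (objectClass=posixAccount)
ldap_group_object_class = (objectClass=groupOfUniqueNames)
ldap_user_search_base = ou=people,dc=example,dc=com
    ldap_group_search_base = ou=groups,dc=example,dc=com
    ldap_user_home_directory = homeDirectory
    ldap_user_shell = loginShell
"""

# Matches an LDAP filter written where a bare object class name is expected.
FILTER_RE = re.compile(r"^\(objectClass=([^)]+)\)$", re.IGNORECASE)

def parse(text):
    """Parse with configparser, whose default rule (indented line = continuation
    of the previous value) reproduces the mis-parsing described in Issue 2."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def find_problems(text):
    """Return (lineno, message) pairs for indented keys and filter-style object classes."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("[", "#", ";")):
            continue
        if line[0] in " \t":
            problems.append((n, "indented key is parsed as a continuation line"))
        key, _, value = stripped.partition("=")
        if key.strip().endswith("_object_class") and FILTER_RE.match(value.strip()):
            problems.append((n, "object class given as an LDAP filter"))
    return problems

def fix(text):
    """Apply the post's manual fixes: drop leading whitespace, reduce (objectClass=X) to X."""
    out = []
    for line in text.splitlines():
        line = line.lstrip()
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith("_object_class"):
            m = FILTER_RE.match(value.strip())
            if m:
                line = f"{key.strip()} = {m.group(1)}"
        out.append(line)
    return "\n".join(out) + "\n"
```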

Can you file a Jira ticket on our bug tracker? The forums aren’t really for bug tracking.

Thanks for the reply! I actually tried Jira first after reading this article: Issue Reporting in Jira | TrueNAS Documentation Hub, but I get the following error when clicking the blue “Create” button. No matter how many times I refresh the page it doesn’t seem to work. I even tried with my work account which has full Jira licenses.

I’m not sure if Jira is just bugging out or if I need to be given access. How does that normally work? I’m happy to make a Jira ticket if I’m able!

Is there an update on this? I am running into the same issue where the SSSD config is invalid. I fix the config manually, but then how do I rebuild the cache afterwards? Doing it from the webui gives me the same connection timeout, even with the fixed config.

I have the same problem. When adding, it gets stuck at “Waiting for domain to come online.” After that, however, the connection is shown as “Healthy.” But even manual recaching ends with the error “Waiting for domain to come online.” The LDAP server has no problems with any other services, such as Nextcloud.
However, my config doesn’t look as broken as the one above.

[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.10.11
ldap_search_base = dc=ldap,dc=heim,dc=lan
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = allow
ldap_default_bind_dn = cn=admin,dc=ldap,dc=heim,dc=lan
ldap_default_authtok = REMOVED
enumerate = True
timeout = 10
ldap_search_timeout = 10
ldap_network_timeout = 10
ldap_schema = rfc2307
min_id = 1000

But the message “Waiting for domain to come online” doesn’t really help much either.

@awalkerix and @kyleaupton did you manage to create the issue? I can’t find anything about it in Jira.

Use the Report a Bug in the TrueNAS GUI and make one. If there exists a ticket, they will close as dup or combine them. We don’t have any linked ticket numbers in this thread so I don’t know if it exists. Sometimes they are Private and only TrueNAS Enterprise can see them.