freeIPA LDAP configuration in Dragonfish 24.04

Hi everyone, newbie here. I am trying to set up FreeIPA LDAP integration in TrueNAS to authenticate users for NFS shares. I can't wrap my head around it and have hit a wall.

I saw in the release notes for Dragonfish 24.04 that FreeIPA support has been officially added, so I wanted to try it, as I am trying to learn FreeIPA. The server is working fine for DNS, NTP, and authenticating users in Linux, Nextcloud and pfSense (OpenVPN).

I found some tutorials and forum posts, but most of them are old and written for TrueNAS CORE / FreeNAS.

Where can I find more info about what has been added in 24.04 to better support FreeIPA?

Thanks in advance!


I'm also trying to set up FreeIPA LDAP integration in Dragonfish and am struggling as well. Would love to find more info on FreeIPA with TrueNAS.

FreeIPA support is in 24.04, but the front-end UI is not ready yet, so you won't be able to add this yet.
Instructions for adding FreeIPA will be added to the Documentation Hub as soon as this feature is ready for users to implement!


Oh, I will be waiting for this in the future then!

In the meantime, I've kept trying to make it work. Here is where I am at right now:

Let’s say I am trying to add the example.com realm.

I managed to have the LDAP Directory Service shown as "Healthy", but no actual user is being retrieved: I cannot see them in the dropdown menus of Dataset permissions, nor in the shell with

id <user_to_test>

I do however see the groups.

An ldapsearch with an appropriate filter from the shell does work:

# -x forces a simple bind; without it OpenLDAP's ldapsearch tries SASL first
# and the -D/-w credentials are not used. -w puts the password in the process
# list and shell history; -W prompts for it instead.
ldapsearch -x -b "dc=example,dc=com" -H ldap://ipamaster.example.com \
-D "uid=truenas.connect,cn=users,cn=accounts,dc=example,dc=com" \
-w mysupersecretpassword -s sub \
"(memberOf=cn=nextcloud_users,cn=groups,cn=accounts,dc=example,dc=com)"

I also changed the idmap setting to accommodate the range used by FreeIPA (from 1,000,000,001 to 2,000,000,000), getting inspiration from this FreeNAS guide.

I suppose I need to tell TrueNAS how to retrieve the usernames, but I do not understand how to do that from the provided documentation.

Damn, I feel so close. It's frustrating. If I manage to make it work reliably, I'll try to write a somewhat comprehensive "guide" here.
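One check worth running before touching TrueNAS settings is whether every uidNumber and gidNumber FreeIPA hands out actually falls inside the idmap range configured on the NAS: an id outside that range is exactly the kind of account that resolves with ldapsearch but never shows up in `id` or the permissions dropdown. The script below is an added example, not code from the thread or from TrueNAS. It parses the LDIF that `ldapsearch -LLL` prints and reports ids outside the 1,000,000,001 to 2,000,000,000 range mentioned above. The LDIF in it is constructed (the `legacy` account with uid 5001 is invented to show an out-of-range hit); on a real system you would feed it the saved output of the ldapsearch command from the post, with `-LLL` added.

```python
"""Check FreeIPA uidNumber/gidNumber values against a TrueNAS idmap range.

Added example, not part of the original thread or of TrueNAS itself.
The LDIF below is constructed to resemble `ldapsearch -LLL` output; the
range 1000000001-2000000000 is the one the post configures.
"""
import base64

# Constructed sample. `legacy` deliberately sits outside the FreeIPA range.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
displayName:: QWxpY2UgU21pdGg=
uidNumber: 1000000501
gidNumber: 1000000501
memberOf: cn=nextcloud_users,cn=groups,cn=accounts,
 dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
uidNumber: 1000000502
gidNumber: 1000000502

dn: uid=legacy,cn=users,cn=accounts,dc=example,dc=com
uid: legacy
uidNumber: 5001
gidNumber: 5001

dn: cn=nextcloud_users,cn=groups,cn=accounts,dc=example,dc=com
cn: nextcloud_users
gidNumber: 1000000600
"""


def parse_ldif(text):
    """Parse plain LDIF into a list of entries (dict: attribute -> values).

    Handles the two LDIF details that trip up ad-hoc grep/awk: folded lines
    (a leading space continues the previous line) and `attr:: value`, which
    is base64 (FreeIPA uses it for any non-ASCII value).
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):       # "attr:< <url>", keep the URL as-is
            value = value[1:].strip()
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def id_attrs(entries):
    """Yield (dn, attribute, numeric id) for every uidNumber/gidNumber."""
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in ("uidNumber", "gidNumber"):
            for value in entry.get(attr, []):
                yield dn, attr, int(value)


def check_idmap(entries, low, high):
    """Split every POSIX id into those inside [low, high] (mappable by the
    NAS) and those outside it (resolvable in LDAP but invisible locally)."""
    ok, bad = [], []
    for dn, attr, n in id_attrs(entries):
        (ok if low <= n <= high else bad).append((dn, attr, n))
    return {"in_range": ok, "out_of_range": bad}


def observed_range(entries):
    """Smallest and largest id actually present, i.e. the minimum span the
    idmap range must cover; None if the LDIF carries no POSIX ids."""
    ids = [n for _, _, n in id_attrs(entries)]
    return (min(ids), max(ids)) if ids else None


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    report = check_idmap(found, 1_000_000_001, 2_000_000_000)
    for dn, attr, n in report["out_of_range"]:
        print(f"outside idmap range: {attr}={n} on {dn}")
    print("observed id range:", observed_range(found))
```

To run it against a real server, save the ldapsearch output with `-LLL` (and without the memberOf filter, so groups and all users are included) to a file and pass its contents to `parse_ldif`. Anything listed under `out_of_range` will bind and search fine but will not be resolvable by `id` on the NAS until the idmap range is widened.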

Ok, I feel even dumber. I did the good old reboot and everything works fine. Well... I guess I only needed to formalise the problem for it to solve itself! Every wanted user and group can be assigned to dataset permissions, and users are part of the correct groups.

I'll do a bit more real testing and come back here in a few days to summarise what I've learned, in case some people are interested.
