I’ve set up LDAPS but am having issues with the bind account. Everything works if I enable anonymous binding; however, if I disable it, I get an error message:
Remote LDAP server returned response that credentials are invalid.
Yes, the password is correct. My suspicion is the bind account DN. My LDAP schema uses uid for the user naming attribute. By choosing “RFC 2307” in TrueNAS, I suspect that the lookup is doing something like member=CN=bind_account and simply not finding the user.
Saying that I’m mediocre with LDAP would be a compliment, so any help here is appreciated!
TrueNAS should only need the root CA’s public certificate for LDAPS. However, I’m a little confused with TrueNAS’s certificate interface.
I did create a client cert for the TrueNAS server (for HTTPS), which I added to “Certificates” in the GUI. I also uploaded the CA chain (sub + root) to “Certificate Authorities” in the GUI. However, I’m starting to think that the “Certificate Authorities” section is only for certs to make TrueNAS a CA, rather than establish trust with external CAs.
When I configure LDAPS, it requires that I pick a cert to perform the lookup with; however, it only allows me to select certs from the “Certificates” category rather than “Certificate Authorities”.
The goal is to set up LDAPS and Kerberos for centralized identity management rather than having local accounts scattered about my network. I’m not using AD, but rather RHEL’s IdM services.
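A way to check the bind DN, password and CA trust outside TrueNAS before touching its LDAP form, added here as an example and not taken from the thread or from TrueNAS itself. It assumes a FreeIPA/IdM server at ldaps://ipa.example.com, its root CA saved as /tmp/ipa-ca.pem and a bind account with uid=truenas_bind; all of these names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic; server name, CA path and account are hypothetical placeholders.

# Turn a DNS domain into an LDAP base DN: example.com -> dc=example,dc=com
domain_to_base_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# FreeIPA keeps users under cn=users,cn=accounts,<base> and names them by uid
# (RFC 2307 style), so the bind DN must start with uid=..., not CN=... as in AD.
ipa_user_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s' "$1" "$2"
}

# Simple bind over LDAPS with the given DN, then read back the bind account's
# own entry. LDAPTLS_CACERT limits trust to the named CA file, so a TLS failure
# here (bad chain) is distinguishable from "credentials are invalid" (bad DN or
# password), which is exactly the split needed when the GUI only says the latter.
ldaps_bind_check() {
    uri="$1"; bind_dn="$2"; pw="$3"; cacert="$4"
    LDAPTLS_CACERT="$cacert" ldapsearch -LLL -x -H "$uri" \
        -D "$bind_dn" -w "$pw" -b "$bind_dn" -s base uid memberOf
}

# Usage: BIND_PW='...' sh ldaps-check.sh   (does nothing when BIND_PW is unset)
if [ -n "${BIND_PW:-}" ]; then
    base="$(domain_to_base_dn ipa.example.com)"
    dn="$(ipa_user_dn truenas_bind "$base")"
    echo "Binding as: $dn"
    ldaps_bind_check ldaps://ipa.example.com "$dn" "$BIND_PW" /tmp/ipa-ca.pem
fi
```

If the bind succeeds here but fails in TrueNAS, the DN and password are fine and the problem is on the TrueNAS side (certificate selection or the schema choice); if it fails here with a TLS error, the CA chain is the issue rather than the credentials.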
I did manage to get LDAPS working properly, so thank you for clarifying the GUI certificate manager. I removed the initial CA cert chain that I had imported and re-uploaded it. Not sure what went wrong in the first place.
Anyways, that was the easy part, unfortunately. Now the Kerberos part. I wish that I was using AD because it makes things so much easier. AD is one of the few products that Microsoft actually did well…
If the IDM solution is based on FreeIPA, you can test out the Electric Eel BETA. We have added support for proper IPA join there. You just need to configure DNS correctly first and use the hostname of the IPA server for the LDAP bind, and we will automatically create the Kerberos configuration, keytabs, etc.
Yup, IDM uses FreeIPA on the backend. The full support for FreeIPA is very exciting! Since I unfortunately already have this NAS up and running with data on it, I may hold off on beta testing in the short term, but I will definitely follow along! I may even hold off on the Kerberos implementation until a stable version of Electric Eel comes out. Thanks for that info!