goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

TrueNAS Scale LDAP naming schema #6217

Open AirP0WeR opened 1 year ago

AirP0WeR commented 1 year ago

Hi there!

Got an issue with the LDAP connection to TrueNAS Scale.

Authentik uses uid: Unique user identifier, but in TrueNAS I see that uid is used as the username. I think other mappings are broken too.

Can I change Mapping Schema in Authentik?

Screenshots: getent passwd output (image not included)

PS: The main task is to implement authentication to TrueNAS.

nikdoof commented 1 year ago

I suspect you may need to use the Aux Parameters section under Advanced to provide some extra params:

https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5

Much like the QNAP setup, you may need to map uid to cn

karelkryda commented 1 year ago

Hi, I am trying to connect my Authentik LDAP with TrueNAS Core. Unfortunately I also encountered this problem where I see long IDs instead of usernames. In the LDAP configuration I added nss_map_attribute uid cn to the Other Parameters section, but I still only see IDs. I also set up Idmap for LDAP, but no change either. I am attaching screenshots of my configuration (images not included).

Thank you in advance for your advice

nikdoof commented 1 year ago

Sorry I've not tested properly on Core, but for Scale:

Aux Parameters

map passwd uid cn

Some further checks for homedir mapping and maybe some other attributes but I'll update this as I find out.

rinseaid commented 1 year ago

I've ended up with the below Auxiliary Parameters (also on TrueNAS Scale):

map passwd uid cn
map passwd loginShell "/bin/bash"
map passwd homeDirectory "/path/to/home/$cn"
filter group (objectClass=group)

The filter group was necessary for the 'virtual-groups' created automatically for each authentik user. For whatever reason when nslcd queries the LDAP outpost with "(&(objectClass=posixGroup)(gidNumber=2034))", no results are returned. Changing 'posixGroup' to 'group' in the LDAP query fixes this for some reason. The weird thing is, the group does in fact have the posixGroup objectClass. This issue only appears to affect the virtual-groups, also, as other groups manually created in Authentik work fine with the same queries. @BeryJu, is this by design?

Not working:

>  ldapsearch (...) "(&(objectClass=posixGroup)(gidNumber=2034))"
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=posixGroup)(gidNumber=2034))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Working:

> ldapsearch (...) "(&(objectClass=group)(gidNumber=2034))"
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=group)(gidNumber=2034))
# requesting: ALL
#

# rinseaid, virtual-groups, domain.com
dn: cn=rinseaid,ou=virtual-groups,dc=domain,dc=com
sAMAccountName: rinseaid
gidNumber: 2034
ak-superuser: false
objectClass: group
objectClass: groupOfUniqueNames
objectClass: groupOfNames
objectClass: goauthentik.io/ldap/group
objectClass: posixGroup
objectClass: goauthentik.io/ldap/virtual-group
member: cn=rinseaid,ou=users,dc=domain,dc=com
cn: rinseaid
uid: xyzlongstringxyz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Working with posixGroup for non-virtual group:

> ldapsearch (...) "(&(objectClass=group)(gidNumber=32103))"
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree
# filter: (&(objectClass=group)(gidNumber=32103))
# requesting: ALL
#

# guacamole-users, groups, domain.com
dn: cn=guacamole-users,ou=groups,dc=domain,dc=com
gidNumber: 32103
ak-superuser: false
objectClass: group
objectClass: groupOfUniqueNames
objectClass: groupOfNames
objectClass: goauthentik.io/ldap/group
objectClass: posixGroup
member: cn=rinseaid,ou=users,dc=domain,dc=com
cn: guacamole-users
uid: xyzlongstringxyz
sAMAccountName: guacamole-users

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
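
The puzzle in the comment above is that the virtual group clearly carries objectClass posixGroup, yet the outpost returns nothing for the posixGroup filter that nslcd sends. The following is an added example (not from the thread, not authentik code): a small client-side evaluator for the '&' plus equality subset of LDAP filters, run over the LDIF entries quoted above (trimmed to the attributes that matter), so you can confirm that both filters should match the same entry and that the discrepancy is in the server's filter handling rather than in nslcd's query.

```python
import re

# Constructed from the two LDIF entries quoted in the thread above (trimmed).
LDIF = """\
dn: cn=rinseaid,ou=virtual-groups,dc=domain,dc=com
gidNumber: 2034
objectClass: group
objectClass: posixGroup
objectClass: goauthentik.io/ldap/virtual-group
cn: rinseaid

dn: cn=guacamole-users,ou=groups,dc=domain,dc=com
gidNumber: 32103
objectClass: group
objectClass: posixGroup
cn: guacamole-users
"""

def parse_ldif(text):
    """Minimal LDIF reader (no folding, no base64); blank lines separate entries."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def matches(entry, flt):
    """Evaluate a filter restricted to '&' and equality, as in nslcd's group lookup."""
    if flt.startswith("(&"):
        # split "(a=b)(c=d)..." into top-level sub-filters by tracking paren depth
        inner, depth, start, parts = flt[2:-1], 0, 0, []
        for i, ch in enumerate(inner):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                parts.append(inner[start:i + 1])
                start = i + 1
        return all(matches(entry, p) for p in parts)
    attr, value = re.fullmatch(r"\(([\w-]+)=([^()]*)\)", flt).groups()
    # equality is case-insensitive for objectClass and numeric-string attributes
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))

def search(flt, ldif=LDIF):
    """DNs a conforming server should return for this filter, evaluated client-side."""
    return [e["dn"][0] for e in parse_ldif(ldif) if matches(e, flt)]
```

Running the two filters from the comment against the quoted entries returns the virtual group for both, which is what a conforming directory would do; an empty result for the posixGroup variant therefore points at the outpost's handling of that objectClass, not at the nslcd side.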

pbvdven commented 10 months ago

@rinseaid Were you able to use authentik LDAP for Samba login on TrueNAS Scale? I have set up LDAP in TrueNAS and now see users and groups. When I add an LDAP user to a share in TrueNAS that's also working, but the user can't log in on the share; it says username/password not valid. Any idea what I'm missing? Do I need to set up Kerberos realms? And is it even possible with authentik?

I use your Auxiliary Parameters, thanks for that.

rinseaid commented 10 months ago

@pbvdven unfortunately I wasn't able to get this fully working, but I did discover a hacky solution that worked well enough for me. Basically the issue is that neither Kerberos nor the schema required by Samba are currently supported by authentik's LDAP outpost.

What I ended up doing was first establishing the LDAP configuration in TrueNAS, then creating a local user with the same username in TrueNAS local user configuration. The combined user has the group memberships I needed from authentik LDAP (check with id <username> from terminal), and from the local side has the ability to authenticate to SMB. The downsides to this approach are that it doesn't scale, and I think it may break after TrueNAS updates/reboots.