Prerequisites:
- Make sure LDAP-as-a-Service is configured correctly in JumpCloud. See Use Cloud LDAP.
- Make sure any relevant user/LDAP groups are properly configured. See Create an LDAP Group.
Notes:
- FreeNAS support site: https://www.freenas.org/get-help/.
- This process was last qualified on 10/19/2020 using both 11.2U8 & 11.3U5.
- Users from the LDAP connection are not listed in the FreeNAS GUI. They do, however, appear (together with LDAP groups) in the drop-down menus of the Permissions screen of a dataset once the LDAP service is configured. See the FreeNAS documentation for further details.
- SSH access is limited to local users only by default.
- Once configured, you may have to click Rebuild Directory Service Cache before users are imported from LDAP, and before updates to the JumpCloud Samba user group propagate to FreeNAS.
Importing a Certificate in FreeNAS
To import a certificate in FreeNAS:
- Go to https://certs.godaddy.com/repository/
- Download the GoDaddy Class 2 Certification Authority Root Certificate - G2 (gdroot-g2.crt). This root is the trust anchor FreeNAS will use to validate the certificate presented by ldap.jumpcloud.com.
- Open the .crt file with a text editor, then copy all contents.
- Log in to the FreeNAS Administrator Dashboard.
- Go to System > CAs, then click Import CA.
- Paste the certificate contents into the Certificate input field.
- Use the Identifier field (e.g. GoDaddy_Root_G2) to name the certificate.
- Leave the Private Key and Passphrase / Confirm Passphrase fields blank.
- If you have the serial number of the certificate, enter it in the Serial field; otherwise enter 1.
- Click OK.
Configuring LDAP in FreeNAS
To find the values for the Hostname, Base DN, Bind DN and Bind Password fields below, see Use Cloud LDAP.
- Log in to the FreeNAS Administrator Dashboard.
- Go to Directory Service > LDAP.
- Provide the following information:
- Hostname: ldap.jumpcloud.com
- Base DN: o=YOUR_ORG_ID,dc=jumpcloud,dc=com
- Bind DN: uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
- Bind Password: LDAP_BINDING_USER_PASSWORD
- Enable: Checked
Configuring START_TLS LDAP Settings in FreeNAS 11.2
To configure advanced LDAP settings in FreeNAS 11.2:
- Log in to the FreeNAS Administrator Dashboard.
- Go to Directory Service > LDAP.
- Click Advanced Mode.
- Set Encryption Mode to TLS. This is the 11.2 option that corresponds to the START_TLS setting in 11.3: the connection starts as plain LDAP on port 389 and is upgraded to TLS.
- For Certificate, select the name of the certificate you imported. See Importing a Certificate in FreeNAS above for more information.
- Check the Samba Schema option.
- Click the Save button to complete the LDAP and LDAP Advanced Configurations.
Configuring START_TLS LDAP Settings in FreeNAS 11.3
FreeNAS 11.3 made major changes to the way it communicates and authenticates with LDAP over secure channels. In FreeNAS 11.3 the service that handles LDAP authentication is nslcd, whereas 11.2 used sssd.
In FreeNAS 11.3, nslcd validates the START_TLS session against the CA bundle in /etc/ssl/truenas_cacerts.pem. The CA does not encrypt the session itself; it is what lets nslcd verify the server certificate presented by ldap.jumpcloud.com. You can check the generated LDAP configuration in /usr/local/etc/nslcd.conf.
To configure advanced LDAP settings in FreeNAS 11.3:
- Log in to the FreeNAS Administrator Dashboard.
- Go to Directory Service > LDAP.
- Click Advanced Mode.
- Set Encryption Mode to START_TLS.
- Check Validate Certificates. Without it, nslcd still negotiates START_TLS but accepts any server certificate, so the bind credentials could be sent to anyone able to intercept the connection.
- For Certificate, leave blank (nslcd will use the CA you created in Importing a Certificate in FreeNAS, which is stored in /etc/ssl/truenas_cacerts.pem).
- Check the Samba Schema option.
- Click the Save button to complete the LDAP and LDAP Advanced Configurations.
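The following script is an added example, not JumpCloud or FreeNAS code. It checks, offline, the two artefacts the Importing a Certificate in FreeNAS and FreeNAS 11.3 steps above are supposed to produce: that the imported root really is inside /etc/ssl/truenas_cacerts.pem, and that /usr/local/etc/nslcd.conf asks for START_TLS with certificate validation against that bundle. It assumes the nslcd.conf directive names documented in the nslcd manual (uri, ssl, tls_reqcert, tls_cacertfile) and the paths named in this article; the configuration files and PEM blocks it creates are constructed for the demo, and the PEM bodies are placeholder text, not real certificates. The optional live_check function assumes the OpenLDAP ldapsearch client is installed on the FreeNAS host.

```shell
#!/bin/sh
# Added example (not JumpCloud or FreeNAS code): offline checks for the
# result of the certificate import and the 11.3 START_TLS configuration.
# Assumes nslcd(8) directive names and the paths named in the article.
# All files written below are constructed for the demo; the PEM bodies
# are placeholder text, not real certificates.

# pem_body FILE: print the certificate body in FILE as one unwrapped
# base64 line, with the BEGIN/END markers and all whitespace removed.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '/^-----/d' | tr -d ' \t\r\n'
}

# bundle_has_cert BUNDLE CERT: succeed if the certificate in CERT is one of
# the certificates in the PEM bundle BUNDLE, regardless of line wrapping.
bundle_has_cert() {
    want=$(pem_body "$2")
    [ -n "$want" ] || return 1
    awk '/-----BEGIN CERTIFICATE-----/ { b = ""; next }
         /-----END CERTIFICATE-----/   { print b; next }
         { gsub(/[ \t\r]/, ""); b = b $0 }' "$1" | grep -qxF "$want"
}

# check_nslcd_conf FILE: succeed only if FILE talks plain LDAP to
# ldap.jumpcloud.com upgraded with START_TLS, demands a valid server
# certificate, and validates it against the CA bundle. Each missing
# directive is reported on stderr.
check_nslcd_conf() {
    rc=0
    for want in 'uri ldap://ldap.jumpcloud.com' \
                'ssl start_tls' \
                'tls_reqcert demand' \
                'tls_cacertfile /etc/ssl/truenas_cacerts.pem'; do
        grep -qxE "[[:space:]]*$want[[:space:]]*" "$1" \
            || { echo "nslcd.conf: missing '$want'" >&2; rc=1; }
    done
    return $rc
}

# live_check BINDDN BINDPW BASE: optional online test to run by hand on the
# FreeNAS console (assumes the OpenLDAP ldapsearch client is installed).
# -ZZ makes ldapsearch fail unless StartTLS succeeds, and LDAPTLS_REQCERT=demand
# makes it reject a server certificate that the bundle cannot validate.
live_check() {
    LDAPTLS_CACERT=/etc/ssl/truenas_cacerts.pem LDAPTLS_REQCERT=demand \
        ldapsearch -ZZ -x -H ldap://ldap.jumpcloud.com -D "$1" -w "$2" \
            -b "$3" -s base '(objectClass=*)' dn
}

# --- constructed sample input (placeholder data, not real certificates) ---
TMP=$(mktemp -d)
CA="$TMP/gdroot-g2.crt"; OTHER="$TMP/other-root.crt"
BUNDLE="$TMP/truenas_cacerts.pem"
GOOD="$TMP/nslcd.good.conf"; BAD="$TMP/nslcd.bad.conf"

# The "imported" root, wrapped over two lines as a downloaded .crt would be.
cat > "$CA" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCAbodyNOTAREALCERTIFICATE0000
AAAAplaceholderRootCAbodySecondLine
-----END CERTIFICATE-----
EOF
# A root that was never imported.
cat > "$OTHER" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderSomeUnrelatedRootCA
-----END CERTIFICATE-----
EOF
# A bundle like the one FreeNAS builds: another CA first, then our root,
# this time on a single line.
cat > "$BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAalreadyShippedWithTheSystem
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCAbodyNOTAREALCERTIFICATE0000AAAAplaceholderRootCAbodySecondLine
-----END CERTIFICATE-----
EOF
# What the article's 11.3 settings should produce ...
cat > "$GOOD" <<'EOF'
uri ldap://ldap.jumpcloud.com
base o=YOUR_ORG_ID,dc=jumpcloud,dc=com
binddn uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
bindpw LDAP_BINDING_USER_PASSWORD
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/truenas_cacerts.pem
log /var/log/nslcd.log debug
EOF
# ... and a weak variant: no START_TLS, and any certificate "allowed".
sed -e 's/^ssl start_tls$/ssl off/' -e 's/^tls_reqcert demand$/tls_reqcert allow/' \
    "$GOOD" > "$BAD"

check_nslcd_conf "$GOOD" && echo "nslcd.conf: START_TLS with certificate validation"
bundle_has_cert "$BUNDLE" "$CA" && echo "CA bundle: imported root present"
```

On a real system, point check_nslcd_conf at /usr/local/etc/nslcd.conf and bundle_has_cert at /etc/ssl/truenas_cacerts.pem and the downloaded gdroot-g2.crt. After clicking Rebuild Directory Service Cache, getent passwd followed by an LDAP user name from the FreeNAS shell confirms that nslcd is actually resolving JumpCloud users. The checks do not apply to 11.2, whose sssd configuration uses different files and directives.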
Optional settings for logging:
- You can send nslcd's logging to its own file for troubleshooting using the Auxiliary Parameters field of the LDAP configuration in the UI.
- Add the following line to create a dedicated nslcd log file under /var/log at debug level:
log /var/log/nslcd.log debug
- Debug output is verbose and records every lookup; remove the line again once troubleshooting is finished.