TrueNAS CORE
TrueNAS Enterprise
TrueNAS SCALE
TrueCommand
Compare Editions
Software Status
FreeNAS
Systems Overview
M-Series
X-Series
R-Series
Mini Series
Download TrueNAS CORE
Download TrueNAS SCALE
Get TrueNAS EnterpriseCreating User Accounts
8 minute read.
Last Modified 2022-11-01 10:39 -0400TrueCommand has a robust user management system designed to allow TrueCommand administrators to personalize the TrueCommand experience for each user account. You can create user accounts in the TrueCommand interface. Alternatively, LDAP can automatically create new user accounts when someone logs into TrueCommand with their LDAP credentials.
TrueCommand also organizes user accounts into teams so admins can simultaneously manage many user accounts.
TrueCommand has two levels of accounts - administrators, and users:
Administrators can add and remove users and servers. Administrators can also assign users to teams and servers to groups. Administrators have full access to all alerts and reports.
Users, however, can only interact with the servers they are assigned by an administrator.
Users can configure alerts and generate reports on their respective systems.
To create a new user account, open the Configure settings menu and click Users > + NEW USER. Enter a descriptive user name and an authentication method for the user.
TrueCommand uses the default authentication method to create unique credentials for logging in to the web interface. The administrator must provide these credentials to the intended user.
Two-factor authentication double-checks the authentication of an account user. The first verification occurs when the user logs in with a username and a password. Two-factor authentication adds an extra step in the process, a second security layer, that re-confirms their identity. If basic password security measures are in place, two-factor authentication makes it more difficult for unverified users to log in to your account.
Enabling two-factor authentication requires an already-authenticated email address. Authenticating a user email address requires first setting up SMTP Email in Settings-> Alert Services.
To verify a user email address and set 2FA:
- Enter the email address for the user and click Save Changes.
- Check the user’s email account for the verification code. Copy the code from the email.
- Paste the code in the Confirmation code field in the confirmation window. Click OK.
- Set Enable 2FA and click Save Changes.
TrueCommand supports using LDAP to better integrate within an established network environment. LDAP/AD allows using single sign-on credentials from the Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). Users can log in with an LDAP or AD account without creating a separate TrueCommand login.
LDAP and AD require the server IP address or DNS hostname and domain to use. The LDAP or AD Username (optional) is required when the TrueCommand user name does not match the LDAP or AD credentials.
Click on the settings (Gear) > Administration.
Click on the Configuration tab and scroll down to access the LDAP configuration section.
Click ADD SERVER to begin configuring LDAP in TrueCommand. The screen changes to display the LDAP configuration settings fields.
To configure LDAP, type the LDAP server IP address or DNS hostname into the LDAP Server URL field, type the domain name in the Domain field, and click ADD SERVER. You can add multiple LDAP servers and domains.
The Test LDAP Config icon opens a window that allows you to test your connection to the LDAP server. The Remove LDAP Server icon removes the selected LDAP server.
| Field | Value |
|---|---|
| LDAP Server URL (string, required) | IP or DNS name of the LDAP server, with port number on the end. Example: ldap.mycorp.com:636 (SSL port is typically 636 for AD/LDAP) |
| Domain (string, required) | Base domain settings of the user. Example: dc=mycorp,dc=com for a typical username@mycorp.com user account |
| Group Domain (string) | The alternative domain setting to use when searching for groups. The default value is the same as Domain |
| Verify SSL (bool) | Require strict SSL certificate verification. The default value is false. Disable this option if the hostname of the system is different than the one listed on the SSL certificate, an IP is used for the connection instead of the DNS hostname, or if a self-signed certificate is used by the LDAP server. |
| User ID Field (string) | Domain fieldname to use for user-matching. The default value is uid (user ID). Another field commonly-used is cn (common name) |
| Group ID Field (string) | The domain fieldname to use when searching for a group name. The default value is cn (common name). |
| BIND User Domain (string) | The full domain setting for a pre-authenticated bind to the server. Example: uid=binduser,cn=read-only-bind,dc=mycorp,dc=com For an unauthenticated bind set this field to just a name (example: truecommand-bin). This is sometimes used for logging purposes on the LDAP, but otherwise is not validated. |
| BIND Password (string) | The password to use for the bind user. For an unauthenticated bind, leave this field blank while setting the BIND User Domain to a non-empty value. |
TrueCommand supports two common methods of validating LDAP user credentials:
The direct BIND method uses the Domain and User ID Field values to create a static domain string for user authentication.
Example:
- Domain: dc=mycorp,dc=com
- User ID Field: uid
When bobby.singer attempts to log in, TrueCommand establishes an SSL-secure connection to the LDAP server and then attempts to bind with the static domain uid=bobby.singer,dc=mycorp,dc=com and the user-provided password. If successful, the user authentication is verified, and Bobby Singer may access TrueCommand.
The indirect BIND authentication method is more dynamic and searches for the proper user domain settings rather than making format assumptions. With TrueCommand, indirect BIND configures a bind user (typically a read-only, minimal-permissions user account) with a known domain/password to perform the initial bind to the LDAP server. Once logged in, TrueCommand searches for the user domain currently requesting to login. It then attempts a second bind with the user domain and provided password.
Example:
- Domain: dc=mycorp,dc=com
- User ID Field: uid
- BIND User Domain: uid=binduser,cn=read-only-bind,dc=mycorp,dc=com
- BIND Password: pre-shared-key
When bobby.singer attempts to log in, TrueCommand establishes an SSL-secure connection to the LDAP server. TrueCommand uses the BIND User Domain and BIND Password settings to perform an initial bind using pre-known settings from your LDAP provider. Once bound, TrueCommand searches for the user matching uid=bobby.singer, but only within the subdomains that include the domain setting (dc=mycorp,dc=com in this example). If TrueCommand finds a user, it uses the entire user domain string from the search result to initialize a second bind along with the user-provided password. If successful, TrueCommand verifies the user authentication, and Bobby Singer is allowed access to TrueCommand.
WARNING: AD/LDAP authentication requires SSL connections.
If the LDAP server uses an SSL certificate generated by a custom certificate authority (CA), then one of two things must occur before TrueCommand can use the LDAP server:
- (Option 1) Users must register the custom certificate authority with TrueCommand via the Certificates tab on the Administration screen.
- (Option 2) Users can disable the Verify SSL option to accept whatever SSL certificate the server provides. Users might need to choose Option 2 if the LDAP server hostname differs from the one listed on the certificate or if the server uses a self-signed SSL certificate.
Selecting Allow LDAP user creation means TrueCommand creates user accounts when someone logs in to the User Interface with their LDAP credentials. JOIN TEAM automatically adds LDAP users to specific TrueCommand teams.
You can assign users to existing teams by selecting a team from the Teams drop-down to add the user to that team. You can assign users to multiple teams. TrueCommand applies team permissions to any user added to a team, but setting specific permissions for the user can override related team permissions. For more indepth information regarding teams, see the Teams Documentation.
To limit non-administrative account access to connected systems, configure the System Access and/or System Groups sections. This requires first configuring system connections and/or system groups in TrueCommand.
Click ADD SYSTEM and select a system from the drop-down to give the user access to that system. To restrict the user to only viewing details about the system, set the read permission. To remove user access to a particular system, click - (minus) on that system.
When system groups are available, an ADD GROUP button displays. Click ADD GROUP and select a group from the drop-down list to give the user access to all the systems in that group. To assign a user a type of access to the group, choose read or read/write permissions. To remove user access to a particular system group, click - (minus) on the desired group.
TrueCommand users can reset their passwords from the login screen. After typing their username click the FORGOT PASSWORD button.
Enter the user email address (or where you want to send the reset login code).
An [AUTH] TrueCommand Password Reset email should arrive with the reset password login code. After receiving the code, enter the user name in the login screen and the reset password code and click SIGN IN. The user can then go to their profile to change their password.
