diff --git a/docs/plans/auth-system-replacement.md b/docs/plans/auth-system-replacement.md index 0f4ffc3..3df442f 100644 --- a/docs/plans/auth-system-replacement.md +++ b/docs/plans/auth-system-replacement.md @@ -119,6 +119,33 @@ services.kanidm.enablePam = true; services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net"; ``` +## NAS Integration + +### Current: TrueNAS CORE (FreeBSD) + +TrueNAS CORE has a built-in LDAP client. Kanidm's read-only LDAP interface will work for NFS share permissions: + +- **NFS shares**: Only need consistent UID/GID mapping - Kanidm's LDAP provides this +- **No SMB requirement**: SMB would need Samba schema attributes (deprecated in TrueNAS 13.0+), but we're NFS-only + +Configuration approach: +1. Enable Kanidm's LDAP interface (`ldapbindaddress = "0.0.0.0:636"`) +2. Import internal CA certificate into TrueNAS +3. Configure TrueNAS LDAP client with Kanidm's Base DN and bind credentials +4. Users/groups appear in TrueNAS permission dropdowns + +Note: Kanidm's LDAP is read-only and uses LDAPS only (no StartTLS). This is fine for our use case. + +### Future: NixOS NAS + +When the NAS is migrated to NixOS, it becomes a first-class citizen: + +- Native Kanidm PAM/NSS integration (same as other hosts) +- No LDAP compatibility layer needed +- Full integration with the rest of the homelab + +This future migration path is a strong argument for Kanidm over LDAP-only solutions. + ## Implementation Steps 1. **Create Kanidm service module** in `services/kanidm/` @@ -139,7 +166,8 @@ services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net"; - Configure trusted CA 5. **Test NAS integration** - - Verify UID/GID mapping works with NFS/SMB shares + - Configure TrueNAS LDAP client to connect to Kanidm + - Verify UID/GID mapping works with NFS shares 6. **Migrate auth01** - Remove LLDAP and Authelia services 
@@ -156,7 +184,6 @@ services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net"; - What UID/GID range should be reserved for Kanidm-managed users? - Which hosts should have PAM/NSS enabled initially? - What OAuth2 clients are needed at launch? -- Should LDAP interface be enabled for any legacy services? ## References
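Review bot: `ldapbindaddress = "0.0.0.0:636"` in step 1 of the configuration approach exposes the LDAPS interface on every interface of the Kanidm host, while the section only needs TrueNAS to reach it; bind it to the address TrueNAS will use, or state the firewall rule that limits 636/tcp to the NAS. Step 3 ("bind credentials") should say which account binds and where its secret lives: a dedicated service account limited to reading the attributes TrueNAS needs, with the secret kept out of the repo, rather than an admin account. Step 4 ("Users/groups appear in TrueNAS permission dropdowns") is the expected result, not a configuration action, so it reads better as a verification line after the numbered list. The NFS bullet rests on "consistent UID/GID mapping", but the steps never establish it: add which Kanidm accounts and groups carry POSIX UID/GID values and that those IDs fall in the range the open question "What UID/GID range should be reserved for Kanidm-managed users?" is meant to settle.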
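Review bot: the new "Configure TrueNAS LDAP client to connect to Kanidm" line under step 5 has no pass/fail criterion. Since the NAS Integration section makes LDAPS with an imported internal CA mandatory, add a verification that the TrueNAS client connects only with certificate validation enabled (it should fail before the CA from step 2 is imported, and succeed after), and extend "Verify UID/GID mapping works with NFS shares" to check that the UID/GID values TrueNAS resolves over LDAP match what the NixOS hosts resolve through Kanidm PAM/NSS, which is the consistency the NFS shares actually depend on.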
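Review bot: deleting the open question "Should LDAP interface be enabled for any legacy services?" loses the decision record instead of answering it. The NAS Integration hunk answers it (yes, read-only LDAPS on 636 for TrueNAS), so replace the line with that resolution, and add the follow-on question the "Future: NixOS NAS" section implies: once the NAS moves to native PAM/NSS and "No LDAP compatibility layer needed" holds, when and by whom the LDAP interface gets disabled again, so the extra listener does not outlive its only consumer.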