From 3dc4422ba07c4321b95d7bcee93e894026114ce5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Thu, 5 Feb 2026 23:24:37 +0100
Subject: [PATCH] docs: add NAS integration notes to auth plan

Document TrueNAS CORE LDAP integration approach (NFS-only) and future NixOS NAS migration path with native Kanidm PAM/NSS.

Co-Authored-By: Claude Opus 4.5
---
 docs/plans/auth-system-replacement.md | 31 +++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/docs/plans/auth-system-replacement.md b/docs/plans/auth-system-replacement.md
index 0f4ffc3..3df442f 100644
--- a/docs/plans/auth-system-replacement.md
+++ b/docs/plans/auth-system-replacement.md
@@ -119,6 +119,33 @@ services.kanidm.enablePam = true;
 services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net";
 ```
 
+## NAS Integration
+
+### Current: TrueNAS CORE (FreeBSD)
+
+TrueNAS CORE has a built-in LDAP client. Kanidm's read-only LDAP interface will work for NFS share permissions:
+
+- **NFS shares**: Only need consistent UID/GID mapping - Kanidm's LDAP provides this
+- **No SMB requirement**: SMB would need Samba schema attributes (deprecated in TrueNAS 13.0+), but we're NFS-only
+
+Configuration approach:
+1. Enable Kanidm's LDAP interface (`ldapbindaddress = "0.0.0.0:636"`)
+2. Import internal CA certificate into TrueNAS
+3. Configure TrueNAS LDAP client with Kanidm's Base DN and bind credentials
+4. Users/groups appear in TrueNAS permission dropdowns
+
+Note: Kanidm's LDAP is read-only and uses LDAPS only (no StartTLS). This is fine for our use case.
+
+### Future: NixOS NAS
+
+When the NAS is migrated to NixOS, it becomes a first-class citizen:
+
+- Native Kanidm PAM/NSS integration (same as other hosts)
+- No LDAP compatibility layer needed
+- Full integration with the rest of the homelab
+
+This future migration path is a strong argument for Kanidm over LDAP-only solutions.
+
 ## Implementation Steps
 
 1. **Create Kanidm service module** in `services/kanidm/`
@@ -139,7 +166,8 @@ services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net";
 - Configure trusted CA
 
 5. **Test NAS integration**
-- Verify UID/GID mapping works with NFS/SMB shares
+- Configure TrueNAS LDAP client to connect to Kanidm
+- Verify UID/GID mapping works with NFS shares
 
 6. **Migrate auth01**
 - Remove LLDAP and Authelia services
@@ -156,7 +184,6 @@ services.kanidm.clientSettings.uri = "https://auth.home.2rjus.net";
 - What UID/GID range should be reserved for Kanidm-managed users?
 - Which hosts should have PAM/NSS enabled initially?
 - What OAuth2 clients are needed at launch?
-- Should LDAP interface be enabled for any legacy services?
 
 ## References