LDAP for local account login


pitt1717

Explorer
Joined
Jan 13, 2013
Messages
66
So I'm trying to learn OpenLDAP and have the server set up. I can authenticate a Linux client and pfSense fine, and can even gain sudo in Linux and manage my pfSense box with my user as if I had logged in as admin. I am trying to do the same for FreeNAS but can't get it to work.
If I go to directories and go to permissions, I can see my LDAP user, so FreeNAS is finding the server/tree fine, but if I put my user in the wheel group (created on the LDAP server) (as that is the group the FreeNAS root user is in) I can't log in to the GUI with my user. Is there any way to allow my user GUI access to manage FreeNAS?
Since I went virtual with ESX, I'm trying to manage my users a little better now and figured I would start with management users for my Linux servers, pfSense, FreeNAS and Cisco gear.

thanks
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Is there any way to allow my user GUI access to manage FreeNAS?
No. Only the local root user can log in to the webGUI.

Now that I think about it, I'm not sure anyone's filed a ticket for this yet, despite the frequency of the question...
 

BaT

Explorer
Joined
Jun 16, 2017
Messages
62
It would be handy to get more details on how you see such an authentication working.

Effectively the WebGUI works as the local root user, so what you may want to see is something like the Windows Local Admins and Domain Admins groups, members of which would either become root or have its privileges.

Also, not sure what to do with CLI access: let those members sudo to UID 0, or just make them an alias of root by assigning UID/GID=0.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
so what you may want to see is something like the Windows Local Admins and Domain Admins groups, members of which would either become root or have its privileges.

Is there a way to do this? FreeNAS is one of the few appliances we have that we cannot use AD groups to control (to the best of my knowledge). I personally don't care if all allowed users have full access, I just want to be able to term an employee without having to change the FreeNAS root password.
 

BaT

Explorer
Joined
Jun 16, 2017
Messages
62
Is there a way to do this? FreeNAS is one of the few appliances we have that we cannot use AD groups to control (to the best of my knowledge). I personally don't care if all allowed users have full access, I just want to be able to term an employee without having to change the FreeNAS root password.
At the moment there is no such functionality. But there is a ticket referring to this thread, so something may appear in later versions of FreeNAS.

But it would be great to have a better overview of what functionality is expected by the end users and what their use cases are.

Adding something like a Domain Admins group with members having local root privilege is fairly easy. On the other side, if we started to talk about fine-grained permissions for different configuration aspects, like having a Storage Admins group for storage configuration, Application Admins for configuring services and so on, that may require quite a big rewrite on the middleware side.

You can leave your suggestions here or in the ticket https://redmine.ixsystems.com/issues/27638
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Adding something like a Domain Admins group with members having local root privilege is fairly easy. On the other side, if we started to talk about fine-grained permissions for different configuration aspects, like having a Storage Admins group for storage configuration, Application Admins for configuring services and so on, that may require quite a big rewrite on the middleware side.
The latter option seems beyond what anyone's asked for (for now at least, I'm sure someone will show up saying "I want this user to be able to configure only X and Y, but not Z" at some point).

One particular thought I have about such a setup is that many tasks are linked. It's not very useful to be able to make a share if you can't make a dataset. So, I'm definitely in the "keep it simple for now!" camp.

The complex setup could be achieved by limiting OS privileges (or disallowing SSH access entirely) and handling the authentication in the webGUI, which would be responsible for limiting access within it to its various pages. This would also need to tie in with a new GUI layout, which would have to be structured in a way that can deal with these needs. Yet another reason to keep it simple for now.

Final thought for now: A lot of people have asked for this not just in an AD setting, but for local users as well.
 