| **Group Search Domain** | Optional for admins who want to avoid issues with unwanted groups by forcing group searches to start at a deeper domain. |

| **BIND Password** | If the bind user is set, use this password when performing a simple bind on user search. |

| **Enable SSL** | Enable LDAPS/TLS connection. Uses the globally configured verification settings. |

TrueCommand only checks for usernames, passwords, and groups while authenticating LDAP credentials.

You can add entries for email, phone number, or URLs, but TrueCommand does not check for them.

For finding associated groups, TrueCommand looks for `groupOfUniqueNames`, `groupOfNames`, `posixGroup`, and `Group` object classes and users matching the `uniquemember`, `member`, `owner`, or `memberUid` attributes.

Teams configured under **LDAP Default Teams** are added to new users automatically, while group names can be mapped to one or more teams under **LDAP Group Mappings**.




The two most prominent error codes for LDAP are 254 (connection failure) and 49 (invalid credentials).

In the event of a connection failure, ensure **Enable SSL** is set when only LDAPS is available.

For credential failures, ensure the right authentication mode, either BIND Password or Kerberos, is enabled.

When Kerberos is enabled, its use is preferred.

When password servers are required, move the autogenerated **krb5.conf** within the container from `/etc/krb5.conf` to `/data` and enable its use by setting `--env KRB5_CONFIG=/data/krb5.conf` on a new container run.

See the Middleware log for further debugging.

Some AD servers require manual SASL settings to avoid an "illegal packet length" error by setting the environment variable `--env LDAPSASL_SECPROPS=minssf=0,maxssf=0` to disable security factor limitations.

Other **ldap.conf** settings can be configured this way, or setting the LDAPCONF environment variable to `/data/ldap.conf` and writing a custom conf there.

TrueCommand sets `TLS_REQCERT` and `TLS_REQSAN` to **allow** or **demand** depending on global TLS settings, as well as TLS_CERT and TLS_KEY to the MW managed self-signed certificate in `/data/truecommand`.

a. Enter the TrueCommand login URL `https://*IP:PORT*/saml/acs` in the **ACS Url** field.

*IP:PORT* is your TrueCommand system IP with HTTPS port.

c. Type the `https://*IP:PORT*/saml/hello` into the **Start URL** field.

*IP:PORT* is your TrueCommand system IP with HTTPS port.

| Primary email | email |

| First name | given_name |

| Employee ID | unique_name |

| Phone number | telephone_number |

Adjust the parameters according to your own organization, where `unique_name` corresponds to the TrueCommand `username` and is the only required attribute.

`Primary email` might be desired instead of and if an `Employee ID` is not available.

5. Verify the information is correct.

a. Select **DOWNLOAD METADATA** to open the **Download Metadata** window.

7. Verify user access details.

8. Wait for approximately 10-20 minutes for Google to populate all settings through its servers.

2. Click the <i class="material-icons" aria-hidden="true" title="Settings">settings</i> button on the top toolbar.

Click **Administration**. Click **Configure** in the **Configuration** widget.

The **Configuration** screen with the editable settings displays. Scroll down to **SAML settings**.

4. Select **Start the SAML service** to enable the service, and click **Save** again.

5. Log out of the TrueCommand UI.

6. Login now using the **SAML Login** option.

title: "TrueCommand IPv6 Configuration"

description: "Steps for enabling IPv6 communication between TrueCommand and a TrueNAS."

First, create a non-default network with IPv6 explicitly enabled:

Linux hosts are also required for the Docker daemon to support IPv6.

The default bridge can be configured to support IPv6 if desired with a fixed address for dynamic allocation.

Configure both the host and NAS with IPv6 addresses, either through a dynamic protocol like SLAAC or by assigning a static IP, so the TrueCommand container has a route to the NAS.

Input the address, without URL brackets, when adding a new system or editing an existing system.

For more information, see <a href="https://docs.docker.com/config/daemon/ipv6/">guide to enable IPv6 support provided by Docker</a> and the [TrueNAS IPv6 setup document](https://www.truenas.com/docs/scale/scaletutorials/network/configureipv6/).

title: "TrueCommand Performance Specification"

description: "Performance data for a self-hosted TrueCommand container."

Without any connected systems, TrueCommand uses ~20 MiB memory and 600 KiB disk for the sqlite settings database and slightly more for logs.

{{< truetable >}}

| Resource | Usage |

|-----------|-------------|

|Memory | 20 MiB|

|Storage | < 1 MiB|

|Container | 1.1 GiB|

|Network | Nothing with UI closed, 10 KiB/min serving UI|

{{< /truetable >}}

TrueCommand scales for each system added.

Each connected TrueNAS uses the following resources:

{{< truetable >}}

|Resource | Usage|

|-----------|-------------|

|Memory | ~5-10 MiB|

|Storage | ~100 MiB|

|Disk | 1 MiB reads/hour, 4 MiB writes/hour|

|CPU | ~5s/hour, ~22ms/15s, 0.1 to 1.5%|

|Network | Rx 5-10 KiB/min<br>Tx < 1 KiB/min|

{{< /truetable >}}

Storage usage includes a fixed 80M MiB disk storage for metrics and 2 to 5 MiB for NAS configuration backups.

Backup retention and metric storage duration can be changed, although resizing metrics can result in larger files even after reversion.

Network transmitted bytes are very low for each system, as TrueCommand only sends requests to the NAS.

Typically the ratio of received bytes to transmitted is about 20:1.

cAdvisor, Prometheus, and Grafana were used to generate this data. See the following configuration files to reproduce.

{{< highlight yaml "" >}}

global:

scrape_interval: 15s

evaluation_interval: 15s

scrape_configs:

- job_name: docker

static_configs:

- targets: ["DOCKERHOST:8090"]

metrics_path: "/metrics"

params:

format: ['prometheus']

{{< /highlight >}}

This enables Prometheus to collect metrics about itself, the docker engine directly, if `metrics-addr` is configured for the daemon, and cAdvisor.

See the compose file below to configure the exposed port and provide a route from the Prometheus container to its sibling cAdvisor container.

{{< highlight yaml "" >}}

name: cadvisor_prometheus

services:

prometheus:

image: prom/prometheus:v2.53.1

volumes:

- type: bind

source: ./prometheus.yml

target: /etc/prometheus/prometheus.yml

read_only: true

ports:

- 9090:9090

grafana:

image: grafana/grafana-oss:11.0.1

volumes:

- type: volume

source: grafana-storage

target: /var/lib/grafana

ports:

- 3000:3000

cadvisor:

image: gcr.io/cadvisor/cadvisor:v0.47.2

volumes:

- type: bind

source: /

target: /rootfs

read_only: true

- type: bind

source: /var/run

target: /var/run

read_only: true

- type: bind

source: /var/lib/docker

target: /var/lib/docker

read_only: true

- type: bind

source: /sys

target: /sys

read_only: true

ports:

- 8090:8080

userns_mode: "host"

security_opt:

- seccomp=default.json

command: --docker=unix:///var/run/user/1000/docker.sock --listen_ip=0.0.0.0

volumes:

grafana-storage:

{{< /highlight >}}

Run `docker compose up` to deploy the three containers.

cAdvisor reads from the cgroup and reports container-level metrics to Prometheus.

Grafana can then be used to display these metrics, as seen in the following dashboard:

{{< trueimage src="/images/TrueCommand/tc-three-system-perf.png" alt="Grafana dashboard with TrueCommand running and connected to three TrueNAS systems" id="Grafana dashboard with TrueCommand running and connected to three TrueNAS systems" >}}

title: "TrueCommand Syslog Configuration"

description: "Steps for sending TrueCommand logs via the syslog protocol."

Remote logging capabilities through syslog are available in TrueCommand version 2.3 or later.

To enable, first edit the internal configuration file `/etc/config.yaml`.

Overwrite the TC_CONFIG_PATH or create an additional tied volume for this file to preserve changes.

{{< highlight yaml "" >}}

logger:

remote_log:

enabled: false

log_level: error

host: 127.0.0.1 # rsyslog server address

port: 6514 # port based on the protocol

protocol: tcp # tcp or udp

identifier: TrueCommand # will be added as tag in the logs

{{< / highlight >}}

Restart the container.

An Rsyslog server can easily be setup with Docker.

{{< highlight yaml "" >}}

FROM ubuntu:latest

RUN apt update && apt install rsyslog -y

ADD rsyslog.conf /etc/.

ENTRYPOINT ["rsyslogd", "-n"]

{{< / highlight >}}

Logs are stored under the `/var/log/remote/YEAR/MONTH/DAY.log` path.