<samba:parameter name="ldapsam:editposix"
                 context="G"
                 type="string"
                 advanced="1" developer="0"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>

<para>
Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller,
eliminating the need to set up custom scripts to add and manage the posix users and groups. This option
will instead directly manipulate the ldap tree to create, remove and modify user and group entries.
This option also requires a running winbindd, as it is used to allocate new uids/gids on user/group
creation. The allocation range must therefore be configured.
</para>

<para>
To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly
configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users,
Domain Admins, Domain Guests) can be precreated with the command <command moreinfo="none">net sam
provision</command>. To run this command the ldap server must be running, winbindd must be running and
the smb.conf ldap options must be properly configured.

The typical ldap setup used with the <smbconfoption name="ldapsam:trusted">yes</smbconfoption> option
is usually sufficient to use <smbconfoption name="ldapsam:editposix">yes</smbconfoption> as well.
</para>

<para>
An example configuration can be the following:

<programlisting>
encrypt passwords = true
passdb backend = ldapsam

ldapsam:trusted=yes
ldapsam:editposix=yes

ldap admin dn = cn=admin,dc=samba,dc=org
ldap delete dn = yes
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap suffix = dc=samba,dc=org

idmap backend = ldap:"ldap://localhost"

idmap uid = 5000-50000
idmap gid = 5000-50000
</programlisting>

This configuration assumes a directory layout as described in the following ldif:

<programlisting>
dn: dc=samba,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: samba.org
dc: samba

dn: cn=admin,dc=samba,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret

dn: ou=users,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: computers
</programlisting>
</para>
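The configuration above only works when every ldap suffix in smb.conf resolves to an entry that actually exists in the tree and when winbindd has uid/gid ranges to allocate from. This added Python check (example code, not part of Samba or of this page) parses both fragments and reports the mismatches; the inputs are constructed from the page's example, with ou=idmap deliberately left out so that one finding is produced.

```python
import re
# Constructed inputs modelled on the page's example: the suffix and idmap settings from
# smb.conf, and a trimmed LDIF from which ou=idmap has been left out to produce a finding.
SMB_CONF = """ldap suffix = dc=samba,dc=org
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
idmap uid = 5000-50000
idmap gid = 5000-50000"""
LDIF = """dn: dc=samba,dc=org
objectClass: dcObject

dn: ou=users,dc=samba,dc=org
objectClass: organizationalUnit

dn: ou=groups,dc=samba,dc=org
objectClass: organizationalUnit

dn: ou=computers,dc=samba,dc=org
objectClass: organizationalUnit"""

def parse_smb_conf(text):
    """Map lowercased keys to values; accepts both 'key = value' and 'key=value'."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", ";")):
            conf[key.strip().lower()] = value.strip()
    return conf

def parse_ldif_dns(text):
    """Return the lowercased DN of every entry in the LDIF."""
    return {m.group(1).strip().lower() for m in re.finditer(r"^dn:\s*(.+)$", text, re.M)}

def check_editposix_layout(conf, dns):
    """Return findings; an empty list means the tree and id ranges satisfy the config."""
    findings = []
    base = conf.get("ldap suffix", "")
    if base.lower() not in dns:
        findings.append(f"ldap suffix {base!r} has no entry in the directory")
    for key in ("ldap user suffix", "ldap group suffix", "ldap machine suffix", "ldap idmap suffix"):
        rel = conf.get(key)
        if not rel or f"{rel},{base}".lower() not in dns:
            findings.append(f"{key}: {rel},{base} is missing from the directory")
    # editposix has winbindd allocate uids/gids, so both ranges must be set as low-high.
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)-(\d+)", conf.get(key, ""))
        if not m or int(m[1]) >= int(m[2]):
            findings.append(f"{key} must be a low-high range for winbindd allocation")
    return findings
```

Running `check_editposix_layout(parse_smb_conf(SMB_CONF), parse_ldif_dns(LDIF))` against a live tree would take the LDIF from an `ldapsearch` export instead of the constructed string.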

</description>
<value type="default">no</value>
</samba:parameter>