| 1 | <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_ldap</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="idmap_ldap.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_ldap — Samba's idmap_ldap Backend for Winbind</p></div><div class="refsynopsisdiv"><h2>DESCRIPTION</h2><p>The idmap_ldap plugin provides a means for Winbind to
|
|---|
| 2 | store and retrieve SID/uid/gid mapping tables in an LDAP directory
|
|---|
| 3 | service.
|
|---|
| 4 | </p><p>
|
|---|
| 5 | In contrast to read only backends like idmap_rid, it is an allocating
|
|---|
| 6 | backend: This means that it needs to allocate new user and group IDs in
|
|---|
| 7 | order to create new mappings. The allocator can be provided by the
|
|---|
| 8 | idmap_ldap backend itself or by any other allocating backend like
|
|---|
| 9 | idmap_tdb or idmap_tdb2. This is configured with the
|
|---|
| 10 | parameter <em class="parameter"><code>idmap alloc backend</code></em>.
|
|---|
| 11 | </p><p>
|
|---|
| 12 | Note that in order for this (or any other allocating) backend to
|
|---|
| 13 | function at all, the default backend needs to be writeable.
|
|---|
| 14 | The ranges used for uid and gid allocation are the default ranges
|
|---|
| 15 | configured by "idmap uid" and "idmap gid".
|
|---|
| 16 | </p><p>
|
|---|
| 17 | Furthermore, since there is only one global allocating backend
|
|---|
| 18 | responsible for all domains using writeable idmap backends,
|
|---|
| 19 | any explicitly configured domain with idmap backend ldap
|
|---|
| 20 | should have the same range as the default range, since it needs
|
|---|
| 21 | to use the global uid / gid allocator. See the example below.
|
|---|
| 22 | </p></div><div class="refsect1" lang="en"><a name="id2522944"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p>
|
|---|
| 23 | Defines the directory base suffix to use when searching for
|
|---|
| 24 | SID/uid/gid mapping entries. If not defined, idmap_ldap will default
|
|---|
| 25 | to using the "ldap idmap suffix" option from smb.conf.
|
|---|
| 26 | </p></dd><dt><span class="term">ldap_user_dn = DN</span></dt><dd><p>
|
|---|
| 27 | Defines the user DN to be used for authentication. If absent an
|
|---|
| 28 | anonymous bind will be performed.
|
|---|
| 29 | </p></dd><dt><span class="term">ldap_url = ldap://server/</span></dt><dd><p>
|
|---|
| 30 | Specifies the LDAP server to use when searching for existing
|
|---|
| 31 | SID/uid/gid map entries. If not defined, idmap_ldap will
|
|---|
| 32 | assume that ldap://localhost/ should be used.
|
|---|
| 33 | </p></dd><dt><span class="term">range = low - high</span></dt><dd><p>
|
|---|
| 34 | Defines the available matching uid and gid range for which the
|
|---|
| 35 | backend is authoritative.
|
|---|
| 36 | If the parameter is absent, Winbind fails over to use the
|
|---|
| 37 | "idmap uid" and "idmap gid" options
|
|---|
| 38 | from smb.conf.
|
|---|
| 39 | </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2483381"></a><h2>IDMAP ALLOC OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p>
|
|---|
| 40 | Defines the directory base suffix under which new SID/uid/gid mapping
|
|---|
| 41 | entries should be stored. If not defined, idmap_ldap will default
|
|---|
| 42 | to using the "ldap idmap suffix" option from smb.conf.
|
|---|
| 43 | </p></dd><dt><span class="term">ldap_user_dn = DN</span></dt><dd><p>
|
|---|
| 44 | Defines the user DN to be used for authentication. If absent an
|
|---|
| 45 | anonymous bind will be performed.
|
|---|
| 46 | </p></dd><dt><span class="term">ldap_url = ldap://server/</span></dt><dd><p>
|
|---|
| 47 | Specifies the LDAP server to which modify/add/delete requests should
|
|---|
| 48 | be sent. If not defined, idmap_ldap will assume that ldap://localhost/
|
|---|
| 49 | should be used.
|
|---|
| 50 | </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2483559"></a><h2>EXAMPLES</h2><p>
|
|---|
| 51 | The follow sets of a LDAP configuration which uses two LDAP
|
|---|
| 52 | directories, one for storing the ID mappings and one for retrieving
|
|---|
| 53 | new IDs.
|
|---|
| 54 | </p><pre class="programlisting">
|
|---|
| 55 | [global]
|
|---|
| 56 | idmap backend = ldap:ldap://localhost/
|
|---|
| 57 | idmap uid = 1000000-1999999
|
|---|
| 58 | idmap gid = 1000000-1999999
|
|---|
| 59 |
|
|---|
| 60 | idmap alloc backend = ldap
|
|---|
| 61 | idmap alloc config : ldap_url = ldap://id-master/
|
|---|
| 62 | idmap alloc config : ldap_base_dn = ou=idmap,dc=example,dc=com
|
|---|
| 63 | </pre></div><div class="refsynopsisdiv"><h2>NOTE</h2><p>In order to use authentication against ldap servers you may
|
|---|
| 64 | need to provide a DN and a password. To avoid exposing the password
|
|---|
| 65 | in plain text in the configuration file we store it into a security
|
|---|
| 66 | store. The "net idmap " command is used to store a secret
|
|---|
| 67 | for the DN specified in a specific idmap domain.
|
|---|
| 68 | </p></div><div class="refsect1" lang="en"><a name="id2483595"></a><h2>AUTHOR</h2><p>
|
|---|
| 69 | The original Samba software and related utilities
|
|---|
| 70 | were created by Andrew Tridgell. Samba is now developed
|
|---|
| 71 | by the Samba Team as an Open Source project similar
|
|---|
| 72 | to the way the Linux kernel is developed.
|
|---|
| 73 | </p></div></div></body></html>
|
|---|
