<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_ad</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="idmap_ad"><a name="idmap_ad.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_ad — Samba's idmap_ad Backend for Winbind</p></div><div class="refsynopsisdiv" title="DESCRIPTION"><h2>DESCRIPTION</h2><p>The idmap_ad plugin provides a way for Winbind to read
id mappings from an AD server that uses RFC2307/SFU schema
extensions. This module implements only the "idmap"
API, and is READONLY. Mappings must be provided in advance
by the administrator by adding the posixAccount/posixGroup
classes and the related attribute/value pairs to the user and
group objects in the AD.</p><p>
Note that the idmap_ad module has changed considerably since
Samba versions 3.0 and 3.2.
Currently, the <em class="parameter"><code>ad</code></em> backend
does not work as the default idmap backend; one has
to configure it separately for each domain for which one wants
to use it, using disjoint ranges. One usually needs to configure
a writeable default idmap range, using for example the
<em class="parameter"><code>tdb</code></em> or <em class="parameter"><code>ldap</code></em>
backend, in order to be able to map the BUILTIN SIDs and
possibly other trusted domains. The writeable default config
is also needed in order to be able to create group mappings.
This catch-all default idmap configuration should have a range
that is disjoint from any explicitly configured domain with
idmap backend <em class="parameter"><code>ad</code></em>. See the example below.
</p></div><div class="refsect1" title="IDMAP OPTIONS"><a name="id266828"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">range = low - high</span></dt><dd><p>
Defines the available matching UID and GID range for which the
backend is authoritative. Note that the range acts as a filter:
if specified, any UID or GID stored in AD that falls outside the
range is ignored and the corresponding mapping is discarded.
It is intended as a way to avoid accidental UID/GID overlaps
between local and remotely defined IDs.
</p></dd><dt><span class="term">schema_mode = &lt;rfc2307 | sfu&gt;</span></dt><dd><p>
Defines the schema that idmap_ad should use when querying
Active Directory for user and group information.
This can be either the RFC2307 schema support included
in Windows 2003 R2 or the Services for Unix (SFU) schema.
</p></dd></dl></div></div><div class="refsect1" title="EXAMPLES"><a name="id266865"></a><h2>EXAMPLES</h2><p>
The following example shows how to retrieve id mappings from our principal and
trusted AD domains. If trusted domains are present, id conflicts must be
resolved beforehand: there is no guarantee on the order in which conflicting
mappings would be resolved at this point.

This example also shows how to leave a small non-conflicting range for local
id allocation that may be used by internal backends like BUILTIN.
</p><pre class="programlisting">
[global]
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999
</pre></div><div class="refsect1" title="AUTHOR"><a name="id266885"></a><h2>AUTHOR</h2><p>
The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
</p></div></div></body></html>
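<p>The disjoint-range requirement and the range filter described in the IDMAP OPTIONS and EXAMPLES sections above, as an added example that is not part of Samba: a small Python checker that parses the idmap config lines of an smb.conf, reports every pair of overlapping ranges, and applies the filter to AD-stored ID values. The PARTNER domain and the uidNumber values are constructed for illustration.</p>

```python
# Added example, not Samba code: check the idmap layout this page describes by
# parsing "idmap config DOMAIN : key = value" lines, reporting overlapping ranges
# ("*" must be disjoint from every "ad" domain) and applying the range filter.
import re
from itertools import combinations

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:"
                      r"\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$", re.IGNORECASE)

def parse_idmap_config(smb_conf):
    """Per-domain idmap options; unrelated smb.conf lines are ignored."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["domain"].upper(), {})[m["key"].lower()] = m["value"]
    return domains

def parse_range(value):
    """'low - high' as written in smb.conf; whitespace around '-' is allowed."""
    low, high = (int(p) for p in value.split("-"))
    if low > high:
        raise ValueError(f"range low {low} exceeds high {high}")
    return low, high

def check_ranges(domains):
    """Return problems: domains without a range, then every overlapping pair."""
    ranges = {n: parse_range(o["range"]) for n, o in domains.items() if "range" in o}
    problems = [f"{n}: no range configured" for n in domains if n not in ranges]
    for a, b in combinations(ranges, 2):
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return problems

def filter_ad_ids(domains, domain, ad_ids):
    """Keep only AD-stored IDs inside the domain's range (the page's filter rule)."""
    low, high = parse_range(domains[domain.upper()]["range"])
    return {acct: i for acct, i in ad_ids.items() if low <= i <= high}

# Constructed sample: the page's example plus an "ad" domain PARTNER whose range
# collides with CORP and with "*", and CORP uidNumbers of which 1000000 is out of range.
SAMPLE_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999
idmap config PARTNER : backend = ad
idmap config PARTNER : range = 500000 - 1500000
"""
SAMPLE_UIDS = {"alice": 10001, "bob": 999999, "svc-legacy": 1000000}
```

<p>Running <code>check_ranges(parse_idmap_config(SAMPLE_CONF))</code> reports the two collisions with PARTNER, while the page's own two-range layout passes cleanly.</p>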