| 1 | <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_ldap</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="idmap_ldap"><a name="idmap_ldap.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_ldap — Samba's idmap_ldap Backend for Winbind</p></div><div class="refsynopsisdiv" title="DESCRIPTION"><h2>DESCRIPTION</h2><p>The idmap_ldap plugin provides a means for Winbind to
|
|---|
| 2 | store and retrieve SID/uid/gid mapping tables in an LDAP directory
|
|---|
| 3 | service.
|
|---|
| 4 | </p><p>
|
|---|
| 5 | In contrast to read only backends like idmap_rid, it is an allocating
|
|---|
| 6 | backend: This means that it needs to allocate new user and group IDs in
|
|---|
| 7 | order to create new mappings.
|
|---|
| 8 | </p></div><div class="refsect1" title="IDMAP OPTIONS"><a name="id266343"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p>
|
|---|
| 9 | Defines the directory base suffix to use for
|
|---|
| 10 | SID/uid/gid mapping entries. If not defined, idmap_ldap will default
|
|---|
| 11 | to using the "ldap idmap suffix" option from smb.conf.
|
|---|
| 12 | </p></dd><dt><span class="term">ldap_user_dn = DN</span></dt><dd><p>
|
|---|
| 13 | Defines the user DN to be used for authentication.
|
|---|
| 14 | The secret for authenticating this user should be
|
|---|
| 15 | stored with net idmap secret
|
|---|
| 16 | (see <a class="citerefentry" href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a>).
|
|---|
| 17 | If absent, the ldap credentials from the ldap passdb configuration
|
|---|
| 18 | are used, and if these are also absent, an anonymous
|
|---|
| 19 | bind will be performed as last fallback.
|
|---|
| 20 | </p></dd><dt><span class="term">ldap_url = ldap://server/</span></dt><dd><p>
|
|---|
| 21 | Specifies the LDAP server to use for
|
|---|
| 22 | SID/uid/gid map entries. If not defined, idmap_ldap will
|
|---|
| 23 | assume that ldap://localhost/ should be used.
|
|---|
| 24 | </p></dd><dt><span class="term">range = low - high</span></dt><dd><p>
|
|---|
| 25 | Defines the available matching uid and gid range for which the
|
|---|
| 26 | backend is authoritative.
|
|---|
| 27 | </p></dd></dl></div></div><div class="refsect1" title="EXAMPLES"><a name="id266868"></a><h2>EXAMPLES</h2><p>
|
|---|
| 28 | The following example shows how an ldap directory is used as the
|
|---|
| 29 | default idmap backend. It also configures the idmap range and base
|
|---|
| 30 | directory suffix. The secret for the ldap_user_dn has to be set with
|
|---|
| 31 | "net idmap secret '*' password".
|
|---|
| 32 | </p><pre class="programlisting">
|
|---|
| 33 | [global]
|
|---|
| 34 | idmap config * : backend = ldap
|
|---|
| 35 | idmap config * : range = 1000000-1999999
|
|---|
| 36 | idmap config * : ldap_url = ldap://localhost/
|
|---|
| 37 | idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com
|
|---|
| 38 | idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
|
|---|
| 39 | </pre><p>
|
|---|
| 40 | This example shows how ldap can be used as a readonly backend while
|
|---|
| 41 | tdb is the default backend used to store the mappings.
|
|---|
| 42 | It adds an explicit configuration for some domain DOM1, that
|
|---|
| 43 | uses the ldap idmap backend. Note that a range disjoint from the
|
|---|
| 44 | default range is used.
|
|---|
| 45 | </p><pre class="programlisting">
|
|---|
| 46 | [global]
|
|---|
| 47 | # "backend = tdb" is redundant here since it is the default
|
|---|
| 48 | idmap config * : backend = tdb
|
|---|
| 49 | idmap config * : range = 1000000-1999999
|
|---|
| 50 |
|
|---|
| 51 | idmap config DOM1 : backend = ldap
|
|---|
| 52 | idmap config DOM1 : range = 2000000-2999999
|
|---|
| 53 | idmap config DOM1 : read only = yes
|
|---|
| 54 | idmap config DOM1 : ldap_url = ldap://server/
|
|---|
| 55 | idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
|
|---|
| 56 | idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
|
|---|
| 57 | </pre></div><div class="refsynopsisdiv" title="NOTE"><h2>NOTE</h2><p>In order to use authentication against ldap servers you may
|
|---|
| 58 | need to provide a DN and a password. To avoid exposing the password
|
|---|
| 59 | in plain text in the configuration file we store it into a security
|
|---|
| 60 | store. The "net idmap " command is used to store a secret
|
|---|
| 61 | for the DN specified in a specific idmap domain.
|
|---|
| 62 | </p></div><div class="refsect1" title="AUTHOR"><a name="id265711"></a><h2>AUTHOR</h2><p>
|
|---|
| 63 | The original Samba software and related utilities
|
|---|
| 64 | were created by Andrew Tridgell. Samba is now developed
|
|---|
| 65 | by the Samba Team as an Open Source project similar
|
|---|
| 66 | to the way the Linux kernel is developed.
|
|---|
| 67 | </p></div></div></body></html>
|
|---|
