| 1 | '\" t
|
|---|
| 2 | .\" Title: idmap_ldap
|
|---|
| 3 | .\" Author: [see the "AUTHOR" section]
|
|---|
| 4 | .\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
|
|---|
| 5 | .\" Date: 08/08/2011
|
|---|
| 6 | .\" Manual: System Administration tools
|
|---|
| 7 | .\" Source: Samba 3.6
|
|---|
| 8 | .\" Language: English
|
|---|
| 9 | .\"
|
|---|
| 10 | .TH "IDMAP_LDAP" "8" "08/08/2011" "Samba 3\&.6" "System Administration tools"
|
|---|
| 11 | .\" -----------------------------------------------------------------
|
|---|
| 12 | .\" * set default formatting
|
|---|
| 13 | .\" -----------------------------------------------------------------
|
|---|
| 14 | .\" disable hyphenation
|
|---|
| 15 | .nh
|
|---|
| 16 | .\" disable justification (adjust text to left margin only)
|
|---|
| 17 | .ad l
|
|---|
| 18 | .\" -----------------------------------------------------------------
|
|---|
| 19 | .\" * MAIN CONTENT STARTS HERE *
|
|---|
| 20 | .\" -----------------------------------------------------------------
|
|---|
| 21 | .SH "NAME"
|
|---|
| 22 | idmap_ldap \- Samba\'s idmap_ldap Backend for Winbind
|
|---|
| 23 | .SH "DESCRIPTION"
|
|---|
| 24 | .PP
|
|---|
| 25 | The idmap_ldap plugin provides a means for Winbind to store and retrieve SID/uid/gid mapping tables in an LDAP directory service\&.
|
|---|
| 26 | .PP
|
|---|
| 27 | In contrast to read only backends like idmap_rid, it is an allocating backend: This means that it needs to allocate new user and group IDs in order to create new mappings\&.
|
|---|
| 28 | .SH "IDMAP OPTIONS"
|
|---|
| 29 | .PP
|
|---|
| 30 | ldap_base_dn = DN
|
|---|
| 31 | .RS 4
|
|---|
| 32 | Defines the directory base suffix to use for SID/uid/gid mapping entries\&. If not defined, idmap_ldap will default to using the "ldap idmap suffix" option from smb\&.conf\&.
|
|---|
| 33 | .RE
|
|---|
| 34 | .PP
|
|---|
| 35 | ldap_user_dn = DN
|
|---|
| 36 | .RS 4
|
|---|
| 37 | Defines the user DN to be used for authentication\&. The secret for authenticating this user should be stored with net idmap secret (see
|
|---|
| 38 | \fBnet\fR(8))\&. If absent, the ldap credentials from the ldap passdb configuration are used, and if these are also absent, an anonymous bind will be performed as last fallback\&.
|
|---|
| 39 | .RE
|
|---|
| 40 | .PP
|
|---|
| 41 | ldap_url = ldap://server/
|
|---|
| 42 | .RS 4
|
|---|
| 43 | Specifies the LDAP server to use for SID/uid/gid map entries\&. If not defined, idmap_ldap will assume that ldap://localhost/ should be used\&.
|
|---|
| 44 | .RE
|
|---|
| 45 | .PP
|
|---|
| 46 | range = low \- high
|
|---|
| 47 | .RS 4
|
|---|
| 48 | Defines the available matching uid and gid range for which the backend is authoritative\&.
|
|---|
| 49 | .RE
|
|---|
| 50 | .SH "EXAMPLES"
|
|---|
| 51 | .PP
|
|---|
| 52 | The following example shows how an ldap directory is used as the default idmap backend\&. It also configures the idmap range and base directory suffix\&. The secret for the ldap_user_dn has to be set with "net idmap secret \'*\' password"\&.
|
|---|
| 53 | .sp
|
|---|
| 54 | .if n \{\
|
|---|
| 55 | .RS 4
|
|---|
| 56 | .\}
|
|---|
| 57 | .nf
|
|---|
| 58 | [global]
|
|---|
| 59 | idmap config * : backend = ldap
|
|---|
| 60 | idmap config * : range = 1000000\-1999999
|
|---|
| 61 | idmap config * : ldap_url = ldap://localhost/
|
|---|
| 62 | idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com
|
|---|
| 63 | idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
|
|---|
| 64 |
|
|---|
| 65 | .fi
|
|---|
| 66 | .if n \{\
|
|---|
| 67 | .RE
|
|---|
| 68 | .\}
|
|---|
| 69 | .PP
|
|---|
| 70 | This example shows how ldap can be used as a readonly backend while tdb is the default backend used to store the mappings\&. It adds an explicit configuration for some domain DOM1, that uses the ldap idmap backend\&. Note that a range disjoint from the default range is used\&.
|
|---|
| 71 | .sp
|
|---|
| 72 | .if n \{\
|
|---|
| 73 | .RS 4
|
|---|
| 74 | .\}
|
|---|
| 75 | .nf
|
|---|
| 76 | [global]
|
|---|
| 77 | # "backend = tdb" is redundant here since it is the default
|
|---|
| 78 | idmap config * : backend = tdb
|
|---|
| 79 | idmap config * : range = 1000000\-1999999
|
|---|
| 80 |
|
|---|
| 81 | idmap config DOM1 : backend = ldap
|
|---|
| 82 | idmap config DOM1 : range = 2000000\-2999999
|
|---|
| 83 | idmap config DOM1 : read only = yes
|
|---|
| 84 | idmap config DOM1 : ldap_url = ldap://server/
|
|---|
| 85 | idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
|
|---|
| 86 | idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
|
|---|
| 87 |
|
|---|
| 88 | .fi
|
|---|
| 89 | .if n \{\
|
|---|
| 90 | .RE
|
|---|
| 91 | .\}
|
|---|
| 92 | .SH "NOTE"
|
|---|
| 93 | .PP
|
|---|
| 94 | In order to use authentication against ldap servers you may need to provide a DN and a password\&. To avoid exposing the password in plain text in the configuration file we store it into a security store\&. The "net idmap " command is used to store a secret for the DN specified in a specific idmap domain\&.
|
|---|
| 95 | .SH "AUTHOR"
|
|---|
| 96 | .PP
|
|---|
| 97 | The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
|
|---|
