| 1 | <samba:parameter name="ldapsam:editposix"
|
|---|
| 2 | context="G"
|
|---|
| 3 | type="string"
|
|---|
| 4 | xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|---|
| 5 | <description>
|
|---|
| 6 |
|
|---|
| 7 | <para>
|
|---|
| 8 | Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller
|
|---|
| 9 | eliminating the need to set up custom scripts to add and manage the posix users and groups. This option
|
|---|
| 10 | will instead directly manipulate the ldap tree to create, remove and modify user and group entries.
|
|---|
| 11 | This option also requires a running winbindd as it is used to allocate new uids/gids on user/group
|
|---|
| 12 | creation. The allocation range must be therefore configured.
|
|---|
| 13 | </para>
|
|---|
| 14 |
|
|---|
| 15 | <para>
|
|---|
| 16 | To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly
|
|---|
| 17 | configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users,
|
|---|
| 18 | Domain Admins, Domain Guests) can be precreated with the command <command moreinfo="none">net sam
|
|---|
| 19 | provision</command>. To run this command the ldap server must be running, Winbindd must be running and
|
|---|
| 20 | the smb.conf ldap options must be properly configured.
|
|---|
| 21 |
|
|---|
| 22 | The typical ldap setup used with the <smbconfoption name="ldapsam:trusted">yes</smbconfoption> option
|
|---|
| 23 | is usually sufficient to use <smbconfoption name="ldapsam:editposix">yes</smbconfoption> as well.
|
|---|
| 24 | </para>
|
|---|
| 25 |
|
|---|
| 26 | <para>
|
|---|
| 27 | An example configuration can be the following:
|
|---|
| 28 |
|
|---|
| 29 | <programlisting>
|
|---|
| 30 | encrypt passwords = true
|
|---|
| 31 | passdb backend = ldapsam
|
|---|
| 32 |
|
|---|
| 33 | ldapsam:trusted=yes
|
|---|
| 34 | ldapsam:editposix=yes
|
|---|
| 35 |
|
|---|
| 36 | ldap admin dn = cn=admin,dc=samba,dc=org
|
|---|
| 37 | ldap delete dn = yes
|
|---|
| 38 | ldap group suffix = ou=groups
|
|---|
| 39 | ldap idmap suffix = ou=idmap
|
|---|
| 40 | ldap machine suffix = ou=computers
|
|---|
| 41 | ldap user suffix = ou=users
|
|---|
| 42 | ldap suffix = dc=samba,dc=org
|
|---|
| 43 |
|
|---|
| 44 | idmap backend = ldap:"ldap://localhost"
|
|---|
| 45 |
|
|---|
| 46 | idmap uid = 5000-50000
|
|---|
| 47 | idmap gid = 5000-50000
|
|---|
| 48 | </programlisting>
|
|---|
| 49 |
|
|---|
| 50 | This configuration assumes a directory layout like described in the following ldif:
|
|---|
| 51 |
|
|---|
| 52 | <programlisting>
|
|---|
| 53 | dn: dc=samba,dc=org
|
|---|
| 54 | objectClass: top
|
|---|
| 55 | objectClass: dcObject
|
|---|
| 56 | objectClass: organization
|
|---|
| 57 | o: samba.org
|
|---|
| 58 | dc: samba
|
|---|
| 59 |
|
|---|
| 60 | dn: cn=admin,dc=samba,dc=org
|
|---|
| 61 | objectClass: simpleSecurityObject
|
|---|
| 62 | objectClass: organizationalRole
|
|---|
| 63 | cn: admin
|
|---|
| 64 | description: LDAP administrator
|
|---|
| 65 | userPassword: secret
|
|---|
| 66 |
|
|---|
| 67 | dn: ou=users,dc=samba,dc=org
|
|---|
| 68 | objectClass: top
|
|---|
| 69 | objectClass: organizationalUnit
|
|---|
| 70 | ou: users
|
|---|
| 71 |
|
|---|
| 72 | dn: ou=groups,dc=samba,dc=org
|
|---|
| 73 | objectClass: top
|
|---|
| 74 | objectClass: organizationalUnit
|
|---|
| 75 | ou: groups
|
|---|
| 76 |
|
|---|
| 77 | dn: ou=idmap,dc=samba,dc=org
|
|---|
| 78 | objectClass: top
|
|---|
| 79 | objectClass: organizationalUnit
|
|---|
| 80 | ou: idmap
|
|---|
| 81 |
|
|---|
| 82 | dn: ou=computers,dc=samba,dc=org
|
|---|
| 83 | objectClass: top
|
|---|
| 84 | objectClass: organizationalUnit
|
|---|
| 85 | ou: computers
|
|---|
| 86 | </programlisting>
|
|---|
| 87 | </para>
|
|---|
| 88 |
|
|---|
| 89 | </description>
|
|---|
| 90 | <value type="default">no</value>
|
|---|
| 91 | </samba:parameter>
|
|---|
