'\" t
.\" Title: idmap_ldap
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 10/25/2016
.\" Manual: System Administration tools
.\" Source: Samba 4.4
.\" Language: English
.\"
.TH "IDMAP_LDAP" "8" "10/25/2016" "Samba 4\&.4" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
idmap_ldap \- Samba\*(Aqs idmap_ldap Backend for Winbind
.SH "DESCRIPTION"
.PP
The idmap_ldap plugin provides a means for Winbind to store and retrieve SID/uid/gid mapping tables in an LDAP directory service\&.
.PP
In contrast to read\-only backends like idmap_rid, it is an allocating backend: to create a new mapping it has to allocate a fresh user or group ID from its configured range and store the resulting entry in the directory\&.
.SH "IDMAP OPTIONS"
.PP
ldap_base_dn = DN
.RS 4
Defines the directory base suffix to use for SID/uid/gid mapping entries\&. If not defined, idmap_ldap will default to using the "ldap idmap suffix" option from smb\&.conf\&.
.RE
.PP
ldap_user_dn = DN
.RS 4
Defines the user DN to be used for authentication\&. The secret for authenticating this user should be stored with net idmap secret (see
\fBnet\fR(8))\&. If absent, the ldap credentials from the ldap passdb configuration are used, and if these are also absent, an anonymous bind will be performed as a last fallback\&. Because the backend must write to the directory to allocate new IDs, falling back to an anonymous bind will typically leave it unable to create mappings; configure a DN with write access to the idmap base suffix unless the domain is marked "read only"\&.
.RE
.PP
ldap_url = ldap://server/
.RS 4
Specifies the LDAP server to use for SID/uid/gid map entries\&. If not defined, idmap_ldap will assume that ldap://localhost/ should be used\&. For a server on another host, protect the bind credentials in transit with an ldaps:// URL or by setting "ldap ssl = start tls" in smb\&.conf; over a plain ldap:// connection the password of the ldap_user_dn is sent in cleartext\&.
.RE
.PP
range = low \- high
.RS 4
Defines the available matching uid and gid range for which the backend is authoritative\&. The ranges of different idmap domains must not overlap\&.
.RE
.SH "EXAMPLES"
.PP
The following example shows how an ldap directory is used as the default idmap backend\&. It also configures the idmap range and base directory suffix\&. The secret for the ldap_user_dn has to be set with "net idmap secret \*(Aq*\*(Aq password"\&.
.sp
.if n \{\
.RS 4
.\}
.nf
[global]
idmap config * : backend = ldap
idmap config * : range = 1000000\-1999999
idmap config * : ldap_url = ldap://localhost/
idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com
idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com

.fi
.if n \{\
.RE
.\}
.PP
This example shows how ldap can be used as a read\-only backend while tdb is the default backend used to store the mappings\&. It adds an explicit configuration for a domain DOM1 that uses the ldap idmap backend with "read only = yes", so winbind only returns mappings that already exist in that directory and never allocates new IDs there\&. Note that the DOM1 range is disjoint from the default range, as the ranges of different idmap domains must be\&.
.sp
.if n \{\
.RS 4
.\}
.nf
[global]
# "backend = tdb" is redundant here since it is the default
idmap config * : backend = tdb
idmap config * : range = 1000000\-1999999

idmap config DOM1 : backend = ldap
idmap config DOM1 : range = 2000000\-2999999
idmap config DOM1 : read only = yes
idmap config DOM1 : ldap_url = ldap://server/
idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com

.fi
.if n \{\
.RE
.\}
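.PP
The following Python script is an added example; it is not part of Samba or of this manual page\&. It lints the idmap config lines of an smb\&.conf for the mistakes the options above describe: a missing or malformed range, ranges of different idmap domains that overlap, and an ldap backend without an ldap_user_dn, which makes winbind fall back to the passdb credentials or to an anonymous bind\&. It also flags a plain ldap:// URL to a remote host when "ldap ssl = start tls" is not set, since the bind password would then cross the network in cleartext\&. The finding levels and messages are this example\*(Aqs own; the sample configurations embedded in it reproduce the second example above plus a constructed broken variant, and the script only parses text, it never contacts an LDAP server\&.

```python
"""Lint the "idmap config" lines of an smb.conf (added example, not Samba code)."""
import re
from urllib.parse import urlsplit

# Matches "idmap config DOMAIN : key = value"; smb.conf option names are case-insensitive.
IDMAP_RE = re.compile(
    r'^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.*?)\s*$',
    re.IGNORECASE)
LDAP_SSL_RE = re.compile(r'^\s*ldap\s+ssl\s*=\s*(?P<val>.*?)\s*$', re.IGNORECASE)
LOCAL_HOSTS = (None, 'localhost', '127.0.0.1', '::1')

def parse_smb_conf(text):
    """Return ({domain: {option: value}}, normalised "ldap ssl" value or None)."""
    domains, ldap_ssl = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m['dom'], {})[m['key'].lower()] = m['val']
            continue
        m = LDAP_SSL_RE.match(line)
        if m:
            ldap_ssl = m['val'].lower().replace('_', ' ')
    return domains, ldap_ssl

def parse_range(value):
    """'1000000-1999999' -> (1000000, 1999999); ValueError if malformed or inverted."""
    m = re.fullmatch(r'\s*(\d+)\s*-\s*(\d+)\s*', value)
    if not m:
        raise ValueError(f'malformed range {value!r}')
    low, high = int(m[1]), int(m[2])
    if low > high:
        raise ValueError(f'range low {low} exceeds high {high}')
    return low, high

def lint_idmap(text):
    """Return 'LEVEL domain: message' findings; an empty list means nothing to report."""
    domains, ldap_ssl = parse_smb_conf(text)
    findings, ranges = [], {}
    for dom, cfg in domains.items():
        # tdb is the default backend for "*" only; any other domain must name one.
        backend = cfg.get('backend', 'tdb' if dom == '*' else None)
        if backend is None:
            findings.append(f'ERROR {dom}: no backend configured')
        if 'range' not in cfg:
            findings.append(f'ERROR {dom}: no range configured')
        else:
            try:
                ranges[dom] = parse_range(cfg['range'])
            except ValueError as exc:
                findings.append(f'ERROR {dom}: {exc}')
        if backend != 'ldap':
            continue
        # Without ldap_user_dn, idmap_ldap uses the passdb credentials or binds anonymously.
        if 'ldap_user_dn' not in cfg:
            findings.append(f'WARN {dom}: no ldap_user_dn; winbind falls back to the '
                            'passdb ldap credentials or to an anonymous bind')
        url = cfg.get('ldap_url', 'ldap://localhost/')
        parts = urlsplit(url)
        if (parts.scheme.lower() == 'ldap' and parts.hostname not in LOCAL_HOSTS
                and ldap_ssl != 'start tls'):
            findings.append(f'WARN {dom}: {url} is plain ldap:// to a remote host and '
                            '"ldap ssl = start tls" is not set; the bind password '
                            'crosses the network in cleartext')
    # Ranges of different idmap domains must be disjoint.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f'ERROR {a}/{b}: ranges {alo}-{ahi} and {blo}-{bhi} overlap')
    return findings

# Constructed samples: the manual page's second example (tdb default plus a read-only
# ldap domain on a remote server) and a broken variant: DOM2 overlaps both, no bind DN.
EXAMPLE_TDB_PLUS_LDAP = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOM1 : backend = ldap
idmap config DOM1 : range = 2000000-2999999
idmap config DOM1 : read only = yes
idmap config DOM1 : ldap_url = ldap://server/
idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
"""
EXAMPLE_BROKEN = EXAMPLE_TDB_PLUS_LDAP + """\
idmap config DOM2 : backend = ldap
idmap config DOM2 : range = 1500000-2500000
idmap config DOM2 : ldap_url = ldaps://ldap.dom2.example.com/
idmap config DOM2 : ldap_base_dn = ou=idmap,dc=dom2,dc=example,dc=com
"""

if __name__ == '__main__':
    for conf in (EXAMPLE_TDB_PLUS_LDAP, EXAMPLE_BROKEN):
        print(*(lint_idmap(conf) or ['clean']), sep='\n', end='\n\n')
```

.PP
Run it with python3 to print the findings for both samples (the page\*(Aqs second example yields only the cleartext warning for DOM1), or call lint_idmap() on the text of a real smb\&.conf, for example the output of "testparm \-s"\&.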
.SH "NOTE"
.PP
In order to use authentication against ldap servers you may need to provide a DN and a password\&. To avoid exposing the password in plain text in the configuration file, it is stored in Samba\*(Aqs secrets database instead\&. The "net idmap secret" command is used to store the secret for the DN specified in a specific idmap domain, for example "net idmap secret DOM1 password" for the domain DOM1 and "net idmap secret \*(Aq*\*(Aq password" for the default domain\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.