1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="idmap_ldap.8">
<refmeta>
<refentrytitle>idmap_ldap</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
<refmiscinfo class="version">4.2</refmiscinfo>
</refmeta>
<refnamediv>
<refname>idmap_ldap</refname>
<refpurpose>Samba's idmap_ldap Backend for Winbind</refpurpose>
</refnamediv>
<refsynopsisdiv>
<title>DESCRIPTION</title>
<para>The idmap_ldap plugin provides a means for Winbind to
store and retrieve SID/uid/gid mapping tables in an LDAP directory
service.
</para>
<para>
In contrast to read only backends like idmap_rid, it is an allocating
backend: This means that it needs to allocate new user and group IDs in
order to create new mappings.
</para>
</refsynopsisdiv>
<refsect1>
<title>IDMAP OPTIONS</title>
<variablelist>
<varlistentry>
<term>ldap_base_dn = DN</term>
<listitem><para>
Defines the directory base suffix to use for
SID/uid/gid mapping entries. If not defined, idmap_ldap will default
to using the "ldap idmap suffix" option from smb.conf.
</para></listitem>
</varlistentry>
<varlistentry>
<term>ldap_user_dn = DN</term>
<listitem><para>
Defines the user DN to be used for authentication.
The secret for authenticating this user should be
stored with net idmap secret
(see <citerefentry><refentrytitle>net</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>).
If absent, the ldap credentials from the ldap passdb configuration
are used, and if these are also absent, an anonymous
bind will be performed as last fallback.
</para></listitem>
</varlistentry>
<varlistentry>
<term>ldap_url = ldap://server/</term>
<listitem><para>
Specifies the LDAP server to use for
SID/uid/gid map entries. If not defined, idmap_ldap will
assume that ldap://localhost/ should be used.
</para></listitem>
</varlistentry>
<varlistentry>
<term>range = low - high</term>
<listitem><para>
Defines the available matching uid and gid range for which the
backend is authoritative.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLES</title>
<para>
The following example shows how an ldap directory is used as the
default idmap backend. It also configures the idmap range and base
directory suffix. The secret for the ldap_user_dn has to be set with
"net idmap secret '*' password".
</para>
<programlisting>
[global]
idmap config * : backend = ldap
idmap config * : range = 1000000-1999999
idmap config * : ldap_url = ldap://localhost/
idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com
idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
</programlisting>
<para>
This example shows how ldap can be used as a readonly backend while
tdb is the default backend used to store the mappings.
It adds an explicit configuration for some domain DOM1, that
uses the ldap idmap backend. Note that a range disjoint from the
default range is used.
</para>
<programlisting>
[global]
# "backend = tdb" is redundant here since it is the default
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOM1 : backend = ldap
idmap config DOM1 : range = 2000000-2999999
idmap config DOM1 : read only = yes
idmap config DOM1 : ldap_url = ldap://server/
idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
</programlisting>
</refsect1>
<refsynopsisdiv>
<title>NOTE</title>
<para>In order to use authentication against ldap servers you may
need to provide a DN and a password. To avoid exposing the password
in plain text in the configuration file we store it into a security
store. The "net idmap " command is used to store a secret
for the DN specified in a specific idmap domain.
</para>
</refsynopsisdiv>
<refsect1>
<title>AUTHOR</title>
<para>
The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
</para>
</refsect1>
</refentry>
|