<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="idmap_ldap.8">
<refmeta>
<refentrytitle>idmap_ldap</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
<refnamediv>
<refname>idmap_ldap</refname>
<refpurpose>Samba's idmap_ldap Backend for Winbind</refpurpose>
</refnamediv>
<refsynopsisdiv>
<title>DESCRIPTION</title>
<para>The idmap_ldap plugin provides a means for Winbind to
store and retrieve SID/uid/gid mapping tables in an LDAP directory
service.
</para>
<para>
In contrast to read only backends like idmap_rid, it is an allocating
backend: This means that it needs to allocate new user and group IDs in
order to create new mappings.
</para>
</refsynopsisdiv>
<refsect1>
<title>IDMAP OPTIONS</title>
<variablelist>
<varlistentry>
<term>ldap_base_dn = DN</term>
<listitem><para>
Defines the directory base suffix to use for
SID/uid/gid mapping entries. If not defined, idmap_ldap will default
to using the "ldap idmap suffix" option from smb.conf.
</para></listitem>
</varlistentry>
<varlistentry>
<term>ldap_user_dn = DN</term>
<listitem><para>
Defines the user DN to be used for authentication.
The secret for authenticating this user should be
stored with net idmap secret
(see <citerefentry><refentrytitle>net</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>).
If absent, the ldap credentials from the ldap passdb configuration
are used, and if these are also absent, an anonymous
bind will be performed as last fallback.
</para></listitem>
</varlistentry>
<varlistentry>
<term>ldap_url = ldap://server/</term>
<listitem><para>
Specifies the LDAP server to use for
SID/uid/gid map entries. If not defined, idmap_ldap will
assume that ldap://localhost/ should be used.
</para></listitem>
</varlistentry>
<varlistentry>
<term>range = low - high</term>
<listitem><para>
Defines the available matching uid and gid range for which the
backend is authoritative.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLES</title>
<para>
The following example shows how an ldap directory is used as the
default idmap backend. It also configures the idmap range and base
directory suffix. The secret for the ldap_user_dn has to be set with
"net idmap secret '*' password".
</para>
<programlisting>
[global]
idmap config * : backend = ldap
idmap config * : range = 1000000-1999999
idmap config * : ldap_url = ldap://localhost/
idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com
idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
</programlisting>
<para>
This example shows how ldap can be used as a readonly backend while
tdb is the default backend used to store the mappings.
It adds an explicit configuration for some domain DOM1, that
uses the ldap idmap backend. Note that a range disjoint from the
default range is used.
</para>
<programlisting >
[global]
# "backend = tdb" is redundant here since it is the default
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOM1 : backend = ldap
idmap config DOM1 : range = 2000000-2999999
idmap config DOM1 : read only = yes
idmap config DOM1 : ldap_url = ldap://server/
idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
</programlisting>
</refsect1>
<refsynopsisdiv>
<title>NOTE</title>
<para>In order to use authentication against ldap servers you may
need to provide a DN and a password. To avoid exposing the password
in plain text in the configuration file we store it in a security
store. The "net idmap" command is used to store a secret
for the DN specified in a specific idmap domain.
</para>
</refsynopsisdiv>
<refsect1>
<title>AUTHOR</title>
<para>
The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
</para>
</refsect1>
</refentry>