1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/examples/LDAP
Andrew Bartlett 4168d61fb2 This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP.  If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP.   We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap).  If we fail to read/add the domain entry, we just
fallback to the old behaviour.

We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available.  This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added.  Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.

The code now allows modifications to the ID mapping in many cases.

Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).

The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'.  This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.

On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.

We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate.  Instead, we just start at the bottom
of the range, and increment again if the user already exists.  The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.

Thanks to metze and AB for double-checking parts of this.

Andrew Bartlett
(This used to be commit 9c595c8c23)
2003-07-04 13:29:42 +00:00
..
convertSambaAccount applying fix for group map conversion (patch from Kristyan Osborne) 2003-07-01 15:21:43 +00:00
export_smbpasswd.pl syncing import/export smbpasswd file scripts from 2.2 2003-05-09 21:51:57 +00:00
import_smbpasswd.pl syncing import/export smbpasswd file scripts from 2.2 2003-05-09 21:51:57 +00:00
ldapchpasswd sync with 2.2 2001-12-26 05:35:40 +00:00
ldapsync.pl sync with 2.2 2001-12-26 05:35:40 +00:00
README syncing README to go along with scripts 2003-05-09 21:52:49 +00:00
samba-schema-netscapeds4.x merging some changes from SAMBA_2_2 2002-05-08 15:37:14 +00:00
samba-schema-netscapeds5.x merging some changes from SAMBA_2_2 2002-05-08 15:37:14 +00:00
samba-schema.IBMSecureWay merging some changes from SAMBA_2_2 2002-05-08 15:37:14 +00:00
samba.schema This patch cleans up some of our ldap code, for better behaviour: 2003-07-04 13:29:42 +00:00

!==
!== README File for storing smbpasswd in LDAP
!==
!== written by Gerald Carter <jerry@samba.org>
!==

This is a quick and dirty means of converting smbpasswd entries
to sambaAccount entriues in an LDAP directory.


Pre-requisites for import_smbpasswd.pl & export_smbpasswd.pl
--------------------------------------------------------------
These two scripts are modified versions of 
[import|export]_smbpasswd.pl rewritten to use the Net::LDAP
perl module available from 

	http://perl-ldap.sourceforge.net




OpenLDAP 2.0.x
--------------

A sample schema file (samba.schema) has been included for use
with OpenLDAP 2.0.x.  The OIDs used in this file are owned by
the Samba team and generated from its own Enterprise number
of 7165 (as issued by IANA).

Copy the samba.schema file into your /etc/openldap/schema directory,
and add an include for it in the /etc/openldap/slapd.conf file.
Note that samba.schema relies upon the uid and uidNumber attributes
from the RFC2307 schema (i.e. nis.schema)

If you choose to import /etc/passwd, nis, or nisplus tables 
into ldap, you can use migration tools provided by PADL Software 
which are located at 

	http://www.padl.com/tools.html

It is not a requirement that a user's /etc/passwd account
is stored in LDAP for the samba.schema file to work (although
the whole point of storing smbpasswd in LDAP is to have a 
single location for user accounts, right?)

The padl tools will leave you with LDIF files which you can import
into OpenLDAP.  Before you can import them, you need to include
nis.schema and cosine.schema in your slapd.conf file.

You must restart the LDAP server for these new included schema files 
to become active.


import_smbpasswd.pl
----------------------

Make sure you customize the local site variable in the perl script
(i.e. ldapserver, rootdn, rootpw, etc...).  The script reads from
standard input and requires that user entries already exist
in your directories containing the 'objectclass: posixAccount'
value pair.  For more information on this object and related schema,
refer to RFC2307 and http://www.padl.com/software.html).

The following will import an smbpasswd file into an LDAP directory

	$ cat smbpasswd | import_smbpasswd.pl


export_smbpasswd.pl
----------------------

Make sure you customize the local site variable in the perl script
(i.e. ldapserver, rootdn, rootpw, etc...).  You can then generate
an smbpasswd file by executing

	$ export_smbpasswd.pl > smbpasswd

NOTE: Server side (or client side) search limites may prevent
all users from being listed.  Check you directory server documentation
for details.



ldapsync.pl & ldapchgpasswd.pl
------------------------------
For more information on these scripts, see

	http://www.mami.net/univr/tng-ldap/howto/


The ldapsync.pl script requires a small command (smbencrypt) 
for generating LanMan and NT password hashes which 
can be found at ftp://samba.org/pub/samba/contributed/

!==
!== end of README
!==