sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-22 22:04:08 +03:00
Code
samba-mirror/docs/htmldocs/LDAP.html
Luke Leighton 4f85105578 added text and html versions of LDAP.yo. smb.conf.5 not generated yet 
because there were parts rejected from the ldap patch file.
-

148 lines
6.0 KiB
HTML
Raw Blame History

<html><head><title>LDAP Support in Samba</title>
<link rev="made" href="mailto:samba-bugs@samba.org">
</head>
<body>
<hr>
<h1>LDAP Support in Samba</h1>
<h2>Matthew Chapman</h2>
<h2>29th November 1998
<p> <hr> <h2>
WARNING: This is experimental code. Use at your own risk, and please report
any bugs (after reading BUGS.txt).
</h2> <br>
</h2>
<a href="LDAP.html#l1"><h2>1: What is LDAP?</h2> </a>
<a href="LDAP.html#l2"><h2>2: Why LDAP and Samba?</h2> </a>
<a href="LDAP.html#l3"><h2>3: Using LDAP with Samba</h2> </a>
<a href="LDAP.html#l4"><h2>4: Using LDAP for Unix authentication</h2> </a>
<a href="LDAP.html#l5"><h2>5: Compatibility with Active Directory</h2> </a>
<p><hr><p><br>
<p>
<a name="l1"></a>
<h2>1: What is LDAP?</h2>
A directory is a type of hierarchical database optimised for simple query
operations, often used for storing user information. LDAP is the
Lightweight Directory Access Protocol, a protocol which is rapidly
becoming the Internet standard for accessing directories.<p>
Many client applications now support LDAP (including Microsoft's Active
Directory), and there are a number of servers available. The most popular
implementation for Unix is from the <em>University of Michigan</em>; its
homepage is at <a href="http://www.umich.edu/~dirsvcs/ldap/"><code>http://www.umich.edu/~dirsvcs/ldap/</code></a>.<p>
Information in an LDAP tree always comes in <code>attribute=value</code> pairs.
The following is an example of a Samba user entry:<p>
<pre>
uid=jbloggs, dc=samba, dc=org
objectclass=sambaAccount
uid=jbloggs
cn=Joe Bloggs
description=Samba User
uidNumber=500
gidNumber=500
rid=2000
grouprid=2001
lmPassword=46E389809F8D55BB78A48108148AD508
ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
pwdLastSet=35C11F1B
smbHome=\\samba1\jbloggs
homeDrive=Z
script=logon.bat
profile=\\samba1\jbloggs\profile
workstations=JOE
</pre>
<p>
Note that the top line is a special set of attributes called a
<em>distinguished name</em> which identifies the location of this entry beneath
the directory's root node. Recent Internet standards suggest the use of
domain-based naming using <code>dc</code> attributes (for instance, a microsoft.com
directory should have a root node of <code>dc=microsoft, dc=com</code>), although
this is not strictly necessary for isolated servers.<p>
There are a number of LDAP-related FAQ's on the internet, although
generally the best source of information is the documentation for the
individual servers.<p>
<br>
<a name="l2"></a>
<h2>2: Why LDAP and Samba?</h2><p>
Using an LDAP directory allows Samba to store user and group information
more reliably and flexibly than the current combination of smbpasswd,
smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges
for extra user information to be stored, this can easily be added without
loss of backwards compatibility.<p>
In addition, the Samba LDAP schema is compatible with RFC2307, allowing
Unix password database information to be stored in the same entries. This
provides a single, consistent repository for both Unix and Windows user
information.<p>
<br>
<a name="l3"></a>
<h2>3: Using LDAP with Samba</h2><p>
<ol><p>
<li> Install and configure an LDAP server if you do not already have
one. You should read your LDAP server's documentation and set up the
configuration file and access control as desired.<p>
<li> Build Samba (latest CVS is required) with:<p>
<pre>
./configure --with-ldap
make clean; make install
</pre>
<p>
<li> Add the following options to the global section of <code>smb.conf</code> as
required.<p>
<ul>
<li><strong>ldap suffix</strong><p>
This parameter specifies the node of the LDAP tree beneath which
Samba should store its information. This parameter MUST be provided
when using LDAP with Samba.<p>
<strong>Default:</strong> <code>none</code><p>
<strong>Example:</strong> <code>ldap suffix = "dc=mydomain, dc=org"</code><p>
<li><strong>ldap bind as</strong><p>
This parameter specifies the entity to bind to an LDAP directory as.
Usually it should be safe to use the LDAP root account; for larger
installations it may be preferable to restrict Samba's access.<p>
<strong>Default:</strong> <code>none (bind anonymously)</code><p>
<strong>Example:</strong> <code>ldap bind as = "uid=root, dc=mydomain, dc=org"</code><p>
<li><strong>ldap passwd file</strong><p>
This parameter specifies a file containing the password with which
Samba should bind to an LDAP server. For obvious security reasons
this file must be set to mode 700 or less.<p>
<strong>Default:</strong> <code>none (bind anonymously)</code><p>
<strong>Example:</strong> <code>ldap passwd file = /usr/local/samba/private/ldappasswd</code><p>
<li><strong>ldap server</strong><p>
This parameter specifies the DNS name of the LDAP server to use
when storing and retrieving information about Samba users and
groups.<p>
<strong>Default:</strong> <code>ldap server = localhost</code><p>
<li><strong>ldap port</strong><p>
This parameter specifies the TCP port number of the LDAP server.<p>
<strong>Default:</strong> <code>ldap port = 389</code><p>
</ul><p>
<li> You should then be able to use the normal smbpasswd(8) command for
account administration (or User Manager in the near future).<p>
</ol><p>
<br>
<a name="l4"></a>
<h2>4: Using LDAP for Unix authentication</h2><p>
The Samba LDAP code was designed to utilise RFC2307-compliant directory
entries if available. RFC2307 is a proposed standard for LDAP user
information which has been adopted by a number of vendors. Further
information is available at <a href="http://www.xedoc.com.au/~lukeh/ldap"><code>http://www.xedoc.com.au/~lukeh/ldap/</code></a>.<p>
Of particular interest is Luke Howard's nameservice switch module
(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing
LDAP-based password databases for Unix. If you are setting up a server to
provide integrated Unix/NT services than these are worth investigating.<p>
<br>
<a name="l5"></a>
<h2>5: Compatibility with Active Directory</h2><p>
The current implementation is not designed to be used with Microsoft
Active Directory, although compatibility may be added in the future.<p>
</body>
</html>
View Git Blame Copy Permalink