summaryrefslogtreecommitdiff
path: root/docs/smbdotconf
diff options
context:
space:
mode:
authorSimo Sorce <idra@samba.org>2007-03-21 22:37:54 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:47:30 -0500
commit987e11cdc9b0a29657d474a784b180b8d797a2be (patch)
tree0fbe8d09a6326a2cb89623855c61c1b0eeb8c3a9 /docs/smbdotconf
parent812b69a496b27302e63ba19fb160cfcc6a039b17 (diff)
downloadsamba-987e11cdc9b0a29657d474a784b180b8d797a2be.tar.gz
samba-987e11cdc9b0a29657d474a784b180b8d797a2be.tar.bz2
samba-987e11cdc9b0a29657d474a784b180b8d797a2be.zip
Document the ldapsam:editposix parametrical option
(This used to be commit 68558b947543c35221722f8752c6fce3e831d3b5)
Diffstat (limited to 'docs/smbdotconf')
-rw-r--r--docs/smbdotconf/ldap/ldapsameditposix.xml93
1 files changed, 93 insertions, 0 deletions
diff --git a/docs/smbdotconf/ldap/ldapsameditposix.xml b/docs/smbdotconf/ldap/ldapsameditposix.xml
new file mode 100644
index 0000000000..c10a0759bc
--- /dev/null
+++ b/docs/smbdotconf/ldap/ldapsameditposix.xml
@@ -0,0 +1,93 @@
+<samba:parameter name="ldapsam:editposix"
+ context="G"
+ type="string"
+ advanced="1" developer="0"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller
+ eliminating the need to set up custom scripts to add and manage the posix users and groups. This option
+ will instead directly manipulate the ldap tree to create, remove and modify user and group entries.
+ This option also requires a running winbindd as it is used to allocate new uids/gids on user/group
+ creation. The allocation range must be therefore configured.
+ </para>
+
+ <para>
+ To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly
+ configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users,
+ Domain Admins, Domain Guests) can be precreated with the command <command moreinfo="none">net sam
+ provision</command>. To run this command the ldap server must be running, Winindd must be running and
+ the smb.conf ldap options must be properly configured.
+
+ The tipical ldap setup used with the <smbconfoption name="ldapsam:trusted">yes</smbconfoption> option
+ is usually sufficient to use <smbconfoption name="ldapsam:editposix">yes</smbconfoption> as well.
+ </para>
+
+ <para>
+ An example configuration can be the following:
+
+ <programlisting>
+ encrypt passwords = true
+ passdb backend = ldapsam
+
+ ldapsam:trusted=yes
+ ldapsam:editposix=yes
+
+ ldap admin dn = cn=admin,dc=samba,dc=org
+ ldap delete dn = yes
+ ldap group suffix = ou=groups
+ ldap idmap suffix = ou=idmap
+ ldap machine suffix = ou=computers
+ ldap user suffix = ou=users
+ ldap suffix = dc=samba,dc=org
+
+ idmap backend = ldap:"ldap://localhost"
+
+ idmap uid = 5000-50000
+ idmap gid = 5000-50000
+ </programlisting>
+
+ This configuration assume the ldap server have been loaded with a base tree like described
+ in the following ldif:
+
+ <programlisting>
+ dn: dc=samba,dc=org
+ objectClass: top
+ objectClass: dcObject
+ objectClass: organization
+ o: samba.org
+ dc: samba
+
+ dn: cn=admin,dc=samba,dc=org
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ cn: admin
+ description: LDAP administrator
+ userPassword: secret
+
+ dn: ou=users,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: users
+
+ dn: ou=groups,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: groups
+
+ dn: ou=idmap,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: idmap
+
+ dn: ou=computers,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: computers
+ </programlisting>
+ </para>
+
+</description>
+<value type="default">no</value>
+</samba:parameter>