author: Luke Leighton <lkcl@samba.org> 1998-12-07 21:48:58 +0000
committer: Luke Leighton <lkcl@samba.org> 1998-12-07 21:48:58 +0000
commit: 4447b6c79df51bebadc673449c50ffad13f75de1 (patch)
tree: 68e71f4e797b933d1daeab0139b67bbde4762460 /docs/textdocs/LDAP.txt
parent: 8e2598144a35dd99cd51b15dfccf790b1a75d308 (diff)
added text and html versions of LDAP.yo. smb.conf.5 not generated yet
because there were parts rejected from the ldap patch file. (This used to be commit 4f85105578fdf74d883f185f983e608112fe823b)
Diffstat (limited to 'docs/textdocs/LDAP.txt')
-rw-r--r--  docs/textdocs/LDAP.txt  150
1 file changed, 150 insertions, 0 deletions
diff --git a/docs/textdocs/LDAP.txt b/docs/textdocs/LDAP.txt
new file mode 100644
index 0000000000..9c419b00f3
--- /dev/null
+++ b/docs/textdocs/LDAP.txt
@@ -0,0 +1,150 @@
+
+TITLE INFORMATION: LDAP Support in Samba
+AUTHOR INFORMATION: Matthew Chapman
+DATE INFORMATION: 29th November 1998
+
+WARNING: This is experimental code. Use at your own risk, and please report
+any bugs (after reading BUGS.txt).
+
+Contents
+
+1: What is LDAP?
+2: Why LDAP and Samba?
+3: Using LDAP with Samba
+4: Using LDAP for Unix authentication
+5: Compatibility with Active Directory
+
+1: What is LDAP?
+
+A directory is a type of hierarchical database optimised for simple query
+operations, often used for storing user information. LDAP is the
+Lightweight Directory Access Protocol, a protocol which is rapidly
+becoming the Internet standard for accessing directories.
+
+Many client applications now support LDAP (including Microsoft's Active
+Directory), and there are a number of servers available. The most popular
+implementation for Unix is from the University of Michigan; its
+homepage is at http://www.umich.edu/~dirsvcs/ldap/.
+
+Information in an LDAP tree always comes in attribute=value pairs.
+The following is an example of a Samba user entry:
+
+uid=jbloggs, dc=samba, dc=org
+objectclass=sambaAccount
+uid=jbloggs
+cn=Joe Bloggs
+description=Samba User
+uidNumber=500
+gidNumber=500
+rid=2000
+grouprid=2001
+lmPassword=46E389809F8D55BB78A48108148AD508
+ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
+pwdLastSet=35C11F1B
+smbHome=\\samba1\jbloggs
+homeDrive=Z
+script=logon.bat
+profile=\\samba1\jbloggs\profile
+workstations=JOE
+
+Note that the top line is a special set of attributes called a
+distinguished name which identifies the location of this entry beneath
+the directory's root node. Recent Internet standards suggest the use of
+domain-based naming using dc attributes (for instance, a microsoft.com
+directory should have a root node of dc=microsoft, dc=com), although
+this is not strictly necessary for isolated servers.
+
+There are a number of LDAP-related FAQ's on the internet, although
+generally the best source of information is the documentation for the
+individual servers.
+
+2: Why LDAP and Samba?
+
+Using an LDAP directory allows Samba to store user and group information
+more reliably and flexibly than the current combination of smbpasswd,
+smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges
+for extra user information to be stored, this can easily be added without
+loss of backwards compatibility.
+
+In addition, the Samba LDAP schema is compatible with RFC2307, allowing
+Unix password database information to be stored in the same entries. This
+provides a single, consistent repository for both Unix and Windows user
+information.
+
+3: Using LDAP with Samba
+
+1 Install and configure an LDAP server if you do not already have
+one. You should read your LDAP server's documentation and set up the
+configuration file and access control as desired.
+
+2 Build Samba (latest CVS is required) with:
+
+ ./configure --with-ldap
+ make clean; make install
+
+3 Add the following options to the global section of smb.conf as
+required.
+
+o ldap suffix
+
+This parameter specifies the node of the LDAP tree beneath which
+Samba should store its information. This parameter MUST be provided
+when using LDAP with Samba.
+
+Default: none
+
+Example: ldap suffix = "dc=mydomain, dc=org"
+
+o ldap bind as
+
+This parameter specifies the entity to bind to an LDAP directory as.
+Usually it should be safe to use the LDAP root account; for larger
+installations it may be preferable to restrict Samba's access.
+
+Default: none (bind anonymously)
+
+Example: ldap bind as = "uid=root, dc=mydomain, dc=org"
+
+o ldap passwd file
+
+This parameter specifies a file containing the password with which
+Samba should bind to an LDAP server. For obvious security reasons
+this file must be set to mode 700 or less.
+
+Default: none (bind anonymously)
+
+Example: ldap passwd file = /usr/local/samba/private/ldappasswd
+
+o ldap server
+
+This parameter specifies the DNS name of the LDAP server to use
+when storing and retrieving information about Samba users and
+groups.
+
+Default: ldap server = localhost
+
+o ldap port
+
+This parameter specifies the TCP port number of the LDAP server.
+
+Default: ldap port = 389
+
+4 You should then be able to use the normal smbpasswd(8) command for
+account administration (or User Manager in the near future).
+
+4: Using LDAP for Unix authentication
+
+The Samba LDAP code was designed to utilise RFC2307-compliant directory
+entries if available. RFC2307 is a proposed standard for LDAP user
+information which has been adopted by a number of vendors. Further
+information is available at http://www.xedoc.com.au/~lukeh/ldap/.
+
+Of particular interest is Luke Howard's nameservice switch module
+(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing
+LDAP-based password databases for Unix. If you are setting up a server to
+provide integrated Unix/NT services than these are worth investigating.
+
+5: Compatibility with Active Directory
+
+The current implementation is not designed to be used with Microsoft
+Active Directory, although compatibility may be added in the future.
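Review bot: the "ldap passwd file" paragraph says the file "must be set to mode 700 or less"; a file that only holds a bind password needs no execute bit, so the recommendation should be mode 600 (owner read/write only) and ownership by the account that runs smbd, which is the more precise form of the advice already given. Related, the example entry in section 1 stores lmPassword and ntPassword, which are password-equivalent hashes, while the default for "ldap bind as" is to bind anonymously; step 1 of section 3 only says to set up "access control as desired". The document should state explicitly that the LDAP server's access control must deny read access to lmPassword and ntPassword for anonymous and ordinary bound users, and that a non-anonymous "ldap bind as" identity with write access to the Samba subtree is needed for smbpasswd(8) to update entries. Minor: "FAQ's" should be "FAQs", and "than these are worth investigating" in section 4 should read "then these are worth investigating".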