author Luke Leighton <lkcl@samba.org> 1998-12-07 22:52:49 +0000
committer Luke Leighton <lkcl@samba.org> 1998-12-07 22:52:49 +0000
commit 4323fd4072854069eb9a3fe0dc0c33fb06b19335
tree 27b03928c278f59d336f2f1bec506c54b366ee2e /docs
parent 656a7565e9beecc4a5be4e9ac62815d61548dd46
added ldap files by Matthew Chapman.
(This used to be commit 2bc031e8fafeafdc58c6a8056597b647d00657ae)
Diffstat (limited to 'docs')
-rw-r--r-- docs/yodldocs/LDAP.yo 161
1 files changed, 161 insertions, 0 deletions
diff --git a/docs/yodldocs/LDAP.yo b/docs/yodldocs/LDAP.yo
new file mode 100644
index 0000000000..cf454904d3
--- /dev/null
+++ b/docs/yodldocs/LDAP.yo
@@ -0,0 +1,161 @@
+mailto(samba-bugs@samba.org)
+article(LDAP Support in Samba)(Matthew Chapman)(29th November 1998
+htmltag(p)(1) htmltag(hr)(1) htmltag(h2)(1)
+WARNING: This is experimental code. Use at your own risk, and please report
+any bugs (after reading BUGS.txt).
+htmltag(h2)(0) htmltag(br)(1)
+)
+redef(PARAGRAPH)(0)(htmlcommand(<p>
+) txtcommand(
+
+))
+
+sect(What is LDAP?)
+A directory is a type of hierarchical database optimised for simple query
+operations, often used for storing user information. LDAP is the
+Lightweight Directory Access Protocol, a protocol which is rapidly
+becoming the Internet standard for accessing directories.
+
+Many client applications now support LDAP (including Microsoft's Active
+Directory), and there are a number of servers available. The most popular
+implementation for Unix is from the em(University of Michigan); its
+homepage is at url(tt(http://www.umich.edu/~dirsvcs/ldap/))(http://www.umich.edu/~dirsvcs/ldap/).
+
+Information in an LDAP tree always comes in tt(attribute=value) pairs.
+The following is an example of a Samba user entry:
+
+verb(uid=jbloggs, dc=samba, dc=org
+objectclass=sambaAccount
+uid=jbloggs
+cn=Joe Bloggs
+description=Samba User
+uidNumber=500
+gidNumber=500
+rid=2000
+grouprid=2001
+lmPassword=46E389809F8D55BB78A48108148AD508
+ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
+pwdLastSet=35C11F1B
+smbHome=\\samba1\jbloggs
+homeDrive=Z
+script=logon.bat
+profile=\\samba1\jbloggs\profile
+workstations=JOE)
+
+Note that the top line is a special set of attributes called a
+em(distinguished name) which identifies the location of this entry beneath
+the directory's root node. Recent Internet standards suggest the use of
+domain-based naming using tt(dc) attributes (for instance, a microsoft.com
+directory should have a root node of tt(dc=microsoft, dc=com)), although
+this is not strictly necessary for isolated servers.
+
+There are a number of LDAP-related FAQ's on the internet, although
+generally the best source of information is the documentation for the
+individual servers.
+
+
+nl()
+sect(Why LDAP and Samba?)
+
+Using an LDAP directory allows Samba to store user and group information
+more reliably and flexibly than the current combination of smbpasswd,
+smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges
+for extra user information to be stored, this can easily be added without
+loss of backwards compatibility.
+
+In addition, the Samba LDAP schema is compatible with RFC2307, allowing
+Unix password database information to be stored in the same entries. This
+provides a single, consistent repository for both Unix and Windows user
+information.
+
+
+nl()
+sect(Using LDAP with Samba)
+
+starteit()
+
+eit() Install and configure an LDAP server if you do not already have
+one. You should read your LDAP server's documentation and set up the
+configuration file and access control as desired.
+
+eit() Build Samba (latest CVS is required) with:
+
+verb( ./configure --with-ldap
+ make clean; make install)
+
+eit() Add the following options to the global section of tt(smb.conf) as
+required.
+
+startdit()
+dit(ldap suffix)
+
+This parameter specifies the node of the LDAP tree beneath which
+Samba should store its information. This parameter MUST be provided
+when using LDAP with Samba.
+
+ bf(Default:) tt(none)
+
+ bf(Example:) tt(ldap suffix = "dc=mydomain, dc=org")
+
+dit(ldap bind as)
+
+This parameter specifies the entity to bind to an LDAP directory as.
+Usually it should be safe to use the LDAP root account; for larger
+installations it may be preferable to restrict Samba's access.
+
+ bf(Default:) tt(none (bind anonymously))
+
+ bf(Example:) tt(ldap bind as = "uid=root, dc=mydomain, dc=org")
+
+dit(ldap passwd file)
+
+This parameter specifies a file containing the password with which
+Samba should bind to an LDAP server. For obvious security reasons
+this file must be set to mode 700 or less.
+
+ bf(Default:) tt(none (bind anonymously))
+
+ bf(Example:) tt(ldap passwd file = /usr/local/samba/private/ldappasswd)
+
+dit(ldap server)
+
+This parameter specifies the DNS name of the LDAP server to use
+when storing and retrieving information about Samba users and
+groups.
+
+ bf(Default:) tt(ldap server = localhost)
+
+dit(ldap port)
+
+This parameter specifies the TCP port number of the LDAP server.
+
+ bf(Default:) tt(ldap port = 389)
+
+enddit()
+
+eit() You should then be able to use the normal smbpasswd(8) command for
+account administration (or User Manager in the near future).
+
+endeit()
+
+
+nl()
+sect(Using LDAP for Unix authentication)
+
+The Samba LDAP code was designed to utilise RFC2307-compliant directory
+entries if available. RFC2307 is a proposed standard for LDAP user
+information which has been adopted by a number of vendors. Further
+information is available at url(tt(http://www.xedoc.com.au/~lukeh/ldap/))(http://www.xedoc.com.au/~lukeh/ldap).
+
+Of particular interest is Luke Howard's nameservice switch module
+(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing
+LDAP-based password databases for Unix. If you are setting up a server to
+provide integrated Unix/NT services than these are worth investigating.
+
+
+nl()
+sect(Compatibility with Active Directory)
+
+The current implementation is not designed to be used with Microsoft
+Active Directory, although compatibility may be added in the future.
+
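Review bot: the "ldap passwd file" entry says the file "must be set to mode 700 or less", which is the wrong guidance for a file holding the bind password. Mode 700 sets the execute bit on a plain data file, and "or less" does not say which bits have to be clear. Suggest wording such as "must be owned by root and readable only by its owner (mode 600)", and state whether Samba refuses to start when the permissions are looser. Related points in the same hunk: "ldap bind as" describes binding with the LDAP root account as usually safe and uses it in the example, while the install step only says to set up access control "as desired". Since the sample entry carries lmPassword and ntPassword, the text should recommend a dedicated bind DN with access limited to the subtree under "ldap suffix", and say that those two attributes must not be readable by anonymous or ordinary users. This matters all the more because the documented default is an anonymous bind. The options also give no indication that the connection to "ldap server" on port 389 is protected, so the doc should note that the bind password and the hashes cross the network as configured here, or recommend keeping the server on localhost, which is already the default. Minor: "than these are worth investigating" should read "then", and "FAQ's" should be "FAQs".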