-rw-r--r--  docs/htmldocs/LDAP.html  147
-rw-r--r--  docs/textdocs/LDAP.txt   150
2 files changed, 297 insertions, 0 deletions
diff --git a/docs/htmldocs/LDAP.html b/docs/htmldocs/LDAP.html
new file mode 100644
index 0000000000..1cc8f8213f
--- /dev/null
+++ b/docs/htmldocs/LDAP.html
@@ -0,0 +1,147 @@
+
+
+
+
+<html><head><title>LDAP Support in Samba</title>
+
+<link rev="made" href="mailto:samba-bugs@samba.org">
+</head>
+<body>
+
+<hr>
+
+<h1>LDAP Support in Samba</h1>
+<h2>Matthew Chapman</h2>
+<h2>29th November 1998
+<p> <hr> <h2>
+WARNING: This is experimental code. Use at your own risk, and please report
+any bugs (after reading BUGS.txt).
+</h2> <br>
+</h2>
+
+
+<a href="LDAP.html#l1"><h2>1: What is LDAP?</h2> </a>
+<a href="LDAP.html#l2"><h2>2: Why LDAP and Samba?</h2> </a>
+<a href="LDAP.html#l3"><h2>3: Using LDAP with Samba</h2> </a>
+<a href="LDAP.html#l4"><h2>4: Using LDAP for Unix authentication</h2> </a>
+<a href="LDAP.html#l5"><h2>5: Compatibility with Active Directory</h2> </a>
+
+<p><hr><p><br>
+<p>
+ <a name="l1"></a>
+<h2>1: What is LDAP?</h2>
+A directory is a type of hierarchical database optimised for simple query
+operations, often used for storing user information. LDAP is the
+Lightweight Directory Access Protocol, a protocol which is rapidly
+becoming the Internet standard for accessing directories.<p>
+ Many client applications now support LDAP (including Microsoft's Active
+Directory), and there are a number of servers available. The most popular
+implementation for Unix is from the <em>University of Michigan</em>; its
+homepage is at <a href="http://www.umich.edu/~dirsvcs/ldap/"><code>http://www.umich.edu/~dirsvcs/ldap/</code></a>.<p>
+ Information in an LDAP tree always comes in <code>attribute=value</code> pairs.
+The following is an example of a Samba user entry:<p>
+ <pre>
+uid=jbloggs, dc=samba, dc=org
+objectclass=sambaAccount
+uid=jbloggs
+cn=Joe Bloggs
+description=Samba User
+uidNumber=500
+gidNumber=500
+rid=2000
+grouprid=2001
+lmPassword=46E389809F8D55BB78A48108148AD508
+ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
+pwdLastSet=35C11F1B
+smbHome=\\samba1\jbloggs
+homeDrive=Z
+script=logon.bat
+profile=\\samba1\jbloggs\profile
+workstations=JOE
+</pre>
+<p>
+ Note that the top line is a special set of attributes called a
+<em>distinguished name</em> which identifies the location of this entry beneath
+the directory's root node. Recent Internet standards suggest the use of
+domain-based naming using <code>dc</code> attributes (for instance, a microsoft.com
+directory should have a root node of <code>dc=microsoft, dc=com</code>), although
+this is not strictly necessary for isolated servers.<p>
+ There are a number of LDAP-related FAQ's on the internet, although
+generally the best source of information is the documentation for the
+individual servers.<p>
+ <br>
+<a name="l2"></a>
+<h2>2: Why LDAP and Samba?</h2><p>
+ Using an LDAP directory allows Samba to store user and group information
+more reliably and flexibly than the current combination of smbpasswd,
+smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges
+for extra user information to be stored, this can easily be added without
+loss of backwards compatibility.<p>
+ In addition, the Samba LDAP schema is compatible with RFC2307, allowing
+Unix password database information to be stored in the same entries. This
+provides a single, consistent repository for both Unix and Windows user
+information.<p>
+ <br>
+<a name="l3"></a>
+<h2>3: Using LDAP with Samba</h2><p>
+ <ol><p>
+ <li> Install and configure an LDAP server if you do not already have
+one. You should read your LDAP server's documentation and set up the
+configuration file and access control as desired.<p>
+ <li> Build Samba (latest CVS is required) with:<p>
+ <pre>
+ ./configure --with-ldap
+ make clean; make install
+</pre>
+<p>
+ <li> Add the following options to the global section of <code>smb.conf</code> as
+required.<p>
+ <ul>
+<li><strong>ldap suffix</strong><p>
+ This parameter specifies the node of the LDAP tree beneath which
+Samba should store its information. This parameter MUST be provided
+when using LDAP with Samba.<p>
+ <strong>Default:</strong> <code>none</code><p>
+ <strong>Example:</strong> <code>ldap suffix = "dc=mydomain, dc=org"</code><p>
+ <li><strong>ldap bind as</strong><p>
+ This parameter specifies the entity to bind to an LDAP directory as.
+Usually it should be safe to use the LDAP root account; for larger
+installations it may be preferable to restrict Samba's access.<p>
+ <strong>Default:</strong> <code>none (bind anonymously)</code><p>
+ <strong>Example:</strong> <code>ldap bind as = "uid=root, dc=mydomain, dc=org"</code><p>
+ <li><strong>ldap passwd file</strong><p>
+ This parameter specifies a file containing the password with which
+Samba should bind to an LDAP server. For obvious security reasons
+this file must be set to mode 700 or less.<p>
+ <strong>Default:</strong> <code>none (bind anonymously)</code><p>
+ <strong>Example:</strong> <code>ldap passwd file = /usr/local/samba/private/ldappasswd</code><p>
+ <li><strong>ldap server</strong><p>
+ This parameter specifies the DNS name of the LDAP server to use
+when storing and retrieving information about Samba users and
+groups.<p>
+ <strong>Default:</strong> <code>ldap server = localhost</code><p>
+ <li><strong>ldap port</strong><p>
+ This parameter specifies the TCP port number of the LDAP server.<p>
+ <strong>Default:</strong> <code>ldap port = 389</code><p>
+ </ul><p>
+ <li> You should then be able to use the normal smbpasswd(8) command for
+account administration (or User Manager in the near future).<p>
+ </ol><p>
+ <br>
+<a name="l4"></a>
+<h2>4: Using LDAP for Unix authentication</h2><p>
+ The Samba LDAP code was designed to utilise RFC2307-compliant directory
+entries if available. RFC2307 is a proposed standard for LDAP user
+information which has been adopted by a number of vendors. Further
+information is available at <a href="http://www.xedoc.com.au/~lukeh/ldap"><code>http://www.xedoc.com.au/~lukeh/ldap/</code></a>.<p>
+ Of particular interest is Luke Howard's nameservice switch module
+(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing
+LDAP-based password databases for Unix. If you are setting up a server to
+provide integrated Unix/NT services than these are worth investigating.<p>
+ <br>
+<a name="l5"></a>
+<h2>5: Compatibility with Active Directory</h2><p>
+ The current implementation is not designed to be used with Microsoft
+Active Directory, although compatibility may be added in the future.<p>
+ </body>
+</html>
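Review bot: step 1 of section 3 ("set up the configuration file and access control as desired") hands the reader the one ACL decision that matters without saying what it is, while the sample entry above it shows why it matters: `lmPassword` and `ntPassword` are password-equivalent for LM/NTLM authentication, so any principal that can read those two attributes can authenticate as the user without cracking anything. The text should state that these attributes must be readable (and writable) only by the DN named in `ldap bind as`, and that, because both `ldap bind as` and `ldap passwd file` default to "none (bind anonymously)", an anonymous bind cannot coexist with such an ACL: the two parameters are effectively mandatory for any directory that is not world-readable, and the "as required" wording in step 3 undersells that. The advice "Usually it should be safe to use the LDAP root account" points the wrong way on least privilege; with the example `ldap bind as = "uid=root, dc=mydomain, dc=org"` a compromise of the Samba host yields write access to the entire directory, so the example should be a dedicated DN whose write access is confined to the `ldap suffix` subtree. Smaller items: "provide integrated Unix/NT services than these are worth investigating" should read "then these are worth investigating"; the `<h2>29th November 1998` heading is never closed, so the WARNING `<h2>` ends up nested inside it, and the table of contents wraps block-level `<h2>` elements inside inline `<a>` elements, so the heading structure of the page does not validate.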
diff --git a/docs/textdocs/LDAP.txt b/docs/textdocs/LDAP.txt
new file mode 100644
index 0000000000..9c419b00f3
--- /dev/null
+++ b/docs/textdocs/LDAP.txt
@@ -0,0 +1,150 @@
+
+TITLE INFORMATION: LDAP Support in Samba
+AUTHOR INFORMATION: Matthew Chapman
+DATE INFORMATION: 29th November 1998
+
+WARNING: This is experimental code. Use at your own risk, and please report
+any bugs (after reading BUGS.txt).
+
+Contents
+
+1: What is LDAP?
+2: Why LDAP and Samba?
+3: Using LDAP with Samba
+4: Using LDAP for Unix authentication
+5: Compatibility with Active Directory
+
+1: What is LDAP?
+
+A directory is a type of hierarchical database optimised for simple query
+operations, often used for storing user information. LDAP is the
+Lightweight Directory Access Protocol, a protocol which is rapidly
+becoming the Internet standard for accessing directories.
+
+Many client applications now support LDAP (including Microsoft's Active
+Directory), and there are a number of servers available. The most popular
+implementation for Unix is from the University of Michigan; its
+homepage is at http://www.umich.edu/~dirsvcs/ldap/.
+
+Information in an LDAP tree always comes in attribute=value pairs.
+The following is an example of a Samba user entry:
+
+uid=jbloggs, dc=samba, dc=org
+objectclass=sambaAccount
+uid=jbloggs
+cn=Joe Bloggs
+description=Samba User
+uidNumber=500
+gidNumber=500
+rid=2000
+grouprid=2001
+lmPassword=46E389809F8D55BB78A48108148AD508
+ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
+pwdLastSet=35C11F1B
+smbHome=\\samba1\jbloggs
+homeDrive=Z
+script=logon.bat
+profile=\\samba1\jbloggs\profile
+workstations=JOE
+
+Note that the top line is a special set of attributes called a
+distinguished name which identifies the location of this entry beneath
+the directory's root node. Recent Internet standards suggest the use of
+domain-based naming using dc attributes (for instance, a microsoft.com
+directory should have a root node of dc=microsoft, dc=com), although
+this is not strictly necessary for isolated servers.
+
+There are a number of LDAP-related FAQ's on the internet, although
+generally the best source of information is the documentation for the
+individual servers.
+
+2: Why LDAP and Samba?
+
+Using an LDAP directory allows Samba to store user and group information
+more reliably and flexibly than the current combination of smbpasswd,
+smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges
+for extra user information to be stored, this can easily be added without
+loss of backwards compatibility.
+
+In addition, the Samba LDAP schema is compatible with RFC2307, allowing
+Unix password database information to be stored in the same entries. This
+provides a single, consistent repository for both Unix and Windows user
+information.
+
+3: Using LDAP with Samba
+
+1 Install and configure an LDAP server if you do not already have
+one. You should read your LDAP server's documentation and set up the
+configuration file and access control as desired.
+
+2 Build Samba (latest CVS is required) with:
+
+ ./configure --with-ldap
+ make clean; make install
+
+3 Add the following options to the global section of smb.conf as
+required.
+
+o ldap suffix
+
+This parameter specifies the node of the LDAP tree beneath which
+Samba should store its information. This parameter MUST be provided
+when using LDAP with Samba.
+
+Default: none
+
+Example: ldap suffix = "dc=mydomain, dc=org"
+
+o ldap bind as
+
+This parameter specifies the entity to bind to an LDAP directory as.
+Usually it should be safe to use the LDAP root account; for larger
+installations it may be preferable to restrict Samba's access.
+
+Default: none (bind anonymously)
+
+Example: ldap bind as = "uid=root, dc=mydomain, dc=org"
+
+o ldap passwd file
+
+This parameter specifies a file containing the password with which
+Samba should bind to an LDAP server. For obvious security reasons
+this file must be set to mode 700 or less.
+
+Default: none (bind anonymously)
+
+Example: ldap passwd file = /usr/local/samba/private/ldappasswd
+
+o ldap server
+
+This parameter specifies the DNS name of the LDAP server to use
+when storing and retrieving information about Samba users and
+groups.
+
+Default: ldap server = localhost
+
+o ldap port
+
+This parameter specifies the TCP port number of the LDAP server.
+
+Default: ldap port = 389
+
+4 You should then be able to use the normal smbpasswd(8) command for
+account administration (or User Manager in the near future).
+
+4: Using LDAP for Unix authentication
+
+The Samba LDAP code was designed to utilise RFC2307-compliant directory
+entries if available. RFC2307 is a proposed standard for LDAP user
+information which has been adopted by a number of vendors. Further
+information is available at http://www.xedoc.com.au/~lukeh/ldap/.
+
+Of particular interest is Luke Howard's nameservice switch module
+(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing
+LDAP-based password databases for Unix. If you are setting up a server to
+provide integrated Unix/NT services than these are worth investigating.
+
+5: Compatibility with Active Directory
+
+The current implementation is not designed to be used with Microsoft
+Active Directory, although compatibility may be added in the future.
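Review bot: `ldap port = 389` as the default, with no TLS or SASL parameter anywhere in the option list, means the simple bind sends the contents of `ldap passwd file` in cleartext and every read or write of `lmPassword`/`ntPassword` crosses the wire unencrypted; since those hashes are usable directly for NTLM authentication, the text should say plainly that the directory must live on `localhost` (the default `ldap server`) or on a link the administrator trusts as much as the Samba host itself, and that changing `ldap server` to a remote name without protecting the link exposes every account. On `ldap passwd file`, "mode 700 or less" should be "mode 600" (the execute bit has no purpose on a file holding a password) and the file should be owned by the user smbd runs as; `/usr/local/samba/private/` is the right place for it, as the example shows. This text file is a word-for-word twin of the HTML version, so it carries the same "than these are worth investigating" typo (should be "then"), and the two copies will drift unless one is generated from the other or a comment at the top of each names the other as something to update in step.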