summaryrefslogtreecommitdiff
path: root/docs-xml/manpages-3/idmap_ldap.8.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs-xml/manpages-3/idmap_ldap.8.xml')
-rw-r--r--docs-xml/manpages-3/idmap_ldap.8.xml165
1 files changed, 165 insertions, 0 deletions
diff --git a/docs-xml/manpages-3/idmap_ldap.8.xml b/docs-xml/manpages-3/idmap_ldap.8.xml
new file mode 100644
index 0000000000..ea7def3a0c
--- /dev/null
+++ b/docs-xml/manpages-3/idmap_ldap.8.xml
@@ -0,0 +1,165 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="idmap_ldap.8">
+
+<refmeta>
+ <refentrytitle>idmap_ldap</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">3.2</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>idmap_ldap</refname>
+ <refpurpose>Samba's idmap_ldap Backend for Winbind</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <title>DESCRIPTION</title>
+
+ <para>The idmap_ldap plugin provides a means for Winbind to
+ store and retrieve SID/uid/gid mapping tables in an LDAP directory
+ service. The module implements both the &quot;idmap&quot; and
+ &quot;idmap alloc&quot; APIs.
+ </para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>IDMAP OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>ldap_base_dn = DN</term>
+ <listitem><para>
+ Defines the directory base suffix to use when searching for
+ SID/uid/gid mapping entries. If not defined, idmap_ldap will default
+ to using the &quot;ldap idmap suffix&quot; option from smb.conf.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_dn = DN</term>
+ <listitem><para>
+ Defines the user DN to be used for authentication. If absent an
+ anonymous bind will be performed.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_url = ldap://server/</term>
+ <listitem><para>
+ Specifies the LDAP server to use when searching for existing
+ SID/uid/gid map entries. If not defined, idmap_ldap will
+ assume that ldap://localhost/ should be used.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range for which the
+ backend is authoritative. Note that the range commonly matches
+ the allocation range due to the fact that the same backend will
+ store and retrieve SID/uid/gid mapping entries. If the parameter
+ is absent, Winbind fail over to use the &quot;idmap uid&quot; and
+ &quot;idmap gid&quot; options from smb.conf.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>IDMAP ALLOC OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>ldap_base_dn = DN</term>
+ <listitem><para>
+ Defines the directory base suffix under which new SID/uid/gid mapping
+ entries should be stored. If not defined, idmap_ldap will default
+ to using the &quot;ldap idmap suffix&quot; option from smb.conf.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_user_dn = DN</term>
+ <listitem><para>
+ Defines the user DN to be used for authentication. If absent an
+ anonymous bind will be performed.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_url = ldap://server/</term>
+ <listitem><para>
+ Specifies the LDAP server to which modify/add/delete requests should
+ be sent. If not defined, idmap_ldap will assume that ldap://localhost/
+ should be used.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range from which
+ winbindd can allocate for users and groups. If the parameter
+ is absent, Winbind fail over to use the &quot;idmap uid&quot;
+ and &quot;idmap gid&quot; options from smb.conf.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+
+ <para>
+ The follow sets of a LDAP configuration which uses a slave server
+ running on localhost for fast fetching SID/gid/uid mappings, it
+ implies correct configuration of referrals.
+ The idmap alloc backend is pointed directly to the master to skip
+ the referral (and consequent reconnection to the master) that the
+ slave would return as allocation requires writing on the master.
+ </para>
+
+ <programlisting>
+ [global]
+ idmap domains = ALLDOMAINS
+ idmap config ALLDOMAINS:default = yes
+ idmap config ALLDOMAINS:backend = ldap
+ idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com
+ idmap config ALLDOMAINS:ldap_url = ldap://localhost/
+ idmap config ALLDOMAINS:range = 10000 - 50000
+
+ idmap alloc backend = ldap
+ idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com
+ idmap alloc config:ldap_url = ldap://master.example.com/
+ idmap alloc config:range = 10000 - 50000
+ </programlisting>
+</refsect1>
+
+<refsynopsisdiv>
+ <title>NOTE</title>
+
+ <para>In order to use authentication against ldap servers you may
+ need to provide a DN and a password. To avoid exposing the password
+ in plain text in the configuration file we store it into a security
+ store. The &quot;net idmap &quot; command is used to store a secret
+ for the DN specified in a specific idmap domain.
+ </para>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.
+ </para>
+</refsect1>
+
+</refentry>