diff options
Diffstat (limited to 'docs/textdocs/LDAP.txt')
| -rw-r--r-- | docs/textdocs/LDAP.txt | 150 |
1 files changed, 0 insertions, 150 deletions
diff --git a/docs/textdocs/LDAP.txt b/docs/textdocs/LDAP.txt deleted file mode 100644 index 9c419b00f3..0000000000 --- a/docs/textdocs/LDAP.txt +++ /dev/null @@ -1,150 +0,0 @@ - -TITLE INFORMATION: LDAP Support in Samba -AUTHOR INFORMATION: Matthew Chapman -DATE INFORMATION: 29th November 1998 - -WARNING: This is experimental code. Use at your own risk, and please report -any bugs (after reading BUGS.txt). - -Contents - -1: What is LDAP? -2: Why LDAP and Samba? -3: Using LDAP with Samba -4: Using LDAP for Unix authentication -5: Compatibility with Active Directory - -1: What is LDAP? - -A directory is a type of hierarchical database optimised for simple query -operations, often used for storing user information. LDAP is the -Lightweight Directory Access Protocol, a protocol which is rapidly -becoming the Internet standard for accessing directories. - -Many client applications now support LDAP (including Microsoft's Active -Directory), and there are a number of servers available. The most popular -implementation for Unix is from the University of Michigan; its -homepage is at http://www.umich.edu/~dirsvcs/ldap/. - -Information in an LDAP tree always comes in attribute=value pairs. -The following is an example of a Samba user entry: - -uid=jbloggs, dc=samba, dc=org -objectclass=sambaAccount -uid=jbloggs -cn=Joe Bloggs -description=Samba User -uidNumber=500 -gidNumber=500 -rid=2000 -grouprid=2001 -lmPassword=46E389809F8D55BB78A48108148AD508 -ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4 -pwdLastSet=35C11F1B -smbHome=\\samba1\jbloggs -homeDrive=Z -script=logon.bat -profile=\\samba1\jbloggs\profile -workstations=JOE - -Note that the top line is a special set of attributes called a -distinguished name which identifies the location of this entry beneath -the directory's root node. Recent Internet standards suggest the use of -domain-based naming using dc attributes (for instance, a microsoft.com -directory should have a root node of dc=microsoft, dc=com), although -this is not strictly necessary for isolated servers. - -There are a number of LDAP-related FAQ's on the internet, although -generally the best source of information is the documentation for the -individual servers. - -2: Why LDAP and Samba? - -Using an LDAP directory allows Samba to store user and group information -more reliably and flexibly than the current combination of smbpasswd, -smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges -for extra user information to be stored, this can easily be added without -loss of backwards compatibility. - -In addition, the Samba LDAP schema is compatible with RFC2307, allowing -Unix password database information to be stored in the same entries. This -provides a single, consistent repository for both Unix and Windows user -information. - -3: Using LDAP with Samba - -1 Install and configure an LDAP server if you do not already have -one. You should read your LDAP server's documentation and set up the -configuration file and access control as desired. - -2 Build Samba (latest CVS is required) with: - - ./configure --with-ldap - make clean; make install - -3 Add the following options to the global section of smb.conf as -required. - -o ldap suffix - -This parameter specifies the node of the LDAP tree beneath which -Samba should store its information. This parameter MUST be provided -when using LDAP with Samba. - -Default: none - -Example: ldap suffix = "dc=mydomain, dc=org" - -o ldap bind as - -This parameter specifies the entity to bind to an LDAP directory as. -Usually it should be safe to use the LDAP root account; for larger -installations it may be preferable to restrict Samba's access. - -Default: none (bind anonymously) - -Example: ldap bind as = "uid=root, dc=mydomain, dc=org" - -o ldap passwd file - -This parameter specifies a file containing the password with which -Samba should bind to an LDAP server. For obvious security reasons -this file must be set to mode 700 or less. - -Default: none (bind anonymously) - -Example: ldap passwd file = /usr/local/samba/private/ldappasswd - -o ldap server - -This parameter specifies the DNS name of the LDAP server to use -when storing and retrieving information about Samba users and -groups. - -Default: ldap server = localhost - -o ldap port - -This parameter specifies the TCP port number of the LDAP server. - -Default: ldap port = 389 - -4 You should then be able to use the normal smbpasswd(8) command for -account administration (or User Manager in the near future). - -4: Using LDAP for Unix authentication - -The Samba LDAP code was designed to utilise RFC2307-compliant directory -entries if available. RFC2307 is a proposed standard for LDAP user -information which has been adopted by a number of vendors. Further -information is available at http://www.xedoc.com.au/~lukeh/ldap/. - -Of particular interest is Luke Howard's nameservice switch module -(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing -LDAP-based password databases for Unix. If you are setting up a server to -provide integrated Unix/NT services than these are worth investigating. - -5: Compatibility with Active Directory - -The current implementation is not designed to be used with Microsoft -Active Directory, although compatibility may be added in the future. |