Diffstat (limited to 'docs/yodldocs/LDAP.yo')
-rw-r--r-- | docs/yodldocs/LDAP.yo | 161 |
1 files changed, 0 insertions, 161 deletions
diff --git a/docs/yodldocs/LDAP.yo b/docs/yodldocs/LDAP.yo deleted file mode 100644 index cf454904d3..0000000000 --- a/docs/yodldocs/LDAP.yo +++ /dev/null 
@@ -1,161 +0,0 @@ -mailto(samba-bugs@samba.org) -article(LDAP Support in Samba)(Matthew Chapman)(29th November 1998 -htmltag(p)(1) htmltag(hr)(1) htmltag(h2)(1) -WARNING: This is experimental code. Use at your own risk, and please report -any bugs (after reading BUGS.txt). -htmltag(h2)(0) htmltag(br)(1) -) -redef(PARAGRAPH)(0)(htmlcommand(<p> -) txtcommand( - -)) - -sect(What is LDAP?) -A directory is a type of hierarchical database optimised for simple query -operations, often used for storing user information. LDAP is the -Lightweight Directory Access Protocol, a protocol which is rapidly -becoming the Internet standard for accessing directories. - -Many client applications now support LDAP (including Microsoft's Active -Directory), and there are a number of servers available. The most popular -implementation for Unix is from the em(University of Michigan); its -homepage is at url(tt(http://www.umich.edu/~dirsvcs/ldap/))(http://www.umich.edu/~dirsvcs/ldap/). - -Information in an LDAP tree always comes in tt(attribute=value) pairs. -The following is an example of a Samba user entry: - -verb(uid=jbloggs, dc=samba, dc=org -objectclass=sambaAccount -uid=jbloggs -cn=Joe Bloggs -description=Samba User -uidNumber=500 -gidNumber=500 -rid=2000 -grouprid=2001 -lmPassword=46E389809F8D55BB78A48108148AD508 -ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4 -pwdLastSet=35C11F1B -smbHome=\\samba1\jbloggs -homeDrive=Z -script=logon.bat -profile=\\samba1\jbloggs\profile -workstations=JOE) - -Note that the top line is a special set of attributes called a -em(distinguished name) which identifies the location of this entry beneath -the directory's root node. Recent Internet standards suggest the use of -domain-based naming using tt(dc) attributes (for instance, a microsoft.com -directory should have a root node of tt(dc=microsoft, dc=com)), although -this is not strictly necessary for isolated servers. 
- -There are a number of LDAP-related FAQ's on the internet, although -generally the best source of information is the documentation for the -individual servers. - - -nl() -sect(Why LDAP and Samba?) - -Using an LDAP directory allows Samba to store user and group information -more reliably and flexibly than the current combination of smbpasswd, -smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges -for extra user information to be stored, this can easily be added without -loss of backwards compatibility. - -In addition, the Samba LDAP schema is compatible with RFC2307, allowing -Unix password database information to be stored in the same entries. This -provides a single, consistent repository for both Unix and Windows user -information. - - -nl() -sect(Using LDAP with Samba) - -starteit() - -eit() Install and configure an LDAP server if you do not already have -one. You should read your LDAP server's documentation and set up the -configuration file and access control as desired. - -eit() Build Samba (latest CVS is required) with: - -verb( ./configure --with-ldap - make clean; make install) - -eit() Add the following options to the global section of tt(smb.conf) as -required. - -startdit() -dit(ldap suffix) - -This parameter specifies the node of the LDAP tree beneath which -Samba should store its information. This parameter MUST be provided -when using LDAP with Samba. - - bf(Default:) tt(none) - - bf(Example:) tt(ldap suffix = "dc=mydomain, dc=org") - -dit(ldap bind as) - -This parameter specifies the entity to bind to an LDAP directory as. -Usually it should be safe to use the LDAP root account; for larger -installations it may be preferable to restrict Samba's access. - - bf(Default:) tt(none (bind anonymously)) - - bf(Example:) tt(ldap bind as = "uid=root, dc=mydomain, dc=org") - -dit(ldap passwd file) - -This parameter specifies a file containing the password with which -Samba should bind to an LDAP server. 
For obvious security reasons -this file must be set to mode 700 or less. - - bf(Default:) tt(none (bind anonymously)) - - bf(Example:) tt(ldap passwd file = /usr/local/samba/private/ldappasswd) - -dit(ldap server) - -This parameter specifies the DNS name of the LDAP server to use -when storing and retrieving information about Samba users and -groups. - - bf(Default:) tt(ldap server = localhost) - -dit(ldap port) - -This parameter specifies the TCP port number of the LDAP server. - - bf(Default:) tt(ldap port = 389) - -enddit() - -eit() You should then be able to use the normal smbpasswd(8) command for -account administration (or User Manager in the near future). - -endeit() - - -nl() -sect(Using LDAP for Unix authentication) - -The Samba LDAP code was designed to utilise RFC2307-compliant directory -entries if available. RFC2307 is a proposed standard for LDAP user -information which has been adopted by a number of vendors. Further -information is available at url(tt(http://www.xedoc.com.au/~lukeh/ldap/))(http://www.xedoc.com.au/~lukeh/ldap). - -Of particular interest is Luke Howard's nameservice switch module -(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing -LDAP-based password databases for Unix. If you are setting up a server to -provide integrated Unix/NT services than these are worth investigating. - - -nl() -sect(Compatibility with Active Directory) - -The current implementation is not designed to be used with Microsoft -Active Directory, although compatibility may be added in the future. - |
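Review bot: Deleting LDAP.yo wholesale drops the only description of the ldap suffix, ldap bind as, ldap passwd file, ldap server and ldap port parameters and of the --with-ldap build step; the change should say where these are documented now (the smb.conf parameter documentation, if they still exist) or confirm that the experimental LDAP code they configure has been removed as well. In particular the operational note "this file must be set to mode 700 or less" for the ldap passwd file, and the caveat that ldap bind as should be restricted rather than the LDAP root account for larger installations, are the parts an administrator most needs and should be carried over to wherever the bind-password settings are documented next.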