Diffstat (limited to 'docs/yodldocs')
-rw-r--r-- | docs/yodldocs/LDAP.yo | 161 |
1 files changed, 161 insertions, 0 deletions
diff --git a/docs/yodldocs/LDAP.yo b/docs/yodldocs/LDAP.yo new file mode 100644 index 0000000000..cf454904d3 --- /dev/null +++ b/docs/yodldocs/LDAP.yo 
@@ -0,0 +1,161 @@ +mailto(samba-bugs@samba.org) +article(LDAP Support in Samba)(Matthew Chapman)(29th November 1998 +htmltag(p)(1) htmltag(hr)(1) htmltag(h2)(1) +WARNING: This is experimental code. Use at your own risk, and please report +any bugs (after reading BUGS.txt). +htmltag(h2)(0) htmltag(br)(1) +) +redef(PARAGRAPH)(0)(htmlcommand(<p> +) txtcommand( + +)) + +sect(What is LDAP?) +A directory is a type of hierarchical database optimised for simple query +operations, often used for storing user information. LDAP is the +Lightweight Directory Access Protocol, a protocol which is rapidly +becoming the Internet standard for accessing directories. + +Many client applications now support LDAP (including Microsoft's Active +Directory), and there are a number of servers available. The most popular +implementation for Unix is from the em(University of Michigan); its +homepage is at url(tt(http://www.umich.edu/~dirsvcs/ldap/))(http://www.umich.edu/~dirsvcs/ldap/). + +Information in an LDAP tree always comes in tt(attribute=value) pairs. +The following is an example of a Samba user entry: + +verb(uid=jbloggs, dc=samba, dc=org +objectclass=sambaAccount +uid=jbloggs +cn=Joe Bloggs +description=Samba User +uidNumber=500 +gidNumber=500 +rid=2000 +grouprid=2001 +lmPassword=46E389809F8D55BB78A48108148AD508 +ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4 +pwdLastSet=35C11F1B +smbHome=\\samba1\jbloggs +homeDrive=Z +script=logon.bat +profile=\\samba1\jbloggs\profile +workstations=JOE) + +Note that the top line is a special set of attributes called a +em(distinguished name) which identifies the location of this entry beneath +the directory's root node. Recent Internet standards suggest the use of +domain-based naming using tt(dc) attributes (for instance, a microsoft.com +directory should have a root node of tt(dc=microsoft, dc=com)), although +this is not strictly necessary for isolated servers. 
+ +There are a number of LDAP-related FAQ's on the internet, although +generally the best source of information is the documentation for the +individual servers. + + +nl() +sect(Why LDAP and Samba?) + +Using an LDAP directory allows Samba to store user and group information +more reliably and flexibly than the current combination of smbpasswd, +smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges +for extra user information to be stored, this can easily be added without +loss of backwards compatibility. + +In addition, the Samba LDAP schema is compatible with RFC2307, allowing +Unix password database information to be stored in the same entries. This +provides a single, consistent repository for both Unix and Windows user +information. + + +nl() +sect(Using LDAP with Samba) + +starteit() + +eit() Install and configure an LDAP server if you do not already have +one. You should read your LDAP server's documentation and set up the +configuration file and access control as desired. + +eit() Build Samba (latest CVS is required) with: + +verb( ./configure --with-ldap + make clean; make install) + +eit() Add the following options to the global section of tt(smb.conf) as +required. + +startdit() +dit(ldap suffix) + +This parameter specifies the node of the LDAP tree beneath which +Samba should store its information. This parameter MUST be provided +when using LDAP with Samba. + + bf(Default:) tt(none) + + bf(Example:) tt(ldap suffix = "dc=mydomain, dc=org") + +dit(ldap bind as) + +This parameter specifies the entity to bind to an LDAP directory as. +Usually it should be safe to use the LDAP root account; for larger +installations it may be preferable to restrict Samba's access. + + bf(Default:) tt(none (bind anonymously)) + + bf(Example:) tt(ldap bind as = "uid=root, dc=mydomain, dc=org") + +dit(ldap passwd file) + +This parameter specifies a file containing the password with which +Samba should bind to an LDAP server. 
For obvious security reasons +this file must be set to mode 700 or less. + + bf(Default:) tt(none (bind anonymously)) + + bf(Example:) tt(ldap passwd file = /usr/local/samba/private/ldappasswd) + +dit(ldap server) + +This parameter specifies the DNS name of the LDAP server to use +when storing and retrieving information about Samba users and +groups. + + bf(Default:) tt(ldap server = localhost) + +dit(ldap port) + +This parameter specifies the TCP port number of the LDAP server. + + bf(Default:) tt(ldap port = 389) + +enddit() + +eit() You should then be able to use the normal smbpasswd(8) command for +account administration (or User Manager in the near future). + +endeit() + + +nl() +sect(Using LDAP for Unix authentication) + +The Samba LDAP code was designed to utilise RFC2307-compliant directory +entries if available. RFC2307 is a proposed standard for LDAP user +information which has been adopted by a number of vendors. Further +information is available at url(tt(http://www.xedoc.com.au/~lukeh/ldap/))(http://www.xedoc.com.au/~lukeh/ldap). + +Of particular interest is Luke Howard's nameservice switch module +(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing +LDAP-based password databases for Unix. If you are setting up a server to +provide integrated Unix/NT services than these are worth investigating. + + +nl() +sect(Compatibility with Active Directory) + +The current implementation is not designed to be used with Microsoft +Active Directory, although compatibility may be added in the future. + |
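Review bot: the `ldap passwd file` paragraph gives the wrong permission for a secret file ("must be set to mode 700 or less"): the execute bit has no meaning on a password file and "or less" is vague, so say mode 0600 (or 0400), owned by the account Samba runs as, so that only that account can read the bind password. The same hunk also under-specifies the directory side of the security model: the example entry stores `lmPassword` and `ntPassword`, which are password-equivalent for NTLM authentication, yet step 1 only says to set up "access control as desired"; the text should state that those attributes must be readable and writable only by the DN named in `ldap bind as`, and that binding as the LDAP root account, which the text calls "usually safe", hands full directory control to anyone who obtains the Samba host's password file, so a dedicated account with rights only beneath `ldap suffix` is the better default. `ldap server` and `ldap port` (default 389) permit a remote server, but nothing says that a simple bind sends the password in cleartext and that the hash attributes then cross the network unprotected; recommend keeping the server on localhost unless the link is protected. Minor: "than these are worth investigating" should read "then".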