From 4447b6c79df51bebadc673449c50ffad13f75de1 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Mon, 7 Dec 1998 21:48:58 +0000 Subject: added text and html versions of LDAP.yo. smb.conf.5 not generated yet because there were parts rejected from the ldap patch file. (This used to be commit 4f85105578fdf74d883f185f983e608112fe823b) --- docs/htmldocs/LDAP.html | 147 +++++++++++++++++++++++++++++++++++++++++++++++ docs/textdocs/LDAP.txt | 150 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 297 insertions(+) create mode 100644 docs/htmldocs/LDAP.html create mode 100644 docs/textdocs/LDAP.txt diff --git a/docs/htmldocs/LDAP.html b/docs/htmldocs/LDAP.html new file mode 100644 index 0000000000..1cc8f8213f --- /dev/null +++ b/docs/htmldocs/LDAP.html @@ -0,0 +1,147 @@ + + + + +LDAP Support in Samba + + + + + +
+ +

LDAP Support in Samba

+

Matthew Chapman

+

29th November 1998 +

+WARNING: This is experimental code. Use at your own risk, and please report +any bugs (after reading BUGS.txt). +


+ + + +

1: What is LDAP?

 +

2: Why LDAP and Samba?

 +

3: Using LDAP with Samba

 +

4: Using LDAP for Unix authentication

 +

5: Compatibility with Active Directory

 + +


+

+ +

1: What is LDAP?

+A directory is a type of hierarchical database optimised for simple query +operations, often used for storing user information. LDAP is the +Lightweight Directory Access Protocol, a protocol which is rapidly +becoming the Internet standard for accessing directories.

+ Many client applications now support LDAP (including Microsoft's Active +Directory), and there are a number of servers available. The most popular +implementation for Unix is from the University of Michigan; its +homepage is at http://www.umich.edu/~dirsvcs/ldap/.

+ Information in an LDAP tree always comes in attribute=value pairs. +The following is an example of a Samba user entry:

+ 

+uid=jbloggs, dc=samba, dc=org
+objectclass=sambaAccount
+uid=jbloggs
+cn=Joe Bloggs
+description=Samba User
+uidNumber=500
+gidNumber=500
+rid=2000
+grouprid=2001
+lmPassword=46E389809F8D55BB78A48108148AD508
+ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
+pwdLastSet=35C11F1B
+smbHome=\\samba1\jbloggs
+homeDrive=Z
+script=logon.bat
+profile=\\samba1\jbloggs\profile
+workstations=JOE
+
+

+ Note that the top line is a special set of attributes called a +distinguished name which identifies the location of this entry beneath +the directory's root node. Recent Internet standards suggest the use of +domain-based naming using dc attributes (for instance, a microsoft.com +directory should have a root node of dc=microsoft, dc=com), although +this is not strictly necessary for isolated servers.

+ There are a number of LDAP-related FAQ's on the internet, although +generally the best source of information is the documentation for the +individual servers.

+
+ +

2: Why LDAP and Samba?

+ Using an LDAP directory allows Samba to store user and group information +more reliably and flexibly than the current combination of smbpasswd, +smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges +for extra user information to be stored, this can easily be added without +loss of backwards compatibility.

+ In addition, the Samba LDAP schema is compatible with RFC2307, allowing +Unix password database information to be stored in the same entries. This +provides a single, consistent repository for both Unix and Windows user +information.

+
+ +

3: Using LDAP with Samba

+

    +

  1. Install and configure an LDAP server if you do not already have +one. You should read your LDAP server's documentation and set up the +configuration file and access control as desired.

    +

  2. Build Samba (latest CVS is required) with:

    + 

    +	./configure --with-ldap
+	make clean; make install
+
    +

    +

  3. Add the following options to the global section of smb.conf as +required.

    +

      +
    • ldap suffix

      + This parameter specifies the node of the LDAP tree beneath which +Samba should store its information. This parameter MUST be provided +when using LDAP with Samba.

      + Default: none

      + Example: ldap suffix = "dc=mydomain, dc=org"

      +

    • ldap bind as

      + This parameter specifies the entity to bind to an LDAP directory as. +Usually it should be safe to use the LDAP root account; for larger +installations it may be preferable to restrict Samba's access.

      + Default: none (bind anonymously)

      + Example: ldap bind as = "uid=root, dc=mydomain, dc=org"

      +

    • ldap passwd file

      + This parameter specifies a file containing the password with which +Samba should bind to an LDAP server. For obvious security reasons +this file must be set to mode 700 or less.

      + Default: none (bind anonymously)

      + Example: ldap passwd file = /usr/local/samba/private/ldappasswd

      +

    • ldap server

      + This parameter specifies the DNS name of the LDAP server to use +when storing and retrieving information about Samba users and +groups.

      + Default: ldap server = localhost

      +

    • ldap port

      + This parameter specifies the TCP port number of the LDAP server.

      + Default: ldap port = 389

      +

    +

  4. You should then be able to use the normal smbpasswd(8) command for +account administration (or User Manager in the near future).

    +

+
+ +

4: Using LDAP for Unix authentication

+ The Samba LDAP code was designed to utilise RFC2307-compliant directory +entries if available. RFC2307 is a proposed standard for LDAP user +information which has been adopted by a number of vendors. Further +information is available at http://www.xedoc.com.au/~lukeh/ldap/.

+ Of particular interest is Luke Howard's nameservice switch module +(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing +LDAP-based password databases for Unix. If you are setting up a server to +provide integrated Unix/NT services than these are worth investigating.

+
+ +

5: Compatibility with Active Directory

+ The current implementation is not designed to be used with Microsoft +Active Directory, although compatibility may be added in the future.

+ + diff --git a/docs/textdocs/LDAP.txt b/docs/textdocs/LDAP.txt new file mode 100644 index 0000000000..9c419b00f3 --- /dev/null +++ b/docs/textdocs/LDAP.txt @@ -0,0 +1,150 @@ + +TITLE INFORMATION: LDAP Support in Samba +AUTHOR INFORMATION: Matthew Chapman +DATE INFORMATION: 29th November 1998 + +WARNING: This is experimental code. Use at your own risk, and please report +any bugs (after reading BUGS.txt). + +Contents + +1: What is LDAP? +2: Why LDAP and Samba? +3: Using LDAP with Samba +4: Using LDAP for Unix authentication +5: Compatibility with Active Directory + +1: What is LDAP? + +A directory is a type of hierarchical database optimised for simple query +operations, often used for storing user information. LDAP is the +Lightweight Directory Access Protocol, a protocol which is rapidly +becoming the Internet standard for accessing directories. + +Many client applications now support LDAP (including Microsoft's Active +Directory), and there are a number of servers available. The most popular +implementation for Unix is from the University of Michigan; its +homepage is at http://www.umich.edu/~dirsvcs/ldap/. + +Information in an LDAP tree always comes in attribute=value pairs. +The following is an example of a Samba user entry: + +uid=jbloggs, dc=samba, dc=org +objectclass=sambaAccount +uid=jbloggs +cn=Joe Bloggs +description=Samba User +uidNumber=500 +gidNumber=500 +rid=2000 +grouprid=2001 +lmPassword=46E389809F8D55BB78A48108148AD508 +ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4 +pwdLastSet=35C11F1B +smbHome=\\samba1\jbloggs +homeDrive=Z +script=logon.bat +profile=\\samba1\jbloggs\profile +workstations=JOE + +Note that the top line is a special set of attributes called a +distinguished name which identifies the location of this entry beneath +the directory's root node. Recent Internet standards suggest the use of +domain-based naming using dc attributes (for instance, a microsoft.com +directory should have a root node of dc=microsoft, dc=com), although +this is not strictly necessary for isolated servers. + +There are a number of LDAP-related FAQ's on the internet, although +generally the best source of information is the documentation for the +individual servers. + +2: Why LDAP and Samba? + +Using an LDAP directory allows Samba to store user and group information +more reliably and flexibly than the current combination of smbpasswd, +smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges +for extra user information to be stored, this can easily be added without +loss of backwards compatibility. + +In addition, the Samba LDAP schema is compatible with RFC2307, allowing +Unix password database information to be stored in the same entries. This +provides a single, consistent repository for both Unix and Windows user +information. + +3: Using LDAP with Samba + +1 Install and configure an LDAP server if you do not already have +one. You should read your LDAP server's documentation and set up the +configuration file and access control as desired. + +2 Build Samba (latest CVS is required) with: + + ./configure --with-ldap + make clean; make install + +3 Add the following options to the global section of smb.conf as +required. + +o ldap suffix + +This parameter specifies the node of the LDAP tree beneath which +Samba should store its information. This parameter MUST be provided +when using LDAP with Samba. + +Default: none + +Example: ldap suffix = "dc=mydomain, dc=org" + +o ldap bind as + +This parameter specifies the entity to bind to an LDAP directory as. +Usually it should be safe to use the LDAP root account; for larger +installations it may be preferable to restrict Samba's access. + +Default: none (bind anonymously) + +Example: ldap bind as = "uid=root, dc=mydomain, dc=org" + +o ldap passwd file + +This parameter specifies a file containing the password with which +Samba should bind to an LDAP server. For obvious security reasons +this file must be set to mode 700 or less. + +Default: none (bind anonymously) + +Example: ldap passwd file = /usr/local/samba/private/ldappasswd + +o ldap server + +This parameter specifies the DNS name of the LDAP server to use +when storing and retrieving information about Samba users and +groups. + +Default: ldap server = localhost + +o ldap port + +This parameter specifies the TCP port number of the LDAP server. + +Default: ldap port = 389 + +4 You should then be able to use the normal smbpasswd(8) command for +account administration (or User Manager in the near future). + +4: Using LDAP for Unix authentication + +The Samba LDAP code was designed to utilise RFC2307-compliant directory +entries if available. RFC2307 is a proposed standard for LDAP user +information which has been adopted by a number of vendors. Further +information is available at http://www.xedoc.com.au/~lukeh/ldap/. + +Of particular interest is Luke Howard's nameservice switch module +(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing +LDAP-based password databases for Unix. If you are setting up a server to +provide integrated Unix/NT services than these are worth investigating. + +5: Compatibility with Active Directory + +The current implementation is not designed to be used with Microsoft +Active Directory, although compatibility may be added in the future. -- cgit