From 2eeb8b58e639b6fc9b36f353b9d00575195a47a6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 2 May 2003 14:52:48 +0000 Subject: Update LDAP documentation for 3.0 (This used to be commit a092928b8e864c5c29cc8541d2492f0aa18931f3) --- docs/docbook/projdoc/passdb.xml | 124 ++++++++++++++++++++++++++++------------ 1 file changed, 88 insertions(+), 36 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/passdb.xml b/docs/docbook/projdoc/passdb.xml index cc497f7d93..672b914cb0 100644 --- a/docs/docbook/projdoc/passdb.xml +++ b/docs/docbook/projdoc/passdb.xml @@ -263,9 +263,9 @@ on LDAP architectures and Directories, please refer to the following sites. -Note that O'Reilly Publishing is working on -a guide to LDAP for System Administrators which has a planned release date of -early summer, 2002. + O'Reilly Publishing has published + LDAP System Administration + written by Gerald Carter. @@ -351,17 +351,13 @@ System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS". Supported LDAP Servers - - The LDAP samdb code in 2.2.3 (and later) has been developed and tested -using the OpenLDAP 2.0 server and client libraries. +using the OpenLDAP 2.0 and 2.1 server and client libraries. The same code should be able to work with Netscape's Directory Server and client SDK. However, due to lack of testing so far, there are bound -to be compile errors and bugs. These should not be hard to fix. -If you are so inclined, please be sure to forward all patches to -samba-patches@samba.org and -jerry@samba.org. +to be compile errors and bugs. These should not be hard to fix. Please submit +fixes via . @@ -376,17 +372,18 @@ Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in -objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top AUXILIARY - DESC 'Samba Account' - MUST ( uid $ rid ) - MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ - logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ - displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ - description $ userWorkstations $ primaryGroupID $ domain )) +objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY + DESC 'Samba Auxilary Account' + MUST ( uid $ rid ) + MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ + logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ + displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ + description $ userWorkstations $ primaryGroupID $ domain )) -The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are +The samba.schema file has been formatted for +OpenLDAP 2.0/2.1. The OID's are owned by the Samba Team and as such is legal to be openly published. If you translate the schema to be used with Netscape DS, please submit the modified schema file as a patch to To include support for the sambaAccount object in an OpenLDAP directory server, first copy the samba.schema file to slapd's configuration directory. +The samba.schema file can be found in the directory examples/LDAP +in the samba source distribution. @@ -466,7 +465,7 @@ like in the following example, to speed up searches made on sambaAccount objectc ## required by OpenLDAP 2.0 index objectclass eq -## support pb_getsampwnam() +## support pdb_getsampwnam() index uid pres,eq ## support pdb_getsambapwrid() index rid eq @@ -483,6 +482,11 @@ index primaryGroupID eq index displayName pres,eq + +Remember to restart slapd after making these changes: + +root# /etc/init.d/slapd restart + @@ -490,21 +494,22 @@ index displayName pres,eq Configuring Samba -The following parameters are available in smb.conf only with --with-ldapsam -was included when compiling Samba. +The following parameters are available in smb.conf only if your version of samba was built +with LDAP support. Samba automatically builds with LDAP support if the LDAP libraries are +found. - passdb backend [ldapsam|ldapsam_nua]:url + passdb backend = ldapsam:url ldap ssl ldap admin dn ldap suffix ldap filter - ldap port - ldap machine suffix - ldap user suffix - ldap delete dn - + ldap machine suffix + ldap user suffix + ldap delete dn + ldap passwd sync + ldap trust ids @@ -535,7 +540,8 @@ use with an LDAP directory could appear as # ('off', 'start tls', or 'on' (default)) ldap ssl = start tls - passdb backend ldapsam:ldap://ahab.samba.org + # syntax: passdb backend = ldapsam:ldap://server-name[:port] + passdb backend = ldapsam:ldap://ahab.samba.org # smbpasswd -x delete the entire dn-entry ldap delete dn = no @@ -545,13 +551,12 @@ use with an LDAP directory could appear as ldap user suffix = ou=People ldap machine suffix = ou=Systems - # define the port to use in the LDAP session (defaults to 636 when - # "ldap ssl = on") - ldap port = 389 - # specify the base DN to use when searching the directory ldap suffix = "ou=people,dc=samba,dc=org" + # Trust unix account information in LDAP (see the smb.conf manpage for details) + ldap trust ids = Yes + # generally the default ldap search filter is ok # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))" @@ -607,15 +612,14 @@ of sambaAccount entries in the directory. These password hashes are clear text equivalents and can be used to impersonate the user without deriving the original clear text strings. For more information -on the details of LM/NT password hashes, refer to the User Database of the Samba-HOWTO-Collection. +on the details of LM/NT password hashes, refer to the first sections of this chapter. To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults to require an encrypted session (ldap ssl = on) using the default port of 636 -when contacting the directory server. When using an OpenLDAP 2.0 server, it +when contacting the directory server. When using an OpenLDAP server, it is possible to use the use the StartTLS LDAP extended operation in the place of LDAPS. In either case, you are strongly discouraged to disable this security (ldap ssl = off). @@ -708,11 +712,13 @@ The sambaAccount objectclass is composed of the following attributes: primaryGroupID: the relative identifier (RID) of the primary group of the user. + domain: domain the user is part of. + The majority of these parameters are only used when Samba is acting as a PDC of -a domain (refer to the Samba-PDC-HOWTO for details on +a domain (refer to for details on how to configure Samba as a Primary Domain Controller). The following four attributes are only stored with the sambaAccount entry if the values are non-default values: @@ -798,6 +804,52 @@ ntPassword: 878D8014606CDA29677A44EFA1353FC7 + + +Password synchronisation + + +Since 3.0 Samba can update the non-samba (LDAP) password stored with an account. When +using pam_ldap, this allows changing both unix and windows passwords at once. + + +The ldap passwd sync options can have the following values: + + + + yes + When the user changes his password, update + ntPassword, lmPassword + and the password fields. + + + + no + Only update ntPassword and lmPassword. + + + + only + Only update the LDAP password and let the LDAP server worry + about the other fields. + + + +More information can be found in the smb.conf manpage. + + + + + +ldap trust ids + + +LDAP Performance can be approved by using the ldap trust ids parameter. +See the smb.conf manpage for details. + + + + -- cgit