From b017064cec857b3fd533c5c1b1cd4e6327906b45 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Nov 2002 07:09:17 +0000 Subject: Add a 'ldap trust ids' option that lets pdb_ldap check for posixAccount attributes rather than calling getpwnam() on the user. This should help fix some of metze's performance issues - particularly on enumerations. There is a consequential change to the operation of 'non unix account's in LDAP - they are no longer restricted to being 'within' the NUA range, but will always be added to that range. Finally, there is the doco for this and the previous LDAP SSL changes. (This used to be commit 18abaeffda300074a507561d8372d5bfddc8fe50) --- docs/docbook/manpages/smb.conf.5.sgml | 46 +++++++++++++++++++++++++++++------ 1 file changed, 39 insertions(+), 7 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index e4c4587c1f..5cb8f088a6 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -663,6 +663,7 @@ ldap user suffix ldap machine suffix ldap passwd sync + ldap trust ids lm announce lm interval @@ -3464,16 +3465,20 @@ The ldap ssl can be set to one of three values: - On = Always use SSL when contacting the - ldap server. - Off = Never use SSL when querying the directory. Start_tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server. + + On = + Use SSL on the ldaps port when contacting the + ldap server. Only + available when the backwards-compatiblity + --with-ldapsam option is specified + to configure. See passdb backend - Default : ldap ssl = on + Default : ldap ssl = start_tls @@ -3540,9 +3545,24 @@ + + ldap trust uids (G) + Normally, Samba validates each entry + in the LDAP server against getpwnam(). This allows + LDAP to be used for Samba with the unix system using + NIS (for example) and also ensures that Samba does not + present accounts that do not otherwise exist. + This option is used to disable this functionality, and + instead to rely on the presence of the appropriate + attributes in LDAP directly, which can result in a + significant performance boost in some situations. + Setting this option to yes effectivly assumes + that the local machine is running nss_ldap against the + same LDAP server. - - + Default: ldap trust ids = No + + level2 oplocks (S) @@ -5357,8 +5377,20 @@ ldapsam_nua - The LDAP based passdb backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to ldap://localhost) + Note: In this module, any account + without a matching POSIX account is regarded + as 'non unix'. See also - non unix account range + non unix account + range + + LDAP connections should be secured where + possible. This may be done using either + Start-TLS (see + ldap ssl) or by + specifying ldaps:// in + the URL argument. + nisplussam - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. -- cgit