From 32a965e09ce4befe971855e11e1fb5ceb51a9ed1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 13 Dec 1999 13:35:20 +0000 Subject: 2nd phase of head branch sync with SAMBA_2_0 - this delets all the files that were in the head branch but weren't in SAMBA_2_0 (This used to be commit d7b208786590b5a28618590172b8d523627dda09) --- docs/htmldocs/LDAP.html | 147 ------------------------------------------------ 1 file changed, 147 deletions(-) delete mode 100644 docs/htmldocs/LDAP.html (limited to 'docs/htmldocs/LDAP.html') diff --git a/docs/htmldocs/LDAP.html b/docs/htmldocs/LDAP.html deleted file mode 100644 index 1cc8f8213f..0000000000 --- a/docs/htmldocs/LDAP.html +++ /dev/null @@ -1,147 +0,0 @@ - - - - -LDAP Support in Samba - - - - - -
- -

LDAP Support in Samba

-

Matthew Chapman

-

29th November 1998 -


-WARNING: This is experimental code. Use at your own risk, and please report -any bugs (after reading BUGS.txt). -


- - - -

1: What is LDAP?

-

2: Why LDAP and Samba?

-

3: Using LDAP with Samba

-

4: Using LDAP for Unix authentication

-

5: Compatibility with Active Directory

- -



-

- -

1: What is LDAP?

-A directory is a type of hierarchical database optimised for simple query -operations, often used for storing user information. LDAP is the -Lightweight Directory Access Protocol, a protocol which is rapidly -becoming the Internet standard for accessing directories.

- Many client applications now support LDAP (including Microsoft's Active -Directory), and there are a number of servers available. The most popular -implementation for Unix is from the University of Michigan; its -homepage is at http://www.umich.edu/~dirsvcs/ldap/.

- Information in an LDAP tree always comes in attribute=value pairs. -The following is an example of a Samba user entry:

-

-uid=jbloggs, dc=samba, dc=org
-objectclass=sambaAccount
-uid=jbloggs
-cn=Joe Bloggs
-description=Samba User
-uidNumber=500
-gidNumber=500
-rid=2000
-grouprid=2001
-lmPassword=46E389809F8D55BB78A48108148AD508
-ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
-pwdLastSet=35C11F1B
-smbHome=\\samba1\jbloggs
-homeDrive=Z
-script=logon.bat
-profile=\\samba1\jbloggs\profile
-workstations=JOE
-
-

- Note that the top line is a special set of attributes called a -distinguished name which identifies the location of this entry beneath -the directory's root node. Recent Internet standards suggest the use of -domain-based naming using dc attributes (for instance, a microsoft.com -directory should have a root node of dc=microsoft, dc=com), although -this is not strictly necessary for isolated servers.

- There are a number of LDAP-related FAQ's on the internet, although -generally the best source of information is the documentation for the -individual servers.

-
- -

2: Why LDAP and Samba?

- Using an LDAP directory allows Samba to store user and group information -more reliably and flexibly than the current combination of smbpasswd, -smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges -for extra user information to be stored, this can easily be added without -loss of backwards compatibility.

- In addition, the Samba LDAP schema is compatible with RFC2307, allowing -Unix password database information to be stored in the same entries. This -provides a single, consistent repository for both Unix and Windows user -information.

-
- -

3: Using LDAP with Samba

-

    -

  1. Install and configure an LDAP server if you do not already have -one. You should read your LDAP server's documentation and set up the -configuration file and access control as desired.

    -

  2. Build Samba (latest CVS is required) with:

    -

    -	./configure --with-ldap
    -	make clean; make install
    -
    -

    -

  3. Add the following options to the global section of smb.conf as -required.

    -

      -
    • ldap suffix

      - This parameter specifies the node of the LDAP tree beneath which -Samba should store its information. This parameter MUST be provided -when using LDAP with Samba.

      - Default: none

      - Example: ldap suffix = "dc=mydomain, dc=org"

      -

    • ldap bind as

      - This parameter specifies the entity to bind to an LDAP directory as. -Usually it should be safe to use the LDAP root account; for larger -installations it may be preferable to restrict Samba's access.

      - Default: none (bind anonymously)

      - Example: ldap bind as = "uid=root, dc=mydomain, dc=org"

      -

    • ldap passwd file

      - This parameter specifies a file containing the password with which -Samba should bind to an LDAP server. For obvious security reasons -this file must be set to mode 700 or less.

      - Default: none (bind anonymously)

      - Example: ldap passwd file = /usr/local/samba/private/ldappasswd

      -

    • ldap server

      - This parameter specifies the DNS name of the LDAP server to use -when storing and retrieving information about Samba users and -groups.

      - Default: ldap server = localhost

      -

    • ldap port

      - This parameter specifies the TCP port number of the LDAP server.

      - Default: ldap port = 389

      -

    -

  4. You should then be able to use the normal smbpasswd(8) command for -account administration (or User Manager in the near future).

    -

-
- -

4: Using LDAP for Unix authentication

- The Samba LDAP code was designed to utilise RFC2307-compliant directory -entries if available. RFC2307 is a proposed standard for LDAP user -information which has been adopted by a number of vendors. Further -information is available at http://www.xedoc.com.au/~lukeh/ldap/.

- Of particular interest is Luke Howard's nameservice switch module -(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing -LDAP-based password databases for Unix. If you are setting up a server to -provide integrated Unix/NT services than these are worth investigating.

-
- -

5: Compatibility with Active Directory

- The current implementation is not designed to be used with Microsoft -Active Directory, although compatibility may be added in the future.

- - -- cgit
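Review bot: the deleted docs/htmldocs/LDAP.html is the only place in this diff that documents the `--with-ldap` configure option and the `ldap suffix`, `ldap bind as`, `ldap passwd file`, `ldap server` and `ldap port` smb.conf parameters, including the statement that the `ldap passwd file` "must be set to mode 700 or less"; the commit message only says the file was absent from SAMBA_2_0, so please confirm that the matching experimental LDAP code and those parameters are removed from the head branch in the same sync, or add a line to the commit message saying where the parameter documentation (and the bind-password file permission requirement) now lives, since otherwise operators who still build with `--with-ldap` are left with undocumented options.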