From c207399d16a7a921cd092d52cd380758fb00a77a Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Mon, 16 Jun 2003 16:06:25 +0000
Subject: Fix some information, based on comments by Andrew Bartlett.

(This used to be commit 443b00c949b37b2fe593adb9d46ad248e69f9deb)
---
docs/docbook/projdoc/Speed.xml | 11 -------
docs/docbook/projdoc/passdb.xml | 63 +++++++++++++++++------------------
2 files changed, 26 insertions(+), 48 deletions(-)
(limited to 'docs')
diff --git a/docs/docbook/projdoc/Speed.xml b/docs/docbook/projdoc/Speed.xml
index cdf2246b9f..cbc1807e4e 100644
--- a/docs/docbook/projdoc/Speed.xml
+++ b/docs/docbook/projdoc/Speed.xml
@@ -198,17 +198,6 @@ the lowest practical password level will improve things.
-
-LDAP
-
-
-LDAP can be vastly improved by using the
-ldap trust ids parameter.
-
-
-
-
-
 Client tuning
diff --git a/docs/docbook/projdoc/passdb.xml b/docs/docbook/projdoc/passdb.xml
index 1bbec990cc..6c77ca9dc1 100644
--- a/docs/docbook/projdoc/passdb.xml
+++ b/docs/docbook/projdoc/passdb.xml
@@ -703,12 +703,12 @@ backends of the same type. For example, to use two different tdbsam databases:
 Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in
- examples/LDAP/samba.schema. The sambaAccount objectclass is given here:
+ examples/LDAP/samba.schema. The sambaSamAccount objectclass is given here:
-objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
+objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaSamAccount' SUP top AUXILIARY
 DESC 'Samba Auxilary Account' MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
@@ -728,8 +728,8 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
 Just as the smbpasswd file is meant to store information which supplements a
- user's /etc/passwd entry, so is the sambaAccount object
- meant to supplement the UNIX user account information. A sambaAccount is a
+ user's /etc/passwd entry, so is the sambaSamAccount object
+ meant to supplement the UNIX user account information. A sambaSamAccount is a
 STRUCTURAL objectclass so it can be stored individually in the directory. However, there are several fields (e.g. uid) which overlap with the posixAccount objectclass outlined in RFC2307. This is by design.
@@ -740,7 +740,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
 In order to store all user account information (UNIX and Samba) in the directory,
- it is necessary to use the sambaAccount and posixAccount objectclasses in
+ it is necessary to use the sambaSamAccount and posixAccount objectclasses in
 combination. However, smbd will still obtain the user's UNIX account information via the standard C library calls (e.g. getpwnam(), et. al.). This means that the Samba server must also have the LDAP NSS library installed
@@ -754,7 +754,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
 OpenLDAP configuration
- To include support for the sambaAccount object in an OpenLDAP directory
+ To include support for the sambaSamAccount object in an OpenLDAP directory
 server, first copy the samba.schema file to slapd's configuration directory. The samba.schema file can be found in the directory examples/LDAP in the samba source distribution.
@@ -768,7 +768,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
 Next, include the samba.schema file in slapd.conf.
- The sambaAccount object contains two attributes which depend upon other schema
+ The sambaSamAccount object contains two attributes which depend upon other schema
 files. The 'uid' attribute is defined in cosine.schema and the 'displayName' attribute is defined in the inetorgperson.schema file. Both of these must be included before the samba.schema file.
@@ -781,7 +781,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
 ## schema files (core.schema is required by default)
 include /etc/openldap/schema/core.schema
-## needed for sambaAccount
+## needed for sambaSamAccount
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/samba.schema
@@ -792,7 +792,7 @@ include /etc/openldap/schema/nis.schema
 It is recommended that you maintain some indices on some of the most usefull attributes,
- like in the following example, to speed up searches made on sambaAccount objectclasses
+ like in the following example, to speed up searches made on sambaSamAccount objectclasses
 (and possibly posixAccount and posixGroup as well).
@@ -988,7 +988,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
 ldap suffix = "ou=people,dc=samba,dc=org"
 # generally the default ldap search filter is ok
- # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
+ # ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
@@ -998,12 +998,12 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
 Accounts and Groups management
- As users accounts are managed thru the sambaAccount objectclass, you should
- modify your existing administration tools to deal with sambaAccount attributes.
+ As users accounts are managed thru the sambaSamAccount objectclass, you should
+ modify your existing administration tools to deal with sambaSamAccount attributes.
- Machines accounts are managed with the sambaAccount objectclass, just
+ Machines accounts are managed with the sambaSamAccount objectclass, just
 like users accounts. However, it's up to you to store thoses accounts in a different tree of your LDAP namespace: you should use "ou=Groups,dc=plainjoe,dc=org" to store groups and
@@ -1022,12 +1022,12 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
- Security and sambaAccount
+ Security and sambaSamAccount
 There are two important points to remember when discussing the security
- of sambaAccount entries in the directory.
+ of sambaSamAccount entries in the directory.
@@ -1045,7 +1045,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
- To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults
+ To remedy the first security issue, the ldap ssl &smb.conf; parameter defaults
 to require an encrypted session (ldap ssl = on) using the default port of 636 when contacting the directory server. When using an OpenLDAP server, it
@@ -1078,15 +1078,15 @@ access to attrs=lmPassword,ntPassword
- LDAP special attributes for sambaAccounts
+ LDAP special attributes for sambaSamAccounts
- The sambaAccount objectclass is composed of the following attributes:
+ The sambaSamAccount objectclass is composed of the following attributes:
- Attributes in the sambaAccount objectclass (LDAP)
+ Attributes in the sambaSamAccount objectclass (LDAP)
 lmPasswordthe LANMAN password 16-byte hash stored as a character
@@ -1151,7 +1151,7 @@ access to attrs=lmPassword,ntPassword
 The majority of these parameters are only used when Samba is acting as a PDC of a domain (refer to the Samba as a primary domain controller chapter for details on how to configure Samba as a Primary Domain Controller). The following four attributes
- are only stored with the sambaAccount entry if the values are non-default values:
+ are only stored with the sambaSamAccount entry if the values are non-default values:
@@ -1162,7 +1162,7 @@ access to attrs=lmPassword,ntPassword
- These attributes are only stored with the sambaAccount entry if
+ These attributes are only stored with the sambaSamAccount entry if
 the values are non-default values. For example, assume TASHTEGO has now been configured as a PDC and that logon home = \\%L\%u was defined in its &smb.conf; file. When a user named "becky" logons to the domain,
@@ -1177,7 +1177,7 @@ access to attrs=lmPassword,ntPassword
- Example LDIF Entries for a sambaAccount
+ Example LDIF Entries for a sambaSamAccount
 The following is a working LDIF with the inclusion of the posixAccount objectclass:
@@ -1192,7 +1192,7 @@ access to attrs=lmPassword,ntPassword
 lmPassword: 552902031BEDE9EFAAD3B435B51404EE
 pwdLastSet: 1010179124
 logonTime: 0
- objectClass: sambaAccount
+ objectClass: sambaSamAccount
 uid: guest2
 kickoffTime: 2147483647
 acctFlags: [UX ]
@@ -1203,7 +1203,7 @@ access to attrs=lmPassword,ntPassword
- The following is an LDIF entry for using both the sambaAccount and
+ The following is an LDIF entry for using both the sambaSamAccount and
 posixAccount objectclasses:
@@ -1215,7 +1215,7 @@ access to attrs=lmPassword,ntPassword
 lmPassword: 552902031BEDE9EFAAD3B435B51404EE
 primaryGroupID: 1201
 objectClass: posixAccount
- objectClass: sambaAccount
+ objectClass: sambaSamAccount
 acctFlags: [UX ]
 userPassword: {crypt}BpM2ej8Rkzogo
 uid: gcarter
@@ -1262,8 +1262,7 @@ access to attrs=lmPassword,ntPassword
 only Only update the LDAP password and let the LDAP server worry
- about the other fields. This option is only available when
- the LDAP library supports LDAP_EXOP_X_MODIFY_PASSWD.
+ about the other fields. This option is only available when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD.
@@ -1272,16 +1271,6 @@ access to attrs=lmPassword,ntPassword
-
- ldap trust ids
-
-
- LDAP Performance can be improved by using the ldap trust ids parameter.
- See the smb.conf manpage for details.
-
-
-
-
-- cgit