<html><head><title>LDAP Support in Samba</title>
<link rev="made" href="mailto:samba-bugs@samba.org">
</head>
<body>
<hr>
<h1>LDAP Support in Samba</h1>
<h2>Matthew Chapman</h2>
<h2>29th November 1998</h2>
<p> <hr>
<h2>
WARNING: This is experimental code. Use at your own risk, and please report
any bugs (after reading BUGS.txt).
</h2> <br>
<a href="LDAP.html#l1"><h2>1: What is LDAP?</h2> </a>
<a href="LDAP.html#l2"><h2>2: Why LDAP and Samba?</h2> </a>
<a href="LDAP.html#l3"><h2>3: Using LDAP with Samba</h2> </a>
<a href="LDAP.html#l4"><h2>4: Using LDAP for Unix authentication</h2> </a>
<a href="LDAP.html#l5"><h2>5: Compatibility with Active Directory</h2> </a>
<p><hr><p><br>
<p>
<a name="l1"></a>
<h2>1: What is LDAP?</h2>
A directory is a type of hierarchical database optimised for simple query
operations, often used for storing user information. LDAP is the
Lightweight Directory Access Protocol, a protocol which is rapidly
becoming the Internet standard for accessing directories.<p>
Many client applications now support LDAP, and there are a number of
servers available (Microsoft's Active Directory among them). The most popular
implementation for Unix is from the <em>University of Michigan</em>; its
homepage is at <a href="http://www.umich.edu/~dirsvcs/ldap/"><code>http://www.umich.edu/~dirsvcs/ldap/</code></a>.<p>
Information in an LDAP tree always comes in <code>attribute=value</code> pairs.
The following is an example of a Samba user entry:<p>
<pre>
uid=jbloggs, dc=samba, dc=org
objectclass=sambaAccount
uid=jbloggs
cn=Joe Bloggs
description=Samba User
uidNumber=500
gidNumber=500
rid=2000
grouprid=2001
lmPassword=46E389809F8D55BB78A48108148AD508
ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
pwdLastSet=35C11F1B
smbHome=\\samba1\jbloggs
homeDrive=Z
script=logon.bat
profile=\\samba1\jbloggs\profile
workstations=JOE
</pre>
<p>
Note that the top line is the entry's <em>distinguished name</em> (DN): a
sequence of attribute=value components which identifies the location of this
entry beneath the directory's root node. Recent Internet standards (RFC 2247)
suggest the use of domain-based naming using <code>dc</code> attributes (for
instance, a microsoft.com directory should have a root node of
<code>dc=microsoft, dc=com</code>), although this is not strictly necessary
for isolated servers.<p>
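As an added example (this is not code from the Samba project or from this
document), the following script reads a user entry written in the
attribute=value notation shown above and audits it the way an administrator
would before trusting the directory as a password database: it normalises the
DN and confirms it sits under the expected suffix, checks that the attributes
Samba needs are present, decodes <code>pwdLastSet</code> (a hex Unix time),
and flags entries whose <code>lmPassword</code>/<code>ntPassword</code> are the
well-known hashes of the empty password or whose LM hash betrays a password of
seven characters or fewer. The attribute names are the page's; the set of
findings raised is this example's own policy.<p>

```python
# Added example, not part of the original Samba documentation: an offline
# checker for a Samba user entry written in the attribute=value notation
# used on this page. The attribute names are those of sambaAccount as
# shown above; the audit policy (which findings are raised) is our own.
import re
from datetime import datetime, timezone

# Constructed sample input: the entry from the page, reproduced verbatim.
SAMPLE_ENTRY = r"""
uid=jbloggs, dc=samba, dc=org
objectclass=sambaAccount
uid=jbloggs
cn=Joe Bloggs
description=Samba User
uidNumber=500
gidNumber=500
rid=2000
grouprid=2001
lmPassword=46E389809F8D55BB78A48108148AD508
ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
pwdLastSet=35C11F1B
smbHome=\\samba1\jbloggs
homeDrive=Z
script=logon.bat
profile=\\samba1\jbloggs\profile
workstations=JOE
""".strip()

# Hashes of the empty password (well-known constants, not from the page).
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
HEX32 = re.compile(r"[0-9A-F]{32}")
REQUIRED = ("objectclass", "uid", "uidNumber", "gidNumber",
            "rid", "lmPassword", "ntPassword")


def normalise_dn(dn):
    """Drop the spaces after commas so that DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(","))


def parse_entry(text):
    """First line is the DN; the rest are attribute=value, possibly repeated."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    dn = normalise_dn(lines[0])
    attrs = {}
    for line in lines[1:]:
        name, _, value = line.partition("=")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return dn, attrs


def decode_pwd_last_set(hexval):
    """pwdLastSet is seconds since the Unix epoch, written in hexadecimal."""
    return datetime.fromtimestamp(int(hexval, 16), tz=timezone.utc)


def audit_entry(text, suffix):
    """Return (code, message) findings; an empty list means nothing to report."""
    dn, attrs = parse_entry(text)
    findings = []
    if not dn.lower().endswith(normalise_dn(suffix).lower()):
        findings.append(("outside-suffix", f"{dn} is not under {suffix}"))
    for name in REQUIRED:
        if name not in attrs:
            findings.append(("missing", f"no {name} attribute"))
    lm = attrs.get("lmPassword", [""])[0].upper()
    nt = attrs.get("ntPassword", [""])[0].upper()
    for label, value in (("lmPassword", lm), ("ntPassword", nt)):
        if not HEX32.fullmatch(value):
            findings.append(("bad-hash", f"{label} is not 32 hex digits"))
    # Both hashes are password equivalents: whoever can read them can
    # authenticate as the user, so weak passwords are worth flagging here.
    if lm == EMPTY_LM or nt == EMPTY_NT:
        findings.append(("empty-password", "hash of the empty password stored"))
    elif lm[16:] == EMPTY_LM[16:]:
        # The second LM half is DES under a null key whenever the password
        # has 7 characters or fewer, so it equals the empty-hash half.
        findings.append(("short-password",
                         "LM hash shows a password of at most 7 characters"))
    return findings


if __name__ == "__main__":
    dn, attrs = parse_entry(SAMPLE_ENTRY)
    print(dn, "last password change:",
          decode_pwd_last_set(attrs["pwdLastSet"][0]).isoformat())
    for code, msg in audit_entry(SAMPLE_ENTRY, "dc=samba, dc=org") or [("ok", "no findings")]:
        print(code, msg)
```

Run over a dump of the whole subtree, the empty- and short-password checks
are the ones that matter most: the LM/NT hashes are password equivalents, so
any account that fails them is open to anyone who can read the directory.<p>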
There are a number of LDAP-related FAQs on the Internet, although
generally the best source of information is the documentation for the
individual servers.<p>
<br>
<a name="l2"></a>
<h2>2: Why LDAP and Samba?</h2><p>
Using an LDAP directory allows Samba to store user and group information
more reliably and flexibly than the current combination of smbpasswd,
smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges
for extra user information to be stored, this can easily be added without
loss of backwards compatibility.<p>
In addition, the Samba LDAP schema is compatible with RFC2307, allowing
Unix password database information to be stored in the same entries. This
provides a single, consistent repository for both Unix and Windows user
information.<p>
<br>
<a name="l3"></a>
<h2>3: Using LDAP with Samba</h2><p>
<ol><p>
<li> Install and configure an LDAP server if you do not already have
one. You should read your LDAP server's documentation and set up the
configuration file and access control as desired.<p>
<li> Build Samba (latest CVS is required) with:<p>
<pre>
./configure --with-ldap
make clean; make install
</pre>
<p>
<li> Add the following options to the global section of <code>smb.conf</code> as
required.<p>
<ul>
<li><strong>ldap suffix</strong><p>
This parameter specifies the node of the LDAP tree beneath which
Samba should store its information. This parameter MUST be provided
when using LDAP with Samba.<p>
<strong>Default:</strong> <code>none</code><p>
<strong>Example:</strong> <code>ldap suffix = "dc=mydomain, dc=org"</code><p>
<li><strong>ldap bind as</strong><p>
This parameter specifies the distinguished name Samba binds to the LDAP
directory as. Binding as the directory's root account works, but it gives
Samba unrestricted write access to the whole tree; it is preferable to create
a dedicated identity for Samba and restrict its access to the subtree named by
<code>ldap suffix</code>. Whichever identity is used, the directory's access
control should also stop ordinary users reading the <code>lmPassword</code>
and <code>ntPassword</code> attributes, since those hashes are sufficient to
authenticate as the user.<p>
<strong>Default:</strong> <code>none (bind anonymously)</code><p>
<strong>Example:</strong> <code>ldap bind as = "uid=root, dc=mydomain, dc=org"</code><p>
<li><strong>ldap passwd file</strong><p>
This parameter specifies a file containing the password with which
Samba should bind to an LDAP server. Because this password grants whatever
access the <code>ldap bind as</code> identity has, the file must be owned by
root and readable by nobody else: mode 600 (or 400), never group- or
world-readable.<p>
<strong>Default:</strong> <code>none (bind anonymously)</code><p>
<strong>Example:</strong> <code>ldap passwd file = /usr/local/samba/private/ldappasswd</code><p>
<li><strong>ldap server</strong><p>
This parameter specifies the DNS name of the LDAP server to use
when storing and retrieving information about Samba users and
groups. The bind password is sent to this server in clear text, so if it is
not the local host the network path between the two machines must be
trusted.<p>
<strong>Default:</strong> <code>ldap server = localhost</code><p>
<li><strong>ldap port</strong><p>
This parameter specifies the TCP port number of the LDAP server.<p>
<strong>Default:</strong> <code>ldap port = 389</code><p>
</ul><p>
<li> You should then be able to use the normal smbpasswd(8) command for
account administration (or User Manager in the near future).<p>
</ol><p>
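As an added example (not code from the Samba project or from this document),
the following script parses the <code>[global]</code> section of an
<code>smb.conf</code> and audits the LDAP parameters described above: the
mandatory <code>ldap suffix</code>, a bind identity that is not the directory
root, a password file that is not group- or world-readable, and a server on the
local host so the clear-text bind password never leaves the machine. Two
constructed configurations are included, one built from the page's own
examples and one tightened up; the bind DN <code>cn=samba</code> in the second
is an assumption of this example, not a name Samba requires, and the checks
themselves are this example's policy rather than anything smbd enforces.<p>

```python
# Added example, not part of the original Samba documentation: an offline
# audit of the LDAP parameters from step 3. Parameter names are the page's;
# the checks (root bind DN, password file mode, remote server) are our own
# policy, and cn=samba is an assumed name for a dedicated bind identity.
import os
import stat
import tempfile

# Constructed sample: a [global] section assembled from the page's examples.
WEAK_CONF = """
[global]
   workgroup = MYDOMAIN
   ldap suffix = "dc=mydomain, dc=org"
   ldap bind as = "uid=root, dc=mydomain, dc=org"
   ldap passwd file = /usr/local/samba/private/ldappasswd
   ldap server = ldap.mydomain.org
   ldap port = 389
"""

# The same section with a dedicated bind identity and a local server.
BETTER_CONF = """
[global]
   workgroup = MYDOMAIN
   ldap suffix = "dc=mydomain, dc=org"
   ldap bind as = "cn=samba, dc=mydomain, dc=org"
   ldap passwd file = /usr/local/samba/private/ldappasswd
   ldap server = localhost
   ldap port = 389
"""

# First RDNs that usually name the directory's unrestricted account
# (cn=Manager is the U-Mich/OpenLDAP default rootdn). A heuristic only.
ROOT_RDNS = {"uid=root", "cn=root", "cn=manager"}


def parse_global(text):
    """Return the key/value pairs of the [global] section with lower-cased keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip().strip('"')
    return params


def first_rdn(dn):
    return dn.split(",")[0].strip().lower()


def audit_ldap_params(params, passwd_file_mode=None):
    """(code, message) findings for the LDAP settings. passwd_file_mode is the
    permission bits of 'ldap passwd file' as reported by stat, if it exists."""
    findings = []
    if not params.get("ldap suffix"):
        findings.append(("no-suffix", "ldap suffix is mandatory when Samba uses LDAP"))
    bind_as = params.get("ldap bind as")
    passwd_file = params.get("ldap passwd file")
    if not bind_as:
        findings.append(("anon-bind", "no ldap bind as: Samba binds anonymously"))
    elif first_rdn(bind_as) in ROOT_RDNS:
        findings.append(("root-bind", f"{bind_as} looks like the directory root; "
                         "use an identity restricted to the ldap suffix subtree"))
    if bind_as and not passwd_file:
        findings.append(("no-passwd-file", "ldap bind as is set but no ldap passwd file"))
    if passwd_file_mode is not None and passwd_file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("passwd-mode", f"ldap passwd file is mode {passwd_file_mode:04o}; "
                         "chmod 600 so only root can read it"))
    server = params.get("ldap server", "localhost").lower()
    if server not in ("localhost", "127.0.0.1"):
        findings.append(("cleartext", f"bind password travels to {server} unencrypted; "
                         "keep the server local or the network path trusted"))
    return findings


def passwd_file_mode(path):
    """Permission bits of the password file, or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Demonstrate the file check on a temporary file, first too permissive,
    # then tightened to 600 as the text requires.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"secret\n")
    os.chmod(f.name, 0o644)
    for code, msg in audit_ldap_params(parse_global(WEAK_CONF), passwd_file_mode(f.name)):
        print("weak:", code, msg)
    os.chmod(f.name, 0o600)
    print("better:", audit_ldap_params(parse_global(BETTER_CONF), passwd_file_mode(f.name)))
    os.unlink(f.name)
```

On a real host, point <code>passwd_file_mode</code> at the path named by
<code>ldap passwd file</code> and run the audit against the live
<code>smb.conf</code>; an empty list is the expected result for a correctly
set up server.<p>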
<br>
<a name="l4"></a>
<h2>4: Using LDAP for Unix authentication</h2><p>
The Samba LDAP code was designed to utilise RFC2307-compliant directory
entries if available. RFC2307 is an experimental IETF specification for
storing Unix user and group information in LDAP which has been adopted by a
number of vendors. Further
information is available at <a href="http://www.xedoc.com.au/~lukeh/ldap"><code>http://www.xedoc.com.au/~lukeh/ldap/</code></a>.<p>
Of particular interest are Luke Howard's nameservice switch module
(nss_ldap) and PAM module (pam_ldap) implementing this standard, providing
LDAP-based password databases for Unix. If you are setting up a server to
provide integrated Unix/NT services then these are worth investigating.<p>
<br>
<a name="l5"></a>
<h2>5: Compatibility with Active Directory</h2><p>
The current implementation is not designed to be used with Microsoft
Active Directory, although compatibility may be added in the future.<p>
</body>
</html>