diff options
Diffstat (limited to 'source3/winbindd/man/idmap_ldap.8.xml')
| -rw-r--r-- | source3/winbindd/man/idmap_ldap.8.xml | 145 |
1 files changed, 145 insertions, 0 deletions
diff --git a/source3/winbindd/man/idmap_ldap.8.xml b/source3/winbindd/man/idmap_ldap.8.xml new file mode 100644 index 00000000000..e68f2782bf2 --- /dev/null +++ b/source3/winbindd/man/idmap_ldap.8.xml @@ -0,0 +1,145 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<refentry id="idmap_ldap.8"> + +<refmeta> + <refentrytitle>idmap_ldap</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Samba</refmiscinfo> + <refmiscinfo class="manual">System Administration tools</refmiscinfo> + <refmiscinfo class="version">3.6</refmiscinfo> +</refmeta> + + +<refnamediv> + <refname>idmap_ldap</refname> + <refpurpose>Samba's idmap_ldap Backend for Winbind</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <title>DESCRIPTION</title> + + <para>The idmap_ldap plugin provides a means for Winbind to + store and retrieve SID/uid/gid mapping tables in an LDAP directory + service. + </para> + + <para> + In contrast to read only backends like idmap_rid, it is an allocating + backend: This means that it needs to allocate new user and group IDs in + order to create new mappings. + </para> + +</refsynopsisdiv> + +<refsect1> + <title>IDMAP OPTIONS</title> + + <variablelist> + <varlistentry> + <term>ldap_base_dn = DN</term> + <listitem><para> + Defines the directory base suffix to use for + SID/uid/gid mapping entries. If not defined, idmap_ldap will default + to using the "ldap idmap suffix" option from smb.conf. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>ldap_user_dn = DN</term> + <listitem><para> + Defines the user DN to be used for authentication. + The secret for authenticating this user should be + stored with net idmap secret + (see <citerefentry><refentrytitle>net</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>). + If absent, the ldap credentials from the ldap passdb configuration + are used, and if these are also absent, an anonymous + bind will be performed as last fallback. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>ldap_url = ldap://server/</term> + <listitem><para> + Specifies the LDAP server to use for + SID/uid/gid map entries. If not defined, idmap_ldap will + assume that ldap://localhost/ should be used. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>range = low - high</term> + <listitem><para> + Defines the available matching uid and gid range for which the + backend is authoritative. + </para></listitem> + </varlistentry> + </variablelist> +</refsect1> + +<refsect1> + <title>EXAMPLES</title> + + <para> + The following example shows how an ldap directory is used as the + default idmap backend. It also configures the idmap range and base + directory suffix. The secret for the ldap_user_dn has to be set with + "net idmap secret '*' password". + </para> + + <programlisting> + [global] + idmap config * : backend = ldap + idmap config * : range = 1000000-1999999 + idmap config * : ldap_url = ldap://localhost/ + idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com + idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com + </programlisting> + + <para> + This example shows how ldap can be used as a readonly backend while + tdb is the default backend used to store the mappings. + It adds an explicit configuration for some domain DOM1, that + uses the ldap idmap backend. Note that a range disjoint from the + default range is used. + </para> + + <programlisting> + [global] + # "backend = tdb" is redundant here since it is the default + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + + idmap config DOM1 : backend = ldap + idmap config DOM1 : range = 2000000-2999999 + idmap config DOM1 : read only = yes + idmap config DOM1 : ldap_url = ldap://server/ + idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com + idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com + </programlisting> +</refsect1> + +<refsynopsisdiv> + <title>NOTE</title> + + <para>In order to use authentication against ldap servers you may + need to provide a DN and a password. To avoid exposing the password + in plain text in the configuration file we store it into a security + store. The "net idmap " command is used to store a secret + for the DN specified in a specific idmap domain. + </para> +</refsynopsisdiv> + +<refsect1> + <title>AUTHOR</title> + + <para> + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + </para> +</refsect1> + +</refentry> |