28
28
In contrast to read only backends like idmap_rid, it is an allocating
29
29
backend: This means that it needs to allocate new user and group IDs in
30
order to create new mappings. The allocator can be provided by the
31
idmap_ldap backend itself or by any other allocating backend like
32
idmap_tdb or idmap_tdb2. This is configured with the
33
parameter <parameter>idmap alloc backend</parameter>.
37
Note that in order for this (or any other allocating) backend to
38
function at all, the default backend needs to be writeable.
39
The ranges used for uid and gid allocation are the default ranges
40
configured by "idmap uid" and "idmap gid".
44
Furthermore, since there is only one global allocating backend
45
responsible for all domains using writeable idmap backends,
46
any explicitly configured domain with idmap backend ldap
47
should have the same range as the default range, since it needs
48
to use the global uid / gid allocator. See the example below.
30
order to create new mappings.
66
49
<term>ldap_user_dn = DN</term>
68
Defines the user DN to be used for authentication. If absent an
69
anonymous bind will be performed.
51
Defines the user DN to be used for authentication.
52
The secret for authenticating this user should be
53
stored with net idmap secret
54
(see <citerefentry><refentrytitle>net</refentrytitle>
55
<manvolnum>8</manvolnum></citerefentry>).
56
If absent, the ldap credentials from the ldap passdb configuration
57
are used, and if these are also absent, an anonymous
58
bind will be performed as last fallback.
74
63
<term>ldap_url = ldap://server/</term>
76
Specifies the LDAP server to use when searching for existing
65
Specifies the LDAP server to use for
77
66
SID/uid/gid map entries. If not defined, idmap_ldap will
78
67
assume that ldap://localhost/ should be used.
85
74
Defines the available matching uid and gid range for which the
86
75
backend is authoritative.
87
If the parameter is absent, Winbind fails over to use the
88
"idmap uid" and "idmap gid" options
96
<title>IDMAP ALLOC OPTIONS</title>
100
<term>ldap_base_dn = DN</term>
102
Defines the directory base suffix under which new SID/uid/gid mapping
103
entries should be stored. If not defined, idmap_ldap will default
104
to using the "ldap idmap suffix" option from smb.conf.
109
<term>ldap_user_dn = DN</term>
111
Defines the user DN to be used for authentication. If absent an
112
anonymous bind will be performed.
117
<term>ldap_url = ldap://server/</term>
119
Specifies the LDAP server to which modify/add/delete requests should
120
be sent. If not defined, idmap_ldap will assume that ldap://localhost/
128
82
<title>EXAMPLES</title>
131
The follow sets of a LDAP configuration which uses two LDAP
132
directories, one for storing the ID mappings and one for retrieving
138
idmap backend = ldap:ldap://localhost/
139
idmap uid = 1000000-1999999
140
idmap gid = 1000000-1999999
142
idmap alloc backend = ldap
143
idmap alloc config : ldap_url = ldap://id-master/
144
idmap alloc config : ldap_base_dn = ou=idmap,dc=example,dc=com
85
The following example shows how an ldap directory is used as the
86
default idmap backend. It also configures the idmap range and base
87
directory suffix. The secret for the ldap_user_dn has to be set with
88
"net idmap secret '*' password".
93
idmap config * : backend = ldap
94
idmap config * : range = 1000000-1999999
95
idmap config * : ldap_url = ldap://localhost/
96
idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com
97
idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
101
This example shows how ldap can be used as a readonly backend while
102
tdb is the default backend used to store the mappings.
103
It adds an explicit configuration for some domain DOM1, that
104
uses the ldap idmap backend. Note that a range disjoint from the
105
default range is used.
110
# "backend = tdb" is redundant here since it is the default
111
idmap config * : backend = tdb
112
idmap config * : range = 1000000-1999999
114
idmap config DOM1 : backend = ldap
115
idmap config DOM1 : range = 2000000-2999999
116
idmap config DOM1 : read only = yes
117
idmap config DOM1 : ldap_url = ldap://server/
118
idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
119
idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
145
120
</programlisting>