1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
2
"http://www.w3.org/TR/REC-html40/loose.dtd">
6
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
7
<META name="GENERATOR" content="hevea 1.06">
9
Configuring the smbldap-tools
13
<A HREF="smbldap-tools003.html"><IMG SRC ="previous_motif.gif" ALT="Pr�c�dent"></A>
14
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
15
<A HREF="smbldap-tools005.html"><IMG SRC ="next_motif.gif" ALT="Suivant"></A>
18
<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><UL>
19
<LI><A HREF="smbldap-tools004.html#toc6"> The smbldap.conf file</A>
20
<LI><A HREF="smbldap-tools004.html#toc7"> The smbldap_bind.conf file</A>
23
As mentioned in the previous section, you'll have to update two
24
configuration files. The first (<TT>smbldap.conf</TT>) allows you to
25
set global parameter that are readable by everybody, and the second
26
(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
27
bind to a slave and a master ldap server: this file must thus be
28
readable only by root.<BR>
30
A script is named <TT>configure.pl</TT> can help you to set their contents
31
up. It is located in the tarball
32
downloaded or in the documentation directory if you got the RPM
33
archive (see <TT>/usr/share/doc/smbldap-tools/</TT>). Just invoke it:
35
/usr/share/doc/smbldap-tools/configure.pl
36
</PRE>It will ask for the default values defined in your
37
<TT>smb.conf</TT> file, and will update the two configuration files used
38
by the scripts. Note that you can stop the script at any moment with
39
the <TT>Crtl-c</TT> keys.<BR>
40
Before using this script :
42
the two configuration files <B>must</B> be present in the
43
<TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory
44
<LI>check that samba is configured and running, as the script will try to
45
get your workgroup's domain secure id (SID).
47
In those files are parameters are defined like this:
50
</PRE>Full example configuration files can be found at
51
<A HREF="smbldap-tools009.html#configuration::files">8.1</A>.<BR>
54
<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3>
55
This file is used to define parameters that can be readable by
56
everybody. A full example file is available in section <A HREF="smbldap-tools009.html#configuration::file::smbldap">8.1.1</A>.<BR>
58
Let's have a look at all available parameters.
60
<TT>UID_START</TT> and <TT>GID_START</TT> : those parameters
61
are deprecated. Available uid and gid are now defined in the default
62
new entry <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT>.
63
<LI><TT>SID</TT> : Secure Identifier Domain
65
Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
66
<LI>Remark: you can get the SID for your domain using the <TT>net getlocalsid</TT>
67
command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
69
<LI><TT>slaveLDAP</TT> : slave LDAP server
71
Example: <TT>slaveLDAP="127.0.0.1"</TT>
72
<LI>Remark: must be a resolvable DNS name or it's IP address
74
<LI><TT>slavePort</TT> : port to contact the slave server
76
Example: <TT>slavePort="389"</TT>
78
<LI><TT>masterLDAP</TT> : master LDAP server
80
Example: <TT>masterLDAP="127.0.0.1"</TT>
82
<LI><TT>masterPort</TT> : port to contact the master server
84
Example: <TT>masterPort="389"</TT>
86
<LI><TT>ldapTLS</TT> : should we use TLS connection to contact the
89
Example: <TT>ldapTLS="1"</TT>
90
<LI>Remark: the LDAP severs must be configured to accept TLS
91
connections. See section the Samba-LDAP Howto for more
92
details (<TT>http://samba.idealx.org/smbldap-howto.fr.html</TT>). If you are using TLS support, select port 389 to connect to
93
the master and slave directories.
95
<LI><TT>verify</TT> : How to verify the server's certificate (none,
96
optional or require). See "man Net::LDAP" in start_tls section for
99
Example: <TT>verify="require"</TT>
101
<LI><TT>cafile</TT> : the PEM-format file containing certificates
102
for the CA that slapd will trust
104
Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
106
<LI><TT>clientcert</TT> : the file that contains the client certificate
108
Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
110
<LI><TT>clientkey</TT> : the file that contains the private key that
111
matches the certificate stored in the clientcert file
113
Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
115
<LI><TT>suffix</TT> : The distinguished name of the search base
117
Example: <TT>suffix="dc=idealx,dc=com"</TT>
119
<LI><TT>usersdn</TT> : branch in which users account can be found or
122
Example: <TT>usersdn="ou=Users,${suffix}"</TT>
123
<LI>Remark: this branch is <B>not</B> relative to the suffix value
125
<LI><TT>computersdn</TT> : branch in which computers account can be
126
found or must be added
128
Example: <TT>computersdn"ou=Computers,${suffix}"</TT>
129
<LI>Remark: this branch is <B>not</B> relative to the suffix value
131
<LI><TT>groupsdn</TT> : branch in which groups account can be found
134
Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
135
<LI>Remarks: this branch is <B>not</B> relative to the suffix value
137
<LI><TT>idmapdn</TT> : where are stored Idmap entries (used if samba is a domain member server)
139
Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
140
<LI>Remarks: this branch is <B>not</B> relative to the suffix value
142
<LI><TT>sambaUnixIdPooldn</TT> : object in which next uidNumber and gidNumber available are stored
144
Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
145
<LI>Remarks: this branch is <B>not</B> relative to the suffix value
147
<LI><TT>scope</TT> : the search scope.
149
Example: <TT>scope="sub"</TT>
151
<LI><TT>hash_encrypt</TT> : hash to be used when generating a
154
Example: <TT>hash_encrypt="SSHA"</TT>
155
<LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute.
157
<LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to
158
CRYPT, you may set a salt format. Default is "%s", but many systems
159
will generate MD5 hashed passwords if you use "$1$%.8s". This
160
parameter is optional.
161
<LI><TT>userLoginShell</TT> : default shell given to users.
163
Example: <TT>userLoginShell="/bin/bash"</TT>
164
<LI>Remark: This is stored in <I>loginShell</I> attribute.
166
<LI><TT>userHome</TT> : default directory where users's home
167
directory are located.
169
Example: <TT>userHome="/home/%U"</TT>
170
<LI>Remark: This is stored in <TT>homeDirectory</TT> attribute.
172
<LI><TT>userGecos</TT> : gecos used for users
174
Example: <TT>userGecos="System User"</TT>
176
<LI><TT>defaultUserGid</TT> : default primary group set to users accounts
178
Example: <TT>defaultUserGid="513"</TT>
179
<LI>Remark: this is stored in <I>gidNumber</I> attribute.
181
<LI><TT>defaultComputerGid</TT> : default primary group set to
184
Example: <TT>defaultComputerGid="550"</TT>
185
<LI>Remark: this is stored in <I>gidNumber</I> attribute.
187
<LI><TT>skeletonDir</TT> : skeleton directory used for users accounts
189
Example: <TT>skeletonDir="/etc/skel"</TT>
190
<LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
192
<LI><TT>defaultMaxPasswordAge</TT> : default validation time for a
195
Example: <TT>defaultMaxPassword="55"</TT>
197
<LI><TT>userSmbHome</TT> : samba share used to store user's home directory
200
<TT>userSmbHome="\\PDC-SMB3\ <I>home</I>\%<I>U</I>"</TT>
201
<LI>Remark: this is stored in <I>sambaHomePath</I> attribute.
203
<LI><TT>userProfile</TT> : samba share used to store user's profile
206
<TT>userProfile="\\PDC-SMB3\ <I>profiles</I>\%<I>U</I>"</TT>
207
<LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
209
<LI><TT>userScript</TT> : default user netlogon script name. If not used, will be automatically <I>username.cmd</I>
212
<TT>userScript="%U"</TT>
213
<LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
215
<LI><TT>userHomeDrive</TT> : letter used on windows system to map
218
Example: <TT>userHomeDrive="K:"</TT>
220
<LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command
221
to set the user's password (instead of the <I>mkntpwd</I> utility) ?
223
Example: <TT>with_smbpasswd="0"</TT>
224
<LI>Remark: must be a boolean value (0 or 1).
226
<LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary
228
Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
230
<LI><TT>mk_ntpasswd</TT> : path to the mkntpwd binary
232
Example: <TT>mk_ntpasswd="/usr/local/sbin/mkntpwd"</TT>
233
<LI>Remark: the rpm package of the smbldap-tools will install this
234
utility. If you are using the tarball archive, you have to install
235
it yourself (sources are also in the smbldap-tools archive).
237
<LI><TT>mailDomain</TT> : Domain appended to the users "mail"
240
Example: <TT>mailDomain="idealx.org"</TT>
244
<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3>
245
This file is only used by <I>root</I> to modify the content of the directory.
246
It contains distinguised names and credentials to connect to
247
both the master and slave directories. A full example file is available
248
in section <A HREF="smbldap-tools009.html#configuration::file::smbldap::bind">8.1.2</A>.<BR>
250
Let's have a look at all available parameters.
252
<TT>slaveDN</TT> : distinguished name used to bind to the slave server
254
Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
255
<LI>Example 2: <TT>slaveDN=""</TT>
256
<LI>Remark: this can be the manager account of the directory or
257
any LDAP account that has sufficient permissions to read the full
258
directory (Slave directory is only used for reading). Anonymous
259
connections uses the second example form.
261
<LI><TT>slavePw</TT> : the credentials to bind to the slave server
263
Example 1: <TT>slavePw="secret"</TT>
264
<LI>Example 2: <TT>slavePw=""</TT>
265
<LI>Remark: the password must be stored here in clear form. This
266
file must then be readable only by root! All anonymous connections
267
use the second form provided in our example.
269
<LI><TT>masterDN</TT> : the distinguished name used to bind to the master server
271
Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
272
<LI>Remark: this can be the manager account of the directory or
273
any LDAP account that has enough permissions to modify the content
274
of the directory. Anonymous access does not make any sense here.
276
<LI><TT>masterPw</TT> : the credentials to bind to the master server
278
Example: <TT>masterPw="secret"</TT>
279
<LI>Remark: the password must be in clear text. Be sure to protect
280
this file against unauthorized readers!
284
<A HREF="smbldap-tools003.html"><IMG SRC ="previous_motif.gif" ALT="Pr�c�dent"></A>
285
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
286
<A HREF="smbldap-tools005.html"><IMG SRC ="next_motif.gif" ALT="Suivant"></A>