1
<?xml version="1.0" encoding="iso-8859-1"?>
2
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3
<refentry id="idmap_ldap.8">
6
<refentrytitle>idmap_ldap</refentrytitle>
7
<manvolnum>8</manvolnum>
8
<refmiscinfo class="source">Samba</refmiscinfo>
9
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
10
<refmiscinfo class="version">3.4</refmiscinfo>
15
<refname>idmap_ldap</refname>
16
<refpurpose>Samba's idmap_ldap Backend for Winbind</refpurpose>
20
<title>DESCRIPTION</title>
22
<para>The idmap_ldap plugin provides a means for Winbind to
23
store and retrieve SID/uid/gid mapping tables in an LDAP directory
28
In contrast to read only backends like idmap_rid, it is an allocating
29
backend: This means that it needs to allocate new user and group IDs in
30
order to create new mappings. The allocator can be provided by the
31
idmap_ldap backend itself or by any other allocating backend like
32
idmap_tdb or idmap_tdb2. This is configured with the
33
parameter <parameter>idmap alloc backend</parameter>.
37
Note that in order for this (or any other allocating) backend to
38
function at all, the default backend needs to be writeable.
39
The ranges used for uid and gid allocation are the default ranges
40
configured by "idmap uid" and "idmap gid".
44
Furthermore, since there is only one global allocating backend
45
responsible for all domains using writeable idmap backends,
46
any explicitly configured domain with idmap backend ldap
47
should have the same range as the default range, since it needs
48
to use the global uid / gid allocator. See the example below.
53
<title>IDMAP OPTIONS</title>
57
<term>ldap_base_dn = DN</term>
59
Defines the directory base suffix to use when searching for
60
SID/uid/gid mapping entries. If not defined, idmap_ldap will default
61
to using the "ldap idmap suffix" option from smb.conf.
66
<term>ldap_user_dn = DN</term>
68
Defines the user DN to be used for authentication. If absent an
69
anonymous bind will be performed.
74
<term>ldap_url = ldap://server/</term>
76
Specifies the LDAP server to use when searching for existing
77
SID/uid/gid map entries. If not defined, idmap_ldap will
78
assume that ldap://localhost/ should be used.
83
<term>range = low - high</term>
85
Defines the available matching uid and gid range for which the
86
backend is authoritative.
87
If the parameter is absent, Winbind fails over to use the
88
"idmap uid" and "idmap gid" options
96
<title>IDMAP ALLOC OPTIONS</title>
100
<term>ldap_base_dn = DN</term>
102
Defines the directory base suffix under which new SID/uid/gid mapping
103
entries should be stored. If not defined, idmap_ldap will default
104
to using the "ldap idmap suffix" option from smb.conf.
109
<term>ldap_user_dn = DN</term>
111
Defines the user DN to be used for authentication. If absent an
112
anonymous bind will be performed.
117
<term>ldap_url = ldap://server/</term>
119
Specifies the LDAP server to which modify/add/delete requests should
120
be sent. If not defined, idmap_ldap will assume that ldap://localhost/
128
<title>EXAMPLES</title>
131
The follow sets of a LDAP configuration which uses two LDAP
132
directories, one for storing the ID mappings and one for retrieving
138
idmap backend = ldap:ldap://localhost/
139
idmap uid = 1000000-1999999
140
idmap gid = 1000000-1999999
142
idmap alloc backend = ldap
143
idmap alloc config : ldap_url = ldap://id-master/
144
idmap alloc config : ldap_base_dn = ou=idmap,dc=example,dc=com
151
<para>In order to use authentication against ldap servers you may
152
need to provide a DN and a password. To avoid exposing the password
153
in plain text in the configuration file we store it into a security
154
store. The "net idmap " command is used to store a secret
155
for the DN specified in a specific idmap domain.
160
<title>AUTHOR</title>
163
The original Samba software and related utilities
164
were created by Andrew Tridgell. Samba is now developed
165
by the Samba Team as an Open Source project similar
166
to the way the Linux kernel is developed.