1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="idmap_rfc2307.8">
6 <refentrytitle>idmap_rfc2307</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">&doc.version;</refmiscinfo>
14 <refname>idmap_rfc2307</refname>
15 <refpurpose>Samba's idmap_rfc2307 Backend for Winbind</refpurpose>
19 <title>DESCRIPTION</title>
21 <para>The idmap_rfc2307 plugin provides a way for winbind to
22 read id mappings from records in an LDAP server as defined in
23 RFC 2307. The LDAP server can be stand-alone or the LDAP
24 server provided by the AD server. An AD server is always
25 required to provide the mapping between name and SID, and the
26 LDAP server is queried for the mapping between name and
27 uid/gid. This module implements only the "idmap"
28 API, and is READONLY.</para>
30 <para>Mappings must be provided in advance by the
31 administrator by creating the user accounts in the Active
32 Directory server and the posixAccount and posixGroup objects
33 in the LDAP server. The names in the Active Directory server
34 and in the LDAP server have to be the same.</para>
36 <para>This id mapping approach allows the reuse of existing
37 LDAP authentication servers that store records in the RFC 2307
40 <para>When connecting to the LDAP server provided by an AD
41 server, the parameter <smbconfoption name="ldap ssl ads"/>
42 determines whether SSL should be used. When using a
43 stand-alone LDAP server, <smbconfoption name="ldap ssl"/>
48 <title>IDMAP OPTIONS</title>
52 <term>range = low - high</term>
53 <listitem><para> Defines the available
54 matching UID and GID range for which the
55 backend is authoritative. Note that the range
56 acts as a filter. If specified any UID or GID
57 stored in AD that fall outside the range is
58 ignored and the corresponding map is
59 discarded. It is intended as a way to avoid
60 accidental UID/GID overlaps between local and
61 remotely defined IDs.</para></listitem>
64 <term>ldap_server = <ad | stand-alone ></term>
65 <listitem><para>Defines the type of LDAP
66 server to use. This can either be the LDAP
67 server provided by the Active Directory server
68 (ad) or a stand-alone LDAP
69 server.</para></listitem>
72 <term>bind_path_user</term>
73 <listitem><para>Specifies the search base where
74 user objects can be found in the LDAP
75 server.</para></listitem>
78 <term>bind_path_group</term>
79 <listitem><para>Specifies the search base where
80 group objects can be found in the LDAP
81 server.</para></listitem>
84 <term>user_cn = <yes | no></term>
85 <listitem><para>Query cn attribute instead of
86 uid attribute for the user name in LDAP. This
87 option is not required, the default is
92 <listitem><para>Append @realm to cn for groups
93 (and users if user_cn is set) in
94 LDAP queries. This option is not required, the default
95 is not to append the realm.</para></listitem>
98 <term>ldap_domain</term>
99 <listitem><para>When using the LDAP server in
100 the Active Directory server, this allows one to
101 specify the domain where to access the Active
102 Directory server. This allows using trust
103 relationships while keeping all RFC 2307
104 records in one place. This parameter is
105 optional, the default is to access the AD
106 server in the current domain to query LDAP
107 records.</para></listitem>
110 <term>ldap_url</term>
111 <listitem><para>When using a stand-alone LDAP
112 server, this parameter specifies the ldap URL
113 for accessing the LDAP
114 server.</para></listitem>
117 <term>ldap_user_dn</term>
118 <listitem><para>Defines the user DN to be used
119 for authentication. The secret for
120 authenticating this user should be stored with
121 net idmap secret (see
122 <citerefentry><refentrytitle>net</refentrytitle>
123 <manvolnum>8</manvolnum></citerefentry>). If
124 absent, an anonymous bind will be
125 performed.</para></listitem>
131 <title>EXAMPLES</title>
133 <para>The following example shows how to retrieve id mappings
134 from a stand-alone LDAP server. This example also shows how
135 to leave a small non conflicting range for local id allocation
136 that may be used in internal backends like BUILTIN.</para>
140 idmap config * : backend = tdb
141 idmap config * : range = 1000000-1999999
143 idmap config DOMAIN : backend = rfc2307
144 idmap config DOMAIN : range = 2000000-2999999
145 idmap config DOMAIN : ldap_server = stand-alone
146 idmap config DOMAIN : ldap_url = ldap://ldap1.example.com
147 idmap config DOMAIN : ldap_user_dn = cn=ldapmanager,dc=example,dc=com
148 idmap config DOMAIN : bind_path_user = ou=People,dc=example,dc=com
149 idmap config DOMAIN : bind_path_group = ou=Group,dc=example,dc=com
154 <title>AUTHOR</title>
157 The original Samba software and related utilities
158 were created by Andrew Tridgell. Samba is now developed
159 by the Samba Team as an Open Source project similar
160 to the way the Linux kernel is developed.