1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="idmap_rfc2307.8">
6 <refentrytitle>idmap_rfc2307</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">4.2</refmiscinfo>
14 <refname>idmap_rfc2307</refname>
15 <refpurpose>Samba's idmap_rfc2307 Backend for Winbind</refpurpose>
19 <title>DESCRIPTION</title>
21 <para>The idmap_rfc2307 plugin provides a way for winbind to
22 read id mappings from records in an LDAP server as defined in
23 RFC 2307. The LDAP server can be stand-alone or the LDAP
24 server provided by the AD server. An AD server is always
25 required to provide the mapping between name and SID, and the
26 LDAP server is queried for the mapping between name and
27 uid/gid. This module implements only the "idmap"
28 API, and is READONLY.</para>
30 <para>Mappings must be provided in advance by the
31 administrator by creating the user accounts in the Active
32 Directory server and the posixAccount and posixGroup objects
33 in the LDAP server. The names in the Active Directory server
34 and in the LDAP server have to be the same.</para>
36 <para>This id mapping approach allows the reuse of existing
37 LDAP authentication servers that store records in the RFC 2307
42 <title>IDMAP OPTIONS</title>
46 <term>range = low - high</term>
47 <listitem><para> Defines the available
48 matching UID and GID range for which the
49 backend is authoritative. Note that the range
50 acts as a filter. If specified any UID or GID
51 stored in AD that fall outside the range is
52 ignored and the corresponding map is
53 discarded. It is intended as a way to avoid
54 accidental UID/GID overlaps between local and
55 remotely defined IDs.</para></listitem>
58 <term>ldap_server = <ad | stand-alone ></term>
59 <listitem><para>Defines the type of LDAP
60 server to use. This can either be the LDAP
61 server provided by the Active Directory server
62 (ad) or a stand-alone LDAP
63 server.</para></listitem>
66 <term>bind_path_user</term>
67 <listitem><para>Specifies the bind path where
68 user objects can be found in the LDAP
69 server.</para></listitem>
72 <term>bind_path_group</term>
73 <listitem><para>Specifies the bind path where
74 group objects can be found in the LDAP
75 server.</para></listitem>
78 <term>user_cn = <yes | no></term>
79 <listitem><para>Query cn attribute instead of
80 uid attribute for the user name in LDAP. This
81 option is not required, the default is
85 <term>cn_realm = <yes | no></term>
86 <listitem><para>Append @realm to cn for groups
87 (and users if user_cn is set) in
88 LDAP. This option is not required, the default
89 is no.</para></listitem>
92 <term>ldap_domain</term>
93 <listitem><para>When using the LDAP server in
94 the Active Directory server, this allows to
95 specify the domain where to access the Active
96 Directory server. This allows using trust
97 relationships while keeping all RFC 2307
98 records in one place. This parameter is
99 optional, the default is to access the AD
100 server in the current domain to query LDAP
101 records.</para></listitem>
104 <term>ldap_url</term>
105 <listitem><para>When using a stand-alone LDAP
106 server, this parameter specifies the ldap URL
107 for accessing the LDAP
108 server.</para></listitem>
111 <term>ldap_user_dn</term>
112 <listitem><para>Defines the user DN to be used
113 for authentication. The secret for
114 authenticating this user should be stored with
115 net idmap secret (see
116 <citerefentry><refentrytitle>net</refentrytitle>
117 <manvolnum>8</manvolnum></citerefentry>). If
118 absent, an anonymous bind will be
119 performed.</para></listitem>
122 <term>ldap_realm</term>
123 <listitem><para>Defines the realm to use in
124 the user and group names. This is only
125 required when using cn_realm together with a
126 stand-alone ldap server.</para></listitem>
132 <title>EXAMPLES</title>
134 <para>The following example shows how to retrieve id mappings
135 from a stand-alone LDAP server. This example also shows how
136 to leave a small non conflicting range for local id allocation
137 that may be used in internal backends like BUILTIN.</para>
141 idmap config * : backend = tdb
142 idmap config * : range = 1000000-1999999
144 idmap config DOMAIN : backend = rfc2307
145 idmap config DOMAIN : range = 2000000-2999999
146 idmap config DOMAIN : ldap_server = stand-alone
147 idmap config DOMAIN : ldap_url = ldap://ldap1.example.com
148 idmap config DOMAIN : ldap_user_dn = cn=ldapmanager,dc=example,dc=com
149 idmap config DOMAIN : bind_path_user = ou=People,dc=example,dc=com
150 idmap config DOMAIN : bind_path_group = ou=Group,dc=example,dc=com
155 <title>AUTHOR</title>
158 The original Samba software and related utilities
159 were created by Andrew Tridgell. Samba is now developed
160 by the Samba Team as an Open Source project similar
161 to the way the Linux kernel is developed.