libcli/security: remove sec_ace_equal

[Samba/wip.git] / docs-xml / manpages / idmap_ldap.8.xml

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="idmap_ldap.8">

<refmeta>
        <refentrytitle>idmap_ldap</refentrytitle>
        <manvolnum>8</manvolnum>
        <refmiscinfo class="source">Samba</refmiscinfo>
        <refmiscinfo class="manual">System Administration tools</refmiscinfo>
        <refmiscinfo class="version">4.1</refmiscinfo>
</refmeta>


<refnamediv>
        <refname>idmap_ldap</refname>
        <refpurpose>Samba's idmap_ldap Backend for Winbind</refpurpose>
</refnamediv>

<refsynopsisdiv>
        <title>DESCRIPTION</title>

        <para>The idmap_ldap plugin provides a means for Winbind to
        store and retrieve SID/uid/gid mapping tables in an LDAP directory
        service.
        </para>

        <para>
        In contrast to read only backends like idmap_rid, it is an allocating
        backend: This means that it needs to allocate new user and group IDs in
        order to create new mappings.
        </para>

</refsynopsisdiv>

<refsect1>
        <title>IDMAP OPTIONS</title>

        <variablelist>
                <varlistentry>
                <term>ldap_base_dn = DN</term>
                <listitem><para>
                        Defines the directory base suffix to use for
                        SID/uid/gid mapping entries.  If not defined, idmap_ldap will default
                        to using the &quot;ldap idmap suffix&quot; option from smb.conf.
                </para></listitem>
                </varlistentry>

                <varlistentry>
                <term>ldap_user_dn = DN</term>
                <listitem><para>
                        Defines the user DN to be used for authentication.
                        The secret for authenticating this user should be
                        stored with net idmap secret
                        (see <citerefentry><refentrytitle>net</refentrytitle>
                        <manvolnum>8</manvolnum></citerefentry>).
                        If absent, the ldap credentials from the ldap passdb configuration
                        are used, and if these are also absent, an anonymous
                        bind will be performed as last fallback.
                </para></listitem>
                </varlistentry>

                <varlistentry>
                <term>ldap_url = ldap://server/</term>
                <listitem><para>
                        Specifies the LDAP server to use for
                        SID/uid/gid map entries. If not defined, idmap_ldap will
                        assume that ldap://localhost/ should be used.
                </para></listitem>
                </varlistentry>

                <varlistentry>
                <term>range = low - high</term>
                <listitem><para>
                        Defines the available matching uid and gid range for which the
                        backend is authoritative.
                </para></listitem>
                </varlistentry>
        </variablelist>
</refsect1>

<refsect1>
        <title>EXAMPLES</title>

        <para>
        The following example shows how an ldap directory is used as the
        default idmap backend. It also configures the idmap range and base
        directory suffix. The secret for the ldap_user_dn has to be set with
        &quot;net idmap secret '*' password&quot;.
        </para>

        <programlisting>
        [global]
        idmap config * : backend      = ldap
        idmap config * : range        = 1000000-1999999
        idmap config * : ldap_url     = ldap://localhost/
        idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com
        idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
        </programlisting>

        <para>
        This example shows how ldap can be used as a readonly backend while
        tdb is the default backend used to store the mappings.
        It adds an explicit configuration for some domain DOM1, that
        uses the ldap idmap backend. Note that a range disjoint from the
        default range is used.
        </para>

        <programlisting>
        [global]
        # "backend = tdb" is redundant here since it is the default
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999

        idmap config DOM1 : backend = ldap
        idmap config DOM1 : range = 2000000-2999999
        idmap config DOM1 : read only = yes
        idmap config DOM1 : ldap_url = ldap://server/
        idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com
        idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
        </programlisting>
</refsect1>

<refsynopsisdiv>
        <title>NOTE</title>

        <para>In order to use authentication against ldap servers you may
        need to provide a DN and a password. To avoid exposing the password
        in plain text in the configuration file we store it into a security
        store. The &quot;net idmap &quot; command is used to store a secret
        for the DN specified in a specific idmap domain.
        </para>
</refsynopsisdiv>

<refsect1>
        <title>AUTHOR</title>

        <para>
        The original Samba software and related utilities
        were created by Andrew Tridgell. Samba is now developed
        by the Samba Team as an Open Source project similar
        to the way the Linux kernel is developed.
        </para>
</refsect1>

</refentry>