idmap_ldap(8)                                                    idmap_ldap(8)




NAME

       idmap_ldap - Samba's idmap_ldap Backend for Winbind


DESCRIPTION

       The  idmap_ldap  plugin  provides  a  means  for  Winbind  to store and
       retrieve SID/uid/gid mapping tables in an LDAP directory  service.  The
       module implements both the "idmap" and "idmap alloc" APIs.


IDMAP OPTIONS

       ldap_base_dn = DN
          Defines  the  directory  base  suffix  to  use  when  searching  for
          SID/uid/gid mapping entries. If not defined, idmap_ldap will default
          to using the "ldap idmap suffix" option from smb.conf.

       ldap_user_dn = DN
          Defines the user DN to be used for authentication. If absent, an
          anonymous bind will be performed.

       ldap_url = ldap://server/
          Specifies the  LDAP  server  to  use  when  searching  for  existing
          SID/uid/gid map entries. If not defined, idmap_ldap will assume that
          ldap://localhost/ should be used.

       range = low - high
          Defines the available matching uid and gid range for which the
          backend is authoritative. Note that the range commonly matches the
          allocation range because the same backend stores and retrieves
          SID/uid/gid mapping entries. If the parameter is absent, Winbind
          falls back to the "idmap uid" and "idmap gid" options from
          smb.conf.


IDMAP ALLOC OPTIONS

       ldap_base_dn = DN
          Defines the directory base suffix under which new SID/uid/gid
          mapping entries should be stored. If not defined, idmap_ldap will
          default to using the "ldap idmap suffix" option from smb.conf.

       ldap_user_dn = DN
          Defines the user DN to be used for authentication. If absent, an
          anonymous bind will be performed.

       ldap_url = ldap://server/
          Specifies the LDAP server to which modify/add/delete requests should
          be sent. If not defined, idmap_ldap will assume that
          ldap://localhost/ should be used.

       range = low - high
          Defines the available matching uid and gid range from which winbindd
          can allocate for users and groups. If the parameter is absent,
          Winbind falls back to the "idmap uid" and "idmap gid" options from
          smb.conf.


EXAMPLES

       The following sets up an LDAP configuration that uses a slave server
       running on localhost for fast fetching of SID/gid/uid mappings; it
       implies correct configuration of referrals. The idmap alloc backend is
       pointed directly at the master to skip the referral (and consequent
       reconnection to the master) that the slave would return, because
       allocation requires writing on the master.


            [global]
                idmap domains = ALLDOMAINS
                idmap config ALLDOMAINS:default      = yes
                idmap config ALLDOMAINS:backend      = ldap
                idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com
                idmap config ALLDOMAINS:ldap_url     = ldap://localhost/
                idmap config ALLDOMAINS:range        = 10000 - 50000

                idmap alloc backend = ldap
                idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com
                idmap alloc config:ldap_url     = ldap://master.example.com/
                idmap alloc config:range        = 10000 - 50000
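
       The following check is an added example, not part of the Samba
       documentation: it reads the [global] section shown above (embedded as
       a constructed sample) and reports, for each ldap backend, which
       options are unset and the documented behaviour that then applies, such
       as the anonymous bind. The function names are hypothetical.

```python
import re

# Constructed sample: the [global] section from EXAMPLES above.
SAMPLE = """\
[global]
    idmap domains = ALLDOMAINS
    idmap config ALLDOMAINS:default      = yes
    idmap config ALLDOMAINS:backend      = ldap
    idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap config ALLDOMAINS:ldap_url     = ldap://localhost/
    idmap config ALLDOMAINS:range        = 10000 - 50000

    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap alloc config:ldap_url     = ldap://master.example.com/
    idmap alloc config:range        = 10000 - 50000
"""

# Documented behaviour when an option is absent (from the option lists above).
FALLBACKS = {
    "ldap_base_dn": 'falls back to "ldap idmap suffix"',
    "ldap_user_dn": "anonymous bind",
    "ldap_url": "assumes ldap://localhost/",
    "range": 'falls back to "idmap uid" / "idmap gid"',
}

def parse_global(text):
    """Return {parameter: value} for [global]; names are lower-cased."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def audit_idmap_ldap(text):
    """List (scope, option, fallback) for each option unset on an ldap backend."""
    p = parse_global(text)
    scopes = [k[:-len("backend")] for k, v in p.items()
              if re.fullmatch(r"idmap config [^:]+:backend", k) and v.lower() == "ldap"]
    if p.get("idmap alloc backend", "").lower() == "ldap":
        scopes.append("idmap alloc config:")
    return [(s.rstrip(":"), opt, why) for s in scopes
            for opt, why in FALLBACKS.items() if s + opt not in p]
```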



NOTE

       To use authentication against LDAP servers you may need to provide a
       DN and a password. To avoid exposing the password in plain text in the
       configuration file, it is stored in a security store. The "net idmap"
       command is used to store a secret for the DN specified in a specific
       idmap domain.


AUTHOR

       The original Samba software  and  related  utilities  were  created  by
       Andrew  Tridgell.  Samba  is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.





Mac OS X 10.6 - Generated Thu Sep 17 20:25:56 CDT 2009