X-Git-Url: https://vcs.maemo.org/git/?p=samba;a=blobdiff_plain;f=examples%2FLDAP%2Fsmbldap-tools-0.9.1%2Fdoc%2Fhtml%2Fsmbldap-tools004.html;fp=examples%2FLDAP%2Fsmbldap-tools-0.9.1%2Fdoc%2Fhtml%2Fsmbldap-tools004.html;h=b86f2f6ec12bbadebaee49b1358e452cedaee6ae;hp=0000000000000000000000000000000000000000;hb=6bca4ca307d55b6dc888e56cee47aebcddbce786;hpb=7fd70fa738b636089bcc6c961aa3eaa02f20dda2
diff --git a/examples/LDAP/smbldap-tools-0.9.1/doc/html/smbldap-tools004.html b/examples/LDAP/smbldap-tools-0.9.1/doc/html/smbldap-tools004.html
new file mode 100644
index 0000000..b86f2f6
--- /dev/null
+++ b/examples/LDAP/smbldap-tools-0.9.1/doc/html/smbldap-tools004.html
@@ -0,0 +1,288 @@
+
+
+
+
+
+
+
+ Configuring the smbldap-tools
+
+
+
+
+
+
+
+
+3 Configuring the smbldap-tools
+
+As mentioned in the previous section, you'll have to update two
+configuration files. The first (smbldap.conf) allows you to
+set global parameter that are readable by everybody, and the second
+(smbldap_bind.conf) defines two administrative accounts to
+bind to a slave and a master ldap server: this file must thus be
+readable only by root.
+
+A script is named configure.pl can help you to set their contents
+up. It is located in the tarball
+downloaded or in the documentation directory if you got the RPM
+archive (see /usr/share/doc/smbldap-tools/). Just invoke it:
+
+/usr/share/doc/smbldap-tools/configure.pl
+
It will ask for the default values defined in your
+smb.conf file, and will update the two configuration files used
+by the scripts. Note that you can stop the script at any moment with
+the Crtl-c keys.
+Before using this script :
+-
+the two configuration files must be present in the
+ /etc/opt/IDEALX/smbldap-tools/ directory
+
- check that samba is configured and running, as the script will try to
+ get your workgroup's domain secure id (SID).
+
+In those files are parameters are defined like this:
+
+key="value"
+
Full example configuration files can be found at
+8.1.
+
+
+3.1 The smbldap.conf file
+This file is used to define parameters that can be readable by
+everybody. A full example file is available in section 8.1.1.
+
+Let's have a look at all available parameters.
+-
+UID_START and GID_START : those parameters
+ are deprecated. Available uid and gid are now defined in the default
+ new entry cn=NextFreeUnixId,dc=idealx,dc=org.
+
- SID : Secure Identifier Domain
+
-
+ Example: SID="S-1-5-21-3703471949-3718591838-2324585696"
+
- Remark: you can get the SID for your domain using the net getlocalsid
+ command. Samba must be up and running for this to work (it can take several minutes for a Samba server to correctly negotiate its status with other network servers).
+
+ - slaveLDAP : slave LDAP server
+
-
+ Example: slaveLDAP="127.0.0.1"
+
- Remark: must be a resolvable DNS name or it's IP address
+
+ - slavePort : port to contact the slave server
+
-
+ Example: slavePort="389"
+
+ - masterLDAP : master LDAP server
+
-
+ Example: masterLDAP="127.0.0.1"
+
+ - masterPort : port to contact the master server
+
-
+ Example: masterPort="389"
+
+ - ldapTLS : should we use TLS connection to contact the
+ ldap servers ?
+
-
+ Example: ldapTLS="1"
+
- Remark: the LDAP severs must be configured to accept TLS
+ connections. See section the Samba-LDAP Howto for more
+ details (http://samba.idealx.org/smbldap-howto.fr.html). If you are using TLS support, select port 389 to connect to
+ the master and slave directories.
+
+ - verify : How to verify the server's certificate (none,
+ optional or require). See "man Net::LDAP" in start_tls section for
+ more details
+
-
+ Example: verify="require"
+
+ - cafile : the PEM-format file containing certificates
+ for the CA that slapd will trust
+
-
+ Example: cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
+
+ - clientcert : the file that contains the client certificate
+
-
+ Example: clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"
+
+ - clientkey : the file that contains the private key that
+ matches the certificate stored in the clientcert file
+
-
+ Example: clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"
+
+ - suffix : The distinguished name of the search base
+
-
+ Example: suffix="dc=idealx,dc=com"
+
+ - usersdn : branch in which users account can be found or
+ must be added
+
-
+ Example: usersdn="ou=Users,${suffix}"
+
- Remark: this branch is not relative to the suffix value
+
+ - computersdn : branch in which computers account can be
+ found or must be added
+
-
+ Example: computersdn"ou=Computers,${suffix}"
+
- Remark: this branch is not relative to the suffix value
+
+ - groupsdn : branch in which groups account can be found
+ or must be added
+
-
+ Example: groupsdn="ou=Groups,${suffix}"
+
- Remarks: this branch is not relative to the suffix value
+
+ - idmapdn : where are stored Idmap entries (used if samba is a domain member server)
+
-
+ Example: idmapdn="ou=Idmap,${suffix}"
+
- Remarks: this branch is not relative to the suffix value
+
+ - sambaUnixIdPooldn : object in which next uidNumber and gidNumber available are stored
+
-
+ Example: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+
- Remarks: this branch is not relative to the suffix value
+
+ - scope : the search scope.
+
+
- hash_encrypt : hash to be used when generating a
+ user password.
+
-
+ Example: hash_encrypt="SSHA"
+
- Remark: This is used for the unix password stored in userPassword attribute.
+
+ - crypt_salt_format="%s" : if hash_encrypt is set to
+ CRYPT, you may set a salt format. Default is "%s", but many systems
+ will generate MD5 hashed passwords if you use "$1$%.8s". This
+ parameter is optional.
+
- userLoginShell : default shell given to users.
+
-
+ Example: userLoginShell="/bin/bash"
+
- Remark: This is stored in loginShell attribute.
+
+ - userHome : default directory where users's home
+ directory are located.
+
-
+ Example: userHome="/home/%U"
+
- Remark: This is stored in homeDirectory attribute.
+
+ - userGecos : gecos used for users
+
-
+ Example: userGecos="System User"
+
+ - defaultUserGid : default primary group set to users accounts
+
-
+ Example: defaultUserGid="513"
+
- Remark: this is stored in gidNumber attribute.
+
+ - defaultComputerGid : default primary group set to
+ computers accounts
+
-
+ Example: defaultComputerGid="550"
+
- Remark: this is stored in gidNumber attribute.
+
+ - skeletonDir : skeleton directory used for users accounts
+
-
+ Example: skeletonDir="/etc/skel"
+
- Remark: this option is used only if you ask for home directory creation when adding a new user.
+
+ - defaultMaxPasswordAge : default validation time for a
+ password (in days)
+
-
+ Example: defaultMaxPassword="55"
+
+ - userSmbHome : samba share used to store user's home directory
+
-
+ Example:
+ userSmbHome="\\PDC-SMB3\ home\%U"
+
- Remark: this is stored in sambaHomePath attribute.
+
+ - userProfile : samba share used to store user's profile
+
-
+ Example:
+ userProfile="\\PDC-SMB3\ profiles\%U"
+
- Remark: this is stored in sambaProfilePath attribute.
+
+ - userScript : default user netlogon script name. If not used, will be automatically username.cmd
+
-
+ Example:
+ userScript="%U"
+
- Remark: this is stored in sambaProfilePath attribute.
+
+ - userHomeDrive : letter used on windows system to map
+ the home directory
+
-
+ Example: userHomeDrive="K:"
+
+ - with_smbpasswd : should we use the smbpasswd command
+ to set the user's password (instead of the mkntpwd utility) ?
+
-
+ Example: with_smbpasswd="0"
+
- Remark: must be a boolean value (0 or 1).
+
+ - smbpasswd : path to the smbpasswd binary
+
-
+ Example: smbpasswd="/usr/bin/smbpasswd"
+
+ - mk_ntpasswd : path to the mkntpwd binary
+
-
+ Example: mk_ntpasswd="/usr/local/sbin/mkntpwd"
+
- Remark: the rpm package of the smbldap-tools will install this
+ utility. If you are using the tarball archive, you have to install
+ it yourself (sources are also in the smbldap-tools archive).
+
+ - mailDomain : Domain appended to the users "mail"
+ attribute.
+
-
+ Example: mailDomain="idealx.org"
+
+
+
+3.2 The smbldap_bind.conf file
+This file is only used by root to modify the content of the directory.
+It contains distinguised names and credentials to connect to
+both the master and slave directories. A full example file is available
+in section 8.1.2.
+
+Let's have a look at all available parameters.
+-
+slaveDN : distinguished name used to bind to the slave server
+
-
+ Example 1: slaveDN="cn=Manager,dc=idealx,dc=com"
+
- Example 2: slaveDN=""
+
- Remark: this can be the manager account of the directory or
+ any LDAP account that has sufficient permissions to read the full
+ directory (Slave directory is only used for reading). Anonymous
+ connections uses the second example form.
+
+ - slavePw : the credentials to bind to the slave server
+
-
+ Example 1: slavePw="secret"
+
- Example 2: slavePw=""
+
- Remark: the password must be stored here in clear form. This
+ file must then be readable only by root! All anonymous connections
+ use the second form provided in our example.
+
+ - masterDN : the distinguished name used to bind to the master server
+
-
+ Example: masterDN="cn=Manager,dc=idealx,dc=com"
+
- Remark: this can be the manager account of the directory or
+ any LDAP account that has enough permissions to modify the content
+ of the directory. Anonymous access does not make any sense here.
+
+ - masterPw : the credentials to bind to the master server
+
-
+ Example: masterPw="secret"
+
- Remark: the password must be in clear text. Be sure to protect
+ this file against unauthorized readers!
+
+
+
+
+
+
+
+
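Review bot: two of the example values in the smbldap.conf parameter list are wrong and will be copied verbatim by users: the computersdn example is missing its `=` (`computersdn"ou=Computers,${suffix}"` should read `computersdn="ou=Computers,${suffix}"`), and the example under defaultMaxPasswordAge uses a different key name (`defaultMaxPassword="55"`), so a reader following the page would set a parameter the scripts do not read. The Remark under userScript repeats the userProfile remark word for word ("this is stored in sambaProfilePath attribute"), which looks like a copy/paste error since a netlogon script is not a profile path; and the userSmbHome and userProfile examples contain a stray space after the share name (`\\PDC-SMB3\ home\%U`) that should be checked against the intended `\\PDC-SMB3\home\%U` form. In the smbldap_bind.conf section the text correctly stresses that masterPw and slavePw are stored in clear text and the file must be readable only by root; it would help to state the expected ownership and mode there (root-owned, no group or world read, e.g. mode 0600) and to note that the slave bind can use the anonymous form (`slaveDN=""`, `slavePw=""`) precisely so that no credential needs to be written for the read-only side when the directory permits anonymous reads. Minor: "Crtl-c" should be "Ctrl-c", "A script is named configure.pl can help you" should be "A script named configure.pl can help you", and "distinguised names" should be "distinguished names".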