<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>idmap_ldap</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="idmap_ldap.8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>idmap_ldap — Samba's idmap_ldap Backend for Winbind</p></div><div class="refsynopsisdiv"><h2>DESCRIPTION</h2><p>The idmap_ldap plugin provides a means for Winbind to store and retrieve SID/uid/gid mapping tables in an LDAP directory service. The module implements both the "idmap" and "idmap alloc" APIs.</p></div><div class="refsect1" lang="en"><a name="id291818"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p>Defines the directory base suffix to use when searching for SID/uid/gid mapping entries. If not defined, idmap_ldap will default to using the "ldap idmap suffix" option from smb.conf.</p></dd><dt><span class="term">ldap_user_dn = DN</span></dt><dd><p>Defines the user DN to be used for authentication. If absent, an anonymous bind will be performed.</p></dd><dt><span class="term">ldap_url = ldap://server/</span></dt><dd><p>Specifies the LDAP server to use when searching for existing SID/uid/gid map entries. If not defined, idmap_ldap will assume that ldap://localhost/ should be used.</p></dd><dt><span class="term">range = low - high</span></dt><dd><p>Defines the available matching uid and gid range for which the backend is authoritative. Note that the range commonly matches the allocation range, because the same backend will store and retrieve SID/uid/gid mapping entries. If the parameter is absent, Winbind fails over to using the "idmap uid" and "idmap gid" options from smb.conf.
</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id259565"></a><h2>IDMAP ALLOC OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p>Defines the directory base suffix under which new SID/uid/gid mapping entries should be stored. If not defined, idmap_ldap will default to using the "ldap idmap suffix" option from smb.conf.</p></dd><dt><span class="term">ldap_user_dn = DN</span></dt><dd><p>Defines the user DN to be used for authentication. If absent, an anonymous bind will be performed.</p></dd><dt><span class="term">ldap_url = ldap://server/</span></dt><dd><p>Specifies the LDAP server to which modify/add/delete requests should be sent. If not defined, idmap_ldap will assume that ldap://localhost/ should be used.</p></dd><dt><span class="term">range = low - high</span></dt><dd><p>Defines the available matching uid and gid range from which winbindd can allocate for users and groups. If the parameter is absent, Winbind fails over to using the "idmap uid" and "idmap gid" options from smb.conf.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id259376"></a><h2>EXAMPLES</h2><p>The following sets up an LDAP configuration that uses a slave server running on localhost for fast fetching of SID/gid/uid mappings; it assumes referrals are configured correctly. The idmap alloc backend is pointed directly at the master to skip the referral (and the consequent reconnection to the master) that the slave would otherwise return, since allocation requires writing on the master.
</p><pre class="programlisting">
[global]
    idmap domains = ALLDOMAINS
    idmap config ALLDOMAINS:default = yes
    idmap config ALLDOMAINS:backend = ldap
    idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap config ALLDOMAINS:ldap_url = ldap://localhost/
    idmap config ALLDOMAINS:range = 10000 - 50000

    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap alloc config:ldap_url = ldap://master.example.com/
    idmap alloc config:range = 10000 - 50000
</pre></div><div class="refsynopsisdiv"><h2>NOTE</h2><p>In order to use authentication against LDAP servers you may need to provide a DN and a password. To avoid exposing the password in plain text in the configuration file, it is stored in a secure store. The "net idmap " command is used to store a secret for the DN specified in a specific idmap domain.</p></div><div class="refsect1" lang="en"><a name="id259411"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.</p></div></div></body></html>
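Added example (not Samba code, not part of the manual page): a small Python linter that applies the option semantics documented in the IDMAP OPTIONS, IDMAP ALLOC OPTIONS and NOTE sections to the [global] section of an smb.conf. For each LDAP idmap backend it resolves the effective ldap_base_dn, ldap_user_dn, ldap_url and range using the documented fallbacks ("ldap idmap suffix", ldap://localhost/, and the "idmap uid"/"idmap gid" options), and reports what a reviewer would want to check: an absent ldap_user_dn (an anonymous bind, which matters most on the alloc backend because it writes new mappings), a malformed or unresolvable range, an alloc range that differs from a domain range, and a plain ldap:// URL pointing at a remote host. The function names, the Backend structure and the embedded sample configuration (the EXAMPLES listing above, with both backends left without ldap_user_dn) are constructed for this example.

```python
"""Lint the LDAP idmap settings of an smb.conf [global] section. Added example,
not Samba code: applies the defaults documented in idmap_ldap(8); sample is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the EXAMPLES listing from the page (no ldap_user_dn set).
SAMPLE_SMB_CONF = """
[global]
    idmap domains = ALLDOMAINS
    idmap config ALLDOMAINS:default = yes
    idmap config ALLDOMAINS:backend = ldap
    idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap config ALLDOMAINS:ldap_url = ldap://localhost/
    idmap config ALLDOMAINS:range = 10000 - 50000
    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap alloc config:ldap_url = ldap://master.example.com/
    idmap alloc config:range = 10000 - 50000
"""
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
URL_RE = re.compile(r"^(ldaps?)://([^/:]*)", re.IGNORECASE)
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


@dataclass
class Backend:  # effective settings of one idmap_ldap backend, plus findings
    name: str
    base_dn: Optional[str]
    user_dn: Optional[str]
    url: str
    id_range: Optional[Tuple[int, int]]
    range_source: str
    findings: List[str] = field(default_factory=list)


def parse_global(text: str) -> Dict[str, str]:
    """Key/value pairs of the [global] section, keys lower-cased."""
    params, in_global = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def parse_range(value: Optional[str]) -> Optional[Tuple[int, int]]:
    """'low - high' -> (low, high); None if unset, malformed or low > high."""
    m = RANGE_RE.match((value or "").strip())
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def resolve_backend(params: Dict[str, str], name: str, prefix: str) -> Backend:
    """Apply the documented defaults for one backend and collect findings."""
    p = prefix.lower()
    base_dn = params.get(p + "ldap_base_dn") or params.get("ldap idmap suffix")
    user_dn = params.get(p + "ldap_user_dn")
    url = params.get(p + "ldap_url", "ldap://localhost/")  # documented default
    raw = params.get(p + "range")
    if raw is not None:
        id_range, source = parse_range(raw), prefix + "range"
    else:  # documented fallback: the global "idmap uid" / "idmap gid" options
        id_range, source = parse_range(params.get("idmap uid")), "idmap uid/gid fallback"
    b = Backend(name, base_dn, user_dn, url, id_range, source)
    if raw is not None and id_range is None:
        b.findings.append(f"{name}: malformed range '{raw}'")
    elif id_range is None:
        b.findings.append(f"{name}: no range and no usable 'idmap uid' fallback")
    if user_dn is None:
        b.findings.append(f"{name}: no ldap_user_dn, so an anonymous bind is used")
    m = URL_RE.match(url)
    if m and m.group(1).lower() == "ldap" and m.group(2).lower() not in LOCAL_HOSTS:
        b.findings.append(f"{name}: plain ldap:// to remote host '{m.group(2)}'; confirm TLS")
    return b


def lint(text: str) -> Dict[str, Backend]:
    """Resolve every LDAP idmap backend; key 'alloc' is the idmap alloc backend."""
    params = parse_global(text)
    backends: Dict[str, Backend] = {}
    for dom in params.get("idmap domains", "").replace(",", " ").split():
        prefix = f"idmap config {dom}:"
        if params.get(prefix.lower() + "backend", "").lower() == "ldap":
            backends[dom] = resolve_backend(params, dom, prefix)
    if params.get("idmap alloc backend", "").lower() == "ldap":
        alloc = resolve_backend(params, "alloc", "idmap alloc config:")
        if alloc.user_dn is None:  # this backend writes new mappings to the directory
            alloc.findings.append("alloc: anonymous bind on the backend that writes mappings")
        for dom, b in backends.items():  # the page notes the ranges commonly match
            if b.id_range and alloc.id_range and b.id_range != alloc.id_range:
                alloc.findings.append(f"alloc: range {alloc.id_range} differs from {dom} {b.id_range}")
        backends["alloc"] = alloc
    return backends
```

Run `lint(SAMPLE_SMB_CONF)` and print each backend's `findings`: on the page's own example both backends bind anonymously, and the alloc backend talks plain ldap:// to master.example.com, so the reviewer's follow-ups are to set ldap_user_dn (with the secret stored via the "net idmap " command rather than in smb.conf) and to confirm the transport to the master is protected. The linter only reads the configuration text; it does not contact any LDAP server.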