<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
 "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>

<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META name="GENERATOR" content="hevea 1.06">
<TITLE>
 Configuring the smbldap-tools
</TITLE>
</HEAD>
<BODY >
<A HREF="smbldap-tools003.html"><IMG SRC ="previous_motif.gif" ALT="Previous"></A>
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Up"></A>
<A HREF="smbldap-tools005.html"><IMG SRC ="next_motif.gif" ALT="Next"></A>
<HR>

<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><UL>
<LI><A HREF="smbldap-tools004.html#toc6"> The smbldap.conf file</A>
<LI><A HREF="smbldap-tools004.html#toc7"> The smbldap_bind.conf file</A>
</UL>

As mentioned in the previous section, you'll have to update two
configuration files. The first (<TT>smbldap.conf</TT>) allows you to
set global parameters that are readable by everybody, and the second
(<TT>smbldap_bind.conf</TT>) defines two administrative accounts used to
bind to a slave and a master LDAP server: this file must thus be
readable only by root.<BR>
<BR>
A script named <TT>configure.pl</TT> can help you set up their contents.
It is located in the downloaded tarball, or in the documentation
directory if you got the RPM archive (see
<TT>/usr/share/doc/smbldap-tools/</TT>). Just invoke it:
<PRE>
/usr/share/doc/smbldap-tools/configure.pl
</PRE>It will ask for the default values defined in your
<TT>smb.conf</TT> file, and will update the two configuration files used
by the scripts. Note that you can stop the script at any moment with
the <TT>Ctrl-c</TT> keys.<BR>
Before using this script:
<UL><LI>
the two configuration files <B>must</B> be present in the
 <TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory
<LI>check that Samba is configured and running, as the script will try to
 get your workgroup's domain secure id (SID).
</UL>
In those files, parameters are defined like this:
<PRE>
key="value"
</PRE>Full example configuration files can be found in section
<A HREF="smbldap-tools009.html#configuration::files">8.1</A>.<BR>
<BR>
<A NAME="toc6"></A>
<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3>
This file is used to define parameters that can be readable by
everybody. A full example file is available in section <A HREF="smbldap-tools009.html#configuration::file::smbldap">8.1.1</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>UID_START</TT> and <TT>GID_START</TT> : those parameters
 are deprecated. Available uid and gid are now defined in the default
 new entry <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT>.
<LI><TT>SID</TT> : the domain's Secure Identifier
 <UL><LI>
 Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
 <LI>Remark: you can get the SID for your domain using the <TT>net getlocalsid</TT>
 command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
</UL>
<LI><TT>slaveLDAP</TT> : slave LDAP server
 <UL><LI>
 Example: <TT>slaveLDAP="127.0.0.1"</TT>
 <LI>Remark: must be a resolvable DNS name or its IP address
 </UL>
<LI><TT>slavePort</TT> : port to contact the slave server
 <UL><LI>
 Example: <TT>slavePort="389"</TT>
 </UL>
<LI><TT>masterLDAP</TT> : master LDAP server
 <UL><LI>
 Example: <TT>masterLDAP="127.0.0.1"</TT>
 </UL>
<LI><TT>masterPort</TT> : port to contact the master server
 <UL><LI>
 Example: <TT>masterPort="389"</TT>
 </UL>
<LI><TT>ldapTLS</TT> : should we use a TLS connection to contact the
 LDAP servers?
 <UL><LI>
 Example: <TT>ldapTLS="1"</TT>
 <LI>Remark: the LDAP servers must be configured to accept TLS
 connections. See the Samba-LDAP Howto for more
 details (<TT>http://samba.idealx.org/smbldap-howto.fr.html</TT>).
 If you are using TLS support, select port 389 to connect to
 the master and slave directories.
 </UL>
<LI><TT>verify</TT> : how to verify the server's certificate (none,
 optional or require). See the <TT>start_tls</TT> section of
 <TT>man Net::LDAP</TT> for more details
 <UL><LI>
 Example: <TT>verify="require"</TT>
 </UL>
<LI><TT>cafile</TT> : the PEM-format file containing certificates
 for the CA that slapd will trust
 <UL><LI>
 Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
 </UL>
<LI><TT>clientcert</TT> : the file that contains the client certificate
 <UL><LI>
 Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
 </UL>
<LI><TT>clientkey</TT> : the file that contains the private key that
 matches the certificate stored in the clientcert file
 <UL><LI>
 Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
 </UL>
<LI><TT>suffix</TT> : the distinguished name of the search base
 <UL><LI>
 Example: <TT>suffix="dc=idealx,dc=com"</TT>
 </UL>
<LI><TT>usersdn</TT> : branch in which user accounts can be found or
 must be added
 <UL><LI>
 Example: <TT>usersdn="ou=Users,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
 </UL>
<LI><TT>computersdn</TT> : branch in which computer accounts can be
 found or must be added
 <UL><LI>
 Example: <TT>computersdn="ou=Computers,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
 </UL>
<LI><TT>groupsdn</TT> : branch in which group accounts can be found
 or must be added
 <UL><LI>
 Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
 </UL>
<LI><TT>idmapdn</TT> : where Idmap entries are stored (used if Samba is a domain member server)
<UL><LI>
 Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>sambaUnixIdPooldn</TT> : object in which the next available uidNumber and gidNumber are stored
<UL><LI>
 Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>scope</TT> : the search scope.
<UL><LI>
 Example: <TT>scope="sub"</TT>
</UL>
<LI><TT>hash_encrypt</TT> : hash to be used when generating a
 user password.
 <UL><LI>
 Example: <TT>hash_encrypt="SSHA"</TT>
 <LI>Remark: this is used for the unix password stored in the <I>userPassword</I> attribute.
 </UL>
<LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to
 CRYPT, you may set a salt format. Default is "%s", but many systems
 will generate MD5 hashed passwords if you use "$1$%.8s". This
 parameter is optional.
<LI><TT>userLoginShell</TT> : default shell given to users.
 <UL><LI>
 Example: <TT>userLoginShell="/bin/bash"</TT>
 <LI>Remark: this is stored in the <I>loginShell</I> attribute.
 </UL>
<LI><TT>userHome</TT> : default directory where users' home
 directories are located.
 <UL><LI>
 Example: <TT>userHome="/home/%U"</TT>
 <LI>Remark: this is stored in the <TT>homeDirectory</TT> attribute.
 </UL>
<LI><TT>userGecos</TT> : gecos used for users
 <UL><LI>
 Example: <TT>userGecos="System User"</TT>
 </UL>
<LI><TT>defaultUserGid</TT> : default primary group set on user accounts
 <UL><LI>
 Example: <TT>defaultUserGid="513"</TT>
 <LI>Remark: this is stored in the <I>gidNumber</I> attribute.
</UL>
<LI><TT>defaultComputerGid</TT> : default primary group set on
 computer accounts
 <UL><LI>
 Example: <TT>defaultComputerGid="550"</TT>
 <LI>Remark: this is stored in the <I>gidNumber</I> attribute.
</UL>
<LI><TT>skeletonDir</TT> : skeleton directory used for user accounts
 <UL><LI>
 Example: <TT>skeletonDir="/etc/skel"</TT>
 <LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
 </UL>
<LI><TT>defaultMaxPasswordAge</TT> : default validity period of a
 password (in days)
 <UL><LI>
 Example: <TT>defaultMaxPasswordAge="55"</TT>
 </UL>
<LI><TT>userSmbHome</TT> : Samba share used to store the user's home directory
 <UL><LI>
 Example:
 <TT>userSmbHome="\\PDC-SMB3\home\%U"</TT>
 <LI>Remark: this is stored in the <I>sambaHomePath</I> attribute.
</UL>
<LI><TT>userProfile</TT> : Samba share used to store the user's profile
 <UL><LI>
 Example:
 <TT>userProfile="\\PDC-SMB3\profiles\%U"</TT>
 <LI>Remark: this is stored in the <I>sambaProfilePath</I> attribute.
 </UL>
<LI><TT>userScript</TT> : default user netlogon script name. If not set, it will automatically be <I>username.cmd</I>
 <UL><LI>
 Example:
 <TT>userScript="%U"</TT>
 <LI>Remark: this is stored in the <I>sambaProfilePath</I> attribute.
 </UL>
<LI><TT>userHomeDrive</TT> : drive letter used on Windows systems to map
 the home directory
 <UL><LI>
 Example: <TT>userHomeDrive="K:"</TT>
 </UL>
<LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command
 to set the user's password (instead of the <I>mkntpwd</I> utility)?
 <UL><LI>
 Example: <TT>with_smbpasswd="0"</TT>
 <LI>Remark: must be a boolean value (0 or 1).
 </UL>
<LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary
 <UL><LI>
 Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
 </UL>
<LI><TT>mk_ntpasswd</TT> : path to the mkntpwd binary
 <UL><LI>
 Example: <TT>mk_ntpasswd="/usr/local/sbin/mkntpwd"</TT>
 <LI>Remark: the RPM package of the smbldap-tools will install this
 utility. If you are using the tarball archive, you have to install
 it yourself (sources are also in the smbldap-tools archive).
 </UL>
<LI><TT>mailDomain</TT> : domain appended to the users' "mail"
 attribute.
 <UL><LI>
 Example: <TT>mailDomain="idealx.org"</TT>
 </UL>
</UL>
<A NAME="toc7"></A>
<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3>
This file is only used by <I>root</I> to modify the content of the directory.
It contains the distinguished names and credentials used to connect to
both the master and slave directories. A full example file is available
in section <A HREF="smbldap-tools009.html#configuration::file::smbldap::bind">8.1.2</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>slaveDN</TT> : distinguished name used to bind to the slave server
 <UL><LI>
 Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
 <LI>Example 2: <TT>slaveDN=""</TT>
 <LI>Remark: this can be the manager account of the directory or
 any LDAP account that has sufficient permissions to read the full
 directory (the slave directory is only used for reading). Anonymous
 connections use the second example form.
 </UL>
<LI><TT>slavePw</TT> : the credentials to bind to the slave server
 <UL><LI>
 Example 1: <TT>slavePw="secret"</TT>
 <LI>Example 2: <TT>slavePw=""</TT>
 <LI>Remark: the password must be stored here in clear form. This
 file must therefore be readable only by root! All anonymous connections
 use the second form provided in our example.
 </UL>
<LI><TT>masterDN</TT> : the distinguished name used to bind to the master server
 <UL><LI>
 Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
 <LI>Remark: this can be the manager account of the directory or
 any LDAP account that has enough permissions to modify the content
 of the directory. Anonymous access does not make any sense here.
</UL>
<LI><TT>masterPw</TT> : the credentials to bind to the master server
 <UL><LI>
 Example: <TT>masterPw="secret"</TT>
 <LI>Remark: the password must be in clear text. Be sure to protect
 this file against unauthorized readers!
 </UL>
</UL>
</BODY>
</HTML>
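As an added example (not part of smbldap-tools or of this document), the following POSIX shell script reads the key="value" format shared by both files, expands the ${suffix} reference used by the *dn parameters of section 3.1, and checks the two points this page flags as security-relevant: TLS with certificate verification in smbldap.conf, and root-only access to smbldap_bind.conf, whose passwords are stored in clear. The function names and the sample files are constructed for the example.

```shell
# Added example, not part of smbldap-tools: read key="value" settings from
# smbldap.conf / smbldap_bind.conf, expand ${suffix}, and audit them.

# Print the value of key $1 from config file $2. Lines look like key="value";
# comments and blank lines are ignored, quotes stripped, last definition wins.
smbldap_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$2" | tail -n 1
}

# Same, but expands a ${suffix} reference the way usersdn, groupsdn,
# computersdn, idmapdn and sambaUnixIdPooldn use it (not relative: literal).
smbldap_get_dn() {
  suffix=$(smbldap_get suffix "$2")
  smbldap_get "$1" "$2" | sed "s|\\\${suffix}|$suffix|g"
}

# smbldap.conf: bind credentials stay confidential in transit only if TLS
# is on, the server certificate is verified and a CA file is configured.
audit_smbldap_conf() {
  rc=0
  [ "$(smbldap_get ldapTLS "$1")" = "1" ] || { echo "ldapTLS is not 1: binds cross the wire in clear"; rc=1; }
  [ "$(smbldap_get verify "$1")" = "require" ] || { echo "verify is not require: server certificate unchecked"; rc=1; }
  [ -n "$(smbldap_get cafile "$1")" ] || { echo "cafile is empty: no trust anchor configured"; rc=1; }
  return $rc
}

# smbldap_bind.conf: passwords are stored in clear text, so no group/other
# permission bit may be set (the file must be readable only by root).
audit_bind_conf() {
  perms=$(ls -ld "$1" | cut -c5-10)   # group and other rwx characters
  [ "$perms" = "------" ] || { echo "$1 is accessible to group/others ($perms)"; return 1; }
  [ -n "$(smbldap_get masterDN "$1")" ] || { echo "masterDN is empty: anonymous bind cannot modify the directory"; return 1; }
}

# Constructed sample files (not from the page) so the script runs stand-alone.
demo_dir=$(mktemp -d)
cat > "$demo_dir/smbldap.conf" <<'EOF'
# global parameters, readable by everybody
suffix="dc=idealx,dc=com"
usersdn="ou=Users,${suffix}"
ldapTLS="1"
verify="none"
cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
EOF
printf 'masterDN="cn=Manager,dc=idealx,dc=com"\nmasterPw="secret"\n' > "$demo_dir/smbldap_bind.conf"
chmod 644 "$demo_dir/smbldap_bind.conf"   # deliberately too open for the demo
echo "usersdn expands to: $(smbldap_get_dn usersdn "$demo_dir/smbldap.conf")"
audit_smbldap_conf "$demo_dir/smbldap.conf" || echo "smbldap.conf needs fixing"
audit_bind_conf "$demo_dir/smbldap_bind.conf" || echo "smbldap_bind.conf needs fixing"
```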