--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
+ "http://www.w3.org/TR/REC-html40/loose.dtd">
+<HTML>
+<HEAD>
+
+<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<META name="GENERATOR" content="hevea 1.06">
+<TITLE>
+ Configuring the smbldap-tools
+</TITLE>
+</HEAD>
+<BODY >
+<A HREF="smbldap-tools003.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
+<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
+<A HREF="smbldap-tools005.html"><IMG SRC ="next_motif.gif" ALT="Suivant"></A>
+<HR>
+
+<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><UL>
+<LI><A HREF="smbldap-tools004.html#toc6"> The smbldap.conf file</A>
+<LI><A HREF="smbldap-tools004.html#toc7"> The smbldap_bind.conf file</A>
+</UL>
+
+As mentioned in the previous section, you'll have to update two
+configuration files. The first (<TT>smbldap.conf</TT>) allows you to
+set global parameter that are readable by everybody, and the second
+(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
+bind to a slave and a master ldap server: this file must thus be
+readable only by root.<BR>
+<BR>
+A script is named <TT>configure.pl</TT> can help you to set their contents
+up. It is located in the tarball
+downloaded or in the documentation directory if you got the RPM
+archive (see <TT>/usr/share/doc/smbldap-tools/</TT>). Just invoke it:
+<PRE>
+/usr/share/doc/smbldap-tools/configure.pl
+</PRE>It will ask for the default values defined in your
+<TT>smb.conf</TT> file, and will update the two configuration files used
+by the scripts. Note that you can stop the script at any moment with
+the <TT>Crtl-c</TT> keys.<BR>
+Before using this script :
+<UL><LI>
+the two configuration files <B>must</B> be present in the
+ <TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory
+<LI>check that samba is configured and running, as the script will try to
+ get your workgroup's domain secure id (SID).
+</UL>
+In those files are parameters are defined like this:
+<PRE>
+key="value"
+</PRE>Full example configuration files can be found at
+<A HREF="smbldap-tools009.html#configuration::files">8.1</A>.<BR>
+<BR>
+<A NAME="toc6"></A>
+<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3>
+This file is used to define parameters that can be readable by
+everybody. A full example file is available in section <A HREF="smbldap-tools009.html#configuration::file::smbldap">8.1.1</A>.<BR>
+<BR>
+Let's have a look at all available parameters.
+<UL><LI>
+<TT>UID_START</TT> and <TT>GID_START</TT> : those parameters
+ are deprecated. Available uid and gid are now defined in the default
+ new entry <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT>.
+<LI><TT>SID</TT> : Secure Identifier Domain
+ <UL><LI>
+ Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
+ <LI>Remark: you can get the SID for your domain using the <TT>net getlocalsid</TT>
+ command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
+</UL>
+<LI><TT>slaveLDAP</TT> : slave LDAP server
+ <UL><LI>
+ Example: <TT>slaveLDAP="127.0.0.1"</TT>
+ <LI>Remark: must be a resolvable DNS name or it's IP address
+ </UL>
+<LI><TT>slavePort</TT> : port to contact the slave server
+ <UL><LI>
+ Example: <TT>slavePort="389"</TT>
+ </UL>
+<LI><TT>masterLDAP</TT> : master LDAP server
+ <UL><LI>
+ Example: <TT>masterLDAP="127.0.0.1"</TT>
+ </UL>
+<LI><TT>masterPort</TT> : port to contact the master server
+ <UL><LI>
+ Example: <TT>masterPort="389"</TT>
+ </UL>
+<LI><TT>ldapTLS</TT> : should we use TLS connection to contact the
+ ldap servers ?
+ <UL><LI>
+ Example: <TT>ldapTLS="1"</TT>
+ <LI>Remark: the LDAP severs must be configured to accept TLS
+ connections. See section the Samba-LDAP Howto for more
+ details (<TT>http://samba.idealx.org/smbldap-howto.fr.html</TT>). If you are using TLS support, select port 389 to connect to
+ the master and slave directories.
+ </UL>
+<LI><TT>verify</TT> : How to verify the server's certificate (none,
+ optional or require). See "man Net::LDAP" in start_tls section for
+ more details
+ <UL><LI>
+ Example: <TT>verify="require"</TT>
+ </UL>
+<LI><TT>cafile</TT> : the PEM-format file containing certificates
+ for the CA that slapd will trust
+ <UL><LI>
+ Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
+ </UL>
+<LI><TT>clientcert</TT> : the file that contains the client certificate
+ <UL><LI>
+ Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
+ </UL>
+<LI><TT>clientkey</TT> : the file that contains the private key that
+ matches the certificate stored in the clientcert file
+ <UL><LI>
+ Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
+ </UL>
+<LI><TT>suffix</TT> : The distinguished name of the search base
+ <UL><LI>
+ Example: <TT>suffix="dc=idealx,dc=com"</TT>
+ </UL>
+<LI><TT>usersdn</TT> : branch in which users account can be found or
+ must be added
+ <UL><LI>
+ Example: <TT>usersdn="ou=Users,${suffix}"</TT>
+ <LI>Remark: this branch is <B>not</B> relative to the suffix value
+ </UL>
+<LI><TT>computersdn</TT> : branch in which computers account can be
+ found or must be added
+ <UL><LI>
+ Example: <TT>computersdn"ou=Computers,${suffix}"</TT>
+ <LI>Remark: this branch is <B>not</B> relative to the suffix value
+ </UL>
+<LI><TT>groupsdn</TT> : branch in which groups account can be found
+ or must be added
+ <UL><LI>
+ Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
+ </UL>
+<LI><TT>idmapdn</TT> : where are stored Idmap entries (used if samba is a domain member server)
+<UL><LI>
+ Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
+</UL>
+<LI><TT>sambaUnixIdPooldn</TT> : object in which next uidNumber and gidNumber available are stored
+<UL><LI>
+ Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
+</UL>
+<LI><TT>scope</TT> : the search scope.
+<UL><LI>
+ Example: <TT>scope="sub"</TT>
+</UL>
+<LI><TT>hash_encrypt</TT> : hash to be used when generating a
+ user password.
+ <UL><LI>
+ Example: <TT>hash_encrypt="SSHA"</TT>
+ <LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute.
+ </UL>
+<LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to
+ CRYPT, you may set a salt format. Default is "%s", but many systems
+ will generate MD5 hashed passwords if you use "$1$%.8s". This
+ parameter is optional.
+<LI><TT>userLoginShell</TT> : default shell given to users.
+ <UL><LI>
+ Example: <TT>userLoginShell="/bin/bash"</TT>
+ <LI>Remark: This is stored in <I>loginShell</I> attribute.
+ </UL>
+<LI><TT>userHome</TT> : default directory where users's home
+ directory are located.
+ <UL><LI>
+ Example: <TT>userHome="/home/%U"</TT>
+ <LI>Remark: This is stored in <TT>homeDirectory</TT> attribute.
+ </UL>
+<LI><TT>userGecos</TT> : gecos used for users
+ <UL><LI>
+ Example: <TT>userGecos="System User"</TT>
+ </UL>
+<LI><TT>defaultUserGid</TT> : default primary group set to users accounts
+ <UL><LI>
+ Example: <TT>defaultUserGid="513"</TT>
+ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
+</UL>
+<LI><TT>defaultComputerGid</TT> : default primary group set to
+ computers accounts
+ <UL><LI>
+ Example: <TT>defaultComputerGid="550"</TT>
+ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
+</UL>
+<LI><TT>skeletonDir</TT> : skeleton directory used for users accounts
+ <UL><LI>
+ Example: <TT>skeletonDir="/etc/skel"</TT>
+ <LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
+ </UL>
+<LI><TT>defaultMaxPasswordAge</TT> : default validation time for a
+ password (in days)
+ <UL><LI>
+ Example: <TT>defaultMaxPassword="55"</TT>
+ </UL>
+<LI><TT>userSmbHome</TT> : samba share used to store user's home directory
+ <UL><LI>
+ Example:
+ <TT>userSmbHome="\\PDC-SMB3\ <I>home</I>\%<I>U</I>"</TT>
+ <LI>Remark: this is stored in <I>sambaHomePath</I> attribute.
+</UL>
+<LI><TT>userProfile</TT> : samba share used to store user's profile
+ <UL><LI>
+ Example:
+ <TT>userProfile="\\PDC-SMB3\ <I>profiles</I>\%<I>U</I>"</TT>
+ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
+ </UL>
+<LI><TT>userScript</TT> : default user netlogon script name. If not used, will be automatically <I>username.cmd</I>
+ <UL><LI>
+ Example:
+ <TT>userScript="%U"</TT>
+ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
+ </UL>
+<LI><TT>userHomeDrive</TT> : letter used on windows system to map
+ the home directory
+ <UL><LI>
+ Example: <TT>userHomeDrive="K:"</TT>
+ </UL>
+<LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command
+ to set the user's password (instead of the <I>mkntpwd</I> utility) ?
+ <UL><LI>
+ Example: <TT>with_smbpasswd="0"</TT>
+ <LI>Remark: must be a boolean value (0 or 1).
+ </UL>
+<LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary
+ <UL><LI>
+ Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
+ </UL>
+<LI><TT>mk_ntpasswd</TT> : path to the mkntpwd binary
+ <UL><LI>
+ Example: <TT>mk_ntpasswd="/usr/local/sbin/mkntpwd"</TT>
+ <LI>Remark: the rpm package of the smbldap-tools will install this
+ utility. If you are using the tarball archive, you have to install
+ it yourself (sources are also in the smbldap-tools archive).
+ </UL>
+<LI><TT>mailDomain</TT> : Domain appended to the users "mail"
+ attribute.
+ <UL><LI>
+ Example: <TT>mailDomain="idealx.org"</TT>
+ </UL>
+</UL>
+<A NAME="toc7"></A>
+<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3>
+This file is only used by <I>root</I> to modify the content of the directory.
+It contains distinguised names and credentials to connect to
+both the master and slave directories. A full example file is available
+in section <A HREF="smbldap-tools009.html#configuration::file::smbldap::bind">8.1.2</A>.<BR>
+<BR>
+Let's have a look at all available parameters.
+<UL><LI>
+<TT>slaveDN</TT> : distinguished name used to bind to the slave server
+ <UL><LI>
+ Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
+ <LI>Example 2: <TT>slaveDN=""</TT>
+ <LI>Remark: this can be the manager account of the directory or
+ any LDAP account that has sufficient permissions to read the full
+ directory (Slave directory is only used for reading). Anonymous
+ connections uses the second example form.
+ </UL>
+<LI><TT>slavePw</TT> : the credentials to bind to the slave server
+ <UL><LI>
+ Example 1: <TT>slavePw="secret"</TT>
+ <LI>Example 2: <TT>slavePw=""</TT>
+ <LI>Remark: the password must be stored here in clear form. This
+ file must then be readable only by root! All anonymous connections
+ use the second form provided in our example.
+ </UL>
+<LI><TT>masterDN</TT> : the distinguished name used to bind to the master server
+ <UL><LI>
+ Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
+ <LI>Remark: this can be the manager account of the directory or
+ any LDAP account that has enough permissions to modify the content
+ of the directory. Anonymous access does not make any sense here.
+</UL>
+<LI><TT>masterPw</TT> : the credentials to bind to the master server
+ <UL><LI>
+ Example: <TT>masterPw="secret"</TT>
+ <LI>Remark: the password must be in clear text. Be sure to protect
+ this file against unauthorized readers!
+ </UL>
+</UL>
+ <HR>
+<A HREF="smbldap-tools003.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
+<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
+<A HREF="smbldap-tools005.html"><IMG SRC ="next_motif.gif" ALT="Suivant"></A>
+</BODY>
+</HTML>
projects / samba / blobdiff