Initial import

[samba] / examples / LDAP / smbldap-tools-0.9.1 / doc / html / smbldap-tools004.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
            "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>

<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META name="GENERATOR" content="hevea 1.06">
<TITLE>
 Configuring the smbldap-tools
</TITLE>
</HEAD>
<BODY >
<A HREF="smbldap-tools003.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
<A HREF="smbldap-tools005.html"><IMG SRC ="next_motif.gif" ALT="Suivant"></A>
<HR>

<H2><A NAME="htoc10">3</A>&nbsp;&nbsp;Configuring the smbldap-tools</H2><UL>
<LI><A HREF="smbldap-tools004.html#toc6"> The smbldap.conf file</A>
<LI><A HREF="smbldap-tools004.html#toc7"> The smbldap_bind.conf file</A>
</UL>

As mentioned in the previous section, you'll have to update two
configuration files. The first (<TT>smbldap.conf</TT>) allows you to
set global parameter that are readable by everybody, and the second
(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
bind to a slave and a master ldap server: this file must thus be
readable only by root.<BR>
<BR>
A script is named <TT>configure.pl</TT> can help you to set their contents
up. It is located in the tarball
downloaded or in the documentation directory if you got the RPM
archive (see <TT>/usr/share/doc/smbldap-tools/</TT>). Just invoke it:
<PRE>
/usr/share/doc/smbldap-tools/configure.pl
</PRE>It will ask for the default values defined in your
<TT>smb.conf</TT> file, and will update the two configuration files used
by the scripts. Note that you can stop the script at any moment with
the <TT>Crtl-c</TT> keys.<BR>
Before using this script :
<UL><LI>
the two configuration files <B>must</B> be present in the
 <TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory
<LI>check that samba is configured and running, as the script will try to
 get your workgroup's domain secure id (SID).
</UL>
In those files are parameters are defined like this:
<PRE>
key="value"
</PRE>Full example configuration files can be found at
<A HREF="smbldap-tools009.html#configuration::files">8.1</A>.<BR>
<BR>
<A NAME="toc6"></A>
<H3><A NAME="htoc11">3.1</A>&nbsp;&nbsp;The smbldap.conf file</H3>
This file is used to define parameters that can be readable by
everybody. A full example file is available in section <A HREF="smbldap-tools009.html#configuration::file::smbldap">8.1.1</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>UID_START</TT> and <TT>GID_START</TT>&nbsp;: those parameters
 are deprecated. Available uid and gid are now defined in the default
 new entry <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT>.
<LI><TT>SID</TT>&nbsp;: Secure Identifier Domain
 <UL><LI>
 Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
 <LI>Remark: you can get the SID for your domain using the <TT>net getlocalsid</TT>
 command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
</UL>
<LI><TT>slaveLDAP</TT>&nbsp;: slave LDAP server
 <UL><LI>
 Example: <TT>slaveLDAP="127.0.0.1"</TT>
 <LI>Remark: must be a resolvable DNS name or it's IP address
 </UL>
<LI><TT>slavePort</TT>&nbsp;: port to contact the slave server
 <UL><LI>
 Example: <TT>slavePort="389"</TT>
 </UL>
<LI><TT>masterLDAP</TT>&nbsp;: master LDAP server
 <UL><LI>
 Example: <TT>masterLDAP="127.0.0.1"</TT>
 </UL>
<LI><TT>masterPort</TT>&nbsp;: port to contact the master server
 <UL><LI>
 Example: <TT>masterPort="389"</TT>
 </UL>
<LI><TT>ldapTLS</TT>&nbsp;: should we use TLS connection to contact the
 ldap servers ?
 <UL><LI>
 Example: <TT>ldapTLS="1"</TT>
 <LI>Remark: the LDAP severs must be configured to accept TLS
 connections. See section the Samba-LDAP Howto for more
 details (<TT>http://samba.idealx.org/smbldap-howto.fr.html</TT>). If you are using TLS support, select port 389 to connect to
 the master and slave directories.
 </UL>
<LI><TT>verify</TT>&nbsp;: How to verify the server's certificate (none,
 optional or require). See "man Net::LDAP" in start_tls section for
 more details
 <UL><LI>
 Example: <TT>verify="require"</TT>
 </UL> 
<LI><TT>cafile</TT>&nbsp;: the PEM-format file containing certificates
 for the CA that slapd will trust
 <UL><LI>
 Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
 </UL>
<LI><TT>clientcert</TT>&nbsp;: the file that contains the client certificate
 <UL><LI>
 Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
 </UL>
<LI><TT>clientkey</TT>&nbsp;: the file that contains the private key that
 matches the certificate stored in the clientcert file
 <UL><LI>
 Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
 </UL>
<LI><TT>suffix</TT>&nbsp;: The distinguished name of the search base
 <UL><LI>
 Example: <TT>suffix="dc=idealx,dc=com"</TT>
 </UL>
<LI><TT>usersdn</TT>&nbsp;: branch in which users account can be found or
 must be added
 <UL><LI>
 Example: <TT>usersdn="ou=Users,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
 </UL>
<LI><TT>computersdn</TT>&nbsp;: branch in which computers account can be
 found or must be added
 <UL><LI>
 Example: <TT>computersdn"ou=Computers,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
 </UL>
<LI><TT>groupsdn</TT>&nbsp;: branch in which groups account can be found
 or must be added
 <UL><LI>
 Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
 <LI>Remarks: this branch is <B>not</B> relative to the suffix value
 </UL>
<LI><TT>idmapdn</TT>&nbsp;: where are stored Idmap entries (used if samba is a domain member server)
<UL><LI>
 Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
 <LI>Remarks: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>sambaUnixIdPooldn</TT>&nbsp;: object in which next uidNumber and gidNumber available are stored
<UL><LI>
 Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
 <LI>Remarks: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>scope</TT>&nbsp;: the search scope.
<UL><LI>
 Example: <TT>scope="sub"</TT>
</UL>
<LI><TT>hash_encrypt</TT>&nbsp;: hash to be used when generating a
 user password.
 <UL><LI>
 Example: <TT>hash_encrypt="SSHA"</TT>
 <LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute.
 </UL>
<LI><TT>crypt_salt_format="%s"</TT>&nbsp;: if hash_encrypt is set to
 CRYPT, you may set a salt format. Default is "%s", but many systems
 will generate MD5 hashed passwords if you use "$1$%.8s". This
 parameter is optional.
<LI><TT>userLoginShell</TT>&nbsp;: default shell given to users.
 <UL><LI>
 Example: <TT>userLoginShell="/bin/bash"</TT>
 <LI>Remark: This is stored in <I>loginShell</I> attribute.
 </UL>
<LI><TT>userHome</TT>&nbsp;: default directory where users's home
 directory are located.
 <UL><LI>
 Example: <TT>userHome="/home/%U"</TT>
 <LI>Remark: This is stored in <TT>homeDirectory</TT> attribute.
 </UL>
<LI><TT>userGecos</TT>&nbsp;: gecos used for users
 <UL><LI>
 Example: <TT>userGecos="System User"</TT>
 </UL>
<LI><TT>defaultUserGid</TT>&nbsp;: default primary group set to users accounts
 <UL><LI>
 Example: <TT>defaultUserGid="513"</TT>
 <LI>Remark: this is stored in <I>gidNumber</I> attribute.
</UL>
<LI><TT>defaultComputerGid</TT>&nbsp;: default primary group set to
 computers accounts
 <UL><LI>
 Example: <TT>defaultComputerGid="550"</TT>
 <LI>Remark: this is stored in <I>gidNumber</I> attribute.
</UL>
<LI><TT>skeletonDir</TT>&nbsp;: skeleton directory used for users accounts
 <UL><LI>
 Example: <TT>skeletonDir="/etc/skel"</TT>
 <LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
 </UL>
<LI><TT>defaultMaxPasswordAge</TT>&nbsp;: default validation time for a
 password (in days)
 <UL><LI>
 Example: <TT>defaultMaxPassword="55"</TT>
 </UL>
<LI><TT>userSmbHome</TT>&nbsp;: samba share used to store user's home directory
 <UL><LI>
 Example:
 <TT>userSmbHome="\\PDC-SMB3\ <I>home</I>\%<I>U</I>"</TT>
 <LI>Remark: this is stored in <I>sambaHomePath</I> attribute.
</UL>
<LI><TT>userProfile</TT>&nbsp;: samba share used to store user's profile
 <UL><LI>
 Example:
 <TT>userProfile="\\PDC-SMB3\ <I>profiles</I>\%<I>U</I>"</TT>
 <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
 </UL>
<LI><TT>userScript</TT>&nbsp;: default user netlogon script name. If not used, will be automatically <I>username.cmd</I>
 <UL><LI>
 Example:
 <TT>userScript="%U"</TT>
 <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
 </UL>
<LI><TT>userHomeDrive</TT>&nbsp;: letter used on windows system to map
 the home directory
 <UL><LI>
 Example: <TT>userHomeDrive="K:"</TT>
 </UL>
<LI><TT>with_smbpasswd</TT>&nbsp;: should we use the <I>smbpasswd</I> command
 to set the user's password (instead of the <I>mkntpwd</I> utility) ?
 <UL><LI>
 Example: <TT>with_smbpasswd="0"</TT>
 <LI>Remark: must be a boolean value (0 or 1).
 </UL>
<LI><TT>smbpasswd</TT>&nbsp;: path to the <TT>smbpasswd</TT> binary
 <UL><LI>
 Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
 </UL>
<LI><TT>mk_ntpasswd</TT>&nbsp;: path to the mkntpwd binary
 <UL><LI>
 Example: <TT>mk_ntpasswd="/usr/local/sbin/mkntpwd"</TT>
 <LI>Remark: the rpm package of the smbldap-tools will install this
 utility. If you are using the tarball archive, you have to install
 it yourself (sources are also in the smbldap-tools archive).
 </UL>
<LI><TT>mailDomain</TT>&nbsp;: Domain appended to the users "mail"
 attribute.
 <UL><LI>
 Example: <TT>mailDomain="idealx.org"</TT>
 </UL>
</UL>
<A NAME="toc7"></A>
<H3><A NAME="htoc12">3.2</A>&nbsp;&nbsp;The smbldap_bind.conf file</H3>
This file is only used by <I>root</I> to modify the content of the directory.
It contains distinguised names and credentials to connect to
both the master and slave directories. A full example file is available
in section <A HREF="smbldap-tools009.html#configuration::file::smbldap::bind">8.1.2</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>slaveDN</TT>&nbsp;: distinguished name used to bind to the slave server 
 <UL><LI>
 Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT> 
 <LI>Example 2: <TT>slaveDN=""</TT>
 <LI>Remark: this can be the manager account of the directory or
 any LDAP account that has sufficient permissions to read the full
 directory (Slave directory is only used for reading). Anonymous
 connections uses the second example form.
 </UL>
<LI><TT>slavePw</TT>&nbsp;: the credentials to bind to the slave server
 <UL><LI>
 Example 1: <TT>slavePw="secret"</TT> 
 <LI>Example 2: <TT>slavePw=""</TT>
 <LI>Remark: the password must be stored here in clear form. This
 file must then be readable only by root! All anonymous connections
 use the second form provided in our example.
 </UL>
<LI><TT>masterDN</TT>&nbsp;: the distinguished name used to bind to the master server
 <UL><LI>
 Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
 <LI>Remark: this can be the manager account of the directory or
 any LDAP account that has enough permissions to modify the content
 of the directory. Anonymous access does not make any sense here.
</UL>
<LI><TT>masterPw</TT>&nbsp;: the credentials to bind to the master server
 <UL><LI>
 Example: <TT>masterPw="secret"</TT>
 <LI>Remark: the password must be in clear text. Be sure to protect
 this file against unauthorized readers!
 </UL>
</UL>
 <HR>
<A HREF="smbldap-tools003.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
<A HREF="smbldap-tools005.html"><IMG SRC ="next_motif.gif" ALT="Suivant"></A>
</BODY>
</HTML>