IDMAP_LDAP(8)                                                    IDMAP_LDAP(8)

NAME

       idmap_ldap - Samba's idmap_ldap Backend for Winbind

DESCRIPTION

       The idmap_ldap plugin provides a means for Winbind to store and
       retrieve SID/uid/gid mapping tables in an LDAP directory service. The
       module implements both the "idmap" and "idmap alloc" APIs.

IDMAP OPTIONS

       ldap_base_dn = DN
          Defines the directory base suffix to use when searching for
          SID/uid/gid mapping entries. If not defined, idmap_ldap will default
          to using the "ldap idmap suffix" option from smb.conf.

       ldap_user_dn = DN
          Defines the user DN to be used for authentication. If absent, an
          anonymous bind will be performed.

       ldap_url = ldap://server/
          Specifies the LDAP server to use when searching for existing
          SID/uid/gid map entries. If not defined, idmap_ldap will assume that
          ldap://localhost/ should be used.

       range = low - high
          Defines the available matching uid and gid range for which the
          backend is authoritative. Note that the range commonly matches the
          allocation range, because the same backend will store and retrieve
          SID/uid/gid mapping entries. If the parameter is absent, Winbind
          falls back to the "idmap uid" and "idmap gid" options from smb.conf.

IDMAP ALLOC OPTIONS

       ldap_base_dn = DN
          Defines the directory base suffix under which new SID/uid/gid
          mapping entries should be stored. If not defined, idmap_ldap will
          default to using the "ldap idmap suffix" option from smb.conf.

       ldap_user_dn = DN
          Defines the user DN to be used for authentication. If absent, an
          anonymous bind will be performed.

       ldap_url = ldap://server/
          Specifies the LDAP server to which modify/add/delete requests should
          be sent. If not defined, idmap_ldap will assume that
          ldap://localhost/ should be used.

       range = low - high
          Defines the available matching uid and gid range from which winbindd
          can allocate for users and groups. If the parameter is absent,
          Winbind falls back to the "idmap uid" and "idmap gid" options from
          smb.conf.

EXAMPLES

       The following sets up an LDAP configuration that uses a slave server
       running on localhost for fast fetching of SID/gid/uid mappings; this
       implies that referrals are configured correctly. The idmap alloc
       backend is pointed directly at the master to skip the referral (and the
       consequent reconnection to the master) that the slave would return,
       since allocation requires writing on the master.

            [global]
                idmap domains = ALLDOMAINS
                idmap config ALLDOMAINS:default      = yes
                idmap config ALLDOMAINS:backend      = ldap
                idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com
                idmap config ALLDOMAINS:ldap_url     = ldap://localhost/
                idmap config ALLDOMAINS:range        = 10000 - 50000

                idmap alloc backend = ldap
                idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com
                idmap alloc config:ldap_url     = ldap://master.example.com/
                idmap alloc config:range        = 10000 - 50000

NOTE

       In order to use authentication against LDAP servers you may need to
       provide a DN and a password. To avoid exposing the password in plain
       text in the configuration file, it is kept in a security store. The
       "net idmap " command is used to store a secret for the DN specified in
       a specific idmap domain.
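       The Python script below is an added example, not part of the Samba
       documentation or code. It reads the [global] section of an smb.conf and
       reports each ldap-backed idmap section that would bind anonymously,
       that falls back to "idmap uid"/"idmap gid", or whose range differs from
       the alloc range; the finding labels are hypothetical names chosen here.

```python
SAMPLE = """\
[global]
    idmap domains = ALLDOMAINS
    idmap config ALLDOMAINS:default      = yes
    idmap config ALLDOMAINS:backend      = ldap
    idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap config ALLDOMAINS:ldap_url     = ldap://localhost/
    idmap config ALLDOMAINS:range        = 10000 - 50000
    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap alloc config:ldap_url     = ldap://master.example.com/
    idmap alloc config:range        = 10000 - 50000
"""  # the EXAMPLES configuration from this page; it sets no ldap_user_dn

def parse_global(text):
    """Return the [global] parameters as a dict with lower-cased names."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)  # DN values contain '=' themselves
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(text):
    """Return (backend, finding) pairs for every ldap-backed idmap section."""
    p = parse_global(text)
    prefixes = {d: f"idmap config {d.lower()}"
                for d in p.get("idmap domains", "").replace(",", " ").split()
                if p.get(f"idmap config {d.lower()}:backend") == "ldap"}
    if p.get("idmap alloc backend") == "ldap":
        prefixes["alloc"] = "idmap alloc config"
    findings, ranges = [], {}
    for name, prefix in prefixes.items():
        if not p.get(f"{prefix}:ldap_user_dn"):
            findings.append((name, "anonymous-bind"))  # absent DN => anonymous bind
        rng = p.get(f"{prefix}:range")
        if rng is None:
            findings.append((name, "range-from-idmap-uid-gid"))  # stated fallback
        else:
            ranges[name] = tuple(int(n) for n in rng.split("-"))
    alloc = ranges.get("alloc")
    findings += [(n, "range-differs-from-alloc") for n, r in ranges.items() if alloc and r != alloc]
    return findings

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

       Run against the EXAMPLES configuration, it reports an anonymous bind
       for both the ALLDOMAINS domain and the alloc backend.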

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.