+++ /dev/null
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<refentry id="idmap_ad.8">
-
-<refmeta>
- <refentrytitle>idmap_ad</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="source">Samba</refmiscinfo>
- <refmiscinfo class="manual">System Administration tools</refmiscinfo>
- <refmiscinfo class="version">3.6</refmiscinfo>
-</refmeta>
-
-
-<refnamediv>
- <refname>idmap_ad</refname>
- <refpurpose>Samba's idmap_ad Backend for Winbind</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
- <title>DESCRIPTION</title>
- <para>The idmap_ad plugin provides a way for Winbind to read
- id mappings from an AD server that uses RFC2307/SFU schema
- extensions. This module implements only the "idmap"
- API, and is READONLY. Mappings must be provided in advance
- by the administrator by adding the posixAccount/posixGroup
- classes and relative attribute/value pairs to the user and
- group objects in the AD.</para>
-
- <para>
- Note that the idmap_ad module has changed considerably since
- Samba versions 3.0 and 3.2.
- Currently, the <parameter>ad</parameter> backend
- does not work as the the default idmap backend, but one has
- to configure it separately for each domain for which one wants
- to use it, using disjoint ranges. One usually needs to configure
- a writeable default idmap range, using for example the
- <parameter>tdb</parameter> or <parameter>ldap</parameter>
- backend, in order to be able to map the BUILTIN sids and
- possibly other trusted domains. The writeable default config
- is also needed in order to be able to create group mappings.
- This catch-all default idmap configuration should have a range
- that is disjoint from any explicitly configured domain with
- idmap backend <parameter>ad</parameter>. See the example below.
- </para>
-</refsynopsisdiv>
-
-<refsect1>
- <title>IDMAP OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>range = low - high</term>
- <listitem><para>
- Defines the available matching UID and GID range for which the
- backend is authoritative. Note that the range acts as a filter.
- If specified any UID or GID stored in AD that fall outside the
- range is ignored and the corresponding map is discarded.
- It is intended as a way to avoid accidental UID/GID overlaps
- between local and remotely defined IDs.
- </para></listitem>
- </varlistentry>
- <varlistentry>
- <term>schema_mode = <rfc2307 | sfu | sfu20></term>
- <listitem><para>
- Defines the schema that idmap_ad should use when querying
- Active Directory regarding user and group information.
- This can be either the RFC2307 schema support included
- in Windows 2003 R2 or the Service for Unix (SFU) schema.
- For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0
- please choose "sfu20".
-
- Please note that primary group membership is currently always calculated
- via the "primaryGroupID" LDAP attribute.
- </para></listitem>
- </varlistentry>
- </variablelist>
-</refsect1>
-
-<refsect1>
- <title>EXAMPLES</title>
- <para>
- The following example shows how to retrieve idmappings from our principal and
- trusted AD domains. If trusted domains are present id conflicts must be
- resolved beforehand, there is no
- guarantee on the order conflicting mappings would be resolved at this point.
-
- This example also shows how to leave a small non conflicting range for local
- id allocation that may be used in internal backends like BUILTIN.
- </para>
-
- <programlisting>
- [global]
- workgroup = CORP
-
- idmap config * : backend = tdb
- idmap config * : range = 1000000-1999999
-
- idmap config CORP : backend = ad
- idmap config CORP : range = 1000-999999
- </programlisting>
-</refsect1>
-
-<refsect1>
- <title>AUTHOR</title>
-
- <para>
- The original Samba software and related utilities
- were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
- to the way the Linux kernel is developed.
- </para>
-</refsect1>
-
-</refentry>
git.samba.org / kai / samba.git / blobdiff