2 TITLE INFORMATION: LDAP Support in Samba
3 AUTHOR INFORMATION: Matthew Chapman
4 DATE INFORMATION: 29th November 1998
6 WARNING: This is experimental code. Use at your own risk, and please report
7 any bugs (after reading BUGS.txt).
12 2: Why LDAP and Samba?
13 3: Using LDAP with Samba
14 4: Using LDAP for Unix authentication
15 5: Compatibility with Active Directory
19 A directory is a type of hierarchical database optimised for simple query
20 operations, often used for storing user information. LDAP is the
21 Lightweight Directory Access Protocol, a protocol which is rapidly
22 becoming the Internet standard for accessing directories.
24 Many client applications now support LDAP (including Microsoft's Active
25 Directory), and there are a number of servers available. The most popular
26 implementation for Unix is from the University of Michigan; its
27 homepage is at http://www.umich.edu/~dirsvcs/ldap/.
29 Information in an LDAP tree always comes in attribute=value pairs.
30 The following is an example of a Samba user entry:
32 uid=jbloggs, dc=samba, dc=org
33 objectclass=sambaAccount
36 description=Samba User
41 lmPassword=46E389809F8D55BB78A48108148AD508
42 ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
44 smbHome=\\samba1\jbloggs
47 profile=\\samba1\jbloggs\profile
50 Note that the top line is a special set of attributes called a
51 distinguished name which identifies the location of this entry beneath
52 the directory's root node. Recent Internet standards suggest the use of
53 domain-based naming using dc attributes (for instance, a microsoft.com
54 directory should have a root node of dc=microsoft, dc=com), although
55 this is not strictly necessary for isolated servers.
57 There are a number of LDAP-related FAQ's on the internet, although
58 generally the best source of information is the documentation for the
61 2: Why LDAP and Samba?
63 Using an LDAP directory allows Samba to store user and group information
64 more reliably and flexibly than the current combination of smbpasswd,
65 smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges
66 for extra user information to be stored, this can easily be added without
67 loss of backwards compatibility.
69 In addition, the Samba LDAP schema is compatible with RFC2307, allowing
70 Unix password database information to be stored in the same entries. This
71 provides a single, consistent repository for both Unix and Windows user
74 3: Using LDAP with Samba
76 1 Install and configure an LDAP server if you do not already have
77 one. You should read your LDAP server's documentation and set up the
78 configuration file and access control as desired.
80 2 Build Samba (latest CVS is required) with:
82 ./configure --with-ldap
83 make clean; make install
85 3 Add the following options to the global section of smb.conf as
90 This parameter specifies the node of the LDAP tree beneath which
91 Samba should store its information. This parameter MUST be provided
92 when using LDAP with Samba.
96 Example: ldap suffix = "dc=mydomain, dc=org"
100 This parameter specifies the entity to bind to an LDAP directory as.
101 Usually it should be safe to use the LDAP root account; for larger
102 installations it may be preferable to restrict Samba's access.
104 Default: none (bind anonymously)
106 Example: ldap bind as = "uid=root, dc=mydomain, dc=org"
110 This parameter specifies a file containing the password with which
111 Samba should bind to an LDAP server. For obvious security reasons
112 this file must be set to mode 700 or less.
114 Default: none (bind anonymously)
116 Example: ldap passwd file = /usr/local/samba/private/ldappasswd
120 This parameter specifies the DNS name of the LDAP server to use
121 when storing and retrieving information about Samba users and
124 Default: ldap server = localhost
128 This parameter specifies the TCP port number of the LDAP server.
130 Default: ldap port = 389
132 4 You should then be able to use the normal smbpasswd(8) command for
133 account administration (or User Manager in the near future).
135 4: Using LDAP for Unix authentication
137 The Samba LDAP code was designed to utilise RFC2307-compliant directory
138 entries if available. RFC2307 is a proposed standard for LDAP user
139 information which has been adopted by a number of vendors. Further
140 information is available at http://www.xedoc.com.au/~lukeh/ldap/.
142 Of particular interest is Luke Howard's nameservice switch module
143 (nss_ldap) and PAM module (pam_ldap) implementing this standard, providing
144 LDAP-based password databases for Unix. If you are setting up a server to
145 provide integrated Unix/NT services than these are worth investigating.
147 5: Compatibility with Active Directory
149 The current implementation is not designed to be used with Microsoft
150 Active Directory, although compatibility may be added in the future.