5 <html><head><title>LDAP Support in Samba</title>
7 <link rev="made" href="mailto:samba-bugs@samba.org">
13 <h1>LDAP Support in Samba</h1>
14 <h2>Matthew Chapman</h2>
15 <h2>29th November 1998
17 WARNING: This is experimental code. Use at your own risk, and please report
18 any bugs (after reading BUGS.txt).
23 <a href="LDAP.html#l1"><h2>1: What is LDAP?</h2> </a>
24 <a href="LDAP.html#l2"><h2>2: Why LDAP and Samba?</h2> </a>
25 <a href="LDAP.html#l3"><h2>3: Using LDAP with Samba</h2> </a>
26 <a href="LDAP.html#l4"><h2>4: Using LDAP for Unix authentication</h2> </a>
27 <a href="LDAP.html#l5"><h2>5: Compatibility with Active Directory</h2> </a>
32 <h2>1: What is LDAP?</h2>
33 A directory is a type of hierarchical database optimised for simple query
34 operations, often used for storing user information. LDAP is the
35 Lightweight Directory Access Protocol, a protocol which is rapidly
36 becoming the Internet standard for accessing directories.<p>
37 Many client applications now support LDAP (including Microsoft's Active
38 Directory), and there are a number of servers available. The most popular
39 implementation for Unix is from the <em>University of Michigan</em>; its
40 homepage is at <a href="http://www.umich.edu/~dirsvcs/ldap/"><code>http://www.umich.edu/~dirsvcs/ldap/</code></a>.<p>
41 Information in an LDAP tree always comes in <code>attribute=value</code> pairs.
42 The following is an example of a Samba user entry:<p>
44 uid=jbloggs, dc=samba, dc=org
45 objectclass=sambaAccount
48 description=Samba User
53 lmPassword=46E389809F8D55BB78A48108148AD508
54 ntPassword=1944CCE1AD6F80D8AEC9FC5BE77696F4
56 smbHome=\\samba1\jbloggs
59 profile=\\samba1\jbloggs\profile
63 Note that the top line is a special set of attributes called a
64 <em>distinguished name</em> which identifies the location of this entry beneath
65 the directory's root node. Recent Internet standards suggest the use of
66 domain-based naming using <code>dc</code> attributes (for instance, a microsoft.com
67 directory should have a root node of <code>dc=microsoft, dc=com</code>), although
68 this is not strictly necessary for isolated servers.<p>
69 There are a number of LDAP-related FAQ's on the internet, although
70 generally the best source of information is the documentation for the
71 individual servers.<p>
74 <h2>2: Why LDAP and Samba?</h2><p>
75 Using an LDAP directory allows Samba to store user and group information
76 more reliably and flexibly than the current combination of smbpasswd,
77 smbgroup, groupdb and aliasdb with the Unix databases. If a need emerges
78 for extra user information to be stored, this can easily be added without
79 loss of backwards compatibility.<p>
80 In addition, the Samba LDAP schema is compatible with RFC2307, allowing
81 Unix password database information to be stored in the same entries. This
82 provides a single, consistent repository for both Unix and Windows user
86 <h2>3: Using LDAP with Samba</h2><p>
88 <li> Install and configure an LDAP server if you do not already have
89 one. You should read your LDAP server's documentation and set up the
90 configuration file and access control as desired.<p>
91 <li> Build Samba (latest CVS is required) with:<p>
93 ./configure --with-ldap
94 make clean; make install
97 <li> Add the following options to the global section of <code>smb.conf</code> as
100 <li><strong>ldap suffix</strong><p>
101 This parameter specifies the node of the LDAP tree beneath which
102 Samba should store its information. This parameter MUST be provided
103 when using LDAP with Samba.<p>
104 <strong>Default:</strong> <code>none</code><p>
105 <strong>Example:</strong> <code>ldap suffix = "dc=mydomain, dc=org"</code><p>
106 <li><strong>ldap bind as</strong><p>
107 This parameter specifies the entity to bind to an LDAP directory as.
108 Usually it should be safe to use the LDAP root account; for larger
109 installations it may be preferable to restrict Samba's access.<p>
110 <strong>Default:</strong> <code>none (bind anonymously)</code><p>
111 <strong>Example:</strong> <code>ldap bind as = "uid=root, dc=mydomain, dc=org"</code><p>
112 <li><strong>ldap passwd file</strong><p>
113 This parameter specifies a file containing the password with which
114 Samba should bind to an LDAP server. For obvious security reasons
115 this file must be set to mode 700 or less.<p>
116 <strong>Default:</strong> <code>none (bind anonymously)</code><p>
117 <strong>Example:</strong> <code>ldap passwd file = /usr/local/samba/private/ldappasswd</code><p>
118 <li><strong>ldap server</strong><p>
119 This parameter specifies the DNS name of the LDAP server to use
120 when storing and retrieving information about Samba users and
122 <strong>Default:</strong> <code>ldap server = localhost</code><p>
123 <li><strong>ldap port</strong><p>
124 This parameter specifies the TCP port number of the LDAP server.<p>
125 <strong>Default:</strong> <code>ldap port = 389</code><p>
127 <li> You should then be able to use the normal smbpasswd(8) command for
128 account administration (or User Manager in the near future).<p>
132 <h2>4: Using LDAP for Unix authentication</h2><p>
133 The Samba LDAP code was designed to utilise RFC2307-compliant directory
134 entries if available. RFC2307 is a proposed standard for LDAP user
135 information which has been adopted by a number of vendors. Further
136 information is available at <a href="http://www.xedoc.com.au/~lukeh/ldap"><code>http://www.xedoc.com.au/~lukeh/ldap/</code></a>.<p>
137 Of particular interest is Luke Howard's nameservice switch module
138 (nss_ldap) and PAM module (pam_ldap) implementing this standard, providing
139 LDAP-based password databases for Unix. If you are setting up a server to
140 provide integrated Unix/NT services than these are worth investigating.<p>
143 <h2>5: Compatibility with Active Directory</h2><p>
144 The current implementation is not designed to be used with Microsoft
145 Active Directory, although compatibility may be added in the future.<p>
git.samba.org / ira / wip.git / blob