smbldap-tools004.html [plain text]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META name="GENERATOR" content="hevea 1.06">
<TITLE>
Configuring the smbldap-tools
</TITLE>
</HEAD>
<BODY >
<A HREF="smbldap-tools003.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
<A HREF="smbldap-tools005.html"><IMG SRC ="next_motif.gif" ALT="Suivant"></A>
<HR>
<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><UL>
<LI><A HREF="smbldap-tools004.html#toc6"> The smbldap.conf file</A>
<LI><A HREF="smbldap-tools004.html#toc7"> The smbldap_bind.conf file</A>
</UL>
As mentioned in the previous section, you'll have to update two
configuration files. The first (<TT>smbldap.conf</TT>) allows you to
set global parameter that are readable by everybody, and the second
(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
bind to a slave and a master ldap server: this file must thus be
readable only by root.<BR>
<BR>
A script is named <TT>configure.pl</TT> can help you to set their contents
up. It is located in the tarball
downloaded or in the documentation directory if you got the RPM
archive (see <TT>/usr/share/doc/smbldap-tools/</TT>). Just invoke it:
<PRE>
/usr/share/doc/smbldap-tools/configure.pl
</PRE>It will ask for the default values defined in your
<TT>smb.conf</TT> file, and will update the two configuration files used
by the scripts. Note that you can stop the script at any moment with
the <TT>Crtl-c</TT> keys.<BR>
Before using this script :
<UL><LI>
the two configuration files <B>must</B> be present in the
<TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory
<LI>check that samba is configured and running, as the script will try to
get your workgroup's domain secure id (SID).
</UL>
In those files are parameters are defined like this:
<PRE>
key="value"
</PRE>Full example configuration files can be found at
<A HREF="smbldap-tools009.html#configuration::files">8.1</A>.<BR>
<BR>
<A NAME="toc6"></A>
<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3>
This file is used to define parameters that can be readable by
everybody. A full example file is available in section <A HREF="smbldap-tools009.html#configuration::file::smbldap">8.1.1</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>UID_START</TT> and <TT>GID_START</TT> : those parameters
are deprecated. Available uid and gid are now defined in the default
new entry <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT>.
<LI><TT>SID</TT> : Secure Identifier Domain
<UL><LI>
Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
<LI>Remark: you can get the SID for your domain using the <TT>net getlocalsid</TT>
command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
</UL>
<LI><TT>slaveLDAP</TT> : slave LDAP server
<UL><LI>
Example: <TT>slaveLDAP="127.0.0.1"</TT>
<LI>Remark: must be a resolvable DNS name or it's IP address
</UL>
<LI><TT>slavePort</TT> : port to contact the slave server
<UL><LI>
Example: <TT>slavePort="389"</TT>
</UL>
<LI><TT>masterLDAP</TT> : master LDAP server
<UL><LI>
Example: <TT>masterLDAP="127.0.0.1"</TT>
</UL>
<LI><TT>masterPort</TT> : port to contact the master server
<UL><LI>
Example: <TT>masterPort="389"</TT>
</UL>
<LI><TT>ldapTLS</TT> : should we use TLS connection to contact the
ldap servers ?
<UL><LI>
Example: <TT>ldapTLS="1"</TT>
<LI>Remark: the LDAP severs must be configured to accept TLS
connections. See section the Samba-LDAP Howto for more
details (<TT>http://samba.idealx.org/smbldap-howto.fr.html</TT>). If you are using TLS support, select port 389 to connect to
the master and slave directories.
</UL>
<LI><TT>verify</TT> : How to verify the server's certificate (none,
optional or require). See "man Net::LDAP" in start_tls section for
more details
<UL><LI>
Example: <TT>verify="require"</TT>
</UL>
<LI><TT>cafile</TT> : the PEM-format file containing certificates
for the CA that slapd will trust
<UL><LI>
Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
</UL>
<LI><TT>clientcert</TT> : the file that contains the client certificate
<UL><LI>
Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
</UL>
<LI><TT>clientkey</TT> : the file that contains the private key that
matches the certificate stored in the clientcert file
<UL><LI>
Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
</UL>
<LI><TT>suffix</TT> : The distinguished name of the search base
<UL><LI>
Example: <TT>suffix="dc=idealx,dc=com"</TT>
</UL>
<LI><TT>usersdn</TT> : branch in which users account can be found or
must be added
<UL><LI>
Example: <TT>usersdn="ou=Users,${suffix}"</TT>
<LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>computersdn</TT> : branch in which computers account can be
found or must be added
<UL><LI>
Example: <TT>computersdn"ou=Computers,${suffix}"</TT>
<LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>groupsdn</TT> : branch in which groups account can be found
or must be added
<UL><LI>
Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
<LI>Remarks: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>idmapdn</TT> : where are stored Idmap entries (used if samba is a domain member server)
<UL><LI>
Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
<LI>Remarks: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>sambaUnixIdPooldn</TT> : object in which next uidNumber and gidNumber available are stored
<UL><LI>
Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
<LI>Remarks: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>scope</TT> : the search scope.
<UL><LI>
Example: <TT>scope="sub"</TT>
</UL>
<LI><TT>hash_encrypt</TT> : hash to be used when generating a
user password.
<UL><LI>
Example: <TT>hash_encrypt="SSHA"</TT>
<LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute.
</UL>
<LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to
CRYPT, you may set a salt format. Default is "%s", but many systems
will generate MD5 hashed passwords if you use "$1$%.8s". This
parameter is optional.
<LI><TT>userLoginShell</TT> : default shell given to users.
<UL><LI>
Example: <TT>userLoginShell="/bin/bash"</TT>
<LI>Remark: This is stored in <I>loginShell</I> attribute.
</UL>
<LI><TT>userHome</TT> : default directory where users's home
directory are located.
<UL><LI>
Example: <TT>userHome="/home/%U"</TT>
<LI>Remark: This is stored in <TT>homeDirectory</TT> attribute.
</UL>
<LI><TT>userGecos</TT> : gecos used for users
<UL><LI>
Example: <TT>userGecos="System User"</TT>
</UL>
<LI><TT>defaultUserGid</TT> : default primary group set to users accounts
<UL><LI>
Example: <TT>defaultUserGid="513"</TT>
<LI>Remark: this is stored in <I>gidNumber</I> attribute.
</UL>
<LI><TT>defaultComputerGid</TT> : default primary group set to
computers accounts
<UL><LI>
Example: <TT>defaultComputerGid="550"</TT>
<LI>Remark: this is stored in <I>gidNumber</I> attribute.
</UL>
<LI><TT>skeletonDir</TT> : skeleton directory used for users accounts
<UL><LI>
Example: <TT>skeletonDir="/etc/skel"</TT>
<LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
</UL>
<LI><TT>defaultMaxPasswordAge</TT> : default validation time for a
password (in days)
<UL><LI>
Example: <TT>defaultMaxPassword="55"</TT>
</UL>
<LI><TT>userSmbHome</TT> : samba share used to store user's home directory
<UL><LI>
Example:
<TT>userSmbHome="\\PDC-SMB3\ <I>home</I>\%<I>U</I>"</TT>
<LI>Remark: this is stored in <I>sambaHomePath</I> attribute.
</UL>
<LI><TT>userProfile</TT> : samba share used to store user's profile
<UL><LI>
Example:
<TT>userProfile="\\PDC-SMB3\ <I>profiles</I>\%<I>U</I>"</TT>
<LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
</UL>
<LI><TT>userScript</TT> : default user netlogon script name. If not used, will be automatically <I>username.cmd</I>
<UL><LI>
Example:
<TT>userScript="%U"</TT>
<LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
</UL>
<LI><TT>userHomeDrive</TT> : letter used on windows system to map
the home directory
<UL><LI>
Example: <TT>userHomeDrive="K:"</TT>
</UL>
<LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command
to set the user's password (instead of the <I>mkntpwd</I> utility) ?
<UL><LI>
Example: <TT>with_smbpasswd="0"</TT>
<LI>Remark: must be a boolean value (0 or 1).
</UL>
<LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary
<UL><LI>
Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
</UL>
<LI><TT>mk_ntpasswd</TT> : path to the mkntpwd binary
<UL><LI>
Example: <TT>mk_ntpasswd="/usr/local/sbin/mkntpwd"</TT>
<LI>Remark: the rpm package of the smbldap-tools will install this
utility. If you are using the tarball archive, you have to install
it yourself (sources are also in the smbldap-tools archive).
</UL>
<LI><TT>mailDomain</TT> : Domain appended to the users "mail"
attribute.
<UL><LI>
Example: <TT>mailDomain="idealx.org"</TT>
</UL>
</UL>
<A NAME="toc7"></A>
<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3>
This file is only used by <I>root</I> to modify the content of the directory.
It contains distinguised names and credentials to connect to
both the master and slave directories. A full example file is available
in section <A HREF="smbldap-tools009.html#configuration::file::smbldap::bind">8.1.2</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>slaveDN</TT> : distinguished name used to bind to the slave server
<UL><LI>
Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
<LI>Example 2: <TT>slaveDN=""</TT>
<LI>Remark: this can be the manager account of the directory or
any LDAP account that has sufficient permissions to read the full
directory (Slave directory is only used for reading). Anonymous
connections uses the second example form.
</UL>
<LI><TT>slavePw</TT> : the credentials to bind to the slave server
<UL><LI>
Example 1: <TT>slavePw="secret"</TT>
<LI>Example 2: <TT>slavePw=""</TT>
<LI>Remark: the password must be stored here in clear form. This
file must then be readable only by root! All anonymous connections
use the second form provided in our example.
</UL>
<LI><TT>masterDN</TT> : the distinguished name used to bind to the master server
<UL><LI>
Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
<LI>Remark: this can be the manager account of the directory or
any LDAP account that has enough permissions to modify the content
of the directory. Anonymous access does not make any sense here.
</UL>
<LI><TT>masterPw</TT> : the credentials to bind to the master server
<UL><LI>
Example: <TT>masterPw="secret"</TT>
<LI>Remark: the password must be in clear text. Be sure to protect
this file against unauthorized readers!
</UL>
</UL>
<HR>
<A HREF="smbldap-tools003.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
<A HREF="smbldap-tools005.html"><IMG SRC ="next_motif.gif" ALT="Suivant"></A>
</BODY>
</HTML>