'\" t .\" Title: idmap_rfc2307 .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 11/25/2024 .\" Manual: System Administration tools .\" Source: Samba 4.21.2 .\" Language: English .\" .TH "IDMAP_RFC2307" "8" "11/25/2024" "Samba 4\&.21\&.2" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" idmap_rfc2307 \- Samba\*(Aqs idmap_rfc2307 Backend for Winbind .SH "DESCRIPTION" .PP The idmap_rfc2307 plugin provides a way for winbind to read id mappings from records in an LDAP server as defined in RFC 2307\&. The LDAP server can be stand\-alone or the LDAP server provided by the AD server\&. An AD server is always required to provide the mapping between name and SID, and the LDAP server is queried for the mapping between name and uid/gid\&. This module implements only the "idmap" API, and is READONLY\&. .PP Mappings must be provided in advance by the administrator by creating the user accounts in the Active Directory server and the posixAccount and posixGroup objects in the LDAP server\&. The names in the Active Directory server and in the LDAP server have to be the same\&. .PP This id mapping approach allows the reuse of existing LDAP authentication servers that store records in the RFC 2307 format\&. .PP When connecting to the LDAP server provided by an AD server, the parameter \m[blue]\fBldap ssl ads\fR\m[] determines whether SSL should be used\&. When using a stand\-alone LDAP server, \m[blue]\fBldap ssl\fR\m[] applies\&. .SH "IDMAP OPTIONS" .PP range = low \- high .RS 4 Defines the available matching UID and GID range for which the backend is authoritative\&. Note that the range acts as a filter\&. If specified any UID or GID stored in AD that fall outside the range is ignored and the corresponding map is discarded\&. It is intended as a way to avoid accidental UID/GID overlaps between local and remotely defined IDs\&. .RE .PP ldap_server = .RS 4 Defines the type of LDAP server to use\&. This can either be the LDAP server provided by the Active Directory server (ad) or a stand\-alone LDAP server\&. .RE .PP bind_path_user .RS 4 Specifies the search base where user objects can be found in the LDAP server\&. .RE .PP bind_path_group .RS 4 Specifies the search base where group objects can be found in the LDAP server\&. .RE .PP user_cn = .RS 4 Query cn attribute instead of uid attribute for the user name in LDAP\&. This option is not required, the default is no\&. .RE .PP realm .RS 4 Append @realm to cn for groups (and users if user_cn is set) in LDAP queries\&. This option is not required, the default is not to append the realm\&. .RE .PP ldap_domain .RS 4 When using the LDAP server in the Active Directory server, this allows one to specify the domain where to access the Active Directory server\&. This allows using trust relationships while keeping all RFC 2307 records in one place\&. This parameter is optional, the default is to access the AD server in the current domain to query LDAP records\&. .RE .PP ldap_url .RS 4 When using a stand\-alone LDAP server, this parameter specifies the ldap URL for accessing the LDAP server\&. .RE .PP ldap_user_dn .RS 4 Defines the user DN to be used for authentication\&. The secret for authenticating this user should be stored with net idmap secret (see \fBnet\fR(8))\&. If absent, an anonymous bind will be performed\&. .RE .SH "EXAMPLES" .PP The following example shows how to retrieve id mappings from a stand\-alone LDAP server\&. This example also shows how to leave a small non conflicting range for local id allocation that may be used in internal backends like BUILTIN\&. .sp .if n \{\ .RS 4 .\} .nf [global] idmap config * : backend = tdb idmap config * : range = 1000000\-1999999 idmap config DOMAIN : backend = rfc2307 idmap config DOMAIN : range = 2000000\-2999999 idmap config DOMAIN : ldap_server = stand\-alone idmap config DOMAIN : ldap_url = ldap://ldap1\&.example\&.com idmap config DOMAIN : ldap_user_dn = cn=ldapmanager,dc=example,dc=com idmap config DOMAIN : bind_path_user = ou=People,dc=example,dc=com idmap config DOMAIN : bind_path_group = ou=Group,dc=example,dc=com .fi .if n \{\ .RE .\} .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.