[Samba] Questions about the new idmap interface
simo
idra at samba.org
Tue Sep 11 13:40:31 GMT 2007
On Tue, 2007-09-11 at 14:39 +0200, Marc Muehlfeld wrote:
> Hi,
>
> I tried to configure the new idmap interface. Currently without much success.
>
> I have two samba domains, trusting each other. Each PDC using its own LDAP
> server. I tried
>
> idmap domains = DOM1, DOM2
> idmap config DOM1:default = yes
> idmap config DOM1:backend = ldap
> idmap config DOM1:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
> idmap config DOM1:ldap_url = ldap://192.168.0.1
> idmap config DOM1:range = 10000 - 20000
> idmap alloc backend = ldap
-----------^^^^^^^^^^^^^^^^^^^^^^^^^^
this is not enough, you have to explicitly configure the alloc backend
For example:
idmap alloc config:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
idmap alloc config:ldap_user_dn = <the privileged user dn>
idmap alloc config:ldap_url = ldap://192.168.0.1
idmap alloc config:range = 10000-20000
> idmap config DOM2:default = no
> idmap config DOM2:backend = ldap
> idmap config DOM2:ldap_base_dn = ou=Idmap,dc=dom2,dc=mydomain,dc=de
> idmap config DOM2:ldap_url = ldap://192.168.1.1
> idmap config DOM2:range = 10000 - 20000
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
no need to add these if you use the new options
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%U
> template shell = /bin/false
> winbind nested groups = yes
> winbind cache time = 300
> winbind nss info = template
> winbind use default domain = yes
>
> But then I have the problem that samba uses the "ldap admin dn" account and
> password for both LDAP servers, but each has its own. How can I configure a
> second password for my trusted domain?
you have to specify the ldap_user_dn option for each domain and then use
net idmap secret
In your case probably
net idmap secret DOM1 <secret1>
net idmap secret alloc <secret1>
net idmap secret DOM2 <secret2>
However if you read the man pages for idmap_ldap you will find all this
information.
> Is there any useful documentation, best would be with different samples, of
> the new idmap interface? The manpage didn't help me much for understanding this.
Maybe because you didn't read the actually relevant man page:
man idmap_ldap
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
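For readers following this thread, here is the poster's configuration put together with the corrections from the reply as one smb.conf fragment. It is an added example, not the configuration from either message and not text from Samba's own documentation. The ou=Idmap base DNs, the two LDAP addresses and the ranges are taken from the thread; the two bind DNs (cn=idmap,ou=Services,...) are assumed placeholders for dedicated service accounts, and the only option added is ldap_user_dn, which the reply says each domain needs.

```ini
# Example smb.conf fragment (added illustration, not the thread's verbatim config).
# Two trusted domains, each with its own LDAP idmap store, plus the allocator
# that hands out new IDs. No LDAP passwords appear in this file.
[global]
    idmap domains = DOM1, DOM2

    # DOM1: default domain, mappings stored on DOM1's LDAP server.
    # ldap_user_dn is a placeholder: assume a dedicated bind account, not the LDAP admin dn.
    idmap config DOM1:default      = yes
    idmap config DOM1:backend      = ldap
    idmap config DOM1:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
    idmap config DOM1:ldap_url     = ldap://192.168.0.1
    idmap config DOM1:ldap_user_dn = cn=idmap,ou=Services,dc=dom1,dc=mydomain,dc=de
    idmap config DOM1:range        = 10000 - 20000

    # DOM2: trusted domain, mappings stored on DOM2's LDAP server with its own bind DN,
    # which is what lets the two servers have different credentials.
    idmap config DOM2:default      = no
    idmap config DOM2:backend      = ldap
    idmap config DOM2:ldap_base_dn = ou=Idmap,dc=dom2,dc=mydomain,dc=de
    idmap config DOM2:ldap_url     = ldap://192.168.1.1
    idmap config DOM2:ldap_user_dn = cn=idmap,ou=Services,dc=dom2,dc=mydomain,dc=de
    idmap config DOM2:range        = 10000 - 20000

    # Allocator: "idmap alloc backend = ldap" alone is not enough, the alloc
    # backend needs its own explicit settings (here it reuses DOM1's store).
    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
    idmap alloc config:ldap_user_dn = cn=idmap,ou=Services,dc=dom1,dc=mydomain,dc=de
    idmap alloc config:ldap_url     = ldap://192.168.0.1
    idmap alloc config:range        = 10000 - 20000

# The bind passwords are set once per domain (and once for the allocator)
# on the winbind host, and are kept out of smb.conf:
#   net idmap secret DOM1  '<secret1>'
#   net idmap secret alloc '<secret1>'
#   net idmap secret DOM2  '<secret2>'
```

Two points worth keeping in mind with this layout: `net idmap secret` stores each password in winbind's secrets store (secrets.tdb) rather than in smb.conf, so smb.conf can stay world-readable without exposing LDAP credentials; and because the bind DN is now per domain, each one can be a dedicated account whose write access is limited to the corresponding ou=Idmap subtree instead of the directory-wide "ldap admin dn".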