author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /docs-xml/smbdotconf/ldap | |
parent | Initial commit. (diff) | |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
22 files changed, 554 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
new file mode 100644
index 0000000..21bd209
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -0,0 +1,41 @@
+<samba:parameter name="client ldap sasl wrapping"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_sasl_wrapping"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The <smbconfoption name="client ldap sasl wrapping"/> defines whether
+ ldap traffic will be signed or signed and encrypted (sealed).
+ Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis>
+ and <emphasis>seal</emphasis>.
+ </para>
+
+ <para>
+ The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> are
+ only available if Samba has been compiled against a modern
+ OpenLDAP version (2.3.x or higher).
+ </para>
+
+ <para>
+ This option is needed firstly to secure the privacy of
+ administrative connections from <command>samba-tool</command>,
+ including in particular new or reset passwords for users. For
+ this reason the default is <emphasis>seal</emphasis>.</para>
+
+ <para>Additionally, <command>winbindd</command> and the
+ <command>net</command> tool can use LDAP to communicate with
+ Domain Controllers, so this option also controls the level of
+ privacy for those connections. All supported AD DC versions
+ will enforce the usage of at least signed LDAP connections by
+ default, so a value of at least <emphasis>sign</emphasis> is
+ required in practice.
+ </para>
+
+ <para>
+ The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
+ with the KDC in the case of using <emphasis>Kerberos</emphasis>.
+ </para>
+</description>
+<value type="default">seal</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapadmindn.xml b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
new file mode 100644
index 0000000..1f3d20f
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="ldap admin dn"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ The <smbconfoption name="ldap admin dn"/> defines the Distinguished Name (DN) name used by Samba to contact
+ the ldap server when retrieving user account information. The <smbconfoption name="ldap admin dn"/> is used
+ in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename>
+ file. See the <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+ man page for more information on how to accomplish this.
+ </para>
+
+ <para>
+ The <smbconfoption name="ldap admin dn"/> requires a fully specified DN. The <smbconfoption name="ldap
+ suffix"/> is not appended to the <smbconfoption name="ldap admin dn"/>.
+ </para>
+</description>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml b/docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml
new file mode 100644
index 0000000..b176897
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="ldap connection timeout"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter tells the LDAP library calls which timeout in seconds
+ they should honor during initial connection establishments to LDAP servers.
+ It is very useful in failover scenarios in particular. If one or more LDAP
+ servers are not reachable at all, we do not have to wait until TCP
+ timeouts are over. This feature must be supported by your LDAP library.
+ </para>
+
+ <para>
+ This parameter is different from <smbconfoption name="ldap timeout"/>
+ which affects operations on LDAP servers using an existing connection
+ and not establishing an initial connection.
+ </para>
+</description>
+<value type="default">2</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapdeletedn.xml b/docs-xml/smbdotconf/ldap/ldapdeletedn.xml
new file mode 100644
index 0000000..47ffad8
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapdeletedn.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="ldap delete dn"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para> This parameter specifies whether a delete
+ operation in the ldapsam deletes the complete entry or only the attributes
+ specific to Samba.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapderef.xml b/docs-xml/smbdotconf/ldap/ldapderef.xml
new file mode 100644
index 0000000..920d1ae
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapderef.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="ldap deref"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_deref"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+
+ <para>This option controls whether Samba should tell the LDAP library
+ to use a certain alias dereferencing method. The default is
+ <emphasis>auto</emphasis>, which means that the default setting of the
+ ldap client library will be kept. Other possible values are
+ <emphasis>never</emphasis>, <emphasis>finding</emphasis>,
+ <emphasis>searching</emphasis> and <emphasis>always</emphasis>. Grab
+ your LDAP manual for more information.
+ </para>
+
+</description>
+
+<value type="default">auto</value>
+<value type="example">searching</value>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapfollowreferral.xml b/docs-xml/smbdotconf/ldap/ldapfollowreferral.xml
new file mode 100644
index 0000000..3130a7b
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapfollowreferral.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="ldap follow referral"
+ context="G"
+ type="enum"
+ enumlist="enum_bool_auto"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+
+ <para>This option controls whether to follow LDAP referrals or not when
+ searching for entries in the LDAP database. Possible values are
+ <emphasis>on</emphasis> to enable following referrals,
+ <emphasis>off</emphasis> to disable this, and
+ <emphasis>auto</emphasis>, to use the libldap default settings.
+ libldap's choice of following referrals or not is set in
+ /etc/openldap/ldap.conf with the REFERRALS parameter as documented in
+ ldap.conf(5).</para>
+
+</description>
+
+<value type="default">auto</value>
+<value type="example">off</value>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml b/docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml
new file mode 100644
index 0000000..7de0fac
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="ldap group suffix"
+ context="G"
+ type="string"
+ function="_ldap_group_suffix"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the suffix that is
+ used for groups when these are added to the LDAP directory.
+ If this parameter is unset, the value of <smbconfoption
+ name="ldap suffix"/> will be used instead. The suffix string is pre-pended to the
+ <smbconfoption name="ldap suffix"/> string so use a partial DN.</para>
+
+</description>
+<value type="default"></value>
+<value type="example">ou=Groups</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml b/docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml
new file mode 100644
index 0000000..1fe7e8a
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="ldap idmap suffix"
+ context="G"
+ type="string"
+ function="_ldap_idmap_suffix"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameters specifies the suffix that is used when storing idmap mappings. If this parameter
+ is unset, the value of <smbconfoption name="ldap suffix"/> will be used instead. The suffix
+ string is pre-pended to the <smbconfoption name="ldap suffix"/> string so use a partial DN.
+ </para>
+</description>
+<value type="default"></value>
+<value type="example">ou=Idmap</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml b/docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml
new file mode 100644
index 0000000..e82675b
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="ldap machine suffix"
+ context="G"
+ type="string"
+ function="_ldap_machine_suffix"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+ <para>
+ It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of
+ <smbconfoption name="ldap suffix"/> will be used instead. The suffix string is pre-pended to the
+ <smbconfoption name="ldap suffix"/> string so use a partial DN.
+ </para>
+</description>
+
+<value type="default"/>
+<value type="example">ou=Computers</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
new file mode 100644
index 0000000..61bdcec
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max anonymous request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP request received on an anonymous connection.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">256000</value>
+<value type="example">500000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
new file mode 100644
index 0000000..c5934f7
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max authenticated request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP request received on an authenticated connection.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">16777216</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
new file mode 100644
index 0000000..ebeb081
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max search request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP search request.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">256000</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldappagesize.xml b/docs-xml/smbdotconf/ldap/ldappagesize.xml
new file mode 100644
index 0000000..577ea2a
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldappagesize.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="ldap page size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the number of entries per page.
+ </para>
+
+ <para>If the LDAP server supports paged results, clients can
+ request subsets of search results (pages) instead of the entire list.
+ This parameter specifies the size of these pages.
+ </para>
+</description>
+<value type="default">1000</value>
+<value type="example">512</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldappasswdsync.xml b/docs-xml/smbdotconf/ldap/ldappasswdsync.xml
new file mode 100644
index 0000000..42bc916
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldappasswdsync.xml
@@ -0,0 +1,38 @@
+<samba:parameter name="ldap passwd sync"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_passwd_sync"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<synonym>ldap password sync</synonym>
+<description>
+ <para>
+ This option is used to define whether or not Samba should sync the LDAP password with the NT
+ and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password
+ change via SAMBA.
+ </para>
+
+ <para>
+ The <smbconfoption name="ldap passwd sync"/> can be set to one of three values:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para><parameter moreinfo="none">Yes</parameter> = Try
+ to update the LDAP, NT and LM passwords and update the pwdLastSet time.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">No</parameter> = Update NT and
+ LM passwords and update the pwdLastSet time.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">Only</parameter> = Only update
+ the LDAP password and let the LDAP server do the rest.</para>
+ </listitem>
+ </itemizedlist>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml b/docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml
new file mode 100644
index 0000000..059c77e
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="ldap replication sleep"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server.
+ This server then replicates our changes back to the 'local' server, however the replication might take some seconds,
+ especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success'
+ that does not immediately change the LDAP back-end's data.
+ </para>
+
+ <para>
+ This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly
+ high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly.
+ Be aware that no checking is performed that the data has actually replicated.
+ </para>
+
+ <para>
+ The value is specified in milliseconds, the maximum value is 5000 (5 seconds).
+ </para>
+</description>
+<value type="default">1000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapsameditposix.xml b/docs-xml/smbdotconf/ldap/ldapsameditposix.xml
new file mode 100644
index 0000000..e7f36e6
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapsameditposix.xml
@@ -0,0 +1,91 @@
+<samba:parameter name="ldapsam:editposix"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller
+ eliminating the need to set up custom scripts to add and manage the posix users and groups. This option
+ will instead directly manipulate the ldap tree to create, remove and modify user and group entries.
+ This option also requires a running winbindd as it is used to allocate new uids/gids on user/group
+ creation. The allocation range must be therefore configured.
+ </para>
+
+ <para>
+ To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly
+ configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users,
+ Domain Admins, Domain Guests) can be precreated with the command <command moreinfo="none">net sam
+ provision</command>. To run this command the ldap server must be running, Winbindd must be running and
+ the smb.conf ldap options must be properly configured.
+
+ The typical ldap setup used with the <smbconfoption name="ldapsam:trusted">yes</smbconfoption> option
+ is usually sufficient to use <smbconfoption name="ldapsam:editposix">yes</smbconfoption> as well.
+ </para>
+
+ <para>
+ An example configuration can be the following:
+
+ <programlisting>
+ encrypt passwords = true
+ passdb backend = ldapsam
+
+ ldapsam:trusted=yes
+ ldapsam:editposix=yes
+
+ ldap admin dn = cn=admin,dc=samba,dc=org
+ ldap delete dn = yes
+ ldap group suffix = ou=groups
+ ldap idmap suffix = ou=idmap
+ ldap machine suffix = ou=computers
+ ldap user suffix = ou=users
+ ldap suffix = dc=samba,dc=org
+
+ idmap backend = ldap:"ldap://localhost"
+
+ idmap uid = 5000-50000
+ idmap gid = 5000-50000
+ </programlisting>
+
+ This configuration assumes a directory layout like described in the following ldif:
+
+ <programlisting>
+ dn: dc=samba,dc=org
+ objectClass: top
+ objectClass: dcObject
+ objectClass: organization
+ o: samba.org
+ dc: samba
+
+ dn: cn=admin,dc=samba,dc=org
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ cn: admin
+ description: LDAP administrator
+ userPassword: secret
+
+ dn: ou=users,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: users
+
+ dn: ou=groups,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: groups
+
+ dn: ou=idmap,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: idmap
+
+ dn: ou=computers,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: computers
+ </programlisting>
+ </para>
+
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapsamtrusted.xml b/docs-xml/smbdotconf/ldap/ldapsamtrusted.xml
new file mode 100644
index 0000000..1d593e6
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapsamtrusted.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="ldapsam:trusted"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to
+ access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group
+ this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he
+ is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS
+ counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that
+ are used to deal with user and group attributes lack such optimization.
+ </para>
+
+ <para>
+ To make Samba scale well in large environments, the <smbconfoption name="ldapsam:trusted">yes</smbconfoption>
+ option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the
+ standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are
+ stored together with the POSIX data in the same LDAP object. If these assumptions are met,
+ <smbconfoption name="ldapsam:trusted">yes</smbconfoption> can be activated and Samba can bypass the
+ NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and
+ administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries
+ is easily achieved.
+ </para>
+
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
new file mode 100644
index 0000000..02bdd81
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="ldap server require strong auth"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_server_require_strong_auth_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The <smbconfoption name="ldap server require strong auth"/> defines whether
+ the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
+ Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
+ and <emphasis>yes</emphasis>.
+ </para>
+
+ <para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
+ all transports.</para>
+
+ <para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
+ (without sign or seal) over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.</para>
+
+ <para>A value of <emphasis>yes</emphasis> allows only simple binds
+ over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.</para>
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapssl.xml b/docs-xml/smbdotconf/ldap/ldapssl.xml
new file mode 100644
index 0000000..5fe67b1
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapssl.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="ldap ssl"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_ssl"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option is used to define whether or not Samba should
+ use SSL when connecting to the ldap server
+ This is <emphasis>NOT</emphasis> related to
+ Samba's previous SSL support which was enabled by specifying the
+ <command moreinfo="none">--with-ssl</command> option to the
+ <filename moreinfo="none">configure</filename>
+ script.</para>
+
+ <para>LDAP connections should be secured where possible. This may be
+ done setting <emphasis>either</emphasis> this parameter to
+ <parameter moreinfo="none">start tls</parameter>
+ <emphasis>or</emphasis> by specifying <parameter moreinfo="none">ldaps://</parameter> in
+ the URL argument of <smbconfoption name="passdb backend"/>.</para>
+
+ <para>The <smbconfoption name="ldap ssl"/> can be set to one of
+ two values:</para>
+ <itemizedlist>
+ <listitem>
+ <para><parameter moreinfo="none">Off</parameter> = Never
+ use SSL when querying the directory.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">start tls</parameter> = Use
+ the LDAPv3 StartTLS extended operation (RFC2830) for
+ communicating with the directory server.</para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ Please note that this parameter does only affect <emphasis>rpc</emphasis>
+ methods.
+ </para>
+
+</description>
+<value type="default">start tls</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapsuffix.xml b/docs-xml/smbdotconf/ldap/ldapsuffix.xml
new file mode 100644
index 0000000..aeff0dd
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapsuffix.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="ldap suffix"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</para>
+
+ <para>
+ The ldap suffix will be appended to the values specified for the <smbconfoption name="ldap user suffix"/>,
+ <smbconfoption name="ldap group suffix"/>, <smbconfoption name="ldap machine suffix"/>, and the
+ <smbconfoption name="ldap idmap suffix"/>. Each of these should be given only a DN relative to the
+ <smbconfoption name ="ldap suffix"/>.
+ </para>
+</description>
+<value type="default"></value>
+<value type="example">dc=samba,dc=org</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldaptimeout.xml b/docs-xml/smbdotconf/ldap/ldaptimeout.xml
new file mode 100644
index 0000000..f421eeb
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldaptimeout.xml
@@ -0,0 +1,11 @@
+<samba:parameter name="ldap timeout"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter defines the number of seconds that Samba should use as timeout for LDAP operations.
+ </para>
+</description>
+<value type="default">15</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapusersuffix.xml b/docs-xml/smbdotconf/ldap/ldapusersuffix.xml
new file mode 100644
index 0000000..8e6b8a3
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapusersuffix.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="ldap user suffix"
+ context="G"
+ type="string"
+ function="_ldap_user_suffix"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies where users are added to the tree. If this parameter is unset,
+ the value of <smbconfoption name="ldap suffix"/> will be used instead. The suffix
+ string is pre-pended to the <smbconfoption name="ldap suffix"/> string so use a partial DN.
+ </para>
+
+</description>
+<value type="default"/>
+<value type="example">ou=people</value>
+</samba:parameter> |