summaryrefslogtreecommitdiffstats
path: root/docs-xml/smbdotconf/ldap
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /docs-xml/smbdotconf/ldap
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml41
-rw-r--r--docs-xml/smbdotconf/ldap/ldapadmindn.xml20
-rw-r--r--docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml21
-rw-r--r--docs-xml/smbdotconf/ldap/ldapdeletedn.xml13
-rw-r--r--docs-xml/smbdotconf/ldap/ldapderef.xml23
-rw-r--r--docs-xml/smbdotconf/ldap/ldapfollowreferral.xml23
-rw-r--r--docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml16
-rw-r--r--docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml15
-rw-r--r--docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml17
-rw-r--r--docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml18
-rw-r--r--docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml18
-rw-r--r--docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml18
-rw-r--r--docs-xml/smbdotconf/ldap/ldappagesize.xml17
-rw-r--r--docs-xml/smbdotconf/ldap/ldappasswdsync.xml38
-rw-r--r--docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml24
-rw-r--r--docs-xml/smbdotconf/ldap/ldapsameditposix.xml91
-rw-r--r--docs-xml/smbdotconf/ldap/ldapsamtrusted.xml29
-rw-r--r--docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml26
-rw-r--r--docs-xml/smbdotconf/ldap/ldapssl.xml42
-rw-r--r--docs-xml/smbdotconf/ldap/ldapsuffix.xml17
-rw-r--r--docs-xml/smbdotconf/ldap/ldaptimeout.xml11
-rw-r--r--docs-xml/smbdotconf/ldap/ldapusersuffix.xml16
22 files changed, 554 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
new file mode 100644
index 0000000..21bd209
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -0,0 +1,41 @@
+<samba:parameter name="client ldap sasl wrapping"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_sasl_wrapping"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The <smbconfoption name="client ldap sasl wrapping"/> defines whether
+ ldap traffic will be signed or signed and encrypted (sealed).
+ Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis>
+ and <emphasis>seal</emphasis>.
+ </para>
+
+ <para>
+ The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> are
+ only available if Samba has been compiled against a modern
+ OpenLDAP version (2.3.x or higher).
+ </para>
+
+ <para>
+ This option is needed firstly to secure the privacy of
+ administrative connections from <command>samba-tool</command>,
+ including in particular new or reset passwords for users. For
+ this reason the default is <emphasis>seal</emphasis>.</para>
+
+ <para>Additionally, <command>winbindd</command> and the
+ <command>net</command> tool can use LDAP to communicate with
+ Domain Controllers, so this option also controls the level of
+ privacy for those connections. All supported AD DC versions
+ will enforce the usage of at least signed LDAP connections by
+ default, so a value of at least <emphasis>sign</emphasis> is
+ required in practice.
+ </para>
+
+ <para>
+ The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
+ with the KDC in the case of using <emphasis>Kerberos</emphasis>.
+ </para>
+</description>
+<value type="default">seal</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapadmindn.xml b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
new file mode 100644
index 0000000..1f3d20f
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="ldap admin dn"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ The <smbconfoption name="ldap admin dn"/> defines the Distinguished Name (DN) name used by Samba to contact
+ the ldap server when retrieving user account information. The <smbconfoption name="ldap admin dn"/> is used
+ in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename>
+ file. See the <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+ man page for more information on how to accomplish this.
+ </para>
+
+ <para>
+ The <smbconfoption name="ldap admin dn"/> requires a fully specified DN. The <smbconfoption name="ldap
+ suffix"/> is not appended to the <smbconfoption name="ldap admin dn"/>.
+ </para>
+</description>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml b/docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml
new file mode 100644
index 0000000..b176897
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="ldap connection timeout"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter tells the LDAP library calls which timeout in seconds
+ they should honor during initial connection establishments to LDAP servers.
+ It is very useful in failover scenarios in particular. If one or more LDAP
+ servers are not reachable at all, we do not have to wait until TCP
+ timeouts are over. This feature must be supported by your LDAP library.
+ </para>
+
+ <para>
+ This parameter is different from <smbconfoption name="ldap timeout"/>
+ which affects operations on LDAP servers using an existing connection
+ and not establishing an initial connection.
+ </para>
+</description>
+<value type="default">2</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapdeletedn.xml b/docs-xml/smbdotconf/ldap/ldapdeletedn.xml
new file mode 100644
index 0000000..47ffad8
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapdeletedn.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="ldap delete dn"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para> This parameter specifies whether a delete
+ operation in the ldapsam deletes the complete entry or only the attributes
+ specific to Samba.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapderef.xml b/docs-xml/smbdotconf/ldap/ldapderef.xml
new file mode 100644
index 0000000..920d1ae
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapderef.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="ldap deref"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_deref"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+
+ <para>This option controls whether Samba should tell the LDAP library
+ to use a certain alias dereferencing method. The default is
+ <emphasis>auto</emphasis>, which means that the default setting of the
+ ldap client library will be kept. Other possible values are
+ <emphasis>never</emphasis>, <emphasis>finding</emphasis>,
+ <emphasis>searching</emphasis> and <emphasis>always</emphasis>. Grab
+ your LDAP manual for more information.
+ </para>
+
+</description>
+
+<value type="default">auto</value>
+<value type="example">searching</value>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapfollowreferral.xml b/docs-xml/smbdotconf/ldap/ldapfollowreferral.xml
new file mode 100644
index 0000000..3130a7b
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapfollowreferral.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="ldap follow referral"
+ context="G"
+ type="enum"
+ enumlist="enum_bool_auto"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+
+ <para>This option controls whether to follow LDAP referrals or not when
+ searching for entries in the LDAP database. Possible values are
+ <emphasis>on</emphasis> to enable following referrals,
+ <emphasis>off</emphasis> to disable this, and
+ <emphasis>auto</emphasis>, to use the libldap default settings.
+ libldap's choice of following referrals or not is set in
+ /etc/openldap/ldap.conf with the REFERRALS parameter as documented in
+ ldap.conf(5).</para>
+
+</description>
+
+<value type="default">auto</value>
+<value type="example">off</value>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml b/docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml
new file mode 100644
index 0000000..7de0fac
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="ldap group suffix"
+ context="G"
+ type="string"
+ function="_ldap_group_suffix"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the suffix that is
+ used for groups when these are added to the LDAP directory.
+ If this parameter is unset, the value of <smbconfoption
+ name="ldap suffix"/> will be used instead. The suffix string is pre-pended to the
+ <smbconfoption name="ldap suffix"/> string so use a partial DN.</para>
+
+</description>
+<value type="default"></value>
+<value type="example">ou=Groups</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml b/docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml
new file mode 100644
index 0000000..1fe7e8a
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="ldap idmap suffix"
+ context="G"
+ type="string"
+ function="_ldap_idmap_suffix"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameters specifies the suffix that is used when storing idmap mappings. If this parameter
+ is unset, the value of <smbconfoption name="ldap suffix"/> will be used instead. The suffix
+ string is pre-pended to the <smbconfoption name="ldap suffix"/> string so use a partial DN.
+ </para>
+</description>
+<value type="default"></value>
+<value type="example">ou=Idmap</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml b/docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml
new file mode 100644
index 0000000..e82675b
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="ldap machine suffix"
+ context="G"
+ type="string"
+ function="_ldap_machine_suffix"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+ <para>
+ It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of
+ <smbconfoption name="ldap suffix"/> will be used instead. The suffix string is pre-pended to the
+ <smbconfoption name="ldap suffix"/> string so use a partial DN.
+ </para>
+</description>
+
+<value type="default"/>
+<value type="example">ou=Computers</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
new file mode 100644
index 0000000..61bdcec
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max anonymous request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP request received on an anonymous connection.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">256000</value>
+<value type="example">500000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
new file mode 100644
index 0000000..c5934f7
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max authenticated request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP request received on an authenticated connection.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">16777216</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
new file mode 100644
index 0000000..ebeb081
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max search request size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the maximum permitted size (in bytes)
+ for an LDAP search request.
+ </para>
+
+ <para>
+ If the request size exceeds this limit the request will be
+ rejected.
+ </para>
+</description>
+<value type="default">256000</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldappagesize.xml b/docs-xml/smbdotconf/ldap/ldappagesize.xml
new file mode 100644
index 0000000..577ea2a
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldappagesize.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="ldap page size"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the number of entries per page.
+ </para>
+
+ <para>If the LDAP server supports paged results, clients can
+ request subsets of search results (pages) instead of the entire list.
+ This parameter specifies the size of these pages.
+ </para>
+</description>
+<value type="default">1000</value>
+<value type="example">512</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldappasswdsync.xml b/docs-xml/smbdotconf/ldap/ldappasswdsync.xml
new file mode 100644
index 0000000..42bc916
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldappasswdsync.xml
@@ -0,0 +1,38 @@
+<samba:parameter name="ldap passwd sync"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_passwd_sync"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<synonym>ldap password sync</synonym>
+<description>
+ <para>
+ This option is used to define whether or not Samba should sync the LDAP password with the NT
+ and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password
+ change via SAMBA.
+ </para>
+
+ <para>
+ The <smbconfoption name="ldap passwd sync"/> can be set to one of three values:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para><parameter moreinfo="none">Yes</parameter> = Try
+ to update the LDAP, NT and LM passwords and update the pwdLastSet time.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">No</parameter> = Update NT and
+ LM passwords and update the pwdLastSet time.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">Only</parameter> = Only update
+ the LDAP password and let the LDAP server do the rest.</para>
+ </listitem>
+ </itemizedlist>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml b/docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml
new file mode 100644
index 0000000..059c77e
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="ldap replication sleep"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server.
+ This server then replicates our changes back to the 'local' server, however the replication might take some seconds,
+ especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success'
+ that does not immediately change the LDAP back-end's data.
+ </para>
+
+ <para>
+ This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly
+ high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly.
+ Be aware that no checking is performed that the data has actually replicated.
+ </para>
+
+ <para>
+ The value is specified in milliseconds, the maximum value is 5000 (5 seconds).
+ </para>
+</description>
+<value type="default">1000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapsameditposix.xml b/docs-xml/smbdotconf/ldap/ldapsameditposix.xml
new file mode 100644
index 0000000..e7f36e6
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapsameditposix.xml
@@ -0,0 +1,91 @@
+<samba:parameter name="ldapsam:editposix"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller
+ eliminating the need to set up custom scripts to add and manage the posix users and groups. This option
+ will instead directly manipulate the ldap tree to create, remove and modify user and group entries.
+ This option also requires a running winbindd as it is used to allocate new uids/gids on user/group
+ creation. The allocation range must be therefore configured.
+ </para>
+
+ <para>
+ To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly
+ configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users,
+ Domain Admins, Domain Guests) can be precreated with the command <command moreinfo="none">net sam
+ provision</command>. To run this command the ldap server must be running, Winbindd must be running and
+ the smb.conf ldap options must be properly configured.
+
+ The typical ldap setup used with the <smbconfoption name="ldapsam:trusted">yes</smbconfoption> option
+ is usually sufficient to use <smbconfoption name="ldapsam:editposix">yes</smbconfoption> as well.
+ </para>
+
+ <para>
+ An example configuration can be the following:
+
+ <programlisting>
+ encrypt passwords = true
+ passdb backend = ldapsam
+
+ ldapsam:trusted=yes
+ ldapsam:editposix=yes
+
+ ldap admin dn = cn=admin,dc=samba,dc=org
+ ldap delete dn = yes
+ ldap group suffix = ou=groups
+ ldap idmap suffix = ou=idmap
+ ldap machine suffix = ou=computers
+ ldap user suffix = ou=users
+ ldap suffix = dc=samba,dc=org
+
+ idmap backend = ldap:"ldap://localhost"
+
+ idmap uid = 5000-50000
+ idmap gid = 5000-50000
+ </programlisting>
+
+ This configuration assumes a directory layout like described in the following ldif:
+
+ <programlisting>
+ dn: dc=samba,dc=org
+ objectClass: top
+ objectClass: dcObject
+ objectClass: organization
+ o: samba.org
+ dc: samba
+
+ dn: cn=admin,dc=samba,dc=org
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ cn: admin
+ description: LDAP administrator
+ userPassword: secret
+
+ dn: ou=users,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: users
+
+ dn: ou=groups,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: groups
+
+ dn: ou=idmap,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: idmap
+
+ dn: ou=computers,dc=samba,dc=org
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: computers
+ </programlisting>
+ </para>
+
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapsamtrusted.xml b/docs-xml/smbdotconf/ldap/ldapsamtrusted.xml
new file mode 100644
index 0000000..1d593e6
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapsamtrusted.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="ldapsam:trusted"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to
+ access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group
+ this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he
+ is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS
+ counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that
+ are used to deal with user and group attributes lack such optimization.
+ </para>
+
+ <para>
+ To make Samba scale well in large environments, the <smbconfoption name="ldapsam:trusted">yes</smbconfoption>
+ option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the
+ standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are
+ stored together with the POSIX data in the same LDAP object. If these assumptions are met,
+ <smbconfoption name="ldapsam:trusted">yes</smbconfoption> can be activated and Samba can bypass the
+ NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and
+ administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries
+ is easily achieved.
+ </para>
+
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
new file mode 100644
index 0000000..02bdd81
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="ldap server require strong auth"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_server_require_strong_auth_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ The <smbconfoption name="ldap server require strong auth"/> defines whether
+ the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
+ Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
+ and <emphasis>yes</emphasis>.
+ </para>
+
+ <para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
+ all transports.</para>
+
+ <para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
+ (without sign or seal) over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.</para>
+
+ <para>A value of <emphasis>yes</emphasis> allows only simple binds
+ over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.</para>
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapssl.xml b/docs-xml/smbdotconf/ldap/ldapssl.xml
new file mode 100644
index 0000000..5fe67b1
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapssl.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="ldap ssl"
+ context="G"
+ type="enum"
+ enumlist="enum_ldap_ssl"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option is used to define whether or not Samba should
+ use SSL when connecting to the ldap server
+ This is <emphasis>NOT</emphasis> related to
+ Samba's previous SSL support which was enabled by specifying the
+ <command moreinfo="none">--with-ssl</command> option to the
+ <filename moreinfo="none">configure</filename>
+ script.</para>
+
+ <para>LDAP connections should be secured where possible. This may be
+ done setting <emphasis>either</emphasis> this parameter to
+ <parameter moreinfo="none">start tls</parameter>
+ <emphasis>or</emphasis> by specifying <parameter moreinfo="none">ldaps://</parameter> in
+ the URL argument of <smbconfoption name="passdb backend"/>.</para>
+
+ <para>The <smbconfoption name="ldap ssl"/> can be set to one of
+ two values:</para>
+ <itemizedlist>
+ <listitem>
+ <para><parameter moreinfo="none">Off</parameter> = Never
+ use SSL when querying the directory.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">start tls</parameter> = Use
+ the LDAPv3 StartTLS extended operation (RFC2830) for
+ communicating with the directory server.</para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ Please note that this parameter does only affect <emphasis>rpc</emphasis>
+ methods.
+ </para>
+
+</description>
+<value type="default">start tls</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapsuffix.xml b/docs-xml/smbdotconf/ldap/ldapsuffix.xml
new file mode 100644
index 0000000..aeff0dd
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapsuffix.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="ldap suffix"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</para>
+
+ <para>
+ The ldap suffix will be appended to the values specified for the <smbconfoption name="ldap user suffix"/>,
+ <smbconfoption name="ldap group suffix"/>, <smbconfoption name="ldap machine suffix"/>, and the
+ <smbconfoption name="ldap idmap suffix"/>. Each of these should be given only a DN relative to the
+ <smbconfoption name ="ldap suffix"/>.
+ </para>
+</description>
+<value type="default"></value>
+<value type="example">dc=samba,dc=org</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldaptimeout.xml b/docs-xml/smbdotconf/ldap/ldaptimeout.xml
new file mode 100644
index 0000000..f421eeb
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldaptimeout.xml
@@ -0,0 +1,11 @@
+<samba:parameter name="ldap timeout"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter defines the number of seconds that Samba should use as timeout for LDAP operations.
+ </para>
+</description>
+<value type="default">15</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapusersuffix.xml b/docs-xml/smbdotconf/ldap/ldapusersuffix.xml
new file mode 100644
index 0000000..8e6b8a3
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapusersuffix.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="ldap user suffix"
+ context="G"
+ type="string"
+ function="_ldap_user_suffix"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies where users are added to the tree. If this parameter is unset,
+ the value of <smbconfoption name="ldap suffix"/> will be used instead. The suffix
+ string is pre-pended to the <smbconfoption name="ldap suffix"/> string so use a partial DN.
+ </para>
+
+</description>
+<value type="default"/>
+<value type="example">ou=people</value>
+</samba:parameter>