From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 19:20:00 +0200
Subject: Adding upstream version 2:4.20.0+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../smbdotconf/ldap/clientldapsaslwrapping.xml     | 41 ++++++++++
 docs-xml/smbdotconf/ldap/ldapadmindn.xml           | 20 +++++
 docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml | 21 +++++
 docs-xml/smbdotconf/ldap/ldapdeletedn.xml          | 13 ++++
 docs-xml/smbdotconf/ldap/ldapderef.xml             | 23 ++++++
 docs-xml/smbdotconf/ldap/ldapfollowreferral.xml    | 23 ++++++
 docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml       | 16 ++++
 docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml       | 15 ++++
 docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml     | 17 ++++
 docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml    | 18 +++++
 docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml    | 18 +++++
 docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml  | 18 +++++
 docs-xml/smbdotconf/ldap/ldappagesize.xml          | 17 ++++
 docs-xml/smbdotconf/ldap/ldappasswdsync.xml        | 38 +++++++++
 docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml  | 24 ++++++
 docs-xml/smbdotconf/ldap/ldapsameditposix.xml      | 91 ++++++++++++++++++++++
 docs-xml/smbdotconf/ldap/ldapsamtrusted.xml        | 29 +++++++
 .../ldap/ldapserverrequirestrongauth.xml           | 26 +++++++
 docs-xml/smbdotconf/ldap/ldapssl.xml               | 42 ++++++++++
 docs-xml/smbdotconf/ldap/ldapsuffix.xml            | 17 ++++
 docs-xml/smbdotconf/ldap/ldaptimeout.xml           | 11 +++
 docs-xml/smbdotconf/ldap/ldapusersuffix.xml        | 16 ++++
 22 files changed, 554 insertions(+)
 create mode 100644 docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapadmindn.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapdeletedn.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapderef.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapfollowreferral.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldappagesize.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldappasswdsync.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapsameditposix.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapsamtrusted.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapssl.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapsuffix.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldaptimeout.xml
 create mode 100644 docs-xml/smbdotconf/ldap/ldapusersuffix.xml

(limited to 'docs-xml/smbdotconf/ldap')

diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
new file mode 100644
index 0000000..21bd209
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -0,0 +1,41 @@
+<samba:parameter name="client ldap sasl wrapping"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_ldap_sasl_wrapping"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	The <smbconfoption name="client ldap sasl wrapping"/> defines whether
+	ldap traffic will be signed or signed and encrypted (sealed). 
+	Possible values are <emphasis>plain</emphasis>, <emphasis>sign</emphasis> 
+	and <emphasis>seal</emphasis>. 	
+	</para>
+
+	<para>
+	The values <emphasis>sign</emphasis> and <emphasis>seal</emphasis> are 
+	only available if Samba has been compiled against a modern 
+	OpenLDAP version (2.3.x or higher).
+	</para>
+	
+	<para>
+	This option is needed firstly to secure the privacy of
+	administrative connections from <command>samba-tool</command>,
+	including in particular new or reset passwords for users. For
+	this reason the default is <emphasis>seal</emphasis>.</para>
+
+	<para>Additionally, <command>winbindd</command> and the
+	<command>net</command> tool can use LDAP to communicate with
+	Domain Controllers, so this option also controls the level of
+	privacy for those connections.  All supported AD DC versions
+	will enforce the usage of at least signed LDAP connections by
+	default, so a value of at least <emphasis>sign</emphasis> is
+	required in practice.
+	</para>
+
+	<para>
+	The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
+	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
+	</para>
+</description>
+<value type="default">seal</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapadmindn.xml b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
new file mode 100644
index 0000000..1f3d20f
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="ldap admin dn"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	 <para>
+	The <smbconfoption name="ldap admin dn"/> defines the Distinguished  Name (DN) name used by Samba to contact
+	the ldap server when retrieving  user account information. The <smbconfoption name="ldap admin dn"/> is used
+	in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename>
+	file.  See the <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+	man page for more information on how  to accomplish this.
+	</para>
+
+	<para>
+	The <smbconfoption name="ldap admin dn"/> requires a fully specified DN. The <smbconfoption name="ldap
+	suffix"/> is not appended to the <smbconfoption name="ldap admin dn"/>.
+	</para>
+</description>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml b/docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml
new file mode 100644
index 0000000..b176897
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapconnectiontimeout.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="ldap connection timeout"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	This parameter tells the LDAP library calls which timeout in seconds
+	they should honor during initial connection establishments to LDAP servers.
+	It is very useful in failover scenarios in particular. If one or more LDAP
+	servers are not reachable at all, we do not have to wait until TCP
+	timeouts are over. This feature must be supported by your LDAP library.
+	</para>
+
+	<para>
+	This parameter is different from <smbconfoption name="ldap timeout"/>
+	which affects operations on LDAP servers using an existing connection
+	and not establishing an initial connection.
+	</para>
+</description>
+<value type="default">2</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapdeletedn.xml b/docs-xml/smbdotconf/ldap/ldapdeletedn.xml
new file mode 100644
index 0000000..47ffad8
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapdeletedn.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="ldap delete dn"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para> This parameter specifies whether a delete
+	operation in the ldapsam deletes the complete entry or only the attributes
+	specific to Samba.
+	</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapderef.xml b/docs-xml/smbdotconf/ldap/ldapderef.xml
new file mode 100644
index 0000000..920d1ae
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapderef.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="ldap deref"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_ldap_deref"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+
+	<para>This option controls whether Samba should tell the LDAP library
+	to use a certain alias dereferencing method. The default is
+	<emphasis>auto</emphasis>, which means that the default setting of the
+	ldap client library will be kept. Other possible values are
+	<emphasis>never</emphasis>, <emphasis>finding</emphasis>,
+	<emphasis>searching</emphasis> and <emphasis>always</emphasis>. Grab
+	your LDAP manual for more information.
+	</para>
+
+</description>
+
+<value type="default">auto</value>
+<value type="example">searching</value>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapfollowreferral.xml b/docs-xml/smbdotconf/ldap/ldapfollowreferral.xml
new file mode 100644
index 0000000..3130a7b
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapfollowreferral.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="ldap follow referral"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_bool_auto"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+
+	<para>This option controls whether to follow LDAP referrals or not when
+	searching for entries in the LDAP database. Possible values are
+	<emphasis>on</emphasis> to enable following referrals,
+	<emphasis>off</emphasis> to disable this, and
+	<emphasis>auto</emphasis>, to use the libldap default settings.
+	libldap's choice of following referrals or not is set in
+	/etc/openldap/ldap.conf with the REFERRALS parameter as documented in
+	ldap.conf(5).</para>
+
+</description>
+
+<value type="default">auto</value>
+<value type="example">off</value>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml b/docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml
new file mode 100644
index 0000000..f11b5d5
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapgroupsuffix.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="ldap group suffix"
+                 context="G"
+                 type="string"
+                 function="_ldap_group_suffix"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This parameter specifies the suffix that is 
+	used for groups when these are added to the LDAP directory.
+	If this parameter is unset, the value of <smbconfoption 
+	name="ldap suffix"/> will be used instead.  The suffix string is prepended to the
+        <smbconfoption name="ldap suffix"/> string so use a partial DN.</para>
+
+</description>
+<value type="default"></value>
+<value type="example">ou=Groups</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml b/docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml
new file mode 100644
index 0000000..e20e962
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapidmapsuffix.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="ldap idmap suffix"
+                 context="G"
+                 type="string"
+                 function="_ldap_idmap_suffix"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	This parameters specifies the suffix that is used when storing idmap mappings. If this parameter 
+	is unset, the value of <smbconfoption name="ldap suffix"/> will be used instead.  The suffix 
+	string is prepended to the <smbconfoption name="ldap suffix"/> string so use a partial DN.
+	</para>
+</description>
+<value type="default"></value>
+<value type="example">ou=Idmap</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml b/docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml
new file mode 100644
index 0000000..d3310ed
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmachinesuffix.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="ldap machine suffix"
+                 context="G"
+                 type="string"
+                 function="_ldap_machine_suffix"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<description>
+	<para>
+	It specifies where machines should be added to the ldap tree.  If this parameter is unset, the value of
+	<smbconfoption name="ldap suffix"/> will be used instead.  The suffix string is prepended to the
+	<smbconfoption name="ldap suffix"/> string so use a partial DN.
+	</para>
+</description>
+
+<value type="default"/>
+<value type="example">ou=Computers</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
new file mode 100644
index 0000000..61bdcec
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max anonymous request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+		This parameter specifies the maximum permitted size (in bytes)
+		for an LDAP request received on an anonymous connection.
+	</para>
+
+	<para>
+		If the request size exceeds this limit the request will be
+		rejected.
+	</para>
+</description>
+<value type="default">256000</value>
+<value type="example">500000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
new file mode 100644
index 0000000..c5934f7
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max authenticated request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+		This parameter specifies the maximum permitted size (in bytes)
+		for an LDAP request received on an authenticated connection.
+	</para>
+
+	<para>
+		If the request size exceeds this limit the request will be
+		rejected.
+	</para>
+</description>
+<value type="default">16777216</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
new file mode 100644
index 0000000..ebeb081
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="ldap max search request size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+		This parameter specifies the maximum permitted size (in bytes)
+		for an LDAP search request. 
+	</para>
+
+	<para>
+		If the request size exceeds this limit the request will be
+		rejected.
+	</para>
+</description>
+<value type="default">256000</value>
+<value type="example">4194304</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldappagesize.xml b/docs-xml/smbdotconf/ldap/ldappagesize.xml
new file mode 100644
index 0000000..577ea2a
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldappagesize.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="ldap page size"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	This parameter specifies the number of entries per page.
+	</para>
+
+	<para>If the LDAP server supports paged results, clients can
+	request	subsets of search results (pages) instead of the entire list.
+	This parameter specifies the size of these pages.
+	</para>
+</description>
+<value type="default">1000</value>
+<value type="example">512</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldappasswdsync.xml b/docs-xml/smbdotconf/ldap/ldappasswdsync.xml
new file mode 100644
index 0000000..42bc916
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldappasswdsync.xml
@@ -0,0 +1,38 @@
+<samba:parameter name="ldap passwd sync"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_ldap_passwd_sync"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+
+<synonym>ldap password sync</synonym>
+<description>
+	<para>
+	This option is used to define whether or not Samba should sync the LDAP password with the NT
+	and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password
+	change via SAMBA.  
+	</para>
+
+	<para>
+	The <smbconfoption name="ldap passwd sync"/> can be set to one of three values: 
+	</para>
+	
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">Yes</parameter>  =  Try 
+			to update the LDAP, NT and LM passwords and update the pwdLastSet time.</para>
+		</listitem>
+			
+		<listitem>
+			<para><parameter moreinfo="none">No</parameter> = Update NT and 
+			LM passwords and update the pwdLastSet time.</para>
+		</listitem>
+
+		<listitem>
+			<para><parameter moreinfo="none">Only</parameter> = Only update 
+			the LDAP password and let the LDAP server do the rest.</para>
+		</listitem>
+	</itemizedlist>		
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml b/docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml
new file mode 100644
index 0000000..059c77e
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapreplicationsleep.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="ldap replication sleep"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server.
+	This server then replicates our changes back to the 'local' server, however the replication might take some seconds, 
+	especially over slow links.  Certain client activities, particularly domain joins, can become confused by the 'success' 
+	that does not immediately change the LDAP back-end's data.
+	</para>
+        
+	<para>
+	This option simply causes Samba to wait a short time, to allow the LDAP server to catch up.  If you have a particularly
+	high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly.  
+	Be aware that no checking is performed that the data has actually replicated.
+	</para>
+	
+        <para>
+	The value is specified in milliseconds, the maximum value is 5000 (5 seconds).
+	</para>
+</description>
+<value type="default">1000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapsameditposix.xml b/docs-xml/smbdotconf/ldap/ldapsameditposix.xml
new file mode 100644
index 0000000..e7f36e6
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapsameditposix.xml
@@ -0,0 +1,91 @@
+<samba:parameter name="ldapsam:editposix"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>
+	Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller
+	eliminating the need to set up custom scripts to add and manage the posix users and groups. This option
+	will instead directly manipulate the ldap tree to create, remove and modify user and group entries.
+	This option also requires a running winbindd as it is used to allocate new uids/gids on user/group
+	creation. The allocation range must be therefore configured.
+	</para>
+
+	<para>
+	To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly
+	configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users,
+	Domain Admins, Domain Guests) can be precreated with the command <command moreinfo="none">net sam
+	provision</command>. To run this command the ldap server must be running, Winbindd must be running and
+	the smb.conf ldap options must be properly configured.
+
+	The typical ldap setup used with the <smbconfoption name="ldapsam:trusted">yes</smbconfoption> option
+	is usually sufficient to use <smbconfoption name="ldapsam:editposix">yes</smbconfoption> as well.
+	</para>
+
+	<para>
+	An example configuration can be the following:
+
+	<programlisting>
+	encrypt passwords = true
+	passdb backend = ldapsam
+
+	ldapsam:trusted=yes
+	ldapsam:editposix=yes
+
+	ldap admin dn = cn=admin,dc=samba,dc=org
+	ldap delete dn = yes
+	ldap group suffix = ou=groups
+	ldap idmap suffix = ou=idmap
+	ldap machine suffix = ou=computers
+	ldap user suffix = ou=users
+	ldap suffix = dc=samba,dc=org
+
+	idmap backend = ldap:"ldap://localhost"
+
+	idmap uid = 5000-50000
+	idmap gid = 5000-50000
+	</programlisting>
+
+	This configuration assumes a directory layout like described in the following ldif:
+
+	<programlisting>
+	dn: dc=samba,dc=org
+	objectClass: top
+	objectClass: dcObject
+	objectClass: organization
+	o: samba.org
+	dc: samba
+
+	dn: cn=admin,dc=samba,dc=org
+	objectClass: simpleSecurityObject
+	objectClass: organizationalRole
+	cn: admin
+	description: LDAP administrator
+	userPassword: secret
+
+	dn: ou=users,dc=samba,dc=org
+	objectClass: top
+	objectClass: organizationalUnit
+	ou: users
+
+	dn: ou=groups,dc=samba,dc=org
+	objectClass: top
+	objectClass: organizationalUnit
+	ou: groups
+
+	dn: ou=idmap,dc=samba,dc=org
+	objectClass: top
+	objectClass: organizationalUnit
+	ou: idmap
+
+	dn: ou=computers,dc=samba,dc=org
+	objectClass: top
+	objectClass: organizationalUnit
+	ou: computers
+	</programlisting>
+	</para>
+
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapsamtrusted.xml b/docs-xml/smbdotconf/ldap/ldapsamtrusted.xml
new file mode 100644
index 0000000..1d593e6
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapsamtrusted.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="ldapsam:trusted"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>
+	By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to
+	access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group
+	this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he
+	is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS
+	counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that
+	are used to deal with user and group attributes lack such optimization.
+	</para>
+
+	<para>
+	To make Samba scale well in large environments, the <smbconfoption name="ldapsam:trusted">yes</smbconfoption>
+	option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the
+	standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are 
+	stored together with the POSIX data in the same LDAP object. If these assumptions are met, 
+	<smbconfoption name="ldapsam:trusted">yes</smbconfoption> can be activated and Samba can bypass the 
+	NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and 
+	administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries 
+	is easily achieved.
+	</para>
+
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
new file mode 100644
index 0000000..02bdd81
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="ldap server require strong auth"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_ldap_server_require_strong_auth_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	The <smbconfoption name="ldap server require strong auth"/> defines whether
+	the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
+	Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
+	and <emphasis>yes</emphasis>.
+	</para>
+
+	<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
+	all transports.</para>
+
+	<para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
+	(without sign or seal) over TLS encrypted connections. Unencrypted connections only
+	allow sasl binds with sign or seal.</para>
+
+	<para>A value of <emphasis>yes</emphasis> allows only simple binds
+	over TLS encrypted connections. Unencrypted connections only
+	allow sasl binds with sign or seal.</para>
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapssl.xml b/docs-xml/smbdotconf/ldap/ldapssl.xml
new file mode 100644
index 0000000..5fe67b1
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapssl.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="ldap ssl"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_ldap_ssl"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option is used to define whether or not Samba should
+	use SSL when connecting to the ldap server
+	This is <emphasis>NOT</emphasis> related to
+	Samba's previous SSL support which was enabled by specifying the
+	<command moreinfo="none">--with-ssl</command> option to the
+	<filename moreinfo="none">configure</filename>
+	script.</para>
+
+	<para>LDAP connections should be secured where possible. This may be
+	done setting <emphasis>either</emphasis> this parameter to
+	<parameter moreinfo="none">start tls</parameter> 
+	<emphasis>or</emphasis> by specifying <parameter moreinfo="none">ldaps://</parameter> in
+        the URL argument of <smbconfoption name="passdb backend"/>.</para>
+
+	<para>The <smbconfoption name="ldap ssl"/> can be set to one of
+	two values:</para>
+	<itemizedlist>
+		<listitem>
+			<para><parameter moreinfo="none">Off</parameter> = Never
+			use SSL when querying the directory.</para>
+		</listitem>
+
+		<listitem>
+			<para><parameter moreinfo="none">start tls</parameter> = Use
+			the LDAPv3 StartTLS extended operation (RFC2830) for
+			communicating with the directory server.</para>
+		</listitem>
+	</itemizedlist>
+	<para>
+	Please note that this parameter does only affect <emphasis>rpc</emphasis>
+	methods.
+        </para>
+
+</description>
+<value type="default">start tls</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapsuffix.xml b/docs-xml/smbdotconf/ldap/ldapsuffix.xml
new file mode 100644
index 0000000..aeff0dd
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapsuffix.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="ldap suffix"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</para>
+
+	<para>
+	The ldap suffix will be appended to the values specified for the <smbconfoption name="ldap user suffix"/>,
+	 <smbconfoption name="ldap group suffix"/>, <smbconfoption name="ldap machine suffix"/>, and the
+	 <smbconfoption name="ldap idmap suffix"/>. Each of these should be given only a DN relative to the
+	 <smbconfoption name ="ldap suffix"/>.
+	</para>
+</description>
+<value type="default"></value>
+<value type="example">dc=samba,dc=org</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldaptimeout.xml b/docs-xml/smbdotconf/ldap/ldaptimeout.xml
new file mode 100644
index 0000000..f421eeb
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldaptimeout.xml
@@ -0,0 +1,11 @@
+<samba:parameter name="ldap timeout"
+                 context="G"
+                 type="integer"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	This parameter defines the number of seconds that Samba should use as timeout for LDAP operations.
+	</para>
+</description>
+<value type="default">15</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/ldap/ldapusersuffix.xml b/docs-xml/smbdotconf/ldap/ldapusersuffix.xml
new file mode 100644
index 0000000..c8455e4
--- /dev/null
+++ b/docs-xml/smbdotconf/ldap/ldapusersuffix.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="ldap user suffix"
+                 context="G"
+                 type="string"
+                 function="_ldap_user_suffix"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	This parameter specifies where users are added to the tree. If this parameter is unset, 
+	the value of <smbconfoption name="ldap suffix"/> will be used instead.  The suffix 
+	string is prepended to the  <smbconfoption name="ldap suffix"/> string so use a partial DN.
+	</para>
+
+</description>
+<value type="default"/>
+<value type="example">ou=people</value>
+</samba:parameter>
-- 
cgit v1.2.3