The idmap_ldap plugin provides a means for Winbind to store and retrieve SID/uid/gid mapping tables in an LDAP directory service.
ldap_base_dn = DN
ldap_user_dn = DN
ldap_url = ldap://server/
range = low - high
The following example shows how an ldap directory is used as the default idmap backend. It also configures the idmap range and base directory suffix. The secret for the ldap_user_dn has to be set with "net idmap secret '*' password".
[global] idmap config * : backend = ldap idmap config * : range = 1000000-1999999 idmap config * : ldap_url = ldap://localhost/ idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com
This example shows how ldap can be used as a readonly backend while tdb is the default backend used to store the mappings. It adds an explicit configuration for some domain DOM1, that uses the ldap idmap backend. Note that a range disjoint from the default range is used.
[global] # "backend = tdb" is redundant here since it is the default idmap config * : backend = tdb idmap config * : range = 1000000-1999999 idmap config DOM1 : backend = ldap idmap config DOM1 : range = 2000000-2999999 idmap config DOM1 : read only = yes idmap config DOM1 : ldap_url = ldap://server/ idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com
In order to use authentication against ldap servers you may need to provide a DN and a password. To avoid exposing the password in plain text in the configuration file we store it into a security store. The "net idmap " command is used to store a secret for the DN specified in a specific idmap domain.
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.