idmap_ldap — Samba's idmap_ldap Backend for Winbind
The idmap_ldap plugin provides a means for Winbind to store and retrieve SID/uid/gid mapping tables in an LDAP directory service.
In contrast to read only backends like idmap_rid, it is an allocating
backend: This means that it needs to allocate new user and group IDs in
order to create new mappings. The allocator can be provided by the
idmap_ldap backend itself or by any other allocating backend like
idmap_tdb or idmap_tdb2. This is configured with the
parameter idmap alloc backend.
Note that in order for this (or any other allocating) backend to function at all, the default backend needs to be writeable. The ranges used for uid and gid allocation are the default ranges configured by "idmap uid" and "idmap gid".
Furthermore, since there is only one global allocating backend responsible for all domains using writeable idmap backends, any explicitly configured domain with idmap backend ldap should have the same range as the default range, since it needs to use the global uid / gid allocator. See the example below.
Defines the directory base suffix to use when searching for SID/uid/gid mapping entries. If not defined, idmap_ldap will default to using the "ldap idmap suffix" option from smb.conf.
Defines the user DN to be used for authentication. If absent an anonymous bind will be performed.
Specifies the LDAP server to use when searching for existing SID/uid/gid map entries. If not defined, idmap_ldap will assume that ldap://localhost/ should be used.
Defines the available matching uid and gid range for which the backend is authoritative. If the parameter is absent, Winbind fails over to use the "idmap uid" and "idmap gid" options from smb.conf.
Defines the directory base suffix under which new SID/uid/gid mapping entries should be stored. If not defined, idmap_ldap will default to using the "ldap idmap suffix" option from smb.conf.
Defines the user DN to be used for authentication. If absent an anonymous bind will be performed.
Specifies the LDAP server to which modify/add/delete requests should be sent. If not defined, idmap_ldap will assume that ldap://localhost/ should be used.
The follow sets of a LDAP configuration which uses two LDAP directories, one for storing the ID mappings and one for retrieving new IDs.
[global] idmap backend = ldap:ldap://localhost/ idmap uid = 1000000-1999999 idmap gid = 1000000-1999999 idmap alloc backend = ldap idmap alloc config : ldap_url = ldap://id-master/ idmap alloc config : ldap_base_dn = ou=idmap,dc=example,dc=com
In order to use authentication against ldap servers you may need to provide a DN and a password. To avoid exposing the password in plain text in the configuration file we store it into a security store. The "net idmap " command is used to store a secret for the DN specified in a specific idmap domain.