Penguin

Differences between version 15 and predecessor to the previous major change of Samba3LDAP.


Newer page: version 15, last edited on Tuesday, June 13, 2006 10:15:58 am by JeffDavis
Older page: version 13, last edited on Monday, September 26, 2005 10:34:02 am by PerryLorier
@@ -39,8 +39,40 @@
  
 ! LDAP Password Sync 
  
 The default setting for this is 'no', which means 'Update the NT and LM passwords in LDAP, and update the last set time'. This *will* cause a lot of grief if you are trying to use another mechanism to set the password, such as a custom script. It can also be set to 'only' which means it will only update the LDAP password (which is the userPassword field, ie the password that unix services will use via pam_ldap). Setting it to 'yes' means it will attempt to update all three passwords and update the last set time. This is almost definitely what you want. 
+  
+! unix passwd sync  
+  
+This is a slightly misleading name for this directive. It should really be 'external passwd sync'. The 'passwd program' and 'passwd sync' directives are _only_ called if this parameter is set to yes.  
+  
+It is probably ok to set 'unix passwd sync = no' and 'ldap password sync = yes', and be fairly happy that your passwords are being updated correctly. However, I have found that this sets passwords that zimbra, for example, cannot deal with. If this is the case, or you want to do something special with your password update such as set other values as well, do the following:  
+  
+<verbatim>  
+ ldap password sync = No  
+ unix passwd sync = Yes  
+ passwd program = /path/to/program %u  
+ passwd chat = *chat*script*  
+</verbatim>  
+  
+Additionally, you may need to tweak your slapd.conf acls to support password sync. The DSA needs access to the root DSE in order to determine the server's capabilities. If you are using the Idealx scripts, this should do the trick:  
+  
+<verbatim>  
+ access to *  
+ by dn="cn=samba,ou=dsa,dc=example,dc=com" read  
+ by dn="cn=smbldap-tools,ou=dsa,dc=example,dc=com" read  
+ by * none  
+</verbatim>  
+  
+Obviously, the passwd program and passwd chat parameters need to be tailored to your script. I use the smbldap-passwd program from IdealX, and have it set to only update the 'userPassword' attribute in LDAP, not the NT/LM hashes (as samba will do this anyway):  
+  
+<verbatim>  
+ ldap passwd sync = No  
+ unix password sync = Yes  
+ passwd program = /usr/sbin/smbldap-passwd -u %u  
+ passwd chat = *New*password* %n\n *Retype*new*password* %n\n  
+</verbatim>  
+  
  
 !IdealX Samba Administration Scripts 
  
 The [IdealX smbldap-tools|http://samba.idealx.org/index.en.html] are, in my opinion, essential for running an LDAP-aware Samba server.
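Review bot: the slapd ACL in the second verbatim block is far broader than the stated need, and where it sits in slapd.conf matters. The text says the DSA only needs to read the root DSE to discover the server's capabilities, yet 'access to *' grants both DSA identities read on every entry and attribute, userPassword and the NT/LM hashes included; a rule scoped to the root DSE, 'access to dn.base=""' with the same 'by' clauses, covers the stated purpose. Also, slapd evaluates 'access' directives in order and applies the first one whose 'to' clause matches, so if this 'access to *' ... 'by * none' block is placed above more specific rules, those rules never fire and ordinary users are denied everything; put it last, or scope it as above. Separately, the two smb.conf blocks spell the directives differently ('ldap password sync' and 'unix passwd sync' in the first, 'ldap passwd sync' and 'unix password sync' in the second, and the heading says 'unix passwd sync'); smb.conf(5) documents 'ldap passwd sync' (with 'ldap password sync' as a synonym) and 'unix password sync', so pick one spelling, use it in the heading and both blocks, and run testparm to confirm every name is accepted, since a parameter Samba does not recognise is only warned about and has no effect.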