GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
SLAPO-SMBK5PWD(5) FreeBSD File Formats Manual SLAPO-SMBK5PWD(5)

slapo-smbk5pwd - Samba & Kerberos password sync overlay to slapd

ETCDIR/slapd.conf

include <path to>/krb5-kdc.schema

include <path to>/samba.schema

moduleload smbk5pwd.so

...

database mdb

...

overlay smbk5pwd

The smbk5pwd overlay to slapd(8) overloads the Password Modify Extended Operation (RFC 3062) to update Kerberos keys and Samba password hashes for an LDAP user, as well as updating password change related attributes for Kerberos, Samba and/or UNIX user accounts.

The Samba support is written using the Samba 3.0 LDAP schema; Kerberos support is written for Heimdal using its hdb-ldap backend.

Additionally, a new {K5KEY} password hash mechanism is provided. For krb5KDCEntry objects that have this scheme specifier in their userPassword attribute, Simple Binds will be checked against the Kerberos keys of the entry. No data is needed after the {K5KEY} scheme specifier in the userPassword, it is looked up from the entry directly.

The smbk5pwd overlay supports the following slapd.conf configuration options, which should appear after the overlay directive:
smbk5pwd-enable <module>
can be used to enable only the desired modules. Legal values for <module> are

krb5
If the user has the krb5KDCEntry objectclass, update the krb5Key and krb5KeyVersionNumber attributes using the new password in the Password Modify operation, provided the Kerberos account is not expired. Exiration is determined by evaluating the krb5ValidEnd attribute.
samba
If the user is a sambaSamAccount object, synchronize the sambaNTPassword to the password entered in the Password Modify operation, and update sambaPwdLastSet accordingly.
shadow
Update the attribute shadowLastChange, if the entry has the objectclass shadowAccount.

By default all modules compiled in are enabled. Setting the config statement restricts the enabled modules to the ones explicitly mentioned.

smbk5pwd-can-change <seconds>
If the samba module is enabled and the user is a sambaSamAccount, update the attribute sambaPwdCanChange to point <seconds> into the future, essentially denying any Samba password change until then. A value of 0 disables this feature.
smbk5pwd-must-change <seconds>
If the samba module is enabled and the user is a sambaSamAccount, update the attribute sambaPwdMustChange to point <seconds> into the future, essentially setting the Samba password expiration time. A value of 0 disables this feature.

Alternatively, the overlay supports table-driven configuration, and thus can be run-time loaded and configured via back-config.

The layout of a slapd.d based, table-driven configuration entry looks like:

        # {0}smbk5pwd, {1}mdb, config
        dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
        objectClass: olcOverlayConfig
        objectClass: olcSmbK5PwdConfig
        olcOverlay: {0}smbk5pwd
        olcSmbK5PwdEnable: krb5
        olcSmbK5PwdEnable: samba
        olcSmbK5PwdMustChange: 2592000

which enables both krb5 and samba modules with a Samba password expiration time of 30 days (= 2592000 seconds).

slapd.conf(5), ldappasswd(1), ldap(3),

"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

This manual page has been written by Peter Marschall based on the module's README file written by Howard Chu.

OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OpenLDAP is derived from University of Michigan LDAP 3.3 Release.

RELEASEDATE OpenLDAP LDVERSION

Search for    or go to Top of page |  Section 5 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.