bionic (5) slapo-smbk5pwd.5.gz

Provided by: slapd-smbk5pwd_2.4.45+dfsg-1ubuntu1.11_amd64

NAME

       slapo-smbk5pwd - Samba & Kerberos password sync overlay to slapd

SYNOPSIS

       ETCDIR/slapd.conf
              include <path to>/krb5-kdc.schema
              include <path to>/samba.schema
              moduleload smbk5pwd.so
               ...
              database mdb
               ...
              overlay smbk5pwd

DESCRIPTION

       The  smbk5pwd  overlay  to slapd(8) overloads the Password Modify Extended Operation (RFC 3062) to update
       Kerberos keys and Samba password hashes for an LDAP user, as well as  updating  password  change  related
       attributes for Kerberos, Samba and/or UNIX user accounts.

       The  Samba  support  is  written using the Samba 3.0 LDAP schema; Kerberos support is written for Heimdal
       using its hdb-ldap backend.

       Additionally, a new {K5KEY} password hash mechanism is provided.  For krb5KDCEntry objects that have this
       scheme  specifier in their userPassword attribute, Simple Binds will be checked against the Kerberos keys
       of the entry.  No data is needed after the {K5KEY} scheme specifier in the userPassword; the keys are
       looked up from the entry directly.

CONFIGURATION

       The  smbk5pwd  overlay supports the following slapd.conf configuration options, which should appear after
       the overlay directive:

       smbk5pwd-enable <module>
              can be used to enable only the desired modules.  Legal values for <module> are

              krb5   If the user has the krb5KDCEntry objectclass, update the krb5Key  and  krb5KeyVersionNumber
                     attributes  using  the new password in the Password Modify operation, provided the Kerberos
                     account is not expired.  Expiration is determined by evaluating the krb5ValidEnd attribute.

              samba  If  the  user  is  a  sambaSamAccount   object,   synchronize   the   sambaLMPassword   and
                     sambaNTPassword  to  the  password  entered  in  the  Password Modify operation, and update
                     sambaPwdLastSet accordingly.

              shadow Update the attribute shadowLastChange, if the entry has the objectclass shadowAccount.

              By default all modules compiled in are  enabled.   Setting  the  config  statement  restricts  the
              enabled modules to the ones explicitly mentioned.

       smbk5pwd-can-change <seconds>
              If  the  samba  module  is  enabled  and  the  user  is  a  sambaSamAccount,  update the attribute
              sambaPwdCanChange to point <seconds> into the  future,  essentially  denying  any  Samba  password
              change until then.  A value of 0 disables this feature.

       smbk5pwd-must-change <seconds>
              If  the  samba  module  is  enabled  and  the  user  is  a  sambaSamAccount,  update the attribute
              sambaPwdMustChange to point <seconds> into the future,  essentially  setting  the  Samba  password
              expiration time.  A value of 0 disables this feature.

       Alternatively,  the  overlay  supports  table-driven  configuration,  and thus can be run-time loaded and
       configured via back-config.

EXAMPLE

       The layout of a slapd.d-based, table-driven configuration entry looks like:

               # {0}smbk5pwd, {1}mdb, config
               dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
               objectClass: olcOverlayConfig
               objectClass: olcSmbK5PwdConfig
               olcOverlay: {0}smbk5pwd
               olcSmbK5PwdEnable: krb5
               olcSmbK5PwdEnable: samba
               olcSmbK5PwdMustChange: 2592000

       which enables both krb5 and samba modules with a Samba password expiration time of  30  days  (=  2592000
       seconds).
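       To verify that the samba module really synchronized an entry after a Password Modify, the following
       added example (not part of this manual page or of OpenLDAP) computes the values the overlay should have
       written for the settings described under CONFIGURATION: the sambaNTPassword value (MD4 over the UTF-16LE
       password, stored as uppercase hex) and the sambaPwdLastSet, sambaPwdCanChange and sambaPwdMustChange
       timestamps derived from smbk5pwd-can-change and smbk5pwd-must-change.  It assumes the seconds-since-epoch
       encoding Samba uses for those attributes, omits the legacy sambaLMPassword, and implements MD4 inline
       because hashlib's md4 usually requires OpenSSL's legacy provider.

```python
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    # Minimal RFC 1320 MD4; written inline because hashlib's md4 needs OpenSSL's legacy provider.
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, 0, (3, 7, 11, 19), list(range(16))),
              (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: the next step updates the old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def samba_modifications(password: str, now: int, can_change: int = 0, must_change: int = 0) -> dict:
    """Attribute values the samba module should write for one Password Modify operation.

    now is seconds since the epoch (the encoding Samba uses for the sambaPwd* attributes; an
    assumption here); can_change/must_change mirror smbk5pwd-can-change/-must-change, 0 = off.
    sambaLMPassword is omitted: the real overlay updates it too, but the LM hash needs DES.
    """
    mods = {
        "sambaNTPassword": _md4(password.encode("utf-16-le")).hex().upper(),  # MD4 over UTF-16LE
        "sambaPwdLastSet": str(now),
    }
    if can_change:
        mods["sambaPwdCanChange"] = str(now + can_change)
    if must_change:
        mods["sambaPwdMustChange"] = str(now + must_change)
    return mods


if __name__ == "__main__":
    # Constructed inputs: the page's 30-day must-change window and a fixed clock of 1700000000.
    expected = samba_modifications("password", now=1700000000, must_change=2592000)
    for attr, value in expected.items():  # compare against the ldapsearch output for the entry
        print(f"{attr}: {value}")
```

       Compare the printed values with an ldapsearch of the user entry taken right after the password change;
       a stale sambaNTPassword or an unchanged sambaPwdLastSet means the module is not enabled for that entry.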

SEE ALSO

       slapd.conf(5), ldappasswd(1), ldap(3),

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS

       This  manual  page has been written by Peter Marschall based on the module's README file written by Howard
       Chu.

       OpenLDAP is developed and maintained by The OpenLDAP  Project  (http://www.openldap.org/).   OpenLDAP  is
       derived from University of Michigan LDAP 3.3 Release.