Provided by: slapd_2.5.17+dfsg-0ubuntu0.22.04.1_amd64

NAME

       slapo-homedir - Home directory provisioning overlay

SYNOPSIS

       /etc/ldap/slapd.conf

DESCRIPTION

       The  homedir  overlay  causes slapd(8) to notice changes involving RFC-2307bis style user-
       objects and make appropriate changes to the local filesystem.  This can  be  performed  on
       both  master  and  replica  systems,  so  it  is possible to perform remote home directory
       provisioning.

CONFIGURATION

       Both slapd.conf and back-config style configuration are supported.

       overlay homedir
              This directive adds the  homedir  overlay  to  the  current  database,  or  to  the
              frontend, if used before any database instantiation; see slapd.conf(5) for details.

       homedir-skeleton-path <pathname>

       olcSkeletonPath: pathname
              These options set the path to the skeleton account directory (generally
              /etc/skel).  Files in this directory will be copied into newly created home
              directories.  Copying is recursive and handles symlinks and fifos, but will
              skip most special files.

       homedir-min-uidnumber <user id number>

       olcMinimumUidNumber: number
              These options configure the minimum userid to use in any  home  directory  attempt.
              This  is a basic safety measure to prevent accidentally using system accounts.  See
              REPLICATION for more flexible options for selecting accounts.

       homedir-regexp <regexp> <path>

       olcHomedirRegexp: regexp path
              These options configure a set of  regular  expressions  to  use  for  matching  and
              optionally  remapping  incoming  homeDirectory attribute values to pathnames on the
              local filesystem.  $number expansion is supported  to  access  values  captured  in
              parentheses.

              For example, to accept any directory starting with /home and use it verbatim on
              the local filesystem:

              homedir-regexp ^(/home/[-_/a-z0-9]+)$ $1

              To match the same set of directories, but create them instead under
              /export/home, as is popular on Solaris NFS servers:

              homedir-regexp ^(/home/[-_/a-z0-9]+)$ /export$1

       homedir-delete-style style

       olcHomedirDeleteStyle: style
              These options configure how deletes of posixAccount entries or their attributes
              are handled.  Valid styles are IGNORE, which does nothing; DELETE, which
              immediately performs a recursive delete on the home directory; and ARCHIVE,
              which archives the home directory contents in a TAR file for later examination.
              The default is IGNORE.  Use with caution.  ARCHIVE requires
              homedir-archive-path to be set; otherwise it behaves like IGNORE.

       homedir-archive-path <pathname>

       olcHomedirArchivePath: pathname
              These options specify the destination path for TAR files  created  by  the  ARCHIVE
              delete style.

REPLICATION

       The  homedir overlay can operate on either master or replica systems with no changes.  See
       slapd.conf(5) or slapd-config(5) for more information on configuring syncrepl.

       Partial replication (e.g. with filters)  is  especially  useful  for  providing  different
       provisioning options to different sets of users.

EXAMPLE

       The following LDIF could be used to add this overlay to cn=config (adjust to suit):

              dn: cn=module{0},cn=config
              changetype: modify
              add: olcModuleLoad
              olcModuleLoad: homedir

              dn: olcOverlay=homedir,olcDatabase={1}mdb,cn=config
              changetype: add
              objectClass: olcOverlayConfig
              objectClass: olcHomedirConfig
              olcOverlay: homedir
              olcSkeletonPath: /etc/skel
              olcMinimumUidNumber: 1000
              olcHomedirRegexp: ^(/home/[-_/a-z0-9]+)$ /export$1
              olcHomedirDeleteStyle: ARCHIVE
              olcHomedirArchivePath: /archive

BUGS

       DELETE,  MOD,  and  MODRDN operations that remove the unix attributes when delete style is
       set to DELETE will recursively delete the (regex modified) home directory from  the  disk.
       Please be careful when deleting or changing values.

       MOD  and  MODRDN  will  correctly  respond  to  homeDirectory  changes  and perform a non-
       destructive rename() operation on the filesystem, but this does not correctly retry with a
       recursive copy when moving between filesystems.

       The  recursive copy/delete/chown/tar functions are not aware of ACLs, extended attributes,
       forks, sparse files, or hard links.  Block and character device archival is  non-portable,
       but should not be an issue in home directories, hopefully.

       Copying  and archiving may not support files larger than 2GiB on some architectures.  Bare
       POSIX UStar archives cannot support internal files larger  than  8GiB.   The  current  tar
       generator does not attempt to resolve uid/gid into symbolic names.

       No  attempt  is  made  to  try  to  mkdir() the parent directories needed for a given home
       directory or archive path.
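
       An added example, not part of the slapd distribution: a Python preview of how the
       settings from EXAMPLE treat a given uidNumber and homeDirectory, including the
       missing-parent case described above.  Python's re stands in for slapd's regex engine;
       preview, expand, the verdict strings and the sample accounts are assumptions made for
       this illustration.

```python
import os
import re

# Pattern and minimum uid as on this page; mapping as in the homedir-regexp
# example (/export$1). RULE and MIN_UID are names chosen for this sketch.
RULE = (r"^(/home/[-_/a-z0-9]+)$", "/export$1")
MIN_UID = 1000


def expand(template, match):
    """Substitute $1..$9 in template with the groups captured by match."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template)


def preview(uid_number, home_directory, rule=RULE, min_uid=MIN_UID):
    """Return (verdict, local_path) for one posixAccount.

    fullmatch is used because the page's patterns are anchored with ^ and $;
    it also keeps a trailing newline from slipping past Python's '$'.
    """
    if uid_number < min_uid:
        return ("skip: below minimum uidNumber", None)
    m = re.fullmatch(rule[0], home_directory)
    if m is None:
        return ("reject: homeDirectory does not match", None)
    local = expand(rule[1], m)
    # The overlay does not mkdir() parent directories, so report a missing one.
    if not os.path.isdir(os.path.dirname(local)):
        return ("warn: parent directory missing", local)
    return ("ok", local)


if __name__ == "__main__":
    # Constructed sample accounts: (uidNumber, homeDirectory).
    samples = [
        (999, "/home/daemonuser"),   # below the minimum uid
        (1001, "/home/alice"),       # accepted, mapped under /export
        (1002, "/home/staff/bob"),   # '/' is in the class, so nesting is accepted
        (1003, "/home/Carol"),       # uppercase is outside the class
        (1004, "/home/../etc"),      # '.' is outside the class
        (1005, "/srv/dave"),         # not under /home
    ]
    for uid, home in samples:
        verdict, local = preview(uid, home)
        print(f"{uid:5} {home:20} -> {verdict} {local or ''}")
```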

FILES

       /etc/ldap/slapd.conf
              default slapd configuration file

       /etc/skel (or similar)
              source of new homedir files.

SEE ALSO

       slapd.conf(5), slapd-config(5), slapd(8), RFC-2307, RFC-2307bis.

ACKNOWLEDGEMENTS

       This module was written in 2009 by Emily Backes for Symas Corporation.