Provided by: slapd-contrib_2.5.13+dfsg-1ubuntu1_amd64


       slapo-smbk5pwd - Samba & Kerberos password sync overlay to slapd



              include <path to>/krb5-kdc.schema

              include <path to>/samba.schema



              database mdb


              overlay smbk5pwd


       The  smbk5pwd  overlay  to  slapd(8) overloads the Password Modify Extended Operation (RFC
       3062) to update Kerberos keys and Samba password hashes for  an  LDAP  user,  as  well  as
       updating password change related attributes for Kerberos, Samba and/or UNIX user accounts.

       The  Samba support is written using the Samba 3.0 LDAP schema; Kerberos support is written
       for Heimdal using its hdb-ldap backend.

       Additionally, a new {K5KEY} password hash mechanism is provided.  For krb5KDCEntry objects
       that  have  this  scheme  specifier  in their userPassword attribute, Simple Binds will be
       checked against the Kerberos keys of the entry.  No  data  is  needed  after  the  {K5KEY}
       scheme specifier in the userPassword; it is looked up from the entry directly.


       The smbk5pwd overlay supports the following slapd.conf configuration options, which should
       appear after the overlay directive:

       smbk5pwd-enable <module>
              can be used to enable only the desired modules.  Legal values for <module> are:

              krb5   If the user  has  the  krb5KDCEntry  objectclass,  update  the  krb5Key  and
                     krb5KeyVersionNumber  attributes  using  the  new  password  in the Password
                     Modify operation, provided the Kerberos account is not  expired.   Expiration
                     is determined by evaluating the krb5ValidEnd attribute.

              samba  If  the user is a sambaSamAccount object, synchronize the sambaNTPassword to
                     the  password  entered  in  the  Password  Modify  operation,   and   update
                     sambaPwdLastSet accordingly.

              shadow Update  the  attribute  shadowLastChange,  if  the entry has the objectclass

              By default all modules compiled in  are  enabled.   Setting  the  config  statement
              restricts the enabled modules to the ones explicitly mentioned.

       smbk5pwd-can-change <seconds>
              If  the  samba  module  is  enabled  and  the user is a sambaSamAccount, update the
              attribute sambaPwdCanChange to point <seconds> into the future, essentially denying
              any Samba password change until then.  A value of 0 disables this feature.

       smbk5pwd-must-change <seconds>
              If  the  samba  module  is  enabled  and  the user is a sambaSamAccount, update the
              attribute sambaPwdMustChange  to  point  <seconds>  into  the  future,  essentially
              setting the Samba password expiration time.  A value of 0 disables this feature.

       Alternatively,  the  overlay supports table-driven configuration, and thus can be run-time
       loaded and configured via back-config.


       The layout of a slapd.d based, table-driven configuration entry looks like:

               # {0}smbk5pwd, {1}mdb, config
               dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
               objectClass: olcOverlayConfig
               objectClass: olcSmbK5PwdConfig
               olcOverlay: {0}smbk5pwd
               olcSmbK5PwdEnable: krb5
               olcSmbK5PwdEnable: samba
               olcSmbK5PwdMustChange: 2592000

       which enables both krb5 and samba modules with a Samba password expiration time of 30 days
       (= 2592000 seconds).
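
       The following is an added example, not part of the original manual page or of the
       overlay's source. It models the update rules described above for the krb5 and samba
       modules so an administrator can predict which attributes a Password Modify should
       touch. The sample entries, the function names, the Unix-seconds timestamps and the
       exact expiry comparison are assumptions.

```python
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse a UTC LDAP generalizedTime such as 20300101000000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expected_updates(entry, enabled, now, can_change=0, must_change=0):
    """Attributes one Password Modify should touch, per the rules above.

    A value of None means "changes, but not predictable here" (keys, hashes).
    Assumptions: Samba timestamps are Unix seconds, and an account counts as
    expired once krb5ValidEnd is earlier than `now`.
    """
    classes = {c.lower() for c in entry.get("objectClass", [])}
    ts = int(now.timestamp())
    updates = {}
    if "krb5" in enabled and "krb5kdcentry" in classes:
        valid_end = entry.get("krb5ValidEnd")
        expired = bool(valid_end) and parse_generalized_time(valid_end[0]) < now
        if not expired:
            updates["krb5Key"] = None
            updates["krb5KeyVersionNumber"] = None
    if "samba" in enabled and "sambasamaccount" in classes:
        updates["sambaNTPassword"] = None
        updates["sambaPwdLastSet"] = ts
        if can_change:   # 0 disables the feature
            updates["sambaPwdCanChange"] = ts + can_change
        if must_change:  # 0 disables the feature
            updates["sambaPwdMustChange"] = ts + must_change
    return updates

# Constructed sample entries (not real directory data).
BOTH = ["krb5KDCEntry", "sambaSamAccount"]
ENTRIES = {
    "alice": {"objectClass": BOTH, "krb5ValidEnd": ["20300101000000Z"]},
    "bob": {"objectClass": BOTH, "krb5ValidEnd": ["20200101000000Z"]},
    "carol": {"objectClass": ["inetOrgPerson"]},
}

def audit(now, enabled=("krb5", "samba"), must_change=2592000):
    """Predict updates for every sample entry with the example's settings."""
    return {uid: expected_updates(e, enabled, now, must_change=must_change)
            for uid, e in ENTRIES.items()}

if __name__ == "__main__":
    for uid, upd in audit(datetime.now(timezone.utc)).items():
        print(uid, sorted(upd) or "no change")
```

       For the constructed entry bob, whose krb5ValidEnd lies in the past, only the Samba
       attributes are predicted to change, so the Kerberos keys and the Samba hash no
       longer correspond to the same password after the operation.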


       slapd.conf(5), ldappasswd(1), ldap(3),

       "OpenLDAP Administrator's Guide" (


       This  manual  page  has  been written by Peter Marschall based on the module's README file
       written by Howard Chu.

       OpenLDAP is developed and maintained by The OpenLDAP  Project  (
       OpenLDAP is derived from University of Michigan LDAP 3.3 Release.