external-software/github_OpenIdentityPlatform_OpenDJ.git

New file
			@@ -0,0 +1,146 @@
			<?xml version="1.0" encoding="UTF-8"?>
			<!--
			! CCPL HEADER START
			!
			! This work is licensed under the Creative Commons
			! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
			! To view a copy of this license, visit
			! http://creativecommons.org/licenses/by-nc-nd/3.0/
			! or send a letter to Creative Commons, 444 Castro Street,
			! Suite 900, Mountain View, California, 94041, USA.
			!
			! You can also obtain a copy of the license at
			! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
			! See the License for the specific language governing permissions
			! and limitations under the License.
			!
			! If applicable, add the following below this CCPL HEADER, with the fields
			! enclosed by brackets "[]" replaced with your own identifying information:
			! Portions Copyright [yyyy] [name of copyright owner]
			!
			! CCPL HEADER END
			!
			! Copyright 2011 ForgeRock AS
			!
			-->
			<chapter xml:id='chap-samba'
			xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
			xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
			xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
			xmlns:xlink='http://www.w3.org/1999/xlink'
			xmlns:xinclude='http://www.w3.org/2001/XInclude'>
			<title>Samba Password Synchronization</title>

			<para>When you store Samba profiles in OpenDJ, Samba stores its own attributes
			as defined in the Samba schema. Samba does not use the LDAP standard
			<literal>userPassword</literal> attribute to store users' Samba passwords.
			You can configure Samba to apply changes to Samba passwords to LDAP passwords
			as well, too. Yet, if a user modifies her LDAP password directly without
			updating the Samba password, the LDAP and Samba passwords get out of
			sync.</para>

			<para>The OpenDJ Samba Password plugin resolves this problem for you. The
			plugin intercepts password changes to Samba user profiles, synchronizing Samba
			password and LDAP password values. For an incoming Password Modify Extended
			Request or modify request changing the user password, the OpenDJ Samba Password
			plugin detects whether the user's entry reflects a Samba user profile (entry
			has object class <literal>sambaSAMAccount</literal>), hashes the incoming
			password value, and applies the password change to the appropriate password
			attribute, keeping the password values in sync. The OpenDJ Samba Password
			plugin can perform synchronization as long as new passwords values are
			provided in clear text in the modification request. If you configure Samba
			to synchronize LDAP passwords when it changes Samba passwords, then the
			plugin can ignore changes by the Samba user to avoid duplicate
			synchronization.</para>

			<procedure xml:id="setup-samba-administrator-account">
			<title>To Set Up a Samba Administrator Account</title>

			<para>The Samba Administrator synchronizes LDAP passwords after changing
			Samba passwords by issuing a Password Modify Extended Request. In Samba's
			<filename>smb.conf</filename> configuration file, the value of
			<literal>ldap admin dn</literal> is set to the DN of this account. When
			the Samba Administrator changes a user password, the plugin ignores
			the changes, so choose a distinct account different from Directory Manager
			and other administrators.</para>

			<step>
			<para>Create or choose an account for the Samba Administrator.</para>
			<screen>$ cat samba.ldif
			dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
			cn: Samba Administrator
			givenName: Samba
			mail: samba@example.com
			objectClass: person
			objectClass: inetOrgPerson
			objectClass: organizationalPerson
			objectClass: top
			sn: Administrator
			uid: samba-admin
			userPassword: password

			$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -a -f samba.ldif
			Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com
			ADD operation successful for DN uid=samba-admin,ou=Special Users,
			dc=example,dc=com</screen>
			</step>
			<step>
			<para>Ensure the Samba Administrator can reset user passwords.</para>
			<screen>$ cat samba-rights.ldif
			dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
			changetype: modify
			add: ds-privilege-name
			ds-privilege-name: password-reset

			dn: dc=example,dc=com
			changetype: modify
			add: aci
			aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")(version 3.0; acl "
			Samba Admin user rights"; allow(all) groupdn ="ldap:///uid=samba-user,ou=
			Special Users,dc=example,dc=com";)

			$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f samba-rights.ldif
			Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com
			MODIFY operation successful for DN uid=samba-admin,ou=Special Users,dc=example,dc=com
			Processing MODIFY request for dc=example,dc=com
			MODIFY operation successful for DN dc=example,dc=com</screen>
			</step>
			</procedure>

			<procedure xml:id="setup-samba-pwd-plugin">
			<title>To Set Up the Samba Password Plugin</title>

			<step>
			<para>Determine whether the plugin must store passwords hashed like
			LanManager (<literal>sync-lm-password</literal>) or like Windows NT
			(<literal>sync-nt-password</literal>), based on how you set up Samba
			in your environment.</para>
			</step>
			<step>
			<para>Enable the plugin.</para>
			<screen>$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password
			create-plugin
			--plugin-name "Samba Password Synchronisation"
			--type samba-password
			--set enabled:true
			--set pwd-sync-policy:sync-nt-password
			--set
			samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com"
			-X -n</screen>
			<para>At this point the Samba Password plugin is active.</para>
			</step>
			<step performance="optional">
			<para>When troubleshooting Samba Password plugin issues, you can turn on
			debug logging as follows.</para>
			<screen>$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password
			create-debug-target
			--publisher-name "File-Based Debug Logger"
			--target-name org.opends.server.plugins.SambaPasswordPlugin
			--set debug-level:all -X -n
			$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password
			set-log-publisher-prop
			--publisher-name "File-Based Debug Logger"
			--set enabled:true -X -n</screen>
			</step>
			</procedure>
			</chapter>

	opendj3/src/main/docbkx/admin-guide/OpenDJ-Admin-Guide.xml	4 ●●●●● patch \| view \| raw \| blame \| history
	opendj3/src/main/docbkx/admin-guide/chap-samba.xml	146 ●●●●● patch \| view \| raw \| blame \| history

			@@ -43,6 +43,9 @@
			<author>
			<personname><firstname>Mark</firstname><surname>Craig</surname></personname>
			</author>
			<author>
			<personname><firstname>Nemanja</firstname><surname>Lukić</surname></personname>
			</author>
			</authorgroup>
			<xinclude:include href='../legal.xml' />
			<date><?dbtimestamp format="B d, Y"?></date>
			@@ -70,6 +73,7 @@
			<xinclude:include href='chap-referrals.xml' />
			<xinclude:include href='chap-virtual-attrs-collective-attrs.xml' />
			<xinclude:include href='chap-pta.xml' />
			<xinclude:include href='chap-samba.xml' />
			<xinclude:include href='chap-load-balancing.xml' />
			<xinclude:include href='chap-failover.xml' />
			<xinclude:include href='chap-chaining.xml' />