From 6849f65a5eac02bf455878a9f396851a4b490498 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Wed, 28 Sep 2011 12:55:20 +0000
Subject: [PATCH] Explain Samba Password plugin configuration with content from Nemanja Lukić

---
 opendj3/src/main/docbkx/admin-guide/OpenDJ-Admin-Guide.xml |    4 +
 opendj3/src/main/docbkx/admin-guide/chap-samba.xml         |  146 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 150 insertions(+), 0 deletions(-)

diff --git a/opendj3/src/main/docbkx/admin-guide/OpenDJ-Admin-Guide.xml b/opendj3/src/main/docbkx/admin-guide/OpenDJ-Admin-Guide.xml
index ec43d7e..0042e78 100644
--- a/opendj3/src/main/docbkx/admin-guide/OpenDJ-Admin-Guide.xml
+++ b/opendj3/src/main/docbkx/admin-guide/OpenDJ-Admin-Guide.xml
@@ -43,6 +43,9 @@
    <author>
     <personname><firstname>Mark</firstname><surname>Craig</surname></personname>
    </author>
+   <author>
+    <personname><firstname>Nemanja</firstname><surname>Lukić</surname></personname>
+   </author>
   </authorgroup>
   <xinclude:include href='../legal.xml' />
   <date><?dbtimestamp format="B d, Y"?></date>
@@ -70,6 +73,7 @@
  <xinclude:include href='chap-referrals.xml' />
  <xinclude:include href='chap-virtual-attrs-collective-attrs.xml' />
  <xinclude:include href='chap-pta.xml' />
+ <xinclude:include href='chap-samba.xml' />
  <xinclude:include href='chap-load-balancing.xml' />
  <xinclude:include href='chap-failover.xml' />
  <xinclude:include href='chap-chaining.xml' />
diff --git a/opendj3/src/main/docbkx/admin-guide/chap-samba.xml b/opendj3/src/main/docbkx/admin-guide/chap-samba.xml
new file mode 100644
index 0000000..738bbca
--- /dev/null
+++ b/opendj3/src/main/docbkx/admin-guide/chap-samba.xml
@@ -0,0 +1,146 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ! CCPL HEADER START
+  !
+  ! This work is licensed under the Creative Commons
+  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+  ! To view a copy of this license, visit
+  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+  ! or send a letter to Creative Commons, 444 Castro Street,
+  ! Suite 900, Mountain View, California, 94041, USA.
+  !
+  ! You can also obtain a copy of the license at
+  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+  ! See the License for the specific language governing permissions
+  ! and limitations under the License.
+  !
+  ! If applicable, add the following below this CCPL HEADER, with the fields
+  ! enclosed by brackets "[]" replaced with your own identifying information:
+  !      Portions Copyright [yyyy] [name of copyright owner]
+  !
+  ! CCPL HEADER END
+  !
+  !      Copyright 2011 ForgeRock AS
+  !    
+-->
+<chapter xml:id='chap-samba'
+ xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+ xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+ xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
+ xmlns:xlink='http://www.w3.org/1999/xlink'
+ xmlns:xinclude='http://www.w3.org/2001/XInclude'>
+ <title>Samba Password Synchronization</title>
+ 
+ <para>When you store Samba profiles in OpenDJ, Samba stores its own attributes
+ as defined in the Samba schema. Samba does not use the LDAP standard
+ <literal>userPassword</literal> attribute to store users' Samba passwords.
+ You can configure Samba to apply changes to Samba passwords to LDAP passwords
+ as well, too. Yet, if a user modifies her LDAP password directly without
+ updating the Samba password, the LDAP and Samba passwords get out of
+ sync.</para>
+ 
+ <para>The OpenDJ Samba Password plugin resolves this problem for you. The
+ plugin intercepts password changes to Samba user profiles, synchronizing Samba
+ password and LDAP password values. For an incoming Password Modify Extended
+ Request or modify request changing the user password, the OpenDJ Samba Password
+ plugin detects whether the user's entry reflects a Samba user profile (entry
+ has object class <literal>sambaSAMAccount</literal>), hashes the incoming
+ password value, and applies the password change to the appropriate password
+ attribute, keeping the password values in sync. The OpenDJ Samba Password
+ plugin can perform synchronization as long as new passwords values are
+ provided in clear text in the modification request. If you configure Samba
+ to synchronize LDAP passwords when it changes Samba passwords, then the
+ plugin can ignore changes by the Samba user to avoid duplicate
+ synchronization.</para>
+ 
+ <procedure xml:id="setup-samba-administrator-account">
+  <title>To Set Up a Samba Administrator Account</title>
+  
+  <para>The Samba Administrator synchronizes LDAP passwords after changing
+  Samba passwords by issuing a Password Modify Extended Request. In Samba's
+  <filename>smb.conf</filename> configuration file, the value of
+  <literal>ldap admin dn</literal> is set to the DN of this account. When
+  the Samba Administrator changes a user password, the plugin ignores
+  the changes, so choose a distinct account different from Directory Manager
+  and other administrators.</para>
+  
+  <step>
+   <para>Create or choose an account for the Samba Administrator.</para>
+   <screen>$ cat samba.ldif 
+dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
+cn: Samba Administrator
+givenName: Samba
+mail: samba@example.com
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: top
+sn: Administrator
+uid: samba-admin
+userPassword: password
+
+$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -a -f samba.ldif
+Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com
+ADD operation successful for DN uid=samba-admin,ou=Special Users,
+ dc=example,dc=com</screen>
+  </step>
+  <step>
+   <para>Ensure the Samba Administrator can reset user passwords.</para>
+   <screen>$ cat samba-rights.ldif
+dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
+changetype: modify
+add: ds-privilege-name
+ds-privilege-name: password-reset
+
+dn: dc=example,dc=com
+changetype: modify
+add: aci
+aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")(version 3.0; acl "
+ Samba Admin user rights"; allow(all) groupdn ="ldap:///uid=samba-user,ou=
+ Special Users,dc=example,dc=com";)
+
+$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f samba-rights.ldif
+Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com
+MODIFY operation successful for DN uid=samba-admin,ou=Special Users,dc=example,dc=com
+Processing MODIFY request for dc=example,dc=com
+MODIFY operation successful for DN dc=example,dc=com</screen>
+  </step>
+ </procedure>
+ 
+ <procedure xml:id="setup-samba-pwd-plugin">
+  <title>To Set Up the Samba Password Plugin</title>
+  
+  <step>
+   <para>Determine whether the plugin must store passwords hashed like
+   LanManager (<literal>sync-lm-password</literal>) or like Windows NT
+   (<literal>sync-nt-password</literal>), based on how you set up Samba
+   in your environment.</para>
+  </step>
+  <step>
+   <para>Enable the plugin.</para>
+   <screen>$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password
+ create-plugin
+ --plugin-name "Samba Password Synchronisation"
+ --type samba-password
+ --set enabled:true
+ --set pwd-sync-policy:sync-nt-password
+ --set
+ samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com"
+ -X -n</screen>
+   <para>At this point the Samba Password plugin is active.</para>
+  </step>
+  <step performance="optional">
+   <para>When troubleshooting Samba Password plugin issues, you can turn on
+   debug logging as follows.</para>
+   <screen>$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password
+ create-debug-target
+ --publisher-name "File-Based Debug Logger"
+ --target-name org.opends.server.plugins.SambaPasswordPlugin
+ --set debug-level:all -X -n
+$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password
+ set-log-publisher-prop
+ --publisher-name "File-Based Debug Logger"
+ --set enabled:true -X -n</screen>
+  </step>
+ </procedure>
+</chapter>

--
Gitblit v1.10.0