author: bubulle <bubulle@alioth.debian.org>, 2012-01-26 19:58:37 +0000
committer: bubulle <bubulle@alioth.debian.org>, 2012-01-26 19:58:37 +0000
commit: cb25bc5ca98dff7a896f596f9f1586a4739ad8ec
tree: 31bd310956a0c533e3e46cb88aec6e00b5eedf53 /docs/htmldocs/manpages/idmap_ldap.8.html
parent: 5f021ee1efe415ba8fe4281d0622204a68074ea8
download: samba-cb25bc5ca98dff7a896f596f9f1586a4739ad8ec.tar.gz
Load samba-3.6.2 into branches/samba/upstream.upstream/3.6.2
git-svn-id: svn://svn.debian.org/svn/pkg-samba/branches/samba/upstream@3992 fc4039ab-9d04-0410-8cac-899223bdd6b0
Diffstat (limited to 'docs/htmldocs/manpages/idmap_ldap.8.html')
-rw-r--r-- | docs/htmldocs/manpages/idmap_ldap.8.html | 84 |
1 files changed, 39 insertions, 45 deletions
diff --git a/docs/htmldocs/manpages/idmap_ldap.8.html b/docs/htmldocs/manpages/idmap_ldap.8.html index cf03ebc52e..19ada558a3 100644 --- a/docs/htmldocs/manpages/idmap_ldap.8.html +++ b/docs/htmldocs/manpages/idmap_ldap.8.html 
@@ -4,68 +4,62 @@ </p><p> In contrast to read only backends like idmap_rid, it is an allocating backend: This means that it needs to allocate new user and group IDs in - order to create new mappings. The allocator can be provided by the - idmap_ldap backend itself or by any other allocating backend like - idmap_tdb or idmap_tdb2. This is configured with the - parameter <em class="parameter"><code>idmap alloc backend</code></em>. - </p><p> - Note that in order for this (or any other allocating) backend to - function at all, the default backend needs to be writeable. - The ranges used for uid and gid allocation are the default ranges - configured by "idmap uid" and "idmap gid". - </p><p> - Furthermore, since there is only one global allocating backend - responsible for all domains using writeable idmap backends, - any explicitly configured domain with idmap backend ldap - should have the same range as the default range, since it needs - to use the global uid / gid allocator. See the example below. - </p></div><div class="refsect1" title="IDMAP OPTIONS"><a name="id266361"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p> - Defines the directory base suffix to use when searching for + order to create new mappings. + </p></div><div class="refsect1" title="IDMAP OPTIONS"><a name="id266343"></a><h2>IDMAP OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p> + Defines the directory base suffix to use for SID/uid/gid mapping entries. If not defined, idmap_ldap will default to using the "ldap idmap suffix" option from smb.conf. </p></dd><dt><span class="term">ldap_user_dn = DN</span></dt><dd><p> - Defines the user DN to be used for authentication. If absent an - anonymous bind will be performed. + Defines the user DN to be used for authentication. 
+ The secret for authenticating this user should be + stored with net idmap secret + (see <a class="citerefentry" href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a>). + If absent, the ldap credentials from the ldap passdb configuration + are used, and if these are also absent, an anonymous + bind will be performed as last fallback. </p></dd><dt><span class="term">ldap_url = ldap://server/</span></dt><dd><p> - Specifies the LDAP server to use when searching for existing + Specifies the LDAP server to use for SID/uid/gid map entries. If not defined, idmap_ldap will assume that ldap://localhost/ should be used. </p></dd><dt><span class="term">range = low - high</span></dt><dd><p> Defines the available matching uid and gid range for which the backend is authoritative. - If the parameter is absent, Winbind fails over to use the - "idmap uid" and "idmap gid" options - from smb.conf. - </p></dd></dl></div></div><div class="refsect1" title="IDMAP ALLOC OPTIONS"><a name="id266878"></a><h2>IDMAP ALLOC OPTIONS</h2><div class="variablelist"><dl><dt><span class="term">ldap_base_dn = DN</span></dt><dd><p> - Defines the directory base suffix under which new SID/uid/gid mapping - entries should be stored. If not defined, idmap_ldap will default - to using the "ldap idmap suffix" option from smb.conf. - </p></dd><dt><span class="term">ldap_user_dn = DN</span></dt><dd><p> - Defines the user DN to be used for authentication. If absent an - anonymous bind will be performed. - </p></dd><dt><span class="term">ldap_url = ldap://server/</span></dt><dd><p> - Specifies the LDAP server to which modify/add/delete requests should - be sent. If not defined, idmap_ldap will assume that ldap://localhost/ - should be used. 
- </p></dd></dl></div></div><div class="refsect1" title="EXAMPLES"><a name="id265720"></a><h2>EXAMPLES</h2><p> - The follow sets of a LDAP configuration which uses two LDAP - directories, one for storing the ID mappings and one for retrieving - new IDs. + </p></dd></dl></div></div><div class="refsect1" title="EXAMPLES"><a name="id266868"></a><h2>EXAMPLES</h2><p> + The following example shows how an ldap directory is used as the + default idmap backend. It also configures the idmap range and base + directory suffix. The secret for the ldap_user_dn has to be set with + "net idmap secret '*' password". + </p><pre class="programlisting"> + [global] + idmap config * : backend = ldap + idmap config * : range = 1000000-1999999 + idmap config * : ldap_url = ldap://localhost/ + idmap config * : ldap_base_dn = ou=idmap,dc=example,dc=com + idmap config * : ldap_user_dn = cn=idmap_admin,dc=example,dc=com + </pre><p> + This example shows how ldap can be used as a readonly backend while + tdb is the default backend used to store the mappings. + It adds an explicit configuration for some domain DOM1, that + uses the ldap idmap backend. Note that a range disjoint from the + default range is used. 
</p><pre class="programlisting"> [global] - idmap backend = ldap:ldap://localhost/ - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 + # "backend = tdb" is redundant here since it is the default + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 - idmap alloc backend = ldap - idmap alloc config : ldap_url = ldap://id-master/ - idmap alloc config : ldap_base_dn = ou=idmap,dc=example,dc=com + idmap config DOM1 : backend = ldap + idmap config DOM1 : range = 2000000-2999999 + idmap config DOM1 : read only = yes + idmap config DOM1 : ldap_url = ldap://server/ + idmap config DOM1 : ldap_base_dn = ou=idmap,dc=dom1,dc=example,dc=com + idmap config DOM1 : ldap_user_dn = cn=idmap_admin,dc=dom1,dc=example,dc=com </pre></div><div class="refsynopsisdiv" title="NOTE"><h2>NOTE</h2><p>In order to use authentication against ldap servers you may need to provide a DN and a password. To avoid exposing the password in plain text in the configuration file we store it into a security store. The "net idmap " command is used to store a secret for the DN specified in a specific idmap domain. - </p></div><div class="refsect1" title="AUTHOR"><a name="id265751"></a><h2>AUTHOR</h2><p> + </p></div><div class="refsect1" title="AUTHOR"><a name="id265711"></a><h2>AUTHOR</h2><p> The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar |
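Review bot: the unchanged NOTE section at the end of this hunk still reads 'The "net idmap " command is used to store a secret', with the subcommand missing, while the new ldap_user_dn text and the first example now name it as "net idmap secret" (and "net idmap secret '*' password"); update the NOTE to 'The "net idmap secret" command is used to store a secret for the DN specified in a specific idmap domain' so all three references agree. Two further points in the same hunk: the sentence removed under "range = low - high" ('If the parameter is absent, Winbind fails over to use the "idmap uid" and "idmap gid" options from smb.conf') is not replaced by any statement of what happens when range is omitted, so say explicitly whether range is now required for an idmap config block with this backend; and both examples bind as cn=idmap_admin over a plain ldap:// URL (ldap://localhost/ and ldap://server/), so the ldap_url description would benefit from a line saying that a simple bind over an unencrypted ldap:// connection transmits the secret stored with net idmap secret in the clear and that the directory should be reached over a TLS-protected connection when the bind DN is set.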