.TH SLAPO-SMBK5PWD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2015-2017 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
slapo-smbk5pwd \- Samba & Kerberos password sync overlay to slapd
.B "<path to>/krb5-kdc.schema"
.B "<path to>/samba.schema"
overloads the Password Modify Extended Operation (RFC 3062) to update
Kerberos keys and Samba password hashes for an LDAP user, as well as
updating password change related attributes for Kerberos, Samba and/or
The Samba support is written using the Samba 3.0 LDAP schema;
Kerberos support is written for Heimdal using its hdb-ldap backend.
password hash mechanism is provided.
objects that have this scheme specifier in their
attribute, Simple Binds will be checked against the Kerberos keys of the entry.
No data is needed after the
scheme specifier in the
it is looked up from the entry directly.
overlay supports the following
configuration options, which should appear after the
.BI smbk5pwd-enable " <module>"
can be used to enable only the desired modules.
objectclass, update the
.B krb5KeyVersionNumber
attributes using the new password in the Password Modify operation,
provided the Kerberos account is not expired.
Expiration is determined by evaluating the
object, synchronize the
to the password entered in the Password Modify operation, and update
.BR shadowLastChange ,
if the entry has the objectclass
By default all modules compiled in are enabled.
Setting the config statement restricts the enabled modules to the ones
explicitly mentioned.
.BI smbk5pwd-can-change " <seconds>"
module is enabled and the user is a
.BR sambaSamAccount ,
into the future, essentially denying any Samba password change until then.
disables this feature.
.BI smbk5pwd-must-change " <seconds>"
module is enabled and the user is a
.BR sambaSamAccount ,
.B sambaPwdMustChange
into the future, essentially setting the Samba password expiration time.
disables this feature.
Alternatively, the overlay supports table-driven configuration,
and thus can be run-time loaded and configured via back-config.
The layout of a slapd.d based, table-driven configuration entry looks like:
# {0}smbk5pwd, {1}mdb, config
dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: {0}smbk5pwd
olcSmbK5PwdEnable: krb5
olcSmbK5PwdEnable: samba
olcSmbK5PwdMustChange: 2592000
modules with a Samba password expiration time of 30 days (=
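The effect of these statements on a given entry can be checked offline. The following Python is an added example, not part of the original manual page or of OpenLDAP: it parses the entry shown above and reports which modules end up enabled and which Samba timestamps a password change would set. Assumptions: the compiled-in module set krb5/samba/shadow, the attribute names olcSmbK5PwdCanChange and sambaPwdCanChange, and that a value of 0 disables a timer; all function names are illustrative.

```python
# Added example; function names are illustrative, not OpenLDAP code.
KNOWN_MODULES = ("krb5", "samba", "shadow")  # assumed compiled-in set

# Constructed input: the entry from this page's example.
SAMPLE_LDIF = """\
dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSmbK5PwdConfig
olcOverlay: {0}smbk5pwd
olcSmbK5PwdEnable: krb5
olcSmbK5PwdEnable: samba
olcSmbK5PwdMustChange: 2592000
"""

def parse_entry(ldif):
    """Map lower-cased attribute names to value lists (plain 'attr: value' lines only)."""
    attrs = {}
    for line in ldif.splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def effective_config(ldif, compiled_in=KNOWN_MODULES):
    attrs = parse_entry(ldif)
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if "olcsmbk5pwdconfig" not in classes:
        raise ValueError("entry is not an olcSmbK5PwdConfig overlay")
    listed = [m.lower() for m in attrs.get("olcsmbk5pwdenable", [])]
    # No enable statement: all compiled-in modules; otherwise only those named.
    enabled = [m for m in compiled_in if m in listed] if listed else list(compiled_in)
    return {
        "enabled": enabled,
        "disabled": [m for m in compiled_in if m not in enabled],
        "unknown": [m for m in listed if m not in KNOWN_MODULES],
        "can_change": int(attrs.get("olcsmbk5pwdcanchange", ["0"])[0]),
        "must_change": int(attrs.get("olcsmbk5pwdmustchange", ["0"])[0]),
    }

def samba_times(cfg, changed_at):
    """Epoch values the samba module would set for a change at changed_at."""
    if "samba" not in cfg["enabled"]:
        return {}
    times = {}
    if cfg["can_change"] > 0:   # assumption: 0 means the feature is off
        times["sambaPwdCanChange"] = changed_at + cfg["can_change"]
    if cfg["must_change"] > 0:
        times["sambaPwdMustChange"] = changed_at + cfg["must_change"]
    return times
```

For the sample entry the shadow module is reported as disabled, so shadowLastChange would no longer be updated once the enable statements are present.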
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
This manual page has been written by Peter Marschall based on the
module's README file written by Howard Chu.
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
is derived from University of Michigan LDAP 3.3 Release.