Provided by: slapd-contrib_2.6.9+dfsg-2ubuntu1_amd64

NAME

       slapo-smbk5pwd - Samba & Kerberos password sync overlay to slapd

SYNOPSIS

       ETCDIR/slapd.conf
              include <path to>/krb5-kdc.schema
              include <path to>/samba.schema
              moduleload smbk5pwd.so
               ...
              database mdb
               ...
              overlay smbk5pwd

DESCRIPTION

       The  smbk5pwd  overlay  to slapd(8) overloads the Password Modify Extended Operation (RFC 3062) to update
       Kerberos keys and Samba password hashes for an LDAP user, as well as  updating  password  change  related
       attributes for Kerberos, Samba and/or UNIX user accounts.

       The  Samba  support  is  written using the Samba 3.0 LDAP schema; Kerberos support is written for Heimdal
       using its hdb-ldap backend.

       Additionally, a new {K5KEY} password hash mechanism is provided.  For krb5KDCEntry objects that have this
       scheme specifier in their userPassword attribute, Simple Binds will be checked against the Kerberos  keys
       of  the entry.  No data is needed after the {K5KEY} scheme specifier in the userPassword; the keys are
       looked up from the entry directly.

CONFIGURATION

       The smbk5pwd overlay supports the following slapd.conf configuration options, which should  appear  after
       the overlay directive:

       smbk5pwd-enable <module>
              can be used to enable only the desired modules.  Legal values for <module> are

              krb5   If  the  user has the krb5KDCEntry objectclass, update the krb5Key and krb5KeyVersionNumber
                     attributes using the new password in the Password Modify operation, provided  the  Kerberos
                     account is not expired.  Expiration is determined by evaluating the krb5ValidEnd attribute.

              samba  If  the  user  is a sambaSamAccount object, synchronize the sambaNTPassword to the password
                     entered in the Password Modify operation, and update sambaPwdLastSet accordingly.

              shadow Update the attribute shadowLastChange, if the entry has the objectclass shadowAccount.

              By default all modules compiled in are  enabled.   Setting  the  config  statement  restricts  the
              enabled modules to the ones explicitly mentioned.

       smbk5pwd-can-change <seconds>
              If  the  samba  module  is  enabled  and  the  user  is  a  sambaSamAccount,  update the attribute
              sambaPwdCanChange to point <seconds> into the  future,  essentially  denying  any  Samba  password
              change until then.  A value of 0 disables this feature.

       smbk5pwd-must-change <seconds>
              If  the  samba  module  is  enabled  and  the  user  is  a  sambaSamAccount,  update the attribute
              sambaPwdMustChange to point <seconds> into the future,  essentially  setting  the  Samba  password
              expiration time.  A value of 0 disables this feature.

       Alternatively,  the  overlay  supports  table-driven  configuration,  and thus can be run-time loaded and
       configured via back-config.
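       The options above decide, per entry and per enabled module, which attributes a single Password Modify
       will rewrite.  The following is an added illustration (not the overlay's own code) that models those
       rules so an administrator can predict the side effects on a given entry before running ldappasswd.  It
       assumes that krb5ValidEnd is a GeneralizedTime string in UTC such as 20301231235959Z, that all three
       modules are compiled in, that krb5KeyVersionNumber is bumped by one, and that the time-stamp attributes
       follow the usual Samba and shadow schema conventions (sambaPwd* in Unix seconds, shadowLastChange in
       days since the epoch); the function and parameter names are this example's own.

```python
"""Model of which attributes slapo-smbk5pwd rewrites on a Password Modify.

Added illustration; not the overlay's own code.  It encodes the rules of the
CONFIGURATION section of slapo-smbk5pwd(5) as a decision table.
"""
from datetime import datetime, timezone

# assumption: all three modules are compiled in (the page's default case)
ALL_MODULES = ("krb5", "samba", "shadow")


def parse_gentime(value):
    """Parse an LDAP GeneralizedTime in UTC, e.g. '20301231235959Z' (assumption:
    krb5ValidEnd uses exactly this form)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def krb5_expired(entry, now):
    """The Kerberos account is expired if krb5ValidEnd lies in the past; an
    entry without krb5ValidEnd never expires."""
    valid_end = entry.get("krb5ValidEnd")
    if valid_end is None:
        return False
    return parse_gentime(valid_end) <= now


def plan_password_modify(entry, enabled=None, can_change=0, must_change=0, now=None):
    """Return {attribute: new value} for what the overlay would write.

    entry       dict of attribute -> value (objectClass is a list of strings)
    enabled     modules from smbk5pwd-enable; None means all modules enabled
    can_change  smbk5pwd-can-change in seconds (0 disables)
    must_change smbk5pwd-must-change in seconds (0 disables)
    now         GeneralizedTime string or None for the current time
    Values derived from the secret itself are shown as placeholders, since
    the model only predicts *which* attributes change.
    """
    now = parse_gentime(now) if now else datetime.now(timezone.utc)
    enabled = set(enabled) if enabled else set(ALL_MODULES)
    unknown = enabled - set(ALL_MODULES)
    if unknown:
        raise ValueError(f"illegal smbk5pwd-enable value(s): {sorted(unknown)}")

    classes = {c.lower() for c in entry.get("objectClass", [])}
    epoch = int(now.timestamp())
    changes = {}

    # krb5: only for krb5KDCEntry objects whose account has not expired
    if "krb5" in enabled and "krb5kdcentry" in classes and not krb5_expired(entry, now):
        changes["krb5Key"] = "<keys derived from new password>"
        # assumption: the key version number is incremented by one
        changes["krb5KeyVersionNumber"] = int(entry.get("krb5KeyVersionNumber", 0)) + 1

    # samba: sync the NT hash and the password change bookkeeping attributes
    if "samba" in enabled and "sambasamaccount" in classes:
        changes["sambaNTPassword"] = "<NT hash of new password>"
        changes["sambaPwdLastSet"] = epoch            # Unix seconds (Samba convention)
        if can_change:                                # 0 disables the feature
            changes["sambaPwdCanChange"] = epoch + can_change
        if must_change:                               # 0 disables the feature
            changes["sambaPwdMustChange"] = epoch + must_change

    # shadow: only the last-change stamp, in days since the epoch
    if "shadow" in enabled and "shadowaccount" in classes:
        changes["shadowLastChange"] = epoch // 86400

    return changes


if __name__ == "__main__":
    # constructed sample entry carrying all three object classes
    sample = {
        "objectClass": ["krb5KDCEntry", "sambaSamAccount", "shadowAccount"],
        "krb5ValidEnd": "20301231235959Z",
        "krb5KeyVersionNumber": "3",
    }
    for attr, val in plan_password_modify(sample, ("krb5", "samba"), must_change=2592000).items():
        print(f"{attr}: {val}")
```

       Running the model with the EXAMPLE configuration of this page (krb5 and samba enabled, must-change of
       2592000 seconds) shows that shadowLastChange is left alone even though the entry is a shadowAccount,
       which is the point of restricting smbk5pwd-enable to the desired modules.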

EXAMPLE

       The layout of a slapd.d based, table-driven configuration entry looks like:

               # {0}smbk5pwd, {1}mdb, config
               dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
               objectClass: olcOverlayConfig
               objectClass: olcSmbK5PwdConfig
               olcOverlay: {0}smbk5pwd
               olcSmbK5PwdEnable: krb5
               olcSmbK5PwdEnable: samba
               olcSmbK5PwdMustChange: 2592000

       which enables both krb5 and samba modules with a Samba password expiration time of  30  days  (=  2592000
       seconds).
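       Because the same three settings exist both as slapd.conf directives and as olcSmbK5Pwd* attributes, a
       small converter makes it easy to move a tested slapd.conf stanza into slapd.d.  The following is an
       added example, not OpenLDAP code: it reads the smbk5pwd directives out of slapd.conf text, validates the
       module names and the <seconds> values, and renders the back-config entry shown above.  The directive and
       attribute names come from this manual page; the db_index, db_type and overlay_index parameters, the
       function names and the one-module-per-line reading of smbk5pwd-enable are this example's assumptions.

```python
"""Translate smbk5pwd slapd.conf directives into the equivalent olc LDIF entry.

Added illustration, not OpenLDAP code.  Names of directives and attributes are
taken from slapo-smbk5pwd(5); everything else is this example's own.
"""
import re

LEGAL_MODULES = {"krb5", "samba", "shadow"}
DIRECTIVES = {
    "smbk5pwd-enable": "olcSmbK5PwdEnable",
    "smbk5pwd-can-change": "olcSmbK5PwdCanChange",
    "smbk5pwd-must-change": "olcSmbK5PwdMustChange",
}


def parse_slapd_conf(text):
    """Return a validated list of (directive, value) for the smbk5pwd directives.

    Comments and unrelated directives are skipped; an illegal module name or a
    non-integer <seconds> argument raises ValueError instead of silently
    producing a config that slapd would reject at start-up.
    """
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key not in DIRECTIVES:
            continue
        if len(parts) != 2 or not parts[1].strip():
            raise ValueError(f"{key}: missing argument")
        value = parts[1].strip()
        if key == "smbk5pwd-enable":
            # assumption: one module per directive line, as the man page shows
            if value not in LEGAL_MODULES:
                raise ValueError(f"{key}: illegal module {value!r}")
        elif not re.fullmatch(r"\d+", value):
            raise ValueError(f"{key}: <seconds> must be a non-negative integer")
        found.append((key, value))
    return found


def to_olc_ldif(text, db_index=1, db_type="mdb", overlay_index=0):
    """Render the slapd.d overlay entry for the given slapd.conf text.

    db_index/db_type pick the olcDatabase the overlay sits under, and
    overlay_index its position among that database's overlays (assumed
    values; check `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` first).
    """
    dn = f"olcOverlay={{{overlay_index}}}smbk5pwd,olcDatabase={{{db_index}}}{db_type},cn=config"
    lines = [
        f"dn: {dn}",
        "objectClass: olcOverlayConfig",
        "objectClass: olcSmbK5PwdConfig",
        f"olcOverlay: {{{overlay_index}}}smbk5pwd",
    ]
    for key, value in parse_slapd_conf(text):
        lines.append(f"{DIRECTIVES[key]}: {value}")
    return "\n".join(lines) + "\n"


def expiry_days(ldif_text):
    """Read olcSmbK5PwdMustChange back out of an LDIF entry and report it in
    days, the unit an administrator actually reasons about."""
    m = re.search(r"^olcSmbK5PwdMustChange:\s*(\d+)\s*$", ldif_text, re.M)
    return None if m is None else int(m.group(1)) / 86400


if __name__ == "__main__":
    # constructed slapd.conf fragment matching the EXAMPLE section
    conf = """
    overlay smbk5pwd
    smbk5pwd-enable krb5
    smbk5pwd-enable samba
    smbk5pwd-must-change 2592000   # 30 days
    """
    ldif = to_olc_ldif(conf)
    print(ldif)
    print(f"Samba password expiration: {expiry_days(ldif):g} days")
```

       The rendered entry can be fed to ldapadd against the config database (for example with SASL EXTERNAL
       over ldapi:///, the usual way of editing cn=config as root); expiry_days is a quick sanity check that the
       seconds value really is the number of days intended before the change goes live.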

SEE ALSO

       slapd.conf(5), ldappasswd(1), ldap(3),

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

ACKNOWLEDGEMENTS

       This  manual page has been written by Peter Marschall based on the module's README file written by Howard
       Chu.

       OpenLDAP is developed and maintained by The OpenLDAP  Project  (http://www.openldap.org/).   OpenLDAP  is
       derived from University of Michigan LDAP 3.3 Release.

OpenLDAP LDVERSION                                 RELEASEDATE                                 SLAPO-SMBK5PWD(5)