From: franklahm Date: Tue, 3 Feb 2009 15:42:15 +0000 (+0000) Subject: New man pages for ACL option X-Git-Tag: before_new_logger~17 X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?p=netatalk.git;a=commitdiff_plain;h=fb5b11ca0143deb8df03e8eb8dea2b5e3baf95b6 New man pages for ACL option --- diff --git a/man/man5/Makefile.am b/man/man5/Makefile.am index 7331e44b..e8670277 100644 --- a/man/man5/Makefile.am +++ b/man/man5/Makefile.am @@ -12,10 +12,12 @@ SUFFIXES = .tmpl . <$< >$@ man_MANS = AppleVolumes.default.5 afpd.conf.5 \ - atalkd.conf.5 netatalk.conf.5 papd.conf.5 + atalkd.conf.5 netatalk.conf.5 papd.conf.5 \ + ldap.conf.5 TEMPLATE_FILES = AppleVolumes.default.5.tmpl afpd.conf.5.tmpl \ - atalkd.conf.5.tmpl netatalk.conf.5.tmpl papd.conf.5.tmpl + atalkd.conf.5.tmpl netatalk.conf.5.tmpl papd.conf.5.tmpl \ + ldap.conf.5.tmpl CLEANFILES = $(man_MANS) diff --git a/man/man5/ldap.conf.5.tmpl b/man/man5/ldap.conf.5.tmpl new file mode 100644 index 00000000..b7dc0649 --- /dev/null +++ b/man/man5/ldap.conf.5.tmpl 
@@ -0,0 +1,224 @@ +.\" Title: ldap.conf +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.74.0 +.\" Date: 31-01-2009 +.\" Manual: Netatalk 2.0 Manual +.\" Source: :NETATALK_VERSION: +.\" Language: English +.\" +.TH "LDAP\&.CONF" "5" "31-01-2009" ":NETATALK_VERSION:" "Netatalk 2.0 Manual" +.\" ----------------------------------------------------------------- +.\" * (re)Define some macros +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BB/BE - put background/screen (filled box) around block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BB +.if t \{\ +.sp -.5 +.br +.in +2n +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EB +.if t \{\ +.if "\\$2"adjust-for-leading-newline" \{\ +.sp -1 +.\} +.br +.di +.in +.ll +.gcolor +.nr BW \\n(.lu-\\n(.i +.nr BH \\n(dn+.5v +.ne \\n(BHu+.5v +.ie "\\$2"adjust-for-leading-newline" \{\ +\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.el \{\ +\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.in 0 +.sp -.5v +.nf +.BX +.in +.sp .5v +.fi +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BM/EM - put colored marker in margin next to block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BM +.if t \{\ +.br +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EM +.if t \{\ +.br +.di +.ll +.gcolor +.nr BH \\n(dn +.ne \\n(BHu +\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] +.in 0 +.nf +.BX +.in +.fi +.\} +.. 
+.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "Name" +ldap.conf \- Configuration file used by afpd(8) to configure a LDAP connection to an LDAP server\&. That is needed for ACL support in order to be able to query LDAP for UUIDs\&. +.SH "Description" +.PP +\FC:ETCDIR:/ldap\&.conf\F[] +is the configuration file used by +\fBafpd\fR +to set up an LDAP connection to an LDAP server\&. +.PP +Any line not prefixed with # is interpreted\&. +.PP +.if n \{\ +.sp +.\} +.RS 4 +.BM yellow +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.br +.ps +1 +\fBNote\fR +.ps -1 +.br +.PP +You can use +\fBuuidtest\fR(1) +to syntactically check your config +.sp .5v +.EM yellow +.RE +The required parameters and their meanings are: +.SH "Parameter" +.PP +ldap_server +.RS 4 +Name or IP address of your LDAP Server +.sp +.RE +.PP +ldap_auth_method +.RS 4 + +.PP +none +.RS 4 +anonymous LDAP bind +.RE +.PP +simple +.RS 4 +simple LDAP bind +.RE +.PP +sasl +.RS 4 +SASL\&. Not yet supported ! +.RE +.RE +.PP +ldap_auth_dn +.RS 4 +Distinguished Name of the user for simple bind\&. +.sp +.RE +.PP +ldap_auth_pw +.RS 4 +Distinguished Name of the user for simple bind\&. +.sp +.RE +.PP +ldap_userbase +.RS 4 +DN of the user container in LDAP\&. +.sp +.RE +.PP +ldap_groupbase +.RS 4 +DN of the group container in LDAP\&. +.sp +.RE +.PP +ldap_uuuid_attr +.RS 4 +Name of the LDAP attribute with the UUIDs\&. +.sp +Note: this is used both for users and groups\&. +.sp +.RE +.PP +ldap_name_attr +.RS 4 +Name of the LDAP attribute with the users short name\&. 
+.sp +.RE +.PP +ldap_group_attr +.RS 4 +Name of the LDAP attribute with the groups short name\&. +.sp +.RE +.SH "Examples" +.PP +\fBExample.\ \&ldap.conf setup with simple bind\fR +.sp +.if n \{\ +.RS 4 +.\} +.fam C +.ps -1 +.nf +.BB lightgray +ldap_server = localhost +ldap_auth_method = simple +ldap_auth_dn = cn=admin,dc=domain,dc=org +ldap_auth_pw = notthisone +ldap_userbase = ou=users,dc=domain,dc=org +ldap_groupbase = ou=groups,dc=domain,dc=org +ldap_uuid_attr = some_attribute +ldap_name_attr = cn +ldap_group_attr = cn +.EB lightgray +.fi +.fam +.ps +1 +.if n \{\ +.RE +.\} +.SH "See also" +.PP +\fBafpd\fR(8), +\fBAppleVolumes.default\fR(5),\fBuuidtest\fR(1) diff --git a/man/man8/Makefile.am b/man/man8/Makefile.am index 093ec0d6..99d41e39 100644 --- a/man/man8/Makefile.am +++ b/man/man8/Makefile.am @@ -14,8 +14,9 @@ SUFFIXES = .tmpl . <$< >$@ NONGENERATED_MANS = timelord.8 -GENERATED_MANS = afpd.8 atalkd.8 cnid_dbd.8 cnid_metad.8 papd.8 papstatus.8 psf.8 -TEMPLATE_FILES = afpd.8.tmpl atalkd.8.tmpl cnid_dbd.8.tmpl cnid_metad.8.tmpl papd.8.tmpl papstatus.8.tmpl psf.8.tmpl +GENERATED_MANS = afp_acls.8 afpd.8 atalkd.8 cnid_dbd.8 cnid_metad.8 papd.8 papstatus.8 psf.8 +TEMPLATE_FILES = afp_acls.8.tmpl afpd.8.tmpl atalkd.8.tmpl cnid_dbd.8.tmpl \ + cnid_metad.8.tmpl papd.8.tmpl papstatus.8.tmpl psf.8.tmpl man_MANS = $(GENERATED_MANS) $(NONGENERATED_MANS) diff --git a/man/man8/afp_acls.8.tmpl b/man/man8/afp_acls.8.tmpl new file mode 100644 index 00000000..4e7d7d82 --- /dev/null +++ b/man/man8/afp_acls.8.tmpl 
@@ -0,0 +1,229 @@ +.\" Title: afp_acls +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.74.0 +.\" Date: 31-01-2009 +.\" Manual: Netatalk 2.0 Manual +.\" Source: :NETATALK_VERSION: +.\" Language: English +.\" +.TH "AFP_ACLS" "8" "31-01-2009" ":NETATALK_VERSION:" "Netatalk 2.0 Manual" +.\" ----------------------------------------------------------------- +.\" * (re)Define some macros +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BB/BE - put background/screen (filled box) around block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BB +.if t \{\ +.sp -.5 +.br +.in +2n +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EB +.if t \{\ +.if "\\$2"adjust-for-leading-newline" \{\ +.sp -1 +.\} +.br +.di +.in +.ll +.gcolor +.nr BW \\n(.lu-\\n(.i +.nr BH \\n(dn+.5v +.ne \\n(BHu+.5v +.ie "\\$2"adjust-for-leading-newline" \{\ +\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.el \{\ +\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.in 0 +.sp -.5v +.nf +.BX +.in +.sp .5v +.fi +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BM/EM - put colored marker in margin next to block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BM +.if t \{\ +.br +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EM +.if t \{\ +.br +.di +.ll +.gcolor +.nr BH \\n(dn +.ne \\n(BHu +\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] +.in 0 +.nf +.BX +.in +.fi +.\} +.. 
+.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "Name" +afp_acls \- Setup and Usage Howto for ACLs with Netatalk +.SH "Description" +.PP +ACL support for AFP is implemented with NFSv4 ACLs\&. Few filesystems and fewer OSes support these\&. At the time of implementation its only provided with ZFS on Solaris, Opensolaris and derived distributions\&. +.SH "Configuration" +.PP +In order to be able to support ACLs, the following things have to be configured: +.sp +.RS 4 +.ie n \{\ +\h'-04' 1.\h'+01'\c +.\} +.el \{\ +.sp -1 +.IP " 1." 4.2 +.\} +ZFS Volumes +.sp +You MUST configure two ACL parameters for any volume you want to use with Netatalk: +.sp +.if n \{\ +.RS 4 +.\} +.fam C +.ps -1 +.nf +.BB lightgray +aclinherit = passthrough +aclmode = passthrough +.EB lightgray +.fi +.fam +.ps +1 +.if n \{\ +.RE +.\} +.sp +For an explanation of what these parameters mean and how to apply them see, your hosts ZFS documentation (e\&.g\&. man zfs)\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04' 2.\h'+01'\c +.\} +.el \{\ +.sp -1 +.IP " 2." 4.2 +.\} +Authentication Domain +.sp +Your server and the clients must be part of a security association where identity data is coming from a common source\&. ACLs in Darwin are based on UUIDs and so is the ACL specification in AFP 3\&.2\&. Therefor your source of identity data has to provide an attribute for every user and group where a UUID is stored as a ASCII string\&. 
+.sp +In other words: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +you need an Open Directory Server or an LDAP server where you store UUIDs in some attribute +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +your clients must be configured to use this server +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +your server should be configured to use this server via nsswitch and PAM\&. +.if n \{\ +.sp +.\} +.RS 4 +.BM yellow +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.br +.ps +1 +\fBTip\fR +.ps -1 +.br +This however is not a strict requirement: if you create duplicates of every LDAP/OD user and group with identic attributes (name, uid, gid) in your local data store (/etc/[passwd|group]) ACLs will work +\fIas long as user/group names/ids in the filesystem are equal to their counterparts in the LDAP/OD datastore\fR\&. +.sp .5v +.EM yellow +.RE +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +configure Netatalk via ldap\&.conf so that Netatalk is able to retrieve the UUID for users and groups via LDAP search queries +.RE +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04' 3.\h'+01'\c +.\} +.el \{\ +.sp -1 +.IP " 3." 4.2 +.\} +Netatalk Volumes +.sp +Finally you can add +\fBoptions:acls\fR +to your volume defintion to add ACL support\&. In case your volume basedir doesn\'t grant read permissions via mode (like: +\fB0700 root:adm\fR) but only via ACLs, you MUST add the +\fBnostat\fR +option to the volume defintion\&. +.RE +.SH "SEE ALSO" +.PP +\fBldap.conf\fR(5), +\fBAppleVolumes.default\fR(5)
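Review bot: In the new man/man5/ldap.conf.5.tmpl, the description of ldap_auth_pw is a copy of the ldap_auth_dn entry ("Distinguished Name of the user for simple bind") and should read something like "Password of the user for simple bind"; the parameter list also spells the UUID attribute `ldap_uuuid_attr` (three u's) while the example block uses `ldap_uuid_attr`, so one of the two is wrong and an admin copying the name from the parameter list would get an ignored setting. Since the example shows the bind password stored in clear text (`ldap_auth_pw = notthisone`), the Description should also state that the file must be readable only by root/afpd and not world-readable. Minor: the header still carries "[FIXME: author]", and "a LDAP connection" in the Name line should be "an LDAP connection".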
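Review bot: In the new man/man8/afp_acls.8.tmpl, the Tip in step 2 ("if you create duplicates of every LDAP/OD user and group ... in your local data store") describes a setup where identity data is intentionally duplicated; it should say explicitly that the UUIDs are still fetched from LDAP via ldap.conf in that case, and that any drift between /etc/passwd|group and the directory breaks the ACL mapping silently, since the only stated requirement is that names/ids stay "equal to their counterparts". Typos to fix in the same hunk: "its only provided" should be "it's only provided", "Therefor" should be "Therefore", "identic" should be "identical", and "defintion" appears twice for "definition". Style: the last heading is `.SH "SEE ALSO"` while every other heading in both new pages uses title case (`"Name"`, `"Description"`, `"See also"`); the header also still carries "[FIXME: author]".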