1597 lines, 51 KiB, XML
|  | <?xml version="1.0" encoding="UTF-8"?> | ||
|  | <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | ||
|  | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">  | ||
|  |   <chapter id="a_selfService"> | ||
|  |     <title>Self service (LAM Pro)</title> | ||
|  | 
 | ||
|  |     <section> | ||
|  |       <title>Preparations</title> | ||
|  | 
 | ||
|  |       <section id="openldapAcls"> | ||
|  |         <title>OpenLDAP ACLs</title> | ||
|  | 
 | ||
|  |         <para>By default only a few administrative users have write access to | ||
|  |         the LDAP database. Before your users may change their settings you | ||
|  |         must allow them to change their LDAP data.</para> | ||
|  | 
 | ||
|  |         <para>Hint: The ACLs below are not required if you decide to run all | ||
|  |         operations as the LDAP bind user (option "Use for all | ||
|  |         operations").</para> | ||
|  | 
 | ||
|  |         <para>This can be done by adding ACLs to your slapd.conf or | ||
|  |         slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to | ||
|  |         these:</para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">access to</emphasis></para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold"> attrs=userPassword</emphasis></para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold"> by self write</emphasis></para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold"> by anonymous auth</emphasis></para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold"> by * none</emphasis></para> | ||
|  | 
 | ||
|  |         <literallayout> | ||
|  | </literallayout> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">access to</emphasis></para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold"> | ||
|  |         attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail</emphasis></para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold"> by self write</emphasis></para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold"> by * read</emphasis></para> | ||
|  | 
 | ||
|  |         <para>If you do not want them to change all attributes then reduce the | ||
|  |         list to fit your needs. Some modules may require additional LDAP | ||
|  |         attributes. You can use the tree view to get the technical attribute | ||
|  |         names, e.g. by selecting a user account.</para> | ||
|  | 
 | ||
|  |         <para>Usually, the slapd.conf file is located in /etc/ldap or | ||
|  |         /etc/openldap.</para> | ||
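
        <para>Added example (not part of LAM or of the original manual): a small Python check that parses <literal>access to</literal> directives in slapd.conf syntax and reports self-service ACLs that are wider than the ones shown above. The <literal>PRIVILEGED</literal> attribute set, the function names and the weak sample are assumptions made for this illustration.</para>

        <programlisting><![CDATA[
```python
import re

# Access levels in increasing order, as documented in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Assumption for this example: attributes a user should never be able to
# change on their own entry. Adjust the set to your schema.
PRIVILEGED = {"uidnumber", "gidnumber", "homedirectory", "objectclass"}

# Subjects that match more than the entry owner or a named administrator.
BROAD_SUBJECTS = {"*", "users", "anonymous"}

# The two ACLs from this section, written out in slapd.conf syntax.
PAGE_ACLS = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail
    by self write
    by * read
"""

# Constructed weak variant (not from the manual) used to show findings.
WEAK_ACLS = """\
# password hash readable by everyone, numeric UID self-writable
access to attrs=userPassword,uidNumber
    by self write
    by * read
"""


def directives(conf):
    """Join slapd.conf continuation lines (leading whitespace) into directives."""
    out = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out


def parse_acl(directive):
    """Return (attrs, [(who, level), ...]) for an 'access to' directive, else None.

    Simplification: subjects containing spaces (quoted DNs) are not handled.
    """
    m = re.match(r"access\s+to\s+(.*)", directive, re.I)
    if not m:
        return None
    what, *clauses = re.split(r"\s+by\s+", m.group(1))
    attrs_m = re.search(r"\battrs?=(\S+)", what)
    attrs = [a.lower() for a in attrs_m.group(1).split(",")] if attrs_m else []
    grants = []
    for clause in clauses:
        parts = clause.split()
        grants.append((parts[0], parts[1].lower() if len(parts) > 1 else "none"))
    return attrs, grants


def rank(level):
    """Position of an access level in LEVELS, or -1 for syntax not handled here."""
    return LEVELS.index(level) if level in LEVELS else -1


def audit(conf):
    """Return a list of findings for self-service ACLs that grant too much."""
    findings = []
    for directive in directives(conf):
        acl = parse_acl(directive)
        if acl is None:
            continue
        attrs, grants = acl
        self_write = any(w == "self" and rank(l) >= rank("write") for w, l in grants)
        if self_write and not attrs:
            findings.append("self write on whole entries")
        for attr in attrs:
            if self_write and attr in PRIVILEGED:
                findings.append(f"{attr}: self-writable privileged attribute")
        if "userpassword" in attrs:
            for who, level in grants:
                if who in BROAD_SUBJECTS and rank(level) > rank("auth"):
                    findings.append(f"userPassword: '{who}' has {level} access")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_ACLS):
        print(finding)
```
]]></programlisting>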
|  |       </section> | ||
|  | 
 | ||
|  |       <section> | ||
|  |         <title>Other LDAP servers</title> | ||
|  | 
 | ||
|  |         <para>There exist many LDAP implementations. If you do not use | ||
|  |         OpenLDAP you need to write your own ACLs. Please check the manual of | ||
|  |         your LDAP server for instructions.</para> | ||
|  |       </section> | ||
|  |     </section> | ||
|  | 
 | ||
|  |     <section> | ||
|  |       <title>Creating a self service profile</title> | ||
|  | 
 | ||
|  |       <para>A self service profile defines what input fields your users see | ||
|  |       and some other general settings like the login caption.</para> | ||
|  | 
 | ||
|  |       <para>When you go to the LAM configuration page you will see the self | ||
|  |       service link at the bottom. This will lead you to the self service | ||
|  |       configuration pages.</para> | ||
|  | 
 | ||
|  |       <screenshot> | ||
|  |         <mediaobject> | ||
|  |           <imageobject> | ||
|  |             <imagedata fileref="images/conf1.png" /> | ||
|  |           </imageobject> | ||
|  |         </mediaobject> | ||
|  |       </screenshot> | ||
|  | 
 | ||
|  |       <para>Now we need to create a new self service profile. Click on the | ||
|  |       link to manage the self service profiles.</para> | ||
|  | 
 | ||
|  |       <screenshot> | ||
|  |         <mediaobject> | ||
|  |           <imageobject> | ||
|  |             <imagedata fileref="images/conf2.png" /> | ||
|  |           </imageobject> | ||
|  |         </mediaobject> | ||
|  |       </screenshot> | ||
|  | 
 | ||
|  |       <para>Specify a name for the new profile and enter your master | ||
|  |       configuration password (default is "lam") to save the profile.</para> | ||
|  | 
 | ||
|  |       <screenshot> | ||
|  |         <mediaobject> | ||
|  |           <imageobject> | ||
|  |             <imagedata fileref="images/conf3.png" /> | ||
|  |           </imageobject> | ||
|  |         </mediaobject> | ||
|  |       </screenshot> | ||
|  | 
 | ||
|  |       <para>Now go back to the profile login and enter your master | ||
|  |       configuration password to edit your new profile.</para> | ||
|  |     </section> | ||
|  | 
 | ||
|  |     <section> | ||
|  |       <title>Edit your new profile</title> | ||
|  | 
 | ||
|  |       <section id="selfServiceBasicSettings"> | ||
|  |         <title>General settings</title> | ||
|  | 
 | ||
|  |         <para>On top of the page you see the link to the user login page. Copy | ||
|  |         this link address and give it to your users.</para> | ||
|  | 
 | ||
|  |         <para>Below the link you can specify several options.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/conf4.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <table border="0"> | ||
|  |           <title>General options</title> | ||
|  | 
 | ||
|  |           <tgroup cols="2"> | ||
|  |             <tbody> | ||
|  |               <row> | ||
|  |                 <entry>Server address</entry> | ||
|  | 
 | ||
|  |                 <entry>The address of your LDAP server. For LDAP+SSL use | ||
|  |                 "ldaps://myserver"</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Activate TLS</entry> | ||
|  | 
 | ||
|  |                 <entry>Activates TLS encryption. Please note that this cannot | ||
|  |                 be combined with LDAP+SSL ("ldaps://").</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>LDAP suffix</entry> | ||
|  | 
 | ||
|  |                 <entry>The part of the LDAP tree where LAM should search for | ||
|  |                 users</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>LDAP search attribute</entry> | ||
|  | 
 | ||
|  |                 <entry>Here you can specify whether your users log in with user | ||
|  |                 name + password, email + password or other attributes.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Follow referrals</entry> | ||
|  | 
 | ||
|  |                 <entry>By default LAM will not follow LDAP referrals. This is | ||
|  |                 ok for most installations. If you use LDAP referrals please | ||
|  |                 activate the referral option in advanced settings.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>LDAP user + password</entry> | ||
|  | 
 | ||
|  |                 <entry>The DN and password that are used to search for users | ||
|  |                 in the LDAP database. It is sufficient if this DN has only | ||
|  |                 read rights. If you leave these fields empty LAM will try to | ||
|  |                 connect anonymously.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Use for all operations</entry> | ||
|  | 
 | ||
|  |                 <entry>By default LAM will use the credentials of the user | ||
|  |                 that logged in to self service for read/modify operations. If | ||
|  |                 you select this box then the connection user specified before | ||
|  |                 will be used instead. Please note that this can be a security | ||
|  |                 risk because the connection user requires write access to all | ||
|  |                 users. You need to make sure that your LAM server is well | ||
|  |                 protected.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Additional LDAP filter</entry> | ||
|  | 
 | ||
|  |                 <entry>Use this to enter an additional LDAP filter (e.g. | ||
|  |                 "(objectClass=passwordSelfReset)") to reduce the number of | ||
|  |                 accounts who may use self service.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>HTTP authentication</entry> | ||
|  | 
 | ||
|  |                 <entry>You can enable HTTP authentication for your users. This | ||
|  |                 way the web server is responsible for authenticating your users. | ||
|  |                 LAM will use the given user name + password for the LDAP | ||
|  |                 login. To set up HTTP authentication in Apache please see this | ||
|  |                 <ulink | ||
|  |                 url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Login attribute label</entry> | ||
|  | 
 | ||
|  |                 <entry>This is the description for the LDAP search attribute. | ||
|  |                 Set it to something which your users are familiar | ||
|  |                 with.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Password field label</entry> | ||
|  | 
 | ||
|  |                 <entry>This text is placed as label for the password field on | ||
|  |                 the login page. LAM will use "Password" if you do not enter | ||
|  |                 any text.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Login caption</entry> | ||
|  | 
 | ||
|  |                 <entry>This text is displayed at the login page. You can input | ||
|  |                 HTML, too.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Main page caption</entry> | ||
|  | 
 | ||
|  |                 <entry>This text is displayed at self service main page where | ||
|  |                 your users change their data. You can input HTML, too.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Page header</entry> | ||
|  | 
 | ||
|  |                 <entry>This HTML code will be placed on top of all self | ||
|  |                 service pages. E.g. you can use this to place your custom | ||
|  |                 logo. Any HTML code is permitted.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Additional CSS links</entry> | ||
|  | 
 | ||
|  |                 <entry>Here you can specify additional CSS links to change the | ||
|  |                 layout of the self service pages. This is useful to adapt them | ||
|  |                 to your corporate design. Please enter one link per | ||
|  |                 line.</entry> | ||
|  |               </row> | ||
|  |             </tbody> | ||
|  |           </tgroup> | ||
|  |         </table> | ||
|  | 
 | ||
|  |         <para></para> | ||
|  | 
 | ||
|  |         <section> | ||
|  |           <title>2-factor authentication</title> | ||
|  | 
 | ||
|  |           <para>LAM supports 2-factor authentication for your users. This | ||
|  |           means the user will not only authenticate by user+password but also | ||
|  |           with e.g. a token generated by a mobile device. This adds more | ||
|  |           security because the token is generated on a physically separate | ||
|  |           device (typically a mobile phone).</para> | ||
|  | 
 | ||
|  |           <para>The token is validated by a second application. LAM currently | ||
|  |           supports:</para> | ||
|  | 
 | ||
|  |           <itemizedlist> | ||
|  |             <listitem> | ||
|  |               <para><ulink | ||
|  |               url="https://www.privacyidea.org/">privacyIdea</ulink></para> | ||
|  |             </listitem> | ||
|  |           </itemizedlist> | ||
|  | 
 | ||
|  |           <para>By default LAM will enforce the use of a token and reject users | ||
|  |           that did not set one up. You can set this check to optional. But if a | ||
|  |           user has set up a token then this will always be required.</para> | ||
|  | 
 | ||
|  |           <screenshot> | ||
|  |             <mediaobject> | ||
|  |               <imageobject> | ||
|  |                 <imagedata fileref="images/conf7.png" /> | ||
|  |               </imageobject> | ||
|  |             </mediaobject> | ||
|  |           </screenshot> | ||
|  | 
 | ||
|  |           <para>After logging in with user + password LAM will ask for the 2nd | ||
|  |           factor. If the user has set up multiple factors then they can choose | ||
|  |           one of them.</para> | ||
|  | 
 | ||
|  |           <screenshot> | ||
|  |             <mediaobject> | ||
|  |               <imageobject> | ||
|  |                 <imagedata fileref="images/conf8.png" /> | ||
|  |               </imageobject> | ||
|  |             </mediaobject> | ||
|  |           </screenshot> | ||
|  |         </section> | ||
|  |       </section> | ||
|  | 
 | ||
|  |       <section> | ||
|  |         <title>Page layout</title> | ||
|  | 
 | ||
|  |         <para>Here you can specify what input fields your users can see. It is | ||
|  |         also possible to group several input fields.</para> | ||
|  | 
 | ||
|  |         <para>Please use the arrow signs to change the order of the | ||
|  |         fields/groups.</para> | ||
|  | 
 | ||
|  |         <para>You may also set some fields as read-only for your users. This | ||
|  |         can be done by clicking on the lock symbol. Read-only fields can be | ||
|  |         used to show your users additional data on the self service page that | ||
|  |         must not be changed by themselves (e.g. first/last name).</para> | ||
|  | 
 | ||
|  |         <para>Sometimes, you may want to set a custom label for an input | ||
|  |         field. Click on the edit icon to set your own label text (Personal: | ||
|  |         Department is relabeled as "Business unit" here).</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/conf5.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Possible input fields</emphasis></para> | ||
|  | 
 | ||
|  |         <para>This is a list of input fields you may add to the self service | ||
|  |         page.</para> | ||
|  | 
 | ||
|  |         <table> | ||
|  |           <title>Self service fields</title> | ||
|  | 
 | ||
|  |           <tgroup cols="3"> | ||
|  |             <tbody> | ||
|  |               <row> | ||
|  |                 <entry align="center"><emphasis role="bold">Account | ||
|  |                 type</emphasis></entry> | ||
|  | 
 | ||
|  |                 <entry align="center"><emphasis | ||
|  |                 role="bold">Option</emphasis></entry> | ||
|  | 
 | ||
|  |                 <entry align="center"><emphasis | ||
|  |                 role="bold">Description</emphasis></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry morerows=""><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_asterisk.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Asterisk (voicemail)</entry> | ||
|  | 
 | ||
|  |                 <entry>Sync Asterisk password with Unix password</entry> | ||
|  | 
 | ||
|  |                 <entry>This is a hidden field. It will update the Asterisk | ||
|  |                 password each time the Unix password is changed.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_heimdal.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Kerberos</entry> | ||
|  | 
 | ||
|  |                 <entry>Sync Kerberos password with Unix password</entry> | ||
|  | 
 | ||
|  |                 <entry>This is a hidden field. It will update the Kerberos | ||
|  |                 password each time the Unix password is changed.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry morerows="1"><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_kolab.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Kolab</entry> | ||
|  | 
 | ||
|  |                 <entry>Delegates</entry> | ||
|  | 
 | ||
|  |                 <entry>Allows managing delegate permissions</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Invitation policy</entry> | ||
|  | 
 | ||
|  |                 <entry>Invitation policy management</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_ssh.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Password policy</entry> | ||
|  | 
 | ||
|  |                 <entry>Last password change</entry> | ||
|  | 
 | ||
|  |                 <entry>read-only</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry morerows="2"><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_ssh.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Password self reset</entry> | ||
|  | 
 | ||
|  |                 <entry>Question</entry> | ||
|  | 
 | ||
|  |                 <entry>Security question selection</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Answer</entry> | ||
|  | 
 | ||
|  |                 <entry>Security answer</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Backup email</entry> | ||
|  | 
 | ||
|  |                 <entry>(External) backup email address that has no relation to | ||
|  |                 user password.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry morerows="26"><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_user.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Personal</entry> | ||
|  | 
 | ||
|  |                 <entry>Business category</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Car license</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Department</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Description</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Email address</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Fax number</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>First name</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Home telephone number</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Initials</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Job title</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Last name</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Location</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Mobile number</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Office name</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Organisational unit</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Photo</entry> | ||
|  | 
 | ||
|  |                 <entry>Shows the user photo if set. The user may also remove | ||
|  |                 the photo or upload a new one.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Postal address</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Postal code</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Post office box</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Registered address</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Room number</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>State</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Street</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Telephone number</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>User certificates</entry> | ||
|  | 
 | ||
|  |                 <entry>Upload of user certificates in PEM or DER | ||
|  |                 format</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>User name</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Web site</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry morerows="4"><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_samba.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Samba 3</entry> | ||
|  | 
 | ||
|  |                 <entry>Password</entry> | ||
|  | 
 | ||
|  |                 <entry>Input field to set a new NT/LM password. The attribute | ||
|  |                 "sambaPwdLastSet" is updated if it existed before.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Sync Samba LM password with Unix password</entry> | ||
|  | 
 | ||
|  |                 <entry>This is a hidden field. It will update the Samba LM | ||
|  |                 password each time the Unix password is changed.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Sync Samba NT password with Unix password</entry> | ||
|  | 
 | ||
|  |                 <entry>This is a hidden field. It will update the Samba NT | ||
|  |                 password each time the Unix password is changed.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Update attribute "sambaPwdLastSet" on password | ||
|  |                 change</entry> | ||
|  | 
 | ||
|  |                 <entry>Updates the password timestamp when password is | ||
|  |                 synchronized with Unix.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Last password change (read-only)</entry> | ||
|  | 
 | ||
|  |                 <entry>Displays the date and time of the user's last password | ||
|  |                 change.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_ssh.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Shadow</entry> | ||
|  | 
 | ||
|  |                 <entry>Last password change (read-only)</entry> | ||
|  | 
 | ||
|  |                 <entry>Displays the date and time of the user's last password | ||
|  |                 change (Unix).</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry morerows="8"><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_samba.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Windows</entry> | ||
|  | 
 | ||
|  |                 <entry>Password</entry> | ||
|  | 
 | ||
|  |                 <entry>Change the user's password</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Location</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Office name</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Postal code</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Post office box</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>State</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Street</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Telephone number</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Web site</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry morerows="3"><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_unix.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Unix</entry> | ||
|  | 
 | ||
|  |                 <entry>Common name</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Login shell</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Password</entry> | ||
|  | 
 | ||
|  |                 <entry>This is also the source for several password | ||
|  |                 synchronization options.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Sync Unix password with Windows password</entry> | ||
|  | 
 | ||
|  |                 <entry>This is a hidden field. It will update the Unix | ||
|  |                 password each time the Windows password is changed.</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry morerows="1"><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_zarafa.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> Zarafa</entry> | ||
|  | 
 | ||
|  |                 <entry>"Send as" privileges</entry> | ||
|  | 
 | ||
|  |                 <entry>Defines users who may send mails as this user</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Email aliases</entry> | ||
|  | 
 | ||
|  |                 <entry>Email aliases</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry morerows="3"><inlinemediaobject> | ||
|  |                     <imageobject> | ||
|  |                       <imagedata fileref="images/schema_pykota.png" /> | ||
|  |                     </imageobject> | ||
|  |                   </inlinemediaobject> PyKota</entry> | ||
|  | 
 | ||
|  |                 <entry>Balance (read-only)</entry> | ||
|  | 
 | ||
|  |                 <entry>Current balance for printing</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Total paid (read-only)</entry> | ||
|  | 
 | ||
|  |                 <entry>Total money paid</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Payment history</entry> | ||
|  | 
 | ||
|  |                 <entry>History of user payments</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Job history</entry> | ||
|  | 
 | ||
|  |                 <entry>History of printed jobs</entry> | ||
|  |               </row> | ||
|  |             </tbody> | ||
|  |           </tgroup> | ||
|  |         </table> | ||
|  |       </section> | ||
|  | 
 | ||
|  |       <section> | ||
|  |         <title>Module settings</title> | ||
|  | 
 | ||
|  |         <para>This allows you to configure some module-specific options (e.g. | |
|  |         custom scripts or password hash type).</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/conf6.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  |       </section> | ||
|  | 
 | ||
|  |       <section> | ||
|  |         <title>Samba 3</title> | ||
|  | 
 | ||
|  |         <para>LAM Pro can check the password history and minimum age for Samba | ||
|  |         3 password changes. In this case please provide the LDAP suffix where | ||
|  |         your Samba 3 domain(s) are stored.</para> | ||
|  | 
 | ||
|  |         <para>If you leave the field empty then no history and age checks will | ||
|  |         be done.</para> | ||
|  | 
 | ||
|  |         <para>Password history: depending on your LDAP server you might need | ||
|  |         ascending or descending order. Just switch the setting if the password | ||
|  |         history is not correctly updated.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/selfServiceSambaDomains.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  |       </section> | ||
|  | 
 | ||
|  |       <section id="PasswordSelfReset"> | ||
|  |         <title>Password self reset</title> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Schema installation</emphasis></para> | ||
|  | 
 | ||
|  |         <para>Please install the LDAP schema as described <link | ||
|  |         linkend="a_passwordSelfResetSchema">here</link>.</para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Settings</emphasis></para> | ||
|  | 
 | ||
|  |         <para>You can allow your users to reset their passwords themselves. | ||
|  |         This will reduce your administrative costs for cases where users | ||
|  |         forget their passwords.</para> | ||
|  | 
 | ||
|  |         <para>To enable this feature please activate the checkbox "Enable | ||
|  |         password self reset link".</para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Hint:</emphasis> Please note that LAM Pro | |
|  |         uses security questions by default. Activate confirmation mails and | ||
|  |         then deactivate security questions if you want to use only email | ||
|  |         validation.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/passwordSelfReset1.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>You can now configure the minimum answer length for password | ||
|  |         reset answers. This is checked when you allow your users to specify | |
|  |         their answers via the self service. Additionally, you can specify the | ||
|  |         text of the password reset link (default: "Forgot password?"). The | ||
|  |         link is displayed below the password field on the self service login | ||
|  |         page.</para> | ||
|  | 
 | ||
|  |         <para>Next, please enter the DN and password of an LDAP entry that is | ||
|  |         allowed to reset the passwords. This entry needs write access to the | ||
|  |         attributes shadowLastChange, pwdAccountLockedTime and userPassword. It | ||
|  |         also needs read access to uid, mail, passwordSelfResetQuestion and | ||
|  |         passwordSelfResetAnswer. Please note that LAM Pro saves the password | |
|  |         of this entry on your server file system. You must therefore protect | |
|  |         your server against unauthorised access.</para> | |
|  | 
 | ||
|  |         <para>Please also specify the list of password reset questions that | ||
|  |         the user can choose.</para> | ||
|  | 
 | ||
|  |         <para>Please note that self service and the LAM admin interface are | |
|  |         separate functions. You need to specify the list of possible | |
|  |         security questions in both self service profile(s) and server | ||
|  |         profile(s).</para> | ||
|  | 
 | ||
|  |         <literallayout> </literallayout> | ||
|  | 
 | ||
|  |         <para>You can inform your users via mail about their password change. | ||
|  |         The mail can include the new password by using the special wildcard | ||
|  |         "@@newPassword@@". Additionally, you may want to insert other | ||
|  |         wildcards that are replaced by the corresponding LDAP attributes. E.g. | ||
|  |         "@@uid@@" will be replaced by the user name. Please see <link | ||
|  |         linkend="mailEOL">email format option</link> in case of broken mails. | ||
|  |         See <link linkend="mailSetup">here</link> for setting up your SMTP | ||
|  |         server.</para> | ||
|  | 
 | ||
|  |         <literallayout> </literallayout> | ||
|  | 
 | ||
|  |         <para>LAM Pro can send your users an email with a confirmation link to | ||
|  |         validate their email address. Of course, this should only be used if | ||
|  |         the email account is independent from the user password (e.g. at | ||
|  |         external provider) or you use the backup email address feature. The | ||
|  |         mail body must include the confirmation link by using the special | ||
|  |         wildcard "@@resetLink@@". Additionally, you may want to insert other | ||
|  |         wildcards that are replaced by the corresponding LDAP attributes. E.g. | ||
|  |         "@@uid@@" will be replaced by the user name.</para> | ||
|  | 
 | ||
|  |         <para>There is also an option to skip the security question entirely if | |
|  |         email verification is enabled. In this case the password can be reset | ||
|  |         directly after clicking on the confirmation link. Please handle with | ||
|  |         care since anybody with access to the user's mail account can reset | ||
|  |         the password.</para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Troubleshooting:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>1. You get messages like "Unable to find user account."</para> | ||
|  | 
 | ||
|  |         <para>This can have multiple reasons:</para> | ||
|  | 
 | ||
|  |         <itemizedlist> | ||
|  |           <listitem> | ||
|  |             <para>security questions enabled but no security question and/or | ||
|  |             answer set for this user</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>user name + email combination does not exist</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>no connection to LDAP server</para> | ||
|  |           </listitem> | ||
|  |         </itemizedlist> | ||
|  | 
 | ||
|  |         <para>Turn on logging in LAM's main configuration settings. The exact | ||
|  |         reason is logged on notice level.</para> | ||
|  | 
 | ||
|  |         <para>2. You do not see security question and answer fields when | ||
|  |         logged into self service.</para> | ||
|  | 
 | ||
|  |         <para>Probably, the user does not have the object class | ||
|  |         "passwordSelfReset" set. You can do this in admin interface. If you | ||
|  |         have multiple users to change then use the <link | ||
|  |         linkend="toolMultiEdit">Multi Edit Tool</link> to add the object | ||
|  |         class.</para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">New fields for self service | ||
|  |         page</emphasis></para> | ||
|  | 
 | ||
|  |         <para>There are special fields that you may put on the self service | ||
|  |         page for your users. These fields allow them to change the reset | ||
|  |         questions and its answers. It is also possible to set a backup email | ||
|  |         address to reset passwords with an external email address.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/passwordSelfReset2.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>This is an example of how this can be presented to your users on the | |
|  |         self service page:</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/passwordSelfReset3.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Password reset link</emphasis></para> | ||
|  | 
 | ||
|  |         <para>After activating the password self reset feature there will be a | ||
|  |         new link on the self service login page. The text can be configured as | ||
|  |         described above (default: "Forgot password?").</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/passwordSelfReset4.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>When a user clicks on the link then he will be asked for | ||
|  |         identification with his user name and email address.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/passwordSelfReset5.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>LAM Pro will use this information to find the correct LDAP entry | ||
|  |         of this user. It then displays the user's security questions and input | ||
|  |         fields for his new password. If the answer is correct then the new | ||
|  |         password will be set. Additionally, pwdAccountLockedTime will be | ||
|  |         removed and shadowLastChange updated to the current time if | ||
|  |         existing.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/passwordSelfReset6.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  |       </section> | ||
|  | 
 | ||
|  |       <section> | ||
|  |         <title>User self registration</title> | ||
|  | 
 | ||
|  |         <para>With LAM Pro your users can create their own accounts if you | ||
|  |         like. LAM Pro will display an additional link on the self service | ||
|  |         login page that allows your users to create a new account including | |
|  |         email validation (see <link linkend="mailSetup">here</link> for | ||
|  |         setting up your SMTP server).</para> | ||
|  | 
 | ||
|  |         <para>You enable this feature in your self service profile. Just | ||
|  |         activate the checkbox "Enable self registration link".</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/accountRegistration1.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Options:</emphasis></para> | ||
|  | 
 | ||
|  |         <para><emphasis>Link text:</emphasis> This is the label for the link | ||
|  |         to the self registration. If empty "Register new account" will be | ||
|  |         used.</para> | ||
|  | 
 | ||
|  |         <para><emphasis>Admin DN and password:</emphasis> Please enter the | ||
|  |         LDAP DN and its password that should be used to create new users. This | ||
|  |         DN also needs to be able to do LDAP searches by uid in the self | ||
|  |         service part of your LDAP tree.</para> | ||
|  | 
 | ||
|  |         <para><emphasis>Object classes:</emphasis> This is a list of object | ||
|  |         classes that are used to build the new user accounts. Please enter one | ||
|  |         object class in each line. If you use LAM Pro password self reset | ||
|  |         feature then do not forget to add "passwordSelfReset" here.</para> | ||
|  | 
 | ||
|  |         <para><emphasis>Attributes:</emphasis> This is a list of additional | ||
|  |         attributes that the user can enter. Please note that user name, | ||
|  |         password and email address are mandatory anyway and need not be | ||
|  |         specified.</para> | ||
|  | 
 | ||
|  |         <para>Each line represents one LDAP attribute. The settings are | ||
|  |         separated by "::". The first setting specifies the field type. The | ||
|  |         second setting is the LDAP attribute name. Depending on the field type | ||
|  |         you can enter additional options:</para> | ||
|  | 
 | ||
|  |         <table> | ||
|  |           <title></title> | ||
|  | 
 | ||
|  |           <tgroup cols="6"> | ||
|  |             <tbody> | ||
|  |               <row> | ||
|  |                 <entry><emphasis role="bold">Description</emphasis></entry> | ||
|  | 
 | ||
|  |                 <entry><emphasis role="bold">Type</emphasis></entry> | ||
|  | 
 | ||
|  |                 <entry><emphasis role="bold">Attribute name</emphasis></entry> | ||
|  | 
 | ||
|  |                 <entry><emphasis role="bold">First option</emphasis></entry> | ||
|  | 
 | ||
|  |                 <entry><emphasis role="bold">Second option</emphasis></entry> | ||
|  | 
 | ||
|  |                 <entry><emphasis role="bold">Third option</emphasis></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>An optional input field that is displayed on the | ||
|  |                 registration page.</entry> | ||
|  | 
 | ||
|  |                 <entry>optional</entry> | ||
|  | 
 | ||
|  |                 <entry>e.g. "givenName"</entry> | ||
|  | 
 | ||
|  |                 <entry>Label that is displayed on page</entry> | ||
|  | 
 | ||
|  |                 <entry>optional regular expression for validation (e.g. | ||
|  |                 "/^[0-9a-zA-Z]+$/")</entry> | ||
|  | 
 | ||
|  |                 <entry>validation message if value does not match validation | ||
|  |                 expression</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>A required input field that is displayed on the | ||
|  |                 registration page. Self registration cannot be done if such a | ||
|  |                 field is left empty by the user.</entry> | ||
|  | 
 | ||
|  |                 <entry>required</entry> | ||
|  | 
 | ||
|  |                 <entry>e.g. "sn"</entry> | ||
|  | 
 | ||
|  |                 <entry>Label that is displayed on page</entry> | ||
|  | 
 | ||
|  |                 <entry>optional regular expression for validation (e.g. | ||
|  |                 "/^[0-9a-zA-Z]+$/")</entry> | ||
|  | 
 | ||
|  |                 <entry>validation message if value does not match validation | ||
|  |                 expression</entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Constant attribute value, not visible for the user. Can | ||
|  |                 be used to set some initial values or data that must not be | ||
|  |                 edited by the user.</entry> | ||
|  | 
 | ||
|  |                 <entry>constant</entry> | ||
|  | 
 | ||
|  |                 <entry>e.g. "homeDirectory"</entry> | ||
|  | 
 | ||
|  |                 <entry>attribute value, supports wildcards to insert other | |
|  |                 attribute values (e.g. "@@uid@@")</entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  | 
 | ||
|  |                 <entry></entry> | ||
|  |               </row> | ||
|  | 
 | ||
|  |               <row> | ||
|  |                 <entry>Auto-numbering for attributes such as uidNumber. Will | ||
|  |                 do a search for attribute values in the given range and use | ||
|  |                 highest value + 1.</entry> | ||
|  | 
 | ||
|  |                 <entry>autorange</entry> | ||
|  | 
 | ||
|  |                 <entry>e.g. uidNumber</entry> | ||
|  | 
 | ||
|  |                 <entry>LDAP search base, e.g. | ||
|  |                 ou=people,dc=company,dc=com</entry> | ||
|  | 
 | ||
|  |                 <entry>Minimum value, e.g. 1000</entry> | ||
|  | 
 | ||
|  |                 <entry>Maximum value, e.g. 2000</entry> | ||
|  |               </row> | ||
|  |             </tbody> | ||
|  |           </tgroup> | ||
|  |         </table> | ||
|  | 
 | ||
|  |         <para>For a syntax description of validation expressions see <ulink | ||
|  |         url="http://perldoc.perl.org/perlre.html">here</ulink>. Validation is | ||
|  |         optional; you can leave these options blank.</para> | |
|  | 
 | ||
|  |         <para><emphasis role="bold">Example:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>optional::givenName::First name::/^[[:alnum:] ]+$/u::Please | ||
|  |         enter a valid first name.</para> | ||
|  | 
 | ||
|  |         <para>required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a | ||
|  |         valid last name.</para> | ||
|  | 
 | ||
|  |         <para>constant::homeDirectory::/home/@@uid@@</para> | ||
|  | 
 | ||
|  |         <para>autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000</para> | ||
|  | 
 | ||
|  |         <para>If you use the object class "inetOrgPerson" and do not provide | ||
|  |         the "cn" attribute then LAM will set it to the user name value.</para> | ||
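
A review aid for the attribute lines described above, as an added example that is not part of LAM or its documentation: it parses each "::"-separated line and reports missing options, unanchored or multi-line validation expressions, inverted autorange bounds, and constants whose wildcards copy user input that no regex checks. The plain split on "::", the finding texts, the built-in attribute set and the sample profile are assumptions made for this sketch.

```python
import re
from dataclasses import dataclass, field

FIELD_TYPES = {"optional", "required", "constant", "autorange"}
# Assumption: user name and email address are always collected (the page calls
# them mandatory), so wildcards for uid and mail need no profile line.
BUILTIN_ATTRS = {"uid", "mail"}
REGEX_SHAPE = re.compile(r"^/(.*)/([A-Za-z]*)$", re.DOTALL)
WILDCARD = re.compile(r"@@([A-Za-z][A-Za-z0-9;-]*)@@")

# Constructed sample profile; lines 2 to 8 each carry one or more defects.
SAMPLE = "\n".join([
    "optional::givenName::First name::/^[[:alnum:] ]+$/u::Please enter a valid first name.",
    "required::sn::Last name::/[[:alnum:] ]+/u::Please enter a valid last name.",
    "required::roomNumber::Room",
    "optional::title::Title::/^[a-z]+$/m::Lowercase letters only.",
    "constant::homeDirectory::/home/@@uid@@",
    "constant::description::Room @@roomNumber@@ (@@departmentNumber@@)",
    "autorange::uidNumber::ou=people,dc=company,dc=com::20000::10000",
    "select::initials::Initials",
])


@dataclass
class ProfileField:
    line_no: int
    kind: str
    attr: str
    options: list
    findings: list = field(default_factory=list)


def ends_with_unescaped_dollar(body):
    """True if the pattern body ends in a real '$' anchor, not an escaped one."""
    if not body.endswith("$"):
        return False
    head = body[:-1]
    return (len(head) - len(head.rstrip("\\"))) % 2 == 0


def check_regex(f, expr):
    shape = REGEX_SHAPE.match(expr)
    if shape is None:
        f.findings.append("regex is not delimited as /.../")
        return
    body, flags = shape.groups()
    # Without both anchors a value only has to contain one matching substring.
    if not (body.startswith("^") and ends_with_unescaped_dollar(body)):
        f.findings.append("regex not anchored with ^ and $")
    # With "m", ^ and $ match at every line break, so one good line is enough.
    if "m" in flags:
        f.findings.append("'m' flag on a single-line input")


def parse_line(line_no, line):
    parts = [p.strip() for p in line.split("::")]
    f = ProfileField(line_no, parts[0], parts[1] if len(parts) > 1 else "", parts[2:])
    if f.kind not in FIELD_TYPES:
        f.findings.append("unknown field type")
        return f
    if not f.attr:
        f.findings.append("missing LDAP attribute name")
    first, second, third = (f.options + ["", "", ""])[:3]
    if f.kind in ("optional", "required"):
        if not first:
            f.findings.append("missing label")
        if second:
            check_regex(f, second)
            if not third:
                f.findings.append("regex without validation message")
        else:
            f.findings.append("no validation expression")
    elif f.kind == "constant":
        if not first:
            f.findings.append("missing constant value")
    else:  # autorange: search base, minimum, maximum
        if not first:
            f.findings.append("missing LDAP search base")
        if not (second.isdigit() and third.isdigit()):
            f.findings.append("range bounds must be integers")
        elif not int(third) > int(second):
            f.findings.append("maximum must be greater than minimum")
    return f


def lint_profile(text):
    """Parse every non-empty line, then cross-check wildcards in constants."""
    fields = [parse_line(n, l) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    inputs = {f.attr.lower(): f for f in fields if f.kind in ("optional", "required")}
    for f in fields:
        if f.kind != "constant" or not f.options:
            continue
        for name in WILDCARD.findall(f.options[0]):
            if name.lower() in BUILTIN_ATTRS:
                continue
            source = inputs.get(name.lower())
            if source is None:
                f.findings.append(f"wildcard @@{name}@@ has no input field")
            elif not (source.options + ["", ""])[1]:
                f.findings.append(f"wildcard @@{name}@@ copies input that no regex checks")
    return fields


if __name__ == "__main__":
    for f in lint_profile(SAMPLE):
        for finding in f.findings:
            print(f"line {f.line_no} ({f.kind}::{f.attr}): {finding}")
```
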
|  | 
 | ||
|  |         <literallayout> | ||
|  | </literallayout> | ||
|  | 
 | ||
|  |         <para>Please note that only simple input boxes are supported for | ||
|  |         account registration. The user may log in to self service when his | ||
|  |         account was created to manage all his attributes.</para> | ||
|  | 
 | ||
|  |         <literallayout> | ||
|  | </literallayout> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Captcha support</emphasis></para> | ||
|  | 
 | ||
|  |         <para>LAM Pro can optionally display a captcha to verify that | ||
|  |         registrations are not from robots. The supported captcha provider is | ||
|  |         Google reCAPTCHA. You will need the site and secret key for your | ||
|  |         domain. They can be retrieved from here: <ulink | ||
|  |         url="https://www.google.com/recaptcha">https://www.google.com/recaptcha</ulink></para> | ||
|  | 
 | ||
|  |         <para>Please note that your web server must be able to access | ||
|  |         "https://www.google.com/recaptcha/api/siteverify" to verify the | ||
|  |         captchas. Captchas will be displayed automatically when site+secret | ||
|  |         key are filled.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/accountRegistration4.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <literallayout> | ||
|  | </literallayout> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">User view:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>The user can register by clicking on a link on the self service | ||
|  |         login page:</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/accountRegistration2.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>Here he can insert the data that you specified in the self | ||
|  |         service profile:</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/accountRegistration3.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>LAM will then send him an email with a validation link that is | ||
|  |         valid for 24 hours. When he clicks on this link then the account will | ||
|  |         be created in the self service user suffix. The DN will look like | ||
|  |         this: <emphasis>uid=<user name>,...</emphasis></para> | ||
|  | 
 | ||
|  |         <para>Please see <link linkend="mailEOL">email format option</link> in | ||
|  |         case of broken mails.</para> | ||
|  |       </section> | ||
|  | 
 | ||
|  |       <section> | ||
|  |         <title>Custom fields (LAM Pro)</title> | ||
|  | 
 | ||
|  |         <para>This module allows you to manage LDAP attributes that are not | ||
|  |         covered by the other LAM modules (e.g. if you use custom LDAP | ||
|  |         schemas). You can fully define what your input fields look like:</para> | |
|  | 
 | ||
|  |         <itemizedlist> | ||
|  |           <listitem> | ||
|  |             <para>Label</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>LDAP attribute name</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>Unique name for field</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>Help text</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>Read-only display</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>Field type: text, password, text area, checkbox, radio | ||
|  |             buttons, select list, file upload</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>Validation via regular expression</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>Error message if validation fails</para> | ||
|  |           </listitem> | ||
|  |         </itemizedlist> | ||
|  | 
 | ||
|  |         <para>To create custom fields for the Self Service please edit your | ||
|  |         Self Service profile and switch to tab "Module settings". Here you can | ||
|  |         add a new field. Simply fill the fields and press on "Add".</para> | ||
|  | 
 | ||
|  |         <para>Please note that the field name cannot be changed later. It is | ||
|  |         the unique ID for this field.</para> | ||
|  | 
 | ||
|  |         <para>After you created your fields please press on "Sync fields with | ||
|  |         page layout". Now you can switch to tab "Page layout" and add your new | ||
|  |         fields like any other standard field.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields1.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>Examples for fields and their representation in Self | ||
|  |         Service:</para> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Text field:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>Text fields allow you to specify a <link | |
|  |         linkend="customFields_validation_expressions">validation | ||
|  |         expression</link> and error message.</para> | ||
|  | 
 | ||
|  |         <para>You can also enable auto-completion. In this case LAM will | ||
|  |         search all accounts for the given attribute and provide | ||
|  |         auto-completion hints when the user edits this field. This should only | ||
|  |         be used if there is a limited number of different values for this | ||
|  |         attribute.</para> | ||
|  | 
 | ||
|  |         <para>In case your field is a date value you can show a calendar for | ||
|  |         easy editing.</para> | ||
|  | 
 | ||
|  |         <para>Example calendar formats:</para> | ||
|  | 
 | ||
|  |         <itemizedlist> | ||
|  |           <listitem> | ||
|  |             <para>dd.mm.yy: 31.12.2016</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>yy-mm-dd: 2016-12-31</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>d M, y: 31 Dec, 16</para> | ||
|  |           </listitem> | ||
|  | 
 | ||
|  |           <listitem> | ||
|  |             <para>d MM, y: 31 December, 2016</para> | ||
|  |           </listitem> | ||
|  |         </itemizedlist> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields2.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>Presentation in Self Service:</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields3.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Password field:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>You can also manage custom password fields. LAM Pro will display | ||
|  |         two fields where the user must enter the same password. You can hash | ||
|  |         the password if needed.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields4.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>Presentation in Self Service:</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields5.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Text area:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>This adds a multi-line field. The options are similar to text | ||
|  |         fields. Additionally, you can set the size with the number of columns | ||
|  |         and rows.</para> | ||
|  | 
 | ||
|  |         <para>Please note that the <link | ||
|  |         linkend="customFields_validation_expressions">validation | ||
|  |         expression</link> should be set to multi-line. This is done by adding | ||
|  |         "m" at the end.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields6.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>Presentation in Self Service:</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields7.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Checkbox:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>Sometimes you may want to allow only yes/no values for your LDAP | ||
|  |         attributes. This can be represented by a checkbox. You can specify the | ||
|  |         values for checked and unchecked. The default value is set if the LDAP | ||
|  |         attribute has no value.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields8.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>Presentation in Self Service:</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields9.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Radio buttons:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>This displays a list of radio buttons where the user can select | ||
|  |         one value.</para> | ||
|  | 
 | ||
|  |         <para>You can specify a mapping of LDAP attribute values and their | ||
|  |         display (label) on the Self Service page. To add more mapping fields | ||
|  |         please press "Add more mapping fields".</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields10.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>Presentation in Self Service:</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields11.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">Select list:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>Select lists allow the user to select a value in a large list of | ||
|  |         options. The definition of the possible values and their display is | ||
|  |         similar to radio buttons.</para> | ||
|  | 
 | ||
|  |         <para>You can also allow multiple values.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields12.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>Presentation in Self Service:</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields13.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields18.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para id="customFields_validation_expressions"><emphasis | ||
|  |         role="bold">Validation expressions:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>The validation expressions follow the standard of <ulink | ||
|  |         url="http://perldoc.perl.org/perlre.html">Perl regular | ||
|  |         expressions</ulink>. They start and end with a "/". The beginning of a | ||
|  |         line is specified by "^" and the end by "$".</para> | ||
|  | 
 | ||
|  |         <para>Examples:</para> | ||
|  | 
 | ||
|  |         <para>/^[a-z0-9]+$/ allows lowercase letters and digits. The value must | ||
|  |         not be empty ("+").</para> | ||
|  | 
 | ||
|  |         <para>/^[a-z0-9]+$/i allows lowercase and uppercase letters ("i" at the | ||
|  |         end means ignore case) and digits. The value must not be empty | ||
|  |         ("+").</para> | ||
|  | 
 | ||
|  |         <para>Special characters that must be escaped with "\": "\", ".", "(", | ||
|  |         ")"</para> | ||
|  | 
 | ||
|  |         <para>E.g. /^[a-z0-9\.]$/i</para> | ||
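<para>The following Python helper is an added example, not part of LAM: it parses a "/pattern/modifiers" expression as described above and probes it with constructed values to show what "^", "$", "+" and "i" change. It assumes Python's re module, which follows Perl syntax for these constructs; the function names and probe values are hypothetical, and whether LAM trims input before validation is not stated here.</para>

```python
import re

# Modifier letters after the closing "/" (subset chosen for this example).
MODIFIERS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}

def compile_expression(expr: str) -> re.Pattern:
    """Compile a "/pattern/modifiers" validation expression with Python's re."""
    if not (expr.startswith("/") and expr.rfind("/") > 0):
        raise ValueError("expression must start and end with '/'")
    end = expr.rfind("/")
    flags = 0
    for letter in expr[end + 1:]:
        if letter not in MODIFIERS:
            raise ValueError(f"unsupported modifier: {letter!r}")
        flags |= MODIFIERS[letter]
    return re.compile(expr[1:end], flags)

def accepts(expr: str, value: str) -> bool:
    """True if the value passes the expression (unanchored search, as in Perl)."""
    return compile_expression(expr).search(value) is not None

def audit(expr: str, good_value: str) -> list[str]:
    """Probe an expression with constructed variants of a known-good value.

    Assumes "!" is a character the field is not supposed to allow.
    """
    probes = {
        "accepts leading junk (missing ^)": "!" + good_value,
        "accepts trailing junk (missing $)": good_value + "!",
        "accepts a trailing newline ($ also matches before a final newline)":
            good_value + "\n",
        "accepts an empty value": "",
    }
    return [finding for finding, probe in probes.items() if accepts(expr, probe)]

if __name__ == "__main__":
    # Constructed sample expressions; the first two are the examples above.
    for expr in ("/^[a-z0-9]+$/", "/^[a-z0-9]+$/i", "/[a-z0-9]*/"):
        print(expr, "->", audit(expr, "abc123") or "no findings")
```

<para>A trailing-newline finding matters only if the application passes untrimmed input to the expression. In Perl syntax, \z in place of $ matches only at the very end of the value.</para>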
|  | 
 | ||
|  |         <literallayout> | ||
|  | </literallayout> | ||
|  | 
 | ||
|  |         <para><emphasis role="bold">File upload:</emphasis></para> | ||
|  | 
 | ||
|  |         <para>This is used for binary data. You can restrict uploaded data to | ||
|  |         a given file extension and set the maximum file size.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields23.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  | 
 | ||
|  |         <para>Presentation:</para> | ||
|  | 
 | ||
|  |         <para>The uploaded data may also be downloaded via LAM.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/customFields24.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  |       </section> | ||
|  |     </section> | ||
|  | 
 | ||
|  |     <section> | ||
|  |       <title>Adapt the self service to your corporate design</title> | ||
|  | 
 | ||
|  |       <para>LAM Pro allows you to integrate custom CSS style definitions and | ||
|  |       design the header of all self service pages. This way you can integrate | ||
|  |       your own logo and use your company's colors.</para> | ||
|  | 
 | ||
|  |       <section> | ||
|  |         <title>Custom header</title> | ||
|  | 
 | ||
|  |         <para>The default LAM Pro header includes a logo and a horizontal | ||
|  |         line. You can enter any HTML code here. It will be included in the | ||
|  |         self service pages after the body tag.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/configPageHeader.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  |       </section> | ||
|  | 
 | ||
|  |       <section> | ||
|  |         <title>CSS files</title> | ||
|  | 
 | ||
|  |         <para>Usually, companies have regulations about their corporate design | ||
|  |         and use common CSS files. This ensures a common appearance of all | ||
|  |         intranet pages (e.g. colors and fonts). To include additional CSS | ||
|  |         files, use the following setting. The additional CSS links will be | ||
|  |         added after LAM Pro's default CSS link. This way you can override | ||
|  |         LAM Pro's style.</para> | ||
|  | 
 | ||
|  |         <screenshot> | ||
|  |           <mediaobject> | ||
|  |             <imageobject> | ||
|  |               <imagedata fileref="images/configCSS.png" /> | ||
|  |             </imageobject> | ||
|  |           </mediaobject> | ||
|  |         </screenshot> | ||
|  |       </section> | ||
|  |     </section> | ||
|  |   </chapter> |