diff --git a/lam/HISTORY b/lam/HISTORY index e1daa99d..02224f01 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -9,6 +9,7 @@ March 2014 4.5 -> Separate IP restriction list for self service -> Bind DLZ: support TXT/SRV records -> Self Service: added language selection + -> Password self reset: support backup email address -> Custom fields: support help texts -> Support for Oracle databases (orclNetService) (RFE 104) - fixed bugs: diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index 2ed1123c..7f403091 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml @@ -724,6 +724,11 @@ Have fun! The self service pages now have an own option for allowed IPs. If your LAM installation uses IP restrictions please update the LAM main configuration. + + Password self reset (LAM Pro) allows to set a backup email + address. You need to update the LDAP + schema if you want to use this feature.
@@ -2384,80 +2389,8 @@ Have fun! Schema installation - Please install the schema that comes with LAM Pro. The schema - files are located in: - - - - tar.bz2: docs/schema - - - - DEB: /usr/share/doc/ldap-account-manager/docs/schema - - - - RPM: - /usr/share/doc/ldap-account-manager-{VERSION}/schema - - - - -OpenLDAP: - - For a configuration with slapd.conf-file copy - passwordSelfReset.schema to /etc/ldap/schema/ and add this line to - slapd.conf: - - include /etc/ldap/schema/passwordSelfReset.schema - - - - For slapd.d configurations you need to upload the schema file - passwordSelfReset.ldif via ldapadd command: - - ldapadd -x -W -H ldap://localhost -D "cn=admin,o=test,c=de" -f - /daten/dev/lamPro/docs/schema/passwordSelfReset.ldif - - Please replace "localhost" with your LDAP server and - "cn=admin,o=test,c=de" with your LDAP admin user (usually starts with - cn=admin or cn=manager). - - - - - Samba 4: - - The schema files are passwordSelfReset-Samba4-attributes.ldif - and passwordSelfReset-Samba4-objectClass.ldif. - - First, you need to edit them and replace "DOMAIN_TOP_DN" with - your LDAP suffix (e.g. dc=samba4,dc=test). - - Then install the attribute and afterwards the object class - schema file: - - ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true - ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true - - - - Windows: - - The schema file is passwordSelfReset-Windows.ldif. - - First, you need to edit it and replace "DOMAIN_TOP_DN" with your - LDAP suffix (e.g. dc=windows,dc=test). - - Then install the schema file as administrator on a command - line: - - ldifde -v -i -f passwordSelfReset-Windows.ldif - - - - This allows to set a security question + answer for each - account. + Please install the LDAP schema as described here. Activate password self reset module 
@@ -2492,6 +2425,11 @@ Have fun! can activate/remove the password self reset function for each user. You can also change the security question and answer. + If you set a backup email address then confirmation emails will + also be sent to this address. This is useful if the user password + grants access to the user's primary mailbox. So passwords can be + unlocked with an external email address. + Hint: You can add the passwordSelfReset object class to all your users with the multi edit tool. @@ -6739,7 +6677,7 @@ OK (10 msec) - + @@ -6756,6 +6694,13 @@ OK (10 msec) Security answer + + Backup email + + (External) backup email address that has no relation to user + password. + + @@ -7114,6 +7059,11 @@ OK (10 msec)
Password self reset + Schema installation + + Please install the LDAP schema as described here. + Settings You can allow your users to reset their passwords themselves. @@ -7176,11 +7126,11 @@ OK (10 msec) LAM Pro can send your users an email with a confirmation link to validate their email address. Of course, this should only be used if the email account is independent from the user password (e.g. at - external provider). The mail must include the confirmation link by - using the special wildcard "@@resetLink@@". Additionally, you may - want to insert other wildcards that are replaced by the - corresponding LDAP attributes. E.g. "@@uid@@" will be replaced by - the user name. + external provider) or you use the backup email address feature. The + mail body must include the confirmation link by using the special + wildcard "@@resetLink@@". Additionally, you may want to insert other + wildcards that are replaced by the corresponding LDAP attributes. + E.g. "@@uid@@" will be replaced by the user name. There is also an option to skip the security question at all if email verification is enabled. In this case the password can be @@ -7214,9 +7164,10 @@ OK (10 msec) New fields for self service page - There are two new fields that you may put on the self service + There are special fields that you may put on the self service page for your users. These fields allow them to change the reset - question and its answer. + question and its answer. It is also possible to set a backup email + address to reset passwords with an external email address. @@ -9035,6 +8986,208 @@ OK (10 msec)
+ + Setup password self reset schema (LAM Pro) + +
+ New installation + + Please see here if you want to + upgrade an existing schema version. + + Schema installation + + Please install the schema that comes with LAM Pro. The schema + files are located in: + + + + tar.bz2: docs/schema + + + + DEB: /usr/share/doc/ldap-account-manager/docs/schema + + + + RPM: + /usr/share/doc/ldap-account-manager-{VERSION}/schema + + + + + + + OpenLDAP with slapd.conf + configuration + + For a configuration with slapd.conf-file copy + passwordSelfReset.schema to /etc/ldap/schema/ and add this line to + slapd.conf: + + include /etc/ldap/schema/passwordSelfReset.schema + + + + OpenLDAP with slapd.d + configuration + + For slapd.d configurations you need to upload the schema file + passwordSelfReset.ldif via ldapadd command: + + ldapadd -x -W -H ldap://localhost -D "cn=admin,o=test,c=de" -f + passwordSelfReset.ldif + + Please replace "localhost" with your LDAP server and + "cn=admin,o=test,c=de" with your LDAP admin user (usually starts with + cn=admin or cn=manager). + + + + + Samba 4 + + The schema files are passwordSelfReset-Samba4-attributes.ldif and + passwordSelfReset-Samba4-objectClass.ldif. + + First, you need to edit them and replace "DOMAIN_TOP_DN" with your + LDAP suffix (e.g. dc=samba4,dc=test). + + Then install the attribute and afterwards the object class schema + file: + + ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true + ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true + + + + Windows + + The schema file is passwordSelfReset-Windows.ldif. + + First, you need to edit it and replace "DOMAIN_TOP_DN" with your + LDAP suffix (e.g. dc=windows,dc=test). + + Then install the schema file as administrator on a command + line: + + ldifde -v -i -f passwordSelfReset-Windows.ldif + + + + This allows to set a security question + answer for each + account. +
+ +
+ Schema update + + The schema files are located in: + + + + tar.bz2: docs/schema/updates + + + + DEB: + /usr/share/doc/ldap-account-manager/docs/schema/updates + + + + RPM: + /usr/share/doc/ldap-account-manager-{VERSION}/schema/updates + + + + + + + Schema versions: + + + + Initial version (LAM Pro 3.6) + + + + Added passwordSelfResetBackupMail (LAM Pro 4.5) + + + + + + + OpenLDAP with slapd.conf + configuration + + Install the schema file like a new install (skip + modification of slapd.conf file). + + + + + OpenLDAP with slapd.d + configuration + + The upgrade requires to stop the LDAP server. + + Steps: + + + + Stop OpenLDAP with e.g. "/etc/init.d/slapd stop" + + + + Delete the old schema file. It is located in e.g. + "/etc/ldap/slapd.d/cn=config/cn=schema" and called + "cn={XX}passwordselfreset.ldif" (XX can be any number) + + + + Start OpenLDAP with e.g. "/etc/init.d/slapd start" + + + + Install the schema file like a new install + + + + + + + Samba 4 + + Install the these update files by following the install + instructions in the file: + + + + samba4_version_1_to_2_attributes.ldif + + + + samba4_version_1_to_2_objectClass.ldif + + + + Please note that attributes file needs to be installed + first. + + + + + Windows + + Install the file "windows_version_1_to_2.ldif" by following the + install instructions in the file. +
+
+ Adapt LAM to your corporate design diff --git a/lam/docs/manual-sources/images/passwordSelfReset2.png b/lam/docs/manual-sources/images/passwordSelfReset2.png index 14a3f0bc..3bcc9f5a 100644 Binary files a/lam/docs/manual-sources/images/passwordSelfReset2.png and b/lam/docs/manual-sources/images/passwordSelfReset2.png differ diff --git a/lam/docs/manual-sources/images/passwordSelfReset3.png b/lam/docs/manual-sources/images/passwordSelfReset3.png index 3bd4fe3d..1b5adde3 100644 Binary files a/lam/docs/manual-sources/images/passwordSelfReset3.png and b/lam/docs/manual-sources/images/passwordSelfReset3.png differ diff --git a/lam/docs/manual-sources/images/passwordSelfReset9.png b/lam/docs/manual-sources/images/passwordSelfReset9.png index 8f2c9677..2f847661 100644 Binary files a/lam/docs/manual-sources/images/passwordSelfReset9.png and b/lam/docs/manual-sources/images/passwordSelfReset9.png differ
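Review bot: In the account-tab hunk (@@ -2492,6 +2425,11 @@), "confirmation emails will also be sent to this address" and "passwords can be unlocked with an external email address" leave two things open: whether the mail goes to both the primary and the backup address or to the backup only, and whether this is a password reset or an unlock. The @@ -7176,11 +7126,11 @@ hunk treats the backup address as an alternative to an independent primary mailbox, so the two paragraphs should state the delivery behaviour in the same words and use "reset" consistently.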
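Review bot: In the "New fields for self service page" hunk (@@ -7214,9 +7164,10 @@), the added sentence lets users set the backup email address themselves, but the manual never says that whoever can edit this field decides where reset confirmation links are delivered. Suggest adding a sentence advising administrators to decide whether the field is offered on the self service page or maintained only through the admin account tab, and to treat changes to passwordSelfResetBackupMail as security-relevant.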
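Review bot: In the new "Schema update" section (@@ -9035,6 +8986,208 @@), the slapd.d steps delete "cn={XX}passwordselfreset.ldif" and start slapd again before the new schema is installed, and there is no backup step, so the server is started without the schema that existing passwordSelfReset entries use and the manual offers no way back if the re-install fails. Suggest a first step that backs up the slapd.d directory before anything is deleted, and a sentence on what to expect between the restart and the re-install. Also in this hunk: the update files are named version_1_to_2 while the "Schema versions" list does not number its entries, so label them 1 and 2; "Install the these update files" has a stray "the"; and the ldapadd example uses -x -W against plain ldap://, which sends the admin password unencrypted once "localhost" is replaced by a remote server as the text instructs, so mention ldaps:// or StartTLS (-ZZ) there.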