From a6952f1d9f2a2f786a2d0500857aea5b063db5e6 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sat, 13 May 2017 11:10:38 +0200
Subject: [PATCH] "o" for self service
---
 .../manual-sources/chapter-selfService.xml | 2989 ++++++++---------
 lam/lib/modules/inetOrgPerson.inc | 52 +-
 2 files changed, 1542 insertions(+), 1499 deletions(-)
diff --git a/lam/docs/manual-sources/chapter-selfService.xml b/lam/docs/manual-sources/chapter-selfService.xml
index 22701267..cab0d870 100644
--- a/lam/docs/manual-sources/chapter-selfService.xml
+++ b/lam/docs/manual-sources/chapter-selfService.xml
@@ -1,1550 +1,299 @@
- - Self service (LAM Pro) +"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> + + Self service (LAM Pro)
- Preparations +
+ Preparations -
- OpenLDAP ACLs +
+ OpenLDAP ACLs - By default only a few administrative users have write access to - the LDAP database. Before your users may change their settings you - must allow them to change their LDAP data. + By default only a few administrative users have write access to + the LDAP database. Before your users may change their settings you must + allow them to change their LDAP data. - Hint: The ACLs below are not required if you decide to run all - operations as the LDAP bind user (option "Use for all - operations"). + Hint: The ACLs below are not required if you decide to run all + operations as the LDAP bind user (option "Use for all + operations"). - This can be done by adding ACLs to your slapd.conf or - slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to - these: + This can be done by adding ACLs to your slapd.conf or + slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to + these: - access to + access to - attrs=userPassword + attrs=userPassword - by self write + by self write - by anonymous auth + by anonymous auth - by * none + by * none - + - access to + access to - - attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail + + attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail - by self write + by self write - by * read + by * read - If you do not want them to change all attributes then reduce the - list to fit your needs. Some modules may require additional LDAP - attributes. You can use the tree view to get the technical attribute - names e.g. by selecting an user account. + If you do not want them to change all attributes then reduce the + list to fit your needs. 
Some modules may require additional LDAP + attributes. You can use the tree view to get the technical attribute + names e.g. by selecting an user account. - Usually, the slapd.conf file is located in /etc/ldap or - /etc/openldap. -
- -
- Other LDAP servers - - There exist many LDAP implementations. If you do not use - OpenLDAP you need to write your own ACLs. Please check the manual of - your LDAP server for instructions. -
+ Usually, the slapd.conf file is located in /etc/ldap or + /etc/openldap.
- Creating a self service profile + Other LDAP servers - A self service profile defines what input fields your users see - and some other general settings like the login caption. + There exist many LDAP implementations. If you do not use OpenLDAP + you need to write your own ACLs. Please check the manual of your LDAP + server for instructions. +
+
- When you go to the LAM configuration page you will see the self - service link at the bottom. This will lead you to the self service - configuration pages +
+ Creating a self service profile + + A self service profile defines what input fields your users see and + some other general settings like the login caption. + + When you go to the LAM configuration page you will see the self + service link at the bottom. This will lead you to the self service + configuration pages + + + + + + + + + + Now we need to create a new self service profile. Click on the link + to manage the self service profiles. + + + + + + + + + + Specify a name for the new profile and enter your master + configuration password (default is "lam") to save the profile. + + + + + + + + + + Now go back to the profile login and enter your master configuration + password to edit your new profile. +
+ +
+ Edit your new profile + +
+ General settings + + On top of the page you see the link to the user login page. Copy + this link address and give it to your users. + + Below the link you can specify several options. - + - Now we need to create a new self service profile. Click on the - link to manage the self service profiles. + + General options - - - - - - - + + + + Server address - Specify a name for the new profile and enter your master - configuration password (default is "lam") to save the profile. + The address of your LDAP server. For LDAP+SSL use + "ldaps://myserver" + - - - - - - - + + Activate TLS - Now go back to the profile login and enter your master - configuration password to edit your new profile. - + Activates TLS encryption. Please note that this cannot be + combined with LDAP+SSL ("ldaps://"). + -
- Edit your new profile + + LDAP suffix -
- General settings + The part of the LDAP tree where LAM should search for + users + - On top of the page you see the link to the user login page. Copy - this link address and give it to your users. + + LDAP search attribute - Below the link you can specify several options. + Here you can specify if your users can login with user + name + password, email + password or other attributes. + - - - - - - - + + Follow referrals -
- General options + By default LAM will not follow LDAP referrals. This is ok + for most installations. If you use LDAP referrals please + activate the referral option in advanced settings. + - - - - Server address + + LDAP user + password - The address of your LDAP server. For LDAP+SSL use - "ldaps://myserver" - + The DN and password which is used to search for users in + the LDAP database. It is sufficient if this DN has only read + rights. If you leave these fields empty LAM will try to connect + anonymously. + - - Activate TLS + + Use for all operations - Activates TLS encryption. Please note that this cannot - be combined with LDAP+SSL ("ldaps://"). - + By default LAM will use the credentials of the user that + logged in to self service for read/modify operations. If you + select this box then the connection user specified before will + be used instead. Please note that this can be a security risk + because the user requires write access to all users. You need to + make sure that your LAM server is well protected. + - - LDAP suffix + + Additional LDAP filter - The part of the LDAP tree where LAM should search for - users - + Use this to enter an additional LDAP filter (e.g. + "(objectClass=passwordSelfReset)") to reduce the number of + accounts who may use self service. + - - LDAP search attribute + + HTTP authentication - Here you can specify if your users can login with user - name + password, email + password or other attributes. - + You can enable HTTP authentication for your users. This + way the web server is responsible to authenticate your users. + LAM will use the given user name + password for the LDAP login. + To setup HTTP authentication in Apache please see this link. + - - Follow referrals + + Login attribute label - By default LAM will not follow LDAP referrals. This is - ok for most installations. If you use LDAP referrals please - activate the referral option in advanced settings. - + This is the description for the LDAP search attribute. 
+ Set it to something which your users are familiar with. + - - LDAP user + password + + Password field label - The DN and password which is used to search for users - in the LDAP database. It is sufficient if this DN has only - read rights. If you leave these fields empty LAM will try to - connect anonymously. - + This text is placed as label for the password field on + the login page. LAM will use "Password" if you do not enter any + text. + - - Use for all operations + + Login caption - By default LAM will use the credentials of the user - that logged in to self service for read/modify operations. If - you select this box then the connection user specified before - will be used instead. Please note that this can be a security - risk because the user requires write access to all users. You - need to make sure that your LAM server is well - protected. - + This text is displayed at the login page. You can input + HTML, too. + - - Additional LDAP filter + + Main page caption - Use this to enter an additional LDAP filter (e.g. - "(objectClass=passwordSelfReset)") to reduce the number of - accounts who may use self service. - + This text is displayed at self service main page where + your users change their data. You can input HTML, too. + - - HTTP authentication + + Page header - You can enable HTTP authentication for your users. This - way the web server is responsible to authenticate your users. - LAM will use the given user name + password for the LDAP - login. To setup HTTP authentication in Apache please see this - link. - + This HTML code will be placed on top of all self service + pages. E.g. you can use this to place your custom logo. Any HTML + code is permitted. + - - Login attribute label + + Additional CSS links - This is the description for the LDAP search attribute. - Set it to something which your users are familiar - with. - + Here you can specify additional CSS links to change the + layout of the self service pages. 
This is useful to adapt them + to your corporate design. Please enter one link per + line. + + + +
- - Password field label - - This text is placed as label for the password field on - the login page. LAM will use "Password" if you do not enter - any text. - - - - Login caption - - This text is displayed at the login page. You can input - HTML, too. - - - - Main page caption - - This text is displayed at self service main page where - your users change their data. You can input HTML, too. - - - - Page header - - This HTML code will be placed on top of all self - service pages. E.g. you can use this to place your custom - logo. Any HTML code is permitted. - - - - Additional CSS links - - Here you can specify additional CSS links to change the - layout of the self service pages. This is useful to adapt them - to your corporate design. Please enter one link per - line. - - - - - - - -
- 2-factor authentication - - LAM supports 2-factor authentication for your users. This - means the user will not only authenticate by user+password but also - with e.g. a token generated by a mobile device. This adds more - security because the token is generated on a physically separated - device (typically mobile phone). - - The token is validated by a second application. LAM currently - supports: - - - - privacyIdea - - - - By default LAM will enforce to use a token and reject users - that did not setup one. You can set this check to optional. But if a - user has setup a token then this will always be required. - - - - - - - - - - After logging in with user + password LAM will ask for the 2nd - factor. If the user has setup multiple factors then he can choose - one of them. - - - - - - - - -
-
+
- Page layout + 2-factor authentication - Here you can specify what input fields your users can see. It is - also possible to group several input fields. + LAM supports 2-factor authentication for your users. This means + the user will not only authenticate by user+password but also with + e.g. a token generated by a mobile device. This adds more security + because the token is generated on a physically separated device + (typically mobile phone). - Please use the arrow signs to change the order of the - fields/groups. - - You may also set some fields as read-only for your users. This - can be done by clicking on the lock symbol. Read-only fields can be - used to show your users additional data on the self service page that - must not be changed by themselves (e.g. first/last name). - - Sometimes, you may want to set a custom label for an input - field. Click on the edit icon to set your own label text (Personal: - Department is relabeled as "Business unit" here). - - - - - - - - - - Possible input fields - - This is a list of input fields you may add to the self service - page. - - - Self service fields - - - - - Account - type - - Option - - Description - - - - - - - - Asterisk (voicemail) - - Sync Asterisk password with Unix password - - This is a hidden field. It will update the Asterisk - password each time the Unix password is changed. - - - - - - - - Kerberos - - Sync Kerberos password with Unix password - - This is a hidden field. It will update the Kerberos - password each time the Unix password is changed. - - - - - - - - Kolab - - Delegates - - Allows to manage delegate permissions - - - - Invitation policy - - Invitation policy management - - - - - - - - Password policy - - Last password change - - read-only - - - - - - - - Password self reset - - Question - - Security question selection - - - - Answer - - Security answer - - - - Backup email - - (External) backup email address that has no relation to - user password. 
- - - - - - - - Personal - - Business category - - - - - - Car license - - - - - - Department - - - - - - Description - - - - - - Email address - - - - - - Fax number - - - - - - First name - - - - - - Home telephone number - - - - - - Initials - - - - - - Job title - - - - - - Last name - - - - - - Location - - - - - - Mobile number - - - - - - Office name - - - - - - Organisational unit - - - - - - Photo - - Shows the user photo if set. The user may also remove - the photo or upload a new one. - - - - Postal address - - - - - - Postal code - - - - - - Post office box - - - - - - Registered address - - - - - - Room number - - - - - - State - - - - - - Street - - - - - - Telephone number - - - - - - User certificates - - Upload of user certificates in PEM or DER - format - - - - User name - - - - - - Web site - - - - - - - - - - Samba 3 - - Password - - Input field to set a new NT/LM password. The attribute - "sambaPwdLastSet" is updated if it existed before. - - - - Sync Samba LM password with Unix password - - This is a hidden field. It will update the Samba LM - password each time the Unix password is changed. - - - - Sync Samba NT password with Unix password - - This is a hidden field. It will update the Samba NT - password each time the Unix password is changed. - - - - Update attribute "sambaPwdLastSet" on password - change - - Updates the password timestamp when password is - synchronized with Unix. - - - - Last password change (read-only) - - Displays the date and time of the user's last password - change. - - - - - - - - Shadow - - Last password change (read-only) - - Displays the date and time of the user's last password - change (Unix). 
- - - - - - - - Windows - - Password - - Change the user's password - - - - Location - - - - - - Office name - - - - - - Postal code - - - - - - Post office box - - - - - - State - - - - - - Street - - - - - - Telephone number - - - - - - Web site - - - - - - - - - - Unix - - Common name - - - - - - Login shell - - - - - - Password - - This is also the source for several password - synchronization options. - - - - Sync Unix password with Windows password - - This is a hidden field. It will update the Unix - password each time the Windows password is changed. - - - - - - - - Zarafa - - "Send as" privileges - - Define user who may send mails as this user - - - - Email aliases - - Email aliases - - - - - - - - PyKota - - Balance (read-only) - - Current balance for printing - - - - Total paid (read-only) - - Total money paid - - - - Payment history - - History of user payments - - - - Job history - - History of printed jobs - - - -
-
- -
- Module settings - - This allows to configure some module specific options (e.g. - custom scripts or password hash type). - - - - - - - - -
- -
- Samba 3 - - LAM Pro can check the password history and minimum age for Samba - 3 password changes. In this case please provide the LDAP suffix where - your Samba 3 domain(s) are stored. - - If you leave the field empty then no history and age checks will - be done. - - Password history: depending on your LDAP server you might need - ascending or descending order. Just switch the setting if the password - history is not correctly updated. - - - - - - - - -
- -
- Password self reset - - Schema installation - - Please install the LDAP schema as described here. - - Settings - - You can allow your users to reset their passwords themselves. - This will reduce your administrative costs for cases where users - forget their passwords. - - To enable this feature please activate the checkbox "Enable - password self reset link". - - Hint: Plese note that LAM Pro - uses security questions by default. Activate confirmation mails and - then deactivate security questions if you want to use only email - validation. - - - - - - - - - - You can now configure the minimum answer length for password - reset answers. This is checked when you allow you users to specify - their answers via the self service. Additionally, you can specify the - text of the password reset link (default: "Forgot password?"). The - link is displayed below the password field on the self service login - page. - - Next, please enter the DN and password of an LDAP entry that is - allowed to reset the passwords. This entry needs write access to the - attributes shadowLastChange, pwdAccountLockedTime and userPassword. It - also needs read access to uid, mail, passwordSelfResetQuestion and - passwordSelfResetAnswer. Please note that LAM Pro saves the password - on your server file system. Therefore, it is required to protect your - server against unauthorised access. - - Please also specify the list of password reset questions that - the user can choose. - - Please note that self service and LAM admin interface are - separated functionalities. You need to specify the list of possible - security questions in both self service profile(s) and server - profile(s). - - - - You can inform your users via mail about their password change. - The mail can include the new password by using the special wildcard - "@@newPassword@@". Additionally, you may want to insert other - wildcards that are replaced by the corresponding LDAP attributes. E.g. 
- "@@uid@@" will be replaced by the user name. Please see email format option in case of broken mails. - See here for setting up your SMTP - server. - - - - LAM Pro can send your users an email with a confirmation link to - validate their email address. Of course, this should only be used if - the email account is independent from the user password (e.g. at - external provider) or you use the backup email address feature. The - mail body must include the confirmation link by using the special - wildcard "@@resetLink@@". Additionally, you may want to insert other - wildcards that are replaced by the corresponding LDAP attributes. E.g. - "@@uid@@" will be replaced by the user name. - - There is also an option to skip the security question at all if - email verification is enabled. In this case the password can be reset - directly after clicking on the confirmation link. Please handle with - care since anybody with access to the user's mail account can reset - the password. - - Troubleshooting: - - 1. You get messages like "Unable to find user account." - - This can have multiple reasons: + The token is validated by a second application. LAM currently + supports: - security questions enabled but no security question and/or - answer set for this user - - - - user name + email combination does not exist - - - - no connection to LDAP server + privacyIdea - Turn on logging in LAM's main configuration settings. The exact - reason is logged on notice level. - - 2. You do not see security question and answer fields when - logged into self service. - - Probably, the user does not have the object class - "passwordSelfReset" set. You can do this in admin interface. If you - have multiple users to change then use the Multi Edit Tool to add the object - class. - - New fields for self service - page - - There are special fields that you may put on the self service - page for your users. These fields allow them to change the reset - questions and its answers. 
It is also possible to set a backup email - address to reset passwords with an external email address. + By default LAM will enforce to use a token and reject users that + did not setup one. You can set this check to optional. But if a user + has setup a token then this will always be required. - + - This is an example how can be presented to your users on the - self service page: + After logging in with user + password LAM will ask for the 2nd + factor. If the user has setup multiple factors then he can choose one + of them. - - - - - - Password reset link - - After activating the password self reset feature there will be a - new link on the self service login page. The text can be configured as - described above (default: "Forgot password?"). - - - - - - - - - - When a user clicks on the link then he will be asked for - identification with his user name and email address. - - - - - - - - - - LAM Pro will use this information to find the correct LDAP entry - of this user. It then displays the user's security questions and input - fields for his new password. If the answer is correct then the new - password will be set. Additionally, pwdAccountLockedTime will be - removed and shadowLastChange updated to the current time if - existing. - - - - - - - - -
- -
- User self registration - - With LAM Pro your users can create their own accounts if you - like. LAM Pro will display an additional link on the self service - login page that allows you users to create a new account including - email validation (see here for - setting up your SMTP server). - - You enable this feature in your self service profile. Just - activate the checkbox "Enable self registration link". - - - - - - - - - - Options: - - Link text: This is the label for the link - to the self registration. If empty "Register new account" will be - used. - - Admin DN and password: Please enter the - LDAP DN and its password that should be used to create new users. This - DN also needs to be able to do LDAP searches by uid in the self - service part of your LDAP tree. - - Object classes: This is a list of object - classes that are used to build the new user accounts. Please enter one - object class in each line. If you use LAM Pro password self reset - feature then do not forget to add "passwordSelfReset" here. - - Attributes: This is a list of additional - attributes that the user can enter. Please note that user name, - password and email address are mandatory anyway and need not be - specified. - - Each line represents one LDAP attribute. The settings are - separated by "::". The first setting specifies the field type. The - second setting is the LDAP attribute name. Depending on the field type - you can enter additional options: - - - - - - - - Description - - Type - - Attribute name - - First option - - Second option - - Third option - - - - An optional input field that is displayed on the - registration page. - - optional - - e.g. "givenName" - - Label that is displayed on page - - optional regular expression for validation (e.g. - "/^[0-9a-zA-Z]+$/") - - validation message if value does not match validation - expression - - - - A required input field that is displayed on the - registration page. 
Self registration cannot be done if such a - field is left empty by the user. - - required - - e.g. "sn" - - Label that is displayed on page - - optional regular expression for validation (e.g. - "/^[0-9a-zA-Z]+$/") - - validation message if value does not match validation - expression - - - - Constant attribute value, not visible for the user. Can - be used to set some initial values or data that must not be - edited by the user. - - constant - - e.g. "homeDirectory" - - attribute value, supports wirldcards to insert other - attribute values (e.g. "@@uid@@") - - - - - - - - Auto-numbering for attributes such as uidNumber. Will - do a search for attribute values in the given range and use - highest value + 1. - - autorange - - e.g. uidNumber - - LDAP search base, e.g. - ou=people,dc=company,dc=com - - Minimum value, e.g. 1000 - - Maximum value, e.g. 2000 - - - -
- - For a syntax description of validation expressions see here. Validation is - optional, you can leave these options blank. - - Example: - - optional::givenName::First name::/^[[:alnum:] ]+$/u::Please - enter a valid first name. - - required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a - valid last name. - - constant::homeDirectory::/home/@@uid@@ - - autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000 - - If you use the object class "inetOrgPerson" and do not provide - the "cn" attribute then LAM will set it to the user name value. - - - - - Please note that only simple input boxes are supported for - account registration. The user may log in to self service when his - account was created to manage all his attributes. - - - - - Captcha support - - LAM Pro can optionally display a captcha to verify that - registrations are not from robots. The supported captcha provider is - Google reCAPTCHA. You will need the site and secret key for your - domain. They can be retrieved from here: https://www.google.com/recaptcha - - Please note that your web server must be able to access - "https://www.google.com/recaptcha/api/siteverify" to verify the - captchas. Captchas will be displayed automatically when site+secret - key are filled. - - - - - - - - - - - - - User view: - - The user can register by clicking on a link on the self service - login page: - - - - - - - - - - Here he can insert the data that you specified in the self - service profile: - - - - - - - - - - LAM will then send him an email with a validation link that is - valid for 24 hours. When he clicks on this link then the account will - be created in the self service user suffix. The DN will look like - this: uid=<user name>,... - - Please see email format option in - case of broken mails. -
- -
- Custom fields (LAM Pro) - - This module allows you to manage LDAP attributes that are not - covered by the other LAM modules (e.g. if you use custom LDAP - schemas). You can fully define how your input fields look like: - - - - Label - - - - LDAP attribute name - - - - Unique name for field - - - - Help text - - - - Read-only display - - - - Field type: text, password, text area, checkbox, radio - buttons, select list, file upload - - - - Validation via regular expression - - - - Error message if validation fails - - - - To create custom fields for the Self Service please edit your - Self Service profile and switch to tab "Module settings". Here you can - add a new field. Simply fill the fields and press on "Add". - - Please note that the field name cannot be changed later. It is - the unique ID for this field. - - After you created your fields please press on "Sync fields with - page layout". Now you can switch to tab "Page layout" and add your new - fields like any other standard field. - - - - - - - - - - Examples for fields and their representation in Self - Service: - - Text field: - - Text fields allow to specify a validation - expression and error message. - - You can also enable auto-completion. In this case LAM will - search all accounts for the given attribute and provide - auto-completion hints when the user edits this field. This should only - be used if there is a limited number of different values for this - attribute. - - In case your field is a date value you can show a calendar for - easy editing. - - Example calendar formats: - - - - dd.mm.yy: 31.12.2016 - - - - yy-mm-dd: 2016-12-31 - - - - d M, y: 31 Dec, 16 - - - - d MM, y: 31 December, 2016 - - - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Password field: - - You can also manage custom password fields. LAM Pro will display - two fields where the user must enter the same password. You can hash - the password if needed. 
- - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Text area: - - This adds a multi-line field. The options are similar to text - fields. Additionally, you can set the size with the number of columns - and rows. - - Please note that the validation - expression should be set to multi-line. This is done by adding - "m" at the end. - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Checkbox: - - Sometimes you may want to allow only yes/no values for your LDAP - attributes. This can be represented by a checkbox. You can specify the - values for checked and unchecked. The default value is set if the LDAP - attribute has no value. - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Radio buttons: - - This displays a list of radio buttons where the user can select - one value. - - You can specify a mapping of LDAP attribute values and their - display (label) on the Self Service page. To add more mapping fields - please press "Add more mapping fields". - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Select list: - - Select lists allow the user to select a value in a large list of - options. The definition of the possible values and their display is - similar to radio buttons. - - You can also allow multiple values. - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - - - - - - - - - Validation expressions: - - The validation expressions follow the standard of Perl regular - expressions. They start and end with a "/". The beginning of a - line is specified by "^" and the end by "$". - - Examples: - - /^[a-z0-9]+$/ allows small letters and numbers. The value must - not be empty ("+"). - - /^[a-z0-9]+$/i allows small and capital letters ("i" at the end - means ignore case) and numbers. The value must not be empty - ("+"). - - Special characters that must be escaped with "\": "\", ".", "(", - ")" - - E.g. /^[a-z0-9\.]$/i - - - - - File upload: - - This is used for binary data. 
You can restrict uploaded data to - a given file extension and set the maximum file size. - - - - - - - - - - Presentation: - - The uploaded data may also be downloaded via LAM. - - - - - + @@ -1552,45 +301,1295 @@
- Adapt the self service to your corporate design + Page layout - LAM Pro allows you to integrate customs CSS style definitions and - design the header of all self service pages. This way you can integrate - you own logo and use your company's colors. + Here you can specify what input fields your users can see. It is + also possible to group several input fields. -
- Custom header + Please use the arrow signs to change the order of the + fields/groups. - The default LAM Pro header includes a logo and a horizontal - line. You can enter any HTML code here. It will be included in the - self services pages after the body tag. + You may also set some fields as read-only for your users. This can + be done by clicking on the lock symbol. Read-only fields can be used to + show your users additional data on the self service page that must not + be changed by themselves (e.g. first/last name). - - - - - - - -
+ Sometimes, you may want to set a custom label for an input field. + Click on the edit icon to set your own label text (Personal: Department + is relabeled as "Business unit" here). -
- CSS files + + + + + + + - Usually, companies have regulations about their corporate design - and use common CSS files. This assures a common appearance of all - intranet pages (e.g. colors and fonts). To include additional CSS - files just use the following setting for this task. The additional CSS - links will be added after LAM Pro's default CSS link. This way you can - overwrite LAM Pro's style. + Possible input fields - - - - - - - -
+ This is a list of input fields you may add to the self service + page. + + + Self service fields + + + + + Account + type + + Option + + Description + + + + + + + + Asterisk (voicemail) + + Sync Asterisk password with Unix password + + This is a hidden field. It will update the Asterisk + password each time the Unix password is changed. + + + + + + + + Kerberos + + Sync Kerberos password with Unix password + + This is a hidden field. It will update the Kerberos + password each time the Unix password is changed. + + + + + + + + Kolab + + Delegates + + Allows to manage delegate permissions + + + + Invitation policy + + Invitation policy management + + + + + + + + Password policy + + Last password change + + read-only + + + + + + + + Password self reset + + Question + + Security question selection + + + + Answer + + Security answer + + + + Backup email + + (External) backup email address that has no relation to + user password. + + + + + + + + Personal + + Business category + + + + + + Car license + + + + + + Department + + + + + + Description + + + + + + Email address + + + + + + Fax number + + + + + + First name + + + + + + Home telephone number + + + + + + Initials + + + + + + Job title + + + + + + Last name + + + + + + Location + + + + + + Mobile number + + + + + + Office name + + + + + + Organisation + + + + + + Organisational unit + + + + + + Photo + + Shows the user photo if set. The user may also remove the + photo or upload a new one. + + + + Postal address + + + + + + Postal code + + + + + + Post office box + + + + + + Registered address + + + + + + Room number + + + + + + State + + + + + + Street + + + + + + Telephone number + + + + + + User certificates + + Upload of user certificates in PEM or DER format + + + + User name + + + + + + Web site + + + + + + + + + + Samba 3 + + Password + + Input field to set a new NT/LM password. The attribute + "sambaPwdLastSet" is updated if it existed before. 
+ + + + Sync Samba LM password with Unix password + + This is a hidden field. It will update the Samba LM + password each time the Unix password is changed. + + + + Sync Samba NT password with Unix password + + This is a hidden field. It will update the Samba NT + password each time the Unix password is changed. + + + + Update attribute "sambaPwdLastSet" on password + change + + Updates the password timestamp when password is + synchronized with Unix. + + + + Last password change (read-only) + + Displays the date and time of the user's last password + change. + + + + + + + + Shadow + + Last password change (read-only) + + Displays the date and time of the user's last password + change (Unix). + + + + + + + + Windows + + Password + + Change the user's password + + + + Location + + + + + + Office name + + + + + + Postal code + + + + + + Post office box + + + + + + State + + + + + + Street + + + + + + Telephone number + + + + + + Web site + + + + + + + + + + Unix + + Common name + + + + + + Login shell + + + + + + Password + + This is also the source for several password + synchronization options. + + + + Sync Unix password with Windows password + + This is a hidden field. It will update the Unix password + each time the Windows password is changed. + + + + + + + + Zarafa + + "Send as" privileges + + Define user who may send mails as this user + + + + Email aliases + + Email aliases + + + + + + + + PyKota + + Balance (read-only) + + Current balance for printing + + + + Total paid (read-only) + + Total money paid + + + + Payment history + + History of user payments + + + + Job history + + History of printed jobs + + + +
- + +
+ Module settings + + This allows to configure some module specific options (e.g. custom + scripts or password hash type). + + + + + + + + +
+ +
+ Samba 3 + + LAM Pro can check the password history and minimum age for Samba 3 + password changes. In this case please provide the LDAP suffix where your + Samba 3 domain(s) are stored. + + If you leave the field empty then no history and age checks will + be done. + + Password history: depending on your LDAP server you might need + ascending or descending order. Just switch the setting if the password + history is not correctly updated. + + + + + + + + +
+ +
+ Password self reset + + Schema installation + + Please install the LDAP schema as described here. + + Settings + + You can allow your users to reset their passwords themselves. This + will reduce your administrative costs for cases where users forget their + passwords. + + To enable this feature please activate the checkbox "Enable + password self reset link". + + Hint: Plese note that LAM Pro + uses security questions by default. Activate confirmation mails and then + deactivate security questions if you want to use only email + validation. + + + + + + + + + + You can now configure the minimum answer length for password reset + answers. This is checked when you allow you users to specify their + answers via the self service. Additionally, you can specify the text of + the password reset link (default: "Forgot password?"). The link is + displayed below the password field on the self service login + page. + + Next, please enter the DN and password of an LDAP entry that is + allowed to reset the passwords. This entry needs write access to the + attributes shadowLastChange, pwdAccountLockedTime and userPassword. It + also needs read access to uid, mail, passwordSelfResetQuestion and + passwordSelfResetAnswer. Please note that LAM Pro saves the password on + your server file system. Therefore, it is required to protect your + server against unauthorised access. + + Please also specify the list of password reset questions that the + user can choose. + + Please note that self service and LAM admin interface are + separated functionalities. You need to specify the list of possible + security questions in both self service profile(s) and server + profile(s). + + + + You can inform your users via mail about their password change. + The mail can include the new password by using the special wildcard + "@@newPassword@@". Additionally, you may want to insert other wildcards + that are replaced by the corresponding LDAP attributes. E.g. 
"@@uid@@" + will be replaced by the user name. Please see email format option in case of broken mails. + See here for setting up your SMTP + server. + + + + LAM Pro can send your users an email with a confirmation link to + validate their email address. Of course, this should only be used if the + email account is independent from the user password (e.g. at external + provider) or you use the backup email address feature. The mail body + must include the confirmation link by using the special wildcard + "@@resetLink@@". Additionally, you may want to insert other wildcards + that are replaced by the corresponding LDAP attributes. E.g. "@@uid@@" + will be replaced by the user name. + + There is also an option to skip the security question at all if + email verification is enabled. In this case the password can be reset + directly after clicking on the confirmation link. Please handle with + care since anybody with access to the user's mail account can reset the + password. + + Troubleshooting: + + 1. You get messages like "Unable to find user account." + + This can have multiple reasons: + + + + security questions enabled but no security question and/or + answer set for this user + + + + user name + email combination does not exist + + + + no connection to LDAP server + + + + Turn on logging in LAM's main configuration settings. The exact + reason is logged on notice level. + + 2. You do not see security question and answer fields when logged + into self service. + + Probably, the user does not have the object class + "passwordSelfReset" set. You can do this in admin interface. If you have + multiple users to change then use the Multi Edit Tool to add the object + class. + + New fields for self service + page + + There are special fields that you may put on the self service page + for your users. These fields allow them to change the reset questions + and its answers. 
It is also possible to set a backup email address to + reset passwords with an external email address. + + + + + + + + + + This is an example how can be presented to your users on the self + service page: + + + + + + + + + + Password reset link + + After activating the password self reset feature there will be a + new link on the self service login page. The text can be configured as + described above (default: "Forgot password?"). + + + + + + + + + + When a user clicks on the link then he will be asked for + identification with his user name and email address. + + + + + + + + + + LAM Pro will use this information to find the correct LDAP entry + of this user. It then displays the user's security questions and input + fields for his new password. If the answer is correct then the new + password will be set. Additionally, pwdAccountLockedTime will be removed + and shadowLastChange updated to the current time if existing. + + + + + + + + +
+ +
+ User self registration + + With LAM Pro your users can create their own accounts if you like. + LAM Pro will display an additional link on the self service login page + that allows you users to create a new account including email validation + (see here for setting up your SMTP + server). + + You enable this feature in your self service profile. Just + activate the checkbox "Enable self registration link". + + + + + + + + + + Options: + + Link text: This is the label for the link to + the self registration. If empty "Register new account" will be + used. + + Admin DN and password: Please enter the LDAP + DN and its password that should be used to create new users. This DN + also needs to be able to do LDAP searches by uid in the self service + part of your LDAP tree. + + Object classes: This is a list of object + classes that are used to build the new user accounts. Please enter one + object class in each line. If you use LAM Pro password self reset + feature then do not forget to add "passwordSelfReset" here. + + Attributes: This is a list of additional + attributes that the user can enter. Please note that user name, password + and email address are mandatory anyway and need not be specified. + + Each line represents one LDAP attribute. The settings are + separated by "::". The first setting specifies the field type. The + second setting is the LDAP attribute name. Depending on the field type + you can enter additional options: + + + + + + + + Description + + Type + + Attribute name + + First option + + Second option + + Third option + + + + An optional input field that is displayed on the + registration page. + + optional + + e.g. "givenName" + + Label that is displayed on page + + optional regular expression for validation (e.g. + "/^[0-9a-zA-Z]+$/") + + validation message if value does not match validation + expression + + + + A required input field that is displayed on the + registration page. 
Self registration cannot be done if such a + field is left empty by the user. + + required + + e.g. "sn" + + Label that is displayed on page + + optional regular expression for validation (e.g. + "/^[0-9a-zA-Z]+$/") + + validation message if value does not match validation + expression + + + + Constant attribute value, not visible for the user. Can + be used to set some initial values or data that must not be + edited by the user. + + constant + + e.g. "homeDirectory" + + attribute value, supports wirldcards to insert other + attribute values (e.g. "@@uid@@") + + + + + + + + Auto-numbering for attributes such as uidNumber. Will do + a search for attribute values in the given range and use highest + value + 1. + + autorange + + e.g. uidNumber + + LDAP search base, e.g. + ou=people,dc=company,dc=com + + Minimum value, e.g. 1000 + + Maximum value, e.g. 2000 + + + +
+ + For a syntax description of validation expressions see here. Validation is + optional, you can leave these options blank. + + Example: + + optional::givenName::First name::/^[[:alnum:] ]+$/u::Please enter + a valid first name. + + required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a valid + last name. + + constant::homeDirectory::/home/@@uid@@ + + autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000 + + If you use the object class "inetOrgPerson" and do not provide the + "cn" attribute then LAM will set it to the user name value. + + + + + Please note that only simple input boxes are supported for account + registration. The user may log in to self service when his account was + created to manage all his attributes. + + + + + Captcha support + + LAM Pro can optionally display a captcha to verify that + registrations are not from robots. The supported captcha provider is + Google reCAPTCHA. You will need the site and secret key for your domain. + They can be retrieved from here: https://www.google.com/recaptcha + + Please note that your web server must be able to access + "https://www.google.com/recaptcha/api/siteverify" to verify the + captchas. Captchas will be displayed automatically when site+secret key + are filled. + + + + + + + + + + + + + User view: + + The user can register by clicking on a link on the self service + login page: + + + + + + + + + + Here he can insert the data that you specified in the self service + profile: + + + + + + + + + + LAM will then send him an email with a validation link that is + valid for 24 hours. When he clicks on this link then the account will be + created in the self service user suffix. The DN will look like this: + uid=<user name>,... + + Please see email format option in + case of broken mails. +
+ +
+ Custom fields (LAM Pro) + + This module allows you to manage LDAP attributes that are not + covered by the other LAM modules (e.g. if you use custom LDAP schemas). + You can fully define how your input fields look like: + + + + Label + + + + LDAP attribute name + + + + Unique name for field + + + + Help text + + + + Read-only display + + + + Field type: text, password, text area, checkbox, radio + buttons, select list, file upload + + + + Validation via regular expression + + + + Error message if validation fails + + + + To create custom fields for the Self Service please edit your Self + Service profile and switch to tab "Module settings". Here you can add a + new field. Simply fill the fields and press on "Add". + + Please note that the field name cannot be changed later. It is the + unique ID for this field. + + After you created your fields please press on "Sync fields with + page layout". Now you can switch to tab "Page layout" and add your new + fields like any other standard field. + + + + + + + + + + Examples for fields and their representation in Self + Service: + + Text field: + + Text fields allow to specify a validation + expression and error message. + + You can also enable auto-completion. In this case LAM will search + all accounts for the given attribute and provide auto-completion hints + when the user edits this field. This should only be used if there is a + limited number of different values for this attribute. + + In case your field is a date value you can show a calendar for + easy editing. + + Example calendar formats: + + + + dd.mm.yy: 31.12.2016 + + + + yy-mm-dd: 2016-12-31 + + + + d M, y: 31 Dec, 16 + + + + d MM, y: 31 December, 2016 + + + + + + + + + + + + Presentation in Self Service: + + + + + + + + + + Password field: + + You can also manage custom password fields. LAM Pro will display + two fields where the user must enter the same password. You can hash the + password if needed. 
+ + + + + + + + + + Presentation in Self Service: + + + + + + + + + + Text area: + + This adds a multi-line field. The options are similar to text + fields. Additionally, you can set the size with the number of columns + and rows. + + Please note that the validation + expression should be set to multi-line. This is done by adding + "m" at the end. + + + + + + + + + + Presentation in Self Service: + + + + + + + + + + Checkbox: + + Sometimes you may want to allow only yes/no values for your LDAP + attributes. This can be represented by a checkbox. You can specify the + values for checked and unchecked. The default value is set if the LDAP + attribute has no value. + + + + + + + + + + Presentation in Self Service: + + + + + + + + + + Radio buttons: + + This displays a list of radio buttons where the user can select + one value. + + You can specify a mapping of LDAP attribute values and their + display (label) on the Self Service page. To add more mapping fields + please press "Add more mapping fields". + + + + + + + + + + Presentation in Self Service: + + + + + + + + + + Select list: + + Select lists allow the user to select a value in a large list of + options. The definition of the possible values and their display is + similar to radio buttons. + + You can also allow multiple values. + + + + + + + + + + Presentation in Self Service: + + + + + + + + + + + + + + + + + + Validation expressions: + + The validation expressions follow the standard of Perl regular + expressions. They start and end with a "/". The beginning of a + line is specified by "^" and the end by "$". + + Examples: + + /^[a-z0-9]+$/ allows small letters and numbers. The value must not + be empty ("+"). + + /^[a-z0-9]+$/i allows small and capital letters ("i" at the end + means ignore case) and numbers. The value must not be empty + ("+"). + + Special characters that must be escaped with "\": "\", ".", "(", + ")" + + E.g. /^[a-z0-9\.]$/i + + + + + File upload: + + This is used for binary data. 
You can restrict uploaded data to a + given file extension and set the maximum file size. + + + + + + + + + + Presentation: + + The uploaded data may also be downloaded via LAM. + + + + + + + + +
+
+ +
+ Adapt the self service to your corporate design + + LAM Pro allows you to integrate customs CSS style definitions and + design the header of all self service pages. This way you can integrate + you own logo and use your company's colors. + +
+ Custom header + + The default LAM Pro header includes a logo and a horizontal line. + You can enter any HTML code here. It will be included in the self + services pages after the body tag. + + + + + + + + +
+ +
+ CSS files + + Usually, companies have regulations about their corporate design + and use common CSS files. This assures a common appearance of all + intranet pages (e.g. colors and fonts). To include additional CSS files + just use the following setting for this task. The additional CSS links + will be added after LAM Pro's default CSS link. This way you can + overwrite LAM Pro's style. + + + + + + + + +
+
+ diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc index b1ba364f..7eaf32b0 100644 --- a/lam/lib/modules/inetOrgPerson.inc +++ b/lam/lib/modules/inetOrgPerson.inc @@ -159,12 +159,13 @@ class inetOrgPerson extends baseModule implements passwordService { 'homePhone' => _('Home telephone number'), 'pager' => _('Pager'), 'roomNumber' => _('Room number'), 'carLicense' => _('Car license'), 'location' => _('Location'), 'state' => _('State'), 'officeName' => _('Office name'), 'businessCategory' => _('Business category'), 'departmentNumber' => _('Department'), 'initials' => _('Initials'), 'title' => _('Job title'), 'labeledURI' => _('Web site'), - 'userCertificate' => _('User certificates'), 'ou' => _('Organisational unit'), 'description' => _('Description'), 'uid' => _('User name')); + 'userCertificate' => _('User certificates'), 'o' => _('Organisation'), 'ou' => _('Organisational unit'), 'description' => _('Description'), + 'uid' => _('User name')); // possible self service read-only fields $return['selfServiceReadOnlyFields'] = array('firstName', 'lastName', 'mail', 'telephoneNumber', 'mobile', 'faxNumber', 'pager', 'street', 'postalAddress', 'registeredAddress', 'postalCode', 'postOfficeBox', 'jpegPhoto', 'homePhone', 'roomNumber', 'carLicense', 'location', 'state', 'officeName', 'businessCategory', 'departmentNumber', 'initials', 'title', 'labeledURI', 'userCertificate', - 'ou', 'description', 'uid'); + 'o', 'ou', 'description', 'uid'); // profile checks and mappings if (!$this->isBooleanConfigOptionSet('inetOrgPerson_hideInitials')) { $return['profile_mappings']['inetOrgPerson_initials'] = 'initials'; 
@@ -2799,6 +2800,42 @@ class inetOrgPerson extends baseModule implements passwordService { $certLabel = new htmlOutputText($this->getSelfServiceLabel('userCertificate', _('User certificates'))); $return['userCertificate'] = new htmlResponsiveRow($certLabel, $certTable); } + // o + if (in_array('o', $fields)) { + $o = ''; + if (isset($attributes['o'][0])) $o = $attributes['o'][0]; + if (in_array('o', $readOnlyFields)) { + $oField = new htmlOutputText(getAbstractDN($o)); + } + else { + $filter = '(|(objectClass=organizationalunit)(objectClass=country)(objectClass=organization)(objectClass=krbRealmContainer)(objectClass=container))'; + $suffix = $_SESSION['selfServiceProfile']->LDAPSuffix; + $foundOs = searchLDAPPaged($_SESSION['ldapHandle'], $suffix, $filter, array('dn'), false, 0); + $oList = array(); + foreach ($foundOs as $foundO) { + $oList[] = $foundO['dn']; + } + if (!empty($attributes['o'][0]) && !in_array($attributes['o'][0], $oList)) { + $oList[] = $attributes['o'][0]; + usort($oList, 'compareDN'); + } + $oSelectionList = array('' => ''); + foreach ($oList as $singleOU) { + $oSelectionList[getAbstractDN($singleOU)] = $singleOU; + } + $oSelectionListSelected = array(); + if (!empty($attributes['o'][0])) { + $oSelectionListSelected[] = $attributes['o'][0]; + } + $oField = new htmlSelect('inetOrgPerson_o', $oSelectionList, $oSelectionListSelected); + $oField->setHasDescriptiveElements(true); + $oField->setRightToLeftTextDirection(true); + $oField->setSortElements(false); + } + $return['o'] = new htmlResponsiveRow( + new htmlOutputText($this->getSelfServiceLabel('o', _('Organisation'))), $oField + ); + } // ou if (in_array('ou', $fields)) { $ou = ''; 
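Review bot: The select list in the new `o` branch is keyed by `getAbstractDN($singleOU)`, so two containers whose abstract DN renders identically would overwrite each other in `$oSelectionList` and one option would silently vanish — if `getAbstractDN` strips attribute types as its name suggests, `ou=people,dc=x` and `cn=people,dc=x` collide. Keying the array by the DN itself and using the abstract form only as the visible label would avoid that, assuming `htmlSelect`'s descriptive-elements mode permits it; at minimum a comment stating that labels are assumed unique is warranted. The loop variable `$singleOU` is a copy-paste remnant from the `ou` branch below and reads wrong here; `$singleO` (or `$foundDn`) is clearer. The enclosing method starts and ends outside the hunk.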
@@ -2807,8 +2844,7 @@ class inetOrgPerson extends baseModule implements passwordService { $ouField = new htmlOutputText(getAbstractDN($ou)); } else { - $userObj = new user(); - $filter = $userObj->getSuffixFilter(); + $filter = '(|(objectClass=organizationalunit)(objectClass=country)(objectClass=organization)(objectClass=krbRealmContainer)(objectClass=container))'; $suffix = $_SESSION['selfServiceProfile']->LDAPSuffix; $foundOus = searchLDAPPaged($_SESSION['ldapHandle'], $suffix, $filter, array('dn'), false, 0); $ouList = array(); @@ -3272,6 +3308,14 @@ class inetOrgPerson extends baseModule implements passwordService { } elseif (isset($attributes['ou'])) unset($attributesNew['ou']); } + // o + if (in_array('o', $fields) && !in_array('o', $readOnlyFields)) { + $attributeNames[] = 'o'; + if (!empty($_POST['inetOrgPerson_o'])) { + $attributesNew['o'][0] = $_POST['inetOrgPerson_o']; + } + elseif (isset($attributes['o'])) unset($attributesNew['o']); + } // uid if (in_array('uid', $fields) && !in_array('uid', $readOnlyFields)) { $attributeNames[] = 'uid';
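Review bot: The `ou` branch now hard-codes the same object-class filter literal that the new `o` branch above introduces, replacing the call to `user::getSuffixFilter()`, so the two copies can drift and the self-service list may differ from whatever the admin interface offers via that helper (which is not visible here). A single class constant, e.g. `const CONTAINER_FILTER = '(|(objectClass=organizationalunit)(objectClass=country)(objectClass=organization)(objectClass=krbRealmContainer)(objectClass=container))';`, referenced from both branches keeps them in step. A short comment on why `new user()` was dropped (presumably to avoid instantiating the account type inside self service) would help the next maintainer. The enclosing method starts and ends outside the hunk.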
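Review bot: The new save path copies `$_POST['inetOrgPerson_o']` straight into `$attributesNew['o'][0]` without checking that it is one of the DNs the select list offered, so the drop-down is only a client-side restriction and a self-service user can submit any string as `o`, limited solely by the LDAP server's ACLs. Re-running the container search that builds the list and rejecting a posted value that is not among the found DNs (or, if a DN-syntax validator exists in LAM, at least applying that) would make the server enforce what the UI implies; the surrounding `ou` branch appears to follow the same unchecked pattern, so the guard belongs in both. `in_array('o', $fields)` and `in_array('o', $readOnlyFields)` would also be safer with `true` as the third argument. The enclosing method starts and ends outside the hunk.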