"o" for self service

Roland Gruber 2017-05-13 11:10:38 +02:00
parent eaa09a2799
commit a6952f1d9f
2 changed files with 1542 additions and 1499 deletions


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter id="a_selfService"> <chapter id="a_selfService">
<title>Self service (LAM Pro)</title> <title>Self service (LAM Pro)</title>
<section> <section>
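Review bot: Almost every hunk in this diff is a pure re-wrap of the existing DocBook text with no change in wording, which hides the two substantive edits (the new Organisation row and the matching morerows bump) inside roughly 1500 added and 1500 removed lines; committing the automatic reflow separately from the content change, with a commit message that says what changed instead of "o", would make this reviewable and easier to bisect later.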
@ -11,8 +11,8 @@
<title>OpenLDAP ACLs</title> <title>OpenLDAP ACLs</title>
<para>By default only a few administrative users have write access to <para>By default only a few administrative users have write access to
the LDAP database. Before your users may change their settings you the LDAP database. Before your users may change their settings you must
must allow them to change their LDAP data.</para> allow them to change their LDAP data.</para>
<para>Hint: The ACLs below are not required if you decide to run all <para>Hint: The ACLs below are not required if you decide to run all
operations as the LDAP bind user (option "Use for all operations as the LDAP bind user (option "Use for all
@ -56,17 +56,17 @@
<section> <section>
<title>Other LDAP servers</title> <title>Other LDAP servers</title>
<para>There exist many LDAP implementations. If you do not use <para>There exist many LDAP implementations. If you do not use OpenLDAP
OpenLDAP you need to write your own ACLs. Please check the manual of you need to write your own ACLs. Please check the manual of your LDAP
your LDAP server for instructions.</para> server for instructions.</para>
</section> </section>
</section> </section>
<section> <section>
<title>Creating a self service profile</title> <title>Creating a self service profile</title>
<para>A self service profile defines what input fields your users see <para>A self service profile defines what input fields your users see and
and some other general settings like the login caption.</para> some other general settings like the login caption.</para>
<para>When you go to the LAM configuration page you will see the self <para>When you go to the LAM configuration page you will see the self
service link at the bottom. This will lead you to the self service service link at the bottom. This will lead you to the self service
@ -80,8 +80,8 @@
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para>Now we need to create a new self service profile. Click on the <para>Now we need to create a new self service profile. Click on the link
link to manage the self service profiles.</para> to manage the self service profiles.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -102,8 +102,8 @@
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para>Now go back to the profile login and enter your master <para>Now go back to the profile login and enter your master configuration
configuration password to edit your new profile.</para> password to edit your new profile.</para>
</section> </section>
<section> <section>
@ -140,8 +140,8 @@
<row> <row>
<entry>Activate TLS</entry> <entry>Activate TLS</entry>
<entry>Activates TLS encryption. Please note that this cannot <entry>Activates TLS encryption. Please note that this cannot be
be combined with LDAP+SSL ("ldaps://").</entry> combined with LDAP+SSL ("ldaps://").</entry>
</row> </row>
<row> <row>
@ -161,30 +161,29 @@
<row> <row>
<entry>Follow referrals</entry> <entry>Follow referrals</entry>
<entry>By default LAM will not follow LDAP referrals. This is <entry>By default LAM will not follow LDAP referrals. This is ok
ok for most installations. If you use LDAP referrals please for most installations. If you use LDAP referrals please
activate the referral option in advanced settings.</entry> activate the referral option in advanced settings.</entry>
</row> </row>
<row> <row>
<entry>LDAP user + password</entry> <entry>LDAP user + password</entry>
<entry>The DN and password which is used to search for users <entry>The DN and password which is used to search for users in
in the LDAP database. It is sufficient if this DN has only the LDAP database. It is sufficient if this DN has only read
read rights. If you leave these fields empty LAM will try to rights. If you leave these fields empty LAM will try to connect
connect anonymously.</entry> anonymously.</entry>
</row> </row>
<row> <row>
<entry>Use for all operations</entry> <entry>Use for all operations</entry>
<entry>By default LAM will use the credentials of the user <entry>By default LAM will use the credentials of the user that
that logged in to self service for read/modify operations. If logged in to self service for read/modify operations. If you
you select this box then the connection user specified before select this box then the connection user specified before will
will be used instead. Please note that this can be a security be used instead. Please note that this can be a security risk
risk because the user requires write access to all users. You because the user requires write access to all users. You need to
need to make sure that your LAM server is well make sure that your LAM server is well protected.</entry>
protected.</entry>
</row> </row>
<row> <row>
@ -200,9 +199,8 @@
<entry>You can enable HTTP authentication for your users. This <entry>You can enable HTTP authentication for your users. This
way the web server is responsible to authenticate your users. way the web server is responsible to authenticate your users.
LAM will use the given user name + password for the LDAP LAM will use the given user name + password for the LDAP login.
login. To setup HTTP authentication in Apache please see this To setup HTTP authentication in Apache please see this <ulink
<ulink
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</entry> url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</entry>
</row> </row>
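Review bot: The ulink in this hunk still points at the Apache httpd 2.2 how-to (http://httpd.apache.org/docs/2.2/howto/auth.html); since the line is being rewrapped anyway, this is the moment to switch it to the current 2.4 page (https://httpd.apache.org/docs/2.4/howto/auth.html) and to https.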
@ -210,16 +208,15 @@
<entry>Login attribute label</entry> <entry>Login attribute label</entry>
<entry>This is the description for the LDAP search attribute. <entry>This is the description for the LDAP search attribute.
Set it to something which your users are familiar Set it to something which your users are familiar with.</entry>
with.</entry>
</row> </row>
<row> <row>
<entry>Password field label</entry> <entry>Password field label</entry>
<entry>This text is placed as label for the password field on <entry>This text is placed as label for the password field on
the login page. LAM will use "Password" if you do not enter the login page. LAM will use "Password" if you do not enter any
any text.</entry> text.</entry>
</row> </row>
<row> <row>
@ -239,9 +236,9 @@
<row> <row>
<entry>Page header</entry> <entry>Page header</entry>
<entry>This HTML code will be placed on top of all self <entry>This HTML code will be placed on top of all self service
service pages. E.g. you can use this to place your custom pages. E.g. you can use this to place your custom logo. Any HTML
logo. Any HTML code is permitted.</entry> code is permitted.</entry>
</row> </row>
<row> <row>
@ -261,11 +258,11 @@
<section> <section>
<title>2-factor authentication</title> <title>2-factor authentication</title>
<para>LAM supports 2-factor authentication for your users. This <para>LAM supports 2-factor authentication for your users. This means
means the user will not only authenticate by user+password but also the user will not only authenticate by user+password but also with
with e.g. a token generated by a mobile device. This adds more e.g. a token generated by a mobile device. This adds more security
security because the token is generated on a physically separated because the token is generated on a physically separated device
device (typically mobile phone).</para> (typically mobile phone).</para>
<para>The token is validated by a second application. LAM currently <para>The token is validated by a second application. LAM currently
supports:</para> supports:</para>
@ -277,9 +274,9 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>By default LAM will enforce to use a token and reject users <para>By default LAM will enforce to use a token and reject users that
that did not setup one. You can set this check to optional. But if a did not setup one. You can set this check to optional. But if a user
user has setup a token then this will always be required.</para> has setup a token then this will always be required.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -290,8 +287,8 @@
</screenshot> </screenshot>
<para>After logging in with user + password LAM will ask for the 2nd <para>After logging in with user + password LAM will ask for the 2nd
factor. If the user has setup multiple factors then he can choose factor. If the user has setup multiple factors then he can choose one
one of them.</para> of them.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -312,14 +309,14 @@
<para>Please use the arrow signs to change the order of the <para>Please use the arrow signs to change the order of the
fields/groups.</para> fields/groups.</para>
<para>You may also set some fields as read-only for your users. This <para>You may also set some fields as read-only for your users. This can
can be done by clicking on the lock symbol. Read-only fields can be be done by clicking on the lock symbol. Read-only fields can be used to
used to show your users additional data on the self service page that show your users additional data on the self service page that must not
must not be changed by themselves (e.g. first/last name).</para> be changed by themselves (e.g. first/last name).</para>
<para>Sometimes, you may want to set a custom label for an input <para>Sometimes, you may want to set a custom label for an input field.
field. Click on the edit icon to set your own label text (Personal: Click on the edit icon to set your own label text (Personal: Department
Department is relabeled as "Business unit" here).</para> is relabeled as "Business unit" here).</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -432,7 +429,7 @@
</row> </row>
<row> <row>
<entry morerows="26"><inlinemediaobject> <entry morerows="27"><inlinemediaobject>
<imageobject> <imageobject>
<imagedata fileref="images/schema_user.png" /> <imagedata fileref="images/schema_user.png" />
</imageobject> </imageobject>
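Review bot: The morerows change from 26 to 27 must equal the number of extra rows spanned by this image entry; it matches the single Organisation row added in the next hunk, so it is correct here, but any row later added to or removed from this part of the table has to update this value again or the rendered DocBook table will come out with misaligned cells.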
@ -521,6 +518,12 @@
<entry></entry> <entry></entry>
</row> </row>
<row>
<entry>Organisation</entry>
<entry></entry>
</row>
<row> <row>
<entry>Organisational unit</entry> <entry>Organisational unit</entry>
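Review bot: The new Organisation row has an empty description entry while the neighbouring rows (Photo, User certificates) explain what the field shows or allows; a one-line description that names the underlying LDAP attribute (the commit title suggests "o") would keep the table consistent and let readers who search the manual by attribute name find the field.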
@ -530,8 +533,8 @@
<row> <row>
<entry>Photo</entry> <entry>Photo</entry>
<entry>Shows the user photo if set. The user may also remove <entry>Shows the user photo if set. The user may also remove the
the photo or upload a new one.</entry> photo or upload a new one.</entry>
</row> </row>
<row> <row>
@ -585,8 +588,7 @@
<row> <row>
<entry>User certificates</entry> <entry>User certificates</entry>
<entry>Upload of user certificates in PEM or DER <entry>Upload of user certificates in PEM or DER format</entry>
format</entry>
</row> </row>
<row> <row>
@ -744,8 +746,8 @@
<row> <row>
<entry>Sync Unix password with Windows password</entry> <entry>Sync Unix password with Windows password</entry>
<entry>This is a hidden field. It will update the Unix <entry>This is a hidden field. It will update the Unix password
password each time the Windows password is changed.</entry> each time the Windows password is changed.</entry>
</row> </row>
<row> <row>
@ -803,8 +805,8 @@
<section> <section>
<title>Module settings</title> <title>Module settings</title>
<para>This allows to configure some module specific options (e.g. <para>This allows to configure some module specific options (e.g. custom
custom scripts or password hash type).</para> scripts or password hash type).</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -818,9 +820,9 @@
<section> <section>
<title>Samba 3</title> <title>Samba 3</title>
<para>LAM Pro can check the password history and minimum age for Samba <para>LAM Pro can check the password history and minimum age for Samba 3
3 password changes. In this case please provide the LDAP suffix where password changes. In this case please provide the LDAP suffix where your
your Samba 3 domain(s) are stored.</para> Samba 3 domain(s) are stored.</para>
<para>If you leave the field empty then no history and age checks will <para>If you leave the field empty then no history and age checks will
be done.</para> be done.</para>
@ -848,16 +850,16 @@
<para><emphasis role="bold">Settings</emphasis></para> <para><emphasis role="bold">Settings</emphasis></para>
<para>You can allow your users to reset their passwords themselves. <para>You can allow your users to reset their passwords themselves. This
This will reduce your administrative costs for cases where users will reduce your administrative costs for cases where users forget their
forget their passwords.</para> passwords.</para>
<para>To enable this feature please activate the checkbox "Enable <para>To enable this feature please activate the checkbox "Enable
password self reset link".</para> password self reset link".</para>
<para><emphasis role="bold">Hint:</emphasis> Plese note that LAM Pro <para><emphasis role="bold">Hint:</emphasis> Plese note that LAM Pro
uses security questions by default. Activate confirmation mails and uses security questions by default. Activate confirmation mails and then
then deactivate security questions if you want to use only email deactivate security questions if you want to use only email
validation.</para> validation.</para>
<screenshot> <screenshot>
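Review bot: "Plese note" on the Hint line is a typo that survived the reflow; since the line is touched anyway, change it to "Please note".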
@ -868,23 +870,23 @@
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para>You can now configure the minimum answer length for password <para>You can now configure the minimum answer length for password reset
reset answers. This is checked when you allow you users to specify answers. This is checked when you allow you users to specify their
their answers via the self service. Additionally, you can specify the answers via the self service. Additionally, you can specify the text of
text of the password reset link (default: "Forgot password?"). The the password reset link (default: "Forgot password?"). The link is
link is displayed below the password field on the self service login displayed below the password field on the self service login
page.</para> page.</para>
<para>Next, please enter the DN and password of an LDAP entry that is <para>Next, please enter the DN and password of an LDAP entry that is
allowed to reset the passwords. This entry needs write access to the allowed to reset the passwords. This entry needs write access to the
attributes shadowLastChange, pwdAccountLockedTime and userPassword. It attributes shadowLastChange, pwdAccountLockedTime and userPassword. It
also needs read access to uid, mail, passwordSelfResetQuestion and also needs read access to uid, mail, passwordSelfResetQuestion and
passwordSelfResetAnswer. Please note that LAM Pro saves the password passwordSelfResetAnswer. Please note that LAM Pro saves the password on
on your server file system. Therefore, it is required to protect your your server file system. Therefore, it is required to protect your
server against unauthorised access.</para> server against unauthorised access.</para>
<para>Please also specify the list of password reset questions that <para>Please also specify the list of password reset questions that the
the user can choose.</para> user can choose.</para>
<para>Please note that self service and LAM admin interface are <para>Please note that self service and LAM admin interface are
separated functionalities. You need to specify the list of possible separated functionalities. You need to specify the list of possible
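Review bot: "when you allow you users to specify their answers" should read "your users". More importantly, the paragraph says LAM Pro stores the reset account's password on the server file system and then only advises protecting the server; naming the file that holds it and the ownership and permissions it should have would turn that warning into something an administrator can verify, which matters because the same paragraph documents that this DN has write access to userPassword for all users.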
@ -895,9 +897,9 @@
<para>You can inform your users via mail about their password change. <para>You can inform your users via mail about their password change.
The mail can include the new password by using the special wildcard The mail can include the new password by using the special wildcard
"@@newPassword@@". Additionally, you may want to insert other "@@newPassword@@". Additionally, you may want to insert other wildcards
wildcards that are replaced by the corresponding LDAP attributes. E.g. that are replaced by the corresponding LDAP attributes. E.g. "@@uid@@"
"@@uid@@" will be replaced by the user name. Please see <link will be replaced by the user name. Please see <link
linkend="mailEOL">email format option</link> in case of broken mails. linkend="mailEOL">email format option</link> in case of broken mails.
See <link linkend="mailSetup">here</link> for setting up your SMTP See <link linkend="mailSetup">here</link> for setting up your SMTP
server.</para> server.</para>
@ -905,19 +907,19 @@
<literallayout> </literallayout> <literallayout> </literallayout>
<para>LAM Pro can send your users an email with a confirmation link to <para>LAM Pro can send your users an email with a confirmation link to
validate their email address. Of course, this should only be used if validate their email address. Of course, this should only be used if the
the email account is independent from the user password (e.g. at email account is independent from the user password (e.g. at external
external provider) or you use the backup email address feature. The provider) or you use the backup email address feature. The mail body
mail body must include the confirmation link by using the special must include the confirmation link by using the special wildcard
wildcard "@@resetLink@@". Additionally, you may want to insert other "@@resetLink@@". Additionally, you may want to insert other wildcards
wildcards that are replaced by the corresponding LDAP attributes. E.g. that are replaced by the corresponding LDAP attributes. E.g. "@@uid@@"
"@@uid@@" will be replaced by the user name.</para> will be replaced by the user name.</para>
<para>There is also an option to skip the security question at all if <para>There is also an option to skip the security question at all if
email verification is enabled. In this case the password can be reset email verification is enabled. In this case the password can be reset
directly after clicking on the confirmation link. Please handle with directly after clicking on the confirmation link. Please handle with
care since anybody with access to the user's mail account can reset care since anybody with access to the user's mail account can reset the
the password.</para> password.</para>
<para><emphasis role="bold">Troubleshooting:</emphasis></para> <para><emphasis role="bold">Troubleshooting:</emphasis></para>
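Review bot: "skip the security question at all" is unidiomatic; "skip the security question entirely" says what is meant. The sentence that follows, warning that anyone with access to the mail account can then reset the password, is the important part and should stay next to the option description as it is here.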
@ -943,22 +945,22 @@
<para>Turn on logging in LAM's main configuration settings. The exact <para>Turn on logging in LAM's main configuration settings. The exact
reason is logged on notice level.</para> reason is logged on notice level.</para>
<para>2. You do not see security question and answer fields when <para>2. You do not see security question and answer fields when logged
logged into self service.</para> into self service.</para>
<para>Probably, the user does not have the object class <para>Probably, the user does not have the object class
"passwordSelfReset" set. You can do this in admin interface. If you "passwordSelfReset" set. You can do this in admin interface. If you have
have multiple users to change then use the <link multiple users to change then use the <link
linkend="toolMultiEdit">Multi Edit Tool</link> to add the object linkend="toolMultiEdit">Multi Edit Tool</link> to add the object
class.</para> class.</para>
<para><emphasis role="bold">New fields for self service <para><emphasis role="bold">New fields for self service
page</emphasis></para> page</emphasis></para>
<para>There are special fields that you may put on the self service <para>There are special fields that you may put on the self service page
page for your users. These fields allow them to change the reset for your users. These fields allow them to change the reset questions
questions and its answers. It is also possible to set a backup email and its answers. It is also possible to set a backup email address to
address to reset passwords with an external email address.</para> reset passwords with an external email address.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -968,8 +970,8 @@
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para>This is an example how can be presented to your users on the <para>This is an example how can be presented to your users on the self
self service page:</para> service page:</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
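Review bot: "This is an example how can be presented to your users" is missing its subject; "This is an example of how this can be presented to your users" reads correctly.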
@ -1007,9 +1009,8 @@
<para>LAM Pro will use this information to find the correct LDAP entry <para>LAM Pro will use this information to find the correct LDAP entry
of this user. It then displays the user's security questions and input of this user. It then displays the user's security questions and input
fields for his new password. If the answer is correct then the new fields for his new password. If the answer is correct then the new
password will be set. Additionally, pwdAccountLockedTime will be password will be set. Additionally, pwdAccountLockedTime will be removed
removed and shadowLastChange updated to the current time if and shadowLastChange updated to the current time if existing.</para>
existing.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -1023,11 +1024,11 @@
<section> <section>
<title>User self registration</title> <title>User self registration</title>
<para>With LAM Pro your users can create their own accounts if you <para>With LAM Pro your users can create their own accounts if you like.
like. LAM Pro will display an additional link on the self service LAM Pro will display an additional link on the self service login page
login page that allows you users to create a new account including that allows you users to create a new account including email validation
email validation (see <link linkend="mailSetup">here</link> for (see <link linkend="mailSetup">here</link> for setting up your SMTP
setting up your SMTP server).</para> server).</para>
<para>You enable this feature in your self service profile. Just <para>You enable this feature in your self service profile. Just
activate the checkbox "Enable self registration link".</para> activate the checkbox "Enable self registration link".</para>
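Review bot: "allows you users to create a new account" should be "allows your users to create a new account".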
@ -1042,14 +1043,14 @@
<para><emphasis role="bold">Options:</emphasis></para> <para><emphasis role="bold">Options:</emphasis></para>
<para><emphasis>Link text:</emphasis> This is the label for the link <para><emphasis>Link text:</emphasis> This is the label for the link to
to the self registration. If empty "Register new account" will be the self registration. If empty "Register new account" will be
used.</para> used.</para>
<para><emphasis>Admin DN and password:</emphasis> Please enter the <para><emphasis>Admin DN and password:</emphasis> Please enter the LDAP
LDAP DN and its password that should be used to create new users. This DN and its password that should be used to create new users. This DN
DN also needs to be able to do LDAP searches by uid in the self also needs to be able to do LDAP searches by uid in the self service
service part of your LDAP tree.</para> part of your LDAP tree.</para>
<para><emphasis>Object classes:</emphasis> This is a list of object <para><emphasis>Object classes:</emphasis> This is a list of object
classes that are used to build the new user accounts. Please enter one classes that are used to build the new user accounts. Please enter one
@ -1057,9 +1058,8 @@
feature then do not forget to add "passwordSelfReset" here.</para> feature then do not forget to add "passwordSelfReset" here.</para>
<para><emphasis>Attributes:</emphasis> This is a list of additional <para><emphasis>Attributes:</emphasis> This is a list of additional
attributes that the user can enter. Please note that user name, attributes that the user can enter. Please note that user name, password
password and email address are mandatory anyway and need not be and email address are mandatory anyway and need not be specified.</para>
specified.</para>
<para>Each line represents one LDAP attribute. The settings are <para>Each line represents one LDAP attribute. The settings are
separated by "::". The first setting specifies the field type. The separated by "::". The first setting specifies the field type. The
@ -1138,9 +1138,9 @@
</row> </row>
<row> <row>
<entry>Auto-numbering for attributes such as uidNumber. Will <entry>Auto-numbering for attributes such as uidNumber. Will do
do a search for attribute values in the given range and use a search for attribute values in the given range and use highest
highest value + 1.</entry> value + 1.</entry>
<entry>autorange</entry> <entry>autorange</entry>
@ -1163,25 +1163,25 @@
<para><emphasis role="bold">Example:</emphasis></para> <para><emphasis role="bold">Example:</emphasis></para>
<para>optional::givenName::First name::/^[[:alnum:] ]+$/u::Please <para>optional::givenName::First name::/^[[:alnum:] ]+$/u::Please enter
enter a valid first name.</para> a valid first name.</para>
<para>required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a <para>required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a valid
valid last name.</para> last name.</para>
<para>constant::homeDirectory::/home/@@uid@@</para> <para>constant::homeDirectory::/home/@@uid@@</para>
<para>autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000</para> <para>autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000</para>
<para>If you use the object class "inetOrgPerson" and do not provide <para>If you use the object class "inetOrgPerson" and do not provide the
the "cn" attribute then LAM will set it to the user name value.</para> "cn" attribute then LAM will set it to the user name value.</para>
<literallayout> <literallayout>
</literallayout> </literallayout>
<para>Please note that only simple input boxes are supported for <para>Please note that only simple input boxes are supported for account
account registration. The user may log in to self service when his registration. The user may log in to self service when his account was
account was created to manage all his attributes.</para> created to manage all his attributes.</para>
<literallayout> <literallayout>
</literallayout> </literallayout>
@ -1190,14 +1190,14 @@
<para>LAM Pro can optionally display a captcha to verify that <para>LAM Pro can optionally display a captcha to verify that
registrations are not from robots. The supported captcha provider is registrations are not from robots. The supported captcha provider is
Google reCAPTCHA. You will need the site and secret key for your Google reCAPTCHA. You will need the site and secret key for your domain.
domain. They can be retrieved from here: <ulink They can be retrieved from here: <ulink
url="https://www.google.com/recaptcha">https://www.google.com/recaptcha</ulink></para> url="https://www.google.com/recaptcha">https://www.google.com/recaptcha</ulink></para>
<para>Please note that your web server must be able to access <para>Please note that your web server must be able to access
"https://www.google.com/recaptcha/api/siteverify" to verify the "https://www.google.com/recaptcha/api/siteverify" to verify the
captchas. Captchas will be displayed automatically when site+secret captchas. Captchas will be displayed automatically when site+secret key
key are filled.</para> are filled.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -1223,8 +1223,8 @@
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para>Here he can insert the data that you specified in the self <para>Here he can insert the data that you specified in the self service
service profile:</para> profile:</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -1235,9 +1235,9 @@
</screenshot> </screenshot>
<para>LAM will then send him an email with a validation link that is <para>LAM will then send him an email with a validation link that is
valid for 24 hours. When he clicks on this link then the account will valid for 24 hours. When he clicks on this link then the account will be
be created in the self service user suffix. The DN will look like created in the self service user suffix. The DN will look like this:
this: <emphasis>uid=&lt;user name&gt;,...</emphasis></para> <emphasis>uid=&lt;user name&gt;,...</emphasis></para>
<para>Please see <link linkend="mailEOL">email format option</link> in <para>Please see <link linkend="mailEOL">email format option</link> in
case of broken mails.</para> case of broken mails.</para>
@ -1247,8 +1247,8 @@
<title>Custom fields (LAM Pro)</title> <title>Custom fields (LAM Pro)</title>
<para>This module allows you to manage LDAP attributes that are not <para>This module allows you to manage LDAP attributes that are not
covered by the other LAM modules (e.g. if you use custom LDAP covered by the other LAM modules (e.g. if you use custom LDAP schemas).
schemas). You can fully define how your input fields look like:</para> You can fully define how your input fields look like:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -1285,12 +1285,12 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>To create custom fields for the Self Service please edit your <para>To create custom fields for the Self Service please edit your Self
Self Service profile and switch to tab "Module settings". Here you can Service profile and switch to tab "Module settings". Here you can add a
add a new field. Simply fill the fields and press on "Add".</para> new field. Simply fill the fields and press on "Add".</para>
<para>Please note that the field name cannot be changed later. It is <para>Please note that the field name cannot be changed later. It is the
the unique ID for this field.</para> unique ID for this field.</para>
<para>After you created your fields please press on "Sync fields with <para>After you created your fields please press on "Sync fields with
page layout". Now you can switch to tab "Page layout" and add your new page layout". Now you can switch to tab "Page layout" and add your new
@ -1313,11 +1313,10 @@
linkend="customFields_validation_expressions">validation linkend="customFields_validation_expressions">validation
expression</link> and error message.</para> expression</link> and error message.</para>
<para>You can also enable auto-completion. In this case LAM will <para>You can also enable auto-completion. In this case LAM will search
search all accounts for the given attribute and provide all accounts for the given attribute and provide auto-completion hints
auto-completion hints when the user edits this field. This should only when the user edits this field. This should only be used if there is a
be used if there is a limited number of different values for this limited number of different values for this attribute.</para>
attribute.</para>
<para>In case your field is a date value you can show a calendar for <para>In case your field is a date value you can show a calendar for
easy editing.</para> easy editing.</para>
@ -1363,8 +1362,8 @@
<para><emphasis role="bold">Password field:</emphasis></para> <para><emphasis role="bold">Password field:</emphasis></para>
<para>You can also manage custom password fields. LAM Pro will display <para>You can also manage custom password fields. LAM Pro will display
two fields where the user must enter the same password. You can hash two fields where the user must enter the same password. You can hash the
the password if needed.</para> password if needed.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -1509,8 +1508,8 @@
<para>Examples:</para> <para>Examples:</para>
<para>/^[a-z0-9]+$/ allows small letters and numbers. The value must <para>/^[a-z0-9]+$/ allows small letters and numbers. The value must not
not be empty ("+").</para> be empty ("+").</para>
<para>/^[a-z0-9]+$/i allows small and capital letters ("i" at the end <para>/^[a-z0-9]+$/i allows small and capital letters ("i" at the end
means ignore case) and numbers. The value must not be empty means ignore case) and numbers. The value must not be empty
@ -1526,8 +1525,8 @@
<para><emphasis role="bold">File upload:</emphasis></para> <para><emphasis role="bold">File upload:</emphasis></para>
<para>This is used for binary data. You can restrict uploaded data to <para>This is used for binary data. You can restrict uploaded data to a
a given file extension and set the maximum file size.</para> given file extension and set the maximum file size.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -1561,9 +1560,9 @@
<section> <section>
<title>Custom header</title> <title>Custom header</title>
<para>The default LAM Pro header includes a logo and a horizontal <para>The default LAM Pro header includes a logo and a horizontal line.
line. You can enter any HTML code here. It will be included in the You can enter any HTML code here. It will be included in the self
self services pages after the body tag.</para> services pages after the body tag.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
@ -1579,9 +1578,9 @@
<para>Usually, companies have regulations about their corporate design <para>Usually, companies have regulations about their corporate design
and use common CSS files. This assures a common appearance of all and use common CSS files. This assures a common appearance of all
intranet pages (e.g. colors and fonts). To include additional CSS intranet pages (e.g. colors and fonts). To include additional CSS files
files just use the following setting for this task. The additional CSS just use the following setting for this task. The additional CSS links
links will be added after LAM Pro's default CSS link. This way you can will be added after LAM Pro's default CSS link. This way you can
overwrite LAM Pro's style.</para> overwrite LAM Pro's style.</para>
<screenshot> <screenshot>
@ -1593,4 +1592,4 @@
</screenshot> </screenshot>
</section> </section>
</section> </section>
</chapter> </chapter>
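Review bot: every hunk in this manual file is a line-wrap reflow with no wording change, while the code hunks in inetOrgPerson.inc introduce a new self service field "o" (Organisation). If the manual enumerates the self service fields available per module, the new field should be added in the same commit so documentation and code do not drift apart.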

View File

@ -159,12 +159,13 @@ class inetOrgPerson extends baseModule implements passwordService {
'homePhone' => _('Home telephone number'), 'pager' => _('Pager'), 'roomNumber' => _('Room number'), 'carLicense' => _('Car license'), 'homePhone' => _('Home telephone number'), 'pager' => _('Pager'), 'roomNumber' => _('Room number'), 'carLicense' => _('Car license'),
'location' => _('Location'), 'state' => _('State'), 'officeName' => _('Office name'), 'businessCategory' => _('Business category'), 'location' => _('Location'), 'state' => _('State'), 'officeName' => _('Office name'), 'businessCategory' => _('Business category'),
'departmentNumber' => _('Department'), 'initials' => _('Initials'), 'title' => _('Job title'), 'labeledURI' => _('Web site'), 'departmentNumber' => _('Department'), 'initials' => _('Initials'), 'title' => _('Job title'), 'labeledURI' => _('Web site'),
'userCertificate' => _('User certificates'), 'ou' => _('Organisational unit'), 'description' => _('Description'), 'uid' => _('User name')); 'userCertificate' => _('User certificates'), 'o' => _('Organisation'), 'ou' => _('Organisational unit'), 'description' => _('Description'),
'uid' => _('User name'));
// possible self service read-only fields // possible self service read-only fields
$return['selfServiceReadOnlyFields'] = array('firstName', 'lastName', 'mail', 'telephoneNumber', 'mobile', 'faxNumber', 'pager', 'street', $return['selfServiceReadOnlyFields'] = array('firstName', 'lastName', 'mail', 'telephoneNumber', 'mobile', 'faxNumber', 'pager', 'street',
'postalAddress', 'registeredAddress', 'postalCode', 'postOfficeBox', 'jpegPhoto', 'homePhone', 'roomNumber', 'carLicense', 'postalAddress', 'registeredAddress', 'postalCode', 'postOfficeBox', 'jpegPhoto', 'homePhone', 'roomNumber', 'carLicense',
'location', 'state', 'officeName', 'businessCategory', 'departmentNumber', 'initials', 'title', 'labeledURI', 'userCertificate', 'location', 'state', 'officeName', 'businessCategory', 'departmentNumber', 'initials', 'title', 'labeledURI', 'userCertificate',
'ou', 'description', 'uid'); 'o', 'ou', 'description', 'uid');
// profile checks and mappings // profile checks and mappings
if (!$this->isBooleanConfigOptionSet('inetOrgPerson_hideInitials')) { if (!$this->isBooleanConfigOptionSet('inetOrgPerson_hideInitials')) {
$return['profile_mappings']['inetOrgPerson_initials'] = 'initials'; $return['profile_mappings']['inetOrgPerson_initials'] = 'initials';
@ -2799,6 +2800,42 @@ class inetOrgPerson extends baseModule implements passwordService {
$certLabel = new htmlOutputText($this->getSelfServiceLabel('userCertificate', _('User certificates'))); $certLabel = new htmlOutputText($this->getSelfServiceLabel('userCertificate', _('User certificates')));
$return['userCertificate'] = new htmlResponsiveRow($certLabel, $certTable); $return['userCertificate'] = new htmlResponsiveRow($certLabel, $certTable);
} }
// o
if (in_array('o', $fields)) {
$o = '';
if (isset($attributes['o'][0])) $o = $attributes['o'][0];
if (in_array('o', $readOnlyFields)) {
$oField = new htmlOutputText(getAbstractDN($o));
}
else {
$filter = '(|(objectClass=organizationalunit)(objectClass=country)(objectClass=organization)(objectClass=krbRealmContainer)(objectClass=container))';
$suffix = $_SESSION['selfServiceProfile']->LDAPSuffix;
$foundOs = searchLDAPPaged($_SESSION['ldapHandle'], $suffix, $filter, array('dn'), false, 0);
$oList = array();
foreach ($foundOs as $foundO) {
$oList[] = $foundO['dn'];
}
if (!empty($attributes['o'][0]) && !in_array($attributes['o'][0], $oList)) {
$oList[] = $attributes['o'][0];
usort($oList, 'compareDN');
}
$oSelectionList = array('' => '');
foreach ($oList as $singleOU) {
$oSelectionList[getAbstractDN($singleOU)] = $singleOU;
}
$oSelectionListSelected = array();
if (!empty($attributes['o'][0])) {
$oSelectionListSelected[] = $attributes['o'][0];
}
$oField = new htmlSelect('inetOrgPerson_o', $oSelectionList, $oSelectionListSelected);
$oField->setHasDescriptiveElements(true);
$oField->setRightToLeftTextDirection(true);
$oField->setSortElements(false);
}
$return['o'] = new htmlResponsiveRow(
new htmlOutputText($this->getSelfServiceLabel('o', _('Organisation'))), $oField
);
}
// ou // ou
if (in_array('ou', $fields)) { if (in_array('ou', $fields)) {
$ou = ''; $ou = '';
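Review bot: the loop variable in `foreach ($oList as $singleOU)` is a copy-paste leftover from the ou block and should be renamed (e.g. `$singleO`) so a reader does not mistake it for an ou value. Two further points in this hunk: the `usort($oList, 'compareDN')` call only runs when the user's current value had to be appended, so with `setSortElements(false)` the select order otherwise depends on the LDAP search order; sort unconditionally for a stable list. And the objectClass filter string is hard-coded here and repeated verbatim in the ou hunk below; a shared constant or helper would keep the two in sync.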
@ -2807,8 +2844,7 @@ class inetOrgPerson extends baseModule implements passwordService {
$ouField = new htmlOutputText(getAbstractDN($ou)); $ouField = new htmlOutputText(getAbstractDN($ou));
} }
else { else {
$userObj = new user(); $filter = '(|(objectClass=organizationalunit)(objectClass=country)(objectClass=organization)(objectClass=krbRealmContainer)(objectClass=container))';
$filter = $userObj->getSuffixFilter();
$suffix = $_SESSION['selfServiceProfile']->LDAPSuffix; $suffix = $_SESSION['selfServiceProfile']->LDAPSuffix;
$foundOus = searchLDAPPaged($_SESSION['ldapHandle'], $suffix, $filter, array('dn'), false, 0); $foundOus = searchLDAPPaged($_SESSION['ldapHandle'], $suffix, $filter, array('dn'), false, 0);
$ouList = array(); $ouList = array();
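Review bot: replacing `$userObj->getSuffixFilter()` with a literal filter means the ou selection in self service no longer follows whatever the user module returns from `getSuffixFilter()`; if that filter is extended later (another container objectClass, for instance), this code path silently falls behind. If the intent is to avoid instantiating `user` here, consider exposing the filter as a static method or constant and using it in both the o and ou blocks instead of duplicating the string.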
@ -3272,6 +3308,14 @@ class inetOrgPerson extends baseModule implements passwordService {
} }
elseif (isset($attributes['ou'])) unset($attributesNew['ou']); elseif (isset($attributes['ou'])) unset($attributesNew['ou']);
} }
// o
if (in_array('o', $fields) && !in_array('o', $readOnlyFields)) {
$attributeNames[] = 'o';
if (!empty($_POST['inetOrgPerson_o'])) {
$attributesNew['o'][0] = $_POST['inetOrgPerson_o'];
}
elseif (isset($attributes['o'])) unset($attributesNew['o']);
}
// uid // uid
if (in_array('uid', $fields) && !in_array('uid', $readOnlyFields)) { if (in_array('uid', $fields) && !in_array('uid', $readOnlyFields)) {
$attributeNames[] = 'uid'; $attributeNames[] = 'uid';
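Review bot: `$attributesNew['o'][0] = $_POST['inetOrgPerson_o'];` copies the submitted value into the entry without checking that it is one of the DNs that were offered in the selection list built in the 2800 hunk, so a modified request can set `o` to any string the server-side LDAP ACLs permit. Mirror the display side by re-running the same search (or keeping the offered list in the session) and rejecting a posted value that is not in it, and add an error message for that case; if the fallback is intentionally "trust the LDAP ACL", state that in a comment next to the assignment. The `elseif (isset($attributes['o'])) unset($attributesNew['o']);` branch correctly removes the attribute when the empty option is chosen.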