"o" for self service
parent
eaa09a2799
commit
a6952f1d9f
|
@ -1,7 +1,7 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
||||
<chapter id="a_selfService">
|
||||
<chapter id="a_selfService">
|
||||
<title>Self service (LAM Pro)</title>
|
||||
|
||||
<section>
|
||||
|
@ -11,8 +11,8 @@
|
|||
<title>OpenLDAP ACLs</title>
|
||||
|
||||
<para>By default only a few administrative users have write access to
|
||||
the LDAP database. Before your users may change their settings you
|
||||
must allow them to change their LDAP data.</para>
|
||||
the LDAP database. Before your users may change their settings you must
|
||||
allow them to change their LDAP data.</para>
|
||||
|
||||
<para>Hint: The ACLs below are not required if you decide to run all
|
||||
operations as the LDAP bind user (option "Use for all
|
||||
|
@ -56,17 +56,17 @@
|
|||
<section>
|
||||
<title>Other LDAP servers</title>
|
||||
|
||||
<para>There exist many LDAP implementations. If you do not use
|
||||
OpenLDAP you need to write your own ACLs. Please check the manual of
|
||||
your LDAP server for instructions.</para>
|
||||
<para>There exist many LDAP implementations. If you do not use OpenLDAP
|
||||
you need to write your own ACLs. Please check the manual of your LDAP
|
||||
server for instructions.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Creating a self service profile</title>
|
||||
|
||||
<para>A self service profile defines what input fields your users see
|
||||
and some other general settings like the login caption.</para>
|
||||
<para>A self service profile defines what input fields your users see and
|
||||
some other general settings like the login caption.</para>
|
||||
|
||||
<para>When you go to the LAM configuration page you will see the self
|
||||
service link at the bottom. This will lead you to the self service
|
||||
|
@ -80,8 +80,8 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>Now we need to create a new self service profile. Click on the
|
||||
link to manage the self service profiles.</para>
|
||||
<para>Now we need to create a new self service profile. Click on the link
|
||||
to manage the self service profiles.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -102,8 +102,8 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>Now go back to the profile login and enter your master
|
||||
configuration password to edit your new profile.</para>
|
||||
<para>Now go back to the profile login and enter your master configuration
|
||||
password to edit your new profile.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -140,8 +140,8 @@
|
|||
<row>
|
||||
<entry>Activate TLS</entry>
|
||||
|
||||
<entry>Activates TLS encryption. Please note that this cannot
|
||||
be combined with LDAP+SSL ("ldaps://").</entry>
|
||||
<entry>Activates TLS encryption. Please note that this cannot be
|
||||
combined with LDAP+SSL ("ldaps://").</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -161,30 +161,29 @@
|
|||
<row>
|
||||
<entry>Follow referrals</entry>
|
||||
|
||||
<entry>By default LAM will not follow LDAP referrals. This is
|
||||
ok for most installations. If you use LDAP referrals please
|
||||
<entry>By default LAM will not follow LDAP referrals. This is ok
|
||||
for most installations. If you use LDAP referrals please
|
||||
activate the referral option in advanced settings.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>LDAP user + password</entry>
|
||||
|
||||
<entry>The DN and password which is used to search for users
|
||||
in the LDAP database. It is sufficient if this DN has only
|
||||
read rights. If you leave these fields empty LAM will try to
|
||||
connect anonymously.</entry>
|
||||
<entry>The DN and password which is used to search for users in
|
||||
the LDAP database. It is sufficient if this DN has only read
|
||||
rights. If you leave these fields empty LAM will try to connect
|
||||
anonymously.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Use for all operations</entry>
|
||||
|
||||
<entry>By default LAM will use the credentials of the user
|
||||
that logged in to self service for read/modify operations. If
|
||||
you select this box then the connection user specified before
|
||||
will be used instead. Please note that this can be a security
|
||||
risk because the user requires write access to all users. You
|
||||
need to make sure that your LAM server is well
|
||||
protected.</entry>
|
||||
<entry>By default LAM will use the credentials of the user that
|
||||
logged in to self service for read/modify operations. If you
|
||||
select this box then the connection user specified before will
|
||||
be used instead. Please note that this can be a security risk
|
||||
because the user requires write access to all users. You need to
|
||||
make sure that your LAM server is well protected.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -200,9 +199,8 @@
|
|||
|
||||
<entry>You can enable HTTP authentication for your users. This
|
||||
way the web server is responsible to authenticate your users.
|
||||
LAM will use the given user name + password for the LDAP
|
||||
login. To setup HTTP authentication in Apache please see this
|
||||
<ulink
|
||||
LAM will use the given user name + password for the LDAP login.
|
||||
To setup HTTP authentication in Apache please see this <ulink
|
||||
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</entry>
|
||||
</row>
|
||||
|
||||
|
@ -210,16 +208,15 @@
|
|||
<entry>Login attribute label</entry>
|
||||
|
||||
<entry>This is the description for the LDAP search attribute.
|
||||
Set it to something which your users are familiar
|
||||
with.</entry>
|
||||
Set it to something which your users are familiar with.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Password field label</entry>
|
||||
|
||||
<entry>This text is placed as label for the password field on
|
||||
the login page. LAM will use "Password" if you do not enter
|
||||
any text.</entry>
|
||||
the login page. LAM will use "Password" if you do not enter any
|
||||
text.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -239,9 +236,9 @@
|
|||
<row>
|
||||
<entry>Page header</entry>
|
||||
|
||||
<entry>This HTML code will be placed on top of all self
|
||||
service pages. E.g. you can use this to place your custom
|
||||
logo. Any HTML code is permitted.</entry>
|
||||
<entry>This HTML code will be placed on top of all self service
|
||||
pages. E.g. you can use this to place your custom logo. Any HTML
|
||||
code is permitted.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -261,11 +258,11 @@
|
|||
<section>
|
||||
<title>2-factor authentication</title>
|
||||
|
||||
<para>LAM supports 2-factor authentication for your users. This
|
||||
means the user will not only authenticate by user+password but also
|
||||
with e.g. a token generated by a mobile device. This adds more
|
||||
security because the token is generated on a physically separated
|
||||
device (typically mobile phone).</para>
|
||||
<para>LAM supports 2-factor authentication for your users. This means
|
||||
the user will not only authenticate by user+password but also with
|
||||
e.g. a token generated by a mobile device. This adds more security
|
||||
because the token is generated on a physically separated device
|
||||
(typically mobile phone).</para>
|
||||
|
||||
<para>The token is validated by a second application. LAM currently
|
||||
supports:</para>
|
||||
|
@ -277,9 +274,9 @@
|
|||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>By default LAM will enforce to use a token and reject users
|
||||
that did not setup one. You can set this check to optional. But if a
|
||||
user has setup a token then this will always be required.</para>
|
||||
<para>By default LAM will enforce to use a token and reject users that
|
||||
did not setup one. You can set this check to optional. But if a user
|
||||
has setup a token then this will always be required.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -290,8 +287,8 @@
|
|||
</screenshot>
|
||||
|
||||
<para>After logging in with user + password LAM will ask for the 2nd
|
||||
factor. If the user has setup multiple factors then he can choose
|
||||
one of them.</para>
|
||||
factor. If the user has setup multiple factors then he can choose one
|
||||
of them.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -312,14 +309,14 @@
|
|||
<para>Please use the arrow signs to change the order of the
|
||||
fields/groups.</para>
|
||||
|
||||
<para>You may also set some fields as read-only for your users. This
|
||||
can be done by clicking on the lock symbol. Read-only fields can be
|
||||
used to show your users additional data on the self service page that
|
||||
must not be changed by themselves (e.g. first/last name).</para>
|
||||
<para>You may also set some fields as read-only for your users. This can
|
||||
be done by clicking on the lock symbol. Read-only fields can be used to
|
||||
show your users additional data on the self service page that must not
|
||||
be changed by themselves (e.g. first/last name).</para>
|
||||
|
||||
<para>Sometimes, you may want to set a custom label for an input
|
||||
field. Click on the edit icon to set your own label text (Personal:
|
||||
Department is relabeled as "Business unit" here).</para>
|
||||
<para>Sometimes, you may want to set a custom label for an input field.
|
||||
Click on the edit icon to set your own label text (Personal: Department
|
||||
is relabeled as "Business unit" here).</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -432,7 +429,7 @@
|
|||
</row>
|
||||
|
||||
<row>
|
||||
<entry morerows="26"><inlinemediaobject>
|
||||
<entry morerows="27"><inlinemediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="images/schema_user.png" />
|
||||
</imageobject>
|
||||
|
@ -521,6 +518,12 @@
|
|||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Organisation</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Organisational unit</entry>
|
||||
|
||||
|
@ -530,8 +533,8 @@
|
|||
<row>
|
||||
<entry>Photo</entry>
|
||||
|
||||
<entry>Shows the user photo if set. The user may also remove
|
||||
the photo or upload a new one.</entry>
|
||||
<entry>Shows the user photo if set. The user may also remove the
|
||||
photo or upload a new one.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -585,8 +588,7 @@
|
|||
<row>
|
||||
<entry>User certificates</entry>
|
||||
|
||||
<entry>Upload of user certificates in PEM or DER
|
||||
format</entry>
|
||||
<entry>Upload of user certificates in PEM or DER format</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -744,8 +746,8 @@
|
|||
<row>
|
||||
<entry>Sync Unix password with Windows password</entry>
|
||||
|
||||
<entry>This is a hidden field. It will update the Unix
|
||||
password each time the Windows password is changed.</entry>
|
||||
<entry>This is a hidden field. It will update the Unix password
|
||||
each time the Windows password is changed.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -803,8 +805,8 @@
|
|||
<section>
|
||||
<title>Module settings</title>
|
||||
|
||||
<para>This allows to configure some module specific options (e.g.
|
||||
custom scripts or password hash type).</para>
|
||||
<para>This allows to configure some module specific options (e.g. custom
|
||||
scripts or password hash type).</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -818,9 +820,9 @@
|
|||
<section>
|
||||
<title>Samba 3</title>
|
||||
|
||||
<para>LAM Pro can check the password history and minimum age for Samba
|
||||
3 password changes. In this case please provide the LDAP suffix where
|
||||
your Samba 3 domain(s) are stored.</para>
|
||||
<para>LAM Pro can check the password history and minimum age for Samba 3
|
||||
password changes. In this case please provide the LDAP suffix where your
|
||||
Samba 3 domain(s) are stored.</para>
|
||||
|
||||
<para>If you leave the field empty then no history and age checks will
|
||||
be done.</para>
|
||||
|
@ -848,16 +850,16 @@
|
|||
|
||||
<para><emphasis role="bold">Settings</emphasis></para>
|
||||
|
||||
<para>You can allow your users to reset their passwords themselves.
|
||||
This will reduce your administrative costs for cases where users
|
||||
forget their passwords.</para>
|
||||
<para>You can allow your users to reset their passwords themselves. This
|
||||
will reduce your administrative costs for cases where users forget their
|
||||
passwords.</para>
|
||||
|
||||
<para>To enable this feature please activate the checkbox "Enable
|
||||
password self reset link".</para>
|
||||
|
||||
<para><emphasis role="bold">Hint:</emphasis> Plese note that LAM Pro
|
||||
uses security questions by default. Activate confirmation mails and
|
||||
then deactivate security questions if you want to use only email
|
||||
uses security questions by default. Activate confirmation mails and then
|
||||
deactivate security questions if you want to use only email
|
||||
validation.</para>
|
||||
|
||||
<screenshot>
|
||||
|
@ -868,23 +870,23 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>You can now configure the minimum answer length for password
|
||||
reset answers. This is checked when you allow you users to specify
|
||||
their answers via the self service. Additionally, you can specify the
|
||||
text of the password reset link (default: "Forgot password?"). The
|
||||
link is displayed below the password field on the self service login
|
||||
<para>You can now configure the minimum answer length for password reset
|
||||
answers. This is checked when you allow you users to specify their
|
||||
answers via the self service. Additionally, you can specify the text of
|
||||
the password reset link (default: "Forgot password?"). The link is
|
||||
displayed below the password field on the self service login
|
||||
page.</para>
|
||||
|
||||
<para>Next, please enter the DN and password of an LDAP entry that is
|
||||
allowed to reset the passwords. This entry needs write access to the
|
||||
attributes shadowLastChange, pwdAccountLockedTime and userPassword. It
|
||||
also needs read access to uid, mail, passwordSelfResetQuestion and
|
||||
passwordSelfResetAnswer. Please note that LAM Pro saves the password
|
||||
on your server file system. Therefore, it is required to protect your
|
||||
passwordSelfResetAnswer. Please note that LAM Pro saves the password on
|
||||
your server file system. Therefore, it is required to protect your
|
||||
server against unauthorised access.</para>
|
||||
|
||||
<para>Please also specify the list of password reset questions that
|
||||
the user can choose.</para>
|
||||
<para>Please also specify the list of password reset questions that the
|
||||
user can choose.</para>
|
||||
|
||||
<para>Please note that self service and LAM admin interface are
|
||||
separated functionalities. You need to specify the list of possible
|
||||
|
@ -895,9 +897,9 @@
|
|||
|
||||
<para>You can inform your users via mail about their password change.
|
||||
The mail can include the new password by using the special wildcard
|
||||
"@@newPassword@@". Additionally, you may want to insert other
|
||||
wildcards that are replaced by the corresponding LDAP attributes. E.g.
|
||||
"@@uid@@" will be replaced by the user name. Please see <link
|
||||
"@@newPassword@@". Additionally, you may want to insert other wildcards
|
||||
that are replaced by the corresponding LDAP attributes. E.g. "@@uid@@"
|
||||
will be replaced by the user name. Please see <link
|
||||
linkend="mailEOL">email format option</link> in case of broken mails.
|
||||
See <link linkend="mailSetup">here</link> for setting up your SMTP
|
||||
server.</para>
|
||||
|
@ -905,19 +907,19 @@
|
|||
<literallayout> </literallayout>
|
||||
|
||||
<para>LAM Pro can send your users an email with a confirmation link to
|
||||
validate their email address. Of course, this should only be used if
|
||||
the email account is independent from the user password (e.g. at
|
||||
external provider) or you use the backup email address feature. The
|
||||
mail body must include the confirmation link by using the special
|
||||
wildcard "@@resetLink@@". Additionally, you may want to insert other
|
||||
wildcards that are replaced by the corresponding LDAP attributes. E.g.
|
||||
"@@uid@@" will be replaced by the user name.</para>
|
||||
validate their email address. Of course, this should only be used if the
|
||||
email account is independent from the user password (e.g. at external
|
||||
provider) or you use the backup email address feature. The mail body
|
||||
must include the confirmation link by using the special wildcard
|
||||
"@@resetLink@@". Additionally, you may want to insert other wildcards
|
||||
that are replaced by the corresponding LDAP attributes. E.g. "@@uid@@"
|
||||
will be replaced by the user name.</para>
|
||||
|
||||
<para>There is also an option to skip the security question at all if
|
||||
email verification is enabled. In this case the password can be reset
|
||||
directly after clicking on the confirmation link. Please handle with
|
||||
care since anybody with access to the user's mail account can reset
|
||||
the password.</para>
|
||||
care since anybody with access to the user's mail account can reset the
|
||||
password.</para>
|
||||
|
||||
<para><emphasis role="bold">Troubleshooting:</emphasis></para>
|
||||
|
||||
|
@ -943,22 +945,22 @@
|
|||
<para>Turn on logging in LAM's main configuration settings. The exact
|
||||
reason is logged on notice level.</para>
|
||||
|
||||
<para>2. You do not see security question and answer fields when
|
||||
logged into self service.</para>
|
||||
<para>2. You do not see security question and answer fields when logged
|
||||
into self service.</para>
|
||||
|
||||
<para>Probably, the user does not have the object class
|
||||
"passwordSelfReset" set. You can do this in admin interface. If you
|
||||
have multiple users to change then use the <link
|
||||
"passwordSelfReset" set. You can do this in admin interface. If you have
|
||||
multiple users to change then use the <link
|
||||
linkend="toolMultiEdit">Multi Edit Tool</link> to add the object
|
||||
class.</para>
|
||||
|
||||
<para><emphasis role="bold">New fields for self service
|
||||
page</emphasis></para>
|
||||
|
||||
<para>There are special fields that you may put on the self service
|
||||
page for your users. These fields allow them to change the reset
|
||||
questions and its answers. It is also possible to set a backup email
|
||||
address to reset passwords with an external email address.</para>
|
||||
<para>There are special fields that you may put on the self service page
|
||||
for your users. These fields allow them to change the reset questions
|
||||
and its answers. It is also possible to set a backup email address to
|
||||
reset passwords with an external email address.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -968,8 +970,8 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>This is an example how can be presented to your users on the
|
||||
self service page:</para>
|
||||
<para>This is an example how can be presented to your users on the self
|
||||
service page:</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1007,9 +1009,8 @@
|
|||
<para>LAM Pro will use this information to find the correct LDAP entry
|
||||
of this user. It then displays the user's security questions and input
|
||||
fields for his new password. If the answer is correct then the new
|
||||
password will be set. Additionally, pwdAccountLockedTime will be
|
||||
removed and shadowLastChange updated to the current time if
|
||||
existing.</para>
|
||||
password will be set. Additionally, pwdAccountLockedTime will be removed
|
||||
and shadowLastChange updated to the current time if existing.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1023,11 +1024,11 @@
|
|||
<section>
|
||||
<title>User self registration</title>
|
||||
|
||||
<para>With LAM Pro your users can create their own accounts if you
|
||||
like. LAM Pro will display an additional link on the self service
|
||||
login page that allows you users to create a new account including
|
||||
email validation (see <link linkend="mailSetup">here</link> for
|
||||
setting up your SMTP server).</para>
|
||||
<para>With LAM Pro your users can create their own accounts if you like.
|
||||
LAM Pro will display an additional link on the self service login page
|
||||
that allows you users to create a new account including email validation
|
||||
(see <link linkend="mailSetup">here</link> for setting up your SMTP
|
||||
server).</para>
|
||||
|
||||
<para>You enable this feature in your self service profile. Just
|
||||
activate the checkbox "Enable self registration link".</para>
|
||||
|
@ -1042,14 +1043,14 @@
|
|||
|
||||
<para><emphasis role="bold">Options:</emphasis></para>
|
||||
|
||||
<para><emphasis>Link text:</emphasis> This is the label for the link
|
||||
to the self registration. If empty "Register new account" will be
|
||||
<para><emphasis>Link text:</emphasis> This is the label for the link to
|
||||
the self registration. If empty "Register new account" will be
|
||||
used.</para>
|
||||
|
||||
<para><emphasis>Admin DN and password:</emphasis> Please enter the
|
||||
LDAP DN and its password that should be used to create new users. This
|
||||
DN also needs to be able to do LDAP searches by uid in the self
|
||||
service part of your LDAP tree.</para>
|
||||
<para><emphasis>Admin DN and password:</emphasis> Please enter the LDAP
|
||||
DN and its password that should be used to create new users. This DN
|
||||
also needs to be able to do LDAP searches by uid in the self service
|
||||
part of your LDAP tree.</para>
|
||||
|
||||
<para><emphasis>Object classes:</emphasis> This is a list of object
|
||||
classes that are used to build the new user accounts. Please enter one
|
||||
|
@ -1057,9 +1058,8 @@
|
|||
feature then do not forget to add "passwordSelfReset" here.</para>
|
||||
|
||||
<para><emphasis>Attributes:</emphasis> This is a list of additional
|
||||
attributes that the user can enter. Please note that user name,
|
||||
password and email address are mandatory anyway and need not be
|
||||
specified.</para>
|
||||
attributes that the user can enter. Please note that user name, password
|
||||
and email address are mandatory anyway and need not be specified.</para>
|
||||
|
||||
<para>Each line represents one LDAP attribute. The settings are
|
||||
separated by "::". The first setting specifies the field type. The
|
||||
|
@ -1138,9 +1138,9 @@
|
|||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Auto-numbering for attributes such as uidNumber. Will
|
||||
do a search for attribute values in the given range and use
|
||||
highest value + 1.</entry>
|
||||
<entry>Auto-numbering for attributes such as uidNumber. Will do
|
||||
a search for attribute values in the given range and use highest
|
||||
value + 1.</entry>
|
||||
|
||||
<entry>autorange</entry>
|
||||
|
||||
|
@ -1163,25 +1163,25 @@
|
|||
|
||||
<para><emphasis role="bold">Example:</emphasis></para>
|
||||
|
||||
<para>optional::givenName::First name::/^[[:alnum:] ]+$/u::Please
|
||||
enter a valid first name.</para>
|
||||
<para>optional::givenName::First name::/^[[:alnum:] ]+$/u::Please enter
|
||||
a valid first name.</para>
|
||||
|
||||
<para>required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a
|
||||
valid last name.</para>
|
||||
<para>required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a valid
|
||||
last name.</para>
|
||||
|
||||
<para>constant::homeDirectory::/home/@@uid@@</para>
|
||||
|
||||
<para>autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000</para>
|
||||
|
||||
<para>If you use the object class "inetOrgPerson" and do not provide
|
||||
the "cn" attribute then LAM will set it to the user name value.</para>
|
||||
<para>If you use the object class "inetOrgPerson" and do not provide the
|
||||
"cn" attribute then LAM will set it to the user name value.</para>
|
||||
|
||||
<literallayout>
|
||||
</literallayout>
|
||||
|
||||
<para>Please note that only simple input boxes are supported for
|
||||
account registration. The user may log in to self service when his
|
||||
account was created to manage all his attributes.</para>
|
||||
<para>Please note that only simple input boxes are supported for account
|
||||
registration. The user may log in to self service when his account was
|
||||
created to manage all his attributes.</para>
|
||||
|
||||
<literallayout>
|
||||
</literallayout>
|
||||
|
@ -1190,14 +1190,14 @@
|
|||
|
||||
<para>LAM Pro can optionally display a captcha to verify that
|
||||
registrations are not from robots. The supported captcha provider is
|
||||
Google reCAPTCHA. You will need the site and secret key for your
|
||||
domain. They can be retrieved from here: <ulink
|
||||
Google reCAPTCHA. You will need the site and secret key for your domain.
|
||||
They can be retrieved from here: <ulink
|
||||
url="https://www.google.com/recaptcha">https://www.google.com/recaptcha</ulink></para>
|
||||
|
||||
<para>Please note that your web server must be able to access
|
||||
"https://www.google.com/recaptcha/api/siteverify" to verify the
|
||||
captchas. Captchas will be displayed automatically when site+secret
|
||||
key are filled.</para>
|
||||
captchas. Captchas will be displayed automatically when site+secret key
|
||||
are filled.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1223,8 +1223,8 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>Here he can insert the data that you specified in the self
|
||||
service profile:</para>
|
||||
<para>Here he can insert the data that you specified in the self service
|
||||
profile:</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1235,9 +1235,9 @@
|
|||
</screenshot>
|
||||
|
||||
<para>LAM will then send him an email with a validation link that is
|
||||
valid for 24 hours. When he clicks on this link then the account will
|
||||
be created in the self service user suffix. The DN will look like
|
||||
this: <emphasis>uid=<user name>,...</emphasis></para>
|
||||
valid for 24 hours. When he clicks on this link then the account will be
|
||||
created in the self service user suffix. The DN will look like this:
|
||||
<emphasis>uid=<user name>,...</emphasis></para>
|
||||
|
||||
<para>Please see <link linkend="mailEOL">email format option</link> in
|
||||
case of broken mails.</para>
|
||||
|
@ -1247,8 +1247,8 @@
|
|||
<title>Custom fields (LAM Pro)</title>
|
||||
|
||||
<para>This module allows you to manage LDAP attributes that are not
|
||||
covered by the other LAM modules (e.g. if you use custom LDAP
|
||||
schemas). You can fully define how your input fields look like:</para>
|
||||
covered by the other LAM modules (e.g. if you use custom LDAP schemas).
|
||||
You can fully define how your input fields look like:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
@ -1285,12 +1285,12 @@
|
|||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>To create custom fields for the Self Service please edit your
|
||||
Self Service profile and switch to tab "Module settings". Here you can
|
||||
add a new field. Simply fill the fields and press on "Add".</para>
|
||||
<para>To create custom fields for the Self Service please edit your Self
|
||||
Service profile and switch to tab "Module settings". Here you can add a
|
||||
new field. Simply fill the fields and press on "Add".</para>
|
||||
|
||||
<para>Please note that the field name cannot be changed later. It is
|
||||
the unique ID for this field.</para>
|
||||
<para>Please note that the field name cannot be changed later. It is the
|
||||
unique ID for this field.</para>
|
||||
|
||||
<para>After you created your fields please press on "Sync fields with
|
||||
page layout". Now you can switch to tab "Page layout" and add your new
|
||||
|
@ -1313,11 +1313,10 @@
|
|||
linkend="customFields_validation_expressions">validation
|
||||
expression</link> and error message.</para>
|
||||
|
||||
<para>You can also enable auto-completion. In this case LAM will
|
||||
search all accounts for the given attribute and provide
|
||||
auto-completion hints when the user edits this field. This should only
|
||||
be used if there is a limited number of different values for this
|
||||
attribute.</para>
|
||||
<para>You can also enable auto-completion. In this case LAM will search
|
||||
all accounts for the given attribute and provide auto-completion hints
|
||||
when the user edits this field. This should only be used if there is a
|
||||
limited number of different values for this attribute.</para>
|
||||
|
||||
<para>In case your field is a date value you can show a calendar for
|
||||
easy editing.</para>
|
||||
|
@ -1363,8 +1362,8 @@
|
|||
<para><emphasis role="bold">Password field:</emphasis></para>
|
||||
|
||||
<para>You can also manage custom password fields. LAM Pro will display
|
||||
two fields where the user must enter the same password. You can hash
|
||||
the password if needed.</para>
|
||||
two fields where the user must enter the same password. You can hash the
|
||||
password if needed.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1509,8 +1508,8 @@
|
|||
|
||||
<para>Examples:</para>
|
||||
|
||||
<para>/^[a-z0-9]+$/ allows small letters and numbers. The value must
|
||||
not be empty ("+").</para>
|
||||
<para>/^[a-z0-9]+$/ allows small letters and numbers. The value must not
|
||||
be empty ("+").</para>
|
||||
|
||||
<para>/^[a-z0-9]+$/i allows small and capital letters ("i" at the end
|
||||
means ignore case) and numbers. The value must not be empty
|
||||
|
@ -1526,8 +1525,8 @@
|
|||
|
||||
<para><emphasis role="bold">File upload:</emphasis></para>
|
||||
|
||||
<para>This is used for binary data. You can restrict uploaded data to
|
||||
a given file extension and set the maximum file size.</para>
|
||||
<para>This is used for binary data. You can restrict uploaded data to a
|
||||
given file extension and set the maximum file size.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1561,9 +1560,9 @@
|
|||
<section>
|
||||
<title>Custom header</title>
|
||||
|
||||
<para>The default LAM Pro header includes a logo and a horizontal
|
||||
line. You can enter any HTML code here. It will be included in the
|
||||
self services pages after the body tag.</para>
|
||||
<para>The default LAM Pro header includes a logo and a horizontal line.
|
||||
You can enter any HTML code here. It will be included in the self
|
||||
services pages after the body tag.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1579,9 +1578,9 @@
|
|||
|
||||
<para>Usually, companies have regulations about their corporate design
|
||||
and use common CSS files. This assures a common appearance of all
|
||||
intranet pages (e.g. colors and fonts). To include additional CSS
|
||||
files just use the following setting for this task. The additional CSS
|
||||
links will be added after LAM Pro's default CSS link. This way you can
|
||||
intranet pages (e.g. colors and fonts). To include additional CSS files
|
||||
just use the following setting for this task. The additional CSS links
|
||||
will be added after LAM Pro's default CSS link. This way you can
|
||||
overwrite LAM Pro's style.</para>
|
||||
|
||||
<screenshot>
|
||||
|
@ -1593,4 +1592,4 @@
|
|||
</screenshot>
|
||||
</section>
|
||||
</section>
|
||||
</chapter>
|
||||
</chapter>
|
||||
|
|
|
@ -159,12 +159,13 @@ class inetOrgPerson extends baseModule implements passwordService {
|
|||
'homePhone' => _('Home telephone number'), 'pager' => _('Pager'), 'roomNumber' => _('Room number'), 'carLicense' => _('Car license'),
|
||||
'location' => _('Location'), 'state' => _('State'), 'officeName' => _('Office name'), 'businessCategory' => _('Business category'),
|
||||
'departmentNumber' => _('Department'), 'initials' => _('Initials'), 'title' => _('Job title'), 'labeledURI' => _('Web site'),
|
||||
'userCertificate' => _('User certificates'), 'ou' => _('Organisational unit'), 'description' => _('Description'), 'uid' => _('User name'));
|
||||
'userCertificate' => _('User certificates'), 'o' => _('Organisation'), 'ou' => _('Organisational unit'), 'description' => _('Description'),
|
||||
'uid' => _('User name'));
|
||||
// possible self service read-only fields
|
||||
$return['selfServiceReadOnlyFields'] = array('firstName', 'lastName', 'mail', 'telephoneNumber', 'mobile', 'faxNumber', 'pager', 'street',
|
||||
'postalAddress', 'registeredAddress', 'postalCode', 'postOfficeBox', 'jpegPhoto', 'homePhone', 'roomNumber', 'carLicense',
|
||||
'location', 'state', 'officeName', 'businessCategory', 'departmentNumber', 'initials', 'title', 'labeledURI', 'userCertificate',
|
||||
'ou', 'description', 'uid');
|
||||
'o', 'ou', 'description', 'uid');
|
||||
// profile checks and mappings
|
||||
if (!$this->isBooleanConfigOptionSet('inetOrgPerson_hideInitials')) {
|
||||
$return['profile_mappings']['inetOrgPerson_initials'] = 'initials';
|
||||
|
@ -2799,6 +2800,42 @@ class inetOrgPerson extends baseModule implements passwordService {
|
|||
$certLabel = new htmlOutputText($this->getSelfServiceLabel('userCertificate', _('User certificates')));
|
||||
$return['userCertificate'] = new htmlResponsiveRow($certLabel, $certTable);
|
||||
}
|
||||
// o
|
||||
if (in_array('o', $fields)) {
|
||||
$o = '';
|
||||
if (isset($attributes['o'][0])) $o = $attributes['o'][0];
|
||||
if (in_array('o', $readOnlyFields)) {
|
||||
$oField = new htmlOutputText(getAbstractDN($o));
|
||||
}
|
||||
else {
|
||||
$filter = '(|(objectClass=organizationalunit)(objectClass=country)(objectClass=organization)(objectClass=krbRealmContainer)(objectClass=container))';
|
||||
$suffix = $_SESSION['selfServiceProfile']->LDAPSuffix;
|
||||
$foundOs = searchLDAPPaged($_SESSION['ldapHandle'], $suffix, $filter, array('dn'), false, 0);
|
||||
$oList = array();
|
||||
foreach ($foundOs as $foundO) {
|
||||
$oList[] = $foundO['dn'];
|
||||
}
|
||||
if (!empty($attributes['o'][0]) && !in_array($attributes['o'][0], $oList)) {
|
||||
$oList[] = $attributes['o'][0];
|
||||
usort($oList, 'compareDN');
|
||||
}
|
||||
$oSelectionList = array('' => '');
|
||||
foreach ($oList as $singleOU) {
|
||||
$oSelectionList[getAbstractDN($singleOU)] = $singleOU;
|
||||
}
|
||||
$oSelectionListSelected = array();
|
||||
if (!empty($attributes['o'][0])) {
|
||||
$oSelectionListSelected[] = $attributes['o'][0];
|
||||
}
|
||||
$oField = new htmlSelect('inetOrgPerson_o', $oSelectionList, $oSelectionListSelected);
|
||||
$oField->setHasDescriptiveElements(true);
|
||||
$oField->setRightToLeftTextDirection(true);
|
||||
$oField->setSortElements(false);
|
||||
}
|
||||
$return['o'] = new htmlResponsiveRow(
|
||||
new htmlOutputText($this->getSelfServiceLabel('o', _('Organisation'))), $oField
|
||||
);
|
||||
}
|
||||
// ou
|
||||
if (in_array('ou', $fields)) {
|
||||
$ou = '';
|
||||
|
@ -2807,8 +2844,7 @@ class inetOrgPerson extends baseModule implements passwordService {
|
|||
$ouField = new htmlOutputText(getAbstractDN($ou));
|
||||
}
|
||||
else {
|
||||
$userObj = new user();
|
||||
$filter = $userObj->getSuffixFilter();
|
||||
$filter = '(|(objectClass=organizationalunit)(objectClass=country)(objectClass=organization)(objectClass=krbRealmContainer)(objectClass=container))';
|
||||
$suffix = $_SESSION['selfServiceProfile']->LDAPSuffix;
|
||||
$foundOus = searchLDAPPaged($_SESSION['ldapHandle'], $suffix, $filter, array('dn'), false, 0);
|
||||
$ouList = array();
|
||||
|
@ -3272,6 +3308,14 @@ class inetOrgPerson extends baseModule implements passwordService {
|
|||
}
|
||||
elseif (isset($attributes['ou'])) unset($attributesNew['ou']);
|
||||
}
|
||||
// o
|
||||
if (in_array('o', $fields) && !in_array('o', $readOnlyFields)) {
|
||||
$attributeNames[] = 'o';
|
||||
if (!empty($_POST['inetOrgPerson_o'])) {
|
||||
$attributesNew['o'][0] = $_POST['inetOrgPerson_o'];
|
||||
}
|
||||
elseif (isset($attributes['o'])) unset($attributesNew['o']);
|
||||
}
|
||||
// uid
|
||||
if (in_array('uid', $fields) && !in_array('uid', $readOnlyFields)) {
|
||||
$attributeNames[] = 'uid';
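Review bot: The new `// o` save branch in the last hunk copies `$_POST['inetOrgPerson_o']` straight into `$attributesNew['o'][0]`, so the select list built in the form hunk is the only restriction on the value, and a request that bypasses the form can store any string the LDAP ACLs permit. If other systems read `o` for access or tenancy decisions this lets users assign themselves an organisation, so the save path should repeat the lookup and accept only offered entries, e.g. `if (!empty($_POST['inetOrgPerson_o']) && in_array($_POST['inetOrgPerson_o'], $allowedOs, true)) {`, where `$allowedOs` is a placeholder name for a list filled from the same `searchLDAPPaged` call plus the current value. The hard-coded objectClass filter now appears twice (the `o` and `ou` form branches); moving it to one constant or helper would let the save check reuse it. The enclosing functions start and end outside these hunks, and the one visible line of the `ou` save branch suggests the existing `ou` handling may have the same gap.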
|
||||
|
|