diff --git a/lam/docs/manual-sources/appendix-cluster.xml b/lam/docs/manual-sources/appendix-cluster.xml
new file mode 100644
index 00000000..af1391d4
--- /dev/null
+++ b/lam/docs/manual-sources/appendix-cluster.xml
@@ -0,0 +1,75 @@
+
+
+
+ Clustering LAM
+
+ LAM is a web application based on PHP. Therefore, clustering is not
+ directly a part of the application.
+
+ But here are some hints to run LAM in a clustered
+ environment.
+
+ Application parts:
+
+ LAM can be divided into three parts
+
+
+
+ Software
+
+
+
+ Configuration files
+
+
+
+ Session files and temporary data
+
+
+
+ Software:
+
+ This is the simplest part. Just install LAM on each cluster node.
+ Please note that if you run LAM Pro you will need either one license for
+ each active cluster node or a company license.
+
+ Configuration files:
+
+ These files include the LAM server profiles, account profiles, PDF
+ structures, ... Usually, they do not change frequently and can be put on a
+ shared file system (e.g. NFS, AFS, ...).
+
+ Please link "config" or "/var/lib/ldap-account-manager/config" to a
+ directory on your shared file system.
+
+ Session data and temporary
+ files:
+
+ These are critical because the files may change on every page load.
+ There are basically two options:
+
+
+
+ load balancer with session stickiness: In this case your load
+ balancer will forward all requests of a user to the same cluster node.
+ In this case you can keep the files locally on your cluster nodes. If
+ you already have a load balancer then this is the simplest solution
+ and performs best. The disadvantage is that if a node fails then all
+ users connected to this node will loose their session and need to
+ relogin.
+
+
+
+ shared file system: This should only be used if your load
+ balancer does not support session stickiness or you use a different
+ system to distribute request across the cluster. A shared file system
+ will decrease performance for all page loads.
+
+
+
+ Session data and temporary files are located in "tmp" + "sess" or
+ "/var/lib/ldap-account-manager/tmp" +
+ "/var/lib/ldap-account-manager/sess".
+
+
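Review bot: the shared-file-system option for session data needs a permissions caveat, because the security appendix in this same patch lists the sess directory as holding the LAM admin password and cached LDAP entries; a shared export of "/var/lib/ldap-account-manager/sess" has to be restricted to the web server user of the cluster nodes and must not be world-readable, otherwise every host that can mount the share can read live sessions. Two typos in the same list: "will loose their session" should be "will lose their session", and "distribute request across the cluster" should be "distribute requests across the cluster".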
diff --git a/lam/docs/manual-sources/appendix-design.xml b/lam/docs/manual-sources/appendix-design.xml
new file mode 100644
index 00000000..4b66a322
--- /dev/null
+++ b/lam/docs/manual-sources/appendix-design.xml
@@ -0,0 +1,98 @@
+
+
+
+ Adapt LAM to your corporate design
+
+ There are cases where you might want to change LAM's default
+ look'n'feel to better integrate it in your company network. Changes can be
+ done like this:
+
+ Change colors, fonts and other parts with
+ custom CSS
+
+ You can integrate custom CSS files in LAM. It is recommended to
+ write a separate CSS file instead of modifying LAM's default files.
+
+ The CSS files are located in
+
+ DEB/RPM: /usr/share/ldap-account-manager/style
+ tar.bz2: style
+
+
+ LAM will automatically integrate all CSS files in alphabetical
+ order. E.g. you can create a file called "900_myCompany.css" which will be
+ added as last file.
+
+ Example:
+
+ This will change the background color of all pages to turquoise. See
+ 500_layout.css for LAM's default settings.
+
+ body {
+ background-color: #b6eeff;
+}
+
+
+ You can use the same way to change fonts, sizes and more.
+
+ E.g. this will reduce the default font size to 80%:
+
+ body {
+ font-size: 80%;
+}
+
+.ui-button-text-only {
+ font-size: 100%;
+}
+
+.ui-button-text-icon-primary {
+ font-size: 100%;
+}
+
+
+ Custom logo/* image in login box */
+td.loginLogo {
+ background-image: url(/logos/mylogo.png);
+}
+
+/* image (24x24) in header line */
+a.lamLogo {
+ background-image: url(/logos/mylogo.png);
+}
+
+ Other images
+
+ All images are located in
+
+ DEB/RPM: /usr/share/ldap-account-manager/graphics
+ tar.bz2: graphics
+
+ Please note that if you replace images then you need to reapply your
+ changes every time you upgrade LAM.
+
+ Special changes with custom
+ JavaScript
+
+ In rare cases it might not be sufficient to write custom CSS or
+ replace some image files. E.g. you might want to add custom content to all
+ pages.
+
+ For these cases you can add a custom JavaScript file that contains
+ your code.
+
+ The JavaScript files are located in
+
+ DEB/RPM: /usr/share/ldap-account-manager/templates/lib
+ tar.bz2: templates/lib
+
+ LAM will automatically integrate all .js files in alphabetical
+ order. E.g. you can create a file called "900_myCompany.js" which will be
+ added as last file.
+
+ Self service
+
+ See here for self
+ service customisations.
+
+
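Review bot: the heading at "Custom logo/* image in login box */" has been run together with the first CSS comment of its example, so the section title and the code need to be separated, and the logo example lacks the introductory sentence the two font examples have. "look'n'feel" should read "look and feel", and the "See here for self service customisations" sentence needs its link target, which is not visible in this hunk.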
diff --git a/lam/docs/manual-sources/appendix-email.xml b/lam/docs/manual-sources/appendix-email.xml
new file mode 100644
index 00000000..6f8429f3
--- /dev/null
+++ b/lam/docs/manual-sources/appendix-email.xml
@@ -0,0 +1,28 @@
+
+
+
+ Setup of email (SMTP) server
+
+ LAM always uses a local SMTP email server on the machine where LAM
+ is installed. Therefore, there is no need to configure any SMTP settings
+ inside LAM itself.
+
+ The local email server should be configured to forward all emails to
+ your company mail server (so-called smarthost). You can use any SMTP
+ software that ships with a Sendmail wrapper (e.g. Exim, Postfix, QMail or
+ Sendmail itself).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
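Review bot: the sentence "LAM always uses a local SMTP email server on the machine where LAM is installed" does not say how LAM reaches that server; since the next paragraph requires "any SMTP software that ships with a Sendmail wrapper", naming the local sendmail binary as the interface LAM calls would make the requirement concrete and tell readers what to test. Minor: the project spells it "qmail", and the run of empty lines after the second paragraph looks like an element whose text was lost.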
diff --git a/lam/docs/manual-sources/appendix-lamdaemon.xml b/lam/docs/manual-sources/appendix-lamdaemon.xml
new file mode 100644
index 00000000..38640d2f
--- /dev/null
+++ b/lam/docs/manual-sources/appendix-lamdaemon.xml
@@ -0,0 +1,205 @@
+
+
+
+ Setup for home directory and quota management
+
+ Lamdaemon.pl is used to modify quota and home directories on a
+ remote or local host via SSH (even if homedirs are located on
+ localhost).
+
+ If you want wo use it you have to set up the following things to get
+ it to work:
+
+
+ Installation
+
+ First of all, you need to install lamdaemon.pl on your remote
+ server where LAM should manage homedirs and/or quota. This is usually a
+ different server than the one where LAM is installed. But there is no
+ problem if it is the same.
+
+
+
+
+
+
+
+
+
+
+
+ Debian based (e.g. also
+ Ubuntu)
+
+ Please install the lamdaemon DEB package on your quota/homedir
+ server.
+
+ RPM based (Fedora, CentOS, Suse,
+ ...)
+
+ Please install the lamdaemon RPM package on your quota/homedir
+ server.
+
+ Other
+
+ Please copy lib/lamdaemon.pl from the LAM tar.bz2 package to your
+ quota/homedir server. The location may be anywhere (e.g. use
+ /opt/lamdaemon). Please make the lamdaemon.pl script executable.
+
+
+
+ LDAP Account Manager configuration
+
+
+
+ Set the remote or local host in the configuration (e.g.
+ 127.0.0.1)
+
+
+
+ Path to lamdaemon.pl, e.g.
+ /srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a Debian or
+ RPM package then the script will be located at
+ /usr/share/ldap-account-manager/lib/lamdaemon.pl.
+
+
+
+ Your LAM admin user must be a valid Unix account. It needs to
+ have the object class "posixAccount" and an attribute "uid". This
+ account must be accepted by the SSH daemon of your home directory
+ server. Do not create a second local account but change your system
+ to accept LDAP users. You can use LAM to add the Unix account part
+ to your admin user or create a new account. Please do not forget to
+ setup LDAP write access (ACLs)
+ if you create a new account.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Note that the builtin admin/manager entries do not work for
+ lamdaemon. You need to login with a Unix account.
+
+
+
+
+
+
+
+
+
+ OpenLDAP ACL location:
+
+ The access rights for OpenLDAP are configured in
+ /etc/ldap/slapd.conf or
+ /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.
+
+
+
+ Setup sudo
+
+ The perl script has to run as root. Therefore we need a wrapper,
+ sudo. Edit /etc/sudoers on host where homedirs or quotas should be used
+ and add the following line:
+
+ $admin All= NOPASSWD: $path_to_lamdaemon *
+
+ $admin is the admin user from
+ LAM (must be a valid Unix account) and
+ $path_to_lamdaemon is the path to
+ lamdaemon.pl.
+
+ Example:
+
+ myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
+ *
+
+ You might need to run the sudo command once manually to init sudo.
+ The command "sudo -l" will show all possible sudo commands of the
+ current user.
+
+ Attention: Please do not use the
+ options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers.
+ Otherwise you might get errors like "you must have a tty to run sudo" or
+ "no tty present and no askpass program specified".
+
+
+
+ Setup Perl
+
+ We need an extra Perl module - Quota. To install it, run:
+
+
+ perl -MCPAN -e shell
+
+ install Quota
+
+
+ If your Perl executable is not located in /usr/bin/perl you will
+ have to edit the path in the first line of lamdaemon.pl. If you have
+ problems compiling the Perl modules try installing a newer release of
+ your GCC compiler and the "make" application.
+
+ Several Linux distributions already include a quota package for
+ Perl.
+
+
+
+ Set up SSH
+
+ Your SSH daemon must offer the password authentication method. To
+ activate it just use this configuration option in
+ /etc/ssh/sshd_config:
+
+ PasswordAuthentication yes
+
+
+
+ Troubleshooting
+
+ If you have problems managing quotas and home directories then
+ these points might help:
+
+
+
+ There is a test page for lamdaemon: Login to LAM and open
+ Tools -> Tests -> Lamdaemon test
+
+
+
+ Check /var/log/auth.log or its equivalent on your system. This
+ file contains messages about all logins. If the ssh login failed
+ then you will find a description about the reason here.
+
+
+
+ Set sshd in debug mode. In /etc/ssh/sshd_conf add these
+ lines:
+
+
+ SyslogFacility AUTH
+
+ LogLevel DEBUG3
+
+
+ Now check /var/log/syslog for messages from sshd.
+
+
+
+ Error message "Your LAM admin user (...)
+ must be a valid Unix account to work with lamdaemon!": This
+ happens if you use the default LDAP admin/manager user to login to LAM.
+ Please see here and setup a Unix
+ account.
+
+
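Review bot: the sudoers template "$admin All= NOPASSWD: $path_to_lamdaemon *" uses "All" where the keyword is "ALL"; the worked example below it, "myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl *", has it right. Since that line grants passwordless root execution of the script with arbitrary arguments, the section should also state that lamdaemon.pl and its directory must be owned by root and not writable by $admin, otherwise the LAM admin account (an LDAP user, as required above) controls what runs as root. The advice to drop "Defaults requiretty" and "Defaults env_reset" removes those defaults for every sudo user; scoping the exceptions to the LAM account with "Defaults:$admin" entries keeps the hardening for everyone else. Typos: "If you want wo use it" should be "to use it", and the troubleshooting step names "/etc/ssh/sshd_conf" while the SSH section correctly uses "/etc/ssh/sshd_config".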
diff --git a/lam/docs/manual-sources/appendix-ldapConfig.xml b/lam/docs/manual-sources/appendix-ldapConfig.xml
new file mode 100644
index 00000000..4354ec7f
--- /dev/null
+++ b/lam/docs/manual-sources/appendix-ldapConfig.xml
@@ -0,0 +1,81 @@
+
+
+
+ Typical OpenLDAP settings
+
+ Some basic hints to configure the OpenLDAP server:
+
+ Size
+ limit:
+
+ You will get a message like "LDAP sizelimit exceeded, not all
+ entries are shown." when you hit the LDAP search limit.
+
+ OpenLDAP allows by default 500 return values per search, if you have
+ more users/groups/hosts please change this:
+
+ slapd.conf:
+
+ e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return
+ values
+
+ slapd.d:
+
+ e.g. "olcSizeLimit: 10000" or "olcSizeLimit: -1" for unlimited
+ return values in /etc/ldap/slapd.d/cn=config.ldif
+
+
+
+
+ Unique
+ attributes:
+
+ There are cases where you do not want that same attribute values
+ exist multiple times in your database. A good example are UID/GID
+ numbers.
+
+ OpenLDAP provides the attribute
+ uniqueness overlay for this task.
+
+ Example to force unique UID numbers:
+
+ In
+ /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif add
+ "olcModuleLoad: {3}unique" (replace "3" with the highest existing number
+ plus one).
+
+ Now in /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif add e.g.
+ "olcUniqueURI: ldap:///?uidNumber?sub"
+
+
+
+
+ Indices:
+
+ Indices will improve the performance when searching for entries in
+ the LDAP directory. The following indices are recommended:
+
+
+ index objectClass eq
+
+ index default sub
+
+ index uidNumber eq
+
+ index gidNumber eq
+
+ index memberUid eq
+
+ index cn,sn,uid,displayName pres,sub,eq
+
+ # Samba 3.x
+
+ index sambaSID eq
+
+ index sambaPrimaryGroupSID eq
+
+ index sambaDomainName eq
+
+
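Review bot: the unique overlay example is incomplete for slapd.d: "olcUniqueURI" is an attribute of the overlay's own entry (objectClass olcUniqueConfig with "olcOverlay: unique", a child of the olcDatabase={1}bdb entry), not of the database entry itself, so adding it to "/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif" alone does not activate the overlay. The section should also say that slapd.d is meant to be changed with ldapmodify against cn=config, and that slapd must be stopped before the files are edited by hand, since slapd checks the CRC of those files and hand edits can be overwritten. For the size limit, "sizelimit -1" removes the only server-side cap on result size; it is worth noting that a large explicit value is the safer choice on a directory that untrusted clients can also query.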
diff --git a/lam/docs/manual-sources/appendix-schema.xml b/lam/docs/manual-sources/appendix-schema.xml
new file mode 100644
index 00000000..ef8fe804
--- /dev/null
+++ b/lam/docs/manual-sources/appendix-schema.xml
@@ -0,0 +1,700 @@
+
+
+
+ LDAP schema files
+
+ Here is a list of needed LDAP schema files for the different LAM
+ modules. For OpenLDAP we also provide a source where you can get the
+ files.
+
+
+ LDAP schema files
+
+
+
+
+
+
+ Account type
+
+ Object class(es)
+
+ Schema name
+
+ Source
+
+ Notes
+
+
+
+
+
+
+
+
+
+
+
+ Unix accounts
+
+ posixAccount, shadowAccount, hostObject, posixGroup
+
+ nis.schema, rfc2307bis.schema, ldapns.schema
+ (hostObject)
+
+ Part of OpenLDAP installation, part of libpam-ldap
+ (ldapns.schema)
+
+ The rfc2307bis.schema is only supported by LAM Pro. Use the
+ nis.schema if you do not want to upgrade to LAM Pro.
+
+
+
+
+
+
+
+
+
+ Address book entries
+
+ inetOrgPerson
+
+ inetorgperson.schema
+
+ Part of OpenLDAP installation
+
+
+
+
+
+
+
+
+
+
+
+ Samba 3 accounts
+
+ sambaSamAccount, sambaGroupMapping, sambaDomain
+
+ samba.schema
+
+ Part of Samba tarball (examples/LDAP/samba.schema)
+
+
+
+
+
+
+
+
+
+
+
+ Windows AD (Samba 4)
+
+ user, group, computer
+
+
+
+ Samba 4 built-in
+
+
+
+
+
+
+
+
+
+
+
+ Kolab 2/3 users
+
+ kolabUser
+
+ kolab2/3.schema, rfc2739.schema
+
+ Part of Kolab 2/3 installation
+
+
+
+
+
+
+
+
+
+
+
+ Asterisk (extension)
+
+ AsteriskSIPUser, AsteriskExtension
+
+ asterisk.schema
+
+ Part of Asterisk installation
+
+
+
+
+
+
+
+
+
+
+
+ PyKota users, groups, printers and billing codes
+
+ pykotaObject, pykotaAccount, pykotaAccountBalance,
+ pykotaGroup, pykotaPrinter, pykotaBilling
+
+ pykota.schema
+
+ Part of PyKota installation
+
+
+
+
+
+
+
+
+
+
+
+ Mail routing
+
+ inetLocalMailRecipient
+
+ misc.schema
+
+ Part of OpenLDAP installation
+
+
+
+
+
+
+
+
+
+
+
+ Hosts
+
+ hostObject, device
+
+ ldapns.schema
+
+ Part of libpam-ldap installation
+
+ The device object class is only available in LAM
+ Pro.
+
+
+
+
+
+
+
+
+
+ Authorized services
+
+ authorizedServiceObject
+
+ ldapns.schema
+
+ Part of libpam-ldap installation
+
+
+
+
+
+
+
+
+
+
+
+ Mail aliases
+
+ nisMailAlias
+
+ misc.schema
+
+ Part of OpenLDAP installation
+
+
+
+
+
+
+
+
+
+
+
+ Qmail user
+
+ qmailUser
+
+ qmail.schema
+
+ Part of qmail_ldap
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ MAC addresses
+
+ ieee802device
+
+ nis.schema
+
+ Part of OpenLDAP installation
+
+
+
+
+
+
+
+
+
+
+
+ IP addresses
+
+ ipHost
+
+ nis.schema
+
+ Part of OpenLDAP installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ Puppet
+
+ puppetClient
+
+ puppet.schema
+
+ Puppet
+ on GitHub
+
+
+
+
+
+
+
+
+
+
+
+ EDU person
+
+ eduPerson
+
+ eduperson.schema
+
+ http://middleware.internet2.edu
+
+
+
+
+
+
+
+
+
+
+
+ Simple Accounts
+
+ account
+
+ cosine.schema
+
+ Part of OpenLDAP installation
+
+
+
+
+
+
+
+
+
+
+
+ SSH public keys
+
+ ldapPublicKey
+
+ openssh-lpk.schema
+
+ Included in patch from http://code.google.com/p/openssh-lpk/
+
+
+
+
+
+
+
+
+
+
+
+ Filesystem quotas
+
+ systemQuotas
+
+ quota.schema
+
+ Linux
+ DiskQuota
+
+
+
+
+
+
+
+
+
+
+
+ Group of (unique) names
+
+ groupOfNames, groupOfUniqueNames, groupOfMembers
+
+ core.schema
+
+ Part of OpenLDAP installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ Groups
+
+ organizationalRole
+
+ core.schema
+
+ Part of OpenLDAP installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ DHCP
+
+ dhcpOptions, dhcpSubnet, dhcpServer
+
+ dhcp.schema
+
+ docs/schema/dhcp.schema
+
+ The LDAP suffix should be set to your dhcpServer
+ entry.
+
+
+
+
+
+
+
+
+
+ Bind DLZ DNS
+
+ dlzZone, dlzHost, dlzSOARecord, dlzNSRecord, dlzARecord,
+ dlzMXRecord, dlzCNameRecord, dlzPTRRecord
+
+ dlz.schema
+
+ part of Bind
+ DLZ patch
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ Aliases
+
+ alias, uidObject
+
+ core.schema
+
+ Part of OpenLDAP installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ NIS netgroups
+
+ nisNetgroup
+
+ nis.schema
+
+ Part of OpenLDAP installation
+
+
+
+
+
+
+
+
+
+
+
+ NIS objects
+
+ nisObject
+
+ nis.schema
+
+ Part of OpenLDAP installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ Automount objects
+
+ automount
+
+ autofs.schema, rfc2307bis.schema
+
+ Autofs LDAP
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ Oracle databases
+
+ orclNetService
+
+ oidbase.schema, oidnet.schema, oidrdbms.schema,
+ alias.schema
+
+ Preinstalled on Oracle directory server, OpenLDAP schemas
+ can be downloaded e.g. here
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ Password policies
+
+ pwdPolicy, device
+
+ ppolicy.schema, core.schema
+
+ Part of OpenLDAP installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ FreeRadius users
+
+ radiusprofile
+
+ openldap.schema
+
+ Part of FreeRadius installation
+
+
+
+
+
+
+
+
+
+
+
+ Heimdal Kerberos
+
+ krb5KDCEntry
+
+ hdb.schema
+
+ Part of Heimdal Kerberos installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ MIT Kerberos
+
+ krbPrincipal, krbPrincipalAux, krbTicketPolicyAux
+
+ kerberos.schema
+
+ Part of MIT Kerberos installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ Sudo roles
+
+ sudoRole
+
+ sudo.schema
+
+ Part of sudo-ldap installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ Zarafa
+
+ zarafa-user, zarafa-group, zarafa-server
+
+ zarafa.schema
+
+ Part of Zarafa installation
+
+ LAM Pro only
+
+
+
+
+
+
+
+
+
+ IMAP mailboxes
+
+ -
+
+ -
+
+ -
+
+ Does not require any schema.
+
+
+
+
+
+
+
+
+
+ LDAP views
+
+ nsview, organizationalunit
+
+ built-in
+
+ Part of LDAP server installation (e.g. 389 server)
+
+ LAM Pro only
+
+
+
+
+
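Review bot: the "Windows AD (Samba 4)" row leaves the Schema name cell empty, while the comparable "LDAP views" row writes "built-in"; use the same wording in both. The Source cells that read "e.g. here", "Puppet on GitHub", "Linux DiskQuota" and "Autofs LDAP" are link anchors whose URLs are not visible in this hunk, so those links need to be checked in the rendered manual. Minor style: "part of Bind DLZ patch" is the only lower-case source entry, and "kolab2/3.schema" would be clearer as the two actual file names if they differ.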
diff --git a/lam/docs/manual-sources/appendix-security.xml b/lam/docs/manual-sources/appendix-security.xml
new file mode 100644
index 00000000..68c58673
--- /dev/null
+++ b/lam/docs/manual-sources/appendix-security.xml
@@ -0,0 +1,443 @@
+
+
+
+ Security
+
+
+ LAM configuration passwords
+
+ LAM supports a two level authorization system for its
+ configuration. Therefore, there are two types of configuration
+ passwords:
+
+
+
+ master configuration
+ password: needed to change general settings,
+ create/delete server profiles and self service profiles
+
+
+
+ server profile password: used
+ to change the settings of a server profile (e.g. LDAP server and
+ account types to manage)
+
+
+
+ The master configuration password can be used to reset a server
+ profile password. Each server profile has its own profile
+ password.
+
+ Both password types are stored as hash values in the configuration
+ files for enhanced security.
+
+
+
+ Use of SSL
+
+ The data which is transfered between you and LAM is very
+ sensitive. Please always use SSL encrypted connections between LAM and
+ your browser to protect yourself against network sniffers.
+
+
+
+ LDAP with SSL and TLS
+
+ SSL will be used if you use ldaps://servername in your
+ configuration profile. TLS can be activated with the "Activate TLS"
+ option.
+
+ If your LDAP server uses a SSL certificate of a well-know
+ certificate authority (CA) then you probably need no changes. If you use
+ a custom CA in your company then there are two ways to setup the CA
+ certificates.
+
+
+ Setup SSL certificates in LAM general settings
+
+ This is much easier than system level setup and will only affect
+ LAM. There might be some cases where other web applications on the
+ same web server are influenced.
+
+ See here for details.
+
+
+
+ Setup SSL certificates on system level
+
+ This will make the CA certificates available also to other
+ applications on your system (e.g. other web applications).
+
+ You will need to setup ldap.conf to trust your server
+ certificate. Some installations use /etc/ldap.conf and some use
+ /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
+ /etc/ldap/ldap.conf. Specify the server CA certificate with the
+ following option:
+
+ TLS_CACERT /etc/ldap/ca/myCA/cacert.pem
+
+ This needs to be the public part of the signing certificate
+ authority. See "man ldap.conf" for additional options.
+
+
+
+
+ You may also need to specify the CA certificate in your Apache
+ configuration by using the option "LDAPTrustedGlobalCert":
+
+ LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem
+
+
+
+
+ Selinux
+
+ In case your server has selinux installed you might need to extend
+ the selinux ruleset. E.g. your webserver might not be allowed to write
+ in /var/lib.
+
+ Read selinux status
+
+ The following command will tell you if selinux is running in
+ Enforcing or Permissive mode.
+
+ Enforcing: access that does not match rules is denied
+
+ Permissive: access that does not match rules is granted but logged
+ to audit.log
+
+ getenforce
+
+ Set selinux to Permissive
+ mode
+
+ This will just log any access violations. You will need this to
+ get a list of missing rights.
+
+ setenforce Permissive
+
+ Now do any actions inside LAM that you need for your daily work
+ (e.g. edit server profiles, manage LDAP entries, ...).
+
+ Extend selinux rules
+
+ Selinux now has logged any violations to audit.log. You can use
+ this now to extend your ruleset and enable enforcing later.
+
+ The following example is for httpd. You can also adapt it to e.g.
+ nginx.
+
+ # build additional selinux rules from audit.log
+grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
+
+
+ The httpdlocal.te might look like this:
+
+ module httpdlocal 1.0;
+
+require {
+ type httpd_t;
+ type var_lib_t;
+ class file { setattr write };
+}
+
+#============= httpd_t ==============
+
+#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
+#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
+#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
+allow httpd_t var_lib_t:file { setattr write };
+
+
+ Now we can compile and install this rule:
+
+ # build module
+checkmodule -M -m -o httpdlocal.mod httpdlocal.te
+# package module
+semodule_package -o httpdlocal.pp -m httpdlocal.mod
+# install module
+semodule -i httpdlocal.pp
+
+ Now you can switch back to Enforcing mode:
+
+ setenforce Enforcing
+
+ LAM should now work as expected with active selinux.
+
+
+
+ Chrooted servers
+
+ If your server is chrooted and you have no access to /dev/random
+ or /dev/urandom this can be a security risk. LAM stores your LDAP
+ password encrypted in the session. LAM uses rand() to generate the key
+ if /dev/random and /dev/urandom are not accessible. Therefore the key
+ can be easily guessed. An attaker needs read access to the session file
+ (e.g. by another Apache instance) to exploit this.
+
+
+
+ Protection of your LDAP password and directory contents
+
+ You have to install the MCrypt extension for PHP to enable
+ encryption.
+
+ Your LDAP password is stored encrypted in the session file. The
+ key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
+ encrypt the password. All data that was read from LDAP and needs to be
+ stored in the session file is also encrypted.
+
+
+
+ Apache configuration
+
+
+ Sensitive directories
+
+ LAM includes several .htaccess files to protect your
+ configuration files and temporary data. Apache is often configured to
+ not use .htaccess files by default. Therefore, please check your
+ Apache configuration and change the override setting to:
+
+ AllowOverride All
+
+ If you are experienced in configuring Apache then you can also
+ copy the security settings from the .htaccess files to your main
+ Apache configuration.
+
+ If possible, you should not rely on .htaccess files but also
+ move the config and sess directory to a place outside of your WWW
+ root. You can put a symbolic link in the LAM directory so that LAM
+ finds the configuration/session files.
+
+ Security sensitive directories:
+
+ config: Contains your LAM
+ configuration and account profiles
+
+
+
+ LAM configuration passwords (SSHA hashed)
+
+
+
+ default values for new accounts
+
+
+
+ directory must be accessibly by Apache but needs not to be
+ accessible by the browser
+
+
+
+ sess: PHP session files
+
+
+
+ LAM admin password in clear text or MCrypt encrypted
+
+
+
+ cached LDAP entries in clear text or MCrypt encrypted
+
+
+
+ directory must be accessibly by Apache but needs not to be
+ accessible by the browser
+
+
+
+ tmp: temporary files
+
+
+
+ PDF documents which may also include passwords
+
+
+
+ images of your users
+
+
+
+ directory contents must be accessible by browser but
+ directory itself needs not to be browseable
+
+
+
+
+
+ Use LDAP HTTP authentication for LAM
+
+ With HTTP authentication Apache will be responsible to ask for
+ the user name and password. Both will then be forwarded to LAM which
+ will use it to access LDAP. This approach gives you more flexibility
+ to restrict the number of users that may access LAM (e.g. by requiring
+ group memberships).
+
+ First of all you need to load additional Apache modules. These
+ are "mod_ldap"
+ and "mod_authnz_ldap".
+
+ Next you can add a file called "lam_auth_ldap" to
+ /etc/apache/conf.d. This simple example restricts access to all URLs
+ beginning with "lam" to LDAP authentication.
+
+ <location /lam>
+ AuthType Basic
+ AuthBasicProvider ldap
+ AuthName "LAM"
+ AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
+ Require valid-user
+</location>
+
+ You can also require that your users belong to a certain Unix
+ group in LDAP:
+
+ <location /lam>
+ AuthType Basic
+ AuthBasicProvider ldap
+ AuthName "LAM"
+ AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
+ Require valid-user
+ # force membership of lam-admins
+ AuthLDAPGroupAttribute memberUid
+ AuthLDAPGroupAttributeIsDN off
+ Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
+</location>
+
+ Please see the Apache
+ documentation for more details.
+
+
+
+ Self Service behind proxy in DMZ (LAM Pro)
+
+ In some cases you might want to make the self service accessible
+ via the internet. Here is an Apache config to forward only the
+ required URLs via a proxy server (lamproxy.company.com) in your DMZ to
+ the internal LAM server (lam.company.com).
+
+
+
+
+
+
+
+ This configuration allows your users to open
+ https://lamproxy.company.com which will then proxy the self service on
+ the internal server.
+
+ <VirtualHost lamproxy.company.com:443>
+ ServerName lamproxy.company.com
+ ErrorLog /var/log/apache2/lam-proxy-error.log
+ CustomLog /var/log/apache2/lam-proxy-access.log combined
+ DocumentRoot /var/www/lam-proxy
+ <Proxy *>
+ Order deny,allow
+ Allow from all
+ </Proxy>
+ SSLProxyEngine on
+ SSLEngine on
+ SSLCertificateFile /etc/apache2/ssl/apache.pem
+ ProxyPreserveHost On
+ ProxyRequests off
+ loglevel info
+
+ # redirect front page to self service login page
+ RewriteEngine on
+ RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&name=lam
+
+ # proxy required URLs
+ ProxyPass /tmp https://lam.company.com/lam/tmp
+ ProxyPass /sess https://lam.company.com/lam/sess
+ ProxyPass /templates/lib https://lam.company.com/lam/templates/lib
+ ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService
+ ProxyPass /style https://lam.company.com/lam/style
+ ProxyPass /graphics https://lam.company.com/lam/graphics
+
+ ProxyPassReverse /tmp https://lam.company.com/lam/tmp
+ ProxyPassReverse /sess https://lam.company.com/lam/sess
+ ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib
+ ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService
+ ProxyPassReverse /style https://lam.company.com/lam/style
+ ProxyPassReverse /graphics https://lam.company.com/lam/graphics
+</VirtualHost>
+
+
+
+
+ Nginx configuration
+
+ There is no fully automatic setup of Nginx but LAM provides a
+ ready-to-use configuration file.
+
+
+ RPM based installations
+
+ The RPM package has dependencies on Apache. Therefore, Nginx is
+ not officially supported with this installation mode. Use tar.bz2 if
+ you are unsure.
+
+ However, the package also includes an Nginx configuration file.
+ Please include it in your server directive like this:
+
+ server {
+ ...
+
+ include /etc/ldap-account-manager/lam.nginx.conf;
+
+ ...
+}
+
+
+
+ DEB based installations
+
+ The LAM installation package ships with an Nginx configuration
+ file. Please include it in your server directive like this:
+
+ server {
+ ...
+
+ include /etc/ldap-account-manager/lam.nginx.conf;
+
+ ...
+}
+
+
+
+ tar.bz2 based installations
+
+ Please add the following configuration snippet to your server
+ directive.
+
+ You will need to change the alias location
+ ("/usr/share/ldap-account-manager") and fastcgi_pass
+ ("/var/run/php5-fpm.sock") to match your installation.
+
+ location /lam {
+ index index.html;
+ alias /usr/share/ldap-account-manager;
+ autoindex off;
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
+ deny all;
+ return 403;
+ }
+
+}
+
+
+
+
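Review bot: in the tar.bz2 Nginx snippet the deny block "location ~ /lam/(tmp/internal|sess|config|lib|help|locale)" comes after "location ~ \.php$" inside the same "location /lam" block; nginx evaluates regex locations in order of appearance and stops at the first match, so a request for a .php path below config/ or sess/ is handed to PHP-FPM instead of being denied. Move the deny location above the PHP one. In the same snippet, "location /lam" with alias /usr/share/ldap-account-manager should carry a trailing slash on both the prefix and the alias, which is the documented way to avoid the well-known alias path mismatch. In the Selinux section, the generated rule "allow httpd_t var_lib_t:file { setattr write };" grants the web server write access to every file labelled var_lib_t, and the audit2allow comment in the same listing already says to relabel the LAM config with semanage fcontext and restorecon instead; the text should recommend the relabel first and present the custom module only as a fallback. In the DMZ proxy config, the ProxyPass rule for /sess forwards the session directory that the Sensitive directories section says must not be accessible by the browser; if it is only there because the internal .htaccess returns 403 anyway, drop it, otherwise explain why it is needed.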
diff --git a/lam/docs/manual-sources/appendix-selfResetSchema.xml b/lam/docs/manual-sources/appendix-selfResetSchema.xml
new file mode 100644
index 00000000..6067d28e
--- /dev/null
+++ b/lam/docs/manual-sources/appendix-selfResetSchema.xml
@@ -0,0 +1,245 @@
+
+
+
+ Setup password self reset schema (LAM Pro)
+
+
+ New installation
+
+ Please see here if you want to
+ upgrade an existing schema version.
+
+ Schema installation
+
+ Please install the schema that comes with LAM Pro. The schema
+ files are located in:
+
+
+
+ tar.bz2: docs/schema
+
+
+
+ DEB: /usr/share/doc/ldap-account-manager/docs/schema
+
+
+
+ RPM:
+ /usr/share/doc/ldap-account-manager-{VERSION}/schema
+
+
+
+
+
+
+ OpenLDAP with slapd.conf
+ configuration
+
+ For a configuration with slapd.conf-file copy
+ passwordSelfReset.schema to /etc/ldap/schema/ and add this line to
+ slapd.conf:
+
+ include /etc/ldap/schema/passwordSelfReset.schema
+
+
+
+ OpenLDAP with slapd.d
+ configuration
+
+ For slapd.d configurations you need to upload the schema file
+ passwordSelfReset.ldif via ldapadd command:
+
+ ldapadd -x -W -H ldap://localhost -D "cn=admin,o=test,c=de" -f
+ passwordSelfReset.ldif
+
+ Please replace "localhost" with your LDAP server and
+ "cn=admin,o=test,c=de" with your LDAP admin user (usually starts with
+ cn=admin or cn=manager).
+
+
+
+
+ 389 server
+
+ Please replace INSTANCE with installation ID, e.g.
+ slapd-389ds.
+
+ cp passwordSelfReset-389server.ldif /etc/dirsrv/INSTANCE/schema/70pwdreset.ldif
+ systemctl restart dirsrv.target
+
+
+
+ Samba 4
+
+ The schema files are passwordSelfReset-Samba4-attributes.ldif and
+ passwordSelfReset-Samba4-objectClass.ldif.
+
+ First, you need to edit them and replace "DOMAIN_TOP_DN" with your
+ LDAP suffix (e.g. dc=samba4,dc=test).
+
+ Then install the attribute and afterwards the object class schema
+ file:
+
+ ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true
+ ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true
+
+
+
+ Windows
+
+ The schema file is passwordSelfReset-Windows.ldif.
+
+ First, you need to edit it and replace "DOMAIN_TOP_DN" with your
+ LDAP suffix (e.g. dc=windows,dc=test).
+
+ Then install the schema file as administrator on a command
+ line:
+
+ ldifde -v -i -f passwordSelfReset-Windows.ldif
+
+
+
+ This allows to set a security question + answer for each
+ account.
+
+
+
+ Schema update
+
+ The schema files are located in:
+
+
+
+ tar.bz2: docs/schema/updates
+
+
+
+ DEB:
+ /usr/share/doc/ldap-account-manager/docs/schema/updates
+
+
+
+ RPM:
+ /usr/share/doc/ldap-account-manager-{VERSION}/schema/updates
+
+
+
+
+
+
+ Schema versions:
+
+
+
+ Initial version (LAM Pro 3.6 - 4.4)
+
+
+
+ Added passwordSelfResetBackupMail (LAM Pro 4.5 - 5.5)
+
+
+
+ Multiple security questions (LAM Pro 5.6)
+
+
+
+
+
+
+ OpenLDAP with slapd.conf
+ configuration
+
+ Install the schema file like a new install (skip
+ modification of slapd.conf file).
+
+
+
+
+ OpenLDAP with slapd.d
+ configuration
+
+ The upgrade requires to stop the LDAP server.
+
+ Steps:
+
+
+
+ Stop OpenLDAP with e.g. "/etc/init.d/slapd stop"
+
+
+
+ Delete the old schema file. It is located in e.g.
+ "/etc/ldap/slapd.d/cn=config/cn=schema" and called
+ "cn={XX}passwordselfreset.ldif" (XX can be any number)
+
+
+
+ Start OpenLDAP with e.g. "/etc/init.d/slapd start"
+
+
+
+ Install the schema file like a new install
+
+
+
+
+
+
+ Samba 4
+
+ Install the these update files by following the install
+ instructions in the file. In case you you upgrade with a version
+ difference of 2 or more you will need to apply all intermediate update
+ scripts.
+
+
+
+ samba4_version_1_to_2_attributes.ldif (upgrade from version 1
+ only)
+
+
+
+ samba4_version_1_to_2_objectClass.ldif (upgrade from version 1
+ only)
+
+
+
+ samba4_version_2_to_3_attributes.ldif (upgrade from version
+ 2)
+
+
+
+ samba4_version_2_to_3_objectClass.ldif (upgrade from version
+ 2)
+
+
+
+ Please note that attributes file needs to be installed
+ first.
+
+
+
+
+ Windows
+
+ Install the file(s) by following the install instructions in the
+ file. In case you you upgrade with a version difference of 2 or more you
+ will need to apply all intermediate update scripts.
+
+
+
+ windows_version_1_to_2.ldif (upgrade from version 1
+ only)
+
+
+
+ windows_version_2_to_3.ldif (upgrade from version 2)
+
+
+
+
+
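Review bot: the Samba 4 and Windows upgrade paragraphs contain duplicated words, "Install the these update files" and "In case you you upgrade" (the second one appears in both sections); read "Install these update files" and "In case you upgrade". The upgrade path for OpenLDAP with slapd.d tells the reader to delete "cn={XX}passwordselfreset.ldif" from cn=config by hand and only install the new schema after slapd is started again; add a step to keep a copy of the removed file so the old schema can be restored if the install of the new file fails. The service commands are also inconsistent within the hunk: the 389 server section uses "systemctl restart dirsrv.target" while the OpenLDAP steps use "/etc/init.d/slapd stop" and "start"; either say that the command depends on the distribution or use systemctl in both places.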
diff --git a/lam/docs/manual-sources/appendix-troubleshooting.xml b/lam/docs/manual-sources/appendix-troubleshooting.xml
new file mode 100644
index 00000000..8d23c04a
--- /dev/null
+++ b/lam/docs/manual-sources/appendix-troubleshooting.xml
@@ -0,0 +1,263 @@
+
+
+
+ Troubleshooting
+
+
+ Reset configuration password
+
+ The password for the server profiles can be reset using the master
+ configuration password. Open LAM configuration -> Edit server
+ profiles ->Manage server profiles for this.
+
+ In case you lost your master configuration password you need to
+ manually edit the main configuration file (config.cfg) on the file
+ system.
+
+
+
+ Locate config.cfg: On DEB/RPM installations it is in
+ /usr/share/ldap-account-manager/config and for tar.bz2 in config
+ folder.
+
+
+
+ Locate the "password" entry in the file
+
+
+
+ Replace the password hash after "password: " with your new
+ clear-text password (e.g. "secret")
+
+
+
+ After the change the line should look like this:
+
+ password: secret
+
+ You can now login using your new password. Set the password once
+ again via GUI in main configuration settings. This will then put again a
+ hash value in the config.cfg file.
+
+
+
+ Functional issues
+
+ Size limit
+
+ You will get a message like "LDAP sizelimit exceeded, not all
+ entries are shown." when you hit the LDAP search limit.
+
+
+
+ OpenLDAP: See the OpenLDAP
+ settings to fix this.
+
+
+
+ 389 server: set nsslapd-sizelimit in cn=config (may also be
+ set per user)
+
+
+
+ other LDAP servers: please see your server
+ documentation
+
+
+
+
+
+
+ Invalid syntax errors:
+
+ If you get any strange errors like "Invalid syntax" or "Invalid DN
+ syntax" please check if your LDAP schema matches LAM's
+ requirements.
+
+
+
+
+ Schema test:
+
+ This can be done by running "Tools" -> "Tests" -> "Schema
+ test" inside LAM.
+
+ If there are any object classes or attributes missing you will get
+ a notice. See LDAP schema files for a
+ list of used schemas. You may also want to deactive unused modules in
+ your LAM server profile (tab "Modules").
+
+
+
+
+
+
+
+
+
+
+LDAP Logging:
+
+ If your schema is correct you can turn on LDAP logging to get more
+ detailed error messages from your LDAP server.
+
+
+
+
+ OpenLDAP logging:
+
+
+
+ slapd.conf: In /etc/ldap/slapd.conf turn logging on with the
+ line "loglevel 256".
+
+
+
+ slapd.d: In /etc/ldap/slapd.d/cn=config.ldif please change the
+ attribute "olcLogLevel" to "Stats". Please add a line "olcLogLevel:
+ Stats" if the attribute is missing.
+
+
+
+ After changing the configuration please restart OpenLDAP. It
+ usually uses /var/log/syslog for log output.
+
+
+
+
+ PHP logging
+
+ Sometimes it can help to enable PHP logging inside LAM. You can do
+ this in the logging area of LAM's
+ main configuration. Set the logging option to "all" and check if there
+ are any messages printed in your browser window. Please note that not
+ every notice message is an error but it may help to find the
+ problem.
+
+
+
+ Performance issues
+
+ LAM is tested to work with 10000 users with acceptable
+ performance. If you have a larger directory or slow hardware then here
+ are some points to increase performance.
+
+
+
+
+ The first step is to check if performance problems are caused by
+ the LAM web server or the LDAP server. Please check which machine
+ suffers from high system load (CPU/memory consumption).
+
+ High network latency may also be a problem. For large
+ installations please make sure that LAM web server and LDAP server are
+ located in the same building/server room.
+
+ If you run LAM on multiple nodes (DNS load balancing/hardware load
+ balancer) then also check the clustering
+ section.
+
+
+ LDAP server
+
+ Use indices
+
+ Depending on the queries it may help to add some more indices on
+ the LDAP server. Depending on your LDAP software it may already
+ suggest indices in its log files. See here for typical OpenLDAP indices.
+
+
+
+
+ Reduce query results by splitting LDAP
+ management into multiple server profiles
+
+ If you manage a very large directory then it might already be
+ separated into multiple subtrees (e.g. by country, subsidiary, ...).
+ Do not use a single LAM server profile to manage your whole directory.
+ Use different server profiles for each separated LDAP subtree where
+ possible (e.g. one for German users and one for French ones).
+
+
+
+
+ Limit query results
+
+ LAM allows to set an LDAP search
+ limit for each server profile. This will limit the number of
+ entries returned by your LDAP server. Use with caution because it can
+ cause problems (e.g. with automatic UID generation) when LAM is not
+ able to read all entries.
+
+
+
+
+
+
+
+
+
+
+
+ LAM web server
+
+ Install a PHP
+ accelerator
+
+ There are tools like APC/OpCache (free)
+ or Zend
+ Server (commercial) that provide caching of PHP pages to
+ improve performance. They will reduce the time for parsing the PHP
+ pages and IO load.
+
+ This is a simply way to enhance performance since APC/OpCache is
+ part of most Linux distributions.
+
+ If you use APC then make sure that it uses enough memory (e.g.
+ "apc.shm_size=128M"). You can check the memory usage with the file
+ apc.php that is shipped with APC.
+
+
+
+
+
+
+
+
+
+
+
+
+ OpCache statistics can be shown with opcache-status.
+
+
+
+
+
+
+
+
+
+ Disable session
+ encryption
+
+ LAM encrypts sensitive data in your session files. You can disable it to reduce CPU
+ load.
+
+
+
+
+
+
+
+
+
+
+
+
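Review bot: the "Disable session encryption" tip under "Performance issues" recommends switching off the encryption of session files without the caveat that the security settings section of chapter-configuration.xml attaches to the same option (sensitive data such as passwords is then kept in the clear in the session files and other measures are needed to secure the LAM server); repeat that sentence here or link to the security settings, since a reader who arrives from a performance problem will not see it otherwise. The "Reset configuration password" steps leave a clear-text password in config.cfg; the closing sentence "Set the password once again via GUI in main configuration settings" is the step that removes it again and should be worded as a required, immediate step rather than an afterthought. The APC/OpCache tip points the reader at apc.php and opcache-status; both are web-accessible status scripts, so the paragraph should say to remove them from the document root or restrict access once the check is done. Wording: "deactive unused modules" should be "deactivate", and "This is a simply way to enhance performance" should be "a simple way".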
diff --git a/lam/docs/manual-sources/chapter-accessLevel.xml b/lam/docs/manual-sources/chapter-accessLevel.xml
new file mode 100644
index 00000000..033fcdbd
--- /dev/null
+++ b/lam/docs/manual-sources/chapter-accessLevel.xml
@@ -0,0 +1,186 @@
+
+
+
+ Access levels and password reset page (LAM Pro)
+
+ You can define different access levels for each profile to allow or
+ disallow write access. The password reset page helps your deskside support
+ staff to reset user passwords.
+
+
+ Access levels
+
+ There are three access levels:
+
+
+
+ Write access (default)
+
+ There are no restrictions. LAM admin users can manage account,
+ create profiles and set passwords.
+
+
+
+ Change passwords
+
+ Similar to "Read only" except that the password reset page is available.
+
+
+
+ Read only
+
+ No write access to the LDAP database is allowed. It is also
+ impossible to manage account and PDF profiles.
+
+ Accounts may be viewed but no changes can be saved.
+
+
+
+ The access level can be set on the server configuration
+ page:
+
+
+
+
+
+
+
+
+
+
+
+ Password reset page
+
+ This special page allows your deskside support staff to reset the
+ Unix and Samba passwords of your users. Account may also be (un)locked
+ If you set the access level to
+ "Change passwords" then LAM will not allow any changes to the LDAP
+ database except password changes via this page. The account pages will
+ be still available in read-only mode.
+
+ You can open the password reset page by clicking on the key symbol
+ on each user account:
+
+
+
+
+
+
+
+ There are three different options to set a new password.
+ You can further restrict these options in server profile
+ settings.
+
+
+
+ set random password and display it on
+ screen
+
+ This will set the user's password to a random value. The
+ password will be 11 characters long with a random combination of
+ letters, digits and ".-_".
+
+ You may want to use this method to tell users their new
+ passwords via phone.
+
+
+
+ set random password and mail it to
+ user
+
+ If the user account has set the mail attribute then LAM can
+ send your user a mail with the new password. You can change the mail
+ template to fit your needs. Please configure your LAM server profile
+ to setup the sender address, subject and mail body. Please see email format option in case of broken
+ mails. See here for setting up your
+ SMTP server.
+
+ Using this method will prevent that your support staff knows
+ the new password.
+
+
+
+ set specific password
+
+ Here you can specify your own password.
+
+
+
+
+
+
+
+
+
+
+
+ LAM will display contact information about the user like the
+ user's name, email address and telephone number. This will help your
+ deskside support to easily contact your users.
+
+ Options:
+
+ Depending on the account there may be additional options
+ available.
+
+
+
+ Sync Samba NT/LM password with Unix
+ password: If a user account has Samba passwords set then
+ LAM will offer to synchronize the passwords.
+
+
+
+ Unlock Samba account: Locked
+ Samba accounts can be unlocked with the password change.
+
+
+
+ Update Samba password
+ timestamps: This will set the timestamps when the
+ password was changed (sambaPwdLastSet). Only existing attributes are
+ updated. No new attributes are added.
+
+
+
+ Sync Kerberos password with Unix
+ password: This will also update the Heimdal Kerberos
+ password.
+
+
+
+ Sync Asterisk (voicemail) password with
+ Unix password: Changes also the Asterisk
+ passwords.
+
+
+
+ Force password change: This
+ will force the user to change his password at next login. This
+ option supports Shadow, Samba 3 and PPolicy (automatically
+ detected).
+
+
+
+
+
+
+ Account (un)locking:
+
+ Depending if the account includes a Unix/Samba extension and
+ PPolicy is activated the page will show options to (un)lock the account.
+ E.g. if the account is fully unlocked then there will be no unlocking
+ options printed.
+
+
+
+
+
+
+
+
+
+
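Review bot: the "Access levels" section never says that "Read only" and "Change passwords" are enforced by LAM alone; LAM binds to the directory with the credentials the admin logs in with (see the login method description in chapter-configuration.xml), so an admin whose LDAP ACLs permit writes can still change entries with any other client. The per-type "Read-only" option in that chapter already states that it "is no replacement for setting up proper ACLs on your LDAP server"; the same sentence belongs here, next to the three access levels. The random-password description ("11 characters long with a random combination of letters, digits and ".-_"") should also say whether the generated value is checked against the central password policy, because the policy section states that it applies to all password fields inside LAM admin. Wording: "LAM admin users can manage account, create profiles" should read "accounts"; "Account may also be (un)locked If you set the access level" is missing the full stop before "If"; and "Depending if the account includes a Unix/Samba extension" should read "Depending on whether".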
diff --git a/lam/docs/manual-sources/chapter-bigPicture.xml b/lam/docs/manual-sources/chapter-bigPicture.xml
new file mode 100644
index 00000000..724bcaa3
--- /dev/null
+++ b/lam/docs/manual-sources/chapter-bigPicture.xml
@@ -0,0 +1,312 @@
+
+
+
+ Big picture
+
+
+ Overview
+
+ LAM has two major areas:
+
+
+
+ Admin interface to manage all sorts of different LDAP entries
+ (e.g. users/groups/hosts)
+
+
+
+ Self service (LAM Pro) where end users can edit their own
+ data
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Admin interface
+
+ This is the main part of the application. It allows to manage a
+ large list of LDAP entries (e.g. users, groups, DNS entries, ...). This
+ part is accessed by LDAP admins and support staff.
+
+
+
+
+
+
+
+
+
+ Functional areas:
+
+
+
+ Account tabs: These tabs allow to switsch between different
+ account types
+
+
+
+ Tree view: Provides an LDAP browser to edit LDAP entries on
+ attribute level
+
+
+
+ Tools menu: Contains useful tools such as profile and PDF
+ editor
+
+
+
+ Help: Link to manual
+
+
+
+ Logout: Logout of the application
+
+
+
+ List view: Lists all entries of the selected account type
+ (e.g. users)
+
+
+
+ List configuration: Configuration settings for list view (e.g.
+ number of entries per page)
+
+
+
+ Filter: Filter boxes allow to enter simple filters like
+ "a*"
+
+
+
+ Self Service
+
+ The self service provides a simple interface for your users to
+ edit their own data (e.g. telephone number). It also supports user self
+ registration and password reset functionality.
+
+ You can fully customize the layout of the self service
+ page.
+
+
+
+
+
+
+
+
+
+ Configuration
+
+ Configuration is done on multiple levels:
+
+ Global
+
+ Effective for all parts of LAM (e.g. logging and password
+ policy).
+
+ Configured via LAM admin login -> LAM configuration -> Edit general settings.
+
+ Server profile
+
+ All settings for an LDAP connection (e.g. server name, LDAP
+ suffixes, account types/modules to activate) in admin interface. There
+ may be multiple for one LDAP server (e.g. for multiple departments,
+ different user groups, ...).
+
+ Configured via LAM admin login -> LAM configuration -> Edit server profile.
+
+ Self service
+
+ All settings for a self service interface (e.g. fields that can be
+ edited, password reset functionality, ...).
+
+ Configured via LAM admin login -> LAM configuration -> Edit self service.
+
+ Profiles
+
+ Account profiles store
+ default values for new LDAP entries.
+
+ PDF structures
+
+ PDF structures define the layout
+ and list of data fields to include in PDF export.
+
+
+
+ Glossary
+
+ Here you can find a list of common terms used in LAM.
+
+
+ Glossary
+
+
+
+
+ Term
+
+ Description
+
+
+
+
+
+ Account module
+
+ Plugin for a specific account type (e.g. Unix plugin for
+ user type)
+
+
+
+ Account type
+
+ Type of an LDAP entry (e.g. user/group/host)
+
+
+
+ Admin interface
+
+ LAM webpages for admin user (e.g. to create new
+ users)
+
+
+
+ Lamdaemon
+
+ Support script to manage user file system quotas and
+ create home directories
+
+
+
+ PDF editor
+
+ Manages PDF structures
+
+
+
+ PDF export
+
+ Exports an entry to PDF by using a PDF structure
+
+
+
+ PDF structure
+
+ Defines the layout and list of data fields to include in
+ PDF export
+
+
+
+ Profile
+
+ Template for creation of LDAP entries, contains default
+ values
+
+
+
+ Profile editor
+
+ Manages profiles for all account types
+
+
+
+ Self Service
+
+ LAM webpages for normal users where they can edit their
+ own data
+
+
+
+ Self service profile
+
+ Configuration for self service pages (multiple
+ configurations can exist)
+
+
+
+ Tree view
+
+ LDAP browser that allows to modify LDAP entries on
+ attribute/object class level
+
+
+
+
+
+
+
+ Architecture
+
+ There are basically two groups of users for LAM:
+
+
+
+ LDAP administrators and support
+ staff:
+
+ These people administer LDAP entries like user accounts,
+ groups, ...
+
+
+
+ Users:
+
+ This includes all people who need to manage their own data
+ inside the LDAP directory. E.g. these people edit their contact
+ information with LAM self service (LAM Pro).
+
+
+
+
+
+
+
+
+
+
+
+ Therefore, LAM is split into two separate parts, LAM for admins
+ and for users. LAM for admins allows to manage various types of LDAP
+ entries (e.g. users, groups, hosts, ...). It also contains tools like
+ batch upload, account profiles, LDAP schema viewer and an LDAP browser.
+ LAM for users focuses on end users. It provides a self service for the
+ users to edit their personal data (e.g. contact information). The LAM
+ administrator is able to specify what data may be changed by the users.
+ The design is also adaptable to your corporate design.
+
+ LAM for admins/users is accessible via HTTP(S) by all major web
+ browsers (Firefox, IE, Opera, ...).
+
+ LAM runtime environment:
+
+ LAM runs on PHP. Therefore, it is independant of CPU architecture
+ and operating system (OS). You can run LAM on any OS which supports
+ Apache, Nginx or other PHP compatible web servers.
+
+ Home directory server:
+
+ You can manage user home directories and their quotas inside LAM.
+ The home directories may reside on the server where LAM is installed or
+ any remote server. The commands for home directory management are
+ secured by SSH. LAM will use the user name and password of the logged in
+ LAM administrator for authentication.
+
+ LDAP directory:
+
+ LAM connects to your LDAP server via standard LDAP protocol. It
+ also supports encrypted connections with SSL and TLS.
+
+
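Review bot: the "Home directory server" paragraph states that LAM "will use the user name and password of the logged in LAM administrator for authentication", but the server profile section of chapter-configuration.xml describes an SSH key as the recommended method and the login password only as the fallback when no key is configured; update this paragraph so both chapters describe the same behaviour. In the "Architecture" paragraph, "accessible via HTTP(S)" lists plain HTTP as an equal option although the admin interface is authenticated with LDAP credentials; recommend HTTPS explicitly. Typos in this hunk: "switsch between different account types" (switch) and "independant of CPU architecture" (independent).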
diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml
new file mode 100644
index 00000000..7a0bede6
--- /dev/null
+++ b/lam/docs/manual-sources/chapter-configuration.xml
@@ -0,0 +1,1479 @@
+
+
+
+ Configuration
+
+ After you installed LAM you
+ can configure it to fit your needs. The complete configuration can be done
+ inside the application. There is no need to edit configuration
+ files.
+
+ Please point you browser to the location where you installed LAM.
+ E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM
+ via the tar.bz2 then this may vary. You should see the following
+ page:
+
+
+
+
+
+
+
+
+
+ If you see an error message then you might need to install an
+ additional PHP extension. Please follow the instructions and reload the
+ page afterwards.
+
+ Now you are ready to configure LAM. Click on the "LAM configuration"
+ link to proceed.
+
+
+
+
+
+
+
+
+
+ Here you can change LAM's general settings, setup server profiles
+ for your LDAP server(s) and configure the self service (LAM Pro). You should start
+ with the general settings and then setup a server profile.
+
+
+ General settings
+
+ After selecting "Edit general settings" you will need to enter the
+ master configuration password.
+ The default password for new installations is "lam". Now you can edit
+ the general settings.
+
+
+ License (LAM Pro only)
+
+ This is only required when you run LAM Pro. Please enter the
+ license key from your customer
+ profile. In case you have purchased multiple licenses please
+ only enter one license key block per installation.
+
+ When you entered the license key then the license details can be
+ seen on LAM configuration overview page.
+
+
+
+
+
+
+
+
+
+
+
+ Security settings
+
+ Here you can set a time period after which inactive sessions are
+ automatically invalidated. The selected value represents minutes of
+ inactivity.
+
+ You may also set a list of IP addresses which are allowed to
+ access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
+ or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
+ access LAM via an untrusted IP only get blank pages. There is a
+ separate field for LAM Pro self service.
+
+ Session encryption will encrypt sensitive
+ data like passwords in your session files. This is only available when
+ PHP MCrypt is active. This
+ adds extra security but also costs performance. If you manage a large
+ directory you might want to disable this and take other actions to
+ secure your LAM server.
+
+
+
+
+
+
+
+
+
+ SSL certificate
+ setup:
+
+ By default, LAM uses the CA certificates that are preinstalled
+ on your system. This will work if you connect via SSL/TLS to an LDAP
+ server that uses a certificate signed by a well-known CA. In case you
+ use your own CA (e.g. company internal CA) you can import the CA
+ certificates here.
+
+ Please note that this can affect other web applications on the
+ same server if they require different certificates. There seem to be
+ problems on Debian systems and you may also need to restart Apache. In
+ case of any problems please delete the uploaded certificates and use
+ the system setup.
+
+ You can either upload a DER/PEM formatted certificate file or
+ import the certificates directly from an LDAP server that is available
+ with LDAP+SSL (ldaps://). LAM will automatically override system
+ certificates if at least one certificate is uploaded/imported.
+
+ The whole certificate list can be downloaded in PEM format. You
+ can also delete single certificates from the list.
+
+ Please note that you might need to restart your webserver if you
+ do any changes to this configuration.
+
+
+
+
+
+
+
+
+
+
+
+ Password policy
+
+ This allows you to specify a central password policy for LAM.
+ The policy is valid for all password fields inside LAM admin
+ (excluding tree view) and LAM self service. Configuration passwords do
+ not need to follow this policy.
+
+
+
+
+
+
+
+
+
+ You can set the minimum password length and also the complexity
+ of the passwords.
+
+
+
+ Logging
+
+ LAM can log events (e.g. user logins). You can use system
+ logging (syslog for Unix, event viewer for Windows) or log to a
+ separate file. Please note that LAM may log sensitive data (e.g.
+ passwords) at log level "Debug". Production systems should be set to
+ "Warning" or "Error".
+
+ The PHP error reporting is only for developers. By default LAM
+ does not show PHP notice messages in the web pages. You can select to
+ use the php.ini setting here or printing all errors and
+ notices.
+
+
+
+
+
+
+
+
+
+
+
+ Additional options
+
+ Email
+ format
+
+ Some email servers are not standards compatible. If you receive
+ mails that look broken you can change the line endings for sent mails
+ here. Default is to use "\r\n".
+
+ At the moment, this option is only available in LAM Pro as there
+ is no mail sending in the free version. See here for setting up your SMTP
+ server.
+
+
+
+
+
+
+
+
+
+
+
+ Change master password
+
+ If you would like to change the master configuration password
+ then enter a new password here.
+
+
+
+
+
+
+
+
+
+
+
+
+ Server profiles
+
+ The server profiles store information about your LDAP server (e.g.
+ host name) and what kind of accounts (e.g. users and groups) you would
+ like to manage. There is no limit on the number of server profiles. See
+ the typical scenarios about
+ how to structure your server profiles.
+
+
+ Manage server profiles
+
+ Select "Manage server profiles" to open the profile management
+ page.
+
+
+
+
+
+
+
+
+
+ Here you can create, rename and delete server profiles. The
+ passwords of your server
+ profiles can also be reset.
+
+ You may also specify the default server profile. This is the
+ server profile which is preselected at the login page. It also
+ specifies the language of the login and configuration pages.
+
+ Templates for new server
+ profiles
+
+ You can create a new server profile based on one of the built-in
+ templates or any existing profile. Of course, the account types and
+ selected modules can be changed after you created your profile.
+
+ Built-in templates:
+
+
+
+ addressbook: simple profile for user management with
+ inetOrgPerson object class
+
+
+
+ samba3: Samba 3 users, groups, hosts and domains
+
+
+
+ unix: Unix users and groups (posixAccount/Group)
+
+
+
+ windows_samba4: Active Directory user, group and host
+ management
+
+
+
+
+
+
+
+
+
+
+
+ All operations on the profile management page require that you
+ authenticate yourself with the configuration master
+ password.
+
+
+
+ Editing a server profile
+
+ Please select you server profile and enter its password to edit
+ a server profile.
+
+
+
+
+
+
+
+
+
+ Each server profile contains the following information:
+
+
+
+ General settings: general
+ settings about your LDAP server (e.g. host name and security
+ settings)
+
+
+
+ Account types: list of
+ account types (e.g. users and groups) that you would like to
+ manage and type specific settings (e.g. LDAP suffix)
+
+
+
+ Modules: list of modules
+ which define what account aspects (e.g. Unix, Samba, Kolab) you
+ would like to manage
+
+
+
+ Module settings: settings
+ which are specific for the selected account modules on the page
+ before
+
+
+
+
+ General settings
+
+ Here you can specify the LDAP server and some security
+ settings.
+
+
+
+
+
+
+
+
+
+ The server address of your LDAP server can be a DNS name or an
+ IP address. Use ldap:// for unencrypted LDAP connections or TLS
+ encrypted connections. LDAP+SSL (LDAPS) encrypted connections are
+ specified with ldaps://. The port value is optional. TLS cannot be
+ combined with ldaps://.
+
+ Hint: If you use a master/slave setup with referrals then
+ point LAM to your master server. Due to bugs in the underlying LDAP
+ libraries pointing to a slave might cause issues on write
+ operations.
+
+ LAM includes an LDAP browser which allows direct modification
+ of LDAP entries. If you would like to use it then enter the LDAP
+ suffix at "Tree suffix".
+
+ The search limit is used to reduce the number of search
+ results which are returned by your LDAP server.
+
+ The access level specifies if LAM should allow to modify LDAP
+ entries. This feature is only available in LAM Pro. LAM non-Pro
+ releases use write access. See this page for details on
+ the different access levels.
+
+ Advanced options
+
+ Sometimes, you may not want to display the server address on
+ the login page. In this case you can setup a display name here (e.g.
+ "Production").
+
+ By default LAM will not follow LDAP referrals. This is ok for
+ most installations. If you use LDAP referrals please activate the
+ referral option in advanced settings.
+
+ Paged results should be activated only if you encounter any
+ problems regarding size limits on Active Directory. LAM will then
+ query LDAP to return results in chunks of 999 entries.
+
+
+
+
+ LAM is translated to many different languages. Here you can
+ select the default language for this server profile. The language
+ setting may be overriden at the LAM login page.
+
+ Please also set your time zone here.
+
+
+
+
+
+
+
+
+
+ LAM can manage user home directories and quotas with an
+ external script. You can specify the home directory server and where
+ the script is located. The default rights for new home directories
+ can be set, too.
+
+ You can provide a fixed user name. If you leave the field
+ empty then LAM will use your current account (the account you used
+ to login to LAM).
+
+ There are two possibilities to connect to your home
+ directory/quota server:
+
+
+
+ SSH key (recommended): Please generate a SSH key pair and
+ provide the location to the private key file. If the key is protected
+ by a password you can also specify it here.
+
+
+
+ Password: If you do not set a SSH key then LAM will try to
+ connect with your current account (the password you used to
+ login to LAM).
+
+
+
+
+
+
+
+
+
+
+
+ LAM Pro users may directly set passwords
+ from list view. You can configure if it should be possible to set
+ specific passwords and showing password on screen is allowed.
+
+
+
+
+
+
+
+
+
+ LAM Pro users can send out changed passwords to their users.
+ Here you can specify the options for these mails.
+
+ If you select "Allow alternate address" then password mails
+ can be sent to any address (e.g. a secondary address if the user
+ account is also bound to the mailbox).
+
+
+
+
+
+
+
+
+
+ LAM supports two methods for login.
+
+
+
+
+
+
+
+
+
+ The first one is to specify a fixed list of LDAP DNs that are
+ allowed to login. Please enter one DN per line.
+
+ The second one is to let LAM search for the DN in your
+ directory. E.g. if a user logs in with the user name "joe" then LAM
+ will do an LDAP search for this user name. When it finds a matching
+ DN then it will use this to authenticate the user. The wildcard
+ "%USER%" will be replaced by "joe" in this example. This way you can
+ provide login by user name, email address or other LDAP
+ attributes.
+
+ Additionally, you can enable HTTP authentication when using
+ "LDAP search". This way the web server is responsible to
+ authenticate your users. LAM will use the given user name + password
+ for the LDAP login. You can also configure this to setup advanced
+ login restrictions (e.g. require group memberships for login). To
+ setup HTTP authentication in Apache please see this link
+ and an example for LDAP authentication here.
+
+ Hint: LDAP search with group
+ membership check can be done with either HTTP authentication or LDAP
+ overlays like "memberOf"
+ or "Dynamic
+ lists". Dynamic lists allow to insert virtual attributes to
+ your user entries. These can then be used for the LDAP filter (e.g.
+ "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))").
+
+
+
+
+
+
+
+
+
+ You may also change the password of this server profile.
+ Please just enter the new password in both password fields.
+
+
+
+ Account types
+
+ LAM supports to manage various types of LDAP entries (e.g.
+ users, groups, DHCP entries, ...). On this page you can select which
+ types of entries you want to manage with LAM.
+
+
+
+
+
+
+
+
+
+ The section at the top shows a list of possible types. You can
+ activate them by simply clicking on the plus sign next to it.
+
+ Each account type has the following options:
+
+
+
+ LDAP suffix: the LDAP
+ suffix where entries of this type should be managed
+
+
+
+ List attributes: a list
+ of attributes which are shown in the account lists
+
+
+
+ Additional LDAP filter:
+ LAM will automatically detect the right LDAP entries for each
+ account type. This can be used to further limit the number of
+ visible entries (e.g. if you want to manage only some specific
+ groups). You can use "@@LOGIN_DN@@" as wildcard (e.g.
+ "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the
+ user who is logged in.
+
+
+
+ Hidden: This is used to
+ hide account types that should not be displayed but are required
+ by other account types. E.g. you can hide the Samba domains
+ account type and still assign domains when you edit your
+ users.
+
+
+
+ Read-only (LAM Pro only):
+ This allows to set a single account type to read-only mode.
+ Please note that this is a restriction on functional level (e.g.
+ group memberships can be changed on user page even if groups are
+ read-only) and is no replacement for setting up proper ACLs on
+ your LDAP server.
+
+
+
+ Custom label: Here you
+ can set a custom label for the account types. Use this if the
+ standard label does not fit for you (e.g. enter "Servers" for
+ hosts).
+
+
+
+ No new entries (LAM Pro
+ only): Use this if you want to prevent that new
+ accounts of this type are created by your users. The GUI will
+ hide buttons to create new entries and also disable file upload
+ for this type.
+
+
+
+ Disallow delete (LAM Pro
+ only): Use this if you want to prevent that accounts
+ of this type are deleted by your users.
+
+
+
+
+
+
+
+
+
+
+
+ On the next page you can specify in detail what extensions
+ should be enabled for each account type.
+
+
+
+ Modules
+
+ The modules specify the active extensions for each account
+ type. E.g. here you can setup if your user entries should be address
+ book entries only or also support Unix or Samba.
+
+
+
+
+
+
+
+
+
+ Each account type needs a so called "base module". This is the
+ basement for all LDAP entries of this type. Usually, it provides the
+ structural object class for the LDAP entries. There must be exactly
+ one active base module for each account type.
+
+ Furthermore, there may be any number of additional active
+ account modules. E.g. you may select "Personal" as base module and
+ Unix + Samba as additional modules.
+
+
+
+ Module settings
+
+ Depending on the activated account modules there may be
+ additional configuration options available. They can be found on the
+ "Module settings" tab. E.g. the Personal account module allows to
+ hide several input fields and the Unix module requires to specify
+ ranges for UID numbers.
+
+
+
+
+
+
+
+
+
+
+
+
+ Cron jobs (LAM Pro)
+
+ LAM Pro can execute common tasks via cron job. This can be used
+ to e.g. notify your users before their passwords expire.
+
+
+ LDAP and database configuration
+
+ Please add the LDAP bind user and password for all jobs. This
+ LDAP account will be used to perform all LDAP read and write
+ operations.
+
+ Next, select the database type where LAM should store job
+ related data. Supported databases are SQLite and MySQL.
+
+ SQLite
+
+ This is a simple file based database. It needs no special
+ database server. The database file will be located next to the
+ server profile in config directory.
+
+ You will need to install the SQLite PDO module for PHP
+ (pdo_sqlite.so). For Debian this is located in package
+ php5-sqlite.
+
+
+
+
+
+
+
+
+
+ MySQL
+
+ This will store all job data in an external MySQL
+ database.
+
+ You will need to install the MySQL PDO module for PHP
+ (pdo_mysql.so). For Debian this is located in package
+ php5-mysql.
+
+ Steps to create a MySQL database and user:
+
+ # login
+mysql -u root -p
+# create a database
+mysql> create database lam_cron;
+#
+mysql> CREATE USER 'lam_cron'@'%' IDENTIFIED BY 'password';
+mysql> CREATE USER 'lam_cron'@'localhost' IDENTIFIED BY 'password';
+# grant access for new user
+mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%';
+mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
+
+
+
+
+
+
+
+
+
+
+
+Test your settings
+
+ After the LDAP and database settings are done you can test
+ your settings.
+
+ Cron entry
+
+ LAM also prints the crontab line that you need to run the
+ configured jobs on a daily basis. The command must be run as the
+ same user as your webserver is running. You are free to change the
+ starting time of the script or run it more often.
+
+
+
+ Adding jobs
+
+ To add a new job just click on the "Add job" button and select
+ the job type you need. The list of available jobs depends on your
+ active account modules. E.g. the PPolicy job will only be available
+ if you activated PPolicy user module.
+
+ Depending on the job type jobs may be added multiple times
+ with different configurations. For descriptions about the available
+ job types see next chapters.
+
+
+
+
+
+
+
+
+
+
+ PPolicy: Notify users about password expiration
+
+ This will send your users an email reminder before their
+ password expires.
+
+ You need to activate the PPolicy module for users to be able
+ to add this job. The job can be added multiple times (e.g. to send
+ a second warning at a later time).
+
+ LAM calculates the expiration date based on the last
+ password change and the assigned password policy (or the default
+ policy) using attributes pwdMaxAge and pwdExpireWarning.
+
+ Examples:
+
+ Warning time (pwdExpireWarning) = 14 days, notification
+ period = 10: LAM will send out the email 24 days before the
+ password expires
+
+ Warning time (pwdExpireWarning) = 14 days, notification
+ period = 0: LAM will send out the email 14 days before the
+ password expires
+
+ No warning time (pwdExpireWarning), notification period =
+ 10: LAM will send out the email 10 days before the password
+ expires
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ From address
+
+ The email address to set as FROM.
+
+
+
+ Reply-to address
+
+ Optional Reply-to address for email.
+
+
+
+ CC address
+
+ Optional CC mail address.
+
+
+
+ BCC address
+
+ Optional BCC mail address.
+
+
+
+ Subject
+
+ The email subject line. Supports wildcards, see
+ below.
+
+
+
+ Text
+
+ The email body text. Supports wildcards, see
+ below.
+
+
+
+ Notification period
+
+ Number of days to notify before password
+ expires.
+
+
+
+ Default password policy
+
+ Default PPolicy password policy entry (object class
+ "pwdPolicy").
+
+
+
+
+
+ Wildcards:
+
+ You can enter LDAP attributes as wildcards in the form
+ @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
+ "@@cn@@". For the common name it would be "@@cn@@".
+
+ There are also two special wildcards for the expiration
+ date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
+ "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
+ "2016-12-31".
+
+
+
+ 389ds: Notify users about password expiration
+
+ This will send your users an email reminder before their
+ password expires.
+
+ You need to activate the Account Locking module for users to
+ be able to add this job. The job can be added multiple times (e.g.
+ to send a second warning at a later time).
+
+ LAM calculates the expiration date based on the attribute
+ passwordExpirationTime.
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ From address
+
+ The email address to set as FROM.
+
+
+
+ Reply-to address
+
+ Optional Reply-to address for email.
+
+
+
+ CC address
+
+ Optional CC mail address.
+
+
+
+ BCC address
+
+ Optional BCC mail address.
+
+
+
+ Subject
+
+ The email subject line. Supports wildcards, see
+ below.
+
+
+
+ Text
+
+ The email body text. Supports wildcards, see
+ below.
+
+
+
+ Notification period
+
+ Number of days to notify before password
+ expires.
+
+
+
+
+
+ Wildcards:
+
+ You can enter LDAP attributes as wildcards in the form
+ @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
+ "@@cn@@". For the common name it would be "@@cn@@".
+
+ There are also two special wildcards for the expiration
+ date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
+ "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
+ "2016-12-31".
+
+
+
+ Shadow: Notify users about password expiration
+
+ This will send your users an email reminder before their
+ password expires.
+
+ You need to activate the Shadow module for users to be able
+ to add this job. The job can be added multiple times (e.g. to send
+ a second warning at a later time).
+
+ LAM calculates the expiration date based on the last
+ password change, the password warning time (attribute
+ "shadowWarning") and the specified notification period.
+
+ Examples:
+
+ Warning time = 14, notification period = 10: LAM will send
+ out the email 24 days before the password expires
+
+ Warning time = 14, notification period = 0: LAM will send
+ out the email 14 days before the password expires
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ From address
+
+ The email address to set as FROM.
+
+
+
+ Reply-to address
+
+ Optional Reply-to address for email.
+
+
+
+ CC address
+
+ Optional CC mail address.
+
+
+
+ BCC address
+
+ Optional BCC mail address.
+
+
+
+ Subject
+
+ The email subject line. Supports wildcards, see
+ below.
+
+
+
+ Text
+
+ The email body text. Supports wildcards, see
+ below.
+
+
+
+ Notification period
+
+ Number of days to notify before password
+ expires.
+
+
+
+
+
+ Wildcards:
+
+ You can enter LDAP attributes as wildcards in the form
+ @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
+ "@@cn@@". For the common name it would be "@@cn@@".
+
+ There are also two special wildcards for the expiration
+ date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
+ "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
+ "2016-12-31".
+
+
+
+ Shadow: Delete or move expired accounts
+
+ You can automatically delete or move expired accounts. The
+ job checks Shadow account expiration dates (not password
+ expiration dates).
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ Delay
+
+ Number of days to wait after the account is
+ expired.
+
+
+
+ Action
+
+ Delete or move accounts
+
+
+
+ Target DN
+
+ Move only: specifies the DN where accounts are
+ moved
+
+
+
+
+
+
+
+ Windows: Notify users about password expiration
+
+ This will send your users an email reminder before their
+ password expires.
+
+ You need to activate the Windows module for users to be able
+ to add this job. The job can be added multiple times (e.g. to send
+ a second warning at a later time).
+
+ LAM calculates the expiration date based on the last
+ password change and the domain policy.
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ From address
+
+ The email address to set as FROM.
+
+
+
+ Reply-to address
+
+ Optional Reply-to address for email.
+
+
+
+ CC address
+
+ Optional CC mail address.
+
+
+
+ BCC address
+
+ Optional BCC mail address.
+
+
+
+ Subject
+
+ The email subject line. Supports wildcards, see
+ below.
+
+
+
+ Text
+
+ The email body text. Supports wildcards, see
+ below.
+
+
+
+ Notification period
+
+ Number of days to notify before password
+ expires.
+
+
+
+
+
+ Wildcards:
+
+ You can enter LDAP attributes as wildcards in the form
+ @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
+ "@@cn@@". For the common name it would be "@@cn@@".
+
+ There are also two special wildcards for the expiration
+ date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
+ "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
+ "2016-12-31".
+
+
+
+ Windows: Delete or move expired accounts
+
+ You can automatically delete or move expired
+ accounts.
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ Delay
+
+ Number of days to wait after the account is
+ expired.
+
+
+
+ Action
+
+ Delete or move accounts
+
+
+
+ Target DN
+
+ Move only: specifies the DN where accounts are
+ moved
+
+
+
+
+
+
+
+ FreeRadius: Delete or move expired accounts
+
+ You can automatically delete or move expired
+ accounts.
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ Delay
+
+ Number of days to wait after the account is
+ expired.
+
+
+
+ Action
+
+ Delete or move accounts
+
+
+
+ Target DN
+
+ Move only: specifies the DN where accounts are
+ moved
+
+
+
+
+
+
+
+ Qmail: Delete or move expired accounts
+
+ You can automatically delete or move expired accounts. The
+ job reads the qmail deletion date of user accounts.
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ Delay
+
+ Number of days to wait after the account is
+ expired.
+
+
+
+ Action
+
+ Delete or move accounts
+
+
+
+ Target DN
+
+ Move only: specifies the DN where accounts are
+ moved
+
+
+
+
+
+
+
+
+ Job history
+
+ This will show the list of all executed job runs and their
+ result.
+
+
+
+
+
+
+
+
+
+
+
+
+ Typical scenarios
+
+ This is a list of typical scenarios how your LDAP environment
+ may look like and how to structure the server profiles for it.
+
+
+ Simple: One LDAP directory managed by a small group of
+ admins
+
+ This is the easiest and most common scenario. You want to
+ manage a single LDAP server and there is only one or a few admins.
+ In this case just create one server profile and you are done. The
+ admins may be either specified as a fixed list or by using an LDAP
+ search at login time.
+
+
+
+
+
+
+
+
+
+
+
+ Advanced: One LDAP server which is managed by different admin
+ groups
+
+ Large organisations may have one big LDAP directory for all
+ user/group accounts. But the users are managed by different groups
+ of admins (e.g. departments, locations, subsidiaries, ...). The
+ users are typically divided into organisational units in the LDAP
+ tree. Admins may only manage the users in their part of the
+ tree.
+
+
+
+
+
+
+
+
+
+ In this situation it is recommended to create one server
+ profile for each admin group (e.g. department). Setup the LDAP
+ suffixes in the server profiles to point to the needed
+ organisational units. E.g. use
+ ou=people,ou=department1,dc=company,dc=com or
+ ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
+ Do the same for groups, hosts, ... This way each admin group will
+ only see its own users. You may want to use LDAP search for the LAM
+ login in this scenario. This will prevent that you need to update a
+ server profile if the number of admins changes.
+
+ Attention: LAM's feature to
+ automatically find free UIDs/GIDs for new users/groups will not work
+ in this case. LAM uses the user/group suffix to search for already
+ assigned UIDs/GIDs. As an alternative you can specify different
+ UID/GID ranges for each department. Then the UIDs/GIDs will stay
+ unique for the whole directory.
+
+
+
+ Multiple LDAP servers
+
+ You can manage as many LDAP servers with LAM as you wish. This
+ scenario is similar to the advanced scenario above. Just create one
+ server profile for each LDAP server.
+
+
+
+
+
+
+
+
+
+
+
+ Single LDAP directory with lots of users (>10 000)
+
+ LAM was tested to work with 10 000 users. If you have a lot
+ more users then you have basically two options.
+
+
+
+ Divide your LDAP tree in organisational units: This is
+ usually the best performing option. Put your accounts in several
+ organisational units and setup LAM as in the advanced scenario
+ above.
+
+
+
+ Increase memory limit: Increase the memory_limit parameter
+ in your php.ini. This will allow LAM to read more entries. But
+ this will slow down the response times of LAM.
+
+
+
+
+
+
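Review bot: the MySQL snippet under "Steps to create a MySQL database and user" creates the job account with the literal password 'password' and grants ALL PRIVILEGES to 'lam_cron'@'%', which allows the login from any host; the text should tell readers to replace the placeholder with a strong, unique password and to keep only the host they actually need (the 'lam_cron'@'localhost' pair when the database runs on the web server, otherwise the web server's host instead of '%'). The comment line above the two CREATE USER statements is an empty `#`; suggest `# create the database user (replace 'password' with a strong secret)`. Minor: the wildcards paragraph repeated in every notification job section says the same thing twice ('E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".'), so one of the two sentences can be dropped.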
diff --git a/lam/docs/manual-sources/chapter-installation.xml b/lam/docs/manual-sources/chapter-installation.xml
new file mode 100644
index 00000000..dbb4b616
--- /dev/null
+++ b/lam/docs/manual-sources/chapter-installation.xml
@@ -0,0 +1,904 @@
+
+
+
+ Installation
+
+
+ New installation
+
+
+ Requirements
+
+ LAM has the following requirements to run:
+
+
+
+ Apache/Nginx webserver (SSL recommended) with PHP module
+ (PHP 5 (>= 5.2.4) with ldap, gettext, xml, openssl and optional
+ mcrypt)
+
+
+
+ Some LAM plugins may require additional PHP extensions (you
+ will get a note on the login page if something is missing)
+
+
+
+ Perl (optional, needed only for lamdaemon)
+
+
+
+ Any standard LDAP server (e.g. OpenLDAP, Active Directory,
+ Samba 4, OpenDJ, 389 Directory Server, Apache DS, ...)
+
+
+
+ A recent web browser that supports CSS2 and JavaScript, at
+ minimum:
+
+
+
+ Firefox (max. 2 years old)
+
+
+
+ Internet Explorer 9 (compatibility mode turned
+ off)
+
+
+
+ Opera (max. 2 years old)
+
+
+
+ Chrome (max. 2 years old)
+
+
+
+
+
+ MCrypt will be used to store your LDAP password encrypted in the
+ session file.
+
+ Please note that LAM does not ship with a selinux policy. Please
+ disable selinux or create your own
+ policy.
+
+ See LDAP schema fles for
+ information about used LDAP schema files.
+
+
+
+ Prepackaged releases
+
+ LAM is available as prepackaged version for various
+ platforms.
+
+
+ Debian
+
+
+
+
+
+
+
+
+
+
+
+ LAM is part of the official Debian repository. New
+ releases are uploaded to unstable and will be available
+ automatically in testing and the stable releases. You can
+ runapt-get
+ install ldap-account-managerto install LAM
+ on your server. Additionally, you may download the latest
+ LAM Debian packages from the LAM
+ homepage or the Debian
+ package homepage.Installation of the latest packages on
+ Debian
+
+ Install the LAM package
+
+ dpkg -i ldap-account-manager_*.deb
+
+ If you get any messages about missing
+ dependencies run now: apt-get -f install
+
+
+
+ Install the lamdaemon package (optional)
+
+ dpkg -i
+ ldap-account-manager-lamdaemon_*.deb
+
+
+
+
+
+
+
+
+
+ Suse/Fedora/CentOS
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ There are RPM packages available on the LAM
+ homepage. The packages can be installed with these
+ commands:rpm -e
+ ldap-account-manager
+ ldap-account-manager-lamdaemon (if an older
+ version is installed)rpm
+ -i <path to LAM
+ package>
+Note: The RPM packages
+ for Fedora/CentOS do not contain a dependency to PHP due to
+ the various package names for it. Please make sure that you
+ install Apache/Nginx with PHP.
+
+
+
+
+
+
+
+ Other RPM based distributions
+
+ The RPM packages for Suse/Fedora are very generic and should
+ be installable on other RPM-based distributions, too. The Fedora
+ packages use apache:apache as file owner and the Suse ones use
+ wwwrun:www.
+
+
+
+ FreeBSD
+
+
+
+
+
+
+
+
+
+
+
+ LAM is part of the official FreeBSD ports tree. For
+ more details see these pages:FreeBSD-SVN: http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/FreshPorts:
+ http://www.freshports.org/sysutils/ldap-account-manager
+
+
+
+
+
+
+
+
+ Installing the tar.bz2
+
+
+ Extract the archive
+
+ Please extract the archive with the following command:
+
+ tar xjf ldap-account-manager-<version>.tar.bz2
+
+
+
+ Install the files
+
+
+ Manual copy
+
+ Copy the files into the html-file scope of the web server.
+ For example /apache/htdocs or /var/www/html.
+
+ Then set the appropriate file permissions inside the LAM
+ directory:
+
+
+
+ sess: write permission for apache/nginx user
+
+
+
+ tmp: write permission for apache/nginx user
+
+
+
+ tmp/internal: write permission for apache/nginx
+ user
+
+
+
+ config (with subdirectories): write permission for
+ apache/nginx user
+
+
+
+ lib/lamdaemon.pl: set executable
+
+
+
+
+
+ With configure script
+
+ Instead of manually copying files you can also use the
+ included configure script to install LAM. Just run these commands
+ in the extracted directory:
+
+
+
+ ./configure
+
+
+
+ make install
+
+
+
+ Options for "./configure":
+
+
+
+ --with-httpd-user=USER USER is the name of your
+ Apache/Nginx user account (default httpd)
+
+
+
+ --with-httpd-group=GROUP GROUP is the name of your
+ Apache/Nginx group (default httpd)
+
+
+
+ --with-web-root=DIRECTORY DIRECTORY is the name where
+ LAM should be installed (default /usr/local/lam)
+
+
+
+
+
+
+ Configuration files
+
+ Copy config/config.cfg.sample to config/config.cfg. Open the
+ index.html in your web browser:
+
+
+
+ Follow the link "LAM configuration" from the start page to
+ configure LAM.
+
+
+
+ Select "Edit general settings" to setup global settings
+ and to change the master
+ configuration password (default is "lam").
+
+
+
+ Select "Edit server profiles" to setup a server
+ profile.
+
+
+
+
+
+ Webserver configuration
+
+ Please see the Apache or Nginx chapter.
+
+
+
+
+ System configuration
+
+
+ PHP
+
+ LAM runs with PHP5 (>= 5.2.4). Needed changes in your
+ php.ini:
+
+ memory_limit = 64M
+
+ For large installations (>10000 LDAP entries) you may need
+ to increase the memory limit to 256M.
+
+ If you run PHP with activated Suhosin
+ extension please check your logs for alerts. E.g. LAM requires that
+ "suhosin.post.max_name_length" and
+ "suhosin.request.max_varname_length" are increased (e.g. to
+ 256).
+
+
+
+ Locales for non-English translation
+
+ If you want to use a translated version of LAM be sure to
+ install the needed locales. The following table shows the needed
+ locales for the different languages.
+
+
+
+ You can get a list of all installed locales on your system by
+ executing:
+
+ locale -a
+
+ Debian users can add locales with "dpkg-reconfigure
+ locales".
+
+
+
+
+
+ Upgrading LAM or migrate from LAM to LAM Pro
+
+ Upgrading from LAM to LAM Pro is like installing a new LAM
+ version. Simply install the LAM Pro packages/tar.bz2 instead of the LAM
+ ones.
+
+
+ Upgrade LAM
+
+ Backup configuration
+ files
+
+ Configuration files need only to be backed up for .tar.bz2
+ installations. DEB/RPM installations do not require this step.
+
+ LAM stores all configuration files in the "config" folder.
+ Please backup the following files and copy them after the new version
+ is installed.
+
+
+ config/*.conf
+
+ config/config.cfg
+
+ config/pdf/*.xml
+
+ config/profiles/*
+
+
+ LAM Pro only:
+
+
+ config/selfService/*.*
+
+
+ Uninstall current LAM (Pro)
+ version
+
+ If you used the RPM installation packages then remove the
+ ldap-account-manager and ldap-account-manager-lamdaemon packages by
+ calling "rpm -e ldap-account-manager
+ ldap-account-manager-lamdaemon".
+
+ Debian needs no removal of old packages.
+
+ For tar.bz2 please remove the folder where you installed LAM via
+ configure or by copying the files.
+
+ Install new LAM (Pro)
+ version
+
+ Please install the new LAM
+ (Pro) release. Skip the part about setting up LAM configuration
+ files.
+
+ Restore configuration
+ files
+
+ RPM:
+
+ Please check if there are any files ending with ".rpmsave" in
+ /var/lib/ldap-account-manager/config. In this case you need to
+ manually remove the .rpmsave extension by overwriting the package
+ file. E.g. rename default.user.rpmsave to default.user.
+
+ DEB:
+
+ Nothing needs to be restored.
+
+ tar.bz2:
+
+ Please restore your configuration files from the backup. Copy
+ all files from the backup folder to the config folder in your LAM Pro
+ installation. Do not simply replace the folder because the new LAM
+ (Pro) release might include additional files in this folder. Overwrite
+ any existing files with your backup files.
+
+ Final steps
+
+ Now open your webbrowser and point it to the LAM login page. All
+ your settings should be migrated.
+
+ Please check also the version
+ specific instructions. They might include additional
+ actions.
+
+
+
+ Version specific upgrade instructions
+
+
+ 5.5 -> 5.6
+
+ Mail routing: No longer added by default. Use profile editor
+ to activate by default for new users/groups.
+
+ Personal/Unix/Windows: no more replacement of e.g.
+ $user/$group on user upload
+
+
+
+ 5.4 -> 5.5
+
+ LAM Pro requires a license key. You can find it in your customer
+ profile.
+
+
+
+ 5.1 -> 5.4
+
+ No special actions needed.
+
+
+
+ 5.0 -> 5.1
+
+ Self Service: There were large changes to provide a responsive
+ design that works for desktop and mobile. If you use custom CSS to
+ style Self Service then this must be updated.
+
+
+
+ 4.9 -> 5.0
+
+ Samba 3: If you used logon hours then you need to set the
+ correct time zone on tab "Generel settings" in server
+ profile.
+
+
+
+ 4.5 -> 4.9
+
+ No special actions needed.
+
+
+
+ 4.4 -> 4.5
+
+ LAM will no longer follow referrals by default. This is ok for
+ most installations. If you use LDAP referrals please activate
+ referral following for your server profile (tab General settings
+ -> Server settings -> Advanced options).
+
+ The self service pages now have an own option for allowed IPs.
+ If your LAM installation uses IP restrictions please update the LAM
+ main configuration.
+
+ Password self reset (LAM Pro) allows to set a backup email
+ address. You need to update the LDAP
+ schema if you want to use this feature.
+
+
+
+ 4.3 -> 4.4
+
+ Apache configuration: LAM supports Apache 2.2 and 2.4. This
+ requires that your Apache server has enabled the "version" module.
+ For Debian and Fedora this is the default setup. The Suse RPM will
+ try to enable the version module during installation.
+
+ Kolab: User accounts get the object class "mailrecipient" by
+ default. You can change this behaviour in the module settings
+ section of your LAM server profile.
+
+ Windows: sAMAccountName is no longer set by default. Enable it
+ in server profile if needed. The possible domains for the user name
+ can also be set in server profile.
+
+
+
+ 4.2.1 -> 4.3
+
+ LAM is no more shipped as tar.gz package but as tar.bz2 which
+ allows smaller file sizes.
+
+
+
+ 4.1 -> 4.2/4.2.1
+
+ Zarafa users: The default attribute for mail aliases is now
+ "dn". If you use "uid" and did not change the server profile for a
+ long time please check your LAM server profile for this setting and
+ save it.
+
+
+
+ 4.0 -> 4.1
+
+ Unix: The list of valid login
+ shells is no longer configured in "config/shells" but in the
+ server/self service profiles (Unix settings). LAM will use the
+ following shells by default: /bin/bash, /bin/csh, /bin/dash,
+ /bin/false, /bin/ksh, /bin/sh.
+
+ Please update your server/self service profile if you would
+ like to change the list of valid login shells.
+
+
+
+ 3.9 -> 4.0
+
+ The account profiles and PDF structures are now separated by
+ server profile. This means that if you edit e.g. an account profile
+ in server profile A then this change will not affect the account
+ profiles in server profile B.
+
+ LAM will automatically migrate your existing files as soon as
+ the login page is loaded.
+
+ Special install instructions:
+
+
+
+ Debian: none, config files will be migrated when opening
+ LAM's login page
+
+
+
+ Suse/Fedora RPM:
+
+
+
+ Run "rpm -e ldap-account-manager
+ ldap-account-manager-lamdaemon"
+
+
+
+ You may get warnings like "warning:
+ /var/lib/ldap-account-manager/config/profiles/default.user
+ saved as
+ /var/lib/ldap-account-manager/config/profiles/default.user.rpmsave"
+
+
+
+ Please rename all files "*.rpmsave" and remove the
+ file extension ".rpmsave". E.g. "default.user.rpmsave" needs
+ to be renamed to "default.user".
+
+
+
+ Install the LAM packages with "rpm -i". E.g. "rpm -i
+ ldap-account-manager-4.0-0.suse.1.noarch.rpm".
+
+
+
+ Open LAM's login page in your browser to complete the
+ migration
+
+
+
+
+
+ tar.gz: standard upgrade steps, config files will be
+ migrated when opening LAM's login page
+
+
+
+
+
+ 3.7 -> 3.9
+
+ No changes.
+
+
+
+ 3.6 -> 3.7
+
+ Asterisk extensions: The extension entries are now grouped by
+ extension name and account context. LAM will automatically assign
+ priorities and set same owners for all entries.
+
+
+
+ 3.5.0 -> 3.6
+
+ Debian users: LAM 3.6
+ requires to install FPDF 1.7. You can download the package here.
+ If you use Debian Stable (Squeeze) please use the package from
+ Testing (Wheezy).
+
+
+
+ 3.4.0 -> 3.5.0
+
+ LAM Pro: The global
+ config/passwordMailTemplate.txt is no longer supported. You can
+ setup the mail settings now for each LAM server profile which
+ provides more flexibility.
+
+ Suse/Fedora RPM
+ installations: LAM is now installed to
+ /usr/share/ldap-account-manager and
+ /var/lib/ldap-account-manager.
+
+ Please note that configuration files are not migrated
+ automatically. Please move the files from /srv/www/htdocs/lam/config
+ (Suse) or /var/www/html/lam/config (Fedora) to
+ /var/lib/ldap-account-manager/config.
+
+
+
+ 3.3.0 -> 3.4.0
+
+ No changes.
+
+
+
+ 3.2.0 -> 3.3.0
+
+ If you use custom images for the PDF export then these images
+ need to be 5 times bigger than before (e.g. 250x250px instead of
+ 50x50px). This allows to use images with higher resolution.
+
+
+
+ 3.1.0 -> 3.2.0
+
+ No changes.
+
+
+
+ 3.0.0 -> 3.1.0
+
+ LAM supported to set a list of valid workstations on the
+ "Personal" page. This required to change the LDAP schema. Since
+ 3.1.0 this is replaced by the new "Hosts" module for users.
+
+ Lamdaemon: The sudo entry needs to be changed to
+ ".../lamdaemon.pl *".
+
+
+
+ 2.3.0 -> 3.0.0
+
+ No changes.
+
+
+
+ 2.2.0 -> 2.3.0
+
+ LAM Pro: There is now a
+ separate account type for group of (unique) names. Please edit your
+ server profiles to activate the new account type.
+
+
+
+ 1.1.0 -> 2.2.0
+
+ No changes.
+
+
+
+
+
+ Uninstallation of LAM (Pro)
+
+ If you used the prepackaged installation packages then remove the
+ ldap-account-manager and ldap-account-manager-lamdaemon packages.
+
+ Otherwise, remove the folder where you installed LAM via configure
+ or by copying the files.
+
+
+
+ Migration to a new server
+
+ To move LAM (Pro) from one server to another please follow these
+ steps:
+
+
+
+ Install LAM (Pro) on your new server
+
+
+
+ Copy the following files from the old server to the new one
+ (base directory for RPM/DEB is
+ /usr/share/ldap-account-manager/):
+
+
+
+ config/*.conf
+
+
+
+ config/config.cfg
+
+
+
+ config/pdf/*
+
+
+
+ config/profiles/*
+
+
+
+ config/selfService/*.* (needed for LAM Pro only)
+
+
+
+ The files must be writable for the webserver user.
+
+
+
+ Open LAM (Pro) login page on new server and verify
+ installation.
+
+
+
+ Uninstall LAM (Pro) on old server.
+
+
+
+
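Review bot: under "Requirements", "Please disable selinux or create your own policy" puts switching off a system-wide control first; the order should be reversed, with a policy (or the file contexts for the directories that must be writable, which "Manual copy" lists as sess, tmp, tmp/internal and config) as the documented route and disabling SELinux mentioned, if at all, as a last resort. Also, "Migration to a new server" gives /usr/share/ldap-account-manager/ as the base directory for RPM/DEB and lists config/*.conf, config/config.cfg and the other files under it, while "Restore configuration files" and the 3.4.0 -> 3.5.0 notes put the configuration in /var/lib/ldap-account-manager/config; please make the two consistent or state that one location links to the other. Typos: "LDAP schema fles" and "Generel settings".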
diff --git a/lam/docs/manual-sources/chapter-modules.xml b/lam/docs/manual-sources/chapter-modules.xml
new file mode 100644
index 00000000..70332fe3
--- /dev/null
+++ b/lam/docs/manual-sources/chapter-modules.xml
@@ -0,0 +1,5058 @@
+
+
+
+ Managing entries in your LDAP directory
+
+ This chapter will give you instructions how to manage the different
+ LDAP entries in your directory.
+
+ Please note that not all account types are manageable with the free
+ LAM release. LAM Pro provides some more account types (e.g. group of
+ names, aliases, ...) and modules (e.g. Zarafa, custom scripts, ...) to
+ support additional LDAP object classes. All LAM Pro features are marked in
+ this manual.
+
+ Basic page layout:
+
+ After the login LAM will present you its main page. It consists of a
+ header part which is equal for all pages and the content area which covers
+ most the of the page.
+
+ The header part includes the links to manage all account types (e.g.
+ users and groups) and open the tree view (LDAP browser). There is also the
+ logout link and a tools entry.
+
+ When you login the you will see an account listing in the content
+ area.
+
+
+
+
+
+
+
+
+
+ Here you can create, delete and modify accounts. Use the action
+ buttons at the left or double click on an entry to edit it.
+
+ The suffix selection box allows you to list only the accounts which
+ are located in a subtree of your LDAP directory.
+
+
+
+
+
+
+
+
+
+ You can change the number of shown entries per page with "Change
+ settings". Depending on the account type there may be additional settings.
+ E.g. the user list can convert group numbers to group names.
+
+ When you select to edit an entry then LAM will show all its data on
+ a tabbed view. There is one tab for each functional part of the account.
+ You can set default values by loading an account profile.
+
+
+
+
+
+
+
+
+
+
+ Typical usage scenarios
+
+ Here is a list of typical usage scenarios and what account types
+ and modules you need to configure.
+
+ Address book entries:
+
+ Account types:
+
+
+
+ Users (Personal)
+
+
+
+ Unix accounts:
+
+ Account types:
+
+
+
+ Users (Personal + Unix)
+
+
+
+ Groups (Unix (posixGroup))
+
+
+
+ Suse users may need to use Group (Group of names + Unix
+ (rfc2307bisPosixGroup)) because of Suse's special LDAP schema.
+
+ Samba 3 accounts:
+
+ Account types:
+
+
+
+ Users (Personal + User + Samba 3)
+
+
+
+ Groups (Unix + Samba 3)
+
+
+
+ Hosts (Account + Unix + Samba 3)
+
+
+
+ Samba domains (Samba domain)
+
+
+
+ Samba 4/Active Directory:
+
+ Account types:
+
+
+
+ Users (Windows)
+
+
+
+ Groups (Windows)
+
+
+
+ Hosts (Windows)
+
+
+
+ Please note that must change the attributes that are shown in the
+ account lists. Otherwise, the account tables will show empty lines. See
+ the documentation for the Windows user/group/host modules.
+
+ For Samba 4 with Zarafa use the following modules:
+
+
+
+ Users (Windows + Zarafa (+ Zarafa contact))
+
+
+
+ Groups (Windows + Zarafa)
+
+
+
+ Hosts (Windows + Zarafa)
+
+
+
+ Zarafa dynamic groups (Zarafa dynamic group)
+
+
+
+ Zarafa address lists (Zarafa address list)
+
+
+
+ See also the Zarafa section for
+ additional settings (e.g. using Zarafa AD schema).
+
+ Asterisk:
+
+ Account types:
+
+
+
+ Users (Personal + Asterisk)
+
+
+
+ Asterisk extensions (Asterisk extension)
+
+
+
+ Zarafa:
+
+ Account types:
+
+
+
+ Users (Personal + Unix + Zarafa (+ Zarafa contact))
+
+
+
+ Groups (Unix + Zarafa)
+
+
+
+ Zarafa dynamic groups (Zarafa dynamic group)
+
+
+
+ Zarafa address lists (Zarafa address list)
+
+
+
+ Hosts (Device + Zarafa + IP Address)
+
+
+
+ PyKota:
+
+ Account types:
+
+
+
+ Users (Personal + Unix + PyKota)
+
+
+
+ Groups (Unix + PyKota)
+
+
+
+ Printers (PyKota)
+
+
+
+ Billing codes (PyKota)
+
+
+
+
+
+ Users
+
+ LAM manages various types of user accounts. This includes address
+ book entries, Unix, Samba, Zarafa and much more.
+
+
+
+
+ Account list settings:
+
+ The user list includes two special options to change how your
+ users are displayed.
+
+
+
+
+
+
+
+
+
+ Translate GID number to group name: By
+ default the user list can show the primary group IDs (GIDs) of your
+ users. There are often cases where it is more suitable to show the group
+ name instead. This can be done by activating this option. Please note
+ that LAM will execute more LDAP queries which may result in decreased
+ performance.
+
+
+
+
+
+
+
+
+
+ Show account status: If you activate this
+ option then there will be an additional column displayed that shows if
+ the account is locked. You can see more details when moving the mouse
+ cursor over the lock icon. This function supports Unix, Samba, PPolicy,
+ Windows and 389ds locking+deactivation.
+
+
+
+
+
+
+
+
+
+
+
+
+ Password:
+
+ Click the "Set password" button to change the user's password(s).
+ Depending on the active account modules LAM will offer to change
+ multiple passwords at the same time.
+
+ If a module supports to enforce a password change then you will
+ see the appropriate checkbox. LAM Pro also offers to send the password
+ via email after the account is saved. Email options are specified in
+ your LAM server profile.
+
+
+
+
+
+
+
+
+
+
+
+
+ Quick account (un)locking:
+
+ When you edit an user then LAM supports to quickly lock/unlock the
+ whole account. This includes Unix, Samba and PPolicy. LAM can also
+ remove group memberships if an account is locked.
+
+ You will see the current status of all account parts in the title
+ area of the account.
+
+
+
+
+
+
+
+
+
+ If you click on the lock icon then a dialog will be opened to
+ change these values. Depending on which parts are locked LAM will
+ provide options to lock/unlock account parts.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Personal
+
+ This module is the most common basis for user accounts in LAM.
+ You can use it stand-alone to manage address book entries or in
+ combination with Unix, Samba or other modules.
+
+ The Personal module provides support for managing various
+ personal data of your users including mail addresses and telephone
+ numbers. You can also add photos of your users (please install PHP
+ Imagick/ImageMagick for full file format support). If you do
+ not need to manage all attributes then you can deactivate them in your
+ server profile.
+
+ Configuration
+
+ Please activate the module "Personal (inetOrgPerson)" for
+ users.
+
+
+
+
+
+
+
+
+
+ The module manages lots of fields. Probably, you will not need
+ all of them. You can hide fields in module settings.
+
+ In advanced options you may also set fields to read-only (for
+ existing accounts) and define limits for photo files. Additionally,
+ you can add an "ou=addressbook" subentry to each user in case you
+ manage user addressbooks.
+
+
+
+
+
+
+
+
+
+
+
+
+ User management
+
+
+
+
+
+
+
+
+
+ User certificates can be uploaded and downloaded. LAM will
+ automatically convert PEM to DER format.
+
+
+
+
+
+
+
+
+
+
+ LDAP attribute mappings
+
+
+
+
+ Attribute name
+
+ Name inside LAM
+
+
+
+
+
+ businessCategory
+
+ Business category
+
+
+
+ carLicense
+
+ Car license
+
+
+
+ cn/commonName
+
+ Common name
+
+
+
+ departmentNumber
+
+ Department(s)
+
+
+
+ description
+
+ Description
+
+
+
+ employeeNumber
+
+ Employee number
+
+
+
+ employeeType
+
+ Employee type
+
+
+
+ facsimileTelephoneNumber/fax
+
+ Fax number
+
+
+
+ givenName/gn
+
+ First name
+
+
+
+ homePhone
+
+ Home telephone number
+
+
+
+ initials
+
+ Initials
+
+
+
+ jpegPhoto
+
+ Photo
+
+
+
+ l
+
+ Location
+
+
+
+ labeledURI
+
+ Web site
+
+
+
+ mail/rfc822Mailbox
+
+ Email address
+
+
+
+ manager
+
+ Manager
+
+
+
+ mobile/mobileTelephoneNumber
+
+ Mobile number
+
+
+
+ organizationName/o
+
+ Organisation
+
+
+
+ ou
+
+ Organizational unit
+
+
+
+ pager
+
+ Pager number
+
+
+
+ physicalDeliveryOfficeName
+
+ Office name
+
+
+
+ postalAddress
+
+ Postal address
+
+
+
+ postalCode
+
+ Postal code
+
+
+
+ postOfficeBox
+
+ Post office box
+
+
+
+ registeredAddress
+
+ Registered address
+
+
+
+ roomNumber
+
+ Room number
+
+
+
+ sn/surname
+
+ Last name
+
+
+
+ st
+
+ State
+
+
+
+ street/streetAddress
+
+ Street
+
+
+
+ telephoneNumber
+
+ Telephone number
+
+
+
+ title
+
+ Job title
+
+
+
+ userCertificate
+
+ User certificates
+
+
+
+ uid/userid
+
+ User name
+
+
+
+ userPassword
+
+ Password
+
+
+
+
+
+ Wildcards
+
+ This module provides the following wildcards (others may be
+ provided by other modules):
+
+
+
+ $firstname: First name
+
+
+
+ $lastname: Last name
+
+
+
+ $user: User name
+
+
+
+ $commonname: Common name
+
+
+
+ $email: Email address
+
+
+
+ You can use them in the following input fields on user edit
+ screen:
+
+
+
+ Common name
+
+
+
+ Description
+
+
+
+ Mail
+
+
+
+ Postal address
+
+
+
+ Registered address
+
+
+
+ Web site
+
+
+
+ Use this when some of your data always follows the same schema.
+ E.g. using "$firstname $lastname" in common name field can be used
+ like this to get "First Last". You can set the wildcards in profile
+ editor so they are automatically applied for new users.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Unix
+
+ The Unix module manages Unix user accounts including group
+ memberships.
+
+ There are several configuration options for this module:
+
+
+
+ UID generator: LAM will suggest UID numbers for your
+ accounts. Please note that it may happen that there are duplicate
+ IDs assigned if users create accounts at the same time. Use an
+ overlay
+ like "Attribute Uniqueness" (example) if you have lots of
+ LAM admins creating accounts.
+
+
+
+ Fixed range: LAM searches for free numbers within the
+ given limits. LAM always tries to use a free UID that is
+ greater than the existing UIDs to prevent collisions with
+ deleted accounts.
+
+
+
+ Samba ID pool: This uses a special LDAP entry that
+ includes attributes that store a counter for the last used
+ UID/GID. Please note that this requires that you install the
+ Samba schema and create an LDAP entry of object class
+ "sambaUnixIdPool".
+
+
+
+ Magic number: Use this if your LDAP server assigns the
+ UID numbers automatically (e.g. DNA by 389 server). Enter the
+ server's magic number setting.
+
+
+
+
+
+ Password hash type: If possible use CRYPT-SHA512 or SSHA to
+ protect your user's passwords. The option SASL will set the
+ password to "{SASL}<user name>".
+
+
+
+ Login shells: List of valid login shells that can be
+ selected when editing an account.
+
+
+
+ Hidden options: Some input fields can be hidden to simplify
+ the GUI if you do not need them.
+
+
+
+ Set primary group as memberUid: By default primary group
+ membership is not set on group objects but only on user
+ (gidNumber). Activate this if you need to have the primary group
+ membership in group object, too.
+
+
+
+ Do not add object class: This is for Windows only. When the
+ checkbox is activated then the posixAccount object class will not
+ be added to a user.
+
+
+
+ User name suggestion: The user name is automatically filled
+ as specified in the configuration (default smiller for Steve
+ Miller). Of course, the suggested value can be changed any time.
+ Common name is also filled with first/last name by default.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Group memberships can be changed when clicking on "Edit groups".
+ Here you can select the Unix groups and group of names
+ memberships.
+
+ To enable "Group of names" please either add the groups module
+ "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of
+ names".
+
+
+
+
+
+
+
+
+
+ You can also create home directories for your users if you setup
+ lamdaemon. This allows you to
+ create the directories on the local or remote servers.
+
+ It is also possible to check the status of the user's home
+ directories. If needed the directories can be created or removed at
+ any time.
+
+
+
+
+
+
+
+
+
+ Wildcards
+
+ This module provides the following wildcards (others may be
+ provided by other modules):
+
+
+
+ $user: User name
+
+
+
+ $group: Groupe name (not numeric number)
+
+
+
+ You can use them in the following input fields on user edit
+ screen:
+
+
+
+ Common name
+
+
+
+ Gecos
+
+
+
+ Home directory
+
+
+
+ Use this when some of your data always follows the same schema.
+ E.g. using "/home/$user" in home directory field can be used like this
+ to get "/home/myuser". You can set the wildcards in profile editor so
+ they are automatically applied for new users.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Group of names and group of members (LAM Pro)
+
+ This module manages memberships in group of (unique) names and
+ also group of members.
+
+ Please note that this module cannot be used if the Unix module
+ is active. In this case group memberships may be managed with the Unix
+ module.
+
+ Configuration
+
+ To activate this feature please add the user module "Group of
+ names (groupOfNamesUser)" to your LAM server profile.
+
+
+
+
+
+
+
+
+
+ The module automatically detects if groups are based on
+ "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the
+ correct attribute.
+
+
+
+
+
+
+
+
+
+
+
+ Organizational roles (LAM Pro)
+
+ LAM can manage role memberships in organizationalRole objects. To
+ activate this feature please add the user module "Roles
+ (organizationalRoleUser)" to your LAM server profile.
+
+
+
+
+
+
+
+
+
+ User editing
+
+ Now, there will be a new tab "Roles" when you edit your user
+ accounts. Here you can select the role memberships.
+
+
+
+
+
+
+
+
+
+
+
+ Shadow
+
+ LAM supports the management of the LDAP substitution of
+ /etc/shadow. Here you can setup password policies for your Unix
+ accounts and also view the last password change of a user.
+
+
+
+
+
+
+
+
+
+
+
+ NIS net groups
+
+ Configuration
+
+ Please add the module "NIS net groups (nisNetGroupUser)" to the
+ list of active user modules.
+
+
+
+
+
+
+
+
+
+ User editing
+
+ You will now see a new tab when editing users. Here you can
+ assign memberships in NIS net groups and also set host/domain.
+
+
+
+
+
+
+
+
+
+
+
+ Password self reset (LAM
+ Pro)
+
+ LAM Pro allows your users to reset their passwords by answering
+ a security question. The reset link is displayed on the self service page. Additionally,
+ you can set question + answer in the admin interface.
+
+ Please note that self service and LAM admin interface are
+ separated functionalities. You need to specify the list of possible
+ security questions in both self service profile(s) and server
+ profile(s).
+
+ Schema installation
+
+ Please install the LDAP schema as described here.
+
+ Activate password self reset
+ module
+
+ Please activate the password self reset module in your LAM Pro
+ server profile.
+
+
+
+
+
+
+
+
+
+ Now select the tab "Module settings" and specify the list of
+ possible security questions. Only these questions will be selectable
+ when you later edit accounts unless you explicitly allow to enter
+ custom questions. LAM Pro supports to set up to three security
+ questions per user.
+
+ If you do not want to set backup email addresses then you can
+ hide this option.
+
+
+
+
+
+
+
+
+
+ Edit users
+
+ After everything is setup please login to LAM Pro and edit your
+ users. You will see a new tab called "Password self reset". Here you
+ can activate/remove the password self reset function for each user.
+ You can also change the security question and answer.
+
+ If you set a backup email address then confirmation emails will
+ also be sent to this address. This is useful if the user password
+ grants access to the user's primary mailbox. So passwords can be
+ unlocked with an external email address.
+
+ Hint: You can add the
+ passwordSelfReset object class to all your users with the multi edit tool.
+
+ Samba 4 note: Due to a bug in
+ Samba 4 you need to add the extension, save, and then select a
+ question and set the answer. If you add the extension, set
+ question/answer and then save all together this will cause an LDAP
+ error and no changes will be saved.
+
+
+
+
+
+
+
+
+
+
+
+ Hosts
+
+ You can specify a list of valid host names where the user may
+ login. If you add the value "*" then the user may login to any host.
+ This can be further restricted by adding explicit deny entries which
+ are prefixed with "!" (e.g. "!hr_server").
+
+ Please note that your PAM settings need to support host
+ restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled then the
+ account facility of pam_ldap will perform the checks and return an
+ error when no proper host attribute is present. Please note that users
+ without host attribute cannot login to such a configured
+ server.
+
+
+
+
+
+
+
+
+
+
+
+ Samba 3
+
+ LAM supports full Samba 3 user management including logon hours
+ and terminal server options.
+
+ The module is enabled by adding "Samba 3 (sambaSamAccount)" to
+ your user modules.
+
+
+
+
+
+
+
+
+
+ In the configuration options you can enable password history
+ checking. Depending on your LDAP server you might need ascending or
+ descending order. Just switch the setting if the password history is
+ not correctly updated.
+
+ In case you have no very old Windows clients (e.g. Windows 98)
+ it is recommended to disable LM hashes. They are considered to be
+ insecure.
+
+ You can also hide some input fields if you do not need
+ them.
+
+
+
+
+
+
+
+
+
+ After configuring the module you will see the Samba 3 tab when
+ you edit a user.
+
+
+
+
+
+
+
+
+
+ Logon hours can be changed.
+
+
+
+
+
+
+
+
+
+ You can also setup terminal server settings.
+
+
+
+
+
+
+
+
+
+
+
+ Windows (Samba 4)
+
+ Please activate the account type "Users" in your LAM server
+ profile and then add the user module "Windows
+ (windowsUser)(*)".
+
+
+
+
+
+
+
+
+
+ The default list attributes are for Unix and not suitable for
+ Windows (blank lines in account table). Please use
+ "#cn;#givenName;#sn;#mail" or select your own attributes to display in
+ the account list.
+
+
+
+
+
+
+
+
+
+ On tab "Module settings" you can specify the possible Windows
+ domain names and if pre-Windows 2000 user names should be
+ managed.
+
+ NIS support is deactivated by default. Enable it if
+ needed.
+
+
+
+
+
+
+
+
+
+ Now you can manage your Windows users and e.g. assign groups.
+ You might want to set the default domain name in the profile editor.
+
+ Attention:
+
+
+
+ Password changes require a secure connection via ldaps://.
+ Check your LAM server profile if password changes are refused by
+ the server.
+
+
+
+ Your server must run a 64bit operating system. Otherwise,
+ the module might not work.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Wildcards
+
+ This module provides the following wildcards (others may be
+ provided by other modules):
+
+
+
+ $firstname: First name
+
+
+
+ $lastname: Last name
+
+
+
+ $user: User name
+
+
+
+ $commonname: Common name
+
+
+
+ $email: Email address
+
+
+
+ You can use them in the following input fields on user edit
+ screen:
+
+
+
+ Common name
+
+
+
+ Display name
+
+
+
+ Email
+
+
+
+ Email alias
+
+
+
+ Home directory
+
+
+
+ Profile path
+
+
+
+ Script path
+
+
+
+ Use this when some of your data always follows the same schema.
+ E.g. using "$firstname $lastname" in common name field can be used
+ like this to get "First Last". You can set the wildcards in profile
+ editor so they are automatically applied for new users.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Filesystem quota (lamdaemon)
+
+ You can manage file system quotas with LAM. This requires to
+ setup lamdaemon. LAM connects to
+ your server via SSH and manages the disk filesystem quotas. The quotas
+ are stored directly on the filesystem. This is the default mechanism
+ to store quotas for most systems.
+
+ Please add the module "Quota (quota)" for users to your LAM
+ server profile to enable this feature.
+
+ If you store the quota information directly inside LDAP please
+ see the next section.
+
+
+
+
+
+
+
+
+
+
+
+ Filesystem quota (LDAP)
+
+ You can store your filesystem quotas directly in LDAP. See
+ Linux
+ DiskQuota for details since it requires quota tools that
+ support LDAP. You will need to install the quota LDAP schema to manage
+ the object class "systemQuotas".
+
+ Please add the module "Quota (systemQuotas)" for users to your
+ LAM server profile to enable this feature.
+
+ If you store the quota information on the filesystem please see
+ the previous section.
+
+
+
+
+
+
+
+
+
+
+
+ Kolab
+
+ This module supports to manage Kolab accounts with LAM. E.g. you
+ can set the user's mail quota and define invitation policies.
+
+ Please add the Kolab user module in your LAM server profile to
+ activate Kolab support.
+
+
+
+
+
+
+
+
+
+ Attention: LAM will add the object class "mailrecipient" by
+ default. This object class is available on 389 directory server but
+ may not be present on e.g. OpenLDAP. Please deactivate the following
+ setting (LAM server profile, module settings) if you do not use this
+ object class.
+
+
+
+
+
+
+
+
+
+ Please enter an email address at the Personal page and set a
+ Unix password first. Both are required that Kolab accepts the
+ accounts. The email address ("Personal" page) must match your Kolab
+ domain, otherwise the account will not work.
+
+ Attention: The mailbox server
+ cannot be changed after the account has been saved. Please make sure
+ that the value is correct.
+
+ Kolab users should not be directly deleted with LAM. You can
+ mark an account for deletion which then is done by the Kolab server
+ itself. This makes sure that the mailbox etc. is also deleted.
+
+
+
+
+
+
+
+
+
+ If you upgrade existing non-Kolab accounts please make sure that
+ the account has an Unix password.
+
+
+
+ Asterisk
+
+ LAM supports Asterisk accounts, too. See the Asterisk section for details.
+
+
+
+ EDU person
+
+ EDU person accounts are mainly used in university networks. You
+ can specify the principal name, nick names and much more.
+
+
+
+
+
+
+
+
+
+
+
+ PyKota
+
+ There are two LAM user modules depending if your user entries
+ should be built on object class "pykotaObject" or a different
+ structural object class (e.g. "inetOrgPerson"). For "pykotaObject"
+ please select "PyKota (pykotaUserStructural(*))" and "PyKota
+ (pykotaUser)" in all other cases.
+
+
+
+
+
+
+
+
+
+ To display the job history please setup the job DN on tab
+ "Module settings":
+
+
+
+
+
+
+
+
+
+ Now you can add the PyKota extension to your user accounts. Here
+ you can setup the printing options and add payments for this
+ user.
+
+ For LAM Pro there are also self service fields to allow users
+ e.g. to view their current balance and job history.
+
+
+
+
+
+
+
+
+
+ You may also view the payment and job history.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Password policy (LAM Pro)
+
+ OpenLDAP supports the ppolicy overlay
+ to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to
+ user accounts.
+
+ Please add the account type "Password policies" to your LAM
+ server profile and activate the "Password policy" module for the user
+ type.
+
+
+
+
+
+
+
+
+
+ You can select the password policy and force a password change
+ on next login. Accounts can also be (un)locked.
+
+
+
+
+
+
+
+
+
+ You can assign any password policy which is found in the LDAP
+ suffix of the "Password policies" type. When you set the policy to
+ "default" then OpenLDAP will use the default policy as defined in your
+ slapd.conf file.
+
+ Attention: Locking and
+ unlocking requires that you also activate the option "Lockout users"
+ in the assigned password policy.
+ Otherwise, it will have no effect.
+
+
+
+ Account locking for 389ds (LAM Pro)
+
+ This module allows you to display if users are locked by 389ds
+ server. You can (de)activate your users. The password expiration time
+ can also be managed.
+
+ Requirements: 389ds LDAP server
+
+ Configuration
+
+ Please add the user module "Account locking
+ (locking389ds)".
+
+
+
+
+
+
+
+
+
+ This will show the password expiration time. You can edit the
+ value if needed.
+
+ If there are any failed login attempts then LAM displays their
+ number and till when the user is locked by the system.
+
+ The limit of failed login attempts and lockout duration is
+ configured on your LDAP server and not within LAM.
+
+
+
+
+
+
+
+
+
+ You can unlock the user by clicking on the lock icon.
+
+ Here you can also (de)activate the account.
+
+ Note: Accounts are only locked by the LDAP server due to failed
+ password attempts. You cannot manually lock an account. Deactivate it
+ in case you want to disable login for a user.
+
+
+
+
+
+
+
+
+
+
+
+ FreeRadius
+
+ FreeRadius is a software that implements the RADIUS
+ authentication protocol. LAM allows you to mange several of the
+ FreeRadius attributes.
+
+ To activate the FreeRadius plugin please activate the FreeRadius
+ user module in your server profile:
+
+
+
+
+
+
+
+
+
+ You can disable unneeded fields on the tab "Module settings".
+ Here you can also set the DN where your Radius profile templates are
+ stored if you use the option "Profile".
+
+
+
+
+
+
+
+
+
+ Now you will see the tab "FreeRadius" when editing users. The
+ extension can be (de)activated for each user. You can setup e.g.
+ realm, IP and expiration date.
+
+
+
+
+
+
+
+
+
+
+
+ Heimdal Kerberos (LAM Pro)
+
+ You can manage your Heimdal Kerberos accounts with LAM Pro.
+ Please add the user module "Kerberos (heimdalKerberos)" to activate
+ this feature.
+
+ Setup password changing
+
+ LAM Pro cannot generate the password hashes itself because
+ Heimdal uses a propietary format for them. Therefore, LAM Pro needs to
+ call e.g. kadmin to set the password.
+
+ The wildcards @@password@@ and @@principal@@ are replaced with
+ password and principal name. Please use keytab authentication for this
+ command since it must run without any interaction.
+
+ Example to create a keytab: ktutil -k /root/lam.keytab add -p
+ lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1
+
+ Security hint: Please secure your LAM Pro server since the new
+ passwords will be visible for a short term in the process list during
+ password change.
+
+
+
+
+
+
+
+
+
+ User management
+
+ You can specify the principal/user name, ticket lifetimes and
+ expiration dates. Additionally, you can set various account
+ options.
+
+
+
+
+
+
+
+
+
+
+
+ MIT Kerberos (LAM Pro)
+
+ You can manage your MIT Kerberos accounts with LAM Pro. Please
+ add the user module "Kerberos (mitKerberos)" to activate this feature.
+ If you want to manage entries based on the structural object class
+ "krbPrincipal" please use "Kerberos (mitKerberosStructural)"
+ instead.
+
+ Setup password changing
+
+ LAM Pro cannot generate the password hashes itself because MIT
+ uses a propietary format for them. Therefore, LAM Pro needs to call
+ kadmin/kadmin.local to set the password.
+
+ LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to
+ set the password. Please use keytab authentication for this command
+ since it must run without any interaction.
+
+ Keytabs may be created with the "ktutil" application.
+
+ Security hint: Please secure your LAM Pro server since the new
+ passwords will be visible for a short term in the process list during
+ password change.
+
+ Example commands:
+
+
+
+ /usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p
+ realm/changepwd
+
+
+
+ sudo /usr/sbin/kadmin.local
+
+
+
+
+
+
+
+
+
+
+
+ User management
+
+ You can specify the principal/user name, ticket lifetimes and
+ expiration dates. Additionally, you can set various account
+ options.
+
+
+
+
+
+
+
+
+
+
+
+ Mail aliases
+
+ This module allows to add/remove the user in mail alias
+ entries.
+
+ Note: You need to activate the
+ mail alias type for this
+ module.
+
+ To activate mail aliases for users please select the module
+ "Mail aliases (nisMailAliasUser)":
+
+
+
+
+
+
+
+
+
+ On tab Module settings you can select if you want to set the
+ user name or email as recipient in alias entries.
+
+
+
+
+
+
+
+
+
+ Now you will see the mail aliases tab when editing an
+ user.
+
+ The red cross will only remove the user from the alias entry. If
+ you click the trash can button then the whole alias entry (which may
+ contain other users) will be deleted.
+
+
+
+
+
+
+
+
+
+ You can add the user to existing alias entries or create
+ completly new ones.
+
+
+
+
+
+
+
+
+
+
+
+ Qmail (LAM Pro)
+
+ LAM Pro manages all qmail attributes for users. This includes
+ mail addresses, ID numbers and quota settings.
+
+ Please note that the main mail address is managed on tab
+ "Personal" if this module is active. Otherwise, it will be on the
+ qmail tab.
+
+
+
+
+
+
+
+
+
+ You can hide several qmail options if you do not want to manage
+ them with LAM. This can be done on the module settings tab of your LAM
+ server profile.
+
+
+
+
+
+
+
+
+
+
+
+ Mail routing
+
+ LAM supports to manage mail routing for user accounts.
+
+ Module activation:
+
+ This feature can be activated by adding the "Mail routing"
+ module to the user account type in your server profile.
+
+
+
+
+
+
+
+
+
+ Usage:
+
+ You can specify a routing address, the mail server and a number
+ of local addresses to route.
+
+ In case you want to add this extension by default for new users
+ there is an option in profile editor.
+
+
+
+
+
+
+
+
+
+
+
+ SSH keys
+
+ You can manage your public keys for SSH in LAM if you installed
+ the LPK patch for
+ SSH. Activate the "SSH public key" module for users in the
+ server profile and you can add keys to your user entries.
+
+
+
+
+
+
+
+
+
+
+
+ Authorized services
+
+ You can setup PAM to check if a user is allowed to run a
+ specific service (e.g. sshd) by reading the LDAP attribute
+ "authorizedService". This way you can manage all allowed services via
+ LAM.
+
+
+
+ To activate this PAM feature please setup your /etc/libnss-ldap.conf and set
+ "pam_check_service_attr" to "yes".
+
+
+
+ Inside LAM you can now set the allowed services. You may also
+ setup default services in your account profiles.
+
+
+
+
+
+
+
+
+
+ You can define a list of services in your LAM server profile
+ that is used for autocompletion.
+
+
+
+
+
+
+
+
+
+ The autocompletion will show all values that contains the
+ entered text. To display the whole list you can press backspace in the
+ empty input field. Of course, you can also insert a service name that
+ is not in the list.
+
+
+
+
+
+
+
+
+
+
+
+ IMAP mailboxes
+
+ LAM may create and delete mailboxes on an IMAP server for your
+ user accounts. You will need an IMAP server that supports either SSL
+ or TLS for this feature.
+
+ To activate the mailbox management module please add the
+ "Mailbox (imapAccess)" module for the type user in your LAM server
+ profile:
+
+
+
+
+
+
+
+
+
+ Now configure the module on the tab "Module settings". Here you
+ can specify the IMAP server name, encryption options, the
+ authentication for the IMAP connection and the valid mail domains. LAM
+ can use either your LAM login password for the IMAP connection or
+ display a dialog where you need to enter the password. It is also
+ possible to store the admin password in your server profile. This is
+ not recommended for security reasons.
+
+ The user name can either be a fixed name (e.g. "admin") or it
+ can be generated with LDAP attributes of the LAM admn user. E.g. $uid$
+ will be transformed to "myUser" if you login with
+ "uid=myUser,ou=people,dc=example,dc=com".
+
+ The mail domains specify for which accounts mailboxes may be
+ created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can
+ be managed for "user@lam-demo.org" but not for "user@example.com". Use
+ "*" for any domain.
+
+ You need to install the SSL certificate of the CA that signed
+ your server certificate. This is usually done by installing the
+ certificate in /etc/ssl/certs. Different Linux distributions may offer
+ different ways to do this. For Debian please copy the certificate in
+ "/usr/local/share/ca-certificates" and run "update-ca-certificates" as
+ root.
+
+ It is not recommended to disable the validation of IMAP server
+ certificates.
+
+ The prefix, user name attribute and path separator specifies how
+ your mailboxes are named (e.g. "user.myUser@localhost" or
+ "user/myUser"). Select the values depending on your IMAP server
+ settings.
+
+ You can specify a list of initial folder names to create for new
+ mailboxes. LAM will then create them with each new mailbox.
+
+
+
+
+
+
+
+
+
+ When you edit an user account then you will now see the tab
+ "Mailbox". Here you can create/delete the mailbox for this
+ user.
+
+
+
+
+
+
+
+
+
+
+
+ IP addresses (LAM Pro)
+
+ You can manage the IP addresses of user accounts (e.g. assigned
+ by DHCP) with the ipHost module.
+
+ Configuration
+
+
+
+
+
+
+
+
+
+ User editing
+
+
+
+
+
+
+
+
+
+
+
+ Account
+
+ This is a very simple module to manage accounts based on the
+ object class "account". Usually, this is used for host accounts only.
+ Please pay attention that users based on the "account" object class
+ cannot have contact information (e.g. telephone number) as with
+ "inetOrgPerson".
+
+ You can enter a user/host name and a description for your
+ accounts.
+
+
+
+
+
+
+
+
+
+
+
+
+ Groups
+
+
+
+
+ Unix
+
+ This module is used to manage Unix group entries. This is the
+ default module to manage Unix groups and uses the nis.schema. Suse
+ users who use the rfc2307bis.schema need to use
+ LAM Pro.
+
+ Configuration
+
+ Please add the account type "Groups" and then select account
+ module "Unix (posixGroup)".
+
+
+
+
+
+
+
+
+
+ GID generator: LAM will suggest GID numbers for your accounts.
+ Please note that it may happen that there are duplicate IDs assigned
+ if users create groups at the same time. Use an overlay
+ like "Attribute Uniqueness" (example) if you have lots of LAM
+ admins creating groups.
+
+
+
+ Fixed range: LAM searches for free numbers within the given
+ limits. LAM always tries to use a free GID that is greater than
+ the existing GIDs to prevent collisions with deleted
+ groups.
+
+
+
+ Samba ID pool: This uses a special LDAP entry that includes
+ attributes that store a counter for the last used UID/GID. Please
+ note that this requires that you install the Samba schema and
+ create an LDAP entry of object class "sambaUnixIdPool".
+
+
+
+ Magic number: Use this if your LDAP server assigns the GID
+ numbers automatically (e.g. DNA by 389 server). Enter the server's
+ magic number setting.
+
+
+
+ Disable membership management: Disables group membership
+ management. This is useful if memberships are e.g. managed via group
+ of names.
+
+
+
+
+
+
+
+
+
+ Group management:
+
+
+
+
+
+
+
+
+
+ Group membership management:
+
+
+
+
+
+
+
+
+
+
+
+ Unix groups with rfc2307bis schema (LAM Pro)
+
+ Some applications (e.g. Suse Linux) use the rfc2307bis schema
+ for Unix accounts instead of the nis schema. In this case group
+ accounts are based on the object class groupOf(Unique)Names or namedObject.
+ The object class posixGroup is auxiliary in this case.
+
+ LAM Pro supports these groups with a special account module:
+ rfc2307bisPosixGroup
+
+ Use this module only if your system depends on the rfc2307bis
+ schema. The module can be selected in the LAM configuration. Instead
+ of using groupOfNames as basis for your groups you may also use
+ namedObject.
+
+ Module activation:
+
+
+
+
+
+
+
+
+
+ GID generator: LAM will suggest GID numbers for your accounts.
+ Please note that it may happen that there are duplicate IDs assigned
+ if users create groups at the same time. Use an overlay
+ like "Attribute Uniqueness" (example) if you have lots of LAM
+ admins creating groups.
+
+
+
+ Fixed range: LAM searches for free numbers within the given
+ limits. LAM always tries to use a free GID that is greater than
+ the existing GIDs to prevent collisions with deleted
+ groups.
+
+
+
+ Samba ID pool: This uses a special LDAP entry that includes
+ attributes that store a counter for the last used UID/GID. Please
+ note that this requires that you install the Samba schema and
+ create an LDAP entry of object class "sambaUnixIdPool".
+
+
+
+ Magic number: Use this if your LDAP server assigns the GID
+ numbers automatically (e.g. DNA by 389 server). Enter the server's
+ magic number setting.
+
+
+
+ Disable membership management: Disables group membership
+ management. This is useful if memberships are e.g. managed via group
+ of names.
+
+ Force sync with group of names: This will automatically set the
+ group memberships of the Unix part to the same members as set on group
+ of names tab.
+
+
+
+
+
+
+
+
+
+ The GID number will be filled automatically based on the server
+ profile configuration.
+
+
+
+
+
+
+
+
+
+ Group members can be edited and also synced with Group of
+ (unique) names.
+
+
+
+
+
+
+
+
+
+
+
+ Samba 3
+
+ LAM supports managing Samba 3 groups. You can set special group
+ types and also create Windows predefined groups like "Domain
+ admins".
+
+ Module activation:
+
+
+
+
+
+
+
+
+
+ Group editing:
+
+
+
+
+
+
+
+
+
+
+
+ Windows (Samba 4)
+
+ LAM can manage your Windows groups. Please enable the account
+ type "Groups" in your LAM server profile and then add the group module
+ "Windows (windowsGroup)(*)".
+
+
+
+
+
+
+
+
+
+ The default list attributes are for Unix and not suitable for
+ Windows (blank lines in account table). Please use
+ "#cn;#member;#description" or select your own attributes to display in
+ the account list.
+
+
+
+
+
+
+
+
+
+ NIS support is deactivated by default. Enable it if needed on
+ tab "Module settings".
+
+
+
+
+
+
+
+
+
+ Now you can edit your groups inside LAM. You can manage the
+ group name, description and its type. Of course, you can also set the
+ group members.
+
+ Group scopes:
+
+
+
+ Global: Use this for groups with frequent changes. Global
+ groups are not replicated to other domains.
+
+
+
+ Universal: Groups with universal scope are used to
+ consolidate groups that span domains. They are globally
+ replicated.
+
+
+
+ Domain local: Groups with domain local scope can be used to
+ set permissions inside one domain. They are not replicated to
+ other domains.
+
+
+
+ Group type:
+
+
+
+ Security: Use this group type to control permissions.
+
+
+
+ Distribution: These groups are only used for email
+ applications. They cannot be used to control permissions.
+
+
+
+ With "Show effective members" you can show a list of all members
+ of this group including members of subgroups and their
+ subgroups.
+
+
+
+
+
+
+
+
+
+
+
+ Kolab
+
+ Please activate the Kolab group module in your LAM server
+ profile to activate Kolab support.
+
+
+
+
+
+
+
+
+
+ You can specify the email address and also set allowed sender
+ and recipient addresses.
+
+
+
+
+
+
+
+
+
+
+
+ Mail routing
+
+ LAM supports to manage mail routing for group accounts.
+
+ Module activation:
+
+ This feature can be activated by adding the "Mail routing"
+ module to the group account type in your server profile.
+
+
+
+
+
+
+
+
+
+ Usage:
+
+ You can specify a routing address, the mail server and a number
+ of local addresses to route.
+
+ In case you want to add this extension by default for new groups
+ there is an option in profile editor.
+
+
+
+
+
+
+
+
+
+
+
+ Quota
+
+ You can manage file system quotas with LAM. This requires to
+ setup lamdaemon. File system quotas
+ are not stored inside LAM but managed directly on the specified
+ servers.
+
+
+
+
+
+
+
+
+
+
+
+ PyKota
+
+ There are two LAM group modules depending if your group entries
+ should be built on object class "pykotaObject" or a different
+ structural object class (e.g. "posixGroup"). For "pykotaObject" please
+ select "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)"
+ in all other cases.
+
+
+
+
+
+
+
+
+
+ Now you can add the PyKota extension to your groups.
+
+
+
+
+
+
+
+
+
+
+
+
+ Hosts
+
+
+ Account
+
+ Please see the description here.
+
+
+
+ Device (LAM Pro)
+
+ The device object class allows to manage general information
+ about all sorts of devices (e.g. computers, network hardware, ...).
+ You can enter the serial number, location and a describing text. It is
+ also possible to specify the owner of the device.
+
+
+
+
+
+
+
+
+
+
+
+ Samba 3
+
+ You can manage Samba 3 host entries by adding the Unix and Samba
+ 3 account modules.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Windows (Samba 4)
+
+ LAM can manage your Windows servers and workstations. Please
+ enable the account type "Hosts" in your LAM server profile and then
+ add the host module "Windows (windowsHost)(*)".
+
+
+
+
+
+
+
+
+
+ The default list attributes are for Unix and not suitable for
+ Windows (blank lines in account table). Please use
+ "#cn;#description;#location" or select your own attributes to display
+ in the account list.
+
+
+
+
+
+
+
+
+
+ Now you will see you computer accounts inside LAM. You can set
+ e.g. the server's description and location information.
+
+
+
+
+
+
+
+
+
+
+
+ IP addresses (LAM Pro)
+
+ You can manage the IP addresses of host accounts with the ipHost
+ module. It manages the following information:
+
+
+
+ IP addresses (IPv4/IPv6)
+
+
+
+ location of the host
+
+
+
+ manager: the person who is responsible for the host
+
+
+
+ You can activate this extension by adding the module ipHost to
+ the list of active host modules.
+
+
+
+
+
+
+
+
+
+
+
+ MAC addresses
+
+ Hosts can have an unlimited number of MAC addresses. To enable
+ this feature just add the "MAC address" module to the host account
+ type.
+
+
+
+
+
+
+
+
+
+
+
+ Puppet
+
+ LAM supports to manage your Puppet configuration. You can
+ edit all attributes like environment, classes, variables and parent
+ node.
+
+ Configuration
+
+ To activate this feature please edit your LAM server profile and
+ add the host module "Puppet (puppetClient)" on tab "Modules". This
+ will add the Puppet tab to your host pages.
+
+
+
+
+
+
+
+
+
+ On tab "Module settings" in your LAM server profile you may also
+ setup some common environment names. LAM will use them to provide
+ autocompletion hints when editing the environment for a node.
+
+ If you enter any value in "Enforce classes" then LAM will only
+ accept this list of classes.
+
+
+
+
+
+
+
+
+
+ Editing nodes
+
+ When you edit a host entry then you will see the tab "Puppet".
+ Here you can add/remove the Puppet extension and edit all
+ attributes.
+
+
+
+
+
+
+
+
+
+
+
+ NIS net groups
+
+ NIS netgroups can be used to e.g. restrict SSH access to your
+ machines.
+
+ Configuration
+
+ Please add the module "NIS net groups (nisNetGroupHost)" to the
+ list of active host modules.
+
+
+
+
+
+
+
+
+
+ Host editing
+
+ You will now see a new tab when editing hosts. Here you can
+ assign memberships in NIS net groups and also set user/domain.
+
+
+
+
+
+
+
+
+
+
+
+
+ Samba 3 domains
+
+ Samba 3 stores information about its domain settings inside LDAP.
+ This includes the domain name, its SID and some policies. You can manage
+ all these attributes with LAM.
+
+ Please activate the account type "Samba domains" in your LAM
+ server profile. Please notice that Samba by default uses the LDAP root
+ for domain objects (e.g. dc=example,dc=com).
+
+
+
+
+
+
+
+
+
+ This will add a new tab to LAM where you can manage domain
+ information.
+
+ The domain name, SID and RID base can only be specified for new
+ domains and are not changeable via LAM at a later time. You may setup
+ several password policies for your Samba domains and also some RID
+ options that influence the creation of SIDs for
+ users/groups/hosts.
+
+
+
+
+
+
+
+
+
+
+
+ Group of (unique) names and group of members (LAM Pro)
+
+ These classes can be used to represent group relations. Since they
+ allow DNs as members you can also use them to represent nested
+ groups.
+
+ Configuration:
+
+ Activate the account type "Group of names" in your LAM server
+ profile to use these account modules. Alternatively, you can use the
+ account type "Groups".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Then add the module "Group of names (groupOfNames)", "Group of
+ unique names (groupOfUniqueNames)" or "Group of members
+ (groupOfMembers)".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ On the module settings tab you set some options like the display
+ format for members/owners and if fields like description should not be
+ displayed.
+
+
+
+
+
+
+
+
+
+ Group management:
+
+ Group of (unique) names have four basic attributes:
+
+
+
+ Name: a unique name for the group
+
+
+
+ Description: optional description
+
+
+
+ Owner: the account which owns this group (optional)
+
+
+
+ Members: the members of the group (at least one is
+ required)
+
+
+
+ You can add any accounts as members. This includes other groups
+ which leads to nested groups.
+
+ To show members of nested groups click on "Show effective
+ members". Please note that for large groups this will run lots of
+ queries against your LDAP server.
+
+
+
+
+
+
+
+
+
+
+
+ Organizational roles (LAM Pro)
+
+ This module manages roles via the organizationalRole object class.
+ There is also a user
+ module to manage memberships on the user edit page.
+
+ Configuration:
+
+ Activate the account type "Groups" in your LAM server profile to
+ use this account module. Alternatively, you can use the account type
+ "Group of names".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Then add the module "Role (organizationalRole)".
+
+
+
+
+
+
+
+
+
+ On the module settings tab you set some options like the display
+ format for members and if description should not be displayed.
+
+
+
+
+
+
+
+
+
+ Role management:
+
+ You can add any accounts as members. This includes other roles
+ which leads to nested roles (needs to be supported by LDAP client
+ applications).
+
+ To show members of nested roles click on "Show effective members".
+ Please note that for large roles this will run lots of queries against
+ your LDAP server.
+
+
+
+
+
+
+
+
+
+
+
+ Asterisk
+
+ LAM includes large support for Asterisk. You can add Asterisk
+ extensions (including voicemail) to your users and also manage Asterisk
+ extensions.
+
+ The Asterisk support for users can be added by selecting the
+ Asterisk and Asterisk voicemail modules for users in your LAM server
+ profile. This will add the following tabs to your user accounts.
+
+
+
+
+
+
+
+
+
+ The Asterisk module allows to edit a large amount of attributes.
+ Therefore, you can hide unused fields. Please edit you server profile
+ (Module settings) to do so.
+
+
+
+
+
+
+
+
+
+ Of course, the voicemail part of Asterisk is also
+ supported.
+
+
+
+
+
+
+
+
+
+ If you also want to manage Asterisk extensions then simply add the
+ account type "Asterisk extensions" and its module to your server
+ profile.
+
+ LAM groups your Asterisk extension entries by extension name and
+ account context. If you edit an extension then you will see the Asterisk
+ entries as rules. LAM manages that all rule entries have the same owners
+ and assigns the priorities.
+
+
+
+
+
+
+
+
+
+
+
+ Zarafa (LAM Pro)
+
+ Zarafa is an OpenSource collaboration software. LAM Pro provides
+ support to manage Zarafa server entries, users and groups. It covers all
+ settings for these types including resource and quota settings.
+
+ LAM Pro is an official Zarafa Certified Integration.
+
+
+
+
+
+
+
+
+ Configuration
+
+ To enable Zarafa support in LAM Pro please activate the Zarafa
+ modules for the Users, Groups and Hosts account types in you server
+ profile:
+
+
+
+
+
+
+
+
+
+ Attention: LAM Pro uses the
+ Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP,
+ OpenDJ, Apache Directory server and other common LDAP servers. If you
+ run Samba 4 or Active Directory then you need to switch the schema to
+ "Active Directory" on the module settings tab:
+
+
+
+
+
+
+
+
+
+ You can configure which parts of the Zarafa user options should
+ be enabled. E.g. if you do not want to manage quotas per user then you
+ can hide these options on the tab "Module settings".
+
+
+
+
+ "Send as" attribute: Here you
+ can specify how "Send as" privileges should be managed. LAM supports
+ "uid" and "dn".
+
+ If you select "uid" the LAM will store user names in the
+ zarafaSendAsPrivilege attribute. This way you are restricted to
+ specify user accounts as "Send as" allowed.
+
+ You can also set this option to "dn" and LAM will store DNs in
+ the zarafaSendAsPrivilege attribute. In this case you may specify
+ users and groups as "Send as" allowed.
+
+
+
+
+ Examples for your Zarafa ldap.cfg:
+
+ "Send as" attribute: dn
+
+ ldap_user_sendas_attribute_type = dn
+
+
+
+
+ "Send as" attribute: uid
+
+ ldap_user_sendas_attribute_type = text
+
+ ldap_user_sendas_relation_attribute = uid
+
+
+Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting.
+
+
+
+
+ Features: Zarafa 7 allows to
+ enable IMAP/POP3 for each user. Please hide the option "Features" if
+ you use Zarafa 6.x.
+
+
+
+
+
+
+
+
+
+
+ Users
+
+ This is an example of the user edit page with all possible
+ settings. This includes email settings, quotas and some options
+ (e.g. hide from address book). You can also set the resource type
+ and capacity for meeting rooms and equipment. The Zarafa extension
+ can be added and removed at any time for every user.
+
+ Please note that the option "Features" requires Zarafa 7.
+ Please hide this option in the LAM server profile if you run Zarafa
+ 6.x.
+
+
+
+
+
+
+
+
+
+
+
+ Contacts
+
+ LAM Pro can manage your Zarafa contact entries. You can set
+ the email aliases and "send as" privileges. Additionally, accounts
+ may be hidden in the address book or disabled.
+
+ Please note that you can either use the Zarafa user module or
+ Zarafa contact. LAM Pro will disable the other tab when enabling one
+ of them.
+
+
+
+
+
+
+
+
+
+
+
+ Groups
+
+ This is the edit page for groups. You can enter an email
+ address and additional aliases for your groups. It is also possible
+ to specify options (e.g. hide from address book). The extension can
+ be added/removed dynamically.
+
+ Please note that the option "Send-as privileges" requires the
+ Zarafa 7.0.3 schema. Please hide this option in the LAM server
+ profile if you run Zarafa < 7.0.3.
+
+
+
+
+
+
+
+
+
+
+
+ Servers
+
+ The Zarafa extension for host accounts allows to set the
+ connection ports and file path. You can add/remove the extension at
+ any time.
+
+ Setting the public store option is only possible for new host
+ entries.
+
+ Please note that the proxy URL option requires the Zarafa 7.1
+ schema. Please hide this option in your LAM server profile if you
+ use an older version.
+
+
+
+
+
+
+
+
+
+
+
+ Address lists
+
+ Zarafa allows to store address lists in LDAP. You need to
+ define a search base and LDAP filter for each address list. E.g.
+ entering "ou=people,dc=company,dc=com" as base and "uid=*" will
+ select all users that are stored in
+ "ou=people,dc=company,dc=com".
+
+ You can also hide your lists from the address book or
+ temporarily disable them.
+
+
+
+
+
+
+
+
+
+
+
+ Dynamic groups
+
+ Zarafa allows to define dynamic groups in LDAP. You need to
+ define a search base and LDAP filter for each group. E.g. entering
+ "ou=people,dc=company,dc=com" as base and "uid=*" will select all
+ users that are stored in "ou=people,dc=company,dc=com".
+
+ Dynamic groups may have an email address and multiple email
+ alias addresses.
+
+ You can also hide your dynamic groups from the address book or
+ temporarily disable them.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Kolab shared folders
+
+ Please add the account type "Kolab shared folders" in your LAM
+ server profile and set the correct LDAP suffix.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Then add the "Kolab shared folder" module on tab "Modules".
+
+
+
+
+
+
+
+
+
+ Now you can start to add shared folders inside LAM.
+
+
+
+
+
+
+
+
+
+
+
+ DHCP
+
+ You can mange your DHCP server with LAM. It supports to manage
+ subnets, fixed IP entries, IP ranges and DDNS.
+
+ Configuration
+
+ The DHCP management can be activated by adding the account type
+ DHCP to your server profile. Please also add the DHCP modules.
+
+ LAM requires that you use an LDAP entry with the object class
+ "dhcpService" or "dhcpServer" as suffix for this account type. If the
+ "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN"
+ then you need to use the DN of the "dhcpService" entry as LDAP suffix
+ for DHCP.
+
+
+
+
+ Add account type:
+
+
+
+
+
+
+
+
+
+ Set suffix:
+
+
+
+
+
+
+
+
+
+ Add modules:
+
+
+
+
+
+
+
+
+
+ Example server
+ entry:
+
+ dn:
+ cn=server,ou=dhcp,dc=ldap-account-manager,dc=org
+
+ objectclass: dhcpServer
+
+ objectclass: dhcpOptions
+
+ objectclass: top
+
+ cn: server
+
+ dhcpcomments: My DHCP server
+
+ dhcpoption: domain-name
+ "ldap-account-manager.org"
+
+ dhcpoption: domain-name-servers 192.168.1.1
+
+ dhcpoption: routers 192.168.1.1
+
+ dhcpoption: netbios-name-servers 192.168.1.1
+
+ dhcpoption: subnet-mask 255.255.255.0
+
+ dhcpoption: netbios-node-type 8
+
+ dhcpstatements: default-lease-time 3600
+
+ dhcpstatements: max-lease-time 7200
+
+ dhcpstatements: include "mykey"
+
+ dhcpstatements: ddns-update-style interim
+
+ dhcpstatements: update-static-leases true
+
+ dhcpstatements: ignore client-updates
+
+
+
+
+ Example settings for
+ dhcpd.conf:
+
+ ddns-update-style none;
+
+ deny unknown-clients;
+
+ ldap-server "server";
+
+ ldap-dhcp-server-cn "server";
+
+ ldap-port 389;
+
+ ldap-username
+ "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org";
+
+ ldap-password "{SSHA}XXXXXXXXXXXX";
+
+ ldap-base-dn
+ "ou=dhcp,dc=ldap-account-manager,dc=org";
+
+ ldap-method dynamic;
+
+ ldap-debug-file
+ "/var/log/dhcp-ldap-startup.log";
+
+
+
+
+
+
+ slapd.conf changes:
+
+ include /etc/ldap/schema/dhcp.schema
+
+ index dhcpHWAddress eq
+
+ index dhcpClassData eq
+Run slapindex to rebuild the index.
+
+
+
+ You can manage the settings of your DHCP service/server
+ entry:
+
+
+
+
+
+
+
+
+
+ You can easily create new subnet entries.
+
+
+
+
+
+
+
+
+
+ It is also possible to specify a list of fixed IPs.
+
+
+
+
+
+
+
+
+
+ IP ranges may be specified.
+
+ If you use failover pools for your IP ranges please use the pool
+ options on the bottom. Here you can add DHCP pools (object class
+ "dhcpPool") and specify the failover peer.
+
+
+
+
+
+
+
+
+
+ If you activated DDNS in the server entry then you may also
+ specify the DDNS settings for this subnet.
+
+
+
+
+
+
+
+
+
+
+
+ Bind DLZ (LAM Pro)
+
+ Bind DLZ is
+ an extension to the DNS server Bind that allows to store
+ DNS entries inside LDAP. Please install the Bind DLZ schema file on your
+ LDAP server. It is part of the DLZ patch.
+
+ Configuration
+
+ First, you need to add the Bind DNS account type and the Bind DLZ
+ module:
+
+
+
+
+
+
+
+
+
+ Please set the LDAP suffix either to an existing DNS zone
+ (dlzZone) or an organizational unit that should include your DNS
+ zones.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Automatic PTR management
+
+ LAM can automatically create/delete PTR entries for the entered
+ IPv4/6 records. You can enable this feature on the module settings
+ tab.
+
+ PTR records will get the same TTL as IP records. Please note that
+ you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa")
+ under the same suffix as your other DNS entries.
+
+
+
+
+
+
+
+
+
+ Zone management
+
+ If you do not yet have a DNS zone then LAM can create one for you.
+ In list view switch the suffix to an organizational unit DN. Now you
+ will see a button "New zone".
+
+ This will create the zone container entry and a default DNS entry
+ "@" for authoritative information. Now switch the suffix to your new
+ zone and start adding DNS entries.
+
+
+
+
+
+
+
+
+
+ DNS entries
+
+ LAM supports the following DNS record types:
+
+
+
+ SOA: authoritative information
+
+
+
+ NS: name servers
+
+
+
+ A/AAAA: IP addresses
+
+
+
+ PTR: reverse DNS entries
+
+
+
+ CNAME: alias names
+
+
+
+ MX: mail servers
+
+
+
+ TXT: text records
+
+
+
+ SRV: service entries
+
+
+
+
+
+
+ Authoritative (SOA) and name server (NS)
+ records
+
+ Here you can manage general information about the zone like
+ timeouts and name servers. Please note that name servers must be
+ inserted in a special format (dot at the end).
+
+
+
+
+
+
+
+
+
+
+
+
+ IP addresses (A/AAAA)
+
+ LAM will automatically set the correct type (A/AAAA) depending if
+ you enter an IPv4 or IPv6 address.
+
+
+
+
+
+
+
+
+
+
+
+
+ Reverse DNS entries
+
+ Reverse DNS entries are important when you need to find the DNS
+ name that is associated with a given IP address. Reverse DNS entries are
+ stored in a separate DNS zone.
+
+
+
+
+
+
+
+
+
+
+
+
+ Alias names (CNAME)
+
+ Sometimes a DNS entry should simply point to a different DNS entry
+ (e.g. for migrations). This can be done by adding an alias name.
+
+
+
+
+
+
+
+
+
+
+
+
+ Mail servers (MX)
+
+ The mail server entries define where mails to a domain should be
+ delivered. The server with the lowest preference has the highest
+ priority.
+
+
+
+
+
+
+
+
+
+
+
+
+ Text records (TXT)
+
+ Text records can be added to store a description or other data
+ (e.g. SPF information).
+
+
+
+
+
+
+
+
+
+
+
+
+ Services (SRV)
+
+ Service records can be used to specify which servers provide
+ common services such as LDAP. Please note that the host name must be
+ _SERVICE._PROTOCOL (e.g. _ldap._tcp).
+
+
+
+
+ Priority: The priority of the target host, lower value means more
+ preferred.
+
+ Weight: A relative weight for records with the same priority. E.g.
+ weights 20 and 80 for a service will result in 20% queries to the one
+ server and 80% to the other.
+
+ Port: The port number that is used for your service.
+
+ Server: DNS name where service can be reached (with dot at the
+ end).
+
+
+
+
+
+
+
+
+
+
+
+
+ File upload
+
+ You can upload complete DNS zones via LAM's file upload. Here is
+ an example for a zone file and the corresponding CSV file.
+
+
+ Zone file
+
+
+
+
+ @
+
+ IN
+
+ SOA
+
+ ns1.example.com admin.ns1.example.com (1 360000 3600
+ 3600000 370000)
+
+
+
+
+
+ IN
+
+ NS
+
+ ns1.example.com.
+
+
+
+
+
+ IN
+
+ NS
+
+ ns2.example.com.
+
+
+
+
+
+ IN
+
+ MX
+
+ 10 mail1.example.com
+
+
+
+
+
+ IN
+
+ MX
+
+ 20 mail2.example.com
+
+
+
+ foo
+
+ IN
+
+ A
+
+ 123.123.123.100
+
+
+
+ foo2
+
+ IN
+
+ CNAME
+
+ foo.example.com
+
+
+
+ bar
+
+ IN
+
+ A
+
+ 123.123.123.101
+
+
+
+
+
+ IN
+
+ AAAA
+
+ 1:2:3:4:5
+
+
+
+
+
+ Please check that you have an existing zone entry that can be used
+ for the file upload. See above to create a new zone.
+
+ Hint: If you use the function above to create a new zone then
+ please skip the "@" entry in the CSV file below. LAM creates this entry
+ with sample data.
+
+ In this example we assume that the following zone extry
+ exists:
+
+ dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com
+dlzzonename: example.com
+objectclass: dlzZone
+objectclass: top
+
+
+
+ Here is the corresponding CSV file: bindUpload.csv
+
+
+
+ Aliases (LAM Pro)
+
+ Some applications use the object class "alias" to link LDAP
+ entries to other parts of the LDAP tree. Activate the account type
+ "Aliases" in your LAM server profile to use this account type.
+
+ Currently, only user accounts can be aliased with the "uidObject"
+ object class.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Mail aliases
+
+ You can manage mail aliases (e.g. for NIS) inside LAM. This can be
+ used to replace local /etc/aliases files with LDAP.
+
+ Note: Use the mail alias user
+ module to manage mail aliases on user pages.
+
+ All accounts of this type are based on the "nisMailAlias" object
+ class and may have "cn" and "rfc822MailMember" attributes. To activate
+ this type please add "Mail aliases" in your LAM server profile:
+
+
+
+
+
+
+
+
+
+ You need to select the Mail aliases module on the next tab.
+
+
+
+
+
+
+
+
+
+ The mail aliases will then appear as separate tab inside LAM. You
+ may then manage the aliases with their names and recipient
+ addresses.
+
+ There are mail/user icons that allow to select a mail address/user
+ name from the existing users.
+
+
+
+
+
+
+
+
+
+
+
+ NIS net groups
+
+ LAM supports to define NIS netgroups. You can use them e.g. to
+ restrict SSH access to your machines.
+
+ Add the NIS net group account type and its module to your server
+ profile. Then you can manage net groups in LAM. Net groups may contain
+ other net groups as child groups. You can either insert the host/user
+ names manually or print the search buttons next to the input fields to
+ find existing entries in your directory.
+
+
+
+
+
+
+
+
+
+
+
+ NIS objects (LAM Pro)
+
+ You can manage NIS objects with LAM Pro. This allows you define
+ network mount points in LDAP.
+
+ Add the NIS objects type to your LAM configuration and then the
+ NIS objects module. This will add the NIS objects tab to LAM.
+
+
+
+
+
+
+
+
+
+
+
+ Automount objects (LAM Pro)
+
+ LAM Pro allows you to manage automount entries. Please activate
+ the account type "Automount objects" in your LAM Pro server
+ profile.
+
+
+
+
+
+
+
+
+
+ Then add the correct automount module. Usually, this is "Automount
+ entry (automount)". If you use Suse Linux with RFC2307bis schema please
+ select "Automount entry (rfc2307bisAutomount)".
+
+
+
+
+
+
+
+
+
+ This will add a new tab to LAM Pro's main screen which includes a
+ list of all automount entries. Here you can easily create new
+ entries.
+
+
+
+
+
+
+
+
+
+ Please see the following external HowTos for more information on
+ automounting and LDAP:
+
+
+
+ AutofsLDAP
+
+
+
+ Automount
+ über LDAP (German)
+
+
+
+
+
+ Oracle databases (LAM Pro)
+
+ Oracle allows to manage connection data that is stored in
+ tnsnames.ora to be stored in an LDAP directory.
+
+ Initial setup
+
+ LDAP server setup:
+
+ You will need to install the correct Oracle LDAP schema files on
+ your LDAP server. If you run no Oracle LDAP server then you can get them
+ (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from
+ here.
+
+ Next you need to create the root entry for Oracle. It should look
+ like this:
+
+ dn: cn=OracleContext,dc=example,dc=com
+objectclass: orclContext
+cn: OracleContext
+
+ You can create it with LAM's tree view. Please note that "cn" must
+ be set to "OracleContext".
+
+
+
+
+ LAM setup:
+
+ Edit your LAM server profile and add the Oracle account
+ type:
+
+
+
+
+
+
+
+
+
+ In case you manage a single Oracle context just enter the
+ cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle
+ context entries then set the LDAP suffix to a parent entry of
+ them.
+
+
+
+
+
+
+
+
+
+ Next, add the Oracle module:
+
+
+
+
+
+
+
+
+
+ Now you can login to LAM and start to add database
+ entries.
+
+
+ Managing database entries
+
+ Each database has a service name, the connection string and an
+ optional description.
+
+
+
+
+
+
+
+
+
+ Database client setup for
+ LDAP
+
+ You need to activate the LDAP adapter to make the database tools
+ reading LDAP. Edit network/admin/sqlnet.ora like this:
+
+ NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)
+
+ Then add a file called ldap.ora next to your sqlnet.ora and set
+ the LDAP server and DN suffix where cn=OracleContext is stored:
+
+ DIRECTORY_SERVERS= (ldap.example.com:389:636)
+DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de"
+DIRECTORY_SERVER_TYPE = OID
+
+ This will allow e.g. tnsping to get the connection data from
+ LDAP:
+
+ [oracle@oracle bin]$ tnsping mydb
+
+TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54
+
+Copyright (c) 1997, 2013, Oracle. All rights reserved.
+
+Used parameter files:
+/home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
+
+Used LDAP adapter to resolve the alias
+Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))
+OK (10 msec)
+
+
+
+ Password policies (LAM Pro)
+
+ OpenLDAP supports the ppolicy overlay
+ to manage password policies for LDAP entries. This allows you to set
+ password policies which are independent from your applications. The
+ policies are managed internally by the LDAP server.
+
+ You can manage these policies with LAM Pro with the account type
+ "Password policies".
+
+
+
+
+
+
+
+
+
+ You will need to add the ppolicy schema to your OpenLDAP
+ configuration and activate the ppolicy overlay
+ module in slapd.conf to use this feature.
+
+
+
+ PyKota printers
+
+ Please add the account type "Printers (PyKota printers)" on tab
+ "Account types" in your server profile and setup the LDAP suffix where
+ printers are stored.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Then add the PyKota printer module on tab "Account
+ modules".
+
+
+
+
+
+
+
+
+
+ Next you can start managing printers inside LAM. Here you can
+ setup the costs for a print job. LAM will also show if the printer is
+ member of any printer groups.
+
+
+
+
+
+
+
+
+
+ You can also setup printer groups. Just add some members to your
+ new group.
+
+
+
+
+
+
+
+
+
+
+
+ PyKota billing codes
+
+ Please add the account type "Billing codes" on tab "Account types"
+ in your server profile and setup the LDAP suffix where billing codes are
+ stored.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Then add the PyKota billing code module on tab "Account
+ modules".
+
+
+
+
+
+
+
+
+
+ Now login to LAM and you will see the billing code tab where you
+ can manage your entries. If jobs were printed with a billing code then
+ you will also see the balance and page count.
+
+
+
+
+
+
+
+
+
+
+
+ Custom fields (LAM Pro)
+
+ This module allows you to manage LDAP attributes that are not
+ covered by the other LAM modules (e.g. if you use custom LDAP schemas).
+ You can fully define how your input fields look like:
+
+
+
+ Label
+
+
+
+ LDAP attribute name
+
+
+
+ Unique name for field
+
+
+
+ Help text
+
+
+
+ Read-only display
+
+
+
+ Field type: text, password, text area, checkbox, radio
+ buttons, select list, file upload
+
+
+
+ Validation via regular expression
+
+
+
+ Error message if validation fails
+
+
+
+ Limitations:
+
+ Custom fields cannot manage
+
+
+
+ structural object classes
+
+
+
+ attributes that require validation rules across multiple
+ attributes or cannot be described by a simple regular
+ expression
+
+
+
+ Activating the custom fields
+ module:
+
+ You may specify custom fields for all of your account types.
+ Please enter tab "Modules" in your server profile. Now activate the
+ "Custom fields (customFields)" module for all needed account
+ types.
+
+
+
+
+
+
+
+
+
+ Setting label and icon:
+
+ You may set the label that is displayed e.g. on the tab when
+ editing an account. It is also possible to specify an icon (must be a
+ valid URL like "/images/icon.png" or "http://server/images/icon.png").
+ The icon size should be 32x32 pixels.
+
+ LAM will display a default icon and "Custom fields" as label if
+ you do not enter any values.
+
+ You may also specify how LAM displays cutom fields when there are
+ multiple field groups. The default is accordion view where you can
+ switch field groups by clicking on the title. You may also deactivate
+ this mode. Then all field groups are displayed one below the
+ other.
+
+
+
+
+
+
+
+
+
+ Defining groups:
+
+ All input fields are devided into groups. A group may contain one
+ or more object classes and allows you to add/remove a certain set of
+ input fields.
+
+ E.g. you may define two groups - "My application A" and "My
+ application B" - that manage different LDAP attributes and object
+ classes. This way you will be able to control both attribute sets
+ independently.
+
+ To create a group please edit your server profile and switch to
+ tab "Module settings". You will see the section "Custom fields" which
+ allows you to add new groups. Now select your account type (e.g. Users)
+ and specify an alias for your group. This alias will be printed as group
+ header when you later edit an account in the admin interface.
+
+
+
+
+
+
+
+
+
+ After you created your new group you can setup the managed object
+ classes. If you specify any object classes then you will later be able
+ to add/remove a complete set of attributes including their object
+ classes.
+
+ Skipping the object classes field is only useful if you want to
+ manage some attributes that are not yet supported by LAM but there is
+ already a LAM module that manages the object class.
+
+
+
+
+
+
+
+
+
+ The group may look like when you edit a user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Adding fields:
+
+ Now you can add a new field that manages an LDAP attribute. Simply
+ fill the fields and press on "Add".
+
+ Please note that the field name cannot be changed later. It is the
+ unique ID for this field.
+
+
+
+
+
+
+
+
+
+ Examples for fields and their representation:
+
+ Text field:
+
+ Text fields allow to specify a validation
+ expression and error message.
+
+ You can also enable auto-completion. In this case LAM will search
+ all accounts for the given attribute and provide auto-completion hints
+ when the user edits this field. This should only be used if there is a
+ limited number of different values for this attribute.
+
+ In case your field is a date value you can show a calendar for
+ easy editing.
+
+ Example calendar formats:
+
+
+
+ dd.mm.yy: 31.12.2016
+
+
+
+ yy-mm-dd: 2016-12-31
+
+
+
+ d M, y: 31 Dec, 16
+
+
+
+ d MM, y: 31 December, 2016
+
+
+
+
+
+
+
+
+
+
+
+ Presentation:
+
+
+
+
+
+
+
+
+
+ Password field:
+
+ You can also manage custom password fields. LAM Pro will display
+ two fields where the user must enter the same password. You can hash the
+ password if needed.
+
+
+
+
+
+
+
+
+
+ Presentation:
+
+
+
+
+
+
+
+
+
+ Text area:
+
+ This adds a multi-line field. The options are similar to text
+ fields. Additionally, you can set the size with the number of columns
+ and rows.
+
+ Please note that the validation
+ expression should be set to multi-line. This is done by adding
+ "m" at the end.
+
+
+
+
+
+
+
+
+
+ Presentation:
+
+
+
+
+
+
+
+
+
+ Checkbox:
+
+ Sometimes you may want to allow only yes/no values for your LDAP
+ attributes. This can be represented by a checkbox. You can specify the
+ values for checked and unchecked. The default value is set if the LDAP
+ attribute has no value.
+
+
+
+
+
+
+
+
+
+ Presentation:
+
+
+
+
+
+
+
+
+
+ Radio buttons:
+
+ This displays a list of radio buttons where the user can select
+ one value.
+
+ You can specify a mapping of LDAP attribute values and their
+ display (label) on the Self Service page. To add more mapping fields
+ please press "Add more mapping fields".
+
+
+
+
+
+
+
+
+
+ Presentation:
+
+
+
+
+
+
+
+
+
+ Select list:
+
+ Select lists allow the user to select a value in a large list of
+ options. The definition of the possible values and their display is
+ similar to radio buttons.
+
+ You can also allow multiple values.
+
+
+
+
+
+
+
+
+
+ Presentation:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Validation expressions:
+
+ The validation expressions follow the standard of Perl regular
+ expressions. They start and end with a "/". The beginning of a
+ line is specified by "^" and the end by "$".
+
+ Examples:
+
+ /^[a-z0-9]+$/ allows small letters and numbers. The value must not
+ be empty ("+").
+
+ /^[a-z0-9]+$/i allows small and capital letters ("i" at the end
+ means ignore case) and numbers. The value must not be empty
+ ("+").
+
+ Special characters that must be escaped with "\": "\", ".", "(",
+ ")"
+
+ E.g. /^[a-z0-9\.]$/i
+
+
+
+
+ File upload:
+
+ This is used for binary data. You can restrict uploaded data to a
+ given file extension and set the maximum file size.
+
+
+
+
+
+
+
+
+
+ Presentation:
+
+ The uploaded data may also be downloaded via LAM.
+
+
+
+
+
+
+
+
+
+
+
+ Custom scripts (LAM Pro)
+
+ LAM Pro allows you to execute scripts whenever an account is
+ created, modified or deleted. This can be useful to automate processes
+ which needed manual work afterwards (e.g. sending your user a welcome
+ mail or register a mailbox). Additionally, you can specify manual scipts
+ that can be executed from within LAM Pro.
+
+ To activate this feature please add the "Custom scripts" module to
+ all needed account types on the configuration pages.
+
+
+
+
+
+
+
+
+
+ In "Module settings" you can specify multiple scripts for each
+ action type (e.g. modify) and account type (e.g. user). The scripts need
+ to be located on the filesystem of your webserver and will be executed
+ in its user environment. E.g. if you webserver runs as user www-data
+ with the group www-data then the custom scripts will be run under this
+ user with his rights. The output of the scripts will be shown in
+ LAM.
+
+ You can specify the scripts on the LAM configuration pages.
+
+
+
+
+
+
+
+
+
+ Syntax:
+
+ Please enter one script per line. Each line has the following
+ format: <account type> <action> <script>
+
+ E.g.: user preModify /usr/bin/myCustomScript -u $uid$
+
+ Account types:
+
+ You can setup scripts for all available account types (e.g. user,
+ group, host, ...). Please see the help on the configuration page about
+ your current active account types.
+
+ Actions:
+
+
+ Action types
+
+
+
+
+ Action name
+
+ Description
+
+
+
+ preCreate
+
+ Executed before creating a new account (cancels operation
+ if a script returns an exit code > 0, not available for file
+ upload)
+
+
+
+ postCreate
+
+ Executed after creating a new account (does not run if preCreate or LDAP operations
+ fail)
+
+
+
+ preModify
+
+ Executed before an account is modified (cancels operation
+ if a script returns an exit code > 0)
+
+
+
+ postModify
+
+ Executed after an account was modified (does not run if preModify or LDAP operations
+ fail)
+
+
+
+ preDelete
+
+ Executed before an account is modified (cancels operation
+ if a script returns an exit code > 0)
+
+
+
+ postDelete
+
+ Executed after an account was modified (does not run if preDelete or LDAP operations
+ fail)
+
+
+
+ manual
+
+ Can be run manually on account page. If you add
+ LAMLABEL="text" before the command then LAM will use the text as
+ label for the button in account edit screen.
+
+
+
+
+
+ Script:
+
+ You can execute any script which is located on the filesystem of
+ your webserver. The path may be absolute or relative to the
+ PATH-variable of the environment of your webserver process. It is also
+ possible to add commandline arguments to your scripts. Additionally, LAM
+ will resolve wildcards to LDAP attributes. If your script includes an
+ wildcard in the format $ATTRIBUTE$ then LAM will replace it with the
+ attribute value of the current LDAP entry. The values of multi-value
+ attributes are separated by commas. E.g. if you create an account with
+ the attribute "uid" and value "steve" then LAM will resolve "$uid$" to
+ "steve".
+
+ Please note that manual scripts can only use the current LDAP
+ attribute values of the account. Any modifications done that are not
+ saved will not be available. Manual scripts are also not available for
+ new accounts that are not yet saved to LDAP.
+
+ You can switch LAM's logging to debug mode if you are unsure which
+ attributes with which values are available.
+
+ The following special wildcards are available for automatical
+ scripts:
+
+
+
+ $INFO.userPasswordClearText$:
+ cleartext password when Unix/Windows password is changed (e.g.
+ useful for external password synchronisation) for new/modified
+ accounts
+
+
+
+ $INFO.userPasswordStatusChange$: provides
+ additional information if the Personal/Unix password locking status
+ was changed, possible values: locked, unlocked, unchanged
+
+
+
+ $INFO.passwordSelfResetAnswerClearText$:
+ cleartext answer to security question
+
+
+
+ $INFO.389lockingStatusChange$: for 389ds
+ account locking, provides information if account was unlocked.
+ Possible values: unchanged, unlocked
+
+
+
+ $INFO.389deactivationStatusChange$: for 389ds
+ account locking, provides information if account was deactivated.
+ Possible values: unchanged, activated, deactivated
+
+
+
+ $NEW.<attribute>$: the
+ value of a new attribute (e.g. $NEW.telephoneNumber$) for modified
+ accounts
+
+
+
+ $DEL.<attribute>$: the
+ value of a deleted attribute (e.g. $DEL.telephoneNumber$) for
+ modified accounts
+
+
+
+ $MOD.<attribute>$: the
+ new value of a modified attribute (e.g. $MOD.telephoneNumber$) for
+ modified accounts
+
+
+
+ $ORIG.<attribute>$: the
+ original value of an attribute (e.g. $ORIG.telephoneNumber$) for
+ modified accounts
+
+
+
+ Output may contain HTML: If your
+ scripts generate HTML output then activate this option.
+
+ Hide command in messages: You may
+ want to prevent that your users see the executed commands. In this case
+ activating this option will only show the command output but not the
+ command itself.
+
+
+
+ You can see a preview of the commands which will be automatically
+ executed on the "Custom scripts" tab. Here you can also run the manual
+ scripts.
+
+
+
+
+
+
+
+
+
+
+
+ Sudo roles (LAM Pro)
+
+ You can manage your sudo roles in LDAP if you have installed the
+ sudo-ldap package or compiled sudo with LDAP
+ support.
+
+ To activate sudo management in LAM Pro edit your server profile
+ and add the type "Sudo roles".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Now you can create sudo commands.
+
+
+
+
+
+
+
+
+
+ The sudo roles in LDAP work similar to those in /etc/sudoers. You
+ can specify who may run which commands as which user. It is also
+ possible to specify options like NOPASSWD.
+
+
+
+ LDAP views based on nsview (LAM Pro)
+
+ LAM Pro supports LDAP views based on the "nsview" object class.
+ These views allow to create an organizational unit that shows a subset
+ of your LDAP content. The subset is determined by an LDAP filter.
+
+ Configuration:
+
+ To activate view management in LAM Pro edit your server profile
+ and add the type "LDAP views".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Now you are ready to create your views. Each view has a name, LDAP
+ filter and an optional description.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ General information
+
+ This module is available for all account types. It shows some
+ internal information about the LDAP entries like the creation time and
+ who modified the entry.
+
+ If you use the "memberOf" overlay in OpenLDAP then this will also
+ show group memberships done by the overlay.
+
+
+
+
+
+
+
+
+
+
+
+ Tree view (LDAP browser)
+
+ The tree view provides a raw view on your LDAP directory. This
+ feature is for people who are experienced with LDAP and need special
+ functionality which the LAM account modules not provide. E.g. if you
+ want to add a special object class to an account or edit attributes
+ ignoring LAM's syntax checks.
+
+
+
+
+
+
+
+
+
+ There are also some special functions available:
+
+ Export: This allows you to export
+ entries to a file (e.g. LDIF or CSV format).
+
+ Show internal attributes: Shows
+ internal attributes of the current entry. This includes information
+ about the creator and creation time of the entry.
+
+
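Review bot: The preDelete and postDelete rows of the "Action types" table carry the descriptions of the modify rows: "Executed before an account is modified (cancels operation if a script returns an exit code > 0)" and "Executed after an account was modified (does not run if preDelete or LDAP operations fail)" should read "deleted", not "modified". The final example under "Validation expressions", /^[a-z0-9\.]$/i, has no quantifier and so matches exactly one character, contradicting the preceding explanation that "+" is what makes the value non-empty; /^[a-z0-9\.]+$/i is presumably intended. The "Script" paragraph states that command-line arguments and $ATTRIBUTE$ wildcards are substituted from LDAP attribute values and that scripts run with the web server user's rights, but it does not say how values containing spaces or shell metacharacters are passed to the script; please document whether substituted values are quoted or escaped, and that $INFO.userPasswordClearText$ puts a cleartext password on the command line, so administrators can write scripts that handle attribute values safely. Minor typos: "manual scipts" (scripts), "if you webserver runs" (your), "includes an wildcard" (a wildcard), "automatical scripts" (automatic).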
diff --git a/lam/docs/manual-sources/chapter-selfService.xml b/lam/docs/manual-sources/chapter-selfService.xml
new file mode 100644
index 00000000..22701267
--- /dev/null
+++ b/lam/docs/manual-sources/chapter-selfService.xml
@@ -0,0 +1,1596 @@
+
+
+
+ Self service (LAM Pro)
+
+
+ Preparations
+
+
+ OpenLDAP ACLs
+
+ By default only a few administrative users have write access to
+ the LDAP database. Before your users may change their settings you
+ must allow them to change their LDAP data.
+
+ Hint: The ACLs below are not required if you decide to run all
+ operations as the LDAP bind user (option "Use for all
+ operations").
+
+ This can be done by adding ACLs to your slapd.conf or
+ slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to
+ these:
+
+ access to
+
+ attrs=userPassword
+
+ by self write
+
+ by anonymous auth
+
+ by * none
+
+
+
+
+ access to
+
+
+ attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail
+
+ by self write
+
+ by * read
+
+ If you do not want them to change all attributes then reduce the
+ list to fit your needs. Some modules may require additional LDAP
+ attributes. You can use the tree view to get the technical attribute
+ names e.g. by selecting an user account.
+
+ Usually, the slapd.conf file is located in /etc/ldap or
+ /etc/openldap.
+
+
+
+ Other LDAP servers
+
+ There exist many LDAP implementations. If you do not use
+ OpenLDAP you need to write your own ACLs. Please check the manual of
+ your LDAP server for instructions.
+
+
+
+
+ Creating a self service profile
+
+ A self service profile defines what input fields your users see
+ and some other general settings like the login caption.
+
+ When you go to the LAM configuration page you will see the self
+ service link at the bottom. This will lead you to the self service
+ configuration pages
+
+
+
+
+
+
+
+
+
+ Now we need to create a new self service profile. Click on the
+ link to manage the self service profiles.
+
+
+
+
+
+
+
+
+
+ Specify a name for the new profile and enter your master
+ configuration password (default is "lam") to save the profile.
+
+
+
+
+
+
+
+
+
+ Now go back to the profile login and enter your master
+ configuration password to edit your new profile.
+
+
+
+ Edit your new profile
+
+
+ General settings
+
+ On top of the page you see the link to the user login page. Copy
+ this link address and give it to your users.
+
+ Below the link you can specify several options.
+
+
+
+
+
+
+
+
+
+
+ General options
+
+
+
+
+ Server address
+
+ The address of your LDAP server. For LDAP+SSL use
+ "ldaps://myserver"
+
+
+
+ Activate TLS
+
+ Activates TLS encryption. Please note that this cannot
+ be combined with LDAP+SSL ("ldaps://").
+
+
+
+ LDAP suffix
+
+ The part of the LDAP tree where LAM should search for
+ users
+
+
+
+ LDAP search attribute
+
+ Here you can specify if your users can login with user
+ name + password, email + password or other attributes.
+
+
+
+ Follow referrals
+
+ By default LAM will not follow LDAP referrals. This is
+ ok for most installations. If you use LDAP referrals please
+ activate the referral option in advanced settings.
+
+
+
+ LDAP user + password
+
+ The DN and password which is used to search for users
+ in the LDAP database. It is sufficient if this DN has only
+ read rights. If you leave these fields empty LAM will try to
+ connect anonymously.
+
+
+
+ Use for all operations
+
+ By default LAM will use the credentials of the user
+ that logged in to self service for read/modify operations. If
+ you select this box then the connection user specified before
+ will be used instead. Please note that this can be a security
+ risk because the user requires write access to all users. You
+ need to make sure that your LAM server is well
+ protected.
+
+
+
+ Additional LDAP filter
+
+ Use this to enter an additional LDAP filter (e.g.
+ "(objectClass=passwordSelfReset)") to reduce the number of
+ accounts who may use self service.
+
+
+
+ HTTP authentication
+
+ You can enable HTTP authentication for your users. This
+ way the web server is responsible to authenticate your users.
+ LAM will use the given user name + password for the LDAP
+ login. To setup HTTP authentication in Apache please see this
+ link.
+
+
+
+ Login attribute label
+
+ This is the description for the LDAP search attribute.
+ Set it to something which your users are familiar
+ with.
+
+
+
+ Password field label
+
+ This text is placed as label for the password field on
+ the login page. LAM will use "Password" if you do not enter
+ any text.
+
+
+
+ Login caption
+
+ This text is displayed at the login page. You can input
+ HTML, too.
+
+
+
+ Main page caption
+
+ This text is displayed at self service main page where
+ your users change their data. You can input HTML, too.
+
+
+
+ Page header
+
+ This HTML code will be placed on top of all self
+ service pages. E.g. you can use this to place your custom
+ logo. Any HTML code is permitted.
+
+
+
+ Additional CSS links
+
+ Here you can specify additional CSS links to change the
+ layout of the self service pages. This is useful to adapt them
+ to your corporate design. Please enter one link per
+ line.
+
+
+
+
+
+
+
+
+ 2-factor authentication
+
+ LAM supports 2-factor authentication for your users. This
+ means the user will not only authenticate by user+password but also
+ with e.g. a token generated by a mobile device. This adds more
+ security because the token is generated on a physically separated
+ device (typically mobile phone).
+
+ The token is validated by a second application. LAM currently
+ supports:
+
+
+
+ privacyIdea
+
+
+
+ By default LAM will enforce to use a token and reject users
+ that did not setup one. You can set this check to optional. But if a
+ user has setup a token then this will always be required.
+
+
+
+
+
+
+
+
+
+ After logging in with user + password LAM will ask for the 2nd
+ factor. If the user has setup multiple factors then he can choose
+ one of them.
+
+
+
+
+
+
+
+
+
+
+
+
+ Page layout
+
+ Here you can specify what input fields your users can see. It is
+ also possible to group several input fields.
+
+ Please use the arrow signs to change the order of the
+ fields/groups.
+
+ You may also set some fields as read-only for your users. This
+ can be done by clicking on the lock symbol. Read-only fields can be
+ used to show your users additional data on the self service page that
+ must not be changed by themselves (e.g. first/last name).
+
+ Sometimes, you may want to set a custom label for an input
+ field. Click on the edit icon to set your own label text (Personal:
+ Department is relabeled as "Business unit" here).
+
+
+
+
+
+
+
+
+
+ Possible input fields
+
+ This is a list of input fields you may add to the self service
+ page.
+
+
+ Self service fields
+
+
+
+
+ Account
+ type
+
+ Option
+
+ Description
+
+
+
+
+
+
+
+ Asterisk (voicemail)
+
+ Sync Asterisk password with Unix password
+
+ This is a hidden field. It will update the Asterisk
+ password each time the Unix password is changed.
+
+
+
+
+
+
+
+ Kerberos
+
+ Sync Kerberos password with Unix password
+
+ This is a hidden field. It will update the Kerberos
+ password each time the Unix password is changed.
+
+
+
+
+
+
+
+ Kolab
+
+ Delegates
+
+ Allows to manage delegate permissions
+
+
+
+ Invitation policy
+
+ Invitation policy management
+
+
+
+
+
+
+
+ Password policy
+
+ Last password change
+
+ read-only
+
+
+
+
+
+
+
+ Password self reset
+
+ Question
+
+ Security question selection
+
+
+
+ Answer
+
+ Security answer
+
+
+
+ Backup email
+
+ (External) backup email address that has no relation to
+ user password.
+
+
+
+
+
+
+
+ Personal
+
+ Business category
+
+
+
+
+
+ Car license
+
+
+
+
+
+ Department
+
+
+
+
+
+ Description
+
+
+
+
+
+ Email address
+
+
+
+
+
+ Fax number
+
+
+
+
+
+ First name
+
+
+
+
+
+ Home telephone number
+
+
+
+
+
+ Initials
+
+
+
+
+
+ Job title
+
+
+
+
+
+ Last name
+
+
+
+
+
+ Location
+
+
+
+
+
+ Mobile number
+
+
+
+
+
+ Office name
+
+
+
+
+
+ Organisational unit
+
+
+
+
+
+ Photo
+
+ Shows the user photo if set. The user may also remove
+ the photo or upload a new one.
+
+
+
+ Postal address
+
+
+
+
+
+ Postal code
+
+
+
+
+
+ Post office box
+
+
+
+
+
+ Registered address
+
+
+
+
+
+ Room number
+
+
+
+
+
+ State
+
+
+
+
+
+ Street
+
+
+
+
+
+ Telephone number
+
+
+
+
+
+ User certificates
+
+ Upload of user certificates in PEM or DER
+ format
+
+
+
+ User name
+
+
+
+
+
+ Web site
+
+
+
+
+
+
+
+
+
+ Samba 3
+
+ Password
+
+ Input field to set a new NT/LM password. The attribute
+ "sambaPwdLastSet" is updated if it existed before.
+
+
+
+ Sync Samba LM password with Unix password
+
+ This is a hidden field. It will update the Samba LM
+ password each time the Unix password is changed.
+
+
+
+ Sync Samba NT password with Unix password
+
+ This is a hidden field. It will update the Samba NT
+ password each time the Unix password is changed.
+
+
+
+ Update attribute "sambaPwdLastSet" on password
+ change
+
+ Updates the password timestamp when password is
+ synchronized with Unix.
+
+
+
+ Last password change (read-only)
+
+ Displays the date and time of the user's last password
+ change.
+
+
+
+
+
+
+
+ Shadow
+
+ Last password change (read-only)
+
+ Displays the date and time of the user's last password
+ change (Unix).
+
+
+
+
+
+
+
+ Windows
+
+ Password
+
+ Change the user's password
+
+
+
+ Location
+
+
+
+
+
+ Office name
+
+
+
+
+
+ Postal code
+
+
+
+
+
+ Post office box
+
+
+
+
+
+ State
+
+
+
+
+
+ Street
+
+
+
+
+
+ Telephone number
+
+
+
+
+
+ Web site
+
+
+
+
+
+
+
+
+
+ Unix
+
+ Common name
+
+
+
+
+
+ Login shell
+
+
+
+
+
+ Password
+
+ This is also the source for several password
+ synchronization options.
+
+
+
+ Sync Unix password with Windows password
+
+ This is a hidden field. It will update the Unix
+ password each time the Windows password is changed.
+
+
+
+
+
+
+
+ Zarafa
+
+ "Send as" privileges
+
+ Define user who may send mails as this user
+
+
+
+ Email aliases
+
+ Email aliases
+
+
+
+
+
+
+
+ PyKota
+
+ Balance (read-only)
+
+ Current balance for printing
+
+
+
+ Total paid (read-only)
+
+ Total money paid
+
+
+
+ Payment history
+
+ History of user payments
+
+
+
+ Job history
+
+ History of printed jobs
+
+
+
+
+
+
+
+ Module settings
+
+ This allows to configure some module specific options (e.g.
+ custom scripts or password hash type).
+
+
+
+
+
+
+
+
+
+
+
+ Samba 3
+
+ LAM Pro can check the password history and minimum age for Samba
+ 3 password changes. In this case please provide the LDAP suffix where
+ your Samba 3 domain(s) are stored.
+
+ If you leave the field empty then no history and age checks will
+ be done.
+
+ Password history: depending on your LDAP server you might need
+ ascending or descending order. Just switch the setting if the password
+ history is not correctly updated.
+
+
+
+
+
+
+
+
+
+
+
+ Password self reset
+
+ Schema installation
+
+ Please install the LDAP schema as described here.
+
+ Settings
+
+ You can allow your users to reset their passwords themselves.
+ This will reduce your administrative costs for cases where users
+ forget their passwords.
+
+ To enable this feature please activate the checkbox "Enable
+ password self reset link".
+
+ Hint: Plese note that LAM Pro
+ uses security questions by default. Activate confirmation mails and
+ then deactivate security questions if you want to use only email
+ validation.
+
+
+
+
+
+
+
+
+
+ You can now configure the minimum answer length for password
+ reset answers. This is checked when you allow you users to specify
+ their answers via the self service. Additionally, you can specify the
+ text of the password reset link (default: "Forgot password?"). The
+ link is displayed below the password field on the self service login
+ page.
+
+ Next, please enter the DN and password of an LDAP entry that is
+ allowed to reset the passwords. This entry needs write access to the
+ attributes shadowLastChange, pwdAccountLockedTime and userPassword. It
+ also needs read access to uid, mail, passwordSelfResetQuestion and
+ passwordSelfResetAnswer. Please note that LAM Pro saves the password
+ on your server file system. Therefore, it is required to protect your
+ server against unauthorised access.
+
+ Please also specify the list of password reset questions that
+ the user can choose.
+
+ Please note that self service and LAM admin interface are
+ separated functionalities. You need to specify the list of possible
+ security questions in both self service profile(s) and server
+ profile(s).
+
+
+
+ You can inform your users via mail about their password change.
+ The mail can include the new password by using the special wildcard
+ "@@newPassword@@". Additionally, you may want to insert other
+ wildcards that are replaced by the corresponding LDAP attributes. E.g.
+ "@@uid@@" will be replaced by the user name. Please see email format option in case of broken mails.
+ See here for setting up your SMTP
+ server.
+
+
+
+ LAM Pro can send your users an email with a confirmation link to
+ validate their email address. Of course, this should only be used if
+ the email account is independent from the user password (e.g. at
+ external provider) or you use the backup email address feature. The
+ mail body must include the confirmation link by using the special
+ wildcard "@@resetLink@@". Additionally, you may want to insert other
+ wildcards that are replaced by the corresponding LDAP attributes. E.g.
+ "@@uid@@" will be replaced by the user name.
+
+ There is also an option to skip the security question at all if
+ email verification is enabled. In this case the password can be reset
+ directly after clicking on the confirmation link. Please handle with
+ care since anybody with access to the user's mail account can reset
+ the password.
+
+ Troubleshooting:
+
+ 1. You get messages like "Unable to find user account."
+
+ This can have multiple reasons:
+
+
+
+ security questions enabled but no security question and/or
+ answer set for this user
+
+
+
+ user name + email combination does not exist
+
+
+
+ no connection to LDAP server
+
+
+
+ Turn on logging in LAM's main configuration settings. The exact
+ reason is logged on notice level.
+
+ 2. You do not see security question and answer fields when
+ logged into self service.
+
+ Probably, the user does not have the object class
+ "passwordSelfReset" set. You can do this in admin interface. If you
+ have multiple users to change then use the Multi Edit Tool to add the object
+ class.
+
+ New fields for self service
+ page
+
+ There are special fields that you may put on the self service
+ page for your users. These fields allow them to change the reset
+ questions and its answers. It is also possible to set a backup email
+ address to reset passwords with an external email address.
+
+
+
+
+
+
+
+
+
+ This is an example how can be presented to your users on the
+ self service page:
+
+
+
+
+
+
+
+
+
+ Password reset link
+
+ After activating the password self reset feature there will be a
+ new link on the self service login page. The text can be configured as
+ described above (default: "Forgot password?").
+
+
+
+
+
+
+
+
+
+ When a user clicks on the link then he will be asked for
+ identification with his user name and email address.
+
+
+
+
+
+
+
+
+
+ LAM Pro will use this information to find the correct LDAP entry
+ of this user. It then displays the user's security questions and input
+ fields for his new password. If the answer is correct then the new
+ password will be set. Additionally, pwdAccountLockedTime will be
+ removed and shadowLastChange updated to the current time if
+ existing.
+
+
+
+
+
+
+
+
+
+
+
+ User self registration
+
+ With LAM Pro your users can create their own accounts if you
+ like. LAM Pro will display an additional link on the self service
+ login page that allows you users to create a new account including
+ email validation (see here for
+ setting up your SMTP server).
+
+ You enable this feature in your self service profile. Just
+ activate the checkbox "Enable self registration link".
+
+
+
+
+
+
+
+
+
+ Options:
+
+ Link text: This is the label for the link
+ to the self registration. If empty "Register new account" will be
+ used.
+
+ Admin DN and password: Please enter the
+ LDAP DN and its password that should be used to create new users. This
+ DN also needs to be able to do LDAP searches by uid in the self
+ service part of your LDAP tree.
+
+ Object classes: This is a list of object
+ classes that are used to build the new user accounts. Please enter one
+ object class in each line. If you use LAM Pro password self reset
+ feature then do not forget to add "passwordSelfReset" here.
+
+ Attributes: This is a list of additional
+ attributes that the user can enter. Please note that user name,
+ password and email address are mandatory anyway and need not be
+ specified.
+
+ Each line represents one LDAP attribute. The settings are
+ separated by "::". The first setting specifies the field type. The
+ second setting is the LDAP attribute name. Depending on the field type
+ you can enter additional options:
+
+
+
+
+
+
+
+ Description
+
+ Type
+
+ Attribute name
+
+ First option
+
+ Second option
+
+ Third option
+
+
+
+ An optional input field that is displayed on the
+ registration page.
+
+ optional
+
+ e.g. "givenName"
+
+ Label that is displayed on page
+
+ optional regular expression for validation (e.g.
+ "/^[0-9a-zA-Z]+$/")
+
+ validation message if value does not match validation
+ expression
+
+
+
+ A required input field that is displayed on the
+ registration page. Self registration cannot be done if such a
+ field is left empty by the user.
+
+ required
+
+ e.g. "sn"
+
+ Label that is displayed on page
+
+ optional regular expression for validation (e.g.
+ "/^[0-9a-zA-Z]+$/")
+
+ validation message if value does not match validation
+ expression
+
+
+
+ Constant attribute value, not visible for the user. Can
+ be used to set some initial values or data that must not be
+ edited by the user.
+
+ constant
+
+ e.g. "homeDirectory"
+
+ attribute value, supports wirldcards to insert other
+ attribute values (e.g. "@@uid@@")
+
+
+
+
+
+
+
+ Auto-numbering for attributes such as uidNumber. Will
+ do a search for attribute values in the given range and use
+ highest value + 1.
+
+ autorange
+
+ e.g. uidNumber
+
+ LDAP search base, e.g.
+ ou=people,dc=company,dc=com
+
+ Minimum value, e.g. 1000
+
+ Maximum value, e.g. 2000
+
+
+
+
+
+ For a syntax description of validation expressions see here. Validation is
+ optional, you can leave these options blank.
+
+ Example:
+
+ optional::givenName::First name::/^[[:alnum:] ]+$/u::Please
+ enter a valid first name.
+
+ required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a
+ valid last name.
+
+ constant::homeDirectory::/home/@@uid@@
+
+ autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000
+
+ If you use the object class "inetOrgPerson" and do not provide
+ the "cn" attribute then LAM will set it to the user name value.
+
+
+
+
+ Please note that only simple input boxes are supported for
+ account registration. The user may log in to self service when his
+ account was created to manage all his attributes.
+
+
+
+
+ Captcha support
+
+ LAM Pro can optionally display a captcha to verify that
+ registrations are not from robots. The supported captcha provider is
+ Google reCAPTCHA. You will need the site and secret key for your
+ domain. They can be retrieved from here: https://www.google.com/recaptcha
+
+ Please note that your web server must be able to access
+ "https://www.google.com/recaptcha/api/siteverify" to verify the
+ captchas. Captchas will be displayed automatically when site+secret
+ key are filled.
+
+
+
+
+
+
+
+
+
+
+
+
+ User view:
+
+ The user can register by clicking on a link on the self service
+ login page:
+
+
+
+
+
+
+
+
+
+ Here he can insert the data that you specified in the self
+ service profile:
+
+
+
+
+
+
+
+
+
+ LAM will then send him an email with a validation link that is
+ valid for 24 hours. When he clicks on this link then the account will
+ be created in the self service user suffix. The DN will look like
+ this: uid=<user name>,...
+
+ Please see email format option in
+ case of broken mails.
+
+
+
+ Custom fields (LAM Pro)
+
+ This module allows you to manage LDAP attributes that are not
+ covered by the other LAM modules (e.g. if you use custom LDAP
+ schemas). You can fully define how your input fields look like:
+
+
+
+ Label
+
+
+
+ LDAP attribute name
+
+
+
+ Unique name for field
+
+
+
+ Help text
+
+
+
+ Read-only display
+
+
+
+ Field type: text, password, text area, checkbox, radio
+ buttons, select list, file upload
+
+
+
+ Validation via regular expression
+
+
+
+ Error message if validation fails
+
+
+
+ To create custom fields for the Self Service please edit your
+ Self Service profile and switch to tab "Module settings". Here you can
+ add a new field. Simply fill the fields and press on "Add".
+
+ Please note that the field name cannot be changed later. It is
+ the unique ID for this field.
+
+ After you created your fields please press on "Sync fields with
+ page layout". Now you can switch to tab "Page layout" and add your new
+ fields like any other standard field.
+
+
+
+
+
+
+
+
+
+ Examples for fields and their representation in Self
+ Service:
+
+ Text field:
+
+ Text fields allow to specify a validation
+ expression and error message.
+
+ You can also enable auto-completion. In this case LAM will
+ search all accounts for the given attribute and provide
+ auto-completion hints when the user edits this field. This should only
+ be used if there is a limited number of different values for this
+ attribute.
+
+ In case your field is a date value you can show a calendar for
+ easy editing.
+
+ Example calendar formats:
+
+
+
+ dd.mm.yy: 31.12.2016
+
+
+
+ yy-mm-dd: 2016-12-31
+
+
+
+ d M, y: 31 Dec, 16
+
+
+
+ d MM, y: 31 December, 2016
+
+
+
+
+
+
+
+
+
+
+
+ Presentation in Self Service:
+
+
+
+
+
+
+
+
+
+ Password field:
+
+ You can also manage custom password fields. LAM Pro will display
+ two fields where the user must enter the same password. You can hash
+ the password if needed.
+
+
+
+
+
+
+
+
+
+ Presentation in Self Service:
+
+
+
+
+
+
+
+
+
+ Text area:
+
+ This adds a multi-line field. The options are similar to text
+ fields. Additionally, you can set the size with the number of columns
+ and rows.
+
+ Please note that the validation
+ expression should be set to multi-line. This is done by adding
+ "m" at the end.
+
+
+
+
+
+
+
+
+
+ Presentation in Self Service:
+
+
+
+
+
+
+
+
+
+ Checkbox:
+
+ Sometimes you may want to allow only yes/no values for your LDAP
+ attributes. This can be represented by a checkbox. You can specify the
+ values for checked and unchecked. The default value is set if the LDAP
+ attribute has no value.
+
+
+
+
+
+
+
+
+
+ Presentation in Self Service:
+
+
+
+
+
+
+
+
+
+ Radio buttons:
+
+ This displays a list of radio buttons where the user can select
+ one value.
+
+ You can specify a mapping of LDAP attribute values and their
+ display (label) on the Self Service page. To add more mapping fields
+ please press "Add more mapping fields".
+
+
+
+
+
+
+
+
+
+ Presentation in Self Service:
+
+
+
+
+
+
+
+
+
+ Select list:
+
+ Select lists allow the user to select a value in a large list of
+ options. The definition of the possible values and their display is
+ similar to radio buttons.
+
+ You can also allow multiple values.
+
+
+
+
+
+
+
+
+
+ Presentation in Self Service:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Validation expressions:
+
+ The validation expressions follow the standard of Perl regular
+ expressions. They start and end with a "/". The beginning of a
+ line is specified by "^" and the end by "$".
+
+ Examples:
+
+ /^[a-z0-9]+$/ allows small letters and numbers. The value must
+ not be empty ("+").
+
+ /^[a-z0-9]+$/i allows small and capital letters ("i" at the end
+ means ignore case) and numbers. The value must not be empty
+ ("+").
+
+ Special characters that must be escaped with "\": "\", ".", "(",
+ ")"
+
+ E.g. /^[a-z0-9\.]$/i
+
+
+
+
+ File upload:
+
+ This is used for binary data. You can restrict uploaded data to
+ a given file extension and set the maximum file size.
+
+
+
+
+
+
+
+
+
+ Presentation:
+
+ The uploaded data may also be downloaded via LAM.
+
+
+
+
+
+
+
+
+
+
+
+
+ Adapt the self service to your corporate design
+
+ LAM Pro allows you to integrate customs CSS style definitions and
+ design the header of all self service pages. This way you can integrate
+ you own logo and use your company's colors.
+
+
+ Custom header
+
+ The default LAM Pro header includes a logo and a horizontal
+ line. You can enter any HTML code here. It will be included in the
+ self services pages after the body tag.
+
+
+
+
+
+
+
+
+
+
+
+ CSS files
+
+ Usually, companies have regulations about their corporate design
+ and use common CSS files. This assures a common appearance of all
+ intranet pages (e.g. colors and fonts). To include additional CSS
+ files just use the following setting for this task. The additional CSS
+ links will be added after LAM Pro's default CSS link. This way you can
+ overwrite LAM Pro's style.
+
+
+
+
+
+
+
+
+
+
+
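Review bot: the last regular-expression example, `E.g. /^[a-z0-9\.]$/i`, is missing the `+` quantifier and therefore matches exactly one character, which contradicts the two examples directly above it that explain `+` as "the value must not be empty"; it should read `/^[a-z0-9\.]+$/i`. In the same paragraph, "follow the standard of Perl regular expressions" is imprecise for a PHP application: these are PCRE (Perl-compatible) patterns, and naming PCRE tells readers which modifier semantics apply, including the `m` modifier the text area section recommends. The "Custom header" section says "You can enter any HTML code here. It will be included in the self services pages after the body tag"; since that markup is emitted into every Self Service page as entered, a one-sentence caveat that only trusted administrators should hold the rights to edit this setting (and the CSS file list below it, which can pull in stylesheets from any URL) would be appropriate. Wording fixes in this hunk: "how your input fields look like" should be "what your input fields look like", "customs CSS style definitions" should be "custom CSS style definitions", "integrate you own logo" should be "integrate your own logo", and "self services pages" should be "self service pages".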
diff --git a/lam/docs/manual-sources/chapter-tools.xml b/lam/docs/manual-sources/chapter-tools.xml
new file mode 100644
index 00000000..b2aaae30
--- /dev/null
+++ b/lam/docs/manual-sources/chapter-tools.xml
@@ -0,0 +1,410 @@
+
+
+
+ Tools
+
+
+
+
+ Profile editor
+
+ The account profiles are templates for your accounts. Here you can
+ specify default values which can then be loaded when you create
+ accounts. You may also load a template for an existing account to reset
+ it to default values. When you create a new account then LAM will always
+ load the profile named "default". This
+ account profile can include default values for all your accounts.
+
+
+
+
+
+
+
+
+
+ You can enter the LDAP suffix, RDN identifier and various other
+ attributes depending on account type and activated modules.
+
+
+
+
+
+
+
+
+
+ Import/export:
+
+ Profiles can be exported to and imported from other server
+ profiles.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ There is a special export target called "*Global templates". All
+ profiles exported here will be copied to all other server profiles
+ (incl. new ones). But existing profiles with the same name are not
+ overwritten. So a profile in global templates is treated as default
+ profile for all server profiles.
+
+ Use this if you would like to setup default profiles that are
+ valid for all server profiles.
+
+
+
+
+
+
+
+
+
+
+
+ File upload
+
+ When you need to create lots of accounts then you can use LAM's
+ file upload to create them. LAM will read a CSV formatted file and
+ create the related LDAP entries. Please check the data in you CSV file
+ carefully. LAM will do less checks for the file upload than for single
+ account creation.
+
+ At the first page please select the account type and what
+ extensions should be activated.
+
+
+
+
+
+
+
+
+
+ The next page shows all available options for the file upload. You
+ will also find a sample CSV file which can be used as template for your
+ CSV file. All red options are required columns in the file. You need to
+ specify a value for each account.
+
+ When you upload the CSV file then LAM first does some checks on
+ this file. This includes syntax checks and if all required data was
+ entered. No changes in the LDAP directory are done at this time.
+
+ If the checks were successful then LAM will ask again if you want
+ to create the accounts. You will also have the chance to check the
+ upload by viewing the changes in LDIF format.
+
+
+
+
+
+
+
+
+
+
+
+ Multi edit
+
+ This tool allows you to modify a large list of LDAP entries in
+ batch mode. You can add new attributes/object classes, remove attributes
+ and set attributes to a specific value.
+
+ At the beginning, you need to specify where the entries are stored
+ that should be changed. You can select an account suffix, the tree
+ suffix or enter your own DN by selecting "Other".
+
+ Next, enter an additional LDAP filter to limit the entries that
+ should be changed. E.g. use "(objectclass=inetOrgPerson)" to filter for
+ users. You may also enter e.g. "(!(objectClass=passwordSelfReset))" to
+ match all accounts that do not yet have the password self reset
+ feature.
+
+
+
+
+ Now, it is time to define the changes that should be done. The
+ following operations are possible:
+
+
+
+ Add: Adds an attribute value if not yet existing. Please do
+ not use for single-value attributes that already have a
+ value.
+
+
+
+ Modify: Sets an attribute to the given value. If the attribute
+ does not yet exist then it is added. If the attribute has multiple
+ values then all other values are removed.
+
+
+
+ Delete: Deletes the specified value from this attribute. If
+ you leave the value field blank then all attribute values are
+ removed.
+
+
+
+ Please note that all actions are run as separate LDAP commands.
+ You cannot add an object class and a required attribute at the same
+ time.
+
+
+
+
+
+
+
+
+
+ Dry run
+
+ You should always start with a dry run. It will not do any changes
+ to your LDAP directory but print out all modifications that will be
+ done. You will also be able to download the changes in LDIF format to
+ use with ldapmodify. This is useful if you want to adjust some actions
+ manually.
+
+
+
+
+
+
+
+
+
+ Apply changes
+
+ This will run the actions against your LDAP directory. You will
+ see which accounts are edited in the progress area and also if any
+ errors occured.
+
+
+
+
+
+
+
+
+
+
+
+ OU editor
+
+ This is a simple editor to add/delete organisational units in your
+ LDAP tree. This way you can structure the accounts.
+
+
+
+
+
+
+
+
+
+
+
+ PDF editor
+
+ All accounts in LAM may be exported as PDF files. You can specify
+ the page structure and displayed information by editing the PDF
+ profiles.
+
+
+
+
+
+
+
+
+
+ When you export accounts to PDF then each account will get its own
+ page inside the PDF. There is a headline on each page where you can show
+ a page title. You may also add a logo to each page. To add more logos
+ please use the logo management on the PDF editor main page.
+
+
+
+
+
+
+
+
+
+ The main part is structured into sections of information. Each
+ section has a title. This can either be static text or the value of an
+ attribute. You may also insert a static text block as section. Sections
+ can be moved by using the arrows next to the section title.
+
+ Each section can contain multiple fields which usually represent
+ LDAP attributes. You can simply add new fields by selecting the field
+ name and its position. Then use the arrows to move the field inside the
+ section.
+
+
+
+
+ Import/export:
+
+ PDF structures can be exported to and imported from other server
+ profiles.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ There is a special export target called "*Global templates". All
+ PDF structures exported here will be copied to all other server profiles
+ (incl. new ones). But existing PDF structures with the same name are not
+ overwritten. So a PDF structure in global templates is treated as
+ default structure for all server profiles.
+
+ Use this if you would like to setup default PDF structures that
+ are valid for all server profiles.
+
+
+
+
+
+
+
+
+
+ Logo management:
+
+ You can upload image files to put a custom logo on the PDF files.
+ The image file name must end with .png or .jpg and the size must not
+ exceed 2000x300px.
+
+
+
+
+
+
+
+
+
+
+
+ Schema browser
+
+ Here you browse the schema of your LDAP server. You can view what
+ object classes, attributes, syntaxes and matching rules are available.
+ This is useful if you need to check if a certain object class is
+ available.
+
+
+
+
+
+
+
+
+
+
+
+ Server information
+
+ This shows information and statistics about your LDAP server. This
+ includes the suffixes, used overlays, connection data and operation
+ statistics. You will need "cn=monitor" setup to see all details. Some
+ data may not be available depending on your LDAP server software.
+
+ Please see the following links how to setup "cn=monitor":
+
+
+
+ OpenLDAP
+
+
+
+ 389
+ server
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Tests
+
+ This allows you to check if your LDAP schema is compatible with
+ LAM and to find possible problems.
+
+
+ Lamdaemon test
+
+ LAM provides an external script to manage home directories and
+ quotas. You can test here if everything is setup correctly.
+
+ If you get an error like "no tty present and no askpass program
+ specified" then the path to the lamdaemon.pl may be wrong. Please see
+ the lamdaemon installation
+ instructions for setup details.
+
+
+
+
+
+
+
+
+
+
+
+ Schema test
+
+ This will test if your LDAP schema supports all object classes
+ and attributes of the active LAM modules. If you get a message that
+ something is missing please check that you installed all required schemas.
+
+ If you get error messages about object class violations then
+ this test can tell you what is missing.
+
+
+
+
+
+
+
+
+
+
+
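Review bot: the Lamdaemon test section attributes "no tty present and no askpass program specified" to a wrong lamdaemon.pl path without saying where the message comes from; it is sudo's error when it needs a password and has no terminal, which happens when the path LAM invokes does not match the NOPASSWD entry in sudoers. Stating that explicitly ("the path configured in LAM must match the path in your sudoers entry exactly") would let the reader fix the right file instead of guessing. In the Multi edit section, the "Add" operation says "Please do not use for single-value attributes that already have a value" but does not say what happens if you do (the LDAP server rejects the modification and the entry is left unchanged); documenting the failure mode makes the warning actionable, and the recommendation to run a dry run first could be repeated there. Wording fixes: "Please check the data in you CSV file" should be "your CSV file", "LAM will do less checks" should be "fewer checks", "if any errors occured" should be "occurred", and "Here you browse the schema" should be "Here you can browse the schema".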
diff --git a/lam/docs/manual-sources/overview.xml b/lam/docs/manual-sources/overview.xml
new file mode 100644
index 00000000..31699384
--- /dev/null
+++ b/lam/docs/manual-sources/overview.xml
@@ -0,0 +1,115 @@
+
+
+
+ Overview
+
+ LDAP Account Manager (LAM) manages user, group and host accounts in
+ an LDAP directory. LAM runs on any webserver with PHP5 support and
+ connects to your LDAP server unencrypted or via SSL/TLS.
+
+ LAM supports Samba 3/4, Unix, Zarafa, Kolab 2/3, address book
+ entries, NIS mail aliases, MAC addresses and much more. There is a tree
+ viewer included to allow access to the raw LDAP attributes. You can use
+ templates for account creation and use multiple configuration
+ profiles.
+
+ https://www.ldap-account-manager.org/
+
+ Copyright (C) 2003 - 2016 Roland Gruber
+ <post@rolandgruber.de>
+
+ Key features:
+
+
+
+ managing user/group/host/domain entries
+
+
+
+ account profiles
+
+
+
+ account creation via file upload
+
+
+
+ multiple configuration profiles
+
+
+
+ LDAP browser
+
+
+
+ schema browser
+
+
+
+ OU editor
+
+
+
+ PDF export for all accounts
+
+
+
+ manage user/group Quota and create home directories
+
+
+
+ Requirements:
+
+
+
+ PHP5 (>= 5.4.0)
+
+
+
+ Any standard LDAP server (e.g. OpenLDAP, Active Directory, Samba
+ 4, OpenDJ, 389 Directory Server, Apache DS, ...)
+
+
+
+ A recent web browser that supports CSS2 and JavaScript, at
+ minimum:
+
+
+
+ Firefox (max. 2 years old)
+
+
+
+ Chrome (max. 2 years old)
+
+
+
+ Internet Explorer 9 (compatibility
+ mode turned off)
+
+
+
+ Opera (max. 2 years old)
+
+
+
+
+
+ The default password to edit the configuration options is
+ "lam".
+
+ License:
+
+ LAM is published under the GNU General Public License. The complete
+ list of licenses can be found in the copyright file.
+
+ Default password:
+
+ The default password for the LAM configuration is "lam".
+
+
+Have fun!
+ The LAM development team
+
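Review bot: the default configuration password "lam" is stated twice in this file, once after the browser requirements and again under its own "Default password:" heading; keep one occurrence, and since this is a published default, add that it must be changed immediately after installation (ideally pointing to the chapter that describes the configuration pages). The first paragraph says LAM "connects to your LDAP server unencrypted or via SSL/TLS" without any recommendation; the bind credentials and every account password LAM writes travel over that connection, so a sentence recommending SSL/TLS (or at least noting that the unencrypted mode is only for test setups) belongs next to that statement. Minor: the introduction says "any webserver with PHP5 support" while the requirements list says "PHP5 (>= 5.4.0)"; stating the minimum version in both places avoids the impression that any PHP 5 release is sufficient.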