split howto

Roland Gruber 2017-02-10 19:30:10 +01:00
parent b32ba7feb4
commit af265a3014
17 changed files with 12198 additions and 0 deletions


@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix id="clustering">
<title>Clustering LAM</title>
<para>LAM is a web application based on PHP. Therefore, clustering is not
directly a part of the application.</para>
<para>But here are some hints to run LAM in a clustered
environment.</para>
<para><emphasis role="bold">Application parts:</emphasis></para>
<para>LAM can be divided into three parts</para>
<itemizedlist>
<listitem>
<para>Software</para>
</listitem>
<listitem>
<para>Configuration files</para>
</listitem>
<listitem>
<para>Session files and temporary data</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">Software:</emphasis></para>
<para>This is the simplest part. Just install LAM on each cluster node.
Please note that if you run LAM Pro you will need either one license for
each active cluster node or a company license.</para>
<para><emphasis role="bold">Configuration files:</emphasis></para>
<para>These files include the LAM server profiles, account profiles, PDF
structures, ... Usually, they do not change frequently and can be put on a
shared file system (e.g. NFS, AFS, ...).</para>
<para>Please link "config" or "/var/lib/ldap-account-manager/config" to a
directory on your shared file system.</para>
<para><emphasis role="bold">Session data and temporary
files:</emphasis></para>
<para>These are critical because the files may change on every page load.
There are basically two options:</para>
<itemizedlist>
<listitem>
<para>load balancer with session stickiness: In this case your load
balancer will forward all requests of a user to the same cluster node.
In this case you can keep the files locally on your cluster nodes. If
you already have a load balancer then this is the simplest solution
and performs best. The disadvantage is that if a node fails then all
users connected to this node will loose their session and need to
relogin.</para>
</listitem>
<listitem>
<para>shared file system: This should only be used if your load
balancer does not support session stickiness or you use a different
system to distribute request across the cluster. A shared file system
will decrease performance for all page loads.</para>
</listitem>
</itemizedlist>
<para>Session data and temporary files are located in "tmp" + "sess" or
"/var/lib/ldap-account-manager/tmp" +
"/var/lib/ldap-account-manager/sess".</para>
</appendix>
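Review bot: the second list item (shared file system for session data) should state the access restriction that goes with it: the "sess" directory holds the session files that the security appendix in this same commit says contain the user's encrypted LDAP password, so an NFS/AFS export of it needs to be limited to the cluster nodes and readable only by the web server user, not the whole network. Two typos as well: "will loose their session" should be "will lose their session", and "distribute request across the cluster" should be "distribute requests across the cluster".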


@ -0,0 +1,98 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix>
<title>Adapt LAM to your corporate design</title>
<para>There are cases where you might want to change LAM's default
look'n'feel to better integrate it in your company network. Changes can be
done like this:</para>
<para><emphasis role="bold">Change colors, fonts and other parts with
custom CSS</emphasis></para>
<para>You can integrate custom CSS files in LAM. It is recommended to
write a separate CSS file instead of modifying LAM's default files.</para>
<para>The CSS files are located in</para>
<literallayout> DEB/RPM: /usr/share/ldap-account-manager/style
tar.bz2: style
</literallayout>
<para>LAM will automatically integrate all CSS files in alphabetical
order. E.g. you can create a file called "900_myCompany.css" which will be
added as last file.</para>
<para>Example:</para>
<para>This will change the background color of all pages to turquoise. See
500_layout.css for LAM's default settings.</para>
<programlisting>body {
background-color: #b6eeff;
}
</programlisting>
<para>You can use the same way to change fonts, sizes and more.</para>
<para>E.g. this will reduce the default font size to 80%:</para>
<programlisting>body {
font-size: 80%;
}
.ui-button-text-only {
font-size: 100%;
}
.ui-button-text-icon-primary {
font-size: 100%;
}
</programlisting>
<para><emphasis role="bold">Custom logo</emphasis><programlisting>/* image in login box */
td.loginLogo {
background-image: url(/logos/mylogo.png);
}
/* image (24x24) in header line */
a.lamLogo {
background-image: url(/logos/mylogo.png);
}</programlisting></para>
<para><emphasis role="bold">Other images</emphasis></para>
<para>All images are located in</para>
<literallayout> DEB/RPM: /usr/share/ldap-account-manager/graphics
tar.bz2: graphics</literallayout>
<para>Please note that if you replace images then you need to reapply your
changes every time you upgrade LAM.</para>
<para><emphasis role="bold">Special changes with custom
JavaScript</emphasis></para>
<para>In rare cases it might not be sufficient to write custom CSS or
replace some image files. E.g. you might want to add custom content to all
pages.</para>
<para>For these cases you can add a custom JavaScript file that contains
your code.</para>
<para>The JavaScript files are located in</para>
<literallayout> DEB/RPM: /usr/share/ldap-account-manager/templates/lib
tar.bz2: templates/lib</literallayout>
<para>LAM will automatically integrate all .js files in alphabetical
order. E.g. you can create a file called "900_myCompany.js" which will be
added as last file.</para>
<para><emphasis role="bold">Self service</emphasis></para>
<para>See <link linkend="selfServiceBasicSettings">here</link> for self
service customisations.</para>
</appendix>
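Review bot: the custom CSS and custom JavaScript paragraphs need a permissions caveat: because LAM picks up every .css file in "style" and every .js file in "templates/lib" automatically and serves them on every page, those directories must be writable only by root (or the package owner), never by the web server user, otherwise any file dropped there is executed in every user's browser. Separately, the "Custom logo" paragraph puts the programlisting inside the same para as the bold emphasis and has no introductory sentence, unlike the other subsections; suggest closing the emphasis para and adding a line such as "Add this to your custom CSS file to replace the logos:" before the listing.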


@ -0,0 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix id="mailSetup">
<title>Setup of email (SMTP) server</title>
<para>LAM always uses a local SMTP email server on the machine where LAM
is installed. Therefore, there is no need to configure any SMTP settings
inside LAM itself.</para>
<para>The local email server should be configured to forward all emails to
your company mail server (so-called smarthost). You can use any SMTP
software that ships with a Sendmail wrapper (e.g. Exim, Postfix, QMail or
Sendmail itself).</para>
<literallayout>
</literallayout>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/lam_mail.png" />
</imageobject>
</mediaobject>
</screenshot>
</appendix>
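Review bot: the empty <literallayout> block before the screenshot is used as a vertical spacer and should be removed; it renders as a blank preformatted block. The screenshot also needs one sentence stating what it shows, since the paragraph above says no SMTP settings are configured inside LAM at all, which leaves the reader unsure what the image illustrates.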


@ -0,0 +1,205 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix id="a_lamdaemon">
<title>Setup for home directory and quota management</title>
<para>Lamdaemon.pl is used to modify quota and home directories on a
remote or local host via SSH (even if homedirs are located on
localhost).</para>
<para>If you want wo use it you have to set up the following things to get
it to work:</para>
<section>
<title>Installation</title>
<para>First of all, you need to install lamdaemon.pl on your remote
server where LAM should manage homedirs and/or quota. This is usually a
different server than the one where LAM is installed. But there is no
problem if it is the same.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/lamdaemonServers.png" />
</imageobject>
</mediaobject>
</screenshot>
<para></para>
<para><emphasis role="bold">Debian based (e.g. also
Ubuntu)</emphasis></para>
<para>Please install the lamdaemon DEB package on your quota/homedir
server.</para>
<para><emphasis role="bold">RPM based (Fedora, CentOS, Suse,
...)</emphasis></para>
<para>Please install the lamdaemon RPM package on your quota/homedir
server.</para>
<para><emphasis role="bold">Other</emphasis></para>
<para>Please copy lib/lamdaemon.pl from the LAM tar.bz2 package to your
quota/homedir server. The location may be anywhere (e.g. use
/opt/lamdaemon). Please make the lamdaemon.pl script executable.</para>
</section>
<section id="a_lamdaemonConf">
<title>LDAP Account Manager configuration</title>
<itemizedlist>
<listitem>
<para>Set the remote or local host in the configuration (e.g.
127.0.0.1)</para>
</listitem>
<listitem>
<para>Path to lamdaemon.pl, e.g.
/srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a Debian or
RPM package then the script will be located at
/usr/share/ldap-account-manager/lib/lamdaemon.pl.</para>
</listitem>
<listitem>
<para>Your LAM admin user must be a valid Unix account. It needs to
have the object class "posixAccount" and an attribute "uid". This
account must be accepted by the SSH daemon of your home directory
server. Do not create a second local account but change your system
to accept LDAP users. You can use LAM to add the Unix account part
to your admin user or create a new account. Please do not forget to
setup LDAP write access (<ulink
url="http://www.openldap.org/doc/admin24/access-control.html">ACLs</ulink>)
if you create a new account.</para>
</listitem>
</itemizedlist>
<para></para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/lamdaemon.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>Note that the builtin admin/manager entries do not work for
lamdaemon. You need to login with a Unix account.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/lamdaemon1.png" />
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">OpenLDAP ACL location:</emphasis></para>
<para>The access rights for OpenLDAP are configured in
/etc/ldap/slapd.conf or
/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.</para>
</section>
<section>
<title>Setup sudo</title>
<para>The perl script has to run as root. Therefore we need a wrapper,
sudo. Edit /etc/sudoers on host where homedirs or quotas should be used
and add the following line:</para>
<para>$admin All= NOPASSWD: $path_to_lamdaemon *</para>
<para><emphasis condition="">$admin</emphasis> is the admin user from
LAM (must be a valid Unix account) and
<emphasis>$path_to_lamdaemon</emphasis> is the path to
lamdaemon.pl.</para>
<para><emphasis role="bold">Example:</emphasis></para>
<para>myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
*</para>
<para>You might need to run the sudo command once manually to init sudo.
The command "sudo -l" will show all possible sudo commands of the
current user.</para>
<para><emphasis role="bold">Attention:</emphasis> Please do not use the
options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers.
Otherwise you might get errors like "you must have a tty to run sudo" or
"no tty present and no askpass program specified".</para>
</section>
<section>
<title>Setup Perl</title>
<para>We need an extra Perl module - Quota. To install it, run:</para>
<simplelist>
<member>perl -MCPAN -e shell</member>
<member>install Quota</member>
</simplelist>
<para>If your Perl executable is not located in /usr/bin/perl you will
have to edit the path in the first line of lamdaemon.pl. If you have
problems compiling the Perl modules try installing a newer release of
your GCC compiler and the "make" application.</para>
<para>Several Linux distributions already include a quota package for
Perl.</para>
</section>
<section>
<title>Set up SSH</title>
<para>Your SSH daemon must offer the password authentication method. To
activate it just use this configuration option in
/etc/ssh/sshd_config:</para>
<para>PasswordAuthentication yes</para>
</section>
<section>
<title>Troubleshooting</title>
<para>If you have problems managing quotas and home directories then
these points might help:</para>
<itemizedlist>
<listitem>
<para>There is a test page for lamdaemon: Login to LAM and open
Tools -&gt; Tests -&gt; Lamdaemon test</para>
</listitem>
<listitem>
<para>Check /var/log/auth.log or its equivalent on your system. This
file contains messages about all logins. If the ssh login failed
then you will find a description about the reason here.</para>
</listitem>
<listitem>
<para>Set sshd in debug mode. In /etc/ssh/sshd_conf add these
lines:</para>
<simplelist>
<member>SyslogFacility AUTH</member>
<member>LogLevel DEBUG3</member>
</simplelist>
<para>Now check /var/log/syslog for messages from sshd.</para>
</listitem>
</itemizedlist>
<para>Error message <emphasis role="bold">"Your LAM admin user (...)
must be a valid Unix account to work with lamdaemon!"</emphasis>: This
happens if you use the default LDAP admin/manager user to login to LAM.
Please see <link linkend="a_lamdaemonConf">here</link> and setup a Unix
account.</para>
</section>
</appendix>
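Review bot: the sudoers template "$admin All= NOPASSWD: $path_to_lamdaemon *" uses "All=" while the example below correctly uses "ALL="; sudoers keywords are case-sensitive, so the template should read "ALL=". The "Attention" paragraph tells readers to drop "Defaults requiretty" and "Defaults env_reset" outright; env_reset is a hardening default that applies to every sudo user on the host, so the text should scope the change to the lamdaemon user, e.g. "Defaults:$admin !requiretty" and "Defaults:$admin !env_reset", rather than removing the global settings. In the same spirit, "PasswordAuthentication yes" in the SSH section should mention that it can be limited to the LAM admin account with a "Match User" block instead of being enabled for all accounts. Smaller fixes: "If you want wo use it" should be "to use it"; "/etc/ssh/sshd_conf" in the troubleshooting list should be "/etc/ssh/sshd_config" as used earlier in the same file; the empty condition="" attribute on the $admin emphasis can be dropped; the heading "Setup sudo" should be "Set up sudo" to match "Set up SSH".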


@ -0,0 +1,81 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix>
<title>Typical OpenLDAP settings</title>
<para>Some basic hints to configure the OpenLDAP server:</para>
<para><emphasis id="size_limit_exceeded" role="bold">Size
limit:</emphasis></para>
<para>You will get a message like "LDAP sizelimit exceeded, not all
entries are shown." when you hit the LDAP search limit.</para>
<para>OpenLDAP allows by default 500 return values per search, if you have
more users/groups/hosts please change this:</para>
<para>slapd.conf:</para>
<para>e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return
values</para>
<para>slapd.d:</para>
<para>e.g. "olcSizeLimit: 10000" or "olcSizeLimit: -1" for unlimited
return values in /etc/ldap/slapd.d/cn=config.ldif</para>
<literallayout>
</literallayout>
<para><emphasis id="a_openldap_unique" role="bold">Unique
attributes:</emphasis></para>
<para>There are cases where you do not want that same attribute values
exist multiple times in your database. A good example are UID/GID
numbers.</para>
<para>OpenLDAP provides the <ulink
url="http://www.openldap.org/doc/admin24/overlays.html">attribute
uniqueness overlay</ulink> for this task.</para>
<para>Example to force unique UID numbers:</para>
<para>In
<emphasis>/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif</emphasis> add
"olcModuleLoad: {3}unique" (replace "3" with the highest existing number
plus one).</para>
<para>Now in /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif add e.g.
"olcUniqueURI: ldap:///?uidNumber?sub"</para>
<literallayout>
</literallayout>
<para id="indices"><emphasis role="bold">Indices:</emphasis></para>
<para>Indices will improve the performance when searching for entries in
the LDAP directory. The following indices are recommended:</para>
<simplelist>
<member>index objectClass eq</member>
<member>index default sub</member>
<member>index uidNumber eq</member>
<member>index gidNumber eq</member>
<member>index memberUid eq</member>
<member>index cn,sn,uid,displayName pres,sub,eq</member>
<member># Samba 3.x</member>
<member>index sambaSID eq</member>
<member>index sambaPrimaryGroupSID eq</member>
<member>index sambaDomainName eq</member>
</simplelist>
</appendix>
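Review bot: the size limit advice offers "sizelimit -1" / "olcSizeLimit: -1" as a global setting, which removes the limit for every client that can bind, not just LAM; the text should point out that OpenLDAP's "limits" directive ("olcLimits" in cn=config) can grant an unlimited size to the LAM admin DN alone, e.g. limits dn.exact="cn=admin,dc=example,dc=com" size=unlimited, leaving the default in place for everyone else. The olcDatabase={1}bdb.ldif path in the uniqueness example assumes the bdb backend; mdb-based installs have olcDatabase={1}mdb.ldif, which deserves a parenthetical. Minor: "you do not want that same attribute values exist multiple times" should read "you do not want the same attribute value to exist multiple times"; the two empty <literallayout> spacer blocks should go; the "# Samba 3.x" comment as a simplelist member renders like an index line and would read better as a short para before the Samba entries.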


@ -0,0 +1,700 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix id="a_schema">
<title>LDAP schema files</title>
<para>Here is a list of needed LDAP schema files for the different LAM
modules. For OpenLDAP we also provide a source where you can get the
files.</para>
<table frame="none" lang="" role="" tabstyle="nogrid">
<title>LDAP schema files</title>
<tgroup cols="6">
<thead>
<row>
<entry></entry>
<entry>Account type</entry>
<entry>Object class(es)</entry>
<entry>Schema name</entry>
<entry>Source</entry>
<entry>Notes</entry>
</row>
</thead>
<tbody>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_unix.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Unix accounts</entry>
<entry>posixAccount, shadowAccount, hostObject, posixGroup</entry>
<entry>nis.schema, rfc2307bis.schema, ldapns.schema
(hostObject)</entry>
<entry>Part of OpenLDAP installation, part of libpam-ldap
(ldapns.schema)</entry>
<entry>The rfc2307bis.schema is only supported by LAM Pro. Use the
nis.schema if you do not want to upgrade to LAM Pro.</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_inetOrgPerson.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Address book entries</entry>
<entry>inetOrgPerson</entry>
<entry>inetorgperson.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_samba.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Samba 3 accounts</entry>
<entry>sambaSamAccount, sambaGroupMapping, sambaDomain</entry>
<entry>samba.schema</entry>
<entry>Part of Samba tarball (examples/LDAP/samba.schema)</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_samba.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Windows AD (Samba 4)</entry>
<entry>user, group, computer</entry>
<entry></entry>
<entry>Samba 4 built-in</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_kolab.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Kolab 2/3 users</entry>
<entry>kolabUser</entry>
<entry>kolab2/3.schema, rfc2739.schema</entry>
<entry>Part of Kolab 2/3 installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_asterisk.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Asterisk (extension)</entry>
<entry>AsteriskSIPUser, AsteriskExtension</entry>
<entry>asterisk.schema</entry>
<entry>Part of Asterisk installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_pykota.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>PyKota users, groups, printers and billing codes</entry>
<entry>pykotaObject, pykotaAccount, pykotaAccountBalance,
pykotaGroup, pykotaPrinter, pykotaBilling</entry>
<entry>pykota.schema</entry>
<entry>Part of PyKota installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_mailAlias.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Mail routing</entry>
<entry>inetLocalMailRecipient</entry>
<entry>misc.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_hostObject.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Hosts</entry>
<entry>hostObject, device</entry>
<entry>ldapns.schema</entry>
<entry>Part of libpam-ldap installation</entry>
<entry>The device object class is only available in LAM
Pro.</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_authorizedServices.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Authorized services</entry>
<entry>authorizedServiceObject</entry>
<entry>ldapns.schema</entry>
<entry>Part of libpam-ldap installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_mailAlias.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Mail aliases</entry>
<entry>nisMailAlias</entry>
<entry>misc.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_mailAlias.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Qmail user</entry>
<entry>qmailUser</entry>
<entry>qmail.schema</entry>
<entry>Part of <ulink
url="http://www.nrg4u.com/">qmail_ldap</ulink></entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_mac.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>MAC addresses</entry>
<entry>ieee802device</entry>
<entry>nis.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_ipHost.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>IP addresses</entry>
<entry>ipHost</entry>
<entry>nis.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_puppet.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Puppet</entry>
<entry>puppetClient</entry>
<entry>puppet.schema</entry>
<entry><ulink
url="https://github.com/puppetlabs/puppet/blob/master/ext/ldap/puppet.schema">Puppet
on GitHub</ulink></entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_eduPerson.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>EDU person</entry>
<entry>eduPerson</entry>
<entry>eduperson.schema</entry>
<entry><ulink
url="http://middleware.internet2.edu/eduperson/">http://middleware.internet2.edu</ulink></entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_user.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Simple Accounts</entry>
<entry>account</entry>
<entry>cosine.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_ssh.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>SSH public keys</entry>
<entry>ldapPublicKey</entry>
<entry>openssh-lpk.schema</entry>
<entry>Included in patch from <ulink
url="http://code.google.com/p/openssh-lpk/">http://code.google.com/p/openssh-lpk/</ulink></entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_quota.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Filesystem quotas</entry>
<entry>systemQuotas</entry>
<entry>quota.schema</entry>
<entry><ulink
url="http://sourceforge.net/projects/linuxquota/">Linux
DiskQuota</ulink></entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_group.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Group of (unique) names</entry>
<entry>groupOfNames, groupOfUniqueNames, groupOfMembers</entry>
<entry>core.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_group.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Groups</entry>
<entry>organizationalRole</entry>
<entry>core.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_dhcp.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>DHCP</entry>
<entry>dhcpOptions, dhcpSubnet, dhcpServer</entry>
<entry>dhcp.schema</entry>
<entry>docs/schema/dhcp.schema</entry>
<entry>The LDAP suffix should be set to your dhcpServer
entry.</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_bind.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Bind DLZ DNS</entry>
<entry>dlzZone, dlzHost, dlzSOARecord, dlzNSRecord, dlzARecord,
dlzMXRecord, dlzCNameRecord, dlzPTRRecord</entry>
<entry>dlz.schema</entry>
<entry>part of <ulink url="http://bind-dlz.sourceforge.net/">Bind
DLZ patch</ulink></entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_alias.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Aliases</entry>
<entry>alias, uidObject</entry>
<entry>core.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_netgroup.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>NIS netgroups</entry>
<entry>nisNetgroup</entry>
<entry>nis.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_nisObject.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>NIS objects</entry>
<entry>nisObject</entry>
<entry>nis.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_nisObject.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Automount objects</entry>
<entry>automount</entry>
<entry>autofs.schema, rfc2307bis.schema</entry>
<entry>Autofs LDAP</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_oracle.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Oracle databases</entry>
<entry>orclNetService</entry>
<entry>oidbase.schema, oidnet.schema, oidrdbms.schema,
alias.schema</entry>
<entry>Preinstalled on Oracle directory server, OpenLDAP schemas
can be downloaded e.g. <ulink
url="http://www.idevelopment.info/data/Oracle/DBA_tips/LDAP/LDAP_8.shtml">here</ulink></entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_ppolicy.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Password policies</entry>
<entry>pwdPolicy, device</entry>
<entry>ppolicy.schema, core.schema</entry>
<entry>Part of OpenLDAP installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_freeRadius.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>FreeRadius users</entry>
<entry>radiusprofile</entry>
<entry>openldap.schema</entry>
<entry>Part of FreeRadius installation</entry>
<entry></entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_heimdal.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Heimdal Kerberos</entry>
<entry>krb5KDCEntry</entry>
<entry>hdb.schema</entry>
<entry>Part of Heimdal Kerberos installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_mitKerberos.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>MIT Kerberos</entry>
<entry>krbPrincipal, krbPrincipalAux, krbTicketPolicyAux</entry>
<entry>kerberos.schema</entry>
<entry>Part of MIT Kerberos installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_sudo.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Sudo roles</entry>
<entry>sudoRole</entry>
<entry>sudo.schema</entry>
<entry>Part of sudo-ldap installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_zarafa.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>Zarafa</entry>
<entry>zarafa-user, zarafa-group, zarafa-server</entry>
<entry>zarafa.schema</entry>
<entry>Part of Zarafa installation</entry>
<entry>LAM Pro only</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_mailAlias.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>IMAP mailboxes</entry>
<entry>-</entry>
<entry>-</entry>
<entry>-</entry>
<entry>Does not require any schema.</entry>
</row>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/schema_nsview.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>LDAP views</entry>
<entry>nsview, organizationalunit</entry>
<entry>built-in</entry>
<entry>Part of LDAP server installation (e.g. 389 server)</entry>
<entry>LAM Pro only</entry>
</row>
</tbody>
</tgroup>
</table>
</appendix>
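Review bot: the "Hosts" row lists the object classes "hostObject, device" but names only ldapns.schema as the schema; "device" comes from core.schema, as the "Password policies" row of this same table states, so core.schema should be added there. The "SSH public keys" source link points to http://code.google.com/p/openssh-lpk/, a Google Code project host that was shut down in 2016, so the link should be replaced with a current location for openssh-lpk.schema. The "DHCP" source entry "docs/schema/dhcp.schema" should say which package that path is relative to, since every other source names its origin. Minor: the Notes column mixes "LAM Pro only" and "only supported by LAM Pro", pick one wording; the empty lang="" and role="" attributes on <table> can be dropped.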


@ -0,0 +1,443 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix id="a_security">
<title>Security</title>
<section id="a_configPasswords">
<title>LAM configuration passwords</title>
<para>LAM supports a two level authorization system for its
configuration. Therefore, there are two types of configuration
passwords:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">master configuration
password:</emphasis> needed to change general settings,
create/delete server profiles and self service profiles</para>
</listitem>
<listitem>
<para><emphasis role="bold">server profile password:</emphasis> used
to change the settings of a server profile (e.g. LDAP server and
account types to manage)</para>
</listitem>
</itemizedlist>
<para>The master configuration password can be used to reset a server
profile password. Each server profile has its own profile
password.</para>
<para>Both password types are stored as hash values in the configuration
files for enhanced security.</para>
</section>
<section>
<title>Use of SSL</title>
<para>The data which is transfered between you and LAM is very
sensitive. Please always use SSL encrypted connections between LAM and
your browser to protect yourself against network sniffers.</para>
</section>
<section>
<title>LDAP with SSL and TLS</title>
<para>SSL will be used if you use ldaps://servername in your
configuration profile. TLS can be activated with the "Activate TLS"
option.</para>
<para>If your LDAP server uses a SSL certificate of a well-know
certificate authority (CA) then you probably need no changes. If you use
a custom CA in your company then there are two ways to setup the CA
certificates.</para>
<section>
<title>Setup SSL certificates in LAM general settings</title>
<para>This is much easier than system level setup and will only affect
LAM. There might be some cases where other web applications on the
same web server are influenced.</para>
<para>See <link linkend="conf_sslCert">here</link> for details.</para>
</section>
<section id="ssl_certSystem">
<title>Setup SSL certificates on system level</title>
<para>This will make the CA certificates available also to other
applications on your system (e.g. other web applications).</para>
<para>You will need to setup ldap.conf to trust your server
certificate. Some installations use /etc/ldap.conf and some use
/etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
/etc/ldap/ldap.conf. Specify the server CA certificate with the
following option:</para>
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
<para>This needs to be the public part of the signing certificate
authority. See "man ldap.conf" for additional options.</para>
<literallayout>
</literallayout>
<para>You may also need to specify the CA certificate in your Apache
configuration by using the option "LDAPTrustedGlobalCert":</para>
<programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting>
</section>
</section>
<section id="selinux">
<title>Selinux</title>
<para>In case your server has selinux installed you might need to extend
the selinux ruleset. E.g. your webserver might not be allowed to write
in /var/lib.</para>
<para><emphasis role="bold">Read selinux status</emphasis></para>
<para>The following command will tell you if selinux is running in
Enforcing or Permissive mode.</para>
<para>Enforcing: access that does not match rules is denied</para>
<para>Permissive: access that does not match rules is granted but logged
to audit.log</para>
<programlisting>getenforce</programlisting>
<para><emphasis role="bold">Set selinux to Permissive
mode</emphasis></para>
<para>This will just log any access violations. You will need this to
get a list of missing rights.</para>
<programlisting>setenforce Permissive</programlisting>
<para>Now do any actions inside LAM that you need for your daily work
(e.g. edit server profiles, manage LDAP entries, ...).</para>
<para><emphasis role="bold">Extend SELinux rules</emphasis></para>
<para>SELinux has now logged all violations to audit.log. You can use
them to extend your policy and enable Enforcing mode later.</para>
<para>The following example is for httpd. You can also adapt it to e.g.
nginx (on Fedora/RHEL based systems nginx runs in the same httpd_t
domain).</para>
<programlisting># build additional selinux rules from audit.log
grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
</programlisting>
<para>The httpdlocal.te might look like this:</para>
<programlisting>module httpdlocal 1.0;
require {
type httpd_t;
type var_lib_t;
class file { setattr write };
}
#============= httpd_t ==============
#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
allow httpd_t var_lib_t:file { setattr write };
</programlisting>
<para>Read the generated file before installing it. The allow rule
grants httpd_t write access to every file labelled var_lib_t, not only
to LAM's files, which is why audit2allow prints the warning above. The
least privilege fix is the one it suggests: label LAM's configuration
directory (not just lam.conf) as httpd_var_lib_t with "semanage fcontext
-a -t httpd_var_lib_t '/var/lib/ldap-account-manager(/.*)?'" followed by
"restorecon -R -v /var/lib/ldap-account-manager", and skip the custom
module. If you still need the module, compile and install it:</para>
<programlisting># build module
checkmodule -M -m -o httpdlocal.mod httpdlocal.te
# package module
semodule_package -o httpdlocal.pp -m httpdlocal.mod
# install module
semodule -i httpdlocal.pp</programlisting>
<para>Now you can switch back to Enforcing mode:</para>
<programlisting>setenforce Enforcing</programlisting>
<para>LAM should now work as expected with active SELinux. Repeat the
actions from above and check that no new denials appear, e.g. with
"ausearch -m avc -ts recent".</para>
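<para>The following shell script is an added example and not part of
LAM: it reads AVC records in the audit.log format used above (the sample
records embedded in it are constructed, not captured from a real host),
merges them into the "allow" rules audit2allow would emit, and lists the
rules whose target type is not one of httpd's own types, i.e. the cases
where relabelling with semanage fcontext is the right fix rather than a
broad allow rule.</para>

```shell
#!/bin/sh
# Added example, not LAM's own code: summarise AVC denials into the allow
# rules audit2allow would generate and flag rules that target a generic
# type (var_lib_t, tmp_t, ...) where relabelling is the better fix.

# Constructed sample audit.log records for httpd_t (not from a real system).
SAMPLE_AVC='type=AVC msg=audit(1486750000.101:301): avc:  denied  { write } for  pid=2201 comm="apache2" name="lam.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486750000.102:302): avc:  denied  { setattr } for  pid=2201 comm="apache2" name="lam.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486750000.103:303): avc:  denied  { add_name } for  pid=2201 comm="apache2" name="sess_9f3a" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1486750000.103:303): arch=c000003e syscall=2 success=yes exit=12 comm="apache2" exe="/usr/sbin/apache2"'

# Read audit.log records on stdin and print one "allow" rule per
# (source type, target type, object class); permissions are merged and sorted.
avc_to_allow_rules() {
    grep 'avc:  denied' \
    | sed -E 's/.*denied  \{ ([^}]*) \}.*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([^ ]*).*/\2 \3 \4 \1/' \
    | awk '{ for (i = 4; i <= NF; i++) print $1, $2, $3, $i }' \
    | sort -u \
    | awk '
        { k = $1 " " $2 " " $3 }
        k != key {
            if (key != "") print "allow " src " " tgt ":" cls " {" perms " };"
            key = k; src = $1; tgt = $2; cls = $3; perms = ""
        }
        { perms = perms " " $4 }
        END { if (key != "") print "allow " src " " tgt ":" cls " {" perms " };" }'
}

# Keep only rules whose target type is not an httpd_* type: allowing these
# opens every file of that type system-wide, so relabel the path instead.
generic_target_rules() {
    awk '$3 !~ /^httpd_/'
}

# Usage: ./avcrules.sh demo   (or: grep httpd /var/log/audit/audit.log | avc_to_allow_rules)
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules
    echo "--- rules that should become a relabel instead:"
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules | generic_target_rules
fi
```

For the constructed records the script prints the same two rules as the
httpdlocal.te above, and both of them end up in the relabel list because
their target is var_lib_t.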
</section>
<section>
<title>Chrooted servers</title>
<para>If your server is chrooted and the web server has no access to
/dev/random or /dev/urandom this is a security risk. LAM stores your
LDAP password encrypted in the session and generates the encryption key
from /dev/random or /dev/urandom. If neither device is accessible, LAM
falls back to PHP's rand(), whose output is predictable, so the key can
be easily guessed. An attacker needs read access to the session file
(e.g. from another Apache instance on the same host) to exploit this.
Make sure both device nodes exist inside the chroot.</para>
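<para>The following shell script is an added example, not part of LAM:
it checks whether a chroot (path given as argument, e.g. the assumed
/var/chroot/apache) exposes /dev/random and /dev/urandom as character
devices and prints the mknod commands needed to create them. The device
numbers (major 1, minor 8 and 9) are the Linux values.</para>

```shell
#!/bin/sh
# Added example, not LAM's own code: verify that a chroot contains the
# kernel random devices LAM needs for key generation and print the
# commands that would create them. Usage: ./chkrandom.sh /var/chroot/apache
# (the chroot path is an assumption; pass your own).

# Return 0 if both devices exist as character devices below $1, else 1.
# Missing devices are listed on stdout.
check_random_devices() {
    root=${1%/}
    rc=0
    for dev in random urandom; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "missing: $root/dev/$dev"
            rc=1
        fi
    done
    return $rc
}

# Print the commands that repair the chroot (run them as root).
# Linux device numbers: random = 1:8, urandom = 1:9.
random_device_fix_commands() {
    root=${1%/}
    echo "mkdir -p $root/dev"
    echo "mknod -m 0666 $root/dev/random c 1 8"
    echo "mknod -m 0666 $root/dev/urandom c 1 9"
}

if [ -n "${1:-}" ]; then
    check_random_devices "$1" || random_device_fix_commands "$1"
fi
```

Run it with the chroot path as argument; a non-zero exit status means
at least one device is missing and the printed mknod lines are the fix.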
</section>
<section>
<title>Protection of your LDAP password and directory contents</title>
<para>You have to install the MCrypt extension for PHP to enable
encryption.</para>
<para>Your LDAP password is stored encrypted in the session file. The
key and IV to decrypt it are stored in two cookies in the user's
browser, so the session file on the server alone is not sufficient to
recover the password. We use MCrypt/AES to encrypt the password. All
data that was read from LDAP and needs to be stored in the session file
is also encrypted.</para>
</section>
<section id="apache">
<title>Apache configuration</title>
<section>
<title>Sensitive directories</title>
<para>LAM includes several .htaccess files to protect your
configuration files and temporary data. Apache is often configured to
ignore .htaccess files by default. Therefore, please check the
Directory section for the LAM directory in your Apache configuration
and set the override setting to:</para>
<programlisting>AllowOverride All</programlisting>
<para>If you are experienced in configuring Apache then you can also
copy the security settings from the .htaccess files to your main
Apache configuration.</para>
<para>If possible, you should not rely on .htaccess files but also
move the config and sess directory to a place outside of your WWW
root. You can put a symbolic link in the LAM directory so that LAM
finds the configuration/session files.</para>
<para>Security sensitive directories:</para>
<para><emphasis role="bold">config: </emphasis>Contains your LAM
configuration and account profiles</para>
<itemizedlist>
<listitem>
<para>LAM configuration passwords (SSHA hashed)</para>
</listitem>
<listitem>
<para>default values for new accounts</para>
</listitem>
<listitem>
<para>directory must be accessible by Apache but need not be
accessible by the browser</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">sess:</emphasis> PHP session files</para>
<itemizedlist>
<listitem>
<para>LAM admin password in clear text or MCrypt encrypted</para>
</listitem>
<listitem>
<para>cached LDAP entries in clear text or MCrypt encrypted</para>
</listitem>
<listitem>
<para>directory must be accessible by Apache but need not be
accessible by the browser</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">tmp:</emphasis> temporary files</para>
<itemizedlist>
<listitem>
<para>PDF documents which may also include passwords</para>
</listitem>
<listitem>
<para>images of your users</para>
</listitem>
<listitem>
<para>directory contents must be accessible by the browser but the
directory itself need not be browsable</para>
</listitem>
</itemizedlist>
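<para>The following shell script is an added example and not LAM's own
code: it moves the config and sess directories out of the web root as
recommended above, leaves symbolic links in place and verifies that both
entries are links pointing outside the web root. The LAM root and the
private target directory are arguments; the defaults are assumed paths.
Ownership and permissions travel with the directories, so the web server
keeps its access.</para>

```shell
#!/bin/sh
# Added example, not LAM's own code: relocate LAM's sensitive directories
# outside the document root and leave symlinks behind.
# Usage: ./relocate.sh run   (edit the two assumed paths first)
LAM_ROOT=${LAM_ROOT:-/var/www/html/lam}           # assumed web-reachable LAM directory
PRIVATE_BASE=${PRIVATE_BASE:-/var/lib/lam-private} # assumed directory outside the web root

# relocate_dir LAM_ROOT PRIVATE_BASE NAME
# Move LAM_ROOT/NAME to PRIVATE_BASE/NAME and replace it with a symlink.
# No-op if NAME is already a link; refuses to overwrite an existing target.
relocate_dir() {
    src=$1/$3; dst=$2/$3
    if [ -L "$src" ]; then return 0; fi
    [ -d "$src" ] || { echo "no such directory: $src"; return 1; }
    [ -e "$dst" ] && { echo "target exists: $dst"; return 1; }
    mkdir -p "$2"
    mv "$src" "$dst"        # mv keeps owner and mode, so Apache keeps its access
    ln -s "$dst" "$src"
}

# check_sensitive_dirs LAM_ROOT
# Return 0 if config and sess are symlinks whose targets lie outside LAM_ROOT.
check_sensitive_dirs() {
    rc=0
    for name in config sess; do
        p=$1/$name
        if [ ! -L "$p" ]; then echo "not a symlink: $p"; rc=1; continue; fi
        target=$(readlink "$p")
        case $target in
            "$1"/*) echo "link stays inside web root: $p to $target"; rc=1 ;;
        esac
    done
    return $rc
}

# relocate_all LAM_ROOT PRIVATE_BASE: move both directories, then verify.
relocate_all() {
    for name in config sess; do
        relocate_dir "$1" "$2" "$name" || return 1
    done
    check_sensitive_dirs "$1"
}

if [ "${1:-}" = "run" ]; then
    relocate_all "$LAM_ROOT" "$PRIVATE_BASE"
fi
```

The check is separate from the move so it can be run on its own, for
example after an update of the LAM package, to confirm that the links
are still in place.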
</section>
<section id="apache_http_auth">
<title>Use LDAP HTTP authentication for LAM</title>
<para>With HTTP authentication Apache will be responsible for asking
for the user name and password. Both will then be forwarded to LAM which
will use them to access LDAP. This approach gives you more flexibility
to restrict the number of users that may access LAM (e.g. by requiring
group memberships). Since HTTP Basic authentication sends the password
with every request, serve LAM over HTTPS only. The "ldap://localhost"
URL in the examples binds to LDAP without encryption; use "ldaps://" or
append the "TLS" argument to AuthLDAPURL (STARTTLS) when the LDAP server
is on another host, and configure "LDAPTrustedGlobalCert" as described
above.</para>
<para>First of all you need to load additional Apache modules. These
are "<ulink
url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>"
and "<ulink type=""
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para>
<para>Next you can add a file called "lam_auth_ldap" to
/etc/apache/conf.d. This simple example restricts access to all URLs
beginning with "/lam" to LDAP authenticated users.</para>
<programlisting>&lt;location /lam&gt;
AuthType Basic
AuthBasicProvider ldap
AuthName "LAM"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
Require valid-user
&lt;/location&gt;</programlisting>
<para>You can also require that your users belong to a certain Unix
group in LDAP. Do not keep "Require valid-user" in the same block:
multiple Require directives are combined with OR (Apache 2.4 wraps them
in an implicit RequireAny), so any authenticated user would already
satisfy the first one and the group check would never restrict anything.
Use only the group requirement:</para>
<programlisting>&lt;location /lam&gt;
AuthType Basic
AuthBasicProvider ldap
AuthName "LAM"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
# force membership of lam-admins (posixGroup: memberUid holds user names, not DNs)
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
&lt;/location&gt;</programlisting>
<para>Please see the <ulink
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">Apache
documentation</ulink> for more details.</para>
</section>
<section>
<title>Self Service behind proxy in DMZ (LAM Pro)</title>
<para>In some cases you might want to make the self service accessible
via the internet. Here is an Apache config to forward only the
required URLs via a proxy server (lamproxy.company.com) in your DMZ to
the internal LAM server (lam.company.com).</para>
<para><inlinemediaobject>
<imageobject>
<imagedata fileref="images/selfServiceProxy.png" />
</imageobject>
</inlinemediaobject></para>
<para>This configuration allows your users to open
https://lamproxy.company.com which will then proxy the self service on
the internal server.</para>
<programlisting>&lt;VirtualHost lamproxy.company.com:443&gt;
ServerName lamproxy.company.com
ErrorLog /var/log/apache2/lam-proxy-error.log
CustomLog /var/log/apache2/lam-proxy-access.log combined
DocumentRoot /var/www/lam-proxy
&lt;Proxy *&gt;
# Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 use "Require all granted" instead
Order deny,allow
Allow from all
&lt;/Proxy&gt;
SSLProxyEngine on
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
ProxyPreserveHost On
ProxyRequests off
loglevel info
# redirect front page to self service login page
RewriteEngine on
RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&amp;name=lam
# proxy required URLs
ProxyPass /tmp https://lam.company.com/lam/tmp
ProxyPass /sess https://lam.company.com/lam/sess
ProxyPass /templates/lib https://lam.company.com/lam/templates/lib
ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService
ProxyPass /style https://lam.company.com/lam/style
ProxyPass /graphics https://lam.company.com/lam/graphics
ProxyPassReverse /tmp https://lam.company.com/lam/tmp
ProxyPassReverse /sess https://lam.company.com/lam/sess
ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib
ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService
ProxyPassReverse /style https://lam.company.com/lam/style
ProxyPassReverse /graphics https://lam.company.com/lam/graphics
&lt;/VirtualHost&gt;</programlisting>
</section>
</section>
<section id="nginx">
<title>Nginx configuration</title>
<para>There is no fully automatic setup of Nginx but LAM provides a
ready-to-use configuration file.</para>
<section>
<title>RPM based installations</title>
<para>The RPM package has dependencies on Apache. Therefore, Nginx is
not officially supported with this installation mode. Use tar.bz2 if
you are unsure.</para>
<para>However, the package also includes an Nginx configuration file.
Please include it in your server directive like this:</para>
<programlisting>server {
...
include /etc/ldap-account-manager/lam.nginx.conf;
...
}</programlisting>
</section>
<section>
<title>DEB based installations</title>
<para>The LAM installation package ships with an Nginx configuration
file. Please include it in your server directive like this:</para>
<programlisting>server {
...
include /etc/ldap-account-manager/lam.nginx.conf;
...
}</programlisting>
</section>
<section>
<title>tar.bz2 based installations</title>
<para>Please add the following configuration snippet to your server
directive.</para>
<para>You will need to change the alias location
("/usr/share/ldap-account-manager") and fastcgi_pass
("/var/run/php5-fpm.sock") to match your installation.</para>
<para>Keep the deny block before the PHP block: Nginx checks regular
expression locations in the order they appear in the configuration and
stops at the first match, so with the PHP block first a request like
/lam/lib/x.php would be handed to PHP-FPM instead of being rejected. If
PHP-FPM answers "File not found" or logs "Primary script unknown", the
SCRIPT_FILENAME set by your fastcgi_params does not account for the
alias; in that case enable the $request_filename line shown below.</para>
<programlisting>location /lam {
index index.html;
alias /usr/share/ldap-account-manager;
autoindex off;
# deny internal directories first: regex locations are matched in order, first match wins
location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
deny all;
return 403;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
# uncomment if PHP-FPM cannot find the script because of the alias above
# fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
</programlisting>
</section>
</section>
</appendix>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix id="a_passwordSelfResetSchema">
<title>Setup password self reset schema (LAM Pro)</title>
<section id="passwordSelfResetSchema_new">
<title>New installation</title>
<para>Please see <link
linkend="passwordSelfResetSchema_update">here</link> if you want to
upgrade an existing schema version.</para>
<para><emphasis role="bold">Schema installation</emphasis></para>
<para>Please install the schema that comes with LAM Pro. The schema
files are located in:</para>
<itemizedlist>
<listitem>
<para>tar.bz2: docs/schema</para>
</listitem>
<listitem>
<para>DEB: /usr/share/doc/ldap-account-manager/docs/schema</para>
</listitem>
<listitem>
<para>RPM:
/usr/share/doc/ldap-account-manager-{VERSION}/schema</para>
</listitem>
</itemizedlist>
<literallayout>
</literallayout>
<para><emphasis role="bold">OpenLDAP with slapd.conf
configuration</emphasis></para>
<para>For a configuration with slapd.conf-file copy
passwordSelfReset.schema to /etc/ldap/schema/ and add this line to
slapd.conf:</para>
<literallayout> include /etc/ldap/schema/passwordSelfReset.schema
</literallayout>
<para><emphasis role="bold">OpenLDAP with slapd.d
configuration</emphasis></para>
<para>For slapd.d configurations you need to upload the schema file
passwordSelfReset.ldif via the ldapadd command:</para>
<literallayout> ldapadd -x -W -H ldap://localhost -D "cn=admin,o=test,c=de" -f passwordSelfReset.ldif
</literallayout>
<para>Please replace "localhost" with your LDAP server and
"cn=admin,o=test,c=de" with an LDAP user that may write to cn=config
(usually starts with cn=admin or cn=manager). On many distributions the
database admin has no rights on cn=config; in that case run ldapadd as
root on the LDAP server itself with "-Y EXTERNAL -H ldapi:///" instead
of "-x -W -H ... -D ...".</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">389 server</emphasis></para>
<para>Please replace INSTANCE with installation ID, e.g.
slapd-389ds.</para>
<literallayout> cp passwordSelfReset-389server.ldif /etc/dirsrv/INSTANCE/schema/70pwdreset.ldif
systemctl restart dirsrv.target
</literallayout>
<para><emphasis role="bold">Samba 4</emphasis></para>
<para>The schema files are passwordSelfReset-Samba4-attributes.ldif and
passwordSelfReset-Samba4-objectClass.ldif.</para>
<para>First, you need to edit them and replace "DOMAIN_TOP_DN" with your
LDAP suffix (e.g. dc=samba4,dc=test).</para>
<para>Then install the attribute and afterwards the object class schema
file:</para>
<literallayout> ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true
ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true
</literallayout>
<para><emphasis role="bold">Windows</emphasis></para>
<para>The schema file is passwordSelfReset-Windows.ldif.</para>
<para>First, you need to edit it and replace "DOMAIN_TOP_DN" with your
LDAP suffix (e.g. dc=windows,dc=test).</para>
<para>Then install the schema file as administrator on a command
line:</para>
<literallayout> ldifde -v -i -f passwordSelfReset-Windows.ldif
</literallayout>
<para>This allows to set a security question + answer for each
account.</para>
</section>
<section id="passwordSelfResetSchema_update">
<title>Schema update</title>
<para>The schema files are located in:</para>
<itemizedlist>
<listitem>
<para>tar.bz2: docs/schema/updates</para>
</listitem>
<listitem>
<para>DEB:
/usr/share/doc/ldap-account-manager/docs/schema/updates</para>
</listitem>
<listitem>
<para>RPM:
/usr/share/doc/ldap-account-manager-{VERSION}/schema/updates</para>
</listitem>
</itemizedlist>
<literallayout>
</literallayout>
<para>Schema versions:</para>
<orderedlist>
<listitem>
<para>Initial version (LAM Pro 3.6 - 4.4)</para>
</listitem>
<listitem>
<para>Added passwordSelfResetBackupMail (LAM Pro 4.5 - 5.5)</para>
</listitem>
<listitem>
<para>Multiple security questions (LAM Pro 5.6)</para>
</listitem>
</orderedlist>
<literallayout>
</literallayout>
<para><emphasis role="bold">OpenLDAP with slapd.conf
configuration</emphasis></para>
<para>Install the schema file like a <link
linkend="passwordSelfResetSchema_new">new install</link> (skip
modification of slapd.conf file).</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">OpenLDAP with slapd.d
configuration</emphasis></para>
<para>The upgrade requires stopping the LDAP server.</para>
<para>Steps:</para>
<orderedlist>
<listitem>
<para>Stop OpenLDAP with e.g. "/etc/init.d/slapd stop"</para>
</listitem>
<listitem>
<para>Delete the old schema file. It is located in e.g.
"/etc/ldap/slapd.d/cn=config/cn=schema" and called
"cn={XX}passwordselfreset.ldif" (XX can be any number)</para>
</listitem>
<listitem>
<para>Start OpenLDAP with e.g. "/etc/init.d/slapd start"</para>
</listitem>
<listitem>
<para>Install the schema file like a <link
linkend="passwordSelfResetSchema_new">new install</link></para>
</listitem>
</orderedlist>
<literallayout>
</literallayout>
<para><emphasis role="bold">Samba 4</emphasis></para>
<para>Install these update files by following the install
instructions in the file. In case you upgrade with a version
difference of 2 or more you will need to apply all intermediate update
scripts.</para>
<itemizedlist>
<listitem>
<para>samba4_version_1_to_2_attributes.ldif (upgrade from version 1
only)</para>
</listitem>
<listitem>
<para>samba4_version_1_to_2_objectClass.ldif (upgrade from version 1
only)</para>
</listitem>
<listitem>
<para>samba4_version_2_to_3_attributes.ldif (upgrade from version
2)</para>
</listitem>
<listitem>
<para>samba4_version_2_to_3_objectClass.ldif (upgrade from version
2)</para>
</listitem>
</itemizedlist>
<para>Please note that attributes file needs to be installed
first.</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">Windows</emphasis></para>
<para>Install the file(s) by following the install instructions in the
file. In case you upgrade with a version difference of 2 or more you
will need to apply all intermediate update scripts.</para>
<itemizedlist>
<listitem>
<para>windows_version_1_to_2.ldif (upgrade from version 1
only)</para>
</listitem>
<listitem>
<para>windows_version_2_to_3.ldif (upgrade from version 2)</para>
</listitem>
</itemizedlist>
</section>
</appendix>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<appendix>
<title>Troubleshooting</title>
<section>
<title>Reset configuration password</title>
<para>The password for the server profiles can be reset using the master
configuration password. Open LAM configuration -&gt; Edit server
profiles -&gt;Manage server profiles for this.</para>
<para>In case you lost your master configuration password you need to
manually edit the main configuration file (config.cfg) on the file
system.</para>
<orderedlist>
<listitem>
<para>Locate config.cfg: On DEB/RPM installations it is in
/usr/share/ldap-account-manager/config and for tar.bz2 in config
folder.</para>
</listitem>
<listitem>
<para>Locate the "password" entry in the file</para>
</listitem>
<listitem>
<para>Replace the password hash after "password: " with your new
clear-text password (e.g. "secret")</para>
</listitem>
</orderedlist>
<para>After the change the line should look like this:</para>
<literallayout>password: secret</literallayout>
<para>You can now login using your new password. Set the password once
again via GUI in main configuration settings. This will put a hash value
back into config.cfg. Until then the password is in clear text on disk,
so make sure config.cfg is readable only by the web server user.</para>
</section>
<section>
<title>Functional issues</title>
<para><emphasis role="bold">Size limit</emphasis></para>
<para>You will get a message like "LDAP sizelimit exceeded, not all
entries are shown." when you hit the LDAP search limit.</para>
<itemizedlist>
<listitem>
<para>OpenLDAP: See the <link linkend="size_limit_exceeded">OpenLDAP
settings</link> to fix this.</para>
</listitem>
<listitem>
<para>389 server: set nsslapd-sizelimit in cn=config (may also be
set per user)</para>
</listitem>
<listitem>
<para>other LDAP servers: please see your server
documentation</para>
</listitem>
</itemizedlist>
<literallayout>
</literallayout>
<para><emphasis role="bold">Invalid syntax errors:</emphasis></para>
<para>If you get any strange errors like "Invalid syntax" or "Invalid DN
syntax" please check if your LDAP schema matches LAM's
requirements.</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">Schema test:</emphasis></para>
<para>This can be done by running "Tools" -&gt; "Tests" -&gt; "Schema
test" inside LAM.</para>
<para>If there are any object classes or attributes missing you will get
a notice. See <link linkend="a_schema">LDAP schema files</link> for a
list of used schemas. You may also want to deactivate unused modules in
your LAM server profile (tab "Modules").</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/schemaTest.png" />
</imageobject>
</mediaobject>
</screenshot>
<para><literallayout>
</literallayout><emphasis role="bold">LDAP Logging:</emphasis></para>
<para>If your schema is correct you can turn on LDAP logging to get more
detailed error messages from your LDAP server.</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">OpenLDAP logging:</emphasis></para>
<itemizedlist>
<listitem>
<para>slapd.conf: In /etc/ldap/slapd.conf turn logging on with the
line "loglevel 256".</para>
</listitem>
<listitem>
<para>slapd.d: In /etc/ldap/slapd.d/cn=config.ldif please change the
attribute "olcLogLevel" to "Stats". Please add a line "olcLogLevel:
Stats" if the attribute is missing.</para>
</listitem>
</itemizedlist>
<para>After changing the configuration please restart OpenLDAP. It
usually uses /var/log/syslog for log output.</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">PHP logging</emphasis></para>
<para>Sometimes it can help to enable PHP logging inside LAM. You can do
this in the <link linkend="conf_logging">logging area</link> of LAM's
main configuration. Set the logging option to "all" and check if there
are any messages printed in your browser window. Please note that not
every notice message is an error but it may help to find the
problem.</para>
</section>
<section>
<title>Performance issues</title>
<para>LAM is tested to work with 10000 users with acceptable
performance. If you have a larger directory or slow hardware then here
are some points to increase performance.</para>
<literallayout>
</literallayout>
<para>The first step is to check if performance problems are caused by
the LAM web server or the LDAP server. Please check which machine
suffers from high system load (CPU/memory consumption).</para>
<para>High network latency may also be a problem. For large
installations please make sure that LAM web server and LDAP server are
located in the same building/server room.</para>
<para>If you run LAM on multiple nodes (DNS load balancing/hardware load
balancer) then also check the <link linkend="clustering">clustering
section</link>.</para>
<section>
<title>LDAP server</title>
<para><emphasis role="bold">Use indices</emphasis></para>
<para>Depending on the queries it may help to add some more indices on
the LDAP server. Depending on your LDAP software it may already
suggest indices in its log files. See <link
linkend="indices">here</link> for typical OpenLDAP indices.</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">Reduce query results by splitting LDAP
management into multiple server profiles</emphasis></para>
<para>If you manage a very large directory then it might already be
separated into multiple subtrees (e.g. by country, subsidiary, ...).
Do not use a single LAM server profile to manage your whole directory.
Use different server profiles for each separated LDAP subtree where
possible (e.g. one for German users and one for French ones).</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">Limit query results</emphasis></para>
<para>LAM allows to set an <ulink url="general_settings">LDAP search
limit</ulink> for each server profile. This will limit the number of
entries returned by your LDAP server. Use with caution because it can
cause problems (e.g. with automatic UID generation) when LAM is not
able to read all entries.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configProfiles4.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>LAM web server</title>
<para><emphasis role="bold">Install a PHP
accelerator</emphasis></para>
<para>There are tools like <ulink
url="http://www.php.net/manual/en/book.apc.php">APC</ulink>/<ulink
url="http://php.net/manual/en/book.opcache.php">OpCache</ulink> (free)
or <ulink url="http://www.zend.com/en/products/server/">Zend
Server</ulink> (commercial) that provide caching of PHP pages to
improve performance. They will reduce the time for parsing the PHP
pages and IO load.</para>
<para>This is a simple way to enhance performance since APC/OpCache is
part of most Linux distributions.</para>
<para>If you use APC then make sure that it uses enough memory (e.g.
"apc.shm_size=128M"). You can check the memory usage with the file
apc.php that is shipped with APC.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/apc.png" />
</imageobject>
</mediaobject>
</screenshot>
<literallayout>
</literallayout>
<para>OpCache statistics can be shown with <ulink
url="https://github.com/rlerdorf/opcache-status">opcache-status</ulink>.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/opcache.png" />
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Disable session
encryption</emphasis></para>
<para>LAM encrypts sensitive data in your session files. You can <link
linkend="sessionEncryption">disable</link> it to reduce CPU load. Be
aware that the LDAP password and cached LDAP entries are then stored in
clear text in the session files, so only do this if the sess directory
is reliably protected from other users and processes on the host.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configGeneral1.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
</section>
</appendix>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter id="a_accessLevelPasswordReset">
<title>Access levels and password reset page (LAM Pro)</title>
<para>You can define different access levels for each profile to allow or
disallow write access. The password reset page helps your deskside support
staff to reset user passwords.</para>
<section>
<title id="s_accessLevel">Access levels</title>
<para>There are three access levels:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Write access (default)</emphasis></para>
<para>There are no restrictions. LAM admin users can manage accounts,
create profiles and set passwords.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Change passwords</emphasis></para>
<para>Similar to "Read only" except that the <link
linkend="s_pwdReset">password reset page</link> is available.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Read only</emphasis></para>
<para>No write access to the LDAP database is allowed. It is also
impossible to manage account and PDF profiles.</para>
<para>Accounts may be viewed but no changes can be saved.</para>
</listitem>
</itemizedlist>
<para>The access level can be set on the server configuration
page:</para>
<para><screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/accessLevel.png" />
</imageobject>
</mediaobject>
</screenshot></para>
</section>
<section id="s_pwdReset">
<title>Password reset page</title>
<para>This special page allows your deskside support staff to reset the
Unix and Samba passwords of your users. Accounts may also be (un)locked.
If you set the <link linkend="s_accessLevel">access level</link> to
"Change passwords" then LAM will not allow any changes to the LDAP
database except password changes via this page. The account pages will
still be available in read-only mode.</para>
<para>You can open the password reset page by clicking on the key symbol
on each user account:</para>
<para><screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/passwordReset1.png" />
</imageobject>
</mediaobject>
</screenshot>There are three different options to set a new password.
You can further restrict these options in server profile
settings.</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">set random password and display it on
screen</emphasis></para>
<para>This will set the user's password to a random value. The
password will be 11 characters long with a random combination of
letters, digits and ".-_".</para>
<para>You may want to use this method to tell users their new
passwords via phone.</para>
</listitem>
<listitem>
<para><emphasis role="bold">set random password and mail it to
user</emphasis></para>
<para>If the user account has set the mail attribute then LAM can
send your user a mail with the new password. You can change the mail
template to fit your needs. Please configure your LAM server profile
to setup the sender address, subject and mail body. Please see <link
linkend="mailEOL">email format option</link> in case of broken
mails. See <link linkend="mailSetup">here</link> for setting up your
SMTP server.</para>
<para>Using this method prevents your support staff from learning the
new password.</para>
</listitem>
<listitem>
<para><emphasis role="bold">set specific password</emphasis></para>
<para>Here you can specify your own password.</para>
</listitem>
</itemizedlist>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/passwordReset2.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>LAM will display contact information about the user like the
user's name, email address and telephone number. This will help your
deskside support to easily contact your users.</para>
<para><emphasis role="bold">Options:</emphasis></para>
<para>Depending on the account there may be additional options
available.</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Sync Samba NT/LM password with Unix
password:</emphasis> If a user account has Samba passwords set then
LAM will offer to synchronize the passwords.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Unlock Samba account:</emphasis> Locked
Samba accounts can be unlocked with the password change.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Update Samba password
timestamps:</emphasis> This will set the timestamps when the
password was changed (sambaPwdLastSet). Only existing attributes are
updated. No new attributes are added.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Sync Kerberos password with Unix
password:</emphasis> This will also update the Heimdal Kerberos
password.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Sync Asterisk (voicemail) password with
Unix password:</emphasis> Changes also the Asterisk
passwords.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Force password change:</emphasis> This
will force the user to change his password at next login. This
option supports Shadow, Samba 3 and PPolicy (automatically
detected).</para>
</listitem>
</itemizedlist>
<literallayout>
</literallayout>
<para><emphasis role="bold">Account (un)locking:</emphasis></para>
<para>Depending on whether the account includes a Unix/Samba extension
and whether PPolicy is activated, the page will show options to (un)lock
the account. E.g. if the account is fully unlocked then no unlocking
options are shown.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/passwordReset3.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
</chapter>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter>
<title>Big picture</title>
<section>
<title>Overview</title>
<para>LAM has two major areas:</para>
<itemizedlist>
<listitem>
<para>Admin interface to manage all sorts of different LDAP entries
(e.g. users/groups/hosts)</para>
</listitem>
<listitem>
<para>Self service (LAM Pro) where end users can edit their own
data</para>
</listitem>
</itemizedlist>
<para></para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/bigPicture1.png" />
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Admin interface</emphasis></para>
<para>This is the main part of the application. It allows to manage a
large list of LDAP entries (e.g. users, groups, DNS entries, ...). This
part is accessed by LDAP admins and support staff.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/bigPicture2.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>Functional areas:</para>
<orderedlist>
<listitem>
<para>Account tabs: These tabs allow to switch between different
account types</para>
</listitem>
<listitem>
<para>Tree view: Provides an LDAP browser to edit LDAP entries on
attribute level</para>
</listitem>
<listitem>
<para>Tools menu: Contains useful tools such as profile and PDF
editor</para>
</listitem>
<listitem>
<para>Help: Link to manual</para>
</listitem>
<listitem>
<para>Logout: Logout of the application</para>
</listitem>
<listitem>
<para>List view: Lists all entries of the selected account type
(e.g. users)</para>
</listitem>
<listitem>
<para>List configuration: Configuration settings for list view (e.g.
number of entries per page)</para>
</listitem>
<listitem>
<para>Filter: Filter boxes allow to enter simple filters like
"a*"</para>
</listitem>
</orderedlist>
<para><emphasis role="bold">Self Service</emphasis></para>
<para>The self service provides a simple interface for your users to
edit their own data (e.g. telephone number). It also supports user self
registration and password reset functionality.</para>
<para>You can fully customize the layout of the self service
page.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/bigPicture3.png" />
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Configuration</emphasis></para>
<para>Configuration is done on multiple levels:</para>
<para><emphasis role="bold">Global</emphasis></para>
<para>Effective for all parts of LAM (e.g. logging and password
policy).</para>
<para>Configured via LAM admin login -&gt; LAM configuration -&gt; <link
linkend="generalSettings">Edit general settings</link>.</para>
<para><emphasis role="bold">Server profile</emphasis></para>
<para>All settings for an LDAP connection (e.g. server name, LDAP
suffixes, account types/modules to activate) in admin interface. There
may be multiple for one LDAP server (e.g. for multiple departments,
different user groups, ...).</para>
<para>Configured via LAM admin login -&gt; LAM configuration -&gt; <link
linkend="serverProfiles">Edit server profile</link>.</para>
<para><emphasis role="bold">Self service</emphasis></para>
<para>All settings for a self service interface (e.g. fields that can be
edited, password reset functionality, ...).</para>
<para>Configured via LAM admin login -&gt; LAM configuration -&gt; <link
linkend="a_selfService">Edit self service</link>.</para>
<para><emphasis role="bold">Profiles</emphasis></para>
<para><link linkend="a_accountProfile">Account profiles</link> store
default values for new LDAP entries.</para>
<para><emphasis role="bold">PDF structures</emphasis></para>
<para><link linkend="pdfEditor">PDF structures</link> define the layout
and list of data fields to include in PDF export.</para>
</section>
<section>
<title>Glossary</title>
<para>Here you can find a list of common terms used in LAM.</para>
<table>
<title>Glossary</title>
<tgroup cols="2">
<thead>
<row>
<entry align="center">Term</entry>
<entry align="center">Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>Account module</entry>
<entry>Plugin for a specific account type (e.g. Unix plugin for
user type)</entry>
</row>
<row>
<entry>Account type</entry>
<entry>Type of an LDAP entry (e.g. user/group/host)</entry>
</row>
<row>
<entry>Admin interface</entry>
<entry>LAM webpages for admin user (e.g. to create new
users)</entry>
</row>
<row>
<entry>Lamdaemon</entry>
<entry>Support script to manage user file system quotas and
create home directories</entry>
</row>
<row>
<entry>PDF editor</entry>
<entry>Manages PDF structures</entry>
</row>
<row>
<entry>PDF export</entry>
<entry>Exports an entry to PDF by using a PDF structure</entry>
</row>
<row>
<entry>PDF structure</entry>
<entry>Defines the layout and list of data fields to include in
PDF export</entry>
</row>
<row>
<entry>Profile</entry>
<entry>Template for creation of LDAP entries, contains default
values</entry>
</row>
<row>
<entry>Profile editor</entry>
<entry>Manages profiles for all account types</entry>
</row>
<row>
<entry>Self Service</entry>
<entry>LAM webpages for normal users where they can edit their
own data</entry>
</row>
<row>
<entry>Self service profile</entry>
<entry>Configuration for self service pages (multiple
configurations can exist)</entry>
</row>
<row>
<entry>Tree view</entry>
<entry>LDAP browser that allows to modify LDAP entries on
attribute/object class level</entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section>
<title>Architecture</title>
<para>There are basically two groups of users for LAM:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">LDAP administrators and support
staff:</emphasis></para>
<para>These people administer LDAP entries like user accounts,
groups, ...</para>
</listitem>
<listitem>
<para><emphasis role="bold">Users:</emphasis></para>
<para>This includes all people who need to manage their own data
inside the LDAP directory. E.g. these people edit their contact
information with LAM self service (LAM Pro).</para>
</listitem>
</itemizedlist>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/lam_architecture.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>Therefore, LAM is split into two separate parts, LAM for admins
and for users. LAM for admins allows to manage various types of LDAP
entries (e.g. users, groups, hosts, ...). It also contains tools like
batch upload, account profiles, LDAP schema viewer and an LDAP browser.
LAM for users focuses on end users. It provides a self service for the
users to edit their personal data (e.g. contact information). The LAM
administrator is able to specify what data may be changed by the users.
The design is also adaptable to your corporate design.</para>
<para>LAM for admins/users is accessible via HTTP(S) by all major web
browsers (Firefox, IE, Opera, ...).</para>
<para><emphasis role="bold">LAM runtime environment:</emphasis></para>
<para>LAM runs on PHP. Therefore, it is independent of CPU architecture
and operating system (OS). You can run LAM on any OS which supports
Apache, Nginx or other PHP compatible web servers.</para>
<para><emphasis role="bold">Home directory server:</emphasis></para>
<para>You can manage user home directories and their quotas inside LAM.
The home directories may reside on the server where LAM is installed or
any remote server. The commands for home directory management are
secured by SSH. LAM will use the user name and password of the logged in
LAM administrator for authentication.</para>
<para><emphasis role="bold">LDAP directory:</emphasis></para>
<para>LAM connects to your LDAP server via standard LDAP protocol. It
also supports encrypted connections with SSL and TLS.</para>
</section>
</chapter>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter id="a_installation">
<title>Installation</title>
<section id="a_install">
<title>New installation</title>
<section>
<title>Requirements</title>
<para>LAM has the following requirements to run:</para>
<itemizedlist>
<listitem>
<para>Apache/Nginx webserver (SSL recommended) with PHP module
(PHP 5 (&gt;= 5.2.4) with ldap, gettext, xml, openssl and optional
mcrypt)</para>
</listitem>
<listitem>
<para>Some LAM plugins may require additional PHP extensions (you
will get a note on the login page if something is missing)</para>
</listitem>
<listitem>
<para>Perl (optional, needed only for <link
linkend="a_lamdaemon">lamdaemon</link>)</para>
</listitem>
<listitem>
<para>Any standard LDAP server (e.g. OpenLDAP, Active Directory,
Samba 4, OpenDJ, 389 Directory Server, Apache DS, ...)</para>
</listitem>
<listitem>
<para>A recent web browser that supports CSS2 and JavaScript, at
minimum:</para>
<para><itemizedlist>
<listitem>
<para>Firefox (max. 2 years old)</para>
</listitem>
<listitem>
<para>Internet Explorer 9 <emphasis
role="bold">(compatibility mode turned
off)</emphasis></para>
</listitem>
<listitem>
<para>Opera (max. 2 years old)</para>
</listitem>
<listitem>
<para>Chrome (max. 2 years old)</para>
</listitem>
</itemizedlist></para>
</listitem>
</itemizedlist>
<para>MCrypt will be used to store your LDAP password encrypted in the
session file.</para>
<para>Please note that LAM does not ship with a SELinux policy. Please
<link linkend="selinux">create your own policy</link> or, if that is not
an option, disable SELinux.</para>
<para>See <link linkend="a_schema">LDAP schema files</link> for
information about used LDAP schema files.</para>
</section>
<section>
<title>Prepackaged releases</title>
<para>LAM is available as prepackaged version for various
platforms.</para>
<section>
<title>Debian</title>
<informaltable frame="none" tabstyle="noborder">
<tgroup cols="2">
<tbody>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/debian.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>LAM is part of the official Debian repository. New
releases are uploaded to unstable and will be available
automatically in testing and the stable releases. You can
run<literal> </literal><para><emphasis role="bold">apt-get
install ldap-account-manager</emphasis></para>to install LAM
on your server. Additionally, you may download the latest
LAM Debian packages from the <ulink type=""
url="http://www.ldap-account-manager.org/">LAM
homepage</ulink> or the <ulink
url="http://packages.debian.org/search?keywords=ldap-account-manager">Debian
package homepage</ulink>.<para><emphasis
role="bold">Installation of the latest packages on
Debian</emphasis></para><orderedlist>
<listitem>
<para>Install the LAM package</para>
<para>dpkg -i ldap-account-manager_*.deb</para>
<para>If you get any messages about missing
dependencies run now: apt-get -f install</para>
</listitem>
<listitem>
<para>Install the lamdaemon package (optional)</para>
<para>dpkg -i
ldap-account-manager-lamdaemon_*.deb</para>
</listitem>
</orderedlist></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</section>
<section>
<title>Suse/Fedora/CentOS</title>
<informaltable frame="none">
<tgroup cols="2">
<tbody>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/suse.png" />
</imageobject>
</inlinemediaobject><para></para><inlinemediaobject>
<imageobject>
<imagedata fileref="images/fedora.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>There are RPM packages available on the <ulink
type="" url="http://www.ldap-account-manager.org/">LAM
homepage</ulink>. The packages can be installed with these
commands:<para><emphasis role="bold">rpm -e
ldap-account-manager
ldap-account-manager-lamdaemon</emphasis> (if an older
version is installed)</para><para><emphasis role="bold">rpm
-i &lt;path to LAM
package&gt;</emphasis></para><literallayout>
</literallayout><para><emphasis role="bold">Note:</emphasis> The RPM packages
for Fedora/CentOS do not contain a dependency on PHP due to
the various package names for it. Please make sure that you
install Apache/Nginx with PHP.</para></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</section>
<section>
<title>Other RPM based distributions</title>
<para>The RPM packages for Suse/Fedora are very generic and should
be installable on other RPM-based distributions, too. The Fedora
packages use apache:apache as file owner and the Suse ones use
wwwrun:www.</para>
</section>
<section>
<title>FreeBSD</title>
<informaltable frame="none">
<tgroup cols="2">
<tbody>
<row>
<entry><inlinemediaobject>
<imageobject>
<imagedata fileref="images/freebsd.png" />
</imageobject>
</inlinemediaobject></entry>
<entry>LAM is part of the official FreeBSD ports tree. For
more details see these pages:<para>FreeBSD-SVN: <ulink
url="http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/"
userlevel="">http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/</ulink></para><para>FreshPorts:
<ulink
url="http://www.freshports.org/sysutils/ldap-account-manager">http://www.freshports.org/sysutils/ldap-account-manager</ulink></para></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</section>
</section>
<section>
<title>Installing the tar.bz2</title>
<section>
<title>Extract the archive</title>
<para>Please extract the archive with the following command:</para>
<para>tar xjf ldap-account-manager-&lt;version&gt;.tar.bz2</para>
</section>
<section>
<title>Install the files</title>
<section>
<title>Manual copy</title>
<para>Copy the files into the document root of the web server, for
example /apache/htdocs or /var/www/html.</para>
<para>Then set the appropriate file permissions inside the LAM
directory:</para>
<itemizedlist>
<listitem>
<para>sess: write permission for apache/nginx user</para>
</listitem>
<listitem>
<para>tmp: write permission for apache/nginx user</para>
</listitem>
<listitem>
<para>tmp/internal: write permission for apache/nginx
user</para>
</listitem>
<listitem>
<para>config (with subdirectories): write permission for
apache/nginx user</para>
</listitem>
<listitem>
<para>lib/lamdaemon.pl: set executable</para>
</listitem>
</itemizedlist>
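<para>The permission list above as a shell script, added here as an
example and not part of LAM: "lam_set_permissions" and "lam_mode" are
hypothetical helpers and "www-data" an assumed web server group (Debian;
the RPM packages use apache or www, see the configure options below).
Beyond the list it applies a least-privilege baseline: the code tree stays
read-only for the web server, only sess, tmp, tmp/internal and config
become group-writable, and config is made unreadable for other local users
because it holds config.cfg with the master configuration password and the
server profiles. Ownership is only changed when the script runs as
root.</para>

```shell
#!/bin/sh
# Added example, not part of LAM: apply least-privilege modes to an extracted
# LAM tree after a manual copy. Assumptions: the tree layout of the tar.bz2
# (sess, tmp, tmp/internal, config, lib/lamdaemon.pl) and a web server group
# passed as the second argument (www-data on Debian, apache on Fedora,
# www on Suse).
lam_set_permissions() {
    lamdir=$1
    httpd_group=${2:-www-data}
    [ -d "$lamdir" ] || { echo "no such directory: $lamdir" >&2; return 1; }

    # Baseline: only the owner may write; the web server only reads the code.
    find "$lamdir" -type d -exec chmod 0755 {} +
    find "$lamdir" -type f -exec chmod 0644 {} +

    # Runtime data: the web server group needs write access, nobody else needs read.
    for d in sess tmp tmp/internal; do
        if [ -d "$lamdir/$d" ]; then chmod 0770 "$lamdir/$d"; fi
    done

    # config holds config.cfg (master password) and the server profiles:
    # writable for the web server, invisible to other local users.
    if [ -d "$lamdir/config" ]; then
        find "$lamdir/config" -type d -exec chmod 0770 {} +
        find "$lamdir/config" -type f -exec chmod 0660 {} +
    fi

    # lamdaemon.pl is executed (via SSH/sudo) on the home directory server.
    if [ -f "$lamdir/lib/lamdaemon.pl" ]; then chmod 0755 "$lamdir/lib/lamdaemon.pl"; fi

    # Ownership can only be changed as root, and only if the group exists.
    if [ "$(id -u)" -eq 0 ] && getent group "$httpd_group" >/dev/null 2>&1; then
        chown -R root:"$httpd_group" "$lamdir"
    fi
    return 0
}

# Mode string of a path, e.g. "drwxrwx---"; used to verify the result.
lam_mode() {
    ls -ld "$1" | cut -c1-10
}
```

<para>Run it as root once after copying, e.g. "lam_set_permissions
/var/www/html/lam www-data"; "lam_mode /var/www/html/lam/config" should
then print drwxrwx---.</para>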
</section>
<section>
<title>With configure script</title>
<para>Instead of manually copying files you can also use the
included configure script to install LAM. Just run these commands
in the extracted directory:</para>
<itemizedlist>
<listitem>
<para>./configure</para>
</listitem>
<listitem>
<para>make install</para>
</listitem>
</itemizedlist>
<para>Options for "./configure":</para>
<itemizedlist>
<listitem>
<para>--with-httpd-user=USER USER is the name of your
Apache/Nginx user account (default httpd)</para>
</listitem>
<listitem>
<para>--with-httpd-group=GROUP GROUP is the name of your
Apache/Nginx group (default httpd)</para>
</listitem>
<listitem>
<para>--with-web-root=DIRECTORY DIRECTORY is the name where
LAM should be installed (default /usr/local/lam)</para>
</listitem>
</itemizedlist>
</section>
</section>
<section>
<title>Configuration files</title>
<para>Copy config/config.cfg.sample to config/config.cfg. Open the
index.html in your web browser:</para>
<itemizedlist>
<listitem>
<para>Follow the link "LAM configuration" from the start page to
<link linkend="a_configuration">configure LAM</link>.</para>
</listitem>
<listitem>
<para>Select "Edit general settings" to setup global settings
and to change the <link linkend="a_configPasswords">master
configuration password</link> (default is "lam").</para>
</listitem>
<listitem>
<para>Select "Edit server profiles" to setup a server
profile.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Webserver configuration</title>
<para>Please see the <link linkend="apache">Apache</link> or <link
linkend="nginx">Nginx</link> chapter.</para>
</section>
</section>
<section>
<title>System configuration</title>
<section>
<title>PHP</title>
<para>LAM runs with PHP5 (&gt;= 5.2.4). Needed changes in your
php.ini:</para>
<para>memory_limit = 64M</para>
<para>For large installations (&gt;10000 LDAP entries) you may need
to increase the memory limit to 256M.</para>
<para>If you run PHP with activated <ulink
url="http://www.hardened-php.net/suhosin/index.html">Suhosin</ulink>
extension please check your logs for alerts. E.g. LAM requires that
"suhosin.post.max_name_length" and
"suhosin.request.max_varname_length" are increased (e.g. to
256).</para>
</section>
<section>
<title>Locales for non-English translation</title>
<para>If you want to use a translated version of LAM be sure to
install the needed locales. The following table shows the needed
locales for the different languages.</para>
<table>
<title>Locales</title>
<tgroup cols="2">
<tbody>
<row>
<entry><emphasis role="bold">Language</emphasis></entry>
<entry><emphasis role="bold">Locale</emphasis></entry>
</row>
<row>
<entry>Catalan</entry>
<entry>ca_ES.utf8</entry>
</row>
<row>
<entry>Chinese (Simplified)</entry>
<entry>zh_CN.utf8</entry>
</row>
<row>
<entry>Chinese (Traditional)</entry>
<entry>zh_TW.utf8</entry>
</row>
<row>
<entry>Czech</entry>
<entry>cs_CZ.utf8</entry>
</row>
<row>
<entry>Dutch</entry>
<entry>nl_NL.utf8</entry>
</row>
<row>
<entry>English - Great Britain</entry>
<entry>no extra locale needed</entry>
</row>
<row>
<entry>English - USA</entry>
<entry>en_US.utf8</entry>
</row>
<row>
<entry>French</entry>
<entry>fr_FR.utf8</entry>
</row>
<row>
<entry>German</entry>
<entry>de_DE.utf8</entry>
</row>
<row>
<entry>Hungarian</entry>
<entry>hu_HU.utf8</entry>
</row>
<row>
<entry>Italian</entry>
<entry>it_IT.utf8</entry>
</row>
<row>
<entry>Japanese</entry>
<entry>ja_JP.utf8</entry>
</row>
<row>
<entry>Polish</entry>
<entry>pl_PL.utf8</entry>
</row>
<row>
<entry>Portuguese</entry>
<entry>pt_BR.utf8</entry>
</row>
<row>
<entry>Russian</entry>
<entry>ru_RU.utf8</entry>
</row>
<row>
<entry>Slovak</entry>
<entry>sk_SK.utf8</entry>
</row>
<row>
<entry>Spanish</entry>
<entry>es_ES.utf8</entry>
</row>
<row>
<entry>Turkish</entry>
<entry>tr_TR.utf8</entry>
</row>
<row>
<entry>Ukrainian</entry>
<entry>uk_UA.utf8</entry>
</row>
</tbody>
</tgroup>
</table>
<para>You can get a list of all installed locales on your system by
executing:</para>
<para>locale -a</para>
<para>Debian users can add locales with "dpkg-reconfigure
locales".</para>
</section>
</section>
</section>
<section>
<title>Upgrading LAM or migrate from LAM to LAM Pro</title>
<para>Upgrading from LAM to LAM Pro is like installing a new LAM
version. Simply install the LAM Pro packages/tar.bz2 instead of the LAM
ones.</para>
<section>
<title>Upgrade LAM</title>
<para><emphasis role="bold">Backup configuration
files</emphasis></para>
<para>Configuration files only need to be backed up for .tar.bz2
installations. DEB/RPM installations do not require this step.</para>
<para>LAM stores all configuration files in the "config" folder.
Please backup the following files and copy them after the new version
is installed.</para>
<simplelist>
<member>config/*.conf</member>
<member>config/config.cfg</member>
<member>config/pdf/*.xml</member>
<member>config/profiles/*</member>
</simplelist>
<para>LAM Pro only:</para>
<simplelist>
<member>config/selfService/*.*</member>
</simplelist>
<para><emphasis role="bold">Uninstall current LAM (Pro)
version</emphasis></para>
<para>If you used the RPM installation packages then remove the
ldap-account-manager and ldap-account-manager-lamdaemon packages by
calling "rpm -e ldap-account-manager
ldap-account-manager-lamdaemon".</para>
<para>Debian needs no removal of old packages.</para>
<para>For tar.bz2 please remove the folder where you installed LAM via
configure or by copying the files.</para>
<para><emphasis role="bold">Install new LAM (Pro)
version</emphasis></para>
<para>Please <link linkend="a_install">install</link> the new LAM
(Pro) release. Skip the part about setting up LAM configuration
files.</para>
<para><emphasis role="bold">Restore configuration
files</emphasis></para>
<para>RPM:</para>
<para>Please check if there are any files ending with ".rpmsave" in
/var/lib/ldap-account-manager/config. In this case you need to
manually remove the .rpmsave extension by overwriting the package
file. E.g. rename default.user.rpmsave to default.user.</para>
<para>DEB:</para>
<para>Nothing needs to be restored.</para>
<para>tar.bz2:</para>
<para>Please restore your configuration files from the backup. Copy
all files from the backup folder to the config folder in your LAM Pro
installation. Do not simply replace the folder because the new LAM
(Pro) release might include additional files in this folder. Overwrite
any existing files with your backup files.</para>
<para><emphasis role="bold">Final steps</emphasis></para>
<para>Now open your webbrowser and point it to the LAM login page. All
your settings should be migrated.</para>
<para>Please check also the <link linkend="a_versUpgrade">version
specific instructions</link>. They might include additional
actions.</para>
</section>
<section id="a_versUpgrade">
<title>Version specific upgrade instructions</title>
<section>
<title>5.5 -&gt; 5.6</title>
<para>Mail routing: No longer added by default. Use profile editor
to activate by default for new users/groups.</para>
<para>Personal/Unix/Windows: no more replacement of e.g.
$user/$group on user upload</para>
</section>
<section>
<title>5.4 -&gt; 5.5</title>
<para>LAM Pro requires a license key. You can find it in your <ulink
url="https://www.ldap-account-manager.org/lamcms/user/me">customer
profile</ulink>.</para>
</section>
<section>
<title>5.1 -&gt; 5.4</title>
<para>No special actions needed.</para>
</section>
<section>
<title>5.0 -&gt; 5.1</title>
<para>Self Service: There were large changes to provide a responsive
design that works for desktop and mobile. If you use custom CSS to
style Self Service then this must be updated.</para>
</section>
<section>
<title>4.9 -&gt; 5.0</title>
<para>Samba 3: If you used logon hours then you need to set the
correct time zone on tab "General settings" in server
profile.</para>
</section>
<section>
<title>4.5 -&gt; 4.9</title>
<para>No special actions needed.</para>
</section>
<section>
<title>4.4 -&gt; 4.5</title>
<para>LAM will no longer follow referrals by default. This is ok for
most installations. If you use LDAP referrals please activate
referral following for your server profile (tab General settings
-&gt; Server settings -&gt; Advanced options).</para>
<para>The self service pages now have an own option for allowed IPs.
If your LAM installation uses IP restrictions please update the LAM
main configuration.</para>
<para>Password self reset (LAM Pro) allows to set a backup email
address. You need to <link
linkend="passwordSelfResetSchema_update">update</link> the LDAP
schema if you want to use this feature.</para>
</section>
<section>
<title>4.3 -&gt; 4.4</title>
<para>Apache configuration: LAM supports Apache 2.2 and 2.4. This
requires that your Apache server has enabled the "version" module.
For Debian and Fedora this is the default setup. The Suse RPM will
try to enable the version module during installation.</para>
<para>Kolab: User accounts get the object class "mailrecipient" by
default. You can change this behaviour in the module settings
section of your LAM server profile.</para>
<para>Windows: sAMAccountName is no longer set by default. Enable it
in server profile if needed. The possible domains for the user name
can also be set in server profile.</para>
</section>
<section>
<title>4.2.1 -&gt; 4.3</title>
<para>LAM is no longer shipped as tar.gz package but as tar.bz2, which
allows smaller file sizes.</para>
</section>
<section>
<title>4.1 -&gt; 4.2/4.2.1</title>
<para>Zarafa users: The default attribute for mail aliases is now
"dn". If you use "uid" and did not change the server profile for a
long time please check your LAM server profile for this setting and
save it.</para>
</section>
<section>
<title>4.0 -&gt; 4.1</title>
<para><emphasis role="bold">Unix:</emphasis> The list of valid login
shells is no longer configured in "config/shells" but in the
server/self service profiles (Unix settings). LAM will use the
following shells by default: /bin/bash, /bin/csh, /bin/dash,
/bin/false, /bin/ksh, /bin/sh.</para>
<para>Please update your server/self service profile if you would
like to change the list of valid login shells.</para>
</section>
<section>
<title>3.9 -&gt; 4.0</title>
<para>The account profiles and PDF structures are now separated by
server profile. This means that if you edit e.g. an account profile
in server profile A then this change will not affect the account
profiles in server profile B.</para>
<para>LAM will automatically migrate your existing files as soon as
the login page is loaded.</para>
<para>Special install instructions:</para>
<itemizedlist>
<listitem>
<para>Debian: none, config files will be migrated when opening
LAM's login page</para>
</listitem>
<listitem>
<para>Suse/Fedora RPM:</para>
<itemizedlist>
<listitem>
<para>Run "rpm -e ldap-account-manager
ldap-account-manager-lamdaemon"</para>
</listitem>
<listitem>
<para>You may get warnings like "warning:
/var/lib/ldap-account-manager/config/profiles/default.user
saved as
/var/lib/ldap-account-manager/config/profiles/default.user.rpmsave"</para>
</listitem>
<listitem>
<para>Please rename all files "*.rpmsave" and remove the
file extension ".rpmsave". E.g. "default.user.rpmsave" needs
to be renamed to "default.user".</para>
</listitem>
<listitem>
<para>Install the LAM packages with "rpm -i". E.g. "rpm -i
ldap-account-manager-4.0-0.suse.1.noarch.rpm".</para>
</listitem>
<listitem>
<para>Open LAM's login page in your browser to complete the
migration</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>tar.gz: standard upgrade steps, config files will be
migrated when opening LAM's login page</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>3.7 -&gt; 3.9</title>
<para>No changes.</para>
</section>
<section>
<title>3.6 -&gt; 3.7</title>
<para>Asterisk extensions: The extension entries are now grouped by
extension name and account context. LAM will automatically assign
priorities and set same owners for all entries.</para>
</section>
<section>
<title>3.5.0 -&gt; 3.6</title>
<para><emphasis role="bold">Debian users:</emphasis> LAM 3.6
requires to install FPDF 1.7. You can download the package <ulink
url="http://packages.debian.org/search?keywords=php-fpdf&amp;searchon=names&amp;suite=all&amp;section=all">here</ulink>.
If you use Debian Stable (Squeeze) please use the package from
Testing (Wheezy).</para>
</section>
<section>
<title>3.4.0 -&gt; 3.5.0</title>
<para><emphasis role="bold">LAM Pro:</emphasis> The global
config/passwordMailTemplate.txt is no longer supported. You can
setup the mail settings now for each LAM server profile which
provides more flexibility.</para>
<para><emphasis role="bold">Suse/Fedora RPM
installations:</emphasis> LAM is now installed to
/usr/share/ldap-account-manager and
/var/lib/ldap-account-manager.</para>
<para>Please note that configuration files are not migrated
automatically. Please move the files from /srv/www/htdocs/lam/config
(Suse) or /var/www/html/lam/config (Fedora) to
/var/lib/ldap-account-manager/config.</para>
</section>
<section>
<title>3.3.0 -&gt; 3.4.0</title>
<para>No changes.</para>
</section>
<section>
<title>3.2.0 -&gt; 3.3.0</title>
<para>If you use custom images for the PDF export then these images
need to be 5 times bigger than before (e.g. 250x250px instead of
50x50px). This allows to use images with higher resolution.</para>
</section>
<section>
<title>3.1.0 -&gt; 3.2.0</title>
<para>No changes.</para>
</section>
<section>
<title>3.0.0 -&gt; 3.1.0</title>
<para>LAM supported setting a list of valid workstations on the
"Personal" page. This required a change to the LDAP schema. Since
3.1.0 this is replaced by the new "Hosts" module for users.</para>
<para>Lamdaemon: The sudo entry needs to be changed to
".../lamdaemon.pl *".</para>
</section>
<section>
<title>2.3.0 -&gt; 3.0.0</title>
<para>No changes.</para>
</section>
<section>
<title>2.2.0 -&gt; 2.3.0</title>
<para><emphasis role="bold">LAM Pro:</emphasis> There is now a
separate account type for group of (unique) names. Please edit your
server profiles to activate the new account type.</para>
</section>
<section>
<title>1.1.0 -&gt; 2.2.0</title>
<para>No changes.</para>
</section>
</section>
</section>
<section id="a_uninstall">
<title>Uninstallation of LAM (Pro)</title>
<para>If you used the prepackaged installation packages then remove the
ldap-account-manager and ldap-account-manager-lamdaemon packages.</para>
<para>Otherwise, remove the folder where you installed LAM via configure
or by copying the files.</para>
</section>
<section>
<title>Migration to a new server</title>
<para>To move LAM (Pro) from one server to another please follow these
steps:</para>
<orderedlist>
<listitem>
<para>Install LAM (Pro) on your new server</para>
</listitem>
<listitem>
<para>Copy the following files from the old server to the new one
(base directory for RPM/DEB is
/usr/share/ldap-account-manager/):</para>
<itemizedlist>
<listitem>
<para>config/*.conf</para>
</listitem>
<listitem>
<para>config/config.cfg</para>
</listitem>
<listitem>
<para>config/pdf/*</para>
</listitem>
<listitem>
<para>config/profiles/*</para>
</listitem>
<listitem>
<para>config/selfService/*.* (needed for LAM Pro only)</para>
</listitem>
</itemizedlist>
<para>The files must be writable for the webserver user.</para>
</listitem>
<listitem>
<para>Open LAM (Pro) login page on new server and verify
installation.</para>
</listitem>
<listitem>
<para>Uninstall LAM (Pro) on old server.</para>
</listitem>
</orderedlist>
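<para>The file list above is the same one the "Backup configuration
files" step of the upgrade instructions uses. As an added shell example
(not LAM's own code), two hypothetical helpers cover both cases:
"lam_backup_config" archives exactly those files from a LAM base
directory (assumed to be /usr/share/ldap-account-manager for RPM/DEB or
the configure target for tar.bz2, with no whitespace in paths) and creates
the archive readable for the owner only, because it contains the master
configuration password and the LDAP settings of all server profiles.
"lam_restore_config" extracts it on top of the new installation's config
directory, so files that only the new release ships are kept instead of
being wiped by replacing the folder. Patterns that match nothing, e.g.
selfService without LAM Pro, are skipped.</para>

```shell
#!/bin/sh
# Added example, not part of LAM: back up and restore the configuration files
# named in the upgrade and migration steps. Assumptions: the LAM base
# directory is passed as first argument, paths contain no whitespace and
# the archive path is absolute.
lam_backup_config() {
    lamdir=$1
    backup=$2
    [ -d "$lamdir/config" ] || { echo "no config directory below $lamdir" >&2; return 1; }
    files=""
    # Only the files the documentation names; patterns that match nothing
    # (e.g. selfService without LAM Pro) are skipped instead of failing.
    for pattern in 'config/*.conf' 'config/config.cfg' 'config/pdf/*' \
                   'config/profiles/*' 'config/selfService/*.*'; do
        for f in $lamdir/$pattern; do
            if [ -e "$f" ]; then files="$files ${f#$lamdir/}"; fi
        done
    done
    [ -n "$files" ] || { echo "nothing to back up below $lamdir/config" >&2; return 1; }
    # The archive holds the master configuration password and LDAP settings:
    # umask 077 makes it readable for the owner only (mode 0600).
    ( cd "$lamdir" && umask 077 && tar -cf "$backup" $files )
}

lam_restore_config() {
    lamdir=$1
    backup=$2
    [ -f "$backup" ] || { echo "no such archive: $backup" >&2; return 1; }
    [ -d "$lamdir/config" ] || { echo "install the new release first, $lamdir/config is missing" >&2; return 1; }
    # Extract on top of the new release's config directory: backed-up files
    # overwrite the shipped ones, files that only the new version has stay.
    tar -xf "$backup" -C "$lamdir"
}
```

<para>After the restore make sure the files are writable for the web
server user again (chown them to the account your web server runs as),
then open the login page to let LAM migrate the settings.</para>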
</section>
</chapter>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter>
<title>Tools</title>
<para></para>
<section id="a_accountProfile">
<title>Profile editor</title>
<para>The account profiles are templates for your accounts. Here you can
specify default values which can then be loaded when you create
accounts. You may also load a template for an existing account to reset
it to default values. When you create a new account then LAM will always
load the profile named <emphasis role="bold">"default"</emphasis>. This
account profile can include default values for all your accounts.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor2.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>You can enter the LDAP suffix, RDN identifier and various other
attributes depending on account type and activated modules.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor.png" />
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Import/export:</emphasis></para>
<para>Profiles can be exported to and imported from other server
profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor3.png" />
</imageobject>
</mediaobject>
</screenshot>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor4.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>There is a special export target called "*Global templates". All
profiles exported here will be copied to all other server profiles
(incl. new ones). But existing profiles with the same name are not
overwritten. So a profile in global templates is treated as default
profile for all server profiles.</para>
<para>Use this if you would like to setup default profiles that are
valid for all server profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor5.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>File upload</title>
<para>When you need to create lots of accounts then you can use LAM's
file upload to create them. LAM will read a CSV formatted file and
create the related LDAP entries. Please check the data in your CSV file
carefully. LAM does fewer checks for the file upload than for single
account creation.</para>
<para>At the first page please select the account type and what
extensions should be activated.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/fileUpload1.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>The next page shows all available options for the file upload. You
will also find a sample CSV file which can be used as template for your
CSV file. All red options are required columns in the file. You need to
specify a value for each account.</para>
<para>When you upload the CSV file then LAM first does some checks on
this file. This includes syntax checks and if all required data was
entered. No changes in the LDAP directory are done at this time.</para>
<para>If the checks were successful then LAM will ask again if you want
to create the accounts. You will also have the chance to check the
upload by viewing the changes in LDIF format.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/fileUpload2.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title id="toolMultiEdit">Multi edit</title>
<para>This tool allows you to modify a large list of LDAP entries in
batch mode. You can add new attributes/object classes, remove attributes
and set attributes to a specific value.</para>
<para>At the beginning, you need to specify where the entries are stored
that should be changed. You can select an account suffix, the tree
suffix or enter your own DN by selecting "Other".</para>
<para>Next, enter an additional LDAP filter to limit the entries that
should be changed. E.g. use "(objectclass=inetOrgPerson)" to filter for
users. You may also enter e.g. "(!(objectClass=passwordSelfReset))" to
match all accounts that do not yet have the <link
linkend="passwordSelfResetUser">password self reset</link>
feature.</para>
<literallayout>
</literallayout>
<para>Now, it is time to define the changes that should be done. The
following operations are possible:</para>
<itemizedlist>
<listitem>
<para>Add: Adds an attribute value if not yet existing. Please do
not use for single-value attributes that already have a
value.</para>
</listitem>
<listitem>
<para>Modify: Sets an attribute to the given value. If the attribute
does not yet exist then it is added. If the attribute has multiple
values then all other values are removed.</para>
</listitem>
<listitem>
<para>Delete: Deletes the specified value from this attribute. If
you leave the value field blank then all attribute values are
removed.</para>
</listitem>
</itemizedlist>
<para>Please note that all actions are run as separate LDAP commands.
You cannot add an object class and a required attribute at the same
time.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/multiEdit1.png" />
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Dry run</emphasis></para>
<para>You should always start with a dry run. It will not do any changes
to your LDAP directory but print out all modifications that will be
done. You will also be able to download the changes in LDIF format to
use with ldapmodify. This is useful if you want to adjust some actions
manually.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/multiEdit2.png" />
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Apply changes</emphasis></para>
<para>This will run the actions against your LDAP directory. You will
see which accounts are edited in the progress area and also if any
errors occured.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/multiEdit3.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>OU editor</title>
<para>This is a simple editor to add/delete organisational units in your
LDAP tree. This way you can structure the accounts.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/ouEditor.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section id="pdfEditor">
<title>PDF editor</title>
<para>All accounts in LAM may be exported as PDF files. You can specify
the page structure and displayed information by editing the PDF
profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor2.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>When you export accounts to PDF then each account will get its own
page inside the PDF. There is a headline on each page where you can show
a page title. You may also add a logo to each page. To add more logos
please use the logo management on the PDF editor main page.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>The main part is structured into sections of information. Each
section has a title. This can either be static text or the value of an
attribute. You may also insert a static text block as section. Sections
can be moved by using the arrows next to the section title.</para>
<para>Each section can contain multiple fields which usually represent
LDAP attributes. You can simply add new fields by selecting the field
name and its position. Then use the arrows to move the field inside the
section.</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">Import/export:</emphasis></para>
<para>PDF structures can be exported to and imported from other server
profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor3.png" />
</imageobject>
</mediaobject>
</screenshot>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor4.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>There is a special export target called "*Global templates". All
PDF structures exported here will be copied to all other server profiles
(incl. new ones). But existing PDF structures with the same name are not
overwritten. So a PDF structure in global templates is treated as
default structure for all server profiles.</para>
<para>Use this if you would like to setup default PDF structures that
are valid for all server profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor5.png" />
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Logo management:</emphasis></para>
<para>You can upload image files to put a custom logo on the PDF files.
The image file name must end with .png or .jpg and the size must not
exceed 2000x300px.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor6.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>Schema browser</title>
<para>Here you browse the schema of your LDAP server. You can view what
object classes, attributes, syntaxes and matching rules are available.
This is useful if you need to check if a certain object class is
available.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/schemaBrowser.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>Server information</title>
<para>This shows information and statistics about your LDAP server. This
includes the suffixes, used overlays, connection data and operation
statistics. You will need "cn=monitor" setup to see all details. Some
data may not be available depending on your LDAP server software.</para>
<para>Please see the following links how to setup "cn=monitor":</para>
<itemizedlist>
<listitem>
<para><ulink
url="http://www.openldap.org/doc/admin24/monitoringslapd.html">OpenLDAP</ulink></para>
</listitem>
<listitem>
<para><ulink type=""
url="http://directory.fedoraproject.org/wiki/Howto:CN%3DMonitor_LDAP_Monitoring">389
server</ulink></para>
</listitem>
</itemizedlist>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/serverInfo.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>Tests</title>
<para>This allows you to check if your LDAP schema is compatible with
LAM and to find possible problems.</para>
<section>
<title>Lamdaemon test</title>
<para>LAM provides an external script to manage home directories and
quotas. You can test here if everything is setup correctly.</para>
<para>If you get an error like "no tty present and no askpass program
specified" then the path to the lamdaemon.pl may be wrong. Please see
the <link linkend="a_lamdaemon">lamdaemon installation
instructions</link> for setup details.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/lamdaemonTest.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>Schema test</title>
<para>This will test if your LDAP schema supports all object classes
and attributes of the active LAM modules. If you get a message that
something is missing please check that you installed all <link
linkend="a_schema">required schemas</link>.</para>
<para>If you get error messages about object class violations then
this test can tell you what is missing.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/schemaTest.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
</section>
</chapter>
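Review bot: "occured" in the "Apply changes" paragraph of the Multi edit section should be "occurred". The same section says all actions are run as separate LDAP commands but never says what happens to entries already modified when a later action fails, so a sentence stating whether already-applied changes stay in place (and pointing readers back to the dry run and its LDIF download for that reason) would close the gap. Two `<literallayout>` elements (after the LDAP filter paragraph in Multi edit and after the fields paragraph in PDF editor) contain only whitespace and just add an empty block to the rendered page; drop them. The 389 server `<ulink>` in Server information carries an empty `type=""` attribute that the OpenLDAP link beside it does not; remove it. Minor wording: "need "cn=monitor" setup", "how to setup" and "everything is setup correctly" use the noun form where the verb "set up" is meant.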


@ -0,0 +1,115 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<preface>
<title>Overview</title>
<para>LDAP Account Manager (LAM) manages user, group and host accounts in
an LDAP directory. LAM runs on any webserver with PHP5 support and
connects to your LDAP server unencrypted or via SSL/TLS.</para>
<para>LAM supports Samba 3/4, Unix, Zarafa, Kolab 2/3, address book
entries, NIS mail aliases, MAC addresses and much more. There is a tree
viewer included to allow access to the raw LDAP attributes. You can use
templates for account creation and use multiple configuration
profiles.</para>
<para><ulink
url="https://www.ldap-account-manager.org/">https://www.ldap-account-manager.org/</ulink></para>
<para>Copyright (C) 2003 - 2016 Roland Gruber
&lt;post@rolandgruber.de&gt;</para>
<para><emphasis role="bold">Key features:</emphasis></para>
<itemizedlist>
<listitem>
<para>managing user/group/host/domain entries</para>
</listitem>
<listitem>
<para>account profiles</para>
</listitem>
<listitem>
<para>account creation via file upload</para>
</listitem>
<listitem>
<para>multiple configuration profiles</para>
</listitem>
<listitem>
<para>LDAP browser</para>
</listitem>
<listitem>
<para>schema browser</para>
</listitem>
<listitem>
<para>OU editor</para>
</listitem>
<listitem>
<para>PDF export for all accounts</para>
</listitem>
<listitem>
<para>manage user/group Quota and create home directories</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">Requirements:</emphasis></para>
<itemizedlist>
<listitem>
<para>PHP5 (&gt;= 5.4.0)</para>
</listitem>
<listitem>
<para>Any standard LDAP server (e.g. OpenLDAP, Active Directory, Samba
4, OpenDJ, 389 Directory Server, Apache DS, ...)</para>
</listitem>
<listitem>
<para>A recent web browser that supports CSS2 and JavaScript, at
minimum:</para>
<itemizedlist>
<listitem>
<para>Firefox (max. 2 years old)</para>
</listitem>
<listitem>
<para>Chrome (max. 2 years old)</para>
</listitem>
<listitem>
<para>Internet Explorer 9<emphasis role="bold"> (compatibility
mode turned off)</emphasis></para>
</listitem>
<listitem>
<para>Opera (max. 2 years old)</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<para>The default password to edit the configuration options is
"lam".</para>
<para><emphasis role="bold">License:</emphasis></para>
<para>LAM is published under the GNU General Public License. The complete
list of licenses can be found in the copyright file.</para>
<para><emphasis role="bold">Default password:</emphasis></para>
<para>The default password for the LAM configuration is "lam".</para>
<literallayout>
Have fun!
The LAM development team</literallayout>
</preface>
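Review bot: the default configuration password "lam" is stated twice (once after the browser requirements list, again under the "Default password:" heading); keep one occurrence and, because it is a published default that guards the server profiles, tell the reader to change it right after installation. The `<!DOCTYPE book ...>` declaration names `book` as the document element while the root of this file is `<preface>`; that is fine when the file is only ever pulled into the book, but validating it stand-alone will fail the root-element check, so either declare `preface` here or note that these split files are not meant to be validated individually. The overview says LAM "connects to your LDAP server unencrypted or via SSL/TLS"; a short recommendation to use SSL/TLS, since credentials are sent to the directory on every bind, would fit here. Also the copyright range "2003 - 2016" is already out of date for a 2017 commit.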