diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml
index 7a0bede6..43015210 100644
--- a/lam/docs/manual-sources/chapter-configuration.xml
+++ b/lam/docs/manual-sources/chapter-configuration.xml
@@ -1,705 +1,760 @@
-
- Configuration
+
+ Configuration
- After you installed LAM you
- can configure it to fit your needs. The complete configuration can be done
- inside the application. There is no need to edit configuration
- files.
+ After you installed LAM you can
+ configure it to fit your needs. The complete configuration can be done
+ inside the application. There is no need to edit configuration files.
- Please point you browser to the location where you installed LAM.
- E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM
- via the tar.bz2 then this may vary. You should see the following
- page:
+ Please point you browser to the location where you installed LAM. E.g.
+ for Debian/RPM this is http://yourServer/lam. If you installed LAM via the
+ tar.bz2 then this may vary. You should see the following page:
-
-
-
-
-
-
-
+
+
+
+
+
+
+
- If you see an error message then you might need to install an
- additional PHP extension. Please follow the instructions and reload the
- page afterwards.
+ If you see an error message then you might need to install an
+ additional PHP extension. Please follow the instructions and reload the page
+ afterwards.
- Now you are ready to configure LAM. Click on the "LAM configuration"
- link to proceed.
+ Now you are ready to configure LAM. Click on the "LAM configuration"
+ link to proceed.
-
-
-
-
-
-
-
+
+
+
+
+
+
+
- Here you can change LAM's general settings, setup server profiles
- for your LDAP server(s) and configure the self service (LAM Pro). You should start
- with the general settings and then setup a server profile.
+ Here you can change LAM's general settings, setup server profiles for
+ your LDAP server(s) and configure the self
+ service (LAM Pro). You should start with the general settings and
+ then setup a server profile.
-
- General settings
+
+ General settings
- After selecting "Edit general settings" you will need to enter the
- master configuration password.
- The default password for new installations is "lam". Now you can edit
- the general settings.
+ After selecting "Edit general settings" you will need to enter the
+ master configuration password.
+ The default password for new installations is "lam". Now you can edit the
+ general settings.
-
- License (LAM Pro only)
+
+ License (LAM Pro only)
- This is only required when you run LAM Pro. Please enter the
- license key from your customer
- profile. In case you have purchased multiple licenses please
- only enter one license key block per installation.
+ This is only required when you run LAM Pro. Please enter the
+ license key from your customer
+ profile. In case you have purchased multiple licenses please
+ only enter one license key block per installation.
- When you entered the license key then the license details can be
- seen on LAM configuration overview page.
+ When you entered the license key then the license details can be
+ seen on LAM configuration overview page.
+
+
+
+
+
+
+
+
+
+
+
+ Security settings
+
+ Here you can set a time period after which inactive sessions are
+ automatically invalidated. The selected value represents minutes of
+ inactivity.
+
+ You may also set a list of IP addresses which are allowed to
+ access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
+ or with the "*" wildcard (e.g. 123.123.123.*). Users which try to access
+ LAM via an untrusted IP only get blank pages. There is a separate field
+ for LAM Pro self service.
+
+ Session encryption will encrypt sensitive
+ data like passwords in your session files. This is only available when
+ PHP MCrypt is active. This
+ adds extra security but also costs performance. If you manage a large
+ directory you might want to disable this and take other actions to
+ secure your LAM server.
+
+
+
+
+
+
+
+
+
+ SSL certificate
+ setup:
+
+ By default, LAM uses the CA certificates that are preinstalled on
+ your system. This will work if you connect via SSL/TLS to an LDAP server
+ that uses a certificate signed by a well-known CA. In case you use your
+ own CA (e.g. company internal CA) you can import the CA certificates
+ here.
+
+ Please note that this can affect other web applications on the
+ same server if they require different certificates. There seem to be
+ problems on Debian systems and you may also need to restart Apache. In
+ case of any problems please delete the uploaded certificates and use the
+ system setup.
+
+ You can either upload a DER/PEM formatted certificate file or
+ import the certificates directly from an LDAP server that is available
+ with LDAP+SSL (ldaps://). LAM will automatically override system
+ certificates if at least one certificate is uploaded/imported.
+
+ The whole certificate list can be downloaded in PEM format. You
+ can also delete single certificates from the list.
+
+ Please note that you might need to restart your webserver if you
+ do any changes to this configuration.
+
+
+
+
+
+
+
+
+
+
+
+ Password policy
+
+ This allows you to specify a central password policy for LAM. The
+ policy is valid for all password fields inside LAM admin (excluding tree
+ view) and LAM self service. Configuration passwords do not need to
+ follow this policy.
+
+
+
+
+
+
+
+
+
+ You can set the minimum password length and also the complexity of
+ the passwords.
+
+
+
+ Logging
+
+ LAM can log events (e.g. user logins). You can use system logging
+ (syslog for Unix, event viewer for Windows) or log to a separate file.
+ Please note that LAM may log sensitive data (e.g. passwords) at log
+ level "Debug". Production systems should be set to "Warning" or
+ "Error".
+
+ The PHP error reporting is only for developers. By default LAM
+ does not show PHP notice messages in the web pages. You can select to
+ use the php.ini setting here or printing all errors and notices.
+
+
+
+
+
+
+
+
+
+
+
+ Additional options
+
+ Email format
+
+ Some email servers are not standards compatible. If you receive
+ mails that look broken you can change the line endings for sent mails
+ here. Default is to use "\r\n".
+
+ At the moment, this option is only available in LAM Pro as there
+ is no mail sending in the free version. See here for setting up your SMTP server.
+
+
+
+
+
+
+
+
+
+
+
+ Change master password
+
+ If you would like to change the master configuration password then
+ enter a new password here.
+
+
+
+
+
+
+
+
+
+
+
+
+ Server profiles
+
+ The server profiles store information about your LDAP server (e.g.
+ host name) and what kind of accounts (e.g. users and groups) you would
+ like to manage. There is no limit on the number of server profiles. See
+ the typical scenarios about
+ how to structure your server profiles.
+
+
+ Manage server profiles
+
+ Select "Manage server profiles" to open the profile management
+ page.
+
+
+
+
+
+
+
+
+
+ Here you can create, rename and delete server profiles. The passwords of your server profiles can
+ also be reset.
+
+ You may also specify the default server profile. This is the
+ server profile which is preselected at the login page. It also specifies
+ the language of the login and configuration pages.
+
+ Templates for new server
+ profiles
+
+ You can create a new server profile based on one of the built-in
+ templates or any existing profile. Of course, the account types and
+ selected modules can be changed after you created your profile.
+
+ Built-in templates:
+
+
+
+ addressbook: simple profile for user management with
+ inetOrgPerson object class
+
+
+
+ samba3: Samba 3 users, groups, hosts and domains
+
+
+
+ unix: Unix users and groups (posixAccount/Group)
+
+
+
+ windows_samba4: Active Directory user, group and host
+ management
+
+
+
+
+
+
+
+
+
+
+
+ All operations on the profile management page require that you
+ authenticate yourself with the configuration master password.
+
+
+
+ Editing a server profile
+
+ Please select you server profile and enter its password to edit a
+ server profile.
+
+
+
+
+
+
+
+
+
+ Each server profile contains the following information:
+
+
+
+ General settings: general
+ settings about your LDAP server (e.g. host name and security
+ settings)
+
+
+
+ Account types: list of
+ account types (e.g. users and groups) that you would like to manage
+ and type specific settings (e.g. LDAP suffix)
+
+
+
+ Modules: list of modules
+ which define what account aspects (e.g. Unix, Samba, Kolab) you
+ would like to manage
+
+
+
+ Module settings: settings
+ which are specific for the selected account modules on the page
+ before
+
+
+
+
+ General settings
+
+ Here you can specify the LDAP server and some security
+ settings.
-
+
+
+
+
+
+ The server address of your LDAP server can be a DNS name or an
+ IP address. Use ldap:// for unencrypted LDAP connections or TLS
+ encrypted connections. LDAP+SSL (LDAPS) encrypted connections are
+ specified with ldaps://. The port value is optional. TLS cannot be
+ combined with ldaps://.
+
+ Hint: If you use a master/slave setup with referrals then point
+ LAM to your master server. Due to bugs in the underlying LDAP
+ libraries pointing to a slave might cause issues on write
+ operations.
+
+ LAM includes an LDAP browser which allows direct modification of
+ LDAP entries. If you would like to use it then enter the LDAP suffix
+ at "Tree suffix".
+
+ The search limit is used to reduce the number of search results
+ which are returned by your LDAP server.
+
+ The access level specifies if LAM should allow to modify LDAP
+ entries. This feature is only available in LAM Pro. LAM non-Pro
+ releases use write access. See this page for details on
+ the different access levels.
+
+ Advanced options
+
+ Sometimes, you may not want to display the server address on the
+ login page. In this case you can setup a display name here (e.g.
+ "Production").
+
+ By default LAM will not follow LDAP referrals. This is ok for
+ most installations. If you use LDAP referrals please activate the
+ referral option in advanced settings.
+
+ Paged results should be activated only if you encounter any
+ problems regarding size limits on Active Directory. LAM will then
+ query LDAP to return results in chunks of 999 entries.
+
+
+
+
+ LAM is translated to many different languages. Here you can
+ select the default language for this server profile. The language
+ setting may be overriden at the LAM login page.
+
+ Please also set your time zone here.
+
+
+
+
+
+
+
+
+
+ LAM can manage user home directories and quotas with an external
+ script. You can specify the home directory server and where the script
+ is located. The default rights for new home directories can be set,
+ too.
+
+ You can provide a fixed user name. If you leave the field empty
+ then LAM will use your current account (the account you used to login
+ to LAM).
+
+ There are two possibilities to connect to your home
+ directory/quota server:
+
+
+
+ SSH key (recommended): Please generate a SSH key pair and
+ provide the location to the private key file. If the key is protected
+ by a password you can also specify it here.
+
+
+
+ Password: If you do not set a SSH key then LAM will try to
+ connect with your current account (the password you used to login
+ to LAM).
+
+
+
+
+
+
+
+
+
+
+
+ LAM Pro users may directly set passwords from
+ list view. You can configure if it should be possible to set specific
+ passwords and showing password on screen is allowed.
+
+
+
+
+
+
+
+
+
+ LAM Pro users can send out changed passwords to their users.
+ Here you can specify the options for these mails.
+
+ If you select "Allow alternate address" then password mails can
+ be sent to any address (e.g. a secondary address if the user account
+ is also bound to the mailbox).
+
+
+
+
+
+
+
+
+
+ LAM supports two methods for login:
+
+
+
+ Fixed list
+
+
+
+ LDAP search
+
+
+
+
+
+
+
+
+
+
+
+ The first one is to specify a fixed list of LDAP DNs that are
+ allowed to login. Please enter one DN per line.
+
+ The second one is to let LAM search for the DN in your
+ directory. E.g. if a user logs in with the user name "joe" then LAM
+ will do an LDAP search for this user name. When it finds a matching DN
+ then it will use this to authenticate the user. The wildcard "%USER%"
+ will be replaced by "joe" in this example. This way you can provide
+ login by user name, email address or other LDAP attributes.
+
+ Additionally, you can enable HTTP authentication when using
+ "LDAP search". This way the web server is responsible to authenticate
+ your users. LAM will use the given user name + password for the LDAP
+ login. You can also configure this to setup advanced login
+ restrictions (e.g. require group memberships for login). To setup HTTP
+ authentication in Apache please see this link
+ and an example for LDAP authentication here.
+
+ Hint: LDAP search with group
+ membership check can be done with either HTTP authentication or LDAP overlays
+ like "memberOf"
+ or "Dynamic
+ lists". Dynamic lists allow to insert virtual attributes to
+ your user entries. These can then be used for the LDAP filter (e.g.
+ "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))").
+
+
+
+
+
+
+
+
+
+ 2-factor authentication
+
+ LAM supports 2-factor authentication for your users. This means
+ the user will not only authenticate by user+password but also with
+ e.g. a token generated by a mobile device. This adds more security
+ because the token is generated on a physically separated device
+ (typically mobile phone).
+
+ The token is validated by a second application. LAM currently
+ supports:
+
+
+
+ privacyIdea
+
+
+
+ By default LAM will enforce to use a token and reject users that
+ did not setup one. You can set this check to optional. But if a user
+ has setup a token then this will always be required.
+
+
+
+
+
+
+
+
+
+ After logging in with user + password LAM will ask for the 2nd
+ factor. If the user has setup multiple factors then he can choose one
+ of them.
+
+
+
+
+
+
+
+
+
+ Password
+
+ You may also change the password of this server profile. Please
+ just enter the new password in both password fields.
+
+
+
+
+
- Security settings
+ Account types
- Here you can set a time period after which inactive sessions are
- automatically invalidated. The selected value represents minutes of
- inactivity.
-
- You may also set a list of IP addresses which are allowed to
- access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
- or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
- access LAM via an untrusted IP only get blank pages. There is a
- separate field for LAM Pro self service.
-
- Session encryption will encrypt sensitive
- data like passwords in your session files. This is only available when
- PHP MCrypt is active. This
- adds extra security but also costs performance. If you manage a large
- directory you might want to disable this and take other actions to
- secure your LAM server.
+ LAM supports to manage various types of LDAP entries (e.g.
+ users, groups, DHCP entries, ...). On this page you can select which
+ types of entries you want to manage with LAM.
-
+
- SSL certificate
- setup:
+ The section at the top shows a list of possible types. You can
+ activate them by simply clicking on the plus sign next to it.
- By default, LAM uses the CA certificates that are preinstalled
- on your system. This will work if you connect via SSL/TLS to an LDAP
- server that uses a certificate signed by a well-known CA. In case you
- use your own CA (e.g. company internal CA) you can import the CA
- certificates here.
+ Each account type has the following options:
- Please note that this can affect other web applications on the
- same server if they require different certificates. There seem to be
- problems on Debian systems and you may also need to restart Apache. In
- case of any problems please delete the uploaded certificates and use
- the system setup.
+
+
+ LDAP suffix: the LDAP
+ suffix where entries of this type should be managed
+
- You can either upload a DER/PEM formatted certificate file or
- import the certificates directly from an LDAP server that is available
- with LDAP+SSL (ldaps://). LAM will automatically override system
- certificates if at least one certificate is uploaded/imported.
+
+ List attributes: a list of
+ attributes which are shown in the account lists
+
- The whole certificate list can be downloaded in PEM format. You
- can also delete single certificates from the list.
+
+ Additional LDAP filter: LAM
+ will automatically detect the right LDAP entries for each account
+ type. This can be used to further limit the number of visible
+ entries (e.g. if you want to manage only some specific groups).
+ You can use "@@LOGIN_DN@@" as wildcard (e.g.
+ "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the user
+ who is logged in.
+
- Please note that you might need to restart your webserver if you
- do any changes to this configuration.
+
+ Hidden: This is used to
+ hide account types that should not be displayed but are required
+ by other account types. E.g. you can hide the Samba domains
+ account type and still assign domains when you edit your
+ users.
+
+
+
+ Read-only (LAM Pro only):
+ This allows to set a single account type to read-only mode. Please
+ note that this is a restriction on functional level (e.g. group
+ memberships can be changed on user page even if groups are
+ read-only) and is no replacement for setting up proper ACLs on
+ your LDAP server.
+
+
+
+ Custom label: Here you can
+ set a custom label for the account types. Use this if the standard
+ label does not fit for you (e.g. enter "Servers" for
+ hosts).
+
+
+
+ No new entries (LAM Pro
+ only): Use this if you want to prevent that new
+ accounts of this type are created by your users. The GUI will hide
+ buttons to create new entries and also disable file upload for
+ this type.
+
+
+
+ Disallow delete (LAM Pro
+ only): Use this if you want to prevent that accounts of
+ this type are deleted by your users.
+
+
-
+
+
+ On the next page you can specify in detail what extensions
+ should be enabled for each account type.
- Password policy
+ Modules
- This allows you to specify a central password policy for LAM.
- The policy is valid for all password fields inside LAM admin
- (excluding tree view) and LAM self service. Configuration passwords do
- not need to follow this policy.
+ The modules specify the active extensions for each account type.
+ E.g. here you can setup if your user entries should be address book
+ entries only or also support Unix or Samba.
-
+
- You can set the minimum password length and also the complexity
- of the passwords.
-
+ Each account type needs a so called "base module". This is the
+ basement for all LDAP entries of this type. Usually, it provides the
+ structural object class for the LDAP entries. There must be exactly
+ one active base module for each account type.
-
- Logging
-
- LAM can log events (e.g. user logins). You can use system
- logging (syslog for Unix, event viewer for Windows) or log to a
- separate file. Please note that LAM may log sensitive data (e.g.
- passwords) at log level "Debug". Production systems should be set to
- "Warning" or "Error".
-
- The PHP error reporting is only for developers. By default LAM
- does not show PHP notice messages in the web pages. You can select to
- use the php.ini setting here or printing all errors and
- notices.
-
-
-
-
-
-
-
-
+ Furthermore, there may be any number of additional active
+ account modules. E.g. you may select "Personal" as base module and
+ Unix + Samba as additional modules.
- Additional options
+ Module settings
- Email
- format
-
- Some email servers are not standards compatible. If you receive
- mails that look broken you can change the line endings for sent mails
- here. Default is to use "\r\n".
-
- At the moment, this option is only available in LAM Pro as there
- is no mail sending in the free version. See here for setting up your SMTP
- server.
+ Depending on the activated account modules there may be
+ additional configuration options available. They can be found on the
+ "Module settings" tab. E.g. the Personal account module allows to hide
+ several input fields and the Unix module requires to specify ranges
+ for UID numbers.
-
-
-
-
-
-
-
- Change master password
-
- If you would like to change the master configuration password
- then enter a new password here.
-
-
-
-
-
+
-
- Server profiles
+
+ Cron jobs (LAM Pro)
- The server profiles store information about your LDAP server (e.g.
- host name) and what kind of accounts (e.g. users and groups) you would
- like to manage. There is no limit on the number of server profiles. See
- the typical scenarios about
- how to structure your server profiles.
+ LAM Pro can execute common tasks via cron job. This can be used to
+ e.g. notify your users before their passwords expire.
- Manage server profiles
+ LDAP and database configuration
- Select "Manage server profiles" to open the profile management
- page.
+ Please add the LDAP bind user and password for all jobs. This
+ LDAP account will be used to perform all LDAP read and write
+ operations.
+
+ Next, select the database type where LAM should store job
+ related data. Supported databases are SQLite and MySQL.
+
+ SQLite
+
+ This is a simple file based database. It needs no special
+ database server. The database file will be located next to the server
+ profile in config directory.
+
+ You will need to install the SQLite PDO module for PHP
+ (pdo_sqlite.so). For Debian this is located in package
+ php5-sqlite.
-
+
- Here you can create, rename and delete server profiles. The
- passwords of your server
- profiles can also be reset.
+ MySQL
- You may also specify the default server profile. This is the
- server profile which is preselected at the login page. It also
- specifies the language of the login and configuration pages.
+ This will store all job data in an external MySQL
+ database.
- Templates for new server
- profiles
+ You will need to install the MySQL PDO module for PHP
+ (pdo_mysql.so). For Debian this is located in package
+ php5-mysql.
- You can create a new server profile based on one of the built-in
- templates or any existing profile. Of course, the account types and
- selected modules can be changed after you created your profile.
+ Steps to create a MySQL database and user:
- Built-in templates:
-
-
-
- addressbook: simple profile for user management with
- inetOrgPerson object class
-
-
-
- samba3: Samba 3 users, groups, hosts and domains
-
-
-
- unix: Unix users and groups (posixAccount/Group)
-
-
-
- windows_samba4: Active Directory user, group and host
- management
-
-
-
-
-
-
-
-
-
-
-
- All operations on the profile management page require that you
- authenticate yourself with the configuration master
- password.
-
-
-
- Editing a server profile
-
- Please select you server profile and enter its password to edit
- a server profile.
-
-
-
-
-
-
-
-
-
- Each server profile contains the following information:
-
-
-
- General settings: general
- settings about your LDAP server (e.g. host name and security
- settings)
-
-
-
- Account types: list of
- account types (e.g. users and groups) that you would like to
- manage and type specific settings (e.g. LDAP suffix)
-
-
-
- Modules: list of modules
- which define what account aspects (e.g. Unix, Samba, Kolab) you
- would like to manage
-
-
-
- Module settings: settings
- which are specific for the selected account modules on the page
- before
-
-
-
-
- General settings
-
- Here you can specify the LDAP server and some security
- settings.
-
-
-
-
-
-
-
-
-
- The server address of your LDAP server can be a DNS name or an
- IP address. Use ldap:// for unencrypted LDAP connections or TLS
- encrypted connections. LDAP+SSL (LDAPS) encrypted connections are
- specified with ldaps://. The port value is optional. TLS cannot be
- combined with ldaps://.
-
- Hint: If you use a master/slave setup with referrals then
- point LAM to your master server. Due to bugs in the underlying LDAP
- libraries pointing to a slave might cause issues on write
- operations.
-
- LAM includes an LDAP browser which allows direct modification
- of LDAP entries. If you would like to use it then enter the LDAP
- suffix at "Tree suffix".
-
- The search limit is used to reduce the number of search
- results which are returned by your LDAP server.
-
- The access level specifies if LAM should allow to modify LDAP
- entries. This feature is only available in LAM Pro. LAM non-Pro
- releases use write access. See this page for details on
- the different access levels.
-
- Advanced options
-
- Sometimes, you may not want to display the server address on
- the login page. In this case you can setup a display name here (e.g.
- "Production").
-
- By default LAM will not follow LDAP referrals. This is ok for
- most installations. If you use LDAP referrals please activate the
- referral option in advanced settings.
-
- Paged results should be activated only if you encounter any
- problems regarding size limits on Active Directory. LAM will then
- query LDAP to return results in chunks of 999 entries.
-
-
-
-
- LAM is translated to many different languages. Here you can
- select the default language for this server profile. The language
- setting may be overriden at the LAM login page.
-
- Please also set your time zone here.
-
-
-
-
-
-
-
-
-
- LAM can manage user home directories and quotas with an
- external script. You can specify the home directory server and where
- the script is located. The default rights for new home directories
- can be set, too.
-
- You can provide a fixed user name. If you leave the field
- empty then LAM will use your current account (the account you used
- to login to LAM).
-
- There are two possibilities to connect to your home
- directory/quota server:
-
-
-
- SSH key (recommended): Please generate a SSH key pair and
- provide the location to the private key file. If the key is protected
- by a password you can also specify it here.
-
-
-
- Password: If you do not set a SSH key then LAM will try to
- connect with your current account (the password you used to
- login to LAM).
-
-
-
-
-
-
-
-
-
-
-
- LAM Pro users may directly set passwords
- from list view. You can configure if it should be possible to set
- specific passwords and showing password on screen is allowed.
-
-
-
-
-
-
-
-
-
- LAM Pro users can send out changed passwords to their users.
- Here you can specify the options for these mails.
-
- If you select "Allow alternate address" then password mails
- can be sent to any address (e.g. a secondary address if the user
- account is also bound to the mailbox).
-
-
-
-
-
-
-
-
-
- LAM supports two methods for login.
-
-
-
-
-
-
-
-
-
- The first one is to specify a fixed list of LDAP DNs that are
- allowed to login. Please enter one DN per line.
-
- The second one is to let LAM search for the DN in your
- directory. E.g. if a user logs in with the user name "joe" then LAM
- will do an LDAP search for this user name. When it finds a matching
- DN then it will use this to authenticate the user. The wildcard
- "%USER%" will be replaced by "joe" in this example. This way you can
- provide login by user name, email address or other LDAP
- attributes.
-
- Additionally, you can enable HTTP authentication when using
- "LDAP search". This way the web server is responsible to
- authenticate your users. LAM will use the given user name + password
- for the LDAP login. You can also configure this to setup advanced
- login restrictions (e.g. require group memberships for login). To
- setup HTTP authentication in Apache please see this link
- and an example for LDAP authentication here.
-
- Hint: LDAP search with group
- membership check can be done with either HTTP authentication or LDAP
- overlays like "memberOf"
- or "Dynamic
- lists". Dynamic lists allow to insert virtual attributes to
- your user entries. These can then be used for the LDAP filter (e.g.
- "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))").
-
-
-
-
-
-
-
-
-
- You may also change the password of this server profile.
- Please just enter the new password in both password fields.
-
-
-
- Account types
-
- LAM supports to manage various types of LDAP entries (e.g.
- users, groups, DHCP entries, ...). On this page you can select which
- types of entries you want to manage with LAM.
-
-
-
-
-
-
-
-
-
- The section at the top shows a list of possible types. You can
- activate them by simply clicking on the plus sign next to it.
-
- Each account type has the following options:
-
-
-
- LDAP suffix: the LDAP
- suffix where entries of this type should be managed
-
-
-
- List attributes: a list
- of attributes which are shown in the account lists
-
-
-
- Additional LDAP filter:
- LAM will automatically detect the right LDAP entries for each
- account type. This can be used to further limit the number of
- visible entries (e.g. if you want to manage only some specific
- groups). You can use "@@LOGIN_DN@@" as wildcard (e.g.
- "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the
- user who is logged in.
-
-
-
- Hidden: This is used to
- hide account types that should not be displayed but are required
- by other account types. E.g. you can hide the Samba domains
- account type and still assign domains when you edit your
- users.
-
-
-
- Read-only (LAM Pro only):
- This allows to set a single account type to read-only mode.
- Please note that this is a restriction on functional level (e.g.
- group memberships can be changed on user page even if groups are
- read-only) and is no replacement for setting up proper ACLs on
- your LDAP server.
-
-
-
- Custom label: Here you
- can set a custom label for the account types. Use this if the
- standard label does not fit for you (e.g. enter "Servers" for
- hosts).
-
-
-
- No new entries (LAM Pro
- only): Use this if you want to prevent that new
- accounts of this type are created by your users. The GUI will
- hide buttons to create new entries and also disable file upload
- for this type.
-
-
-
- Disallow delete (LAM Pro
- only): Use this if you want to prevent that accounts
- of this type are deleted by your users.
-
-
-
-
-
-
-
-
-
-
-
- On the next page you can specify in detail what extensions
- should be enabled for each account type.
-
-
-
- Modules
-
- The modules specify the active extensions for each account
- type. E.g. here you can setup if your user entries should be address
- book entries only or also support Unix or Samba.
-
-
-
-
-
-
-
-
-
- Each account type needs a so called "base module". This is the
- basement for all LDAP entries of this type. Usually, it provides the
- structural object class for the LDAP entries. There must be exactly
- one active base module for each account type.
-
- Furthermore, there may be any number of additional active
- account modules. E.g. you may select "Personal" as base module and
- Unix + Samba as additional modules.
-
-
-
- Module settings
-
- Depending on the activated account modules there may be
- additional configuration options available. They can be found on the
- "Module settings" tab. E.g. the Personal account module allows to
- hide several input fields and the Unix module requires to specify
- ranges for UID numbers.
-
-
-
-
-
-
-
-
-
-
-
-
- Cron jobs (LAM Pro)
-
- LAM Pro can execute common tasks via cron job. This can be used
- to e.g. notify your users before their passwords expire.
-
-
- LDAP and database configuration
-
- Please add the LDAP bind user and password for all jobs. This
- LDAP account will be used to perform all LDAP read and write
- operations.
-
- Next, select the database type where LAM should store job
- related data. Supported databases are SQLite and MySQL.
-
- SQLite
-
- This is a simple file based database. It needs no special
- database server. The database file will be located next to the
- server profile in config directory.
-
- You will need to install the SQLite PDO module for PHP
- (pdo_sqlite.so). For Debian this is located in package
- php5-sqlite.
-
-
-
-
-
-
-
-
-
- MySQL
-
- This will store all job data in an external MySQL
- database.
-
- You will need to install the MySQL PDO module for PHP
- (pdo_mysql.so). For Debian this is located in package
- php5-mysql.
-
- Steps to create a MySQL database and user:
-
- # login
+ # login
mysql -u root -p
# create a database
mysql> create database lam_cron;
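Review bot: the cron-job LDAP settings paragraph in this hunk ("Please add the LDAP bind user and password for all jobs. This LDAP account will be used to perform all LDAP read and write operations.") is re-indented without saying what rights that account needs or where its password lives. Because the same credentials drive the "delete or move expired accounts" jobs, the bind DN needs delete and rename rights on the affected subtrees, and since the job settings are part of the server profile the password is stored on the LAM host next to it (the SQLite paragraph already notes that the job database "will be located next to the server profile in config directory"). Suggest adding one sentence recommending a dedicated, least-privilege bind account for the jobs instead of the interactive admin login, plus a reminder to restrict file permissions on the config directory, which then also covers the SQLite job database.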
@@ -711,769 +766,758 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%';
mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
+ Test your settings
- After the LDAP and database settings are done you can test
- your settings.
+ After the LDAP and database settings are done you can test your
+ settings.
- Cron entry
+ Cron entry
- LAM also prints the crontab line that you need to run the
- configured jobs on a daily basis. The command must be run as the
- same user as your webserver is running. You are free to change the
- starting time of the script or run it more often.
-
+ LAM also prints the crontab line that you need to run the
+ configured jobs on a daily basis. The command must be run as the same
+ user as your webserver is running. You are free to change the starting
+ time of the script or run it more often.
+
+
+
+ Adding jobs
+
+ To add a new job just click on the "Add job" button and select
+ the job type you need. The list of available jobs depends on your
+ active account modules. E.g. the PPolicy job will only be available if
+ you activated PPolicy user module.
+
+ Depending on the job type jobs may be added multiple times with
+ different configurations. For descriptions about the available job
+ types see next chapters.
+
+
+
+
+
+
+
+
- Adding jobs
+ PPolicy: Notify users about password expiration
- To add a new job just click on the "Add job" button and select
- the job type you need. The list of available jobs depends on your
- active account modules. E.g. the PPolicy job will only be available
- if you activated PPolicy user module.
+ This will send your users an email reminder before their
+ password expires.
- Depending on the job type jobs may be added multiple times
- with different configurations. For descriptions about the available
- job types see next chapters.
+ You need to activate the PPolicy module for users to be able
+ to add this job. The job can be added multiple times (e.g. to send a
+ second warning at a later time).
+
+ LAM calculates the expiration date based on the last password
+ change and the assigned password policy (or the default policy)
+ using attributes pwdMaxAge and pwdExpireWarning.
+
+ Examples:
+
+ Warning time (pwdExpireWarning) = 14 days, notification period
+ = 10: LAM will send out the email 24 days before the password
+ expires
+
+ Warning time (pwdExpireWarning) = 14 days, notification period
+ = 0: LAM will send out the email 14 days before the password
+ expires
+
+ No warning time (pwdExpireWarning), notification period = 10:
+ LAM will send out the email 10 days before the password
+ expires
-
+
-
- PPolicy: Notify users about password expiration
+
+ Options
- This will send your users an email reminder before their
- password expires.
+
+
+
+ Option
- You need to activate the PPolicy module for users to be able
- to add this job. The job can be added multiple times (e.g. to send
- a second warning at a later time).
+ Description
+
- LAM calculates the expiration date based on the last
- password change and the assigned password policy (or the default
- policy) using attributes pwdMaxAge and pwdExpireWarning.
+
+ From address
- Examples:
+ The email address to set as FROM.
+
- Warning time (pwdExpireWarning) = 14 days, notification
- period = 10: LAM will send out the email 24 days before the
- password expires
+
+ Reply-to address
- Warning time (pwdExpireWarning) = 14 days, notification
- period = 0: LAM will send out the email 14 days before the
- password expires
+ Optional Reply-to address for email.
+
- No warning time (pwdExpireWarning), notification period =
- 10: LAM will send out the email 10 days before the password
- expires
+
+ CC address
-
-
-
-
-
-
-
+ Optional CC mail address.
+
-
- Options
+
+ BCC address
-
-
-
- Option
+ Optional BCC mail address.
+
- Description
-
+
+ Subject
-
- From address
+ The email subject line. Supports wildcards, see
+ below.
+
- The email address to set as FROM.
-
+
+ Text
-
- Reply-to address
+ The email body text. Supports wildcards, see
+ below.
+
- Optional Reply-to address for email.
-
+
+ Notification period
-
- CC address
+ Number of days to notify before password
+ expires.
+
- Optional CC mail address.
-
+
+ Default password policy
-
- BCC address
+ Default PPolicy password policy entry (object class
+ "pwdPolicy").
+
+
+
+
- Optional BCC mail address.
-
+ Wildcards:
-
- Subject
+ You can enter LDAP attributes as wildcards in the form
+ @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
+ For the common name it would be "@@cn@@".
- The email subject line. Supports wildcards, see
- below.
-
-
-
- Text
-
- The email body text. Supports wildcards, see
- below.
-
-
-
- Notification period
-
- Number of days to notify before password
- expires.
-
-
-
- Default password policy
-
- Default PPolicy password policy entry (object class
- "pwdPolicy").
-
-
-
-
-
- Wildcards:
-
- You can enter LDAP attributes as wildcards in the form
- @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
- "@@cn@@". For the common name it would be "@@cn@@".
-
- There are also two special wildcards for the expiration
- date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
- "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
- "2016-12-31".
-
-
-
- 389ds: Notify users about password expiration
-
- This will send your users an email reminder before their
- password expires.
-
- You need to activate the Account Locking module for users to
- be able to add this job. The job can be added multiple times (e.g.
- to send a second warning at a later time).
-
- LAM calculates the expiration date based on the attribute
- passwordExpirationTime.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- From address
-
- The email address to set as FROM.
-
-
-
- Reply-to address
-
- Optional Reply-to address for email.
-
-
-
- CC address
-
- Optional CC mail address.
-
-
-
- BCC address
-
- Optional BCC mail address.
-
-
-
- Subject
-
- The email subject line. Supports wildcards, see
- below.
-
-
-
- Text
-
- The email body text. Supports wildcards, see
- below.
-
-
-
- Notification period
-
- Number of days to notify before password
- expires.
-
-
-
-
-
- Wildcards:
-
- You can enter LDAP attributes as wildcards in the form
- @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
- "@@cn@@". For the common name it would be "@@cn@@".
-
- There are also two special wildcards for the expiration
- date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
- "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
- "2016-12-31".
-
-
-
- Shadow: Notify users about password expiration
-
- This will send your users an email reminder before their
- password expires.
-
- You need to activate the Shadow module for users to be able
- to add this job. The job can be added multiple times (e.g. to send
- a second warning at a later time).
-
- LAM calculates the expiration date based on the last
- password change, the password warning time (attribute
- "shadowWarning") and the specified notification period.
-
- Examples:
-
- Warning time = 14, notification period = 10: LAM will send
- out the email 24 days before the password expires
-
- Warning time = 14, notification period = 0: LAM will send
- out the email 14 days before the password expires
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- From address
-
- The email address to set as FROM.
-
-
-
- Reply-to address
-
- Optional Reply-to address for email.
-
-
-
- CC address
-
- Optional CC mail address.
-
-
-
- BCC address
-
- Optional BCC mail address.
-
-
-
- Subject
-
- The email subject line. Supports wildcards, see
- below.
-
-
-
- Text
-
- The email body text. Supports wildcards, see
- below.
-
-
-
- Notification period
-
- Number of days to notify before password
- expires.
-
-
-
-
-
- Wildcards:
-
- You can enter LDAP attributes as wildcards in the form
- @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
- "@@cn@@". For the common name it would be "@@cn@@".
-
- There are also two special wildcards for the expiration
- date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
- "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
- "2016-12-31".
-
-
-
- Shadow: Delete or move expired accounts
-
- You can automatically delete or move expired accounts. The
- job checks Shadow account expiration dates (not password
- expiration dates).
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- Delay
-
- Number of days to wait after the account is
- expired.
-
-
-
- Action
-
- Delete or move accounts
-
-
-
- Target DN
-
- Move only: specifies the DN where accounts are
- moved
-
-
-
-
-
-
-
- Windows: Notify users about password expiration
-
- This will send your users an email reminder before their
- password expires.
-
- You need to activate the Windows module for users to be able
- to add this job. The job can be added multiple times (e.g. to send
- a second warning at a later time).
-
- LAM calculates the expiration date based on the last
- password change and the domain policy.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- From address
-
- The email address to set as FROM.
-
-
-
- Reply-to address
-
- Optional Reply-to address for email.
-
-
-
- CC address
-
- Optional CC mail address.
-
-
-
- BCC address
-
- Optional BCC mail address.
-
-
-
- Subject
-
- The email subject line. Supports wildcards, see
- below.
-
-
-
- Text
-
- The email body text. Supports wildcards, see
- below.
-
-
-
- Notification period
-
- Number of days to notify before password
- expires.
-
-
-
-
-
- Wildcards:
-
- You can enter LDAP attributes as wildcards in the form
- @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
- "@@cn@@". For the common name it would be "@@cn@@".
-
- There are also two special wildcards for the expiration
- date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
- "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
- "2016-12-31".
-
-
-
- Windows: Delete or move expired accounts
-
- You can automatically delete or move expired
- accounts.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- Delay
-
- Number of days to wait after the account is
- expired.
-
-
-
- Action
-
- Delete or move accounts
-
-
-
- Target DN
-
- Move only: specifies the DN where accounts are
- moved
-
-
-
-
-
-
-
- FreeRadius: Delete or move expired accounts
-
- You can automatically delete or move expired
- accounts.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- Delay
-
- Number of days to wait after the account is
- expired.
-
-
-
- Action
-
- Delete or move accounts
-
-
-
- Target DN
-
- Move only: specifies the DN where accounts are
- moved
-
-
-
-
-
-
-
- Qmail: Delete or move expired accounts
-
- You can automatically delete or move expired accounts. The
- job reads the qmail deletion date of user accounts.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- Delay
-
- Number of days to wait after the account is
- expired.
-
-
-
- Action
-
- Delete or move accounts
-
-
-
- Target DN
-
- Move only: specifies the DN where accounts are
- moved
-
-
-
-
-
+ There are also two special wildcards for the expiration date.
+ @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
+ @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
+ "2016-12-31".
- Job history
+ 389ds: Notify users about password expiration
- This will show the list of all executed job runs and their
- result.
+ This will send your users an email reminder before their
+ password expires.
+
+ You need to activate the Account Locking module for users to
+ be able to add this job. The job can be added multiple times (e.g.
+ to send a second warning at a later time).
+
+ LAM calculates the expiration date based on the attribute
+ passwordExpirationTime.
-
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ From address
+
+ The email address to set as FROM.
+
+
+
+ Reply-to address
+
+ Optional Reply-to address for email.
+
+
+
+ CC address
+
+ Optional CC mail address.
+
+
+
+ BCC address
+
+ Optional BCC mail address.
+
+
+
+ Subject
+
+ The email subject line. Supports wildcards, see
+ below.
+
+
+
+ Text
+
+ The email body text. Supports wildcards, see
+ below.
+
+
+
+ Notification period
+
+ Number of days to notify before password
+ expires.
+
+
+
+
+
+ Wildcards:
+
+ You can enter LDAP attributes as wildcards in the form
+ @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
+ For the common name it would be "@@cn@@".
+
+ There are also two special wildcards for the expiration date.
+ @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
+ @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
+ "2016-12-31".
+
+
+
+ Shadow: Notify users about password expiration
+
+ This will send your users an email reminder before their
+ password expires.
+
+ You need to activate the Shadow module for users to be able to
+ add this job. The job can be added multiple times (e.g. to send a
+ second warning at a later time).
+
+ LAM calculates the expiration date based on the last password
+ change, the password warning time (attribute "shadowWarning") and
+ the specified notification period.
+
+ Examples:
+
+ Warning time = 14, notification period = 10: LAM will send out
+ the email 24 days before the password expires
+
+ Warning time = 14, notification period = 0: LAM will send out
+ the email 14 days before the password expires
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ From address
+
+ The email address to set as FROM.
+
+
+
+ Reply-to address
+
+ Optional Reply-to address for email.
+
+
+
+ CC address
+
+ Optional CC mail address.
+
+
+
+ BCC address
+
+ Optional BCC mail address.
+
+
+
+ Subject
+
+ The email subject line. Supports wildcards, see
+ below.
+
+
+
+ Text
+
+ The email body text. Supports wildcards, see
+ below.
+
+
+
+ Notification period
+
+ Number of days to notify before password
+ expires.
+
+
+
+
+
+ Wildcards:
+
+ You can enter LDAP attributes as wildcards in the form
+ @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
+ For the common name it would be "@@cn@@".
+
+ There are also two special wildcards for the expiration date.
+ @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
+ @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
+ "2016-12-31".
+
+
+
+ Shadow: Delete or move expired accounts
+
+ You can automatically delete or move expired accounts. The job
+ checks Shadow account expiration dates (not password expiration
+ dates).
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ Delay
+
+ Number of days to wait after the account is
+ expired.
+
+
+
+ Action
+
+ Delete or move accounts
+
+
+
+ Target DN
+
+ Move only: specifies the DN where accounts are
+ moved
+
+
+
+
+
+
+
+ Windows: Notify users about password expiration
+
+ This will send your users an email reminder before their
+ password expires.
+
+ You need to activate the Windows module for users to be able
+ to add this job. The job can be added multiple times (e.g. to send a
+ second warning at a later time).
+
+ LAM calculates the expiration date based on the last password
+ change and the domain policy.
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ From address
+
+ The email address to set as FROM.
+
+
+
+ Reply-to address
+
+ Optional Reply-to address for email.
+
+
+
+ CC address
+
+ Optional CC mail address.
+
+
+
+ BCC address
+
+ Optional BCC mail address.
+
+
+
+ Subject
+
+ The email subject line. Supports wildcards, see
+ below.
+
+
+
+ Text
+
+ The email body text. Supports wildcards, see
+ below.
+
+
+
+ Notification period
+
+ Number of days to notify before password
+ expires.
+
+
+
+
+
+ Wildcards:
+
+ You can enter LDAP attributes as wildcards in the form
+ @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
+ For the common name it would be "@@cn@@".
+
+ There are also two special wildcards for the expiration date.
+ @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
+ @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
+ "2016-12-31".
+
+
+
+ Windows: Delete or move expired accounts
+
+ You can automatically delete or move expired accounts.
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ Delay
+
+ Number of days to wait after the account is
+ expired.
+
+
+
+ Action
+
+ Delete or move accounts
+
+
+
+ Target DN
+
+ Move only: specifies the DN where accounts are
+ moved
+
+
+
+
+
+
+
+ FreeRadius: Delete or move expired accounts
+
+ You can automatically delete or move expired accounts.
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ Delay
+
+ Number of days to wait after the account is
+ expired.
+
+
+
+ Action
+
+ Delete or move accounts
+
+
+
+ Target DN
+
+ Move only: specifies the DN where accounts are
+ moved
+
+
+
+
+
+
+
+ Qmail: Delete or move expired accounts
+
+ You can automatically delete or move expired accounts. The job
+ reads the qmail deletion date of user accounts.
+
+
+
+
+
+
+
+
+
+
+ Options
+
+
+
+
+ Option
+
+ Description
+
+
+
+ Delay
+
+ Number of days to wait after the account is
+ expired.
+
+
+
+ Action
+
+ Delete or move accounts
+
+
+
+ Target DN
+
+ Move only: specifies the DN where accounts are
+ moved
+
+
+
+
-
- Typical scenarios
+
+ Job history
- This is a list of typical scenarios how your LDAP environment
- may look like and how to structure the server profiles for it.
+ This will show the list of all executed job runs and their
+ result.
-
- Simple: One LDAP directory managed by a small group of
- admins
-
- This is the easiest and most common scenario. You want to
- manage a single LDAP server and there is only one or a few admins.
- In this case just create one server profile and you are done. The
- admins may be either specified as a fixed list or by using an LDAP
- search at login time.
-
-
-
-
-
-
-
-
-
-
-
- Advanced: One LDAP server which is managed by different admin
- groups
-
- Large organisations may have one big LDAP directory for all
- user/group accounts. But the users are managed by different groups
- of admins (e.g. departments, locations, subsidiaries, ...). The
- users are typically divided into organisational units in the LDAP
- tree. Admins may only manage the users in their part of the
- tree.
-
-
-
-
-
-
-
-
-
- In this situation it is recommended to create one server
- profile for each admin group (e.g. department). Setup the LDAP
- suffixes in the server profiles to point to the needed
- organisational units. E.g. use
- ou=people,ou=department1,dc=company,dc=com or
- ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
- Do the same for groups, hosts, ... This way each admin group will
- only see its own users. You may want to use LDAP search for the LAM
- login in this scenario. This will prevent that you need to update a
- server profile if the number of admins changes.
-
- Attention: LAM's feature to
- automatically find free UIDs/GIDs for new users/groups will not work
- in this case. LAM uses the user/group suffix to search for already
- assigned UIDs/GIDs. As an alternative you can specify different
- UID/GID ranges for each department. Then the UIDs/GIDs will stay
- unique for the whole directory.
-
-
-
- Multiple LDAP servers
-
- You can manage as many LDAP servers with LAM as you wish. This
- scenario is similar to the advanced scenario above. Just create one
- server profile for each LDAP server.
-
-
-
-
-
-
-
-
-
-
-
- Single LDAP directory with lots of users (>10 000)
-
- LAM was tested to work with 10 000 users. If you have a lot
- more users then you have basically two options.
-
-
-
- Divide your LDAP tree in organisational units: This is
- usually the best performing option. Put your accounts in several
- organisational units and setup LAM as in the advanced scenario
- above.
-
-
-
- Increase memory limit: Increase the memory_limit parameter
- in your php.ini. This will allow LAM to read more entries. But
- this will slow down the response times of LAM.
-
-
-
+
+
+
+
+
+
+
-
+
+
+ Typical scenarios
+
+ This is a list of typical scenarios how your LDAP environment may
+ look like and how to structure the server profiles for it.
+
+
+ Simple: One LDAP directory managed by a small group of
+ admins
+
+ This is the easiest and most common scenario. You want to manage
+ a single LDAP server and there is only one or a few admins. In this
+ case just create one server profile and you are done. The admins may
+ be either specified as a fixed list or by using an LDAP search at
+ login time.
+
+
+
+
+
+
+
+
+
+
+
+ Advanced: One LDAP server which is managed by different admin
+ groups
+
+ Large organisations may have one big LDAP directory for all
+ user/group accounts. But the users are managed by different groups of
+ admins (e.g. departments, locations, subsidiaries, ...). The users are
+ typically divided into organisational units in the LDAP tree. Admins
+ may only manage the users in their part of the tree.
+
+
+
+
+
+
+
+
+
+ In this situation it is recommended to create one server profile
+ for each admin group (e.g. department). Setup the LDAP suffixes in the
+ server profiles to point to the needed organisational units. E.g. use
+ ou=people,ou=department1,dc=company,dc=com or
+ ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
+ Do the same for groups, hosts, ... This way each admin group will only
+ see its own users. You may want to use LDAP search for the LAM login
+ in this scenario. This will prevent that you need to update a server
+ profile if the number of admins changes.
+
+ Attention: LAM's feature to
+ automatically find free UIDs/GIDs for new users/groups will not work
+ in this case. LAM uses the user/group suffix to search for already
+ assigned UIDs/GIDs. As an alternative you can specify different
+ UID/GID ranges for each department. Then the UIDs/GIDs will stay
+ unique for the whole directory.
+
+
+
+ Multiple LDAP servers
+
+ You can manage as many LDAP servers with LAM as you wish. This
+ scenario is similar to the advanced scenario above. Just create one
+ server profile for each LDAP server.
+
+
+
+
+
+
+
+
+
+
+
+ Single LDAP directory with lots of users (>10 000)
+
+ LAM was tested to work with 10 000 users. If you have a lot more
+ users then you have basically two options.
+
+
+
+ Divide your LDAP tree in organisational units: This is
+ usually the best performing option. Put your accounts in several
+ organisational units and setup LAM as in the advanced scenario
+ above.
+
+
+
+ Increase memory limit: Increase the memory_limit parameter
+ in your php.ini. This will allow LAM to read more entries. But
+ this will slow down the response times of LAM.
+
+
+
+
+
+
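Review bot: the MySQL setup at the top of this hunk keeps `GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%';` alongside the `'localhost'` grant; the `'%'` host wildcard lets the job user connect from any host, so the documented steps should show only the grant for the host LAM actually runs on (localhost, or the web server's address) and drop the `'%'` line. Further down, the wildcard paragraph repeated in every notify job ("E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".") states the same thing twice; the re-indent is a good moment to delete the second sentence in all four copies (PPolicy, 389ds, Shadow, Windows). The "Delete or move expired accounts" job sections also give no hint that the delete action is irreversible or that the cron bind user needs delete/modrdn rights; a one-line warning next to the Delay option would help.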
diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index 5039fdcc..3190212c 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -1,12165 +1,25 @@
-
+
LDAP Account Manager - Manual
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- Overview
-
- LDAP Account Manager (LAM) manages user, group and host accounts in
- an LDAP directory. LAM runs on any webserver with PHP5 support and
- connects to your LDAP server unencrypted or via SSL/TLS.
-
- LAM supports Samba 3/4, Unix, Zarafa, Kolab 2/3, address book
- entries, NIS mail aliases, MAC addresses and much more. There is a tree
- viewer included to allow access to the raw LDAP attributes. You can use
- templates for account creation and use multiple configuration
- profiles.
-
- https://www.ldap-account-manager.org/
-
- Copyright (C) 2003 - 2016 Roland Gruber
- <post@rolandgruber.de>
-
- Key features:
-
-
-
- managing user/group/host/domain entries
-
-
-
- account profiles
-
-
-
- account creation via file upload
-
-
-
- multiple configuration profiles
-
-
-
- LDAP browser
-
-
-
- schema browser
-
-
-
- OU editor
-
-
-
- PDF export for all accounts
-
-
-
- manage user/group Quota and create home directories
-
-
-
- Requirements:
-
-
-
- PHP5 (>= 5.4.0)
-
-
-
- Any standard LDAP server (e.g. OpenLDAP, Active Directory, Samba
- 4, OpenDJ, 389 Directory Server, Apache DS, ...)
-
-
-
- A recent web browser that supports CSS2 and JavaScript, at
- minimum:
-
-
-
- Firefox (max. 2 years old)
-
-
-
- Chrome (max. 2 years old)
-
-
-
- Internet Explorer 9 (compatibility
- mode turned off)
-
-
-
- Opera (max. 2 years old)
-
-
-
-
-
- The default password to edit the configuration options is
- "lam".
-
- License:
-
- LAM is published under the GNU General Public License. The complete
- list of licenses can be found in the copyright file.
-
- Default password:
-
- The default password for the LAM configuration is "lam".
-
-
-Have fun!
- The LAM development team
-
-
-
- Big picture
-
-
- Overview
-
- LAM has two major areas:
-
-
-
- Admin interface to manage all sorts of different LDAP entries
- (e.g. users/groups/hosts)
-
-
-
- Self service (LAM Pro) where end users can edit their own
- data
-
-
-
-
-
-
-
-
-
-
-
-
-
- Admin interface
-
- This is the main part of the application. It allows to manage a
- large list of LDAP entries (e.g. users, groups, DNS entries, ...). This
- part is accessed by LDAP admins and support staff.
-
-
-
-
-
-
-
-
-
- Functional areas:
-
-
-
- Account tabs: These tabs allow to switsch between different
- account types
-
-
-
- Tree view: Provides an LDAP browser to edit LDAP entries on
- attribute level
-
-
-
- Tools menu: Contains useful tools such as profile and PDF
- editor
-
-
-
- Help: Link to manual
-
-
-
- Logout: Logout of the application
-
-
-
- List view: Lists all entries of the selected account type
- (e.g. users)
-
-
-
- List configuration: Configuration settings for list view (e.g.
- number of entries per page)
-
-
-
- Filter: Filter boxes allow to enter simple filters like
- "a*"
-
-
-
- Self Service
-
- The self service provides a simple interface for your users to
- edit their own data (e.g. telephone number). It also supports user self
- registration and password reset functionality.
-
- You can fully customize the layout of the self service
- page.
-
-
-
-
-
-
-
-
-
- Configuration
-
- Configuration is done on multiple levels:
-
- Global
-
- Effective for all parts of LAM (e.g. logging and password
- policy).
-
- Configured via LAM admin login -> LAM configuration -> Edit general settings.
-
- Server profile
-
- All settings for an LDAP connection (e.g. server name, LDAP
- suffixes, account types/modules to activate) in admin interface. There
- may be multiple for one LDAP server (e.g. for multiple departments,
- different user groups, ...).
-
- Configured via LAM admin login -> LAM configuration -> Edit server profile.
-
- Self service
-
- All settings for a self service interface (e.g. fields that can be
- edited, password reset functionality, ...).
-
- Configured via LAM admin login -> LAM configuration -> Edit self service.
-
- Profiles
-
- Account profiles store
- default values for new LDAP entries.
-
- PDF structures
-
- PDF structures define the layout
- and list of data fields to include in PDF export.
-
-
-
- Glossary
-
- Here you can find a list of common terms used in LAM.
-
-
- Glossary
-
-
-
-
- Term
-
- Description
-
-
-
-
-
- Account module
-
- Plugin for a specific account type (e.g. Unix plugin for
- user type)
-
-
-
- Account type
-
- Type of an LDAP entry (e.g. user/group/host)
-
-
-
- Admin interface
-
- LAM webpages for admin user (e.g. to create new
- users)
-
-
-
- Lamdaemon
-
- Support script to manage user file system quotas and
- create home directories
-
-
-
- PDF editor
-
- Manages PDF structures
-
-
-
- PDF export
-
- Exports an entry to PDF by using a PDF structure
-
-
-
- PDF structure
-
- Defines the layout and list of data fields to include in
- PDF export
-
-
-
- Profile
-
- Template for creation of LDAP entries, contains default
- values
-
-
-
- Profile editor
-
- Manages profiles for all account types
-
-
-
- Self Service
-
- LAM webpages for normal users where they can edit their
- own data
-
-
-
- Self service profile
-
- Configuration for self service pages (multiple
- configurations can exist)
-
-
-
- Tree view
-
- LDAP browser that allows to modify LDAP entries on
- attribute/object class level
-
-
-
-
-
-
-
- Architecture
-
- There are basically two groups of users for LAM:
-
-
-
- LDAP administrators and support
- staff:
-
- These people administer LDAP entries like user accounts,
- groups, ...
-
-
-
- Users:
-
- This includes all people who need to manage their own data
- inside the LDAP directory. E.g. these people edit their contact
- information with LAM self service (LAM Pro).
-
-
-
-
-
-
-
-
-
-
-
- Therefore, LAM is split into two separate parts, LAM for admins
- and for users. LAM for admins allows to manage various types of LDAP
- entries (e.g. users, groups, hosts, ...). It also contains tools like
- batch upload, account profiles, LDAP schema viewer and an LDAP browser.
- LAM for users focuses on end users. It provides a self service for the
- users to edit their personal data (e.g. contact information). The LAM
- administrator is able to specify what data may be changed by the users.
- The design is also adaptable to your corporate design.
-
- LAM for admins/users is accessible via HTTP(S) by all major web
- browsers (Firefox, IE, Opera, ...).
-
- LAM runtime environment:
-
- LAM runs on PHP. Therefore, it is independant of CPU architecture
- and operating system (OS). You can run LAM on any OS which supports
- Apache, Nginx or other PHP compatible web servers.
-
- Home directory server:
-
- You can manage user home directories and their quotas inside LAM.
- The home directories may reside on the server where LAM is installed or
- any remote server. The commands for home directory management are
- secured by SSH. LAM will use the user name and password of the logged in
- LAM administrator for authentication.
-
- LDAP directory:
-
- LAM connects to your LDAP server via standard LDAP protocol. It
- also supports encrypted connections with SSL and TLS.
-
-
-
-
- Installation
-
-
- New installation
-
-
- Requirements
-
- LAM has the following requirements to run:
-
-
-
- Apache/Nginx webserver (SSL recommended) with PHP module
- (PHP 5 (>= 5.2.4) with ldap, gettext, xml, openssl and optional
- mcrypt)
-
-
-
- Some LAM plugins may require additional PHP extensions (you
- will get a note on the login page if something is missing)
-
-
-
- Perl (optional, needed only for lamdaemon)
-
-
-
- Any standard LDAP server (e.g. OpenLDAP, Active Directory,
- Samba 4, OpenDJ, 389 Directory Server, Apache DS, ...)
-
-
-
- A recent web browser that supports CSS2 and JavaScript, at
- minimum:
-
-
-
- Firefox (max. 2 years old)
-
-
-
- Internet Explorer 9 (compatibility mode turned
- off)
-
-
-
- Opera (max. 2 years old)
-
-
-
- Chrome (max. 2 years old)
-
-
-
-
-
- MCrypt will be used to store your LDAP password encrypted in the
- session file.
-
- Please note that LAM does not ship with a selinux policy. Please
- disable selinux or create your own
- policy.
-
- See LDAP schema fles for
- information about used LDAP schema files.
-
-
-
- Prepackaged releases
-
- LAM is available as prepackaged version for various
- platforms.
-
-
- Debian
-
-
-
-
-
-
-
-
-
-
-
- LAM is part of the official Debian repository. New
- releases are uploaded to unstable and will be available
- automatically in testing and the stable releases. You can
- runapt-get
- install ldap-account-managerto install LAM
- on your server. Additionally, you may download the latest
- LAM Debian packages from the LAM
- homepage or the Debian
- package homepage.Installation of the latest packages on
- Debian
-
- Install the LAM package
-
- dpkg -i ldap-account-manager_*.deb
-
- If you get any messages about missing
- dependencies run now: apt-get -f install
-
-
-
- Install the lamdaemon package (optional)
-
- dpkg -i
- ldap-account-manager-lamdaemon_*.deb
-
-
-
-
-
-
-
-
-
- Suse/Fedora/CentOS
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- There are RPM packages available on the LAM
- homepage. The packages can be installed with these
- commands:rpm -e
- ldap-account-manager
- ldap-account-manager-lamdaemon (if an older
- version is installed)rpm
- -i <path to LAM
- package>
-Note: The RPM packages
- for Fedora/CentOS do not contain a dependency to PHP due to
- the various package names for it. Please make sure that you
- install Apache/Nginx with PHP.
-
-
-
-
-
-
-
- Other RPM based distributions
-
- The RPM packages for Suse/Fedora are very generic and should
- be installable on other RPM-based distributions, too. The Fedora
- packages use apache:apache as file owner and the Suse ones use
- wwwrun:www.
-
-
-
- FreeBSD
-
-
-
-
-
-
-
-
-
-
-
- LAM is part of the official FreeBSD ports tree. For
- more details see these pages:FreeBSD-SVN: http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/FreshPorts:
- http://www.freshports.org/sysutils/ldap-account-manager
-
-
-
-
-
-
-
-
- Installing the tar.bz2
-
-
- Extract the archive
-
- Please extract the archive with the following command:
-
- tar xjf ldap-account-manager-<version>.tar.bz2
-
-
-
- Install the files
-
-
- Manual copy
-
- Copy the files into the html-file scope of the web server.
- For example /apache/htdocs or /var/www/html.
-
- Then set the appropriate file permissions inside the LAM
- directory:
-
-
-
- sess: write permission for apache/nginx user
-
-
-
- tmp: write permission for apache/nginx user
-
-
-
- tmp/internal: write permission for apache/nginx
- user
-
-
-
- config (with subdirectories): write permission for
- apache/nginx user
-
-
-
- lib/lamdaemon.pl: set executable
-
-
-
-
-
- With configure script
-
- Instead of manually copying files you can also use the
- included configure script to install LAM. Just run these commands
- in the extracted directory:
-
-
-
- ./configure
-
-
-
- make install
-
-
-
- Options for "./configure":
-
-
-
- --with-httpd-user=USER USER is the name of your
- Apache/Nginx user account (default httpd)
-
-
-
- --with-httpd-group=GROUP GROUP is the name of your
- Apache/Nginx group (default httpd)
-
-
-
- --with-web-root=DIRECTORY DIRECTORY is the name where
- LAM should be installed (default /usr/local/lam)
-
-
-
-
-
-
- Configuration files
-
- Copy config/config.cfg.sample to config/config.cfg. Open the
- index.html in your web browser:
-
-
-
- Follow the link "LAM configuration" from the start page to
- configure LAM.
-
-
-
- Select "Edit general settings" to setup global settings
- and to change the master
- configuration password (default is "lam").
-
-
-
- Select "Edit server profiles" to setup a server
- profile.
-
-
-
-
-
- Webserver configuration
-
- Please see the Apache or Nginx chapter.
-
-
-
-
- System configuration
-
-
- PHP
-
- LAM runs with PHP5 (>= 5.2.4). Needed changes in your
- php.ini:
-
- memory_limit = 64M
-
- For large installations (>10000 LDAP entries) you may need
- to increase the memory limit to 256M.
-
- If you run PHP with activated Suhosin
- extension please check your logs for alerts. E.g. LAM requires that
- "suhosin.post.max_name_length" and
- "suhosin.request.max_varname_length" are increased (e.g. to
- 256).
-
-
-
- Locales for non-English translation
-
- If you want to use a translated version of LAM be sure to
- install the needed locales. The following table shows the needed
- locales for the different languages.
-
-
-
- You can get a list of all installed locales on your system by
- executing:
-
- locale -a
-
- Debian users can add locales with "dpkg-reconfigure
- locales".
-
-
-
-
-
- Upgrading LAM or migrate from LAM to LAM Pro
-
- Upgrading from LAM to LAM Pro is like installing a new LAM
- version. Simply install the LAM Pro packages/tar.bz2 instead of the LAM
- ones.
-
-
- Upgrade LAM
-
- Backup configuration
- files
-
- Configuration files need only to be backed up for .tar.bz2
- installations. DEB/RPM installations do not require this step.
-
- LAM stores all configuration files in the "config" folder.
- Please backup the following files and copy them after the new version
- is installed.
-
-
- config/*.conf
-
- config/config.cfg
-
- config/pdf/*.xml
-
- config/profiles/*
-
-
- LAM Pro only:
-
-
- config/selfService/*.*
-
-
- Uninstall current LAM (Pro)
- version
-
- If you used the RPM installation packages then remove the
- ldap-account-manager and ldap-account-manager-lamdaemon packages by
- calling "rpm -e ldap-account-manager
- ldap-account-manager-lamdaemon".
-
- Debian needs no removal of old packages.
-
- For tar.bz2 please remove the folder where you installed LAM via
- configure or by copying the files.
-
- Install new LAM (Pro)
- version
-
- Please install the new LAM
- (Pro) release. Skip the part about setting up LAM configuration
- files.
-
- Restore configuration
- files
-
- RPM:
-
- Please check if there are any files ending with ".rpmsave" in
- /var/lib/ldap-account-manager/config. In this case you need to
- manually remove the .rpmsave extension by overwriting the package
- file. E.g. rename default.user.rpmsave to default.user.
-
- DEB:
-
- Nothing needs to be restored.
-
- tar.bz2:
-
- Please restore your configuration files from the backup. Copy
- all files from the backup folder to the config folder in your LAM Pro
- installation. Do not simply replace the folder because the new LAM
- (Pro) release might include additional files in this folder. Overwrite
- any existing files with your backup files.
-
- Final steps
-
- Now open your webbrowser and point it to the LAM login page. All
- your settings should be migrated.
-
- Please check also the version
- specific instructions. They might include additional
- actions.
-
-
-
- Version specific upgrade instructions
-
-
- 5.5 -> 5.6
-
- Mail routing: No longer added by default. Use profile editor
- to activate by default for new users/groups.
-
- Personal/Unix/Windows: no more replacement of e.g.
- $user/$group on user upload
-
-
-
- 5.4 -> 5.5
-
- LAM Pro requires a license key. You can find it in your customer
- profile.
-
-
-
- 5.1 -> 5.4
-
- No special actions needed.
-
-
-
- 5.0 -> 5.1
-
- Self Service: There were large changes to provide a responsive
- design that works for desktop and mobile. If you use custom CSS to
- style Self Service then this must be updated.
-
-
-
- 4.9 -> 5.0
-
- Samba 3: If you used logon hours then you need to set the
- correct time zone on tab "Generel settings" in server
- profile.
-
-
-
- 4.5 -> 4.9
-
- No special actions needed.
-
-
-
- 4.4 -> 4.5
-
- LAM will no longer follow referrals by default. This is ok for
- most installations. If you use LDAP referrals please activate
- referral following for your server profile (tab General settings
- -> Server settings -> Advanced options).
-
- The self service pages now have an own option for allowed IPs.
- If your LAM installation uses IP restrictions please update the LAM
- main configuration.
-
- Password self reset (LAM Pro) allows to set a backup email
- address. You need to update the LDAP
- schema if you want to use this feature.
-
-
-
- 4.3 -> 4.4
-
- Apache configuration: LAM supports Apache 2.2 and 2.4. This
- requires that your Apache server has enabled the "version" module.
- For Debian and Fedora this is the default setup. The Suse RPM will
- try to enable the version module during installation.
-
- Kolab: User accounts get the object class "mailrecipient" by
- default. You can change this behaviour in the module settings
- section of your LAM server profile.
-
- Windows: sAMAccountName is no longer set by default. Enable it
- in server profile if needed. The possible domains for the user name
- can also be set in server profile.
-
-
-
- 4.2.1 -> 4.3
-
- LAM is no more shipped as tar.gz package but as tar.bz2 which
- allows smaller file sizes.
-
-
-
- 4.1 -> 4.2/4.2.1
-
- Zarafa users: The default attribute for mail aliases is now
- "dn". If you use "uid" and did not change the server profile for a
- long time please check your LAM server profile for this setting and
- save it.
-
-
-
- 4.0 -> 4.1
-
- Unix: The list of valid login
- shells is no longer configured in "config/shells" but in the
- server/self service profiles (Unix settings). LAM will use the
- following shells by default: /bin/bash, /bin/csh, /bin/dash,
- /bin/false, /bin/ksh, /bin/sh.
-
- Please update your server/self service profile if you would
- like to change the list of valid login shells.
-
-
-
- 3.9 -> 4.0
-
- The account profiles and PDF structures are now separated by
- server profile. This means that if you edit e.g. an account profile
- in server profile A then this change will not affect the account
- profiles in server profile B.
-
- LAM will automatically migrate your existing files as soon as
- the login page is loaded.
-
- Special install instructions:
-
-
-
- Debian: none, config files will be migrated when opening
- LAM's login page
-
-
-
- Suse/Fedora RPM:
-
-
-
- Run "rpm -e ldap-account-manager
- ldap-account-manager-lamdaemon"
-
-
-
- You may get warnings like "warning:
- /var/lib/ldap-account-manager/config/profiles/default.user
- saved as
- /var/lib/ldap-account-manager/config/profiles/default.user.rpmsave"
-
-
-
- Please rename all files "*.rpmsave" and remove the
- file extension ".rpmsave". E.g. "default.user.rpmsave" needs
- to be renamed to "default.user".
-
-
-
- Install the LAM packages with "rpm -i". E.g. "rpm -i
- ldap-account-manager-4.0-0.suse.1.noarch.rpm".
-
-
-
- Open LAM's login page in your browser to complete the
- migration
-
-
-
-
-
- tar.gz: standard upgrade steps, config files will be
- migrated when opening LAM's login page
-
-
-
-
-
- 3.7 -> 3.9
-
- No changes.
-
-
-
- 3.6 -> 3.7
-
- Asterisk extensions: The extension entries are now grouped by
- extension name and account context. LAM will automatically assign
- priorities and set same owners for all entries.
-
-
-
- 3.5.0 -> 3.6
-
- Debian users: LAM 3.6
- requires to install FPDF 1.7. You can download the package here.
- If you use Debian Stable (Squeeze) please use the package from
- Testing (Wheezy).
-
-
-
- 3.4.0 -> 3.5.0
-
- LAM Pro: The global
- config/passwordMailTemplate.txt is no longer supported. You can
- setup the mail settings now for each LAM server profile which
- provides more flexibility.
-
- Suse/Fedora RPM
- installations: LAM is now installed to
- /usr/share/ldap-account-manager and
- /var/lib/ldap-account-manager.
-
- Please note that configuration files are not migrated
- automatically. Please move the files from /srv/www/htdocs/lam/config
- (Suse) or /var/www/html/lam/config (Fedora) to
- /var/lib/ldap-account-manager/config.
-
-
-
- 3.3.0 -> 3.4.0
-
- No changes.
-
-
-
- 3.2.0 -> 3.3.0
-
- If you use custom images for the PDF export then these images
- need to be 5 times bigger than before (e.g. 250x250px instead of
- 50x50px). This allows to use images with higher resolution.
-
-
-
- 3.1.0 -> 3.2.0
-
- No changes.
-
-
-
- 3.0.0 -> 3.1.0
-
- LAM supported to set a list of valid workstations on the
- "Personal" page. This required to change the LDAP schema. Since
- 3.1.0 this is replaced by the new "Hosts" module for users.
-
- Lamdaemon: The sudo entry needs to be changed to
- ".../lamdaemon.pl *".
-
-
-
- 2.3.0 -> 3.0.0
-
- No changes.
-
-
-
- 2.2.0 -> 2.3.0
-
- LAM Pro: There is now a
- separate account type for group of (unique) names. Please edit your
- server profiles to activate the new account type.
-
-
-
- 1.1.0 -> 2.2.0
-
- No changes.
-
-
-
-
-
- Uninstallation of LAM (Pro)
-
- If you used the prepackaged installation packages then remove the
- ldap-account-manager and ldap-account-manager-lamdaemon packages.
-
- Otherwise, remove the folder where you installed LAM via configure
- or by copying the files.
-
-
-
- Migration to a new server
-
- To move LAM (Pro) from one server to another please follow these
- steps:
-
-
-
- Install LAM (Pro) on your new server
-
-
-
- Copy the following files from the old server to the new one
- (base directory for RPM/DEB is
- /usr/share/ldap-account-manager/):
-
-
-
- config/*.conf
-
-
-
- config/config.cfg
-
-
-
- config/pdf/*
-
-
-
- config/profiles/*
-
-
-
- config/selfService/*.* (needed for LAM Pro only)
-
-
-
- The files must be writable for the webserver user.
-
-
-
- Open LAM (Pro) login page on new server and verify
- installation.
-
-
-
- Uninstall LAM (Pro) on old server.
-
-
-
-
-
-
- Configuration
-
- After you installed LAM you
- can configure it to fit your needs. The complete configuration can be done
- inside the application. There is no need to edit configuration
- files.
-
- Please point you browser to the location where you installed LAM.
- E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM
- via the tar.bz2 then this may vary. You should see the following
- page:
-
-
-
-
-
-
-
-
-
- If you see an error message then you might need to install an
- additional PHP extension. Please follow the instructions and reload the
- page afterwards.
-
- Now you are ready to configure LAM. Click on the "LAM configuration"
- link to proceed.
-
-
-
-
-
-
-
-
-
- Here you can change LAM's general settings, setup server profiles
- for your LDAP server(s) and configure the self service (LAM Pro). You should start
- with the general settings and then setup a server profile.
-
-
- General settings
-
- After selecting "Edit general settings" you will need to enter the
- master configuration password.
- The default password for new installations is "lam". Now you can edit
- the general settings.
-
-
- License (LAM Pro only)
-
- This is only required when you run LAM Pro. Please enter the
- license key from your customer
- profile. In case you have purchased multiple licenses please
- only enter one license key block per installation.
-
- When you entered the license key then the license details can be
- seen on LAM configuration overview page.
-
-
-
-
-
-
-
-
-
-
-
- Security settings
-
- Here you can set a time period after which inactive sessions are
- automatically invalidated. The selected value represents minutes of
- inactivity.
-
- You may also set a list of IP addresses which are allowed to
- access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
- or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
- access LAM via an untrusted IP only get blank pages. There is a
- separate field for LAM Pro self service.
-
- Session encryption will encrypt sensitive
- data like passwords in your session files. This is only available when
- PHP MCrypt is active. This
- adds extra security but also costs performance. If you manage a large
- directory you might want to disable this and take other actions to
- secure your LAM server.
-
-
-
-
-
-
-
-
-
- SSL certificate
- setup:
-
- By default, LAM uses the CA certificates that are preinstalled
- on your system. This will work if you connect via SSL/TLS to an LDAP
- server that uses a certificate signed by a well-known CA. In case you
- use your own CA (e.g. company internal CA) you can import the CA
- certificates here.
-
- Please note that this can affect other web applications on the
- same server if they require different certificates. There seem to be
- problems on Debian systems and you may also need to restart Apache. In
- case of any problems please delete the uploaded certificates and use
- the system setup.
-
- You can either upload a DER/PEM formatted certificate file or
- import the certificates directly from an LDAP server that is available
- with LDAP+SSL (ldaps://). LAM will automatically override system
- certificates if at least one certificate is uploaded/imported.
-
- The whole certificate list can be downloaded in PEM format. You
- can also delete single certificates from the list.
-
- Please note that you might need to restart your webserver if you
- do any changes to this configuration.
-
-
-
-
-
-
-
-
-
-
-
- Password policy
-
- This allows you to specify a central password policy for LAM.
- The policy is valid for all password fields inside LAM admin
- (excluding tree view) and LAM self service. Configuration passwords do
- not need to follow this policy.
-
-
-
-
-
-
-
-
-
- You can set the minimum password length and also the complexity
- of the passwords.
-
-
-
- Logging
-
- LAM can log events (e.g. user logins). You can use system
- logging (syslog for Unix, event viewer for Windows) or log to a
- separate file. Please note that LAM may log sensitive data (e.g.
- passwords) at log level "Debug". Production systems should be set to
- "Warning" or "Error".
-
- The PHP error reporting is only for developers. By default LAM
- does not show PHP notice messages in the web pages. You can select to
- use the php.ini setting here or printing all errors and
- notices.
-
-
-
-
-
-
-
-
-
-
-
- Additional options
-
- Email
- format
-
- Some email servers are not standards compatible. If you receive
- mails that look broken you can change the line endings for sent mails
- here. Default is to use "\r\n".
-
- At the moment, this option is only available in LAM Pro as there
- is no mail sending in the free version. See here for setting up your SMTP
- server.
-
-
-
-
-
-
-
-
-
-
-
- Change master password
-
- If you would like to change the master configuration password
- then enter a new password here.
-
-
-
-
-
-
-
-
-
-
-
-
- Server profiles
-
- The server profiles store information about your LDAP server (e.g.
- host name) and what kind of accounts (e.g. users and groups) you would
- like to manage. There is no limit on the number of server profiles. See
- the typical scenarios about
- how to structure your server profiles.
-
-
- Manage server profiles
-
- Select "Manage server profiles" to open the profile management
- page.
-
-
-
-
-
-
-
-
-
- Here you can create, rename and delete server profiles. The
- passwords of your server
- profiles can also be reset.
-
- You may also specify the default server profile. This is the
- server profile which is preselected at the login page. It also
- specifies the language of the login and configuration pages.
-
- Templates for new server
- profiles
-
- You can create a new server profile based on one of the built-in
- templates or any existing profile. Of course, the account types and
- selected modules can be changed after you created your profile.
-
- Built-in templates:
-
-
-
- addressbook: simple profile for user management with
- inetOrgPerson object class
-
-
-
- samba3: Samba 3 users, groups, hosts and domains
-
-
-
- unix: Unix users and groups (posixAccount/Group)
-
-
-
- windows_samba4: Active Directory user, group and host
- management
-
-
-
-
-
-
-
-
-
-
-
- All operations on the profile management page require that you
- authenticate yourself with the configuration master
- password.
-
-
-
- Editing a server profile
-
- Please select you server profile and enter its password to edit
- a server profile.
-
-
-
-
-
-
-
-
-
- Each server profile contains the following information:
-
-
-
- General settings: general
- settings about your LDAP server (e.g. host name and security
- settings)
-
-
-
- Account types: list of
- account types (e.g. users and groups) that you would like to
- manage and type specific settings (e.g. LDAP suffix)
-
-
-
- Modules: list of modules
- which define what account aspects (e.g. Unix, Samba, Kolab) you
- would like to manage
-
-
-
- Module settings: settings
- which are specific for the selected account modules on the page
- before
-
-
-
-
- General settings
-
- Here you can specify the LDAP server and some security
- settings.
-
-
-
-
-
-
-
-
-
- The server address of your LDAP server can be a DNS name or an
- IP address. Use ldap:// for unencrypted LDAP connections or TLS
- encrypted connections. LDAP+SSL (LDAPS) encrypted connections are
- specified with ldaps://. The port value is optional. TLS cannot be
- combined with ldaps://.
-
- Hint: If you use a master/slave setup with referrals then
- point LAM to your master server. Due to bugs in the underlying LDAP
- libraries pointing to a slave might cause issues on write
- operations.
-
- LAM includes an LDAP browser which allows direct modification
- of LDAP entries. If you would like to use it then enter the LDAP
- suffix at "Tree suffix".
-
- The search limit is used to reduce the number of search
- results which are returned by your LDAP server.
-
- The access level specifies if LAM should allow to modify LDAP
- entries. This feature is only available in LAM Pro. LAM non-Pro
- releases use write access. See this page for details on
- the different access levels.
-
- Advanced options
-
- Sometimes, you may not want to display the server address on
- the login page. In this case you can setup a display name here (e.g.
- "Production").
-
- By default LAM will not follow LDAP referrals. This is ok for
- most installations. If you use LDAP referrals please activate the
- referral option in advanced settings.
-
- Paged results should be activated only if you encounter any
- problems regarding size limits on Active Directory. LAM will then
- query LDAP to return results in chunks of 999 entries.
-
-
-
-
- LAM is translated to many different languages. Here you can
- select the default language for this server profile. The language
- setting may be overriden at the LAM login page.
-
- Please also set your time zone here.
-
-
-
-
-
-
-
-
-
- LAM can manage user home directories and quotas with an
- external script. You can specify the home directory server and where
- the script is located. The default rights for new home directories
- can be set, too.
-
- You can provide a fixed user name. If you leave the field
- empty then LAM will use your current account (the account you used
- to login to LAM).
-
- There are two possibilities to connect to your home
- directory/quota server:
-
-
-
- SSH key (recommended): Please generate a SSH key pair and
- provide the location to the private key file. If the key is protected
- by a password you can also specify it here.
-
-
-
- Password: If you do not set a SSH key then LAM will try to
- connect with your current account (the password you used to
- login to LAM).
-
-
-
-
-
-
-
-
-
-
-
- LAM Pro users may directly set passwords
- from list view. You can configure if it should be possible to set
- specific passwords and showing password on screen is allowed.
-
-
-
-
-
-
-
-
-
- LAM Pro users can send out changed passwords to their users.
- Here you can specify the options for these mails.
-
- If you select "Allow alternate address" then password mails
- can be sent to any address (e.g. a secondary address if the user
- account is also bound to the mailbox).
-
-
-
-
-
-
-
-
-
- LAM supports two methods for login.
-
-
-
-
-
-
-
-
-
- The first one is to specify a fixed list of LDAP DNs that are
- allowed to login. Please enter one DN per line.
-
- The second one is to let LAM search for the DN in your
- directory. E.g. if a user logs in with the user name "joe" then LAM
- will do an LDAP search for this user name. When it finds a matching
- DN then it will use this to authenticate the user. The wildcard
- "%USER%" will be replaced by "joe" in this example. This way you can
- provide login by user name, email address or other LDAP
- attributes.
-
- Additionally, you can enable HTTP authentication when using
- "LDAP search". This way the web server is responsible to
- authenticate your users. LAM will use the given user name + password
- for the LDAP login. You can also configure this to setup advanced
- login restrictions (e.g. require group memberships for login). To
- setup HTTP authentication in Apache please see this link
- and an example for LDAP authentication here.
-
- Hint: LDAP search with group
- membership check can be done with either HTTP authentication or LDAP
- overlays like "memberOf"
- or "Dynamic
- lists". Dynamic lists allow to insert virtual attributes to
- your user entries. These can then be used for the LDAP filter (e.g.
- "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))").
-
-
-
-
-
-
-
-
-
- You may also change the password of this server profile.
- Please just enter the new password in both password fields.
-
-
-
- Account types
-
- LAM supports to manage various types of LDAP entries (e.g.
- users, groups, DHCP entries, ...). On this page you can select which
- types of entries you want to manage with LAM.
-
-
-
-
-
-
-
-
-
- The section at the top shows a list of possible types. You can
- activate them by simply clicking on the plus sign next to it.
-
- Each account type has the following options:
-
-
-
- LDAP suffix: the LDAP
- suffix where entries of this type should be managed
-
-
-
- List attributes: a list
- of attributes which are shown in the account lists
-
-
-
- Additional LDAP filter:
- LAM will automatically detect the right LDAP entries for each
- account type. This can be used to further limit the number of
- visible entries (e.g. if you want to manage only some specific
- groups). You can use "@@LOGIN_DN@@" as wildcard (e.g.
- "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the
- user who is logged in.
-
-
-
- Hidden: This is used to
- hide account types that should not be displayed but are required
- by other account types. E.g. you can hide the Samba domains
- account type and still assign domains when you edit your
- users.
-
-
-
- Read-only (LAM Pro only):
- This allows to set a single account type to read-only mode.
- Please note that this is a restriction on functional level (e.g.
- group memberships can be changed on user page even if groups are
- read-only) and is no replacement for setting up proper ACLs on
- your LDAP server.
-
-
-
- Custom label: Here you
- can set a custom label for the account types. Use this if the
- standard label does not fit for you (e.g. enter "Servers" for
- hosts).
-
-
-
- No new entries (LAM Pro
- only): Use this if you want to prevent that new
- accounts of this type are created by your users. The GUI will
- hide buttons to create new entries and also disable file upload
- for this type.
-
-
-
- Disallow delete (LAM Pro
- only): Use this if you want to prevent that accounts
- of this type are deleted by your users.
-
-
-
-
-
-
-
-
-
-
-
- On the next page you can specify in detail what extensions
- should be enabled for each account type.
-
-
-
- Modules
-
- The modules specify the active extensions for each account
- type. E.g. here you can setup if your user entries should be address
- book entries only or also support Unix or Samba.
-
-
-
-
-
-
-
-
-
- Each account type needs a so called "base module". This is the
- basement for all LDAP entries of this type. Usually, it provides the
- structural object class for the LDAP entries. There must be exactly
- one active base module for each account type.
-
- Furthermore, there may be any number of additional active
- account modules. E.g. you may select "Personal" as base module and
- Unix + Samba as additional modules.
-
-
-
- Module settings
-
- Depending on the activated account modules there may be
- additional configuration options available. They can be found on the
- "Module settings" tab. E.g. the Personal account module allows to
- hide several input fields and the Unix module requires to specify
- ranges for UID numbers.
-
-
-
-
-
-
-
-
-
-
-
-
- Cron jobs (LAM Pro)
-
- LAM Pro can execute common tasks via cron job. This can be used
- to e.g. notify your users before their passwords expire.
-
-
- LDAP and database configuration
-
- Please add the LDAP bind user and password for all jobs. This
- LDAP account will be used to perform all LDAP read and write
- operations.
-
- Next, select the database type where LAM should store job
- related data. Supported databases are SQLite and MySQL.
-
- SQLite
-
- This is a simple file based database. It needs no special
- database server. The database file will be located next to the
- server profile in config directory.
-
- You will need to install the SQLite PDO module for PHP
- (pdo_sqlite.so). For Debian this is located in package
- php5-sqlite.
-
-
-
-
-
-
-
-
-
- MySQL
-
- This will store all job data in an external MySQL
- database.
-
- You will need to install the MySQL PDO module for PHP
- (pdo_mysql.so). For Debian this is located in package
- php5-mysql.
-
- Steps to create a MySQL database and user:
-
- # login
-mysql -u root -p
-# create a database
-mysql> create database lam_cron;
-#
-mysql> CREATE USER 'lam_cron'@'%' IDENTIFIED BY 'password';
-mysql> CREATE USER 'lam_cron'@'localhost' IDENTIFIED BY 'password';
-# grant access for new user
-mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%';
-mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
-
-
-
-
-
-
-
-
-
-
-
-Test your settings
-
- After the LDAP and database settings are done you can test
- your settings.
-
- Cron entry
-
- LAM also prints the crontab line that you need to run the
- configured jobs on a daily basis. The command must be run as the
- same user as your webserver is running. You are free to change the
- starting time of the script or run it more often.
-
-
-
- Adding jobs
-
- To add a new job just click on the "Add job" button and select
- the job type you need. The list of available jobs depends on your
- active account modules. E.g. the PPolicy job will only be available
- if you activated PPolicy user module.
-
- Depending on the job type jobs may be added multiple times
- with different configurations. For descriptions about the available
- job types see next chapters.
-
-
-
-
-
-
-
-
-
-
- PPolicy: Notify users about password expiration
-
- This will send your users an email reminder before their
- password expires.
-
- You need to activate the PPolicy module for users to be able
- to add this job. The job can be added multiple times (e.g. to send
- a second warning at a later time).
-
- LAM calculates the expiration date based on the last
- password change and the assigned password policy (or the default
- policy) using attributes pwdMaxAge and pwdExpireWarning.
-
- Examples:
-
- Warning time (pwdExpireWarning) = 14 days, notification
- period = 10: LAM will send out the email 24 days before the
- password expires
-
- Warning time (pwdExpireWarning) = 14 days, notification
- period = 0: LAM will send out the email 14 days before the
- password expires
-
- No warning time (pwdExpireWarning), notification period =
- 10: LAM will send out the email 10 days before the password
- expires
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- From address
-
- The email address to set as FROM.
-
-
-
- Reply-to address
-
- Optional Reply-to address for email.
-
-
-
- CC address
-
- Optional CC mail address.
-
-
-
- BCC address
-
- Optional BCC mail address.
-
-
-
- Subject
-
- The email subject line. Supports wildcards, see
- below.
-
-
-
- Text
-
- The email body text. Supports wildcards, see
- below.
-
-
-
- Notification period
-
- Number of days to notify before password
- expires.
-
-
-
- Default password policy
-
- Default PPolicy password policy entry (object class
- "pwdPolicy").
-
-
-
-
-
- Wildcards:
-
- You can enter LDAP attributes as wildcards in the form
- @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
- "@@cn@@". For the common name it would be "@@cn@@".
-
- There are also two special wildcards for the expiration
- date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
- "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
- "2016-12-31".
-
-
-
- 389ds: Notify users about password expiration
-
- This will send your users an email reminder before their
- password expires.
-
- You need to activate the Account Locking module for users to
- be able to add this job. The job can be added multiple times (e.g.
- to send a second warning at a later time).
-
- LAM calculates the expiration date based on the attribute
- passwordExpirationTime.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- From address
-
- The email address to set as FROM.
-
-
-
- Reply-to address
-
- Optional Reply-to address for email.
-
-
-
- CC address
-
- Optional CC mail address.
-
-
-
- BCC address
-
- Optional BCC mail address.
-
-
-
- Subject
-
- The email subject line. Supports wildcards, see
- below.
-
-
-
- Text
-
- The email body text. Supports wildcards, see
- below.
-
-
-
- Notification period
-
- Number of days to notify before password
- expires.
-
-
-
-
-
- Wildcards:
-
- You can enter LDAP attributes as wildcards in the form
- @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
- "@@cn@@". For the common name it would be "@@cn@@".
-
- There are also two special wildcards for the expiration
- date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
- "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
- "2016-12-31".
-
-
-
- Shadow: Notify users about password expiration
-
- This will send your users an email reminder before their
- password expires.
-
- You need to activate the Shadow module for users to be able
- to add this job. The job can be added multiple times (e.g. to send
- a second warning at a later time).
-
- LAM calculates the expiration date based on the last
- password change, the password warning time (attribute
- "shadowWarning") and the specified notification period.
-
- Examples:
-
- Warning time = 14, notification period = 10: LAM will send
- out the email 24 days before the password expires
-
- Warning time = 14, notification period = 0: LAM will send
- out the email 14 days before the password expires
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- From address
-
- The email address to set as FROM.
-
-
-
- Reply-to address
-
- Optional Reply-to address for email.
-
-
-
- CC address
-
- Optional CC mail address.
-
-
-
- BCC address
-
- Optional BCC mail address.
-
-
-
- Subject
-
- The email subject line. Supports wildcards, see
- below.
-
-
-
- Text
-
- The email body text. Supports wildcards, see
- below.
-
-
-
- Notification period
-
- Number of days to notify before password
- expires.
-
-
-
-
-
- Wildcards:
-
- You can enter LDAP attributes as wildcards in the form
- @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
- "@@cn@@". For the common name it would be "@@cn@@".
-
- There are also two special wildcards for the expiration
- date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
- "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
- "2016-12-31".
-
-
-
- Shadow: Delete or move expired accounts
-
- You can automatically delete or move expired accounts. The
- job checks Shadow account expiration dates (not password
- expiration dates).
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- Delay
-
- Number of days to wait after the account is
- expired.
-
-
-
- Action
-
- Delete or move accounts
-
-
-
- Target DN
-
- Move only: specifies the DN where accounts are
- moved
-
-
-
-
-
-
-
- Windows: Notify users about password expiration
-
- This will send your users an email reminder before their
- password expires.
-
- You need to activate the Windows module for users to be able
- to add this job. The job can be added multiple times (e.g. to send
- a second warning at a later time).
-
- LAM calculates the expiration date based on the last
- password change and the domain policy.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- From address
-
- The email address to set as FROM.
-
-
-
- Reply-to address
-
- Optional Reply-to address for email.
-
-
-
- CC address
-
- Optional CC mail address.
-
-
-
- BCC address
-
- Optional BCC mail address.
-
-
-
- Subject
-
- The email subject line. Supports wildcards, see
- below.
-
-
-
- Text
-
- The email body text. Supports wildcards, see
- below.
-
-
-
- Notification period
-
- Number of days to notify before password
- expires.
-
-
-
-
-
- Wildcards:
-
- You can enter LDAP attributes as wildcards in the form
- @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
- "@@cn@@". For the common name it would be "@@cn@@".
-
- There are also two special wildcards for the expiration
- date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
- "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
- "2016-12-31".
-
-
-
- Windows: Delete or move expired accounts
-
- You can automatically delete or move expired
- accounts.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- Delay
-
- Number of days to wait after the account is
- expired.
-
-
-
- Action
-
- Delete or move accounts
-
-
-
- Target DN
-
- Move only: specifies the DN where accounts are
- moved
-
-
-
-
-
-
-
- FreeRadius: Delete or move expired accounts
-
- You can automatically delete or move expired
- accounts.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- Delay
-
- Number of days to wait after the account is
- expired.
-
-
-
- Action
-
- Delete or move accounts
-
-
-
- Target DN
-
- Move only: specifies the DN where accounts are
- moved
-
-
-
-
-
-
-
- Qmail: Delete or move expired accounts
-
- You can automatically delete or move expired accounts. The
- job reads the qmail deletion date of user accounts.
-
-
-
-
-
-
-
-
-
-
- Options
-
-
-
-
- Option
-
- Description
-
-
-
- Delay
-
- Number of days to wait after the account is
- expired.
-
-
-
- Action
-
- Delete or move accounts
-
-
-
- Target DN
-
- Move only: specifies the DN where accounts are
- moved
-
-
-
-
-
-
-
-
- Job history
-
- This will show the list of all executed job runs and their
- result.
-
-
-
-
-
-
-
-
-
-
-
-
- Typical scenarios
-
- This is a list of typical scenarios how your LDAP environment
- may look like and how to structure the server profiles for it.
-
-
- Simple: One LDAP directory managed by a small group of
- admins
-
- This is the easiest and most common scenario. You want to
- manage a single LDAP server and there is only one or a few admins.
- In this case just create one server profile and you are done. The
- admins may be either specified as a fixed list or by using an LDAP
- search at login time.
-
-
-
-
-
-
-
-
-
-
-
- Advanced: One LDAP server which is managed by different admin
- groups
-
- Large organisations may have one big LDAP directory for all
- user/group accounts. But the users are managed by different groups
- of admins (e.g. departments, locations, subsidiaries, ...). The
- users are typically divided into organisational units in the LDAP
- tree. Admins may only manage the users in their part of the
- tree.
-
-
-
-
-
-
-
-
-
- In this situation it is recommended to create one server
- profile for each admin group (e.g. department). Setup the LDAP
- suffixes in the server profiles to point to the needed
- organisational units. E.g. use
- ou=people,ou=department1,dc=company,dc=com or
- ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
- Do the same for groups, hosts, ... This way each admin group will
- only see its own users. You may want to use LDAP search for the LAM
- login in this scenario. This will prevent that you need to update a
- server profile if the number of admins changes.
-
- Attention: LAM's feature to
- automatically find free UIDs/GIDs for new users/groups will not work
- in this case. LAM uses the user/group suffix to search for already
- assigned UIDs/GIDs. As an alternative you can specify different
- UID/GID ranges for each department. Then the UIDs/GIDs will stay
- unique for the whole directory.
-
-
-
- Multiple LDAP servers
-
- You can manage as many LDAP servers with LAM as you wish. This
- scenario is similar to the advanced scenario above. Just create one
- server profile for each LDAP server.
-
-
-
-
-
-
-
-
-
-
-
- Single LDAP directory with lots of users (>10 000)
-
- LAM was tested to work with 10 000 users. If you have a lot
- more users then you have basically two options.
-
-
-
- Divide your LDAP tree in organisational units: This is
- usually the best performing option. Put your accounts in several
- organisational units and setup LAM as in the advanced scenario
- above.
-
-
-
- Increase memory limit: Increase the memory_limit parameter
- in your php.ini. This will allow LAM to read more entries. But
- this will slow down the response times of LAM.
-
-
-
-
-
-
-
-
- Managing entries in your LDAP directory
-
- This chapter will give you instructions how to manage the different
- LDAP entries in your directory.
-
- Please note that not all account types are manageable with the free
- LAM release. LAM Pro provides some more account types (e.g. group of
- names, aliases, ...) and modules (e.g. Zarafa, custom scripts, ...) to
- support additional LDAP object classes. All LAM Pro features are marked in
- this manual.
-
- Basic page layout:
-
- After the login LAM will present you its main page. It consists of a
- header part which is equal for all pages and the content area which covers
- most the of the page.
-
- The header part includes the links to manage all account types (e.g.
- users and groups) and open the tree view (LDAP browser). There is also the
- logout link and a tools entry.
-
- When you login the you will see an account listing in the content
- area.
-
-
-
-
-
-
-
-
-
- Here you can create, delete and modify accounts. Use the action
- buttons at the left or double click on an entry to edit it.
-
- The suffix selection box allows you to list only the accounts which
- are located in a subtree of your LDAP directory.
-
-
-
-
-
-
-
-
-
- You can change the number of shown entries per page with "Change
- settings". Depending on the account type there may be additional settings.
- E.g. the user list can convert group numbers to group names.
-
- When you select to edit an entry then LAM will show all its data on
- a tabbed view. There is one tab for each functional part of the account.
- You can set default values by loading an account profile.
-
-
-
-
-
-
-
-
-
-
- Typical usage scenarios
-
- Here is a list of typical usage scenarios and what account types
- and modules you need to configure.
-
- Address book entries:
-
- Account types:
-
-
-
- Users (Personal)
-
-
-
- Unix accounts:
-
- Account types:
-
-
-
- Users (Personal + Unix)
-
-
-
- Groups (Unix (posixGroup))
-
-
-
- Suse users may need to use Group (Group of names + Unix
- (rfc2307bisPosixGroup)) because of Suse's special LDAP schema.
-
- Samba 3 accounts:
-
- Account types:
-
-
-
- Users (Personal + User + Samba 3)
-
-
-
- Groups (Unix + Samba 3)
-
-
-
- Hosts (Account + Unix + Samba 3)
-
-
-
- Samba domains (Samba domain)
-
-
-
- Samba 4/Active Directory:
-
- Account types:
-
-
-
- Users (Windows)
-
-
-
- Groups (Windows)
-
-
-
- Hosts (Windows)
-
-
-
- Please note that must change the attributes that are shown in the
- account lists. Otherwise, the account tables will show empty lines. See
- the documentation for the Windows user/group/host modules.
-
- For Samba 4 with Zarafa use the following modules:
-
-
-
- Users (Windows + Zarafa (+ Zarafa contact))
-
-
-
- Groups (Windows + Zarafa)
-
-
-
- Hosts (Windows + Zarafa)
-
-
-
- Zarafa dynamic groups (Zarafa dynamic group)
-
-
-
- Zarafa address lists (Zarafa address list)
-
-
-
- See also the Zarafa section for
- additional settings (e.g. using Zarafa AD schema).
-
- Asterisk:
-
- Account types:
-
-
-
- Users (Personal + Asterisk)
-
-
-
- Asterisk extensions (Asterisk extension)
-
-
-
- Zarafa:
-
- Account types:
-
-
-
- Users (Personal + Unix + Zarafa (+ Zarafa contact))
-
-
-
- Groups (Unix + Zarafa)
-
-
-
- Zarafa dynamic groups (Zarafa dynamic group)
-
-
-
- Zarafa address lists (Zarafa address list)
-
-
-
- Hosts (Device + Zarafa + IP Address)
-
-
-
- PyKota:
-
- Account types:
-
-
-
- Users (Personal + Unix + PyKota)
-
-
-
- Groups (Unix + PyKota)
-
-
-
- Printers (PyKota)
-
-
-
- Billing codes (PyKota)
-
-
-
-
-
- Users
-
- LAM manages various types of user accounts. This includes address
- book entries, Unix, Samba, Zarafa and much more.
-
-
-
-
- Account list settings:
-
- The user list includes two special options to change how your
- users are displayed.
-
-
-
-
-
-
-
-
-
- Translate GID number to group name: By
- default the user list can show the primary group IDs (GIDs) of your
- users. There are often cases where it is more suitable to show the group
- name instead. This can be done by activating this option. Please note
- that LAM will execute more LDAP queries which may result in decreased
- performance.
-
-
-
-
-
-
-
-
-
- Show account status: If you activate this
- option then there will be an additional column displayed that shows if
- the account is locked. You can see more details when moving the mouse
- cursor over the lock icon. This function supports Unix, Samba, PPolicy,
- Windows and 389ds locking+deactivation.
-
-
-
-
-
-
-
-
-
-
-
-
- Password:
-
- Click the "Set password" button to change the user's password(s).
- Depending on the active account modules LAM will offer to change
- multiple passwords at the same time.
-
- If a module supports to enforce a password change then you will
- see the appropriate checkbox. LAM Pro also offers to send the password
- via email after the account is saved. Email options are specified in
- your LAM server profile.
-
-
-
-
-
-
-
-
-
-
-
-
- Quick account (un)locking:
-
- When you edit an user then LAM supports to quickly lock/unlock the
- whole account. This includes Unix, Samba and PPolicy. LAM can also
- remove group memberships if an account is locked.
-
- You will see the current status of all account parts in the title
- area of the account.
-
-
-
-
-
-
-
-
-
- If you click on the lock icon then a dialog will be opened to
- change these values. Depending on which parts are locked LAM will
- provide options to lock/unlock account parts.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Personal
-
- This module is the most common basis for user accounts in LAM.
- You can use it stand-alone to manage address book entries or in
- combination with Unix, Samba or other modules.
-
- The Personal module provides support for managing various
- personal data of your users including mail addresses and telephone
- numbers. You can also add photos of your users (please install PHP
- Imagick/ImageMagick for full file format support). If you do
- not need to manage all attributes then you can deactivate them in your
- server profile.
-
- Configuration
-
- Please activate the module "Personal (inetOrgPerson)" for
- users.
-
-
-
-
-
-
-
-
-
- The module manages lots of fields. Probably, you will not need
- all of them. You can hide fields in module settings.
-
- In advanced options you may also set fields to read-only (for
- existing accounts) and define limits for photo files. Additionally,
- you can add an "ou=addressbook" subentry to each user in case you
- manage user addressbooks.
-
-
-
-
-
-
-
-
-
-
-
-
- User management
-
-
-
-
-
-
-
-
-
- User certificates can be uploaded and downloaded. LAM will
- automatically convert PEM to DER format.
-
-
-
-
-
-
-
-
-
-
- LDAP attribute mappings
-
-
-
-
- Attribute name
-
- Name inside LAM
-
-
-
-
-
- businessCategory
-
- Business category
-
-
-
- carLicense
-
- Car license
-
-
-
- cn/commonName
-
- Common name
-
-
-
- departmentNumber
-
- Department(s)
-
-
-
- description
-
- Description
-
-
-
- employeeNumber
-
- Employee number
-
-
-
- employeeType
-
- Employee type
-
-
-
- facsimileTelephoneNumber/fax
-
- Fax number
-
-
-
- givenName/gn
-
- First name
-
-
-
- homePhone
-
- Home telephone number
-
-
-
- initials
-
- Initials
-
-
-
- jpegPhoto
-
- Photo
-
-
-
- l
-
- Location
-
-
-
- labeledURI
-
- Web site
-
-
-
- mail/rfc822Mailbox
-
- Email address
-
-
-
- manager
-
- Manager
-
-
-
- mobile/mobileTelephoneNumber
-
- Mobile number
-
-
-
- organizationName/o
-
- Organisation
-
-
-
- ou
-
- Organizational unit
-
-
-
- pager
-
- Pager number
-
-
-
- physicalDeliveryOfficeName
-
- Office name
-
-
-
- postalAddress
-
- Postal address
-
-
-
- postalCode
-
- Postal code
-
-
-
- postOfficeBox
-
- Post office box
-
-
-
- registeredAddress
-
- Registered address
-
-
-
- roomNumber
-
- Room number
-
-
-
- sn/surname
-
- Last name
-
-
-
- st
-
- State
-
-
-
- street/streetAddress
-
- Street
-
-
-
- telephoneNumber
-
- Telephone number
-
-
-
- title
-
- Job title
-
-
-
- userCertificate
-
- User certificates
-
-
-
- uid/userid
-
- User name
-
-
-
- userPassword
-
- Password
-
-
-
-
-
- Wildcards
-
- This module provides the following wildcards (others may be
- provided by other modules):
-
-
-
- $firstname: First name
-
-
-
- $lastname: Last name
-
-
-
- $user: User name
-
-
-
- $commonname: Common name
-
-
-
- $email: Email address
-
-
-
- You can use them in the following input fields on user edit
- screen:
-
-
-
- Common name
-
-
-
- Description
-
-
-
- Mail
-
-
-
- Postal address
-
-
-
- Registered address
-
-
-
- Web site
-
-
-
- Use this when some of your data always follows the same schema.
- E.g. using "$firstname $lastname" in common name field can be used
- like this to get "First Last". You can set the wildcards in profile
- editor so they are automatically applied for new users.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Unix
-
- The Unix module manages Unix user accounts including group
- memberships.
-
- There are several configuration options for this module:
-
-
-
- UID generator: LAM will suggest UID numbers for your
- accounts. Please note that it may happen that there are duplicate
- IDs assigned if users create accounts at the same time. Use an
- overlay
- like "Attribute Uniqueness" (example) if you have lots of
- LAM admins creating accounts.
-
-
-
- Fixed range: LAM searches for free numbers within the
- given limits. LAM always tries to use a free UID that is
- greater than the existing UIDs to prevent collisions with
- deleted accounts.
-
-
-
- Samba ID pool: This uses a special LDAP entry that
- includes attributes that store a counter for the last used
- UID/GID. Please note that this requires that you install the
- Samba schema and create an LDAP entry of object class
- "sambaUnixIdPool".
-
-
-
- Magic number: Use this if your LDAP server assigns the
- UID numbers automatically (e.g. DNA by 389 server). Enter the
- server's magic number setting.
-
-
-
-
-
- Password hash type: If possible use CRYPT-SHA512 or SSHA to
- protect your user's passwords. The option SASL will set the
- password to "{SASL}<user name>".
-
-
-
- Login shells: List of valid login shells that can be
- selected when editing an account.
-
-
-
- Hidden options: Some input fields can be hidden to simplify
- the GUI if you do not need them.
-
-
-
- Set primary group as memberUid: By default primary group
- membership is not set on group objects but only on user
- (gidNumber). Activate this if you need to have the primary group
- membership in group object, too.
-
-
-
- Do not add object class: This is for Windows only. When the
- checkbox is activated then the posixAccount object class will not
- be added to a user.
-
-
-
- User name suggestion: The user name is automatically filled
- as specified in the configuration (default smiller for Steve
- Miller). Of course, the suggested value can be changed any time.
- Common name is also filled with first/last name by default.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Group memberships can be changed when clicking on "Edit groups".
- Here you can select the Unix groups and group of names
- memberships.
-
- To enable "Group of names" please either add the groups module
- "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of
- names".
-
-
-
-
-
-
-
-
-
- You can also create home directories for your users if you setup
- lamdaemon. This allows you to
- create the directories on the local or remote servers.
-
- It is also possible to check the status of the user's home
- directories. If needed the directories can be created or removed at
- any time.
-
-
-
-
-
-
-
-
-
- Wildcards
-
- This module provides the following wildcards (others may be
- provided by other modules):
-
-
-
- $user: User name
-
-
-
- $group: Groupe name (not numeric number)
-
-
-
- You can use them in the following input fields on user edit
- screen:
-
-
-
- Common name
-
-
-
- Gecos
-
-
-
- Home directory
-
-
-
- Use this when some of your data always follows the same schema.
- E.g. using "/home/$user" in home directory field can be used like this
- to get "/home/myuser". You can set the wildcards in profile editor so
- they are automatically applied for new users.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Group of names and group of members (LAM Pro)
-
- This module manages memberships in group of (unique) names and
- also group of members.
-
- Please note that this module cannot be used if the Unix module
- is active. In this case group memberships may be managed with the Unix
- module.
-
- Configuration
-
- To activate this feature please add the user module "Group of
- names (groupOfNamesUser)" to your LAM server profile.
-
-
-
-
-
-
-
-
-
- The module automatically detects if groups are based on
- "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the
- correct attribute.
-
-
-
-
-
-
-
-
-
-
-
- Organizational roles (LAM Pro)
-
- LAM can manage role memberships in organizationalRole objects. To
- activate this feature please add the user module "Roles
- (organizationalRoleUser)" to your LAM server profile.
-
-
-
-
-
-
-
-
-
- User editing
-
- Now, there will be a new tab "Roles" when you edit your user
- accounts. Here you can select the role memberships.
-
-
-
-
-
-
-
-
-
-
-
- Shadow
-
- LAM supports the management of the LDAP substitution of
- /etc/shadow. Here you can setup password policies for your Unix
- accounts and also view the last password change of a user.
-
-
-
-
-
-
-
-
-
-
-
- NIS net groups
-
- Configuration
-
- Please add the module "NIS net groups (nisNetGroupUser)" to the
- list of active user modules.
-
-
-
-
-
-
-
-
-
- User editing
-
- You will now see a new tab when editing users. Here you can
- assign memberships in NIS net groups and also set host/domain.
-
-
-
-
-
-
-
-
-
-
-
- Password self reset (LAM
- Pro)
-
- LAM Pro allows your users to reset their passwords by answering
- a security question. The reset link is displayed on the self service page. Additionally,
- you can set question + answer in the admin interface.
-
- Please note that self service and LAM admin interface are
- separated functionalities. You need to specify the list of possible
- security questions in both self service profile(s) and server
- profile(s).
-
- Schema installation
-
- Please install the LDAP schema as described here.
-
- Activate password self reset
- module
-
- Please activate the password self reset module in your LAM Pro
- server profile.
-
-
-
-
-
-
-
-
-
- Now select the tab "Module settings" and specify the list of
- possible security questions. Only these questions will be selectable
- when you later edit accounts unless you explicitly allow to enter
- custom questions. LAM Pro supports to set up to three security
- questions per user.
-
- If you do not want to set backup email addresses then you can
- hide this option.
-
-
-
-
-
-
-
-
-
- Edit users
-
- After everything is setup please login to LAM Pro and edit your
- users. You will see a new tab called "Password self reset". Here you
- can activate/remove the password self reset function for each user.
- You can also change the security question and answer.
-
- If you set a backup email address then confirmation emails will
- also be sent to this address. This is useful if the user password
- grants access to the user's primary mailbox. So passwords can be
- unlocked with an external email address.
-
- Hint: You can add the
- passwordSelfReset object class to all your users with the multi edit tool.
-
- Samba 4 note: Due to a bug in
- Samba 4 you need to add the extension, save, and then select a
- question and set the answer. If you add the extension, set
- question/answer and then save all together this will cause an LDAP
- error and no changes will be saved.
-
-
-
-
-
-
-
-
-
-
-
- Hosts
-
- You can specify a list of valid host names where the user may
- login. If you add the value "*" then the user may login to any host.
- This can be further restricted by adding explicit deny entries which
- are prefixed with "!" (e.g. "!hr_server").
-
- Please note that your PAM settings need to support host
- restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled then the
- account facility of pam_ldap will perform the checks and return an
- error when no proper host attribute is present. Please note that users
- without host attribute cannot login to such a configured
- server.
-
-
-
-
-
-
-
-
-
-
-
- Samba 3
-
- LAM supports full Samba 3 user management including logon hours
- and terminal server options.
-
- The module is enabled by adding "Samba 3 (sambaSamAccount)" to
- your user modules.
-
-
-
-
-
-
-
-
-
- In the configuration options you can enable password history
- checking. Depending on your LDAP server you might need ascending or
- descending order. Just switch the setting if the password history is
- not correctly updated.
-
- In case you have no very old Windows clients (e.g. Windows 98)
- it is recommended to disable LM hashes. They are considered to be
- insecure.
-
- You can also hide some input fields if you do not need
- them.
-
-
-
-
-
-
-
-
-
- After configuring the module you will see the Samba 3 tab when
- you edit a user.
-
-
-
-
-
-
-
-
-
- Logon hours can be changed.
-
-
-
-
-
-
-
-
-
- You can also setup terminal server settings.
-
-
-
-
-
-
-
-
-
-
-
- Windows (Samba 4)
-
- Please activate the account type "Users" in your LAM server
- profile and then add the user module "Windows
- (windowsUser)(*)".
-
-
-
-
-
-
-
-
-
- The default list attributes are for Unix and not suitable for
- Windows (blank lines in account table). Please use
- "#cn;#givenName;#sn;#mail" or select your own attributes to display in
- the account list.
-
-
-
-
-
-
-
-
-
- On tab "Module settings" you can specify the possible Windows
- domain names and if pre-Windows 2000 user names should be
- managed.
-
- NIS support is deactivated by default. Enable it if
- needed.
-
-
-
-
-
-
-
-
-
- Now you can manage your Windows users and e.g. assign groups.
- You might want to set the default domain name in the profile editor.
-
- Attention:
-
-
-
- Password changes require a secure connection via ldaps://.
- Check your LAM server profile if password changes are refused by
- the server.
-
-
-
- Your server must run a 64bit operating system. Otherwise,
- the module might not work.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Wildcards
-
- This module provides the following wildcards (others may be
- provided by other modules):
-
-
-
- $firstname: First name
-
-
-
- $lastname: Last name
-
-
-
- $user: User name
-
-
-
- $commonname: Common name
-
-
-
- $email: Email address
-
-
-
- You can use them in the following input fields on user edit
- screen:
-
-
-
- Common name
-
-
-
- Display name
-
-
-
- Email
-
-
-
- Email alias
-
-
-
- Home directory
-
-
-
- Profile path
-
-
-
- Script path
-
-
-
- Use this when some of your data always follows the same schema.
- E.g. using "$firstname $lastname" in common name field can be used
- like this to get "First Last". You can set the wildcards in profile
- editor so they are automatically applied for new users.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Filesystem quota (lamdaemon)
-
- You can manage file system quotas with LAM. This requires to
- setup lamdaemon. LAM connects to
- your server via SSH and manages the disk filesystem quotas. The quotas
- are stored directly on the filesystem. This is the default mechanism
- to store quotas for most systems.
-
- Please add the module "Quota (quota)" for users to your LAM
- server profile to enable this feature.
-
- If you store the quota information directly inside LDAP please
- see the next section.
-
-
-
-
-
-
-
-
-
-
-
- Filesystem quota (LDAP)
-
- You can store your filesystem quotas directly in LDAP. See
- Linux
- DiskQuota for details since it requires quota tools that
- support LDAP. You will need to install the quota LDAP schema to manage
- the object class "systemQuotas".
-
- Please add the module "Quota (systemQuotas)" for users to your
- LAM server profile to enable this feature.
-
- If you store the quota information on the filesystem please see
- the previous section.
-
-
-
-
-
-
-
-
-
-
-
- Kolab
-
- This module supports to manage Kolab accounts with LAM. E.g. you
- can set the user's mail quota and define invitation policies.
-
- Please add the Kolab user module in your LAM server profile to
- activate Kolab support.
-
-
-
-
-
-
-
-
-
- Attention: LAM will add the object class "mailrecipient" by
- default. This object class is available on 389 directory server but
- may not be present on e.g. OpenLDAP. Please deactivate the following
- setting (LAM server profile, module settings) if you do not use this
- object class.
-
-
-
-
-
-
-
-
-
- Please enter an email address at the Personal page and set a
- Unix password first. Both are required that Kolab accepts the
- accounts. The email address ("Personal" page) must match your Kolab
- domain, otherwise the account will not work.
-
- Attention: The mailbox server
- cannot be changed after the account has been saved. Please make sure
- that the value is correct.
-
- Kolab users should not be directly deleted with LAM. You can
- mark an account for deletion which then is done by the Kolab server
- itself. This makes sure that the mailbox etc. is also deleted.
-
-
-
-
-
-
-
-
-
- If you upgrade existing non-Kolab accounts please make sure that
- the account has an Unix password.
-
-
-
- Asterisk
-
- LAM supports Asterisk accounts, too. See the Asterisk section for details.
-
-
-
- EDU person
-
- EDU person accounts are mainly used in university networks. You
- can specify the principal name, nick names and much more.
-
-
-
-
-
-
-
-
-
-
-
- PyKota
-
- There are two LAM user modules depending if your user entries
- should be built on object class "pykotaObject" or a different
- structural object class (e.g. "inetOrgPerson"). For "pykotaObject"
- please select "PyKota (pykotaUserStructural(*))" and "PyKota
- (pykotaUser)" in all other cases.
-
-
-
-
-
-
-
-
-
- To display the job history please setup the job DN on tab
- "Module settings":
-
-
-
-
-
-
-
-
-
- Now you can add the PyKota extension to your user accounts. Here
- you can setup the printing options and add payments for this
- user.
-
- For LAM Pro there are also self service fields to allow users
- e.g. to view their current balance and job history.
-
-
-
-
-
-
-
-
-
- You may also view the payment and job history.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Password policy (LAM Pro)
-
- OpenLDAP supports the ppolicy overlay
- to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to
- user accounts.
-
- Please add the account type "Password policies" to your LAM
- server profile and activate the "Password policy" module for the user
- type.
-
-
-
-
-
-
-
-
-
- You can select the password policy and force a password change
- on next login. Accounts can also be (un)locked.
-
-
-
-
-
-
-
-
-
- You can assign any password policy which is found in the LDAP
- suffix of the "Password policies" type. When you set the policy to
- "default" then OpenLDAP will use the default policy as defined in your
- slapd.conf file.
-
- Attention: Locking and
- unlocking requires that you also activate the option "Lockout users"
- in the assigned password policy.
- Otherwise, it will have no effect.
-
-
-
- Account locking for 389ds (LAM Pro)
-
- This module allows you to display if users are locked by 389ds
- server. You can (de)activate your users. The password expiration time
- can also be managed.
-
- Requirements: 389ds LDAP server
-
- Configuration
-
- Please add the user module "Account locking
- (locking389ds)".
-
-
-
-
-
-
-
-
-
- This will show the password expiration time. You can edit the
- value if needed.
-
- If there are any failed login attempts then LAM displays their
- number and till when the user is locked by the system.
-
- The limit of failed login attempts and lockout duration is
- configured on your LDAP server and not within LAM.
-
-
-
-
-
-
-
-
-
- You can unlock the user by clicking on the lock icon.
-
- Here you can also (de)activate the account.
-
- Note: Accounts are only locked by the LDAP server due to failed
- password attempts. You cannot manually lock an account. Deactivate it
- in case you want to disable login for a user.
-
-
-
-
-
-
-
-
-
-
-
- FreeRadius
-
- FreeRadius is a software that implements the RADIUS
- authentication protocol. LAM allows you to mange several of the
- FreeRadius attributes.
-
- To activate the FreeRadius plugin please activate the FreeRadius
- user module in your server profile:
-
-
-
-
-
-
-
-
-
- You can disable unneeded fields on the tab "Module settings".
- Here you can also set the DN where your Radius profile templates are
- stored if you use the option "Profile".
-
-
-
-
-
-
-
-
-
- Now you will see the tab "FreeRadius" when editing users. The
- extension can be (de)activated for each user. You can setup e.g.
- realm, IP and expiration date.
-
-
-
-
-
-
-
-
-
-
-
- Heimdal Kerberos (LAM Pro)
-
- You can manage your Heimdal Kerberos accounts with LAM Pro.
- Please add the user module "Kerberos (heimdalKerberos)" to activate
- this feature.
-
- Setup password changing
-
- LAM Pro cannot generate the password hashes itself because
- Heimdal uses a propietary format for them. Therefore, LAM Pro needs to
- call e.g. kadmin to set the password.
-
- The wildcards @@password@@ and @@principal@@ are replaced with
- password and principal name. Please use keytab authentication for this
- command since it must run without any interaction.
-
- Example to create a keytab: ktutil -k /root/lam.keytab add -p
- lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1
-
- Security hint: Please secure your LAM Pro server since the new
- passwords will be visible for a short term in the process list during
- password change.
-
-
-
-
-
-
-
-
-
- User management
-
- You can specify the principal/user name, ticket lifetimes and
- expiration dates. Additionally, you can set various account
- options.
-
-
-
-
-
-
-
-
-
-
-
- MIT Kerberos (LAM Pro)
-
- You can manage your MIT Kerberos accounts with LAM Pro. Please
- add the user module "Kerberos (mitKerberos)" to activate this feature.
- If you want to manage entries based on the structural object class
- "krbPrincipal" please use "Kerberos (mitKerberosStructural)"
- instead.
-
- Setup password changing
-
- LAM Pro cannot generate the password hashes itself because MIT
- uses a propietary format for them. Therefore, LAM Pro needs to call
- kadmin/kadmin.local to set the password.
-
- LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to
- set the password. Please use keytab authentication for this command
- since it must run without any interaction.
-
- Keytabs may be created with the "ktutil" application.
-
- Security hint: Please secure your LAM Pro server since the new
- passwords will be visible for a short term in the process list during
- password change.
-
- Example commands:
-
-
-
- /usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p
- realm/changepwd
-
-
-
- sudo /usr/sbin/kadmin.local
-
-
-
-
-
-
-
-
-
-
-
- User management
-
- You can specify the principal/user name, ticket lifetimes and
- expiration dates. Additionally, you can set various account
- options.
-
-
-
-
-
-
-
-
-
-
-
- Mail aliases
-
- This module allows to add/remove the user in mail alias
- entries.
-
- Note: You need to activate the
- mail alias type for this
- module.
-
- To activate mail aliases for users please select the module
- "Mail aliases (nisMailAliasUser)":
-
-
-
-
-
-
-
-
-
- On tab Module settings you can select if you want to set the
- user name or email as recipient in alias entries.
-
-
-
-
-
-
-
-
-
- Now you will see the mail aliases tab when editing an
- user.
-
- The red cross will only remove the user from the alias entry. If
- you click the trash can button then the whole alias entry (which may
- contain other users) will be deleted.
-
-
-
-
-
-
-
-
-
- You can add the user to existing alias entries or create
- completly new ones.
-
-
-
-
-
-
-
-
-
-
-
- Qmail (LAM Pro)
-
- LAM Pro manages all qmail attributes for users. This includes
- mail addresses, ID numbers and quota settings.
-
- Please note that the main mail address is managed on tab
- "Personal" if this module is active. Otherwise, it will be on the
- qmail tab.
-
-
-
-
-
-
-
-
-
- You can hide several qmail options if you do not want to manage
- them with LAM. This can be done on the module settings tab of your LAM
- server profile.
-
-
-
-
-
-
-
-
-
-
-
- Mail routing
-
- LAM supports to manage mail routing for user accounts.
-
- Module activation:
-
- This feature can be activated by adding the "Mail routing"
- module to the user account type in your server profile.
-
-
-
-
-
-
-
-
-
- Usage:
-
- You can specify a routing address, the mail server and a number
- of local addresses to route.
-
- In case you want to add this extension by default for new users
- there is an option in profile editor.
-
-
-
-
-
-
-
-
-
-
-
- SSH keys
-
- You can manage your public keys for SSH in LAM if you installed
- the LPK patch for
- SSH. Activate the "SSH public key" module for users in the
- server profile and you can add keys to your user entries.
-
-
-
-
-
-
-
-
-
-
-
- Authorized services
-
- You can setup PAM to check if a user is allowed to run a
- specific service (e.g. sshd) by reading the LDAP attribute
- "authorizedService". This way you can manage all allowed services via
- LAM.
-
-
-
- To activate this PAM feature please setup your /etc/libnss-ldap.conf and set
- "pam_check_service_attr" to "yes".
-
-
-
- Inside LAM you can now set the allowed services. You may also
- setup default services in your account profiles.
-
-
-
-
-
-
-
-
-
- You can define a list of services in your LAM server profile
- that is used for autocompletion.
-
-
-
-
-
-
-
-
-
- The autocompletion will show all values that contains the
- entered text. To display the whole list you can press backspace in the
- empty input field. Of course, you can also insert a service name that
- is not in the list.
-
-
-
-
-
-
-
-
-
-
-
- IMAP mailboxes
-
- LAM may create and delete mailboxes on an IMAP server for your
- user accounts. You will need an IMAP server that supports either SSL
- or TLS for this feature.
-
- To activate the mailbox management module please add the
- "Mailbox (imapAccess)" module for the type user in your LAM server
- profile:
-
-
-
-
-
-
-
-
-
- Now configure the module on the tab "Module settings". Here you
- can specify the IMAP server name, encryption options, the
- authentication for the IMAP connection and the valid mail domains. LAM
- can use either your LAM login password for the IMAP connection or
- display a dialog where you need to enter the password. It is also
- possible to store the admin password in your server profile. This is
- not recommended for security reasons.
-
- The user name can either be a fixed name (e.g. "admin") or it
- can be generated with LDAP attributes of the LAM admn user. E.g. $uid$
- will be transformed to "myUser" if you login with
- "uid=myUser,ou=people,dc=example,dc=com".
-
- The mail domains specify for which accounts mailboxes may be
- created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can
- be managed for "user@lam-demo.org" but not for "user@example.com". Use
- "*" for any domain.
-
- You need to install the SSL certificate of the CA that signed
- your server certificate. This is usually done by installing the
- certificate in /etc/ssl/certs. Different Linux distributions may offer
- different ways to do this. For Debian please copy the certificate in
- "/usr/local/share/ca-certificates" and run "update-ca-certificates" as
- root.
-
- It is not recommended to disable the validation of IMAP server
- certificates.
-
- The prefix, user name attribute and path separator specifies how
- your mailboxes are named (e.g. "user.myUser@localhost" or
- "user/myUser"). Select the values depending on your IMAP server
- settings.
-
- You can specify a list of initial folder names to create for new
- mailboxes. LAM will then create them with each new mailbox.
-
-
-
-
-
-
-
-
-
- When you edit an user account then you will now see the tab
- "Mailbox". Here you can create/delete the mailbox for this
- user.
-
-
-
-
-
-
-
-
-
-
-
- IP addresses (LAM Pro)
-
- You can manage the IP addresses of user accounts (e.g. assigned
- by DHCP) with the ipHost module.
-
- Configuration
-
-
-
-
-
-
-
-
-
- User editing
-
-
-
-
-
-
-
-
-
-
-
- Account
-
- This is a very simple module to manage accounts based on the
- object class "account". Usually, this is used for host accounts only.
- Please pay attention that users based on the "account" object class
- cannot have contact information (e.g. telephone number) as with
- "inetOrgPerson".
-
- You can enter a user/host name and a description for your
- accounts.
-
-
-
-
-
-
-
-
-
-
-
-
- Groups
-
-
-
-
- Unix
-
- This module is used to manage Unix group entries. This is the
- default module to manage Unix groups and uses the nis.schema. Suse
- users who use the rfc2307bis.schema need to use
- LAM Pro.
-
- Configuration
-
- Please add the account type "Groups" and then select account
- module "Unix (posixGroup)".
-
-
-
-
-
-
-
-
-
- GID generator: LAM will suggest GID numbers for your accounts.
- Please note that it may happen that there are duplicate IDs assigned
- if users create groups at the same time. Use an overlay
- like "Attribute Uniqueness" (example) if you have lots of LAM
- admins creating groups.
-
-
-
- Fixed range: LAM searches for free numbers within the given
- limits. LAM always tries to use a free GID that is greater than
- the existing GIDs to prevent collisions with deleted
- groups.
-
-
-
- Samba ID pool: This uses a special LDAP entry that includes
- attributes that store a counter for the last used UID/GID. Please
- note that this requires that you install the Samba schema and
- create an LDAP entry of object class "sambaUnixIdPool".
-
-
-
- Magic number: Use this if your LDAP server assigns the GID
- numbers automatically (e.g. DNA by 389 server). Enter the server's
- magic number setting.
-
-
-
- Disable membership management: Disables group membership
- management. This is useful if memberships are e.g. managed via group
- of names.
-
-
-
-
-
-
-
-
-
- Group management:
-
-
-
-
-
-
-
-
-
- Group membership management:
-
-
-
-
-
-
-
-
-
-
-
- Unix groups with rfc2307bis schema (LAM Pro)
-
- Some applications (e.g. Suse Linux) use the rfc2307bis schema
- for Unix accounts instead of the nis schema. In this case group
- accounts are based on the object class groupOf(Unique)Names or namedObject.
- The object class posixGroup is auxiliary in this case.
-
- LAM Pro supports these groups with a special account module:
- rfc2307bisPosixGroup
-
- Use this module only if your system depends on the rfc2307bis
- schema. The module can be selected in the LAM configuration. Instead
- of using groupOfNames as basis for your groups you may also use
- namedObject.
-
- Module activation:
-
-
-
-
-
-
-
-
-
- GID generator: LAM will suggest GID numbers for your accounts.
- Please note that it may happen that there are duplicate IDs assigned
- if users create groups at the same time. Use an overlay
- like "Attribute Uniqueness" (example) if you have lots of LAM
- admins creating groups.
-
-
-
- Fixed range: LAM searches for free numbers within the given
- limits. LAM always tries to use a free GID that is greater than
- the existing GIDs to prevent collisions with deleted
- groups.
-
-
-
- Samba ID pool: This uses a special LDAP entry that includes
- attributes that store a counter for the last used UID/GID. Please
- note that this requires that you install the Samba schema and
- create an LDAP entry of object class "sambaUnixIdPool".
-
-
-
- Magic number: Use this if your LDAP server assigns the GID
- numbers automatically (e.g. DNA by 389 server). Enter the server's
- magic number setting.
-
-
-
- Disable membership management: Disables group membership
- management. This is useful if memberships are e.g. managed via group
- of names.
-
- Force sync with group of names: This will automatically set the
- group memberships of the Unix part to the same members as set on group
- of names tab.
-
-
-
-
-
-
-
-
-
- The GID number will be filled automatically based on the server
- profile configuration.
-
-
-
-
-
-
-
-
-
- Group members can be edited and also synced with Group of
- (unique) names.
-
-
-
-
-
-
-
-
-
-
-
- Samba 3
-
- LAM supports managing Samba 3 groups. You can set special group
- types and also create Windows predefined groups like "Domain
- admins".
-
- Module activation:
-
-
-
-
-
-
-
-
-
- Group editing:
-
-
-
-
-
-
-
-
-
-
-
- Windows (Samba 4)
-
- LAM can manage your Windows groups. Please enable the account
- type "Groups" in your LAM server profile and then add the group module
- "Windows (windowsGroup)(*)".
-
-
-
-
-
-
-
-
-
- The default list attributes are for Unix and not suitable for
- Windows (blank lines in account table). Please use
- "#cn;#member;#description" or select your own attributes to display in
- the account list.
-
-
-
-
-
-
-
-
-
- NIS support is deactivated by default. Enable it if needed on
- tab "Module settings".
-
-
-
-
-
-
-
-
-
- Now you can edit your groups inside LAM. You can manage the
- group name, description and its type. Of course, you can also set the
- group members.
-
- Group scopes:
-
-
-
- Global: Use this for groups with frequent changes. Global
- groups are not replicated to other domains.
-
-
-
- Universal: Groups with universal scope are used to
- consolidate groups that span domains. They are globally
- replicated.
-
-
-
- Domain local: Groups with domain local scope can be used to
- set permissions inside one domain. They are not replicated to
- other domains.
-
-
-
- Group type:
-
-
-
- Security: Use this group type to control permissions.
-
-
-
- Distribution: These groups are only used for email
- applications. They cannot be used to control permissions.
-
-
-
- With "Show effective members" you can show a list of all members
- of this group including members of subgroups and their
- subgroups.
-
-
-
-
-
-
-
-
-
-
-
- Kolab
-
- Please activate the Kolab group module in your LAM server
- profile to activate Kolab support.
-
-
-
-
-
-
-
-
-
- You can specify the email address and also set allowed sender
- and recipient addresses.
-
-
-
-
-
-
-
-
-
-
-
- Mail routing
-
- LAM supports to manage mail routing for group accounts.
-
- Module activation:
-
- This feature can be activated by adding the "Mail routing"
- module to the group account type in your server profile.
-
-
-
-
-
-
-
-
-
- Usage:
-
- You can specify a routing address, the mail server and a number
- of local addresses to route.
-
- In case you want to add this extension by default for new groups
- there is an option in profile editor.
-
-
-
-
-
-
-
-
-
-
-
- Quota
-
- You can manage file system quotas with LAM. This requires to
- setup lamdaemon. File system quotas
- are not stored inside LAM but managed directly on the specified
- servers.
-
-
-
-
-
-
-
-
-
-
-
- PyKota
-
- There are two LAM group modules depending if your group entries
- should be built on object class "pykotaObject" or a different
- structural object class (e.g. "posixGroup"). For "pykotaObject" please
- select "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)"
- in all other cases.
-
-
-
-
-
-
-
-
-
- Now you can add the PyKota extension to your groups.
-
-
-
-
-
-
-
-
-
-
-
-
- Hosts
-
-
- Account
-
- Please see the description here.
-
-
-
- Device (LAM Pro)
-
- The device object class allows to manage general information
- about all sorts of devices (e.g. computers, network hardware, ...).
- You can enter the serial number, location and a describing text. It is
- also possible to specify the owner of the device.
-
-
-
-
-
-
-
-
-
-
-
- Samba 3
-
- You can manage Samba 3 host entries by adding the Unix and Samba
- 3 account modules.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Windows (Samba 4)
-
- LAM can manage your Windows servers and workstations. Please
- enable the account type "Hosts" in your LAM server profile and then
- add the host module "Windows (windowsHost)(*)".
-
-
-
-
-
-
-
-
-
- The default list attributes are for Unix and not suitable for
- Windows (blank lines in account table). Please use
- "#cn;#description;#location" or select your own attributes to display
- in the account list.
-
-
-
-
-
-
-
-
-
- Now you will see you computer accounts inside LAM. You can set
- e.g. the server's description and location information.
-
-
-
-
-
-
-
-
-
-
-
- IP addresses (LAM Pro)
-
- You can manage the IP addresses of host accounts with the ipHost
- module. It manages the following information:
-
-
-
- IP addresses (IPv4/IPv6)
-
-
-
- location of the host
-
-
-
- manager: the person who is responsible for the host
-
-
-
- You can activate this extension by adding the module ipHost to
- the list of active host modules.
-
-
-
-
-
-
-
-
-
-
-
- MAC addresses
-
- Hosts can have an unlimited number of MAC addresses. To enable
- this feature just add the "MAC address" module to the host account
- type.
-
-
-
-
-
-
-
-
-
-
-
- Puppet
-
- LAM supports to manage your Puppet configuration. You can
- edit all attributes like environment, classes, variables and parent
- node.
-
- Configuration
-
- To activate this feature please edit your LAM server profile and
- add the host module "Puppet (puppetClient)" on tab "Modules". This
- will add the Puppet tab to your host pages.
-
-
-
-
-
-
-
-
-
- On tab "Module settings" in your LAM server profile you may also
- setup some common environment names. LAM will use them to provide
- autocompletion hints when editing the environment for a node.
-
- If you enter any value in "Enforce classes" then LAM will only
- accept this list of classes.
-
-
-
-
-
-
-
-
-
- Editing nodes
-
- When you edit a host entry then you will see the tab "Puppet".
- Here you can add/remove the Puppet extension and edit all
- attributes.
-
-
-
-
-
-
-
-
-
-
-
- NIS net groups
-
- NIS netgroups can be used to e.g. restrict SSH access to your
- machines.
-
- Configuration
-
- Please add the module "NIS net groups (nisNetGroupHost)" to the
- list of active host modules.
-
-
-
-
-
-
-
-
-
- Host editing
-
- You will now see a new tab when editing hosts. Here you can
- assign memberships in NIS net groups and also set user/domain.
-
-
-
-
-
-
-
-
-
-
-
-
- Samba 3 domains
-
- Samba 3 stores information about its domain settings inside LDAP.
- This includes the domain name, its SID and some policies. You can manage
- all these attributes with LAM.
-
- Please activate the account type "Samba domains" in your LAM
- server profile. Please notice that Samba by default uses the LDAP root
- for domain objects (e.g. dc=example,dc=com).
-
-
-
-
-
-
-
-
-
- This will add a new tab to LAM where you can manage domain
- information.
-
- The domain name, SID and RID base can only be specified for new
- domains and are not changeable via LAM at a later time. You may setup
- several password policies for your Samba domains and also some RID
- options that influence the creation of SIDs for
- users/groups/hosts.
-
-
-
-
-
-
-
-
-
-
-
- Group of (unique) names and group of members (LAM Pro)
-
- These classes can be used to represent group relations. Since they
- allow DNs as members you can also use them to represent nested
- groups.
-
- Configuration:
-
- Activate the account type "Group of names" in your LAM server
- profile to use these account modules. Alternatively, you can use the
- account type "Groups".
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Then add the module "Group of names (groupOfNames)", "Group of
- unique names (groupOfUniqueNames)" or "Group of members
- (groupOfMembers)".
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- On the module settings tab you set some options like the display
- format for members/owners and if fields like description should not be
- displayed.
-
-
-
-
-
-
-
-
-
- Group management:
-
- Group of (unique) names have four basic attributes:
-
-
-
- Name: a unique name for the group
-
-
-
- Description: optional description
-
-
-
- Owner: the account which owns this group (optional)
-
-
-
- Members: the members of the group (at least one is
- required)
-
-
-
- You can add any accounts as members. This includes other groups
- which leads to nested groups.
-
- To show members of nested groups click on "Show effective
- members". Please note that for large groups this will run lots of
- queries against your LDAP server.
-
-
-
-
-
-
-
-
-
-
-
- Organizational roles (LAM Pro)
-
- This module manages roles via the organizationalRole object class.
- There is also a user
- module to manage memberships on the user edit page.
-
- Configuration:
-
- Activate the account type "Groups" in your LAM server profile to
- use this account module. Alternatively, you can use the account type
- "Group of names".
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Then add the module "Role (organizationalRole)".
-
-
-
-
-
-
-
-
-
- On the module settings tab you set some options like the display
- format for members and if description should not be displayed.
-
-
-
-
-
-
-
-
-
- Role management:
-
- You can add any accounts as members. This includes other roles
- which leads to nested roles (needs to be supported by LDAP client
- applications).
-
- To show members of nested roles click on "Show effective members".
- Please note that for large roles this will run lots of queries against
- your LDAP server.
-
-
-
-
-
-
-
-
-
-
-
- Asterisk
-
- LAM includes large support for Asterisk. You can add Asterisk
- extensions (including voicemail) to your users and also manage Asterisk
- extensions.
-
- The Asterisk support for users can be added by selecting the
- Asterisk and Asterisk voicemail modules for users in your LAM server
- profile. This will add the following tabs to your user accounts.
-
-
-
-
-
-
-
-
-
- The Asterisk module allows to edit a large amount of attributes.
- Therefore, you can hide unused fields. Please edit you server profile
- (Module settings) to do so.
-
-
-
-
-
-
-
-
-
- Of course, the voicemail part of Asterisk is also
- supported.
-
-
-
-
-
-
-
-
-
- If you also want to manage Asterisk extensions then simply add the
- account type "Asterisk extensions" and its module to your server
- profile.
-
- LAM groups your Asterisk extension entries by extension name and
- account context. If you edit an extension then you will see the Asterisk
- entries as rules. LAM manages that all rule entries have the same owners
- and assigns the priorities.
-
-
-
-
-
-
-
-
-
-
-
- Zarafa (LAM Pro)
-
- Zarafa is an OpenSource collaboration software. LAM Pro provides
- support to manage Zarafa server entries, users and groups. It covers all
- settings for these types including resource and quota settings.
-
- LAM Pro is an official Zarafa Certified Integration.
-
-
-
-
-
-
-
-
- Configuration
-
- To enable Zarafa support in LAM Pro please activate the Zarafa
- modules for the Users, Groups and Hosts account types in you server
- profile:
-
-
-
-
-
-
-
-
-
- Attention: LAM Pro uses the
- Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP,
- OpenDJ, Apache Directory server and other common LDAP servers. If you
- run Samba 4 or Active Directory then you need to switch the schema to
- "Active Directory" on the module settings tab:
-
-
-
-
-
-
-
-
-
- You can configure which parts of the Zarafa user options should
- be enabled. E.g. if you do not want to manage quotas per user then you
- can hide these options on the tab "Module settings".
-
-
-
-
- "Send as" attribute: Here you
- can specify how "Send as" privileges should be managed. LAM supports
- "uid" and "dn".
-
- If you select "uid" the LAM will store user names in the
- zarafaSendAsPrivilege attribute. This way you are restricted to
- specify user accounts as "Send as" allowed.
-
- You can also set this option to "dn" and LAM will store DNs in
- the zarafaSendAsPrivilege attribute. In this case you may specify
- users and groups as "Send as" allowed.
-
-
-
-
- Examples for your Zarafa ldap.cfg:
-
- "Send as" attribute: dn
-
- ldap_user_sendas_attribute_type = dn
-
-
-
-
- "Send as" attribute: uid
-
- ldap_user_sendas_attribute_type = text
-
- ldap_user_sendas_relation_attribute = uid
-
-
-Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting.
-
-
-
-
- Features: Zarafa 7 allows to
- enable IMAP/POP3 for each user. Please hide the option "Features" if
- you use Zarafa 6.x.
-
-
-
-
-
-
-
-
-
-
- Users
-
- This is an example of the user edit page with all possible
- settings. This includes email settings, quotas and some options
- (e.g. hide from address book). You can also set the resource type
- and capacity for meeting rooms and equipment. The Zarafa extension
- can be added and removed at any time for every user.
-
- Please note that the option "Features" requires Zarafa 7.
- Please hide this option in the LAM server profile if you run Zarafa
- 6.x.
-
-
-
-
-
-
-
-
-
-
-
- Contacts
-
- LAM Pro can manage your Zarafa contact entries. You can set
- the email aliases and "send as" privileges. Additionally, accounts
- may be hidden in the address book or disabled.
-
- Please note that you can either use the Zarafa user module or
- Zarafa contact. LAM Pro will disable the other tab when enabling one
- of them.
-
-
-
-
-
-
-
-
-
-
-
- Groups
-
- This is the edit page for groups. You can enter an email
- address and additional aliases for your groups. It is also possible
- to specify options (e.g. hide from address book). The extension can
- be added/removed dynamically.
-
- Please note that the option "Send-as privileges" requires the
- Zarafa 7.0.3 schema. Please hide this option in the LAM server
- profile if you run Zarafa < 7.0.3.
-
-
-
-
-
-
-
-
-
-
-
- Servers
-
- The Zarafa extension for host accounts allows to set the
- connection ports and file path. You can add/remove the extension at
- any time.
-
- Setting the public store option is only possible for new host
- entries.
-
- Please note that the proxy URL option requires the Zarafa 7.1
- schema. Please hide this option in your LAM server profile if you
- use an older version.
-
-
-
-
-
-
-
-
-
-
-
- Address lists
-
- Zarafa allows to store address lists in LDAP. You need to
- define a search base and LDAP filter for each address list. E.g.
- entering "ou=people,dc=company,dc=com" as base and "uid=*" will
- select all users that are stored in
- "ou=people,dc=company,dc=com".
-
- You can also hide your lists from the address book or
- temporarily disable them.
-
-
-
-
-
-
-
-
-
-
-
- Dynamic groups
-
- Zarafa allows to define dynamic groups in LDAP. You need to
- define a search base and LDAP filter for each group. E.g. entering
- "ou=people,dc=company,dc=com" as base and "uid=*" will select all
- users that are stored in "ou=people,dc=company,dc=com".
-
- Dynamic groups may have an email address and multiple email
- alias addresses.
-
- You can also hide your dynamic groups from the address book or
- temporarily disable them.
-
-
-
-
-
-
-
-
-
-
-
-
-
- Kolab shared folders
-
- Please add the account type "Kolab shared folders" in your LAM
- server profile and set the correct LDAP suffix.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Then add the "Kolab shared folder" module on tab "Modules".
-
-
-
-
-
-
-
-
-
- Now you can start to add shared folders inside LAM.
-
-
-
-
-
-
-
-
-
-
-
- DHCP
-
- You can mange your DHCP server with LAM. It supports to manage
- subnets, fixed IP entries, IP ranges and DDNS.
-
- Configuration
-
- The DHCP management can be activated by adding the account type
- DHCP to your server profile. Please also add the DHCP modules.
-
- LAM requires that you use an LDAP entry with the object class
- "dhcpService" or "dhcpServer" as suffix for this account type. If the
- "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN"
- then you need to use the DN of the "dhcpService" entry as LDAP suffix
- for DHCP.
-
-
-
-
- Add account type:
-
-
-
-
-
-
-
-
-
- Set suffix:
-
-
-
-
-
-
-
-
-
- Add modules:
-
-
-
-
-
-
-
-
-
- Example server
- entry:
-
- dn:
- cn=server,ou=dhcp,dc=ldap-account-manager,dc=org
-
- objectclass: dhcpServer
-
- objectclass: dhcpOptions
-
- objectclass: top
-
- cn: server
-
- dhcpcomments: My DHCP server
-
- dhcpoption: domain-name
- "ldap-account-manager.org"
-
- dhcpoption: domain-name-servers 192.168.1.1
-
- dhcpoption: routers 192.168.1.1
-
- dhcpoption: netbios-name-servers 192.168.1.1
-
- dhcpoption: subnet-mask 255.255.255.0
-
- dhcpoption: netbios-node-type 8
-
- dhcpstatements: default-lease-time 3600
-
- dhcpstatements: max-lease-time 7200
-
- dhcpstatements: include "mykey"
-
- dhcpstatements: ddns-update-style interim
-
- dhcpstatements: update-static-leases true
-
- dhcpstatements: ignore client-updates
-
-
-
-
- Example settings for
- dhcpd.conf:
-
- ddns-update-style none;
-
- deny unknown-clients;
-
- ldap-server "server";
-
- ldap-dhcp-server-cn "server";
-
- ldap-port 389;
-
- ldap-username
- "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org";
-
- ldap-password "{SSHA}XXXXXXXXXXXX";
-
- ldap-base-dn
- "ou=dhcp,dc=ldap-account-manager,dc=org";
-
- ldap-method dynamic;
-
- ldap-debug-file
- "/var/log/dhcp-ldap-startup.log";
-
-
-
-
-
-
- slapd.conf changes:
-
- include /etc/ldap/schema/dhcp.schema
-
- index dhcpHWAddress eq
-
- index dhcpClassData eq
-Run slapindex to rebuild the index.
-
-
-
- You can manage the settings of your DHCP service/server
- entry:
-
-
-
-
-
-
-
-
-
- You can easily create new subnet entries.
-
-
-
-
-
-
-
-
-
- It is also possible to specify a list of fixed IPs.
-
-
-
-
-
-
-
-
-
- IP ranges may be specified.
-
- If you use failover pools for your IP ranges please use the pool
- options on the bottom. Here you can add DHCP pools (object class
- "dhcpPool") and specify the failover peer.
-
-
-
-
-
-
-
-
-
- If you activated DDNS in the server entry then you may also
- specify the DDNS settings for this subnet.
-
-
-
-
-
-
-
-
-
-
-
- Bind DLZ (LAM Pro)
-
- Bind DLZ is
- an extension to the DNS server Bind that allows to store
- DNS entries inside LDAP. Please install the Bind DLZ schema file on your
- LDAP server. It is part of the DLZ patch.
-
- Configuration
-
- First, you need to add the Bind DNS account type and the Bind DLZ
- module:
-
-
-
-
-
-
-
-
-
- Please set the LDAP suffix either to an existing DNS zone
- (dlzZone) or an organizational unit that should include your DNS
- zones.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Automatic PTR management
-
- LAM can automatically create/delete PTR entries for the entered
- IPv4/6 records. You can enable this feature on the module settings
- tab.
-
- PTR records will get the same TTL as IP records. Please note that
- you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa")
- under the same suffix as your other DNS entries.
-
-
-
-
-
-
-
-
-
- Zone management
-
- If you do not yet have a DNS zone then LAM can create one for you.
- In list view switch the suffix to an organizational unit DN. Now you
- will see a button "New zone".
-
- This will create the zone container entry and a default DNS entry
- "@" for authoritative information. Now switch the suffix to your new
- zone and start adding DNS entries.
-
-
-
-
-
-
-
-
-
- DNS entries
-
- LAM supports the following DNS record types:
-
-
-
- SOA: authoritative information
-
-
-
- NS: name servers
-
-
-
- A/AAAA: IP addresses
-
-
-
- PTR: reverse DNS entries
-
-
-
- CNAME: alias names
-
-
-
- MX: mail servers
-
-
-
- TXT: text records
-
-
-
- SRV: service entries
-
-
-
-
-
-
- Authoritative (SOA) and name server (NS)
- records
-
- Here you can manage general information about the zone like
- timeouts and name servers. Please note that name servers must be
- inserted in a special format (dot at the end).
-
-
-
-
-
-
-
-
-
-
-
-
- IP addresses (A/AAAA)
-
- LAM will automatically set the correct type (A/AAAA) depending if
- you enter an IPv4 or IPv6 address.
-
-
-
-
-
-
-
-
-
-
-
-
- Reverse DNS entries
-
- Reverse DNS entries are important when you need to find the DNS
- name that is associated with a given IP address. Reverse DNS entries are
- stored in a separate DNS zone.
-
-
-
-
-
-
-
-
-
-
-
-
- Alias names (CNAME)
-
- Sometimes a DNS entry should simply point to a different DNS entry
- (e.g. for migrations). This can be done by adding an alias name.
-
-
-
-
-
-
-
-
-
-
-
-
- Mail servers (MX)
-
- The mail server entries define where mails to a domain should be
- delivered. The server with the lowest preference has the highest
- priority.
-
-
-
-
-
-
-
-
-
-
-
-
- Text records (TXT)
-
- Text records can be added to store a description or other data
- (e.g. SPF information).
-
-
-
-
-
-
-
-
-
-
-
-
- Services (SRV)
-
- Service records can be used to specify which servers provide
- common services such as LDAP. Please note that the host name must be
- _SERVICE._PROTOCOL (e.g. _ldap._tcp).
-
-
-
-
- Priority: The priority of the target host, lower value means more
- preferred.
-
- Weight: A relative weight for records with the same priority. E.g.
- weights 20 and 80 for a service will result in 20% queries to the one
- server and 80% to the other.
-
- Port: The port number that is used for your service.
-
- Server: DNS name where service can be reached (with dot at the
- end).
-
-
-
-
-
-
-
-
-
-
-
-
- File upload
-
- You can upload complete DNS zones via LAM's file upload. Here is
- an example for a zone file and the corresponding CSV file.
-
-
- Zone file
-
-
-
-
- @
-
- IN
-
- SOA
-
- ns1.example.com admin.ns1.example.com (1 360000 3600
- 3600000 370000)
-
-
-
-
-
- IN
-
- NS
-
- ns1.example.com.
-
-
-
-
-
- IN
-
- NS
-
- ns2.example.com.
-
-
-
-
-
- IN
-
- MX
-
- 10 mail1.example.com
-
-
-
-
-
- IN
-
- MX
-
- 20 mail2.example.com
-
-
-
- foo
-
- IN
-
- A
-
- 123.123.123.100
-
-
-
- foo2
-
- IN
-
- CNAME
-
- foo.example.com
-
-
-
- bar
-
- IN
-
- A
-
- 123.123.123.101
-
-
-
-
-
- IN
-
- AAAA
-
- 1:2:3:4:5
-
-
-
-
-
- Please check that you have an existing zone entry that can be used
- for the file upload. See above to create a new zone.
-
- Hint: If you use the function above to create a new zone then
- please skip the "@" entry in the CSV file below. LAM creates this entry
- with sample data.
-
- In this example we assume that the following zone extry
- exists:
-
- dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com
-dlzzonename: example.com
-objectclass: dlzZone
-objectclass: top
-
-
-
- Here is the corresponding CSV file: bindUpload.csv
-
-
-
- Aliases (LAM Pro)
-
- Some applications use the object class "alias" to link LDAP
- entries to other parts of the LDAP tree. Activate the account type
- "Aliases" in your LAM server profile to use this account type.
-
- Currently, only user accounts can be aliased with the "uidObject"
- object class.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Mail aliases
-
- You can manage mail aliases (e.g. for NIS) inside LAM. This can be
- used to replace local /etc/aliases files with LDAP.
-
- Note: Use the mail alias user
- module to manage mail aliases on user pages.
-
- All accounts of this type are based on the "nisMailAlias" object
- class and may have "cn" and "rfc822MailMember" attributes. To activate
- this type please add "Mail aliases" in your LAM server profile:
-
-
-
-
-
-
-
-
-
- You need to select the Mail aliases module on the next tab.
-
-
-
-
-
-
-
-
-
- The mail aliases will then appear as separate tab inside LAM. You
- may then manage the aliases with their names and recipient
- addresses.
-
- There are mail/user icons that allow to select a mail address/user
- name from the existing users.
-
-
-
-
-
-
-
-
-
-
-
- NIS net groups
-
- LAM supports to define NIS netgroups. You can use them e.g. to
- restrict SSH access to your machines.
-
- Add the NIS net group account type and its module to your server
- profile. Then you can manage net groups in LAM. Net groups may contain
- other net groups as child groups. You can either insert the host/user
- names manually or print the search buttons next to the input fields to
- find existing entries in your directory.
-
-
-
-
-
-
-
-
-
-
-
- NIS objects (LAM Pro)
-
- You can manage NIS objects with LAM Pro. This allows you define
- network mount points in LDAP.
-
- Add the NIS objects type to your LAM configuration and then the
- NIS objects module. This will add the NIS objects tab to LAM.
-
-
-
-
-
-
-
-
-
-
-
- Automount objects (LAM Pro)
-
- LAM Pro allows you to manage automount entries. Please activate
- the account type "Automount objects" in your LAM Pro server
- profile.
-
-
-
-
-
-
-
-
-
- Then add the correct automount module. Usually, this is "Automount
- entry (automount)". If you use Suse Linux with RFC2307bis schema please
- select "Automount entry (rfc2307bisAutomount)".
-
-
-
-
-
-
-
-
-
- This will add a new tab to LAM Pro's main screen which includes a
- list of all automount entries. Here you can easily create new
- entries.
-
-
-
-
-
-
-
-
-
- Please see the following external HowTos for more information on
- automounting and LDAP:
-
-
-
- AutofsLDAP
-
-
-
- Automount
- über LDAP (German)
-
-
-
-
-
- Oracle databases (LAM Pro)
-
- Oracle allows to manage connection data that is stored in
- tnsnames.ora to be stored in an LDAP directory.
-
- Initial setup
-
- LDAP server setup:
-
- You will need to install the correct Oracle LDAP schema files on
- your LDAP server. If you run no Oracle LDAP server then you can get them
- (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from
- here.
-
- Next you need to create the root entry for Oracle. It should look
- like this:
-
- dn: cn=OracleContext,dc=example,dc=com
-objectclass: orclContext
-cn: OracleContext
-
- You can create it with LAM's tree view. Please note that "cn" must
- be set to "OracleContext".
-
-
-
-
- LAM setup:
-
- Edit your LAM server profile and add the Oracle account
- type:
-
-
-
-
-
-
-
-
-
- In case you manage a single Oracle context just enter the
- cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle
- context entries then set the LDAP suffix to a parent entry of
- them.
-
-
-
-
-
-
-
-
-
- Next, add the Oracle module:
-
-
-
-
-
-
-
-
-
- Now you can login to LAM and start to add database
- entries.
-
-
- Managing database entries
-
- Each database has a service name, the connection string and an
- optional description.
-
-
-
-
-
-
-
-
-
- Database client setup for
- LDAP
-
- You need to activate the LDAP adapter to make the database tools
- reading LDAP. Edit network/admin/sqlnet.ora like this:
-
- NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)
-
- Then add a file called ldap.ora next to your sqlnet.ora and set
- the LDAP server and DN suffix where cn=OracleContext is stored:
-
- DIRECTORY_SERVERS= (ldap.example.com:389:636)
-DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de"
-DIRECTORY_SERVER_TYPE = OID
-
- This will allow e.g. tnsping to get the connection data from
- LDAP:
-
- [oracle@oracle bin]$ tnsping mydb
-
-TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54
-
-Copyright (c) 1997, 2013, Oracle. All rights reserved.
-
-Used parameter files:
-/home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
-
-Used LDAP adapter to resolve the alias
-Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))
-OK (10 msec)
-
-
-
- Password policies (LAM Pro)
-
- OpenLDAP supports the ppolicy overlay
- to manage password policies for LDAP entries. This allows you to set
- password policies which are independent from your applications. The
- policies are managed internally by the LDAP server.
-
- You can manage these policies with LAM Pro with the account type
- "Password policies".
-
-
-
-
-
-
-
-
-
- You will need to add the ppolicy schema to your OpenLDAP
- configuration and activate the ppolicy overlay
- module in slapd.conf to use this feature.
-
-
-
- PyKota printers
-
- Please add the account type "Printers (PyKota printers)" on tab
- "Account types" in your server profile and setup the LDAP suffix where
- printers are stored.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Then add the PyKota printer module on tab "Account
- modules".
-
-
-
-
-
-
-
-
-
- Next you can start managing printers inside LAM. Here you can
- setup the costs for a print job. LAM will also show if the printer is
- member of any printer groups.
-
-
-
-
-
-
-
-
-
- You can also setup printer groups. Just add some members to your
- new group.
-
-
-
-
-
-
-
-
-
-
-
- PyKota billing codes
-
- Please add the account type "Billing codes" on tab "Account types"
- in your server profile and setup the LDAP suffix where billing codes are
- stored.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Then add the PyKota billing code module on tab "Account
- modules".
-
-
-
-
-
-
-
-
-
- Now login to LAM and you will see the billing code tab where you
- can manage your entries. If jobs were printed with a billing code then
- you will also see the balance and page count.
-
-
-
-
-
-
-
-
-
-
-
- Custom fields (LAM Pro)
-
- This module allows you to manage LDAP attributes that are not
- covered by the other LAM modules (e.g. if you use custom LDAP schemas).
- You can fully define how your input fields look like:
-
-
-
- Label
-
-
-
- LDAP attribute name
-
-
-
- Unique name for field
-
-
-
- Help text
-
-
-
- Read-only display
-
-
-
- Field type: text, password, text area, checkbox, radio
- buttons, select list, file upload
-
-
-
- Validation via regular expression
-
-
-
- Error message if validation fails
-
-
-
- Limitations:
-
- Custom fields cannot manage
-
-
-
- structural object classes
-
-
-
- attributes that require validation rules across multiple
- attributes or cannot be described by a simple regular
- expression
-
-
-
- Activating the custom fields
- module:
-
- You may specify custom fields for all of your account types.
- Please enter tab "Modules" in your server profile. Now activate the
- "Custom fields (customFields)" module for all needed account
- types.
-
-
-
-
-
-
-
-
-
- Setting label and icon:
-
- You may set the label that is displayed e.g. on the tab when
- editing an account. It is also possible to specify an icon (must be a
- valid URL like "/images/icon.png" or "http://server/images/icon.png").
- The icon size should be 32x32 pixels.
-
- LAM will display a default icon and "Custom fields" as label if
- you do not enter any values.
-
- You may also specify how LAM displays cutom fields when there are
- multiple field groups. The default is accordion view where you can
- switch field groups by clicking on the title. You may also deactivate
- this mode. Then all field groups are displayed one below the
- other.
-
-
-
-
-
-
-
-
-
- Defining groups:
-
- All input fields are devided into groups. A group may contain one
- or more object classes and allows you to add/remove a certain set of
- input fields.
-
- E.g. you may define two groups - "My application A" and "My
- application B" - that manage different LDAP attributes and object
- classes. This way you will be able to control both attribute sets
- independently.
-
- To create a group please edit your server profile and switch to
- tab "Module settings". You will see the section "Custom fields" which
- allows you to add new groups. Now select your account type (e.g. Users)
- and specify an alias for your group. This alias will be printed as group
- header when you later edit an account in the admin interface.
-
-
-
-
-
-
-
-
-
- After you created your new group you can setup the managed object
- classes. If you specify any object classes then you will later be able
- to add/remove a complete set of attributes including their object
- classes.
-
- Skipping the object classes field is only useful if you want to
- manage some attributes that are not yet supported by LAM but there is
- already a LAM module that manages the object class.
-
-
-
-
-
-
-
-
-
- The group may look like when you edit a user.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Adding fields:
-
- Now you can add a new field that manages an LDAP attribute. Simply
- fill the fields and press on "Add".
-
- Please note that the field name cannot be changed later. It is the
- unique ID for this field.
-
-
-
-
-
-
-
-
-
- Examples for fields and their representation:
-
- Text field:
-
- Text fields allow to specify a validation
- expression and error message.
-
- You can also enable auto-completion. In this case LAM will search
- all accounts for the given attribute and provide auto-completion hints
- when the user edits this field. This should only be used if there is a
- limited number of different values for this attribute.
-
- In case your field is a date value you can show a calendar for
- easy editing.
-
- Example calendar formats:
-
-
-
- dd.mm.yy: 31.12.2016
-
-
-
- yy-mm-dd: 2016-12-31
-
-
-
- d M, y: 31 Dec, 16
-
-
-
- d MM, y: 31 December, 2016
-
-
-
-
-
-
-
-
-
-
-
- Presentation:
-
-
-
-
-
-
-
-
-
- Password field:
-
- You can also manage custom password fields. LAM Pro will display
- two fields where the user must enter the same password. You can hash the
- password if needed.
-
-
-
-
-
-
-
-
-
- Presentation:
-
-
-
-
-
-
-
-
-
- Text area:
-
- This adds a multi-line field. The options are similar to text
- fields. Additionally, you can set the size with the number of columns
- and rows.
-
- Please note that the validation
- expression should be set to multi-line. This is done by adding
- "m" at the end.
-
-
-
-
-
-
-
-
-
- Presentation:
-
-
-
-
-
-
-
-
-
- Checkbox:
-
- Sometimes you may want to allow only yes/no values for your LDAP
- attributes. This can be represented by a checkbox. You can specify the
- values for checked and unchecked. The default value is set if the LDAP
- attribute has no value.
-
-
-
-
-
-
-
-
-
- Presentation:
-
-
-
-
-
-
-
-
-
- Radio buttons:
-
- This displays a list of radio buttons where the user can select
- one value.
-
- You can specify a mapping of LDAP attribute values and their
- display (label) on the Self Service page. To add more mapping fields
- please press "Add more mapping fields".
-
-
-
-
-
-
-
-
-
- Presentation:
-
-
-
-
-
-
-
-
-
- Select list:
-
- Select lists allow the user to select a value in a large list of
- options. The definition of the possible values and their display is
- similar to radio buttons.
-
- You can also allow multiple values.
-
-
-
-
-
-
-
-
-
- Presentation:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Validation expressions:
-
- The validation expressions follow the standard of Perl regular
- expressions. They start and end with a "/". The beginning of a
- line is specified by "^" and the end by "$".
-
- Examples:
-
- /^[a-z0-9]+$/ allows small letters and numbers. The value must not
- be empty ("+").
-
- /^[a-z0-9]+$/i allows small and capital letters ("i" at the end
- means ignore case) and numbers. The value must not be empty
- ("+").
-
- Special characters that must be escaped with "\": "\", ".", "(",
- ")"
-
- E.g. /^[a-z0-9\.]$/i
-
-
-
-
- File upload:
-
- This is used for binary data. You can restrict uploaded data to a
- given file extension and set the maximum file size.
-
-
-
-
-
-
-
-
-
- Presentation:
-
- The uploaded data may also be downloaded via LAM.
-
-
-
-
-
-
-
-
-
-
-
- Custom scripts (LAM Pro)
-
- LAM Pro allows you to execute scripts whenever an account is
- created, modified or deleted. This can be useful to automate processes
- which needed manual work afterwards (e.g. sending your user a welcome
- mail or register a mailbox). Additionally, you can specify manual scipts
- that can be executed from within LAM Pro.
-
- To activate this feature please add the "Custom scripts" module to
- all needed account types on the configuration pages.
-
-
-
-
-
-
-
-
-
- In "Module settings" you can specify multiple scripts for each
- action type (e.g. modify) and account type (e.g. user). The scripts need
- to be located on the filesystem of your webserver and will be executed
- in its user environment. E.g. if you webserver runs as user www-data
- with the group www-data then the custom scripts will be run under this
- user with his rights. The output of the scripts will be shown in
- LAM.
-
- You can specify the scripts on the LAM configuration pages.
-
-
-
-
-
-
-
-
-
- Syntax:
-
- Please enter one script per line. Each line has the following
- format: <account type> <action> <script>
-
- E.g.: user preModify /usr/bin/myCustomScript -u $uid$
-
- Account types:
-
- You can setup scripts for all available account types (e.g. user,
- group, host, ...). Please see the help on the configuration page about
- your current active account types.
-
- Actions:
-
-
- Action types
-
-
-
-
- Action name
-
- Description
-
-
-
- preCreate
-
- Executed before creating a new account (cancels operation
- if a script returns an exit code > 0, not available for file
- upload)
-
-
-
- postCreate
-
- Executed after creating a new account (does not run if preCreate or LDAP operations
- fail)
-
-
-
- preModify
-
- Executed before an account is modified (cancels operation
- if a script returns an exit code > 0)
-
-
-
- postModify
-
- Executed after an account was modified (does not run if preModify or LDAP operations
- fail)
-
-
-
- preDelete
-
- Executed before an account is modified (cancels operation
- if a script returns an exit code > 0)
-
-
-
- postDelete
-
- Executed after an account was modified (does not run if preDelete or LDAP operations
- fail)
-
-
-
- manual
-
- Can be run manually on account page. If you add
- LAMLABEL="text" before the command then LAM will use the text as
- label for the button in account edit screen.
-
-
-
-
-
- Script:
-
- You can execute any script which is located on the filesystem of
- your webserver. The path may be absolute or relative to the
- PATH-variable of the environment of your webserver process. It is also
- possible to add commandline arguments to your scripts. Additionally, LAM
- will resolve wildcards to LDAP attributes. If your script includes an
- wildcard in the format $ATTRIBUTE$ then LAM will replace it with the
- attribute value of the current LDAP entry. The values of multi-value
- attributes are separated by commas. E.g. if you create an account with
- the attribute "uid" and value "steve" then LAM will resolve "$uid$" to
- "steve".
-
- Please note that manual scripts can only use the current LDAP
- attribute values of the account. Any modifications done that are not
- saved will not be available. Manual scripts are also not available for
- new accounts that are not yet saved to LDAP.
-
- You can switch LAM's logging to debug mode if you are unsure which
- attributes with which values are available.
-
- The following special wildcards are available for automatical
- scripts:
-
-
-
- $INFO.userPasswordClearText$:
- cleartext password when Unix/Windows password is changed (e.g.
- useful for external password synchronisation) for new/modified
- accounts
-
-
-
- $INFO.userPasswordStatusChange$: provides
- additional information if the Personal/Unix password locking status
- was changed, possible values: locked, unlocked, unchanged
-
-
-
- $INFO.passwordSelfResetAnswerClearText$:
- cleartext answer to security question
-
-
-
- $INFO.389lockingStatusChange$: for 389ds
- account locking, provides information if account was unlocked.
- Possible values: unchanged, unlocked
-
-
-
- $INFO.389deactivationStatusChange$: for 389ds
- account locking, provides information if account was deactivated.
- Possible values: unchanged, activated, deactivated
-
-
-
- $NEW.<attribute>$: the
- value of a new attribute (e.g. $NEW.telephoneNumber$) for modified
- accounts
-
-
-
- $DEL.<attribute>$: the
- value of a deleted attribute (e.g. $DEL.telephoneNumber$) for
- modified accounts
-
-
-
- $MOD.<attribute>$: the
- new value of a modified attribute (e.g. $MOD.telephoneNumber$) for
- modified accounts
-
-
-
- $ORIG.<attribute>$: the
- original value of an attribute (e.g. $ORIG.telephoneNumber$) for
- modified accounts
-
-
-
- Output may contain HTML: If your
- scripts generate HTML output then activate this option.
-
- Hide command in messages: You may
- want to prevent that your users see the executed commands. In this case
- activating this option will only show the command output but not the
- command itself.
-
-
-
- You can see a preview of the commands which will be automatically
- executed on the "Custom scripts" tab. Here you can also run the manual
- scripts.
-
-
-
-
-
-
-
-
-
-
-
- Sudo roles (LAM Pro)
-
- You can manage your sudo roles in LDAP if you have installed the
- sudo-ldap package or compiled sudo with LDAP
- support.
-
- To activate sudo management in LAM Pro edit your server profile
- and add the type "Sudo roles".
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Now you can create sudo commands.
-
-
-
-
-
-
-
-
-
- The sudo roles in LDAP work similar to those in /etc/sudoers. You
- can specify who may run which commands as which user. It is also
- possible to specify options like NOPASSWD.
-
-
-
- LDAP views based on nsview (LAM Pro)
-
- LAM Pro supports LDAP views based on the "nsview" object class.
- These views allow to create an organizational unit that shows a subset
- of your LDAP content. The subset is determined by an LDAP filter.
-
- Configuration:
-
- To activate view management in LAM Pro edit your server profile
- and add the type "LDAP views".
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Now you are ready to create your views. Each view has a name, LDAP
- filter and an optional description.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- General information
-
- This module is available for all account types. It shows some
- internal information about the LDAP entries like the creation time and
- who modified the entry.
-
- If you use the "memberOf" overlay in OpenLDAP then this will also
- show group memberships done by the overlay.
-
-
-
-
-
-
-
-
-
-
-
- Tree view (LDAP browser)
-
- The tree view provides a raw view on your LDAP directory. This
- feature is for people who are experienced with LDAP and need special
- functionality which the LAM account modules not provide. E.g. if you
- want to add a special object class to an account or edit attributes
- ignoring LAM's syntax checks.
-
-
-
-
-
-
-
-
-
- There are also some special functions available:
-
- Export: This allows you to export
- entries to a file (e.g. LDIF or CSV format).
-
- Show internal attributes: Shows
- internal attributes of the current entry. This includes information
- about the creator and creation time of the entry.
-
-
-
-
- Tools
-
-
-
-
- Profile editor
-
- The account profiles are templates for your accounts. Here you can
- specify default values which can then be loaded when you create
- accounts. You may also load a template for an existing account to reset
- it to default values. When you create a new account then LAM will always
- load the profile named "default". This
- account profile can include default values for all your accounts.
-
-
-
-
-
-
-
-
-
- You can enter the LDAP suffix, RDN identifier and various other
- attributes depending on account type and activated modules.
-
-
-
-
-
-
-
-
-
- Import/export:
-
- Profiles can be exported to and imported from other server
- profiles.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- There is a special export target called "*Global templates". All
- profiles exported here will be copied to all other server profiles
- (incl. new ones). But existing profiles with the same name are not
- overwritten. So a profile in global templates is treated as default
- profile for all server profiles.
-
- Use this if you would like to setup default profiles that are
- valid for all server profiles.
-
-
-
-
-
-
-
-
-
-
-
- File upload
-
- When you need to create lots of accounts then you can use LAM's
- file upload to create them. LAM will read a CSV formatted file and
- create the related LDAP entries. Please check the data in you CSV file
- carefully. LAM will do less checks for the file upload than for single
- account creation.
-
- At the first page please select the account type and what
- extensions should be activated.
-
-
-
-
-
-
-
-
-
- The next page shows all available options for the file upload. You
- will also find a sample CSV file which can be used as template for your
- CSV file. All red options are required columns in the file. You need to
- specify a value for each account.
-
- When you upload the CSV file then LAM first does some checks on
- this file. This includes syntax checks and if all required data was
- entered. No changes in the LDAP directory are done at this time.
-
- If the checks were successful then LAM will ask again if you want
- to create the accounts. You will also have the chance to check the
- upload by viewing the changes in LDIF format.
-
-
-
-
-
-
-
-
-
-
-
- Multi edit
-
- This tool allows you to modify a large list of LDAP entries in
- batch mode. You can add new attributes/object classes, remove attributes
- and set attributes to a specific value.
-
- At the beginning, you need to specify where the entries are stored
- that should be changed. You can select an account suffix, the tree
- suffix or enter your own DN by selecting "Other".
-
- Next, enter an additional LDAP filter to limit the entries that
- should be changed. E.g. use "(objectclass=inetOrgPerson)" to filter for
- users. You may also enter e.g. "(!(objectClass=passwordSelfReset))" to
- match all accounts that do not yet have the password self reset
- feature.
-
-
-
-
- Now, it is time to define the changes that should be done. The
- following operations are possible:
-
-
-
- Add: Adds an attribute value if not yet existing. Please do
- not use for single-value attributes that already have a
- value.
-
-
-
- Modify: Sets an attribute to the given value. If the attribute
- does not yet exist then it is added. If the attribute has multiple
- values then all other values are removed.
-
-
-
- Delete: Deletes the specified value from this attribute. If
- you leave the value field blank then all attribute values are
- removed.
-
-
-
- Please note that all actions are run as separate LDAP commands.
- You cannot add an object class and a required attribute at the same
- time.
-
-
-
-
-
-
-
-
-
- Dry run
-
- You should always start with a dry run. It will not do any changes
- to your LDAP directory but print out all modifications that will be
- done. You will also be able to download the changes in LDIF format to
- use with ldapmodify. This is useful if you want to adjust some actions
- manually.
-
-
-
-
-
-
-
-
-
- Apply changes
-
- This will run the actions against your LDAP directory. You will
- see which accounts are edited in the progress area and also if any
- errors occured.
-
-
-
-
-
-
-
-
-
-
-
- OU editor
-
- This is a simple editor to add/delete organisational units in your
- LDAP tree. This way you can structure the accounts.
-
-
-
-
-
-
-
-
-
-
-
- PDF editor
-
- All accounts in LAM may be exported as PDF files. You can specify
- the page structure and displayed information by editing the PDF
- profiles.
-
-
-
-
-
-
-
-
-
- When you export accounts to PDF then each account will get its own
- page inside the PDF. There is a headline on each page where you can show
- a page title. You may also add a logo to each page. To add more logos
- please use the logo management on the PDF editor main page.
-
-
-
-
-
-
-
-
-
- The main part is structured into sections of information. Each
- section has a title. This can either be static text or the value of an
- attribute. You may also insert a static text block as section. Sections
- can be moved by using the arrows next to the section title.
-
- Each section can contain multiple fields which usually represent
- LDAP attributes. You can simply add new fields by selecting the field
- name and its position. Then use the arrows to move the field inside the
- section.
-
-
-
-
- Import/export:
-
- PDF structures can be exported to and imported from other server
- profiles.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- There is a special export target called "*Global templates". All
- PDF structures exported here will be copied to all other server profiles
- (incl. new ones). But existing PDF structures with the same name are not
- overwritten. So a PDF structure in global templates is treated as
- default structure for all server profiles.
-
- Use this if you would like to setup default PDF structures that
- are valid for all server profiles.
-
-
-
-
-
-
-
-
-
- Logo management:
-
- You can upload image files to put a custom logo on the PDF files.
- The image file name must end with .png or .jpg and the size must not
- exceed 2000x300px.
-
-
-
-
-
-
-
-
-
-
-
- Schema browser
-
- Here you browse the schema of your LDAP server. You can view what
- object classes, attributes, syntaxes and matching rules are available.
- This is useful if you need to check if a certain object class is
- available.
-
-
-
-
-
-
-
-
-
-
-
- Server information
-
- This shows information and statistics about your LDAP server. This
- includes the suffixes, used overlays, connection data and operation
- statistics. You will need "cn=monitor" setup to see all details. Some
- data may not be available depending on your LDAP server software.
-
- Please see the following links how to setup "cn=monitor":
-
-
-
- OpenLDAP
-
-
-
- 389
- server
-
-
-
-
-
-
-
-
-
-
-
-
-
- Tests
-
- This allows you to check if your LDAP schema is compatible with
- LAM and to find possible problems.
-
-
- Lamdaemon test
-
- LAM provides an external script to manage home directories and
- quotas. You can test here if everything is setup correctly.
-
- If you get an error like "no tty present and no askpass program
- specified" then the path to the lamdaemon.pl may be wrong. Please see
- the lamdaemon installation
- instructions for setup details.
-
-
-
-
-
-
-
-
-
-
-
- Schema test
-
- This will test if your LDAP schema supports all object classes
- and attributes of the active LAM modules. If you get a message that
- something is missing please check that you installed all required schemas.
-
- If you get error messages about object class violations then
- this test can tell you what is missing.
-
-
-
-
-
-
-
-
-
-
-
-
-
- Access levels and password reset page (LAM Pro)
-
- You can define different access levels for each profile to allow or
- disallow write access. The password reset page helps your deskside support
- staff to reset user passwords.
-
-
- Access levels
-
- There are three access levels:
-
-
-
- Write access (default)
-
- There are no restrictions. LAM admin users can manage account,
- create profiles and set passwords.
-
-
-
- Change passwords
-
- Similar to "Read only" except that the password reset page is available.
-
-
-
- Read only
-
- No write access to the LDAP database is allowed. It is also
- impossible to manage account and PDF profiles.
-
- Accounts may be viewed but no changes can be saved.
-
-
-
- The access level can be set on the server configuration
- page:
-
-
-
-
-
-
-
-
-
-
-
- Password reset page
-
- This special page allows your deskside support staff to reset the
- Unix and Samba passwords of your users. Account may also be (un)locked
- If you set the access level to
- "Change passwords" then LAM will not allow any changes to the LDAP
- database except password changes via this page. The account pages will
- be still available in read-only mode.
-
- You can open the password reset page by clicking on the key symbol
- on each user account:
-
-
-
-
-
-
-
- There are three different options to set a new password.
- You can further restrict these options in server profile
- settings.
-
-
-
- set random password and display it on
- screen
-
- This will set the user's password to a random value. The
- password will be 11 characters long with a random combination of
- letters, digits and ".-_".
-
- You may want to use this method to tell users their new
- passwords via phone.
-
-
-
- set random password and mail it to
- user
-
- If the user account has set the mail attribute then LAM can
- send your user a mail with the new password. You can change the mail
- template to fit your needs. Please configure your LAM server profile
- to setup the sender address, subject and mail body. Please see email format option in case of broken
- mails. See here for setting up your
- SMTP server.
-
- Using this method will prevent that your support staff knows
- the new password.
-
-
-
- set specific password
-
- Here you can specify your own password.
-
-
-
-
-
-
-
-
-
-
-
- LAM will display contact information about the user like the
- user's name, email address and telephone number. This will help your
- deskside support to easily contact your users.
-
- Options:
-
- Depending on the account there may be additional options
- available.
-
-
-
- Sync Samba NT/LM password with Unix
- password: If a user account has Samba passwords set then
- LAM will offer to synchronize the passwords.
-
-
-
- Unlock Samba account: Locked
- Samba accounts can be unlocked with the password change.
-
-
-
- Update Samba password
- timestamps: This will set the timestamps when the
- password was changed (sambaPwdLastSet). Only existing attributes are
- updated. No new attributes are added.
-
-
-
- Sync Kerberos password with Unix
- password: This will also update the Heimdal Kerberos
- password.
-
-
-
- Sync Asterisk (voicemail) password with
- Unix password: Changes also the Asterisk
- passwords.
-
-
-
- Force password change: This
- will force the user to change his password at next login. This
- option supports Shadow, Samba 3 and PPolicy (automatically
- detected).
-
-
-
-
-
-
- Account (un)locking:
-
- Depending if the account includes a Unix/Samba extension and
- PPolicy is activated the page will show options to (un)lock the account.
- E.g. if the account is fully unlocked then there will be no unlocking
- options printed.
-
-
-
-
-
-
-
-
-
-
-
-
- Self service (LAM Pro)
-
-
- Preparations
-
-
- OpenLDAP ACLs
-
- By default only a few administrative users have write access to
- the LDAP database. Before your users may change their settings you
- must allow them to change their LDAP data.
-
- Hint: The ACLs below are not required if you decide to run all
- operations as the LDAP bind user (option "Use for all
- operations").
-
- This can be done by adding ACLs to your slapd.conf or
- slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to
- these:
-
- access to
-
- attrs=userPassword
-
- by self write
-
- by anonymous auth
-
- by * none
-
-
-
-
- access to
-
-
- attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail
-
- by self write
-
- by * read
-
- If you do not want them to change all attributes then reduce the
- list to fit your needs. Some modules may require additional LDAP
- attributes. You can use the tree view to get the technical attribute
- names e.g. by selecting an user account.
-
- Usually, the slapd.conf file is located in /etc/ldap or
- /etc/openldap.
-
-
-
- Other LDAP servers
-
- There exist many LDAP implementations. If you do not use
- OpenLDAP you need to write your own ACLs. Please check the manual of
- your LDAP server for instructions.
-
-
-
-
- Creating a self service profile
-
- A self service profile defines what input fields your users see
- and some other general settings like the login caption.
-
- When you go to the LAM configuration page you will see the self
- service link at the bottom. This will lead you to the self service
- configuration pages
-
-
-
-
-
-
-
-
-
- Now we need to create a new self service profile. Click on the
- link to manage the self service profiles.
-
-
-
-
-
-
-
-
-
- Specify a name for the new profile and enter your master
- configuration password (default is "lam") to save the profile.
-
-
-
-
-
-
-
-
-
- Now go back to the profile login and enter your master
- configuration password to edit your new profile.
-
-
-
- Edit your new profile
-
-
- General settings
-
- On top of the page you see the link to the user login page. Copy
- this link address and give it to your users.
-
- Below the link you can specify several options.
-
-
-
-
-
-
-
-
-
-
- General options
-
-
-
-
- Server address
-
- The address of your LDAP server. For LDAP+SSL use
- "ldaps://myserver"
-
-
-
- Activate TLS
-
- Activates TLS encryption. Please note that this cannot
- be combined with LDAP+SSL ("ldaps://").
-
-
-
- LDAP suffix
-
- The part of the LDAP tree where LAM should search for
- users
-
-
-
- LDAP search attribute
-
- Here you can specify if your users can login with user
- name + password, email + password or other attributes.
-
-
-
- Follow referrals
-
- By default LAM will not follow LDAP referrals. This is
- ok for most installations. If you use LDAP referrals please
- activate the referral option in advanced settings.
-
-
-
- LDAP user + password
-
- The DN and password which is used to search for users
- in the LDAP database. It is sufficient if this DN has only
- read rights. If you leave these fields empty LAM will try to
- connect anonymously.
-
-
-
- Use for all operations
-
- By default LAM will use the credentials of the user
- that logged in to self service for read/modify operations. If
- you select this box then the connection user specified before
- will be used instead. Please note that this can be a security
- risk because the user requires write access to all users. You
- need to make sure that your LAM server is well
- protected.
-
-
-
- Additional LDAP filter
-
- Use this to enter an additional LDAP filter (e.g.
- "(objectClass=passwordSelfReset)") to reduce the number of
- accounts who may use self service.
-
-
-
- HTTP authentication
-
- You can enable HTTP authentication for your users. This
- way the web server is responsible to authenticate your users.
- LAM will use the given user name + password for the LDAP
- login. To setup HTTP authentication in Apache please see this
- link.
-
-
-
- Login attribute label
-
- This is the description for the LDAP search attribute.
- Set it to something which your users are familiar
- with.
-
-
-
- Password field label
-
- This text is placed as label for the password field on
- the login page. LAM will use "Password" if you do not enter
- any text.
-
-
-
- Login caption
-
- This text is displayed at the login page. You can input
- HTML, too.
-
-
-
- Main page caption
-
- This text is displayed at self service main page where
- your users change their data. You can input HTML, too.
-
-
-
- Page header
-
- This HTML code will be placed on top of all self
- service pages. E.g. you can use this to place your custom
- logo. Any HTML code is permitted.
-
-
-
- Additional CSS links
-
- Here you can specify additional CSS links to change the
- layout of the self service pages. This is useful to adapt them
- to your corporate design. Please enter one link per
- line.
-
-
-
-
-
-
-
-
- 2-factor authentication
-
- LAM supports 2-factor authentication for your users. This
- means the user will not only authenticate by user+password but also
- with e.g. a token generated by a mobile device. This adds more
- security because the token is generated on a physically separated
- device (typically mobile phone).
-
- The token is validated by a second application. LAM currently
- supports:
-
-
-
- privacyIdea
-
-
-
- By default LAM will enforce to use a token and reject users
- that did not setup one. You can set this check to optional. But if a
- user has setup a token then this will always be required.
-
-
-
-
-
-
-
-
-
- After logging in with user + password LAM will ask for the 2nd
- factor. If the user has setup multiple factors then he can choose
- one of them.
-
-
-
-
-
-
-
-
-
-
-
-
- Page layout
-
- Here you can specify what input fields your users can see. It is
- also possible to group several input fields.
-
- Please use the arrow signs to change the order of the
- fields/groups.
-
- You may also set some fields as read-only for your users. This
- can be done by clicking on the lock symbol. Read-only fields can be
- used to show your users additional data on the self service page that
- must not be changed by themselves (e.g. first/last name).
-
- Sometimes, you may want to set a custom label for an input
- field. Click on the edit icon to set your own label text (Personal:
- Department is relabeled as "Business unit" here).
-
-
-
-
-
-
-
-
-
- Possible input fields
-
- This is a list of input fields you may add to the self service
- page.
-
-
- Self service fields
-
-
-
-
- Account
- type
-
- Option
-
- Description
-
-
-
-
-
-
-
- Asterisk (voicemail)
-
- Sync Asterisk password with Unix password
-
- This is a hidden field. It will update the Asterisk
- password each time the Unix password is changed.
-
-
-
-
-
-
-
- Kerberos
-
- Sync Kerberos password with Unix password
-
- This is a hidden field. It will update the Kerberos
- password each time the Unix password is changed.
-
-
-
-
-
-
-
- Kolab
-
- Delegates
-
- Allows to manage delegate permissions
-
-
-
- Invitation policy
-
- Invitation policy management
-
-
-
-
-
-
-
- Password policy
-
- Last password change
-
- read-only
-
-
-
-
-
-
-
- Password self reset
-
- Question
-
- Security question selection
-
-
-
- Answer
-
- Security answer
-
-
-
- Backup email
-
- (External) backup email address that has no relation to
- user password.
-
-
-
-
-
-
-
- Personal
-
- Business category
-
-
-
-
-
- Car license
-
-
-
-
-
- Department
-
-
-
-
-
- Description
-
-
-
-
-
- Email address
-
-
-
-
-
- Fax number
-
-
-
-
-
- First name
-
-
-
-
-
- Home telephone number
-
-
-
-
-
- Initials
-
-
-
-
-
- Job title
-
-
-
-
-
- Last name
-
-
-
-
-
- Location
-
-
-
-
-
- Mobile number
-
-
-
-
-
- Office name
-
-
-
-
-
- Organisational unit
-
-
-
-
-
- Photo
-
- Shows the user photo if set. The user may also remove
- the photo or upload a new one.
-
-
-
- Postal address
-
-
-
-
-
- Postal code
-
-
-
-
-
- Post office box
-
-
-
-
-
- Registered address
-
-
-
-
-
- Room number
-
-
-
-
-
- State
-
-
-
-
-
- Street
-
-
-
-
-
- Telephone number
-
-
-
-
-
- User certificates
-
- Upload of user certificates in PEM or DER
- format
-
-
-
- User name
-
-
-
-
-
- Web site
-
-
-
-
-
-
-
-
-
- Samba 3
-
- Password
-
- Input field to set a new NT/LM password. The attribute
- "sambaPwdLastSet" is updated if it existed before.
-
-
-
- Sync Samba LM password with Unix password
-
- This is a hidden field. It will update the Samba LM
- password each time the Unix password is changed.
-
-
-
- Sync Samba NT password with Unix password
-
- This is a hidden field. It will update the Samba NT
- password each time the Unix password is changed.
-
-
-
- Update attribute "sambaPwdLastSet" on password
- change
-
- Updates the password timestamp when password is
- synchronized with Unix.
-
-
-
- Last password change (read-only)
-
- Displays the date and time of the user's last password
- change.
-
-
-
-
-
-
-
- Shadow
-
- Last password change (read-only)
-
- Displays the date and time of the user's last password
- change (Unix).
-
-
-
-
-
-
-
- Windows
-
- Password
-
- Change the user's password
-
-
-
- Location
-
-
-
-
-
- Office name
-
-
-
-
-
- Postal code
-
-
-
-
-
- Post office box
-
-
-
-
-
- State
-
-
-
-
-
- Street
-
-
-
-
-
- Telephone number
-
-
-
-
-
- Web site
-
-
-
-
-
-
-
-
-
- Unix
-
- Common name
-
-
-
-
-
- Login shell
-
-
-
-
-
- Password
-
- This is also the source for several password
- synchronization options.
-
-
-
- Sync Unix password with Windows password
-
- This is a hidden field. It will update the Unix
- password each time the Windows password is changed.
-
-
-
-
-
-
-
- Zarafa
-
- "Send as" privileges
-
- Define user who may send mails as this user
-
-
-
- Email aliases
-
- Email aliases
-
-
-
-
-
-
-
- PyKota
-
- Balance (read-only)
-
- Current balance for printing
-
-
-
- Total paid (read-only)
-
- Total money paid
-
-
-
- Payment history
-
- History of user payments
-
-
-
- Job history
-
- History of printed jobs
-
-
-
-
-
-
-
- Module settings
-
- This allows to configure some module specific options (e.g.
- custom scripts or password hash type).
-
-
-
-
-
-
-
-
-
-
-
- Samba 3
-
- LAM Pro can check the password history and minimum age for Samba
- 3 password changes. In this case please provide the LDAP suffix where
- your Samba 3 domain(s) are stored.
-
- If you leave the field empty then no history and age checks will
- be done.
-
- Password history: depending on your LDAP server you might need
- ascending or descending order. Just switch the setting if the password
- history is not correctly updated.
-
-
-
-
-
-
-
-
-
-
-
- Password self reset
-
- Schema installation
-
- Please install the LDAP schema as described here.
-
- Settings
-
- You can allow your users to reset their passwords themselves.
- This will reduce your administrative costs for cases where users
- forget their passwords.
-
- To enable this feature please activate the checkbox "Enable
- password self reset link".
-
- Hint: Plese note that LAM Pro
- uses security questions by default. Activate confirmation mails and
- then deactivate security questions if you want to use only email
- validation.
-
-
-
-
-
-
-
-
-
- You can now configure the minimum answer length for password
- reset answers. This is checked when you allow you users to specify
- their answers via the self service. Additionally, you can specify the
- text of the password reset link (default: "Forgot password?"). The
- link is displayed below the password field on the self service login
- page.
-
- Next, please enter the DN and password of an LDAP entry that is
- allowed to reset the passwords. This entry needs write access to the
- attributes shadowLastChange, pwdAccountLockedTime and userPassword. It
- also needs read access to uid, mail, passwordSelfResetQuestion and
- passwordSelfResetAnswer. Please note that LAM Pro saves the password
- on your server file system. Therefore, it is required to protect your
- server against unauthorised access.
-
- Please also specify the list of password reset questions that
- the user can choose.
-
- Please note that self service and LAM admin interface are
- separated functionalities. You need to specify the list of possible
- security questions in both self service profile(s) and server
- profile(s).
-
-
-
- You can inform your users via mail about their password change.
- The mail can include the new password by using the special wildcard
- "@@newPassword@@". Additionally, you may want to insert other
- wildcards that are replaced by the corresponding LDAP attributes. E.g.
- "@@uid@@" will be replaced by the user name. Please see email format option in case of broken mails.
- See here for setting up your SMTP
- server.
-
-
-
- LAM Pro can send your users an email with a confirmation link to
- validate their email address. Of course, this should only be used if
- the email account is independent from the user password (e.g. at
- external provider) or you use the backup email address feature. The
- mail body must include the confirmation link by using the special
- wildcard "@@resetLink@@". Additionally, you may want to insert other
- wildcards that are replaced by the corresponding LDAP attributes. E.g.
- "@@uid@@" will be replaced by the user name.
-
- There is also an option to skip the security question at all if
- email verification is enabled. In this case the password can be reset
- directly after clicking on the confirmation link. Please handle with
- care since anybody with access to the user's mail account can reset
- the password.
-
- Troubleshooting:
-
- 1. You get messages like "Unable to find user account."
-
- This can have multiple reasons:
-
-
-
- security questions enabled but no security question and/or
- answer set for this user
-
-
-
- user name + email combination does not exist
-
-
-
- no connection to LDAP server
-
-
-
- Turn on logging in LAM's main configuration settings. The exact
- reason is logged on notice level.
-
- 2. You do not see security question and answer fields when
- logged into self service.
-
- Probably, the user does not have the object class
- "passwordSelfReset" set. You can do this in admin interface. If you
- have multiple users to change then use the Multi Edit Tool to add the object
- class.
-
- New fields for self service
- page
-
- There are special fields that you may put on the self service
- page for your users. These fields allow them to change the reset
- questions and its answers. It is also possible to set a backup email
- address to reset passwords with an external email address.
-
-
-
-
-
-
-
-
-
- This is an example how can be presented to your users on the
- self service page:
-
-
-
-
-
-
-
-
-
- Password reset link
-
- After activating the password self reset feature there will be a
- new link on the self service login page. The text can be configured as
- described above (default: "Forgot password?").
-
-
-
-
-
-
-
-
-
- When a user clicks on the link then he will be asked for
- identification with his user name and email address.
-
-
-
-
-
-
-
-
-
- LAM Pro will use this information to find the correct LDAP entry
- of this user. It then displays the user's security questions and input
- fields for his new password. If the answer is correct then the new
- password will be set. Additionally, pwdAccountLockedTime will be
- removed and shadowLastChange updated to the current time if
- existing.
-
-
-
-
-
-
-
-
-
-
-
- User self registration
-
- With LAM Pro your users can create their own accounts if you
- like. LAM Pro will display an additional link on the self service
- login page that allows you users to create a new account including
- email validation (see here for
- setting up your SMTP server).
-
- You enable this feature in your self service profile. Just
- activate the checkbox "Enable self registration link".
-
-
-
-
-
-
-
-
-
- Options:
-
- Link text: This is the label for the link
- to the self registration. If empty "Register new account" will be
- used.
-
- Admin DN and password: Please enter the
- LDAP DN and its password that should be used to create new users. This
- DN also needs to be able to do LDAP searches by uid in the self
- service part of your LDAP tree.
-
- Object classes: This is a list of object
- classes that are used to build the new user accounts. Please enter one
- object class in each line. If you use LAM Pro password self reset
- feature then do not forget to add "passwordSelfReset" here.
-
- Attributes: This is a list of additional
- attributes that the user can enter. Please note that user name,
- password and email address are mandatory anyway and need not be
- specified.
-
- Each line represents one LDAP attribute. The settings are
- separated by "::". The first setting specifies the field type. The
- second setting is the LDAP attribute name. Depending on the field type
- you can enter additional options:
-
-
-
-
-
-
-
- Description
-
- Type
-
- Attribute name
-
- First option
-
- Second option
-
- Third option
-
-
-
- An optional input field that is displayed on the
- registration page.
-
- optional
-
- e.g. "givenName"
-
- Label that is displayed on page
-
- optional regular expression for validation (e.g.
- "/^[0-9a-zA-Z]+$/")
-
- validation message if value does not match validation
- expression
-
-
-
- A required input field that is displayed on the
- registration page. Self registration cannot be done if such a
- field is left empty by the user.
-
- required
-
- e.g. "sn"
-
- Label that is displayed on page
-
- optional regular expression for validation (e.g.
- "/^[0-9a-zA-Z]+$/")
-
- validation message if value does not match validation
- expression
-
-
-
- Constant attribute value, not visible for the user. Can
- be used to set some initial values or data that must not be
- edited by the user.
-
- constant
-
- e.g. "homeDirectory"
-
- attribute value, supports wirldcards to insert other
- attribute values (e.g. "@@uid@@")
-
-
-
-
-
-
-
- Auto-numbering for attributes such as uidNumber. Will
- do a search for attribute values in the given range and use
- highest value + 1.
-
- autorange
-
- e.g. uidNumber
-
- LDAP search base, e.g.
- ou=people,dc=company,dc=com
-
- Minimum value, e.g. 1000
-
- Maximum value, e.g. 2000
-
-
-
-
-
- For a syntax description of validation expressions see here. Validation is
- optional, you can leave these options blank.
-
- Example:
-
- optional::givenName::First name::/^[[:alnum:] ]+$/u::Please
- enter a valid first name.
-
- required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a
- valid last name.
-
- constant::homeDirectory::/home/@@uid@@
-
- autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000
-
- If you use the object class "inetOrgPerson" and do not provide
- the "cn" attribute then LAM will set it to the user name value.
-
-
-
-
- Please note that only simple input boxes are supported for
- account registration. The user may log in to self service when his
- account was created to manage all his attributes.
-
-
-
-
- Captcha support
-
- LAM Pro can optionally display a captcha to verify that
- registrations are not from robots. The supported captcha provider is
- Google reCAPTCHA. You will need the site and secret key for your
- domain. They can be retrieved from here: https://www.google.com/recaptcha
-
- Please note that your web server must be able to access
- "https://www.google.com/recaptcha/api/siteverify" to verify the
- captchas. Captchas will be displayed automatically when site+secret
- key are filled.
-
-
-
-
-
-
-
-
-
-
-
-
- User view:
-
- The user can register by clicking on a link on the self service
- login page:
-
-
-
-
-
-
-
-
-
- Here he can insert the data that you specified in the self
- service profile:
-
-
-
-
-
-
-
-
-
- LAM will then send him an email with a validation link that is
- valid for 24 hours. When he clicks on this link then the account will
- be created in the self service user suffix. The DN will look like
- this: uid=<user name>,...
-
- Please see email format option in
- case of broken mails.
-
-
-
- Custom fields (LAM Pro)
-
- This module allows you to manage LDAP attributes that are not
- covered by the other LAM modules (e.g. if you use custom LDAP
- schemas). You can fully define how your input fields look like:
-
-
-
- Label
-
-
-
- LDAP attribute name
-
-
-
- Unique name for field
-
-
-
- Help text
-
-
-
- Read-only display
-
-
-
- Field type: text, password, text area, checkbox, radio
- buttons, select list, file upload
-
-
-
- Validation via regular expression
-
-
-
- Error message if validation fails
-
-
-
- To create custom fields for the Self Service please edit your
- Self Service profile and switch to tab "Module settings". Here you can
- add a new field. Simply fill the fields and press on "Add".
-
- Please note that the field name cannot be changed later. It is
- the unique ID for this field.
-
- After you created your fields please press on "Sync fields with
- page layout". Now you can switch to tab "Page layout" and add your new
- fields like any other standard field.
-
-
-
-
-
-
-
-
-
- Examples for fields and their representation in Self
- Service:
-
- Text field:
-
- Text fields allow to specify a validation
- expression and error message.
-
- You can also enable auto-completion. In this case LAM will
- search all accounts for the given attribute and provide
- auto-completion hints when the user edits this field. This should only
- be used if there is a limited number of different values for this
- attribute.
-
- In case your field is a date value you can show a calendar for
- easy editing.
-
- Example calendar formats:
-
-
-
- dd.mm.yy: 31.12.2016
-
-
-
- yy-mm-dd: 2016-12-31
-
-
-
- d M, y: 31 Dec, 16
-
-
-
- d MM, y: 31 December, 2016
-
-
-
-
-
-
-
-
-
-
-
- Presentation in Self Service:
-
-
-
-
-
-
-
-
-
- Password field:
-
- You can also manage custom password fields. LAM Pro will display
- two fields where the user must enter the same password. You can hash
- the password if needed.
-
-
-
-
-
-
-
-
-
- Presentation in Self Service:
-
-
-
-
-
-
-
-
-
- Text area:
-
- This adds a multi-line field. The options are similar to text
- fields. Additionally, you can set the size with the number of columns
- and rows.
-
- Please note that the validation
- expression should be set to multi-line. This is done by adding
- "m" at the end.
-
-
-
-
-
-
-
-
-
- Presentation in Self Service:
-
-
-
-
-
-
-
-
-
- Checkbox:
-
- Sometimes you may want to allow only yes/no values for your LDAP
- attributes. This can be represented by a checkbox. You can specify the
- values for checked and unchecked. The default value is set if the LDAP
- attribute has no value.
-
-
-
-
-
-
-
-
-
- Presentation in Self Service:
-
-
-
-
-
-
-
-
-
- Radio buttons:
-
- This displays a list of radio buttons where the user can select
- one value.
-
- You can specify a mapping of LDAP attribute values and their
- display (label) on the Self Service page. To add more mapping fields
- please press "Add more mapping fields".
-
-
-
-
-
-
-
-
-
- Presentation in Self Service:
-
-
-
-
-
-
-
-
-
- Select list:
-
- Select lists allow the user to select a value in a large list of
- options. The definition of the possible values and their display is
- similar to radio buttons.
-
- You can also allow multiple values.
-
-
-
-
-
-
-
-
-
- Presentation in Self Service:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Validation expressions:
-
- The validation expressions follow the standard of Perl regular
- expressions. They start and end with a "/". The beginning of a
- line is specified by "^" and the end by "$".
-
- Examples:
-
- /^[a-z0-9]+$/ allows small letters and numbers. The value must
- not be empty ("+").
-
- /^[a-z0-9]+$/i allows small and capital letters ("i" at the end
- means ignore case) and numbers. The value must not be empty
- ("+").
-
- Special characters that must be escaped with "\": "\", ".", "(",
- ")"
-
- E.g. /^[a-z0-9\.]$/i
-
-
-
-
- File upload:
-
- This is used for binary data. You can restrict uploaded data to
- a given file extension and set the maximum file size.
-
-
-
-
-
-
-
-
-
- Presentation:
-
- The uploaded data may also be downloaded via LAM.
-
-
-
-
-
-
-
-
-
-
-
-
- Adapt the self service to your corporate design
-
- LAM Pro allows you to integrate customs CSS style definitions and
- design the header of all self service pages. This way you can integrate
- you own logo and use your company's colors.
-
-
- Custom header
-
- The default LAM Pro header includes a logo and a horizontal
- line. You can enter any HTML code here. It will be included in the
- self services pages after the body tag.
-
-
-
-
-
-
-
-
-
-
-
- CSS files
-
- Usually, companies have regulations about their corporate design
- and use common CSS files. This assures a common appearance of all
- intranet pages (e.g. colors and fonts). To include additional CSS
- files just use the following setting for this task. The additional CSS
- links will be added after LAM Pro's default CSS link. This way you can
- overwrite LAM Pro's style.
-
-
-
-
-
-
-
-
-
-
-
-
-
- LDAP schema files
-
- Here is a list of needed LDAP schema files for the different LAM
- modules. For OpenLDAP we also provide a source where you can get the
- files.
-
-
- LDAP schema files
-
-
-
-
-
-
- Account type
-
- Object class(es)
-
- Schema name
-
- Source
-
- Notes
-
-
-
-
-
-
-
-
-
-
-
- Unix accounts
-
- posixAccount, shadowAccount, hostObject, posixGroup
-
- nis.schema, rfc2307bis.schema, ldapns.schema
- (hostObject)
-
- Part of OpenLDAP installation, part of libpam-ldap
- (ldapns.schema)
-
- The rfc2307bis.schema is only supported by LAM Pro. Use the
- nis.schema if you do not want to upgrade to LAM Pro.
-
-
-
-
-
-
-
-
-
- Address book entries
-
- inetOrgPerson
-
- inetorgperson.schema
-
- Part of OpenLDAP installation
-
-
-
-
-
-
-
-
-
-
-
- Samba 3 accounts
-
- sambaSamAccount, sambaGroupMapping, sambaDomain
-
- samba.schema
-
- Part of Samba tarball (examples/LDAP/samba.schema)
-
-
-
-
-
-
-
-
-
-
-
- Windows AD (Samba 4)
-
- user, group, computer
-
-
-
- Samba 4 built-in
-
-
-
-
-
-
-
-
-
-
-
- Kolab 2/3 users
-
- kolabUser
-
- kolab2/3.schema, rfc2739.schema
-
- Part of Kolab 2/3 installation
-
-
-
-
-
-
-
-
-
-
-
- Asterisk (extension)
-
- AsteriskSIPUser, AsteriskExtension
-
- asterisk.schema
-
- Part of Asterisk installation
-
-
-
-
-
-
-
-
-
-
-
- PyKota users, groups, printers and billing codes
-
- pykotaObject, pykotaAccount, pykotaAccountBalance,
- pykotaGroup, pykotaPrinter, pykotaBilling
-
- pykota.schema
-
- Part of PyKota installation
-
-
-
-
-
-
-
-
-
-
-
- Mail routing
-
- inetLocalMailRecipient
-
- misc.schema
-
- Part of OpenLDAP installation
-
-
-
-
-
-
-
-
-
-
-
- Hosts
-
- hostObject, device
-
- ldapns.schema
-
- Part of libpam-ldap installation
-
- The device object class is only available in LAM
- Pro.
-
-
-
-
-
-
-
-
-
- Authorized services
-
- authorizedServiceObject
-
- ldapns.schema
-
- Part of libpam-ldap installation
-
-
-
-
-
-
-
-
-
-
-
- Mail aliases
-
- nisMailAlias
-
- misc.schema
-
- Part of OpenLDAP installation
-
-
-
-
-
-
-
-
-
-
-
- Qmail user
-
- qmailUser
-
- qmail.schema
-
- Part of qmail_ldap
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- MAC addresses
-
- ieee802device
-
- nis.schema
-
- Part of OpenLDAP installation
-
-
-
-
-
-
-
-
-
-
-
- IP addresses
-
- ipHost
-
- nis.schema
-
- Part of OpenLDAP installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- Puppet
-
- puppetClient
-
- puppet.schema
-
- Puppet
- on GitHub
-
-
-
-
-
-
-
-
-
-
-
- EDU person
-
- eduPerson
-
- eduperson.schema
-
- http://middleware.internet2.edu
-
-
-
-
-
-
-
-
-
-
-
- Simple Accounts
-
- account
-
- cosine.schema
-
- Part of OpenLDAP installation
-
-
-
-
-
-
-
-
-
-
-
- SSH public keys
-
- ldapPublicKey
-
- openssh-lpk.schema
-
- Included in patch from http://code.google.com/p/openssh-lpk/
-
-
-
-
-
-
-
-
-
-
-
- Filesystem quotas
-
- systemQuotas
-
- quota.schema
-
- Linux
- DiskQuota
-
-
-
-
-
-
-
-
-
-
-
- Group of (unique) names
-
- groupOfNames, groupOfUniqueNames, groupOfMembers
-
- core.schema
-
- Part of OpenLDAP installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- Groups
-
- organizationalRole
-
- core.schema
-
- Part of OpenLDAP installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- DHCP
-
- dhcpOptions, dhcpSubnet, dhcpServer
-
- dhcp.schema
-
- docs/schema/dhcp.schema
-
- The LDAP suffix should be set to your dhcpServer
- entry.
-
-
-
-
-
-
-
-
-
- Bind DLZ DNS
-
- dlzZone, dlzHost, dlzSOARecord, dlzNSRecord, dlzARecord,
- dlzMXRecord, dlzCNameRecord, dlzPTRRecord
-
- dlz.schema
-
- part of Bind
- DLZ patch
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- Aliases
-
- alias, uidObject
-
- core.schema
-
- Part of OpenLDAP installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- NIS netgroups
-
- nisNetgroup
-
- nis.schema
-
- Part of OpenLDAP installation
-
-
-
-
-
-
-
-
-
-
-
- NIS objects
-
- nisObject
-
- nis.schema
-
- Part of OpenLDAP installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- Automount objects
-
- automount
-
- autofs.schema, rfc2307bis.schema
-
- Autofs LDAP
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- Oracle databases
-
- orclNetService
-
- oidbase.schema, oidnet.schema, oidrdbms.schema,
- alias.schema
-
- Preinstalled on Oracle directory server, OpenLDAP schemas
- can be downloaded e.g. here
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- Password policies
-
- pwdPolicy, device
-
- ppolicy.schema, core.schema
-
- Part of OpenLDAP installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- FreeRadius users
-
- radiusprofile
-
- openldap.schema
-
- Part of FreeRadius installation
-
-
-
-
-
-
-
-
-
-
-
- Heimdal Kerberos
-
- krb5KDCEntry
-
- hdb.schema
-
- Part of Heimdal Kerberos installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- MIT Kerberos
-
- krbPrincipal, krbPrincipalAux, krbTicketPolicyAux
-
- kerberos.schema
-
- Part of MIT Kerberos installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- Sudo roles
-
- sudoRole
-
- sudo.schema
-
- Part of sudo-ldap installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- Zarafa
-
- zarafa-user, zarafa-group, zarafa-server
-
- zarafa.schema
-
- Part of Zarafa installation
-
- LAM Pro only
-
-
-
-
-
-
-
-
-
- IMAP mailboxes
-
- -
-
- -
-
- -
-
- Does not require any schema.
-
-
-
-
-
-
-
-
-
- LDAP views
-
- nsview, organizationalunit
-
- built-in
-
- Part of LDAP server installation (e.g. 389 server)
-
- LAM Pro only
-
-
-
-
-
-
-
- Security
-
-
- LAM configuration passwords
-
- LAM supports a two level authorization system for its
- configuration. Therefore, there are two types of configuration
- passwords:
-
-
-
- master configuration
- password: needed to change general settings,
- create/delete server profiles and self service profiles
-
-
-
- server profile password: used
- to change the settings of a server profile (e.g. LDAP server and
- account types to manage)
-
-
-
- The master configuration password can be used to reset a server
- profile password. Each server profile has its own profile
- password.
-
- Both password types are stored as hash values in the configuration
- files for enhanced security.
-
-
-
- Use of SSL
-
- The data which is transfered between you and LAM is very
- sensitive. Please always use SSL encrypted connections between LAM and
- your browser to protect yourself against network sniffers.
-
-
-
- LDAP with SSL and TLS
-
- SSL will be used if you use ldaps://servername in your
- configuration profile. TLS can be activated with the "Activate TLS"
- option.
-
- If your LDAP server uses a SSL certificate of a well-know
- certificate authority (CA) then you probably need no changes. If you use
- a custom CA in your company then there are two ways to setup the CA
- certificates.
-
-
- Setup SSL certificates in LAM general settings
-
- This is much easier than system level setup and will only affect
- LAM. There might be some cases where other web applications on the
- same web server are influenced.
-
- See here for details.
-
-
-
- Setup SSL certificates on system level
-
- This will make the CA certificates available also to other
- applications on your system (e.g. other web applications).
-
- You will need to setup ldap.conf to trust your server
- certificate. Some installations use /etc/ldap.conf and some use
- /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
- /etc/ldap/ldap.conf. Specify the server CA certificate with the
- following option:
-
- TLS_CACERT /etc/ldap/ca/myCA/cacert.pem
-
- This needs to be the public part of the signing certificate
- authority. See "man ldap.conf" for additional options.
-
-
-
-
- You may also need to specify the CA certificate in your Apache
- configuration by using the option "LDAPTrustedGlobalCert":
-
- LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem
-
-
-
-
- Selinux
-
- In case your server has selinux installed you might need to extend
- the selinux ruleset. E.g. your webserver might not be allowed to write
- in /var/lib.
-
- Read selinux status
-
- The following command will tell you if selinux is running in
- Enforcing or Permissive mode.
-
- Enforcing: access that does not match rules is denied
-
- Permissive: access that does not match rules is granted but logged
- to audit.log
-
- getenforce
-
- Set selinux to Permissive
- mode
-
- This will just log any access violations. You will need this to
- get a list of missing rights.
-
- setenforce Permissive
-
- Now do any actions inside LAM that you need for your daily work
- (e.g. edit server profiles, manage LDAP entries, ...).
-
- Extend selinux rules
-
- Selinux now has logged any violations to audit.log. You can use
- this now to extend your ruleset and enable enforcing later.
-
- The following example is for httpd. You can also adapt it to e.g.
- nginx.
-
- # build additional selinux rules from audit.log
-grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
-
-
- The httpdlocal.te might look like this:
-
- module httpdlocal 1.0;
-
-require {
- type httpd_t;
- type var_lib_t;
- class file { setattr write };
-}
-
-#============= httpd_t ==============
-
-#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
-#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
-#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
-allow httpd_t var_lib_t:file { setattr write };
-
-
- Now we can compile and install this rule:
-
- # build module
-checkmodule -M -m -o httpdlocal.mod httpdlocal.te
-# package module
-semodule_package -o httpdlocal.pp -m httpdlocal.mod
-# install module
-semodule -i httpdlocal.pp
-
- Now you can switch back to Enforcing mode:
-
- setenforce Enforcing
-
- LAM should now work as expected with active selinux.
-
-
-
- Chrooted servers
-
- If your server is chrooted and you have no access to /dev/random
- or /dev/urandom this can be a security risk. LAM stores your LDAP
- password encrypted in the session. LAM uses rand() to generate the key
- if /dev/random and /dev/urandom are not accessible. Therefore the key
- can be easily guessed. An attaker needs read access to the session file
- (e.g. by another Apache instance) to exploit this.
-
-
-
- Protection of your LDAP password and directory contents
-
- You have to install the MCrypt extension for PHP to enable
- encryption.
-
- Your LDAP password is stored encrypted in the session file. The
- key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
- encrypt the password. All data that was read from LDAP and needs to be
- stored in the session file is also encrypted.
-
-
-
- Apache configuration
-
-
- Sensitive directories
-
- LAM includes several .htaccess files to protect your
- configuration files and temporary data. Apache is often configured to
- not use .htaccess files by default. Therefore, please check your
- Apache configuration and change the override setting to:
-
- AllowOverride All
-
- If you are experienced in configuring Apache then you can also
- copy the security settings from the .htaccess files to your main
- Apache configuration.
-
- If possible, you should not rely on .htaccess files but also
- move the config and sess directory to a place outside of your WWW
- root. You can put a symbolic link in the LAM directory so that LAM
- finds the configuration/session files.
-
- Security sensitive directories:
-
- config: Contains your LAM
- configuration and account profiles
-
-
-
- LAM configuration passwords (SSHA hashed)
-
-
-
- default values for new accounts
-
-
-
- directory must be accessibly by Apache but needs not to be
- accessible by the browser
-
-
-
- sess: PHP session files
-
-
-
- LAM admin password in clear text or MCrypt encrypted
-
-
-
- cached LDAP entries in clear text or MCrypt encrypted
-
-
-
- directory must be accessibly by Apache but needs not to be
- accessible by the browser
-
-
-
- tmp: temporary files
-
-
-
- PDF documents which may also include passwords
-
-
-
- images of your users
-
-
-
- directory contents must be accessible by browser but
- directory itself needs not to be browseable
-
-
-
-
-
- Use LDAP HTTP authentication for LAM
-
- With HTTP authentication Apache will be responsible to ask for
- the user name and password. Both will then be forwarded to LAM which
- will use it to access LDAP. This approach gives you more flexibility
- to restrict the number of users that may access LAM (e.g. by requiring
- group memberships).
-
- First of all you need to load additional Apache modules. These
- are "mod_ldap"
- and "mod_authnz_ldap".
-
- Next you can add a file called "lam_auth_ldap" to
- /etc/apache/conf.d. This simple example restricts access to all URLs
- beginning with "lam" to LDAP authentication.
-
- <location /lam>
- AuthType Basic
- AuthBasicProvider ldap
- AuthName "LAM"
- AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
- Require valid-user
-</location>
-
- You can also require that your users belong to a certain Unix
- group in LDAP:
-
- <location /lam>
- AuthType Basic
- AuthBasicProvider ldap
- AuthName "LAM"
- AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
- Require valid-user
- # force membership of lam-admins
- AuthLDAPGroupAttribute memberUid
- AuthLDAPGroupAttributeIsDN off
- Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
-</location>
-
- Please see the Apache
- documentation for more details.
-
-
-
- Self Service behind proxy in DMZ (LAM Pro)
-
- In some cases you might want to make the self service accessible
- via the internet. Here is an Apache config to forward only the
- required URLs via a proxy server (lamproxy.company.com) in your DMZ to
- the internal LAM server (lam.company.com).
-
-
-
-
-
-
-
- This configuration allows your users to open
- https://lamproxy.company.com which will then proxy the self service on
- the internal server.
-
- <VirtualHost lamproxy.company.com:443>
- ServerName lamproxy.company.com
- ErrorLog /var/log/apache2/lam-proxy-error.log
- CustomLog /var/log/apache2/lam-proxy-access.log combined
- DocumentRoot /var/www/lam-proxy
- <Proxy *>
- Order deny,allow
- Allow from all
- </Proxy>
- SSLProxyEngine on
- SSLEngine on
- SSLCertificateFile /etc/apache2/ssl/apache.pem
- ProxyPreserveHost On
- ProxyRequests off
- loglevel info
-
- # redirect front page to self service login page
- RewriteEngine on
- RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&name=lam
-
- # proxy required URLs
- ProxyPass /tmp https://lam.company.com/lam/tmp
- ProxyPass /sess https://lam.company.com/lam/sess
- ProxyPass /templates/lib https://lam.company.com/lam/templates/lib
- ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService
- ProxyPass /style https://lam.company.com/lam/style
- ProxyPass /graphics https://lam.company.com/lam/graphics
-
- ProxyPassReverse /tmp https://lam.company.com/lam/tmp
- ProxyPassReverse /sess https://lam.company.com/lam/sess
- ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib
- ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService
- ProxyPassReverse /style https://lam.company.com/lam/style
- ProxyPassReverse /graphics https://lam.company.com/lam/graphics
-</VirtualHost>
-
-
-
-
- Nginx configuration
-
- There is no fully automatic setup of Nginx but LAM provides a
- ready-to-use configuration file.
-
-
- RPM based installations
-
- The RPM package has dependencies on Apache. Therefore, Nginx is
- not officially supported with this installation mode. Use tar.bz2 if
- you are unsure.
-
- However, the package also includes an Nginx configuration file.
- Please include it in your server directive like this:
-
- server {
- ...
-
- include /etc/ldap-account-manager/lam.nginx.conf;
-
- ...
-}
-
-
-
- DEB based installations
-
- The LAM installation package ships with an Nginx configuration
- file. Please include it in your server directive like this:
-
- server {
- ...
-
- include /etc/ldap-account-manager/lam.nginx.conf;
-
- ...
-}
-
-
-
- tar.bz2 based installations
-
- Please add the following configuration snippet to your server
- directive.
-
- You will need to change the alias location
- ("/usr/share/ldap-account-manager") and fastcgi_pass
- ("/var/run/php5-fpm.sock") to match your installation.
-
- location /lam {
- index index.html;
- alias /usr/share/ldap-account-manager;
- autoindex off;
-
- location ~ \.php$ {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_index index.php;
- include fastcgi_params;
- }
-
- location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
- deny all;
- return 403;
- }
-
-}
-
-
-
-
-
-
- Typical OpenLDAP settings
-
- Some basic hints to configure the OpenLDAP server:
-
- Size
- limit:
-
- You will get a message like "LDAP sizelimit exceeded, not all
- entries are shown." when you hit the LDAP search limit.
-
- OpenLDAP allows by default 500 return values per search, if you have
- more users/groups/hosts please change this:
-
- slapd.conf:
-
- e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return
- values
-
- slapd.d:
-
- e.g. "olcSizeLimit: 10000" or "olcSizeLimit: -1" for unlimited
- return values in /etc/ldap/slapd.d/cn=config.ldif
-
-
-
-
- Unique
- attributes:
-
- There are cases where you do not want that same attribute values
- exist multiple times in your database. A good example are UID/GID
- numbers.
-
- OpenLDAP provides the attribute
- uniqueness overlay for this task.
-
- Example to force unique UID numbers:
-
- In
- /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif add
- "olcModuleLoad: {3}unique" (replace "3" with the highest existing number
- plus one).
-
- Now in /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif add e.g.
- "olcUniqueURI: ldap:///?uidNumber?sub"
-
-
-
-
- Indices:
-
- Indices will improve the performance when searching for entries in
- the LDAP directory. The following indices are recommended:
-
-
- index objectClass eq
-
- index default sub
-
- index uidNumber eq
-
- index gidNumber eq
-
- index memberUid eq
-
- index cn,sn,uid,displayName pres,sub,eq
-
- # Samba 3.x
-
- index sambaSID eq
-
- index sambaPrimaryGroupSID eq
-
- index sambaDomainName eq
-
-
-
-
- Setup of email (SMTP) server
-
- LAM always uses a local SMTP email server on the machine where LAM
- is installed. Therefore, there is no need to configure any SMTP settings
- inside LAM itself.
-
- The local email server should be configured to forward all emails to
- your company mail server (so-called smarthost). You can use any SMTP
- software that ships with a Sendmail wrapper (e.g. Exim, Postfix, QMail or
- Sendmail itself).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Setup for home directory and quota management
-
- Lamdaemon.pl is used to modify quota and home directories on a
- remote or local host via SSH (even if homedirs are located on
- localhost).
-
- If you want wo use it you have to set up the following things to get
- it to work:
-
-
- Installation
-
- First of all, you need to install lamdaemon.pl on your remote
- server where LAM should manage homedirs and/or quota. This is usually a
- different server than the one where LAM is installed. But there is no
- problem if it is the same.
-
-
-
-
-
-
-
-
-
-
-
- Debian based (e.g. also
- Ubuntu)
-
- Please install the lamdaemon DEB package on your quota/homedir
- server.
-
- RPM based (Fedora, CentOS, Suse,
- ...)
-
- Please install the lamdaemon RPM package on your quota/homedir
- server.
-
- Other
-
- Please copy lib/lamdaemon.pl from the LAM tar.bz2 package to your
- quota/homedir server. The location may be anywhere (e.g. use
- /opt/lamdaemon). Please make the lamdaemon.pl script executable.
-
-
-
- LDAP Account Manager configuration
-
-
-
- Set the remote or local host in the configuration (e.g.
- 127.0.0.1)
-
-
-
- Path to lamdaemon.pl, e.g.
- /srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a Debian or
- RPM package then the script will be located at
- /usr/share/ldap-account-manager/lib/lamdaemon.pl.
-
-
-
- Your LAM admin user must be a valid Unix account. It needs to
- have the object class "posixAccount" and an attribute "uid". This
- account must be accepted by the SSH daemon of your home directory
- server. Do not create a second local account but change your system
- to accept LDAP users. You can use LAM to add the Unix account part
- to your admin user or create a new account. Please do not forget to
- setup LDAP write access (ACLs)
- if you create a new account.
-
-
-
-
-
-
-
-
-
-
-
-
-
- Note that the builtin admin/manager entries do not work for
- lamdaemon. You need to login with a Unix account.
-
-
-
-
-
-
-
-
-
- OpenLDAP ACL location:
-
- The access rights for OpenLDAP are configured in
- /etc/ldap/slapd.conf or
- /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.
-
-
-
- Setup sudo
-
- The perl script has to run as root. Therefore we need a wrapper,
- sudo. Edit /etc/sudoers on host where homedirs or quotas should be used
- and add the following line:
-
- $admin All= NOPASSWD: $path_to_lamdaemon *
-
- $admin is the admin user from
- LAM (must be a valid Unix account) and
- $path_to_lamdaemon is the path to
- lamdaemon.pl.
-
- Example:
-
- myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
- *
-
- You might need to run the sudo command once manually to init sudo.
- The command "sudo -l" will show all possible sudo commands of the
- current user.
-
- Attention: Please do not use the
- options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers.
- Otherwise you might get errors like "you must have a tty to run sudo" or
- "no tty present and no askpass program specified".
-
-
-
- Setup Perl
-
- We need an extra Perl module - Quota. To install it, run:
-
-
- perl -MCPAN -e shell
-
- install Quota
-
-
- If your Perl executable is not located in /usr/bin/perl you will
- have to edit the path in the first line of lamdaemon.pl. If you have
- problems compiling the Perl modules try installing a newer release of
- your GCC compiler and the "make" application.
-
- Several Linux distributions already include a quota package for
- Perl.
-
-
-
- Set up SSH
-
- Your SSH daemon must offer the password authentication method. To
- activate it just use this configuration option in
- /etc/ssh/sshd_config:
-
- PasswordAuthentication yes
-
-
-
- Troubleshooting
-
- If you have problems managing quotas and home directories then
- these points might help:
-
-
-
- There is a test page for lamdaemon: Login to LAM and open
- Tools -> Tests -> Lamdaemon test
-
-
-
- Check /var/log/auth.log or its equivalent on your system. This
- file contains messages about all logins. If the ssh login failed
- then you will find a description about the reason here.
-
-
-
- Set sshd in debug mode. In /etc/ssh/sshd_conf add these
- lines:
-
-
- SyslogFacility AUTH
-
- LogLevel DEBUG3
-
-
- Now check /var/log/syslog for messages from sshd.
-
-
-
- Error message "Your LAM admin user (...)
- must be a valid Unix account to work with lamdaemon!": This
- happens if you use the default LDAP admin/manager user to login to LAM.
- Please see here and setup a Unix
- account.
-
-
-
-
- Setup password self reset schema (LAM Pro)
-
-
- New installation
-
- Please see here if you want to
- upgrade an existing schema version.
-
- Schema installation
-
- Please install the schema that comes with LAM Pro. The schema
- files are located in:
-
-
-
- tar.bz2: docs/schema
-
-
-
- DEB: /usr/share/doc/ldap-account-manager/docs/schema
-
-
-
- RPM:
- /usr/share/doc/ldap-account-manager-{VERSION}/schema
-
-
-
-
-
-
- OpenLDAP with slapd.conf
- configuration
-
- For a configuration with slapd.conf-file copy
- passwordSelfReset.schema to /etc/ldap/schema/ and add this line to
- slapd.conf:
-
- include /etc/ldap/schema/passwordSelfReset.schema
-
-
-
- OpenLDAP with slapd.d
- configuration
-
- For slapd.d configurations you need to upload the schema file
- passwordSelfReset.ldif via ldapadd command:
-
- ldapadd -x -W -H ldap://localhost -D "cn=admin,o=test,c=de" -f
- passwordSelfReset.ldif
-
- Please replace "localhost" with your LDAP server and
- "cn=admin,o=test,c=de" with your LDAP admin user (usually starts with
- cn=admin or cn=manager).
-
-
-
-
- 389 server
-
- Please replace INSTANCE with installation ID, e.g.
- slapd-389ds.
-
- cp passwordSelfReset-389server.ldif /etc/dirsrv/INSTANCE/schema/70pwdreset.ldif
- systemctl restart dirsrv.target
-
-
-
- Samba 4
-
- The schema files are passwordSelfReset-Samba4-attributes.ldif and
- passwordSelfReset-Samba4-objectClass.ldif.
-
- First, you need to edit them and replace "DOMAIN_TOP_DN" with your
- LDAP suffix (e.g. dc=samba4,dc=test).
-
- Then install the attribute and afterwards the object class schema
- file:
-
- ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true
- ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true
-
-
-
- Windows
-
- The schema file is passwordSelfReset-Windows.ldif.
-
- First, you need to edit it and replace "DOMAIN_TOP_DN" with your
- LDAP suffix (e.g. dc=windows,dc=test).
-
- Then install the schema file as administrator on a command
- line:
-
- ldifde -v -i -f passwordSelfReset-Windows.ldif
-
-
-
- This allows to set a security question + answer for each
- account.
-
-
-
- Schema update
-
- The schema files are located in:
-
-
-
- tar.bz2: docs/schema/updates
-
-
-
- DEB:
- /usr/share/doc/ldap-account-manager/docs/schema/updates
-
-
-
- RPM:
- /usr/share/doc/ldap-account-manager-{VERSION}/schema/updates
-
-
-
-
-
-
- Schema versions:
-
-
-
- Initial version (LAM Pro 3.6 - 4.4)
-
-
-
- Added passwordSelfResetBackupMail (LAM Pro 4.5 - 5.5)
-
-
-
- Multiple security questions (LAM Pro 5.6)
-
-
-
-
-
-
- OpenLDAP with slapd.conf
- configuration
-
- Install the schema file like a new install (skip
- modification of slapd.conf file).
-
-
-
-
- OpenLDAP with slapd.d
- configuration
-
- The upgrade requires to stop the LDAP server.
-
- Steps:
-
-
-
- Stop OpenLDAP with e.g. "/etc/init.d/slapd stop"
-
-
-
- Delete the old schema file. It is located in e.g.
- "/etc/ldap/slapd.d/cn=config/cn=schema" and called
- "cn={XX}passwordselfreset.ldif" (XX can be any number)
-
-
-
- Start OpenLDAP with e.g. "/etc/init.d/slapd start"
-
-
-
- Install the schema file like a new install
-
-
-
-
-
-
- Samba 4
-
- Install the these update files by following the install
- instructions in the file. In case you you upgrade with a version
- difference of 2 or more you will need to apply all intermediate update
- scripts.
-
-
-
- samba4_version_1_to_2_attributes.ldif (upgrade from version 1
- only)
-
-
-
- samba4_version_1_to_2_objectClass.ldif (upgrade from version 1
- only)
-
-
-
- samba4_version_2_to_3_attributes.ldif (upgrade from version
- 2)
-
-
-
- samba4_version_2_to_3_objectClass.ldif (upgrade from version
- 2)
-
-
-
- Please note that attributes file needs to be installed
- first.
-
-
-
-
- Windows
-
- Install the file(s) by following the install instructions in the
- file. In case you you upgrade with a version difference of 2 or more you
- will need to apply all intermediate update scripts.
-
-
-
- windows_version_1_to_2.ldif (upgrade from version 1
- only)
-
-
-
- windows_version_2_to_3.ldif (upgrade from version 2)
-
-
-
-
-
-
- Adapt LAM to your corporate design
-
- There are cases where you might want to change LAM's default
- look'n'feel to better integrate it in your company network. Changes can be
- done like this:
-
- Change colors, fonts and other parts with
- custom CSS
-
- You can integrate custom CSS files in LAM. It is recommended to
- write a separate CSS file instead of modifying LAM's default files.
-
- The CSS files are located in
-
- DEB/RPM: /usr/share/ldap-account-manager/style
- tar.bz2: style
-
-
- LAM will automatically integrate all CSS files in alphabetical
- order. E.g. you can create a file called "900_myCompany.css" which will be
- added as last file.
-
- Example:
-
- This will change the background color of all pages to turquoise. See
- 500_layout.css for LAM's default settings.
-
- body {
- background-color: #b6eeff;
-}
-
-
- You can use the same way to change fonts, sizes and more.
-
- E.g. this will reduce the default font size to 80%:
-
- body {
- font-size: 80%;
-}
-
-.ui-button-text-only {
- font-size: 100%;
-}
-
-.ui-button-text-icon-primary {
- font-size: 100%;
-}
-
-
- Custom logo/* image in login box */
-td.loginLogo {
- background-image: url(/logos/mylogo.png);
-}
-
-/* image (24x24) in header line */
-a.lamLogo {
- background-image: url(/logos/mylogo.png);
-}
-
- Other images
-
- All images are located in
-
- DEB/RPM: /usr/share/ldap-account-manager/graphics
- tar.bz2: graphics
-
- Please note that if you replace images then you need to reapply your
- changes every time you upgrade LAM.
-
- Special changes with custom
- JavaScript
-
- In rare cases it might not be sufficient to write custom CSS or
- replace some image files. E.g. you might want to add custom content to all
- pages.
-
- For these cases you can add a custom JavaScript file that contains
- your code.
-
- The JavaScript files are located in
-
- DEB/RPM: /usr/share/ldap-account-manager/templates/lib
- tar.bz2: templates/lib
-
- LAM will automatically integrate all .js files in alphabetical
- order. E.g. you can create a file called "900_myCompany.js" which will be
- added as last file.
-
- Self service
-
- See here for self
- service customisations.
-
-
-
- Clustering LAM
-
- LAM is a web application based on PHP. Therefore, clustering is not
- directly a part of the application.
-
- But here are some hints to run LAM in a clustered
- environment.
-
- Application parts:
-
- LAM can be divided into three parts
-
-
-
- Software
-
-
-
- Configuration files
-
-
-
- Session files and temporary data
-
-
-
- Software:
-
- This is the simplest part. Just install LAM on each cluster node.
- Please note that if you run LAM Pro you will need either one license for
- each active cluster node or a company license.
-
- Configuration files:
-
- These files include the LAM server profiles, account profiles, PDF
- structures, ... Usually, they do not change frequently and can be put on a
- shared file system (e.g. NFS, AFS, ...).
-
- Please link "config" or "/var/lib/ldap-account-manager/config" to a
- directory on your shared file system.
-
- Session data and temporary
- files:
-
- These are critical because the files may change on every page load.
- There are basically two options:
-
-
-
- load balancer with session stickiness: In this case your load
- balancer will forward all requests of a user to the same cluster node.
- In this case you can keep the files locally on your cluster nodes. If
- you already have a load balancer then this is the simplest solution
- and performs best. The disadvantage is that if a node fails then all
- users connected to this node will loose their session and need to
- relogin.
-
-
-
- shared file system: This should only be used if your load
- balancer does not support session stickiness or you use a different
- system to distribute request across the cluster. A shared file system
- will decrease performance for all page loads.
-
-
-
- Session data and temporary files are located in "tmp" + "sess" or
- "/var/lib/ldap-account-manager/tmp" +
- "/var/lib/ldap-account-manager/sess".
-
-
-
- Troubleshooting
-
-
- Reset configuration password
-
- The password for the server profiles can be reset using the master
- configuration password. Open LAM configuration -> Edit server
- profiles ->Manage server profiles for this.
-
- In case you lost your master configuration password you need to
- manually edit the main configuration file (config.cfg) on the file
- system.
-
-
-
- Locate config.cfg: On DEB/RPM installations it is in
- /usr/share/ldap-account-manager/config and for tar.bz2 in config
- folder.
-
-
-
- Locate the "password" entry in the file
-
-
-
- Replace the password hash after "password: " with your new
- clear-text password (e.g. "secret")
-
-
-
- After the change the line should look like this:
-
- password: secret
-
- You can now login using your new password. Set the password once
- again via GUI in main configuration settings. This will then put again a
- hash value in the config.cfg file.
-
-
-
- Functional issues
-
- Size limit
-
- You will get a message like "LDAP sizelimit exceeded, not all
- entries are shown." when you hit the LDAP search limit.
-
-
-
- OpenLDAP: See the OpenLDAP
- settings to fix this.
-
-
-
- 389 server: set nsslapd-sizelimit in cn=config (may also be
- set per user)
-
-
-
- other LDAP servers: please see your server
- documentation
-
-
-
-
-
-
- Invalid syntax errors:
-
- If you get any strange errors like "Invalid syntax" or "Invalid DN
- syntax" please check if your LDAP schema matches LAM's
- requirements.
-
-
-
-
- Schema test:
-
- This can be done by running "Tools" -> "Tests" -> "Schema
- test" inside LAM.
-
- If there are any object classes or attributes missing you will get
- a notice. See LDAP schema files for a
- list of used schemas. You may also want to deactive unused modules in
- your LAM server profile (tab "Modules").
-
-
-
-
-
-
-
-
-
-
-LDAP Logging:
-
- If your schema is correct you can turn on LDAP logging to get more
- detailed error messages from your LDAP server.
-
-
-
-
- OpenLDAP logging:
-
-
-
- slapd.conf: In /etc/ldap/slapd.conf turn logging on with the
- line "loglevel 256".
-
-
-
- slapd.d: In /etc/ldap/slapd.d/cn=config.ldif please change the
- attribute "olcLogLevel" to "Stats". Please add a line "olcLogLevel:
- Stats" if the attribute is missing.
-
-
-
- After changing the configuration please restart OpenLDAP. It
- usually uses /var/log/syslog for log output.
-
-
-
-
- PHP logging
-
- Sometimes it can help to enable PHP logging inside LAM. You can do
- this in the logging area of LAM's
- main configuration. Set the logging option to "all" and check if there
- are any messages printed in your browser window. Please note that not
- every notice message is an error but it may help to find the
- problem.
-
-
-
- Performance issues
-
- LAM is tested to work with 10000 users with acceptable
- performance. If you have a larger directory or slow hardware then here
- are some points to increase performance.
-
-
-
-
- The first step is to check if performance problems are caused by
- the LAM web server or the LDAP server. Please check which machine
- suffers from high system load (CPU/memory consumption).
-
- High network latency may also be a problem. For large
- installations please make sure that LAM web server and LDAP server are
- located in the same building/server room.
-
- If you run LAM on multiple nodes (DNS load balancing/hardware load
- balancer) then also check the clustering
- section.
-
-
- LDAP server
-
- Use indices
-
- Depending on the queries it may help to add some more indices on
- the LDAP server. Depending on your LDAP software it may already
- suggest indices in its log files. See here for typical OpenLDAP indices.
-
-
-
-
- Reduce query results by splitting LDAP
- management into multiple server profiles
-
- If you manage a very large directory then it might already be
- separated into multiple subtrees (e.g. by country, subsidiary, ...).
- Do not use a single LAM server profile to manage your whole directory.
- Use different server profiles for each separated LDAP subtree where
- possible (e.g. one for German users and one for French ones).
-
-
-
-
- Limit query results
-
- LAM allows to set an LDAP search
- limit for each server profile. This will limit the number of
- entries returned by your LDAP server. Use with caution because it can
- cause problems (e.g. with automatic UID generation) when LAM is not
- able to read all entries.
-
-
-
-
-
-
-
-
-
-
-
- LAM web server
-
- Install a PHP
- accelerator
-
- There are tools like APC/OpCache (free)
- or Zend
- Server (commercial) that provide caching of PHP pages to
- improve performance. They will reduce the time for parsing the PHP
- pages and IO load.
-
- This is a simply way to enhance performance since APC/OpCache is
- part of most Linux distributions.
-
- If you use APC then make sure that it uses enough memory (e.g.
- "apc.shm_size=128M"). You can check the memory usage with the file
- apc.php that is shipped with APC.
-
-
-
-
-
-
-
-
-
-
-
-
- OpCache statistics can be shown with opcache-status.
-
-
-
-
-
-
-
-
-
- Disable session
- encryption
-
- LAM encrypts sensitive data in your session files. You can disable it to reduce CPU
- load.
-
-
-
-
-
-
-
-
-
-
-
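Review bot: the sudoers template `$admin All= NOPASSWD: $path_to_lamdaemon *` in the removed "Setup sudo" text uses `All` where sudoers expects the keyword `ALL`; the concrete example right below it, `myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl *`, has it right, so if the rewritten chapter carries the template over it should read `$admin ALL= NOPASSWD: $path_to_lamdaemon *`. Two smaller points to check on the new side of this hunk as well: in the DMZ proxy example, `RewriteEngine on` is paired with `RedirectMatch`, which is a mod_alias directive and does not need mod_rewrite at all, and the `<Proxy *>` block uses the Apache 2.2 access-control form (`Order deny,allow` / `Allow from all`) where Apache 2.4 expects `Require all granted`. Typos in the removed prose that should not survive the rewrite: "transfered", "attaker", "wo use", "you you", "accessibly by Apache", "deactive".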
diff --git a/lam/docs/manual-sources/images/configProfiles11.png b/lam/docs/manual-sources/images/configProfiles11.png
new file mode 100644
index 00000000..64ae4ea8
Binary files /dev/null and b/lam/docs/manual-sources/images/configProfiles11.png differ
diff --git a/lam/docs/manual-sources/images/configProfiles12.png b/lam/docs/manual-sources/images/configProfiles12.png
new file mode 100644
index 00000000..58458a8e
Binary files /dev/null and b/lam/docs/manual-sources/images/configProfiles12.png differ
diff --git a/lam/docs/manual-sources/images/configProfiles13.png b/lam/docs/manual-sources/images/configProfiles13.png
new file mode 100644
index 00000000..f58ec4cf
Binary files /dev/null and b/lam/docs/manual-sources/images/configProfiles13.png differ
diff --git a/lam/docs/manual-sources/images/configProfiles7.png b/lam/docs/manual-sources/images/configProfiles7.png
index e2bfff4f..8ea5c351 100644
Binary files a/lam/docs/manual-sources/images/configProfiles7.png and b/lam/docs/manual-sources/images/configProfiles7.png differ
diff --git a/lam/docs/manual-sources/images/configProfiles8.png b/lam/docs/manual-sources/images/configProfiles8.png
index 099db889..f6d5e3e3 100644
Binary files a/lam/docs/manual-sources/images/configProfiles8.png and b/lam/docs/manual-sources/images/configProfiles8.png differ