diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml index 7a0bede6..43015210 100644 --- a/lam/docs/manual-sources/chapter-configuration.xml +++ b/lam/docs/manual-sources/chapter-configuration.xml 
@@ -1,705 +1,760 @@ - - Configuration + + Configuration - After you installed LAM you - can configure it to fit your needs. The complete configuration can be done - inside the application. There is no need to edit configuration - files. + After you installed LAM you can + configure it to fit your needs. The complete configuration can be done + inside the application. There is no need to edit configuration files. - Please point you browser to the location where you installed LAM. - E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM - via the tar.bz2 then this may vary. You should see the following - page: + Please point you browser to the location where you installed LAM. E.g. + for Debian/RPM this is http://yourServer/lam. If you installed LAM via the + tar.bz2 then this may vary. You should see the following page: - - - - - - - + + + + + + + - If you see an error message then you might need to install an - additional PHP extension. Please follow the instructions and reload the - page afterwards. + If you see an error message then you might need to install an + additional PHP extension. Please follow the instructions and reload the page + afterwards. - Now you are ready to configure LAM. Click on the "LAM configuration" - link to proceed. + Now you are ready to configure LAM. Click on the "LAM configuration" + link to proceed. - - - - - - - + + + + + + + - Here you can change LAM's general settings, setup server profiles - for your LDAP server(s) and configure the self service (LAM Pro). You should start - with the general settings and then setup a server profile. + Here you can change LAM's general settings, setup server profiles for + your LDAP server(s) and configure the self + service (LAM Pro). You should start with the general settings and + then setup a server profile. -
- General settings +
+ General settings - After selecting "Edit general settings" you will need to enter the - master configuration password. - The default password for new installations is "lam". Now you can edit - the general settings. + After selecting "Edit general settings" you will need to enter the + master configuration password. + The default password for new installations is "lam". Now you can edit the + general settings. -
- License (LAM Pro only) +
+ License (LAM Pro only) - This is only required when you run LAM Pro. Please enter the - license key from your customer - profile. In case you have purchased multiple licenses please - only enter one license key block per installation. + This is only required when you run LAM Pro. Please enter the + license key from your customer + profile. In case you have purchased multiple licenses please + only enter one license key block per installation. - When you entered the license key then the license details can be - seen on LAM configuration overview page. + When you entered the license key then the license details can be + seen on LAM configuration overview page. + + + + + + + + +
+ +
+ Security settings + + Here you can set a time period after which inactive sessions are + automatically invalidated. The selected value represents minutes of + inactivity. + + You may also set a list of IP addresses which are allowed to + access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123) + or with the "*" wildcard (e.g. 123.123.123.*). Users which try to access + LAM via an untrusted IP only get blank pages. There is a separate field + for LAM Pro self service. + + Session encryption will encrypt sensitive + data like passwords in your session files. This is only available when + PHP MCrypt is active. This + adds extra security but also costs performance. If you manage a large + directory you might want to disable this and take other actions to + secure your LAM server. + + + + + + + + + + SSL certificate + setup: + + By default, LAM uses the CA certificates that are preinstalled on + your system. This will work if you connect via SSL/TLS to an LDAP server + that uses a certificate signed by a well-known CA. In case you use your + own CA (e.g. company internal CA) you can import the CA certificates + here. + + Please note that this can affect other web applications on the + same server if they require different certificates. There seem to be + problems on Debian systems and you may also need to restart Apache. In + case of any problems please delete the uploaded certificates and use the + system setup. + + You can either upload a DER/PEM formatted certificate file or + import the certificates directly from an LDAP server that is available + with LDAP+SSL (ldaps://). LAM will automatically override system + certificates if at least one certificate is uploaded/imported. + + The whole certificate list can be downloaded in PEM format. You + can also delete single certificates from the list. + + Please note that you might need to restart your webserver if you + do any changes to this configuration. + + + + + + + + +
+ +
+ Password policy + + This allows you to specify a central password policy for LAM. The + policy is valid for all password fields inside LAM admin (excluding tree + view) and LAM self service. Configuration passwords do not need to + follow this policy. + + + + + + + + + + You can set the minimum password length and also the complexity of + the passwords. +
+ +
+ Logging + + LAM can log events (e.g. user logins). You can use system logging + (syslog for Unix, event viewer for Windows) or log to a separate file. + Please note that LAM may log sensitive data (e.g. passwords) at log + level "Debug". Production systems should be set to "Warning" or + "Error". + + The PHP error reporting is only for developers. By default LAM + does not show PHP notice messages in the web pages. You can select to + use the php.ini setting here or printing all errors and notices. + + + + + + + + +
+ +
+ Additional options + + Email format + + Some email servers are not standards compatible. If you receive + mails that look broken you can change the line endings for sent mails + here. Default is to use "\r\n". + + At the moment, this option is only available in LAM Pro as there + is no mail sending in the free version. See here for setting up your SMTP server. + + + + + + + + +
+ +
+ Change master password + + If you would like to change the master configuration password then + enter a new password here. + + + + + + + + +
+
+ +
+ Server profiles + + The server profiles store information about your LDAP server (e.g. + host name) and what kind of accounts (e.g. users and groups) you would + like to manage. There is no limit on the number of server profiles. See + the typical scenarios about + how to structure your server profiles. + +
+ Manage server profiles + + Select "Manage server profiles" to open the profile management + page. + + + + + + + + + + Here you can create, rename and delete server profiles. The passwords of your server profiles can + also be reset. + + You may also specify the default server profile. This is the + server profile which is preselected at the login page. It also specifies + the language of the login and configuration pages. + + Templates for new server + profiles + + You can create a new server profile based on one of the built-in + templates or any existing profile. Of course, the account types and + selected modules can be changed after you created your profile. + + Built-in templates: + + + + addressbook: simple profile for user management with + inetOrgPerson object class + + + + samba3: Samba 3 users, groups, hosts and domains + + + + unix: Unix users and groups (posixAccount/Group) + + + + windows_samba4: Active Directory user, group and host + management + + + + + + + + + + + + All operations on the profile management page require that you + authenticate yourself with the configuration master password. +
+ +
+ Editing a server profile + + Please select you server profile and enter its password to edit a + server profile. + + + + + + + + + + Each server profile contains the following information: + + + + General settings: general + settings about your LDAP server (e.g. host name and security + settings) + + + + Account types: list of + account types (e.g. users and groups) that you would like to manage + and type specific settings (e.g. LDAP suffix) + + + + Modules: list of modules + which define what account aspects (e.g. Unix, Samba, Kolab) you + would like to manage + + + + Module settings: settings + which are specific for the selected account modules on the page + before + + + +
+ General settings + + Here you can specify the LDAP server and some security + settings. - + + + + + + The server address of your LDAP server can be a DNS name or an + IP address. Use ldap:// for unencrypted LDAP connections or TLS + encrypted connections. LDAP+SSL (LDAPS) encrypted connections are + specified with ldaps://. The port value is optional. TLS cannot be + combined with ldaps://. + + Hint: If you use a master/slave setup with referrals then point + LAM to your master server. Due to bugs in the underlying LDAP + libraries pointing to a slave might cause issues on write + operations. + + LAM includes an LDAP browser which allows direct modification of + LDAP entries. If you would like to use it then enter the LDAP suffix + at "Tree suffix". + + The search limit is used to reduce the number of search results + which are returned by your LDAP server. + + The access level specifies if LAM should allow to modify LDAP + entries. This feature is only available in LAM Pro. LAM non-Pro + releases use write access. See this page for details on + the different access levels. + + Advanced options + + Sometimes, you may not want to display the server address on the + login page. In this case you can setup a display name here (e.g. + "Production"). + + By default LAM will not follow LDAP referrals. This is ok for + most installations. If you use LDAP referrals please activate the + referral option in advanced settings. + + Paged results should be activated only if you encounter any + problems regarding size limits on Active Directory. LAM will then + query LDAP to return results in chunks of 999 entries. + + + + + LAM is translated to many different languages. Here you can + select the default language for this server profile. The language + setting may be overriden at the LAM login page. + + Please also set your time zone here. + + + + + + + + + + LAM can manage user home directories and quotas with an external + script. 
You can specify the home directory server and where the script + is located. The default rights for new home directories can be set, + too. + + You can provide a fixed user name. If you leave the field empty + then LAM will use your current account (the account you used to login + to LAM). + + There are two possibilities to connect to your home + directory/quota server: + + + + SSH key (recommended): Please generate a SSH key pair and + provide the location to the private key file. If the key is protected + by a password you can also specify it here. + + + + Password: If you do not set a SSH key then LAM will try to + connect with your current account (the password you used to login + to LAM). + + + + + + + + + + + + LAM Pro users may directly set passwords from + list view. You can configure if it should be possible to set specific + passwords and showing password on screen is allowed. + + + + + + + + + + LAM Pro users can send out changed passwords to their users. + Here you can specify the options for these mails. + + If you select "Allow alternate address" then password mails can + be sent to any address (e.g. a secondary address if the user account + is also bound to the mailbox). + + + + + + + + + + LAM supports two methods for login: + + + + Fixed list + + + + LDAP search + + + + + + + + + + + + The first one is to specify a fixed list of LDAP DNs that are + allowed to login. Please enter one DN per line. + + The second one is to let LAM search for the DN in your + directory. E.g. if a user logs in with the user name "joe" then LAM + will do an LDAP search for this user name. When it finds a matching DN + then it will use this to authenticate the user. The wildcard "%USER%" + will be replaced by "joe" in this example. This way you can provide + login by user name, email address or other LDAP attributes. + + Additionally, you can enable HTTP authentication when using + "LDAP search". This way the web server is responsible to authenticate + your users. 
LAM will use the given user name + password for the LDAP + login. You can also configure this to setup advanced login + restrictions (e.g. require group memberships for login). To setup HTTP + authentication in Apache please see this link + and an example for LDAP authentication here. + + Hint: LDAP search with group + membership check can be done with either HTTP authentication or LDAP overlays + like "memberOf" + or "Dynamic + lists". Dynamic lists allow to insert virtual attributes to + your user entries. These can then be used for the LDAP filter (e.g. + "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))"). + + + + + + + + + + 2-factor authentication + + LAM supports 2-factor authentication for your users. This means + the user will not only authenticate by user+password but also with + e.g. a token generated by a mobile device. This adds more security + because the token is generated on a physically separated device + (typically mobile phone). + + The token is validated by a second application. LAM currently + supports: + + + + privacyIdea + + + + By default LAM will enforce to use a token and reject users that + did not setup one. You can set this check to optional. But if a user + has setup a token then this will always be required. + + + + + + + + + + After logging in with user + password LAM will ask for the 2nd + factor. If the user has setup multiple factors then he can choose one + of them. + + + + + + + + + + Password + + You may also change the password of this server profile. Please + just enter the new password in both password fields. + + + + +
- Security settings + Account types - Here you can set a time period after which inactive sessions are - automatically invalidated. The selected value represents minutes of - inactivity. - - You may also set a list of IP addresses which are allowed to - access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123) - or with the "*" wildcard (e.g. 123.123.123.*). Users which try to - access LAM via an untrusted IP only get blank pages. There is a - separate field for LAM Pro self service. - - Session encryption will encrypt sensitive - data like passwords in your session files. This is only available when - PHP MCrypt is active. This - adds extra security but also costs performance. If you manage a large - directory you might want to disable this and take other actions to - secure your LAM server. + LAM supports to manage various types of LDAP entries (e.g. + users, groups, DHCP entries, ...). On this page you can select which + types of entries you want to manage with LAM. - + - SSL certificate - setup: + The section at the top shows a list of possible types. You can + activate them by simply clicking on the plus sign next to it. - By default, LAM uses the CA certificates that are preinstalled - on your system. This will work if you connect via SSL/TLS to an LDAP - server that uses a certificate signed by a well-known CA. In case you - use your own CA (e.g. company internal CA) you can import the CA - certificates here. + Each account type has the following options: - Please note that this can affect other web applications on the - same server if they require different certificates. There seem to be - problems on Debian systems and you may also need to restart Apache. In - case of any problems please delete the uploaded certificates and use - the system setup. 
+ + + LDAP suffix: the LDAP + suffix where entries of this type should be managed + - You can either upload a DER/PEM formatted certificate file or - import the certificates directly from an LDAP server that is available - with LDAP+SSL (ldaps://). LAM will automatically override system - certificates if at least one certificate is uploaded/imported. + + List attributes: a list of + attributes which are shown in the account lists + - The whole certificate list can be downloaded in PEM format. You - can also delete single certificates from the list. + + Additional LDAP filter: LAM + will automatically detect the right LDAP entries for each account + type. This can be used to further limit the number of visible + entries (e.g. if you want to manage only some specific groups). + You can use "@@LOGIN_DN@@" as wildcard (e.g. + "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the user + who is logged in. + - Please note that you might need to restart your webserver if you - do any changes to this configuration. + + Hidden: This is used to + hide account types that should not be displayed but are required + by other account types. E.g. you can hide the Samba domains + account type and still assign domains when you edit your + users. + + + + Read-only (LAM Pro only): + This allows to set a single account type to read-only mode. Please + note that this is a restriction on functional level (e.g. group + memberships can be changed on user page even if groups are + read-only) and is no replacement for setting up proper ACLs on + your LDAP server. + + + + Custom label: Here you can + set a custom label for the account types. Use this if the standard + label does not fit for you (e.g. enter "Servers" for + hosts). + + + + No new entries (LAM Pro + only): Use this if you want to prevent that new + accounts of this type are created by your users. The GUI will hide + buttons to create new entries and also disable file upload for + this type. 
+ + + + Disallow delete (LAM Pro + only): Use this if you want to prevent that accounts of + this type are deleted by your users. + + - + + + On the next page you can specify in detail what extensions + should be enabled for each account type.
- Password policy + Modules - This allows you to specify a central password policy for LAM. - The policy is valid for all password fields inside LAM admin - (excluding tree view) and LAM self service. Configuration passwords do - not need to follow this policy. + The modules specify the active extensions for each account type. + E.g. here you can setup if your user entries should be address book + entries only or also support Unix or Samba. - + - You can set the minimum password length and also the complexity - of the passwords. -
+ Each account type needs a so called "base module". This is the + basement for all LDAP entries of this type. Usually, it provides the + structural object class for the LDAP entries. There must be exactly + one active base module for each account type. -
- Logging - - LAM can log events (e.g. user logins). You can use system - logging (syslog for Unix, event viewer for Windows) or log to a - separate file. Please note that LAM may log sensitive data (e.g. - passwords) at log level "Debug". Production systems should be set to - "Warning" or "Error". - - The PHP error reporting is only for developers. By default LAM - does not show PHP notice messages in the web pages. You can select to - use the php.ini setting here or printing all errors and - notices. - - - - - - - - + Furthermore, there may be any number of additional active + account modules. E.g. you may select "Personal" as base module and + Unix + Samba as additional modules.
- Additional options + Module settings - Email - format - - Some email servers are not standards compatible. If you receive - mails that look broken you can change the line endings for sent mails - here. Default is to use "\r\n". - - At the moment, this option is only available in LAM Pro as there - is no mail sending in the free version. See here for setting up your SMTP - server. + Depending on the activated account modules there may be + additional configuration options available. They can be found on the + "Module settings" tab. E.g. the Personal account module allows to hide + several input fields and the Unix module requires to specify ranges + for UID numbers. - - - - -
- -
- Change master password - - If you would like to change the master configuration password - then enter a new password here. - - - - - +
-
- Server profiles +
+ Cron jobs (LAM Pro) - The server profiles store information about your LDAP server (e.g. - host name) and what kind of accounts (e.g. users and groups) you would - like to manage. There is no limit on the number of server profiles. See - the typical scenarios about - how to structure your server profiles. + LAM Pro can execute common tasks via cron job. This can be used to + e.g. notify your users before their passwords expire.
- Manage server profiles + LDAP and database configuration - Select "Manage server profiles" to open the profile management - page. + Please add the LDAP bind user and password for all jobs. This + LDAP account will be used to perform all LDAP read and write + operations. + + Next, select the database type where LAM should store job + related data. Supported databases are SQLite and MySQL. + + SQLite + + This is a simple file based database. It needs no special + database server. The database file will be located next to the server + profile in config directory. + + You will need to install the SQLite PDO module for PHP + (pdo_sqlite.so). For Debian this is located in package + php5-sqlite. - + - Here you can create, rename and delete server profiles. The - passwords of your server - profiles can also be reset. + MySQL - You may also specify the default server profile. This is the - server profile which is preselected at the login page. It also - specifies the language of the login and configuration pages. + This will store all job data in an external MySQL + database. - Templates for new server - profiles + You will need to install the MySQL PDO module for PHP + (pdo_mysql.so). For Debian this is located in package + php5-mysql. - You can create a new server profile based on one of the built-in - templates or any existing profile. Of course, the account types and - selected modules can be changed after you created your profile. + Steps to create a MySQL database and user: - Built-in templates: - - - - addressbook: simple profile for user management with - inetOrgPerson object class - - - - samba3: Samba 3 users, groups, hosts and domains - - - - unix: Unix users and groups (posixAccount/Group) - - - - windows_samba4: Active Directory user, group and host - management - - - - - - - - - - - - All operations on the profile management page require that you - authenticate yourself with the configuration master - password. -
- -
- Editing a server profile - - Please select you server profile and enter its password to edit - a server profile. - - - - - - - - - - Each server profile contains the following information: - - - - General settings: general - settings about your LDAP server (e.g. host name and security - settings) - - - - Account types: list of - account types (e.g. users and groups) that you would like to - manage and type specific settings (e.g. LDAP suffix) - - - - Modules: list of modules - which define what account aspects (e.g. Unix, Samba, Kolab) you - would like to manage - - - - Module settings: settings - which are specific for the selected account modules on the page - before - - - -
- General settings - - Here you can specify the LDAP server and some security - settings. - - - - - - - - - - The server address of your LDAP server can be a DNS name or an - IP address. Use ldap:// for unencrypted LDAP connections or TLS - encrypted connections. LDAP+SSL (LDAPS) encrypted connections are - specified with ldaps://. The port value is optional. TLS cannot be - combined with ldaps://. - - Hint: If you use a master/slave setup with referrals then - point LAM to your master server. Due to bugs in the underlying LDAP - libraries pointing to a slave might cause issues on write - operations. - - LAM includes an LDAP browser which allows direct modification - of LDAP entries. If you would like to use it then enter the LDAP - suffix at "Tree suffix". - - The search limit is used to reduce the number of search - results which are returned by your LDAP server. - - The access level specifies if LAM should allow to modify LDAP - entries. This feature is only available in LAM Pro. LAM non-Pro - releases use write access. See this page for details on - the different access levels. - - Advanced options - - Sometimes, you may not want to display the server address on - the login page. In this case you can setup a display name here (e.g. - "Production"). - - By default LAM will not follow LDAP referrals. This is ok for - most installations. If you use LDAP referrals please activate the - referral option in advanced settings. - - Paged results should be activated only if you encounter any - problems regarding size limits on Active Directory. LAM will then - query LDAP to return results in chunks of 999 entries. - - - - - LAM is translated to many different languages. Here you can - select the default language for this server profile. The language - setting may be overriden at the LAM login page. - - Please also set your time zone here. - - - - - - - - - - LAM can manage user home directories and quotas with an - external script. 
You can specify the home directory server and where - the script is located. The default rights for new home directories - can be set, too. - - You can provide a fixed user name. If you leave the field - empty then LAM will use your current account (the account you used - to login to LAM). - - There are two possibilities to connect to your home - directory/quota server: - - - - SSH key (recommended): Please generate a SSH key pair and - provide the location to the private key file. If the key is protected - by a password you can also specify it here. - - - - Password: If you do not set a SSH key then LAM will try to - connect with your current account (the password you used to - login to LAM). - - - - - - - - - - - - LAM Pro users may directly set passwords - from list view. You can configure if it should be possible to set - specific passwords and showing password on screen is allowed. - - - - - - - - - - LAM Pro users can send out changed passwords to their users. - Here you can specify the options for these mails. - - If you select "Allow alternate address" then password mails - can be sent to any address (e.g. a secondary address if the user - account is also bound to the mailbox). - - - - - - - - - - LAM supports two methods for login. - - - - - - - - - - The first one is to specify a fixed list of LDAP DNs that are - allowed to login. Please enter one DN per line. - - The second one is to let LAM search for the DN in your - directory. E.g. if a user logs in with the user name "joe" then LAM - will do an LDAP search for this user name. When it finds a matching - DN then it will use this to authenticate the user. The wildcard - "%USER%" will be replaced by "joe" in this example. This way you can - provide login by user name, email address or other LDAP - attributes. - - Additionally, you can enable HTTP authentication when using - "LDAP search". This way the web server is responsible to - authenticate your users. 
LAM will use the given user name + password - for the LDAP login. You can also configure this to setup advanced - login restrictions (e.g. require group memberships for login). To - setup HTTP authentication in Apache please see this link - and an example for LDAP authentication here. - - Hint: LDAP search with group - membership check can be done with either HTTP authentication or LDAP - overlays like "memberOf" - or "Dynamic - lists". Dynamic lists allow to insert virtual attributes to - your user entries. These can then be used for the LDAP filter (e.g. - "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))"). - - - - - - - - - - You may also change the password of this server profile. - Please just enter the new password in both password fields. -
- -
- Account types - - LAM supports to manage various types of LDAP entries (e.g. - users, groups, DHCP entries, ...). On this page you can select which - types of entries you want to manage with LAM. - - - - - - - - - - The section at the top shows a list of possible types. You can - activate them by simply clicking on the plus sign next to it. - - Each account type has the following options: - - - - LDAP suffix: the LDAP - suffix where entries of this type should be managed - - - - List attributes: a list - of attributes which are shown in the account lists - - - - Additional LDAP filter: - LAM will automatically detect the right LDAP entries for each - account type. This can be used to further limit the number of - visible entries (e.g. if you want to manage only some specific - groups). You can use "@@LOGIN_DN@@" as wildcard (e.g. - "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the - user who is logged in. - - - - Hidden: This is used to - hide account types that should not be displayed but are required - by other account types. E.g. you can hide the Samba domains - account type and still assign domains when you edit your - users. - - - - Read-only (LAM Pro only): - This allows to set a single account type to read-only mode. - Please note that this is a restriction on functional level (e.g. - group memberships can be changed on user page even if groups are - read-only) and is no replacement for setting up proper ACLs on - your LDAP server. - - - - Custom label: Here you - can set a custom label for the account types. Use this if the - standard label does not fit for you (e.g. enter "Servers" for - hosts). - - - - No new entries (LAM Pro - only): Use this if you want to prevent that new - accounts of this type are created by your users. The GUI will - hide buttons to create new entries and also disable file upload - for this type. 
- - - - Disallow delete (LAM Pro - only): Use this if you want to prevent that accounts - of this type are deleted by your users. - - - - - - - - - - - - On the next page you can specify in detail what extensions - should be enabled for each account type. -
- -
- Modules - - The modules specify the active extensions for each account - type. E.g. here you can setup if your user entries should be address - book entries only or also support Unix or Samba. - - - - - - - - - - Each account type needs a so called "base module". This is the - basement for all LDAP entries of this type. Usually, it provides the - structural object class for the LDAP entries. There must be exactly - one active base module for each account type. - - Furthermore, there may be any number of additional active - account modules. E.g. you may select "Personal" as base module and - Unix + Samba as additional modules. -
- -
- Module settings - - Depending on the activated account modules there may be - additional configuration options available. They can be found on the - "Module settings" tab. E.g. the Personal account module allows to - hide several input fields and the Unix module requires to specify - ranges for UID numbers. - - - - - - - - -
-
- -
- Cron jobs (LAM Pro) - - LAM Pro can execute common tasks via cron job. This can be used - to e.g. notify your users before their passwords expire. - -
- LDAP and database configuration - - Please add the LDAP bind user and password for all jobs. This - LDAP account will be used to perform all LDAP read and write - operations. - - Next, select the database type where LAM should store job - related data. Supported databases are SQLite and MySQL. - - SQLite - - This is a simple file based database. It needs no special - database server. The database file will be located next to the - server profile in config directory. - - You will need to install the SQLite PDO module for PHP - (pdo_sqlite.so). For Debian this is located in package - php5-sqlite. - - - - - - - - - - MySQL - - This will store all job data in an external MySQL - database. - - You will need to install the MySQL PDO module for PHP - (pdo_mysql.so). For Debian this is located in package - php5-mysql. - - Steps to create a MySQL database and user: - - # login + # login mysql -u root -p # create a database mysql> create database lam_cron; @@ -711,769 +766,758 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%'; mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost'; - - - - - - - + + + + + + + - + Test your settings - After the LDAP and database settings are done you can test - your settings. + After the LDAP and database settings are done you can test your + settings. - Cron entry + Cron entry - LAM also prints the crontab line that you need to run the - configured jobs on a daily basis. The command must be run as the - same user as your webserver is running. You are free to change the - starting time of the script or run it more often. -
+ LAM also prints the crontab line that you need to run the + configured jobs on a daily basis. The command must be run as the same + user as your webserver is running. You are free to change the starting + time of the script or run it more often. +
+ +
+ Adding jobs + + To add a new job just click on the "Add job" button and select + the job type you need. The list of available jobs depends on your + active account modules. E.g. the PPolicy job will only be available if + you activated PPolicy user module. + + Depending on the job type jobs may be added multiple times with + different configurations. For descriptions about the available job + types see next chapters. + + + + + + + +
- Adding jobs + PPolicy: Notify users about password expiration - To add a new job just click on the "Add job" button and select - the job type you need. The list of available jobs depends on your - active account modules. E.g. the PPolicy job will only be available - if you activated PPolicy user module. + This will send your users an email reminder before their + password expires. - Depending on the job type jobs may be added multiple times - with different configurations. For descriptions about the available - job types see next chapters. + You need to activate the PPolicy module for users to be able + to add this job. The job can be added multiple times (e.g. to send a + second warning at a later time). + + LAM calculates the expiration date based on the last password + change and the assigned password policy (or the default policy) + using attributes pwdMaxAge and pwdExpireWarning. + + Examples: + + Warning time (pwdExpireWarning) = 14 days, notification period + = 10: LAM will send out the email 24 days before the password + expires + + Warning time (pwdExpireWarning) = 14 days, notification period + = 0: LAM will send out the email 14 days before the password + expires + + No warning time (pwdExpireWarning), notification period = 10: + LAM will send out the email 10 days before the password + expires - + -
- PPolicy: Notify users about password expiration + + Options - This will send your users an email reminder before their - password expires. + + + + Option - You need to activate the PPolicy module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). + Description + - LAM calculates the expiration date based on the last - password change and the assigned password policy (or the default - policy) using attributes pwdMaxAge and pwdExpireWarning. + + From address - Examples: + The email address to set as FROM. + - Warning time (pwdExpireWarning) = 14 days, notification - period = 10: LAM will send out the email 24 days before the - password expires + + Reply-to address - Warning time (pwdExpireWarning) = 14 days, notification - period = 0: LAM will send out the email 14 days before the - password expires + Optional Reply-to address for email. + - No warning time (pwdExpireWarning), notification period = - 10: LAM will send out the email 10 days before the password - expires + + CC address - - - - - - - + Optional CC mail address. + -
- Options + + BCC address - - - - Option + Optional BCC mail address. + - Description - + + Subject - - From address + The email subject line. Supports wildcards, see + below. + - The email address to set as FROM. - + + Text - - Reply-to address + The email body text. Supports wildcards, see + below. + - Optional Reply-to address for email. - + + Notification period - - CC address + Number of days to notify before password + expires. + - Optional CC mail address. - + + Default password policy - - BCC address + Default PPolicy password policy entry (object class + "pwdPolicy"). + + + +
- Optional BCC mail address. - + Wildcards: - - Subject + You can enter LDAP attributes as wildcards in the form + @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". + For the common name it would be "@@cn@@". - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - - Default password policy - - Default PPolicy password policy entry (object class - "pwdPolicy"). - - - - - - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- 389ds: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Account Locking module for users to - be able to add this job. The job can be added multiple times (e.g. - to send a second warning at a later time). - - LAM calculates the expiration date based on the attribute - passwordExpirationTime. - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Shadow: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Shadow module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change, the password warning time (attribute - "shadowWarning") and the specified notification period. - - Examples: - - Warning time = 14, notification period = 10: LAM will send - out the email 24 days before the password expires - - Warning time = 14, notification period = 0: LAM will send - out the email 14 days before the password expires - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Shadow: Delete or move expired accounts - - You can automatically delete or move expired accounts. The - job checks Shadow account expiration dates (not password - expiration dates). - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- Windows: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Windows module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change and the domain policy. - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Windows: Delete or move expired accounts - - You can automatically delete or move expired - accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- FreeRadius: Delete or move expired accounts - - You can automatically delete or move expired - accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- Qmail: Delete or move expired accounts - - You can automatically delete or move expired accounts. The - job reads the qmail deletion date of user accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
+ There are also two special wildcards for the expiration date. + @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". + @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. + "2016-12-31".
- Job history + 389ds: Notify users about password expiration - This will show the list of all executed job runs and their - result. + This will send your users an email reminder before their + password expires. + + You need to activate the Account Locking module for users to + be able to add this job. The job can be added multiple times (e.g. + to send a second warning at a later time). + + LAM calculates the expiration date based on the attribute + passwordExpirationTime. - + + + + Options + + + + + Option + + Description + + + + From address + + The email address to set as FROM. + + + + Reply-to address + + Optional Reply-to address for email. + + + + CC address + + Optional CC mail address. + + + + BCC address + + Optional BCC mail address. + + + + Subject + + The email subject line. Supports wildcards, see + below. + + + + Text + + The email body text. Supports wildcards, see + below. + + + + Notification period + + Number of days to notify before password + expires. + + + +
+ + Wildcards: + + You can enter LDAP attributes as wildcards in the form + @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". + For the common name it would be "@@cn@@". + + There are also two special wildcards for the expiration date. + @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". + @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. + "2016-12-31". +
+ +
+ Shadow: Notify users about password expiration + + This will send your users an email reminder before their + password expires. + + You need to activate the Shadow module for users to be able to + add this job. The job can be added multiple times (e.g. to send a + second warning at a later time). + + LAM calculates the expiration date based on the last password + change, the password warning time (attribute "shadowWarning") and + the specified notification period. + + Examples: + + Warning time = 14, notification period = 10: LAM will send out + the email 24 days before the password expires + + Warning time = 14, notification period = 0: LAM will send out + the email 14 days before the password expires + + + + + + + + + + + Options + + + + + Option + + Description + + + + From address + + The email address to set as FROM. + + + + Reply-to address + + Optional Reply-to address for email. + + + + CC address + + Optional CC mail address. + + + + BCC address + + Optional BCC mail address. + + + + Subject + + The email subject line. Supports wildcards, see + below. + + + + Text + + The email body text. Supports wildcards, see + below. + + + + Notification period + + Number of days to notify before password + expires. + + + +
+ + Wildcards: + + You can enter LDAP attributes as wildcards in the form + @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". + For the common name it would be "@@cn@@". + + There are also two special wildcards for the expiration date. + @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". + @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. + "2016-12-31". +
+ +
+ Shadow: Delete or move expired accounts + + You can automatically delete or move expired accounts. The job + checks Shadow account expiration dates (not password expiration + dates). + + + + + + + + + + + Options + + + + + Option + + Description + + + + Delay + + Number of days to wait after the account is + expired. + + + + Action + + Delete or move accounts + + + + Target DN + + Move only: specifies the DN where accounts are + moved + + + +
+
+ +
+ Windows: Notify users about password expiration + + This will send your users an email reminder before their + password expires. + + You need to activate the Windows module for users to be able + to add this job. The job can be added multiple times (e.g. to send a + second warning at a later time). + + LAM calculates the expiration date based on the last password + change and the domain policy. + + + + + + + + + + + Options + + + + + Option + + Description + + + + From address + + The email address to set as FROM. + + + + Reply-to address + + Optional Reply-to address for email. + + + + CC address + + Optional CC mail address. + + + + BCC address + + Optional BCC mail address. + + + + Subject + + The email subject line. Supports wildcards, see + below. + + + + Text + + The email body text. Supports wildcards, see + below. + + + + Notification period + + Number of days to notify before password + expires. + + + +
+ + Wildcards: + + You can enter LDAP attributes as wildcards in the form + @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". + For the common name it would be "@@cn@@". + + There are also two special wildcards for the expiration date. + @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". + @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. + "2016-12-31". +
+ +
+ Windows: Delete or move expired accounts + + You can automatically delete or move expired accounts. + + + + + + + + + + + Options + + + + + Option + + Description + + + + Delay + + Number of days to wait after the account is + expired. + + + + Action + + Delete or move accounts + + + + Target DN + + Move only: specifies the DN where accounts are + moved + + + +
+
+ +
+ FreeRadius: Delete or move expired accounts + + You can automatically delete or move expired accounts. + + + + + + + + + + + Options + + + + + Option + + Description + + + + Delay + + Number of days to wait after the account is + expired. + + + + Action + + Delete or move accounts + + + + Target DN + + Move only: specifies the DN where accounts are + moved + + + +
+
+ +
+ Qmail: Delete or move expired accounts + + You can automatically delete or move expired accounts. The job + reads the qmail deletion date of user accounts. + + + + + + + + + + + Options + + + + + Option + + Description + + + + Delay + + Number of days to wait after the account is + expired. + + + + Action + + Delete or move accounts + + + + Target DN + + Move only: specifies the DN where accounts are + moved + + + +
-
- Typical scenarios +
+ Job history - This is a list of typical scenarios how your LDAP environment - may look like and how to structure the server profiles for it. + This will show the list of all executed job runs and their + result. -
- Simple: One LDAP directory managed by a small group of - admins - - This is the easiest and most common scenario. You want to - manage a single LDAP server and there is only one or a few admins. - In this case just create one server profile and you are done. The - admins may be either specified as a fixed list or by using an LDAP - search at login time. - - - - - - - - -
- -
- Advanced: One LDAP server which is managed by different admin - groups - - Large organisations may have one big LDAP directory for all - user/group accounts. But the users are managed by different groups - of admins (e.g. departments, locations, subsidiaries, ...). The - users are typically divided into organisational units in the LDAP - tree. Admins may only manage the users in their part of the - tree. - - - - - - - - - - In this situation it is recommended to create one server - profile for each admin group (e.g. department). Setup the LDAP - suffixes in the server profiles to point to the needed - organisational units. E.g. use - ou=people,ou=department1,dc=company,dc=com or - ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users. - Do the same for groups, hosts, ... This way each admin group will - only see its own users. You may want to use LDAP search for the LAM - login in this scenario. This will prevent that you need to update a - server profile if the number of admins changes. - - Attention: LAM's feature to - automatically find free UIDs/GIDs for new users/groups will not work - in this case. LAM uses the user/group suffix to search for already - assigned UIDs/GIDs. As an alternative you can specify different - UID/GID ranges for each department. Then the UIDs/GIDs will stay - unique for the whole directory. -
- -
- Multiple LDAP servers - - You can manage as many LDAP servers with LAM as you wish. This - scenario is similar to the advanced scenario above. Just create one - server profile for each LDAP server. - - - - - - - - -
- -
- Single LDAP directory with lots of users (>10 000) - - LAM was tested to work with 10 000 users. If you have a lot - more users then you have basically two options. - - - - Divide your LDAP tree in organisational units: This is - usually the best performing option. Put your accounts in several - organisational units and setup LAM as in the advanced scenario - above. - - - - Increase memory limit: Increase the memory_limit parameter - in your php.ini. This will allow LAM to read more entries. But - this will slow down the response times of LAM. - - -
+ + + + + + +
- + +
+ Typical scenarios + + This is a list of typical scenarios how your LDAP environment may + look like and how to structure the server profiles for it. + +
+ Simple: One LDAP directory managed by a small group of + admins + + This is the easiest and most common scenario. You want to manage + a single LDAP server and there is only one or a few admins. In this + case just create one server profile and you are done. The admins may + be either specified as a fixed list or by using an LDAP search at + login time. + + + + + + + + +
+ +
+ Advanced: One LDAP server which is managed by different admin + groups + + Large organisations may have one big LDAP directory for all + user/group accounts. But the users are managed by different groups of + admins (e.g. departments, locations, subsidiaries, ...). The users are + typically divided into organisational units in the LDAP tree. Admins + may only manage the users in their part of the tree. + + + + + + + + + + In this situation it is recommended to create one server profile + for each admin group (e.g. department). Setup the LDAP suffixes in the + server profiles to point to the needed organisational units. E.g. use + ou=people,ou=department1,dc=company,dc=com or + ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users. + Do the same for groups, hosts, ... This way each admin group will only + see its own users. You may want to use LDAP search for the LAM login + in this scenario. This will prevent that you need to update a server + profile if the number of admins changes. + + Attention: LAM's feature to + automatically find free UIDs/GIDs for new users/groups will not work + in this case. LAM uses the user/group suffix to search for already + assigned UIDs/GIDs. As an alternative you can specify different + UID/GID ranges for each department. Then the UIDs/GIDs will stay + unique for the whole directory. +
+ +
+ Multiple LDAP servers + + You can manage as many LDAP servers with LAM as you wish. This + scenario is similar to the advanced scenario above. Just create one + server profile for each LDAP server. + + + + + + + + +
+ +
+ Single LDAP directory with lots of users (>10 000) + + LAM was tested to work with 10 000 users. If you have a lot more + users then you have basically two options. + + + + Divide your LDAP tree in organisational units: This is + usually the best performing option. Put your accounts in several + organisational units and setup LAM as in the advanced scenario + above. + + + + Increase memory limit: Increase the memory_limit parameter + in your php.ini. This will allow LAM to read more entries. But + this will slow down the response times of LAM. + + +
+
+
+ diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index 5039fdcc..3190212c 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml 
@@ -1,12165 +1,25 @@ - + LDAP Account Manager - Manual + + + + + + + + + + + + + + + + + + - - Overview - - LDAP Account Manager (LAM) manages user, group and host accounts in - an LDAP directory. LAM runs on any webserver with PHP5 support and - connects to your LDAP server unencrypted or via SSL/TLS. - - LAM supports Samba 3/4, Unix, Zarafa, Kolab 2/3, address book - entries, NIS mail aliases, MAC addresses and much more. There is a tree - viewer included to allow access to the raw LDAP attributes. You can use - templates for account creation and use multiple configuration - profiles. - - https://www.ldap-account-manager.org/ - - Copyright (C) 2003 - 2016 Roland Gruber - <post@rolandgruber.de> - - Key features: - - - - managing user/group/host/domain entries - - - - account profiles - - - - account creation via file upload - - - - multiple configuration profiles - - - - LDAP browser - - - - schema browser - - - - OU editor - - - - PDF export for all accounts - - - - manage user/group Quota and create home directories - - - - Requirements: - - - - PHP5 (>= 5.4.0) - - - - Any standard LDAP server (e.g. OpenLDAP, Active Directory, Samba - 4, OpenDJ, 389 Directory Server, Apache DS, ...) - - - - A recent web browser that supports CSS2 and JavaScript, at - minimum: - - - - Firefox (max. 2 years old) - - - - Chrome (max. 2 years old) - - - - Internet Explorer 9 (compatibility - mode turned off) - - - - Opera (max. 2 years old) - - - - - - The default password to edit the configuration options is - "lam". - - License: - - LAM is published under the GNU General Public License. The complete - list of licenses can be found in the copyright file. - - Default password: - - The default password for the LAM configuration is "lam". - - -Have fun! - The LAM development team - - - - Big picture - -
- Overview - - LAM has two major areas: - - - - Admin interface to manage all sorts of different LDAP entries - (e.g. users/groups/hosts) - - - - Self service (LAM Pro) where end users can edit their own - data - - - - - - - - - - - - - - Admin interface - - This is the main part of the application. It allows to manage a - large list of LDAP entries (e.g. users, groups, DNS entries, ...). This - part is accessed by LDAP admins and support staff. - - - - - - - - - - Functional areas: - - - - Account tabs: These tabs allow to switsch between different - account types - - - - Tree view: Provides an LDAP browser to edit LDAP entries on - attribute level - - - - Tools menu: Contains useful tools such as profile and PDF - editor - - - - Help: Link to manual - - - - Logout: Logout of the application - - - - List view: Lists all entries of the selected account type - (e.g. users) - - - - List configuration: Configuration settings for list view (e.g. - number of entries per page) - - - - Filter: Filter boxes allow to enter simple filters like - "a*" - - - - Self Service - - The self service provides a simple interface for your users to - edit their own data (e.g. telephone number). It also supports user self - registration and password reset functionality. - - You can fully customize the layout of the self service - page. - - - - - - - - - - Configuration - - Configuration is done on multiple levels: - - Global - - Effective for all parts of LAM (e.g. logging and password - policy). - - Configured via LAM admin login -> LAM configuration -> Edit general settings. - - Server profile - - All settings for an LDAP connection (e.g. server name, LDAP - suffixes, account types/modules to activate) in admin interface. There - may be multiple for one LDAP server (e.g. for multiple departments, - different user groups, ...). - - Configured via LAM admin login -> LAM configuration -> Edit server profile. - - Self service - - All settings for a self service interface (e.g. 
fields that can be - edited, password reset functionality, ...). - - Configured via LAM admin login -> LAM configuration -> Edit self service. - - Profiles - - Account profiles store - default values for new LDAP entries. - - PDF structures - - PDF structures define the layout - and list of data fields to include in PDF export. -
- -
- Glossary - - Here you can find a list of common terms used in LAM. - - - Glossary - - - - - Term - - Description - - - - - - Account module - - Plugin for a specific account type (e.g. Unix plugin for - user type) - - - - Account type - - Type of an LDAP entry (e.g. user/group/host) - - - - Admin interface - - LAM webpages for admin user (e.g. to create new - users) - - - - Lamdaemon - - Support script to manage user file system quotas and - create home directories - - - - PDF editor - - Manages PDF structures - - - - PDF export - - Exports an entry to PDF by using a PDF structure - - - - PDF structure - - Defines the layout and list of data fields to include in - PDF export - - - - Profile - - Template for creation of LDAP entries, contains default - values - - - - Profile editor - - Manages profiles for all account types - - - - Self Service - - LAM webpages for normal users where they can edit their - own data - - - - Self service profile - - Configuration for self service pages (multiple - configurations can exist) - - - - Tree view - - LDAP browser that allows to modify LDAP entries on - attribute/object class level - - - -
-
- -
- Architecture - - There are basically two groups of users for LAM: - - - - LDAP administrators and support - staff: - - These people administer LDAP entries like user accounts, - groups, ... - - - - Users: - - This includes all people who need to manage their own data - inside the LDAP directory. E.g. these people edit their contact - information with LAM self service (LAM Pro). - - - - - - - - - - - - Therefore, LAM is split into two separate parts, LAM for admins - and for users. LAM for admins allows to manage various types of LDAP - entries (e.g. users, groups, hosts, ...). It also contains tools like - batch upload, account profiles, LDAP schema viewer and an LDAP browser. - LAM for users focuses on end users. It provides a self service for the - users to edit their personal data (e.g. contact information). The LAM - administrator is able to specify what data may be changed by the users. - The design is also adaptable to your corporate design. - - LAM for admins/users is accessible via HTTP(S) by all major web - browsers (Firefox, IE, Opera, ...). - - LAM runtime environment: - - LAM runs on PHP. Therefore, it is independant of CPU architecture - and operating system (OS). You can run LAM on any OS which supports - Apache, Nginx or other PHP compatible web servers. - - Home directory server: - - You can manage user home directories and their quotas inside LAM. - The home directories may reside on the server where LAM is installed or - any remote server. The commands for home directory management are - secured by SSH. LAM will use the user name and password of the logged in - LAM administrator for authentication. - - LDAP directory: - - LAM connects to your LDAP server via standard LDAP protocol. It - also supports encrypted connections with SSL and TLS. -
-
- - - Installation - -
- New installation - -
- Requirements - - LAM has the following requirements to run: - - - - Apache/Nginx webserver (SSL recommended) with PHP module - (PHP 5 (>= 5.2.4) with ldap, gettext, xml, openssl and optional - mcrypt) - - - - Some LAM plugins may require additional PHP extensions (you - will get a note on the login page if something is missing) - - - - Perl (optional, needed only for lamdaemon) - - - - Any standard LDAP server (e.g. OpenLDAP, Active Directory, - Samba 4, OpenDJ, 389 Directory Server, Apache DS, ...) - - - - A recent web browser that supports CSS2 and JavaScript, at - minimum: - - - - Firefox (max. 2 years old) - - - - Internet Explorer 9 (compatibility mode turned - off) - - - - Opera (max. 2 years old) - - - - Chrome (max. 2 years old) - - - - - - MCrypt will be used to store your LDAP password encrypted in the - session file. - - Please note that LAM does not ship with a selinux policy. Please - disable selinux or create your own - policy. - - See LDAP schema fles for - information about used LDAP schema files. -
- -
- Prepackaged releases - - LAM is available as prepackaged version for various - platforms. - -
- Debian - - - - - - - - - - - - LAM is part of the official Debian repository. New - releases are uploaded to unstable and will be available - automatically in testing and the stable releases. You can - run apt-get - install ldap-account-managerto install LAM - on your server. Additionally, you may download the latest - LAM Debian packages from the LAM - homepage or the Debian - package homepage.Installation of the latest packages on - Debian - - Install the LAM package - - dpkg -i ldap-account-manager_*.deb - - If you get any messages about missing - dependencies run now: apt-get -f install - - - - Install the lamdaemon package (optional) - - dpkg -i - ldap-account-manager-lamdaemon_*.deb - - - - - - -
- -
- Suse/Fedora/CentOS - - - - - - - - - - - - - - - - There are RPM packages available on the LAM - homepage. The packages can be installed with these - commands:rpm -e - ldap-account-manager - ldap-account-manager-lamdaemon (if an older - version is installed)rpm - -i <path to LAM - package> -Note: The RPM packages - for Fedora/CentOS do not contain a dependency to PHP due to - the various package names for it. Please make sure that you - install Apache/Nginx with PHP. - - - - -
- -
- Other RPM based distributions - - The RPM packages for Suse/Fedora are very generic and should - be installable on other RPM-based distributions, too. The Fedora - packages use apache:apache as file owner and the Suse ones use - wwwrun:www. -
- -
- FreeBSD - - - - - - - - - - - - LAM is part of the official FreeBSD ports tree. For - more details see these pages:FreeBSD-SVN: http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/FreshPorts: - http://www.freshports.org/sysutils/ldap-account-manager - - - - -
-
- -
- Installing the tar.bz2 - -
- Extract the archive - - Please extract the archive with the following command: - - tar xjf ldap-account-manager-<version>.tar.bz2 -
- -
- Install the files - -
- Manual copy - - Copy the files into the html-file scope of the web server. - For example /apache/htdocs or /var/www/html. - - Then set the appropriate file permissions inside the LAM - directory: - - - - sess: write permission for apache/nginx user - - - - tmp: write permission for apache/nginx user - - - - tmp/internal: write permission for apache/nginx - user - - - - config (with subdirectories): write permission for - apache/nginx user - - - - lib/lamdaemon.pl: set executable - - -
- -
- With configure script - - Instead of manually copying files you can also use the - included configure script to install LAM. Just run these commands - in the extracted directory: - - - - ./configure - - - - make install - - - - Options for "./configure": - - - - --with-httpd-user=USER USER is the name of your - Apache/Nginx user account (default httpd) - - - - --with-httpd-group=GROUP GROUP is the name of your - Apache/Nginx group (default httpd) - - - - --with-web-root=DIRECTORY DIRECTORY is the name where - LAM should be installed (default /usr/local/lam) - - -
-
- -
- Configuration files - - Copy config/config.cfg.sample to config/config.cfg. Open the - index.html in your web browser: - - - - Follow the link "LAM configuration" from the start page to - configure LAM. - - - - Select "Edit general settings" to setup global settings - and to change the master - configuration password (default is "lam"). - - - - Select "Edit server profiles" to setup a server - profile. - - -
- -
- Webserver configuration - - Please see the Apache or Nginx chapter. -
-
- -
- System configuration - -
- PHP - - LAM runs with PHP5 (>= 5.2.4). Needed changes in your - php.ini: - - memory_limit = 64M - - For large installations (>10000 LDAP entries) you may need - to increase the memory limit to 256M. - - If you run PHP with activated Suhosin - extension please check your logs for alerts. E.g. LAM requires that - "suhosin.post.max_name_length" and - "suhosin.request.max_varname_length" are increased (e.g. to - 256). -
- -
- Locales for non-English translation - - If you want to use a translated version of LAM be sure to - install the needed locales. The following table shows the needed - locales for the different languages. - - - Locales - - - - - Language - - Locale - - - - Catalan - - ca_ES.utf8 - - - - Chinese (Simplified) - - zh_CN.utf8 - - - - Chinese (Traditional) - - zh_TW.utf8 - - - - Czech - - cs_CZ.utf8 - - - - Dutch - - nl_NL.utf8 - - - - English - Great Britain - - no extra locale needed - - - - English - USA - - en_US.utf8 - - - - French - - fr_FR.utf8 - - - - German - - de_DE.utf8 - - - - Hungarian - - hu_HU.utf8 - - - - Italian - - it_IT.utf8 - - - - Japanese - - ja_JP.utf8 - - - - Polish - - pl_PL.utf8 - - - - Portuguese - - pt_BR.utf8 - - - - Russian - - ru_RU.utf8 - - - - Slovak - - sk_SK.utf8 - - - - Spanish - - es_ES.utf8 - - - - Turkish - - tr_TR.utf8 - - - - Ukrainian - - uk_UA.utf8 - - - -
- - You can get a list of all installed locales on your system by - executing: - - locale -a - - Debian users can add locales with "dpkg-reconfigure - locales". -
-
-
- -
- Upgrading LAM or migrate from LAM to LAM Pro - - Upgrading from LAM to LAM Pro is like installing a new LAM - version. Simply install the LAM Pro packages/tar.bz2 instead of the LAM - ones. - -
- Upgrade LAM - - Backup configuration - files - - Configuration files need only to be backed up for .tar.bz2 - installations. DEB/RPM installations do not require this step. - - LAM stores all configuration files in the "config" folder. - Please backup the following files and copy them after the new version - is installed. - - - config/*.conf - - config/config.cfg - - config/pdf/*.xml - - config/profiles/* - - - LAM Pro only: - - - config/selfService/*.* - - - Uninstall current LAM (Pro) - version - - If you used the RPM installation packages then remove the - ldap-account-manager and ldap-account-manager-lamdaemon packages by - calling "rpm -e ldap-account-manager - ldap-account-manager-lamdaemon". - - Debian needs no removal of old packages. - - For tar.bz2 please remove the folder where you installed LAM via - configure or by copying the files. - - Install new LAM (Pro) - version - - Please install the new LAM - (Pro) release. Skip the part about setting up LAM configuration - files. - - Restore configuration - files - - RPM: - - Please check if there are any files ending with ".rpmsave" in - /var/lib/ldap-account-manager/config. In this case you need to - manually remove the .rpmsave extension by overwriting the package - file. E.g. rename default.user.rpmsave to default.user. - - DEB: - - Nothing needs to be restored. - - tar.bz2: - - Please restore your configuration files from the backup. Copy - all files from the backup folder to the config folder in your LAM Pro - installation. Do not simply replace the folder because the new LAM - (Pro) release might include additional files in this folder. Overwrite - any existing files with your backup files. - - Final steps - - Now open your webbrowser and point it to the LAM login page. All - your settings should be migrated. - - Please check also the version - specific instructions. They might include additional - actions. -
- -
- Version specific upgrade instructions - -
- 5.5 -> 5.6 - - Mail routing: No longer added by default. Use profile editor - to activate by default for new users/groups. - - Personal/Unix/Windows: no more replacement of e.g. - $user/$group on user upload -
- -
- 5.4 -> 5.5 - - LAM Pro requires a license key. You can find it in your customer - profile. -
- -
- 5.1 -> 5.4 - - No special actions needed. -
- -
- 5.0 -> 5.1 - - Self Service: There were large changes to provide a responsive - design that works for desktop and mobile. If you use custom CSS to - style Self Service then this must be updated. -
- -
- 4.9 -> 5.0 - - Samba 3: If you used logon hours then you need to set the - correct time zone on tab "Generel settings" in server - profile. -
- -
- 4.5 -> 4.9 - - No special actions needed. -
- -
- 4.4 -> 4.5 - - LAM will no longer follow referrals by default. This is ok for - most installations. If you use LDAP referrals please activate - referral following for your server profile (tab General settings - -> Server settings -> Advanced options). - - The self service pages now have an own option for allowed IPs. - If your LAM installation uses IP restrictions please update the LAM - main configuration. - - Password self reset (LAM Pro) allows to set a backup email - address. You need to update the LDAP - schema if you want to use this feature. -
- -
- 4.3 -> 4.4 - - Apache configuration: LAM supports Apache 2.2 and 2.4. This - requires that your Apache server has enabled the "version" module. - For Debian and Fedora this is the default setup. The Suse RPM will - try to enable the version module during installation. - - Kolab: User accounts get the object class "mailrecipient" by - default. You can change this behaviour in the module settings - section of your LAM server profile. - - Windows: sAMAccountName is no longer set by default. Enable it - in server profile if needed. The possible domains for the user name - can also be set in server profile. -
- -
- 4.2.1 -> 4.3 - - LAM is no more shipped as tar.gz package but as tar.bz2 which - allows smaller file sizes. -
- -
- 4.1 -> 4.2/4.2.1 - - Zarafa users: The default attribute for mail aliases is now - "dn". If you use "uid" and did not change the server profile for a - long time please check your LAM server profile for this setting and - save it. -
- -
- 4.0 -> 4.1 - - Unix: The list of valid login - shells is no longer configured in "config/shells" but in the - server/self service profiles (Unix settings). LAM will use the - following shells by default: /bin/bash, /bin/csh, /bin/dash, - /bin/false, /bin/ksh, /bin/sh. - - Please update your server/self service profile if you would - like to change the list of valid login shells. -
- -
- 3.9 -> 4.0 - - The account profiles and PDF structures are now separated by - server profile. This means that if you edit e.g. an account profile - in server profile A then this change will not affect the account - profiles in server profile B. - - LAM will automatically migrate your existing files as soon as - the login page is loaded. - - Special install instructions: - - - - Debian: none, config files will be migrated when opening - LAM's login page - - - - Suse/Fedora RPM: - - - - Run "rpm -e ldap-account-manager - ldap-account-manager-lamdaemon" - - - - You may get warnings like "warning: - /var/lib/ldap-account-manager/config/profiles/default.user - saved as - /var/lib/ldap-account-manager/config/profiles/default.user.rpmsave" - - - - Please rename all files "*.rpmsave" and remove the - file extension ".rpmsave". E.g. "default.user.rpmsave" needs - to be renamed to "default.user". - - - - Install the LAM packages with "rpm -i". E.g. "rpm -i - ldap-account-manager-4.0-0.suse.1.noarch.rpm". - - - - Open LAM's login page in your browser to complete the - migration - - - - - - tar.gz: standard upgrade steps, config files will be - migrated when opening LAM's login page - - -
- -
- 3.7 -> 3.9 - - No changes. -
- -
- 3.6 -> 3.7 - - Asterisk extensions: The extension entries are now grouped by - extension name and account context. LAM will automatically assign - priorities and set same owners for all entries. -
- -
- 3.5.0 -> 3.6 - - Debian users: LAM 3.6 - requires to install FPDF 1.7. You can download the package here. - If you use Debian Stable (Squeeze) please use the package from - Testing (Wheezy). -
- -
- 3.4.0 -> 3.5.0 - - LAM Pro: The global - config/passwordMailTemplate.txt is no longer supported. You can - setup the mail settings now for each LAM server profile which - provides more flexibility. - - Suse/Fedora RPM - installations: LAM is now installed to - /usr/share/ldap-account-manager and - /var/lib/ldap-account-manager. - - Please note that configuration files are not migrated - automatically. Please move the files from /srv/www/htdocs/lam/config - (Suse) or /var/www/html/lam/config (Fedora) to - /var/lib/ldap-account-manager/config. -
- -
- 3.3.0 -> 3.4.0 - - No changes. -
- -
- 3.2.0 -> 3.3.0 - - If you use custom images for the PDF export then these images - need to be 5 times bigger than before (e.g. 250x250px instead of - 50x50px). This allows to use images with higher resolution. -
- -
- 3.1.0 -> 3.2.0 - - No changes. -
- -
- 3.0.0 -> 3.1.0 - - LAM supported to set a list of valid workstations on the - "Personal" page. This required to change the LDAP schema. Since - 3.1.0 this is replaced by the new "Hosts" module for users. - - Lamdaemon: The sudo entry needs to be changed to - ".../lamdaemon.pl *". -
- -
- 2.3.0 -> 3.0.0 - - No changes. -
- -
- 2.2.0 -> 2.3.0 - - LAM Pro: There is now a - separate account type for group of (unique) names. Please edit your - server profiles to activate the new account type. -
- -
- 1.1.0 -> 2.2.0 - - No changes. -
-
-
- -
- Uninstallation of LAM (Pro) - - If you used the prepackaged installation packages then remove the - ldap-account-manager and ldap-account-manager-lamdaemon packages. - - Otherwise, remove the folder where you installed LAM via configure - or by copying the files. -
- -
- Migration to a new server - - To move LAM (Pro) from one server to another please follow these - steps: - - - - Install LAM (Pro) on your new server - - - - Copy the following files from the old server to the new one - (base directory for RPM/DEB is - /usr/share/ldap-account-manager/): - - - - config/*.conf - - - - config/config.cfg - - - - config/pdf/* - - - - config/profiles/* - - - - config/selfService/*.* (needed for LAM Pro only) - - - - The files must be writable for the webserver user. - - - - Open LAM (Pro) login page on new server and verify - installation. - - - - Uninstall LAM (Pro) on old server. - - -
-
- - - Configuration - - After you installed LAM you - can configure it to fit your needs. The complete configuration can be done - inside the application. There is no need to edit configuration - files. - - Please point you browser to the location where you installed LAM. - E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM - via the tar.bz2 then this may vary. You should see the following - page: - - - - - - - - - - If you see an error message then you might need to install an - additional PHP extension. Please follow the instructions and reload the - page afterwards. - - Now you are ready to configure LAM. Click on the "LAM configuration" - link to proceed. - - - - - - - - - - Here you can change LAM's general settings, setup server profiles - for your LDAP server(s) and configure the self service (LAM Pro). You should start - with the general settings and then setup a server profile. - -
- General settings - - After selecting "Edit general settings" you will need to enter the - master configuration password. - The default password for new installations is "lam". Now you can edit - the general settings. - -
- License (LAM Pro only) - - This is only required when you run LAM Pro. Please enter the - license key from your customer - profile. In case you have purchased multiple licenses please - only enter one license key block per installation. - - When you entered the license key then the license details can be - seen on LAM configuration overview page. - - - - - - - - -
- -
- Security settings - - Here you can set a time period after which inactive sessions are - automatically invalidated. The selected value represents minutes of - inactivity. - - You may also set a list of IP addresses which are allowed to - access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123) - or with the "*" wildcard (e.g. 123.123.123.*). Users which try to - access LAM via an untrusted IP only get blank pages. There is a - separate field for LAM Pro self service. - - Session encryption will encrypt sensitive - data like passwords in your session files. This is only available when - PHP MCrypt is active. This - adds extra security but also costs performance. If you manage a large - directory you might want to disable this and take other actions to - secure your LAM server. - - - - - - - - - - SSL certificate - setup: - - By default, LAM uses the CA certificates that are preinstalled - on your system. This will work if you connect via SSL/TLS to an LDAP - server that uses a certificate signed by a well-known CA. In case you - use your own CA (e.g. company internal CA) you can import the CA - certificates here. - - Please note that this can affect other web applications on the - same server if they require different certificates. There seem to be - problems on Debian systems and you may also need to restart Apache. In - case of any problems please delete the uploaded certificates and use - the system setup. - - You can either upload a DER/PEM formatted certificate file or - import the certificates directly from an LDAP server that is available - with LDAP+SSL (ldaps://). LAM will automatically override system - certificates if at least one certificate is uploaded/imported. - - The whole certificate list can be downloaded in PEM format. You - can also delete single certificates from the list. - - Please note that you might need to restart your webserver if you - do any changes to this configuration. - - - - - - - - -
- -
- Password policy - - This allows you to specify a central password policy for LAM. - The policy is valid for all password fields inside LAM admin - (excluding tree view) and LAM self service. Configuration passwords do - not need to follow this policy. - - - - - - - - - - You can set the minimum password length and also the complexity - of the passwords. -
- -
- Logging - - LAM can log events (e.g. user logins). You can use system - logging (syslog for Unix, event viewer for Windows) or log to a - separate file. Please note that LAM may log sensitive data (e.g. - passwords) at log level "Debug". Production systems should be set to - "Warning" or "Error". - - The PHP error reporting is only for developers. By default LAM - does not show PHP notice messages in the web pages. You can select to - use the php.ini setting here or printing all errors and - notices. - - - - - - - - -
- -
- Additional options - - Email - format - - Some email servers are not standards compatible. If you receive - mails that look broken you can change the line endings for sent mails - here. Default is to use "\r\n". - - At the moment, this option is only available in LAM Pro as there - is no mail sending in the free version. See here for setting up your SMTP - server. - - - - - - - - -
- -
- Change master password - - If you would like to change the master configuration password - then enter a new password here. - - - - - - - - -
-
- -
- Server profiles - - The server profiles store information about your LDAP server (e.g. - host name) and what kind of accounts (e.g. users and groups) you would - like to manage. There is no limit on the number of server profiles. See - the typical scenarios about - how to structure your server profiles. - -
- Manage server profiles - - Select "Manage server profiles" to open the profile management - page. - - - - - - - - - - Here you can create, rename and delete server profiles. The - passwords of your server - profiles can also be reset. - - You may also specify the default server profile. This is the - server profile which is preselected at the login page. It also - specifies the language of the login and configuration pages. - - Templates for new server - profiles - - You can create a new server profile based on one of the built-in - templates or any existing profile. Of course, the account types and - selected modules can be changed after you created your profile. - - Built-in templates: - - - - addressbook: simple profile for user management with - inetOrgPerson object class - - - - samba3: Samba 3 users, groups, hosts and domains - - - - unix: Unix users and groups (posixAccount/Group) - - - - windows_samba4: Active Directory user, group and host - management - - - - - - - - - - - - All operations on the profile management page require that you - authenticate yourself with the configuration master - password. -
- -
- Editing a server profile - - Please select you server profile and enter its password to edit - a server profile. - - - - - - - - - - Each server profile contains the following information: - - - - General settings: general - settings about your LDAP server (e.g. host name and security - settings) - - - - Account types: list of - account types (e.g. users and groups) that you would like to - manage and type specific settings (e.g. LDAP suffix) - - - - Modules: list of modules - which define what account aspects (e.g. Unix, Samba, Kolab) you - would like to manage - - - - Module settings: settings - which are specific for the selected account modules on the page - before - - - -
- General settings - - Here you can specify the LDAP server and some security - settings. - - - - - - - - - - The server address of your LDAP server can be a DNS name or an - IP address. Use ldap:// for unencrypted LDAP connections or TLS - encrypted connections. LDAP+SSL (LDAPS) encrypted connections are - specified with ldaps://. The port value is optional. TLS cannot be - combined with ldaps://. - - Hint: If you use a master/slave setup with referrals then - point LAM to your master server. Due to bugs in the underlying LDAP - libraries pointing to a slave might cause issues on write - operations. - - LAM includes an LDAP browser which allows direct modification - of LDAP entries. If you would like to use it then enter the LDAP - suffix at "Tree suffix". - - The search limit is used to reduce the number of search - results which are returned by your LDAP server. - - The access level specifies if LAM should allow to modify LDAP - entries. This feature is only available in LAM Pro. LAM non-Pro - releases use write access. See this page for details on - the different access levels. - - Advanced options - - Sometimes, you may not want to display the server address on - the login page. In this case you can setup a display name here (e.g. - "Production"). - - By default LAM will not follow LDAP referrals. This is ok for - most installations. If you use LDAP referrals please activate the - referral option in advanced settings. - - Paged results should be activated only if you encounter any - problems regarding size limits on Active Directory. LAM will then - query LDAP to return results in chunks of 999 entries. - - - - - LAM is translated to many different languages. Here you can - select the default language for this server profile. The language - setting may be overriden at the LAM login page. - - Please also set your time zone here. - - - - - - - - - - LAM can manage user home directories and quotas with an - external script. 
You can specify the home directory server and where - the script is located. The default rights for new home directories - can be set, too. - - You can provide a fixed user name. If you leave the field - empty then LAM will use your current account (the account you used - to login to LAM). - - There are two possibilities to connect to your home - directory/quota server: - - - - SSH key (recommended): Please generate a SSH key pair and - provide the location to the private key file. If the key is protected - by a password you can also specify it here. - - - - Password: If you do not set a SSH key then LAM will try to - connect with your current account (the password you used to - login to LAM). - - - - - - - - - - - - LAM Pro users may directly set passwords - from list view. You can configure if it should be possible to set - specific passwords and showing password on screen is allowed. - - - - - - - - - - LAM Pro users can send out changed passwords to their users. - Here you can specify the options for these mails. - - If you select "Allow alternate address" then password mails - can be sent to any address (e.g. a secondary address if the user - account is also bound to the mailbox). - - - - - - - - - - LAM supports two methods for login. - - - - - - - - - - The first one is to specify a fixed list of LDAP DNs that are - allowed to login. Please enter one DN per line. - - The second one is to let LAM search for the DN in your - directory. E.g. if a user logs in with the user name "joe" then LAM - will do an LDAP search for this user name. When it finds a matching - DN then it will use this to authenticate the user. The wildcard - "%USER%" will be replaced by "joe" in this example. This way you can - provide login by user name, email address or other LDAP - attributes. - - Additionally, you can enable HTTP authentication when using - "LDAP search". This way the web server is responsible to - authenticate your users. 
LAM will use the given user name + password - for the LDAP login. You can also configure this to setup advanced - login restrictions (e.g. require group memberships for login). To - setup HTTP authentication in Apache please see this link - and an example for LDAP authentication here. - - Hint: LDAP search with group - membership check can be done with either HTTP authentication or LDAP - overlays like "memberOf" - or "Dynamic - lists". Dynamic lists allow to insert virtual attributes to - your user entries. These can then be used for the LDAP filter (e.g. - "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))"). - - - - - - - - - - You may also change the password of this server profile. - Please just enter the new password in both password fields. -
- -
- Account types - - LAM supports to manage various types of LDAP entries (e.g. - users, groups, DHCP entries, ...). On this page you can select which - types of entries you want to manage with LAM. - - - - - - - - - - The section at the top shows a list of possible types. You can - activate them by simply clicking on the plus sign next to it. - - Each account type has the following options: - - - - LDAP suffix: the LDAP - suffix where entries of this type should be managed - - - - List attributes: a list - of attributes which are shown in the account lists - - - - Additional LDAP filter: - LAM will automatically detect the right LDAP entries for each - account type. This can be used to further limit the number of - visible entries (e.g. if you want to manage only some specific - groups). You can use "@@LOGIN_DN@@" as wildcard (e.g. - "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the - user who is logged in. - - - - Hidden: This is used to - hide account types that should not be displayed but are required - by other account types. E.g. you can hide the Samba domains - account type and still assign domains when you edit your - users. - - - - Read-only (LAM Pro only): - This allows to set a single account type to read-only mode. - Please note that this is a restriction on functional level (e.g. - group memberships can be changed on user page even if groups are - read-only) and is no replacement for setting up proper ACLs on - your LDAP server. - - - - Custom label: Here you - can set a custom label for the account types. Use this if the - standard label does not fit for you (e.g. enter "Servers" for - hosts). - - - - No new entries (LAM Pro - only): Use this if you want to prevent that new - accounts of this type are created by your users. The GUI will - hide buttons to create new entries and also disable file upload - for this type. 
- - - - Disallow delete (LAM Pro - only): Use this if you want to prevent that accounts - of this type are deleted by your users. - - - - - - - - - - - - On the next page you can specify in detail what extensions - should be enabled for each account type. -
- -
- Modules - - The modules specify the active extensions for each account - type. E.g. here you can setup if your user entries should be address - book entries only or also support Unix or Samba. - - - - - - - - - - Each account type needs a so called "base module". This is the - basement for all LDAP entries of this type. Usually, it provides the - structural object class for the LDAP entries. There must be exactly - one active base module for each account type. - - Furthermore, there may be any number of additional active - account modules. E.g. you may select "Personal" as base module and - Unix + Samba as additional modules. -
- -
- Module settings - - Depending on the activated account modules there may be - additional configuration options available. They can be found on the - "Module settings" tab. E.g. the Personal account module allows to - hide several input fields and the Unix module requires to specify - ranges for UID numbers. - - - - - - - - -
-
- -
- Cron jobs (LAM Pro) - - LAM Pro can execute common tasks via cron job. This can be used - to e.g. notify your users before their passwords expire. - -
- LDAP and database configuration - - Please add the LDAP bind user and password for all jobs. This - LDAP account will be used to perform all LDAP read and write - operations. - - Next, select the database type where LAM should store job - related data. Supported databases are SQLite and MySQL. - - SQLite - - This is a simple file based database. It needs no special - database server. The database file will be located next to the - server profile in config directory. - - You will need to install the SQLite PDO module for PHP - (pdo_sqlite.so). For Debian this is located in package - php5-sqlite. - - - - - - - - - - MySQL - - This will store all job data in an external MySQL - database. - - You will need to install the MySQL PDO module for PHP - (pdo_mysql.so). For Debian this is located in package - php5-mysql. - - Steps to create a MySQL database and user: - - # login -mysql -u root -p -# create a database -mysql> create database lam_cron; -# -mysql> CREATE USER 'lam_cron'@'%' IDENTIFIED BY 'password'; -mysql> CREATE USER 'lam_cron'@'localhost' IDENTIFIED BY 'password'; -# grant access for new user -mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%'; -mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost'; - - - - - - - - - - - -Test your settings - - After the LDAP and database settings are done you can test - your settings. - - Cron entry - - LAM also prints the crontab line that you need to run the - configured jobs on a daily basis. The command must be run as the - same user as your webserver is running. You are free to change the - starting time of the script or run it more often. -
- -
- Adding jobs - - To add a new job just click on the "Add job" button and select - the job type you need. The list of available jobs depends on your - active account modules. E.g. the PPolicy job will only be available - if you activated PPolicy user module. - - Depending on the job type jobs may be added multiple times - with different configurations. For descriptions about the available - job types see next chapters. - - - - - - - - - -
- PPolicy: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the PPolicy module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change and the assigned password policy (or the default - policy) using attributes pwdMaxAge and pwdExpireWarning. - - Examples: - - Warning time (pwdExpireWarning) = 14 days, notification - period = 10: LAM will send out the email 24 days before the - password expires - - Warning time (pwdExpireWarning) = 14 days, notification - period = 0: LAM will send out the email 14 days before the - password expires - - No warning time (pwdExpireWarning), notification period = - 10: LAM will send out the email 10 days before the password - expires - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - - Default password policy - - Default PPolicy password policy entry (object class - "pwdPolicy"). - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- 389ds: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Account Locking module for users to - be able to add this job. The job can be added multiple times (e.g. - to send a second warning at a later time). - - LAM calculates the expiration date based on the attribute - passwordExpirationTime. - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Shadow: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Shadow module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change, the password warning time (attribute - "shadowWarning") and the specified notification period. - - Examples: - - Warning time = 14, notification period = 10: LAM will send - out the email 24 days before the password expires - - Warning time = 14, notification period = 0: LAM will send - out the email 14 days before the password expires - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Shadow: Delete or move expired accounts - - You can automatically delete or move expired accounts. The - job checks Shadow account expiration dates (not password - expiration dates). - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- Windows: Notify users about password expiration - - This will send your users an email reminder before their - password expires. - - You need to activate the Windows module for users to be able - to add this job. The job can be added multiple times (e.g. to send - a second warning at a later time). - - LAM calculates the expiration date based on the last - password change and the domain policy. - - - - - - - - - - - Options - - - - - Option - - Description - - - - From address - - The email address to set as FROM. - - - - Reply-to address - - Optional Reply-to address for email. - - - - CC address - - Optional CC mail address. - - - - BCC address - - Optional BCC mail address. - - - - Subject - - The email subject line. Supports wildcards, see - below. - - - - Text - - The email body text. Supports wildcards, see - below. - - - - Notification period - - Number of days to notify before password - expires. - - - -
- - Wildcards: - - You can enter LDAP attributes as wildcards in the form - @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use - "@@cn@@". For the common name it would be "@@cn@@". - - There are also two special wildcards for the expiration - date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. - "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. - "2016-12-31". -
- -
- Windows: Delete or move expired accounts - - You can automatically delete or move expired - accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- FreeRadius: Delete or move expired accounts - - You can automatically delete or move expired - accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
- -
- Qmail: Delete or move expired accounts - - You can automatically delete or move expired accounts. The - job reads the qmail deletion date of user accounts. - - - - - - - - - - - Options - - - - - Option - - Description - - - - Delay - - Number of days to wait after the account is - expired. - - - - Action - - Delete or move accounts - - - - Target DN - - Move only: specifies the DN where accounts are - moved - - - -
-
-
- -
- Job history - - This will show the list of all executed job runs and their - result. - - - - - - - - -
-
- -
- Typical scenarios - - This is a list of typical scenarios how your LDAP environment - may look like and how to structure the server profiles for it. - -
- Simple: One LDAP directory managed by a small group of - admins - - This is the easiest and most common scenario. You want to - manage a single LDAP server and there is only one or a few admins. - In this case just create one server profile and you are done. The - admins may be either specified as a fixed list or by using an LDAP - search at login time. - - - - - - - - -
- -
- Advanced: One LDAP server which is managed by different admin - groups - - Large organisations may have one big LDAP directory for all - user/group accounts. But the users are managed by different groups - of admins (e.g. departments, locations, subsidiaries, ...). The - users are typically divided into organisational units in the LDAP - tree. Admins may only manage the users in their part of the - tree. - - - - - - - - - - In this situation it is recommended to create one server - profile for each admin group (e.g. department). Setup the LDAP - suffixes in the server profiles to point to the needed - organisational units. E.g. use - ou=people,ou=department1,dc=company,dc=com or - ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users. - Do the same for groups, hosts, ... This way each admin group will - only see its own users. You may want to use LDAP search for the LAM - login in this scenario. This will prevent that you need to update a - server profile if the number of admins changes. - - Attention: LAM's feature to - automatically find free UIDs/GIDs for new users/groups will not work - in this case. LAM uses the user/group suffix to search for already - assigned UIDs/GIDs. As an alternative you can specify different - UID/GID ranges for each department. Then the UIDs/GIDs will stay - unique for the whole directory. -
- -
- Multiple LDAP servers - - You can manage as many LDAP servers with LAM as you wish. This - scenario is similar to the advanced scenario above. Just create one - server profile for each LDAP server. - - - - - - - - -
- -
- Single LDAP directory with lots of users (>10 000) - - LAM was tested to work with 10 000 users. If you have a lot - more users then you have basically two options. - - - - Divide your LDAP tree in organisational units: This is - usually the best performing option. Put your accounts in several - organisational units and setup LAM as in the advanced scenario - above. - - - - Increase memory limit: Increase the memory_limit parameter - in your php.ini. This will allow LAM to read more entries. But - this will slow down the response times of LAM. - - -
-
-
-
- - - Managing entries in your LDAP directory - - This chapter will give you instructions how to manage the different - LDAP entries in your directory. - - Please note that not all account types are manageable with the free - LAM release. LAM Pro provides some more account types (e.g. group of - names, aliases, ...) and modules (e.g. Zarafa, custom scripts, ...) to - support additional LDAP object classes. All LAM Pro features are marked in - this manual. - - Basic page layout: - - After the login LAM will present you its main page. It consists of a - header part which is equal for all pages and the content area which covers - most the of the page. - - The header part includes the links to manage all account types (e.g. - users and groups) and open the tree view (LDAP browser). There is also the - logout link and a tools entry. - - When you login the you will see an account listing in the content - area. - - - - - - - - - - Here you can create, delete and modify accounts. Use the action - buttons at the left or double click on an entry to edit it. - - The suffix selection box allows you to list only the accounts which - are located in a subtree of your LDAP directory. - - - - - - - - - - You can change the number of shown entries per page with "Change - settings". Depending on the account type there may be additional settings. - E.g. the user list can convert group numbers to group names. - - When you select to edit an entry then LAM will show all its data on - a tabbed view. There is one tab for each functional part of the account. - You can set default values by loading an account profile. - - - - - - - - - -
- Typical usage scenarios - - Here is a list of typical usage scenarios and what account types - and modules you need to configure. - - Address book entries: - - Account types: - - - - Users (Personal) - - - - Unix accounts: - - Account types: - - - - Users (Personal + Unix) - - - - Groups (Unix (posixGroup)) - - - - Suse users may need to use Group (Group of names + Unix - (rfc2307bisPosixGroup)) because of Suse's special LDAP schema. - - Samba 3 accounts: - - Account types: - - - - Users (Personal + User + Samba 3) - - - - Groups (Unix + Samba 3) - - - - Hosts (Account + Unix + Samba 3) - - - - Samba domains (Samba domain) - - - - Samba 4/Active Directory: - - Account types: - - - - Users (Windows) - - - - Groups (Windows) - - - - Hosts (Windows) - - - - Please note that must change the attributes that are shown in the - account lists. Otherwise, the account tables will show empty lines. See - the documentation for the Windows user/group/host modules. - - For Samba 4 with Zarafa use the following modules: - - - - Users (Windows + Zarafa (+ Zarafa contact)) - - - - Groups (Windows + Zarafa) - - - - Hosts (Windows + Zarafa) - - - - Zarafa dynamic groups (Zarafa dynamic group) - - - - Zarafa address lists (Zarafa address list) - - - - See also the Zarafa section for - additional settings (e.g. using Zarafa AD schema). - - Asterisk: - - Account types: - - - - Users (Personal + Asterisk) - - - - Asterisk extensions (Asterisk extension) - - - - Zarafa: - - Account types: - - - - Users (Personal + Unix + Zarafa (+ Zarafa contact)) - - - - Groups (Unix + Zarafa) - - - - Zarafa dynamic groups (Zarafa dynamic group) - - - - Zarafa address lists (Zarafa address list) - - - - Hosts (Device + Zarafa + IP Address) - - - - PyKota: - - Account types: - - - - Users (Personal + Unix + PyKota) - - - - Groups (Unix + PyKota) - - - - Printers (PyKota) - - - - Billing codes (PyKota) - - -
- -
- Users - - LAM manages various types of user accounts. This includes address - book entries, Unix, Samba, Zarafa and much more. - - - - - Account list settings: - - The user list includes two special options to change how your - users are displayed. - - - - - - - - - - Translate GID number to group name: By - default the user list can show the primary group IDs (GIDs) of your - users. There are often cases where it is more suitable to show the group - name instead. This can be done by activating this option. Please note - that LAM will execute more LDAP queries which may result in decreased - performance. - - - - - - - - - - Show account status: If you activate this - option then there will be an additional column displayed that shows if - the account is locked. You can see more details when moving the mouse - cursor over the lock icon. This function supports Unix, Samba, PPolicy, - Windows and 389ds locking+deactivation. - - - - - - - - - - - - - Password: - - Click the "Set password" button to change the user's password(s). - Depending on the active account modules LAM will offer to change - multiple passwords at the same time. - - If a module supports to enforce a password change then you will - see the appropriate checkbox. LAM Pro also offers to send the password - via email after the account is saved. Email options are specified in - your LAM server profile. - - - - - - - - - - - - - Quick account (un)locking: - - When you edit an user then LAM supports to quickly lock/unlock the - whole account. This includes Unix, Samba and PPolicy. LAM can also - remove group memberships if an account is locked. - - You will see the current status of all account parts in the title - area of the account. - - - - - - - - - - If you click on the lock icon then a dialog will be opened to - change these values. Depending on which parts are locked LAM will - provide options to lock/unlock account parts. - - - - - - - - - - - - - - - - - -
- Personal - - This module is the most common basis for user accounts in LAM. - You can use it stand-alone to manage address book entries or in - combination with Unix, Samba or other modules. - - The Personal module provides support for managing various - personal data of your users including mail addresses and telephone - numbers. You can also add photos of your users (please install PHP - Imagick/ImageMagick for full file format support). If you do - not need to manage all attributes then you can deactivate them in your - server profile. - - Configuration - - Please activate the module "Personal (inetOrgPerson)" for - users. - - - - - - - - - - The module manages lots of fields. Probably, you will not need - all of them. You can hide fields in module settings. - - In advanced options you may also set fields to read-only (for - existing accounts) and define limits for photo files. Additionally, - you can add an "ou=addressbook" subentry to each user in case you - manage user addressbooks. - - - - - - - - - - - - - User management - - - - - - - - - - User certificates can be uploaded and downloaded. LAM will - automatically convert PEM to DER format. 
- - - - - - - - - - - LDAP attribute mappings - - - - - Attribute name - - Name inside LAM - - - - - - businessCategory - - Business category - - - - carLicense - - Car license - - - - cn/commonName - - Common name - - - - departmentNumber - - Department(s) - - - - description - - Description - - - - employeeNumber - - Employee number - - - - employeeType - - Employee type - - - - facsimileTelephoneNumber/fax - - Fax number - - - - givenName/gn - - First name - - - - homePhone - - Home telephone number - - - - initials - - Initials - - - - jpegPhoto - - Photo - - - - l - - Location - - - - labeledURI - - Web site - - - - mail/rfc822Mailbox - - Email address - - - - manager - - Manager - - - - mobile/mobileTelephoneNumber - - Mobile number - - - - organizationName/o - - Organisation - - - - ou - - Organizational unit - - - - pager - - Pager number - - - - physicalDeliveryOfficeName - - Office name - - - - postalAddress - - Postal address - - - - postalCode - - Postal code - - - - postOfficeBox - - Post office box - - - - registeredAddress - - Registered address - - - - roomNumber - - Room number - - - - sn/surname - - Last name - - - - st - - State - - - - street/streetAddress - - Street - - - - telephoneNumber - - Telephone number - - - - title - - Job title - - - - userCertificate - - User certificates - - - - uid/userid - - User name - - - - userPassword - - Password - - - -
- - Wildcards - - This module provides the following wildcards (others may be - provided by other modules): - - - - $firstname: First name - - - - $lastname: Last name - - - - $user: User name - - - - $commonname: Common name - - - - $email: Email address - - - - You can use them in the following input fields on user edit - screen: - - - - Common name - - - - Description - - - - Mail - - - - Postal address - - - - Registered address - - - - Web site - - - - Use this when some of your data always follows the same schema. - E.g. using "$firstname $lastname" in common name field can be used - like this to get "First Last". You can set the wildcards in profile - editor so they are automatically applied for new users. - - - - - - - - - - - - - - - - - - -
- -
- Unix - - The Unix module manages Unix user accounts including group - memberships. - - There are several configuration options for this module: - - - - UID generator: LAM will suggest UID numbers for your - accounts. Please note that it may happen that there are duplicate - IDs assigned if users create accounts at the same time. Use an - overlay - like "Attribute Uniqueness" (example) if you have lots of - LAM admins creating accounts. - - - - Fixed range: LAM searches for free numbers within the - given limits. LAM always tries to use a free UID that is - greater than the existing UIDs to prevent collisions with - deleted accounts. - - - - Samba ID pool: This uses a special LDAP entry that - includes attributes that store a counter for the last used - UID/GID. Please note that this requires that you install the - Samba schema and create an LDAP entry of object class - "sambaUnixIdPool". - - - - Magic number: Use this if your LDAP server assigns the - UID numbers automatically (e.g. DNA by 389 server). Enter the - server's magic number setting. - - - - - - Password hash type: If possible use CRYPT-SHA512 or SSHA to - protect your user's passwords. The option SASL will set the - password to "{SASL}<user name>". - - - - Login shells: List of valid login shells that can be - selected when editing an account. - - - - Hidden options: Some input fields can be hidden to simplify - the GUI if you do not need them. - - - - Set primary group as memberUid: By default primary group - membership is not set on group objects but only on user - (gidNumber). Activate this if you need to have the primary group - membership in group object, too. - - - - Do not add object class: This is for Windows only. When the - checkbox is activated then the posixAccount object class will not - be added to a user. - - - - User name suggestion: The user name is automatically filled - as specified in the configuration (default smiller for Steve - Miller). 
Of course, the suggested value can be changed any time. - Common name is also filled with first/last name by default. - - - - - - - - - - - - - - - - - - - - - - - Group memberships can be changed when clicking on "Edit groups". - Here you can select the Unix groups and group of names - memberships. - - To enable "Group of names" please either add the groups module - "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of - names". - - - - - - - - - - You can also create home directories for your users if you setup - lamdaemon. This allows you to - create the directories on the local or remote servers. - - It is also possible to check the status of the user's home - directories. If needed the directories can be created or removed at - any time. - - - - - - - - - - Wildcards - - This module provides the following wildcards (others may be - provided by other modules): - - - - $user: User name - - - - $group: Groupe name (not numeric number) - - - - You can use them in the following input fields on user edit - screen: - - - - Common name - - - - Gecos - - - - Home directory - - - - Use this when some of your data always follows the same schema. - E.g. using "/home/$user" in home directory field can be used like this - to get "/home/myuser". You can set the wildcards in profile editor so - they are automatically applied for new users. - - - - - - - - - - - - - - - - - - -
- -
- Group of names and group of members (LAM Pro) - - This module manages memberships in group of (unique) names and - also group of members. - - Please note that this module cannot be used if the Unix module - is active. In this case group memberships may be managed with the Unix - module. - - Configuration - - To activate this feature please add the user module "Group of - names (groupOfNamesUser)" to your LAM server profile. - - - - - - - - - - The module automatically detects if groups are based on - "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the - correct attribute. - - - - - - - - -
- -
- Organizational roles (LAM Pro) - - LAM can manage role memberships in organizationalRole objects. To - activate this feature please add the user module "Roles - (organizationalRoleUser)" to your LAM server profile. - - - - - - - - - - User editing - - Now, there will be a new tab "Roles" when you edit your user - accounts. Here you can select the role memberships. - - - - - - - - -
- -
- Shadow - - LAM supports the management of the LDAP substitution of - /etc/shadow. Here you can setup password policies for your Unix - accounts and also view the last password change of a user. - - - - - - - - -
- -
- NIS net groups - - Configuration - - Please add the module "NIS net groups (nisNetGroupUser)" to the - list of active user modules. - - - - - - - - - - User editing - - You will now see a new tab when editing users. Here you can - assign memberships in NIS net groups and also set host/domain. - - - - - - - - -
- -
- Password self reset (LAM - Pro) - - LAM Pro allows your users to reset their passwords by answering - a security question. The reset link is displayed on the self service page. Additionally, - you can set question + answer in the admin interface. - - Please note that self service and LAM admin interface are - separated functionalities. You need to specify the list of possible - security questions in both self service profile(s) and server - profile(s). - - Schema installation - - Please install the LDAP schema as described here. - - Activate password self reset - module - - Please activate the password self reset module in your LAM Pro - server profile. - - - - - - - - - - Now select the tab "Module settings" and specify the list of - possible security questions. Only these questions will be selectable - when you later edit accounts unless you explicitly allow to enter - custom questions. LAM Pro supports to set up to three security - questions per user. - - If you do not want to set backup email addresses then you can - hide this option. - - - - - - - - - - Edit users - - After everything is setup please login to LAM Pro and edit your - users. You will see a new tab called "Password self reset". Here you - can activate/remove the password self reset function for each user. - You can also change the security question and answer. - - If you set a backup email address then confirmation emails will - also be sent to this address. This is useful if the user password - grants access to the user's primary mailbox. So passwords can be - unlocked with an external email address. - - Hint: You can add the - passwordSelfReset object class to all your users with the multi edit tool. - - Samba 4 note: Due to a bug in - Samba 4 you need to add the extension, save, and then select a - question and set the answer. If you add the extension, set - question/answer and then save all together this will cause an LDAP - error and no changes will be saved. - - - - - - - - -
- -
- Hosts - - You can specify a list of valid host names where the user may - login. If you add the value "*" then the user may login to any host. - This can be further restricted by adding explicit deny entries which - are prefixed with "!" (e.g. "!hr_server"). - - Please note that your PAM settings need to support host - restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled then the - account facility of pam_ldap will perform the checks and return an - error when no proper host attribute is present. Please note that users - without host attribute cannot login to such a configured - server. - - - - - - - - -
- -
- Samba 3 - - LAM supports full Samba 3 user management including logon hours - and terminal server options. - - The module is enabled by adding "Samba 3 (sambaSamAccount)" to - your user modules. - - - - - - - - - - In the configuration options you can enable password history - checking. Depending on your LDAP server you might need ascending or - descending order. Just switch the setting if the password history is - not correctly updated. - - In case you have no very old Windows clients (e.g. Windows 98) - it is recommended to disable LM hashes. They are considered to be - insecure. - - You can also hide some input fields if you do not need - them. - - - - - - - - - - After configuring the module you will see the Samba 3 tab when - you edit a user. - - - - - - - - - - Logon hours can be changed. - - - - - - - - - - You can also setup terminal server settings. - - - - - - - - -
- -
- Windows (Samba 4) - - Please activate the account type "Users" in your LAM server - profile and then add the user module "Windows - (windowsUser)(*)". - - - - - - - - - - The default list attributes are for Unix and not suitable for - Windows (blank lines in account table). Please use - "#cn;#givenName;#sn;#mail" or select your own attributes to display in - the account list. - - - - - - - - - - On tab "Module settings" you can specify the possible Windows - domain names and if pre-Windows 2000 user names should be - managed. - - NIS support is deactivated by default. Enable it if - needed. - - - - - - - - - - Now you can manage your Windows users and e.g. assign groups. - You might want to set the default domain name in the profile editor. - - Attention: - - - - Password changes require a secure connection via ldaps://. - Check your LAM server profile if password changes are refused by - the server. - - - - Your server must run a 64bit operating system. Otherwise, - the module might not work. - - - - - - - - - - - - - - - - - - - - Wildcards - - This module provides the following wildcards (others may be - provided by other modules): - - - - $firstname: First name - - - - $lastname: Last name - - - - $user: User name - - - - $commonname: Common name - - - - $email: Email address - - - - You can use them in the following input fields on user edit - screen: - - - - Common name - - - - Display name - - - - Email - - - - Email alias - - - - Home directory - - - - Profile path - - - - Script path - - - - Use this when some of your data always follows the same schema. - E.g. using "$firstname $lastname" in common name field can be used - like this to get "First Last". You can set the wildcards in profile - editor so they are automatically applied for new users. - - - - - - - - - - - - - - - - - - -
- -
- Filesystem quota (lamdaemon) - - You can manage file system quotas with LAM. This requires to - setup lamdaemon. LAM connects to - your server via SSH and manages the disk filesystem quotas. The quotas - are stored directly on the filesystem. This is the default mechanism - to store quotas for most systems. - - Please add the module "Quota (quota)" for users to your LAM - server profile to enable this feature. - - If you store the quota information directly inside LDAP please - see the next section. - - - - - - - - -
- -
- Filesystem quota (LDAP) - - You can store your filesystem quotas directly in LDAP. See - Linux - DiskQuota for details since it requires quota tools that - support LDAP. You will need to install the quota LDAP schema to manage - the object class "systemQuotas". - - Please add the module "Quota (systemQuotas)" for users to your - LAM server profile to enable this feature. - - If you store the quota information on the filesystem please see - the previous section. - - - - - - - - -
- -
- Kolab - - This module supports to manage Kolab accounts with LAM. E.g. you - can set the user's mail quota and define invitation policies. - - Please add the Kolab user module in your LAM server profile to - activate Kolab support. - - - - - - - - - - Attention: LAM will add the object class "mailrecipient" by - default. This object class is available on 389 directory server but - may not be present on e.g. OpenLDAP. Please deactivate the following - setting (LAM server profile, module settings) if you do not use this - object class. - - - - - - - - - - Please enter an email address at the Personal page and set a - Unix password first. Both are required that Kolab accepts the - accounts. The email address ("Personal" page) must match your Kolab - domain, otherwise the account will not work. - - Attention: The mailbox server - cannot be changed after the account has been saved. Please make sure - that the value is correct. - - Kolab users should not be directly deleted with LAM. You can - mark an account for deletion which then is done by the Kolab server - itself. This makes sure that the mailbox etc. is also deleted. - - - - - - - - - - If you upgrade existing non-Kolab accounts please make sure that - the account has an Unix password. -
- -
- Asterisk - - LAM supports Asterisk accounts, too. See the Asterisk section for details. -
- -
- EDU person - - EDU person accounts are mainly used in university networks. You - can specify the principal name, nick names and much more. - - - - - - - - -
- -
- PyKota - - There are two LAM user modules depending if your user entries - should be built on object class "pykotaObject" or a different - structural object class (e.g. "inetOrgPerson"). For "pykotaObject" - please select "PyKota (pykotaUserStructural(*))" and "PyKota - (pykotaUser)" in all other cases. - - - - - - - - - - To display the job history please setup the job DN on tab - "Module settings": - - - - - - - - - - Now you can add the PyKota extension to your user accounts. Here - you can setup the printing options and add payments for this - user. - - For LAM Pro there are also self service fields to allow users - e.g. to view their current balance and job history. - - - - - - - - - - You may also view the payment and job history. - - - - - - - - - - - - - - - - -
- -
- Password policy (LAM Pro) - - OpenLDAP supports the ppolicy overlay - to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to - user accounts. - - Please add the account type "Password policies" to your LAM - server profile and activate the "Password policy" module for the user - type. - - - - - - - - - - You can select the password policy and force a password change - on next login. Accounts can also be (un)locked. - - - - - - - - - - You can assign any password policy which is found in the LDAP - suffix of the "Password policies" type. When you set the policy to - "default" then OpenLDAP will use the default policy as defined in your - slapd.conf file. - - Attention: Locking and - unlocking requires that you also activate the option "Lockout users" - in the assigned password policy. - Otherwise, it will have no effect. -
- -
- Account locking for 389ds (LAM Pro) - - This module allows you to display if users are locked by 389ds - server. You can (de)activate your users. The password expiration time - can also be managed. - - Requirements: 389ds LDAP server - - Configuration - - Please add the user module "Account locking - (locking389ds)". - - - - - - - - - - This will show the password expiration time. You can edit the - value if needed. - - If there are any failed login attempts then LAM displays their - number and till when the user is locked by the system. - - The limit of failed login attempts and lockout duration is - configured on your LDAP server and not within LAM. - - - - - - - - - - You can unlock the user by clicking on the lock icon. - - Here you can also (de)activate the account. - - Note: Accounts are only locked by the LDAP server due to failed - password attempts. You cannot manually lock an account. Deactivate it - in case you want to disable login for a user. - - - - - - - - -
- -
- FreeRadius - - FreeRadius is a software that implements the RADIUS - authentication protocol. LAM allows you to mange several of the - FreeRadius attributes. - - To activate the FreeRadius plugin please activate the FreeRadius - user module in your server profile: - - - - - - - - - - You can disable unneeded fields on the tab "Module settings". - Here you can also set the DN where your Radius profile templates are - stored if you use the option "Profile". - - - - - - - - - - Now you will see the tab "FreeRadius" when editing users. The - extension can be (de)activated for each user. You can setup e.g. - realm, IP and expiration date. - - - - - - - - -
- -
- Heimdal Kerberos (LAM Pro) - - You can manage your Heimdal Kerberos accounts with LAM Pro. - Please add the user module "Kerberos (heimdalKerberos)" to activate - this feature. - - Setup password changing - - LAM Pro cannot generate the password hashes itself because - Heimdal uses a propietary format for them. Therefore, LAM Pro needs to - call e.g. kadmin to set the password. - - The wildcards @@password@@ and @@principal@@ are replaced with - password and principal name. Please use keytab authentication for this - command since it must run without any interaction. - - Example to create a keytab: ktutil -k /root/lam.keytab add -p - lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1 - - Security hint: Please secure your LAM Pro server since the new - passwords will be visible for a short term in the process list during - password change. - - - - - - - - - - User management - - You can specify the principal/user name, ticket lifetimes and - expiration dates. Additionally, you can set various account - options. - - - - - - - - -
- -
- MIT Kerberos (LAM Pro) - - You can manage your MIT Kerberos accounts with LAM Pro. Please - add the user module "Kerberos (mitKerberos)" to activate this feature. - If you want to manage entries based on the structural object class - "krbPrincipal" please use "Kerberos (mitKerberosStructural)" - instead. - - Setup password changing - - LAM Pro cannot generate the password hashes itself because MIT - uses a propietary format for them. Therefore, LAM Pro needs to call - kadmin/kadmin.local to set the password. - - LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to - set the password. Please use keytab authentication for this command - since it must run without any interaction. - - Keytabs may be created with the "ktutil" application. - - Security hint: Please secure your LAM Pro server since the new - passwords will be visible for a short term in the process list during - password change. - - Example commands: - - - - /usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p - realm/changepwd - - - - sudo /usr/sbin/kadmin.local - - - - - - - - - - - - User management - - You can specify the principal/user name, ticket lifetimes and - expiration dates. Additionally, you can set various account - options. - - - - - - - - -
- -
- Mail aliases - - This module allows to add/remove the user in mail alias - entries. - - Note: You need to activate the - mail alias type for this - module. - - To activate mail aliases for users please select the module - "Mail aliases (nisMailAliasUser)": - - - - - - - - - - On tab Module settings you can select if you want to set the - user name or email as recipient in alias entries. - - - - - - - - - - Now you will see the mail aliases tab when editing an - user. - - The red cross will only remove the user from the alias entry. If - you click the trash can button then the whole alias entry (which may - contain other users) will be deleted. - - - - - - - - - - You can add the user to existing alias entries or create - completly new ones. - - - - - - - - -
- -
- Qmail (LAM Pro) - - LAM Pro manages all qmail attributes for users. This includes - mail addresses, ID numbers and quota settings. - - Please note that the main mail address is managed on tab - "Personal" if this module is active. Otherwise, it will be on the - qmail tab. - - - - - - - - - - You can hide several qmail options if you do not want to manage - them with LAM. This can be done on the module settings tab of your LAM - server profile. - - - - - - - - -
- -
- Mail routing - - LAM supports to manage mail routing for user accounts. - - Module activation: - - This feature can be activated by adding the "Mail routing" - module to the user account type in your server profile. - - - - - - - - - - Usage: - - You can specify a routing address, the mail server and a number - of local addresses to route. - - In case you want to add this extension by default for new users - there is an option in profile editor. - - - - - - - - -
- -
- SSH keys - - You can manage your public keys for SSH in LAM if you installed - the LPK patch for - SSH. Activate the "SSH public key" module for users in the - server profile and you can add keys to your user entries. - - - - - - - - -
- -
- Authorized services - - You can setup PAM to check if a user is allowed to run a - specific service (e.g. sshd) by reading the LDAP attribute - "authorizedService". This way you can manage all allowed services via - LAM. - - - - To activate this PAM feature please setup your /etc/libnss-ldap.conf and set - "pam_check_service_attr" to "yes". - - - - Inside LAM you can now set the allowed services. You may also - setup default services in your account profiles. - - - - - - - - - - You can define a list of services in your LAM server profile - that is used for autocompletion. - - - - - - - - - - The autocompletion will show all values that contains the - entered text. To display the whole list you can press backspace in the - empty input field. Of course, you can also insert a service name that - is not in the list. - - - - - - - - -
- -
- IMAP mailboxes - - LAM may create and delete mailboxes on an IMAP server for your - user accounts. You will need an IMAP server that supports either SSL - or TLS for this feature. - - To activate the mailbox management module please add the - "Mailbox (imapAccess)" module for the type user in your LAM server - profile: - - - - - - - - - - Now configure the module on the tab "Module settings". Here you - can specify the IMAP server name, encryption options, the - authentication for the IMAP connection and the valid mail domains. LAM - can use either your LAM login password for the IMAP connection or - display a dialog where you need to enter the password. It is also - possible to store the admin password in your server profile. This is - not recommended for security reasons. - - The user name can either be a fixed name (e.g. "admin") or it - can be generated with LDAP attributes of the LAM admn user. E.g. $uid$ - will be transformed to "myUser" if you login with - "uid=myUser,ou=people,dc=example,dc=com". - - The mail domains specify for which accounts mailboxes may be - created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can - be managed for "user@lam-demo.org" but not for "user@example.com". Use - "*" for any domain. - - You need to install the SSL certificate of the CA that signed - your server certificate. This is usually done by installing the - certificate in /etc/ssl/certs. Different Linux distributions may offer - different ways to do this. For Debian please copy the certificate in - "/usr/local/share/ca-certificates" and run "update-ca-certificates" as - root. - - It is not recommended to disable the validation of IMAP server - certificates. - - The prefix, user name attribute and path separator specifies how - your mailboxes are named (e.g. "user.myUser@localhost" or - "user/myUser"). Select the values depending on your IMAP server - settings. - - You can specify a list of initial folder names to create for new - mailboxes. 
LAM will then create them with each new mailbox. - - - - - - - - - - When you edit an user account then you will now see the tab - "Mailbox". Here you can create/delete the mailbox for this - user. - - - - - - - - -
- -
- IP addresses (LAM Pro) - - You can manage the IP addresses of user accounts (e.g. assigned - by DHCP) with the ipHost module. - - Configuration - - - - - - - - - - User editing - - - - - - - - -
- -
- Account - - This is a very simple module to manage accounts based on the - object class "account". Usually, this is used for host accounts only. - Please pay attention that users based on the "account" object class - cannot have contact information (e.g. telephone number) as with - "inetOrgPerson". - - You can enter a user/host name and a description for your - accounts. - - - - - - - - -
-
- -
- Groups - - - -
- Unix - - This module is used to manage Unix group entries. This is the - default module to manage Unix groups and uses the nis.schema. Suse - users who use the rfc2307bis.schema need to use - LAM Pro. - - Configuration - - Please add the account type "Groups" and then select account - module "Unix (posixGroup)". - - - - - - - - - - GID generator: LAM will suggest GID numbers for your accounts. - Please note that it may happen that there are duplicate IDs assigned - if users create groups at the same time. Use an overlay - like "Attribute Uniqueness" (example) if you have lots of LAM - admins creating groups. - - - - Fixed range: LAM searches for free numbers within the given - limits. LAM always tries to use a free GID that is greater than - the existing GIDs to prevent collisions with deleted - groups. - - - - Samba ID pool: This uses a special LDAP entry that includes - attributes that store a counter for the last used UID/GID. Please - note that this requires that you install the Samba schema and - create an LDAP entry of object class "sambaUnixIdPool". - - - - Magic number: Use this if your LDAP server assigns the GID - numbers automatically (e.g. DNA by 389 server). Enter the server's - magic number setting. - - - - Disable membership management: Disables group membership - management. This is useful if memberships are e.g. managed via group - of names. - - - - - - - - - - Group management: - - - - - - - - - - Group membership management: - - - - - - - - -
- -
- Unix groups with rfc2307bis schema (LAM Pro) - - Some applications (e.g. Suse Linux) use the rfc2307bis schema - for Unix accounts instead of the nis schema. In this case group - accounts are based on the object class groupOf(Unique)Names or namedObject. - The object class posixGroup is auxiliary in this case. - - LAM Pro supports these groups with a special account module: - rfc2307bisPosixGroup - - Use this module only if your system depends on the rfc2307bis - schema. The module can be selected in the LAM configuration. Instead - of using groupOfNames as basis for your groups you may also use - namedObject. - - Module activation: - - - - - - - - - - GID generator: LAM will suggest GID numbers for your accounts. - Please note that it may happen that there are duplicate IDs assigned - if users create groups at the same time. Use an overlay - like "Attribute Uniqueness" (example) if you have lots of LAM - admins creating groups. - - - - Fixed range: LAM searches for free numbers within the given - limits. LAM always tries to use a free GID that is greater than - the existing GIDs to prevent collisions with deleted - groups. - - - - Samba ID pool: This uses a special LDAP entry that includes - attributes that store a counter for the last used UID/GID. Please - note that this requires that you install the Samba schema and - create an LDAP entry of object class "sambaUnixIdPool". - - - - Magic number: Use this if your LDAP server assigns the GID - numbers automatically (e.g. DNA by 389 server). Enter the server's - magic number setting. - - - - Disable membership management: Disables group membership - management. This is useful if memberships are e.g. managed via group - of names. - - Force sync with group of names: This will automatically set the - group memberships of the Unix part to the same members as set on group - of names tab. - - - - - - - - - - The GID number will be filled automatically based on the server - profile configuration. 
- - - - - - - - - - Group members can be edited and also synced with Group of - (unique) names. - - - - - - - - -
- -
- Samba 3 - - LAM supports managing Samba 3 groups. You can set special group - types and also create Windows predefined groups like "Domain - admins". - - Module activation: - - - - - - - - - - Group editing: - - - - - - - - -
- -
- Windows (Samba 4) - - LAM can manage your Windows groups. Please enable the account - type "Groups" in your LAM server profile and then add the group module - "Windows (windowsGroup)(*)". - - - - - - - - - - The default list attributes are for Unix and not suitable for - Windows (blank lines in account table). Please use - "#cn;#member;#description" or select your own attributes to display in - the account list. - - - - - - - - - - NIS support is deactivated by default. Enable it if needed on - tab "Module settings". - - - - - - - - - - Now you can edit your groups inside LAM. You can manage the - group name, description and its type. Of course, you can also set the - group members. - - Group scopes: - - - - Global: Use this for groups with frequent changes. Global - groups are not replicated to other domains. - - - - Universal: Groups with universal scope are used to - consolidate groups that span domains. They are globally - replicated. - - - - Domain local: Groups with domain local scope can be used to - set permissions inside one domain. They are not replicated to - other domains. - - - - Group type: - - - - Security: Use this group type to control permissions. - - - - Distribution: These groups are only used for email - applications. They cannot be used to control permissions. - - - - With "Show effective members" you can show a list of all members - of this group including members of subgroups and their - subgroups. - - - - - - - - -
- -
- Kolab - - Please activate the Kolab group module in your LAM server - profile to activate Kolab support. - - - - - - - - - - You can specify the email address and also set allowed sender - and recipient addresses. - - - - - - - - -
- -
- Mail routing - - LAM supports to manage mail routing for group accounts. - - Module activation: - - This feature can be activated by adding the "Mail routing" - module to the group account type in your server profile. - - - - - - - - - - Usage: - - You can specify a routing address, the mail server and a number - of local addresses to route. - - In case you want to add this extension by default for new groups - there is an option in profile editor. - - - - - - - - -
- -
- Quota - - You can manage file system quotas with LAM. This requires to - setup lamdaemon. File system quotas - are not stored inside LAM but managed directly on the specified - servers. - - - - - - - - -
- -
- PyKota - - There are two LAM group modules depending if your group entries - should be built on object class "pykotaObject" or a different - structural object class (e.g. "posixGroup"). For "pykotaObject" please - select "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)" - in all other cases. - - - - - - - - - - Now you can add the PyKota extension to your groups. - - - - - - - - -
-
- -
- Hosts - -
- Account - - Please see the description here. -
- -
- Device (LAM Pro) - - The device object class allows to manage general information - about all sorts of devices (e.g. computers, network hardware, ...). - You can enter the serial number, location and a describing text. It is - also possible to specify the owner of the device. - - - - - - - - -
- -
- Samba 3 - - You can manage Samba 3 host entries by adding the Unix and Samba - 3 account modules. - - - - - - - - - - - - - - - - -
- -
- Windows (Samba 4) - - LAM can manage your Windows servers and workstations. Please - enable the account type "Hosts" in your LAM server profile and then - add the host module "Windows (windowsHost)(*)". - - - - - - - - - - The default list attributes are for Unix and not suitable for - Windows (blank lines in account table). Please use - "#cn;#description;#location" or select your own attributes to display - in the account list. - - - - - - - - - - Now you will see you computer accounts inside LAM. You can set - e.g. the server's description and location information. - - - - - - - - -
- -
- IP addresses (LAM Pro) - - You can manage the IP addresses of host accounts with the ipHost - module. It manages the following information: - - - - IP addresses (IPv4/IPv6) - - - - location of the host - - - - manager: the person who is responsible for the host - - - - You can activate this extension by adding the module ipHost to - the list of active host modules. - - - - - - - - -
- -
- MAC addresses - - Hosts can have an unlimited number of MAC addresses. To enable - this feature just add the "MAC address" module to the host account - type. - - - - - - - - -
- -
- Puppet - - LAM supports to manage your Puppet configuration. You can - edit all attributes like environment, classes, variables and parent - node. - - Configuration - - To activate this feature please edit your LAM server profile and - add the host module "Puppet (puppetClient)" on tab "Modules". This - will add the Puppet tab to your host pages. - - - - - - - - - - On tab "Module settings" in your LAM server profile you may also - setup some common environment names. LAM will use them to provide - autocompletion hints when editing the environment for a node. - - If you enter any value in "Enforce classes" then LAM will only - accept this list of classes. - - - - - - - - - - Editing nodes - - When you edit a host entry then you will see the tab "Puppet". - Here you can add/remove the Puppet extension and edit all - attributes. - - - - - - - - -
- -
- NIS net groups - - NIS netgroups can be used to e.g. restrict SSH access to your - machines. - - Configuration - - Please add the module "NIS net groups (nisNetGroupHost)" to the - list of active host modules. - - - - - - - - - - Host editing - - You will now see a new tab when editing hosts. Here you can - assign memberships in NIS net groups and also set user/domain. - - - - - - - - -
-
- -
- Samba 3 domains - - Samba 3 stores information about its domain settings inside LDAP. - This includes the domain name, its SID and some policies. You can manage - all these attributes with LAM. - - Please activate the account type "Samba domains" in your LAM - server profile. Please notice that Samba by default uses the LDAP root - for domain objects (e.g. dc=example,dc=com). - - - - - - - - - - This will add a new tab to LAM where you can manage domain - information. - - The domain name, SID and RID base can only be specified for new - domains and are not changeable via LAM at a later time. You may setup - several password policies for your Samba domains and also some RID - options that influence the creation of SIDs for - users/groups/hosts. - - - - - - - - -
- -
- Group of (unique) names and group of members (LAM Pro) - - These classes can be used to represent group relations. Since they - allow DNs as members you can also use them to represent nested - groups. - - Configuration: - - Activate the account type "Group of names" in your LAM server - profile to use these account modules. Alternatively, you can use the - account type "Groups". - - - - - - - - - - - - - - - - - - Then add the module "Group of names (groupOfNames)", "Group of - unique names (groupOfUniqueNames)" or "Group of members - (groupOfMembers)". - - - - - - - - - - - - - - - - - - - - On the module settings tab you set some options like the display - format for members/owners and if fields like description should not be - displayed. - - - - - - - - - - Group management: - - Group of (unique) names have four basic attributes: - - - - Name: a unique name for the group - - - - Description: optional description - - - - Owner: the account which owns this group (optional) - - - - Members: the members of the group (at least one is - required) - - - - You can add any accounts as members. This includes other groups - which leads to nested groups. - - To show members of nested groups click on "Show effective - members". Please note that for large groups this will run lots of - queries against your LDAP server. - - - - - - - - -
- -
- Organizational roles (LAM Pro) - - This module manages roles via the organizationalRole object class. - There is also a user - module to manage memberships on the user edit page. - - Configuration: - - Activate the account type "Groups" in your LAM server profile to - use this account module. Alternatively, you can use the account type - "Group of names". - - - - - - - - - - - - - - - - - - Then add the module "Role (organizationalRole)". - - - - - - - - - - On the module settings tab you set some options like the display - format for members and if description should not be displayed. - - - - - - - - - - Role management: - - You can add any accounts as members. This includes other roles - which leads to nested roles (needs to be supported by LDAP client - applications). - - To show members of nested roles click on "Show effective members". - Please note that for large roles this will run lots of queries against - your LDAP server. - - - - - - - - -
- -
- Asterisk - - LAM includes large support for Asterisk. You can add Asterisk - extensions (including voicemail) to your users and also manage Asterisk - extensions. - - The Asterisk support for users can be added by selecting the - Asterisk and Asterisk voicemail modules for users in your LAM server - profile. This will add the following tabs to your user accounts. - - - - - - - - - - The Asterisk module allows to edit a large amount of attributes. - Therefore, you can hide unused fields. Please edit you server profile - (Module settings) to do so. - - - - - - - - - - Of course, the voicemail part of Asterisk is also - supported. - - - - - - - - - - If you also want to manage Asterisk extensions then simply add the - account type "Asterisk extensions" and its module to your server - profile. - - LAM groups your Asterisk extension entries by extension name and - account context. If you edit an extension then you will see the Asterisk - entries as rules. LAM manages that all rule entries have the same owners - and assigns the priorities. - - - - - - - - -
- -
- Zarafa (LAM Pro) - - Zarafa is an OpenSource collaboration software. LAM Pro provides - support to manage Zarafa server entries, users and groups. It covers all - settings for these types including resource and quota settings. - - LAM Pro is an official Zarafa Certified Integration. - - - - - - - -
- Configuration - - To enable Zarafa support in LAM Pro please activate the Zarafa - modules for the Users, Groups and Hosts account types in you server - profile: - - - - - - - - - - Attention: LAM Pro uses the - Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP, - OpenDJ, Apache Directory server and other common LDAP servers. If you - run Samba 4 or Active Directory then you need to switch the schema to - "Active Directory" on the module settings tab: - - - - - - - - - - You can configure which parts of the Zarafa user options should - be enabled. E.g. if you do not want to manage quotas per user then you - can hide these options on the tab "Module settings". - - - - - "Send as" attribute: Here you - can specify how "Send as" privileges should be managed. LAM supports - "uid" and "dn". - - If you select "uid" the LAM will store user names in the - zarafaSendAsPrivilege attribute. This way you are restricted to - specify user accounts as "Send as" allowed. - - You can also set this option to "dn" and LAM will store DNs in - the zarafaSendAsPrivilege attribute. In this case you may specify - users and groups as "Send as" allowed. - - - - - Examples for your Zarafa ldap.cfg: - - "Send as" attribute: dn - - ldap_user_sendas_attribute_type = dn - - - - - "Send as" attribute: uid - - ldap_user_sendas_attribute_type = text - - ldap_user_sendas_relation_attribute = uid - - -Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting. - - - - - Features: Zarafa 7 allows to - enable IMAP/POP3 for each user. Please hide the option "Features" if - you use Zarafa 6.x. - - - - - - - - - -
- Users - - This is an example of the user edit page with all possible - settings. This includes email settings, quotas and some options - (e.g. hide from address book). You can also set the resource type - and capacity for meeting rooms and equipment. The Zarafa extension - can be added and removed at any time for every user. - - Please note that the option "Features" requires Zarafa 7. - Please hide this option in the LAM server profile if you run Zarafa - 6.x. - - - - - - - - -
- -
- Contacts - - LAM Pro can manage your Zarafa contact entries. You can set - the email aliases and "send as" privileges. Additionally, accounts - may be hidden in the address book or disabled. - - Please note that you can either use the Zarafa user module or - Zarafa contact. LAM Pro will disable the other tab when enabling one - of them. - - - - - - - - -
- -
- Groups - - This is the edit page for groups. You can enter an email - address and additional aliases for your groups. It is also possible - to specify options (e.g. hide from address book). The extension can - be added/removed dynamically. - - Please note that the option "Send-as privileges" requires the - Zarafa 7.0.3 schema. Please hide this option in the LAM server - profile if you run Zarafa < 7.0.3. - - - - - - - - -
- -
- Servers - - The Zarafa extension for host accounts allows to set the - connection ports and file path. You can add/remove the extension at - any time. - - Setting the public store option is only possible for new host - entries. - - Please note that the proxy URL option requires the Zarafa 7.1 - schema. Please hide this option in your LAM server profile if you - use an older version. - - - - - - - - -
- -
- Address lists - - Zarafa allows to store address lists in LDAP. You need to - define a search base and LDAP filter for each address list. E.g. - entering "ou=people,dc=company,dc=com" as base and "uid=*" will - select all users that are stored in - "ou=people,dc=company,dc=com". - - You can also hide your lists from the address book or - temporarily disable them. - - - - - - - - -
- -
- Dynamic groups - - Zarafa allows to define dynamic groups in LDAP. You need to - define a search base and LDAP filter for each group. E.g. entering - "ou=people,dc=company,dc=com" as base and "uid=*" will select all - users that are stored in "ou=people,dc=company,dc=com". - - Dynamic groups may have an email address and multiple email - alias addresses. - - You can also hide your dynamic groups from the address book or - temporarily disable them. - - - - - - - - -
-
-
- -
- Kolab shared folders - - Please add the account type "Kolab shared folders" in your LAM - server profile and set the correct LDAP suffix. - - - - - - - - - - - - - - - - - - - - - Then add the "Kolab shared folder" module on tab "Modules". - - - - - - - - - - Now you can start to add shared folders inside LAM. - - - - - - - - -
- -
- DHCP - - You can mange your DHCP server with LAM. It supports to manage - subnets, fixed IP entries, IP ranges and DDNS. - - Configuration - - The DHCP management can be activated by adding the account type - DHCP to your server profile. Please also add the DHCP modules. - - LAM requires that you use an LDAP entry with the object class - "dhcpService" or "dhcpServer" as suffix for this account type. If the - "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN" - then you need to use the DN of the "dhcpService" entry as LDAP suffix - for DHCP. - - - - - Add account type: - - - - - - - - - - Set suffix: - - - - - - - - - - Add modules: - - - - - - - - - - Example server - entry: - - dn: - cn=server,ou=dhcp,dc=ldap-account-manager,dc=org - - objectclass: dhcpServer - - objectclass: dhcpOptions - - objectclass: top - - cn: server - - dhcpcomments: My DHCP server - - dhcpoption: domain-name - "ldap-account-manager.org" - - dhcpoption: domain-name-servers 192.168.1.1 - - dhcpoption: routers 192.168.1.1 - - dhcpoption: netbios-name-servers 192.168.1.1 - - dhcpoption: subnet-mask 255.255.255.0 - - dhcpoption: netbios-node-type 8 - - dhcpstatements: default-lease-time 3600 - - dhcpstatements: max-lease-time 7200 - - dhcpstatements: include "mykey" - - dhcpstatements: ddns-update-style interim - - dhcpstatements: update-static-leases true - - dhcpstatements: ignore client-updates - - - - - Example settings for - dhcpd.conf: - - ddns-update-style none; - - deny unknown-clients; - - ldap-server "server"; - - ldap-dhcp-server-cn "server"; - - ldap-port 389; - - ldap-username - "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org"; - - ldap-password "{SSHA}XXXXXXXXXXXX"; - - ldap-base-dn - "ou=dhcp,dc=ldap-account-manager,dc=org"; - - ldap-method dynamic; - - ldap-debug-file - "/var/log/dhcp-ldap-startup.log"; - - - - - - - slapd.conf changes: - - include /etc/ldap/schema/dhcp.schema - - index dhcpHWAddress eq - - index dhcpClassData eq -Run slapindex to 
rebuild the index. - - - - You can manage the settings of your DHCP service/server - entry: - - - - - - - - - - You can easily create new subnet entries. - - - - - - - - - - It is also possible to specify a list of fixed IPs. - - - - - - - - - - IP ranges may be specified. - - If you use failover pools for your IP ranges please use the pool - options on the bottom. Here you can add DHCP pools (object class - "dhcpPool") and specify the failover peer. - - - - - - - - - - If you activated DDNS in the server entry then you may also - specify the DDNS settings for this subnet. - - - - - - - - -
- -
- Bind DLZ (LAM Pro) - - Bind DLZ is - an extension to the DNS server Bind that allows to store - DNS entries inside LDAP. Please install the Bind DLZ schema file on your - LDAP server. It is part of the DLZ patch. - - Configuration - - First, you need to add the Bind DNS account type and the Bind DLZ - module: - - - - - - - - - - Please set the LDAP suffix either to an existing DNS zone - (dlzZone) or an organizational unit that should include your DNS - zones. - - - - - - - - - - - - - - - - - - - - - Automatic PTR management - - LAM can automatically create/delete PTR entries for the entered - IPv4/6 records. You can enable this feature on the module settings - tab. - - PTR records will get the same TTL as IP records. Please note that - you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa") - under the same suffix as your other DNS entries. - - - - - - - - - - Zone management - - If you do not yet have a DNS zone then LAM can create one for you. - In list view switch the suffix to an organizational unit DN. Now you - will see a button "New zone". - - This will create the zone container entry and a default DNS entry - "@" for authoritative information. Now switch the suffix to your new - zone and start adding DNS entries. - - - - - - - - - - DNS entries - - LAM supports the following DNS record types: - - - - SOA: authoritative information - - - - NS: name servers - - - - A/AAAA: IP addresses - - - - PTR: reverse DNS entries - - - - CNAME: alias names - - - - MX: mail servers - - - - TXT: text records - - - - SRV: service entries - - - - - - - Authoritative (SOA) and name server (NS) - records - - Here you can manage general information about the zone like - timeouts and name servers. Please note that name servers must be - inserted in a special format (dot at the end). - - - - - - - - - - - - - IP addresses (A/AAAA) - - LAM will automatically set the correct type (A/AAAA) depending if - you enter an IPv4 or IPv6 address. 
- - - - - - - - - - - - - Reverse DNS entries - - Reverse DNS entries are important when you need to find the DNS - name that is associated with a given IP address. Reverse DNS entries are - stored in a separate DNS zone. - - - - - - - - - - - - - Alias names (CNAME) - - Sometimes a DNS entry should simply point to a different DNS entry - (e.g. for migrations). This can be done by adding an alias name. - - - - - - - - - - - - - Mail servers (MX) - - The mail server entries define where mails to a domain should be - delivered. The server with the lowest preference has the highest - priority. - - - - - - - - - - - - - Text records (TXT) - - Text records can be added to store a description or other data - (e.g. SPF information). - - - - - - - - - - - - - Services (SRV) - - Service records can be used to specify which servers provide - common services such as LDAP. Please note that the host name must be - _SERVICE._PROTOCOL (e.g. _ldap._tcp). - - - - - Priority: The priority of the target host, lower value means more - preferred. - - Weight: A relative weight for records with the same priority. E.g. - weights 20 and 80 for a service will result in 20% queries to the one - server and 80% to the other. - - Port: The port number that is used for your service. - - Server: DNS name where service can be reached (with dot at the - end). - - - - - - - - - - - - - File upload - - You can upload complete DNS zones via LAM's file upload. Here is - an example for a zone file and the corresponding CSV file. - - - Zone file - - - - - @ - - IN - - SOA - - ns1.example.com admin.ns1.example.com (1 360000 3600 - 3600000 370000) - - - - - - IN - - NS - - ns1.example.com. - - - - - - IN - - NS - - ns2.example.com. - - - - - - IN - - MX - - 10 mail1.example.com - - - - - - IN - - MX - - 20 mail2.example.com - - - - foo - - IN - - A - - 123.123.123.100 - - - - foo2 - - IN - - CNAME - - foo.example.com - - - - bar - - IN - - A - - 123.123.123.101 - - - - - - IN - - AAAA - - 1:2:3:4:5 - - - -
- - Please check that you have an existing zone entry that can be used - for the file upload. See above to create a new zone. - - Hint: If you use the function above to create a new zone then - please skip the "@" entry in the CSV file below. LAM creates this entry - with sample data. - - In this example we assume that the following zone extry - exists: - - dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com -dlzzonename: example.com -objectclass: dlzZone -objectclass: top - - - - Here is the corresponding CSV file: bindUpload.csv -
- -
- Aliases (LAM Pro) - - Some applications use the object class "alias" to link LDAP - entries to other parts of the LDAP tree. Activate the account type - "Aliases" in your LAM server profile to use this account type. - - Currently, only user accounts can be aliased with the "uidObject" - object class. - - - - - - - - - - - - - - - - -
- -
- Mail aliases - - You can manage mail aliases (e.g. for NIS) inside LAM. This can be - used to replace local /etc/aliases files with LDAP. - - Note: Use the mail alias user - module to manage mail aliases on user pages. - - All accounts of this type are based on the "nisMailAlias" object - class and may have "cn" and "rfc822MailMember" attributes. To activate - this type please add "Mail aliases" in your LAM server profile: - - - - - - - - - - You need to select the Mail aliases module on the next tab. - - - - - - - - - - The mail aliases will then appear as separate tab inside LAM. You - may then manage the aliases with their names and recipient - addresses. - - There are mail/user icons that allow to select a mail address/user - name from the existing users. - - - - - - - - -
- -
- NIS net groups - - LAM supports to define NIS netgroups. You can use them e.g. to - restrict SSH access to your machines. - - Add the NIS net group account type and its module to your server - profile. Then you can manage net groups in LAM. Net groups may contain - other net groups as child groups. You can either insert the host/user - names manually or print the search buttons next to the input fields to - find existing entries in your directory. - - - - - - - - -
- -
- NIS objects (LAM Pro) - - You can manage NIS objects with LAM Pro. This allows you define - network mount points in LDAP. - - Add the NIS objects type to your LAM configuration and then the - NIS objects module. This will add the NIS objects tab to LAM. - - - - - - - - -
- -
- Automount objects (LAM Pro) - - LAM Pro allows you to manage automount entries. Please activate - the account type "Automount objects" in your LAM Pro server - profile. - - - - - - - - - - Then add the correct automount module. Usually, this is "Automount - entry (automount)". If you use Suse Linux with RFC2307bis schema please - select "Automount entry (rfc2307bisAutomount)". - - - - - - - - - - This will add a new tab to LAM Pro's main screen which includes a - list of all automount entries. Here you can easily create new - entries. - - - - - - - - - - Please see the following external HowTos for more information on - automounting and LDAP: - - - - AutofsLDAP - - - - Automount - über LDAP (German) - - -
- -
- Oracle databases (LAM Pro) - - Oracle allows to manage connection data that is stored in - tnsnames.ora to be stored in an LDAP directory. - - Initial setup - - LDAP server setup: - - You will need to install the correct Oracle LDAP schema files on - your LDAP server. If you run no Oracle LDAP server then you can get them - (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from - here. - - Next you need to create the root entry for Oracle. It should look - like this: - - dn: cn=OracleContext,dc=example,dc=com -objectclass: orclContext -cn: OracleContext - - You can create it with LAM's tree view. Please note that "cn" must - be set to "OracleContext". - - - - - LAM setup: - - Edit your LAM server profile and add the Oracle account - type: - - - - - - - - - - In case you manage a single Oracle context just enter the - cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle - context entries then set the LDAP suffix to a parent entry of - them. - - - - - - - - - - Next, add the Oracle module: - - - - - - - - - - Now you can login to LAM and start to add database - entries. - - - Managing database entries - - Each database has a service name, the connection string and an - optional description. - - - - - - - - - - Database client setup for - LDAP - - You need to activate the LDAP adapter to make the database tools - reading LDAP. Edit network/admin/sqlnet.ora like this: - - NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP) - - Then add a file called ldap.ora next to your sqlnet.ora and set - the LDAP server and DN suffix where cn=OracleContext is stored: - - DIRECTORY_SERVERS= (ldap.example.com:389:636) -DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de" -DIRECTORY_SERVER_TYPE = OID - - This will allow e.g. tnsping to get the connection data from - LDAP: - - [oracle@oracle bin]$ tnsping mydb - -TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54 - -Copyright (c) 1997, 2013, Oracle. All rights reserved. 
- -Used parameter files: -/home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora - -Used LDAP adapter to resolve the alias -Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl))) -OK (10 msec) -
- -
- Password policies (LAM Pro) - - OpenLDAP supports the ppolicy overlay - to manage password policies for LDAP entries. This allows you to set - password policies which are independent from your applications. The - policies are managed internally by the LDAP server. - - You can manage these policies with LAM Pro with the account type - "Password policies". - - - - - - - - - - You will need to add the ppolicy schema to your OpenLDAP - configuration and activate the ppolicy overlay - module in slapd.conf to use this feature. -
- -
- PyKota printers - - Please add the account type "Printers (PyKota printers)" on tab - "Account types" in your server profile and setup the LDAP suffix where - printers are stored. - - - - - - - - - - - - - - - - - - Then add the PyKota printer module on tab "Account - modules". - - - - - - - - - - Next you can start managing printers inside LAM. Here you can - setup the costs for a print job. LAM will also show if the printer is - member of any printer groups. - - - - - - - - - - You can also setup printer groups. Just add some members to your - new group. - - - - - - - - -
- -
- PyKota billing codes - - Please add the account type "Billing codes" on tab "Account types" - in your server profile and setup the LDAP suffix where billing codes are - stored. - - - - - - - - - - - - - - - - - - Then add the PyKota billing code module on tab "Account - modules". - - - - - - - - - - Now login to LAM and you will see the billing code tab where you - can manage your entries. If jobs were printed with a billing code then - you will also see the balance and page count. - - - - - - - - -
- -
- Custom fields (LAM Pro) - - This module allows you to manage LDAP attributes that are not - covered by the other LAM modules (e.g. if you use custom LDAP schemas). - You can fully define how your input fields look like: - - - - Label - - - - LDAP attribute name - - - - Unique name for field - - - - Help text - - - - Read-only display - - - - Field type: text, password, text area, checkbox, radio - buttons, select list, file upload - - - - Validation via regular expression - - - - Error message if validation fails - - - - Limitations: - - Custom fields cannot manage - - - - structural object classes - - - - attributes that require validation rules across multiple - attributes or cannot be described by a simple regular - expression - - - - Activating the custom fields - module: - - You may specify custom fields for all of your account types. - Please enter tab "Modules" in your server profile. Now activate the - "Custom fields (customFields)" module for all needed account - types. - - - - - - - - - - Setting label and icon: - - You may set the label that is displayed e.g. on the tab when - editing an account. It is also possible to specify an icon (must be a - valid URL like "/images/icon.png" or "http://server/images/icon.png"). - The icon size should be 32x32 pixels. - - LAM will display a default icon and "Custom fields" as label if - you do not enter any values. - - You may also specify how LAM displays cutom fields when there are - multiple field groups. The default is accordion view where you can - switch field groups by clicking on the title. You may also deactivate - this mode. Then all field groups are displayed one below the - other. - - - - - - - - - - Defining groups: - - All input fields are devided into groups. A group may contain one - or more object classes and allows you to add/remove a certain set of - input fields. - - E.g. 
you may define two groups - "My application A" and "My - application B" - that manage different LDAP attributes and object - classes. This way you will be able to control both attribute sets - independently. - - To create a group please edit your server profile and switch to - tab "Module settings". You will see the section "Custom fields" which - allows you to add new groups. Now select your account type (e.g. Users) - and specify an alias for your group. This alias will be printed as group - header when you later edit an account in the admin interface. - - - - - - - - - - After you created your new group you can setup the managed object - classes. If you specify any object classes then you will later be able - to add/remove a complete set of attributes including their object - classes. - - Skipping the object classes field is only useful if you want to - manage some attributes that are not yet supported by LAM but there is - already a LAM module that manages the object class. - - - - - - - - - - The group may look like when you edit a user. - - - - - - - - - - - - - - - - - - Adding fields: - - Now you can add a new field that manages an LDAP attribute. Simply - fill the fields and press on "Add". - - Please note that the field name cannot be changed later. It is the - unique ID for this field. - - - - - - - - - - Examples for fields and their representation: - - Text field: - - Text fields allow to specify a validation - expression and error message. - - You can also enable auto-completion. In this case LAM will search - all accounts for the given attribute and provide auto-completion hints - when the user edits this field. This should only be used if there is a - limited number of different values for this attribute. - - In case your field is a date value you can show a calendar for - easy editing. 
- - Example calendar formats: - - - - dd.mm.yy: 31.12.2016 - - - - yy-mm-dd: 2016-12-31 - - - - d M, y: 31 Dec, 16 - - - - d MM, y: 31 December, 2016 - - - - - - - - - - - - Presentation: - - - - - - - - - - Password field: - - You can also manage custom password fields. LAM Pro will display - two fields where the user must enter the same password. You can hash the - password if needed. - - - - - - - - - - Presentation: - - - - - - - - - - Text area: - - This adds a multi-line field. The options are similar to text - fields. Additionally, you can set the size with the number of columns - and rows. - - Please note that the validation - expression should be set to multi-line. This is done by adding - "m" at the end. - - - - - - - - - - Presentation: - - - - - - - - - - Checkbox: - - Sometimes you may want to allow only yes/no values for your LDAP - attributes. This can be represented by a checkbox. You can specify the - values for checked and unchecked. The default value is set if the LDAP - attribute has no value. - - - - - - - - - - Presentation: - - - - - - - - - - Radio buttons: - - This displays a list of radio buttons where the user can select - one value. - - You can specify a mapping of LDAP attribute values and their - display (label) on the Self Service page. To add more mapping fields - please press "Add more mapping fields". - - - - - - - - - - Presentation: - - - - - - - - - - Select list: - - Select lists allow the user to select a value in a large list of - options. The definition of the possible values and their display is - similar to radio buttons. - - You can also allow multiple values. - - - - - - - - - - Presentation: - - - - - - - - - - - - - - - - - - Validation expressions: - - The validation expressions follow the standard of Perl regular - expressions. They start and end with a "/". The beginning of a - line is specified by "^" and the end by "$". - - Examples: - - /^[a-z0-9]+$/ allows small letters and numbers. 
The value must not - be empty ("+"). - - /^[a-z0-9]+$/i allows small and capital letters ("i" at the end - means ignore case) and numbers. The value must not be empty - ("+"). - - Special characters that must be escaped with "\": "\", ".", "(", - ")" - - E.g. /^[a-z0-9\.]$/i - - - - - File upload: - - This is used for binary data. You can restrict uploaded data to a - given file extension and set the maximum file size. - - - - - - - - - - Presentation: - - The uploaded data may also be downloaded via LAM. - - - - - - - - -
- -
- Custom scripts (LAM Pro) - - LAM Pro allows you to execute scripts whenever an account is - created, modified or deleted. This can be useful to automate processes - which needed manual work afterwards (e.g. sending your user a welcome - mail or register a mailbox). Additionally, you can specify manual scipts - that can be executed from within LAM Pro. - - To activate this feature please add the "Custom scripts" module to - all needed account types on the configuration pages. - - - - - - - - - - In "Module settings" you can specify multiple scripts for each - action type (e.g. modify) and account type (e.g. user). The scripts need - to be located on the filesystem of your webserver and will be executed - in its user environment. E.g. if you webserver runs as user www-data - with the group www-data then the custom scripts will be run under this - user with his rights. The output of the scripts will be shown in - LAM. - - You can specify the scripts on the LAM configuration pages. - - - - - - - - - - Syntax: - - Please enter one script per line. Each line has the following - format: <account type> <action> <script> - - E.g.: user preModify /usr/bin/myCustomScript -u $uid$ - - Account types: - - You can setup scripts for all available account types (e.g. user, - group, host, ...). Please see the help on the configuration page about - your current active account types. 
- - Actions: - - - Action types - - - - - Action name - - Description - - - - preCreate - - Executed before creating a new account (cancels operation - if a script returns an exit code > 0, not available for file - upload) - - - - postCreate - - Executed after creating a new account (does not run if preCreate or LDAP operations - fail) - - - - preModify - - Executed before an account is modified (cancels operation - if a script returns an exit code > 0) - - - - postModify - - Executed after an account was modified (does not run if preModify or LDAP operations - fail) - - - - preDelete - - Executed before an account is modified (cancels operation - if a script returns an exit code > 0) - - - - postDelete - - Executed after an account was modified (does not run if preDelete or LDAP operations - fail) - - - - manual - - Can be run manually on account page. If you add - LAMLABEL="text" before the command then LAM will use the text as - label for the button in account edit screen. - - - -
- - Script: - - You can execute any script which is located on the filesystem of - your webserver. The path may be absolute or relative to the - PATH-variable of the environment of your webserver process. It is also - possible to add commandline arguments to your scripts. Additionally, LAM - will resolve wildcards to LDAP attributes. If your script includes an - wildcard in the format $ATTRIBUTE$ then LAM will replace it with the - attribute value of the current LDAP entry. The values of multi-value - attributes are separated by commas. E.g. if you create an account with - the attribute "uid" and value "steve" then LAM will resolve "$uid$" to - "steve". - - Please note that manual scripts can only use the current LDAP - attribute values of the account. Any modifications done that are not - saved will not be available. Manual scripts are also not available for - new accounts that are not yet saved to LDAP. - - You can switch LAM's logging to debug mode if you are unsure which - attributes with which values are available. - - The following special wildcards are available for automatical - scripts: - - - - $INFO.userPasswordClearText$: - cleartext password when Unix/Windows password is changed (e.g. - useful for external password synchronisation) for new/modified - accounts - - - - $INFO.userPasswordStatusChange$: provides - additional information if the Personal/Unix password locking status - was changed, possible values: locked, unlocked, unchanged - - - - $INFO.passwordSelfResetAnswerClearText$: - cleartext answer to security question - - - - $INFO.389lockingStatusChange$: for 389ds - account locking, provides information if account was unlocked. - Possible values: unchanged, unlocked - - - - $INFO.389deactivationStatusChange$: for 389ds - account locking, provides information if account was deactivated. - Possible values: unchanged, activated, deactivated - - - - $NEW.<attribute>$: the - value of a new attribute (e.g. 
$NEW.telephoneNumber$) for modified - accounts - - - - $DEL.<attribute>$: the - value of a deleted attribute (e.g. $DEL.telephoneNumber$) for - modified accounts - - - - $MOD.<attribute>$: the - new value of a modified attribute (e.g. $MOD.telephoneNumber$) for - modified accounts - - - - $ORIG.<attribute>$: the - original value of an attribute (e.g. $ORIG.telephoneNumber$) for - modified accounts - - - - Output may contain HTML: If your - scripts generate HTML output then activate this option. - - Hide command in messages: You may - want to prevent that your users see the executed commands. In this case - activating this option will only show the command output but not the - command itself. - - - - You can see a preview of the commands which will be automatically - executed on the "Custom scripts" tab. Here you can also run the manual - scripts. - - - - - - - - -
- -
- Sudo roles (LAM Pro) - - You can manage your sudo roles in LDAP if you have installed the - sudo-ldap package or compiled sudo with LDAP - support. - - To activate sudo management in LAM Pro edit your server profile - and add the type "Sudo roles". - - - - - - - - - - - - - - - - - - Now you can create sudo commands. - - - - - - - - - - The sudo roles in LDAP work similar to those in /etc/sudoers. You - can specify who may run which commands as which user. It is also - possible to specify options like NOPASSWD. -
- -
- LDAP views based on nsview (LAM Pro) - - LAM Pro supports LDAP views based on the "nsview" object class. - These views allow to create an organizational unit that shows a subset - of your LDAP content. The subset is determined by an LDAP filter. - - Configuration: - - To activate view management in LAM Pro edit your server profile - and add the type "LDAP views". - - - - - - - - - - - - - - - - - - Now you are ready to create your views. Each view has a name, LDAP - filter and an optional description. - - - - - - - - - - - - - - - - -
- -
- General information - - This module is available for all account types. It shows some - internal information about the LDAP entries like the creation time and - who modified the entry. - - If you use the "memberOf" overlay in OpenLDAP then this will also - show group memberships done by the overlay. - - - - - - - - -
- -
- Tree view (LDAP browser) - - The tree view provides a raw view on your LDAP directory. This - feature is for people who are experienced with LDAP and need special - functionality which the LAM account modules not provide. E.g. if you - want to add a special object class to an account or edit attributes - ignoring LAM's syntax checks. - - - - - - - - - - There are also some special functions available: - - Export: This allows you to export - entries to a file (e.g. LDIF or CSV format). - - Show internal attributes: Shows - internal attributes of the current entry. This includes information - about the creator and creation time of the entry. -
-
- - - Tools - - - -
- Profile editor - - The account profiles are templates for your accounts. Here you can - specify default values which can then be loaded when you create - accounts. You may also load a template for an existing account to reset - it to default values. When you create a new account then LAM will always - load the profile named "default". This - account profile can include default values for all your accounts. - - - - - - - - - - You can enter the LDAP suffix, RDN identifier and various other - attributes depending on account type and activated modules. - - - - - - - - - - Import/export: - - Profiles can be exported to and imported from other server - profiles. - - - - - - - - - - - - - - - - - - There is a special export target called "*Global templates". All - profiles exported here will be copied to all other server profiles - (incl. new ones). But existing profiles with the same name are not - overwritten. So a profile in global templates is treated as default - profile for all server profiles. - - Use this if you would like to setup default profiles that are - valid for all server profiles. - - - - - - - - -
- -
- File upload - - When you need to create lots of accounts then you can use LAM's - file upload to create them. LAM will read a CSV formatted file and - create the related LDAP entries. Please check the data in you CSV file - carefully. LAM will do less checks for the file upload than for single - account creation. - - At the first page please select the account type and what - extensions should be activated. - - - - - - - - - - The next page shows all available options for the file upload. You - will also find a sample CSV file which can be used as template for your - CSV file. All red options are required columns in the file. You need to - specify a value for each account. - - When you upload the CSV file then LAM first does some checks on - this file. This includes syntax checks and if all required data was - entered. No changes in the LDAP directory are done at this time. - - If the checks were successful then LAM will ask again if you want - to create the accounts. You will also have the chance to check the - upload by viewing the changes in LDIF format. - - - - - - - - -
- -
- Multi edit - - This tool allows you to modify a large list of LDAP entries in - batch mode. You can add new attributes/object classes, remove attributes - and set attributes to a specific value. - - At the beginning, you need to specify where the entries are stored - that should be changed. You can select an account suffix, the tree - suffix or enter your own DN by selecting "Other". - - Next, enter an additional LDAP filter to limit the entries that - should be changed. E.g. use "(objectclass=inetOrgPerson)" to filter for - users. You may also enter e.g. "(!(objectClass=passwordSelfReset))" to - match all accounts that do not yet have the password self reset - feature. - - - - - Now, it is time to define the changes that should be done. The - following operations are possible: - - - - Add: Adds an attribute value if not yet existing. Please do - not use for single-value attributes that already have a - value. - - - - Modify: Sets an attribute to the given value. If the attribute - does not yet exist then it is added. If the attribute has multiple - values then all other values are removed. - - - - Delete: Deletes the specified value from this attribute. If - you leave the value field blank then all attribute values are - removed. - - - - Please note that all actions are run as separate LDAP commands. - You cannot add an object class and a required attribute at the same - time. - - - - - - - - - - Dry run - - You should always start with a dry run. It will not do any changes - to your LDAP directory but print out all modifications that will be - done. You will also be able to download the changes in LDIF format to - use with ldapmodify. This is useful if you want to adjust some actions - manually. - - - - - - - - - - Apply changes - - This will run the actions against your LDAP directory. You will - see which accounts are edited in the progress area and also if any - errors occured. - - - - - - - - -
- -
- OU editor - - This is a simple editor to add/delete organisational units in your - LDAP tree. This way you can structure the accounts. - - - - - - - - -
- -
- PDF editor - - All accounts in LAM may be exported as PDF files. You can specify - the page structure and displayed information by editing the PDF - profiles. - - - - - - - - - - When you export accounts to PDF then each account will get its own - page inside the PDF. There is a headline on each page where you can show - a page title. You may also add a logo to each page. To add more logos - please use the logo management on the PDF editor main page. - - - - - - - - - - The main part is structured into sections of information. Each - section has a title. This can either be static text or the value of an - attribute. You may also insert a static text block as section. Sections - can be moved by using the arrows next to the section title. - - Each section can contain multiple fields which usually represent - LDAP attributes. You can simply add new fields by selecting the field - name and its position. Then use the arrows to move the field inside the - section. - - - - - Import/export: - - PDF structures can be exported to and imported from other server - profiles. - - - - - - - - - - - - - - - - - - There is a special export target called "*Global templates". All - PDF structures exported here will be copied to all other server profiles - (incl. new ones). But existing PDF structures with the same name are not - overwritten. So a PDF structure in global templates is treated as - default structure for all server profiles. - - Use this if you would like to setup default PDF structures that - are valid for all server profiles. - - - - - - - - - - Logo management: - - You can upload image files to put a custom logo on the PDF files. - The image file name must end with .png or .jpg and the size must not - exceed 2000x300px. - - - - - - - - -
- -
- Schema browser - - Here you browse the schema of your LDAP server. You can view what - object classes, attributes, syntaxes and matching rules are available. - This is useful if you need to check if a certain object class is - available. - - - - - - - - -
- -
- Server information - - This shows information and statistics about your LDAP server. This - includes the suffixes, used overlays, connection data and operation - statistics. You will need "cn=monitor" setup to see all details. Some - data may not be available depending on your LDAP server software. - - Please see the following links how to setup "cn=monitor": - - - - OpenLDAP - - - - 389 - server - - - - - - - - - - -
- -
- Tests - - This allows you to check if your LDAP schema is compatible with - LAM and to find possible problems. - -
- Lamdaemon test - - LAM provides an external script to manage home directories and - quotas. You can test here if everything is setup correctly. - - If you get an error like "no tty present and no askpass program - specified" then the path to the lamdaemon.pl may be wrong. Please see - the lamdaemon installation - instructions for setup details. - - - - - - - - -
- -
- Schema test - - This will test if your LDAP schema supports all object classes - and attributes of the active LAM modules. If you get a message that - something is missing please check that you installed all required schemas. - - If you get error messages about object class violations then - this test can tell you what is missing. - - - - - - - - -
-
-
- - - Access levels and password reset page (LAM Pro) - - You can define different access levels for each profile to allow or - disallow write access. The password reset page helps your deskside support - staff to reset user passwords. - -
- Access levels - - There are three access levels: - - - - Write access (default) - - There are no restrictions. LAM admin users can manage account, - create profiles and set passwords. - - - - Change passwords - - Similar to "Read only" except that the password reset page is available. - - - - Read only - - No write access to the LDAP database is allowed. It is also - impossible to manage account and PDF profiles. - - Accounts may be viewed but no changes can be saved. - - - - The access level can be set on the server configuration - page: - - - - - - - - -
- -
- Password reset page - - This special page allows your deskside support staff to reset the - Unix and Samba passwords of your users. Account may also be (un)locked - If you set the access level to - "Change passwords" then LAM will not allow any changes to the LDAP - database except password changes via this page. The account pages will - be still available in read-only mode. - - You can open the password reset page by clicking on the key symbol - on each user account: - - - - - - - - There are three different options to set a new password. - You can further restrict these options in server profile - settings. - - - - set random password and display it on - screen - - This will set the user's password to a random value. The - password will be 11 characters long with a random combination of - letters, digits and ".-_". - - You may want to use this method to tell users their new - passwords via phone. - - - - set random password and mail it to - user - - If the user account has set the mail attribute then LAM can - send your user a mail with the new password. You can change the mail - template to fit your needs. Please configure your LAM server profile - to setup the sender address, subject and mail body. Please see email format option in case of broken - mails. See here for setting up your - SMTP server. - - Using this method will prevent that your support staff knows - the new password. - - - - set specific password - - Here you can specify your own password. - - - - - - - - - - - - LAM will display contact information about the user like the - user's name, email address and telephone number. This will help your - deskside support to easily contact your users. - - Options: - - Depending on the account there may be additional options - available. - - - - Sync Samba NT/LM password with Unix - password: If a user account has Samba passwords set then - LAM will offer to synchronize the passwords. 
- - - - Unlock Samba account: Locked - Samba accounts can be unlocked with the password change. - - - - Update Samba password - timestamps: This will set the timestamps when the - password was changed (sambaPwdLastSet). Only existing attributes are - updated. No new attributes are added. - - - - Sync Kerberos password with Unix - password: This will also update the Heimdal Kerberos - password. - - - - Sync Asterisk (voicemail) password with - Unix password: Changes also the Asterisk - passwords. - - - - Force password change: This - will force the user to change his password at next login. This - option supports Shadow, Samba 3 and PPolicy (automatically - detected). - - - - - - - Account (un)locking: - - Depending if the account includes a Unix/Samba extension and - PPolicy is activated the page will show options to (un)lock the account. - E.g. if the account is fully unlocked then there will be no unlocking - options printed. - - - - - - - - -
-
- - - Self service (LAM Pro) - -
- Preparations - -
- OpenLDAP ACLs - - By default only a few administrative users have write access to - the LDAP database. Before your users may change their settings you - must allow them to change their LDAP data. - - Hint: The ACLs below are not required if you decide to run all - operations as the LDAP bind user (option "Use for all - operations"). - - This can be done by adding ACLs to your slapd.conf or - slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to - these: - - access to - - attrs=userPassword - - by self write - - by anonymous auth - - by * none - - - - - access to - - - attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail - - by self write - - by * read - - If you do not want them to change all attributes then reduce the - list to fit your needs. Some modules may require additional LDAP - attributes. You can use the tree view to get the technical attribute - names e.g. by selecting an user account. - - Usually, the slapd.conf file is located in /etc/ldap or - /etc/openldap. -
- -
- Other LDAP servers - - There exist many LDAP implementations. If you do not use - OpenLDAP you need to write your own ACLs. Please check the manual of - your LDAP server for instructions. -
-
- -
- Creating a self service profile - - A self service profile defines what input fields your users see - and some other general settings like the login caption. - - When you go to the LAM configuration page you will see the self - service link at the bottom. This will lead you to the self service - configuration pages - - - - - - - - - - Now we need to create a new self service profile. Click on the - link to manage the self service profiles. - - - - - - - - - - Specify a name for the new profile and enter your master - configuration password (default is "lam") to save the profile. - - - - - - - - - - Now go back to the profile login and enter your master - configuration password to edit your new profile. -
- -
- Edit your new profile - -
- General settings - - On top of the page you see the link to the user login page. Copy - this link address and give it to your users. - - Below the link you can specify several options. - - - - - - - - - - - General options - - - - - Server address - - The address of your LDAP server. For LDAP+SSL use - "ldaps://myserver" - - - - Activate TLS - - Activates TLS encryption. Please note that this cannot - be combined with LDAP+SSL ("ldaps://"). - - - - LDAP suffix - - The part of the LDAP tree where LAM should search for - users - - - - LDAP search attribute - - Here you can specify if your users can login with user - name + password, email + password or other attributes. - - - - Follow referrals - - By default LAM will not follow LDAP referrals. This is - ok for most installations. If you use LDAP referrals please - activate the referral option in advanced settings. - - - - LDAP user + password - - The DN and password which is used to search for users - in the LDAP database. It is sufficient if this DN has only - read rights. If you leave these fields empty LAM will try to - connect anonymously. - - - - Use for all operations - - By default LAM will use the credentials of the user - that logged in to self service for read/modify operations. If - you select this box then the connection user specified before - will be used instead. Please note that this can be a security - risk because the user requires write access to all users. You - need to make sure that your LAM server is well - protected. - - - - Additional LDAP filter - - Use this to enter an additional LDAP filter (e.g. - "(objectClass=passwordSelfReset)") to reduce the number of - accounts who may use self service. - - - - HTTP authentication - - You can enable HTTP authentication for your users. This - way the web server is responsible to authenticate your users. - LAM will use the given user name + password for the LDAP - login. To setup HTTP authentication in Apache please see this - link. 
- - - - Login attribute label - - This is the description for the LDAP search attribute. - Set it to something which your users are familiar - with. - - - - Password field label - - This text is placed as label for the password field on - the login page. LAM will use "Password" if you do not enter - any text. - - - - Login caption - - This text is displayed at the login page. You can input - HTML, too. - - - - Main page caption - - This text is displayed at self service main page where - your users change their data. You can input HTML, too. - - - - Page header - - This HTML code will be placed on top of all self - service pages. E.g. you can use this to place your custom - logo. Any HTML code is permitted. - - - - Additional CSS links - - Here you can specify additional CSS links to change the - layout of the self service pages. This is useful to adapt them - to your corporate design. Please enter one link per - line. - - - -
- - - -
2-factor authentication

LAM supports 2-factor authentication for your users. This means the user will not only authenticate by user+password but also with e.g. a token generated by a mobile device. This adds more security because the token is generated on a physically separate device (typically a mobile phone).

The token is validated by a second application. LAM currently supports:

privacyIDEA

By default LAM will enforce the use of a token and reject users that did not set one up. You can set this check to optional. But if a user has set up a token then it will always be required. Keep in mind that in optional mode an account without an enrolled token is protected by its password alone, so this setting is meant for the rollout phase.

After logging in with user + password LAM will ask for the 2nd factor. If the user has set up multiple factors then he can choose one of them.
-
- -
- Page layout - - Here you can specify what input fields your users can see. It is - also possible to group several input fields. - - Please use the arrow signs to change the order of the - fields/groups. - - You may also set some fields as read-only for your users. This - can be done by clicking on the lock symbol. Read-only fields can be - used to show your users additional data on the self service page that - must not be changed by themselves (e.g. first/last name). - - Sometimes, you may want to set a custom label for an input - field. Click on the edit icon to set your own label text (Personal: - Department is relabeled as "Business unit" here). - - - - - - - - - - Possible input fields - - This is a list of input fields you may add to the self service - page. - - - Self service fields - - - - - Account - type - - Option - - Description - - - - - - - - Asterisk (voicemail) - - Sync Asterisk password with Unix password - - This is a hidden field. It will update the Asterisk - password each time the Unix password is changed. - - - - - - - - Kerberos - - Sync Kerberos password with Unix password - - This is a hidden field. It will update the Kerberos - password each time the Unix password is changed. - - - - - - - - Kolab - - Delegates - - Allows to manage delegate permissions - - - - Invitation policy - - Invitation policy management - - - - - - - - Password policy - - Last password change - - read-only - - - - - - - - Password self reset - - Question - - Security question selection - - - - Answer - - Security answer - - - - Backup email - - (External) backup email address that has no relation to - user password. 
- - - - - - - - Personal - - Business category - - - - - - Car license - - - - - - Department - - - - - - Description - - - - - - Email address - - - - - - Fax number - - - - - - First name - - - - - - Home telephone number - - - - - - Initials - - - - - - Job title - - - - - - Last name - - - - - - Location - - - - - - Mobile number - - - - - - Office name - - - - - - Organisational unit - - - - - - Photo - - Shows the user photo if set. The user may also remove - the photo or upload a new one. - - - - Postal address - - - - - - Postal code - - - - - - Post office box - - - - - - Registered address - - - - - - Room number - - - - - - State - - - - - - Street - - - - - - Telephone number - - - - - - User certificates - - Upload of user certificates in PEM or DER - format - - - - User name - - - - - - Web site - - - - - - - - - - Samba 3 - - Password - - Input field to set a new NT/LM password. The attribute - "sambaPwdLastSet" is updated if it existed before. - - - - Sync Samba LM password with Unix password - - This is a hidden field. It will update the Samba LM - password each time the Unix password is changed. - - - - Sync Samba NT password with Unix password - - This is a hidden field. It will update the Samba NT - password each time the Unix password is changed. - - - - Update attribute "sambaPwdLastSet" on password - change - - Updates the password timestamp when password is - synchronized with Unix. - - - - Last password change (read-only) - - Displays the date and time of the user's last password - change. - - - - - - - - Shadow - - Last password change (read-only) - - Displays the date and time of the user's last password - change (Unix). 
- - - - - - - - Windows - - Password - - Change the user's password - - - - Location - - - - - - Office name - - - - - - Postal code - - - - - - Post office box - - - - - - State - - - - - - Street - - - - - - Telephone number - - - - - - Web site - - - - - - - - - - Unix - - Common name - - - - - - Login shell - - - - - - Password - - This is also the source for several password - synchronization options. - - - - Sync Unix password with Windows password - - This is a hidden field. It will update the Unix - password each time the Windows password is changed. - - - - - - - - Zarafa - - "Send as" privileges - - Define user who may send mails as this user - - - - Email aliases - - Email aliases - - - - - - - - PyKota - - Balance (read-only) - - Current balance for printing - - - - Total paid (read-only) - - Total money paid - - - - Payment history - - History of user payments - - - - Job history - - History of printed jobs - - - -
-
- -
- Module settings - - This allows to configure some module specific options (e.g. - custom scripts or password hash type). - - - - - - - - -
- -
- Samba 3 - - LAM Pro can check the password history and minimum age for Samba - 3 password changes. In this case please provide the LDAP suffix where - your Samba 3 domain(s) are stored. - - If you leave the field empty then no history and age checks will - be done. - - Password history: depending on your LDAP server you might need - ascending or descending order. Just switch the setting if the password - history is not correctly updated. - - - - - - - - -
- -
Password self reset

Schema installation

Please install the LDAP schema as described here.

Settings

You can allow your users to reset their passwords themselves. This will reduce your administrative costs for cases where users forget their passwords.

To enable this feature please activate the checkbox "Enable password self reset link".

Hint: Please note that LAM Pro uses security questions by default. Activate confirmation mails and then deactivate security questions if you want to use only email validation.

You can now configure the minimum answer length for password reset answers. This is checked when you allow your users to specify their answers via the self service. Additionally, you can specify the text of the password reset link (default: "Forgot password?"). The link is displayed below the password field on the self service login page.

Next, please enter the DN and password of an LDAP entry that is allowed to reset the passwords. This entry needs write access to the attributes shadowLastChange, pwdAccountLockedTime and userPassword. It also needs read access to uid, mail, passwordSelfResetQuestion and passwordSelfResetAnswer. Please note that LAM Pro saves this password on your server file system. Therefore, it is required to protect your server against unauthorised access. Since this entry can set any user's password, use a dedicated DN with exactly the rights listed above rather than your directory manager or LAM admin account.

Please also specify the list of password reset questions that the user can choose.

Please note that self service and LAM admin interface are separated functionalities. You need to specify the list of possible security questions in both self service profile(s) and server profile(s).

You can inform your users via mail about their password change. The mail can include the new password by using the special wildcard "@@newPassword@@". A mail containing it carries the password in clear text, so only use this wildcard if the mail transport and the users' mailboxes are trusted. Additionally, you may want to insert other wildcards that are replaced by the corresponding LDAP attributes. E.g.
- "@@uid@@" will be replaced by the user name. Please see email format option in case of broken mails. - See here for setting up your SMTP - server. - - - - LAM Pro can send your users an email with a confirmation link to - validate their email address. Of course, this should only be used if - the email account is independent from the user password (e.g. at - external provider) or you use the backup email address feature. The - mail body must include the confirmation link by using the special - wildcard "@@resetLink@@". Additionally, you may want to insert other - wildcards that are replaced by the corresponding LDAP attributes. E.g. - "@@uid@@" will be replaced by the user name. - - There is also an option to skip the security question at all if - email verification is enabled. In this case the password can be reset - directly after clicking on the confirmation link. Please handle with - care since anybody with access to the user's mail account can reset - the password. - - Troubleshooting: - - 1. You get messages like "Unable to find user account." - - This can have multiple reasons: - - - - security questions enabled but no security question and/or - answer set for this user - - - - user name + email combination does not exist - - - - no connection to LDAP server - - - - Turn on logging in LAM's main configuration settings. The exact - reason is logged on notice level. - - 2. You do not see security question and answer fields when - logged into self service. - - Probably, the user does not have the object class - "passwordSelfReset" set. You can do this in admin interface. If you - have multiple users to change then use the Multi Edit Tool to add the object - class. - - New fields for self service - page - - There are special fields that you may put on the self service - page for your users. These fields allow them to change the reset - questions and its answers. 
It is also possible to set a backup email - address to reset passwords with an external email address. - - - - - - - - - - This is an example how can be presented to your users on the - self service page: - - - - - - - - - - Password reset link - - After activating the password self reset feature there will be a - new link on the self service login page. The text can be configured as - described above (default: "Forgot password?"). - - - - - - - - - - When a user clicks on the link then he will be asked for - identification with his user name and email address. - - - - - - - - - - LAM Pro will use this information to find the correct LDAP entry - of this user. It then displays the user's security questions and input - fields for his new password. If the answer is correct then the new - password will be set. Additionally, pwdAccountLockedTime will be - removed and shadowLastChange updated to the current time if - existing. - - - - - - - - -
- -
User self registration

With LAM Pro your users can create their own accounts if you like. LAM Pro will display an additional link on the self service login page that allows your users to create a new account including email validation (see here for setting up your SMTP server).

You enable this feature in your self service profile. Just activate the checkbox "Enable self registration link".

Options:

Link text: This is the label for the link to the self registration. If empty "Register new account" will be used.

Admin DN and password: Please enter the LDAP DN and its password that should be used to create new users. This DN also needs to be able to do LDAP searches by uid in the self service part of your LDAP tree. As with the password reset DN, use a dedicated entry that may only add and search entries below the self service suffix.

Object classes: This is a list of object classes that are used to build the new user accounts. Please enter one object class in each line. If you use the LAM Pro password self reset feature then do not forget to add "passwordSelfReset" here.

Attributes: This is a list of additional attributes that the user can enter. Please note that user name, password and email address are mandatory anyway and need not be specified.

Each line represents one LDAP attribute. The settings are separated by "::". The first setting specifies the field type. The second setting is the LDAP attribute name. Depending on the field type you can enter additional options:

optional: An optional input field that is displayed on the registration page. Attribute name e.g. "givenName". First option: label that is displayed on the page. Second option: optional regular expression for validation (e.g. "/^[0-9a-zA-Z]+$/"). Third option: validation message if the value does not match the validation expression.

required: A required input field that is displayed on the registration page. Self registration cannot be done if such a field is left empty by the user. Attribute name e.g. "sn". First option: label that is displayed on the page. Second option: optional regular expression for validation (e.g. "/^[0-9a-zA-Z]+$/"). Third option: validation message if the value does not match the validation expression.

constant: Constant attribute value, not visible for the user. Can be used to set some initial values or data that must not be edited by the user. Attribute name e.g. "homeDirectory". First option: attribute value, supports wildcards to insert other attribute values (e.g. "@@uid@@").

autorange: Auto-numbering for attributes such as uidNumber. Will do a search for attribute values in the given range and use highest value + 1. Attribute name e.g. uidNumber. First option: LDAP search base, e.g. ou=people,dc=company,dc=com. Second option: minimum value, e.g. 1000. Third option: maximum value, e.g. 2000.
- - For a syntax description of validation expressions see here. Validation is - optional, you can leave these options blank. - - Example: - - optional::givenName::First name::/^[[:alnum:] ]+$/u::Please - enter a valid first name. - - required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a - valid last name. - - constant::homeDirectory::/home/@@uid@@ - - autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000 - - If you use the object class "inetOrgPerson" and do not provide - the "cn" attribute then LAM will set it to the user name value. - - - - - Please note that only simple input boxes are supported for - account registration. The user may log in to self service when his - account was created to manage all his attributes. - - - - - Captcha support - - LAM Pro can optionally display a captcha to verify that - registrations are not from robots. The supported captcha provider is - Google reCAPTCHA. You will need the site and secret key for your - domain. They can be retrieved from here: https://www.google.com/recaptcha - - Please note that your web server must be able to access - "https://www.google.com/recaptcha/api/siteverify" to verify the - captchas. Captchas will be displayed automatically when site+secret - key are filled. - - - - - - - - - - - - - User view: - - The user can register by clicking on a link on the self service - login page: - - - - - - - - - - Here he can insert the data that you specified in the self - service profile: - - - - - - - - - - LAM will then send him an email with a validation link that is - valid for 24 hours. When he clicks on this link then the account will - be created in the self service user suffix. The DN will look like - this: uid=<user name>,... - - Please see email format option in - case of broken mails. -
- -
- Custom fields (LAM Pro) - - This module allows you to manage LDAP attributes that are not - covered by the other LAM modules (e.g. if you use custom LDAP - schemas). You can fully define how your input fields look like: - - - - Label - - - - LDAP attribute name - - - - Unique name for field - - - - Help text - - - - Read-only display - - - - Field type: text, password, text area, checkbox, radio - buttons, select list, file upload - - - - Validation via regular expression - - - - Error message if validation fails - - - - To create custom fields for the Self Service please edit your - Self Service profile and switch to tab "Module settings". Here you can - add a new field. Simply fill the fields and press on "Add". - - Please note that the field name cannot be changed later. It is - the unique ID for this field. - - After you created your fields please press on "Sync fields with - page layout". Now you can switch to tab "Page layout" and add your new - fields like any other standard field. - - - - - - - - - - Examples for fields and their representation in Self - Service: - - Text field: - - Text fields allow to specify a validation - expression and error message. - - You can also enable auto-completion. In this case LAM will - search all accounts for the given attribute and provide - auto-completion hints when the user edits this field. This should only - be used if there is a limited number of different values for this - attribute. - - In case your field is a date value you can show a calendar for - easy editing. - - Example calendar formats: - - - - dd.mm.yy: 31.12.2016 - - - - yy-mm-dd: 2016-12-31 - - - - d M, y: 31 Dec, 16 - - - - d MM, y: 31 December, 2016 - - - - - - - - - - - - Presentation in Self Service: - - - - - - - - - - Password field: - - You can also manage custom password fields. LAM Pro will display - two fields where the user must enter the same password. You can hash - the password if needed. 
Presentation in Self Service:

Text area:

This adds a multi-line field. The options are similar to text fields. Additionally, you can set the size with the number of columns and rows.

Please note that the validation expression should be set to multi-line. This is done by adding "m" at the end. Be aware that with "m" the anchors "^" and "$" match at every line break, so the value passes as soon as one line matches the expression. If every line has to conform, anchor the expression with "\A" and "\z" and let the pattern cover the line breaks explicitly.

Presentation in Self Service:

Checkbox:

Sometimes you may want to allow only yes/no values for your LDAP attributes. This can be represented by a checkbox. You can specify the values for checked and unchecked. The default value is set if the LDAP attribute has no value.

Presentation in Self Service:

Radio buttons:

This displays a list of radio buttons where the user can select one value.

You can specify a mapping of LDAP attribute values and their display (label) on the Self Service page. To add more mapping fields please press "Add more mapping fields".

Presentation in Self Service:

Select list:

Select lists allow the user to select a value in a large list of options. The definition of the possible values and their display is similar to radio buttons.

You can also allow multiple values.

Presentation in Self Service:

Validation expressions:

The validation expressions follow the standard of Perl regular expressions. They start and end with a "/". The beginning of a line is specified by "^" and the end by "$".

Examples:

/^[a-z0-9]+$/ allows small letters and numbers. The value must not be empty ("+").

/^[a-z0-9]+$/i allows small and capital letters ("i" at the end means ignore case) and numbers. The value must not be empty ("+").

Special characters that must be escaped with "\" include "\", ".", "(", ")" and the other regular expression metacharacters ("[", "]", "*", "+", "?", "|", "/").

E.g. /^[a-z0-9\.]+$/i

File upload:

This is used for binary data.
You can restrict uploaded data to - a given file extension and set the maximum file size. - - - - - - - - - - Presentation: - - The uploaded data may also be downloaded via LAM. - - - - - - - - -
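The following Python is an added example, not LAM code, that models two pieces of syntax described on this page: the self registration attribute list ("type::attribute::options", with the optional, required, constant and autorange types and the "@@attr@@" wildcards that constant values and the password reset mail bodies use) and the "/pattern/flags" validation expressions that self registration and the custom fields share. The sample attribute list and the set of already used uidNumber values are constructed; the list stands in for the LDAP search an autorange field performs, and the cn fallback follows the manual. The manual's POSIX class "[[:alnum:]]" is not understood by Python's re module, so the sample uses plain character ranges.

```python
import re
from dataclasses import dataclass

KINDS = ("optional", "required", "constant", "autorange")


@dataclass
class FieldSpec:
    kind: str       # optional | required | constant | autorange
    attr: str       # LDAP attribute name
    options: list   # remaining "::" settings; their meaning depends on kind


def compile_validation(expr):
    """Turn a PHP-style "/pattern/flags" string into a compiled Python regex.

    i, m, s and x map to the re flags of the same name; u (UTF-8 mode in
    PHP) is a no-op because Python str is already Unicode."""
    m = re.fullmatch(r"/(.*)/([imsxu]*)", expr, re.DOTALL)
    if not m:
        raise ValueError(f"validation expression must look like /.../flags: {expr!r}")
    pattern, flags = m.groups()
    fl = 0
    for ch in flags:
        fl |= {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL,
               "x": re.VERBOSE, "u": 0}[ch]
    return re.compile(pattern, fl)


def parse_spec(text):
    """One attribute per line, settings separated by '::'; blank lines ignored."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("::")
        if len(parts) < 2 or parts[0] not in KINDS:
            raise ValueError(f"bad attribute line: {line!r}")
        specs.append(FieldSpec(parts[0], parts[1], parts[2:]))
    return specs


def expand_wildcards(template, values):
    """Replace @@name@@ wildcards (constant values, mail bodies) with values[name]."""
    def repl(m):
        name = m.group(1)
        if name not in values:
            raise KeyError(f"no value for wildcard @@{name}@@")
        return values[name]
    return re.sub(r"@@([A-Za-z0-9]+)@@", repl, template)


def next_autorange(used, lo, hi):
    """Highest value already used inside [lo, hi] plus one, or lo if none."""
    inside = [v for v in used if lo <= v <= hi]
    candidate = max(inside) + 1 if inside else lo
    if candidate > hi:
        raise ValueError(f"autorange {lo}-{hi} is exhausted")
    return candidate


def build_entry(specs, form, used_numbers):
    """Validate the submitted form and assemble the new entry's attributes.

    form holds what the user typed (uid, mail and password are mandatory
    anyway and therefore not part of the spec).  used_numbers maps a search
    base to the numeric values already present below it and stands in for the
    LDAP search an autorange field performs.  Returns (attrs, errors)."""
    attrs, errors = {}, {}
    for s in specs:
        if s.kind not in ("optional", "required"):
            continue
        label = s.options[0] if s.options else s.attr
        value = form.get(s.attr, "").strip()
        if not value:
            if s.kind == "required":
                errors[s.attr] = f"{label} must not be empty."
            continue
        if len(s.options) > 1 and s.options[1]:
            if not compile_validation(s.options[1]).search(value):
                errors[s.attr] = s.options[2] if len(s.options) > 2 else f"{label} is invalid."
                continue
        attrs[s.attr] = value
    if errors:
        return {}, errors
    values = {**form, **attrs}
    for s in specs:
        if s.kind == "constant":
            attrs[s.attr] = expand_wildcards(s.options[0], values)
        elif s.kind == "autorange":
            base, lo, hi = s.options[0], int(s.options[1]), int(s.options[2])
            attrs[s.attr] = str(next_autorange(used_numbers.get(base, []), lo, hi))
    attrs.setdefault("cn", form["uid"])   # manual: cn falls back to the user name
    return attrs, {}


# Constructed sample attribute list, after the manual's example.
SAMPLE_SPEC = """
optional::givenName::First name::/^[A-Za-z ]+$/::Please enter a valid first name.
required::sn::Last name::/^[A-Za-z ]+$/::Please enter a valid last name.
constant::homeDirectory::/home/@@uid@@
autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000
"""
# Constructed stand-in for the uidNumber values found below the search base.
SAMPLE_USED = {"ou=people,dc=company,dc=com": [10000, 10003, 10001, 25000]}

if __name__ == "__main__":
    specs = parse_spec(SAMPLE_SPEC)
    print(build_entry(specs, {"uid": "jdoe", "mail": "jdoe@example.com",
                              "givenName": "John", "sn": "Doe"}, SAMPLE_USED))
```

Validation uses search semantics like PHP's preg_match, which is why the anchors in the expression matter: without "^" and "$" a pattern that matches anywhere in the value passes.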
-
- -
- Adapt the self service to your corporate design - - LAM Pro allows you to integrate customs CSS style definitions and - design the header of all self service pages. This way you can integrate - you own logo and use your company's colors. - -
- Custom header - - The default LAM Pro header includes a logo and a horizontal - line. You can enter any HTML code here. It will be included in the - self services pages after the body tag. - - - - - - - - -
- -
- CSS files - - Usually, companies have regulations about their corporate design - and use common CSS files. This assures a common appearance of all - intranet pages (e.g. colors and fonts). To include additional CSS - files just use the following setting for this task. The additional CSS - links will be added after LAM Pro's default CSS link. This way you can - overwrite LAM Pro's style. - - - - - - - - -
-
-
- - - LDAP schema files - - Here is a list of needed LDAP schema files for the different LAM - modules. For OpenLDAP we also provide a source where you can get the - files. - - - LDAP schema files - - - - - - - Account type - - Object class(es) - - Schema name - - Source - - Notes - - - - - - - - - - - - Unix accounts - - posixAccount, shadowAccount, hostObject, posixGroup - - nis.schema, rfc2307bis.schema, ldapns.schema - (hostObject) - - Part of OpenLDAP installation, part of libpam-ldap - (ldapns.schema) - - The rfc2307bis.schema is only supported by LAM Pro. Use the - nis.schema if you do not want to upgrade to LAM Pro. - - - - - - - - - - Address book entries - - inetOrgPerson - - inetorgperson.schema - - Part of OpenLDAP installation - - - - - - - - - - - - Samba 3 accounts - - sambaSamAccount, sambaGroupMapping, sambaDomain - - samba.schema - - Part of Samba tarball (examples/LDAP/samba.schema) - - - - - - - - - - - - Windows AD (Samba 4) - - user, group, computer - - - - Samba 4 built-in - - - - - - - - - - - - Kolab 2/3 users - - kolabUser - - kolab2/3.schema, rfc2739.schema - - Part of Kolab 2/3 installation - - - - - - - - - - - - Asterisk (extension) - - AsteriskSIPUser, AsteriskExtension - - asterisk.schema - - Part of Asterisk installation - - - - - - - - - - - - PyKota users, groups, printers and billing codes - - pykotaObject, pykotaAccount, pykotaAccountBalance, - pykotaGroup, pykotaPrinter, pykotaBilling - - pykota.schema - - Part of PyKota installation - - - - - - - - - - - - Mail routing - - inetLocalMailRecipient - - misc.schema - - Part of OpenLDAP installation - - - - - - - - - - - - Hosts - - hostObject, device - - ldapns.schema - - Part of libpam-ldap installation - - The device object class is only available in LAM - Pro. 
- - - - - - - - - - Authorized services - - authorizedServiceObject - - ldapns.schema - - Part of libpam-ldap installation - - - - - - - - - - - - Mail aliases - - nisMailAlias - - misc.schema - - Part of OpenLDAP installation - - - - - - - - - - - - Qmail user - - qmailUser - - qmail.schema - - Part of qmail_ldap - - LAM Pro only - - - - - - - - - - MAC addresses - - ieee802device - - nis.schema - - Part of OpenLDAP installation - - - - - - - - - - - - IP addresses - - ipHost - - nis.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - Puppet - - puppetClient - - puppet.schema - - Puppet - on GitHub - - - - - - - - - - - - EDU person - - eduPerson - - eduperson.schema - - http://middleware.internet2.edu - - - - - - - - - - - - Simple Accounts - - account - - cosine.schema - - Part of OpenLDAP installation - - - - - - - - - - - - SSH public keys - - ldapPublicKey - - openssh-lpk.schema - - Included in patch from http://code.google.com/p/openssh-lpk/ - - - - - - - - - - - - Filesystem quotas - - systemQuotas - - quota.schema - - Linux - DiskQuota - - - - - - - - - - - - Group of (unique) names - - groupOfNames, groupOfUniqueNames, groupOfMembers - - core.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - Groups - - organizationalRole - - core.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - DHCP - - dhcpOptions, dhcpSubnet, dhcpServer - - dhcp.schema - - docs/schema/dhcp.schema - - The LDAP suffix should be set to your dhcpServer - entry. 
- - - - - - - - - - Bind DLZ DNS - - dlzZone, dlzHost, dlzSOARecord, dlzNSRecord, dlzARecord, - dlzMXRecord, dlzCNameRecord, dlzPTRRecord - - dlz.schema - - part of Bind - DLZ patch - - LAM Pro only - - - - - - - - - - Aliases - - alias, uidObject - - core.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - NIS netgroups - - nisNetgroup - - nis.schema - - Part of OpenLDAP installation - - - - - - - - - - - - NIS objects - - nisObject - - nis.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - Automount objects - - automount - - autofs.schema, rfc2307bis.schema - - Autofs LDAP - - LAM Pro only - - - - - - - - - - Oracle databases - - orclNetService - - oidbase.schema, oidnet.schema, oidrdbms.schema, - alias.schema - - Preinstalled on Oracle directory server, OpenLDAP schemas - can be downloaded e.g. here - - LAM Pro only - - - - - - - - - - Password policies - - pwdPolicy, device - - ppolicy.schema, core.schema - - Part of OpenLDAP installation - - LAM Pro only - - - - - - - - - - FreeRadius users - - radiusprofile - - openldap.schema - - Part of FreeRadius installation - - - - - - - - - - - - Heimdal Kerberos - - krb5KDCEntry - - hdb.schema - - Part of Heimdal Kerberos installation - - LAM Pro only - - - - - - - - - - MIT Kerberos - - krbPrincipal, krbPrincipalAux, krbTicketPolicyAux - - kerberos.schema - - Part of MIT Kerberos installation - - LAM Pro only - - - - - - - - - - Sudo roles - - sudoRole - - sudo.schema - - Part of sudo-ldap installation - - LAM Pro only - - - - - - - - - - Zarafa - - zarafa-user, zarafa-group, zarafa-server - - zarafa.schema - - Part of Zarafa installation - - LAM Pro only - - - - - - - - - - IMAP mailboxes - - - - - - - - - - - Does not require any schema. - - - - - - - - - - LDAP views - - nsview, organizationalunit - - built-in - - Part of LDAP server installation (e.g. 389 server) - - LAM Pro only - - - -
-
- - - Security - -
- LAM configuration passwords - - LAM supports a two level authorization system for its - configuration. Therefore, there are two types of configuration - passwords: - - - - master configuration - password: needed to change general settings, - create/delete server profiles and self service profiles - - - - server profile password: used - to change the settings of a server profile (e.g. LDAP server and - account types to manage) - - - - The master configuration password can be used to reset a server - profile password. Each server profile has its own profile - password. - - Both password types are stored as hash values in the configuration - files for enhanced security. -
- -
Use of SSL

The data which is transferred between you and LAM is very sensitive. Please always use SSL/TLS encrypted connections (HTTPS) between LAM and your browser to protect yourself against network sniffers.
- -
LDAP with SSL and TLS

SSL will be used if you use ldaps://servername in your configuration profile. TLS can be activated with the "Activate TLS" option (StartTLS on the plain ldap:// port; it cannot be combined with ldaps://).

If your LDAP server uses a SSL certificate of a well-known certificate authority (CA) then you probably need no changes. If you use a custom CA in your company then there are two ways to setup the CA certificates.
- Setup SSL certificates in LAM general settings - - This is much easier than system level setup and will only affect - LAM. There might be some cases where other web applications on the - same web server are influenced. - - See here for details. -
- -
- Setup SSL certificates on system level - - This will make the CA certificates available also to other - applications on your system (e.g. other web applications). - - You will need to setup ldap.conf to trust your server - certificate. Some installations use /etc/ldap.conf and some use - /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to - /etc/ldap/ldap.conf. Specify the server CA certificate with the - following option: - - TLS_CACERT /etc/ldap/ca/myCA/cacert.pem - - This needs to be the public part of the signing certificate - authority. See "man ldap.conf" for additional options. - - - - - You may also need to specify the CA certificate in your Apache - configuration by using the option "LDAPTrustedGlobalCert": - - LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem -
-
- -
Selinux

In case your server has selinux installed you might need to extend the selinux ruleset. E.g. your webserver might not be allowed to write in /var/lib.

Read selinux status

The following command will tell you if selinux is running in Enforcing or Permissive mode.

Enforcing: access that does not match rules is denied

Permissive: access that does not match rules is granted but logged to audit.log

getenforce

Set selinux to Permissive mode

This will just log any access violations. You will need this to get a list of missing rights. Do this on a test system or during a maintenance window, since selinux protection is switched off in the meantime.

setenforce Permissive

Now do any actions inside LAM that you need for your daily work (e.g. edit server profiles, manage LDAP entries, ...).

Extend selinux rules

Selinux now has logged any violations to audit.log. You can use this now to extend your ruleset and enable enforcing later.

The following example is for httpd. You can also adapt it to e.g. nginx.

# build additional selinux rules from audit.log
grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te

The httpdlocal.te might look like this:

module httpdlocal 1.0;

require {
        type httpd_t;
        type var_lib_t;
        class file { setattr write };
}

#============= httpd_t ==============

#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
allow httpd_t var_lib_t:file { setattr write };

Review the generated file before installing it: it allows everything that was logged during the Permissive run, and a rule like "allow httpd_t var_lib_t" gives the web server write access to every file carrying the generic var_lib_t label, not only LAM's. Where audit2allow prints a relabel hint as above, prefer that fix (semanage fcontext plus restorecon on LAM's config, sess and tmp directories) and keep the module only for what cannot be solved by labelling.

Now we can compile and install this rule:

# build module
checkmodule -M -m -o httpdlocal.mod httpdlocal.te
# package module
semodule_package -o httpdlocal.pp -m httpdlocal.mod
# install module
semodule -i httpdlocal.pp

Now you can switch back to Enforcing mode:

setenforce Enforcing

LAM should now work as expected with active selinux.
- -
- Chrooted servers - - If your server is chrooted and you have no access to /dev/random - or /dev/urandom this can be a security risk. LAM stores your LDAP - password encrypted in the session. LAM uses rand() to generate the key - if /dev/random and /dev/urandom are not accessible. Therefore the key - can be easily guessed. An attaker needs read access to the session file - (e.g. by another Apache instance) to exploit this. -
- -
- Protection of your LDAP password and directory contents - - You have to install the MCrypt extension for PHP to enable - encryption. - - Your LDAP password is stored encrypted in the session file. The - key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to - encrypt the password. All data that was read from LDAP and needs to be - stored in the session file is also encrypted. -
- -
- Apache configuration - -
- Sensitive directories - - LAM includes several .htaccess files to protect your - configuration files and temporary data. Apache is often configured to - not use .htaccess files by default. Therefore, please check your - Apache configuration and change the override setting to: - - AllowOverride All - - If you are experienced in configuring Apache then you can also - copy the security settings from the .htaccess files to your main - Apache configuration. - - If possible, you should not rely on .htaccess files but also - move the config and sess directory to a place outside of your WWW - root. You can put a symbolic link in the LAM directory so that LAM - finds the configuration/session files. - - Security sensitive directories: - - config: Contains your LAM - configuration and account profiles - - - - LAM configuration passwords (SSHA hashed) - - - - default values for new accounts - - - - directory must be accessibly by Apache but needs not to be - accessible by the browser - - - - sess: PHP session files - - - - LAM admin password in clear text or MCrypt encrypted - - - - cached LDAP entries in clear text or MCrypt encrypted - - - - directory must be accessibly by Apache but needs not to be - accessible by the browser - - - - tmp: temporary files - - - - PDF documents which may also include passwords - - - - images of your users - - - - directory contents must be accessible by browser but - directory itself needs not to be browseable - - -
- -
- Use LDAP HTTP authentication for LAM - - With HTTP authentication Apache will be responsible to ask for - the user name and password. Both will then be forwarded to LAM which - will use it to access LDAP. This approach gives you more flexibility - to restrict the number of users that may access LAM (e.g. by requiring - group memberships). - - First of all you need to load additional Apache modules. These - are "mod_ldap" - and "mod_authnz_ldap". - - Next you can add a file called "lam_auth_ldap" to - /etc/apache/conf.d. This simple example restricts access to all URLs - beginning with "lam" to LDAP authentication. - - <location /lam> - AuthType Basic - AuthBasicProvider ldap - AuthName "LAM" - AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid" - Require valid-user -</location> - - You can also require that your users belong to a certain Unix - group in LDAP: - - <location /lam> - AuthType Basic - AuthBasicProvider ldap - AuthName "LAM" - AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid" - Require valid-user - # force membership of lam-admins - AuthLDAPGroupAttribute memberUid - AuthLDAPGroupAttributeIsDN off - Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com -</location> - - Please see the Apache - documentation for more details. -
- -
- Self Service behind proxy in DMZ (LAM Pro) - - In some cases you might want to make the self service accessible - via the internet. Here is an Apache config to forward only the - required URLs via a proxy server (lamproxy.company.com) in your DMZ to - the internal LAM server (lam.company.com). - - - - - - - - This configuration allows your users to open - https://lamproxy.company.com which will then proxy the self service on - the internal server. - - <VirtualHost lamproxy.company.com:443> - ServerName lamproxy.company.com - ErrorLog /var/log/apache2/lam-proxy-error.log - CustomLog /var/log/apache2/lam-proxy-access.log combined - DocumentRoot /var/www/lam-proxy - <Proxy *> - Order deny,allow - Allow from all - </Proxy> - SSLProxyEngine on - SSLEngine on - SSLCertificateFile /etc/apache2/ssl/apache.pem - ProxyPreserveHost On - ProxyRequests off - loglevel info - - # redirect front page to self service login page - RewriteEngine on - RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&name=lam - - # proxy required URLs - ProxyPass /tmp https://lam.company.com/lam/tmp - ProxyPass /sess https://lam.company.com/lam/sess - ProxyPass /templates/lib https://lam.company.com/lam/templates/lib - ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService - ProxyPass /style https://lam.company.com/lam/style - ProxyPass /graphics https://lam.company.com/lam/graphics - - ProxyPassReverse /tmp https://lam.company.com/lam/tmp - ProxyPassReverse /sess https://lam.company.com/lam/sess - ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib - ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService - ProxyPassReverse /style https://lam.company.com/lam/style - ProxyPassReverse /graphics https://lam.company.com/lam/graphics -</VirtualHost> -
-
- -
- Nginx configuration - - There is no fully automatic setup of Nginx but LAM provides a - ready-to-use configuration file. - -
- RPM based installations - - The RPM package has dependencies on Apache. Therefore, Nginx is - not officially supported with this installation mode. Use tar.bz2 if - you are unsure. - - However, the package also includes an Nginx configuration file. - Please include it in your server directive like this: - - server { - ... - - include /etc/ldap-account-manager/lam.nginx.conf; - - ... -} -
- -
- DEB based installations - - The LAM installation package ships with an Nginx configuration - file. Please include it in your server directive like this: - - server { - ... - - include /etc/ldap-account-manager/lam.nginx.conf; - - ... -} -
- -
- tar.bz2 based installations - - Please add the following configuration snippet to your server - directive. - - You will need to change the alias location - ("/usr/share/ldap-account-manager") and fastcgi_pass - ("/var/run/php5-fpm.sock") to match your installation. - - location /lam { - index index.html; - alias /usr/share/ldap-account-manager; - autoindex off; - - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; - include fastcgi_params; - } - - location ~ /lam/(tmp/internal|sess|config|lib|help|locale) { - deny all; - return 403; - } - -} - -
-
-
- - - Typical OpenLDAP settings - - Some basic hints to configure the OpenLDAP server: - - Size - limit: - - You will get a message like "LDAP sizelimit exceeded, not all - entries are shown." when you hit the LDAP search limit. - - OpenLDAP allows by default 500 return values per search, if you have - more users/groups/hosts please change this: - - slapd.conf: - - e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return - values - - slapd.d: - - e.g. "olcSizeLimit: 10000" or "olcSizeLimit: -1" for unlimited - return values in /etc/ldap/slapd.d/cn=config.ldif - - - - - Unique - attributes: - - There are cases where you do not want that same attribute values - exist multiple times in your database. A good example are UID/GID - numbers. - - OpenLDAP provides the attribute - uniqueness overlay for this task. - - Example to force unique UID numbers: - - In - /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif add - "olcModuleLoad: {3}unique" (replace "3" with the highest existing number - plus one). - - Now in /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif add e.g. - "olcUniqueURI: ldap:///?uidNumber?sub" - - - - - Indices: - - Indices will improve the performance when searching for entries in - the LDAP directory. The following indices are recommended: - - - index objectClass eq - - index default sub - - index uidNumber eq - - index gidNumber eq - - index memberUid eq - - index cn,sn,uid,displayName pres,sub,eq - - # Samba 3.x - - index sambaSID eq - - index sambaPrimaryGroupSID eq - - index sambaDomainName eq - - - - - Setup of email (SMTP) server - - LAM always uses a local SMTP email server on the machine where LAM - is installed. Therefore, there is no need to configure any SMTP settings - inside LAM itself. - - The local email server should be configured to forward all emails to - your company mail server (so-called smarthost). You can use any SMTP - software that ships with a Sendmail wrapper (e.g. Exim, Postfix, QMail or - Sendmail itself). 
- - - - - - - - - - - - - - - - Setup for home directory and quota management - - Lamdaemon.pl is used to modify quota and home directories on a - remote or local host via SSH (even if homedirs are located on - localhost). - - If you want wo use it you have to set up the following things to get - it to work: - -
- Installation - - First of all, you need to install lamdaemon.pl on your remote - server where LAM should manage homedirs and/or quota. This is usually a - different server than the one where LAM is installed. But there is no - problem if it is the same. - - - - - - - - - - - - Debian based (e.g. also - Ubuntu) - - Please install the lamdaemon DEB package on your quota/homedir - server. - - RPM based (Fedora, CentOS, Suse, - ...) - - Please install the lamdaemon RPM package on your quota/homedir - server. - - Other - - Please copy lib/lamdaemon.pl from the LAM tar.bz2 package to your - quota/homedir server. The location may be anywhere (e.g. use - /opt/lamdaemon). Please make the lamdaemon.pl script executable. -
- -
- LDAP Account Manager configuration - - - - Set the remote or local host in the configuration (e.g. - 127.0.0.1) - - - - Path to lamdaemon.pl, e.g. - /srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a Debian or - RPM package then the script will be located at - /usr/share/ldap-account-manager/lib/lamdaemon.pl. - - - - Your LAM admin user must be a valid Unix account. It needs to - have the object class "posixAccount" and an attribute "uid". This - account must be accepted by the SSH daemon of your home directory - server. Do not create a second local account but change your system - to accept LDAP users. You can use LAM to add the Unix account part - to your admin user or create a new account. Please do not forget to - setup LDAP write access (ACLs) - if you create a new account. - - - - - - - - - - - - - - Note that the builtin admin/manager entries do not work for - lamdaemon. You need to login with a Unix account. - - - - - - - - - - OpenLDAP ACL location: - - The access rights for OpenLDAP are configured in - /etc/ldap/slapd.conf or - /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif. -
- -
- Setup sudo - - The perl script has to run as root. Therefore we need a wrapper, - sudo. Edit /etc/sudoers on host where homedirs or quotas should be used - and add the following line: - - $admin All= NOPASSWD: $path_to_lamdaemon * - - $admin is the admin user from - LAM (must be a valid Unix account) and - $path_to_lamdaemon is the path to - lamdaemon.pl. - - Example: - - myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl - * - - You might need to run the sudo command once manually to init sudo. - The command "sudo -l" will show all possible sudo commands of the - current user. - - Attention: Please do not use the - options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers. - Otherwise you might get errors like "you must have a tty to run sudo" or - "no tty present and no askpass program specified". -
- -
- Setup Perl - - We need an extra Perl module - Quota. To install it, run: - - - perl -MCPAN -e shell - - install Quota - - - If your Perl executable is not located in /usr/bin/perl you will - have to edit the path in the first line of lamdaemon.pl. If you have - problems compiling the Perl modules try installing a newer release of - your GCC compiler and the "make" application. - - Several Linux distributions already include a quota package for - Perl. -
- -
- Set up SSH - - Your SSH daemon must offer the password authentication method. To - activate it just use this configuration option in - /etc/ssh/sshd_config: - - PasswordAuthentication yes -
- -
- Troubleshooting - - If you have problems managing quotas and home directories then - these points might help: - - - - There is a test page for lamdaemon: Login to LAM and open - Tools -> Tests -> Lamdaemon test - - - - Check /var/log/auth.log or its equivalent on your system. This - file contains messages about all logins. If the ssh login failed - then you will find a description about the reason here. - - - - Set sshd in debug mode. In /etc/ssh/sshd_conf add these - lines: - - - SyslogFacility AUTH - - LogLevel DEBUG3 - - - Now check /var/log/syslog for messages from sshd. - - - - Error message "Your LAM admin user (...) - must be a valid Unix account to work with lamdaemon!": This - happens if you use the default LDAP admin/manager user to login to LAM. - Please see here and setup a Unix - account. -
-
- - - Setup password self reset schema (LAM Pro) - -
- New installation - - Please see here if you want to - upgrade an existing schema version. - - Schema installation - - Please install the schema that comes with LAM Pro. The schema - files are located in: - - - - tar.bz2: docs/schema - - - - DEB: /usr/share/doc/ldap-account-manager/docs/schema - - - - RPM: - /usr/share/doc/ldap-account-manager-{VERSION}/schema - - - - - - - OpenLDAP with slapd.conf - configuration - - For a configuration with slapd.conf-file copy - passwordSelfReset.schema to /etc/ldap/schema/ and add this line to - slapd.conf: - - include /etc/ldap/schema/passwordSelfReset.schema - - - - OpenLDAP with slapd.d - configuration - - For slapd.d configurations you need to upload the schema file - passwordSelfReset.ldif via ldapadd command: - - ldapadd -x -W -H ldap://localhost -D "cn=admin,o=test,c=de" -f - passwordSelfReset.ldif - - Please replace "localhost" with your LDAP server and - "cn=admin,o=test,c=de" with your LDAP admin user (usually starts with - cn=admin or cn=manager). - - - - - 389 server - - Please replace INSTANCE with installation ID, e.g. - slapd-389ds. - - cp passwordSelfReset-389server.ldif /etc/dirsrv/INSTANCE/schema/70pwdreset.ldif - systemctl restart dirsrv.target - - - - Samba 4 - - The schema files are passwordSelfReset-Samba4-attributes.ldif and - passwordSelfReset-Samba4-objectClass.ldif. - - First, you need to edit them and replace "DOMAIN_TOP_DN" with your - LDAP suffix (e.g. dc=samba4,dc=test). - - Then install the attribute and afterwards the object class schema - file: - - ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true - ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true - - - - Windows - - The schema file is passwordSelfReset-Windows.ldif. - - First, you need to edit it and replace "DOMAIN_TOP_DN" with your - LDAP suffix (e.g. dc=windows,dc=test). 
- - Then install the schema file as administrator on a command - line: - - ldifde -v -i -f passwordSelfReset-Windows.ldif - - - - This allows to set a security question + answer for each - account. -
- -
- Schema update - - The schema files are located in: - - - - tar.bz2: docs/schema/updates - - - - DEB: - /usr/share/doc/ldap-account-manager/docs/schema/updates - - - - RPM: - /usr/share/doc/ldap-account-manager-{VERSION}/schema/updates - - - - - - - Schema versions: - - - - Initial version (LAM Pro 3.6 - 4.4) - - - - Added passwordSelfResetBackupMail (LAM Pro 4.5 - 5.5) - - - - Multiple security questions (LAM Pro 5.6) - - - - - - - OpenLDAP with slapd.conf - configuration - - Install the schema file like a new install (skip - modification of slapd.conf file). - - - - - OpenLDAP with slapd.d - configuration - - The upgrade requires to stop the LDAP server. - - Steps: - - - - Stop OpenLDAP with e.g. "/etc/init.d/slapd stop" - - - - Delete the old schema file. It is located in e.g. - "/etc/ldap/slapd.d/cn=config/cn=schema" and called - "cn={XX}passwordselfreset.ldif" (XX can be any number) - - - - Start OpenLDAP with e.g. "/etc/init.d/slapd start" - - - - Install the schema file like a new install - - - - - - - Samba 4 - - Install the these update files by following the install - instructions in the file. In case you you upgrade with a version - difference of 2 or more you will need to apply all intermediate update - scripts. - - - - samba4_version_1_to_2_attributes.ldif (upgrade from version 1 - only) - - - - samba4_version_1_to_2_objectClass.ldif (upgrade from version 1 - only) - - - - samba4_version_2_to_3_attributes.ldif (upgrade from version - 2) - - - - samba4_version_2_to_3_objectClass.ldif (upgrade from version - 2) - - - - Please note that attributes file needs to be installed - first. - - - - - Windows - - Install the file(s) by following the install instructions in the - file. In case you you upgrade with a version difference of 2 or more you - will need to apply all intermediate update scripts. - - - - windows_version_1_to_2.ldif (upgrade from version 1 - only) - - - - windows_version_2_to_3.ldif (upgrade from version 2) - - -
-
- - - Adapt LAM to your corporate design - - There are cases where you might want to change LAM's default - look'n'feel to better integrate it in your company network. Changes can be - done like this: - - Change colors, fonts and other parts with - custom CSS - - You can integrate custom CSS files in LAM. It is recommended to - write a separate CSS file instead of modifying LAM's default files. - - The CSS files are located in - - DEB/RPM: /usr/share/ldap-account-manager/style - tar.bz2: style - - - LAM will automatically integrate all CSS files in alphabetical - order. E.g. you can create a file called "900_myCompany.css" which will be - added as last file. - - Example: - - This will change the background color of all pages to turquoise. See - 500_layout.css for LAM's default settings. - - body { - background-color: #b6eeff; -} - - - You can use the same way to change fonts, sizes and more. - - E.g. this will reduce the default font size to 80%: - - body { - font-size: 80%; -} - -.ui-button-text-only { - font-size: 100%; -} - -.ui-button-text-icon-primary { - font-size: 100%; -} - - - Custom logo/* image in login box */ -td.loginLogo { - background-image: url(/logos/mylogo.png); -} - -/* image (24x24) in header line */ -a.lamLogo { - background-image: url(/logos/mylogo.png); -} - - Other images - - All images are located in - - DEB/RPM: /usr/share/ldap-account-manager/graphics - tar.bz2: graphics - - Please note that if you replace images then you need to reapply your - changes every time you upgrade LAM. - - Special changes with custom - JavaScript - - In rare cases it might not be sufficient to write custom CSS or - replace some image files. E.g. you might want to add custom content to all - pages. - - For these cases you can add a custom JavaScript file that contains - your code. 
- - The JavaScript files are located in - - DEB/RPM: /usr/share/ldap-account-manager/templates/lib - tar.bz2: templates/lib - - LAM will automatically integrate all .js files in alphabetical - order. E.g. you can create a file called "900_myCompany.js" which will be - added as last file. - - Self service - - See here for self - service customisations. - - - - Clustering LAM - - LAM is a web application based on PHP. Therefore, clustering is not - directly a part of the application. - - But here are some hints to run LAM in a clustered - environment. - - Application parts: - - LAM can be divided into three parts - - - - Software - - - - Configuration files - - - - Session files and temporary data - - - - Software: - - This is the simplest part. Just install LAM on each cluster node. - Please note that if you run LAM Pro you will need either one license for - each active cluster node or a company license. - - Configuration files: - - These files include the LAM server profiles, account profiles, PDF - structures, ... Usually, they do not change frequently and can be put on a - shared file system (e.g. NFS, AFS, ...). - - Please link "config" or "/var/lib/ldap-account-manager/config" to a - directory on your shared file system. - - Session data and temporary - files: - - These are critical because the files may change on every page load. - There are basically two options: - - - - load balancer with session stickiness: In this case your load - balancer will forward all requests of a user to the same cluster node. - In this case you can keep the files locally on your cluster nodes. If - you already have a load balancer then this is the simplest solution - and performs best. The disadvantage is that if a node fails then all - users connected to this node will loose their session and need to - relogin. 
- - - - shared file system: This should only be used if your load - balancer does not support session stickiness or you use a different - system to distribute request across the cluster. A shared file system - will decrease performance for all page loads. - - - - Session data and temporary files are located in "tmp" + "sess" or - "/var/lib/ldap-account-manager/tmp" + - "/var/lib/ldap-account-manager/sess". - - - - Troubleshooting - -
- Reset configuration password - - The password for the server profiles can be reset using the master - configuration password. Open LAM configuration -> Edit server - profiles ->Manage server profiles for this. - - In case you lost your master configuration password you need to - manually edit the main configuration file (config.cfg) on the file - system. - - - - Locate config.cfg: On DEB/RPM installations it is in - /usr/share/ldap-account-manager/config and for tar.bz2 in config - folder. - - - - Locate the "password" entry in the file - - - - Replace the password hash after "password: " with your new - clear-text password (e.g. "secret") - - - - After the change the line should look like this: - - password: secret - - You can now login using your new password. Set the password once - again via GUI in main configuration settings. This will then put again a - hash value in the config.cfg file. -
- -
- Functional issues - - Size limit - - You will get a message like "LDAP sizelimit exceeded, not all - entries are shown." when you hit the LDAP search limit. - - - - OpenLDAP: See the OpenLDAP - settings to fix this. - - - - 389 server: set nsslapd-sizelimit in cn=config (may also be - set per user) - - - - other LDAP servers: please see your server - documentation - - - - - - - Invalid syntax errors: - - If you get any strange errors like "Invalid syntax" or "Invalid DN - syntax" please check if your LDAP schema matches LAM's - requirements. - - - - - Schema test: - - This can be done by running "Tools" -> "Tests" -> "Schema - test" inside LAM. - - If there are any object classes or attributes missing you will get - a notice. See LDAP schema files for a - list of used schemas. You may also want to deactive unused modules in - your LAM server profile (tab "Modules"). - - - - - - - - - - -LDAP Logging: - - If your schema is correct you can turn on LDAP logging to get more - detailed error messages from your LDAP server. - - - - - OpenLDAP logging: - - - - slapd.conf: In /etc/ldap/slapd.conf turn logging on with the - line "loglevel 256". - - - - slapd.d: In /etc/ldap/slapd.d/cn=config.ldif please change the - attribute "olcLogLevel" to "Stats". Please add a line "olcLogLevel: - Stats" if the attribute is missing. - - - - After changing the configuration please restart OpenLDAP. It - usually uses /var/log/syslog for log output. - - - - - PHP logging - - Sometimes it can help to enable PHP logging inside LAM. You can do - this in the logging area of LAM's - main configuration. Set the logging option to "all" and check if there - are any messages printed in your browser window. Please note that not - every notice message is an error but it may help to find the - problem. -
- -
- Performance issues - - LAM is tested to work with 10000 users with acceptable - performance. If you have a larger directory or slow hardware then here - are some points to increase performance. - - - - - The first step is to check if performance problems are caused by - the LAM web server or the LDAP server. Please check which machine - suffers from high system load (CPU/memory consumption). - - High network latency may also be a problem. For large - installations please make sure that LAM web server and LDAP server are - located in the same building/server room. - - If you run LAM on multiple nodes (DNS load balancing/hardware load - balancer) then also check the clustering - section. - -
- LDAP server - - Use indices - - Depending on the queries it may help to add some more indices on - the LDAP server. Depending on your LDAP software it may already - suggest indices in its log files. See here for typical OpenLDAP indices. - - - - - Reduce query results by splitting LDAP - management into multiple server profiles - - If you manage a very large directory then it might already be - separated into multiple subtrees (e.g. by country, subsidiary, ...). - Do not use a single LAM server profile to manage your whole directory. - Use different server profiles for each separated LDAP subtree where - possible (e.g. one for German users and one for French ones). - - - - - Limit query results - - LAM allows to set an LDAP search - limit for each server profile. This will limit the number of - entries returned by your LDAP server. Use with caution because it can - cause problems (e.g. with automatic UID generation) when LAM is not - able to read all entries. - - - - - - - - -
- -
- LAM web server - - Install a PHP - accelerator - - There are tools like APC/OpCache (free) - or Zend - Server (commercial) that provide caching of PHP pages to - improve performance. They will reduce the time for parsing the PHP - pages and IO load. - - This is a simply way to enhance performance since APC/OpCache is - part of most Linux distributions. - - If you use APC then make sure that it uses enough memory (e.g. - "apc.shm_size=128M"). You can check the memory usage with the file - apc.php that is shipped with APC. - - - - - - - - - - - - - OpCache statistics can be shown with opcache-status. - - - - - - - - - - Disable session - encryption - - LAM encrypts sensitive data in your session files. You can disable it to reduce CPU - load. - - - - - - - - -
-
-
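Review bot: the removed side of this hunk drops the "Chrooted servers" and "Protection of your LDAP password and directory contents" subsections (the rand()-fallback caveat and the MCrypt/AES session-encryption note) together with the "Sensitive directories" guidance for config, sess and tmp; because the hunk rewrites the whole chapter and only the removed lines are reviewable here, please confirm the replacement text still carries equivalent guidance on where the LDAP password and cached directory data live and how they are protected, or state in the commit message that dropping it is intentional (for example if MCrypt is no longer used). A second point in the same removed block is an internal inconsistency worth not carrying over: the DMZ proxy example contains `ProxyPass /sess https://lam.company.com/lam/sess` and `ProxyPassReverse /sess https://lam.company.com/lam/sess`, while the "Sensitive directories" text says the sess directory "needs not to be accessible by the browser" and the tar.bz2 Nginx snippet explicitly denies `/lam/(tmp/internal|sess|config|lib|help|locale)`; if the proxy example survives in the new text, the two /sess lines should go. Minor: the same example uses the Apache 2.2 access syntax `Order deny,allow` / `Allow from all`, so if the manual now targets Apache 2.4 the equivalent `Require` form would be the one to document.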
diff --git a/lam/docs/manual-sources/images/configProfiles11.png b/lam/docs/manual-sources/images/configProfiles11.png new file mode 100644 index 00000000..64ae4ea8 Binary files /dev/null and b/lam/docs/manual-sources/images/configProfiles11.png differ diff --git a/lam/docs/manual-sources/images/configProfiles12.png b/lam/docs/manual-sources/images/configProfiles12.png new file mode 100644 index 00000000..58458a8e Binary files /dev/null and b/lam/docs/manual-sources/images/configProfiles12.png differ diff --git a/lam/docs/manual-sources/images/configProfiles13.png b/lam/docs/manual-sources/images/configProfiles13.png new file mode 100644 index 00000000..f58ec4cf Binary files /dev/null and b/lam/docs/manual-sources/images/configProfiles13.png differ diff --git a/lam/docs/manual-sources/images/configProfiles7.png b/lam/docs/manual-sources/images/configProfiles7.png index e2bfff4f..8ea5c351 100644 Binary files a/lam/docs/manual-sources/images/configProfiles7.png and b/lam/docs/manual-sources/images/configProfiles7.png differ diff --git a/lam/docs/manual-sources/images/configProfiles8.png b/lam/docs/manual-sources/images/configProfiles8.png index 099db889..f6d5e3e3 100644 Binary files a/lam/docs/manual-sources/images/configProfiles8.png and b/lam/docs/manual-sources/images/configProfiles8.png differ