2-factor documentation
@ -4,15 +4,13 @@
<chapter id="a_configuration">
<title>Configuration</title>

<para>After you <link linkend="a_installation">installed</link> LAM you
can configure it to fit your needs. The complete configuration can be done
inside the application. There is no need to edit configuration
files.</para>
<para>After you <link linkend="a_installation">installed</link> LAM you can
configure it to fit your needs. The complete configuration can be done
inside the application. There is no need to edit configuration files.</para>

<para>Please point you browser to the location where you installed LAM.
E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM
via the tar.bz2 then this may vary. You should see the following
page:</para>
<para>Please point you browser to the location where you installed LAM. E.g.
for Debian/RPM this is http://yourServer/lam. If you installed LAM via the
tar.bz2 then this may vary. You should see the following page:</para>

<screenshot>
<mediaobject>
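Review bot: the typo "point you browser" in the "Please point you browser to the location where you installed LAM" paragraph survives the reflow; both the old and the new version of that line should read "point your browser".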
@ -23,8 +21,8 @@
</screenshot>

<para>If you see an error message then you might need to install an
additional PHP extension. Please follow the instructions and reload the
page afterwards.</para>
additional PHP extension. Please follow the instructions and reload the page
afterwards.</para>

<para>Now you are ready to configure LAM. Click on the "LAM configuration"
link to proceed.</para>
@ -37,18 +35,18 @@
</mediaobject>
</screenshot>

<para>Here you can change LAM's general settings, setup server profiles
for your LDAP server(s) and configure the <link
linkend="a_selfService">self service</link> (LAM Pro). You should start
with the general settings and then setup a server profile.</para>
<para>Here you can change LAM's general settings, setup server profiles for
your LDAP server(s) and configure the <link linkend="a_selfService">self
service</link> (LAM Pro). You should start with the general settings and
then setup a server profile.</para>

<section id="generalSettings">
<title>General settings</title>

<para>After selecting "Edit general settings" you will need to enter the
<link linkend="a_configPasswords">master configuration password</link>.
The default password for new installations is "lam". Now you can edit
the general settings.</para>
The default password for new installations is "lam". Now you can edit the
general settings.</para>

<section>
<title>License (LAM Pro only)</title>
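Review bot: the sentence "The default password for new installations is "lam"" should be followed by an instruction to change that default immediately after installation, with a link to the "Change master password" section that this chapter already contains; the reflow leaves the default stated without that step. Minor style point in the same hunk: "setup server profiles" and "then setup a server profile" use the verb, so "set up" in both places.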
@ -80,9 +78,9 @@

<para>You may also set a list of IP addresses which are allowed to
access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
access LAM via an untrusted IP only get blank pages. There is a
separate field for LAM Pro self service.</para>
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to access
LAM via an untrusted IP only get blank pages. There is a separate field
for LAM Pro self service.</para>

<para id="sessionEncryption">Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when
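Review bot: the IP allow-list paragraph ("You may also set a list of IP addresses which are allowed to access LAM") does not say which address is compared, the direct peer address the web server sees or a forwarded client address; behind a reverse proxy or load balancer that difference decides whether the list restricts anything at all, so one sentence stating what LAM compares would let admins judge the setting.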
@ -102,17 +100,17 @@
<para id="conf_sslCert"><emphasis role="bold">SSL certificate
setup:</emphasis></para>

<para>By default, LAM uses the CA certificates that are preinstalled
on your system. This will work if you connect via SSL/TLS to an LDAP
server that uses a certificate signed by a well-known CA. In case you
use your own CA (e.g. company internal CA) you can import the CA
certificates here.</para>
<para>By default, LAM uses the CA certificates that are preinstalled on
your system. This will work if you connect via SSL/TLS to an LDAP server
that uses a certificate signed by a well-known CA. In case you use your
own CA (e.g. company internal CA) you can import the CA certificates
here.</para>

<para>Please note that this can affect other web applications on the
same server if they require different certificates. There seem to be
problems on Debian systems and you may also need to restart Apache. In
case of any problems please delete the uploaded certificates and use
the <link linkend="ssl_certSystem">system setup</link>.</para>
case of any problems please delete the uploaded certificates and use the
<link linkend="ssl_certSystem">system setup</link>.</para>

<para>You can either upload a DER/PEM formatted certificate file or
import the certificates directly from an LDAP server that is available
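Review bot: "There seem to be problems on Debian systems and you may also need to restart Apache" is too vague to act on; name the symptom (or cite the bug report) and state when the Apache restart is actually needed, otherwise readers cannot tell whether the caveat applies to their installation.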
@ -137,10 +135,10 @@
<section>
<title>Password policy</title>

<para>This allows you to specify a central password policy for LAM.
The policy is valid for all password fields inside LAM admin
(excluding tree view) and LAM self service. Configuration passwords do
not need to follow this policy.</para>
<para>This allows you to specify a central password policy for LAM. The
policy is valid for all password fields inside LAM admin (excluding tree
view) and LAM self service. Configuration passwords do not need to
follow this policy.</para>

<screenshot>
<mediaobject>
@ -150,23 +148,22 @@
</mediaobject>
</screenshot>

<para>You can set the minimum password length and also the complexity
of the passwords.</para>
<para>You can set the minimum password length and also the complexity of
the passwords.</para>
</section>

<section id="conf_logging">
<title>Logging</title>

<para>LAM can log events (e.g. user logins). You can use system
logging (syslog for Unix, event viewer for Windows) or log to a
separate file. Please note that LAM may log sensitive data (e.g.
passwords) at log level "Debug". Production systems should be set to
"Warning" or "Error".</para>
<para>LAM can log events (e.g. user logins). You can use system logging
(syslog for Unix, event viewer for Windows) or log to a separate file.
Please note that LAM may log sensitive data (e.g. passwords) at log
level "Debug". Production systems should be set to "Warning" or
"Error".</para>

<para>The PHP error reporting is only for developers. By default LAM
does not show PHP notice messages in the web pages. You can select to
use the php.ini setting here or printing all errors and
notices.</para>
use the php.ini setting here or printing all errors and notices.</para>

<screenshot>
<mediaobject>
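Review bot: the Logging paragraph warns that level "Debug" may log passwords, but the "log to a separate file" option gets no matching advice; add a sentence that such a file must be readable by the web server user only (and never live under the document root), since at Debug level it holds exactly the sensitive data the warning refers to.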
@ -180,8 +177,7 @@
<section>
<title>Additional options</title>

<para id="mailEOL"><emphasis role="bold">Email
format</emphasis></para>
<para id="mailEOL"><emphasis role="bold">Email format</emphasis></para>

<para>Some email servers are not standards compatible. If you receive
mails that look broken you can change the line endings for sent mails
@ -189,8 +185,7 @@

<para>At the moment, this option is only available in LAM Pro as there
is no mail sending in the free version. See <link
linkend="mailSetup">here</link> for setting up your SMTP
server.</para>
linkend="mailSetup">here</link> for setting up your SMTP server.</para>

<screenshot>
<mediaobject>
@ -204,8 +199,8 @@
<section>
<title>Change master password</title>

<para>If you would like to change the master configuration password
then enter a new password here.</para>
<para>If you would like to change the master configuration password then
enter a new password here.</para>

<screenshot>
<mediaobject>
@ -240,13 +235,13 @@
</mediaobject>
</screenshot>

<para>Here you can create, rename and delete server profiles. The
<link linkend="a_configPasswords">passwords</link> of your server
profiles can also be reset.</para>
<para>Here you can create, rename and delete server profiles. The <link
linkend="a_configPasswords">passwords</link> of your server profiles can
also be reset.</para>

<para>You may also specify the default server profile. This is the
server profile which is preselected at the login page. It also
specifies the language of the login and configuration pages.</para>
server profile which is preselected at the login page. It also specifies
the language of the login and configuration pages.</para>

<para><emphasis role="bold">Templates for new server
profiles</emphasis></para>
@ -287,15 +282,14 @@

<para>All operations on the profile management page require that you
authenticate yourself with the <link
linkend="a_configPasswords">configuration master
password</link>.</para>
linkend="a_configPasswords">configuration master password</link>.</para>
</section>

<section>
<title>Editing a server profile</title>

<para>Please select you server profile and enter its password to edit
a server profile.</para>
<para>Please select you server profile and enter its password to edit a
server profile.</para>

<screenshot>
<mediaobject>
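Review bot: typo in "Please select you server profile and enter its password", present in both the old and the reflowed version of the line; it should read "your server profile".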
@ -316,8 +310,8 @@

<listitem>
<para><emphasis role="bold">Account types:</emphasis> list of
account types (e.g. users and groups) that you would like to
manage and type specific settings (e.g. LDAP suffix)</para>
account types (e.g. users and groups) that you would like to manage
and type specific settings (e.g. LDAP suffix)</para>
</listitem>

<listitem>
@ -353,17 +347,17 @@
specified with ldaps://. The port value is optional. TLS cannot be
combined with ldaps://.</para>

<para>Hint: If you use a master/slave setup with referrals then
point LAM to your master server. Due to bugs in the underlying LDAP
<para>Hint: If you use a master/slave setup with referrals then point
LAM to your master server. Due to bugs in the underlying LDAP
libraries pointing to a slave might cause issues on write
operations.</para>

<para>LAM includes an LDAP browser which allows direct modification
of LDAP entries. If you would like to use it then enter the LDAP
suffix at "Tree suffix".</para>
<para>LAM includes an LDAP browser which allows direct modification of
LDAP entries. If you would like to use it then enter the LDAP suffix
at "Tree suffix".</para>

<para>The search limit is used to reduce the number of search
results which are returned by your LDAP server.</para>
<para>The search limit is used to reduce the number of search results
which are returned by your LDAP server.</para>

<para>The access level specifies if LAM should allow to modify LDAP
entries. This feature is only available in LAM Pro. LAM non-Pro
@ -373,8 +367,8 @@

<para><emphasis role="bold">Advanced options</emphasis></para>

<para>Sometimes, you may not want to display the server address on
the login page. In this case you can setup a display name here (e.g.
<para>Sometimes, you may not want to display the server address on the
login page. In this case you can setup a display name here (e.g.
"Production").</para>

<para>By default LAM will not follow LDAP referrals. This is ok for
@ -402,14 +396,14 @@
</mediaobject>
</screenshot>

<para>LAM can manage user home directories and quotas with an
external script. You can specify the home directory server and where
the script is located. The default rights for new home directories
can be set, too.</para>
<para>LAM can manage user home directories and quotas with an external
script. You can specify the home directory server and where the script
is located. The default rights for new home directories can be set,
too.</para>

<para>You can provide a fixed user name. If you leave the field
empty then LAM will use your current account (the account you used
to login to LAM).</para>
<para>You can provide a fixed user name. If you leave the field empty
then LAM will use your current account (the account you used to login
to LAM).</para>

<para>There are two possibilities to connect to your home
directory/quota server:</para>
@ -424,8 +418,8 @@

<listitem>
<para>Password: If you do not set a SSH key then LAM will try to
connect with your current account (the password you used to
login to LAM).</para>
connect with your current account (the password you used to login
to LAM).</para>
</listitem>
</itemizedlist>

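Review bot: style point in the "Password:" list item, in both the old and reflowed lines: "a SSH key" should be "an SSH key".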
@ -437,9 +431,9 @@
</mediaobject>
</screenshot>

<para id="profile_mail">LAM Pro users may directly set passwords
from list view. You can configure if it should be possible to set
specific passwords and showing password on screen is allowed.</para>
<para id="profile_mail">LAM Pro users may directly set passwords from
list view. You can configure if it should be possible to set specific
passwords and showing password on screen is allowed.</para>

<screenshot>
<mediaobject>
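Review bot: the id "profile_mail" is attached to the paragraph about setting passwords directly from list view, while the paragraph that actually describes password mails ("LAM Pro users can send out changed passwords to their users") is the next one; if the id is meant as the link target for the mail options, move it to that paragraph, otherwise rename it to match the content it marks.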
@ -452,9 +446,9 @@
<para>LAM Pro users can send out changed passwords to their users.
Here you can specify the options for these mails.</para>

<para>If you select "Allow alternate address" then password mails
can be sent to any address (e.g. a secondary address if the user
account is also bound to the mailbox).</para>
<para>If you select "Allow alternate address" then password mails can
be sent to any address (e.g. a secondary address if the user account
is also bound to the mailbox).</para>

<screenshot>
<mediaobject>
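Review bot: "Allow alternate address" is described only as a convenience; the paragraph should also state the consequence, namely that with it enabled a new password can be mailed to an address that is not stored in the directory, so admins can decide whether that fits their environment before switching it on.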
@ -464,7 +458,17 @@
</mediaobject>
</screenshot>

<para>LAM supports two methods for login.</para>
<para>LAM supports two methods for login:</para>

<itemizedlist>
<listitem>
<para>Fixed list</para>
</listitem>

<listitem>
<para>LDAP search</para>
</listitem>
</itemizedlist>

<screenshot>
<mediaobject>
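Review bot: the new itemizedlist names the two login methods ("Fixed list", "LDAP search") without any description, and the explanatory text that follows refers back to them as "The second one"; give each list item a short clause or an xref so the list reads on its own.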
@ -479,26 +483,25 @@

<para>The second one is to let LAM search for the DN in your
directory. E.g. if a user logs in with the user name "joe" then LAM
will do an LDAP search for this user name. When it finds a matching
DN then it will use this to authenticate the user. The wildcard
"%USER%" will be replaced by "joe" in this example. This way you can
provide login by user name, email address or other LDAP
attributes.</para>
will do an LDAP search for this user name. When it finds a matching DN
then it will use this to authenticate the user. The wildcard "%USER%"
will be replaced by "joe" in this example. This way you can provide
login by user name, email address or other LDAP attributes.</para>

<para>Additionally, you can enable HTTP authentication when using
"LDAP search". This way the web server is responsible to
authenticate your users. LAM will use the given user name + password
for the LDAP login. You can also configure this to setup advanced
login restrictions (e.g. require group memberships for login). To
setup HTTP authentication in Apache please see this <ulink
"LDAP search". This way the web server is responsible to authenticate
your users. LAM will use the given user name + password for the LDAP
login. You can also configure this to setup advanced login
restrictions (e.g. require group memberships for login). To setup HTTP
authentication in Apache please see this <ulink
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>
and an example for LDAP authentication <link lang=""
linkend="apache_http_auth">here</link>.</para>

<para><emphasis role="bold">Hint:</emphasis> LDAP search with group
membership check can be done with either <link
linkend="apache_http_auth">HTTP authentication</link> or LDAP
overlays like <ulink
linkend="apache_http_auth">HTTP authentication</link> or LDAP overlays
like <ulink
url="http://www.openldap.org/doc/admin24/overlays.html">"memberOf"</ulink>
or <ulink
url="http://www.openldap.org/doc/admin24/overlays.html">"Dynamic
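Review bot: the `<link lang="" linkend="apache_http_auth">` in the HTTP authentication paragraph carries an empty lang attribute that looks like editor residue and should be dropped. In the same hunk, the "%USER%" paragraph invites admins to match the login name against "user name, email address or other LDAP attributes" but does not say whether the substituted value is escaped for LDAP filter syntax before the search runs; one sentence stating that would save readers from having to guess.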
@ -514,8 +517,60 @@
</mediaobject>
</screenshot>

<para>You may also change the password of this server profile.
Please just enter the new password in both password fields.</para>
<para><emphasis role="bold">2-factor authentication</emphasis></para>

<para>LAM supports 2-factor authentication for your users. This means
the user will not only authenticate by user+password but also with
e.g. a token generated by a mobile device. This adds more security
because the token is generated on a physically separated device
(typically mobile phone).</para>

<para>The token is validated by a second application. LAM currently
supports:</para>

<itemizedlist>
<listitem>
<para><ulink
url="https://www.privacyidea.org/">privacyIdea</ulink></para>
</listitem>
</itemizedlist>

<para>By default LAM will enforce to use a token and reject users that
did not setup one. You can set this check to optional. But if a user
has setup a token then this will always be required.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configProfiles11.png" />
</imageobject>
</mediaobject>
</screenshot>

<para>After logging in with user + password LAM will ask for the 2nd
factor. If the user has setup multiple factors then he can choose one
of them.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configProfiles12.png" />
</imageobject>
</mediaobject>
</screenshot>

<para><emphasis role="bold">Password</emphasis></para>

<para>You may also change the password of this server profile. Please
just enter the new password in both password fields.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configProfiles13.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
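Review bot: the paragraph "By default LAM will enforce to use a token and reject users that did not setup one" leaves two things undocumented that an admin needs before enabling this: what LAM does when the privacyIdea server is unreachable or returns an error (is the login rejected, or does it fall back to password only), and whether "optional" lets a user without a token keep logging in indefinitely or only until enrolment. Grammar in the same lines: "enforce the use of a token", "did not set up one", "has set up a token".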
@ -545,18 +600,18 @@
</listitem>

<listitem>
<para><emphasis role="bold">List attributes:</emphasis> a list
of attributes which are shown in the account lists</para>
<para><emphasis role="bold">List attributes:</emphasis> a list of
attributes which are shown in the account lists</para>
</listitem>

<listitem>
<para><emphasis role="bold">Additional LDAP filter:</emphasis>
LAM will automatically detect the right LDAP entries for each
account type. This can be used to further limit the number of
visible entries (e.g. if you want to manage only some specific
groups). You can use "@@LOGIN_DN@@" as wildcard (e.g.
"(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the
user who is logged in.</para>
<para><emphasis role="bold">Additional LDAP filter:</emphasis> LAM
will automatically detect the right LDAP entries for each account
type. This can be used to further limit the number of visible
entries (e.g. if you want to manage only some specific groups).
You can use "@@LOGIN_DN@@" as wildcard (e.g.
"(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the user
who is logged in.</para>
</listitem>

<listitem>
@ -569,32 +624,32 @@

<listitem>
<para><emphasis role="bold">Read-only (LAM Pro only):</emphasis>
This allows to set a single account type to read-only mode.
Please note that this is a restriction on functional level (e.g.
group memberships can be changed on user page even if groups are
This allows to set a single account type to read-only mode. Please
note that this is a restriction on functional level (e.g. group
memberships can be changed on user page even if groups are
read-only) and is no replacement for setting up proper ACLs on
your LDAP server.</para>
</listitem>

<listitem>
<para><emphasis role="bold">Custom label:</emphasis> Here you
can set a custom label for the account types. Use this if the
standard label does not fit for you (e.g. enter "Servers" for
<para><emphasis role="bold">Custom label:</emphasis> Here you can
set a custom label for the account types. Use this if the standard
label does not fit for you (e.g. enter "Servers" for
hosts).</para>
</listitem>

<listitem>
<para><emphasis role="bold">No new entries (LAM Pro
only):</emphasis> Use this if you want to prevent that new
accounts of this type are created by your users. The GUI will
hide buttons to create new entries and also disable file upload
for this type.</para>
accounts of this type are created by your users. The GUI will hide
buttons to create new entries and also disable file upload for
this type.</para>
</listitem>

<listitem>
<para><emphasis role="bold">Disallow delete (LAM Pro
only):</emphasis> Use this if you want to prevent that accounts
of this type are deleted by your users.</para>
only):</emphasis> Use this if you want to prevent that accounts of
this type are deleted by your users.</para>
</listitem>
</itemizedlist>

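Review bot: the "no replacement for setting up proper ACLs on your LDAP server" caveat is given only for the Read-only option, but "No new entries" and "Disallow delete" are GUI-level restrictions of the same kind ("The GUI will hide buttons to create new entries"); repeat the caveat for those two items, or move it above the list so it visibly covers all three.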
@ -613,9 +668,9 @@
<section>
<title>Modules</title>

<para>The modules specify the active extensions for each account
type. E.g. here you can setup if your user entries should be address
book entries only or also support Unix or Samba.</para>
<para>The modules specify the active extensions for each account type.
E.g. here you can setup if your user entries should be address book
entries only or also support Unix or Samba.</para>

<screenshot>
<mediaobject>
@ -640,9 +695,9 @@

<para>Depending on the activated account modules there may be
additional configuration options available. They can be found on the
"Module settings" tab. E.g. the Personal account module allows to
hide several input fields and the Unix module requires to specify
ranges for UID numbers.</para>
"Module settings" tab. E.g. the Personal account module allows to hide
several input fields and the Unix module requires to specify ranges
for UID numbers.</para>

<screenshot>
<mediaobject>
@ -657,8 +712,8 @@
<section>
<title>Cron jobs (LAM Pro)</title>

<para>LAM Pro can execute common tasks via cron job. This can be used
to e.g. notify your users before their passwords expire.</para>
<para>LAM Pro can execute common tasks via cron job. This can be used to
e.g. notify your users before their passwords expire.</para>

<section>
<title>LDAP and database configuration</title>
@ -673,8 +728,8 @@
<para><emphasis role="bold">SQLite</emphasis></para>

<para>This is a simple file based database. It needs no special
database server. The database file will be located next to the
server profile in config directory.</para>
database server. The database file will be located next to the server
profile in config directory.</para>

<para>You will need to install the SQLite PDO module for PHP
(pdo_sqlite.so). For Debian this is located in package
@ -722,15 +777,15 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
<para><literallayout>
</literallayout><emphasis role="bold">Test your settings</emphasis></para>

<para>After the LDAP and database settings are done you can test
your settings.</para>
<para>After the LDAP and database settings are done you can test your
settings.</para>

<para><emphasis role="bold">Cron entry</emphasis></para>

<para>LAM also prints the crontab line that you need to run the
configured jobs on a daily basis. The command must be run as the
same user as your webserver is running. You are free to change the
starting time of the script or run it more often.</para>
configured jobs on a daily basis. The command must be run as the same
user as your webserver is running. You are free to change the starting
time of the script or run it more often.</para>
</section>

<section>
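Review bot: the `<para><literallayout>` immediately closed by `</literallayout>` before "Test your settings" is an empty literallayout that only renders as a stray blank block; drop it and make "Test your settings" a plain bold para like "Cron entry" below it. Wording in the same hunk: "must be run as the same user as your webserver is running" reads better as "must be run as the user your web server runs as".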
@ -738,12 +793,12 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';

<para>To add a new job just click on the "Add job" button and select
the job type you need. The list of available jobs depends on your
active account modules. E.g. the PPolicy job will only be available
if you activated PPolicy user module.</para>
active account modules. E.g. the PPolicy job will only be available if
you activated PPolicy user module.</para>

<para>Depending on the job type jobs may be added multiple times
with different configurations. For descriptions about the available
job types see next chapters.</para>
<para>Depending on the job type jobs may be added multiple times with
different configurations. For descriptions about the available job
types see next chapters.</para>

<screenshot>
<mediaobject>
@ -760,25 +815,25 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
password expires.</para>

<para>You need to activate the PPolicy module for users to be able
to add this job. The job can be added multiple times (e.g. to send
a second warning at a later time).</para>
to add this job. The job can be added multiple times (e.g. to send a
second warning at a later time).</para>

<para>LAM calculates the expiration date based on the last
password change and the assigned password policy (or the default
policy) using attributes pwdMaxAge and pwdExpireWarning.</para>
<para>LAM calculates the expiration date based on the last password
change and the assigned password policy (or the default policy)
using attributes pwdMaxAge and pwdExpireWarning.</para>

<para>Examples:</para>

<para>Warning time (pwdExpireWarning) = 14 days, notification
period = 10: LAM will send out the email 24 days before the
password expires</para>
<para>Warning time (pwdExpireWarning) = 14 days, notification period
= 10: LAM will send out the email 24 days before the password
expires</para>

<para>Warning time (pwdExpireWarning) = 14 days, notification
period = 0: LAM will send out the email 14 days before the
password expires</para>
<para>Warning time (pwdExpireWarning) = 14 days, notification period
= 0: LAM will send out the email 14 days before the password
expires</para>

<para>No warning time (pwdExpireWarning), notification period =
10: LAM will send out the email 10 days before the password
<para>No warning time (pwdExpireWarning), notification period = 10:
LAM will send out the email 10 days before the password
expires</para>

<screenshot>
@ -797,8 +852,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
<row>
<entry><emphasis role="bold">Option</emphasis></entry>

<entry><emphasis
role="bold">Description</emphasis></entry>
<entry><emphasis role="bold">Description</emphasis></entry>
</row>

<row>
@ -859,12 +913,12 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
<para>Wildcards:</para>

<para>You can enter LDAP attributes as wildcards in the form
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
"@@cn@@". For the common name it would be "@@cn@@".</para>
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
For the common name it would be "@@cn@@".</para>

<para>There are also two special wildcards for the expiration
date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
"31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
<para>There are also two special wildcards for the expiration date.
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
"2016-12-31".</para>
</section>

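Review bot: "E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@"." says the same thing twice, and the reflow preserved the duplicate; keep one of the two sentences.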
@ -952,12 +1006,12 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
<para>Wildcards:</para>

<para>You can enter LDAP attributes as wildcards in the form
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
"@@cn@@". For the common name it would be "@@cn@@".</para>
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
For the common name it would be "@@cn@@".</para>

<para>There are also two special wildcards for the expiration
date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
"31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
<para>There are also two special wildcards for the expiration date.
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
"2016-12-31".</para>
</section>

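Review bot: this Wildcards paragraph repeats the duplicated "@@cn@@" sentence from the PPolicy job section verbatim; since the same text appears in each job section, a single shared paragraph (or an xref to it) would fix the duplication in one place instead of three.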
@ -967,21 +1021,21 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<para>This will send your users an email reminder before their
|
||||
password expires.</para>
|
||||
|
||||
<para>You need to activate the Shadow module for users to be able
|
||||
to add this job. The job can be added multiple times (e.g. to send
|
||||
a second warning at a later time).</para>
|
||||
<para>You need to activate the Shadow module for users to be able to
|
||||
add this job. The job can be added multiple times (e.g. to send a
|
||||
second warning at a later time).</para>
|
||||
|
||||
<para>LAM calculates the expiration date based on the last
|
||||
password change, the password warning time (attribute
|
||||
"shadowWarning") and the specified notification period.</para>
|
||||
<para>LAM calculates the expiration date based on the last password
|
||||
change, the password warning time (attribute "shadowWarning") and
|
||||
the specified notification period.</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<para>Warning time = 14, notification period = 10: LAM will send
|
||||
out the email 24 days before the password expires</para>
|
||||
<para>Warning time = 14, notification period = 10: LAM will send out
|
||||
the email 24 days before the password expires</para>
|
||||
|
||||
<para>Warning time = 14, notification period = 0: LAM will send
|
||||
out the email 14 days before the password expires</para>
|
||||
<para>Warning time = 14, notification period = 0: LAM will send out
|
||||
the email 14 days before the password expires</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
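Review bot: the sentence "LAM calculates the expiration date based on the last password change, the password warning time (attribute "shadowWarning") and the specified notification period." does not match its own examples, which describe when the email is sent (warning time + notification period = 24 days before expiry), not how the expiration date itself is determined. Suggest rewording to "LAM calculates the notification date ..." or splitting it into expiry (from the last password change) and send date (warning time plus notification period). Also "activate the Shadow module for users" reads ambiguously; "for the users account type" would be clearer.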
@ -999,8 +1053,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1054,21 +1107,21 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<para>Wildcards:</para>
|
||||
|
||||
<para>You can enter LDAP attributes as wildcards in the form
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
|
||||
"@@cn@@". For the common name it would be "@@cn@@".</para>
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
|
||||
For the common name it would be "@@cn@@".</para>
|
||||
|
||||
<para>There are also two special wildcards for the expiration
|
||||
date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
|
||||
"31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
<para>There are also two special wildcards for the expiration date.
|
||||
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
|
||||
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
"2016-12-31".</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shadow: Delete or move expired accounts</title>
|
||||
|
||||
<para>You can automatically delete or move expired accounts. The
|
||||
job checks Shadow account expiration dates (not password
|
||||
expiration dates).</para>
|
||||
<para>You can automatically delete or move expired accounts. The job
|
||||
checks Shadow account expiration dates (not password expiration
|
||||
dates).</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1086,8 +1139,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1121,11 +1173,11 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
password expires.</para>
|
||||
|
||||
<para>You need to activate the Windows module for users to be able
|
||||
to add this job. The job can be added multiple times (e.g. to send
|
||||
a second warning at a later time).</para>
|
||||
to add this job. The job can be added multiple times (e.g. to send a
|
||||
second warning at a later time).</para>
|
||||
|
||||
<para>LAM calculates the expiration date based on the last
|
||||
password change and the domain policy.</para>
|
||||
<para>LAM calculates the expiration date based on the last password
|
||||
change and the domain policy.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
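Review bot: the Windows variant states only "LAM calculates the expiration date based on the last password change and the domain policy." and, unlike the Shadow section, gives no example of how the notification period combines with the policy. Since the job can be added multiple times for staggered warnings, add one worked example in the same form ("notification period = 10: LAM will send out the email 10 days before the password expires", or whatever the actual rule is) so admins can predict when mails go out.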
@ -1143,8 +1195,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1198,20 +1249,19 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<para>Wildcards:</para>
|
||||
|
||||
<para>You can enter LDAP attributes as wildcards in the form
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
|
||||
"@@cn@@". For the common name it would be "@@cn@@".</para>
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
|
||||
For the common name it would be "@@cn@@".</para>
|
||||
|
||||
<para>There are also two special wildcards for the expiration
|
||||
date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
|
||||
"31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
<para>There are also two special wildcards for the expiration date.
|
||||
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
|
||||
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
"2016-12-31".</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Windows: Delete or move expired accounts</title>
|
||||
|
||||
<para>You can automatically delete or move expired
|
||||
accounts.</para>
|
||||
<para>You can automatically delete or move expired accounts.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
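Review bot: "You can automatically delete or move expired accounts." is the entire description for the Windows job, and the FreeRadius section further down is identical. The Shadow and Qmail sections name the attribute the job evaluates ("Shadow account expiration dates", "the qmail deletion date"); for a job that deletes accounts, state which attribute defines "expired" here as well, so an administrator can verify the data before enabling it.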
@ -1229,8 +1279,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1260,8 +1309,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<section>
|
||||
<title>FreeRadius: Delete or move expired accounts</title>
|
||||
|
||||
<para>You can automatically delete or move expired
|
||||
accounts.</para>
|
||||
<para>You can automatically delete or move expired accounts.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1279,8 +1327,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1310,8 +1357,8 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<section>
|
||||
<title>Qmail: Delete or move expired accounts</title>
|
||||
|
||||
<para>You can automatically delete or move expired accounts. The
|
||||
job reads the qmail deletion date of user accounts.</para>
|
||||
<para>You can automatically delete or move expired accounts. The job
|
||||
reads the qmail deletion date of user accounts.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1329,8 +1376,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1377,18 +1423,18 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<section id="confTypicalScenarios">
|
||||
<title>Typical scenarios</title>
|
||||
|
||||
<para>This is a list of typical scenarios how your LDAP environment
|
||||
may look like and how to structure the server profiles for it.</para>
|
||||
<para>This is a list of typical scenarios how your LDAP environment may
|
||||
look like and how to structure the server profiles for it.</para>
|
||||
|
||||
<section>
|
||||
<title>Simple: One LDAP directory managed by a small group of
|
||||
admins</title>
|
||||
|
||||
<para>This is the easiest and most common scenario. You want to
|
||||
manage a single LDAP server and there is only one or a few admins.
|
||||
In this case just create one server profile and you are done. The
|
||||
admins may be either specified as a fixed list or by using an LDAP
|
||||
search at login time.</para>
|
||||
<para>This is the easiest and most common scenario. You want to manage
|
||||
a single LDAP server and there is only one or a few admins. In this
|
||||
case just create one server profile and you are done. The admins may
|
||||
be either specified as a fixed list or by using an LDAP search at
|
||||
login time.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
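Review bot: grammar in the rewrapped intro: "This is a list of typical scenarios how your LDAP environment may look like" should read "This is a list of typical scenarios of how your LDAP environment may look and how to structure the server profiles for it." Worth fixing while the lines are being touched.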
@ -1404,11 +1450,10 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
groups</title>
|
||||
|
||||
<para>Large organisations may have one big LDAP directory for all
|
||||
user/group accounts. But the users are managed by different groups
|
||||
of admins (e.g. departments, locations, subsidiaries, ...). The
|
||||
users are typically divided into organisational units in the LDAP
|
||||
tree. Admins may only manage the users in their part of the
|
||||
tree.</para>
|
||||
user/group accounts. But the users are managed by different groups of
|
||||
admins (e.g. departments, locations, subsidiaries, ...). The users are
|
||||
typically divided into organisational units in the LDAP tree. Admins
|
||||
may only manage the users in their part of the tree.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1418,16 +1463,15 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>In this situation it is recommended to create one server
|
||||
profile for each admin group (e.g. department). Setup the LDAP
|
||||
suffixes in the server profiles to point to the needed
|
||||
organisational units. E.g. use
|
||||
<para>In this situation it is recommended to create one server profile
|
||||
for each admin group (e.g. department). Setup the LDAP suffixes in the
|
||||
server profiles to point to the needed organisational units. E.g. use
|
||||
ou=people,ou=department1,dc=company,dc=com or
|
||||
ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
|
||||
Do the same for groups, hosts, ... This way each admin group will
|
||||
only see its own users. You may want to use LDAP search for the LAM
|
||||
login in this scenario. This will prevent that you need to update a
|
||||
server profile if the number of admins changes.</para>
|
||||
Do the same for groups, hosts, ... This way each admin group will only
|
||||
see its own users. You may want to use LDAP search for the LAM login
|
||||
in this scenario. This will prevent that you need to update a server
|
||||
profile if the number of admins changes.</para>
|
||||
|
||||
<para><emphasis role="bold">Attention:</emphasis> LAM's feature to
|
||||
automatically find free UIDs/GIDs for new users/groups will not work
|
||||
|
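Review bot: "This way each admin group will only see its own users." should say whether the LDAP suffix in a server profile only narrows what LAM displays or is enforced by the directory; as written, a reader may take a server profile as an authorization boundary between departments. Suggest adding one sentence pointing out that access restrictions must be configured on the LDAP server itself (the doc has a separate section for that) and that the suffix is a convenience setting. The "Attention" paragraph about free UIDs/GIDs is also cut off by the hunk boundary; please check that the full sentence still reads correctly after the rewrap.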
@ -1456,8 +1500,8 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<section>
|
||||
<title>Single LDAP directory with lots of users (>10 000)</title>
|
||||
|
||||
<para>LAM was tested to work with 10 000 users. If you have a lot
|
||||
more users then you have basically two options.</para>
|
||||
<para>LAM was tested to work with 10 000 users. If you have a lot more
|
||||
users then you have basically two options.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
|