diff --git a/lam/docs/manual-sources/appendix-schema.xml b/lam/docs/manual-sources/appendix-schema.xml
index ef8fe804..62124840 100644
--- a/lam/docs/manual-sources/appendix-schema.xml
+++ b/lam/docs/manual-sources/appendix-schema.xml
@@ -1,700 +1,718 @@ - + + LDAP schema files + + Here is a list of needed LDAP schema files for the different LAM + modules. For OpenLDAP we also provide a source where you can get the + files. + + LDAP schema files - Here is a list of needed LDAP schema files for the different LAM - modules. For OpenLDAP we also provide a source where you can get the - files. + + + + -
- LDAP schema files + Account type - - - - + Object class(es) - Account type + Schema name - Object class(es) + Source - Schema name + Notes + + - Source + + + + + + + - Notes - - + Unix accounts - - - - - - - + posixAccount, shadowAccount, hostObject, posixGroup - Unix accounts + nis.schema, rfc2307bis.schema, ldapns.schema + (hostObject) - posixAccount, shadowAccount, hostObject, posixGroup + Part of OpenLDAP installation, part of libpam-ldap + (ldapns.schema) - nis.schema, rfc2307bis.schema, ldapns.schema - (hostObject) + The rfc2307bis.schema is only supported by LAM Pro. Use the + nis.schema if you do not want to upgrade to LAM Pro. + - Part of OpenLDAP installation, part of libpam-ldap - (ldapns.schema) + + + + + + - The rfc2307bis.schema is only supported by LAM Pro. Use the - nis.schema if you do not want to upgrade to LAM Pro. - + Address book entries - - - - - - + inetOrgPerson - Address book entries + inetorgperson.schema - inetOrgPerson + Part of OpenLDAP installation - inetorgperson.schema + + - Part of OpenLDAP installation + + + + + + - - + Samba 3 accounts - - - - - - + sambaSamAccount, sambaGroupMapping, sambaDomain - Samba 3 accounts + samba.schema - sambaSamAccount, sambaGroupMapping, sambaDomain + Part of Samba tarball (examples/LDAP/samba.schema) - samba.schema + + - Part of Samba tarball (examples/LDAP/samba.schema) + + + + + + - - + Windows AD (Samba 4) - - - - - - + user, group, computer - Windows AD (Samba 4) + - user, group, computer + Samba 4 built-in - + + - Samba 4 built-in + + + + + + - - + Kolab 2/3 users - - - - - - + kolabUser - Kolab 2/3 users + kolab2/3.schema, rfc2739.schema - kolabUser + Part of Kolab 2/3 installation - kolab2/3.schema, rfc2739.schema + + - Part of Kolab 2/3 installation + + + + + + - - + Asterisk (extension) - - - - - - + AsteriskSIPUser, AsteriskExtension - Asterisk (extension) + asterisk.schema - AsteriskSIPUser, AsteriskExtension + Part of Asterisk installation - asterisk.schema + + - Part of Asterisk 
installation + + + + + + - - + PyKota users, groups, printers and billing codes - - - - - - + pykotaObject, pykotaAccount, pykotaAccountBalance, + pykotaGroup, pykotaPrinter, pykotaBilling - PyKota users, groups, printers and billing codes + pykota.schema - pykotaObject, pykotaAccount, pykotaAccountBalance, - pykotaGroup, pykotaPrinter, pykotaBilling + Part of PyKota installation - pykota.schema + + - Part of PyKota installation + + + + + + - - + Mail routing - - - - - - + inetLocalMailRecipient - Mail routing + misc.schema - inetLocalMailRecipient + Part of OpenLDAP installation - misc.schema + + - Part of OpenLDAP installation + + + + + + - - + Hosts - - - - - - + hostObject, device - Hosts + ldapns.schema - hostObject, device + Part of libpam-ldap installation - ldapns.schema + The device object class is only available in LAM Pro. + - Part of libpam-ldap installation + + + + + + - The device object class is only available in LAM - Pro. - + Authorized services - - - - - - + authorizedServiceObject - Authorized services + ldapns.schema - authorizedServiceObject + Part of libpam-ldap installation - ldapns.schema + + - Part of libpam-ldap installation + + + + + + - - + Mail aliases - - - - - - + nisMailAlias - Mail aliases + misc.schema - nisMailAlias + Part of OpenLDAP installation - misc.schema + + - Part of OpenLDAP installation + + + + + + - - + Qmail user - - - - - - + qmailUser - Qmail user + qmail.schema - qmailUser + Part of qmail_ldap - qmail.schema + LAM Pro only + - Part of qmail_ldap + + + + + + - LAM Pro only - + MAC addresses - - - - - - + ieee802device - MAC addresses + nis.schema - ieee802device + Part of OpenLDAP installation - nis.schema + + - Part of OpenLDAP installation + + + + + + - - + IP addresses - - - - - - + ipHost - IP addresses + nis.schema - ipHost + Part of OpenLDAP installation - nis.schema + LAM Pro only + - Part of OpenLDAP installation + + + + + + - LAM Pro only - + Puppet - - - - - - + puppetClient - Puppet + puppet.schema - 
puppetClient + Puppet + on GitHub - puppet.schema + + - Puppet - on GitHub + + + + + + - - + EDU person - - - - - - + eduPerson - EDU person + eduperson.schema - eduPerson + http://middleware.internet2.edu - eduperson.schema + + - http://middleware.internet2.edu + + + + + + - - + Simple Accounts - - - - - - + account - Simple Accounts + cosine.schema - account + Part of OpenLDAP installation - cosine.schema + + - Part of OpenLDAP installation + + + + + + - - + SSH public keys - - - - - - + ldapPublicKey - SSH public keys + openssh-lpk.schema - ldapPublicKey + Included in patch from http://code.google.com/p/openssh-lpk/ - openssh-lpk.schema + + - Included in patch from http://code.google.com/p/openssh-lpk/ + + + + + + - - + Filesystem quotas - - - - - - + systemQuotas - Filesystem quotas + quota.schema - systemQuotas + Linux + DiskQuota - quota.schema + + - Linux - DiskQuota + + + + + + - - + Group of (unique) names - - - - - - + groupOfNames, groupOfUniqueNames, groupOfMembers - Group of (unique) names + core.schema - groupOfNames, groupOfUniqueNames, groupOfMembers + Part of OpenLDAP installation - core.schema + LAM Pro only + - Part of OpenLDAP installation + + + + + + - LAM Pro only - + Groups - - - - - - + organizationalRole - Groups + core.schema - organizationalRole + Part of OpenLDAP installation - core.schema + LAM Pro only + - Part of OpenLDAP installation + + + + + + - LAM Pro only - + DHCP - - - - - - + dhcpOptions, dhcpSubnet, dhcpServer - DHCP + dhcp.schema - dhcpOptions, dhcpSubnet, dhcpServer + docs/schema/dhcp.schema - dhcp.schema + The LDAP suffix should be set to your dhcpServer + entry. + - docs/schema/dhcp.schema + + + + + + - The LDAP suffix should be set to your dhcpServer - entry. 
- + Bind DLZ DNS - - - - - - + dlzZone, dlzHost, dlzSOARecord, dlzNSRecord, dlzARecord, + dlzMXRecord, dlzCNameRecord, dlzPTRRecord - Bind DLZ DNS + dlz.schema - dlzZone, dlzHost, dlzSOARecord, dlzNSRecord, dlzARecord, - dlzMXRecord, dlzCNameRecord, dlzPTRRecord + part of Bind + DLZ patch - dlz.schema + LAM Pro only + - part of Bind - DLZ patch + + + + + + - LAM Pro only - + Aliases - - - - - - + alias, uidObject - Aliases + core.schema - alias, uidObject + Part of OpenLDAP installation - core.schema + LAM Pro only + - Part of OpenLDAP installation + + + + + + - LAM Pro only - + NIS netgroups - - - - - - + nisNetgroup - NIS netgroups + nis.schema - nisNetgroup + Part of OpenLDAP installation - nis.schema + + - Part of OpenLDAP installation + + + + + + - - + NIS objects - - - - - - + nisObject - NIS objects + nis.schema - nisObject + Part of OpenLDAP installation - nis.schema + LAM Pro only + - Part of OpenLDAP installation + + + + + + - LAM Pro only - + Automount objects - - - - - - + automount - Automount objects + autofs.schema, rfc2307bis.schema - automount + Autofs LDAP - autofs.schema, rfc2307bis.schema + LAM Pro only + - Autofs LDAP + + + + + + - LAM Pro only - + Oracle databases - - - - - - + orclNetService - Oracle databases + oidbase.schema, oidnet.schema, oidrdbms.schema, + alias.schema - orclNetService + Preinstalled on Oracle directory server, OpenLDAP schemas can + be downloaded e.g. here - oidbase.schema, oidnet.schema, oidrdbms.schema, - alias.schema + LAM Pro only + - Preinstalled on Oracle directory server, OpenLDAP schemas - can be downloaded e.g. 
here + + + + + + - LAM Pro only - + Password policies - - - - - - + pwdPolicy, device - Password policies + ppolicy.schema, core.schema - pwdPolicy, device + Part of OpenLDAP installation - ppolicy.schema, core.schema + LAM Pro only + - Part of OpenLDAP installation + + + + + + - LAM Pro only - + FreeRadius users - - - - - - + radiusprofile - FreeRadius users + openldap.schema - radiusprofile + Part of FreeRadius installation - openldap.schema + + - Part of FreeRadius installation + + + + + + - - + Heimdal Kerberos - - - - - - + krb5KDCEntry - Heimdal Kerberos + hdb.schema - krb5KDCEntry + Part of Heimdal Kerberos installation - hdb.schema + LAM Pro only + - Part of Heimdal Kerberos installation + + + + + + - LAM Pro only - + MIT Kerberos - - - - - - + krbPrincipal, krbPrincipalAux, krbTicketPolicyAux - MIT Kerberos + kerberos.schema - krbPrincipal, krbPrincipalAux, krbTicketPolicyAux + Part of MIT Kerberos installation - kerberos.schema + LAM Pro only + - Part of MIT Kerberos installation + + + + + + - LAM Pro only - + Sudo roles - - - - - - + sudoRole - Sudo roles + sudo.schema - sudoRole + Part of sudo-ldap installation - sudo.schema + LAM Pro only + - Part of sudo-ldap installation + + + + + + - LAM Pro only - + Kopano - - - - - - + kopano-user, kopano-contact, kopano-group, + kopano-dynamicgroup, kopano-addresslist, kopano-server - Zarafa + kopano.ldif - zarafa-user, zarafa-group, zarafa-server + Part of Kopano installation - zarafa.schema + LAM Pro only + - Part of Zarafa installation + + + + + + - LAM Pro only - + Zarafa - - - - - - + zarafa-user, zarafa-group, zarafa-server - IMAP mailboxes + zarafa.schema - - + Part of Zarafa installation - - + LAM Pro only + - - + + + + + + - Does not require any schema. - + IMAP mailboxes - - - - - - + - - LDAP views + - - nsview, organizationalunit + - - built-in + Does not require any schema. + - Part of LDAP server installation (e.g. 389 server) + + + + + + - LAM Pro only - - - -
-
+ LDAP views + + nsview, organizationalunit + + built-in + + Part of LDAP server installation (e.g. 389 server) + + LAM Pro only + + + + +
diff --git a/lam/docs/manual-sources/chapter-modules.xml b/lam/docs/manual-sources/chapter-modules.xml
index 70332fe3..182bc3e0 100644
--- a/lam/docs/manual-sources/chapter-modules.xml
+++ b/lam/docs/manual-sources/chapter-modules.xml
@@ -1,3516 +1,390 @@ - - Managing entries in your LDAP directory +"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> + + Managing entries in your LDAP directory - This chapter will give you instructions how to manage the different - LDAP entries in your directory. + This chapter will give you instructions how to manage the different + LDAP entries in your directory. - Please note that not all account types are manageable with the free - LAM release. LAM Pro provides some more account types (e.g. group of - names, aliases, ...) and modules (e.g. Zarafa, custom scripts, ...) to - support additional LDAP object classes. All LAM Pro features are marked in - this manual. + Please note that not all account types are manageable with the free + LAM release. LAM Pro provides some more account types (e.g. group of names, + aliases, ...) and modules (e.g. Kopano, custom scripts, ...) to support + additional LDAP object classes. All LAM Pro features are marked in this + manual. - Basic page layout: + Basic page layout: - After the login LAM will present you its main page. It consists of a - header part which is equal for all pages and the content area which covers - most the of the page. + After the login LAM will present you its main page. It consists of a + header part which is equal for all pages and the content area which covers + most the of the page. - The header part includes the links to manage all account types (e.g. - users and groups) and open the tree view (LDAP browser). There is also the - logout link and a tools entry. + The header part includes the links to manage all account types (e.g. + users and groups) and open the tree view (LDAP browser). There is also the + logout link and a tools entry. - When you login the you will see an account listing in the content - area. + When you login the you will see an account listing in the content + area. + + + + + + + + + + Here you can create, delete and modify accounts. 
Use the action + buttons at the left or double click on an entry to edit it. + + The suffix selection box allows you to list only the accounts which + are located in a subtree of your LDAP directory. + + + + + + + + + + You can change the number of shown entries per page with "Change + settings". Depending on the account type there may be additional settings. + E.g. the user list can convert group numbers to group names. + + When you select to edit an entry then LAM will show all its data on a + tabbed view. There is one tab for each functional part of the account. You + can set default values by loading an account profile. + + + + + + + + + +
+ Typical usage scenarios + + Here is a list of typical usage scenarios and what account types and + modules you need to configure. + + Address book entries: + + Account types: + + + + Users (Personal) + + + + Unix accounts: + + Account types: + + + + Users (Personal + Unix) + + + + Groups (Unix (posixGroup)) + + + + Suse users may need to use Group (Group of names + Unix + (rfc2307bisPosixGroup)) because of Suse's special LDAP schema. + + Samba 3 accounts: + + Account types: + + + + Users (Personal + User + Samba 3) + + + + Groups (Unix + Samba 3) + + + + Hosts (Account + Unix + Samba 3) + + + + Samba domains (Samba domain) + + + + Samba 4/Active Directory: + + Account types: + + + + Users (Windows) + + + + Groups (Windows) + + + + Hosts (Windows) + + + + Please note that must change the attributes that are shown in the + account lists. Otherwise, the account tables will show empty lines. See + the documentation for the Windows user/group/host modules. + + For Samba 4 with Kopano use the following modules: + + + + Users (Windows + Kopano (+ Kopano contact)) + + + + Groups (Windows + Kopano) + + + + Hosts (Windows + Kopano) + + + + Kopano dynamic groups (Kopano dynamic group) + + + + Kopano address lists (Kopano address list) + + + + See also the Kopano section for + additional settings (e.g. using Kopano AD schema). + + Asterisk: + + Account types: + + + + Users (Personal + Asterisk) + + + + Asterisk extensions (Asterisk extension) + + + + Kopano: + + Account types: + + + + Users (Personal + Unix + Kopano (+ Kopano contact)) + + + + Groups (Unix + Kopano) + + + + Kopano dynamic groups (Kopano dynamic group) + + + + Kopano address lists (Kopano address list) + + + + Hosts (Device + Kopano + IP Address) + + + + PyKota: + + Account types: + + + + Users (Personal + Unix + PyKota) + + + + Groups (Unix + PyKota) + + + + Printers (PyKota) + + + + Billing codes (PyKota) + + +
+ +
+ Users + + LAM manages various types of user accounts. This includes address + book entries, Unix, Samba, Kopano and much more. + + + + + Account list settings: + + The user list includes two special options to change how your users + are displayed. - + - Here you can create, delete and modify accounts. Use the action - buttons at the left or double click on an entry to edit it. - - The suffix selection box allows you to list only the accounts which - are located in a subtree of your LDAP directory. + Translate GID number to group name: By default + the user list can show the primary group IDs (GIDs) of your users. There + are often cases where it is more suitable to show the group name instead. + This can be done by activating this option. Please note that LAM will + execute more LDAP queries which may result in decreased + performance. - + - You can change the number of shown entries per page with "Change - settings". Depending on the account type there may be additional settings. - E.g. the user list can convert group numbers to group names. - - When you select to edit an entry then LAM will show all its data on - a tabbed view. There is one tab for each functional part of the account. - You can set default values by loading an account profile. + Show account status: If you activate this + option then there will be an additional column displayed that shows if the + account is locked. You can see more details when moving the mouse cursor + over the lock icon. This function supports Unix, Samba, PPolicy, Windows + and 389ds locking+deactivation. - + + + + + + + + + Password: + + Click the "Set password" button to change the user's password(s). + Depending on the active account modules LAM will offer to change multiple + passwords at the same time. + + If a module supports to enforce a password change then you will see + the appropriate checkbox. LAM Pro also offers to send the password via + email after the account is saved. 
Email options are specified in your + LAM server profile. + + + + + + + + + + + + + Quick account (un)locking: + + When you edit an user then LAM supports to quickly lock/unlock the + whole account. This includes Unix, Samba and PPolicy. LAM can also remove + group memberships if an account is locked. + + You will see the current status of all account parts in the title + area of the account. + + + + + + + + + + If you click on the lock icon then a dialog will be opened to change + these values. Depending on which parts are locked LAM will provide options + to lock/unlock account parts. + + + + + + + + + + + + +
- Typical usage scenarios - - Here is a list of typical usage scenarios and what account types - and modules you need to configure. - - Address book entries: - - Account types: - - - - Users (Personal) - - - - Unix accounts: - - Account types: - - - - Users (Personal + Unix) - - - - Groups (Unix (posixGroup)) - - - - Suse users may need to use Group (Group of names + Unix - (rfc2307bisPosixGroup)) because of Suse's special LDAP schema. - - Samba 3 accounts: - - Account types: - - - - Users (Personal + User + Samba 3) - - - - Groups (Unix + Samba 3) - - - - Hosts (Account + Unix + Samba 3) - - - - Samba domains (Samba domain) - - - - Samba 4/Active Directory: - - Account types: - - - - Users (Windows) - - - - Groups (Windows) - - - - Hosts (Windows) - - - - Please note that must change the attributes that are shown in the - account lists. Otherwise, the account tables will show empty lines. See - the documentation for the Windows user/group/host modules. - - For Samba 4 with Zarafa use the following modules: - - - - Users (Windows + Zarafa (+ Zarafa contact)) - - - - Groups (Windows + Zarafa) - - - - Hosts (Windows + Zarafa) - - - - Zarafa dynamic groups (Zarafa dynamic group) - - - - Zarafa address lists (Zarafa address list) - - - - See also the Zarafa section for - additional settings (e.g. using Zarafa AD schema). - - Asterisk: - - Account types: - - - - Users (Personal + Asterisk) - - - - Asterisk extensions (Asterisk extension) - - - - Zarafa: - - Account types: - - - - Users (Personal + Unix + Zarafa (+ Zarafa contact)) - - - - Groups (Unix + Zarafa) - - - - Zarafa dynamic groups (Zarafa dynamic group) - - - - Zarafa address lists (Zarafa address list) - - - - Hosts (Device + Zarafa + IP Address) - - - - PyKota: - - Account types: - - - - Users (Personal + Unix + PyKota) - - - - Groups (Unix + PyKota) - - - - Printers (PyKota) - - - - Billing codes (PyKota) - - -
- -
- Users - - LAM manages various types of user accounts. This includes address - book entries, Unix, Samba, Zarafa and much more. - - - - - Account list settings: - - The user list includes two special options to change how your - users are displayed. - - - - - - - - - - Translate GID number to group name: By - default the user list can show the primary group IDs (GIDs) of your - users. There are often cases where it is more suitable to show the group - name instead. This can be done by activating this option. Please note - that LAM will execute more LDAP queries which may result in decreased - performance. - - - - - - - - - - Show account status: If you activate this - option then there will be an additional column displayed that shows if - the account is locked. You can see more details when moving the mouse - cursor over the lock icon. This function supports Unix, Samba, PPolicy, - Windows and 389ds locking+deactivation. - - - - - - - - - - - - - Password: - - Click the "Set password" button to change the user's password(s). - Depending on the active account modules LAM will offer to change - multiple passwords at the same time. - - If a module supports to enforce a password change then you will - see the appropriate checkbox. LAM Pro also offers to send the password - via email after the account is saved. Email options are specified in - your LAM server profile. - - - - - - - - - - - - - Quick account (un)locking: - - When you edit an user then LAM supports to quickly lock/unlock the - whole account. This includes Unix, Samba and PPolicy. LAM can also - remove group memberships if an account is locked. - - You will see the current status of all account parts in the title - area of the account. - - - - - - - - - - If you click on the lock icon then a dialog will be opened to - change these values. Depending on which parts are locked LAM will - provide options to lock/unlock account parts. - - - - - - - - - - - - - - - - - -
- Personal - - This module is the most common basis for user accounts in LAM. - You can use it stand-alone to manage address book entries or in - combination with Unix, Samba or other modules. - - The Personal module provides support for managing various - personal data of your users including mail addresses and telephone - numbers. You can also add photos of your users (please install PHP - Imagick/ImageMagick for full file format support). If you do - not need to manage all attributes then you can deactivate them in your - server profile. - - Configuration - - Please activate the module "Personal (inetOrgPerson)" for - users. - - - - - - - - - - The module manages lots of fields. Probably, you will not need - all of them. You can hide fields in module settings. - - In advanced options you may also set fields to read-only (for - existing accounts) and define limits for photo files. Additionally, - you can add an "ou=addressbook" subentry to each user in case you - manage user addressbooks. - - - - - - - - - - - - - User management - - - - - - - - - - User certificates can be uploaded and downloaded. LAM will - automatically convert PEM to DER format. 
- - - - - - - - - - - LDAP attribute mappings - - - - - Attribute name - - Name inside LAM - - - - - - businessCategory - - Business category - - - - carLicense - - Car license - - - - cn/commonName - - Common name - - - - departmentNumber - - Department(s) - - - - description - - Description - - - - employeeNumber - - Employee number - - - - employeeType - - Employee type - - - - facsimileTelephoneNumber/fax - - Fax number - - - - givenName/gn - - First name - - - - homePhone - - Home telephone number - - - - initials - - Initials - - - - jpegPhoto - - Photo - - - - l - - Location - - - - labeledURI - - Web site - - - - mail/rfc822Mailbox - - Email address - - - - manager - - Manager - - - - mobile/mobileTelephoneNumber - - Mobile number - - - - organizationName/o - - Organisation - - - - ou - - Organizational unit - - - - pager - - Pager number - - - - physicalDeliveryOfficeName - - Office name - - - - postalAddress - - Postal address - - - - postalCode - - Postal code - - - - postOfficeBox - - Post office box - - - - registeredAddress - - Registered address - - - - roomNumber - - Room number - - - - sn/surname - - Last name - - - - st - - State - - - - street/streetAddress - - Street - - - - telephoneNumber - - Telephone number - - - - title - - Job title - - - - userCertificate - - User certificates - - - - uid/userid - - User name - - - - userPassword - - Password - - - -
- - Wildcards - - This module provides the following wildcards (others may be - provided by other modules): - - - - $firstname: First name - - - - $lastname: Last name - - - - $user: User name - - - - $commonname: Common name - - - - $email: Email address - - - - You can use them in the following input fields on user edit - screen: - - - - Common name - - - - Description - - - - Mail - - - - Postal address - - - - Registered address - - - - Web site - - - - Use this when some of your data always follows the same schema. - E.g. using "$firstname $lastname" in common name field can be used - like this to get "First Last". You can set the wildcards in profile - editor so they are automatically applied for new users. - - - - - - - - - - - - - - - - - - -
- -
- Unix - - The Unix module manages Unix user accounts including group - memberships. - - There are several configuration options for this module: - - - - UID generator: LAM will suggest UID numbers for your - accounts. Please note that it may happen that there are duplicate - IDs assigned if users create accounts at the same time. Use an - overlay - like "Attribute Uniqueness" (example) if you have lots of - LAM admins creating accounts. - - - - Fixed range: LAM searches for free numbers within the - given limits. LAM always tries to use a free UID that is - greater than the existing UIDs to prevent collisions with - deleted accounts. - - - - Samba ID pool: This uses a special LDAP entry that - includes attributes that store a counter for the last used - UID/GID. Please note that this requires that you install the - Samba schema and create an LDAP entry of object class - "sambaUnixIdPool". - - - - Magic number: Use this if your LDAP server assigns the - UID numbers automatically (e.g. DNA by 389 server). Enter the - server's magic number setting. - - - - - - Password hash type: If possible use CRYPT-SHA512 or SSHA to - protect your user's passwords. The option SASL will set the - password to "{SASL}<user name>". - - - - Login shells: List of valid login shells that can be - selected when editing an account. - - - - Hidden options: Some input fields can be hidden to simplify - the GUI if you do not need them. - - - - Set primary group as memberUid: By default primary group - membership is not set on group objects but only on user - (gidNumber). Activate this if you need to have the primary group - membership in group object, too. - - - - Do not add object class: This is for Windows only. When the - checkbox is activated then the posixAccount object class will not - be added to a user. - - - - User name suggestion: The user name is automatically filled - as specified in the configuration (default smiller for Steve - Miller). 
Of course, the suggested value can be changed any time. - Common name is also filled with first/last name by default. - - - - - - - - - - - - - - - - - - - - - - - Group memberships can be changed when clicking on "Edit groups". - Here you can select the Unix groups and group of names - memberships. - - To enable "Group of names" please either add the groups module - "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of - names". - - - - - - - - - - You can also create home directories for your users if you setup - lamdaemon. This allows you to - create the directories on the local or remote servers. - - It is also possible to check the status of the user's home - directories. If needed the directories can be created or removed at - any time. - - - - - - - - - - Wildcards - - This module provides the following wildcards (others may be - provided by other modules): - - - - $user: User name - - - - $group: Groupe name (not numeric number) - - - - You can use them in the following input fields on user edit - screen: - - - - Common name - - - - Gecos - - - - Home directory - - - - Use this when some of your data always follows the same schema. - E.g. using "/home/$user" in home directory field can be used like this - to get "/home/myuser". You can set the wildcards in profile editor so - they are automatically applied for new users. - - - - - - - - - - - - - - - - - - -
- -
- Group of names and group of members (LAM Pro) - - This module manages memberships in group of (unique) names and - also group of members. - - Please note that this module cannot be used if the Unix module - is active. In this case group memberships may be managed with the Unix - module. - - Configuration - - To activate this feature please add the user module "Group of - names (groupOfNamesUser)" to your LAM server profile. - - - - - - - - - - The module automatically detects if groups are based on - "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the - correct attribute. - - - - - - - - -
- -
- Organizational roles (LAM Pro) - - LAM can manage role memberships in organizationalRole objects. To - activate this feature please add the user module "Roles - (organizationalRoleUser)" to your LAM server profile. - - - - - - - - - - User editing - - Now, there will be a new tab "Roles" when you edit your user - accounts. Here you can select the role memberships. - - - - - - - - -
- -
- Shadow - - LAM supports the management of the LDAP substitution of - /etc/shadow. Here you can setup password policies for your Unix - accounts and also view the last password change of a user. - - - - - - - - -
- -
- NIS net groups - - Configuration - - Please add the module "NIS net groups (nisNetGroupUser)" to the - list of active user modules. - - - - - - - - - - User editing - - You will now see a new tab when editing users. Here you can - assign memberships in NIS net groups and also set host/domain. - - - - - - - - -
- -
- Password self reset (LAM - Pro) - - LAM Pro allows your users to reset their passwords by answering - a security question. The reset link is displayed on the self service page. Additionally, - you can set question + answer in the admin interface. - - Please note that self service and LAM admin interface are - separated functionalities. You need to specify the list of possible - security questions in both self service profile(s) and server - profile(s). - - Schema installation - - Please install the LDAP schema as described here. - - Activate password self reset - module - - Please activate the password self reset module in your LAM Pro - server profile. - - - - - - - - - - Now select the tab "Module settings" and specify the list of - possible security questions. Only these questions will be selectable - when you later edit accounts unless you explicitly allow to enter - custom questions. LAM Pro supports to set up to three security - questions per user. - - If you do not want to set backup email addresses then you can - hide this option. - - - - - - - - - - Edit users - - After everything is setup please login to LAM Pro and edit your - users. You will see a new tab called "Password self reset". Here you - can activate/remove the password self reset function for each user. - You can also change the security question and answer. - - If you set a backup email address then confirmation emails will - also be sent to this address. This is useful if the user password - grants access to the user's primary mailbox. So passwords can be - unlocked with an external email address. - - Hint: You can add the - passwordSelfReset object class to all your users with the multi edit tool. - - Samba 4 note: Due to a bug in - Samba 4 you need to add the extension, save, and then select a - question and set the answer. If you add the extension, set - question/answer and then save all together this will cause an LDAP - error and no changes will be saved. - - - - - - - - -
- -
- Hosts - - You can specify a list of valid host names where the user may - login. If you add the value "*" then the user may login to any host. - This can be further restricted by adding explicit deny entries which - are prefixed with "!" (e.g. "!hr_server"). - - Please note that your PAM settings need to support host - restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled then the - account facility of pam_ldap will perform the checks and return an - error when no proper host attribute is present. Please note that users - without host attribute cannot login to such a configured - server. - - - - - - - - -
- -
- Samba 3 - - LAM supports full Samba 3 user management including logon hours - and terminal server options. - - The module is enabled by adding "Samba 3 (sambaSamAccount)" to - your user modules. - - - - - - - - - - In the configuration options you can enable password history - checking. Depending on your LDAP server you might need ascending or - descending order. Just switch the setting if the password history is - not correctly updated. - - In case you have no very old Windows clients (e.g. Windows 98) - it is recommended to disable LM hashes. They are considered to be - insecure. - - You can also hide some input fields if you do not need - them. - - - - - - - - - - After configuring the module you will see the Samba 3 tab when - you edit a user. - - - - - - - - - - Logon hours can be changed. - - - - - - - - - - You can also setup terminal server settings. - - - - - - - - -
- -
- Windows (Samba 4) - - Please activate the account type "Users" in your LAM server - profile and then add the user module "Windows - (windowsUser)(*)". - - - - - - - - - - The default list attributes are for Unix and not suitable for - Windows (blank lines in account table). Please use - "#cn;#givenName;#sn;#mail" or select your own attributes to display in - the account list. - - - - - - - - - - On tab "Module settings" you can specify the possible Windows - domain names and if pre-Windows 2000 user names should be - managed. - - NIS support is deactivated by default. Enable it if - needed. - - - - - - - - - - Now you can manage your Windows users and e.g. assign groups. - You might want to set the default domain name in the profile editor. - - Attention: - - - - Password changes require a secure connection via ldaps://. - Check your LAM server profile if password changes are refused by - the server. - - - - Your server must run a 64bit operating system. Otherwise, - the module might not work. - - - - - - - - - - - - - - - - - - - - Wildcards - - This module provides the following wildcards (others may be - provided by other modules): - - - - $firstname: First name - - - - $lastname: Last name - - - - $user: User name - - - - $commonname: Common name - - - - $email: Email address - - - - You can use them in the following input fields on user edit - screen: - - - - Common name - - - - Display name - - - - Email - - - - Email alias - - - - Home directory - - - - Profile path - - - - Script path - - - - Use this when some of your data always follows the same schema. - E.g. using "$firstname $lastname" in common name field can be used - like this to get "First Last". You can set the wildcards in profile - editor so they are automatically applied for new users. - - - - - - - - - - - - - - - - - - -
- -
- Filesystem quota (lamdaemon) - - You can manage file system quotas with LAM. This requires to - setup lamdaemon. LAM connects to - your server via SSH and manages the disk filesystem quotas. The quotas - are stored directly on the filesystem. This is the default mechanism - to store quotas for most systems. - - Please add the module "Quota (quota)" for users to your LAM - server profile to enable this feature. - - If you store the quota information directly inside LDAP please - see the next section. - - - - - - - - -
- -
- Filesystem quota (LDAP) - - You can store your filesystem quotas directly in LDAP. See - Linux - DiskQuota for details since it requires quota tools that - support LDAP. You will need to install the quota LDAP schema to manage - the object class "systemQuotas". - - Please add the module "Quota (systemQuotas)" for users to your - LAM server profile to enable this feature. - - If you store the quota information on the filesystem please see - the previous section. - - - - - - - - -
- -
- Kolab - - This module supports to manage Kolab accounts with LAM. E.g. you - can set the user's mail quota and define invitation policies. - - Please add the Kolab user module in your LAM server profile to - activate Kolab support. - - - - - - - - - - Attention: LAM will add the object class "mailrecipient" by - default. This object class is available on 389 directory server but - may not be present on e.g. OpenLDAP. Please deactivate the following - setting (LAM server profile, module settings) if you do not use this - object class. - - - - - - - - - - Please enter an email address at the Personal page and set a - Unix password first. Both are required that Kolab accepts the - accounts. The email address ("Personal" page) must match your Kolab - domain, otherwise the account will not work. - - Attention: The mailbox server - cannot be changed after the account has been saved. Please make sure - that the value is correct. - - Kolab users should not be directly deleted with LAM. You can - mark an account for deletion which then is done by the Kolab server - itself. This makes sure that the mailbox etc. is also deleted. - - - - - - - - - - If you upgrade existing non-Kolab accounts please make sure that - the account has an Unix password. -
- -
- Asterisk - - LAM supports Asterisk accounts, too. See the Asterisk section for details. -
- -
- EDU person - - EDU person accounts are mainly used in university networks. You - can specify the principal name, nick names and much more. - - - - - - - - -
- -
- PyKota - - There are two LAM user modules depending if your user entries - should be built on object class "pykotaObject" or a different - structural object class (e.g. "inetOrgPerson"). For "pykotaObject" - please select "PyKota (pykotaUserStructural(*))" and "PyKota - (pykotaUser)" in all other cases. - - - - - - - - - - To display the job history please setup the job DN on tab - "Module settings": - - - - - - - - - - Now you can add the PyKota extension to your user accounts. Here - you can setup the printing options and add payments for this - user. - - For LAM Pro there are also self service fields to allow users - e.g. to view their current balance and job history. - - - - - - - - - - You may also view the payment and job history. - - - - - - - - - - - - - - - - -
- -
- Password policy (LAM Pro) - - OpenLDAP supports the ppolicy overlay - to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to - user accounts. - - Please add the account type "Password policies" to your LAM - server profile and activate the "Password policy" module for the user - type. - - - - - - - - - - You can select the password policy and force a password change - on next login. Accounts can also be (un)locked. - - - - - - - - - - You can assign any password policy which is found in the LDAP - suffix of the "Password policies" type. When you set the policy to - "default" then OpenLDAP will use the default policy as defined in your - slapd.conf file. - - Attention: Locking and - unlocking requires that you also activate the option "Lockout users" - in the assigned password policy. - Otherwise, it will have no effect. -
- -
- Account locking for 389ds (LAM Pro) - - This module allows you to display if users are locked by 389ds - server. You can (de)activate your users. The password expiration time - can also be managed. - - Requirements: 389ds LDAP server - - Configuration - - Please add the user module "Account locking - (locking389ds)". - - - - - - - - - - This will show the password expiration time. You can edit the - value if needed. - - If there are any failed login attempts then LAM displays their - number and till when the user is locked by the system. - - The limit of failed login attempts and lockout duration is - configured on your LDAP server and not within LAM. - - - - - - - - - - You can unlock the user by clicking on the lock icon. - - Here you can also (de)activate the account. - - Note: Accounts are only locked by the LDAP server due to failed - password attempts. You cannot manually lock an account. Deactivate it - in case you want to disable login for a user. - - - - - - - - -
- -
- FreeRadius - - FreeRadius is a software that implements the RADIUS - authentication protocol. LAM allows you to mange several of the - FreeRadius attributes. - - To activate the FreeRadius plugin please activate the FreeRadius - user module in your server profile: - - - - - - - - - - You can disable unneeded fields on the tab "Module settings". - Here you can also set the DN where your Radius profile templates are - stored if you use the option "Profile". - - - - - - - - - - Now you will see the tab "FreeRadius" when editing users. The - extension can be (de)activated for each user. You can setup e.g. - realm, IP and expiration date. - - - - - - - - -
- -
- Heimdal Kerberos (LAM Pro) - - You can manage your Heimdal Kerberos accounts with LAM Pro. - Please add the user module "Kerberos (heimdalKerberos)" to activate - this feature. - - Setup password changing - - LAM Pro cannot generate the password hashes itself because - Heimdal uses a propietary format for them. Therefore, LAM Pro needs to - call e.g. kadmin to set the password. - - The wildcards @@password@@ and @@principal@@ are replaced with - password and principal name. Please use keytab authentication for this - command since it must run without any interaction. - - Example to create a keytab: ktutil -k /root/lam.keytab add -p - lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1 - - Security hint: Please secure your LAM Pro server since the new - passwords will be visible for a short term in the process list during - password change. - - - - - - - - - - User management - - You can specify the principal/user name, ticket lifetimes and - expiration dates. Additionally, you can set various account - options. - - - - - - - - -
- -
- MIT Kerberos (LAM Pro) - - You can manage your MIT Kerberos accounts with LAM Pro. Please - add the user module "Kerberos (mitKerberos)" to activate this feature. - If you want to manage entries based on the structural object class - "krbPrincipal" please use "Kerberos (mitKerberosStructural)" - instead. - - Setup password changing - - LAM Pro cannot generate the password hashes itself because MIT - uses a propietary format for them. Therefore, LAM Pro needs to call - kadmin/kadmin.local to set the password. - - LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to - set the password. Please use keytab authentication for this command - since it must run without any interaction. - - Keytabs may be created with the "ktutil" application. - - Security hint: Please secure your LAM Pro server since the new - passwords will be visible for a short term in the process list during - password change. - - Example commands: - - - - /usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p - realm/changepwd - - - - sudo /usr/sbin/kadmin.local - - - - - - - - - - - - User management - - You can specify the principal/user name, ticket lifetimes and - expiration dates. Additionally, you can set various account - options. - - - - - - - - -
- -
- Mail aliases - - This module allows to add/remove the user in mail alias - entries. - - Note: You need to activate the - mail alias type for this - module. - - To activate mail aliases for users please select the module - "Mail aliases (nisMailAliasUser)": - - - - - - - - - - On tab Module settings you can select if you want to set the - user name or email as recipient in alias entries. - - - - - - - - - - Now you will see the mail aliases tab when editing an - user. - - The red cross will only remove the user from the alias entry. If - you click the trash can button then the whole alias entry (which may - contain other users) will be deleted. - - - - - - - - - - You can add the user to existing alias entries or create - completly new ones. - - - - - - - - -
- -
- Qmail (LAM Pro) - - LAM Pro manages all qmail attributes for users. This includes - mail addresses, ID numbers and quota settings. - - Please note that the main mail address is managed on tab - "Personal" if this module is active. Otherwise, it will be on the - qmail tab. - - - - - - - - - - You can hide several qmail options if you do not want to manage - them with LAM. This can be done on the module settings tab of your LAM - server profile. - - - - - - - - -
- -
- Mail routing - - LAM supports to manage mail routing for user accounts. - - Module activation: - - This feature can be activated by adding the "Mail routing" - module to the user account type in your server profile. - - - - - - - - - - Usage: - - You can specify a routing address, the mail server and a number - of local addresses to route. - - In case you want to add this extension by default for new users - there is an option in profile editor. - - - - - - - - -
- -
- SSH keys - - You can manage your public keys for SSH in LAM if you installed - the LPK patch for - SSH. Activate the "SSH public key" module for users in the - server profile and you can add keys to your user entries. - - - - - - - - -
- -
- Authorized services - - You can setup PAM to check if a user is allowed to run a - specific service (e.g. sshd) by reading the LDAP attribute - "authorizedService". This way you can manage all allowed services via - LAM. - - - - To activate this PAM feature please setup your /etc/libnss-ldap.conf and set - "pam_check_service_attr" to "yes". - - - - Inside LAM you can now set the allowed services. You may also - setup default services in your account profiles. - - - - - - - - - - You can define a list of services in your LAM server profile - that is used for autocompletion. - - - - - - - - - - The autocompletion will show all values that contains the - entered text. To display the whole list you can press backspace in the - empty input field. Of course, you can also insert a service name that - is not in the list. - - - - - - - - -
- -
- IMAP mailboxes - - LAM may create and delete mailboxes on an IMAP server for your - user accounts. You will need an IMAP server that supports either SSL - or TLS for this feature. - - To activate the mailbox management module please add the - "Mailbox (imapAccess)" module for the type user in your LAM server - profile: - - - - - - - - - - Now configure the module on the tab "Module settings". Here you - can specify the IMAP server name, encryption options, the - authentication for the IMAP connection and the valid mail domains. LAM - can use either your LAM login password for the IMAP connection or - display a dialog where you need to enter the password. It is also - possible to store the admin password in your server profile. This is - not recommended for security reasons. - - The user name can either be a fixed name (e.g. "admin") or it - can be generated with LDAP attributes of the LAM admn user. E.g. $uid$ - will be transformed to "myUser" if you login with - "uid=myUser,ou=people,dc=example,dc=com". - - The mail domains specify for which accounts mailboxes may be - created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can - be managed for "user@lam-demo.org" but not for "user@example.com". Use - "*" for any domain. - - You need to install the SSL certificate of the CA that signed - your server certificate. This is usually done by installing the - certificate in /etc/ssl/certs. Different Linux distributions may offer - different ways to do this. For Debian please copy the certificate in - "/usr/local/share/ca-certificates" and run "update-ca-certificates" as - root. - - It is not recommended to disable the validation of IMAP server - certificates. - - The prefix, user name attribute and path separator specifies how - your mailboxes are named (e.g. "user.myUser@localhost" or - "user/myUser"). Select the values depending on your IMAP server - settings. - - You can specify a list of initial folder names to create for new - mailboxes. 
LAM will then create them with each new mailbox. - - - - - - - - - - When you edit an user account then you will now see the tab - "Mailbox". Here you can create/delete the mailbox for this - user. - - - - - - - - -
- -
- IP addresses (LAM Pro) - - You can manage the IP addresses of user accounts (e.g. assigned - by DHCP) with the ipHost module. - - Configuration - - - - - - - - - - User editing - - - - - - - - -
- -
- Account - - This is a very simple module to manage accounts based on the - object class "account". Usually, this is used for host accounts only. - Please pay attention that users based on the "account" object class - cannot have contact information (e.g. telephone number) as with - "inetOrgPerson". - - You can enter a user/host name and a description for your - accounts. - - - - - - - - -
-
- -
- Groups - - - -
- Unix - - This module is used to manage Unix group entries. This is the - default module to manage Unix groups and uses the nis.schema. Suse - users who use the rfc2307bis.schema need to use - LAM Pro. - - Configuration - - Please add the account type "Groups" and then select account - module "Unix (posixGroup)". - - - - - - - - - - GID generator: LAM will suggest GID numbers for your accounts. - Please note that it may happen that there are duplicate IDs assigned - if users create groups at the same time. Use an overlay - like "Attribute Uniqueness" (example) if you have lots of LAM - admins creating groups. - - - - Fixed range: LAM searches for free numbers within the given - limits. LAM always tries to use a free GID that is greater than - the existing GIDs to prevent collisions with deleted - groups. - - - - Samba ID pool: This uses a special LDAP entry that includes - attributes that store a counter for the last used UID/GID. Please - note that this requires that you install the Samba schema and - create an LDAP entry of object class "sambaUnixIdPool". - - - - Magic number: Use this if your LDAP server assigns the GID - numbers automatically (e.g. DNA by 389 server). Enter the server's - magic number setting. - - - - Disable membership management: Disables group membership - management. This is useful if memberships are e.g. managed via group - of names. - - - - - - - - - - Group management: - - - - - - - - - - Group membership management: - - - - - - - - -
- -
- Unix groups with rfc2307bis schema (LAM Pro) - - Some applications (e.g. Suse Linux) use the rfc2307bis schema - for Unix accounts instead of the nis schema. In this case group - accounts are based on the object class groupOf(Unique)Names or namedObject. - The object class posixGroup is auxiliary in this case. - - LAM Pro supports these groups with a special account module: - rfc2307bisPosixGroup - - Use this module only if your system depends on the rfc2307bis - schema. The module can be selected in the LAM configuration. Instead - of using groupOfNames as basis for your groups you may also use - namedObject. - - Module activation: - - - - - - - - - - GID generator: LAM will suggest GID numbers for your accounts. - Please note that it may happen that there are duplicate IDs assigned - if users create groups at the same time. Use an overlay - like "Attribute Uniqueness" (example) if you have lots of LAM - admins creating groups. - - - - Fixed range: LAM searches for free numbers within the given - limits. LAM always tries to use a free GID that is greater than - the existing GIDs to prevent collisions with deleted - groups. - - - - Samba ID pool: This uses a special LDAP entry that includes - attributes that store a counter for the last used UID/GID. Please - note that this requires that you install the Samba schema and - create an LDAP entry of object class "sambaUnixIdPool". - - - - Magic number: Use this if your LDAP server assigns the GID - numbers automatically (e.g. DNA by 389 server). Enter the server's - magic number setting. - - - - Disable membership management: Disables group membership - management. This is useful if memberships are e.g. managed via group - of names. - - Force sync with group of names: This will automatically set the - group memberships of the Unix part to the same members as set on group - of names tab. - - - - - - - - - - The GID number will be filled automatically based on the server - profile configuration. 
- - - - - - - - - - Group members can be edited and also synced with Group of - (unique) names. - - - - - - - - -
- -
- Samba 3 - - LAM supports managing Samba 3 groups. You can set special group - types and also create Windows predefined groups like "Domain - admins". - - Module activation: - - - - - - - - - - Group editing: - - - - - - - - -
- -
- Windows (Samba 4) - - LAM can manage your Windows groups. Please enable the account - type "Groups" in your LAM server profile and then add the group module - "Windows (windowsGroup)(*)". - - - - - - - - - - The default list attributes are for Unix and not suitable for - Windows (blank lines in account table). Please use - "#cn;#member;#description" or select your own attributes to display in - the account list. - - - - - - - - - - NIS support is deactivated by default. Enable it if needed on - tab "Module settings". - - - - - - - - - - Now you can edit your groups inside LAM. You can manage the - group name, description and its type. Of course, you can also set the - group members. - - Group scopes: - - - - Global: Use this for groups with frequent changes. Global - groups are not replicated to other domains. - - - - Universal: Groups with universal scope are used to - consolidate groups that span domains. They are globally - replicated. - - - - Domain local: Groups with domain local scope can be used to - set permissions inside one domain. They are not replicated to - other domains. - - - - Group type: - - - - Security: Use this group type to control permissions. - - - - Distribution: These groups are only used for email - applications. They cannot be used to control permissions. - - - - With "Show effective members" you can show a list of all members - of this group including members of subgroups and their - subgroups. - - - - - - - - -
- -
- Kolab - - Please activate the Kolab group module in your LAM server - profile to activate Kolab support. - - - - - - - - - - You can specify the email address and also set allowed sender - and recipient addresses. - - - - - - - - -
- -
- Mail routing - - LAM supports to manage mail routing for group accounts. - - Module activation: - - This feature can be activated by adding the "Mail routing" - module to the group account type in your server profile. - - - - - - - - - - Usage: - - You can specify a routing address, the mail server and a number - of local addresses to route. - - In case you want to add this extension by default for new groups - there is an option in profile editor. - - - - - - - - -
- -
- Quota - - You can manage file system quotas with LAM. This requires to - setup lamdaemon. File system quotas - are not stored inside LAM but managed directly on the specified - servers. - - - - - - - - -
- -
- PyKota - - There are two LAM group modules depending if your group entries - should be built on object class "pykotaObject" or a different - structural object class (e.g. "posixGroup"). For "pykotaObject" please - select "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)" - in all other cases. - - - - - - - - - - Now you can add the PyKota extension to your groups. - - - - - - - - -
-
- -
- Hosts - -
- Account - - Please see the description here. -
- -
- Device (LAM Pro) - - The device object class allows to manage general information - about all sorts of devices (e.g. computers, network hardware, ...). - You can enter the serial number, location and a describing text. It is - also possible to specify the owner of the device. - - - - - - - - -
- -
- Samba 3 - - You can manage Samba 3 host entries by adding the Unix and Samba - 3 account modules. - - - - - - - - - - - - - - - - -
- -
- Windows (Samba 4) - - LAM can manage your Windows servers and workstations. Please - enable the account type "Hosts" in your LAM server profile and then - add the host module "Windows (windowsHost)(*)". - - - - - - - - - - The default list attributes are for Unix and not suitable for - Windows (blank lines in account table). Please use - "#cn;#description;#location" or select your own attributes to display - in the account list. - - - - - - - - - - Now you will see you computer accounts inside LAM. You can set - e.g. the server's description and location information. - - - - - - - - -
- -
- IP addresses (LAM Pro) - - You can manage the IP addresses of host accounts with the ipHost - module. It manages the following information: - - - - IP addresses (IPv4/IPv6) - - - - location of the host - - - - manager: the person who is responsible for the host - - - - You can activate this extension by adding the module ipHost to - the list of active host modules. - - - - - - - - -
- -
- MAC addresses - - Hosts can have an unlimited number of MAC addresses. To enable - this feature just add the "MAC address" module to the host account - type. - - - - - - - - -
- -
- Puppet - - LAM supports to manage your Puppet configuration. You can - edit all attributes like environment, classes, variables and parent - node. - - Configuration - - To activate this feature please edit your LAM server profile and - add the host module "Puppet (puppetClient)" on tab "Modules". This - will add the Puppet tab to your host pages. - - - - - - - - - - On tab "Module settings" in your LAM server profile you may also - setup some common environment names. LAM will use them to provide - autocompletion hints when editing the environment for a node. - - If you enter any value in "Enforce classes" then LAM will only - accept this list of classes. - - - - - - - - - - Editing nodes - - When you edit a host entry then you will see the tab "Puppet". - Here you can add/remove the Puppet extension and edit all - attributes. - - - - - - - - -
- -
- NIS net groups - - NIS netgroups can be used to e.g. restrict SSH access to your - machines. - - Configuration - - Please add the module "NIS net groups (nisNetGroupHost)" to the - list of active host modules. - - - - - - - - - - Host editing - - You will now see a new tab when editing hosts. Here you can - assign memberships in NIS net groups and also set user/domain. - - - - - - - - -
-
- -
- Samba 3 domains - - Samba 3 stores information about its domain settings inside LDAP. - This includes the domain name, its SID and some policies. You can manage - all these attributes with LAM. - - Please activate the account type "Samba domains" in your LAM - server profile. Please notice that Samba by default uses the LDAP root - for domain objects (e.g. dc=example,dc=com). - - - - - - - - - - This will add a new tab to LAM where you can manage domain - information. - - The domain name, SID and RID base can only be specified for new - domains and are not changeable via LAM at a later time. You may setup - several password policies for your Samba domains and also some RID - options that influence the creation of SIDs for - users/groups/hosts. - - - - - - - - -
- -
- Group of (unique) names and group of members (LAM Pro) - - These classes can be used to represent group relations. Since they - allow DNs as members you can also use them to represent nested - groups. - - Configuration: - - Activate the account type "Group of names" in your LAM server - profile to use these account modules. Alternatively, you can use the - account type "Groups". - - - - - - - - - - - - - - - - - - Then add the module "Group of names (groupOfNames)", "Group of - unique names (groupOfUniqueNames)" or "Group of members - (groupOfMembers)". - - - - - - - - - - - - - - - - - - - - On the module settings tab you set some options like the display - format for members/owners and if fields like description should not be - displayed. - - - - - - - - - - Group management: - - Group of (unique) names have four basic attributes: - - - - Name: a unique name for the group - - - - Description: optional description - - - - Owner: the account which owns this group (optional) - - - - Members: the members of the group (at least one is - required) - - - - You can add any accounts as members. This includes other groups - which leads to nested groups. - - To show members of nested groups click on "Show effective - members". Please note that for large groups this will run lots of - queries against your LDAP server. - - - - - - - - -
- -
- Organizational roles (LAM Pro) - - This module manages roles via the organizationalRole object class. - There is also a user - module to manage memberships on the user edit page. - - Configuration: - - Activate the account type "Groups" in your LAM server profile to - use this account module. Alternatively, you can use the account type - "Group of names". - - - - - - - - - - - - - - - - - - Then add the module "Role (organizationalRole)". - - - - - - - - - - On the module settings tab you set some options like the display - format for members and if description should not be displayed. - - - - - - - - - - Role management: - - You can add any accounts as members. This includes other roles - which leads to nested roles (needs to be supported by LDAP client - applications). - - To show members of nested roles click on "Show effective members". - Please note that for large roles this will run lots of queries against - your LDAP server. - - - - - - - - -
- -
- Asterisk - - LAM includes large support for Asterisk. You can add Asterisk - extensions (including voicemail) to your users and also manage Asterisk - extensions. - - The Asterisk support for users can be added by selecting the - Asterisk and Asterisk voicemail modules for users in your LAM server - profile. This will add the following tabs to your user accounts. - - - - - - - - - - The Asterisk module allows to edit a large amount of attributes. - Therefore, you can hide unused fields. Please edit you server profile - (Module settings) to do so. - - - - - - - - - - Of course, the voicemail part of Asterisk is also - supported. - - - - - - - - - - If you also want to manage Asterisk extensions then simply add the - account type "Asterisk extensions" and its module to your server - profile. - - LAM groups your Asterisk extension entries by extension name and - account context. If you edit an extension then you will see the Asterisk - entries as rules. LAM manages that all rule entries have the same owners - and assigns the priorities. - - - - - - - - -
- -
- Zarafa (LAM Pro) - - Zarafa is an OpenSource collaboration software. LAM Pro provides - support to manage Zarafa server entries, users and groups. It covers all - settings for these types including resource and quota settings. - - LAM Pro is an official Zarafa Certified Integration. - - - - - - - -
- Configuration - - To enable Zarafa support in LAM Pro please activate the Zarafa - modules for the Users, Groups and Hosts account types in you server - profile: - - - - - - - - - - Attention: LAM Pro uses the - Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP, - OpenDJ, Apache Directory server and other common LDAP servers. If you - run Samba 4 or Active Directory then you need to switch the schema to - "Active Directory" on the module settings tab: - - - - - - - - - - You can configure which parts of the Zarafa user options should - be enabled. E.g. if you do not want to manage quotas per user then you - can hide these options on the tab "Module settings". - - - - - "Send as" attribute: Here you - can specify how "Send as" privileges should be managed. LAM supports - "uid" and "dn". - - If you select "uid" the LAM will store user names in the - zarafaSendAsPrivilege attribute. This way you are restricted to - specify user accounts as "Send as" allowed. - - You can also set this option to "dn" and LAM will store DNs in - the zarafaSendAsPrivilege attribute. In this case you may specify - users and groups as "Send as" allowed. - - - - - Examples for your Zarafa ldap.cfg: - - "Send as" attribute: dn - - ldap_user_sendas_attribute_type = dn - - - - - "Send as" attribute: uid - - ldap_user_sendas_attribute_type = text - - ldap_user_sendas_relation_attribute = uid - - -Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting. - - - - - Features: Zarafa 7 allows to - enable IMAP/POP3 for each user. Please hide the option "Features" if - you use Zarafa 6.x. - - - - - - - - - -
- Users - - This is an example of the user edit page with all possible - settings. This includes email settings, quotas and some options - (e.g. hide from address book). You can also set the resource type - and capacity for meeting rooms and equipment. The Zarafa extension - can be added and removed at any time for every user. - - Please note that the option "Features" requires Zarafa 7. - Please hide this option in the LAM server profile if you run Zarafa - 6.x. - - - - - - - - -
- -
- Contacts - - LAM Pro can manage your Zarafa contact entries. You can set - the email aliases and "send as" privileges. Additionally, accounts - may be hidden in the address book or disabled. - - Please note that you can either use the Zarafa user module or - Zarafa contact. LAM Pro will disable the other tab when enabling one - of them. - - - - - - - - -
- -
- Groups - - This is the edit page for groups. You can enter an email - address and additional aliases for your groups. It is also possible - to specify options (e.g. hide from address book). The extension can - be added/removed dynamically. - - Please note that the option "Send-as privileges" requires the - Zarafa 7.0.3 schema. Please hide this option in the LAM server - profile if you run Zarafa < 7.0.3. - - - - - - - - -
- -
- Servers - - The Zarafa extension for host accounts allows to set the - connection ports and file path. You can add/remove the extension at - any time. - - Setting the public store option is only possible for new host - entries. - - Please note that the proxy URL option requires the Zarafa 7.1 - schema. Please hide this option in your LAM server profile if you - use an older version. - - - - - - - - -
- -
- Address lists - - Zarafa allows to store address lists in LDAP. You need to - define a search base and LDAP filter for each address list. E.g. - entering "ou=people,dc=company,dc=com" as base and "uid=*" will - select all users that are stored in - "ou=people,dc=company,dc=com". - - You can also hide your lists from the address book or - temporarily disable them. - - - - - - - - -
- -
- Dynamic groups - - Zarafa allows to define dynamic groups in LDAP. You need to - define a search base and LDAP filter for each group. E.g. entering - "ou=people,dc=company,dc=com" as base and "uid=*" will select all - users that are stored in "ou=people,dc=company,dc=com". - - Dynamic groups may have an email address and multiple email - alias addresses. - - You can also hide your dynamic groups from the address book or - temporarily disable them. - - - - - - - - -
-
-
- -
- Kolab shared folders - - Please add the account type "Kolab shared folders" in your LAM - server profile and set the correct LDAP suffix. - - - - - - - - - - - - - - - - - - - - - Then add the "Kolab shared folder" module on tab "Modules". - - - - - - - - - - Now you can start to add shared folders inside LAM. - - - - - - - - -
- -
- DHCP - - You can mange your DHCP server with LAM. It supports to manage - subnets, fixed IP entries, IP ranges and DDNS. + Personal + + This module is the most common basis for user accounts in LAM. You + can use it stand-alone to manage address book entries or in combination + with Unix, Samba or other modules. + + The Personal module provides support for managing various personal + data of your users including mail addresses and telephone numbers. You + can also add photos of your users (please install PHP + Imagick/ImageMagick for full file format support). If you do not + need to manage all attributes then you can deactivate them in your + server profile. Configuration - The DHCP management can be activated by adding the account type - DHCP to your server profile. Please also add the DHCP modules. - - LAM requires that you use an LDAP entry with the object class - "dhcpService" or "dhcpServer" as suffix for this account type. If the - "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN" - then you need to use the DN of the "dhcpService" entry as LDAP suffix - for DHCP. - - - - - Add account type: + Please activate the module "Personal (inetOrgPerson)" for + users. - + - Set suffix: + The module manages lots of fields. Probably, you will not need all + of them. You can hide fields in module settings. + + In advanced options you may also set fields to read-only (for + existing accounts) and define limits for photo files. Additionally, you + can add an "ou=addressbook" subentry to each user in case you manage + user addressbooks. 
- - - - - - Add modules: - - - - - - - - - - Example server - entry: - - dn: - cn=server,ou=dhcp,dc=ldap-account-manager,dc=org - - objectclass: dhcpServer - - objectclass: dhcpOptions - - objectclass: top - - cn: server - - dhcpcomments: My DHCP server - - dhcpoption: domain-name - "ldap-account-manager.org" - - dhcpoption: domain-name-servers 192.168.1.1 - - dhcpoption: routers 192.168.1.1 - - dhcpoption: netbios-name-servers 192.168.1.1 - - dhcpoption: subnet-mask 255.255.255.0 - - dhcpoption: netbios-node-type 8 - - dhcpstatements: default-lease-time 3600 - - dhcpstatements: max-lease-time 7200 - - dhcpstatements: include "mykey" - - dhcpstatements: ddns-update-style interim - - dhcpstatements: update-static-leases true - - dhcpstatements: ignore client-updates - - - - - Example settings for - dhcpd.conf: - - ddns-update-style none; - - deny unknown-clients; - - ldap-server "server"; - - ldap-dhcp-server-cn "server"; - - ldap-port 389; - - ldap-username - "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org"; - - ldap-password "{SSHA}XXXXXXXXXXXX"; - - ldap-base-dn - "ou=dhcp,dc=ldap-account-manager,dc=org"; - - ldap-method dynamic; - - ldap-debug-file - "/var/log/dhcp-ldap-startup.log"; - - - - - - - slapd.conf changes: - - include /etc/ldap/schema/dhcp.schema - - index dhcpHWAddress eq - - index dhcpClassData eq -Run slapindex to rebuild the index. - - - - You can manage the settings of your DHCP service/server - entry: - - - - - - - - - - You can easily create new subnet entries. - - - - - - - - - - It is also possible to specify a list of fixed IPs. - - - - - - - - - - IP ranges may be specified. - - If you use failover pools for your IP ranges please use the pool - options on the bottom. Here you can add DHCP pools (object class - "dhcpPool") and specify the failover peer. - - - - - - - - - - If you activated DDNS in the server entry then you may also - specify the DDNS settings for this subnet. - - - - - - - - -
- -
- Bind DLZ (LAM Pro) - - Bind DLZ is - an extension to the DNS server Bind that allows to store - DNS entries inside LDAP. Please install the Bind DLZ schema file on your - LDAP server. It is part of the DLZ patch. - - Configuration - - First, you need to add the Bind DNS account type and the Bind DLZ - module: - - - - - - - - - - Please set the LDAP suffix either to an existing DNS zone - (dlzZone) or an organizational unit that should include your DNS - zones. - - - - - + 
@@ -3518,417 +392,590 @@ Run slapindex to rebuild the index. - - - - - - - - - Automatic PTR management - - LAM can automatically create/delete PTR entries for the entered - IPv4/6 records. You can enable this feature on the module settings - tab. - - PTR records will get the same TTL as IP records. Please note that - you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa") - under the same suffix as your other DNS entries. + User management - + - Zone management - - If you do not yet have a DNS zone then LAM can create one for you. - In list view switch the suffix to an organizational unit DN. Now you - will see a button "New zone". - - This will create the zone container entry and a default DNS entry - "@" for authoritative information. Now switch the suffix to your new - zone and start adding DNS entries. + User certificates can be uploaded and downloaded. LAM will + automatically convert PEM to DER format. - + - DNS entries - - LAM supports the following DNS record types: - - - - SOA: authoritative information - - - - NS: name servers - - - - A/AAAA: IP addresses - - - - PTR: reverse DNS entries - - - - CNAME: alias names - - - - MX: mail servers - - - - TXT: text records - - - - SRV: service entries - - - - - - - Authoritative (SOA) and name server (NS) - records - - Here you can manage general information about the zone like - timeouts and name servers. Please note that name servers must be - inserted in a special format (dot at the end). - - - - - - - - - - - - - IP addresses (A/AAAA) - - LAM will automatically set the correct type (A/AAAA) depending if - you enter an IPv4 or IPv6 address. - - - - - - - - - - - - - Reverse DNS entries - - Reverse DNS entries are important when you need to find the DNS - name that is associated with a given IP address. Reverse DNS entries are - stored in a separate DNS zone. - - - - - - - - - - - - - Alias names (CNAME) - - Sometimes a DNS entry should simply point to a different DNS entry - (e.g. 
for migrations). This can be done by adding an alias name. - - - - - - - - - - - - - Mail servers (MX) - - The mail server entries define where mails to a domain should be - delivered. The server with the lowest preference has the highest - priority. - - - - - - - - - - - - - Text records (TXT) - - Text records can be added to store a description or other data - (e.g. SPF information). - - - - - - - - - - - - - Services (SRV) - - Service records can be used to specify which servers provide - common services such as LDAP. Please note that the host name must be - _SERVICE._PROTOCOL (e.g. _ldap._tcp). - - - - - Priority: The priority of the target host, lower value means more - preferred. - - Weight: A relative weight for records with the same priority. E.g. - weights 20 and 80 for a service will result in 20% queries to the one - server and 80% to the other. - - Port: The port number that is used for your service. - - Server: DNS name where service can be reached (with dot at the - end). - - - - - - - - - - - - - File upload - - You can upload complete DNS zones via LAM's file upload. Here is - an example for a zone file and the corresponding CSV file. - - Zone file + LDAP attribute mappings + + + + + Attribute name + + Name inside LAM + + - - @ + businessCategory - IN - - SOA - - ns1.example.com admin.ns1.example.com (1 360000 3600 - 3600000 370000) + Business category - + carLicense - IN - - NS - - ns1.example.com. + Car license - + cn/commonName - IN - - NS - - ns2.example.com. 
+ Common name - + departmentNumber - IN - - MX - - 10 mail1.example.com + Department(s) - + description - IN - - MX - - 20 mail2.example.com + Description - foo + employeeNumber - IN - - A - - 123.123.123.100 + Employee number - foo2 + employeeType - IN - - CNAME - - foo.example.com + Employee type - bar + facsimileTelephoneNumber/fax - IN - - A - - 123.123.123.101 + Fax number - + givenName/gn - IN + First name + - AAAA + + homePhone - 1:2:3:4:5 + Home telephone number + + + + initials + + Initials + + + + jpegPhoto + + Photo + + + + l + + Location + + + + labeledURI + + Web site + + + + mail/rfc822Mailbox + + Email address + + + + manager + + Manager + + + + mobile/mobileTelephoneNumber + + Mobile number + + + + organizationName/o + + Organisation + + + + ou + + Organizational unit + + + + pager + + Pager number + + + + physicalDeliveryOfficeName + + Office name + + + + postalAddress + + Postal address + + + + postalCode + + Postal code + + + + postOfficeBox + + Post office box + + + + registeredAddress + + Registered address + + + + roomNumber + + Room number + + + + sn/surname + + Last name + + + + st + + State + + + + street/streetAddress + + Street + + + + telephoneNumber + + Telephone number + + + + title + + Job title + + + + userCertificate + + User certificates + + + + uid/userid + + User name + + + + userPassword + + Password
- Please check that you have an existing zone entry that can be used - for the file upload. See above to create a new zone. + Wildcards - Hint: If you use the function above to create a new zone then - please skip the "@" entry in the CSV file below. LAM creates this entry - with sample data. + This module provides the following wildcards (others may be + provided by other modules): - In this example we assume that the following zone extry - exists: + + + $firstname: First name + - dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com -dlzzonename: example.com -objectclass: dlzZone -objectclass: top + + $lastname: Last name + - + + $user: User name + - Here is the corresponding CSV file: bindUpload.csv + + $commonname: Common name + + + + $email: Email address + + + + You can use them in the following input fields on user edit + screen: + + + + Common name + + + + Description + + + + Mail + + + + Postal address + + + + Registered address + + + + Web site + + + + Use this when some of your data always follows the same schema. + E.g. using "$firstname $lastname" in common name field can be used like + this to get "First Last". You can set the wildcards in profile editor so + they are automatically applied for new users. + + + + + + + + + + + + + + + + + +
- Aliases (LAM Pro) + Unix - Some applications use the object class "alias" to link LDAP - entries to other parts of the LDAP tree. Activate the account type - "Aliases" in your LAM server profile to use this account type. + The Unix module manages Unix user accounts including group + memberships. - Currently, only user accounts can be aliased with the "uidObject" - object class. + There are several configuration options for this module: + + + + UID generator: LAM will suggest UID numbers for your accounts. + Please note that it may happen that there are duplicate IDs assigned + if users create accounts at the same time. Use an overlay + like "Attribute Uniqueness" (example) if you have lots of LAM + admins creating accounts. + + + + Fixed range: LAM searches for free numbers within the + given limits. LAM always tries to use a free UID that is greater + than the existing UIDs to prevent collisions with deleted + accounts. + + + + Samba ID pool: This uses a special LDAP entry that + includes attributes that store a counter for the last used + UID/GID. Please note that this requires that you install the + Samba schema and create an LDAP entry of object class + "sambaUnixIdPool". + + + + Magic number: Use this if your LDAP server assigns the UID + numbers automatically (e.g. DNA by 389 server). Enter the + server's magic number setting. + + + + + + Password hash type: If possible use CRYPT-SHA512 or SSHA to + protect your user's passwords. The option SASL will set the password + to "{SASL}<user name>". + + + + Login shells: List of valid login shells that can be selected + when editing an account. + + + + Hidden options: Some input fields can be hidden to simplify + the GUI if you do not need them. + + + + Set primary group as memberUid: By default primary group + membership is not set on group objects but only on user (gidNumber). + Activate this if you need to have the primary group membership in + group object, too. 
+ + + + Do not add object class: This is for Windows only. When the + checkbox is activated then the posixAccount object class will not be + added to a user. + + + + User name suggestion: The user name is automatically filled as + specified in the configuration (default smiller for Steve Miller). + Of course, the suggested value can be changed any time. Common name + is also filled with first/last name by default. + + - + + + + - + + + + + + Group memberships can be changed when clicking on "Edit groups". + Here you can select the Unix groups and group of names + memberships. + + To enable "Group of names" please either add the groups module + "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of + names". + + + + + + + + + + You can also create home directories for your users if you setup + lamdaemon. This allows you to create + the directories on the local or remote servers. + + It is also possible to check the status of the user's home + directories. If needed the directories can be created or removed at any + time. + + + + + + + + + + Wildcards + + This module provides the following wildcards (others may be + provided by other modules): + + + + $user: User name + + + + $group: Groupe name (not numeric number) + + + + You can use them in the following input fields on user edit + screen: + + + + Common name + + + + Gecos + + + + Home directory + + + + Use this when some of your data always follows the same schema. + E.g. using "/home/$user" in home directory field can be used like this + to get "/home/myuser". You can set the wildcards in profile editor so + they are automatically applied for new users. + + + + + + + + + + + + + + +
-
- Mail aliases +
+ Group of names and group of members (LAM Pro) - You can manage mail aliases (e.g. for NIS) inside LAM. This can be - used to replace local /etc/aliases files with LDAP. + This module manages memberships in group of (unique) names and + also group of members. - Note: Use the mail alias user - module to manage mail aliases on user pages. + Please note that this module cannot be used if the Unix module is + active. In this case group memberships may be managed with the Unix + module. - All accounts of this type are based on the "nisMailAlias" object - class and may have "cn" and "rfc822MailMember" attributes. To activate - this type please add "Mail aliases" in your LAM server profile: + Configuration + + To activate this feature please add the user module "Group of + names (groupOfNamesUser)" to your LAM server profile. - + - You need to select the Mail aliases module on the next tab. + The module automatically detects if groups are based on + "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the + correct attribute. - + + + + +
+ +
+ Organizational roles (LAM Pro) + + LAM can manage role memberships in organizationalRole objects. To + activate this feature please add the user module "Roles + (organizationalRoleUser)" to your LAM server profile. + + + + + - The mail aliases will then appear as separate tab inside LAM. You - may then manage the aliases with their names and recipient - addresses. + User editing - There are mail/user icons that allow to select a mail address/user - name from the existing users. + Now, there will be a new tab "Roles" when you edit your user + accounts. Here you can select the role memberships. - + + + + +
+ +
+ Shadow + + LAM supports the management of the LDAP substitution of + /etc/shadow. Here you can setup password policies for your Unix accounts + and also view the last password change of a user. + + + + + @@ -3937,199 +984,3295 @@ objectclass: top
NIS net groups - LAM supports to define NIS netgroups. You can use them e.g. to - restrict SSH access to your machines. + Configuration - Add the NIS net group account type and its module to your server - profile. Then you can manage net groups in LAM. Net groups may contain - other net groups as child groups. You can either insert the host/user - names manually or print the search buttons next to the input fields to - find existing entries in your directory. + Please add the module "NIS net groups (nisNetGroupUser)" to the + list of active user modules. - + + + + + + User editing + + You will now see a new tab when editing users. Here you can assign + memberships in NIS net groups and also set host/domain. + + + + +
- NIS objects (LAM Pro) + Password self reset (LAM Pro) - You can manage NIS objects with LAM Pro. This allows you define - network mount points in LDAP. + LAM Pro allows your users to reset their passwords by answering a + security question. The reset link is displayed on the self service page. Additionally, you + can set question + answer in the admin interface. - Add the NIS objects type to your LAM configuration and then the - NIS objects module. This will add the NIS objects tab to LAM. + Please note that self service and LAM admin interface are + separated functionalities. You need to specify the list of possible + security questions in both self service profile(s) and server + profile(s). + + Schema installation + + Please install the LDAP schema as described here. + + Activate password self reset + module + + Please activate the password self reset module in your LAM Pro + server profile. - + + + + + + Now select the tab "Module settings" and specify the list of + possible security questions. Only these questions will be selectable + when you later edit accounts unless you explicitly allow to enter custom + questions. LAM Pro supports to set up to three security questions per + user. + + If you do not want to set backup email addresses then you can hide + this option. + + + + + + + + + + Edit users + + After everything is setup please login to LAM Pro and edit your + users. You will see a new tab called "Password self reset". Here you can + activate/remove the password self reset function for each user. You can + also change the security question and answer. + + If you set a backup email address then confirmation emails will + also be sent to this address. This is useful if the user password grants + access to the user's primary mailbox. So passwords can be unlocked with + an external email address. + + Hint: You can add the + passwordSelfReset object class to all your users with the multi edit tool. 
+ + Samba 4 note: Due to a bug in + Samba 4 you need to add the extension, save, and then select a question + and set the answer. If you add the extension, set question/answer and + then save all together this will cause an LDAP error and no changes will + be saved. + + + + +
- Automount objects (LAM Pro) + Hosts - LAM Pro allows you to manage automount entries. Please activate - the account type "Automount objects" in your LAM Pro server - profile. + You can specify a list of valid host names where the user may + login. If you add the value "*" then the user may login to any host. + This can be further restricted by adding explicit deny entries which are + prefixed with "!" (e.g. "!hr_server"). + + Please note that your PAM settings need to support host + restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled then the + account facility of pam_ldap will perform the checks and return an error + when no proper host attribute is present. Please note that users without + host attribute cannot login to such a configured server. - + - - Then add the correct automount module. Usually, this is "Automount - entry (automount)". If you use Suse Linux with RFC2307bis schema please - select "Automount entry (rfc2307bisAutomount)". - - - - - - - - - - This will add a new tab to LAM Pro's main screen which includes a - list of all automount entries. Here you can easily create new - entries. - - - - - - - - - - Please see the following external HowTos for more information on - automounting and LDAP: - - - - AutofsLDAP - - - - Automount - über LDAP (German) - -
- Oracle databases (LAM Pro) + Samba 3 - Oracle allows to manage connection data that is stored in - tnsnames.ora to be stored in an LDAP directory. + LAM supports full Samba 3 user management including logon hours + and terminal server options. - Initial setup - - LDAP server setup: - - You will need to install the correct Oracle LDAP schema files on - your LDAP server. If you run no Oracle LDAP server then you can get them - (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from - here. - - Next you need to create the root entry for Oracle. It should look - like this: - - dn: cn=OracleContext,dc=example,dc=com -objectclass: orclContext -cn: OracleContext - - You can create it with LAM's tree view. Please note that "cn" must - be set to "OracleContext". - - - - - LAM setup: - - Edit your LAM server profile and add the Oracle account - type: + The module is enabled by adding "Samba 3 (sambaSamAccount)" to + your user modules. - + - In case you manage a single Oracle context just enter the - cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle - context entries then set the LDAP suffix to a parent entry of + In the configuration options you can enable password history + checking. Depending on your LDAP server you might need ascending or + descending order. Just switch the setting if the password history is not + correctly updated. + + In case you have no very old Windows clients (e.g. Windows 98) it + is recommended to disable LM hashes. They are considered to be + insecure. + + You can also hide some input fields if you do not need them. - + - Next, add the Oracle module: + After configuring the module you will see the Samba 3 tab when you + edit a user. - + - Now you can login to LAM and start to add database - entries. + Logon hours can be changed. + + + + + + + + + + You can also setup terminal server settings. + + + + + + + + +
+ +
+ Windows (Samba 4) + + Please activate the account type "Users" in your LAM server + profile and then add the user module "Windows (windowsUser)(*)". + + + + + + + + + + The default list attributes are for Unix and not suitable for + Windows (blank lines in account table). Please use + "#cn;#givenName;#sn;#mail" or select your own attributes to display in + the account list. + + + + + + + + + + On tab "Module settings" you can specify the possible Windows + domain names and if pre-Windows 2000 user names should be + managed. + + NIS support is deactivated by default. Enable it if needed. + + + + + + + + + + Now you can manage your Windows users and e.g. assign groups. You + might want to set the default domain name in the profile editor. + + Attention: + + + + Password changes require a secure connection via ldaps://. + Check your LAM server profile if password changes are refused by the + server. + + + + Your server must run a 64bit operating system. Otherwise, the + module might not work. + + + + + + + + + + + + + + + + + + + + Wildcards + + This module provides the following wildcards (others may be + provided by other modules): + + + + $firstname: First name + + + + $lastname: Last name + + + + $user: User name + + + + $commonname: Common name + + + + $email: Email address + + + + You can use them in the following input fields on user edit + screen: + + + + Common name + + + + Display name + + + + Email + + + + Email alias + + + + Home directory + + + + Profile path + + + + Script path + + + + Use this when some of your data always follows the same schema. + E.g. using "$firstname $lastname" in common name field can be used like + this to get "First Last". You can set the wildcards in profile editor so + they are automatically applied for new users. + + + + + + + + + + + + + + + + + + +
+ +
+ Filesystem quota (lamdaemon) + + You can manage file system quotas with LAM. This requires to setup + lamdaemon. LAM connects to your + server via SSH and manages the disk filesystem quotas. The quotas are + stored directly on the filesystem. This is the default mechanism to + store quotas for most systems. + + Please add the module "Quota (quota)" for users to your LAM server + profile to enable this feature. + + If you store the quota information directly inside LDAP please see + the next section. + + + + + + + + +
+ +
+ Filesystem quota (LDAP) + + You can store your filesystem quotas directly in LDAP. See Linux + DiskQuota for details since it requires quota tools that support + LDAP. You will need to install the quota LDAP schema to manage the + object class "systemQuotas". + + Please add the module "Quota (systemQuotas)" for users to your LAM + server profile to enable this feature. + + If you store the quota information on the filesystem please see + the previous section. + + + + + + + + +
+ +
+ Kolab + + This module supports to manage Kolab accounts with LAM. E.g. you + can set the user's mail quota and define invitation policies. + + Please add the Kolab user module in your LAM server profile to + activate Kolab support. + + + + + + + + + + Attention: LAM will add the object class "mailrecipient" by + default. This object class is available on 389 directory server but may + not be present on e.g. OpenLDAP. Please deactivate the following setting + (LAM server profile, module settings) if you do not use this object + class. + + + + + + + + + + Please enter an email address at the Personal page and set a Unix + password first. Both are required that Kolab accepts the accounts. The + email address ("Personal" page) must match your Kolab domain, otherwise + the account will not work. + + Attention: The mailbox server + cannot be changed after the account has been saved. Please make sure + that the value is correct. + + Kolab users should not be directly deleted with LAM. You can mark + an account for deletion which then is done by the Kolab server itself. + This makes sure that the mailbox etc. is also deleted. + + + + + + + + + + If you upgrade existing non-Kolab accounts please make sure that + the account has an Unix password. +
+ +
+ Asterisk + + LAM supports Asterisk accounts, too. See the Asterisk section for details. +
+ +
+ EDU person + + EDU person accounts are mainly used in university networks. You + can specify the principal name, nick names and much more. + + + + + + + + +
+ +
+ PyKota + + There are two LAM user modules depending if your user entries + should be built on object class "pykotaObject" or a different structural + object class (e.g. "inetOrgPerson"). For "pykotaObject" please select + "PyKota (pykotaUserStructural(*))" and "PyKota (pykotaUser)" in all + other cases. + + + + + + + + + + To display the job history please setup the job DN on tab "Module + settings": + + + + + + + + + + Now you can add the PyKota extension to your user accounts. Here + you can setup the printing options and add payments for this + user. + + For LAM Pro there are also self service fields to allow users e.g. + to view their current balance and job history. + + + + + + + + + + You may also view the payment and job history. + + + + + + + + + + + + + + + + +
+ +
+ Password policy (LAM Pro) + + OpenLDAP supports the ppolicy overlay + to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to + user accounts. + + Please add the account type "Password policies" to your LAM server + profile and activate the "Password policy" module for the user + type. + + + + + + + + + + You can select the password policy and force a password change on + next login. Accounts can also be (un)locked. + + + + + + + + + + You can assign any password policy which is found in the LDAP + suffix of the "Password policies" type. When you set the policy to + "default" then OpenLDAP will use the default policy as defined in your + slapd.conf file. + + Attention: Locking and unlocking + requires that you also activate the option "Lockout users" in the + assigned password policy. Otherwise, it + will have no effect. +
+ +
+ Account locking for 389ds (LAM Pro) + + This module allows you to display if users are locked by 389ds + server. You can (de)activate your users. The password expiration time + can also be managed. + + Requirements: 389ds LDAP server + + Configuration + + Please add the user module "Account locking + (locking389ds)". + + + + + + + + + + This will show the password expiration time. You can edit the + value if needed. + + If there are any failed login attempts then LAM displays their + number and till when the user is locked by the system. + + The limit of failed login attempts and lockout duration is + configured on your LDAP server and not within LAM. + + + + + + + + + + You can unlock the user by clicking on the lock icon. + + Here you can also (de)activate the account. + + Note: Accounts are only locked by the LDAP server due to failed + password attempts. You cannot manually lock an account. Deactivate it in + case you want to disable login for a user. + + + + + + + + +
+ +
+ FreeRadius + + FreeRadius is a software that implements the RADIUS authentication + protocol. LAM allows you to mange several of the FreeRadius + attributes. + + To activate the FreeRadius plugin please activate the FreeRadius + user module in your server profile: + + + + + + + + + + You can disable unneeded fields on the tab "Module settings". Here + you can also set the DN where your Radius profile templates are stored + if you use the option "Profile". + + + + + + + + + + Now you will see the tab "FreeRadius" when editing users. The + extension can be (de)activated for each user. You can setup e.g. realm, + IP and expiration date. + + + + + + + + +
+ +
+ Heimdal Kerberos (LAM Pro)
+
+ You can manage your Heimdal Kerberos accounts with LAM Pro. Please
+ add the user module "Kerberos (heimdalKerberos)" to activate this
+ feature.
+
+ Setup password changing
+
+ LAM Pro cannot generate the password hashes itself because Heimdal
+ uses a propietary format for them. Therefore, LAM Pro needs to call e.g.
+ kadmin to set the password.
+
+ The wildcards @@password@@ and @@principal@@ are replaced with
+ password and principal name. Please use keytab authentication for this
+ command since it must run without any interaction.
+
+ Example to create a keytab: ktutil -k /root/lam.keytab add -p
+ lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1
+
+ Security hint: Please secure your LAM Pro server since the new
+ passwords will be visible for a short term in the process list during
+ password change.
+
+
+
+
+
+
+
+
+
+ User management
+
+ You can specify the principal/user name, ticket lifetimes and
+ expiration dates. Additionally, you can set various account
+ options.
+
+
+
+
+
+
+
+
+
+ +
+ MIT Kerberos (LAM Pro)
+
+ You can manage your MIT Kerberos accounts with LAM Pro. Please add
+ the user module "Kerberos (mitKerberos)" to activate this feature. If
+ you want to manage entries based on the structural object class
+ "krbPrincipal" please use "Kerberos (mitKerberosStructural)"
+ instead.
+
+ Setup password changing
+
+ LAM Pro cannot generate the password hashes itself because MIT
+ uses a propietary format for them. Therefore, LAM Pro needs to call
+ kadmin/kadmin.local to set the password.
+
+ LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to
+ set the password. Please use keytab authentication for this command
+ since it must run without any interaction.
+
+ Keytabs may be created with the "ktutil" application.
+
+ Security hint: Please secure your LAM Pro server since the new
+ passwords will be visible for a short term in the process list during
+ password change.
+
+ Example commands:
+
+
+
+ /usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p
+ realm/changepwd
+
+
+
+ sudo /usr/sbin/kadmin.local
+
+
+
+
+
+
+
+
+
+
+
+ User management
+
+ You can specify the principal/user name, ticket lifetimes and
+ expiration dates. Additionally, you can set various account
+ options.
+
+
+
+
+
+
+
+
+
+ +
+ Mail aliases + + This module allows to add/remove the user in mail alias + entries. + + Note: You need to activate the + mail alias type for this + module. + + To activate mail aliases for users please select the module "Mail + aliases (nisMailAliasUser)": + + + + + + + + + + On tab Module settings you can select if you want to set the user + name or email as recipient in alias entries. + + + + + + + + + + Now you will see the mail aliases tab when editing an user. + + The red cross will only remove the user from the alias entry. If + you click the trash can button then the whole alias entry (which may + contain other users) will be deleted. + + + + + + + + + + You can add the user to existing alias entries or create completly + new ones. + + + + + + + + +
+ +
+ Qmail (LAM Pro) + + LAM Pro manages all qmail attributes for users. This includes mail + addresses, ID numbers and quota settings. + + Please note that the main mail address is managed on tab + "Personal" if this module is active. Otherwise, it will be on the qmail + tab. + + + + + + + + + + You can hide several qmail options if you do not want to manage + them with LAM. This can be done on the module settings tab of your LAM + server profile. + + + + + + + + +
+ +
+ Mail routing + + LAM supports to manage mail routing for user accounts. + + Module activation: + + This feature can be activated by adding the "Mail routing" module + to the user account type in your server profile. + + + + + + + + + + Usage: + + You can specify a routing address, the mail server and a number of + local addresses to route. + + In case you want to add this extension by default for new users + there is an option in profile editor. + + + + + + + + +
+ +
+ SSH keys + + You can manage your public keys for SSH in LAM if you installed + the LPK patch for + SSH. Activate the "SSH public key" module for users in the + server profile and you can add keys to your user entries. + + + + + + + + +
+ +
+ Authorized services + + You can setup PAM to check if a user is allowed to run a specific + service (e.g. sshd) by reading the LDAP attribute "authorizedService". + This way you can manage all allowed services via LAM. + + + + To activate this PAM feature please setup your /etc/libnss-ldap.conf and set + "pam_check_service_attr" to "yes". + + + + Inside LAM you can now set the allowed services. You may also + setup default services in your account profiles. + + + + + + + + + + You can define a list of services in your LAM server profile that + is used for autocompletion. + + + + + + + + + + The autocompletion will show all values that contains the entered + text. To display the whole list you can press backspace in the empty + input field. Of course, you can also insert a service name that is not + in the list. + + + + + + + + +
+ +
+ IMAP mailboxes + + LAM may create and delete mailboxes on an IMAP server for your + user accounts. You will need an IMAP server that supports either SSL or + TLS for this feature. + + To activate the mailbox management module please add the "Mailbox + (imapAccess)" module for the type user in your LAM server + profile: + + + + + + + + + + Now configure the module on the tab "Module settings". Here you + can specify the IMAP server name, encryption options, the authentication + for the IMAP connection and the valid mail domains. LAM can use either + your LAM login password for the IMAP connection or display a dialog + where you need to enter the password. It is also possible to store the + admin password in your server profile. This is not recommended for + security reasons. + + The user name can either be a fixed name (e.g. "admin") or it can + be generated with LDAP attributes of the LAM admn user. E.g. $uid$ will + be transformed to "myUser" if you login with + "uid=myUser,ou=people,dc=example,dc=com". + + The mail domains specify for which accounts mailboxes may be + created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can be + managed for "user@lam-demo.org" but not for "user@example.com". Use "*" + for any domain. + + You need to install the SSL certificate of the CA that signed your + server certificate. This is usually done by installing the certificate + in /etc/ssl/certs. Different Linux distributions may offer different + ways to do this. For Debian please copy the certificate in + "/usr/local/share/ca-certificates" and run "update-ca-certificates" as + root. + + It is not recommended to disable the validation of IMAP server + certificates. + + The prefix, user name attribute and path separator specifies how + your mailboxes are named (e.g. "user.myUser@localhost" or + "user/myUser"). Select the values depending on your IMAP server + settings. + + You can specify a list of initial folder names to create for new + mailboxes. 
LAM will then create them with each new mailbox. + + + + + + + + + + When you edit an user account then you will now see the tab + "Mailbox". Here you can create/delete the mailbox for this user. + + + + + + + + +
+ +
+ IP addresses (LAM Pro) + + You can manage the IP addresses of user accounts (e.g. assigned by + DHCP) with the ipHost module. + + Configuration + + + + + + + + + + User editing + + + + + + + + +
+ +
+ Account + + This is a very simple module to manage accounts based on the + object class "account". Usually, this is used for host accounts only. + Please pay attention that users based on the "account" object class + cannot have contact information (e.g. telephone number) as with + "inetOrgPerson". + + You can enter a user/host name and a description for your + accounts. + + + + + + + + +
+
+ +
+ Groups + + + +
+ Unix + + This module is used to manage Unix group entries. This is the + default module to manage Unix groups and uses the nis.schema. Suse users + who use the rfc2307bis.schema need to use LAM + Pro. + + Configuration + + Please add the account type "Groups" and then select account + module "Unix (posixGroup)". + + + + + + + + + + GID generator: LAM will suggest GID numbers for your accounts. + Please note that it may happen that there are duplicate IDs assigned if + users create groups at the same time. Use an overlay + like "Attribute Uniqueness" (example) if you have lots of LAM + admins creating groups. + + + + Fixed range: LAM searches for free numbers within the given + limits. LAM always tries to use a free GID that is greater than the + existing GIDs to prevent collisions with deleted groups. + + + + Samba ID pool: This uses a special LDAP entry that includes + attributes that store a counter for the last used UID/GID. Please + note that this requires that you install the Samba schema and create + an LDAP entry of object class "sambaUnixIdPool". + + + + Magic number: Use this if your LDAP server assigns the GID + numbers automatically (e.g. DNA by 389 server). Enter the server's + magic number setting. + + + + Disable membership management: Disables group membership + management. This is useful if memberships are e.g. managed via group of + names. + + + + + + + + + + Group management: + + + + + + + + + + Group membership management: + + + + + + + + +
+ +
+ Unix groups with rfc2307bis schema (LAM Pro) + + Some applications (e.g. Suse Linux) use the rfc2307bis schema for + Unix accounts instead of the nis schema. In this case group accounts are + based on the object class groupOf(Unique)Names or namedObject. The + object class posixGroup is auxiliary in this case. + + LAM Pro supports these groups with a special account module: + rfc2307bisPosixGroup + + Use this module only if your system depends on the rfc2307bis + schema. The module can be selected in the LAM configuration. Instead of + using groupOfNames as basis for your groups you may also use + namedObject. + + Module activation: + + + + + + + + + + GID generator: LAM will suggest GID numbers for your accounts. + Please note that it may happen that there are duplicate IDs assigned if + users create groups at the same time. Use an overlay + like "Attribute Uniqueness" (example) if you have lots of LAM + admins creating groups. + + + + Fixed range: LAM searches for free numbers within the given + limits. LAM always tries to use a free GID that is greater than the + existing GIDs to prevent collisions with deleted groups. + + + + Samba ID pool: This uses a special LDAP entry that includes + attributes that store a counter for the last used UID/GID. Please + note that this requires that you install the Samba schema and create + an LDAP entry of object class "sambaUnixIdPool". + + + + Magic number: Use this if your LDAP server assigns the GID + numbers automatically (e.g. DNA by 389 server). Enter the server's + magic number setting. + + + + Disable membership management: Disables group membership + management. This is useful if memberships are e.g. managed via group of + names. + + Force sync with group of names: This will automatically set the + group memberships of the Unix part to the same members as set on group + of names tab. + + + + + + + + + + The GID number will be filled automatically based on the server + profile configuration. 
+ + + + + + + + + + Group members can be edited and also synced with Group of (unique) + names. + + + + + + + + +
+ +
+ Samba 3 + + LAM supports managing Samba 3 groups. You can set special group + types and also create Windows predefined groups like "Domain + admins". + + Module activation: + + + + + + + + + + Group editing: + + + + + + + + +
+ +
+ Windows (Samba 4) + + LAM can manage your Windows groups. Please enable the account type + "Groups" in your LAM server profile and then add the group module + "Windows (windowsGroup)(*)". + + + + + + + + + + The default list attributes are for Unix and not suitable for + Windows (blank lines in account table). Please use + "#cn;#member;#description" or select your own attributes to display in + the account list. + + + + + + + + + + NIS support is deactivated by default. Enable it if needed on tab + "Module settings". + + + + + + + + + + Now you can edit your groups inside LAM. You can manage the group + name, description and its type. Of course, you can also set the group + members. + + Group scopes: + + + + Global: Use this for groups with frequent changes. Global + groups are not replicated to other domains. + + + + Universal: Groups with universal scope are used to consolidate + groups that span domains. They are globally replicated. + + + + Domain local: Groups with domain local scope can be used to + set permissions inside one domain. They are not replicated to other + domains. + + + + Group type: + + + + Security: Use this group type to control permissions. + + + + Distribution: These groups are only used for email + applications. They cannot be used to control permissions. + + + + With "Show effective members" you can show a list of all members + of this group including members of subgroups and their subgroups. + + + + + + + + +
+ +
+ Kolab + + Please activate the Kolab group module in your LAM server profile + to activate Kolab support. + + + + + + + + + + You can specify the email address and also set allowed sender and + recipient addresses. + + + + + + + + +
+ +
+ Mail routing + + LAM supports to manage mail routing for group accounts. + + Module activation: + + This feature can be activated by adding the "Mail routing" module + to the group account type in your server profile. + + + + + + + + + + Usage: + + You can specify a routing address, the mail server and a number of + local addresses to route. + + In case you want to add this extension by default for new groups + there is an option in profile editor. + + + + + + + + +
+ +
+ Quota + + You can manage file system quotas with LAM. This requires to setup + lamdaemon. File system quotas are not + stored inside LAM but managed directly on the specified servers. + + + + + + + + +
+ +
+ PyKota + + There are two LAM group modules depending if your group entries + should be built on object class "pykotaObject" or a different structural + object class (e.g. "posixGroup"). For "pykotaObject" please select + "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)" in all + other cases. + + + + + + + + + + Now you can add the PyKota extension to your groups. + + + + + + + + +
+
+ +
+ Hosts + +
+ Account + + Please see the description here. +
+ +
+ Device (LAM Pro) + + The device object class allows to manage general information about + all sorts of devices (e.g. computers, network hardware, ...). You can + enter the serial number, location and a describing text. It is also + possible to specify the owner of the device. + + + + + + + + +
+ +
+ Samba 3 + + You can manage Samba 3 host entries by adding the Unix and Samba 3 + account modules. + + + + + + + + + + + + + + + + +
+ +
+ Windows (Samba 4) + + LAM can manage your Windows servers and workstations. Please + enable the account type "Hosts" in your LAM server profile and then add + the host module "Windows (windowsHost)(*)". + + + + + + + + + + The default list attributes are for Unix and not suitable for + Windows (blank lines in account table). Please use + "#cn;#description;#location" or select your own attributes to display in + the account list. + + + + + + + + + + Now you will see you computer accounts inside LAM. You can set + e.g. the server's description and location information. + + + + + + + + +
+ +
+ IP addresses (LAM Pro) + + You can manage the IP addresses of host accounts with the ipHost + module. It manages the following information: + + + + IP addresses (IPv4/IPv6) + + + + location of the host + + + + manager: the person who is responsible for the host + + + + You can activate this extension by adding the module ipHost to the + list of active host modules. + + + + + + + + +
+ +
+ MAC addresses + + Hosts can have an unlimited number of MAC addresses. To enable + this feature just add the "MAC address" module to the host account + type. + + + + + + + + +
+ +
+ Puppet + + LAM supports to manage your Puppet configuration. You can edit + all attributes like environment, classes, variables and parent + node. + + Configuration + + To activate this feature please edit your LAM server profile and + add the host module "Puppet (puppetClient)" on tab "Modules". This will + add the Puppet tab to your host pages. + + + + + + + + + + On tab "Module settings" in your LAM server profile you may also + setup some common environment names. LAM will use them to provide + autocompletion hints when editing the environment for a node. + + If you enter any value in "Enforce classes" then LAM will only + accept this list of classes. + + + + + + + + + + Editing nodes + + When you edit a host entry then you will see the tab "Puppet". + Here you can add/remove the Puppet extension and edit all + attributes. + + + + + + + + +
+ +
+ NIS net groups + + NIS netgroups can be used to e.g. restrict SSH access to your + machines. + + Configuration + + Please add the module "NIS net groups (nisNetGroupHost)" to the + list of active host modules. + + + + + + + + + + Host editing + + You will now see a new tab when editing hosts. Here you can assign + memberships in NIS net groups and also set user/domain. + + + + + + + + +
+
+ +
+ Samba 3 domains + + Samba 3 stores information about its domain settings inside LDAP. + This includes the domain name, its SID and some policies. You can manage + all these attributes with LAM. + + Please activate the account type "Samba domains" in your LAM server + profile. Please notice that Samba by default uses the LDAP root for domain + objects (e.g. dc=example,dc=com). + + + + + + + + + + This will add a new tab to LAM where you can manage domain + information. + + The domain name, SID and RID base can only be specified for new + domains and are not changeable via LAM at a later time. You may setup + several password policies for your Samba domains and also some RID options + that influence the creation of SIDs for users/groups/hosts. + + + + + + + + +
+ +
+ Group of (unique) names and group of members (LAM Pro) + + These classes can be used to represent group relations. Since they + allow DNs as members you can also use them to represent nested + groups. + + Configuration: + + Activate the account type "Group of names" in your LAM server + profile to use these account modules. Alternatively, you can use the + account type "Groups". + + + + + + + + + + + + + + + + + + Then add the module "Group of names (groupOfNames)", "Group of + unique names (groupOfUniqueNames)" or "Group of members + (groupOfMembers)". + + + + + + + + + + + + + + + + + + + + On the module settings tab you set some options like the display + format for members/owners and if fields like description should not be + displayed. + + + + + + + + + + Group management: + + Group of (unique) names have four basic attributes: + + + + Name: a unique name for the group + + + + Description: optional description + + + + Owner: the account which owns this group (optional) + + + + Members: the members of the group (at least one is + required) + + + + You can add any accounts as members. This includes other groups + which leads to nested groups. + + To show members of nested groups click on "Show effective members". + Please note that for large groups this will run lots of queries against + your LDAP server. + + + + + + + + +
+ +
+ Organizational roles (LAM Pro) + + This module manages roles via the organizationalRole object class. + There is also a user module + to manage memberships on the user edit page. + + Configuration: + + Activate the account type "Groups" in your LAM server profile to use + this account module. Alternatively, you can use the account type "Group of + names". + + + + + + + + + + + + + + + + + + Then add the module "Role (organizationalRole)". + + + + + + + + + + On the module settings tab you set some options like the display + format for members and if description should not be displayed. + + + + + + + + + + Role management: + + You can add any accounts as members. This includes other roles which + leads to nested roles (needs to be supported by LDAP client + applications). + + To show members of nested roles click on "Show effective members". + Please note that for large roles this will run lots of queries against + your LDAP server. + + + + + + + + +
+ +
+ Asterisk + + LAM includes large support for Asterisk. You can add Asterisk + extensions (including voicemail) to your users and also manage Asterisk + extensions. + + The Asterisk support for users can be added by selecting the + Asterisk and Asterisk voicemail modules for users in your LAM server + profile. This will add the following tabs to your user accounts. + + + + + + + + + + The Asterisk module allows to edit a large amount of attributes. + Therefore, you can hide unused fields. Please edit you server profile + (Module settings) to do so. + + + + + + + + + + Of course, the voicemail part of Asterisk is also supported. + + + + + + + + + + If you also want to manage Asterisk extensions then simply add the + account type "Asterisk extensions" and its module to your server + profile. + + LAM groups your Asterisk extension entries by extension name and + account context. If you edit an extension then you will see the Asterisk + entries as rules. LAM manages that all rule entries have the same owners + and assigns the priorities. + + + + + + + + +
+ +
+ Kopano (LAM Pro) + + Kopano is an OpenSource collaboration software. LAM Pro provides + support to manage Kopano user entries, groups, address lists and servers. + It covers all settings for these types including resource and quota + settings. + +
+ Users + + Configuration + + To enable Kopano support in LAM Pro please activate the Kopano + module for the user account type in you server profile: + + + + + + + + + + Adjust the suffix and list attributes to your needs. + + + + + + + + + + Then select the Kopano user module. You can combine it with + Personal module, Unix or Windows. + + + + + + + + + + Next configure the module to your needs. + + + + + Attention: LAM Pro uses the + Kopano OpenLDAP schema by default. This schema fits for OpenLDAP, + OpenDJ, Apache Directory server and other common LDAP servers. If you + run Samba 4 or Active Directory then you need to switch the schema to + "Active Directory" on the module settings tab. + + + + + You can hide options that you do not need. E.g. if you do not want + to manage quotas per user then you can hide these options. + + + + + Examples for your Zarafa ldap.cfg: + + "Send as" attribute: dn + + ldap_user_sendas_attribute_type = dn + + + + + "Send as" attribute: uid + + ldap_user_sendas_attribute_type = text + + ldap_user_sendas_relation_attribute = uid + + + + + Attention: If the Active Directory schema is used then LAM will + always use dn and ignore this setting. + + + + + + + + + + Usage + + LAM Pro will now display the Kopano tab on your users. This + includes email settings, quotas and some options (e.g. hide from address + book). You can also set the resource type and capacity for meeting rooms + and equipment. The Kopano extension can be added and removed at any time + for every user. + + + + + + + + +
+ +
+ Contacts + + Configuration + + The configuration is similar to users. Instead of the Kopano user + module please select the contact module. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Usage + + LAM Pro will now display the Kopano contact tab on your users. The + Kopano extension can be added and removed at any time for every + user. + + + + + + + + +
+
+ +
+ Zarafa (LAM Pro) + + Zarafa is an OpenSource collaboration software. LAM Pro provides + support to manage Zarafa server entries, users and groups. It covers all + settings for these types including resource and quota settings. + + LAM Pro is an official Zarafa Certified Integration. + + + + + + + +
+ Configuration + + To enable Zarafa support in LAM Pro please activate the Zarafa + modules for the Users, Groups and Hosts account types in you server + profile: + + + + + + + + + + Attention: LAM Pro uses the + Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP, + OpenDJ, Apache Directory server and other common LDAP servers. If you + run Samba 4 or Active Directory then you need to switch the schema to + "Active Directory" on the module settings tab: + + + + + + + + + + You can configure which parts of the Zarafa user options should be + enabled. E.g. if you do not want to manage quotas per user then you can + hide these options on the tab "Module settings". + + + + + "Send as" attribute: Here you can + specify how "Send as" privileges should be managed. LAM supports "uid" + and "dn". + + If you select "uid" the LAM will store user names in the + zarafaSendAsPrivilege attribute. This way you are restricted to specify + user accounts as "Send as" allowed. + + You can also set this option to "dn" and LAM will store DNs in the + zarafaSendAsPrivilege attribute. In this case you may specify users and + groups as "Send as" allowed. + + + + + Examples for your Zarafa ldap.cfg: + + "Send as" attribute: dn + + ldap_user_sendas_attribute_type = dn + + + + + "Send as" attribute: uid + + ldap_user_sendas_attribute_type = text + + ldap_user_sendas_relation_attribute = uid + + +Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting. + + - Managing database entries - - Each database has a service name, the connection string and an - optional description. + Features: Zarafa 7 allows to + enable IMAP/POP3 for each user. Please hide the option "Features" if you + use Zarafa 6.x. - + - Database client setup for - LDAP +
+ Users - You need to activate the LDAP adapter to make the database tools - reading LDAP. Edit network/admin/sqlnet.ora like this: + This is an example of the user edit page with all possible + settings. This includes email settings, quotas and some options (e.g. + hide from address book). You can also set the resource type and + capacity for meeting rooms and equipment. The Zarafa extension can be + added and removed at any time for every user. - NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP) + Please note that the option "Features" requires Zarafa 7. Please + hide this option in the LAM server profile if you run Zarafa + 6.x. - Then add a file called ldap.ora next to your sqlnet.ora and set - the LDAP server and DN suffix where cn=OracleContext is stored: + + + + + + + +
- DIRECTORY_SERVERS= (ldap.example.com:389:636) +
+ Contacts + + LAM Pro can manage your Zarafa contact entries. You can set the + email aliases and "send as" privileges. Additionally, accounts may be + hidden in the address book or disabled. + + Please note that you can either use the Zarafa user module or + Zarafa contact. LAM Pro will disable the other tab when enabling one + of them. + + + + + + + + +
+ +
+ Groups + + This is the edit page for groups. You can enter an email address + and additional aliases for your groups. It is also possible to specify + options (e.g. hide from address book). The extension can be + added/removed dynamically. + + Please note that the option "Send-as privileges" requires the + Zarafa 7.0.3 schema. Please hide this option in the LAM server profile + if you run Zarafa < 7.0.3. + + + + + + + + +
+ +
+ Servers + + The Zarafa extension for host accounts allows to set the + connection ports and file path. You can add/remove the extension at + any time. + + Setting the public store option is only possible for new host + entries. + + Please note that the proxy URL option requires the Zarafa 7.1 + schema. Please hide this option in your LAM server profile if you use + an older version. + + + + + + + + +
+ +
+ Address lists + + Zarafa allows to store address lists in LDAP. You need to define + a search base and LDAP filter for each address list. E.g. entering + "ou=people,dc=company,dc=com" as base and "uid=*" will select all + users that are stored in "ou=people,dc=company,dc=com". + + You can also hide your lists from the address book or + temporarily disable them. + + + + + + + + +
+ +
+ Dynamic groups + + Zarafa allows to define dynamic groups in LDAP. You need to + define a search base and LDAP filter for each group. E.g. entering + "ou=people,dc=company,dc=com" as base and "uid=*" will select all + users that are stored in "ou=people,dc=company,dc=com". + + Dynamic groups may have an email address and multiple email + alias addresses. + + You can also hide your dynamic groups from the address book or + temporarily disable them. + + + + + + + + +
+
+
+ +
+ Kolab shared folders + + Please add the account type "Kolab shared folders" in your LAM + server profile and set the correct LDAP suffix. + + + + + + + + + + + + + + + + + + + + + Then add the "Kolab shared folder" module on tab "Modules". + + + + + + + + + + Now you can start to add shared folders inside LAM. + + + + + + + + +
+ +
+ DHCP + + You can mange your DHCP server with LAM. It supports to manage + subnets, fixed IP entries, IP ranges and DDNS. + + Configuration + + The DHCP management can be activated by adding the account type DHCP + to your server profile. Please also add the DHCP modules. + + LAM requires that you use an LDAP entry with the object class + "dhcpService" or "dhcpServer" as suffix for this account type. If the + "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN" + then you need to use the DN of the "dhcpService" entry as LDAP suffix for + DHCP. + + + + + Add account type: + + + + + + + + + + Set suffix: + + + + + + + + + + Add modules: + + + + + + + + + + Example server + entry: + + dn: + cn=server,ou=dhcp,dc=ldap-account-manager,dc=org + + objectclass: dhcpServer + + objectclass: dhcpOptions + + objectclass: top + + cn: server + + dhcpcomments: My DHCP server + + dhcpoption: domain-name + "ldap-account-manager.org" + + dhcpoption: domain-name-servers 192.168.1.1 + + dhcpoption: routers 192.168.1.1 + + dhcpoption: netbios-name-servers 192.168.1.1 + + dhcpoption: subnet-mask 255.255.255.0 + + dhcpoption: netbios-node-type 8 + + dhcpstatements: default-lease-time 3600 + + dhcpstatements: max-lease-time 7200 + + dhcpstatements: include "mykey" + + dhcpstatements: ddns-update-style interim + + dhcpstatements: update-static-leases true + + dhcpstatements: ignore client-updates + + + + + Example settings for + dhcpd.conf: + + ddns-update-style none; + + deny unknown-clients; + + ldap-server "server"; + + ldap-dhcp-server-cn "server"; + + ldap-port 389; + + ldap-username + "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org"; + + ldap-password "{SSHA}XXXXXXXXXXXX"; + + ldap-base-dn + "ou=dhcp,dc=ldap-account-manager,dc=org"; + + ldap-method dynamic; + + ldap-debug-file + "/var/log/dhcp-ldap-startup.log"; + + + + + + + slapd.conf changes: + + include /etc/ldap/schema/dhcp.schema + + index dhcpHWAddress eq + + index dhcpClassData eq +Run slapindex to 
rebuild the index. + + + + You can manage the settings of your DHCP service/server + entry: + + + + + + + + + + You can easily create new subnet entries. + + + + + + + + + + It is also possible to specify a list of fixed IPs. + + + + + + + + + + IP ranges may be specified. + + If you use failover pools for your IP ranges please use the pool + options on the bottom. Here you can add DHCP pools (object class + "dhcpPool") and specify the failover peer. + + + + + + + + + + If you activated DDNS in the server entry then you may also specify + the DDNS settings for this subnet. + + + + + + + + +
+ +
+ Bind DLZ (LAM Pro) + + Bind DLZ is an + extension to the DNS server Bind that allows to store + DNS entries inside LDAP. Please install the Bind DLZ schema file on your + LDAP server. It is part of the DLZ patch. + + Configuration + + First, you need to add the Bind DNS account type and the Bind DLZ + module: + + + + + + + + + + Please set the LDAP suffix either to an existing DNS zone (dlzZone) + or an organizational unit that should include your DNS zones. + + + + + + + + + + + + + + + + + + + + + Automatic PTR management + + LAM can automatically create/delete PTR entries for the entered + IPv4/6 records. You can enable this feature on the module settings + tab. + + PTR records will get the same TTL as IP records. Please note that + you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa") + under the same suffix as your other DNS entries. + + + + + + + + + + Zone management + + If you do not yet have a DNS zone then LAM can create one for you. + In list view switch the suffix to an organizational unit DN. Now you will + see a button "New zone". + + This will create the zone container entry and a default DNS entry + "@" for authoritative information. Now switch the suffix to your new zone + and start adding DNS entries. + + + + + + + + + + DNS entries + + LAM supports the following DNS record types: + + + + SOA: authoritative information + + + + NS: name servers + + + + A/AAAA: IP addresses + + + + PTR: reverse DNS entries + + + + CNAME: alias names + + + + MX: mail servers + + + + TXT: text records + + + + SRV: service entries + + + + + + + Authoritative (SOA) and name server (NS) + records + + Here you can manage general information about the zone like timeouts + and name servers. Please note that name servers must be inserted in a + special format (dot at the end). + + + + + + + + + + + + + IP addresses (A/AAAA) + + LAM will automatically set the correct type (A/AAAA) depending if + you enter an IPv4 or IPv6 address. 
+ + + + + + + + + + + + + Reverse DNS entries + + Reverse DNS entries are important when you need to find the DNS name + that is associated with a given IP address. Reverse DNS entries are stored + in a separate DNS zone. + + + + + + + + + + + + + Alias names (CNAME) + + Sometimes a DNS entry should simply point to a different DNS entry + (e.g. for migrations). This can be done by adding an alias name. + + + + + + + + + + + + + Mail servers (MX) + + The mail server entries define where mails to a domain should be + delivered. The server with the lowest preference has the highest + priority. + + + + + + + + + + + + + Text records (TXT) + + Text records can be added to store a description or other data (e.g. + SPF information). + + + + + + + + + + + + + Services (SRV) + + Service records can be used to specify which servers provide common + services such as LDAP. Please note that the host name must be + _SERVICE._PROTOCOL (e.g. _ldap._tcp). + + + + + Priority: The priority of the target host, lower value means more + preferred. + + Weight: A relative weight for records with the same priority. E.g. + weights 20 and 80 for a service will result in 20% queries to the one + server and 80% to the other. + + Port: The port number that is used for your service. + + Server: DNS name where service can be reached (with dot at the + end). + + + + + + + + + + + + + File upload + + You can upload complete DNS zones via LAM's file upload. Here is an + example for a zone file and the corresponding CSV file. + + + Zone file + + + + + @ + + IN + + SOA + + ns1.example.com admin.ns1.example.com (1 360000 3600 + 3600000 370000) + + + + + + IN + + NS + + ns1.example.com. + + + + + + IN + + NS + + ns2.example.com. + + + + + + IN + + MX + + 10 mail1.example.com + + + + + + IN + + MX + + 20 mail2.example.com + + + + foo + + IN + + A + + 123.123.123.100 + + + + foo2 + + IN + + CNAME + + foo.example.com + + + + bar + + IN + + A + + 123.123.123.101 + + + + + + IN + + AAAA + + 1:2:3:4:5 + + + +
+ + Please check that you have an existing zone entry that can be used + for the file upload. See above to create a new zone. + + Hint: If you use the function above to create a new zone then please + skip the "@" entry in the CSV file below. LAM creates this entry with + sample data. + + In this example we assume that the following zone extry + exists: + + dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com +dlzzonename: example.com +objectclass: dlzZone +objectclass: top + + + + Here is the corresponding CSV file: bindUpload.csv +
+ +
+ Aliases (LAM Pro) + + Some applications use the object class "alias" to link LDAP entries + to other parts of the LDAP tree. Activate the account type "Aliases" in + your LAM server profile to use this account type. + + Currently, only user accounts can be aliased with the "uidObject" + object class. + + + + + + + + + + + + + + + + +
+ +
+ Mail aliases + + You can manage mail aliases (e.g. for NIS) inside LAM. This can be + used to replace local /etc/aliases files with LDAP. + + Note: Use the mail alias user + module to manage mail aliases on user pages. + + All accounts of this type are based on the "nisMailAlias" object + class and may have "cn" and "rfc822MailMember" attributes. To activate + this type please add "Mail aliases" in your LAM server profile: + + + + + + + + + + You need to select the Mail aliases module on the next tab. + + + + + + + + + + The mail aliases will then appear as separate tab inside LAM. You + may then manage the aliases with their names and recipient + addresses. + + There are mail/user icons that allow to select a mail address/user + name from the existing users. + + + + + + + + +
+ +
+ NIS net groups + + LAM supports to define NIS netgroups. You can use them e.g. to + restrict SSH access to your machines. + + Add the NIS net group account type and its module to your server + profile. Then you can manage net groups in LAM. Net groups may contain + other net groups as child groups. You can either insert the host/user + names manually or print the search buttons next to the input fields to + find existing entries in your directory. + + + + + + + + +
+ +
+ NIS objects (LAM Pro) + + You can manage NIS objects with LAM Pro. This allows you define + network mount points in LDAP. + + Add the NIS objects type to your LAM configuration and then the NIS + objects module. This will add the NIS objects tab to LAM. + + + + + + + + +
+ +
+ Automount objects (LAM Pro) + + LAM Pro allows you to manage automount entries. Please activate the + account type "Automount objects" in your LAM Pro server profile. + + + + + + + + + + Then add the correct automount module. Usually, this is "Automount + entry (automount)". If you use Suse Linux with RFC2307bis schema please + select "Automount entry (rfc2307bisAutomount)". + + + + + + + + + + This will add a new tab to LAM Pro's main screen which includes a + list of all automount entries. Here you can easily create new + entries. + + + + + + + + + + Please see the following external HowTos for more information on + automounting and LDAP: + + + + AutofsLDAP + + + + Automount + über LDAP (German) + + +
+ +
+ Oracle databases (LAM Pro) + + Oracle allows to manage connection data that is stored in + tnsnames.ora to be stored in an LDAP directory. + + Initial setup + + LDAP server setup: + + You will need to install the correct Oracle LDAP schema files on + your LDAP server. If you run no Oracle LDAP server then you can get them + (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from + here. + + Next you need to create the root entry for Oracle. It should look + like this: + + dn: cn=OracleContext,dc=example,dc=com +objectclass: orclContext +cn: OracleContext + + You can create it with LAM's tree view. Please note that "cn" must + be set to "OracleContext". + + + + + LAM setup: + + Edit your LAM server profile and add the Oracle account type: + + + + + + + + + + In case you manage a single Oracle context just enter the + cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle + context entries then set the LDAP suffix to a parent entry of them. + + + + + + + + + + Next, add the Oracle module: + + + + + + + + + + Now you can login to LAM and start to add database + entries. + + + Managing database entries + + Each database has a service name, the connection string and an + optional description. + + + + + + + + + + Database client setup for + LDAP + + You need to activate the LDAP adapter to make the database tools + reading LDAP. Edit network/admin/sqlnet.ora like this: + + NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP) + + Then add a file called ldap.ora next to your sqlnet.ora and set the + LDAP server and DN suffix where cn=OracleContext is stored: + + DIRECTORY_SERVERS= (ldap.example.com:389:636) DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de" DIRECTORY_SERVER_TYPE = OID - This will allow e.g. tnsping to get the connection data from - LDAP: + This will allow e.g. 
tnsping to get the connection data from + LDAP: - [oracle@oracle bin]$ tnsping mydb + [oracle@oracle bin]$ tnsping mydb TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54 @@ -4141,918 +4284,911 @@ Used parameter files: Used LDAP adapter to resolve the alias Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl))) OK (10 msec) -
- -
- Password policies (LAM Pro) - - OpenLDAP supports the ppolicy overlay - to manage password policies for LDAP entries. This allows you to set - password policies which are independent from your applications. The - policies are managed internally by the LDAP server. - - You can manage these policies with LAM Pro with the account type - "Password policies". - - - - - - - - - - You will need to add the ppolicy schema to your OpenLDAP - configuration and activate the ppolicy overlay - module in slapd.conf to use this feature. -
- -
- PyKota printers - - Please add the account type "Printers (PyKota printers)" on tab - "Account types" in your server profile and setup the LDAP suffix where - printers are stored. - - - - - - - - - - - - - - - - - - Then add the PyKota printer module on tab "Account - modules". - - - - - - - - - - Next you can start managing printers inside LAM. Here you can - setup the costs for a print job. LAM will also show if the printer is - member of any printer groups. - - - - - - - - - - You can also setup printer groups. Just add some members to your - new group. - - - - - - - - -
- -
- PyKota billing codes - - Please add the account type "Billing codes" on tab "Account types" - in your server profile and setup the LDAP suffix where billing codes are - stored. - - - - - - - - - - - - - - - - - - Then add the PyKota billing code module on tab "Account - modules". - - - - - - - - - - Now login to LAM and you will see the billing code tab where you - can manage your entries. If jobs were printed with a billing code then - you will also see the balance and page count. - - - - - - - - -
- -
- Custom fields (LAM Pro) - - This module allows you to manage LDAP attributes that are not - covered by the other LAM modules (e.g. if you use custom LDAP schemas). - You can fully define how your input fields look like: - - - - Label - - - - LDAP attribute name - - - - Unique name for field - - - - Help text - - - - Read-only display - - - - Field type: text, password, text area, checkbox, radio - buttons, select list, file upload - - - - Validation via regular expression - - - - Error message if validation fails - - - - Limitations: - - Custom fields cannot manage - - - - structural object classes - - - - attributes that require validation rules across multiple - attributes or cannot be described by a simple regular - expression - - - - Activating the custom fields - module: - - You may specify custom fields for all of your account types. - Please enter tab "Modules" in your server profile. Now activate the - "Custom fields (customFields)" module for all needed account - types. - - - - - - - - - - Setting label and icon: - - You may set the label that is displayed e.g. on the tab when - editing an account. It is also possible to specify an icon (must be a - valid URL like "/images/icon.png" or "http://server/images/icon.png"). - The icon size should be 32x32 pixels. - - LAM will display a default icon and "Custom fields" as label if - you do not enter any values. - - You may also specify how LAM displays cutom fields when there are - multiple field groups. The default is accordion view where you can - switch field groups by clicking on the title. You may also deactivate - this mode. Then all field groups are displayed one below the - other. - - - - - - - - - - Defining groups: - - All input fields are devided into groups. A group may contain one - or more object classes and allows you to add/remove a certain set of - input fields. - - E.g. 
you may define two groups - "My application A" and "My - application B" - that manage different LDAP attributes and object - classes. This way you will be able to control both attribute sets - independently. - - To create a group please edit your server profile and switch to - tab "Module settings". You will see the section "Custom fields" which - allows you to add new groups. Now select your account type (e.g. Users) - and specify an alias for your group. This alias will be printed as group - header when you later edit an account in the admin interface. - - - - - - - - - - After you created your new group you can setup the managed object - classes. If you specify any object classes then you will later be able - to add/remove a complete set of attributes including their object - classes. - - Skipping the object classes field is only useful if you want to - manage some attributes that are not yet supported by LAM but there is - already a LAM module that manages the object class. - - - - - - - - - - The group may look like when you edit a user. - - - - - - - - - - - - - - - - - - Adding fields: - - Now you can add a new field that manages an LDAP attribute. Simply - fill the fields and press on "Add". - - Please note that the field name cannot be changed later. It is the - unique ID for this field. - - - - - - - - - - Examples for fields and their representation: - - Text field: - - Text fields allow to specify a validation - expression and error message. - - You can also enable auto-completion. In this case LAM will search - all accounts for the given attribute and provide auto-completion hints - when the user edits this field. This should only be used if there is a - limited number of different values for this attribute. - - In case your field is a date value you can show a calendar for - easy editing. 
- - Example calendar formats: - - - - dd.mm.yy: 31.12.2016 - - - - yy-mm-dd: 2016-12-31 - - - - d M, y: 31 Dec, 16 - - - - d MM, y: 31 December, 2016 - - - - - - - - - - - - Presentation: - - - - - - - - - - Password field: - - You can also manage custom password fields. LAM Pro will display - two fields where the user must enter the same password. You can hash the - password if needed. - - - - - - - - - - Presentation: - - - - - - - - - - Text area: - - This adds a multi-line field. The options are similar to text - fields. Additionally, you can set the size with the number of columns - and rows. - - Please note that the validation - expression should be set to multi-line. This is done by adding - "m" at the end. - - - - - - - - - - Presentation: - - - - - - - - - - Checkbox: - - Sometimes you may want to allow only yes/no values for your LDAP - attributes. This can be represented by a checkbox. You can specify the - values for checked and unchecked. The default value is set if the LDAP - attribute has no value. - - - - - - - - - - Presentation: - - - - - - - - - - Radio buttons: - - This displays a list of radio buttons where the user can select - one value. - - You can specify a mapping of LDAP attribute values and their - display (label) on the Self Service page. To add more mapping fields - please press "Add more mapping fields". - - - - - - - - - - Presentation: - - - - - - - - - - Select list: - - Select lists allow the user to select a value in a large list of - options. The definition of the possible values and their display is - similar to radio buttons. - - You can also allow multiple values. - - - - - - - - - - Presentation: - - - - - - - - - - - - - - - - - - Validation expressions: - - The validation expressions follow the standard of Perl regular - expressions. They start and end with a "/". The beginning of a - line is specified by "^" and the end by "$". - - Examples: - - /^[a-z0-9]+$/ allows small letters and numbers. 
The value must not - be empty ("+"). - - /^[a-z0-9]+$/i allows small and capital letters ("i" at the end - means ignore case) and numbers. The value must not be empty - ("+"). - - Special characters that must be escaped with "\": "\", ".", "(", - ")" - - E.g. /^[a-z0-9\.]$/i - - +
+ +
+ Password policies (LAM Pro) + + OpenLDAP supports the ppolicy overlay to + manage password policies for LDAP entries. This allows you to set password + policies which are independent from your applications. The policies are + managed internally by the LDAP server. + + You can manage these policies with LAM Pro with the account type + "Password policies". + + + + + + + + + + You will need to add the ppolicy schema to your OpenLDAP + configuration and activate the ppolicy overlay + module in slapd.conf to use this feature. +
+ +
+ PyKota printers + + Please add the account type "Printers (PyKota printers)" on tab + "Account types" in your server profile and setup the LDAP suffix where + printers are stored. + + + + + + + + + + + + + + + + + + Then add the PyKota printer module on tab "Account modules". + + + + + + + + + + Next you can start managing printers inside LAM. Here you can setup + the costs for a print job. LAM will also show if the printer is member of + any printer groups. + + + + + + + + + + You can also setup printer groups. Just add some members to your new + group. + + + + + + + + +
+ +
+ PyKota billing codes + + Please add the account type "Billing codes" on tab "Account types" + in your server profile and setup the LDAP suffix where billing codes are + stored. + + + + + + + + + + + + + + + + + + Then add the PyKota billing code module on tab "Account + modules". + + + + + + + + + + Now login to LAM and you will see the billing code tab where you can + manage your entries. If jobs were printed with a billing code then you + will also see the balance and page count. + + + + + + + + +
+ +
+ Custom fields (LAM Pro) + + This module allows you to manage LDAP attributes that are not + covered by the other LAM modules (e.g. if you use custom LDAP schemas). + You can fully define how your input fields look like: + + + + Label + + + + LDAP attribute name + + + + Unique name for field + + + + Help text + + + + Read-only display + + + + Field type: text, password, text area, checkbox, radio buttons, + select list, file upload + + + + Validation via regular expression + + + + Error message if validation fails + + + + Limitations: + + Custom fields cannot manage + + + + structural object classes + + + + attributes that require validation rules across multiple + attributes or cannot be described by a simple regular + expression + + + + Activating the custom fields + module: + + You may specify custom fields for all of your account types. Please + enter tab "Modules" in your server profile. Now activate the "Custom + fields (customFields)" module for all needed account types. + + + + + + + + + + Setting label and icon: + + You may set the label that is displayed e.g. on the tab when editing + an account. It is also possible to specify an icon (must be a valid URL + like "/images/icon.png" or "http://server/images/icon.png"). The icon size + should be 32x32 pixels. + + LAM will display a default icon and "Custom fields" as label if you + do not enter any values. + + You may also specify how LAM displays cutom fields when there are + multiple field groups. The default is accordion view where you can switch + field groups by clicking on the title. You may also deactivate this mode. + Then all field groups are displayed one below the other. + + + + + + + + + + Defining groups: + + All input fields are devided into groups. A group may contain one or + more object classes and allows you to add/remove a certain set of input + fields. + + E.g. 
you may define two groups - "My application A" and "My + application B" - that manage different LDAP attributes and object classes. + This way you will be able to control both attribute sets + independently. + + To create a group please edit your server profile and switch to tab + "Module settings". You will see the section "Custom fields" which allows + you to add new groups. Now select your account type (e.g. Users) and + specify an alias for your group. This alias will be printed as group + header when you later edit an account in the admin interface. + + + + + + + + + + After you created your new group you can setup the managed object + classes. If you specify any object classes then you will later be able to + add/remove a complete set of attributes including their object + classes. + + Skipping the object classes field is only useful if you want to + manage some attributes that are not yet supported by LAM but there is + already a LAM module that manages the object class. + + + + + + + + + + The group may look like when you edit a user. + + + + + + + + + + + + + + + + + + Adding fields: + + Now you can add a new field that manages an LDAP attribute. Simply + fill the fields and press on "Add". + + Please note that the field name cannot be changed later. It is the + unique ID for this field. + + + + + + + + + + Examples for fields and their representation: + + Text field: + + Text fields allow to specify a validation + expression and error message. + + You can also enable auto-completion. In this case LAM will search + all accounts for the given attribute and provide auto-completion hints + when the user edits this field. This should only be used if there is a + limited number of different values for this attribute. + + In case your field is a date value you can show a calendar for easy + editing. 
+ + Example calendar formats: + + + + dd.mm.yy: 31.12.2016 + + + + yy-mm-dd: 2016-12-31 + + + + d M, y: 31 Dec, 16 + + + + d MM, y: 31 December, 2016 + + + + + + + + + + + + Presentation: + + + + + + + + + + Password field: + + You can also manage custom password fields. LAM Pro will display two + fields where the user must enter the same password. You can hash the + password if needed. + + + + + + + + + + Presentation: + + + + + + + + + + Text area: + + This adds a multi-line field. The options are similar to text + fields. Additionally, you can set the size with the number of columns and + rows. + + Please note that the validation + expression should be set to multi-line. This is done by adding "m" + at the end. + + + + + + + + + + Presentation: + + + + + + + + + + Checkbox: + + Sometimes you may want to allow only yes/no values for your LDAP + attributes. This can be represented by a checkbox. You can specify the + values for checked and unchecked. The default value is set if the LDAP + attribute has no value. + + + + + + + + + + Presentation: + + + + + + + + + + Radio buttons: + + This displays a list of radio buttons where the user can select one + value. + + You can specify a mapping of LDAP attribute values and their display + (label) on the Self Service page. To add more mapping fields please press + "Add more mapping fields". + + + + + + + + + + Presentation: + + + + + + + + + + Select list: + + Select lists allow the user to select a value in a large list of + options. The definition of the possible values and their display is + similar to radio buttons. + + You can also allow multiple values. + + + + + + + + + + Presentation: + + + + + + + + + + + + + + + + + + Validation expressions: + + The validation expressions follow the standard of Perl regular + expressions. They start and end with a "/". The beginning of a + line is specified by "^" and the end by "$". + + Examples: + + /^[a-z0-9]+$/ allows small letters and numbers. 
The value must not + be empty ("+"). + + /^[a-z0-9]+$/i allows small and capital letters ("i" at the end + means ignore case) and numbers. The value must not be empty ("+"). + + Special characters that must be escaped with "\": "\", ".", "(", + ")" + + E.g. /^[a-z0-9\.]$/i + + - File upload: + File upload: - This is used for binary data. You can restrict uploaded data to a - given file extension and set the maximum file size. - - - - - - - - + This is used for binary data. You can restrict uploaded data to a + given file extension and set the maximum file size. - Presentation: + + + + + + + - The uploaded data may also be downloaded via LAM. + Presentation: - - - - - - - -
+ The uploaded data may also be downloaded via LAM. -
- Custom scripts (LAM Pro) + + + + + + + +
- LAM Pro allows you to execute scripts whenever an account is - created, modified or deleted. This can be useful to automate processes - which needed manual work afterwards (e.g. sending your user a welcome - mail or register a mailbox). Additionally, you can specify manual scipts - that can be executed from within LAM Pro. +
+ Custom scripts (LAM Pro) - To activate this feature please add the "Custom scripts" module to - all needed account types on the configuration pages. + LAM Pro allows you to execute scripts whenever an account is + created, modified or deleted. This can be useful to automate processes + which needed manual work afterwards (e.g. sending your user a welcome mail + or register a mailbox). Additionally, you can specify manual scipts that + can be executed from within LAM Pro. - - - - - - - - - In "Module settings" you can specify multiple scripts for each - action type (e.g. modify) and account type (e.g. user). The scripts need - to be located on the filesystem of your webserver and will be executed - in its user environment. E.g. if you webserver runs as user www-data - with the group www-data then the custom scripts will be run under this - user with his rights. The output of the scripts will be shown in - LAM. - - You can specify the scripts on the LAM configuration pages. - - - - - - - - - - Syntax: - - Please enter one script per line. Each line has the following - format: <account type> <action> <script> - - E.g.: user preModify /usr/bin/myCustomScript -u $uid$ - - Account types: - - You can setup scripts for all available account types (e.g. user, - group, host, ...). Please see the help on the configuration page about - your current active account types. 
- - Actions: - - - Action types - - - - - Action name - - Description - - - - preCreate - - Executed before creating a new account (cancels operation - if a script returns an exit code > 0, not available for file - upload) - - - - postCreate - - Executed after creating a new account (does not run if preCreate or LDAP operations - fail) - - - - preModify - - Executed before an account is modified (cancels operation - if a script returns an exit code > 0) - - - - postModify - - Executed after an account was modified (does not run if preModify or LDAP operations - fail) - - - - preDelete - - Executed before an account is modified (cancels operation - if a script returns an exit code > 0) - - - - postDelete - - Executed after an account was modified (does not run if preDelete or LDAP operations - fail) - - - - manual - - Can be run manually on account page. If you add - LAMLABEL="text" before the command then LAM will use the text as - label for the button in account edit screen. - - - -
- - Script: - - You can execute any script which is located on the filesystem of - your webserver. The path may be absolute or relative to the - PATH-variable of the environment of your webserver process. It is also - possible to add commandline arguments to your scripts. Additionally, LAM - will resolve wildcards to LDAP attributes. If your script includes an - wildcard in the format $ATTRIBUTE$ then LAM will replace it with the - attribute value of the current LDAP entry. The values of multi-value - attributes are separated by commas. E.g. if you create an account with - the attribute "uid" and value "steve" then LAM will resolve "$uid$" to - "steve". - - Please note that manual scripts can only use the current LDAP - attribute values of the account. Any modifications done that are not - saved will not be available. Manual scripts are also not available for - new accounts that are not yet saved to LDAP. - - You can switch LAM's logging to debug mode if you are unsure which - attributes with which values are available. - - The following special wildcards are available for automatical - scripts: - - - - $INFO.userPasswordClearText$: - cleartext password when Unix/Windows password is changed (e.g. - useful for external password synchronisation) for new/modified - accounts - - - - $INFO.userPasswordStatusChange$: provides - additional information if the Personal/Unix password locking status - was changed, possible values: locked, unlocked, unchanged - - - - $INFO.passwordSelfResetAnswerClearText$: - cleartext answer to security question - - - - $INFO.389lockingStatusChange$: for 389ds - account locking, provides information if account was unlocked. - Possible values: unchanged, unlocked - - - - $INFO.389deactivationStatusChange$: for 389ds - account locking, provides information if account was deactivated. - Possible values: unchanged, activated, deactivated - - - - $NEW.<attribute>$: the - value of a new attribute (e.g. 
$NEW.telephoneNumber$) for modified - accounts - - - - $DEL.<attribute>$: the - value of a deleted attribute (e.g. $DEL.telephoneNumber$) for - modified accounts - - - - $MOD.<attribute>$: the - new value of a modified attribute (e.g. $MOD.telephoneNumber$) for - modified accounts - - - - $ORIG.<attribute>$: the - original value of an attribute (e.g. $ORIG.telephoneNumber$) for - modified accounts - - - - Output may contain HTML: If your - scripts generate HTML output then activate this option. - - Hide command in messages: You may - want to prevent that your users see the executed commands. In this case - activating this option will only show the command output but not the - command itself. - - - - You can see a preview of the commands which will be automatically - executed on the "Custom scripts" tab. Here you can also run the manual - scripts. - - - - - - - - -
- -
- Sudo roles (LAM Pro) - - You can manage your sudo roles in LDAP if you have installed the - sudo-ldap package or compiled sudo with LDAP - support. - - To activate sudo management in LAM Pro edit your server profile - and add the type "Sudo roles". - - - - - - - - - - - - - - - - - - Now you can create sudo commands. - - - - - - - - - - The sudo roles in LDAP work similar to those in /etc/sudoers. You - can specify who may run which commands as which user. It is also - possible to specify options like NOPASSWD. -
- -
- LDAP views based on nsview (LAM Pro) - - LAM Pro supports LDAP views based on the "nsview" object class. - These views allow to create an organizational unit that shows a subset - of your LDAP content. The subset is determined by an LDAP filter. - - Configuration: - - To activate view management in LAM Pro edit your server profile - and add the type "LDAP views". - - - - - - - - - - - - - - - - - - Now you are ready to create your views. Each view has a name, LDAP - filter and an optional description. - - - - - - - - - - - - - - - - -
- -
- General information - - This module is available for all account types. It shows some - internal information about the LDAP entries like the creation time and - who modified the entry. - - If you use the "memberOf" overlay in OpenLDAP then this will also - show group memberships done by the overlay. - - - - - - - - -
- -
- Tree view (LDAP browser) - - The tree view provides a raw view on your LDAP directory. This - feature is for people who are experienced with LDAP and need special - functionality which the LAM account modules not provide. E.g. if you - want to add a special object class to an account or edit attributes - ignoring LAM's syntax checks. - - - - - - - - - - There are also some special functions available: - - Export: This allows you to export - entries to a file (e.g. LDIF or CSV format). - - Show internal attributes: Shows - internal attributes of the current entry. This includes information - about the creator and creation time of the entry. -
- + To activate this feature please add the "Custom scripts" module to + all needed account types on the configuration pages. + + + + + + + + + + In "Module settings" you can specify multiple scripts for each + action type (e.g. modify) and account type (e.g. user). The scripts need + to be located on the filesystem of your webserver and will be executed in + its user environment. E.g. if you webserver runs as user www-data with the + group www-data then the custom scripts will be run under this user with + his rights. The output of the scripts will be shown in LAM. + + You can specify the scripts on the LAM configuration pages. + + + + + + + + + + Syntax: + + Please enter one script per line. Each line has the following + format: <account type> <action> <script> + + E.g.: user preModify /usr/bin/myCustomScript -u $uid$ + + Account types: + + You can setup scripts for all available account types (e.g. user, + group, host, ...). Please see the help on the configuration page about + your current active account types. + + Actions: + + + Action types + + + + + Action name + + Description + + + + preCreate + + Executed before creating a new account (cancels operation + if a script returns an exit code > 0, not available for file + upload) + + + + postCreate + + Executed after creating a new account (does not run if preCreate or LDAP operations + fail) + + + + preModify + + Executed before an account is modified (cancels operation + if a script returns an exit code > 0) + + + + postModify + + Executed after an account was modified (does not run if preModify or LDAP operations + fail) + + + + preDelete + + Executed before an account is modified (cancels operation + if a script returns an exit code > 0) + + + + postDelete + + Executed after an account was modified (does not run if preDelete or LDAP operations + fail) + + + + manual + + Can be run manually on account page. 
If you add + LAMLABEL="text" before the command then LAM will use the text as + label for the button in account edit screen. + + + +
+ + Script: + + You can execute any script which is located on the filesystem of + your webserver. The path may be absolute or relative to the PATH-variable + of the environment of your webserver process. It is also possible to add + commandline arguments to your scripts. Additionally, LAM will resolve + wildcards to LDAP attributes. If your script includes an wildcard in the + format $ATTRIBUTE$ then LAM will replace it with the attribute value of + the current LDAP entry. The values of multi-value attributes are separated + by commas. E.g. if you create an account with the attribute "uid" and + value "steve" then LAM will resolve "$uid$" to "steve". + + Please note that manual scripts can only use the current LDAP + attribute values of the account. Any modifications done that are not saved + will not be available. Manual scripts are also not available for new + accounts that are not yet saved to LDAP. + + You can switch LAM's logging to debug mode if you are unsure which + attributes with which values are available. + + The following special wildcards are available for automatical + scripts: + + + + $INFO.userPasswordClearText$: + cleartext password when Unix/Windows password is changed (e.g. useful + for external password synchronisation) for new/modified + accounts + + + + $INFO.userPasswordStatusChange$: provides + additional information if the Personal/Unix password locking status + was changed, possible values: locked, unlocked, unchanged + + + + $INFO.passwordSelfResetAnswerClearText$: + cleartext answer to security question + + + + $INFO.389lockingStatusChange$: + for 389ds account locking, provides information if account was + unlocked. Possible values: unchanged, unlocked + + + + $INFO.389deactivationStatusChange$: for 389ds + account locking, provides information if account was deactivated. + Possible values: unchanged, activated, deactivated + + + + $NEW.<attribute>$: the + value of a new attribute (e.g. 
$NEW.telephoneNumber$) for modified + accounts + + + + $DEL.<attribute>$: the + value of a deleted attribute (e.g. $DEL.telephoneNumber$) for modified + accounts + + + + $MOD.<attribute>$: the + new value of a modified attribute (e.g. $MOD.telephoneNumber$) for + modified accounts + + + + $ORIG.<attribute>$: the + original value of an attribute (e.g. $ORIG.telephoneNumber$) for + modified accounts + + + + Output may contain HTML: If your + scripts generate HTML output then activate this option. + + Hide command in messages: You may + want to prevent that your users see the executed commands. In this case + activating this option will only show the command output but not the + command itself. + + + + You can see a preview of the commands which will be automatically + executed on the "Custom scripts" tab. Here you can also run the manual + scripts. + + + + + + + + +
+ +
+ Sudo roles (LAM Pro) + + You can manage your sudo roles in LDAP if you have installed the + sudo-ldap package or compiled sudo with LDAP + support. + + To activate sudo management in LAM Pro edit your server profile and + add the type "Sudo roles". + + + + + + + + + + + + + + + + + + Now you can create sudo commands. + + + + + + + + + + The sudo roles in LDAP work similar to those in /etc/sudoers. You + can specify who may run which commands as which user. It is also possible + to specify options like NOPASSWD. +
+ +
+ LDAP views based on nsview (LAM Pro) + + LAM Pro supports LDAP views based on the "nsview" object class. + These views allow to create an organizational unit that shows a subset of + your LDAP content. The subset is determined by an LDAP filter. + + Configuration: + + To activate view management in LAM Pro edit your server profile and + add the type "LDAP views". + + + + + + + + + + + + + + + + + + Now you are ready to create your views. Each view has a name, LDAP + filter and an optional description. + + + + + + + + + + + + + + + + +
+ +
+ General information + + This module is available for all account types. It shows some + internal information about the LDAP entries like the creation time and who + modified the entry. + + If you use the "memberOf" overlay in OpenLDAP then this will also + show group memberships done by the overlay. + + + + + + + + +
+ +
+ Tree view (LDAP browser) + + The tree view provides a raw view on your LDAP directory. This + feature is for people who are experienced with LDAP and need special + functionality which the LAM account modules not provide. E.g. if you want + to add a special object class to an account or edit attributes ignoring + LAM's syntax checks. + + + + + + + + + + There are also some special functions available: + + Export: This allows you to export + entries to a file (e.g. LDIF or CSV format). + + Show internal attributes: Shows + internal attributes of the current entry. This includes information about + the creator and creation time of the entry. +
+ diff --git a/lam/docs/manual-sources/chapter-selfService.xml b/lam/docs/manual-sources/chapter-selfService.xml index cab0d870..1db39f42 100644 --- a/lam/docs/manual-sources/chapter-selfService.xml +++ b/lam/docs/manual-sources/chapter-selfService.xml @@ -750,6 +750,24 @@ each time the Windows password is changed. + + + + + + Kopano + + "Send as" privileges + + Define user who may send mails as this user + + + + Email aliases + + Email aliases + + diff --git a/lam/docs/manual-sources/images/mod_kopano1.png b/lam/docs/manual-sources/images/mod_kopano1.png new file mode 100644 index 00000000..adf795b5 Binary files /dev/null and b/lam/docs/manual-sources/images/mod_kopano1.png differ diff --git a/lam/docs/manual-sources/images/mod_kopanoContact1.png b/lam/docs/manual-sources/images/mod_kopanoContact1.png new file mode 100644 index 00000000..b87af6fb Binary files /dev/null and b/lam/docs/manual-sources/images/mod_kopanoContact1.png differ diff --git a/lam/docs/manual-sources/images/mod_kopanoContact2.png b/lam/docs/manual-sources/images/mod_kopanoContact2.png new file mode 100644 index 00000000..8e133d15 Binary files /dev/null and b/lam/docs/manual-sources/images/mod_kopanoContact2.png differ diff --git a/lam/docs/manual-sources/images/mod_kopanoContact3.png b/lam/docs/manual-sources/images/mod_kopanoContact3.png new file mode 100644 index 00000000..4744a42c Binary files /dev/null and b/lam/docs/manual-sources/images/mod_kopanoContact3.png differ diff --git a/lam/docs/manual-sources/images/mod_kopanoUser1.png b/lam/docs/manual-sources/images/mod_kopanoUser1.png new file mode 100644 index 00000000..364d9f42 Binary files /dev/null and b/lam/docs/manual-sources/images/mod_kopanoUser1.png differ diff --git a/lam/docs/manual-sources/images/mod_kopanoUser2.png b/lam/docs/manual-sources/images/mod_kopanoUser2.png new file mode 100644 index 00000000..8d0eeba1 Binary files /dev/null and b/lam/docs/manual-sources/images/mod_kopanoUser2.png differ 
diff --git a/lam/docs/manual-sources/images/mod_kopanoUser3.png b/lam/docs/manual-sources/images/mod_kopanoUser3.png new file mode 100644 index 00000000..1251d565 Binary files /dev/null and b/lam/docs/manual-sources/images/mod_kopanoUser3.png differ diff --git a/lam/docs/manual-sources/images/mod_kopanoUser4.png b/lam/docs/manual-sources/images/mod_kopanoUser4.png new file mode 100644 index 00000000..aa863276 Binary files /dev/null and b/lam/docs/manual-sources/images/mod_kopanoUser4.png differ diff --git a/lam/docs/manual-sources/images/schema_kopano.png b/lam/docs/manual-sources/images/schema_kopano.png new file mode 100644 index 00000000..4c1e35d1 Binary files /dev/null and b/lam/docs/manual-sources/images/schema_kopano.png differ diff --git a/lam/docs/manual-sources/overview.xml b/lam/docs/manual-sources/overview.xml index 2e7ff1dc..60180fd4 100644 --- a/lam/docs/manual-sources/overview.xml +++ b/lam/docs/manual-sources/overview.xml @@ -8,7 +8,7 @@ LDAP directory. LAM runs on any webserver with PHP5 support and connects to your LDAP server unencrypted or via SSL/TLS. - LAM supports Samba 3/4, Unix, Zarafa, Kolab 2/3, address book entries, + LAM supports Samba 3/4, Unix, Kopano, Kolab 3, address book entries, NIS mail aliases, MAC addresses and much more. There is a tree viewer included to allow access to the raw LDAP attributes. You can use templates for account creation and use multiple configuration profiles. @@ -16,7 +16,7 @@ https://www.ldap-account-manager.org/ - Copyright (C) 2003 - 2016 Roland Gruber + Copyright (C) 2003 - 2017 Roland Gruber <post@rolandgruber.de> Key features: