diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index c16f12a7..3e345239 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -102,7 +102,7 @@ Have fun!
Installation
-
+ New installation
@@ -286,8 +286,37 @@ Have fun!
With configure scriptInstead of manually copying files you can also use the
- included configure script to install LAM. See "./configure --help"
- for a list of install options.
+ included configure script to install LAM. Just run these commands
+ in the extracted directory:
+
+
+
+ ./configure
+
+
+
+ make install
+
+
+
+ Options for "./configure":
+
+
+
+ --with-httpd-user=USER USER is the name of your Apache
+ user account (default httpd)
+
+
+
+ --with-httpd-group=GROUP GROUP is the name of your
+ Apache group (default httpd)
+
+
+
+ --with-web-root=DIRECTORY DIRECTORY is the name where
+ LAM should be installed (default /usr/local/lam)
+
+
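Review bot: The new option list for "./configure" states "default httpd" for --with-httpd-user and --with-httpd-group but does not tell readers to override it when Apache runs under another account. The custom scripts section added later in this patch uses www-data as its example web server user, so a reader following the two commands as written could install with an owner that does not match their server. Suggest adding one sentence that these two options must name the account and group the web server actually runs as, and keeping the removed pointer to "./configure --help" as the reference for the option list.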
@@ -454,11 +483,14 @@ Have fun!
- Upgrading LAM
+ Upgrading LAM or migrate from LAM to LAM ProMigrating configuration files
+ First, you need to make a backup of your existing configuration
+ files.
+
LAM stores all configuration files in the "config" folder.
Please backup the following files and copy them after the new version
is installed.
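Review bot: The new heading "Upgrading LAM or migrate from LAM to LAM Pro" mixes verb forms; "Upgrading LAM or migrating from LAM to LAM Pro" would read consistently. The added sentence "First, you need to make a backup of your existing configuration files." is also immediately followed by the unchanged "Please backup the following files ..." paragraph, so the backup instruction now appears twice; consider merging the two into a single first step.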
@@ -481,11 +513,28 @@ Have fun!
config/passwordMailTemplate.txt
- Please check also the version specific instructions. They might
- include additional actions.
+ Second, uninstall your
+ current LAM (Pro) installation.
+
+ Third, install the new LAM
+ (Pro) release. Skip the part about setting up LAM configuration
+ files.
+
+ Finally, restore your configuration files from the backup. Copy
+ all files from the backup folder to the config folder in your LAM Pro
+ installation. Do not simply replace the folder because the new LAM
+ (Pro) release might include additional files in this folder. Overwrite
+ any existing files with your backup files.
+
+ Now open your webbrowser and point it to the LAM login page. All
+ your settings should be migrated.
+
+ Please check also the version
+ specific instructions. They might include additional
+ actions.
-
+ Version specific upgrade instructions
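Review bot: The restore step says "the config folder in your LAM Pro installation" while the surrounding steps say "LAM (Pro)", which makes it read as if the restore applies only to LAM Pro; use "LAM (Pro)" there as well. The same step should mention that the restored files have to stay readable and writable by the web server account, since copying them back as a different user can change their ownership. Minor: "webbrowser" should be "web browser".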
@@ -503,6 +552,771 @@ Have fun!
+
+
+ Unistalltion of LAM (Pro)
+
+ If you used the prepackaged installation packages then remove the
+ ldap-account-manager and ldap-account-manager-lamdaemon packages.
+
+ Otherwise, remove the folder where you installed LAM via configure
+ or by copying the files.
+
+
+
+
+ Configuration
+
+ TODO
+
+
+ General settings
+
+ TODO
+
+
+
+ Server profiles
+
+ TODO
+
+
+
+
+
+
+
+
+
+
+ Managing entries in your LDAP directory
+
+ This chapter will give you instructions how to manage the different
+ LDAP entries in your directory.
+
+ Please note that not all account types are manageable with the free
+ LAM release. LAM Pro provides some more account types and modules to
+ support additional LDAP object classes.
+
+ Additional types:
+
+
+
+ Group of names
+
+
+
+ Aliases
+
+
+
+ NIS objects
+
+
+
+ Additional modules:
+
+
+
+ Group of names (groupOfNames)
+
+
+
+ Group of unique names (groupOfUniqueNames)
+
+
+
+ Unix (rfc2307bisPosixGroup)
+
+
+
+ Alias (aliasEntry)
+
+
+
+ User name (uidObject)
+
+
+
+ NIS object (nisObject)
+
+
+
+ Custom scripts (customScripts)
+
+
+
+
+ Groups
+
+
+
+
+ Unix groups with rfc2307bis schema (LAM Pro only)
+
+ Some applications (e.g. Suse Linux) use the rfc2307bis schema
+ for Unix accounts instead of the nis schema. In this case group
+ accounts are based on the object class groupOf(Unique)Names. The
+ object class is auxiliary in this case.
+
+ LAM Pro supports these groups with a special account module:
+ rfc2307bisPosixGroup
+
+ Use this module only if your system depends on the rfc2307bis
+ schema. The module can be selected in the LAM configuration.
+
+
+
+
+
+
+
+
+
+
+
+
+ Hosts
+
+
+
+
+ IP addresses (LAM Pro only)
+
+ You can manage the IP addresses of host accounts with the ipHost
+ module. It manages the following information:
+
+
+
+ IP addresses (IPv4/IPv6)
+
+
+
+ location of the host
+
+
+
+ manager: the person who is responsible for the host
+
+
+
+ You can activate this extension by adding the module ipHost to
+ the list of active host modules.
+
+
+
+
+
+
+
+
+
+
+
+
+ Group of (unique) names (LAM Pro only)
+
+ These classes can be used to represent group relations. Since they
+ allow DNs as members you can also use them to represent nested groups.
+ Activate the account type "Group of names" in your LAM server profile to
+ use these account modules.
+
+ Group of (unique) names have four basic attributes:
+
+
+
+ Name: a unique name for the group
+
+
+
+ Description: optional description
+
+
+
+ Owner: the account which owns this group (optional)
+
+
+
+ Members: the members of the group (at least one is
+ required)
+
+
+
+ You can add any accounts as members. This includes other groups
+ which leads to nested groups.
+
+
+
+
+
+
+
+
+
+
+
+ Aliases (LAM Pro only)
+
+ Some applications use the object class "alias" to link LDAP
+ entries to other parts of the LDAP tree. Activate the account type
+ "Aliases" in your LAM server profile to use this account type.
+
+ Currently, only user accounts can be aliased with the "uidObject"
+ object class.
+
+
+
+
+
+
+
+
+
+
+
+ NIS objects (LAM Pro only)
+
+ You can manage NIS objects with LAM Pro. This allows you define
+ network mount points in LDAP.
+
+ Add the NIS objects type to your LAM configuration and then the
+ NIS objects module. This will add the NIS objects tab to LAM.
+
+
+
+
+
+
+
+
+
+
+
+ Custom scripts (LAM Pro only)
+
+ LAM Pro allows you to execute scripts whenever an account is
+ created, modified or deleted. This can be useful to automate processes
+ which needed manual work afterwards (e.g. sending your user a welcome
+ mail or register a mailbox). To activate this feature please add the
+ "Custom scripts" module to all needed account types on the configuration
+ pages.
+
+ You can specify multiple scripts for each action type (e.g.
+ modify) and account type (e.g. user). The scripts need to be located on
+ the filesystem of your webserver and will be executed in its user
+ environment. E.g. if you webserver runs as user www-data with the group
+ www-data then the custom scripts will be run under this user with his
+ rights. The output of the scripts will be shown in LAM.
+
+ You can specify the scripts on the LAM configuration pages.
+
+
+
+
+
+
+
+
+
+ Syntax:
+
+ Please enter one script per line. Each line has the following
+ format: <account type> <action> <script>
+
+ E.g.: user preModify /usr/bin/myCustomScript -u $uid$
+
+ Account types:
+
+ You can setup scripts for all available account types (e.g. user,
+ group, host, ...). Please see the help on the configuration page about
+ your current active account types.
+
+ Actions:
+
+
+ Action types
+
+
+
+
+ Action name
+
+ Description
+
+
+
+ preCreate
+
+ executed before creating a new account (cancels operation
+ if a script returns an exit code > 0)
+
+
+
+ postCreate
+
+ executed after creating a new account
+
+
+
+ preModify
+
+ executed before the account is modified (cancels
+ operation if a script returns an exit code > 0)
+
+
+
+ postModify
+
+ executed after an account was modified
+
+
+
+ preDelete
+
+ executed before an account was modified (cancels
+ operation if a script returns an exit code > 0)
+
+
+
+ postDelete
+
+ executed after an account was modified
+
+
+
+
+
+ Script:
+
+ You can execute any script which is located on the filesystem of
+ your webserver. The path may be absolute or relative to the
+ PATH-variable of the environment of your webserver process. It is also
+ possible to add commandline arguments to your scripts. Additionally, LAM
+ will resolve wildcards to LDAP attributes. If your script includes an
+ wildcard in the format $ATTRIBUTE$ then LAM will replace it with the
+ attribute value of the current LDAP entry. The values of multi-value
+ attributes are separated by commas. E.g. if you create an account with
+ the attribute "uid" and value "steve" then LAM will resolve "$uid$" to
+ "steve".
+
+
+
+ You can see a preview of the commands which will be executed on
+ the "Custom scripts" tab.
+
+
+
+
+
+
+
+
+
+
+
+ Tree view
+
+ The tree view provides a raw view on your LDAP directory. This
+ feature is for people who are experienced with LDAP and need special
+ functionality which the LAM account modules not provide. E.g. if you
+ want to add a special object class to an account or edit attributes
+ ignoring LAM's syntax checks.
+
+
+
+
+
+
+
+
+
+ There are also some special functions available:
+
+ Export: This allows you to export
+ entries to a file (e.g. LDIF or CSV format).
+
+ Show internal attributes: Shows
+ internal attributes of the current entry. This includes information
+ about the creator and creation time of the entry.
+
+
+
+
+ Access levels and password reset page (LAM Pro only)
+
+ You can define different access levels for each profile to allow or
+ disallow write access. The password reset page helps your deskside support
+ staff to reset user passwords.
+
+
+ Access levels
+
+ There are three access levels:
+
+
+
+ Write access (default)
+
+ There are no restrictions. LAM admin users can manage account,
+ create profiles and set passwords.
+
+
+
+ Change passwords
+
+ Similar to "Read only" except that the password reset page is available.
+
+
+
+ Read only
+
+ No write access to the LDAP database is allowed. It is also
+ impossible to manage account and PDF profiles.
+
+ Accounts may be viewed but no changes can be saved.
+
+
+
+ The access level can be set on the server configuration
+ page:
+
+
+
+
+
+
+
+
+
+
+
+ Password reset page
+
+ This special page allows your deskside support staff to reset the
+ Unix and Samba passwords of your users. If you set the access level to "Change passwords" then
+ LAM will not allow any changes to the LDAP database except password
+ changes via this page. The account pages will be still available in
+ read-only mode.
+
+ You can open the password reset page by clicking on the key symbol
+ on each user account:
+
+
+
+
+
+
+
+ There are three different options to set a new
+ password:
+
+
+
+ set random password and display it on
+ screen
+
+ This will set the user's password to a random value. The
+ password will be 11 characters long with a random combination of
+ letters, digits and ".-_".
+
+ You may want to use this method to tell users their new
+ passwords via phone.
+
+
+
+ set random password and mail it to
+ user
+
+ If the user account has set the mail attribute then LAM can
+ send your user a mail with the new password. You can change the mail
+ template to fit your needs. See the help link for further
+ details.
+
+ Using this method will prevent that your support staff knows
+ the new password.
+
+
+
+ set specific password
+
+ Here you can specify your own password.
+
+
+
+
+
+
+
+
+
+
+
+ LAM will display contact information about the user like the
+ user's name, email address and telephone number. This will help your
+ deskside support to easily contact your users.
+
+ Options:
+
+ Depending on the account there may be additional options
+ available.
+
+
+
+ Sync Samba NT/LM password with Unix
+ password: If a user account has Samba passwords set then
+ LAM will offer to synchronize the passwords.
+
+
+
+ Unlock Samba account: Locked
+ Samba accounts can be unlocked with the password change.
+
+
+
+ Update Samba password
+ timestamps: This will set the timestamps when the
+ password was changed (sambaPwdLastSet), may be changed again
+ (sambaPwdCanChange) and must be changed again (sambaPwdMustChange).
+ Only existing attributes are updated. No new attributes are
+ added.
+
+
+
+
+
+
+
+
+ Self service (LAM Pro only)
+
+
+ Preparations
+
+
+ OpenLDAP ACLs
+
+ By default only a few administrative users have write access to
+ the LDAP database. Before your users may change their settings you
+ must allow them to change their LDAP data.
+
+ This can be done by adding an ACL to your slapd.conf which looks
+ like this:
+
+ access to
+
+
+ attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,password
+
+ by self write
+
+ If you do not want them to change all attributes then reduce the
+ list to fit your needs. Some modules may require additional LDAP
+ attributes.
+
+ Usually, the slapd.conf file is located in /etc/ldap or
+ /etc/openldap.
+
+
+
+ Other LDAP servers
+
+ There exist many LDAP implementations. If you do not use
+ OpenLDAP you need to write your own ACLs. Please check the manual of
+ your LDAP server for instructions.
+
+
+
+
+ Creating a self service profile
+
+ A self service profile defines what input fields your users see
+ and some other general settings like the login caption.
+
+ When you go to the LAM configuration page you will see the self
+ service link at the bottom. This will lead you to the self service
+ configuration pages
+
+
+
+
+
+
+
+
+
+ Now we need to create a new self service profile. Click on the
+ link to manage the self service profiles.
+
+
+
+
+
+
+
+
+
+ Specify a name for the new profile and enter you master
+ configuration password (default is "lam") to save the profile.
+
+
+
+
+
+
+
+
+
+ Now go back to the profile login and enter your master
+ configuration password to edit your new profile.
+
+
+
+ Edit your new profile
+
+ On top of the page you see the link to the user login page. Copy
+ this link address and give it to your users.
+
+ Below the link you can specify several options.
+
+
+
+
+
+
+
+
+
+
+ General options
+
+
+
+
+ Server address
+
+ The address of your LDAP server
+
+
+
+ LDAP suffix
+
+ The part of the LDAP tree where LAM should search for
+ users
+
+
+
+ LDAP user + password
+
+ The DN and password which is used to search for users in
+ the LDAP database. It is sufficient if this DN has only read
+ rights. If you leave these fields empty LAM will try to connect
+ anonymously.
+
+
+
+ LDAP search attribute
+
+ Here you can specify if your users can login with user
+ name + password, email + password or other attributes.
+
+
+
+ Login attribute label
+
+ This is the description for the LDAP search attribute.
+ Set it to something which your users are familiar with.
+
+
+
+ Login caption
+
+ This text is displayed at the login page. You can input
+ HTML, too.
+
+
+
+ Main page caption
+
+ This text is displayed at self service main page where
+ your users change their data. You can input HTML, too.
+
+
+
+ Page header
+
+ This HTML code will be placed on top of all self service
+ pages. E.g. you can use this to place your custom logo. Any HTML
+ code is permitted.
+
+
+
+ Additional CSS links
+
+ Here you can specify additional CSS links to change the
+ layout of the self service pages. This is useful to adapt them
+ to your corporate design. Please enter one link per
+ line.
+
+
+
+
+
+ On the bottom you can specify what input fields your users can
+ see. It is also possible to group several input fields.
+
+
+
+
+
+
+
+
+
+
+
+
+ Adapt LAM Pro to your corporate design
+
+ LAM Pro allows you to integrate customs CSS style definitions and
+ design the header of all self service pages. This way you can integrate
+ you own logo and use your company's colors.
+
+
+ Custom header
+
+ The default LAM Pro header includes a logo and a horizontal line.
+ You can enter any HTML code here. It will be included in the self
+ services pages after the body tag.
+
+
+
+
+
+
+
+
+
+
+
+ CSS files
+
+ Usually, companies have regulations about their corporate design
+ and use common CSS files. This assures a common appearance of all
+ intranet pages (e.g. colors and fonts). To include additional CSS files
+ just use the following setting for this task. The additional CSS links
+ will be added after LAM Pro's default CSS link. This way you can
+ overwrite LAM Pro's style.
+
+
+
+
+
+
+
+
+
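Review bot: In the "Action types" table the preDelete and postDelete rows reuse the modify wording ("executed before an account was modified", "executed after an account was modified"); both should describe deletion. In the "Script:" paragraph, $ATTRIBUTE$ values are substituted into a command that runs as the web server user, but the text does not say whether LAM escapes those values before execution; please document that, and what happens with the comma-joined multi-value case, so administrators know what their scripts must validate. In the OpenLDAP ACL example the attrs list ends with "password", while the attribute that holds the password in the standard schema is userPassword, and the example shows only "by self write", so OpenLDAP's implicit "by * none" would apply to every listed attribute for all other identities; the text should say how this rule is meant to combine with existing ACLs. The self service profile step mentions the master configuration password with 'default is "lam"' and should advise changing it. Minor: "Unistalltion of LAM (Pro)" should be "Uninstallation", and the "Configuration", "General settings" and "Server profiles" sections contain only "TODO".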
diff --git a/lam/docs/manual-sources/images/accessLevel.png b/lam/docs/manual-sources/images/accessLevel.png
new file mode 100644
index 00000000..246a2722
Binary files /dev/null and b/lam/docs/manual-sources/images/accessLevel.png differ
diff --git a/lam/docs/manual-sources/images/alias.png b/lam/docs/manual-sources/images/alias.png
new file mode 100644
index 00000000..be094803
Binary files /dev/null and b/lam/docs/manual-sources/images/alias.png differ
diff --git a/lam/docs/manual-sources/images/conf1.jpg b/lam/docs/manual-sources/images/conf1.jpg
new file mode 100644
index 00000000..60c6b4ab
Binary files /dev/null and b/lam/docs/manual-sources/images/conf1.jpg differ
diff --git a/lam/docs/manual-sources/images/conf2.jpg b/lam/docs/manual-sources/images/conf2.jpg
new file mode 100644
index 00000000..398c98d7
Binary files /dev/null and b/lam/docs/manual-sources/images/conf2.jpg differ
diff --git a/lam/docs/manual-sources/images/conf3.jpg b/lam/docs/manual-sources/images/conf3.jpg
new file mode 100644
index 00000000..07568fd8
Binary files /dev/null and b/lam/docs/manual-sources/images/conf3.jpg differ
diff --git a/lam/docs/manual-sources/images/conf4.jpg b/lam/docs/manual-sources/images/conf4.jpg
new file mode 100644
index 00000000..629cbec1
Binary files /dev/null and b/lam/docs/manual-sources/images/conf4.jpg differ
diff --git a/lam/docs/manual-sources/images/conf5.jpg b/lam/docs/manual-sources/images/conf5.jpg
new file mode 100644
index 00000000..1ba12cc5
Binary files /dev/null and b/lam/docs/manual-sources/images/conf5.jpg differ
diff --git a/lam/docs/manual-sources/images/configCSS.png b/lam/docs/manual-sources/images/configCSS.png
new file mode 100644
index 00000000..2fd30206
Binary files /dev/null and b/lam/docs/manual-sources/images/configCSS.png differ
diff --git a/lam/docs/manual-sources/images/configPageHeader.png b/lam/docs/manual-sources/images/configPageHeader.png
new file mode 100644
index 00000000..486a4116
Binary files /dev/null and b/lam/docs/manual-sources/images/configPageHeader.png differ
diff --git a/lam/docs/manual-sources/images/customScripts.png b/lam/docs/manual-sources/images/customScripts.png
new file mode 100644
index 00000000..19190732
Binary files /dev/null and b/lam/docs/manual-sources/images/customScripts.png differ
diff --git a/lam/docs/manual-sources/images/customScripts2.png b/lam/docs/manual-sources/images/customScripts2.png
new file mode 100644
index 00000000..037d6379
Binary files /dev/null and b/lam/docs/manual-sources/images/customScripts2.png differ
diff --git a/lam/docs/manual-sources/images/groupOfNames1.png b/lam/docs/manual-sources/images/groupOfNames1.png
new file mode 100644
index 00000000..9392f565
Binary files /dev/null and b/lam/docs/manual-sources/images/groupOfNames1.png differ
diff --git a/lam/docs/manual-sources/images/ipHost.png b/lam/docs/manual-sources/images/ipHost.png
new file mode 100644
index 00000000..e29a5c9e
Binary files /dev/null and b/lam/docs/manual-sources/images/ipHost.png differ
diff --git a/lam/docs/manual-sources/images/lamProTypes.png b/lam/docs/manual-sources/images/lamProTypes.png
new file mode 100644
index 00000000..f8b0b8ce
Binary files /dev/null and b/lam/docs/manual-sources/images/lamProTypes.png differ
diff --git a/lam/docs/manual-sources/images/nisObject.png b/lam/docs/manual-sources/images/nisObject.png
new file mode 100644
index 00000000..799d18ca
Binary files /dev/null and b/lam/docs/manual-sources/images/nisObject.png differ
diff --git a/lam/docs/manual-sources/images/passwordReset1.png b/lam/docs/manual-sources/images/passwordReset1.png
new file mode 100644
index 00000000..5a764253
Binary files /dev/null and b/lam/docs/manual-sources/images/passwordReset1.png differ
diff --git a/lam/docs/manual-sources/images/passwordReset2.png b/lam/docs/manual-sources/images/passwordReset2.png
new file mode 100644
index 00000000..02220736
Binary files /dev/null and b/lam/docs/manual-sources/images/passwordReset2.png differ
diff --git a/lam/docs/manual-sources/images/rfc2307bis.png b/lam/docs/manual-sources/images/rfc2307bis.png
new file mode 100644
index 00000000..9e3ab688
Binary files /dev/null and b/lam/docs/manual-sources/images/rfc2307bis.png differ
diff --git a/lam/docs/manual-sources/images/tree1.png b/lam/docs/manual-sources/images/tree1.png
new file mode 100644
index 00000000..3efe48d3
Binary files /dev/null and b/lam/docs/manual-sources/images/tree1.png differ