<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter>
  <title>Managing entries in your LDAP directory</title>

  <para>This chapter explains how to manage the different LDAP entries in
  your directory.</para>

  <para>Please note that not all account types are manageable with the free
  LAM release. LAM Pro provides some more account types (e.g. group of names,
  aliases, ...) and modules (e.g. Kopano, custom scripts, ...) to support
  additional LDAP object classes. All LAM Pro features are marked in this
  manual.</para>

  <para><emphasis role="bold">Basic page layout:</emphasis></para>

  <para>After login, LAM presents its main page. It consists of a header
  part, which is the same on all pages, and the content area, which covers
  most of the page.</para>

  <para>The header part includes the links to manage all account types (e.g.
  users and groups) and open the tree view (LDAP browser). There is also the
  logout link and a tools entry.</para>

  <para>When you log in, you will see an account listing in the content
  area.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mainpage.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>Here you can create, delete and modify accounts. Use the action
  buttons at the left or double click on an entry to edit it.</para>

  <para>The suffix selection box allows you to list only the accounts which
  are located in a subtree of your LDAP directory.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/listConfig.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You can change the number of shown entries per page with "Change
  settings". Depending on the account type there may be additional settings.
  E.g. the user list can convert group numbers to group names.</para>

  <para>When you edit an entry, LAM shows all its data in a tabbed view.
  There is one tab for each functional part of the account. You can set
  default values by loading an <link
  linkend="a_accountProfile">account profile</link>.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/editView.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <section>
    <title>Typical usage scenarios</title>

    <para>Here is a list of typical usage scenarios and what account types and
    modules you need to configure.</para>

    <para><emphasis role="bold">Address book entries:</emphasis></para>

    <para>Account types:</para>

    <itemizedlist>
      <listitem>
        <para>Users (Personal)</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">Unix accounts:</emphasis></para>

    <para>Account types:</para>

    <itemizedlist>
      <listitem>
        <para>Users (Personal + Unix)</para>
      </listitem>

      <listitem>
        <para>Groups (Unix (posixGroup))</para>
      </listitem>
    </itemizedlist>

    <para>Suse users may need to use Group (Group of names + Unix
    (rfc2307bisPosixGroup)) because of Suse's special LDAP schema.</para>

    <para><emphasis role="bold">Samba 3 accounts:</emphasis></para>

    <para>Account types:</para>

    <itemizedlist>
      <listitem>
        <para>Users (Personal + User + Samba 3)</para>
      </listitem>

      <listitem>
        <para>Groups (Unix + Samba 3)</para>
      </listitem>

      <listitem>
        <para>Hosts (Account + Unix + Samba 3)</para>
      </listitem>

      <listitem>
        <para>Samba domains (Samba domain)</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">Samba 4/Active Directory:</emphasis></para>

    <para>Account types:</para>

    <itemizedlist>
      <listitem>
        <para>Users (Windows)</para>
      </listitem>

      <listitem>
        <para>Groups (Windows)</para>
      </listitem>

      <listitem>
        <para>Hosts (Windows)</para>
      </listitem>
    </itemizedlist>

    <para>Please note that you must change the attributes that are shown in
    the account lists. Otherwise, the account tables will show empty lines.
    See the documentation for the Windows user/group/host modules.</para>

    <para>For Samba 4 with Kopano use the following modules:</para>

    <itemizedlist>
      <listitem>
        <para>Users (Windows + Kopano (+ Kopano contact))</para>
      </listitem>

      <listitem>
        <para>Groups (Windows + Kopano)</para>
      </listitem>

      <listitem>
        <para>Hosts (Windows + Kopano)</para>
      </listitem>

      <listitem>
        <para>Kopano dynamic groups (Kopano dynamic group)</para>
      </listitem>

      <listitem>
        <para>Kopano address lists (Kopano address list)</para>
      </listitem>
    </itemizedlist>

    <para>See also the <link linkend="s_kopano">Kopano</link> section for
    additional settings (e.g. using Kopano AD schema).</para>

    <para><emphasis role="bold">Asterisk:</emphasis></para>

    <para>Account types:</para>

    <itemizedlist>
      <listitem>
        <para>Users (Personal + Asterisk)</para>
      </listitem>

      <listitem>
        <para>Asterisk extensions (Asterisk extension)</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">Kopano:</emphasis></para>

    <para>Account types:</para>

    <itemizedlist>
      <listitem>
        <para>Users (Personal + Unix + Kopano (+ Kopano contact))</para>
      </listitem>

      <listitem>
        <para>Groups (Unix + Kopano)</para>
      </listitem>

      <listitem>
        <para>Kopano dynamic groups (Kopano dynamic group)</para>
      </listitem>

      <listitem>
        <para>Kopano address lists (Kopano address list)</para>
      </listitem>

      <listitem>
        <para>Hosts (Device + Kopano + IP Address)</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">PyKota:</emphasis></para>

    <para>Account types:</para>

    <itemizedlist>
      <listitem>
        <para>Users (Personal + Unix + PyKota)</para>
      </listitem>

      <listitem>
        <para>Groups (Unix + PyKota)</para>
      </listitem>

      <listitem>
        <para>Printers (PyKota)</para>
      </listitem>

      <listitem>
        <para>Billing codes (PyKota)</para>
      </listitem>
    </itemizedlist>
  </section>

  <section>
    <title>Users</title>

    <para>LAM manages various types of user accounts. This includes address
    book entries, Unix, Samba, Kopano and much more.</para>

    <literallayout>
</literallayout>

    <para><emphasis role="bold">Account list settings:</emphasis></para>

    <para>The user list includes two special options to change how your users
    are displayed.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/userListOptions.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis>Translate GID number to group name:</emphasis> By default
    the user list can show the primary group IDs (GIDs) of your users. There
    are often cases where it is more suitable to show the group name instead.
    This can be done by activating this option. Please note that LAM will
    execute more LDAP queries which may result in decreased
    performance.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/userListOptionTransPrimary.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis>Show account status:</emphasis> If you activate this
    option then there will be an additional column displayed that shows if the
    account is locked or expired. You can see more details when moving the
    mouse cursor over the lock icon. This function supports Unix, Samba,
    PPolicy, Windows and 389ds locking+deactivation.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/userListOptionAccountStatus.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <literallayout>
</literallayout>

    <para><emphasis role="bold">Password:</emphasis></para>

    <para>Click the "Set password" button to change the user's password(s).
    Depending on the active account modules LAM will offer to change multiple
    passwords at the same time.</para>

    <para>If a module supports enforcing a password change then you will see
    the appropriate checkbox. LAM Pro also offers to send the password via
    email after the account is saved. Email options are specified in your
    <link linkend="profile_mail">LAM server profile</link>.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/password1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <literallayout>
</literallayout>

    <para><emphasis role="bold">Quick account (un)locking:</emphasis></para>

    <para>When you edit a user, LAM lets you quickly lock/unlock the whole
    account. This includes Unix, Samba and PPolicy. LAM can also remove
    group memberships if an account is locked.</para>

    <para>You will see the current status of all account parts in the title
    area of the account.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/userAccountStatus1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>If you click on the lock icon then a dialog will be opened to change
    these values. Depending on which parts are locked LAM will provide options
    to lock/unlock account parts.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/userAccountStatus2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/userAccountStatus3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <section>
      <title>Personal</title>

      <para>This module is the most common basis for user accounts in LAM. You
      can use it stand-alone to manage address book entries or in combination
      with Unix, Samba or other modules.</para>

      <para>The Personal module provides support for managing various personal
      data of your users including mail addresses and telephone numbers. You
      can also add photos of your users. If you do not need to manage all
      attributes then you can deactivate them in your server profile.</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>Please activate the module "Personal (inetOrgPerson)" for
      users.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_personal3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The module manages lots of fields. Probably, you will not need all
      of them. You can hide fields in module settings.</para>

      <para>In advanced options you may also set fields to read-only (for
      existing accounts) and define limits for photo files. Additionally, you
      can add an "ou=addressbook" subentry to each user in case you manage
      user addressbooks.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_personal4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">User management</emphasis></para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_personal.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>User certificates can be uploaded and downloaded. LAM will
      automatically convert PEM to DER format.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_personal2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <table>
        <title>LDAP attribute mappings</title>

        <tgroup cols="2">
          <thead>
            <row>
              <entry align="center">Attribute name</entry>

              <entry align="center">Name inside LAM</entry>
            </row>
          </thead>

          <tbody>
            <row>
              <entry>businessCategory</entry>

              <entry>Business category</entry>
            </row>

            <row>
              <entry>carLicense</entry>

              <entry>Car license</entry>
            </row>

            <row>
              <entry>cn/commonName</entry>

              <entry>Common name</entry>
            </row>

            <row>
              <entry>departmentNumber</entry>

              <entry>Department(s)</entry>
            </row>

            <row>
              <entry>description</entry>

              <entry>Description</entry>
            </row>

            <row>
              <entry>employeeNumber</entry>

              <entry>Employee number</entry>
            </row>

            <row>
              <entry>employeeType</entry>

              <entry>Employee type</entry>
            </row>

            <row>
              <entry>facsimileTelephoneNumber/fax</entry>

              <entry>Fax number</entry>
            </row>

            <row>
              <entry>givenName/gn</entry>

              <entry>First name</entry>
            </row>

            <row>
              <entry>homePhone</entry>

              <entry>Home telephone number</entry>
            </row>

            <row>
              <entry>initials</entry>

              <entry>Initials</entry>
            </row>

            <row>
              <entry>jpegPhoto</entry>

              <entry>Photo</entry>
            </row>

            <row>
              <entry>l</entry>

              <entry>Location</entry>
            </row>

            <row>
              <entry>labeledURI</entry>

              <entry>Web site</entry>
            </row>

            <row>
              <entry>mail/rfc822Mailbox</entry>

              <entry>Email address</entry>
            </row>

            <row>
              <entry>manager</entry>

              <entry>Manager</entry>
            </row>

            <row>
              <entry>mobile/mobileTelephoneNumber</entry>

              <entry>Mobile number</entry>
            </row>

            <row>
              <entry>organizationName/o</entry>

              <entry>Organisation</entry>
            </row>

            <row>
              <entry>ou</entry>

              <entry>Organizational unit</entry>
            </row>

            <row>
              <entry>pager</entry>

              <entry>Pager number</entry>
            </row>

            <row>
              <entry>physicalDeliveryOfficeName</entry>

              <entry>Office name</entry>
            </row>

            <row>
              <entry>postalAddress</entry>

              <entry>Postal address</entry>
            </row>

            <row>
              <entry>postalCode</entry>

              <entry>Postal code</entry>
            </row>

            <row>
              <entry>postOfficeBox</entry>

              <entry>Post office box</entry>
            </row>

            <row>
              <entry>registeredAddress</entry>

              <entry>Registered address</entry>
            </row>

            <row>
              <entry>roomNumber</entry>

              <entry>Room number</entry>
            </row>

            <row>
              <entry>sn/surname</entry>

              <entry>Last name</entry>
            </row>

            <row>
              <entry>st</entry>

              <entry>State</entry>
            </row>

            <row>
              <entry>street/streetAddress</entry>

              <entry>Street</entry>
            </row>

            <row>
              <entry>telephoneNumber</entry>

              <entry>Telephone number</entry>
            </row>

            <row>
              <entry>title</entry>

              <entry>Job title</entry>
            </row>

            <row>
              <entry>userCertificate</entry>

              <entry>User certificates</entry>
            </row>

            <row>
              <entry>uid/userid</entry>

              <entry>User name</entry>
            </row>

            <row>
              <entry>userPassword</entry>

              <entry>Password</entry>
            </row>
          </tbody>
        </tgroup>
      </table>

      <para><emphasis role="bold">Wildcards</emphasis></para>

      <para>This module provides the following wildcards (others may be
      provided by other modules):</para>

      <itemizedlist>
        <listitem>
          <para>$firstname: First name</para>
        </listitem>

        <listitem>
          <para>$lastname: Last name</para>
        </listitem>

        <listitem>
          <para>$user: User name</para>
        </listitem>

        <listitem>
          <para>$commonname: Common name</para>
        </listitem>

        <listitem>
          <para>$email: Email address</para>
        </listitem>
      </itemizedlist>

      <para>You can use them in the following input fields on user edit
      screen:</para>

      <itemizedlist>
        <listitem>
          <para>Common name</para>
        </listitem>

        <listitem>
          <para>Description</para>
        </listitem>

        <listitem>
          <para>Mail</para>
        </listitem>

        <listitem>
          <para>Postal address</para>
        </listitem>

        <listitem>
          <para>Registered address</para>
        </listitem>

        <listitem>
          <para>Web site</para>
        </listitem>
      </itemizedlist>

      <para>Use this when some of your data always follows the same schema.
      E.g. entering "$firstname $lastname" in the common name field results
      in "First Last". You can set the wildcards in the profile editor so
      they are automatically applied for new users.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_personal5.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para/>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_personal6.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Unix</title>

      <para>The Unix module manages Unix user accounts including group
      memberships.</para>

      <para>There are several configuration options for this module:</para>

      <itemizedlist>
        <listitem>
          <para>UID generator: LAM will suggest UID numbers for your accounts.
          Please note that it may happen that there are duplicate IDs assigned
          if users create accounts at the same time. Use an <ulink
          url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink>
          like "Attribute Uniqueness" (<link
          linkend="a_openldap_unique">example</link>) if you have lots of LAM
          admins creating accounts.</para>

          <itemizedlist>
            <listitem>
              <para>Fixed range: LAM searches for free numbers within the
              given limits. LAM always tries to use a free UID that is greater
              than the existing UIDs to prevent collisions with deleted
              accounts.</para>
            </listitem>

            <listitem>
              <para>Samba ID pool: This uses a special LDAP entry that
              includes attributes that store a counter for the last used
              UID/GID. Please note that this requires that you install the
              Samba schema and create an LDAP entry of object class
              "sambaUnixIdPool".</para>
            </listitem>

            <listitem>
              <para>Magic number: Use this if your LDAP server assigns the UID
              numbers automatically (e.g. DNA by 389 server). Enter the
              server's magic number setting.</para>
            </listitem>
          </itemizedlist>
        </listitem>

        <listitem>
          <para>Password hash type: If possible, use CRYPT-SHA512 or SSHA to
          protect your users' passwords. The option SASL will set the password
          to "{SASL}&lt;user name&gt;". If you want to use an LDAP EXOP
          password operation to update the password then select
          LDAP_EXOP.</para>
        </listitem>

        <listitem>
          <para>Login shells: List of valid login shells that can be selected
          when editing an account.</para>
        </listitem>

        <listitem>
          <para>Hidden options: Some input fields can be hidden to simplify
          the GUI if you do not need them.</para>
        </listitem>

        <listitem>
          <para>Set primary group as memberUid: By default, primary group
          membership is not set on group objects but only on the user
          (gidNumber). Activate this if you need to have the primary group
          membership in the group object, too.</para>
        </listitem>

        <listitem>
          <para>Do not add object class: This is for Windows only. When the
          checkbox is activated then the posixAccount object class will not be
          added to a user.</para>
        </listitem>

        <listitem>
          <para>User name suggestion: The user name is automatically filled as
          specified in the configuration (default smiller for Steve Miller).
          Of course, the suggested value can be changed any time. Common name
          is also filled with first/last name by default.</para>
        </listitem>
      </itemizedlist>
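
      <para>The following added example (not part of LAM and not taken from
      its code) relates to the "Password hash type" option above: it builds
      and verifies a "{SSHA}" userPassword value and classifies stored values
      by scheme so that entries not using CRYPT-SHA512 or SSHA can be found.
      The function names, the rating labels and the sample entries are
      assumptions made for this example.</para>

      <programlisting language="python"><![CDATA[
```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SSHA stores a 20-byte SHA-1 digest followed by the salt


def make_ssha(password: str, salt: bytes | None = None) -> str:
    """Return a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except ValueError:  # also covers binascii.Error for malformed base64
        return False
    if len(raw) <= SHA1_LEN:  # a digest without a salt is not SSHA
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def classify(stored: str) -> tuple[str, str]:
    """Return (scheme, rating) for one userPassword value.

    "ok" is given to the two schemes the manual recommends. The other
    ratings are this example's own labels (assumption).
    """
    if not stored.startswith("{") or "}" not in stored:
        return ("CLEARTEXT", "weak")
    scheme, _, rest = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "SSHA":
        return ("SSHA", "ok")
    if scheme == "CRYPT":
        # "$6$" is the crypt(3) identifier for SHA-512.
        if rest.startswith("$6$"):
            return ("CRYPT-SHA512", "ok")
        return ("CRYPT-other", "review")
    if scheme == "SASL":
        # Password is checked by an external SASL mechanism, not stored here.
        return ("SASL", "external")
    if scheme in ("SHA", "MD5"):  # unsalted digests
        return (scheme, "weak")
    return (scheme, "review")


# Constructed sample data: (uid, userPassword) pairs, not real accounts.
SAMPLE_ENTRIES = [
    ("smiller", make_ssha("constructed-1", b"\x00\x01\x02\x03")),
    ("jdoe", "{CRYPT}$6$examplesalt$constructedhashvalue"),
    ("legacy1", "{MD5}Y29uc3RydWN0ZWQ="),
    ("legacy2", "{CRYPT}ab0123456789Z"),
    ("svc", "{SASL}svc"),
    ("oops", "plaintext-value"),
]


def audit(entries):
    """Return (uid, scheme, rating) for every value that is not rated ok."""
    findings = []
    for uid, value in entries:
        scheme, rating = classify(value)
        if rating != "ok":
            findings.append((uid, scheme, rating))
    return findings


if __name__ == "__main__":
    for uid, scheme, rating in audit(SAMPLE_ENTRIES):
        print(f"{uid}: {scheme} ({rating})")
```
]]></programlisting>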

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixUserConfig.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixUser.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Group memberships can be changed when clicking on "Edit groups".
      Here you can select the Unix groups and group of names
      memberships.</para>

      <para>To enable "Group of names" please either add the groups module
      "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of
      names".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixUserGroups.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can also create home directories for your users if you set up
      <link linkend="a_lamdaemon">lamdaemon</link>. This allows you to create
      the directories on the local or remote servers.</para>

      <para>It is also possible to check the status of the user's home
      directories. If needed the directories can be created or removed at any
      time.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixUserHomedir.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Wildcards</emphasis></para>

      <para>This module provides the following wildcards (others may be
      provided by other modules):</para>

      <itemizedlist>
        <listitem>
          <para>$user: User name</para>
        </listitem>

        <listitem>
          <para>$group: Group name (not the group number)</para>
        </listitem>
      </itemizedlist>

      <para>You can use them in the following input fields on user edit
      screen:</para>

      <itemizedlist>
        <listitem>
          <para>Common name</para>
        </listitem>

        <listitem>
          <para>Gecos</para>
        </listitem>

        <listitem>
          <para>Home directory</para>
        </listitem>
      </itemizedlist>

      <para>Use this when some of your data always follows the same schema.
      E.g. entering "/home/$user" in the home directory field results in
      "/home/myuser". You can set the wildcards in the profile editor so
      they are automatically applied for new users.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixUserWildcard1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para/>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixUserWildcard2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Group of names and group of members (LAM Pro)</title>

      <para>This module manages memberships in group of (unique) names and
      also group of members.</para>

      <para>Please note that this module cannot be used if the Unix module is
      active. In this case group memberships may be managed with the Unix
      module.</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>To activate this feature please add the user module "Group of
      names (groupOfNamesUser)" to your LAM server profile.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_groupOfNamesUser2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The module automatically detects if groups are based on
      "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the
      correct attribute.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_groupOfNamesUser.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section id="organizationalRoleUser">
      <title>Organizational roles (LAM Pro)</title>

      <para>LAM can manage role memberships in <link
      linkend="organizationalRole">organizationalRole</link> objects. To
      activate this feature please add the user module "Roles
      (organizationalRoleUser)" to your LAM server profile.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_organizationalRoleUser1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">User editing</emphasis></para>

      <para>Now, there will be a new tab "Roles" when you edit your user
      accounts. Here you can select the role memberships.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_organizationalRoleUser2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Shadow</title>

      <para>LAM supports the management of the LDAP substitution of
      /etc/shadow. Here you can set up password policies for your Unix
      accounts and also view the last password change of a user.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_shadow.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>NIS net groups</title>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>Please add the module "NIS net groups (nisNetGroupUser)" to the
      list of active user modules.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_nisNetGroupUser1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">User editing</emphasis></para>

      <para>You will now see a new tab when editing users. Here you can assign
      memberships in NIS net groups and also set host/domain.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_nisNetGroupUser2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title id="passwordSelfResetUser">Password self reset (LAM Pro)</title>

      <para>LAM Pro allows your users to reset their passwords by answering a
      security question. The reset link is displayed on the <link
      linkend="PasswordSelfReset">self service page</link>. Additionally, you
      can set question + answer in the admin interface.</para>

      <para>Please note that self service and the LAM admin interface are
      separate functions. You need to specify the list of possible security
      questions in both self service profile(s) and server
      profile(s).</para>

      <para><emphasis role="bold">Schema installation</emphasis></para>

      <para>Please install the LDAP schema as described <link
      linkend="a_passwordSelfResetSchema">here</link>.</para>

      <para><emphasis role="bold">Activate password self reset
      module</emphasis></para>

      <para>Please activate the password self reset module in your LAM Pro
      server profile.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/passwordSelfReset7.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now select the tab "Module settings" and specify the list of
      possible security questions. Only these questions will be selectable
      when you later edit accounts unless you explicitly allow custom
      questions to be entered. LAM Pro supports up to three security
      questions per user.</para>

      <para>If you do not want to set backup email addresses then you can hide
      this option.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/passwordSelfReset8.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Edit users</emphasis></para>

      <para>After everything is set up, please log in to LAM Pro and edit
      your users. You will see a new tab called "Password self reset". Here
      you can activate/remove the password self reset function for each user.
      You can also change the security question and answer.</para>

      <para>If you set a backup email address then confirmation emails will
      also be sent to this address. This is useful if the user password grants
      access to the user's primary mailbox. This way, passwords can be
      unlocked with an external email address.</para>

      <para><emphasis role="bold">Hint:</emphasis> You can add the
      passwordSelfReset object class to all your users with the <link
      linkend="toolMultiEdit">multi edit</link> tool.</para>

      <para><emphasis role="bold">Samba 4 note:</emphasis> Due to a <ulink
      url="https://bugzilla.samba.org/show_bug.cgi?id=10094">bug</ulink> in
      Samba 4 you need to add the extension, save, and then select a question
      and set the answer. If you add the extension, set question/answer and
      then save all together this will cause an LDAP error and no changes will
      be saved.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/passwordSelfReset9.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Hosts</title>

      <para>You can specify a list of valid host names where the user may
      log in. If you add the value "*" then the user may log in to any host.
      This can be further restricted by adding explicit deny entries which are
      prefixed with "!" (e.g. "!hr_server").</para>

      <para>Please note that your PAM settings need to support host
      restrictions. This feature is enabled by setting <emphasis
      role="bold">pam_check_host_attr yes</emphasis> in your <emphasis
      role="bold">/etc/pam_ldap.conf</emphasis>. When it is enabled, the
      account facility of pam_ldap performs the checks and returns an error
      when no proper host attribute is present. Please note that users without
      a host attribute cannot log in to a server configured this way.</para>
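
      <para>Because accounts without a host value are refused once the check
      is active, it helps to audit the directory first. The following script
      is an added example, not part of LAM or pam_ldap; the function names,
      the status labels and the sample entries are constructed for
      illustration, and the input is assumed to be unwrapped LDIF.</para>

      <literallayout><![CDATA[
```shell
#!/bin/sh
# Added example (not LAM or pam_ldap code): audit the "host" attribute before
# enabling pam_check_host_attr. Input is LDIF on stdin, assumed unwrapped, e.g.
#   ldapsearch -x -LLL -o ldif-wrap=no -b BASE '(objectClass=posixAccount)' uid host
# Output: one line per entry, "<uid> NOHOST|ANY|RESTRICTED".

audit_host_attr() {
    awk '
        function emit_entry() {
            if (uid != "") {
                if (nhost == 0) status = "NOHOST"       # no host value: login refused
                else if (any)   status = "ANY"          # "*" present, deny entries may still apply
                else            status = "RESTRICTED"   # only explicit host names
                print uid, status
            }
            uid = ""; nhost = 0; any = 0
        }
        /^[ \t\r]*$/ { emit_entry(); next }             # a blank line ends an LDIF entry
        {
            sep = index($0, ":")
            if (sep == 0) next
            name = tolower(substr($0, 1, sep - 1))      # attribute names are case-insensitive
            value = substr($0, sep + 1)
            sub(/^[ \t]+/, "", value); sub(/[ \t\r]+$/, "", value)
            if (name == "uid") uid = value
            else if (name == "host") { nhost++; if (value == "*") any = 1 }
        }
        END { emit_entry() }
    '
}

# Constructed sample export (not real accounts).
sample_ldif() {
    printf '%s\n' \
        'dn: uid=alice,ou=people,dc=example,dc=com' \
        'uid: alice' \
        'host: *' \
        'host: !hr_server' \
        '' \
        'dn: uid=bob,ou=people,dc=example,dc=com' \
        'uid: bob' \
        '' \
        'dn: uid=carol,ou=people,dc=example,dc=com' \
        'uid: carol' \
        'host: web01'
}

# Demonstration on the sample; pipe a real export into audit_host_attr instead.
sample_ldif | audit_host_attr
```
]]></literallayout>

      <para>Every account reported as NOHOST needs a host value before the
      option is switched on.</para>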

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/hostObject.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Samba 3</title>

      <para>LAM supports full Samba 3 user management including logon hours
      and terminal server options.</para>

      <para>The module is enabled by adding "Samba 3 (sambaSamAccount)" to
      your user modules.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_samba3Config2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>In the configuration options you can enable password history
      checking. Depending on your LDAP server you might need ascending or
      descending order. Just switch the setting if the password history is not
      correctly updated.</para>

      <para>Unless you still have very old Windows clients (e.g. Windows 98),
      it is recommended to disable LM hashes. They are considered to be
      insecure.</para>

      <para>You can also hide some input fields if you do not need
      them.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_samba3Config1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>After configuring the module you will see the Samba 3 tab when you
      edit a user.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_samba3User1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Logon hours can be changed.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_samba3User2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can also set up terminal server settings.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_samba3User3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Windows (Samba 4/Active Directory)</title>

      <para>Please activate the account type "Users" in your LAM server
      profile and then add the user module "Windows (windowsUser)(*)".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsUser4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The default list attributes are for Unix and not suitable for
      Windows (blank lines in account table). Please use
      "#cn;#givenName;#sn;#mail" or select your own attributes to display in
      the account list.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsUser1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>On tab "Module settings" you can specify the possible Windows
      domain names and whether pre-Windows 2000 user names should be
      managed.</para>

      <para>NIS support is deactivated by default. Enable it if needed.</para>

      <para>You can also set maximum values for user photos in advanced
      options.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata contentwidth="1172"
                       fileref="images/mod_windowsUser5.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now you can manage your Windows users and e.g. assign groups. You
      might want to set the default domain name in the <link
      linkend="a_accountProfile">profile editor</link>.</para>

      <para><emphasis role="bold">Attention:</emphasis></para>

      <itemizedlist>
        <listitem>
          <para>Password changes require a secure connection via ldaps://.
          Check your LAM server profile if password changes are refused by the
          server.</para>
        </listitem>

        <listitem>
          <para>Your server must run a 64-bit operating system. Otherwise, the
          module might not work.</para>
        </listitem>
      </itemizedlist>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsUser2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsUser3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Wildcards</emphasis></para>

      <para>This module provides the following wildcards (others may be
      provided by other modules):</para>

      <itemizedlist>
        <listitem>
          <para>$firstname: First name</para>
        </listitem>

        <listitem>
          <para>$lastname: Last name</para>
        </listitem>

        <listitem>
          <para>$user: User name</para>
        </listitem>

        <listitem>
          <para>$commonname: Common name</para>
        </listitem>

        <listitem>
          <para>$email: Email address</para>
        </listitem>
      </itemizedlist>

      <para>You can use them in the following input fields on user edit
      screen:</para>

      <itemizedlist>
        <listitem>
          <para>Common name</para>
        </listitem>

        <listitem>
          <para>Display name</para>
        </listitem>

        <listitem>
          <para>Email</para>
        </listitem>

        <listitem>
          <para>Email alias</para>
        </listitem>

        <listitem>
          <para>Home directory</para>
        </listitem>

        <listitem>
          <para>Profile path</para>
        </listitem>

        <listitem>
          <para>Script path</para>
        </listitem>
      </itemizedlist>

      <para>Use this when some of your data always follows the same schema.
      E.g. entering "$firstname $lastname" in the common name field yields
      "First Last". You can set the wildcards in the profile editor so they
      are automatically applied for new users.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsUser6.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>


      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsUser7.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Filesystem quota (lamdaemon)</title>

      <para>You can manage file system quotas with LAM. This requires setting
      up <link linkend="a_lamdaemon">lamdaemon</link>. LAM connects to your
      server via SSH and manages the disk filesystem quotas. The quotas are
      stored directly on the filesystem. This is the default mechanism to
      store quotas for most systems.</para>

      <para>Please add the module "Quota (quota)" for users to your LAM server
      profile to enable this feature.</para>

      <para>If you store the quota information directly inside LDAP please see
      the next section.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_quotaUser.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Filesystem quota (LDAP)</title>

      <para>You can store your filesystem quotas directly in LDAP. See <ulink
      url="http://sourceforge.net/projects/linuxquota/">Linux
      DiskQuota</ulink> for details since it requires quota tools that support
      LDAP. You will need to install the quota LDAP schema to manage the
      object class "systemQuotas".</para>

      <para>Please add the module "Quota (systemQuotas)" for users to your LAM
      server profile to enable this feature.</para>

      <para>If you store the quota information on the filesystem please see
      the previous section.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_systemQuotas.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Kolab</title>

      <para>This module supports managing Kolab accounts with LAM. E.g. you
      can set the user's mail quota and define invitation policies.</para>

      <para>Please add the Kolab user module in your LAM server profile to
      activate Kolab support.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kolab2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Please enter an email address at the Personal page and set a Unix
      password first. Both are required for Kolab to accept the accounts. The
      email address ("Personal" page) must match your Kolab domain, otherwise
      the account will not work.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kolab.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>If you upgrade existing non-Kolab accounts please make sure that
      the account has a Unix password.</para>
    </section>

    <section>
      <title>Asterisk</title>

      <para>LAM supports Asterisk accounts, too. See the <link
      linkend="type_asterisk">Asterisk</link> section for details.</para>
    </section>

    <section>
      <title>EDU person</title>

      <para>EDU person accounts are mainly used in university networks. You
      can specify the principal name, nick names and much more.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_eduPerson.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>PyKota</title>

      <para>There are two LAM user modules, depending on whether your user
      entries should be built on object class "pykotaObject" or a different
      structural object class (e.g. "inetOrgPerson"). For "pykotaObject"
      please select "PyKota (pykotaUserStructural(*))" and "PyKota
      (pykotaUser)" in all other cases.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_pykotaUser1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>To display the job history please set up the job DN on tab "Module
      settings":</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_pykotaUser2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now you can add the PyKota extension to your user accounts. Here
      you can set up the printing options and add payments for this
      user.</para>

      <para>For LAM Pro there are also self service fields to allow users e.g.
      to view their current balance and job history.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_pykotaUser3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You may also view the payment and job history.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_pykotaUser4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_pykotaUser5.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Password policy (LAM Pro)</title>

      <para>OpenLDAP supports the <ulink
      url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay
      to manage password policies for LDAP entries. LAM Pro supports <link
      linkend="a_ppolicy">managing the policies</link> and assigning them to
      user accounts.</para>

      <para>Please add the account type "Password policies" to your LAM server
      profile and activate the "Password policy" module for the user
      type.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ppolicyUser2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can select the password policy and force a password change on
      next login. Accounts can also be (un)locked.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ppolicyUser.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can assign any password policy which is found in the LDAP
      suffix of the "Password policies" type. When you set the policy to
      "default" then OpenLDAP will use the default policy as defined in your
      slapd.conf file.</para>

      <para><emphasis role="bold">Attention:</emphasis> Locking and unlocking
      requires that you also activate the option "Lockout users" in the
      assigned <link linkend="a_ppolicy">password policy</link>. Otherwise, it
      will have no effect.</para>
    </section>

    <section>
      <title>Account locking for 389ds (LAM Pro)</title>

      <para>This module shows whether users are locked by the 389ds server.
      You can (de)activate your users. The password expiration time can also
      be managed.</para>

      <para>Requirements: 389ds LDAP server</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>Please add the user module "Account locking
      (locking389ds)".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_389dsLocking1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>This will show the password expiration time. You can edit the
      value if needed.</para>

      <para>If there are any failed login attempts then LAM displays their
      number and until when the user is locked by the system.</para>

      <para>The limit of failed login attempts and lockout duration is
      configured on your LDAP server and not within LAM.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_389dsLocking2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can unlock the user by clicking on the lock icon.</para>

      <para>Here you can also (de)activate the account.</para>

      <para>Note: Accounts are only locked by the LDAP server due to failed
      password attempts. You cannot manually lock an account. Deactivate it in
      case you want to disable login for a user.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_389dsLocking3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>FreeRadius</title>

      <para>FreeRadius is software that implements the RADIUS authentication
      protocol. LAM allows you to manage several of the FreeRadius
      attributes.</para>

      <para>To activate the FreeRadius plugin please activate the FreeRadius
      user module in your server profile:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_freeRadius1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can disable unneeded fields on the tab "Module settings". Here
      you can also set the DN where your Radius profile templates are stored
      if you use the option "Profile".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_freeRadius2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now you will see the tab "FreeRadius" when editing users. The
      extension can be (de)activated for each user. You can set up e.g. realm,
      IP and expiration date.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_freeRadius3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Heimdal Kerberos (LAM Pro)</title>

      <para>You can manage your Heimdal Kerberos accounts with LAM Pro. Please
      add the user module "Kerberos (heimdalKerberos)" to activate this
      feature.</para>

      <para><emphasis role="bold">Setup password changing</emphasis></para>

      <para>LAM Pro cannot generate the password hashes itself because Heimdal
      uses a proprietary format for them. Therefore, LAM Pro needs to call
      e.g. kadmin to set the password.</para>

      <para>The wildcards @@password@@ and @@principal@@ are replaced with
      password and principal name. Please use keytab authentication for this
      command since it must run without any interaction.</para>

      <para>Example to create a keytab:</para>

      <literallayout>ktutil -k /root/lam.keytab add -p lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1</literallayout>

      <para>Security hint: Please secure your LAM Pro server since the new
      passwords will be briefly visible in the process list during a password
      change.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kerberos2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">User management</emphasis></para>

      <para>You can specify the principal/user name, ticket lifetimes and
      expiration dates. Additionally, you can set various account
      options.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kerberos1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>MIT Kerberos (LAM Pro)</title>

      <para>You can manage your MIT Kerberos accounts with LAM Pro. Please add
      the user module "Kerberos (mitKerberos)" to activate this feature. If
      you want to manage entries based on the structural object class
      "krbPrincipal" please use "Kerberos (mitKerberosStructural)"
      instead.</para>

      <para><emphasis role="bold">Setup password changing</emphasis></para>

      <para>LAM Pro cannot generate the password hashes itself because MIT
      uses a proprietary format for them. Therefore, LAM Pro needs to call
      kadmin/kadmin.local to set the password.</para>

      <para>LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to
      set the password. Please use keytab authentication for this command
      since it must run without any interaction.</para>

      <para>Keytabs may be created with the "ktutil" application.</para>

      <para>Security hint: Please secure your LAM Pro server since the new
      passwords will be briefly visible in the process list during a password
      change.</para>

      <para>Please note that kadmin/kadmin.local often reports success even
      if errors occurred (e.g. password policy violations). You need to test
      this beforehand and, if affected, write a wrapper script around kadmin
      that returns non-zero return codes for errors.</para>

      <para>Example commands:</para>

      <itemizedlist>
        <listitem>
          <para>/usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p
          realm/changepwd</para>
        </listitem>

        <listitem>
          <para>sudo /usr/sbin/kadmin.local</para>
        </listitem>
      </itemizedlist>
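
      <para>The wrapper script mentioned above could look like this. It is an
      added example, not part of LAM; the KADMIN_CMD variable and the expected
      confirmation line "Password for ... changed." are assumptions that you
      need to check against the output of your kadmin version.</para>

      <literallayout><![CDATA[
```shell
#!/bin/sh
# Added example (not LAM code): kadmin wrapper that fails unless the password
# change is confirmed. Assumptions: the KADMIN_CMD variable name and the
# confirmation line "Password for ... changed." printed by kadmin for cpw.

# Command line taken from the example commands in this section.
: "${KADMIN_CMD:=/usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p realm/changepwd}"

kadmin_checked() {
    rc=0
    # LAM appends -q and the cpw command; "$@" passes both on unchanged.
    # KADMIN_CMD is left unquoted on purpose: it holds the command and its options.
    out=$(LC_ALL=C $KADMIN_CMD "$@" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'kadmin failed with exit status %s\n' "$rc" >&2
        return "$rc"
    fi
    # Exit status 0 is not proof of success, so require the confirmation line.
    if printf '%s\n' "$out" | grep -Eq '^Password for .+ changed\.$'; then
        return 0
    fi
    # Pass on the kadmin messages, but never "$@": it contains the new password.
    printf '%s\n' "$out" >&2
    return 1
}

# Run only when called with arguments, as LAM does.
[ "$#" -eq 0 ] || { kadmin_checked "$@"; exit $?; }
```
]]></literallayout>

      <para>Enter the path of the wrapper as the password change command in
      place of the plain kadmin call.</para>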

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_mitKerberos1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">User management</emphasis></para>

      <para>You can specify the principal/user name, ticket lifetimes and
      expiration dates. Additionally, you can set various account
      options.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_mitKerberos2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section id="mailAliasesUser">
      <title>NIS mail aliases</title>

      <para>This module allows you to add the user to, or remove the user
      from, mail alias entries.</para>

      <para><emphasis role="bold">Note:</emphasis> You need to activate the
      <link linkend="mailAliases">mail alias type</link> for this
      module.</para>

      <para>To activate mail aliases for users please select the module "Mail
      aliases (nisMailAliasUser)":</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisMailAliasUser1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>On tab Module settings you can select if you want to set the user
      name or email as recipient in alias entries.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisMailAliasUser4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now you will see the mail aliases tab when editing a user.</para>

      <para>The red cross will only remove the user from the alias entry. If
      you click the trash can button then the whole alias entry (which may
      contain other users) will be deleted.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisMailAliasUser2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can add the user to existing alias entries or create
      completely new ones.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisMailAliasUser3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Courier mail</title>

      <para>This module allows you to add/remove the Courier extension for
      users.</para>

      <para><emphasis role="bold">Configuration:</emphasis></para>

      <para>Please activate the module Courier for users to enable this
      extension. The Unix module is optional.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_courierUser2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Usage:</emphasis></para>

      <para>Your user tab will now show the Courier extension. This can be
      added/removed any time.</para>

      <para>Here you can configure the home directory in case the Unix module
      is not activated. Additionally, mailbox folder, quota, server and
      feature flags can be configured.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_courierUser1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Qmail (LAM Pro)</title>

      <para>LAM Pro manages all qmail attributes for users. This includes mail
      addresses, ID numbers and quota settings.</para>

      <para>Please note that the main mail address is managed on tab
      "Personal" if this module is active. Otherwise, it will be on the qmail
      tab.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_qmail2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can hide several qmail options if you do not want to manage
      them with LAM. This can be done on the module settings tab of your LAM
      server profile.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_qmail1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Mail routing</title>

      <para>LAM supports managing mail routing for user accounts.</para>

      <para>Module activation:</para>

      <para>This feature can be activated by adding the "Mail routing" module
      to the user account type in your server profile.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mailRoutingConfig.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Usage</emphasis></para>

      <para>You can specify a routing address, the mail server and a number of
      local addresses to route.</para>

      <para>In case you want to add this extension by default for new users
      there is an option in profile editor.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mailRouting.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Wildcards</emphasis></para>

      <para>The module supports wildcards in the following input
      fields:</para>

      <itemizedlist>
        <listitem>
          <para>Routing address</para>
        </listitem>

        <listitem>
          <para>Local address</para>
        </listitem>
      </itemizedlist>

      <para>Check the other modules that you activated to see which wildcards
      they provide (e.g. $user).</para>
    </section>

    <section>
      <title>SSH keys</title>

      <para>You can manage your public keys for SSH in LAM if you installed
      the <ulink url="http://code.google.com/p/openssh-lpk/">LPK patch for
      SSH</ulink> or set up AuthorizedKeysCommand (see below).</para>

      <para>Activate the "SSH public key" module for users in the server
      profile and you can add keys to your user entries.</para>

      <screenshot>
        <graphic fileref="images/ldapPublicKey2.png"/>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ldapPublicKey.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Example for
      AuthorizedKeysCommand</emphasis></para>

      <para>This will dynamically get the public key from LDAP. In this case
      there is no need to patch SSH sources.</para>

      <para>Create the authentication script in e.g.
      /usr/bin/ldapAuthSSH.sh</para>

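      <literallayout>
#!/bin/bash
# sshd passes the login name as the first argument.
uid=$1
server=ldap.domain.com
baseDN=ou=people,dc=example,dc=com
port=389
# Query the user's entry and print its sshPublicKey values; sed joins wrapped LDIF lines.
# -H takes an LDAP URI and replaces the deprecated -h/-p options.
ldapsearch -x -H "ldap://$server:$port" -b "$baseDN" -s sub "(&amp;(objectclass=posixAccount)(uid=$uid))" | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

</literallayout>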

      <para>Now set up your sshd_config</para>

      <literallayout>AuthorizedKeysCommand /usr/bin/ldapAuthSSH.sh
AuthorizedKeysCommandUser root</literallayout>
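
      <para>A hardened variant of the lookup script, as an added example that
      is not part of the LAM manual: it checks the login name before it is
      placed in the LDAP filter, queries via ldaps:// so the returned keys are
      protected in transit, and only prints values that look like plain public
      keys. The ldaps:// URI, the helper names and the sample entry are
      assumptions made for illustration.</para>

      <literallayout><![CDATA[
```shell
#!/bin/sh
# Added example (not from the LAM manual): hardened AuthorizedKeysCommand lookup.
# Assumptions: the ldaps:// URI and the helper names; host, base DN and the
# sshPublicKey attribute are the ones used in the script above.
LC_ALL=C; export LC_ALL        # ASCII ranges in the patterns below

LDAP_URI="ldaps://ldap.domain.com"
BASE_DN="ou=people,dc=example,dc=com"

# Accept only conservative login names, so the value cannot alter the LDAP filter.
valid_login_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Read unwrapped LDIF on stdin and print authorized_keys lines.
# "attr: value" is plain text, "attr:: value" is base64-encoded.
extract_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            'sshPublicKey:: '*) key=$(printf '%s' "${line#sshPublicKey:: }" | base64 -d 2>/dev/null) || continue ;;
            'sshPublicKey: '*)  key=${line#sshPublicKey: } ;;
            *) continue ;;
        esac
        # Emit only "type blob [comment]" lines. Values that carry key options
        # are dropped, so a directory entry cannot set options for sshd.
        printf '%s\n' "$key" | grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' || true
    done
    return 0
}

# Look up the keys of one user; prints nothing for rejected names.
lookup_keys() {
    valid_login_name "$1" || return 1
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$BASE_DN" -s sub \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | extract_keys
}

# Constructed sample search result (not real keys), for trying extract_keys offline.
sample_ldif() {
    printf '%s\n' \
        'dn: uid=alice,ou=people,dc=example,dc=com' \
        'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForDocsOnly alice@laptop' \
        'sshPublicKey: no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EConstructed alice@old' \
        'description: not a key'
}

# sshd calls the script with the login name; without arguments nothing is printed.
[ "$#" -eq 0 ] || lookup_keys "$1"
```
]]></literallayout>

      <para>sshd only runs the script if it is owned by root and not writable
      by group or others. The sshd_config manual page recommends a dedicated
      account for AuthorizedKeysCommandUser that has no other role on the
      host.</para>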
    </section>

    <section>
      <title>YubiKey</title>

      <para>You can manage your YubiKey ids with LAM. It supports the <ulink
      url="https://github.com/mludvig/yubikey-ldap">yubiKeyUser schema</ulink>
      or any other attribute mapping.</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>First, you need to activate the YubiKey module for users in your
      LAM server profile.</para>

      <screenshot>
        <graphic fileref="images/mod_yubikey1.png"/>
      </screenshot>

      <para>Second, you need to specify which object class and attribute name
      should be used.</para>

      <para>Object class: If you have an object class just for the YubiKey ids
      then enter it here. LAM will then provide options to add and remove it.
      In case you reuse some existing attribute from e.g. inetOrgPerson please
      leave object class name blank.</para>

      <para>Attribute name: please enter the attribute name that is used for
      the key ids.</para>

      <screenshot>
        <graphic fileref="images/mod_yubikey2.png"/>
      </screenshot>

      <para>You will then be able to manage the key ids for your users.</para>

      <screenshot>
        <graphic fileref="images/mod_yubikey3.png"/>
      </screenshot>

      <para><emphasis role="bold">Self Service (LAM Pro)</emphasis></para>

      <para>This will allow your users to update their own keys.</para>

      <para>You need to configure the object class and attribute name first.
      This is done on tab "Module settings" in self service profile.</para>

      <para><emphasis role="bold">Attention: </emphasis>Please note that both
      fields are mandatory here. Even if you reused an attribute from some
      existing object class you need to set it here. LAM needs this to detect
      if the user can add keys.</para>

      <screenshot>
        <graphic fileref="images/mod_yubikey5.png"/>
      </screenshot>

      <para>Then add the YubiKey ids field to your self service profile on tab
      "Page layout".</para>

      <screenshot>
        <graphic fileref="images/mod_yubikey4.png"/>
      </screenshot>

      <para>When a user with the specified object class logs in then the key
      input fields are shown.</para>

      <screenshot>
        <graphic fileref="images/mod_yubikey6.png"/>
      </screenshot>
    </section>

    <section>
      <title>Authorized services</title>

      <para>You can set up PAM to check if a user is allowed to run a specific
      service (e.g. sshd) by reading the LDAP attribute "authorizedService".
      This way you can manage all allowed services via LAM.</para>


      <para>To activate this PAM feature please edit your <emphasis
      role="bold">/etc/libnss-ldap.conf</emphasis> and set
      "pam_check_service_attr" to "yes".</para>


      <para>Inside LAM you can now set the allowed services. You may also
      set up default services in your account profiles.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_authorizedServices.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can define a list of services in your LAM server profile that
      is used for autocompletion.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_authorizedServices3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The autocompletion will show all values that contain the entered
      text. To display the whole list you can press backspace in the empty
      input field. Of course, you can also insert a service name that is not
      in the list.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_authorizedServices2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>IMAP mailboxes</title>

      <para>LAM may create and delete mailboxes on an IMAP server for your
      user accounts. You will need an IMAP server that supports either SSL or
      TLS for this feature.</para>

      <para>To activate the mailbox management module please add the "Mailbox
      (imapAccess)" module for the type user in your LAM server
      profile:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/imapAccess1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now configure the module on the tab "Module settings". Here you
      can specify the IMAP server name, encryption options, the authentication
      for the IMAP connection and the valid mail domains. LAM can use either
      your LAM login password for the IMAP connection or display a dialog
      where you need to enter the password. It is also possible to store the
      admin password in your server profile. This is not recommended for
      security reasons.</para>

      <para>The user name can either be a fixed name (e.g. "admin") or it can
      be generated with LDAP attributes of the LAM admin user. E.g. $uid$ will
      be transformed to "myUser" if you log in with
      "uid=myUser,ou=people,dc=example,dc=com".</para>

      <para>The mail domains specify for which accounts mailboxes may be
      created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can be
      managed for "user@lam-demo.org" but not for "user@example.com". Use "*"
      for any domain.</para>

      <para>You need to install the SSL certificate of the CA that signed your
      server certificate. This is usually done by installing the certificate
      in /etc/ssl/certs. Different Linux distributions may offer different
      ways to do this. For Debian please copy the certificate to
      "/usr/local/share/ca-certificates" and run "update-ca-certificates" as
      root.</para>

      <para>It is not recommended to disable the validation of IMAP server
      certificates.</para>

      <para>The prefix, user name attribute and path separator specify how
      your mailboxes are named (e.g. "user.myUser@localhost" or
      "user/myUser"). Select the values depending on your IMAP server
      settings.</para>

      <para>You can specify a list of initial folder names to create for new
      mailboxes. LAM will then create them with each new mailbox.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/imapAccess2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>When you edit a user account you will now see the tab
      "Mailbox". Here you can create/delete the mailbox for this user.</para>

      <para>Please note that mailbox creation via file upload is not possible
      if you configured the LAM server profile to ask for the admin
      password.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/imapAccess3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>IP addresses (LAM Pro)</title>

      <para>You can manage the IP addresses of user accounts (e.g. assigned by
      DHCP) with the ipHost module.</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ipHostUser.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">User editing</emphasis></para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ipHostUser1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section id="s_account">
      <title>Account</title>

      <para>This is a very simple module to manage accounts based on the
      object class "account". Usually, this is used for host accounts only.
      Please note that users based on the "account" object class
      cannot have contact information (e.g. telephone number) as with
      "inetOrgPerson".</para>

      <para>You can enter a user/host name and a description for your
      accounts.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_account.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>
  </section>

  <section>
    <title>Groups</title>


    <section>
      <title>Unix</title>

      <para>This module is used to manage Unix group entries. This is the
      default module to manage Unix groups and uses the nis.schema. Suse users
      who use the <link
      linkend="rfc2307bisPosixGroup">rfc2307bis.schema</link> need to use LAM
      Pro.</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>Please add the account type "Groups" and then select
      account module "Unix (posixGroup)".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixGroupConfig1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Virtual list attributes:</para>

      <screenshot>
        <graphic fileref="images/mod_unixGroupConfig2.png"/>
      </screenshot>

      <para>The following virtual attributes can be shown in the group list.
      These are not real LDAP attributes but extra data that can be shown by
      LAM.</para>

      <itemizedlist>
        <listitem>
          <para>memberuid_count: number of entries in attribute
          "memberuid"</para>
        </listitem>

        <listitem>
          <para>member_count: number of entries in attribute "member"</para>
        </listitem>

        <listitem>
          <para>uniqueMember_count: number of entries in attribute
          "uniquemember"</para>
        </listitem>

        <listitem>
          <para>owner_count: number of entries in attribute "owner"</para>
        </listitem>

        <listitem>
          <para>roleOccupant_count: number of entries in attribute
          "roleOccupant"</para>
        </listitem>
      </itemizedlist>

      <para>Module settings:</para>

      <para>GID generator: LAM will suggest GID numbers for your accounts.
      Please note that duplicate IDs may be assigned if
      users create groups at the same time. Use an <ulink
      url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink>
      like "Attribute Uniqueness" (<link
      linkend="a_openldap_unique">example</link>) if you have lots of LAM
      admins creating groups.</para>

      <itemizedlist>
        <listitem>
          <para>Fixed range: LAM searches for free numbers within the given
          limits. LAM always tries to use a free GID that is greater than the
          existing GIDs to prevent collisions with deleted groups.</para>
        </listitem>

        <listitem>
          <para>Samba ID pool: This uses a special LDAP entry that includes
          attributes that store a counter for the last used UID/GID. Please
          note that this requires that you install the Samba schema and create
          an LDAP entry of object class "sambaUnixIdPool".</para>
        </listitem>

        <listitem>
          <para>Magic number: Use this if your LDAP server assigns the GID
          numbers automatically (e.g. DNA by 389 server). Enter the server's
          magic number setting.</para>
        </listitem>
      </itemizedlist>

      <para>Disable membership management: Disables group membership
      management. This is useful if memberships are e.g. managed via group of
      names.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixGroupConfig.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Group management:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixGroup.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Group membership management:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixGroup2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section id="rfc2307bisPosixGroup">
      <title>Unix groups with rfc2307bis schema (LAM Pro)</title>

      <para>Some applications (e.g. Suse Linux) use the rfc2307bis schema for
      Unix accounts instead of the nis schema. In this case group accounts are
      based on the object class <link lang=""
      linkend="a_groupOfNames">groupOf(Unique)Names</link> or namedObject. The
      object class posixGroup is auxiliary in this case.</para>

      <para>LAM Pro supports these groups with a special account module:
      <emphasis role="bold">rfc2307bisPosixGroup</emphasis></para>

      <para>Use this module only if your system depends on the rfc2307bis
      schema. The module can be selected in the LAM configuration. Instead of
      using groupOfNames as basis for your groups you may also use
      namedObject.</para>

      <para>Module activation:</para>

      <para><screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/rfc2307bis.png"/>
            </imageobject>
          </mediaobject>
        </screenshot></para>

      <para>GID generator: LAM will suggest GID numbers for your accounts.
      Please note that duplicate IDs may be assigned if
      users create groups at the same time. Use an <ulink
      url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink>
      like "Attribute Uniqueness" (<link
      linkend="a_openldap_unique">example</link>) if you have lots of LAM
      admins creating groups.</para>

      <itemizedlist>
        <listitem>
          <para>Fixed range: LAM searches for free numbers within the given
          limits. LAM always tries to use a free GID that is greater than the
          existing GIDs to prevent collisions with deleted groups.</para>
        </listitem>

        <listitem>
          <para>Samba ID pool: This uses a special LDAP entry that includes
          attributes that store a counter for the last used UID/GID. Please
          note that this requires that you install the Samba schema and create
          an LDAP entry of object class "sambaUnixIdPool".</para>
        </listitem>

        <listitem>
          <para>Magic number: Use this if your LDAP server assigns the GID
          numbers automatically (e.g. DNA by 389 server). Enter the server's
          magic number setting.</para>
        </listitem>
      </itemizedlist>
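
      <para>The following audit script is an added example and not part of
      LAM. It applies to both the Unix and the rfc2307bis group module: it
      scans an LDIF export of your groups for gidNumber values that were
      assigned to more than one entry and shows the fixed range rule of
      suggesting a GID above all existing ones. The sample LDIF, the range
      10000-10999, the function names and the fallback to the lowest free
      number are assumptions made for illustration.</para>

      <programlisting language="python"><![CDATA[
```python
"""Audit gidNumber assignments in an LDIF export (added example, not LAM code)."""
from collections import defaultdict

# Constructed sample export: "devs" and "ops" were created at the same time
# and both received gidNumber 10002.
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 10001

dn: cn=devs,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: devs
gidNumber: 10002

dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: ops
gidNumber: 10002

dn: cn=legacy,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: legacy
gidNumber: 500
"""


def parse_gids(ldif_text):
    """Return (dn, gidNumber) pairs for every entry that carries a gidNumber."""
    # Unfold LDIF continuation lines (they start with a single space).
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    pairs, dn = [], None
    for line in lines:
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        name, sep, value = line.partition(":")
        # Skip comments, malformed lines and base64 values ("attr:: ...").
        if line.startswith("#") or not sep or value.startswith(":"):
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        elif name == "gidnumber" and dn is not None and value.isdigit():
            pairs.append((dn, int(value)))
    return pairs


def find_duplicates(pairs):
    """Map each gidNumber used by more than one entry to its sorted DNs."""
    by_gid = defaultdict(list)
    for dn, gid in pairs:
        by_gid[gid].append(dn)
    return {gid: sorted(dns) for gid, dns in by_gid.items() if len(dns) > 1}


def suggest_gid(pairs, low, high):
    """Fixed range suggestion: prefer a GID above every existing one.

    Assumption of this example: when the top of the range is already used,
    fall back to the lowest free number; return None if the range is full.
    """
    used = {gid for _, gid in pairs if low <= gid <= high}
    candidate = max(used) + 1 if used else low
    if candidate <= high:
        return candidate
    for gid in range(low, high + 1):
        if gid not in used:
            return gid
    return None


if __name__ == "__main__":
    found = parse_gids(SAMPLE_LDIF)
    for gid, dns in sorted(find_duplicates(found).items()):
        print(f"gidNumber {gid} is shared by: {', '.join(dns)}")
    print("next suggestion in 10000-10999:", suggest_gid(found, 10000, 10999))
```
]]></programlisting>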

      <para>Disable membership management: Disables group membership
      management. This is useful if memberships are e.g. managed via group of
      names.</para>

      <para>Force sync with group of names: This will automatically set the
      group memberships of the Unix part to the same members as set on group
      of names tab.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/rfc2307bis2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The GID number will be filled automatically based on the server
      profile configuration.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixGroupLAMPro.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Group members can be edited and also synced with Group of (unique)
      names.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_unixGroupLAMPro2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Samba 3</title>

      <para>LAM supports managing Samba 3 groups. You can set special group
      types and also create Windows predefined groups like "Domain
      admins".</para>

      <para>Module activation:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_sambaGroup2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Group editing:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_sambaGroup.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Windows (Samba 4)</title>

      <para>LAM can manage your Windows groups. Please enable the account type
      "Groups" in your LAM server profile and then add the group module
      "Windows (windowsGroup)(*)".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsGroup3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The default list attributes are for Unix and not suitable for
      Windows (blank lines in account table). Please use
      "#cn;#member;#description" or select your own attributes to display in
      the account list.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsGroup1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>NIS support is deactivated by default. Enable it if needed on tab
      "Module settings".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsGroup4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now you can edit your groups inside LAM. You can manage the group
      name, description and its type. Of course, you can also set the group
      members.</para>

      <para>Group scopes:</para>

      <itemizedlist>
        <listitem>
          <para>Global: Use this for groups with frequent changes. Global
          groups are not replicated to other domains.</para>
        </listitem>

        <listitem>
          <para>Universal: Groups with universal scope are used to consolidate
          groups that span domains. They are globally replicated.</para>
        </listitem>

        <listitem>
          <para>Domain local: Groups with domain local scope can be used to
          set permissions inside one domain. They are not replicated to other
          domains.</para>
        </listitem>
      </itemizedlist>

      <para>Group type:</para>

      <itemizedlist>
        <listitem>
          <para>Security: Use this group type to control permissions.</para>
        </listitem>

        <listitem>
          <para>Distribution: These groups are only used for email
          applications. They cannot be used to control permissions.</para>
        </listitem>
      </itemizedlist>

      <para>With "Show effective members" you can show a list of all members
      of this group including members of subgroups and their subgroups.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsGroup2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Kolab</title>

      <para>Please activate the Kolab group module in your LAM server profile
      to activate Kolab support.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kolab3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can specify the email address and also set allowed sender and
      recipient addresses.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kolab4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Mail routing</title>

      <para>LAM supports managing mail routing for group accounts.</para>

      <para>Module activation:</para>

      <para>This feature can be activated by adding the "Mail routing" module
      to the group account type in your server profile.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mailRoutingConfigGroup.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Usage:</para>

      <para>You can specify a routing address, the mail server and a number of
      local addresses to route.</para>

      <para>In case you want to add this extension by default for new groups
      there is an option in the profile editor.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mailRoutingGroup.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Quota</title>

      <para>You can manage file system quotas with LAM. This requires setting up
      <link linkend="a_lamdaemon">lamdaemon</link>. File system quotas are not
      stored inside LAM but managed directly on the specified servers.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_quotaGroup.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Dynamic lists (LAM Pro)</title>

      <para><ulink
      url="http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists">Dynamic
      lists</ulink> allow you to create LDAP entries that populate the value
      of an attribute via LDAP query. This is e.g. used to create groups that
      contain all users in a certain DN.</para>

      <para>Please note that this functionality requires configuration on your
      LDAP server. E.g. on OpenLDAP you need to activate the "dynlist" overlay
      and need to specify attribute mappings.</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>Add a new group account type and set a unique label for it.</para>

      <para><inlinemediaobject>
          <imageobject>
            <imagedata fileref="images/mod_dynamicList1.png"/>
          </imageobject>
        </inlinemediaobject></para>

      <para>Do not forget to set proper "List attributes" to be shown on the
      overview page of all dynamic lists.</para>

      <para><inlinemediaobject>
          <imageobject>
            <imagedata fileref="images/mod_dynamicList2.png"/>
          </imageobject>
        </inlinemediaobject></para>

      <para>On tab "Modules" please add the dynamic lists module.</para>

      <para><inlinemediaobject>
          <imageobject>
            <imagedata fileref="images/mod_dynamicList4.png"/>
          </imageobject>
        </inlinemediaobject></para>

      <para>On tab "Module settings" you can now configure your dynamic lists.
      Here you set up the used object class, RDN attribute, query attribute and
      list attribute (the one that is populated via query).</para>

      <para>In case you have different types of dynamic lists you can simply
      redo the steps above to create more group types.</para>

      <para><inlinemediaobject>
          <imageobject>
            <imagedata fileref="images/mod_dynamicList3.png"/>
          </imageobject>
        </inlinemediaobject></para>


      <para><emphasis role="bold">Usage</emphasis></para>

      <para>When you log in to LAM you will see your new dynamic lists
      tab.</para>

      <para><inlinemediaobject>
          <imageobject>
            <imagedata fileref="images/mod_dynamicList5.png"/>
          </imageobject>
        </inlinemediaobject></para>

      <para>For each list you can manage the name and query string. LAM also
      displays which entries are auto-populated to the list.</para>

      <para><inlinemediaobject>
          <imageobject>
            <imagedata fileref="images/mod_dynamicList6.png"/>
          </imageobject>
        </inlinemediaobject></para>
    </section>

    <section>
      <title>PyKota</title>

      <para>There are two LAM group modules, depending on whether your group entries
      should be built on object class "pykotaObject" or a different structural
      object class (e.g. "posixGroup"). For "pykotaObject" please select
      "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)" in all
      other cases.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_pykotaGroup1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now you can add the PyKota extension to your groups.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_pykotaGroup2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>
  </section>

  <section>
    <title>Hosts</title>

    <section>
      <title>Account</title>

      <para>Please see the description <link
      linkend="s_account">here</link>.</para>
    </section>

    <section>
      <title>Device (LAM Pro)</title>

      <para>The device object class allows you to manage general information about
      all sorts of devices (e.g. computers, network hardware, ...). You can
      enter the serial number, location and a describing text. It is also
      possible to specify the owner of the device.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/device.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Samba 3</title>

      <para>You can manage Samba 3 host entries by adding the Unix and Samba 3
      account modules.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_sambaHost1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_sambaHost2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Windows (Samba 4)</title>

      <para>LAM can manage your Windows servers and workstations. Please
      enable the account type "Hosts" in your LAM server profile and then add
      the host module "Windows (windowsHost)(*)".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsServer3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The default list attributes are for Unix and not suitable for
      Windows (blank lines in account table). Please use
      "#cn;#description;#location" or select your own attributes to display in
      the account list.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsServer2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now you will see your computer accounts inside LAM. You can set
      e.g. the server's description and location information.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_windowsServer1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>IP addresses (LAM Pro)</title>

      <para>You can manage the IP addresses of host accounts with the ipHost
      module. It manages the following information:</para>

      <itemizedlist>
        <listitem>
          <para>IP addresses (IPv4/IPv6)</para>
        </listitem>

        <listitem>
          <para>location of the host</para>
        </listitem>

        <listitem>
          <para>manager: the person who is responsible for the host</para>
        </listitem>
      </itemizedlist>

      <para>You can activate this extension by adding the module ipHost to the
      list of active host modules.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ipHost.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>MAC addresses</title>

      <para>Hosts can have an unlimited number of MAC addresses. To enable
      this feature just add the "MAC address" module to the host account
      type.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/macAddress.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Puppet</title>

      <para>LAM supports managing your <ulink
      url="http://puppetlabs.com/">Puppet</ulink> configuration. You can edit
      all attributes like environment, classes, variables and parent
      node.</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>To activate this feature please edit your LAM server profile and
      add the host module "Puppet (puppetClient)" on tab "Modules". This will
      add the Puppet tab to your host pages.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_puppet2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>On tab "Module settings" in your LAM server profile you may also
      set up some common environment names. LAM will use them to provide
      autocompletion hints when editing the environment for a node.</para>

      <para>If you enter any value in "Enforce classes" then LAM will only
      accept this list of classes.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_puppet3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Editing nodes</emphasis></para>

      <para>When you edit a host entry then you will see the tab "Puppet".
      Here you can add/remove the Puppet extension and edit all
      attributes.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_puppet1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>NIS net groups</title>

      <para>NIS netgroups can be used to e.g. restrict SSH access to your
      machines.</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>Please add the module "NIS net groups (nisNetGroupHost)" to the
      list of active host modules.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_nisNetGroupHost1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Host editing</emphasis></para>

      <para>You will now see a new tab when editing hosts. Here you can assign
      memberships in NIS net groups and also set user/domain.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_nisNetGroupHost2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>
  </section>

  <section>
    <title>Samba 3 domains</title>

    <para>Samba 3 stores information about its domain settings inside LDAP.
    This includes the domain name, its SID and some policies. You can manage
    all these attributes with LAM.</para>

    <para>Please activate the account type "Samba domains" in your LAM server
    profile. Please note that Samba by default uses the LDAP root for domain
    objects (e.g. dc=example,dc=com).</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/sambaDomains1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>This will add a new tab to LAM where you can manage domain
    information.</para>

    <para>The domain name, SID and RID base can only be specified for new
    domains and are not changeable via LAM at a later time. You may set up
    several password policies for your Samba domains and also some RID options
    that influence the creation of SIDs for users/groups/hosts.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/sambaDomains2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section id="a_groupOfNames">
    <title>Group of (unique) names and group of members (LAM Pro)</title>

    <para>These classes can be used to represent group relations. Since they
    allow DNs as members you can also use them to represent nested
    groups.</para>

    <para><emphasis role="bold">Configuration:</emphasis></para>

    <para>Activate the account type "Group of names" in your LAM server
    profile to use these account modules. Alternatively, you can use the
    account type "Groups".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/groupOfNames3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/groupOfNames2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Then add the module "Group of names (groupOfNames)", "Group of
    unique names (groupOfUniqueNames)" or "Group of members
    (groupOfMembers)".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/groupOfNames4.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>


    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/groupOfMembers1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Virtual list attributes:</para>

    <screenshot>
      <graphic fileref="images/mod_gon.png"/>
    </screenshot>

    <para>The following virtual attributes can be shown in the group list.
    These are not real LDAP attributes but extra data that can be shown by
    LAM.</para>

    <itemizedlist>
      <listitem>
        <para>member_count: number of entries in attribute "member"</para>
      </listitem>

      <listitem>
        <para>uniqueMember_count: number of entries in attribute
        "uniquemember"</para>
      </listitem>

      <listitem>
        <para>owner_count: number of entries in attribute "owner"</para>
      </listitem>

      <listitem>
        <para>roleOccupant_count: number of entries in attribute
        "roleOccupant"</para>
      </listitem>
    </itemizedlist>

    <para>Module settings:</para>

    <para>On the module settings tab you can set some options like the display
    format for members/owners and if fields like description should not be
    displayed.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/groupOfNames5.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Group management:</emphasis></para>

    <para>Groups of (unique) names have four basic attributes:</para>

    <itemizedlist>
      <listitem>
        <para>Name: a unique name for the group</para>
      </listitem>

      <listitem>
        <para>Description: optional description</para>
      </listitem>

      <listitem>
        <para>Owner: the account which owns this group (optional)</para>
      </listitem>

      <listitem>
        <para>Members: the members of the group (at least one is
        required)</para>
      </listitem>
    </itemizedlist>

    <para>You can add any accounts as members. This includes other groups,
    which leads to nested groups.</para>

    <para>To show members of nested groups click on "Show effective members".
    Please note that for large groups this will run lots of queries against
    your LDAP server.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/groupOfNames1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section id="organizationalRole">
    <title>Organizational roles (LAM Pro)</title>

    <para>This module manages roles via the organizationalRole object class.
    There is also a <link linkend="organizationalRoleUser">user module</link>
    to manage memberships on the user edit page.</para>

    <para><emphasis role="bold">Configuration:</emphasis></para>

    <para>Activate the account type "Groups" in your LAM server profile to use
    this account module. Alternatively, you can use the account type "Group of
    names".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_organizationalRole1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_organizationalRole2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Then add the module "Role (organizationalRole)".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_organizationalRole3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>On the module settings tab you can set options such as the display
    format for members and whether the description should be hidden.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_organizationalRole4.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Role management:</emphasis></para>

    <para>You can add any accounts as members. This includes other roles,
    which leads to nested roles (needs to be supported by LDAP client
    applications).</para>

    <para>To show members of nested roles click on "Show effective members".
    Please note that for large roles this will run lots of queries against
    your LDAP server.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_organizationalRole5.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
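
    <para>Nesting, as described for groups of names and for organizational
    roles, means that an account can hold a membership it was never given
    directly. The following Python sketch is an added example, not LAM code:
    it resolves nested members with one read per entry (which illustrates why
    the lookup is expensive for large groups) and also reports membership
    cycles and member DNs that no longer exist. The directory contents, the
    dc=example,dc=com DNs and all function names are constructed for
    illustration.</para>

    <programlisting language="python"><![CDATA[
```python
"""Effective members of nested LDAP groups (added example, constructed data)."""

# Member attributes of the object classes covered in these sections.
MEMBER_ATTRS = ("member", "uniqueMember", "roleOccupant")
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "groupofmembers",
                 "organizationalrole"}

BASE = "dc=example,dc=com"  # constructed suffix
# Constructed sample entries; a real tool would read them from the server.
SAMPLE_ENTRIES = {
    "cn=admins,ou=groups," + BASE: {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people," + BASE, "cn=ops,ou=groups," + BASE],
    },
    "cn=ops,ou=groups," + BASE: {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["UID=bob, OU=people," + BASE,
                         "cn=oncall,ou=roles," + BASE],
    },
    "cn=oncall,ou=roles," + BASE: {
        "objectClass": ["organizationalRole"],
        "roleOccupant": ["uid=carol,ou=people," + BASE,
                         "cn=admins,ou=groups," + BASE,   # closes a cycle
                         "uid=ghost,ou=people," + BASE],  # entry was deleted
    },
    "uid=alice,ou=people," + BASE: {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=people," + BASE: {"objectClass": ["inetOrgPerson"]},
    "uid=carol,ou=people," + BASE: {"objectClass": ["inetOrgPerson"]},
}


def norm(dn):
    """Simplified DN normalisation (ignores escaped commas in RDN values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class SampleDirectory:
    """In-memory stand-in for an LDAP server that counts entry reads."""

    def __init__(self, entries):
        self.entries = {norm(dn): attrs for dn, attrs in entries.items()}
        self.reads = 0

    def read(self, dn):
        self.reads += 1
        return self.entries.get(norm(dn))


def is_group(entry):
    return any(oc.lower() in GROUP_CLASSES for oc in entry["objectClass"])


def effective_members(directory, group_dn):
    """Depth-first walk of a group and every group nested below it.

    Returns (members, cycles, dangling):
      members  - {account DN: chain of groups that grants the membership}
      cycles   - list of group chains that lead back to themselves
      dangling - member DNs that have no entry in the directory
    """
    members, cycles, dangling = {}, [], set()
    on_path, done = [], set()

    def visit(dn):
        if dn in on_path:                      # group is its own ancestor
            cycles.append(on_path[on_path.index(dn):] + [dn])
            return
        if dn in done:                         # already resolved, no new read
            return
        done.add(dn)
        entry = directory.read(dn)
        if entry is None:
            dangling.add(dn)
        elif not is_group(entry):
            members[dn] = list(on_path)        # first chain found is recorded
        else:
            on_path.append(dn)
            for attr in MEMBER_ATTRS:
                for member_dn in entry.get(attr, []):
                    visit(norm(member_dn))
            on_path.pop()

    visit(norm(group_dn))
    return members, cycles, dangling


if __name__ == "__main__":
    directory = SampleDirectory(SAMPLE_ENTRIES)
    members, cycles, dangling = effective_members(
        directory, "cn=admins,ou=groups," + BASE)
    for dn, chain in sorted(members.items()):
        print(dn, "via", " -> ".join(chain))
    print("cycles:", cycles)
    print("dangling:", sorted(dangling))
    print("LDAP reads:", directory.reads)
```
]]></programlisting>

    <para>Dangling member DNs deserve attention in an access review: if an
    entry with the same DN is created later, it takes over the
    membership.</para>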
  </section>

  <section id="type_asterisk">
    <title>Asterisk</title>

    <para>LAM includes extensive support for Asterisk. You can add Asterisk
    extensions (including voicemail) to your users and also manage Asterisk
    extensions.</para>

    <para>The Asterisk support for users can be added by selecting the
    Asterisk and Asterisk voicemail modules for users in your LAM server
    profile. This will add the following tabs to your user accounts.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/asterisk.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>The Asterisk module allows you to edit a large number of attributes.
    Therefore, you can hide unused fields. Please edit your server profile
    (Module settings) to do so.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/asteriskConfig.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Of course, the voicemail part of Asterisk is also supported.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/asteriskVoicemail.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>If you also want to manage Asterisk extensions then simply add the
    account type "Asterisk extensions" and its module to your server
    profile.</para>

    <para>LAM groups your Asterisk extension entries by extension name and
    account context. If you edit an extension then you will see the Asterisk
    entries as rules. LAM ensures that all rule entries have the same owners
    and assigns the priorities.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/asteriskExtension.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section id="s_kopano">
    <title>Kopano (LAM Pro)</title>

    <para>Kopano is an OpenSource collaboration software. LAM Pro provides
    support to manage Kopano user entries, groups, address lists and servers.
    It covers all settings for these types including resource and quota
    settings.</para>

    <section>
      <title>Users</title>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>To enable Kopano support for users please activate the Kopano
      module for the user account type in your server profile:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopano1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Adjust the suffix and list attributes to your needs.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoUser1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Then select the Kopano user module (tab Modules). You can combine
      it with the Personal, Unix or Windows modules.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoUser2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Next configure the module to your needs (tab Module
      settings).</para>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Attention:</emphasis> LAM Pro uses the
      Kopano OpenLDAP schema by default. This schema fits for OpenLDAP,
      OpenDJ, Apache Directory server and other common LDAP servers. If you
      run Samba 4 or Active Directory then you need to switch the schema to
      "Active Directory" on the module settings tab.</para>

      <literallayout>
</literallayout>

      <para>You can hide options that you do not need. E.g. if you do not want
      to manage quotas per user then you can hide these options.</para>

      <literallayout>
</literallayout>

      <para>Examples for your Zarafa ldap.cfg:</para>

      <para>"Send as" attribute: dn</para>

      <para><code>ldap_user_sendas_attribute_type = dn</code></para>

      <literallayout>
</literallayout>

      <para>"Send as" attribute: uid</para>

      <para><code>ldap_user_sendas_attribute_type = text</code></para>

      <para><code>ldap_user_sendas_relation_attribute = uid</code></para>

      <literallayout>
</literallayout>

      <para>Attention: If the Active Directory schema is used then LAM will
      always use dn and ignore this setting.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoUser3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Usage</emphasis></para>

      <para>LAM Pro will now display the Kopano tab on your users. This
      includes email settings, quotas and some options (e.g. hide from address
      book). You can also set the resource type and capacity for meeting rooms
      and equipment. The Kopano extension can be added and removed at any time
      for every user.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoUser4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Contacts</title>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>The configuration is similar to users. Instead of the Kopano user
      module please select the contact module.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopano1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para/>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoContact1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para/>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoContact2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Usage</emphasis></para>

      <para>LAM Pro will now display the Kopano contact tab on your users. The
      Kopano extension can be added and removed at any time for every
      user.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoContact3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Groups</title>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>To enable Kopano support for groups please activate the Kopano
      module for the group account type in your server profile:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoGroup1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Adjust the suffix and list attributes to your needs.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoGroup2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Then select the Kopano group module (tab Modules). You can combine
      it with the group of names, Unix or Windows modules.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoGroup3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Next configure the module to your needs (tab Module
      settings).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoGroup4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Usage</emphasis></para>

      <para>LAM Pro will now display the Kopano tab on your groups. The Kopano
      extension can be added and removed at any time for every group.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoGroup5.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Address lists</title>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>To enable Kopano support for address lists please activate the
      Kopano address list account type in your server profile (tab account
      types):</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoAddresslist1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Adjust the suffix and list attributes to your needs.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoAddresslist2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Then select the Kopano address list module (tab Modules).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoAddresslist3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Usage</emphasis></para>

      <para>LAM Pro will now display the Kopano address list tab.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoAddresslist4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para/>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoAddresslist5.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Dynamic groups</title>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>To enable Kopano support for dynamic groups please activate the
      Kopano dynamic group account type in your server profile (tab account
      types):</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoDynamicgroup1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Adjust the suffix and list attributes to your needs.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoDynamicgroup2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Then select the Kopano dynamic group module (tab Modules).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoDynamicgroup3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Usage</emphasis></para>

      <para>LAM Pro will now display the Kopano address list tab.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoDynamicgroup4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para/>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoDynamicgroup5.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Servers</title>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>To enable Kopano support for servers please activate the Kopano
      server module for the hosts account type in your server profile (tab
      account types):</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoServer1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Adjust the suffix and list attributes to your needs.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoServer2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Then select the Kopano server module (tab Modules).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoServer3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Next configure the module to your needs (tab Module
      settings).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoServer4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Usage</emphasis></para>

      <para>LAM Pro will now display the Kopano tab on your hosts. The Kopano
      extension can be added and removed at any time for every server.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_kopanoServer5.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>
  </section>

  <section id="s_zarafa">
    <title>Zarafa (LAM Pro)</title>

    <para>Zarafa is an OpenSource collaboration software. LAM Pro provides
    support to manage Zarafa server entries, users and groups. It covers all
    settings for these types including resource and quota settings.</para>

    <para>LAM Pro is an official Zarafa Certified Integration.</para>

    <para><inlinemediaobject>
        <imageobject>
          <imagedata fileref="images/zarafa_logo_integrations_certified_140px.png"/>
        </imageobject>
      </inlinemediaobject></para>

    <section>
      <title>Configuration</title>

      <para>To enable Zarafa support in LAM Pro please activate the Zarafa
      modules for the Users, Groups and Hosts account types in your server
      profile:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/zarafa1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Attention:</emphasis> LAM Pro uses the
      Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP,
      OpenDJ, Apache Directory server and other common LDAP servers. If you
      run Samba 4 or Active Directory then you need to switch the schema to
      "Active Directory" on the module settings tab:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/zarafa9.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can configure which parts of the Zarafa user options should be
      enabled. E.g. if you do not want to manage quotas per user then you can
      hide these options on the tab "Module settings".</para>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">"Send as" attribute:</emphasis> Here you can
      specify how "Send as" privileges should be managed. LAM supports "uid"
      and "dn".</para>

      <para>If you select "uid" then LAM will store user names in the
      zarafaSendAsPrivilege attribute. This restricts you to specifying user
      accounts as "Send as" allowed.</para>

      <para>You can also set this option to "dn" and LAM will store DNs in the
      zarafaSendAsPrivilege attribute. In this case you may specify users and
      groups as "Send as" allowed.</para>

      <literallayout>
</literallayout>

      <para>Examples for your Zarafa ldap.cfg:</para>

      <para>"Send as" attribute: <emphasis role="bold">dn</emphasis></para>

      <para><code>ldap_user_sendas_attribute_type = dn</code></para>

      <literallayout>
</literallayout>

      <para>"Send as" attribute: <emphasis role="bold">uid</emphasis></para>

      <para><code>ldap_user_sendas_attribute_type = text</code></para>

      <para><code>ldap_user_sendas_relation_attribute = uid</code></para>

      <para>Attention: If the Active Directory schema is used then LAM will
      always use dn and ignore this setting.</para>

      <para><emphasis role="bold">Features:</emphasis> Zarafa 7 allows you to
      enable IMAP/POP3 for each user. Please hide the option "Features" if you
      use Zarafa 6.x.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/zarafa2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <section>
        <title>Users</title>

        <para>This is an example of the user edit page with all possible
        settings. This includes email settings, quotas and some options (e.g.
        hide from address book). You can also set the resource type and
        capacity for meeting rooms and equipment. The Zarafa extension can be
        added and removed at any time for every user.</para>

        <para>Please note that the option "Features" requires Zarafa 7. Please
        hide this option in the LAM server profile if you run Zarafa
        6.x.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/zarafa3.png"/>
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Contacts</title>

        <para>LAM Pro can manage your Zarafa contact entries. You can set the
        email aliases and "send as" privileges. Additionally, accounts may be
        hidden in the address book or disabled.</para>

        <para>Please note that you can either use the Zarafa user module or
        Zarafa contact. LAM Pro will disable the other tab when enabling one
        of them.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/zarafa8.png"/>
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Groups</title>

        <para>This is the edit page for groups. You can enter an email address
        and additional aliases for your groups. It is also possible to specify
        options (e.g. hide from address book). The extension can be
        added/removed dynamically.</para>

        <para>Please note that the option "Send-as privileges" requires the
        Zarafa 7.0.3 schema. Please hide this option in the LAM server profile
        if you run Zarafa &lt; 7.0.3.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/zarafa4.png"/>
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Servers</title>

        <para>The Zarafa extension for host accounts allows you to set the
        connection ports and file path. You can add/remove the extension at
        any time.</para>

        <para>Setting the public store option is only possible for new host
        entries.</para>

        <para>Please note that the proxy URL option requires the Zarafa 7.1
        schema. Please hide this option in your LAM server profile if you use
        an older version.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/zarafa5.png"/>
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Address lists</title>

        <para>Zarafa allows you to store address lists in LDAP. You need to
        define a search base and LDAP filter for each address list. E.g.
        entering "ou=people,dc=company,dc=com" as base and "uid=*" as filter
        will select all users that are stored in
        "ou=people,dc=company,dc=com".</para>

        <para>You can also hide your lists from the address book or
        temporarily disable them.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/zarafa6.png"/>
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Dynamic groups</title>

        <para>Zarafa allows you to define dynamic groups in LDAP. You need to
        define a search base and LDAP filter for each group. E.g. entering
        "ou=people,dc=company,dc=com" as base and "uid=*" as filter will
        select all users that are stored in
        "ou=people,dc=company,dc=com".</para>

        <para>Dynamic groups may have an email address and multiple email
        alias addresses.</para>

        <para>You can also hide your dynamic groups from the address book or
        temporarily disable them.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/zarafa7.png"/>
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>
    </section>
  </section>

  <section>
    <title>Kolab shared folders</title>

    <para>Please add the account type "Kolab shared folders" in your LAM
    server profile and set the correct LDAP suffix.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_kolab6.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <literallayout>
</literallayout>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_kolab7.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Then add the "Kolab shared folder" module on tab "Modules".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_kolab8.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Now you can start to add shared folders inside LAM.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_kolab9.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section>
    <title>DHCP</title>

    <para>You can manage your DHCP server with LAM. It supports managing
    subnets, fixed IP entries, IP ranges and DDNS.</para>

    <para><emphasis role="bold">Configuration</emphasis></para>

    <para>The DHCP management can be activated by adding the account type DHCP
    to your server profile. Please also add the DHCP modules.</para>

    <para>LAM requires that you use an LDAP entry with the object class
    "dhcpService" or "dhcpServer" as suffix for this account type. If the
    "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN"
    then you need to use the DN of the "dhcpService" entry as LDAP suffix for
    DHCP.</para>

    <literallayout>
</literallayout>

    <para>Add account type:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/dhcpConf1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Set suffix:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/dhcpConf2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Add modules:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/dhcpConf3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Example server entry:</emphasis></para>

    <para><code>dn:
    cn=server,ou=dhcp,dc=ldap-account-manager,dc=org</code></para>

    <para><code>objectclass: dhcpServer</code></para>

    <para><code>objectclass: dhcpOptions</code></para>

    <para><code>objectclass: top</code></para>

    <para><code>cn: server</code></para>

    <para><code>dhcpcomments: My DHCP server</code></para>

    <para><code>dhcpoption: domain-name
    "ldap-account-manager.org"</code></para>

    <para><code>dhcpoption: domain-name-servers 192.168.1.1</code></para>

    <para><code>dhcpoption: routers 192.168.1.1</code></para>

    <para><code>dhcpoption: netbios-name-servers 192.168.1.1</code></para>

    <para><code>dhcpoption: subnet-mask 255.255.255.0</code></para>

    <para><code>dhcpoption: netbios-node-type 8</code></para>

    <para><code>dhcpstatements: default-lease-time 3600</code></para>

    <para><code>dhcpstatements: max-lease-time 7200</code></para>

    <para><code>dhcpstatements: include "mykey"</code></para>

    <para><code>dhcpstatements: ddns-update-style interim</code></para>

    <para><code>dhcpstatements: update-static-leases true</code></para>

    <para><code>dhcpstatements: ignore client-updates</code></para>

    <literallayout>
</literallayout>

    <para><emphasis role="bold">Example settings for
    dhcpd.conf:</emphasis></para>

    <para><code>ddns-update-style none;</code></para>

    <para><code>deny unknown-clients;</code></para>

    <para><code>ldap-server "server";</code></para>

    <para><code>ldap-dhcp-server-cn "server";</code></para>

    <para><code>ldap-port 389;</code></para>

    <para><code>ldap-username
    "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org";</code></para>

    <para><code>ldap-password "{SSHA}XXXXXXXXXXXX";</code></para>

    <para><code>ldap-base-dn
    "ou=dhcp,dc=ldap-account-manager,dc=org";</code></para>

    <para><code>ldap-method dynamic;</code></para>

    <para><code>ldap-debug-file
    "/var/log/dhcp-ldap-startup.log";</code></para>

    <literallayout>
</literallayout>

    <para><emphasis role="bold">slapd.conf changes:</emphasis></para>

    <para><code>include /etc/ldap/schema/dhcp.schema</code></para>

    <para><code>index dhcpHWAddress eq</code></para>

    <para><code>index dhcpClassData eq</code></para>

    <para>Run slapindex to rebuild the index.</para>

    <para>You can manage the settings of your DHCP service/server
    entry:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/dhcpMainSettings.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>You can easily create new subnet entries.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/dhcpSettings.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>It is also possible to specify a list of fixed IPs.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/fixedIP.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>IP ranges may be specified.</para>

    <para>If you use failover pools for your IP ranges please use the pool
    options at the bottom. Here you can add DHCP pools (object class
    "dhcpPool") and specify the failover peer.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/ranges.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>If you activated DDNS in the server entry then you may also specify
    the DDNS settings for this subnet.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/ddns.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section>
    <title>Bind DLZ (LAM Pro)</title>

    <para><ulink url="http://bind-dlz.sourceforge.net">Bind DLZ</ulink> is an
    extension to the DNS server <ulink
    url="http://www.isc.org/software/bind">Bind</ulink> that allows you to
    store DNS entries inside LDAP. Please install the Bind DLZ schema file on
    your LDAP server. It is part of the Bind download. You can also get it
    from Bind's <ulink
    url="https://gitlab.isc.org/isc-projects/bind9/blob/master/contrib/dlz/modules/ldap/testing/dlz.schema">git
    repository</ulink>.</para>

    <section>
      <title>Configuration</title>

      <para>First, you need to add the Bind DNS account type and the Bind DLZ
      module:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Please set the LDAP suffix either to an existing DNS zone
      (dlzZone) or an organizational unit that should include your DNS
      zones.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <para>For regular entry management use the "DNS entry (bindDLZ)(*)"
      module.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">XFR</emphasis></para>

      <para>If you want to edit XFR entries please add a second account type
      for XFR. Recommended list attributes are
      "#dlzipaddr;#dlzrecordid".</para>

      <screenshot>
        <graphic fileref="images/mod_bind13.png"/>
      </screenshot>

      <para>Now use the "XFR (bindDLZXfr)(*)" module for this account
      type.</para>

      <screenshot>
        <graphic fileref="images/mod_bind14.png"/>
      </screenshot>

      <para><emphasis role="bold">Automatic PTR management</emphasis></para>

      <para>LAM can automatically create/delete PTR entries for the entered
      IPv4/6 records. You can enable this feature on the module settings
      tab.</para>

      <para>PTR records will get the same TTL as IP records. Please note that
      you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa")
      under the same suffix as your other DNS entries.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind12.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Zone management</emphasis></para>

      <para>If you do not yet have a DNS zone then LAM can create one for you.
      In list view switch the suffix to an organizational unit DN. Now you
      will see a button "New zone".</para>

      <para>This will create the zone container entry and a default DNS entry
      "@" for authoritative information. Now switch the suffix to your new
      zone and start adding DNS entries.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>DNS entries</title>

      <para>LAM supports the following DNS record types:</para>

      <itemizedlist>
        <listitem>
          <para>SOA: authoritative information</para>
        </listitem>

        <listitem>
          <para>NS: name servers</para>
        </listitem>

        <listitem>
          <para>A/AAAA: IP addresses</para>
        </listitem>

        <listitem>
          <para>PTR: reverse DNS entries</para>
        </listitem>

        <listitem>
          <para>CNAME: alias names</para>
        </listitem>

        <listitem>
          <para>MX: mail servers</para>
        </listitem>

        <listitem>
          <para>TXT: text records</para>
        </listitem>

        <listitem>
          <para>SRV: service entries</para>
        </listitem>
      </itemizedlist>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Authoritative (SOA) and name server (NS)
      records</emphasis></para>

      <para>Here you can manage general information about the zone like
      timeouts and name servers. Please note that name servers must be
      inserted in a special format (dot at the end).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind5.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">IP addresses (A/AAAA)</emphasis></para>

      <para>LAM will automatically set the correct type (A/AAAA) depending on
      whether you enter an IPv4 or IPv6 address.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind6.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Reverse DNS entries</emphasis></para>

      <para>Reverse DNS entries are important when you need to find the DNS
      name that is associated with a given IP address. Reverse DNS entries are
      stored in a separate DNS zone.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind7.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Alias names (CNAME)</emphasis></para>

      <para>Sometimes a DNS entry should simply point to a different DNS entry
      (e.g. for migrations). This can be done by adding an alias name.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind8.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Mail servers (MX)</emphasis></para>

      <para>The mail server entries define where mails to a domain should be
      delivered. The server with the lowest preference has the highest
      priority.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind9.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Text records (TXT)</emphasis></para>

      <para>Text records can be added to store a description or other data
      (e.g. SPF information).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind10.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Services (SRV)</emphasis></para>

      <para>Service records can be used to specify which servers provide
      common services such as LDAP. Please note that the host name must be
      _SERVICE._PROTOCOL (e.g. _ldap._tcp).</para>

      <literallayout>
</literallayout>

      <para>Priority: The priority of the target host, lower value means more
      preferred.</para>

      <para>Weight: A relative weight for records with the same priority. E.g.
      weights 20 and 80 for a service will result in 20% of the queries going
      to one server and 80% to the other.</para>

      <para>Port: The port number that is used for your service.</para>

      <para>Server: DNS name where service can be reached (with dot at the
      end).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_bind11.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>
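
      <para>The rules described in this section (A/AAAA chosen by address
      family, a matching reverse zone for automatic PTR entries, the dot at
      the end of server names, _SERVICE._PROTOCOL host names for SRV and the
      MX preference order) can be checked before records are entered. The
      following Python sketch is an added example and not part of LAM; the
      record tuples, the SRV data layout, the zone list and all function names
      are constructed for illustration.</para>

      <programlisting><![CDATA[
```python
import ipaddress
import re

# Constructed sample data: zones that exist under the configured LDAP suffix.
ZONES = ["example.com", "123.123.123.in-addr.arpa"]

# Constructed sample records as (host name, type, data). "IP" stands for an
# address record whose concrete type (A or AAAA) is derived from the address.
# SRV data is assumed to be "priority weight port server".
RECORDS = [
    ("@", "NS", "ns1.example.com."),
    ("@", "NS", "ns2.example.com"),                    # dot at the end missing
    ("foo", "IP", "123.123.123.100"),
    ("bar", "IP", "2001:db8::101"),                    # no ip6.arpa zone exists
    ("_ldap._tcp", "SRV", "0 20 389 ldap1.example.com."),
    ("ldap", "SRV", "0 80 389 ldap2.example.com."),    # not _SERVICE._PROTOCOL
    ("@", "MX", "20 mail2.example.com."),
    ("@", "MX", "10 mail1.example.com."),
]

SRV_HOST = re.compile(r"_[A-Za-z0-9-]+\._[A-Za-z0-9-]+")


def ip_record_type(address):
    """Return "A" for IPv4 and "AAAA" for IPv6 (ValueError if neither)."""
    return "A" if ipaddress.ip_address(address).version == 4 else "AAAA"


def ptr_name(address):
    """Reverse DNS name of an address, e.g. 100.123.123.123.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def reverse_zone_for(address, zones):
    """Most specific existing zone that can hold the PTR entry, or None."""
    name = ptr_name(address)
    matches = [z for z in zones if name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def check_records(records, zones):
    """Return (host, type, message) for every record that breaks a rule."""
    findings = []
    for host, rtype, data in records:
        if rtype == "IP":
            try:
                rtype = ip_record_type(data)
            except ValueError:
                findings.append((host, rtype, "not an IPv4 or IPv6 address"))
                continue
            if reverse_zone_for(data, zones) is None:
                findings.append(
                    (host, rtype, "no reverse zone for PTR " + ptr_name(data)))
        elif rtype == "NS" and not data.endswith("."):
            findings.append((host, rtype, "name server needs a dot at the end"))
        elif rtype == "SRV":
            if not SRV_HOST.fullmatch(host):
                findings.append(
                    (host, rtype, "host name must be _SERVICE._PROTOCOL"))
            fields = data.split()
            if len(fields) != 4 or not fields[3].endswith("."):
                findings.append((host, rtype, "server needs a dot at the end"))
    return findings


def mx_delivery_order(records):
    """Mail servers in the order they are tried: lowest preference first."""
    mx = [data.split() for _, rtype, data in records if rtype == "MX"]
    return [server for _, server in sorted(mx, key=lambda f: int(f[0]))]


if __name__ == "__main__":
    for finding in check_records(RECORDS, ZONES):
        print(*finding, sep=": ")
    print("MX order:", ", ".join(mx_delivery_order(RECORDS)))
```
]]></programlisting>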

      <para><emphasis role="bold">File upload</emphasis></para>

      <para>You can upload complete DNS zones via LAM's file upload. Here is
      an example for a zone file and the corresponding CSV file.</para>

      <table>
        <title>Zone file</title>

        <tgroup cols="4">
          <tbody>
            <row>
              <entry>@</entry>

              <entry>IN</entry>

              <entry>SOA</entry>

              <entry>ns1.example.com admin.ns1.example.com (1 360000 3600
              3600000 370000)</entry>
            </row>

            <row>
              <entry/>

              <entry>IN</entry>

              <entry>NS</entry>

              <entry>ns1.example.com.</entry>
            </row>

            <row>
              <entry/>

              <entry>IN</entry>

              <entry>NS</entry>

              <entry>ns2.example.com.</entry>
            </row>

            <row>
              <entry/>

              <entry>IN</entry>

              <entry>MX</entry>

              <entry>10 mail1.example.com</entry>
            </row>

            <row>
              <entry/>

              <entry>IN</entry>

              <entry>MX</entry>

              <entry>20 mail2.example.com</entry>
            </row>

            <row>
              <entry>foo</entry>

              <entry>IN</entry>

              <entry>A</entry>

              <entry>123.123.123.100</entry>
            </row>

            <row>
              <entry>foo2</entry>

              <entry>IN</entry>

              <entry>CNAME</entry>

              <entry>foo.example.com</entry>
            </row>

            <row>
              <entry>bar</entry>

              <entry>IN</entry>

              <entry>A</entry>

              <entry>123.123.123.101</entry>
            </row>

            <row>
              <entry/>

              <entry>IN</entry>

              <entry>AAAA</entry>

              <entry>1:2:3:4:5</entry>
            </row>
          </tbody>
        </tgroup>
      </table>

      <para>Please check that you have an existing zone entry that can be used
      for the file upload. See above to create a new zone.</para>

      <para>Hint: If you use the function above to create a new zone then
      please skip the "@" entry in the CSV file below. LAM creates this entry
      with sample data.</para>

      <para>In this example we assume that the following zone entry
      exists:</para>

      <literallayout>dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com
dlzzonename: example.com
objectclass: dlzZone
objectclass: top

</literallayout>

      <para>Here is the corresponding CSV file: <ulink
      url="resources/bindUpload.csv">bindUpload.csv</ulink></para>
    </section>

    <section>
      <title>XFR entries</title>

      <para>You can manage the XFR entries in the second tab that you
      configured before.</para>

      <screenshot>
        <graphic fileref="images/mod_bind16.png"/>
      </screenshot>

      <para>For each XFR entry you can set a record ID and the IP
      address.</para>

      <screenshot>
        <graphic fileref="images/mod_bind15.png"/>
      </screenshot>
    </section>
  </section>

  <section>
    <title>Aliases (LAM Pro)</title>

    <para>Some applications use the object class "alias" to link LDAP entries
    to other parts of the LDAP tree. Activate the account type "Aliases" in
    your LAM server profile to use this account type.</para>

    <para>Currently, only user accounts can be aliased with the "uidObject"
    object class.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/alias.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/alias2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section>
    <title>Mail aliases</title>

    <para>You can manage mail aliases (e.g. for NIS) inside LAM. This can be
    used to replace local /etc/aliases files with LDAP.</para>

    <para>To activate this type please add "Mail aliases" in your LAM server
    profile:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/nisMailAlias1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <section id="mailAliases">
      <title>NIS mail aliases</title>

      <para>Note: Use the <link linkend="mailAliasesUser">mail alias user
      module</link> to manage mail aliases on user pages.</para>

      <para>All accounts of this type are based on the "nisMailAlias" object
      class and may have "cn" and "rfc822MailMember" attributes.</para>

      <para>You need to select the Mail aliases module on the next tab.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisMailAlias3.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The mail aliases will then appear as a separate tab inside LAM.
      You may then manage the aliases with their names and recipient
      addresses.</para>

      <para>There are mail/user icons that allow you to select a mail
      address/user name from the existing users.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisMailAlias2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Courier mail aliases</title>

      <para>Mail aliases for Courier SMTP can be used when activating NIS mail
      aliases and Courier modules:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_courierAlias1.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You will then get the Courier tab for your mail aliases.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_courierAlias2.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>
  </section>

  <section>
    <title>NIS net groups</title>

    <para>LAM supports defining NIS netgroups. You can use them e.g. to
    restrict SSH access to your machines.</para>

    <para>Add the NIS net group account type and its module to your server
    profile. Then you can manage net groups in LAM. Net groups may contain
    other net groups as child groups. You can either insert the host/user
    names manually or press the search buttons next to the input fields to
    find existing entries in your directory.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/nisNetgroup.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section>
    <title>NIS objects (LAM Pro)</title>

    <para>You can manage NIS objects with LAM Pro. This allows you to define
    network mount points in LDAP.</para>

    <para>Add the NIS objects type to your LAM configuration and then the NIS
    objects module. This will add the NIS objects tab to LAM.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/nisObject.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section>
    <title>Automount objects (LAM Pro)</title>

    <para>LAM Pro allows you to manage automount entries. Please activate the
    account type "Automount objects" in your LAM Pro server profile.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/automount1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Then add the correct automount module. Usually, this is "Automount
    entry (automount)". If you use Suse Linux with RFC2307bis schema please
    select "Automount entry (rfc2307bisAutomount)".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/automount3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>This will add a new tab to LAM Pro's main screen which includes a
    list of all automount entries. Here you can easily create new
    entries.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/automount2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Please see the following external HowTos for more information on
    automounting and LDAP:</para>

    <itemizedlist>
      <listitem>
        <para><ulink
        url="https://help.ubuntu.com/community/AutofsLDAP">AutofsLDAP</ulink></para>
      </listitem>

      <listitem>
        <para><ulink type=""
        url="http://www.pro-linux.de/artikel/2/760/automount-ueber-ldap.html">Automount
        über LDAP (German)</ulink></para>
      </listitem>
    </itemizedlist>
  </section>

  <section>
    <title>Oracle databases (LAM Pro)</title>

    <para>Oracle allows connection data that is otherwise kept in
    tnsnames.ora to be stored in an LDAP directory.</para>

    <para><emphasis role="bold">Initial setup</emphasis></para>

    <para>LDAP server setup:</para>

    <para>You will need to install the correct Oracle LDAP schema files on
    your LDAP server. If you run no Oracle LDAP server then you can get them
    (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from
    <ulink
    url="http://www.idevelopment.info/data/Oracle/DBA_tips/LDAP/LDAP_8.shtml">here</ulink>.</para>

    <para>Next you need to create the root entry for Oracle. It should look
    like this:</para>

    <programlisting>dn: cn=OracleContext,dc=example,dc=com
objectclass: orclContext
cn: OracleContext</programlisting>

    <para>You can create it with LAM's tree view. Please note that "cn" must
    be set to "OracleContext".</para>

    <literallayout>
</literallayout>

    <para>LAM setup:</para>

    <para>Edit your LAM server profile and add the Oracle account type:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_oracle1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>In case you manage a single Oracle context just enter the
    cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle
    context entries then set the LDAP suffix to a parent entry of them.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_oracle2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Next, add the Oracle module:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_oracle3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Now you can login to LAM and start to add database
    entries.<literallayout>
</literallayout></para>

    <para><emphasis role="bold">Managing database entries</emphasis></para>

    <para>Each database has a service name, the connection string and an
    optional description.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_oracle4.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Database client setup for
    LDAP</emphasis></para>

    <para>You need to activate the LDAP adapter to make the database tools
    read LDAP. Edit network/admin/sqlnet.ora like this:</para>

    <programlisting>NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)</programlisting>

    <para>Then add a file called ldap.ora next to your sqlnet.ora and set the
    LDAP server and DN suffix where cn=OracleContext is stored:</para>

    <programlisting>DIRECTORY_SERVERS= (ldap.example.com:389:636)
DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de"
DIRECTORY_SERVER_TYPE = OID</programlisting>

    <para>This will allow e.g. tnsping to get the connection data from
    LDAP:</para>

    <programlisting>[oracle@oracle bin]$ tnsping mydb

TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54

Copyright (c) 1997, 2013, Oracle.  All rights reserved.

Used parameter files:
/home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

Used <emphasis role="bold">LDAP</emphasis> adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))
OK (10 msec)</programlisting>
  </section>

  <section id="a_ppolicy">
    <title>Password policies (LAM Pro)</title>

    <para>OpenLDAP supports the <ulink
    url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay to
    manage password policies for LDAP entries. This allows you to set password
    policies which are independent from your applications. The policies are
    managed internally by the LDAP server.</para>

    <para>You can manage these policies with LAM Pro with the account type
    "Password policies".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/ppolicy.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>You will need to add the ppolicy schema to your OpenLDAP
    configuration and activate the <ulink
    url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay
    module in slapd.conf to use this feature.</para>
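
    <para>A minimal slapd.conf fragment for the two steps above, as an added
    example that is not taken from the LAM or OpenLDAP distribution. The
    schema path, the module file name and the policy DN are assumptions for a
    typical OpenLDAP installation that still ships a separate ppolicy schema
    file; adapt them to your system.</para>

    <programlisting><![CDATA[
```conf
# Global section: load the schema (assumed path, depends on your distribution).
include         /etc/ldap/schema/ppolicy.schema

# Load the overlay if it was built as a module (assumed module file name).
moduleload      ppolicy.la

# Inside the database section that holds your accounts, after the
# "database" and "suffix" lines:
overlay         ppolicy

# Policy entry used for accounts that have no pwdPolicySubentry attribute.
# Placeholder DN: point it to a policy entry created with LAM Pro.
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# Hash cleartext passwords that arrive in add/modify requests before storing.
ppolicy_hash_cleartext
```
]]></programlisting>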
  </section>

  <section>
    <title>PyKota printers</title>

    <para>Please add the account type "Printers (PyKota printers)" on tab
    "Account types" in your server profile and set up the LDAP suffix where
    printers are stored.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_pykotaPrinter1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_pykotaPrinter2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Then add the PyKota printer module on tab "Account modules".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_pykotaPrinter3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Next you can start managing printers inside LAM. Here you can set up
    the costs for a print job. LAM will also show if the printer is a member
    of any printer groups.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_pykotaPrinter4.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>You can also set up printer groups. Just add some members to your
    new group.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_pykotaPrinter5.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section>
    <title>PyKota billing codes</title>

    <para>Please add the account type "Billing codes" on tab "Account types"
    in your server profile and set up the LDAP suffix where billing codes are
    stored.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_pykotaCode1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_pykotaCode2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Then add the PyKota billing code module on tab "Account
    modules".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_pykotaCode3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Now login to LAM and you will see the billing code tab where you can
    manage your entries. If jobs were printed with a billing code then you
    will also see the balance and page count.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_pykotaCode4.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section id="mod_customTypes">
    <title>Custom types (LAM Pro)</title>

    <para>This account type allows you to manage any type of LDAP entries.
    This is e.g. needed if you define your own structural object classes or
    LAM does not yet provide a module for a structural object class.</para>

    <para>Always use this together with <link
    linkend="mod_customFields">Custom fields</link> to specify the LDAP
    attributes.</para>

    <para><emphasis role="bold">Configuration</emphasis></para>

    <para>Add a custom account type in your server profile (you can also add
    multiple if needed).</para>

    <para><inlinemediaobject>
        <imageobject>
          <imagedata fileref="images/mod_customBaseType1.png"/>
        </imageobject>
      </inlinemediaobject></para>

    <para>Then specify the root DN where the entries should be stored. Also
    provide the attributes to show in list view and a unique label for your
    entries.</para>

    <para><inlinemediaobject>
        <imageobject>
          <imagedata fileref="images/mod_customBaseType2.png"/>
        </imageobject>
      </inlinemediaobject></para>

    <para>On tab modules add the custom type module. You will also need the
    <link linkend="mod_customFields">Custom fields</link> module to manage the
    attributes.</para>

    <para><inlinemediaobject>
        <imageobject>
          <imagedata fileref="images/mod_customBaseType3.png"/>
        </imageobject>
      </inlinemediaobject></para>

    <para>Finally, switch to tab Module settings. Here you need to specify the
    structural object class. Also configure the <link
    linkend="mod_customFields">Custom fields</link> module to manage all your
    attributes.</para>

    <para><inlinemediaobject>
        <imageobject>
          <imagedata fileref="images/mod_customBaseType4.png"/>
        </imageobject>
      </inlinemediaobject></para>

    <para><emphasis role="bold">Manage your entries</emphasis></para>

    <para>You can now log in to LAM and will see one tab for each configured
    custom type.</para>

    <para><inlinemediaobject>
        <imageobject>
          <imagedata fileref="images/mod_customBaseType5.png"/>
        </imageobject>
      </inlinemediaobject></para>
  </section>

  <section id="mod_customFields">
    <title>Custom fields (LAM Pro)</title>

    <para>This module allows you to manage LDAP attributes that are not
    covered by the other LAM modules (e.g. if you use custom LDAP schemas).
    You can fully define how your input fields look:</para>

    <itemizedlist>
      <listitem>
        <para>Label</para>
      </listitem>

      <listitem>
        <para>LDAP attribute name</para>
      </listitem>

      <listitem>
        <para>Unique name for field</para>
      </listitem>

      <listitem>
        <para>Help text</para>
      </listitem>

      <listitem>
        <para>Read-only display</para>
      </listitem>

      <listitem>
        <para>Field type: text, password, text area, checkbox, radio buttons,
        select list, file upload</para>
      </listitem>

      <listitem>
        <para>Validation via regular expression</para>
      </listitem>

      <listitem>
        <para>Error message if validation fails</para>
      </listitem>
    </itemizedlist>

    <para>Limitations:</para>

    <para>Custom fields cannot manage</para>

    <itemizedlist>
      <listitem>
        <para>structural object classes (supported by <link
        linkend="mod_customTypes">Custom types</link>)</para>
      </listitem>

      <listitem>
        <para>attributes that require validation rules across multiple
        attributes or cannot be described by a simple regular
        expression</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">Activating the custom fields
    module:</emphasis></para>

    <para>You may specify custom fields for all of your account types. Please
    enter tab "Modules" in your server profile. Now activate the "Custom
    fields (customFields)" module for all needed account types.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields14.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Setting label and icon:</emphasis></para>

    <para>You may set the label that is displayed e.g. on the tab when editing
    an account. It is also possible to specify an icon (must be a valid URL
    like "/images/icon.png" or "http://server/images/icon.png"). The icon size
    should be 32x32 pixels.</para>

    <para>LAM will display a default icon and "Custom fields" as label if you
    do not enter any values.</para>

    <para>You may also specify how LAM displays custom fields when there are
    multiple field groups. The default is accordion view where you can switch
    field groups by clicking on the title. You may also deactivate this mode.
    Then all field groups are displayed one below the other.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields25.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Defining groups:</emphasis></para>

    <para>All input fields are divided into groups. A group may contain one or
    more object classes and allows you to add/remove a certain set of input
    fields.</para>

    <para>E.g. you may define two groups - "My application A" and "My
    application B" - that manage different LDAP attributes and object classes.
    This way you will be able to control both attribute sets
    independently.</para>

    <para>To create a group please edit your server profile and switch to tab
    "Module settings". You will see the section "Custom fields" which allows
    you to add new groups. Now select your account type (e.g. Users) and
    specify an alias for your group. This alias will be printed as group
    header when you later edit an account in the admin interface.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields15.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>After you have created your new group you can set up the managed
    object classes. If you specify any object classes then you will later be
    able to add/remove a complete set of attributes including their object
    classes.</para>

    <para>Skipping the object classes field is only useful if you want to
    manage some attributes that are not yet supported by LAM but there is
    already a LAM module that manages the object class.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields16.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>The group may look like this when you edit a user.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields19.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields20.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Adding fields:</emphasis></para>

    <para>Now you can add a new field that manages an LDAP attribute. Simply
    fill the fields and press on "Add".</para>

    <para>Please note that the field name cannot be changed later. It is the
    unique ID for this field.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields17.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Examples for fields and their representation:</para>

    <para><emphasis role="bold">Text field:</emphasis></para>

    <para>Text fields allow you to specify a <link
    linkend="customFields_validation_expressions_admin">validation
    expression</link> and error message.</para>

    <para>You can also enable auto-completion. In this case LAM will search
    all accounts for the given attribute and provide auto-completion hints
    when the user edits this field. This should only be used if there is a
    limited number of different values for this attribute.</para>

    <para>In case your field is a date value you can show a calendar for easy
    editing.</para>

    <para>Example calendar formats:</para>

    <itemizedlist>
      <listitem>
        <para>dd.mm.yy: 31.12.2016</para>
      </listitem>

      <listitem>
        <para>yy-mm-dd: 2016-12-31</para>
      </listitem>

      <listitem>
        <para>d M, y: 31 Dec, 16</para>
      </listitem>

      <listitem>
        <para>d MM, y: 31 December, 2016</para>
      </listitem>
    </itemizedlist>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Presentation:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Password field:</emphasis></para>

    <para>You can also manage custom password fields. LAM Pro will display two
    fields where the user must enter the same password. You can hash the
    password if needed.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields4.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Presentation:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields5.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Text area:</emphasis></para>

    <para>This adds a multi-line field. The options are similar to text
    fields. Additionally, you can set the size with the number of columns and
    rows.</para>

    <para>Please note that the <link
    linkend="customFields_validation_expressions_admin">validation
    expression</link> should be set to multi-line. This is done by adding "m"
    at the end.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields6.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Presentation:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields7.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Checkbox:</emphasis></para>

    <para>Sometimes you may want to allow only yes/no values for your LDAP
    attributes. This can be represented by a checkbox. You can specify the
    values for checked and unchecked. The default value is set if the LDAP
    attribute has no value.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields8.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Presentation:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields9.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Radio buttons:</emphasis></para>

    <para>This displays a list of radio buttons where the user can select one
    value.</para>

    <para>You can specify a mapping of LDAP attribute values and their display
    (label) on the Self Service page. To add more mapping fields please press
    "Add more mapping fields".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields10.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Presentation:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields11.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Select list:</emphasis></para>

    <para>Select lists allow the user to select a value from a large list of
    options. The definition of the possible values and their display is
    similar to radio buttons.</para>

    <para>You can also allow multiple values.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields12.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Presentation:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields13.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields18.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">LDAP search select list</emphasis></para>

    <para>This is similar to "Select list" but the options are read from LDAP.
    You can use this to define e.g. a DN selection list. Multiple values are
    supported.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields26.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>LDAP suffix: The LDAP DN that is used as starting point to search
    for LDAP entries.</para>

    <para>LDAP filter: Only LDAP entries that match this filter will be used.
    If all entries should be used then use "(objectclass=*)".</para>

    <para>Attribute name: The values of this attribute will be used to build
    the selection list.</para>

    <para>Presentation:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields27.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Constant value</emphasis></para>

    <para>This will set the attribute to a constant value. You can also
    specify wildcards to inject other attributes' values.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields28.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Wildcards:</para>

    <itemizedlist>
      <listitem>
        <para>%attribute%: attribute value</para>
      </listitem>

      <listitem>
        <para>@attribute@: first character of attribute</para>
      </listitem>

      <listitem>
        <para>?attribute?: first character of attribute in lower case</para>
      </listitem>

      <listitem>
        <para>!attribute!: first character of attribute in upper case</para>
      </listitem>

      <listitem>
        <para>??attribute??: attribute in lower case</para>
      </listitem>

      <listitem>
        <para>!!attribute!!: attribute in upper case</para>
      </listitem>

      <listitem>
        <para>((attribute)): space if attribute is set</para>
      </listitem>

      <listitem>
        <para>§attribute|;§: attribute values separated by ";" (you can set
        other separators if you want)</para>
      </listitem>
    </itemizedlist>

    <para>Examples for attributes gn="Steve", sn="Miller" and
    memberUid=("user1", "user2") (specified value -&gt; resulting LDAP
    value):</para>

    <table border="1">
      <caption/>

      <tr>
        <th>Constant value</th>

        <th>Resulting LDAP value</th>
      </tr>

      <tr>
        <td>my constant</td>

        <td>my constant</td>
      </tr>

      <tr>
        <td>%gn%</td>

        <td>Steve</td>
      </tr>

      <tr>
        <td>%gn%((gn))%sn%</td>

        <td>Steve Miller (would be "Miller" if gn is empty)</td>
      </tr>

      <tr>
        <td>§memberUid|, §</td>

        <td>user1, user2</td>
      </tr>
    </table>

    <para/>

    <para>Presentation:</para>

    <para>The LDAP value will be shown as text.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields29.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <literallayout>
</literallayout>

    <para><emphasis role="bold">File upload:</emphasis></para>

    <para>This is used for binary data. You can restrict uploaded data to a
    given file extension and set the maximum file size.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields21.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Presentation:</para>

    <para>The uploaded data may also be downloaded via LAM.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customFields22.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <literallayout>
</literallayout>

    <para id="customFields_validation_expressions_admin"><emphasis
    role="bold">Validation expressions:</emphasis></para>

    <para>The validation expressions follow the standard of <ulink
    url="http://perldoc.perl.org/perlre.html">Perl regular
    expressions</ulink>. They start and end with a "/". The beginning of a
    line is specified by "^" and the end by "$".</para>

    <para>Examples:</para>

    <para>/^[a-z0-9]+$/ allows small letters and numbers. The value must not
    be empty ("+").</para>

    <para>/^[a-z0-9]+$/i allows small and capital letters ("i" at the end
    means ignore case) and numbers. The value must not be empty ("+").</para>

    <para>Special characters that must be escaped with "\": "\", ".", "(",
    ")"</para>

    <para>E.g. /^[a-z0-9\.]$/i</para>
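
    <para>The following is an added example, not part of LAM: it runs the
    expressions above against constructed values to show what they accept,
    including a trailing newline before "$" and the effect of "m" on
    multi-line values. Python's re module stands in for the Perl-style engine
    (anchors and the "i"/"m" flags behave the same for these cases); the
    function names and the unanchored search semantics are assumptions.</para>

    <programlisting><![CDATA[
```python
import re

# Flag letters that may follow the closing "/" (only those this section uses).
_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE}


def compile_validation(expr):
    """Turn a '/pattern/flags' validation expression into a compiled regex."""
    end = expr.rfind("/")
    if not expr.startswith("/") or end == 0:
        raise ValueError("expression must start and end with '/': %r" % expr)
    pattern, letters = expr[1:end], expr[end + 1:]
    flags = 0
    for letter in letters:
        if letter not in _FLAGS:
            raise ValueError("unsupported flag %r in %r" % (letter, expr))
        flags |= _FLAGS[letter]
    return re.compile(pattern, flags)


def is_valid(expr, value):
    """True if the expression matches somewhere in value (assumed semantics)."""
    return compile_validation(expr).search(value) is not None


# Constructed sample values: (expression, value, expected result).
CASES = [
    ("/^[a-z0-9]+$/", "steve42", True),
    ("/^[a-z0-9]+$/", "", False),         # "+" requires at least one character
    ("/^[a-z0-9]+$/", "Steve", False),    # no "i": capital letters are rejected
    ("/^[a-z0-9]+$/i", "Steve", True),
    (r"/^[a-z0-9\.]$/i", "a", True),
    (r"/^[a-z0-9\.]$/i", "a.b", False),   # no quantifier: exactly one character
    (r"/^[a-z0-9\.]+$/i", "a.b", True),
    # "$" also matches just before a single trailing newline.
    ("/^[a-z0-9]+$/", "steve\n", True),
    # With "m", "^" and "$" match at every line: one valid line is enough.
    ("/^[a-z0-9 ]+$/m", "line one\n<b>two</b>", True),
    ("/^[a-z0-9 ]+$/", "line one\n<b>two</b>", False),
    # Checking every line of a text area: allow line breaks in the class
    # and leave out "m", so the anchors span the whole value.
    (r"/^[a-z0-9 \r\n]+$/", "line one\nline two", True),
    (r"/^[a-z0-9 \r\n]+$/", "line one\n<b>two</b>", False),
]


def failures():
    """Return the constructed cases whose outcome differs from the expectation."""
    return [(e, v) for e, v, want in CASES if is_valid(e, v) != want]


if __name__ == "__main__":
    for expr, value, _ in CASES:
        print("%-24s %-28r %s" % (expr, value, is_valid(expr, value)))
```
]]></programlisting>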
  </section>

  <section>
    <title>Custom scripts (LAM Pro)</title>

    <para>LAM Pro allows you to execute scripts whenever an account is
    created, modified or deleted. This can be useful to automate processes
    which needed manual work afterwards (e.g. sending your user a welcome mail
    or registering a mailbox). Additionally, you can specify manual scripts
    that can be executed from within LAM Pro.</para>

    <para>To activate this feature please add the "Custom scripts" module to
    all needed account types on the configuration pages.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customScripts3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>In "Module settings" you can specify multiple scripts for each
    action type (e.g. modify) and account type (e.g. user). The scripts need
    to be located on the filesystem of your webserver and will be executed in
    its user environment. E.g. if your webserver runs as user www-data with
    the group www-data then the custom scripts will be run under this user
    with its rights. The output of the scripts will be shown in LAM.</para>

    <para>You can specify the scripts on the LAM configuration pages.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customScripts.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Syntax:</emphasis></para>

    <para>Please enter one script per line. Each line has the following
    format: &lt;account type&gt; &lt;action&gt; &lt;script&gt;</para>

    <para>E.g.: user preModify /usr/bin/myCustomScript -u $uid$</para>

    <para><emphasis role="bold">Account types:</emphasis></para>

    <para>You can set up scripts for all available account types (e.g. user,
    group, host, ...). Please see the help on the configuration page about
    your current active account types.</para>

    <para><emphasis role="bold">Actions:</emphasis></para>

    <table>
      <title>Action types</title>

      <tgroup cols="2">
        <tbody>
          <row>
            <entry><emphasis role="bold">Action name</emphasis></entry>

            <entry><emphasis role="bold">Description</emphasis></entry>
          </row>

          <row>
            <entry>preCreate</entry>

            <entry>Executed before creating a new account (cancels operation
            if a script returns an exit code &gt; 0, not available for file
            upload)</entry>
          </row>

          <row>
            <entry>postCreate</entry>

            <entry>Executed after creating a new account (does <emphasis
            role="bold">not</emphasis> run if preCreate or LDAP operations
            fail)</entry>
          </row>

          <row>
            <entry>preModify</entry>

            <entry>Executed before an account is modified (cancels operation
            if a script returns an exit code &gt; 0)</entry>
          </row>

          <row>
            <entry>postModify</entry>

            <entry>Executed after an account was modified (does <emphasis
            role="bold">not</emphasis> run if preModify or LDAP operations
            fail)</entry>
          </row>

          <row>
            <entry>preDelete</entry>

            <entry>Executed before an account is deleted (cancels operation
            if a script returns an exit code &gt; 0)</entry>
          </row>

          <row>
            <entry>postDelete</entry>

            <entry>Executed after an account was deleted (does <emphasis
            role="bold">not</emphasis> run if preDelete or LDAP operations
            fail)</entry>
          </row>

          <row>
            <entry>manual</entry>

            <entry>Can be run manually on account page. If you add
            LAMLABEL="text" before the command then LAM will use the text as
            label for the button in account edit screen.</entry>
          </row>
        </tbody>
      </tgroup>
    </table>

    <para><emphasis role="bold">Script:</emphasis></para>

    <para>You can execute any script which is located on the filesystem of
    your webserver. The path may be absolute or relative to the PATH variable
    of the environment of your webserver process. It is also possible to add
    command line arguments to your scripts. Additionally, LAM will resolve
    wildcards to LDAP attributes. If your script includes a wildcard in the
    format $ATTRIBUTE$ then LAM will replace it with the attribute value of
    the current LDAP entry. The values of multi-value attributes are separated
    by commas. E.g. if you create an account with the attribute "uid" and
    value "steve" then LAM will resolve "$uid$" to "steve".</para>

    <para>Please note that manual scripts can only use the current LDAP
    attribute values of the account. Any modifications done that are not saved
    will not be available. Manual scripts are also not available for new
    accounts that are not yet saved to LDAP.</para>

    <para>You can switch LAM's logging to debug mode if you are unsure which
    attributes with which values are available.</para>

    <para>The following special wildcards are available for automatic
    scripts:</para>

    <itemizedlist>
      <listitem>
        <para><emphasis role="bold">$INFO.userPasswordClearText$:</emphasis>
        cleartext password when Unix/Windows password is changed (e.g. useful
        for external password synchronisation) for new/modified
        accounts</para>
      </listitem>

      <listitem>
        <para><emphasis
        role="bold">$INFO.userPasswordStatusChange$:</emphasis> provides
        additional information if the Personal/Unix password locking status
        was changed, possible values: locked, unlocked, unchanged</para>
      </listitem>

      <listitem>
        <para><emphasis
        role="bold">$INFO.passwordSelfResetAnswerClearText$</emphasis>:
        cleartext answer to security question</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">$INFO.389lockingStatusChange$:</emphasis>
        for 389ds account locking, provides information if account was
        unlocked. Possible values: unchanged, unlocked</para>
      </listitem>

      <listitem>
        <para><emphasis
        role="bold">$INFO.389deactivationStatusChange$:</emphasis> for 389ds
        account locking, provides information if account was deactivated.
        Possible values: unchanged, activated, deactivated</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">$NEW.&lt;attribute&gt;$:</emphasis> the
        value of a new attribute (e.g. $NEW.telephoneNumber$) for modified
        accounts</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">$DEL.&lt;attribute&gt;$:</emphasis> the
        value of a deleted attribute (e.g. $DEL.telephoneNumber$) for modified
        accounts</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">$MOD.&lt;attribute&gt;$:</emphasis> the
        new value of a modified attribute (e.g. $MOD.telephoneNumber$) for
        modified accounts</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">$ORIG.&lt;attribute&gt;$:</emphasis> the
        original value of an attribute (e.g. $ORIG.telephoneNumber$) for
        modified accounts</para>
      </listitem>
    </itemizedlist>
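
    <para>The syntax, exit code and wildcard rules above, combined in an added
    example that is not part of LAM: a hypothetical preModify hook written in
    Python. The script path, the -m option, the use of the mail attribute and
    the policy values are assumptions. The hook treats the resolved attribute
    values as untrusted input and cancels the modification by returning exit
    code 1.</para>

    <programlisting><![CDATA[
```python
#!/usr/bin/env python3
"""Hypothetical preModify hook for LAM Pro custom scripts.

Registered with one configuration line (path and options are made up):
    user preModify /usr/local/bin/lam_premodify.py -u $uid$ -m $mail$
LAM replaces $uid$ and $mail$ before running the command; the values of a
multi-value attribute arrive as one comma-separated string.
"""
import argparse
import re
import sys

# Policy values below are constructed for this example.
UID_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")
MAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)")
ALLOWED_MAIL_DOMAINS = {"example.org", "example.com"}


def check(uid, mail_csv):
    """Return (exit_code, message); an exit code > 0 cancels the modify."""
    # fullmatch() tests the whole argument, so a trailing newline, a space
    # or a shell metacharacter in the directory value is rejected.
    # Messages never echo the rejected value because LAM displays them.
    if not UID_RE.fullmatch(uid):
        return 1, "rejected: uid is not a valid login name"
    mails = [m.strip() for m in mail_csv.split(",") if m.strip()]
    for mail in mails:
        match = MAIL_RE.fullmatch(mail)
        if not match or match.group(1).lower() not in ALLOWED_MAIL_DOMAINS:
            return 1, "rejected: a mail address is outside the allowed domains"
    return 0, "ok: %d mail address(es) checked" % len(mails)


def main(argv):
    parser = argparse.ArgumentParser(description="LAM preModify policy check")
    parser.add_argument("-u", dest="uid", required=True)
    # nargs="?" tolerates an empty $mail$ (the option then has no value).
    parser.add_argument("-m", dest="mail", nargs="?", default="", const="")
    args = parser.parse_args(argv)  # argparse exits with code 2 on bad usage
    code, message = check(args.uid, args.mail)
    print(message)  # the script output is shown in LAM
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```
]]></programlisting>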

    <para><emphasis role="bold">Output may contain HTML:</emphasis> If your
    scripts generate HTML output then activate this option.</para>

    <para><emphasis role="bold">Hide command in messages:</emphasis> You may
    want to prevent your users from seeing the executed commands. In this
    case, activating this option will show only the command output but not
    the command itself.</para>

    <para/>

    <para>You can see a preview of the commands which will be automatically
    executed on the "Custom scripts" tab. Here you can also run the manual
    scripts.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/customScripts2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section>
    <title>Sudo roles (LAM Pro)</title>

    <para>You can manage your sudo roles in LDAP if you have installed the
    sudo-ldap package or <ulink
    url="http://www.sudo.ws/sudo/readme_ldap.html">compiled sudo with LDAP
    support</ulink>.</para>

    <para>To activate sudo management in LAM Pro edit your server profile and
    add the type "Sudo roles".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/sudoRole1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/sudoRole2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Now you can create sudo commands.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/sudoRole.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>The sudo roles in LDAP work similarly to those in /etc/sudoers. You
    can specify who may run which commands as which user. It is also possible
    to specify options like NOPASSWD.</para>
  </section>

  <section>
    <title>LDAP views based on nsview (LAM Pro)</title>

    <para>LAM Pro supports LDAP views based on the "nsview" object class.
    These views allow you to create an organizational unit that shows a
    subset of your LDAP content. The subset is determined by an LDAP
    filter.</para>

    <para><emphasis role="bold">Configuration:</emphasis></para>

    <para>To activate view management in LAM Pro edit your server profile and
    add the type "LDAP views".</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_nsview1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_nsview2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Now you are ready to create your views. Each view has a name, LDAP
    filter and an optional description.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_nsview4.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_nsview3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section>
    <title>Auto delete (LAM Pro)</title>

    <para>This module allows you to mark any new entry for auto deletion.
    The cleanup is done by the LDAP server itself. Please note that this will
    not delete any relations etc. in other entries (e.g. group
    memberships).</para>

    <para><emphasis role="bold">Requirements</emphasis></para>

    <itemizedlist>
      <listitem>
        <para>PHP 7.2 or later: the module will not be shown if you use an
        older PHP version since the required LDAP commands are not
        supported.</para>
      </listitem>

      <listitem>
        <para>LDAP server with DDS (Dynamic Directory Services) support: your
        LDAP server needs to be configured to allow auto deletion of entries.
        See e.g. <ulink
        url="http://www.openldap.org/doc/admin24/overlays.html">OpenLDAP
        configuration</ulink>.</para>
      </listitem>

      <listitem>
        <para>Your user has the right to set a deletion date. This is
        configured on your LDAP server via ACLs. E.g. OpenLDAP requires manage
        rights to attribute "entryTtl".</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">Restrictions</emphasis></para>

    <para>The maximum time for auto deletion is one year and six days. This is
    a restriction by the DDS standard itself. The deletion date can be
    extended for existing accounts but always by a maximum of one year and six
    days.</para>

    <para>You should configure the maximum TTL value on your LDAP server as
    the default is often much less than a year.</para>

    <para>A deletion date on an existing entry cannot be removed, it can only
    be extended.</para>

    <para><emphasis role="bold">Configuration</emphasis></para>

    <para>You can add the auto delete module to any account type.</para>

    <para><graphic fileref="images/mod_autoDelete1.png"/></para>

    <para><emphasis role="bold">Usage</emphasis></para>

    <para>You can set a deletion time for any new account. Please note the
    restrictions above. If you get an error about invalid TTL then you might
    have exceeded the maximum TTL.</para>

    <para>Existing accounts cannot be marked for deletion. But you may update
    the deletion date on existing accounts that are already marked for
    deletion.</para>

    <para>The profile editor can be used to set up a default deletion
    time.</para>

    <screenshot>
      <graphic fileref="images/mod_autoDelete2.png"/>
    </screenshot>

    <para/>
  </section>

  <section>
    <title>General information</title>

    <para>This module is available for all account types. It shows some
    internal information about the LDAP entries like the creation time and who
    modified the entry.</para>

    <para>If you use the "memberOf" overlay in OpenLDAP then this will also
    show group memberships done by the overlay.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mod_generalInformation.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>
  </section>

  <section>
    <title>Tree view (LDAP browser)</title>

    <para>The tree view provides a raw view of your LDAP directory. This
    feature is for people who are experienced with LDAP and need special
    functionality which the LAM account modules do not provide. E.g. if you
    want to add a special object class to an account or edit attributes
    ignoring LAM's syntax checks.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/tree1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>There are also some special functions available:</para>

    <para><emphasis role="bold">Show internal attributes:</emphasis> Shows
    internal attributes of the current entry. This includes information about
    the creator and creation time of the entry.</para>
  </section>
</chapter>