<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> 
  <chapter id="a_accessLevelPasswordReset">
    <title>Access levels and password reset page (LAM Pro)</title>

    <para>You can define different access levels for each profile to allow or
    disallow write access. The password reset page helps your deskside support
    staff to reset user passwords.</para>

    <section>
      <title id="s_accessLevel">Access levels</title>

      <para>There are three access levels:</para>

      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">Write access (default)</emphasis></para>

          <para>There are no restrictions. LAM admin users can manage account,
          create profiles and set passwords.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Change passwords</emphasis></para>

          <para>Similar to "Read only" except that the <link
          linkend="s_pwdReset">password reset page</link> is available.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Read only</emphasis></para>

          <para>No write access to the LDAP database is allowed. It is also
          impossible to manage account and PDF profiles.</para>

          <para>Accounts may be viewed but no changes can be saved.</para>
        </listitem>
      </itemizedlist>

      <para>The access level can be set on the server configuration
      page:</para>

      <para><screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/accessLevel.png" />
            </imageobject>
          </mediaobject>
        </screenshot></para>
    </section>

    <section id="s_pwdReset">
      <title>Password reset page</title>

      <para>This special page allows your deskside support staff to reset the
      Unix and Samba passwords of your users. Account may also be (un)locked
      If you set the <link linkend="s_accessLevel">access level</link> to
      "Change passwords" then LAM will not allow any changes to the LDAP
      database except password changes via this page. The account pages will
      be still available in read-only mode.</para>

      <para>You can open the password reset page by clicking on the key symbol
      on each user account:</para>

      <para><screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/passwordReset1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>There are three different options to set a new password.
      You can further restrict these options in server profile
      settings.</para>

      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">set random password and display it on
          screen</emphasis></para>

          <para>This will set the user's password to a random value. The
          password will be 11 characters long with a random combination of
          letters, digits and ".-_".</para>

          <para>You may want to use this method to tell users their new
          passwords via phone.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">set random password and mail it to
          user</emphasis></para>

          <para>If the user account has set the mail attribute then LAM can
          send your user a mail with the new password. You can change the mail
          template to fit your needs. Please configure your LAM server profile
          to setup the sender address, subject and mail body. Please see <link
          linkend="mailEOL">email format option</link> in case of broken
          mails. See <link linkend="mailSetup">here</link> for setting up your
          SMTP server.</para>

          <para>Using this method will prevent that your support staff knows
          the new password.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">set specific password</emphasis></para>

          <para>Here you can specify your own password.</para>
        </listitem>
      </itemizedlist>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/passwordReset2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>LAM will display contact information about the user like the
      user's name, email address and telephone number. This will help your
      deskside support to easily contact your users.</para>

      <para><emphasis role="bold">Options:</emphasis></para>

      <para>Depending on the account there may be additional options
      available.</para>

      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">Sync Samba NT/LM password with Unix
          password:</emphasis> If a user account has Samba passwords set then
          LAM will offer to synchronize the passwords.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Unlock Samba account:</emphasis> Locked
          Samba accounts can be unlocked with the password change.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Update Samba password
          timestamps:</emphasis> This will set the timestamps when the
          password was changed (sambaPwdLastSet). Only existing attributes are
          updated. No new attributes are added.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Sync Kerberos password with Unix
          password:</emphasis> This will also update the Heimdal Kerberos
          password.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Sync Asterisk (voicemail) password with
          Unix password:</emphasis> Changes also the Asterisk
          passwords.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Force password change:</emphasis> This
          will force the user to change his password at next login. This
          option supports Shadow, Samba 3 and PPolicy (automatically
          detected).</para>
        </listitem>
      </itemizedlist>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Account (un)locking:</emphasis></para>

      <para>Depending if the account includes a Unix/Samba extension and
      PPolicy is activated the page will show options to (un)lock the account.
      E.g. if the account is fully unlocked then there will be no unlocking
      options printed.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/passwordReset3.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>
  </chapter>