LDAP Account Manager (LAM) manages user, group and host accounts in an LDAP directory. LAM runs on any webserver with PHP5 support and connects to your LDAP server unencrypted or via SSL/TLS. Currently LAM supports these account types: Samba 3, Unix, Kolab 2, address book entries, NIS mail aliases and MAC addresses. There is a tree viewer included to allow access to the raw LDAP attributes. You can use templates for account creation and use multiple configuration profiles. LAM is translated to Catalan, Chinese (Traditional + Simplified), Czech, Dutch, English, French, German, Hungarian, Italian, Japanese, Polish, Portuguese, Russian and Spanish. http://www.ldap-account-manager.org/ Copyright (C) 2003 - 2010 Michael Duergner <michael@duergner.com> Roland Gruber <post@rolandgruber.de> Tilo Lutz <tilolutz@gmx.de> Key features: managing user/group/host/domain entries account profiles account creation via file upload multiple configuration profiles LDAP browser schema browser OU editor PDF export for all accounts manage user/group Quota and create home directories Requirements: PHP5 (>= 5.1) Openldap (2.0 or greater) A web browser that supports CSS and JavaScript The default password to edit the configuration options is "lam". License: LAM is published under the GNU General Public License. The complete list of licenses can be found in the copyright file. Default password: The default password for the LAM configuration is "lam". Have fun! The LAM development team There are basically two groups of users for LAM: LDAP administrators and support staff: These people administer LDAP entries like user accounts, groups, ... Users: This includes all people who need to manage their own data inside the LDAP directory. E.g. these people edit their contact information with LAM self service (LAM Pro only). Therefore, LAM is split into two separate parts, LAM for admins and for users. LAM for admins allows to manage various types of LDAP entries (e.g. users, groups, hosts, ...). It also contains tools like batch upload, account profiles, LDAP schema viewer and an LDAP browser. LAM for users focuses on end users. It provides a self service for the users to edit their personal data (e.g. contact information). The LAM administrator is able to specify what data may be changed by the users. The design is also adaptable to your corporate design. LAM for admins/users is accessible via HTTP(S) by all major web browsers (Firefox, IE, Opera, ...). LAM runtime environment: LAM runs on PHP. Therefore, it is independant of CPU architecture and operating system (OS). You can run LAM on any OS which supports Apache or other PHP compatible web servers. Home directory server: You can manage user home directories and their quotas inside LAM. The home directories may reside on the server where LAM is installed or any remote server. The commands for home directory management are secured by SSH. LAM will use the user name and password of the logged in LAM administrator for authentication. LDAP directory: LAM connects to your LDAP server via standard LDAP protocol. It also supports encrypted connections with SSL and TLS.

LAM has the following requirements to run: Apache webserver (SSL recommended) with PHP module (PHP 5 (>= 5.1) with ldap, gettext, xml and optional mcrypt) Some LAM plugins may require additional PHP extensions (you will get a note on the login page if something is missing) Perl (optional, needed only for lamdaemon) OpenLDAP (>2.0) A web browser :-) MCrypt will be used to store your LDAP password encrypted in the session file. See LDAP schema fles for information about used LDAP schema files.

LAM is available as prepackaged version for various platforms.

LAM is part of the official Debian repository. New releases are uploaded to unstable and will available automatically in testing and the stable releases. You can run apt-get install ldap-account-managerto install LAM on your server. Additionally, you may download the LAM Debian packages from the LAM homepage or the Debian package homepage.

There are RPM packages available on the LAM homepage. The packages can be installed with this commandrpm -i <path to LAM package>

The RPM packages for Suse/Fedora are very generic and should be installable on other RPM-based distributions, too. The Fedora packages use apache:apache as file owner and the Suse ones use wwwrun:www.

LAM is part of the official FreeBSD ports tree. For more details see these pages:FreeBSD-CVS: http://www.freebsd.org/cgi/cvsweb.cgi/ports/sysutils/ldap-account-managerFreshPorts: http://www.freshports.org/sysutils/ldap-account-manager

Please extract the archive with the following command: tar xzf ldap-account-manager-<version>.tar.gz

Copy the files into the html-file scope of the web server. For example /apache/htdocs. Then set the appropriate file permissions: lam/sess: write permission for apache user lam/tmp: write permission for apache user lam/config (with subdirectories): write permission for apache user lam/lib: lamdaemon.pl must be set executable (See also docs/readme.lamdeamon.txt)

Instead of manually copying files you can also use the included configure script to install LAM. Just run these commands in the extracted directory: ./configure make install Options for "./configure": --with-httpd-user=USER USER is the name of your Apache user account (default httpd) --with-httpd-group=GROUP GROUP is the name of your Apache group (default httpd) --with-web-root=DIRECTORY DIRECTORY is the name where LAM should be installed (default /usr/local/lam)

Copy conf/config.cfg_sample to conf/config.cfg and conf/lam.conf_sample to conf/lam.conf. Open the index.html in your web browser: Follow the link "LAM configuration" from the start page. (The default passwords to edit all options is "lam") Select "Edit general settings" to setup global settings and to change the configuration master password. Select "Edit server profiles" to setup your server profiles. There should be the lam profile which you just copied from the sample file. The default password is "lam". Now change the settings to fit for your environment.

LAM runs with PHP5 (>= 5.1). Needed changes in your php.ini: memory_limit = 64M

If you want to use a translated version of LAM be sure to install the needed locales. The following table shows the needed locales for the different languages. Language Locale Catalan ca_ES.utf8 Chinese (Simplified) zh_CN.utf8 Chinese (Traditional) zh_TW.utf8 Czech cs_CZ.utf8 Dutch nl_NL.utf8 English no extra locale needed French fr_FR.utf8 German de_DE.utf8 Hungarian hu_HU.utf8 Italian it_IT.utf8 Japanese ja_JP.utf8 Polish pl_PL.utf8 Portuguese pt_BR.utf8 Russian ru_RU.utf8 Spanish es_ES.utf8 You can get a list of all installed locales on your system by executing: locale -a Debian users can add locales with "dpkg-reconfigure locales".

First, you need to make a backup of your existing configuration files. LAM stores all configuration files in the "config" folder. Please backup the following files and copy them after the new version is installed. config/*.conf config/config.cfg config/pdf/*.xml config/profiles/*.xml LAM Pro only: config/selfService/*.* config/passwordMailTemplate.txt Second, uninstall your current LAM (Pro) installation. Third, install the new LAM (Pro) release. Skip the part about setting up LAM configuration files. Finally, restore your configuration files from the backup. Copy all files from the backup folder to the config folder in your LAM Pro installation. Do not simply replace the folder because the new LAM (Pro) release might include additional files in this folder. Overwrite any existing files with your backup files. Now open your webbrowser and point it to the LAM login page. All your settings should be migrated. Please check also the version specific instructions. They might include additional actions.

LAM Pro: There is now a separate account type for group of (unique) names. Please edit your server profiles to activate the new account type.

No changes.

If you used the prepackaged installation packages then remove the ldap-account-manager and ldap-account-manager-lamdaemon packages. Otherwise, remove the folder where you installed LAM via configure or by copying the files.

TODO

TODO

TODO

This chapter will give you instructions how to manage the different LDAP entries in your directory. Please note that not all account types are manageable with the free LAM release. LAM Pro provides some more account types and modules to support additional LDAP object classes. Additional types: Group of names Aliases NIS objects Additional modules: Group of names (groupOfNames) Group of unique names (groupOfUniqueNames) Unix (rfc2307bisPosixGroup) Alias (aliasEntry) User name (uidObject) NIS object (nisObject) Custom scripts (customScripts)

Some applications (e.g. Suse Linux) use the rfc2307bis schema for Unix accounts instead of the nis schema. In this case group accounts are based on the object class groupOf(Unique)Names. The object class is auxiliary in this case. LAM Pro supports these groups with a special account module: rfc2307bisPosixGroup Use this module only if your system depends on the rfc2307bis schema. The module can be selected in the LAM configuration.

You can manage the IP addresses of host accounts with the ipHost module. It manages the following information: IP addresses (IPv4/IPv6) location of the host manager: the person who is responsible for the host You can activate this extension by adding the module ipHost to the list of active host modules.

These classes can be used to represent group relations. Since they allow DNs as members you can also use them to represent nested groups. Activate the account type "Group of names" in your LAM server profile to use these account modules. Group of (unique) names have four basic attributes: Name: a unique name for the group Description: optional description Owner: the account which owns this group (optional) Members: the members of the group (at least one is required) You can add any accounts as members. This includes other groups which leads to nested groups.

Some applications use the object class "alias" to link LDAP entries to other parts of the LDAP tree. Activate the account type "Aliases" in your LAM server profile to use this account type. Currently, only user accounts can be aliased with the "uidObject" object class.

You can manage NIS objects with LAM Pro. This allows you define network mount points in LDAP. Add the NIS objects type to your LAM configuration and then the NIS objects module. This will add the NIS objects tab to LAM.

LAM Pro allows you to execute scripts whenever an account is created, modified or deleted. This can be useful to automate processes which needed manual work afterwards (e.g. sending your user a welcome mail or register a mailbox). To activate this feature please add the "Custom scripts" module to all needed account types on the configuration pages. You can specify multiple scripts for each action type (e.g. modify) and account type (e.g. user). The scripts need to be located on the filesystem of your webserver and will be executed in its user environment. E.g. if you webserver runs as user www-data with the group www-data then the custom scripts will be run under this user with his rights. The output of the scripts will be shown in LAM. You can specify the scripts on the LAM configuration pages. Syntax: Please enter one script per line. Each line has the following format: <account type> <action> <script> E.g.: user preModify /usr/bin/myCustomScript -u $uid$ Account types: You can setup scripts for all available account types (e.g. user, group, host, ...). Please see the help on the configuration page about your current active account types. Actions: Action name Description preCreate executed before creating a new account (cancels operation if a script returns an exit code > 0) postCreate executed after creating a new account preModify executed before the account is modified (cancels operation if a script returns an exit code > 0) postModify executed after an account was modified preDelete executed before an account was modified (cancels operation if a script returns an exit code > 0) postDelete executed after an account was modified Script: You can execute any script which is located on the filesystem of your webserver. The path may be absolute or relative to the PATH-variable of the environment of your webserver process. It is also possible to add commandline arguments to your scripts. Additionally, LAM will resolve wildcards to LDAP attributes. If your script includes an wildcard in the format $ATTRIBUTE$ then LAM will replace it with the attribute value of the current LDAP entry. The values of multi-value attributes are separated by commas. E.g. if you create an account with the attribute "uid" and value "steve" then LAM will resolve "$uid$" to "steve". You can see a preview of the commands which will be executed on the "Custom scripts" tab.

The tree view provides a raw view on your LDAP directory. This feature is for people who are experienced with LDAP and need special functionality which the LAM account modules not provide. E.g. if you want to add a special object class to an account or edit attributes ignoring LAM's syntax checks. There are also some special functions available: Export: This allows you to export entries to a file (e.g. LDIF or CSV format). Show internal attributes: Shows internal attributes of the current entry. This includes information about the creator and creation time of the entry.

You can define different access levels for each profile to allow or disallow write access. The password reset page helps your deskside support staff to reset user passwords.

There are three access levels: Write access (default) There are no restrictions. LAM admin users can manage account, create profiles and set passwords. Change passwords Similar to "Read only" except that the password reset page is available. Read only No write access to the LDAP database is allowed. It is also impossible to manage account and PDF profiles. Accounts may be viewed but no changes can be saved. The access level can be set on the server configuration page:

This special page allows your deskside support staff to reset the Unix and Samba passwords of your users. If you set the access level to "Change passwords" then LAM will not allow any changes to the LDAP database except password changes via this page. The account pages will be still available in read-only mode. You can open the password reset page by clicking on the key symbol on each user account: There are three different options to set a new password: set random password and display it on screen This will set the user's password to a random value. The password will be 11 characters long with a random combination of letters, digits and ".-_". You may want to use this method to tell users their new passwords via phone. set random password and mail it to user If the user account has set the mail attribute then LAM can send your user a mail with the new password. You can change the mail template to fit your needs. See the help link for further details. Using this method will prevent that your support staff knows the new password. set specific password Here you can specify your own password. LAM will display contact information about the user like the user's name, email address and telephone number. This will help your deskside support to easily contact your users. Options: Depending on the account there may be additional options available. Sync Samba NT/LM password with Unix password: If a user account has Samba passwords set then LAM will offer to synchronize the passwords. Unlock Samba account: Locked Samba accounts can be unlocked with the password change. Update Samba password timestamps: This will set the timestamps when the password was changed (sambaPwdLastSet), may be changed again (sambaPwdCanChange) and must be changed again (sambaPwdMustChange). Only existing attributes are updated. No new attributes are added.

By default only a few administrative users have write access to the LDAP database. Before your users may change their settings you must allow them to change their LDAP data. This can be done by adding an ACL to your slapd.conf which looks like this: access to attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,password by self write If you do not want them to change all attributes then reduce the list to fit your needs. Some modules may require additional LDAP attributes. Usually, the slapd.conf file is located in /etc/ldap or /etc/openldap.

There exist many LDAP implementations. If you do not use OpenLDAP you need to write your own ACLs. Please check the manual of your LDAP server for instructions.

A self service profile defines what input fields your users see and some other general settings like the login caption. When you go to the LAM configuration page you will see the self service link at the bottom. This will lead you to the self service configuration pages Now we need to create a new self service profile. Click on the link to manage the self service profiles. Specify a name for the new profile and enter you master configuration password (default is "lam") to save the profile. Now go back to the profile login and enter your master configuration password to edit your new profile.

On top of the page you see the link to the user login page. Copy this link address and give it to your users. Below the link you can specify several options. Server address The address of your LDAP server LDAP suffix The part of the LDAP tree where LAM should search for users LDAP user + password The DN and password which is used to search for users in the LDAP database. It is sufficient if this DN has only read rights. If you leave these fields empty LAM will try to connect anonymously. LDAP search attribute Here you can specify if your users can login with user name + password, email + password or other attributes. Login attribute label This is the description for the LDAP search attribute. Set it to something which your users are familiar with. Login caption This text is displayed at the login page. You can input HTML, too. Main page caption This text is displayed at self service main page where your users change their data. You can input HTML, too. Page header This HTML code will be placed on top of all self service pages. E.g. you can use this to place your custom logo. Any HTML code is permitted. Additional CSS links Here you can specify additional CSS links to change the layout of the self service pages. This is useful to adapt them to your corporate design. Please enter one link per line. On the bottom you can specify what input fields your users can see. It is also possible to group several input fields.

LAM Pro allows you to integrate customs CSS style definitions and design the header of all self service pages. This way you can integrate you own logo and use your company's colors.

The default LAM Pro header includes a logo and a horizontal line. You can enter any HTML code here. It will be included in the self services pages after the body tag.

Usually, companies have regulations about their corporate design and use common CSS files. This assures a common appearance of all intranet pages (e.g. colors and fonts). To include additional CSS files just use the following setting for this task. The additional CSS links will be added after LAM Pro's default CSS link. This way you can overwrite LAM Pro's style.

Here is a list of needed LDAP schema files for the different LAM modules. For OpenLDAP we also provide a source where you can get the files. Account type Object class(es) Schema name Source Notes Unix accounts posixAccount, shadowAccount, posixGroup nis.schema, rfc2307bis.schema Part of OpenLDAP installation The rfc2307bis.schema is only supported by LAM Pro. Use the nis.schema if you do not want to upgrade to LAM Pro. Address book entries inetOrgPerson inetorgperson.schema Part of OpenLDAP installation Samba 3 accounts sambaSamAccount, sambaGroupMapping, sambaDomain samba.schema Part of Samba tarball (examples/LDAP/samba.schema) Kolab 2 users kolabUser kolab2.schema, rfc2739.schema Part of Kolab 2 installation Asterisk (extension) AsteriskSIPUser, AsteriskExtension asterisk.schema Part of Asterisk installation Mail routing inetLocalMailRecipient misc.schema Part of OpenLDAP installation Mail aliases nisMailAlias misc.schema Part of OpenLDAP installation MAC addresses ieee802device nis.schema Part of OpenLDAP installation Simple Accounts account cosine.schema Part of OpenLDAP installation SSH public keys ldapPublicKey openssh-lpk.schema Included in patch from http://code.google.com/p/openssh-lpk/ Group of (unique) names groupOfNames, groupOfUniqueNames core.schema Part of OpenLDAP installation These modules are only available in LAM Pro. phpGroupWare phpGroupwareUser, phpGroupwareGroup phpgroupware.schema http://www.phpgroupware.org/ DHCP dhcpOptions, dhcpSubnet, dhcpServer dhcp.schema docs/schema/dhcp.schema The LDAP suffix should be set to your dhcpServer entry. Aliases alias, uidObject core.schema Part of OpenLDAP installation These modules are only available in LAM Pro. NIS netgroups nisNetgroup nis.schema Part of OpenLDAP installation NIS objects nisObject nis.schema Part of OpenLDAP installation This module is only available in LAM Pro.

The data which is transfered between you and LAM is very sensitive. Please always use SSL encrypted connections between LAM and your browser to protect yourself against network sniffers.

SSL will be used if you use ldaps://servername in your configuration profile. TLS can be activated with the "Activate TLS" option. You will need to setup ldap.conf to trust your server certificate. Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. Specify the server CA certificate with the following option: TLS_CACERT /etc/ldap/ca/myCA/cacert.pem This needs to be the public part of the signing certificate authority. See "man ldap.conf" for additional options.

If your server is chrooted and you have no access to /dev/random or /dev/urandom this can be a security risk. LAM stores your LDAP password encrypted in the session. LAM uses rand() to generate the key if /dev/random and /dev/urandom are not accessible. Therefore the key can be easily guessed. An attaker needs read access to the session file (e.g. by another Apache instance) to exploit this.

You have to install the MCrypt extension for PHP to enable encryption. Your LDAP password is stored encrypted in the session file. The key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to encrypt the password. All data that was read from LDAP and needs to be stored in the session file is also encrypted.

LAM includes several .htaccess files to protect your configuration files and temporary data. Apache is often configured to not use .htaccess files by default. Therefore, please check your Apache configuration and change the override setting to: AllowOverride All If you are experienced in configuring Apache then you can also copy the security settings from the .htaccess files to your main Apache configuration. If possible, you should not rely on .htaccess files but also move the config and sess directory to a place outside of your WWW root. You can put a symbolic link in the LAM directory so that LAM finds the configuration/session files. Security sensitive directories: config: Contains your LAM configuration and account profiles LAM configuration passwords (SSHA hashed) default values for new accounts directory must be accessibly by Apache but needs not to be accessible by the browser sess: PHP session files LAM admin password in clear text or MCrypt encrypted cached LDAP entries in clear text or MCrypt encrypted directory must be accessibly by Apache but needs not to be accessible by the browser tmp: temporary files PDF documents which may also include passwords images of your users directory contents must be accessible by browser but directory itself needs not to be browseable

Some basic hints to configure the OpenLDAP server: Size limit: OpenLDAP allows by default 500 return values per search, if you have more users/groups/hosts change this in slapd.conf: e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return values. Indices: Indices will improve the performance when searching for entries in the LDAP directory. The following indices are recommended: index objectClass eq index default sub index uidNumber eq index gidNumber eq index memberUid eq index cn,sn,uid,displayName pres,sub,eq # Samba 3.x index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq Lamdaemon.pl is used to modify quota and home directories on a remote or local host via SSH. If you want wo use it you have to set up the following things to get it to work:

Set the remote or local host in the configuration (e.g. 127.0.0.1) Path to lamdaemon.pl, e.g. /srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a Debian or RPM package then the script may be located at /usr/share/ldap-account-manager/lib or /var/www/html/lam/lib. Your LAM admin user must be a valid Unix account. It needs to have the object class "posixAccount" and an attribute "uid". This account must be accepted by the SSH daemon of your home directory server. Do not create a second local account but change your system to accept LDAP users. You can use LAM to add the Unix account part to your admin user.

The perl script has to run as root. Therefore we need a wrapper, sudo. Edit /etc/sudoers on host where homedirs or quotas should be used and add the following line: $admin All= NOPASSWD: $path_to_lamdaemon $admin is the admin user from LAM (must be a valid Unix account) and $path_to_lamdaemon is the path to lamdaemon.pl. Example: myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl You might need to run the sudo command once manually to init sudo. The command "sudo -l" will show all possible sudo commands of the current user.

We need an extra Perl module - Quota. To install it, run: perl -MCPAN -e shell install Quota If your Perl executable is not located in /usr/bin/perl you will have to edit the path in the first line of lamdaemon.pl. If you have problems compiling the Perl modules try installing a newer release of your GCC compiler and the "make" application. Several Linux distributions already include a quota package for Perl.

The libssh2 library is needed to connect to the homedir/quota server via SSH.

You can get libssh2 here: http://www.libssh2.org Unpack the package and install it by executing the commands "./configure", "make" and "make install" in the extracted directory. Several Linux distributions already include a package for libssh2.

Several Linux distributions already include a package (e.g. libssh2-php). Otherwise, run "pecl install ssh2-beta". If you have no pecl command then install the PHP Pear package (e.g. php-pear or php5-pear) for your distribution. If you want to compile it yourself, get the sources here: http://pecl.php.net/package/ssh2 After installing the PHP module please add this line to your php.ini: extension=ssh2.so

Your SSH daemon must offer the password authentication method. To activate it just use this configuration option in /etc/ssh/sshd_config: PasswordAuthentication yes

If you have problems managing quotas and home directories then these points might help: There is a test page for lamdaemon: Login to LAM and open Tools -> Tests -> Lamdaemon test If you get garbage characters at the test page then PHP and your php5-ssh2 library may not fit together. Try recompiling the library and libssh2. This combination was tested successfully: libssh2 0.13 with php5-ssh2 0.10 php5-ssh2 0.11 should have no problems with recent libssh2 releases. Check /var/log/auth.log or its equivalent on your system. This file contains messages about all logins. If the ssh login failed then you will find a description about the reason here. Set sshd in debug mode. In /etc/ssh/sshd_conf add these lines: SyslogFacility AUTH LogLevel DEBUG3 Now check /var/log/syslog for messages from sshd. Update Openssh. A Suse Linux user reported that upgrading Openssh solved the problem.

Here are some notes on managing Kolab accounts with LAM:

The mailbox server cannot be changed after the account has been saved. Please make sure that the value is correct. The email address ("Personal" page) must match your Kolab domain, otherwise the account will not work.

If you want to cleanly delete accounts use the "Mark for deletion" button on the Kolab subpage of an account. This will also remove the user's mailbox. If you delete the account from the account list (which is standard for LAM accounts) then no cleanup actions are made.

The Kolab GUI has some restrictions that LAM does not have. Please pay attention to the following restrictions: Common name in LAM The common name must have the format "<first name> <last name>". You can leave the field empty in LAM and it will automatically fill in the correct value. Changing first/last name in Kolab GUI Do not change the first/last name of your users in the Kolab GUI! The GUI will change the common name which leads to an LDAP object class violation. This is caused by a bug in the Kolab GUI.

If you upgrade existing non-Kolab accounts please make sure that the account has an Unix password.

You can install LAM in the directory "/kolab/var/kolab/www" which is the root directory for Apache. The PHP installation already includes all required packages.

The attribute "host" is only in objectclass account. Unfortunatly "account" conflicts with "inetorgperson". so there's no perfect way to use both. In order to get attribute host working you have to modify schema/inetorgperson and include host: # inetOrgPerson # The inetOrgPerson represents people who are associated with an # organization in some way. It is a structural class and is derived # from the organizationalPerson which is defined in X.521 [X521]. objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 $ host ) )