Managing entries in your LDAP directory

This chapter gives you instructions on how to manage the different LDAP entries in your directory.

Please note that not all account types are manageable with the free LAM release. LAM Pro provides some more account types (e.g. group of names, aliases, ...) and modules (e.g. Kopano, custom scripts, ...) to support additional LDAP object classes. All LAM Pro features are marked in this manual.

Basic page layout:

After the login LAM presents its main page. It consists of a header part, which is the same on all pages, and the content area, which covers most of the page.

The header part includes the links to manage all account types (e.g. users and groups) and to open the tree view (LDAP browser). There is also the logout link and a tools entry.

When you log in you will see an account listing in the content area.

Here you can create, delete and modify accounts. Use the action buttons at the left or double-click an entry to edit it.

The suffix selection box allows you to list only the accounts that are located in a subtree of your LDAP directory.

You can change the number of entries shown per page with "Change settings". Depending on the account type there may be additional settings, e.g. the user list can convert group numbers to group names.

When you select an entry for editing, LAM shows all its data in a tabbed view. There is one tab for each functional part of the account. You can set default values by loading an account profile.

Typical usage scenarios

Here is a list of typical usage scenarios and what account types and
modules you need to configure.

Address book entries:
  Account types:
  - Users (Personal)

Unix accounts:
  Account types:
  - Users (Personal + Unix)
  - Groups (Unix (posixGroup))
  SUSE users may need to use Group (Group of names + Unix (rfc2307bisPosixGroup)) because of SUSE's special LDAP schema.

Samba 3 accounts:
  Account types:
  - Users (Personal + User + Samba 3)
  - Groups (Unix + Samba 3)
  - Hosts (Account + Unix + Samba 3)
  - Samba domains (Samba domain)

Samba 4/Active Directory:
  Account types:
  - Users (Windows)
  - Groups (Windows)
  - Hosts (Windows)
  Please note that you must change the attributes that are shown in the account lists. Otherwise, the account tables will show empty lines. See the documentation for the Windows user/group/host modules.

  For Samba 4 with Kopano use the following modules:
  - Users (Windows + Kopano (+ Kopano contact))
  - Groups (Windows + Kopano)
  - Hosts (Windows + Kopano)
  - Kopano dynamic groups (Kopano dynamic group)
  - Kopano address lists (Kopano address list)
  See also the Kopano section for additional settings (e.g. using the Kopano AD schema).

Asterisk:
  Account types:
  - Users (Personal + Asterisk)
  - Asterisk extensions (Asterisk extension)

Kopano:
  Account types:
  - Users (Personal + Unix + Kopano (+ Kopano contact))
  - Groups (Unix + Kopano)
  - Kopano dynamic groups (Kopano dynamic group)
  - Kopano address lists (Kopano address list)
  - Hosts (Device + Kopano + IP Address)

PyKota:
  Account types:
  - Users (Personal + Unix + PyKota)
  - Groups (Unix + PyKota)
  - Printers (PyKota)
  - Billing codes (PyKota)

Users

LAM manages various types of user accounts. This includes address
book entries, Unix, Samba, Kopano and much more.

Account list settings:

The user list includes two special options to change how your users are displayed.

- Translate GID number to group name: By default the user list shows the primary group IDs (GIDs) of your users. There are often cases where it is more suitable to show the group name instead. This can be done by activating this option. Please note that LAM will then execute more LDAP queries, which may decrease performance.
- Show account status: If you activate this option, an additional column shows whether the account is locked. You can see more details by moving the mouse cursor over the lock icon. This function supports Unix, Samba, PPolicy, Windows and 389ds locking and deactivation.

Password:

Click the "Set password" button to change the user's password(s). Depending on the active account modules LAM will offer to change multiple passwords at the same time.

If a module supports enforcing a password change, you will see the appropriate checkbox. LAM Pro also offers to send the password via email after the account is saved. Email options are specified in your LAM server profile.

Quick account (un)locking:

When you edit a user, LAM allows you to quickly lock/unlock the whole account. This includes Unix, Samba and PPolicy. LAM can also remove group memberships if an account is locked.

You will see the current status of all account parts in the title area of the account.

If you click on the lock icon, a dialog opens to change these values. Depending on which parts are locked, LAM will provide options to lock/unlock the account parts.

Personal

This module is the most common basis for user accounts in LAM. You
can use it stand-alone to manage address book entries or in combination with Unix, Samba or other modules.

The Personal module provides support for managing various personal data of your users including mail addresses and telephone numbers. You can also add photos of your users (please install PHP Imagick/ImageMagick for full file format support). If you do not need to manage all attributes, you can deactivate them in your server profile.

Configuration

Please activate the module "Personal (inetOrgPerson)" for users.

The module manages lots of fields. Probably, you will not need all of them. You can hide fields in the module settings.

In the advanced options you may also set fields to read-only (for existing accounts) and define limits for photo files. Additionally, you can add an "ou=addressbook" subentry to each user in case you manage user address books.

User management

User certificates can be uploaded and downloaded. LAM will automatically convert PEM to DER format.
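The PEM to DER conversion mentioned above, as an added Python example that is not LAM's own code: it unwraps a PEM certificate into the DER bytes stored in the userCertificate;binary attribute, wraps DER back into PEM, and checks the DER length encoding so that truncated or double-encoded uploads are rejected before they reach the directory (the sample DER is constructed and is not a real certificate).

```python
"""Added example, not LAM's own code: convert an X.509 certificate between the
PEM text form and the DER bytes stored in the userCertificate;binary attribute,
and sanity-check the DER before it is written to the directory."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def check_der_certificate(der: bytes) -> None:
    """Minimal structural check: a certificate is one DER SEQUENCE whose encoded
    length matches the buffer size. This catches truncated uploads and
    double-encoded data; it is not a full X.509 parse."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    if header + length != len(der):
        raise ValueError("DER length does not match data size")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())   # drop the line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("PEM body is not valid base64") from exc
    check_der_certificate(der)
    return der


def der_to_pem(der: bytes) -> str:
    """Armour DER bytes as PEM with the usual 64-character lines."""
    check_der_certificate(der)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample: a valid DER SEQUENCE (not a real certificate), enough to
# exercise the round trip offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
```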
Wildcards

This module provides the following wildcards (others may be provided by other modules):

- $firstname: First name
- $lastname: Last name
- $user: User name
- $commonname: Common name
- $email: Email address

You can use them in the following input fields on the user edit screen:

- Common name
- Description
- Mail
- Postal address
- Registered address
- Web site

Use this when some of your data always follows the same schema. E.g. "$firstname $lastname" in the common name field yields "First Last". You can set the wildcards in the profile editor so they are automatically applied for new users.

Unix

The Unix module manages Unix user accounts including group
memberships.

There are several configuration options for this module:

- UID generator: LAM will suggest UID numbers for your accounts. Please note that duplicate IDs may be assigned if users create accounts at the same time. Use an overlay like "Attribute Uniqueness" (example) if you have lots of LAM admins creating accounts.
  - Fixed range: LAM searches for free numbers within the given limits. LAM always tries to use a free UID that is greater than the existing UIDs to prevent collisions with deleted accounts.
  - Samba ID pool: This uses a special LDAP entry that includes attributes that store a counter for the last used UID/GID. Please note that this requires that you install the Samba schema and create an LDAP entry of object class "sambaUnixIdPool".
  - Magic number: Use this if your LDAP server assigns the UID numbers automatically (e.g. DNA by 389 server). Enter the server's magic number setting.
- Password hash type: If possible use CRYPT-SHA512 or SSHA to protect your users' passwords. The option SASL will set the password to "{SASL}<user name>".
- Login shells: List of valid login shells that can be selected when editing an account.
- Hidden options: Some input fields can be hidden to simplify the GUI if you do not need them.
- Set primary group as memberUid: By default primary group membership is not set on group objects but only on the user (gidNumber). Activate this if you need to have the primary group membership in the group object, too.
- Do not add object class: This is for Windows only. When the checkbox is activated, the posixAccount object class will not be added to a user.
- User name suggestion: The user name is automatically filled as specified in the configuration (default smiller for Steve Miller). Of course, the suggested value can be changed any time. Common name is also filled with first/last name by default.

Group memberships can be changed when clicking on "Edit groups".
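The fixed range ID generator from the option list above, as an added Python example that is not LAM's own code; it applies to GIDs in exactly the same way, and it also shows how to spot the duplicate IDs that concurrent account creation can leave behind. It assumes the existing uidNumber values have already been read from LDAP and that only IDs inside the configured range count as "existing".

```python
"""Added example, not LAM's own code: the "fixed range" ID allocation scheme
described for the UID/GID generator, plus a duplicate check. Existing IDs are
assumed to have been read from LDAP already (uidNumber/gidNumber values)."""
from typing import Dict, Iterable, List, Optional


def suggest_free_id(existing: Iterable[int], min_id: int, max_id: int) -> Optional[int]:
    """Return a free ID inside [min_id, max_id], or None if the range is full.

    Preference order, as described for the fixed range generator:
      1. one above the highest ID in use, so the numbers of deleted accounts
         are not reused while higher numbers are still free;
      2. otherwise the lowest gap inside the range.
    IDs outside the range are ignored (assumption of this example).
    """
    if min_id > max_id:
        raise ValueError("min_id must not exceed max_id")
    used = {i for i in existing if min_id <= i <= max_id}
    if not used:
        return min_id
    candidate = max(used) + 1
    if candidate <= max_id:
        return candidate
    # Top of the range reached: fall back to the lowest free number.
    for i in range(min_id, max_id + 1):
        if i not in used:
            return i
    return None


def find_duplicate_ids(entries: Dict[str, int]) -> Dict[int, List[str]]:
    """Map every ID used by more than one entry to the DNs sharing it.
    Two admins creating accounts at the same time can produce such duplicates;
    an attribute uniqueness overlay on the server prevents them at the source."""
    by_id: Dict[int, List[str]] = {}
    for dn, num in entries.items():
        by_id.setdefault(num, []).append(dn)
    return {num: dns for num, dns in by_id.items() if len(dns) > 1}


# Constructed sample: uidNumber values as they might be read from ou=people.
SAMPLE_UIDS = {
    "uid=amiller,ou=people,dc=example,dc=com": 10000,
    "uid=bsmith,ou=people,dc=example,dc=com": 10001,
    "uid=cjones,ou=people,dc=example,dc=com": 10003,   # 10002 belonged to a deleted account
    "uid=djones,ou=people,dc=example,dc=com": 10003,   # duplicate left by a race
}
```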
In this dialog you can select the Unix groups and group of names memberships.

To enable "Group of names" please either add the groups module "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of names".

You can also create home directories for your users if you set up lamdaemon. This allows you to create the directories on local or remote servers.

It is also possible to check the status of the user's home directories. If needed, the directories can be created or removed at any time.

Wildcards

This module provides the following wildcards (others may be provided by other modules):

- $user: User name
- $group: Group name (not the numeric GID)

You can use them in the following input fields on the user edit screen:

- Common name
- Gecos
- Home directory

Use this when some of your data always follows the same schema. E.g. "/home/$user" in the home directory field yields "/home/myuser". You can set the wildcards in the profile editor so they are automatically applied for new users.

Group of names and group of members (LAM Pro)

This module manages memberships in group of (unique) names and
also group of members.

Please note that this module cannot be used if the Unix module is active. In this case group memberships may be managed with the Unix module.

Configuration

To activate this feature please add the user module "Group of names (groupOfNamesUser)" to your LAM server profile.

The module automatically detects whether groups are based on "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the correct attribute.

Organizational roles (LAM Pro)

LAM can manage role memberships in organizationalRole objects. To activate this feature please add the user module "Roles (organizationalRoleUser)" to your LAM server profile.

User editing

There will now be a new tab "Roles" when you edit your user accounts. Here you can select the role memberships.

Shadow

LAM supports the management of the LDAP equivalent of /etc/shadow. Here you can set up password policies for your Unix accounts and also view the last password change of a user.

NIS net groups

Configuration

Please add the module "NIS net groups (nisNetGroupUser)" to the list of active user modules.

User editing

You will now see a new tab when editing users. Here you can assign memberships in NIS net groups and also set host/domain.

Password self reset (LAM Pro)

LAM Pro allows your users to reset their passwords by answering a security question. The reset link is displayed on the self service page. Additionally, you can set question and answer in the admin interface.

Please note that self service and the LAM admin interface are separate functionalities. You need to specify the list of possible security questions in both self service profile(s) and server profile(s).

Schema installation

Please install the LDAP schema as described here.

Activate password self reset module

Please activate the password self reset module in your LAM Pro
server profile.

Now select the tab "Module settings" and specify the list of possible security questions. Only these questions will be selectable when you later edit accounts unless you explicitly allow entering custom questions. LAM Pro supports up to three security questions per user.

If you do not want to set backup email addresses, you can hide this option.

Edit users

After everything is set up please log in to LAM Pro and edit your users. You will see a new tab called "Password self reset". Here you can activate/remove the password self reset function for each user. You can also change the security question and answer.

If you set a backup email address, confirmation emails will also be sent to this address. This is useful if the user password grants access to the user's primary mailbox, so that passwords can still be unlocked with an external email address.

Hint: You can add the passwordSelfReset object class to all your users with the multi edit tool.

Samba 4 note: Due to a bug in Samba 4 you need to add the extension, save, and then select a question and set the answer. If you add the extension, set question/answer and then save all together, this will cause an LDAP error and no changes will be saved.

Hosts

You can specify a list of valid host names where the user may log in. If you add the value "*" then the user may log in to any host.
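The host attribute semantics of this section (explicit host names, the "*" wildcard, the "!"-prefixed deny entries such as "!hr_server", and the refusal of users without any host attribute) as an added Python example that is not LAM's or pam_ldap's code. It assumes that a deny entry wins wherever it appears in the attribute list; the sample users are constructed.

```python
"""Added example, not LAM's or pam_ldap's code: evaluate a user's host
attribute values the way the pam_check_host_attr check described here does.
Assumptions: a "!host" deny entry wins wherever it appears in the list, and a
user without any host attribute is denied."""
from typing import Dict, Iterable, List, Optional


def host_login_allowed(host_values: Optional[Iterable[str]], hostname: str) -> bool:
    """Return True if the user may log in to hostname."""
    if host_values is None:
        return False
    values = [v.strip().lower() for v in host_values if v and v.strip()]
    if not values:
        return False          # no host attribute at all: login refused
    target = hostname.strip().lower()
    if "!" + target in values:
        return False          # explicit deny entry such as "!hr_server"
    return "*" in values or target in values


# Constructed sample entries: user name -> host attribute values as read from LDAP.
SAMPLE_USERS: Dict[str, List[str]] = {
    "smiller": ["*", "!hr_server"],        # any host except hr_server
    "jdoe": ["webserver", "mailserver"],   # explicit allow list only
    "contractor": [],                      # attribute missing: never allowed
}


def who_can_login(users: Dict[str, List[str]], hostname: str) -> Dict[str, bool]:
    """Evaluate every user against one host, e.g. when auditing a server."""
    return {name: host_login_allowed(values, hostname) for name, values in users.items()}
```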
Access can be further restricted by adding explicit deny entries, which are prefixed with "!" (e.g. "!hr_server").

Please note that your PAM settings need to support host restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled, the account facility of pam_ldap performs the checks and returns an error when no proper host attribute is present. Please note that users without a host attribute cannot log in to a server configured this way.

Samba 3

LAM supports full Samba 3 user management including logon hours and terminal server options.

The module is enabled by adding "Samba 3 (sambaSamAccount)" to your user modules.

In the configuration options you can enable password history checking. Depending on your LDAP server you might need ascending or descending order. Just switch the setting if the password history is not correctly updated.

In case you have no very old Windows clients (e.g. Windows 98) it is recommended to disable LM hashes. They are considered insecure.

You can also hide some input fields if you do not need them.

After configuring the module you will see the Samba 3 tab when you edit a user.

Logon hours can be changed.

You can also set up terminal server settings.

Windows (Samba 4)

Please activate the account type "Users" in your LAM server
profile and then add the user module "Windows (windowsUser)(*)".

The default list attributes are for Unix and not suitable for Windows (blank lines in the account table). Please use "#cn;#givenName;#sn;#mail" or select your own attributes to display in the account list.

On tab "Module settings" you can specify the possible Windows domain names and whether pre-Windows 2000 user names should be managed.

NIS support is deactivated by default. Enable it if needed.

Now you can manage your Windows users and e.g. assign groups. You might want to set the default domain name in the profile editor.

Attention:

- Password changes require a secure connection via ldaps://. Check your LAM server profile if password changes are refused by the server.
- Your server must run a 64-bit operating system. Otherwise, the module might not work.

Wildcards

This module provides the following wildcards (others may be provided by other modules):

- $firstname: First name
- $lastname: Last name
- $user: User name
- $commonname: Common name
- $email: Email address

You can use them in the following input fields on the user edit screen:

- Common name
- Display name
- Email
- Email alias
- Home directory
- Profile path
- Script path

Use this when some of your data always follows the same schema. E.g. "$firstname $lastname" in the common name field yields "First Last". You can set the wildcards in the profile editor so they are automatically applied for new users.

Filesystem quota (lamdaemon)

You can manage file system quotas with LAM. This requires setting up
lamdaemon. LAM connects to your server via SSH and manages the disk filesystem quotas. The quotas are stored directly on the filesystem. This is the default mechanism to store quotas on most systems.

Please add the module "Quota (quota)" for users to your LAM server profile to enable this feature.

If you store the quota information directly inside LDAP please see the next section.

Filesystem quota (LDAP)

You can store your filesystem quotas directly in LDAP. See Linux DiskQuota for details since it requires quota tools that support LDAP. You will need to install the quota LDAP schema to manage the object class "systemQuotas".

Please add the module "Quota (systemQuotas)" for users to your LAM server profile to enable this feature.

If you store the quota information on the filesystem please see the previous section.

Kolab

This module supports managing Kolab accounts with LAM. E.g. you can set the user's mail quota and define invitation policies.

Please add the Kolab user module in your LAM server profile to activate Kolab support.

Attention: LAM will add the object class "mailrecipient" by default. This object class is available on 389 directory server but may not be present on e.g. OpenLDAP. Please deactivate the corresponding setting (LAM server profile, module settings) if you do not use this object class.

Please enter an email address on the Personal page and set a Unix password first. Both are required for Kolab to accept the accounts. The email address ("Personal" page) must match your Kolab domain, otherwise the account will not work.

Attention: The mailbox server cannot be changed after the account has been saved. Please make sure that the value is correct.

Kolab users should not be directly deleted with LAM. You can mark an account for deletion, which is then carried out by the Kolab server itself. This makes sure that the mailbox etc. is also deleted.

If you upgrade existing non-Kolab accounts please make sure that the account has a Unix password.

Asterisk

LAM supports Asterisk accounts, too. See the Asterisk section for details.

EDU person

EDU person accounts are mainly used in university networks. You
can specify the principal name, nick names and much more.

PyKota

There are two LAM user modules, depending on whether your user entries should be built on the object class "pykotaObject" or on a different structural object class (e.g. "inetOrgPerson"). For "pykotaObject" please select "PyKota (pykotaUserStructural(*))", and "PyKota (pykotaUser)" in all other cases.

To display the job history please set up the job DN on tab "Module settings":

Now you can add the PyKota extension to your user accounts. Here you can set up the printing options and add payments for this user.

For LAM Pro there are also self service fields to allow users e.g. to view their current balance and job history.

You may also view the payment and job history.

Password policy (LAM Pro)

OpenLDAP supports the ppolicy overlay to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to user accounts.

Please add the account type "Password policies" to your LAM server profile and activate the "Password policy" module for the user type.

You can select the password policy and force a password change on next login. Accounts can also be (un)locked.

You can assign any password policy which is found in the LDAP suffix of the "Password policies" type. When you set the policy to "default", OpenLDAP will use the default policy as defined in your slapd.conf file.

Attention: Locking and unlocking requires that you also activate the option "Lockout users" in the assigned password policy. Otherwise, it will have no effect.

Account locking for 389ds (LAM Pro)

This module allows you to display whether users are locked by the 389ds
server. You can (de)activate your users. The password expiration time can also be managed.

Requirements: 389ds LDAP server

Configuration

Please add the user module "Account locking (locking389ds)".

This will show the password expiration time. You can edit the value if needed.

If there are any failed login attempts, LAM displays their number and until when the user is locked by the system.

The limit of failed login attempts and the lockout duration are configured on your LDAP server and not within LAM.

You can unlock the user by clicking on the lock icon.

Here you can also (de)activate the account.

Note: Accounts are only locked by the LDAP server due to failed password attempts. You cannot manually lock an account. Deactivate it in case you want to disable login for a user.

FreeRadius

FreeRadius is a software that implements the RADIUS authentication protocol. LAM allows you to manage several of the FreeRadius attributes.

To activate the FreeRadius plugin please activate the FreeRadius user module in your server profile:

You can disable unneeded fields on the tab "Module settings". Here you can also set the DN where your Radius profile templates are stored if you use the option "Profile".

Now you will see the tab "FreeRadius" when editing users. The extension can be (de)activated for each user. You can set up e.g. realm, IP and expiration date.

Heimdal Kerberos (LAM Pro)

You can manage your Heimdal Kerberos accounts with LAM Pro. Please add the user module "Kerberos (heimdalKerberos)" to activate this feature.

Setup password changing

LAM Pro cannot generate the password hashes itself because Heimdal uses a proprietary format for them. Therefore, LAM Pro needs to call e.g. kadmin to set the password.

The wildcards @@password@@ and @@principal@@ are replaced with the password and the principal name. Please use keytab authentication for this command since it must run without any interaction.

Example to create a keytab:

    ktutil -k /root/lam.keytab add -p lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1

Security hint: Please secure your LAM Pro server since the new
passwords will be visible for a short time in the process list during the password change.

User management

You can specify the principal/user name, ticket lifetimes and expiration dates. Additionally, you can set various account options.

MIT Kerberos (LAM Pro)

You can manage your MIT Kerberos accounts with LAM Pro. Please add the user module "Kerberos (mitKerberos)" to activate this feature. If you want to manage entries based on the structural object class "krbPrincipal" please use "Kerberos (mitKerberosStructural)" instead.

Setup password changing

LAM Pro cannot generate the password hashes itself because MIT uses a proprietary format for them. Therefore, LAM Pro needs to call kadmin/kadmin.local to set the password.

LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to set the password. Please use keytab authentication for this command since it must run without any interaction.

Keytabs may be created with the "ktutil" application.

Security hint: Please secure your LAM Pro server since the new passwords will be visible for a short time in the process list during the password change.

Example commands:

    /usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p realm/changepwd
    sudo /usr/sbin/kadmin.local

User management

You can specify the principal/user name, ticket lifetimes and expiration dates. Additionally, you can set various account
options.

NIS mail aliases

This module allows adding/removing the user in mail alias entries.

Note: You need to activate the mail alias type for this module.

To activate mail aliases for users please select the module "Mail aliases (nisMailAliasUser)":

On tab Module settings you can select whether you want to set the user name or the email as recipient in alias entries.

Now you will see the mail aliases tab when editing a user.

The red cross will only remove the user from the alias entry. If you click the trash can button, the whole alias entry (which may contain other users) will be deleted.

You can add the user to existing alias entries or create completely new ones.

Courier mail

This module allows adding/removing the Courier extension for users.

Configuration:

Please activate the module Courier for users to enable this extension. The Unix module is optional.

Usage:

Your user tab will now show the Courier extension. This can be added/removed any time.

Here you can configure the home directory in case the Unix module is not activated. Additionally, mailbox folder, quota, server and feature flags can be configured.

Qmail (LAM Pro)

LAM Pro manages all qmail attributes for users. This includes mail addresses, ID numbers and quota settings.

Please note that the main mail address is managed on tab "Personal" if this module is active. Otherwise, it will be on the qmail tab.

You can hide several qmail options if you do not want to manage them with LAM. This can be done on the module settings tab of your LAM server profile.

Mail routing

LAM supports managing mail routing for user accounts.

Module activation:

This feature can be activated by adding the "Mail routing" module to the user account type in your server profile.

Usage:

You can specify a routing address, the mail server and a number of local addresses to route.

In case you want to add this extension by default for new users there is an option in the profile editor.

SSH keys

You can manage your public keys for SSH in LAM if you installed the LPK patch for SSH. Activate the "SSH public key" module for users in the server profile and you can add keys to your user entries.

Authorized services

You can set up PAM to check whether a user is allowed to run a specific
service (e.g. sshd) by reading the LDAP attribute "authorizedService". This way you can manage all allowed services via LAM.

To activate this PAM feature please set up your /etc/libnss-ldap.conf and set "pam_check_service_attr" to "yes".

Inside LAM you can now set the allowed services. You may also set up default services in your account profiles.

You can define a list of services in your LAM server profile that is used for autocompletion.

The autocompletion will show all values that contain the entered text. To display the whole list you can press backspace in the empty input field. Of course, you can also insert a service name that is not in the list.

IMAP mailboxes

LAM may create and delete mailboxes on an IMAP server for your user accounts. You will need an IMAP server that supports either SSL or TLS for this feature.

To activate the mailbox management module please add the "Mailbox (imapAccess)" module for the type user in your LAM server profile:

Now configure the module on the tab "Module settings". Here you can specify the IMAP server name, encryption options, the authentication for the IMAP connection and the valid mail domains. LAM can use either your LAM login password for the IMAP connection or display a dialog where you need to enter the password. It is also possible to store the admin password in your server profile. This is not recommended for security reasons.

The user name can either be a fixed name (e.g. "admin") or it can be generated from LDAP attributes of the LAM admin user. E.g. $uid$ will be transformed to "myUser" if you log in with "uid=myUser,ou=people,dc=example,dc=com".

The mail domains specify for which accounts mailboxes may be created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can be managed for "user@lam-demo.org" but not for "user@example.com". Use "*" for any domain.

You need to install the SSL certificate of the CA that signed your server certificate. This is usually done by installing the certificate in /etc/ssl/certs. Different Linux distributions may offer different ways to do this. For Debian please copy the certificate to "/usr/local/share/ca-certificates" and run "update-ca-certificates" as root.

It is not recommended to disable the validation of IMAP server certificates.

The prefix, user name attribute and path separator specify how your mailboxes are named (e.g. "user.myUser@localhost" or "user/myUser"). Select the values depending on your IMAP server settings.

You can specify a list of initial folder names to create for new mailboxes. LAM will then create them with each new mailbox.

When you edit a user account you will now see the tab "Mailbox". Here you can create/delete the mailbox for this user.

IP addresses (LAM Pro)

You can manage the IP addresses of user accounts (e.g. assigned by
DHCP) with the ipHost module.

Configuration

User editing

Account

This is a very simple module to manage accounts based on the object class "account". Usually, this is used for host accounts only. Please pay attention that users based on the "account" object class cannot have contact information (e.g. telephone number) as with "inetOrgPerson".

You can enter a user/host name and a description for your accounts.

Groups

Unix

This module is used to manage Unix group entries. This is the default module to manage Unix groups and uses the nis.schema. SUSE users who use the rfc2307bis.schema need to use LAM Pro.

Configuration

Please add the account type "Groups" and then select the account module "Unix (posixGroup)".

- GID generator: LAM will suggest GID numbers for your accounts. Please note that duplicate IDs may be assigned if users create groups at the same time. Use an overlay like "Attribute Uniqueness" (example) if you have lots of LAM admins creating groups.
  - Fixed range: LAM searches for free numbers within the given limits. LAM always tries to use a free GID that is greater than the existing GIDs to prevent collisions with deleted groups.
  - Samba ID pool: This uses a special LDAP entry that includes attributes that store a counter for the last used UID/GID. Please note that this requires that you install the Samba schema and create an LDAP entry of object class "sambaUnixIdPool".
  - Magic number: Use this if your LDAP server assigns the GID numbers automatically (e.g. DNA by 389 server). Enter the server's magic number setting.
- Disable membership management: Disables group membership management. This is useful if memberships are e.g. managed via group of names.

Group management:

Group membership management:

Unix groups with rfc2307bis schema (LAM Pro)

Some applications (e.g. SUSE Linux) use the rfc2307bis schema for
Unix accounts instead of the nis schema. In this case group accounts are based on the object class groupOf(Unique)Names or namedObject. The object class posixGroup is auxiliary in this case.

LAM Pro supports these groups with a special account module: rfc2307bisPosixGroup

Use this module only if your system depends on the rfc2307bis schema. The module can be selected in the LAM configuration. Instead of using groupOfNames as the basis for your groups you may also use namedObject.

Module activation:

- GID generator: LAM will suggest GID numbers for your accounts. Please note that duplicate IDs may be assigned if users create groups at the same time. Use an overlay like "Attribute Uniqueness" (example) if you have lots of LAM admins creating groups.
  - Fixed range: LAM searches for free numbers within the given limits. LAM always tries to use a free GID that is greater than the existing GIDs to prevent collisions with deleted groups.
  - Samba ID pool: This uses a special LDAP entry that includes attributes that store a counter for the last used UID/GID. Please note that this requires that you install the Samba schema and create an LDAP entry of object class "sambaUnixIdPool".
  - Magic number: Use this if your LDAP server assigns the GID numbers automatically (e.g. DNA by 389 server). Enter the server's magic number setting.
- Disable membership management: Disables group membership management. This is useful if memberships are e.g. managed via group of names.
- Force sync with group of names: This will automatically set the group memberships of the Unix part to the same members as set on the group of names tab.

The GID number will be filled automatically based on the server profile configuration.

Group members can be edited and also synced with Group of (unique) names.

Samba 3

LAM supports managing Samba 3 groups. You can set special group types and also create Windows predefined groups like "Domain admins".

Module activation:

Group editing:

Windows (Samba 4)

LAM can manage your Windows groups. Please enable the account type "Groups" in your LAM server profile and then add the group module
"Windows (windowsGroup)(*)".The default list attributes are for Unix and not suitable for
Windows (blank lines in account table). Please use
"#cn;#member;#description" or select your own attributes to display in
the account list.NIS support is deactivated by default. Enable it if needed on tab
"Module settings".Now you can edit your groups inside LAM. You can manage the group
name, description and its type. Of course, you can also set the group
members.Group scopes:Global: Use this for groups with frequent changes. Global
groups are not replicated to other domains.Universal: Groups with universal scope are used to consolidate
groups that span domains. They are globally replicated.Domain local: Groups with domain local scope can be used to
set permissions inside one domain. They are not replicated to other
domains.Group type:Security: Use this group type to control permissions.Distribution: These groups are only used for email
applications. They cannot be used to control permissions.With "Show effective members" you can show a list of all members
of this group including members of subgroups and their subgroups.KolabPlease activate the Kolab group module in your LAM server profile
to activate Kolab support.You can specify the email address and also set allowed sender and
recipient addresses.Mail routingLAM supports to manage mail routing for group accounts.Module activation:This feature can be activated by adding the "Mail routing" module
to the group account type in your server profile.Usage:You can specify a routing address, the mail server and a number of
local addresses to route.In case you want to add this extension by default for new groups
there is an option in profile editor.QuotaYou can manage file system quotas with LAM. This requires to setup
lamdaemon. File system quotas are not
stored inside LAM but managed directly on the specified servers.PyKotaThere are two LAM group modules depending if your group entries
should be built on object class "pykotaObject" or a different structural
object class (e.g. "posixGroup"). For "pykotaObject" please select
"PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)" in all
other cases.Now you can add the PyKota extension to your groups.HostsAccountPlease see the description here.Device (LAM Pro)The device object class allows to manage general information about
all sorts of devices (e.g. computers, network hardware, ...). You can enter the serial number, location and a describing text. It is also possible to specify the owner of the device.
Samba 3
You can manage Samba 3 host entries by adding the Unix and Samba 3 account modules.
Windows (Samba 4)
LAM can manage your Windows servers and workstations. Please enable the account type "Hosts" in your LAM server profile and then add the host module "Windows (windowsHost)(*)".
The default list attributes are for Unix and not suitable for Windows (blank lines in the account table). Please use "#cn;#description;#location" or select your own attributes to display in the account list.
Now you will see your computer accounts inside LAM. You can set e.g. the server's description and location information.
IP addresses (LAM Pro)
You can manage the IP addresses of host accounts with the ipHost module. It manages the following information:
IP addresses (IPv4/IPv6)
location of the host
manager: the person who is responsible for the host
You can activate this extension by adding the module ipHost to the list of active host modules.
MAC addresses
Hosts can have an unlimited number of MAC addresses. To enable this feature just add the "MAC address" module to the host account type.
Puppet
LAM supports managing your Puppet configuration. You can edit all attributes like environment, classes, variables and parent node.
Configuration
To activate this feature please edit your LAM server profile and add the host module "Puppet (puppetClient)" on tab "Modules". This will add the Puppet tab to your host pages.
On tab "Module settings" in your LAM server profile you may also set up some common environment names. LAM will use them to provide autocompletion hints when editing the environment for a node.
If you enter any value in "Enforce classes" then LAM will only accept this list of classes.
Editing nodes
When you edit a host entry then you will see the tab "Puppet". Here you can add/remove the Puppet extension and edit all attributes.
NIS net groups
NIS netgroups can be used to e.g. restrict SSH access to your machines.
Configuration
Please add the module "NIS net groups (nisNetGroupHost)" to the list of active host modules.
Host editing
You will now see a new tab when editing hosts. Here you can assign memberships in NIS net groups and also set user/domain.
Samba 3 domains
Samba 3 stores information about its domain settings inside LDAP. This includes the domain name, its SID and some policies. You can manage all these attributes with LAM.
Please activate the account type "Samba domains" in your LAM server profile. Please notice that Samba by default uses the LDAP root for domain objects (e.g. dc=example,dc=com).
This will add a new tab to LAM where you can manage domain information.
The domain name, SID and RID base can only be specified for new domains and are not changeable via LAM at a later time. You may set up several password policies for your Samba domains and also some RID options that influence the creation of SIDs for users/groups/hosts.
Group of (unique) names and group of members (LAM Pro)
These classes can be used to represent group relations. Since they
allow DNs as members you can also use them to represent nested groups.
Configuration:
Activate the account type "Group of names" in your LAM server profile to use these account modules. Alternatively, you can use the account type "Groups".
Then add the module "Group of names (groupOfNames)", "Group of unique names (groupOfUniqueNames)" or "Group of members (groupOfMembers)".
On the module settings tab you set some options like the display format for members/owners and whether fields like description should not be displayed.
Group management:
Group of (unique) names have four basic attributes:
Name: a unique name for the group
Description: optional description
Owner: the account which owns this group (optional)
Members: the members of the group (at least one is required)
You can add any accounts as members. This includes other groups, which leads to nested groups.
To show members of nested groups click on "Show effective members". Please note that for large groups this will run lots of queries against your LDAP server.
Organizational roles (LAM Pro)
This module manages roles via the organizationalRole object class. There is also a user module to manage memberships on the user edit page.
Configuration:
Activate the account type "Groups" in your LAM server profile to use this account module. Alternatively, you can use the account type "Group of names".
Then add the module "Role (organizationalRole)".
On the module settings tab you set some options like the display format for members and whether the description should not be displayed.
Role management:
You can add any accounts as members. This includes other roles, which leads to nested roles (needs to be supported by LDAP client applications).
To show members of nested roles click on "Show effective members". Please note that for large roles this will run lots of queries against your LDAP server.
Asterisk
LAM includes extensive support for Asterisk. You can add Asterisk extensions (including voicemail) to your users and also manage Asterisk extensions.
The Asterisk support for users can be added by selecting the Asterisk and Asterisk voicemail modules for users in your LAM server profile. This will add the following tabs to your user accounts.
The Asterisk module allows editing a large number of attributes. Therefore, you can hide unused fields. Please edit your server profile (Module settings) to do so.
Of course, the voicemail part of Asterisk is also supported.
If you also want to manage Asterisk extensions then simply add the account type "Asterisk extensions" and its module to your server profile.
LAM groups your Asterisk extension entries by extension name and account context. If you edit an extension then you will see the Asterisk entries as rules. LAM ensures that all rule entries have the same owners and assigns the priorities.
Kopano (LAM Pro)
Kopano is an OpenSource collaboration software. LAM Pro provides
support to manage Kopano user entries, groups, address lists and servers. It covers all settings for these types including resource and quota settings.
Users
Configuration
To enable Kopano support for users please activate the Kopano module for the user account type in your server profile:
Adjust the suffix and list attributes to your needs.
Then select the Kopano user module (tab Modules). You can combine it with the Personal module, Unix or Windows.
Next configure the module to your needs (tab Module settings).
Attention: LAM Pro uses the Kopano OpenLDAP schema by default. This schema fits OpenLDAP, OpenDJ, Apache Directory server and other common LDAP servers. If you run Samba 4 or Active Directory then you need to switch the schema to "Active Directory" on the module settings tab.
You can hide options that you do not need. E.g. if you do not want to manage quotas per user then you can hide these options.
Examples for your Zarafa ldap.cfg:
"Send as" attribute: dn
ldap_user_sendas_attribute_type = dn
"Send as" attribute: uid
ldap_user_sendas_attribute_type = text
ldap_user_sendas_relation_attribute = uid
Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting.
Usage
LAM Pro will now display the Kopano tab on your users. This includes email settings, quotas and some options (e.g. hide from address book). You can also set the resource type and capacity for meeting rooms and equipment. The Kopano extension can be added and removed at any time for every user.
Contacts
Configuration
The configuration is similar to users. Instead of the Kopano user module please select the contact module.
Usage
LAM Pro will now display the Kopano contact tab on your users. The Kopano extension can be added and removed at any time for every user.
Groups
Configuration
To enable Kopano support for groups please activate the Kopano module for the group account type in your server profile:
Adjust the suffix and list attributes to your needs.
Then select the Kopano group module (tab Modules). You can combine it with the group of names module, Unix or Windows.
Next configure the module to your needs (tab Module settings).
Usage
LAM Pro will now display the Kopano tab on your groups. The Kopano extension can be added and removed at any time for every group.
Address lists
Configuration
To enable Kopano support for address lists please activate the Kopano address list account type in your server profile (tab account types):
Adjust the suffix and list attributes to your needs.
Then select the Kopano address list module (tab Modules).
Usage
LAM Pro will now display the Kopano address list tab.
Dynamic groups
Configuration
To enable Kopano support for dynamic groups please activate the Kopano dynamic group account type in your server profile (tab account types):
Adjust the suffix and list attributes to your needs.
Then select the Kopano dynamic group module (tab Modules).
Usage
LAM Pro will now display the Kopano address list tab.
Servers
Configuration
To enable Kopano support for servers please activate the Kopano server module for the hosts account type in your server profile (tab account types):
Adjust the suffix and list attributes to your needs.
Then select the Kopano server module (tab Modules).
Next configure the module to your needs (tab Module settings).
Usage
LAM Pro will now display the Kopano tab on your hosts. The Kopano extension can be added and removed at any time for every server.
Zarafa (LAM Pro)
Zarafa is an OpenSource collaboration software. LAM Pro provides
support to manage Zarafa server entries, users and groups. It covers all settings for these types including resource and quota settings.
LAM Pro is an official Zarafa Certified Integration.
Configuration
To enable Zarafa support in LAM Pro please activate the Zarafa modules for the Users, Groups and Hosts account types in your server profile:
Attention: LAM Pro uses the Zarafa OpenLDAP schema as default. This schema fits OpenLDAP, OpenDJ, Apache Directory server and other common LDAP servers. If you run Samba 4 or Active Directory then you need to switch the schema to "Active Directory" on the module settings tab:
You can configure which parts of the Zarafa user options should be enabled. E.g. if you do not want to manage quotas per user then you can hide these options on the tab "Module settings".
"Send as" attribute: Here you can specify how "Send as" privileges should be managed. LAM supports "uid" and "dn".
If you select "uid" then LAM will store user names in the zarafaSendAsPrivilege attribute. This way you are restricted to specifying user accounts as "Send as" allowed.
You can also set this option to "dn" and LAM will store DNs in the zarafaSendAsPrivilege attribute. In this case you may specify users and groups as "Send as" allowed.
Examples for your Zarafa ldap.cfg:
"Send as" attribute: dn
ldap_user_sendas_attribute_type = dn
"Send as" attribute: uid
ldap_user_sendas_attribute_type = text
ldap_user_sendas_relation_attribute = uid
Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting.
Features: Zarafa 7 allows enabling IMAP/POP3 for each user. Please hide the option "Features" if you use Zarafa 6.x.
Users
This is an example of the user edit page with all possible settings. This includes email settings, quotas and some options (e.g. hide from address book). You can also set the resource type and capacity for meeting rooms and equipment. The Zarafa extension can be added and removed at any time for every user.
Please note that the option "Features" requires Zarafa 7. Please hide this option in the LAM server profile if you run Zarafa 6.x.
Contacts
LAM Pro can manage your Zarafa contact entries. You can set the email aliases and "send as" privileges. Additionally, accounts may be hidden in the address book or disabled.
Please note that you can either use the Zarafa user module or Zarafa contact. LAM Pro will disable the other tab when enabling one of them.
Groups
This is the edit page for groups. You can enter an email address and additional aliases for your groups. It is also possible to specify options (e.g. hide from address book). The extension can be added/removed dynamically.
Please note that the option "Send-as privileges" requires the Zarafa 7.0.3 schema. Please hide this option in the LAM server profile if you run Zarafa < 7.0.3.
Servers
The Zarafa extension for host accounts allows setting the connection ports and file path. You can add/remove the extension at any time.
Setting the public store option is only possible for new host entries.
Please note that the proxy URL option requires the Zarafa 7.1 schema. Please hide this option in your LAM server profile if you use an older version.
Address lists
Zarafa allows storing address lists in LDAP. You need to define a search base and LDAP filter for each address list. E.g. entering "ou=people,dc=company,dc=com" as base and "uid=*" will select all users that are stored in "ou=people,dc=company,dc=com".
You can also hide your lists from the address book or temporarily disable them.
Dynamic groups
Zarafa allows defining dynamic groups in LDAP. You need to define a search base and LDAP filter for each group. E.g. entering "ou=people,dc=company,dc=com" as base and "uid=*" will select all users that are stored in "ou=people,dc=company,dc=com".
Dynamic groups may have an email address and multiple email alias addresses.
You can also hide your dynamic groups from the address book or temporarily disable them.
Kolab shared folders
Please add the account type "Kolab shared folders" in your LAM
server profile and set the correct LDAP suffix.
Then add the "Kolab shared folder" module on tab "Modules".
Now you can start to add shared folders inside LAM.
DHCP
You can manage your DHCP server with LAM. It supports managing subnets, fixed IP entries, IP ranges and DDNS.
Configuration
The DHCP management can be activated by adding the account type DHCP to your server profile. Please also add the DHCP modules.
LAM requires that you use an LDAP entry with the object class "dhcpService" or "dhcpServer" as suffix for this account type. If the "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN" then you need to use the DN of the "dhcpService" entry as LDAP suffix for DHCP.
Add account type:
Set suffix:
Add modules:
Example server entry:
dn: cn=server,ou=dhcp,dc=ldap-account-manager,dc=org
objectclass: dhcpServer
objectclass: dhcpOptions
objectclass: top
cn: server
dhcpcomments: My DHCP server
dhcpoption: domain-name "ldap-account-manager.org"
dhcpoption: domain-name-servers 192.168.1.1
dhcpoption: routers 192.168.1.1
dhcpoption: netbios-name-servers 192.168.1.1
dhcpoption: subnet-mask 255.255.255.0
dhcpoption: netbios-node-type 8
dhcpstatements: default-lease-time 3600
dhcpstatements: max-lease-time 7200
dhcpstatements: include "mykey"
dhcpstatements: ddns-update-style interim
dhcpstatements: update-static-leases true
dhcpstatements: ignore client-updates
Example settings for dhcpd.conf:
ddns-update-style none;
deny unknown-clients;
ldap-server "server";
ldap-dhcp-server-cn "server";
ldap-port 389;
ldap-username "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org";
ldap-password "{SSHA}XXXXXXXXXXXX";
ldap-base-dn "ou=dhcp,dc=ldap-account-manager,dc=org";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
slapd.conf changes:
include /etc/ldap/schema/dhcp.schema
index dhcpHWAddress eq
index dhcpClassData eq
Run slapindex to rebuild the index.
You can manage the settings of your DHCP service/server entry:
You can easily create new subnet entries.
It is also possible to specify a list of fixed IPs.
IP ranges may be specified.
If you use failover pools for your IP ranges please use the pool options at the bottom. Here you can add DHCP pools (object class "dhcpPool") and specify the failover peer.
If you activated DDNS in the server entry then you may also specify the DDNS settings for this subnet.
Bind DLZ (LAM Pro)
Bind DLZ is an extension to the DNS server Bind that allows storing DNS entries inside LDAP. Please install the Bind DLZ schema file on your LDAP server. It is part of the DLZ patch.
Configuration
First, you need to add the Bind DNS account type and the Bind DLZ module:
Please set the LDAP suffix either to an existing DNS zone (dlzZone) or an organizational unit that should include your DNS zones.
Automatic PTR management
LAM can automatically create/delete PTR entries for the entered IPv4/6 records. You can enable this feature on the module settings tab.
PTR records will get the same TTL as IP records. Please note that you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa") under the same suffix as your other DNS entries.
Zone management
If you do not yet have a DNS zone then LAM can create one for you. In list view switch the suffix to an organizational unit DN. Now you will see a button "New zone".
This will create the zone container entry and a default DNS entry "@" for authoritative information. Now switch the suffix to your new zone and start adding DNS entries.
DNS entries
LAM supports the following DNS record types:
SOA: authoritative information
NS: name servers
A/AAAA: IP addresses
PTR: reverse DNS entries
CNAME: alias names
MX: mail servers
TXT: text records
SRV: service entries
Authoritative (SOA) and name server (NS) records
Here you can manage general information about the zone like timeouts and name servers. Please note that name servers must be inserted in a special format (dot at the end).
IP addresses (A/AAAA)
LAM will automatically set the correct type (A/AAAA) depending on whether you enter an IPv4 or IPv6 address.
Reverse DNS entries
Reverse DNS entries are important when you need to find the DNS name that is associated with a given IP address. Reverse DNS entries are stored in a separate DNS zone.
Alias names (CNAME)
Sometimes a DNS entry should simply point to a different DNS entry (e.g. for migrations). This can be done by adding an alias name.
Mail servers (MX)
The mail server entries define where mails to a domain should be delivered. The server with the lowest preference has the highest priority.
Text records (TXT)
Text records can be added to store a description or other data (e.g. SPF information).
Services (SRV)
Service records can be used to specify which servers provide common services such as LDAP. Please note that the host name must be _SERVICE._PROTOCOL (e.g. _ldap._tcp).
Priority: The priority of the target host; a lower value means more preferred.
Weight: A relative weight for records with the same priority. E.g. weights 20 and 80 for a service will result in 20% of queries to the one server and 80% to the other.
Port: The port number that is used for your service.
Server: DNS name where the service can be reached (with dot at the end).
File upload
You can upload complete DNS zones via LAM's file upload. Here is an example for a zone file and the corresponding CSV file.
Zone file
@     IN  SOA    ns1.example.com admin.ns1.example.com (1 360000 3600 3600000 370000)
      IN  NS     ns1.example.com.
      IN  NS     ns2.example.com.
      IN  MX     10 mail1.example.com
      IN  MX     20 mail2.example.com
foo   IN  A      123.123.123.100
foo2  IN  CNAME  foo.example.com
bar   IN  A      123.123.123.101
      IN  AAAA   1:2:3:4:5
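The zone file format, LAM's automatic A/AAAA choice and the automatic PTR management described above, worked through as an added Python example (this is not LAM's own code). It assumes a constructed sample zone with a valid IPv6 address, that only NS and SRV targets are checked for the trailing dot, and classful reverse zones (/24 for IPv4, /64 for IPv6).

```python
"""Added example (not LAM's own code): parse a small Bind zone file into
records, derive the A/AAAA type from the address as LAM does, check the
trailing-dot rule for NS/SRV targets and compute the PTR names and
reverse zones that automatic PTR management relies on."""
import ipaddress
from dataclasses import dataclass

# Constructed sample zone modelled on the manual's example.  The second NS
# and the SRV target deliberately lack the trailing dot; the IPv6 address
# is a documentation-range address chosen for the demo.
SAMPLE_ZONE = """\
@    IN SOA   ns1.example.com. admin.ns1.example.com. (1 360000 3600 3600000 370000)
     IN NS    ns1.example.com.
     IN NS    ns2.example.com
     IN MX    10 mail1.example.com.
foo  IN A     123.123.123.100
foo2 IN CNAME foo.example.com.
bar  IN A     123.123.123.101
     IN AAAA  2001:db8::5
_ldap._tcp IN SRV 0 100 389 ldap.example.com
"""


@dataclass
class Record:
    owner: str   # fully qualified owner name, always with the trailing dot
    rtype: str   # SOA, NS, A, AAAA, ...
    rdata: str   # everything after the type, as written in the zone


def qualify(name, origin):
    """Expand '@' and relative names the way a zone's origin would."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return the records of a zone; a blank owner column repeats the
    previous owner, and an optional 'IN' class column is skipped."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        records.append(Record(owner, fields[0].upper(), " ".join(fields[1:])))
        last_owner = owner
    return records


def address_record_type(address):
    """LAM picks A or AAAA from the address family; ValueError on junk."""
    return "A" if ipaddress.ip_address(address).version == 4 else "AAAA"


def type_mismatches(records):
    """A/AAAA records whose declared type does not fit the address."""
    return [r for r in records
            if r.rtype in ("A", "AAAA") and address_record_type(r.rdata) != r.rtype]


def missing_trailing_dot(records):
    """NS and SRV targets must be absolute (dot at the end), as the manual notes."""
    return [(r.owner, r.rtype, r.rdata.split()[-1]) for r in records
            if r.rtype in ("NS", "SRV") and not r.rdata.endswith(".")]


def ptr_name(address):
    """Owner name of the PTR record for an address, e.g.
    100.123.123.123.in-addr.arpa or the nibble form under ip6.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def reverse_zone(address, prefixlen):
    """Name of the reverse zone that must exist under the LAM suffix for
    automatic PTR management.  Assumption: classful prefixes only
    (multiples of 8 bits for IPv4, 4 bits for IPv6)."""
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    bits_per_label = 8 if net.version == 4 else 4
    if prefixlen % bits_per_label:
        raise ValueError("classless reverse zones are not handled here")
    labels = net.network_address.reverse_pointer.split(".")
    drop = (net.max_prefixlen - prefixlen) // bits_per_label
    return ".".join(labels[drop:])


def ptr_records(records):
    """(PTR owner, target) pairs that automatic PTR management would create."""
    return [(ptr_name(r.rdata), r.owner) for r in records if r.rtype in ("A", "AAAA")]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "example.com.")
    for problem in missing_trailing_dot(recs):
        print("missing trailing dot:", problem)
    for ptr, target in ptr_records(recs):
        print(f"{ptr} PTR {target}")
```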
Please check that you have an existing zone entry that can be used for the file upload. See above to create a new zone.
Hint: If you use the function above to create a new zone then please skip the "@" entry in the CSV file below. LAM creates this entry with sample data.
In this example we assume that the following zone entry exists:
dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com
dlzzonename: example.com
objectclass: dlzZone
objectclass: top
Here is the corresponding CSV file: bindUpload.csv
Aliases (LAM Pro)
Some applications use the object class "alias" to link LDAP entries
to other parts of the LDAP tree. Activate the account type "Aliases" in your LAM server profile to use this account type.
Currently, only user accounts can be aliased with the "uidObject" object class.
Mail aliases
You can manage mail aliases (e.g. for NIS) inside LAM. This can be used to replace local /etc/aliases files with LDAP.
To activate this type please add "Mail aliases" in your LAM server profile:
NIS mail aliases
Note: Use the mail alias user module to manage mail aliases on user pages.
All accounts of this type are based on the "nisMailAlias" object class and may have "cn" and "rfc822MailMember" attributes.
You need to select the Mail aliases module on the next tab.
The mail aliases will then appear as a separate tab inside LAM. You may then manage the aliases with their names and recipient addresses.
There are mail/user icons that allow you to select a mail address/user name from the existing users.
Courier mail aliases
Mail aliases for Courier SMTP can be used when activating the NIS mail aliases and Courier modules:
You will then get the Courier tab for your mail aliases.
NIS net groups
LAM supports defining NIS netgroups. You can use them e.g. to restrict SSH access to your machines.
Add the NIS net group account type and its module to your server profile. Then you can manage net groups in LAM. Net groups may contain other net groups as child groups. You can either insert the host/user names manually or press the search buttons next to the input fields to find existing entries in your directory.
NIS objects (LAM Pro)
You can manage NIS objects with LAM Pro. This allows you to define network mount points in LDAP.
Add the NIS objects type to your LAM configuration and then the NIS objects module. This will add the NIS objects tab to LAM.
Automount objects (LAM Pro)
LAM Pro allows you to manage automount entries. Please activate the account type "Automount objects" in your LAM Pro server profile.
Then add the correct automount module. Usually, this is "Automount entry (automount)". If you use Suse Linux with the RFC2307bis schema please select "Automount entry (rfc2307bisAutomount)".
This will add a new tab to LAM Pro's main screen which includes a list of all automount entries. Here you can easily create new entries.
Please see the following external HowTos for more information on automounting and LDAP:
AutofsLDAP
Automount über LDAP (German)
Oracle databases (LAM Pro)
Oracle allows connection data that is stored in
tnsnames.ora to be stored in an LDAP directory instead.
Initial setup
LDAP server setup:
You will need to install the correct Oracle LDAP schema files on your LDAP server. If you run no Oracle LDAP server then you can get them (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from here.
Next you need to create the root entry for Oracle. It should look like this:
dn: cn=OracleContext,dc=example,dc=com
objectclass: orclContext
cn: OracleContext
You can create it with LAM's tree view. Please note that "cn" must be set to "OracleContext".
LAM setup:
Edit your LAM server profile and add the Oracle account type:
In case you manage a single Oracle context just enter the cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle context entries then set the LDAP suffix to a parent entry of them.
Next, add the Oracle module:
Now you can login to LAM and start to add database entries.
Managing database entries
Each database has a service name, the connection string and an optional description.
Database client setup for LDAP
You need to activate the LDAP adapter to make the database tools read from LDAP. Edit network/admin/sqlnet.ora like this:
NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)
Then add a file called ldap.ora next to your sqlnet.ora and set the LDAP server and DN suffix where cn=OracleContext is stored:
DIRECTORY_SERVERS= (ldap.example.com:389:636)
DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de"
DIRECTORY_SERVER_TYPE = OID
This will allow e.g. tnsping to get the connection data from LDAP:
[oracle@oracle bin]$ tnsping mydb
TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54
Copyright (c) 1997, 2013, Oracle. All rights reserved.
Used parameter files:
/home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))
OK (10 msec)
Password policies (LAM Pro)
OpenLDAP supports the ppolicy overlay to
manage password policies for LDAP entries. This allows you to set password policies which are independent from your applications. The policies are managed internally by the LDAP server.
You can manage these policies with LAM Pro with the account type "Password policies".
You will need to add the ppolicy schema to your OpenLDAP configuration and activate the ppolicy overlay module in slapd.conf to use this feature.
PyKota printers
Please add the account type "Printers (PyKota printers)" on tab "Account types" in your server profile and set up the LDAP suffix where printers are stored.
Then add the PyKota printer module on tab "Account modules".
Next you can start managing printers inside LAM. Here you can set up the costs for a print job. LAM will also show if the printer is a member of any printer groups.
You can also set up printer groups. Just add some members to your new group.
PyKota billing codes
Please add the account type "Billing codes" on tab "Account types" in your server profile and set up the LDAP suffix where billing codes are stored.
Then add the PyKota billing code module on tab "Account modules".
Now login to LAM and you will see the billing code tab where you can manage your entries. If jobs were printed with a billing code then you will also see the balance and page count.
Custom fields (LAM Pro)
This module allows you to manage LDAP attributes that are not covered by the other LAM modules (e.g. if you use custom LDAP schemas). You can fully define how your input fields look:
Label
LDAP attribute name
Unique name for field
Help text
Read-only display
Field type: text, password, text area, checkbox, radio buttons, select list, file upload
Validation via regular expression
Error message if validation fails
Limitations:
Custom fields cannot manage
structural object classes
attributes that require validation rules across multiple attributes or cannot be described by a simple regular expression
Activating the custom fields module:
You may specify custom fields for all of your account types. Please enter tab "Modules" in your server profile. Now activate the "Custom fields (customFields)" module for all needed account types.
Setting label and icon:
You may set the label that is displayed e.g. on the tab when editing an account. It is also possible to specify an icon (must be a valid URL like "/images/icon.png" or "http://server/images/icon.png"). The icon size should be 32x32 pixels.
LAM will display a default icon and "Custom fields" as label if you do not enter any values.
You may also specify how LAM displays custom fields when there are multiple field groups. The default is accordion view where you can switch field groups by clicking on the title. You may also deactivate this mode. Then all field groups are displayed one below the other.
Defining groups:
All input fields are divided into groups. A group may contain one or
more object classes and allows you to add/remove a certain set of input fields.
E.g. you may define two groups - "My application A" and "My application B" - that manage different LDAP attributes and object classes. This way you will be able to control both attribute sets independently.
To create a group please edit your server profile and switch to tab "Module settings". You will see the section "Custom fields" which allows you to add new groups. Now select your account type (e.g. Users) and specify an alias for your group. This alias will be printed as group header when you later edit an account in the admin interface.
After you created your new group you can set up the managed object classes. If you specify any object classes then you will later be able to add/remove a complete set of attributes including their object classes.
Skipping the object classes field is only useful if you want to manage some attributes that are not yet supported by LAM but there is already a LAM module that manages the object class.
The group may look like this when you edit a user.
Adding fields:
Now you can add a new field that manages an LDAP attribute. Simply fill the fields and press "Add".
Please note that the field name cannot be changed later. It is the unique ID for this field.
Examples for fields and their representation:
Text field:
Text fields allow you to specify a validation expression and error message.
You can also enable auto-completion. In this case LAM will search all accounts for the given attribute and provide auto-completion hints when the user edits this field. This should only be used if there is a limited number of different values for this attribute.
In case your field is a date value you can show a calendar for easy editing.
Example calendar formats:
dd.mm.yy: 31.12.2016
yy-mm-dd: 2016-12-31
d M, y: 31 Dec, 16
d MM, y: 31 December, 2016
Presentation:
Password field:
You can also manage custom password fields. LAM Pro will display two fields where the user must enter the same password. You can hash the password if needed.
Presentation:
Text area:
This adds a multi-line field. The options are similar to text fields. Additionally, you can set the size with the number of columns and rows.
Please note that the validation expression should be set to multi-line. This is done by adding "m" at the end.
Presentation:
Checkbox:
Sometimes you may want to allow only yes/no values for your LDAP attributes. This can be represented by a checkbox. You can specify the values for checked and unchecked. The default value is set if the LDAP attribute has no value.
Presentation:
Radio buttons:
This displays a list of radio buttons where the user can select one value.
You can specify a mapping of LDAP attribute values and their display (label) on the Self Service page. To add more mapping fields please press "Add more mapping fields".
Presentation:
Select list:
Select lists allow the user to select a value in a large list of options. The definition of the possible values and their display is similar to radio buttons.
You can also allow multiple values.
Presentation:
LDAP search select list
This is similar to "Select list" but the options are read from LDAP. You can use this to define e.g. a DN selection list. Multiple values are supported.
LDAP suffix: The LDAP DN that is used as starting point to search for LDAP entries.
LDAP filter: Only LDAP entries that match this filter will be used. If all entries should be used then use "(objectclass=*)".
Attribute name: The values of this attribute will be used to build the selection list.
Presentation:
Constant value
This will set the attribute to a constant value. You can also
specify wild cards to inject other attribute's values:Wildcards%attribute%: attribute value@attribute@: first character of attribute?attribute?: first character of attribute in lower case!attribute!: first character of attribute in upper case??attribute??: attribute in lower case!!attribute!!: attribute in upper case(attribute): space if attribute is set§attribute|;§; attribute values separted by ";" (you can set
other separators if you want)Examples for attributes gn="Steve", sn="Miller" and
memberUid=("user1", "user2") (specified value -> resulting LDAP
value):"my constant" -> "my constant""%gn%" -> "Steve""%gn%(gn)%sn%" -> "Steve Miller" (would be "Miller" if gn is
empty)"§memberUid|, §" -> "user1, user2"Validation expressions:The validation expressions follow the standard of Perl regular
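A resolver for the wildcard forms listed above, written for this chapter as an added example (it is not LAM's own code). It assumes attribute values are passed as lists of strings and reproduces the examples given for gn, sn and memberUid.

```python
import re

# One alternation per wildcard form from the list above. The two-character forms
# (??x??, !!x!!) come before their one-character variants so they are tried first.
_WILDCARD = re.compile(
    r"%(?P<val>[\w-]+)%"
    r"|@(?P<first>[\w-]+)@"
    r"|\?\?(?P<lower>[\w-]+)\?\?"
    r"|\?(?P<firstlower>[\w-]+)\?"
    r"|!!(?P<upper>[\w-]+)!!"
    r"|!(?P<firstupper>[\w-]+)!"
    r"|\((?P<space>[\w-]+)\)"            # note: any "(word)" in a constant is a wildcard
    r"|§(?P<joined>[\w-]+)\|(?P<sep>[^§]*)§"
)

_SINGLE = {                        # forms that use only the first attribute value
    "val": lambda v: v,
    "first": lambda v: v[:1],
    "lower": lambda v: v.lower(),
    "firstlower": lambda v: v[:1].lower(),
    "upper": lambda v: v.upper(),
    "firstupper": lambda v: v[:1].upper(),
    "space": lambda v: " ",
}

def resolve(template, attrs):
    """Replace constant-value wildcards in template using attrs (name -> list of values).
    Unset or empty attributes resolve to "", so "(gn)" yields no space when gn is empty."""
    def values(name):
        return [v for v in attrs.get(name, []) if v != ""]

    def substitute(match):
        if match.group("joined") is not None:       # §attr|sep§ joins all values
            return match.group("sep").join(values(match.group("joined")))
        kind = next(k for k in _SINGLE if match.group(k) is not None)
        vals = values(match.group(kind))
        return _SINGLE[kind](vals[0]) if vals else ""

    return _WILDCARD.sub(substitute, template)

# Constructed sample entry matching the examples in the text.
SAMPLE = {"gn": ["Steve"], "sn": ["Miller"], "memberUid": ["user1", "user2"]}
```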
Validation expressions:

The validation expressions follow the standard of Perl regular expressions. They start and end with a "/". The beginning of a line is specified by "^" and the end by "$".

Examples:
  /^[a-z0-9]+$/ allows small letters and numbers. The value must not be empty ("+").
  /^[a-z0-9]+$/i allows small and capital letters ("i" at the end means ignore case) and numbers. The value must not be empty ("+").

Special characters that must be escaped with "\": "\", ".", "(", ")"

E.g. /^[a-z0-9\.]$/i
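An added example (not LAM code) that interprets the /pattern/flags syntax used above and shows what the "i" flag and the "m" flag recommended for text areas change. It assumes that LAM, like PHP's preg_match, accepts a value when the expression matches anywhere in it, which is why the text anchors its examples with "^" and "$".

```python
import re

# Flags the examples above append after the closing "/": "i" (ignore case), "m" (multi-line).
_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE}

def compile_validation(expression):
    """Compile a LAM validation expression such as /^[a-z0-9]+$/i into a Python regex.
    The pattern body is used unchanged; only the surrounding slashes and flags are parsed."""
    match = re.fullmatch(r"/(.*)/([im]*)", expression, re.DOTALL)
    if match is None:
        raise ValueError("expected /pattern/ with optional i or m flags: %r" % expression)
    pattern, flags = match.groups()
    bits = 0
    for flag in flags:
        bits |= _FLAGS[flag]
    return re.compile(pattern, bits)

def is_valid(expression, value):
    """True if the value passes the expression. A match anywhere counts (assumed to mirror
    preg_match), so only "^" and "$" constrain the whole value. With "m" they apply per line,
    so a multi-line value passes as soon as one of its lines matches."""
    return compile_validation(expression).search(value) is not None
```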
File upload:

This is used for binary data. You can restrict uploaded data to a given file extension and set the maximum file size.

Presentation:

The uploaded data may also be downloaded via LAM.

Custom scripts (LAM Pro)

LAM Pro allows you to execute scripts whenever an account is created, modified or deleted. This can be useful to automate processes which previously needed manual work afterwards (e.g. sending your user a welcome mail or registering a mailbox). Additionally, you can specify manual scripts that can be executed from within LAM Pro.

To activate this feature please add the "Custom scripts" module to all needed account types on the configuration pages.

In "Module settings" you can specify multiple scripts for each action type (e.g. modify) and account type (e.g. user). The scripts need to be located on the filesystem of your webserver and will be executed in its user environment. E.g. if your webserver runs as user www-data with the group www-data then the custom scripts will be run under this user with its rights. The output of the scripts will be shown in LAM.

You can specify the scripts on the LAM configuration pages.

Syntax:

Please enter one script per line. Each line has the following format: <account type> <action> <script>

E.g.: user preModify /usr/bin/myCustomScript -u $uid$

Account types:

You can setup scripts for all available account types (e.g. user, group, host, ...). Please see the help on the configuration page about your current active account types.

Actions:
Action types

  Action name   Description
  preCreate     Executed before creating a new account (cancels operation if a script returns an exit code > 0, not available for file upload)
  postCreate    Executed after creating a new account (does not run if preCreate or LDAP operations fail)
  preModify     Executed before an account is modified (cancels operation if a script returns an exit code > 0)
  postModify    Executed after an account was modified (does not run if preModify or LDAP operations fail)
  preDelete     Executed before an account is deleted (cancels operation if a script returns an exit code > 0)
  postDelete    Executed after an account was deleted (does not run if preDelete or LDAP operations fail)
  manual        Can be run manually on account page. If you add LAMLABEL="text" before the command then LAM will use the text as label for the button in account edit screen.
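A hypothetical preCreate script, added here as an example and not part of LAM, that uses the exit-code contract from the table above to cancel a creation that violates a local policy. It assumes the $uid$ wildcard from the Syntax example plus $cn$ and $memberUid$ for groups, an installation path of /usr/local/bin/lam_hook.py, and that LAM substitutes the wildcards before running the command as the webserver user.

```python
#!/usr/bin/env python3
"""Assumed "Module settings" lines for this script (one per account type):
  user  preCreate /usr/local/bin/lam_hook.py user --uid $uid$
  group preCreate /usr/local/bin/lam_hook.py group --cn $cn$ --members $memberUid$
An exit code > 0 makes LAM cancel the creation; the printed message is shown in LAM."""
import argparse
import html
import sys

RESERVED_UIDS = {"root", "admin", "administrator"}   # constructed sample policy
PRIVILEGED_GROUPS = {"wheel", "sudo"}                 # constructed sample policy

def split_multi_value(raw):
    """LAM separates the values of a multi-value attribute by commas."""
    return [v for v in raw.split(",") if v]

def run(argv):
    """Return (exit_code, message); main() prints the message and exits with the code."""
    parser = argparse.ArgumentParser(prog="lam_hook.py")
    sub = parser.add_subparsers(dest="kind", required=True)
    p_user = sub.add_parser("user")
    p_user.add_argument("--uid", required=True)
    p_group = sub.add_parser("group")
    p_group.add_argument("--cn", required=True)
    p_group.add_argument("--members", default="")
    args = parser.parse_args(argv)
    if args.kind == "user":
        if args.uid.lower() in RESERVED_UIDS:
            return 1, "creation cancelled: '%s' is a reserved user name" % args.uid
        return 0, "user name '%s' accepted" % args.uid
    members = split_multi_value(args.members)
    # Privileged groups must be created empty; members are added in a separate, reviewed step.
    if args.cn.lower() in PRIVILEGED_GROUPS and members:
        return 1, "creation cancelled: create '%s' without members first" % args.cn
    return 0, "group '%s' with %d member(s) accepted" % (args.cn, len(members))

def main():
    code, message = run(sys.argv[1:])
    # LAM shows the output in its web UI; escape it so attribute values are never
    # rendered as markup if "Output may contain HTML" is enabled.
    print(html.escape(message))
    sys.exit(code)

if __name__ == "__main__":
    main()
```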
Script:

You can execute any script which is located on the filesystem of your webserver. The path may be absolute or relative to the PATH variable of the environment of your webserver process. It is also possible to add command line arguments to your scripts. Additionally, LAM will resolve wildcards to LDAP attributes. If your script includes a wildcard in the format $ATTRIBUTE$ then LAM will replace it with the attribute value of the current LDAP entry. The values of multi-value attributes are separated by commas. E.g. if you create an account with the attribute "uid" and value "steve" then LAM will resolve "$uid$" to "steve".

Please note that manual scripts can only use the current LDAP attribute values of the account. Any modifications that are not yet saved will not be available. Manual scripts are also not available for new accounts that are not yet saved to LDAP.

You can switch LAM's logging to debug mode if you are unsure which attributes with which values are available.

The following special wildcards are available for automatic scripts:
  $INFO.userPasswordClearText$: cleartext password when Unix/Windows password is changed (e.g. useful for external password synchronisation) for new/modified accounts
  $INFO.userPasswordStatusChange$: provides additional information if the Personal/Unix password locking status was changed, possible values: locked, unlocked, unchanged
  $INFO.passwordSelfResetAnswerClearText$: cleartext answer to security question
  $INFO.389lockingStatusChange$: for 389ds account locking, provides information if account was unlocked. Possible values: unchanged, unlocked
  $INFO.389deactivationStatusChange$: for 389ds account locking, provides information if account was deactivated. Possible values: unchanged, activated, deactivated
  $NEW.<attribute>$: the value of a new attribute (e.g. $NEW.telephoneNumber$) for modified accounts
  $DEL.<attribute>$: the value of a deleted attribute (e.g. $DEL.telephoneNumber$) for modified accounts
  $MOD.<attribute>$: the new value of a modified attribute (e.g. $MOD.telephoneNumber$) for modified accounts
  $ORIG.<attribute>$: the original value of an attribute (e.g. $ORIG.telephoneNumber$) for modified accounts

Output may contain HTML: If your scripts generate HTML output then activate this option.

Hide command in messages: You may want to prevent that your users see the executed commands. In this case activating this option will only show the command output but not the command itself.

You can see a preview of the commands which will be automatically executed on the "Custom scripts" tab. Here you can also run the manual scripts.

Sudo roles (LAM Pro)

You can manage your sudo roles in LDAP if you have installed the sudo-ldap package or compiled sudo with LDAP support.

To activate sudo management in LAM Pro edit your server profile and add the type "Sudo roles".

Now you can create sudo commands.

The sudo roles in LDAP work similar to those in /etc/sudoers. You can specify who may run which commands as which user. It is also possible to specify options like NOPASSWD.

LDAP views based on nsview (LAM Pro)

LAM Pro supports LDAP views based on the "nsview" object class. These views allow you to create an organizational unit that shows a subset of your LDAP content. The subset is determined by an LDAP filter.

Configuration:

To activate view management in LAM Pro edit your server profile and add the type "LDAP views".

Now you are ready to create your views. Each view has a name, an LDAP filter and an optional description.

General information

This module is available for all account types. It shows some internal information about the LDAP entries like the creation time and who modified the entry.

If you use the "memberOf" overlay in OpenLDAP then this will also show group memberships done by the overlay.

Tree view (LDAP browser)

The tree view provides a raw view on your LDAP directory. This feature is for people who are experienced with LDAP and need special functionality which the LAM account modules do not provide. E.g. if you want to add a special object class to an account or edit attributes ignoring LAM's syntax checks.

There are also some special functions available:

Export: This allows you to export entries to a file (e.g. LDIF or CSV format).

Show internal attributes: Shows internal attributes of the current entry. This includes information about the creator and creation time of the entry.