<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> <book> <title>LDAP Account Manager - Manual</title> <preface> <title>Overview</title> <para>LDAP Account Manager (LAM) manages user, group and host accounts in an LDAP directory. LAM runs on any web server with PHP5 support and connects to your LDAP server unencrypted or via SSL/TLS.</para> <para>Currently LAM supports these account types: Samba 3, Unix, Kolab 2, address book entries, NIS mail aliases and MAC addresses. A tree viewer is included to give access to the raw LDAP attributes. You can use templates for account creation and use multiple configuration profiles. LAM is translated to Catalan, Chinese (Traditional + Simplified), Czech, Dutch, English, French, German, Hungarian, Italian, Japanese, Polish, Portuguese, Russian and Spanish.</para> <para><ulink url="http://www.ldap-account-manager.org/">http://www.ldap-account-manager.org/</ulink></para> <para>Copyright (C) 2003 - 2012 Roland Gruber &lt;post@rolandgruber.de&gt;</para> <para><emphasis role="bold">Key features:</emphasis></para> <itemizedlist> <listitem> <para>managing user/group/host/domain entries</para> </listitem> <listitem> <para>account profiles</para> </listitem> <listitem> <para>account creation via file upload</para> </listitem> <listitem> <para>multiple configuration profiles</para> </listitem> <listitem> <para>LDAP browser</para> </listitem> <listitem> <para>schema browser</para> </listitem> <listitem> <para>OU editor</para> </listitem> <listitem> <para>PDF export for all accounts</para> </listitem> <listitem> <para>manage user/group quota and create home directories</para> </listitem> </itemizedlist> <para><emphasis role="bold">Requirements:</emphasis></para> <itemizedlist> <listitem> <para>PHP5 (>= 5.2.4)</para> </listitem> <listitem> <para>OpenLDAP (2.0 or greater)</para> </listitem> <listitem> <para>A recent web browser that
supports CSS2 and JavaScript, at minimum:</para> <itemizedlist> <listitem> <para>Firefox 3</para> </listitem> <listitem> <para>Internet Explorer 8<emphasis role="bold"> (compatibility mode turned off)</emphasis></para> </listitem> <listitem> <para>Opera 10</para> </listitem> </itemizedlist> </listitem> </itemizedlist> <para><emphasis role="bold">License:</emphasis></para> <para>LAM is published under the GNU General Public License. The complete list of licenses can be found in the copyright file.</para> <para><emphasis role="bold">Default password:</emphasis></para> <para>The default password for the LAM configuration is "lam".</para> <literallayout> Have fun! The LAM development team</literallayout> </preface> <preface> <title>Architecture</title> <para>There are basically two groups of users for LAM:</para> <itemizedlist> <listitem> <para><emphasis role="bold">LDAP administrators and support staff:</emphasis></para> <para>These people administer LDAP entries like user accounts, groups, ...</para> </listitem> <listitem> <para><emphasis role="bold">Users:</emphasis></para> <para>This includes all people who need to manage their own data inside the LDAP directory. E.g. these people edit their contact information with LAM self service (LAM Pro).</para> </listitem> </itemizedlist> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/lam_architecture.png" /> </imageobject> </mediaobject> </screenshot> <para>Therefore, LAM is split into two separate parts, LAM for admins and LAM for users. LAM for admins allows you to manage various types of LDAP entries (e.g. users, groups, hosts, ...). It also contains tools like batch upload, account profiles, LDAP schema viewer and an LDAP browser. LAM for users focuses on end users. It provides a self service for the users to edit their personal data (e.g. contact information).
The LAM administrator is able to specify what data may be changed by the users. The layout can also be adapted to your corporate design.</para> <para>LAM for admins/users is accessible via HTTP(S) by all major web browsers (Firefox, IE, Opera, ...).</para> <para><emphasis role="bold">LAM runtime environment:</emphasis></para> <para>LAM runs on PHP. Therefore, it is independent of CPU architecture and operating system (OS). You can run LAM on any OS which supports Apache or other PHP compatible web servers.</para> <para><emphasis role="bold">Home directory server:</emphasis></para> <para>You can manage user home directories and their quotas inside LAM. The home directories may reside on the server where LAM is installed or on any remote server. The commands for home directory management are secured by SSH. LAM will use the user name and password of the logged in LAM administrator for authentication.</para> <para><emphasis role="bold">LDAP directory:</emphasis></para> <para>LAM connects to your LDAP server via the standard LDAP protocol.
It also supports encrypted connections with SSL and TLS.</para> </preface> <chapter id="a_installation"> <title>Installation</title> <section id="a_install"> <title>New installation</title> <section> <title>Requirements</title> <para>LAM has the following requirements to run:</para> <itemizedlist> <listitem> <para>Apache web server (SSL recommended) with PHP module (PHP 5 (>= 5.2.4) with ldap, gettext, xml and optional mcrypt)</para> </listitem> <listitem> <para>Some LAM plugins may require additional PHP extensions (you will get a note on the login page if something is missing)</para> </listitem> <listitem> <para>Perl (optional, needed only for lamdaemon)</para> </listitem> <listitem> <para>OpenLDAP (>2.0)</para> </listitem> <listitem> <para>A recent web browser that supports CSS2 and JavaScript, at minimum:</para> <para><itemizedlist> <listitem> <para>Firefox 3</para> </listitem> <listitem> <para>Internet Explorer 8 <emphasis role="bold">(compatibility mode turned off)</emphasis></para> </listitem> <listitem> <para>Opera 10</para> </listitem> </itemizedlist></para> </listitem> </itemizedlist> <para>MCrypt will be used to store your LDAP password encrypted in the session file.</para> <para>See <link linkend="a_schema">LDAP schema files</link> for information about the LDAP schema files used.</para> </section> <section> <title>Prepackaged releases</title> <para>LAM is available as a prepackaged version for various platforms.</para> <section> <title>Debian</title> <informaltable frame="none" tabstyle="noborder"> <tgroup cols="2"> <tbody> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/debian.png" /> </imageobject> </inlinemediaobject></entry> <entry>LAM is part of the official Debian repository. New releases are uploaded to unstable and will be available automatically in testing and the stable releases. You can run<para><emphasis role="bold">apt-get install ldap-account-manager</emphasis></para>to install LAM on your server.
Additionally, you may download the latest LAM Debian packages from the <ulink type="" url="http://www.ldap-account-manager.org/">LAM homepage</ulink> or the <ulink url="http://packages.debian.org/search?keywords=ldap-account-manager">Debian package homepage</ulink>.<para><emphasis role="bold">Installation of the latest packages on Debian Lenny</emphasis></para><orderedlist> <listitem> <para>apt-get install javascript-common</para> </listitem> <listitem> <para>Download the jquery and jquery-ui packages from here:</para> <para><ulink url="http://packages.debian.org/squeeze/all/libjs-jquery/download">http://packages.debian.org/squeeze/all/libjs-jquery/download</ulink></para> <para><ulink url="http://packages.debian.org/squeeze/all/libjs-jquery-ui/download">http://packages.debian.org/squeeze/all/libjs-jquery-ui/download</ulink></para> </listitem> <listitem> <para>Install first jquery and then jquery-ui:</para> <para>dpkg -i libjs-jquery_*.deb</para> <para>dpkg -i libjs-jquery-ui_*.deb</para> </listitem> <listitem> <para>Install php-fpdf 1.6.dfsg-1 from here:</para> <para><ulink url="http://packages.debian.org/stable/all/php-fpdf/download">http://packages.debian.org/stable/all/php-fpdf/download</ulink></para> </listitem> <listitem> <para>Install the LAM package</para> <para>dpkg -i ldap-account-manager_*.deb</para> </listitem> <listitem> <para>Install the lamdaemon package (optional)</para> <para>dpkg -i ldap-account-manager-lamdaemon_*.deb</para> </listitem> </orderedlist></entry> </row> </tbody> </tgroup> </informaltable> </section> <section> <title>Suse/Fedora</title> <informaltable frame="none"> <tgroup cols="2"> <tbody> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/suse.png" /> </imageobject> </inlinemediaobject><para></para><inlinemediaobject> <imageobject> <imagedata fileref="images/fedora.png" /> </imageobject> </inlinemediaobject></entry> <entry>There are RPM packages available on the <ulink type="" 
url="http://www.ldap-account-manager.org/">LAM homepage</ulink>. The packages can be installed with these commands:<para><emphasis role="bold">rpm -e ldap-account-manager ldap-account-manager-lamdaemon</emphasis> (if an older version is installed)</para><para><emphasis role="bold">rpm -i &lt;path to LAM package&gt;</emphasis></para></entry> </row> </tbody> </tgroup> </informaltable> </section> <section> <title>Other RPM based distributions</title> <para>The RPM packages for Suse/Fedora are very generic and should be installable on other RPM-based distributions, too. The Fedora packages use apache:apache as file owner and the Suse ones use wwwrun:www.</para> </section> <section> <title>FreeBSD</title> <informaltable frame="none"> <tgroup cols="2"> <tbody> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/freebsd.png" /> </imageobject> </inlinemediaobject></entry> <entry>LAM is part of the official FreeBSD ports tree. For more details see these pages:<para>FreeBSD-CVS: <ulink url="http://www.freebsd.org/cgi/cvsweb.cgi/ports/sysutils/ldap-account-manager">http://www.freebsd.org/cgi/cvsweb.cgi/ports/sysutils/ldap-account-manager</ulink></para><para>FreshPorts: <ulink url="http://www.freshports.org/sysutils/ldap-account-manager">http://www.freshports.org/sysutils/ldap-account-manager</ulink></para></entry> </row> </tbody> </tgroup> </informaltable> </section> </section> <section> <title>Installing the tar.gz</title> <section> <title>Extract the archive</title> <para>Please extract the archive with the following command:</para> <para>tar xzf ldap-account-manager-&lt;version&gt;.tar.gz</para> </section> <section> <title>Install the files</title> <section> <title>Manual copy</title> <para>Copy the files into the document root of the web server.
For example /apache/htdocs.</para> <para>Then set the appropriate file permissions:</para> <itemizedlist> <listitem> <para>lam/sess: write permission for the Apache user</para> </listitem> <listitem> <para>lam/tmp: write permission for the Apache user</para> </listitem> <listitem> <para>lam/config (with subdirectories): write permission for the Apache user</para> </listitem> <listitem> <para>lam/lib: lamdaemon.pl must be executable</para> </listitem> </itemizedlist> </section> <section> <title>With configure script</title> <para>Instead of manually copying files you can also use the included configure script to install LAM. Just run these commands in the extracted directory:</para> <itemizedlist> <listitem> <para>./configure</para> </listitem> <listitem> <para>make install</para> </listitem> </itemizedlist> <para>Options for "./configure":</para> <itemizedlist> <listitem> <para>--with-httpd-user=USER USER is the name of your Apache user account (default httpd)</para> </listitem> <listitem> <para>--with-httpd-group=GROUP GROUP is the name of your Apache group (default httpd)</para> </listitem> <listitem> <para>--with-web-root=DIRECTORY DIRECTORY is the directory where LAM should be installed (default /usr/local/lam)</para> </listitem> </itemizedlist> </section> </section> <section> <title>Configuration files</title> <para>Copy config/config.cfg_sample to config/config.cfg and config/lam.conf_sample to config/lam.conf. Open index.html in your web browser:</para> <itemizedlist> <listitem> <para>Follow the link "LAM configuration" from the start page to <link linkend="a_configuration">configure LAM</link>.</para> </listitem> <listitem> <para>Select "Edit general settings" to set up global settings and to change the <link linkend="a_configPasswords">master configuration password</link> (default is "lam").</para> </listitem> <listitem> <para>Select "Edit server profiles" to set up your server profiles. There should be the lam profile which you just copied from the sample file.
The default password is "lam". Now change the settings to fit for your environment.</para> </listitem> </itemizedlist> </section> </section> <section> <title>System configuration</title> <section> <title>PHP</title> <para>LAM runs with PHP5 (>= 5.2.4). Needed changes in your php.ini:</para> <para>memory_limit = 64M</para> <para>If you run PHP with activated <ulink url="http://www.hardened-php.net/suhosin/index.html">Suhosin</ulink> extension please check your logs for alerts. E.g. LAM requires that "suhosin.post.max_name_length" and "suhosin.request.max_varname_length" are increased (e.g. to 256).</para> </section> <section> <title>Locales for non-English translation</title> <para>If you want to use a translated version of LAM be sure to install the needed locales. The following table shows the needed locales for the different languages.</para> <table> <title>Locales</title> <tgroup cols="2"> <tbody> <row> <entry><emphasis role="bold">Language</emphasis></entry> <entry><emphasis role="bold">Locale</emphasis></entry> </row> <row> <entry>Catalan</entry> <entry>ca_ES.utf8</entry> </row> <row> <entry>Chinese (Simplified)</entry> <entry>zh_CN.utf8</entry> </row> <row> <entry>Chinese (Traditional)</entry> <entry>zh_TW.utf8</entry> </row> <row> <entry>Czech</entry> <entry>cs_CZ.utf8</entry> </row> <row> <entry>Dutch</entry> <entry>nl_NL.utf8</entry> </row> <row> <entry>English</entry> <entry>no extra locale needed</entry> </row> <row> <entry>French</entry> <entry>fr_FR.utf8</entry> </row> <row> <entry>German</entry> <entry>de_DE.utf8</entry> </row> <row> <entry>Hungarian</entry> <entry>hu_HU.utf8</entry> </row> <row> <entry>Italian</entry> <entry>it_IT.utf8</entry> </row> <row> <entry>Japanese</entry> <entry>ja_JP.utf8</entry> </row> <row> <entry>Polish</entry> <entry>pl_PL.utf8</entry> </row> <row> <entry>Portuguese</entry> <entry>pt_BR.utf8</entry> </row> <row> <entry>Russian</entry> <entry>ru_RU.utf8</entry> </row> <row> <entry>Spanish</entry> <entry>es_ES.utf8</entry> 
</row> </tbody> </tgroup> </table> <para>You can get a list of all installed locales on your system by executing:</para> <para>locale -a</para> <para>Debian users can add locales with "dpkg-reconfigure locales".</para> </section> </section> </section> <section> <title>Upgrading LAM or migrating from LAM to LAM Pro</title> <section> <title>Migrating configuration files</title> <para>First, you need to make a backup of your existing configuration files.</para> <para>LAM stores all configuration files in the "config" folder. Please back up the following files and copy them back after the new version is installed.</para> <simplelist> <member>config/*.conf</member> <member>config/config.cfg</member> <member>config/pdf/*.xml</member> <member>config/profiles/*</member> </simplelist> <para>LAM Pro only:</para> <simplelist> <member>config/selfService/*.*</member> </simplelist> <para>Second, <link linkend="a_uninstall">uninstall</link> your current LAM (Pro) installation.</para> <para>Third, <link linkend="a_install">install</link> the new LAM (Pro) release. Skip the part about setting up LAM configuration files.</para> <para>Finally, restore your configuration files from the backup. Copy all files from the backup folder to the config folder in your LAM (Pro) installation. Do not simply replace the folder because the new LAM (Pro) release might include additional files in this folder. Overwrite any existing files with your backup files.</para> <para>Now open your web browser and point it to the LAM login page. All your settings should be migrated.</para> <para>Please also check the <link linkend="a_versUpgrade">version specific instructions</link>. They might include additional actions.</para> </section> <section id="a_versUpgrade"> <title>Version specific upgrade instructions</title> <section> <title>3.5.0 -> 3.6</title> <para><emphasis role="bold">Debian users:</emphasis> LAM 3.6 requires FPDF 1.7 to be installed.
You can download the package <ulink url="http://packages.debian.org/search?keywords=php-fpdf&amp;searchon=names&amp;suite=all&amp;section=all">here</ulink>. If you use Debian Stable (Squeeze) please use the package from Testing (Wheezy).</para> </section> <section> <title>3.4.0 -> 3.5.0</title> <para><emphasis role="bold">LAM Pro:</emphasis> The global config/passwordMailTemplate.txt is no longer supported. You can now set up the mail settings for each LAM server profile, which provides more flexibility.</para> <para><emphasis role="bold">Suse/Fedora RPM installations:</emphasis> LAM is now installed to /usr/share/ldap-account-manager and /var/lib/ldap-account-manager.</para> <para>Please note that configuration files are not migrated automatically. Please move the files from /srv/www/htdocs/lam/config (Suse) or /var/www/html/lam/config (Fedora) to /var/lib/ldap-account-manager/config.</para> </section> <section> <title>3.3.0 -> 3.4.0</title> <para>No changes.</para> </section> <section> <title>3.2.0 -> 3.3.0</title> <para>If you use custom images for the PDF export then these images need to be 5 times bigger than before (e.g. 250x250px instead of 50x50px). This allows the use of images with higher resolution.</para> </section> <section> <title>3.1.0 -> 3.2.0</title> <para>No changes.</para> </section> <section> <title>3.0.0 -> 3.1.0</title> <para>LAM supported setting a list of valid workstations on the "Personal" page. This required a change to the LDAP schema. Since 3.1.0 this is replaced by the new "Hosts" module for users.</para> <para>Lamdaemon: The sudo entry needs to be changed to ".../lamdaemon.pl *".</para> </section> <section> <title>2.3.0 -> 3.0.0</title> <para>No changes.</para> </section> <section> <title>2.2.0 -> 2.3.0</title> <para><emphasis role="bold">LAM Pro:</emphasis> There is now a separate account type for group of (unique) names.
Please edit your server profiles to activate the new account type.</para> </section> <section> <title>1.1.0 -> 2.2.0</title> <para>No changes.</para> </section> </section> </section> <section id="a_uninstall"> <title>Uninstallation of LAM (Pro)</title> <para>If you used the prepackaged installation packages then remove the ldap-account-manager and ldap-account-manager-lamdaemon packages.</para> <para>Otherwise, remove the folder where you installed LAM via configure or by copying the files.</para> </section> </chapter> <chapter id="a_configuration"> <title>Configuration</title> <para>After you <link linkend="a_installation">installed</link> LAM you can configure it to fit your needs. The complete configuration can be done inside the application. There is no need to edit configuration files.</para> <para>Please point your browser to the location where you installed LAM. E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM via the tar.gz then this may vary. You should see the following page:</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/login.png" /> </imageobject> </mediaobject> </screenshot> <para>If you see an error message then you might need to install an additional PHP extension. Please follow the instructions and reload the page afterwards.</para> <para>Now you are ready to configure LAM. Click on the "LAM configuration" link to proceed.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configOverview.png" /> </imageobject> </mediaobject> </screenshot> <para>Here you can change LAM's general settings, set up server profiles for your LDAP server(s) and configure the <link linkend="a_selfService">self service</link> (LAM Pro). You should start with the general settings and then set up a server profile.</para> <section> <title>General settings</title> <para>After selecting "Edit general settings" you will need to enter the <link linkend="a_configPasswords">master configuration password</link>.
The default password for new installations is "lam". Now you can edit the general settings.</para> <section> <title>Security settings</title> <para>Here you can set a time period after which inactive sessions are automatically invalidated. The selected value represents minutes of inactivity.</para> <para>You may also set a list of IP addresses which are allowed to access LAM. The IPs can be specified as a full IP (e.g. 123.123.123.123) or with the "*" wildcard (e.g. 123.123.123.*). Users who try to access LAM from an untrusted IP only get blank pages.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configGeneral1.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Password policy</title> <para>This allows you to specify a central password policy for LAM. The policy is valid for all password fields inside LAM admin (excluding tree view) and LAM self service. Configuration passwords do not need to follow this policy.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configGeneral2.png" /> </imageobject> </mediaobject> </screenshot> <para>You can set the minimum password length and also the complexity of the passwords.</para> </section> <section> <title>Logging</title> <para>LAM can log events (e.g. user logins). You can use system logging (syslog for Unix, event viewer for Windows) or log to a separate file. Please note that LAM may log sensitive data (e.g. passwords) at log level "Debug". Production systems should be set to "Warning" or "Error".</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configGeneral3.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Change master password</title> <para>If you would like to change the master configuration password then enter a new password here.</para> </section> </section> <section> <title>Server profiles</title> <para>The server profiles store information about your LDAP server (e.g.
host name) and what kind of accounts (e.g. users and groups) you would like to manage. There is no limit on the number of server profiles. See the <link linkend="confTypicalScenarios">typical scenarios</link> for how to structure your server profiles.</para> <section> <title>Manage server profiles</title> <para>Select "Manage server profiles" to open the profile management page.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configProfiles1.png" /> </imageobject> </mediaobject> </screenshot> <para>Here you can create, rename and delete server profiles. The <link linkend="a_configPasswords">passwords</link> of your server profiles can also be reset.</para> <para>You may also specify the default server profile. This is the server profile which is preselected at the login page. It also specifies the language of the login and configuration pages.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configProfiles2.png" /> </imageobject> </mediaobject> </screenshot> <para>You can create a new server profile by simply entering its name and password. After you have created a new profile you can go back to the profile login and edit your new server profile.</para> <para>All operations on the profile management page require that you authenticate yourself with the <link linkend="a_configPasswords">configuration master password</link>.</para> </section> <section> <title>Editing a server profile</title> <para>Please select your server profile and enter its password to edit a server profile.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configProfiles3.png" /> </imageobject> </mediaobject> </screenshot> <para>Each server profile contains the following information:</para> <itemizedlist> <listitem> <para><emphasis role="bold">General settings:</emphasis> general settings about your LDAP server (e.g.
host name and security settings)</para> </listitem> <listitem> <para><emphasis role="bold">Account types:</emphasis> list of account types (e.g. users and groups) that you would like to manage and type specific settings (e.g. LDAP suffix)</para> </listitem> <listitem> <para><emphasis role="bold">Modules:</emphasis> list of modules which define what account aspects (e.g. Unix, Samba, Kolab) you would like to manage</para> </listitem> <listitem> <para><emphasis role="bold">Module settings:</emphasis> settings which are specific to the account modules selected on the previous page</para> </listitem> </itemizedlist> <section> <title>General settings</title> <para>Here you can specify the LDAP server and some security settings.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configProfiles4.png" /> </imageobject> </mediaobject> </screenshot> <para>The server address of your LDAP server can be a DNS name or an IP address. Use ldap:// for unencrypted LDAP connections or for TLS encrypted connections. LDAP+SSL (LDAPS) encrypted connections are specified with ldaps://. The port value is optional. TLS cannot be combined with ldaps://.</para> <para>LAM includes an LDAP browser which allows direct modification of LDAP entries. If you would like to use it then enter the LDAP suffix at "Tree suffix".</para> <para>The search limit is used to reduce the number of search results which are returned by your LDAP server.</para> <para>The access level specifies whether LAM is allowed to modify LDAP entries. This feature is only available in LAM Pro. LAM non-Pro releases use write access. See <link linkend="a_accessLevelPasswordReset">this page</link> for details on the different access levels.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configProfiles5.png" /> </imageobject> </mediaobject> </screenshot> <para>LAM is translated to many different languages. Here you can select the default language for this server profile.
The language setting may be overridden at the LAM login page.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configProfiles6.png" /> </imageobject> </mediaobject> </screenshot> <para>LAM can manage user home directories and quotas with an external script. You can specify the home directory server and where the script is located. The default rights for new home directories can be set, too.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configProfiles8.png" /> </imageobject> </mediaobject> </screenshot> <para>LAM supports two methods for login. The first one is to specify a fixed list of LDAP DNs that are allowed to log in. Please enter one DN per line.</para> <para>The second one is to let LAM search for the DN in your directory. E.g. if a user logs in with the user name "joe" then LAM will do an LDAP search for this user name. When it finds a matching DN then it will use this to authenticate the user. The wildcard "%USER%" will be replaced by "joe" in this example. This way you can provide login by user name, email address or other LDAP attributes.</para> <para>Additionally, you can enable HTTP authentication when using "LDAP search". This way the web server is responsible for authenticating your users. LAM will use the given user name + password for the LDAP login. You can also use this to set up advanced login restrictions (e.g. require group memberships for login). To set up HTTP authentication in Apache please see this <ulink url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink> and an example for LDAP authentication <link linkend="apache_http_auth">here</link>.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configProfiles7.png" /> </imageobject> </mediaobject> </screenshot> <para>You may also change the password of this server profile.
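</para> <para>The "LDAP search" login method described above, as an added example that is not LAM's own code (the filter template, the sample entries and the function names are constructed for illustration): the typed user name is substituted for %USER% in a filter template, the value is escaped as RFC 4515 requires so that characters such as "*" or "(" are matched literally instead of being read as filter syntax, and a login is accepted only when the search yields exactly one DN. The page does not say how LAM itself escapes the value or treats ambiguous results, so both checks are the example's own.</para>

```python
# Added example (not LAM's own code): turning a typed login name into an LDAP
# search filter the way a "%USER%" login search does, with RFC 4515 escaping,
# and picking the DN to bind as only when the search is unambiguous.
# All entry data below is constructed for the example.
from typing import Dict, List, Optional

# RFC 4515 escaping for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape the characters that carry meaning inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(template: str, username: str) -> str:
    """Replace every %USER% in the configured filter with the escaped login name.

    The template form "(uid=%USER%)" is an assumption for this example; the page
    only states that %USER% is replaced by the typed user name.
    """
    return template.replace("%USER%", escape_filter_value(username))


# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
SAMPLE_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "uid=joe,ou=people,dc=example,dc=com": {
        "uid": ["joe"], "mail": ["joe@example.com"]},
    "uid=jane,ou=people,dc=example,dc=com": {
        "uid": ["jane"], "mail": ["jane@example.com"]},
    # Two entries share one address, so a search on mail alone is ambiguous.
    "uid=help1,ou=people,dc=example,dc=com": {
        "uid": ["help1"], "mail": ["helpdesk@example.com"]},
    "uid=help2,ou=people,dc=example,dc=com": {
        "uid": ["help2"], "mail": ["helpdesk@example.com"]},
}


def find_login_dn(entries: Dict[str, Dict[str, List[str]]],
                  attributes: List[str], username: str) -> Optional[str]:
    """Return the single DN whose listed attribute equals the login name.

    This stands in for the server evaluating the escaped filter: the value is
    compared as an exact, case-insensitive string (uid and mail use
    case-insensitive matching rules), so a typed "*" or "(" never acts as a
    wildcard. Zero or several matches return None; the caller must then refuse
    the login rather than guess which entry to bind as.
    """
    wanted = username.lower()
    matches = [
        dn for dn, attrs in entries.items()
        if any(v.lower() == wanted for a in attributes for v in attrs.get(a, []))
    ]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(build_login_filter("(|(uid=%USER%)(mail=%USER%))", "jo(e)*"))
    print(find_login_dn(SAMPLE_ENTRIES, ["uid", "mail"], "joe@example.com"))
```

<para>Running the block prints the escaped filter built for the login name jo(e)* and the DN found for joe@example.com. A search that returns no entry or several (the constructed helpdesk address belongs to two entries) yields None and the login should be refused; the fixed list of DNs, the first login method, avoids this question because no search is needed at all.</para> <para>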
Please just enter the new password in both password fields.</para> </section> <section> <title>Account types</title> <para>LAM can manage various types of LDAP entries (e.g. users, groups, DHCP entries, ...). On this page you can select which types of entries you want to manage with LAM.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configTypes1.png" /> </imageobject> </mediaobject> </screenshot> <para>The section at the top shows a list of possible types. You can activate them by simply clicking on the plus sign next to them.</para> <para>Each account type has the following options:</para> <itemizedlist> <listitem> <para><emphasis role="bold">LDAP suffix:</emphasis> the LDAP suffix where entries of this type should be managed</para> </listitem> <listitem> <para><emphasis role="bold">List attributes:</emphasis> a list of attributes which are shown in the account lists</para> </listitem> </itemizedlist> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configTypes2.png" /> </imageobject> </mediaobject> </screenshot> <para>On the next page you can specify in detail what extensions should be enabled for each account type.</para> </section> <section> <title>Modules</title> <para>The modules specify the active extensions for each account type. E.g. here you can set up whether your user entries should be address book entries only or also support Unix or Samba.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configModules1.png" /> </imageobject> </mediaobject> </screenshot> <para>Each account type needs a so called "base module". This is the basis for all LDAP entries of this type. Usually, it provides the structural object class for the LDAP entries. There must be exactly one active base module for each account type.</para> <para>Furthermore, there may be any number of additional active account modules. E.g.
you may select "Personal" as base module and Unix + Samba as additional modules.</para> </section> <section> <title>Module settings</title> <para>Depending on the activated account modules there may be additional configuration options available. They can be found on the "Module settings" tab. E.g. the Personal account module allows you to hide several input fields and the Unix module requires you to specify ranges for UID numbers.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configSettings1.png" /> </imageobject> </mediaobject> </screenshot> </section> </section> <section id="confTypicalScenarios"> <title>Typical scenarios</title> <para>This is a list of typical scenarios of how your LDAP environment may look and how to structure the server profiles for it.</para> <section> <title>Simple: One LDAP directory managed by a small group of admins</title> <para>This is the easiest and most common scenario. You want to manage a single LDAP server and there is only one or a few admins. In this case just create one server profile and you are done. The admins may be either specified as a fixed list or by using an LDAP search at login time.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/LDAPStructuresSimple.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Advanced: One LDAP server which is managed by different admin groups</title> <para>Large organisations may have one big LDAP directory for all user/group accounts. But the users are managed by different groups of admins (e.g. departments, locations, subsidiaries, ...). The users are typically divided into organisational units in the LDAP tree.
Admins may only manage the users in their part of the tree.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/LDAPStructuresAdvanced.png" /> </imageobject> </mediaobject> </screenshot> <para>In this situation it is recommended to create one server profile for each admin group (e.g. department). Set up the LDAP suffixes in the server profiles to point to the needed organisational units. E.g. use ou=people,ou=department1,dc=company,dc=com or ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users. Do the same for groups, hosts, ... This way each admin group will only see its own users. You may want to use LDAP search for the LAM login in this scenario. This way you do not need to update a server profile when the number of admins changes.</para> <para><emphasis role="bold">Attention:</emphasis> LAM's feature to automatically find free UIDs/GIDs for new users/groups will not work in this case. LAM uses the user/group suffix to search for already assigned UIDs/GIDs. As an alternative you can specify different UID/GID ranges for each department. Then the UIDs/GIDs will stay unique for the whole directory.</para> </section> <section> <title>Multiple LDAP servers</title> <para>You can manage as many LDAP servers with LAM as you wish. This scenario is similar to the advanced scenario above. Just create one server profile for each LDAP server.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/LDAPStructuresMultiServer.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Single LDAP directory with lots of users (>10 000)</title> <para>LAM was tested to work with 10 000 users. If you have a lot more users then you have basically two options.</para> <itemizedlist> <listitem> <para>Divide your LDAP tree into organisational units: This is usually the best performing option.
Put your accounts in several organisational units and set up LAM as in the advanced scenario above.</para> </listitem> <listitem> <para>Increase memory limit: Increase the memory_limit parameter in your php.ini. This will allow LAM to read more entries. But this will slow down the response times of LAM.</para> </listitem> </itemizedlist> </section> </section> </section> </chapter> <chapter> <title>Managing entries in your LDAP directory</title> <para>This chapter will give you instructions on how to manage the different LDAP entries in your directory.</para> <para>Please note that not all account types are manageable with the free LAM release. LAM Pro provides some more account types and modules to support additional LDAP object classes.</para> <para><emphasis role="bold">Additional types:</emphasis></para> <itemizedlist> <listitem> <para>Group of names</para> </listitem> <listitem> <para>Aliases</para> </listitem> <listitem> <para>NIS objects</para> </listitem> <listitem> <para>Sudo roles</para> </listitem> </itemizedlist> <para><emphasis role="bold">Additional modules:</emphasis></para> <itemizedlist> <listitem> <para>Group of names (groupOfNames)</para> </listitem> <listitem> <para>Group of unique names (groupOfUniqueNames)</para> </listitem> <listitem> <para>Unix (rfc2307bisPosixGroup)</para> </listitem> <listitem> <para>Alias (aliasEntry)</para> </listitem> <listitem> <para>User name (uidObject)</para> </listitem> <listitem> <para>NIS object (nisObject)</para> </listitem> <listitem> <para>Custom scripts (customScripts)</para> </listitem> <listitem> <para>Sudo role (sudoRole)</para> </listitem> </itemizedlist> <para><emphasis role="bold">Basic page layout:</emphasis></para> <para>After the login LAM will present you its main page. It consists of a header part which is the same for all pages and the content area which covers most of the page.</para> <para>The header part includes the links to manage all account types (e.g. 
users and groups) and open the tree view (LDAP browser). There is also the logout link and a tools entry.</para> <para>When you log in you will see an account listing in the content area.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mainpage.png" /> </imageobject> </mediaobject> </screenshot> <para>Here you can create, delete and modify accounts. Use the action buttons at the left or double-click on an entry to edit it.</para> <para>The suffix selection box allows you to list only the accounts which are located in a subtree of your LDAP directory.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/listConfig.png" /> </imageobject> </mediaobject> </screenshot> <para>You can change the number of shown entries per page with "Change settings". Depending on the account type there may be additional settings. E.g. the user list can convert group numbers to group names.</para> <para>When you choose to edit an entry, LAM will show all its data in a tabbed view. There is one tab for each functional part of the account. You can set default values by loading an <link linkend="a_accountProfile">account profile</link>.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/editView.png" /> </imageobject> </mediaobject> </screenshot> <section> <title>Users</title> <para></para> <section> <title>Personal</title> <para>This module is the most common basis for user accounts in LAM. You can use it stand-alone to manage address book entries or in combination with Unix, Samba or other modules.</para> <para>The Personal module provides support for managing various personal data of your users including mail addresses and telephone numbers. You can also add photos of your users. 
If you do not need to manage all attributes then you can deactivate them in your server profile.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_personal.png" /> </imageobject> </mediaobject> </screenshot> <para></para> <table> <title>LDAP attribute mappings</title> <tgroup cols="2"> <thead> <row> <entry align="center">Attribute name</entry> <entry align="center">Name inside LAM</entry> </row> </thead> <tbody> <row> <entry>businessCategory</entry> <entry>Business category</entry> </row> <row> <entry>carLicense</entry> <entry>Car license</entry> </row> <row> <entry>cn/commonName</entry> <entry>Common name</entry> </row> <row> <entry>departmentNumber</entry> <entry>Department(s)</entry> </row> <row> <entry>description</entry> <entry>Description</entry> </row> <row> <entry>employeeNumber</entry> <entry>Employee number</entry> </row> <row> <entry>employeeType</entry> <entry>Employee type</entry> </row> <row> <entry>facsimileTelephoneNumber/fax</entry> <entry>Fax number</entry> </row> <row> <entry>givenName/gn</entry> <entry>First name</entry> </row> <row> <entry>homePhone</entry> <entry>Home telephone number</entry> </row> <row> <entry>initials</entry> <entry>Initials</entry> </row> <row> <entry>jpegPhoto</entry> <entry>Photo</entry> </row> <row> <entry>l</entry> <entry>Location</entry> </row> <row> <entry>mail/rfc822Mailbox</entry> <entry>Email address</entry> </row> <row> <entry>manager</entry> <entry>Manager</entry> </row> <row> <entry>mobile/mobileTelephoneNumber</entry> <entry>Mobile number</entry> </row> <row> <entry>organizationName/o</entry> <entry>Organisation</entry> </row> <row> <entry>physicalDeliveryOfficeName</entry> <entry>Office name</entry> </row> <row> <entry>postalAddress</entry> <entry>Postal address</entry> </row> <row> <entry>postalCode</entry> <entry>Postal code</entry> </row> <row> <entry>postOfficeBox</entry> <entry>Post office box</entry> </row> <row> <entry>registeredAddress</entry> <entry>Registered 
address</entry> </row> <row> <entry>roomNumber</entry> <entry>Room number</entry> </row> <row> <entry>sn/surname</entry> <entry>Last name</entry> </row> <row> <entry>st</entry> <entry>State</entry> </row> <row> <entry>street/streetAddress</entry> <entry>Street</entry> </row> <row> <entry>telephoneNumber</entry> <entry>Telephone number</entry> </row> <row> <entry>title</entry> <entry>Job title</entry> </row> <row> <entry>uid/userid</entry> <entry>User name</entry> </row> <row> <entry>userPassword</entry> <entry>Password</entry> </row> </tbody> </tgroup> </table> </section> <section> <title>Unix</title> <para>The Unix module manages Unix user accounts including group memberships.</para> <para></para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_unixUser.png" /> </imageobject> </mediaobject> </screenshot> <para>You can also create home directories for your users if you set up <link linkend="a_lamdaemon">lamdaemon</link>. This allows you to create the directories on the local or remote servers.</para> <para>It is also possible to check the status of the user's home directories. If needed the directories can be created or removed at any time.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_unixUserHomedir.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Shadow</title> <para>LAM supports the management of the LDAP replacement for /etc/shadow. Here you can set up password policies for your Unix accounts and also view the last password change of a user.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_shadow.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Password self reset (LAM Pro)</title> <para>LAM Pro allows your users to reset their passwords by answering a security question. The reset link is displayed on the <link linkend="PasswordSelfReset">self service page</link>. 
Additionally, you can set question + answer in the admin interface.</para> <para><emphasis role="bold">Schema</emphasis></para> <para>Please install the schema that comes with LAM Pro: docs/schema/passwordSelfReset.schema or docs/schema/passwordSelfReset.ldif</para> <para>This allows setting a security question + answer for each account.</para> <para><emphasis role="bold">Activate password self reset module</emphasis></para> <para>Please activate the password self reset module in your LAM Pro server profile.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordSelfReset7.png" /> </imageobject> </mediaobject> </screenshot> <para>Now select the tab "Module settings" and specify the list of possible security questions. Only these questions will be selectable when you later edit accounts.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordSelfReset8.png" /> </imageobject> </mediaobject> </screenshot> <para><emphasis role="bold">Edit users</emphasis></para> <para>After everything is set up please log in to LAM Pro and edit your users. You will see a new tab called "Password self reset". Here you can activate/remove the password self reset function for each user. You can also change the security question and answer.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordSelfReset9.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Hosts</title> <para>You can specify a list of valid host names where the user may log in. If you add the value "*" then the user may log in to any host. This can be further restricted by adding explicit deny entries which are prefixed with "!" (e.g. "!hr_server").</para> <para>Please note that your PAM settings need to support host restrictions. This feature is enabled by setting <emphasis role="bold">pam_check_host_attr yes</emphasis> in your <emphasis role="bold">/etc/pam_ldap.conf</emphasis>. 
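As an added example that is not LAM's own code, the following Python functions evaluate a user's host attribute values for a given host name the way this section describes it (deny entries prefixed with "!" override "*" and exact host names, and an account without any host attribute is rejected) and audit a set of accounts for one host; the matching order and the case-insensitive host name comparison are assumptions to verify against the pam_ldap version you deploy, and the sample accounts are constructed. <programlisting><![CDATA[
```python
"""Evaluate pam_ldap "host" attribute values as the LAM manual describes them.

Added example, not part of LAM. Assumptions: deny entries ("!name") override
"*" and exact host names, an account without any host attribute is rejected
once pam_check_host_attr is enabled, and host names compare case-insensitively.
"""


def host_login_allowed(host_values, hostname):
    """Return True if an account whose host attribute holds host_values
    may log in on hostname under pam_check_host_attr yes."""
    # With the check enabled, accounts without a host attribute are rejected.
    if not host_values:
        return False
    wanted = hostname.strip().lower()
    # Explicit deny entries such as "!hr_server" win over any allow entry.
    for value in host_values:
        if value.startswith("!") and value[1:].strip().lower() == wanted:
            return False
    # "*" allows every host; otherwise the host name itself must be listed.
    for value in host_values:
        if value == "*" or value.strip().lower() == wanted:
            return True
    return False


def audit_host_access(accounts, hostname):
    """Map each account name to whether it may log in on hostname.

    accounts: dict of account name -> list of host attribute values.
    """
    return {name: host_login_allowed(values, hostname)
            for name, values in accounts.items()}


def wildcard_accounts(accounts):
    """Sorted names of accounts allowed on every host ("*") without any deny
    entry; these deserve a second look during access reviews."""
    return sorted(name for name, values in accounts.items()
                  if "*" in values
                  and not any(v.startswith("!") for v in values))


# Constructed sample accounts (not taken from a real directory).
SAMPLE_ACCOUNTS = {
    "alice": ["*", "!hr_server"],   # any host except hr_server
    "bob": ["web01", "web02"],      # only the listed hosts
    "carol": [],                    # no host attribute: rejected everywhere
    "dave": ["*"],                  # every host, no restriction at all
}

if __name__ == "__main__":
    for host in ("hr_server", "web01"):
        print(host, audit_host_access(SAMPLE_ACCOUNTS, host))
    print("unrestricted accounts:", wildcard_accounts(SAMPLE_ACCOUNTS))
```
]]></programlisting>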
When it is enabled then the account facility of pam_ldap will perform the checks and return an error when no proper host attribute is present. Please note that users without a host attribute cannot log in to a server configured this way.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/hostObject.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Samba 3</title> <para>LAM supports full Samba 3 user management including logon hours and terminal server options.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_samba3User1.png" /> </imageobject> </mediaobject> </screenshot> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_samba3User2.png" /> </imageobject> </mediaobject> </screenshot> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_samba3User3.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Filesystem quota (lamdaemon)</title> <para>You can manage file system quotas with LAM. This requires <link linkend="a_lamdaemon">lamdaemon</link> to be set up. LAM connects to your server via SSH and manages the disk filesystem quotas. The quotas are stored directly on the filesystem. This is the default mechanism to store quotas for most systems.</para> <para>Please add the module "Quota (quota)" for users to your LAM server profile to enable this feature.</para> <para>If you store the quota information directly inside LDAP please see the next section.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_quotaUser.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Filesystem quota (LDAP)</title> <para>You can store your filesystem quotas directly in LDAP. See <ulink url="http://sourceforge.net/projects/linuxquota/">Linux DiskQuota</ulink> for details since it requires quota tools that support LDAP. 
You will need to install the quota LDAP schema to manage the object class "systemQuotas".</para> <para>Please add the module "Quota (systemQuotas)" for users to your LAM server profile to enable this feature.</para> <para>If you store the quota information on the filesystem please see the previous section.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_systemQuotas.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Kolab</title> <para>This module allows managing Kolab accounts with LAM. E.g. you can set the user's mail quota and define invitation policies.</para> <para>Please enter an email address on the Personal page and set a Unix password first. Both are required for Kolab to accept the accounts.</para> <para>Kolab users should not be directly deleted with LAM. You can mark an account for deletion; the deletion is then done by the Kolab server itself. This makes sure that the mailbox etc. is also deleted.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_kolab.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Asterisk</title> <para>LAM supports Asterisk accounts, too. See the <link linkend="type_asterisk">Asterisk</link> section for details.</para> </section> <section> <title>EDU person</title> <para>EDU person accounts are mainly used in university networks. You can specify the principal name, nick names and much more.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_eduPerson.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Password policy (LAM Pro)</title> <para>OpenLDAP supports the <ulink url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay to manage password policies for LDAP entries. 
LAM Pro supports <link linkend="a_ppolicy">managing the policies</link> and assigning them to user accounts.</para> <para>Please add the account type "Password policies" to your LAM server profile and activate the "Password policy" module for the user type.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/ppolicyUser.png" /> </imageobject> </mediaobject> </screenshot> <para>You can assign any password policy which is found in the LDAP suffix of the "Password policies" type. When you set the policy to "default" then OpenLDAP will use the default policy as defined in your slapd.conf file.</para> </section> <section> <title>FreeRadius</title> <para>FreeRadius is a software that implements the RADIUS authentication protocol. LAM allows you to manage several of the FreeRadius attributes.</para> <para>To activate the FreeRadius plugin please activate the FreeRadius user module in your server profile:</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_freeRadius1.png" /> </imageobject> </mediaobject> </screenshot> <para>You can disable unneeded fields on the tab "Module settings":</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_freeRadius2.png" /> </imageobject> </mediaobject> </screenshot> <para>Now you will see the tab "FreeRadius" when editing users. The extension can be (de)activated for each user. You can set up e.g. realm, IP and expiration date.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_freeRadius3.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Mail routing</title> <para>LAM supports managing mail routing for user accounts. You can specify a routing address, the mail server and a number of local addresses to route. 
This feature can be activated by adding the "Mail routing" module to the user account type in your server profile.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mailRouting.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>SSH keys</title> <para>You can manage your public keys for SSH in LAM if you installed the <ulink url="http://code.google.com/p/openssh-lpk/">LPK patch for SSH</ulink>. Activate the "SSH public key" module for users in the server profile and you can add keys to your user entries.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/ldapPublicKey.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Authorized services</title> <para>You can set up PAM to check if a user is allowed to run a specific service (e.g. sshd) by reading the LDAP attribute "authorizedService". This way you can manage all allowed services via LAM.</para> <para></para> <para>To activate this PAM feature please set up your <emphasis role="bold">/etc/libnss-ldap.conf</emphasis> and set "pam_check_service_attr" to "yes".</para> <para></para> <para>Inside LAM you can now set the allowed services. You may also set up default services in your account profiles.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_authorizedServices.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>IMAP mailboxes</title> <para>LAM may create and delete mailboxes on an IMAP server for your user accounts. You will need an IMAP server that supports either SSL or TLS for this feature.</para> <para>To activate the mailbox management module please add the "Mailbox (imapAccess)" module for the type user in your LAM server profile:</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/imapAccess1.png" /> </imageobject> </mediaobject> </screenshot> <para>Now configure the module on the tab "Module settings". 
Here you can specify the IMAP server name, encryption options, the authentication for the IMAP connection and the valid mail domains. LAM can use either your LAM login password for the IMAP connection or display a dialog where you need to enter the password. The mail domains specify for which accounts mailboxes may be created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can be managed for "user@lam-demo.org" but not for "user@example.com".</para> <para>You need to install the SSL certificate of the CA that signed your server certificate. This is usually done by installing the certificate in /etc/ssl/certs. Different Linux distributions may offer different ways to do this. For Debian please copy the certificate into "/usr/local/share/ca-certificates" and run "update-ca-certificates" as root.</para> <para>It is not recommended to disable the validation of IMAP server certificates.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/imapAccess2.png" /> </imageobject> </mediaobject> </screenshot> <para>When you edit a user account then you will now see the tab "Mailbox". Here you can create/delete the mailbox for this user.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/imapAccess3.png" /> </imageobject> </mediaobject> </screenshot> </section> <section id="s_account"> <title>Account</title> <para>This is a very simple module to manage accounts based on the object class "account". Usually, this is used for host accounts only. Please pay attention that users based on the "account" object class cannot have contact information (e.g. 
telephone number) as with "inetOrgPerson".</para> <para>You can enter a user/host name and a description for your accounts.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_account.png" /> </imageobject> </mediaobject> </screenshot> </section> </section> <section> <title>Groups</title> <para></para> <section> <title>Unix</title> <para>This module is used to manage Unix group entries. This is the default module to manage Unix groups and uses the nis.schema. Suse users who use the rfc2307bis.schema need to use LAM Pro.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_unixGroup.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Unix groups with rfc2307bis schema (LAM Pro)</title> <para>Some applications (e.g. Suse Linux) use the rfc2307bis schema for Unix accounts instead of the nis schema. In this case group accounts are based on the object class <link lang="" linkend="a_groupOfNames">groupOf(Unique)Names</link>. The object class is auxiliary in this case.</para> <para>LAM Pro supports these groups with a special account module: <emphasis role="bold">rfc2307bisPosixGroup</emphasis></para> <para>Use this module only if your system depends on the rfc2307bis schema. The module can be selected in the LAM configuration.</para> <para><screenshot> <mediaobject> <imageobject> <imagedata fileref="images/rfc2307bis.png" /> </imageobject> </mediaobject> </screenshot><screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_unixGroupLAMPro.png" /> </imageobject> </mediaobject> </screenshot></para> </section> <section> <title>Samba 3</title> <para>LAM supports managing Samba 3 groups. 
You can set special group types and also create Windows predefined groups like "Domain admins".</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_sambaGroup.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Quota</title> <para>You can manage file system quotas with LAM. This requires <link linkend="a_lamdaemon">lamdaemon</link> to be set up. File system quotas are not stored inside LAM but managed directly on the specified servers.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_quotaGroup.png" /> </imageobject> </mediaobject> </screenshot> </section> </section> <section> <title>Hosts</title> <section> <title>Account</title> <para>Please see the description <link linkend="s_account">here</link>.</para> </section> <section> <title>Device (LAM Pro)</title> <para>The device object class allows managing general information about all sorts of devices (e.g. computers, network hardware, ...). You can enter the serial number, location and a describing text. It is also possible to specify the owner of the device.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/device.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Samba 3</title> <para>You can manage Samba 3 host entries by adding the Unix and Samba 3 account modules.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_sambaHost1.png" /> </imageobject> </mediaobject> </screenshot> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_sambaHost2.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>IP addresses (LAM Pro)</title> <para>You can manage the IP addresses of host accounts with the ipHost module. 
It manages the following information:</para> <itemizedlist> <listitem> <para>IP addresses (IPv4/IPv6)</para> </listitem> <listitem> <para>location of the host</para> </listitem> <listitem> <para>manager: the person who is responsible for the host</para> </listitem> </itemizedlist> <para>You can activate this extension by adding the module ipHost to the list of active host modules.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/ipHost.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>MAC addresses</title> <para>Hosts can have an unlimited number of MAC addresses. To enable this feature just add the "MAC address" module to the host account type.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/macAddress.png" /> </imageobject> </mediaobject> </screenshot> </section> </section> <section> <title>Samba 3 domains</title> <para>Samba 3 stores information about its domain settings inside LDAP. This includes the domain name, its SID and some policies. You can manage all these attributes with LAM.</para> <para>Please activate the account type "Samba domains" in your LAM server profile. Please note that Samba by default uses the LDAP root for domain objects (e.g. dc=example,dc=com).</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/sambaDomains1.png" /> </imageobject> </mediaobject> </screenshot> <para>This will add a new tab to LAM where you can manage domain information.</para> <para>The domain name, SID and RID base can only be specified for new domains and are not changeable via LAM at a later time. 
You may set up several password policies for your Samba domains and also some RID options that influence the creation of SIDs for users/groups/hosts.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/sambaDomains2.png" /> </imageobject> </mediaobject> </screenshot> </section> <section id="a_groupOfNames"> <title>Group of (unique) names (LAM Pro)</title> <para>These classes can be used to represent group relations. Since they allow DNs as members you can also use them to represent nested groups. Activate the account type "Group of names" in your LAM server profile to use these account modules.</para> <para>Group of (unique) names have four basic attributes:</para> <itemizedlist> <listitem> <para>Name: a unique name for the group</para> </listitem> <listitem> <para>Description: optional description</para> </listitem> <listitem> <para>Owner: the account which owns this group (optional)</para> </listitem> <listitem> <para>Members: the members of the group (at least one is required)</para> </listitem> </itemizedlist> <para>You can add any accounts as members. This includes other groups, which leads to nested groups.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/groupOfNames1.png" /> </imageobject> </mediaobject> </screenshot> </section> <section id="type_asterisk"> <title>Asterisk</title> <para>LAM includes extensive support for Asterisk. You can add Asterisk extensions (including voicemail) to your users and also manage Asterisk extensions.</para> <para>The Asterisk support for users can be added by selecting the Asterisk and Asterisk voicemail modules for users in your LAM server profile. This will add the following tabs to your user accounts.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/asterisk.png" /> </imageobject> </mediaobject> </screenshot> <para>The Asterisk module allows editing a large number of attributes. Therefore, you can hide unused fields. 
Please edit your server profile (Module settings) to do so.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/asteriskConfig.png" /> </imageobject> </mediaobject> </screenshot> <para>Of course, the voicemail part of Asterisk is also supported.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/asteriskVoicemail.png" /> </imageobject> </mediaobject> </screenshot> <para>If you also want to manage Asterisk extensions then simply add the account type "Asterisk extensions" and its module to your server profile.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/asteriskExtension.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Zarafa (LAM Pro)</title> <para>Zarafa is an open source collaboration software. LAM Pro provides support to manage Zarafa server entries, users and groups. It covers all settings for these types including resource and quota settings.</para> <para>LAM Pro is an official Zarafa Certified Integration.</para> <para><inlinemediaobject> <imageobject> <imagedata fileref="images/zarafa_logo_integrations_certified_140px.jpg" /> </imageobject> </inlinemediaobject></para> <section> <title>Configuration</title> <para>To enable Zarafa support in LAM Pro please activate the Zarafa modules for the Users, Groups and Hosts account types in your server profile:</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/zarafa1.png" /> </imageobject> </mediaobject> </screenshot> <para>You can configure which parts of the Zarafa user options should be enabled. E.g. if you do not want to manage quotas per user then you can hide these options on the tab "Module settings".</para> <literallayout> </literallayout> <para><emphasis role="bold">"Send as" attribute:</emphasis> Here you can specify how "Send as" privileges should be managed. 
LAM supports "uid" and "dn".</para> <para>If you select "uid" then LAM will store user names in the zarafaSendAsPrivilege attribute. This way only user accounts can be specified as "Send as" allowed.</para> <para>You can also set this option to "dn" and LAM will store DNs in the zarafaSendAsPrivilege attribute. In this case you may specify users and groups as "Send as" allowed.</para> <literallayout> </literallayout> <para>Examples for your Zarafa ldap.cfg:</para> <para>"Send as" attribute: <emphasis role="bold">dn</emphasis></para> <para>ldap_user_sendas_attribute_type = dn</para> <literallayout> </literallayout> <para>"Send as" attribute: <emphasis role="bold">uid</emphasis></para> <para>ldap_user_sendas_attribute_type = text</para> <para>ldap_user_sendas_relation_attribute = uid</para> <para><literallayout> </literallayout><literallayout> </literallayout></para> <para><emphasis role="bold">Features:</emphasis> Zarafa 7 allows enabling IMAP/POP3 for each user. Please hide the option "Features" if you use Zarafa 6.x.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/zarafa2.png" /> </imageobject> </mediaobject> </screenshot> <section> <title>Users</title> <para>This is an example of the user edit page with all possible settings. This includes email settings, quotas and some options (e.g. hide from address book). You can also set the resource type and capacity for meeting rooms and equipment. The Zarafa extension can be added and removed at any time for every user.</para> <para>Please note that the option "Features" requires Zarafa 7. Please hide this option in the LAM server profile if you run Zarafa 6.x.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/zarafa3.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Contacts</title> <para>LAM Pro can manage your Zarafa contact entries. You can set the email aliases and "send as" privileges. 
Additionally, accounts may be hidden in the address book or disabled.</para> <para>Please note that you can either use the Zarafa user module or Zarafa contact. LAM Pro will disable the other tab when enabling one of them.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/zarafa8.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Groups</title> <para>This is the edit page for groups. You can enter an email address and additional aliases for your groups. It is also possible to specify options (e.g. hide from address book). The extension can be added/removed dynamically.</para> <para>Please note that the option "Send-as privileges" requires the Zarafa 7.0.3 schema. Please hide this option in the LAM server profile if you run Zarafa < 7.0.3.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/zarafa4.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Servers</title> <para>The Zarafa extension for host accounts allows setting the connection ports and file path. You can add/remove the extension at any time.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/zarafa5.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Address lists</title> <para>Zarafa allows storing address lists in LDAP. You need to define a search base and LDAP filter for each address list. E.g. entering "ou=people,dc=company,dc=com" as base and "uid=*" will select all users that are stored in "ou=people,dc=company,dc=com".</para> <para>You can also hide your lists from the address book or temporarily disable them.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/zarafa6.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Dynamic groups</title> <para>Zarafa allows defining dynamic groups in LDAP. You need to define a search base and LDAP filter for each group. E.g. 
entering "ou=people,dc=company,dc=com" as base and "uid=*" will select all users that are stored in "ou=people,dc=company,dc=com".</para> <para>Dynamic groups may have an email address and multiple email alias addresses.</para> <para>You can also hide your dynamic groups from the address book or temporarily disable them.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/zarafa7.png" /> </imageobject> </mediaobject> </screenshot> </section> </section> </section> <section> <title>DHCP</title> <para>You can manage your DHCP server with LAM. It supports managing subnets, fixed IP entries, IP ranges and DDNS. DHCP support can be activated by adding the account type DHCP to your server profile. Please also add the DHCP modules. LAM requires that you use an LDAP entry with the object class "dhcpServer" as suffix for this account type.</para> <literallayout> </literallayout> <para><emphasis role="bold">Example server entry:</emphasis></para> <para><code>dn: cn=server,ou=dhcp,dc=ldap-account-manager,dc=org</code></para> <para><code>objectclass: dhcpServer</code></para> <para><code>objectclass: dhcpOptions</code></para> <para><code>objectclass: top</code></para> <para><code>cn: server</code></para> <para><code>dhcpcomments: My DHCP server</code></para> <para><code>dhcpoption: domain-name "ldap-account-manager.org"</code></para> <para><code>dhcpoption: domain-name-servers 192.168.1.1</code></para> <para><code>dhcpoption: routers 192.168.1.1</code></para> <para><code>dhcpoption: netbios-name-servers 192.168.1.1</code></para> <para><code>dhcpoption: subnet-mask 255.255.255.0</code></para> <para><code>dhcpoption: netbios-node-type 8</code></para> <para><code>dhcpstatements: default-lease-time 3600</code></para> <para><code>dhcpstatements: max-lease-time 7200</code></para> <para><code>dhcpstatements: include "mykey"</code></para> <para><code>dhcpstatements: ddns-update-style interim</code></para> <para><code>dhcpstatements: update-static-leases true</code></para> <para><code>dhcpstatements: ignore client-updates</code></para> <literallayout> </literallayout> <para><emphasis role="bold">Example settings for dhcpd.conf:</emphasis></para> <para><code>ddns-update-style none;</code></para> <para><code>deny unknown-clients;</code></para> <para><code>ldap-server "server";</code></para> <para><code>ldap-dhcp-server-cn "server";</code></para> <para><code>ldap-port 389;</code></para> <para><code>ldap-username "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org";</code></para> <para><code>ldap-password "{SSHA}XXXXXXXXXXXX";</code></para> <para><code>ldap-base-dn "ou=dhcp,dc=ldap-account-manager,dc=org";</code></para> <para><code>ldap-method dynamic;</code></para> <para><code>ldap-debug-file "/var/log/dhcp-ldap-startup.log";</code></para> <literallayout> </literallayout> <para><emphasis role="bold">slapd.conf changes:</emphasis></para> <para><code>include /etc/ldap/schema/dhcp.schema</code></para> <para><code>index dhcpHWAddress eq</code></para> <para><code>index dhcpClassData eq</code><literallayout> Run slapindex to rebuild the index. 
</literallayout></para> <para>You can manage the settings of your DHCP server entry:</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/dhcpMainSettings.png" /> </imageobject> </mediaobject> </screenshot> <para>You can easily create new subnet entries.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/dhcpSettings.png" /> </imageobject> </mediaobject> </screenshot> <para>It is also possible to specify a list of fixed IPs.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/fixedIP.png" /> </imageobject> </mediaobject> </screenshot> <para>IP ranges may be specified.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/ranges.png" /> </imageobject> </mediaobject> </screenshot> <para>If you activated DDNS in the server entry then you may also specify the DDNS settings for this subnet.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/ddns.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Aliases (LAM Pro)</title> <para>Some applications use the object class "alias" to link LDAP entries to other parts of the LDAP tree. Activate the account type "Aliases" in your LAM server profile to use this account type.</para> <para>Currently, only user accounts can be aliased with the "uidObject" object class.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/alias.png" /> </imageobject> </mediaobject> </screenshot> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/alias2.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Mail aliases</title> <para>You can manage mail aliases (e.g. for NIS) inside LAM. This can be used to replace local /etc/aliases files with LDAP.</para> <para>All accounts of this type are based on the "nisMailAlias" object class and may have "cn" and "rfc822MailMember" attributes. 
To activate this type please add "Mail aliases" in your LAM server profile:</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/nisMailAlias1.png" /> </imageobject> </mediaobject> </screenshot> <para>The mail aliases will appear as a separate tab inside LAM. You may then manage the aliases with their names and recipient addresses.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/nisMailAlias2.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>NIS net groups</title> <para>LAM supports defining NIS netgroups. You can use them e.g. to restrict SSH access to your machines. Note that the netgroup entry only stores the membership; the restriction itself takes effect only on hosts whose access control (e.g. pam_access or the NSS configuration) is set up to evaluate netgroups.</para> <para>Add the NIS net group account type and its module to your server profile. Then you can manage net groups in LAM. Net groups may contain other net groups as child groups. You can either insert the host/user names manually or use the search buttons next to the input fields to find existing entries in your directory.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/nisNetgroup.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>NIS objects (LAM Pro)</title> <para>You can manage NIS objects with LAM Pro. This allows you to define network mount points in LDAP.</para> <para>Add the NIS objects type to your LAM configuration and then the NIS objects module. This will add the NIS objects tab to LAM.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/nisObject.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Automount objects (LAM Pro)</title> <para>LAM Pro allows you to manage automount entries. 
Please activate the account type "Automount objects" in your LAM Pro server profile:</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/automount1.png" /> </imageobject> </mediaobject> </screenshot> <para>This will add a new tab to LAM Pro's main screen which includes a list of all automount entries. Here you can easily create new entries.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/automount2.png" /> </imageobject> </mediaobject> </screenshot> <para>Please see the following external HowTos for more information on automounting and LDAP:</para> <itemizedlist> <listitem> <para><ulink url="https://help.ubuntu.com/community/AutofsLDAP">AutofsLDAP</ulink></para> </listitem> <listitem> <para><ulink type="" url="http://www.pro-linux.de/artikel/2/760/automount-ueber-ldap.html">Automount über LDAP (German)</ulink></para> </listitem> </itemizedlist> </section> <section id="a_ppolicy"> <title>Password policies (LAM Pro)</title> <para>OpenLDAP supports the <ulink url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay to manage password policies for LDAP entries. This allows you to set password policies which are independent from your applications. The policies are managed internally by the LDAP server.</para> <para>You can manage these policies with LAM Pro with the account type "Password policies".</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/ppolicy.png" /> </imageobject> </mediaobject> </screenshot> <para>You will need to add the ppolicy schema to your OpenLDAP configuration and activate the <ulink url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay module in slapd.conf to use this feature.</para> <para>A policy applies to an entry only if the entry references it in its "pwdPolicySubentry" attribute or if the policy is configured as the overlay's default policy ("ppolicy_default" in slapd.conf). Because the directory server enforces the policy, it also covers password changes made through other LDAP clients, not only those made through LAM.</para> </section> <section> <title>Custom scripts (LAM Pro)</title> <para>LAM Pro allows you to execute scripts whenever an account is created, modified or deleted. This can be useful to automate processes which previously required manual work afterwards (e.g. 
sending your user a welcome mail or registering a mailbox). To activate this feature please add the "Custom scripts" module to all needed account types on the configuration pages.</para> <para>You can specify multiple scripts for each action type (e.g. modify) and account type (e.g. user). The scripts need to be located on the filesystem of your webserver and will be executed in its user environment. E.g. if your webserver runs as user www-data with the group www-data then the custom scripts will be run under this user with that user's rights. Because of this, make sure that the script files and the directories containing them are owned by root and are not writable by the webserver user; otherwise anybody who can write files as that user can change what gets executed. The output of the scripts will be shown in LAM, so scripts should not print secrets such as passwords.</para> <para>You can specify the scripts on the LAM configuration pages.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/customScripts.png" /> </imageobject> </mediaobject> </screenshot> <para><emphasis role="bold">Syntax:</emphasis></para> <para>Please enter one script per line. Each line has the following format: <code>&lt;account type&gt; &lt;action&gt; &lt;script&gt;</code></para> <para>E.g.: <code>user preModify /usr/bin/myCustomScript -u $uid$</code></para> <para><emphasis role="bold">Account types:</emphasis></para> <para>You can set up scripts for all available account types (e.g. user, group, host, ...). 
Please see the help on the configuration page about your currently active account types.</para> <para><emphasis role="bold">Actions:</emphasis></para> <table> <title>Action types</title> <tgroup cols="2"> <tbody> <row> <entry><emphasis role="bold">Action name</emphasis></entry> <entry><emphasis role="bold">Description</emphasis></entry> </row> <row> <entry>preCreate</entry> <entry>executed before creating a new account (cancels the operation if a script returns an exit code > 0; not available for file upload)</entry> </row> <row> <entry>postCreate</entry> <entry>executed after creating a new account</entry> </row> <row> <entry>preModify</entry> <entry>executed before the account is modified (cancels the operation if a script returns an exit code > 0)</entry> </row> <row> <entry>postModify</entry> <entry>executed after an account was modified</entry> </row> <row> <entry>preDelete</entry> <entry>executed before the account is deleted (cancels the operation if a script returns an exit code > 0)</entry> </row> <row> <entry>postDelete</entry> <entry>executed after an account was deleted</entry> </row> </tbody> </tgroup> </table> <para>Only the pre* actions can veto an operation, and preCreate is not run for accounts created via file upload. A policy check implemented as a preCreate script is therefore not enforced for uploaded accounts; check the CSV data before uploading it.</para> <para><emphasis role="bold">Script:</emphasis></para> <para>You can execute any script which is located on the filesystem of your webserver. The path may be absolute or relative to the PATH variable of the environment of your webserver process. Prefer absolute paths so that the executed program does not depend on the PATH of the webserver process. It is also possible to add command line arguments to your scripts. Additionally, LAM will resolve wildcards to LDAP attributes. If your script includes a wildcard in the format $ATTRIBUTE$ then LAM will replace it with the attribute value of the current LDAP entry. The values of multi-value attributes are separated by commas, so a value which itself contains a comma cannot be told apart from two values. Treat all substituted values as untrusted input in your script and validate them before passing them on to other commands: they come from the LDAP entry and may have been entered by users, e.g. via the self service or a file upload. E.g. 
if you create an account with the attribute "uid" and value "steve" then LAM will resolve "$uid$" to "steve".</para> <para>You can switch LAM's logging to debug mode if you are unsure which attributes with which values are available. Debug logs contain the attribute values, so protect the log file and switch debug mode off again afterwards.</para> <para>The following special wildcards are available:</para> <itemizedlist> <listitem> <para><emphasis role="bold">$INFO.userPasswordClearText$:</emphasis> cleartext password when the Unix password is changed (e.g. useful for external password synchronisation) for new/modified accounts. Keep in mind that command line arguments are visible to other local users in the process list while the script runs, so the script should be short-lived and must not write the password to its output or to a log.</para> </listitem> <listitem> <para><emphasis role="bold">$INFO.userPasswordStatusChange$:</emphasis> provides additional information if the password locking status was changed, possible values: locked, unlocked, unchanged</para> </listitem> <listitem> <para><emphasis role="bold">$INFO.passwordSelfResetAnswerClearText$</emphasis>: cleartext answer to the security question</para> </listitem> <listitem> <para><emphasis role="bold">$NEW.&lt;attribute&gt;$:</emphasis> the value of a new attribute (e.g. $NEW.telephoneNumber$) for modified accounts</para> </listitem> <listitem> <para><emphasis role="bold">$DEL.&lt;attribute&gt;$:</emphasis> the value of a deleted attribute (e.g. $DEL.telephoneNumber$) for modified accounts</para> </listitem> <listitem> <para><emphasis role="bold">$MOD.&lt;attribute&gt;$:</emphasis> the new value of a modified attribute (e.g. $MOD.telephoneNumber$) for modified accounts</para> </listitem> </itemizedlist> <para><emphasis role="bold">Output may contain HTML:</emphasis> If your scripts generate HTML output then activate this option. Only do so if your script HTML-escapes any attribute values it echoes, because the output is then rendered unescaped in the browser of the LAM user.</para> <para><emphasis role="bold">Hide command in messages:</emphasis> You may want to prevent that your users see the executed commands. 
In this case activating this option will only show the command output but not the command itself. This only affects LAM's messages; while a script runs, its complete command line (including the resolved wildcards) is still visible in the process list of the webserver host.</para> <para>You can see a preview of the commands which will be executed on the "Custom scripts" tab.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/customScripts2.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Sudo roles (LAM Pro)</title> <para>You can manage your sudo roles in LDAP if you have installed the sudo-ldap package or <ulink url="http://www.sudo.ws/sudo/readme_ldap.html">compiled sudo with LDAP support</ulink>. To activate sudo management in LAM Pro edit your server profile and add the type "Sudo roles".</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/sudoRole.png" /> </imageobject> </mediaobject> </screenshot> <para>The sudo roles in LDAP work similar to those in /etc/sudoers. You can specify who may run which commands as which user. It is also possible to specify options; e.g. the sudoers tag NOPASSWD corresponds to the option "!authenticate" in LDAP. Keep in mind that every host which reads its sudoers from this subtree trusts its content, so write access to the sudo roles should be limited by LDAP ACLs to those administrators who are allowed to grant root rights.</para> </section> <section> <title>General information</title> <para>This module is available for all account types. It shows some internal information about the LDAP entries like the creation time and who modified the entry.</para> <para>If you use the "memberOf" overlay in OpenLDAP then this will also show group memberships maintained by the overlay.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/mod_generalInformation.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Tree view (LDAP browser)</title> <para>The tree view provides a raw view on your LDAP directory. This feature is for people who are experienced with LDAP and need special functionality which the LAM account modules do not provide. E.g. 
if you want to add a special object class to an account or edit attributes ignoring LAM's syntax checks. Since the tree view bypasses LAM's checks, the LDAP server's ACLs are the only limit on what can be changed here.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/tree1.png" /> </imageobject> </mediaobject> </screenshot> <para>There are also some special functions available:</para> <para><emphasis role="bold">Export:</emphasis> This allows you to export entries to a file (e.g. LDIF or CSV format). Such an export contains every attribute the logged-in user may read, including password hashes where they are readable, so handle the exported file accordingly.</para> <para><emphasis role="bold">Show internal attributes:</emphasis> Shows internal attributes of the current entry. This includes information about the creator and creation time of the entry.</para> </section> <section> <title>Typical usage scenarios</title> <para>Here is a list of typical usage scenarios and what account types and modules you need to configure.</para> <para><emphasis role="bold">Address book entries:</emphasis></para> <para>Account types:</para> <itemizedlist> <listitem> <para>Users (Personal)</para> </listitem> </itemizedlist> <para><emphasis role="bold">Unix accounts:</emphasis></para> <para>Account types:</para> <itemizedlist> <listitem> <para>Users (Personal + Unix)</para> </listitem> <listitem> <para>Groups (Unix (posixGroup))</para> </listitem> </itemizedlist> <para>Suse users may need to use Group (Group of names + Unix (rfc2307bisPosixGroup)) because of Suse's special LDAP schema.</para> <para><emphasis role="bold">Samba accounts:</emphasis></para> <para>Account types:</para> <itemizedlist> <listitem> <para>Users (Personal + User + Samba 3)</para> </listitem> <listitem> <para>Groups (Unix + Samba 3)</para> </listitem> <listitem> <para>Hosts (Account + Unix + Samba 3)</para> </listitem> <listitem> <para>Samba domains (Samba domain)</para> </listitem> </itemizedlist> <para><emphasis role="bold">Asterisk:</emphasis></para> <para>Account types:</para> <itemizedlist> <listitem> <para>Users (Personal + Asterisk)</para> </listitem> <listitem> <para>Asterisk extensions (Asterisk extension)</para> </listitem> </itemizedlist> 
<para><emphasis role="bold">Zarafa:</emphasis></para> <para>Account types:</para> <itemizedlist> <listitem> <para>Users (Personal + Unix + Zarafa (+ Zarafa contact))</para> </listitem> <listitem> <para>Groups (Unix + Zarafa)</para> </listitem> <listitem> <para>Zarafa dynamic groups (Zarafa dynamic group)</para> </listitem> <listitem> <para>Zarafa address lists (Zarafa address list)</para> </listitem> <listitem> <para>Hosts (Device + Zarafa + IP Address)</para> </listitem> </itemizedlist> </section> </chapter> <chapter> <title>Tools</title> <section id="a_accountProfile"> <title>Profile editor</title> <para>The account profiles are templates for your accounts. Here you can specify default values which can then be loaded when you create accounts. You may also load a template for an existing account to reset it to default values. When you create a new account then LAM will always load the profile named <emphasis role="bold">"default"</emphasis>. This account profile can include default values for all your accounts.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/profileEditor.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>File upload</title> <para>When you need to create lots of accounts then you can use LAM's file upload to create them. LAM will read a CSV formatted file and create the related LDAP entries. Please check the data in your CSV file carefully: LAM does fewer checks for the file upload than for single account creation, and preCreate custom scripts are not run for uploaded accounts.</para> <para>On the first page please select the account type and what extensions should be activated.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/fileUpload1.png" /> </imageobject> </mediaobject> </screenshot> <para>The next page shows all available options for the file upload. You will also find a sample CSV file which can be used as a template for your CSV file. All red options are required columns in the file. 
You need to specify a value for each account.</para> <para>When you upload the CSV file then LAM first does some checks on this file. This includes syntax checks and if all required data was entered. No changes in the LDAP directory are done at this time.</para> <para>If the checks were successful then LAM will ask again if you want to create the accounts. You will also have the chance to check the upload by viewing the changes in LDIF format.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/fileUpload2.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>OU editor</title> <para>This is a simple editor to add/delete organisational units in your LDAP tree. This way you can structure the accounts.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/ouEditor.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>PDF editor</title> <para>All accounts in LAM may be exported as PDF files. You can specify the page structure and displayed information by editing the PDF profiles.</para> <para>When you export accounts to PDF then each account will get its own page inside the PDF. There is a headline on each page where you can show a page title. You may also add a logo to each page. To add more possible logos simply copy the images to config/pdf/logos.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/pdfEditor.png" /> </imageobject> </mediaobject> </screenshot> <para>The main part is structured into sections of information. Each section has a title. This can either be static text or the value of an attribute. You may also insert a static text block as section. Sections can be moved by using the arrows next to the section title.</para> <para>Each section can contain multiple fields which usually represent LDAP attributes. You can simply add new fields by selecting the field name and its position. 
Then use the arrows to move the field inside the section.</para> </section> <section> <title>Schema browser</title> <para>Here you can browse the schema of your LDAP server. You can view which object classes, attributes, syntaxes and matching rules are available. This is useful if you need to check whether a certain object class is available.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/schemaBrowser.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Server information</title> <para>This shows information and statistics about your LDAP server. This includes the suffixes, used overlays, connection data and operation statistics. You will need the "cn=monitor" backend set up to see all details. Some data may not be available depending on your LDAP server software. The monitor backend reveals operational details such as open connections and the DNs bound on them, so restrict read access to "cn=monitor" to administrators.</para> <para>Please see the following links on how to set up "cn=monitor":</para> <itemizedlist> <listitem> <para><ulink url="http://www.openldap.org/doc/admin24/monitoringslapd.html">OpenLDAP</ulink></para> </listitem> <listitem> <para><ulink type="" url="http://directory.fedoraproject.org/wiki/Howto:CN%3DMonitor_LDAP_Monitoring">389 server</ulink></para> </listitem> </itemizedlist> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/serverInfo.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Tests</title> <para>This allows you to check whether your LDAP schema is compatible with LAM and to find possible problems.</para> <section> <title>Lamdaemon test</title> <para>LAM provides an external script (lamdaemon) to manage home directories and quotas. You can test here whether everything is set up correctly.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/lamdaemonTest.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>Schema test</title> <para>This will test whether your LDAP schema supports all object classes and attributes of the active LAM modules. 
If you get a message that something is missing please check that you installed all <link linkend="a_schema">required schemas</link>.</para> <para>If you get error messages about object class violations then this test can tell you what is missing.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/schemaTest.png" /> </imageobject> </mediaobject> </screenshot> </section> </section> </chapter> <chapter id="a_accessLevelPasswordReset"> <title>Access levels and password reset page (LAM Pro)</title> <para>You can define different access levels for each profile to allow or disallow write access. The password reset page helps your deskside support staff to reset user passwords.</para> <section> <title id="s_accessLevel">Access levels</title> <para>There are three access levels:</para> <itemizedlist> <listitem> <para><emphasis role="bold">Write access (default)</emphasis></para> <para>There are no restrictions. LAM admin users can manage accounts, create profiles and set passwords.</para> </listitem> <listitem> <para><emphasis role="bold">Change passwords</emphasis></para> <para>Similar to "Read only" except that the <link linkend="s_pwdReset">password reset page</link> is available.</para> </listitem> <listitem> <para><emphasis role="bold">Read only</emphasis></para> <para>No write access to the LDAP database is allowed. It is also impossible to manage account and PDF profiles.</para> <para>Accounts may be viewed but no changes can be saved.</para> </listitem> </itemizedlist> <para>Access levels are enforced by LAM itself, not by the LDAP server. The LDAP account an admin logs in with keeps all rights that the server's ACLs grant it, so a user of a read-only profile could still modify entries with another LDAP client. Restrictions that must hold regardless of the tool belong into the LDAP ACLs.</para> <para>The access level can be set on the server configuration page:</para> <para><screenshot> <mediaobject> <imageobject> <imagedata fileref="images/accessLevel.png" /> </imageobject> </mediaobject> </screenshot></para> </section> <section id="s_pwdReset"> <title>Password reset page</title> <para>This special page allows your deskside support staff to reset the Unix and Samba passwords of your users. 
If you set the <link linkend="s_accessLevel">access level</link> to "Change passwords" then LAM will not allow any changes to the LDAP database except password changes via this page. The account pages will still be available in read-only mode.</para> <para>You can open the password reset page by clicking on the key symbol on each user account:</para> <para><screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordReset1.png" /> </imageobject> </mediaobject> </screenshot></para> <para>There are three different options to set a new password:</para> <itemizedlist> <listitem> <para><emphasis role="bold">set random password and display it on screen</emphasis></para> <para>This will set the user's password to a random value. The password will be 11 characters long with a random combination of letters, digits and ".-_".</para> <para>You may want to use this method to tell users their new passwords via phone. Combine it with the "Force password change" option below so that the password told to the user is only a temporary one.</para> </listitem> <listitem> <para><emphasis role="bold">set random password and mail it to user</emphasis></para> <para>If the user account has the mail attribute set then LAM can send your user a mail with the new password. You can change the mail template to fit your needs. Please configure your LAM server profile to set up the sender address, subject and mail body.</para> <para>Using this method prevents your support staff from learning the new password. The mail itself contains the password in clear text, so this method is only as safe as the user's mailbox; again, "Force password change" makes the mailed password a temporary one.</para> </listitem> <listitem> <para><emphasis role="bold">set specific password</emphasis></para> <para>Here you can specify your own password.</para> </listitem> </itemizedlist> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordReset2.png" /> </imageobject> </mediaobject> </screenshot> <para>LAM will display contact information about the user like the user's name, email address and telephone number. 
This will help your deskside support to easily contact your users.</para> <para><emphasis role="bold">Options:</emphasis></para> <para>Depending on the account there may be additional options available.</para> <itemizedlist> <listitem> <para><emphasis role="bold">Sync Samba NT/LM password with Unix password:</emphasis> If a user account has Samba passwords set then LAM will offer to synchronize the passwords. Note that the LM hash is a weak hash only needed by very old clients; keep it only if your environment still requires it.</para> </listitem> <listitem> <para><emphasis role="bold">Unlock Samba account:</emphasis> Locked Samba accounts can be unlocked with the password change.</para> </listitem> <listitem> <para><emphasis role="bold">Update Samba password timestamps:</emphasis> This will set the timestamps when the password was changed (sambaPwdLastSet), may be changed again (sambaPwdCanChange) and must be changed again (sambaPwdMustChange). Only existing attributes are updated. No new attributes are added.</para> </listitem> <listitem> <para><emphasis role="bold">Sync Asterisk (voicemail) password with Unix password:</emphasis> Also changes the Asterisk passwords.</para> </listitem> <listitem> <para><emphasis role="bold">Force password change:</emphasis> This will force the user to change their password at next login. This option supports Shadow, Samba 3 and PPolicy (automatically detected).</para> </listitem> </itemizedlist> </section> </chapter> <chapter id="a_selfService"> <title>Self service (LAM Pro)</title> <section> <title>Preparations</title> <section> <title>OpenLDAP ACLs</title> <para>By default only a few administrative users have write access to the LDAP database. 
Before your users may change their settings you must allow them to change their LDAP data.</para> <para>This can be done by adding ACLs to your slapd.conf which look like the following. Keep the password attribute in a rule of its own: a rule with "by * read" that also covers userPassword would let everybody, including anonymous clients, read the password hashes of all users.</para> <para><emphasis role="bold">access to attrs=userPassword</emphasis></para> <para><emphasis role="bold"> by self write</emphasis></para> <para><emphasis role="bold"> by anonymous auth</emphasis></para> <para><emphasis role="bold"> by * none</emphasis></para> <para><emphasis role="bold">access to</emphasis></para> <para><emphasis role="bold"> attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange</emphasis></para> <para><emphasis role="bold"> by self write</emphasis></para> <para><emphasis role="bold"> by * read</emphasis></para> <para>OpenLDAP evaluates the rules in order and uses the first "access to" clause that matches, so place these rules before any general "access to *" rule. "by anonymous auth" is what allows your users to log in (bind) without exposing the hash. These rules only grant write access to the user himself; your LAM admin accounts need their own "by dn.exact=... write" lines in both rules unless they are the rootdn, which bypasses ACLs. If you use the password self reset feature, the DN configured there additionally needs write access to userPassword, pwdAccountLockedTime and shadowLastChange.</para> <para>If you do not want them to change all attributes then reduce the list to fit your needs. Some modules may require additional LDAP attributes. You can use the tree view to get the technical attribute names e.g. by selecting a user account.</para> <para>Usually, the slapd.conf file is located in /etc/ldap or /etc/openldap. If your server uses the cn=config backend instead, the same rules go into the olcAccess attribute of the database entry.</para> </section> <section> <title>Other LDAP servers</title> <para>There exist many LDAP implementations. If you do not use OpenLDAP you need to write your own ACLs. Please check the manual of your LDAP server for instructions.</para> </section> </section> <section> <title>Creating a self service profile</title> <para>A self service profile defines what input fields your users see and some other general settings like the login caption.</para> <para>When you go to the LAM configuration page you will see the self service link at the bottom. This will lead you to the self service configuration pages.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/conf1.jpg" /> </imageobject> </mediaobject> </screenshot> <para>Now we need to create a new self service profile. 
Click on the link to manage the self service profiles.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/conf2.jpg" /> </imageobject> </mediaobject> </screenshot> <para>Specify a name for the new profile and enter your master configuration password (default is "lam"; change it if you have not done so yet) to save the profile.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/conf3.jpg" /> </imageobject> </mediaobject> </screenshot> <para>Now go back to the profile login and enter your master configuration password to edit your new profile.</para> </section> <section> <title>Edit your new profile</title> <section> <title>Basic settings</title> <para>On top of the page you see the link to the user login page. Copy this link address and give it to your users.</para> <para>Below the link you can specify several options.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/conf4.jpg" /> </imageobject> </mediaobject> </screenshot> <table> <title>General options</title> <tgroup cols="2"> <tbody> <row> <entry>Server address</entry> <entry>The address of your LDAP server. Use an encrypted connection (SSL/TLS), since the users' passwords are sent to the LDAP server on every login.</entry> </row> <row> <entry>LDAP suffix</entry> <entry>The part of the LDAP tree where LAM should search for users</entry> </row> <row> <entry>LDAP user + password</entry> <entry>The DN and password which are used to search for users in the LDAP database. It is sufficient if this DN has only read rights; do not use an administrative account here. If you leave these fields empty LAM will try to connect anonymously.</entry> </row> <row> <entry>LDAP search attribute</entry> <entry>Here you can specify whether your users log in with user name + password, email + password or other attributes.</entry> </row> <row> <entry>HTTP authentication</entry> <entry>You can enable HTTP authentication for your users. This way the web server is responsible for authenticating your users. LAM will use the given user name + password for the LDAP login, so the connection between browser and web server should be HTTPS. 
To set up HTTP authentication in Apache please see this <ulink url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</entry> </row> <row> <entry>Login attribute label</entry> <entry>This is the description for the LDAP search attribute. Set it to something which your users are familiar with.</entry> </row> <row> <entry>Login caption</entry> <entry>This text is displayed on the login page. You can input HTML, too.</entry> </row> <row> <entry>Main page caption</entry> <entry>This text is displayed on the self service main page where your users change their data. You can input HTML, too.</entry> </row> <row> <entry>Page header</entry> <entry>This HTML code will be placed on top of all self service pages. E.g. you can use this to place your custom logo. Any HTML code is permitted; it is inserted into the pages as-is, which is why editing the profile requires the master configuration password.</entry> </row> <row> <entry>Additional CSS links</entry> <entry>Here you can specify additional CSS links to change the layout of the self service pages. This is useful to adapt them to your corporate design. Please enter one link per line.</entry> </row> </tbody> </tgroup> </table> </section> <section> <title>Page layout</title> <para>At the bottom you can specify what input fields your users can see. It is also possible to group several input fields.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/conf5.jpg" /> </imageobject> </mediaobject> </screenshot> </section> <section id="PasswordSelfReset"> <title>Password self reset</title> <para><emphasis role="bold">Settings</emphasis></para> <para>You can allow your users to reset their passwords themselves. 
This will reduce your administrative costs for cases where users forget their passwords.</para> <para>To enable this feature please activate the checkbox "Enable password self reset link":</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordSelfReset1.png" /> </imageobject> </mediaobject> </screenshot> <para>You can now configure the minimum answer length for password reset answers. This is checked when you allow your users to specify their answers via the self service. The answer is effectively a second credential for the account, so do not set the minimum too low. Additionally, you can specify the text of the password reset link (default: "Forgot password?"). The link is displayed below the password field on the self service login page.</para> <para>Next, please enter the DN and password of an LDAP entry that is allowed to reset the passwords. This entry needs write access to the attributes shadowLastChange, pwdAccountLockedTime and userPassword. It also needs read access to uid, mail, passwordSelfResetQuestion and passwordSelfResetAnswer. Use a dedicated LDAP account with exactly these rights rather than your directory administrator account. Please note that LAM Pro saves this password in its configuration files on the file system of your web server. Therefore, restrict the file permissions of LAM's configuration directory and protect your server against unauthorised access.</para> <para>Please also specify the list of password reset questions that the user can choose from.</para> <literallayout> </literallayout> <para>You can inform your users via mail about their password change. The mail can include the new password by using the special wildcard "@@newPassword@@". Since the mail then contains the new password in clear text, only do this if the mailbox is not itself protected by that password. Additionally, you may want to insert other wildcards that are replaced by the corresponding LDAP attributes. E.g. "@@uid@@" will be replaced by the user name.</para> <literallayout> </literallayout> <para>LAM Pro can send your users an email with a confirmation link to validate their email address. Of course, this should only be used if the email account is independent from the user password (e.g. at an external provider). The mail must include the confirmation link by using the special wildcard "@@resetLink@@". 
Additionally, you may insert other wildcards that are replaced by the corresponding LDAP attributes. E.g. "@@uid@@" will be replaced by the user name.</para> <para>There is also an option to skip the security question entirely if email verification is enabled. In this case the password can be reset directly after clicking on the confirmation link. Please handle this with care since anybody with access to the user's mail account can then reset the password.</para> <para><emphasis role="bold">New fields for self service page</emphasis></para> <para>There are two new fields that you may put on the self service page for your users. These fields allow them to change the reset question and its answer.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordSelfReset2.png" /> </imageobject> </mediaobject> </screenshot> <para>This is an example of how this can be presented to your users on the self service page:</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordSelfReset3.png" /> </imageobject> </mediaobject> </screenshot> <para><emphasis role="bold">Password reset link</emphasis></para> <para>After activating the password self reset feature there will be a new link on the self service login page. The text can be configured as described above (default: "Forgot password?").</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordSelfReset4.png" /> </imageobject> </mediaobject> </screenshot> <para>When a user clicks on the link, they will be asked to identify themselves with their user name and email address.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordSelfReset5.png" /> </imageobject> </mediaobject> </screenshot> <para>LAM Pro will use this information to find the correct LDAP entry of this user. It then displays the user's security question and input fields for the new password. If the answer is correct then the new password will be set. 
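</para> <para>The reset flow described above requires the reset entry configured in the self service profile to write userPassword, pwdAccountLockedTime and shadowLastChange and to read uid, mail, passwordSelfResetQuestion and passwordSelfResetAnswer. The following slapd.conf access clauses grant exactly that and nothing more. They are an added example, not part of the LAM manual; the service DN cn=lam-pwreset,ou=services,dc=company,dc=com and the suffix dc=company,dc=com are assumptions (the suffix follows the Apache example later in this manual).</para>

```conf
# Added example (not from the LAM manual): least-privilege OpenLDAP ACL for the
# LAM Pro password reset entry. Assumptions: the reset entry is
# cn=lam-pwreset,ou=services,dc=company,dc=com and the suffix is dc=company,dc=com.
# slapd evaluates "access to" clauses in order and stops at the first clause whose
# target matches, so these clauses must precede any catch-all "access to *".

# The reset entry sets the new password; users may change their own password;
# anonymous clients may only bind against it, never read it.
access to attrs=userPassword
    by dn.exact="cn=lam-pwreset,ou=services,dc=company,dc=com" write
    by self write
    by anonymous auth
    by * none

# The lock state is cleared by LAM Pro after a correct answer. Users must not be
# able to unlock themselves, so they only get read access.
access to attrs=pwdAccountLockedTime
    by dn.exact="cn=lam-pwreset,ou=services,dc=company,dc=com" write
    by self read
    by * none

# shadowLastChange is updated by LAM Pro on reset; self write keeps regular
# password changes through PAM/NSS clients working, authenticated users may read
# it for expiry checks.
access to attrs=shadowLastChange
    by dn.exact="cn=lam-pwreset,ou=services,dc=company,dc=com" write
    by self write
    by users read
    by * none

# The security question and its answer are secrets comparable to a password:
# readable by the reset entry, changeable by the owner via self service,
# invisible to everyone else.
access to attrs=passwordSelfResetQuestion,passwordSelfResetAnswer
    by dn.exact="cn=lam-pwreset,ou=services,dc=company,dc=com" read
    by self write
    by * none

# uid and mail identify the entry during the reset dialog. Widen "by users read"
# (e.g. to "by anonymous read") only if NSS clients in your setup resolve users
# without binding.
access to attrs=uid,mail
    by dn.exact="cn=lam-pwreset,ou=services,dc=company,dc=com" read
    by users read
    by * none
```

Because the reset entry's password is stored on the LAM server's file system, limiting the entry to these rights keeps the impact of a compromised LAM host to password resets rather than arbitrary directory changes.
<para>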
Additionally, pwdAccountLockedTime will be removed and shadowLastChange updated to the current time if these attributes exist.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/passwordSelfReset6.png" /> </imageobject> </mediaobject> </screenshot> </section> </section> <section> <title>Adapt the self service to your corporate design</title> <para>LAM Pro allows you to integrate custom CSS style definitions and design the header of all self service pages. This way you can integrate your own logo and use your company's colors.</para> <section> <title>Custom header</title> <para>The default LAM Pro header includes a logo and a horizontal line. You can enter any HTML code here. It will be included in the self service pages after the body tag.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configPageHeader.png" /> </imageobject> </mediaobject> </screenshot> </section> <section> <title>CSS files</title> <para>Usually, companies have regulations about their corporate design and use common CSS files. This ensures a common appearance of all intranet pages (e.g. colors and fonts). To include additional CSS files, use the following setting. The additional CSS links will be added after LAM Pro's default CSS link. This way you can override LAM Pro's style.</para> <screenshot> <mediaobject> <imageobject> <imagedata fileref="images/configCSS.png" /> </imageobject> </mediaobject> </screenshot> </section> </section> </chapter> <appendix id="a_schema"> <title>LDAP schema files</title> <para>Here is a list of the LDAP schema files needed for the different LAM modules. 
For OpenLDAP we also provide a source where you can get the files.</para> <table frame="none" lang="" role="" tabstyle="nogrid"> <title>LDAP schema files</title> <tgroup cols="6"> <thead> <row> <entry></entry> <entry>Account type</entry> <entry>Object class(es)</entry> <entry>Schema name</entry> <entry>Source</entry> <entry>Notes</entry> </row> </thead> <tbody> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_unix.png" /> </imageobject> </inlinemediaobject></entry> <entry>Unix accounts</entry> <entry>posixAccount, shadowAccount, hostObject, posixGroup</entry> <entry>nis.schema, rfc2307bis.schema, ldapns.schema (hostObject)</entry> <entry>Part of OpenLDAP installation, part of libpam-ldap (ldapns.schema)</entry> <entry>The rfc2307bis.schema is only supported by LAM Pro. Use the nis.schema if you do not want to upgrade to LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_inetOrgPerson.png" /> </imageobject> </inlinemediaobject></entry> <entry>Address book entries</entry> <entry>inetOrgPerson</entry> <entry>inetorgperson.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_samba.png" /> </imageobject> </inlinemediaobject></entry> <entry>Samba 3 accounts</entry> <entry>sambaSamAccount, sambaGroupMapping, sambaDomain</entry> <entry>samba.schema</entry> <entry>Part of Samba tarball (examples/LDAP/samba.schema)</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_kolab.png" /> </imageobject> </inlinemediaobject></entry> <entry>Kolab 2 users</entry> <entry>kolabUser</entry> <entry>kolab2.schema, rfc2739.schema</entry> <entry>Part of Kolab 2 installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_asterisk.png" /> </imageobject> 
</inlinemediaobject></entry> <entry>Asterisk (extension)</entry> <entry>AsteriskSIPUser, AsteriskExtension</entry> <entry>asterisk.schema</entry> <entry>Part of Asterisk installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_mailAlias.png" /> </imageobject> </inlinemediaobject></entry> <entry>Mail routing</entry> <entry>inetLocalMailRecipient</entry> <entry>misc.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_hostObject.png" /> </imageobject> </inlinemediaobject></entry> <entry>Hosts</entry> <entry>hostObject, device</entry> <entry>ldapns.schema</entry> <entry>Part of libpam-ldap installation</entry> <entry>The device object class is only available in LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_authorizedServices.png" /> </imageobject> </inlinemediaobject></entry> <entry>Authorized services</entry> <entry>authorizedServiceObject</entry> <entry>ldapns.schema</entry> <entry>Part of libpam-ldap installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_mailAlias.png" /> </imageobject> </inlinemediaobject></entry> <entry>Mail aliases</entry> <entry>nisMailAlias</entry> <entry>misc.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_mac.png" /> </imageobject> </inlinemediaobject></entry> <entry>MAC addresses</entry> <entry>ieee802device</entry> <entry>nis.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_ipHost.png" /> </imageobject> </inlinemediaobject></entry> <entry>IP addresses</entry> <entry>ipHost</entry> <entry>nis.schema</entry> 
<entry>Part of OpenLDAP installation</entry> <entry>This account type is only available in LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_user.png" /> </imageobject> </inlinemediaobject></entry> <entry>Simple Accounts</entry> <entry>account</entry> <entry>cosine.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_ssh.png" /> </imageobject> </inlinemediaobject></entry> <entry>SSH public keys</entry> <entry>ldapPublicKey</entry> <entry>openssh-lpk.schema</entry> <entry>Included in patch from <ulink url="http://code.google.com/p/openssh-lpk/">http://code.google.com/p/openssh-lpk/</ulink></entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_quota.png" /> </imageobject> </inlinemediaobject></entry> <entry>Filesystem quotas</entry> <entry>systemQuotas</entry> <entry>quota.schema</entry> <entry><ulink url="http://sourceforge.net/projects/linuxquota/">Linux DiskQuota</ulink></entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_groupOfNames.png" /> </imageobject> </inlinemediaobject></entry> <entry>Group of (unique) names</entry> <entry>groupOfNames, groupOfUniqueNames</entry> <entry>core.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry>This account type is only available in LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_dhcp.png" /> </imageobject> </inlinemediaobject></entry> <entry>DHCP</entry> <entry>dhcpOptions, dhcpSubnet, dhcpServer</entry> <entry>dhcp.schema</entry> <entry>docs/schema/dhcp.schema</entry> <entry>The LDAP suffix should be set to your dhcpServer entry.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_alias.png" /> </imageobject> 
</inlinemediaobject></entry> <entry>Aliases</entry> <entry>alias, uidObject</entry> <entry>core.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry>This account type is only available in LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_netgroup.png" /> </imageobject> </inlinemediaobject></entry> <entry>NIS netgroups</entry> <entry>nisNetgroup</entry> <entry>nis.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_nisObject.png" /> </imageobject> </inlinemediaobject></entry> <entry>NIS objects</entry> <entry>nisObject</entry> <entry>nis.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry>This account type is only available in LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_nisObject.png" /> </imageobject> </inlinemediaobject></entry> <entry>Automount objects</entry> <entry>automount</entry> <entry>autofs.schema</entry> <entry>Autofs LDAP</entry> <entry>This account type is only available in LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_ppolicy.png" /> </imageobject> </inlinemediaobject></entry> <entry>Password policies</entry> <entry>pwdPolicy, device</entry> <entry>ppolicy.schema, core.schema</entry> <entry>Part of OpenLDAP installation</entry> <entry>This account type is only available in LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_freeRadius.png" /> </imageobject> </inlinemediaobject></entry> <entry>FreeRadius users</entry> <entry>radiusprofile</entry> <entry>openldap.schema</entry> <entry>Part of FreeRadius installation</entry> <entry></entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_sudo.png" /> </imageobject> </inlinemediaobject></entry> 
<entry>Sudo roles</entry> <entry>sudoRole</entry> <entry>sudo.schema</entry> <entry>Part of sudo-ldap installation</entry> <entry>This account type is only available in LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_zarafa.png" /> </imageobject> </inlinemediaobject></entry> <entry>Zarafa</entry> <entry>zarafa-user, zarafa-group, zarafa-server</entry> <entry>zarafa.schema</entry> <entry>Part of Zarafa installation</entry> <entry>This account type is only available in LAM Pro.</entry> </row> <row> <entry><inlinemediaobject> <imageobject> <imagedata fileref="images/schema_mailAlias.png" /> </imageobject> </inlinemediaobject></entry> <entry>IMAP mailboxes</entry> <entry>-</entry> <entry>-</entry> <entry>-</entry> <entry>Does not require any schema.</entry> </row> </tbody> </tgroup> </table> </appendix> <appendix id="a_security"> <title>Security</title> <section id="a_configPasswords"> <title>LAM configuration passwords</title> <para>LAM uses a two-level authorization system for its configuration. Therefore, there are two types of configuration passwords:</para> <itemizedlist> <listitem> <para><emphasis role="bold">master configuration password:</emphasis> needed to change general settings and to create/delete server profiles and self service profiles</para> </listitem> <listitem> <para><emphasis role="bold">server profile password:</emphasis> used to change the settings of a server profile (e.g. LDAP server and account types to manage)</para> </listitem> </itemizedlist> <para>The master configuration password can be used to reset a server profile password. Each server profile has its own profile password.</para> <para>Both password types are stored as hash values in the configuration files for enhanced security.</para> </section> <section> <title>Use of SSL</title> <para>The data which is transferred between you and LAM is very sensitive. 
Please always use SSL encrypted connections between LAM and your browser to protect yourself against network sniffers.</para> </section> <section> <title>LDAP with SSL and TLS</title> <para>SSL will be used if you use ldaps://servername in your configuration profile. TLS can be activated with the "Activate TLS" option.</para> <para>You will need to set up ldap.conf to trust your server certificate. Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. Specify the server CA certificate with the following option:</para> <programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting> <para>This needs to be the public part of the signing certificate authority. See "man ldap.conf" for additional options.</para> </section> <section> <title>Chrooted servers</title> <para>If your server is chrooted and you have no access to /dev/random or /dev/urandom this can be a security risk. LAM stores your LDAP password encrypted in the session. LAM uses rand() to generate the key if /dev/random and /dev/urandom are not accessible. Therefore the key can be easily guessed. An attacker needs read access to the session file (e.g. from another Apache instance) to exploit this.</para> </section> <section> <title>Protection of your LDAP password and directory contents</title> <para>You have to install the MCrypt extension for PHP to enable encryption.</para> <para>Your LDAP password is stored encrypted in the session file. The key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to encrypt the password. All data that was read from LDAP and needs to be stored in the session file is also encrypted.</para> </section> <section> <title>Apache configuration</title> <section> <title>Sensitive directories</title> <para>LAM includes several .htaccess files to protect your configuration files and temporary data. Apache is often configured to not use .htaccess files by default. 
Therefore, please check your Apache configuration and change the override setting to:</para> <programlisting>AllowOverride All</programlisting> <para>If you are experienced in configuring Apache then you can also copy the security settings from the .htaccess files to your main Apache configuration.</para> <para>If possible, you should not rely on .htaccess files alone but also move the config and sess directories to a place outside of your WWW root. You can put a symbolic link in the LAM directory so that LAM finds the configuration/session files.</para> <para>Security sensitive directories:</para> <para><emphasis role="bold">config: </emphasis>Contains your LAM configuration and account profiles</para> <itemizedlist> <listitem> <para>LAM configuration passwords (SSHA hashed)</para> </listitem> <listitem> <para>default values for new accounts</para> </listitem> <listitem> <para>directory must be accessible by Apache but need not be accessible by the browser</para> </listitem> </itemizedlist> <para><emphasis role="bold">sess:</emphasis> PHP session files</para> <itemizedlist> <listitem> <para>LAM admin password in clear text or MCrypt encrypted</para> </listitem> <listitem> <para>cached LDAP entries in clear text or MCrypt encrypted</para> </listitem> <listitem> <para>directory must be accessible by Apache but need not be accessible by the browser</para> </listitem> </itemizedlist> <para><emphasis role="bold">tmp:</emphasis> temporary files</para> <itemizedlist> <listitem> <para>PDF documents which may also include passwords</para> </listitem> <listitem> <para>images of your users</para> </listitem> <listitem> <para>directory contents must be accessible by the browser but the directory itself need not be browsable</para> </listitem> </itemizedlist> </section> <section id="apache_http_auth"> <title>Use LDAP HTTP authentication for LAM</title> <para>With HTTP authentication Apache will be responsible for asking for the user name and password. 
Both will then be forwarded to LAM which will use them to access LDAP. This approach gives you more flexibility to restrict the number of users that may access LAM (e.g. by requiring group memberships).</para> <para>First of all you need to load additional Apache modules. These are "<ulink url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>" and "<ulink url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para> <para>Next you can add a file called "lam_auth_ldap" to /etc/apache/conf.d. This simple example restricts access to all URLs beginning with "lam" to LDAP authentication.</para> <programlisting>&lt;Location /lam&gt;
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  Require valid-user
&lt;/Location&gt;</programlisting> <para>You can also require that your users belong to a certain Unix group in LDAP. Note that "Require valid-user" must be left out here: Apache grants access as soon as any Require directive is satisfied, so keeping it would let every authenticated LDAP user in regardless of group membership.</para> <programlisting>&lt;Location /lam&gt;
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  # force membership of lam-admins (no "Require valid-user" here,
  # otherwise the group check is bypassed)
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
&lt;/Location&gt;</programlisting> <para>Please see the <ulink url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">Apache documentation</ulink> for more details.</para> </section> </section> </appendix> <appendix> <title>Recommended OpenLDAP settings</title> <para>Some basic hints to configure the OpenLDAP server:</para> <para><emphasis role="bold">Size limit:</emphasis> By default OpenLDAP returns at most 500 entries per search. If you have more users/groups/hosts, change this in slapd.conf, e.g. "sizelimit 10000", or "sizelimit -1" for an unlimited number of results.</para> <para><emphasis role="bold">Indices:</emphasis> Indices will improve the performance when searching for entries in the LDAP directory. 
The following indices are recommended:</para> <simplelist> <member>index objectClass eq</member> <member>index default sub</member> <member>index uidNumber eq</member> <member>index gidNumber eq</member> <member>index memberUid eq</member> <member>index cn,sn,uid,displayName pres,sub,eq</member> <member># Samba 3.x</member> <member>index sambaSID eq</member> <member>index sambaPrimaryGroupSID eq</member> <member>index sambaDomainName eq</member> </simplelist> </appendix> <appendix id="a_lamdaemon"> <title>Setup for home directory and quota management</title> <para>Lamdaemon.pl is used to modify quota and home directories on a remote or local host via SSH. If you want to use it you have to set up the following things to get it to work:</para> <section> <title>LDAP Account Manager configuration</title> <itemizedlist> <listitem> <para>Set the remote or local host in the configuration (e.g. 127.0.0.1)</para> </listitem> <listitem> <para>Path to lamdaemon.pl, e.g. /srv/www/htdocs/lam/lib/lamdaemon.pl. If you installed a Debian or RPM package then the script may be located at /usr/share/ldap-account-manager/lib or /var/www/html/lam/lib.</para> </listitem> <listitem> <para>Your LAM admin user must be a valid Unix account. It needs to have the object class "posixAccount" and an attribute "uid". This account must be accepted by the SSH daemon of your home directory server. Do not create a second local account but change your system to accept LDAP users. You can use LAM to add the Unix account part to your admin user.</para> </listitem> </itemizedlist> </section> <section> <title>Set up sudo</title> <para>The Perl script has to run as root. Therefore we need a wrapper, sudo. 
Edit /etc/sudoers on the host where home directories or quotas should be managed and add the following line:</para> <programlisting>$admin ALL= NOPASSWD: $path_to_lamdaemon *</programlisting> <para><emphasis>$admin</emphasis> is the admin user from LAM (must be a valid Unix account) and <emphasis>$path_to_lamdaemon</emphasis> is the path to lamdaemon.pl.</para> <para><emphasis role="bold">Example:</emphasis></para> <programlisting>myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl *</programlisting> <para>You might need to run the sudo command once manually to initialize sudo. The command "sudo -l" will show all possible sudo commands of the current user.</para> <para><emphasis role="bold">Attention:</emphasis> Please do not use the options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers. Otherwise you might get errors like "you must have a tty to run sudo" or "no tty present and no askpass program specified".</para> </section> <section> <title>Set up Perl</title> <para>We need an extra Perl module, Quota. To install it, run:</para> <simplelist> <member>perl -MCPAN -e shell</member> <member>install Quota</member> </simplelist> <para>If your Perl executable is not located in /usr/bin/perl you will have to edit the path in the first line of lamdaemon.pl. If you have problems compiling the Perl modules try installing a newer release of your GCC compiler and the "make" application.</para> <para>Several Linux distributions already include a quota package for Perl.</para> </section> <section> <title>Set up SSH</title> <para>Your SSH daemon must offer the password authentication method. 
To activate it just use this configuration option in /etc/ssh/sshd_config:</para> <programlisting>PasswordAuthentication yes</programlisting> </section> <section> <title>Troubleshooting</title> <para>If you have problems managing quotas and home directories then these points might help:</para> <itemizedlist> <listitem> <para>There is a test page for lamdaemon: Login to LAM and open Tools -> Tests -> Lamdaemon test</para> </listitem> <listitem> <para>Check /var/log/auth.log or its equivalent on your system. This file contains messages about all logins. If the SSH login failed then you will find a description of the reason here.</para> </listitem> <listitem> <para>Set sshd to debug mode. In /etc/ssh/sshd_config add these lines:</para> <simplelist> <member>SyslogFacility AUTH</member> <member>LogLevel DEBUG3</member> </simplelist> <para>Now check /var/log/syslog for messages from sshd.</para> </listitem> <listitem> <para>Update OpenSSH. A Suse Linux user reported that upgrading OpenSSH solved the problem.</para> </listitem> </itemizedlist> </section> </appendix> <appendix> <title>Kolab user management</title> <para>Here are some notes on managing Kolab accounts with LAM:</para> <section> <title>Creating accounts</title> <para>The mailbox server cannot be changed after the account has been saved. Please make sure that the value is correct. The email address ("Personal" page) must match your Kolab domain, otherwise the account will not work.</para> </section> <section> <title>Deleting accounts</title> <para>If you want to cleanly delete accounts use the "Mark for deletion" button on the Kolab subpage of an account. This will also remove the user's mailbox. If you delete the account from the account list (which is standard for LAM accounts) then no cleanup actions are performed.</para> </section> <section> <title>Managing accounts with both LAM and Kolab Admin GUI</title> <para>The Kolab GUI has some restrictions that LAM does not have. 
Please pay attention to the following restrictions:</para> <itemizedlist> <listitem> <para>Common name in LAM</para> <para>The common name must have the format "&lt;first name&gt; &lt;last name&gt;". You can leave the field empty in LAM and it will automatically fill in the correct value.</para> </listitem> <listitem> <para>Changing first/last name in Kolab GUI</para> <para>Do not change the first/last name of your users in the Kolab GUI! The GUI will change the common name, which leads to an LDAP object class violation. This is caused by a bug in the Kolab GUI.</para> </listitem> </itemizedlist> </section> <section> <title>Adding a Kolab part to existing accounts</title> <para>If you upgrade existing non-Kolab accounts please make sure that the account has a Unix password.</para> </section> <section> <title>Installing LAM on the Kolab server</title> <para>You can install LAM in the directory "/kolab/var/kolab/www" which is the root directory for Apache. The PHP installation already includes all required packages.</para> </section> </appendix> </book>