LDAP Account Manager - ManualOverviewLDAP Account Manager (LAM) manages user, group and host accounts in
an LDAP directory. LAM runs on any webserver with PHP5 support and
connects to your LDAP server unencrypted or via SSL/TLS.LAM supports Samba 3, Unix, Zarafa, Kolab 2/3, address book entries,
NIS mail aliases, MAC addresses and much more. There is a tree viewer
included to allow access to the raw LDAP attributes. You can use templates
for account creation and use multiple configuration profiles.https://www.ldap-account-manager.org/Copyright (C) 2003 - 2014 Roland Gruber
<post@rolandgruber.de>Key features:managing user/group/host/domain entriesaccount profilesaccount creation via file uploadmultiple configuration profilesLDAP browserschema browserOU editorPDF export for all accountsmanage user/group Quota and create home directoriesRequirements:PHP5 (>= 5.2.4)Any standard LDAP server (e.g. OpenLDAP, Active Directory, Samba
4, OpenDJ, 389 Directory Server, Apache DS, ...)A recent web browser that supports CSS2 and JavaScript, at
minimum:Firefox 3Internet Explorer 8 (compatibility
mode turned off)Opera 10The default password to edit the configuration options is
"lam".License:LAM is published under the GNU General Public License. The complete
list of licenses can be found in the copyright file.Default password:The default password for the LAM configuration is "lam".
Have fun!
The LAM development teamArchitectureThere are basically two groups of users for LAM:LDAP administrators and support
staff:These people administer LDAP entries like user accounts, groups,
...Users:This includes all people who need to manage their own data
inside the LDAP directory. E.g. these people edit their contact
information with LAM self service (LAM Pro).Therefore, LAM is split into two separate parts, LAM for admins and
for users. LAM for admins allows to manage various types of LDAP entries
(e.g. users, groups, hosts, ...). It also contains tools like batch
upload, account profiles, LDAP schema viewer and an LDAP browser. LAM for
users focuses on end users. It provides a self service for the users to
edit their personal data (e.g. contact information). The LAM administrator
is able to specify what data may be changed by the users. The design is
also adaptable to your corporate design.LAM for admins/users is accessible via HTTP(S) by all major web
browsers (Firefox, IE, Opera, ...).LAM runtime environment:LAM runs on PHP. Therefore, it is independant of CPU architecture
and operating system (OS). You can run LAM on any OS which supports
Apache, Nginx or other PHP compatible web servers.Home directory server:You can manage user home directories and their quotas inside LAM.
The home directories may reside on the server where LAM is installed or
any remote server. The commands for home directory management are secured
by SSH. LAM will use the user name and password of the logged in LAM
administrator for authentication.LDAP directory:LAM connects to your LDAP server via standard LDAP protocol. It also
supports encrypted connections with SSL and TLS.InstallationNew installationRequirementsLAM has the following requirements to run:Apache/Nginx webserver (SSL recommended) with PHP module
(PHP 5 (>= 5.2.4) with ldap, gettext, xml, openssl and optional
mcrypt)Some LAM plugins may require additional PHP extensions (you
will get a note on the login page if something is missing)Perl (optional, needed only for lamdaemon)Any standard LDAP server (e.g. OpenLDAP, Active Directory,
Samba 4, OpenDJ, 389 Directory Server, Apache DS, ...)A recent web browser that supports CSS2 and JavaScript, at
minimum:Firefox 3Internet Explorer 8 (compatibility mode turned
off)Opera 10MCrypt will be used to store your LDAP password encrypted in the
session file.Please note that LAM does not ship with a selinux policy. Please
disable selinux or create your own policy.See LDAP schema fles for
information about used LDAP schema files.Prepackaged releasesLAM is available as prepackaged version for various
platforms.DebianLAM is part of the official Debian repository. New
releases are uploaded to unstable and will be available
automatically in testing and the stable releases. You can
runapt-get
install ldap-account-managerto install LAM
on your server. Additionally, you may download the latest
LAM Debian packages from the LAM
homepage or the Debian
package homepage.Installation of the latest packages on
DebianInstall the LAM packagedpkg -i ldap-account-manager_*.debIf you get any messages about missing
dependencies run now: apt-get -f installInstall the lamdaemon package (optional)dpkg -i
ldap-account-manager-lamdaemon_*.debSuse/FedoraThere are RPM packages available on the LAM
homepage. The packages can be installed with these
commands:rpm -e
ldap-account-manager
ldap-account-manager-lamdaemon (if an older
version is installed)rpm
-i <path to LAM package>Other RPM based distributionsThe RPM packages for Suse/Fedora are very generic and should
be installable on other RPM-based distributions, too. The Fedora
packages use apache:apache as file owner and the Suse ones use
wwwrun:www.FreeBSDLAM is part of the official FreeBSD ports tree. For
more details see these pages:FreeBSD-SVN: http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/FreshPorts:
http://www.freshports.org/sysutils/ldap-account-managerInstalling the tar.bz2Extract the archivePlease extract the archive with the following command:tar xjf ldap-account-manager-<version>.tar.bz2Install the filesManual copyCopy the files into the html-file scope of the web server.
For example /apache/htdocs.Then set the appropriate file permissions:lam/sess: write permission for apache/nginx userlam/tmp: write permission for apache/nginx userlam/config (with subdirectories): write permission for
apache/nginx userlam/lib: lamdaemon.pl must be set executableWith configure scriptInstead of manually copying files you can also use the
included configure script to install LAM. Just run these commands
in the extracted directory:./configuremake installOptions for "./configure":--with-httpd-user=USER USER is the name of your
Apache/Nginx user account (default httpd)--with-httpd-group=GROUP GROUP is the name of your
Apache/Nginx group (default httpd)--with-web-root=DIRECTORY DIRECTORY is the name where
LAM should be installed (default /usr/local/lam)Configuration filesCopy config/config.cfg.sample to config/config.cfg and
config/lam.conf.sample to config/lam.conf. Open the index.html in
your web browser:Follow the link "LAM configuration" from the start page to
configure LAM.Select "Edit general settings" to setup global settings
and to change the master
configuration password (default is "lam").Select "Edit server profiles" to setup your server
profiles. There should be the lam profile which you just copied
from the sample file. The default password is "lam". Now change
the settings to fit for your environment.Webserver configurationPlease see the Apache or Nginx chapter.System configurationPHPLAM runs with PHP5 (>= 5.2.4). Needed changes in your
php.ini:memory_limit = 64MFor large installations (>10000 LDAP entries) you may need
to increase the memory limit to 256M.If you run PHP with activated Suhosin
extension please check your logs for alerts. E.g. LAM requires that
"suhosin.post.max_name_length" and
"suhosin.request.max_varname_length" are increased (e.g. to
256).Locales for non-English translationIf you want to use a translated version of LAM be sure to
install the needed locales. The following table shows the needed
locales for the different languages.
LocalesLanguageLocaleCatalanca_ES.utf8Chinese (Simplified)zh_CN.utf8Chinese (Traditional)zh_TW.utf8Czechcs_CZ.utf8Dutchnl_NL.utf8English - Great Britainno extra locale neededEnglish - USAen_US.utf8Frenchfr_FR.utf8Germande_DE.utf8Hungarianhu_HU.utf8Italianit_IT.utf8Japaneseja_JP.utf8Polishpl_PL.utf8Portuguesept_BR.utf8Russianru_RU.utf8Slovaksk_SK.utf8Spanishes_ES.utf8Turkishtr_TR.utf8Ukrainianuk_UA.utf8
You can get a list of all installed locales on your system by
executing:locale -aDebian users can add locales with "dpkg-reconfigure
locales".Upgrading LAM or migrate from LAM to LAM ProUpgrading from LAM to LAM Pro is like installing a new LAM
version. Simply install the LAM Pro packages/tar.bz2 instead of the LAM
ones.Upgrade LAMBackup configuration
filesConfiguration files need only to be backed up for .tar.bz2
installations. DEB/RPM installations do not require this step.LAM stores all configuration files in the "config" folder.
Please backup the following files and copy them after the new version
is installed.config/*.confconfig/config.cfgconfig/pdf/*.xmlconfig/profiles/*LAM Pro only:config/selfService/*.*Uninstall current LAM (Pro)
versionIf you used the RPM installation packages then remove the
ldap-account-manager and ldap-account-manager-lamdaemon packages by
calling "rpm -e ldap-account-manager
ldap-account-manager-lamdaemon".Debian needs no removal of old packages.For tar.bz2 please remove the folder where you installed LAM via
configure or by copying the files.Install new LAM (Pro)
versionPlease install the new LAM
(Pro) release. Skip the part about setting up LAM configuration
files.Restore configuration
filesRPM:Please check if there are any files ending with ".rpmsave" in
/var/lib/ldap-account-manager/config or
/var/lib/ldap-account-manager/config/selfService. In this case you
need to manually remove the .rpmsave extension by overwriting the
package file. E.g. rename default.user.rpmsave to default.user.DEB:Nothing needs to be restored.tar.bz2:Please restore your configuration files from the backup. Copy
all files from the backup folder to the config folder in your LAM Pro
installation. Do not simply replace the folder because the new LAM
(Pro) release might include additional files in this folder. Overwrite
any existing files with your backup files.Final stepsNow open your webbrowser and point it to the LAM login page. All
your settings should be migrated.Please check also the version
specific instructions. They might include additional
actions.Version specific upgrade instructions4.5 -> 4.7No special actions needed.4.4 -> 4.5LAM will no longer follow referrals by default. This is ok for
most installations. If you use LDAP referrals please activate
referral following for your server profile (tab General settings
-> Server settings -> Advanced options).The self service pages now have an own option for allowed IPs.
If your LAM installation uses IP restrictions please update the LAM
main configuration.Password self reset (LAM Pro) allows to set a backup email
address. You need to update the LDAP
schema if you want to use this feature.4.3 -> 4.4Apache configuration: LAM supports Apache 2.2 and 2.4. This
requires that your Apache server has enabled the "version" module.
For Debian and Fedora this is the default setup. The Suse RPM will
try to enable the version module during installation.Kolab: User accounts get the object class "mailrecipient" by
default. You can change this behaviour in the module settings
section of your LAM server profile.Windows: sAMAccountName is no longer set by default. Enable it
in server profile if needed. The possible domains for the user name
can also be set in server profile.4.2.1 -> 4.3LAM is no more shipped as tar.gz package but as tar.bz2 which
allows smaller file sizes.4.1 -> 4.2/4.2.1Zarafa users: The default attribute for mail aliases is now
"dn". If you use "uid" and did not change the server profile for a
long time please check your LAM server profile for this setting and
save it.4.0 -> 4.1Unix: The list of valid login
shells is no longer configured in "config/shells" but in the
server/self service profiles (Unix settings). LAM will use the
following shells by default: /bin/bash, /bin/csh, /bin/dash,
/bin/false, /bin/ksh, /bin/sh.Please update your server/self service profile if you would
like to change the list of valid login shells.3.9 -> 4.0The account profiles and PDF structures are now separated by
server profile. This means that if you edit e.g. an account profile
in server profile A then this change will not affect the account
profiles in server profile B.LAM will automatically migrate your existing files as soon as
the login page is loaded.Special install instructions:Debian: none, config files will be migrated when opening
LAM's login pageSuse/Fedora RPM:Run "rpm -e ldap-account-manager
ldap-account-manager-lamdaemon"You may get warnings like "warning:
/var/lib/ldap-account-manager/config/profiles/default.user
saved as
/var/lib/ldap-account-manager/config/profiles/default.user.rpmsave"Please rename all files "*.rpmsave" and remove the
file extension ".rpmsave". E.g. "default.user.rpmsave" needs
to be renamed to "default.user".Install the LAM packages with "rpm -i". E.g. "rpm -i
ldap-account-manager-4.0-0.suse.1.noarch.rpm".Open LAM's login page in your browser to complete the
migrationtar.gz: standard upgrade steps, config files will be
migrated when opening LAM's login page3.7 -> 3.9No changes.3.6 -> 3.7Asterisk extensions: The extension entries are now grouped by
extension name and account context. LAM will automatically assign
priorities and set same owners for all entries.3.5.0 -> 3.6Debian users: LAM 3.6
requires to install FPDF 1.7. You can download the package here.
If you use Debian Stable (Squeeze) please use the package from
Testing (Wheezy).3.4.0 -> 3.5.0LAM Pro: The global
config/passwordMailTemplate.txt is no longer supported. You can
setup the mail settings now for each LAM server profile which
provides more flexibility.Suse/Fedora RPM
installations: LAM is now installed to
/usr/share/ldap-account-manager and
/var/lib/ldap-account-manager.Please note that configuration files are not migrated
automatically. Please move the files from /srv/www/htdocs/lam/config
(Suse) or /var/www/html/lam/config (Fedora) to
/var/lib/ldap-account-manager/config.3.3.0 -> 3.4.0No changes.3.2.0 -> 3.3.0If you use custom images for the PDF export then these images
need to be 5 times bigger than before (e.g. 250x250px instead of
50x50px). This allows to use images with higher resolution.3.1.0 -> 3.2.0No changes.3.0.0 -> 3.1.0LAM supported to set a list of valid workstations on the
"Personal" page. This required to change the LDAP schema. Since
3.1.0 this is replaced by the new "Hosts" module for users.Lamdaemon: The sudo entry needs to be changed to
".../lamdaemon.pl *".2.3.0 -> 3.0.0No changes.2.2.0 -> 2.3.0LAM Pro: There is now a
separate account type for group of (unique) names. Please edit your
server profiles to activate the new account type.1.1.0 -> 2.2.0No changes.Uninstallation of LAM (Pro)If you used the prepackaged installation packages then remove the
ldap-account-manager and ldap-account-manager-lamdaemon packages.Otherwise, remove the folder where you installed LAM via configure
or by copying the files.ConfigurationAfter you installed LAM you
can configure it to fit your needs. The complete configuration can be done
inside the application. There is no need to edit configuration
files.Please point you browser to the location where you installed LAM.
E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM
via the tar.bz2 then this may vary. You should see the following
page:If you see an error message then you might need to install an
additional PHP extension. Please follow the instructions and reload the
page afterwards.Now you are ready to configure LAM. Click on the "LAM configuration"
link to proceed.Here you can change LAM's general settings, setup server profiles
for your LDAP server(s) and configure the self service (LAM Pro). You should start
with the general settings and then setup a server profile.General settingsAfter selecting "Edit general settings" you will need to enter the
master configuration password.
The default password for new installations is "lam". Now you can edit
the general settings.Security settingsHere you can set a time period after which inactive sessions are
automatically invalidated. The selected value represents minutes of
inactivity.You may also set a list of IP addresses which are allowed to
access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
access LAM via an untrusted IP only get blank pages. There is a
separate field for LAM Pro self service.Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when
PHP MCrypt is active. This
adds extra security but also costs performance. If you manage a large
directory you might want to disable this and take other actions to
secure your LAM server.SSL certificate
setup:By default, LAM uses the CA certificates that are preinstalled
on your system. This will work if you connect via SSL/TLS to an LDAP
server that uses a certificate signed by a well-known CA. In case you
use your own CA (e.g. company internal CA) you can import the CA
certificates here.Please note that this can affect other web applications on the
same server if they require different certificates. There seem to be
problems on Debian systems and you may also need to restart Apache. In
case of any problems please delete the uploaded certificates and use
the system setup.You can either upload a DER/PEM formatted certificate file or
import the certificates directly from an LDAP server that is available
with LDAP+SSL (ldaps://). LAM will automatically override system
certificates if at least one certificate is uploaded/imported.The whole certificate list can be downloaded in PEM format. You
can also delete single certificates from the list.Please note that you might need to restart your webserver if you
do any changes to this configuration.Password policyThis allows you to specify a central password policy for LAM.
The policy is valid for all password fields inside LAM admin
(excluding tree view) and LAM self service. Configuration passwords do
not need to follow this policy.You can set the minimum password length and also the complexity
of the passwords.LoggingLAM can log events (e.g. user logins). You can use system
logging (syslog for Unix, event viewer for Windows) or log to a
separate file. Please note that LAM may log sensitive data (e.g.
passwords) at log level "Debug". Production systems should be set to
"Warning" or "Error".The PHP error reporting is only for developers. By default LAM
does not show PHP notice messages in the web pages. You can select to
use the php.ini setting here or printing all errors and
notices.Additional optionsEmail
formatSome email servers are not standards compatible. If you receive
mails that look broken you can change the line endings for sent mails
here. Default is to use "\r\n".At the moment, this option is only available in LAM Pro as there
is no mail sending in the free version. See here for setting up your SMTP
server.Change master passwordIf you would like to change the master configuration password
then enter a new password here.Server profilesThe server profiles store information about your LDAP server (e.g.
host name) and what kind of accounts (e.g. users and groups) you would
like to manage. There is no limit on the number of server profiles. See
the typical scenarios about
how to structure your server profiles.Manage server profilesSelect "Manage server profiles" to open the profile management
page.Here you can create, rename and delete server profiles. The
passwords of your server
profiles can also be reset.You may also specify the default server profile. This is the
server profile which is preselected at the login page. It also
specifies the language of the login and configuration pages.You can create a new server profile by simply entering its name
and password. After you created a new profile you can go back to the
profile login and edit your new server profile.All operations on the profile management page require that you
authenticate yourself with the configuration master
password.Editing a server profilePlease select you server profile and enter its password to edit
a server profile.Each server profile contains the following information:General settings: general
settings about your LDAP server (e.g. host name and security
settings)Account types: list of
account types (e.g. users and groups) that you would like to
manage and type specific settings (e.g. LDAP suffix)Modules: list of modules
which define what account aspects (e.g. Unix, Samba, Kolab) you
would like to manageModule settings: settings
which are specific for the selected account modules on the page
beforeGeneral settingsHere you can specify the LDAP server and some security
settings.The server address of your LDAP server can be a DNS name or an
IP address. Use ldap:// for unencrypted LDAP connections or TLS
encrypted connections. LDAP+SSL (LDAPS) encrypted connections are
specified with ldaps://. The port value is optional. TLS cannot be
combined with ldaps://.LAM includes an LDAP browser which allows direct modification
of LDAP entries. If you would like to use it then enter the LDAP
suffix at "Tree suffix".The search limit is used to reduce the number of search
results which are returned by your LDAP server.The access level specifies if LAM should allow to modify LDAP
entries. This feature is only available in LAM Pro. LAM non-Pro
releases use write access. See this page for details on
the different access levels.By default LAM will not follow LDAP referrals. This is ok for
most installations. If you use LDAP referrals please activate the
referral option in advanced settings.LAM is translated to many different languages. Here you can
select the default language for this server profile. The language
setting may be overriden at the LAM login page.LAM can manage user home directories and
quotas with an external script. You can specify the home directory
server and where the script is located. The default rights for new
home directories can be set, too.LAM Pro users can send out changed passwords to their users.
Here you can specify the options for these mails.If you select "Allow alternate address" then password mails
can be sent to any address (e.g. a secondary address if the user
account is also bound to the mailbox).LAM supports two methods for login. The first one is to
specify a fixed list of LDAP DNs that are allowed to login. Please
enter one DN per line.The second one is to let LAM search for the DN in your
directory. E.g. if a user logs in with the user name "joe" then LAM
will do an LDAP search for this user name. When it finds a matching
DN then it will use this to authenticate the user. The wildcard
"%USER%" will be replaced by "joe" in this example. This way you can
provide login by user name, email address or other LDAP
attributes.Additionally, you can enable HTTP authentication when using
"LDAP search". This way the web server is responsible to
authenticate your users. LAM will use the given user name + password
for the LDAP login. You can also configure this to setup advanced
login restrictions (e.g. require group memberships for login). To
setup HTTP authentication in Apache please see this link
and an example for LDAP authentication here.Hint: LDAP search with group
membership check can be done with either HTTP authentication or LDAP
overlays like "memberOf"
or "Dynamic
lists". Dynamic lists allow to insert virtual attributes to
your user entries. These can then be used for the LDAP filter (e.g.
"(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))").You may also change the password of this server profile.
Please just enter the new password in both password fields.Account typesLAM supports to manage various types of LDAP entries (e.g.
users, groups, DHCP entries, ...). On this page you can select which
types of entries you want to manage with LAM.The section at the top shows a list of possible types. You can
activate them by simply clicking on the plus sign next to it.Each account type has the following options:LDAP suffix: the LDAP
suffix where entries of this type should be managedList attributes: a list
of attributes which are shown in the account listsAdditional LDAP filter:
LAM will automatically detect the right LDAP entries for each
account type. This can be used to further limit the number of
visible entries (e.g. if you want to manage only some specific
groups). You can use "@@LOGIN_DN@@" as wildcard (e.g.
"(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the
user who is logged in.Hidden: This is used to
hide account types that should not be displayed but are required
by other account types. E.g. you can hide the Samba domains
account type and still assign domains when you edit your
users.Read-only (LAM Pro only):
This allows to set a single account type to read-only mode.
Please note that this is a restriction on functional level (e.g.
group memberships can be changed on user page even if groups are
read-only) and is no replacement for setting up proper ACLs on
your LDAP server.Custom label: Here you
can set a custom label for the account types. Use this if the
standard label does not fit for you (e.g. enter "Servers" for
hosts).No new entries (LAM Pro
only): Use this if you want to prevent that new
accounts of this type are created by your users. The GUI will
hide buttons to create new entries and also disable file upload
for this type.Disallow delete (LAM Pro
only): Use this if you want to prevent that accounts
of this type are deleted by your users.On the next page you can specify in detail what extensions
should be enabled for each account type.ModulesThe modules specify the active extensions for each account
type. E.g. here you can setup if your user entries should be address
book entries only or also support Unix or Samba.Each account type needs a so called "base module". This is the
basement for all LDAP entries of this type. Usually, it provides the
structural object class for the LDAP entries. There must be exactly
one active base module for each account type.Furthermore, there may be any number of additional active
account modules. E.g. you may select "Personal" as base module and
Unix + Samba as additional modules.Module settingsDepending on the activated account modules there may be
additional configuration options available. They can be found on the
"Module settings" tab. E.g. the Personal account module allows to
hide several input fields and the Unix module requires to specify
ranges for UID numbers.Typical scenariosThis is a list of typical scenarios how your LDAP environment
may look like and how to structure the server profiles for it.Simple: One LDAP directory managed by a small group of
adminsThis is the easiest and most common scenario. You want to
manage a single LDAP server and there is only one or a few admins.
In this case just create one server profile and you are done. The
admins may be either specified as a fixed list or by using an LDAP
search at login time.Advanced: One LDAP server which is managed by different admin
groupsLarge organisations may have one big LDAP directory for all
user/group accounts. But the users are managed by different groups
of admins (e.g. departments, locations, subsidiaries, ...). The
users are typically divided into organisational units in the LDAP
tree. Admins may only manage the users in their part of the
tree.In this situation it is recommended to create one server
profile for each admin group (e.g. department). Setup the LDAP
suffixes in the server profiles to point to the needed
organisational units. E.g. use
ou=people,ou=department1,dc=company,dc=com or
ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
Do the same for groups, hosts, ... This way each admin group will
only see its own users. You may want to use LDAP search for the LAM
login in this scenario. This will prevent that you need to update a
server profile if the number of admins changes.Attention: LAM's feature to
automatically find free UIDs/GIDs for new users/groups will not work
in this case. LAM uses the user/group suffix to search for already
assigned UIDs/GIDs. As an alternative you can specify different
UID/GID ranges for each department. Then the UIDs/GIDs will stay
unique for the whole directory.Multiple LDAP serversYou can manage as many LDAP servers with LAM as you wish. This
scenario is similar to the advanced scenario above. Just create one
server profile for each LDAP server.Single LDAP directory with lots of users (>10 000)LAM was tested to work with 10 000 users. If you have a lot
more users then you have basically two options.Divide your LDAP tree in organisational units: This is
usually the best performing option. Put your accounts in several
organisational units and setup LAM as in the advanced scenario
above.Increase memory limit: Increase the memory_limit parameter
in your php.ini. This will allow LAM to read more entries. But
this will slow down the response times of LAM.Managing entries in your LDAP directoryThis chapter will give you instructions how to manage the different
LDAP entries in your directory.Please note that not all account types are manageable with the free
LAM release. LAM Pro provides some more account types (e.g. group of
names, aliases, ...) and modules (e.g. Zarafa, custom scripts, ...) to
support additional LDAP object classes. All LAM Pro features are marked in
this manual.Basic page layout:After the login LAM will present you its main page. It consists of a
header part which is equal for all pages and the content area which covers
most the of the page.The header part includes the links to manage all account types (e.g.
users and groups) and open the tree view (LDAP browser). There is also the
logout link and a tools entry.When you login the you will see an account listing in the content
area.Here you can create, delete and modify accounts. Use the action
buttons at the left or double click on an entry to edit it.The suffix selection box allows you to list only the accounts which
are located in a subtree of your LDAP directory.You can change the number of shown entries per page with "Change
settings". Depending on the account type there may be additional settings.
E.g. the user list can convert group numbers to group names.When you select to edit an entry then LAM will show all its data on
a tabbed view. There is one tab for each functional part of the account.
You can set default values by loading an account profile.Typical usage scenariosHere is a list of typical usage scenarios and what account types
and modules you need to configure.Address book entries:Account types:Users (Personal)Unix accounts:Account types:Users (Personal + Unix)Groups (Unix (posixGroup))Suse users may need to use Group (Group of names + Unix
(rfc2307bisPosixGroup)) because of Suse's special LDAP schema.Samba 3 accounts:Account types:Users (Personal + User + Samba 3)Groups (Unix + Samba 3)Hosts (Account + Unix + Samba 3)Samba domains (Samba domain)Samba 4/Active Directory:Account types:Users (Windows)Groups (Windows)Hosts (Windows)Please note that must change the attributes that are shown in the
account lists. Otherwise, the account tables will show empty lines. See
the documentation for the Windows user/group/host modules.For Samba 4 with Zarafa use the following modules:Users (Windows + Zarafa (+ Zarafa contact))Groups (Windows + Zarafa)Hosts (Windows + Zarafa)Zarafa dynamic groups (Zarafa dynamic group)Zarafa address lists (Zarafa address list)See also the Zarafa section for
additional settings (e.g. using Zarafa AD schema).Asterisk:Account types:Users (Personal + Asterisk)Asterisk extensions (Asterisk extension)Zarafa:Account types:Users (Personal + Unix + Zarafa (+ Zarafa contact))Groups (Unix + Zarafa)Zarafa dynamic groups (Zarafa dynamic group)Zarafa address lists (Zarafa address list)Hosts (Device + Zarafa + IP Address)PyKota:Account types:Users (Personal + Unix + PyKota)Groups (Unix + PyKota)Printers (PyKota)Billing codes (PyKota)UsersLAM manages various types of user accounts. This includes address
book entries, Unix, Samba, Zarafa and much more.Account list settings:The user list includes two special options to change how your
users are displayed.Translate GID number to group name: By
default the user list can show the primary group IDs (GIDs) of your
users. There are often cases where it is more suitable to show the group
name instead. This can be done by activating this option. Please note
that LAM will execute more LDAP queries which may result in decreased
performance.Show account status: If you activate this
option then there will be an additional column displayed that shows if
the account is locked. You can see more details when moving the mouse
cursor over the lock icon. This function supports Unix, Samba and
PPolicy.Password:Click the "Set password" button to change the user's password(s).
Depending on the active account modules LAM will offer to change
multiple passwords at the same time.If a module supports to enforce a password change then you will
see the appropriate checkbox. LAM Pro also offers to send the password
via email after the account is saved. Email options are specified in
your LAM server profile.Quick account (un)locking:When you edit an user then LAM supports to quickly lock/unlock the
whole account. This includes Unix, Samba and PPolicy. LAM can also
remove group memberships if an account is locked.You will see the current status of all account parts in the title
area of the account.If you click on the lock icon then a dialog will be opened to
change these values. Depending on which parts are locked LAM will
provide options to lock/unlock account parts.PersonalThis module is the most common basis for user accounts in LAM.
You can use it stand-alone to manage address book entries or in
combination with Unix, Samba or other modules.The Personal module provides support for managing various
personal data of your users including mail addresses and telephone
numbers. You can also add photos of your users (please install PHP
Imagick/ImageMagick for full file format support). If you do
not need to manage all attributes then you can deactivate them in your
server profile.ConfigurationPlease activate the module "Personal (inetOrgPerson)" for
users.The module manages lots of fields. Probably, you will not need
all of them. You can hide fields in module settings.In advanced options you may also set fields to read-only (for
existing accounts) and define limits for photo files.User managementUser certificates can be uploaded and downloaded. LAM will
automatically convert PEM to DER format.
UnixThe Unix module manages Unix user accounts including group
memberships.There are several configuration options for this module:UID generator: LAM will suggest UID numbers for your
accounts. Please note that it may happen that there are duplicate
IDs assigned if users create accounts at the same time. Use an
overlay
like "Attribute Uniqueness" (example) if you have lots of
LAM admins creating accounts.Fixed range: LAM searches for free numbers within the
given limits. LAM always tries to use a free UID that is
greater than the existing UIDs to prevent collisions with
deleted accounts.Samba ID pool: This uses a special LDAP entry that
includes attributes that store a counter for the last used
UID/GID. Please note that this requires that you install the
Samba schema and create an LDAP entry of object class
"sambaUnixIdPool".Password hash type: If possible use CRYPT-SHA512 or SSHA to
protect your user's passwords.Login shells: List of valid login shells that can be
selected when editing an account.Hidden options: Some input fields can be hidden to simplify
the GUI if you do not need them.The user name is automatically filled as specified in the
configuration (default smiller for Steve Miller). Of course, the
suggested value can be changed any time. Common name is also filled
with first/last name by default.Group memberships can be changed when clicking on "Edit groups".
Here you can select the Unix groups and group of names
memberships.To enable "Group of names" please either add the groups module
"groupOfNames"/"groupOfUniqueNames" or add the account type "Group of
names".You can also create home directories for your users if you setup
lamdaemon. This allows you to
create the directories on the local or remote servers.It is also possible to check the status of the user's home
directories. If needed the directories can be created or removed at
any time.Group of names (LAM Pro)This module manages memberships in group of (unique) names. To
activate this feature please add the user module "Group of names
(groupOfNamesUser)" to your LAM server profile.Please note that this module cannot be used if the Unix module
is active. In this case group memberships may be managed with the Unix
module.The module automatically detects if groups are based on
"groupOfNames" or "groupOfUniqueNames" and sets the correct
attribute.Organizational roles (LAM Pro)LAM can manage role memberships in organizationalRole objects. To
activate this feature please add the user module "Roles
(organizationalRoleUser)" to your LAM server profile.Now, there will be a new tab "Roles" when you edit your user
accounts. Here you can select the role memberships.ShadowLAM supports the management of the LDAP substitution of
/etc/shadow. Here you can setup password policies for your Unix
accounts and also view the last password change of a user.Password self reset (LAM
Pro)LAM Pro allows your users to reset their passwords by answering
a security question. The reset link is displayed on the self service page. Additionally,
you can set question + answer in the admin interface.Please note that self service and LAM admin interface are
separated functionalities. You need to specify the list of possible
security questions in both self service profile(s) and server
profile(s).Schema installationPlease install the LDAP schema as described here.Activate password self reset
modulePlease activate the password self reset module in your LAM Pro
server profile.Now select the tab "Module settings" and specify the list of
possible security questions. Only these questions will be selectable
when you later edit accounts.Edit usersAfter everything is setup please login to LAM Pro and edit your
users. You will see a new tab called "Password self reset". Here you
can activate/remove the password self reset function for each user.
You can also change the security question and answer.If you set a backup email address then confirmation emails will
also be sent to this address. This is useful if the user password
grants access to the user's primary mailbox. So passwords can be
unlocked with an external email address.Hint: You can add the
passwordSelfReset object class to all your users with the multi edit tool.Samba 4 note: Due to a bug in
Samba 4 you need to add the extension, save, and then select a
question and set the answer. If you add the extension, set
question/answer and then save all together this will cause an LDAP
error and no changes will be saved.HostsYou can specify a list of valid host names where the user may
login. If you add the value "*" then the user may login to any host.
This can be further restricted by adding explicit deny entries which
are prefixed with "!" (e.g. "!hr_server").Please note that your PAM settings need to support host
restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled then the
account facility of pam_ldap will perform the checks and return an
error when no proper host attribute is present. Please note that users
without host attribute cannot login to such a configured
server.Samba 3LAM supports full Samba 3 user management including logon hours
and terminal server options.Windows (Samba 4)Please activate the account type "Users" in your LAM server
profile and then add the user module "Windows
(windowsUser)(*)".The default list attributes are for Unix and not suitable for
Windows (blank lines in account table). Please use
"#cn;#givenName;#sn;#mail" or select your own attributes to display in
the account list.On tab "Module settings" you can specify the possible Windows
domain names and if pre-Windows 2000 user names should be
managed.NIS support is deactivated by default. Enable it if
needed.Now you can manage your Windows users and e.g. assign groups.
You might want to set the default domain name in the profile editor.Attention: Password changes
require a secure connection via ldaps://. Check your LAM server
profile if password changes are refused by the server.Filesystem quota (lamdaemon)You can manage file system quotas with LAM. This requires to
setup lamdaemon. LAM connects to
your server via SSH and manages the disk filesystem quotas. The quotas
are stored directly on the filesystem. This is the default mechanism
to store quotas for most systems.Please add the module "Quota (quota)" for users to your LAM
server profile to enable this feature.If you store the quota information directly inside LDAP please
see the next section.Filesystem quota (LDAP)You can store your filesystem quotas directly in LDAP. See
Linux
DiskQuota for details since it requires quota tools that
support LDAP. You will need to install the quota LDAP schema to manage
the object class "systemQuotas".Please add the module "Quota (systemQuotas)" for users to your
LAM server profile to enable this feature.If you store the quota information on the filesystem please see
the previous section.KolabThis module supports to manage Kolab accounts with LAM. E.g. you
can set the user's mail quota and define invitation policies.Please add the Kolab user module in your LAM server profile to
activate Kolab support.Attention: LAM will add the object class "mailrecipient" by
default. This object class is available on 389 directory server but
may not be present on e.g. OpenLDAP. Please deactivate the following
setting (LAM server profile, module settings) if you do not use this
object class.Please enter an email address at the Personal page and set a
Unix password first. Both are required that Kolab accepts the
accounts. The email address ("Personal" page) must match your Kolab
domain, otherwise the account will not work.Attention: The mailbox server
cannot be changed after the account has been saved. Please make sure
that the value is correct.Kolab users should not be directly deleted with LAM. You can
mark an account for deletion which then is done by the Kolab server
itself. This makes sure that the mailbox etc. is also deleted.If you upgrade existing non-Kolab accounts please make sure that
the account has an Unix password.AsteriskLAM supports Asterisk accounts, too. See the Asterisk section for details.EDU personEDU person accounts are mainly used in university networks. You
can specify the principal name, nick names and much more.PyKotaThere are two LAM user modules depending if your user entries
should be built on object class "pykotaObject" or a different
structural object class (e.g. "inetOrgPerson"). For "pykotaObject"
please select "PyKota (pykotaUserStructural(*))" and "PyKota
(pykotaUser)" in all other cases.To display the job history please setup the job DN on tab
"Module settings":Now you can add the PyKota extension to your user accounts. Here
you can setup the printing options and add payments for this
user.For LAM Pro there are also self service fields to allow users
e.g. to view their current balance and job history.You may also view the payment and job history.Password policy (LAM Pro)OpenLDAP supports the ppolicy overlay
to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to
user accounts.Please add the account type "Password policies" to your LAM
server profile and activate the "Password policy" module for the user
type.You can assign any password policy which is found in the LDAP
suffix of the "Password policies" type. When you set the policy to
"default" then OpenLDAP will use the default policy as defined in your
slapd.conf file.Attention: Locking and
unlocking requires that you also activate the option "Lockout users"
in the assigned password policy.
Otherwise, it will have no effect.FreeRadiusFreeRadius is a software that implements the RADIUS
authentication protocol. LAM allows you to mange several of the
FreeRadius attributes.To activate the FreeRadius plugin please activate the FreeRadius
user module in your server profile:You can disable unneeded fields on the tab "Module
settings":Now you will see the tab "FreeRadius" when editing users. The
extension can be (de)activated for each user. You can setup e.g.
realm, IP and expiration date.Heimdal Kerberos (LAM Pro)You can manage your Heimdal Kerberos accounts with LAM Pro.
Please add the user module "Kerberos (heimdalKerberos)" to activate
this feature.Setup password changingLAM Pro cannot generate the password hashes itself because
Heimdal uses a propietary format for them. Therefore, LAM Pro needs to
call e.g. kadmin to set the password.The wildcards @@password@@ and @@principal@@ are replaced with
password and principal name. Please use keytab authentication for this
command since it must run without any interaction.Example to create a keytab: ktutil -k /root/lam.keytab add -p
lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1Security hint: Please secure your LAM Pro server since the new
passwords will be visible for a short term in the process list during
password change.User managementYou can specify the principal/user name, ticket lifetimes and
expiration dates. Additionally, you can set various account
options.MIT Kerberos (LAM Pro)You can manage your MIT Kerberos accounts with LAM Pro. Please
add the user module "Kerberos (mitKerberos)" to activate this feature.
If you want to manage entries based on the structural object class
"krbPrincipal" please use "Kerberos (mitKerberosStructural)"
instead.Setup password changingLAM Pro cannot generate the password hashes itself because MIT
uses a propietary format for them. Therefore, LAM Pro needs to call
kadmin/kadmin.local to set the password.LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to
set the password. Please use keytab authentication for this command
since it must run without any interaction.Keytabs may be created with the "ktutil" application.Security hint: Please secure your LAM Pro server since the new
passwords will be visible for a short term in the process list during
password change.Example commands:/usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p
realm/changepwdsudo /usr/sbin/kadmin.localUser managementYou can specify the principal/user name, ticket lifetimes and
expiration dates. Additionally, you can set various account
options.Mail aliasesThis module allows to add/remove the user in mail alias
entries.Note: You need to activate the
mail alias type for this
module.To activate mail aliases for users please select the module
"Mail aliases (nisMailAliasUser)":On tab Module settings you can select if you want to set the
user name or email as recipient in alias entries.Now you will see the mail aliases tab when editing an
user.The red cross will only remove the user from the alias entry. If
you click the trash can button then the whole alias entry (which may
contain other users) will be deleted.You can add the user to existing alias entries or create
completly new ones.Qmail (LAM Pro)LAM Pro manages all qmail attributes for users. This includes
mail addresses, ID numbers and quota settings.Please note that the main mail address is managed on tab
"Personal" if this module is active. Otherwise, it will be on the
qmail tab.You can hide several qmail options if you do not want to manage
them with LAM. This can be done on the module settings tab of your LAM
server profile.Mail routingLAM supports to manage mail routing for user accounts. You can
specify a routing address, the mail server and a number of local
addresses to route. This feature can be activated by adding the "Mail
routing" module to the user account type in your server
profile.SSH keysYou can manage your public keys for SSH in LAM if you installed
the LPK patch for
SSH. Activate the "SSH public key" module for users in the
server profile and you can add keys to your user entries.Authorized servicesYou can setup PAM to check if a user is allowed to run a
specific service (e.g. sshd) by reading the LDAP attribute
"authorizedService". This way you can manage all allowed services via
LAM.To activate this PAM feature please setup your /etc/libnss-ldap.conf and set
"pam_check_service_attr" to "yes".Inside LAM you can now set the allowed services. You may also
setup default services in your account profiles.You can define a list of services in your LAM server profile
that is used for autocompletion.The autocompletion will show all values that contains the
entered text. To display the whole list you can press backspace in the
empty input field. Of course, you can also insert a service name that
is not in the list.IMAP mailboxesLAM may create and delete mailboxes on an IMAP server for your
user accounts. You will need an IMAP server that supports either SSL
or TLS for this feature.To activate the mailbox management module please add the
"Mailbox (imapAccess)" module for the type user in your LAM server
profile:Now configure the module on the tab "Module settings". Here you
can specify the IMAP server name, encryption options, the
authentication for the IMAP connection and the valid mail domains. LAM
can use either your LAM login password for the IMAP connection or
display a dialog where you need to enter the password. It is also
possible to store the admin password in your server profile. This is
not recommended for security reasons.The user name can either be a fixed name (e.g. "admin") or it
can be generated with LDAP attributes of the LAM admn user. E.g. $uid$
will be transformed to "myUser" if you login with
"uid=myUser,ou=people,dc=example,dc=com".The mail domains specify for which accounts mailboxes may be
created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can
be managed for "user@lam-demo.org" but not for "user@example.com". Use
"*" for any domain.You need to install the SSL certificate of the CA that signed
your server certificate. This is usually done by installing the
certificate in /etc/ssl/certs. Different Linux distributions may offer
different ways to do this. For Debian please copy the certificate in
"/usr/local/share/ca-certificates" and run "update-ca-certificates" as
root.It is not recommended to disable the validation of IMAP server
certificates.The prefix, user name attribute and path separator specifies how
your mailboxes are named (e.g. "user.myUser@localhost" or
"user/myUser"). Select the values depending on your IMAP server
settings.When you edit an user account then you will now see the tab
"Mailbox". Here you can create/delete the mailbox for this
user.AccountThis is a very simple module to manage accounts based on the
object class "account". Usually, this is used for host accounts only.
Please pay attention that users based on the "account" object class
cannot have contact information (e.g. telephone number) as with
"inetOrgPerson".You can enter a user/host name and a description for your
accounts.GroupsUnixThis module is used to manage Unix group entries. This is the
default module to manage Unix groups and uses the nis.schema. Suse
users who use the rfc2307bis.schema need to use
LAM Pro.ConfigurationPlease add the account type "Groups" and then select account
module "Unix (posixGroup)".GID generator: LAM will suggest GID numbers for your accounts.
Please note that it may happen that there are duplicate IDs assigned
if users create groups at the same time. Use an overlay
like "Attribute Uniqueness" (example) if you have lots of LAM
admins creating groups.Fixed range: LAM searches for free numbers within the given
limits. LAM always tries to use a free GID that is greater than
the existing GIDs to prevent collisions with deleted
groups.Samba ID pool: This uses a special LDAP entry that includes
attributes that store a counter for the last used UID/GID. Please
note that this requires that you install the Samba schema and
create an LDAP entry of object class "sambaUnixIdPool".Disable membership management: Disables group membership
management. This is useful if memberships are e.g. managed via
group of names.Group management:Group membership management:Unix groups with rfc2307bis schema (LAM Pro)Some applications (e.g. Suse Linux) use the rfc2307bis schema
for Unix accounts instead of the nis schema. In this case group
accounts are based on the object class groupOf(Unique)Names or namedObject.
The object class posixGroup is auxiliary in this case.LAM Pro supports these groups with a special account module:
rfc2307bisPosixGroupUse this module only if your system depends on the rfc2307bis
schema. The module can be selected in the LAM configuration. Instead
of using groupOfNames as basis for your groups you may also use
namedObject.Samba 3LAM supports managing Samba 3 groups. You can set special group
types and also create Windows predefined groups like "Domain
admins".Windows (Samba 4)LAM can manage your Windows groups. Please enable the account
type "Groups" in your LAM server profile and then add the group module
"Windows (windowsGroup)(*)".The default list attributes are for Unix and not suitable for
Windows (blank lines in account table). Please use
"#cn;#member;#description" or select your own attributes to display in
the account list.NIS support is deactivated by default. Enable it if needed on
tab "Module settings".Now you can edit your groups inside LAM. You can manage the
group name, description and its type. Of course, you can also set the
group members.Group scopes:Global: Use this for groups with frequent changes. Global
groups are not replicated to other domains.Universal: Groups with universal scope are used to
consolidate groups that span domains. They are globally
replicated.Domain local: Groups with domain local scope can be used to
set permissions inside one domain. They are not replicated to
other domains.Group type:Security: Use this group type to control permissions.Distribution: These groups are only used for email
applications. They cannot be used to control permissions.KolabPlease activate the Kolab group module in your LAM server
profile to activate Kolab support.You can specify the email address and also set allowed sender
and recipient addresses.QuotaYou can manage file system quotas with LAM. This requires to
setup lamdaemon. File system quotas
are not stored inside LAM but managed directly on the specified
servers.PyKotaThere are two LAM group modules depending if your group entries
should be built on object class "pykotaObject" or a different
structural object class (e.g. "posixGroup"). For "pykotaObject" please
select "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)"
in all other cases.Now you can add the PyKota extension to your groups.HostsAccountPlease see the description here.Device (LAM Pro)The device object class allows to manage general information
about all sorts of devices (e.g. computers, network hardware, ...).
You can enter the serial number, location and a describing text. It is
also possible to specify the owner of the device.Samba 3You can manage Samba 3 host entries by adding the Unix and Samba
3 account modules.Windows (Samba 4)LAM can manage your Windows servers and workstations. Please
enable the account type "Hosts" in your LAM server profile and then
add the host module "Windows (windowsHost)(*)".The default list attributes are for Unix and not suitable for
Windows (blank lines in account table). Please use
"#cn;#description;#location" or select your own attributes to display
in the account list.Now you will see you computer accounts inside LAM. You can set
e.g. the server's description and location information.IP addresses (LAM Pro)You can manage the IP addresses of host accounts with the ipHost
module. It manages the following information:IP addresses (IPv4/IPv6)location of the hostmanager: the person who is responsible for the hostYou can activate this extension by adding the module ipHost to
the list of active host modules.MAC addressesHosts can have an unlimited number of MAC addresses. To enable
this feature just add the "MAC address" module to the host account
type.PuppetLAM supports to manage your Puppet configuration. You can
edit all attributes like environment, classes, variables and parent
node.ConfigurationTo activate this feature please edit your LAM server profile and
add the host module "Puppet (puppetClient)" on tab "Modules". This
will add the Puppet tab to your host pages.On tab "Module settings" in your LAM server profile you may also
setup some common environment names. LAM will use them to provide
autocompletion hints when editing the environment for a node.Editing nodesWhen you edit a host entry then you will see the tab "Puppet".
Here you can add/remove the Puppet extension and edit all
attributes.Samba 3 domainsSamba 3 stores information about its domain settings inside LDAP.
This includes the domain name, its SID and some policies. You can manage
all these attributes with LAM.Please activate the account type "Samba domains" in your LAM
server profile. Please notice that Samba by default uses the LDAP root
for domain objects (e.g. dc=example,dc=com).This will add a new tab to LAM where you can manage domain
information.The domain name, SID and RID base can only be specified for new
domains and are not changeable via LAM at a later time. You may setup
several password policies for your Samba domains and also some RID
options that influence the creation of SIDs for
users/groups/hosts.Group of (unique) names (LAM Pro)These classes can be used to represent group relations. Since they
allow DNs as members you can also use them to represent nested
groups.Configuration:Activate the account type "Group of names" in your LAM server
profile to use these account modules. Alternatively, you can use the
account type "Groups".Then add the module "Group of names (groupOfNames)" or "Group of
unique names (groupOfUniqueNames)".On the module settings tab you set some options like the display
format for members/owners and if fields like description should not be
displayed.Group management:Group of (unique) names have four basic attributes:Name: a unique name for the groupDescription: optional descriptionOwner: the account which owns this group (optional)Members: the members of the group (at least one is
required)You can add any accounts as members. This includes other groups
which leads to nested groups.Organizational roles (LAM Pro)This module manages roles via the organizationalRole object class.
There is also a user
module to manage memberships on the user edit page.Configuration:Activate the account type "Groups" in your LAM server profile to
use this account module. Alternatively, you can use the account type
"Group of names".Then add the module "Role (organizationalRole)".On the module settings tab you set some options like the display
format for members and if description should not be displayed.Role management:You can add any accounts as members. This includes other roles
which leads to nested roles (needs to be supported by LDAP client
applications).AsteriskLAM includes large support for Asterisk. You can add Asterisk
extensions (including voicemail) to your users and also manage Asterisk
extensions.The Asterisk support for users can be added by selecting the
Asterisk and Asterisk voicemail modules for users in your LAM server
profile. This will add the following tabs to your user accounts.The Asterisk module allows to edit a large amount of attributes.
Therefore, you can hide unused fields. Please edit you server profile
(Module settings) to do so.Of course, the voicemail part of Asterisk is also
supported.If you also want to manage Asterisk extensions then simply add the
account type "Asterisk extensions" and its module to your server
profile.LAM groups your Asterisk extension entries by extension name and
account context. If you edit an extension then you will see the Asterisk
entries as rules. LAM manages that all rule entries have the same owners
and assigns the priorities.Zarafa (LAM Pro)Zarafa is an OpenSource collaboration software. LAM Pro provides
support to manage Zarafa server entries, users and groups. It covers all
settings for these types including resource and quota settings.LAM Pro is an official Zarafa Certified Integration.ConfigurationTo enable Zarafa support in LAM Pro please activate the Zarafa
modules for the Users, Groups and Hosts account types in you server
profile:Attention: LAM Pro uses the
Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP,
OpenDJ, Apache Directory server and other common LDAP servers. If you
run Samba 4 or Active Directory then you need to switch the schema to
"Active Directory" on the module settings tab:You can configure which parts of the Zarafa user options should
be enabled. E.g. if you do not want to manage quotas per user then you
can hide these options on the tab "Module settings"."Send as" attribute: Here you
can specify how "Send as" privileges should be managed. LAM supports
"uid" and "dn".If you select "uid" the LAM will store user names in the
zarafaSendAsPrivilege attribute. This way you are restricted to
specify user accounts as "Send as" allowed.You can also set this option to "dn" and LAM will store DNs in
the zarafaSendAsPrivilege attribute. In this case you may specify
users and groups as "Send as" allowed.Examples for your Zarafa ldap.cfg:"Send as" attribute: dnldap_user_sendas_attribute_type = dn"Send as" attribute: uidldap_user_sendas_attribute_type = textldap_user_sendas_relation_attribute = uid
Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting.
Features: Zarafa 7 allows to
enable IMAP/POP3 for each user. Please hide the option "Features" if
you use Zarafa 6.x.UsersThis is an example of the user edit page with all possible
settings. This includes email settings, quotas and some options
(e.g. hide from address book). You can also set the resource type
and capacity for meeting rooms and equipment. The Zarafa extension
can be added and removed at any time for every user.Please note that the option "Features" requires Zarafa 7.
Please hide this option in the LAM server profile if you run Zarafa
6.x.ContactsLAM Pro can manage your Zarafa contact entries. You can set
the email aliases and "send as" privileges. Additionally, accounts
may be hidden in the address book or disabled.Please note that you can either use the Zarafa user module or
Zarafa contact. LAM Pro will disable the other tab when enabling one
of them.GroupsThis is the edit page for groups. You can enter an email
address and additional aliases for your groups. It is also possible
to specify options (e.g. hide from address book). The extension can
be added/removed dynamically.Please note that the option "Send-as privileges" requires the
Zarafa 7.0.3 schema. Please hide this option in the LAM server
profile if you run Zarafa < 7.0.3.ServersThe Zarafa extension for host accounts allows to set the
connection ports and file path. You can add/remove the extension at
any time.Setting the public store option is only possible for new host
entries.Please note that the proxy URL option requires the Zarafa 7.1
schema. Please hide this option in your LAM server profile if you
use an older version.Address listsZarafa allows to store address lists in LDAP. You need to
define a search base and LDAP filter for each address list. E.g.
entering "ou=people,dc=company,dc=com" as base and "uid=*" will
select all users that are stored in
"ou=people,dc=company,dc=com".You can also hide your lists from the address book or
temporarily disable them.Dynamic groupsZarafa allows to define dynamic groups in LDAP. You need to
define a search base and LDAP filter for each group. E.g. entering
"ou=people,dc=company,dc=com" as base and "uid=*" will select all
users that are stored in "ou=people,dc=company,dc=com".Dynamic groups may have an email address and multiple email
alias addresses.You can also hide your dynamic groups from the address book or
temporarily disable them.Kolab shared foldersPlease add the account type "Kolab shared folders" in your LAM
server profile and set the correct LDAP suffix.Then add the "Kolab shared folder" module on tab "Modules".Now you can start to add shared folders inside LAM.DHCPYou can mange your DHCP server with LAM. It supports to manage
subnets, fixed IP entries, IP ranges and DDNS.ConfigurationThe DHCP management can be activated by adding the account type
DHCP to your server profile. Please also add the DHCP modules.LAM requires that you use an LDAP entry with the object class
"dhcpService" or "dhcpServer" as suffix for this account type. If the
"dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN"
then you need to use the DN of the "dhcpService" entry as LDAP suffix
for DHCP.Add account type:Set suffix:Add modules:Example server
entry:dn:
cn=server,ou=dhcp,dc=ldap-account-manager,dc=orgobjectclass: dhcpServerobjectclass: dhcpOptionsobjectclass: topcn: serverdhcpcomments: My DHCP serverdhcpoption: domain-name
"ldap-account-manager.org"dhcpoption: domain-name-servers 192.168.1.1dhcpoption: routers 192.168.1.1dhcpoption: netbios-name-servers 192.168.1.1dhcpoption: subnet-mask 255.255.255.0dhcpoption: netbios-node-type 8dhcpstatements: default-lease-time 3600dhcpstatements: max-lease-time 7200dhcpstatements: include "mykey"dhcpstatements: ddns-update-style interimdhcpstatements: update-static-leases truedhcpstatements: ignore client-updatesExample settings for
dhcpd.conf:ddns-update-style none;deny unknown-clients;ldap-server "server";ldap-dhcp-server-cn "server";ldap-port 389;ldap-username
"uid=dhcp,ou=people,dc=ldap-account-manager,dc=org";ldap-password "{SSHA}XXXXXXXXXXXX";ldap-base-dn
"ou=dhcp,dc=ldap-account-manager,dc=org";ldap-method dynamic;ldap-debug-file
"/var/log/dhcp-ldap-startup.log";slapd.conf changes:include /etc/ldap/schema/dhcp.schemaindex dhcpHWAddress eqindex dhcpClassData eq
Run slapindex to rebuild the index.
You can manage the settings of your DHCP service/server
entry:You can easily create new subnet entries.It is also possible to specify a list of fixed IPs.IP ranges may be specified.If you use failover pools for your IP ranges please use the pool
options on the bottom. Here you can add DHCP pools (object class
"dhcpPool") and specify the failover peer.If you activated DDNS in the server entry then you may also
specify the DDNS settings for this subnet.Bind DLZ (LAM Pro)Bind DLZ is
an extension to the DNS server Bind that allows to store
DNS entries inside LDAP. Please install the Bind DLZ schema file on your
LDAP server. It is part of the DLZ patch.ConfigurationFirst, you need to add the Bind DNS account type and the Bind DLZ
module:Please set the LDAP suffix either to an existing DNS zone
(dlzZone) or an organizational unit that should include your DNS
zones.Automatic PTR managementLAM can automatically create/delete PTR entries for the entered
IPv4/6 records. You can enable this feature on the module settings
tab.PTR records will get the same TTL as IP records. Please note that
you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa")
under the same suffix as your other DNS entries.Zone managementIf you do not yet have a DNS zone then LAM can create one for you.
In list view switch the suffix to an organizational unit DN. Now you
will see a button "New zone".This will create the zone container entry and a default DNS entry
"@" for authoritative information. Now switch the suffix to your new
zone and start adding DNS entries.DNS entriesLAM supports the following DNS record types:SOA: authoritative informationNS: name serversA/AAAA: IP addressesPTR: reverse DNS entriesCNAME: alias namesMX: mail serversTXT: text recordsSRV: service entriesAuthoritative (SOA) and name server (NS)
recordsHere you can manage general information about the zone like
timeouts and name servers. Please note that name servers must be
inserted in a special format (dot at the end).IP addresses (A/AAAA)LAM will automatically set the correct type (A/AAAA) depending if
you enter an IPv4 or IPv6 address.Reverse DNS entriesReverse DNS entries are important when you need to find the DNS
name that is associated with a given IP address. Reverse DNS entries are
stored in a separate DNS zone.Alias names (CNAME)Sometimes a DNS entry should simply point to a different DNS entry
(e.g. for migrations). This can be done by adding an alias name.Mail servers (MX)The mail server entries define where mails to a domain should be
delivered. The server with the lowest preference has the highest
priority.Text records (TXT)Text records can be added to store a description or other data
(e.g. SPF information).Services (SRV)Service records can be used to specify which servers provide
common services such as LDAP. Please note that the host name must be
_SERVICE._PROTOCOL (e.g. _ldap._tcp).Priority: The priority of the target host, lower value means more
preferred.Weight: A relative weight for records with the same priority. E.g.
weights 20 and 80 for a service will result in 20% queries to the one
server and 80% to the other.Port: The port number that is used for your service.Server: DNS name where service can be reached (with dot at the
end).File uploadYou can upload complete DNS zones via LAM's file upload. Here is
an example for a zone file and the corresponding CSV file.
Zone file@INSOAns1.example.com admin.ns1.example.com (1 360000 3600
3600000 370000)INNSns1.example.com.INNSns2.example.com.INMX10 mail1.example.comINMX20 mail2.example.comfooINA123.123.123.100foo2INCNAMEfoo.example.combarINA123.123.123.101INAAAA1:2:3:4:5
Please check that you have an existing zone entry that can be used
for the file upload. See above to create a new zone.Hint: If you use the function above to create a new zone then
please skip the "@" entry in the CSV file below. LAM creates this entry
with sample data.In this example we assume that the following zone extry
exists:dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com
dlzzonename: example.com
objectclass: dlzZone
objectclass: top
Here is the corresponding CSV file: bindUpload.csvAliases (LAM Pro)Some applications use the object class "alias" to link LDAP
entries to other parts of the LDAP tree. Activate the account type
"Aliases" in your LAM server profile to use this account type.Currently, only user accounts can be aliased with the "uidObject"
object class.Mail aliasesYou can manage mail aliases (e.g. for NIS) inside LAM. This can be
used to replace local /etc/aliases files with LDAP.Note: Use the mail alias user
module to manage mail aliases on user pages.All accounts of this type are based on the "nisMailAlias" object
class and may have "cn" and "rfc822MailMember" attributes. To activate
this type please add "Mail aliases" in your LAM server profile:You need to select the Mail aliases module on the next tab.The mail aliases will then appear as separate tab inside LAM. You
may then manage the aliases with their names and recipient
addresses.There are mail/user icons that allow to select a mail address/user
name from the existing users.NIS net groupsLAM supports to define NIS netgroups. You can use them e.g. to
restrict SSH access to your machines.Add the NIS net group account type and its module to your server
profile. Then you can manage net groups in LAM. Net groups may contain
other net groups as child groups. You can either insert the host/user
names manually or print the search buttons next to the input fields to
find existing entries in your directory.NIS objects (LAM Pro)You can manage NIS objects with LAM Pro. This allows you define
network mount points in LDAP.Add the NIS objects type to your LAM configuration and then the
NIS objects module. This will add the NIS objects tab to LAM.Automount objects (LAM Pro)LAM Pro allows you to manage automount entries. Please activate
the account type "Automount objects" in your LAM Pro server
profile.Then add the correct automount module. Usually, this is "Automount
entry (automount)". If you use Suse Linux with RFC2307bis schema please
select "Automount entry (rfc2307bisAutomount)".This will add a new tab to LAM Pro's main screen which includes a
list of all automount entries. Here you can easily create new
entries.Please see the following external HowTos for more information on
automounting and LDAP:AutofsLDAPAutomount
über LDAP (German)Oracle databases (LAM Pro)Oracle allows to manage connection data that is stored in
tnsnames.ora to be stored in an LDAP directory.Initial setupLDAP server setup:You will need to install the correct Oracle LDAP schema files on
your LDAP server. If you run no Oracle LDAP server then you can get them
(oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from
here.Next you need to create the root entry for Oracle. It should look
like this:dn: cn=OracleContext,dc=example,dc=com
objectclass: orclContext
cn: OracleContextYou can create it with LAM's tree view. Please note that "cn" must
be set to "OracleContext".LAM setup:Edit your LAM server profile and add the Oracle account
type:In case you manage a single Oracle context just enter the
cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle
context entries then set the LDAP suffix to a parent entry of
them.Next, add the Oracle module:Now you can login to LAM and start to add database
entries.Managing database entriesEach database has a service name, the connection string and an
optional description.Database client setup for
LDAPYou need to activate the LDAP adapter to make the database tools
reading LDAP. Edit network/admin/sqlnet.ora like this:NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)Then add a file called ldap.ora next to your sqlnet.ora and set
the LDAP server and DN suffix where cn=OracleContext is stored:DIRECTORY_SERVERS= (ldap.example.com:389:636)
DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de"
DIRECTORY_SERVER_TYPE = OIDThis will allow e.g. tnsping to get the connection data from
LDAP:[oracle@oracle bin]$ tnsping mydb
TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54
Copyright (c) 1997, 2013, Oracle. All rights reserved.
Used parameter files:
/home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))
OK (10 msec)Password policies (LAM Pro)OpenLDAP supports the ppolicy overlay
to manage password policies for LDAP entries. This allows you to set
password policies which are independent from your applications. The
policies are managed internally by the LDAP server.You can manage these policies with LAM Pro with the account type
"Password policies".You will need to add the ppolicy schema to your OpenLDAP
configuration and activate the ppolicy overlay
module in slapd.conf to use this feature.PyKota printersPlease add the account type "Printers (PyKota printers)" on tab
"Account types" in your server profile and setup the LDAP suffix where
printers are stored.Then add the PyKota printer module on tab "Account
modules".Next you can start managing printers inside LAM. Here you can
setup the costs for a print job. LAM will also show if the printer is
member of any printer groups.You can also setup printer groups. Just add some members to your
new group.PyKota billing codesPlease add the account type "Billing codes" on tab "Account types"
in your server profile and setup the LDAP suffix where billing codes are
stored.Then add the PyKota billing code module on tab "Account
modules".Now login to LAM and you will see the billing code tab where you
can manage your entries. If jobs were printed with a billing code then
you will also see the balance and page count.Custom fields (LAM Pro)This module allows you to manage LDAP attributes that are not
covered by the other LAM modules (e.g. if you use custom LDAP schemas).
You can fully define how your input fields look like:LabelLDAP attribute nameUnique name for fieldHelp textRead-only displayField type: text, password, text area, checkbox, radio
buttons, select list, file uploadValidation via regular expressionError message if validation failsLimitations:Custom fields cannot managestructural object classesattributes that require validation rules across multiple
attributes or cannot be described by a simple regular
expressionActivating the custom fields
module:You may specify custom fields for all of your account types.
Please enter tab "Modules" in your server profile. Now activate the
"Custom fields (customFields)" module for all needed account
types.Setting label and icon:You may set the label that is displayed e.g. on the tab when
editing an account. It is also possible to specify an icon (must be a
valid URL like "/images/icon.png" or "http://server/images/icon.png").
The icon size should be 32x32 pixels.LAM will display a default icon and "Custom fields" as label if
you do not enter any values.You may also specify how LAM displays cutom fields when there are
multiple field groups. The default is accordion view where you can
switch field groups by clicking on the title. You may also deactivate
this mode. Then all field groups are displayed one below the
other.Defining groups:All input fields are devided into groups. A group may contain one
or more object classes and allows you to add/remove a certain set of
input fields.E.g. you may define two groups - "My application A" and "My
application B" - that manage different LDAP attributes and object
classes. This way you will be able to control both attribute sets
independently.To create a group please edit your server profile and switch to
tab "Module settings". You will see the section "Custom fields" which
allows you to add new groups. Now select your account type (e.g. Users)
and specify an alias for your group. This alias will be printed as group
header when you later edit an account in the admin interface.After you created your new group you can setup the managed object
classes. If you specify any object classes then you will later be able
to add/remove a complete set of attributes including their object
classes.Skipping the object classes field is only useful if you want to
manage some attributes that are not yet supported by LAM but there is
already a LAM module that manages the object class.The group may look like when you edit a user.Adding fields:Now you can add a new field that manages an LDAP attribute. Simply
fill the fields and press on "Add".Please note that the field name cannot be changed later. It is the
unique ID for this field.Examples for fields and their representation:Text field:Text fields allow to specify a validation
expression and error message.You can also enable auto-completion. In this case LAM will search
all accounts for the given attribute and provide auto-completion hints
when the user edits this field. This should only be used if there is a
limited number of different values for this attribute.Presentation:Password field:You can also manage custom password fields. LAM Pro will display
two fields where the user must enter the same password. You can hash the
password if needed.Presentation:Text area:This adds a multi-line field. The options are similar to text
fields. Additionally, you can set the size with the number of columns
and rows.Please note that the validation
expression should be set to multi-line. This is done by adding
"m" at the end.Presentation:Checkbox:Sometimes you may want to allow only yes/no values for your LDAP
attributes. This can be represented by a checkbox. You can specify the
values for checked and unchecked. The default value is set if the LDAP
attribute has no value.Presentation:Radio buttons:This displays a list of radio buttons where the user can select
one value.You can specify a mapping of LDAP attribute values and their
display (label) on the Self Service page. To add more mapping fields
please press "Add more mapping fields".Presentation:Select list:Select lists allow the user to select a value in a large list of
options. The definition of the possible values and their display is
similar to radio buttons.You can also allow multiple values.Presentation:Validation expressions:The validation expressions follow the standard of Perl regular
expressions. They start and end with a "/". The beginning of a
line is specified by "^" and the end by "$".Examples:/^[a-z0-9]+$/ allows small letters and numbers. The value must not
be empty ("+")./^[a-z0-9]+$/i allows small and capital letters ("i" at the end
means ignore case) and numbers. The value must not be empty
("+").Special characters that must be escaped with "\": "\", ".", "(",
")"E.g. /^[a-z0-9\.]$/iFile upload:This is used for binary data. You can restrict uploaded data to a
given file extension and set the maximum file size.Presentation:The uploaded data may also be downloaded via LAM.Custom scripts (LAM Pro)LAM Pro allows you to execute scripts whenever an account is
created, modified or deleted. This can be useful to automate processes
which needed manual work afterwards (e.g. sending your user a welcome
mail or register a mailbox). Additionally, you can specify manual scipts
that can be executed from within LAM Pro.To activate this feature please add the "Custom scripts" module to
all needed account types on the configuration pages.You can specify multiple scripts for each action type (e.g.
modify) and account type (e.g. user). The scripts need to be located on
the filesystem of your webserver and will be executed in its user
environment. E.g. if you webserver runs as user www-data with the group
www-data then the custom scripts will be run under this user with his
rights. The output of the scripts will be shown in LAM.You can specify the scripts on the LAM configuration pages.Syntax:Please enter one script per line. Each line has the following
format: <account type> <action> <script>E.g.: user preModify /usr/bin/myCustomScript -u $uid$Account types:You can setup scripts for all available account types (e.g. user,
group, host, ...). Please see the help on the configuration page about
your current active account types.Actions:
Action typesAction nameDescriptionpreCreateexecuted before creating a new account (cancels operation
if a script returns an exit code > 0, not available for file
upload)postCreateexecuted after creating a new account (does not run if preCreate or LDAP operations
fail)preModifyexecuted before an account is modified (cancels operation
if a script returns an exit code > 0)postModifyexecuted after an account was modified (does not run if preModify or LDAP operations
fail)preDeleteexecuted before an account is modified (cancels operation
if a script returns an exit code > 0)postDeleteexecuted after an account was modified (does not run if preDelete or LDAP operations
fail)manualcan be run manually on account page
Script:You can execute any script which is located on the filesystem of
your webserver. The path may be absolute or relative to the
PATH-variable of the environment of your webserver process. It is also
possible to add commandline arguments to your scripts. Additionally, LAM
will resolve wildcards to LDAP attributes. If your script includes an
wildcard in the format $ATTRIBUTE$ then LAM will replace it with the
attribute value of the current LDAP entry. The values of multi-value
attributes are separated by commas. E.g. if you create an account with
the attribute "uid" and value "steve" then LAM will resolve "$uid$" to
"steve".Please note that manual scripts can only use the current LDAP
attribute values of the account. Any modifications done that are not
saved will not be available. Manual scripts are also not available for
new accounts that are not yet saved to LDAP.You can switch LAM's logging to debug mode if you are unsure which
attributes with which values are available.The following special wildcards are available for automatical
scripts:$INFO.userPasswordClearText$:
cleartext password when Unix/Windows password is changed (e.g.
useful for external password synchronisation) for new/modified
accounts$INFO.userPasswordStatusChange$: provides
additional information if the Unix password locking status was
changed, possible values: locked, unlocked, unchanged$INFO.passwordSelfResetAnswerClearText$:
cleartext answer to security question$NEW.<attribute>$: the
value of a new attribute (e.g. $NEW.telephoneNumber$) for modified
accounts$DEL.<attribute>$: the
value of a deleted attribute (e.g. $DEL.telephoneNumber$) for
modified accounts$MOD.<attribute>$: the
new value of a modified attribute (e.g. $MOD.telephoneNumber$) for
modified accounts$ORIG.<attribute>$: the
original value of an attribute (e.g. $ORIG.telephoneNumber$) for
modified accountsOutput may contain HTML: If your
scripts generate HTML output then activate this option.Hide command in messages: You may
want to prevent that your users see the executed commands. In this case
activating this option will only show the command output but not the
command itself.You can see a preview of the commands which will be automatically
executed on the "Custom scripts" tab. Here you can also run the manual
scripts.Sudo roles (LAM Pro)You can manage your sudo roles in LDAP if you have installed the
sudo-ldap package or compiled sudo with LDAP
support.To activate sudo management in LAM Pro edit your server profile
and add the type "Sudo roles".Now you can create sudo commands.The sudo roles in LDAP work similar to those in /etc/sudoers. You
can specify who may run which commands as which user. It is also
possible to specify options like NOPASSWD.General informationThis module is available for all account types. It shows some
internal information about the LDAP entries like the creation time and
who modified the entry.If you use the "memberOf" overlay in OpenLDAP then this will also
show group memberships done by the overlay.Tree view (LDAP browser)The tree view provides a raw view on your LDAP directory. This
feature is for people who are experienced with LDAP and need special
functionality which the LAM account modules not provide. E.g. if you
want to add a special object class to an account or edit attributes
ignoring LAM's syntax checks.There are also some special functions available:Export: This allows you to export
entries to a file (e.g. LDIF or CSV format).Show internal attributes: Shows
internal attributes of the current entry. This includes information
about the creator and creation time of the entry.ToolsProfile editorThe account profiles are templates for your accounts. Here you can
specify default values which can then be loaded when you create
accounts. You may also load a template for an existing account to reset
it to default values. When you create a new account then LAM will always
load the profile named "default". This
account profile can include default values for all your accounts.You can enter the LDAP suffix, RDN identifier and various other
attributes depending on account type and activated modules.Import/export:Profiles can be exported to and imported from other server
profiles.There is a special export target called "*Global templates". All
profiles exported here will be copied to all other server profiles
(incl. new ones). But existing profiles with the same name are not
overwritten. So a profile in global templates is treated as default
profile for all server profiles.Use this if you would like to setup default profiles that are
valid for all server profiles.File uploadWhen you need to create lots of accounts then you can use LAM's
file upload to create them. LAM will read a CSV formatted file and
create the related LDAP entries. Please check the data in you CSV file
carefully. LAM will do less checks for the file upload than for single
account creation.At the first page please select the account type and what
extensions should be activated.The next page shows all available options for the file upload. You
will also find a sample CSV file which can be used as template for your
CSV file. All red options are required columns in the file. You need to
specify a value for each account.When you upload the CSV file then LAM first does some checks on
this file. This includes syntax checks and if all required data was
entered. No changes in the LDAP directory are done at this time.If the checks were successful then LAM will ask again if you want
to create the accounts. You will also have the chance to check the
upload by viewing the changes in LDIF format.Multi editThis tool allows you to modify a large list of LDAP entries in
batch mode. You can add new attributes/object classes, remove attributes
and set attributes to a specific value.At the beginning, you need to specify where the entries are stored
that should be changed. You can select an account suffix, the tree
suffix or enter your own DN by selecting "Other".Next, enter an additional LDAP filter to limit the entries that
should be changed. E.g. use "(objectclass=inetOrgPerson)" to filter for
users. You may also enter e.g. "(!(objectClass=passwordSelfReset))" to
match all accounts that do not yet have the password self reset
feature.Now, it is time to define the changes that should be done. The
following operations are possible:Add: Adds an attribute value if not yet existing. Please do
not use for single-value attributes that already have a
value.Modify: Sets an attribute to the given value. If the attribute
does not yet exist then it is added. If the attribute has multiple
values then all other values are removed.Delete: Deletes the specified value from this attribute. If
you leave the value field blank then all attribute values are
removed.Please note that all actions are run as separate LDAP commands.
You cannot add an object class and a required attribute at the same
time.Dry runYou should always start with a dry run. It will not do any changes
to your LDAP directory but print out all modifications that will be
done. You will also be able to download the changes in LDIF format to
use with ldapmodify. This is useful if you want to adjust some actions
manually.Apply changesThis will run the actions against your LDAP directory. You will
see which accounts are edited in the progress area and also if any
errors occured.OU editorThis is a simple editor to add/delete organisational units in your
LDAP tree. This way you can structure the accounts.PDF editorAll accounts in LAM may be exported as PDF files. You can specify
the page structure and displayed information by editing the PDF
profiles.When you export accounts to PDF then each account will get its own
page inside the PDF. There is a headline on each page where you can show
a page title. You may also add a logo to each page. To add more logos
please use the logo management on the PDF editor main page.The main part is structured into sections of information. Each
section has a title. This can either be static text or the value of an
attribute. You may also insert a static text block as section. Sections
can be moved by using the arrows next to the section title.Each section can contain multiple fields which usually represent
LDAP attributes. You can simply add new fields by selecting the field
name and its position. Then use the arrows to move the field inside the
section.Import/export:PDF structures can be exported to and imported from other server
profiles.There is a special export target called "*Global templates". All
PDF structures exported here will be copied to all other server profiles
(incl. new ones). But existing PDF structures with the same name are not
overwritten. So a PDF structure in global templates is treated as
default structure for all server profiles.Use this if you would like to setup default PDF structures that
are valid for all server profiles.Logo management:You can upload image files to put a custom logo on the PDF files.
The image file name must end with .png or .jpg and the size must not
exceed 2000x300px.Schema browserHere you browse the schema of your LDAP server. You can view what
object classes, attributes, syntaxes and matching rules are available.
This is useful if you need to check if a certain object class is
available.Server informationThis shows information and statistics about your LDAP server. This
includes the suffixes, used overlays, connection data and operation
statistics. You will need "cn=monitor" setup to see all details. Some
data may not be available depending on your LDAP server software.Please see the following links how to setup "cn=monitor":OpenLDAP389
serverTestsThis allows you to check if your LDAP schema is compatible with
LAM and to find possible problems.Lamdaemon testLAM provides an external script to manage home directories and
quotas. You can test here if everything is setup correctly.If you get an error like "no tty present and no askpass program
specified" then the path to the lamdaemon.pl may be wrong. Please see
the lamdaemon installation
instructions for setup details.Schema testThis will test if your LDAP schema supports all object classes
and attributes of the active LAM modules. If you get a message that
something is missing please check that you installed all required schemas.If you get error messages about object class violations then
this test can tell you what is missing.Access levels and password reset page (LAM Pro)You can define different access levels for each profile to allow or
disallow write access. The password reset page helps your deskside support
staff to reset user passwords.Access levelsThere are three access levels:Write access (default)There are no restrictions. LAM admin users can manage account,
create profiles and set passwords.Change passwordsSimilar to "Read only" except that the password reset page is available.Read onlyNo write access to the LDAP database is allowed. It is also
impossible to manage account and PDF profiles.Accounts may be viewed but no changes can be saved.The access level can be set on the server configuration
page:Password reset pageThis special page allows your deskside support staff to reset the
Unix and Samba passwords of your users. Account may also be (un)locked
If you set the access level to
"Change passwords" then LAM will not allow any changes to the LDAP
database except password changes via this page. The account pages will
be still available in read-only mode.You can open the password reset page by clicking on the key symbol
on each user account:There are three different options to set a new
password:set random password and display it on
screenThis will set the user's password to a random value. The
password will be 11 characters long with a random combination of
letters, digits and ".-_".You may want to use this method to tell users their new
passwords via phone.set random password and mail it to
userIf the user account has set the mail attribute then LAM can
send your user a mail with the new password. You can change the mail
template to fit your needs. Please configure your LAM server profile
to setup the sender address, subject and mail body. Please see email format option in case of broken
mails. See here for setting up your
SMTP server.Using this method will prevent that your support staff knows
the new password.set specific passwordHere you can specify your own password.LAM will display contact information about the user like the
user's name, email address and telephone number. This will help your
deskside support to easily contact your users.Options:Depending on the account there may be additional options
available.Sync Samba NT/LM password with Unix
password: If a user account has Samba passwords set then
LAM will offer to synchronize the passwords.Unlock Samba account: Locked
Samba accounts can be unlocked with the password change.Update Samba password
timestamps: This will set the timestamps when the
password was changed (sambaPwdLastSet). Only existing attributes are
updated. No new attributes are added.Sync Kerberos password with Unix
password: This will also update the Heimdal Kerberos
password.Sync Asterisk (voicemail) password with
Unix password: Changes also the Asterisk
passwords.Force password change: This
will force the user to change his password at next login. This
option supports Shadow, Samba 3 and PPolicy (automatically
detected).Account (un)locking:Depending if the account includes a Unix/Samba extension and
PPolicy is activated the page will show options to (un)lock the account.
E.g. if the account is fully unlocked then there will be no unlocking
options printed.Self service (LAM Pro)PreparationsOpenLDAP ACLsBy default only a few administrative users have write access to
the LDAP database. Before your users may change their settings you
must allow them to change their LDAP data.Hint: The ACLs below are not required if you decide to run all
operations as the LDAP bind user (option "Use for all
operations").This can be done by adding ACLs to your slapd.conf or
slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to
these:access to attrs=userPassword by self write by anonymous auth by * noneaccess to
attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange by self write by * readIf you do not want them to change all attributes then reduce the
list to fit your needs. Some modules may require additional LDAP
attributes. You can use the tree view to get the technical attribute
names e.g. by selecting an user account.Usually, the slapd.conf file is located in /etc/ldap or
/etc/openldap.Other LDAP serversThere exist many LDAP implementations. If you do not use
OpenLDAP you need to write your own ACLs. Please check the manual of
your LDAP server for instructions.Creating a self service profileA self service profile defines what input fields your users see
and some other general settings like the login caption.When you go to the LAM configuration page you will see the self
service link at the bottom. This will lead you to the self service
configuration pagesNow we need to create a new self service profile. Click on the
link to manage the self service profiles.Specify a name for the new profile and enter your master
configuration password (default is "lam") to save the profile.Now go back to the profile login and enter your master
configuration password to edit your new profile.Edit your new profileBasic settingsOn top of the page you see the link to the user login page. Copy
this link address and give it to your users.Below the link you can specify several options.
General optionsServer addressThe address of your LDAP server. For LDAP+SSL use
"ldaps://myserver"Activate TLSActivates TLS encryption. Please note that this cannot
be combined with LDAP+SSL ("ldaps://").LDAP suffixThe part of the LDAP tree where LAM should search for
usersLDAP search attributeHere you can specify if your users can login with user
name + password, email + password or other attributes.LDAP user + passwordThe DN and password which is used to search for users
in the LDAP database. It is sufficient if this DN has only
read rights. If you leave these fields empty LAM will try to
connect anonymously.Use for all operationsBy default LAM will use the credentials of the user
that logged in to self service for read/modify operations. If
you select this box then the connection user specified before
will be used instead. Please note that this can be a security
risk because the user requires write access to all users. You
need to make sure that your LAM server is well
protected.Additional LDAP filterUse this to enter an additional LDAP filter (e.g.
"(objectClass=passwordSelfReset)") to reduce the number of
accounts who may use self service.HTTP authenticationYou can enable HTTP authentication for your users. This
way the web server is responsible to authenticate your users.
LAM will use the given user name + password for the LDAP
login. To setup HTTP authentication in Apache please see this
link.Login attribute labelThis is the description for the LDAP search attribute.
Set it to something which your users are familiar
with.Password field labelThis text is placed as label for the password field on
the login page. LAM will use "Password" if you do not enter
any text.Login captionThis text is displayed at the login page. You can input
HTML, too.Main page captionThis text is displayed at self service main page where
your users change their data. You can input HTML, too.Page headerThis HTML code will be placed on top of all self
service pages. E.g. you can use this to place your custom
logo. Any HTML code is permitted.Additional CSS linksHere you can specify additional CSS links to change the
layout of the self service pages. This is useful to adapt them
to your corporate design. Please enter one link per
line.
Page layoutHere you can specify what input fields your users can see. It is
also possible to group several input fields.Please use the arrow signs to change the order of the
fields/groups.You may also set some fields as read-only for your users. This
can be done by clicking on the lock symbol. Read-only fields can be
used to show your users additional data on the self service page that
must not be changed by themselves (e.g. first/last name).Sometimes, you may want to set a custom label for an input
field. Click on the edit icon to set your own label text (Personal:
Department is relabeled as "Business unit" here).Possible input fieldsThis is a list of input fields you may add to the self service
page.
Self service fieldsAccount
typeOptionDescription Asterisk (voicemail)Sync Asterisk password with Unix passwordThis is a hidden field. It will update the Asterisk
password each time the Unix password is changed. KerberosSync Kerberos password with Unix passwordThis is a hidden field. It will update the Kerberos
password each time the Unix password is changed. KolabDelegatesAllows to manage delegate permissionsInvitation policyInvitation policy management Password policyLast password changeread-only Password self resetQuestionSecurity question selectionAnswerSecurity answerBackup email(External) backup email address that has no relation to
user password. PersonalBusiness categoryCar licenseDepartmentDescriptionEmail addressFax numberFirst nameHome telephone numberInitialsJob titleLast nameLocationMobile numberOffice nameOrganisational unitPhotoShows the user photo if set. The user may also remove
the photo or upload a new one.Postal addressPostal codePost office boxRegistered addressRoom numberStateStreetTelephone numberUser certificatesUpload of user certificates in PEM or DER
formatUser nameWeb site Samba 3PasswordInput field to set a new NT/LM password. The attribute
"sambaPwdLastSet" is updated if it existed before.Sync Samba LM password with Unix passwordThis is a hidden field. It will update the Samba LM
password each time the Unix password is changed.Sync Samba NT password with Unix passwordThis is a hidden field. It will update the Samba NT
password each time the Unix password is changed.Update attribute "sambaPwdLastSet" on password
changeUpdates the password timestamp when password is
synchronized with Unix.Last password change (read-only)Displays the date and time of the user's last password
change. ShadowLast password change (read-only)Displays the date and time of the user's last password
change (Unix). WindowsPasswordChange the user's passwordLocationOffice namePostal codePost office boxStateStreetTelephone numberWeb site UnixCommon nameLogin shellPasswordThis is also the source for several password
synchronization options. Zarafa"Send as" privilegesDefine user who may send mails as this userEmail aliasesEmail aliases PyKotaBalance (read-only)Current balance for printingTotal paid (read-only)Total money paidPayment historyHistory of user paymentsJob historyHistory of printed jobs
Module settingsThis allows to configure some module specific options (e.g.
custom scripts or password hash type).Password self resetSchema installationPlease install the LDAP schema as described here.SettingsYou can allow your users to reset their passwords themselves.
This will reduce your administrative costs for cases where users
forget their passwords.To enable this feature please activate the checkbox "Enable
password self reset link".Hint: Plese note that LAM Pro
uses security questions by default. Activate confirmation mails and
then deactivate security questions if you want to use only email
validation.You can now configure the minimum answer length for password
reset answers. This is checked when you allow you users to specify
their answers via the self service. Additionally, you can specify the
text of the password reset link (default: "Forgot password?"). The
link is displayed below the password field on the self service login
page.Next, please enter the DN and password of an LDAP entry that is
allowed to reset the passwords. This entry needs write access to the
attributes shadowLastChange, pwdAccountLockedTime and userPassword. It
also needs read access to uid, mail, passwordSelfResetQuestion and
passwordSelfResetAnswer. Please note that LAM Pro saves the password
on your server file system. Therefore, it is required to protect your
server against unauthorised access.Please also specify the list of password reset questions that
the user can choose.Please note that self service and LAM admin interface are
separated functionalities. You need to specify the list of possible
security questions in both self service profile(s) and server
profile(s).You can inform your users via mail about their password change.
The mail can include the new password by using the special wildcard
"@@newPassword@@". Additionally, you may want to insert other
wildcards that are replaced by the corresponding LDAP attributes. E.g.
"@@uid@@" will be replaced by the user name. Please see email format option in case of broken mails.
See here for setting up your SMTP
server.LAM Pro can send your users an email with a confirmation link to
validate their email address. Of course, this should only be used if
the email account is independent from the user password (e.g. at
external provider) or you use the backup email address feature. The
mail body must include the confirmation link by using the special
wildcard "@@resetLink@@". Additionally, you may want to insert other
wildcards that are replaced by the corresponding LDAP attributes. E.g.
"@@uid@@" will be replaced by the user name.There is also an option to skip the security question at all if
email verification is enabled. In this case the password can be reset
directly after clicking on the confirmation link. Please handle with
care since anybody with access to the user's mail account can reset
the password.Troubleshooting:If you get messages like "Unable to find user account." this can
have multiple reasons:security questions enabled but no security question and/or
answer set for this useruser name + email combination does not existno connection to LDAP serverTurn on logging in LAM's main configuration settings. The exact
reason is logged on notice level.New fields for self service
pageThere are special fields that you may put on the self service
page for your users. These fields allow them to change the reset
question and its answer. It is also possible to set a backup email
address to reset passwords with an external email address.This is an example how can be presented to your users on the
self service page:Password reset linkAfter activating the password self reset feature there will be a
new link on the self service login page. The text can be configured as
described above (default: "Forgot password?").When a user clicks on the link then he will be asked for
identification with his user name and email address.LAM Pro will use this information to find the correct LDAP entry
of this user. It then displays the user's security question and input
fields for his new password. If the answer is correct then the new
password will be set. Additionally, pwdAccountLockedTime will be
removed and shadowLastChange updated to the current time if
existing.User self registrationWith LAM Pro your users can create their own accounts if you
like. LAM Pro will display an additional link on the self service
login page that allows you users to create a new account including
email validation (see here for
setting up your SMTP server).You enable this feature in your self service profile. Just
activate the checkbox "Enable self registration link".Options:Link text: This is the label for the link
to the self registration. If empty "Register new account" will be
used.Admin DN and password: Please enter the
LDAP DN and its password that should be used to create new users. This
DN also needs to be able to do LDAP searches by uid in the self
service part of your LDAP tree.Object classes: This is a list of object
classes that are used to build the new user accounts. Please enter one
object class in each line.Attributes: This is a list of additional
attributes that the user can enter. Please note that user name,
password and email address are mandatory anyway and need not be
specified.Each line represents one LDAP attribute. The settings are
separated by "::". The first setting specifies the field type. The
second setting is the LDAP attribute name. Depending on the field type
you can enter additional options:
DescriptionTypeAttribute nameFirst optionSecond optionThird optionAn optional input field that is displayed on the
registration page.optionale.g. "givenName"Label that is displayed on pageoptional regular expression for validation (e.g.
"/^[0-9a-zA-Z]+$/")validation message if value does not match validation
expressionA required input field that is displayed on the
registration page. Self registration cannot be done if such a
field is left empty by the user.requirede.g. "sn"Label that is displayed on pageoptional regular expression for validation (e.g.
"/^[0-9a-zA-Z]+$/")validation message if value does not match validation
expressionConstant attribute value, not visible for the user. Can
be used to set some initial values or data that must not be
edited by the user.constante.g. "homeDirectory"attribute value, supports wirldcards to insert other
attribute values (e.g. "@@uid@@")
For a syntax description of validation expressions see here. Validation is
optional, you can leave these options blank.Example:optional::givenName::First name::/^[[:alnum:] ]+$/u::Please
enter a valid first name.required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a
valid last name.constant::homeDirectory::/home/@@uid@@If you use the object class "inetOrgPerson" and do not provide
the "cn" attribute then LAM will set it to the user name value.Please note that only simple input boxes are supported for
account registration. The user may log in to self service when his
account was created to manage all his attributes.User view:The user can register by clicking on a link on the self service
login page:Here he can insert the data that you specified in the self
service profile:LAM will then send him an email with a validation link that is
valid for 24 hours. When he clicks on this link then the account will
be created in the self service user suffix. The DN will look like
this: uid=<user name>,...Please see email format option in
case of broken mails.Custom fields (LAM Pro)This module allows you to manage LDAP attributes that are not
covered by the other LAM modules (e.g. if you use custom LDAP
schemas). You can fully define how your input fields look like:LabelLDAP attribute nameUnique name for fieldHelp textRead-only displayField type: text, password, text area, checkbox, radio
buttons, select list, file uploadValidation via regular expressionError message if validation failsTo create custom fields for the Self Service please edit your
Self Service profile and switch to tab "Module settings". Here you can
add a new field. Simply fill the fields and press on "Add".Please note that the field name cannot be changed later. It is
the unique ID for this field.After you created your fields please press on "Sync fields with
page layout". Now you can switch to tab "Page layout" and add your new
fields like any other standard field.Examples for fields and their representation in Self
Service:Text field:Text fields allow to specify a validation
expression and error message.You can also enable auto-completion. In this case LAM will
search all accounts for the given attribute and provide
auto-completion hints when the user edits this field. This should only
be used if there is a limited number of different values for this
attribute.Presentation in Self Service:Password field:You can also manage custom password fields. LAM Pro will display
two fields where the user must enter the same password. You can hash
the password if needed.Presentation in Self Service:Text area:This adds a multi-line field. The options are similar to text
fields. Additionally, you can set the size with the number of columns
and rows.Please note that the validation
expression should be set to multi-line. This is done by adding
"m" at the end.Presentation in Self Service:Checkbox:Sometimes you may want to allow only yes/no values for your LDAP
attributes. This can be represented by a checkbox. You can specify the
values for checked and unchecked. The default value is set if the LDAP
attribute has no value.Presentation in Self Service:Radio buttons:This displays a list of radio buttons where the user can select
one value.You can specify a mapping of LDAP attribute values and their
display (label) on the Self Service page. To add more mapping fields
please press "Add more mapping fields".Presentation in Self Service:Select list:Select lists allow the user to select a value in a large list of
options. The definition of the possible values and their display is
similar to radio buttons.You can also allow multiple values.Presentation in Self Service:Validation expressions:The validation expressions follow the standard of Perl regular
expressions. They start and end with a "/". The beginning of a
line is specified by "^" and the end by "$".Examples:/^[a-z0-9]+$/ allows small letters and numbers. The value must
not be empty ("+")./^[a-z0-9]+$/i allows small and capital letters ("i" at the end
means ignore case) and numbers. The value must not be empty
("+").Special characters that must be escaped with "\": "\", ".", "(",
")"E.g. /^[a-z0-9\.]$/iFile upload:This is used for binary data. You can restrict uploaded data to
a given file extension and set the maximum file size.Presentation:The uploaded data may also be downloaded via LAM.Adapt the self service to your corporate designLAM Pro allows you to integrate customs CSS style definitions and
design the header of all self service pages. This way you can integrate
you own logo and use your company's colors.Custom headerThe default LAM Pro header includes a logo and a horizontal
line. You can enter any HTML code here. It will be included in the
self services pages after the body tag.CSS filesUsually, companies have regulations about their corporate design
and use common CSS files. This assures a common appearance of all
intranet pages (e.g. colors and fonts). To include additional CSS
files just use the following setting for this task. The additional CSS
links will be added after LAM Pro's default CSS link. This way you can
overwrite LAM Pro's style.LDAP schema filesHere is a list of needed LDAP schema files for the different LAM
modules. For OpenLDAP we also provide a source where you can get the
files.
LDAP schema filesAccount typeObject class(es)Schema nameSourceNotesUnix accountsposixAccount, shadowAccount, hostObject, posixGroupnis.schema, rfc2307bis.schema, ldapns.schema
(hostObject)Part of OpenLDAP installation, part of libpam-ldap
(ldapns.schema)The rfc2307bis.schema is only supported by LAM Pro. Use the
nis.schema if you do not want to upgrade to LAM Pro.Address book entriesinetOrgPersoninetorgperson.schemaPart of OpenLDAP installationSamba 3 accountssambaSamAccount, sambaGroupMapping, sambaDomainsamba.schemaPart of Samba tarball (examples/LDAP/samba.schema)Windows AD (Samba 4)user, group, computerSamba 4 built-inKolab 2/3 userskolabUserkolab2/3.schema, rfc2739.schemaPart of Kolab 2/3 installationAsterisk (extension)AsteriskSIPUser, AsteriskExtensionasterisk.schemaPart of Asterisk installationPyKota users, groups, printers and billing codespykotaObject, pykotaAccount, pykotaAccountBalance,
pykotaGroup, pykotaPrinter, pykotaBillingpykota.schemaPart of PyKota installationMail routinginetLocalMailRecipientmisc.schemaPart of OpenLDAP installationHostshostObject, deviceldapns.schemaPart of libpam-ldap installationThe device object class is only available in LAM
Pro.Authorized servicesauthorizedServiceObjectldapns.schemaPart of libpam-ldap installationMail aliasesnisMailAliasmisc.schemaPart of OpenLDAP installationQmail userqmailUserqmail.schemaPart of qmail_ldapLAM Pro onlyMAC addressesieee802devicenis.schemaPart of OpenLDAP installationIP addressesipHostnis.schemaPart of OpenLDAP installationLAM Pro onlyPuppetpuppetClientpuppet.schemaPuppet
on GitHubEDU personeduPersoneduperson.schemahttp://middleware.internet2.eduSimple Accountsaccountcosine.schemaPart of OpenLDAP installationSSH public keysldapPublicKeyopenssh-lpk.schemaIncluded in patch from http://code.google.com/p/openssh-lpk/Filesystem quotassystemQuotasquota.schemaLinux
DiskQuotaGroup of (unique) namesgroupOfNames, groupOfUniqueNamescore.schemaPart of OpenLDAP installationLAM Pro onlyGroupsorganizationalRolecore.schemaPart of OpenLDAP installationLAM Pro onlyDHCPdhcpOptions, dhcpSubnet, dhcpServerdhcp.schemadocs/schema/dhcp.schemaThe LDAP suffix should be set to your dhcpServer
entry.Bind DLZ DNSdlzZone, dlzHost, dlzSOARecord, dlzNSRecord, dlzARecord,
dlzMXRecord, dlzCNameRecord, dlzPTRRecorddlz.schemapart of Bind
DLZ patchLAM Pro onlyAliasesalias, uidObjectcore.schemaPart of OpenLDAP installationLAM Pro onlyNIS netgroupsnisNetgroupnis.schemaPart of OpenLDAP installationNIS objectsnisObjectnis.schemaPart of OpenLDAP installationLAM Pro onlyAutomount objectsautomountautofs.schema, rfc2307bis.schemaAutofs LDAPLAM Pro onlyOracle databasesorclNetServiceoidbase.schema, oidnet.schema, oidrdbms.schema,
alias.schemaPreinstalled on Oracle directory server, OpenLDAP schemas
can be downloaded e.g. hereLAM Pro onlyPassword policiespwdPolicy, deviceppolicy.schema, core.schemaPart of OpenLDAP installationLAM Pro onlyFreeRadius usersradiusprofileopenldap.schemaPart of FreeRadius installationHeimdal Kerberoskrb5KDCEntryhdb.schemaPart of Heimdal Kerberos installationLAM Pro onlyMIT KerberoskrbPrincipal, krbPrincipalAux, krbTicketPolicyAuxkerberos.schemaPart of MIT Kerberos installationLAM Pro onlySudo rolessudoRolesudo.schemaPart of sudo-ldap installationLAM Pro onlyZarafazarafa-user, zarafa-group, zarafa-serverzarafa.schemaPart of Zarafa installationLAM Pro onlyIMAP mailboxes---Does not require any schema.
SecurityLAM configuration passwordsLAM supports a two level authorization system for its
configuration. Therefore, there are two types of configuration
passwords:master configuration
password: needed to change general settings,
create/delete server profiles and self service profilesserver profile password: used
to change the settings of a server profile (e.g. LDAP server and
account types to manage)The master configuration password can be used to reset a server
profile password. Each server profile has its own profile
password.Both password types are stored as hash values in the configuration
files for enhanced security.Use of SSLThe data which is transfered between you and LAM is very
sensitive. Please always use SSL encrypted connections between LAM and
your browser to protect yourself against network sniffers.LDAP with SSL and TLSSSL will be used if you use ldaps://servername in your
configuration profile. TLS can be activated with the "Activate TLS"
option.If your LDAP server uses a SSL certificate of a well-know
certificate authority (CA) then you probably need no changes. If you use
a custom CA in your company then there are two ways to setup the CA
certificates.Setup SSL certificates in LAM general settingsThis is much easier than system level setup and will only affect
LAM. There might be some cases where other web applications on the
same web server are influenced.See here for details.Setup SSL certificates on system levelThis will make the CA certificates available also to other
applications on your system (e.g. other web applications).You will need to setup ldap.conf to trust your server
certificate. Some installations use /etc/ldap.conf and some use
/etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
/etc/ldap/ldap.conf. Specify the server CA certificate with the
following option:TLS_CACERT /etc/ldap/ca/myCA/cacert.pemThis needs to be the public part of the signing certificate
authority. See "man ldap.conf" for additional options.You may also need to specify the CA certificate in your Apache
configuration by using the option "LDAPTrustedGlobalCert":LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pemChrooted serversIf your server is chrooted and you have no access to /dev/random
or /dev/urandom this can be a security risk. LAM stores your LDAP
password encrypted in the session. LAM uses rand() to generate the key
if /dev/random and /dev/urandom are not accessible. Therefore the key
can be easily guessed. An attaker needs read access to the session file
(e.g. by another Apache instance) to exploit this.Protection of your LDAP password and directory contentsYou have to install the MCrypt extension for PHP to enable
encryption.Your LDAP password is stored encrypted in the session file. The
key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
encrypt the password. All data that was read from LDAP and needs to be
stored in the session file is also encrypted.Apache configurationSensitive directoriesLAM includes several .htaccess files to protect your
configuration files and temporary data. Apache is often configured to
not use .htaccess files by default. Therefore, please check your
Apache configuration and change the override setting to:AllowOverride AllIf you are experienced in configuring Apache then you can also
copy the security settings from the .htaccess files to your main
Apache configuration.If possible, you should not rely on .htaccess files but also
move the config and sess directory to a place outside of your WWW
root. You can put a symbolic link in the LAM directory so that LAM
finds the configuration/session files.Security sensitive directories:config: Contains your LAM
configuration and account profilesLAM configuration passwords (SSHA hashed)default values for new accountsdirectory must be accessibly by Apache but needs not to be
accessible by the browsersess: PHP session filesLAM admin password in clear text or MCrypt encryptedcached LDAP entries in clear text or MCrypt encrypteddirectory must be accessibly by Apache but needs not to be
accessible by the browsertmp: temporary filesPDF documents which may also include passwordsimages of your usersdirectory contents must be accessible by browser but
directory itself needs not to be browseableUse LDAP HTTP authentication for LAMWith HTTP authentication Apache will be responsible to ask for
the user name and password. Both will then be forwarded to LAM which
will use it to access LDAP. This approach gives you more flexibility
to restrict the number of users that may access LAM (e.g. by requiring
group memberships).First of all you need to load additional Apache modules. These
are "mod_ldap"
and "mod_authnz_ldap".Next you can add a file called "lam_auth_ldap" to
/etc/apache/conf.d. This simple example restricts access to all URLs
beginning with "lam" to LDAP authentication.<location /lam>
AuthType Basic
AuthBasicProvider ldap
AuthName "LAM"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
Require valid-user
</location>You can also require that your users belong to a certain Unix
group in LDAP:<location /lam>
AuthType Basic
AuthBasicProvider ldap
AuthName "LAM"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
Require valid-user
# force membership of lam-admins
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
</location>Please see the Apache
documentation for more details.Self Service behind proxy in DMZ (LAM Pro)In some cases you might want to make the self service accessible
via the internet. Here is an Apache config to forward only the
required URLs via a proxy server (lamproxy.company.com) in your DMZ to
the internal LAM server (lam.company.com).This configuration allows your users to open
https://lamproxy.company.com which will then proxy the self service on
the internal server.<VirtualHost lamproxy.company.com:443>
ServerName lamproxy.company.com
ErrorLog /var/log/apache2/lam-proxy-error.log
CustomLog /var/log/apache2/lam-proxy-access.log combined
DocumentRoot /var/www/lam-proxy
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine on
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
ProxyPreserveHost On
ProxyRequests off
loglevel info
# redirect front page to self service login page
RewriteEngine on
RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&name=lam
# proxy required URLs
ProxyPass /tmp https://lam.company.com/lam/tmp
ProxyPass /sess https://lam.company.com/lam/sess
ProxyPass /templates/lib https://lam.company.com/lam/templates/lib
ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService
ProxyPass /style https://lam.company.com/lam/style
ProxyPass /graphics https://lam.company.com/lam/graphics
ProxyPassReverse /tmp https://lam.company.com/lam/tmp
ProxyPassReverse /sess https://lam.company.com/lam/sess
ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib
ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService
ProxyPassReverse /style https://lam.company.com/lam/style
ProxyPassReverse /graphics https://lam.company.com/lam/graphics
</VirtualHost>Nginx configurationThere is no fully automatic setup of Nginx but LAM provides a
ready-to-use configuration file.RPM based installationsThe RPM package has dependencies on Apache. Therefore, Nginx is
not officially supported with this installation mode. Use tar.bz2 if
you are unsure.However, the package also includes an Nginx configuration file.
Please include it in your server directive like this:server {
...
include /etc/ldap-account-manager/lam.nginx.conf;
...
}DEB based installationsThe LAM installation package ships with an Nginx configuration
file. Please include it in your server directive like this:server {
...
include /etc/ldap-account-manager/lam.nginx.conf;
...
}tar.bz2 based installationsPlease add the following configuration snippet to your server
directive.You will need to change the alias location
("/usr/share/ldap-account-manager") and fastcgi_pass
("/var/run/php5-fpm.sock") to match your installation.location /lam {
index index.html;
alias /usr/share/ldap-account-manager;
autoindex off;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
deny all;
return 403;
}
}
Typical OpenLDAP settingsSome basic hints to configure the OpenLDAP server:Size
limit:You will get a message like "LDAP sizelimit exceeded, not all
entries are shown." when you hit the LDAP search limit.OpenLDAP allows by default 500 return values per search, if you have
more users/groups/hosts please change this:slapd.conf:e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return
valuesslapd.d:e.g. "olcSizeLimit: 10000" or "olcSizeLimit: -1" for unlimited
return values in /etc/ldap/slapd.d/cn=config.ldifUnique
attributes:There are cases where you do not want that same attribute values
exist multiple times in your database. A good example are UID/GID
numbers.OpenLDAP provides the attribute
uniqueness overlay for this task.Example to force unique UID numbers:In
/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif add
"olcModuleLoad: {3}unique" (replace "3" with the highest existing number
plus one).Now in /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif add e.g.
"olcUniqueURI: ldap:///?uidNumber?sub"Indices:Indices will improve the performance when searching for entries in
the LDAP directory. The following indices are recommended:index objectClass eqindex default subindex uidNumber eqindex gidNumber eqindex memberUid eqindex cn,sn,uid,displayName pres,sub,eq# Samba 3.xindex sambaSID eqindex sambaPrimaryGroupSID eqindex sambaDomainName eqSetup of email (SMTP) serverLAM always uses a local SMTP email server on the machine where LAM
is installed. Therefore, there is no need to configure any SMTP settings
inside LAM itself.The local email server should be configured to forward all emails to
your company mail server (so-called smarthost). You can use any SMTP
software that ships with a Sendmail wrapper (e.g. Exim, Postfix, QMail or
Sendmail itself).Setup for home directory and quota managementLamdaemon.pl is used to modify quota and home directories on a
remote or local host via SSH (even if homedirs are located on
localhost).If you want wo use it you have to set up the following things to get
it to work:LDAP Account Manager configurationSet the remote or local host in the configuration (e.g.
127.0.0.1)Path to lamdaemon.pl, e.g.
/srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a Debian or
RPM package then the script will be located at
/usr/share/ldap-account-manager/lib/lamdaemon.pl.Your LAM admin user must be a valid Unix account. It needs to
have the object class "posixAccount" and an attribute "uid". This
account must be accepted by the SSH daemon of your home directory
server. Do not create a second local account but change your system
to accept LDAP users. You can use LAM to add the Unix account part
to your admin user or create a new account. Please do not forget to
setup LDAP write access (ACLs)
if you create a new account.Note that the builtin admin/manager entries do not work for
lamdaemon. You need to login with a Unix account.OpenLDAP ACL location:The access rights for OpenLDAP are configured in
/etc/ldap/slapd.conf or
/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.Setup sudoThe perl script has to run as root. Therefore we need a wrapper,
sudo. Edit /etc/sudoers on host where homedirs or quotas should be used
and add the following line:$admin All= NOPASSWD: $path_to_lamdaemon *$admin is the admin user from
LAM (must be a valid Unix account) and
$path_to_lamdaemon is the path to
lamdaemon.pl.Example:myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
*You might need to run the sudo command once manually to init sudo.
The command "sudo -l" will show all possible sudo commands of the
current user.Attention: Please do not use the
options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers.
Otherwise you might get errors like "you must have a tty to run sudo" or
"no tty present and no askpass program specified".Setup PerlWe need an extra Perl module - Quota. To install it, run:perl -MCPAN -e shellinstall QuotaIf your Perl executable is not located in /usr/bin/perl you will
have to edit the path in the first line of lamdaemon.pl. If you have
problems compiling the Perl modules try installing a newer release of
your GCC compiler and the "make" application.Several Linux distributions already include a quota package for
Perl.Set up SSHYour SSH daemon must offer the password authentication method. To
activate it just use this configuration option in
/etc/ssh/sshd_config:PasswordAuthentication yesTroubleshootingIf you have problems managing quotas and home directories then
these points might help:There is a test page for lamdaemon: Login to LAM and open
Tools -> Tests -> Lamdaemon testCheck /var/log/auth.log or its equivalent on your system. This
file contains messages about all logins. If the ssh login failed
then you will find a description about the reason here.Set sshd in debug mode. In /etc/ssh/sshd_conf add these
lines:SyslogFacility AUTHLogLevel DEBUG3Now check /var/log/syslog for messages from sshd.Error message "Your LAM admin user (...)
must be a valid Unix account to work with lamdaemon!": This
happens if you use the default LDAP admin/manager user to login to LAM.
Please see here and setup a Unix
account.Setup password self reset schema (LAM Pro)New installationPlease see here if you want to
upgrade an existing schema version.Schema installationPlease install the schema that comes with LAM Pro. The schema
files are located in:tar.bz2: docs/schemaDEB: /usr/share/doc/ldap-account-manager/docs/schemaRPM:
/usr/share/doc/ldap-account-manager-{VERSION}/schemaOpenLDAP with slapd.conf
configurationFor a configuration with slapd.conf-file copy
passwordSelfReset.schema to /etc/ldap/schema/ and add this line to
slapd.conf: include /etc/ldap/schema/passwordSelfReset.schema
OpenLDAP with slapd.d
configurationFor slapd.d configurations you need to upload the schema file
passwordSelfReset.ldif via ldapadd command:ldapadd -x -W -H ldap://localhost -D "cn=admin,o=test,c=de" -f
passwordSelfReset.ldifPlease replace "localhost" with your LDAP server and
"cn=admin,o=test,c=de" with your LDAP admin user (usually starts with
cn=admin or cn=manager).Samba 4The schema files are passwordSelfReset-Samba4-attributes.ldif and
passwordSelfReset-Samba4-objectClass.ldif.First, you need to edit them and replace "DOMAIN_TOP_DN" with your
LDAP suffix (e.g. dc=samba4,dc=test).Then install the attribute and afterwards the object class schema
file: ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true
ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true
WindowsThe schema file is passwordSelfReset-Windows.ldif.First, you need to edit it and replace "DOMAIN_TOP_DN" with your
LDAP suffix (e.g. dc=windows,dc=test).Then install the schema file as administrator on a command
line: ldifde -v -i -f passwordSelfReset-Windows.ldif
This allows to set a security question + answer for each
account.Schema updateThe schema files are located in:tar.bz2: docs/schema/updatesDEB:
/usr/share/doc/ldap-account-manager/docs/schema/updatesRPM:
/usr/share/doc/ldap-account-manager-{VERSION}/schema/updatesSchema versions:Initial version (LAM Pro 3.6)Added passwordSelfResetBackupMail (LAM Pro 4.5)OpenLDAP with slapd.conf
configurationInstall the schema file like a new install (skip
modification of slapd.conf file).OpenLDAP with slapd.d
configurationThe upgrade requires to stop the LDAP server.Steps:Stop OpenLDAP with e.g. "/etc/init.d/slapd stop"Delete the old schema file. It is located in e.g.
"/etc/ldap/slapd.d/cn=config/cn=schema" and called
"cn={XX}passwordselfreset.ldif" (XX can be any number)Start OpenLDAP with e.g. "/etc/init.d/slapd start"Install the schema file like a new installSamba 4Install the these update files by following the install
instructions in the file:samba4_version_1_to_2_attributes.ldifsamba4_version_1_to_2_objectClass.ldifPlease note that attributes file needs to be installed
first.WindowsInstall the file "windows_version_1_to_2.ldif" by following the
install instructions in the file.Adapt LAM to your corporate designThere are cases where you might want to change LAM's default
look'n'feel to better integrate it in your company network. Changes can be
done like this:Change colors, fonts and other parts with
custom CSSYou can integrate custom CSS files in LAM. It is recommended to
write a separate CSS file instead of modifying LAM's default files.The CSS files are located in DEB/RPM: /usr/share/ldap-account-manager/style
tar.bz2: style
LAM will automatically integrate all CSS files in alphabetical
order. E.g. you can create a file called "900_myCompany.css" which will be
added as last file.Example:This will change the background color of all pages to turquoise. See
500_layout.css for LAM's default settings.body {
background-color: #b6eeff;
}
You can use the same way to change fonts, sizes and more.E.g. this will reduce the default font size to 80%:body {
font-size: 80%;
}
.ui-button-text-only {
font-size: 100%;
}
.ui-button-text-icon-primary {
font-size: 100%;
}
Custom logo/* image in login box */
td.loginLogo {
background-image: url(/logos/mylogo.png);
}
/* image (24x24) in header line */
a.lamLogo {
background-image: url(/logos/mylogo.png);
}Other imagesAll images are located in DEB/RPM: /usr/share/ldap-account-manager/graphics
tar.bz2: graphicsPlease note that if you replace images then you need to reapply your
changes every time you upgrade LAM.Special changes with custom
JavaScriptIn rare cases it might not be sufficient to write custom CSS or
replace some image files. E.g. you might want to add custom content to all
pages.For these cases you can add a custom JavaScript file that contains
your code.The JavaScript files are located in DEB/RPM: /usr/share/ldap-account-manager/templates/lib
tar.bz2: templates/libLAM will automatically integrate all .js files in alphabetical
order. E.g. you can create a file called "900_myCompany.js" which will be
added as last file.Self serviceSee here for self
service customisations.Clustering LAMLAM is a web application based on PHP. Therefore, clustering is not
directly a part of the application.But here are some hints to run LAM in a clustered
environment.Application parts:LAM can be divided into three partsSoftwareConfiguration filesSession files and temporary dataSoftware:This is the simplest part. Just install LAM on each cluster node.
Please note that if you run LAM Pro you will need either one license for
each active cluster node or a company license.Configuration files:These files include the LAM server profiles, account profiles, PDF
structures, ... Usually, they do not change frequently and can be put on a
shared file system (e.g. NFS, AFS, ...).Please link "config" or "/var/lib/ldap-account-manager/config" to a
directory on your shared file system.Session data and temporary
files:These are critical because the files may change on every page load.
There are basically two options:load balancer with session stickiness: In this case your load
balancer will forward all requests of a user to the same cluster node.
In this case you can keep the files locally on your cluster nodes. If
you already have a load balancer then this is the simplest solution
and performs best. The disadvantage is that if a node fails then all
users connected to this node will loose their session and need to
relogin.shared file system: This should only be used if your load
balancer does not support session stickiness or you use a different
system to distribute request across the cluster. A shared file system
will decrease performance for all page loads.Session data and temporary files are located in "tmp" + "sess" or
"/var/lib/ldap-account-manager/tmp" +
"/var/lib/ldap-account-manager/sess".TroubleshootingFunctional issuesSize limitYou will get a message like "LDAP sizelimit exceeded, not all
entries are shown." when you hit the LDAP search limit. See the OpenLDAP settings to fix
this.Invalid syntax errors:If you get any strange errors like "Invalid syntax" or "Invalid DN
syntax" please check if your LDAP schema matches LAM's
requirements.Schema test:This can be done by running "Tools" -> "Tests" -> "Schema
test" inside LAM.If there are any object classes or attributes missing you will get
a notice. See LDAP schema files for a
list of used schemas. You may also want to deactive unused modules in
your LAM server profile (tab "Modules").LDAP Logging:If your schema is correct you can turn on LDAP logging to get more
detailed error messages from your LDAP server.OpenLDAP logging:slapd.conf: In /etc/ldap/slapd.conf turn logging on with the
line "loglevel 256".slapd.d: In /etc/ldap/slapd.d/cn=config.ldif please change the
attribute "olcLogLevel" to "Stats". Please add a line "olcLogLevel:
Stats" if the attribute is missing.After changing the configuration please restart OpenLDAP. It
usually uses /var/log/syslog for log output.PHP loggingSometimes it can help to enable PHP logging inside LAM. You can do
this in the logging area of LAM's
main configuration. Set the logging option to "all" and check if there
are any messages printed in your browser window. Please note that not
every notice message is an error but it may help to find the
problem.Performance issuesLAM is tested to work with 10000 users with acceptable
performance. If you have a larger directory or slow hardware then here
are some points to increase performance.The first step is to check if performance problems are caused by
the LAM web server or the LDAP server. Please check which machine
suffers from high system load (CPU/memory consumption).High network latency may also be a problem. For large
installations please make sure that LAM web server and LDAP server are
located in the same building/server room.If you run LAM on multiple nodes (DNS load balancing/hardware load
balancer) then also check the clustering
section.LDAP serverUse indicesDepending on the queries it may help to add some more indices on
the LDAP server. Depending on your LDAP software it may already
suggest indices in its log files. See here for typical OpenLDAP indices.Reduce query results by splitting LDAP
management into multiple server profilesIf you manage a very large directory then it might already be
separated into multiple subtrees (e.g. by country, subsidiary, ...).
Do not use a single LAM server profile to manage your whole directory.
Use different server profiles for each separated LDAP subtree where
possible (e.g. one for German users and one for French ones).Limit query resultsLAM allows to set an LDAP search
limit for each server profile. This will limit the number of
entries returned by your LDAP server. Use with caution because it can
cause problems (e.g. with automatic UID generation) when LAM is not
able to read all entries.LAM web serverInstall a PHP
acceleratorThere are tools like APC (free) or
Zend
Server (commercial) that provide caching of PHP pages to
improve performance. They will reduce the time for parsing the PHP
pages and IO load.This is a simply way to enhance performance since APC is part of
most Linux distributions.If you use APC then make sure that it uses enough memory (e.g.
"apc.shm_size=128M"). You can check the memory usage with the file
apc.php that is shipped with APC.Disable session
encryptionLAM encrypts sensitive data in your session files. You can disable it to reduce CPU
load.