<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<book>
  <title>LDAP Account Manager - Manual</title>

  <preface>
    <title>Overview</title>

    <para>LDAP Account Manager (LAM) manages user, group and host accounts in
    an LDAP directory. LAM runs on any webserver with PHP5 support and
    connects to your LDAP server unencrypted or via SSL/TLS.</para>

    <para>LAM supports Samba 3, Unix, Zarafa, Kolab 2, address book entries,
    NIS mail aliases, MAC addresses and much more. There is a tree viewer
    included to allow access to the raw LDAP attributes. You can use templates
    for account creation and use multiple configuration profiles.</para>

    <para><ulink
    url="https://www.ldap-account-manager.org/">https://www.ldap-account-manager.org/</ulink></para>

    <para>Copyright (C) 2003 - 2013 Roland Gruber
    &lt;post@rolandgruber.de&gt;</para>

    <para><emphasis role="bold">Key features:</emphasis></para>

    <itemizedlist>
      <listitem>
        <para>managing user/group/host/domain entries</para>
      </listitem>

      <listitem>
        <para>account profiles</para>
      </listitem>

      <listitem>
        <para>account creation via file upload</para>
      </listitem>

      <listitem>
        <para>multiple configuration profiles</para>
      </listitem>

      <listitem>
        <para>LDAP browser</para>
      </listitem>

      <listitem>
        <para>schema browser</para>
      </listitem>

      <listitem>
        <para>OU editor</para>
      </listitem>

      <listitem>
        <para>PDF export for all accounts</para>
      </listitem>

      <listitem>
        <para>manage user/group Quota and create home directories</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">Requirements:</emphasis></para>

    <itemizedlist>
      <listitem>
        <para>PHP5 (&gt;= 5.2.4)</para>
      </listitem>

      <listitem>
        <para>Openldap (2.0 or greater)</para>
      </listitem>

      <listitem>
        <para>A recent web browser that supports CSS2 and JavaScript, at
        minimum:</para>

        <itemizedlist>
          <listitem>
            <para>Firefox 3</para>
          </listitem>

          <listitem>
            <para>Internet Explorer 8<emphasis role="bold"> (compatibility
            mode turned off)</emphasis></para>
          </listitem>

          <listitem>
            <para>Opera 10</para>
          </listitem>
        </itemizedlist>
      </listitem>
    </itemizedlist>

    <para>The default password to edit the configuration options is
    "lam".</para>

    <para><emphasis role="bold">License:</emphasis></para>

    <para>LAM is published under the GNU General Public License. The complete
    list of licenses can be found in the copyright file.</para>

    <para><emphasis role="bold">Default password:</emphasis></para>

    <para>The default password for the LAM configuration is "lam".</para>

    <literallayout>
Have fun!
     The LAM development team</literallayout>
  </preface>

  <preface>
    <title>Architecture</title>

    <para>There are basically two groups of users for LAM:</para>

    <itemizedlist>
      <listitem>
        <para><emphasis role="bold">LDAP administrators and support
        staff:</emphasis></para>

        <para>These people administer LDAP entries like user accounts, groups,
        ...</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">Users:</emphasis></para>

        <para>This includes all people who need to manage their own data
        inside the LDAP directory. E.g. these people edit their contact
        information with LAM self service (LAM Pro).</para>
      </listitem>
    </itemizedlist>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/lam_architecture.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Therefore, LAM is split into two separate parts, LAM for admins and
    for users. LAM for admins allows to manage various types of LDAP entries
    (e.g. users, groups, hosts, ...). It also contains tools like batch
    upload, account profiles, LDAP schema viewer and an LDAP browser. LAM for
    users focuses on end users. It provides a self service for the users to
    edit their personal data (e.g. contact information). The LAM administrator
    is able to specify what data may be changed by the users. The design is
    also adaptable to your corporate design.</para>

    <para>LAM for admins/users is accessible via HTTP(S) by all major web
    browsers (Firefox, IE, Opera, ...).</para>

    <para><emphasis role="bold">LAM runtime environment:</emphasis></para>

    <para>LAM runs on PHP. Therefore, it is independant of CPU architecture
    and operating system (OS). You can run LAM on any OS which supports Apache
    or other PHP compatible web servers.</para>

    <para><emphasis role="bold">Home directory server:</emphasis></para>

    <para>You can manage user home directories and their quotas inside LAM.
    The home directories may reside on the server where LAM is installed or
    any remote server. The commands for home directory management are secured
    by SSH. LAM will use the user name and password of the logged in LAM
    administrator for authentication.</para>

    <para><emphasis role="bold">LDAP directory:</emphasis></para>

    <para>LAM connects to your LDAP server via standard LDAP protocol. It also
    supports encrypted connections with SSL and TLS.</para>
  </preface>

  <chapter id="a_installation">
    <title>Installation</title>

    <section id="a_install">
      <title>New installation</title>

      <section>
        <title>Requirements</title>

        <para>LAM has the following requirements to run:</para>

        <itemizedlist>
          <listitem>
            <para>Apache webserver (SSL recommended) with PHP module (PHP 5
            (&gt;= 5.2.4) with ldap, gettext, xml, openssl and optional
            mcrypt)</para>
          </listitem>

          <listitem>
            <para>Some LAM plugins may require additional PHP extensions (you
            will get a note on the login page if something is missing)</para>
          </listitem>

          <listitem>
            <para>Perl (optional, needed only for lamdaemon)</para>
          </listitem>

          <listitem>
            <para>OpenLDAP (&gt;2.0)</para>
          </listitem>

          <listitem>
            <para>A recent web browser that supports CSS2 and JavaScript, at
            minimum:</para>

            <para><itemizedlist>
                <listitem>
                  <para>Firefox 3</para>
                </listitem>

                <listitem>
                  <para>Internet Explorer 8 <emphasis
                  role="bold">(compatibility mode turned
                  off)</emphasis></para>
                </listitem>

                <listitem>
                  <para>Opera 10</para>
                </listitem>
              </itemizedlist></para>
          </listitem>
        </itemizedlist>

        <para>MCrypt will be used to store your LDAP password encrypted in the
        session file.</para>

        <para>See <link linkend="a_schema">LDAP schema fles</link> for
        information about used LDAP schema files.</para>
      </section>

      <section>
        <title>Prepackaged releases</title>

        <para>LAM is available as prepackaged version for various
        platforms.</para>

        <section>
          <title>Debian</title>

          <informaltable frame="none" tabstyle="noborder">
            <tgroup cols="2">
              <tbody>
                <row>
                  <entry><inlinemediaobject>
                      <imageobject>
                        <imagedata fileref="images/debian.png" />
                      </imageobject>
                    </inlinemediaobject></entry>

                  <entry>LAM is part of the official Debian repository. New
                  releases are uploaded to unstable and will be available
                  automatically in testing and the stable releases. You can
                  run<literal> </literal><para><emphasis role="bold">apt-get
                  install ldap-account-manager</emphasis></para>to install LAM
                  on your server. Additionally, you may download the latest
                  LAM Debian packages from the <ulink type=""
                  url="http://www.ldap-account-manager.org/">LAM
                  homepage</ulink> or the <ulink
                  url="http://packages.debian.org/search?keywords=ldap-account-manager">Debian
                  package homepage</ulink>.<para><emphasis
                  role="bold">Installation of the latest packages on Debian
                  Squeeze</emphasis></para><orderedlist>
                      <listitem>
                        <para>Install php-fpdf 1.7.dfsg-1 from here:</para>

                        <para><ulink
                        url="http://packages.debian.org/wheezy/all/php-fpdf/download">http://packages.debian.org/wheezy/all/php-fpdf/download</ulink></para>
                      </listitem>

                      <listitem>
                        <para>Install the LAM package</para>

                        <para>dpkg -i ldap-account-manager_*.deb</para>
                      </listitem>

                      <listitem>
                        <para>Install the lamdaemon package (optional)</para>

                        <para>dpkg -i
                        ldap-account-manager-lamdaemon_*.deb</para>
                      </listitem>
                    </orderedlist></entry>
                </row>
              </tbody>
            </tgroup>
          </informaltable>
        </section>

        <section>
          <title>Suse/Fedora</title>

          <informaltable frame="none">
            <tgroup cols="2">
              <tbody>
                <row>
                  <entry><inlinemediaobject>
                      <imageobject>
                        <imagedata fileref="images/suse.png" />
                      </imageobject>
                    </inlinemediaobject><para></para><inlinemediaobject>
                      <imageobject>
                        <imagedata fileref="images/fedora.png" />
                      </imageobject>
                    </inlinemediaobject></entry>

                  <entry>There are RPM packages available on the <ulink
                  type="" url="http://www.ldap-account-manager.org/">LAM
                  homepage</ulink>. The packages can be installed with these
                  commands:<para><emphasis role="bold">rpm -e
                  ldap-account-manager
                  ldap-account-manager-lamdaemon</emphasis> (if an older
                  version is installed)</para><para><emphasis role="bold">rpm
                  -i &lt;path to LAM package&gt;</emphasis></para></entry>
                </row>
              </tbody>
            </tgroup>
          </informaltable>
        </section>

        <section>
          <title>Other RPM based distributions</title>

          <para>The RPM packages for Suse/Fedora are very generic and should
          be installable on other RPM-based distributions, too. The Fedora
          packages use apache:apache as file owner and the Suse ones use
          wwwrun:www.</para>
        </section>

        <section>
          <title>FreeBSD</title>

          <informaltable frame="none">
            <tgroup cols="2">
              <tbody>
                <row>
                  <entry><inlinemediaobject>
                      <imageobject>
                        <imagedata fileref="images/freebsd.png" />
                      </imageobject>
                    </inlinemediaobject></entry>

                  <entry>LAM is part of the official FreeBSD ports tree. For
                  more details see these pages:<para>FreeBSD-SVN: <ulink
                  url="http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/"
                  userlevel="">http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/</ulink></para><para>FreshPorts:
                  <ulink
                  url="http://www.freshports.org/sysutils/ldap-account-manager">http://www.freshports.org/sysutils/ldap-account-manager</ulink></para></entry>
                </row>
              </tbody>
            </tgroup>
          </informaltable>
        </section>
      </section>

      <section>
        <title>Installing the tar.bz2</title>

        <section>
          <title>Extract the archive</title>

          <para>Please extract the archive with the following command:</para>

          <para>tar xjf ldap-account-manager-&lt;version&gt;.tar.bz2</para>
        </section>

        <section>
          <title>Install the files</title>

          <section>
            <title>Manual copy</title>

            <para>Copy the files into the html-file scope of the web server.
            For example /apache/htdocs.</para>

            <para>Then set the appropriate file permissions:</para>

            <itemizedlist>
              <listitem>
                <para>lam/sess: write permission for apache user</para>
              </listitem>

              <listitem>
                <para>lam/tmp: write permission for apache user</para>
              </listitem>

              <listitem>
                <para>lam/config (with subdirectories): write permission for
                apache user</para>
              </listitem>

              <listitem>
                <para>lam/lib: lamdaemon.pl must be set executable</para>
              </listitem>
            </itemizedlist>
          </section>

          <section>
            <title>With configure script</title>

            <para>Instead of manually copying files you can also use the
            included configure script to install LAM. Just run these commands
            in the extracted directory:</para>

            <itemizedlist>
              <listitem>
                <para>./configure</para>
              </listitem>

              <listitem>
                <para>make install</para>
              </listitem>
            </itemizedlist>

            <para>Options for "./configure":</para>

            <itemizedlist>
              <listitem>
                <para>--with-httpd-user=USER USER is the name of your Apache
                user account (default httpd)</para>
              </listitem>

              <listitem>
                <para>--with-httpd-group=GROUP GROUP is the name of your
                Apache group (default httpd)</para>
              </listitem>

              <listitem>
                <para>--with-web-root=DIRECTORY DIRECTORY is the name where
                LAM should be installed (default /usr/local/lam)</para>
              </listitem>
            </itemizedlist>
          </section>
        </section>

        <section>
          <title>Configuration files</title>

          <para>Copy config/config.cfg_sample to config/config.cfg and
          config/lam.conf_sample to config/lam.conf. Open the index.html in
          your web browser:</para>

          <itemizedlist>
            <listitem>
              <para>Follow the link "LAM configuration" from the start page to
              <link linkend="a_configuration">configure LAM</link>.</para>
            </listitem>

            <listitem>
              <para>Select "Edit general settings" to setup global settings
              and to change the <link linkend="a_configPasswords">master
              configuration password</link> (default is "lam").</para>
            </listitem>

            <listitem>
              <para>Select "Edit server profiles" to setup your server
              profiles. There should be the lam profile which you just copied
              from the sample file. The default password is "lam". Now change
              the settings to fit for your environment.</para>
            </listitem>
          </itemizedlist>
        </section>
      </section>

      <section>
        <title>System configuration</title>

        <section>
          <title>PHP</title>

          <para>LAM runs with PHP5 (&gt;= 5.2.4). Needed changes in your
          php.ini:</para>

          <para>memory_limit = 64M</para>

          <para>If you run PHP with activated <ulink
          url="http://www.hardened-php.net/suhosin/index.html">Suhosin</ulink>
          extension please check your logs for alerts. E.g. LAM requires that
          "suhosin.post.max_name_length" and
          "suhosin.request.max_varname_length" are increased (e.g. to
          256).</para>
        </section>

        <section>
          <title>Locales for non-English translation</title>

          <para>If you want to use a translated version of LAM be sure to
          install the needed locales. The following table shows the needed
          locales for the different languages.</para>

          <table>
            <title>Locales</title>

            <tgroup cols="2">
              <tbody>
                <row>
                  <entry><emphasis role="bold">Language</emphasis></entry>

                  <entry><emphasis role="bold">Locale</emphasis></entry>
                </row>

                <row>
                  <entry>Catalan</entry>

                  <entry>ca_ES.utf8</entry>
                </row>

                <row>
                  <entry>Chinese (Simplified)</entry>

                  <entry>zh_CN.utf8</entry>
                </row>

                <row>
                  <entry>Chinese (Traditional)</entry>

                  <entry>zh_TW.utf8</entry>
                </row>

                <row>
                  <entry>Czech</entry>

                  <entry>cs_CZ.utf8</entry>
                </row>

                <row>
                  <entry>Dutch</entry>

                  <entry>nl_NL.utf8</entry>
                </row>

                <row>
                  <entry>English</entry>

                  <entry>no extra locale needed</entry>
                </row>

                <row>
                  <entry>French</entry>

                  <entry>fr_FR.utf8</entry>
                </row>

                <row>
                  <entry>German</entry>

                  <entry>de_DE.utf8</entry>
                </row>

                <row>
                  <entry>Hungarian</entry>

                  <entry>hu_HU.utf8</entry>
                </row>

                <row>
                  <entry>Italian</entry>

                  <entry>it_IT.utf8</entry>
                </row>

                <row>
                  <entry>Japanese</entry>

                  <entry>ja_JP.utf8</entry>
                </row>

                <row>
                  <entry>Polish</entry>

                  <entry>pl_PL.utf8</entry>
                </row>

                <row>
                  <entry>Portuguese</entry>

                  <entry>pt_BR.utf8</entry>
                </row>

                <row>
                  <entry>Russian</entry>

                  <entry>ru_RU.utf8</entry>
                </row>

                <row>
                  <entry>Slovak</entry>

                  <entry>sk_SK.utf8</entry>
                </row>

                <row>
                  <entry>Spanish</entry>

                  <entry>es_ES.utf8</entry>
                </row>
              </tbody>
            </tgroup>
          </table>

          <para>You can get a list of all installed locales on your system by
          executing:</para>

          <para>locale -a</para>

          <para>Debian users can add locales with "dpkg-reconfigure
          locales".</para>
        </section>
      </section>
    </section>

    <section>
      <title>Upgrading LAM or migrate from LAM to LAM Pro</title>

      <para>Upgrading from LAM to LAM Pro is like installing a new LAM
      version. Simply install the LAM Pro packages/tar.bz2 instead of the LAM
      ones.</para>

      <section>
        <title>Install new version</title>

        <para><emphasis role="bold">Backup configuration
        files</emphasis></para>

        <para>Configuration files need only to be backed up for .tar.bz
        installations. DEB/RPM installations do not require this step.</para>

        <para>LAM stores all configuration files in the "config" folder.
        Please backup the following files and copy them after the new version
        is installed.</para>

        <simplelist>
          <member>config/*.conf</member>

          <member>config/config.cfg</member>

          <member>config/pdf/*.xml</member>

          <member>config/profiles/*</member>
        </simplelist>

        <para>LAM Pro only:</para>

        <simplelist>
          <member>config/selfService/*.*</member>
        </simplelist>

        <para><emphasis role="bold">Uninstall current LAM (Pro)
        version</emphasis></para>

        <para>If you used the DEB/RPM installation packages then remove the
        ldap-account-manager and ldap-account-manager-lamdaemon
        packages.</para>

        <para>Otherwise, remove the folder where you installed LAM via
        configure or by copying the files.</para>

        <para><emphasis role="bold">Install new LAM (Pro)
        version</emphasis></para>

        <para>Please <link linkend="a_install">install</link> the new LAM
        (Pro) release. Skip the part about setting up LAM configuration
        files.</para>

        <para><emphasis role="bold">Restore configuration
        files</emphasis></para>

        <para>This step can be skipped if you installed the DEB/RPM
        packages.</para>

        <para>Please restore your configuration files from the backup. Copy
        all files from the backup folder to the config folder in your LAM Pro
        installation. Do not simply replace the folder because the new LAM
        (Pro) release might include additional files in this folder. Overwrite
        any existing files with your backup files.</para>

        <para><emphasis role="bold">Final steps</emphasis></para>

        <para>Now open your webbrowser and point it to the LAM login page. All
        your settings should be migrated.</para>

        <para>Please check also the <link linkend="a_versUpgrade">version
        specific instructions</link>. They might include additional
        actions.</para>
      </section>

      <section id="a_versUpgrade">
        <title>Version specific upgrade instructions</title>

        <section>
          <title>4.2.1 -&gt; 4.3</title>

          <para>LAM is no more shipped as tar.gz package but as tar.bz2 which
          allows smaller file sizes.</para>
        </section>

        <section>
          <title>4.1 -&gt; 4.2/4.2.1</title>

          <para>Zarafa users: The default attribute for mail aliases is now
          "dn". If you use "uid" and did not change the server profile for a
          long time please check your LAM server profile for this setting and
          save it.</para>
        </section>

        <section>
          <title>4.0 -&gt; 4.1</title>

          <para><emphasis role="bold">Unix:</emphasis> The list of valid login
          shells is no longer configured in "config/shells" but in the
          server/self service profiles (Unix settings). LAM will use the
          following shells by default: /bin/bash, /bin/csh, /bin/dash,
          /bin/false, /bin/ksh, /bin/sh.</para>

          <para>Please update your server/self service profile if you would
          like to change the list of valid login shells.</para>
        </section>

        <section>
          <title>3.9 -&gt; 4.0</title>

          <para>The account profiles and PDF structures are now separated by
          server profile. This means that if you edit e.g. an account profile
          in server profile A then this change will not affect the account
          profiles in server profile B.</para>

          <para>LAM will automatically migrate your existing files as soon as
          the login page is loaded.</para>

          <para>Special install instructions:</para>

          <itemizedlist>
            <listitem>
              <para>Debian: none, config files will be migrated when opening
              LAM's login page</para>
            </listitem>

            <listitem>
              <para>Suse/Fedora RPM:</para>

              <itemizedlist>
                <listitem>
                  <para>Run "rpm -e ldap-account-manager
                  ldap-account-manager-lamdaemon"</para>
                </listitem>

                <listitem>
                  <para>You may get warnings like "warning:
                  /var/lib/ldap-account-manager/config/profiles/default.user
                  saved as
                  /var/lib/ldap-account-manager/config/profiles/default.user.rpmsave"</para>
                </listitem>

                <listitem>
                  <para>Please rename all files "*.rpmsave" and remove the
                  file extension ".rpmsave". E.g. "default.user.rpmsave" needs
                  to be renamed to "default.user".</para>
                </listitem>

                <listitem>
                  <para>Install the LAM packages with "rpm -i". E.g. "rpm -i
                  ldap-account-manager-4.0-0.suse.1.noarch.rpm".</para>
                </listitem>

                <listitem>
                  <para>Open LAM's login page in your browser to complete the
                  migration</para>
                </listitem>
              </itemizedlist>
            </listitem>

            <listitem>
              <para>tar.gz: standard upgrade steps, config files will be
              migrated when opening LAM's login page</para>
            </listitem>
          </itemizedlist>
        </section>

        <section>
          <title>3.7 -&gt; 3.9</title>

          <para>No changes.</para>
        </section>

        <section>
          <title>3.6 -&gt; 3.7</title>

          <para>Asterisk extensions: The extension entries are now grouped by
          extension name and account context. LAM will automatically assign
          priorities and set same owners for all entries.</para>
        </section>

        <section>
          <title>3.5.0 -&gt; 3.6</title>

          <para><emphasis role="bold">Debian users:</emphasis> LAM 3.6
          requires to install FPDF 1.7. You can download the package <ulink
          url="http://packages.debian.org/search?keywords=php-fpdf&amp;searchon=names&amp;suite=all&amp;section=all">here</ulink>.
          If you use Debian Stable (Squeeze) please use the package from
          Testing (Wheezy).</para>
        </section>

        <section>
          <title>3.4.0 -&gt; 3.5.0</title>

          <para><emphasis role="bold">LAM Pro:</emphasis> The global
          config/passwordMailTemplate.txt is no longer supported. You can
          setup the mail settings now for each LAM server profile which
          provides more flexibility.</para>

          <para><emphasis role="bold">Suse/Fedora RPM
          installations:</emphasis> LAM is now installed to
          /usr/share/ldap-account-manager and
          /var/lib/ldap-account-manager.</para>

          <para>Please note that configuration files are not migrated
          automatically. Please move the files from /srv/www/htdocs/lam/config
          (Suse) or /var/www/html/lam/config (Fedora) to
          /var/lib/ldap-account-manager/config.</para>
        </section>

        <section>
          <title>3.3.0 -&gt; 3.4.0</title>

          <para>No changes.</para>
        </section>

        <section>
          <title>3.2.0 -&gt; 3.3.0</title>

          <para>If you use custom images for the PDF export then these images
          need to be 5 times bigger than before (e.g. 250x250px instead of
          50x50px). This allows to use images with higher resolution.</para>
        </section>

        <section>
          <title>3.1.0 -&gt; 3.2.0</title>

          <para>No changes.</para>
        </section>

        <section>
          <title>3.0.0 -&gt; 3.1.0</title>

          <para>LAM supported to set a list of valid workstations on the
          "Personal" page. This required to change the LDAP schema. Since
          3.1.0 this is replaced by the new "Hosts" module for users.</para>

          <para>Lamdaemon: The sudo entry needs to be changed to
          ".../lamdaemon.pl *".</para>
        </section>

        <section>
          <title>2.3.0 -&gt; 3.0.0</title>

          <para>No changes.</para>
        </section>

        <section>
          <title>2.2.0 -&gt; 2.3.0</title>

          <para><emphasis role="bold">LAM Pro:</emphasis> There is now a
          separate account type for group of (unique) names. Please edit your
          server profiles to activate the new account type.</para>
        </section>

        <section>
          <title>1.1.0 -&gt; 2.2.0</title>

          <para>No changes.</para>
        </section>
      </section>
    </section>

    <section id="a_uninstall">
      <title>Uninstalltion of LAM (Pro)</title>

      <para>If you used the prepackaged installation packages then remove the
      ldap-account-manager and ldap-account-manager-lamdaemon packages.</para>

      <para>Otherwise, remove the folder where you installed LAM via configure
      or by copying the files.</para>
    </section>
  </chapter>

  <chapter id="a_configuration">
    <title>Configuration</title>

    <para>After you <link linkend="a_installation">installed</link> LAM you
    can configure it to fit your needs. The complete configuration can be done
    inside the application. There is no need to edit configuration
    files.</para>

    <para>Please point you browser to the location where you installed LAM.
    E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM
    via the tar.bz2 then this may vary. You should see the following
    page:</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/login.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>If you see an error message then you might need to install an
    additional PHP extension. Please follow the instructions and reload the
    page afterwards.</para>

    <para>Now you are ready to configure LAM. Click on the "LAM configuration"
    link to proceed.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/configOverview.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Here you can change LAM's general settings, setup server profiles
    for your LDAP server(s) and configure the <link
    linkend="a_selfService">self service</link> (LAM Pro). You should start
    with the general settings and then setup a server profile.</para>

    <section>
      <title>General settings</title>

      <para>After selecting "Edit general settings" you will need to enter the
      <link linkend="a_configPasswords">master configuration password</link>.
      The default password for new installations is "lam". Now you can edit
      the general settings.</para>

      <section>
        <title>Security settings</title>

        <para>Here you can set a time period after which inactive sessions are
        automatically invalidated. The selected value represents minutes of
        inactivity.</para>

        <para>You may also set a list of IP addresses which are allowed to
        access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
        or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
        access LAM via an untrusted IP only get blank pages.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configGeneral1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para id="conf_sslCert"><emphasis role="bold">SSL certificate
        setup:</emphasis></para>

        <para>By default, LAM uses the CA certificates that are preinstalled
        on your system. This will work if you connect via SSL/TLS to an LDAP
        server that uses a certificate signed by a well-known CA. In case you
        use your own CA (e.g. company internal CA) you can import the CA
        certificates here.</para>

        <para>Please note that this can affect other web applications on the
        same server if they require different certificates. You may also need
        to restart Apache. In case of any problems please delete the uploaded
        certificates and use the <link linkend="ssl_certSystem">system
        setup</link>.</para>

        <para>You can either upload a DER/PEM formatted certificate file or
        import the certificates directly from an LDAP server that is available
        with LDAP+SSL (ldaps://). LAM will automatically override system
        certificates if at least one certificate is uploaded/imported.</para>

        <para>The whole certificate list can be downloaded in PEM format. You
        can also delete single certificates from the list.</para>

        <para>Please note that you might need to restart your webserver if you
        do any changes to this configuration.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configGeneral4.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Password policy</title>

        <para>This allows you to specify a central password policy for LAM.
        The policy is valid for all password fields inside LAM admin
        (excluding tree view) and LAM self service. Configuration passwords do
        not need to follow this policy.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configGeneral2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>You can set the minimum password length and also the complexity
        of the passwords.</para>
      </section>

      <section>
        <title>Logging</title>

        <para>LAM can log events (e.g. user logins). You can use system
        logging (syslog for Unix, event viewer for Windows) or log to a
        separate file. Please note that LAM may log sensitive data (e.g.
        passwords) at log level "Debug". Production system should be set to
        "Warning" or "Error".</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configGeneral3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Change master password</title>

        <para>If you would like to change the master configuration password
        then enter a new password here.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configGeneral5.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>
    </section>

    <section>
      <title>Server profiles</title>

      <para>The server profiles store information about your LDAP server (e.g.
      host name) and what kind of accounts (e.g. users and groups) you would
      like to manage. There is no limit on the number of server profiles. See
      the <link linkend="confTypicalScenarios">typical scenarios</link> about
      how to structure your server profiles.</para>

      <section>
        <title>Manage server profiles</title>

        <para>Select "Manage server profiles" to open the profile management
        page.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configProfiles1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Here you can create, rename and delete server profiles. The
        <link linkend="a_configPasswords">passwords</link> of your server
        profiles can also be reset.</para>

        <para>You may also specify the default server profile. This is the
        server profile which is preselected at the login page. It also
        specifies the language of the login and configuration pages.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configProfiles2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>You can create a new server profile by simply entering its name
        and password. After you created a new profile you can go back to the
        profile login and edit your new server profile.</para>

        <para>All operations on the profile management page require that you
        authenticate yourself with the <link
        linkend="a_configPasswords">configuration master
        password</link>.</para>
      </section>

      <section>
        <title>Editing a server profile</title>

        <para>Please select you server profile and enter its password to edit
        a server profile.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configProfiles3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Each server profile contains the following information:</para>

        <itemizedlist>
          <listitem>
            <para><emphasis role="bold">General settings:</emphasis> general
            settings about your LDAP server (e.g. host name and security
            settings)</para>
          </listitem>

          <listitem>
            <para><emphasis role="bold">Account types:</emphasis> list of
            account types (e.g. users and groups) that you would like to
            manage and type specific settings (e.g. LDAP suffix)</para>
          </listitem>

          <listitem>
            <para><emphasis role="bold">Modules:</emphasis> list of modules
            which define what account aspects (e.g. Unix, Samba, Kolab) you
            would like to manage</para>
          </listitem>

          <listitem>
            <para><emphasis role="bold">Module settings:</emphasis> settings
            which are specific for the selected account modules on the page
            before</para>
          </listitem>
        </itemizedlist>

        <section>
          <title>General settings</title>

          <para>Here you can specify the LDAP server and some security
          settings.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/configProfiles4.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>The server address of your LDAP server can be a DNS name or an
          IP address. Use ldap:// for unencrypted LDAP connections or TLS
          encrypted connections. LDAP+SSL (LDAPS) encrypted connections are
          specified with ldaps://. The port value is optional. TLS cannot be
          combined with ldaps://.</para>

          <para>LAM includes an LDAP browser which allows direct modification
          of LDAP entries. If you would like to use it then enter the LDAP
          suffix at "Tree suffix".</para>

          <para>The search limit is used to reduce the number of search
          results which are returned by your LDAP server.</para>

          <para>The access level specifies if LAM should allow to modify LDAP
          entries. This feature is only available in LAM Pro. LAM non-Pro
          releases use write access. See <link
          linkend="a_accessLevelPasswordReset">this page</link> for details on
          the different access levels.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/configProfiles5.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>LAM is translated to many different languages. Here you can
          select the default language for this server profile. The language
          setting may be overriden at the LAM login page.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/configProfiles6.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>LAM can manage user home directories and quotas with an
          external script. You can specify the home directory server and where
          the script is located. The default rights for new home directories
          can be set, too.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/configProfiles8.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>LAM supports two methods for login. The first one is to
          specify a fixed list of LDAP DNs that are allowed to login. Please
          enter one DN per line.</para>

          <para>The second one is to let LAM search for the DN in your
          directory. E.g. if a user logs in with the user name "joe" then LAM
          will do an LDAP search for this user name. When it finds a matching
          DN then it will use this to authenticate the user. The wildcard
          "%USER%" will be replaced by "joe" in this example. This way you can
          provide login by user name, email address or other LDAP
          attributes.</para>

          <para>Additionally, you can enable HTTP authentication when using
          "LDAP search". This way the web server is responsible to
          authenticate your users. LAM will use the given user name + password
          for the LDAP login. You can also configure this to setup advanced
          login restrictions (e.g. require group memberships for login). To
          setup HTTP authentication in Apache please see this <ulink
          url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>
          and an example for LDAP authentication <link lang=""
          linkend="apache_http_auth">here</link>.</para>

          <para><emphasis role="bold">Hint:</emphasis> LDAP search with group
          membership check can be done with either <link
          linkend="apache_http_auth">HTTP authentication</link> or LDAP
          overlays like <ulink
          url="http://www.openldap.org/doc/admin24/overlays.html">"memberOf"</ulink>
          or <ulink
          url="http://www.openldap.org/doc/admin24/overlays.html">"Dynamic
          lists"</ulink>. Dynamic lists allow to insert virtual attributes to
          your user entries. These can then be used for the LDAP filter (e.g.
          "(&amp;(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))").</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/configProfiles7.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>You may also change the password of this server profile.
          Please just enter the new password in both password fields.</para>
        </section>

        <section>
          <title>Account types</title>

          <para>LAM supports to manage various types of LDAP entries (e.g.
          users, groups, DHCP entries, ...). On this page you can select which
          types of entries you want to manage with LAM.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/configTypes1.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>The section at the top shows a list of possible types. You can
          activate them by simply clicking on the plus sign next to it.</para>

          <para>Each account type has the following options:</para>

          <itemizedlist>
            <listitem>
              <para><emphasis role="bold">LDAP suffix:</emphasis> the LDAP
              suffix where entries of this type should be managed</para>
            </listitem>

            <listitem>
              <para><emphasis role="bold">List attributes:</emphasis> a list
              of attributes which are shown in the account lists</para>
            </listitem>

            <listitem>
              <para><emphasis role="bold">Additional LDAP filter:</emphasis>
              LAM will automatically detect the right LDAP entries for each
              account type. This can be used to further limit the number of
              visible entries (e.g. if you want to manage only some specific
              groups). You can use "@@LOGIN_DN@@" as wildcard (e.g.
              "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the
              user who is logged in.</para>
            </listitem>

            <listitem>
              <para><emphasis role="bold">Hidden:</emphasis> This is used to
              hide account types that should not be displayed but are required
              by other account types. E.g. you can hide the Samba domains
              account type and still assign domains when you edit your
              users.</para>
            </listitem>

            <listitem>
              <para><emphasis role="bold">No new entries (LAM Pro
              only):</emphasis> Use this if you want to prevent that new
              accounts of this type are created by your users. The GUI will
              hide buttons to create new entries and also disable file upload
              for this type.</para>
            </listitem>

            <listitem>
              <para><emphasis role="bold">Disallow delete (LAM Pro
              only):</emphasis> Use this if you want to prevent that accounts
              of this type are deleted by your users.</para>
            </listitem>
          </itemizedlist>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/configTypes2.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>On the next page you can specify in detail what extensions
          should be enabled for each account type.</para>
        </section>

        <section>
          <title>Modules</title>

          <para>The modules specify the active extensions for each account
          type. E.g. here you can setup if your user entries should be address
          book entries only or also support Unix or Samba.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/configModules1.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>Each account type needs a so called "base module". This is the
          basement for all LDAP entries of this type. Usually, it provides the
          structural object class for the LDAP entries. There must be exactly
          one active base module for each account type.</para>

          <para>Furthermore, there may be any number of additional active
          account modules. E.g. you may select "Personal" as base module and
          Unix + Samba as additional modules.</para>
        </section>

        <section>
          <title>Module settings</title>

          <para>Depending on the activated account modules there may be
          additional configuration options available. They can be found on the
          "Module settings" tab. E.g. the Personal account module allows to
          hide several input fields and the Unix module requires to specify
          ranges for UID numbers.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/configSettings1.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>
      </section>

      <section id="confTypicalScenarios">
        <title>Typical scenarios</title>

        <para>This is a list of typical scenarios how your LDAP environment
        may look like and how to structure the server profiles for it.</para>

        <section>
          <title>Simple: One LDAP directory managed by a small group of
          admins</title>

          <para>This is the easiest and most common scenario. You want to
          manage a single LDAP server and there is only one or a few admins.
          In this case just create one server profile and you are done. The
          admins may be either specified as a fixed list or by using an LDAP
          search at login time.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/LDAPStructuresSimple.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>

        <section>
          <title>Advanced: One LDAP server which is managed by different admin
          groups</title>

          <para>Large organisations may have one big LDAP directory for all
          user/group accounts. But the users are managed by different groups
          of admins (e.g. departments, locations, subsidiaries, ...). The
          users are typically divided into organisational units in the LDAP
          tree. Admins may only manage the users in their part of the
          tree.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/LDAPStructuresAdvanced.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>In this situation it is recommended to create one server
          profile for each admin group (e.g. department). Setup the LDAP
          suffixes in the server profiles to point to the needed
          organisational units. E.g. use
          ou=people,ou=department1,dc=company,dc=com or
          ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
          Do the same for groups, hosts, ... This way each admin group will
          only see its own users. You may want to use LDAP search for the LAM
          login in this scenario. This will prevent that you need to update a
          server profile if the number of admins changes.</para>

          <para><emphasis role="bold">Attention:</emphasis> LAM's feature to
          automatically find free UIDs/GIDs for new users/groups will not work
          in this case. LAM uses the user/group suffix to search for already
          assigned UIDs/GIDs. As an alternative you can specify different
          UID/GID ranges for each department. Then the UIDs/GIDs will stay
          unique for the whole directory.</para>
        </section>

        <section>
          <title>Multiple LDAP servers</title>

          <para>You can manage as many LDAP servers with LAM as you wish. This
          scenario is similar to the advanced scenario above. Just create one
          server profile for each LDAP server.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/LDAPStructuresMultiServer.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>

        <section>
          <title>Single LDAP directory with lots of users (&gt;10 000)</title>

          <para>LAM was tested to work with 10 000 users. If you have a lot
          more users then you have basically two options.</para>

          <itemizedlist>
            <listitem>
              <para>Divide your LDAP tree in organisational units: This is
              usually the best performing option. Put your accounts in several
              organisational units and setup LAM as in the advanced scenario
              above.</para>
            </listitem>

            <listitem>
              <para>Increase memory limit: Increase the memory_limit parameter
              in your php.ini. This will allow LAM to read more entries. But
              this will slow down the response times of LAM.</para>
            </listitem>
          </itemizedlist>
        </section>
      </section>
    </section>
  </chapter>

  <chapter>
    <title>Managing entries in your LDAP directory</title>

    <para>This chapter will give you instructions how to manage the different
    LDAP entries in your directory.</para>

    <para>Please note that not all account types are manageable with the free
    LAM release. LAM Pro provides some more account types (e.g. group of
    names, aliases, ...) and modules (e.g. Zarafa, custom scripts, ...) to
    support additional LDAP object classes. All LAM Pro features are marked in
    this manual.</para>

    <para><emphasis role="bold">Basic page layout:</emphasis></para>

    <para>After the login LAM will present you its main page. It consists of a
    header part which is equal for all pages and the content area which covers
    most the of the page.</para>

    <para>The header part includes the links to manage all account types (e.g.
    users and groups) and open the tree view (LDAP browser). There is also the
    logout link and a tools entry.</para>

    <para>When you login the you will see an account listing in the content
    area.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/mainpage.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Here you can create, delete and modify accounts. Use the action
    buttons at the left or double click on an entry to edit it.</para>

    <para>The suffix selection box allows you to list only the accounts which
    are located in a subtree of your LDAP directory.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/listConfig.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>You can change the number of shown entries per page with "Change
    settings". Depending on the account type there may be additional settings.
    E.g. the user list can convert group numbers to group names.</para>

    <para>When you select to edit an entry then LAM will show all its data on
    a tabbed view. There is one tab for each functional part of the account.
    You can set default values by loading an <link
    linkend="a_accountProfile">account profile</link>.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/editView.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <section>
      <title>Typical usage scenarios</title>

      <para>Here is a list of typical usage scenarios and what account types
      and modules you need to configure.</para>

      <para><emphasis role="bold">Address book entries:</emphasis></para>

      <para>Account types:</para>

      <itemizedlist>
        <listitem>
          <para>Users (Personal)</para>
        </listitem>
      </itemizedlist>

      <para><emphasis role="bold">Unix accounts:</emphasis></para>

      <para>Account types:</para>

      <itemizedlist>
        <listitem>
          <para>Users (Personal + Unix)</para>
        </listitem>

        <listitem>
          <para>Groups (Unix (posixGroup))</para>
        </listitem>
      </itemizedlist>

      <para>Suse users may need to use Group (Group of names + Unix
      (rfc2307bisPosixGroup)) because of Suse's special LDAP schema.</para>

      <para><emphasis role="bold">Samba 3 accounts:</emphasis></para>

      <para>Account types:</para>

      <itemizedlist>
        <listitem>
          <para>Users (Personal + User + Samba 3)</para>
        </listitem>

        <listitem>
          <para>Groups (Unix + Samba 3)</para>
        </listitem>

        <listitem>
          <para>Hosts (Account + Unix + Samba 3)</para>
        </listitem>

        <listitem>
          <para>Samba domains (Samba domain)</para>
        </listitem>
      </itemizedlist>

      <para><emphasis role="bold">Samba 4:</emphasis></para>

      <para>Account types:</para>

      <itemizedlist>
        <listitem>
          <para>Users (Windows)</para>
        </listitem>

        <listitem>
          <para>Groups (Windows)</para>
        </listitem>

        <listitem>
          <para>Hosts (Windows)</para>
        </listitem>
      </itemizedlist>

      <para>Please note that must change the attributes that are shown in the
      account lists. Otherwise, the account tables will show empty lines. See
      the documentation for the Windows user/group/host modules.</para>

      <para>For Samba 4 with Zarafa use the following modules:</para>

      <itemizedlist>
        <listitem>
          <para>Users (Windows + Zarafa (+ Zarafa contact))</para>
        </listitem>

        <listitem>
          <para>Groups (Windows + Zarafa)</para>
        </listitem>

        <listitem>
          <para>Hosts (Windows + Zarafa)</para>
        </listitem>

        <listitem>
          <para>Zarafa dynamic groups (Zarafa dynamic group)</para>
        </listitem>

        <listitem>
          <para>Zarafa address lists (Zarafa address list)</para>
        </listitem>
      </itemizedlist>

      <para>See also the <link linkend="s_zarafa">Zarafa</link> section for
      additional settings (e.g. using Zarafa AD schema).</para>

      <para><emphasis role="bold">Asterisk:</emphasis></para>

      <para>Account types:</para>

      <itemizedlist>
        <listitem>
          <para>Users (Personal + Asterisk)</para>
        </listitem>

        <listitem>
          <para>Asterisk extensions (Asterisk extension)</para>
        </listitem>
      </itemizedlist>

      <para><emphasis role="bold">Zarafa:</emphasis></para>

      <para>Account types:</para>

      <itemizedlist>
        <listitem>
          <para>Users (Personal + Unix + Zarafa (+ Zarafa contact))</para>
        </listitem>

        <listitem>
          <para>Groups (Unix + Zarafa)</para>
        </listitem>

        <listitem>
          <para>Zarafa dynamic groups (Zarafa dynamic group)</para>
        </listitem>

        <listitem>
          <para>Zarafa address lists (Zarafa address list)</para>
        </listitem>

        <listitem>
          <para>Hosts (Device + Zarafa + IP Address)</para>
        </listitem>
      </itemizedlist>
    </section>

    <section>
      <title>Users</title>

      <para>LAM manages various types of user accounts. This includes address
      book entries, Unix, Samba, Zarafa and much more.</para>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Account list settings:</emphasis></para>

      <para>The user list includes two special options to change how your
      users are displayed.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/userListOptions.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis>Translate GID number to group name:</emphasis> By
      default the user list can show the primary group IDs (GIDs) of your
      users. There are often cases where it is more suitable to show the group
      name instead. This can be done by activating this option. Please note
      that LAM will execute more LDAP queries which may result in decreased
      performance.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/userListOptionTransPrimary.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis>Show account status:</emphasis> If you activate this
      option then there will be an additional column displayed that shows if
      the account is locked. You can see more details when moving the mouse
      cursor over the lock icon. This function supports Unix, Samba and
      PPolicy.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/userListOptionAccountStatus.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Quick account (un)locking:</emphasis></para>

      <para>When you edit an user then LAM supports to quickly lock/unlock the
      whole account. This includes Unix, Samba and PPolicy. LAM can also
      remove group memberships if an account is locked.</para>

      <para>You will see the current status of all account parts in the title
      area of the account.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/userAccountStatus1.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>If you click on the lock icon then a dialog will be opened to
      change these values. Depending on which parts are locked LAM will
      provide options to lock/unlock account parts.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/userAccountStatus2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/userAccountStatus3.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <section>
        <title>Personal</title>

        <para>This module is the most common basis for user accounts in LAM.
        You can use it stand-alone to manage address book entries or in
        combination with Unix, Samba or other modules.</para>

        <para>The Personal module provides support for managing various
        personal data of your users including mail addresses and telephone
        numbers. You can also add photos of your users. If you do not need to
        manage all attributes then you can deactivate them in your server
        profile.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_personal.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>User certificates can be uploaded and downloaded. LAM will
        automatically convert PEM to DER format.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_personal2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <table>
          <title>LDAP attribute mappings</title>

          <tgroup cols="2">
            <thead>
              <row>
                <entry align="center">Attribute name</entry>

                <entry align="center">Name inside LAM</entry>
              </row>
            </thead>

            <tbody>
              <row>
                <entry>businessCategory</entry>

                <entry>Business category</entry>
              </row>

              <row>
                <entry>carLicense</entry>

                <entry>Car license</entry>
              </row>

              <row>
                <entry>cn/commonName</entry>

                <entry>Common name</entry>
              </row>

              <row>
                <entry>departmentNumber</entry>

                <entry>Department(s)</entry>
              </row>

              <row>
                <entry>description</entry>

                <entry>Description</entry>
              </row>

              <row>
                <entry>employeeNumber</entry>

                <entry>Employee number</entry>
              </row>

              <row>
                <entry>employeeType</entry>

                <entry>Employee type</entry>
              </row>

              <row>
                <entry>facsimileTelephoneNumber/fax</entry>

                <entry>Fax number</entry>
              </row>

              <row>
                <entry>givenName/gn</entry>

                <entry>First name</entry>
              </row>

              <row>
                <entry>homePhone</entry>

                <entry>Home telephone number</entry>
              </row>

              <row>
                <entry>initials</entry>

                <entry>Initials</entry>
              </row>

              <row>
                <entry>jpegPhoto</entry>

                <entry>Photo</entry>
              </row>

              <row>
                <entry>l</entry>

                <entry>Location</entry>
              </row>

              <row>
                <entry>mail/rfc822Mailbox</entry>

                <entry>Email address</entry>
              </row>

              <row>
                <entry>manager</entry>

                <entry>Manager</entry>
              </row>

              <row>
                <entry>mobile/mobileTelephoneNumber</entry>

                <entry>Mobile number</entry>
              </row>

              <row>
                <entry>organizationName/o</entry>

                <entry>Organisation</entry>
              </row>

              <row>
                <entry>physicalDeliveryOfficeName</entry>

                <entry>Office name</entry>
              </row>

              <row>
                <entry>postalAddress</entry>

                <entry>Postal address</entry>
              </row>

              <row>
                <entry>postalCode</entry>

                <entry>Postal code</entry>
              </row>

              <row>
                <entry>postOfficeBox</entry>

                <entry>Post office box</entry>
              </row>

              <row>
                <entry>registeredAddress</entry>

                <entry>Registered address</entry>
              </row>

              <row>
                <entry>roomNumber</entry>

                <entry>Room number</entry>
              </row>

              <row>
                <entry>sn/surname</entry>

                <entry>Last name</entry>
              </row>

              <row>
                <entry>st</entry>

                <entry>State</entry>
              </row>

              <row>
                <entry>street/streetAddress</entry>

                <entry>Street</entry>
              </row>

              <row>
                <entry>telephoneNumber</entry>

                <entry>Telephone number</entry>
              </row>

              <row>
                <entry>title</entry>

                <entry>Job title</entry>
              </row>

              <row>
                <entry>userCertificate</entry>

                <entry>User certificates</entry>
              </row>

              <row>
                <entry>uid/userid</entry>

                <entry>User name</entry>
              </row>

              <row>
                <entry>userPassword</entry>

                <entry>Password</entry>
              </row>
            </tbody>
          </tgroup>
        </table>
      </section>

      <section>
        <title>Unix</title>

        <para>The Unix module manages Unix user accounts including group
        memberships.</para>

        <para>There are several configuration options for this module:</para>

        <itemizedlist>
          <listitem>
            <para>UID generator: LAM will suggest UID numbers for your
            accounts. Please note that it may happen that there are duplicate
            IDs assigned if users create accounts at the same time. Use an
            <ulink
            url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink>
            like "Attribute Uniqueness" (<link
            linkend="a_openldap_unique">example</link>) if you have lots of
            LAM admins creating accounts.</para>

            <itemizedlist>
              <listitem>
                <para>Fixed range: LAM searches for free numbers within the
                given limits. LAM always tries to use a free UID that is
                greater than the existing UIDs to prevent collisions with
                deleted accounts.</para>
              </listitem>

              <listitem>
                <para>Samba ID pool: This uses a special LDAP entry that
                includes attributes that store a counter for the last used
                UID/GID. Please note that this requires that you install the
                Samba schema and create an LDAP entry of object class
                "sambaUnixIdPool".</para>
              </listitem>
            </itemizedlist>
          </listitem>

          <listitem>
            <para>Password hash type: If possible use CRYPT-SHA512 or SSHA to
            protect your user's passwords.</para>
          </listitem>

          <listitem>
            <para>Login shells: List of valid login shells that can be
            selected when editing an account.</para>
          </listitem>

          <listitem>
            <para>Hidden options: Some input fields can be hidden to simplify
            the GUI if you do not need them.</para>
          </listitem>
        </itemizedlist>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_unixUserConfig.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>The user name is automatically filled as specified in the
        configuration (default smiller for Steve Miller). Of course, the
        suggested value can be changed any time. Common name is also filled
        with first/last name by default.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_unixUser.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Group memberships can be changed when clicking on "Edit groups".
        Here you can select the Unix groups and group of names
        memberships.</para>

        <para>To enable "Group of names" please either add the groups module
        "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of
        names".</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_unixUserGroups.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>You can also create home directories for your users if you setup
        <link linkend="a_lamdaemon">lamdaemon</link>. This allows you to
        create the directories on the local or remote servers.</para>

        <para>It is also possible to check the status of the user's home
        directories. If needed the directories can be created or removed at
        any time.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_unixUserHomedir.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Group of names (LAM Pro)</title>

        <para>This module manages memberships in group of (unique) names. To
        activate this feature please add the user module "Group of names
        (groupOfNamesUser)" to your LAM server profile.</para>

        <para>Please note that this module cannot be used if the Unix module
        is active. In this case group memberships may be managed with the Unix
        module.</para>

        <para>The module automatically detects if groups are based on
        "groupOfNames" or "groupOfUniqueNames" and sets the correct
        attribute.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_groupOfNamesUser.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Shadow</title>

        <para>LAM supports the management of the LDAP substitution of
        /etc/shadow. Here you can setup password policies for your Unix
        accounts and also view the last password change of a user.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_shadow.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Password self reset (LAM Pro)</title>

        <para>LAM Pro allows your users to reset their passwords by answering
        a security question. The reset link is displayed on the <link
        linkend="PasswordSelfReset">self service page</link>. Additionally,
        you can set question + answer in the admin interface.</para>

        <para>Please note that self service and LAM admin interface are
        separated functionalities. You need to specify the list of possible
        security questions in both self service profile(s) and server
        profile(s).</para>

        <para><emphasis role="bold">Schema installation</emphasis></para>

        <para>Please install the schema that comes with LAM Pro.</para>

        <para><emphasis role="underline">OpenLDAP:</emphasis></para>

        <para>Install docs/schema/passwordSelfReset.schema for slapd.conf
        configuration or docs/schema/passwordSelfReset.ldif for slapd.d
        configuration.</para>

        <para><emphasis role="underline">Samba 4:</emphasis></para>

        <para>The schema files are
        docs/schema/passwordSelfReset-Samba4-attributes.ldif and
        docs/schema/passwordSelfReset-Samba4-objectClass.ldif.</para>

        <para>First, you need to edit them and replace "DOMAIN_TOP_DN" with
        your LDAP suffix (e.g. dc=samba4,dc=test).</para>

        <para>Then install the attribute and afterwards the object class
        schema file:</para>

        <literallayout>ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true
ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true

</literallayout>

        <para>This allows to set a security question + answer for each
        account.</para>

        <para><emphasis role="bold">Activate password self reset
        module</emphasis></para>

        <para>Please activate the password self reset module in your LAM Pro
        server profile.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/passwordSelfReset7.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Now select the tab "Module settings" and specify the list of
        possible security questions. Only these questions will be selectable
        when you later edit accounts.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/passwordSelfReset8.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para><emphasis role="bold">Edit users</emphasis></para>

        <para>After everything is setup please login to LAM Pro and edit your
        users. You will see a new tab called "Password self reset". Here you
        can activate/remove the password self reset function for each user.
        You can also change the security question and answer.</para>

        <para><emphasis role="bold">Samba 4 note:</emphasis> Due to a <ulink
        url="https://bugzilla.samba.org/show_bug.cgi?id=10094">bug</ulink> in
        Samba 4 you need to add the extension, save, and then select a
        question and set the answer. If you add the extension, set
        question/answer and then save all together this will cause an LDAP
        error and no changes will be saved. </para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/passwordSelfReset9.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Hosts</title>

        <para>You can specify a list of valid host names where the user may
        login. If you add the value "*" then the user may login to any host.
        This can be further restricted by adding explicit deny entries which
        are prefixed with "!" (e.g. "!hr_server").</para>

        <para>Please note that your PAM settings need to support host
        restrictions. This feature is enabled by setting <emphasis
        role="bold">pam_check_host_attr yes</emphasis> in your <emphasis
        role="bold">/etc/pam_ldap.conf</emphasis>. When it is enabled then the
        account facility of pam_ldap will perform the checks and return an
        error when no proper host attribute is present. Please note that users
        without host attribute cannot login to such a configured
        server.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/hostObject.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Samba 3</title>

        <para>LAM supports full Samba 3 user management including logon hours
        and terminal server options.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_samba3User1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_samba3User2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_samba3User3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Windows (Samba 4)</title>

        <para>Please activate the account type "Users" in your LAM server
        profile and then add the user module "Windows
        (windowsUser)(*)".</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsUser4.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>The default list attributes are for Unix and not suitable for
        Windows (blank lines in account table). Please use
        "#cn;#givenName;#sn;#mail" or select your own attributes to display in
        the account list.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsUser1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Now you can manage your Windows users and e.g. assign
        groups.</para>

        <para><emphasis role="bold">Attention:</emphasis> Password changes
        require a secure connection via ldaps://. Check your LAM server
        profile if password changes are refused by the server.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsUser2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsUser3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Filesystem quota (lamdaemon)</title>

        <para>You can manage file system quotas with LAM. This requires to
        setup <link linkend="a_lamdaemon">lamdaemon</link>. LAM connects to
        your server via SSH and manages the disk filesystem quotas. The quotas
        are stored directly on the filesystem. This is the default mechanism
        to store quotas for most systems.</para>

        <para>Please add the module "Quota (quota)" for users to your LAM
        server profile to enable this feature.</para>

        <para>If you store the quota information directly inside LDAP please
        see the next section.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_quotaUser.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Filesystem quota (LDAP)</title>

        <para>You can store your filesystem quotas directly in LDAP. See
        <ulink url="http://sourceforge.net/projects/linuxquota/">Linux
        DiskQuota</ulink> for details since it requires quota tools that
        support LDAP. You will need to install the quota LDAP schema to manage
        the object class "systemQuotas".</para>

        <para>Please add the module "Quota (systemQuotas)" for users to your
        LAM server profile to enable this feature.</para>

        <para>If you store the quota information on the filesystem please see
        the previous section.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_systemQuotas.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Kolab</title>

        <para>This module supports to manage Kolab accounts with LAM. E.g. you
        can set the user's mail quota and define invitation policies.</para>

        <para>Please enter an email address at the Personal page and set a
        Unix password first. Both are required that Kolab accepts the
        accounts. The email address ("Personal" page) must match your Kolab
        domain, otherwise the account will not work.</para>

        <para><emphasis role="bold">Attention:</emphasis> The mailbox server
        cannot be changed after the account has been saved. Please make sure
        that the value is correct.</para>

        <para>Kolab users should not be directly deleted with LAM. You can
        mark an account for deletion which then is done by the Kolab server
        itself. This makes sure that the mailbox etc. is also deleted.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_kolab.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>If you upgrade existing non-Kolab accounts please make sure that
        the account has an Unix password.</para>
      </section>

      <section>
        <title>Asterisk</title>

        <para>LAM supports Asterisk accounts, too. See the <link
        linkend="type_asterisk">Asterisk</link> section for details.</para>
      </section>

      <section>
        <title>EDU person</title>

        <para>EDU person accounts are mainly used in university networks. You
        can specify the principal name, nick names and much more.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_eduPerson.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Password policy (LAM Pro)</title>

        <para>OpenLDAP supports the <ulink
        url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay
        to manage password policies for LDAP entries. LAM Pro supports <link
        linkend="a_ppolicy">managing the policies</link> and assigning them to
        user accounts.</para>

        <para>Please add the account type "Password policies" to your LAM
        server profile and activate the "Password policy" module for the user
        type.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/ppolicyUser.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>You can assign any password policy which is found in the LDAP
        suffix of the "Password policies" type. When you set the policy to
        "default" then OpenLDAP will use the default policy as defined in your
        slapd.conf file.</para>

        <para><emphasis role="bold">Attention:</emphasis> Locking and
        unlocking requires that you also activate the option "Lockout users"
        in the assigned <link linkend="a_ppolicy">password policy</link>.
        Otherwise, it will have no effect.</para>
      </section>

      <section>
        <title>FreeRadius</title>

        <para>FreeRadius is a software that implements the RADIUS
        authentication protocol. LAM allows you to mange several of the
        FreeRadius attributes.</para>

        <para>To activate the FreeRadius plugin please activate the FreeRadius
        user module in your server profile:</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_freeRadius1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>You can disable unneeded fields on the tab "Module
        settings":</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_freeRadius2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Now you will see the tab "FreeRadius" when editing users. The
        extension can be (de)activated for each user. You can setup e.g.
        realm, IP and expiration date.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_freeRadius3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Heimdal Kerberos (LAM Pro)</title>

        <para>You can manage your Heimdal Kerberos accounts with LAM Pro.
        Please add the user module "Kerberos (heimdalKerberos)" to activate
        this feature.</para>

        <para><emphasis role="bold">Setup password changing</emphasis></para>

        <para>LAM Pro cannot generate the password hashes itself because
        Heimdal uses a propietary format for them. Therefore, LAM Pro needs to
        call e.g. kadmin to set the password.</para>

        <para>The wildcards @@password@@ and @@principal@@ are replaced with
        password and principal name. Please use keytab authentication for this
        command since it must run without any interaction.</para>

        <para>Example to create a keytab: ktutil -k /root/lam.keytab add -p
        lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1</para>

        <para>Security hint: Please secure your LAM Pro server since the new
        passwords will be visible for a short term in the process list during
        password change.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_kerberos2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para><emphasis role="bold">User management</emphasis></para>

        <para>You can specify the principal/user name, ticket lifetimes and
        expiration dates. Additionally, you can set various account
        options.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_kerberos1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>MIT Kerberos (LAM Pro)</title>

        <para>You can manage your MIT Kerberos accounts with LAM Pro. Please
        add the user module "Kerberos (mitKerberos)" to activate this feature.
        If you want to manage entries based on the structural object class
        "krbPrincipal" please use "Kerberos (mitKerberosStructural)"
        instead.</para>

        <para><emphasis role="bold">Setup password changing</emphasis></para>

        <para>LAM Pro cannot generate the password hashes itself because MIT
        uses a propietary format for them. Therefore, LAM Pro needs to call
        kadmin/kadmin.local to set the password.</para>

        <para>LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to
        set the password. Please use keytab authentication for this command
        since it must run without any interaction.</para>

        <para>Keytabs may be created with the "ktutil" application.</para>

        <para>Security hint: Please secure your LAM Pro server since the new
        passwords will be visible for a short term in the process list during
        password change.</para>

        <para>Example commands:</para>

        <itemizedlist>
          <listitem>
            <para>/usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p
            realm/changepwd</para>
          </listitem>

          <listitem>
            <para>sudo /usr/sbin/kadmin.local</para>
          </listitem>
        </itemizedlist>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_mitKerberos1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para><emphasis role="bold">User management</emphasis></para>

        <para>You can specify the principal/user name, ticket lifetimes and
        expiration dates. Additionally, you can set various account
        options.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_mitKerberos2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Qmail (LAM Pro)</title>

        <para>LAM Pro manages all qmail attributes for users. This includes
        mail addresses, ID numbers and quota settings.</para>

        <para>Please note that the main mail address is managed on tab
        "Personal" if this module is active. Otherwise, it will be on the
        qmail tab.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_qmail2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>You can hide several qmail options if you do not want to manage
        them with LAM. This can be done on the module settings tab of your LAM
        server profile.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_qmail1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Mail routing</title>

        <para>LAM supports to manage mail routing for user accounts. You can
        specify a routing address, the mail server and a number of local
        addresses to route. This feature can be activated by adding the "Mail
        routing" module to the user account type in your server
        profile.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mailRouting.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>SSH keys</title>

        <para>You can manage your public keys for SSH in LAM if you installed
        the <ulink url="http://code.google.com/p/openssh-lpk/">LPK patch for
        SSH</ulink>. Activate the "SSH public key" module for users in the
        server profile and you can add keys to your user entries.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/ldapPublicKey.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Authorized services</title>

        <para>You can setup PAM to check if a user is allowed to run a
        specific service (e.g. sshd) by reading the LDAP attribute
        "authorizedService". This way you can manage all allowed services via
        LAM.</para>

        <para></para>

        <para>To activate this PAM feature please setup your <emphasis
        role="bold">/etc/libnss-ldap.conf</emphasis> and set
        "pam_check_service_attr" to "yes".</para>

        <para></para>

        <para>Inside LAM you can now set the allowed services. You may also
        setup default services in your account profiles.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_authorizedServices.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>You can define a list of services in your LAM server profile
        that is used for autocompletion.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_authorizedServices3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>The autocompletion will show all values that contains the
        entered text. To display the whole list you can press backspace in the
        empty input field. Of course, you can also insert a service name that
        is not in the list.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_authorizedServices2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>IMAP mailboxes</title>

        <para>LAM may create and delete mailboxes on an IMAP server for your
        user accounts. You will need an IMAP server that supports either SSL
        or TLS for this feature.</para>

        <para>To activate the mailbox management module please add the
        "Mailbox (imapAccess)" module for the type user in your LAM server
        profile:</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/imapAccess1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Now configure the module on the tab "Module settings". Here you
        can specify the IMAP server name, encryption options, the
        authentication for the IMAP connection and the valid mail domains. LAM
        can use either your LAM login password for the IMAP connection or
        display a dialog where you need to enter the password. The mail
        domains specify for which accounts mailboxes may be created/deleted.
        E.g. if you enter "lam-demo.org" then mailboxes can be managed for
        "user@lam-demo.org" but not for "user@example.com".</para>

        <para>You need to install the SSL certificate of the CA that signed
        your server certificate. This is usually done by installing the
        certificate in /etc/ssl/certs. Different Linux distributions may offer
        different ways to do this. For Debian please copy the certificate in
        "/usr/local/share/ca-certificates" and run "update-ca-certificates" as
        root.</para>

        <para>It is not recommended to disable the validation of IMAP server
        certificates.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/imapAccess2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>When you edit an user account then you will now see the tab
        "Mailbox". Here you can create/delete the mailbox for this
        user.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/imapAccess3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section id="s_account">
        <title>Account</title>

        <para>This is a very simple module to manage accounts based on the
        object class "account". Usually, this is used for host accounts only.
        Please pay attention that users based on the "account" object class
        cannot have contact information (e.g. telephone number) as with
        "inetOrgPerson".</para>

        <para>You can enter a user/host name and a description for your
        accounts.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_account.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>
    </section>

    <section>
      <title>Groups</title>

      <para></para>

      <section>
        <title>Unix</title>

        <para>This module is used to manage Unix group entries. This is the
        default module to manage Unix groups and uses the nis.schema. Suse
        users who use the rfc2307bis.schema need to use LAM Pro.</para>

        <para><emphasis role="bold">Configuration</emphasis></para>

        <para>GID generator: LAM will suggest GID numbers for your accounts.
        Please note that it may happen that there are duplicate IDs assigned
        if users create groups at the same time. Use an <ulink
        url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink>
        like "Attribute Uniqueness" (<link
        linkend="a_openldap_unique">example</link>) if you have lots of LAM
        admins creating groups.</para>

        <itemizedlist>
          <listitem>
            <para>Fixed range: LAM searches for free numbers within the given
            limits. LAM always tries to use a free GID that is greater than
            the existing GIDs to prevent collisions with deleted
            groups.</para>
          </listitem>

          <listitem>
            <para>Samba ID pool: This uses a special LDAP entry that includes
            attributes that store a counter for the last used UID/GID. Please
            note that this requires that you install the Samba schema and
            create an LDAP entry of object class "sambaUnixIdPool".</para>
          </listitem>
        </itemizedlist>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_unixGroupConfig.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Group management:</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_unixGroup.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Group membership management:</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_unixGroup2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Unix groups with rfc2307bis schema (LAM Pro)</title>

        <para>Some applications (e.g. Suse Linux) use the rfc2307bis schema
        for Unix accounts instead of the nis schema. In this case group
        accounts are based on the object class <link lang=""
        linkend="a_groupOfNames">groupOf(Unique)Names</link> or namedObject.
        The object class posixGroup is auxiliary in this case.</para>

        <para>LAM Pro supports these groups with a special account module:
        <emphasis role="bold">rfc2307bisPosixGroup</emphasis></para>

        <para>Use this module only if your system depends on the rfc2307bis
        schema. The module can be selected in the LAM configuration. Instead
        of using groupOfNames as basis for your groups you may also use
        namedObject.</para>

        <para><screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/rfc2307bis.png" />
              </imageobject>
            </mediaobject>
          </screenshot><screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/mod_unixGroupLAMPro.png" />
              </imageobject>
            </mediaobject>
          </screenshot></para>
      </section>

      <section>
        <title>Samba 3</title>

        <para>LAM supports managing Samba 3 groups. You can set special group
        types and also create Windows predefined groups like "Domain
        admins".</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_sambaGroup.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Windows (Samba 4)</title>

        <para>LAM can manage your Windows groups. Please enable the account
        type "Groups" in your LAM server profile and then add the group module
        "Windows (windowsGroup)(*)".</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsGroup3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>The default list attributes are for Unix and not suitable for
        Windows (blank lines in account table). Please use
        "#cn;#member;#description" or select your own attributes to display in
        the account list.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsGroup1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Now you can edit your groups inside LAM. You can manage the
        group name, description and its type. Of course, you can also set the
        group members.</para>

        <para>Group scopes:</para>

        <itemizedlist>
          <listitem>
            <para>Global: Use this for groups with frequent changes. Global
            groups are not replicated to other domains.</para>
          </listitem>

          <listitem>
            <para>Universal: Groups with universal scope are used to
            consolidate groups that span domains. They are globally
            replicated.</para>
          </listitem>

          <listitem>
            <para>Domain local: Groups with domain local scope can be used to
            set permissions inside one domain. They are not replicated to
            other domains.</para>
          </listitem>
        </itemizedlist>

        <para>Group type:</para>

        <itemizedlist>
          <listitem>
            <para>Security: Use this group type to control permissions.</para>
          </listitem>

          <listitem>
            <para>Distribution: These groups are only used for email
            applications. They cannot be used to control permissions.</para>
          </listitem>
        </itemizedlist>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsGroup2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Quota</title>

        <para>You can manage file system quotas with LAM. This requires to
        setup <link linkend="a_lamdaemon">lamdaemon</link>. File system quotas
        are not stored inside LAM but managed directly on the specified
        servers.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_quotaGroup.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>
    </section>

    <section>
      <title>Hosts</title>

      <section>
        <title>Account</title>

        <para>Please see the description <link
        linkend="s_account">here</link>.</para>
      </section>

      <section>
        <title>Device (LAM Pro)</title>

        <para>The device object class allows to manage general information
        about all sorts of devices (e.g. computers, network hardware, ...).
        You can enter the serial number, location and a describing text. It is
        also possible to specify the owner of the device.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/device.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Samba 3</title>

        <para>You can manage Samba 3 host entries by adding the Unix and Samba
        3 account modules.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_sambaHost1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_sambaHost2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Windows (Samba 4)</title>

        <para>LAM can manage your Windows servers and workstations. Please
        enable the account type "Hosts" in your LAM server profile and then
        add the host module "Windows (windowsHost)(*)".</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsServer3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>The default list attributes are for Unix and not suitable for
        Windows (blank lines in account table). Please use
        "#cn;#description;#location" or select your own attributes to display
        in the account list.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsServer2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>Now you will see you computer accounts inside LAM. You can set
        e.g. the server's description and location information.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_windowsServer1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>IP addresses (LAM Pro)</title>

        <para>You can manage the IP addresses of host accounts with the ipHost
        module. It manages the following information:</para>

        <itemizedlist>
          <listitem>
            <para>IP addresses (IPv4/IPv6)</para>
          </listitem>

          <listitem>
            <para>location of the host</para>
          </listitem>

          <listitem>
            <para>manager: the person who is responsible for the host</para>
          </listitem>
        </itemizedlist>

        <para>You can activate this extension by adding the module ipHost to
        the list of active host modules.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/ipHost.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>MAC addresses</title>

        <para>Hosts can have an unlimited number of MAC addresses. To enable
        this feature just add the "MAC address" module to the host account
        type.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/macAddress.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Puppet</title>

        <para>LAM supports to manage your <ulink
        url="http://puppetlabs.com/">Puppet</ulink> configuration. You can
        edit all attributes like environment, classes, variables and parent
        node.</para>

        <para><emphasis role="bold">Configuration</emphasis></para>

        <para>To activate this feature please edit your LAM server profile and
        add the host module "Puppet (puppetClient)" on tab "Modules". This
        will add the Puppet tab to your host pages.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_puppet2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>On tab "Module settings" in your LAM server profile you may also
        setup some common environment names. LAM will use them to provide
        autocompletion hints when editing the environment for a node.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_puppet3.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para><emphasis role="bold">Editing nodes</emphasis></para>

        <para>When you edit a host entry then you will see the tab "Puppet".
        Here you can add/remove the Puppet extension and edit all
        attributes.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/mod_puppet1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>
    </section>

    <section>
      <title>Samba 3 domains</title>

      <para>Samba 3 stores information about its domain settings inside LDAP.
      This includes the domain name, its SID and some policies. You can manage
      all these attributes with LAM.</para>

      <para>Please activate the account type "Samba domains" in your LAM
      server profile. Please notice that Samba by default uses the LDAP root
      for domain objects (e.g. dc=example,dc=com).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/sambaDomains1.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>This will add a new tab to LAM where you can manage domain
      information.</para>

      <para>The domain name, SID and RID base can only be specified for new
      domains and are not changeable via LAM at a later time. You may setup
      several password policies for your Samba domains and also some RID
      options that influence the creation of SIDs for
      users/groups/hosts.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/sambaDomains2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section id="a_groupOfNames">
      <title>Group of (unique) names (LAM Pro)</title>

      <para>These classes can be used to represent group relations. Since they
      allow DNs as members you can also use them to represent nested groups.
      Activate the account type "Group of names" in your LAM server profile to
      use these account modules.</para>

      <para>Group of (unique) names have four basic attributes:</para>

      <itemizedlist>
        <listitem>
          <para>Name: a unique name for the group</para>
        </listitem>

        <listitem>
          <para>Description: optional description</para>
        </listitem>

        <listitem>
          <para>Owner: the account which owns this group (optional)</para>
        </listitem>

        <listitem>
          <para>Members: the members of the group (at least one is
          required)</para>
        </listitem>
      </itemizedlist>

      <para>You can add any accounts as members. This includes other groups
      which leads to nested groups.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/groupOfNames1.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section id="type_asterisk">
      <title>Asterisk</title>

      <para>LAM includes large support for Asterisk. You can add Asterisk
      extensions (including voicemail) to your users and also manage Asterisk
      extensions.</para>

      <para>The Asterisk support for users can be added by selecting the
      Asterisk and Asterisk voicemail modules for users in your LAM server
      profile. This will add the following tabs to your user accounts.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/asterisk.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The Asterisk module allows to edit a large amount of attributes.
      Therefore, you can hide unused fields. Please edit you server profile
      (Module settings) to do so.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/asteriskConfig.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Of course, the voicemail part of Asterisk is also
      supported.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/asteriskVoicemail.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>If you also want to manage Asterisk extensions then simply add the
      account type "Asterisk extensions" and its module to your server
      profile.</para>

      <para>LAM groups your Asterisk extension entries by extension name and
      account context. If you edit an extension then you will see the Asterisk
      entries as rules. LAM manages that all rule entries have the same owners
      and assigns the priorities.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/asteriskExtension.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section id="s_zarafa">
      <title>Zarafa (LAM Pro)</title>

      <para>Zarafa is an OpenSource collaboration software. LAM Pro provides
      support to manage Zarafa server entries, users and groups. It covers all
      settings for these types including resource and quota settings.</para>

      <para>LAM Pro is an official Zarafa Certified Integration.</para>

      <para><inlinemediaobject>
          <imageobject>
            <imagedata fileref="images/zarafa_logo_integrations_certified_140px.jpg" />
          </imageobject>
        </inlinemediaobject></para>

      <section>
        <title>Configuration</title>

        <para>To enable Zarafa support in LAM Pro please activate the Zarafa
        modules for the Users, Groups and Hosts account types in you server
        profile:</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/zarafa1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para><emphasis role="bold">Attention:</emphasis> LAM Pro uses the
        Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP,
        OpenDJ, Apache Directory server and other common LDAP servers. If you
        run Samba 4 or Active Directory then you need to switch the schema to
        "Active Directory" on the module settings tab:</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/zarafa9.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>You can configure which parts of the Zarafa user options should
        be enabled. E.g. if you do not want to manage quotas per user then you
        can hide these options on the tab "Module settings".</para>

        <literallayout>
</literallayout>

        <para><emphasis role="bold">"Send as" attribute:</emphasis> Here you
        can specify how "Send as" privileges should be managed. LAM supports
        "uid" and "dn".</para>

        <para>If you select "uid" the LAM will store user names in the
        zarafaSendAsPrivilege attribute. This way you are restricted to
        specify user accounts as "Send as" allowed.</para>

        <para>You can also set this option to "dn" and LAM will store DNs in
        the zarafaSendAsPrivilege attribute. In this case you may specify
        users and groups as "Send as" allowed.</para>

        <literallayout>
</literallayout>

        <para>Examples for your Zarafa ldap.cfg:</para>

        <para>"Send as" attribute: <emphasis role="bold">dn</emphasis></para>

        <para>ldap_user_sendas_attribute_type = dn</para>

        <literallayout>
</literallayout>

        <para>"Send as" attribute: <emphasis role="bold">uid</emphasis></para>

        <para>ldap_user_sendas_attribute_type = text</para>

        <para>ldap_user_sendas_relation_attribute = uid</para>

        <para><literallayout>
Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting.


</literallayout></para>

        <para><emphasis role="bold">Features:</emphasis> Zarafa 7 allows to
        enable IMAP/POP3 for each user. Please hide the option "Features" if
        you use Zarafa 6.x.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/zarafa2.png" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <section>
          <title>Users</title>

          <para>This is an example of the user edit page with all possible
          settings. This includes email settings, quotas and some options
          (e.g. hide from address book). You can also set the resource type
          and capacity for meeting rooms and equipment. The Zarafa extension
          can be added and removed at any time for every user.</para>

          <para>Please note that the option "Features" requires Zarafa 7.
          Please hide this option in the LAM server profile if you run Zarafa
          6.x.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/zarafa3.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>

        <section>
          <title>Contacts</title>

          <para>LAM Pro can manage your Zarafa contact entries. You can set
          the email aliases and "send as" privileges. Additionally, accounts
          may be hidden in the address book or disabled.</para>

          <para>Please note that you can either use the Zarafa user module or
          Zarafa contact. LAM Pro will disable the other tab when enabling one
          of them.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/zarafa8.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>

        <section>
          <title>Groups</title>

          <para>This is the edit page for groups. You can enter an email
          address and additional aliases for your groups. It is also possible
          to specify options (e.g. hide from address book). The extension can
          be added/removed dynamically.</para>

          <para>Please note that the option "Send-as privileges" requires the
          Zarafa 7.0.3 schema. Please hide this option in the LAM server
          profile if you run Zarafa &lt; 7.0.3.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/zarafa4.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>

        <section>
          <title>Servers</title>

          <para>The Zarafa extension for host accounts allows to set the
          connection ports and file path. You can add/remove the extension at
          any time.</para>

          <para>Setting the public store option is only possible for new host
          entries.</para>

          <para>Please note that the proxy URL option requires the Zarafa 7.1
          schema. Please hide this option in your LAM server profile if you
          use an older version.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/zarafa5.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>

        <section>
          <title>Address lists</title>

          <para>Zarafa allows to store address lists in LDAP. You need to
          define a search base and LDAP filter for each address list. E.g.
          entering "ou=people,dc=company,dc=com" as base and "uid=*" will
          select all users that are stored in
          "ou=people,dc=company,dc=com".</para>

          <para>You can also hide your lists from the address book or
          temporarily disable them.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/zarafa6.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>

        <section>
          <title>Dynamic groups</title>

          <para>Zarafa allows to define dynamic groups in LDAP. You need to
          define a search base and LDAP filter for each group. E.g. entering
          "ou=people,dc=company,dc=com" as base and "uid=*" will select all
          users that are stored in "ou=people,dc=company,dc=com".</para>

          <para>Dynamic groups may have an email address and multiple email
          alias addresses.</para>

          <para>You can also hide your dynamic groups from the address book or
          temporarily disable them.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/zarafa7.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>
      </section>
    </section>

    <section>
      <title>DHCP</title>

      <para>You can mange your DHCP server with LAM. It supports to manage
      subnets, fixed IP entries, IP ranges and DDNS. The DHCP can be activated
      by adding the account type DHCP to your server profile. Please also add
      the DHCP modules.</para>

      <para>LAM requires that you use an LDAP entry with the object class
      "dhcpService" or "dhcpServer" as suffix for this account type. If the
      "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN"
      then you need to use the DN of the "dhcpService" entry as LDAP suffix
      for DHCP.</para>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Example server
      entry:</emphasis><code></code></para>

      <para><code>dn:
      cn=server,ou=dhcp,dc=ldap-account-manager,dc=org</code></para>

      <para><code>objectclass: dhcpServer</code></para>

      <para><code>objectclass: dhcpOptions</code></para>

      <para><code>objectclass: top</code></para>

      <para><code>cn: server</code></para>

      <para><code>dhcpcomments: My DHCP server</code></para>

      <para><code>dhcpoption: domain-name
      "ldap-account-manager.org"</code></para>

      <para><code>dhcpoption: domain-name-servers 192.168.1.1</code></para>

      <para><code>dhcpoption: routers 192.168.1.1</code></para>

      <para><code>dhcpoption: netbios-name-servers 192.168.1.1</code></para>

      <para><code>dhcpoption: subnet-mask 255.255.255.0</code></para>

      <para><code>dhcpoption: netbios-node-type 8</code></para>

      <para><code>dhcpstatements: default-lease-time 3600</code></para>

      <para><code>dhcpstatements: max-lease-time 7200</code></para>

      <para><code>dhcpstatements: include "mykey"</code></para>

      <para><code>dhcpstatements: ddns-update-style interim</code></para>

      <para><code>dhcpstatements: update-static-leases true</code></para>

      <para><code>dhcpstatements: ignore client-updates</code></para>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Example settings for
      dhcpd.conf:</emphasis></para>

      <para><code>ddns-update-style none;</code></para>

      <para><code>deny unknown-clients;</code></para>

      <para><code>ldap-server "server";</code></para>

      <para><code>ldap-dhcp-server-cn "server";</code></para>

      <para><code>ldap-port 389;</code></para>

      <para><code>ldap-username
      "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org";</code></para>

      <para><code>ldap-password "{SSHA}XXXXXXXXXXXX";</code></para>

      <para><code>ldap-base-dn
      "ou=dhcp,dc=ldap-account-manager,dc=org";</code></para>

      <para><code>ldap-method dynamic;</code></para>

      <para><code>ldap-debug-file
      "/var/log/dhcp-ldap-startup.log";</code></para>

      <para><code></code></para>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">slapd.conf changes:</emphasis></para>

      <para><code>include /etc/ldap/schema/dhcp.schema</code></para>

      <para><code>index dhcpHWAddress eq</code></para>

      <para><code>index dhcpClassData eq</code><literallayout>
Run slapindex to rebuild the index.

</literallayout></para>

      <para>You can manage the settings of your DHCP service/server
      entry:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/dhcpMainSettings.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can easily create new subnet entries.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/dhcpSettings.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>It is also possible to specify a list of fixed IPs.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/fixedIP.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>IP ranges may be specified.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ranges.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>If you activated DDNS in the server entry then you may also
      specify the DDNS settings for this subnet.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ddns.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Aliases (LAM Pro)</title>

      <para>Some applications use the object class "alias" to link LDAP
      entries to other parts of the LDAP tree. Activate the account type
      "Aliases" in your LAM server profile to use this account type.</para>

      <para>Currently, only user accounts can be aliased with the "uidObject"
      object class.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/alias.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/alias2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Mail aliases</title>

      <para>You can manage mail aliases (e.g. for NIS) inside LAM. This can be
      used to replace local /etc/aliases files with LDAP.</para>

      <para>All accounts of this type are based on the "nisMailAlias" object
      class and may have "cn" and "rfc822MailMember" attributes. To activate
      this type please add "Mail aliases" in your LAM server profile:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisMailAlias1.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The mail aliases will appear as separate tab inside LAM. You may
      then manage the aliases with their names and recipient addresses.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisMailAlias2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>NIS net groups</title>

      <para>LAM supports to define NIS netgroups. You can use them e.g. to
      restrict SSH access to your machines.</para>

      <para>Add the NIS net group account type and its module to your server
      profile. Then you can manage net groups in LAM. Net groups may contain
      other net groups as child groups. You can either insert the host/user
      names manually or print the search buttons next to the input fields to
      find existing entries in your directory.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisNetgroup.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>NIS objects (LAM Pro)</title>

      <para>You can manage NIS objects with LAM Pro. This allows you define
      network mount points in LDAP.</para>

      <para>Add the NIS objects type to your LAM configuration and then the
      NIS objects module. This will add the NIS objects tab to LAM.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/nisObject.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Automount objects (LAM Pro)</title>

      <para>LAM Pro allows you to manage automount entries. Please activate
      the account type "Automount objects" in your LAM Pro server
      profile.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/automount1.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Then add the correct automount module. Usually, this is "Automount
      entry (automount)". If you use Suse Linux with RFC2307bis schema please
      select "Automount entry (rfc2307bisAutomount)".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/automount3.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>This will add a new tab to LAM Pro's main screen which includes a
      list of all automount entries. Here you can easily create new
      entries.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/automount2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Please see the following external HowTos for more information on
      automounting and LDAP:</para>

      <itemizedlist>
        <listitem>
          <para><ulink
          url="https://help.ubuntu.com/community/AutofsLDAP">AutofsLDAP</ulink></para>
        </listitem>

        <listitem>
          <para><ulink type=""
          url="http://www.pro-linux.de/artikel/2/760/automount-ueber-ldap.html">Automount
          über LDAP (German)</ulink></para>
        </listitem>
      </itemizedlist>
    </section>

    <section id="a_ppolicy">
      <title>Password policies (LAM Pro)</title>

      <para>OpenLDAP supports the <ulink
      url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay
      to manage password policies for LDAP entries. This allows you to set
      password policies which are independent from your applications. The
      policies are managed internally by the LDAP server.</para>

      <para>You can manage these policies with LAM Pro with the account type
      "Password policies".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ppolicy.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You will need to add the ppolicy schema to your OpenLDAP
      configuration and activate the <ulink
      url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay
      module in slapd.conf to use this feature.</para>
    </section>

    <section>
      <title>Custom fields (LAM Pro)</title>

      <para>This module allows you to manage LDAP attributes that are not
      covered by the other LAM modules (e.g. if you use custom LDAP schemas).
      You can fully define how your input fields look like:</para>

      <itemizedlist>
        <listitem>
          <para>Label</para>
        </listitem>

        <listitem>
          <para>LDAP attribute name</para>
        </listitem>

        <listitem>
          <para>Unique name for field</para>
        </listitem>

        <listitem>
          <para>Read-only display</para>
        </listitem>

        <listitem>
          <para>Field type: text, password, text area, checkbox, radio
          buttons, select list</para>
        </listitem>

        <listitem>
          <para>Validation via regular expression</para>
        </listitem>

        <listitem>
          <para>Error message if validation fails</para>
        </listitem>
      </itemizedlist>

      <para>Limitations:</para>

      <para>Custom fields cannot manage</para>

      <itemizedlist>
        <listitem>
          <para>structural object classes</para>
        </listitem>

        <listitem>
          <para>(binary) attributes that require file uploads</para>
        </listitem>

        <listitem>
          <para>multi-value attributes</para>
        </listitem>

        <listitem>
          <para>attributes that require validation rules across multiple
          attributes or cannot be described by a simple regular
          expression</para>
        </listitem>
      </itemizedlist>

      <para><emphasis role="bold">Activating the custom fields
      module:</emphasis></para>

      <para>You may specify custom fields for all of your account types.
      Please enter tab "Modules" in your server profile. Now activate the
      "Custom fields (customFields)" module for all needed account
      types.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields14.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Defining groups:</emphasis></para>

      <para>All input fields are devided into groups. A group may contain one
      or more object classes and allows you to add/remove a certain set of
      input fields.</para>

      <para>E.g. you may define two groups - "My application A" and "My
      application B" - that manage different LDAP attributes and object
      classes. This way you will be able to control both attribute sets
      independently.</para>

      <para>To create a group please edit your server profile and switch to
      tab "Module settings". You will see the section "Custom fields" which
      allows you to add new groups. Now select your account type (e.g. Users)
      and specify an alias for your group. This alias will be printed as group
      header when you later edit an account in the admin interface.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields15.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>After you created your new group you can setup the managed object
      classes. If you specify any object classes then you will later be able
      to add/remove a complete set of attributes including their object
      classes.</para>

      <para>Skipping the object classes field is only useful if you want to
      manage some attributes that are not yet supported by LAM but there is
      already a LAM module that manages the object class.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields16.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The group may look like when you edit a user.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields19.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields20.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Adding fields:</emphasis></para>

      <para>Now you can add a new field that manages an LDAP attribute. Simply
      fill the fields and press on "Add".</para>

      <para>Please note that the field name cannot be changed later. It is the
      unique ID for this field.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields17.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Examples for fields and their representation:</para>

      <para><emphasis role="bold">Text field:</emphasis></para>

      <para>Text fields allow to specify a <link
      linkend="customFields_validation_expressions_admin">validation
      expression</link> and error message.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Presentation:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields3.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Password field:</emphasis></para>

      <para>You can also manage custom password fields. LAM Pro will display
      two fields where the user must enter the same password. You can hash the
      password if needed.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields4.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Presentation:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields5.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Text area:</emphasis></para>

      <para>This adds a multi-line field. The options are similar to text
      fields. Additionally, you can set the size with the number of columns
      and rows.</para>

      <para>Please note that the <link
      linkend="customFields_validation_expressions_admin">validation
      expression</link> should be set to multi-line. This is done by adding
      "m" at the end.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields6.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Presentation:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields7.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Checkbox:</emphasis></para>

      <para>Sometimes you may want to allow only yes/no values for your LDAP
      attributes. This can be represented by a checkbox. You can specify the
      values for checked and unchecked. The default value is set if the LDAP
      attribute has no value.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields8.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Presentation:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields9.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Radio buttons:</emphasis></para>

      <para>This displays a list of radio buttons where the user can select
      one value.</para>

      <para>You can specify a mapping of LDAP attribute values and their
      display (label) on the Self Service page. To add more mapping fields
      please press "Add more mapping fields".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields10.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Presentation:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields11.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Select list:</emphasis></para>

      <para>Select lists allow the user to select a value in a large list of
      options. The definition of the possible values and their display is
      similar to radio buttons.</para>

      <para>You can also allow multiple values.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields12.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Presentation:</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields13.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customFields18.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para id="customFields_validation_expressions_admin"><emphasis
      role="bold">Validation expressions:</emphasis></para>

      <para>The validation expressions follow the standard of <ulink
      url="http://perldoc.perl.org/perlre.html">Perl regular
      expressions</ulink>. They start and end with a "/". The beginning of a
      line is specified by "^" and the end by "$".</para>

      <para>Examples:</para>

      <para>/^[a-z0-9]+$/ allows small letters and numbers. The value must not
      be empty ("+").</para>

      <para>/^[a-z0-9]+$/i allows small and capital letters ("i" at the end
      means ignore case) and numbers. The value must not be empty
      ("+").</para>

      <para>Special characters that must be escaped with "\": "\", ".", "(",
      ")"</para>

      <para>E.g. /^[a-z0-9\.]$/i</para>
    </section>

    <section>
      <title>Custom scripts (LAM Pro)</title>

      <para>LAM Pro allows you to execute scripts whenever an account is
      created, modified or deleted. This can be useful to automate processes
      which needed manual work afterwards (e.g. sending your user a welcome
      mail or register a mailbox). Additionally, you can specify manual scipts
      that can be executed from within LAM Pro.</para>

      <para>To activate this feature please add the "Custom scripts" module to
      all needed account types on the configuration pages.</para>

      <para>You can specify multiple scripts for each action type (e.g.
      modify) and account type (e.g. user). The scripts need to be located on
      the filesystem of your webserver and will be executed in its user
      environment. E.g. if you webserver runs as user www-data with the group
      www-data then the custom scripts will be run under this user with his
      rights. The output of the scripts will be shown in LAM.</para>

      <para>You can specify the scripts on the LAM configuration pages.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customScripts.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Syntax:</emphasis></para>

      <para>Please enter one script per line. Each line has the following
      format: &lt;account type&gt; &lt;action&gt; &lt;script&gt;</para>

      <para>E.g.: user preModify /usr/bin/myCustomScript -u $uid$</para>

      <para><emphasis role="bold">Account types:</emphasis></para>

      <para>You can setup scripts for all available account types (e.g. user,
      group, host, ...). Please see the help on the configuration page about
      your current active account types.</para>

      <para><emphasis role="bold">Actions:</emphasis></para>

      <table>
        <title>Action types</title>

        <tgroup cols="2">
          <tbody>
            <row>
              <entry><emphasis role="bold">Action name</emphasis></entry>

              <entry><emphasis role="bold">Description</emphasis></entry>
            </row>

            <row>
              <entry>preCreate</entry>

              <entry>executed before creating a new account (cancels operation
              if a script returns an exit code &gt; 0, not available for file
              upload)</entry>
            </row>

            <row>
              <entry>postCreate</entry>

              <entry>executed after creating a new account</entry>
            </row>

            <row>
              <entry>preModify</entry>

              <entry>executed before the account is modified (cancels
              operation if a script returns an exit code &gt; 0)</entry>
            </row>

            <row>
              <entry>postModify</entry>

              <entry>executed after an account was modified</entry>
            </row>

            <row>
              <entry>preDelete</entry>

              <entry>executed before an account was modified (cancels
              operation if a script returns an exit code &gt; 0)</entry>
            </row>

            <row>
              <entry>postDelete</entry>

              <entry>executed after an account was modified</entry>
            </row>

            <row>
              <entry>manual</entry>

              <entry>can be run manually on account page</entry>
            </row>
          </tbody>
        </tgroup>
      </table>

      <para><emphasis role="bold">Script:</emphasis></para>

      <para>You can execute any script which is located on the filesystem of
      your webserver. The path may be absolute or relative to the
      PATH-variable of the environment of your webserver process. It is also
      possible to add commandline arguments to your scripts. Additionally, LAM
      will resolve wildcards to LDAP attributes. If your script includes an
      wildcard in the format $ATTRIBUTE$ then LAM will replace it with the
      attribute value of the current LDAP entry. The values of multi-value
      attributes are separated by commas. E.g. if you create an account with
      the attribute "uid" and value "steve" then LAM will resolve "$uid$" to
      "steve".</para>

      <para>Please note that manual scripts can only use the current LDAP
      attribute values of the account. Any modifications done that are not
      saved will not be available. Manual scripts are also not available for
      new accounts that are not yet saved to LDAP.</para>

      <para>You can switch LAM's logging to debug mode if you are unsure which
      attributes with which values are available.</para>

      <para>The following special wildcards are available for automatical
      scripts:</para>

      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">$INFO.userPasswordClearText$:</emphasis>
          cleartext password when Unix/Windows password is changed (e.g.
          useful for external password synchronisation) for new/modified
          accounts</para>
        </listitem>

        <listitem>
          <para><emphasis
          role="bold">$INFO.userPasswordStatusChange$:</emphasis> provides
          additional information if the Unix password locking status was
          changed, possible values: locked, unlocked, unchanged</para>
        </listitem>

        <listitem>
          <para><emphasis
          role="bold">$INFO.passwordSelfResetAnswerClearText$</emphasis>:
          cleartext answer to security question</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">$NEW.&lt;attribute&gt;$:</emphasis> the
          value of a new attribute (e.g. $NEW.telephoneNumber$) for modified
          accounts</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">$DEL.&lt;attribute&gt;$:</emphasis> the
          value of a deleted attribute (e.g. $DEL.telephoneNumber$) for
          modified accounts</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">$MOD.&lt;attribute&gt;$:</emphasis> the
          new value of a modified attribute (e.g. $MOD.telephoneNumber$) for
          modified accounts</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">$ORIG.&lt;attribute&gt;$:</emphasis> the
          original value of an attribute (e.g. $ORIG.telephoneNumber$) for
          modified accounts</para>
        </listitem>
      </itemizedlist>

      <para><emphasis role="bold">Output may contain HTML:</emphasis> If your
      scripts generate HTML output then activate this option.</para>

      <para><emphasis role="bold">Hide command in messages:</emphasis> You may
      want to prevent that your users see the executed commands. In this case
      activating this option will only show the command output but not the
      command itself.</para>

      <para></para>

      <para>You can see a preview of the commands which will be automatically
      executed on the "Custom scripts" tab. Here you can also run the manual
      scripts.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/customScripts2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Sudo roles (LAM Pro)</title>

      <para>You can manage your sudo roles in LDAP if you have installed the
      sudo-ldap package or <ulink
      url="http://www.sudo.ws/sudo/readme_ldap.html">compiled sudo with LDAP
      support</ulink>. To activate sudo management in LAM Pro edit your server
      profile and add the type "Sudo roles".</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/sudoRole.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The sudo roles in LDAP work similar to those in /etc/sudoers. You
      can specify who may run which commands as which user. It is also
      possible to specify options like NOPASSWD.</para>
    </section>

    <section>
      <title>General information</title>

      <para>This module is available for all account types. It shows some
      internal information about the LDAP entries like the creation time and
      who modified the entry.</para>

      <para>If you use the "memberOf" overlay in OpenLDAP then this will also
      show group memberships done by the overlay.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/mod_generalInformation.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Tree view (LDAP browser)</title>

      <para>The tree view provides a raw view on your LDAP directory. This
      feature is for people who are experienced with LDAP and need special
      functionality which the LAM account modules not provide. E.g. if you
      want to add a special object class to an account or edit attributes
      ignoring LAM's syntax checks.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/tree1.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>There are also some special functions available:</para>

      <para><emphasis role="bold">Export:</emphasis> This allows you to export
      entries to a file (e.g. LDIF or CSV format).</para>

      <para><emphasis role="bold">Show internal attributes:</emphasis> Shows
      internal attributes of the current entry. This includes information
      about the creator and creation time of the entry.</para>
    </section>
  </chapter>

  <chapter>
    <title>Tools</title>

    <para></para>

    <section id="a_accountProfile">
      <title>Profile editor</title>

      <para>The account profiles are templates for your accounts. Here you can
      specify default values which can then be loaded when you create
      accounts. You may also load a template for an existing account to reset
      it to default values. When you create a new account then LAM will always
      load the profile named <emphasis role="bold">"default"</emphasis>. This
      account profile can include default values for all your accounts.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/profileEditor2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>You can enter the LDAP suffix, RDN identifier and various other
      attributes depending on account type and activated modules.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/profileEditor.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">Import/export:</emphasis></para>

      <para>Profiles can be exported to and imported from other server
      profiles.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/profileEditor3.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/profileEditor4.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>There is a special export target called "*Global templates". All
      profiles exported here will be copied to all other server profiles
      (incl. new ones). But existing profiles with the same name are not
      overwritten. So a profile in global templates is treated as default
      profile for all server profiles.</para>

      <para>Use this if you would like to setup default profiles that are
      valid for all server profiles.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/profileEditor5.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>File upload</title>

      <para>When you need to create lots of accounts then you can use LAM's
      file upload to create them. LAM will read a CSV formatted file and
      create the related LDAP entries. Please check the data in you CSV file
      carefully. LAM will do less checks for the file upload than for single
      account creation.</para>

      <para>At the first page please select the account type and what
      extensions should be activated.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/fileUpload1.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The next page shows all available options for the file upload. You
      will also find a sample CSV file which can be used as template for your
      CSV file. All red options are required columns in the file. You need to
      specify a value for each account.</para>

      <para>When you upload the CSV file then LAM first does some checks on
      this file. This includes syntax checks and if all required data was
      entered. No changes in the LDAP directory are done at this time.</para>

      <para>If the checks were successful then LAM will ask again if you want
      to create the accounts. You will also have the chance to check the
      upload by viewing the changes in LDIF format.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/fileUpload2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>OU editor</title>

      <para>This is a simple editor to add/delete organisational units in your
      LDAP tree. This way you can structure the accounts.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/ouEditor.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>PDF editor</title>

      <para>All accounts in LAM may be exported as PDF files. You can specify
      the page structure and displayed information by editing the PDF
      profiles.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/pdfEditor2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>When you export accounts to PDF then each account will get its own
      page inside the PDF. There is a headline on each page where you can show
      a page title. You may also add a logo to each page. To add more possible
      logos simply copy the images to config/pdf/&lt;server profile
      name&gt;/logos.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/pdfEditor.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>The main part is structured into sections of information. Each
      section has a title. This can either be static text or the value of an
      attribute. You may also insert a static text block as section. Sections
      can be moved by using the arrows next to the section title.</para>

      <para>Each section can contain multiple fields which usually represent
      LDAP attributes. You can simply add new fields by selecting the field
      name and its position. Then use the arrows to move the field inside the
      section.</para>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Import/export:</emphasis></para>

      <para>PDF structures can be exported to and imported from other server
      profiles.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/pdfEditor3.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/pdfEditor4.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>There is a special export target called "*Global templates". All
      PDF structures exported here will be copied to all other server profiles
      (incl. new ones). But existing PDF structures with the same name are not
      overwritten. So a PDF structure in global templates is treated as
      default structure for all server profiles.</para>

      <para>Use this if you would like to setup default PDF structures that
      are valid for all server profiles.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/pdfEditor5.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Schema browser</title>

      <para>Here you browse the schema of your LDAP server. You can view what
      object classes, attributes, syntaxes and matching rules are available.
      This is useful if you need to check if a certain object class is
      available.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/schemaBrowser.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Server information</title>

      <para>This shows information and statistics about your LDAP server. This
      includes the suffixes, used overlays, connection data and operation
      statistics. You will need "cn=monitor" setup to see all details. Some
      data may not be available depending on your LDAP server software.</para>

      <para>Please see the following links how to setup "cn=monitor":</para>

      <itemizedlist>
        <listitem>
          <para><ulink
          url="http://www.openldap.org/doc/admin24/monitoringslapd.html">OpenLDAP</ulink></para>
        </listitem>

        <listitem>
          <para><ulink type=""
          url="http://directory.fedoraproject.org/wiki/Howto:CN%3DMonitor_LDAP_Monitoring">389
          server</ulink></para>
        </listitem>
      </itemizedlist>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/serverInfo.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Tests</title>

      <para>This allows you to check if your LDAP schema is compatible with
      LAM and to find possible problems.</para>

      <section>
        <title>Lamdaemon test</title>

        <para>LAM provides an external script to manage home directories and
        quotas. You can test here if everything is setup correctly.</para>

        <para>If you get an error like "no tty present and no askpass program
        specified" then the path to the lamdaemon.pl may be wrong. Please see
        the <link linkend="a_lamdaemon">lamdaemon installation
        instructions</link> for setup details.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/lamdaemonTest.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Schema test</title>

        <para>This will test if your LDAP schema supports all object classes
        and attributes of the active LAM modules. If you get a message that
        something is missing please check that you installed all <link
        linkend="a_schema">required schemas</link>.</para>

        <para>If you get error messages about object class violations then
        this test can tell you what is missing.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/schemaTest.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>
    </section>
  </chapter>

  <chapter id="a_accessLevelPasswordReset">
    <title>Access levels and password reset page (LAM Pro)</title>

    <para>You can define different access levels for each profile to allow or
    disallow write access. The password reset page helps your deskside support
    staff to reset user passwords.</para>

    <section>
      <title id="s_accessLevel">Access levels</title>

      <para>There are three access levels:</para>

      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">Write access (default)</emphasis></para>

          <para>There are no restrictions. LAM admin users can manage account,
          create profiles and set passwords.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Change passwords</emphasis></para>

          <para>Similar to "Read only" except that the <link
          linkend="s_pwdReset">password reset page</link> is available.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Read only</emphasis></para>

          <para>No write access to the LDAP database is allowed. It is also
          impossible to manage account and PDF profiles.</para>

          <para>Accounts may be viewed but no changes can be saved.</para>
        </listitem>
      </itemizedlist>

      <para>The access level can be set on the server configuration
      page:</para>

      <para><screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/accessLevel.png" />
            </imageobject>
          </mediaobject>
        </screenshot></para>
    </section>

    <section id="s_pwdReset">
      <title>Password reset page</title>

      <para>This special page allows your deskside support staff to reset the
      Unix and Samba passwords of your users. Account may also be (un)locked
      If you set the <link linkend="s_accessLevel">access level</link> to
      "Change passwords" then LAM will not allow any changes to the LDAP
      database except password changes via this page. The account pages will
      be still available in read-only mode.</para>

      <para>You can open the password reset page by clicking on the key symbol
      on each user account:</para>

      <para><screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/passwordReset1.png" />
            </imageobject>
          </mediaobject>
        </screenshot>There are three different options to set a new
      password:</para>

      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">set random password and display it on
          screen</emphasis></para>

          <para>This will set the user's password to a random value. The
          password will be 11 characters long with a random combination of
          letters, digits and ".-_".</para>

          <para>You may want to use this method to tell users their new
          passwords via phone.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">set random password and mail it to
          user</emphasis></para>

          <para>If the user account has set the mail attribute then LAM can
          send your user a mail with the new password. You can change the mail
          template to fit your needs. Please configure your LAM server profile
          to setup the sender address, subject and mail body.</para>

          <para>Using this method will prevent that your support staff knows
          the new password.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">set specific password</emphasis></para>

          <para>Here you can specify your own password.</para>
        </listitem>
      </itemizedlist>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/passwordReset2.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>LAM will display contact information about the user like the
      user's name, email address and telephone number. This will help your
      deskside support to easily contact your users.</para>

      <para><emphasis role="bold">Options:</emphasis></para>

      <para>Depending on the account there may be additional options
      available.</para>

      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">Sync Samba NT/LM password with Unix
          password:</emphasis> If a user account has Samba passwords set then
          LAM will offer to synchronize the passwords.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Unlock Samba account:</emphasis> Locked
          Samba accounts can be unlocked with the password change.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Update Samba password
          timestamps:</emphasis> This will set the timestamps when the
          password was changed (sambaPwdLastSet). Only existing attributes are
          updated. No new attributes are added.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Sync Kerberos password with Unix
          password:</emphasis> This will also update the Heimdal Kerberos
          password.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Sync Asterisk (voicemail) password with
          Unix password:</emphasis> Changes also the Asterisk
          passwords.</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">Force password change:</emphasis> This
          will force the user to change his password at next login. This
          option supports Shadow, Samba 3 and PPolicy (automatically
          detected).</para>
        </listitem>
      </itemizedlist>

      <literallayout>
</literallayout>

      <para><emphasis role="bold">Account (un)locking:</emphasis></para>

      <para>Depending if the account includes a Unix/Samba extension and
      PPolicy is activated the page will show options to (un)lock the account.
      E.g. if the account is fully unlocked then there will be no unlocking
      options printed.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/passwordReset3.png" />
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>
  </chapter>

  <chapter id="a_selfService">
    <title>Self service (LAM Pro)</title>

    <section>
      <title>Preparations</title>

      <section>
        <title>OpenLDAP ACLs</title>

        <para>By default only a few administrative users have write access to
        the LDAP database. Before your users may change their settings you
        must allow them to change their LDAP data.</para>

        <para>This can be done by adding ACLs to your slapd.conf or
        slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to
        these:</para>

        <para><emphasis role="bold">access to</emphasis></para>

        <para><emphasis role="bold"> attrs=userPassword</emphasis></para>

        <para><emphasis role="bold"> by self write</emphasis></para>

        <para><emphasis role="bold"> by anonymous auth</emphasis></para>

        <para><emphasis role="bold"> by * none</emphasis></para>

        <literallayout>
</literallayout>

        <para><emphasis role="bold">access to</emphasis></para>

        <para><emphasis role="bold">
        attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange</emphasis></para>

        <para><emphasis role="bold"> by self write</emphasis></para>

        <para><emphasis role="bold"> by * read</emphasis></para>

        <para>If you do not want them to change all attributes then reduce the
        list to fit your needs. Some modules may require additional LDAP
        attributes. You can use the tree view to get the technical attribute
        names e.g. by selecting an user account.</para>

        <para>Usually, the slapd.conf file is located in /etc/ldap or
        /etc/openldap.</para>
      </section>

      <section>
        <title>Other LDAP servers</title>

        <para>There exist many LDAP implementations. If you do not use
        OpenLDAP you need to write your own ACLs. Please check the manual of
        your LDAP server for instructions.</para>
      </section>
    </section>

    <section>
      <title>Creating a self service profile</title>

      <para>A self service profile defines what input fields your users see
      and some other general settings like the login caption.</para>

      <para>When you go to the LAM configuration page you will see the self
      service link at the bottom. This will lead you to the self service
      configuration pages</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/conf1.jpg" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now we need to create a new self service profile. Click on the
      link to manage the self service profiles.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/conf2.jpg" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Specify a name for the new profile and enter your master
      configuration password (default is "lam") to save the profile.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/conf3.jpg" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Now go back to the profile login and enter your master
      configuration password to edit your new profile.</para>
    </section>

    <section>
      <title>Edit your new profile</title>

      <section>
        <title>Basic settings</title>

        <para>On top of the page you see the link to the user login page. Copy
        this link address and give it to your users.</para>

        <para>Below the link you can specify several options.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/conf4.jpg" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <table>
          <title>General options</title>

          <tgroup cols="2">
            <tbody>
              <row>
                <entry>Server address</entry>

                <entry>The address of your LDAP server</entry>
              </row>

              <row>
                <entry>LDAP suffix</entry>

                <entry>The part of the LDAP tree where LAM should search for
                users</entry>
              </row>

              <row>
                <entry>LDAP user + password</entry>

                <entry>The DN and password which is used to search for users
                in the LDAP database. It is sufficient if this DN has only
                read rights. If you leave these fields empty LAM will try to
                connect anonymously.</entry>
              </row>

              <row>
                <entry>LDAP search attribute</entry>

                <entry>Here you can specify if your users can login with user
                name + password, email + password or other attributes.</entry>
              </row>

              <row>
                <entry>HTTP authentication</entry>

                <entry>You can enable HTTP authentication for your users. This
                way the web server is responsible to authenticate your users.
                LAM will use the given user name + password for the LDAP
                login. To setup HTTP authentication in Apache please see this
                <ulink
                url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</entry>
              </row>

              <row>
                <entry>Login attribute label</entry>

                <entry>This is the description for the LDAP search attribute.
                Set it to something which your users are familiar
                with.</entry>
              </row>

              <row>
                <entry>Login caption</entry>

                <entry>This text is displayed at the login page. You can input
                HTML, too.</entry>
              </row>

              <row>
                <entry>Main page caption</entry>

                <entry>This text is displayed at self service main page where
                your users change their data. You can input HTML, too.</entry>
              </row>

              <row>
                <entry>Page header</entry>

                <entry>This HTML code will be placed on top of all self
                service pages. E.g. you can use this to place your custom
                logo. Any HTML code is permitted.</entry>
              </row>

              <row>
                <entry>Additional CSS links</entry>

                <entry>Here you can specify additional CSS links to change the
                layout of the self service pages. This is useful to adapt them
                to your corporate design. Please enter one link per
                line.</entry>
              </row>
            </tbody>
          </tgroup>
        </table>
      </section>

      <section>
        <title>Page layout</title>

        <para>Here you can specify what input fields your users can see. It is
        also possible to group several input fields.</para>

        <para>Please use the arrow signs to change the order of the
        fields/groups.</para>

        <para>You may also set some fields as read-only for your users. This
        can be done by clicking on the lock symbol. Read-only fields can be
        used to show your users additional data on the self service page that
        must not be changed by themselves (e.g. first/last name).</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/conf5.jpg" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <para><emphasis role="bold">Possible input fields</emphasis></para>

        <para>This is a list of input fields you may add to the self service
        page.</para>

        <table frame="box" rules="rows">
          <caption>Self service fields</caption>

          <col align="center" span="1" />

          <thead>
            <tr align="center">
              <th>Account type</th>

              <th>Option</th>

              <th>Description</th>
            </tr>
          </thead>

          <tbody>
            <tr>
              <th align="left"><inlinemediaobject>
                  <imageobject>
                    <imagedata fileref="images/schema_asterisk.png" />
                  </imageobject>
                </inlinemediaobject> Asterisk (voicemail)</th>

              <td>Sync Asterisk password with Unix password</td>

              <td>This is a hidden field. It will update the Asterisk password
              each time the Unix password is changed.</td>
            </tr>

            <tr>
              <th align="left"><inlinemediaobject>
                  <imageobject>
                    <imagedata fileref="images/schema_heimdal.png" />
                  </imageobject>
                </inlinemediaobject> Kerberos</th>

              <td>Sync Kerberos password with Unix password</td>

              <td>This is a hidden field. It will update the Kerberos password
              each time the Unix password is changed.</td>
            </tr>

            <tr>
              <th align="left" axis="" rowspan="2"><inlinemediaobject>
                  <imageobject>
                    <imagedata fileref="images/schema_kolab.png" />
                  </imageobject>
                </inlinemediaobject> Kolab</th>

              <td>Delegates</td>

              <td>Allows to manage delegate permissions</td>
            </tr>

            <tr>
              <td>Invitation policy</td>

              <td>Invitation policy management</td>
            </tr>

            <tr>
              <th align="left" rowspan="2"><inlinemediaobject>
                  <imageobject>
                    <imagedata fileref="images/schema_ssh.png" />
                  </imageobject>
                </inlinemediaobject> Password self reset</th>

              <td>Question</td>

              <td>Security question selection</td>
            </tr>

            <tr>
              <td>Answer</td>

              <td>Security answer</td>
            </tr>

            <tr>
              <th align="left" rowspan="24"><inlinemediaobject>
                  <imageobject>
                    <imagedata fileref="images/schema_user.png" />
                  </imageobject>
                </inlinemediaobject> Personal</th>

              <td>Business category</td>

              <td></td>
            </tr>

            <tr>
              <td>Car license</td>

              <td></td>
            </tr>

            <tr>
              <td>Department</td>

              <td></td>
            </tr>

            <tr>
              <td>Email address</td>

              <td></td>
            </tr>

            <tr>
              <td>Fax number</td>

              <td></td>
            </tr>

            <tr>
              <td>First name</td>

              <td></td>
            </tr>

            <tr>
              <td>Home telephone number</td>

              <td></td>
            </tr>

            <tr>
              <td>Initials</td>

              <td></td>
            </tr>

            <tr>
              <td>Job title</td>

              <td></td>
            </tr>

            <tr>
              <td>Last name</td>

              <td></td>
            </tr>

            <tr>
              <td>Location</td>

              <td></td>
            </tr>

            <tr>
              <td>Mobile number</td>

              <td></td>
            </tr>

            <tr>
              <td>Office name</td>

              <td></td>
            </tr>

            <tr>
              <td>Photo</td>

              <td>Shows the user photo if set. The user may also remove the
              photo or upload a new one.</td>
            </tr>

            <tr>
              <td>Postal address</td>

              <td></td>
            </tr>

            <tr>
              <td>Postal code</td>

              <td></td>
            </tr>

            <tr>
              <td>Post office box</td>

              <td></td>
            </tr>

            <tr>
              <td>Registered address</td>

              <td></td>
            </tr>

            <tr>
              <td>Room number</td>

              <td></td>
            </tr>

            <tr>
              <td>State</td>

              <td></td>
            </tr>

            <tr>
              <td>Street</td>

              <td></td>
            </tr>

            <tr>
              <td>Telephone number</td>

              <td></td>
            </tr>

            <tr>
              <td>User certificates</td>

              <td>Upload of user certificates in PEM or DER format</td>
            </tr>

            <tr>
              <td>Web site</td>

              <td></td>
            </tr>

            <tr>
              <th align="left" rowspan="4"><inlinemediaobject>
                  <imageobject>
                    <imagedata fileref="images/schema_samba.png" />
                  </imageobject>
                </inlinemediaobject> Samba 3</th>

              <td>Password</td>

              <td>Input field to set a new NT/LM password. The attribute
              "sambaPwdLastSet" is updated if it existed before.</td>
            </tr>

            <tr>
              <td>Sync Samba LM password with Unix password</td>

              <td>This is a hidden field. It will update the Samba LM password
              each time the Unix password is changed.</td>
            </tr>

            <tr>
              <td>Sync Samba NT password with Unix password</td>

              <td>This is a hidden field. It will update the Samba NT password
              each time the Unix password is changed.</td>
            </tr>

            <tr>
              <td>Update attribute "sambaPwdLastSet" on password change</td>

              <td>Updates the password timestamp when password is synchronized
              with Unix.</td>
            </tr>

            <tr>
              <td align="left" rowspan="9"><inlinemediaobject>
                  <imageobject>
                    <imagedata fileref="images/schema_samba.png" />
                  </imageobject>
                </inlinemediaobject>Windows</td>

              <td>Password</td>

              <td>Change the user's password</td>
            </tr>

            <tr>
              <td>Location</td>

              <td></td>
            </tr>

            <tr>
              <td>Office name</td>

              <td></td>
            </tr>

            <tr>
              <td>Postal code</td>

              <td></td>
            </tr>

            <tr>
              <td>Post office box</td>

              <td></td>
            </tr>

            <tr>
              <td>State</td>

              <td></td>
            </tr>

            <tr>
              <td>Street</td>

              <td></td>
            </tr>

            <tr>
              <td>Telephone number</td>

              <td></td>
            </tr>

            <tr>
              <td>Web site</td>

              <td></td>
            </tr>

            <tr>
              <th align="left" rowspan="3"><inlinemediaobject>
                  <imageobject>
                    <imagedata fileref="images/schema_unix.png" />
                  </imageobject>
                </inlinemediaobject> Unix</th>

              <td>Common name</td>

              <td></td>
            </tr>

            <tr>
              <td>Login shell</td>

              <td></td>
            </tr>

            <tr>
              <td>Password</td>

              <td>This is also the source for several password synchronization
              options.</td>
            </tr>

            <tr>
              <th align="left" rowspan="2"><inlinemediaobject>
                  <imageobject>
                    <imagedata fileref="images/schema_zarafa.png" />
                  </imageobject>
                </inlinemediaobject> Zarafa</th>

              <td>"Send as" privileges</td>

              <td>Define user who may send mails as this user</td>
            </tr>

            <tr>
              <td>Email aliases</td>

              <td>Email aliases</td>
            </tr>
          </tbody>
        </table>
      </section>

      <section>
        <title>Module settings</title>

        <para>This allows to configure some module specific options (e.g.
        custom scripts or password hash type).</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/conf6.jpg" />
            </imageobject>
          </mediaobject>
        </screenshot>

        <section id="PasswordSelfReset">
          <title>Password self reset</title>

          <para><emphasis role="bold">Settings</emphasis></para>

          <para>You can allow your users to reset their passwords themselves.
          This will reduce your administrative costs for cases where users
          forget their passwords.</para>

          <para>To enable this feature please activate the checkbox "Enable
          password self reset link".</para>

          <para><emphasis role="bold">Hint:</emphasis> Plese note that LAM Pro
          uses security questions by default. Activate confirmation mails and
          then deactivate security questions if you want to use only email
          validation.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/passwordSelfReset1.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>You can now configure the minimum answer length for password
          reset answers. This is checked when you allow you users to specify
          their answers via the self service. Additionally, you can specify
          the text of the password reset link (default: "Forgot password?").
          The link is displayed below the password field on the self service
          login page.</para>

          <para>Next, please enter the DN and password of an LDAP entry that
          is allowed to reset the passwords. This entry needs write access to
          the attributes shadowLastChange, pwdAccountLockedTime and
          userPassword. It also needs read access to uid, mail,
          passwordSelfResetQuestion and passwordSelfResetAnswer. Please note
          that LAM Pro saves the password on your server file system.
          Therefore, it is required to protect your server against
          unauthorised access.</para>

          <para>Please also specify the list of password reset questions that
          the user can choose.</para>

          <para>Please note that self service and LAM admin interface are
          separated functionalities. You need to specify the list of possible
          security questions in both self service profile(s) and server
          profile(s).</para>

          <literallayout> </literallayout>

          <para>You can inform your users via mail about their password
          change. The mail can include the new password by using the special
          wildcard "@@newPassword@@". Additionally, you may want to insert
          other wildcards that are replaced by the corresponding LDAP
          attributes. E.g. "@@uid@@" will be replaced by the user name.</para>

          <literallayout> </literallayout>

          <para>LAM Pro can send your users an email with a confirmation link
          to validate their email address. Of course, this should only be used
          if the email account is independent from the user password (e.g. at
          external provider). The mail must include the confirmation link by
          using the special wildcard "@@resetLink@@". Additionally, you may
          want to insert other wildcards that are replaced by the
          corresponding LDAP attributes. E.g. "@@uid@@" will be replaced by
          the user name.</para>

          <para>There is also an option to skip the security question at all
          if email verification is enabled. In this case the password can be
          reset directly after clicking on the confirmation link. Please
          handle with care since anybody with access to the user's mail
          account can reset the password.</para>

          <para><emphasis role="bold">Troubleshooting:</emphasis></para>

          <para>If you get messages like "Unable to find user account." this
          can have multiple reasons:</para>

          <itemizedlist>
            <listitem>
              <para>security questions enabled but no security question and/or
              answer set for this user</para>
            </listitem>

            <listitem>
              <para>user name + email combination does not exist</para>
            </listitem>

            <listitem>
              <para>no connection to LDAP server</para>
            </listitem>
          </itemizedlist>

          <para>Turn on logging in LAM's main configuration settings. The
          exact reason is logged on notice level.</para>

          <para><emphasis role="bold">New fields for self service
          page</emphasis></para>

          <para>There are two new fields that you may put on the self service
          page for your users. These fields allow them to change the reset
          question and its answer.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/passwordSelfReset2.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>This is an example how can be presented to your users on the
          self service page:</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/passwordSelfReset3.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para><emphasis role="bold">Password reset link</emphasis></para>

          <para>After activating the password self reset feature there will be
          a new link on the self service login page. The text can be
          configured as described above (default: "Forgot password?").</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/passwordSelfReset4.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>When a user clicks on the link then he will be asked for
          identification with his user name and email address.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/passwordSelfReset5.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>LAM Pro will use this information to find the correct LDAP
          entry of this user. It then displays the user's security question
          and input fields for his new password. If the answer is correct then
          the new password will be set. Additionally, pwdAccountLockedTime
          will be removed and shadowLastChange updated to the current time if
          existing.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/passwordSelfReset6.png" />
              </imageobject>
            </mediaobject>
          </screenshot>
        </section>

        <section>
          <title>User self registration</title>

          <para>With LAM Pro your users can create their own accounts if you
          like. LAM Pro will display an additional link on the self service
          login page that allows you users to create a new account including
          email validation.</para>

          <para>You enable this feature in your self service profile. Just
          activate the checkbox "Enable self registration link".</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/accountRegistration1.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para><emphasis role="bold">Options:</emphasis></para>

          <para><emphasis>Link text:</emphasis> This is the label for the link
          to the self registration. If empty "Register new account" will be
          used.</para>

          <para><emphasis>Admin DN and password:</emphasis> Please enter the
          LDAP DN and its password that should be used to create new users.
          This DN also needs to be able to do LDAP searches by uid in the self
          service part of your LDAP tree.</para>

          <para><emphasis>Object classes:</emphasis> This is a list of object
          classes that are used to build the new user accounts. Please enter
          one object class in each line.</para>

          <para><emphasis>Attributes:</emphasis> This is a list of additional
          attributes that the user can enter. Please note that user name,
          password and email address are mandatory anyway and need not be
          specified.</para>

          <para>Each line represents one LDAP attribute. The options are
          separated by "::". The first option specifies if the attribute is
          mandatory. It can have the values "optional" and "required". The
          second option is the LDAP attribute name and the third one is a
          descriptive label for it. Options four and five are used for input
          validation. Please enter the regular expression (e.g.
          "/^[0-9a-zA-Z]+$/") and an error message if the value does not match
          it. For a syntax description see <ulink
          url="http://perldoc.perl.org/perlre.html">here</ulink>. Validation
          is optional.</para>

          <para>Example:</para>

          <para>optional::givenName::First name::/^[[:alnum:] ]+$/u::Please
          enter a valid first name.</para>

          <para>required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a
          valid last name.</para>

          <para>If you use the object class "inetOrgPerson" and do not provide
          the "cn" attribute then LAM will set it to the user name
          value.</para>

          <literallayout>
</literallayout>

          <para>Please note that only simple input boxes are supported for
          account registration. The user may log in to self service when his
          account was created to manage all his attributes.</para>

          <literallayout>
</literallayout>

          <para><emphasis role="bold">User view:</emphasis></para>

          <para>The user can register by clicking on a link on the self
          service login page:</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/accountRegistration2.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>Here he can insert the data that you specified in the self
          service profile:</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/accountRegistration3.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>LAM will then send him an email with a validation link that is
          valid for 24 hours. When he clicks on this link then the account
          will be created in the self service user suffix. The DN will look
          like this: <emphasis>uid=&lt;user name&gt;,...</emphasis></para>
        </section>

        <section>
          <title>Custom fields (LAM Pro)</title>

          <para>This module allows you to manage LDAP attributes that are not
          covered by the other LAM modules (e.g. if you use custom LDAP
          schemas). You can fully define how your input fields look
          like:</para>

          <itemizedlist>
            <listitem>
              <para>Label</para>
            </listitem>

            <listitem>
              <para>LDAP attribute name</para>
            </listitem>

            <listitem>
              <para>Unique name for field</para>
            </listitem>

            <listitem>
              <para>Read-only display</para>
            </listitem>

            <listitem>
              <para>Field type: text, password, text area, checkbox, radio
              buttons, select list</para>
            </listitem>

            <listitem>
              <para>Validation via regular expression</para>
            </listitem>

            <listitem>
              <para>Error message if validation fails</para>
            </listitem>
          </itemizedlist>

          <para>To create custom fields for the Self Service please edit your
          Self Service profile and switch to tab "Module settings". Here you
          can add a new field. Simply fill the fields and press on
          "Add".</para>

          <para>Please note that the field name cannot be changed later. It is
          the unique ID for this field.</para>

          <para>After you created your fields please press on "Sync fields
          with page layout". Now you can switch to tab "Page layout" and add
          your new fields like any other standard field.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields1.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>Examples for fields and their representation in Self
          Service:</para>

          <para><emphasis role="bold">Text field:</emphasis></para>

          <para>Text fields allow to specify a <link
          linkend="customFields_validation_expressions">validation
          expression</link> and error message.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields2.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>Presentation in Self Service:</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields3.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para><emphasis role="bold">Password field:</emphasis></para>

          <para>You can also manage custom password fields. LAM Pro will
          display two fields where the user must enter the same password. You
          can hash the password if needed.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields4.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>Presentation in Self Service:</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields5.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para><emphasis role="bold">Text area:</emphasis></para>

          <para>This adds a multi-line field. The options are similar to text
          fields. Additionally, you can set the size with the number of
          columns and rows.</para>

          <para>Please note that the <link
          linkend="customFields_validation_expressions">validation
          expression</link> should be set to multi-line. This is done by
          adding "m" at the end.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields6.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>Presentation in Self Service:</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields7.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para><emphasis role="bold">Checkbox:</emphasis></para>

          <para>Sometimes you may want to allow only yes/no values for your
          LDAP attributes. This can be represented by a checkbox. You can
          specify the values for checked and unchecked. The default value is
          set if the LDAP attribute has no value.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields8.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>Presentation in Self Service:</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields9.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para><emphasis role="bold">Radio buttons:</emphasis></para>

          <para>This displays a list of radio buttons where the user can
          select one value.</para>

          <para>You can specify a mapping of LDAP attribute values and their
          display (label) on the Self Service page. To add more mapping fields
          please press "Add more mapping fields".</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields10.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>Presentation in Self Service:</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields11.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para><emphasis role="bold">Select list:</emphasis></para>

          <para>Select lists allow the user to select a value in a large list
          of options. The definition of the possible values and their display
          is similar to radio buttons.</para>

          <para>You can also allow multiple values.</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields12.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para>Presentation in Self Service:</para>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields13.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <screenshot>
            <mediaobject>
              <imageobject>
                <imagedata fileref="images/customFields18.png" />
              </imageobject>
            </mediaobject>
          </screenshot>

          <para id="customFields_validation_expressions"><emphasis
          role="bold">Validation expressions:</emphasis></para>

          <para>The validation expressions follow the standard of <ulink
          url="http://perldoc.perl.org/perlre.html">Perl regular
          expressions</ulink>. They start and end with a "/". The beginning of
          a line is specified by "^" and the end by "$".</para>

          <para>Examples:</para>

          <para>/^[a-z0-9]+$/ allows small letters and numbers. The value must
          not be empty ("+").</para>

          <para>/^[a-z0-9]+$/i allows small and capital letters ("i" at the
          end means ignore case) and numbers. The value must not be empty
          ("+").</para>

          <para>Special characters that must be escaped with "\": "\", ".",
          "(", ")"</para>

          <para>E.g. /^[a-z0-9\.]$/i</para>
        </section>
      </section>
    </section>

    <section>
      <title>Adapt the self service to your corporate design</title>

      <para>LAM Pro allows you to integrate customs CSS style definitions and
      design the header of all self service pages. This way you can integrate
      you own logo and use your company's colors.</para>

      <section>
        <title>Custom header</title>

        <para>The default LAM Pro header includes a logo and a horizontal
        line. You can enter any HTML code here. It will be included in the
        self services pages after the body tag.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configPageHeader.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>CSS files</title>

        <para>Usually, companies have regulations about their corporate design
        and use common CSS files. This assures a common appearance of all
        intranet pages (e.g. colors and fonts). To include additional CSS
        files just use the following setting for this task. The additional CSS
        links will be added after LAM Pro's default CSS link. This way you can
        overwrite LAM Pro's style.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/configCSS.png" />
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>
    </section>
  </chapter>

  <appendix id="a_schema">
    <title>LDAP schema files</title>

    <para>Here is a list of needed LDAP schema files for the different LAM
    modules. For OpenLDAP we also provide a source where you can get the
    files.</para>

    <table frame="none" lang="" role="" tabstyle="nogrid">
      <title>LDAP schema files</title>

      <tgroup cols="6">
        <thead>
          <row>
            <entry></entry>

            <entry>Account type</entry>

            <entry>Object class(es)</entry>

            <entry>Schema name</entry>

            <entry>Source</entry>

            <entry>Notes</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_unix.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Unix accounts</entry>

            <entry>posixAccount, shadowAccount, hostObject, posixGroup</entry>

            <entry>nis.schema, rfc2307bis.schema, ldapns.schema
            (hostObject)</entry>

            <entry>Part of OpenLDAP installation, part of libpam-ldap
            (ldapns.schema)</entry>

            <entry>The rfc2307bis.schema is only supported by LAM Pro. Use the
            nis.schema if you do not want to upgrade to LAM Pro.</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_inetOrgPerson.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Address book entries</entry>

            <entry>inetOrgPerson</entry>

            <entry>inetorgperson.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_samba.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Samba 3 accounts</entry>

            <entry>sambaSamAccount, sambaGroupMapping, sambaDomain</entry>

            <entry>samba.schema</entry>

            <entry>Part of Samba tarball (examples/LDAP/samba.schema)</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_samba.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Windows AD (Samba 4)</entry>

            <entry>user, group, computer</entry>

            <entry></entry>

            <entry>Samba 4 built-in</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_kolab.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Kolab 2 users</entry>

            <entry>kolabUser</entry>

            <entry>kolab2.schema, rfc2739.schema</entry>

            <entry>Part of Kolab 2 installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_asterisk.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Asterisk (extension)</entry>

            <entry>AsteriskSIPUser, AsteriskExtension</entry>

            <entry>asterisk.schema</entry>

            <entry>Part of Asterisk installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_mailAlias.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Mail routing</entry>

            <entry>inetLocalMailRecipient</entry>

            <entry>misc.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_hostObject.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Hosts</entry>

            <entry>hostObject, device</entry>

            <entry>ldapns.schema</entry>

            <entry>Part of libpam-ldap installation</entry>

            <entry>The device object class is only available in LAM
            Pro.</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_authorizedServices.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Authorized services</entry>

            <entry>authorizedServiceObject</entry>

            <entry>ldapns.schema</entry>

            <entry>Part of libpam-ldap installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_mailAlias.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Mail aliases</entry>

            <entry>nisMailAlias</entry>

            <entry>misc.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_mailAlias.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Qmail user</entry>

            <entry>qmailUser</entry>

            <entry>qmail.schema</entry>

            <entry>Part of <ulink
            url="http://www.nrg4u.com/">qmail_ldap</ulink></entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_mac.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>MAC addresses</entry>

            <entry>ieee802device</entry>

            <entry>nis.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_ipHost.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>IP addresses</entry>

            <entry>ipHost</entry>

            <entry>nis.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_puppet.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Puppet</entry>

            <entry>puppetClient</entry>

            <entry>puppet.schema</entry>

            <entry><ulink
            url="https://github.com/puppetlabs/puppet/blob/master/ext/ldap/puppet.schema">Puppet
            on GitHub</ulink></entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_user.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Simple Accounts</entry>

            <entry>account</entry>

            <entry>cosine.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_ssh.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>SSH public keys</entry>

            <entry>ldapPublicKey</entry>

            <entry>openssh-lpk.schema</entry>

            <entry>Included in patch from <ulink
            url="http://code.google.com/p/openssh-lpk/">http://code.google.com/p/openssh-lpk/</ulink></entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_quota.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Filesystem quotas</entry>

            <entry>systemQuotas</entry>

            <entry>quota.schema</entry>

            <entry><ulink
            url="http://sourceforge.net/projects/linuxquota/">Linux
            DiskQuota</ulink></entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_groupOfNames.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Group of (unique) names</entry>

            <entry>groupOfNames, groupOfUniqueNames</entry>

            <entry>core.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_dhcp.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>DHCP</entry>

            <entry>dhcpOptions, dhcpSubnet, dhcpServer</entry>

            <entry>dhcp.schema</entry>

            <entry>docs/schema/dhcp.schema</entry>

            <entry>The LDAP suffix should be set to your dhcpServer
            entry.</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_alias.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Aliases</entry>

            <entry>alias, uidObject</entry>

            <entry>core.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_netgroup.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>NIS netgroups</entry>

            <entry>nisNetgroup</entry>

            <entry>nis.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_nisObject.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>NIS objects</entry>

            <entry>nisObject</entry>

            <entry>nis.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_nisObject.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Automount objects</entry>

            <entry>automount</entry>

            <entry>autofs.schema, rfc2307bis.schema</entry>

            <entry>Autofs LDAP</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_ppolicy.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Password policies</entry>

            <entry>pwdPolicy, device</entry>

            <entry>ppolicy.schema, core.schema</entry>

            <entry>Part of OpenLDAP installation</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_freeRadius.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>FreeRadius users</entry>

            <entry>radiusprofile</entry>

            <entry>openldap.schema</entry>

            <entry>Part of FreeRadius installation</entry>

            <entry></entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_heimdal.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Heimdal Kerberos</entry>

            <entry>krb5KDCEntry</entry>

            <entry>hdb.schema</entry>

            <entry>Part of Heimdal Kerberos installation</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_mitKerberos.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>MIT Kerberos</entry>

            <entry>krbPrincipal, krbPrincipalAux, krbTicketPolicyAux</entry>

            <entry>kerberos.schema</entry>

            <entry>Part of MIT Kerberos installation</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_sudo.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Sudo roles</entry>

            <entry>sudoRole</entry>

            <entry>sudo.schema</entry>

            <entry>Part of sudo-ldap installation</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_zarafa.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>Zarafa</entry>

            <entry>zarafa-user, zarafa-group, zarafa-server</entry>

            <entry>zarafa.schema</entry>

            <entry>Part of Zarafa installation</entry>

            <entry>LAM Pro only</entry>
          </row>

          <row>
            <entry><inlinemediaobject>
                <imageobject>
                  <imagedata fileref="images/schema_mailAlias.png" />
                </imageobject>
              </inlinemediaobject></entry>

            <entry>IMAP mailboxes</entry>

            <entry>-</entry>

            <entry>-</entry>

            <entry>-</entry>

            <entry>Does not require any schema.</entry>
          </row>
        </tbody>
      </tgroup>
    </table>
  </appendix>

  <appendix id="a_security">
    <title>Security</title>

    <section id="a_configPasswords">
      <title>LAM configuration passwords</title>

      <para>LAM supports a two level authorization system for its
      configuration. Therefore, there are two types of configuration
      passwords:</para>

      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">master configuration
          password:</emphasis> needed to change general settings,
          create/delete server profiles and self service profiles</para>
        </listitem>

        <listitem>
          <para><emphasis role="bold">server profile password:</emphasis> used
          to change the settings of a server profile (e.g. LDAP server and
          account types to manage)</para>
        </listitem>
      </itemizedlist>

      <para>The master configuration password can be used to reset a server
      profile password. Each server profile has its own profile
      password.</para>

      <para>Both password types are stored as hash values in the configuration
      files for enhanced security.</para>
    </section>

    <section>
      <title>Use of SSL</title>

      <para>The data which is transfered between you and LAM is very
      sensitive. Please always use SSL encrypted connections between LAM and
      your browser to protect yourself against network sniffers.</para>
    </section>

    <section>
      <title>LDAP with SSL and TLS</title>

      <para>SSL will be used if you use ldaps://servername in your
      configuration profile. TLS can be activated with the "Activate TLS"
      option.</para>

      <para>If your LDAP server uses a SSL certificate of a well-know
      certificate authority (CA) then you probably need no changes. If you use
      a custom CA in your company then there are two ways to setup the CA
      certificates.</para>

      <section>
        <title>Setup SSL certificates in LAM general settings</title>

        <para>This is much easier than system level setup and will only affect
        LAM. There might be some cases where other web applications on the
        same web server are influenced.</para>

        <para>See <link linkend="conf_sslCert">here</link> for details.</para>
      </section>

      <section id="ssl_certSystem">
        <title>Setup SSL certificates on system level</title>

        <para>This will make the CA certificates available also to other
        applications on your system (e.g. other web applications).</para>

        <para>You will need to setup ldap.conf to trust your server
        certificate. Some installations use /etc/ldap.conf and some use
        /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
        /etc/ldap/ldap.conf. Specify the server CA certificate with the
        following option:</para>

        <programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>

        <para>This needs to be the public part of the signing certificate
        authority. See "man ldap.conf" for additional options.</para>

        <literallayout>
</literallayout>

        <para>You may also need to specify the CA certificate in your Apache
        configuration by using the option "LDAPTrustedGlobalCert":</para>

        <programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting>
      </section>
    </section>

    <section>
      <title>Chrooted servers</title>

      <para>If your server is chrooted and you have no access to /dev/random
      or /dev/urandom this can be a security risk. LAM stores your LDAP
      password encrypted in the session. LAM uses rand() to generate the key
      if /dev/random and /dev/urandom are not accessible. Therefore the key
      can be easily guessed. An attaker needs read access to the session file
      (e.g. by another Apache instance) to exploit this.</para>
    </section>

    <section>
      <title>Protection of your LDAP password and directory contents</title>

      <para>You have to install the MCrypt extension for PHP to enable
      encryption.</para>

      <para>Your LDAP password is stored encrypted in the session file. The
      key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
      encrypt the password. All data that was read from LDAP and needs to be
      stored in the session file is also encrypted.</para>
    </section>

    <section>
      <title>Apache configuration</title>

      <section>
        <title>Sensitive directories</title>

        <para>LAM includes several .htaccess files to protect your
        configuration files and temporary data. Apache is often configured to
        not use .htaccess files by default. Therefore, please check your
        Apache configuration and change the override setting to:</para>

        <para>AllowOverride All</para>

        <para>If you are experienced in configuring Apache then you can also
        copy the security settings from the .htaccess files to your main
        Apache configuration.</para>

        <para>If possible, you should not rely on .htaccess files but also
        move the config and sess directory to a place outside of your WWW
        root. You can put a symbolic link in the LAM directory so that LAM
        finds the configuration/session files.</para>

        <para>Security sensitive directories:</para>

        <para><emphasis role="bold">config: </emphasis>Contains your LAM
        configuration and account profiles</para>

        <itemizedlist>
          <listitem>
            <para>LAM configuration passwords (SSHA hashed)</para>
          </listitem>

          <listitem>
            <para>default values for new accounts</para>
          </listitem>

          <listitem>
            <para>directory must be accessibly by Apache but needs not to be
            accessible by the browser</para>
          </listitem>
        </itemizedlist>

        <para><emphasis role="bold">sess:</emphasis> PHP session files</para>

        <itemizedlist>
          <listitem>
            <para>LAM admin password in clear text or MCrypt encrypted</para>
          </listitem>

          <listitem>
            <para>cached LDAP entries in clear text or MCrypt encrypted</para>
          </listitem>

          <listitem>
            <para>directory must be accessibly by Apache but needs not to be
            accessible by the browser</para>
          </listitem>
        </itemizedlist>

        <para><emphasis role="bold">tmp:</emphasis> temporary files</para>

        <itemizedlist>
          <listitem>
            <para>PDF documents which may also include passwords</para>
          </listitem>

          <listitem>
            <para>images of your users</para>
          </listitem>

          <listitem>
            <para>directory contents must be accessible by browser but
            directory itself needs not to be browseable</para>
          </listitem>
        </itemizedlist>
      </section>

      <section id="apache_http_auth">
        <title>Use LDAP HTTP authentication for LAM</title>

        <para>With HTTP authentication Apache will be responsible to ask for
        the user name and password. Both will then be forwarded to LAM which
        will use it to access LDAP. This approach gives you more flexibility
        to restrict the number of users that may access LAM (e.g. by requiring
        group memberships).</para>

        <para>First of all you need to load additional Apache modules. These
        are "<ulink
        url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>"
        and "<ulink type=""
        url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para>

        <para>Next you can add a file called "lam_auth_ldap" to
        /etc/apache/conf.d. This simple example restricts access to all URLs
        beginning with "lam" to LDAP authentication.</para>

        <programlisting>&lt;location /lam&gt;
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  Require valid-user
&lt;/location&gt;</programlisting>

        <para>You can also require that your users belong to a certain Unix
        group in LDAP:</para>

        <programlisting>&lt;location /lam&gt;
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  Require valid-user
  # force membership of lam-admins
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
&lt;/location&gt;</programlisting>

        <para>Please see the <ulink
        url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">Apache
        documentation</ulink> for more details.</para>
      </section>
    </section>
  </appendix>

  <appendix>
    <title>Typical OpenLDAP settings</title>

    <para>Some basic hints to configure the OpenLDAP server:</para>

    <para><emphasis role="bold">Size limit:</emphasis></para>

    <para>You will get a message like "LDAP sizelimit exceeded, not all
    entries are shown." when you hit the LDAP search limit.</para>

    <para>OpenLDAP allows by default 500 return values per search, if you have
    more users/groups/hosts please change this:</para>

    <para>slapd.conf:</para>

    <para>e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return
    values</para>

    <para>slapd.d:</para>

    <para>e.g. "olcSizeLimit: 10000" or "olcSizeLimit: -1" for unlimited
    return values in etc/ldap/slapd.d/cn=config.ldif</para>

    <literallayout>
</literallayout>

    <para><emphasis id="a_openldap_unique" role="bold">Unique
    attributes:</emphasis></para>

    <para>There are cases where you do not want that same attribute values
    exist multiple times in your database. A good example are UID/GID
    numbers.</para>

    <para>OpenLDAP provides the <ulink
    url="http://www.openldap.org/doc/admin24/overlays.html">attribute
    uniqueness overlay</ulink> for this task.</para>

    <para>Example to force unique UID numbers:</para>

    <para>In
    <emphasis>/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif</emphasis> add
    "olcModuleLoad: {3}unique" (replace "3" with the highest existing number
    plus one).</para>

    <para>Now in /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif add e.g.
    "olcUniqueURI: ldap:///?uidNumber?sub"</para>

    <literallayout>
</literallayout>

    <para><emphasis role="bold">Indices:</emphasis></para>

    <para>Indices will improve the performance when searching for entries in
    the LDAP directory. The following indices are recommended:</para>

    <simplelist>
      <member>index objectClass eq</member>

      <member>index default sub</member>

      <member>index uidNumber eq</member>

      <member>index gidNumber eq</member>

      <member>index memberUid eq</member>

      <member>index cn,sn,uid,displayName pres,sub,eq</member>

      <member># Samba 3.x</member>

      <member>index sambaSID eq</member>

      <member>index sambaPrimaryGroupSID eq</member>

      <member>index sambaDomainName eq</member>
    </simplelist>
  </appendix>

  <appendix id="a_lamdaemon">
    <title>Setup for home directory and quota management</title>

    <para>Lamdaemon.pl is used to modify quota and home directories on a
    remote or local host via SSH (even if homedirs are located on
    localhost).</para>

    <para>If you want wo use it you have to set up the following things to get
    it to work:</para>

    <section id="a_lamdaemonConf">
      <title>LDAP Account Manager configuration</title>

      <itemizedlist>
        <listitem>
          <para>Set the remote or local host in the configuration (e.g.
          127.0.0.1)</para>
        </listitem>

        <listitem>
          <para>Path to lamdaemon.pl, e.g.
          /srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a Debian or
          RPM package then the script will be located at
          /usr/share/ldap-account-manager/lib/lamdaemon.pl.</para>
        </listitem>

        <listitem>
          <para>Your LAM admin user must be a valid Unix account. It needs to
          have the object class "posixAccount" and an attribute "uid". This
          account must be accepted by the SSH daemon of your home directory
          server. Do not create a second local account but change your system
          to accept LDAP users. You can use LAM to add the Unix account part
          to your admin user or create a new account. Please do not forget to
          setup LDAP write access (<ulink
          url="http://www.openldap.org/doc/admin24/access-control.html">ACLs</ulink>)
          if you create a new account.</para>
        </listitem>
      </itemizedlist>

      <para></para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/lamdaemon.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para>Note that the builtin admin/manager entries do not work for
      lamdaemon. You need to login with a Unix account.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/lamdaemon1.png" />
          </imageobject>
        </mediaobject>
      </screenshot>

      <para><emphasis role="bold">OpenLDAP ACL location:</emphasis></para>

      <para>The access rights for OpenLDAP are configured in
      /etc/ldap/slapd.conf or
      /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.</para>
    </section>

    <section>
      <title>Setup sudo</title>

      <para>The perl script has to run as root. Therefore we need a wrapper,
      sudo. Edit /etc/sudoers on host where homedirs or quotas should be used
      and add the following line:</para>

      <para>$admin All= NOPASSWD: $path_to_lamdaemon *</para>

      <para><emphasis condition="">$admin</emphasis> is the admin user from
      LAM (must be a valid Unix account) and
      <emphasis>$path_to_lamdaemon</emphasis> is the path to
      lamdaemon.pl.</para>

      <para><emphasis role="bold">Example:</emphasis></para>

      <para>myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
      *</para>

      <para>You might need to run the sudo command once manually to init sudo.
      The command "sudo -l" will show all possible sudo commands of the
      current user.</para>

      <para><emphasis role="bold">Attention:</emphasis> Please do not use the
      options "Defaults requiretty" and "Defaults env_reset" in /etc/sudoers.
      Otherwise you might get errors like "you must have a tty to run sudo" or
      "no tty present and no askpass program specified".</para>
    </section>

    <section>
      <title>Setup Perl</title>

      <para>We need an extra Perl module - Quota. To install it, run:</para>

      <simplelist>
        <member>perl -MCPAN -e shell</member>

        <member>install Quota</member>
      </simplelist>

      <para>If your Perl executable is not located in /usr/bin/perl you will
      have to edit the path in the first line of lamdaemon.pl. If you have
      problems compiling the Perl modules try installing a newer release of
      your GCC compiler and the "make" application.</para>

      <para>Several Linux distributions already include a quota package for
      Perl.</para>
    </section>

    <section>
      <title>Set up SSH</title>

      <para>Your SSH daemon must offer the password authentication method. To
      activate it just use this configuration option in
      /etc/ssh/sshd_config:</para>

      <para>PasswordAuthentication yes</para>
    </section>

    <section>
      <title>Troubleshooting</title>

      <para>If you have problems managing quotas and home directories then
      these points might help:</para>

      <itemizedlist>
        <listitem>
          <para>There is a test page for lamdaemon: Login to LAM and open
          Tools -&gt; Tests -&gt; Lamdaemon test</para>
        </listitem>

        <listitem>
          <para>Check /var/log/auth.log or its equivalent on your system. This
          file contains messages about all logins. If the ssh login failed
          then you will find a description about the reason here.</para>
        </listitem>

        <listitem>
          <para>Set sshd in debug mode. In /etc/ssh/sshd_conf add these
          lines:</para>

          <simplelist>
            <member>SyslogFacility AUTH</member>

            <member>LogLevel DEBUG3</member>
          </simplelist>

          <para>Now check /var/log/syslog for messages from sshd.</para>
        </listitem>
      </itemizedlist>

      <para>Error message <emphasis role="bold">"Your LAM admin user (...)
      must be a valid Unix account to work with lamdaemon!"</emphasis>: This
      happens if you use the default LDAP admin/manager user to login to LAM.
      Please see <link linkend="a_lamdaemonConf">here</link> and setup a Unix
      account.</para>
    </section>
  </appendix>

  <appendix>
    <title>Clustering LAM</title>

    <para>LAM is a web application based on PHP. Therefore, clustering is not
    directly a part of the application.</para>

    <para>But here are some hints to run LAM in a clustered
    environment.</para>

    <para><emphasis role="bold">Application parts:</emphasis></para>

    <para>LAM can be divided into three parts</para>

    <itemizedlist>
      <listitem>
        <para>Software</para>
      </listitem>

      <listitem>
        <para>Configuration files</para>
      </listitem>

      <listitem>
        <para>Session files and temporary data</para>
      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">Software:</emphasis></para>

    <para>This is the simplest part. Just install LAM on each cluster node.
    Please note that if you run LAM Pro you will need either one license for
    each active cluster node or a company license.</para>

    <para><emphasis role="bold">Configuration files:</emphasis></para>

    <para>These files include the LAM server profiles, account profiles, PDF
    structures, ... Usually, they do not change frequently and can be put on a
    shared file system (e.g. NFS, AFS, ...).</para>

    <para>Please link "config" or "/var/lib/ldap-account-manager/config" to a
    directory on your shared file system.</para>

    <para><emphasis role="bold">Session data and temporary
    files:</emphasis></para>

    <para>These are critical because the files may change on every page load.
    There are basically two options:</para>

    <itemizedlist>
      <listitem>
        <para>load balancer with session stickiness: In this case your load
        balancer will forward all requests of a user to the same cluster node.
        In this case you can keep the files locally on your cluster nodes. If
        you already have a load balancer then this is the simplest solution
        and performs best. The disadvantage is that if a node fails then all
        users connected to this node will loose their session and need to
        relogin.</para>
      </listitem>

      <listitem>
        <para>shared file system: This should only be used if your load
        balancer does not support session stickiness or you use a different
        system to distribute request across the cluster. A shared file system
        will decrease performance for all page loads.</para>
      </listitem>
    </itemizedlist>

    <para>Session data and temporary files are located in "tmp" + "sess" or
    "/var/lib/ldap-account-manager/tmp" +
    "/var/lib/ldap-account-manager/sess".</para>
  </appendix>

  <appendix>
    <title>Troubleshooting</title>

    <para>If you get any strange errors like "Invalid syntax" or "Invalid DN
    syntax" please check if your LDAP schema matches LAM's
    requirements.</para>

    <para><emphasis role="bold">Schema test:</emphasis></para>

    <para>This can be done by running "Tools" -&gt; "Tests" -&gt; "Schema
    test" inside LAM.</para>

    <para>If there are any object classes or attributes missing you will get a
    notice. See <link linkend="a_schema">LDAP schema files</link> for a list
    of used schemas. You may also want to deactive unused modules in your LAM
    server profile (tab "Modules").</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/schemaTest.png" />
        </imageobject>
      </mediaobject>
    </screenshot>

    <para><emphasis role="bold">Logging:</emphasis></para>

    <para>If your schema is correct you can turn on LDAP logging to get more
    detailed error messages from your LDAP server.</para>

    <para><emphasis role="bold">OpenLDAP logging:</emphasis></para>

    <itemizedlist>
      <listitem>
        <para>slapd.conf: In /etc/ldap/slapd.conf turn logging on with the
        line "loglevel 256".</para>
      </listitem>

      <listitem>
        <para>slapd.d: In /etc/ldap/slapd.d/cn=config.ldif please change the
        attribute "olcLogLevel" to "Stats". Please add a line "olcLogLevel:
        Stats" if the attribute is missing.</para>
      </listitem>
    </itemizedlist>

    <para>After changing the configuration please restart OpenLDAP. It usually
    uses /var/log/syslog for log output.</para>
  </appendix>
</book>