<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
<book>
|
|
<title>LDAP Account Manager - Manual</title>
|
|
|
|
<preface>
|
|
<title>Overview</title>
|
|
|
|
<para>LDAP Account Manager (LAM) manages user, group and host accounts in
|
|
an LDAP directory. LAM runs on any webserver with PHP5 support and
|
|
connects to your LDAP server unencrypted or via SSL/TLS.</para>
|
|
|
|
<para>Currently LAM supports these account types: Samba 3, Unix, Kolab 2,
|
|
address book entries, NIS mail aliases and MAC addresses. There is a tree
|
|
viewer included to allow access to the raw LDAP attributes. You can use
|
|
templates for account creation and use multiple configuration profiles.
|
|
LAM is translated to Catalan, Chinese (Traditional + Simplified), Czech,
|
|
Dutch, English, French, German, Hungarian, Italian, Japanese, Polish,
|
|
Portuguese, Russian and Spanish.</para>
|
|
|
|
<para><ulink
|
|
url="http://www.ldap-account-manager.org/">http://www.ldap-account-manager.org/</ulink></para>
|
|
|
|
<para>Copyright (C) 2003 - 2010</para>
|
|
|
|
<simplelist>
|
|
<member>Michael Duergner &lt;michael@duergner.com&gt;</member>

<member>Roland Gruber &lt;post@rolandgruber.de&gt;</member>

<member>Tilo Lutz &lt;tilolutz@gmx.de&gt;</member>
|
|
</simplelist>
|
|
|
|
<para><emphasis role="bold">Key features:</emphasis></para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>managing user/group/host/domain entries</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>account profiles</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>account creation via file upload</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>multiple configuration profiles</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>LDAP browser</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>schema browser</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>OU editor</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>PDF export for all accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>manage user/group Quota and create home directories</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">Requirements:</emphasis></para>
|
|
|
|
<simplelist>
|
|
<member>PHP5 (>= 5.1)</member>
|
|
|
|
<member>Openldap (2.0 or greater)</member>
|
|
|
|
<member>A web browser that supports CSS and JavaScript</member>
|
|
</simplelist>
|
|
|
|
<para>The default password to edit the configuration options is
|
|
"lam".</para>
|
|
|
|
<para><emphasis role="bold">License:</emphasis></para>
|
|
|
|
<para>LAM is published under the GNU General Public License. The complete
|
|
list of licenses can be found in the copyright file.</para>
|
|
|
|
<para><emphasis role="bold">Default password:</emphasis></para>
|
|
|
|
<para>The default password for the LAM configuration is "lam".</para>
|
|
|
|
<literallayout>
|
|
Have fun!
|
|
The LAM development team</literallayout>
|
|
</preface>
|
|
|
|
<preface>
|
|
<title>Architecture</title>
|
|
|
|
<para>There are basically two groups of users for LAM:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">LDAP administrators and support
|
|
staff:</emphasis></para>
|
|
|
|
<para>These people administer LDAP entries like user accounts, groups,
|
|
...</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Users:</emphasis></para>
|
|
|
|
<para>This includes all people who need to manage their own data
|
|
inside the LDAP directory. E.g. these people edit their contact
|
|
information with LAM self service (LAM Pro only).</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/lam_architecture.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Therefore, LAM is split into two separate parts, LAM for admins and
LAM for users. LAM for admins allows you to manage various types of LDAP
entries (e.g. users, groups, hosts, ...). It also contains tools like batch
upload, account profiles, an LDAP schema viewer and an LDAP browser. LAM
for users focuses on end users. It provides a self service for the users to
edit their personal data (e.g. contact information). The LAM administrator
specifies which data may be changed by the users. The layout is also
adaptable to your corporate design.</para>
|
|
|
|
<para>LAM for admins/users is accessible via HTTP(S) by all major web
|
|
browsers (Firefox, IE, Opera, ...).</para>
|
|
|
|
<para><emphasis role="bold">LAM runtime environment:</emphasis></para>
|
|
|
|
<para>LAM runs on PHP. Therefore, it is independent of CPU architecture
and operating system (OS). You can run LAM on any OS which supports Apache
or other PHP compatible web servers.</para>
|
|
|
|
<para><emphasis role="bold">Home directory server:</emphasis></para>
|
|
|
|
<para>You can manage user home directories and their quotas inside LAM.
|
|
The home directories may reside on the server where LAM is installed or
|
|
any remote server. The commands for home directory management are secured
|
|
by SSH. LAM will use the user name and password of the logged in LAM
|
|
administrator for authentication.</para>
|
|
|
|
<para><emphasis role="bold">LDAP directory:</emphasis></para>
|
|
|
|
<para>LAM connects to your LDAP server via standard LDAP protocol. It also
|
|
supports encrypted connections with SSL and TLS.</para>
|
|
</preface>
|
|
|
|
<chapter>
|
|
<title>Installation</title>
|
|
|
|
<section id="a_install">
|
|
<title>New installation</title>
|
|
|
|
<section>
|
|
<title>Requirements</title>
|
|
|
|
<para>LAM has the following requirements to run:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Apache webserver (SSL recommended) with PHP module (PHP 5
|
|
(>= 5.1) with ldap, gettext, xml and optional mcrypt)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Some LAM plugins may require additional PHP extensions (you
|
|
will get a note on the login page if something is missing)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Perl (optional, needed only for lamdaemon)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>OpenLDAP (>2.0)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>A web browser :-)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>MCrypt will be used to store your LDAP password encrypted in the
|
|
session file.</para>
|
|
|
|
<para>See <link linkend="a_schema">LDAP schema files</link> for
information about the LDAP schema files used.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Prepackaged releases</title>
|
|
|
|
<para>LAM is available as prepackaged version for various
|
|
platforms.</para>
|
|
|
|
<section>
|
|
<title>Debian</title>
|
|
|
|
<informaltable frame="none" tabstyle="noborder">
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/debian.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>LAM is part of the official Debian repository. New
releases are uploaded to unstable and will be available
automatically in testing and the stable releases. You can
run<literal> </literal><para><emphasis role="bold">apt-get
install ldap-account-manager</emphasis></para>to install LAM
on your server. Additionally, you may download the LAM
Debian packages from the <ulink type=""
url="http://www.ldap-account-manager.org/">LAM
homepage</ulink> or the <ulink
url="http://packages.debian.org/search?keywords=ldap-account-manager">Debian
package homepage</ulink>.</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Suse/Fedora</title>
|
|
|
|
<informaltable frame="none">
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/suse.png" />
|
|
</imageobject>
|
|
</inlinemediaobject><para></para><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/fedora.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>There are RPM packages available on the <ulink
type="" url="http://www.ldap-account-manager.org/">LAM
homepage</ulink>. The packages can be installed with this
command<para><emphasis role="bold">rpm -i &lt;path to LAM
package&gt;</emphasis></para></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Other RPM based distributions</title>
|
|
|
|
<para>The RPM packages for Suse/Fedora are very generic and should
|
|
be installable on other RPM-based distributions, too. The Fedora
|
|
packages use apache:apache as file owner and the Suse ones use
|
|
wwwrun:www.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>FreeBSD</title>
|
|
|
|
<informaltable frame="none">
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/freebsd.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>LAM is part of the official FreeBSD ports tree. For
|
|
more details see these pages:<para>FreeBSD-CVS: <ulink
|
|
url="http://www.freebsd.org/cgi/cvsweb.cgi/ports/sysutils/ldap-account-manager">http://www.freebsd.org/cgi/cvsweb.cgi/ports/sysutils/ldap-account-manager</ulink></para><para>FreshPorts:
|
|
<ulink
|
|
url="http://www.freshports.org/sysutils/ldap-account-manager">http://www.freshports.org/sysutils/ldap-account-manager</ulink></para></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Installing the tar.gz</title>
|
|
|
|
<section>
|
|
<title>Extract the archive</title>
|
|
|
|
<para>Please extract the archive with the following command:</para>
|
|
|
|
<para>tar xzf ldap-account-manager-&lt;version&gt;.tar.gz</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Install the files</title>
|
|
|
|
<section>
|
|
<title>Manual copy</title>
|
|
|
|
<para>Copy the files into the document root of the web server, for
example /apache/htdocs.</para>
|
|
|
|
<para>Then set the appropriate file permissions:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>lam/sess: write permission for apache user</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>lam/tmp: write permission for apache user</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>lam/config (with subdirectories): write permission for
|
|
apache user</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>lam/lib: lamdaemon.pl must be set executable (see also
docs/readme.lamdaemon.txt)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>With configure script</title>
|
|
|
|
<para>Instead of manually copying files you can also use the
|
|
included configure script to install LAM. Just run these commands
|
|
in the extracted directory:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>./configure</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>make install</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Options for "./configure":</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>--with-httpd-user=USER USER is the name of your Apache
|
|
user account (default httpd)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>--with-httpd-group=GROUP GROUP is the name of your
|
|
Apache group (default httpd)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>--with-web-root=DIRECTORY DIRECTORY is the name where
|
|
LAM should be installed (default /usr/local/lam)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Configuration files</title>
|
|
|
|
<para>Copy conf/config.cfg_sample to conf/config.cfg and
|
|
conf/lam.conf_sample to conf/lam.conf. Open the index.html in your
|
|
web browser:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Follow the link "LAM configuration" from the start page.
(The default password to edit all options is "lam".)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Select "Edit general settings" to setup global settings
|
|
and to change the configuration master password.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Select "Edit server profiles" to setup your server
|
|
profiles. There should be the lam profile which you just copied
|
|
from the sample file. The default password is "lam". Now change
|
|
the settings to fit for your environment.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>System configuration</title>
|
|
|
|
<section>
|
|
<title>PHP</title>
|
|
|
|
<para>LAM runs with PHP5 (>= 5.1). Needed changes in your
|
|
php.ini:</para>
|
|
|
|
<para>memory_limit = 64M</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Locales for non-English translation</title>
|
|
|
|
<para>If you want to use a translated version of LAM be sure to
|
|
install the needed locales. The following table shows the needed
|
|
locales for the different languages.</para>
|
|
|
|
<table>
|
|
<title>Locales</title>
|
|
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><emphasis role="bold">Language</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Locale</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Catalan</entry>
|
|
|
|
<entry>ca_ES.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Chinese (Simplified)</entry>
|
|
|
|
<entry>zh_CN.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Chinese (Traditional)</entry>
|
|
|
|
<entry>zh_TW.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Czech</entry>
|
|
|
|
<entry>cs_CZ.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Dutch</entry>
|
|
|
|
<entry>nl_NL.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>English</entry>
|
|
|
|
<entry>no extra locale needed</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>French</entry>
|
|
|
|
<entry>fr_FR.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>German</entry>
|
|
|
|
<entry>de_DE.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Hungarian</entry>
|
|
|
|
<entry>hu_HU.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Italian</entry>
|
|
|
|
<entry>it_IT.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Japanese</entry>
|
|
|
|
<entry>ja_JP.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Polish</entry>
|
|
|
|
<entry>pl_PL.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Portuguese</entry>
|
|
|
|
<entry>pt_BR.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Russian</entry>
|
|
|
|
<entry>ru_RU.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Spanish</entry>
|
|
|
|
<entry>es_ES.utf8</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>You can get a list of all installed locales on your system by
|
|
executing:</para>
|
|
|
|
<para>locale -a</para>
|
|
|
|
<para>Debian users can add locales with "dpkg-reconfigure
|
|
locales".</para>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Upgrading LAM or migrating from LAM to LAM Pro</title>
|
|
|
|
<section>
|
|
<title>Migrating configuration files</title>
|
|
|
|
<para>First, you need to make a backup of your existing configuration
|
|
files.</para>
|
|
|
|
<para>LAM stores all configuration files in the "config" folder.
|
|
Please backup the following files and copy them after the new version
|
|
is installed.</para>
|
|
|
|
<simplelist>
|
|
<member>config/*.conf</member>
|
|
|
|
<member>config/config.cfg</member>
|
|
|
|
<member>config/pdf/*.xml</member>
|
|
|
|
<member>config/profiles/*.xml</member>
|
|
</simplelist>
|
|
|
|
<para>LAM Pro only:</para>
|
|
|
|
<simplelist>
|
|
<member>config/selfService/*.*</member>
|
|
|
|
<member>config/passwordMailTemplate.txt</member>
|
|
</simplelist>
|
|
|
|
<para>Second, <link linkend="a_uninstall">uninstall</link> your
|
|
current LAM (Pro) installation.</para>
|
|
|
|
<para>Third, <link linkend="a_install">install</link> the new LAM
|
|
(Pro) release. Skip the part about setting up LAM configuration
|
|
files.</para>
|
|
|
|
<para>Finally, restore your configuration files from the backup. Copy
|
|
all files from the backup folder to the config folder in your LAM Pro
|
|
installation. Do not simply replace the folder because the new LAM
|
|
(Pro) release might include additional files in this folder. Overwrite
|
|
any existing files with your backup files.</para>
|
|
|
|
<para>Now open your webbrowser and point it to the LAM login page. All
|
|
your settings should be migrated.</para>
|
|
|
|
<para>Please check also the <link linkend="a_versUpgrade">version
|
|
specific instructions</link>. They might include additional
|
|
actions.</para>
|
|
</section>
|
|
|
|
<section id="a_versUpgrade">
|
|
<title>Version specific upgrade instructions</title>
|
|
|
|
<section>
|
|
<title>2.2.0 -> 2.3.0</title>
|
|
|
|
<para><emphasis role="bold">LAM Pro:</emphasis> There is now a
|
|
separate account type for group of (unique) names. Please edit your
|
|
server profiles to activate the new account type.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>1.1.0 -> 2.2.0</title>
|
|
|
|
<para>No changes.</para>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="a_uninstall">
|
|
<title>Uninstallation of LAM (Pro)</title>
|
|
|
|
<para>If you used the prepackaged installation packages then remove the
|
|
ldap-account-manager and ldap-account-manager-lamdaemon packages.</para>
|
|
|
|
<para>Otherwise, remove the folder where you installed LAM via configure
|
|
or by copying the files.</para>
|
|
</section>
|
|
</chapter>
|
|
|
|
<chapter>
|
|
<title>Configuration</title>
|
|
|
|
<para>TODO</para>
|
|
|
|
<section>
|
|
<title>General settings</title>
|
|
|
|
<para>TODO</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Server profiles</title>
|
|
|
|
<para>TODO<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/lamProTypes.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot></para>
|
|
</section>
|
|
</chapter>
|
|
|
|
<chapter>
|
|
<title>Managing entries in your LDAP directory</title>
|
|
|
|
<para>This chapter will give you instructions how to manage the different
|
|
LDAP entries in your directory.</para>
|
|
|
|
<para>Please note that not all account types are manageable with the free
|
|
LAM release. LAM Pro provides some more account types and modules to
|
|
support additional LDAP object classes.</para>
|
|
|
|
<para><emphasis role="bold">Additional types:</emphasis></para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Group of names</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Aliases</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>NIS objects</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">Additional modules:</emphasis></para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Group of names (groupOfNames)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Group of unique names (groupOfUniqueNames)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Unix (rfc2307bisPosixGroup)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Alias (aliasEntry)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>User name (uidObject)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>NIS object (nisObject)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Custom scripts (customScripts)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<section>
|
|
<title>Groups</title>
|
|
|
|
<para></para>
|
|
|
|
<section>
|
|
<title>Unix groups with rfc2307bis schema (LAM Pro only)</title>
|
|
|
|
<para>Some applications (e.g. Suse Linux) use the rfc2307bis schema
|
|
for Unix accounts instead of the nis schema. In this case group
|
|
accounts are based on the object class groupOf(Unique)Names. The
|
|
object class is auxiliary in this case.</para>
|
|
|
|
<para>LAM Pro supports these groups with a special account module:
|
|
<emphasis role="bold">rfc2307bisPosixGroup</emphasis></para>
|
|
|
|
<para>Use this module only if your system depends on the rfc2307bis
|
|
schema. The module can be selected in the LAM configuration.</para>
|
|
|
|
<para><screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/rfc2307bis.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot></para>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Hosts</title>
|
|
|
|
<para></para>
|
|
|
|
<section>
|
|
<title>IP addresses (LAM Pro only)</title>
|
|
|
|
<para>You can manage the IP addresses of host accounts with the ipHost
|
|
module. It manages the following information:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>IP addresses (IPv4/IPv6)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>location of the host</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>manager: the person who is responsible for the host</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You can activate this extension by adding the module ipHost to
|
|
the list of active host modules.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ipHost.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Group of (unique) names (LAM Pro only)</title>
|
|
|
|
<para>These classes can be used to represent group relations. Since they
|
|
allow DNs as members you can also use them to represent nested groups.
|
|
Activate the account type "Group of names" in your LAM server profile to
|
|
use these account modules.</para>
|
|
|
|
<para>Group of (unique) names have four basic attributes:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Name: a unique name for the group</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Description: optional description</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Owner: the account which owns this group (optional)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Members: the members of the group (at least one is
|
|
required)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You can add any accounts as members. This includes other groups
|
|
which leads to nested groups.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Aliases (LAM Pro only)</title>
|
|
|
|
<para>Some applications use the object class "alias" to link LDAP
|
|
entries to other parts of the LDAP tree. Activate the account type
|
|
"Aliases" in your LAM server profile to use this account type.</para>
|
|
|
|
<para>Currently, only user accounts can be aliased with the "uidObject"
|
|
object class.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/alias.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>NIS objects (LAM Pro only)</title>
|
|
|
|
<para>You can manage NIS objects with LAM Pro. This allows you to define
network mount points in LDAP.</para>
|
|
|
|
<para>Add the NIS objects type to your LAM configuration and then the
|
|
NIS objects module. This will add the NIS objects tab to LAM.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisObject.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Custom scripts (LAM Pro only)</title>
|
|
|
|
<para>LAM Pro allows you to execute scripts whenever an account is
created, modified or deleted. This can be useful to automate processes
which previously needed manual work afterwards (e.g. sending your user a
welcome mail or registering a mailbox). To activate this feature please
add the "Custom scripts" module to all needed account types on the
configuration pages.</para>
|
|
|
|
<para>You can specify multiple scripts for each action type (e.g.
modify) and account type (e.g. user). The scripts need to be located on
the filesystem of your webserver and will be executed in its user
environment. E.g. if your webserver runs as user www-data with the group
www-data then the custom scripts will be run under this user with its
rights. The output of the scripts will be shown in LAM.</para>
|
|
|
|
<para>You can specify the scripts on the LAM configuration pages.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customScripts.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Syntax:</emphasis></para>
|
|
|
|
<para>Please enter one script per line. Each line has the following
format: &lt;account type&gt; &lt;action&gt; &lt;script&gt;</para>

<para>E.g.: user preModify /usr/bin/myCustomScript -u $uid$</para>
|
|
|
|
<para><emphasis role="bold">Account types:</emphasis></para>
|
|
|
|
<para>You can setup scripts for all available account types (e.g. user,
|
|
group, host, ...). Please see the help on the configuration page about
|
|
your current active account types.</para>
|
|
|
|
<para><emphasis role="bold">Actions:</emphasis></para>
|
|
|
|
<table>
|
|
<title>Action types</title>
|
|
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><emphasis role="bold">Action name</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Description</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>preCreate</entry>
|
|
|
|
<entry>executed before creating a new account (cancels operation
|
|
if a script returns an exit code > 0)</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>postCreate</entry>
|
|
|
|
<entry>executed after creating a new account</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>preModify</entry>
|
|
|
|
<entry>executed before the account is modified (cancels
|
|
operation if a script returns an exit code > 0)</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>postModify</entry>
|
|
|
|
<entry>executed after an account was modified</entry>
|
|
</row>
|
|
|
|
<row>
<entry>preDelete</entry>

<entry>executed before an account is deleted (cancels
operation if a script returns an exit code > 0)</entry>
</row>

<row>
<entry>postDelete</entry>

<entry>executed after an account was deleted</entry>
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para><emphasis role="bold">Script:</emphasis></para>
|
|
|
|
<para>You can execute any script which is located on the filesystem of
your webserver. The path may be absolute or relative to the
PATH variable of the environment of your webserver process. It is also
possible to add command line arguments to your scripts. Additionally, LAM
will resolve wildcards to LDAP attributes. If your script includes a
wildcard in the format $ATTRIBUTE$ then LAM will replace it with the
attribute value of the current LDAP entry. The values of multi-value
attributes are separated by commas. E.g. if you create an account with
the attribute "uid" and value "steve" then LAM will resolve "$uid$" to
"steve".</para>
<para>You can see a preview of the commands which will be executed on
|
|
the "Custom scripts" tab.</para>
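The script line format and the $ATTRIBUTE$ substitution described above, worked through in Python as an added example that is not LAM's code and does not show how LAM itself launches scripts: configuration lines are parsed into account type, action and command, and wildcards are resolved against a constructed sample entry to build the same kind of preview the "Custom scripts" tab shows. Two details are my assumptions, not documented behaviour: wildcards are substituted per argument so the result is an argv list rather than a shell string, and a wildcard naming an attribute the entry lacks is left untouched and reported.

```python
"""Parse LAM-style custom script lines and resolve $ATTRIBUTE$ wildcards.

Added illustration of the syntax described in the manual; it is not LAM's
own implementation. The sample LDAP entry and script lines are constructed.
"""
import re
import shlex
from dataclasses import dataclass

# Action names from the manual's "Action types" table.
ACTIONS = {"preCreate", "postCreate", "preModify", "postModify",
           "preDelete", "postDelete"}

# A wildcard is an LDAP attribute name enclosed in dollar signs, e.g. $uid$.
WILDCARD = re.compile(r"\$([A-Za-z][A-Za-z0-9-]*)\$")


@dataclass(frozen=True)
class ScriptLine:
    account_type: str   # e.g. "user", "group", "host"
    action: str         # one of ACTIONS
    argv: tuple         # script path followed by its arguments


def parse_script_line(line):
    """Split one configuration line into (account type, action, argv).

    Format from the manual: "account-type action script [args...]".
    The script part is tokenised with shlex so quoted arguments survive.
    """
    fields = line.strip().split(None, 2)
    if len(fields) != 3:
        raise ValueError("expected ACCOUNT_TYPE ACTION SCRIPT [ARGS]: %r" % line)
    account_type, action, command = fields
    if action not in ACTIONS:
        raise ValueError("unknown action %r (allowed: %s)"
                         % (action, ", ".join(sorted(ACTIONS))))
    return ScriptLine(account_type, action, tuple(shlex.split(command)))


def resolve_wildcards(argv, entry):
    """Replace $ATTRIBUTE$ in every argument with the entry's value(s).

    Multi-valued attributes are joined with commas, as the manual states.
    Substitution happens per argument (assumption), so the result is an
    argv list that can be passed to subprocess without a shell; a value
    containing spaces stays one argument. Attribute lookup is
    case-insensitive, as LDAP attribute names are. Returns the resolved
    argv and the names of wildcards the entry did not contain (assumption:
    those are left untouched rather than blanked).
    """
    lowered = {name.lower(): values for name, values in entry.items()}
    missing = []

    def substitute(match):
        name = match.group(1)
        values = lowered.get(name.lower())
        if values is None:
            missing.append(name)
            return match.group(0)
        return ",".join(values)

    resolved = tuple(WILDCARD.sub(substitute, arg) for arg in argv)
    return resolved, missing


def preview(lines, account_type, action, entry):
    """Mimic the "Custom scripts" tab preview: the commands that would run
    for one account type and action, with wildcards already resolved."""
    commands = []
    for line in lines:
        script = parse_script_line(line)
        if (script.account_type, script.action) != (account_type, action):
            continue
        argv, missing = resolve_wildcards(script.argv, entry)
        commands.append((argv, tuple(missing)))
    return commands


# Constructed sample: a user entry as it would look after the edit.
SAMPLE_ENTRY = {
    "uid": ["steve"],
    "mail": ["steve@example.com"],
    "memberOf": ["cn=dev,ou=groups,dc=example,dc=com",
                 "cn=ops,ou=groups,dc=example,dc=com"],
    "gecos": ["Steve Example (dev team)"],   # value containing spaces
}

# Constructed configuration, one script per line as on the LAM config page.
SAMPLE_CONFIG = [
    "user preModify /usr/bin/myCustomScript -u $uid$",
    "user postCreate /usr/local/bin/welcome-mail --to $mail$ --groups $memberOf$",
    "user postCreate /usr/local/bin/set-gecos $uid$ $gecos$ $roomNumber$",
    "group postCreate /usr/local/bin/group-hook $cn$",
]

if __name__ == "__main__":
    for argv, missing in preview(SAMPLE_CONFIG, "user", "postCreate", SAMPLE_ENTRY):
        note = " (unresolved: %s)" % ", ".join(missing) if missing else ""
        print(" ".join(shlex.quote(a) for a in argv) + note)
```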
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customScripts2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Tree view (LDAP browser)</title>
|
|
|
|
<para>The tree view provides a raw view on your LDAP directory. This
feature is for people who are experienced with LDAP and need special
functionality which the LAM account modules do not provide, e.g. if you
want to add a special object class to an account or edit attributes
ignoring LAM's syntax checks.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/tree1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>There are also some special functions available:</para>
|
|
|
|
<para><emphasis role="bold">Export:</emphasis> This allows you to export
|
|
entries to a file (e.g. LDIF or CSV format).</para>
|
|
|
|
<para><emphasis role="bold">Show internal attributes:</emphasis> Shows
|
|
internal attributes of the current entry. This includes information
|
|
about the creator and creation time of the entry.</para>
|
|
</section>
|
|
</chapter>
|
|
|
|
<chapter>
|
|
<title>Access levels and password reset page (LAM Pro only)</title>
|
|
|
|
<para>You can define different access levels for each profile to allow or
|
|
disallow write access. The password reset page helps your deskside support
|
|
staff to reset user passwords.</para>
|
|
|
|
<section>
|
|
<title id="s_accessLevel">Access levels</title>
|
|
|
|
<para>There are three access levels:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">Write access (default)</emphasis></para>
|
|
|
|
<para>There are no restrictions. LAM admin users can manage accounts,
create profiles and set passwords.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Change passwords</emphasis></para>
|
|
|
|
<para>Similar to "Read only" except that the <link
|
|
linkend="s_pwdReset">password reset page</link> is available.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Read only</emphasis></para>
|
|
|
|
<para>No write access to the LDAP database is allowed. It is also
|
|
impossible to manage account and PDF profiles.</para>
|
|
|
|
<para>Accounts may be viewed but no changes can be saved.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The access level can be set on the server configuration
|
|
page:</para>
|
|
|
|
<para><screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/accessLevel.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot></para>
|
|
</section>
|
|
|
|
<section id="s_pwdReset">
|
|
<title>Password reset page</title>
|
|
|
|
<para>This special page allows your deskside support staff to reset the
|
|
Unix and Samba passwords of your users. If you set the <link
|
|
linkend="s_accessLevel">access level</link> to "Change passwords" then
|
|
LAM will not allow any changes to the LDAP database except password
|
|
changes via this page. The account pages will be still available in
|
|
read-only mode.</para>
|
|
|
|
<para>You can open the password reset page by clicking on the key symbol
|
|
on each user account:</para>
|
|
|
|
<para><screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordReset1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>There are three different options to set a new
|
|
password:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">set random password and display it on
|
|
screen</emphasis></para>
|
|
|
|
<para>This will set the user's password to a random value. The
|
|
password will be 11 characters long with a random combination of
|
|
letters, digits and ".-_".</para>
|
|
|
|
<para>You may want to use this method to tell users their new
|
|
passwords via phone.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">set random password and mail it to
|
|
user</emphasis></para>
|
|
|
|
<para>If the user account has set the mail attribute then LAM can
|
|
send your user a mail with the new password. You can change the mail
|
|
template to fit your needs. See the help link for further
|
|
details.</para>
|
|
|
|
<para>Using this method prevents your support staff from learning the
new password.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">set specific password</emphasis></para>
|
|
|
|
<para>Here you can specify your own password.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordReset2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM will display contact information about the user like the
|
|
user's name, email address and telephone number. This will help your
|
|
deskside support to easily contact your users.</para>
|
|
|
|
<para><emphasis role="bold">Options:</emphasis></para>
|
|
|
|
<para>Depending on the account there may be additional options
|
|
available.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">Sync Samba NT/LM password with Unix
|
|
password:</emphasis> If a user account has Samba passwords set then
|
|
LAM will offer to synchronize the passwords.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Unlock Samba account:</emphasis> Locked
|
|
Samba accounts can be unlocked with the password change.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Update Samba password
|
|
timestamps:</emphasis> This will set the timestamps when the
|
|
password was changed (sambaPwdLastSet), may be changed again
|
|
(sambaPwdCanChange) and must be changed again (sambaPwdMustChange).
|
|
Only existing attributes are updated. No new attributes are
|
|
added.</para>
|
|
</listitem>
|
|
</itemizedlist>
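<para>The following is an added example and is not code from the LAM manual or the LAM project. It models the two Samba options described above: the timestamp update, which rewrites sambaPwdLastSet, sambaPwdCanChange and sambaPwdMustChange only where the entry already carries the attribute, and the unlock, which clears the "L" flag in sambaAcctFlags. The minimum and maximum password age values are assumed policy parameters, not values taken from LAM; the entry used for the demonstration is constructed.</para>

<programlisting>```python
import time

# Attributes named in the manual; a missing one is left missing, not added.
SAMBA_PWD_ATTRS = ("sambaPwdLastSet", "sambaPwdCanChange", "sambaPwdMustChange")


def update_samba_pwd_timestamps(entry, now=None, min_age=0, max_age=90 * 86400):
    """Return the LDAP modifications for the Samba password timestamps.

    entry   -- dict of attribute name to list of values, as read from LDAP
    now     -- Unix time of the password change (default: current time)
    min_age -- seconds before the password may be changed again (assumed policy value)
    max_age -- seconds until the password must be changed again (assumed policy value)
    """
    if now is None:
        now = int(time.time())
    wanted = {
        "sambaPwdLastSet": now,
        "sambaPwdCanChange": now + min_age,
        "sambaPwdMustChange": now + max_age,
    }
    # Only attributes already present on the entry are rewritten.
    return {attr: [str(wanted[attr])] for attr in SAMBA_PWD_ATTRS if attr in entry}


def unlock_samba_account(entry):
    """Clear the 'L' (locked) flag in sambaAcctFlags, keeping the field width intact."""
    if "sambaAcctFlags" not in entry:
        return dict(entry)
    flags = entry["sambaAcctFlags"][0]
    inner = flags.strip("[]")
    cleared = inner.replace("L", "").ljust(len(inner))
    updated = dict(entry)
    updated["sambaAcctFlags"] = ["[" + cleared + "]"]
    return updated


def apply_modifications(entry, mods):
    """Merge a modification dict into a copy of the entry."""
    updated = dict(entry)
    updated.update(mods)
    return updated


if __name__ == "__main__":
    # Constructed entry: has LastSet and MustChange but no CanChange attribute.
    sample = {
        "uid": ["jdoe"],
        "sambaPwdLastSet": ["0"],
        "sambaPwdMustChange": ["0"],
        "sambaAcctFlags": ["[UL         ]"],
    }
    mods = update_samba_pwd_timestamps(sample, now=1000, min_age=60, max_age=3600)
    print("modifications:", mods)
    print("unlocked flags:", unlock_samba_account(sample)["sambaAcctFlags"])
```</programlisting>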
|
|
|
|
|
|
</section>
|
|
</chapter>
|
|
|
|
<chapter>
|
|
<title>Self service (LAM Pro only)</title>
|
|
|
|
<section>
|
|
<title>Preparations</title>
|
|
|
|
<section>
|
|
<title>OpenLDAP ACLs</title>
|
|
|
|
<para>By default only a few administrative users have write access to
|
|
the LDAP database. Before your users may change their settings you
|
|
must allow them to change their LDAP data.</para>
|
|
|
|
<para>This can be done by adding an ACL to your slapd.conf which looks
|
|
like this:</para>
|
|
|
|
<literallayout>access to attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,password
        by self write</literallayout>
|
|
|
|
<para>If you do not want them to change all attributes then reduce the
|
|
list to fit your needs. Some modules may require additional LDAP
|
|
attributes.</para>
|
|
|
|
<para>Usually, the slapd.conf file is located in /etc/ldap or
|
|
/etc/openldap.</para>
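<para>The following is an added example of a complete slapd.conf ACL set for self service; it is not taken from the LAM manual. It uses userPassword, the attribute name defined in OpenLDAP's core schema for the password, assumes the suffix dc=example,dc=com and an administrative DN cn=admin,dc=example,dc=com, and keeps the attribute list from the manual. The ordering is the security-relevant part: slapd applies the first "access to" clause that matches the attribute, so the password rule must come before any general rule, and "by * none" at its end stops other authenticated users from reading password hashes while "by anonymous auth" still permits the bind that the self service login performs.</para>

<programlisting>```text
# Password attribute: the user may change it, anyone may bind with it,
# nobody else may read it. The rootdn bypasses ACLs; other administrators
# need an explicit clause such as the one for cn=admin.
access to attrs=userPassword
        by self write
        by dn.exact="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by * none

# Personal data the self service may edit. Reduce the list if your users
# should not be able to change all of these attributes.
access to attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode
        by self write
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read

# Everything else stays read-only for ordinary users.
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read
```</programlisting>

<para>After editing slapd.conf, restart slapd and test with an ldapwhoami or ldapsearch bind as an ordinary user: the bind must succeed, but a search for userPassword as that user must return no value for other entries.</para>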
|
|
</section>
|
|
|
|
<section>
|
|
<title>Other LDAP servers</title>
|
|
|
|
<para>There exist many LDAP implementations. If you do not use
|
|
OpenLDAP you need to write your own ACLs. Please check the manual of
|
|
your LDAP server for instructions.</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Creating a self service profile</title>
|
|
|
|
<para>A self service profile defines what input fields your users see
|
|
and some other general settings like the login caption.</para>
|
|
|
|
<para>When you go to the LAM configuration page you will see the self
service link at the bottom. This will lead you to the self service
configuration pages.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf1.jpg" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now we need to create a new self service profile. Click on the
|
|
link to manage the self service profiles.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf2.jpg" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Specify a name for the new profile and enter your master
configuration password (default is "lam") to save the profile.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf3.jpg" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now go back to the profile login and enter your master
|
|
configuration password to edit your new profile.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Edit your new profile</title>
|
|
|
|
<para>On top of the page you see the link to the user login page. Copy
|
|
this link address and give it to your users.</para>
|
|
|
|
<para>Below the link you can specify several options.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf4.jpg" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<table>
|
|
<title>General options</title>
|
|
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry>Server address</entry>
|
|
|
|
<entry>The address of your LDAP server</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>LDAP suffix</entry>
|
|
|
|
<entry>The part of the LDAP tree where LAM should search for
|
|
users</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>LDAP user + password</entry>
|
|
|
|
<entry>The DN and password which is used to search for users in
|
|
the LDAP database. It is sufficient if this DN has only read
|
|
rights. If you leave these fields empty LAM will try to connect
|
|
anonymously.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>LDAP search attribute</entry>
|
|
|
|
<entry>Here you can specify if your users can login with user
|
|
name + password, email + password or other attributes.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Login attribute label</entry>
|
|
|
|
<entry>This is the description for the LDAP search attribute.
|
|
Set it to something which your users are familiar with.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Login caption</entry>
|
|
|
|
<entry>This text is displayed at the login page. You can input
|
|
HTML, too.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Main page caption</entry>
|
|
|
|
<entry>This text is displayed at self service main page where
|
|
your users change their data. You can input HTML, too.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Page header</entry>
|
|
|
|
<entry>This HTML code will be placed on top of all self service
|
|
pages. E.g. you can use this to place your custom logo. Any HTML
|
|
code is permitted.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Additional CSS links</entry>
|
|
|
|
<entry>Here you can specify additional CSS links to change the
|
|
layout of the self service pages. This is useful to adapt them
|
|
to your corporate design. Please enter one link per
|
|
line.</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>On the bottom you can specify what input fields your users can
|
|
see. It is also possible to group several input fields.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf5.jpg" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Adapt the self service to your corporate design</title>
|
|
|
|
<para>LAM Pro allows you to integrate custom CSS style definitions and
design the header of all self service pages. This way you can integrate
your own logo and use your company's colors.</para>
|
|
|
|
<section>
|
|
<title>Custom header</title>
|
|
|
|
<para>The default LAM Pro header includes a logo and a horizontal
line. You can enter any HTML code here. It will be included in the
self service pages after the body tag.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configPageHeader.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>CSS files</title>
|
|
|
|
<para>Usually, companies have regulations about their corporate design
and use common CSS files. This assures a common appearance of all
intranet pages (e.g. colors and fonts). To include additional CSS
files, use the following setting. The additional CSS links will be
added after LAM Pro's default CSS link. This way you can overwrite LAM
Pro's style.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configCSS.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
</chapter>
|
|
|
|
<appendix id="a_schema">
|
|
<title>LDAP schema files</title>
|
|
|
|
<para>Here is a list of needed LDAP schema files for the different LAM
|
|
modules. For OpenLDAP we also provide a source where you can get the
|
|
files.</para>
|
|
|
|
<table frame="none" lang="" role="" tabstyle="nogrid">
|
|
<title>LDAP schema files</title>
|
|
|
|
<tgroup cols="6">
|
|
<thead>
|
|
<row>
|
|
<entry></entry>
|
|
|
|
<entry>Account type</entry>
|
|
|
|
<entry>Object class(es)</entry>
|
|
|
|
<entry>Schema name</entry>
|
|
|
|
<entry>Source</entry>
|
|
|
|
<entry>Notes</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_unix.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Unix accounts</entry>
|
|
|
|
<entry>posixAccount, shadowAccount, posixGroup</entry>
|
|
|
|
<entry>nis.schema, rfc2307bis.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>The rfc2307bis.schema is only supported by LAM Pro. Use the
|
|
nis.schema if you do not want to upgrade to LAM Pro.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_inetOrgPerson.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Address book entries</entry>
|
|
|
|
<entry>inetOrgPerson</entry>
|
|
|
|
<entry>inetorgperson.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_samba.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Samba 3 accounts</entry>
|
|
|
|
<entry>sambaSamAccount, sambaGroupMapping, sambaDomain</entry>
|
|
|
|
<entry>samba.schema</entry>
|
|
|
|
<entry>Part of Samba tarball (examples/LDAP/samba.schema)</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_kolab.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Kolab 2 users</entry>
|
|
|
|
<entry>kolabUser</entry>
|
|
|
|
<entry>kolab2.schema, rfc2739.schema</entry>
|
|
|
|
<entry>Part of Kolab 2 installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_asterisk.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Asterisk (extension)</entry>
|
|
|
|
<entry>AsteriskSIPUser, AsteriskExtension</entry>
|
|
|
|
<entry>asterisk.schema</entry>
|
|
|
|
<entry>Part of Asterisk installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_mailAlias.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Mail routing</entry>
|
|
|
|
<entry>inetLocalMailRecipient</entry>
|
|
|
|
<entry>misc.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_mailAlias.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Mail aliases</entry>
|
|
|
|
<entry>nisMailAlias</entry>
|
|
|
|
<entry>misc.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_mac.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>MAC addresses</entry>
|
|
|
|
<entry>ieee802device</entry>
|
|
|
|
<entry>nis.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_user.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Simple Accounts</entry>
|
|
|
|
<entry>account</entry>
|
|
|
|
<entry>cosine.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_ssh.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>SSH public keys</entry>
|
|
|
|
<entry>ldapPublicKey</entry>
|
|
|
|
<entry>openssh-lpk.schema</entry>
|
|
|
|
<entry>Included in patch from <ulink
|
|
url="http://code.google.com/p/openssh-lpk/">http://code.google.com/p/openssh-lpk/</ulink></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_groupOfNames.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Group of (unique) names</entry>
|
|
|
|
<entry>groupOfNames, groupOfUniqueNames</entry>
|
|
|
|
<entry>core.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>These modules are only available in LAM Pro.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_phpgroupware.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>phpGroupWare</entry>
|
|
|
|
<entry>phpGroupwareUser, phpGroupwareGroup</entry>
|
|
|
|
<entry>phpgroupware.schema</entry>
|
|
|
|
<entry><ulink
|
|
url="http://www.phpgroupware.org/">http://www.phpgroupware.org/</ulink></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_dhcp.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>DHCP</entry>
|
|
|
|
<entry>dhcpOptions, dhcpSubnet, dhcpServer</entry>
|
|
|
|
<entry>dhcp.schema</entry>
|
|
|
|
<entry>docs/schema/dhcp.schema</entry>
|
|
|
|
<entry>The LDAP suffix should be set to your dhcpServer
|
|
entry.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_alias.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Aliases</entry>
|
|
|
|
<entry>alias, uidObject</entry>
|
|
|
|
<entry>core.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>These modules are only available in LAM Pro.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_netgroup.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>NIS netgroups</entry>
|
|
|
|
<entry>nisNetgroup</entry>
|
|
|
|
<entry>nis.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_nisObject.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>NIS objects</entry>
|
|
|
|
<entry>nisObject</entry>
|
|
|
|
<entry>nis.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>This module is only available in LAM Pro.</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
</appendix>
|
|
|
|
<appendix id="a_security">
|
|
<title>Security</title>
|
|
|
|
<section>
|
|
<title>Use of SSL</title>
|
|
|
|
<para>The data which is transferred between you and LAM is very
sensitive. Please always use SSL encrypted connections between LAM and
your browser to protect yourself against network sniffers.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>LDAP with SSL and TLS</title>
|
|
|
|
<para>SSL will be used if you use ldaps://servername in your
|
|
configuration profile. TLS can be activated with the "Activate TLS"
|
|
option.</para>
|
|
|
|
<para>You will need to set up ldap.conf to trust your server certificate.
Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf.
It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf.
Specify the server CA certificate with the following option:</para>

<literallayout>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</literallayout>

<para>This needs to be the public part of the signing certificate
authority. See "man ldap.conf" for additional options.</para>
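<para>The following is an added example and is not code from the LAM manual or the LAM project. It parses an ldap.conf fragment and reports whether the client will actually verify the server certificate: TLS_CACERT (or TLS_CACERTDIR) must be set and point at an existing file, and TLS_REQCERT must not be lowered from its default "demand", since "never" and "allow" accept a bad certificate and "try" accepts a missing one. The sample configuration is constructed; the path_exists parameter exists so the check can run without the file present.</para>

<programlisting>```python
import os

# Constructed sample, not a real ldap.conf; it carries the option the manual names.
SAMPLE_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed example)
URI        ldaps://ldap.example.com
BASE       dc=example,dc=com
TLS_CACERT /etc/ldap/ca/myCA/cacert.pem
"""

# TLS_REQCERT values that accept a missing or unverifiable server certificate.
WEAK_REQCERT = ("never", "allow", "try")


def parse_ldap_conf(text):
    """Map each option name to its value; names are case-insensitive, comments start with #."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0].upper()] = parts[1].strip() if len(parts) == 2 else ""
    return options


def check_tls_settings(options, path_exists=os.path.isfile):
    """Return findings on whether the client will verify the server certificate."""
    findings = []
    cacert = options.get("TLS_CACERT")
    cadir = options.get("TLS_CACERTDIR")
    if not cacert and not cadir:
        findings.append("no TLS_CACERT or TLS_CACERTDIR set: the server certificate cannot be verified")
    elif cacert and not path_exists(cacert):
        findings.append("TLS_CACERT file not found: " + cacert)
    # ldap.conf defaults TLS_REQCERT to demand, which rejects bad or missing certificates.
    reqcert = options.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append("TLS_REQCERT " + reqcert + " weakens certificate verification")
    return findings


if __name__ == "__main__":
    opts = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for finding in check_tls_settings(opts):
        print(finding)
    if not check_tls_settings(opts):
        print("TLS trust configuration looks sound")
```</programlisting>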
|
|
</section>
|
|
|
|
<section>
|
|
<title>Chrooted servers</title>
|
|
|
|
<para>If your server is chrooted and you have no access to /dev/random
or /dev/urandom this can be a security risk. LAM stores your LDAP
password encrypted in the session. LAM uses rand() to generate the key
if /dev/random and /dev/urandom are not accessible. Therefore the key
can be easily guessed. An attacker needs read access to the session file
(e.g. by another Apache instance) to exploit this.</para>
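<para>The following is an added example and is not code from the LAM manual or the LAM project. It shows the two defensive halves of the situation described above: a check that the entropy device nodes exist and are readable below a chroot directory, and a key generator that fails closed (raises) instead of falling back to a weak PRNG when no OS randomness source is available. Python's os.urandom() uses the getrandom() system call on current Linux kernels and therefore does not itself depend on the device nodes; the device check is for services that open /dev/urandom directly, as the PHP runtime of the time did. The chroot path used in the demonstration is an assumption.</para>

<programlisting>```python
import os
import secrets

# Device nodes a chrooted service needs for a strong key (relative to the chroot).
RANDOM_DEVICES = ("dev/random", "dev/urandom")


def _readable(path):
    return os.access(path, os.R_OK)


def missing_random_devices(chroot="/", readable=_readable):
    """List the entropy devices that are not readable below the chroot directory."""
    missing = []
    for rel in RANDOM_DEVICES:
        if not readable(os.path.join(chroot, rel)):
            missing.append("/" + rel)
    return missing


def session_key(nbytes=32):
    """Fresh key for encrypting session data; fails closed instead of using a weak PRNG."""
    # secrets.token_bytes() is backed by os.urandom(), which raises
    # NotImplementedError when no OS randomness source is available, so a
    # caller never silently receives a guessable key.
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    chroot = "/srv/chroot"  # assumed chroot directory for the demonstration
    missing = missing_random_devices(chroot)
    if missing:
        print("chroot %s lacks: %s" % (chroot, ", ".join(missing)))
    else:
        print("chroot %s has both entropy devices" % chroot)
    print("session key:", session_key().hex())
```</programlisting>

<para>In a chroot the fix is to create the device nodes inside it (for example with mknod using the same major and minor numbers as the host's /dev/random and /dev/urandom) and to treat the check above as a start-up precondition rather than something to work around.</para>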
|
|
</section>
|
|
|
|
<section>
|
|
<title>Protection of your LDAP password and directory contents</title>
|
|
|
|
<para>You have to install the MCrypt extension for PHP to enable
|
|
encryption.</para>
|
|
|
|
<para>Your LDAP password is stored encrypted in the session file. The
|
|
key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
|
|
encrypt the password. All data that was read from LDAP and needs to be
|
|
stored in the session file is also encrypted.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Apache configuration</title>
|
|
|
|
<para>LAM includes several .htaccess files to protect your configuration
|
|
files and temporary data. Apache is often configured to not use
|
|
.htaccess files by default. Therefore, please check your Apache
|
|
configuration and change the override setting to:</para>
|
|
|
|
<literallayout>AllowOverride All</literallayout>
|
|
|
|
<para>If you are experienced in configuring Apache then you can also
|
|
copy the security settings from the .htaccess files to your main Apache
|
|
configuration.</para>
|
|
|
|
<para>If possible, you should not rely on .htaccess files but also move
|
|
the config and sess directory to a place outside of your WWW root. You
|
|
can put a symbolic link in the LAM directory so that LAM finds the
|
|
configuration/session files.</para>
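<para>The following is an added example and is not configuration from the LAM manual or the LAM project. It shows the main Apache configuration that enforces the protection of the three directories named below even if .htaccess processing is later disabled. It assumes LAM is installed under /var/www/html/lam and uses the Apache 2.4 authorization directives (Require); on Apache 2.2 the equivalent is Order/Deny directives.</para>

<programlisting>```apache
# Added example, not part of LAM. Assumes LAM under /var/www/html/lam.
&lt;Directory /var/www/html/lam&gt;
    AllowOverride All
&lt;/Directory&gt;

# config: LAM configuration, profiles and hashed configuration passwords.
# sess: PHP session files. Neither may ever be served to a browser.
&lt;Directory /var/www/html/lam/config&gt;
    Require all denied
&lt;/Directory&gt;
&lt;Directory /var/www/html/lam/sess&gt;
    Require all denied
&lt;/Directory&gt;

# tmp: generated PDFs and images must be fetchable by URL, but the
# directory itself must not be listable.
&lt;Directory /var/www/html/lam/tmp&gt;
    Options -Indexes
    Require all granted
&lt;/Directory&gt;
```</programlisting>

<para>When config and sess are moved outside the document root as recommended above, the deny blocks become a second line of defence; the files then cannot be served by URL at all, and only the file system permissions for the Apache user remain to be checked.</para>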
|
|
|
|
<para>Security sensitive directories:</para>
|
|
|
|
<para><emphasis role="bold">config: </emphasis>Contains your LAM
|
|
configuration and account profiles</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>LAM configuration passwords (SSHA hashed)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>default values for new accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory must be accessible by Apache but need not be
accessible by the browser</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">sess:</emphasis> PHP session files</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>LAM admin password in clear text or MCrypt encrypted</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>cached LDAP entries in clear text or MCrypt encrypted</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory must be accessible by Apache but need not be
accessible by the browser</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">tmp:</emphasis> temporary files</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>PDF documents which may also include passwords</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>images of your users</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory contents must be accessible by the browser but the
directory itself need not be browsable</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</appendix>
|
|
|
|
<appendix>
|
|
<title>Recommended OpenLDAP settings</title>
|
|
|
|
<para>Some basic hints to configure the OpenLDAP server:</para>
|
|
|
|
<para><emphasis role="bold">Size limit:</emphasis> OpenLDAP allows by
|
|
default 500 return values per search, if you have more users/groups/hosts
|
|
change this in slapd.conf: e.g. "sizelimit 10000" or "sizelimit -1" for
|
|
unlimited return values.</para>
|
|
|
|
<para><emphasis role="bold">Indices:</emphasis> Indices will improve the
|
|
performance when searching for entries in the LDAP directory. The
|
|
following indices are recommended:</para>
|
|
|
|
<simplelist>
|
|
<member>index objectClass eq</member>
|
|
|
|
<member>index default sub</member>
|
|
|
|
<member>index uidNumber eq</member>
|
|
|
|
<member>index gidNumber eq</member>
|
|
|
|
<member>index memberUid eq</member>
|
|
|
|
<member>index cn,sn,uid,displayName pres,sub,eq</member>
|
|
|
|
<member># Samba 3.x</member>
|
|
|
|
<member>index sambaSID eq</member>
|
|
|
|
<member>index sambaPrimaryGroupSID eq</member>
|
|
|
|
<member>index sambaDomainName eq</member>
|
|
</simplelist>
|
|
</appendix>
|
|
|
|
<appendix>
|
|
<title>Setup for home directory and quota management</title>
|
|
|
|
<para>Lamdaemon.pl is used to modify quota and home directories on a
remote or local host via SSH. If you want to use it you have to set up the
following things to get it to work:</para>
|
|
|
|
<section>
|
|
<title>LDAP Account Manager configuration</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Set the remote or local host in the configuration (e.g.
|
|
127.0.0.1)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Path to lamdaemon.pl, e.g.
/srv/www/htdocs/lam/lib/lamdaemon.pl. If you installed a Debian or
RPM package then the script may be located at
/usr/share/ldap-account-manager/lib or /var/www/html/lam/lib.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Your LAM admin user must be a valid Unix account. It needs to
|
|
have the object class "posixAccount" and an attribute "uid". This
|
|
account must be accepted by the SSH daemon of your home directory
|
|
server. Do not create a second local account but change your system
|
|
to accept LDAP users. You can use LAM to add the Unix account part
|
|
to your admin user.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Setup sudo</title>
|
|
|
|
<para>The Perl script has to run as root. Therefore we need a wrapper,
sudo. Edit /etc/sudoers on the host where home directories or quotas should
be managed and add the following line:</para>

<literallayout>$admin ALL= NOPASSWD: $path_to_lamdaemon</literallayout>

<para><emphasis>$admin</emphasis> is the admin user from
LAM (must be a valid Unix account) and
<emphasis>$path_to_lamdaemon</emphasis> is the path to
lamdaemon.pl.</para>

<para><emphasis role="bold">Example:</emphasis></para>

<literallayout>myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl</literallayout>
|
|
|
|
<para>You might need to run the sudo command once manually to init sudo.
|
|
The command "sudo -l" will show all possible sudo commands of the
|
|
current user.</para>
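<para>The following is an added example and is not code from the LAM manual or the LAM project. A NOPASSWD rule that lets the LAM admin run lamdaemon.pl as root is only as strong as that file: if the script (or the directory it lives in) can be modified by the web server user, anyone who controls LAM's PHP process can rewrite it and obtain root. The audit below parses a rule of the shape shown above and reports the conditions that would turn it into an escalation path: a host alias that is not the literal ALL keyword, a non-absolute or wildcard command, a command of ALL, and a script that is a symlink, not owned by root, or group/world writable. The fake_stat helper exists so the checks can run offline against constructed file metadata.</para>

<programlisting>```python
import os
import re
import stat

# Shape of the line the manual asks for:  user  host=  [(runas)]  TAG:  /path
# groups: 1 user, 2 host, 3 tags such as "NOPASSWD: ", 4 command
SUDOERS_RULE = re.compile(
    r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?((?:[A-Z]+:\s*)+)?(.+?)\s*$"
)


def parse_sudoers_rule(line):
    """Split one sudoers rule into user, host, tags and command (None if unparseable)."""
    m = SUDOERS_RULE.match(line.strip())
    if m is None:
        return None
    tags = tuple(t.strip() for t in (m.group(3) or "").split(":") if t.strip())
    return {"user": m.group(1), "host": m.group(2), "tags": tags, "command": m.group(4)}


def fake_stat(mode, uid=0):
    """Build an os.stat_result for offline checks (constructed, not read from a real file)."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


def audit_rule(line, lstat=os.lstat):
    """Return findings that would turn the NOPASSWD rule into a root escalation."""
    rule = parse_sudoers_rule(line)
    if rule is None:
        return ["unparseable rule: " + line]
    findings = []
    # sudoers keywords are case-sensitive: "All" is a host named All, not the alias.
    if rule["host"] != "ALL" and rule["host"].upper() == "ALL":
        findings.append("host alias must be the ALL keyword, got " + rule["host"])
    command = rule["command"]
    if command == "ALL":
        return findings + ["command ALL grants unrestricted root"]
    script = command.split()[0]
    if not script.startswith("/"):
        findings.append("command must be an absolute path: " + script)
    if any(ch in command for ch in "*?["):
        findings.append("wildcards widen the rule beyond lamdaemon.pl")
    try:
        st = lstat(script)
    except OSError:
        return findings + ["command not found: " + script]
    perm = stat.filemode(st.st_mode)  # e.g. "-rwxr-xr-x"; index 5 and 8 are the write bits
    if perm[0] == "l":
        findings.append("script path is a symlink")
    if st.st_uid != 0:
        findings.append("script not owned by root (uid %d)" % st.st_uid)
    if perm[5] == "w" or perm[8] == "w":
        findings.append("script is group or world writable")
    return findings


if __name__ == "__main__":
    rule = "myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl"
    # Constructed metadata: a world-writable script owned by the web server user.
    for finding in audit_rule(rule, lstat=lambda p: fake_stat(0o100777, 33)):
        print(finding)
```</programlisting>

<para>Run against the real file system (the default lstat) on the home directory server after installing lamdaemon.pl; an empty result means the rule restricts root to one root-owned, non-writable script.</para>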
|
|
</section>
|
|
|
|
<section>
|
|
<title>Setup Perl</title>
|
|
|
|
<para>We need an extra Perl module - Quota. To install it, run:</para>
|
|
|
|
<simplelist>
|
|
<member>perl -MCPAN -e shell</member>
|
|
|
|
<member>install Quota</member>
|
|
</simplelist>
|
|
|
|
<para>If your Perl executable is not located in /usr/bin/perl you will
|
|
have to edit the path in the first line of lamdaemon.pl. If you have
|
|
problems compiling the Perl modules try installing a newer release of
|
|
your GCC compiler and the "make" application.</para>
|
|
|
|
<para>Several Linux distributions already include a quota package for
|
|
Perl.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Install libssh2</title>
|
|
|
|
<para>The libssh2 library is needed to connect to the homedir/quota
|
|
server via SSH.</para>
|
|
|
|
<section>
|
|
<title>Install libssh2</title>
|
|
|
|
<para>You can get libssh2 here: <ulink
|
|
url="http://www.libssh2.org">http://www.libssh2.org</ulink> Unpack the
|
|
package and install it by executing the commands "./configure", "make"
|
|
and "make install" in the extracted directory. Several Linux
|
|
distributions already include a package for libssh2.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Install SSH2 for PHP</title>
|
|
|
|
<para>Several Linux distributions already include a package (e.g.
|
|
libssh2-php).</para>
|
|
|
|
<para>Otherwise, run "pecl install ssh2-beta". If you have no pecl
|
|
command then install the PHP Pear package (e.g. php-pear or php5-pear)
|
|
for your distribution.</para>
|
|
|
|
<para>If you want to compile it yourself, get the sources here: <ulink
|
|
url="http://pecl.php.net/package/ssh2">http://pecl.php.net/package/ssh2</ulink></para>
|
|
|
|
<para>After installing the PHP module please add this line to your
|
|
php.ini:</para>
|
|
|
|
<literallayout>extension=ssh2.so</literallayout>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Set up SSH</title>
|
|
|
|
<para>Your SSH daemon must offer the password authentication method. To
|
|
activate it just use this configuration option in
|
|
/etc/ssh/sshd_config:</para>
|
|
|
|
<literallayout>PasswordAuthentication yes</literallayout>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Troubleshooting</title>
|
|
|
|
<para>If you have problems managing quotas and home directories then
|
|
these points might help:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>There is a test page for lamdaemon: Login to LAM and open
|
|
Tools -> Tests -> Lamdaemon test</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you get garbage characters at the test page then PHP and
|
|
your php5-ssh2 library may not fit together. Try recompiling the
|
|
library and libssh2.</para>
|
|
|
|
<para>This combination was tested successfully: libssh2 0.13 with
|
|
php5-ssh2 0.10</para>
|
|
|
|
<para>php5-ssh2 0.11 should have no problems with recent libssh2
|
|
releases.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Check /var/log/auth.log or its equivalent on your system. This
|
|
file contains messages about all logins. If the ssh login failed
|
|
then you will find a description about the reason here.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Set sshd to debug mode. In /etc/ssh/sshd_config add these
lines:</para>
|
|
|
|
<simplelist>
|
|
<member>SyslogFacility AUTH</member>
|
|
|
|
<member>LogLevel DEBUG3</member>
|
|
</simplelist>
|
|
|
|
<para>Now check /var/log/syslog for messages from sshd.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Update OpenSSH. A SUSE Linux user reported that upgrading
OpenSSH solved the problem.</para>
|
|
</listitem>
|
|
</itemizedlist>
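<para>The following is an added example and is not code from the LAM manual or the LAM project. It supports the advice above to read /var/log/auth.log: it counts sshd outcomes per login name, distinguishing an accepted login, a failed password, an unknown user and an explicit denial with the reason sshd gives, so the cause of a failing lamdaemon connection (wrong password, admin account not resolvable as a Unix user, or an AllowUsers restriction) is visible at a glance. The log lines are constructed to match sshd's message format and are not real log data; the user name myAdmin follows the sudo example.</para>

<programlisting>```python
import re
from collections import Counter

# Constructed lines in the format sshd writes to /var/log/auth.log; not real log data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 files sshd[2301]: Accepted password for myAdmin from 10.0.0.5 port 51234 ssh2
Mar  3 10:02:40 files sshd[2310]: Failed password for myAdmin from 10.0.0.5 port 51240 ssh2
Mar  3 10:02:44 files sshd[2310]: Failed password for myAdmin from 10.0.0.5 port 51240 ssh2
Mar  3 10:03:01 files sshd[2315]: Failed password for invalid user lamadmin from 10.0.0.5 port 51250 ssh2
Mar  3 10:04:17 files sshd[2320]: User myAdmin not allowed because not listed in AllowUsers
"""

# groups: 1 result, 2 method, 3 "invalid user " marker, 4 user name, 5 source address
SSHD_AUTH = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (invalid user )?(\S+) from (\S+)")
# groups: 1 user name, 2 reason given by sshd
SSHD_DENY = re.compile(r"sshd\[\d+\]: User (\S+) not allowed because (.+)$")


def summarize_ssh_auth(text, user=None):
    """Count sshd outcomes per (user, outcome); pass user= to look at the LAM admin only."""
    summary = Counter()
    for line in text.splitlines():
        m = SSHD_AUTH.search(line)
        if m:
            name = m.group(4)
            if user is not None and name != user:
                continue
            outcome = "unknown user" if m.group(3) else m.group(1).lower() + " " + m.group(2)
            summary[(name, outcome)] += 1
            continue
        d = SSHD_DENY.search(line)
        if d and (user is None or d.group(1) == user):
            summary[(d.group(1), "denied: " + d.group(2))] += 1
    return dict(summary)


if __name__ == "__main__":
    for (name, outcome), count in sorted(summarize_ssh_auth(SAMPLE_AUTH_LOG).items()):
        print("%-10s %-35s %d" % (name, outcome, count))
```</programlisting>

<para>An "unknown user" count for the LAM admin name means the home directory server cannot resolve the account through LDAP at all, which points at the NSS/PAM setup rather than at the password; a "denied" line names the sshd restriction to adjust.</para>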
|
|
</section>
|
|
</appendix>
|
|
|
|
<appendix>
|
|
<title>Kolab user management</title>
|
|
|
|
<para>Here are some notes on managing Kolab accounts with LAM:</para>
|
|
|
|
<section>
|
|
<title>Creating accounts</title>
|
|
|
|
<para>The mailbox server cannot be changed after the account has been
|
|
saved. Please make sure that the value is correct. The email address
|
|
("Personal" page) must match your Kolab domain, otherwise the account
|
|
will not work.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Deleting accounts</title>
|
|
|
|
<para>If you want to cleanly delete accounts use the "Mark for deletion"
|
|
button on the Kolab subpage of an account. This will also remove the
|
|
user's mailbox. If you delete the account from the account list (which
|
|
is standard for LAM accounts) then no cleanup actions are made.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Managing accounts with both LAM and Kolab Admin GUI</title>
|
|
|
|
<para>The Kolab GUI has some restrictions that LAM does not have. Please
|
|
pay attention to the following restrictions:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Common name in LAM</para>
|
|
|
|
<para>The common name must have the format "&lt;first name&gt;
&lt;last name&gt;". You can leave the field empty in LAM and it will
automatically fill in the correct value.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Changing first/last name in Kolab GUI</para>
|
|
|
|
<para>Do not change the first/last name of your users in the Kolab
|
|
GUI! The GUI will change the common name which leads to an LDAP
|
|
object class violation. This is caused by a bug in the Kolab
|
|
GUI.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Adding a Kolab part to existing accounts</title>
|
|
|
|
<para>If you upgrade existing non-Kolab accounts please make sure that
the account has a Unix password.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Installing LAM on the Kolab server</title>
|
|
|
|
<para>You can install LAM in the directory "/kolab/var/kolab/www" which
|
|
is the root directory for Apache. The PHP installation already includes
|
|
all required packages.</para>
|
|
</section>
|
|
</appendix>
|
|
|
|
<appendix>
|
|
<title>InetOrgPerson and the host attribute</title>
|
|
|
|
<para>The attribute "host" is only defined in the object class "account".
Unfortunately, "account" conflicts with "inetOrgPerson", so there is no
perfect way to use both.</para>
|
|
|
|
<para>To make the host attribute usable with inetOrgPerson you have to
modify schema/inetorgperson and add host to the MAY list:</para>
|
|
|
|
<literallayout># inetOrgPerson
|
|
# The inetOrgPerson represents people who are associated with an
|
|
# organization in some way. It is a structural class and is derived
|
|
# from the organizationalPerson which is defined in X.521 [X521].
|
|
objectclass ( 2.16.840.1.113730.3.2.2
|
|
NAME 'inetOrgPerson'
|
|
DESC 'RFC2798: Internet Organizational Person'
|
|
SUP organizationalPerson
|
|
STRUCTURAL
|
|
MAY (
|
|
audio $ businessCategory $ carLicense $ departmentNumber $
|
|
displayName $ employeeNumber $ employeeType $ givenName $
|
|
homePhone $ homePostalAddress $ initials $ jpegPhoto $
|
|
labeledURI $ mail $ manager $ mobile $ o $ pager $
|
|
photo $ roomNumber $ secretary $ uid $ userCertificate $
|
|
x500uniqueIdentifier $ preferredLanguage $
|
|
userSMIMECertificate $ userPKCS12 $ host )
|
|
)</literallayout>
|
|
</appendix>
|
|
</book>
|