<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter>
<title>Managing entries in your LDAP directory</title>

<para>This chapter gives you instructions on how to manage the different LDAP entries in your directory.</para>

<para>Please note that not all account types are manageable with the free LAM release. LAM Pro provides some more account types (e.g. group of names, aliases, ...) and modules (e.g. Kopano, custom scripts, ...) to support additional LDAP object classes. All LAM Pro features are marked in this manual.</para>

<para><emphasis role="bold">Basic page layout:</emphasis></para>

<para>After the login LAM will present you its main page. It consists of a header part which is the same for all pages and the content area which covers most of the page.</para>

<para>The header part includes the links to manage all account types (e.g. users and groups) and to open the tree view (LDAP browser). There is also the logout link and a tools entry.</para>

<para>When you log in you will see an account listing in the content area.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mainpage.png"/></imageobject></mediaobject>
</screenshot>

<para>Here you can create, delete and modify accounts. Use the action buttons at the left or double click on an entry to edit it.</para>

<para>The suffix selection box allows you to list only the accounts which are located in a subtree of your LDAP directory.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/listConfig.png"/></imageobject></mediaobject>
</screenshot>

<para>You can change the number of shown entries per page with "Change settings". Depending on the account type there may be additional settings. E.g. the user list can convert group numbers to group names.</para>

<para>When you select to edit an entry then LAM will show all its data on a tabbed view. There is one tab for each functional part of the account. You can set default values by loading an <link linkend="a_accountProfile">account profile</link>.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/editView.png"/></imageobject></mediaobject>
</screenshot>

<section>
<title>Typical usage scenarios</title>

<para>Here is a list of typical usage scenarios and the account types and modules you need to configure for each of them.</para>

<para><emphasis role="bold">Address book entries:</emphasis></para>

<para>Account types:</para>

<itemizedlist>
<listitem><para>Users (Personal)</para></listitem>
</itemizedlist>

<para><emphasis role="bold">Unix accounts:</emphasis></para>

<para>Account types:</para>

<itemizedlist>
<listitem><para>Users (Personal + Unix)</para></listitem>
<listitem><para>Groups (Unix (posixGroup))</para></listitem>
</itemizedlist>

<para>Suse users may need to use Group (Group of names + Unix (rfc2307bisPosixGroup)) because of Suse's special LDAP schema.</para>

<para><emphasis role="bold">Samba 3 accounts:</emphasis></para>

<para>Account types:</para>

<itemizedlist>
<listitem><para>Users (Personal + User + Samba 3)</para></listitem>
<listitem><para>Groups (Unix + Samba 3)</para></listitem>
<listitem><para>Hosts (Account + Unix + Samba 3)</para></listitem>
<listitem><para>Samba domains (Samba domain)</para></listitem>
</itemizedlist>

<para><emphasis role="bold">Samba 4/Active Directory:</emphasis></para>

<para>Account types:</para>

<itemizedlist>
<listitem><para>Users (Windows)</para></listitem>
<listitem><para>Groups (Windows)</para></listitem>
<listitem><para>Hosts (Windows)</para></listitem>
</itemizedlist>

<para>Please note that you must change the attributes that are shown in the account lists. Otherwise, the account tables will show empty lines. See the documentation for the Windows user/group/host modules.</para>

<para>For Samba 4 with Kopano use the following modules:</para>

<itemizedlist>
<listitem><para>Users (Windows + Kopano (+ Kopano contact))</para></listitem>
<listitem><para>Groups (Windows + Kopano)</para></listitem>
<listitem><para>Hosts (Windows + Kopano)</para></listitem>
<listitem><para>Kopano dynamic groups (Kopano dynamic group)</para></listitem>
<listitem><para>Kopano address lists (Kopano address list)</para></listitem>
</itemizedlist>

<para>See also the <link linkend="s_kopano">Kopano</link> section for additional settings (e.g. using the Kopano AD schema).</para>

<para><emphasis role="bold">Asterisk:</emphasis></para>

<para>Account types:</para>

<itemizedlist>
<listitem><para>Users (Personal + Asterisk)</para></listitem>
<listitem><para>Asterisk extensions (Asterisk extension)</para></listitem>
</itemizedlist>

<para><emphasis role="bold">Kopano:</emphasis></para>

<para>Account types:</para>

<itemizedlist>
<listitem><para>Users (Personal + Unix + Kopano (+ Kopano contact))</para></listitem>
<listitem><para>Groups (Unix + Kopano)</para></listitem>
<listitem><para>Kopano dynamic groups (Kopano dynamic group)</para></listitem>
<listitem><para>Kopano address lists (Kopano address list)</para></listitem>
<listitem><para>Hosts (Device + Kopano + IP Address)</para></listitem>
</itemizedlist>

<para><emphasis role="bold">PyKota:</emphasis></para>

<para>Account types:</para>

<itemizedlist>
<listitem><para>Users (Personal + Unix + PyKota)</para></listitem>
<listitem><para>Groups (Unix + PyKota)</para></listitem>
<listitem><para>Printers (PyKota)</para></listitem>
<listitem><para>Billing codes (PyKota)</para></listitem>
</itemizedlist>
</section>

<section>
<title>Users</title>

<para>LAM manages various types of user accounts. This includes address book entries, Unix, Samba, Kopano and much more.</para>

<literallayout>
</literallayout>

<para><emphasis role="bold">Account list settings:</emphasis></para>

<para>The user list includes two special options to change how your users are displayed.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/userListOptions.png"/></imageobject></mediaobject>
</screenshot>

<para><emphasis>Translate GID number to group name:</emphasis> By default the user list shows the primary group IDs (GIDs) of your users. There are often cases where it is more suitable to show the group name instead. This can be done by activating this option. Please note that LAM will then execute more LDAP queries, which may decrease performance.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/userListOptionTransPrimary.png"/></imageobject></mediaobject>
</screenshot>

<para><emphasis>Show account status:</emphasis> If you activate this option then an additional column is displayed that shows whether the account is locked or expired. You can see more details when moving the mouse cursor over the lock icon. This function supports Unix, Samba, PPolicy, Windows and 389ds locking and deactivation.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/userListOptionAccountStatus.png"/></imageobject></mediaobject>
</screenshot>

<literallayout>
</literallayout>

<para><emphasis role="bold">Password:</emphasis></para>

<para>Click the "Set password" button to change the user's password(s). Depending on the active account modules LAM will offer to change multiple passwords at the same time.</para>

<para>If a module supports enforcing a password change then you will see the appropriate checkbox. LAM Pro also offers to send the password via email after the account is saved. Email options are specified in your <link linkend="profile_mail">LAM server profile</link>.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/password1.png"/></imageobject></mediaobject>
</screenshot>

<literallayout>
</literallayout>

<para><emphasis role="bold">Quick account (un)locking:</emphasis></para>

<para>When you edit a user, LAM lets you quickly lock or unlock the whole account. This includes Unix, Samba and PPolicy. LAM can also remove group memberships when an account is locked.</para>

<para>You will see the current status of all account parts in the title area of the account.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/userAccountStatus1.png"/></imageobject></mediaobject>
</screenshot>

<para>If you click on the lock icon then a dialog opens to change these values. Depending on which parts are locked LAM will provide options to lock/unlock account parts.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/userAccountStatus2.png"/></imageobject></mediaobject>
</screenshot>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/userAccountStatus3.png"/></imageobject></mediaobject>
</screenshot>

<section>
<title>Personal</title>

<para>This module is the most common basis for user accounts in LAM. You can use it stand-alone to manage address book entries or in combination with Unix, Samba or other modules.</para>

<para>The Personal module provides support for managing various personal data of your users including mail addresses and telephone numbers. You can also add photos of your users. If you do not need to manage all attributes then you can deactivate them in your server profile.</para>

<para><emphasis role="bold">Configuration</emphasis></para>

<para>Please activate the module "Personal (inetOrgPerson)" for users.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_personal3.png"/></imageobject></mediaobject>
</screenshot>

<para>The module manages lots of fields. Probably, you will not need all of them. You can hide fields in the module settings.</para>

<para>In the advanced options you may also set fields to read-only (for existing accounts) and define limits for photo files. Additionally, you can add an "ou=addressbook" subentry to each user in case you manage user address books.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_personal4.png"/></imageobject></mediaobject>
</screenshot>

<literallayout>
</literallayout>

<para><emphasis role="bold">User management</emphasis></para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_personal.png"/></imageobject></mediaobject>
</screenshot>

<para>User certificates can be uploaded and downloaded. LAM will automatically convert PEM to DER format.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_personal2.png"/></imageobject></mediaobject>
</screenshot>

<table>
<title>LDAP attribute mappings</title>
<tgroup cols="2">
<thead>
<row><entry align="center">Attribute name</entry><entry align="center">Name inside LAM</entry></row>
</thead>
<tbody>
<row><entry>businessCategory</entry><entry>Business category</entry></row>
<row><entry>carLicense</entry><entry>Car license</entry></row>
<row><entry>cn/commonName</entry><entry>Common name</entry></row>
<row><entry>departmentNumber</entry><entry>Department(s)</entry></row>
<row><entry>description</entry><entry>Description</entry></row>
<row><entry>employeeNumber</entry><entry>Employee number</entry></row>
<row><entry>employeeType</entry><entry>Employee type</entry></row>
<row><entry>facsimileTelephoneNumber/fax</entry><entry>Fax number</entry></row>
<row><entry>givenName/gn</entry><entry>First name</entry></row>
<row><entry>homePhone</entry><entry>Home telephone number</entry></row>
<row><entry>initials</entry><entry>Initials</entry></row>
<row><entry>jpegPhoto</entry><entry>Photo</entry></row>
<row><entry>l</entry><entry>Location</entry></row>
<row><entry>labeledURI</entry><entry>Web site</entry></row>
<row><entry>mail/rfc822Mailbox</entry><entry>Email address</entry></row>
<row><entry>manager</entry><entry>Manager</entry></row>
<row><entry>mobile/mobileTelephoneNumber</entry><entry>Mobile number</entry></row>
<row><entry>organizationName/o</entry><entry>Organisation</entry></row>
<row><entry>ou</entry><entry>Organizational unit</entry></row>
<row><entry>pager</entry><entry>Pager number</entry></row>
<row><entry>physicalDeliveryOfficeName</entry><entry>Office name</entry></row>
<row><entry>postalAddress</entry><entry>Postal address</entry></row>
<row><entry>postalCode</entry><entry>Postal code</entry></row>
<row><entry>postOfficeBox</entry><entry>Post office box</entry></row>
<row><entry>registeredAddress</entry><entry>Registered address</entry></row>
<row><entry>roomNumber</entry><entry>Room number</entry></row>
<row><entry>sn/surname</entry><entry>Last name</entry></row>
<row><entry>st</entry><entry>State</entry></row>
<row><entry>street/streetAddress</entry><entry>Street</entry></row>
<row><entry>telephoneNumber</entry><entry>Telephone number</entry></row>
<row><entry>title</entry><entry>Job title</entry></row>
<row><entry>userCertificate</entry><entry>User certificates</entry></row>
<row><entry>uid/userid</entry><entry>User name</entry></row>
<row><entry>userPassword</entry><entry>Password</entry></row>
</tbody>
</tgroup>
</table>

<para><emphasis role="bold">Wildcards</emphasis></para>

<para>This module provides the following wildcards (others may be provided by other modules):</para>

<itemizedlist>
<listitem><para>$firstname: First name</para></listitem>
<listitem><para>$lastname: Last name</para></listitem>
<listitem><para>$user: User name</para></listitem>
<listitem><para>$commonname: Common name</para></listitem>
<listitem><para>$email: Email address</para></listitem>
</itemizedlist>

<para>You can use them in the following input fields on the user edit screen:</para>

<itemizedlist>
<listitem><para>Common name</para></listitem>
<listitem><para>Description</para></listitem>
<listitem><para>Mail</para></listitem>
<listitem><para>Postal address</para></listitem>
<listitem><para>Registered address</para></listitem>
<listitem><para>Web site</para></listitem>
</itemizedlist>

<para>Use this when some of your data always follows the same schema. E.g. "$firstname $lastname" in the common name field yields "First Last". You can set the wildcards in the profile editor so they are automatically applied to new users.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_personal5.png"/></imageobject></mediaobject>
</screenshot>

<para/>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_personal6.png"/></imageobject></mediaobject>
</screenshot>
</section>

<section>
<title>Unix</title>

<para>The Unix module manages Unix user accounts including group memberships.</para>

<para>There are several configuration options for this module:</para>

<itemizedlist>
<listitem>
<para>UID generator: LAM will suggest UID numbers for your accounts. Please note that duplicate IDs may be assigned if accounts are created at the same time. Use an <ulink url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink> like "Attribute Uniqueness" (<link linkend="a_openldap_unique">example</link>) if you have lots of LAM admins creating accounts.</para>

<itemizedlist>
<listitem><para>Fixed range: LAM searches for free numbers within the given limits. LAM always tries to use a free UID that is greater than the existing UIDs to prevent collisions with deleted accounts.</para></listitem>
<listitem><para>Samba ID pool: This uses a special LDAP entry that includes attributes which store a counter for the last used UID/GID. Please note that this requires that you install the Samba schema and create an LDAP entry of object class "sambaUnixIdPool".</para></listitem>
<listitem><para>Magic number: Use this if your LDAP server assigns the UID numbers automatically (e.g. DNA by 389 server). Enter the server's magic number setting.</para></listitem>
</itemizedlist>
</listitem>

<listitem><para>Password hash type: If possible use CRYPT-SHA512 or SSHA to protect your users' passwords. The option SASL will set the password to "{SASL}&lt;user name&gt;". If you want to use an LDAP EXOP password operation to update the password then select LDAP_EXOP.</para></listitem>

<listitem><para>Login shells: List of valid login shells that can be selected when editing an account.</para></listitem>

<listitem><para>Hidden options: Some input fields can be hidden to simplify the GUI if you do not need them.</para></listitem>

<listitem><para>Set primary group as memberUid: By default primary group membership is not set on group objects but only on the user entry (gidNumber). Activate this if you need to have the primary group membership in the group object, too.</para></listitem>

<listitem><para>Do not add object class: This is for Windows only. When the checkbox is activated then the posixAccount object class will not be added to a user.</para></listitem>

<listitem><para>User name suggestion: The user name is automatically filled as specified in the configuration (default smiller for Steve Miller). Of course, the suggested value can be changed any time. The common name is also filled with first/last name by default.</para></listitem>
</itemizedlist>
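<para>The following Python script is an added example and not LAM's own code. It reproduces the "fixed range" behaviour described above (prefer a number above every UID already in use, fall back to the lowest gap only when the top of the range is reached) and adds the duplicate check an admin runs when several people create accounts without an Attribute Uniqueness overlay on the server. The uidNumber values are a constructed sample; a real script would read them from the directory with an LDAP search.</para>

```python
"""Free-UID selection in the style of the "fixed range" UID generator.

Added example, not LAM's code. The list of existing uidNumber values is a
constructed sample; in practice you would fetch it with an LDAP search.
"""
from collections import Counter


def next_free_uid(existing_uids, uid_min, uid_max):
    """Return a free UID inside [uid_min, uid_max].

    Preference: one above the highest UID already inside the range, so a
    number freed by a deleted account is not reused immediately; if the top
    of the range is reached, the lowest free number (a gap) is used instead.
    Raises ValueError when the range is exhausted or invalid.
    """
    if uid_min > uid_max:
        raise ValueError("uid_min must not exceed uid_max")
    in_range = {u for u in existing_uids if uid_max >= u >= uid_min}
    if not in_range:
        return uid_min
    candidate = max(in_range) + 1
    if uid_max >= candidate:
        return candidate
    for uid in range(uid_min, uid_max + 1):  # top reached: take the lowest gap
        if uid not in in_range:
            return uid
    raise ValueError("no free UID left in %d-%d" % (uid_min, uid_max))


def duplicate_uids(existing_uids):
    """Return uidNumber values that occur more than once (sorted).

    Two admins creating accounts at the same time can both be offered the
    same suggestion; this is the check to run if no uniqueness overlay
    guards uidNumber on the server.
    """
    return sorted(u for u, n in Counter(existing_uids).items() if n > 1)


# Constructed sample: uidNumber values as read from an ou=People subtree.
SAMPLE_UIDS = [10000, 10001, 10003, 10004, 10004, 65534]

if __name__ == "__main__":
    print(next_free_uid(SAMPLE_UIDS, 10000, 20000))  # 10005 (gap at 10002 is skipped)
    print(duplicate_uids(SAMPLE_UIDS))  # [10004]
```

<para>The value 65534 in the sample lies outside the configured range and is therefore ignored; only UIDs inside the limits influence the suggestion.</para>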

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_unixUserConfig.png"/></imageobject></mediaobject>
</screenshot>
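<para>To see what the hash types from the configuration options above produce, here is an added Python example (not LAM's code) that builds and verifies salted SHA userPassword values: "{SSHA}" is the default salted SHA-1 scheme, and "{SSHA256}"/"{SSHA512}" are the SHA-2 variants OpenLDAP provides through its pw-sha2 module. The verify function and the cleartext check are what you need when auditing a directory export for unhashed or unknown password values; CRYPT-SHA512 values come from the system crypt(3) and are not covered here. The password and salt are constructed sample values.</para>

```python
"""Salted SHA userPassword values as written by LAM and checked by the server.

Added example, not LAM's code. Format: scheme label followed by
base64(digest(password + salt) + salt), the encoding used for {SSHA} and
reused by the SHA-2 variants.
"""
import base64
import hashlib
import hmac
import os

SCHEMES = {"{SSHA}": "sha1", "{SSHA256}": "sha256", "{SSHA512}": "sha512"}


def make_salted_hash(password, scheme="{SSHA}", salt=None):
    """Return a userPassword value for the given scheme.

    salt: bytes; a fresh random 8-byte salt is drawn when None is passed.
    """
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password, stored):
    """True if password matches a stored {SSHA*} value, False otherwise.

    The salt is whatever follows the digest, so any salt length the server
    chose is handled; the comparison is constant-time.
    """
    for scheme, algo in SCHEMES.items():
        if stored.startswith(scheme):
            blob = base64.b64decode(stored[len(scheme):])
            size = hashlib.new(algo).digest_size
            digest, salt = blob[:size], blob[size:]
            expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
            return hmac.compare_digest(digest, expected)
    return False  # other schemes ({CRYPT}, {SASL}, cleartext) are not handled here


def is_cleartext(stored):
    """True when a userPassword value has no "{SCHEME}" prefix, i.e. is stored unhashed."""
    return not (stored.startswith("{") and "}" in stored)


if __name__ == "__main__":
    value = make_salted_hash("Correct-Horse-9", "{SSHA512}")  # constructed password
    print(value)
    print(verify_password("Correct-Horse-9", value), verify_password("wrong", value))
    print(is_cleartext("secret"), is_cleartext(value))
```

<para>Running is_cleartext over every userPassword value of an LDIF export is a quick way to find entries that were written without a hashing scheme; verify_password is only needed when you have to confirm that a migration kept the stored hashes intact.</para>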

<literallayout>
</literallayout>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_unixUser.png"/></imageobject></mediaobject>
</screenshot>

<para>Group memberships can be changed by clicking on "Edit groups". Here you can select the Unix groups and group of names memberships.</para>

<para>To enable "Group of names" please either add the groups module "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of names".</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_unixUserGroups.png"/></imageobject></mediaobject>
</screenshot>

<para>You can also create home directories for your users if you set up <link linkend="a_lamdaemon">lamdaemon</link>. This allows you to create the directories on local or remote servers.</para>

<para>It is also possible to check the status of the users' home directories. If needed the directories can be created or removed at any time.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_unixUserHomedir.png"/></imageobject></mediaobject>
</screenshot>

<para><emphasis role="bold">Wildcards</emphasis></para>

<para>This module provides the following wildcards (others may be provided by other modules):</para>

<itemizedlist>
<listitem><para>$user: User name</para></listitem>
<listitem><para>$group: Group name (not the numeric GID)</para></listitem>
</itemizedlist>

<para>You can use them in the following input fields on the user edit screen:</para>

<itemizedlist>
<listitem><para>Common name</para></listitem>
<listitem><para>Gecos</para></listitem>
<listitem><para>Home directory</para></listitem>
</itemizedlist>

<para>Use this when some of your data always follows the same schema. E.g. "/home/$user" in the home directory field yields "/home/myuser". You can set the wildcards in the profile editor so they are automatically applied to new users.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_unixUserWildcard1.png"/></imageobject></mediaobject>
</screenshot>

<para/>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_unixUserWildcard2.png"/></imageobject></mediaobject>
</screenshot>
</section>

<section>
<title>Group of names and group of members (LAM Pro)</title>

<para>This module manages memberships in group of (unique) names and also group of members.</para>

<para>Please note that this module cannot be used if the Unix module is active. In this case group memberships may be managed with the Unix module.</para>

<para><emphasis role="bold">Configuration</emphasis></para>

<para>To activate this feature please add the user module "Group of names (groupOfNamesUser)" to your LAM server profile.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_groupOfNamesUser2.png"/></imageobject></mediaobject>
</screenshot>

<para>The module automatically detects if groups are based on "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the correct attribute.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_groupOfNamesUser.png"/></imageobject></mediaobject>
</screenshot>
</section>

<section id="organizationalRoleUser">
<title>Organizational roles (LAM Pro)</title>

<para>LAM can manage role memberships in <link linkend="organizationalRole">organizationalRole</link> objects. To activate this feature please add the user module "Roles (organizationalRoleUser)" to your LAM server profile.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_organizationalRoleUser1.png"/></imageobject></mediaobject>
</screenshot>

<para><emphasis role="bold">User editing</emphasis></para>

<para>Now, there will be a new tab "Roles" when you edit your user accounts. Here you can select the role memberships.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_organizationalRoleUser2.png"/></imageobject></mediaobject>
</screenshot>
</section>

<section>
<title>Shadow</title>

<para>LAM supports the management of the LDAP replacement for /etc/shadow. Here you can set up password policies for your Unix accounts and also view the last password change of a user.</para>
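<para>As an added example (not LAM's code), the following Python functions evaluate the shadow attributes of user entries the way the "Show account status" column and the Shadow tab interpret them, so you can audit a directory export for expired passwords and accounts. The code assumes the standard RFC 2307 / shadow(5) semantics: shadowLastChange and shadowExpire count days since 1970-01-01, shadowMax and shadowInactive are day counts, and a missing or negative value disables the respective check. The entries are constructed.</para>

```python
"""Password and account expiry from shadowAccount attributes.

Added example, not LAM's code. Assumes RFC 2307 / shadow(5) semantics:
shadowLastChange and shadowExpire are days since 1970-01-01, shadowMax and
shadowInactive are day counts, absent or negative values disable a check.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(day):
    """Day number as stored in shadowLastChange / shadowExpire."""
    return (day - EPOCH).days


def _attr_int(entry, name):
    """First value of a multi-valued attribute as int; None if absent or negative."""
    values = entry.get(name)
    if not values:
        return None
    number = int(values[0])
    return number if number >= 0 else None


def shadow_status(entry, today):
    """Classify one entry (dict: attribute -> list of strings) for a given date.

    Returns "account-expired", "must-change", "inactive", "password-expired" or "ok".
    """
    now = days_since_epoch(today)
    expire = _attr_int(entry, "shadowExpire")
    if expire is not None and now >= expire:
        return "account-expired"          # shadowExpire reached: login refused
    last = _attr_int(entry, "shadowLastChange")
    if last == 0:
        return "must-change"              # password change forced at next login
    max_days = _attr_int(entry, "shadowMax")
    if last is not None and max_days is not None:
        inactive = _attr_int(entry, "shadowInactive")
        if inactive is not None and now > last + max_days + inactive:
            return "inactive"             # grace period over: account disabled
        if now > last + max_days:
            return "password-expired"     # user may log in but must change it
    return "ok"


def flagged_accounts(entries, today):
    """uid -> status for every entry that is not simply "ok" (a periodic audit)."""
    report = {}
    for entry in entries:
        status = shadow_status(entry, today)
        if status != "ok":
            report[entry["uid"][0]] = status
    return report


# Constructed entries as an LDAP client library would return them.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "shadowLastChange": ["19632"], "shadowMax": ["90"], "shadowInactive": ["5"]},
    {"uid": ["bob"], "shadowLastChange": ["19632"], "shadowMax": ["90"], "shadowInactive": ["30"]},
    {"uid": ["carol"], "shadowLastChange": ["0"]},
    {"uid": ["dave"], "shadowLastChange": ["19700"], "shadowMax": ["90"], "shadowExpire": ["19731"]},
    {"uid": ["erin"], "shadowLastChange": ["19700"], "shadowMax": ["-1"]},
]

if __name__ == "__main__":
    print(flagged_accounts(SAMPLE_ENTRIES, date(2024, 1, 10)))
```

<para>For 2024-01-10 (day 19732) the sample yields alice as inactive, bob as password-expired, carol as must-change and dave as account-expired; erin has shadowMax set to -1, so password ageing is disabled for her and she is not reported.</para>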

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_shadow.png"/></imageobject></mediaobject>
</screenshot>
</section>

<section>
<title>NIS net groups</title>

<para><emphasis role="bold">Configuration</emphasis></para>

<para>Please add the module "NIS net groups (nisNetGroupUser)" to the list of active user modules.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_nisNetGroupUser1.png"/></imageobject></mediaobject>
</screenshot>

<para><emphasis role="bold">User editing</emphasis></para>

<para>You will now see a new tab when editing users. Here you can assign memberships in NIS net groups and also set host/domain.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/mod_nisNetGroupUser2.png"/></imageobject></mediaobject>
</screenshot>
</section>

<section>
<title id="passwordSelfResetUser">Password self reset (LAM Pro)</title>

<para>LAM Pro allows your users to reset their passwords by answering a security question. The reset link is displayed on the <link linkend="PasswordSelfReset">self service page</link>. Additionally, you can set question + answer in the admin interface.</para>

<para>Please note that self service and the LAM admin interface are separate functions. You need to specify the list of possible security questions in both the self service profile(s) and the server profile(s).</para>

<para><emphasis role="bold">Schema installation</emphasis></para>

<para>Please install the LDAP schema as described <link linkend="a_passwordSelfResetSchema">here</link>.</para>

<para><emphasis role="bold">Activate password self reset module</emphasis></para>

<para>Please activate the password self reset module in your LAM Pro server profile.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/passwordSelfReset7.png"/></imageobject></mediaobject>
</screenshot>

<para>Now select the tab "Module settings" and specify the list of possible security questions. Only these questions will be selectable when you later edit accounts, unless you explicitly allow custom questions to be entered. LAM Pro supports up to three security questions per user.</para>

<para>If you do not want to set backup email addresses then you can hide this option.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/passwordSelfReset8.png"/></imageobject></mediaobject>
</screenshot>

<para><emphasis role="bold">Edit users</emphasis></para>

<para>After everything is set up please log in to LAM Pro and edit your users. You will see a new tab called "Password self reset". Here you can activate/remove the password self reset function for each user. You can also change the security question and answer.</para>

<para>If you set a backup email address then confirmation emails will also be sent to this address. This is useful if the user password grants access to the user's primary mailbox, so passwords can be unlocked with an external email address.</para>

<para><emphasis role="bold">Hint:</emphasis> You can add the passwordSelfReset object class to all your users with the <link linkend="toolMultiEdit">multi edit</link> tool.</para>

<para><emphasis role="bold">Samba 4 note:</emphasis> Due to a <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=10094">bug</ulink> in Samba 4 you need to add the extension, save, and then select a question and set the answer. If you add the extension, set question/answer and then save all together this will cause an LDAP error and no changes will be saved.</para>

<screenshot>
<mediaobject><imageobject><imagedata fileref="images/passwordSelfReset9.png"/></imageobject></mediaobject>
</screenshot>
</section>

<section>
<title>Hosts</title>

<para>You can specify a list of valid host names where the user may log in. If you add the value "*" then the user may log in to any host. This can be further restricted by adding explicit deny entries which are prefixed with "!" (e.g. "!hr_server").</para>

<para>Please note that your PAM settings need to support host restrictions. This feature is enabled by setting <emphasis role="bold">pam_check_host_attr yes</emphasis> in your <emphasis role="bold">/etc/pam_ldap.conf</emphasis>. When it is enabled then the account facility of pam_ldap will perform the checks and return an error when no proper host attribute is present. Please note that users without a host attribute cannot log in to such a configured server.</para>
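<para>The following Python snippet is an added example, not LAM's or pam_ldap's code. It models the decision rules stated above (a value "*" permits every host, a "!host" entry denies that host even when "*" is present, and a user without a host attribute is refused once pam_check_host_attr is enabled) so you can check in advance which users a given server will accept. Case-insensitive matching of host names is an assumption; the user entries are constructed.</para>

```python
"""Host-attribute login check as enforced by pam_ldap with pam_check_host_attr yes.

Added example, not LAM's or pam_ldap's code; the precedence "an explicit
!deny beats * and plain allows" and the case-insensitive comparison are
assumptions taken from the documentation text.
"""


def host_login_allowed(host_values, hostname):
    """True if a user whose host attribute holds host_values may log in on hostname."""
    if not host_values:
        return False  # no host attribute at all: refused when the check is on
    wanted = hostname.lower()
    denied = {v[1:].lower() for v in host_values if v.startswith("!")}
    if wanted in denied:
        return False
    allowed = {v.lower() for v in host_values if not v.startswith("!")}
    return "*" in allowed or wanted in allowed


def users_allowed_on(users, hostname):
    """uid -> bool for a list of user entries (dict with 'uid' and optional 'host')."""
    return {u["uid"]: host_login_allowed(u.get("host", []), hostname) for u in users}


# Constructed user entries.
SAMPLE_USERS = [
    {"uid": "alice", "host": ["*", "!hr_server"]},    # everywhere except hr_server
    {"uid": "bob", "host": ["fileserver", "HR_Server"]},
    {"uid": "carol"},                                  # no host attribute
]

if __name__ == "__main__":
    for name in ("hr_server", "fileserver", "web1"):
        print(name, users_allowed_on(SAMPLE_USERS, name))
```

<para>Running users_allowed_on against the host names of your servers before enabling pam_check_host_attr shows which accounts (such as carol above) would be locked out because they carry no host attribute yet.</para>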
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/hostObject.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Samba 3</title>
|
|
|
|
<para>LAM supports full Samba 3 user management including logon hours
|
|
and terminal server options.</para>
|
|
|
|
<para>The module is enabled by adding "Samba 3 (sambaSamAccount)" to
|
|
your user modules.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_samba3Config2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>In the configuration options you can enable password history
|
|
checking. Depending on your LDAP server you might need ascending or
|
|
descending order. Just switch the setting if the password history is not
|
|
correctly updated.</para>
|
|
|
|
<para>In case you have no very old Windows clients (e.g. Windows 98) it
|
|
is recommended to disable LM hashes. They are considered to be
|
|
insecure.</para>

  <para>You can also hide some input fields if you do not need
  them.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_samba3Config1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>After configuring the module you will see the Samba 3 tab when you
  edit a user.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_samba3User1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>Logon hours can be changed.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_samba3User2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You can also set up terminal server settings.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_samba3User3.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>Windows (Samba 4/Active Directory)</title>

  <para>Please activate the account type "Users" in your LAM server
  profile and then add the user module "Windows (windowsUser)(*)".</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_windowsUser4.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>The default list attributes are meant for Unix and are not
  suitable for Windows (they produce blank lines in the account table).
  Please use "#cn;#givenName;#sn;#mail" or select your own attributes to
  display in the account list.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_windowsUser1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>On tab "Module settings" you can specify the possible Windows
  domain names and whether pre-Windows 2000 user names should be
  managed.</para>

  <para>NIS support is deactivated by default. Enable it if needed.</para>

  <para>You can also set maximum values for user photos in the advanced
  options.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata contentwidth="1172"
        fileref="images/mod_windowsUser5.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>Now you can manage your Windows users and e.g. assign groups. You
  might want to set the default domain name in the <link
  linkend="a_accountProfile">profile editor</link>.</para>

  <para><emphasis role="bold">Attention:</emphasis></para>

  <itemizedlist>
    <listitem>
      <para>Password changes require a secure connection via ldaps://.
      Check your LAM server profile if password changes are refused by the
      server.</para>
    </listitem>

    <listitem>
      <para>Your server must run a 64-bit operating system. Otherwise, the
      module might not work.</para>
    </listitem>
  </itemizedlist>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_windowsUser2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_windowsUser3.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para><emphasis role="bold">Wildcards</emphasis></para>

  <para>This module provides the following wildcards (others may be
  provided by other modules):</para>

  <itemizedlist>
    <listitem>
      <para>$firstname: First name</para>
    </listitem>

    <listitem>
      <para>$lastname: Last name</para>
    </listitem>

    <listitem>
      <para>$user: User name</para>
    </listitem>

    <listitem>
      <para>$commonname: Common name</para>
    </listitem>

    <listitem>
      <para>$email: Email address</para>
    </listitem>
  </itemizedlist>

  <para>You can use them in the following input fields on the user edit
  screen:</para>

  <itemizedlist>
    <listitem>
      <para>Common name</para>
    </listitem>

    <listitem>
      <para>Display name</para>
    </listitem>

    <listitem>
      <para>Email</para>
    </listitem>

    <listitem>
      <para>Email alias</para>
    </listitem>

    <listitem>
      <para>Home directory</para>
    </listitem>

    <listitem>
      <para>Profile path</para>
    </listitem>

    <listitem>
      <para>Script path</para>
    </listitem>
  </itemizedlist>

  <para>Use this when some of your data always follows the same schema.
  For example, "$firstname $lastname" in the common name field yields
  "First Last". You can set the wildcards in the profile editor so that
  they are automatically applied to new users.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_windowsUser6.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para/>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_windowsUser7.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>AD LDS (formerly ADAM) (LAM Pro)</title>

  <para>Please activate the account type "Users" in your LAM server
  profile and then add the user module "AD LDS
  (windowsLDSUser)(*)".</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_windowsUser4.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>The default list attributes are meant for Unix and are not
  suitable for AD LDS (they produce blank lines in the account table).
  Please use "#cn;#givenName;#sn;#mail" or select your own attributes to
  display in the account list.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_adLds1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>On tab "Module settings" you can specify the possible Windows
  domain names.</para>

  <para>You can also set maximum values for user photos in the advanced
  options.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata contentwidth="1172" fileref="images/mod_adLds3.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>Now you can manage your AD LDS users and e.g. assign groups. You
  might want to set the default domain name in the <link
  linkend="a_accountProfile">profile editor</link>.</para>

  <para><emphasis role="bold">Attention:</emphasis></para>

  <para>Password changes require a secure connection via ldaps://. Check
  your LAM server profile if password changes are refused by the
  server.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_adLds4a.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_adLds4b.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para><emphasis role="bold">Wildcards</emphasis></para>

  <para>This module provides the following wildcards (others may be
  provided by other modules):</para>

  <itemizedlist>
    <listitem>
      <para>$firstname: First name</para>
    </listitem>

    <listitem>
      <para>$lastname: Last name</para>
    </listitem>

    <listitem>
      <para>$user: User name</para>
    </listitem>

    <listitem>
      <para>$commonname: Common name</para>
    </listitem>

    <listitem>
      <para>$email: Email address</para>
    </listitem>
  </itemizedlist>

  <para>You can use them in the following input fields on the user edit
  screen:</para>

  <itemizedlist>
    <listitem>
      <para>Common name</para>
    </listitem>

    <listitem>
      <para>Display name</para>
    </listitem>

    <listitem>
      <para>Email</para>
    </listitem>

    <listitem>
      <para>Email alias</para>
    </listitem>
  </itemizedlist>

  <para>Use this when some of your data always follows the same schema.
  For example, "$firstname $lastname" in the common name field yields
  "Demo User". You can set the wildcards in the profile editor so that
  they are automatically applied to new users.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_adLds5a.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para/>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_adLds5b.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>Filesystem quota (lamdaemon)</title>

  <para>You can manage file system quotas with LAM. This requires <link
  linkend="a_lamdaemon">lamdaemon</link> to be set up. LAM connects to
  your server via SSH and manages the disk filesystem quotas. The quotas
  are stored directly on the filesystem. This is the default mechanism to
  store quotas on most systems.</para>

  <para>Please add the module "Quota (quota)" for users to your LAM server
  profile to enable this feature.</para>

  <para>If you store the quota information directly inside LDAP please see
  the next section.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_quotaUser.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>Filesystem quota (LDAP)</title>

  <para>You can store your filesystem quotas directly in LDAP. See <ulink
  url="http://sourceforge.net/projects/linuxquota/">Linux
  DiskQuota</ulink> for details since it requires quota tools that support
  LDAP. You will need to install the quota LDAP schema to manage the
  object class "systemQuotas".</para>

  <para>Please add the module "Quota (systemQuotas)" for users to your LAM
  server profile to enable this feature.</para>

  <para>If you store the quota information on the filesystem please see
  the previous section.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_systemQuotas.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>Kolab</title>

  <para>This module allows you to manage Kolab accounts with LAM. E.g. you
  can set the user's mail quota and define invitation policies.</para>

  <para>Please add the Kolab user module in your LAM server profile to
  activate Kolab support.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_kolab2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>Please enter an email address on the "Personal" page and set a
  Unix password first. Both are required for Kolab to accept the account.
  The email address ("Personal" page) must match your Kolab domain,
  otherwise the account will not work.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_kolab.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>If you upgrade existing non-Kolab accounts please make sure that
  the account has a Unix password.</para>
</section>

<section>
  <title>Asterisk</title>

  <para>LAM supports Asterisk accounts, too. See the <link
  linkend="type_asterisk">Asterisk</link> section for details.</para>
</section>

<section>
  <title>EDU person</title>

  <para>EDU person accounts are mainly used in university networks. You
  can specify the principal name, nick names and much more.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_eduPerson.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>PyKota</title>

  <para>There are two LAM user modules, depending on whether your user
  entries should be built on the object class "pykotaObject" or on a
  different structural object class (e.g. "inetOrgPerson"). For
  "pykotaObject" please select "PyKota (pykotaUserStructural(*))", and
  "PyKota (pykotaUser)" in all other cases.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_pykotaUser1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>To display the job history please set up the job DN on tab "Module
  settings":</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_pykotaUser2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>Now you can add the PyKota extension to your user accounts. Here
  you can set up the printing options and add payments for this
  user.</para>

  <para>For LAM Pro there are also self service fields to allow users e.g.
  to view their current balance and job history.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_pykotaUser3.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You may also view the payment and job history.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_pykotaUser4.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_pykotaUser5.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>Password policy (LAM Pro)</title>

  <para>OpenLDAP supports the <ulink
  url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay
  to manage password policies for LDAP entries. LAM Pro supports <link
  linkend="a_ppolicy">managing the policies</link> and assigning them to
  user accounts.</para>

  <para>Please add the account type "Password policies" to your LAM server
  profile and activate the "Password policy" module for the user
  type.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/ppolicyUser2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You can select the password policy and force a password change on
  next login. Accounts can also be (un)locked.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/ppolicyUser.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You can assign any password policy which is found in the LDAP
  suffix of the "Password policies" type. When you set the policy to
  "default" then OpenLDAP will use the default policy as defined in your
  slapd.conf file.</para>

  <para><emphasis role="bold">Attention:</emphasis> Locking and unlocking
  requires that you also activate the option "Lockout users" in the
  assigned <link linkend="a_ppolicy">password policy</link>. Otherwise, it
  will have no effect.</para>
</section>

<section>
  <title>Account locking for 389ds (LAM Pro)</title>

  <para>This module allows you to display whether users are locked by the
  389ds server. You can (de)activate your users. The password expiration
  time can also be managed.</para>

  <para>Requirements: 389ds LDAP server</para>

  <para><emphasis role="bold">Configuration</emphasis></para>

  <para>Please add the user module "Account locking
  (locking389ds)".</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_389dsLocking1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>This will show the password expiration time. You can edit the
  value if needed.</para>

  <para>If there are any failed login attempts then LAM displays their
  number and until when the user is locked by the system.</para>

  <para>The limit of failed login attempts and the lockout duration are
  configured on your LDAP server and not within LAM.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_389dsLocking2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You can unlock the user by clicking on the lock icon.</para>

  <para>Here you can also (de)activate the account.</para>

  <para>Note: Accounts are only locked by the LDAP server due to failed
  password attempts. You cannot manually lock an account. Deactivate it in
  case you want to disable login for a user.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_389dsLocking3.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>FreeRadius</title>

  <para>FreeRadius is software that implements the RADIUS authentication
  protocol. LAM allows you to manage several of the FreeRadius
  attributes.</para>

  <para>To activate the FreeRadius plugin please activate the FreeRadius
  user module in your server profile:</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_freeRadius1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You can disable unneeded fields on the tab "Module settings". Here
  you can also set the DN where your Radius profile templates are stored
  if you use the option "Profile".</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_freeRadius2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>Now you will see the tab "FreeRadius" when editing users. The
  extension can be (de)activated for each user. You can set up e.g. realm,
  IP and expiration date.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_freeRadius3.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>Heimdal Kerberos (LAM Pro)</title>

  <para>You can manage your Heimdal Kerberos accounts with LAM Pro. Please
  add the user module "Kerberos (heimdalKerberos)" to activate this
  feature.</para>

  <para><emphasis role="bold">Setup password changing</emphasis></para>

  <para>LAM Pro cannot generate the password hashes itself because Heimdal
  uses a proprietary format for them. Therefore, LAM Pro needs to call e.g.
  kadmin to set the password.</para>

  <para>The wildcards @@password@@ and @@principal@@ are replaced with the
  password and the principal name. Please use keytab authentication for
  this command since it must run without any interaction.</para>

  <para>Example to create a keytab:</para>

  <literallayout>ktutil -k /root/lam.keytab add -p lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1</literallayout>

  <para>Security hint: Please secure your LAM Pro server since the new
  passwords will be visible for a short time in the process list during
  the password change.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_kerberos2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para><emphasis role="bold">User management</emphasis></para>

  <para>You can specify the principal/user name, ticket lifetimes and
  expiration dates. Additionally, you can set various account
  options.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_kerberos1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>MIT Kerberos (LAM Pro)</title>

  <para>You can manage your MIT Kerberos accounts with LAM Pro. Please add
  the user module "Kerberos (mitKerberos)" to activate this feature. If
  you want to manage entries based on the structural object class
  "krbPrincipal" please use "Kerberos (mitKerberosStructural)"
  instead.</para>

  <para><emphasis role="bold">Setup password changing</emphasis></para>

  <para>LAM Pro cannot generate the password hashes itself because MIT
  uses a proprietary format for them. Therefore, LAM Pro needs to call
  kadmin/kadmin.local to set the password.</para>

  <para>LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to
  set the password. Please use keytab authentication for this command
  since it must run without any interaction.</para>

  <para>Keytabs may be created with the "ktutil" application.</para>

  <para>Security hint: Please secure your LAM Pro server since the new
  passwords will be visible for a short time in the process list during
  the password change.</para>

  <para>Please note that kadmin/kadmin.local often returns a successful
  exit code even if errors occurred (e.g. password policy violations). You
  need to test this beforehand and, if affected, write a wrapper script
  around kadmin that returns a non-zero exit code on errors.</para>

  <para>Example commands:</para>

  <itemizedlist>
    <listitem>
      <para>/usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p
      realm/changepwd</para>
    </listitem>

    <listitem>
      <para>sudo /usr/sbin/kadmin.local</para>
    </listitem>
  </itemizedlist>
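<para>An added example of such a wrapper, not LAM Pro's own code: it runs
kadmin with the keytab arguments from the first example command, passes
on the "-q 'cpw ...'" arguments that LAM appends, and returns a non-zero
exit code whenever kadmin printed an error although it exited with 0. It
assumes that kadmin prints "Authenticating as principal ..." on every run
and "Password for ... changed." on success; the variable and function
names and the stand-in kadmin output used by the self-check are
constructed for this example.</para>

```shell
#!/bin/sh
# Added example, not LAM Pro's own code: wrapper that makes MIT kadmin return
# a non-zero exit code when it reports an error, so LAM Pro notices failed
# password changes. Configure this script as the password command in LAM Pro;
# LAM appends -q 'cpw -pw PASSWORD PRINCIPAL' when calling it.
# Assumptions: kadmin prints "Authenticating as principal ..." on every run
# and "Password for ... changed." on success; any other output is an error.
# KADMIN, KADMIN_ARGS and the function names are chosen for this example.

KADMIN="${KADMIN-/usr/sbin/kadmin}"
# Keytab authentication as in the first example command above (no spaces in
# the path, because the variable is split into words when kadmin is called).
KADMIN_ARGS="${KADMIN_ARGS--k -t /home/www-data/apache.keytab -p realm/changepwd}"

# Run kadmin with the fixed arguments plus those LAM passed in. "$@" holds the
# clear-text password, so it is never echoed or written to a file.
lam_kadmin() {
    out=$("$KADMIN" $KADMIN_ARGS "$@" 2>&1) && rc=0 || rc=$?
    if [ "$rc" -ne 0 ]; then
        printf '%s\n' "$out" >&2
        return "$rc"
    fi
    # Drop the lines a successful run prints; whatever remains is an error
    # message that kadmin did not reflect in its exit code.
    err=$(printf '%s\n' "$out" \
          | grep -v -e '^Authenticating as principal ' -e '^Password for .* changed\.$' || true)
    if [ -n "$err" ]; then
        printf '%s\n' "$err" >&2
        return 1
    fi
    return 0
}

# Constructed stand-ins for kadmin (not real KDC output) used by the
# self-check: both exit 0, which is exactly the behaviour the wrapper corrects.
fake_kadmin_rejected() {
    echo 'Authenticating as principal realm/changepwd with keytab /home/www-data/apache.keytab.' >&2
    echo 'change_password: Password is too short while changing password for "demo@EXAMPLE.COM".' >&2
    return 0
}
fake_kadmin_ok() {
    echo 'Authenticating as principal realm/changepwd with keytab /home/www-data/apache.keytab.' >&2
    echo 'Password for "demo@EXAMPLE.COM" changed.'
    return 0
}

# Returns 0 when the wrapper fails for the rejected change and succeeds for
# the accepted one; restores KADMIN/KADMIN_ARGS afterwards.
lam_kadmin_selfcheck() {
    saved_kadmin=$KADMIN; saved_args=$KADMIN_ARGS
    KADMIN=fake_kadmin_rejected; KADMIN_ARGS=""
    status=0
    if lam_kadmin -q 'cpw -pw dummy demo@EXAMPLE.COM' 2>/dev/null; then status=1; fi
    KADMIN=fake_kadmin_ok
    if ! lam_kadmin -q 'cpw -pw dummy demo@EXAMPLE.COM' 2>/dev/null; then status=1; fi
    KADMIN=$saved_kadmin; KADMIN_ARGS=$saved_args
    return "$status"
}

# Entry point when LAM Pro calls this script with its arguments.
if [ $# -gt 0 ]; then
    lam_kadmin "$@"
    exit $?
fi
```

<para>Run the script once with "lam_kadmin_selfcheck" against the
stand-ins, then against the real kadmin with a test principal, before
pointing LAM Pro at it.</para>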

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_mitKerberos1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para><emphasis role="bold">User management</emphasis></para>

  <para>You can specify the principal/user name, ticket lifetimes and
  expiration dates. Additionally, you can set various account
  options.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_mitKerberos2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section id="mailAliasesUser">
  <title>NIS mail aliases</title>

  <para>This module allows you to add the user to mail alias entries and
  remove the user from them.</para>

  <para><emphasis role="bold">Note:</emphasis> You need to activate the
  <link linkend="mailAliases">mail alias type</link> for this
  module.</para>

  <para>To activate mail aliases for users please select the module "Mail
  aliases (nisMailAliasUser)":</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/nisMailAliasUser1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>On tab "Module settings" you can select whether you want to set the
  user name or the email address as recipient in alias entries.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/nisMailAliasUser4.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>Now you will see the mail aliases tab when editing a user.</para>

  <para>The red cross will only remove the user from the alias entry. If
  you click the trash can button then the whole alias entry (which may
  contain other users) will be deleted.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/nisMailAliasUser2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You can add the user to existing alias entries or create completely
  new ones.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/nisMailAliasUser3.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>Courier mail</title>

  <para>This module allows you to add or remove the Courier extension for
  users.</para>

  <para><emphasis role="bold">Configuration:</emphasis></para>

  <para>Please activate the module Courier for users to enable this
  extension. The Unix module is optional.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_courierUser2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para><emphasis role="bold">Usage:</emphasis></para>

  <para>Your user tab will now show the Courier extension. This can be
  added/removed any time.</para>

  <para>Here you can configure the home directory in case the Unix module
  is not activated. Additionally, mailbox folder, quota, server and
  feature flags can be configured.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_courierUser1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>Qmail (LAM Pro)</title>

  <para>LAM Pro manages all qmail attributes for users. This includes mail
  addresses, ID numbers and quota settings.</para>

  <para>Please note that the main mail address is managed on tab
  "Personal" if the "Personal" module is also active. Otherwise, it will be
  on the qmail tab.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_qmail2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You can hide several qmail options if you do not want to manage
  them with LAM. This can be done on the module settings tab of your LAM
  server profile.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_qmail1.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
  <title>Mail routing</title>

  <para>LAM supports managing mail routing for user accounts.</para>

  <para>Module activation:</para>

  <para>This feature can be activated by adding the "Mail routing" module
  to the user account type in your server profile.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mailRoutingConfig.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para><emphasis role="bold">Usage</emphasis></para>

  <para>You can specify a routing address, the mail server and a number of
  local addresses to route.</para>

  <para>In case you want to add this extension by default for new users
  there is an option in the profile editor.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mailRouting.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para><emphasis role="bold">Wildcards</emphasis></para>

  <para>The module supports wildcards in the following input
  fields:</para>

  <itemizedlist>
    <listitem>
      <para>Routing address</para>
    </listitem>

    <listitem>
      <para>Local address</para>
    </listitem>
  </itemizedlist>

  <para>See the other modules you activated for the wildcards they
  provide (e.g. $user).</para>
</section>

<section>
  <title>SSH keys</title>

  <para>You can manage your public keys for SSH in LAM if you installed
  the <ulink url="http://code.google.com/p/openssh-lpk/">LPK patch for
  SSH</ulink> or set up AuthorizedKeysCommand (see below).</para>

  <para>Activate the "SSH public key" module for users in the server
  profile and you can add keys to your user entries.</para>

  <screenshot>
    <graphic fileref="images/ldapPublicKey2.png"/>
  </screenshot>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/ldapPublicKey.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para><emphasis role="bold">Example for
  AuthorizedKeysCommand</emphasis></para>

  <para>This will dynamically get the public key from LDAP. In this case
  there is no need to patch the SSH sources.</para>

  <para>Create the authentication script in e.g.
  /usr/bin/ldapAuthSSH.sh</para>

  <literallayout>
#!/bin/bash
# sshd calls this script with the login name as first argument.
uid="$1"
server=ldap.domain.com
baseDN=ou=people,dc=example,dc=com
port=389
# Fetch only the sshPublicKey attribute of the user; the sed expression joins
# LDIF continuation lines (leading space) and strips the attribute name so
# that sshd receives one key per line.
ldapsearch -x -H "ldap://$server:$port" -b "$baseDN" -s sub \
    "(&(objectclass=posixAccount)(uid=$uid))" sshPublicKey \
  | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
  </literallayout>

  <para>Now set up your sshd_config</para>

  <literallayout>AuthorizedKeysCommand /usr/bin/ldapAuthSSH.sh
AuthorizedKeysCommandUser root</literallayout>
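<para>As an added example (not LAM's own code), a more robust version of
the lookup done by the script above: the login name is escaped before it
is placed in the LDAP filter (RFC 4515), and the LDIF output of ldapsearch
is parsed including folded lines and base64-encoded "sshPublicKey::"
values, which ldapsearch emits when a key comment contains non-ASCII
characters. It assumes GNU coreutils base64; the server settings, the
sample LDIF and the function names are constructed for this
example.</para>

```shell
#!/bin/sh
# Added example, not LAM's own code: robust SSH public key lookup for sshd's
# AuthorizedKeysCommand (sshd passes the login name, e.g. via "%u").
# Assumes GNU coreutils base64; server settings and sample LDIF are constructed.

# Escape a value for use inside an LDAP search filter (RFC 4515):
# \ -> \5c, * -> \2a, ( -> \28, ) -> \29 (backslash first, so the other
# escapes are not escaped twice). NUL cannot occur in a shell string.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Read LDIF from stdin and print each sshPublicKey value on its own line.
# Continuation lines (leading space) are joined, "sshPublicKey::" values are
# base64-decoded; every other attribute is ignored.
ldif_ssh_public_keys() {
    awk '
        /^ / { line = line substr($0, 2); next }      # unfold continuation
        { emit(); line = $0 }
        END { emit() }
        function emit() {
            if (line ~ /^sshPublicKey:: /) print "B64 " substr(line, 16)
            else if (line ~ /^sshPublicKey: /) print "RAW " substr(line, 15)
            line = ""
        }
    ' | while read -r kind value; do
        if [ "$kind" = B64 ]; then
            printf '%s' "$value" | base64 -d
            echo
        else
            printf '%s\n' "$value"
        fi
    done
}

# What sshd calls: look the user up (anonymous bind) and print the keys.
ssh_keys_for_user() {
    server=ldap.domain.com
    port=389
    baseDN=ou=people,dc=example,dc=com
    uid=$(ldap_filter_escape "$1")
    ldapsearch -x -LLL -H "ldap://$server:$port" -b "$baseDN" -s sub \
        "(&(objectclass=posixAccount)(uid=$uid))" sshPublicKey \
      | ldif_ssh_public_keys
}

# Constructed ldapsearch output (not real keys): one key folded over two
# lines and one base64 value ("c3NoLXJzYSBBQUFBIHg=" decodes to "ssh-rsa AAAA x").
sample_ldif='dn: uid=demo,ou=people,dc=example,dc=com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHO
 LDERXYZ demo@laptop
sshPublicKey:: c3NoLXJzYSBBQUFBIHg=

'

# With a login name as argument the script queries LDAP; without arguments
# it demonstrates the parser on the sample.
if [ $# -gt 0 ]; then
    ssh_keys_for_user "$1"
else
    printf '%s' "$sample_ldif" | ldif_ssh_public_keys
fi
```

<para>The script only performs an anonymous search, so sshd can run it
as a dedicated unprivileged AuthorizedKeysCommandUser instead of
root.</para>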
</section>

<section>
  <title>YubiKey</title>

  <para>You can manage your YubiKey ids with LAM. It supports the <ulink
  url="https://github.com/mludvig/yubikey-ldap">yubiKeyUser schema</ulink>
  or any other attribute mapping.</para>

  <para><emphasis role="bold">Configuration</emphasis></para>

  <para>First, you need to activate the YubiKey module for users in your
  LAM server profile.</para>

  <screenshot>
    <graphic fileref="images/mod_yubikey1.png"/>
  </screenshot>

  <para>Second, you need to specify which object class and attribute name
  should be used.</para>

  <para>Object class: If you have an object class just for the YubiKey ids
  then enter it here. LAM will then provide options to add and remove it.
  In case you reuse an existing attribute from e.g. inetOrgPerson please
  leave the object class name blank.</para>

  <para>Attribute name: please enter the attribute name that is used for
  the key ids.</para>

  <screenshot>
    <graphic fileref="images/mod_yubikey2.png"/>
  </screenshot>

  <para>You will then be able to manage the key ids for your users.</para>

  <screenshot>
    <graphic fileref="images/mod_yubikey3.png"/>
  </screenshot>

  <para><emphasis role="bold">Self Service (LAM Pro)</emphasis></para>

  <para>This will allow your users to update their own keys.</para>

  <para>You need to configure the object class and attribute name first.
  This is done on tab "Module settings" in the self service profile.</para>

  <para><emphasis role="bold">Attention: </emphasis>Please note that both
  fields are mandatory here. Even if you reused an attribute from some
  existing object class you need to set it here. LAM needs this to detect
  whether the user can add keys.</para>

  <screenshot>
    <graphic fileref="images/mod_yubikey5.png"/>
  </screenshot>

  <para>Then add the YubiKey ids field to your self service profile on tab
  "Page layout".</para>

  <screenshot>
    <graphic fileref="images/mod_yubikey4.png"/>
  </screenshot>

  <para>When a user with the specified object class logs in then the key
  input fields are shown.</para>

  <screenshot>
    <graphic fileref="images/mod_yubikey6.png"/>
  </screenshot>
</section>

<section>
  <title>Authorized services</title>

  <para>You can set up PAM to check if a user is allowed to run a specific
  service (e.g. sshd) by reading the LDAP attribute "authorizedService".
  This way you can manage all allowed services via LAM.</para>

  <para/>

  <para>To activate this PAM feature please set up your <emphasis
  role="bold">/etc/libnss-ldap.conf</emphasis> and set
  "pam_check_service_attr" to "yes".</para>

  <para/>

  <para>Inside LAM you can now set the allowed services. You may also
  set up default services in your account profiles.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_authorizedServices.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>You can define a list of services in your LAM server profile that
  is used for autocompletion.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_authorizedServices3.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>

  <para>The autocompletion will show all values that contain the entered
  text. To display the whole list you can press backspace in the empty
  input field. Of course, you can also enter a service name that is not
  in the list.</para>

  <screenshot>
    <mediaobject>
      <imageobject>
        <imagedata fileref="images/mod_authorizedServices2.png"/>
      </imageobject>
    </mediaobject>
  </screenshot>
</section>

<section>
<title>IMAP mailboxes</title>

<para>LAM may create and delete mailboxes on an IMAP server for your
user accounts. You will need an IMAP server that supports either SSL or
TLS for this feature.</para>

<para>To activate the mailbox management module please add the "Mailbox
(imapAccess)" module for the type user in your LAM server
profile:</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/imapAccess1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Now configure the module on the tab "Module settings". Here you
can specify the IMAP server name, encryption options, the authentication
for the IMAP connection and the valid mail domains. LAM can use either
your LAM login password for the IMAP connection or display a dialog
where you need to enter the password. It is also possible to store the
admin password in your server profile. This is not recommended for
security reasons.</para>

<para>The user name can either be a fixed name (e.g. "admin") or it can
be generated from LDAP attributes of the LAM admin user. E.g. $uid$ will
be transformed to "myUser" if you log in with
"uid=myUser,ou=people,dc=example,dc=com".</para>

<para>The mail domains specify for which accounts mailboxes may be
created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can be
managed for "user@lam-demo.org" but not for "user@example.com". Use "*"
for any domain.</para>

<para>You need to install the SSL certificate of the CA that signed your
server certificate. This is usually done by installing the certificate
in /etc/ssl/certs. Different Linux distributions may offer different
ways to do this. For Debian please copy the certificate to
"/usr/local/share/ca-certificates" and run "update-ca-certificates" as
root.</para>

<para>It is not recommended to disable the validation of IMAP server
certificates.</para>

<para>The prefix, user name attribute and path separator specify how
your mailboxes are named (e.g. "user.myUser@localhost" or
"user/myUser"). Select the values depending on your IMAP server
settings.</para>

<para>You can specify a list of initial folder names to create for new
mailboxes. LAM will then create them with each new mailbox.</para>
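<para>Added example (not LAM's own code) in Python of the three settings described above: the $attr$ login name template filled from the admin DN, the mailbox name built from prefix, separator and user name, and the mail domain check with the "*" wildcard. The exact placeholder and naming rules LAM applies are assumed, as is the optional "@domain" suffix; all DNs and addresses are constructed.</para>
<programlisting><![CDATA[
```python
"""Helpers mirroring the IMAP mailbox settings described above.

Added example, not LAM's own code. Assumptions: $attr$ placeholders in the
login name are filled from the RDN attributes of the LAM admin DN; the
mailbox name is prefix + separator + user name, optionally followed by
"@domain"; the mail domain list may contain "*" for any domain.
"""
import re

PLACEHOLDER = re.compile(r"\$([A-Za-z][A-Za-z0-9-]*)\$")


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def expand_login_name(template, admin_dn):
    """Replace $attr$ placeholders with values from the admin DN.

    Only attributes present in the DN are known here; LAM itself can use
    the attributes of the admin's LDAP entry.
    """
    values = {}
    for attr, value in split_dn(admin_dn):
        values.setdefault(attr, value)  # leftmost RDN wins for repeated attrs

    def replace(match):
        attr = match.group(1).lower()
        if attr not in values:
            raise KeyError("attribute %s not found in %s" % (attr, admin_dn))
        return values[attr]

    return PLACEHOLDER.sub(replace, template)


def mailbox_name(prefix, separator, user_name, domain=None):
    """Build the IMAP mailbox name, e.g. user.myUser@localhost or user/myUser."""
    name = prefix + separator + user_name if prefix else user_name
    if domain:
        name = name + "@" + domain
    return name


def domain_allowed(mail_address, allowed_domains):
    """Check whether a mailbox may be managed for this address.

    The domain part is compared case-insensitively; "*" allows any domain.
    An address without a domain part is never allowed.
    """
    if "@" not in mail_address:
        return False
    domain = mail_address.rsplit("@", 1)[1].lower()
    return any(d == "*" or d.lower() == domain for d in allowed_domains)


if __name__ == "__main__":
    admin = "uid=myUser,ou=people,dc=example,dc=com"
    print(expand_login_name("$uid$", admin))
    print(mailbox_name("user", ".", "myUser", "localhost"))
    print(domain_allowed("user@lam-demo.org", ["lam-demo.org"]))
```
]]></programlisting>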

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/imapAccess2.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>When you edit a user account then you will now see the tab
"Mailbox". Here you can create/delete the mailbox for this user.</para>

<para>Please note that mailbox creation via file upload is not possible
if you configured the LAM server profile to ask for the admin
password.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/imapAccess3.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>IP addresses (LAM Pro)</title>

<para>You can manage the IP addresses of user accounts (e.g. assigned by
DHCP) with the ipHost module.</para>

<para><emphasis role="bold">Configuration</emphasis></para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/ipHostUser.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para><emphasis role="bold">User editing</emphasis></para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/ipHostUser1.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section id="s_account">
<title>Account</title>

<para>This is a very simple module to manage accounts based on the
object class "account". Usually, this is used for host accounts only.
Please note that users based on the "account" object class
cannot have contact information (e.g. telephone number) as with
"inetOrgPerson".</para>

<para>You can enter a user/host name and a description for your
accounts.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_account.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
</section>

<section>
<title>Groups</title>

<para/>

<section>
<title>Unix</title>

<para>This module is used to manage Unix group entries. This is the
default module to manage Unix groups and uses the nis.schema. Suse users
who use the <link
linkend="rfc2307bisPosixGroup">rfc2307bis.schema</link> need to use LAM
Pro.</para>

<para><emphasis role="bold">Configuration</emphasis></para>

<para>Please add the account type "Groups" and then select the
account module "Unix (posixGroup)".</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_unixGroupConfig1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Virtual list attributes:</para>

<screenshot>
<graphic fileref="images/mod_unixGroupConfig2.png"/>
</screenshot>

<para>The following virtual attributes can be shown in the group list.
These are not real LDAP attributes but extra data that LAM computes and
can show.</para>

<itemizedlist>
<listitem>
<para>memberuid_count: number of entries in attribute
"memberuid"</para>
</listitem>

<listitem>
<para>member_count: number of entries in attribute "member"</para>
</listitem>

<listitem>
<para>uniqueMember_count: number of entries in attribute
"uniquemember"</para>
</listitem>

<listitem>
<para>owner_count: number of entries in attribute "owner"</para>
</listitem>

<listitem>
<para>roleOccupant_count: number of entries in attribute
"roleOccupant"</para>
</listitem>
</itemizedlist>

<para>Module settings:</para>

<para>GID generator: LAM will suggest GID numbers for your accounts.
Please note that duplicate IDs may be assigned if several users create
groups at the same time. Use an <ulink
url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink>
like "Attribute Uniqueness" (<link
linkend="a_openldap_unique">example</link>) if you have lots of LAM
admins creating groups.</para>

<itemizedlist>
<listitem>
<para>Fixed range: LAM searches for free numbers within the given
limits. LAM always tries to use a free GID that is greater than the
existing GIDs to prevent collisions with deleted groups.</para>
</listitem>

<listitem>
<para>Samba ID pool: This uses a special LDAP entry that includes
attributes that store a counter for the last used UID/GID. Please
note that this requires that you install the Samba schema and create
an LDAP entry of object class "sambaUnixIdPool".</para>
</listitem>

<listitem>
<para>Magic number: Use this if your LDAP server assigns the GID
numbers automatically (e.g. DNA by 389 server). Enter the server's
magic number setting.</para>
</listitem>
</itemizedlist>

<para>Disable membership management: Disables group membership
management. This is useful if memberships are e.g. managed via group of
names.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_unixGroupConfig.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Group management:</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_unixGroup.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Group membership management:</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_unixGroup2.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section id="rfc2307bisPosixGroup">
<title>Unix groups with rfc2307bis schema (LAM Pro)</title>

<para>Some applications (e.g. Suse Linux) use the rfc2307bis schema for
Unix accounts instead of the nis schema. In this case group accounts are
based on the object class <link lang=""
linkend="a_groupOfNames">groupOf(Unique)Names</link> or namedObject. The
object class posixGroup is auxiliary in this case.</para>

<para>LAM Pro supports these groups with a special account module:
<emphasis role="bold">rfc2307bisPosixGroup</emphasis></para>

<para>Use this module only if your system depends on the rfc2307bis
schema. The module can be selected in the LAM configuration. Instead of
using groupOfNames as basis for your groups you may also use
namedObject.</para>

<para>Module activation:</para>

<para><screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/rfc2307bis.png"/>
</imageobject>
</mediaobject>
</screenshot></para>

<para>GID generator: LAM will suggest GID numbers for your accounts.
Please note that duplicate IDs may be assigned if several users create
groups at the same time. Use an <ulink
url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink>
like "Attribute Uniqueness" (<link
linkend="a_openldap_unique">example</link>) if you have lots of LAM
admins creating groups.</para>

<itemizedlist>
<listitem>
<para>Fixed range: LAM searches for free numbers within the given
limits. LAM always tries to use a free GID that is greater than the
existing GIDs to prevent collisions with deleted groups.</para>
</listitem>

<listitem>
<para>Samba ID pool: This uses a special LDAP entry that includes
attributes that store a counter for the last used UID/GID. Please
note that this requires that you install the Samba schema and create
an LDAP entry of object class "sambaUnixIdPool".</para>
</listitem>

<listitem>
<para>Magic number: Use this if your LDAP server assigns the GID
numbers automatically (e.g. DNA by 389 server). Enter the server's
magic number setting.</para>
</listitem>
</itemizedlist>
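<para>Added example (not LAM's own code), in Python, of the "Fixed range" rule described in the GID generator settings of both the Unix and the rfc2307bis group module: prefer a free number above all existing GIDs, fall back to the lowest free number once the top of the range is reached, and show the duplicate-ID race that a uniqueness overlay prevents. Treating GIDs outside the range as irrelevant is an assumption; the DNs are constructed.</para>
<programlisting><![CDATA[
```python
"""Fixed-range GID selection as described for the GID generator.

Added example, not LAM's own code. Rule as stated above: suggest a free
number greater than every existing GID in the range (so IDs of deleted
groups are not reused at once) and fall back to the lowest free number
when the top of the range is reached. IDs outside the range are ignored,
which is an assumption.
"""


def next_free_gid(existing_gids, min_gid, max_gid):
    """Return the GID to suggest; raise ValueError if the range is full."""
    if min_gid > max_gid:
        raise ValueError("invalid range %d-%d" % (min_gid, max_gid))
    in_range = {g for g in existing_gids if min_gid <= g <= max_gid}
    if not in_range:
        return min_gid
    candidate = max(in_range) + 1
    if candidate <= max_gid:
        return candidate
    # Top of the range reached: reuse the lowest free number.
    for gid in range(min_gid, max_gid + 1):
        if gid not in in_range:
            return gid
    raise ValueError("no free GID in range %d-%d" % (min_gid, max_gid))


def find_duplicate_ids(gid_by_dn):
    """Map each gidNumber used by more than one entry to its sorted DNs.

    This is the check an attribute uniqueness overlay enforces on the
    server; without one, run it after bulk or concurrent creations.
    """
    owners = {}
    for dn, gid in gid_by_dn.items():
        owners.setdefault(gid, []).append(dn)
    return {gid: sorted(dns) for gid, dns in owners.items() if len(dns) > 1}


def simulate_concurrent_creation(existing_gids, min_gid, max_gid, admins=2):
    """Admins who read the same snapshot all pick the same "free" GID.

    Returns the duplicates that result, illustrating the race the text
    warns about. DNs are constructed.
    """
    picks = {}
    for i in range(admins):
        dn = "cn=newgroup%d,ou=group,dc=example,dc=com" % i
        picks[dn] = next_free_gid(existing_gids, min_gid, max_gid)
    return find_duplicate_ids(picks)


if __name__ == "__main__":
    print(next_free_gid([10000, 10001, 10005], 10000, 20000))
    print(simulate_concurrent_creation([10000], 10000, 20000))
```
]]></programlisting>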

<para>Disable membership management: Disables group membership
management. This is useful if memberships are e.g. managed via group of
names.</para>

<para>Force sync with group of names: This will automatically set the
group memberships of the Unix part to the same members as set on the
group of names tab.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/rfc2307bis2.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>The GID number will be filled automatically based on the server
profile configuration.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_unixGroupLAMPro.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Group members can be edited and also synced with Group of (unique)
names.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_unixGroupLAMPro2.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Samba 3</title>

<para>LAM supports managing Samba 3 groups. You can set special group
types and also create Windows predefined groups like "Domain
admins".</para>

<para>Module activation:</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_sambaGroup2.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Group editing:</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_sambaGroup.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Windows (Samba 4)</title>

<para>LAM can manage your Windows groups. Please enable the account type
"Groups" in your LAM server profile and then add the group module
"Windows (windowsGroup)(*)".</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_windowsGroup3.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>The default list attributes are for Unix and not suitable for
Windows (they produce blank lines in the account table). Please use
"#cn;#member;#description" or select your own attributes to display in
the account list.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_windowsGroup1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>NIS support is deactivated by default. Enable it if needed on tab
"Module settings".</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_windowsGroup4.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Now you can edit your groups inside LAM. You can manage the group
name, description and its type. Of course, you can also set the group
members.</para>

<para>Group scopes:</para>

<itemizedlist>
<listitem>
<para>Global: Use this for groups with frequent changes. Global
groups are not replicated to other domains.</para>
</listitem>

<listitem>
<para>Universal: Groups with universal scope are used to consolidate
groups that span domains. They are globally replicated.</para>
</listitem>

<listitem>
<para>Domain local: Groups with domain local scope can be used to
set permissions inside one domain. They are not replicated to other
domains.</para>
</listitem>
</itemizedlist>

<para>Group type:</para>

<itemizedlist>
<listitem>
<para>Security: Use this group type to control permissions.</para>
</listitem>

<listitem>
<para>Distribution: These groups are only used for email
applications. They cannot be used to control permissions.</para>
</listitem>
</itemizedlist>
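<para>Added example (not LAM's own code), in Python, of how the scope and type chosen above are stored in the directory: the single integer attribute groupType, which is what an audit script reads back when checking that a group used for permissions is really a security group. The attribute name and bit values are the documented Active Directory ones and do not come from this page; the sample groups are constructed.</para>
<programlisting><![CDATA[
```python
"""Encode and decode the Active Directory groupType attribute.

Added example, not LAM's own code. The scope and type chosen in LAM's group
editor end up in the single integer attribute groupType, which is what an
audit script reads back. The attribute name and bit values are the
documented Active Directory ones and are not taken from this page; the
sample groups below are constructed.
"""

SCOPE_BITS = {"global": 0x2, "domain local": 0x4, "universal": 0x8}
SECURITY_ENABLED = 0x80000000


def encode_group_type(scope, security):
    """Build the groupType value as stored in LDAP (signed 32-bit integer)."""
    bits = SCOPE_BITS[scope.lower()]
    if security:
        bits |= SECURITY_ENABLED
    if bits >= 0x80000000:
        bits -= 0x100000000  # two's complement wrap, as the directory stores it
    return bits


def decode_group_type(value):
    """Return (scope, "security" or "distribution"); raise on malformed bits."""
    bits = int(value) & 0xFFFFFFFF
    scopes = [name for name, bit in SCOPE_BITS.items() if bits & bit]
    if len(scopes) != 1:
        raise ValueError("groupType %s does not set exactly one scope" % value)
    kind = "security" if bits & SECURITY_ENABLED else "distribution"
    return scopes[0], kind


# Constructed sample: attribute names in lower case, values as strings, as
# an LDAP client library would return them.
SAMPLE_GROUPS = {
    "cn=admins,cn=users,dc=example,dc=com": {"grouptype": ["-2147483646"]},
    "cn=newsletter,cn=users,dc=example,dc=com": {"grouptype": ["2"]},
    "cn=fileshare,cn=users,dc=example,dc=com": {"grouptype": ["-2147483644"]},
}


def distribution_groups(entries):
    """DNs of distribution groups.

    A permission assigned to one of these has no effect, so any ACL that
    names such a group should be reviewed.
    """
    result = []
    for dn, attrs in entries.items():
        if decode_group_type(attrs["grouptype"][0])[1] == "distribution":
            result.append(dn)
    return sorted(result)


if __name__ == "__main__":
    print(encode_group_type("global", True))
    print(decode_group_type("-2147483646"))
    print(distribution_groups(SAMPLE_GROUPS))
```
]]></programlisting>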

<para>With "Show effective members" you can show a list of all members
of this group including members of subgroups and their subgroups.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_windowsGroup2.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>AD LDS (formerly ADAM) (LAM Pro)</title>

<para>LAM can manage your AD LDS groups. Please enable the account type
"Groups" in your LAM server profile and then add the group module "AD
LDS (windowsLDSGroup)(*)".</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_windowsGroup3.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>The default list attributes are for Unix and not suitable for AD
LDS (they produce blank lines in the account table). Please use
"#cn;#member;#description" or select your own attributes to display in
the account list.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_adLds2.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para/>

<para>Now you can edit your groups inside LAM. You can manage the group
name, description and its type. Of course, you can also set the group
members.</para>

<para>With "Show effective members" you can show a list of all members
of this group including members of subgroups and their subgroups.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_adLds6.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Kolab</title>

<para>Please activate the Kolab group module in your LAM server profile
to activate Kolab support.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_kolab3.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>You can specify the email address and also set allowed sender and
recipient addresses.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_kolab4.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Mail routing</title>

<para>LAM supports managing mail routing for group accounts.</para>

<para>Module activation:</para>

<para>This feature can be activated by adding the "Mail routing" module
to the group account type in your server profile.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mailRoutingConfigGroup.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Usage:</para>

<para>You can specify a routing address, the mail server and a number of
local addresses to route.</para>

<para>In case you want to add this extension by default for new groups
there is an option in the profile editor.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mailRoutingGroup.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Quota</title>

<para>You can manage file system quotas with LAM. This requires setting up
<link linkend="a_lamdaemon">lamdaemon</link>. File system quotas are not
stored inside LAM but managed directly on the specified servers.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_quotaGroup.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Dynamic lists (LAM Pro)</title>

<para><ulink
url="http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists">Dynamic
lists</ulink> allow you to create LDAP entries that populate the value
of an attribute via LDAP query. This is e.g. used to create groups that
contain all users in a certain DN.</para>

<para>Please note that this functionality requires configuration on your
LDAP server. E.g. on OpenLDAP you need to activate the "dynlist" overlay
and need to specify attribute mappings.</para>

<para><emphasis role="bold">Configuration</emphasis></para>

<para>Add a new group account type and set a unique label for it.</para>

<para><inlinemediaobject>
<imageobject>
<imagedata fileref="images/mod_dynamicList1.png"/>
</imageobject>
</inlinemediaobject></para>

<para>Do not forget to set proper "List attributes" to be shown on the
overview page of all dynamic lists.</para>

<para><inlinemediaobject>
<imageobject>
<imagedata fileref="images/mod_dynamicList2.png"/>
</imageobject>
</inlinemediaobject></para>

<para>On tab "Modules" please add the dynamic lists module.</para>

<para><inlinemediaobject>
<imageobject>
<imagedata fileref="images/mod_dynamicList4.png"/>
</imageobject>
</inlinemediaobject></para>

<para>On tab "Module settings" you can now configure your dynamic lists.
Here you set up the used object class, RDN attribute, query attribute and
list attribute (the one that is populated via query).</para>

<para>In case you have different types of dynamic lists you can simply
redo the steps above to create more group types.</para>

<para><inlinemediaobject>
<imageobject>
<imagedata fileref="images/mod_dynamicList3.png"/>
</imageobject>
</inlinemediaobject></para>

<para/>

<para><emphasis role="bold">Usage</emphasis></para>

<para>When you log in to LAM you will see your new dynamic lists
tab.</para>

<para><inlinemediaobject>
<imageobject>
<imagedata fileref="images/mod_dynamicList5.png"/>
</imageobject>
</inlinemediaobject></para>

<para>For each list you can manage the name and query string. LAM also
displays which entries are auto-populated to the list.</para>
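<para>Added example (not LAM's or OpenLDAP's own code), in Python, of what the query string does: it parses the LDAP URL stored in the query attribute (base, attributes, scope, filter) and computes the entries the list attribute would be populated with, so the effect of a query can be checked before a list is used for access decisions. The filter evaluator supports only presence, equality, and the &amp;, | and ! operators; the in-memory directory is constructed.</para>
<programlisting><![CDATA[
```python
"""Populating a dynamic list from its LDAP URL query.

Added example, not LAM's or OpenLDAP's own code. The dynlist overlay reads
the query from the configured query attribute (an RFC 4516 LDAP URL) and
fills the list attribute with the DNs of matching entries. The filter
evaluator supports only presence, equality, &, | and !, which covers the
usual "all users below a DN" lists; the directory below is constructed.
"""
from urllib.parse import unquote

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter into its parts."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    _host, _, dn_part = rest.partition("/")
    parts = dn_part.split("?") + [""] * 4
    base, attrs, scope, filt = (unquote(p) for p in parts[:4])
    if scope.lower() not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    return {"base": base.lower(),
            "attrs": [a for a in attrs.split(",") if a],
            "scope": SCOPES[scope.lower()],
            "filter": filt or "(objectClass=*)"}


def _parse_filter(text, pos):
    """Recursive descent over the supported RFC 4515 subset -> (node, pos)."""
    if text[pos] != "(":
        raise ValueError("expected ( at %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse_filter(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, pos = _parse_filter(text, pos + 1)
        node = ("!", [child])
    else:
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        node = ("=", (attr.lower(), value))
        pos = end
    if text[pos] != ")":
        raise ValueError("expected ) at %d" % pos)
    return node, pos + 1


def _matches(node, entry):
    op, arg = node
    if op == "&":
        return all(_matches(child, entry) for child in arg)
    if op == "|":
        return any(_matches(child, entry) for child in arg)
    if op == "!":
        return not _matches(arg[0], entry)
    attr, value = arg
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def _in_scope(dn, base, scope):
    dn = dn.lower()
    if dn == base:
        return scope != "one"
    if scope == "base" or (base and not dn.endswith("," + base)):
        return False
    if scope == "sub":
        return True
    below = dn[:len(dn) - len(base) - 1] if base else dn
    return "," not in below  # one RDN below the base (escaped commas ignored)


def populate_list(directory, url):
    """DNs the list attribute would contain for this query, sorted."""
    query = parse_ldap_url(url)
    node, end = _parse_filter(query["filter"], 0)
    if end != len(query["filter"]):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, entry in directory.items()
                  if _in_scope(dn, query["base"], query["scope"])
                  and _matches(node, entry))


# Constructed directory, attribute names in lower case.
DIRECTORY = {
    "ou=people,dc=example,dc=com": {"objectclass": ["organizationalUnit"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "departmentnumber": ["it"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "departmentnumber": ["sales"]},
    "uid=svc,ou=services,ou=people,dc=example,dc=com": {
        "objectclass": ["account"]},
}


if __name__ == "__main__":
    print(populate_list(
        DIRECTORY,
        "ldap:///ou=people,dc=example,dc=com??one?(objectClass=inetOrgPerson)"))
```
]]></programlisting>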

<para><inlinemediaobject>
<imageobject>
<imagedata fileref="images/mod_dynamicList6.png"/>
</imageobject>
</inlinemediaobject></para>
</section>

<section>
<title>PyKota</title>

<para>There are two LAM group modules, depending on whether your group
entries should be built on object class "pykotaObject" or a different
structural object class (e.g. "posixGroup"). For "pykotaObject" please
select "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)" in
all other cases.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_pykotaGroup1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Now you can add the PyKota extension to your groups.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_pykotaGroup2.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
</section>

<section>
<title>Hosts</title>

<section>
<title>Account</title>

<para>Please see the description <link
linkend="s_account">here</link>.</para>
</section>

<section>
<title>Device (LAM Pro)</title>

<para>The device object class allows you to manage general information
about all sorts of devices (e.g. computers, network hardware, ...). You
can enter the serial number, location and a description. It is also
possible to specify the owner of the device.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/device.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Samba 3</title>

<para>You can manage Samba 3 host entries by adding the Unix and Samba 3
account modules.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_sambaHost1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_sambaHost2.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Windows (Samba 4)</title>

<para>LAM can manage your Windows servers and workstations. Please
enable the account type "Hosts" in your LAM server profile and then add
the host module "Windows (windowsHost)(*)".</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_windowsServer3.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>The default list attributes are for Unix and not suitable for
Windows (they produce blank lines in the account table). Please use
"#cn;#description;#location" or select your own attributes to display in
the account list.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_windowsServer2.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Now you will see your computer accounts inside LAM. You can set
e.g. the server's description and location information.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_windowsServer1.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>IP addresses (LAM Pro)</title>

<para>You can manage the IP addresses of host accounts with the ipHost
module. It manages the following information:</para>

<itemizedlist>
<listitem>
<para>IP addresses (IPv4/IPv6)</para>
</listitem>

<listitem>
<para>location of the host</para>
</listitem>

<listitem>
<para>manager: the person who is responsible for the host</para>
</listitem>
</itemizedlist>

<para>You can activate this extension by adding the module ipHost to the
list of active host modules.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/ipHost.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>MAC addresses</title>

<para>Hosts can have an unlimited number of MAC addresses. To enable
this feature just add the "MAC address" module to the host account
type.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/macAddress.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Puppet</title>

<para>LAM supports managing your <ulink
url="http://puppetlabs.com/">Puppet</ulink> configuration. You can edit
all attributes like environment, classes, variables and parent
node.</para>

<para><emphasis role="bold">Configuration</emphasis></para>

<para>To activate this feature please edit your LAM server profile and
add the host module "Puppet (puppetClient)" on tab "Modules". This will
add the Puppet tab to your host pages.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_puppet2.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>On tab "Module settings" in your LAM server profile you may also
set up some common environment names. LAM will use them to provide
autocompletion hints when editing the environment for a node.</para>

<para>If you enter any value in "Enforce classes" then LAM will only
accept this list of classes.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_puppet3.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para><emphasis role="bold">Editing nodes</emphasis></para>

<para>When you edit a host entry then you will see the tab "Puppet".
Here you can add/remove the Puppet extension and edit all
attributes.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_puppet1.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>NIS net groups</title>

<para>NIS netgroups can be used to e.g. restrict SSH access to your
machines.</para>

<para><emphasis role="bold">Configuration</emphasis></para>

<para>Please add the module "NIS net groups (nisNetGroupHost)" to the
list of active host modules.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_nisNetGroupHost1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para><emphasis role="bold">Host editing</emphasis></para>

<para>You will now see a new tab when editing hosts. Here you can assign
memberships in NIS net groups and also set user/domain.</para>
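<para>Added example (not LAM's own code), in Python, of how the host/user/domain memberships set here are evaluated by a consumer such as an SSH access rule: it parses "(host,user,domain)" triples from nisNetgroupTriple, follows nested netgroups in memberNisNetgroup, and answers the innetgr() style question with wildcard (empty) and "-" fields handled. The netgroup data below is constructed.</para>
<programlisting><![CDATA[
```python
"""Matching of NIS netgroup triples, as used to restrict SSH access.

Added example, not LAM's own code. A netgroup entry (object class
nisNetgroup) holds "(host,user,domain)" triples in nisNetgroupTriple and
references to nested netgroups in memberNisNetgroup; an empty field is a
wildcard and "-" matches nothing. The directory below is constructed.
"""
import re

TRIPLE = re.compile(r"^\(\s*([^,()]*)\s*,\s*([^,()]*)\s*,\s*([^,()]*)\s*\)$")


def parse_triple(text):
    """Parse "(host,user,domain)" into a 3-tuple of stripped fields."""
    match = TRIPLE.match(text.strip())
    if not match:
        raise ValueError("malformed netgroup triple: %r" % text)
    return tuple(field.strip() for field in match.groups())


def triple_matches(triple, host, user, domain):
    """Compare a triple against a request.

    Request fields given as None are not checked, like a NULL argument
    to innetgr(); an empty pattern matches anything, "-" matches nothing.
    """
    for pattern, actual in zip(triple, (host, user, domain)):
        if actual is None:
            continue
        if pattern == "-":
            return False
        if pattern and pattern != actual:
            return False
    return True


def in_netgroup(directory, netgroup, host=None, user=None, domain=None):
    """Recursive innetgr(): True if (host, user, domain) is in netgroup.

    Nested netgroups are followed; the seen set guards against cycles and
    unknown nested names are treated as empty.
    """
    seen, stack = set(), [netgroup]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        entry = directory.get(name)
        if entry is None:
            continue
        for text in entry.get("nisnetgrouptriple", []):
            if triple_matches(parse_triple(text), host, user, domain):
                return True
        stack.extend(entry.get("membernisnetgroup", []))
    return False


# Constructed netgroups keyed by cn, attribute names in lower case.
NETGROUPS = {
    "sshusers": {"nisnetgrouptriple": ["(,alice,)", "(-,bob,example.com)"],
                 "membernisnetgroup": ["admins"]},
    "admins": {"nisnetgrouptriple": ["(,carol,)"],
               "membernisnetgroup": ["sshusers"]},  # cycle back to sshusers
    "webservers": {"nisnetgrouptriple": ["(web1.example.com,-,)",
                                         "(web2.example.com,-,)"]},
}


if __name__ == "__main__":
    print(in_netgroup(NETGROUPS, "sshusers", user="carol"))
    print(in_netgroup(NETGROUPS, "webservers", host="web1.example.com"))
```
]]></programlisting>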

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_nisNetGroupHost2.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
</section>

<section>
<title>Samba 3 domains</title>

<para>Samba 3 stores information about its domain settings inside LDAP.
This includes the domain name, its SID and some policies. You can manage
all these attributes with LAM.</para>

<para>Please activate the account type "Samba domains" in your LAM server
profile. Please note that Samba by default uses the LDAP root for domain
objects (e.g. dc=example,dc=com).</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/sambaDomains1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>This will add a new tab to LAM where you can manage domain
information.</para>

<para>The domain name, SID and RID base can only be specified for new
domains and are not changeable via LAM at a later time. You may set up
several password policies for your Samba domains and also some RID options
that influence the creation of SIDs for users/groups/hosts.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/sambaDomains2.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section id="a_groupOfNames">
|
|
<title>Group of (unique) names and group of members (LAM Pro)</title>
|
|
|
|
<para>These classes can be used to represent group relations. Since they
|
|
allow DNs as members you can also use them to represent nested
|
|
groups.</para>
|
|
|
|
<para><emphasis role="bold">Configuration:</emphasis></para>
|
|
|
|
<para>Activate the account type "Group of names" in your LAM server
|
|
profile to use these account modules. Alternatively, you can use the
|
|
account type "Groups".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then add the module "Group of names (groupOfNames)", "Group of
|
|
unique names (groupOfUniqueNames)" or "Group of members
|
|
(groupOfMembers)".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para/>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfMembers1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Virtual list attributes:</para>
|
|
|
|
<screenshot>
|
|
<graphic fileref="images/mod_gon.png"/>
|
|
</screenshot>
|
|
|
|
<para>The following virtual attributes can be shown in the group list.
|
|
These are no real LDAP attributes but extra data that can be shown by
|
|
LAM.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>member_count: number of entries in attribute "member"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>uniqueMember_count: number of entries in attribute
|
|
"uniquemember"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>owner_count: number of entries in attribute "owner"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>roleOccupant_count: number of entries in attribute
|
|
"roleOccupant"</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Module settings:</para>
|
|
|
|
<para>On the module settings tab you set some options like the display
|
|
format for members/owners and if fields like description should not be
|
|
displayed.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames5.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Group management:</emphasis></para>
|
|
|
|
<para>Group of (unique) names have four basic attributes:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Name: a unique name for the group</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Description: optional description</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Owner: the account which owns this group (optional)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Members: the members of the group (at least one is
|
|
required)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You can add any accounts as members. This includes other groups
|
|
which leads to nested groups.</para>
|
|
|
|
<para>To show members of nested groups click on "Show effective members".
|
|
Please note that for large groups this will run lots of queries against
|
|
your LDAP server.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="organizationalRole">
|
|
<title>Organizational roles (LAM Pro)</title>
|
|
|
|
<para>This module manages roles via the organizationalRole object class.
|
|
There is also a <link linkend="organizationalRoleUser">user module</link>
|
|
to manage memberships on the user edit page.</para>
|
|
|
|
<para><emphasis role="bold">Configuration:</emphasis></para>
|
|
|
|
<para>Activate the account type "Groups" in your LAM server profile to use
|
|
this account module. Alternatively, you can use the account type "Group of
|
|
names".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then add the module "Role (organizationalRole)".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>On the module settings tab you set options such as the display
format for members and whether the description should be hidden.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Role management:</emphasis></para>
|
|
|
|
<para>You can add any account as a member. This includes other roles, which
results in nested roles (nesting must be supported by your LDAP client
applications).</para>

<para>To show the members of nested roles click on "Show effective members".
Please note that for large roles this will run many queries against
your LDAP server.</para>
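<para>The effective-member resolution described for groups of names above and for roles here, as an added example in Python that is not LAM's own code: the directory, DNs and entries are constructed sample data held in memory, and the read counter stands in for the LDAP queries that "Show effective members" has to issue. It covers the general case of groupOfNames, groupOfUniqueNames and organizationalRole entries nested in one another, including a membership cycle.</para>

```python
"""Resolve the effective (transitive) members of nested groups and roles.

Added example, not LAM code. The directory below is an in-memory stand-in
for LDAP: each DN maps to its attributes. groupOfNames entries list
members in "member", groupOfUniqueNames in "uniqueMember" and
organizationalRole entries in "roleOccupant"; any of these values may
point at another group or role, which is what nesting means here.
"""

MEMBER_ATTRIBUTES = ("member", "uniqueMember", "roleOccupant")
CONTAINER_CLASSES = {"groupofnames", "groupofuniquenames", "organizationalrole"}

# Constructed sample data, not real accounts. "cn=admins" contains "cn=ops",
# which contains "cn=admins" again (a cycle) plus the role "cn=oncall".
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=org",
                   "cn=ops,ou=groups,dc=example,dc=org"],
    },
    "cn=ops,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=org",
                   "cn=admins,ou=groups,dc=example,dc=org",
                   "cn=oncall,ou=roles,dc=example,dc=org"],
    },
    "cn=oncall,ou=roles,dc=example,dc=org": {
        "objectClass": ["organizationalRole"],
        "roleOccupant": ["uid=carol,ou=people,dc=example,dc=org"],
    },
    "uid=alice,ou=people,dc=example,dc=org": {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=org": {"objectClass": ["inetOrgPerson"]},
    "uid=carol,ou=people,dc=example,dc=org": {"objectClass": ["inetOrgPerson"]},
}


def is_container(entry):
    """True for entries whose members must be expanded rather than listed."""
    return any(oc.lower() in CONTAINER_CLASSES for oc in entry.get("objectClass", []))


def direct_members(entry):
    """DNs named directly in any of the membership attributes."""
    members = []
    for attribute in MEMBER_ATTRIBUTES:
        members.extend(entry.get(attribute, []))
    return members


def effective_members(directory, start_dn, max_depth=10):
    """Return (sorted effective member DNs, number of entry reads performed).

    Every DN is read at most once (the visited set), which both stops
    membership cycles and bounds the work; max_depth additionally caps how
    deep a chain of nested groups is followed. The read count is what the
    "Show effective members" warning in the text is about: it grows with
    the number of distinct DNs reachable from the group, including every
    user entry that has to be read to tell users from groups.
    """
    visited = set()
    members = set()
    reads = 0
    stack = [(start_dn, 0)]
    while stack:
        dn, depth = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        reads += 1                       # one base-scope search per DN
        entry = directory.get(dn)
        if entry is None:
            continue                     # dangling reference: skip it
        if not is_container(entry):
            members.add(dn)
            continue
        if depth >= max_depth:
            continue                     # too deep: do not expand further
        for child in direct_members(entry):
            stack.append((child, child_depth := depth + 1))
    return sorted(members), reads


if __name__ == "__main__":
    members, reads = effective_members(DIRECTORY, "cn=admins,ou=groups,dc=example,dc=org")
    print(reads, "entries read;", "effective members:", members)
```

<para>The visited set is what keeps a cycle such as admins/ops from looping forever, and the depth cap is a defensive bound for directories where nesting is deeper than anyone intended; both are worth having in any client that expands nested membership for authorization decisions.</para>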
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole5.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="type_asterisk">
|
|
<title>Asterisk</title>
|
|
|
|
<para>LAM includes extensive support for Asterisk. You can add Asterisk
extensions (including voicemail) to your users and also manage Asterisk
extension entries.</para>
|
|
|
|
<para>The Asterisk support for users can be added by selecting the
|
|
Asterisk and Asterisk voicemail modules for users in your LAM server
|
|
profile. This will add the following tabs to your user accounts.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/asterisk.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The Asterisk module allows you to edit a large number of attributes.
Therefore, you can hide unused fields. Please edit your server profile
(Module settings) to do so.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/asteriskConfig.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Of course, the voicemail part of Asterisk is also supported.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/asteriskVoicemail.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>If you also want to manage Asterisk extensions then simply add the
|
|
account type "Asterisk extensions" and its module to your server
|
|
profile.</para>
|
|
|
|
<para>LAM groups your Asterisk extension entries by extension name and
account context. If you edit an extension then you will see the Asterisk
entries as rules. LAM ensures that all rule entries have the same owners
and assigns the priorities.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/asteriskExtension.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="s_kopano">
|
|
<title>Kopano (LAM Pro)</title>
|
|
|
|
<para>Kopano is an OpenSource collaboration software. LAM Pro provides
|
|
support to manage Kopano user entries, groups, address lists and servers.
|
|
It covers all settings for these types including resource and quota
|
|
settings.</para>
|
|
|
|
<section>
|
|
<title>Users</title>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>To enable Kopano support for users please activate the Kopano
module for the user account type in your server profile:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopano1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Adjust the suffix and list attributes to your needs.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoUser1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then select the Kopano user module (tab Modules). You can combine
it with the Personal, Unix or Windows modules.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoUser2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Next configure the module to your needs (tab Module
|
|
settings).</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Attention:</emphasis> LAM Pro uses the
|
|
Kopano OpenLDAP schema by default. This schema fits for OpenLDAP,
|
|
OpenDJ, Apache Directory server and other common LDAP servers. If you
|
|
run Samba 4 or Active Directory then you need to switch the schema to
|
|
"Active Directory" on the module settings tab.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>You can hide options that you do not need. E.g. if you do not want
|
|
to manage quotas per user then you can hide these options.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>Examples for your Zarafa ldap.cfg:</para>
|
|
|
|
<para>"Send as" attribute: dn</para>
|
|
|
|
<para>ldap_user_sendas_attribute_type = dn</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>"Send as" attribute: uid</para>
|
|
|
|
<para>ldap_user_sendas_attribute_type = text</para>
|
|
|
|
<para>ldap_user_sendas_relation_attribute = uid</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>Attention: If the Active Directory schema is used then LAM will
|
|
always use dn and ignore this setting.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoUser3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Usage</emphasis></para>
|
|
|
|
<para>LAM Pro will now display the Kopano tab on your users. This
|
|
includes email settings, quotas and some options (e.g. hide from address
|
|
book). You can also set the resource type and capacity for meeting rooms
|
|
and equipment. The Kopano extension can be added and removed at any time
|
|
for every user.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoUser4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Contacts</title>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>The configuration is similar to users. Instead of the Kopano user
|
|
module please select the contact module.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopano1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para/>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoContact1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para/>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoContact2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Usage</emphasis></para>
|
|
|
|
<para>LAM Pro will now display the Kopano contact tab on your users. The
|
|
Kopano extension can be added and removed at any time for every
|
|
user.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoContact3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Groups</title>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>To enable Kopano support for groups please activate the Kopano
module for the group account type in your server profile:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoGroup1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Adjust the suffix and list attributes to your needs.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoGroup2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then select the Kopano group module (tab Modules). You can combine
it with the Group of names, Unix or Windows modules.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoGroup3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Next configure the module to your needs (tab Module
|
|
settings).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoGroup4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Usage</emphasis></para>
|
|
|
|
<para>LAM Pro will now display the Kopano tab on your groups. The Kopano
|
|
extension can be added and removed at any time for every group.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoGroup5.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Address lists</title>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>To enable Kopano support for address lists please activate the
Kopano address list account type in your server profile (tab account
types):</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoAddresslist1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Adjust the suffix and list attributes to your needs.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoAddresslist2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then select the Kopano address list module (tab Modules).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoAddresslist3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Usage</emphasis></para>
|
|
|
|
<para>LAM Pro will now display the Kopano address list tab.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoAddresslist4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para/>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoAddresslist5.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Dynamic groups</title>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>To enable Kopano support for dynamic groups please activate the
Kopano dynamic group account type in your server profile (tab account
types):</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoDynamicgroup1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Adjust the suffix and list attributes to your needs.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoDynamicgroup2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then select the Kopano dynamic group module (tab Modules).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoDynamicgroup3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Usage</emphasis></para>
|
|
|
|
<para>LAM Pro will now display the Kopano address list tab.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoDynamicgroup4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para/>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoDynamicgroup5.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Servers</title>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>To enable Kopano support for servers please activate the Kopano
server module for the hosts account type in your server profile (tab
account types):</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoServer1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Adjust the suffix and list attributes to your needs.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoServer2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then select the Kopano server module (tab Modules).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoServer3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Next configure the module to your needs (tab Module
|
|
settings).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoServer4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Usage</emphasis></para>
|
|
|
|
<para>LAM Pro will now display the Kopano tab on your hosts. The Kopano
|
|
extension can be added and removed at any time for every server.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kopanoServer5.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="s_zarafa">
|
|
<title>Zarafa (LAM Pro)</title>
|
|
|
|
<para>Zarafa is an OpenSource collaboration software. LAM Pro provides
|
|
support to manage Zarafa server entries, users and groups. It covers all
|
|
settings for these types including resource and quota settings.</para>
|
|
|
|
<para>LAM Pro is an official Zarafa Certified Integration.</para>
|
|
|
|
<para><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa_logo_integrations_certified_140px.png"/>
|
|
</imageobject>
|
|
</inlinemediaobject></para>
|
|
|
|
<section>
|
|
<title>Configuration</title>
|
|
|
|
<para>To enable Zarafa support in LAM Pro please activate the Zarafa
modules for the Users, Groups and Hosts account types in your server
profile:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Attention:</emphasis> LAM Pro uses the
|
|
Zarafa OpenLDAP schema as default. This schema fits for OpenLDAP,
|
|
OpenDJ, Apache Directory server and other common LDAP servers. If you
|
|
run Samba 4 or Active Directory then you need to switch the schema to
|
|
"Active Directory" on the module settings tab:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa9.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can configure which parts of the Zarafa user options should be
|
|
enabled. E.g. if you do not want to manage quotas per user then you can
|
|
hide these options on the tab "Module settings".</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">"Send as" attribute:</emphasis> Here you can
|
|
specify how "Send as" privileges should be managed. LAM supports "uid"
|
|
and "dn".</para>
|
|
|
|
<para>If you select "uid" then LAM will store user names in the
zarafaSendAsPrivilege attribute. This restricts you to specifying
user accounts as "Send as" allowed.</para>
|
|
|
|
<para>You can also set this option to "dn" and LAM will store DNs in the
|
|
zarafaSendAsPrivilege attribute. In this case you may specify users and
|
|
groups as "Send as" allowed.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>Examples for your Zarafa ldap.cfg:</para>
|
|
|
|
<para>"Send as" attribute: <emphasis role="bold">dn</emphasis></para>
|
|
|
|
<para>ldap_user_sendas_attribute_type = dn</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>"Send as" attribute: <emphasis role="bold">uid</emphasis></para>
|
|
|
|
<para>ldap_user_sendas_attribute_type = text</para>
|
|
|
|
<para>ldap_user_sendas_relation_attribute = uid</para>
|
|
|
|
<para><emphasis role="bold">Attention:</emphasis> If the Active Directory
schema is used then LAM will always use dn and ignore this setting.</para>
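<para>The two "Send as" storage modes from the Kopano ldap.cfg examples above and the Zarafa ones here, as an added audit example in Python that is not Kopano, Zarafa or LAM code. The accounts and grant lists are constructed sample data; the attribute name zarafaSendAsPrivilege is taken from the Zarafa section, so adjust it if your schema uses another name. The point it makes is the one in the text: in "dn" mode a grant may name a group, in "uid" (text) mode only values that match a user's relation attribute resolve, and a grant that resolves to nothing is a stale impersonation permission that should be removed.</para>

```python
"""Audit "Send as" grants under both storage modes named in ldap.cfg.

Added example, not Kopano, Zarafa or LAM code. It uses an in-memory
directory (DN to attributes) as a stand-in for LDAP and the attribute name
zarafaSendAsPrivilege from the Zarafa section; adjust the name if your
schema differs. "dn" mode corresponds to ldap_user_sendas_attribute_type =
dn, "text" mode to ldap_user_sendas_attribute_type = text with
ldap_user_sendas_relation_attribute naming the attribute to match.
"""

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "posixgroup"}

# Constructed sample accounts, not real data.
ACCOUNTS = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=sales,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"]},
}

# Grants as they would be stored on bob's mailbox entry in each mode. The
# last value of each list refers to an account that no longer exists.
GRANTS_DN_MODE = [
    "uid=alice,ou=people,dc=example,dc=org",
    "cn=sales,ou=groups,dc=example,dc=org",
    "uid=gone,ou=people,dc=example,dc=org",
]
GRANTS_TEXT_MODE = ["alice", "sales", "gone"]


def is_group(entry):
    """True when the entry is a group rather than a user account."""
    return any(oc.lower() in GROUP_CLASSES for oc in entry.get("objectClass", []))


def resolve_grantee(directory, value, attribute_type, relation_attribute="uid"):
    """DN of the account a stored value grants Send-as to, or None."""
    if attribute_type == "dn":
        return value if value in directory else None
    if attribute_type == "text":
        matches = [dn for dn, entry in directory.items()
                   if value in entry.get(relation_attribute, [])]
        # exactly one match required: an ambiguous value must not grant anything
        return matches[0] if len(matches) == 1 else None
    raise ValueError("unknown ldap_user_sendas_attribute_type: " + attribute_type)


def audit_send_as(directory, grants, attribute_type, relation_attribute="uid"):
    """Split one mailbox's grants into users, groups and unresolved values.

    Unresolved values are grants that no longer point at anything (a
    deleted account, or a group name in text mode, which only matches
    entries carrying the relation attribute) and should be removed.
    """
    report = {"users": [], "groups": [], "unresolved": []}
    for value in grants:
        dn = resolve_grantee(directory, value, attribute_type, relation_attribute)
        if dn is None:
            report["unresolved"].append(value)
        elif is_group(directory[dn]):
            report["groups"].append(dn)
        else:
            report["users"].append(dn)
    return report


if __name__ == "__main__":
    print("dn mode:  ", audit_send_as(ACCOUNTS, GRANTS_DN_MODE, "dn"))
    print("text mode:", audit_send_as(ACCOUNTS, GRANTS_TEXT_MODE, "text", "uid"))
```

<para>Running the audit over every mailbox entry after a migration between the two modes, or after accounts have been deleted, shows which "Send as" grants still mean what the administrator intended.</para>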
|
|
|
|
<para><emphasis role="bold">Features:</emphasis> Zarafa 7 allows you to
enable IMAP/POP3 for each user. Please hide the option "Features" if you
use Zarafa 6.x.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<section>
|
|
<title>Users</title>
|
|
|
|
<para>This is an example of the user edit page with all possible
|
|
settings. This includes email settings, quotas and some options (e.g.
|
|
hide from address book). You can also set the resource type and
|
|
capacity for meeting rooms and equipment. The Zarafa extension can be
|
|
added and removed at any time for every user.</para>
|
|
|
|
<para>Please note that the option "Features" requires Zarafa 7. Please
|
|
hide this option in the LAM server profile if you run Zarafa
|
|
6.x.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Contacts</title>
|
|
|
|
<para>LAM Pro can manage your Zarafa contact entries. You can set the
|
|
email aliases and "send as" privileges. Additionally, accounts may be
|
|
hidden in the address book or disabled.</para>
|
|
|
|
<para>Please note that you can use either the Zarafa user module or the
Zarafa contact module. LAM Pro will disable the other tab when you enable
one of them.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa8.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Groups</title>
|
|
|
|
<para>This is the edit page for groups. You can enter an email address
|
|
and additional aliases for your groups. It is also possible to specify
|
|
options (e.g. hide from address book). The extension can be
|
|
added/removed dynamically.</para>
|
|
|
|
<para>Please note that the option "Send-as privileges" requires the
Zarafa 7.0.3 schema. Please hide this option in the LAM server profile
if you run Zarafa &lt; 7.0.3.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Servers</title>
|
|
|
|
<para>The Zarafa extension for host accounts allows you to set the
connection ports and file path. You can add/remove the extension at
any time.</para>
|
|
|
|
<para>Setting the public store option is only possible for new host
|
|
entries.</para>
|
|
|
|
<para>Please note that the proxy URL option requires the Zarafa 7.1
|
|
schema. Please hide this option in your LAM server profile if you use
|
|
an older version.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa5.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Address lists</title>
|
|
|
|
<para>Zarafa allows you to store address lists in LDAP. You need to define
a search base and an LDAP filter for each address list. E.g. entering
"ou=people,dc=company,dc=com" as base and "uid=*" as filter will select
all users that are stored in "ou=people,dc=company,dc=com".</para>
|
|
|
|
<para>You can also hide your lists from the address book or
|
|
temporarily disable them.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa6.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Dynamic groups</title>
|
|
|
|
<para>Zarafa allows you to define dynamic groups in LDAP. You need to
define a search base and an LDAP filter for each group. E.g. entering
"ou=people,dc=company,dc=com" as base and "uid=*" as filter will select
all users that are stored in "ou=people,dc=company,dc=com".</para>
|
|
|
|
<para>Dynamic groups may have an email address and multiple email
|
|
alias addresses.</para>
|
|
|
|
<para>You can also hide your dynamic groups from the address book or
|
|
temporarily disable them.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa7.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Kolab shared folders</title>
|
|
|
|
<para>Please add the account type "Kolab shared folders" in your LAM
|
|
server profile and set the correct LDAP suffix.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab6.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab7.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then add the "Kolab shared folder" module on tab "Modules".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab8.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now you can start to add shared folders inside LAM.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab9.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>DHCP</title>
|
|
|
|
<para>You can manage your DHCP server with LAM. It supports managing
subnets, fixed IP entries, IP ranges and DDNS.</para>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>The DHCP management can be activated by adding the account type DHCP
|
|
to your server profile. Please also add the DHCP modules.</para>
|
|
|
|
<para>LAM requires that you use an LDAP entry with the object class
|
|
"dhcpService" or "dhcpServer" as suffix for this account type. If the
|
|
"dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN"
|
|
then you need to use the DN of the "dhcpService" entry as LDAP suffix for
|
|
DHCP.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>Add account type:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/dhcpConf1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Set suffix:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/dhcpConf2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Add modules:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/dhcpConf3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Example server entry:</emphasis></para>

<programlisting>dn: cn=server,ou=dhcp,dc=ldap-account-manager,dc=org
objectclass: dhcpServer
objectclass: dhcpOptions
objectclass: top
cn: server
dhcpcomments: My DHCP server
dhcpoption: domain-name "ldap-account-manager.org"
dhcpoption: domain-name-servers 192.168.1.1
dhcpoption: routers 192.168.1.1
dhcpoption: netbios-name-servers 192.168.1.1
dhcpoption: subnet-mask 255.255.255.0
dhcpoption: netbios-node-type 8
dhcpstatements: default-lease-time 3600
dhcpstatements: max-lease-time 7200
dhcpstatements: include "mykey"
dhcpstatements: ddns-update-style interim
dhcpstatements: update-static-leases true
dhcpstatements: ignore client-updates</programlisting>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Example settings for
dhcpd.conf:</emphasis></para>

<programlisting>ddns-update-style none;
deny unknown-clients;
ldap-server "server";
ldap-dhcp-server-cn "server";
ldap-port 389;
ldap-username "uid=dhcp,ou=people,dc=ldap-account-manager,dc=org";
ldap-password "{SSHA}XXXXXXXXXXXX";
ldap-base-dn "ou=dhcp,dc=ldap-account-manager,dc=org";
ldap-method dynamic;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";</programlisting>
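<para>How the server entry above relates to dhcpd.conf, and how LAM's suffix rule for dhcpService/dhcpServer entries applies, as an added example in Python that is not LAM or ISC dhcpd code. The LDIF in the block is a constructed copy of the example entry (with one value folded over two lines, as LDIF permits); the parser turns it into a dhcpd.conf fragment and picks the suffix LAM expects.</para>

```python
"""Parse a dhcpServer LDIF entry and render it as dhcpd.conf statements.

Added example, not LAM or ISC dhcpd code. It shows how the LDAP server
entry above maps onto configuration (each dhcpoption value becomes an
"option ...;" line, each dhcpstatements value a bare statement) and
applies the suffix rule from the configuration text: a dhcpServer entry
that carries dhcpServiceDN means the LAM suffix is that DN, otherwise
the entry's own DN is the suffix.
"""

# Constructed LDIF, modelled on the example server entry above. The
# "include" statement is folded over two lines the way LDIF allows.
SAMPLE_LDIF = """\
dn: cn=server,ou=dhcp,dc=ldap-account-manager,dc=org
objectclass: dhcpServer
objectclass: dhcpOptions
objectclass: top
cn: server
dhcpcomments: My DHCP server
dhcpoption: domain-name "ldap-account-manager.org"
dhcpoption: domain-name-servers 192.168.1.1
dhcpoption: routers 192.168.1.1
dhcpoption: subnet-mask 255.255.255.0
dhcpstatements: default-lease-time 3600
dhcpstatements: max-lease-time 7200
dhcpstatements: include
  "mykey"
dhcpstatements: ddns-update-style interim
"""


def parse_ldif_entry(text):
    """Return (dn, {attribute_lowercase: [values]}) for one LDIF entry.

    Continuation lines (leading space) are unfolded and comment lines
    dropped. Base64-encoded values ("attr:: ...") are rejected instead of
    being passed through as if they were plain text.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]             # unfold: drop the fold marker only
        else:
            lines.append(raw)
    dn = None
    attributes = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: " + line)
        if value.startswith(":"):
            raise ValueError("base64 value not supported for attribute " + name)
        name = name.strip().lower()
        value = value.strip()
        if name == "dn":
            dn = value
        else:
            attributes.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("LDIF entry has no dn line")
    return dn, attributes


def render_dhcpd_conf(attributes):
    """dhcpd.conf lines equivalent to the entry's options and statements."""
    lines = ["# " + c for c in attributes.get("dhcpcomments", [])]
    lines += ["option " + o + ";" for o in attributes.get("dhcpoption", [])]
    lines += [s + ";" for s in attributes.get("dhcpstatements", [])]
    return lines


def lam_dhcp_suffix(dn, attributes):
    """LDAP suffix LAM expects for the DHCP account type, per the text above."""
    classes = {oc.lower() for oc in attributes.get("objectclass", [])}
    if "dhcpserver" in classes and attributes.get("dhcpservicedn"):
        return attributes["dhcpservicedn"][0]
    if "dhcpserver" in classes or "dhcpservice" in classes:
        return dn
    raise ValueError("entry is neither a dhcpService nor a dhcpServer")


if __name__ == "__main__":
    entry_dn, attrs = parse_ldif_entry(SAMPLE_LDIF)
    print("LAM suffix:", lam_dhcp_suffix(entry_dn, attrs))
    print("\n".join(render_dhcpd_conf(attrs)))
```

<para>One point to keep in mind with the dhcpd.conf settings above: dhcpd presents the ldap-password value to the LDAP server as its simple-bind credential, so whatever is stored there is a live secret. Restrict dhcpd.conf to root and give the bind account only the read access to the DHCP subtree that it needs.</para>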
|
|
|
|
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">slapd.conf changes:</emphasis></para>

<programlisting>include /etc/ldap/schema/dhcp.schema
index dhcpHWAddress eq
index dhcpClassData eq</programlisting>

<para>Run slapindex to rebuild the index.</para>
|
|
|
|
<para>You can manage the settings of your DHCP service/server
|
|
entry:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/dhcpMainSettings.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can easily create new subnet entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/dhcpSettings.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>It is also possible to specify a list of fixed IPs.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/fixedIP.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>IP ranges may be specified.</para>
|
|
|
|
<para>If you use failover pools for your IP ranges please use the pool
|
|
options on the bottom. Here you can add DHCP pools (object class
|
|
"dhcpPool") and specify the failover peer.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ranges.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>If you activated DDNS in the server entry then you may also specify
|
|
the DDNS settings for this subnet.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ddns.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Bind DLZ (LAM Pro)</title>
|
|
|
|
<para><ulink url="http://bind-dlz.sourceforge.net">Bind DLZ</ulink> is an
extension to the DNS server <ulink
url="http://www.isc.org/software/bind">Bind</ulink> that allows storing
DNS entries inside LDAP. Please install the Bind DLZ schema file on your
LDAP server. It is part of the Bind download. You can also get it from
Bind's <ulink
url="https://gitlab.isc.org/isc-projects/bind9/blob/master/contrib/dlz/modules/ldap/testing/dlz.schema">git
repository</ulink>.</para>
|
|
|
|
<section>
|
|
<title>Configuration</title>
|
|
|
|
<para>First, you need to add the Bind DNS account type and the Bind DLZ
|
|
module:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Please set the LDAP suffix either to an existing DNS zone
|
|
(dlzZone) or an organizational unit that should include your DNS
|
|
zones.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>For regular entry management use the "DNS entry (bindDLZ)(*)"
module.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">XFR</emphasis></para>
|
|
|
|
<para>If you want to edit XFR entries please add a second account type
|
|
for XFR. Recommended list attributes are
|
|
"#dlzipaddr;#dlzrecordid".</para>
|
|
|
|
<screenshot>
|
|
<graphic fileref="images/mod_bind13.png"/>
|
|
</screenshot>
|
|
|
|
<para>Now use the "XFR (bindDLZXfr)(*)" module for this account
|
|
type.</para>
|
|
|
|
<screenshot>
|
|
<graphic fileref="images/mod_bind14.png"/>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Automatic PTR management</emphasis></para>
|
|
|
|
<para>LAM can automatically create/delete PTR entries for the entered
IPv4/IPv6 records. You can enable this feature on the module settings
tab.</para>

<para>PTR records will get the same TTL as the IP records. Please note that
you need matching reverse zones (".in-addr.arpa"/".ip6.arpa")
under the same suffix as your other DNS entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind12.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Zone management</emphasis></para>
|
|
|
|
<para>If you do not yet have a DNS zone then LAM can create one for you.
|
|
In list view switch the suffix to an organizational unit DN. Now you
|
|
will see a button "New zone".</para>
|
|
|
|
<para>This will create the zone container entry and a default DNS entry
|
|
"@" for authoritative information. Now switch the suffix to your new
|
|
zone and start adding DNS entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
  <section>
    <title>DNS entries</title>

    <para>LAM supports the following DNS record types:</para>

    <itemizedlist>
      <listitem><para>SOA: authoritative information</para></listitem>
      <listitem><para>NS: name servers</para></listitem>
      <listitem><para>A/AAAA: IP addresses</para></listitem>
      <listitem><para>PTR: reverse DNS entries</para></listitem>
      <listitem><para>CNAME: alias names</para></listitem>
      <listitem><para>MX: mail servers</para></listitem>
      <listitem><para>TXT: text records</para></listitem>
      <listitem><para>SRV: service entries</para></listitem>
    </itemizedlist>

    <literallayout>
    </literallayout>

    <para><emphasis role="bold">Authoritative (SOA) and name server (NS) records</emphasis></para>

    <para>Here you can manage general information about the zone like timeouts and name servers. Please note that name servers must be entered as fully qualified names with a dot at the end.</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/mod_bind5.png"/></imageobject></mediaobject>
    </screenshot>

    <literallayout>
    </literallayout>

    <para><emphasis role="bold">IP addresses (A/AAAA)</emphasis></para>

    <para>LAM will automatically set the correct type (A/AAAA) depending on whether you enter an IPv4 or IPv6 address.</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/mod_bind6.png"/></imageobject></mediaobject>
    </screenshot>

    <literallayout>
    </literallayout>

    <para><emphasis role="bold">Reverse DNS entries</emphasis></para>

    <para>Reverse DNS entries are important when you need to find the DNS name that is associated with a given IP address. Reverse DNS entries are stored in a separate DNS zone.</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/mod_bind7.png"/></imageobject></mediaobject>
    </screenshot>

    <literallayout>
    </literallayout>

    <para><emphasis role="bold">Alias names (CNAME)</emphasis></para>

    <para>Sometimes a DNS entry should simply point to a different DNS entry (e.g. for migrations). This can be done by adding an alias name.</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/mod_bind8.png"/></imageobject></mediaobject>
    </screenshot>

    <literallayout>
    </literallayout>

    <para><emphasis role="bold">Mail servers (MX)</emphasis></para>

    <para>The mail server entries define where mails for a domain should be delivered. The server with the lowest preference value has the highest priority.</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/mod_bind9.png"/></imageobject></mediaobject>
    </screenshot>

    <literallayout>
    </literallayout>

    <para><emphasis role="bold">Text records (TXT)</emphasis></para>

    <para>Text records can be added to store a description or other data (e.g. SPF information).</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/mod_bind10.png"/></imageobject></mediaobject>
    </screenshot>

    <literallayout>
    </literallayout>

    <para><emphasis role="bold">Services (SRV)</emphasis></para>

    <para>Service records can be used to specify which servers provide common services such as LDAP. Please note that the host name must be _SERVICE._PROTOCOL (e.g. _ldap._tcp).</para>

    <literallayout>
    </literallayout>

    <para>Priority: The priority of the target host; a lower value means more preferred.</para>

    <para>Weight: A relative weight for records with the same priority. E.g. weights 20 and 80 for a service will result in 20% of queries going to the one server and 80% to the other.</para>

    <para>Port: The port number that is used for your service.</para>

    <para>Server: The DNS name under which the service can be reached (with a dot at the end).</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/mod_bind11.png"/></imageobject></mediaobject>
    </screenshot>
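    <para>The Python below is an added example, not part of the LAM manual or LAM's code. It validates an SRV entry against the rules just listed (owner name of the form _SERVICE._PROTOCOL, fully qualified target, 16-bit numeric fields) and shows how a client picks a target from priority and weight following RFC 2782, so that the "weights 20 and 80" case above can be seen producing a 20%/80% split. The record set is constructed sample data.</para>

```python
import re
from dataclasses import dataclass

# Owner names of SRV records must be _SERVICE._PROTOCOL, e.g. _ldap._tcp
SRV_OWNER = re.compile(r"^_[A-Za-z0-9-]+\._[A-Za-z0-9-]+$")


@dataclass
class SrvRecord:
    priority: int   # lower value is preferred
    weight: int     # relative share among records with equal priority
    port: int
    target: str     # fully qualified host name with trailing dot


# Constructed example: two LDAP servers sharing the load 20/80, plus a backup
# that clients only try when no server of the lower priority group answers.
LDAP_SRV = [
    SrvRecord(10, 20, 389, "ldap1.example.com."),
    SrvRecord(10, 80, 389, "ldap2.example.com."),
    SrvRecord(20, 0, 389, "ldap-backup.example.com."),
]


def validate_srv(owner, rec):
    """Return a list of problems with an SRV record; empty means it is well-formed."""
    problems = []
    if not SRV_OWNER.match(owner):
        problems.append("owner must be _SERVICE._PROTOCOL, e.g. _ldap._tcp")
    if not rec.target.endswith("."):
        problems.append("target must be fully qualified (trailing dot)")
    for field in ("priority", "weight", "port"):
        if getattr(rec, field) not in range(0, 65536):
            problems.append(field + " must be between 0 and 65535")
    return problems


def expected_share(records):
    """Fraction of queries each target receives, following RFC 2782.

    Only the lowest-priority group is used; within it each target gets
    weight / sum(weights). Weights 20 and 80 give shares 0.2 and 0.8.
    """
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    total = sum(r.weight for r in group)
    if total == 0:
        return {r.target: 1 / len(group) for r in group}
    return {r.target: r.weight / total for r in group}


def select_srv(records, draw):
    """Pick one target the way a client does: lowest priority, then weighted.

    `draw` is a number in [0, 1) standing in for the client's random value so
    that the choice is reproducible here; a real resolver uses random().
    """
    best = min(r.priority for r in records)
    group = sorted((r for r in records if r.priority == best), key=lambda r: r.weight)
    total = sum(r.weight for r in group)
    if total == 0:
        return group[int(draw * len(group))]
    threshold = draw * total
    running = 0
    for r in group:
        running += r.weight
        if running > threshold:
            return r
    return group[-1]


if __name__ == "__main__":
    print(validate_srv("_ldap._tcp", LDAP_SRV[0]))
    print(expected_share(LDAP_SRV))
    print(select_srv(LDAP_SRV, 0.5).target)
```

    <para>A target without the trailing dot is reported as a problem on purpose: without it the name is relative to the zone and the SRV record points at a host that does not exist.</para>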

    <literallayout>
    </literallayout>

    <para><emphasis role="bold">File upload</emphasis></para>

    <para>You can upload complete DNS zones via LAM's file upload. Here is an example for a zone file and the corresponding CSV file.</para>

    <table>
      <title>Zone file</title>
      <tgroup cols="4">
        <tbody>
          <row><entry>@</entry><entry>IN</entry><entry>SOA</entry><entry>ns1.example.com admin.ns1.example.com (1 360000 3600 3600000 370000)</entry></row>
          <row><entry/><entry>IN</entry><entry>NS</entry><entry>ns1.example.com.</entry></row>
          <row><entry/><entry>IN</entry><entry>NS</entry><entry>ns2.example.com.</entry></row>
          <row><entry/><entry>IN</entry><entry>MX</entry><entry>10 mail1.example.com</entry></row>
          <row><entry/><entry>IN</entry><entry>MX</entry><entry>20 mail2.example.com</entry></row>
          <row><entry>foo</entry><entry>IN</entry><entry>A</entry><entry>123.123.123.100</entry></row>
          <row><entry>foo2</entry><entry>IN</entry><entry>CNAME</entry><entry>foo.example.com</entry></row>
          <row><entry>bar</entry><entry>IN</entry><entry>A</entry><entry>123.123.123.101</entry></row>
          <row><entry/><entry>IN</entry><entry>AAAA</entry><entry>1:2:3:4:5</entry></row>
        </tbody>
      </tgroup>
    </table>

    <para>Please check that you have an existing zone entry that can be used for the file upload. See above to create a new zone.</para>

    <para>Hint: If you use the function above to create a new zone then please skip the "@" entry in the CSV file below. LAM creates this entry with sample data.</para>

    <para>In this example we assume that the following zone entry exists:</para>

    <literallayout>dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com
dlzzonename: example.com
objectclass: dlzZone
objectclass: top

    </literallayout>

    <para>Here is the corresponding CSV file: <ulink url="resources/bindUpload.csv">bindUpload.csv</ulink></para>
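    <para>As an added example (not code from LAM and not the format of bindUpload.csv), the following Python script parses a zone file like the one in the table above into records with absolute owner names, so that each record can be carried over into an upload file. The sample zone is constructed: it mirrors the table but uses a valid documentation-range AAAA address and splits the SOA over two lines as BIND allows. The CSV column names in to_csv() are an assumption of this example; the real column layout is the one in the downloadable bindUpload.csv.</para>

```python
import csv
import io
import ipaddress

# Constructed sample zone. It mirrors the table above, with the SOA split over
# two lines as BIND allows and a valid documentation-range AAAA address.
SAMPLE_ZONE = """\
$TTL 3600
@    IN SOA   ns1.example.com. admin.ns1.example.com. (
                1 360000 3600 3600000 370000 )
     IN NS    ns1.example.com.
     IN NS    ns2.example.com.
     IN MX    10 mail1.example.com
     IN MX    20 mail2.example.com
foo  IN A     123.123.123.100
foo2 IN CNAME foo.example.com
bar  IN A     123.123.123.101
     IN AAAA  2001:db8::5
"""


def qualify(name, origin):
    """Apply zone-file name rules: '@' is the origin and a name without a
    trailing dot is relative to it, so 'mail1.example.com' becomes
    'mail1.example.com.example.com.' (a classic zone-file mistake)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def _logical_lines(text):
    """Strip ';' comments and join lines inside parentheses into one record."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text, origin):
    """Parse a zone file into records with absolute owner names and rdata."""
    if not origin.endswith("."):
        origin += "."
    default_ttl, owner, records = None, None, []
    for line in _logical_lines(text):
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if line[0] in " \t":
            # leading whitespace: the record belongs to the previous owner
            if owner is None:
                raise ValueError("record without owner before any owner name")
        else:
            owner = qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + rdata[2:]
        elif rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        elif rtype in ("A", "AAAA"):
            # the record type must match the address family, as LAM enforces
            version = ipaddress.ip_address(rdata[0]).version
            if rtype != {4: "A", 6: "AAAA"}[version]:
                raise ValueError(rtype + " record with IPv" + str(version) + " address " + rdata[0])
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": " ".join(rdata)})
    return records


def to_csv(records):
    """Serialise records as CSV with generic column names (assumed here; the
    real column layout is the one in LAM's bindUpload.csv)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["owner", "ttl", "type", "rdata"])
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_zone(SAMPLE_ZONE, "example.com")))
```

    <para>Running it makes the relative-name pitfall visible: the MX and CNAME targets in the table have no trailing dot, so a zone-file parser qualifies them with the origin and they come out as "mail1.example.com.example.com.". Check the targets of every NS, MX, CNAME and SRV record for the trailing dot before uploading.</para>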
  </section>

  <section>
    <title>XFR entries</title>

    <para>You can manage the XFR entries in the second tab that you configured before.</para>

    <screenshot>
      <graphic fileref="images/mod_bind16.png"/>
    </screenshot>

    <para>For each XFR entry you can set a record ID and the IP address.</para>

    <screenshot>
      <graphic fileref="images/mod_bind15.png"/>
    </screenshot>
  </section>
</section>

<section>
  <title>Aliases (LAM Pro)</title>

  <para>Some applications use the object class "alias" to link LDAP entries to other parts of the LDAP tree. Activate the account type "Aliases" in your LAM server profile to use this account type.</para>

  <para>Currently, only user accounts can be aliased with the "uidObject" object class.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/alias.png"/></imageobject></mediaobject>
  </screenshot>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/alias2.png"/></imageobject></mediaobject>
  </screenshot>
</section>

<section>
  <title>Mail aliases</title>

  <para>You can manage mail aliases (e.g. for NIS) inside LAM. This can be used to replace local /etc/aliases files with LDAP.</para>

  <para>To activate this type please add "Mail aliases" in your LAM server profile:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/nisMailAlias1.png"/></imageobject></mediaobject>
  </screenshot>

  <section id="mailAliases">
    <title>NIS mail aliases</title>

    <para>Note: Use the <link linkend="mailAliasesUser">mail alias user module</link> to manage mail aliases on user pages.</para>

    <para>All accounts of this type are based on the "nisMailAlias" object class and may have "cn" and "rfc822MailMember" attributes.</para>

    <para>You need to select the Mail aliases module on the next tab.</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/nisMailAlias3.png"/></imageobject></mediaobject>
    </screenshot>

    <para>The mail aliases will then appear as a separate tab inside LAM. You may then manage the aliases with their names and recipient addresses.</para>

    <para>There are mail/user icons that allow you to select a mail address/user name from the existing users.</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/nisMailAlias2.png"/></imageobject></mediaobject>
    </screenshot>
  </section>

  <section>
    <title>Courier mail aliases</title>

    <para>Mail aliases for Courier SMTP can be used when both the NIS mail aliases and the Courier modules are activated:</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/mod_courierAlias1.png"/></imageobject></mediaobject>
    </screenshot>

    <para>You will then get the Courier tab for your mail aliases.</para>

    <screenshot>
      <mediaobject><imageobject><imagedata fileref="images/mod_courierAlias2.png"/></imageobject></mediaobject>
    </screenshot>
  </section>
</section>

<section>
  <title>NIS net groups</title>

  <para>LAM supports defining NIS netgroups. You can use them e.g. to restrict SSH access to your machines.</para>

  <para>Add the NIS net group account type and its module to your server profile. Then you can manage net groups in LAM. Net groups may contain other net groups as child groups. You can either insert the host/user names manually or press the search buttons next to the input fields to find existing entries in your directory.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/nisNetgroup.png"/></imageobject></mediaobject>
  </screenshot>
</section>

<section>
  <title>NIS objects (LAM Pro)</title>

  <para>You can manage NIS objects with LAM Pro. This allows you to define network mount points in LDAP.</para>

  <para>Add the NIS objects type to your LAM configuration and then the NIS objects module. This will add the NIS objects tab to LAM.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/nisObject.png"/></imageobject></mediaobject>
  </screenshot>
</section>

<section>
  <title>Automount objects (LAM Pro)</title>

  <para>LAM Pro allows you to manage automount entries. Please activate the account type "Automount objects" in your LAM Pro server profile.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/automount1.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Then add the correct automount module. Usually, this is "Automount entry (automount)". If you use Suse Linux with the RFC2307bis schema please select "Automount entry (rfc2307bisAutomount)".</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/automount3.png"/></imageobject></mediaobject>
  </screenshot>

  <para>This will add a new tab to LAM Pro's main screen which includes a list of all automount entries. Here you can easily create new entries.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/automount2.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Please see the following external HowTos for more information on automounting and LDAP:</para>

  <itemizedlist>
    <listitem><para><ulink url="https://help.ubuntu.com/community/AutofsLDAP">AutofsLDAP</ulink></para></listitem>
    <listitem><para><ulink type="" url="http://www.pro-linux.de/artikel/2/760/automount-ueber-ldap.html">Automount über LDAP (German)</ulink></para></listitem>
  </itemizedlist>
</section>

<section>
  <title>Oracle databases (LAM Pro)</title>

  <para>Oracle allows the connection data that is normally kept in tnsnames.ora to be stored in an LDAP directory instead.</para>

  <para><emphasis role="bold">Initial setup</emphasis></para>

  <para>LDAP server setup:</para>

  <para>You will need to install the correct Oracle LDAP schema files on your LDAP server. If you do not run an Oracle LDAP server then you can get them (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema) e.g. from <ulink url="http://www.idevelopment.info/data/Oracle/DBA_tips/LDAP/LDAP_8.shtml">here</ulink>.</para>

  <para>Next you need to create the root entry for Oracle. It should look like this:</para>

  <programlisting>dn: cn=OracleContext,dc=example,dc=com
objectclass: orclContext
cn: OracleContext</programlisting>

  <para>You can create it with LAM's tree view. Please note that "cn" must be set to "OracleContext".</para>

  <literallayout>
  </literallayout>

  <para>LAM setup:</para>

  <para>Edit your LAM server profile and add the Oracle account type:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_oracle1.png"/></imageobject></mediaobject>
  </screenshot>

  <para>In case you manage a single Oracle context just enter the cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle context entries then set the LDAP suffix to a parent entry of them.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_oracle2.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Next, add the Oracle module:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_oracle3.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Now you can login to LAM and start to add database entries.</para>

  <literallayout>
  </literallayout>

  <para><emphasis role="bold">Managing database entries</emphasis></para>

  <para>Each database has a service name, the connection string and an optional description.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_oracle4.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">Database client setup for LDAP</emphasis></para>

  <para>You need to activate the LDAP adapter so that the database tools read their connection data from LDAP. Edit network/admin/sqlnet.ora like this:</para>

  <programlisting>NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)</programlisting>

  <para>Then add a file called ldap.ora next to your sqlnet.ora and set the LDAP server and the DN suffix where cn=OracleContext is stored:</para>

  <programlisting>DIRECTORY_SERVERS= (ldap.example.com:389:636)
DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de"
DIRECTORY_SERVER_TYPE = OID</programlisting>

  <para>This will allow e.g. tnsping to get the connection data from LDAP:</para>

  <programlisting>[oracle@oracle bin]$ tnsping mydb

TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54

Copyright (c) 1997, 2013, Oracle. All rights reserved.

Used parameter files:
/home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora

Used <emphasis role="bold">LDAP</emphasis> adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))
OK (10 msec)</programlisting>
</section>

<section id="a_ppolicy">
  <title>Password policies (LAM Pro)</title>

  <para>OpenLDAP supports the <ulink url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay to manage password policies for LDAP entries. This allows you to set password policies which are independent from your applications. The policies are managed internally by the LDAP server.</para>

  <para>You can manage these policies with LAM Pro with the account type "Password policies".</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/ppolicy.png"/></imageobject></mediaobject>
  </screenshot>

  <para>You will need to add the ppolicy schema to your OpenLDAP configuration and activate the <ulink url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay module in slapd.conf to use this feature.</para>
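  <para>The following slapd.conf fragment is an added example of that activation, not text from the LAM manual or a configuration shipped with LAM. The schema path, module path, database settings and the DN of the default policy entry are assumptions for a Debian-style layout; adjust them to your installation.</para>

```conf
# Added example (not from the LAM manual). Paths and the policy DN are
# assumptions for a Debian-style layout; adjust them to your installation.
include         /etc/ldap/schema/ppolicy.schema

modulepath      /usr/lib/ldap
moduleload      ppolicy.la

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# The overlay directive must follow the database it applies to.
overlay         ppolicy
# Policy for entries that carry no pwdPolicySubentry of their own; this is
# the entry you manage with the "Password policies" account type.
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
# Hash cleartext passwords arriving via plain modify operations so that no
# cleartext userPassword values are stored in the directory.
ppolicy_hash_cleartext
```

  <para>On OpenLDAP 2.5 and later the ppolicy schema is built into the overlay and the include line is not needed. If your server uses the cn=config backend instead of slapd.conf, the same settings go into an olcOverlay=ppolicy entry under the database, with olcPPolicyDefault and olcPPolicyHashCleartext as the corresponding attributes.</para>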
</section>

<section>
  <title>PyKota printers</title>

  <para>Please add the account type "Printers (PyKota printers)" on tab "Account types" in your server profile and set up the LDAP suffix where printers are stored.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_pykotaPrinter1.png"/></imageobject></mediaobject>
  </screenshot>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_pykotaPrinter2.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Then add the PyKota printer module on tab "Account modules".</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_pykotaPrinter3.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Next you can start managing printers inside LAM. Here you can set up the costs for a print job. LAM will also show if the printer is a member of any printer groups.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_pykotaPrinter4.png"/></imageobject></mediaobject>
  </screenshot>

  <para>You can also set up printer groups. Just add some members to your new group.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_pykotaPrinter5.png"/></imageobject></mediaobject>
  </screenshot>
</section>

<section>
  <title>PyKota billing codes</title>

  <para>Please add the account type "Billing codes" on tab "Account types" in your server profile and set up the LDAP suffix where billing codes are stored.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_pykotaCode1.png"/></imageobject></mediaobject>
  </screenshot>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_pykotaCode2.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Then add the PyKota billing code module on tab "Account modules".</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_pykotaCode3.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Now login to LAM and you will see the billing code tab where you can manage your entries. If jobs were printed with a billing code then you will also see the balance and page count.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/mod_pykotaCode4.png"/></imageobject></mediaobject>
  </screenshot>
</section>

<section id="mod_customTypes">
  <title>Custom types (LAM Pro)</title>

  <para>This account type allows you to manage any type of LDAP entries. This is e.g. needed if you define your own structural object classes or LAM does not yet provide a module for a structural object class.</para>

  <para>Always use this together with <link linkend="mod_customFields">Custom fields</link> to specify the LDAP attributes.</para>

  <para><emphasis role="bold">Configuration</emphasis></para>

  <para>Add a custom account type in your server profile (you can also add multiple if needed).</para>

  <para><inlinemediaobject><imageobject><imagedata fileref="images/mod_customBaseType1.png"/></imageobject></inlinemediaobject></para>

  <para>Then specify the root DN where the entries should be stored. Also provide the attributes to show in list view and a unique label for your entries.</para>

  <para><inlinemediaobject><imageobject><imagedata fileref="images/mod_customBaseType2.png"/></imageobject></inlinemediaobject></para>

  <para>On tab modules add the custom type module. You will also need the <link linkend="mod_customFields">Custom fields</link> module to manage the attributes.</para>

  <para><inlinemediaobject><imageobject><imagedata fileref="images/mod_customBaseType3.png"/></imageobject></inlinemediaobject></para>

  <para>Finally, switch to tab Module settings. Here you need to specify the structural object class. Also configure the <link linkend="mod_customFields">Custom fields</link> module to manage all your attributes.</para>

  <para><inlinemediaobject><imageobject><imagedata fileref="images/mod_customBaseType4.png"/></imageobject></inlinemediaobject></para>

  <para><emphasis role="bold">Manage your entries</emphasis></para>

  <para>You can now login to LAM and will see one tab for each configured custom type.</para>

  <para><inlinemediaobject><imageobject><imagedata fileref="images/mod_customBaseType5.png"/></imageobject></inlinemediaobject></para>
</section>

<section id="mod_customFields">
  <title>Custom fields (LAM Pro)</title>

  <para>This module allows you to manage LDAP attributes that are not covered by the other LAM modules (e.g. if you use custom LDAP schemas). You can fully define what your input fields look like:</para>

  <itemizedlist>
    <listitem><para>Label</para></listitem>
    <listitem><para>LDAP attribute name</para></listitem>
    <listitem><para>Unique name for field</para></listitem>
    <listitem><para>Help text</para></listitem>
    <listitem><para>Read-only display</para></listitem>
    <listitem><para>Field type: text, password, text area, checkbox, radio buttons, select list, file upload</para></listitem>
    <listitem><para>Validation via regular expression</para></listitem>
    <listitem><para>Error message if validation fails</para></listitem>
  </itemizedlist>

  <para>Limitations:</para>

  <para>Custom fields cannot manage</para>

  <itemizedlist>
    <listitem><para>structural object classes (supported by <link linkend="mod_customTypes">Custom types</link>)</para></listitem>
    <listitem><para>attributes that require validation rules across multiple attributes or cannot be described by a simple regular expression</para></listitem>
  </itemizedlist>

  <para><emphasis role="bold">Activating the custom fields module:</emphasis></para>

  <para>You may specify custom fields for all of your account types. Please enter tab "Modules" in your server profile. Now activate the "Custom fields (customFields)" module for all needed account types.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields14.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">Setting label and icon:</emphasis></para>

  <para>You may set the label that is displayed e.g. on the tab when editing an account. It is also possible to specify an icon (must be a valid URL like "/images/icon.png" or "http://server/images/icon.png"). The icon size should be 32x32 pixels.</para>

  <para>LAM will display a default icon and "Custom fields" as label if you do not enter any values.</para>

  <para>You may also specify how LAM displays custom fields when there are multiple field groups. The default is accordion view where you can switch field groups by clicking on the title. You may also deactivate this mode. Then all field groups are displayed one below the other.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields25.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">Defining groups:</emphasis></para>

  <para>All input fields are divided into groups. A group may contain one or more object classes and allows you to add/remove a certain set of input fields.</para>

  <para>E.g. you may define two groups, "My application A" and "My application B", that manage different LDAP attributes and object classes. This way you will be able to control both attribute sets independently.</para>

  <para>To create a group please edit your server profile and switch to tab "Module settings". You will see the section "Custom fields" which allows you to add new groups. Now select your account type (e.g. Users) and specify an alias for your group. This alias will be printed as group header when you later edit an account in the admin interface.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields15.png"/></imageobject></mediaobject>
  </screenshot>

  <para>After you created your new group you can set up the managed object classes. If you specify any object classes then you will later be able to add/remove a complete set of attributes including their object classes.</para>

  <para>Skipping the object classes field is only useful if you want to manage some attributes that are not yet supported by LAM but there is already a LAM module that manages the object class.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields16.png"/></imageobject></mediaobject>
  </screenshot>

  <para>This is how the group may look when you edit a user.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields19.png"/></imageobject></mediaobject>
  </screenshot>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields20.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">Adding fields:</emphasis></para>

  <para>Now you can add a new field that manages an LDAP attribute. Simply fill in the fields and press "Add".</para>

  <para>Please note that the field name cannot be changed later. It is the unique ID for this field.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields17.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Examples for fields and their representation:</para>

  <para><emphasis role="bold">Text field:</emphasis></para>

  <para>Text fields allow you to specify a <link linkend="customFields_validation_expressions_admin">validation expression</link> and error message.</para>

  <para>You can also enable auto-completion. In this case LAM will search all accounts for the given attribute and provide auto-completion hints when the user edits this field. This should only be used if there is a limited number of different values for this attribute.</para>

  <para>In case your field is a date value you can show a calendar for easy editing.</para>

  <para>Example calendar formats:</para>

  <itemizedlist>
    <listitem><para>dd.mm.yy: 31.12.2016</para></listitem>
    <listitem><para>yy-mm-dd: 2016-12-31</para></listitem>
    <listitem><para>d M, y: 31 Dec, 16</para></listitem>
    <listitem><para>d MM, y: 31 December, 2016</para></listitem>
  </itemizedlist>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields2.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Presentation:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields3.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">Password field:</emphasis></para>

  <para>You can also manage custom password fields. LAM Pro will display two fields where the user must enter the same password. You can hash the password if needed.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields4.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Presentation:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields5.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">Text area:</emphasis></para>

  <para>This adds a multi-line field. The options are similar to text fields. Additionally, you can set the size with the number of columns and rows.</para>

  <para>Please note that the <link linkend="customFields_validation_expressions_admin">validation expression</link> should be set to multi-line. This is done by adding "m" at the end.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields6.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Presentation:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields7.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">Checkbox:</emphasis></para>

  <para>Sometimes you may want to allow only yes/no values for your LDAP attributes. This can be represented by a checkbox. You can specify the values for checked and unchecked. The default value is set if the LDAP attribute has no value.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields8.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Presentation:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields9.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">Radio buttons:</emphasis></para>

  <para>This displays a list of radio buttons where the user can select one value.</para>

  <para>You can specify a mapping of LDAP attribute values and their display (label) on the Self Service page. To add more mapping fields please press "Add more mapping fields".</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields10.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Presentation:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields11.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">Select list:</emphasis></para>

  <para>Select lists allow the user to select a value in a large list of options. The definition of the possible values and their display is similar to radio buttons.</para>

  <para>You can also allow multiple values.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields12.png"/></imageobject></mediaobject>
  </screenshot>

  <para>Presentation:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields13.png"/></imageobject></mediaobject>
  </screenshot>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields18.png"/></imageobject></mediaobject>
  </screenshot>

  <para><emphasis role="bold">LDAP search select list</emphasis></para>

  <para>This is similar to "Select list" but the options are read from LDAP. You can use this to define e.g. a DN selection list. Multiple values are supported.</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields26.png"/></imageobject></mediaobject>
  </screenshot>

  <para>LDAP suffix: The LDAP DN that is used as starting point to search for LDAP entries.</para>

  <para>LDAP filter: Only LDAP entries that match this filter will be used. If all entries should be used then use "(objectclass=*)".</para>

  <para>Attribute name: The values of this attribute will be used to build the selection list.</para>

  <para>Display attributes: List of attributes to show as label for the options in the select box. Attribute wildcards are surrounded by "$", e.g. "$cn$" will be replaced by the "cn" attribute. Default is "$dn$".</para>

  <para>Presentation:</para>

  <screenshot>
    <mediaobject><imageobject><imagedata fileref="images/customFields27.png"/></imageobject></mediaobject>
  </screenshot>
|
|
|
|
<para><emphasis role="bold">Constant value</emphasis></para>
|
|
|
|
<para>This will set the attribute to a constant value. You can also
|
|
specify wildcards to inject other attribute's values.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields28.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Wildcards:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>%attribute%: attribute value</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>@attribute@: first character of attribute</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>?attribute?: first character of attribute in lower case</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>!attribute!: first character of attribute in upper case</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>??attribute??: attribute in lower case</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>!!attribute!!: attribute in upper case</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>((attribute)): space if attribute is set</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>§attribute|;§; attribute values separated by ";" (you can set
|
|
other separators if you want)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Examples for attributes gn="Steve", sn="Miller" and
|
|
memberUid=("user1", "user2") (specified value -> resulting LDAP
|
|
value):</para>
|
|
|
|
<table border="1">
|
|
<caption/>
|
|
|
|
<tr>
|
|
<th>Constant value</th>
|
|
|
|
<th>Resulting LDAP value</th>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>my constant</td>
|
|
|
|
<td>my constant</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>%gn%</td>
|
|
|
|
<td>Steve</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>%gn%((gn))%sn%</td>
|
|
|
|
<td>Steve Miller (would be "Miller" if gn is empty)</td>
|
|
</tr>
|
|
|
|
<tr>
|
|
<td>§memberUid|, §</td>
|
|
|
|
<td>user1, user2</td>
|
|
</tr>
|
|
</table>
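<para>The following resolver is an added example (not LAM's own code) that implements the wildcard forms listed above and reproduces the table rows; it assumes that the single-value forms use the first value of a multi-valued attribute and that a missing attribute behaves like an empty one.</para>

```python
import re

# One regular expression with one alternative per wildcard form. Alternation is tried left to
# right, so the two-character forms (??x??, !!x!!) come before ?x? and !x!, and the whole
# template is rewritten in a single pass: a substituted value is never re-scanned for wildcards.
_WILDCARD_RE = re.compile(
    r"\?\?(?P<lower>\w+)\?\?"            # ??attribute??   whole value in lower case
    r"|!!(?P<upper>\w+)!!"               # !!attribute!!   whole value in upper case
    r"|%(?P<value>\w+)%"                 # %attribute%     value
    r"|@(?P<first>\w+)@"                 # @attribute@     first character
    r"|\?(?P<first_lower>\w+)\?"         # ?attribute?     first character, lower case
    r"|!(?P<first_upper>\w+)!"           # !attribute!     first character, upper case
    r"|\(\((?P<space>\w+)\)\)"           # ((attribute))   a space if the attribute is set
    r"|§(?P<join>\w+)\|(?P<sep>[^§]*)§"  # §attribute|sep§ all values joined by sep
)

_SINGLE_VALUE_FORMS = {
    "value": lambda v: v,
    "first": lambda v: v[:1],
    "first_lower": lambda v: v[:1].lower(),
    "first_upper": lambda v: v[:1].upper(),
    "lower": lambda v: v.lower(),
    "upper": lambda v: v.upper(),
}


def resolve_constant(template, entry):
    """Resolve the wildcards of a constant-value template against an LDAP entry.

    entry maps attribute names to lists of values (LDAP attributes are multi-valued).
    Assumption of this example: the single-value forms use the first value of the
    attribute; only §attribute|sep§ sees all values. A missing attribute acts as empty.
    """
    def values(name):
        return entry.get(name) or []

    def repl(match):
        if match.group("join") is not None:
            return match.group("sep").join(values(match.group("join")))
        if match.group("space") is not None:
            return " " if any(values(match.group("space"))) else ""
        form = next(f for f in _SINGLE_VALUE_FORMS if match.group(f) is not None)
        vals = values(match.group(form))
        return _SINGLE_VALUE_FORMS[form](vals[0] if vals else "")

    return _WILDCARD_RE.sub(repl, template)


# Constructed entry matching the examples in the table above.
SAMPLE_ENTRY = {"gn": ["Steve"], "sn": ["Miller"], "memberUid": ["user1", "user2"]}
```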

<para>Presentation:</para>

<para>The LDAP value will be shown as text.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/customFields29.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para><emphasis role="bold">File upload:</emphasis></para>

<para>This is used for binary data. You can restrict uploaded data to a
given file extension and set the maximum file size.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/customFields21.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Presentation:</para>

<para>The uploaded data may also be downloaded via LAM.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/customFields22.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para id="customFields_validation_expressions_admin"><emphasis
role="bold">Validation expressions:</emphasis></para>

<para>The validation expressions follow the standard of <ulink
url="http://perldoc.perl.org/perlre.html">Perl regular
expressions</ulink>. They start and end with a "/". The beginning of a
line is specified by "^" and the end by "$".</para>

<para>Examples:</para>

<para>/^[a-z0-9]+$/ allows lowercase letters and numbers. The value must
not be empty ("+").</para>

<para>/^[a-z0-9]+$/i allows lowercase and capital letters ("i" at the end
means ignore case) and numbers. The value must not be empty ("+").</para>

<para>Special characters that must be escaped with "\": "\", ".", "(",
")"</para>

<para>E.g. /^[a-z0-9\.]+$/i allows letters, numbers and dots.</para>
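<para>The following helper is an added example (not LAM's own code) that parses the "/.../" delimiters and the "i" flag and runs the expressions above over constructed sample values; it also shows why the anchors matter, since an expression without "^" and "$" passes any value that merely contains a matching substring. It assumes that only the Perl constructs shown on this page (anchors, character classes, quantifiers, backslash escapes) are used, since those behave the same in Python's re module.</para>

```python
import re


def compile_validation_expression(expression):
    """Compile a LAM validation expression such as "/^[a-z0-9]+$/i".

    The expression is delimited by "/" and may carry an "i" (ignore case) after the closing
    slash. The body is handed to Python's re module unchanged; for anchors, character
    classes, quantifiers and backslash escapes Perl and Python syntax agree. Perl-only
    constructs are outside what this helper supports.
    """
    match = re.fullmatch(r"/(.*)/(i?)", expression, re.DOTALL)
    if match is None:
        raise ValueError(f"not a /.../ expression: {expression!r}")
    body, flag = match.groups()
    return re.compile(body, re.IGNORECASE if flag else 0)


def is_valid(expression, value):
    """True if value passes the validation expression.

    search() rather than fullmatch() is used on purpose: as in Perl, the expression itself
    must carry "^" and "$" if the whole value has to match. Without anchors a value only
    needs to contain a matching substring.
    """
    return compile_validation_expression(expression).search(value) is not None


# Constructed sample values checked against the expressions from the manual.
SAMPLE_VALUES = ["user01", "User01", "", "john.doe", "john doe"]


def check_all(expression):
    """Map each sample value to its validation result for one expression."""
    return {value: is_valid(expression, value) for value in SAMPLE_VALUES}
```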
</section>

<section>
<title>Custom scripts (LAM Pro)</title>

<para>LAM Pro allows you to execute scripts whenever an account is
created, modified or deleted. This can be useful to automate processes
which would otherwise need manual work afterwards (e.g. sending your user
a welcome mail or registering a mailbox). Additionally, you can specify
manual scripts that can be executed from within LAM Pro.</para>

<para>To activate this feature please add the "Custom scripts" module to
all needed account types on the configuration pages.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/customScripts3.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>In "Module settings" you can specify multiple scripts for each
action type (e.g. modify) and account type (e.g. user). The scripts need
to be located on the filesystem of your webserver and will be executed in
its user environment. E.g. if your webserver runs as user www-data with
the group www-data then the custom scripts will be run under this user
with its rights. The output of the scripts will be shown in LAM.</para>

<para>You can specify the scripts on the LAM configuration pages.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/customScripts.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para><emphasis role="bold">Syntax:</emphasis></para>

<para>Please enter one script per line. Each line has the following
format: &lt;account type&gt; &lt;action&gt; &lt;script&gt;</para>

<para>E.g.: user preModify /usr/bin/myCustomScript -u $uid$</para>

<para><emphasis role="bold">Account types:</emphasis></para>

<para>You can set up scripts for all available account types (e.g. user,
group, host, ...). Please see the help on the configuration page about
your currently active account types.</para>

<para><emphasis role="bold">Actions:</emphasis></para>

<table>
<title>Action types</title>

<tgroup cols="2">
<tbody>
<row>
<entry><emphasis role="bold">Action name</emphasis></entry>

<entry><emphasis role="bold">Description</emphasis></entry>
</row>

<row>
<entry>preCreate</entry>

<entry>Executed before creating a new account (cancels operation
if a script returns an exit code > 0, not available for file
upload)</entry>
</row>

<row>
<entry>postCreate</entry>

<entry>Executed after creating a new account (does <emphasis
role="bold">not</emphasis> run if preCreate or LDAP operations
fail)</entry>
</row>

<row>
<entry>preModify</entry>

<entry>Executed before an account is modified (cancels operation
if a script returns an exit code > 0)</entry>
</row>

<row>
<entry>postModify</entry>

<entry>Executed after an account was modified (does <emphasis
role="bold">not</emphasis> run if preModify or LDAP operations
fail)</entry>
</row>

<row>
<entry>preDelete</entry>

<entry>Executed before an account is deleted (cancels operation
if a script returns an exit code > 0)</entry>
</row>

<row>
<entry>postDelete</entry>

<entry>Executed after an account was deleted (does <emphasis
role="bold">not</emphasis> run if preDelete or LDAP operations
fail)</entry>
</row>

<row>
<entry>manual</entry>

<entry>Can be run manually on the account page. If you add
LAMLABEL="text" before the command then LAM will use the text as
label for the button in the account edit screen.</entry>
</row>
</tbody>
</tgroup>
</table>

<para><emphasis role="bold">Script:</emphasis></para>

<para>You can execute any script which is located on the filesystem of
your webserver. The path may be absolute or relative to the PATH variable
in the environment of your webserver process. It is also possible to add
command line arguments to your scripts. Additionally, LAM will resolve
wildcards to LDAP attributes. If your script includes a wildcard in the
format $ATTRIBUTE$ then LAM will replace it with the attribute value of
the current LDAP entry. The values of multi-value attributes are separated
by commas. E.g. if you create an account with the attribute "uid" and
value "steve" then LAM will resolve "$uid$" to "steve".</para>

<para>Please note that manual scripts can only use the current LDAP
attribute values of the account. Any modifications that are not yet saved
will not be available. Manual scripts are also not available for new
accounts that are not yet saved to LDAP.</para>

<para>You can switch LAM's logging to debug mode if you are unsure which
attributes with which values are available.</para>

<para>The following special wildcards are available for automatic
scripts:</para>

<itemizedlist>
<listitem>
<para><emphasis role="bold">$INFO.userPasswordClearText$:</emphasis>
cleartext password when the Unix/Windows password is changed (e.g. useful
for external password synchronisation) for new/modified
accounts</para>
</listitem>

<listitem>
<para><emphasis
role="bold">$INFO.userPasswordStatusChange$:</emphasis> provides
additional information if the Personal/Unix password locking status
was changed, possible values: locked, unlocked, unchanged</para>
</listitem>

<listitem>
<para><emphasis
role="bold">$INFO.passwordSelfResetAnswerClearText$</emphasis>:
cleartext answer to the security question</para>
</listitem>

<listitem>
<para><emphasis role="bold">$INFO.389lockingStatusChange$:</emphasis>
for 389ds account locking, provides information if the account was
unlocked. Possible values: unchanged, unlocked</para>
</listitem>

<listitem>
<para><emphasis
role="bold">$INFO.389deactivationStatusChange$:</emphasis> for 389ds
account locking, provides information if the account was deactivated.
Possible values: unchanged, activated, deactivated</para>
</listitem>

<listitem>
<para><emphasis role="bold">$NEW.&lt;attribute&gt;$:</emphasis> the
value of a new attribute (e.g. $NEW.telephoneNumber$) for modified
accounts</para>
</listitem>

<listitem>
<para><emphasis role="bold">$DEL.&lt;attribute&gt;$:</emphasis> the
value of a deleted attribute (e.g. $DEL.telephoneNumber$) for modified
accounts</para>
</listitem>

<listitem>
<para><emphasis role="bold">$MOD.&lt;attribute&gt;$:</emphasis> the
new value of a modified attribute (e.g. $MOD.telephoneNumber$) for
modified accounts</para>
</listitem>

<listitem>
<para><emphasis role="bold">$ORIG.&lt;attribute&gt;$:</emphasis> the
original value of an attribute (e.g. $ORIG.telephoneNumber$) for
modified accounts</para>
</listitem>
</itemizedlist>
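<para>The following parser is an added example (not LAM's own code) that reads module-settings lines in the "&lt;account type&gt; &lt;action&gt; &lt;script&gt;" format described above, picks out the LAMLABEL of manual scripts, and resolves $ATTRIBUTE$ and the $INFO/$NEW/$MOD/$ORIG wildcards the way the text describes (multi-valued attributes joined by commas). The script paths and attribute values are constructed placeholders, and leaving an unknown wildcard unresolved is this example's choice, not documented LAM behaviour.</para>

```python
import re
from collections import namedtuple

# Action names from the "Action types" table.
ACTIONS = {"preCreate", "postCreate", "preModify", "postModify",
           "preDelete", "postDelete", "manual"}
_LABEL_RE = re.compile(r'^LAMLABEL="([^"]*)"\s+(.*)$', re.DOTALL)
# Matches $uid$, $NEW.telephoneNumber$, $INFO.userPasswordStatusChange$ and similar.
_WILDCARD_RE = re.compile(r"\$([A-Za-z0-9.]+)\$")

# label is the LAMLABEL text (manual scripts only); command keeps its wildcards unresolved.
ScriptDefinition = namedtuple("ScriptDefinition", "account_type action label command")

def parse_script_line(line):
    """Parse one '<account type> <action> <script>' line of the module settings."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"expected '<account type> <action> <script>': {line!r}")
    account_type, action, command = parts
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in {line!r}")
    label = None
    match = _LABEL_RE.match(command)
    if match:
        if action != "manual":
            raise ValueError("LAMLABEL only applies to manual scripts")
        label, command = match.group(1), match.group(2)
    return ScriptDefinition(account_type, action, label, command)

def resolve_command(command, wildcards):
    """Replace every $NAME$ with its value(s); multi-valued attributes are comma-separated.

    wildcards maps a name ("uid", "MOD.telephoneNumber", ...) to a list of values. A name
    without an entry is left as-is so the gap stays visible (this example's choice).
    """
    def repl(match):
        values = wildcards.get(match.group(1))
        return match.group(0) if values is None else ",".join(values)
    return _WILDCARD_RE.sub(repl, command)

def commands_for(config_lines, account_type, action, wildcards):
    """Resolved commands for one event, in configuration order; blank lines are skipped."""
    commands = []
    for line in config_lines:
        if line.strip():
            definition = parse_script_line(line)
            if (definition.account_type, definition.action) == (account_type, action):
                commands.append(resolve_command(definition.command, wildcards))
    return commands

# Constructed module settings and attribute values; the script paths are placeholders.
SAMPLE_CONFIG = """
user preModify /usr/local/bin/check-quota -u $uid$
user postModify /usr/local/bin/sync-phone -u $uid$ --old "$ORIG.telephoneNumber$" --new "$MOD.telephoneNumber$"
user postModify /usr/local/bin/notify-lock -u $uid$ --status $INFO.userPasswordStatusChange$
user manual LAMLABEL="Resend welcome mail" /usr/local/bin/welcome-mail $uid$ $mail$
""".splitlines()
SAMPLE_WILDCARDS = {
    "uid": ["steve"],
    "mail": ["steve@example.com"],
    "memberUid": ["user1", "user2"],
    "ORIG.telephoneNumber": ["123"],
    "MOD.telephoneNumber": ["456"],
    "INFO.userPasswordStatusChange": ["unchanged"],
}
```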

<para><emphasis role="bold">Output may contain HTML:</emphasis> If your
scripts generate HTML output then activate this option.</para>

<para><emphasis role="bold">Hide command in messages:</emphasis> You may
want to prevent your users from seeing the executed commands. In this case
activating this option will show only the command output but not the
command itself.</para>

<para>You can see a preview of the commands which will be automatically
executed on the "Custom scripts" tab. Here you can also run the manual
scripts.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/customScripts2.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Sudo roles (LAM Pro)</title>

<para>You can manage your sudo roles in LDAP if you have installed the
sudo-ldap package or <ulink
url="http://www.sudo.ws/sudo/readme_ldap.html">compiled sudo with LDAP
support</ulink>.</para>

<para>To activate sudo management in LAM Pro edit your server profile and
add the type "Sudo roles".</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/sudoRole1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/sudoRole2.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Now you can create sudo commands.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/sudoRole.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>The sudo roles in LDAP work similarly to those in /etc/sudoers. You
can specify who may run which commands as which user. It is also possible
to specify options like NOPASSWD.</para>
</section>

<section>
<title>LDAP views based on nsview (LAM Pro)</title>

<para>LAM Pro supports LDAP views based on the "nsview" object class.
These views allow you to create an organizational unit that shows a subset
of your LDAP content. The subset is determined by an LDAP filter.</para>

<para><emphasis role="bold">Configuration:</emphasis></para>

<para>To activate view management in LAM Pro edit your server profile and
add the type "LDAP views".</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_nsview1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_nsview2.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>Now you are ready to create your views. Each view has a name, an
LDAP filter and an optional description.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_nsview4.png"/>
</imageobject>
</mediaobject>
</screenshot>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_nsview3.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Auto delete (LAM Pro)</title>

<para>This module allows you to mark any new entry for automatic
deletion. The cleanup is done by the LDAP server itself. Please note that
this will not delete any relations etc. in other entries (e.g. group
memberships).</para>

<para><emphasis role="bold">Requirements</emphasis></para>

<itemizedlist>
<listitem>
<para>PHP 7.2 or later: the module will not be shown if you use an
older PHP version since the required LDAP commands are not
supported.</para>
</listitem>

<listitem>
<para>LDAP server with DDS (Dynamic Directory Services) support: your
LDAP server needs to be configured to allow auto deletion of entries.
See e.g. <ulink
url="http://www.openldap.org/doc/admin24/overlays.html">OpenLDAP
configuration</ulink>.</para>
</listitem>

<listitem>
<para>Your user has the right to set a deletion date. This is
configured on your LDAP server via ACLs. E.g. OpenLDAP requires manage
rights on the attribute "entryTtl".</para>
</listitem>
</itemizedlist>

<para><emphasis role="bold">Restrictions</emphasis></para>

<para>The maximum time for auto deletion is one year and six days. This is
a restriction of the DDS standard itself. The deletion date can be
extended for existing accounts but always by a maximum of one year and six
days.</para>

<para>You should configure the maximum TTL value on your LDAP server as
the default is often much less than a year.</para>

<para>A deletion date on an existing entry cannot be removed but only be
extended.</para>

<para><emphasis role="bold">Configuration</emphasis></para>

<para>You can add the auto delete module to any account type.</para>

<para><graphic fileref="images/mod_autoDelete1.png"/></para>

<para><emphasis role="bold">Usage</emphasis></para>

<para>You can set a deletion time for any new account. Please note the
restrictions above. If you get an error about an invalid TTL then you
might have exceeded the maximum TTL.</para>

<para>Existing accounts cannot be marked for deletion. But you may update
the deletion date on existing accounts that are already marked for
deletion.</para>

<para>The profile editor can be used to set up a default deletion
time.</para>

<screenshot>
<graphic fileref="images/mod_autoDelete2.png"/>
</screenshot>
</section>

<section>
<title>General information</title>

<para>This module is available for all account types. It shows some
internal information about the LDAP entries like the creation time and who
modified the entry.</para>

<para>If you use the "memberOf" overlay in OpenLDAP then this will also
show group memberships created by the overlay.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/mod_generalInformation.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>

<section>
<title>Tree view (LDAP browser)</title>

<para>The tree view provides a raw view of your LDAP directory. This
feature is for people who are experienced with LDAP and need special
functionality which the LAM account modules do not provide, e.g. if you
want to add a special object class to an account or edit attributes
ignoring LAM's syntax checks.</para>

<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/tree1.png"/>
</imageobject>
</mediaobject>
</screenshot>

<para>There are also some special functions available:</para>

<para><emphasis role="bold">Show internal attributes:</emphasis> Shows
the internal attributes of the current entry. This includes information
about the creator and creation time of the entry.</para>
</section>
</chapter>