LDAPAccountManager/lam/docs/manual-sources/chapter-accessLevel.xml

185 lines
6.6 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter id="a_accessLevelPasswordReset">
<title>Access levels and password reset page (LAM Pro)</title>
<para>You can define different access levels for each profile to allow or
disallow write access. The password reset page helps your deskside support
staff to reset user passwords.</para>
<section>
<title id="s_accessLevel">Access levels</title>
<para>There are three access levels:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Write access (default)</emphasis></para>
<para>There are no restrictions. LAM admin users can manage account,
create profiles and set passwords.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Change passwords</emphasis></para>
<para>Similar to "Read only" except that the <link
linkend="s_pwdReset">password reset page</link> is available.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Read only</emphasis></para>
<para>No write access to the LDAP database is allowed. It is also
impossible to manage account and PDF profiles.</para>
<para>Accounts may be viewed but no changes can be saved.</para>
</listitem>
</itemizedlist>
<para>The access level can be set on the server configuration
page:</para>
<para><screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/accessLevel.png" />
</imageobject>
</mediaobject>
</screenshot></para>
</section>
<section id="s_pwdReset">
<title>Password reset page</title>
<para>This special page allows your deskside support staff to reset the
Unix and Samba passwords of your users. Account may also be (un)locked
If you set the <link linkend="s_accessLevel">access level</link> to
"Change passwords" then LAM will not allow any changes to the LDAP
database except password changes via this page. The account pages will
be still available in read-only mode.</para>
<para>You can open the password reset page by clicking on the key symbol
on each user account:</para>
<para><screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/passwordReset1.png" />
</imageobject>
</mediaobject>
</screenshot>There are three different options to set a new password.
You can further restrict these options in server profile
settings.</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">set random password and display it on
screen</emphasis></para>
<para>This will set the user's password to a random value. The
password will be 11 characters long with a random combination of
letters, digits and ".-_".</para>
<para>You may want to use this method to tell users their new
passwords via phone.</para>
</listitem>
<listitem>
<para><emphasis role="bold">set random password and mail it to
user</emphasis></para>
<para>If the user account has set the mail attribute then LAM can
send your user a mail with the new password. You can change the mail
template to fit your needs. Please configure your LAM server profile
to setup the sender address, subject and mail body. See <link linkend="mailSetup">here</link> for setting up your
SMTP server.</para>
<para>Using this method will prevent that your support staff knows
the new password.</para>
</listitem>
<listitem>
<para><emphasis role="bold">set specific password</emphasis></para>
<para>Here you can specify your own password.</para>
</listitem>
</itemizedlist>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/passwordReset2.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>LAM will display contact information about the user like the
user's name, email address and telephone number. This will help your
deskside support to easily contact your users.</para>
<para><emphasis role="bold">Options:</emphasis></para>
<para>Depending on the account there may be additional options
available.</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Sync Samba NT/LM password with Unix
password:</emphasis> If a user account has Samba passwords set then
LAM will offer to synchronize the passwords.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Unlock Samba account:</emphasis> Locked
Samba accounts can be unlocked with the password change.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Update Samba password
timestamps:</emphasis> This will set the timestamps when the
password was changed (sambaPwdLastSet). Only existing attributes are
updated. No new attributes are added.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Sync Kerberos password with Unix
password:</emphasis> This will also update the Heimdal Kerberos
password.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Sync Asterisk (voicemail) password with
Unix password:</emphasis> Changes also the Asterisk
passwords.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Force password change:</emphasis> This
will force the user to change his password at next login. This
option supports Shadow, Samba 3 and PPolicy (automatically
detected).</para>
</listitem>
</itemizedlist>
<literallayout>
</literallayout>
<para><emphasis role="bold">Account (un)locking:</emphasis></para>
<para>Depending if the account includes a Unix/Samba extension and
PPolicy is activated the page will show options to (un)lock the account.
E.g. if the account is fully unlocked then there will be no unlocking
options printed.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/passwordReset3.png" />
</imageobject>
</mediaobject>
</screenshot>
</section>
</chapter>