LDAPAccountManager/lam/docs/manual-sources/chapter-tools.xml

487 lines
16 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter>
<title>Tools</title>
<para/>
<section id="a_accountProfile">
<title>Profile editor</title>
<para>The account profiles are templates for your accounts. Here you can
specify default values which can then be loaded when you create accounts.
You may also load a template for an existing account to reset it to
default values. When you create a new account then LAM will always load
the profile named <emphasis role="bold">"default"</emphasis>. This account
profile can include default values for all your accounts.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor2.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para>You can enter the LDAP suffix, RDN identifier and various other
attributes depending on account type and activated modules.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Import/export:</emphasis></para>
<para>Profiles can be exported to and imported from other server
profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor3.png"/>
</imageobject>
</mediaobject>
</screenshot>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor4.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para>There is a special export target called "*Global templates". All
profiles exported here will be copied to all other server profiles (incl.
new ones). But existing profiles with the same name are not overwritten.
So a profile in global templates is treated as default profile for all
server profiles.</para>
<para>Use this if you would like to setup default profiles that are valid
for all server profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/profileEditor5.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
<section id="tool_upload">
<title>File upload</title>
<para>When you need to create lots of accounts then you can use LAM's file
upload to create them. In contrast to <link linkend="tool_upload">LDAP
import/export</link> this operates on account type level.</para>
<para>LAM will read a CSV formatted file and create the related LDAP
entries. Please check the data in you CSV file carefully. LAM will do less
checks for the file upload than for single account creation.</para>
<para>At the first page please select the account type and what extensions
should be activated.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/fileUpload1.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para>The next page shows all available options for the file upload. You
will also find a sample CSV file which can be used as template for your
CSV file. All red options are required columns in the file. You need to
specify a value for each account.</para>
<para>When you upload the CSV file then LAM first does some checks on this
file. This includes syntax checks and if all required data was entered. No
changes in the LDAP directory are done at this time.</para>
<para>If the checks were successful then LAM will ask again if you want to
create the accounts. You will also have the chance to check the upload by
viewing the changes in LDIF format.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/fileUpload2.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title id="toolMultiEdit">Multi edit</title>
<para>This tool allows you to modify a large list of LDAP entries in batch
mode. You can add new attributes/object classes, remove attributes and set
attributes to a specific value.</para>
<para>At the beginning, you need to specify where the entries are stored
that should be changed. You can select an account suffix, the tree suffix
or enter your own DN by selecting "Other".</para>
<para>Next, enter an additional LDAP filter to limit the entries that
should be changed. E.g. use "(objectclass=inetOrgPerson)" to filter for
users. You may also enter e.g. "(!(objectClass=passwordSelfReset))" to
match all accounts that do not yet have the <link
linkend="passwordSelfResetUser">password self reset</link> feature.</para>
<literallayout>
</literallayout>
<para>Now, it is time to define the changes that should be done. The
following operations are possible:</para>
<itemizedlist>
<listitem>
<para>Add: Adds an attribute value if not yet existing. Please do not
use for single-value attributes that already have a value.</para>
</listitem>
<listitem>
<para>Modify: Sets an attribute to the given value. If the attribute
does not yet exist then it is added. If the attribute has multiple
values then all other values are removed.</para>
</listitem>
<listitem>
<para>Delete: Deletes the specified value from this attribute. If you
leave the value field blank then all attribute values are
removed.</para>
</listitem>
</itemizedlist>
<para>Please note that all actions are run as separate LDAP commands. You
cannot add an object class and a required attribute at the same
time.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/multiEdit1.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Dry run</emphasis></para>
<para>You should always start with a dry run. It will not do any changes
to your LDAP directory but print out all modifications that will be done.
You will also be able to download the changes in LDIF format to use with
ldapmodify. This is useful if you want to adjust some actions
manually.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/multiEdit2.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Apply changes</emphasis></para>
<para>This will run the actions against your LDAP directory. You will see
which accounts are edited in the progress area and also if any errors
occurred.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/multiEdit3.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
<section id="tool_importexport">
<title>LDAP import/export</title>
<para>Here you can import and export plain LDAP data. In contrast to <link
linkend="tool_upload">file upload</link> this operates on plain LDAP
attribute level.</para>
<section>
<title>Import</title>
<para>The LDAP import supports input data in <ulink
url="https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format">LDIF</ulink>
format. You can provide plain text or upload an LDIF file.</para>
<para>The "Don't stop on errors" option will cause the import to
continue even if entries could not be created.</para>
<screenshot>
<graphic fileref="images/tool_import.png"/>
</screenshot>
</section>
<section>
<title>Export</title>
<para>Here you can export your plain LDAP data as LDIF or CSV
file.</para>
<screenshot>
<graphic fileref="images/tool_export.png"/>
</screenshot>
<para>Base DN: this is the starting point of the export. Enter a DN or
press the magnifying glass icon to open the DN selection dialog.</para>
<para>Search scope: You can export just the base DN, base DN + its
direct children or the whole subtree.</para>
<para>Search filter: this can be used to filter the entries by
specifying a standard LDAP filter. The preselected filter
"(objectclass=*)" matches all entries.</para>
<para>Attributes: the list of attributes that should be part of export.
"*" matches all standard attributes (excluding system
attributes).</para>
<para>Include system attributes: this will also include system
attributes like the entry creation time and creator's DN.</para>
<para>Save as file: will save to file instead of printing the data on
the web page.</para>
<para>Export format: you can select LDIF or CSV (e.g. for usage in
spreadsheet applications).</para>
<para>End of line: use the one appropriate for your operating
system.</para>
</section>
</section>
<section>
<title>OU editor</title>
<para>This is a simple editor to add/delete organisational units in your
LDAP tree. This way you can structure the accounts.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/ouEditor.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
<section id="pdfEditor">
<title>PDF editor</title>
<para>All accounts in LAM may be exported as PDF files. You can specify
the page structure and displayed information by editing the PDF
profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor2.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para>When you export accounts to PDF then each account will get its own
page inside the PDF. There is a headline on each page where you can show a
page title. You may also add a logo to each page. To add more logos please
use the logo management on the PDF editor main page.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para>The main part is structured into sections of information. Each
section has a title. This can either be static text or the value of an
attribute. You may also insert a static text block as section. Sections
can be moved by using the arrows next to the section title.</para>
<para>Each section can contain multiple fields which usually represent
LDAP attributes. You can simply add new fields by selecting the field name
and its position. Then use the arrows to move the field inside the
section.</para>
<literallayout>
</literallayout>
<para><emphasis role="bold">Import/export:</emphasis></para>
<para>PDF structures can be exported to and imported from other server
profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor3.png"/>
</imageobject>
</mediaobject>
</screenshot>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor4.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para>There is a special export target called "*Global templates". All PDF
structures exported here will be copied to all other server profiles
(incl. new ones). But existing PDF structures with the same name are not
overwritten. So a PDF structure in global templates is treated as default
structure for all server profiles.</para>
<para>Use this if you would like to setup default PDF structures that are
valid for all server profiles.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor5.png"/>
</imageobject>
</mediaobject>
</screenshot>
<para><emphasis role="bold">Logo management:</emphasis></para>
<para>You can upload image files to put a custom logo on the PDF files.
The image file name must end with .png or .jpg.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/pdfEditor6.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>Schema browser</title>
<para>Here you browse the schema of your LDAP server. You can view what
object classes, attributes, syntaxes and matching rules are available.
This is useful if you need to check if a certain object class is
available.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/schemaBrowser.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>Server information</title>
<para>This shows information and statistics about your LDAP server. This
includes the suffixes, used overlays, connection data and operation
statistics. You will need "cn=monitor" setup to see all details. Some data
may not be available depending on your LDAP server software.</para>
<para>Please see the following links how to setup "cn=monitor":</para>
<itemizedlist>
<listitem>
<para><ulink
url="http://www.openldap.org/doc/admin24/monitoringslapd.html">OpenLDAP</ulink></para>
</listitem>
<listitem>
<para><ulink type=""
url="http://directory.fedoraproject.org/wiki/Howto:CN%3DMonitor_LDAP_Monitoring">389
server</ulink></para>
</listitem>
</itemizedlist>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/serverInfo.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title id="tool_webauthn">Webauthn devices</title>
<para>See the <link linkend="a_webauthn">Webauthn/FIDO2 appendix</link>
for an overview about Webauthn/FIDO2 in LAM.</para>
<para>Here you can manage your webauthn/FIDO2 devices.</para>
<para>You can register additional security devices and remove old ones. If
no more device is registered then LAM will ask you for registration on
next login.</para>
<screenshot>
<graphic fileref="images/tool_webauthn1.png"/>
</screenshot>
</section>
<section>
<title>Tests</title>
<para>This allows you to check if your LDAP schema is compatible with LAM
and to find possible problems.</para>
<section>
<title>Lamdaemon test</title>
<para>LAM provides an external script to manage home directories and
quotas. You can test here if everything is setup correctly.</para>
<para>If you get an error like "no tty present and no askpass program
specified" then the path to the lamdaemon.pl may be wrong. Please see
the <link linkend="a_lamdaemon">lamdaemon installation
instructions</link> for setup details.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/lamdaemonTest.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
<section>
<title>Schema test</title>
<para>This will test if your LDAP schema supports all object classes and
attributes of the active LAM modules. If you get a message that
something is missing please check that you installed all <link
linkend="a_schema">required schemas</link>.</para>
<para>If you get error messages about object class violations then this
test can tell you what is missing.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/schemaTest.png"/>
</imageobject>
</mediaobject>
</screenshot>
</section>
</section>
</chapter>