<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
<book>
|
|
<title>LDAP Account Manager - Manual</title>
|
|
|
|
<preface>
|
|
<title>Overview</title>
|
|
|
|
<para>LDAP Account Manager (LAM) manages user, group and host accounts in
|
|
an LDAP directory. LAM runs on any webserver with PHP5 support and
|
|
connects to your LDAP server unencrypted or via SSL/TLS.</para>
|
|
|
|
<para>LAM supports Samba 3, Unix, Zarafa, Kolab 2/3, address book entries,
|
|
NIS mail aliases, MAC addresses and much more. There is a tree viewer
|
|
included to allow access to the raw LDAP attributes. You can use templates
|
|
for account creation and use multiple configuration profiles.</para>
|
|
|
|
<para><ulink
|
|
url="https://www.ldap-account-manager.org/">https://www.ldap-account-manager.org/</ulink></para>
|
|
|
|
<para>Copyright (C) 2003 - 2014 Roland Gruber
&lt;post@rolandgruber.de&gt;</para>
|
|
|
|
<para><emphasis role="bold">Key features:</emphasis></para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>managing user/group/host/domain entries</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>account profiles</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>account creation via file upload</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>multiple configuration profiles</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>LDAP browser</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>schema browser</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>OU editor</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>PDF export for all accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>manage user/group Quota and create home directories</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">Requirements:</emphasis></para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>PHP5 (>= 5.2.4)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Any standard LDAP server (e.g. OpenLDAP, Active Directory, Samba
|
|
4, OpenDJ, 389 Directory Server, Apache DS, ...)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>A recent web browser that supports CSS2 and JavaScript, at
|
|
minimum:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Firefox 3</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Internet Explorer 8<emphasis role="bold"> (compatibility
|
|
mode turned off)</emphasis></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Opera 10</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The default password to edit the configuration options is
|
|
"lam".</para>
|
|
|
|
<para><emphasis role="bold">License:</emphasis></para>
|
|
|
|
<para>LAM is published under the GNU General Public License. The complete
|
|
list of licenses can be found in the copyright file.</para>
|
|
|
|
<para><emphasis role="bold">Default password:</emphasis></para>
|
|
|
|
<para>The default password for the LAM configuration is "lam".</para>
|
|
|
|
<literallayout>
|
|
Have fun!
|
|
The LAM development team</literallayout>
|
|
</preface>
|
|
|
|
<preface>
|
|
<title>Architecture</title>
|
|
|
|
<para>There are basically two groups of users for LAM:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">LDAP administrators and support
|
|
staff:</emphasis></para>
|
|
|
|
<para>These people administer LDAP entries like user accounts, groups,
|
|
...</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Users:</emphasis></para>
|
|
|
|
<para>This includes all people who need to manage their own data
|
|
inside the LDAP directory. E.g. these people edit their contact
|
|
information with LAM self service (LAM Pro).</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/lam_architecture.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Therefore, LAM is split into two separate parts, LAM for admins and
LAM for users. LAM for admins allows you to manage various types of LDAP
entries (e.g. users, groups, hosts, ...). It also contains tools like batch
upload, account profiles, an LDAP schema viewer and an LDAP browser. LAM for
users focuses on end users. It provides a self service for the users to
edit their personal data (e.g. contact information). The LAM administrator
is able to specify what data may be changed by the users. The design can
also be adapted to your corporate design.</para>
|
|
|
|
<para>LAM for admins/users is accessible via HTTP(S) by all major web
|
|
browsers (Firefox, IE, Opera, ...).</para>
|
|
|
|
<para><emphasis role="bold">LAM runtime environment:</emphasis></para>
|
|
|
|
<para>LAM runs on PHP. Therefore, it is independent of CPU architecture
and operating system (OS). You can run LAM on any OS which supports Apache
or another PHP-compatible web server.</para>
|
|
|
|
<para><emphasis role="bold">Home directory server:</emphasis></para>
|
|
|
|
<para>You can manage user home directories and their quotas inside LAM.
|
|
The home directories may reside on the server where LAM is installed or
|
|
any remote server. The commands for home directory management are secured
|
|
by SSH. LAM will use the user name and password of the logged in LAM
|
|
administrator for authentication.</para>
|
|
|
|
<para><emphasis role="bold">LDAP directory:</emphasis></para>
|
|
|
|
<para>LAM connects to your LDAP server via standard LDAP protocol. It also
|
|
supports encrypted connections with SSL and TLS.</para>
|
|
</preface>
|
|
|
|
<chapter id="a_installation">
|
|
<title>Installation</title>
|
|
|
|
<section id="a_install">
|
|
<title>New installation</title>
|
|
|
|
<section>
|
|
<title>Requirements</title>
|
|
|
|
<para>LAM has the following requirements to run:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Apache webserver (SSL recommended) with PHP module (PHP 5
|
|
(>= 5.2.4) with ldap, gettext, xml, openssl and optional
|
|
mcrypt)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Some LAM plugins may require additional PHP extensions (you
|
|
will get a note on the login page if something is missing)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Perl (optional, needed only for lamdaemon)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Any standard LDAP server (e.g. OpenLDAP, Active Directory,
|
|
Samba 4, OpenDJ, 389 Directory Server, Apache DS, ...)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>A recent web browser that supports CSS2 and JavaScript, at
|
|
minimum:</para>
|
|
|
|
<para><itemizedlist>
|
|
<listitem>
|
|
<para>Firefox 3</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Internet Explorer 8 <emphasis
|
|
role="bold">(compatibility mode turned
|
|
off)</emphasis></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Opera 10</para>
|
|
</listitem>
|
|
</itemizedlist></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>MCrypt will be used to store your LDAP password encrypted in the
|
|
session file.</para>
|
|
|
|
<para>Please note that LAM does not ship with a selinux policy. Please
|
|
disable selinux or create your own policy.</para>
|
|
|
|
<para>See <link linkend="a_schema">LDAP schema files</link> for
information about the LDAP schema files used.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Prepackaged releases</title>
|
|
|
|
<para>LAM is available as prepackaged version for various
|
|
platforms.</para>
|
|
|
|
<section>
|
|
<title>Debian</title>
|
|
|
|
<informaltable frame="none" tabstyle="noborder">
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/debian.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>LAM is part of the official Debian repository. New
releases are uploaded to unstable and will be available
automatically in testing and the stable releases. You can
run <emphasis role="bold">apt-get install ldap-account-manager</emphasis>
to install LAM on your server. Additionally, you may download the latest
LAM Debian packages from the <ulink
url="http://www.ldap-account-manager.org/">LAM
homepage</ulink> or the <ulink
url="http://packages.debian.org/search?keywords=ldap-account-manager">Debian
package homepage</ulink>.<para><emphasis
role="bold">Installation of the latest packages on Debian
Squeeze</emphasis></para><orderedlist>
|
|
<listitem>
|
|
<para>Install php-fpdf 1.7.dfsg-1 from here:</para>
|
|
|
|
<para><ulink
|
|
url="http://packages.debian.org/wheezy/all/php-fpdf/download">http://packages.debian.org/wheezy/all/php-fpdf/download</ulink></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Install the LAM package</para>
|
|
|
|
<para>dpkg -i ldap-account-manager_*.deb</para>
|
|
|
|
<para>If you get any messages about missing
|
|
dependencies run now: apt-get -f install</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Install the lamdaemon package (optional)</para>
|
|
|
|
<para>dpkg -i
|
|
ldap-account-manager-lamdaemon_*.deb</para>
|
|
</listitem>
|
|
</orderedlist></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Suse/Fedora</title>
|
|
|
|
<informaltable frame="none">
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/suse.png" />
|
|
</imageobject>
|
|
</inlinemediaobject><para></para><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/fedora.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>There are RPM packages available on the <ulink
|
|
type="" url="http://www.ldap-account-manager.org/">LAM
|
|
homepage</ulink>. The packages can be installed with these
|
|
commands:<para><emphasis role="bold">rpm -e
|
|
ldap-account-manager
|
|
ldap-account-manager-lamdaemon</emphasis> (if an older
|
|
version is installed)</para><para><emphasis role="bold">rpm
-i &lt;path to LAM package&gt;</emphasis></para></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Other RPM based distributions</title>
|
|
|
|
<para>The RPM packages for Suse/Fedora are very generic and should
|
|
be installable on other RPM-based distributions, too. The Fedora
|
|
packages use apache:apache as file owner and the Suse ones use
|
|
wwwrun:www.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>FreeBSD</title>
|
|
|
|
<informaltable frame="none">
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/freebsd.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>LAM is part of the official FreeBSD ports tree. For
|
|
more details see these pages:<para>FreeBSD-SVN: <ulink
|
|
url="http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/"
|
|
userlevel="">http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/</ulink></para><para>FreshPorts:
|
|
<ulink
|
|
url="http://www.freshports.org/sysutils/ldap-account-manager">http://www.freshports.org/sysutils/ldap-account-manager</ulink></para></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Installing the tar.bz2</title>
|
|
|
|
<section>
|
|
<title>Extract the archive</title>
|
|
|
|
<para>Please extract the archive with the following command:</para>
|
|
|
|
<para>tar xjf ldap-account-manager-&lt;version&gt;.tar.bz2</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Install the files</title>
|
|
|
|
<section>
|
|
<title>Manual copy</title>
|
|
|
|
<para>Copy the files into the document root of the web server,
for example /apache/htdocs.</para>
|
|
|
|
<para>Then set the appropriate file permissions:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>lam/sess: write permission for apache user</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>lam/tmp: write permission for apache user</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>lam/config (with subdirectories): write permission for
|
|
apache user</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>lam/lib: lamdaemon.pl must be set executable</para>
|
|
</listitem>
|
|
</itemizedlist>
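<para>Added example (not code from the LAM manual or the LAM project): a POSIX shell script that applies the permissions listed above and then verifies them. The function names, the 0750 mode for the writable directories and the removal of "other" access on the config folder are this example's own choices; the manual only asks for write permission for the Apache user, but config/config.cfg and the server profiles in config/ hold LAM's configuration passwords, so keeping them unreadable for other local users is the cautious default. Ownership is only changed when the script runs as root.</para>

```sh
#!/bin/sh
# Added example: apply and verify the file permissions LAM needs after a
# manual copy. Function names, modes and the owner/group arguments are
# assumptions of this example, not something the LAM project defines.

# lam_set_perms WEBROOT HTTPD_USER HTTPD_GROUP
#   WEBROOT is the extracted "lam" directory, e.g. /apache/htdocs/lam.
lam_set_perms() {
    local root user group d
    root=$1; user=$2; group=$3
    for d in sess tmp config lib/lamdaemon.pl; do
        if [ ! -e "$root/$d" ]; then
            echo "lam_set_perms: $root/$d is missing" 1>&2
            return 1
        fi
    done
    # chown needs root; when run as the web server user itself this is skipped.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user:$group" "$root/sess" "$root/tmp" "$root/config"
    fi
    # Session and temp files: writable by the web server user only.
    chmod 0750 "$root/sess" "$root/tmp"
    # config/ (recursively): writable by the web server user, readable by its
    # group, no access for others, since it contains LAM's passwords.
    chmod -R u+rwX,g+rX,o-rwx "$root/config"
    # lamdaemon.pl must be executable.
    chmod 0755 "$root/lib/lamdaemon.pl"
}

# lam_check_perms WEBROOT
#   Returns 0 if the layout matches the manual's requirements (plus this
#   example's stricter rule for config/), 1 otherwise.
lam_check_perms() {
    local root d leaks
    root=$1
    for d in sess tmp config; do
        if [ ! -d "$root/$d" ] || [ ! -w "$root/$d" ]; then
            return 1
        fi
    done
    if [ ! -x "$root/lib/lamdaemon.pl" ]; then
        return 1
    fi
    # Anything under config/ that is readable or writable by "other" is a leak.
    leaks=$(find "$root/config" \( -perm -004 -o -perm -002 \) 2>/dev/null)
    if [ -n "$leaks" ]; then
        echo "lam_check_perms: world-accessible files in config/:" 1>&2
        echo "$leaks" 1>&2
        return 1
    fi
    return 0
}

# Usage (paths and account names are placeholders):
#   lam_set_perms /apache/htdocs/lam www-data www-data
#   lam_check_perms /apache/htdocs/lam; echo "check exit code: $?"
```

<para>The check function is meant to be run after every upgrade or restore as well: copying configuration files back as root silently changes their owner, which the Apache user then cannot write.</para>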
|
|
</section>
|
|
|
|
<section>
|
|
<title>With configure script</title>
|
|
|
|
<para>Instead of manually copying files you can also use the
|
|
included configure script to install LAM. Just run these commands
|
|
in the extracted directory:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>./configure</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>make install</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Options for "./configure":</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>--with-httpd-user=USER USER is the name of your Apache
|
|
user account (default httpd)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>--with-httpd-group=GROUP GROUP is the name of your
|
|
Apache group (default httpd)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>--with-web-root=DIRECTORY DIRECTORY is the name where
|
|
LAM should be installed (default /usr/local/lam)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Configuration files</title>
|
|
|
|
<para>Copy config/config.cfg_sample to config/config.cfg and
|
|
config/lam.conf_sample to config/lam.conf. Open the index.html in
|
|
your web browser:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Follow the link "LAM configuration" from the start page to
|
|
<link linkend="a_configuration">configure LAM</link>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Select "Edit general settings" to setup global settings
|
|
and to change the <link linkend="a_configPasswords">master
|
|
configuration password</link> (default is "lam").</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Select "Edit server profiles" to setup your server
|
|
profiles. There should be the lam profile which you just copied
|
|
from the sample file. The default password is "lam". Now change
|
|
the settings to fit for your environment.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>System configuration</title>
|
|
|
|
<section>
|
|
<title>PHP</title>
|
|
|
|
<para>LAM runs with PHP5 (>= 5.2.4). Needed changes in your
|
|
php.ini:</para>
|
|
|
|
<para>memory_limit = 64M</para>
|
|
|
|
<para>If you run PHP with activated <ulink
|
|
url="http://www.hardened-php.net/suhosin/index.html">Suhosin</ulink>
|
|
extension please check your logs for alerts. E.g. LAM requires that
|
|
"suhosin.post.max_name_length" and
|
|
"suhosin.request.max_varname_length" are increased (e.g. to
|
|
256).</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Locales for non-English translation</title>
|
|
|
|
<para>If you want to use a translated version of LAM be sure to
|
|
install the needed locales. The following table shows the needed
|
|
locales for the different languages.</para>
|
|
|
|
<table>
|
|
<title>Locales</title>
|
|
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><emphasis role="bold">Language</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Locale</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Catalan</entry>
|
|
|
|
<entry>ca_ES.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Chinese (Simplified)</entry>
|
|
|
|
<entry>zh_CN.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Chinese (Traditional)</entry>
|
|
|
|
<entry>zh_TW.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Czech</entry>
|
|
|
|
<entry>cs_CZ.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Dutch</entry>
|
|
|
|
<entry>nl_NL.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>English - Great Britain</entry>
|
|
|
|
<entry>no extra locale needed</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>English - USA</entry>
|
|
|
|
<entry>en_US.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>French</entry>
|
|
|
|
<entry>fr_FR.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>German</entry>
|
|
|
|
<entry>de_DE.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Hungarian</entry>
|
|
|
|
<entry>hu_HU.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Italian</entry>
|
|
|
|
<entry>it_IT.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Japanese</entry>
|
|
|
|
<entry>ja_JP.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Polish</entry>
|
|
|
|
<entry>pl_PL.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Portuguese</entry>
|
|
|
|
<entry>pt_BR.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Russian</entry>
|
|
|
|
<entry>ru_RU.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Slovak</entry>
|
|
|
|
<entry>sk_SK.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Spanish</entry>
|
|
|
|
<entry>es_ES.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Turkish</entry>
|
|
|
|
<entry>tr_TR.utf8</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Ukrainian</entry>
|
|
|
|
<entry>uk_UA.utf8</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>You can get a list of all installed locales on your system by
|
|
executing:</para>
|
|
|
|
<para>locale -a</para>
|
|
|
|
<para>Debian users can add locales with "dpkg-reconfigure
|
|
locales".</para>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Upgrading LAM or migrating from LAM to LAM Pro</title>
|
|
|
|
<para>Upgrading from LAM to LAM Pro is like installing a new LAM
|
|
version. Simply install the LAM Pro packages/tar.bz2 instead of the LAM
|
|
ones.</para>
|
|
|
|
<section>
|
|
<title>Install new version</title>
|
|
|
|
<para><emphasis role="bold">Backup configuration
|
|
files</emphasis></para>
|
|
|
|
<para>Configuration files only need to be backed up for tar.bz2
installations. DEB/RPM installations do not require this step.</para>
|
|
|
|
<para>LAM stores all configuration files in the "config" folder.
|
|
Please backup the following files and copy them after the new version
|
|
is installed.</para>
|
|
|
|
<simplelist>
|
|
<member>config/*.conf</member>
|
|
|
|
<member>config/config.cfg</member>
|
|
|
|
<member>config/pdf/*.xml</member>
|
|
|
|
<member>config/profiles/*</member>
|
|
</simplelist>
|
|
|
|
<para>LAM Pro only:</para>
|
|
|
|
<simplelist>
|
|
<member>config/selfService/*.*</member>
|
|
</simplelist>
|
|
|
|
<para><emphasis role="bold">Uninstall current LAM (Pro)
|
|
version</emphasis></para>
|
|
|
|
<para>If you used the DEB/RPM installation packages then remove the
|
|
ldap-account-manager and ldap-account-manager-lamdaemon
|
|
packages.</para>
|
|
|
|
<para>Otherwise, remove the folder where you installed LAM via
|
|
configure or by copying the files.</para>
|
|
|
|
<para><emphasis role="bold">Install new LAM (Pro)
|
|
version</emphasis></para>
|
|
|
|
<para>Please <link linkend="a_install">install</link> the new LAM
|
|
(Pro) release. Skip the part about setting up LAM configuration
|
|
files.</para>
|
|
|
|
<para><emphasis role="bold">Restore configuration
|
|
files</emphasis></para>
|
|
|
|
<para>This step can be skipped if you installed the DEB/RPM
|
|
packages.</para>
|
|
|
|
<para>Please restore your configuration files from the backup. Copy
all files from the backup folder to the config folder in your LAM (Pro)
installation. Do not simply replace the folder because the new LAM
(Pro) release might include additional files in this folder. Overwrite
any existing files with your backup files.</para>
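<para>Added example (not part of the manual or of LAM itself): a POSIX shell script that performs the backup and restore steps above for a tar.bz2 installation. It copies exactly the files listed (config/*.conf, config/config.cfg, config/pdf/*.xml, config/profiles/* and, when present, the LAM Pro config/selfService files) and restores them file by file into the existing config folder rather than replacing it, so files shipped by the new release survive. Function names and directory arguments are this example's own.</para>

```sh
#!/bin/sh
# Added example: back up and restore LAM's configuration files across an
# upgrade of a tar.bz2 installation. Function names and arguments are this
# example's assumptions; the file list is the one given in the manual.

# lam_backup_config CONFIG_DIR BACKUP_DIR
#   CONFIG_DIR is the "config" folder of the currently installed LAM (Pro).
lam_backup_config() {
    local src dest f
    src=$1; dest=$2
    if [ ! -f "$src/config.cfg" ]; then
        echo "lam_backup_config: $src does not look like a LAM config folder" 1>&2
        return 1
    fi
    mkdir -p "$dest/pdf" "$dest/profiles"
    cp -p "$src/config.cfg" "$dest/"
    # config/*.conf: one server profile per file
    for f in "$src"/*.conf; do
        if [ -e "$f" ]; then cp -p "$f" "$dest/"; fi
    done
    # config/pdf/*.xml: PDF structures
    for f in "$src"/pdf/*.xml; do
        if [ -e "$f" ]; then cp -p "$f" "$dest/pdf/"; fi
    done
    # config/profiles/*: account profiles (one subfolder per server profile since 4.0)
    if [ -d "$src/profiles" ]; then
        cp -Rp "$src"/profiles/. "$dest/profiles/"
    fi
    # LAM Pro only: self service profiles
    if [ -d "$src/selfService" ]; then
        mkdir -p "$dest/selfService"
        cp -Rp "$src"/selfService/. "$dest/selfService/"
    fi
}

# lam_restore_config BACKUP_DIR CONFIG_DIR
#   Merges the backup into the new release's config folder. The folder itself
#   is kept because the new release may ship additional files in it; files
#   that exist in both places are overwritten by the backup.
lam_restore_config() {
    local backup target
    backup=$1; target=$2
    if [ ! -d "$target" ]; then
        echo "lam_restore_config: $target is not a directory; install LAM first" 1>&2
        return 1
    fi
    cp -Rp "$backup"/. "$target/"
    # If this ran as root the restored files are now root-owned: re-apply the
    # file permissions from the installation section afterwards.
}

# Usage (paths are placeholders):
#   lam_backup_config /usr/local/lam/config /root/lam-config-backup
#   ... uninstall the old release, install the new one ...
#   lam_restore_config /root/lam-config-backup /usr/local/lam/config
```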
|
|
|
|
<para><emphasis role="bold">Final steps</emphasis></para>
|
|
|
|
<para>Now open your web browser and point it to the LAM login page. All
your settings should be migrated.</para>
|
|
|
|
<para>Please check also the <link linkend="a_versUpgrade">version
|
|
specific instructions</link>. They might include additional
|
|
actions.</para>
|
|
</section>
|
|
|
|
<section id="a_versUpgrade">
|
|
<title>Version specific upgrade instructions</title>
|
|
|
|
<section>
|
|
<title>4.4 -> 4.5</title>
|
|
|
|
<para>LAM will no longer follow referrals by default. This is ok for
|
|
most installations. If you use LDAP referrals please activate
|
|
referral following for your server profile (tab General settings
|
|
-> Server settings -> Advanced options).</para>
|
|
|
|
<para>The self service pages now have their own option for allowed IPs.
If your LAM installation uses IP restrictions please update the LAM
main configuration.</para>
|
|
|
|
<para>Password self reset (LAM Pro) allows setting a backup email
address. You need to <link
linkend="passwordSelfResetSchema_update">update</link> the LDAP
schema if you want to use this feature.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>4.3 -> 4.4</title>
|
|
|
|
<para>Apache configuration: LAM supports Apache 2.2 and 2.4. This
|
|
requires that your Apache server has enabled the "version" module.
|
|
For Debian and Fedora this is the default setup. The Suse RPM will
|
|
try to enable the version module during installation.</para>
|
|
|
|
<para>Kolab: User accounts get the object class "mailrecipient" by
|
|
default. You can change this behaviour in the module settings
|
|
section of your LAM server profile.</para>
|
|
|
|
<para>Windows: sAMAccountName is no longer set by default. Enable it
|
|
in server profile if needed. The possible domains for the user name
|
|
can also be set in server profile.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>4.2.1 -> 4.3</title>
|
|
|
|
<para>LAM is no longer shipped as a tar.gz package but as tar.bz2, which
gives smaller file sizes.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>4.1 -> 4.2/4.2.1</title>
|
|
|
|
<para>Zarafa users: The default attribute for mail aliases is now
|
|
"dn". If you use "uid" and did not change the server profile for a
|
|
long time please check your LAM server profile for this setting and
|
|
save it.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>4.0 -> 4.1</title>
|
|
|
|
<para><emphasis role="bold">Unix:</emphasis> The list of valid login
|
|
shells is no longer configured in "config/shells" but in the
|
|
server/self service profiles (Unix settings). LAM will use the
|
|
following shells by default: /bin/bash, /bin/csh, /bin/dash,
|
|
/bin/false, /bin/ksh, /bin/sh.</para>
|
|
|
|
<para>Please update your server/self service profile if you would
|
|
like to change the list of valid login shells.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>3.9 -> 4.0</title>
|
|
|
|
<para>The account profiles and PDF structures are now separated by
|
|
server profile. This means that if you edit e.g. an account profile
|
|
in server profile A then this change will not affect the account
|
|
profiles in server profile B.</para>
|
|
|
|
<para>LAM will automatically migrate your existing files as soon as
|
|
the login page is loaded.</para>
|
|
|
|
<para>Special install instructions:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Debian: none, config files will be migrated when opening
|
|
LAM's login page</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Suse/Fedora RPM:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Run "rpm -e ldap-account-manager
|
|
ldap-account-manager-lamdaemon"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>You may get warnings like "warning:
|
|
/var/lib/ldap-account-manager/config/profiles/default.user
|
|
saved as
|
|
/var/lib/ldap-account-manager/config/profiles/default.user.rpmsave"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Please rename all files "*.rpmsave" and remove the
|
|
file extension ".rpmsave". E.g. "default.user.rpmsave" needs
|
|
to be renamed to "default.user".</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Install the LAM packages with "rpm -i". E.g. "rpm -i
|
|
ldap-account-manager-4.0-0.suse.1.noarch.rpm".</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Open LAM's login page in your browser to complete the
|
|
migration</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>tar.gz: standard upgrade steps, config files will be
|
|
migrated when opening LAM's login page</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>3.7 -> 3.9</title>
|
|
|
|
<para>No changes.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>3.6 -> 3.7</title>
|
|
|
|
<para>Asterisk extensions: The extension entries are now grouped by
extension name and account context. LAM will automatically assign
priorities and set the same owners for all entries.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>3.5.0 -> 3.6</title>
|
|
|
|
<para><emphasis role="bold">Debian users:</emphasis> LAM 3.6
|
|
requires to install FPDF 1.7. You can download the package <ulink
|
|
url="http://packages.debian.org/search?keywords=php-fpdf&amp;searchon=names&amp;suite=all&amp;section=all">here</ulink>.
|
|
If you use Debian Stable (Squeeze) please use the package from
|
|
Testing (Wheezy).</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>3.4.0 -> 3.5.0</title>
|
|
|
|
<para><emphasis role="bold">LAM Pro:</emphasis> The global
|
|
config/passwordMailTemplate.txt is no longer supported. You can
|
|
setup the mail settings now for each LAM server profile which
|
|
provides more flexibility.</para>
|
|
|
|
<para><emphasis role="bold">Suse/Fedora RPM
|
|
installations:</emphasis> LAM is now installed to
|
|
/usr/share/ldap-account-manager and
|
|
/var/lib/ldap-account-manager.</para>
|
|
|
|
<para>Please note that configuration files are not migrated
|
|
automatically. Please move the files from /srv/www/htdocs/lam/config
|
|
(Suse) or /var/www/html/lam/config (Fedora) to
|
|
/var/lib/ldap-account-manager/config.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>3.3.0 -> 3.4.0</title>
|
|
|
|
<para>No changes.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>3.2.0 -> 3.3.0</title>
|
|
|
|
<para>If you use custom images for the PDF export then these images
need to be 5 times bigger than before (e.g. 250x250px instead of
50x50px). This allows images with higher resolution to be used.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>3.1.0 -> 3.2.0</title>
|
|
|
|
<para>No changes.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>3.0.0 -> 3.1.0</title>
|
|
|
|
<para>LAM supported setting a list of valid workstations on the
"Personal" page. This required a change to the LDAP schema. Since
3.1.0 this is replaced by the new "Hosts" module for users.</para>
|
|
|
|
<para>Lamdaemon: The sudo entry needs to be changed to
|
|
".../lamdaemon.pl *".</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>2.3.0 -> 3.0.0</title>
|
|
|
|
<para>No changes.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>2.2.0 -> 2.3.0</title>
|
|
|
|
<para><emphasis role="bold">LAM Pro:</emphasis> There is now a
|
|
separate account type for group of (unique) names. Please edit your
|
|
server profiles to activate the new account type.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>1.1.0 -> 2.2.0</title>
|
|
|
|
<para>No changes.</para>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="a_uninstall">
|
|
<title>Uninstallation of LAM (Pro)</title>
|
|
|
|
<para>If you used the prepackaged installation packages then remove the
|
|
ldap-account-manager and ldap-account-manager-lamdaemon packages.</para>
|
|
|
|
<para>Otherwise, remove the folder where you installed LAM via configure
|
|
or by copying the files.</para>
|
|
</section>
|
|
</chapter>
|
|
|
|
<chapter id="a_configuration">
|
|
<title>Configuration</title>
|
|
|
|
<para>After you <link linkend="a_installation">installed</link> LAM you
|
|
can configure it to fit your needs. The complete configuration can be done
|
|
inside the application. There is no need to edit configuration
|
|
files.</para>
|
|
|
|
<para>Please point your browser to the location where you installed LAM.
E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM
via the tar.bz2 then this may vary. You should see the following
page:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/login.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>If you see an error message then you might need to install an
|
|
additional PHP extension. Please follow the instructions and reload the
|
|
page afterwards.</para>
|
|
|
|
<para>Now you are ready to configure LAM. Click on the "LAM configuration"
|
|
link to proceed.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configOverview.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Here you can change LAM's general settings, setup server profiles
|
|
for your LDAP server(s) and configure the <link
|
|
linkend="a_selfService">self service</link> (LAM Pro). You should start
|
|
with the general settings and then setup a server profile.</para>
|
|
|
|
<section>
|
|
<title>General settings</title>
|
|
|
|
<para>After selecting "Edit general settings" you will need to enter the
|
|
<link linkend="a_configPasswords">master configuration password</link>.
|
|
The default password for new installations is "lam". Now you can edit
|
|
the general settings.</para>
|
|
|
|
<section>
|
|
<title>Security settings</title>
|
|
|
|
<para>Here you can set a time period after which inactive sessions are
|
|
automatically invalidated. The selected value represents minutes of
|
|
inactivity.</para>
|
|
|
|
<para>You may also set a list of IP addresses which are allowed to
access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
or with the "*" wildcard (e.g. 123.123.123.*). Users who try to
access LAM via an untrusted IP only get blank pages. There is a
separate field for LAM Pro self service.</para>
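<para>Added example (not LAM's own code): the allow-list check described above, reimplemented as a POSIX shell function so that a rule set can be tested before it is saved. An entry is a full IP or a dotted quad with "*" in place of one or more octets; the wildcard stands for a whole octet only, so 123.123.123.* matches 123.123.123.7 but neither 123.123.1237 nor 123.123.123.7.1, and an entry of *.*.*.* allows every client. The function names and the space-separated list format are this example's own, and treating an empty list as "no restriction" is this example's assumption (the option is optional in LAM).</para>

```sh
#!/bin/sh
# Added example: check a client IP against LAM-style allow-list entries
# ("123.123.123.123" or "123.123.123.*"). Written for this page as an
# illustration, not LAM's implementation; function names are assumptions.

# _lam_split4 DOTTED_QUAD
#   Sets the globals O1..O4 to the four fields; returns 1 unless there are
#   exactly four of them.
_lam_split4() {
    local s rest
    s=$1
    case "$s" in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    O1=${s%%.*};    rest=${s#*.}
    O2=${rest%%.*}; rest=${rest#*.}
    O3=${rest%%.*}; rest=${rest#*.}
    O4=$rest
    case "$O4" in
        *.*) return 1 ;;    # five or more fields
    esac
    return 0
}

# _lam_octet_ok PATTERN_OCTET IP_OCTET
_lam_octet_ok() {
    [ "$1" = "*" ] || [ "$1" = "$2" ]
}

# lam_ip_matches_pattern IP PATTERN
#   The wildcard stands for one whole octet; nothing else is special.
lam_ip_matches_pattern() {
    local a1 a2 a3 a4
    _lam_split4 "$1" || return 1
    a1=$O1; a2=$O2; a3=$O3; a4=$O4
    _lam_split4 "$2" || return 1
    _lam_octet_ok "$O1" "$a1" || return 1
    _lam_octet_ok "$O2" "$a2" || return 1
    _lam_octet_ok "$O3" "$a3" || return 1
    _lam_octet_ok "$O4" "$a4" || return 1
    return 0
}

# lam_ip_allowed IP "ENTRY ENTRY ..."
#   Returns 0 if any entry matches. An empty list means the restriction is
#   not configured, so every client is allowed (assumption of this example).
lam_ip_allowed() {
    local ip entry
    ip=$1
    set -f                      # no filename globbing on the "*" entries
    for entry in $2; do
        if lam_ip_matches_pattern "$ip" "$entry"; then
            set +f
            return 0
        fi
    done
    set +f
    [ -z "$2" ]
}

# Usage: lam_ip_allowed 10.1.2.3 "10.1.2.* 192.168.0.1"; echo "allowed: $?"
```

<para>When LAM sits behind a reverse proxy, the address it sees is the proxy's, not the client's; check the address that actually reaches LAM before relying on this restriction.</para>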
|
|
|
|
<para id="sessionEncryption">Session encryption will encrypt sensitive
|
|
data like passwords in your session files. This is only available when
|
|
PHP <ulink url="http://php.net/mcrypt">MCrypt</ulink> is active. This
|
|
adds extra security but also costs performance. If you manage a large
|
|
directory you might want to disable this and take other actions to
|
|
secure your LAM server.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configGeneral1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para id="conf_sslCert"><emphasis role="bold">SSL certificate
|
|
setup:</emphasis></para>
|
|
|
|
<para>By default, LAM uses the CA certificates that are preinstalled
|
|
on your system. This will work if you connect via SSL/TLS to an LDAP
|
|
server that uses a certificate signed by a well-known CA. In case you
|
|
use your own CA (e.g. company internal CA) you can import the CA
|
|
certificates here.</para>
|
|
|
|
<para>Please note that this can affect other web applications on the
|
|
same server if they require different certificates. There seem to be
|
|
problems on Debian systems and you may also need to restart Apache. In
|
|
case of any problems please delete the uploaded certificates and use
|
|
the <link linkend="ssl_certSystem">system setup</link>.</para>
|
|
|
|
<para>You can either upload a DER/PEM formatted certificate file or
|
|
import the certificates directly from an LDAP server that is available
|
|
with LDAP+SSL (ldaps://). LAM will automatically override system
|
|
certificates if at least one certificate is uploaded/imported.</para>
|
|
|
|
<para>The whole certificate list can be downloaded in PEM format. You
|
|
can also delete single certificates from the list.</para>
|
|
|
|
<para>Please note that you might need to restart your webserver if you
|
|
do any changes to this configuration.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configGeneral4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Password policy</title>
|
|
|
|
<para>This allows you to specify a central password policy for LAM.
|
|
The policy is valid for all password fields inside LAM admin
|
|
(excluding tree view) and LAM self service. Configuration passwords do
|
|
not need to follow this policy.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configGeneral2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can set the minimum password length and also the complexity
|
|
of the passwords.</para>
|
|
</section>
|
|
|
|
<section id="conf_logging">
|
|
<title>Logging</title>
|
|
|
|
<para>LAM can log events (e.g. user logins). You can use system
|
|
logging (syslog for Unix, event viewer for Windows) or log to a
|
|
separate file. Please note that LAM may log sensitive data (e.g.
|
|
passwords) at log level "Debug". Production systems should be set to
|
|
"Warning" or "Error".</para>
|
|
|
|
<para>The PHP error reporting setting is only for developers. By default LAM
does not show PHP notice messages in the web pages. You can select to
use the php.ini setting here or to print all errors and
notices.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configGeneral3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Additional options</title>
|
|
|
|
<para id="mailEOL"><emphasis role="bold">Email
|
|
format</emphasis></para>
|
|
|
|
<para>Some email servers are not standards compatible. If you receive
|
|
mails that look broken you can change the line endings for sent mails
|
|
here. Default is to use "\r\n".</para>
|
|
|
|
<para>At the moment, this option is only available in LAM Pro as there
|
|
is no mail sending in the free version. See <link
|
|
linkend="mailSetup">here</link> for setting up your SMTP
|
|
server.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configGeneral6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Change master password</title>
|
|
|
|
<para>If you would like to change the master configuration password
|
|
then enter a new password here.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configGeneral5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Server profiles</title>
|
|
|
|
<para>The server profiles store information about your LDAP server (e.g.
|
|
host name) and what kind of accounts (e.g. users and groups) you would
|
|
like to manage. There is no limit on the number of server profiles. See
|
|
the <link linkend="confTypicalScenarios">typical scenarios</link> about
|
|
how to structure your server profiles.</para>
|
|
|
|
<section>
|
|
<title>Manage server profiles</title>
|
|
|
|
<para>Select "Manage server profiles" to open the profile management
|
|
page.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Here you can create, rename and delete server profiles. The
|
|
<link linkend="a_configPasswords">passwords</link> of your server
|
|
profiles can also be reset.</para>
|
|
|
|
<para>You may also specify the default server profile. This is the
|
|
server profile which is preselected at the login page. It also
|
|
specifies the language of the login and configuration pages.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can create a new server profile by simply entering its name
and password. After you have created a new profile you can go back to the
profile login and edit your new server profile.</para>
|
|
|
|
<para>All operations on the profile management page require that you
|
|
authenticate yourself with the <link
|
|
linkend="a_configPasswords">configuration master
|
|
password</link>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Editing a server profile</title>
|
|
|
|
<para>Please select your server profile and enter its password to edit
it.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Each server profile contains the following information:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">General settings:</emphasis> general
|
|
settings about your LDAP server (e.g. host name and security
|
|
settings)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Account types:</emphasis> list of
|
|
account types (e.g. users and groups) that you would like to
|
|
manage and type specific settings (e.g. LDAP suffix)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Modules:</emphasis> list of modules
|
|
which define what account aspects (e.g. Unix, Samba, Kolab) you
|
|
would like to manage</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Module settings:</emphasis> settings
|
|
which are specific for the selected account modules on the page
|
|
before</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<section id="general_settings">
|
|
<title>General settings</title>
|
|
|
|
<para>Here you can specify the LDAP server and some security
|
|
settings.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The server address of your LDAP server can be a DNS name or an
|
|
IP address. Use ldap:// for unencrypted LDAP connections or TLS
|
|
encrypted connections. LDAP+SSL (LDAPS) encrypted connections are
|
|
specified with ldaps://. The port value is optional. TLS cannot be
|
|
combined with ldaps://.</para>
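<para>As an added example (not LAM's own code), the following Python function applies the address rules from this paragraph: the address must start with ldap:// or ldaps://, the port is optional, and the TLS option cannot be combined with ldaps://. It also reports the resulting encryption mode, so a profile that would send credentials in plaintext is easy to spot. The function names, the activate_tls parameter (standing in for LAM's TLS setting) and the sample addresses are assumptions of the example; 389 and 636 are the standard LDAP and LDAPS ports.</para>

```python
from urllib.parse import urlsplit

# Standard LDAP ports, used when the address gives none.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_server_address(address: str, activate_tls: bool) -> dict:
    """Validate a server address as the general settings page describes it.

    Returns host, port and the resulting encryption mode, or raises ValueError
    for an address that is not acceptable (wrong scheme, missing host, or the
    TLS option combined with ldaps://).
    """
    parts = urlsplit(address.strip())
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("address must start with ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("address needs a DNS name or IP address")
    if parts.scheme == "ldaps" and activate_tls:
        raise ValueError("TLS cannot be combined with ldaps://")
    if parts.scheme == "ldaps":
        mode = "ldaps"
    elif activate_tls:
        mode = "starttls"
    else:
        mode = "plaintext"  # bind credentials would cross the network unencrypted
    return {"host": parts.hostname,
            "port": parts.port or DEFAULT_PORTS[parts.scheme],
            "encryption": mode}


def is_valid_address(address: str, activate_tls: bool) -> bool:
    """True if parse_server_address accepts the combination."""
    try:
        parse_server_address(address, activate_tls)
    except ValueError:
        return False
    return True
```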
|
|
|
|
<para>LAM includes an LDAP browser which allows direct modification
|
|
of LDAP entries. If you would like to use it then enter the LDAP
|
|
suffix at "Tree suffix".</para>
|
|
|
|
<para>The search limit is used to reduce the number of search
|
|
results which are returned by your LDAP server.</para>
|
|
|
|
<para>The access level specifies whether LAM should allow modifying LDAP
entries. This feature is only available in LAM Pro. LAM non-Pro
releases use write access. See <link
linkend="a_accessLevelPasswordReset">this page</link> for details on
the different access levels.</para>
|
|
|
|
<para>By default LAM will not follow LDAP referrals. This is ok for
|
|
most installations. If you use LDAP referrals please activate the
|
|
referral option in advanced settings.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM is translated to many different languages. Here you can
select the default language for this server profile. The language
setting may be overridden at the LAM login page.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM can manage user home directories and quotas with an
|
|
external script. You can specify the home directory server and where
|
|
the script is located. The default rights for new home directories
|
|
can be set, too.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles9.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM Pro users can send out changed passwords to their users.
|
|
Here you can specify the options for these mails.</para>
|
|
|
|
<para>If you select "Allow alternate address" then password mails
|
|
can be sent to any address (e.g. a secondary address if the user
|
|
account is also bound to the mailbox).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles8.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM supports two methods for login. The first one is to
specify a fixed list of LDAP DNs that are allowed to log in. Please
enter one DN per line.</para>
|
|
|
|
<para>The second one is to let LAM search for the DN in your
|
|
directory. E.g. if a user logs in with the user name "joe" then LAM
|
|
will do an LDAP search for this user name. When it finds a matching
|
|
DN then it will use this to authenticate the user. The wildcard
|
|
"%USER%" will be replaced by "joe" in this example. This way you can
|
|
provide login by user name, email address or other LDAP
|
|
attributes.</para>
|
|
|
|
<para>Additionally, you can enable HTTP authentication when using
"LDAP search". This way the web server is responsible for
authenticating your users. LAM will use the given user name + password
for the LDAP login. You can also configure this to set up advanced
login restrictions (e.g. require group memberships for login). To
set up HTTP authentication in Apache please see this <ulink
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>
and an example for LDAP authentication <link
linkend="apache_http_auth">here</link>.</para>
|
|
|
|
<para><emphasis role="bold">Hint:</emphasis> LDAP search with group
membership check can be done with either <link
linkend="apache_http_auth">HTTP authentication</link> or LDAP
overlays like <ulink
url="http://www.openldap.org/doc/admin24/overlays.html">"memberOf"</ulink>
or <ulink
url="http://www.openldap.org/doc/admin24/overlays.html">"Dynamic
lists"</ulink>. Dynamic lists allow you to insert virtual attributes into
your user entries. These can then be used in the LDAP filter (e.g.
"(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))").</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles7.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You may also change the password of this server profile.
|
|
Please just enter the new password in both password fields.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Account types</title>
|
|
|
|
<para>LAM can manage various types of LDAP entries (e.g.
users, groups, DHCP entries, ...). On this page you can select which
types of entries you want to manage with LAM.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configTypes1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The section at the top shows a list of possible types. You can
|
|
activate them by simply clicking on the plus sign next to it.</para>
|
|
|
|
<para>Each account type has the following options:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">LDAP suffix:</emphasis> the LDAP
|
|
suffix where entries of this type should be managed</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">List attributes:</emphasis> a list
|
|
of attributes which are shown in the account lists</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Additional LDAP filter:</emphasis>
|
|
LAM will automatically detect the right LDAP entries for each
|
|
account type. This can be used to further limit the number of
|
|
visible entries (e.g. if you want to manage only some specific
|
|
groups). You can use "@@LOGIN_DN@@" as wildcard (e.g.
|
|
"(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the
|
|
user who is logged in.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Hidden:</emphasis> This is used to
|
|
hide account types that should not be displayed but are required
|
|
by other account types. E.g. you can hide the Samba domains
|
|
account type and still assign domains when you edit your
|
|
users.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Read-only (LAM Pro only):</emphasis>
This allows you to set a single account type to read-only mode.
Please note that this is a restriction on functional level (e.g.
group memberships can be changed on the user page even if groups are
read-only) and is not a replacement for setting up proper ACLs on
your LDAP server.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Custom label:</emphasis> Here you
|
|
can set a custom label for the account types. Use this if the
|
|
standard label does not fit for you (e.g. enter "Servers" for
|
|
hosts).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">No new entries (LAM Pro
only):</emphasis> Use this if you want to prevent your users from
creating new accounts of this type. The GUI will
hide buttons to create new entries and also disable file upload
for this type.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Disallow delete (LAM Pro
only):</emphasis> Use this if you want to prevent your users from
deleting accounts of this type.</para>
|
|
</listitem>
|
|
</itemizedlist>
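<para>The following Python code is an added example (not LAM's own code) that covers two placeholders from this chapter: "%USER%" in the login search filter (with the memberOf filter shown in the hint above) and "@@LOGIN_DN@@" in an account type's additional LDAP filter. It escapes the substituted value according to RFC 4515, so that parentheses or an asterisk in a user name are matched literally instead of changing the filter's structure, and then evaluates the expanded filter with a small in-memory evaluator against a constructed directory. The evaluator, the sample entries and the group filter (owner=@@LOGIN_DN@@) are assumptions of the example.</para>

```python
import re

# RFC 4515 escaping for values placed inside a filter; without it characters
# such as ")" or "*" in a user name would alter the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_placeholders(template: str, values: dict) -> str:
    """Replace LAM-style placeholders (%USER%, @@LOGIN_DN@@) with escaped values."""
    for placeholder, raw in values.items():
        template = template.replace(placeholder, escape_filter_value(raw))
    return template


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _value_pattern(raw: str):
    # Split on unescaped '*' before unescaping, so an escaped \2a stays a
    # literal asterisk; a bare "*" becomes a presence test.
    parts = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_filter(s: str, i: int = 0):
    """Parse the RFC 4515 subset (&...), (|...), (!...) and (attr=value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, subs, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(subs) != 1):
            raise ValueError("malformed compound filter")
        return (op, subs), i + 1
    j = s.find(")", i)
    attr, sep, value = s[i:j].partition("=")
    if j < 0 or not sep or not attr:
        raise ValueError("only (attr=value) items are supported")
    return ("=", attr.lower(), _value_pattern(value)), j + 1


def matches(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(pattern.match(v) for v in entry.get(attr, []))


def search(filter_str: str, entries: dict) -> list:
    """DNs of all entries (attribute names lower-case) matching the filter."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [dn for dn, attrs in entries.items() if matches(node, attrs)]


def find_login_dn(login_filter: str, user: str, entries: dict):
    """Expand %USER% and return the single matching DN, or None.

    Zero hits means an unknown user; more than one means the filter is
    ambiguous, and an ambiguous login is refused rather than guessed.
    """
    hits = search(expand_placeholders(login_filter, {"%USER%": user}), entries)
    return hits[0] if len(hits) == 1 else None


# Constructed sample directory, not real data.
USERS = {
    "uid=joe,ou=people,dc=company,dc=com": {
        "uid": ["joe"], "mail": ["joe@company.com"],
        "memberof": ["cn=admins,ou=groups,dc=company,dc=com"]},
    "uid=ann,ou=people,dc=company,dc=com": {
        "uid": ["ann"], "mail": ["ann@company.com"],
        "memberof": ["cn=staff,ou=groups,dc=company,dc=com"]},
}
GROUPS = {
    "cn=sales,ou=groups,dc=company,dc=com": {
        "cn": ["sales"], "owner": ["uid=joe,ou=people,dc=company,dc=com"]},
    "cn=research,ou=groups,dc=company,dc=com": {
        "cn": ["research"], "owner": ["uid=ann,ou=people,dc=company,dc=com"]},
}
# The login filter from the manual (LDAP search plus memberOf) and an
# assumed additional LDAP filter for the group account type.
LOGIN_FILTER = "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))"
GROUP_FILTER = "(owner=@@LOGIN_DN@@)"


def visible_groups(user: str) -> list:
    """Groups the logged-in user may see after @@LOGIN_DN@@ is substituted."""
    dn = find_login_dn(LOGIN_FILTER, user, USERS)
    if dn is None:
        return []
    return search(expand_placeholders(GROUP_FILTER, {"@@LOGIN_DN@@": dn}), GROUPS)
```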
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configTypes2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>On the next page you can specify in detail what extensions
|
|
should be enabled for each account type.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Modules</title>
|
|
|
|
<para>The modules specify the active extensions for each account
|
|
type. E.g. here you can setup if your user entries should be address
|
|
book entries only or also support Unix or Samba.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configModules1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Each account type needs a so-called "base module". This is the
foundation for all LDAP entries of this type. Usually, it provides the
structural object class for the LDAP entries. There must be exactly
one active base module for each account type.</para>
|
|
|
|
<para>Furthermore, there may be any number of additional active
|
|
account modules. E.g. you may select "Personal" as base module and
|
|
Unix + Samba as additional modules.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Module settings</title>
|
|
|
|
<para>Depending on the activated account modules there may be
additional configuration options available. They can be found on the
"Module settings" tab. E.g. the Personal account module allows you to
hide several input fields and the Unix module requires you to specify
ranges for UID numbers.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configSettings1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="confTypicalScenarios">
|
|
<title>Typical scenarios</title>
|
|
|
|
<para>This is a list of typical scenarios of how your LDAP environment
may look and how to structure the server profiles for it.</para>
|
|
|
|
<section>
|
|
<title>Simple: One LDAP directory managed by a small group of
|
|
admins</title>
|
|
|
|
<para>This is the easiest and most common scenario. You want to
|
|
manage a single LDAP server and there is only one or a few admins.
|
|
In this case just create one server profile and you are done. The
|
|
admins may be either specified as a fixed list or by using an LDAP
|
|
search at login time.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/LDAPStructuresSimple.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Advanced: One LDAP server which is managed by different admin
|
|
groups</title>
|
|
|
|
<para>Large organisations may have one big LDAP directory for all
|
|
user/group accounts. But the users are managed by different groups
|
|
of admins (e.g. departments, locations, subsidiaries, ...). The
|
|
users are typically divided into organisational units in the LDAP
|
|
tree. Admins may only manage the users in their part of the
|
|
tree.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/LDAPStructuresAdvanced.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>In this situation it is recommended to create one server
profile for each admin group (e.g. department). Set up the LDAP
suffixes in the server profiles to point to the needed
organisational units. E.g. use
ou=people,ou=department1,dc=company,dc=com or
ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
Do the same for groups, hosts, ... This way each admin group will
only see its own users. You may want to use LDAP search for the LAM
login in this scenario. This avoids having to update a server profile
whenever the number of admins changes.</para>
|
|
|
|
<para><emphasis role="bold">Attention:</emphasis> LAM's feature to
|
|
automatically find free UIDs/GIDs for new users/groups will not work
|
|
in this case. LAM uses the user/group suffix to search for already
|
|
assigned UIDs/GIDs. As an alternative you can specify different
|
|
UID/GID ranges for each department. Then the UIDs/GIDs will stay
|
|
unique for the whole directory.</para>
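<para>As an added example (not LAM's own code), the following Python code models the per-department UID/GID ranges suggested above: it checks that the ranges do not overlap, finds the lowest free ID within a department's range using only the IDs found below that department's suffix (which is all a server profile searches), and flags IDs under a suffix that fall outside the department's own range, since those can collide with another department's allocations. The department names, range bounds and sample IDs are constructed for the example.</para>

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IdRange:
    department: str
    low: int
    high: int  # inclusive


def validate_ranges(ranges: Iterable[IdRange]) -> List[IdRange]:
    """Return the ranges sorted by start; reject empty or overlapping ones.

    Disjoint ranges are what keeps IDs unique across the whole directory
    even though each server profile only searches its own suffix.
    """
    ordered = sorted(ranges, key=lambda r: r.low)
    for r in ordered:
        if r.low > r.high:
            raise ValueError(f"{r.department}: empty range {r.low}-{r.high}")
    for a, b in zip(ordered, ordered[1:]):
        if a.high >= b.low:
            raise ValueError(f"{a.department} and {b.department} overlap at {b.low}")
    return ordered


def overlap_error(ranges: Iterable[IdRange]) -> Optional[str]:
    """The validation error for a proposed set of ranges, or None if valid."""
    try:
        validate_ranges(ranges)
    except ValueError as exc:
        return str(exc)
    return None


def next_free_id(rng: IdRange, used: Iterable[int]) -> Optional[int]:
    """Lowest unused ID inside the department's range, or None when exhausted.

    `used` holds the IDs found below the department's own suffix; IDs of
    other departments cannot collide because the ranges are disjoint.
    """
    taken = {u for u in used if rng.low <= u <= rng.high}
    for candidate in range(rng.low, rng.high + 1):
        if candidate not in taken:
            return candidate
    return None


def stray_ids(rng: IdRange, used: Iterable[int]) -> List[int]:
    """IDs under a department's suffix that lie outside its range.

    These come from manual edits or migrated entries; they are invisible to
    the other department's free-ID search and so may collide with it.
    """
    return sorted(u for u in used if not rng.low <= u <= rng.high)


# Constructed sample: two departments and the UIDs found under their suffixes.
RANGES = validate_ranges([IdRange("department1", 10000, 19999),
                          IdRange("department2", 20000, 29999)])
USED = {"department1": [10000, 10001, 10003],
        "department2": [20000, 10002]}  # 10002 lies in department1's range
```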
|
|
</section>
|
|
|
|
<section>
|
|
<title>Multiple LDAP servers</title>
|
|
|
|
<para>You can manage as many LDAP servers with LAM as you wish. This
|
|
scenario is similar to the advanced scenario above. Just create one
|
|
server profile for each LDAP server.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/LDAPStructuresMultiServer.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Single LDAP directory with lots of users (>10 000)</title>
|
|
|
|
<para>LAM was tested to work with 10 000 users. If you have a lot
|
|
more users then you have basically two options.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Divide your LDAP tree in organisational units: This is
|
|
usually the best performing option. Put your accounts in several
|
|
organisational units and setup LAM as in the advanced scenario
|
|
above.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Increase memory limit: Increase the memory_limit parameter
|
|
in your php.ini. This will allow LAM to read more entries. But
|
|
this will slow down the response times of LAM.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
</chapter>
|
|
|
|
<chapter>
|
|
<title>Managing entries in your LDAP directory</title>
|
|
|
|
<para>This chapter will give you instructions on how to manage the different
LDAP entries in your directory.</para>
|
|
|
|
<para>Please note that not all account types are manageable with the free
|
|
LAM release. LAM Pro provides some more account types (e.g. group of
|
|
names, aliases, ...) and modules (e.g. Zarafa, custom scripts, ...) to
|
|
support additional LDAP object classes. All LAM Pro features are marked in
|
|
this manual.</para>
|
|
|
|
<para><emphasis role="bold">Basic page layout:</emphasis></para>
|
|
|
|
<para>After the login LAM will present you its main page. It consists of a
header part which is equal for all pages and the content area which covers
most of the page.</para>
|
|
|
|
<para>The header part includes the links to manage all account types (e.g.
|
|
users and groups) and open the tree view (LDAP browser). There is also the
|
|
logout link and a tools entry.</para>
|
|
|
|
<para>When you log in you will see an account listing in the content
area.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mainpage.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Here you can create, delete and modify accounts. Use the action
|
|
buttons at the left or double click on an entry to edit it.</para>
|
|
|
|
<para>The suffix selection box allows you to list only the accounts which
|
|
are located in a subtree of your LDAP directory.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/listConfig.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can change the number of shown entries per page with "Change
|
|
settings". Depending on the account type there may be additional settings.
|
|
E.g. the user list can convert group numbers to group names.</para>
|
|
|
|
<para>When you select to edit an entry then LAM will show all its data on
|
|
a tabbed view. There is one tab for each functional part of the account.
|
|
You can set default values by loading an <link
|
|
linkend="a_accountProfile">account profile</link>.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/editView.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<section>
|
|
<title>Typical usage scenarios</title>
|
|
|
|
<para>Here is a list of typical usage scenarios and what account types
|
|
and modules you need to configure.</para>
|
|
|
|
<para><emphasis role="bold">Address book entries:</emphasis></para>
|
|
|
|
<para>Account types:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Users (Personal)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">Unix accounts:</emphasis></para>
|
|
|
|
<para>Account types:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Users (Personal + Unix)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Groups (Unix (posixGroup))</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Suse users may need to use Group (Group of names + Unix
|
|
(rfc2307bisPosixGroup)) because of Suse's special LDAP schema.</para>
|
|
|
|
<para><emphasis role="bold">Samba 3 accounts:</emphasis></para>
|
|
|
|
<para>Account types:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Users (Personal + User + Samba 3)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Groups (Unix + Samba 3)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Hosts (Account + Unix + Samba 3)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Samba domains (Samba domain)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">Samba 4/Active Directory:</emphasis></para>
|
|
|
|
<para>Account types:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Users (Windows)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Groups (Windows)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Hosts (Windows)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Please note that you must change the attributes that are shown in the
account lists. Otherwise, the account tables will show empty lines. See
the documentation for the Windows user/group/host modules.</para>
|
|
|
|
<para>For Samba 4 with Zarafa use the following modules:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Users (Windows + Zarafa (+ Zarafa contact))</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Groups (Windows + Zarafa)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Hosts (Windows + Zarafa)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Zarafa dynamic groups (Zarafa dynamic group)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Zarafa address lists (Zarafa address list)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>See also the <link linkend="s_zarafa">Zarafa</link> section for
|
|
additional settings (e.g. using Zarafa AD schema).</para>
|
|
|
|
<para><emphasis role="bold">Asterisk:</emphasis></para>
|
|
|
|
<para>Account types:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Users (Personal + Asterisk)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Asterisk extensions (Asterisk extension)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">Zarafa:</emphasis></para>
|
|
|
|
<para>Account types:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Users (Personal + Unix + Zarafa (+ Zarafa contact))</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Groups (Unix + Zarafa)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Zarafa dynamic groups (Zarafa dynamic group)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Zarafa address lists (Zarafa address list)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Hosts (Device + Zarafa + IP Address)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">PyKota:</emphasis></para>
|
|
|
|
<para>Account types:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Users (Personal + Unix + PyKota)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Groups (Unix + PyKota)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Printers (PyKota)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Billing codes (PyKota)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Users</title>
|
|
|
|
<para>LAM manages various types of user accounts. This includes address
|
|
book entries, Unix, Samba, Zarafa and much more.</para>
|
|
|
|
|
|
|
|
<para><emphasis role="bold">Account list settings:</emphasis></para>
|
|
|
|
<para>The user list includes two special options to change how your
|
|
users are displayed.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/userListOptions.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis>Translate GID number to group name:</emphasis> By
|
|
default the user list can show the primary group IDs (GIDs) of your
|
|
users. There are often cases where it is more suitable to show the group
|
|
name instead. This can be done by activating this option. Please note
|
|
that LAM will execute more LDAP queries which may result in decreased
|
|
performance.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/userListOptionTransPrimary.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis>Show account status:</emphasis> If you activate this
|
|
option then there will be an additional column displayed that shows if
|
|
the account is locked. You can see more details when moving the mouse
|
|
cursor over the lock icon. This function supports Unix, Samba and
|
|
PPolicy.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/userListOptionAccountStatus.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
|
|
|
|
<para><emphasis role="bold">Quick account (un)locking:</emphasis></para>
|
|
|
|
<para>When you edit a user, LAM lets you quickly lock/unlock the
whole account. This includes Unix, Samba and PPolicy. LAM can also
remove group memberships if an account is locked.</para>
|
|
|
|
<para>You will see the current status of all account parts in the title
|
|
area of the account.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/userAccountStatus1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>If you click on the lock icon then a dialog will be opened to
|
|
change these values. Depending on which parts are locked LAM will
|
|
provide options to lock/unlock account parts.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/userAccountStatus2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/userAccountStatus3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<section>
|
|
<title>Personal</title>
|
|
|
|
<para>This module is the most common basis for user accounts in LAM.
|
|
You can use it stand-alone to manage address book entries or in
|
|
combination with Unix, Samba or other modules.</para>
|
|
|
|
<para>The Personal module provides support for managing various
|
|
personal data of your users including mail addresses and telephone
|
|
numbers. You can also add photos of your users (please install <ulink
|
|
url="http://www.php.net/manual/en/book.imagick.php">PHP
|
|
Imagick/ImageMagick</ulink> for full file format support). If you do
|
|
not need to manage all attributes then you can deactivate them in your
|
|
server profile.</para>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>Please activate the module "Personal (inetOrgPerson)" for
|
|
users.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_personal3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The module manages lots of fields. Probably, you will not need
|
|
all of them. You can hide fields in module settings.</para>
|
|
|
|
<para>In advanced options you may also set fields to read-only (for
|
|
existing accounts) and define limits for photo files.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_personal4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
|
|
|
|
<para><emphasis role="bold">User management</emphasis></para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_personal.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>User certificates can be uploaded and downloaded. LAM will
|
|
automatically convert PEM to DER format.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_personal2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<table>
|
|
<title>LDAP attribute mappings</title>
|
|
|
|
<tgroup cols="2">
|
|
<thead>
|
|
<row>
|
|
<entry align="center">Attribute name</entry>
|
|
|
|
<entry align="center">Name inside LAM</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry>businessCategory</entry>
|
|
|
|
<entry>Business category</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>carLicense</entry>
|
|
|
|
<entry>Car license</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>cn/commonName</entry>
|
|
|
|
<entry>Common name</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>departmentNumber</entry>
|
|
|
|
<entry>Department(s)</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>description</entry>
|
|
|
|
<entry>Description</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>employeeNumber</entry>
|
|
|
|
<entry>Employee number</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>employeeType</entry>
|
|
|
|
<entry>Employee type</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>facsimileTelephoneNumber/fax</entry>
|
|
|
|
<entry>Fax number</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>givenName/gn</entry>
|
|
|
|
<entry>First name</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>homePhone</entry>
|
|
|
|
<entry>Home telephone number</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>initials</entry>
|
|
|
|
<entry>Initials</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>jpegPhoto</entry>
|
|
|
|
<entry>Photo</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>l</entry>
|
|
|
|
<entry>Location</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>mail/rfc822Mailbox</entry>
|
|
|
|
<entry>Email address</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>manager</entry>
|
|
|
|
<entry>Manager</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>mobile/mobileTelephoneNumber</entry>
|
|
|
|
<entry>Mobile number</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>organizationName/o</entry>
|
|
|
|
<entry>Organisation</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>physicalDeliveryOfficeName</entry>
|
|
|
|
<entry>Office name</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>postalAddress</entry>
|
|
|
|
<entry>Postal address</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>postalCode</entry>
|
|
|
|
<entry>Postal code</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>postOfficeBox</entry>
|
|
|
|
<entry>Post office box</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>registeredAddress</entry>
|
|
|
|
<entry>Registered address</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>roomNumber</entry>
|
|
|
|
<entry>Room number</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>sn/surname</entry>
|
|
|
|
<entry>Last name</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>st</entry>
|
|
|
|
<entry>State</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>street/streetAddress</entry>
|
|
|
|
<entry>Street</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>telephoneNumber</entry>
|
|
|
|
<entry>Telephone number</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>title</entry>
|
|
|
|
<entry>Job title</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>userCertificate</entry>
|
|
|
|
<entry>User certificates</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>uid/userid</entry>
|
|
|
|
<entry>User name</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>userPassword</entry>
|
|
|
|
<entry>Password</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Unix</title>
|
|
|
|
<para>The Unix module manages Unix user accounts including group
|
|
memberships.</para>
|
|
|
|
<para>There are several configuration options for this module:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>UID generator: LAM will suggest UID numbers for your
accounts. Please note that duplicate IDs may be assigned if several
users create accounts at the same time. Use an
<ulink
url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink>
like "Attribute Uniqueness" (<link
linkend="a_openldap_unique">example</link>) if you have lots of
LAM admins creating accounts.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Fixed range: LAM searches for free numbers within the
|
|
given limits. LAM always tries to use a free UID that is
|
|
greater than the existing UIDs to prevent collisions with
|
|
deleted accounts.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Samba ID pool: This uses a special LDAP entry that
|
|
includes attributes that store a counter for the last used
|
|
UID/GID. Please note that this requires that you install the
|
|
Samba schema and create an LDAP entry of object class
|
|
"sambaUnixIdPool".</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Password hash type: If possible use CRYPT-SHA512 or SSHA to
protect your users' passwords.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Login shells: List of valid login shells that can be
|
|
selected when editing an account.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Hidden options: Some input fields can be hidden to simplify
|
|
the GUI if you do not need them.</para>
|
|
</listitem>
|
|
</itemizedlist>
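<para>Added example, not LAM's own code: the "Fixed range" generator described above, written as a small function so the allocation rule can be checked offline. The existing uidNumber values are a constructed list rather than the result of an LDAP search, and the comment at the end notes why this alone does not prevent the duplicate-ID race the text mentions.</para>
<programlisting><![CDATA[
```python
"""Free-UID selection following the "Fixed range" rule documented above.
Illustrative code, not LAM's implementation."""

# Constructed sample: uidNumber values already present in the directory.
EXISTING_UIDS = [10000, 10001, 10002, 10005]


def next_free_uid(existing, low, high):
    """Return a free UID within [low, high] or None if the range is full.

    Preference order, as the text describes it:
    1. the number just above the highest UID already in use, so a UID
       freed by a deleted account is not handed out to a new user;
    2. only when the top of the range is reached, the lowest gap inside it.
    """
    if low > high:
        raise ValueError("lower limit must not exceed upper limit")
    used = {u for u in existing if low <= u <= high}
    highest = max(used) if used else low - 1
    if highest + 1 <= high:
        return highest + 1
    for candidate in range(low, high + 1):
        if candidate not in used:
            return candidate
    return None


# Two admins calling this at the same moment see the same "existing" set
# and receive the same suggestion; that is the race the text warns about,
# and why a server-side uniqueness overlay is the actual safeguard.
if __name__ == "__main__":
    print(next_free_uid(EXISTING_UIDS, 10000, 20000))
```
]]></programlisting>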
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_unixUserConfig.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
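<para>Added example, not LAM's own code: how a userPassword value in the SSHA scheme named under "Password hash type" is built and verified, using only the Python standard library. SSHA is "{SSHA}" followed by base64(sha1(password + salt) + salt); the CRYPT-SHA512 scheme is produced by crypt(3) and is not shown.</para>
<programlisting><![CDATA[
```python
"""Generate and verify {SSHA} userPassword values.
Illustrative code, not LAM's implementation."""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20


def make_ssha(password, salt=None):
    """Return the userPassword value for password. A random 8-byte salt is
    drawn when none is given, so equal passwords hash differently per user."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt(stored):
    """Extract the salt that is stored behind the 20-byte SHA-1 digest."""
    raw = base64.b64decode(stored[len(PREFIX):])
    return raw[SHA1_LEN:]


def verify_ssha(stored, password):
    """Check password against a stored value. Any other scheme fails closed
    and the digests are compared in constant time."""
    if not stored.startswith(PREFIX):
        return False
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    value = make_ssha("correct horse")
    print(value, verify_ssha(value, "correct horse"))
```
]]></programlisting>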
|
|
|
|
<para>The user name is automatically filled as specified in the
|
|
configuration (default smiller for Steve Miller). Of course, the
|
|
suggested value can be changed any time. Common name is also filled
|
|
with first/last name by default.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_unixUser.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Group memberships can be changed when clicking on "Edit groups".
|
|
Here you can select the Unix groups and group of names
|
|
memberships.</para>
|
|
|
|
<para>To enable "Group of names" please either add the groups module
|
|
"groupOfNames"/"groupOfUniqueNames" or add the account type "Group of
|
|
names".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_unixUserGroups.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can also create home directories for your users if you set up
<link linkend="a_lamdaemon">lamdaemon</link>. This allows you to
create the directories on the local or remote servers.</para>
|
|
|
|
<para>It is also possible to check the status of the user's home
|
|
directories. If needed the directories can be created or removed at
|
|
any time.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_unixUserHomedir.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Group of names (LAM Pro)</title>
|
|
|
|
<para>This module manages memberships in group of (unique) names. To
|
|
activate this feature please add the user module "Group of names
|
|
(groupOfNamesUser)" to your LAM server profile.</para>
|
|
|
|
<para>Please note that this module cannot be used if the Unix module
|
|
is active. In this case group memberships may be managed with the Unix
|
|
module.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_groupOfNamesUser2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The module automatically detects if groups are based on
|
|
"groupOfNames" or "groupOfUniqueNames" and sets the correct
|
|
attribute.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_groupOfNamesUser.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="organizationalRoleUser">
|
|
<title>Organizational roles (LAM Pro)</title>
|
|
|
|
<para>LAM can manage role memberships in <link
|
|
linkend="organizationalRole">organizationalRole</link> objects. To
|
|
activate this feature please add the user module "Roles
|
|
(organizationalRoleUser)" to your LAM server profile.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRoleUser1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now, there will be a new tab "Roles" when you edit your user
|
|
accounts. Here you can select the role memberships.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRoleUser2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Shadow</title>
|
|
|
|
<para>LAM supports the management of the LDAP replacement for
/etc/shadow. Here you can set up password policies for your Unix
accounts and also view the last password change of a user.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_shadow.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title id="passwordSelfResetUser">Password self reset (LAM
|
|
Pro)</title>
|
|
|
|
<para>LAM Pro allows your users to reset their passwords by answering
|
|
a security question. The reset link is displayed on the <link
|
|
linkend="PasswordSelfReset">self service page</link>. Additionally,
|
|
you can set question + answer in the admin interface.</para>
|
|
|
|
<para>Please note that self service and the LAM admin interface are
separate functions. You need to specify the list of possible
security questions in both the self service profile(s) and the server
profile(s).</para>
|
|
|
|
<para><emphasis role="bold">Schema installation</emphasis></para>
|
|
|
|
<para>Please install the LDAP schema as described <link
|
|
linkend="a_passwordSelfResetSchema">here</link>.</para>
|
|
|
|
<para><emphasis role="bold">Activate password self reset
|
|
module</emphasis></para>
|
|
|
|
<para>Please activate the password self reset module in your LAM Pro
|
|
server profile.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset7.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now select the tab "Module settings" and specify the list of
|
|
possible security questions. Only these questions will be selectable
|
|
when you later edit accounts.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset8.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Edit users</emphasis></para>
|
|
|
|
<para>After everything is set up, please log in to LAM Pro and edit your
users. You will see a new tab called "Password self reset". Here you
can activate/remove the password self reset function for each user.
You can also change the security question and answer.</para>
|
|
|
|
<para>If you set a backup email address then confirmation emails will
|
|
also be sent to this address. This is useful if the user password
|
|
grants access to the user's primary mailbox. So passwords can be
|
|
unlocked with an external email address.</para>
|
|
|
|
<para><emphasis role="bold">Hint:</emphasis> You can add the
|
|
passwordSelfReset object class to all your users with the <link
|
|
linkend="toolMultiEdit">multi edit</link> tool.</para>
|
|
|
|
<para><emphasis role="bold">Samba 4 note:</emphasis> Due to a <ulink
|
|
url="https://bugzilla.samba.org/show_bug.cgi?id=10094">bug</ulink> in
|
|
Samba 4 you need to add the extension, save, and then select a
|
|
question and set the answer. If you add the extension, set
|
|
question/answer and then save all together this will cause an LDAP
|
|
error and no changes will be saved.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset9.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Hosts</title>
|
|
|
|
<para>You can specify a list of valid host names where the user may
|
|
login. If you add the value "*" then the user may login to any host.
|
|
This can be further restricted by adding explicit deny entries which
|
|
are prefixed with "!" (e.g. "!hr_server").</para>
|
|
|
|
<para>Please note that your PAM settings need to support host
|
|
restrictions. This feature is enabled by setting <emphasis
|
|
role="bold">pam_check_host_attr yes</emphasis> in your <emphasis
|
|
role="bold">/etc/pam_ldap.conf</emphasis>. When it is enabled then the
|
|
account facility of pam_ldap will perform the checks and return an
|
|
error when no proper host attribute is present. Please note that users
|
|
without host attribute cannot login to such a configured
|
|
server.</para>
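<para>Added example, not LAM's or pam_ldap's code: the host attribute rules stated above ("*" allows any host, "!name" denies that host, no host attribute at all means no login) written as a check an admin can run over exported entries before relying on pam_check_host_attr. The sample entries are constructed; host name comparison is exact, which is an assumption of this example.</para>
<programlisting><![CDATA[
```python
"""Evaluate LDAP "host" attribute values against a login host.
Illustrative code, not the logic of LAM or pam_ldap."""


def host_allowed(host_values, hostname):
    """True if a user carrying host_values may log in on hostname.

    Rules taken from the text: an explicit "!hostname" entry denies that
    host and wins over everything else, "*" allows every host, a plain
    value allows exactly that host, and an entry without any host value
    is rejected on a server that enforces the attribute.
    """
    values = [v.strip() for v in host_values if v.strip()]
    if not values:
        return False
    if "!" + hostname in values:
        return False
    return "*" in values or hostname in values


def report(entries, hostname):
    """Map each uid to its decision on hostname. entries is a dict
    uid -> list of host values, e.g. from an LDIF export."""
    return {uid: host_allowed(hosts, hostname)
            for uid, hosts in entries.items()}


# Constructed sample entries, not from a real directory.
SAMPLE_ENTRIES = {
    "smiller": ["*", "!hr_server"],
    "jdoe": ["hr_server", "web1"],
    "guest": [],
}

if __name__ == "__main__":
    for host in ("web1", "hr_server"):
        print(host, report(SAMPLE_ENTRIES, host))
```
]]></programlisting>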
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/hostObject.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Samba 3</title>
|
|
|
|
<para>LAM supports full Samba 3 user management including logon hours
|
|
and terminal server options.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_samba3User1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_samba3User2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_samba3User3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Windows (Samba 4)</title>
|
|
|
|
<para>Please activate the account type "Users" in your LAM server
|
|
profile and then add the user module "Windows
|
|
(windowsUser)(*)".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsUser4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The default list attributes are for Unix and not suitable for
|
|
Windows (blank lines in account table). Please use
|
|
"#cn;#givenName;#sn;#mail" or select your own attributes to display in
|
|
the account list.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsUser1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>On tab "Module settings" you can specify the possible Windows
|
|
domain names and if pre-Windows 2000 user names should be
|
|
managed.</para>
|
|
|
|
<para>NIS support is deactivated by default. Enable it if
|
|
needed.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsUser5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now you can manage your Windows users and e.g. assign groups.
|
|
You might want to set the default domain name in the <link
|
|
linkend="a_accountProfile">profile editor</link>.</para>
|
|
|
|
<para><emphasis role="bold">Attention:</emphasis> Password changes
|
|
require a secure connection via ldaps://. Check your LAM server
|
|
profile if password changes are refused by the server.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsUser2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsUser3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Filesystem quota (lamdaemon)</title>
|
|
|
|
<para>You can manage file system quotas with LAM. This requires you to
set up <link linkend="a_lamdaemon">lamdaemon</link>. LAM connects to
your server via SSH and manages the disk filesystem quotas. The quotas
are stored directly on the filesystem. This is the default mechanism
to store quotas for most systems.</para>
|
|
|
|
<para>Please add the module "Quota (quota)" for users to your LAM
|
|
server profile to enable this feature.</para>
|
|
|
|
<para>If you store the quota information directly inside LDAP please
|
|
see the next section.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_quotaUser.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Filesystem quota (LDAP)</title>
|
|
|
|
<para>You can store your filesystem quotas directly in LDAP. See
|
|
<ulink url="http://sourceforge.net/projects/linuxquota/">Linux
|
|
DiskQuota</ulink> for details since it requires quota tools that
|
|
support LDAP. You will need to install the quota LDAP schema to manage
|
|
the object class "systemQuotas".</para>
|
|
|
|
<para>Please add the module "Quota (systemQuotas)" for users to your
|
|
LAM server profile to enable this feature.</para>
|
|
|
|
<para>If you store the quota information on the filesystem please see
|
|
the previous section.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_systemQuotas.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Kolab</title>
|
|
|
|
<para>This module allows you to manage Kolab accounts with LAM. E.g. you
can set the user's mail quota and define invitation policies.</para>
|
|
|
|
<para>Please add the Kolab user module in your LAM server profile to
|
|
activate Kolab support.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Attention: LAM will add the object class "mailrecipient" by
|
|
default. This object class is available on 389 directory server but
|
|
may not be present on e.g. OpenLDAP. Please deactivate the following
|
|
setting (LAM server profile, module settings) if you do not use this
|
|
object class.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Please enter an email address at the Personal page and set a
Unix password first. Both are required for Kolab to accept the
accounts. The email address ("Personal" page) must match your Kolab
domain, otherwise the account will not work.</para>
|
|
|
|
<para><emphasis role="bold">Attention:</emphasis> The mailbox server
|
|
cannot be changed after the account has been saved. Please make sure
|
|
that the value is correct.</para>
|
|
|
|
<para>Kolab users should not be directly deleted with LAM. You can
|
|
mark an account for deletion which then is done by the Kolab server
|
|
itself. This makes sure that the mailbox etc. is also deleted.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>If you upgrade existing non-Kolab accounts please make sure that
the account has a Unix password.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Asterisk</title>
|
|
|
|
<para>LAM supports Asterisk accounts, too. See the <link
|
|
linkend="type_asterisk">Asterisk</link> section for details.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>EDU person</title>
|
|
|
|
<para>EDU person accounts are mainly used in university networks. You
|
|
can specify the principal name, nick names and much more.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_eduPerson.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>PyKota</title>
|
|
|
|
<para>There are two LAM user modules, depending on whether your user
entries should be built on the object class "pykotaObject" or a
different structural object class (e.g. "inetOrgPerson"). For
"pykotaObject" please select "PyKota (pykotaUserStructural(*))" and
"PyKota (pykotaUser)" in all other cases.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaUser1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>To display the job history please set up the job DN on tab
"Module settings":</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaUser2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now you can add the PyKota extension to your user accounts. Here
you can set up the printing options and add payments for this
user.</para>
|
|
|
|
<para>For LAM Pro there are also self service fields to allow users
|
|
e.g. to view their current balance and job history.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaUser3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You may also view the payment and job history.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaUser4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaUser5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Password policy (LAM Pro)</title>
|
|
|
|
<para>OpenLDAP supports the <ulink
|
|
url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay
|
|
to manage password policies for LDAP entries. LAM Pro supports <link
|
|
linkend="a_ppolicy">managing the policies</link> and assigning them to
|
|
user accounts.</para>
|
|
|
|
<para>Please add the account type "Password policies" to your LAM
|
|
server profile and activate the "Password policy" module for the user
|
|
type.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ppolicyUser.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can assign any password policy which is found in the LDAP
|
|
suffix of the "Password policies" type. When you set the policy to
|
|
"default" then OpenLDAP will use the default policy as defined in your
|
|
slapd.conf file.</para>
|
|
|
|
<para><emphasis role="bold">Attention:</emphasis> Locking and
|
|
unlocking requires that you also activate the option "Lockout users"
|
|
in the assigned <link linkend="a_ppolicy">password policy</link>.
|
|
Otherwise, it will have no effect.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>FreeRadius</title>
|
|
|
|
<para>FreeRadius is software that implements the RADIUS
authentication protocol. LAM allows you to manage several of the
FreeRadius attributes.</para>
|
|
|
|
<para>To activate the FreeRadius plugin please activate the FreeRadius
|
|
user module in your server profile:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_freeRadius1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can disable unneeded fields on the tab "Module
|
|
settings":</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_freeRadius2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now you will see the tab "FreeRadius" when editing users. The
extension can be (de)activated for each user. You can set up e.g.
realm, IP and expiration date.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_freeRadius3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Heimdal Kerberos (LAM Pro)</title>
|
|
|
|
<para>You can manage your Heimdal Kerberos accounts with LAM Pro.
|
|
Please add the user module "Kerberos (heimdalKerberos)" to activate
|
|
this feature.</para>
|
|
|
|
<para><emphasis role="bold">Setup password changing</emphasis></para>
|
|
|
|
<para>LAM Pro cannot generate the password hashes itself because
Heimdal uses a proprietary format for them. Therefore, LAM Pro needs to
call e.g. kadmin to set the password.</para>
|
|
|
|
<para>The wildcards @@password@@ and @@principal@@ are replaced with
|
|
password and principal name. Please use keytab authentication for this
|
|
command since it must run without any interaction.</para>
|
|
|
|
<para>Example to create a keytab: ktutil -k /root/lam.keytab add -p
|
|
lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1</para>
|
|
|
|
<para>Security hint: Please secure your LAM Pro server since the new
|
|
passwords will be visible for a short term in the process list during
|
|
password change.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kerberos2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">User management</emphasis></para>
|
|
|
|
<para>You can specify the principal/user name, ticket lifetimes and
|
|
expiration dates. Additionally, you can set various account
|
|
options.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kerberos1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>MIT Kerberos (LAM Pro)</title>
|
|
|
|
<para>You can manage your MIT Kerberos accounts with LAM Pro. Please
|
|
add the user module "Kerberos (mitKerberos)" to activate this feature.
|
|
If you want to manage entries based on the structural object class
|
|
"krbPrincipal" please use "Kerberos (mitKerberosStructural)"
|
|
instead.</para>
|
|
|
|
<para><emphasis role="bold">Setup password changing</emphasis></para>
|
|
|
|
<para>LAM Pro cannot generate the password hashes itself because MIT
uses a proprietary format for them. Therefore, LAM Pro needs to call
kadmin/kadmin.local to set the password.</para>
|
|
|
|
<para>LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to
|
|
set the password. Please use keytab authentication for this command
|
|
since it must run without any interaction.</para>
|
|
|
|
<para>Keytabs may be created with the "ktutil" application.</para>
|
|
|
|
<para>Security hint: Please secure your LAM Pro server since the new
|
|
passwords will be visible for a short term in the process list during
|
|
password change.</para>
|
|
|
|
<para>Example commands:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>/usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p
|
|
realm/changepwd</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>sudo /usr/sbin/kadmin.local</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_mitKerberos1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">User management</emphasis></para>
|
|
|
|
<para>You can specify the principal/user name, ticket lifetimes and
|
|
expiration dates. Additionally, you can set various account
|
|
options.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_mitKerberos2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="mailAliasesUser">
|
|
<title>Mail aliases</title>
|
|
|
|
<para>This module allows you to add/remove the user in mail alias
entries.</para>
|
|
|
|
<para><emphasis role="bold">Note:</emphasis> You need to activate the
|
|
<link linkend="mailAliases">mail alias type</link> for this
|
|
module.</para>
|
|
|
|
<para>To activate mail aliases for users please select the module
|
|
"Mail aliases (nisMailAliasUser)":</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisMailAliasUser1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>On tab Module settings you can select if you want to set the
|
|
user name or email as recipient in alias entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisMailAliasUser4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now you will see the mail aliases tab when editing a
user.</para>
|
|
|
|
<para>The red cross will only remove the user from the alias entry. If
|
|
you click the trash can button then the whole alias entry (which may
|
|
contain other users) will be deleted.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisMailAliasUser2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can add the user to existing alias entries or create
completely new ones.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisMailAliasUser3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Qmail (LAM Pro)</title>
|
|
|
|
<para>LAM Pro manages all qmail attributes for users. This includes
|
|
mail addresses, ID numbers and quota settings.</para>
|
|
|
|
<para>Please note that the main mail address is managed on tab
|
|
"Personal" if this module is active. Otherwise, it will be on the
|
|
qmail tab.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_qmail2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can hide several qmail options if you do not want to manage
|
|
them with LAM. This can be done on the module settings tab of your LAM
|
|
server profile.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_qmail1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Mail routing</title>
|
|
|
|
<para>LAM supports managing mail routing for user accounts. You can
specify a routing address, the mail server and a number of local
addresses to route. This feature can be activated by adding the "Mail
routing" module to the user account type in your server
profile.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mailRouting.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>SSH keys</title>
|
|
|
|
<para>You can manage your public keys for SSH in LAM if you installed
|
|
the <ulink url="http://code.google.com/p/openssh-lpk/">LPK patch for
|
|
SSH</ulink>. Activate the "SSH public key" module for users in the
|
|
server profile and you can add keys to your user entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ldapPublicKey.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Authorized services</title>
|
|
|
|
<para>You can setup PAM to check if a user is allowed to run a
|
|
specific service (e.g. sshd) by reading the LDAP attribute
|
|
"authorizedService". This way you can manage all allowed services via
|
|
LAM.</para>
|
|
|
|
|
|
|
|
<para>To activate this PAM feature please set up your <emphasis
role="bold">/etc/libnss-ldap.conf</emphasis> and set
"pam_check_service_attr" to "yes".</para>
|
|
|
|
|
|
|
|
<para>Inside LAM you can now set the allowed services. You may also
set up default services in your account profiles.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_authorizedServices.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can define a list of services in your LAM server profile
|
|
that is used for autocompletion.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_authorizedServices3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The autocompletion will show all values that contain the
entered text. To display the whole list you can press backspace in the
empty input field. Of course, you can also insert a service name that
is not in the list.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_authorizedServices2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>IMAP mailboxes</title>
|
|
|
|
<para>LAM may create and delete mailboxes on an IMAP server for your
|
|
user accounts. You will need an IMAP server that supports either SSL
|
|
or TLS for this feature.</para>
|
|
|
|
<para>To activate the mailbox management module please add the
|
|
"Mailbox (imapAccess)" module for the type user in your LAM server
|
|
profile:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/imapAccess1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now configure the module on the tab "Module settings". Here you
|
|
can specify the IMAP server name, encryption options, the
|
|
authentication for the IMAP connection and the valid mail domains. LAM
|
|
can use either your LAM login password for the IMAP connection or
|
|
display a dialog where you need to enter the password. It is also
|
|
possible to store the admin password in your server profile. This is
|
|
not recommended for security reasons.</para>
|
|
|
|
<para>The user name can either be a fixed name (e.g. "admin") or it
can be generated with LDAP attributes of the LAM admin user. E.g. $uid$
will be transformed to "myUser" if you login with
"uid=myUser,ou=people,dc=example,dc=com".</para>
|
|
|
|
      <para>The mail domains specify for which accounts mailboxes may be
      created or deleted. E.g. if you enter "lam-demo.org" then mailboxes
      can be managed for "user@lam-demo.org" but not for
      "user@example.com". Use "*" to allow any domain.</para>
|
|
|
|
      <para>LAM validates the IMAP server certificate, so the certificate of
      the CA that signed your server certificate must be installed on the
      web server. This is usually done by installing the certificate in
      /etc/ssl/certs. Different Linux distributions offer different ways to
      do this. On Debian, copy the certificate to
      "/usr/local/share/ca-certificates" and run "update-ca-certificates" as
      root.</para>

      <para>Disabling the validation of IMAP server certificates is not
      recommended: without validation, anyone who can intercept the
      connection between the web server and the IMAP server can present
      their own certificate and capture the IMAP admin password.</para>
|
|
|
|
      <para>The prefix, user name attribute and path separator specify how
      your mailboxes are named (e.g. "user.myUser@localhost" or
      "user/myUser"). Select the values according to your IMAP server
      settings.</para>
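      <para>The following is an added example, not code from LAM or from
      its author: it shows the checks the settings above imply, written as
      stand-alone Python. The "$uid$" placeholder, the "*" domain wildcard
      and the naming example are taken from the text; the function names,
      the sample DN and the exact substitution and naming rules are
      assumptions made for illustration.</para>

```python
"""Helper logic mirroring the IMAP mailbox module settings.

Added example, not LAM's own code. Assumptions: placeholders are expanded
from the RDN values of the LAM admin DN only, the mailbox name is
prefix + separator + user, and certificate validation is never turned off.
"""
import re
import ssl
from typing import Iterable, Optional


def expand_admin_name(template: str, admin_dn: str) -> str:
    """Replace $attr$ placeholders with RDN values of the LAM admin DN.

    Manual's example: "$uid$" -> "myUser" for
    uid=myUser,ou=people,dc=example,dc=com. A fixed name ("admin") has no
    placeholder and is returned unchanged.
    """
    rdn_values = {}
    for rdn in re.split(r"(?<!\\),", admin_dn):      # split on unescaped commas
        attr, _, value = rdn.partition("=")
        rdn_values.setdefault(attr.strip().lower(), value.strip())

    def substitute(match):
        attr = match.group(1).lower()
        if attr not in rdn_values:
            raise ValueError(f"attribute {attr!r} not present in {admin_dn!r}")
        return rdn_values[attr]

    return re.sub(r"\$([A-Za-z0-9-]+)\$", substitute, template)


def domain_allowed(mail: str, allowed_domains: Iterable[str]) -> bool:
    """True if a mailbox may be created/deleted for this address."""
    allowed = {d.lower() for d in allowed_domains}
    if "*" in allowed:
        return True
    _, at, domain = mail.rpartition("@")
    if not at or not domain:
        return False                      # no domain part: refuse rather than guess
    return domain.lower() in allowed


def mailbox_name(prefix: str, user: str, separator: str) -> str:
    """Build the IMAP mailbox name, e.g. "user.myUser" or "user/myUser"."""
    if separator and separator in user:
        raise ValueError("user part must not contain the path separator")
    return f"{prefix}{separator}{user}" if prefix else user


def imap_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that validates the IMAP server certificate.

    ca_file=None uses the system CA store (e.g. /etc/ssl/certs); hostname
    checking and CERT_REQUIRED stay on, which is what "do not disable
    validation" means in practice. Pass this context to imaplib.IMAP4_SSL.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

      <para>The context returned by imap_tls_context is what a client hands
      to imaplib.IMAP4_SSL(host, ssl_context=ctx); a connection to a server
      whose certificate is not signed by an installed CA then fails instead
      of silently sending the admin password.</para>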
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/imapAccess2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
      <para>When you edit a user account you will now see the tab
      "Mailbox". Here you can create or delete the mailbox for this
      user.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/imapAccess3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="s_account">
|
|
<title>Account</title>
|
|
|
|
      <para>This is a very simple module to manage accounts based on the
      object class "account". Usually, it is used for host accounts only.
      Note that users based on the "account" object class cannot have
      contact information (e.g. a telephone number) as users based on
      "inetOrgPerson" can.</para>

      <para>You can enter a user/host name and a description for your
      accounts.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_account.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Groups</title>
|
|
|
|
<para></para>
|
|
|
|
<section>
|
|
<title>Unix</title>
|
|
|
|
      <para>This module is used to manage Unix group entries. It is the
      default module for Unix groups and uses the nis.schema. Suse users
      who use the <link
      linkend="rfc2307bisPosixGroup">rfc2307bis.schema</link> need to use
      LAM Pro.</para>

      <para><emphasis role="bold">Configuration</emphasis></para>

      <para>Please add the account type "Groups" and then select the
      account module "Unix (posixGroup)".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_unixGroupConfig1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
      <para>GID generator: LAM will suggest GID numbers for your accounts.
      Note that LAM only reads the directory to find a free number and does
      not lock anything, so two LAM admins who create groups at the same
      time can be assigned the same GID. If you have many LAM admins
      creating groups, enforce uniqueness on the server side with an <ulink
      url="http://www.openldap.org/doc/admin24/overlays.html">overlay</ulink>
      like "Attribute Uniqueness" (<link
      linkend="a_openldap_unique">example</link>).</para>

      <itemizedlist>
        <listitem>
          <para>Fixed range: LAM searches for free numbers within the given
          limits. LAM always tries to use a free GID that is greater than
          the existing GIDs to avoid reusing the number of a deleted group
          (files still owned by the old GID would otherwise belong to the
          new group).</para>
        </listitem>

        <listitem>
          <para>Samba ID pool: This uses a special LDAP entry with
          attributes that store a counter for the last used UID/GID. This
          requires that you install the Samba schema and create an LDAP
          entry of object class "sambaUnixIdPool".</para>
        </listitem>

        <listitem>
          <para>Disable membership management: Disables group membership
          management. This is useful if memberships are managed elsewhere,
          e.g. via group of names.</para>
        </listitem>
      </itemizedlist>
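      <para>As an added example (not LAM's code), the following Python
      shows the two allocation strategies above side by side and makes the
      race condition visible. The preference for a GID above the largest
      existing one is from the text; the function names, the range values
      and the dictionary standing in for the sambaUnixIdPool entry are
      assumptions.</para>

```python
"""Free-GID search in the spirit of LAM's "fixed range" generator and the
Samba ID pool counter, with the concurrency caveat demonstrated.

Added example, not LAM's code. Assumption: "existing" is the list of
gidNumber values read from the directory at the moment of the search.
"""
from typing import Dict, Iterable, Optional


def next_free_gid(existing: Iterable[int], lo: int, hi: int) -> Optional[int]:
    """Suggest a GID inside [lo, hi].

    Prefer max(existing)+1 so that numbers of deleted groups are not
    reused immediately; only when the top of the range is exhausted fall
    back to the lowest gap. None means the range is full.
    """
    used = {g for g in existing if lo <= g <= hi}
    if not used:
        return lo
    candidate = max(used) + 1
    if candidate <= hi:
        return candidate
    for gid in range(lo, hi + 1):          # range full at the top: reuse a gap
        if gid not in used:
            return gid
    return None


def samba_pool_next_gid(pool_entry: Dict[str, int]) -> int:
    """Take the next GID from a sambaUnixIdPool-style counter.

    On a real directory the increment must be a single LDAP modify that
    deletes the old value and adds the new one in one operation, so the
    server rejects the second admin whose delete no longer matches. A plain
    read-then-write, like this dict update, is exactly the race above.
    """
    gid = pool_entry["gidNumber"]
    pool_entry["gidNumber"] = gid + 1
    return gid


def concurrent_suggestions_collide(existing: Iterable[int], lo: int, hi: int) -> bool:
    """Two admins who search before either has written get the same GID."""
    snapshot = list(existing)              # both read the same directory state
    suggestion_a = next_free_gid(snapshot, lo, hi)
    suggestion_b = next_free_gid(snapshot, lo, hi)
    return suggestion_a == suggestion_b    # True: only a server-side check prevents this
```

      <para>The last function is the reason for the overlay advice: the
      suggestion logic cannot detect the collision itself, because each
      admin's view of the directory is correct at the time of the
      search.</para>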
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_unixGroupConfig.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Group management:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_unixGroup.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Group membership management:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_unixGroup2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="rfc2307bisPosixGroup">
|
|
<title>Unix groups with rfc2307bis schema (LAM Pro)</title>
|
|
|
|
      <para>Some applications (e.g. Suse Linux) use the rfc2307bis schema
      for Unix accounts instead of the nis schema. In this case group
      entries are based on the object class <link
      linkend="a_groupOfNames">groupOf(Unique)Names</link> or namedObject,
      and posixGroup is an auxiliary object class.</para>

      <para>LAM Pro supports these groups with a special account module:
      <emphasis role="bold">rfc2307bisPosixGroup</emphasis></para>

      <para>Use this module only if your system depends on the rfc2307bis
      schema. The module can be selected in the LAM configuration. Instead
      of groupOfNames you may also use namedObject as the structural object
      class of your groups.</para>
|
|
|
|
<para><screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/rfc2307bis.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot><screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_unixGroupLAMPro.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot></para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Samba 3</title>
|
|
|
|
<para>LAM supports managing Samba 3 groups. You can set special group
|
|
types and also create Windows predefined groups like "Domain
|
|
admins".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_sambaGroup.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Windows (Samba 4)</title>
|
|
|
|
<para>LAM can manage your Windows groups. Please enable the account
|
|
type "Groups" in your LAM server profile and then add the group module
|
|
"Windows (windowsGroup)(*)".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsGroup3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
      <para>The default list attributes are for Unix and not suitable for
      Windows (they produce blank lines in the account table). Use
      "#cn;#member;#description" or select your own attributes to display
      in the account list.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsGroup1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>NIS support is deactivated by default. Enable it if needed on
|
|
tab "Module settings".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsGroup4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
      <para>Now you can edit your groups inside LAM. You can manage the
      group name, description, scope and type. Of course, you can also set
      the group members.</para>

      <para>Group scopes:</para>

      <itemizedlist>
        <listitem>
          <para>Global: Use this for groups with frequent membership
          changes. The membership of global groups is not replicated to
          other domains.</para>
        </listitem>

        <listitem>
          <para>Universal: Groups with universal scope are used to
          consolidate groups that span domains. Their membership is
          replicated forest-wide (to the global catalog).</para>
        </listitem>

        <listitem>
          <para>Domain local: Groups with domain local scope are used to
          set permissions inside one domain. They are not replicated to
          other domains.</para>
        </listitem>
      </itemizedlist>

      <para>Group type:</para>

      <itemizedlist>
        <listitem>
          <para>Security: Use this group type to control permissions. Only
          security groups can be used in access control lists.</para>
        </listitem>

        <listitem>
          <para>Distribution: These groups are only used for email
          applications. They cannot be used to control permissions.</para>
        </listitem>
      </itemizedlist>
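      <para>Scope and type are stored together in the single Active
      Directory attribute groupType as a bit mask. The following added
      example (not LAM's code) encodes and decodes that attribute so that a
      group list exported from Samba 4 or AD can be audited for groups that
      were meant to protect something but were created as distribution
      groups. The flag constants are Microsoft's documented groupType bits;
      the helper names and the sample entries are assumptions.</para>

```python
"""Encode/decode the AD groupType attribute behind the scope and type
choices on the Windows group tab.

Added example, not LAM's code. The constants are the documented groupType
flag values; AD stores the result as a signed 32-bit integer.
"""
from typing import Dict, List, Tuple

GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000        # bit clear => distribution group

SCOPE_FLAGS = {
    "global": GROUP_TYPE_GLOBAL,
    "domainLocal": GROUP_TYPE_DOMAIN_LOCAL,
    "universal": GROUP_TYPE_UNIVERSAL,
}


def encode_group_type(scope: str, security: bool) -> int:
    """Return groupType as the signed value AD stores.

    A global security group is -2147483646 (0x80000002 as signed int32).
    """
    if scope not in SCOPE_FLAGS:
        raise ValueError(f"unknown scope {scope!r}")
    value = SCOPE_FLAGS[scope] | (GROUP_TYPE_SECURITY if security else 0)
    return value - (1 << 32) if value & GROUP_TYPE_SECURITY else value


def decode_group_type(value: int) -> Tuple[str, str]:
    """Map a groupType value (signed or unsigned form) to (scope, kind)."""
    unsigned = value & 0xFFFFFFFF
    scopes = [name for name, flag in SCOPE_FLAGS.items() if unsigned & flag]
    if len(scopes) != 1:                    # exactly one scope bit is valid
        raise ValueError(f"groupType {value}: expected one scope flag, got {scopes}")
    kind = "security" if unsigned & GROUP_TYPE_SECURITY else "distribution"
    return scopes[0], kind


def security_groups(entries: List[Dict[str, str]]) -> List[str]:
    """Names of the groups that can actually grant permissions.

    Access checks ignore distribution groups, so a group that is supposed
    to protect a resource but does not show up here is misconfigured.
    """
    return [e["cn"] for e in entries
            if decode_group_type(int(e["groupType"]))[1] == "security"]
```

      <para>When you read groupType from an LDAP search result it arrives
      as a decimal string, possibly negative; decode_group_type accepts
      both that and the unsigned hexadecimal form used in Microsoft's
      documentation.</para>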
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsGroup2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Kolab</title>
|
|
|
|
<para>Please activate the Kolab group module in your LAM server
|
|
profile to activate Kolab support.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can specify the email address and also set allowed sender
|
|
and recipient addresses.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Quota</title>
|
|
|
|
<para>You can manage file system quotas with LAM. This requires to
|
|
setup <link linkend="a_lamdaemon">lamdaemon</link>. File system quotas
|
|
are not stored inside LAM but managed directly on the specified
|
|
servers.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_quotaGroup.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>PyKota</title>
|
|
|
|
<para>There are two LAM group modules depending if your group entries
|
|
should be built on object class "pykotaObject" or a different
|
|
structural object class (e.g. "posixGroup"). For "pykotaObject" please
|
|
select "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)"
|
|
in all other cases.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaGroup1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now you can add the PyKota extension to your groups.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaGroup2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Hosts</title>
|
|
|
|
<section>
|
|
<title>Account</title>
|
|
|
|
<para>Please see the description <link
|
|
linkend="s_account">here</link>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Device (LAM Pro)</title>
|
|
|
|
<para>The device object class allows to manage general information
|
|
about all sorts of devices (e.g. computers, network hardware, ...).
|
|
You can enter the serial number, location and a describing text. It is
|
|
also possible to specify the owner of the device.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/device.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Samba 3</title>
|
|
|
|
<para>You can manage Samba 3 host entries by adding the Unix and Samba
|
|
3 account modules.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_sambaHost1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_sambaHost2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Windows (Samba 4)</title>
|
|
|
|
<para>LAM can manage your Windows servers and workstations. Please
|
|
enable the account type "Hosts" in your LAM server profile and then
|
|
add the host module "Windows (windowsHost)(*)".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsServer3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
      <para>The default list attributes are for Unix and not suitable for
      Windows (they produce blank lines in the account table). Use
      "#cn;#description;#location" or select your own attributes to display
      in the account list.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsServer2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
      <para>Now you will see your computer accounts inside LAM. You can set
      e.g. the server's description and location information.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_windowsServer1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>IP addresses (LAM Pro)</title>
|
|
|
|
<para>You can manage the IP addresses of host accounts with the ipHost
|
|
module. It manages the following information:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>IP addresses (IPv4/IPv6)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>location of the host</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>manager: the person who is responsible for the host</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You can activate this extension by adding the module ipHost to
|
|
the list of active host modules.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ipHost.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>MAC addresses</title>
|
|
|
|
<para>Hosts can have an unlimited number of MAC addresses. To enable
|
|
this feature just add the "MAC address" module to the host account
|
|
type.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/macAddress.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Puppet</title>
|
|
|
|
<para>LAM supports to manage your <ulink
|
|
url="http://puppetlabs.com/">Puppet</ulink> configuration. You can
|
|
edit all attributes like environment, classes, variables and parent
|
|
node.</para>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>To activate this feature please edit your LAM server profile and
|
|
add the host module "Puppet (puppetClient)" on tab "Modules". This
|
|
will add the Puppet tab to your host pages.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_puppet2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>On tab "Module settings" in your LAM server profile you may also
|
|
setup some common environment names. LAM will use them to provide
|
|
autocompletion hints when editing the environment for a node.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_puppet3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Editing nodes</emphasis></para>
|
|
|
|
<para>When you edit a host entry then you will see the tab "Puppet".
|
|
Here you can add/remove the Puppet extension and edit all
|
|
attributes.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_puppet1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Samba 3 domains</title>
|
|
|
|
<para>Samba 3 stores information about its domain settings inside LDAP.
|
|
This includes the domain name, its SID and some policies. You can manage
|
|
all these attributes with LAM.</para>
|
|
|
|
    <para>Please activate the account type "Samba domains" in your LAM
    server profile. Note that Samba by default uses the LDAP root for
    domain objects (e.g. dc=example,dc=com).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/sambaDomains1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>This will add a new tab to LAM where you can manage domain
|
|
information.</para>
|
|
|
|
    <para>The domain name, SID and RID base can only be specified for new
    domains and cannot be changed via LAM later. You may set up several
    password policies for your Samba domains and also some RID options
    that influence how SIDs are generated for users/groups/hosts.</para>
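    <para>The following added example (not LAM's or Samba's code) shows
    the arithmetic behind the RID options: Samba 3 derives user and group
    RIDs from uidNumber/gidNumber with a multiplier of 2 and the
    algorithmic RID base (default 1000), appends the RID to the fixed domain
    SID, and reserves RIDs below 1000 for predefined accounts such as
    "Domain Admins" (512). The function names and the sample SIDs are
    assumptions.</para>

```python
"""Samba 3 SID arithmetic behind the domain tab's RID base and RID options.

Added example, not LAM's or Samba's code. RID_MULTIPLIER and the default
algorithmic RID base are Samba's documented defaults.
"""
import re
from typing import Tuple

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
RID_MULTIPLIER = 2
DEFAULT_RID_BASE = 1000
WELL_KNOWN_GROUP_RIDS = {"Domain Admins": 512, "Domain Users": 513,
                         "Domain Guests": 514, "Domain Computers": 515}


def user_rid(uid_number: int, rid_base: int = DEFAULT_RID_BASE) -> int:
    """Samba's algorithmic mapping: users get even RIDs above the base."""
    return uid_number * RID_MULTIPLIER + rid_base


def group_rid(gid_number: int, rid_base: int = DEFAULT_RID_BASE) -> int:
    """Groups get the odd RIDs above the base."""
    return gid_number * RID_MULTIPLIER + rid_base + 1


def build_sid(domain_sid: str, rid: int) -> str:
    """Append a RID to the domain SID; the domain SID itself never changes."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    if not 0 <= rid <= 0xFFFFFFFF:
        raise ValueError("RID out of range")
    return f"{domain_sid}-{rid}"


def split_sid(sid: str) -> Tuple[str, int]:
    """Separate an account SID into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    if not DOMAIN_SID_RE.match(domain_sid) or not rid.isdigit():
        raise ValueError(f"not an account SID: {sid!r}")
    return domain_sid, int(rid)


def is_well_known_rid(sid: str) -> bool:
    """RIDs below 1000 are reserved for predefined accounts and groups.

    When auditing sambaSID values, an ordinary user or group entry carrying
    such a RID (e.g. a freshly created group with RID 512) effectively
    claims Domain Admins membership and should be investigated.
    """
    return split_sid(sid)[1] < 1000
```

    <para>Because the domain SID is fixed once the domain entry exists,
    changing the RID base on a live domain would change every derived
    SID; that is why LAM only lets you set both for new domains.</para>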
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/sambaDomains2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="a_groupOfNames">
|
|
<title>Group of (unique) names (LAM Pro)</title>
|
|
|
|
<para>These classes can be used to represent group relations. Since they
|
|
allow DNs as members you can also use them to represent nested
|
|
groups.</para>
|
|
|
|
<para><emphasis role="bold">Configuration:</emphasis></para>
|
|
|
|
<para>Activate the account type "Group of names" in your LAM server
|
|
profile to use these account modules. Alternatively, you can use the
|
|
account type "Groups".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then add the module "Group of names (groupOfNames)" or "Group of
|
|
unique names (groupOfUniqueNames)".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>On the module settings tab you set some options like the display
|
|
format for members/owners and if fields like description should not be
|
|
displayed.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Group management:</emphasis></para>
|
|
|
|
<para>Group of (unique) names have four basic attributes:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Name: a unique name for the group</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Description: optional description</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Owner: the account which owns this group (optional)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Members: the members of the group (at least one is
|
|
required)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You can add any accounts as members. This includes other groups
|
|
which leads to nested groups.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/groupOfNames1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="organizationalRole">
|
|
<title>Organizational roles (LAM Pro)</title>
|
|
|
|
<para>This module manages roles via the organizationalRole object class.
|
|
There is also a <link linkend="organizationalRoleUser">user
|
|
module</link> to manage memberships on the user edit page.</para>
|
|
|
|
<para><emphasis role="bold">Configuration:</emphasis></para>
|
|
|
|
<para>Activate the account type "Groups" in your LAM server profile to
|
|
use this account module. Alternatively, you can use the account type
|
|
"Group of names".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then add the module "Role (organizationalRole)".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>On the module settings tab you set some options like the display
|
|
format for members and if description should not be displayed.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Role management:</emphasis></para>
|
|
|
|
<para>You can add any accounts as members. This includes other roles
|
|
which leads to nested roles (needs to be supported by LDAP client
|
|
applications).</para>
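    <para>Nested groups and nested roles, as described in this section and
    in the group of (unique) names section above, are only a chain of DN
    references in the directory; every LDAP client has to follow them
    itself, and nothing stops an administrator from creating a cycle. The
    following added example (not LAM's code) resolves the effective
    members of groupOfNames, groupOfUniqueNames and organizationalRole
    entries and detects such cycles. The member attribute names are those
    of the three object classes; the sample entries and function names are
    constructed for illustration.</para>

```python
"""Resolve nested group/role membership with cycle detection.

Added example, not LAM's code. SAMPLE_ENTRIES is constructed data keyed by
normalised DN; only group and role entries are present, any other DN is
treated as a leaf (user, host, ...).
"""
from typing import Dict, List, Set

MEMBER_ATTRS = {
    "groupofnames": "member",
    "groupofuniquenames": "uniquemember",
    "organizationalrole": "roleoccupant",
}


def norm_dn(dn: str) -> str:
    """DN comparison is case-insensitive and ignores spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def direct_members(dn: str, entries: Dict[str, dict]) -> List[str]:
    """Member DNs of one group/role entry (empty for leaves)."""
    entry = entries.get(norm_dn(dn))
    if entry is None:
        return []
    for oc in entry.get("objectclass", []):
        attr = MEMBER_ATTRS.get(oc.lower())
        if attr:
            return [norm_dn(m) for m in entry.get(attr, [])]
    return []


def effective_members(dn: str, entries: Dict[str, dict]) -> Set[str]:
    """All leaf DNs reachable from dn through nested groups/roles."""
    leaves: Set[str] = set()
    seen: Set[str] = set()
    stack = [norm_dn(dn)]
    while stack:
        current = stack.pop()
        if current in seen:
            continue                        # already expanded; also breaks cycles
        seen.add(current)
        if current in entries:
            stack.extend(direct_members(current, entries))
        else:
            leaves.add(current)
    return leaves


def contains_itself(dn: str, entries: Dict[str, dict]) -> bool:
    """True if dn is (transitively) a member of itself."""
    target = norm_dn(dn)
    seen: Set[str] = set()
    stack = direct_members(target, entries)
    while stack:
        current = stack.pop()
        if current == target:
            return True
        if current in seen:
            continue
        seen.add(current)
        stack.extend(direct_members(current, entries))
    return False


# Constructed sample directory: admins <-> ops form a cycle, backup is a role.
SAMPLE_ENTRIES = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "cn=ops,ou=groups,dc=example,dc=com"],
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com",
                   "cn=admins,ou=groups,dc=example,dc=com"],
    },
    "cn=backup,ou=roles,dc=example,dc=com": {
        "objectclass": ["top", "organizationalRole"],
        "roleoccupant": ["cn=ops,ou=groups,dc=example,dc=com"],
    },
}
```

    <para>Note what the cycle means for authorization: once "admins"
    contains "ops" and "ops" contains "admins", every member of either
    group is effectively a member of both, which is rarely what the
    administrator who added the second membership intended.</para>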
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_organizationalRole5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="type_asterisk">
|
|
<title>Asterisk</title>
|
|
|
|
    <para>LAM includes extensive support for Asterisk. You can add the
    Asterisk extension (including voicemail) to your user accounts and
    also manage Asterisk extension entries.</para>
|
|
|
|
<para>The Asterisk support for users can be added by selecting the
|
|
Asterisk and Asterisk voicemail modules for users in your LAM server
|
|
profile. This will add the following tabs to your user accounts.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/asterisk.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
    <para>The Asterisk module allows you to edit a large number of
    attributes. Therefore, you can hide unused fields. Please edit your
    server profile (Module settings) to do so.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/asteriskConfig.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Of course, the voicemail part of Asterisk is also
|
|
supported.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/asteriskVoicemail.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>If you also want to manage Asterisk extensions then simply add the
|
|
account type "Asterisk extensions" and its module to your server
|
|
profile.</para>
|
|
|
|
<para>LAM groups your Asterisk extension entries by extension name and
|
|
account context. If you edit an extension then you will see the Asterisk
|
|
entries as rules. LAM manages that all rule entries have the same owners
|
|
and assigns the priorities.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/asteriskExtension.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="s_zarafa">
|
|
<title>Zarafa (LAM Pro)</title>
|
|
|
|
<para>Zarafa is an OpenSource collaboration software. LAM Pro provides
|
|
support to manage Zarafa server entries, users and groups. It covers all
|
|
settings for these types including resource and quota settings.</para>
|
|
|
|
<para>LAM Pro is an official Zarafa Certified Integration.</para>
|
|
|
|
<para><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa_logo_integrations_certified_140px.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></para>
|
|
|
|
<section>
|
|
<title>Configuration</title>
|
|
|
|
<para>To enable Zarafa support in LAM Pro please activate the Zarafa
|
|
modules for the Users, Groups and Hosts account types in you server
|
|
profile:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
      <para><emphasis role="bold">Attention:</emphasis> LAM Pro uses the
      Zarafa OpenLDAP schema by default. This schema fits OpenLDAP,
      OpenDJ, Apache Directory Server and other common LDAP servers. If you
      run Samba 4 or Active Directory then you need to switch the schema to
      "Active Directory" on the module settings tab:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa9.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can configure which parts of the Zarafa user options should
|
|
be enabled. E.g. if you do not want to manage quotas per user then you
|
|
can hide these options on the tab "Module settings".</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">"Send as" attribute:</emphasis> Here you
|
|
can specify how "Send as" privileges should be managed. LAM supports
|
|
"uid" and "dn".</para>
|
|
|
|
      <para>If you select "uid" then LAM stores user names in the
      zarafaSendAsPrivilege attribute. In this mode only user accounts can
      be granted "Send as".</para>

      <para>If you set this option to "dn" then LAM stores DNs in the
      zarafaSendAsPrivilege attribute. In this case you may grant "Send
      as" to both users and groups.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>Examples for your Zarafa ldap.cfg:</para>
|
|
|
|
<para>"Send as" attribute: <emphasis role="bold">dn</emphasis></para>
|
|
|
|
<para>ldap_user_sendas_attribute_type = dn</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>"Send as" attribute: <emphasis role="bold">uid</emphasis></para>
|
|
|
|
<para>ldap_user_sendas_attribute_type = text</para>
|
|
|
|
<para>ldap_user_sendas_relation_attribute = uid</para>
|
|
|
|
<para><literallayout>
|
|
Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting.
|
|
|
|
|
|
</literallayout></para>
|
|
|
|
<para><emphasis role="bold">Features:</emphasis> Zarafa 7 allows to
|
|
enable IMAP/POP3 for each user. Please hide the option "Features" if
|
|
you use Zarafa 6.x.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<section>
|
|
<title>Users</title>
|
|
|
|
<para>This is an example of the user edit page with all possible
|
|
settings. This includes email settings, quotas and some options
|
|
(e.g. hide from address book). You can also set the resource type
|
|
and capacity for meeting rooms and equipment. The Zarafa extension
|
|
can be added and removed at any time for every user.</para>
|
|
|
|
<para>Please note that the option "Features" requires Zarafa 7.
|
|
Please hide this option in the LAM server profile if you run Zarafa
|
|
6.x.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Contacts</title>
|
|
|
|
<para>LAM Pro can manage your Zarafa contact entries. You can set
|
|
the email aliases and "send as" privileges. Additionally, accounts
|
|
may be hidden in the address book or disabled.</para>
|
|
|
|
<para>Please note that you can either use the Zarafa user module or
|
|
Zarafa contact. LAM Pro will disable the other tab when enabling one
|
|
of them.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa8.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Groups</title>
|
|
|
|
<para>This is the edit page for groups. You can enter an email
|
|
address and additional aliases for your groups. It is also possible
|
|
to specify options (e.g. hide from address book). The extension can
|
|
be added/removed dynamically.</para>
|
|
|
|
<para>Please note that the option "Send-as privileges" requires the
|
|
Zarafa 7.0.3 schema. Please hide this option in the LAM server
|
|
profile if you run Zarafa < 7.0.3.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Servers</title>
|
|
|
|
<para>The Zarafa extension for host accounts allows to set the
|
|
connection ports and file path. You can add/remove the extension at
|
|
any time.</para>
|
|
|
|
<para>Setting the public store option is only possible for new host
|
|
entries.</para>
|
|
|
|
<para>Please note that the proxy URL option requires the Zarafa 7.1
|
|
schema. Please hide this option in your LAM server profile if you
|
|
use an older version.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Address lists</title>
|
|
|
|
<para>Zarafa allows to store address lists in LDAP. You need to
|
|
define a search base and LDAP filter for each address list. E.g.
|
|
entering "ou=people,dc=company,dc=com" as base and "uid=*" will
|
|
select all users that are stored in
|
|
"ou=people,dc=company,dc=com".</para>
|
|
|
|
<para>You can also hide your lists from the address book or
|
|
temporarily disable them.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Dynamic groups</title>
|
|
|
|
<para>Zarafa allows to define dynamic groups in LDAP. You need to
|
|
define a search base and LDAP filter for each group. E.g. entering
|
|
"ou=people,dc=company,dc=com" as base and "uid=*" will select all
|
|
users that are stored in "ou=people,dc=company,dc=com".</para>
|
|
|
|
<para>Dynamic groups may have an email address and multiple email
|
|
alias addresses.</para>
|
|
|
|
<para>You can also hide your dynamic groups from the address book or
|
|
temporarily disable them.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/zarafa7.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Kolab shared folders</title>
|
|
|
|
<para>Please add the account type "Kolab shared folders" in your LAM
|
|
server profile and set the correct LDAP suffix.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab7.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then add the "Kolab shared folder" module on tab "Modules".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab8.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now you can start to add shared folders inside LAM.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_kolab9.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>DHCP</title>
|
|
|
|
    <para>You can manage your DHCP server with LAM. It supports managing
    subnets, fixed IP entries, IP ranges and DDNS. DHCP support is
    activated by adding the account type DHCP to your server profile.
    Please also add the DHCP modules.</para>
|
|
|
|
    <para>LAM requires that the LDAP suffix for this account type is an
    entry with the object class "dhcpService" or "dhcpServer". If the
    "dhcpServer" entry points to a "dhcpService" entry via "dhcpServiceDN"
    then use the DN of the "dhcpService" entry as LDAP suffix for
    DHCP.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
    <para><emphasis role="bold">Example server entry:</emphasis></para>

    <programlisting>dn: cn=server,ou=dhcp,dc=ldap-account-manager,dc=org
objectclass: dhcpServer
objectclass: dhcpOptions
objectclass: top
cn: server
dhcpcomments: My DHCP server
dhcpoption: domain-name "ldap-account-manager.org"
dhcpoption: domain-name-servers 192.168.1.1
dhcpoption: routers 192.168.1.1
dhcpoption: netbios-name-servers 192.168.1.1
dhcpoption: subnet-mask 255.255.255.0
dhcpoption: netbios-node-type 8
dhcpstatements: default-lease-time 3600
dhcpstatements: max-lease-time 7200
dhcpstatements: include "mykey"
dhcpstatements: ddns-update-style interim
dhcpstatements: update-static-leases true
dhcpstatements: ignore client-updates</programlisting>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Example settings for
|
|
dhcpd.conf:</emphasis></para>
|
|
|
|
<para><code>ddns-update-style none;</code></para>
|
|
|
|
<para><code>deny unknown-clients;</code></para>
|
|
|
|
<para><code>ldap-server "server";</code></para>
|
|
|
|
<para><code>ldap-dhcp-server-cn "server";</code></para>
|
|
|
|
<para><code>ldap-port 389;</code></para>
|
|
|
|
<para><code>ldap-username
|
|
"uid=dhcp,ou=people,dc=ldap-account-manager,dc=org";</code></para>
|
|
|
|
<para><code>ldap-password "{SSHA}XXXXXXXXXXXX";</code></para>
|
|
|
|
<para><code>ldap-base-dn
|
|
"ou=dhcp,dc=ldap-account-manager,dc=org";</code></para>
|
|
|
|
<para><code>ldap-method dynamic;</code></para>
|
|
|
|
<para><code>ldap-debug-file
|
|
"/var/log/dhcp-ldap-startup.log";</code></para>
|
|
|
|
<para><code></code></para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">slapd.conf changes:</emphasis></para>
|
|
|
|
<para><code>include /etc/ldap/schema/dhcp.schema</code></para>
|
|
|
|
<para><code>index dhcpHWAddress eq</code></para>
|
|
|
|
<para><code>index dhcpClassData eq</code><literallayout>
|
|
Run slapindex to rebuild the index.
|
|
|
|
</literallayout></para>
|
|
|
|
<para>You can manage the settings of your DHCP service/server
|
|
entry:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/dhcpMainSettings.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can easily create new subnet entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/dhcpSettings.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>It is also possible to specify a list of fixed IPs.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/fixedIP.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>IP ranges may be specified.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ranges.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
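<para>The subnet, IP range and fixed IP entries described above, built as LDIF
and checked for consistency before they are written to the directory: an added
Python example, not LAM code. It assumes the attribute and object class names
of the ISC dhcp.schema (dhcpSubnet with dhcpNetMask as prefix length,
dhcpRange, dhcpHost with dhcpHWAddress and dhcpStatements) and the
"ou=dhcp,dc=ldap-account-manager,dc=org" suffix from the dhcpd.conf example;
the subtree layout below that suffix is hypothetical, so compare it with your
own schema copy and with what LAM creates in the tree view.</para>

<programlisting>
```python
"""Build dhcpSubnet / dhcpHost LDIF under LAM's DHCP suffix and check that
ranges and fixed addresses are consistent before they reach the directory.
Added example, not LAM code. Attribute and object class names follow the
ISC dhcp.schema (dhcpSubnet, dhcpNetMask, dhcpRange, dhcpHost,
dhcpHWAddress, dhcpStatements); verify them against your schema copy."""
import ipaddress
import re

# Suffix from the manual's dhcpd.conf example; the subtree below is hypothetical.
DHCP_SUFFIX = "ou=dhcp,dc=ldap-account-manager,dc=org"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Return the MAC as aa:bb:cc:dd:ee:ff, the form dhcpd expects after 'ethernet'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    out = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    assert MAC_RE.match(out)
    return out


def _in_range(ip, lo, hi):
    """True if ip lies between lo and hi (inclusive); lo must not be after hi."""
    return any(ip in net for net in ipaddress.summarize_address_range(lo, hi))


class Subnet:
    """One dhcpSubnet entry: network, dynamic dhcpRange values and fixed-IP hosts."""

    def __init__(self, network):
        self.net = ipaddress.ip_network(network, strict=True)
        self.ranges = []   # (first, last) pairs of ip_address objects
        self.hosts = []    # (cn, mac, ip_address) triples

    def add_range(self, first, last):
        """Dynamic range; must lie inside the subnet and not overlap another range."""
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo not in self.net or hi not in self.net:
            raise ValueError("range %s %s is not inside %s" % (lo, hi, self.net))
        # summarize_address_range raises ValueError if last comes before first
        list(ipaddress.summarize_address_range(lo, hi))
        for a, b in self.ranges:
            if _in_range(lo, a, b) or _in_range(hi, a, b) or _in_range(a, lo, hi):
                raise ValueError("range %s %s overlaps range %s %s" % (lo, hi, a, b))
        self.ranges.append((lo, hi))

    def add_host(self, cn, mac, address):
        """Fixed-address reservation; must be in the subnet and outside every dynamic range."""
        ip = ipaddress.ip_address(address)
        if ip not in self.net:
            raise ValueError("%s is not inside %s" % (ip, self.net))
        if any(_in_range(ip, lo, hi) for lo, hi in self.ranges):
            raise ValueError("%s lies inside a dynamic range" % ip)
        self.hosts.append((cn, normalize_mac(mac), ip))

    def to_ldif(self):
        """LDIF for the subnet entry followed by one dhcpHost child per reservation."""
        cn = str(self.net.network_address)
        dn = "cn=%s,%s" % (cn, DHCP_SUFFIX)
        out = ["dn: " + dn, "objectClass: top", "objectClass: dhcpSubnet",
               "cn: " + cn, "dhcpNetMask: %d" % self.net.prefixlen]
        out += ["dhcpRange: %s %s" % (lo, hi) for lo, hi in self.ranges]
        for host_cn, mac, ip in self.hosts:
            out += ["", "dn: cn=%s,%s" % (host_cn, dn), "objectClass: top",
                    "objectClass: dhcpHost", "cn: " + host_cn,
                    "dhcpHWAddress: ethernet " + mac,
                    "dhcpStatements: fixed-address %s" % ip]
        return "\n".join(out) + "\n"


if __name__ == "__main__":
    lan = Subnet("192.168.1.0/24")
    lan.add_range("192.168.1.100", "192.168.1.200")
    lan.add_host("printer01", "00-11-22-33-44-55", "192.168.1.10")
    print(lan.to_ldif())
```
</programlisting>

<para>The two checks are the ones neither the directory nor dhcpd performs for
you at edit time: LDAP accepts a range outside its subnet or a fixed address
inside a dynamic range without complaint, and dhcpd does not exclude a fixed
address from a dynamic range, so such an address can be leased to a second
client. Pipe the output into ldapadd, or compare it with the entries LAM
creates.</para>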
|
|
|
|
<para>If you activated DDNS in the server entry then you may also
|
|
specify the DDNS settings for this subnet.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ddns.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Bind DLZ (LAM Pro)</title>
|
|
|
|
<para><ulink url="http://bind-dlz.sourceforge.net">Bind DLZ</ulink> is
|
|
an extension to the DNS server <ulink
|
|
url="http://www.isc.org/software/bind">Bind</ulink> that allows to store
|
|
DNS entries inside LDAP. Please install the Bind DLZ schema file on your
|
|
LDAP server. It is part of the DLZ patch.</para>
|
|
|
|
<para><emphasis role="bold">Configuration</emphasis></para>
|
|
|
|
<para>First, you need to add the Bind DNS account type and the Bind DLZ
|
|
module:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Please set the LDAP suffix either to an existing DNS zone
|
|
(dlzZone) or an organizational unit that should include your DNS
|
|
zones.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Automatic PTR management</emphasis></para>
|
|
|
|
<para>LAM can automatically create/delete PTR entries for the entered
|
|
IPv4/6 records. You can enable this feature on the module settings
|
|
tab.</para>
|
|
|
|
<para>PTR records will get the same TTL as IP records. Please note that
|
|
you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa")
|
|
under the same suffix as your other DNS entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind12.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Zone management</emphasis></para>
|
|
|
|
<para>If you do not yet have a DNS zone then LAM can create one for you.
|
|
In list view switch the suffix to an organizational unit DN. Now you
|
|
will see a button "New zone".</para>
|
|
|
|
<para>This will create the zone container entry and a default DNS entry
|
|
"@" for authoritative information. Now switch the suffix to your new
|
|
zone and start adding DNS entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">DNS entries</emphasis></para>
|
|
|
|
<para>LAM supports the following DNS record types:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>SOA: authoritative information</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>NS: name servers</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>A/AAAA: IP addresses</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>PTR: reverse DNS entries</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>CNAME: alias names</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>MX: mail servers</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>TXT: text records</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>SRV: service entries</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Authoritative (SOA) and name server (NS)
|
|
records</emphasis></para>
|
|
|
|
<para>Here you can manage general information about the zone like
timeouts and name servers. Please note that name servers must be entered
as fully qualified names with a trailing dot (e.g.
"ns1.example.com.").</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">IP addresses (A/AAAA)</emphasis></para>
|
|
|
|
<para>LAM will automatically set the correct type (A/AAAA) depending if
|
|
you enter an IPv4 or IPv6 address.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Reverse DNS entries</emphasis></para>
|
|
|
|
<para>Reverse DNS entries are important when you need to find the DNS
|
|
name that is associated with a given IP address. Reverse DNS entries are
|
|
stored in a separate DNS zone.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind7.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Alias names (CNAME)</emphasis></para>
|
|
|
|
<para>Sometimes a DNS entry should simply point to a different DNS entry
|
|
(e.g. for migrations). This can be done by adding an alias name.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind8.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Mail servers (MX)</emphasis></para>
|
|
|
|
<para>The mail server entries define where mails to a domain should be
|
|
delivered. The server with the lowest preference has the highest
|
|
priority.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind9.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Text records (TXT)</emphasis></para>
|
|
|
|
<para>Text records can be added to store a description or other data
|
|
(e.g. SPF information).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind10.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Services (SRV)</emphasis></para>
|
|
|
|
<para>Service records can be used to specify which servers provide
|
|
common services such as LDAP. Please note that the host name must be
|
|
_SERVICE._PROTOCOL (e.g. _ldap._tcp).</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>Priority: The priority of the target host, lower value means more
|
|
preferred.</para>
|
|
|
|
<para>Weight: A relative weight for records with the same priority. E.g.
|
|
weights 20 and 80 for a service will result in 20% queries to the one
|
|
server and 80% to the other.</para>
|
|
|
|
<para>Port: The port number that is used for your service.</para>
|
|
|
|
<para>Server: DNS name where the service can be reached (fully qualified,
with a trailing dot).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_bind11.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">File upload</emphasis></para>
|
|
|
|
<para>You can upload complete DNS zones via LAM's file upload. Here is
|
|
an example for a zone file and the corresponding CSV file.</para>
|
|
|
|
<table>
|
|
<title>Zone file</title>
|
|
|
|
<tgroup cols="4">
|
|
<tbody>
|
|
<row>
|
|
<entry>@</entry>
|
|
|
|
<entry>IN</entry>
|
|
|
|
<entry>SOA</entry>
|
|
|
|
<entry>ns1.example.com admin.ns1.example.com (1 360000 3600
|
|
3600000 370000)</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry></entry>
|
|
|
|
<entry>IN</entry>
|
|
|
|
<entry>NS</entry>
|
|
|
|
<entry>ns1.example.com.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry></entry>
|
|
|
|
<entry>IN</entry>
|
|
|
|
<entry>NS</entry>
|
|
|
|
<entry>ns2.example.com.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry></entry>
|
|
|
|
<entry>IN</entry>
|
|
|
|
<entry>MX</entry>
|
|
|
|
<entry>10 mail1.example.com</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry></entry>
|
|
|
|
<entry>IN</entry>
|
|
|
|
<entry>MX</entry>
|
|
|
|
<entry>20 mail2.example.com</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>foo</entry>
|
|
|
|
<entry>IN</entry>
|
|
|
|
<entry>A</entry>
|
|
|
|
<entry>123.123.123.100</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>foo2</entry>
|
|
|
|
<entry>IN</entry>
|
|
|
|
<entry>CNAME</entry>
|
|
|
|
<entry>foo.example.com</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>bar</entry>
|
|
|
|
<entry>IN</entry>
|
|
|
|
<entry>A</entry>
|
|
|
|
<entry>123.123.123.101</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry></entry>
|
|
|
|
<entry>IN</entry>
|
|
|
|
<entry>AAAA</entry>
|
|
|
|
<entry>1:2:3:4:5::</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>Please check that you have an existing zone entry that can be used
|
|
for the file upload. See above to create a new zone.</para>
|
|
|
|
<para>Hint: If you use the function above to create a new zone then
|
|
please skip the "@" entry in the CSV file below. LAM creates this entry
|
|
with sample data.</para>
|
|
|
|
<para>In this example we assume that the following zone entry
exists:</para>
|
|
|
|
<literallayout>dn: dlzZoneName=example.com,ou=bind,dc=example,dc=com
|
|
dlzzonename: example.com
|
|
objectclass: dlzZone
|
|
objectclass: top
|
|
|
|
</literallayout>
|
|
|
|
<para>Here is the corresponding CSV file: <ulink
|
|
url="resources/bindUpload.csv">bindUpload.csv</ulink></para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Aliases (LAM Pro)</title>
|
|
|
|
<para>Some applications use the object class "alias" to link LDAP
|
|
entries to other parts of the LDAP tree. Activate the account type
|
|
"Aliases" in your LAM server profile to use this account type.</para>
|
|
|
|
<para>Currently, only user accounts can be aliased with the "uidObject"
|
|
object class.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/alias.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/alias2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="mailAliases">
|
|
<title>Mail aliases</title>
|
|
|
|
<para>You can manage mail aliases (e.g. for NIS) inside LAM. This can be
|
|
used to replace local /etc/aliases files with LDAP.</para>
|
|
|
|
<para>Note: Use the <link linkend="mailAliasesUser">mail alias user
|
|
module</link> to manage mail aliases on user pages.</para>
|
|
|
|
<para>All accounts of this type are based on the "nisMailAlias" object
|
|
class and may have "cn" and "rfc822MailMember" attributes. To activate
|
|
this type please add "Mail aliases" in your LAM server profile:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisMailAlias1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You need to select the Mail aliases module on the next tab.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisMailAlias3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The mail aliases will then appear as separate tab inside LAM. You
|
|
may then manage the aliases with their names and recipient
|
|
addresses.</para>
|
|
|
|
<para>There are mail/user icons that allow you to select a mail address or
user name from the existing users.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisMailAlias2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>NIS net groups</title>
|
|
|
|
<para>LAM supports defining NIS netgroups. You can use them e.g. to
restrict SSH access to your machines.</para>

<para>Add the NIS net group account type and its module to your server
profile. Then you can manage net groups in LAM. Net groups may contain
other net groups as child groups. You can either enter the host/user
names manually or use the search buttons next to the input fields to
find existing entries in your directory.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisNetgroup.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>NIS objects (LAM Pro)</title>
|
|
|
|
<para>You can manage NIS objects with LAM Pro. This allows you to define
network mount points in LDAP.</para>
|
|
|
|
<para>Add the NIS objects type to your LAM configuration and then the
|
|
NIS objects module. This will add the NIS objects tab to LAM.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/nisObject.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Automount objects (LAM Pro)</title>
|
|
|
|
<para>LAM Pro allows you to manage automount entries. Please activate
|
|
the account type "Automount objects" in your LAM Pro server
|
|
profile.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/automount1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then add the correct automount module. Usually, this is "Automount
|
|
entry (automount)". If you use Suse Linux with RFC2307bis schema please
|
|
select "Automount entry (rfc2307bisAutomount)".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/automount3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>This will add a new tab to LAM Pro's main screen which includes a
|
|
list of all automount entries. Here you can easily create new
|
|
entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/automount2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Please see the following external HowTos for more information on
|
|
automounting and LDAP:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><ulink
|
|
url="https://help.ubuntu.com/community/AutofsLDAP">AutofsLDAP</ulink></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><ulink type=""
|
|
url="http://www.pro-linux.de/artikel/2/760/automount-ueber-ldap.html">Automount
|
|
über LDAP (German)</ulink></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Oracle databases (LAM Pro)</title>
|
|
|
|
<para>Oracle allows the connection data that is normally kept in
tnsnames.ora to be stored in an LDAP directory instead.</para>
|
|
|
|
<para><emphasis role="bold">Initial setup</emphasis></para>
|
|
|
|
<para>LDAP server setup:</para>
|
|
|
|
<para>You will need to install the correct Oracle LDAP schema files on
your LDAP server. If you do not run Oracle's own LDAP server then you can
get them (oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema)
e.g. from <ulink
url="http://www.idevelopment.info/data/Oracle/DBA_tips/LDAP/LDAP_8.shtml">here</ulink>.</para>
|
|
|
|
<para>Next you need to create the root entry for Oracle. It should look
|
|
like this:</para>
|
|
|
|
<programlisting>dn: cn=OracleContext,dc=example,dc=com
|
|
objectclass: orclContext
|
|
cn: OracleContext</programlisting>
|
|
|
|
<para>You can create it with LAM's tree view. Please note that "cn" must
|
|
be set to "OracleContext".</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>LAM setup:</para>
|
|
|
|
<para>Edit your LAM server profile and add the Oracle account
|
|
type:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_oracle1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>In case you manage a single Oracle context just enter the
|
|
cn=OracleContext entry as LDAP suffix. If you manage multiple Oracle
|
|
context entries then set the LDAP suffix to a parent entry of
|
|
them.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_oracle2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Next, add the Oracle module:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_oracle3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now you can login to LAM and start to add database
|
|
entries.<literallayout>
|
|
</literallayout></para>
|
|
|
|
<para><emphasis role="bold">Managing database entries</emphasis></para>
|
|
|
|
<para>Each database has a service name, the connection string and an
|
|
optional description.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_oracle4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Database client setup for
|
|
LDAP</emphasis></para>
|
|
|
|
<para>You need to activate the LDAP adapter so that the database tools
read their connection data from LDAP. Edit network/admin/sqlnet.ora like
this:</para>
|
|
|
|
<programlisting>NAMES.DIRECTORY_PATH= (TNSNAMES, LDAP)</programlisting>
|
|
|
|
<para>Then add a file called ldap.ora next to your sqlnet.ora and set
|
|
the LDAP server and DN suffix where cn=OracleContext is stored:</para>
|
|
|
|
<programlisting>DIRECTORY_SERVERS= (ldap.example.com:389:636)
|
|
DEFAULT_ADMIN_CONTEXT = "ou=ctx1,ou=oracle,o=test,c=de"
|
|
DIRECTORY_SERVER_TYPE = OID</programlisting>
|
|
|
|
<para>This will allow e.g. tnsping to get the connection data from
|
|
LDAP:</para>
|
|
|
|
<programlisting>[oracle@oracle bin]$ tnsping mydb
|
|
|
|
TNS Ping Utility for Linux: Version 12.1.0.1.0 - Production on 09-FEB-2014 18:06:54
|
|
|
|
Copyright (c) 1997, 2013, Oracle. All rights reserved.
|
|
|
|
Used parameter files:
|
|
/home/oracle/app/oracle/product/12.1.0/dbhome_1/network/admin/sqlnet.ora
|
|
|
|
Used <emphasis role="bold">LDAP</emphasis> adapter to resolve the alias
|
|
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mydb.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))
|
|
OK (10 msec)</programlisting>
|
|
</section>
|
|
|
|
<section id="a_ppolicy">
|
|
<title>Password policies (LAM Pro)</title>
|
|
|
|
<para>OpenLDAP supports the <ulink
|
|
url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay
|
|
to manage password policies for LDAP entries. This allows you to set
|
|
password policies which are independent from your applications. The
|
|
policies are managed internally by the LDAP server.</para>
|
|
|
|
<para>You can manage these policies with LAM Pro with the account type
|
|
"Password policies".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ppolicy.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You will need to add the ppolicy schema to your OpenLDAP
|
|
configuration and activate the <ulink
|
|
url="http://linux.die.net/man/5/slapo-ppolicy">ppolicy</ulink> overlay
|
|
module in slapd.conf to use this feature.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>PyKota printers</title>
|
|
|
|
<para>Please add the account type "Printers (PyKota printers)" on tab
|
|
"Account types" in your server profile and setup the LDAP suffix where
|
|
printers are stored.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaPrinter1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaPrinter2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then add the PyKota printer module on tab "Account
|
|
modules".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaPrinter3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Next you can start managing printers inside LAM. Here you can
set up the costs for a print job. LAM will also show whether the printer
is a member of any printer groups.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaPrinter4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can also setup printer groups. Just add some members to your
|
|
new group.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaPrinter5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>PyKota billing codes</title>
|
|
|
|
<para>Please add the account type "Billing codes" on tab "Account types"
|
|
in your server profile and setup the LDAP suffix where billing codes are
|
|
stored.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaCode1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaCode2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Then add the PyKota billing code module on tab "Account
|
|
modules".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaCode3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now login to LAM and you will see the billing code tab where you
|
|
can manage your entries. If jobs were printed with a billing code then
|
|
you will also see the balance and page count.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_pykotaCode4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Custom fields (LAM Pro)</title>
|
|
|
|
<para>This module allows you to manage LDAP attributes that are not
covered by the other LAM modules (e.g. if you use custom LDAP schemas).
You can fully define what your input fields look like:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Label</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>LDAP attribute name</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Unique name for field</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Help text</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Read-only display</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Field type: text, password, text area, checkbox, radio
|
|
buttons, select list, file upload</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Validation via regular expression</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Error message if validation fails</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Limitations:</para>
|
|
|
|
<para>Custom fields cannot manage</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>structural object classes</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>attributes that require validation rules across multiple
|
|
attributes or cannot be described by a simple regular
|
|
expression</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">Activating the custom fields
|
|
module:</emphasis></para>
|
|
|
|
<para>You may specify custom fields for all of your account types.
|
|
Please enter tab "Modules" in your server profile. Now activate the
|
|
"Custom fields (customFields)" module for all needed account
|
|
types.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields14.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Setting label and icon:</emphasis></para>
|
|
|
|
<para>You may set the label that is displayed e.g. on the tab when
|
|
editing an account. It is also possible to specify an icon (must be a
|
|
valid URL like "/images/icon.png" or "http://server/images/icon.png").
|
|
The icon size should be 32x32 pixels.</para>
|
|
|
|
<para>LAM will display a default icon and "Custom fields" as label if
|
|
you do not enter any values.</para>
|
|
|
|
<para>You may also specify how LAM displays custom fields when there are
multiple field groups. The default is the accordion view, where you
switch between field groups by clicking on their titles. You may also
deactivate this mode; then all field groups are displayed one below the
other.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields25.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Defining groups:</emphasis></para>
|
|
|
|
<para>All input fields are divided into groups. A group may contain one
or more object classes and allows you to add/remove a certain set of
input fields.</para>
|
|
|
|
<para>E.g. you may define two groups - "My application A" and "My
|
|
application B" - that manage different LDAP attributes and object
|
|
classes. This way you will be able to control both attribute sets
|
|
independently.</para>
|
|
|
|
<para>To create a group please edit your server profile and switch to
|
|
tab "Module settings". You will see the section "Custom fields" which
|
|
allows you to add new groups. Now select your account type (e.g. Users)
|
|
and specify an alias for your group. This alias will be printed as group
|
|
header when you later edit an account in the admin interface.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields15.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>After you created your new group you can setup the managed object
|
|
classes. If you specify any object classes then you will later be able
|
|
to add/remove a complete set of attributes including their object
|
|
classes.</para>
|
|
|
|
<para>Skipping the object classes field is only useful if you want to
|
|
manage some attributes that are not yet supported by LAM but there is
|
|
already a LAM module that manages the object class.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields16.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>This is how the group may look when you edit a user.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields19.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields20.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Adding fields:</emphasis></para>
|
|
|
|
<para>Now you can add a new field that manages an LDAP attribute. Simply
|
|
fill the fields and press on "Add".</para>
|
|
|
|
<para>Please note that the field name cannot be changed later. It is the
|
|
unique ID for this field.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields17.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Examples for fields and their representation:</para>
|
|
|
|
<para><emphasis role="bold">Text field:</emphasis></para>
|
|
|
|
<para>Text fields allow to specify a <link
|
|
linkend="customFields_validation_expressions_admin">validation
|
|
expression</link> and error message.</para>
|
|
|
|
<para>You can also enable auto-completion. In this case LAM will search
|
|
all accounts for the given attribute and provide auto-completion hints
|
|
when the user edits this field. This should only be used if there is a
|
|
limited number of different values for this attribute.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Password field:</emphasis></para>
|
|
|
|
<para>You can also manage custom password fields. LAM Pro will display
two fields and require the same password in both. The password can be
stored hashed if needed.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Text area:</emphasis></para>
|
|
|
|
<para>This adds a multi-line field. The options are similar to text
|
|
fields. Additionally, you can set the size with the number of columns
|
|
and rows.</para>
|
|
|
|
<para>Please note that the <link
|
|
linkend="customFields_validation_expressions_admin">validation
|
|
expression</link> should be set to multi-line. This is done by adding
|
|
"m" at the end.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields7.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Checkbox:</emphasis></para>
|
|
|
|
<para>Sometimes you may want to allow only yes/no values for your LDAP
|
|
attributes. This can be represented by a checkbox. You can specify the
|
|
values for checked and unchecked. The default value is set if the LDAP
|
|
attribute has no value.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields8.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields9.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Radio buttons:</emphasis></para>
|
|
|
|
<para>This displays a list of radio buttons where the user can select
|
|
one value.</para>
|
|
|
|
<para>You can specify a mapping of LDAP attribute values and their
|
|
display (label) on the Self Service page. To add more mapping fields
|
|
please press "Add more mapping fields".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields10.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields11.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Select list:</emphasis></para>
|
|
|
|
<para>Select lists allow the user to select a value in a large list of
|
|
options. The definition of the possible values and their display is
|
|
similar to radio buttons.</para>
|
|
|
|
<para>You can also allow multiple values.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields12.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields13.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields18.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para id="customFields_validation_expressions_admin"><emphasis
|
|
role="bold">Validation expressions:</emphasis></para>
|
|
|
|
<para>The validation expressions follow the standard of <ulink
|
|
url="http://perldoc.perl.org/perlre.html">Perl regular
|
|
expressions</ulink>. They start and end with a "/". The beginning of a
|
|
line is specified by "^" and the end by "$".</para>
|
|
|
|
<para>Examples:</para>
|
|
|
|
<para>/^[a-z0-9]+$/ allows lowercase letters and digits. The value must
not be empty ("+").</para>

<para>/^[a-z0-9]+$/i allows lowercase and uppercase letters ("i" at the
end means ignore case) and digits. The value must not be empty
("+").</para>
|
|
|
|
<para>Special characters that must be escaped with "\": "\", ".", "(",
|
|
")"</para>
|
|
|
|
<para>E.g. /^[a-z0-9\.]$/i</para>
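<para>As an added illustration (not part of the LAM manual or of LAM's own
code), the following Python script parses expressions in the
"/pattern/flags" form described above and tests values against them with
Python's re module, which treats these examples the same way as Perl. It
also shows two points the examples alone do not: the "m" flag needed for
text areas, and the fact that "$" also matches before a trailing newline,
so a value ending in a line break still passes an expression that ends in
"$".</para>

```python
import re

# Flags the manual documents for its Perl-style validation expressions:
# "i" = ignore case, "m" = multi-line (recommended for text areas).
FLAG_MAP = {"i": re.IGNORECASE, "m": re.MULTILINE}


def parse_validation_expression(expr):
    """Split a LAM validation expression of the form /pattern/flags
    and compile it. Raises ValueError on a malformed expression."""
    if not expr.startswith("/"):
        raise ValueError("expression must start with '/'")
    end = expr.rfind("/")
    if end == 0:
        raise ValueError("expression must end with '/' plus optional flags")
    pattern, flags = expr[1:end], expr[end + 1:]
    re_flags = 0
    for flag in flags:
        if flag not in FLAG_MAP:
            raise ValueError("unsupported flag %r" % flag)
        re_flags |= FLAG_MAP[flag]
    return re.compile(pattern, re_flags)


def validate(expr, value):
    """Return True if the value passes the validation expression.
    search() is used because the anchors "^" and "$" live in the
    expression itself, exactly as the manual describes."""
    return parse_validation_expression(expr).search(value) is not None


def demo():
    """Run the manual's examples plus the edge cases mentioned above."""
    cases = [
        ("/^[a-z0-9]+$/", "steve42"),      # lowercase + digits: passes
        ("/^[a-z0-9]+$/", "Steve"),        # uppercase without "i": fails
        ("/^[a-z0-9]+$/i", "Steve"),       # "i" flag: passes
        ("/^[a-z0-9\\.]$/i", "a.b"),       # no "+": exactly one char only
        ("/^[a-z]+$/", "abc\ndef"),        # two lines without "m": fails
        ("/^[a-z]+$/m", "abc\ndef"),       # "m" flag: each line checked
        ("/^[a-z0-9]+$/", "steve\n"),      # "$" matches before final "\n"
    ]
    return {(e, v): validate(e, v) for e, v in cases}


if __name__ == "__main__":
    for (expr, value), ok in demo().items():
        print("%-20s %-12r %s" % (expr, value, "pass" if ok else "reject"))
```

<para>The last case is the one to remember when an expression guards a
value that must be exactly one token: "$" alone does not reject a trailing
line break, so reject line breaks explicitly or use a character class that
cannot contain them.</para>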
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">File upload:</emphasis></para>
|
|
|
|
<para>This is used for binary data. You can restrict uploaded data to a
|
|
given file extension and set the maximum file size.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields21.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<para>The uploaded data may also be downloaded via LAM.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields22.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Custom scripts (LAM Pro)</title>
|
|
|
|
<para>LAM Pro allows you to execute scripts whenever an account is
created, modified or deleted. This can be useful to automate processes
which otherwise need manual work afterwards (e.g. sending your user a
welcome mail or registering a mailbox). Additionally, you can specify
manual scripts that can be executed from within LAM Pro.</para>
|
|
|
|
<para>To activate this feature please add the "Custom scripts" module to
|
|
all needed account types on the configuration pages.</para>
|
|
|
|
<para>You can specify multiple scripts for each action type (e.g.
modify) and account type (e.g. user). The scripts need to be located on
the filesystem of your webserver and will be executed in its user
environment. E.g. if your webserver runs as user www-data with the group
www-data then the custom scripts will run as this user with its
rights. The output of the scripts will be shown in LAM.</para>
|
|
|
|
<para>You can specify the scripts on the LAM configuration pages.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customScripts.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Syntax:</emphasis></para>
|
|
|
|
<para>Please enter one script per line. Each line has the following
|
|
format: <account type> <action> <script></para>
|
|
|
|
<para>E.g.: user preModify /usr/bin/myCustomScript -u $uid$</para>
|
|
|
|
<para><emphasis role="bold">Account types:</emphasis></para>
|
|
|
|
<para>You can set up scripts for all available account types (e.g. user,
group, host, ...). Please see the help on the configuration page about
your currently active account types.</para>
|
|
|
|
<para><emphasis role="bold">Actions:</emphasis></para>
|
|
|
|
<table>
|
|
<title>Action types</title>
|
|
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry><emphasis role="bold">Action name</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Description</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>preCreate</entry>
|
|
|
|
<entry>executed before creating a new account (cancels operation
|
|
if a script returns an exit code > 0, not available for file
|
|
upload)</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>postCreate</entry>
|
|
|
|
<entry>executed after creating a new account (does <emphasis
|
|
role="bold">not</emphasis> run if preCreate or LDAP operations
|
|
fail)</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>preModify</entry>
|
|
|
|
<entry>executed before an account is modified (cancels operation
|
|
if a script returns an exit code > 0)</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>postModify</entry>
|
|
|
|
<entry>executed after an account was modified (does <emphasis
|
|
role="bold">not</emphasis> run if preModify or LDAP operations
|
|
fail)</entry>
|
|
</row>
|
|
|
|
<row>
<entry>preDelete</entry>

<entry>executed before an account is deleted (cancels operation
if a script returns an exit code > 0)</entry>
</row>

<row>
<entry>postDelete</entry>

<entry>executed after an account was deleted (does <emphasis
role="bold">not</emphasis> run if preDelete or LDAP operations
fail)</entry>
</row>
|
|
|
|
<row>
|
|
<entry>manual</entry>
|
|
|
|
<entry>can be run manually on account page</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para><emphasis role="bold">Script:</emphasis></para>
|
|
|
|
<para>You can execute any script which is located on the filesystem of
your webserver. The path may be absolute or relative to the
PATH variable of the environment of your webserver process. It is also
possible to add command line arguments to your scripts. Additionally, LAM
will resolve wildcards to LDAP attributes. If your script includes a
wildcard in the format $ATTRIBUTE$ then LAM will replace it with the
attribute value of the current LDAP entry. The values of multi-value
attributes are separated by commas. E.g. if you create an account with
the attribute "uid" and value "steve" then LAM will resolve "$uid$" to
"steve".</para>
|
|
|
|
<para>Please note that manual scripts can only use the current LDAP
|
|
attribute values of the account. Any modifications done that are not
|
|
saved will not be available. Manual scripts are also not available for
|
|
new accounts that are not yet saved to LDAP.</para>
|
|
|
|
<para>You can switch LAM's logging to debug mode if you are unsure which
|
|
attributes with which values are available.</para>
|
|
|
|
<para>The following special wildcards are available for automatic
scripts:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">$INFO.userPasswordClearText$:</emphasis>
|
|
cleartext password when Unix/Windows password is changed (e.g.
|
|
useful for external password synchronisation) for new/modified
|
|
accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis
|
|
role="bold">$INFO.userPasswordStatusChange$:</emphasis> provides
|
|
additional information if the Unix password locking status was
|
|
changed, possible values: locked, unlocked, unchanged</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis
|
|
role="bold">$INFO.passwordSelfResetAnswerClearText$</emphasis>:
|
|
cleartext answer to security question</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">$NEW.<attribute>$:</emphasis> the
|
|
value of a new attribute (e.g. $NEW.telephoneNumber$) for modified
|
|
accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">$DEL.<attribute>$:</emphasis> the
|
|
value of a deleted attribute (e.g. $DEL.telephoneNumber$) for
|
|
modified accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">$MOD.<attribute>$:</emphasis> the
|
|
new value of a modified attribute (e.g. $MOD.telephoneNumber$) for
|
|
modified accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">$ORIG.<attribute>$:</emphasis> the
|
|
original value of an attribute (e.g. $ORIG.telephoneNumber$) for
|
|
modified accounts</para>
|
|
</listitem>
|
|
</itemizedlist>
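<para>The following is an added example of a preModify hook written for
this mechanism; it is not part of LAM, and the path
/usr/local/bin/lam-precheck.py, the argument names and the policy values
in it are assumptions. LAM would call it from a configuration line such as
"user preModify /usr/local/bin/lam-precheck.py -u $uid$ -m $mail$". The
script treats the substituted attribute values as untrusted input, splits
multi-value attributes on the comma separator described above, prints
messages that LAM displays, and cancels the modification by exiting with a
code greater than 0.</para>

```python
#!/usr/bin/env python3
"""Example preModify hook for LAM Pro custom scripts (added example, not
LAM code). Assumed configuration line in LAM:

    user preModify /usr/local/bin/lam-precheck.py -u $uid$ -m $mail$

LAM replaces $uid$ and $mail$ with the entry's attribute values before
running the command; multi-value attributes arrive comma-separated.
An exit code greater than 0 makes LAM cancel the modify operation.
"""
import argparse
import re
import sys

# Constructed policy values for this example.
UID_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
ALLOWED_MAIL_DOMAINS = {"example.com"}


def split_multi_value(raw):
    """LAM joins multi-value attributes with commas; empty means no values."""
    return [v for v in raw.split(",") if v != ""] if raw else []


def check(argv):
    """Validate the substituted values. Returns (exit_code, messages)."""
    parser = argparse.ArgumentParser(add_help=False)
    # nargs="?" keeps the script working when an attribute has no value
    # and LAM substitutes an empty string after the option.
    parser.add_argument("-u", dest="uid", nargs="?", const="", default="")
    parser.add_argument("-m", dest="mail", nargs="?", const="", default="")
    args = parser.parse_args(argv)

    messages = []
    if not UID_RE.match(args.uid):
        messages.append("rejected: uid %r does not match policy" % args.uid)
    for addr in split_multi_value(args.mail):
        domain = addr.rpartition("@")[2].lower()
        if domain not in ALLOWED_MAIL_DOMAINS:
            messages.append("rejected: mail %r outside allowed domains" % addr)

    if messages:
        return 1, messages          # exit code > 0 cancels the operation
    return 0, ["ok: uid %s passed pre-modify checks" % args.uid]


if __name__ == "__main__":
    code, msgs = check(sys.argv[1:])
    print("\n".join(msgs))          # shown in LAM as the script output
    sys.exit(code)
```

<para>Everything the script prints is displayed in LAM, so keep the output
free of secrets. Attribute values reach the script as command line
arguments, which other local users can read in the process list; keep that
in mind before passing $INFO.userPasswordClearText$ to a script on a host
shared with other users.</para>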
|
|
|
|
<para><emphasis role="bold">Output may contain HTML:</emphasis> If your
|
|
scripts generate HTML output then activate this option.</para>
|
|
|
|
<para><emphasis role="bold">Hide command in messages:</emphasis> You may
|
|
want to prevent that your users see the executed commands. In this case
|
|
activating this option will only show the command output but not the
|
|
command itself.</para>
|
|
|
|
<para></para>
|
|
|
|
<para>You can see a preview of the commands which will be automatically
|
|
executed on the "Custom scripts" tab. Here you can also run the manual
|
|
scripts.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customScripts2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Sudo roles (LAM Pro)</title>
|
|
|
|
<para>You can manage your sudo roles in LDAP if you have installed the
|
|
sudo-ldap package or <ulink
|
|
url="http://www.sudo.ws/sudo/readme_ldap.html">compiled sudo with LDAP
|
|
support</ulink>.</para>
|
|
|
|
<para>To activate sudo management in LAM Pro edit your server profile
|
|
and add the type "Sudo roles".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/sudoRole1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/sudoRole2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now you can create sudo commands.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/sudoRole.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The sudo roles in LDAP work similarly to those in /etc/sudoers.
You can specify who may run which commands as which user. It is also
possible to specify options like NOPASSWD.</para>
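<para>As an added example (not part of the manual or of sudo), the Python
script below reads a constructed LDIF export of two sudoRole entries, of
the kind the tree view export can produce, and flags roles that grant ALL
users, hosts or commands or that disable authentication (in the sudo LDAP
schema the equivalent of NOPASSWD is the option "!authenticate"). The DNs,
host names and role names are made up.</para>

```python
# Constructed LDIF with two sudoRole entries (sudo LDAP schema attributes
# sudoUser, sudoHost, sudoRunAsUser, sudoCommand, sudoOption). The first
# is narrowly scoped, the second is as broad as a role can be.
SAMPLE_LDIF = """\
dn: cn=backup-operators,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: backup-operators
sudoUser: %backup
sudoHost: backup01.example.com
sudoRunAsUser: root
sudoCommand: /usr/bin/rsync
sudoCommand: /bin/tar

dn: cn=everyone-everything,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: everyone-everything
sudoUser: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
"""


def parse_ldif_entries(text):
    """Minimal LDIF reader for plain "attr: value" lines (no base64,
    no line folding). Returns a list of {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_sudo_roles(entries):
    """Return {cn: [findings]} for sudoRole entries that are overly broad."""
    findings = {}
    for entry in entries:
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        cn = entry.get("cn", ["?"])[0]
        issues = []
        if "ALL" in entry.get("sudoCommand", []):
            issues.append("sudoCommand ALL: any command may be run")
        if "ALL" in entry.get("sudoUser", []):
            issues.append("sudoUser ALL: role applies to every user")
        if "ALL" in entry.get("sudoHost", []):
            issues.append("sudoHost ALL: role applies on every host")
        if "!authenticate" in entry.get("sudoOption", []):
            issues.append("sudoOption !authenticate: NOPASSWD equivalent")
        if issues:
            findings[cn] = issues
    return findings


if __name__ == "__main__":
    for cn, issues in audit_sudo_roles(parse_ldif_entries(SAMPLE_LDIF)).items():
        print(cn)
        for issue in issues:
            print("  -", issue)
```

<para>Run against a real export, the same check gives a quick review of
every role stored in LDAP; a role that combines several of these findings
is effectively unrestricted root on every host that reads the directory.</para>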
|
|
</section>
|
|
|
|
<section>
|
|
<title>General information</title>
|
|
|
|
<para>This module is available for all account types. It shows some
|
|
internal information about the LDAP entries like the creation time and
|
|
who modified the entry.</para>
|
|
|
|
<para>If you use the "memberOf" overlay in OpenLDAP then this will also
|
|
show group memberships done by the overlay.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/mod_generalInformation.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Tree view (LDAP browser)</title>
|
|
|
|
<para>The tree view provides a raw view on your LDAP directory. This
feature is for people who are experienced with LDAP and need special
functionality which the LAM account modules do not provide, e.g. adding
a special object class to an account or editing attributes without
LAM's syntax checks.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/tree1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>There are also some special functions available:</para>
|
|
|
|
<para><emphasis role="bold">Export:</emphasis> This allows you to export
|
|
entries to a file (e.g. LDIF or CSV format).</para>
|
|
|
|
<para><emphasis role="bold">Show internal attributes:</emphasis> Shows
|
|
internal attributes of the current entry. This includes information
|
|
about the creator and creation time of the entry.</para>
|
|
</section>
|
|
</chapter>
|
|
|
|
<chapter>
|
|
<title>Tools</title>
|
|
|
|
<para></para>
|
|
|
|
<section id="a_accountProfile">
|
|
<title>Profile editor</title>
|
|
|
|
<para>The account profiles are templates for your accounts. Here you can
|
|
specify default values which can then be loaded when you create
|
|
accounts. You may also load a template for an existing account to reset
|
|
it to default values. When you create a new account then LAM will always
|
|
load the profile named <emphasis role="bold">"default"</emphasis>. This
|
|
account profile can include default values for all your accounts.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/profileEditor2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can enter the LDAP suffix, RDN identifier and various other
|
|
attributes depending on account type and activated modules.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/profileEditor.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Import/export:</emphasis></para>
|
|
|
|
<para>Profiles can be exported to and imported from other server
|
|
profiles.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/profileEditor3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/profileEditor4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>There is a special export target called "*Global templates". All
|
|
profiles exported here will be copied to all other server profiles
|
|
(incl. new ones). But existing profiles with the same name are not
|
|
overwritten. So a profile in global templates is treated as default
|
|
profile for all server profiles.</para>
|
|
|
|
<para>Use this if you would like to setup default profiles that are
|
|
valid for all server profiles.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/profileEditor5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>File upload</title>
|
|
|
|
<para>When you need to create lots of accounts then you can use LAM's
file upload to create them. LAM will read a CSV formatted file and
create the related LDAP entries. Please check the data in your CSV file
carefully. LAM does fewer checks for the file upload than for single
account creation.</para>
|
|
|
|
<para>At the first page please select the account type and what
|
|
extensions should be activated.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/fileUpload1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The next page shows all available options for the file upload. You
|
|
will also find a sample CSV file which can be used as template for your
|
|
CSV file. All red options are required columns in the file. You need to
|
|
specify a value for each account.</para>
|
|
|
|
<para>When you upload the CSV file then LAM first does some checks on
|
|
this file. This includes syntax checks and if all required data was
|
|
entered. No changes in the LDAP directory are done at this time.</para>
|
|
|
|
<para>If the checks were successful then LAM will ask again if you want
|
|
to create the accounts. You will also have the chance to check the
|
|
upload by viewing the changes in LDIF format.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/fileUpload2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title id="toolMultiEdit">Multi edit</title>
|
|
|
|
<para>This tool allows you to modify a large list of LDAP entries in
|
|
batch mode. You can add new attributes/object classes, remove attributes
|
|
and set attributes to a specific value.</para>
|
|
|
|
<para>At the beginning, you need to specify where the entries are stored
|
|
that should be changed. You can select an account suffix, the tree
|
|
suffix or enter your own DN by selecting "Other".</para>
|
|
|
|
<para>Next, enter an additional LDAP filter to limit the entries that
|
|
should be changed. E.g. use "(objectclass=inetOrgPerson)" to filter for
|
|
users. You may also enter e.g. "(!(objectClass=passwordSelfReset))" to
|
|
match all accounts that do not yet have the <link
|
|
linkend="passwordSelfResetUser">password self reset</link>
|
|
feature.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>Now, it is time to define the changes that should be done. The
|
|
following operations are possible:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Add: Adds an attribute value if not yet existing. Please do
|
|
not use for single-value attributes that already have a
|
|
value.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Modify: Sets an attribute to the given value. If the attribute
|
|
does not yet exist then it is added. If the attribute has multiple
|
|
values then all other values are removed.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Delete: Deletes the specified value from this attribute. If
|
|
you leave the value field blank then all attribute values are
|
|
removed.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Please note that all actions are run as separate LDAP commands.
|
|
You cannot add an object class and a required attribute at the same
|
|
time.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/multiEdit1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Dry run</emphasis></para>
|
|
|
|
<para>You should always start with a dry run. It will not do any changes
|
|
to your LDAP directory but print out all modifications that will be
|
|
done. You will also be able to download the changes in LDIF format to
|
|
use with ldapmodify. This is useful if you want to adjust some actions
|
|
manually.</para>
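<para>As an added example (not LAM's own code), the Python functions below
write the three multi edit operations as LDIF change records in the form
ldapmodify accepts, one record per entry and per action, which is why an
object class and a required attribute cannot be added in one step, and
simulate their effect on an in-memory entry. The DNs and values used in
it are constructed.</para>

```python
import base64

# Multi edit operations as the manual describes them, mapped to the
# LDIF "changetype: modify" change indicators ldapmodify understands.
OPS = {"add": "add", "modify": "replace", "delete": "delete"}


def _ldif_value(attr, value):
    """Write attr/value as an LDIF line, base64-encoding unsafe values
    (non-ASCII, line breaks, or a leading space or colon)."""
    unsafe = (not value.isascii() or "\n" in value or "\r" in value
              or value.startswith((" ", ":")))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return "%s:: %s" % (attr, encoded)
    return "%s: %s" % (attr, value)


def ldif_change(dn, op, attr, value=""):
    """One change record. An empty value on delete removes every value
    of the attribute, as in the multi edit tool."""
    lines = [_ldif_value("dn", dn), "changetype: modify",
             "%s: %s" % (OPS[op], attr)]
    if value != "":
        lines.append(_ldif_value(attr, value))
    lines.append("-")
    return "\n".join(lines) + "\n"


def build_ldif(dns, actions):
    """actions: list of (op, attr, value). Every action becomes its own
    record, mirroring the separate LDAP commands the tool issues."""
    return "\n".join(ldif_change(dn, *action) for dn in dns for action in actions)


def apply_action(entry, op, attr, value=""):
    """Simulate the effect on an entry dict of {attr: [values]}."""
    values = list(entry.get(attr, []))
    if op == "add":
        if value not in values:          # add only if not yet existing
            values.append(value)
    elif op == "modify":
        values = [value]                 # replace all existing values
    elif op == "delete":
        values = [] if value == "" else [v for v in values if v != value]
    else:
        raise ValueError("unknown operation %r" % op)
    if values:
        entry[attr] = values
    else:
        entry.pop(attr, None)
    return entry


if __name__ == "__main__":
    dns = ["uid=steve,ou=people,dc=example,dc=com",
           "uid=maria,ou=people,dc=example,dc=com"]
    actions = [("add", "objectClass", "passwordSelfReset"),
               ("modify", "mail", "helpdesk@example.com"),
               ("delete", "telephoneNumber", "")]
    print(build_ldif(dns, actions))
```

<para>Reviewing the dry run output in this form before applying it is the
same check the tool's LDIF download supports: every record is independent,
so a failing record (for example a schema violation) leaves the earlier
ones applied.</para>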
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/multiEdit2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Apply changes</emphasis></para>
|
|
|
|
<para>This will run the actions against your LDAP directory. You will
see which accounts are edited in the progress area and also if any
errors occurred.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/multiEdit3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>OU editor</title>
|
|
|
|
<para>This is a simple editor to add/delete organisational units in your
|
|
LDAP tree. This way you can structure the accounts.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/ouEditor.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>PDF editor</title>
|
|
|
|
<para>All accounts in LAM may be exported as PDF files. You can specify
|
|
the page structure and displayed information by editing the PDF
|
|
profiles.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/pdfEditor2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>When you export accounts to PDF then each account will get its own
|
|
page inside the PDF. There is a headline on each page where you can show
|
|
a page title. You may also add a logo to each page. To add more logos
|
|
please use the logo management on the PDF editor main page.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/pdfEditor.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>The main part is structured into sections of information. Each
|
|
section has a title. This can either be static text or the value of an
|
|
attribute. You may also insert a static text block as section. Sections
|
|
can be moved by using the arrows next to the section title.</para>
|
|
|
|
<para>Each section can contain multiple fields which usually represent
|
|
LDAP attributes. You can simply add new fields by selecting the field
|
|
name and its position. Then use the arrows to move the field inside the
|
|
section.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Import/export:</emphasis></para>
|
|
|
|
<para>PDF structures can be exported to and imported from other server
|
|
profiles.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/pdfEditor3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/pdfEditor4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>There is a special export target called "*Global templates". All
|
|
PDF structures exported here will be copied to all other server profiles
|
|
(incl. new ones). But existing PDF structures with the same name are not
|
|
overwritten. So a PDF structure in global templates is treated as
|
|
default structure for all server profiles.</para>
|
|
|
|
<para>Use this if you would like to setup default PDF structures that
|
|
are valid for all server profiles.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/pdfEditor5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Logo management:</emphasis></para>
|
|
|
|
<para>You can upload image files to put a custom logo on the PDF files.
|
|
The image file name must end with .png or .jpg and the size must not
|
|
exceed 2000x300px.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/pdfEditor6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Schema browser</title>
|
|
|
|
<para>Here you can browse the schema of your LDAP server. You can view
which object classes, attributes, syntaxes and matching rules are
available. This is useful if you need to check if a certain object class
is available.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schemaBrowser.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Server information</title>
|
|
|
|
<para>This shows information and statistics about your LDAP server. This
|
|
includes the suffixes, used overlays, connection data and operation
|
|
statistics. You will need "cn=monitor" setup to see all details. Some
|
|
data may not be available depending on your LDAP server software.</para>
|
|
|
|
<para>Please see the following links on how to set up "cn=monitor":</para>

<itemizedlist>
<listitem>
<para><ulink
url="http://www.openldap.org/doc/admin24/monitoringslapd.html">OpenLDAP</ulink></para>
</listitem>

<listitem>
<para><ulink
url="http://directory.fedoraproject.org/wiki/Howto:CN%3DMonitor_LDAP_Monitoring">389
server</ulink></para>
</listitem>
</itemizedlist>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/serverInfo.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Tests</title>
|
|
|
|
<para>This allows you to check if your LDAP schema is compatible with
|
|
LAM and to find possible problems.</para>
|
|
|
|
<section>
|
|
<title>Lamdaemon test</title>
|
|
|
|
<para>LAM provides an external script to manage home directories and
quotas. You can test here if everything is set up correctly.</para>
|
|
|
|
<para>If you get an error like "no tty present and no askpass program
|
|
specified" then the path to the lamdaemon.pl may be wrong. Please see
|
|
the <link linkend="a_lamdaemon">lamdaemon installation
|
|
instructions</link> for setup details.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/lamdaemonTest.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Schema test</title>
|
|
|
|
<para>This will test if your LDAP schema supports all object classes
|
|
and attributes of the active LAM modules. If you get a message that
|
|
something is missing please check that you installed all <link
|
|
linkend="a_schema">required schemas</link>.</para>
|
|
|
|
<para>If you get error messages about object class violations then
|
|
this test can tell you what is missing.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schemaTest.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
</chapter>
|
|
|
|
<chapter id="a_accessLevelPasswordReset">
|
|
<title>Access levels and password reset page (LAM Pro)</title>
|
|
|
|
<para>You can define different access levels for each profile to allow or
|
|
disallow write access. The password reset page helps your deskside support
|
|
staff to reset user passwords.</para>
|
|
|
|
<section>
|
|
<title id="s_accessLevel">Access levels</title>
|
|
|
|
<para>There are three access levels:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">Write access (default)</emphasis></para>
|
|
|
|
<para>There are no restrictions. LAM admin users can manage accounts,
create profiles and set passwords.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Change passwords</emphasis></para>
|
|
|
|
<para>Similar to "Read only" except that the <link
|
|
linkend="s_pwdReset">password reset page</link> is available.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Read only</emphasis></para>
|
|
|
|
<para>No write access to the LDAP database is allowed. It is also
|
|
impossible to manage account and PDF profiles.</para>
|
|
|
|
<para>Accounts may be viewed but no changes can be saved.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The access level can be set on the server configuration
|
|
page:</para>
|
|
|
|
<para><screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/accessLevel.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot></para>
|
|
</section>
|
|
|
|
<section id="s_pwdReset">
|
|
<title>Password reset page</title>
|
|
|
|
<para>This special page allows your deskside support staff to reset the
Unix and Samba passwords of your users. Accounts may also be (un)locked.
If you set the <link linkend="s_accessLevel">access level</link> to
"Change passwords" then LAM will not allow any changes to the LDAP
database except password changes via this page. The account pages will
still be available in read-only mode.</para>
|
|
|
|
<para>You can open the password reset page by clicking on the key symbol
|
|
on each user account:</para>
|
|
|
|
<para><screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/passwordReset1.png" />
</imageobject>
</mediaobject>
</screenshot></para>

<para>There are three different options to set a new password:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">set random password and display it on
|
|
screen</emphasis></para>
|
|
|
|
<para>This will set the user's password to a random value. The
|
|
password will be 11 characters long with a random combination of
|
|
letters, digits and ".-_".</para>
|
|
|
|
<para>You may want to use this method to tell users their new
|
|
passwords via phone.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">set random password and mail it to
|
|
user</emphasis></para>
|
|
|
|
<para>If the user account has set the mail attribute then LAM can
|
|
send your user a mail with the new password. You can change the mail
|
|
template to fit your needs. Please configure your LAM server profile
|
|
to setup the sender address, subject and mail body. Please see <link
|
|
linkend="mailEOL">email format option</link> in case of broken
|
|
mails. See <link linkend="mailSetup">here</link> for setting up your
|
|
SMTP server.</para>
|
|
|
|
<para>Using this method will prevent that your support staff knows
|
|
the new password.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">set specific password</emphasis></para>
|
|
|
|
<para>Here you can specify your own password.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordReset2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM will display contact information about the user like the
|
|
user's name, email address and telephone number. This will help your
|
|
deskside support to easily contact your users.</para>
|
|
|
|
<para><emphasis role="bold">Options:</emphasis></para>
|
|
|
|
<para>Depending on the account there may be additional options
|
|
available.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">Sync Samba NT/LM password with Unix
|
|
password:</emphasis> If a user account has Samba passwords set then
|
|
LAM will offer to synchronize the passwords.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Unlock Samba account:</emphasis> Locked
|
|
Samba accounts can be unlocked with the password change.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Update Samba password
|
|
timestamps:</emphasis> This will set the timestamps when the
|
|
password was changed (sambaPwdLastSet). Only existing attributes are
|
|
updated. No new attributes are added.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Sync Kerberos password with Unix
|
|
password:</emphasis> This will also update the Heimdal Kerberos
|
|
password.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Sync Asterisk (voicemail) password with
|
|
Unix password:</emphasis> Changes also the Asterisk
|
|
passwords.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">Force password change:</emphasis> This
|
|
will force the user to change his password at next login. This
|
|
option supports Shadow, Samba 3 and PPolicy (automatically
|
|
detected).</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Account (un)locking:</emphasis></para>
|
|
|
|
<para>Depending on whether the account includes a Unix/Samba extension
and whether PPolicy is activated, the page shows options to lock or
unlock the account. E.g. if the account is fully unlocked, no unlocking
options are shown.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordReset3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</chapter>
|
|
|
|
<chapter id="a_selfService">
|
|
<title>Self service (LAM Pro)</title>
|
|
|
|
<section>
|
|
<title>Preparations</title>
|
|
|
|
<section>
|
|
<title>OpenLDAP ACLs</title>
|
|
|
|
<para>By default only a few administrative users have write access to
|
|
the LDAP database. Before your users may change their settings you
|
|
must allow them to change their LDAP data.</para>
|
|
|
|
<para>Hint: The ACLs below are not required if you decide to run all
|
|
operations as the LDAP bind user (option "Use for all
|
|
operations").</para>
|
|
|
|
<para>This can be done by adding ACLs to your slapd.conf or
|
|
slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to
|
|
these:</para>
|
|
|
|
<para><emphasis role="bold">access to</emphasis></para>
|
|
|
|
<para><emphasis role="bold"> attrs=userPassword</emphasis></para>
|
|
|
|
<para><emphasis role="bold"> by self write</emphasis></para>
|
|
|
|
<para><emphasis role="bold"> by anonymous auth</emphasis></para>
|
|
|
|
<para><emphasis role="bold"> by * none</emphasis></para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">access to</emphasis></para>
|
|
|
|
<para><emphasis role="bold">
|
|
attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange</emphasis></para>
|
|
|
|
<para><emphasis role="bold"> by self write</emphasis></para>
|
|
|
|
<para><emphasis role="bold"> by * read</emphasis></para>
|
|
|
|
<para>If you do not want them to change all attributes then reduce the
list to fit your needs. Some modules may require additional LDAP
attributes. You can use the tree view to get the technical attribute
names, e.g. by selecting a user account.</para>
|
|
|
|
<para>Usually, the slapd.conf file is located in /etc/ldap or
|
|
/etc/openldap.</para>
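<para>As an added illustration (not code from LAM or OpenLDAP), the following Python renders the two ACL stanzas above as cn=config "olcAccess" values, builds the ldapmodify input for them, and flags a userPassword rule that grants more than "none" to everyone. The database DN olcDatabase={1}bdb,cn=config is an assumption taken from the file name mentioned above; the lint checks are this example's own heuristics.</para>

<literallayout>
```python
"""Convert the slapd.conf-style self-service ACLs from this section into
cn=config "olcAccess" values and lint the userPassword rule.
Added illustration, not part of LAM or OpenLDAP."""
import re
from typing import List

# the two ACL stanzas shown in this section, in slapd.conf syntax
SELF_SERVICE_ACLS = """\
access to
  attrs=userPassword
  by self write
  by anonymous auth
  by * none

access to
  attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange
  by self write
  by * read
"""


def split_stanzas(conf: str) -> List[str]:
    """Join each 'access to' line with its indented continuation lines."""
    stanzas: List[str] = []
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped == "":
            continue
        if stripped.startswith("access to"):
            stanzas.append(stripped)
        elif stanzas:
            stanzas[-1] += " " + stripped
        else:
            raise ValueError(f"clause before any 'access to': {line!r}")
    return stanzas


def to_olc_access(conf: str, first_index: int = 0) -> List[str]:
    """Render each stanza as one 'olcAccess: {n}to ...' value.
    OpenLDAP evaluates ACLs in order and the first matching 'to' clause
    wins, so the {n} index decides whether an existing broader rule
    (e.g. 'to * by * read') shadows these."""
    values = []
    for n, stanza in enumerate(split_stanzas(conf), start=first_index):
        values.append("olcAccess: {%d}%s" % (n, stanza[len("access "):]))
    return values


def lint_password_acl(conf: str) -> List[str]:
    """Report ACL patterns that defeat the purpose of the userPassword rule."""
    findings = []
    for stanza in split_stanzas(conf):
        if "attrs=userPassword" not in stanza:
            continue
        if "by anonymous auth" not in stanza:
            findings.append("userPassword: 'by anonymous auth' missing, "
                            "users cannot bind with their password")
        if re.search(r"by \* (read|write|compare|search)", stanza):
            findings.append("userPassword: catch-all grants more than "
                            "'none' to everyone")
    return findings


def ldif_modify(conf: str,
                database_dn: str = "olcDatabase={1}bdb,cn=config") -> str:
    """Build ldapmodify input for the rules.  Adding values with an explicit
    {n} index inserts them at that position of the ordered olcAccess list,
    so they end up in front of existing rules; check the result afterwards
    with an ldapsearch on cn=config (assumption: database DN as documented)."""
    lines = [f"dn: {database_dn}", "changetype: modify", "add: olcAccess"]
    lines += to_olc_access(conf)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ldif_modify(SELF_SERVICE_ACLS))
    print("findings:", lint_password_acl(SELF_SERVICE_ACLS))
```
</literallayout>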
|
|
</section>
|
|
|
|
<section>
|
|
<title>Other LDAP servers</title>
|
|
|
|
<para>There exist many LDAP implementations. If you do not use
|
|
OpenLDAP you need to write your own ACLs. Please check the manual of
|
|
your LDAP server for instructions.</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Creating a self service profile</title>
|
|
|
|
<para>A self service profile defines what input fields your users see
|
|
and some other general settings like the login caption.</para>
|
|
|
|
<para>When you go to the LAM configuration page you will see the self
service link at the bottom. This will lead you to the self service
configuration pages.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now we need to create a new self service profile. Click on the
|
|
link to manage the self service profiles.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Specify a name for the new profile and enter your master
|
|
configuration password (default is "lam") to save the profile.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Now go back to the profile login and enter your master
|
|
configuration password to edit your new profile.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Edit your new profile</title>
|
|
|
|
<section id="selfServiceBasicSettings">
|
|
<title>Basic settings</title>
|
|
|
|
<para>On top of the page you see the link to the user login page. Copy
|
|
this link address and give it to your users.</para>
|
|
|
|
<para>Below the link you can specify several options.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<table border="0">
|
|
<title>General options</title>
|
|
|
|
<tgroup cols="2">
|
|
<tbody>
|
|
<row>
|
|
<entry>Server address</entry>
|
|
|
|
<entry>The address of your LDAP server. For LDAP+SSL use
|
|
"ldaps://myserver"</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Activate TLS</entry>
|
|
|
|
<entry>Activates TLS encryption. Please note that this cannot
|
|
be combined with LDAP+SSL ("ldaps://").</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>LDAP suffix</entry>
|
|
|
|
<entry>The part of the LDAP tree where LAM should search for
|
|
users</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>LDAP search attribute</entry>
|
|
|
|
<entry>Here you can specify if your users can log in with user
name + password, email + password or other attributes.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>LDAP user + password</entry>
|
|
|
|
<entry>The DN and password which are used to search for users
in the LDAP database. It is sufficient if this DN has only
read rights. If you leave these fields empty LAM will try to
connect anonymously.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Use for all operations</entry>
|
|
|
|
<entry>By default LAM will use the credentials of the user
|
|
that logged in to self service for read/modify operations. If
|
|
you select this box then the connection user specified before
|
|
will be used instead. Please note that this can be a security
|
|
risk because the user requires write access to all users. You
|
|
need to make sure that your LAM server is well
|
|
protected.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Additional LDAP filter</entry>
|
|
|
|
<entry>Use this to enter an additional LDAP filter (e.g.
"(objectClass=passwordSelfReset)") to reduce the number of
accounts that may use self service.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>HTTP authentication</entry>
|
|
|
|
<entry>You can enable HTTP authentication for your users. This
way the web server is responsible for authenticating your users.
LAM will use the given user name + password for the LDAP
login. To set up HTTP authentication in Apache please see this
<ulink
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Login attribute label</entry>
|
|
|
|
<entry>This is the description for the LDAP search attribute.
|
|
Set it to something which your users are familiar
|
|
with.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Password field label</entry>
|
|
|
|
<entry>This text is placed as label for the password field on
|
|
the login page. LAM will use "Password" if you do not enter
|
|
any text.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Login caption</entry>
|
|
|
|
<entry>This text is displayed at the login page. You can input
|
|
HTML, too.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Main page caption</entry>
|
|
|
|
<entry>This text is displayed at self service main page where
|
|
your users change their data. You can input HTML, too.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Page header</entry>
|
|
|
|
<entry>This HTML code will be placed on top of all self
|
|
service pages. E.g. you can use this to place your custom
|
|
logo. Any HTML code is permitted.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Additional CSS links</entry>
|
|
|
|
<entry>Here you can specify additional CSS links to change the
|
|
layout of the self service pages. This is useful to adapt them
|
|
to your corporate design. Please enter one link per
|
|
line.</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Page layout</title>
|
|
|
|
<para>Here you can specify what input fields your users can see. It is
|
|
also possible to group several input fields.</para>
|
|
|
|
<para>Please use the arrow signs to change the order of the
|
|
fields/groups.</para>
|
|
|
|
<para>You may also set some fields as read-only for your users. This
can be done by clicking on the lock symbol. Read-only fields can be
used to show your users additional data on the self service page that
they must not change themselves (e.g. first/last name).</para>
|
|
|
|
<para>Sometimes, you may want to set a custom label for an input
|
|
field. Click on the edit icon to set your own label text (Personal:
|
|
Department is relabeled as "Business unit" here).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Possible input fields</emphasis></para>
|
|
|
|
<para>This is a list of input fields you may add to the self service
|
|
page.</para>
|
|
|
|
<table>
|
|
<title>Self service fields</title>
|
|
|
|
<tgroup cols="3">
|
|
<tbody>
|
|
<row>
|
|
<entry align="center"><emphasis role="bold">Account
|
|
type</emphasis></entry>
|
|
|
|
<entry align="center"><emphasis
|
|
role="bold">Option</emphasis></entry>
|
|
|
|
<entry align="center"><emphasis
|
|
role="bold">Description</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_asterisk.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Asterisk (voicemail)</entry>
|
|
|
|
<entry>Sync Asterisk password with Unix password</entry>
|
|
|
|
<entry>This is a hidden field. It will update the Asterisk
|
|
password each time the Unix password is changed.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_heimdal.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Kerberos</entry>
|
|
|
|
<entry>Sync Kerberos password with Unix password</entry>
|
|
|
|
<entry>This is a hidden field. It will update the Kerberos
|
|
password each time the Unix password is changed.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry morerows="1"><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_kolab.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Kolab</entry>
|
|
|
|
<entry>Delegates</entry>
|
|
|
|
<entry>Allows managing delegate permissions</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Invitation policy</entry>
|
|
|
|
<entry>Invitation policy management</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_ssh.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Password policy</entry>
|
|
|
|
<entry>Last password change</entry>
|
|
|
|
<entry>read-only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry morerows="2"><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_ssh.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Password self reset</entry>
|
|
|
|
<entry>Question</entry>
|
|
|
|
<entry>Security question selection</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Answer</entry>
|
|
|
|
<entry>Security answer</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Backup email</entry>
|
|
|
|
<entry>(External) backup email address that has no relation to
the user password.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry morerows="26"><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_user.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Personal</entry>
|
|
|
|
<entry>Business category</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Car license</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Department</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Description</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Email address</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Fax number</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>First name</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Home telephone number</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Initials</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Job title</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Last name</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Location</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Mobile number</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Office name</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Organisational unit</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Photo</entry>
|
|
|
|
<entry>Shows the user photo if set. The user may also remove
|
|
the photo or upload a new one.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Postal address</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Postal code</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Post office box</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Registered address</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Room number</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>State</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Street</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Telephone number</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>User certificates</entry>
|
|
|
|
<entry>Upload of user certificates in PEM or DER
|
|
format</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>User name</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Web site</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry morerows="4"><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_samba.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Samba 3</entry>
|
|
|
|
<entry>Password</entry>
|
|
|
|
<entry>Input field to set a new NT/LM password. The attribute
|
|
"sambaPwdLastSet" is updated if it existed before.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Sync Samba LM password with Unix password</entry>
|
|
|
|
<entry>This is a hidden field. It will update the Samba LM
|
|
password each time the Unix password is changed.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Sync Samba NT password with Unix password</entry>
|
|
|
|
<entry>This is a hidden field. It will update the Samba NT
|
|
password each time the Unix password is changed.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Update attribute "sambaPwdLastSet" on password
|
|
change</entry>
|
|
|
|
<entry>Updates the password timestamp when password is
|
|
synchronized with Unix.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Last password change (read-only)</entry>
|
|
|
|
<entry>Displays the date and time of the user's last password
|
|
change.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_ssh.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Shadow</entry>
|
|
|
|
<entry>Last password change (read-only)</entry>
|
|
|
|
<entry>Displays the date and time of the user's last password
|
|
change (Unix).</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry morerows="8"><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_samba.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Windows</entry>
|
|
|
|
<entry>Password</entry>
|
|
|
|
<entry>Change the user's password</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Location</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Office name</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Postal code</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Post office box</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>State</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Street</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Telephone number</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Web site</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry morerows="2"><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_unix.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Unix</entry>
|
|
|
|
<entry>Common name</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Login shell</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Password</entry>
|
|
|
|
<entry>This is also the source for several password
|
|
synchronization options.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry morerows="1"><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_zarafa.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> Zarafa</entry>
|
|
|
|
<entry>"Send as" privileges</entry>
|
|
|
|
<entry>Defines users who may send mails as this user</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Email aliases</entry>
|
|
|
|
<entry>Email aliases</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry morerows="3"><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_pykota.png" />
|
|
</imageobject>
|
|
</inlinemediaobject> PyKota</entry>
|
|
|
|
<entry>Balance (read-only)</entry>
|
|
|
|
<entry>Current balance for printing</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Total paid (read-only)</entry>
|
|
|
|
<entry>Total money paid</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Payment history</entry>
|
|
|
|
<entry>History of user payments</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Job history</entry>
|
|
|
|
<entry>History of printed jobs</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Module settings</title>
|
|
|
|
<para>This allows you to configure some module specific options (e.g.
custom scripts or password hash type).</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/conf6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section id="PasswordSelfReset">
|
|
<title>Password self reset</title>
|
|
|
|
<para><emphasis role="bold">Schema installation</emphasis></para>
|
|
|
|
<para>Please install the LDAP schema as described <link
|
|
linkend="a_passwordSelfResetSchema">here</link>.</para>
|
|
|
|
<para><emphasis role="bold">Settings</emphasis></para>
|
|
|
|
<para>You can allow your users to reset their passwords themselves.
|
|
This will reduce your administrative costs for cases where users
|
|
forget their passwords.</para>
|
|
|
|
<para>To enable this feature please activate the checkbox "Enable
|
|
password self reset link".</para>
|
|
|
|
<para><emphasis role="bold">Hint:</emphasis> Plese note that LAM Pro
|
|
uses security questions by default. Activate confirmation mails and
|
|
then deactivate security questions if you want to use only email
|
|
validation.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can now configure the minimum answer length for password
reset answers. This is checked when you allow your users to specify
their answers via the self service. Additionally, you can specify the
text of the password reset link (default: "Forgot password?"). The
link is displayed below the password field on the self service login
page.</para>
|
|
|
|
<para>Next, please enter the DN and password of an LDAP entry that is
|
|
allowed to reset the passwords. This entry needs write access to the
|
|
attributes shadowLastChange, pwdAccountLockedTime and userPassword. It
|
|
also needs read access to uid, mail, passwordSelfResetQuestion and
|
|
passwordSelfResetAnswer. Please note that LAM Pro saves the password
|
|
on your server file system. Therefore, it is required to protect your
|
|
server against unauthorised access.</para>
|
|
|
|
<para>Please also specify the list of password reset questions that
|
|
the user can choose.</para>
|
|
|
|
<para>Please note that self service and the LAM admin interface are
separate functionalities. You need to specify the list of possible
security questions in both self service profile(s) and server
profile(s).</para>
|
|
|
|
<literallayout> </literallayout>
|
|
|
|
<para>You can inform your users via mail about their password change.
|
|
The mail can include the new password by using the special wildcard
|
|
"@@newPassword@@". Additionally, you may want to insert other
|
|
wildcards that are replaced by the corresponding LDAP attributes. E.g.
|
|
"@@uid@@" will be replaced by the user name. Please see <link
|
|
linkend="mailEOL">email format option</link> in case of broken mails.
|
|
See <link linkend="mailSetup">here</link> for setting up your SMTP
|
|
server.</para>
|
|
|
|
<literallayout> </literallayout>
|
|
|
|
<para>LAM Pro can send your users an email with a confirmation link to
validate their email address. Of course, this should only be used if
the email account is independent from the user password (e.g. at an
external provider) or you use the backup email address feature. The
mail body must include the confirmation link by using the special
wildcard "@@resetLink@@". Additionally, you may want to insert other
wildcards that are replaced by the corresponding LDAP attributes. E.g.
"@@uid@@" will be replaced by the user name.</para>
|
|
|
|
<para>There is also an option to skip the security question entirely
if email verification is enabled. In this case the password can be
reset directly after clicking on the confirmation link. Please handle
with care since anybody with access to the user's mail account can
reset the password.</para>
|
|
|
|
<para><emphasis role="bold">Troubleshooting:</emphasis></para>
|
|
|
|
<para>If you get messages like "Unable to find user account." this can
|
|
have multiple reasons:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>security questions enabled but no security question and/or
|
|
answer set for this user</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>user name + email combination does not exist</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>no connection to LDAP server</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Turn on logging in LAM's main configuration settings. The exact
|
|
reason is logged on notice level.</para>
|
|
|
|
<para><emphasis role="bold">New fields for self service
|
|
page</emphasis></para>
|
|
|
|
<para>There are special fields that you may put on the self service
|
|
page for your users. These fields allow them to change the reset
|
|
question and its answer. It is also possible to set a backup email
|
|
address to reset passwords with an external email address.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>This is an example of how this can be presented to your users on
the self service page:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Password reset link</emphasis></para>
|
|
|
|
<para>After activating the password self reset feature there will be a
|
|
new link on the self service login page. The text can be configured as
|
|
described above (default: "Forgot password?").</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>When a user clicks on the link then he will be asked for
|
|
identification with his user name and email address.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM Pro will use this information to find the correct LDAP entry
of this user. It then displays the user's security question and input
fields for his new password. If the answer is correct then the new
password will be set. Additionally, pwdAccountLockedTime will be
removed and shadowLastChange updated to the current time, if these
attributes exist.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>User self registration</title>
|
|
|
|
<para>With LAM Pro your users can create their own accounts if you
like. LAM Pro will display an additional link on the self service
login page that allows your users to create a new account including
email validation (see <link linkend="mailSetup">here</link> for
setting up your SMTP server).</para>
|
|
|
|
<para>You enable this feature in your self service profile. Just
|
|
activate the checkbox "Enable self registration link".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/accountRegistration1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Options:</emphasis></para>
|
|
|
|
<para><emphasis>Link text:</emphasis> This is the label for the link
|
|
to the self registration. If empty "Register new account" will be
|
|
used.</para>
|
|
|
|
<para><emphasis>Admin DN and password:</emphasis> Please enter the
|
|
LDAP DN and its password that should be used to create new users. This
|
|
DN also needs to be able to do LDAP searches by uid in the self
|
|
service part of your LDAP tree.</para>
|
|
|
|
<para><emphasis>Object classes:</emphasis> This is a list of object
|
|
classes that are used to build the new user accounts. Please enter one
|
|
object class in each line.</para>
|
|
|
|
<para><emphasis>Attributes:</emphasis> This is a list of additional
|
|
attributes that the user can enter. Please note that user name,
|
|
password and email address are mandatory anyway and need not be
|
|
specified.</para>
|
|
|
|
<para>Each line represents one LDAP attribute. The settings are
|
|
separated by "::". The first setting specifies the field type. The
|
|
second setting is the LDAP attribute name. Depending on the field type
|
|
you can enter additional options:</para>
|
|
|
|
<table>
|
|
<title></title>
|
|
|
|
<tgroup cols="6">
|
|
<tbody>
|
|
<row>
|
|
<entry><emphasis role="bold">Description</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Type</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Attribute name</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">First option</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Second option</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Third option</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>An optional input field that is displayed on the
|
|
registration page.</entry>
|
|
|
|
<entry>optional</entry>
|
|
|
|
<entry>e.g. "givenName"</entry>
|
|
|
|
<entry>Label that is displayed on page</entry>
|
|
|
|
<entry>optional regular expression for validation (e.g.
|
|
"/^[0-9a-zA-Z]+$/")</entry>
|
|
|
|
<entry>validation message if value does not match validation
|
|
expression</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>A required input field that is displayed on the
|
|
registration page. Self registration cannot be done if such a
|
|
field is left empty by the user.</entry>
|
|
|
|
<entry>required</entry>
|
|
|
|
<entry>e.g. "sn"</entry>
|
|
|
|
<entry>Label that is displayed on page</entry>
|
|
|
|
<entry>optional regular expression for validation (e.g.
|
|
"/^[0-9a-zA-Z]+$/")</entry>
|
|
|
|
<entry>validation message if value does not match validation
|
|
expression</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Constant attribute value, not visible for the user. Can
|
|
be used to set some initial values or data that must not be
|
|
edited by the user.</entry>
|
|
|
|
<entry>constant</entry>
|
|
|
|
<entry>e.g. "homeDirectory"</entry>
|
|
|
|
<entry>attribute value, supports wildcards to insert other
attribute values (e.g. "@@uid@@")</entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>For a syntax description of validation expressions see <ulink
url="http://perldoc.perl.org/perlre.html">here</ulink>. Validation is
optional; you can leave these options blank.</para>
|
|
|
|
<para><emphasis role="bold">Example:</emphasis></para>
|
|
|
|
<para>optional::givenName::First name::/^[[:alnum:] ]+$/u::Please
|
|
enter a valid first name.</para>
|
|
|
|
<para>required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a
|
|
valid last name.</para>
|
|
|
|
<para>constant::homeDirectory::/home/@@uid@@</para>
|
|
|
|
<para>If you use the object class "inetOrgPerson" and do not provide
|
|
the "cn" attribute then LAM will set it to the user name value.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>Please note that only simple input boxes are supported for
account registration. Once the account has been created, the user may
log in to self service to manage all of his attributes.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">User view:</emphasis></para>
|
|
|
|
<para>The user can register by clicking on a link on the self service
|
|
login page:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/accountRegistration2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Here he can insert the data that you specified in the self
|
|
service profile:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/accountRegistration3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM will then send him an email with a validation link that is
|
|
valid for 24 hours. When he clicks on this link then the account will
|
|
be created in the self service user suffix. The DN will look like
|
|
this: <emphasis>uid=<user name>,...</emphasis></para>
|
|
|
|
<para>Please see <link linkend="mailEOL">email format option</link> in
|
|
case of broken mails.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Custom fields (LAM Pro)</title>
|
|
|
|
<para>This module allows you to manage LDAP attributes that are not
covered by the other LAM modules (e.g. if you use custom LDAP
schemas). You can fully define what your input fields look like:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Label</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>LDAP attribute name</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Unique name for field</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Help text</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Read-only display</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Field type: text, password, text area, checkbox, radio buttons, select list, file upload</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Validation via regular expression</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Error message if validation fails</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>To create custom fields for the Self Service, edit your Self Service profile and switch to the tab "Module settings". Here you can add a new field. Simply fill in the fields and press "Add".</para>
|
|
|
|
<para>Please note that the field name cannot be changed later. It is the unique ID for this field.</para>
|
|
|
|
<para>After you have created your fields, press "Sync fields with page layout". Now you can switch to the tab "Page layout" and add your new fields like any other standard field.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Examples for fields and their representation in Self Service:</para>
|
|
|
|
<para><emphasis role="bold">Text field:</emphasis></para>
|
|
|
|
<para>Text fields allow you to specify a <link linkend="customFields_validation_expressions">validation expression</link> and an error message.</para>
|
|
|
|
<para>You can also enable auto-completion. In this case LAM will search all accounts for the given attribute and provide auto-completion hints when the user edits this field. This should only be used if there is a limited number of different values for this attribute. Keep in mind that these hints reveal the values which other accounts have for this attribute to the user editing the field, so do not enable it for confidential attributes.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields2.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields3.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Password field:</emphasis></para>
|
|
|
|
<para>You can also manage custom password fields. LAM Pro will display two fields where the user must enter the same password. You can hash the password if needed.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields5.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Text area:</emphasis></para>
|
|
|
|
<para>This adds a multi-line field. The options are similar to text fields. Additionally, you can set the size with the number of columns and rows.</para>
|
|
|
|
<para>Please note that the <link linkend="customFields_validation_expressions">validation expression</link> should be set to multi-line. This is done by adding "m" at the end.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields6.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields7.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Checkbox:</emphasis></para>
|
|
|
|
<para>Sometimes you may want to allow only yes/no values for your LDAP attributes. This can be represented by a checkbox. You can specify the values for checked and unchecked. The default value is set if the LDAP attribute has no value.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields8.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields9.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Radio buttons:</emphasis></para>
|
|
|
|
<para>This displays a list of radio buttons where the user can select one value.</para>
|
|
|
|
<para>You can specify a mapping of LDAP attribute values and their display (label) on the Self Service page. To add more mapping fields please press "Add more mapping fields".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields10.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields11.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Select list:</emphasis></para>
|
|
|
|
<para>Select lists allow the user to select a value in a large list of options. The definition of the possible values and their display is similar to radio buttons.</para>
|
|
|
|
<para>You can also allow multiple values.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields12.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields13.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields18.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para id="customFields_validation_expressions"><emphasis role="bold">Validation expressions:</emphasis></para>
|
|
|
|
<para>The validation expressions follow the standard of <ulink url="http://perldoc.perl.org/perlre.html">Perl regular expressions</ulink>. They start and end with a "/". The beginning of a line is specified by "^" and the end by "$".</para>
|
|
|
|
<para>Examples:</para>
|
|
|
|
<para>/^[a-z0-9]+$/ allows lowercase letters and digits. The value must not be empty ("+").</para>
|
|
|
|
<para>/^[a-z0-9]+$/i allows lowercase and capital letters ("i" at the end means ignore case) and digits. The value must not be empty ("+").</para>
|
|
|
|
<para>Special characters that must be escaped with "\": "\", ".", "(", ")"</para>
|
|
|
|
<para>E.g. /^[a-z0-9\.]+$/i allows letters, digits and dots; the value must not be empty.</para>
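<para>The registration field definitions from the previous section (optional/required/constant lines) and the validation expressions described here can be checked offline with the following Go program. It is an added example, not code from LAM: it converts the "/pattern/flags" notation into a Go regular expression, parses the definition lines, validates submitted values and assembles the attributes of the new entry including the @@uid@@ constant and the cn default for inetOrgPerson. The user name jdoe, the submitted values and all function names are constructed for this example, and it assumes that a validation expression never contains "::" itself; Go's regexp engine is close to, but not identical with, the PCRE engine PHP uses, as the comments note.</para>

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// FieldSpec is one parsed definition line; Pattern is nil for constants.
type FieldSpec struct {
	Kind, Attribute, Label, ErrorMsg, Value string
	Pattern                                 *regexp.Regexp
}

// CompilePerlStyle turns the manual's "/pattern/flags" notation into a Go
// regexp (i = ignore case, m = ^ and $ also match at line breaks, u = UTF-8,
// which is always on in Go). Caveats: Go's [[:alnum:]] is ASCII-only, while
// PHP's u modifier may also admit non-ASCII letters; like preg_match, a
// partial match passes, so expressions need ^ and $ to check the whole value.
func CompilePerlStyle(expr string) (*regexp.Regexp, error) {
	end := strings.LastIndex(expr, "/")
	if !strings.HasPrefix(expr, "/") || end == 0 {
		return nil, fmt.Errorf("%q: expression must start and end with /", expr)
	}
	pattern, goFlags := expr[1:end], ""
	for _, f := range expr[end+1:] {
		switch f {
		case 'i', 'm':
			goFlags += string(f)
		case 'u': // nothing to do
		default:
			return nil, fmt.Errorf("%q: unsupported flag %q", expr, f)
		}
	}
	if goFlags != "" {
		pattern = "(?" + goFlags + ")" + pattern
	}
	return regexp.Compile(pattern)
}

// ParseFieldSpecs splits each line on "::" and compiles its expression, so a
// broken definition is caught before the form goes live.
func ParseFieldSpecs(lines []string) ([]FieldSpec, error) {
	var specs []FieldSpec
	for _, line := range lines {
		p := strings.Split(line, "::")
		switch {
		case p[0] == "constant" && len(p) == 3:
			specs = append(specs, FieldSpec{Kind: p[0], Attribute: p[1], Value: p[2]})
		case (p[0] == "optional" || p[0] == "required") && len(p) == 5:
			re, err := CompilePerlStyle(p[3])
			if err != nil {
				return nil, err
			}
			specs = append(specs, FieldSpec{Kind: p[0], Attribute: p[1], Label: p[2], ErrorMsg: p[4], Pattern: re})
		default:
			return nil, fmt.Errorf("malformed field definition: %q", line)
		}
	}
	return specs, nil
}

// BuildEntry validates the submitted form values and returns the attributes
// of the entry to create plus the error messages keyed by field label.
func BuildEntry(specs []FieldSpec, inetOrgPerson bool, userName string,
	input map[string]string) (entry, errs map[string]string) {
	entry, errs = map[string]string{"uid": userName}, map[string]string{}
	for _, s := range specs {
		v := strings.TrimSpace(input[s.Attribute])
		switch {
		case s.Kind == "constant": // submitted values for constants are ignored
			entry[s.Attribute] = strings.ReplaceAll(s.Value, "@@uid@@", userName)
		case v == "" && s.Kind == "required":
			errs[s.Label] = s.ErrorMsg
		case v == "": // optional field left empty: attribute is not set
		case !s.Pattern.MatchString(v):
			errs[s.Label] = s.ErrorMsg
		default:
			entry[s.Attribute] = v
		}
	}
	if inetOrgPerson && entry["cn"] == "" {
		entry["cn"] = userName // LAM's default when inetOrgPerson has no cn
	}
	return entry, errs
}

func main() {
	specs, err := ParseFieldSpecs([]string{ // the manual's three example lines
		"optional::givenName::First name::/^[[:alnum:] ]+$/u::Please enter a valid first name.",
		"required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a valid last name.",
		"constant::homeDirectory::/home/@@uid@@",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(BuildEntry(specs, true, "jdoe", map[string]string{"givenName": "Jane", "sn": "Doe?"}))
}
```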
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">File upload:</emphasis></para>
|
|
|
|
<para>This is used for binary data. You can restrict uploaded data to a given file extension and set the maximum file size.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields23.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<para>The uploaded data may also be downloaded via LAM.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields24.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Adapt the self service to your corporate design</title>
|
|
|
|
<para>LAM Pro allows you to integrate custom CSS style definitions and design the header of all self service pages. This way you can integrate your own logo and use your company's colors.</para>
|
|
|
|
<section>
|
|
<title>Custom header</title>
|
|
|
|
<para>The default LAM Pro header includes a logo and a horizontal line. You can enter any HTML code here. It will be included in the self service pages after the body tag.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configPageHeader.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>CSS files</title>
|
|
|
|
<para>Usually, companies have regulations about their corporate design and use common CSS files. This ensures a common appearance of all intranet pages (e.g. colors and fonts). To include additional CSS files, use the following setting. The additional CSS links will be added after LAM Pro's default CSS link. This way you can overwrite LAM Pro's style.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configCSS.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
</chapter>
|
|
|
|
<appendix id="a_schema">
|
|
<title>LDAP schema files</title>
|
|
|
|
<para>Here is a list of needed LDAP schema files for the different LAM modules. For OpenLDAP we also provide a source where you can get the files.</para>
|
|
|
|
<table frame="none" lang="" role="" tabstyle="nogrid">
|
|
<title>LDAP schema files</title>
|
|
|
|
<tgroup cols="6">
|
|
<thead>
|
|
<row>
|
|
<entry></entry>
|
|
|
|
<entry>Account type</entry>
|
|
|
|
<entry>Object class(es)</entry>
|
|
|
|
<entry>Schema name</entry>
|
|
|
|
<entry>Source</entry>
|
|
|
|
<entry>Notes</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_unix.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Unix accounts</entry>
|
|
|
|
<entry>posixAccount, shadowAccount, hostObject, posixGroup</entry>
|
|
|
|
<entry>nis.schema, rfc2307bis.schema, ldapns.schema (hostObject)</entry>
|
|
|
|
<entry>Part of OpenLDAP installation, part of libpam-ldap (ldapns.schema)</entry>
|
|
|
|
<entry>The rfc2307bis.schema is only supported by LAM Pro. Use the nis.schema if you do not want to upgrade to LAM Pro.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_inetOrgPerson.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Address book entries</entry>
|
|
|
|
<entry>inetOrgPerson</entry>
|
|
|
|
<entry>inetorgperson.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_samba.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Samba 3 accounts</entry>
|
|
|
|
<entry>sambaSamAccount, sambaGroupMapping, sambaDomain</entry>
|
|
|
|
<entry>samba.schema</entry>
|
|
|
|
<entry>Part of Samba tarball (examples/LDAP/samba.schema)</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_samba.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Windows AD (Samba 4)</entry>
|
|
|
|
<entry>user, group, computer</entry>
|
|
|
|
<entry></entry>
|
|
|
|
<entry>Samba 4 built-in</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_kolab.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Kolab 2/3 users</entry>
|
|
|
|
<entry>kolabUser</entry>
|
|
|
|
<entry>kolab2/3.schema, rfc2739.schema</entry>
|
|
|
|
<entry>Part of Kolab 2/3 installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_asterisk.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Asterisk (extension)</entry>
|
|
|
|
<entry>AsteriskSIPUser, AsteriskExtension</entry>
|
|
|
|
<entry>asterisk.schema</entry>
|
|
|
|
<entry>Part of Asterisk installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_pykota.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>PyKota users, groups, printers and billing codes</entry>
|
|
|
|
<entry>pykotaObject, pykotaAccount, pykotaAccountBalance, pykotaGroup, pykotaPrinter, pykotaBilling</entry>
|
|
|
|
<entry>pykota.schema</entry>
|
|
|
|
<entry>Part of PyKota installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_mailAlias.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Mail routing</entry>
|
|
|
|
<entry>inetLocalMailRecipient</entry>
|
|
|
|
<entry>misc.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_hostObject.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Hosts</entry>
|
|
|
|
<entry>hostObject, device</entry>
|
|
|
|
<entry>ldapns.schema</entry>
|
|
|
|
<entry>Part of libpam-ldap installation</entry>
|
|
|
|
<entry>The device object class is only available in LAM Pro.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_authorizedServices.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Authorized services</entry>
|
|
|
|
<entry>authorizedServiceObject</entry>
|
|
|
|
<entry>ldapns.schema</entry>
|
|
|
|
<entry>Part of libpam-ldap installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_mailAlias.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Mail aliases</entry>
|
|
|
|
<entry>nisMailAlias</entry>
|
|
|
|
<entry>misc.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_mailAlias.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Qmail user</entry>
|
|
|
|
<entry>qmailUser</entry>
|
|
|
|
<entry>qmail.schema</entry>
|
|
|
|
<entry>Part of <ulink url="http://www.nrg4u.com/">qmail_ldap</ulink></entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_mac.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>MAC addresses</entry>
|
|
|
|
<entry>ieee802device</entry>
|
|
|
|
<entry>nis.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_ipHost.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>IP addresses</entry>
|
|
|
|
<entry>ipHost</entry>
|
|
|
|
<entry>nis.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_puppet.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Puppet</entry>
|
|
|
|
<entry>puppetClient</entry>
|
|
|
|
<entry>puppet.schema</entry>
|
|
|
|
<entry><ulink url="https://github.com/puppetlabs/puppet/blob/master/ext/ldap/puppet.schema">Puppet on GitHub</ulink></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_eduPerson.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>EDU person</entry>
|
|
|
|
<entry>eduPerson</entry>
|
|
|
|
<entry>eduperson.schema</entry>
|
|
|
|
<entry><ulink url="http://middleware.internet2.edu/eduperson/">http://middleware.internet2.edu</ulink></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_user.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Simple Accounts</entry>
|
|
|
|
<entry>account</entry>
|
|
|
|
<entry>cosine.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_ssh.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>SSH public keys</entry>
|
|
|
|
<entry>ldapPublicKey</entry>
|
|
|
|
<entry>openssh-lpk.schema</entry>
|
|
|
|
<entry>Included in patch from <ulink url="http://code.google.com/p/openssh-lpk/">http://code.google.com/p/openssh-lpk/</ulink></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_quota.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Filesystem quotas</entry>
|
|
|
|
<entry>systemQuotas</entry>
|
|
|
|
<entry>quota.schema</entry>
|
|
|
|
<entry><ulink url="http://sourceforge.net/projects/linuxquota/">Linux DiskQuota</ulink></entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_group.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Group of (unique) names</entry>
|
|
|
|
<entry>groupOfNames, groupOfUniqueNames</entry>
|
|
|
|
<entry>core.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_group.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Groups</entry>
|
|
|
|
<entry>organizationalRole</entry>
|
|
|
|
<entry>core.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_dhcp.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>DHCP</entry>
|
|
|
|
<entry>dhcpOptions, dhcpSubnet, dhcpServer</entry>
|
|
|
|
<entry>dhcp.schema</entry>
|
|
|
|
<entry>docs/schema/dhcp.schema</entry>
|
|
|
|
<entry>The LDAP suffix should be set to your dhcpServer entry.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_bind.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Bind DLZ DNS</entry>
|
|
|
|
<entry>dlzZone, dlzHost, dlzSOARecord, dlzNSRecord, dlzARecord, dlzMXRecord, dlzCNameRecord, dlzPTRRecord</entry>
|
|
|
|
<entry>dlz.schema</entry>
|
|
|
|
<entry>Part of <ulink url="http://bind-dlz.sourceforge.net/">Bind DLZ patch</ulink></entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_alias.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Aliases</entry>
|
|
|
|
<entry>alias, uidObject</entry>
|
|
|
|
<entry>core.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_netgroup.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>NIS netgroups</entry>
|
|
|
|
<entry>nisNetgroup</entry>
|
|
|
|
<entry>nis.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_nisObject.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>NIS objects</entry>
|
|
|
|
<entry>nisObject</entry>
|
|
|
|
<entry>nis.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_nisObject.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Automount objects</entry>
|
|
|
|
<entry>automount</entry>
|
|
|
|
<entry>autofs.schema, rfc2307bis.schema</entry>
|
|
|
|
<entry>Autofs LDAP</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_oracle.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Oracle databases</entry>
|
|
|
|
<entry>orclNetService</entry>
|
|
|
|
<entry>oidbase.schema, oidnet.schema, oidrdbms.schema, alias.schema</entry>
|
|
|
|
<entry>Preinstalled on Oracle directory server, OpenLDAP schemas can be downloaded e.g. <ulink url="http://www.idevelopment.info/data/Oracle/DBA_tips/LDAP/LDAP_8.shtml">here</ulink></entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_ppolicy.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Password policies</entry>
|
|
|
|
<entry>pwdPolicy, device</entry>
|
|
|
|
<entry>ppolicy.schema, core.schema</entry>
|
|
|
|
<entry>Part of OpenLDAP installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_freeRadius.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>FreeRadius users</entry>
|
|
|
|
<entry>radiusprofile</entry>
|
|
|
|
<entry>openldap.schema</entry>
|
|
|
|
<entry>Part of FreeRadius installation</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_heimdal.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Heimdal Kerberos</entry>
|
|
|
|
<entry>krb5KDCEntry</entry>
|
|
|
|
<entry>hdb.schema</entry>
|
|
|
|
<entry>Part of Heimdal Kerberos installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_mitKerberos.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>MIT Kerberos</entry>
|
|
|
|
<entry>krbPrincipal, krbPrincipalAux, krbTicketPolicyAux</entry>
|
|
|
|
<entry>kerberos.schema</entry>
|
|
|
|
<entry>Part of MIT Kerberos installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_sudo.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Sudo roles</entry>
|
|
|
|
<entry>sudoRole</entry>
|
|
|
|
<entry>sudo.schema</entry>
|
|
|
|
<entry>Part of sudo-ldap installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_zarafa.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>Zarafa</entry>
|
|
|
|
<entry>zarafa-user, zarafa-group, zarafa-server</entry>
|
|
|
|
<entry>zarafa.schema</entry>
|
|
|
|
<entry>Part of Zarafa installation</entry>
|
|
|
|
<entry>LAM Pro only</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schema_mailAlias.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></entry>
|
|
|
|
<entry>IMAP mailboxes</entry>
|
|
|
|
<entry>-</entry>
|
|
|
|
<entry>-</entry>
|
|
|
|
<entry>-</entry>
|
|
|
|
<entry>Does not require any schema.</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
</appendix>
|
|
|
|
<appendix id="a_security">
|
|
<title>Security</title>
|
|
|
|
<section id="a_configPasswords">
|
|
<title>LAM configuration passwords</title>
|
|
|
|
<para>LAM supports a two-level authorization system for its configuration. Therefore, there are two types of configuration passwords:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">master configuration password:</emphasis> needed to change general settings, create/delete server profiles and self service profiles</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">server profile password:</emphasis> used to change the settings of a server profile (e.g. LDAP server and account types to manage)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The master configuration password can be used to reset a server profile password. Each server profile has its own profile password.</para>
|
|
|
|
<para>Both password types are stored as hash values in the configuration files for enhanced security.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Use of SSL</title>
|
|
|
|
<para>The data which is transferred between you and LAM is very sensitive. Please always use SSL encrypted connections between LAM and your browser to protect yourself against network sniffers.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>LDAP with SSL and TLS</title>
|
|
|
|
<para>SSL will be used if you use ldaps://servername in your configuration profile. TLS can be activated with the "Activate TLS" option.</para>
|
|
|
|
<para>If your LDAP server uses an SSL certificate of a well-known certificate authority (CA) then you probably need no changes. If you use a custom CA in your company then there are two ways to set up the CA certificates.</para>
|
|
|
|
<section>
|
|
<title>Setup SSL certificates in LAM general settings</title>
|
|
|
|
<para>This is much easier than system level setup and will only affect LAM. There might be some cases where other web applications on the same web server are affected as well.</para>
|
|
|
|
<para>See <link linkend="conf_sslCert">here</link> for details.</para>
|
|
</section>
|
|
|
|
<section id="ssl_certSystem">
|
|
<title>Setup SSL certificates on system level</title>
|
|
|
|
<para>This will make the CA certificates available also to other applications on your system (e.g. other web applications).</para>
|
|
|
|
<para>You will need to set up ldap.conf to trust your server certificate. Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. Specify the server CA certificate with the following option:</para>
|
|
|
|
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
|
|
|
<para>This needs to be the public part of the signing certificate authority. See "man ldap.conf" for additional options.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>You may also need to specify the CA certificate in your Apache configuration by using the option "LDAPTrustedGlobalCert":</para>
|
|
|
|
<programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Chrooted servers</title>
|
|
|
|
<para>If your server is chrooted and you have no access to /dev/random or /dev/urandom, this can be a security risk. LAM stores your LDAP password encrypted in the session. LAM uses rand() to generate the key if /dev/random and /dev/urandom are not accessible. Therefore the key can easily be guessed. An attacker needs read access to the session file (e.g. from another Apache instance) to exploit this.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Protection of your LDAP password and directory contents</title>
|
|
|
|
<para>You have to install the MCrypt extension for PHP to enable encryption.</para>
|
|
|
|
<para>Your LDAP password is stored encrypted in the session file. The key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to encrypt the password. All data that was read from LDAP and needs to be stored in the session file is also encrypted.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Apache configuration</title>
|
|
|
|
<section>
|
|
<title>Sensitive directories</title>
|
|
|
|
<para>LAM includes several .htaccess files to protect your configuration files and temporary data. Apache is often configured to not use .htaccess files by default. Therefore, please check your Apache configuration and change the override setting to:</para>
|
|
|
|
<programlisting>AllowOverride All</programlisting>
|
|
|
|
<para>If you are experienced in configuring Apache then you can also copy the security settings from the .htaccess files to your main Apache configuration.</para>
|
|
|
|
<para>If possible, you should not rely on .htaccess files alone but also move the config and sess directory to a place outside of your WWW root. You can put a symbolic link in the LAM directory so that LAM finds the configuration/session files.</para>
|
|
|
|
<para>Security sensitive directories:</para>
|
|
|
|
<para><emphasis role="bold">config: </emphasis>Contains your LAM configuration and account profiles</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>LAM configuration passwords (SSHA hashed)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>default values for new accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory must be accessible by Apache but need not be accessible by the browser</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">sess:</emphasis> PHP session files</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>LAM admin password in clear text or MCrypt encrypted</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>cached LDAP entries in clear text or MCrypt encrypted</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory must be accessible by Apache but need not be accessible by the browser</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">tmp:</emphasis> temporary files</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>PDF documents which may also include passwords</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>images of your users</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory contents must be accessible by the browser but the directory itself need not be browseable</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section id="apache_http_auth">
|
|
<title>Use LDAP HTTP authentication for LAM</title>
|
|
|
|
<para>With HTTP authentication Apache is responsible for asking for the user name and password. Both are then forwarded to LAM, which uses them to access LDAP. This approach gives you more flexibility to restrict the number of users that may access LAM (e.g. by requiring group memberships).</para>
|
|
|
|
<para>First of all you need to load additional Apache modules. These are "<ulink url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>" and "<ulink type="" url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para>
|
|
|
|
<para>Next you can add a file called "lam_auth_ldap" to /etc/apache/conf.d. This simple example restricts access to all URLs beginning with "lam" to users who authenticate against LDAP.</para>
|
|
|
|
<programlisting><location /lam>
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  Require valid-user
</location></programlisting>
|
|
|
|
<para>You can also require that your users belong to a certain Unix group in LDAP:</para>
|
|
|
|
<programlisting><location /lam>
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  Require valid-user
  # force membership of lam-admins
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
</location></programlisting>
|
|
|
|
<para>Please see the <ulink
|
|
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">Apache
|
|
documentation</ulink> for more details.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Self Service behind proxy in DMZ (LAM Pro)</title>
|
|
|
|
<para>In some cases you might want to make the self service accessible
|
|
via the internet. Here is an Apache config to forward only the
|
|
required URLs via a proxy server (lamproxy.company.com) in your DMZ to
|
|
the internal LAM server (lam.company.com).</para>
|
|
|
|
<para><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/selfServiceProxy.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></para>
|
|
|
|
<para>This configuration allows your users to open
https://lamproxy.company.com which will then proxy the self service on
the internal server. Only the listed paths are forwarded, so LAM's login
and configuration pages stay unreachable from the internet. The example
does not verify the certificate of the internal server (mod_ssl's
SSLProxyVerify defaults to "none"); add "SSLProxyVerify require" and
"SSLProxyCACertificateFile" so that the proxy cannot be redirected to a
spoofed backend.</para>
|
|
|
|
<programlisting><VirtualHost lamproxy.company.com:443>
|
|
ServerName lamproxy.company.com
|
|
ErrorLog /var/log/apache2/lam-proxy-error.log
|
|
CustomLog /var/log/apache2/lam-proxy-access.log combined
|
|
DocumentRoot /var/www/lam-proxy
|
|
<Proxy *>
|
|
Order deny,allow
|
|
Allow from all
|
|
</Proxy>
|
|
SSLProxyEngine on
|
|
SSLEngine on
|
|
SSLCertificateFile /etc/apache2/ssl/apache.pem
|
|
ProxyPreserveHost On
|
|
ProxyRequests off
|
|
loglevel info
|
|
|
|
# redirect front page to self service login page
|
|
RewriteEngine on
|
|
RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&name=lam
|
|
|
|
# proxy required URLs
|
|
ProxyPass /tmp https://lam.company.com/lam/tmp
|
|
ProxyPass /sess https://lam.company.com/lam/sess
|
|
ProxyPass /templates/lib https://lam.company.com/lam/templates/lib
|
|
ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService
|
|
ProxyPass /style https://lam.company.com/lam/style
|
|
ProxyPass /graphics https://lam.company.com/lam/graphics
|
|
|
|
ProxyPassReverse /tmp https://lam.company.com/lam/tmp
|
|
ProxyPassReverse /sess https://lam.company.com/lam/sess
|
|
ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib
|
|
ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService
|
|
ProxyPassReverse /style https://lam.company.com/lam/style
|
|
ProxyPassReverse /graphics https://lam.company.com/lam/graphics
|
|
</VirtualHost></programlisting>
|
|
</section>
|
|
</section>
|
|
</appendix>
|
|
|
|
<appendix>
|
|
<title>Typical OpenLDAP settings</title>
|
|
|
|
<para>Some basic hints to configure the OpenLDAP server:</para>
|
|
|
|
<para><emphasis id="size_limit_exceeded" role="bold">Size
|
|
limit:</emphasis></para>
|
|
|
|
<para>You will get a message like "LDAP sizelimit exceeded, not all
|
|
entries are shown." when you hit the LDAP search limit.</para>
|
|
|
|
<para>OpenLDAP returns at most 500 entries per search by default. If you
have more users/groups/hosts, raise this limit:</para>
|
|
|
|
<para>slapd.conf:</para>
|
|
|
|
<para>e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return
|
|
values</para>
|
|
|
|
<para>slapd.d:</para>
|
|
|
|
<para>e.g. "olcSizeLimit: 10000" or "olcSizeLimit: -1" for unlimited
return values on the cn=config entry (file
/etc/ldap/slapd.d/cn=config.ldif). Prefer applying such changes with
ldapmodify against cn=config: slapd only reads the files under slapd.d at
startup and does not check hand edits.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis id="a_openldap_unique" role="bold">Unique
|
|
attributes:</emphasis></para>
|
|
|
|
<para>There are cases where you do not want that same attribute values
|
|
exist multiple times in your database. A good example are UID/GID
|
|
numbers.</para>
|
|
|
|
<para>OpenLDAP provides the <ulink
|
|
url="http://www.openldap.org/doc/admin24/overlays.html">attribute
|
|
uniqueness overlay</ulink> for this task.</para>
|
|
|
|
<para>Example to force unique UID numbers:</para>
|
|
|
|
<para>Load the overlay module: in
<emphasis>/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif</emphasis> add
"olcModuleLoad: {3}unique" (replace "3" with the highest existing number
plus one; skip this step if your slapd has the overlay compiled
in).</para>

<para>Now add the overlay as a child entry of your database (e.g.
olcDatabase={1}bdb, or {1}hdb/{1}mdb on newer installations) with the
object classes olcOverlayConfig and olcUniqueConfig and the attribute
"olcUniqueURI: ldap:///?uidNumber?sub". The attribute belongs to this
overlay entry (file olcDatabase={1}bdb/olcOverlay={0}unique.ldif), not to
the database entry itself. As with the size limit, applying the change
with ldapmodify is preferred over editing the files under slapd.d by
hand.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para id="indices"><emphasis role="bold">Indices:</emphasis></para>
|
|
|
|
<para>Indices will improve the performance when searching for entries in
|
|
the LDAP directory. The following indices are recommended:</para>
|
|
|
|
<simplelist>
|
|
<member>index objectClass eq</member>
|
|
|
|
<member>index default sub</member>
|
|
|
|
<member>index uidNumber eq</member>
|
|
|
|
<member>index gidNumber eq</member>
|
|
|
|
<member>index memberUid eq</member>
|
|
|
|
<member>index cn,sn,uid,displayName pres,sub,eq</member>
|
|
|
|
<member># Samba 3.x</member>
|
|
|
|
<member>index sambaSID eq</member>
|
|
|
|
<member>index sambaPrimaryGroupSID eq</member>
|
|
|
|
<member>index sambaDomainName eq</member>
|
|
</simplelist>
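<para>The three settings above (size limit, unique overlay, indices) are
all attributes under cn=config. As an added example that is not part of
LAM or OpenLDAP, the following Python script generates the corresponding
LDIF change records for ldapmodify, including RFC 2849 line folding and
base64 encoding, so that the files under slapd.d never have to be edited
by hand. The database DN "olcDatabase={1}mdb,cn=config" and the module
entry "cn=module{0},cn=config" are assumptions; check them with ldapsearch
on cn=config first.</para>

```python
"""Generate LDIF change records for the OpenLDAP cn=config settings
described above (size limit, unique overlay, indices), to be applied with
  ldapmodify -Y EXTERNAL -H ldapi:/// -f lam-config.ldif
instead of editing the files under slapd.d by hand.

Added example, not part of LAM or OpenLDAP. The database DN
"olcDatabase={1}mdb,cn=config" is an assumption; look yours up with
  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" dn
"""
import base64

# Indices recommended by the LAM manual (Samba entries included).
LAM_INDICES = [
    "objectClass eq",
    "default sub",
    "uidNumber eq",
    "gidNumber eq",
    "memberUid eq",
    "cn,sn,uid,displayName pres,sub,eq",
    "sambaSID eq",
    "sambaPrimaryGroupSID eq",
    "sambaDomainName eq",
]


def needs_base64(value: str) -> bool:
    """RFC 2849: values that start with ' ', ':' or '<', end with a space,
    or contain non-ASCII/NUL/CR/LF must be written base64 encoded ('::')."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 0x7F or c in "\x00\r\n" for c in value)


def attr_line(attr: str, value: str) -> str:
    """One logical 'attr: value' line, base64 encoded where LDIF requires it."""
    if needs_base64(value):
        enc = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {enc}"
    return f"{attr}: {value}"


def fold(line: str, width: int = 76) -> list:
    """Split a logical line into physical lines of at most `width` chars;
    continuation lines start with a single space (RFC 2849 line folding)."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1 :]
    return out


def record(dn: str, changetype: str, body: list) -> str:
    """Assemble one LDIF record; `body` holds the logical lines after changetype."""
    logical = [attr_line("dn", dn), f"changetype: {changetype}"] + body
    physical = []
    for line in logical:
        physical.extend(fold(line))
    return "\n".join(physical) + "\n"


def modify(dn: str, changes: list) -> str:
    """changes: [(op, attr, [values])] with op in add/replace/delete."""
    body = []
    for op, attr, values in changes:
        body.append(f"{op}: {attr}")
        body.extend(attr_line(attr, v) for v in values)
        body.append("-")
    return record(dn, "modify", body)


def size_limit_ldif(limit: int) -> str:
    """olcSizeLimit lives on the global cn=config entry; -1 means unlimited."""
    return modify("cn=config", [("replace", "olcSizeLimit", [str(limit)])])


def unique_overlay_ldif(db_dn: str, attrs=("uidNumber",)) -> str:
    """Load the module, then add the overlay as a child entry of the database.
    olcUniqueURI belongs to that olcUniqueConfig entry, not to the database."""
    load = modify("cn=module{0},cn=config", [("add", "olcModuleLoad", ["unique"])])
    overlay = record(f"olcOverlay=unique,{db_dn}", "add", [
        "objectClass: olcOverlayConfig",
        "objectClass: olcUniqueConfig",
        "olcOverlay: unique",
    ] + [attr_line("olcUniqueURI", f"ldap:///?{a}?sub") for a in attrs])
    return load + "\n" + overlay


def indices_ldif(db_dn: str, indices=LAM_INDICES) -> str:
    """Add olcDbIndex values (run slapindex afterwards if your backend does
    not reindex on the fly)."""
    return modify(db_dn, [("add", "olcDbIndex", list(indices))])


if __name__ == "__main__":
    db = "olcDatabase={1}mdb,cn=config"  # assumption, see module docstring
    print(size_limit_ldif(10000), unique_overlay_ldif(db), indices_ldif(db), sep="\n")
```

<para>Write the output to a file and apply it as root with "ldapmodify -Y
EXTERNAL -H ldapi:/// -f lam-config.ldif". If the unique overlay is
compiled into slapd, leave out the module record; if one of the indices
already exists, ldapmodify reports "attribute or value exists" for that
record and you can drop the duplicate value.</para>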
|
|
</appendix>
|
|
|
|
<appendix id="mailSetup">
|
|
<title>Setup of email (SMTP) server</title>
|
|
|
|
<para>LAM always uses a local SMTP email server on the machine where LAM
|
|
is installed. Therefore, there is no need to configure any SMTP settings
|
|
inside LAM itself.</para>
|
|
|
|
<para>The local email server should be configured to forward all emails to
|
|
your company mail server (so-called smarthost). You can use any SMTP
|
|
software that ships with a Sendmail wrapper (e.g. Exim, Postfix, QMail or
|
|
Sendmail itself).</para>
|
|
|
|
<literallayout>
|
|
|
|
</literallayout>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/lam_mail.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</appendix>
|
|
|
|
<appendix id="a_lamdaemon">
|
|
<title>Setup for home directory and quota management</title>
|
|
|
|
<para>Lamdaemon.pl is used to modify quota and home directories on a
|
|
remote or local host via SSH (even if homedirs are located on
|
|
localhost).</para>
|
|
|
|
<para>If you want to use it you have to set up the following
things:</para>
|
|
|
|
<section id="a_lamdaemonConf">
|
|
<title>LDAP Account Manager configuration</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Set the remote or local host in the configuration (e.g.
|
|
127.0.0.1)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Path to lamdaemon.pl, e.g.
|
|
/srv/www/htdocs/lam/lib/lamdaemon.pl If you installed a Debian or
|
|
RPM package then the script will be located at
|
|
/usr/share/ldap-account-manager/lib/lamdaemon.pl.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Your LAM admin user must be a valid Unix account. It needs to
|
|
have the object class "posixAccount" and an attribute "uid". This
|
|
account must be accepted by the SSH daemon of your home directory
|
|
server. Do not create a second local account but change your system
|
|
to accept LDAP users. You can use LAM to add the Unix account part
|
|
to your admin user or create a new account. Please do not forget to
|
|
setup LDAP write access (<ulink
|
|
url="http://www.openldap.org/doc/admin24/access-control.html">ACLs</ulink>)
|
|
if you create a new account.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para></para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/lamdaemon.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Note that the builtin admin/manager entries do not work for
|
|
lamdaemon. You need to login with a Unix account.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/lamdaemon1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">OpenLDAP ACL location:</emphasis></para>
|
|
|
|
<para>The access rights for OpenLDAP are configured in
|
|
/etc/ldap/slapd.conf or
|
|
/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Setup sudo</title>
|
|
|
|
<para>The Perl script has to run as root. Therefore sudo is used as a
wrapper. Edit /etc/sudoers (with visudo) on the host where home
directories or quotas should be managed and add the following
line:</para>
|
|
|
|
<para>$admin ALL= NOPASSWD: $path_to_lamdaemon *</para>
|
|
|
|
<para><emphasis condition="">$admin</emphasis> is the admin user from
|
|
LAM (must be a valid Unix account) and
|
|
<emphasis>$path_to_lamdaemon</emphasis> is the path to
|
|
lamdaemon.pl.</para>
|
|
|
|
<para><emphasis role="bold">Example:</emphasis></para>
|
|
|
|
<para>myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl
|
|
*</para>
|
|
|
|
<para>You might need to run the sudo command once manually to init sudo.
|
|
The command "sudo -l" will show all possible sudo commands of the
|
|
current user.</para>
|
|
|
|
<para><emphasis role="bold">Attention:</emphasis> lamdaemon.pl is started
via SSH without a terminal, so the options "Defaults requiretty" and
"Defaults env_reset" in /etc/sudoers break it with errors like "you must
have a tty to run sudo" or "no tty present and no askpass program
specified". Rather than dropping both options for everyone, switch them
off for the LAM admin user only, e.g. "Defaults:myAdmin !requiretty,
!env_reset". Because the rule runs lamdaemon.pl as root with any
arguments ("*"), the script and the directories above it must be owned by
root and must not be writable by the web server user.</para>
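<para>Since the rule above lets sudo run lamdaemon.pl as root with any
arguments, the script must be modifiable by root only. The following
Python script is an added example and not part of LAM: it parses a
sudoers rule of the form shown above (no aliases), checks owner and
permissions of the command and of every directory above it, and flags
wildcard arguments. SUDOERS_LINE is a constructed sample; demo() runs the
check against a throw-away world-writable file so it can be tried without
a real installation.</para>

```python
"""Check that the command a NOPASSWD sudo rule runs as root cannot be
modified by the web server user (or anyone else but root), which is the
precondition for the lamdaemon rule above being safe.

Added example, not part of LAM. SUDOERS_LINE is a constructed sample rule;
demo() works on a temporary file so it runs without a real lamdaemon.pl.
"""
import os
import re
import stat
import tempfile

SUDOERS_LINE = "myAdmin ALL= NOPASSWD: /srv/www/htdocs/lam/lib/lamdaemon.pl *"

# user  host = [(runas)] [TAG:]... command [args]   (simple rules only, no aliases)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>\S+)\s*(?P<args>.*?)\s*$"
)


def parse_rule(line: str) -> dict:
    """Split a sudoers user specification into user, host, runas, tags, cmd, args."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    d = m.groupdict()
    d["tags"] = [t.rstrip(":") for t in d["tags"].split()]
    return d


def check_command(path: str) -> list:
    """Return the findings for a command that sudo runs as root."""
    findings = []
    st = os.lstat(path)  # lstat: a symlink could be repointed at another script
    if stat.S_ISLNK(st.st_mode):
        findings.append("command is a symlink")
        st = os.stat(path)
    if st.st_uid != 0:
        findings.append("command not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("command writable by group or others")
    # every directory above the script must be protected as well, otherwise
    # the file can be replaced by a rename (sticky bit excepted)
    d = os.path.dirname(os.path.abspath(path))
    while True:
        dst = os.stat(d)
        if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not dst.st_mode & stat.S_ISVTX:
            findings.append(f"directory {d} writable by group or others")
        if dst.st_uid != 0:
            findings.append(f"directory {d} not owned by root")
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return findings


def check_rule(line: str, path_override: str = None) -> dict:
    """Parse a sudoers rule and audit the command it runs.
    path_override audits a different file than the rule names (for demos)."""
    rule = parse_rule(line)
    findings = []
    # no args or '*' both mean: sudo accepts whatever the caller passes
    if rule["args"] in ("", "*"):
        findings.append("rule accepts any arguments; lamdaemon.pl itself must validate them")
    findings.extend(check_command(path_override or rule["cmd"]))
    return {"rule": rule, "findings": findings}


def demo() -> dict:
    """Audit the sample rule against a throw-away, deliberately world-writable script."""
    tmpdir = tempfile.mkdtemp()
    script = os.path.join(tmpdir, "lamdaemon.pl")
    with open(script, "w") as f:
        f.write("#!/usr/bin/perl\n")
    os.chmod(script, 0o777)  # wrong on purpose: must show up in the findings
    return check_rule(SUDOERS_LINE, path_override=script)


if __name__ == "__main__":
    result = demo()
    print(result["rule"])
    for finding in result["findings"]:
        print("-", finding)
```

<para>For a real check call check_rule() with the line from /etc/sudoers
and without path_override; the findings demo() produces for the temporary
file (not owned by root, writable by others) are exactly what must not
appear for the installed lamdaemon.pl. "visudo -c" and "sudo -l" remain
the tools to verify the sudoers syntax itself.</para>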
|
|
</section>
|
|
|
|
<section>
|
|
<title>Setup Perl</title>
|
|
|
|
<para>We need an extra Perl module - Quota. To install it, run:</para>
|
|
|
|
<simplelist>
|
|
<member>perl -MCPAN -e shell</member>
|
|
|
|
<member>install Quota</member>
|
|
</simplelist>
|
|
|
|
<para>If your Perl executable is not located in /usr/bin/perl you will
|
|
have to edit the path in the first line of lamdaemon.pl. If you have
|
|
problems compiling the Perl modules try installing a newer release of
|
|
your GCC compiler and the "make" application.</para>
|
|
|
|
<para>Several Linux distributions already include a quota package for
|
|
Perl.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Set up SSH</title>
|
|
|
|
<para>LAM logs in to the lamdaemon host via SSH with the user name and
password of the LAM admin, so your SSH daemon must offer the password
authentication method. To activate it use this configuration option in
/etc/ssh/sshd_config:</para>

<para>PasswordAuthentication yes</para>

<para>If password authentication is otherwise disabled on that host,
enable it only for the LAM admin account inside a "Match User" block
instead of globally.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Troubleshooting</title>
|
|
|
|
<para>If you have problems managing quotas and home directories then
|
|
these points might help:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>There is a test page for lamdaemon: Login to LAM and open
|
|
Tools -> Tests -> Lamdaemon test</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Check /var/log/auth.log or its equivalent on your system. This
|
|
file contains messages about all logins. If the ssh login failed
|
|
then you will find a description about the reason here.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Put sshd into debug mode. In /etc/ssh/sshd_config add these
lines (and remove them again when you are done, DEBUG3 is very
verbose):</para>
|
|
|
|
<simplelist>
|
|
<member>SyslogFacility AUTH</member>
|
|
|
|
<member>LogLevel DEBUG3</member>
|
|
</simplelist>
|
|
|
|
<para>Now check /var/log/syslog for messages from sshd.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Error message <emphasis role="bold">"Your LAM admin user (...)
|
|
must be a valid Unix account to work with lamdaemon!"</emphasis>: This
|
|
happens if you use the default LDAP admin/manager user to login to LAM.
|
|
Please see <link linkend="a_lamdaemonConf">here</link> and setup a Unix
|
|
account.</para>
|
|
</section>
|
|
</appendix>
|
|
|
|
<appendix id="a_passwordSelfResetSchema">
|
|
<title>Setup password self reset schema (LAM Pro)</title>
|
|
|
|
<section id="passwordSelfResetSchema_new">
|
|
<title>New installation</title>
|
|
|
|
<para>Please see <link
|
|
linkend="passwordSelfResetSchema_update">here</link> if you want to
|
|
upgrade an existing schema version.</para>
|
|
|
|
<para><emphasis role="bold">Schema installation</emphasis></para>
|
|
|
|
<para>Please install the schema that comes with LAM Pro. The schema
|
|
files are located in:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>tar.bz2: docs/schema</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>DEB: /usr/share/doc/ldap-account-manager/docs/schema</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RPM:
|
|
/usr/share/doc/ldap-account-manager-{VERSION}/schema</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">OpenLDAP with slapd.conf
|
|
configuration</emphasis></para>
|
|
|
|
<para>For a configuration with slapd.conf-file copy
|
|
passwordSelfReset.schema to /etc/ldap/schema/ and add this line to
|
|
slapd.conf:</para>
|
|
|
|
<literallayout> include /etc/ldap/schema/passwordSelfReset.schema
|
|
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">OpenLDAP with slapd.d
|
|
configuration</emphasis></para>
|
|
|
|
<para>For slapd.d configurations you need to upload the schema file
|
|
passwordSelfReset.ldif via ldapadd command:</para>
|
|
|
|
<para>ldapadd -x -W -H ldap://localhost -D "cn=admin,o=test,c=de" -f
|
|
passwordSelfReset.ldif</para>
|
|
|
|
<para>Please replace "localhost" with your LDAP server and
|
|
"cn=admin,o=test,c=de" with your LDAP admin user (usually starts with
|
|
cn=admin or cn=manager).</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Samba 4</emphasis></para>
|
|
|
|
<para>The schema files are passwordSelfReset-Samba4-attributes.ldif and
|
|
passwordSelfReset-Samba4-objectClass.ldif.</para>
|
|
|
|
<para>First, you need to edit them and replace "DOMAIN_TOP_DN" with your
|
|
LDAP suffix (e.g. dc=samba4,dc=test).</para>
|
|
|
|
<para>Then install the attribute and afterwards the object class schema
|
|
file:</para>
|
|
|
|
<literallayout> ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-attributes.ldif --option="dsdb:schema update allowed"=true
|
|
ldbmodify -H /var/lib/samba/private/sam.ldb passwordSelfReset-Samba4-objectClass.ldif --option="dsdb:schema update allowed"=true
|
|
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Windows</emphasis></para>
|
|
|
|
<para>The schema file is passwordSelfReset-Windows.ldif.</para>
|
|
|
|
<para>First, you need to edit it and replace "DOMAIN_TOP_DN" with your
|
|
LDAP suffix (e.g. dc=windows,dc=test).</para>
|
|
|
|
<para>Then install the schema file as administrator on a command
|
|
line:</para>
|
|
|
|
<literallayout> ldifde -v -i -f passwordSelfReset-Windows.ldif
|
|
|
|
</literallayout>
|
|
|
|
<para>This allows setting a security question and answer for each
account.</para>
|
|
</section>
|
|
|
|
<section id="passwordSelfResetSchema_update">
|
|
<title>Schema update</title>
|
|
|
|
<para>The schema files are located in:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>tar.bz2: docs/schema/updates</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>DEB:
|
|
/usr/share/doc/ldap-account-manager/docs/schema/updates</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RPM:
|
|
/usr/share/doc/ldap-account-manager-{VERSION}/schema/updates</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>Schema versions:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Initial version (LAM Pro 3.6)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Added passwordSelfResetBackupMail (LAM Pro 4.5)</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">OpenLDAP with slapd.conf
|
|
configuration</emphasis></para>
|
|
|
|
<para>Install the schema file like a <link
linkend="passwordSelfResetSchema_new">new install</link> (the include
line in slapd.conf is already present, so skip that step).</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">OpenLDAP with slapd.d
|
|
configuration</emphasis></para>
|
|
|
|
<para>The upgrade requires to stop the LDAP server.</para>
|
|
|
|
<para>Steps:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Stop OpenLDAP with e.g. "/etc/init.d/slapd stop"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Delete the old schema file. It is located in e.g.
|
|
"/etc/ldap/slapd.d/cn=config/cn=schema" and called
|
|
"cn={XX}passwordselfreset.ldif" (XX can be any number)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Start OpenLDAP with e.g. "/etc/init.d/slapd start"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Install the schema file like a <link
|
|
linkend="passwordSelfResetSchema_new">new install</link></para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Samba 4</emphasis></para>
|
|
|
|
<para>Install these update files by following the install instructions
in the file:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>samba4_version_1_to_2_attributes.ldif</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>samba4_version_1_to_2_objectClass.ldif</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Please note that the attributes file needs to be installed
first.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Windows</emphasis></para>
|
|
|
|
<para>Install the file "windows_version_1_to_2.ldif" by following the
|
|
install instructions in the file.</para>
|
|
</section>
|
|
</appendix>
|
|
|
|
<appendix>
|
|
<title>Adapt LAM to your corporate design</title>
|
|
|
|
<para>There are cases where you might want to change LAM's default
|
|
look'n'feel to better integrate it in your company network. Changes can be
|
|
done like this:</para>
|
|
|
|
<para><emphasis role="bold">Change colors, fonts and other parts with
|
|
custom CSS</emphasis></para>
|
|
|
|
<para>You can integrate custom CSS files in LAM. It is recommended to
|
|
write a separate CSS file instead of modifying LAM's default files.</para>
|
|
|
|
<para>The CSS files are located in</para>
|
|
|
|
<literallayout> DEB/RPM: /usr/share/ldap-account-manager/style
|
|
tar.bz2: style
|
|
</literallayout>
|
|
|
|
<para>LAM will automatically integrate all CSS files in alphabetical
|
|
order. E.g. you can create a file called "900_myCompany.css" which will be
|
|
added as last file.</para>
|
|
|
|
<para>Example:</para>
|
|
|
|
<para>This will change the background color of all pages to turquoise. See
|
|
500_layout.css for LAM's default settings.</para>
|
|
|
|
<programlisting>body {
|
|
background-color: #b6eeff;
|
|
}
|
|
</programlisting>
|
|
|
|
<para>You can use the same way to change fonts, sizes and more.</para>
|
|
|
|
<para>E.g. this will reduce the default font size to 80%:</para>
|
|
|
|
<programlisting>body {
|
|
font-size: 80%;
|
|
}
|
|
|
|
.ui-button-text-only {
|
|
font-size: 100%;
|
|
}
|
|
|
|
.ui-button-text-icon-primary {
|
|
font-size: 100%;
|
|
}
|
|
</programlisting>
|
|
|
|
<para><emphasis role="bold">Custom logo</emphasis><programlisting>/* image in login box */
|
|
td.loginLogo {
|
|
background-image: url(/logos/mylogo.png);
|
|
}
|
|
|
|
/* image (24x24) in header line */
|
|
a.lamLogo {
|
|
background-image: url(/logos/mylogo.png);
|
|
}</programlisting></para>
|
|
|
|
<para><emphasis role="bold">Other images</emphasis></para>
|
|
|
|
<para>All images are located in</para>
|
|
|
|
<literallayout> DEB/RPM: /usr/share/ldap-account-manager/graphics
|
|
tar.bz2: graphics</literallayout>
|
|
|
|
<para>Please note that if you replace images then you need to reapply your
|
|
changes every time you upgrade LAM.</para>
|
|
|
|
<para><emphasis role="bold">Special changes with custom
|
|
JavaScript</emphasis></para>
|
|
|
|
<para>In rare cases it might not be sufficient to write custom CSS or
|
|
replace some image files. E.g. you might want to add custom content to all
|
|
pages.</para>
|
|
|
|
<para>For these cases you can add a custom JavaScript file that contains
|
|
your code.</para>
|
|
|
|
<para>The JavaScript files are located in</para>
|
|
|
|
<literallayout> DEB/RPM: /usr/share/ldap-account-manager/templates/lib
|
|
tar.bz2: templates/lib</literallayout>
|
|
|
|
<para>LAM will automatically integrate all .js files in alphabetical
order. E.g. you can create a file called "900_myCompany.js" which will be
added as last file. Since every file in this directory runs in the browser
of every LAM user, the directory must be writable by root (or your
deployment account) only, never by the web server user.</para>
|
|
|
|
<para><emphasis role="bold">Self service</emphasis></para>
|
|
|
|
<para>See <link linkend="selfServiceBasicSettings">here</link> for self
|
|
service customisations.</para>
|
|
</appendix>
|
|
|
|
<appendix id="clustering">
|
|
<title>Clustering LAM</title>
|
|
|
|
<para>LAM is a web application based on PHP. Therefore, clustering is not
|
|
directly a part of the application.</para>
|
|
|
|
<para>But here are some hints to run LAM in a clustered
|
|
environment.</para>
|
|
|
|
<para><emphasis role="bold">Application parts:</emphasis></para>
|
|
|
|
<para>LAM can be divided into three parts</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Software</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Configuration files</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Session files and temporary data</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">Software:</emphasis></para>
|
|
|
|
<para>This is the simplest part. Just install LAM on each cluster node.
|
|
Please note that if you run LAM Pro you will need either one license for
|
|
each active cluster node or a company license.</para>
|
|
|
|
<para><emphasis role="bold">Configuration files:</emphasis></para>
|
|
|
|
<para>These files include the LAM server profiles, account profiles, PDF
|
|
structures, ... Usually, they do not change frequently and can be put on a
|
|
shared file system (e.g. NFS, AFS, ...).</para>
|
|
|
|
<para>Please link "config" or "/var/lib/ldap-account-manager/config" to a
|
|
directory on your shared file system.</para>
|
|
|
|
<para><emphasis role="bold">Session data and temporary
|
|
files:</emphasis></para>
|
|
|
|
<para>These are critical because the files may change on every page load.
|
|
There are basically two options:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>load balancer with session stickiness: In this case your load
balancer will forward all requests of a user to the same cluster node,
so you can keep the files locally on your cluster nodes. If you already
have a load balancer then this is the simplest solution and performs
best. The disadvantage is that if a node fails then all users connected
to this node will lose their session and need to log in again.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>shared file system: This should only be used if your load
balancer does not support session stickiness or you use a different
system to distribute requests across the cluster. A shared file system
will decrease performance for all page loads.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Session data and temporary files are located in "tmp" + "sess" or
|
|
"/var/lib/ldap-account-manager/tmp" +
|
|
"/var/lib/ldap-account-manager/sess".</para>
|
|
</appendix>
|
|
|
|
<appendix>
|
|
<title>Troubleshooting</title>
|
|
|
|
<section>
|
|
<title>Functional issues</title>
|
|
|
|
<para><emphasis role="bold">Size limit</emphasis></para>
|
|
|
|
<para>You will get a message like "LDAP sizelimit exceeded, not all
|
|
entries are shown." when you hit the LDAP search limit. See the <link
|
|
linkend="size_limit_exceeded">OpenLDAP settings</link> to fix
|
|
this.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Invalid syntax errors:</emphasis></para>
|
|
|
|
<para>If you get any strange errors like "Invalid syntax" or "Invalid DN
|
|
syntax" please check if your LDAP schema matches LAM's
|
|
requirements.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Schema test:</emphasis></para>
|
|
|
|
<para>This can be done by running "Tools" -> "Tests" -> "Schema
|
|
test" inside LAM.</para>
|
|
|
|
<para>If there are any object classes or attributes missing you will get
a notice. See <link linkend="a_schema">LDAP schema files</link> for a
list of used schemas. You may also want to deactivate unused modules in
your LAM server profile (tab "Modules").</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/schemaTest.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
</literallayout>

<para><emphasis role="bold">LDAP Logging:</emphasis></para>
|
|
|
|
<para>If your schema is correct you can turn on LDAP logging to get more
|
|
detailed error messages from your LDAP server.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">OpenLDAP logging:</emphasis></para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>slapd.conf: In /etc/ldap/slapd.conf turn logging on with the
|
|
line "loglevel 256".</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>slapd.d: In /etc/ldap/slapd.d/cn=config.ldif please change the
|
|
attribute "olcLogLevel" to "Stats". Please add a line "olcLogLevel:
|
|
Stats" if the attribute is missing.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>After changing the configuration please restart OpenLDAP. It
|
|
usually uses /var/log/syslog for log output.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">PHP logging</emphasis></para>
|
|
|
|
<para>Sometimes it can help to enable PHP logging inside LAM. You can do
|
|
this in the <link linkend="conf_logging">logging area</link> of LAM's
|
|
main configuration. Set the logging option to "all" and check if there
|
|
are any messages printed in your browser window. Please note that not
|
|
every notice message is an error but it may help to find the
|
|
problem.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Performance issues</title>
|
|
|
|
<para>LAM is tested to work with 10000 users with acceptable
|
|
performance. If you have a larger directory or slow hardware then here
|
|
are some points to increase performance.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>The first step is to check if performance problems are caused by
|
|
the LAM web server or the LDAP server. Please check which machine
|
|
suffers from high system load (CPU/memory consumption).</para>
|
|
|
|
<para>High network latency may also be a problem. For large
|
|
installations please make sure that LAM web server and LDAP server are
|
|
located in the same building/server room.</para>
|
|
|
|
<para>If you run LAM on multiple nodes (DNS load balancing/hardware load
|
|
balancer) then also check the <link linkend="clustering">clustering
|
|
section</link>.</para>
|
|
|
|
<section>
|
|
<title>LDAP server</title>
|
|
|
|
<para><emphasis role="bold">Use indices</emphasis></para>
|
|
|
|
<para>Depending on the queries it may help to add some more indices on
|
|
the LDAP server. Depending on your LDAP software it may already
|
|
suggest indices in its log files. See <link
|
|
linkend="indices">here</link> for typical OpenLDAP indices.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Reduce query results by splitting LDAP
|
|
management into multiple server profiles</emphasis></para>
|
|
|
|
<para>If you manage a very large directory then it might already be
|
|
separated into multiple subtrees (e.g. by country, subsidiary, ...).
|
|
Do not use a single LAM server profile to manage your whole directory.
|
|
Use different server profiles for each separated LDAP subtree where
|
|
possible (e.g. one for German users and one for French ones).</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Limit query results</emphasis></para>
|
|
|
|
<para>LAM allows you to set an <link linkend="general_settings">LDAP
search limit</link> for each server profile. This will limit the number
of entries returned by your LDAP server. Use with caution because it can
cause problems (e.g. with automatic UID generation) when LAM is not
able to read all entries.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configProfiles4.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>LAM web server</title>
|
|
|
|
<para><emphasis role="bold">Install a PHP
|
|
accelerator</emphasis></para>
|
|
|
|
<para>There are tools like <ulink
|
|
url="http://www.php.net/manual/en/book.apc.php">APC</ulink> (free) or
|
|
<ulink url="http://www.zend.com/en/products/server/">Zend
|
|
Server</ulink> (commercial) that provide caching of PHP pages to
|
|
improve performance. They will reduce the time for parsing the PHP
|
|
pages and IO load.</para>
|
|
|
|
<para>This is a simple way to enhance performance since APC is part of
most Linux distributions.</para>
|
|
|
|
<para>If you use APC then make sure that it uses enough memory (e.g.
|
|
"apc.shm_size=128M"). You can check the memory usage with the file
|
|
apc.php that is shipped with APC.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/apc.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Disable session
|
|
encryption</emphasis></para>
|
|
|
|
<para>LAM encrypts sensitive data in your session files (such as the
cached LDAP entries mentioned in the description of the "sess"
directory). You can <link linkend="sessionEncryption">disable</link> it
to reduce CPU load, but the session files then hold these data in clear
text, so only do this if the "sess" directory is readable by the web
server user alone.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configGeneral1.png" />
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
</appendix>
|
|
</book>
|