<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<chapter id="a_selfService">
  <title>Self service (LAM Pro)</title>

  <section>
    <title>Preparations</title>

    <section id="openldapAcls">
      <title>OpenLDAP ACLs</title>

      <para>By default only a few administrative users have write access to
      the LDAP database. Before your users may change their settings you must
      allow them to change their LDAP data.</para>

      <para>Hint: The ACLs below are not required if you decide to run all
      operations as the LDAP bind user (option "Use for all
      operations").</para>

      <para>This can be done by adding ACLs to your slapd.conf or
      slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to
      these:</para>

      <literallayout>access to
  attrs=userPassword
  by self write
  by anonymous auth
  by * none

access to
  attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail
  by self write
  by * read</literallayout>

      <para>If you do not want them to change all attributes then reduce the
      list to fit your needs. Some modules may require additional LDAP
      attributes. You can use the tree view to get the technical attribute
      names, e.g. by selecting a user account.</para>

      <para>Usually, the slapd.conf file is located in /etc/ldap or
      /etc/openldap.</para>
    </section>

    <section>
      <title>Other LDAP servers</title>

      <para>There exist many LDAP implementations. If you do not use OpenLDAP
      you need to write your own ACLs. Please check the manual of your LDAP
      server for instructions.</para>
    </section>
  </section>

  <section>
    <title>Creating a self service profile</title>

    <para>A self service profile defines what input fields your users see and
    some other general settings like the login caption.</para>

    <para>When you go to the LAM configuration page you will see the self
    service link at the bottom. This will lead you to the self service
    configuration pages.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/conf1.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Now we need to create a new self service profile. Click on the link
    to manage the self service profiles.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/conf2.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Specify a name for the new profile and enter your master
    configuration password (default is "lam") to save the profile.</para>

    <screenshot>
      <mediaobject>
        <imageobject>
          <imagedata fileref="images/conf3.png"/>
        </imageobject>
      </mediaobject>
    </screenshot>

    <para>Now go back to the profile login and enter your master configuration
    password to edit your new profile.</para>
  </section>

  <section>
    <title>Edit your new profile</title>

    <section id="selfServiceBasicSettings">
      <title>General settings</title>

      <para>On top of the page you see the link to the user login page. Copy
      this link address and give it to your users.</para>

      <para>Below the link you can specify several options.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/conf4.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <table border="0">
        <title>General options</title>

        <tgroup cols="2">
          <tbody>
            <row>
              <entry>Server address</entry>
              <entry>The address of your LDAP server. For LDAP+SSL use
              "ldaps://myserver"</entry>
            </row>

            <row>
              <entry>Activate TLS</entry>
              <entry>Activates TLS encryption. Please note that this cannot be
              combined with LDAP+SSL ("ldaps://").</entry>
            </row>

            <row>
              <entry>LDAP suffix</entry>
              <entry>The part of the LDAP tree where LAM should search for
              users</entry>
            </row>

            <row>
              <entry>LDAP search attribute</entry>
              <entry>Here you can specify if your users can log in with user
              name + password, email + password or other attributes.</entry>
            </row>

            <row>
              <entry>Follow referrals</entry>
              <entry>By default LAM will not follow LDAP referrals. This is ok
              for most installations. If you use LDAP referrals please
              activate the referral option in advanced settings.</entry>
            </row>

            <row>
              <entry>LDAP user + password</entry>
              <entry>The DN and password which is used to search for users in
              the LDAP database. It is sufficient if this DN has only read
              rights. If you leave these fields empty LAM will try to connect
              anonymously.</entry>
            </row>

            <row>
              <entry>Use for all operations</entry>
              <entry>By default LAM will use the credentials of the user that
              logged in to self service for read/modify operations. If you
              select this box then the connection user specified before will
              be used instead. Please note that this can be a security risk
              because the user requires write access to all users. You need to
              make sure that your LAM server is well protected.</entry>
            </row>

            <row>
              <entry>Additional LDAP filter</entry>
              <entry>Use this to enter an additional LDAP filter (e.g.
              "(objectClass=passwordSelfReset)") to reduce the number of
              accounts who may use self service.</entry>
            </row>

            <row>
              <entry>HTTP authentication</entry>
              <entry>You can enable HTTP authentication for your users. This
              way the web server is responsible for authenticating your users.
              LAM will use the given user name + password for the LDAP login.
              To set up HTTP authentication in Apache please see this <ulink
              url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</entry>
            </row>

            <row>
              <entry>Default language</entry>
              <entry>This language is preselected on login.</entry>
            </row>

            <row>
              <entry>Enforce language</entry>
              <entry>Disables language selection and uses the default
              language.</entry>
            </row>

            <row>
              <entry>Time zone</entry>
              <entry>Please provide your time zone.</entry>
            </row>

            <row>
              <entry>Base URL</entry>
              <entry>Please enter the base URL of your webserver (e.g.
              https://www.example.com). This is used to generate links in
              emails for password self reset and user self
              registration.</entry>
            </row>

            <row>
              <entry>Login attribute label</entry>
              <entry>This is the description for the LDAP search attribute.
              Set it to something which your users are familiar with.</entry>
            </row>

            <row>
              <entry>Password field label</entry>
              <entry>This text is placed as label for the password field on
              the login page. LAM will use "Password" if you do not enter any
              text.</entry>
            </row>

            <row>
              <entry>Login caption</entry>
              <entry>This text is displayed on the login page inside the login
              mask.</entry>
            </row>

            <row>
              <entry>Login footer</entry>
              <entry>This text is displayed on the login page below the login
              mask.</entry>
            </row>

            <row>
              <entry>Main page caption</entry>
              <entry>This text is displayed on the self service main page
              where your users change their data.</entry>
            </row>

            <row>
              <entry>Main page footer</entry>
              <entry>This text is displayed as footer on the self service main
              page where your users change their data.</entry>
            </row>

            <row>
              <entry>Page header</entry>
              <entry>This HTML code will be placed on top of all self service
              pages. E.g. you can use this to place your custom logo. Any HTML
              code is permitted.</entry>
            </row>

            <row>
              <entry>Base color</entry>
              <entry>Here you can change the background color for the user
              pages.</entry>
            </row>

            <row>
              <entry>Additional CSS links</entry>
              <entry>Here you can specify additional CSS links to change the
              layout of the self service pages. This is useful to adapt them
              to your corporate design. Please enter one link per
              line.</entry>
            </row>
          </tbody>
        </tgroup>
      </table>

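      <para>As an added example (not LAM's own code), the following Python
      builds the LDAP search filter that the options "LDAP search attribute"
      and "Additional LDAP filter" imply for a self service login, and
      escapes the value the user typed (RFC 4515) so that characters with a
      special meaning in LDAP filters cannot change the query. The function
      and parameter names are assumptions made for illustration.</para>

      <programlisting><![CDATA[
```python
"""Build the search filter used to look up a self service login.

Added example, not LAM's own code: it mirrors the profile options
"LDAP search attribute" and "Additional LDAP filter" and shows why the
login value must be escaped before it is placed in the filter.
"""
import re

# Characters with a special meaning inside an LDAP filter value (RFC 4515).
_SPECIAL = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 127:
            # Non-ASCII characters: escape every UTF-8 byte as \XX.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter(search_attribute: str, login_value: str,
                       additional_filter: str = "") -> str:
    """Combine the search attribute with the optional additional filter.

    search_attribute  - attribute the user logs in with (e.g. "uid" or "mail")
    login_value       - what the user typed into the login form (untrusted)
    additional_filter - the profile option "Additional LDAP filter", e.g.
                        "(objectClass=passwordSelfReset)"; either empty or a
                        complete filter enclosed in parentheses
    """
    # Attribute names come from the profile, not the user; still validate.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", search_attribute):
        raise ValueError("invalid attribute name: %r" % search_attribute)
    if not login_value:
        raise ValueError("empty login value")
    base = "(%s=%s)" % (search_attribute, escape_filter_value(login_value))
    extra = additional_filter.strip()
    if not extra:
        return base
    if not (extra.startswith("(") and extra.endswith(")")):
        raise ValueError("additional filter must be enclosed in parentheses")
    # AND the login lookup with the admin-defined restriction.
    return "(&%s%s)" % (base, extra)
```
]]></programlisting>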
      <section id="selfservice_2fa">
        <title>2-factor authentication</title>

        <para>LAM supports 2-factor authentication for your users. This means
        the user will not only authenticate by user+password but also with
        e.g. a token generated by a mobile device. This adds more security
        because the token is generated on a physically separated device
        (typically a mobile phone).</para>

        <para>The token is validated by a second application. LAM currently
        supports:</para>

        <itemizedlist>
          <listitem>
            <para><ulink
            url="https://www.privacyidea.org/">privacyIdea</ulink></para>
          </listitem>

          <listitem>
            <para><ulink url="https://www.yubico.com/">YubiKey</ulink></para>
          </listitem>

          <listitem>
            <para><ulink url="https://duo.com/">Duo</ulink></para>
          </listitem>

          <listitem>
            <para><ulink
            url="https://en.wikipedia.org/wiki/WebAuthn">Webauthn/FIDO2</ulink></para>
          </listitem>
        </itemizedlist>

        <para><emphasis role="bold">privacyIDEA</emphasis></para>

        <itemizedlist>
          <listitem>
            <para>Base URL: please enter the URL of your privacyIDEA
            instance</para>
          </listitem>

          <listitem>
            <para>User name attribute: please enter the LDAP attribute name
            that contains the user ID (e.g. "uid")</para>
          </listitem>

          <listitem>
            <para>Optional: By default LAM will require a token and
            reject users that have not set up one. You can set this check to
            optional. But if a user has set up a token then it will always be
            required.</para>
          </listitem>

          <listitem>
            <para>Disable certificate check: This should be used on
            development instances only. It skips the certificate check when
            connecting to the verification server.</para>
          </listitem>
        </itemizedlist>

        <para><emphasis role="bold">YubiKey</emphasis></para>

        <itemizedlist>
          <listitem>
            <para>Base URLs: please enter the URL(s) of your YubiKey
            verification server(s). If you run a custom verification API such
            as yubiserver then enter its URL (e.g.
            http://www.example.com:8000/wsapi/2.0/verify). The URL needs to
            end with "/wsapi/2.0/verify". For YubiKey cloud these are
            "https://api.yubico.com/wsapi/2.0/verify",
            "https://api2.yubico.com/wsapi/2.0/verify",
            "https://api3.yubico.com/wsapi/2.0/verify",
            "https://api4.yubico.com/wsapi/2.0/verify" and
            "https://api5.yubico.com/wsapi/2.0/verify". Enter one URL per
            line.</para>
          </listitem>

          <listitem>
            <para>Client id: this is only required for YubiKey cloud. You can
            register here: https://upgrade.yubico.com/getapikey/</para>
          </listitem>

          <listitem>
            <para>Secret key: this is only required for YubiKey cloud. You can
            register here: https://upgrade.yubico.com/getapikey/</para>
          </listitem>

          <listitem>
            <para>Optional: By default LAM will require a token and
            reject users that have not set up one. You can set this check to
            optional. But if a user has set up a token then it will always be
            required.</para>
          </listitem>

          <listitem>
            <para>Disable certificate check: This should be used on
            development instances only. It skips the certificate check when
            connecting to the verification server.</para>
          </listitem>
        </itemizedlist>

        <para><emphasis role="bold">Duo</emphasis></para>

        <para>This requires registering a new "Web SDK" application in your
        Duo admin panel.</para>

        <itemizedlist>
          <listitem>
            <para>User name attribute: please enter the LDAP attribute name
            that contains the user ID (e.g. "uid").</para>
          </listitem>

          <listitem>
            <para>Base URL: please enter the API-URL of your Duo instance
            (e.g. api-12345.duosecurity.com).</para>
          </listitem>

          <listitem>
            <para>Client id: please enter your integration key.</para>
          </listitem>

          <listitem>
            <para>Secret key: please enter your secret key.</para>
          </listitem>
        </itemizedlist>

        <para><emphasis role="bold">Webauthn/FIDO2</emphasis></para>

        <para>See the <link linkend="a_webauthn">Webauthn/FIDO2
        appendix</link> for an overview of Webauthn/FIDO2 in LAM.</para>

        <para>Users will be asked to register a device during login if no
        device is set up.</para>

        <itemizedlist>
          <listitem>
            <para>Domain: Please enter the WebAuthn domain. This is the public
            domain of the web server (e.g. "example.com"). Do not include
            protocol or port. Browsers will reject authentication if the
            domain does not match the web server domain.</para>
          </listitem>

          <listitem>
            <para>Optional: By default LAM will require a 2FA device
            and reject users that have not set up one. You can set this check to
            optional. But if a user has set up a device then it will always
            be required.</para>
          </listitem>
        </itemizedlist>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/conf7.png"/>
            </imageobject>
          </mediaobject>
        </screenshot>

        <para>After logging in with user + password LAM will ask for the 2nd
        factor. If the user has set up multiple factors then he can choose one
        of them.</para>

        <screenshot>
          <mediaobject>
            <imageobject>
              <imagedata fileref="images/conf8.png"/>
            </imageobject>
          </mediaobject>
        </screenshot>
      </section>

      <section>
        <title>Captcha</title>

        <para>LAM Pro can optionally display a captcha to verify that logins
        are not from robots. The supported captcha provider is Google
        reCAPTCHA. You will need the site and secret key for your domain. They
        can be retrieved from here: <ulink
        url="https://www.google.com/recaptcha">https://www.google.com/recaptcha</ulink></para>

        <para>Please note that your web server must be able to access
        "https://www.google.com/recaptcha/api/siteverify" to verify the
        captchas. Captchas will be displayed when you tick the checkbox to
        secure login with a captcha.</para>

        <mediaobject>
          <imageobject>
            <imagedata fileref="images/selfServiceCaptcha.png"/>
          </imageobject>
        </mediaobject>
      </section>
    </section>

    <section>
      <title>Page layout</title>

      <para>Here you can specify what input fields your users can see. It is
      also possible to group several input fields.</para>

      <para>Please use the arrow signs to change the order of the
      fields/groups.</para>

      <para>You may also set some fields as read-only for your users. This can
      be done by clicking on the lock symbol. Read-only fields can be used to
      show your users additional data on the self service page that must not
      be changed by themselves (e.g. first/last name).</para>

      <para>Sometimes, you may want to set a custom label for an input field.
      Click on the edit icon to set your own label text (Personal: Department
      is relabeled as "Business unit" here).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/conf5.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>

      <para id="selfservice_fields"><emphasis role="bold">Possible input
      fields</emphasis></para>

      <para>This is a list of input fields you may add to the self service
      page.</para>

      <table>
        <title>Self service fields</title>

        <tgroup cols="3">
          <thead>
            <row>
              <entry align="center">Account type</entry>
              <entry align="center">Option</entry>
              <entry align="center">Description</entry>
            </row>
          </thead>

          <tbody>
            <row>
              <entry><inlinemediaobject><imageobject><imagedata fileref="images/schema_ppolicy.png"/></imageobject></inlinemediaobject> Account locking</entry>
              <entry>Password expiration</entry>
              <entry>Read-only value of the password expiration date</entry>
            </row>

            <row>
              <entry><inlinemediaobject><imageobject><imagedata fileref="images/schema_asterisk.png"/></imageobject></inlinemediaobject> Asterisk (voicemail)</entry>
              <entry>Sync Asterisk password with Unix password</entry>
              <entry>This is a hidden field. It will update the Asterisk
              password each time the Unix password is changed.</entry>
            </row>

            <row>
              <entry><inlinemediaobject><imageobject><imagedata fileref="images/schema_groupOfNames.png"/></imageobject></inlinemediaobject> Group of names</entry>
              <entry>Group memberships (read-only)</entry>
              <entry/>
            </row>

            <row>
              <entry><inlinemediaobject><imageobject><imagedata fileref="images/schema_heimdal.png"/></imageobject></inlinemediaobject> Kerberos</entry>
              <entry>Sync Kerberos password with Unix password</entry>
              <entry>This is a hidden field. It will update the Kerberos
              password each time the Unix password is changed.</entry>
            </row>

            <row>
              <entry morerows="1"><inlinemediaobject><imageobject><imagedata fileref="images/schema_kolab.png"/></imageobject></inlinemediaobject> Kolab</entry>
              <entry>Delegates</entry>
              <entry>Allows the user to manage delegate permissions</entry>
            </row>

            <row>
              <entry>Invitation policy</entry>
              <entry>Invitation policy management</entry>
            </row>

            <row>
              <entry><inlinemediaobject><imageobject><imagedata fileref="images/schema_ssh.png"/></imageobject></inlinemediaobject> Password policy</entry>
              <entry>Last password change</entry>
              <entry>read-only</entry>
            </row>

            <row>
              <entry morerows="2"><inlinemediaobject><imageobject><imagedata fileref="images/schema_ssh.png"/></imageobject></inlinemediaobject> Password self reset</entry>
              <entry>Question</entry>
              <entry>Security question selection</entry>
            </row>

            <row>
              <entry>Answer</entry>
              <entry>Security answer</entry>
            </row>

            <row>
              <entry>Backup email</entry>
              <entry>(External) backup email address that has no relation to
              the user password.</entry>
            </row>

            <row>
              <entry morerows="27"><inlinemediaobject><imageobject><imagedata fileref="images/schema_user.png"/></imageobject></inlinemediaobject> Personal</entry>
              <entry>Business category</entry>
              <entry/>
            </row>

            <row>
              <entry>Car license</entry>
              <entry/>
            </row>

            <row>
              <entry>Department</entry>
              <entry/>
            </row>

            <row>
              <entry>Description</entry>
              <entry/>
            </row>

            <row>
              <entry>Email address</entry>
              <entry/>
            </row>

            <row>
              <entry>Fax number</entry>
              <entry/>
            </row>

            <row>
              <entry>First name</entry>
              <entry/>
            </row>

            <row>
              <entry>Home telephone number</entry>
              <entry/>
            </row>

            <row>
              <entry>Initials</entry>
              <entry/>
            </row>

            <row>
              <entry>Job title</entry>
              <entry/>
            </row>

            <row>
              <entry>Last name</entry>
              <entry/>
            </row>

            <row>
              <entry>Location</entry>
              <entry/>
            </row>

            <row>
              <entry>Mobile number</entry>
              <entry/>
            </row>

            <row>
              <entry>Office name</entry>
              <entry/>
            </row>

            <row>
              <entry>Organisation</entry>
              <entry/>
            </row>

            <row>
              <entry>Organisational unit</entry>
              <entry/>
            </row>

            <row>
              <entry>Photo</entry>
              <entry>Shows the user photo if set. The user may also remove the
              photo or upload a new one.</entry>
            </row>

            <row>
              <entry>Postal address</entry>
              <entry/>
            </row>

            <row>
              <entry>Postal code</entry>
              <entry/>
            </row>

            <row>
              <entry>Post office box</entry>
              <entry/>
            </row>

            <row>
              <entry>Registered address</entry>
              <entry/>
            </row>

            <row>
              <entry>Room number</entry>
              <entry/>
            </row>

            <row>
              <entry>State</entry>
              <entry/>
            </row>

            <row>
              <entry>Street</entry>
              <entry/>
            </row>

            <row>
              <entry>Telephone number</entry>
              <entry/>
            </row>

            <row>
              <entry>User certificates</entry>
              <entry>Upload of user certificates in PEM or DER format</entry>
            </row>

            <row>
              <entry>User name</entry>
              <entry/>
            </row>

            <row>
              <entry>Web site</entry>
              <entry/>
            </row>

            <row>
              <entry morerows="1"><inlinemediaobject><imageobject><imagedata fileref="images/schema_mailAlias.png"/></imageobject></inlinemediaobject> Mail routing</entry>
              <entry>Local address (read-only)</entry>
              <entry/>
            </row>

            <row>
              <entry>Mail routing address (read-only)</entry>
              <entry/>
            </row>

            <row>
              <entry morerows="4"><inlinemediaobject><imageobject><imagedata fileref="images/schema_samba.png"/></imageobject></inlinemediaobject> Samba 3</entry>
              <entry>Password</entry>
              <entry>Input field to set a new NT/LM password. The attribute
              "sambaPwdLastSet" is updated if it existed before.</entry>
            </row>

            <row>
              <entry>Sync Samba LM password with Unix password</entry>
              <entry>This is a hidden field. It will update the Samba LM
              password each time the Unix password is changed.</entry>
            </row>

            <row>
              <entry>Sync Samba NT password with Unix password</entry>
              <entry>This is a hidden field. It will update the Samba NT
              password each time the Unix password is changed.</entry>
            </row>

            <row>
              <entry>Update attribute "sambaPwdLastSet" on password
              change</entry>
              <entry>Updates the password timestamp when the password is
              synchronized with Unix.</entry>
            </row>

            <row>
              <entry>Last password change (read-only)</entry>
              <entry>Displays the date and time of the user's last password
              change.</entry>
            </row>

            <row>
              <entry morerows="1"><inlinemediaobject><imageobject><imagedata fileref="images/schema_ssh.png"/></imageobject></inlinemediaobject> Shadow</entry>
              <entry>Account expiration date (read-only)</entry>
              <entry/>
            </row>

            <row>
              <entry>Last password change (read-only)</entry>
              <entry>Displays the date and time of the user's last password
              change (Unix).</entry>
            </row>

            <row>
              <entry morerows="10"><inlinemediaobject><imageobject><imagedata fileref="images/schema_samba.png"/></imageobject></inlinemediaobject> Windows</entry>
              <entry>Password</entry>
              <entry>Change the user's password</entry>
            </row>

            <row>
              <entry>Location</entry>
              <entry/>
            </row>

            <row>
              <entry>Mail alias (read-only)</entry>
              <entry/>
            </row>

            <row>
              <entry>Office name</entry>
              <entry/>
            </row>

            <row>
              <entry>Postal code</entry>
              <entry/>
            </row>

            <row>
              <entry>Post office box</entry>
              <entry/>
            </row>

            <row>
              <entry>Proxy-Addresses (read-only)</entry>
              <entry/>
            </row>

            <row>
              <entry>State</entry>
              <entry/>
            </row>

            <row>
              <entry>Street</entry>
              <entry/>
            </row>

            <row>
              <entry>Telephone number</entry>
              <entry/>
            </row>

            <row>
              <entry>Web site</entry>
              <entry/>
            </row>

            <row>
              <entry morerows="4"><inlinemediaobject><imageobject><imagedata fileref="images/schema_unix.png"/></imageobject></inlinemediaobject> Unix</entry>
              <entry>Common name</entry>
              <entry/>
            </row>

            <row>
              <entry>Group memberships (read-only)</entry>
              <entry/>
            </row>

            <row>
              <entry>Login shell</entry>
              <entry/>
            </row>

            <row>
              <entry>Password</entry>
              <entry>This is also the source for several password
              synchronization options.</entry>
            </row>

            <row>
              <entry>Sync Unix password with Windows password</entry>
              <entry>This is a hidden field. It will update the Unix password
              each time the Windows password is changed.</entry>
            </row>

            <row>
              <entry><inlinemediaobject><imageobject><imagedata fileref="images/webauthn.png"/></imageobject></inlinemediaobject> Webauthn</entry>
              <entry>Webauthn devices</entry>
              <entry>Allows the user to manage their webauthn/FIDO2 security
              keys.</entry>
            </row>

            <row>
              <entry morerows="1"><inlinemediaobject><imageobject><imagedata fileref="images/schema_kopano.png"/></imageobject></inlinemediaobject> Kopano</entry>
              <entry>"Send as" privileges</entry>
              <entry>Defines the users who may send mail as this user</entry>
            </row>

            <row>
              <entry>Email aliases</entry>
              <entry>Email aliases</entry>
            </row>

            <row>
              <entry morerows="1"><inlinemediaobject><imageobject><imagedata fileref="images/schema_zarafa.png"/></imageobject></inlinemediaobject> Zarafa</entry>
              <entry>"Send as" privileges</entry>
              <entry>Defines the users who may send mail as this user</entry>
            </row>

            <row>
              <entry>Email aliases</entry>
              <entry>Email aliases</entry>
            </row>

            <row>
              <entry morerows="3"><inlinemediaobject><imageobject><imagedata fileref="images/schema_pykota.png"/></imageobject></inlinemediaobject> PyKota</entry>
              <entry>Balance (read-only)</entry>
              <entry>Current balance for printing</entry>
            </row>

            <row>
              <entry>Total paid (read-only)</entry>
              <entry>Total money paid</entry>
            </row>

            <row>
              <entry>Payment history</entry>
              <entry>History of user payments</entry>
            </row>

            <row>
              <entry>Job history</entry>
              <entry>History of printed jobs</entry>
            </row>
          </tbody>
        </tgroup>
      </table>
    </section>

    <section>
      <title>Module settings</title>

      <para>This allows you to configure some module specific options (e.g.
      custom scripts or password hash type).</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/conf6.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

    <section>
      <title>Samba 3</title>

      <para>LAM Pro can check the password history and minimum age for Samba 3
      password changes. In this case please provide the LDAP suffix where your
      Samba 3 domain(s) are stored.</para>

      <para>If you leave the field empty then no history and age checks will
      be done.</para>

      <para>Password history: depending on your LDAP server you might need
      ascending or descending order. Just switch the setting if the password
      history is not correctly updated.</para>

      <screenshot>
        <mediaobject>
          <imageobject>
            <imagedata fileref="images/selfServiceSambaDomains.png"/>
          </imageobject>
        </mediaobject>
      </screenshot>
    </section>

<section id="PasswordSelfReset">
|
|
<title>Password self reset</title>
|
|
|
|
<para><emphasis role="bold">Schema installation</emphasis></para>
|
|
|
|
<para>Please install the LDAP schema as described <link
|
|
linkend="a_passwordSelfResetSchema">here</link>.</para>
|
|
|
|
<para><emphasis role="bold">Settings</emphasis></para>
|
|
|
|
<para>You can allow your users to reset their passwords themselves. This
|
|
will reduce your administrative costs for cases where users forget their
|
|
passwords.</para>
|
|
|
|
<para>To enable this feature please activate the checkbox "Enable
|
|
password self reset link".</para>
|
|
|
|
<para><emphasis role="bold">Hint:</emphasis> Plese note that LAM Pro
|
|
uses security questions by default. Activate confirmation mails and then
|
|
deactivate security questions if you want to use only email
|
|
validation.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>You can now configure the minimum answer length for password reset
|
|
answers. This is checked when you allow you users to specify their
|
|
answers via the self service. Additionally, you can specify the text of
|
|
the password reset link (default: "Forgot password?"). The link is
|
|
displayed below the password field on the self service login
|
|
page.</para>
|
|
|
|
<para>Next, please enter the DN and password of an LDAP entry that is
|
|
allowed to reset the passwords. This entry needs write access to the
|
|
attributes shadowLastChange, pwdAccountLockedTime and userPassword. It
|
|
also needs read access to uid, mail, passwordSelfResetQuestion and
|
|
passwordSelfResetAnswer. Please note that LAM Pro saves the password on
|
|
your server file system. Therefore, it is required to protect your
|
|
server against unauthorised access.</para>
|
|
|
|
<para>Please also specify the list of password reset questions that the
|
|
user can choose.</para>
|
|
|
|
<para>Please note that self service and LAM admin interface are
|
|
separated functionalities. You need to specify the list of possible
|
|
security questions in both self service profile(s) and server
|
|
profile(s).</para>
|
|
|
|
<literallayout> </literallayout>
|
|
|
|
<para>You can inform your users via mail about their password change.
|
|
The mail can include the new password by using the special wildcard
|
|
"@@newPassword@@". Additionally, you may want to insert other wildcards
|
|
that are replaced by the corresponding LDAP attributes. E.g. "@@uid@@"
|
|
will be replaced by the user name. Please see <link
|
|
linkend="mailEOL">email format option</link> in case of broken mails.
|
|
See <link linkend="mailSetup">here</link> for setting up your SMTP
|
|
server.</para>
|
|
|
|
<literallayout> </literallayout>
|
|
|
|
<para>LAM Pro can send your users an email with a confirmation link to
|
|
validate their email address. Of course, this should only be used if the
|
|
email account is independent from the user password (e.g. at external
|
|
provider) or you use the backup email address feature. The mail body
|
|
must include the confirmation link by using the special wildcard
|
|
"@@resetLink@@". Additionally, you may want to insert other wildcards
|
|
that are replaced by the corresponding LDAP attributes. E.g. "@@uid@@"
|
|
will be replaced by the user name.</para>
|
|
|
|
<para>There is also an option to skip the security question at all if
|
|
email verification is enabled. In this case the password can be reset
|
|
directly after clicking on the confirmation link. Please handle with
|
|
care since anybody with access to the user's mail account can reset the
|
|
password.</para>
|
|
|
|
<para><emphasis role="bold">Captcha support</emphasis></para>
|
|
|
|
<para>LAM Pro can optionally display a captcha to verify that password
resets are not from robots. The supported captcha provider is Google
reCAPTCHA. You will need the site and secret key for your domain. These
are set up on tab "General settings" and can be retrieved from here:
<ulink
url="https://www.google.com/recaptcha">https://www.google.com/recaptcha</ulink></para>

<para>Please note that your web server must be able to access
"https://www.google.com/recaptcha/api/siteverify" to verify the
captchas: the check is done server-side, so the web server itself needs
an outbound HTTPS connection to that address. Captchas will be displayed
when you tick the checkbox to use a captcha.</para>
|
|
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset10.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
|
|
<para><emphasis role="bold">Troubleshooting:</emphasis></para>
|
|
|
|
<para>1. You get messages like "Unable to find user account."</para>
|
|
|
|
<para>This can have multiple reasons:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>security questions enabled but no security question and/or
|
|
answer set for this user</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>user name + email combination does not exist</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>no connection to LDAP server</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Turn on logging in LAM's main configuration settings. The exact
|
|
reason is logged on notice level.</para>
|
|
|
|
<para>2. You do not see security question and answer fields when logged
|
|
into self service.</para>
|
|
|
|
<para>Probably, the user does not have the object class
|
|
"passwordSelfReset" set. You can do this in admin interface. If you have
|
|
multiple users to change then use the <link
|
|
linkend="toolMultiEdit">Multi Edit Tool</link> to add the object
|
|
class.</para>
|
|
|
|
<para><emphasis role="bold">New fields for self service
|
|
page</emphasis></para>
|
|
|
|
<para>There are special fields that you may put on the self service page
|
|
for your users. These fields allow them to change the reset questions
|
|
and its answers. It is also possible to set a backup email address to
|
|
reset passwords with an external email address.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>This is an example of how these fields can be presented to your
users on the self service page:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Password reset link</emphasis></para>
|
|
|
|
<para>After activating the password self reset feature there will be a
|
|
new link on the self service login page. The text can be configured as
|
|
described above (default: "Forgot password?").</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>When a user clicks the link, he is asked to identify himself with
his user name and email address.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset5.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM Pro will use this information to find the correct LDAP entry
|
|
of this user. It then displays the user's security questions and input
|
|
fields for his new password. If the answer is correct then the new
|
|
password will be set. Additionally, pwdAccountLockedTime will be removed
|
|
and shadowLastChange updated to the current time if existing.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/passwordSelfReset6.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>User self registration</title>
|
|
|
|
<para>With LAM Pro your users can create their own accounts if you like.
LAM Pro will display an additional link on the self service login page
that allows your users to create a new account including email validation
(see <link linkend="mailSetup">here</link> for setting up your SMTP
server).</para>
|
|
|
|
<para>You enable this feature in your self service profile. Just
|
|
activate the checkbox "Enable self registration link".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/accountRegistration1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Options:</emphasis></para>
|
|
|
|
<para><emphasis>Link text:</emphasis> This is the label for the link to
|
|
the self registration. If empty "Register new account" will be
|
|
used.</para>
|
|
|
|
<para><emphasis>Admin DN and password:</emphasis> Please enter the LDAP
DN and its password that should be used to create new users. This DN
also needs to be able to do LDAP searches by uid in the self service
part of your LDAP tree. Use a dedicated DN that may only add entries
below the self service user suffix rather than a general LDAP
administrator, since its password is stored in the self service
profile.</para>
|
|
|
|
<para><emphasis>Object classes:</emphasis> This is a list of object
|
|
classes that are used to build the new user accounts. Please enter one
|
|
object class in each line. If you use LAM Pro password self reset
|
|
feature then do not forget to add "passwordSelfReset" here.</para>
|
|
|
|
<para/>
|
|
|
|
<para><emphasis>Attributes:</emphasis> This is a list of additional
attributes that the user can enter. Please note that user name, password
and email address (attribute "mail") are mandatory anyway and need not
be specified. Only if you use the legacy attribute "email" for the
account must it be specified here; attribute "mail" will then not be
shown.</para>
|
|
|
|
<para>Each line represents one LDAP attribute. The settings are
|
|
separated by "::". The first setting specifies the field type. The
|
|
second setting is the LDAP attribute name. Depending on the field type
|
|
you can enter additional options:</para>
|
|
|
|
<table>
|
|
<title/>
|
|
|
|
<tgroup cols="6">
|
|
<tbody>
|
|
<row>
|
|
<entry><emphasis role="bold">Description</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Type</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Attribute name</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">First option</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Second option</emphasis></entry>
|
|
|
|
<entry><emphasis role="bold">Third option</emphasis></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>An optional input field that is displayed on the
|
|
registration page.</entry>
|
|
|
|
<entry>optional</entry>
|
|
|
|
<entry>e.g. "givenName"</entry>
|
|
|
|
<entry>Label that is displayed on page</entry>
|
|
|
|
<entry>optional regular expression for validation (e.g.
|
|
"/^[0-9a-zA-Z]+$/")</entry>
|
|
|
|
<entry>validation message if value does not match validation
|
|
expression</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>A required input field that is displayed on the
|
|
registration page. Self registration cannot be done if such a
|
|
field is left empty by the user.</entry>
|
|
|
|
<entry>required</entry>
|
|
|
|
<entry>e.g. "sn"</entry>
|
|
|
|
<entry>Label that is displayed on page</entry>
|
|
|
|
<entry>optional regular expression for validation (e.g.
|
|
"/^[0-9a-zA-Z]+$/")</entry>
|
|
|
|
<entry>validation message if value does not match validation
|
|
expression</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Constant attribute value, not visible for the user. Can
|
|
be used to set some initial values or data that must not be
|
|
edited by the user.</entry>
|
|
|
|
<entry>constant</entry>
|
|
|
|
<entry>e.g. "homeDirectory"</entry>
|
|
|
|
<entry>attribute value, supports wildcards to insert other
attribute values (e.g. "@@uid@@")</entry>
|
|
|
|
<entry/>
|
|
|
|
<entry/>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>Auto-numbering for attributes such as uidNumber. Will do
|
|
a search for attribute values in the given range and use highest
|
|
value + 1.</entry>
|
|
|
|
<entry>autorange</entry>
|
|
|
|
<entry>e.g. uidNumber</entry>
|
|
|
|
<entry>LDAP search base, e.g.
|
|
ou=people,dc=company,dc=com</entry>
|
|
|
|
<entry>Minimum value, e.g. 1000</entry>
|
|
|
|
<entry>Maximum value, e.g. 2000</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>For a syntax description of validation expressions see <ulink
|
|
url="http://perldoc.perl.org/perlre.html">here</ulink>. Validation is
|
|
optional, you can leave these options blank.</para>
|
|
|
|
<para><emphasis role="bold">Example:</emphasis></para>
|
|
|
|
<para>optional::givenName::First name::/^[[:alnum:] ]+$/u::Please enter
|
|
a valid first name.</para>
|
|
|
|
<para>required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a valid
|
|
last name.</para>
|
|
|
|
<para>constant::homeDirectory::/home/@@uid@@</para>
|
|
|
|
<para>autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000</para>
|
|
|
|
<para>If you use the object class "inetOrgPerson" and do not provide the
|
|
"cn" attribute then LAM will set it to the user name value.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
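<para>The Python module below is an added example (not LAM Pro's code) that parses attribute lines exactly as the table above describes them, validates the user's input with the configured expressions and builds the attributes of the new entry, including the "cn" fallback for inetOrgPerson. The search() callback stands in for LAM's LDAP search during autorange, the assumption that an unused range starts at its minimum value, the translation of the PCRE expression into a Python regex (including the [:alnum:] class used in the example) and the sample data are all constructed for this example:</para>

<programlisting><![CDATA[
```python
import re

# PCRE modifiers with a Python equivalent; "u" (UTF-8) is implicit in Python 3.
_PCRE_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE, "u": 0}


class RegistrationError(ValueError):
    """Message shown to the user when the form does not validate."""


def compile_validation(expr: str) -> re.Pattern:
    """Turn a /pattern/modifiers expression into a compiled Python regex.
    Only the delimiters, the modifiers above and the POSIX class [:alnum:]
    (ASCII approximation) are translated; other PCRE-only syntax is rejected."""
    m = re.fullmatch(r"/(.*)/([A-Za-z]*)", expr, re.DOTALL)
    if not m:
        raise ValueError(f"not a /pattern/modifiers expression: {expr!r}")
    pattern = m.group(1).replace("[:alnum:]", "a-zA-Z0-9")
    flags = 0
    for mod in m.group(2):
        if mod not in _PCRE_FLAGS:
            raise ValueError(f"unsupported modifier {mod!r} in {expr!r}")
        flags |= _PCRE_FLAGS[mod]
    return re.compile(pattern, flags)


def parse_field(line: str) -> dict:
    """Parse one 'type::attribute::option...' line of the Attributes setting."""
    kind, attr, *opts = line.split("::")
    if kind in ("optional", "required"):
        label = opts[0] if opts else attr
        regex = opts[1] if len(opts) > 1 and opts[1] else None
        message = opts[2] if len(opts) > 2 else f"Invalid value for {label}."
        return {"type": kind, "attr": attr, "label": label,
                "regex": compile_validation(regex) if regex else None, "message": message}
    if kind == "constant":
        return {"type": kind, "attr": attr, "value": opts[0]}
    if kind == "autorange":
        base, low, high = opts
        return {"type": kind, "attr": attr, "base": base, "min": int(low), "max": int(high)}
    raise ValueError(f"unknown field type {kind!r}")


def next_free_value(existing, low: int, high: int) -> int:
    """Highest value already used inside [low, high] plus one; low if none is used (assumption)."""
    used = [v for v in existing if low <= v <= high]
    candidate = max(used) + 1 if used else low
    if candidate > high:
        raise RegistrationError(f"no free value left in range {low}-{high}")
    return candidate


def build_entry(field_lines, uid, mail, form, object_classes, search):
    """Build the new account's attributes. search(base, attr) replaces LAM's LDAP
    search and must return the integer values found below base (assumption)."""
    entry = {"uid": uid, "mail": mail}
    for line in field_lines:
        field = parse_field(line)
        kind, attr = field["type"], field["attr"]
        if kind in ("optional", "required"):
            value = form.get(attr, "").strip()
            if not value:
                if kind == "required":
                    raise RegistrationError(f"{field['label']} is required.")
                continue
            if field["regex"] and not field["regex"].search(value):
                raise RegistrationError(field["message"])
            entry[attr] = value
        elif kind == "constant":
            # @@name@@ is replaced by an attribute set on an earlier line, so order matters.
            entry[attr] = re.sub(r"@@(\w+)@@", lambda m: str(entry.get(m.group(1), "")), field["value"])
        elif kind == "autorange":
            entry[attr] = next_free_value(search(field["base"], attr), field["min"], field["max"])
    if "inetOrgPerson" in object_classes and "cn" not in entry:
        entry["cn"] = uid
    entry["objectClass"] = list(object_classes)
    return entry


def check_registration(field_lines, uid, mail, form, object_classes, search):
    """(entry, None) on success, (None, message) when the user's input is rejected."""
    try:
        return build_entry(field_lines, uid, mail, form, object_classes, search), None
    except RegistrationError as exc:
        return None, str(exc)


# Constructed sample: the page's own example lines and a fake LDAP search result.
EXAMPLE_FIELDS = [
    "optional::givenName::First name::/^[[:alnum:] ]+$/u::Please enter a valid first name.",
    "required::sn::Last name::/^[[:alnum:] ]+$/u::Please enter a valid last name.",
    "constant::homeDirectory::/home/@@uid@@",
    "autorange::uidNumber::ou=people,dc=company,dc=com::10000::20000",
]


def example_search(base, attr):
    return [10000, 10007, 25000]   # 25000 lies outside the range and is ignored


if __name__ == "__main__":
    print(check_registration(EXAMPLE_FIELDS, "smiller", "smiller@example.com",
                             {"givenName": "Steve", "sn": "Miller"},
                             ["inetOrgPerson", "posixAccount"], example_search))
```
]]></programlisting>

<para>Two things the example makes visible that the table does not: a constant wildcard can only reference attributes from earlier lines (and uid, mail), and autorange is a read-then-write sequence, so two registrations confirmed at the same moment can pick the same number unless the directory enforces uniqueness (for example with the OpenLDAP unique overlay).</para>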
|
|
|
|
<para>Please note that only simple input boxes are supported for account
registration. Once the account has been created, the user can log in to
self service to manage all his attributes.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Captcha support</emphasis></para>
|
|
|
|
<para>LAM Pro can optionally display a captcha to verify that
registrations are not from robots. The supported captcha provider is
Google reCAPTCHA. You will need the site and secret key for your domain.
These are set up on tab "General settings" and can be retrieved from
here: <ulink
url="https://www.google.com/recaptcha">https://www.google.com/recaptcha</ulink></para>

<para>Please note that your web server must be able to access
"https://www.google.com/recaptcha/api/siteverify" to verify the
captchas. Captchas will be displayed when you tick the checkbox to use a
captcha.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/accountRegistration4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">User view:</emphasis></para>
|
|
|
|
<para>The user can register by clicking on a link on the self service
|
|
login page:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/accountRegistration2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Here he can insert the data that you specified in the self service
|
|
profile:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/accountRegistration3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LAM will then send him an email with a validation link that is
valid for 24 hours. When he clicks on this link the account is created
in the self service user suffix. The DN will look like this:
<emphasis>uid=&lt;user name&gt;,...</emphasis></para>
|
|
|
|
<para>Please see <link linkend="mailEOL">email format option</link> in
|
|
case of broken mails.</para>
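<para>Both the registration validation link above and the confirmation link of the password self reset feature make the mailed link the only credential between the mailbox and the account, and this page states that registration links expire after 24 hours. The Python class below is an added illustration of how such a link token can be protected with a keyed MAC, an expiry and a single-use record; it is not LAM Pro's implementation, which this page does not describe. The token format, the in-memory record of used nonces and the 24 hour default are assumptions made for the example:</para>

<programlisting><![CDATA[
```python
import base64
import hashlib
import hmac
import secrets
import time

# Validity of a mailed link; 24 hours is what the page states for registration links.
LINK_TTL_SECONDS = 24 * 3600


class LinkTokenService:
    """Mints and redeems the secret part of a confirmation URL.

    Token layout: purpose|uid|expiry|nonce|HMAC. The HMAC binds all fields to a
    server-side key, the expiry enforces the validity period and the nonce is
    recorded on first use so the same link cannot be replayed. The used-nonce
    store is an in-memory set here; a deployment would persist it (assumption).
    """

    def __init__(self, key: bytes, ttl: int = LINK_TTL_SECONDS, clock=time.time):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._used_nonces = set()

    @staticmethod
    def _b64(text: str) -> str:
        # uid may contain the "|" separator, so it is encoded before it is embedded
        return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")

    @staticmethod
    def _unb64(data: str) -> str:
        return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4)).decode()

    def _mac(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, uid: str, purpose: str) -> str:
        """Return the token to embed in the mailed URL for this user and purpose."""
        expires = int(self._clock()) + self._ttl
        nonce = secrets.token_urlsafe(16)
        payload = "|".join([purpose, self._b64(uid), str(expires), nonce])
        return payload + "|" + self._mac(payload)

    def redeem(self, token: str, purpose: str):
        """Return the uid the link was issued for, or None if the token is forged,
        meant for another purpose, expired or already used."""
        parts = token.split("|")
        if len(parts) != 5:
            return None
        payload, mac = "|".join(parts[:4]), parts[4]
        # Verify the MAC first and in constant time, so nothing is learnt from a forgery.
        if not hmac.compare_digest(self._mac(payload), mac):
            return None
        token_purpose, uid_b64, expires, nonce = parts[:4]
        if token_purpose != purpose or int(expires) < int(self._clock()):
            return None
        if nonce in self._used_nonces:
            return None
        self._used_nonces.add(nonce)
        return self._unb64(uid_b64)


if __name__ == "__main__":
    service = LinkTokenService(secrets.token_bytes(32))
    token = service.issue("smiller", "password-reset")
    print(service.redeem(token, "password-reset"))   # smiller
    print(service.redeem(token, "password-reset"))   # None: second use is refused
```
]]></programlisting>

<para>The purpose field keeps a registration link from being accepted as a password reset link, and the single-use record is what limits the damage if a mailbox is read after the legitimate user has already clicked the link.</para>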
|
|
</section>
|
|
|
|
<section>
|
|
<title>Custom fields</title>
|
|
|
|
<para>This module allows you to manage LDAP attributes that are not
|
|
covered by the other LAM modules (e.g. if you use custom LDAP schemas).
|
|
You can fully define how your input fields look like:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Label</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>LDAP attribute name</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Unique name for field</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Help text</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Read-only display</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Field type: text, password, text area, checkbox, radio
|
|
buttons, select list, file upload</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Validation via regular expression</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Error message if validation fails</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>To create custom fields for the Self Service please edit your Self
|
|
Service profile and switch to tab "Module settings". Here you can add a
|
|
new field. Simply fill the fields and press on "Add".</para>
|
|
|
|
<para>Please note that the field name cannot be changed later. It is the
|
|
unique ID for this field.</para>
|
|
|
|
<para>After you created your fields please press on "Sync fields with
|
|
page layout". Now you can switch to tab "Page layout" and add your new
|
|
fields like any other standard field.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields1.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Examples for fields and their representation in Self
|
|
Service:</para>
|
|
|
|
<para><emphasis role="bold">Text field:</emphasis></para>
|
|
|
|
<para>Text fields allow to specify a <link
|
|
linkend="customFields_validation_expressions">validation
|
|
expression</link> and error message.</para>
|
|
|
|
<para>You can also enable auto-completion. In this case LAM will search
|
|
all accounts for the given attribute and provide auto-completion hints
|
|
when the user edits this field. This should only be used if there is a
|
|
limited number of different values for this attribute.</para>
|
|
|
|
<para>In case your field is a date value you can show a calendar for
|
|
easy editing.</para>
|
|
|
|
<para>Example calendar formats:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>dd.mm.yy: 31.12.2016</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>yy-mm-dd: 2016-12-31</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>d M, y: 31 Dec, 16</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>d MM, y: 31 December, 2016</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields2.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields3.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Password field:</emphasis></para>
|
|
|
|
<para>You can also manage custom password fields. LAM Pro will display
|
|
two fields where the user must enter the same password. You can hash the
|
|
password if needed.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields4.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields5.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Text area:</emphasis></para>
|
|
|
|
<para>This adds a multi-line field. The options are similar to text
|
|
fields. Additionally, you can set the size with the number of columns
|
|
and rows.</para>
|
|
|
|
<para>Please note that the <link
linkend="customFields_validation_expressions">validation
expression</link> should be set to multi-line. This is done by adding
"m" at the end. With "m" the anchors "^" and "$" match at the beginning
and end of every line, so the expression only has to match one line of
the input. If every line must match, leave "m" out and allow line breaks
inside the expression instead, e.g. /^[a-z0-9 ]+(\r?\n[a-z0-9 ]+)*$/.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields6.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields7.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Checkbox:</emphasis></para>
|
|
|
|
<para>Sometimes you may want to allow only yes/no values for your LDAP
|
|
attributes. This can be represented by a checkbox. You can specify the
|
|
values for checked and unchecked. The default value is set if the LDAP
|
|
attribute has no value.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields8.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields9.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Radio buttons:</emphasis></para>
|
|
|
|
<para>This displays a list of radio buttons where the user can select
|
|
one value.</para>
|
|
|
|
<para>You can specify a mapping of LDAP attribute values and their
|
|
display (label) on the Self Service page. To add more mapping fields
|
|
please press "Add more mapping fields".</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields10.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields11.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">Select list:</emphasis></para>
|
|
|
|
<para>Select lists allow the user to select a value in a large list of
|
|
options. The definition of the possible values and their display is
|
|
similar to radio buttons.</para>
|
|
|
|
<para>You can also allow multiple values.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields12.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation in Self Service:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields13.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields18.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para><emphasis role="bold">LDAP search select list:</emphasis></para>

<para>This is similar to "Select list" but the options are read from
LDAP. You can use this to define e.g. a DN selection list. Multiple
values are supported.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields26.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>LDAP suffix: The LDAP DN that is used as starting point to search
|
|
for LDAP entries.</para>
|
|
|
|
<para>LDAP filter: Only LDAP entries that match this filter will be
|
|
used. If all entries should be used then use "(objectclass=*)".</para>
|
|
|
|
<para>Attribute name: The values of this attribute will be used to build
|
|
the selection list.</para>
|
|
|
|
<para>Display attributes: List of attributes to show as label for the
|
|
options in select box. Attribute wildcards are surrounded by "$", e.g.
|
|
"$cn$" will be replaced by "cn" attribute. Default is "$dn$".</para>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields27.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">Constant value</emphasis></para>
|
|
|
|
<para>This will set the attribute to a constant value. You can also
|
|
specify wildcards to inject other attribute's values.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields28.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Wildcards:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>%attribute%: attribute value</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>@attribute@: first character of attribute</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>?attribute?: first character of attribute in lower case</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>!attribute!: first character of attribute in upper case</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>??attribute??: attribute in lower case</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>!!attribute!!: attribute in upper case</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>((attribute)): space if attribute is set</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>§attribute|;§: attribute values separated by ";" (you can set
other separators if you want)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Examples for attributes gn="Steve", sn="Miller" and
|
|
memberUid=("user1", "user2") (specified value -> resulting LDAP
|
|
value):</para>
|
|
|
|
<table>
  <title/>

  <tgroup cols="2">
    <tbody>
      <row>
        <entry><emphasis role="bold">Constant value</emphasis></entry>

        <entry><emphasis role="bold">Resulting LDAP value</emphasis></entry>
      </row>

      <row>
        <entry>my constant</entry>

        <entry>my constant</entry>
      </row>

      <row>
        <entry>%gn%</entry>

        <entry>Steve</entry>
      </row>

      <row>
        <entry>%gn%((gn))%sn%</entry>

        <entry>Steve Miller (would be "Miller" if gn is empty)</entry>
      </row>

      <row>
        <entry>§memberUid|, §</entry>

        <entry>user1, user2</entry>
      </row>
    </tbody>
  </tgroup>
</table>
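<para>As an added example (not LAM Pro's code), the Python function below implements the wildcard forms listed above in a single pass and reproduces the rows of the table. The entry layout (attribute name mapped to a list of values, as LDAP attributes are multi-valued) and the sample entry are constructed for this example:</para>

<programlisting><![CDATA[
```python
import re

# One alternation so every wildcard is replaced in a single pass over the template;
# the two-character forms (??x??, !!x!!) come before the one-character forms they
# would otherwise collide with.
_WILDCARD = re.compile(
    r"\?\?(?P<lower>\w+)\?\?"
    r"|!!(?P<upper>\w+)!!"
    r"|%(?P<full>\w+)%"
    r"|@(?P<first>\w+)@"
    r"|\?(?P<first_lower>\w+)\?"
    r"|!(?P<first_upper>\w+)!"
    r"|\(\((?P<space>\w+)\)\)"
    r"|§(?P<join>\w+)\|(?P<sep>[^§]*)§"
)


def expand_constant(template: str, entry: dict) -> str:
    """Expand constant-value wildcards against an entry given as attribute -> list
    of values. Every form except §...§ uses the first value; a missing attribute
    expands to the empty string, which is what makes ((attr)) useful."""

    def first(attr: str) -> str:
        values = entry.get(attr) or []
        return values[0] if values else ""

    def replace(m: re.Match) -> str:
        if m.group("join") is not None:
            return m.group("sep").join(entry.get(m.group("join")) or [])
        kind = m.lastgroup
        value = first(m.group(kind))
        return {
            "full": value,
            "first": value[:1],
            "first_lower": value[:1].lower(),
            "first_upper": value[:1].upper(),
            "lower": value.lower(),
            "upper": value.upper(),
            "space": " " if value else "",
        }[kind]

    return _WILDCARD.sub(replace, template)


# Constructed sample entry matching the table above.
EXAMPLE_ENTRY = {"gn": ["Steve"], "sn": ["Miller"], "memberUid": ["user1", "user2"]}

if __name__ == "__main__":
    for template in ("my constant", "%gn%", "%gn%((gn))%sn%", "§memberUid|, §", "!gn!. !!sn!!"):
        print(f"{template!r} -> {expand_constant(template, EXAMPLE_ENTRY)!r}")
```
]]></programlisting>

<para>Because the expansion is a single pass, a value that itself contains something looking like a wildcard (a surname with a "%" in it, say) is never expanded a second time; a naive chain of replace calls would do exactly that.</para>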
|
|
|
|
<para/>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<para>The LDAP value will be shown as text.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields29.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para><emphasis role="bold">File upload:</emphasis></para>
|
|
|
|
<para>This is used for binary data. You can restrict uploaded data to a
|
|
given file extension and set the maximum file size.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields23.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<para>Presentation:</para>
|
|
|
|
<para>The uploaded data may also be downloaded via LAM.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/customFields24.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para id="customFields_validation_expressions"><emphasis
|
|
role="bold">Validation expressions:</emphasis></para>
|
|
|
|
<para>The validation expressions follow the syntax of <ulink
url="http://perldoc.perl.org/perlre.html">Perl regular
expressions</ulink> (LAM is written in PHP and uses its Perl-compatible
engine, PCRE). They start and end with a "/", optionally followed by
modifiers such as "i". The beginning of the value is specified by "^"
and the end by "$"; without both anchors the expression only has to
match somewhere inside the value.</para>

<para>Examples:</para>

<para>/^[a-z0-9]+$/ allows small letters and numbers. The value must not
be empty ("+").</para>

<para>/^[a-z0-9]+$/i allows small and capital letters ("i" at the end
means ignore case) and numbers. The value must not be empty
("+").</para>

<para>Characters with a special meaning that must be escaped with "\"
when they are meant literally: "\", ".", "(", ")", "[", "]", "{", "}",
"^", "$", "|", "*", "+", "?" and the delimiter "/".</para>

<para>E.g. /^[a-z0-9\.]+$/i allows letters, numbers and dots. The "+" is
needed here as well; without it the expression would accept exactly one
character.</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Adapt the self service to your corporate design</title>
|
|
|
|
<para>LAM Pro allows you to integrate custom CSS style definitions and
design the header of all self service pages. This way you can integrate
your own logo and use your company's colors.</para>
|
|
|
|
<section>
|
|
<title>Custom header</title>
|
|
|
|
<para>The default LAM Pro header includes a logo and a horizontal line.
You can enter any HTML code here. It is inserted as-is into the self
service pages after the body tag. Whoever can edit the self service
profile can therefore place arbitrary HTML, including scripts, on every
self service page, so treat write access to the profile as administrative
access.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configPageHeader.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
|
|
<section>
|
|
<title>CSS files</title>
|
|
|
|
<para>Usually, companies have regulations about their corporate design
|
|
and use common CSS files. This assures a common appearance of all
|
|
intranet pages (e.g. colors and fonts). To include additional CSS files
|
|
just use the following setting for this task. The additional CSS links
|
|
will be added after LAM Pro's default CSS link. This way you can
|
|
overwrite LAM Pro's style.</para>
|
|
|
|
<screenshot>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/configCSS.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</screenshot>
|
|
</section>
|
|
</section>
|
|
</chapter>
|