<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Groups</title><link rel="stylesheet" type="text/css" href="style.css"><meta name="generator" content="DocBook XSL Stylesheets V1.76.1"><link rel="home" href="index.html" title="LDAP Account Manager - Manual"><link rel="up" href="ch03.html" title="Chapter&nbsp;3.&nbsp;Managing entries in your LDAP directory"><link rel="prev" href="ch03.html" title="Chapter&nbsp;3.&nbsp;Managing entries in your LDAP directory"><link rel="next" href="ch03s03.html" title="Hosts"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Groups</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch03.html">Prev</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;3.&nbsp;Managing entries in your LDAP directory</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="ch03s03.html">Next</a></td></tr></table><hr></div><div class="section" title="Groups"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="idp5767232"></a>Groups</h2></div></div></div><div class="section" title="Unix"><div class="titlepage"><div><div><h3 class="title"><a name="idp5768128"></a>Unix</h3></div></div></div><p>This module is used to manage Unix group entries. It is the
default module to manage Unix groups and uses the nis.schema. Suse
users who use the rfc2307bis.schema need to use LAM Pro.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_unixGroup.png"></div></div></div><div class="section" title="Unix groups with rfc2307bis schema (LAM Pro)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5771152"></a>Unix groups with rfc2307bis schema (LAM Pro)</h3></div></div></div><p>Some applications (e.g. Suse Linux) use the rfc2307bis schema
for Unix accounts instead of the nis schema. In this case group
accounts are based on the object class <a lang="" class="link" href="ch03s05.html" title="Group of (unique) names (LAM Pro)">groupOf(Unique)Names</a> or namedObject,
and posixGroup is only an auxiliary object class.</p><p>LAM Pro supports these groups with a special account module:
<span class="bold"><strong>rfc2307bisPosixGroup</strong></span></p><p>Use this module only if your system depends on the rfc2307bis
schema. The module can be selected in the LAM configuration. Instead
of using groupOfNames as the basis for your groups you may also use
namedObject.</p><div class="screenshot"><div class="mediaobject"><img src="images/rfc2307bis.png"></div></div><div class="screenshot"><div class="mediaobject"><img src="images/mod_unixGroupLAMPro.png"></div></div></div><div class="section" title="Samba 3"><div class="titlepage"><div><div><h3 class="title"><a name="idp5778256"></a>Samba 3</h3></div></div></div><p>LAM supports managing Samba 3 groups. You can set special group
types and also create Windows predefined groups like "Domain
admins".</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_sambaGroup.png"></div></div></div><div class="section" title="Quota"><div class="titlepage"><div><div><h3 class="title"><a name="idp5781216"></a>Quota</h3></div></div></div><p>You can manage file system quotas with LAM. This requires you to
set up <a class="link" href="apd.html" title="Appendix&nbsp;D.&nbsp;Setup for home directory and quota management">lamdaemon</a>. File system quotas
are not stored inside LAM but managed directly on the specified
servers.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_quotaGroup.png"></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch03.html">Prev</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="ch03.html">Up</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="ch03s03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter&nbsp;3.&nbsp;Managing entries in your LDAP directory&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">&nbsp;Hosts</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Users</title><link rel="stylesheet" type="text/css" href="style.css"><meta name="generator" content="DocBook XSL Stylesheets V1.76.1"><link rel="home" href="index.html" title="LDAP Account Manager - Manual"><link rel="up" href="ch03.html" title="Chapter&nbsp;3.&nbsp;Managing entries in your LDAP directory"><link rel="prev" href="ch03.html" title="Chapter&nbsp;3.&nbsp;Managing entries in your LDAP directory"><link rel="next" href="ch03s03.html" title="Groups"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch03.html">Prev</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;3.&nbsp;Managing entries in your LDAP directory</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="ch03s03.html">Next</a></td></tr></table><hr></div><div class="section" title="Users"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="idp5607232"></a>Users</h2></div></div></div><p>LAM manages various types of user accounts. This includes address
book entries, Unix, Samba, Zarafa and much more.</p><p><span class="bold"><strong>Account list settings:</strong></span></p><p>The user list includes two special options to change how your
users are displayed.</p><div class="screenshot"><div class="mediaobject"><img src="images/userListOptions.png"></div></div><p><span class="emphasis"><em>Translate GID number to group name:</em></span> By
default the user list can show the primary group IDs (GIDs) of your
users. There are often cases where it is more suitable to show the group
name instead. This can be done by activating this option. Please note
that LAM will then execute more LDAP queries, which may result in decreased
performance.</p><div class="screenshot"><div class="mediaobject"><img src="images/userListOptionTransPrimary.png"></div></div><p><span class="emphasis"><em>Show account status:</em></span> If you activate this
option, an additional column is displayed that shows whether
the account is locked. You can see more details when moving the mouse
cursor over the lock icon. This function supports Unix, Samba and
PPolicy.</p><div class="screenshot"><div class="mediaobject"><img src="images/userListOptionAccountStatus.png"></div></div><p><span class="bold"><strong>Quick account (un)locking:</strong></span></p><p>When you edit a user, LAM lets you quickly lock or unlock the
whole account. This includes Unix, Samba and PPolicy. LAM can also
remove group memberships if an account is locked.</p><p>You will see the current status of all account parts in the title
area of the account.</p><div class="screenshot"><div class="mediaobject"><img src="images/userAccountStatus1.png"></div></div><p>If you click on the lock icon, a dialog opens to
change these values. Depending on which parts are locked, LAM will
provide options to lock/unlock account parts.</p><div class="screenshot"><div class="mediaobject"><img src="images/userAccountStatus2.png"></div></div><div class="screenshot"><div class="mediaobject"><img src="images/userAccountStatus3.png"></div></div><div class="section" title="Personal"><div class="titlepage"><div><div><h3 class="title"><a name="idp5625584"></a>Personal</h3></div></div></div><p>This module is the most common basis for user accounts in LAM.
You can use it stand-alone to manage address book entries or in
combination with Unix, Samba or other modules.</p><p>The Personal module provides support for managing various
personal data of your users including mail addresses and telephone
numbers. You can also add photos of your users. If you do not need to
manage all attributes, you can deactivate them in your server
profile.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_personal.png"></div></div><p>User certificates can be uploaded and downloaded. LAM will
automatically convert PEM to DER format.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_personal2.png"></div></div><div class="table"><a name="idp5631328"></a><p class="title"><b>Table&nbsp;3.1.&nbsp;LDAP attribute mappings</b></p><div class="table-contents"><table summary="LDAP attribute mappings" border="1"><colgroup><col><col></colgroup><thead><tr><th align="center">Attribute name</th><th align="center">Name inside LAM</th></tr></thead><tbody><tr><td>businessCategory</td><td>Business category</td></tr><tr><td>carLicense</td><td>Car license</td></tr><tr><td>cn/commonName</td><td>Common name</td></tr><tr><td>departmentNumber</td><td>Department(s)</td></tr><tr><td>description</td><td>Description</td></tr><tr><td>employeeNumber</td><td>Employee number</td></tr><tr><td>employeeType</td><td>Employee type</td></tr><tr><td>facsimileTelephoneNumber/fax</td><td>Fax number</td></tr><tr><td>givenName/gn</td><td>First name</td></tr><tr><td>homePhone</td><td>Home telephone number</td></tr><tr><td>initials</td><td>Initials</td></tr><tr><td>jpegPhoto</td><td>Photo</td></tr><tr><td>l</td><td>Location</td></tr><tr><td>mail/rfc822Mailbox</td><td>Email address</td></tr><tr><td>manager</td><td>Manager</td></tr><tr><td>mobile/mobileTelephoneNumber</td><td>Mobile number</td></tr><tr><td>organizationName/o</td><td>Organisation</td></tr><tr><td>physicalDeliveryOfficeName</td><td>Office name</td></tr><tr><td>postalAddress</td><td>Postal address</td></tr><tr><td>postalCode</td><td>Postal code</td></tr><tr><td>postOfficeBox</td><td>Post office box</td></tr><tr><td>registeredAddress</td><td>Registered address</td></tr><tr><td>roomNumber</td><td>Room number</td></tr><tr><td>sn/surname</td><td>Last name</td></tr><tr><td>st</td><td>State</td></tr><tr><td>street/streetAddress</td><td>Street</td></tr><tr><td>telephoneNumber</td><td>Telephone number</td></tr><tr><td>title</td><td>Job title</td></tr><tr><td>userCertificate</td><td>User certificates</td></tr><tr><td>uid/userid</td><td>User name</td></tr><tr><td>userPassword</td><td>Password</td></tr></tbody></table></div></div><br class="table-break"></div><div class="section" title="Unix"><div class="titlepage"><div><div><h3 class="title"><a name="idp5670960"></a>Unix</h3></div></div></div><p>The Unix module manages Unix user accounts including group
memberships.</p><p>There are several configuration options for this module:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>UID generator: LAM will suggest UID numbers for your
accounts. Please note that duplicate IDs may be assigned if several
LAM users create accounts at the same time. Use an
<a class="ulink" href="http://www.openldap.org/doc/admin24/overlays.html" target="_top">overlay</a>
like "Attribute Uniqueness" if you have lots of LAM admins
creating accounts.</p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>Fixed range: LAM searches for free numbers within the
given limits. LAM always tries to use a free UID that is
greater than the existing UIDs to prevent collisions with
deleted accounts.</p></li><li class="listitem"><p>Samba ID pool: This uses a special LDAP entry that
includes attributes that store a counter for the last used
UID/GID. Please note that this requires that you install the
Samba schema and create an LDAP entry of object class
"sambaUnixIdPool".</p></li></ul></div></li><li class="listitem"><p>Password hash type: If possible use CRYPT-SHA512 or SSHA to
protect your users' passwords.</p></li><li class="listitem"><p>Login shells: List of valid login shells that can be
selected when editing an account.</p></li><li class="listitem"><p>Hidden options: Some input fields can be hidden to simplify
the GUI if you do not need them.</p></li></ul></div><div class="screenshot"><div class="mediaobject"><img src="images/mod_unixUserConfig.png"></div></div><p>The user name is automatically filled as specified in the
configuration (default smiller for Steve Miller). Of course, the
suggested value can be changed at any time. Common name is also filled
with first/last name by default.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_unixUser.png"></div></div><p>Group memberships can be changed by clicking on "Edit groups".
Here you can select the Unix groups and group of names
memberships.</p><p>To enable "Group of names" please either add the groups module
"groupOfNames"/"groupOfUniqueNames" or add the account type "Group of
names".</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_unixUserGroups.png"></div></div><p>You can also create home directories for your users if you set up
<a class="link" href="apd.html" title="Appendix&nbsp;D.&nbsp;Setup for home directory and quota management">lamdaemon</a>. This allows you to
create the directories on the local or remote servers.</p><p>It is also possible to check the status of the user's home
directories. If needed, the directories can be created or removed at
any time.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_unixUserHomedir.png"></div></div></div><div class="section" title="Group of names (LAM Pro)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5690048"></a>Group of names (LAM Pro)</h3></div></div></div><p>This module manages memberships in group of (unique) names. To
activate this feature please add the user module "Group of names
(groupOfNamesUser)" to your LAM server profile.</p><p>Please note that this module cannot be used if the Unix module
is active. In this case group memberships may be managed with the Unix
module.</p><p>The module automatically detects if groups are based on
"groupOfNames" or "groupOfUniqueNames" and sets the correct
attribute.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_groupOfNamesUser.png"></div></div></div><div class="section" title="Shadow"><div class="titlepage"><div><div><h3 class="title"><a name="idp5694160"></a>Shadow</h3></div></div></div><p>LAM supports managing the LDAP replacement for
/etc/shadow. Here you can set up password policies for your Unix
accounts and also view the last password change of a user.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_shadow.png"></div></div></div><div class="section" title="Password self reset (LAM Pro)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5697168"></a>Password self reset (LAM Pro)</h3></div></div></div><p>LAM Pro allows your users to reset their passwords by answering
a security question. The reset link is displayed on the <a class="link" href="ch06s03.html#PasswordSelfReset" title="Password self reset">self service page</a>. Additionally,
you can set question + answer in the admin interface.</p><p>Please note that self service and the LAM admin interface are
separate functionalities. You need to specify the list of possible
security questions in both self service profile(s) and server
profile(s).</p><p><span class="bold"><strong>Schema</strong></span></p><p>Please install the schema that comes with LAM Pro:
docs/schema/passwordSelfReset.schema or
docs/schema/passwordSelfReset.ldif</p><p>This allows you to set a security question + answer for each
account.</p><p><span class="bold"><strong>Activate password self reset
module</strong></span></p><p>Please activate the password self reset module in your LAM Pro
server profile.</p><div class="screenshot"><div class="mediaobject"><img src="images/passwordSelfReset7.png"></div></div><p>Now select the tab "Module settings" and specify the list of
possible security questions. Only these questions will be selectable
when you later edit accounts.</p><div class="screenshot"><div class="mediaobject"><img src="images/passwordSelfReset8.png"></div></div><p><span class="bold"><strong>Edit users</strong></span></p><p>After everything is set up, please log in to LAM Pro and edit your
users. You will see a new tab called "Password self reset". Here you
can activate/remove the password self reset function for each user.
You can also change the security question and answer.</p><div class="screenshot"><div class="mediaobject"><img src="images/passwordSelfReset9.png"></div></div></div><div class="section" title="Hosts"><div class="titlepage"><div><div><h3 class="title"><a name="idp5709760"></a>Hosts</h3></div></div></div><p>You can specify a list of valid host names where the user may
log in. If you add the value "*" then the user may log in to any host.
This can be further restricted by adding explicit deny entries which
are prefixed with "!" (e.g. "!hr_server").</p><p>Please note that your PAM settings need to support host
restrictions. This feature is enabled by setting <span class="bold"><strong>pam_check_host_attr yes</strong></span> in your <span class="bold"><strong>/etc/pam_ldap.conf</strong></span>. When it is enabled, the
account facility of pam_ldap will perform the checks and return an
error when no proper host attribute is present. Please note that users
without a host attribute cannot log in to a server configured this
way.</p><div class="screenshot"><div class="mediaobject"><img src="images/hostObject.png"></div></div></div><div class="section" title="Samba 3"><div class="titlepage"><div><div><h3 class="title"><a name="idp5714896"></a>Samba 3</h3></div></div></div><p>LAM supports full Samba 3 user management including logon hours
and terminal server options.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_samba3User1.png"></div></div><div class="screenshot"><div class="mediaobject"><img src="images/mod_samba3User2.png"></div></div><div class="screenshot"><div class="mediaobject"><img src="images/mod_samba3User3.png"></div></div></div><div class="section" title="Windows (Samba 4)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5721104"></a>Windows (Samba 4)</h3></div></div></div><p>Please activate the account type "Users" in your LAM server
profile and then add the user module "Windows
(windowsUser)(*)".</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_windowsUser4.png"></div></div><p>The default list attributes are for Unix and not suitable for
Windows (blank lines in account table). Please use
"#cn;#givenName;#sn;#mail" or select your own attributes to display in
the account list.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_windowsUser1.png"></div></div><p>Now you can manage your Windows users and e.g. assign
groups.</p><p><span class="bold"><strong>Attention:</strong></span> Password changes
require a secure connection via ldaps://. Check your LAM server
profile if password changes are refused by the server.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_windowsUser2.png"></div></div><div class="screenshot"><div class="mediaobject"><img src="images/mod_windowsUser3.png"></div></div></div><div class="section" title="Filesystem quota (lamdaemon)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5731152"></a>Filesystem quota (lamdaemon)</h3></div></div></div><p>You can manage file system quotas with LAM. This requires you to
set up <a class="link" href="apd.html" title="Appendix&nbsp;D.&nbsp;Setup for home directory and quota management">lamdaemon</a>. LAM connects to
your server via SSH and manages the disk filesystem quotas. The quotas
are stored directly on the filesystem. This is the default mechanism
to store quotas for most systems.</p><p>Please add the module "Quota (quota)" for users to your LAM
server profile to enable this feature.</p><p>If you store the quota information directly inside LDAP please
see the next section.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_quotaUser.png"></div></div></div><div class="section" title="Filesystem quota (LDAP)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5735904"></a>Filesystem quota (LDAP)</h3></div></div></div><p>You can store your filesystem quotas directly in LDAP. See
<a class="ulink" href="http://sourceforge.net/projects/linuxquota/" target="_top">Linux
DiskQuota</a> for details since it requires quota tools that
support LDAP. You will need to install the quota LDAP schema to manage
the object class "systemQuotas".</p><p>Please add the module "Quota (systemQuotas)" for users to your
LAM server profile to enable this feature.</p><p>If you store the quota information on the filesystem please see
the previous section.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_systemQuotas.png"></div></div></div><div class="section" title="Kolab"><div class="titlepage"><div><div><h3 class="title"><a name="idp5740592"></a>Kolab</h3></div></div></div><p>This module supports managing Kolab accounts with LAM. E.g. you
can set the user's mail quota and define invitation policies.</p><p>Please enter an email address on the Personal page and set a
Unix password first. Both are required for Kolab to accept the
account. The email address ("Personal" page) must match your Kolab
domain, otherwise the account will not work.</p><p><span class="bold"><strong>Attention:</strong></span> The mailbox server
cannot be changed after the account has been saved. Please make sure
that the value is correct.</p><p>Kolab users should not be deleted directly with LAM. You can
mark an account for deletion, which is then carried out by the Kolab server
itself. This makes sure that the mailbox etc. is also deleted.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_kolab.png"></div></div><p>If you upgrade existing non-Kolab accounts please make sure that
the account has a Unix password.</p></div><div class="section" title="Asterisk"><div class="titlepage"><div><div><h3 class="title"><a name="idp5746336"></a>Asterisk</h3></div></div></div><p>LAM supports Asterisk accounts, too. See the <a class="link" href="ch03s07.html" title="Asterisk">Asterisk</a> section for details.</p></div><div class="section" title="EDU person"><div class="titlepage"><div><div><h3 class="title"><a name="idp5748112"></a>EDU person</h3></div></div></div><p>EDU person accounts are mainly used in university networks. You
can specify the principal name, nick names and much more.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_eduPerson.png"></div></div></div><div class="section" title="Password policy (LAM Pro)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5751056"></a>Password policy (LAM Pro)</h3></div></div></div><p>OpenLDAP supports the <a class="ulink" href="http://linux.die.net/man/5/slapo-ppolicy" target="_top">ppolicy</a> overlay
to manage password policies for LDAP entries. LAM Pro supports <a class="link" href="ch03s15.html" title="Password policies (LAM Pro)">managing the policies</a> and assigning them to
user accounts.</p><p>Please add the account type "Password policies" to your LAM
server profile and activate the "Password policy" module for the user
type.</p><div class="screenshot"><div class="mediaobject"><img src="images/ppolicyUser.png"></div></div><p>You can assign any password policy which is found in the LDAP
suffix of the "Password policies" type. When you set the policy to
"default" then OpenLDAP will use the default policy as defined in your
slapd.conf file.</p></div><div class="section" title="FreeRadius"><div class="titlepage"><div><div><h3 class="title"><a name="idp5756384"></a>FreeRadius</h3></div></div></div><p>FreeRadius is software that implements the RADIUS
authentication protocol. LAM allows you to manage several of the
FreeRadius attributes.</p><p>To activate the FreeRadius plugin please activate the FreeRadius
user module in your server profile:</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_freeRadius1.png"></div></div><p>You can disable unneeded fields on the tab "Module
settings":</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_freeRadius2.png"></div></div><p>Now you will see the tab "FreeRadius" when editing users. The
extension can be (de)activated for each user. You can set up e.g.
realm, IP and expiration date.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_freeRadius3.png"></div></div></div><div class="section" title="Heimdal Kerberos (LAM Pro)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5764208"></a>Heimdal Kerberos (LAM Pro)</h3></div></div></div><p>You can manage your Heimdal Kerberos accounts with LAM Pro.
Please add the user module "Kerberos (heimdalKerberos)" to activate
this feature.</p><p><span class="bold"><strong>Setup password changing</strong></span></p><p>LAM Pro cannot generate the password hashes itself because
Heimdal uses a proprietary format for them. Therefore, LAM Pro needs to
call e.g. kadmin to set the password.</p><p>The wildcards @@password@@ and @@principal@@ are replaced with
the password and principal name. Please use keytab authentication for this
command since it must run without any interaction.</p><p>Example to create a keytab: ktutil -k /root/lam.keytab add -p
lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1</p><p>Security hint: Please secure your LAM Pro server since the new
passwords will be visible for a short time in the process list during
password change.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_kerberos2.png"></div></div><p><span class="bold"><strong>User management</strong></span></p><p>You can specify the principal/user name, ticket lifetimes and
expiration dates. Additionally, you can set various account
options.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_kerberos1.png"></div></div></div><div class="section" title="MIT Kerberos (LAM Pro)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5773136"></a>MIT Kerberos (LAM Pro)</h3></div></div></div><p>You can manage your MIT Kerberos accounts with LAM Pro. Please
add the user module "Kerberos (mitKerberos)" to activate this feature.
If you want to manage entries based on the structural object class
"krbPrincipal" please use "Kerberos (mitKerberosStructural)"
instead.</p><p><span class="bold"><strong>Setup password changing</strong></span></p><p>LAM Pro cannot generate the password hashes itself because MIT
uses a proprietary format for them. Therefore, LAM Pro needs to call
kadmin/kadmin.local to set the password.</p><p>LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to
set the password. Please use keytab authentication for this command
since it must run without any interaction.</p><p>Keytabs may be created with the "ktutil" application.</p><p>Security hint: Please secure your LAM Pro server since the new
passwords will be visible for a short time in the process list during
password change.</p><p>Example commands:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>/usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p
realm/changepwd</p></li><li class="listitem"><p>sudo /usr/sbin/kadmin.local</p></li></ul></div><div class="screenshot"><div class="mediaobject"><img src="images/mod_mitKerberos1.png"></div></div><p><span class="bold"><strong>User management</strong></span></p><p>You can specify the principal/user name, ticket lifetimes and
expiration dates. Additionally, you can set various account
options.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_mitKerberos2.png"></div></div></div><div class="section" title="Qmail (LAM Pro)"><div class="titlepage"><div><div><h3 class="title"><a name="idp5784480"></a>Qmail (LAM Pro)</h3></div></div></div><p>LAM Pro manages all qmail attributes for users. This includes
mail addresses, ID numbers and quota settings.</p><p>Please note that the main mail address is managed on tab
"Personal" if this module is active. Otherwise, it will be on the
qmail tab.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_qmail2.png"></div></div><p>You can hide several qmail options if you do not want to manage
them with LAM. This can be done on the module settings tab of your LAM
server profile.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_qmail1.png"></div></div></div><div class="section" title="Mail routing"><div class="titlepage"><div><div><h3 class="title"><a name="idp5790160"></a>Mail routing</h3></div></div></div><p>LAM supports managing mail routing for user accounts. You can
specify a routing address, the mail server and a number of local
addresses to route. This feature can be activated by adding the "Mail
routing" module to the user account type in your server
profile.</p><div class="screenshot"><div class="mediaobject"><img src="images/mailRouting.png"></div></div></div><div class="section" title="SSH keys"><div class="titlepage"><div><div><h3 class="title"><a name="idp5793264"></a>SSH keys</h3></div></div></div><p>You can manage your public keys for SSH in LAM if you installed
the <a class="ulink" href="http://code.google.com/p/openssh-lpk/" target="_top">LPK patch for
SSH</a>. Activate the "SSH public key" module for users in the
server profile and you can add keys to your user entries.</p><div class="screenshot"><div class="mediaobject"><img src="images/ldapPublicKey.png"></div></div></div><div class="section" title="Authorized services"><div class="titlepage"><div><div><h3 class="title"><a name="idp5796928"></a>Authorized services</h3></div></div></div><p>You can set up PAM to check if a user is allowed to run a
specific service (e.g. sshd) by reading the LDAP attribute
"authorizedService". This way you can manage all allowed services via
LAM.</p><p>To activate this PAM feature please set up your <span class="bold"><strong>/etc/libnss-ldap.conf</strong></span> and set
"pam_check_service_attr" to "yes".</p><p>Inside LAM you can now set the allowed services. You may also
set up default services in your account profiles.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_authorizedServices.png"></div></div><p>You can define a list of services in your LAM server profile
that is used for autocompletion.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_authorizedServices3.png"></div></div><p>The autocompletion will show all values that contain the
entered text. To display the whole list you can press backspace in the
empty input field. Of course, you can also insert a service name that
is not in the list.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_authorizedServices2.png"></div></div></div><div class="section" title="IMAP mailboxes"><div class="titlepage"><div><div><h3 class="title"><a name="idp5806416"></a>IMAP mailboxes</h3></div></div></div><p>LAM may create and delete mailboxes on an IMAP server for your
user accounts. You will need an IMAP server that supports either SSL
or TLS for this feature.</p><p>To activate the mailbox management module please add the
"Mailbox (imapAccess)" module for the type user in your LAM server
profile:</p><div class="screenshot"><div class="mediaobject"><img src="images/imapAccess1.png"></div></div><p>Now configure the module on the tab "Module settings". Here you
can specify the IMAP server name, encryption options, the
authentication for the IMAP connection and the valid mail domains. LAM
can use either your LAM login password for the IMAP connection or
display a dialog where you need to enter the password. The mail
domains specify for which accounts mailboxes may be created/deleted.
E.g. if you enter "lam-demo.org" then mailboxes can be managed for
"user@lam-demo.org" but not for "user@example.com".</p><p>You need to install the SSL certificate of the CA that signed
your server certificate. This is usually done by installing the
certificate in /etc/ssl/certs. Different Linux distributions may offer
different ways to do this. For Debian please copy the certificate to
"/usr/local/share/ca-certificates" and run "update-ca-certificates" as
root.</p><p>It is not recommended to disable the validation of IMAP server
certificates.</p><div class="screenshot"><div class="mediaobject"><img src="images/imapAccess2.png"></div></div><p>When you edit a user account you will now see the tab
"Mailbox". Here you can create/delete the mailbox for this
user.</p><div class="screenshot"><div class="mediaobject"><img src="images/imapAccess3.png"></div></div></div><div class="section" title="Account"><div class="titlepage"><div><div><h3 class="title"><a name="s_account"></a>Account</h3></div></div></div><p>This is a very simple module to manage accounts based on the
object class "account". Usually, this is used for host accounts only.
Please pay attention that users based on the "account" object class
cannot have contact information (e.g. telephone number) as with
"inetOrgPerson".</p><p>You can enter a user/host name and a description for your
accounts.</p><div class="screenshot"><div class="mediaobject"><img src="images/mod_account.png"></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch03.html">Prev</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="ch03.html">Up</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="ch03s03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter&nbsp;3.&nbsp;Managing entries in your LDAP directory&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">&nbsp;Groups</td></tr></table></div></body></html>
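The host restriction rules from the Hosts section above ("*" allows every host, "!name" is an explicit deny, no host attribute means no login), applied to a constructed entry. This is an added example, not LAM's or pam_ldap's own code; case-insensitive host name matching is an assumption.

```python
# Added example (not LAM's or pam_ldap's own code): evaluate the "host"
# attribute values of a user entry the way the Hosts section describes
# pam_ldap doing it when pam_check_host_attr is enabled. Assumptions: host
# names are matched case-insensitively, and "!" denies override "*".
from typing import Iterable, List


def parse_host_values(ldif_text: str) -> List[str]:
    """Collect all 'host:' attribute values from an LDIF-formatted entry."""
    values = []
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "host":
            values.append(value.strip())
    return values


def host_allowed(host_values: Iterable[str], hostname: str) -> bool:
    """Return True if a login on `hostname` passes the host attribute check.

    Rules from the Hosts section:
      * "*" permits every host,
      * a value prefixed with "!" is an explicit deny for that host,
      * an entry with no host attribute at all is rejected.
    """
    target = hostname.strip().lower()
    allow_all = False
    allowed = set()
    denied = set()
    for raw in host_values:
        value = raw.strip()
        if not value:
            continue
        if value.startswith("!"):
            denied.add(value[1:].strip().lower())
        elif value == "*":
            allow_all = True
        else:
            allowed.add(value.lower())
    if not (allow_all or allowed or denied):
        # No host attribute present: pam_ldap returns an error for this user.
        return False
    if target in denied:
        # Explicit deny entries win, even when "*" is also set.
        return False
    return allow_all or target in allowed


# Constructed sample entry: every host is allowed except the HR server.
SAMPLE_ENTRY = """\
dn: uid=smiller,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: hostObject
uid: smiller
host: *
host: !hr_server
"""

if __name__ == "__main__":
    hosts = parse_host_values(SAMPLE_ENTRY)
    for candidate in ("web01", "hr_server"):
        verdict = "allowed" if host_allowed(hosts, candidate) else "denied"
        print(f"{candidate}: {verdict}")
```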
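The "Fixed range" UID suggestion described under "UID generator" in the Unix section above, together with a toy directory that enforces uniqueness of uidNumber, showing why two admins creating accounts at the same time can collide without an "Attribute Uniqueness" overlay. Added example, not LAM's own implementation; the registry class is a stand-in for the directory.

```python
# Added example (not LAM's own code): "Fixed range" UID suggestion plus a
# toy directory whose claim() behaves like an Attribute-Uniqueness check.
from typing import Iterable, Optional, Set, Tuple


def suggest_uid(existing_uids: Iterable[int], min_uid: int, max_uid: int) -> Optional[int]:
    """Suggest a free uidNumber inside [min_uid, max_uid].

    First choice is the smallest number above every UID already used in the
    range, so the ID of a deleted account is not handed out again. Only when
    the top of the range is reached does it fall back to the lowest free
    number. Returns None when the range is exhausted.
    """
    if min_uid > max_uid:
        raise ValueError("min_uid must not exceed max_uid")
    used = {uid for uid in existing_uids if min_uid <= uid <= max_uid}
    if not used:
        return min_uid
    candidate = max(used) + 1
    if candidate <= max_uid:
        return candidate
    for uid in range(min_uid, max_uid + 1):
        if uid not in used:
            return uid
    return None


class UidRegistry:
    """Stand-in for the directory; claim() rejects an already used uidNumber."""

    def __init__(self, uids: Iterable[int]) -> None:
        self._uids: Set[int] = set(uids)

    def existing(self) -> Set[int]:
        return set(self._uids)

    def claim(self, uid: int) -> None:
        if uid in self._uids:
            raise ValueError(f"uidNumber {uid} is already in use")
        self._uids.add(uid)


def concurrent_creation(registry: UidRegistry, min_uid: int, max_uid: int) -> Tuple[int, int, bool]:
    """Two admins read the directory before either writes, so both receive
    the same suggestion. Returns (first suggestion, second suggestion,
    whether the second claim succeeded); with the uniqueness check it fails."""
    first = suggest_uid(registry.existing(), min_uid, max_uid)
    second = suggest_uid(registry.existing(), min_uid, max_uid)
    registry.claim(first)
    try:
        registry.claim(second)
        second_ok = True
    except ValueError:
        second_ok = False
    return first, second, second_ok


if __name__ == "__main__":
    # Constructed directory state: two accounts exist, range 1000-2000.
    registry = UidRegistry([1000, 1001])
    print(concurrent_creation(registry, 1000, 2000))
```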
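What a userPassword value in the SSHA scheme recommended under "Password hash type" actually contains, and how it is verified. Added example, not LAM's hashing code; it assumes an 8-byte random salt and shows only SSHA (CRYPT-SHA512 values are only recognised by their "{CRYPT}$6$" prefix).

```python
# Added example (not LAM's own code): SSHA userPassword values as stored in
# LDAP, i.e. "{SSHA}" + base64(sha1(password + salt) + salt). The 8-byte
# salt length is an assumption; any salt length works for verification.
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value of the form {SSHA}base64(sha1(pw+salt)+salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value; False for any other scheme."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False  # no salt bytes present: malformed value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, digest)


def uses_recommended_scheme(stored: str) -> bool:
    """True for the salted schemes the manual recommends: SSHA or CRYPT-SHA512
    (crypt values with the "$6$" identifier). Cleartext and unsalted {SHA}
    values return False."""
    return stored.startswith(SSHA_PREFIX) or stored.startswith("{CRYPT}$6$")


if __name__ == "__main__":
    value = ssha_hash("s3cret")
    print(value, ssha_verify("s3cret", value), ssha_verify("wrong", value))
```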