File: /home/posscale/subdomains/Phone_directories/docs/manual/ch03s02.html
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Server profiles</title><link rel="stylesheet" type="text/css" href="style.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="LDAP Account Manager - Manual"><link rel="up" href="ch03.html" title="Chapter�3.�Configuration"><link rel="prev" href="ch03.html" title="Chapter�3.�Configuration"><link rel="next" href="ch04.html" title="Chapter�4.�Managing entries in your LDAP directory"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Server profiles</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch03.html">Prev</a>�</td><th width="60%" align="center">Chapter�3.�Configuration</th><td width="20%" align="right">�<a accesskey="n" href="ch04.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="serverProfiles"></a>Server profiles</h2></div></div></div><p>The server profiles store information about your LDAP server (e.g.
host name) and what kind of accounts (e.g. users and groups) you would
like to manage. There is no limit on the number of server profiles. See
the <a class="link" href="ch03s02.html#confTypicalScenarios" title="Typical scenarios">typical scenarios</a> about
how to structure your server profiles.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="idp50259488"></a>Manage server profiles</h3></div></div></div><p>Select "Manage server profiles" to open the profile management
page.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles1.png"></div></div><p>Here you can create, rename and delete server profiles. The
<a class="link" href="apb.html#a_configPasswords" title="LAM configuration passwords">passwords</a> of your server
profiles can also be reset.</p><p>You may also specify the default server profile. This is the
server profile which is preselected at the login page. It also
specifies the language of the login and configuration pages.</p><p><span class="bold"><strong>Templates for new server
profiles</strong></span></p><p>You can create a new server profile based on one of the built-in
templates or any existing profile. Of course, the account types and
selected modules can be changed after you created your profile.</p><p>Built-in templates:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>addressbook: simple profile for user management with
inetOrgPerson object class</p></li><li class="listitem"><p>samba3: Samba 3 users, groups, hosts and domains</p></li><li class="listitem"><p>unix: Unix users and groups (posixAccount/Group)</p></li><li class="listitem"><p>windows_samba4: Active Directory user, group and host
management</p></li></ul></div><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles2.png"></div></div><p>All operations on the profile management page require that you
authenticate yourself with the <a class="link" href="apb.html#a_configPasswords" title="LAM configuration passwords">configuration master
password</a>.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="idp50272256"></a>Editing a server profile</h3></div></div></div><p>Please select you server profile and enter its password to edit
a server profile.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles3.png"></div></div><p>Each server profile contains the following information:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="bold"><strong>General settings:</strong></span> general
settings about your LDAP server (e.g. host name and security
settings)</p></li><li class="listitem"><p><span class="bold"><strong>Account types:</strong></span> list of
account types (e.g. users and groups) that you would like to
manage and type specific settings (e.g. LDAP suffix)</p></li><li class="listitem"><p><span class="bold"><strong>Modules:</strong></span> list of modules
which define what account aspects (e.g. Unix, Samba, Kolab) you
would like to manage</p></li><li class="listitem"><p><span class="bold"><strong>Module settings:</strong></span> settings
which are specific for the selected account modules on the page
before</p></li></ul></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="general_settings"></a>General settings</h4></div></div></div><p>Here you can specify the LDAP server and some security
settings.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles4.png"></div></div><p>The server address of your LDAP server can be a DNS name or an
IP address. Use ldap:// for unencrypted LDAP connections or TLS
encrypted connections. LDAP+SSL (LDAPS) encrypted connections are
specified with ldaps://. The port value is optional. TLS cannot be
combined with ldaps://.</p><p>Hint: If you use a master/slave setup with referrals then
point LAM to your master server. Due to bugs in the underlying LDAP
libraries pointing to a slave might cause issues on write
operations.</p><p>LAM includes an LDAP browser which allows direct modification
of LDAP entries. If you would like to use it then enter the LDAP
suffix at "Tree suffix".</p><p>The search limit is used to reduce the number of search
results which are returned by your LDAP server.</p><p>The access level specifies if LAM should allow to modify LDAP
entries. This feature is only available in LAM Pro. LAM non-Pro
releases use write access. See <a class="link" href="ch06.html" title="Chapter�6.�Access levels and password reset page (LAM Pro)">this page</a> for details on
the different access levels.</p><p><span class="bold"><strong>Advanced options</strong></span></p><p>By default LAM will not follow LDAP referrals. This is ok for
most installations. If you use LDAP referrals please activate the
referral option in advanced settings.</p><p>Paged results should be activated only if you encounter any
problems regarding size limits on Active Directory. LAM will then
query LDAP to return results in chunks of 999 entries.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles5.png"></div></div><p>LAM is translated to many different languages. Here you can
select the default language for this server profile. The language
setting may be overriden at the LAM login page.</p><p>Please also set your time zone here.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles6.png"></div></div><p><a name="profile_mail"></a>LAM can manage user home directories and
quotas with an external script. You can specify the home directory
server and where the script is located. The default rights for new
home directories can be set, too.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles9.png"></div></div><p>LAM Pro users can send out changed passwords to their users.
Here you can specify the options for these mails.</p><p>If you select "Allow alternate address" then password mails
can be sent to any address (e.g. a secondary address if the user
account is also bound to the mailbox).</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles8.png"></div></div><p>LAM supports two methods for login. The first one is to
specify a fixed list of LDAP DNs that are allowed to login. Please
enter one DN per line.</p><p>The second one is to let LAM search for the DN in your
directory. E.g. if a user logs in with the user name "joe" then LAM
will do an LDAP search for this user name. When it finds a matching
DN then it will use this to authenticate the user. The wildcard
"%USER%" will be replaced by "joe" in this example. This way you can
provide login by user name, email address or other LDAP
attributes.</p><p>Additionally, you can enable HTTP authentication when using
"LDAP search". This way the web server is responsible to
authenticate your users. LAM will use the given user name + password
for the LDAP login. You can also configure this to setup advanced
login restrictions (e.g. require group memberships for login). To
setup HTTP authentication in Apache please see this <a class="ulink" href="http://httpd.apache.org/docs/2.2/howto/auth.html" target="_top">link</a>
and an example for LDAP authentication <a lang="" class="link" href="apbs06.html#apache_http_auth" title="Use LDAP HTTP authentication for LAM">here</a>.</p><p><span class="bold"><strong>Hint:</strong></span> LDAP search with group
membership check can be done with either <a class="link" href="apbs06.html#apache_http_auth" title="Use LDAP HTTP authentication for LAM">HTTP authentication</a> or LDAP
overlays like <a class="ulink" href="http://www.openldap.org/doc/admin24/overlays.html" target="_top">"memberOf"</a>
or <a class="ulink" href="http://www.openldap.org/doc/admin24/overlays.html" target="_top">"Dynamic
lists"</a>. Dynamic lists allow to insert virtual attributes to
your user entries. These can then be used for the LDAP filter (e.g.
"(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))").</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles7.png"></div></div><p>You may also change the password of this server profile.
Please just enter the new password in both password fields.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50308720"></a>Account types</h4></div></div></div><p>LAM supports to manage various types of LDAP entries (e.g.
users, groups, DHCP entries, ...). On this page you can select which
types of entries you want to manage with LAM.</p><div class="screenshot"><div class="mediaobject"><img src="images/configTypes1.png"></div></div><p>The section at the top shows a list of possible types. You can
activate them by simply clicking on the plus sign next to it.</p><p>Each account type has the following options:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="bold"><strong>LDAP suffix:</strong></span> the LDAP
suffix where entries of this type should be managed</p></li><li class="listitem"><p><span class="bold"><strong>List attributes:</strong></span> a list
of attributes which are shown in the account lists</p></li><li class="listitem"><p><span class="bold"><strong>Additional LDAP filter:</strong></span>
LAM will automatically detect the right LDAP entries for each
account type. This can be used to further limit the number of
visible entries (e.g. if you want to manage only some specific
groups). You can use "@@LOGIN_DN@@" as wildcard (e.g.
"(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the
user who is logged in.</p></li><li class="listitem"><p><span class="bold"><strong>Hidden:</strong></span> This is used to
hide account types that should not be displayed but are required
by other account types. E.g. you can hide the Samba domains
account type and still assign domains when you edit your
users.</p></li><li class="listitem"><p><span class="bold"><strong>Read-only (LAM Pro only):</strong></span>
This allows to set a single account type to read-only mode.
Please note that this is a restriction on functional level (e.g.
group memberships can be changed on user page even if groups are
read-only) and is no replacement for setting up proper ACLs on
your LDAP server.</p></li><li class="listitem"><p><span class="bold"><strong>Custom label:</strong></span> Here you
can set a custom label for the account types. Use this if the
standard label does not fit for you (e.g. enter "Servers" for
hosts).</p></li><li class="listitem"><p><span class="bold"><strong>No new entries (LAM Pro
only):</strong></span> Use this if you want to prevent that new
accounts of this type are created by your users. The GUI will
hide buttons to create new entries and also disable file upload
for this type.</p></li><li class="listitem"><p><span class="bold"><strong>Disallow delete (LAM Pro
only):</strong></span> Use this if you want to prevent that accounts
of this type are deleted by your users.</p></li></ul></div><div class="screenshot"><div class="mediaobject"><img src="images/configTypes2.png"></div></div><p>On the next page you can specify in detail what extensions
should be enabled for each account type.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50327088"></a>Modules</h4></div></div></div><p>The modules specify the active extensions for each account
type. E.g. here you can setup if your user entries should be address
book entries only or also support Unix or Samba.</p><div class="screenshot"><div class="mediaobject"><img src="images/configModules1.png"></div></div><p>Each account type needs a so called "base module". This is the
basement for all LDAP entries of this type. Usually, it provides the
structural object class for the LDAP entries. There must be exactly
one active base module for each account type.</p><p>Furthermore, there may be any number of additional active
account modules. E.g. you may select "Personal" as base module and
Unix + Samba as additional modules.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50331344"></a>Module settings</h4></div></div></div><p>Depending on the activated account modules there may be
additional configuration options available. They can be found on the
"Module settings" tab. E.g. the Personal account module allows to
hide several input fields and the Unix module requires to specify
ranges for UID numbers.</p><div class="screenshot"><div class="mediaobject"><img src="images/configSettings1.png"></div></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="idp50334608"></a>Cron jobs (LAM Pro)</h3></div></div></div><p>LAM Pro can execute common tasks via cron job. This can be used
to e.g. notify your users before their passwords expire.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50335776"></a>LDAP and database configuration</h4></div></div></div><p>Please add the LDAP bind user and password for all jobs. This
LDAP account will be used to perform all LDAP read and write
operations.</p><p>Next, select the database type where LAM should store job
related data. Supported databases are SQLite and MySQL.</p><p><span class="bold"><strong>SQLite</strong></span></p><p>This is a simple file based database. It needs no special
database server. The database file will be located next to the
server profile in config directory.</p><p>You will need to install the SQLite PDO module for PHP
(pdo_sqlite.so). For Debian this is located in package
php5-sqlite.</p><div class="screenshot"><div class="mediaobject"><img src="images/jobs1.png"></div></div><p><span class="bold"><strong>MySQL</strong></span></p><p>This will store all job data in an external MySQL
database.</p><p>You will need to install the MySQL PDO module for PHP
(pdo_mysql.so). For Debian this is located in package
php5-mysql.</p><p>Steps to create a MySQL database and user:</p><div class="literallayout"><p>#�login<br>
mysql�-u�root�-p<br>
#�create�a�database<br>
mysql>�create�database�lam_cron;<br>
#�<br>
mysql>�CREATE�USER�'lam_cron'@'%'�IDENTIFIED�BY�'password';<br>
mysql>�CREATE�USER�'lam_cron'@'localhost'�IDENTIFIED�BY�'password';<br>
#�grant�access�for�new�user<br>
mysql>�GRANT�ALL�PRIVILEGES�ON�lam_cron.*�TO�'lam_cron'@'%';<br>
mysql>�GRANT�ALL�PRIVILEGES�ON�lam_cron.*�TO�'lam_cron'@'localhost';<br>
</p></div><div class="screenshot"><div class="mediaobject"><img src="images/jobs3.png"></div></div><div class="literallayout"><p><br>
</p></div><p><span class="bold"><strong>Test your settings</strong></span></p><p>After the LDAP and database settings are done you can test
your settings.</p><p><span class="bold"><strong>Cron entry</strong></span></p><p>LAM also prints the crontab line that you need to run the
configured jobs on a daily basis. The command must be run as the
same user as your webserver is running. You are free to change the
starting time of the script or run it more often.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50350000"></a>Adding jobs</h4></div></div></div><p>To add a new job just click on the "Add job" button and select
the job type you need. Depending on the job type jobs may be added
multiple times with different configurations.</p><p>For descriptions about the available job types see next
chapters.</p><div class="screenshot"><div class="mediaobject"><img src="images/jobs2.png"></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50353488"></a>PPolicy: Notify users about password expiration</h4></div></div></div><p>This will send your users an email reminder before their
password expires.</p><p>You need to activate the PPolicy module for users to be able
to add this job. The job can be added multiple times (e.g. to send a
second warning at a later time).</p><p>LAM calculates the expiration date based on the last password
change and the assigned password policy (or the default
policy).</p><div class="screenshot"><div class="mediaobject"><img src="images/jobs_ppolicy1.png"></div></div><div class="table"><a name="idp50357376"></a><p class="title"><b>Table�3.1.�Options</b></p><div class="table-contents"><table summary="Options" border="1"><colgroup><col><col></colgroup><tbody><tr><td><span class="bold"><strong>Option</strong></span></td><td><span class="bold"><strong>Description</strong></span></td></tr><tr><td>From address</td><td>The email address to set as FROM.</td></tr><tr><td>Reply-to address</td><td>Optional Reply-to address for email.</td></tr><tr><td>Subject</td><td>The email subject line. Supports wildcards, see
below.</td></tr><tr><td>Text</td><td>The email body text. Supports wildcards, see
below.</td></tr><tr><td>Notification period</td><td>Number of days to notify before password
expires.</td></tr><tr><td>Default password policy</td><td>Default PPolicy password policy entry (object class
"pwdPolicy").</td></tr></tbody></table></div></div><br class="table-break"><p>Wildcards:</p><p>You can enter LDAP attributes as wildcards in the form
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
For the common name it would be "@@cn@@".</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50369408"></a>Shadow: Notify users about password expiration</h4></div></div></div><p>This will send your users an email reminder before their
password expires.</p><p>You need to activate the Shadow module for users to be able to
add this job. The job can be added multiple times (e.g. to send a
second warning at a later time).</p><p>LAM calculates the expiration date based on the last password
change, the password warning time (attribute "shadowWarning") and
the specified notification period.</p><p>Examples:</p><p>Warning time = 14, notification period = 10: LAM will send out
the email 24 days before the password expires</p><p>Warning time = 14, notification period = 0: LAM will send out
the email 14 days before the password expires</p><div class="screenshot"><div class="mediaobject"><img src="images/jobs_shadow1.png"></div></div><div class="table"><a name="idp50374736"></a><p class="title"><b>Table�3.2.�Options</b></p><div class="table-contents"><table summary="Options" border="1"><colgroup><col><col></colgroup><tbody><tr><td><span class="bold"><strong>Option</strong></span></td><td><span class="bold"><strong>Description</strong></span></td></tr><tr><td>From address</td><td>The email address to set as FROM.</td></tr><tr><td>Reply-to address</td><td>Optional Reply-to address for email.</td></tr><tr><td>Subject</td><td>The email subject line. Supports wildcards, see
below.</td></tr><tr><td>Text</td><td>The email body text. Supports wildcards, see
below.</td></tr><tr><td>Notification period</td><td>Number of days to notify before password
expires.</td></tr></tbody></table></div></div><br class="table-break"><p>Wildcards:</p><p>You can enter LDAP attributes as wildcards in the form
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
For the common name it would be "@@cn@@".</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50385520"></a>Windows: Notify users about password expiration</h4></div></div></div><p>This will send your users an email reminder before their
password expires.</p><p>You need to activate the Windows module for users to be able
to add this job. The job can be added multiple times (e.g. to send a
second warning at a later time).</p><p>LAM calculates the expiration date based on the last password
change and the domain policy.</p><div class="screenshot"><div class="mediaobject"><img src="images/jobs_windows1.png"></div></div><div class="table"><a name="idp50389360"></a><p class="title"><b>Table�3.3.�Options</b></p><div class="table-contents"><table summary="Options" border="1"><colgroup><col><col></colgroup><tbody><tr><td><span class="bold"><strong>Option</strong></span></td><td><span class="bold"><strong>Description</strong></span></td></tr><tr><td>From address</td><td>The email address to set as FROM.</td></tr><tr><td>Reply-to address</td><td>Optional Reply-to address for email.</td></tr><tr><td>Subject</td><td>The email subject line. Supports wildcards, see
below.</td></tr><tr><td>Text</td><td>The email body text. Supports wildcards, see
below.</td></tr><tr><td>Notification period</td><td>Number of days to notify before password
expires.</td></tr></tbody></table></div></div><br class="table-break"><p>Wildcards:</p><p>You can enter LDAP attributes as wildcards in the form
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
For the common name it would be "@@cn@@".</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="confTypicalScenarios"></a>Typical scenarios</h3></div></div></div><p>This is a list of typical scenarios how your LDAP environment
may look like and how to structure the server profiles for it.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50401680"></a>Simple: One LDAP directory managed by a small group of
admins</h4></div></div></div><p>This is the easiest and most common scenario. You want to
manage a single LDAP server and there is only one or a few admins.
In this case just create one server profile and you are done. The
admins may be either specified as a fixed list or by using an LDAP
search at login time.</p><div class="screenshot"><div class="mediaobject"><img src="images/LDAPStructuresSimple.png"></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50404896"></a>Advanced: One LDAP server which is managed by different admin
groups</h4></div></div></div><p>Large organisations may have one big LDAP directory for all
user/group accounts. But the users are managed by different groups
of admins (e.g. departments, locations, subsidiaries, ...). The
users are typically divided into organisational units in the LDAP
tree. Admins may only manage the users in their part of the
tree.</p><div class="screenshot"><div class="mediaobject"><img src="images/LDAPStructuresAdvanced.png"></div></div><p>In this situation it is recommended to create one server
profile for each admin group (e.g. department). Setup the LDAP
suffixes in the server profiles to point to the needed
organisational units. E.g. use
ou=people,ou=department1,dc=company,dc=com or
ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
Do the same for groups, hosts, ... This way each admin group will
only see its own users. You may want to use LDAP search for the LAM
login in this scenario. This will prevent that you need to update a
server profile if the number of admins changes.</p><p><span class="bold"><strong>Attention:</strong></span> LAM's feature to
automatically find free UIDs/GIDs for new users/groups will not work
in this case. LAM uses the user/group suffix to search for already
assigned UIDs/GIDs. As an alternative you can specify different
UID/GID ranges for each department. Then the UIDs/GIDs will stay
unique for the whole directory.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50410496"></a>Multiple LDAP servers</h4></div></div></div><p>You can manage as many LDAP servers with LAM as you wish. This
scenario is similar to the advanced scenario above. Just create one
server profile for each LDAP server.</p><div class="screenshot"><div class="mediaobject"><img src="images/LDAPStructuresMultiServer.png"></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="idp50413504"></a>Single LDAP directory with lots of users (>10 000)</h4></div></div></div><p>LAM was tested to work with 10 000 users. If you have a lot
more users then you have basically two options.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Divide your LDAP tree in organisational units: This is
usually the best performing option. Put your accounts in several
organisational units and setup LAM as in the advanced scenario
above.</p></li><li class="listitem"><p>Increase memory limit: Increase the memory_limit parameter
in your php.ini. This will allow LAM to read more entries. But
this will slow down the response times of LAM.</p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch03.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="ch03.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="ch04.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�3.�Configuration�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�4.�Managing entries in your LDAP directory</td></tr></table></div></body></html>