LAM manages various types of user accounts. This includes address book entries, Unix, Samba, Zarafa and much more.
Account list settings:
The user list includes two special options to change how your users are displayed.
Translate GID number to group name: By default the user list can show the primary group IDs (GIDs) of your users. There are often cases where it is more suitable to show the group name instead. This can be done by activating this option. Please note that LAM will execute more LDAP queries which may result in decreased performance.
Show account status: If you activate this option then there will be an additional column displayed that shows if the account is locked. You can see more details when moving the mouse cursor over the lock icon. This function supports Unix, Samba and PPolicy.
Quick account (un)locking:
When you edit a user, LAM lets you quickly lock/unlock the whole account. This includes Unix, Samba and PPolicy. LAM can also remove group memberships if an account is locked.
You will see the current status of all account parts in the title area of the account.
If you click on the lock icon, a dialog opens to change these values. Depending on which parts are locked, LAM will offer options to lock/unlock the individual account parts.
This module is the most common basis for user accounts in LAM. You can use it stand-alone to manage address book entries or in combination with Unix, Samba or other modules.
The Personal module provides support for managing various personal data of your users including mail addresses and telephone numbers. You can also add photos of your users. If you do not need to manage all attributes then you can deactivate them in your server profile.
User certificates can be uploaded and downloaded. LAM will automatically convert PEM to DER format.
Table 3.1. LDAP attribute mappings
Attribute name | Name inside LAM |
---|---|
businessCategory | Business category |
carLicense | Car license |
cn/commonName | Common name |
departmentNumber | Department(s) |
description | Description |
employeeNumber | Employee number |
employeeType | Employee type |
facsimileTelephoneNumber/fax | Fax number |
givenName/gn | First name |
homePhone | Home telephone number |
initials | Initials |
jpegPhoto | Photo |
l | Location |
mail/rfc822Mailbox | Email address |
manager | Manager |
mobile/mobileTelephoneNumber | Mobile number |
organizationName/o | Organisation |
physicalDeliveryOfficeName | Office name |
postalAddress | Postal address |
postalCode | Postal code |
postOfficeBox | Post office box |
registeredAddress | Registered address |
roomNumber | Room number |
sn/surname | Last name |
st | State |
street/streetAddress | Street |
telephoneNumber | Telephone number |
title | Job title |
userCertificate | User certificates |
uid/userid | User name |
userPassword | Password |
The Unix module manages Unix user accounts including group memberships.
There are several configuration options for this module:
UID generator: LAM will suggest UID numbers for your accounts. Please note that duplicate IDs may be assigned if several LAM users create accounts at the same time. Use an overlay like "Attribute Uniqueness" if you have lots of LAM admins creating accounts.
Fixed range: LAM searches for free numbers within the given limits. LAM always tries to use a free UID that is greater than the existing UIDs to prevent collisions with deleted accounts.
Samba ID pool: This uses a special LDAP entry that includes attributes that store a counter for the last used UID/GID. Please note that this requires that you install the Samba schema and create an LDAP entry of object class "sambaUnixIdPool".
Password hash type: If possible use CRYPT-SHA512 or SSHA to protect your users' passwords.
Login shells: List of valid login shells that can be selected when editing an account.
Hidden options: Some input fields can be hidden to simplify the GUI if you do not need them.
The user name is automatically filled as specified in the configuration (default smiller for Steve Miller). Of course, the suggested value can be changed any time. Common name is also filled with first/last name by default.
Group memberships can be changed when clicking on "Edit groups". Here you can select the Unix groups and group of names memberships.
To enable "Group of names" please either add the groups module "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of names".
You can also create home directories for your users if you set up lamdaemon. This allows you to create the directories on the local or remote servers.
It is also possible to check the status of the user's home directories. If needed the directories can be created or removed at any time.
This module manages memberships in group of (unique) names. To activate this feature please add the user module "Group of names (groupOfNamesUser)" to your LAM server profile.
Please note that this module cannot be used if the Unix module is active. In this case group memberships may be managed with the Unix module.
The module automatically detects if groups are based on "groupOfNames" or "groupOfUniqueNames" and sets the correct attribute.
LAM supports the management of the LDAP equivalent of /etc/shadow. Here you can set up password policies for your Unix accounts and also view the last password change of a user.
LAM Pro allows your users to reset their passwords by answering a security question. The reset link is displayed on the self service page. Additionally, you can set question + answer in the admin interface.
Please note that self service and LAM admin interface are separated functionalities. You need to specify the list of possible security questions in both self service profile(s) and server profile(s).
Schema
Please install the schema that comes with LAM Pro: docs/schema/passwordSelfReset.schema or docs/schema/passwordSelfReset.ldif
This allows to set a security question + answer for each account.
Activate password self reset module
Please activate the password self reset module in your LAM Pro server profile.
Now select the tab "Module settings" and specify the list of possible security questions. Only these questions will be selectable when you later edit accounts.
Edit users
After everything is set up, please log in to LAM Pro and edit your users. You will see a new tab called "Password self reset". Here you can activate/remove the password self reset function for each user. You can also change the security question and answer.
You can specify a list of valid host names where the user may log in. If you add the value "*" then the user may log in to any host. This can be further restricted by adding explicit deny entries which are prefixed with "!" (e.g. "!hr_server").
Please note that your PAM settings need to support host restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled, the account facility of pam_ldap performs the checks and returns an error when no proper host attribute is present. Please note that users without a host attribute cannot log in to a server configured this way.
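As an added example (not pam_ldap's or LAM's code), the following models the host attribute semantics described above so you can audit, before enabling pam_check_host_attr, which accounts would be admitted on a given server: "*" allows any host, a plain name allows that host, a "!"-prefixed name is an explicit deny, and a missing attribute denies everywhere. Case-insensitive host name matching and the sample accounts are assumptions of this model.

```python
from typing import Dict, Iterable, Optional

# Added example: a model of the host attribute rules from the text above,
# not the actual pam_ldap implementation.


def host_allowed(host_values: Optional[Iterable[str]], hostname: str) -> bool:
    """Return True if an account with these host attribute values may log in on hostname."""
    if host_values is None:
        return False  # users without host attribute cannot log in
    values = [v.strip() for v in host_values if v and v.strip()]
    if not values:
        return False
    target = hostname.lower()  # case-insensitive matching is an assumption
    # explicit deny entries ("!hr_server") are checked first so they override "*"
    if any(v.startswith("!") and v[1:].lower() == target for v in values):
        return False
    return any(v == "*" or v.lower() == target for v in values)


def check_accounts(accounts: Dict[str, Optional[Iterable[str]]], hostname: str) -> Dict[str, bool]:
    """Map uid -> allowed on hostname, for a pre-rollout audit of one server."""
    return {uid: host_allowed(hosts, hostname) for uid, hosts in accounts.items()}


# constructed sample entries: uid -> host attribute values as stored in LDAP
SAMPLE_ACCOUNTS: Dict[str, Optional[Iterable[str]]] = {
    "smiller": ["*", "!hr_server"],  # everywhere except hr_server
    "jdoe": ["hr_server"],           # hr_server only
    "nohost": None,                  # attribute missing: denied everywhere
}

if __name__ == "__main__":
    for server in ("hr_server", "web01"):
        print(server, check_accounts(SAMPLE_ACCOUNTS, server))
```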
Please activate the account type "Users" in your LAM server profile and then add the user module "Windows (windowsUser)(*)".
The default list attributes are for Unix and not suitable for Windows (blank lines in account table). Please use "#cn;#givenName;#sn;#mail" or select your own attributes to display in the account list.
Now you can manage your Windows users and e.g. assign groups.
Attention: Password changes require a secure connection via ldaps://. Check your LAM server profile if password changes are refused by the server.
You can manage file system quotas with LAM. This requires lamdaemon to be set up. LAM connects to your server via SSH and manages the disk filesystem quotas. The quotas are stored directly on the filesystem. This is the default mechanism to store quotas for most systems.
Please add the module "Quota (quota)" for users to your LAM server profile to enable this feature.
If you store the quota information directly inside LDAP please see the next section.
You can store your filesystem quotas directly in LDAP. See Linux DiskQuota for details since it requires quota tools that support LDAP. You will need to install the quota LDAP schema to manage the object class "systemQuotas".
Please add the module "Quota (systemQuotas)" for users to your LAM server profile to enable this feature.
If you store the quota information on the filesystem please see the previous section.
This module lets you manage Kolab accounts with LAM. E.g. you can set the user's mail quota and define invitation policies.
Please enter an email address on the Personal page and set a Unix password first. Both are required for Kolab to accept the account. The email address ("Personal" page) must match your Kolab domain, otherwise the account will not work.
Attention: The mailbox server cannot be changed after the account has been saved. Please make sure that the value is correct.
Kolab users should not be directly deleted with LAM. You can mark an account for deletion which then is done by the Kolab server itself. This makes sure that the mailbox etc. is also deleted.
If you upgrade existing non-Kolab accounts, please make sure that the account has a Unix password.
LAM supports Asterisk accounts, too. See the Asterisk section for details.
EDU person accounts are mainly used in university networks. You can specify the principal name, nick names and much more.
OpenLDAP supports the ppolicy overlay to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to user accounts.
Please add the account type "Password policies" to your LAM server profile and activate the "Password policy" module for the user type.
You can assign any password policy which is found in the LDAP suffix of the "Password policies" type. When you set the policy to "default" then OpenLDAP will use the default policy as defined in your slapd.conf file.
FreeRadius is software that implements the RADIUS authentication protocol. LAM allows you to manage several of the FreeRadius attributes.
To activate the FreeRadius plugin please activate the FreeRadius user module in your server profile:
You can disable unneeded fields on the tab "Module settings":
Now you will see the tab "FreeRadius" when editing users. The extension can be (de)activated for each user. You can setup e.g. realm, IP and expiration date.
You can manage your Heimdal Kerberos accounts with LAM Pro. Please add the user module "Kerberos (heimdalKerberos)" to activate this feature.
Setup password changing
LAM Pro cannot generate the password hashes itself because Heimdal uses a proprietary format for them. Therefore, LAM Pro needs to call e.g. kadmin to set the password.
The wildcards @@password@@ and @@principal@@ are replaced with password and principal name. Please use keytab authentication for this command since it must run without any interaction.
Example to create a keytab: ktutil -k /root/lam.keytab add -p lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1
Security hint: Please secure your LAM Pro server since the new passwords will be visible for a short term in the process list during password change.
User management
You can specify the principal/user name, ticket lifetimes and expiration dates. Additionally, you can set various account options.
You can manage your MIT Kerberos accounts with LAM Pro. Please add the user module "Kerberos (mitKerberos)" to activate this feature. If you want to manage entries based on the structural object class "krbPrincipal" please use "Kerberos (mitKerberosStructural)" instead.
Setup password changing
LAM Pro cannot generate the password hashes itself because MIT uses a proprietary format for them. Therefore, LAM Pro needs to call kadmin/kadmin.local to set the password.
LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to set the password. Please use keytab authentication for this command since it must run without any interaction.
Keytabs may be created with the "ktutil" application.
Security hint: Please secure your LAM Pro server since the new passwords will be visible for a short term in the process list during password change.
Example commands:
/usr/sbin/kadmin -k -t /home/www-data/apache.keytab -p realm/changepwd
sudo /usr/sbin/kadmin.local
User management
You can specify the principal/user name, ticket lifetimes and expiration dates. Additionally, you can set various account options.
LAM Pro manages all qmail attributes for users. This includes mail addresses, ID numbers and quota settings.
Please note that the main mail address is managed on tab "Personal" if this module is active. Otherwise, it will be on the qmail tab.
You can hide several qmail options if you do not want to manage them with LAM. This can be done on the module settings tab of your LAM server profile.
LAM supports managing mail routing for user accounts. You can specify a routing address, the mail server and a number of local addresses to route. This feature can be activated by adding the "Mail routing" module to the user account type in your server profile.
You can manage your public keys for SSH in LAM if you installed the LPK patch for SSH. Activate the "SSH public key" module for users in the server profile and you can add keys to your user entries.
You can set up PAM to check if a user is allowed to run a specific service (e.g. sshd) by reading the LDAP attribute "authorizedService". This way you can manage all allowed services via LAM.
To activate this PAM feature, please edit your /etc/libnss-ldap.conf and set "pam_check_service_attr" to "yes".
Inside LAM you can now set the allowed services. You may also setup default services in your account profiles.
You can define a list of services in your LAM server profile that is used for autocompletion.
The autocompletion will show all values that contain the entered text. To display the whole list you can press backspace in the empty input field. Of course, you can also insert a service name that is not in the list.
LAM may create and delete mailboxes on an IMAP server for your user accounts. You will need an IMAP server that supports either SSL or TLS for this feature.
To activate the mailbox management module please add the "Mailbox (imapAccess)" module for the type user in your LAM server profile:
Now configure the module on the tab "Module settings". Here you can specify the IMAP server name, encryption options, the authentication for the IMAP connection and the valid mail domains. LAM can use either your LAM login password for the IMAP connection or display a dialog where you need to enter the password. The mail domains specify for which accounts mailboxes may be created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can be managed for "user@lam-demo.org" but not for "user@example.com".
You need to install the SSL certificate of the CA that signed your server certificate. This is usually done by installing the certificate in /etc/ssl/certs. Different Linux distributions may offer different ways to do this. For Debian please copy the certificate in "/usr/local/share/ca-certificates" and run "update-ca-certificates" as root.
It is not recommended to disable the validation of IMAP server certificates.
When you edit a user account, you will now see the tab "Mailbox". Here you can create/delete the mailbox for this user.
This is a very simple module to manage accounts based on the object class "account". Usually, this is used for host accounts only. Please note that users based on the "account" object class cannot have contact information (e.g. telephone number) as with "inetOrgPerson".
You can enter a user/host name and a description for your accounts.