LDAP Account Manager

PHP 8.2 compatibility
Windows users: display name can be hidden in server profile
LDAP export: sort entries by DN
Security: you can hide login error details in LAM's main configuration
2 factor authentication: allow to remember device (must be activated in server/self service profile)
RPM package cleanup
LAM Pro:
- Custom scripts: new wildcard INFO.lamLoginDn for current user
- PPolicy: allow password policy for groups and hosts
- Simple security object: allow for hosts
- Apache Guacamole: added ssh, telnet and kubernetes protocols
Fixed bugs:
- SameSite value for cookies changed to Lax to not break Okta/OpenID
- Unix users: file upload did not always set memberUid in group (218)

PHP 7.4 required
Usability improvements
DHCP: added "authoritative" option and extra DHCP options + statements
LAM Pro:
- Group of (unique) names/members, Apache Guacamole: support "seeAlso" attribute (hidden by default in server profile)
- Windows: self service: users with expired passwords or forced password change can update their password (requires bind user to be used for all operations)

Allow hostObject for groups and ":" in values
Docker: added Let's Encrypt CA certificates
LAM Pro:
- Added support for simpleSecurityObject
- Added support for Apache Guacamole
- Group of Names: save last selected account type for new members/owners (170)
Fixed bugs:
- PHP 8.1 does not show proper error message when login failed with LDAP search method
- Self service issues on PHP 8.1 (181)
- Custom Fields: switch to Custom Fields tab was required to save an entry (258)
- Group of unique names/members shared same configuration settings with group of names
- Shadow last password change not updated during self service password change

Fixed bugs:

Regression issues due to security fixes (e.g. module settings in server profile)
Password change page not working for access level "Change passwords"

PHP 8.1 compatibility
Extended user account status and locking options
Unix: added Gecos to profile editor
389ds: added hints why login failed if account is locked/deactivated/expired
Removed Zarafa support (please switch to Kopano)
Tree view: display binary data as base64 encoded text
Tree view: better support for move operations and ordered attributes
LAM Pro:
- New captcha providers: hCaptcha and Friendly Captcha
- PPolicy: allow to specify unlock value for "pwdAccountLockedTime"
Fixed bugs:
- Hidden account is displayed (257)
- Change of RDN failed for OpenLDAP entries
- Tree view issues with browser auto-completion (176)
- Unauthenticated Arbitrary Object Instantiation / Unauthenticated Remote Code Execution (GHSA-r387-grjx-qgvw, CVE-2022-31084)
- Incorrect Default Permissions (GHSA-q8g5-45m4-q95p, CVE-2022-31087)
- Incorrect Regular Expressions (GHSA-q9pc-x84w-982x, CVE-2022-31086)
- Unauthenticated LDAP Injection (GHSA-wxf8-9x99-6gp4, CVE-2022-31088)
- Reflected XSS (Internet Explorer only) (GHSA-6m3q-5c84-6h6j, CVE-2022-31085)

Fixed bugs:
- Security issues in PDF editor and profile editor (170, CVE-2022-24851)

Tree view:
- Support multiple roots (e.g. add "cn=config")
- Added function to check password hashes against a given password
Shadow: allow to set shadowLastChange in file upload
Docker: upgrade OS to Debian Bullseye
LAM Pro:
- Support multiple TO addresses for license expiration email
- Custom scripts: $INFO.debug$ wildcard prints all possible wildcards and their values
- Custom scripts: extra INFO wildcards for password change options
- Configuration import: allow to select self service profiles to import (168)
Fixed bugs:
- Tree view: check session expiration

Restyling of LAM
Allow to override global password policy in server profile (160)
Do not print random password if sent via email (165)
LAM Pro:
- PowerDNS support
- Device: allow multiple cn values
Fixed bugs:
- PDF does not contain all group members (249)
- File upload issue on PHP 8 (153)
- Export issue on non-Pro version (155)

2-factor authentication with OpenID
Send proper response code on failed login
LAM Pro:
- OpenLDAP 2FA support for TOTP
Fixed bugs:
- Issues with list filter if only one result is found (241)
- Allow to sync empty list of groups in group of names user module (242)
- Windows lockout duration and password maximum age computed incorrectly
- Wrong status for nsAccountLock (245)

Allow to store whole LAM configuration in MySQL database
Docker: new options for configuration location and LAM Pro license
Full PHP 8 compatibility
Replaced tree view and moved it to tools menu
Wildcards in edit screen support lower-case mode (e.g. "$_firstname")
Windows: more fields can be hidden
LAM Pro:
- Export/Import of cron jobs
- Mail server encryption type can be configured (TLS/SSL/none)
- User self registration: support to define uid field to use constant or custom validation
- Group of names user module: allow to sync memberships from other user
- Custom fields:
  - Support password change dialog in user edit view
  - Added date and email validation for text fields
  - Support password reset page for password fields
  - New field types: LDAP date, LDAP date and time
- Password self reset: fields on first page can be prefilled by URL parameter
Fixed bugs:
- Truncated mail text field in "LAM Pro password mail settings" and 2FA base URLs
- 389ds: support password change and force password in one save action

Pages