LDAP Account Manager

LAM requires PHP 8.0.2 or later
Docker: upgrade to Debian 12
LAM Pro:
- Request access: new module to allow users to request group memberships via self service
- Custom scripts: support to specify the subtype of an account
- Custom fields: Display groups in server profile as accordion (236)
- PPolicy and Shadow cron jobs for password expiration notification: added option to ignore expiration warning time

Multi edit tool: allow attribute placeholders in values
Accessibility improvements
LAM Pro:
- Custom fields: support "\" in date regex for text fields
- MIT Kerberos: replaced realm setting in profile editor with user name (e.g. to be able set "$user@LAM.LOCAL")
Fixed bugs:
- Custom fields: issues when same field name is used in multiple groups, field names are now generated by LAM (235)
- Custom scripts: preDelete script causes error message for return code 0 (246)

Duo 2FA: switch to frameless login and support for universal prompt
Docker: support for linux/arm64 (Apple Silicon)
Account lists: support account status in table for any account type that supports it (e.g. groups with PPolicy attributes)
Windows: allow to set no password expiration via account profile
Accessibility improvements
LAM Pro:
- PPolicy: support to edit existing policies that are not based on "device" (but e.g. on "person")
- SMTP server settings: settings can be tested before saving
Fixed bugs:
- Selecting entries from a filtered list selection did not work (223)
- Lamdaemon: support to delete home directories if "rm" command is aliased to "rm -i"
- Windows: "Managed by" was not changeable, account list rendering of manager/member/managedBy
- Tree view: allow to add entries of attribute olcModuleLoad

PHP 8.2 compatibility
Windows users: display name can be hidden in server profile
LDAP export: sort entries by DN
Security: you can hide login error details in LAM's main configuration
2 factor authentication: allow to remember device (must be activated in server/self service profile)
RPM package cleanup
LAM Pro:
- Custom scripts: new wildcard INFO.lamLoginDn for current user
- PPolicy: allow password policy for groups and hosts
- Simple security object: allow for hosts
- Apache Guacamole: added ssh, telnet and kubernetes protocols
Fixed bugs:
- SameSite value for cookies changed to Lax to not break Okta/OpenID
- Unix users: file upload did not always set memberUid in group (218)

PHP 7.4 required
Usability improvements
DHCP: added "authoritative" option and extra DHCP options + statements
LAM Pro:
- Group of (unique) names/members, Apache Guacamole: support "seeAlso" attribute (hidden by default in server profile)
- Windows: self service: users with expired passwords or forced password change can update their password (requires bind user to be used for all operations)

Allow hostObject for groups and ":" in values
Docker: added Let's Encrypt CA certificates
LAM Pro:
- Added support for simpleSecurityObject
- Added support for Apache Guacamole
- Group of Names: save last selected account type for new members/owners (170)
Fixed bugs:
- PHP 8.1 does not show proper error message when login failed with LDAP search method
- Self service issues on PHP 8.1 (181)
- Custom Fields: switch to Custom Fields tab was required to save an entry (258)
- Group of unique names/members shared same configuration settings with group of names
- Shadow last password change not updated during self service password change

Fixed bugs:

Regression issues due to security fixes (e.g. module settings in server profile)
Password change page not working for access level "Change passwords"

PHP 8.1 compatibility
Extended user account status and locking options
Unix: added Gecos to profile editor
389ds: added hints why login failed if account is locked/deactivated/expired
Removed Zarafa support (please switch to Kopano)
Tree view: display binary data as base64 encoded text
Tree view: better support for move operations and ordered attributes
LAM Pro:
- New captcha providers: hCaptcha and Friendly Captcha
- PPolicy: allow to specify unlock value for "pwdAccountLockedTime"
Fixed bugs:
- Hidden account is displayed (257)
- Change of RDN failed for OpenLDAP entries
- Tree view issues with browser auto-completion (176)
- Unauthenticated Arbitrary Object Instantiation / Unauthenticated Remote Code Execution (GHSA-r387-grjx-qgvw, CVE-2022-31084)
- Incorrect Default Permissions (GHSA-q8g5-45m4-q95p, CVE-2022-31087)
- Incorrect Regular Expressions (GHSA-q9pc-x84w-982x, CVE-2022-31086)
- Unauthenticated LDAP Injection (GHSA-wxf8-9x99-6gp4, CVE-2022-31088)
- Reflected XSS (Internet Explorer only) (GHSA-6m3q-5c84-6h6j, CVE-2022-31085)

Fixed bugs:
- Security issues in PDF editor and profile editor (170, CVE-2022-24851)

Tree view:
- Support multiple roots (e.g. add "cn=config")
- Added function to check password hashes against a given password
Shadow: allow to set shadowLastChange in file upload
Docker: upgrade OS to Debian Bullseye
LAM Pro:
- Support multiple TO addresses for license expiration email
- Custom scripts: $INFO.debug$ wildcard prints all possible wildcards and their values
- Custom scripts: extra INFO wildcards for password change options
- Configuration import: allow to select self service profiles to import (168)
Fixed bugs:
- Tree view: check session expiration

Pages