LAM has the following requirements to run:

OpenSSL will be used to store your LDAP password encrypted in the session file.

Please note that LAM does not ship with a SELinux policy. Please disable SELinux or create your own policy.

See LDAP schema fles for information about used LDAP schema files.

LAM is available as prepackaged version for various platforms.

Debian/Ubuntu

LAM is part of the official Debian/Ubuntu repository. New releases are uploaded to unstable and will be available automatically in testing and the stable releases. You can run apt-get install ldap-account-manager to install LAM on your server. Additionally, you may download the latest LAM Debian/Ubuntu packages from the LAM homepage or the Debian package homepage. Installation of the latest packages on Debian/Ubuntu Install the LAM package dpkg -i ldap-account-manager_*.deb If you get any messages about missing dependencies run now: apt-get -f install Install the lamdaemon package (optional) dpkg -i ldap-account-manager-lamdaemon_*.deb

Suse/Fedora/CentOS

There are RPM packages available on the LAM homepage. The packages can be installed with these commands: rpm -e ldap-account-manager ldap-account-manager-lamdaemon (if an older version is installed) rpm -i <path to LAM package> Note: The RPM packages do not contain a dependency to PHP due to the various package names for it. Please make sure that you install Apache/Nginx with PHP. Example installation for Apache + PHP 8 on OpenSuse 15: zypper install apache2 php8 apache2-mod_php8 php8-ldap php8-zip php8-soap php8-gd php8-curl php8-gmp php8-mbstring php8-sqlite php8-mysql php8-gettext systemctl enable apache2 systemctl start apache2 firewall-cmd --add-service=http --permanent firewall-cmd --reload

FreeBSD

LAM is part of the official FreeBSD ports tree. For more details see these pages: FreeBSD-SVN: http://svnweb.freebsd.org/ports/head/sysutils/ldap-account-manager/ FreshPorts: http://www.freshports.org/sysutils/ldap-account-manager

You can run LAM and LAM Pro inside Docker. See here for detailed instructions.

Backup configuration files

Configuration files need only to be backed up for .tar.bz2 installations. DEB/RPM installations do not require this step.

LAM stores all configuration files in the "config" folder. Please backup the following files and copy them after the new version is installed.

LAM Pro only:

Uninstall current LAM (Pro) version

If you used the RPM installation packages then remove the ldap-account-manager and ldap-account-manager-lamdaemon packages by calling "rpm -e ldap-account-manager ldap-account-manager-lamdaemon".

Debian/Ubuntu needs no removal of old packages.

For tar.bz2 please remove the folder where you installed LAM via configure or by copying the files.

Install new LAM (Pro) version

Please install the new LAM (Pro) release. Skip the part about setting up LAM configuration files.

Restore configuration files

RPM:

Please check if there are any files ending with ".rpmsave" in /var/lib/ldap-account-manager/config. In this case you need to manually remove the .rpmsave extension by overwriting the package file. E.g. rename default.user.rpmsave to default.user.

DEB:

Nothing needs to be restored.

tar.bz2:

Please restore your configuration files from the backup. Copy all files from the backup folder to the config folder in your LAM Pro installation. Do not simply replace the folder because the new LAM (Pro) release might include additional files in this folder. Overwrite any existing files with your backup files.

Final steps

Now open your webbrowser and point it to the LAM login page. All your settings should be migrated.

Please check also the version specific instructions. They might include additional actions.

You need to follow all steps from your current version to the new version. Unless explicitly noticed there is no need to install an intermediate release.

This defines where LAM should store the configuration settings. By default, local file system is used. If you have installed the PHP PDO extension incl. MySQL then you can also select MySQL here. This will then store all data (server profiles, account profiles, PDF structures, ...) in the database.

Exceptions:

This is very useful when running LAM cloud native e.g. inside Docker.

This is only required when you run LAM Pro. Please enter the license key from your customer profile. In case you have purchased multiple licenses please only enter one license key block per installation.

When you entered the license key then the license details can be seen on LAM configuration overview page.

By default, LAM Pro will show a warning message on the login page 3 weeks before expiration. You can disable this here and/or send out an email instead.

Here you can set a time period after which inactive sessions are automatically invalidated. The selected value represents minutes of inactivity.

If you do not want to expose why the login to LAM failed then activate "Hide LDAP details on failed logins". This way users will not see if their account was not found or is e.g. locked.

You may also set a list of IP addresses which are allowed to access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123) or with the "*" wildcard (e.g. 123.123.123.*). Users which try to access LAM via an untrusted IP only get blank pages. There is a separate field for LAM Pro self service.

SSL certificate setup:

By default, LAM uses the CA certificates that are preinstalled on your system. This will work if you connect via SSL/TLS to an LDAP server that uses a certificate signed by a well-known CA. In case you use your own CA (e.g. company internal CA) you can import the CA certificates here.

Please note that this can affect other web applications on the same server if they require different certificates. There seem to be problems on Debian/Ubuntu systems and you may also need to restart Apache. In case of any problems please delete the uploaded certificates and use the system setup.

You can either upload a DER/PEM formatted certificate file or import the certificates directly from an LDAP server that is available with LDAP+SSL (ldaps://). LAM will automatically override system certificates if at least one certificate is uploaded/imported.

The whole certificate list can be downloaded in PEM format. You can also delete single certificates from the list.

Please note that you might need to restart your webserver if you do any changes to this configuration.

This allows you to specify a central password policy for LAM. The policy is valid for all password fields inside LAM admin (excluding tree view) and LAM self service. Configuration passwords do not need to follow this policy.

You can set the minimum password length and also the complexity of the passwords.

External password check

Please note that this option is only displayed if you have installed the PHP Curl extension for your web server.

This will validate passwords using an external service. LAM supports the protocol used by Have I been Pwned. You can use the service directly or setup any custom service with the same API. If the service reports an error LAM will log an error message and the password will be accepted.

Example URL: https://api.pwnedpasswords.com/range/{SHA1PREFIX}

LAM will build a SHA1 hash of the password and send parts of it to the service.

The configured URL must contain the wildcard "{SHA1PREFIX}" which will be replaced with the 5 character hash prefix. The service must then return a list of text lines in the format "<hash suffix>:<number>".

"<hash suffix>" needs to be the suffix of a known insecure password. The "<number>" can be any numeric value and will be ignored by LAM.

Example:

Password hash: 21BD10018A45C4D1DEF81644B54AB7F969B88D65

Hash prefix sent to service: 21BD1

Returned line: 0018A45C4D1DEF81644B54AB7F969B88D65:1

This will reject the password.

LAM can log events (e.g. user logins). You can use e.g. system logging (syslog for Unix, event viewer for Windows) or log to a separate file. Please note that LAM may log sensitive data (e.g. passwords) at log level "Debug". Production systems should be set to "Warning" or "Error".

The PHP error reporting is only for developers. By default LAM does not show PHP notice messages in the web pages. You can select to use the php.ini setting here or printing all errors and notices.

Log destinations:

Here you can configure the mail server settings. If you do not set a mail server then LAM will try to use a locally installed one (e.g. postfix, exim, sendmail).

SMTP setup:

Mail server: enter name + port separated by ":". E.g. "server:25" will use "server" on port 25.

User name: enter the user name if your SMTP server requires authentication

Password: enter the password for the user above

Encryption protocol: Use TLS when unsure. SSL is only for older servers and deprecated. The no encryption setting should not be used for production installations.

See the WebAuthn/FIDO2 appendix for an overview about WebAuthn/FIDO2 in LAM.

Here you can delete any webauthn device registrations. This section is only shown if at least one device is registered.

Enter a part of the user's DN in the input box and perform a search. LAM will show users and devices that match the search. You can then delete a device registration. If the user has no more registered devices then LAM will ask for registration on next login.

Note: You cannot add any device here. This can only be done by the user during login, webauthn tool or self service.

If you would like to change the master configuration password then enter a new password here.

Select "Manage server profiles" to open the profile management page.

Here you can create, rename and delete server profiles. The passwords of your server profiles can also be reset.

You may also specify the default server profile. This is the server profile which is preselected at the login page. It also specifies the language of the login and configuration pages.

Templates for new server profiles

You can create a new server profile based on one of the built-in templates or any existing profile. Of course, the account types and selected modules can be changed after you created your profile.

Built-in templates:

All operations on the profile management page require that you authenticate yourself with the configuration master password.

Please select you server profile and enter its password to edit a server profile.

Each server profile contains the following information:

General settings

Here you can specify the LDAP server and some security settings.

The server address of your LDAP server can be a DNS name or an IP address. Use ldap:// for unencrypted LDAP connections or TLS encrypted connections. LDAP+SSL (LDAPS) encrypted connections are specified with ldaps://. The port value is optional. TLS cannot be combined with ldaps://.

Hint: If you use a master/slave setup with referrals then point LAM to your master server. Due to bugs in the underlying LDAP libraries pointing to a slave might cause issues on write operations.

LAM includes an LDAP browser which allows direct modification of LDAP entries. If you would like to use it then enter the LDAP suffix at "Tree suffix".

The search limit is used to reduce the number of search results which are returned by your LDAP server.

The access level specifies if LAM should allow to modify LDAP entries. This feature is only available in LAM Pro. LAM non-Pro releases use write access. See this page for details on the different access levels.

Advanced options

Display name: Sometimes, you may not want to display the server address on the login page. In this case you can setup a display name here (e.g. "Production").

Follow referrals: By default LAM will not follow LDAP referrals. This is ok for most installations. If you use LDAP referrals please activate the referral option in advanced settings.

Paged results: Paged results should be activated only if you encounter any problems regarding size limits on Active Directory. LAM will then query LDAP to return results in chunks of 999 entries.

Referential integrity overlay: Activate this checkbox if you have any server side extension for referential integrity in place. In this case the server will cleanup references to LDAP entries that are deleted.

The following actions are skipped in this case:

• Users: group of (unique) names: memberships are not deleted when user is deleted

• Users: organizational roles: role assignments are not deleted when user is deleted

• Groups: groupOf(Unique)Names: memberships are not deleted when group is deleted

Hide password prompt for expired password: Hides the password prompt when a user with expired password logs into LAM.

LAM is translated to many different languages. Here you can select the default language for this server profile. The language setting may be overridden at the LAM login page.

Please also set your time zone here.

LAM can manage user home directories and quotas with an external script. You can specify the home directory server and where the script is located. The default rights for new home directories can be set, too.

Note: This requires lamdaemon to be installed on the remote server. This comes as separate package for DEB/RPM. See here.

Script server format:

• "server": "server" is the DNS name of your script server

• "server:NAME": NAME is the display name of this server

• "server:NAME:/prefix": /prefix is the directory prefix for all operations. E.g. creating a home directory "/home/user" would create "/prefix/home/user" then.

You can provide a fixed user name. If you leave the field empty then LAM will use your current account (the account you used to login to LAM).

There are two possibilities to connect to your home directory/quota server:

• SSH key (recommended): Please generate a SSH key pair and provide the location to the private key file. If the key is protected by a password you can also specify it here.

• Password: If you do not set a SSH key then LAM will try to connect with your current account (the password you used to login to LAM).

LAM Pro users may directly set passwords from list view. You can configure if it should be possible to set specific passwords and showing password on screen is allowed.

LAM Pro users can send out changed passwords to their users. Here you can specify the options for these mails.

If you select "Allow alternate address" then password mails can be sent to any address (e.g. a secondary address if the user account is also bound to the mailbox).

LAM supports two methods for login:

• Fixed list

• LDAP search

The first one is to specify a fixed list of LDAP DNs that are allowed to login. Please enter one DN per line.

The second one is to let LAM search for the DN in your directory. E.g. if a user logs in with the user name "joe" then LAM will do an LDAP search for this user name. When it finds a matching DN then it will use this to authenticate the user. The wildcard "%USER%" will be replaced by "joe" in this example. This way you can provide login by user name, email address or other LDAP attributes.

Additionally, you can enable HTTP authentication when using "LDAP search". This way the web server is responsible to authenticate your users. LAM will use the given user name + password for the LDAP login. You can also configure this to setup advanced login restrictions (e.g. require group memberships for login). To setup HTTP authentication in Apache please see this link and an example for LDAP authentication here.

Hint: LDAP search with group membership check can be done with either HTTP authentication or LDAP overlays like "memberOf" or "Dynamic lists". Dynamic lists allow to insert virtual attributes to your user entries. These can then be used for the LDAP filter (e.g. "(&(uid=%USER%)(memberof=cn=admins,ou=groups,dc=company,dc=com))").

Global password policy override

This allows you to override some password policy options of LAM's global password policy (LAM main configuration). You can increase and decrease the values of the global policy.

2-factor authentication

LAM supports 2-factor authentication for your users. This means the user will not only authenticate by user+password but also with e.g. a token generated by a mobile device. This adds more security because the token is generated on a physically separated device (typically mobile phone).

The token is validated by a second application. LAM currently supports:

• privacyIdea

• YubiKey

• Duo

• WebAuthn/FIDO2

• Okta

• OpenID

Configuration options:

privacyIDEA

• Base URL: please enter the URL of your privacyIDEA instance

• User name attribute: please enter the LDAP attribute name that contains the user ID (e.g. "uid").

• Optional: By default LAM will enforce to use a token and reject users that did not setup one. You can set this check to optional. But if a user has setup a token then this will always be required.

• Disable certificate check: This should be used on development instances only. It skips the certificate check when connecting to verification server.

Please note that LAM needs to authenticate to privacyIdea with the user's user name and password WITHOUT second factor. This is needed to get the list of tokens that are setup for the user. You can setup a separate policy (scope: authentication) for LAM inside privacyIdea that has IP restriction ("Client" setting) to LAM's server IP and an action "otppin" "none".

YubiKey

• Base URLs: please enter the URL(s) of your YubiKey verification server(s). If you run a custom verification API such as yubiserver then enter its URL (e.g. http://www.example.com:8000/wsapi/2.0/verify). The URL needs to end with "/wsapi/2.0/verify". For YubiKey cloud these are "https://api.yubico.com/wsapi/2.0/verify", "https://api2.yubico.com/wsapi/2.0/verify", "https://api3.yubico.com/wsapi/2.0/verify", "https://api4.yubico.com/wsapi/2.0/verify" and "https://api5.yubico.com/wsapi/2.0/verify". Enter one URL per line.

• Client id: this is only required for YubiKey cloud. You can register here: https://upgrade.yubico.com/getapikey/

• Secret key: this is only required for YubiKey cloud. You can register here: https://upgrade.yubico.com/getapikey/

• Optional: By default LAM will enforce to use a token and reject users that did not setup one. You can set this check to optional. But if a user has setup a token then this will always be required.

• Disable certificate check: This should be used on development instances only. It skips the certificate check when connecting to verification server.

Duo

This requires to register a new "Web SDK" application in your Duo admin panel.

• User name attribute: please enter the LDAP attribute name that contains the user ID (e.g. "uid").

• Base URL: please enter the API-URL of your Duo instance (e.g. api-12345.duosecurity.com).

• Client id: please enter your client id.

• Secret key: please enter your client secret.

WebAuthn/FIDO2

See the WebAuthn/FIDO2 appendix for an overview about WebAuthn/FIDO2 in LAM.

Users will be asked to register a device during login if no device is setup.

• Domain: Please enter the WebAuthn domain. This is the public domain of the web server (e.g. "example.com"). Do not include protocol or port. Browsers will reject authentication if the domain does not match the web server domain.

• Optional: By default LAM will enforce to use a 2FA device and reject users that do not setup one. You can set this check to optional. But if a user has setup a device then this will always be required.

Okta

This requires to register a new application of type "Web".

There, you will need to configure LAM's 2-factor URLs as "Login redirect URIs" in the new application. They are "https://YOURDOMAIN/lam/templates/login2Factor.php" for admin interface and "https://YOURDOMAIN/lam/templates/selfService/selfService2Factor.php" for self service. You will get an error message during login with the URL to configure in case it was wrong.

On "Sign On" tab you need to add a rule that prompts for the factor.

LAM options:

• User name attribute: please enter the LDAP attribute name that contains the user ID (e.g. "mail").

• Base URL: please enter the URL of your Okta domain (e.g. https://mydomain.okta.com)

• Client id: please enter your application client id.

• Secret key: please enter your application secret key.

OpenID

This will use an OpenID server as 2nd factor for authentication.

LAM options:

• User name attribute: please enter the LDAP attribute name that contains the user ID (e.g. "uid").

• Base URL: please enter the URL of your OpenID client URL. The URL is the one before the "/.well-known/openid-configuration".

• Client id: please enter your application client id.

• Secret key: please enter your application secret key.

KeyCloack example configuration:

Create a new client, select "OpenID Connect" client type and enter a client ID.

Now enable "Client authentication" and enter the valid redirect URLs in the last step.

They are "https://YOURDOMAIN/lam/templates/login2Factor.php" for admin interface and "https://YOURDOMAIN/lam/templates/selfService/selfService2Factor.php" for self service. You will get an error message during login in case it was wrong. Then save the configuration.

Next, switch to tab "Credentials" to get the client secret.

Example configuration values:

• User name: uid

• Base URL: http://openidserver/auth/realms/master

• Client id: demo

• Secret key: 59bdf504-b76e-4138-8421-ef662b2c6c83

Remember device

You can allow users to remember the 2FA device for privacyIDEA, WebAuthn and YubiKey. When a device is remembered then users can login for the specified time without presenting their 2nd factor.

The password for the device remembering is used to authenticate the device data. It can be any long passphrase (use > 30 characters). LAM auto-generates one for you. If you change the passphrase then all device data gets invalid and users need to represent their 2nd factor again (which then can be saved again).

Login

After logging in with user + password LAM will ask for the 2nd factor. If the user has setup multiple factors then he can choose one of them.

Password

You may also change the password of this server profile. Please just enter the new password in both password fields.

Account types

LAM supports to manage various types of LDAP entries (e.g. users, groups, DHCP entries, ...). On this page you can select which types of entries you want to manage with LAM.

The section at the top shows a list of possible types. You can activate them by simply clicking on the plus sign next to it.

Each account type has the following options:

• LDAP suffix: the LDAP suffix where entries of this type should be managed

• List attributes: a list of attributes which are shown in the account lists

• Additional LDAP filter: LAM will automatically detect the right LDAP entries for each account type. This can be used to further limit the number of visible entries (e.g. if you want to manage only some specific groups). You can use "@@LOGIN_DN@@" as wildcard (e.g. "(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the user who is logged in.

• Hidden: This is used to hide account types that should not be displayed but are required by other account types. E.g. you can hide the Samba domains account type and still assign domains when you edit your users.

• Read-only (LAM Pro only): This allows to set a single account type to read-only mode. Please note that this is a restriction on functional level (e.g. group memberships can be changed on user page even if groups are read-only) and is no replacement for setting up proper ACLs on your LDAP server.

• Custom label: Here you can set a custom label for the account types. Use this if the standard label does not fit for you (e.g. enter "Servers" for hosts).

• No new entries (LAM Pro only): Use this if you want to prevent that new accounts of this type are created by your users. The GUI will hide buttons to create new entries and also disable file upload for this type.

• Disallow delete (LAM Pro only): Use this if you want to prevent that accounts of this type are deleted by your users.

On the next page you can specify in detail what extensions should be enabled for each account type.

Modules

The modules specify the active extensions for each account type. E.g. here you can setup if your user entries should be address book entries only or also support Unix or Samba.

Each account type needs a so called "base module". This is the basement for all LDAP entries of this type. Usually, it provides the structural object class for the LDAP entries. There must be exactly one active base module for each account type.

Furthermore, there may be any number of additional active account modules. E.g. you may select "Personal" as base module and Unix + Samba as additional modules.

Module settings

Depending on the activated account modules there may be additional configuration options available. They can be found on the "Module settings" tab. E.g. the Personal account module allows to hide several input fields and the Unix module requires to specify ranges for UID numbers.

LAM Pro can execute common tasks via cron job. This can be used to e.g. notify your users before their passwords expire.

LDAP and database configuration

Please add the LDAP bind user and password for all jobs. This LDAP account will be used to perform all LDAP read and write operations.

Next, select the database type where LAM should store job related data. Supported databases are SQLite and MySQL.

SQLite

This is a simple file based database. It needs no special database server. The database file will be located next to the server profile in config directory.

You will need to install the SQLite PDO module for PHP (pdo_sqlite.so). For Debian/Ubuntu this is located in package php-sqlite3.

MySQL

This will store all job data in an external MySQL database.

You will need to install the MySQL PDO module for PHP (pdo_mysql.so). For Debian/Ubuntu this is located in package php-mysql.

Steps to create a MySQL database and user:

# login
mysql -u root -p
# create a database
mysql> create database lam_cron;
#
mysql> CREATE USER 'lam_cron'@'%' IDENTIFIED BY 'password';
mysql> CREATE USER 'lam_cron'@'localhost' IDENTIFIED BY 'password';
# grant access for new user
mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'%';
mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';

Test your settings

After the LDAP and database settings are done you can test your settings.

Cron entry

LAM also prints the crontab line that you need to run the configured jobs on a daily basis. The command must be run as the same user as your webserver is running. You are free to change the starting time of the script or run it more often.

Dry-run: You can perform a dry-run of the job. This will not perform any actions but only print what would be done. For this please put "--dryRun" at the end of the command. E.g.:

  /usr/share/ldap-account-manager/lib/cron.sh lam 123456789 --dryRun

Adding jobs

To add a new job just click on the "Add job" button and select the job type you need. The list of available jobs depends on your active account modules. E.g. the PPolicy job will only be available if you activated PPolicy user module.

Depending on the job type jobs may be added multiple times with different configurations. For descriptions about the available job types see next chapters.

Available jobs:

• PPolicy: Notify users about password expiration

• 389ds: Notify users about password expiration

• Shadow: Notify users about password expiration

• Shadow: Delete or move expired accounts

• Shadow: Notify users about account expiration

• Windows: Notify users about password expiration

• Windows: Notify users about account expiration

• Windows: Delete or move expired accounts

• Windows: Notify users about their managed groups

• FreeRadius: Delete or move expired accounts

• FreeRadius: Notify users about account expiration

• Qmail: Delete or move expired accounts

• Qmail: Notify users about account expiration

PPolicy: Notify users about password expiration

This will send your users an email reminder before their password expires.

You need to activate the PPolicy module for users to be able to add this job. The job can be added multiple times (e.g. to send a second warning at a later time).

LAM calculates the expiration date based on the last password change and the assigned password policy (or the default policy) using attributes pwdMaxAge and pwdExpireWarning. Negative values are possible to send mails when LDAP's warning time already started.

Examples:

Warning time (pwdExpireWarning) = 14 days, notification period = 10: LAM will send out the email 24 days before the password expires

Warning time (pwdExpireWarning) = 14 days, notification period = 0: LAM will send out the email 14 days before the password expires

No warning time (pwdExpireWarning), notification period = 10: LAM will send out the email 10 days before the password expires

Table 3.1. Options

Option	Description
From address	The email address to set as FROM.
Reply-to address	Optional Reply-to address for email.
CC address	Optional CC mail address.
BCC address	Optional BCC mail address.
Subject	The email subject line. Supports wildcards, see below.
Text	The email body text. Supports wildcards, see below.
Notification period	Number of days to notify before password expires.
Default password policy	Default PPolicy password policy entry (object class "pwdPolicy").

Wildcards:

You can enter LDAP attributes as wildcards in the form @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".

There are also two special wildcards for the expiration date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. "2016-12-31".

389ds: Notify users about password expiration

This will send your users an email reminder before their password expires.

You need to activate the Account Locking module for users to be able to add this job. The job can be added multiple times (e.g. to send a second warning at a later time).

LAM calculates the expiration date based on the attribute passwordExpirationTime.

Table 3.2. Options

Option	Description
From address	The email address to set as FROM.
Reply-to address	Optional Reply-to address for email.
CC address	Optional CC mail address.
BCC address	Optional BCC mail address.
Subject	The email subject line. Supports wildcards, see below.
Text	The email body text. Supports wildcards, see below.
Notification period	Number of days to notify before password expires.

Wildcards:

You can enter LDAP attributes as wildcards in the form @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".

There are also two special wildcards for the expiration date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. "2016-12-31".

Shadow: Notify users about password expiration

This will send your users an email reminder before their password expires.

You need to activate the Shadow module for users to be able to add this job. The job can be added multiple times (e.g. to send a second warning at a later time).

LAM calculates the expiration date based on the last password change, the password warning time (attribute "shadowWarning") and the specified notification period. Negative values are possible to send mails when Shadow's warning time already started.

Examples:

Warning time = 14, notification period = 10: LAM will send out the email 24 days before the password expires

Warning time = 14, notification period = 0: LAM will send out the email 14 days before the password expires

Table 3.3. Options

Option	Description
From address	The email address to set as FROM.
Reply-to address	Optional Reply-to address for email.
CC address	Optional CC mail address.
BCC address	Optional BCC mail address.
Subject	The email subject line. Supports wildcards, see below.
Text	The email body text. Supports wildcards, see below.
Notification period	Number of days to notify before password expires.

Wildcards:

You can enter LDAP attributes as wildcards in the form @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".

There are also two special wildcards for the expiration date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. "2016-12-31".

Shadow: Delete or move expired accounts

You can automatically delete or move expired accounts. The job checks Shadow account expiration dates (not password expiration dates).

Table 3.4. Options

Option	Description
Delay	Number of days to wait after the account is expired.
Action	Delete or move accounts
Target DN	Move only: specifies the DN where accounts are moved

Shadow: Notify users about account expiration

This will send your users an email reminder before their whole account expires.

You need to activate the Shadow module for users to be able to add this job. The job can be added multiple times (e.g. to send a second warning at a later time).

Table 3.5. Options

Option	Description
From address	The email address to set as FROM.
Reply-to address	Optional Reply-to address for email.
CC address	Optional CC mail address.
BCC address	Optional BCC mail address.
Subject	The email subject line. Supports wildcards, see below.
Text	The email body text. Supports wildcards, see below.
Notification period	Number of days to notify before account expires.

Wildcards:

You can enter LDAP attributes as wildcards in the form @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".

There are also two special wildcards for the expiration date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. "2016-12-31".

Windows: Notify users about password expiration

This will send your users an email reminder before their password expires.

You need to activate the Windows module for users to be able to add this job. The job can be added multiple times (e.g. to send a second warning at a later time).

LAM calculates the expiration date based on the last password change and the domain policy.

Table 3.6. Options

Option	Description
From address	The email address to set as FROM.
Reply-to address	Optional Reply-to address for email.
CC address	Optional CC mail address.
BCC address	Optional BCC mail address.
Subject	The email subject line. Supports wildcards, see below.
Text	The email body text. Supports wildcards, see below.
Notification period	Number of days to notify before password expires.

Wildcards:

You can enter LDAP attributes as wildcards in the form @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".

There are also two special wildcards for the expiration date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. "2016-12-31".

Windows: Notify users about account expiration

This will send your users an email reminder before their whole account expires.

You need to activate the Windows module for users to be able to add this job. The job can be added multiple times (e.g. to send a second warning at a later time).

Table 3.7. Options

Option	Description
From address	The email address to set as FROM.
Reply-to address	Optional Reply-to address for email.
CC address	Optional CC mail address.
BCC address	Optional BCC mail address.
Subject	The email subject line. Supports wildcards, see below.
Text	The email body text. Supports wildcards, see below.
Notification period	Number of days to notify before account expires.

Wildcards:

You can enter LDAP attributes as wildcards in the form @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".

There are also two special wildcards for the expiration date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. "2016-12-31".

Windows: Delete or move expired accounts

You can automatically delete or move expired accounts.

Table 3.8. Options

Option	Description
Delay	Number of days to wait after the account is expired.
Action	Delete or move accounts
Target DN	Move only: specifies the DN where accounts are moved

Windows: Notify users about their managed groups

This will send your users an email with the groups they manage. This also includes a list of users in these groups. The users and groups are searched using the user+group account types that are specified in server profile.

You need to activate the Windows module for users to be able to add this job. The job can be added multiple times.

Table 3.9. Options

Option	Description
From address	The email address to set as FROM.
Reply-to address	Optional Reply-to address for email.
CC address	Optional CC mail address.
BCC address	Optional BCC mail address.
Subject	The email subject line. Supports wildcards, see below.
HTML format	Send email as HTML instead of plain text.
Text	The email body text. Supports wildcards, see below.
Period	Defines how often the mail is sent (e.g. quarterly).

Wildcards:

You can enter LDAP attributes as wildcards in the form @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".

Use the wildcard "@@LAM_MANAGED_GROUPS@@" to insert the group listing. This wildcard is mandatory.

FreeRadius: Delete or move expired accounts

You can automatically delete or move expired accounts.

Table 3.10. Options

Option	Description
Delay	Number of days to wait after the account is expired.
Action	Delete or move accounts
Target DN	Move only: specifies the DN where accounts are moved

FreeRadius: Notify users about account expiration

This will send your users an email reminder before their FreeRadius account expires.

You need to activate the FreeRadius module for users to be able to add this job. The job can be added multiple times (e.g. to send a second warning at a later time).

Table 3.11. Options

Option	Description
From address	The email address to set as FROM.
Reply-to address	Optional Reply-to address for email.
CC address	Optional CC mail address.
BCC address	Optional BCC mail address.
Subject	The email subject line. Supports wildcards, see below.
Text	The email body text. Supports wildcards, see below.
Notification period	Number of days to notify before account expires.

Wildcards:

You can enter LDAP attributes as wildcards in the form @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".

There are also two special wildcards for the expiration date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. "2016-12-31".

Qmail: Delete or move expired accounts

You can automatically delete or move expired accounts. The job reads the qmail deletion date of user accounts.

Table 3.12. Options

Option	Description
Delay	Number of days to wait after the account is expired.
Action	Delete or move accounts
Target DN	Move only: specifies the DN where accounts are moved

Qmail: Notify users about account expiration

This will send your users an email reminder before their Qmail account expires.

You need to activate the Qmail module for users to be able to add this job. The job can be added multiple times (e.g. to send a second warning at a later time).

Table 3.13. Options

Option	Description
From address	The email address to set as FROM.
Reply-to address	Optional Reply-to address for email.
CC address	Optional CC mail address.
BCC address	Optional BCC mail address.
Subject	The email subject line. Supports wildcards, see below.
Text	The email body text. Supports wildcards, see below.
Notification period	Number of days to notify before account expires.

Wildcards:

You can enter LDAP attributes as wildcards in the form @@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@". For the common name it would be "@@cn@@".

There are also two special wildcards for the expiration date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g. "2016-12-31".

Job history

This will show the list of all executed job runs and their result.

This is a list of typical scenarios how your LDAP environment may look like and how to structure the server profiles for it.

Simple: One LDAP directory managed by a small group of admins

This is the easiest and most common scenario. You want to manage a single LDAP server and there is only one or a few admins. In this case just create one server profile and you are done. The admins may be either specified as a fixed list or by using an LDAP search at login time.

Advanced: One LDAP server which is managed by different admin groups

Large organisations may have one big LDAP directory for all user/group accounts. But the users are managed by different groups of admins (e.g. departments, locations, subsidiaries, ...). The users are typically divided into organisational units in the LDAP tree. Admins may only manage the users in their part of the tree.

In this situation it is recommended to create one server profile for each admin group (e.g. department). Setup the LDAP suffixes in the server profiles to point to the needed organisational units. E.g. use ou=people,ou=department1,dc=company,dc=com or ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users. Do the same for groups, hosts, ... This way each admin group will only see its own users. You may want to use LDAP search for the LAM login in this scenario. This will prevent that you need to update a server profile if the number of admins changes.

Attention: LAM's feature to automatically find free UIDs/GIDs for new users/groups will not work in this case. LAM uses the user/group suffix to search for already assigned UIDs/GIDs. As an alternative you can specify different UID/GID ranges for each department. Then the UIDs/GIDs will stay unique for the whole directory.

Multiple LDAP servers

You can manage as many LDAP servers with LAM as you wish. This scenario is similar to the advanced scenario above. Just create one server profile for each LDAP server.

This module is the most common basis for user accounts in LAM. You can use it stand-alone to manage address book entries or in combination with Unix, Samba or other modules.

The Personal module provides support for managing various personal data of your users including mail addresses and telephone numbers. You can also add photos of your users. If you do not need to manage all attributes then you can deactivate them in your server profile.

Configuration

Please activate the module "Personal (inetOrgPerson)" for users.

The module manages lots of fields. Probably, you will not need all of them. You can hide fields in module settings.

In advanced options you may also set fields to read-only (for existing accounts) and define limits for photo files. Additionally, you can add an "ou=addressbook" subentry to each user in case you manage user addressbooks.

User management

User certificates can be uploaded and downloaded. LAM will automatically convert PEM to DER format.

Wildcards

This module provides the following wildcards (others may be provided by other modules). Add a "_" after the "$" to get the value in lower-case (e.g. "$_firstname").

You can use them in the following input fields on user edit screen:

Use this when some of your data always follows the same schema. E.g. using "$firstname $lastname" in common name field can be used like this to get "First Last". You can set the wildcards in profile editor so they are automatically applied for new users.

The Unix module manages Unix user accounts including group memberships.

There are several configuration options for this module:

Group memberships can be changed when clicking on "Edit groups". Here you can select the Unix groups and group of names memberships.

To enable "Group of names" please either add the groups module "groupOfNames"/"groupOfUniqueNames" or add the account type "Group of names".

You can also create home directories for your users if you setup lamdaemon. This allows you to create the directories on the local or remote servers.

It is also possible to check the status of the user's home directories. If needed the directories can be created or removed at any time.

Wildcards

This module provides the following wildcards (others may be provided by other modules). Add a "_" after the "$" to get the value in lower-case (e.g. "$_user").

You can use them in the following input fields on user edit screen:

Use this when some of your data always follows the same schema. E.g. using "/home/$user" in home directory field can be used like this to get "/home/myuser". You can set the wildcards in profile editor so they are automatically applied for new users.

This module manages memberships in group of (unique) names and also group of members.

Please note that this module cannot be used if the Unix module is active. In this case group memberships may be managed with the Unix module.

Configuration

To activate this feature please add the user module "Group of names (groupOfNamesUser)" to your LAM server profile.

The module automatically detects if groups are based on "groupOfNames", "groupOfUniqueNames" or "groupOfMembers" and sets the correct attribute.

LAM can manage role memberships in organizationalRole objects. To activate this feature please add the user module "Roles (organizationalRoleUser)" to your LAM server profile.

User editing

Now, there will be a new tab "Roles" when you edit your user accounts. Here you can select the role memberships.

LAM supports the management of the LDAP substitution of /etc/shadow. Here you can setup password policies for your Unix accounts and also view the last password change of a user.

Configuration

Please add the module "NIS net groups (nisNetGroupUser)" to the list of active user modules.

User editing

You will now see a new tab when editing users. Here you can assign memberships in NIS net groups and also set host/domain.

LAM Pro allows your users to reset their passwords by answering a security question. The reset link is displayed on the self service page. Additionally, you can set question + answer in the admin interface.

Please note that self service and LAM admin interface are separated functionalities. You need to specify the list of possible security questions in both self service profile(s) and server profile(s).

Schema installation

Please install the LDAP schema as described here.

Activate password self reset module

Please activate the password self reset module in your LAM Pro server profile.

Now select the tab "Module settings" and specify the list of possible security questions. Only these questions will be selectable when you later edit accounts unless you explicitly allow to enter custom questions. LAM Pro supports to set up to three security questions per user.

If you do not want to set backup email addresses then you can hide this option.

Edit users

After everything is setup please login to LAM Pro and edit your users. You will see a new tab called "Password self reset". Here you can activate/remove the password self reset function for each user. You can also change the security question and answer.

If you set a backup email address then confirmation emails will also be sent to this address. This is useful if the user password grants access to the user's primary mailbox. So passwords can be unlocked with an external email address.

Hint: You can add the passwordSelfReset object class to all your users with the multi edit tool.

Samba 4 note: Due to a bug in Samba 4 you need to add the extension, save, and then select a question and set the answer. If you add the extension, set question/answer and then save all together this will cause an LDAP error and no changes will be saved.

You can specify a list of valid host names where the user may login. If you add the value "*" then the user may login to any host. This can be further restricted by adding explicit deny entries which are prefixed with "!" (e.g. "!hr_server").

Please note that your PAM settings need to support host restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled then the account facility of pam_ldap will perform the checks and return an error when no proper host attribute is present. Please note that users without host attribute cannot login to such a configured server.

LAM supports full Samba 3 user management including logon hours and terminal server options.

The module is enabled by adding "Samba 3 (sambaSamAccount)" to your user modules.

In the configuration options you can enable password history checking. Depending on your LDAP server you might need ascending or descending order. Just switch the setting if the password history is not correctly updated.

In case you have no very old Windows clients (e.g. Windows 98) it is recommended to disable LM hashes. They are considered to be insecure.

You can also hide some input fields if you do not need them.

After configuring the module you will see the Samba 3 tab when you edit a user.

Logon hours can be changed.

You can also setup terminal server settings.

Please activate the account type "Users" in your LAM server profile and then add the user module "Windows (windowsUser)(*)".

The default list attributes are for Unix and not suitable for Windows (blank lines in account table). Please use "#cn;#givenName;#sn;#mail" or select your own attributes to display in the account list.

On tab "Module settings" you can specify the possible Windows domain names and if pre-Windows 2000 user names should be managed.

NIS support is deactivated by default. Enable it if needed.

You can also set maximum values for user photos in advanced options.

Now you can manage your Windows users and e.g. assign groups. You might want to set the default domain name in the profile editor.

Attention:

Wildcards

This module provides the following wildcards (others may be provided by other modules). Add a "_" after the "$" to get the value in lower-case (e.g. "$_firstname").

You can use them in the following input fields on user edit screen:

Use this when some of your data always follows the same schema. E.g. using "$firstname $lastname" in common name field can be used like this to get "First Last". You can set the wildcards in profile editor so they are automatically applied for new users.

Please activate the account type "Users" in your LAM server profile and then add the user module "AD LDS (windowsLDSUser)(*)".

The default list attributes are for Unix and not suitable for AD LDS (blank lines in account table). Please use "#cn;#givenName;#sn;#mail" or select your own attributes to display in the account list.

On tab "Module settings" you can specify the possible Windows domain names.

You can also set maximum values for user photos in advanced options.

Now you can manage your AD LDS users and e.g. assign groups. You might want to set the default domain name in the profile editor.

Attention:

Password changes require a secure connection via ldaps://. Check your LAM server profile if password changes are refused by the server.

Wildcards

This module provides the following wildcards (others may be provided by other modules). Add a "_" after the "$" to get the value in lower-case (e.g. "$_firstname").

You can use them in the following input fields on user edit screen:

Use this when some of your data always follows the same schema. E.g. using "$firstname $lastname" in common name field can be used like this to get "Demo User". You can set the wildcards in profile editor so they are automatically applied for new users.

You can manage file system quotas with LAM. This requires to setup lamdaemon. LAM connects to your server via SSH and manages the disk filesystem quotas. The quotas are stored directly on the filesystem. This is the default mechanism to store quotas for most systems.

Please add the module "Quota (quota)" for users to your LAM server profile to enable this feature.

If you store the quota information directly inside LDAP please see the next section.

You can store your filesystem quotas directly in LDAP. See Linux DiskQuota for details since it requires quota tools that support LDAP. You will need to install the quota LDAP schema to manage the object class "systemQuotas".

Please add the module "Quota (systemQuotas)" for users to your LAM server profile to enable this feature.

If you store the quota information on the filesystem please see the previous section.

This module supports to manage Kolab accounts with LAM. E.g. you can set the user's mail quota and define invitation policies.

Please add the Kolab user module in your LAM server profile to activate Kolab support.

Please enter an email address at the Personal page and set a Unix password first. Both are required that Kolab accepts the accounts. The email address ("Personal" page) must match your Kolab domain, otherwise the account will not work.

If you upgrade existing non-Kolab accounts please make sure that the account has an Unix password.

LAM supports Asterisk accounts, too. See the Asterisk section for details.

EDU person accounts are mainly used in university networks. You can specify the principal name, nick names and much more.

There are two LAM user modules depending if your user entries should be built on object class "pykotaObject" or a different structural object class (e.g. "inetOrgPerson"). For "pykotaObject" please select "PyKota (pykotaUserStructural(*))" and "PyKota (pykotaUser)" in all other cases.

To display the job history please setup the job DN on tab "Module settings":

Now you can add the PyKota extension to your user accounts. Here you can setup the printing options and add payments for this user.

For LAM Pro there are also self service fields to allow users e.g. to view their current balance and job history.

You may also view the payment and job history.

OpenLDAP supports the ppolicy overlay to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to user accounts.

Please add the account type "Password policies" to your LAM server profile and activate the "Password policy" module for the user/group/host type.

You can select the password policy and force a password change on next login. Accounts can also be (un)locked.

You can assign any password policy which is found in the LDAP suffix of the "Password policies" type. When you set the policy to "default" then OpenLDAP will use the default policy as defined in your slapd.conf file.

Attention: Locking and unlocking requires that you also activate the option "Lockout users" in the assigned password policy. Otherwise, it will have no effect.

This module allows you to display if users are locked by 389ds server. You can (de)activate your users. The password expiration time can also be managed.

Requirements: 389ds LDAP server

Configuration

Please add the user module "Account locking (locking389ds)".

This will show the password expiration time. You can edit the value if needed.

If there are any failed login attempts then LAM displays their number and till when the user is locked by the system.

The limit of failed login attempts and lockout duration is configured on your LDAP server and not within LAM.

You can unlock the user by clicking on the lock icon.

Here you can also (de)activate the account.

Note: Accounts are only locked by the LDAP server due to failed password attempts. You cannot manually lock an account. Deactivate it in case you want to disable login for a user.

FreeRadius is a software that implements the RADIUS authentication protocol. LAM allows you to manage several of the FreeRadius attributes.

To activate the FreeRadius plugin please activate the FreeRadius user module in your server profile:

You can disable unneeded fields on the tab "Module settings". Here you can also set the DN where your Radius profile templates are stored if you use the option "Profile".

Now you will see the tab "FreeRadius" when editing users. The extension can be (de)activated for each user. You can setup e.g. realm, IP and expiration date.

You can manage your Heimdal Kerberos accounts with LAM Pro. Please add the user module "Kerberos (heimdalKerberos)" to activate this feature.

Setup password changing

LAM Pro cannot generate the password hashes itself because Heimdal uses a proprietary format for them. Therefore, LAM Pro needs to call e.g. kadmin to set the password.

The wildcards @@password@@ and @@principal@@ are replaced with password and principal name. Please use keytab authentication for this command since it must run without any interaction.

Example to create a keytab: ktutil -k /root/lam.keytab add -p lam@LAM.LOCAL -e aes256-cts-hmac-sha1-96 -V 1

Security hint: Please secure your LAM Pro server since the new passwords will be visible for a short term in the process list during password change.

User management

You can specify the principal/user name, ticket lifetimes and expiration dates. Additionally, you can set various account options.

You can manage your MIT Kerberos accounts with LAM Pro. Please add the user module "Kerberos (mitKerberos)" to activate this feature. If you want to manage entries based on the structural object class "krbPrincipal" please use "Kerberos (mitKerberosStructural)" instead.

Setup password changing

LAM Pro cannot generate the password hashes itself because MIT uses a proprietary format for them. Therefore, LAM Pro needs to call kadmin/kadmin.local to set the password.

LAM will add "-q 'cpw -pw PASSWORD PRINCIPAL'" to the command to set the password. Please use keytab authentication for this command since it must run without any interaction.

Keytabs may be created with the "ktutil" application.

Security hint: Please secure your LAM Pro server since the new passwords will be visible for a short term in the process list during password change.

Please note that kadmin/kadmin.local often returns a successful command even if errors occurred (e.g. password policy violations). You need to test this before and if affected then write a wrapper script around kadmin that returns non-zero return codes for errors.

Example commands:

User management

You can specify the principal/user name, ticket lifetimes and expiration dates. Additionally, you can set various account options.

This module allows to add/remove the user in mail alias entries.

Note: You need to activate the mail alias type for this module.

To activate mail aliases for users please select the module "Mail aliases (nisMailAliasUser)":

On tab Module settings you can select if you want to set the user name or email as recipient in alias entries.

Now you will see the mail aliases tab when editing an user.

The red cross will only remove the user from the alias entry. If you click the trash can button then the whole alias entry (which may contain other users) will be deleted.

You can add the user to existing alias entries or create completely new ones.

This module allows to add/remove the Courier extension for users.

Configuration:

Please activate the module Courier for users to enable this extension. The Unix module is optional.

Usage:

Your user tab will now show the Courier extension. This can be added/removed any time.

Here you can configure the home directory in case the Unix module is not activated. Additionally, mailbox folder, quota, server and feature flags can be configured.

LAM Pro manages all qmail attributes for users. This includes mail addresses, ID numbers and quota settings.

Please note that the main mail address is managed on tab "Personal" if this module is active. Otherwise, it will be on the qmail tab.

You can hide several qmail options if you do not want to manage them with LAM. This can be done on the module settings tab of your LAM server profile.

LAM supports to manage mail routing for user accounts.

Module activation:

This feature can be activated by adding the "Mail routing" module to the user account type in your server profile.

Usage

You can specify a routing address, the mail server and a number of local addresses to route.

In case you want to add this extension by default for new users there is an option in profile editor.

Wildcards

The module supports wildcards in the following input fields:

See the other modules that you activated what wildcards they provide (e.g. $user).

You can manage your public keys for SSH in LAM if you installed the LPK patch for SSH or setup AuthorizedKeysCommand (see below).

Activate the "SSH public key" module for users in the server profile and you can add keys to your user entries.

Example for AuthorizedKeysCommand

This will dynamically get the public key from LDAP. In this case there is no need to patch SSH sources.

Create the authentication script in e.g. /usr/bin/ldapAuthSSH.sh

Now setup your sshd_config

You can manage your YubiKey ids with LAM. It supports the yubiKeyUser schema or any other attribute mapping.

Configuration

First, you need to activate the YubiKey module for users in your LAM server profile.

Second, you need to specify which object class and attribute name should be used.

Object class: If you have an object class just for the YubiKey ids then enter it here. LAM will then provide options to add and remove it. In case you reuse some existing attribute from e.g. inetOrgPerson please leave object class name blank.

Attribute name: please enter the attribute name that is used for the key ids.

You will then be able to manage the key ids for your users.

Self Service (LAM Pro)

This will allow your users to update their own keys.

You need to configure the object class and attribute name first. This is done on tab "Module settings" in self service profile.

Attention: Please note that both fields are mandatory here. Even if you reused an attribute from some existing object class you need to set it here. LAM needs this to detect if the user can add keys.

Then add the YubiKey ids field to your self service profile on tab "Page layout".

When a user with the specified object class logs in then the key input fields are shown.

You can setup PAM to check if a user is allowed to run a specific service (e.g. sshd) by reading the LDAP attribute "authorizedService". This way you can manage all allowed services via LAM.

To activate this PAM feature please setup your /etc/libnss-ldap.conf and set "pam_check_service_attr" to "yes".

Inside LAM you can now set the allowed services. You may also setup default services in your account profiles.

You can define a list of services in your LAM server profile that is used for autocompletion.

The autocompletion will show all values that contains the entered text. To display the whole list you can press backspace in the empty input field. Of course, you can also insert a service name that is not in the list.

LAM may create and delete mailboxes on an IMAP server for your user accounts. You will need an IMAP server that supports either SSL or TLS for this feature.

To activate the mailbox management module please add the "Mailbox (imapAccess)" module for the type user in your LAM server profile:

Now configure the module on the tab "Module settings". Here you can specify the IMAP server name, encryption options, the authentication for the IMAP connection and the valid mail domains. LAM can use either your LAM login password for the IMAP connection or display a dialog where you need to enter the password. It is also possible to store the admin password in your server profile. This is not recommended for security reasons.

The user name can either be a fixed name (e.g. "admin") or it can be generated with LDAP attributes of the LAM admin user. E.g. $uid$ will be transformed to "myUser" if you login with "uid=myUser,ou=people,dc=example,dc=com".

The mail domains specify for which accounts mailboxes may be created/deleted. E.g. if you enter "lam-demo.org" then mailboxes can be managed for "user@lam-demo.org" but not for "user@example.com". Use "*" for any domain.

You need to install the SSL certificate of the CA that signed your server certificate. This is usually done by installing the certificate in /etc/ssl/certs. Different Linux distributions may offer different ways to do this. For Debian/Ubuntu please copy the certificate in "/usr/local/share/ca-certificates" and run "update-ca-certificates" as root.

It is not recommended to disable the validation of IMAP server certificates.

The prefix, user name attribute and path separator specifies how your mailboxes are named (e.g. "user.myUser@localhost" or "user/myUser"). Select the values depending on your IMAP server settings.

You can specify a list of initial folder names to create for new mailboxes. LAM will then create them with each new mailbox.

When you edit an user account then you will now see the tab "Mailbox". Here you can create/delete the mailbox for this user.

Please note that mailbox creation via file upload is not possible if you configured in LAM server profile to ask for the admin password.

You can manage the IP addresses of user accounts (e.g. assigned by DHCP) with the ipHost module.

Configuration

User editing

This is a very simple module to manage accounts based on the object class "account". Usually, this is used for host accounts only. Please pay attention that users based on the "account" object class cannot have contact information (e.g. telephone number) as with "inetOrgPerson".

You can enter a user/host name and a description for your accounts.

Use this module if you want to use OpenLDAP's builtin 2-factor-authentication with TOTP.

For admin interface add the OpenLDAP TOTP module:

When one of your users activates TOTP then you can see the serial number and TOTP params in user edit screen.

Please note that the token can only be setup by the user in self service. Admins are not able to setup tokens. They can just delete them by removing the extension.

This module is used to manage Unix group entries. This is the default module to manage Unix groups and uses the nis.schema. Suse users who use the rfc2307bis.schema need to use LAM Pro.

Configuration

Special Please add the account type "Groups" and then select account module "Unix (posixGroup)".

Virtual list attributes:

The following virtual attributes can be shown in the group list. These are no real LDAP attributes but extra data that can be shown by LAM.

Module settings:

GID generator: LAM will suggest GID numbers for your accounts. Please note that it may happen that there are duplicate IDs assigned if users create groups at the same time. Use an overlay like "Attribute Uniqueness" (example) if you have lots of LAM admins creating groups.

Disable membership management: Disables group membership management. This is useful if memberships are e.g. managed via group of names.

Group management:

Group membership management:

Some applications (e.g. Suse Linux) use the rfc2307bis schema for Unix accounts instead of the nis schema. In this case group accounts are based on the object class groupOf(Unique)Names or namedObject. The object class posixGroup is auxiliary in this case.

LAM Pro supports these groups with a special account module: rfc2307bisPosixGroup

Use this module only if your system depends on the rfc2307bis schema. The module can be selected in the LAM configuration. Instead of using groupOfNames as basis for your groups you may also use namedObject.

Module activation:

GID generator: LAM will suggest GID numbers for your accounts. Please note that it may happen that there are duplicate IDs assigned if users create groups at the same time. Use an overlay like "Attribute Uniqueness" (example) if you have lots of LAM admins creating groups.

Disable membership management: Disables group membership management. This is useful if memberships are e.g. managed via group of names.

Force sync with group of names: This will automatically set the group memberships of the Unix part to the same members as set on group of names tab.

The GID number will be filled automatically based on the server profile configuration.

Group members can be edited and also synced with Group of (unique) names.

LAM supports managing Samba 3 groups. You can set special group types and also create Windows predefined groups like "Domain admins".

Module activation:

Group editing:

LAM can manage your Windows groups. Please enable the account type "Groups" in your LAM server profile and then add the group module "Windows (windowsGroup)(*)".

The default list attributes are for Unix and not suitable for Windows (blank lines in account table). Please use "#cn;#member;#description" or select your own attributes to display in the account list.

NIS support is deactivated by default. Enable it if needed on tab "Module settings".

Now you can edit your groups inside LAM. You can manage the group name, description and its type. Of course, you can also set the group members.

Group scopes:

Group type:

With "Show effective members" you can show a list of all members of this group including members of subgroups and their subgroups.

LAM can manage your AD LDS groups. Please enable the account type "Groups" in your LAM server profile and then add the group module "AD LDS (windowsLDSGroup)(*)".

The default list attributes are for Unix and not suitable for AD LDS (blank lines in account table). Please use "#cn;#member;#description" or select your own attributes to display in the account list.

Now you can edit your groups inside LAM. You can manage the group name, description and its type. Of course, you can also set the group members.

With "Show effective members" you can show a list of all members of this group including members of subgroups and their subgroups.

Please activate the Kolab group module in your LAM server profile to activate Kolab support.

You can specify the email address and also set allowed sender and recipient addresses.

LAM supports to manage mail routing for group accounts.

Module activation:

This feature can be activated by adding the "Mail routing" module to the group account type in your server profile.

Usage:

You can specify a routing address, the mail server and a number of local addresses to route.

In case you want to add this extension by default for new groups there is an option in profile editor.

You can manage file system quotas with LAM. This requires to setup lamdaemon. File system quotas are not stored inside LAM but managed directly on the specified servers.

Dynamic lists allow you to create LDAP entries that populate the value of an attribute via LDAP query. This is e.g. used to create groups that contain all users in a certain DN.

Please note that this functionality requires configuration on your LDAP server. E.g. on OpenLDAP you need to activate the "dynlist" overlay and need to specify attribute mappings.

Configuration

Add a new group account type and set a unique label for it.

Do not forget to set proper "List attributes" to be shown on the overview page of all dynamic lists.

On tab "Modules" please add the dynamic lists module.

On tab "Module settings" you can now configure your dynamic lists. Here you setup the used object class, RDN attribute, query attribute and list attribute (the one that is populated via query).

In case you have different types of dynamic lists you can simply redo the steps above to create more group types.

Usage

When you login to LAM you will see your new dynamic lists tab.

For each list you can manage the name and query string. LAM also displays which entries are auto-populated to the list.

There are two LAM group modules depending if your group entries should be built on object class "pykotaObject" or a different structural object class (e.g. "posixGroup"). For "pykotaObject" please select "PyKota (pykotaGroupStructural(*))" and "PyKota (pykotaGroup)" in all other cases.

Now you can add the PyKota extension to your groups.

You can specify a list of valid host names where the group's members may login. If you add the value "*" then the users may login to any host. This can be further restricted by adding explicit deny entries which are prefixed with "!" (e.g. "!hr_server").

Please note that your PAM settings need to support host restrictions. This feature is enabled by setting pam_check_host_attr yes in your /etc/pam_ldap.conf. When it is enabled then the account facility of pam_ldap will perform the checks and return an error when no proper host attribute is present. Please note that users without host attribute cannot login to such a configured server.

See password policy for users.

Please see the description here.

The device object class allows to manage general information about all sorts of devices (e.g. computers, network hardware, ...). You can enter the serial number, location and a describing text. It is also possible to specify the owner of the device.

You can manage Samba 3 host entries by adding the Unix and Samba 3 account modules.

LAM can manage your Windows servers and workstations. Please enable the account type "Hosts" in your LAM server profile and then add the host module "Windows (windowsHost)(*)".

The default list attributes are for Unix and not suitable for Windows (blank lines in account table). Please use "#cn;#description;#location" or select your own attributes to display in the account list.

Now you will see you computer accounts inside LAM. You can set e.g. the server's description and location information.

You can manage the IP addresses of host accounts with the ipHost module. It manages the following information:

You can activate this extension by adding the module ipHost to the list of active host modules.

Hosts can have an unlimited number of MAC addresses. To enable this feature just add the "MAC address" module to the host account type.

LAM supports to manage your Puppet configuration. You can edit all attributes like environment, classes, variables and parent node.

Configuration

To activate this feature please edit your LAM server profile and add the host module "Puppet (puppetClient)" on tab "Modules". This will add the Puppet tab to your host pages.

On tab "Module settings" in your LAM server profile you may also setup some common environment names. LAM will use them to provide autocompletion hints when editing the environment for a node.

If you enter any value in "Enforce classes" then LAM will only accept this list of classes.

Editing nodes

When you edit a host entry then you will see the tab "Puppet". Here you can add/remove the Puppet extension and edit all attributes.

NIS netgroups can be used to e.g. restrict SSH access to your machines.

Configuration

Please add the module "NIS net groups (nisNetGroupHost)" to the list of active host modules.

Host editing

You will now see a new tab when editing hosts. Here you can assign memberships in NIS net groups and also set user/domain.

See password policy for users.

Configuration

To enable Kopano support for users please activate the Kopano module for the user account type in you server profile:

Adjust the suffix and list attributes to your needs.

Then select the Kopano user module (tab Modules). You can combine it with Personal module, Unix or Windows.

Next configure the module to your needs (tab Module settings).

Attention: LAM Pro uses the Kopano OpenLDAP schema by default. This schema fits for OpenLDAP, OpenDJ, Apache Directory server and other common LDAP servers. If you run Samba 4 or Active Directory then you need to switch the schema to "Active Directory" on the module settings tab.

You can hide options that you do not need. E.g. if you do not want to manage quotas per user then you can hide these options.

Examples for your Kopano ldap.cfg:

"Send as" attribute: dn

ldap_user_sendas_attribute_type = dn

"Send as" attribute: uid

ldap_user_sendas_attribute_type = text

ldap_user_sendas_relation_attribute = uid

Attention: If the Active Directory schema is used then LAM will always use dn and ignore this setting.

Usage

LAM Pro will now display the Kopano tab on your users. This includes email settings, quotas and some options (e.g. hide from address book). You can also set the resource type and capacity for meeting rooms and equipment. The Kopano extension can be added and removed at any time for every user.

Configuration

The configuration is similar to users. Instead of the Kopano user module please select the contact module.

Usage

LAM Pro will now display the Kopano contact tab on your users. The Kopano extension can be added and removed at any time for every user.

Configuration

To enable Kopano support for groups please activate the Kopano module for the group account type in you server profile:

Adjust the suffix and list attributes to your needs.

Then select the Kopano group module (tab Modules). You can combine it with groups of names module, Unix or Windows.

Next configure the module to your needs (tab Module settings).

Usage

LAM Pro will now display the Kopano tab on your groups. The Kopano extension can be added and removed at any time for every group.

Configuration

To enable Kopano support for address lists please activate the Kopano address list account type in you server profile (tab account types):

Adjust the suffix and list attributes to your needs.

Then select the Kopano address list module (tab Modules).

Usage

LAM Pro will now display the Kopano address list tab.

Configuration

To enable Kopano support for dynamic groups please activate the Kopano dynamic group account type in you server profile (tab account types):

Adjust the suffix and list attributes to your needs.

Then select the Kopano dynamic group module (tab Modules).

Usage

LAM Pro will now display the Kopano address list tab.

Configuration

To enable Kopano support for servers please activate the Kopano server module for the hosts account type in you server profile (tab account types):

Adjust the suffix and list attributes to your needs.

Then select the Kopano server module (tab Modules).

Next configure the module to your needs (tab Module settings).

Usage

LAM Pro will now display the Kopano tab on your hosts. The Kopano extension can be added and removed at any time for every server.

First, you need to add the Bind DNS account type and the Bind DLZ module:

Please set the LDAP suffix either to an existing DNS zone (dlzZone) or an organizational unit that should include your DNS zones.

For regular entry management use "DNS entry (bindDLZ)(*)" module.

XFR

If you want to edit XFR entries please add a second account type for XFR. Recommended list attributes are "#dlzipaddr;#dlzrecordid".

Now use the "XFR (bindDLZXfr)(*)" module for this account type.

Automatic PTR management

LAM can automatically create/delete PTR entries for the entered IPv4/6 records. You can enable this feature on the module settings tab.

PTR records will get the same TTL as IP records. Please note that you need to have matching reverse zones (".in-addr.arpa"/".ip6.arpa") under the same suffix as your other DNS entries.

Zone management

If you do not yet have a DNS zone then LAM can create one for you. In list view switch the suffix to an organizational unit DN. Now you will see a button "New zone".

This will create the zone container entry and a default DNS entry "@" for authoritative information. Now switch the suffix to your new zone and start adding DNS entries.

LAM supports the following DNS record types:

Authoritative (SOA) and name server (NS) records

Here you can manage general information about the zone like timeouts and name servers. Please note that name servers must be inserted in a special format (dot at the end).

IP addresses (A/AAAA)

LAM will automatically set the correct type (A/AAAA) depending if you enter an IPv4 or IPv6 address.

Reverse DNS entries

Reverse DNS entries are important when you need to find the DNS name that is associated with a given IP address. Reverse DNS entries are stored in a separate DNS zone.

Alias names (CNAME)

Sometimes a DNS entry should simply point to a different DNS entry (e.g. for migrations). This can be done by adding an alias name.

Mail servers (MX)

The mail server entries define where mails to a domain should be delivered. The server with the lowest preference has the highest priority.

Text records (TXT)

Text records can be added to store a description or other data (e.g. SPF information).

Services (SRV)

Service records can be used to specify which servers provide common services such as LDAP. Please note that the host name must be _SERVICE._PROTOCOL (e.g. _ldap._tcp).

Priority: The priority of the target host, lower value means more preferred.

Weight: A relative weight for records with the same priority. E.g. weights 20 and 80 for a service will result in 20% queries to the one server and 80% to the other.

Port: The port number that is used for your service.

Server: DNS name where service can be reached (with dot at the end).

File upload

You can upload complete DNS zones via LAM's file upload. Here is an example for a zone file and the corresponding CSV file.

Please check that you have an existing zone entry that can be used for the file upload. See above to create a new zone.

Hint: If you use the function above to create a new zone then please skip the "@" entry in the CSV file below. LAM creates this entry with sample data.

In this example we assume that the following zone entry exists:

Here is the corresponding CSV file: bindUpload.csv

You can manage the XFR entries in the second tab that you configured before.

For each XFR entry you can set a record ID and the IP address.

Note: Use the mail alias user module to manage mail aliases on user pages.

All accounts of this type are based on the "nisMailAlias" object class and may have "cn" and "rfc822MailMember" attributes.

You need to select the Mail aliases module on the next tab.

The mail aliases will then appear as separate tab inside LAM. You may then manage the aliases with their names and recipient addresses.

There are mail/user icons that allow to select a mail address/user name from the existing users.

Mail aliases for Courier SMTP can be used when activating NIS mail aliases and Courier modules:

You will then get the Courier tab for your mail aliases.

The LDAP import supports input data in LDIF format. You can provide plain text or upload an LDIF file.

The "Don't stop on errors" option will cause the import to continue even if entries could not be created.

Here you can export your plain LDAP data as LDIF or CSV file.

Base DN: this is the starting point of the export. Enter a DN or press the magnifying glass icon to open the DN selection dialog.

Search scope: You can export just the base DN, base DN + its direct children or the whole subtree.

Search filter: this can be used to filter the entries by specifying a standard LDAP filter. The preselected filter "(objectclass=*)" matches all entries.

Attributes: the list of attributes that should be part of export. "*" matches all standard attributes (excluding system attributes).

Include system attributes: this will also include system attributes like the entry creation time and creator's DN.

Save as file: will save to file instead of printing the data on the web page.

Export format: you can select LDIF or CSV (e.g. for usage in spreadsheet applications).

End of line: use the one appropriate for your operating system.

LAM provides an external script to manage home directories and quotas. You can test here if everything is setup correctly.

If you get an error like "no tty present and no askpass program specified" then the path to the lamdaemon.pl may be wrong. Please see the lamdaemon installation instructions for setup details.

This will test if your LDAP schema supports all object classes and attributes of the active LAM modules. If you get a message that something is missing please check that you installed all required schemas.

If you get error messages about object class violations then this test can tell you what is missing.

By default only a few administrative users have write access to the LDAP database. Before your users may change their settings you must allow them to change their LDAP data.

Hint: The ACLs below are not required if you decide to run all operations as the LDAP bind user (option "Use for all operations").

This can be done by adding ACLs to your slapd.conf or slapd.d/cn=config/olcDatabase={1}bdb.ldif which look similar to these:

access to

attrs=userPassword

by self write

by anonymous auth

by * none

access to

attrs=mail,sn,givenName,telephoneNumber,mobile,facsimileTelephoneNumber,street,postalAddress,postOfficeBox,postalCode,roomNumber,shadowLastChange,passwordSelfResetAnswer,passwordSelfResetQuestion,passwordSelfResetBackupMail

by self write

by * read

If you do not want them to change all attributes then reduce the list to fit your needs. Some modules may require additional LDAP attributes. You can use the tree view to get the technical attribute names e.g. by selecting an user account.

Usually, the slapd.conf file is located in /etc/ldap or /etc/openldap.

There exist many LDAP implementations. If you do not use OpenLDAP you need to write your own ACLs. Please check the manual of your LDAP server for instructions.

On top of the page you see the link to the user login page. Copy this link address and give it to your users.

Below the link you can specify several options.

2-factor authentication

LAM supports 2-factor authentication for your users. This means the user will not only authenticate by user+password but also with e.g. a token generated by a mobile device. This adds more security because the token is generated on a physically separated device (typically mobile phone).

The token is validated by a second application. LAM currently supports:

• privacyIdea

• YubiKey

• Duo

• WebAuthn/FIDO2

• Okta

• OpenID

privacyIDEA

• Base URL: please enter the URL of your privacyIDEA instance

• User name attribute: please enter the LDAP attribute name that contains the user ID (e.g. "uid")

• Optional: By default LAM will enforce to use a token and reject users that did not setup one. You can set this check to optional. But if a user has setup a token then this will always be required.

• Disable certificate check: This should be used on development instances only. It skips the certificate check when connecting to verification server.

Please note that LAM needs to authenticate to privacyIdea with the user's user name and password WITHOUT second factor. This is needed to get the list of tokens that are setup for the user. You can setup a separate policy (scope: authentication) for LAM inside privacyIdea that has IP restriction ("Client" setting) to LAM's server IP and an action "otppin" "none".

YubiKey

• Base URLs: please enter the URL(s) of your YubiKey verification server(s). If you run a custom verification API such as yubiserver then enter its URL (e.g. http://www.example.com:8000/wsapi/2.0/verify). The URL needs to end with "/wsapi/2.0/verify". For YubiKey cloud these are "https://api.yubico.com/wsapi/2.0/verify", "https://api2.yubico.com/wsapi/2.0/verify", "https://api3.yubico.com/wsapi/2.0/verify", "https://api4.yubico.com/wsapi/2.0/verify" and "https://api5.yubico.com/wsapi/2.0/verify". Enter one URL per line.

• Client id: this is only required for YubiKey cloud. You can register here: https://upgrade.yubico.com/getapikey/

• Secret key: this is only required for YubiKey cloud. You can register here: https://upgrade.yubico.com/getapikey/

• Optional: By default LAM will enforce to use a token and reject users that did not setup one. You can set this check to optional. But if a user has setup a token then this will always be required.

• Disable certificate check: This should be used on development instances only. It skips the certificate check when connecting to verification server.

Duo

This requires to register a new "Web SDK" application in your Duo admin panel.

• User name attribute: please enter the LDAP attribute name that contains the user ID (e.g. "uid").

• Base URL: please enter the API-URL of your Duo instance (e.g. api-12345.duosecurity.com).

• Client id: please enter your client id.

• Secret key: please enter your client secret.

WebAuthn/FIDO2

See the WebAuthn/FIDO2 appendix for an overview about WebAuthn/FIDO2 in LAM.

Users will be asked to register a device during login if no device is setup.

• Domain: Please enter the WebAuthn domain. This is the public domain of the web server (e.g. "example.com"). Do not include protocol or port. Browsers will reject authentication if the domain does not match the web server domain.

• Optional: By default LAM will enforce to use a 2FA device and reject users that do not setup one. You can set this check to optional. But if a user has setup a device then this will always be required.

Okta

This requires to register a new application of type "Web".

There, you will need to configure LAM's 2-factor URLs as "Login redirect URIs" in the new application. They are "https://YOURDOMAIN/lam/templates/login2Factor.php" for admin interface and "https://YOURDOMAIN/lam/templates/selfService/selfService2Factor.php?scope=user&name=YOUR_PROFILE" for self service. You will get an error message during login with the URL to configure in case it was wrong.

On "Sign On" tab you need to add a rule that prompts for the factor.

LAM options:

• User name attribute: please enter the LDAP attribute name that contains the user ID (e.g. "mail").

• Base URL: please enter the URL of your Okta domain (e.g. https://mydomain.okta.com)

• Client id: please enter your application client id.

• Secret key: please enter your application secret key.

OpenID

This will use an OpenID server as 2nd factor for authentication.

LAM options:

• User name attribute: please enter the LDAP attribute name that contains the user ID (e.g. "uid").

• Base URL: please enter the URL of your OpenID client URL. The URL is the one before the "/.well-known/openid-configuration".

• Client id: please enter your application client id.

• Secret key: please enter your application secret key.

KeyCloack example configuration:

Create a new client, select "OpenID Connect" client type and enter a client ID.

Now enable "Client authentication" and enter the valid redirect URLs in the last step.

They are "https://YOURDOMAIN/lam/templates/login2Factor.php" for admin interface and "https://YOURDOMAIN/lam/templates/selfService/selfService2Factor.php" for self service. You will get an error message during login in case it was wrong. Then save the configuration.

Next, switch to tab "Credentials" to get the client secret.

Example configuration values:

• User name: uid

• Base URL: http://openidserver/auth/realms/master

• Client id: demo

• Secret key: 59bdf504-b76e-4138-8421-ef662b2c6c83

Remember device

You can allow users to remember the 2FA device for privacyIDEA, WebAuthn and YubiKey. When a device is remembered then users can login for the specified time without presenting their 2nd factor.

The password for the device remembering is used to authenticate the device data. It can be any long passphrase (use > 30 characters). LAM auto-generates one for you. If you change the passphrase then all device data gets invalid and users need to represent their 2nd factor again (which then can be saved again).

Login

After logging in with user + password LAM will ask for the 2nd factor. If the user has setup multiple factors then he can choose one of them.