Chapter 3. Managing entries in your LDAP directory

Table of Contents

Users
Personal
Unix
Shadow
Hosts
Samba 3
Quota
Kolab
phpGroupWare
Asterisk
EDU person
Password policy (LAM Pro)
Mail routing
SSH keys
IMAP mailboxes
Account
Groups
Unix
Unix groups with rfc2307bis schema (LAM Pro)
Samba 3
phpGroupWare
Quota
Hosts
Account
Device (LAM Pro)
Samba 3
IP addresses (LAM Pro)
MAC addresses
Samba 3 domains
Group of (unique) names (LAM Pro)
Asterisk
Zarafa (LAM Pro)
Configuration
DHCP
Aliases (LAM Pro)
Mail aliases
NIS net groups
NIS objects (LAM Pro)
Automount objects (LAM Pro)
Password policies (LAM Pro)
Custom scripts (LAM Pro)
Sudo roles (LAM Pro)
Tree view (LDAP browser)
Typical usage scenarios

This chapter explains how to manage the different LDAP entries in your directory.

Please note that not all account types are manageable with the free LAM release. LAM Pro provides some more account types and modules to support additional LDAP object classes.

Additional types:

Additional modules:

Basic page layout:

After login, LAM presents its main page. It consists of a header part, which is the same on all pages, and the content area, which covers most of the page.

The header part includes the links to manage all account types (e.g. users and groups) and open the tree view (LDAP browser). There is also the logout link and a tools entry.

After login you will see an account listing in the content area.

Here you can create, delete and modify accounts. Use the action buttons at the left or double click on an entry to edit it.

The suffix selection box allows you to list only the accounts which are located in a subtree of your LDAP directory.

You can change the number of shown entries per page with "Change settings". Depending on the account type there may be additional settings. E.g. the user list can convert group numbers to group names.

When you select an entry for editing, LAM shows all its data in a tabbed view. There is one tab for each functional part of the account. You can set default values by loading an account profile.

Users

Personal

This module is the most common basis for user accounts in LAM. You can use it stand-alone to manage address book entries or in combination with Unix, Samba or other modules.

The Personal module provides support for managing various personal data of your users including mail addresses and telephone numbers. You can also add photos of your users. If you do not need to manage all attributes then you can deactivate them in your server profile.

Table 3.1. LDAP attribute mappings

Attribute name                    Name inside LAM
businessCategory                  Business category
carLicense                        Car license
cn / commonName                   Common name
departmentNumber                  Department(s)
description                       Description
employeeType                      Employee type
facsimileTelephoneNumber / fax    Fax number
givenName / gn                    First name
homePhone                         Home telephone number
jpegPhoto                         Photo
l                                 Location
mail / rfc822Mailbox              Email address
manager                           Manager
mobile / mobileTelephoneNumber    Mobile number
physicalDeliveryOfficeName        Office name
postalAddress                     Postal address
postalCode                        Postal code
postOfficeBox                     Post office box
roomNumber                        Room number
sn / surname                      Last name
st                                State
street / streetAddress            Street
telephoneNumber                   Telephone number
title                             Job title
uid / userid                      User name
userPassword                      Password
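The mapping in Table 3.1 is easy to get wrong when entries are prepared outside LAM, for example when importing users from a spreadsheet with ldapadd. The following Python script is an added example, not part of LAM or its documentation: it turns a record keyed by the LAM field names of the table into an inetOrgPerson LDIF record, base64-encodes values that LDIF cannot carry literally (photos, non-ASCII names, values with a leading space or colon), folds long lines, and refuses records that lack cn or sn, which the person object class requires. The DN, the sample person and the four "photo" bytes are constructed for the example.

```python
import base64

# Mapping of the LAM field names from Table 3.1 to LDAP attribute names.
# Where the table lists aliases (e.g. "cn/commonName") the primary name is used.
LAM_TO_LDAP = {
    "Business category": "businessCategory",
    "Car license": "carLicense",
    "Common name": "cn",
    "Department(s)": "departmentNumber",
    "Description": "description",
    "Employee type": "employeeType",
    "Fax number": "facsimileTelephoneNumber",
    "First name": "givenName",
    "Home telephone number": "homePhone",
    "Photo": "jpegPhoto",
    "Location": "l",
    "Email address": "mail",
    "Manager": "manager",
    "Mobile number": "mobile",
    "Office name": "physicalDeliveryOfficeName",
    "Postal address": "postalAddress",
    "Postal code": "postalCode",
    "Post office box": "postOfficeBox",
    "Room number": "roomNumber",
    "Last name": "sn",
    "State": "st",
    "Street": "street",
    "Telephone number": "telephoneNumber",
    "Job title": "title",
    "User name": "uid",
    "Password": "userPassword",
}

# cn and sn are MUST attributes of the person object class, which
# inetOrgPerson inherits from; the server rejects an entry without them.
REQUIRED_FIELDS = ("Common name", "Last name")


def ldif_line(attr, value):
    """Encode one attribute value as an LDIF line (RFC 2849).

    Values that are not "safe" (binary or non-ASCII bytes, a leading space,
    colon or '<', a trailing space, or embedded NUL/CR/LF) are written in the
    base64 form 'attr:: <b64>' so photos and non-ASCII names survive intact.
    """
    raw = value if isinstance(value, bytes) else str(value).encode("utf-8")
    if not raw:
        return f"{attr}: "
    unsafe = (
        any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in raw)
        or raw[0] in (0x20, 0x3A, 0x3C)
        or raw[-1] == 0x20
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {raw.decode('ascii')}"


def fold_ldif_line(line, width=76):
    """Fold a long LDIF line; continuation lines start with a single space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1 :]
    return "\n".join(parts)


def personal_entry_ldif(dn, fields):
    """Build an inetOrgPerson LDIF record from LAM field names.

    `fields` maps a name from the table above to a string, bytes, or a list
    of values for multi-valued attributes such as departmentNumber.
    """
    unknown = sorted(set(fields) - set(LAM_TO_LDAP))
    if unknown:
        raise ValueError(f"unknown LAM field(s): {unknown}")
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing required field(s): {missing}")

    lines = [ldif_line("dn", dn)]
    for oc in ("top", "person", "organizationalPerson", "inetOrgPerson"):
        lines.append(f"objectClass: {oc}")
    for lam_name, value in fields.items():
        attr = LAM_TO_LDAP[lam_name]
        values = value if isinstance(value, list) else [value]
        for v in values:
            lines.append(fold_ldif_line(ldif_line(attr, v)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample data, not a real person or directory.
    print(personal_entry_ldif(
        "uid=jdoe,ou=People,dc=example,dc=com",
        {
            "User name": "jdoe",
            "Common name": "Jane Doe",
            "Last name": "Doe",
            "First name": "Jane",
            "Email address": "jdoe@example.com",
            "Department(s)": ["IT", "Security"],
            "Photo": b"\xff\xd8\xff\xe0",  # JPEG header bytes standing in for an image
        },
    ))
```

The output can be fed to ldapadd unchanged. The base64 rule matters in practice: a surname such as "Müller" written as a plain `sn:` line is silently mangled by many LDIF consumers, and a jpegPhoto can only ever be carried in the `::` form.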

Unix

The Unix module manages Unix user accounts including group memberships.

Shadow

LAM supports the management of the LDAP equivalent of /etc/shadow. Here you can set up password policies for your Unix accounts and also view when a user last changed the password.
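The shadow values LAM shows are raw day counts since 1970-01-01 (shadowLastChange, shadowExpire) and relative day limits (shadowMax, shadowWarning, shadowInactive), so reading an account's state off the tab takes some arithmetic. The Python below is an added example, not LAM code: it applies the shadow(5) aging rules that pam_unix enforces to a dictionary of attribute strings as they come out of LDAP, and returns the state (active, warning, change-required, locked, account-expired) together with the days left. The entries in the usage section are constructed.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """shadowLastChange and shadowExpire are stored as days since 1970-01-01."""
    return (d - EPOCH).days


def shadow_status(entry, today):
    """Classify a shadowAccount entry with the shadow(5) aging rules.

    `entry` holds attribute values as strings, as read from LDAP; missing or
    empty attributes count as "not set" (-1). Returns (state, days_left);
    days_left is None when no password aging applies to the account.
    """
    def get(name):
        value = entry.get(name)
        return int(value) if value not in (None, "") else -1

    cur = days_since_epoch(today)
    last, max_days = get("shadowLastChange"), get("shadowMax")
    warn, inactive, expire = get("shadowWarning"), get("shadowInactive"), get("shadowExpire")

    # Account expiry is an absolute date, independent of the password age.
    if expire > 0 and cur >= expire:
        return ("account-expired", 0)
    # shadowLastChange = 0 is the conventional "must change at next login".
    if last == 0:
        return ("change-required", 0)
    if last < 0 or max_days < 0:
        return ("active", None)  # no aging information on this account

    age = cur - last
    if age > max_days:
        # Once the inactivity grace period has also passed, the password
        # can no longer be changed by the user: the account is locked.
        if inactive >= 0 and age > max_days + inactive:
            return ("locked", 0)
        return ("change-required", 0)
    days_left = last + max_days - cur
    if warn >= 0 and age > max_days - warn:
        return ("warning", days_left)
    return ("active", days_left)


if __name__ == "__main__":
    # Constructed sample: password set on 2024-01-01, checked on 2024-01-31.
    today = date(2024, 1, 31)
    last = str(days_since_epoch(date(2024, 1, 1)))
    for attrs in (
        {"shadowLastChange": last, "shadowMax": "90", "shadowWarning": "7"},
        {"shadowLastChange": last, "shadowMax": "30", "shadowWarning": "7"},
        {"shadowLastChange": last, "shadowMax": "20", "shadowInactive": "5"},
        {"shadowLastChange": "0", "shadowMax": "90"},
    ):
        print(attrs, "->", shadow_status(attrs, today))
```

Run over an ldapsearch export this gives a quick list of accounts whose passwords are overdue or which sit in the warning window, which is the information a password policy is meant to act on.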

Hosts

You can specify a list of valid host names where the user may login. If you add the value "*" then the user may login to any host. This can be further restricted by adding explicit deny entries which are prefixed with "!" (e.g. "!hr_server").

Please note that your PAM settings need to support host restrictions.
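Because the list is only enforced by PAM, it is worth checking what a given set of values actually means before relying on it. The Python below is an added example, not LAM or PAM code: it evaluates a host list with the semantics described above ("*" allows every host, "!name" denies one, deny winning over allow) for a single host name, and audits a list for combinations that do not do what they appear to, such as deny entries without a "*". The host names are constructed.

```python
def host_login_allowed(host_values, hostname):
    """Evaluate the host restriction list for one host.

    Semantics as described above: "*" allows every host, a plain name allows
    that host, a "!"-prefixed name denies it, and deny wins over allow.
    Matching is case-insensitive, as host names are.
    """
    name = hostname.strip().lower()
    denied = {v[1:].strip().lower() for v in host_values if v.startswith("!")}
    allowed = {v.strip().lower() for v in host_values if not v.startswith("!")}
    if name in denied:
        return False
    return "*" in allowed or name in allowed


def audit_host_values(host_values):
    """Return warnings about lists whose effect differs from what they look like."""
    warnings = []
    allows = [v.strip().lower() for v in host_values if not v.startswith("!")]
    denies = [v[1:].strip().lower() for v in host_values if v.startswith("!")]
    if not host_values:
        warnings.append("no host entries: the user cannot log in anywhere if PAM enforces the attribute")
    if denies and "*" not in allows and not any(d in allows for d in denies):
        warnings.append("deny entries without '*' have no effect: hosts not listed are denied anyway")
    if "*" in allows and not denies:
        warnings.append("'*' without deny entries allows login on every host")
    for d in denies:
        if d in allows:
            warnings.append(f"'{d}' is both allowed and denied; deny wins")
    return warnings


if __name__ == "__main__":
    # Constructed example lists as they might be stored on user entries.
    for values in (["*", "!hr_server"], ["web01", "db01"], ["!hr_server"], []):
        print(values, "hr_server:", host_login_allowed(values, "hr_server"),
              "web01:", host_login_allowed(values, "web01"), audit_host_values(values))
```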

Samba 3

LAM supports full Samba 3 user management including logon hours and terminal server options.

Quota

You can manage file system quotas with LAM. This requires lamdaemon to be set up. File system quotas are not stored inside LAM but managed directly on the specified servers.

Kolab

This module lets you manage Kolab accounts with LAM, e.g. set the user's mail quota and define invitation policies.

Please enter an email address on the Personal page and set a Unix password first. Both are required for Kolab to accept the account.

Kolab users should not be deleted directly with LAM. You can mark an account for deletion, which is then carried out by the Kolab server itself. This makes sure that the mailbox etc. is deleted as well.

phpGroupWare

You may manage several attributes of phpGroupWare users inside LAM, including the expiration date and account status. You may also check when and from where the user last logged in.

Asterisk

LAM supports Asterisk accounts, too. See the Asterisk section for details.

EDU person

EDU person accounts are mainly used in university networks. You can specify the principal name, nick names and much more.

Password policy (LAM Pro)

OpenLDAP supports the ppolicy overlay to manage password policies for LDAP entries. LAM Pro supports managing the policies and assigning them to user accounts.

Please add the account type "Password policies" to your LAM server profile and activate the "Password policy" module for the user type.

You can assign any password policy which is found in the LDAP suffix of the "Password policies" type. When you set the policy to "default" then OpenLDAP will use the default policy as defined in your slapd.conf file.

Mail routing

LAM can manage mail routing for user accounts. You can specify a routing address, the mail server and a number of local addresses to route. This feature is activated by adding the "Mail routing" module to the user account type in your server profile.

SSH keys

You can manage your users' public SSH keys in LAM if you have installed the LPK patch for SSH. Activate the "SSH public key" module for users in the server profile and you can then add keys to your user entries.

IMAP mailboxes

LAM may create and delete mailboxes on an IMAP server for your user accounts. You will need an IMAP server that supports either SSL or TLS for this feature.

To activate the mailbox management module please add the "Mailbox (imapAccess)" module for the type user in your LAM server profile:

Now configure the module on the "Module settings" tab. Here you can specify the IMAP server name, encryption options, the authentication for the IMAP connection and the valid mail domains. LAM can either use your LAM login password for the IMAP connection or display a dialog in which you enter the password. The mail domains specify for which accounts mailboxes may be created or deleted. E.g. if you enter "lam-demo.org" then mailboxes can be managed for "user@lam-demo.org" but not for "user@example.com".

You need to install the SSL certificate of the CA that signed your server certificate. This is usually done by installing the certificate in /etc/ssl/certs. Different Linux distributions may offer different ways to do this. For Debian please copy the certificate to "/usr/local/share/ca-certificates" and run "update-ca-certificates" as root.

It is not recommended to disable the validation of IMAP server certificates.

When you edit a user account you will now see the tab "Mailbox". Here you can create or delete the mailbox for this user.
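Two of the settings above carry security weight: the mail domain list decides for which accounts an administrator may touch mailboxes, and certificate validation is what stops the IMAP password from being sent to an impostor. The Python below is an added example, not LAM code, showing how a script that mirrors this feature would implement both: the domain check as an exact match on the part after "@" (so "lam-demo.org" does not cover "mail.lam-demo.org" or "lam-demo.org.example.com"), and an IMAP connection built on a TLS context that requires a valid certificate and matching host name, using the system CA store that update-ca-certificates populates. The server name, domain list and addresses are constructed; connect_imap is only run when a server is given.

```python
import imaplib
import ssl


def mailbox_domain_allowed(address, allowed_domains):
    """Apply the mail domain rule: a mailbox may only be managed when the
    domain part of the address exactly matches one configured domain."""
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    if not local or not domain:
        return False
    return domain.lower() in {d.lower() for d in allowed_domains}


def imap_tls_context(cafile=None):
    """TLS context that validates the IMAP server certificate.

    With cafile=None the system CA store is used (on Debian this is what
    update-ca-certificates maintains); pass a PEM path to use a private CA.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validation_disabled(ctx):
    """True if the context would accept any certificate, which is what
    'disable the validation of IMAP server certificates' amounts to."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


def connect_imap(server, use_starttls=False, port=None, cafile=None):
    """Open an IMAP connection over SSL (993) or STARTTLS (143); certificate
    and host name validation are enforced either way."""
    ctx = imap_tls_context(cafile)
    if validation_disabled(ctx):
        raise RuntimeError("refusing to connect without certificate validation")
    if use_starttls:
        conn = imaplib.IMAP4(server, port or 143)
        conn.starttls(ssl_context=ctx)
    else:
        conn = imaplib.IMAP4_SSL(server, port or 993, ssl_context=ctx)
    return conn


if __name__ == "__main__":
    # Constructed settings; IMAP_SERVER is left empty so nothing is contacted.
    IMAP_SERVER = ""
    ALLOWED = ["lam-demo.org"]
    for addr in ("user@lam-demo.org", "user@example.com", "user@mail.lam-demo.org"):
        print(addr, "->", mailbox_domain_allowed(addr, ALLOWED))
    print("validation disabled:", validation_disabled(imap_tls_context()))
    if IMAP_SERVER:
        conn = connect_imap(IMAP_SERVER)
        print(conn.welcome)
        conn.logout()
```

If the connection fails with a certificate error, the fix is to install the signing CA as described above, not to turn validation off; a test of the context with validation_disabled before each connection makes that choice explicit in code.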

Account

This is a very simple module to manage accounts based on the object class "account". Usually, this is used for host accounts only. Please note that users based on the "account" object class cannot have contact information (e.g. a telephone number) as with "inetOrgPerson".

You can enter a user/host name and a description for your accounts.