<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Server profiles</title><link rel="stylesheet" type="text/css" href="style.css"><meta name="generator" content="DocBook XSL Stylesheets V1.76.1"><link rel="home" href="index.html" title="LDAP Account Manager - Manual"><link rel="up" href="ch02.html" title="Chapter 2. Configuration"><link rel="prev" href="ch02.html" title="Chapter 2. Configuration"><link rel="next" href="ch03.html" title="Chapter 3. Managing entries in your LDAP directory"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Server profiles</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch02.html">Prev</a></td><th width="60%" align="center">Chapter 2. Configuration</th><td width="20%" align="right"><a accesskey="n" href="ch03.html">Next</a></td></tr></table><hr></div><div class="section" title="Server profiles"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="idp5398080"></a>Server profiles</h2></div></div></div><p>The server profiles store information about your LDAP server (e.g.
host name) and what kind of accounts (e.g. users and groups) you would
like to manage. There is no limit on the number of server profiles. See
the <a class="link" href="ch02s02.html#confTypicalScenarios" title="Typical scenarios">typical scenarios</a> about
how to structure your server profiles.</p><div class="section" title="Manage server profiles"><div class="titlepage"><div><div><h3 class="title"><a name="idp5399984"></a>Manage server profiles</h3></div></div></div><p>Select "Manage server profiles" to open the profile management
page.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles1.png"></div></div><p>Here you can create, rename and delete server profiles. The
<a class="link" href="apb.html#a_configPasswords" title="LAM configuration passwords">passwords</a> of your server
profiles can also be reset.</p><p>You may also specify the default server profile. This is the
server profile which is preselected at the login page. It also
specifies the language of the login and configuration pages.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles2.png"></div></div><p>You can create a new server profile by simply entering its name
and password. After you have created a new profile you can go back to the
profile login and edit your new server profile.</p><p>All operations on the profile management page require that you
authenticate yourself with the <a class="link" href="apb.html#a_configPasswords" title="LAM configuration passwords">configuration master
password</a>.</p></div><div class="section" title="Editing a server profile"><div class="titlepage"><div><div><h3 class="title"><a name="idp5407856"></a>Editing a server profile</h3></div></div></div><p>Please select your server profile and enter its password to edit
a server profile.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles3.png"></div></div><p>Each server profile contains the following information:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="bold"><strong>General settings:</strong></span> general
settings about your LDAP server (e.g. host name and security
settings)</p></li><li class="listitem"><p><span class="bold"><strong>Account types:</strong></span> list of
account types (e.g. users and groups) that you would like to
manage and type-specific settings (e.g. LDAP suffix)</p></li><li class="listitem"><p><span class="bold"><strong>Modules:</strong></span> list of modules
which define what account aspects (e.g. Unix, Samba, Kolab) you
would like to manage</p></li><li class="listitem"><p><span class="bold"><strong>Module settings:</strong></span> settings
which are specific for the selected account modules on the page
before</p></li></ul></div><div class="section" title="General settings"><div class="titlepage"><div><div><h4 class="title"><a name="idp5417008"></a>General settings</h4></div></div></div><p>Here you can specify the LDAP server and some security
settings.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles4.png"></div></div><p>The server address of your LDAP server can be a DNS name or an
IP address. Use ldap:// both for unencrypted LDAP connections and for
TLS encrypted connections. LDAP+SSL (LDAPS) encrypted connections are
specified with ldaps://. The port value is optional. TLS cannot be
combined with ldaps://.</p><p>LAM includes an LDAP browser which allows direct modification
of LDAP entries. If you would like to use it then enter the LDAP
suffix at "Tree suffix".</p><p>The search limit is used to reduce the number of search
results which are returned by your LDAP server.</p><p>The access level specifies whether LAM is allowed to modify LDAP
entries. This feature is only available in LAM Pro. LAM non-Pro
releases use write access. See <a class="link" href="ch05.html" title="Chapter 5. Access levels and password reset page (LAM Pro)">this page</a> for details on
the different access levels.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles5.png"></div></div><p>LAM is translated into many different languages. Here you can
select the default language for this server profile. The language
setting may be overridden at the LAM login page.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles6.png"></div></div><p>LAM can manage user home directories and quotas with an
external script. You can specify the home directory server and where
the script is located. The default rights for new home directories
can be set, too.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles8.png"></div></div><p>LAM supports two methods for login. The first one is to
specify a fixed list of LDAP DNs that are allowed to log in. Please
enter one DN per line.</p><p>The second one is to let LAM search for the DN in your
directory. E.g. if a user logs in with the user name "joe" then LAM
will do an LDAP search for this user name. When it finds a matching
DN then it will use this to authenticate the user. The wildcard
"%USER%" will be replaced by "joe" in this example. This way you can
provide login by user name, email address or other LDAP
attributes.</p><p>Additionally, you can enable HTTP authentication when using
"LDAP search". This way the web server is responsible for
authenticating your users. LAM will use the given user name + password
for the LDAP login. You can also use this to set up advanced
login restrictions (e.g. require group memberships for login). To
set up HTTP authentication in Apache please see this <a class="ulink" href="http://httpd.apache.org/docs/2.2/howto/auth.html" target="_top">link</a>
and an example for LDAP authentication <a class="link" href="apbs06.html#apache_http_auth" title="Use LDAP HTTP authentication for LAM">here</a>.</p><div class="screenshot"><div class="mediaobject"><img src="images/configProfiles7.png"></div></div><p>You may also change the password of this server profile.
Please just enter the new password in both password fields.</p></div><div class="section" title="Account types"><div class="titlepage"><div><div><h4 class="title"><a name="idp5434736"></a>Account types</h4></div></div></div><p>LAM can manage various types of LDAP entries (e.g.
users, groups, DHCP entries, ...). On this page you can select which
types of entries you want to manage with LAM.</p><div class="screenshot"><div class="mediaobject"><img src="images/configTypes1.png"></div></div><p>The section at the top shows a list of possible types. You can
activate them by simply clicking on the plus sign next to them.</p><p>Each account type has the following options:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="bold"><strong>LDAP suffix:</strong></span> the LDAP
suffix where entries of this type should be managed</p></li><li class="listitem"><p><span class="bold"><strong>List attributes:</strong></span> a list
of attributes which are shown in the account lists</p></li></ul></div><div class="screenshot"><div class="mediaobject"><img src="images/configTypes2.png"></div></div><p>On the next page you can specify in detail what extensions
should be enabled for each account type.</p></div><div class="section" title="Modules"><div class="titlepage"><div><div><h4 class="title"><a name="idp5443920"></a>Modules</h4></div></div></div><p>The modules specify the active extensions for each account
type. E.g. here you can set up whether your user entries should be address
book entries only or also support Unix or Samba.</p><div class="screenshot"><div class="mediaobject"><img src="images/configModules1.png"></div></div><p>Each account type needs a so-called "base module". This is the
foundation for all LDAP entries of this type. Usually, it provides the
structural object class for the LDAP entries. There must be exactly
one active base module for each account type.</p><p>Furthermore, there may be any number of additional active
account modules. E.g. you may select "Personal" as base module and
Unix + Samba as additional modules.</p></div><div class="section" title="Module settings"><div class="titlepage"><div><div><h4 class="title"><a name="idp5448176"></a>Module settings</h4></div></div></div><p>Depending on the activated account modules there may be
additional configuration options available. They can be found on the
"Module settings" tab. E.g. the Personal account module allows you to
hide several input fields and the Unix module requires you to specify
ranges for UID numbers.</p><div class="screenshot"><div class="mediaobject"><img src="images/configSettings1.png"></div></div></div></div><div class="section" title="Typical scenarios"><div class="titlepage"><div><div><h3 class="title"><a name="confTypicalScenarios"></a>Typical scenarios</h3></div></div></div><p>This is a list of typical scenarios of how your LDAP environment
may look and how to structure the server profiles for it.</p><div class="section" title="Simple: One LDAP directory managed by a small group of admins"><div class="titlepage"><div><div><h4 class="title"><a name="idp5452848"></a>Simple: One LDAP directory managed by a small group of
admins</h4></div></div></div><p>This is the easiest and most common scenario. You want to
manage a single LDAP server and there is only one or a few admins.
In this case just create one server profile and you are done. The
admins may be either specified as a fixed list or by using an LDAP
search at login time.</p><div class="screenshot"><div class="mediaobject"><img src="images/LDAPStructuresSimple.png"></div></div></div><div class="section" title="Advanced: One LDAP server which is managed by different admin groups"><div class="titlepage"><div><div><h4 class="title"><a name="idp5456064"></a>Advanced: One LDAP server which is managed by different admin
groups</h4></div></div></div><p>Large organisations may have one big LDAP directory for all
user/group accounts. But the users are managed by different groups
of admins (e.g. departments, locations, subsidiaries, ...). The
users are typically divided into organisational units in the LDAP
tree. Admins may only manage the users in their part of the
tree.</p><div class="screenshot"><div class="mediaobject"><img src="images/LDAPStructuresAdvanced.png"></div></div><p>In this situation it is recommended to create one server
profile for each admin group (e.g. department). Set up the LDAP
suffixes in the server profiles to point to the needed
organisational units. E.g. use
ou=people,ou=department1,dc=company,dc=com or
ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
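As an added example (not part of the LAM manual or of LAM's own code), the following Python checks a set of per-department profiles laid out as described in this scenario: that no admin group's user suffix lies inside another group's suffix, that the UID ranges assigned per department do not overlap, and which single profile an entry falls under. Profile names, suffixes and ranges are constructed sample values.

```python
# Added example (not LAM code): consistency check for the per-department
# profile layout of this scenario. Profile names, suffixes and UID ranges
# are constructed sample values.
from typing import Dict, List, Optional

# Constructed sample: one server profile per admin group, each with its own
# user suffix and its own UID range (the alternative to LAM's free-UID search).
PROFILES = {
    "department1": {"user_suffix": "ou=people,ou=department1,dc=company,dc=com",
                    "uid_range": (10000, 19999)},
    "department2": {"user_suffix": "ou=people,ou=department2,dc=company,dc=com",
                    "uid_range": (20000, 29999)},
}


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, root first. Assumes no escaped
    commas inside RDN values, which holds for the sample DNs."""
    return [rdn.strip().lower() for rdn in dn.split(",")][::-1]


def is_under(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies beneath it in the tree."""
    d, s = dn_components(dn), dn_components(suffix)
    return len(d) >= len(s) and d[:len(s)] == s


def check_profiles(profiles: Dict[str, dict]) -> List[str]:
    """Return the problems found; an empty list means the layout is consistent.
    A suffix nested inside another profile's suffix lets one admin group see
    the other group's users; overlapping UID ranges let two profiles hand out
    the same UID."""
    problems = []
    names = sorted(profiles)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, sb = profiles[a]["user_suffix"], profiles[b]["user_suffix"]
            if is_under(sa, sb) or is_under(sb, sa):
                problems.append(f"suffix overlap: {a} / {b}")
            (lo_a, hi_a), (lo_b, hi_b) = profiles[a]["uid_range"], profiles[b]["uid_range"]
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"UID range overlap: {a} / {b}")
    return problems


def profile_for_entry(dn: str, profiles: Dict[str, dict]) -> Optional[str]:
    """Name of the single profile whose admins will see this entry, or None
    when no profile (or more than one) covers it."""
    hits = [n for n, p in profiles.items() if is_under(dn, p["user_suffix"])]
    return hits[0] if len(hits) == 1 else None
```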
Do the same for groups, hosts, ... This way each admin group will
only see its own users. You may want to use LDAP search for the LAM
login in this scenario. Then you do not need to update a
server profile when the number of admins changes.</p><p><span class="bold"><strong>Attention:</strong></span> LAM's feature to
automatically find free UIDs/GIDs for new users/groups will not work
in this case. LAM uses the user/group suffix to search for already
assigned UIDs/GIDs. As an alternative you can specify different
UID/GID ranges for each department. Then the UIDs/GIDs will stay
unique for the whole directory.</p></div><div class="section" title="Multiple LDAP servers"><div class="titlepage"><div><div><h4 class="title"><a name="idp5461664"></a>Multiple LDAP servers</h4></div></div></div><p>You can manage as many LDAP servers with LAM as you wish. This
scenario is similar to the advanced scenario above. Just create one
server profile for each LDAP server.</p><div class="screenshot"><div class="mediaobject"><img src="images/LDAPStructuresMultiServer.png"></div></div></div><div class="section" title="Single LDAP directory with lots of users (>10 000)"><div class="titlepage"><div><div><h4 class="title"><a name="idp5464672"></a>Single LDAP directory with lots of users (>10 000)</h4></div></div></div><p>LAM was tested to work with 10 000 users. If you have many
more users, you basically have two options.</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Divide your LDAP tree into organisational units: This is
usually the best performing option. Put your accounts in several
organisational units and set up LAM as in the advanced scenario
above.</p></li><li class="listitem"><p>Increase memory limit: Increase the memory_limit parameter
in your php.ini. This will allow LAM to read more entries. But
this will slow down the response times of LAM.</p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch02.html">Prev</a></td><td width="20%" align="center"><a accesskey="u" href="ch02.html">Up</a></td><td width="40%" align="right"><a accesskey="n" href="ch03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Configuration</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">Chapter 3. Managing entries in your LDAP directory</td></tr></table></div></body></html>