15.6. The LDAP Account Manager
The LDAP Account Manager (LAM) is an application suite that has been written in PHP. LAM can be used with any Web server that has PHP4 support. It connects to the LDAP server either using unencrypted connections or via SSL/TLS. LAM can be used to manage Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines (hosts).
LAM is available from the LAM home page and from its mirror sites. LAM has been released under the GNU GPL version 2. The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter of 2005.
LAM is a useful tool that provides a simple Web-based device that can be used to manage the contents of the LDAP directory to:
When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba user, group, and Windows domain member machine accounts.
The default password is "lam." It is highly recommended that you use only an SSL connection to your Web server for all remote operations involving LAM. If you want secure connections, you must configure your Apache Web server to permit connections to LAM using only SSL.
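The SSL-only requirement above can be enforced in the Apache configuration itself. The following is an added example, not a fragment from the LAM documentation or from the profile the LAM wizard writes; the host name, certificate paths and the install directory `/var/www/lam` are assumptions, as is the name of LAM's `config/` subdirectory, which holds the profile file and should not be served to browsers:

```apache
# Added example: serve LAM over TLS only. Host name and paths are assumed.

<VirtualHost *:80>
    ServerName ldap-admin.example.com
    # Any plain-HTTP request for LAM is sent to the TLS virtual host
    Redirect permanent /lam https://ldap-admin.example.com/lam
</VirtualHost>

<VirtualHost *:443>
    ServerName ldap-admin.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ldap-admin.pem
    SSLCertificateKeyFile /etc/ssl/private/ldap-admin.key

    Alias /lam /var/www/lam
    <Directory /var/www/lam>
        # Refuse the request outright if it did not arrive over SSL/TLS,
        # even if some other vhost or alias reaches this directory
        SSLRequireSSL
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Assumed location of the LAM profile (lam.conf) written by the wizard;
    # it contains the LAM master password and must never be served
    <Directory /var/www/lam/config>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>
```

`SSLRequireSSL` is the check that matters: the `Redirect` on port 80 is a convenience for users, but only the directive inside the `<Directory>` block guarantees that the LAM login form (and the master password typed into it) cannot be submitted in clear text.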
APACHE CONFIGURATION STEPS FOR LAM
An example of a working file is shown here in Example 15.6.2. This file has been stripped of comments to keep the size small. The comments and help information provided in the profile file that the wizard creates are very useful and will help many administrators to avoid pitfalls. Your configuration file obviously reflects the configuration options that are preferred at your site.
It is important that your LDAP server is running at the time that LAM is being configured. This permits you to validate correct operation. An example of the LAM login screen is provided in Figure 15.6.
Figure 15.6. The LDAP Account Manager Login Screen
The LAM configuration editor has a number of options that must be managed correctly. An example of use of the LAM configuration editor is shown in Figure 15.7. It is important that you correctly set the minimum and maximum UID/GID values that are permitted for use at your site. The default values may not be compatible with a need to modify initial default account values for well-known Windows network users and groups. The best work-around is to temporarily set the minimum values to zero (0) to permit the initial settings to be made. Do not forget to reset these to sensible values before using LAM to add additional users and groups.
Figure 15.7. The LDAP Account Manager Configuration Screen
LAM has some nice, but unusual features. For example, one unexpected feature in most application screens permits the generation of a PDF file that lists configuration information. This is a well thought out facility. This option has been edited out of the following screen shots to conserve space.
When you log on to LAM, the opening screen drops you right into the user manager as shown in Figure 15.8. This is a logical action as it permits the most-needed facility to be used immediately. The editing of an existing user, as with the addition of a new user, is easy to follow and very clear in both layout and intent. It is a simple matter to edit generic settings, UNIX-specific parameters, and then Samba account requirements. Each step involves clicking a button that intuitively drives you through the process. When you have finished editing, simply press the Final button.
Figure 15.8. The LDAP Account Manager User Edit Screen
The edit screen for groups is shown in Figure 15.9. As with the edit screen for user accounts, group accounts may be rapidly dealt with. Figure 15.10 shows a sub-screen from the group editor that permits users to be assigned secondary group memberships.
Figure 15.9. The LDAP Account Manager Group Edit Screen
Figure 15.10. The LDAP Account Manager Group Membership Edit Screen
The final screen presented here is one that you should not normally need to use. Host accounts will be automatically managed using the smbldap-tools scripts. This means that the screen in Figure 15.11 will, in most cases, not be used.
Figure 15.11. The LDAP Account Manager Host Edit Screen
One aspect of LAM that may annoy some users is the way it forces certain conventions on the administrator. For example, LAM does not permit the creation of Windows user and group accounts that contain spaces, even though the underlying UNIX/Linux operating system may exhibit no problems with them. Given the propensity for using upper-case characters and spaces (particularly in the default Windows account names), this may cause some annoyance. For the rest, LAM is a very useful administrative tool.
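Two of the points above, the minimum/maximum UID/GID values in the LAM configuration and LAM's refusal to handle names containing spaces, are easy to check against what is already in the directory before LAM is pointed at it. The following Python script is an added example and is not part of LAM or of the Samba documentation: it reads an LDIF export (the kind `ldapsearch -LLL` produces), and reports every `posixAccount` whose `uidNumber` and every `posixGroup` whose `gidNumber` falls outside the configured range, plus every name LAM would reject. The LDIF embedded below is constructed sample data, and the range values are assumptions standing in for whatever your site uses:

```python
"""Audit posixAccount / posixGroup entries from an LDIF export against the
UID/GID range configured in LAM and against LAM's no-space naming rule.

Added example, not LAM's own code.  SAMPLE_LDIF is constructed test data."""

from typing import Dict, List, Tuple

# Constructed sample export; the low uidNumber/gidNumber values mirror the
# well-known Windows accounts (Administrator, Domain Users) the text refers to.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
cn: John Doe
uidNumber: 1001
gidNumber: 513

dn: uid=Administrator,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
cn: Administrator
uidNumber: 0
gidNumber: 512

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Users
gidNumber: 513

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 70000
"""

Entry = Dict[str, List[str]]
Finding = Tuple[str, str]  # (dn, message)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries are separated by blank lines, attributes
    may repeat (multi-valued).  Base64 ('::') values and line folding are
    not handled; this is enough for a plain ldapsearch export of accounts."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(entries: List[Entry], min_uid: int, max_uid: int,
          min_gid: int, max_gid: int) -> List[Finding]:
    """Return one finding per entry that LAM, configured with the given
    ranges, would either refuse to show or refuse to manage."""
    findings: List[Finding] = []
    for entry in entries:
        dn = entry["dn"][0]
        classes = entry.get("objectClass", [])
        if "posixAccount" in classes:
            uid_num = int(entry["uidNumber"][0])
            if not min_uid <= uid_num <= max_uid:
                findings.append((dn, f"uidNumber {uid_num} outside {min_uid}-{max_uid}"))
            name = entry["uid"][0]
            if " " in name:
                findings.append((dn, f"uid '{name}' contains a space; LAM will not manage it"))
        if "posixGroup" in classes:
            gid_num = int(entry["gidNumber"][0])
            if not min_gid <= gid_num <= max_gid:
                findings.append((dn, f"gidNumber {gid_num} outside {min_gid}-{max_gid}"))
            name = entry["cn"][0]
            if " " in name:
                findings.append((dn, f"cn '{name}' contains a space; LAM will not manage it"))
    return findings


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    # Assumed site policy; the defaults in a fresh LAM profile differ.
    for dn, message in audit(directory, 1000, 60000, 1000, 60000):
        print(f"{dn}: {message}")
    # The workaround from the text: drop the minimums to 0 while the
    # well-known Windows accounts are created, then raise them again.
    print("--- with minimum UID/GID temporarily set to 0 ---")
    for dn, message in audit(directory, 0, 60000, 0, 60000):
        print(f"{dn}: {message}")
```

Run against the sample data with a 1000-60000 range, the script flags `Administrator` (uidNumber 0), `Domain Users` (gidNumber 513, and a space in its name) and `staff` (gidNumber 70000). Lowering the minimums to 0, as the text suggests for the initial setup, clears the two range findings on the well-known Windows accounts; the space in `Domain Users` and the out-of-range `staff` group remain and have to be dealt with outside LAM.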
The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features (e.g., logon hours). The new plugin-based architecture also allows management of many more account types, such as plain UNIX accounts. The upload can now handle groups and hosts, too. Another important point is the tree view, which allows browsing and editing LDAP objects directly.