LAM - LDAP Account Manager

LAM (LDAP Account Manager) is an LDAP management user interface, similar to phpLDAPadmin. I configured it to manage my local Samba4 AD accounts provider.

Note: I also installed Roundcube; some PHP dependencies could have been pulled in by it.

-1- Download the Fedora/CentOS RPM from https://www.ldap-account-manager.org/lamcms/releases

-2- Install the RPM

yum localinstall ldap-account-manager-5.6-0.fedora.1.noarch.rpm

-3- Go to https://<serverip>/lam, click on LAM configuration

-4- Click “Edit server profiles”, the default password is lam

-5- In a shell type the following command to get the current NethServer setup:

[root@vm5 ~]# account-provider-test dump
{
   "startTls" : "",
   "bindUser" : "VM5$",
   "userDN" : "dc=dpnet,dc=nethesis,dc=it",
   "port" : 636,
   "isAD" : "1",
   "host" : "dpnet.nethesis.it",
   "groupDN" : "dc=dpnet,dc=nethesis,dc=it",
   "isLdap" : "",
   "ldapURI" : "ldaps://dpnet.nethesis.it",
   "baseDN" : "dc=dpnet,dc=nethesis,dc=it",
   "bindPassword" : "secret",
   "bindDN" : "DPNET\\VM5$"
}

-6.a- Copy the values above into the server profile form

-6.b- Scroll down, fill security settings and save

-7.a- Go to “Account types” tab, and fill the form like the following screenshot. Then save

-7.b- Edit the “Modules” tab, by selecting windows modules, then save

-8.a- After saving, the login form is displayed.

-8.b- Log in as “admin/adminpass”. This is the result


Additional information is on TFM:

https://www.ldap-account-manager.org/static/doc/


Hum…where is the module :stuck_out_tongue:


The new version 6.4 of LAM - LDAP Account Manager has been released!

https://www.ldap-account-manager.org/lamcms/


Inspired by @corum in this thread, I tested LAM 6.7. A newer PHP version (>=5.6) is needed, so I used nethserver-rh-php71-php-fpm.

At step 2 of the howto I additionally did the following:

yum -y install nethserver-rh-php71-php-fpm rh-php71-php-ldap

Add the FilesMatch/SetHandler to /etc/httpd/conf.d/lam.apache.conf at line 9 so it looks like this:

<Directory /usr/share/ldap-account-manager>
  Options +FollowSymLinks
  AllowOverride All
  Require all granted
  DirectoryIndex index.html
  <FilesMatch \.php$>
      SetHandler "proxy:fcgi://127.0.0.1:9001"
  </FilesMatch>
</Directory>

Restart relevant services.

systemctl restart httpd rh-php71-php-fpm


I see hundreds of clicks on the links above… We have an audience!

Is it time for an RPM? :yum:


It could help a lot to have a module…


I feel closer now to using LAM. I followed mrmarkuz's posting, installed nethserver-rh-php71-php-fpm rh-php71-php-ldap,
made lam.apache.conf the same and restarted httpd rh-php71-php-fpm.
Now I see:

Your PHP has no imagick support.

Please install the imagick extension for PHP.

So I had to install php-pecl-imagick and rh-php71-php-devel, then:

pecl install imagick

then install mlocate to find php.ini via updatedb and locate, then

nano /opt/rh/rh-php71/register.content/etc/opt/rh/rh-php71/php.ini

and insert

extension=imagick.so

Now I can see the login screen :slight_smile:

Again, thank you for your help mrmarkuz :slight_smile:


Hello,

I am bumping this up since I have managed to set up LAM with LDAP, but something is not entirely correct. There seems to be an issue whenever I try to edit or create an LDAP account in LAM:

Was unable to create DN: cn=werwe,ou=People,dc=directory,dc=nh.

LDAP error, server says: Insufficient access - no write access to parent

But I log in with a domain admin account (group: domain admins, as created by the NethServer LDAP application).

How do I give write access to the LDAP server? Any ideas?

Hi @turin331,

welcome to the NethServer Community.

You need to use user cn=libuser,dc=directory,dc=nh for write access:

https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-directory.html#service-accounts

Thank you for the reply.

Does cn=libuser,dc=directory,dc=nh need to be set on the LDAP side as well or just use it in the security settings in LAM?

EDIT: OK, this is actually strange. I had to reinstall everything on the server, and this time LAM worked fine with the settings I had before. No write permission issues this time. I am not sure what fixed this.


@mrmarkuz I realized what the issue was. Any new account made that is a member of the domain admins group does not seem to have write permissions. Only the original admin made when the LDAP was created has them.
How do I give permissions to new domain admins?

Sorry if these questions sound rudimentary, but I am still new to this.

By default the admin user and libuser have full access; you may change it to another user but not to a group.

https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-directory.html#administrative-access

I played with LDAP ACLs, and the following command worked in my test. Domain admins get write permissions. Please test before using in production.

ldapmodify -Y EXTERNAL <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by set="[cn=domain admins,ou=Groups,dc=directory,dc=nh]/memberUid & user/cn" write by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by * read
EOF

Hi Markus,

I finally made it work after I installed LAM-6.9.
All seems to work correctly.

A lot is still to adjust, especially the install folder and the security (I installed in /var/www/html with apache:apache), but a document will follow…

Michel-André


Thanks for the advice. This does not seem to change anything in my case. I still need to understand ACLs in more depth anyway, so I need to study this a bit more.

What was the result of the command? Did you get an error message?

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"

No error message.

OK, I am going to recheck…

EDIT:

Sorry, in this case the numbering like {1} is important, and I missed it.
The best way to change entries with numbering is to delete them and add them again.
If it's not working, you may reset to the default settings first and then apply the following two statements again.

Delete the original entry:

ldapmodify -Y EXTERNAL <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess
olcAccess: {1}
EOF

Add the new entry:

ldapmodify -Y EXTERNAL <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by set="[cn=domain admins,ou=Groups,dc=directory,dc=nh]/memberUid & user/cn" write by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by * read
EOF

Restore default settings (in case something has gone wrong):

ldapmodify -Y EXTERNAL <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess
EOF

ldapmodify -Y EXTERNAL <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by self write by * peername.ip="127.0.0.1" auth by * ssf=71 auth by * none
olcAccess: {1}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by * read
EOF
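Because ordering and the `{n}` index decide which rule wins, it helps to check the ACL offline before touching a server. The script below is an added example (not from this thread, NethServer or OpenLDAP): a small evaluator for exactly the olcAccess syntax used in the delete/add statements above and in the earlier `replace: olcAccess` command. It assumes a constructed miniature directory (the users `alice` and `bob` and the group membership are invented) and a simplified model of slapd's evaluation: directives are tried in `{n}` order, the first `to` clause matching the target decides, and within it the first matching `by` clause gives the access level, with denial when no `by` clause matches. Two things it makes visible that the LDIF alone does not: with `{0}` kept in front, the `set=` rule in `{1}` never reaches `userPassword`, so a domain admin can edit other entries but not reset their passwords; and a `replace: olcAccess` with a single unnumbered value drops the `{0}` rule, leaving `userPassword` covered by `to * ... by * read`.

```python
"""Toy evaluator for the olcAccess rules in this thread (added example, not
from the thread, NethServer or OpenLDAP). Models only the ACL subset used in
the thread (dn.exact, set, self, *, peername.ip, ssf, attrs=) against a
constructed directory; simplified slapd semantics as described in the lead-in."""
import re
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write", "manage"]
ROOT_SASL = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
LIBUSER = "cn=libuser,dc=directory,dc=nh"
ADMINS = "cn=domain admins,ou=Groups,dc=directory,dc=nh"
ALICE = "uid=alice,ou=People,dc=directory,dc=nh"  # constructed: a domain admin
BOB = "uid=bob,ou=People,dc=directory,dc=nh"      # constructed: a plain user

# Constructed directory: DN -> attributes (entries and names are invented).
DIRECTORY = {LIBUSER: {"cn": ["libuser"]}, ALICE: {"cn": ["alice"]},
             BOB: {"cn": ["bob"]}, ADMINS: {"memberUid": ["admin", "alice"]}}

PASSWORD_RULE = ('to attrs=userPassword by dn.exact="%s" manage by dn.exact="%s" '
                 'peername.ip="127.0.0.1" write by self write by * peername.ip="127.0.0.1" '
                 'auth by * ssf=71 auth by * none' % (ROOT_SASL, LIBUSER))
ADMINS_RULE = ('to * by dn.exact="%s" manage by set="[%s]/memberUid & user/cn" write '
               'by dn.exact="%s" peername.ip="127.0.0.1" write by * read'
               % (ROOT_SASL, ADMINS, LIBUSER))
FIXED_ACL = ["{0}" + PASSWORD_RULE, "{1}" + ADMINS_RULE]  # after delete {1} / add {1}
REPLACED_ACL = [ADMINS_RULE]  # what 'replace: olcAccess' with one value leaves behind


def parse_directive(text, position):
    """Split one olcAccess value into (order, what, [(conditions, level), ...])."""
    m = re.match(r"\{(\d+)\}", text)  # slapd numbers unnumbered values by position
    order, body = (int(m.group(1)), text[m.end():]) if m else (position, text)
    tokens = shlex.split(body)  # keeps quoted values containing spaces whole
    what, clauses = tokens[1], []
    for tok in tokens[2:]:
        clauses.append([]) if tok == "by" else clauses[-1].append(tok)
    return order, what, [(c[:-1], c[-1]) for c in clauses]


def set_matches(expr, bind_dn):
    """Only the thread's form "[<group dn>]/<attr> & user/<attr>" is supported:
    match when the bind DN's <attr> values intersect the group's <attr> values."""
    m = re.fullmatch(r"\[(.+)\]/(\w+) & user/(\w+)", expr)
    group_dn, group_attr, user_attr = m.groups()
    group_values = set(DIRECTORY.get(group_dn, {}).get(group_attr, []))
    user_values = set(DIRECTORY.get(bind_dn, {}).get(user_attr, []))
    return bool(group_values & user_values)


def requester_matches(conditions, bind_dn, target_dn, peer_ip, ssf):
    """All conditions of one 'by' clause must hold (they are ANDed)."""
    for cond in conditions:
        key, _, val = cond.partition("=")
        if cond == "*":
            ok = True
        elif cond == "self":
            ok = bind_dn == target_dn
        elif key == "dn.exact":
            ok = bind_dn == val
        elif key == "peername.ip":
            ok = peer_ip == val
        elif key == "ssf":
            ok = ssf >= int(val)
        elif key == "set":
            ok = set_matches(val, bind_dn)
        else:
            raise ValueError("unsupported 'by' clause: " + cond)
        if not ok:
            return False
    return True


def access(acl, bind_dn, target_dn, attr=None, peer_ip="192.0.2.10", ssf=0):
    """Access level bind_dn ("" = anonymous) gets on attr of target_dn."""
    parsed = [parse_directive(t, i) for i, t in enumerate(acl)]
    for _, what, rules in sorted(parsed, key=lambda p: p[0]):
        if what != "*" and attr not in what[len("attrs="):].split(","):
            continue
        for conditions, level in rules:
            if requester_matches(conditions, bind_dn, target_dn, peer_ip, ssf):
                return level
        return "none"  # a 'to' clause matched but no 'by' did: stop and deny
    return "none"


def scenarios():
    """Requests a LAM admin would care about, each mapped to its access level."""
    return {
        "admin_writes_entry": access(FIXED_ACL, ALICE, BOB, "mail"),
        "user_reads_entry": access(FIXED_ACL, BOB, ALICE, "mail"),
        "libuser_local": access(FIXED_ACL, LIBUSER, BOB, "mail", peer_ip="127.0.0.1"),
        "libuser_remote": access(FIXED_ACL, LIBUSER, BOB, "mail"),
        # {0} is consulted first for userPassword, so the set rule in {1} never applies:
        "admin_resets_password": access(FIXED_ACL, ALICE, BOB, "userPassword", ssf=256),
        "self_changes_password": access(FIXED_ACL, BOB, BOB, "userPassword", ssf=256),
        # without {0}, 'to * ... by * read' also covers password hashes:
        "anon_reads_hash_replaced": access(REPLACED_ACL, "", BOB, "userPassword"),
        "anon_reads_hash_fixed": access(FIXED_ACL, "", BOB, "userPassword"),
        "root_sasl": access(FIXED_ACL, ROOT_SASL, BOB, "userPassword", peer_ip="127.0.0.1"),
    }


if __name__ == "__main__":
    for name, level in scenarios().items():
        print("%-26s %s" % (name, level))
```

Running it prints one line per scenario. The `libuser_remote` case shows why the `peername.ip="127.0.0.1"` condition matters: the same service account bound from another host only gets `read`. The real slapd ACL engine has more features (regex DNs, `break`/`continue` controls, `attrs=entry`), none of which this model covers; it is meant for reasoning about the rules before running `ldapmodify`, not as a replacement for testing on the server.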

Great, thanks. Unfortunately I had a few other issues with my installation, but I will try this when I am able.