From 91a0ddaaefbe285d9a5c5eb95c90b027dc78f208 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?=
Date: Fri, 27 Sep 2024 19:49:20 +0200
Subject: [PATCH] Doc for OpenLDAP/AD
---
 conf/config.inc.php | 3 ++-
 docs/enableaccount.rst | 33 +++++++++++++++++++++++++++++++++
 docs/index.rst | 1 +
 docs/ldap-parameters.rst | 22 +++++++++++++++++++++-
 docs/lockaccount.rst | 4 ++--
 5 files changed, 59 insertions(+), 4 deletions(-)
 create mode 100644 docs/enableaccount.rst
diff --git a/conf/config.inc.php b/conf/config.inc.php
index cf8dbb4..29f889e 100644
--- a/conf/config.inc.php
+++ b/conf/config.inc.php
@@ -23,7 +23,9 @@
 # All the default values are kept here, you should not modify it but use
 # config.inc.local.php file instead to override the settings from here.
 #==============================================================================
+
 # LDAP
+$ldap_type = "openldap";
 $ldap_url = "ldap://localhost";
 $ldap_starttls = false;
 $ldap_binddn = "cn=manager,dc=example,dc=com";
@@ -38,7 +40,6 @@
 #$ldap_default_ppolicy = "cn=default,ou=ppolicy,dc=example,dc=com";
 $ldap_lastauth_attribute = "authTimestamp";
 #$ldap_network_timeout = 10;
-$ldap_type = "openldap";
 # Override LDAP password policy configuration
 #$ldap_lockout_duration = 3600; # 1 hour
diff --git a/docs/enableaccount.rst b/docs/enableaccount.rst
new file mode 100644
index 0000000..8b88451
--- /dev/null
+++ b/docs/enableaccount.rst
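Review bot: In conf/config.inc.php the relocated `$ldap_type = "openldap";` now opens the LDAP block but carries no comment naming the accepted values, while the ldap-parameters.rst text added by this same patch lists `openldap` and `activedirectory` and warns that other parameters depend on the choice. A one-line comment above it would keep the default file self-explanatory for anyone overriding it in config.inc.local.php, e.g. `# Directory type: "openldap" or "activedirectory"; other LDAP settings depend on this choice`. The code that reads `$ldap_type` is outside this patch, so whether an unrecognised value is rejected cannot be confirmed from here and may be worth checking.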
@@ -0,0 +1,33 @@
+Enable and disable account
+==========================
+
+Show enabled status
+-------------------
+
+Service Desk will display if account is enabled or not. To allow this feature:
+
+.. code-block:: php
+
+ $show_enablestatus = true;
+
+Enable account
+--------------
+
+This feature allows to enable the account. The button is only displayed if the account is disabled.
+
+To enable this feature:
+
+.. code-block:: php
+
+ $use_enableaccount = true;
+
+Disable account
+---------------
+
+This feature allows to disable the account. It is only displayed if the account is enabled.
+
+To enable this feature:
+
+.. code-block:: php
+
+ $use_disableaccount = true;
diff --git a/docs/index.rst b/docs/index.rst
index 8755370..a0bf276 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -26,6 +26,7 @@ LDAP Tool Box Service Desk documentation
 checkpassword.rst
 resetpassword.rst
 lockaccount.rst
+ enableaccount.rst
 hook.rst
 dashboards.rst
 configuration-mail.rst
diff --git a/docs/ldap-parameters.rst b/docs/ldap-parameters.rst
index a6c126b..0ca7620 100644
--- a/docs/ldap-parameters.rst
+++ b/docs/ldap-parameters.rst
@@ -1,6 +1,17 @@
 LDAP parameters
 ===============
+Type of directory
+-----------------
+
+You can define the type of LDAP directory (``openldap`` or ``activedirectory``). The default value is ``openldap``.
+
+.. code-block:: php
+
+ $ldap_type = "openldap";
+
+.. tip:: Other configuration parameters could be impacted by this choice, check their documentation.
+
 Server address
 --------------
@@ -40,7 +51,7 @@ Configure DN and password in ``$ldap_bindn`` and ``$ldap_bindpw``:
 $ldap_binddn = "cn=manager,dc=example,dc=com";
 $ldap_bindpw = "secret";
-.. tip:: You can use the LDAP admin account or any service account. The account needs to read users, password policy entries and write ``userPassword`` and ``pwdReset`` attributes in user entries. Note that using the LDAP admin account will bypass any password policy like minimal size or password history when reseting the password.
+.. tip:: You can use the LDAP admin account or any service account. The account needs to read users, password policy entries and write password and some other related attributes in user entries. On OpenLDAP, using the LDAP admin account will bypass any password policy like minimal size or password history when reseting the password.
 LDAP Base
 ---------
@@ -106,6 +117,13 @@ Set ``$ldap_default_ppolicy`` value if a default policy is configured in your LD
 .. tip:: Password policy is first searched in ``pwdPolicySubentry`` attribute of user entry, then fallback to default policy.
+You can override some policies, like lockout duration or password maximal age:
+
+.. code-block:: php
+
+ $ldap_lockout_duration = 3600; # 1 hour
+ $ldap_password_max_age = 7889400; # 3 months
+
 Last authentication attribute
 -----------------------------
@@ -114,3 +132,5 @@ The last authentication date can be stored in different attributes depending on
 .. code-block:: php
 $ldap_lastauth_attribute = "pwdLastSuccess";
+
+.. tip:: This attribute is automatically configured for Active Directory.
diff --git a/docs/lockaccount.rst b/docs/lockaccount.rst
index 2fe21e3..78c134e 100644
--- a/docs/lockaccount.rst
+++ b/docs/lockaccount.rst
@@ -1,5 +1,5 @@
-Lock account
-============
+Lock and unlock account
+=======================
 Show lock status
 ----------------