Edit your new profile

At the top of the page you see the link to the user login page. Copy this link address and give it to your users.

Server settings

Below the link you can specify several options.

Table 8.1. 

Server address: The address of your LDAP server. For LDAP+SSL use "ldaps://myserver".
Activate TLS: Activates TLS encryption. Please note that this cannot be combined with LDAP+SSL ("ldaps://").
Follow referrals: By default LAM will not follow LDAP referrals. This is OK for most installations. If you use LDAP referrals please activate the referral option in advanced settings.
LDAP user + password: The DN and password which are used to search for users in the LDAP database. It is sufficient if this DN has only read rights. If you leave these fields empty LAM will try to connect anonymously.
Use for all operations: By default LAM will use the credentials of the user that logged in to white pages for read/modify operations. If you select this box then the connection user specified before will be used instead. Please note that this can be a security risk because the user requires write access to all users. You need to make sure that your LAM server is well protected.
Authentication method: The default method is user and password login. You can choose anonymous authentication if this is a public profile. If you use Okta or OpenID for 2FA then you can also select to trust the 2FA provider. In this case the user does not need to enter any password in LAM itself (SSO).
LDAP suffix: The part of the LDAP tree where LAM should search for users.
LDAP search attribute: Here you can specify the attribute that must contain the user name provided at the white pages login.
Additional LDAP filter: Use this to enter an additional LDAP filter (e.g. "(objectClass=inetOrgPerson)") to reduce the number of accounts that may use white pages.
Language: The language for this profile.
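
How the search attribute, the user name typed at the white pages login and the additional filter combine into one LDAP search filter, shown as an added example that is not LAM's own code. The function names and the exactly-one-match rule are assumptions; the escaping follows RFC 4515 so that filter metacharacters in the user name are matched literally.

```python
import re

# RFC 4515 escapes for characters that have a meaning inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value):
    """Return value with LDAP filter metacharacters escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(search_attribute, user_name, additional_filter=""):
    """Hypothetical helper: AND the login term with the additional filter."""
    if not _ATTRIBUTE_NAME.fullmatch(search_attribute):
        raise ValueError("search attribute is not a valid attribute name")
    term = f"({search_attribute}={escape_filter_value(user_name)})"
    extra = additional_filter.strip()
    if not extra:
        return term
    if not extra.startswith("("):
        extra = f"({extra})"  # accept "objectClass=person" without parentheses
    return f"(&{term}{extra})"


def pick_login_dn(matching_dns):
    """Assumed rule: the login only proceeds if exactly one entry matches."""
    return matching_dns[0] if len(matching_dns) == 1 else None


if __name__ == "__main__":
    # Constructed profile values: search attribute "uid", filter from the table.
    print(build_login_filter("uid", "jdoe", "(objectClass=inetOrgPerson)"))
    # A user name with metacharacters stays a literal value, not a pattern.
    print(build_login_filter("uid", "j*(doe)"))
```

The search itself runs below the configured LDAP suffix with the resulting filter.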

2-factor authentication

LAM supports 2-factor authentication for your users. This means the user will authenticate not only with user + password but also with e.g. a token generated by a mobile device. This adds more security because the token is generated on a physically separate device (typically a mobile phone).

Configuration

Please see the 2FA appendix for configuration details of the different providers.

Remember device

You can allow users to remember the 2FA device for privacyIDEA, WebAuthn and YubiKey. When a device is remembered, users can log in for the specified time without presenting their 2nd factor.

The password for the device remembering is used to authenticate the device data. It can be any long passphrase (use > 30 characters). LAM auto-generates one for you. If you change the passphrase then all device data becomes invalid and users need to present their 2nd factor again (which can then be saved again).
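
Why changing the passphrase invalidates every remembered device, shown as an added example that is not LAM's own code. The page does not describe how LAM stores device data; the token layout, HMAC-SHA256 and all function names here are assumptions.

```python
import base64
import hashlib
import hmac
import json


def _tag(passphrase, payload):
    """Authentication tag over the device data, keyed with the passphrase."""
    if len(passphrase) <= 30:
        raise ValueError("use a passphrase with more than 30 characters")
    return hmac.new(passphrase.encode(), payload, hashlib.sha256).digest()


def issue_device_token(passphrase, user_dn, device_id, now, lifetime_seconds):
    """Create device data that the server can later authenticate."""
    payload = json.dumps({"dn": user_dn, "dev": device_id,
                          "exp": now + lifetime_seconds}).encode()
    parts = (payload, _tag(passphrase, payload))
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in parts)


def check_device_token(passphrase, token, user_dn, now):
    """True only if the token is authentic, unexpired and issued to user_dn."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False  # malformed token: ask for the 2nd factor
    # Verify the tag before parsing anything the client sent back.
    if not hmac.compare_digest(tag, _tag(passphrase, payload)):
        return False
    data = json.loads(payload)
    return data["dn"] == user_dn and now < data["exp"]


if __name__ == "__main__":
    # Constructed values: passphrases, DN, device id and timestamps.
    old = "constructed-passphrase-0123456789-abcdef"
    dn = "uid=jdoe,ou=people,dc=example,dc=com"
    token = issue_device_token(old, dn, "device-1", now=1000, lifetime_seconds=3600)
    print(check_device_token(old, token, dn, now=2000))
    print(check_device_token("rotated-passphrase-9876543210-fedcba", token, dn, now=2000))
```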

Login

After logging in with user + password LAM will ask for the 2nd factor. If the user has set up multiple factors then they can choose one of them.

Captcha

LAM Pro can optionally display a captcha to verify that logins are not from robots. Captchas will be displayed when you tick the checkbox to secure login with a captcha. The supported captcha providers are:

Google reCAPTCHA

You will need the site and secret key for your domain. They can be retrieved from here: https://www.google.com/recaptcha

Please note that your web server must be able to access "https://www.google.com/recaptcha/api/siteverify" to verify the captchas.

Friendly Captcha

Please enter your site (see applications) and API key. The web server must be able to contact "https://api.friendlycaptcha.com" for verification.

hCaptcha

Please enter your site and secret key (not API key). The web server must be able to contact "https://hcaptcha.com" for verification.

Captions and labels

Here you can specify custom labels and text to provide familiar names and explanatory text.

Table 8.2. 

Login attribute label: This is the description for the LDAP search attribute. Set it to something which your users are familiar with.
Password field label: This text is placed as label for the password field on the login page. LAM will use "Password" if you do not enter any text.
Login caption: This text is displayed on the login page inside the login mask.
Login header: This text is displayed on the login page above the login mask.
Login footer: This text is displayed on the login page below the login mask.
Page header: This text is displayed as header on the white pages main page where your users browse the data.
Page footer: This text is displayed as footer on the white pages main page where your users browse the data.


Styling

LAM provides some predefined themes for the white pages. You are free to use them and/or adapt the colors and background image to your corporate design. The primary color is used for the primary button (e.g. submit button). The background color is used for the panels and page background (if no image is set).

The background image can be any image URL or one of the provided background images. Enter "background" to get an auto-completion list of existing images.

Predefined themes:

City

Coast

Grand canyon

Mountain

Ocean

Rain forest

Stars

Additional CSS links

Here you can specify additional CSS links to change the layout of the white pages. This is useful to adapt them to your corporate design. Please enter one link per line (e.g. https://example.com/style.css).

Display

Use this to define if your users can see the list view, gallery view or both. Users can switch between both modes when both are enabled.

Tabs

Each profile can have a number of tabs (e.g. users and groups). They are fully configurable regarding their displayed data and can contain any type of LDAP entries. E.g. you could display hardware/room entries next to your users.

Main settings

These are the basic settings for the entries of the tab.

Table 8.3. 

Label: Tab label for user GUI
LDAP suffix: LDAP suffix that contains the entries to display
Additional LDAP filter: LDAP filter to limit the entries that are displayed (e.g. "jpegPhoto=*" or "objectClass=person")
Searchable attributes: List of LDAP attribute names that can be searched by the user via the top search. The columns in list view have additional filters that are independent from this setting.

List view

This defines how the entries are displayed in the list view (table). Do not add too many items here so that the table stays readable.

Each table column is defined by an item that defines a label and a display value. The items can be one of the following:

Table 8.4. 

Type: Description for value option
Text: Displays a plain text value. The "value" of the item can be an LDAP attribute name or plain text with wildcards. Wildcards can be LDAP attributes (surrounded by "$") of the LDAP entry (e.g. "$givenName$ $sn$" for first + last name).
Email: Displays a clickable email address. The "value" must be the LDAP attribute name (e.g. "mail"). No wildcards allowed.
Telephone number: Displays a clickable telephone number. The "value" must be the LDAP attribute name (e.g. "telephoneNumber"). No wildcards allowed.
Image: Displays an image. The "value" must be the LDAP attribute name (e.g. "jpegPhoto"). No wildcards allowed.
Link: Displays a clickable link to the detail view of another entry (e.g. group). The "value" must be the LDAP attribute name followed by a colon and the display value (e.g. "manager:cn"). You can use wildcards for the display value (e.g. "manager:$givenName$ $sn$"). Wildcards will be resolved using the linked entry's attributes.

Gallery view

The gallery view shows the entries as cards. Each card has a title that can contain wildcards like the text items above (e.g. "$givenName$ $sn$" for first + last name). It is recommended to use an image item as first item. See list view for the different item types.

Detail view

When a user clicks on an entry then the detail view is opened. Here you can display more information that does not fit in the list/gallery view.

The detail view has a title that can contain wildcards like the text items above (e.g. "$givenName$ $sn$" for first + last name). See list view for the different item types.
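
How the "$attribute$" wildcards of Text items, Link items and the gallery/detail titles resolve against an entry, shown as an added example that is not LAM's own code. The function names, the rule that a value without "$" is an attribute name, joining multiple values with ", " and the sample entries are assumptions; the result is HTML-escaped because directory values end up in a web page.

```python
import html
import re

WILDCARD = re.compile(r"\$([A-Za-z][A-Za-z0-9-]*)\$")

# Constructed sample entries: DN -> attribute name -> list of values.
SAMPLE_DIRECTORY = {
    "uid=mboss,ou=people,dc=example,dc=com": {
        "cn": ["Max Boss"], "givenName": ["Max"], "sn": ["Boss"]},
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "givenName": ["Jane"], "sn": ["Doe <R&D>"], "description": ["$sn$"],
        "manager": ["uid=mboss,ou=people,dc=example,dc=com"]},
}


def resolve_value(value, entry):
    """Resolve a Text item value or a title and return HTML-safe text."""
    def attr(name):
        return ", ".join(entry.get(name, []))  # missing attribute -> ""

    if "$" not in value:
        text = attr(value)  # assumption: no wildcard means attribute name
    else:
        # Single pass: "$...$" inside an attribute value is not expanded again.
        text = WILDCARD.sub(lambda m: attr(m.group(1)), value)
    return html.escape(text)


def resolve_link(value, entry, directory):
    """Link item "attribute:display": (linked DN, HTML-safe label) or None."""
    attr_name, _, display = value.partition(":")
    targets = entry.get(attr_name, [])
    if not display or not targets or targets[0] not in directory:
        return None
    # Wildcards are resolved with the linked entry's attributes.
    return targets[0], resolve_value(display, directory[targets[0]])


if __name__ == "__main__":
    jane = SAMPLE_DIRECTORY["uid=jdoe,ou=people,dc=example,dc=com"]
    print(resolve_value("$givenName$ $sn$", jane))
    print(resolve_link("manager:$givenName$ $sn$", jane, SAMPLE_DIRECTORY))
```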