altSecurityIdentities extends ldapPublicKey
Manages SSH public keys on Windows/Samba 4.

ATTRIBUTES_TO_IGNORE_ON_COPY_DEFAULT  = array('uid', 'uidNumber', 'gid', 'gidNumber', 'cn', 'userpassword', 'sn', 'givenName', 'initials', 'telephoneNumber', 'homePhone', 'mobile', 'facsimileTelephoneNumber', 'pager', 'mail', 'employeeNumber', 'userCertificate;binary', 'userCertificate', 'homeDirectory', 'unixHomeDirectory', 'jpegPhoto')
These attributes will be ignored by default if a new account is copied from an existing one.
SESS_KEY_LIST  = 'ldapPublicKey_keyList'
session variable for existing keys in self service
$attributes  : mixed
contains all ldap attributes which should be written
$autoAddObjectClasses  : mixed
if true, managed object classes are added when an account is created or loaded (default: true)
$messages  : mixed
contains all error messages of a module
$meta  : mixed
includes all meta data provided by the sub class
$moduleSettings  : mixed
configuration settings of all modules
$orig  : mixed
contains all ldap attributes which are loaded from ldap
$selfServiceSettings  : selfServiceProfile
self service profile with settings of all modules
$base  : mixed
name of parent accountContainer ($_SESSION[$base])
$scope  : mixed
the account type of this module (user, group, host)
__construct()  : mixed
Creates a new base module class
addPDFImage()  : mixed
Adds an image to the PDF.
addPDFKeyValue()  : mixed
Adds a simple PDF entry with the given key and value.
addPDFTable()  : mixed
Adds a table entry to the PDF.
build_uploadAccounts()  : array<string|int, mixed>
In this function the LDAP accounts are built.
can_manage()  : bool
Returns true if this module can manage accounts of the current type, otherwise false.
canSelfServiceFieldBeReadOnly()  : bool
Returns if a given self service field can be set in read-only mode.
canSelfServiceFieldBeRelabeled()  : bool
Returns if a self service field can be relabeled.
check_configOptions()  : array<string|int, mixed>
Checks input values of module settings.
check_profileOptions()  : array<string|int, mixed>
Checks input values of account profiles.
checkGlobalConfigOptions()  : void
Checks the global config options.
checkSelfServiceOptions()  : array<string|int, mixed>
Checks if all input values are correct and returns the LDAP attributes which should be changed.
checkSelfServiceSettings()  : array<string|int, mixed>
Checks if the self service settings are valid.
delete_attributes()  : array<string|int, mixed>
This function returns an array with the same syntax as save_attributes().
display_html_attributes()  : htmlElement
This function creates meta HTML code to display the module page.
display_html_delete()  : htmlElement
This function creates meta HTML code which will be displayed when an account should be deleted.
displaySpecialSelfServicePage()  : htmlElement
This function creates meta HTML code to display the module specific page for the self service.
doUploadPostActions()  : array<string|int, mixed>
This function is responsible for additional tasks after the account has been created in LDAP (e.g. modifying group memberships, adding quota etc.).
doUploadPreActions()  : array<string|int, mixed>
Runs any actions that need to be done before an LDAP entry is created.
get_alias()  : string
Returns an alias name for the module.
get_configOptions()  : mixed
Returns a list of configuration options.
get_dependencies()  : array<string|int, mixed>
This function returns a list with all depending and conflicting modules.
get_help()  : array<string|int, mixed>
This function returns the help entry array for a specific help id.
get_ldap_filter()  : string
Returns an LDAP filter for the account lists
get_metaData()  : array<string|int, mixed>
Returns meta data that is interpreted by parent class
get_pdfEntries()  : array<string|int, PDFEntry>
Returns the PDF entries for this module.
get_pdfFields()  : array<string|int, mixed>
Returns a hashtable with all entries that may be printed out in the PDF.
get_profileOptions()  : htmlElement
This function defines what attributes will be used in the account profiles and their appearance in the profile editor.
get_RDNAttributes()  : array<string|int, mixed>
Returns a hash array containing a list of possible LDAP attributes that can be used to form the RDN (Relative Distinguished Name).
get_scope()  : string
Returns the account type of this module (user, group, host)
get_uploadColumns()  : array<string|int, mixed>
Returns an array containing all input columns for the file upload.
get_uploadPreDepends()  : array<string|int, mixed>
Returns a list of module names which must be processed in building the account before this module.
getAttributes()  : array<string|int, mixed>
Returns the LDAP attributes which are managed in this module.
getButtonStatus()  : string
Controls if the module button on the account page is visible and activated.
getGlobalConfigOptions()  : array<string|int, htmlElement>
Returns a list of config options for LAM's main configuration.
getIcon()  : unknown
Returns the path to the module icon.
getLDAPAliases()  : array<string|int, mixed>
Returns a list of aliases for LDAP attributes.
getLinkToSpecialSelfServicePage()  : string
This allows modules to create a link to a module specific page for the self service.
getListAttributeDescriptions()  : array<string|int, mixed>
Returns a list of attribute descriptions for the account list.
getListFilterFunction()  : callable|null
Returns a callable if there should be a custom filtering for the given attribute name.
getListRenderFunction()  : callable|null
Returns a callable if there should be a custom display for the given attribute name.
getManagedAttributes()  : array<string|int, mixed>
Returns a list of LDAP attributes which are managed by this module.
getManagedHiddenAttributes()  : array<string|int, mixed>
Returns a list of operational LDAP attributes which are managed by this module and need to be explicitly set for LDAP search.
getManagedObjectClasses()  : array<string|int, mixed>
Returns a list of managed object classes for this module.
getOriginalAttributes()  : array<string|int, mixed>
Returns the LDAP attributes which are managed in this module (with unchanged values).
getRequiredExtensions()  : array<string|int, mixed>
This function returns a list of PHP extensions (e.g. hash) which are needed by this module.
getSelfServiceFields()  : array<string|int, mixed>
Returns a list of possible input fields and their descriptions.
getSelfServiceOptions()  : array<string|int, mixed>
Returns the meta HTML code for each input field.
getSelfServiceSearchAttributes()  : array<string|int, mixed>
This function returns a list of possible LDAP attributes (e.g. uid, cn, ...) which can be used to search for LDAP objects.
getSelfServiceSettings()  : htmlElement
Returns a list of self service configuration settings.
getSupportedJobs()  : mixed
Returns a list of jobs that can be run.
getWildCardReplacements()  : array<string|int, mixed>
Returns a list of wildcards that can be replaced in input fields.
handleAjaxRequest()  : mixed
Manages AJAX requests.
hasOnlyVirtualChildren()  : bool
Defines if the LDAP entry has only virtual child entries. This is the case for e.g. LDAP views.
init()  : mixed
Initializes the module after it became part of an accountContainer
invalidAjaxRequest()  : mixed
Invalid AJAX request received.
is_base_module()  : bool
Returns true if your module is a base module and otherwise false.
load_attributes()  : mixed
This function loads the LDAP attributes when an account should be loaded.
load_profile()  : mixed
This function loads the values from an account profile to the module's internal data structures.
loadAttributesFromAccountCopy()  : void
Loads the LDAP data from an account to copy.
module_complete()  : bool
This function is used to check if all settings for this module have been made.
module_ready()  : bool
This function is used to check if this module page can be displayed.
postDeleteActions()  : array<string|int, mixed>
Allows the module to run commands after the LDAP entry is deleted.
postModifyActions()  : array<string|int, mixed>
Allows the module to run commands after the LDAP entry is changed or created.
postModifySelfService()  : bool
Allows the module to run commands after the LDAP entry is changed or created.
preDeleteActions()  : array<string|int, mixed>
Allows the module to run commands before the LDAP entry is deleted.
preModifyActions()  : array<string|int, mixed>
Allows the module to run commands before the LDAP entry is changed or created.
preModifySelfService()  : bool
Allows the module to run commands before the LDAP entry is changed or created.
process_attributes()  : array<string|int, mixed>
This function processes user input.
runGlobalCronActions()  : void
Runs any global cron actions.
save_attributes()  : array<string|int, mixed>
Returns a list of modifications which have to be made to the LDAP account.
supportsAdminInterface()  : bool
Specifies if this module supports the LAM admin interface.
supportsGlobalCronJob()  : bool
Specifies if the module supports global cron job actions.
addDoubleSelectionArea()  : mixed
Adds an area with two multi-select fields with buttons to move items from right to left and vice-versa.
addMultiValueInputTextField()  : mixed
Adds a text input field that may contain multiple values to the given htmlResponsiveRow.
addMultiValueSelectField()  : mixed
Adds a select field type that may contain multiple values to the given htmlTable.
addMultiValueSelfServiceTextField()  : mixed
Adds a simple text input field for the self service.
addSimpleInputTextField()  : mixed
Adds a simple text input field to the given htmlResponsiveRow.
addSimplePDFField()  : mixed
Adds a simple PDF entry to the given array.
addSimpleReadOnlyField()  : mixed
Adds a simple read-only field to the given container.
addSimpleSelfServiceTextField()  : mixed
Adds a simple text input field for the self service.
checkMultiValueSelfServiceTextField()  : mixed
Checks the input value of a self service multi-value text field.
checkSimpleSelfServiceTextField()  : mixed
Checks the input value of a self service text field.
getAccountContainer()  : accountContainer|null
Returns the accountContainer object.
getAttributeName()  : string
Returns the LDAP attribute name for the keys.
getObjectClass()  : string
Returns the object class name.
getSelfServiceLabel()  : string
Returns the field label. This can be either the given default label or an override value from profile.
hasObjectClass()  : bool
Returns if the extension uses an object class.
isBooleanConfigOptionSet()  : bool
Returns if the given configuration option is set.
load_Messages()  : mixed
This function fills the $messages variable with output messages from this module.
mapSimpleUploadField()  : mixed
Maps simple upload fields directly to LDAP attribute values.
processMultiValueInputTextField()  : mixed
Validates a multi-value text field.
processMultiValueSelectField()  : mixed
Validates a multi-value select field.
processSimpleTextInput()  : mixed
Validates a text field.
ajaxDeleteSelfServiceKey()  : mixed
Manages the deletion of a key.
ajaxUpload()  : mixed
Handles an AJAX file upload and prints the JSON result.
checkUploadRegex()  : value
Checks the upload value against a list of regular expressions.
getSelfServiceKeys()  : htmlTable
Returns the meta HTML code to display the key area.
getSelfServiceKeysJSBlock()  : htmlJavaScript
Returns the JavaScript functions to manage the keys.



These attributes will be ignored by default if a new account is copied from an existing one.

public mixed ATTRIBUTES_TO_IGNORE_ON_COPY_DEFAULT = array('uid', 'uidNumber', 'gid', 'gidNumber', 'cn', 'userpassword', 'sn', 'givenName', 'initials', 'telephoneNumber', 'homePhone', 'mobile', 'facsimileTelephoneNumber', 'pager', 'mail', 'employeeNumber', 'userCertificate;binary', 'userCertificate', 'homeDirectory', 'unixHomeDirectory', 'jpegPhoto')


session variable for existing keys in self service

public mixed SESS_KEY_LIST = 'ldapPublicKey_keyList'



contains all ldap attributes which should be written

protected mixed $attributes


if true, managed object classes are added when an account is created or loaded (default: true)

protected mixed $autoAddObjectClasses = \true


contains all error messages of a module

protected mixed $messages


includes all meta data provided by the sub class

protected mixed $meta


configuration settings of all modules

protected mixed $moduleSettings


contains all ldap attributes which are loaded from ldap

protected mixed $orig


name of parent accountContainer ($_SESSION[$base])

private mixed $base


the account type of this module (user, group, host)

private mixed $scope



Creates a new base module class

public __construct(string $scope) : mixed
$scope : string

the account type (user, group, host)

Return values


Adds an image to the PDF.

public addPDFImage(array<string|int, mixed> &$result, string $attrName) : mixed
$result : array<string|int, mixed>

result array (entry will be added here)

$attrName : string

attribute name

Return values


Adds a simple PDF entry with the given key and value.

public addPDFKeyValue(array<string|int, mixed> &$result, string $name, string $label, mixed $value[, string $delimiter = ', ' ]) : mixed
$result : array<string|int, mixed>

result array (entry will be added here)

$name : string


$label : string

label name

$value : mixed

value as String or array

$delimiter : string = ', '

delimiter if value is array (default: ", ")

Return values


Adds a table entry to the PDF.

public addPDFTable(array<string|int, mixed> &$result, string $name, PDFTable $table) : mixed
$result : array<string|int, mixed>

result array (entry will be added here)

$name : string


$table : PDFTable


Return values


In this function the LDAP accounts are built.

public build_uploadAccounts(array<string|int, mixed> $rawAccounts, array<string|int, mixed> $ids, array<string|int, mixed> &$partialAccounts, array<string|int, mixed> $selectedModules, ConfiguredType &$type) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

Returns an array which contains subarrays to generate StatusMessages if any errors occurred.

$rawAccounts : array<string|int, mixed>

the user input data, contains one subarray for each account.

$ids : array<string|int, mixed>

list of IDs for column position (e.g. "posixAccount_uid" => 5)

$partialAccounts : array<string|int, mixed>

list of hash arrays (name => value) which are later added to LDAP

$selectedModules : array<string|int, mixed>

list of selected account modules

$type : ConfiguredType

account type

Return values
array<string|int, mixed>

list of error messages if any


Returns true if this module can manage accounts of the current type, otherwise false.

public abstract can_manage() : bool

Calling this method does not require the existence of an enclosing accountContainer.

Return values

true if module fits


Returns if a given self service field can be set in read-only mode.

public canSelfServiceFieldBeReadOnly(string $fieldID, selfServiceProfile $profile) : bool
$fieldID : string

field identifier

$profile : selfServiceProfile

currently edited profile

Return values

may be set read-only


Returns if a self service field can be relabeled.

public canSelfServiceFieldBeRelabeled(string $fieldID, selfServiceProfile $profile) : bool
$fieldID : string

field ID

$profile : selfServiceProfile

currently edited profile

Return values

may be relabeled


Checks input values of module settings.

public check_configOptions(array<string|int, mixed> $typeIds, array<string|int, mixed> &$options) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

If the input data is invalid the return value is an array that contains subarrays to build StatusMessages ('message type', 'message head', 'message text').
If no errors occurred the function returns an empty array.

$typeIds : array<string|int, mixed>

list of account type ids which are used

$options : array<string|int, mixed>

hash array (option name => value) that contains the input. The option values are all arrays containing one or more elements.

Return values
array<string|int, mixed>

list of error messages


Checks input values of account profiles.

public check_profileOptions(array<string|int, mixed> $options, string $typeId) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

$options is a hash array (option name => value) that contains the user input. The option values are all arrays containing one or more elements.
If the input data is invalid the return value is an array that contains arrays to build StatusMessages (message type, message head, message text). If no errors occurred the function returns an empty array.

$options : array<string|int, mixed>

a hash array (name => value) containing the user input

$typeId : string

type id (user, group, host)

Return values
array<string|int, mixed>

list of error messages (array(type, title, text)) to generate StatusMessages, if any


Checks the global config options.

public checkGlobalConfigOptions(array<string|int, mixed> &$options, array<string|int, string> &$messages, array<string|int, string> &$errors) : void
$options : array<string|int, mixed>

config options

$messages : array<string|int, string>

info messages can be added here

$errors : array<string|int, string>

error messages can be added here

Return values


Checks if all input values are correct and returns the LDAP attributes which should be changed.

public checkSelfServiceOptions(string $fields, array<string|int, mixed> $attributes, bool $passwordChangeOnly, array<string|int, mixed> $readOnlyFields) : array<string|int, mixed>

Return values:
messages: array of parameters to create status messages
add: array of attributes to add
del: array of attributes to remove
mod: array of attributes to modify
info: array of values with informational value (e.g. to be used later by pre/postModify actions)

Calling this method does not require the existence of an enclosing accountContainer.

$fields : string

input fields

$attributes : array<string|int, mixed>

LDAP attributes

$passwordChangeOnly : bool

indicates that the user is only allowed to change his password and no LDAP content is readable

$readOnlyFields : array<string|int, mixed>

list of read-only fields

Return values
array<string|int, mixed>

messages and attributes (array('messages' => [], 'add' => array('mail' => array('test@test.com')), 'del' => [], 'mod' => [], 'info' => []))


Checks if the self service settings are valid.

public checkSelfServiceSettings(array<string|int, mixed> &$options, selfServiceProfile &$profile) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

If the input data is invalid the return value is an array that contains arrays to build StatusMessages (message type, message head, message text). If no errors occurred the function returns an empty array.

$options : array<string|int, mixed>

hash array (option name => value) that contains the input. The option values are all arrays containing one or more elements.

$profile : selfServiceProfile

self service profile

Return values
array<string|int, mixed>

error messages


This function returns an array with the same syntax as save_attributes().

public delete_attributes() : array<string|int, mixed>

Calling this method requires the existence of an enclosing accountContainer.

It allows additional LDAP changes when an account is deleted.

Return values
array<string|int, mixed>

of LDAP operations, same as for save_attributes()


This function creates meta HTML code to display the module page.

public abstract display_html_attributes() : htmlElement

Calling this method requires the existence of an enclosing accountContainer.

Return values

meta HTML object


This function creates meta HTML code which will be displayed when an account should be deleted.

public display_html_delete() : htmlElement

Calling this method requires the existence of an enclosing accountContainer.

This can be used to interact with the user, e.g. should the home directory be deleted? The output of all modules is displayed on a single page.

Return values

meta HTML object


This function is responsible for additional tasks after the account has been created in LDAP (e.g. modifying group memberships, adding quota etc.).

public doUploadPostActions(array<string|int, mixed> &$data, array<string|int, mixed> $ids, array<string|int, mixed> $failed, array<string|int, mixed> &$temp, array<string|int, mixed> &$accounts, array<string|int, string> $selectedModules, ConfiguredType $type) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

This function is called as long as the returned status is 'finished'. Please make sure that one function call lasts no longer than 3-4 seconds. Otherwise the upload may fail because the time limit is exceeded. You should not make more than one LDAP operation in each call.

$data : array<string|int, mixed>

array containing one account in each element

$ids : array<string|int, mixed>

maps the column names to keys for the sub arrays (array(<column_name> => ))

$failed : array<string|int, mixed>

list of account numbers which could not be successfully uploaded to LDAP

$temp : array<string|int, mixed>

variable to store temporary data between two post actions

$accounts : array<string|int, mixed>

list of LDAP entries

$selectedModules : array<string|int, string>

selected account modules

$type : ConfiguredType

account type

Return values
array<string|int, mixed>

current status
array (
'status' => 'finished' | 'inProgress' // defines if all operations are complete
'progress' => 0..100 // the progress of the operations in percent
'errors' => array // list of arrays which are used to generate StatusMessages
)


Runs any actions that need to be done before an LDAP entry is created.

public doUploadPreActions(array<string|int, mixed> $attributes, ConfiguredType $type) : array<string|int, mixed>
$attributes : array<string|int, mixed>

LDAP attributes of this entry (attributes are provided as reference, handle modifications of $attributes with care)

$type : ConfiguredType

account type

Return values
array<string|int, mixed>

array which contains status messages. Each entry is an array containing the status message parameters.


Returns an alias name for the module.

public get_alias() : string

Calling this method does not require the existence of an enclosing accountContainer.

This function returns a more descriptive string than the class name. Alias names are used for the buttons on the account pages and the module selection in the configuration wizard.
Please take care that your alias name is not too long. It may contain any character but should not include parts that may be interpreted by the browser (e.g. '<' or '>'). If you use different aliases dependent on the account type please make sure that there is a general alias for unknown types.

Return values

alias name


Returns a list of configuration options.

public get_configOptions(array<string|int, mixed> $scopes, array<string|int, mixed> $allScopes) : mixed

Calling this method does not require the existence of an enclosing accountContainer.

The field names are used as keywords to load and save settings. We recommend using the module name as prefix for them (e.g. posixAccount_homeDirectory) to avoid naming conflicts.

$scopes : array<string|int, mixed>

account types (user, group, host)

$allScopes : array<string|int, mixed>

list of all active account modules and their account type id (module => array(type id))

Return values

htmlElement or array of htmlElement


This function returns a list with all depending and conflicting modules.

public get_dependencies() : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

The return value is an array with two sub arrays, "depends" and "conflicts". All values of the conflict array are string values with module names. All values of the depends array are either string values with module names or arrays which include only string values with module names.
If an element of the depends array is itself an array, this means that your module depends on one of these modules.

Example: return array("depends" => array("posixAccount", array("qmail", "sendmail")), "conflicts" => array("exim"))

Return values
array<string|int, mixed>

list of dependencies and conflicts
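
The "depends"/"conflicts" layout described for get_dependencies() can be checked against a module selection as follows. This is an added example, not code from LAM; checkModuleDependencies() and the module name myMailModule are hypothetical, and only the array layout and the sample return value come from the description above.

```php
<?php
// Added illustration, not LAM code. checkModuleDependencies() and the sample
// selection below are hypothetical; only the "depends"/"conflicts" array
// layout is taken from the get_dependencies() description.

/**
 * @param string[] $selected names of the modules selected for an account type
 * @param array<string, array<string, array>> $deps get_dependencies() result per module name
 * @return string[] problems found, empty if the selection is consistent
 */
function checkModuleDependencies(array $selected, array $deps): array
{
    $problems = [];
    foreach ($selected as $module) {
        $depends = $deps[$module]['depends'] ?? [];
        $conflicts = $deps[$module]['conflicts'] ?? [];
        foreach ($depends as $dependency) {
            // A plain string is a hard dependency; a nested array means
            // "at least one of these modules must be selected".
            $alternatives = is_array($dependency) ? $dependency : [$dependency];
            if (array_intersect($alternatives, $selected) === []) {
                $problems[] = sprintf('%s requires %s', $module, implode(' or ', $alternatives));
            }
        }
        foreach (array_intersect($conflicts, $selected) as $conflict) {
            $problems[] = sprintf('%s conflicts with %s', $module, $conflict);
        }
    }
    return $problems;
}

// Constructed sample data built from the example return value in the text.
$deps = [
    'myMailModule' => [
        'depends'   => ['posixAccount', ['qmail', 'sendmail']],
        'conflicts' => ['exim'],
    ],
];
print_r(checkModuleDependencies(['myMailModule', 'posixAccount', 'exim'], $deps));
```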


This function returns the help entry array for a specific help id.

public get_help(string $id) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

The result is a hashtable with the following keys:

  • Headline (required)
    The headline of this help entry. Can consist of any alphanumeric characters. No HTML/CSS elements are allowed.
  • Text (required)
    The text of the help entry which may contain any alphanumeric characters.
  • SeeAlso (optional)
    A reference to another related web site. It must be an array containing a field called "text" with the link text that should be displayed and a field called "link" which is the link target.


array('Headline' => 'This is the head line', 'Text' => 'Help content', 'SeeAlso' => array('text' => 'LAM homepage', 'link' => 'http://www.ldap-account-manager.org/'))
$id : string

The id string for the help entry needed.

Return values
array<string|int, mixed>

The desired help entry.


Returns an LDAP filter for the account lists

public get_ldap_filter(string $typeId) : string

Calling this method does not require the existence of an enclosing accountContainer.

Returns an array('or' => '...', 'and' => '...') that is used to build the LDAP filter. Usually, this is used to filter object classes. All "or" filter parts of the base modules are combined with OR and then combined with the "and" parts.
The resulting LDAP filter will look like this: (&(|(OR1)(OR2)(OR3))(AND1)(AND2)(AND3))

Example: return array('or' => '(objectClass=posixAccount)', 'and' => '(!(uid=*$))')

$typeId : string

account type id

Return values

LDAP filter


Returns the PDF entries for this module.

public get_pdfEntries(array<string|int, mixed> $pdfKeys, string $typeId) : array<string|int, PDFEntry>
$pdfKeys : array<string|int, mixed>

list of PDF keys that are included in document

$typeId : string

type id (user, group, host)

Return values
array<string|int, PDFEntry>

list of key => PDFEntry


Returns a hashtable with all entries that may be printed out in the PDF.

public get_pdfFields(string $typeId) : array<string|int, mixed>
$typeId : string

type id (user, group, host)

Return values
array<string|int, mixed>

PDF entries as key => label


This function defines what attributes will be used in the account profiles and their appearance in the profile editor.

public get_profileOptions(string $typeId) : htmlElement

Calling this method does not require the existence of an enclosing accountContainer.

The return value is an object implementing htmlElement.
The field names are used as keywords to load and save profiles. We recommend using the module name as prefix for them (e.g. posixAccount_homeDirectory) to avoid naming conflicts.

$typeId : string

type id (user, group, host, ...)

Return values

meta HTML object


Returns a hash array containing a list of possible LDAP attributes that can be used to form the RDN (Relative Distinguished Name).

public get_RDNAttributes(string $typeId) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

The returned elements have this form: <attribute> => <priority>
<attribute> is the name of the LDAP attribute
<priority> defines the priority of the attribute (can be "low", "normal", "high")

Example: return array('uid' => 'normal', 'cn' => 'low')

$typeId : string

account type

Return values
array<string|int, mixed>

list of attributes


Returns the account type of this module (user, group, host)

public get_scope() : string
Return values

account type


Returns an array containing all input columns for the file upload.

public get_uploadColumns(array<string|int, mixed> $selectedModules, ConfiguredType &$type) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

This function returns an array which contains subarrays which represent an upload column. Syntax of column arrays:

string: name, // fixed non-translated name which is used as column name (should be of format: _)
string: description, // short descriptive name
string: help, // help ID
string: example, // example value
string: values, // possible input values (optional)
string: default, // default value (optional)
boolean: required // true, if user must set a value for this column
boolean: unique // true if all values of this column must be different values (optional, default: "false")

$selectedModules : array<string|int, mixed>

list of selected account modules

$type : ConfiguredType

account type

Return values
array<string|int, mixed>

column list


Returns a list of module names which must be processed in building the account before this module.

public get_uploadPreDepends() : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

The named modules may not be active, LAM will check this automatically.

Return values
array<string|int, mixed>

list of module names


Returns the LDAP attributes which are managed in this module.

public getAttributes() : array<string|int, mixed>
Return values
array<string|int, mixed>



Controls if the module button on the account page is visible and activated.

public getButtonStatus() : string

Calling this method requires the existence of an enclosing accountContainer.

Possible return values:

  • enabled: button is visible and active
  • disabled: button is visible and deactivated (greyed)
  • hidden: no button will be shown
Return values

status ("enabled", "disabled", "hidden")


Returns a list of config options for LAM's main configuration.

public getGlobalConfigOptions(array<string|int, mixed> $currentSettings) : array<string|int, htmlElement>
$currentSettings : array<string|int, mixed>

current settings

Return values
array<string|int, htmlElement>

config options


Returns the path to the module icon.

public getIcon() : unknown

The path must be relative to graphics (e.g. key.png) or a URL (/icons/icon.png or http://server/icon.png). You can also set $this->meta['icon']. The preferred size is 32x32px.

Return values


Returns a list of aliases for LDAP attributes.

public getLDAPAliases(string $typeId) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing accountContainer.

All alias attributes will be renamed to the given attribute names.

$typeId : string

type id (user, group, host)

Return values
array<string|int, mixed>

list of aliases like array("alias name" => "attribute name")


This allows modules to create a link to a module specific page for the self service.

public getLinkToSpecialSelfServicePage(array<string|int, mixed> $settings) : string

The link is shown on the login page of the self service. You can use this to provide e.g. a page to reset passwords.

$settings : array<string|int, mixed>

self service settings

Return values

link text (null if no special page used)


Returns a list of attribute descriptions for the account list.

public getListAttributeDescriptions(ConfiguredType $type) : array<string|int, mixed>
$type : ConfiguredType


Return values
array<string|int, mixed>

attribute name => description label


Returns a callable if there should be a custom filtering for the given attribute name.

public getListFilterFunction(string $attributeName) : callable|null
$attributeName : string

attribute name

Return values

custom function for filtering (?array $values, ?string $filterValue)


Returns a callable if there should be a custom display for the given attribute name.

public getListRenderFunction(string $attributeName) : callable|null
$attributeName : string

attribute name

Return values

custom function for rendering (array $entry, string $attribute)


Returns a list of LDAP attributes which are managed by this module.

public getManagedAttributes(string $typeId) : array<string|int, mixed>

All attribute names will be renamed to match the given spelling.

$typeId : string

type id (user, group, host)

Return values
array<string|int, mixed>

list of attributes


Returns a list of operational LDAP attributes which are managed by this module and need to be explicitly set for LDAP search.

public getManagedHiddenAttributes(string $typeId) : array<string|int, mixed>
$typeId : string

account type id

Return values
array<string|int, mixed>

list of hidden attributes


Returns a list of managed object classes for this module.

public getManagedObjectClasses(string $typeId) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing .

This is used to fix spelling errors in LDAP entries (e.g. if "posixACCOUNT" is read instead of "posixAccount" from LDAP).

Example: return array('posixAccount')

$typeId : string

type id (user, group, host)

Return values
array<string|int, mixed>

list of object classes


Returns the LDAP attributes which are managed in this module (with unchanged values).

public getOriginalAttributes() : array<string|int, mixed>
Return values
array<string|int, mixed>



This function returns a list of PHP extensions (e.g. hash) which are needed by this module.

public getRequiredExtensions() : array<string|int, mixed>

Calling this method does not require the existence of an enclosing .

Return values
array<string|int, mixed>



Returns a list of possible input fields and their descriptions.

public getSelfServiceFields() : array<string|int, mixed>

Calling this method does not require the existence of an enclosing .

Format: array( => )

Return values
array<string|int, mixed>



Returns the meta HTML code for each input field.

public getSelfServiceOptions(array<string|int, mixed> $fields, array<string|int, mixed> $attributes, bool $passwordChangeOnly, array<string|int, mixed> $readOnlyFields) : array<string|int, mixed>

Calling this method does not require the existence of an enclosing .

It is not possible to display help links.

$fields : array<string|int, mixed>

list of active fields

$attributes : array<string|int, mixed>

attributes of LDAP account

$passwordChangeOnly : bool

indicates that the user is only allowed to change his password and no LDAP content is readable

$readOnlyFields : array<string|int, mixed>

list of read-only fields

Return values
array<string|int, mixed>

list of meta HTML elements (field name => htmlResponsiveRow)


This function returns a list of possible LDAP attributes (e.g. uid, cn, ...) which can be used to search for LDAP objects.

public getSelfServiceSearchAttributes() : array<string|int, mixed>

Calling this method does not require the existence of an enclosing .

Return values
array<string|int, mixed>



Returns a list of self service configuration settings.

public getSelfServiceSettings(selfServiceProfile $profile) : htmlElement

Calling this method does not require the existence of an enclosing .

The name attributes are used as keywords to load and save settings. We recommend using the module name as a prefix for them (e.g. posixAccount_homeDirectory) to avoid naming conflicts.

$profile : selfServiceProfile

currently edited profile

Return values

meta HTML object


Returns a list of jobs that can be run.

public getSupportedJobs(LAMConfig &$config) : mixed
$config : LAMConfig


Return values


Returns a list of wildcards that can be replaced in input fields.

public getWildCardReplacements() : array<string|int, mixed>

E.g. "$firstname" is replaced with "givenName" attribute value.

Return values
array<string|int, mixed>

replacements as wildcard => value


Manages AJAX requests.

public handleAjaxRequest() : mixed

This function may be called with or without an account container.

Return values


Defines if the LDAP entry has only virtual child entries. This is the case for e.g. LDAP views.

public hasOnlyVirtualChildren() : bool
Return values

has only virtual children


Initializes the module after it became part of an accountContainer.

public init(string $base) : mixed

Calling this method requires the existence of an enclosing .

$base : string

the name of the object ($_SESSION[$base])

Return values


Invalid AJAX request received.

public static invalidAjaxRequest([string $message = null ]) : mixed
$message : string = null

error message

Return values


Returns true if your module is a base module and otherwise false.

public is_base_module() : bool

Calling this method does not require the existence of an enclosing .

Every account type needs exactly one base module. A base module manages a structural object class. E.g. the inetOrgPerson module is a base module since its object class is structural.

Return values

true if base module (defaults to false if no meta data is provided)


This function loads the LDAP attributes when an account should be loaded.

public load_attributes(array<string|int, mixed> $attributes) : mixed

Calling this method requires the existence of an enclosing .

By default this method loads the object classes and accounts which are specified in and .

$attributes : array<string|int, mixed>

array like the array returned by get_ldap_attributes(dn of account) but without count indices

Return values


This function loads the values from an account profile to the module's internal data structures.

public load_profile(array<string|int, mixed> $profile) : mixed

Calling this method does not require the existence of an enclosing .

$profile : array<string|int, mixed>

hash array with profile values (identifier => value)

Return values


Loads the LDAP data from an account to copy.

public loadAttributesFromAccountCopy(array<string|int, mixed> $ldapAttributes[, array<string|int, mixed> $attributesToIgnore = [] ]) : void
$ldapAttributes : array<string|int, mixed>

LDAP attributes of copy

$attributesToIgnore : array<string|int, mixed> = []

list of attributes to ignore during load (defaults to self::ATTRIBUTES_TO_IGNORE_ON_COPY_DEFAULT)

Return values


This function is used to check if all settings for this module have been made.

public module_complete() : bool

Calling this method requires the existence of an enclosing .

This function tells LAM if it can create/modify the LDAP account. If your module needs any additional input then set this to false. The user will be notified that your module needs more input.
This method's return value defaults to true.

Return values

true, if settings are complete


This function is used to check if this module page can be displayed.

public module_ready() : bool

Calling this method requires the existence of an enclosing .

Your module might depend on input of other modules. This function determines if the user can change to your module page or not. The return value is true if your module accepts input, otherwise false.
This method's return value defaults to true.

Return values

true, if page can be displayed


Allows the module to run commands after the LDAP entry is deleted.

public postDeleteActions() : array<string|int, mixed>

Calling this method requires the existence of an enclosing .

Return values
array<string|int, mixed>

Array which contains status messages. Each entry is an array containing the status message parameters.


Allows the module to run commands after the LDAP entry is changed or created.

public postModifyActions(bool $newAccount, array<string|int, mixed> $attributes) : array<string|int, mixed>

Calling this method requires the existence of an enclosing .

$newAccount : bool

new account

$attributes : array<string|int, mixed>

LDAP attributes of this entry

Return values
array<string|int, mixed>

array which contains status messages. Each entry is an array containing the status message parameters.


Allows the module to run commands after the LDAP entry is changed or created.

public postModifySelfService(bool $newAccount, array<string|int, mixed> $attributes) : bool
$newAccount : bool

is new account or existing one

$attributes : array<string|int, mixed>

LDAP attributes of this entry

Return values

true, if no problems occurred


Allows the module to run commands before the LDAP entry is deleted.

public preDeleteActions() : array<string|int, mixed>

Calling this method requires the existence of an enclosing .

Return values
array<string|int, mixed>

Array which contains status messages. Each entry is an array containing the status message parameters.


Allows the module to run commands before the LDAP entry is changed or created.

public preModifyActions(bool $newAccount, array<string|int, mixed> &$attributes) : array<string|int, mixed>

Calling this method requires the existence of an enclosing .

The modification is aborted if an error message is returned.

$newAccount : bool

new account

$attributes : array<string|int, mixed>

LDAP attributes of this entry (added/modified attributes are provided as reference, handle modifications of $attributes with care)

Return values
array<string|int, mixed>

array which contains status messages. Each entry is an array containing the status message parameters.


Allows the module to run commands before the LDAP entry is changed or created.

public preModifySelfService(bool $newAccount, array<string|int, mixed> $attributes) : bool

An error message should be printed if the function returns false.

$newAccount : bool

is new account or existing one

$attributes : array<string|int, mixed>

LDAP attributes of this entry

Return values

true, if no problems occurred


This function processes user input.

public abstract process_attributes() : array<string|int, mixed>

Calling this method requires the existence of an enclosing .

It checks the user input and saves changes in the module's data structures.

Example: return array(array('ERROR', 'Invalid input!', 'This is not allowed here.'));

Return values
array<string|int, mixed>

Array which contains status messages. Each entry is an array containing the status message parameters.
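The following added example (not LAM's own code) shows input checking for SSH public key values that reports problems in the message shape shown above. The function names, the key type allowlist and the sample input are assumptions made for this illustration.

```php
<?php
// Added example: stand-alone code, not taken from LAM.
// ALLOWED_KEY_TYPES, checkSshPublicKeyLine() and processKeyInput() are hypothetical names.

/** Key types accepted by this example (assumption, adjust to local policy). */
const ALLOWED_KEY_TYPES = [
    'ssh-ed25519', 'ssh-rsa',
    'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521',
];

/**
 * Checks one OpenSSH public key line ("<type> <base64 data> [comment]").
 * Returns null if the line is acceptable, otherwise a reason string.
 */
function checkSshPublicKeyLine(string $line): ?string
{
    // One LDAP value must hold exactly one key: no embedded line breaks or NUL bytes.
    if (preg_match('/[\r\n\0]/', $line)) {
        return 'Value contains line breaks or NUL bytes.';
    }
    $parts = preg_split('/[ \t]+/', trim($line), 3);
    if (count($parts) < 2) {
        return 'Expected "<type> <base64 data> [comment]".';
    }
    [$type, $blobB64] = $parts;
    // The first token must be a key type. This also rejects authorized_keys options.
    if (!in_array($type, ALLOWED_KEY_TYPES, true)) {
        return 'First token is not an allowed key type.';
    }
    $blob = base64_decode($blobB64, true);
    if ($blob === false || strlen($blob) < 4) {
        return 'Key data is not valid base64.';
    }
    // The decoded blob starts with a 4-byte big-endian length and the key type name.
    $len = unpack('N', substr($blob, 0, 4))[1];
    if ($len > strlen($blob) - 4 || substr($blob, 4, $len) !== $type) {
        return 'Declared key type does not match the encoded key data.';
    }
    return null;
}

/**
 * Validates submitted values. Returns status messages as
 * array(array('ERROR', title, detail)); valid keys are stored in $accepted.
 */
function processKeyInput(array $submitted, array &$accepted): array
{
    $messages = [];
    $accepted = [];
    foreach ($submitted as $index => $raw) {
        $line = trim((string) $raw, " \t"); // keep line breaks so the check can see them
        if ($line === '') {
            continue; // empty input fields are ignored
        }
        $problem = checkSshPublicKeyLine($line);
        if ($problem !== null) {
            $messages[] = ['ERROR', 'Invalid SSH public key (entry ' . ($index + 1) . ')', $problem];
            continue;
        }
        if (!in_array($line, $accepted, true)) {
            $accepted[] = $line; // drop exact duplicates
        }
    }
    return $messages;
}

// Constructed sample input. The key blob is synthetic (32 filler bytes), not a real key.
$blob = base64_encode(pack('N', 11) . 'ssh-ed25519' . pack('N', 32) . str_repeat("\x01", 32));
$submitted = [
    "ssh-ed25519 $blob jdoe@example.com",   // well-formed
    "no-pty ssh-ed25519 $blob",             // options prefix instead of a key type
    "ssh-rsa $blob",                        // declared type differs from encoded type
    "ssh-ed25519 $blob\nssh-ed25519 $blob", // two lines in one value
    "ssh-ed25519 not-base64!",              // broken key data
];
$accepted = [];
$messages = processKeyInput($submitted, $accepted);
foreach ($messages as [$level, $title, $detail]) {
    echo "$level: $title: $detail\n";
}
echo count($accepted) . " key(s) accepted\n";
```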


Runs any global cron actions.

public runGlobalCronActions(bool $isDryRun) : void
$isDryRun : bool

dry-run active


error during execution

Return values


Returns a list of modifications which have to be made to the LDAP account.

public save_attributes() : array<string|int, mixed>

Calling this method requires the existence of an enclosing .

This function returns an array with 3 entries:
array( DN1 ('add' => array($attr), 'remove' => array($attr), 'modify' => array($attr)), DN2 .... )
DN is the DN to change. It is possible to change several DNs (e.g. create a new user and add him to some groups via attribute memberUid)

"add" are attributes which have to be added to the LDAP entry
"remove" are attributes which have to be removed from the LDAP entry
"modify" are attributes which have to be modified in the LDAP entry
"notchanged" are attributes which stay unchanged
"info" values with informational value (e.g. to be used later by pre/postModify actions)

This builds the required commands from $this->attributes and $this->orig.

Return values
array<string|int, mixed>

list of modifications
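The return structure described above can be illustrated with a simplified, stand-alone comparison of new and original attribute values. This is an added example, not LAM's implementation: buildModifications() is a hypothetical helper, whole attributes are compared rather than single values, and the DN, attribute names and values are constructed sample data.

```php
<?php
// Added example: stand-alone code, not taken from LAM.
// buildModifications() is a hypothetical name; attribute names are assumed to be
// spelled identically in both arrays.

/**
 * Compares the values to write ($attributes) with the values loaded from LDAP
 * ($orig) and returns array($dn => array('add' => ..., 'remove' => ...,
 * 'modify' => ..., 'notchanged' => ...)).
 */
function buildModifications(string $dn, array $attributes, array $orig): array
{
    $result = ['add' => [], 'remove' => [], 'modify' => [], 'notchanged' => []];
    foreach ($attributes as $name => $values) {
        $new = array_values(array_unique($values));
        $old = array_values($orig[$name] ?? []);
        if ($new === [] && $old === []) {
            continue; // nothing stored and nothing to store
        }
        if ($old === []) {
            $result['add'][$name] = $new;          // attribute did not exist before
        } elseif ($new === []) {
            $result['remove'][$name] = $old;       // all values were cleared
        } elseif (array_diff($new, $old) || array_diff($old, $new)) {
            $result['modify'][$name] = $new;       // value set changed
        } else {
            $result['notchanged'][$name] = $old;   // same values, order ignored
        }
    }
    // Attributes that were loaded but are no longer present are removed.
    foreach ($orig as $name => $old) {
        if (!array_key_exists($name, $attributes) && $old !== []) {
            $result['remove'][$name] = array_values($old);
        }
    }
    return [$dn => $result];
}

// Constructed sample data: one key is replaced, a description is added,
// the object class stays as it is and the pager value is dropped.
$orig = [
    'objectClass'  => ['ldapPublicKey'],
    'sshPublicKey' => ['ssh-ed25519 AAAA...old old@example.com'],
    'pager'        => ['12345'],
];
$attributes = [
    'objectClass'  => ['ldapPublicKey'],
    'sshPublicKey' => ['ssh-ed25519 AAAA...new new@example.com'],
    'description'  => ['rotated key'],
];

$changes = buildModifications('uid=jdoe,ou=people,dc=example,dc=com', $attributes, $orig);
echo json_encode($changes, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Reviewing the resulting add/remove/modify sets before they are written makes unexpected changes to key attributes visible, for example a key that would be removed although the user only added one.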


Specifies if this module supports the LAM admin interface.

public supportsAdminInterface() : bool

The LAM admin interface consists of the pages that allow managing e.g. users and groups. In contrast there is also the LAM self service interface. Most modules support the admin interface.

Return values

support admin interface


Specifies if the module supports global cron job actions.

public supportsGlobalCronJob() : bool
Return values

supports cron


Adds an area with two multi-select fields with buttons to move items from right to left and vice-versa.

protected addDoubleSelectionArea(htmlResponsiveRow &$container, string $labelFirst, string $labelSecond, array<string|int, string> $optionsFirst, array<string|int, string> $selectedFirst, array<string|int, string> $optionsSecond, array<string|int, string> $selectedSecond, string $namePrefix[, bool $rightToLeftText = false ][, bool $showFilter = false ]) : mixed

The options of the selects must be presorted.

  • First select: $namePrefix_1
  • Second select: $namePrefix_2
  • Button move left: $namePrefix_left
  • Button move right: $namePrefix_right
$container : htmlResponsiveRow


$labelFirst : string

label of first select

$labelSecond : string

label of second select

$optionsFirst : array<string|int, string>

options of first select ('label' => 'value')

$selectedFirst : array<string|int, string>

selected options of first select

$optionsSecond : array<string|int, string>

options of second select ('label' => 'value')

$selectedSecond : array<string|int, string>

selected options of second select

$namePrefix : string

prefix for select field and button names

$rightToLeftText : bool = false

sets the text direction in select to right to left

$showFilter : bool = false

displays a live filter

Return values


Adds a text input field that may contain multiple values to the given htmlResponsiveRow.

protected addMultiValueInputTextField(htmlResponsiveRow &$container, string $attrName, string $label[, bool $required = false ][, int $length = null ][, bool $isTextArea = false ][, array<string|int, mixed> $autoCompleteValues = null ][, int $fieldSize = null ][, array<string|int, mixed> &$htmlIDs = null ][, string $cssClasses = '' ]) : mixed

The field name will be the same as the attribute name plus a counting number (e.g. street_0). The last field will be followed by a button to add a new value. This is named add_{attribute name} (e.g. add_street). There must be a help entry with the attribute name as ID. A new line will also be added after this entry so multiple calls will show the fields one below the other.

$container : htmlResponsiveRow

parent container

$attrName : string

attribute name

$label : string

label name

$required : bool = false

this is a required field (default false)

$length : int = null

field length

$isTextArea : bool = false

show as text area (default false)

$autoCompleteValues : array<string|int, mixed> = null

values for auto-completion

$fieldSize : int = null

field size

$htmlIDs : array<string|int, mixed> = null

reference to array where to add the generated HTML IDs of the input fields

$cssClasses : string = ''

additional CSS classes of input fields

Return values


Adds a select field type that may contain multiple values to the given htmlTable.

protected addMultiValueSelectField(htmlResponsiveRow &$container, string $attrName, string $label, array<string|int, mixed> $options[, bool $hasDescriptiveOptions = false ][, bool $required = false ][, int $fieldSize = 1 ][, array<string|int, mixed> &$htmlIDs = null ]) : mixed

The field name will be the same as the attribute name plus a counting number (e.g. street_0). The last field will be followed by a button to add a new value. This is named add_{attribute name} (e.g. add_street). There must be a help entry with the attribute name as ID. A new line will also be added after this entry so multiple calls will show the fields one below the other.

$container : htmlResponsiveRow

parent container

$attrName : string

attribute name

$label : string

label name

$options : array<string|int, mixed>

options for the selects

$hasDescriptiveOptions : bool = false

has descriptive options

$required : bool = false

this is a required field (default false)

$fieldSize : int = 1

field size

$htmlIDs : array<string|int, mixed> = null

reference to array where to add the generated HTML IDs of the input fields

Return values


Adds a simple text input field for the self service.

protected addMultiValueSelfServiceTextField(array<string|int, mixed> &$container, string $name, string $label, array<string|int, mixed> &$fields, array<string|int, mixed> &$attributes, array<string|int, mixed> &$readOnlyFields[, bool $required = false ][, bool $isTextArea = false ][, string $attributeName = null ]) : mixed

The field name will be the same as the class name plus "_" plus attribute name (e.g. posixAccount_cn).

$container : array<string|int, mixed>

array that is used as return value for getSelfServiceOptions()

$name : string

attribute name (== field name)

$label : string

label to display in front of input field

$fields : array<string|int, mixed>

list of active fields

$attributes : array<string|int, mixed>

attributes of LDAP account

$readOnlyFields : array<string|int, mixed>

list of read-only fields

$required : bool = false

field is required

$isTextArea : bool = false

display as text area

$attributeName : string = null

attribute name (defaults to $name)

Return values


Adds a simple text input field to the given htmlResponsiveRow.

protected & addSimpleInputTextField(htmlResponsiveRow &$container, string $attrName, string $label[, bool $required = false ][, int $length = null ][, bool $isTextArea = false ][, array<string|int, mixed> $autoCompleteValues = null ]) : mixed

The field name will be the same as the attribute name. There must also be a help entry with the attribute name as ID. A new line will also be added after this entry so multiple calls will show the fields one below the other.

$container : htmlResponsiveRow

parent container

$attrName : string

attribute name

$label : string

label name

$required : bool = false

this is a required field (default false)

$length : int = null

field length

$isTextArea : bool = false

show as text area (default false)

$autoCompleteValues : array<string|int, mixed> = null

values for auto-completion

Return values

reference to htmlResponsiveInputField/htmlResponsiveInputTextarea


Adds a simple PDF entry to the given array.

protected addSimplePDFField(array<string|int, mixed> &$result, string $name, string $label[, string $attrName = null ][, string $delimiter = ', ' ]) : mixed
$result : array<string|int, mixed>

result array (entry will be added here)

$name : string


$label : string

label name

$attrName : string = null

attribute name (default: =$name)

$delimiter : string = ', '

delimiter if multiple attribute values exist (default: ", ")

Return values


Adds a simple read-only field to the given container.

protected addSimpleReadOnlyField(htmlResponsiveRow &$container, string $attrName, string $label) : mixed
$container : htmlResponsiveRow

parent container

$attrName : string

attribute name

$label : string

field label

Return values


Adds a simple text input field for the self service.

protected addSimpleSelfServiceTextField(array<string|int, mixed> &$container, string $name, string $label, array<string|int, mixed> &$fields, array<string|int, mixed> &$attributes, array<string|int, mixed> &$readOnlyFields[, bool $required = false ][, bool $isTextArea = false ][, string $attributeName = null ]) : mixed

The field name will be the same as the class name plus "_" plus attribute name (e.g. posixAccount_cn).

$container : array<string|int, mixed>

array that is used as return value for getSelfServiceOptions()

$name : string

attribute name (== field name)

$label : string

label to display in front of input field

$fields : array<string|int, mixed>

list of active fields

$attributes : array<string|int, mixed>

attributes of LDAP account

$readOnlyFields : array<string|int, mixed>

list of read-only fields

$required : bool = false

field is required

$isTextArea : bool = false

display as text area

$attributeName : string = null

attribute name (defaults to $name)

Return values


Checks the input value of a self service multi-value text field.

protected checkMultiValueSelfServiceTextField(array<string|int, mixed> &$container, string $name, array<string|int, mixed> &$attributes, string $fields, array<string|int, mixed> &$readOnlyFields[, string $validationID = null ][, array<string|int, mixed> $validationMessage = null ][, array<string|int, mixed> $requiredMessage = null ][, string $attributeName = null ]) : mixed

The field name must be the same as the class name plus "_" plus attribute name (e.g. posixAccount_cn). If validation is used then there must exist a message named [{attribute name}][0] (e.g. $this->messages['street'][0]).

$container : array<string|int, mixed>

return value of checkSelfServiceOptions()

$name : string

attribute name

$attributes : array<string|int, mixed>

LDAP attributes

$fields : string

input fields

$readOnlyFields : array<string|int, mixed>

list of read-only fields

$validationID : string = null

validation ID for get_preg()

$validationMessage : array<string|int, mixed> = null

validation message data (defaults to $this->messages[$name][0])

$requiredMessage : array<string|int, mixed> = null

message data when no value is set by user (no check if null)

$attributeName : string = null

attribute name (defaults to $name)

Return values


Checks the input value of a self service text field.

protected checkSimpleSelfServiceTextField(array<string|int, mixed> &$container, string $name, array<string|int, mixed> &$attributes, string $fields, array<string|int, mixed> &$readOnlyFields[, string $validationID = null ][, array<string|int, mixed> $validationMessage = null ][, array<string|int, mixed> $requiredMessage = null ][, string $attributeName = null ]) : mixed

The field name must be the same as the class name plus "_" plus attribute name (e.g. posixAccount_cn). If validation is used then there must exist a message named [{attribute name}][0] (e.g. $this->messages['street'][0]).

$container : array<string|int, mixed>

return value of checkSelfServiceOptions()

$name : string

attribute name

$attributes : array<string|int, mixed>

LDAP attributes

$fields : string

input fields

$readOnlyFields : array<string|int, mixed>

list of read-only fields

$validationID : string = null

validation ID for get_preg()

$validationMessage : array<string|int, mixed> = null

validation message data (defaults to $this->messages[$name][0])

$requiredMessage : array<string|int, mixed> = null

message data when no value is set by user (no check if null)

$attributeName : string = null

attribute name (defaults to $name)

Return values


Returns the LDAP attribute name for the keys.

protected getAttributeName() : string
Return values

attribute name


Returns the object class name.

protected getObjectClass() : string
Return values

object class name


Returns the field label. This can be either the given default label or an override value from profile.

protected getSelfServiceLabel(string $fieldID, string $defaultLabel) : string
$fieldID : string

field ID

$defaultLabel : string

default label text

Return values



Returns if the extension uses an object class.

protected hasObjectClass() : bool
Return values

uses an object class


Returns if the given configuration option is set.

protected isBooleanConfigOptionSet(string $optionName[, bool $default = false ]) : bool

This function returns false if the configuration options cannot be read.

$optionName : string

name of the option

$default : bool = false

default value if config option is not set at all (default: false)

Return values

true if option is set


This function fills the $messages variable with output messages from this module.

protected load_Messages() : mixed

Calling this method requires the existence of an enclosing .

Return values


Maps simple upload fields directly to LDAP attribute values.

protected mapSimpleUploadField(array<string|int, mixed> &$rawAccounts, array<string|int, mixed> &$ids, array<string|int, mixed> &$partialAccounts, string $position, string $colName, string $attrName[, string|array<string|int, string> $regex = null ][, array<string|int, mixed> $message = [] ][, array<string|int, mixed> &$errors = [] ][, string $regexSplit = null ]) : mixed
$rawAccounts : array<string|int, mixed>

the user input data, contains one subarray for each account.

$ids : array<string|int, mixed>

list of IDs for column position (e.g. "posixAccount_uid" => 5)

$partialAccounts : array<string|int, mixed>

list of hash arrays (name => value) which are later added to LDAP

$position : string

current position in CSV

$colName : string

column name

$attrName : string

LDAP attribute name

$regex : string|array<string|int, string> = null

for get_preg() (e.g. 'ascii')

$message : array<string|int, mixed> = []

error message to add if regex does not match

$errors : array<string|int, mixed> = []

list of error messages if any

$regexSplit : string = null

multiple values are separated and can be split with this preg_split expression (e.g. "/;[ ]?/")

Return values


Validates a multi-value text field.

protected processMultiValueInputTextField(string $attrName, array<string|int, mixed> &$errors[, string $validationID = null ][, bool $required = false ]) : mixed

The input fields must be created with function addMultiValueInputTextField(). If validation is used then there must exist a message named [{attribute name}][0] (e.g. $this->messages['street'][0]).

$attrName : string

attribute name

$errors : array<string|int, mixed>

errors array where to put validation errors

$validationID : string = null

validation ID for function get_preg() (default: null, null means no validation)

$required : bool = false

the field is required (default: false)

Return values


Validates a multi-value select field.

protected processMultiValueSelectField(string $attrName) : mixed

The select fields must be created with function addMultiValueSelectField().

$attrName : string

attribute name

Return values


Validates a text field.

protected processSimpleTextInput(string $attrName, array<string|int, mixed> &$errors[, bool $required = false ][, string $validationID = null ]) : mixed

If validation is used then there must exist a message named [{attribute name}][0] (e.g. $this->messages['street'][0]).

$attrName : string

attribute name

$errors : array<string|int, mixed>

errors array where to put validation errors

$required : bool = false

value required

$validationID : string = null

validation ID for function get_preg() (default: null, null means no validation)

Return values


Manages the deletion of a key.

private ajaxDeleteSelfServiceKey(array<string|int, mixed> $data) : mixed
$data : array<string|int, mixed>

JSON data

Return values


Handles an AJAX file upload and prints the JSON result.

private ajaxUpload() : mixed
Return values


Checks the upload value against a list of regular expressions.

private checkUploadRegex(array<string|int, string> $regexIDs, string $value, array<string|int, mixed> $message, int $position, array<string|int, mixed> &$errors) : value
$regexIDs : array<string|int, string>

regular expression IDs for get_preg()

$value : string

value to check

$message : array<string|int, mixed>

error message array if not matching

$position : int

upload position

$errors : array<string|int, mixed>

error messages

Return values

is ok


Returns the meta HTML code to display the key area.

private getSelfServiceKeys() : htmlTable

This also includes the file upload.

Return values

key content

