# $Id$

=head1 DESCRIPTION

=head1 SPECIFIC SETUP PARAMETERS

=head2 db_conn

The C<libpq> connection parameters, e.g. a semicolon-separated list of
parameters containing the server, the database name, user and password, etc.

=head2 remove_old_dpmt

By default, when the department is changed on a user account, the account
remains in the department group as a secondary department.

Setting C<remove_old_dpmt> to true in the config forces removal of the user from
the group when the department is changed.
The user can still be added back later.

=head1 FEATURES

=head2 Network management

Link::Accounts can automatically build some parts of your DNS or DHCP
configuration.

To do this you have to create a C<netzone> object. Such an object needs a type:

=over 4

=item dns: to build a DNS zone for a classic domain

=item reverse: for reverse IP addresses (168.192.in-addr.arpa)

=item dhcp: ISC dhcpd configuration for fixed addresses

=item puppet: puppet configuration

=back

The way it works is quite simple: for each zone, the code writes a file
you can include in your server configuration. The match is done by comparing the
zone IP address masks with the host IPs.

For example, take a zone named C<private.mydomain.com> having masks
C<192.168.5.0/24>, a host named C<foo> with IP C<192.168.5.3> and
another host C<bar> with IP C<192.168.13.78>. The zone built will look like:

    foo IN A 192.168.5.3

As you can see this DNS zone is not valid: the goal of this feature is to do
the repetitive work for us, not to manage the full zone (even if such a feature
could be possible). The repetitive work is declaring the hundred computers our
users have.

The output will be appended to a template having the name of the zone suffixed
by C<.in>. You can put in this template everything about the zone declaration
(SOA, NS, TXT...).

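The mask matching and template step described above, as an added Python example that is not Link::Accounts code. The function names, the sample template content and the list of unmatched hosts are assumptions made for illustration; the list is there so that hosts landing in no zone can be reviewed.

```python
import ipaddress

def build_zone_records(masks, hosts):
    """Return (records, unmatched): 'name IN A ip' lines for hosts inside one
    of the zone masks, and names of hosts that matched no mask."""
    nets = [ipaddress.ip_network(m) for m in masks]
    records, unmatched = [], []
    for name, ip in sorted(hosts.items()):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            records.append(f"{name} IN A {addr}")
        else:
            unmatched.append(name)
    return records, unmatched

def render_zone(template_text, records):
    """Append the generated records to the hand-written <zone>.in content."""
    return template_text.rstrip("\n") + "\n" + "\n".join(records) + "\n"

# Constructed sample data: the zone and hosts from the text above, plus a
# minimal template holding what the generator does not produce.
MASKS = ["192.168.5.0/24"]
HOSTS = {"foo": "192.168.5.3", "bar": "192.168.13.78"}
TEMPLATE = """$TTL 3600
@ IN SOA ns1.private.mydomain.com. hostmaster.mydomain.com. (
        2024010101 3600 600 1209600 3600 )
@ IN NS ns1.private.mydomain.com.
"""

if __name__ == "__main__":
    records, unmatched = build_zone_records(MASKS, HOSTS)
    print(render_zone(TEMPLATE, records), end="")
    print("; hosts outside every mask of this zone:", ", ".join(unmatched))
```
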
=head2 User endcircuit

The C<endcircuit> attribute contains the deadline for people to complete
administrative tasks when starting to work.
If set, this attribute takes precedence over the C<expire> attribute for
computed attributes (C<accountExpires> for Active Directory).

=head2 User Employment

The employment object allows you to set the periods during which your user has
a status. This allows the 'Employment' module of la-sync-manager to automate
changes.

The synchronized attributes are:

=over 4

=item C<company>

=item C<department>

=item C<contratType>

=item C<managerContact>

=item C<expire>

=item C<endcircuit>

=back

To avoid errors from modifying the user directly while you are using
employment, those attributes become read-only on the user's side once an
employment exists.

You can change this behaviour using the C<employment_lock_user> parameter:

=over 4

=item any (default)

Any existing employment locks those attributes; you must
create another employment to change the user status, or delete all employments
for this user.

=item always

The user's attributes are always locked.

=item never

The user's attributes are always locked.

=item active

Those attributes are locked if any employment is still active (i.e. unfinished
or coming later).

=item attribute=value

Those attributes are read-only if the given C<attribute> contains C<value>;
C<*> matches any value.

=back

By default it is impossible to modify or create past employment. This behaviour
can be changed by setting the C<allow_pasted_employment> parameter in the base
configuration.

When active users fall out of any employment, all managed attributes are unset
(except the expire attribute).

A default value for each of these attributes can be set in the configuration
using a parameter of the form C<unemployment.ATTRIBUTE>. For example
C<unemployment.contratType=external> will set any C<contratType> to C<external>
when no employment applies to the user anymore.

Only active accounts are modified in this way.

=head3 User endEmployment

This attribute computes the next day the user will leave the company, according
to the registered employment objects.

The parameter C<employment_delay> gives the number of days to ignore when a hole
exists between two employments.

If no employment is found and the C<unemployed_expire> database parameter is
set, the date it gives is returned.

=head3 User endStrictEmployment

This attribute computes the next day the user will leave the company, according
to the registered employment objects.

It does not take the C<employment_delay> parameter into account.

If no employment is found and the C<unemployed_expire> database parameter is
set, the date it gives is returned.

=head3 User endLastEmployment

This attribute returns the very last end date of all registered employments for
this user.

=head3 User endCurrentEmployment

The end of the employment matching the current date.

=head3 Account Expiration

When using employment, account expiration is set to match employment. By
default the expiration is set to the C<endEmployment> value.

This behaviour can be changed by setting the C<expireOn> parameter in the base
definition:

=over 4

=item any of endCurrentEmployment, endEmployment, endStrictEmployment, endLastEmployment

=item never

The expire date is left unchanged and must be managed manually.

=back

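How the four end dates and the C<expireOn> choice can differ for one user, as an added Python example that is not Link::Accounts code. It assumes inclusive (first day, last day) periods, that a chain starts at the employment covering today, and that C<unemployed_expire> is used when no such chain exists; the function names are hypothetical.

```python
from datetime import date, timedelta

EXPIRE_ON = ("endCurrentEmployment", "endEmployment",
             "endStrictEmployment", "endLastEmployment")

def _chain_end(periods, today, gap_days):
    """End of the run of employments that starts with the one covering today,
    bridging holes of at most gap_days days (assumed semantics)."""
    end = None
    for start, stop in sorted(periods):
        if end is None:
            if start <= today <= stop:
                end = stop
        elif start <= end + timedelta(days=1 + gap_days):
            end = max(end, stop)
    return end

def employment_ends(periods, today, employment_delay=0, unemployed_expire=None):
    """periods: (first_day, last_day) tuples, both inclusive (constructed model)."""
    current = [stop for start, stop in periods if start <= today <= stop]
    return {
        "endCurrentEmployment": max(current, default=None),
        "endStrictEmployment": _chain_end(periods, today, 0) or unemployed_expire,
        "endEmployment": _chain_end(periods, today, employment_delay) or unemployed_expire,
        "endLastEmployment": max((stop for _, stop in periods), default=None),
    }

def account_expire(ends, expire_on="endEmployment", manual_expire=None):
    """Pick the expiration date the way expireOn is described above."""
    if expire_on == "never":
        return manual_expire          # left unchanged, managed by hand
    if expire_on not in EXPIRE_ON:
        raise ValueError(f"unknown expireOn value: {expire_on}")
    return ends[expire_on]

# Constructed sample: two back-to-back contracts, a 7-day hole, a third
# contract, then a long break before a fourth one.
PERIODS = [
    (date(2024, 1, 1), date(2024, 3, 31)),
    (date(2024, 4, 1), date(2024, 6, 30)),
    (date(2024, 7, 8), date(2024, 12, 31)),
    (date(2025, 3, 1), date(2025, 8, 31)),
]
TODAY = date(2024, 3, 15)

if __name__ == "__main__":
    ends = employment_ends(PERIODS, TODAY, employment_delay=10)
    for name in EXPIRE_ON:
        print(f"expireOn={name:22} -> {account_expire(ends, name)}")
```

With the sample data the four settings give four different dates, so the C<expireOn> and C<employment_delay> values decide whether an account stays enabled across a hole between contracts.
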
=head2 Group AutoMemberFilter

Group objects contain user members set through either the C<members> or
C<memberUID> attributes.

Sometimes it can be useful to have a group automatically populated by arbitrary
rules.

This is possible by setting a filter in the C<autoMemberFilter> attribute.
The filter format is the same as the one used by L<la-search>; the attribute is
multi-valued.

So for example one can automatically create a group containing people
having "Olivier" as first name:

    autoMemberFilter: givenName=Olivier

A probably more useful example is a group containing people from two other
groups:

    autoMemberFilter: memberOf=group1
    autoMemberFilter: memberOf=group2

The C<members> and C<memberUID> attributes become read-only once the
C<autoMemberFilter> attribute is set.

=head2 Aliases AutoMemberFilter

This attribute allows creating automatic, dynamic aliases according to filter
rules, exactly like L<Group AutoMemberFilter> works.

The C<forward> attribute is automatically set with the email addresses of the
selected users; users without an email address are ignored.

=head2 Group AutoFromSutype

A group object can be tagged with the C<sutype> attribute.

When C<autoFromSutype> is set, the group members will be computed from the
members of all groups having C<sutype> set to this value.

The goal of this attribute is to set up magic groups like with the
C<autoMemberFilter>, but working even when a new group is created.

=head2 Aliases AutoFromSutype

This attribute allows creating automatic, dynamic aliases according to filter
rules, exactly like L<Group AutoFromSutype> works.

The C<forward> attribute is automatically set with the email addresses of the
selected users; users without an email address are ignored.