# $Id$

=head1 DESCRIPTION

=head1 SPECIFIC SETUP PARAMETERS

=head2 db_conn

The C<libpq> connection parameters, e.g. a semicolon-separated list of
parameters containing the server, the database name, user and password, etc.

=head2 remove_old_dpmt

By default, when the department is changed on a user account, the account
remains in the previous department's group, as a secondary department.

Setting C<remove_old_dpmt> to true in the config forces removal of the user
from the group when the department is changed.
The user can still be added back later.

=head1 FEATURES

=head2 Network management

Link::Accounts can automatically build some parts of your DNS or DHCP
configuration.

To do this you have to create a C<netzone> object. Such an object needs a type:

=over 4

=item dns: to build a DNS zone for a classic domain

=item reverse: for reverse IP addresses (168.192.in-addr.arpa)

=item dhcp: ISC dhcpd configuration for fixed addresses

=item puppet: puppet configuration

=back

The way it works is quite simple: each zone makes the code write a file that
you can include in your server configuration. Hosts are matched to a zone by
comparing the host IPs with the zone's IP address masks.

For example, take a zone named C<private.mydomain.com> with the mask
C<192.168.5.0/24>, a host named C<foo> with IP C<192.168.5.3> and
another host C<bar> with IP C<192.168.13.78>. The zone built will look like:

    foo IN A 192.168.5.3

As you can see, this DNS zone is not valid: the goal of this feature is to do
the repetitive work for us, not to manage the full zone (even if such a feature
would be possible). The repetitive work is declaring the hundred computers our
users have.

The output is appended to a template that has the name of the zone suffixed by
C<.in>. You can put in this template everything about the zone declaration (SOA,
NS, TXT...).
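
The matching and template step described above, as an added Python sketch that is not Link::Accounts code: the function names, the sample template and the RFC 1123 label check are assumptions of this example. The label check is there because host names are written verbatim into a file the DNS server loads.

```python
import ipaddress
import re

# RFC 1123 host label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def zone_records(masks, hosts):
    """Return (records, skipped) for hosts whose IP falls inside a zone mask."""
    nets = [ipaddress.ip_network(m) for m in masks]
    records, skipped = [], []
    for name, ip in sorted(hosts.items()):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            skipped.append((name, "bad IP"))
            continue
        if not any(addr in net for net in nets):
            continue  # host belongs to another zone, not an error
        if not LABEL_RE.fullmatch(name):
            # A name holding spaces or newlines would add extra records to
            # the generated file, so it is refused instead of written.
            skipped.append((name, "bad label"))
            continue
        rtype = "A" if addr.version == 4 else "AAAA"
        records.append(f"{name} IN {rtype} {addr}")
    return records, skipped

def build_zone(template, masks, hosts):
    """Append the generated records to the hand-written <zone>.in template."""
    records, _ = zone_records(masks, hosts)
    return template.rstrip("\n") + "\n" + "\n".join(records) + "\n"

# Constructed sample data: the zone and hosts from the text, plus one
# malformed host name inside the mask.
TEMPLATE = "$ORIGIN private.mydomain.com.\n@ IN NS ns1.private.mydomain.com.\n"
MASKS = ["192.168.5.0/24"]
HOSTS = {
    "foo": "192.168.5.3",
    "bar": "192.168.13.78",
    "pc1\nwww IN A 203.0.113.9": "192.168.5.4",
}

if __name__ == "__main__":
    print(build_zone(TEMPLATE, MASKS, HOSTS), end="")
```

Only C<foo> reaches the output: C<bar> is outside the mask, and the malformed name is reported in the skipped list rather than written to the zone file.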

=head2 User endcircuit

The C<endcircuit> attribute contains the deadline for people to complete
administrative tasks when they start working.
If set, this attribute takes precedence over the C<expire> attribute for
computed attributes (C<accountExpires> for Active Directory).

=head2 User Employment

The employment object allows you to set the period during which your user has a
status. Through the 'Employment' module of la-sync-manager, this allows changes
to be automated.

The synchronized attributes are:

=over 4

=item C<company>

=item C<department>

=item C<contratType>

=item C<managerContact>

=item C<expire>

=item C<endcircuit>

=back

To avoid errors from modifying a user directly while you are using employment,
those attributes become read-only on the user's side once an employment exists.

You can change this behaviour using the C<employment_lock_user> parameter:

=over 4

=item any (default)

Any existing employment locks those attributes; you must
create another employment to change the user's status, or delete all
employments for this user.

=item always

The user's attributes are always locked.

=item never

The user's attributes are never locked.

=item active

Those attributes are locked if any employment is still active (i.e. unfinished
or coming later).

=item attribute=value

Those attributes are read-only if the given C<attribute> contains C<value>;
C<*> matches any value.

=back
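
The C<employment_lock_user> modes above, as an added Python sketch of the decision (not Link::Accounts code). Assumptions of this example: employments are (start, end) date pairs, C<never> disables the lock, C<attribute=value> is checked against the user's own attributes, and an unrecognised mode is rejected rather than treated as unlocked.

```python
from datetime import date

# Attributes the page lists as synchronized from employment objects.
MANAGED = {"company", "department", "contratType",
           "managerContact", "expire", "endcircuit"}

def is_locked(mode, employments, user, today):
    """True when the managed attributes are read-only on the user side."""
    if mode == "always":
        return True
    if mode == "never":
        return False
    if mode == "any":
        return bool(employments)
    if mode == "active":
        # "unfinished or coming later": the end date is not in the past
        return any(end >= today for _start, end in employments)
    attr, sep, wanted = mode.partition("=")
    if not sep:
        raise ValueError(f"unknown employment_lock_user value: {mode!r}")
    values = user.get(attr) or []
    if isinstance(values, str):
        values = [values]
    return bool(values) if wanted == "*" else wanted in values

def rejected_changes(mode, employments, user, changes, today):
    """Return the attribute names in `changes` that must be refused."""
    if not is_locked(mode, employments, user, today):
        return set()
    return MANAGED & set(changes)

# Constructed sample: one finished employment and a direct edit that touches
# one managed attribute and one unmanaged attribute.
TODAY = date(2024, 6, 1)
PAST = [(date(2023, 1, 1), date(2023, 12, 31))]
USER = {"contratType": "permanent", "department": "IT"}
CHANGES = {"department": "HR", "telephoneNumber": "1234"}

if __name__ == "__main__":
    for mode in ("any", "active", "never", "contratType=permanent", "sn=*"):
        print(mode, sorted(rejected_changes(mode, PAST, USER, CHANGES, TODAY)))
```

With the default C<any>, the finished employment still blocks the direct C<department> edit; under C<active> the same edit goes through because no employment is current or upcoming.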

When active users fall out of any employment, all managed attributes are unset
(except the expire attribute).

A default value for each of these attributes can be set in the configuration
using a parameter of the form C<unemployment.ATTRIBUTE>. For example,
C<unemployment.contratType=external> will set any C<contratType> to C<external>
when no employment applies to the user anymore.

Only active accounts are modified in this way.

=head3 User endEmployment

This attribute computes the next day the user will leave the company according
to the registered employment objects.

The C<employment_delay> parameter gives the number of days to ignore when a
hole exists between two employments.

If no employment is found, the date given in the C<unemployed_expire>
database parameter is returned, if set.

=head3 User endStrictEmployment

This attribute computes the next day the user will leave the company according
to the registered employment objects.

It does not take the C<employment_delay> parameter into account.

If no employment is found, the date given in the C<unemployed_expire>
database parameter is returned, if set.

=head3 User endLastEmployment

This attribute returns the very last end date of all employments registered
for this user.

=head3 User endCurrentEmployment

The end of the employment matching the current date.

=head3 Account Expiration

When using employment, account expiration is set to match employment. By
default the expiration is set to the C<endEmployment> value.

This behaviour can be changed by setting the C<expireOn> parameter in the base
definition:

=over 4

=item any of endCurrentEmployment, endEmployment, endStrictEmployment, endLastEmployment

=item never

The expire date is left unchanged and must be managed manually.

=back
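
How the four end attributes and C<expireOn> differ on one timeline, as an added Python sketch that is not Link::Accounts code. Assumptions of this example: employments are (start, end) date pairs, a hole is the number of days strictly between one end and the next start, the computed run begins at the first employment that has not yet ended, and the returned value is the end date of that run.

```python
from datetime import date

def chain_end(periods, today, delay):
    """End of the employment run in progress, bridging holes of <= delay days."""
    end = None
    for start, stop in sorted(periods):
        if stop < today:
            continue                      # already finished
        if end is not None and (start - end).days - 1 > delay:
            break                         # hole too long: the run stops here
        end = stop if end is None else max(end, stop)
    return end

def end_dates(periods, today, delay=0, unemployed_expire=None):
    """Compute the four end* attributes from (start, end) employment periods."""
    current = [stop for start, stop in periods if start <= today <= stop]
    return {
        "endCurrentEmployment": max(current, default=None),
        "endEmployment": chain_end(periods, today, delay) or unemployed_expire,
        "endStrictEmployment": chain_end(periods, today, 0) or unemployed_expire,
        "endLastEmployment": max((stop for _, stop in periods), default=None),
    }

def account_expire(expire_on, dates, current_expire):
    """Apply expireOn: one of the four attribute names, or 'never'."""
    if expire_on == "never":
        return current_expire             # left unchanged, managed manually
    return dates[expire_on]

# Constructed sample: three employments separated by a short and a long hole.
TODAY = date(2024, 5, 15)
PERIODS = [
    (date(2024, 1, 1), date(2024, 6, 30)),
    (date(2024, 7, 11), date(2024, 12, 31)),   # 10-day hole before it
    (date(2025, 3, 1), date(2025, 8, 31)),     # 59-day hole before it
]

if __name__ == "__main__":
    dates = end_dates(PERIODS, TODAY, delay=15)
    for name, value in dates.items():
        print(f"{name:22} {value}")
```

With C<employment_delay> at 15, C<endEmployment> bridges the 10-day hole and the account stays enabled through it, while C<endStrictEmployment> stops at the first end date and C<endLastEmployment> runs to the end of the last known contract.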

=head2 Group AutoMemberFilter

Group objects contain user members, set through either the C<members> or the
C<memberUID> attribute.

Sometimes it can be useful to have a group automatically populated by arbitrary
rules.

This is possible by setting a filter in the C<autoMemberFilter> attribute.
The filter format is the same as the one used by L<la-search>; the attribute is
multi-valued.

So, for example, one can automatically create a group containing people
having "Olivier" as first name:

    autoMemberFilter: givenName=Olivier

A probably more useful example is a group containing people from two other
groups:

    autoMemberFilter: memberOf=group1
    autoMemberFilter: memberOf=group2

The C<members> or C<memberUID> attribute becomes read-only once the
C<autoMemberFilter> attribute is set.

=head2 Aliases AutoMemberFilter

This attribute allows automatic, dynamic aliases to be created according to
filter rules, exactly like L</Group AutoMemberFilter> works.

The C<forward> attribute is automatically set with the email addresses of the
selected users; users without an email address are ignored.

=head2 Group AutoFromSutype

Group objects can be tagged with the C<sutype> attribute.

When C<autoFromSutype> is set, the group members are computed from the members
of all groups having C<sutype> set to this value.

The goal of this attribute is to set up magic groups like with
C<autoMemberFilter>, but working even when a new group is created.

=head2 Aliases AutoFromSutype

This attribute allows automatic, dynamic aliases to be created according to
filter rules, exactly like L</Group AutoFromSutype> works.

The C<forward> attribute is automatically set with the email addresses of the
selected users; users without an email address are ignored.