YIAMKiosk supports a wide range of directory servers, including the well-known Microsoft Active Directory, Novell/NetIQ eDirectory and OpenLDAP. Less common ones such as 389 Directory Server are fully supported as well. This makes YIAMKiosk the number one choice among password self-service solutions. It uses several attributes to store information such as the password history, recovery questions and answers, the date of the last password change and, optionally, contact data such as email addresses or mobile phone numbers for SMS notifications. Storing these attributes requires modifications to the schema of your directory server before YIAMKiosk can function properly. In addition, a number of users and groups must be selected or set up to perform specific operations, and those users need credentials and permissions to carry out their tasks. Let's start with creating the proxy user, which YIAMKiosk uses for administrative tasks.
Create Proxy User
The proxy user performs most actions, in particular whenever no user is authenticated within the session. Actions that the proxy user performs are:
- Looking up users
- Testing LDAP connections
- Validation of attributes and security questions during password reset
- Reading user data
- (Re)setting passwords
- Creating new accounts (if New User module is enabled)
Therefore the proxy user needs access to the user subtree and must be able to read and write:
- userPassword or the equivalent password attribute of your directory (unicodePwd on Active Directory, which only accepts password writes over a TLS-protected connection)
- pwmEventLog, pwmLastPwdUpdate, pwmGUID (or other configured attributes)
Additionally, the proxy user needs to have read access to most other attributes of active users.
In YIAMKiosk, administrators can be a single user or a group of users. An administrator needs read access to the user tree of the directory but does not modify it. An administrator can access administrative functions within YIAMKiosk (e.g. change the configuration), but is not a directory administrator.
Create Test User
Optionally, a test user can be set up to monitor the connection to the directory server and to perform basic health and functional tests. If a test user has been configured, YIAMKiosk periodically connects to the directory server and performs some standard actions (e.g. login, set password). The test user is a normal user account that must be allowed to modify its own password and some attributes; keep it out of administrative groups and do not grant it rights beyond its own entry.
Create Group for Admins
The recommended way to assign administrators for YIAMKiosk is to create a group, add the intended users to this group and reference the group in the YIAMKiosk configuration. All members of that group are then granted administrative access to YIAMKiosk after they log in.
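As an added example that is not part of the original documentation, the following LDIF puts the three steps above together for OpenLDAP: it creates the proxy user, the admin group and the test user, then grants the proxy user write access to exactly the attributes listed under Create Proxy User while limiting the admin group to read access on the user tree. The suffix dc=example,dc=com, the containers ou=services, ou=groups and ou=people, the database entry olcDatabase={1}mdb and all account names are assumptions made for this example. The pwm* attributes must already be defined in the schema (the schema changes mentioned at the top of this page), otherwise slapd rejects the ACL because it references unknown attribute types.

```ldif
# Part 1: entries. Save as yiamkiosk-entries.ldif and apply with ldapadd
# as the directory administrator. All DNs below are assumed for this example.

# Service account YIAMKiosk binds as when no user is authenticated
dn: cn=yiamkiosk-proxy,ou=services,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: yiamkiosk-proxy
sn: proxy
description: YIAMKiosk proxy/service account
# Replace with the hash printed by slappasswd; never store a cleartext value
userPassword: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd

# Group referenced in the YIAMKiosk configuration; members become
# YIAMKiosk administrators, not directory administrators
dn: cn=yiamkiosk-admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: yiamkiosk-admins
member: uid=alice,ou=people,dc=example,dc=com

# Ordinary account used only for the periodic health and functional tests
dn: uid=yiamkiosk-test,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: yiamkiosk-test
cn: YIAMKiosk Test
sn: Test
userPassword: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd

# Part 2: access control. Save as yiamkiosk-acl.ldif and apply with
# ldapmodify -Y EXTERNAL -H ldapi:///  (replaces ALL existing olcAccess
# rules of this database, so merge your current rules in first).
# OpenLDAP evaluates the first matching "to" clause and, inside it, the
# first matching "by" clause, so the order below matters.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: proxy may (re)set them, users may change their own,
# anonymous may only use the attribute to authenticate
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=yiamkiosk-proxy,ou=services,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
# YIAMKiosk bookkeeping attributes (assumed default names): proxy writes
# them, the test user may write its own, admins only read, nobody else sees them
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" attrs=pwmEventLog,pwmLastPwdUpdate,pwmGUID
  by dn.exact="cn=yiamkiosk-proxy,ou=services,dc=example,dc=com" write
  by self write
  by group.exact="cn=yiamkiosk-admins,ou=groups,dc=example,dc=com" read
  by * none
# Rest of the user subtree: proxy needs write (it creates new accounts),
# admins and the users themselves read; "by users read" follows the usual
# directory policy and can be tightened to "by * none" if not needed
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=yiamkiosk-proxy,ou=services,dc=example,dc=com" write
  by group.exact="cn=yiamkiosk-admins,ou=groups,dc=example,dc=com" read
  by self read
  by users read
  by * none
```

Apply the first part with `ldapadd -x -D cn=admin,dc=example,dc=com -W -f yiamkiosk-entries.ldif` and the second with `ldapmodify -Y EXTERNAL -H ldapi:/// -f yiamkiosk-acl.ldif`, after dumping the existing rules with `ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess` and merging them. Then check the result from the outside rather than trusting the file: bind as the proxy (`ldapwhoami -x -D cn=yiamkiosk-proxy,ou=services,dc=example,dc=com -W`) and modify pwmLastPwdUpdate on the test user, which must succeed; bind as the test user and attempt the same modification on another user's entry, which must fail with "Insufficient access"; and confirm with an anonymous `ldapsearch` that pwmEventLog and userPassword are not returned.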