=== Service Desk ===

LDAP Tool Box Service Desk is a web application for administrators and support teams. It allows them to browse accounts in an LDAP directory and to view and update their status.

Features:
 - Quick search for an account
 - View main attributes
 - View account and password status
 - Test current password
 - Reset password and force password change at next connection
 - Lock and unlock account
 - Dashboards:
   * Accounts locked
   * Accounts with a password that will soon expire
   * Accounts with an expired password
   * Idle accounts (never connected, or not connected for a number of days)

'''You need to install these prerequisites'''
 - Apache or another web server
 - php
 - php-ldap
 - Smarty (version 3)

'''Installation'''

Download the tarball (Service Desk) from https://ltb-project.org/download.html
{{{
tar -zxvf ltb-project-service-desk-*.tar.gz
}}}
Install the files in /usr/share/:
{{{
mv ltb-project-service-desk-* /usr/share/service-desk
}}}
Alternatively, install the Debian package from the LTB repository. Configure the repository:
{{{
vi /etc/apt/sources.list.d/ltb-project.list
}}}
{{{
deb [arch=amd64] https://ltb-project.org/debian/stable stable main
}}}
Import the repository key:
{{{
wget -O - https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project | sudo apt-key add -
}}}
Then update:
{{{
apt update
}}}
You are now ready to install:
{{{
apt install service-desk
}}}
**//Note://** You may need to install the package {{{php-Smarty}}} first, as it is not in the official repositories.

'''Apache configuration'''
{{{
<VirtualHost *:80>
    ServerName sd.example.com
    DocumentRoot /usr/share/service-desk/htdocs
    DirectoryIndex index.php
    <Directory /usr/share/service-desk/htdocs>
        AllowOverride None
        Require all granted
    </Directory>
    LogLevel warn
    ErrorLog /var/log/apache2/sd_error.log
    CustomLog /var/log/apache2/sd_access.log combined
</VirtualHost>
}}}
**//Note://** The application can also be published in a directory inside the default host.

[[Image(SD.png, 850px, nolink)]]

'''LDAP authentication and authorization'''

You can use Apache [https://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html mod_authnz_ldap].
This module checks user credentials against the LDAP directory and can restrict access to specific users or groups.
{{{
<Directory /usr/share/service-desk/htdocs>
    AllowOverride None
    AuthType basic
    AuthName "LTB Service Desk"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.example.com/dc=example,dc=com?uid
    Require ldap-group cn=support,ou=groups,dc=example,dc=com
</Directory>
}}}

'''External authentication'''

You can use any authentication source and protocol, such as CAS, SAML or OpenID Connect. Configuring these solutions is out of scope of the current documentation.

'''General parameters'''

Set the default language in $lang:
{{{
$lang = "en";
}}}

'''Dates'''

You can adapt how dates are displayed using format specifiers ([https://www.php.net/strftime see the strftime reference]).

'''Logo'''

You can replace the default logo with your own. Set the path to your logo in $logo:
{{{
$logo = "images/ltb-logo.png";
}}}

'''Background'''

You can replace the background image with your own. Set the path to the image in $background_image:
{{{
$background_image = "images/unsplash-space.jpeg";
}}}

'''Custom CSS'''

To easily customize the CSS, you can use a separate CSS file:
{{{
$custom_css = "css/custom.css";
}}}

'''Debug'''

You can turn on debug mode with $debug:
{{{
$debug = true;
}}}
It is also possible to enable Smarty debug, for web interface issues:
{{{
$smarty_debug = true;
}}}

'''Smarty'''

You need to define where Smarty is installed:
{{{
define("SMARTY", "/usr/share/php/smarty3/Smarty.class.php");
}}}

'''Notify administrator by mail'''

It is possible to provide the administrator's mail address to Service Desk through an HTTP header. $header_name_notify_admin_by_mail is the name of that header; the web server passes it to the CGI script as HTTP_$header_name_notify_admin_by_mail, and its value sets the administrator mail.
{{{
$header_name_notify_admin_by_mail = "SSP-Admin-Mail";
}}}
Using Apache, such a header can be set as follows:
{{{
    ServerName ssp.domain1.com
    RequestHeader setIfEmpty SSP-Admin-Mail admin@example.com
    [...]
}}}

'''LDAP Parameters'''

Use an LDAP URI to configure the location of your LDAP server in $ldap_url:
{{{
$ldap_url = "ldap://localhost:389";
}}}
You can set several URIs, so that the next server is tried if the previous one is down:
{{{
$ldap_url = "ldap://server1 ldap://server2";
}}}
To use SSL, set ldaps in the URI:
{{{
$ldap_url = "ldaps://localhost";
}}}
To use StartTLS, set $ldap_starttls to true:
{{{
$ldap_starttls = true;
}}}

'''Credentials'''

Configure the bind DN and password in $ldap_binddn and $ldap_bindpw:
{{{
$ldap_binddn = "cn=manager,dc=example,dc=com";
$ldap_bindpw = "secret";
}}}

'''LDAP Base'''

You can set the global base in $ldap_base:
{{{
$ldap_base = "dc=example,dc=com";
}}}

'''User search parameters'''

You can set the base of the search in $ldap_user_base:
{{{
$ldap_user_base = "ou=users,".$ldap_base;
}}}
The filter can be set in $ldap_user_filter:
{{{
$ldap_user_filter = "(objectClass=inetOrgPerson)";
}}}

'''Size limit'''

It is advised to set a search limit on the client side if no limit is set by the server:
{{{
$ldap_size_limit = 100;
}}}

'''Default password policy'''

Set the $ldap_default_ppolicy value if a default policy is configured in your LDAP directory:
{{{
$ldap_default_ppolicy = "cn=default,ou=ppolicy,dc=example,dc=com";
}}}

'''Search parameters'''

Configure the attributes on which the search is done:
{{{
$search_attributes = array('uid', 'cn', 'mail');
}}}
By default, the search uses substring matching.
This can be changed to use exact matching:
{{{
$search_use_substring_match = false;
}}}

'''Results display'''

Configure the items shown when displaying results:
{{{
$search_result_items = array('identifier', 'mail', 'mobile');
}}}

'''Datatables'''

Define the pagination values offered in the dropdown:
{{{
$datatables_page_length_choices = array(10, 25, 50, 100, -1); // -1 means All
}}}
Set the default pagination for results (can also be used to force the length without $datatables_page_length_choices):
{{{
$datatables_page_length_default = 10;
}}}
Enable or disable the autoPrint feature:
{{{
$datatables_auto_print = true;
}}}

[[Image(SD2.png, 850px, nolink)]]

'''Display parameters'''

Configure which items are displayed:
{{{
$display_items = array('identifier', 'firstname', 'lastname', 'title', 'businesscategory', 'employeenumber', 'employeetype', 'mail', 'phone', 'mobile', 'fax', 'postaladdress', 'street', 'postalcode', 'l', 'state', 'organizationalunit', 'organization');
}}}
Set which item is used as the title:
{{{
$display_title = "fullname";
}}}
Choose whether to show undefined values:
{{{
$display_show_undefined = false;
}}}

'''Account information panel'''

Configure which items are displayed:
{{{
$display_password_items = array('pwdchangedtime', 'pwdreset', 'pwdaccountlockedtime', 'pwdfailuretime', 'pwdpolicysubentry', 'authtimestamp', 'created', 'modified');
}}}
You can also display the password expiration date in this panel by enabling this option:
{{{
$display_password_expiration_date = true;
}}}

'''Check password'''

This feature allows entering a password and checking that authentication succeeds with it. //Note:// authentication can fail even if the password is correct, for example when the account is locked or the password has expired. To enable this feature:
{{{
$use_checkpassword = true;
}}}

'''Reset password'''

This feature allows resetting a password and setting the "reset at next connection" flag.
To enable this feature:
{{{
$use_resetpassword = true;
}}}
When changing the password, you can force the user to reset it at next connection. To configure the default value presented in the form:
{{{
$resetpassword_reset_default = true;
}}}
If you do not want to offer the choice of resetting at next connection, you can hide this button:
{{{
$use_resetpassword_resetchoice = false;
}}}
In this case, the value set in $resetpassword_reset_default is applied.

'''Notify user by mail'''

You can notify the user by mail when the password is reset:
{{{
$notify_on_change = true;
}}}

'''Notify administrator by mail'''

$notify_admin_by_mail_list is a PHP array of administrator mail addresses set directly in the Service Desk configuration.

$header_name_notify_admin_by_mail is the name of a header that the web server passes to the CGI script as HTTP_$header_name_notify_admin_by_mail, to set the administrator mail from the web server. This setting lets the web server select an administrator mail related to the current HTTP session. Its value should be a valid mail address according to RFC 822.

If either is set, every administrator mail receives a notification that a user password was changed. Note that this is not controlled by $notify_on_change, which applies to the user only.
{{{
$notify_admin_by_mail_list = array('a@example.com', 'b@example.com', 'c@example.com');
$header_name_notify_admin_by_mail = "SD_ADMIN_MAIL";
}}}

'''Lock account'''

This feature allows locking the account permanently. The button is only displayed if the account is not locked. To enable this feature:
{{{
$use_lockaccount = true;
}}}

'''Unlock account'''

This feature allows unlocking the account. The button is only displayed if the account is already locked. To enable this feature:
{{{
$use_unlockaccount = true;
}}}

'''Dashboards'''

The locked accounts page lists all currently locked accounts. To enable it:
{{{
$use_searchlocked = true;
}}}

'''Soon expired passwords'''

This page lists all accounts with a password that will expire in the next days.
To enable it:
{{{
$use_searchwillexpire = true;
}}}
You can also configure the number of days before expiration:
{{{
$willexpiredays = 14;
}}}

'''Expired passwords'''

This page lists all accounts with an expired password. To enable it:
{{{
$use_searchexpired = true;
}}}

'''Idle accounts'''

This page lists all accounts that have never connected, or have not connected for a number of days. To enable it:
{{{
$use_searchidle = true;
}}}
You can also configure the number of idle days:
{{{
$idledays = 60;
}}}

'''Mail'''

Set the LDAP attributes where the user email may be stored:
{{{
$mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" );
}}}
You can also define which LDAP attribute contains the user name (used in the mail body):
{{{
$mail_username_attribute = "cn";
}}}

'''Sender name'''

You can change the default From header and add a signature:
{{{
$mail_from = "admin@example.com";
$mail_from_name = "Self Service Password administrator";
$mail_signature = "";
}}}

'''Change password notification'''

Use this option to send a confirmation mail to the user just after a successful password change:
{{{
$notify_on_change = true;
}}}
This option is false by default.

'''PHPMailer'''

You have to set all PHPMailer parameters if you use mail notification.
{{{
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'localhost';
$mail_smtp_auth = false;
$mail_smtp_user = '';
$mail_smtp_pass = '';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
}}}
See https://github.com/PHPMailer/PHPMailer for more information.

**Click [wiki:campuswifiandeduroam2023Agenda/pwdp here] for password policy**

**Click [wiki:campuswifiandeduroam2023Agenda/pwden here] for Password Expiry Email Notification**
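The dashboards above (locked, soon expired, expired and idle accounts) and the $display_password_expiration_date option all derive from the OpenLDAP ppolicy and lastbind attributes listed in $display_password_items. The following script is an added illustration, not Service Desk code, of how those states can be computed from an entry. It assumes a single global pwdMaxAge (a per-user pwdPolicySubentry is ignored), lowercase attribute keys as returned by ldap_get_entries(), and uses the $willexpiredays and $idledays values from this page; the entries and the clock value are constructed sample data.

```php
<?php
// Added example, not Service Desk code: classify entries into the dashboard
// buckets from OpenLDAP ppolicy/lastbind attributes. Assumptions: one global
// pwdMaxAge, lowercase attribute keys, constructed sample entries.

const WILL_EXPIRE_DAYS = 14;          // mirrors $willexpiredays
const IDLE_DAYS        = 60;          // mirrors $idledays
const PWD_MAX_AGE      = 90 * 86400;  // assumed pwdMaxAge of the default policy, in seconds

// Parse an LDAP GeneralizedTime such as "20240301000000Z" into a Unix timestamp.
function ldapTimeToUnix(string $value): ?int
{
    $dt = DateTimeImmutable::createFromFormat('YmdHis\Z', $value, new DateTimeZone('UTC'));
    return $dt === false ? null : $dt->getTimestamp();
}

// Password expiration timestamp (pwdChangedTime + pwdMaxAge), or null if unknown.
// This is the value the account panel shows when $display_password_expiration_date is enabled.
function passwordExpiresAt(array $entry, int $maxAge = PWD_MAX_AGE): ?int
{
    if (empty($entry['pwdchangedtime'])) {
        return null;
    }
    $changed = ldapTimeToUnix($entry['pwdchangedtime']);
    return $changed === null ? null : $changed + $maxAge;
}

// Return the dashboards on which an entry appears. $now is passed in explicitly
// so that the result does not depend on the system clock.
function classifyAccount(array $entry, int $now, int $maxAge = PWD_MAX_AGE): array
{
    $states = [];

    // Locked: pwdAccountLockedTime is present ("000001010000Z" is a permanent lock).
    if (!empty($entry['pwdaccountlockedtime'])) {
        $states[] = 'locked';
    }

    $expires = passwordExpiresAt($entry, $maxAge);
    if ($expires !== null) {
        if ($expires <= $now) {
            $states[] = 'expired';
        } elseif ($expires <= $now + WILL_EXPIRE_DAYS * 86400) {
            $states[] = 'will_expire';
        }
    }

    // Idle: never authenticated (no authTimestamp) or last bind older than IDLE_DAYS.
    $lastAuth = empty($entry['authtimestamp']) ? null : ldapTimeToUnix($entry['authtimestamp']);
    if ($lastAuth === null || $lastAuth < $now - IDLE_DAYS * 86400) {
        $states[] = 'idle';
    }

    return $states;
}

// Constructed sample entries; "now" is fixed at 2024-03-01 00:00:00 UTC.
$now = ldapTimeToUnix('20240301000000Z');
$entries = [
    'alice' => ['pwdchangedtime' => '20240201000000Z', 'authtimestamp' => '20240228090000Z'],
    'bob'   => ['pwdchangedtime' => '20231201000000Z', 'authtimestamp' => '20240229080000Z'],
    'carol' => ['pwdchangedtime' => '20231210000000Z'],
    'dave'  => ['pwdchangedtime' => '20240115000000Z', 'pwdaccountlockedtime' => '000001010000Z',
                'authtimestamp' => '20231101120000Z'],
];

foreach ($entries as $uid => $entry) {
    $states  = classifyAccount($entry, $now);
    $expires = passwordExpiresAt($entry);
    printf("%-6s expires %s  ->  %s\n", $uid,
        $expires === null ? 'n/a' : gmdate('Y-m-d', $expires),
        $states ? implode(', ', $states) : 'ok');
}
```

With this sample data, bob's password expired on 2024-02-29, carol appears on both the soon-expired and the idle dashboards (expiry on 2024-03-09, never authenticated), and dave is locked and idle. The idle check treats a missing authTimestamp as "never connected", which is what the idle accounts dashboard is described as listing.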
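The two "Notify administrator by mail" sections describe a header, named by $header_name_notify_admin_by_mail, whose value becomes an administrator notification address. The following added example (not Service Desk code) shows how that header name maps to the $_SERVER key PHP sees, and how to validate the value before using it as a mail recipient; adminRecipients() is a hypothetical helper, and the $_SERVER arrays are constructed.

```php
<?php
// Added example, not Service Desk code: map $header_name_notify_admin_by_mail to its
// CGI variable and validate the header value before it becomes a mail recipient.
// The $_SERVER samples are constructed; adminRecipients() is a hypothetical helper.

$header_name_notify_admin_by_mail = "SSP-Admin-Mail";                 // as on the page
$notify_admin_by_mail_list = array('a@example.com', 'b@example.com'); // as on the page

// CGI exposes a request header "SSP-Admin-Mail" as HTTP_SSP_ADMIN_MAIL:
// "HTTP_" prefix, uppercase, hyphens replaced by underscores.
function serverKeyForHeader(string $headerName): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
}

// Merge the static list with the header value, keeping only syntactically valid
// addresses. FILTER_VALIDATE_EMAIL rejects empty strings and embedded CR/LF, so a
// malformed header cannot add extra lines to the outgoing mail headers.
function adminRecipients(array $server, string $headerName, array $staticList): array
{
    $valid = [];
    $rejected = [];

    $candidates = $staticList;
    $key = serverKeyForHeader($headerName);
    if (isset($server[$key])) {
        $candidates[] = $server[$key];
    }

    foreach ($candidates as $mail) {
        $mail = trim((string) $mail);
        if (filter_var($mail, FILTER_VALIDATE_EMAIL) !== false) {
            $valid[] = $mail;
        } else {
            $rejected[] = $mail;
        }
    }

    return ['valid' => array_values(array_unique($valid)), 'rejected' => $rejected];
}

// Constructed request environments.
$samples = [
    'header set by Apache'   => ['HTTP_SSP_ADMIN_MAIL' => 'admin@example.com'],
    'header absent'          => [],
    'malformed header value' => ['HTTP_SSP_ADMIN_MAIL' => "x@example.com\r\ntrailing-line"],
];

foreach ($samples as $label => $server) {
    $r = adminRecipients($server, $header_name_notify_admin_by_mail, $notify_admin_by_mail_list);
    printf("%-24s valid=[%s] rejected=[%s]\n", $label,
        implode(', ', $r['valid']), implode(', ', $r['rejected']));
}
```

The first sample yields the two static addresses plus admin@example.com, the second only the static list, and the third reports the malformed value as rejected. One configuration point worth checking alongside this: Apache's `RequestHeader setIfEmpty` (as in the example above) only adds the header when the request does not already carry one, whereas `RequestHeader set` replaces any existing value; since this header selects who is notified of password changes, the web server should be the sole source of its value.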