.\" to process use the following command
.\" groff -man -Tascii manpagename.1
.TH CPU.CONF 5 "17 February 2003"
.SH NAME
cpu.conf \- cpu configuration file
.SH DESCRIPTION
This file stores all configurable options for CPU and CPU modules. You can
specify the location of the configuration file at runtime by specifying the
\fI--config\fR or \fI-C\fR command line switches (see \fBcpu(8)\fR). Each CPU
module has its own configuration section, but they are all documented here. It
is recommended that the config file have strict permissions such as 600.
.LP
Please note that configuration options take the following format:
.LP
option = value
.LP
and section headers are of the format
.LP
[HEADER]
.SH GLOBAL OPTIONS
Global options should be under the section marked [GLOBAL]. All options under
this section impact all operations.
.IP "\fBDEFAULT_METHOD\fR = \fImethod\fR"
Specifies what the default administration method is. This value should be a
string of either ldap or passwd.
.IP "\fBCRACKLIB_DICTIONARY\fR = \fIfile\fR"
If CPU was compiled --with-libcrack, \fIfile\fR should be the location of
cracklib_dict.
.SH LDAP OPTIONS
LDAP options should be under the section marked [LDAP]. These options are only
useful when \fBDEFAULT_METHOD\fR is set to ldap or when ldap was specified at
the command line with the \fB-M\fR switch. These options are only used by the
LDAP module.
.IP "\fBLDAP_HOST\fR = \fIhostname\fR"
\fIhostname\fR should be either the IP address or the hostname of the server
running the LDAP directory that you wish to administer users on. This can be
overridden with the \fB-N\fR command line switch.
.IP "\fBLDAP_PORT\fR = \fIport\fR"
\fIport\fR is the port that the LDAP server specified by \fBLDAP_HOST\fR is
listening on. This value must be non-negative. This can be overridden by the
\fB-P\fR command line switch.
.IP "\fBBIND_DN\fR = \fIdn\fR"
\fIdn\fR should be the fully qualified DN of an LDAP entity with appropriate
rights to perform any actions that you wish.
This value can be overridden by the \fB-D\fR command line switch.
.IP "\fBBIND_PASS\fR = \fIpassword\fR"
\fIpassword\fR is the password of the entity specified by \fBBIND_DN\fR. This
value is passed directly to the server, so it may be stored encrypted if your
server supports this. This value can be overridden by the \fB-w\fR command
line switch.
.IP "\fBUSER_BASE\fR = \fIbase_dn\fR"
\fIbase_dn\fR is the base dn that users should be added to, searched for,
deleted from, or modified from. In general if you wish to add a user to the
following dn: ou=users,o=company,c=us \fIbase_dn\fR should be set to
ou=users,o=company,c=us. If you set this value to o=company,c=us users will be
added to that dn, although for searching purposes the scope is broader. This
value can be overridden at the command line with the \fB-U\fR switch.
.IP "\fBGROUP_BASE\fR = \fIbase_dn\fR"
\fIbase_dn\fR is the base dn that groups should be added to, searched for,
deleted from, or modified from. In general if you wish to add a group to the
following dn: ou=group,o=company,c=us \fIbase_dn\fR should be set to
ou=group,o=company,c=us. If you set this value to o=company,c=us groups will
be added to that dn, although for searching purposes the scope is broader.
This value can be overridden at the command line with the \fB-B\fR switch.
.IP "\fBUSER_OBJECT_CLASS\fR = \fIobject_class\fR"
.IP "\fBGROUP_OBJECT_CLASS\fR = \fIobject_class\fR"
\fIobject_class\fR is a comma separated list of object classes that are
required by your LDAP directory's schema in order to add or modify users and
groups. The default should be fine; consult your vendor's documentation or
contact \fIcpu-users@lists.sourceforge.net\fR if you have problems.
.IP "\fBUSER_FILTER\fR = \fIfilter\fR"
.IP "\fBGROUP_FILTER\fR = \fIfilter\fR"
\fIfilter\fR is a filter that adheres to the following BNF:
.nf
::= '(' ')'
::= | | |
::= '&'
::= '|'
::= '!'
::= |
::=
::= '=' | '~=' | '<=' | '>='
.fi
These filters are utilized to locate users and groups, as well as to aid in
finding new uids and gids.
.IP "\fBUSER_CN_STRING\fR = \fIstring\fR"
\fIstring\fR is used during user creation. It allows you to specify the dn of
the user. The dn becomes string=login,...
.IP "\fBGROUP_CN_STRING\fR = \fIstring\fR"
\fIstring\fR is used during group creation. It allows you to specify the dn of
the group. The dn becomes string=groupname,...
.IP "\fBTIMEOUT\fR = \fItimeout\fR"
\fItimeout\fR should be a value in seconds and greater than 0. If unspecified
the default is 60. This value determines the duration after which an operation
should be aborted.
.LP
The following options are still used by the [LDAP] section, but are more user
centric and less ldap centric.
.IP "\fBSKEL_DIR\fR = \fIdir\fR"
\fIdir\fR should be the path for a directory that files are to be copied from
when \fB-m\fR is given at the command line. This value can be overridden by
the \fB-k\fR command line switch.
.IP "\fBDEFAULT_SHELL\fR = \fIshell\fR"
The default name of the user's login shell. This value can be overridden by
the \fB-s\fR command line switch.
.IP "\fBHOME_DIRECTORY\fR = \fIdirectory\fR"
New users will be created using \fIdirectory\fR prepended to the user's login
name. If this variable is undefined, it must be specified at the command line
with the \fB-d\fR switch. When specified at the command line that value is
used for the user's home directory.
.IP "\fBMAX_UIDNUMBER\fR = \fIinteger\fR"
.IP "\fBMIN_UIDNUMBER\fR = \fIinteger\fR"
.IP "\fBMAX_GIDNUMBER\fR = \fIinteger\fR"
.IP "\fBMIN_GIDNUMBER\fR = \fIinteger\fR"
.IP "\fBID_MAX_PASSES\fR = \fIinteger\fR"
These values control gid and uid generation. When a uid is not specified at
the command line (for a useradd) these values are used for finding the next
unused uid (random or linear). The same applies to groupadd. These are pretty
self evident.
\fBID_MAX_PASSES\fR is the number of times that a search should be performed
before giving up.
.IP "\fBRANDOM\fR = \fBtrue or false\fR"
If \fBRANDOM\fR is \fItrue\fR, then a random number will be generated and
searched for (this number, if unused in the directory, will be the user's uid
or a group's gid). If a user or group with that ID exists, the process will
continue for \fBID_MAX_PASSES\fR. If \fIfalse\fR, a linear scan will be done
starting at \fBMIN_UIDNUMBER\fR (or GIDNUMBER) and will not stop until an
unused ID is found or the number of scans is equal to \fBID_MAX_PASSES\fR. If
random is false, only one query is done on the directory, but it may still be
a bit slower than setting random to true in some cases.
.IP "\fBUSERGROUPS\fR = \fB yes or no\fR"
\fBUSERGROUPS\fR can be either yes or no. If yes, each created user will be
given their own group to use as a default. If no, each created user will be
placed in the group whose gid is \fBUSERS_GID\fR.
.IP "\fBUSERS_GID\fR = \fB integer\fR"
If \fBUSERGROUPS\fR is no, then \fBUSERS_GID\fR should be the GID of the group
\'users\' (or the equivalent group) on your system. If this is unspecified,
the default is 100.
.IP "\fBGECOS\fR = \fBstring\fR"
The default value for a user's gecos field. This can be overridden at the
command line with the \fB-c\fR switch.
.IP "\fBPASSWORD_FILE\fR = \fBfile\fR"
The value should be a Unix style, passwd formatted file. In order to use this
value the \fB-F\fR switch must be used at the command line. This value can be
empty if a file is provided with the \fB-F\fR switch. In this case, the user's
attributes are taken from the file (if the user is found) and used in the LDAP
entry.
.IP "\fBSHADOW_FILE\fR = \fBfile\fR"
The value should be a Unix style, shadow formatted file. In order to use this
value the \fB-S\fR switch must be used at the command line. This value can be
empty if a file is provided with the \fB-S\fR switch.
In this case, the user's attributes are taken from the file (if the user is
found) and used in the LDAP entry (including the password).
.IP "\fBHASH\fR = \fBhash\fR"
\fIhash\fR is a hash of either clear, md5crypt, crypt, sha1, ssha1, md5, or
smd5 to be used when hashing user passwords. This is largely implementation
dependent but all are supported. If you are taking passwords from a standard
password file, this should be clear (I think, need to check...). This can be
overridden at the command line with the \fB-H\fR switch.
.IP "\fBSHADOWLASTCHANGE\fR = \fIinteger\fR"
.IP "\fBSHADOWMAX\fR = \fIinteger\fR"
.IP "\fBSHADOWWARING\fR = \fIinteger\fR"
.IP "\fBSHADOWEXPIRE\fR = \fIinteger\fR"
.IP "\fBSHADOWFLAG\fR = \fIinteger\fR"
.IP "\fBSHADOWMIN\fR = \fIinteger\fR"
.IP "\fBSHADOWINACTIVE\fR = \fIinteger\fR"
These values are better documented in \fBshadow(3)\fR and in \fBshadow(5)\fR.
These are not required by RFC 2307 but are by some ldap authentication
implementations. These values can only be specified here, or taken from an
existing shadow file for the user.
.IP "\fBADD_SCRIPT\fR = \fBexecutable\fR"
.IP "\fBDEL_SCRIPT\fR = \fBexecutable\fR"
ADD_SCRIPT and DEL_SCRIPT work the same way; however, ADD_SCRIPT is used only
for a useradd operation and DEL_SCRIPT is used only for a userdel operation.
These can be overridden via the command line switch \fB-X\fR. If specified in
the configuration file or at the command line, the script is executed after a
successful useradd or userdel. The first argument to the script is the login
name as specified at the command line.
.SH PASSWD OPTIONS
Password options should be under the section marked [PASSWD]. These options
are only useful when \fBDEFAULT_METHOD\fR is set to passwd or when passwd was
specified at the command line with the \fB-M\fR switch. These options are only
used by the passwd module. This module is not yet functional, so I won't
document the options.
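.SH EXAMPLES
The following audit sketch is an added example, not part of CPU or of the original manual page. It parses the option = value and [HEADER] format described above and reports a file mode wider than the recommended 600, a \fBHASH\fR setting that stores plaintext or unsalted hashes, and \fBADD_SCRIPT\fR or \fBDEL_SCRIPT\fR targets that other users can modify. The set of hash names treated as weak, the handling of # comment lines, and the sample values are assumptions of the example.

```python
import os
import tempfile

# Assumptions of this example: the weak-HASH set and the constructed SAMPLE.
WEAK_HASHES = {"clear", "md5", "sha1"}
SAMPLE = """[GLOBAL]
DEFAULT_METHOD = ldap
[LDAP]
BIND_DN = cn=admin,dc=example,dc=com
BIND_PASS = constructed-secret
HASH = md5
"""

def parse_cpu_conf(text):
    """Parse [HEADER] sections and 'option = value' lines into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comments are an assumption
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().upper(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # DN values contain '=' themselves
            current[key.strip().upper()] = value.strip()
    return sections

def audit_cpu_conf(path):
    """Return findings on file mode, HASH and hook scripts for one cpu.conf."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    with open(path) as fh:
        ldap = parse_cpu_conf(fh.read()).get("LDAP", {})
    if mode & 0o077:
        detail = " and BIND_PASS is set" if ldap.get("BIND_PASS") else ""
        findings.append(f"mode {mode:03o} is wider than 600{detail}")
    if ldap.get("HASH", "").lower() in WEAK_HASHES:
        findings.append(f"HASH = {ldap['HASH']} is plaintext or unsalted")
    for opt in ("ADD_SCRIPT", "DEL_SCRIPT"):
        script = ldap.get(opt)
        if script and os.path.exists(script) and os.stat(script).st_mode & 0o022:
            findings.append(f"{opt} {script} is group- or world-writable")
    return findings

def demo():  # audits SAMPLE after writing it out with mode 644
    with tempfile.NamedTemporaryFile("w", suffix=".conf") as fh:
        fh.write(SAMPLE)
        fh.flush()
        os.chmod(fh.name, 0o644)
        return audit_cpu_conf(fh.name)
```

Calling demo() returns two findings for the constructed sample; a file with mode 600 and a salted hash such as ssha1 returns an empty list.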
.SH SEE ALSO
.B cpu-ldap(8) cpu(8)
.SH AUTHORS
Blake Matheny
.LP
The current version of this software is always available at
.I http://cpu.sourceforge.net
.SH BUGS
To report a bug or problem, please e-mail: cpu-users@lists.sourceforge.net
.SH TODO
See TODO file that accompanied software. Please e-mail us with any additional
suggestions.