DESCRIPTION

       This file stores all configurable options for CPU and CPU modules. You
       can specify the location of the configuration file at runtime with the
       --config or -C command line switches (see cpu(8)). Each CPU module has
       its own configuration section, but they are all documented here. It is
       recommended that the config file have strict permissions such as 600.
       Configuration options take the format option = value, and section
       headers take the format [HEADER].



GLOBAL OPTIONS

       Global options should be under the section marked [GLOBAL]. All options
       under this section impact all operations.

       DEFAULT_METHOD = method
              Specifies what the default administration method is. This  value
              should be a string of either ldap or passwd.

       CRACKLIB_DICTIONARY = file
              If CPU was compiled --with-libcrack, file should be the location
              of cracklib_dict.



LDAP OPTIONS

       LDAP options should be under the section marked [LDAP].  These  options
       are  only  useful  when  DEFAULT_METHOD is set to ldap or when ldap was
       specified at the command line with the -M  switch.  These  options  are
       only used by the LDAP module.

       LDAP_HOST = hostname
              hostname  should be either the IP address or the hostname of the
              server running the LDAP directory that you  wish  to  administer
              users  on.  This  can  be  overridden  with  the -N command line
              switch.

       LDAP_PORT = port
              port is the port that the LDAP server specified by LDAP_HOST is
              listening on. This value must be non-negative. This can be
              overridden by the -P command line switch.

       BIND_DN = dn
              dn should be the fully qualified  DN  of  an  LDAP  entity  with
              appropriate  rights  to  perform any actions that you wish. This
              value can be overridden by the -D command line switch.

       BIND_PASS = password
              password is the password of the entity specified by BIND_DN.
              This value is passed directly to the server, so it may be stored
              encrypted if your server supports this. This value can be
              overridden by the -w command line switch.

              to  o=company,c=us groups will be added to that dn, although for
              searching purposes the scope is more broad.  This value  can  be
              overridden at the command line with the -B switch.

       USER_OBJECT_CLASS = object_class

       GROUP_OBJECT_CLASS = object_class
              object_class is a comma separated list of object classes that
              are required by your LDAP directory's schema in order to add or
              modify users and groups. The default should be fine; consult
              your vendor's documentation or contact
              cpu-users@lists.sourceforge.net if you have problems.

       USER_FILTER = filter

       GROUP_FILTER = filter
              filter is a filter that adheres to the following BNF:
                      <filter> ::= '(' <filtercomp> ')'
                      <filtercomp> ::= <and> | <or> | <not> | <simple>
                      <and> ::= '&' <filterlist>
                      <or> ::= '|' <filterlist>
                      <not> ::= '!' <filter>
                      <filterlist> ::= <filter> | <filter> <filterlist>
                      <simple> ::= <attributetype> <filtertype> <attributevalue>
                      <filtertype> ::= '=' | '~=' | '<=' | '>='
              These filters are used to locate users and groups, as well as
              to aid in finding new uids and gids.

       USER_CN_STRING = string
              string is used during user creation. It allows  you  to  specify
              the dn of the user. The dn becomes string=login,...

       GROUP_CN_STRING = string
              string  is  used during group creation. It allows you to specify
              the dn of the group. The dn becomes string=groupname,...

       TIMEOUT = timeout
              timeout should be a value in seconds  and  greater  than  0.  If
              unspecified  the  default is 60. This value determines the dura-
              tion after which an operation should be aborted.


       The following options are still used by the [LDAP] section, but are
       more user-centric and less LDAP-centric.

       SKEL_DIR = dir
              dir  should  be  the  path  for a directory that files are to be
              copied from when -m is given at the command line. This value can
              be overridden by the -k command line switch.

       DEFAULT_SHELL = shell
              The  default  name  of the user's login shell. This value can be

       MIN_GIDNUMBER = integer

       ID_MAX_PASSES = integer
              These values control gid and uid generation. When a uid is not
              specified at the command line (for a useradd), these values are
              used for finding the next unused uid (random or linear). The
              same applies to groupadd. These are pretty self-evident.
              ID_MAX_PASSES is the number of times that a search should be
              performed before giving up.

       RANDOM = true or false
              If RANDOM is true, then a random number will be generated and
              searched for (this number, if unused in the directory, will be
              the user's uid or a group's gid). If a user or group with that
              ID exists, the process will continue for ID_MAX_PASSES. If true,
              a linear scan will be done starting at MIN_UIDNUMBER (or
              GIDNUMBER) and will not stop until an unused ID is found or the
              number of scans is equal to ID_MAX_PASSES. If random is false,
              only one query is done on the directory, but it may still be a
              bit slower than setting random to true in some cases.

       USERGROUPS =  yes or no
              USERGROUPS can be either yes or no. If yes, each created user
              will be given their own group to use as a default. If no, each
              created user will be placed in the group whose gid is
              USERS_GID.

       USERS_GID =  integer
              If  USERGROUPS  is  no,  then USERS_GID should be the GID of the
              group default is 100.

       GECOS = string
              The default value for a user's gecos field. This can be
              overridden at the command line with the -c switch.

       PASSWORD_FILE = file
              The value should be a Unix style, passwd formatted file. In
              order to use this value the -F switch must be used at the
              command line. This value can be empty if a file is provided with
              the -F switch. In this case, the user's attributes are taken
              from the file (if the user is found) and used in the LDAP entry.

       SHADOW_FILE = file
              The value should be a Unix style, shadow formatted file. In
              order to use this value the -S switch must be used at the
              command line. This value can be empty if a file is provided with
              the -S switch. In this case, the user's attributes are taken
              from the file (if the user is found) and used in the LDAP entry
              (including the password).

       HASH = hash
              hash is a hash of either clear, crypt, sha1, ssha1, md5, or smd5

       SHADOWFLAG = integer

       SHADOWMIN = integer

       SHADOWINACTIVE = integer
              These values are better documented in shadow(3) and in
              shadow(5). They are not required by RFC2307 but are required by
              some LDAP authentication implementations. These values can only
              be specified here, or taken from an existing shadow file for the
              user.

       ADD_SCRIPT = executable

       DEL_SCRIPT = executable
              ADD_SCRIPT  and  DEL_SCRIPT work the same, however ADD_SCRIPT is
              used only for a useradd operation and DEL_SCRIPT  is  used  only
              for a userdel operation. These can be overridden via the command
              line switch -X. If specified in the configuration file or at the
              command  line, the script is executed after a successful useradd
              or userdel. The first argument to the script is the  login  name
              as specified at the command line.
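
An audit of a cpu.conf-style file against the advice on this page, as an added example (not part of CPU): it checks the recommended 600 mode, whether BIND_PASS is exposed, the HASH choice, and whether ADD_SCRIPT / DEL_SCRIPT targets can be modified by other users. Assumptions: lines starting with # are comments, clear, md5 and sha1 are the plaintext and unsalted choices in the HASH list, and the sample values are constructed.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample; DN and password are placeholders.
SAMPLE = """\
[GLOBAL]
DEFAULT_METHOD = ldap
[LDAP]
BIND_DN = cn=admin,o=company,c=us
BIND_PASS = constructed-secret
HASH = md5
"""
UNSALTED = {"clear", "md5", "sha1"}  # assumption: plaintext / unsalted digests


def audit_cpu_conf(path):
    """Return a list of findings for a cpu.conf-style file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & 0o077)
    if exposed:
        findings.append(f"mode {mode:03o} grants group/other access; use 600")
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   comment_prefixes=("#",))
    cp.optionxform = str  # keep option names case-sensitive
    cp.read(path)
    ldap = cp["LDAP"] if cp.has_section("LDAP") else {}
    if ldap.get("BIND_PASS") and exposed:
        findings.append("BIND_PASS is readable by users other than the owner")
    if ldap.get("HASH", "").lower() in UNSALTED:
        findings.append(f"HASH = {ldap['HASH']} is plaintext or unsalted")
    for key in ("ADD_SCRIPT", "DEL_SCRIPT"):
        script = ldap.get(key)
        if script and os.path.exists(script) and \
                stat.S_IMODE(os.stat(script).st_mode) & 0o022:
            findings.append(f"{key} target {script} is group/other writable")
    return findings


def audit_text(text, mode):
    """Write text to a temp file with the given mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(text)
    try:
        os.chmod(fh.name, mode)
        return audit_cpu_conf(fh.name)
    finally:
        os.unlink(fh.name)
```

Point audit_cpu_conf at the path passed to --config or -C; an empty list means none of these checks fired.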



PASSWD OPTIONS

       Password  options  should  be  under the section marked [PASSWD]. These
       options are only useful when DEFAULT_METHOD is set to  passwd  or  when
       passwd  was  specified  at  the  command line with the -M switch. These
       options are only used by the passwd module.  This  module  is  not  yet
       functional, so I won't document the options.



SEE ALSO

       cpu-ldap(8) cpu(8)



AUTHORS

       Blake Matheny <bmatheny@purdue.edu>

       The current version of this software is always available at
       http://cpu.sourceforge.net


BUGS

       To report a bug or problem, please e-mail:

       cpu-users@lists.sourceforge.net



TODO

       See the TODO file that accompanied the software. Please e-mail us with
       any additional suggestions.


