summaryrefslogtreecommitdiffstats
path: root/ipa-client/man/default.conf.5
blob: dbc8a5b4647439de4de7c01152d098eb0561e236 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
.\" A man page for default.conf
.\" Copyright (C) 2011 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@@redhat.com>
.\"
.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
default.conf \- IPA configuration file
.SH "SYNOPSIS"
/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf, /etc/ipa/cli.conf
.SH "DESCRIPTION"
The \fIdefault.conf \fRconfiguration file is used to set system\-wide defaults to be applied when running IPA clients and servers.

Users may create an optional configuration file in \fI~/.ipa/default.conf\fR which will be merged into the system\-wide defaults file.

The following files are read, in order:
.nf
    ~/.ipa/default.conf
    /etc/ipa/<context>.conf
    /etc/ipa/default.conf
    built\-in constants
.fi

The IPA server does not read ~/.ipa/default.conf.

The first setting wins.
.SH "SYNTAX"
The configuration options are not case sensitive. The values may be case sensitive, depending on the option.

Blank lines are ignored.
Lines beginning with # are comments and are ignored.

Valid lines consist of an option name, an equals sign and a value. Spaces surrounding equals sign are ignored. An option terminates at the end of a line.

Values should not be quoted, the quotes will not be stripped.

.np
    # Wrong \- don't include quotes
    verbose = "True"

    # Right \- Properly formatted options
    verbose = True
    verbose=True
.fi

Options must appear in the section named [global]. There are no other sections defined or used currently.

Options may be defined that are not used by IPA. Be careful of misspellings, they will not be rejected.
.SH "OPTIONS"
The following options are relevant for the server:
.TP
.B basedn\fR <base>
Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
.TP
.B ca_agent_port <port>
Specifies the secure CA agent port. The default is 9443 for Dogtag 9, and 8443 for Dogtag 10.
.TP
.B ca_ee_port <port>
Specifies the secure CA end user port. The default is 9444 for Dogtag 9, and 8443 for Dogtag 10.
.TP
.B ca_host <hostname>
Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
.TP
.B ca_port <port>
Specifies the insecure CA end user port. The default is 9180 for Dogtag 9, and 8080 for Dogtag 10.
.TP
.B context <context>
Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
.TP
.B debug <boolean>
When True provides detailed information. Specifically this set the global log level to "debug". Default is False.
.TP
.B dogtag_version <version>
Stores the version of Dogtag. Value 9 is assumed if not specified otherwise.
.TP
.B domain <domain>
The domain of the IPA server e.g. example.com.
.TP
.B enable_ra <boolean>
Specifies whether the CA is acting as an RA agent, such as when dogtag is being used as the Certificate Authority. This setting only applies to the IPA server configuration.
.TP
.B fallback <boolean>
Specifies whether an IPA client should attempt to fall back and try other services if the first connection fails.
.TP
.B host <hostname>
Specifies the local system hostname.
.TP
.B in_server <boolean>
Specifies whether requests should be forwarded to an IPA server or handled locally. This is used internally by IPA in a similar way as context. The same IPA framework is used by the ipa command\-line tool and the server. This setting tells the framework whether it should execute the command as if on the server or forward it via XML\-RPC to a remote server.
.TP
.B in_tree  <boolean>
This is used in development and is generally a detected value. It means that the code is being executed within a source tree.
.TP
.B interactive <boolean>
Specifies whether values should be prompted for or not. The default is True.
.TP
.B ldap_uri <URI>
Specifies the URI of the IPA LDAP server to connect to. The URI scheme may be one of \fBldap\fR or \fBldapi\fR. The default is to use ldapi, e.g. ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-COM.socket
.TP
.B log_logger_XXX <comma separated list of regexps>
loggers matching regexp will be assigned XXX level.
.IP
Logger levels can be explicitly specified for specific loggers as
opposed to a global logging level. Specific loggers are indicated
by a list of regular expressions bound to a level. If a logger's
name matches the regexp then it is assigned that level. This config item
must begin with "log_logger_level_" and then be
followed by a symbolic or numeric log level, for example:
.IP
  log_logger_level_debug = ipalib\\.dn\\..*
.IP
  log_logger_level_35 = ipalib\\.plugins\\.dogtag
.IP
The first line says any logger belonging to the ipalib.dn module
will have it's level configured to debug.
.IP
The second line say the ipa.plugins.dogtag logger will be
configured to level 35.
.IP
This config item is useful when you only want to see the log output from
one or more selected loggers. Turning on the global debug flag will produce
an enormous amount of output. This allows you to leave the global debug flag
off and selectively enable output from a specific logger. Typically loggers
are bound to classes and plugins.
.IP
Note: logger names are a dot ('.') separated list forming a path
in the logger tree.  The dot character is also a regular
expression metacharacter (matches any character) therefore you
will usually need to escape the dot in the logger names by
preceeding it with a backslash.
.TP
.B mode <mode>
Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.
.TP
.B mount_ipa <URI>
Specifies the mount point that the development server will register. The default is /ipa/
.TP
.B prompt_all <boolean>
Specifies that all options should be prompted for in the IPA client, even optional values. Default is False.
.TP
.B ra_plugin <name>
Specifies the name of the CA back end to use. The current options are \fBdogtag\fR and \fBnone\fR. This is a server\-side setting. Changing this value is not recommended as the CA back end is only set up during initial installation.
.TP
.B realm <realm>
Specifies the Kerberos realm.
.TP
.B session_auth_duration <time duration spec>
Specifies the length of time authentication credentials cached in the session are valid. After the duration expires credentials will be automatically reacquired. Examples are "2 hours", "1h:30m", "10 minutes", "5min, 30sec".
.TP
.B session_duration_type <inactivity_timeout|from_start>
Specifies how the expiration of a session is computed. With \fBinactivity_timeout\fR the expiration time is advanced by the value of session_auth_duration everytime the user accesses the service. With \fBfrom_start\fR the session expiration is the start of the user's session plus the value of session_auth_duration.
.TP
.B server <hostname>
Specifies the IPA Server hostname.
.TP
.B startup_timeout <time in seconds>
Controls the amount of time waited when starting a service. The default value is 120 seconds.
.TP
.B startup_traceback <boolean>
If the IPA server fails to start and this value is True the server will attempt to generate a python traceback to make identifying the underlying problem easier.
.TP
.B validate_api <boolean>
Used internally in the IPA source package to verify that the API has not changed. This is used to prevent regressions. If it is true then some errors are ignored so enough of the IPA framework can be loaded to verify all of the API, even if optional components are not installed. The default is False.
.TP
.B verbose <boolean>
When True provides more information. Specifically this sets the global log level to "info".
.TP
.B wait_for_dns <number of attempts>
Controls whether the IPA commands dnsrecord\-{add,mod,del} work synchronously or not. The DNS commands will repeat DNS queries up to the specified number of attempts until the DNS server returns an up-to-date answer to a query for modified records. Delay between retries is one second.
.IP
The DNS commands will raise a DNSDataMismatch exception if the answer doesn't match the expected value even after the specified number of attempts.
.IP
The DNS queries will be sent to the resolver configured in /etc/resolv.conf on the IPA server.
.IP
Do not enable this in production! This will cause problems if the resolver on IPA server uses a caching server instead of a local authoritative server or e.g. if DNS answers are modified by DNS64. The default is disabled (the option is not present).
.TP
.B xmlrpc_uri <URI>
Specifies the URI of the XML\-RPC server for a client. This may be used by IPA, and is used by some external tools, such as ipa\-getcert. Example: https://ipa.example.com/ipa/xml
.TP
.B jsonrpc_uri <URI>
Specifies the URI of the JSON server for a client. This is used by IPA. If not given, it is derived from xmlrpc_uri. Example: https://ipa.example.com/ipa/json
.TP
.B rpc_protocol <URI>
Specifies the type of RPC calls IPA makes: 'jsonrpc' or 'xmlrpc'. Defaults to 'jsonrpc'.
.TP
The following define the containers for the IPA server. Containers define where in the DIT that objects can be found. The full location is the value of container + basedn.
  container_accounts: cn=accounts
  container_applications: cn=applications,cn=configs,cn=policies
  container_automount: cn=automount
  container_configs: cn=configs,cn=policies
  container_dns: cn=dns
  container_group: cn=groups,cn=accounts
  container_hbac: cn=hbac
  container_hbacservice: cn=hbacservices,cn=hbac
  container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
  container_host: cn=computers,cn=accounts
  container_hostgroup: cn=hostgroups,cn=accounts
  container_netgroup: cn=ng,cn=alt
  container_permission: cn=permissions,cn=pbac
  container_policies: cn=policies
  container_policygroups: cn=policygroups,cn=configs,cn=policies
  container_policylinks: cn=policylinks,cn=configs,cn=policies
  container_privilege: cn=privileges,cn=pbac
  container_rolegroup: cn=roles,cn=accounts
  container_roles: cn=roles,cn=policies
  container_service: cn=services,cn=accounts
  container_sudocmd: cn=sudocmds,cn=sudo
  container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
  container_sudorule: cn=sudorules,cn=sudo
  container_user: cn=users,cn=accounts
  container_virtual: cn=virtual operations,cn=etc

.SH "FILES"
.TP
.I /etc/ipa/default.conf
system\-wide IPA configuration file
.TP
.I $HOME/.ipa/default.conf
user IPA configuration file
.TP
It is also possible to define context\-specific configuration files. The \fBcontext\fR is set when the IPA api is initialized. The two currently defined contexts in IPA are \fBcli\fR and \fBserver\fR. This is helpful, for example, if you only want \fBdebug\fR enabled on the server and not in the client. If this is set to True in \fIdefault.conf\fR it will affect both the ipa client tool and the IPA server. If it is only set in \fIserver.conf\fR then only the server will have \fBdebug\fR set. These files will be loaded if they exist:
.TP
.I /etc/ipa/cli.conf
system\-wide IPA client configuration file
.TP
.I /etc/ipa/server.conf
system\-wide IPA server configuration file
.SH "SEE ALSO"
.BR ipa (1)