Yolinux.com

libuser.conf manpage

Search topic Section


libuser.conf(5)		      File Formats Manual	       libuser.conf(5)



NAME
       libuser.conf - configuration for libuser and libuser utilities


FILE FORMAT
       libuser.conf  is a text file.  Leading and trailing white space on each
       line is ignored.	 Lines starting with # are ignored.

       The file defines variables grouped into sections.  Each section	starts
       with a section header:
	      [section name]
       A single section header can appear more than once in the file.

       The  lines  following  a section header define variables from that sec-
       tion:
	      variable = value
       The value can be empty.

       A variable can have more than one value, specified by using  more  than
       one  line  defining  that  variable.   All  currently defined variables
       accept only the first value and ignore the others, if any.


[defaults]
       create_modules
	      A list of module names  to  use  when  creating  user  or	 group
	      entries, unless the application specifies a different list.  The
	      module names in the list can be separated using  space,  tab  or
	      comma.  Default value is files shadow.


       crypt_style
	      The  algorithm  to use for password encryption when creating new
	      passwords.  The current algorithm may be retained when  changing
	      a password of an existing user, depending on the application.

	      Possible	values	are des, md5, blowfish, sha256 and sha512, all
	      case-insensitive.	  Unrecognized	values	are  treated  as  des.
	      Default value is des.


       hash_rounds_min, hash_rounds_max
	      These  variables	specify an inclusive range of hash rounds used
	      when crypt_style is sha256 or sha512.  A number of  hash	rounds
	      is  chosen  from	this  interval	randomly.   A larger number of
	      rounds makes password  checking,	and  brute-force  attempts  to
	      guess  the  password  by reversing the hash, more CPU-intensive.
	      The number of  rounds  is	 restricted  to	 the  interval	[1000,
	      999999999].

	      If  only	one of the above variables is specified, the number of
	      rounds used is specified by  the	other  variable.   If  neither
	      variable is specified, the number of rounds is chosen by libc.


       mailspooldir
	      The directory containing user's mail spool files.	 Default value
	      is /var/mail.


       moduledir
	      The directory containing libuser modules.	  Default  value  uses
	      the  modules installed with libuser, corresponding to the archi-
	      tecture  of  the	libuser	 library,  e.g.	 /usr/lib/libuser   or
	      /usr/lib64/libuser  (assuming libuser was configured with --pre-
	      fix=/usr).


       modules
	      A list of module names to use when not creating  user  or	 group
	      entries, unless the application specifies a different list.  The
	      module names in the list can be separated using  space,  tab  or
	      comma.  Default value is files shadow.


       skeleton
	      The  directory  containing  files	 to copy to newly created home
	      directories.  Default value is /etc/skel.


[import]
       login_defs
	      A path to the login.defs file from shadow.  If this variable  is
	      defined,	the variables from the named file are used in place of
	      some  libuser  variables.	  Variables  explicitly	  defined   in
	      libuser.conf are not affected by contents of login.defs.

	      The following variables are imported:
				   |
	      Variable		   | Imported as
	      ---------------------+-------------------------------
	      ENCRYPT_METHOD	   | defaults/crypt_style
	      GID_MIN		   | groupdefaults/LU_GIDNUMBER
	      MAIL_DIR		   | defaults/mailspooldir
	      MD5_CRYPT_ENAB	   | defaults/crypt_style
	      PASS_MAX_DAYS	   | userdefaults/LU_SHADOWMAX
	      PASS_MIN_DAYS	   | userdefaults/LU_SHADOWMIN
	      PASS_WARN_AGE	   | userdefaults/LU_SHADOWWARNING
	      SHA_CRYPT_MIN_ROUNDS | defaults/hash_rounds_min
	      SHA_CRYPT_MAX_ROUNDS | defaults/hash_rounds_max
	      UID_MIN		   | userdefaults/LU_UIDNUMBER

	      The  following variables are not imported: CREATE_HOME, GID_MAX,
	      MAIL_FILE, SYSLOG_SG_ENAB, UID_MAX,  UMASK,  USERDEL_CMD,	 USER-
	      GROUPS_ENAB


       default_useradd
	      A	 path  to the default/useradd file from useradd in shadow.  If
	      this variable is defined, the variables from the named file  are
	      used  in	place of some libuser variables.  Variables explicitly
	      defined  in  libuser.conf	 are  not  affected  by	 contents   of
	      default/useradd.

	      The following variables are imported:
		       |
	      Variable | Imported as
	      ---------+--------------------------------
	      EXPIRE   | userdefaults/LU_SHADOWEXPIRE
	      GROUP    | userdefaults/LU_GIDNUMBER
	      HOME     | userdefaults/LU_HOMEDIRECTORY
	      INACTIVE | userdefaults/LU_SHADOWINACTIVE
	      SHELL    | userdefaults/LU_LOGINSHELL
	      SKEL     | defaults/skeleton

	      The HOME variable value has /%n appended to it before importing.


[userdefaults]
       This  section  defines attribute values of newly created user entities.
       There is one special variable:


       LU_UIDNUMBER
	      A decimal number, the first allowed UID value for regular	 users
	      (not system users).  Default value is 500.


       All  other  variables  have  the same names as the attribute names from
       <libuser/entity.h> and define attribute values.	Either the macro  name
       (e.g.  LU_GECOS)	 or  the macro content (e.g. pw_gecos) can be used; if
       both are used, the one appearing later in  the  configuration  file  is
       used.

       The  %  character  in  the  value  of the variable introduces an escape
       sequence: %n is replaced by the user name, %d is	 replaced  by  current
       date  in days since the epoch, %u is replaced by the user's UID.	 There
       is no way to escape the % character and avoid this substitution.

       After the userdefaults section is processed, modules may	 define	 addi-
       tional  attributes or even override the attributes defined in this sec-
       tion.


[groupdefaults]
       The groupdefaults section is similar to	userdefaults.	There  is  one
       special variable:


       LU_GIDNUMBER
	      A decimal number, the first allowed GID value for regular groups
	      (not system groups).  Default value is 500.


       The other variables follow the same rules as in the  userdefaults  sec-
       tion,  except that %n and %u are replaced by the group name and group's
       GID, respectively.

       After the groupdefaults section is processed, modules may define	 addi-
       tional  attributes or even override the attributes defined in this sec-
       tion.


[files]
       Configures the files module, which manages /etc/group and  /etc/passwd.
       The configuration variables are probably useful only for libuser devel-
       opment.


       directory
	      The directory containing the group and  passwd  files.   Default
	      value is /etc.


       nonroot
	      Allow module initialization when not invoked as the root user if
	      the value is yes.


[shadow]
       Configures  the	files	module,	  which	  manages   /etc/gshadow   and
       /etc/shadow.   The configuration variables are probably useful only for
       libuser development.


       directory
	      The directory containing the gshadow and shadow files.   Default
	      value is /etc.


       nonroot
	      Allow module initialization when not invoked as the root user if
	      the value is yes.


[ldap]
       Configures the ldap module, which manages an user  database  accessible
       using LDAP.


       userBranch
	      The LDAP suffix for user entities.  Default value is ou=People.


       groupBranch
	      The LDAP suffix for group entities.  Default value is ou=Group.


       server A domain name or an URI of the LDAP server.  The URI can use the
	      ldap, ldapi or the ldaps protocol.  When a simple domain name is
	      used,  the connection fails if TLS can not be used; an URI using
	      the ldap protocol allows connection without TLS.	TLS  is	 never
	      used with the ldapi protocol.  Default value is ldap.


       basedn The base DN of the server.  Default value is dc=example,dc=com.


       binddn A	 DN for binding to the server.	If the value is empty or bind-
	      ing using this DN fails, a DN of	uid=user,userBranch,basedn  is
	      used,  where  userBranch and basedn are variables from this sec-
	      tion and user is the user name  of  the  invoking	 user,	unless
	      overridden  by  the  user	 variable  from this section.  Default
	      value is cn=manager,dc=example,dc=com.


       user   The SASLv2 identity for authenticating to the LDAP server,  also
	      overrides the user name for generating a bind DN.	 Default value
	      is the name of the invoking user.


       password
	      The password used for a simple bind by default.  If  not	speci-
	      fied,  there is no default and the user must supply the password
	      each time.

	      IT IS STRONGLY RECOMMENDED NOT TO STORE A PASSWORD IN  THE  SYS-
	      TEM-WIDE	/etc/libuser.conf  FILE.   The	configuration  file is
	      world-readable by default, and setuid programs that prompt for a
	      server  name  could be used to send the password to an attacker-
	      controlled server.


       authuser
	      The SASLv2 authorization user, if non-empty.  Default  value  is
	      empty.


       bindtype
	      The  list	 of  bind  types to use, separated by commas.  Allowed
	      bind types are simple, sasl, and sasl/mechanism, where mechanism
	      is a SASL mechanism.  The bind types (but not necessarily mecha-
	      nism) are case-insensitive.  If more than one bind type is spec-
	      ified,  their  relative order is ignored.	 Default value is sim-
	      ple,sasl.



[sasl]
       Configures the sasl module, which manages a SASLv2 user database.


       appname
	      Name of the SASLv2 application.  Default value is empty.


       domain Domain used by libuser for  the  SASLv2  authentication  object.
	      Default value is empty.


BUGS
       Invalid lines in the configuration file (or the imported shadow config-
       uration files) are silently ignored.


FILES
       /etc/libuser.conf
	      The default location of the configuration file. Can be  overrid-
	      den  by the LIBUSER_CONF environment variable, except in set-uid
	      or set-gid programs.



libuser				  2010-02-08		       libuser.conf(5)