libuser.conf(5) File Formats Manual libuser.conf(5)
NAME
libuser.conf - configuration for libuser and libuser utilities
FILE FORMAT
libuser.conf is a text file. Leading and trailing white space on each
line is ignored. Lines starting with # are ignored.
The file defines variables grouped into sections. Each section starts
with a section header:
[section name]
A single section header can appear more than once in the file.
The lines following a section header define variables from that section:
variable = value
The value can be empty.
A variable can have more than one value, specified by using more than
one line defining that variable. All currently defined variables
accept only the first value and ignore the others, if any.
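The format rules above, as an added example (a small reader written for this page, not libuser's own parser): it ignores surrounding white space and # lines, lets a section header recur, accepts empty values, keeps every value of a repeated variable in file order, and honours only the first one on lookup, as the manual says current variables do. The sample configuration inside it is constructed.

```python
"""Minimal reader for the libuser.conf file format (added illustration, not libuser's code)."""
from collections import defaultdict
from typing import Dict, List, Optional


def parse_libuser_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {section: {variable: [value, value, ...]}}.

    Every value of a variable is kept in file order so the first-value-wins
    rule can be applied (and audited) afterwards.  Lines that are neither a
    comment, a header nor an assignment are skipped, matching the BUGS note
    that invalid lines are silently ignored.
    """
    conf: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()                 # leading/trailing white space is ignored
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()   # the same header may appear more than once
            conf[section]                  # make sure an empty section still exists
            continue
        if section is None or "=" not in line:
            continue                       # invalid line: silently ignored
        name, _, value = line.partition("=")
        conf[section][name.strip()].append(value.strip())   # the value may be empty
    return {s: dict(v) for s, v in conf.items()}


def get(conf, section: str, variable: str, default: Optional[str] = None) -> Optional[str]:
    """Look a variable up the way the manual says libuser does: only the
    first value counts; any further values are ignored."""
    values = conf.get(section, {}).get(variable)
    return values[0] if values else default


# Constructed sample configuration (not a real system file).
SAMPLE = """\
# comment line
   [defaults]
crypt_style = sha512
hash_rounds_min = 5000
hash_rounds_max = 50000

[userdefaults]
LU_HOMEDIRECTORY = /home/%n
LU_LOGINSHELL =
LU_LOGINSHELL = /bin/bash

[defaults]
create_modules = files shadow
crypt_style = md5
"""

if __name__ == "__main__":
    parsed = parse_libuser_conf(SAMPLE)
    print(get(parsed, "defaults", "crypt_style"))                # sha512: first value wins
    print(repr(get(parsed, "userdefaults", "LU_LOGINSHELL")))    # '': an empty first value still wins
    print(get(parsed, "defaults", "create_modules"))             # files shadow: section was reopened
    print(parsed["defaults"]["crypt_style"])                     # ['sha512', 'md5']: both kept, second ignored
```

Keeping the ignored values around is deliberate: a duplicate `crypt_style` or `password` line later in the file is exactly the kind of silent misconfiguration worth reporting, even though libuser itself never acts on it.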
[defaults]
create_modules
A list of module names to use when creating user or group
entries, unless the application specifies a different list. The
module names in the list can be separated using space, tab or
comma. Default value is files shadow.
crypt_style
The algorithm to use for password encryption when creating new
passwords. The current algorithm may be retained when changing
a password of an existing user, depending on the application.
Possible values are des, md5, blowfish, sha256 and sha512, all
case-insensitive. Unrecognized values are treated as des.
Default value is des.
hash_rounds_min, hash_rounds_max
These variables specify an inclusive range of hash rounds used
when crypt_style is sha256 or sha512. A number of hash rounds
is chosen from this interval randomly. A larger number of
rounds makes password checking, and brute-force attempts to
guess the password by reversing the hash, more CPU-intensive.
The number of rounds is restricted to the interval [1000,
999999999].
If only one of the above variables is specified, the number of
rounds used is specified by the other variable. If neither
variable is specified, the number of rounds is chosen by libc.
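The rounds selection described above, as an added example (written for this page; it is not libuser's code). It applies the stated rules for both, one, or neither variable being set, and builds the crypt(3) setting prefix through which the chosen count reaches libcrypt. Two assumptions are made and marked in the code: a value outside [1000, 999999999] is clamped into that interval (the manual only says the number is "restricted" to it), and the count is passed with the `$5$rounds=N$` / `$6$rounds=N$` prefix that glibc's sha256crypt and sha512crypt accept.

```python
"""Choosing the SHA-crypt rounds count from hash_rounds_min/hash_rounds_max (added illustration)."""
import random
from typing import Optional

ROUNDS_MIN_ALLOWED = 1000        # lower bound of the interval given in the manual
ROUNDS_MAX_ALLOWED = 999999999   # upper bound of the interval given in the manual

# crypt(3) setting prefixes of the two crypt_style values that honour hash_rounds_*.
SHA_PREFIX = {"sha256": "$5$", "sha512": "$6$"}


def clamp_rounds(n: int) -> int:
    """Keep a configured value inside [1000, 999999999] (assumption: clamp rather than reject)."""
    return max(ROUNDS_MIN_ALLOWED, min(ROUNDS_MAX_ALLOWED, n))


def choose_rounds(rounds_min: Optional[int], rounds_max: Optional[int],
                  rng: Optional[random.Random] = None) -> Optional[int]:
    """Return the rounds count to use, or None to leave the choice to libc.

    both set:      a random value from the inclusive interval [min, max]
    only one set:  that value is used on its own
    neither set:   None, i.e. libc's default applies
    """
    if rounds_min is None and rounds_max is None:
        return None
    if rounds_min is None:
        return clamp_rounds(rounds_max)
    if rounds_max is None:
        return clamp_rounds(rounds_min)
    lo, hi = clamp_rounds(rounds_min), clamp_rounds(rounds_max)
    if lo > hi:
        lo, hi = hi, lo                  # assumption: tolerate a reversed interval
    rng = rng or random.SystemRandom()   # os-backed randomness for the per-password choice
    return rng.randint(lo, hi)           # inclusive on both ends


def sha_setting(crypt_style: str, rounds: Optional[int]) -> str:
    """Build the crypt(3) setting prefix for a new sha256/sha512 hash.

    With rounds=None the prefix carries no rounds= parameter, so libc's own
    default applies: that is the "neither variable specified" case.
    """
    style = crypt_style.lower()          # crypt_style is case-insensitive
    if style not in SHA_PREFIX:
        raise ValueError("hash_rounds_* only apply to sha256 and sha512")
    if rounds is None:
        return SHA_PREFIX[style]
    return f"{SHA_PREFIX[style]}rounds={rounds}$"


if __name__ == "__main__":
    print(sha_setting("sha512", choose_rounds(5000, 50000)))   # e.g. $6$rounds=23117$
    print(sha_setting("SHA256", choose_rounds(None, 200)))     # $5$rounds=1000$ (200 clamped up)
    print(sha_setting("sha512", choose_rounds(None, None)))    # $6$ (libc chooses)
```

The random pick is per password, so two accounts created with the same interval normally end up with different `rounds=` values in /etc/shadow; that is expected and does not indicate a misconfiguration.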
mailspooldir
The directory containing users' mail spool files. Default value
is /var/mail.
moduledir
The directory containing libuser modules. Default value uses
the modules installed with libuser, corresponding to the
architecture of the libuser library, e.g. /usr/lib/libuser or
/usr/lib64/libuser (assuming libuser was configured with
--prefix=/usr).
modules
A list of module names to use when not creating user or group
entries, unless the application specifies a different list. The
module names in the list can be separated using space, tab or
comma. Default value is files shadow.
skeleton
The directory containing files to copy to newly created home
directories. Default value is /etc/skel.
[import]
login_defs
A path to the login.defs file from shadow. If this variable is
defined, the variables from the named file are used in place of
some libuser variables. Variables explicitly defined in
libuser.conf are not affected by contents of login.defs.
The following variables are imported:
Variable             | Imported as
---------------------+-------------------------------
ENCRYPT_METHOD       | defaults/crypt_style
GID_MIN              | groupdefaults/LU_GIDNUMBER
MAIL_DIR             | defaults/mailspooldir
MD5_CRYPT_ENAB       | defaults/crypt_style
PASS_MAX_DAYS        | userdefaults/LU_SHADOWMAX
PASS_MIN_DAYS        | userdefaults/LU_SHADOWMIN
PASS_WARN_AGE        | userdefaults/LU_SHADOWWARNING
SHA_CRYPT_MIN_ROUNDS | defaults/hash_rounds_min
SHA_CRYPT_MAX_ROUNDS | defaults/hash_rounds_max
UID_MIN              | userdefaults/LU_UIDNUMBER
The following variables are not imported: CREATE_HOME, GID_MAX,
MAIL_FILE, SYSLOG_SG_ENAB, UID_MAX, UMASK, USERDEL_CMD,
USERGROUPS_ENAB
default_useradd
A path to the default/useradd file from useradd in shadow. If
this variable is defined, the variables from the named file are
used in place of some libuser variables. Variables explicitly
defined in libuser.conf are not affected by contents of
default/useradd.
The following variables are imported:
Variable | Imported as
---------+--------------------------------
EXPIRE   | userdefaults/LU_SHADOWEXPIRE
GROUP    | userdefaults/LU_GIDNUMBER
HOME     | userdefaults/LU_HOMEDIRECTORY
INACTIVE | userdefaults/LU_SHADOWINACTIVE
SHELL    | userdefaults/LU_LOGINSHELL
SKEL     | defaults/skeleton
The HOME variable value has /%n appended to it before importing.
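The login_defs and default_useradd imports above, as an added example (written for this page, not libuser's code). It applies the two mapping tables, lets a variable set explicitly in libuser.conf win over an imported one, leaves out the variables the manual lists as not imported, and appends /%n to HOME. One assumption, marked in the code: MD5_CRYPT_ENAB is skipped because it is a yes/no switch and the manual does not say how it is converted to a crypt_style value, whereas ENCRYPT_METHOD is copied as-is. The two shadow files and the explicit settings are constructed samples.

```python
"""Importing shadow's login.defs and default/useradd into libuser variables (added illustration)."""
from typing import Dict, Tuple

# (file variable) -> (libuser section, libuser variable), taken from the manual's tables.
# MD5_CRYPT_ENAB is deliberately absent (assumption: its yes/no conversion is unspecified).
LOGIN_DEFS_MAP = {
    "ENCRYPT_METHOD": ("defaults", "crypt_style"),
    "GID_MIN": ("groupdefaults", "LU_GIDNUMBER"),
    "MAIL_DIR": ("defaults", "mailspooldir"),
    "PASS_MAX_DAYS": ("userdefaults", "LU_SHADOWMAX"),
    "PASS_MIN_DAYS": ("userdefaults", "LU_SHADOWMIN"),
    "PASS_WARN_AGE": ("userdefaults", "LU_SHADOWWARNING"),
    "SHA_CRYPT_MIN_ROUNDS": ("defaults", "hash_rounds_min"),
    "SHA_CRYPT_MAX_ROUNDS": ("defaults", "hash_rounds_max"),
    "UID_MIN": ("userdefaults", "LU_UIDNUMBER"),
}
USERADD_MAP = {
    "EXPIRE": ("userdefaults", "LU_SHADOWEXPIRE"),
    "GROUP": ("userdefaults", "LU_GIDNUMBER"),
    "HOME": ("userdefaults", "LU_HOMEDIRECTORY"),
    "INACTIVE": ("userdefaults", "LU_SHADOWINACTIVE"),
    "SHELL": ("userdefaults", "LU_LOGINSHELL"),
    "SKEL": ("defaults", "skeleton"),
}

Conf = Dict[Tuple[str, str], str]   # (section, variable) -> effective value


def parse_login_defs(text: str) -> Dict[str, str]:
    """login.defs lines are 'NAME value'; '#' starts a comment."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            out[parts[0]] = parts[1] if len(parts) == 2 else ""
    return out


def parse_useradd_defaults(text: str) -> Dict[str, str]:
    """default/useradd lines are 'NAME=value'; '#' starts a comment."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, _, value = line.partition("=")
            out[name.strip()] = value.strip()
    return out


def import_shadow_config(explicit: Conf, login_defs: str, useradd: str) -> Conf:
    """Merge the imported values underneath libuser.conf's explicit settings."""
    merged: Conf = {}
    for source, mapping in ((parse_login_defs(login_defs), LOGIN_DEFS_MAP),
                            (parse_useradd_defaults(useradd), USERADD_MAP)):
        for name, value in source.items():
            if name not in mapping:
                continue                  # e.g. UID_MAX, UMASK: not imported
            if name == "HOME":
                value = value + "/%n"     # manual: HOME gets /%n appended
            merged[mapping[name]] = value
    merged.update(explicit)               # explicit libuser.conf variables always win
    return merged


# Constructed sample inputs (not real system files).
LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   90
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000
ENCRYPT_METHOD  SHA512
SHA_CRYPT_MIN_ROUNDS 5000
"""
USERADD_DEFAULTS = """\
# /etc/default/useradd (constructed sample)
GROUP=100
HOME=/home
SHELL=/bin/bash
SKEL=/etc/skel
"""
# Variables set explicitly in libuser.conf (constructed); these must survive the import.
EXPLICIT: Conf = {("userdefaults", "LU_UIDNUMBER"): "2000"}

if __name__ == "__main__":
    for (section, variable), value in sorted(import_shadow_config(EXPLICIT, LOGIN_DEFS, USERADD_DEFAULTS).items()):
        print(f"{section}/{variable} = {value}")
```

Running it shows UID_MIN from login.defs losing to the explicit LU_UIDNUMBER, UID_MAX not appearing at all, and HOME arriving as /home/%n; the %n is expanded later, when a user is created, not at import time.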
[userdefaults]
This section defines attribute values of newly created user entities.
There is one special variable:
LU_UIDNUMBER
A decimal number, the first allowed UID value for regular users
(not system users). Default value is 500.
All other variables have the same names as the attribute names from
<libuser/entity.h> and define attribute values. Either the macro name
(e.g. LU_GECOS) or the macro content (e.g. pw_gecos) can be used; if
both are used, the one appearing later in the configuration file is
used.
The % character in the value of the variable introduces an escape
sequence: %n is replaced by the user name, %d is replaced by current
date in days since the epoch, %u is replaced by the user's UID. There
is no way to escape the % character and avoid this substitution.
After the userdefaults section is processed, modules may define
additional attributes or even override the attributes defined in this
section.
[groupdefaults]
The groupdefaults section is similar to userdefaults. There is one
special variable:
LU_GIDNUMBER
A decimal number, the first allowed GID value for regular groups
(not system groups). Default value is 500.
The other variables follow the same rules as in the userdefaults
section, except that %n and %u are replaced by the group name and the
group's GID, respectively.
After the groupdefaults section is processed, modules may define
additional attributes or even override the attributes defined in this
section.
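The % escape sequences of both the userdefaults and the groupdefaults section, as an added example (written for this page, not libuser's code): the same routine serves users (%n = user name, %u = UID) and groups (%n = group name, %u = GID), %d is the day count since the epoch, and a % that the text cannot escape is shown being substituted regardless. One assumption, marked in the code: a % followed by anything other than n, d or u is left untouched, since the manual defines only those three. The sample section is constructed.

```python
"""Expanding %n, %d and %u in userdefaults/groupdefaults values (added illustration)."""
import time
from typing import Dict, Optional


def days_since_epoch(now: Optional[float] = None) -> int:
    """%d: whole days since 1970-01-01 00:00 UTC."""
    return int((time.time() if now is None else now) // 86400)


def expand_default(value: str, name: str, idnum: int, days: Optional[int] = None) -> str:
    """Substitute the escapes in one attribute value.

    Users:  name = user name,  idnum = UID
    Groups: name = group name, idnum = GID
    That is the only difference between the two sections.
    """
    subst = {"n": name, "u": str(idnum),
             "d": str(days_since_epoch() if days is None else days)}
    out = []
    i = 0
    while i < len(value):
        if value[i] == "%" and i + 1 < len(value) and value[i + 1] in subst:
            out.append(subst[value[i + 1]])
            i += 2
        else:
            out.append(value[i])   # plain text, a trailing '%', or an unknown escape (assumption: kept as-is)
            i += 1
    return "".join(out)


def expand_section(section: Dict[str, str], name: str, idnum: int, days: int) -> Dict[str, str]:
    """Apply expand_default to every variable of a parsed userdefaults/groupdefaults section."""
    return {k: expand_default(v, name, idnum, days) for k, v in section.items()}


# Constructed sample: a [userdefaults] section as parsed from libuser.conf.
USERDEFAULTS = {
    "LU_HOMEDIRECTORY": "/home/%n",
    "LU_GECOS": "%n",
    "LU_SHADOWLASTCHANGE": "%d",
    "LU_LOGINSHELL": "/bin/bash",
}

if __name__ == "__main__":
    for k, v in expand_section(USERDEFAULTS, "alice", 1001, 18000).items():
        print(f"{k} = {v}")
    # The caveat from the text: a value that is meant to contain a literal "%u"
    # cannot be written, because the sequence is always substituted.
    print(expand_default("quota 100%u", "alice", 1001, 18000))   # quota 1001001
    print(expand_default("/home/%n", "wheel", 10, 18000))       # group use: /home/wheel
```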
[files]
Configures the files module, which manages /etc/group and /etc/passwd.
The configuration variables are probably useful only for libuser
development.
directory
The directory containing the group and passwd files. Default
value is /etc.
nonroot
Allow module initialization when not invoked as the root user if
the value is yes.
[shadow]
Configures the shadow module, which manages /etc/gshadow and
/etc/shadow. The configuration variables are probably useful only for
libuser development.
directory
The directory containing the gshadow and shadow files. Default
value is /etc.
nonroot
Allow module initialization when not invoked as the root user if
the value is yes.
[ldap]
Configures the ldap module, which manages a user database accessible
using LDAP.
userBranch
The LDAP suffix for user entities. Default value is ou=People.
groupBranch
The LDAP suffix for group entities. Default value is ou=Group.
server A domain name or a URI of the LDAP server. The URI can use the
ldap, ldapi or the ldaps protocol. When a simple domain name is
used, the connection fails if TLS cannot be used; a URI using
the ldap protocol allows connection without TLS. TLS is never
used with the ldapi protocol. Default value is ldap.
basedn The base DN of the server. Default value is dc=example,dc=com.
binddn A DN for binding to the server. If the value is empty or
binding using this DN fails, a DN of uid=user,userBranch,basedn is
used, where userBranch and basedn are variables from this
section and user is the user name of the invoking user, unless
overridden by the user variable from this section. Default
value is cn=manager,dc=example,dc=com.
user The SASLv2 identity for authenticating to the LDAP server, also
overrides the user name for generating a bind DN. Default value
is the name of the invoking user.
password
The password used for a simple bind by default. If not
specified, there is no default and the user must supply the password
each time.
IT IS STRONGLY RECOMMENDED NOT TO STORE A PASSWORD IN THE
SYSTEM-WIDE /etc/libuser.conf FILE. The configuration file is
world-readable by default, and setuid programs that prompt for a
server name could be used to send the password to an attacker-
controlled server.
authuser
The SASLv2 authorization user, if non-empty. Default value is
empty.
bindtype
The list of bind types to use, separated by commas. Allowed
bind types are simple, sasl, and sasl/mechanism, where mechanism
is a SASL mechanism. The bind types (but not necessarily
mechanism) are case-insensitive. If more than one bind type is
specified, their relative order is ignored. Default value is
simple,sasl.
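The binddn fallback and the stored-password warning of the [ldap] section, as an added example (written for this page, not libuser's code). bind_dn() follows the binddn/user/userBranch/basedn rules stated above, with the manual's defaults filled in; audit_ldap_section() is a defender's check that reports a password kept in the configuration, a file mode that lets group or others read it, and a server URI whose ldap scheme permits a bind without TLS. The section is taken as an already-parsed dict (first value of each variable) and the file mode is passed in, so the check runs on the constructed sample below without touching the system file.

```python
"""[ldap] bind-DN fallback and a stored-password audit (added illustration)."""
import stat
from typing import Dict, List

LDAP_DEFAULTS: Dict[str, str] = {       # defaults stated in the manual
    "userBranch": "ou=People",
    "groupBranch": "ou=Group",
    "server": "ldap",
    "basedn": "dc=example,dc=com",
    "binddn": "cn=manager,dc=example,dc=com",
    "bindtype": "simple,sasl",
}


def bind_dn(ldap: Dict[str, str], invoking_user: str, first_bind_failed: bool = False) -> str:
    """DN to bind with.

    The configured binddn is used unless it is empty or a bind with it has
    already failed; then uid=<user>,<userBranch>,<basedn> is built, where
    <user> is the invoking user's name unless the 'user' variable overrides it.
    """
    cfg = {**LDAP_DEFAULTS, **ldap}
    if cfg["binddn"] and not first_bind_failed:
        return cfg["binddn"]
    user = cfg.get("user") or invoking_user
    return f"uid={user},{cfg['userBranch']},{cfg['basedn']}"


def audit_ldap_section(ldap: Dict[str, str], file_mode: int) -> List[str]:
    """Return findings for one parsed [ldap] section; an empty list means nothing to report."""
    findings: List[str] = []
    if ldap.get("password"):
        findings.append("[ldap] password is stored in the configuration file")
        if file_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("the file is readable by group/others, so the stored password is exposed")
    server = ldap.get("server", LDAP_DEFAULTS["server"])
    if server.lower().startswith("ldap://"):
        findings.append("server uses the ldap:// scheme, which allows a bind without TLS")
    return findings


# Constructed sample: an [ldap] section already parsed into a dict, plus two file modes.
SAMPLE_LDAP = {
    "server": "ldap://ldap.example.com",
    "basedn": "dc=example,dc=com",
    "binddn": "cn=manager,dc=example,dc=com",
    "password": "constructed-example-secret",
}
WORLD_READABLE = 0o644   # the default mode the manual refers to
ROOT_ONLY = 0o600

if __name__ == "__main__":
    for finding in audit_ldap_section(SAMPLE_LDAP, WORLD_READABLE):
        print("finding:", finding)
    print(bind_dn(SAMPLE_LDAP, "alice"))                          # cn=manager,dc=example,dc=com
    print(bind_dn(SAMPLE_LDAP, "alice", first_bind_failed=True))  # uid=alice,ou=People,dc=example,dc=com
```

To run the audit against a live system, feed it the [ldap] section of /etc/libuser.conf and `os.stat("/etc/libuser.conf").st_mode`; the mode mask uses the standard stat constants, so no octal arithmetic is needed at the call site.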
[sasl]
Configures the sasl module, which manages a SASLv2 user database.
appname
Name of the SASLv2 application. Default value is empty.
domain Domain used by libuser for the SASLv2 authentication object.
Default value is empty.
BUGS
Invalid lines in the configuration file (or the imported shadow
configuration files) are silently ignored.
FILES
/etc/libuser.conf
The default location of the configuration file. Can be
overridden by the LIBUSER_CONF environment variable, except in set-uid
or set-gid programs.
libuser 2010-02-08 libuser.conf(5)