Home : Computers : Linux : Man Pages : libuser.conf

libuser.conf



FILE FORMAT

       libuser.conf  is a text file.  Leading and trailing white space on each
       line is ignored.  Lines starting with # are ignored.

       The file defines variables grouped into sections.  Each section  starts
       with a section header:
              [section name]
       A single section header can appear more than once in the file.

       The  lines  following  a section header define variables from that sec-
       tion:
              variable = value
       The value can be empty.

       A variable can have more than one value, specified by using  more  than
       one  line  defining  that  variable.   All  currently defined variables
       accept only the first value and ignore the others, if any.


[defaults]

       create_modules
              A list of module names  to  use  when  creating  user  or  group
              entries, unless the application specifies a different list.  The
              module names in the list can be separated using  space,  tab  or
              comma.  Default value is files shadow.

       crypt_style
              The  algorithm  to use for password encryption when creating new
              passwords.  The current algorithm may be retained when  changing
              a password of an existing user, depending on the application.

              Possible  values  are des, md5, blowfish, sha256 and sha512, all
              case-insensitive.   Unrecognized  values  are  treated  as  des.
              Default value is des.

       hash_rounds_min, hash_rounds_max
              These  variables  specify an inclusive range of hash rounds used
              when crypt_style is sha256 or sha512.  A number of  hash  rounds
              is  chosen  from  this  interval  randomly.   A larger number of
              rounds makes password  checking,  and  brute-force  attempts  to
              guess  the  password  by reversing the hash, more CPU-intensive.
              The number of  rounds  is  restricted  to  the  interval  [1000,
              999999999].

              If  only  one of the above variables is specified, the number of
              rounds used is specified by  the  other  variable.   If  neither
              variable is specified, the number of rounds is chosen by libc.

              A list of module names to use when not creating  user  or  group
              entries, unless the application specifies a different list.  The
              module names in the list can be separated using  space,  tab  or
              comma.  Default value is files shadow.

       skeleton
              The  directory  containing  files  to copy to newly created home
              directories.  Default value is /etc/skel.


[import]

       login_defs
              A path to the login.defs file from shadow.  If this variable  is
              defined,  the variables from the named file are used in place of
              some  libuser  variables.   Variables  explicitly   defined   in
              libuser.conf are not affected by contents of login.defs.

              The following variables are imported:
                                   |
              Variable             | Imported as
              ---------------------+-------------------------------
              ENCRYPT_METHOD       | defaults/crypt_style
              GID_MIN              | groupdefaults/LU_GIDNUMBER
              MAIL_DIR             | defaults/mailspooldir
              MD5_CRYPT_ENAB       | defaults/crypt_style
              PASS_MAX_DAYS        | userdefaults/LU_SHADOWMAX
              PASS_MIN_DAYS        | userdefaults/LU_SHADOWMIN
              PASS_WARN_AGE        | userdefaults/LU_SHADOWWARNING
              SHA_CRYPT_MIN_ROUNDS | defaults/hash_rounds_min
              SHA_CRYPT_MAX_ROUNDS | defaults/hash_rounds_max
              UID_MIN              | userdefaults/LU_UIDNUMBER

              The  following variables are not imported: CREATE_HOME, GID_MAX,
              MAIL_FILE, SYSLOG_SG_ENAB, UID_MAX,  UMASK,  USERDEL_CMD,  USER-
              GROUPS_ENAB

       default_useradd
              A  path  to the default/useradd file from useradd in shadow.  If
              this variable is defined, the variables from the named file  are
              used  in  place of some libuser variables.  Variables explicitly
              defined  in  libuser.conf  are  not  affected  by  contents   of
              default/useradd.

              The following variables are imported:
                       |
              Variable | Imported as
              ---------+--------------------------------
              EXPIRE   | userdefaults/LU_SHADOWEXPIRE
              GROUP    | userdefaults/LU_GIDNUMBER
              HOME     | userdefaults/LU_HOMEDIRECTORY
              (not system users).  Default value is 500.

       All  other  variables  have  the same names as the attribute names from
       <libuser/entity.h> and define attribute values.  Either the macro  name
       (e.g.  LU_GECOS)  or  the macro content (e.g. pw_gecos) can be used; if
       both are used, the one appearing later in  the  configuration  file  is
       used.

       The  %  character  in  the  value  of the variable introduces an escape
       sequence: %n is replaced by the user name, %d is  replaced  by  current
       date  in days since the epoch, %u is replaced by the user's UID.  There
       is no way to escape the % character and avoid this substitution.

       After the userdefaults section is processed, modules may  define  addi-
       tional  attributes or even override the attributes defined in this sec-
       tion.


[groupdefaults]

       The groupdefaults section is similar to  userdefaults.   There  is  one
       special variable:

       LU_GIDNUMBER
              A decimal number, the first allowed GID value for regular groups
              (not system groups).  Default value is 500.

       The other variables follow the same rules as in the  userdefaults  sec-
       tion,  except that %n and %u are replaced by the group name and group's
       GID, respectively.

       After the groupdefaults section is processed, modules may define  addi-
       tional  attributes or even override the attributes defined in this sec-
       tion.


[files]

       Configures the files module, which manages /etc/group and  /etc/passwd.
       The configuration variables are probably useful only for libuser devel-
       opment.

       directory
              The directory containing the group and  passwd  files.   Default
              value is /etc.

       nonroot
              Allow module initialization when not invoked as the root user if
              the value is yes.
              Allow module initialization when not invoked as the root user if
              the value is yes.


[ldap]

       Configures the ldap module, which manages an user  database  accessible
       using LDAP.

       userBranch
              The LDAP suffix for user entities.  Default value is ou=People.

       groupBranch
              The LDAP suffix for group entities.  Default value is ou=Group.

       server A domain name or an URI of the LDAP server.  The URI can use the
              ldap, ldapi or the ldaps protocol.  When a simple domain name is
              used,  the connection fails if TLS can not be used; an URI using
              the ldap protocol allows connection without TLS.  TLS  is  never
              used with the ldapi protocol.  Default value is ldap.

       basedn The base DN of the server.  Default value is dc=example,dc=com.

       binddn A  DN for binding to the server.  If the value is empty or bind-
              ing using this DN fails, a DN of  uid=user,userBranch,basedn  is
              used,  where  userBranch and basedn are variables from this sec-
              tion and user is the user name  of  the  invoking  user,  unless
              overridden  by  the  user  variable  from this section.  Default
              value is cn=manager,dc=example,dc=com.

       user   The SASLv2 identity for authenticating to the LDAP server,  also
              overrides the user name for generating a bind DN.  Default value
              is the name of the invoking user.

       password
              The password used for a simple bind by default.  If  not  speci-
              fied,  there is no default and the user must supply the password
              each time.

              IT IS STRONGLY RECOMMENDED NOT TO STORE A PASSWORD IN  THE  SYS-
              TEM-WIDE  /etc/libuser.conf  FILE.   The  configuration  file is
              world-readable by default, and setuid programs that prompt for a
              server  name  could be used to send the password to an attacker-
              controlled server.



[sasl]

       Configures the sasl module, which manages a SASLv2 user database.

       appname
              Name of the SASLv2 application.  Default value is empty.

       domain Domain used by libuser for  the  SASLv2  authentication  object.
              Default value is empty.


BUGS

       Invalid lines in the configuration file (or the imported shadow config-
       uration files) are silently ignored.


FILES

       /etc/libuser.conf
              The default location of the configuration file. Can be  overrid-
              den  by the LIBUSER_CONF environment variable, except in set-uid
              or set-gid programs.


libuser 2010-02-08 libuser.conf(5)



Subscribe to us on YouTube