default.conf(5)                IPA Manual Pages                default.conf(5)

NAME

       default.conf - IPA configuration file

SYNOPSIS

       /etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf,
       /etc/ipa/cli.conf

DESCRIPTION

       The default.conf configuration file is used to set system-wide defaults
       to be applied when running IPA clients and servers.

       Users may create an optional configuration file in ~/.ipa/default.conf
       which will be merged into the system-wide defaults file.

       The following files are read, in order:
           ~/.ipa/default.conf
           /etc/ipa/<context>.conf
           /etc/ipa/default.conf
           built-in constants

       The IPA server does not read ~/.ipa/default.conf.

       The first setting wins: a value found in an earlier file in this list
       takes precedence over the same option in any later file or built-in
       constant.

SYNTAX

       The configuration options are not case sensitive. The values may be
       case sensitive, depending on the option.

       Blank lines are ignored. Lines beginning with # are comments and are
       ignored.

       Valid lines consist of an option name, an equals sign and a value.
       Spaces surrounding the equals sign are ignored. An option terminates at
       the end of a line.

       Values should not be quoted; the quotes will not be stripped, so a
       quoted value is stored with its quote characters included.

           # Wrong - don't include quotes
           verbose = "True"

           # Right - Properly formatted options
           verbose = True
           verbose=True

       Options must appear in the section named [global]. There are no other
       sections defined or used currently.

       Options may be defined that are not used by IPA. Be careful of
       misspellings; they will not be rejected, so a misspelled option name is
       silently accepted and has no effect.
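
       The following Python example is added here to show the syntax rules
       above and the DESCRIPTION's "first setting wins" merge order working
       together; it is not FreeIPA's own loader. The file contents, the
       built-in constant values and the function names (parse_default_conf,
       load_config, unknown_options) are constructed for this example, and the
       rule that a name repeated inside one file takes the last value is an
       assumption, since the page only defines precedence across files.

```python
import re

# Constructed in-memory stand-ins for the files named on this page; the real
# loader reads them from disk, this example reads them from this dict.
SAMPLE_FILES = {
    "~/.ipa/default.conf": "# user override\n[global]\nverbose = True\n",
    "/etc/ipa/cli.conf": "[global]\nDEBUG=True\n",
    "/etc/ipa/default.conf": (
        "[global]\n"
        'verbose = "False"\n'  # wrong: the quotes become part of the value
        "realm = EXAMPLE.COM\n"
        "verbos = False\n"  # misspelled option: accepted, never used
    ),
}
# Built-in constants are consulted last (illustrative values only).
BUILTIN_CONSTANTS = {"verbose": "False", "debug": "False", "interactive": "True"}
# Option names documented on this page; anything else is unknown to IPA.
KNOWN_OPTIONS = {
    "basedn", "ca_agent_port", "ca_ee_port", "ca_host", "ca_port", "context",
    "debug", "dogtag_version", "domain", "enable_ra", "fallback", "host",
    "in_server", "in_tree", "interactive", "kinit_lifetime", "ldap_uri", "mode",
    "mount_ipa", "prompt_all", "ra_plugin", "realm", "server",
    "skip_version_check", "startup_timeout", "startup_traceback",
    "validate_api", "verbose", "wait_for_dns", "xmlrpc_uri", "jsonrpc_uri",
    "rpc_protocol",
}


def parse_default_conf(text):
    """Parse one file: blank lines and lines starting with # are skipped,
    option names are lowercased, values are taken verbatim up to the end of
    the line (no quote stripping), and options must sit under [global]."""
    options = {}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'option = value', got {raw!r}")
        if section != "global":
            raise ValueError(f"line {lineno}: options must appear in the [global] section")
        name, _, value = line.partition("=")
        name = name.strip().lower()
        if not name:
            raise ValueError(f"line {lineno}: missing option name")
        # A name repeated within one file: the last line wins (assumption).
        options[name] = value.strip()
    return options


def load_config(context, files=SAMPLE_FILES, builtins=BUILTIN_CONSTANTS, in_server=False):
    """Merge the sources in the documented order; the first file that sets an
    option wins, and the built-in constants fill in whatever is left."""
    order = ["~/.ipa/default.conf", f"/etc/ipa/{context}.conf", "/etc/ipa/default.conf"]
    if in_server:
        order = order[1:]  # the server does not read ~/.ipa/default.conf
    merged = {}
    for path in order:
        if path in files:
            for name, value in parse_default_conf(files[path]).items():
                merged.setdefault(name, value)
    for name, value in builtins.items():
        merged.setdefault(name, value)
    return merged


def unknown_options(config, known=KNOWN_OPTIONS):
    """IPA does not reject misspelled options, so report them here: a typo
    such as 'verbos' otherwise silently leaves the intended option at its
    default. container_* and log_logger_level_* are open-ended families."""
    return sorted(
        name for name in config
        if name not in known
        and not name.startswith("container_")
        and not name.startswith("log_logger_level_")
    )


if __name__ == "__main__":
    cfg = load_config("cli")
    for name in sorted(cfg):
        print(f"{name} = {cfg[name]}")
    print("unknown:", unknown_options(cfg))
```

       Running it for the cli context shows the user file's verbose = True
       overriding the quoted value in /etc/ipa/default.conf, while the server
       (which skips the user file) ends up with the literal string "False",
       quotes included; unknown_options flags the misspelled verbos.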

OPTIONS

       The following options are relevant for the server:

       basedn <base>
              Specifies the base DN to use when performing LDAP operations.
              The base must be in DN format (dc=example,dc=com).

       ca_agent_port <port>
              Specifies the secure CA agent port. The default is 8443.

       ca_ee_port <port>
              Specifies the secure CA end user port. The default is 8443.

       ca_host <hostname>
              Specifies the hostname of the dogtag CA server. The default is
              the hostname of the IPA server.

       ca_port <port>
              Specifies the insecure CA end user port. The default is 8080.

       context <context>
              Specifies the context that IPA is being executed in. IPA may
              operate differently depending on the context. The currently
              defined contexts are cli and server. Additionally this value is
              used to load /etc/ipa/<context>.conf to provide context-specific
              configuration. For example, if you want to always perform client
              requests in verbose mode but do not want to have verbose enabled
              on the server, add the verbose option to /etc/ipa/cli.conf.

       debug <boolean>
              When True provides detailed information. Specifically this sets
              the global log level to "debug". Default is False.

       dogtag_version <version>
              Stores the version of Dogtag. Value 9 is assumed if not
              specified otherwise.

       domain <domain>
              The domain of the IPA server, e.g. example.com.

       enable_ra <boolean>
              Specifies whether the CA is acting as an RA agent, such as when
              dogtag is being used as the Certificate Authority. This setting
              only applies to the IPA server configuration.

       fallback <boolean>
              Specifies whether an IPA client should attempt to fall back and
              try other services if the first connection fails.

       host <hostname>
              Specifies the local system hostname.

       in_server <boolean>
              Specifies whether requests should be forwarded to an IPA server
              or handled locally. This is used internally by IPA in a similar
              way as context. The same IPA framework is used by the ipa
              command-line tool and the server. This setting tells the
              framework whether it should execute the command as if on the
              server or forward it via XML-RPC to a remote server.

       in_tree <boolean>
              This is used in development and is generally a detected value.
              It means that the code is being executed within a source tree.

       interactive <boolean>
              Specifies whether values should be prompted for or not. The
              default is True.

       kinit_lifetime <time duration spec>
              Controls the lifetime of tickets obtained by users
              authenticating to the WebGUI using login/password. The expected
              format is a time duration string. Examples are "2 hours",
              "1h:30m", "10 minutes", "5min, 30sec". When the parameter is not
              set in default.conf, the ticket will have a duration inherited
              from the default value for kerberos clients, which can be set
              as ticket_lifetime in krb5.conf. When the ticket lifetime has
              expired, the ticket is not valid anymore and the GUI will
              prompt to re-login with a message "Your session has expired.
              Please re-login."

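       The following Python example is added to show how a duration string in
       the forms listed for kinit_lifetime can be turned into a number of
       seconds and then used to decide when the WebGUI session has expired;
       it is not FreeIPA's or krb5's parser. The accepted unit spellings, the
       acceptance of a bare number as seconds, and the function names
       (parse_duration, ticket_lifetime_seconds, session_expired) are
       assumptions made for this example.

```python
import re

# Seconds per unit. Both the abbreviated and spelled-out forms used in the
# examples above are accepted; this table is an assumption of this example.
UNIT_SECONDS = {
    "": 1, "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}
# One <number><unit> group, terminated by a comma or colon or the end of text.
_GROUP = re.compile(r"\s*(\d+)\s*([A-Za-z]*)\s*(?:[,:]|$)")


def parse_duration(spec):
    """Convert a duration string ('2 hours', '1h:30m', '10 minutes',
    '5min, 30sec', or a bare number of seconds) into seconds; raises
    ValueError on anything it cannot account for."""
    text = spec.strip()
    if not text:
        raise ValueError("empty duration")
    total, pos = 0, 0
    while pos < len(text):
        m = _GROUP.match(text, pos)
        if m is None:
            raise ValueError(f"cannot parse duration {spec!r} at {text[pos:]!r}")
        qty, unit = int(m.group(1)), m.group(2).lower()
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown time unit {unit!r} in {spec!r}")
        total += qty * UNIT_SECONDS[unit]
        pos = m.end()
    return total


def ticket_lifetime_seconds(config, krb5_default):
    """Lifetime for WebGUI password logins: kinit_lifetime from default.conf
    when set, otherwise the krb5.conf ticket_lifetime value the caller passes
    in (the page says the krb5 client default is inherited)."""
    spec = config.get("kinit_lifetime")
    return parse_duration(spec) if spec else krb5_default


def session_expired(issued_at, now, lifetime_seconds):
    """True once the ticket obtained at issued_at (epoch seconds) has reached
    its lifetime; this is the point at which the GUI asks for a new login."""
    return now >= issued_at + lifetime_seconds


if __name__ == "__main__":
    for example in ("2 hours", "1h:30m", "10 minutes", "5min, 30sec"):
        print(f"{example!r:>14} -> {parse_duration(example)} s")
```
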
       ldap_uri <URI>
              Specifies the URI of the IPA LDAP server to connect to. The URI
              scheme may be one of ldap or ldapi. The default is to use ldapi,
              e.g. ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket

       log_logger_XXX <comma separated list of regexps>
              Loggers whose names match one of the regexps will be assigned
              level XXX.

              Logger levels can be explicitly specified for specific loggers
              as opposed to a global logging level. Specific loggers are
              indicated by a list of regular expressions bound to a level. If
              a logger's name matches the regexp then it is assigned that
              level. This config item must begin with "log_logger_level_" and
              then be followed by a symbolic or numeric log level, for
              example:

                log_logger_level_debug = ipalib\.dn\..*

                log_logger_level_35 = ipalib\.plugins\.dogtag

              The first line says any logger belonging to the ipalib.dn module
              will have its level configured to debug.

              The second line says the ipalib.plugins.dogtag logger will be
              configured to level 35.

              This config item is useful when you only want to see the log
              output from one or more selected loggers. Turning on the global
              debug flag will produce an enormous amount of output. This
              allows you to leave the global debug flag off and selectively
              enable output from a specific logger. Typically loggers are
              bound to classes and plugins.

              Note: logger names are a dot ('.') separated list forming a path
              in the logger tree. The dot character is also a regular
              expression metacharacter (matches any character), therefore you
              will usually need to escape the dot in the logger names by
              preceding it with a backslash.

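       The following Python example is added to show how log_logger_level_*
       entries map onto the standard logging module: each entry becomes a
       (regexp, level) binding and the first binding whose regexp matches a
       logger's name decides that logger's level. It is not FreeIPA's own
       log manager; the function names and the choice to match the regexp
       from the start of the logger name (re.match) are assumptions of this
       example. It also shows the note above in action: an unescaped dot in
       a pattern matches loggers whose names differ at that position.

```python
import logging
import re

# Constructed sample of the two entries shown above, as they would look
# after being parsed out of default.conf (names lowercased, string values).
SAMPLE_CONFIG = {
    "log_logger_level_debug": r"ipalib\.dn\..*",
    "log_logger_level_35": r"ipalib\.plugins\.dogtag",
}

PREFIX = "log_logger_level_"


def parse_logger_level_options(config):
    """Collect (compiled regexp, numeric level) pairs from every
    log_logger_level_<level> option. <level> is either a symbolic name the
    logging module knows (debug, info, warning, ...) or a bare integer such
    as 35, which sits between WARNING (30) and ERROR (40)."""
    bindings = []
    for name, value in config.items():
        if not name.lower().startswith(PREFIX):
            continue
        spec = name[len(PREFIX):]
        if spec.isdigit():
            level = int(spec)
        else:
            level = logging.getLevelName(spec.upper())  # int for known names
            if not isinstance(level, int):
                raise ValueError(f"{name}: unknown log level {spec!r}")
        for pattern in value.split(","):  # comma separated list of regexps
            pattern = pattern.strip()
            if pattern:
                bindings.append((re.compile(pattern), level))
    return bindings


def level_for_logger(logger_name, bindings):
    """Level bound to the first regexp that matches the logger name, matched
    from the start of the name (assumption of this example), else None."""
    for regexp, level in bindings:
        if regexp.match(logger_name):
            return level
    return None


def apply_logger_levels(logger_names, bindings):
    """Set the bound level on each named logger and return each logger's
    resulting explicit level; logging.NOTSET (0) means it was left alone and
    inherits the global level from its parent."""
    result = {}
    for name in logger_names:
        logger = logging.getLogger(name)
        level = level_for_logger(name, bindings)
        if level is not None:
            logger.setLevel(level)
        result[name] = logger.level
    return result


if __name__ == "__main__":
    bindings = parse_logger_level_options(SAMPLE_CONFIG)
    names = ["ipalib.dn.DN", "ipalib.plugins.dogtag", "ipalib.plugins.other"]
    print(apply_logger_levels(names, bindings))
    # The unescaped dot in "ipalib.dn" also matches a logger named ipalibXdn.
    loose = parse_logger_level_options({"log_logger_level_debug": "ipalib.dn"})
    print(level_for_logger("ipalibXdn.DN", loose))
```

       Because only matching loggers get an explicit level, the rest keep
       NOTSET and continue to inherit the global level, which is what lets
       the global debug flag stay off.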
       mode <mode>
              Specifies the mode the server is running in. The currently
              supported values are production and development. When running
              in production mode some self-tests are skipped to improve
              performance.

       mount_ipa <URI>
              Specifies the mount point that the development server will
              register. The default is /ipa/

       prompt_all <boolean>
              Specifies that all options should be prompted for in the IPA
              client, even optional values. Default is False.

       ra_plugin <name>
              Specifies the name of the CA back end to use. The current
              options are dogtag and none. This is a server-side setting.
              Changing this value is not recommended as the CA back end is
              only set up during initial installation.

       realm <realm>
              Specifies the Kerberos realm.

       server <hostname>
              Specifies the IPA Server hostname.

       skip_version_check <boolean>
              Skip client vs. server API version checking. Can lead to
              errors/strange behavior when newer clients talk to older
              servers. Use with caution.

       startup_timeout <time in seconds>
              Controls the amount of time waited when starting a service. The
              default value is 120 seconds.

       startup_traceback <boolean>
              If the IPA server fails to start and this value is True the
              server will attempt to generate a python traceback to make
              identifying the underlying problem easier.

       validate_api <boolean>
              Used internally in the IPA source package to verify that the API
              has not changed. This is used to prevent regressions. If it is
              true then some errors are ignored so enough of the IPA framework
              can be loaded to verify all of the API, even if optional
              components are not installed. The default is False.

       verbose <boolean>
              When True provides more information. Specifically this sets the
              global log level to "info".

       wait_for_dns <number of attempts>
              Controls whether the IPA commands dnsrecord-{add,mod,del} work
              synchronously or not. The DNS commands will repeat DNS queries
              up to the specified number of attempts until the DNS server
              returns an up-to-date answer to a query for modified records.
              Delay between retries is one second.

              The DNS commands will raise a DNSDataMismatch exception if the
              answer doesn't match the expected value even after the specified
              number of attempts.

              The DNS queries will be sent to the resolver configured in
              /etc/resolv.conf on the IPA server.

              Do not enable this in production! This will cause problems if
              the resolver on the IPA server uses a caching server instead of
              a local authoritative server, or e.g. if DNS answers are
              modified by DNS64. The default is disabled (the option is not
              present).

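       The following Python example is added to show the wait_for_dns retry
       loop described above, including the failure mode it warns about: a
       caching resolver that keeps serving the old answer exhausts the
       attempts and the command ends in DNSDataMismatch. It is not FreeIPA's
       code; the function names, the stand-in resolver and the 192.0.2.x
       addresses are constructed for this example, and the sleep function is
       injectable only so the loop can be exercised without real delays.

```python
import time


class DNSDataMismatch(Exception):
    """Resolver still did not return the expected records after the last attempt."""


def wait_for_dns_attempts(config):
    """Number of attempts from the wait_for_dns option; 0 when the option is
    absent, which is the documented default (do not wait at all)."""
    value = config.get("wait_for_dns")
    return int(value) if value else 0


def wait_for_dns_record(query, expected, attempts, delay=1.0, sleep=time.sleep):
    """Re-query the resolver until it returns `expected`, at most `attempts`
    times with `delay` seconds (one second in IPA) between tries. Returns the
    attempt number that saw the up-to-date answer, or None when attempts is 0
    (option disabled: the command returns without waiting)."""
    if attempts <= 0:
        return None
    answer = None
    for attempt in range(1, attempts + 1):
        answer = query()
        if sorted(answer) == sorted(expected):
            return attempt
        if attempt < attempts:
            sleep(delay)
    raise DNSDataMismatch(
        f"expected {sorted(expected)} but resolver returned {sorted(answer)} "
        f"after {attempts} attempts"
    )


def make_caching_resolver(stale, fresh, stale_for):
    """Constructed stand-in for a resolver that serves the old record set for
    the first `stale_for` queries and only then the updated one, mimicking a
    caching server whose TTL has not yet run out."""
    count = {"queries": 0}

    def query():
        count["queries"] += 1
        return list(stale) if count["queries"] <= stale_for else list(fresh)

    return query


if __name__ == "__main__":
    # Update becomes visible on the third query: succeeds within 5 attempts.
    resolver = make_caching_resolver(["192.0.2.1"], ["192.0.2.10"], stale_for=2)
    print(wait_for_dns_record(resolver, ["192.0.2.10"], attempts=5))
    # Cache outlives the attempt budget: this is the DNSDataMismatch case.
    resolver = make_caching_resolver(["192.0.2.1"], ["192.0.2.10"], stale_for=10)
    try:
        wait_for_dns_record(resolver, ["192.0.2.10"], attempts=3)
    except DNSDataMismatch as err:
        print("failed:", err)
```
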
       xmlrpc_uri <URI>
              Specifies the URI of the XML-RPC server for a client. This may
              be used by IPA, and is used by some external tools, such as
              ipa-getcert. Example: https://ipa.example.com/ipa/xml

       jsonrpc_uri <URI>
              Specifies the URI of the JSON server for a client. This is used
              by IPA. If not given, it is derived from xmlrpc_uri. Example:
              https://ipa.example.com/ipa/json

       rpc_protocol <URI>
              Specifies the type of RPC calls IPA makes: 'jsonrpc' or
              'xmlrpc'. Defaults to 'jsonrpc'.

       The following define the containers for the IPA server. Containers
       define where in the DIT objects can be found. The full location of a
       container is the value of container + basedn; with basedn set to
       dc=example,dc=com, for instance, users are found under
       cn=users,cn=accounts,dc=example,dc=com.
                container_accounts: cn=accounts
                container_applications: cn=applications,cn=configs,cn=policies
                container_automount: cn=automount
                container_configs: cn=configs,cn=policies
                container_dns: cn=dns
                container_group: cn=groups,cn=accounts
                container_hbac: cn=hbac
                container_hbacservice: cn=hbacservices,cn=hbac
                container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
                container_host: cn=computers,cn=accounts
                container_hostgroup: cn=hostgroups,cn=accounts
                container_netgroup: cn=ng,cn=alt
                container_permission: cn=permissions,cn=pbac
                container_policies: cn=policies
                container_policygroups: cn=policygroups,cn=configs,cn=policies
                container_policylinks: cn=policylinks,cn=configs,cn=policies
                container_privilege: cn=privileges,cn=pbac
                container_rolegroup: cn=roles,cn=accounts
                container_roles: cn=roles,cn=policies
                container_service: cn=services,cn=accounts
                container_sudocmd: cn=sudocmds,cn=sudo
                container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
                container_sudorule: cn=sudorules,cn=sudo
                container_user: cn=users,cn=accounts
                container_vault: cn=vaults,cn=kra
                container_virtual: cn=virtual operations,cn=etc


FILES

       /etc/ipa/default.conf
              system-wide IPA configuration file

       $HOME/.ipa/default.conf
              user IPA configuration file

       It is also possible to define context-specific configuration files. The
       context is set when the IPA api is initialized. The two currently
       defined contexts in IPA are cli and server. This is helpful, for
       example, if you only want debug enabled on the server and not in the
       client. If debug is set to True in default.conf it will affect both the
       ipa client tool and the IPA server. If it is only set in server.conf
       then only the server will have debug set. These files will be loaded if
       they exist:

       /etc/ipa/cli.conf
              system-wide IPA client configuration file

       /etc/ipa/server.conf
              system-wide IPA server configuration file


SEE ALSO

       ipa(1)



IPA                               Feb 21 2011                  default.conf(5)