default.conf(5)              FreeIPA Manual Pages              default.conf(5)


NAME
       default.conf - IPA configuration file

SYNOPSIS
       /etc/ipa/default.conf,    ~/.ipa/default.conf,    /etc/ipa/server.conf,
       /etc/ipa/cli.conf

DESCRIPTION
       The default.conf configuration file is used to set system-wide defaults
       to be applied when running IPA clients and servers.

       Users may create an optional configuration file in ~/.ipa/default.conf
       which will be merged into the system-wide defaults file.

       The following files are read, in order:
           ~/.ipa/default.conf
           /etc/ipa/<context>.conf
           /etc/ipa/default.conf
           built-in constants

       The IPA server does not read ~/.ipa/default.conf.

       The first setting wins.

SYNTAX
       The configuration options are not case sensitive. The values may be
       case sensitive, depending on the option.

       Blank lines are ignored. Lines beginning with # are comments and are
       ignored.

       Valid lines consist of an option name, an equals sign and a value.
       Spaces surrounding the equals sign are ignored. An option terminates
       at the end of a line.

       Values should not be quoted; the quotes will not be stripped.

           # Wrong - don't include quotes
           verbose = "True"

           # Right - Properly formatted options
           verbose = True
           verbose=True

       Options must appear in the section named [global]. There are no other
       sections defined or used currently.

       Options may be defined that are not used by IPA. Be careful of
       misspellings; they will not be rejected.

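       As an added illustration, not part of this manual page or of FreeIPA's
       own code, the following Python reads files in the search order given in
       DESCRIPTION, applies first-setting-wins, and flags the pitfalls named in
       SYNTAX: quoted values, options outside [global], and misspelled option
       names. The sample file contents and the KNOWN set are constructed for
       the example.

```python
# Option names taken from this manual page; anything else is a likely misspelling.
KNOWN = {"basedn", "context", "debug", "domain", "host", "in_server", "realm",
         "server", "verbose", "xmlrpc_uri", "jsonrpc_uri", "rpc_protocol"}

def parse_default_conf(text):
    """Parse one default.conf-style file into (options, warnings)."""
    options, warnings = {}, []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are ignored
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            warnings.append(f"line {lineno}: expected 'option = value': {line!r}")
            continue
        # Split on the first '=' only: a DN value such as dc=example,dc=com contains '='.
        name, value = (part.strip() for part in line.split("=", 1))
        name = name.lower()                       # option names are case-insensitive
        if section != "global":
            warnings.append(f"line {lineno}: {name} must be in [global]")
            continue
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            warnings.append(f"line {lineno}: {name} is quoted; quotes are not stripped")
        options.setdefault(name, value)           # value kept verbatim (first occurrence, an assumption)
    return options, warnings

def merge_configs(texts):
    """Merge files given in search order; the first file that sets an option wins."""
    merged, warnings = {}, []
    for text in texts:
        options, file_warnings = parse_default_conf(text)
        warnings += file_warnings
        for name, value in options.items():
            merged.setdefault(name, value)
    for name in merged:
        if name not in KNOWN:
            warnings.append(f"unknown option {name!r}: misspellings are not rejected")
    return merged, warnings

# Constructed sample files, listed in the cli search order from DESCRIPTION.
USER_CONF = "[global]\nVerbose = True\n"
CLI_CONF = "[global]\nverbose = False\ndebug = \"True\"\nverbos = True\n"
SYSTEM_CONF = "# system-wide defaults\n[global]\nrealm = EXAMPLE.COM\nbasedn = dc=example,dc=com\n"
```

       Calling merge_configs([USER_CONF, CLI_CONF, SYSTEM_CONF]) keeps the
       user's verbose setting, reports the quoted debug value and the
       misspelled verbos option, and leaves basedn intact despite its
       embedded equals signs.
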
OPTIONS
       The following options are relevant for the server:

       basedn <base>
              Specifies the base DN to use when performing LDAP operations.
              The base must be in DN format (dc=example,dc=com).

       ca_agent_port <port>
              Specifies the secure CA agent port. The default is 8443.

       ca_ee_port <port>
              Specifies the secure CA end user port. The default is 8443.

       ca_host <hostname>
              Specifies the hostname of the dogtag CA server. The default is
              the hostname of the IPA server.

       ca_port <port>
              Specifies the insecure CA end user port. The default is 8080.

       certmonger_wait_timeout <seconds>
              The time to wait for a certmonger request to complete during
              installation. The default value is 300 seconds.

       context <context>
              Specifies the context that IPA is being executed in. IPA may
              operate differently depending on the context. The currently
              defined contexts are cli and server. Additionally this value is
              used to load /etc/ipa/<context>.conf to provide context-specific
              configuration. For example, if you want to always perform client
              requests in verbose mode but do not want to have verbose enabled
              on the server, add the verbose option to /etc/ipa/cli.conf.

       debug <boolean>
              When True provides detailed information. Specifically this sets
              the global log level to "debug". Default is False.

       dogtag_version <version>
              Stores the version of Dogtag. Value 9 is assumed if not
              specified otherwise.

       domain <domain>
              The domain of the IPA server e.g. example.com.

       enable_ra <boolean>
              Specifies whether the CA is acting as an RA agent, such as when
              dogtag is being used as the Certificate Authority. This setting
              only applies to the IPA server configuration.

       fallback <boolean>
              Specifies whether an IPA client should attempt to fall back and
              try other services if the first connection fails.

       host <hostname>
              Specifies the local system hostname.

       http_timeout <seconds>
              Timeout for HTTP blocking requests (e.g. connection). The
              default value is 30 seconds.

       in_server <boolean>
              Specifies whether requests should be forwarded to an IPA server
              or handled locally. This is used internally by IPA in a similar
              way as context. The same IPA framework is used by the ipa
              command-line tool and the server. This setting tells the
              framework whether it should execute the command as if on the
              server or forward it via XML-RPC to a remote server.

       in_tree <boolean>
              This is used in development and is generally a detected value.
              It means that the code is being executed within a source tree.

       interactive <boolean>
              Specifies whether values should be prompted for or not. The
              default is True.

       kinit_lifetime <time duration spec>
              Controls the lifetime of the ticket obtained by users
              authenticating to the WebGUI using login/password. The expected
              format is a time duration string. Examples are "2 hours",
              "1h:30m", "10 minutes", "5min, 30sec". When the parameter is not
              set in default.conf, the ticket will have a duration inherited
              from the default value for Kerberos clients, which can be set as
              ticket_lifetime in krb5.conf. When the ticket lifetime has
              expired, the ticket is not valid anymore and the GUI will prompt
              to re-login with a message "Your session has expired. Please
              re-login."

       ldap_uri <URI>
              Specifies the URI of the IPA LDAP server to connect to. The URI
              scheme may be one of ldap or ldapi. The default is to use ldapi,
              e.g. ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket

       log_logger_level_XXX <comma separated list of regexps>
              Loggers matching a regexp will be assigned level XXX.

              Logger levels can be explicitly specified for specific loggers
              as opposed to a global logging level. Specific loggers are
              indicated by a list of regular expressions bound to a level. If
              a logger's name matches the regexp then it is assigned that
              level. This config item must begin with "log_logger_level_" and
              then be followed by a symbolic or numeric log level, for
              example:

                log_logger_level_debug = ipalib\.dn\..*

                log_logger_level_35 = ipalib\.plugins\.dogtag

              The first line says any logger belonging to the ipalib.dn module
              will have its level configured to debug.

              The second line says the ipalib.plugins.dogtag logger will be
              configured to level 35.

              This config item is useful when you only want to see the log
              output from one or more selected loggers. Turning on the global
              debug flag will produce an enormous amount of output. This
              allows you to leave the global debug flag off and selectively
              enable output from a specific logger. Typically loggers are
              bound to classes and plugins.

              Note: logger names are a dot ('.') separated list forming a path
              in the logger tree. The dot character is also a regular
              expression metacharacter (matches any character), therefore you
              will usually need to escape the dot in the logger names by
              preceding it with a backslash.

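              An added example, not taken from this manual page or from
              FreeIPA's code, that turns log_logger_level_* options into
              per-logger levels. It assumes each regexp is matched against the
              start of the logger name with re.match (as the trailing .* in
              the page's first example suggests); the OPTIONS dict is
              constructed and adds an unescaped variant to show the dot caveat.

```python
import logging
import re

PREFIX = "log_logger_level_"

def logger_level_rules(options):
    """Turn log_logger_level_<level> options into [(level, [compiled regexps])].

    <level> may be a symbolic name such as debug or a number such as 35."""
    rules = []
    for name, value in options.items():
        if not name.startswith(PREFIX):
            continue
        level = name[len(PREFIX):]
        # Symbolic names are resolved through the logging module; numbers are used as-is.
        level = int(level) if level.isdigit() else logging.getLevelName(level.upper())
        if not isinstance(level, int):
            raise ValueError(f"unknown log level in option {name}")
        regexps = [re.compile(r.strip()) for r in value.split(",") if r.strip()]
        rules.append((level, regexps))
    return rules

def level_for(logger_name, rules, default=logging.WARNING):
    """Return the level assigned by the first rule whose regexp matches, else default."""
    for level, regexps in rules:
        if any(r.match(logger_name) for r in regexps):
            return level
    return default

# Constructed options: the two examples from the manual page plus an unescaped
# variant, where '.' matches any character instead of a literal dot.
OPTIONS = {
    "log_logger_level_debug": r"ipalib\.dn\..*",
    "log_logger_level_35": r"ipalib\.plugins\.dogtag",
    "log_logger_level_info": "ipalib.plugins.user",   # unescaped dots (the caveat)
}
```

              With these rules, ipalib.dn.DN gets debug and ipalib.plugins.dogtag
              gets 35, while the unescaped third rule also matches a name such as
              ipalibXpluginsXuser, which is why the dots should be escaped.
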
       mode <mode>
              Specifies the mode the server is running in. The currently
              supported values are production and development. When running
              in production mode some self-tests are skipped to improve
              performance.

       mount_ipa <URI>
              Specifies the mount point that the development server will
              register. The default is /ipa/

       prompt_all <boolean>
              Specifies that all options should be prompted for in the IPA
              client, even optional values. Default is False.

       ra_plugin <name>
              Specifies the name of the CA back end to use. The current
              options are dogtag and none. This is a server-side setting.
              Changing this value is not recommended as the CA back end is
              only set up during initial installation.

       realm <realm>
              Specifies the Kerberos realm.

       replication_wait_timeout <seconds>
              The time to wait for a new entry to be replicated during replica
              installation. The default value is 300 seconds.

       server <hostname>
              Specifies the IPA Server hostname.

       skip_version_check <boolean>
              Skip client vs. server API version checking. Can lead to
              errors/strange behavior when newer clients talk to older
              servers. Use with caution.

       startup_timeout <time in seconds>
              Controls the amount of time waited when starting a service. The
              default value is 120 seconds.

       startup_traceback <boolean>
              If the IPA server fails to start and this value is True the
              server will attempt to generate a python traceback to make
              identifying the underlying problem easier.

       validate_api <boolean>
              Used internally in the IPA source package to verify that the API
              has not changed. This is used to prevent regressions. If it is
              true then some errors are ignored so enough of the IPA framework
              can be loaded to verify all of the API, even if optional
              components are not installed. The default is False.

       verbose <boolean>
              When True provides more information. Specifically this sets the
              global log level to "info".

       wait_for_dns <number of attempts>
              Controls whether the IPA commands dnsrecord-{add,mod,del} work
              synchronously or not. The DNS commands will repeat DNS queries
              up to the specified number of attempts until the DNS server
              returns an up-to-date answer to a query for modified records.
              Delay between retries is one second.

              The DNS commands will raise a DNSDataMismatch exception if the
              answer doesn't match the expected value even after the specified
              number of attempts.

              The DNS queries will be sent to the resolver configured in
              /etc/resolv.conf on the IPA server.

              Do not enable this in production! This will cause problems if
              the resolver on the IPA server uses a caching server instead of
              a local authoritative server or e.g. if DNS answers are modified
              by DNS64. The default is disabled (the option is not present).

       xmlrpc_uri <URI>
              Specifies the URI of the XML-RPC server for a client. This may
              be used by IPA, and is used by some external tools, such as
              ipa-getcert. Example: https://ipa.example.com/ipa/xml

       jsonrpc_uri <URI>
              Specifies the URI of the JSON server for a client. This is used
              by IPA. If not given, it is derived from xmlrpc_uri. Example:
              https://ipa.example.com/ipa/json

       rpc_protocol <protocol>
              Specifies the type of RPC calls IPA makes: 'jsonrpc' or
              'xmlrpc'. Defaults to 'jsonrpc'.

       The following define the containers for the IPA server. Containers
       define where in the DIT objects can be found. The full location is
       the value of container + basedn.
                container_accounts: cn=accounts
                container_applications: cn=applications,cn=configs,cn=policies
                container_automount: cn=automount
                container_configs: cn=configs,cn=policies
                container_dns: cn=dns
                container_group: cn=groups,cn=accounts
                container_hbac: cn=hbac
                container_hbacservice: cn=hbacservices,cn=hbac
                container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
                container_host: cn=computers,cn=accounts
                container_hostgroup: cn=hostgroups,cn=accounts
                container_netgroup: cn=ng,cn=alt
                container_permission: cn=permissions,cn=pbac
                container_policies: cn=policies
                container_policygroups: cn=policygroups,cn=configs,cn=policies
                container_policylinks: cn=policylinks,cn=configs,cn=policies
                container_privilege: cn=privileges,cn=pbac
                container_rolegroup: cn=roles,cn=accounts
                container_roles: cn=roles,cn=policies
                container_service: cn=services,cn=accounts
                container_sudocmd: cn=sudocmds,cn=sudo
                container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
                container_sudorule: cn=sudorules,cn=sudo
                container_user: cn=users,cn=accounts
                container_vault: cn=vaults,cn=kra
                container_virtual: cn=virtual operations,cn=etc


FILES
       /etc/ipa/default.conf
              system-wide IPA configuration file

       $HOME/.ipa/default.conf
              user IPA configuration file

       It is also possible to define context-specific configuration files. The
       context is set when the IPA API is initialized. The two currently
       defined contexts in IPA are cli and server. This is helpful, for
       example, if you only want debug enabled on the server and not in the
       client. If debug is set to True in default.conf it will affect both the
       ipa client tool and the IPA server. If it is only set in server.conf
       then only the server will have debug set. These files will be loaded if
       they exist:

       /etc/ipa/cli.conf
              system-wide IPA client configuration file

       /etc/ipa/server.conf
              system-wide IPA server configuration file


SEE ALSO
       ipa(1)



FreeIPA                           Feb 21 2011                  default.conf(5)