default.conf(5) FreeIPA Manual Pages default.conf(5)

NAME
default.conf - IPA configuration file

SYNOPSIS
/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf,
/etc/ipa/cli.conf

DESCRIPTION
The default.conf configuration file is used to set system-wide defaults
to be applied when running IPA clients and servers.

Users may create an optional configuration file in ~/.ipa/default.conf
which will be merged into the system-wide defaults file.

The following files are read, in order:
~/.ipa/default.conf
/etc/ipa/<context>.conf
/etc/ipa/default.conf
built-in constants

The IPA server does not read ~/.ipa/default.conf.

The first setting wins: once an option has been set by one of these
files, later files in the list do not override it.

SYNTAX
The configuration options are not case sensitive. The values may be
case sensitive, depending on the option.

Blank lines are ignored. Lines beginning with # are comments and are
ignored.

Valid lines consist of an option name, an equals sign and a value.
Spaces surrounding the equals sign are ignored. An option terminates at
the end of a line.

Values should not be quoted; the quotes will not be stripped.

# Wrong - don't include quotes
verbose = "True"

# Right - properly formatted options
verbose = True
verbose=True

Options must appear in the section named [global]. There are no other
sections defined or used currently.

Options may be defined that are not used by IPA. Be careful of
misspellings; they will not be rejected.
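The following is an added example, not FreeIPA's own configuration parser. It implements the file layering and syntax rules described above (files consulted in order, first setting wins, names case-insensitive, comments and blank lines skipped, only [global] honoured, quotes kept literally) and adds a lint pass for the two silent failure modes this page warns about: quoted values and misspelled option names. The KNOWN_OPTIONS set is an assumption taken from the option list on this page; a real check would obtain it from the IPA framework. The sample file contents are constructed.

```python
"""Layered loader for default.conf-style files (added example; not FreeIPA's
own parser).  It follows the rules stated in this manual page and adds a lint
pass for the two silent failure modes it warns about."""
import re

# Server options documented on this page.  A real check would take the list
# from the IPA framework itself; this hard-coded set is an assumption.
KNOWN_OPTIONS = {
    "basedn", "ca_agent_port", "ca_ee_port", "ca_host", "ca_port", "context",
    "debug", "dogtag_version", "domain", "enable_ra", "fallback", "host",
    "in_server", "in_tree", "interactive", "ldap_uri", "mode", "mount_ipa",
    "prompt_all", "ra_plugin", "realm", "session_auth_duration",
    "session_duration_type", "server", "startup_timeout",
    "startup_traceback", "validate_api", "verbose", "wait_for_attr",
    "xmlrpc_uri",
}
OPTION_LINE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")
LOGGER_KEY = re.compile(r"^log_logger_level_\w+$")


def parse_conf(text):
    """Parse one file.  Returns (options, problems).

    Names are lower-cased (the page says names are case-insensitive);
    values are kept verbatim, so surrounding quotes are NOT stripped."""
    options, problems, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = OPTION_LINE.match(line)
        if m is None:
            problems.append(f"line {lineno}: not 'option = value': {raw!r}")
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if section != "global":                   # only [global] is used
            problems.append(f"line {lineno}: {name!r} outside [global]")
            continue
        options.setdefault(name, value)           # keep the first (assumption)
    return options, problems


def merge_in_order(texts):
    """Precedence rule from the page: files are consulted in the given order
    (~/.ipa/default.conf, /etc/ipa/<context>.conf, /etc/ipa/default.conf)
    and the first file that sets an option wins."""
    merged = {}
    for text in texts:
        options, _ = parse_conf(text)
        for name, value in options.items():
            merged.setdefault(name, value)
    return merged


def lint(options):
    """Warn about quoted values and unknown (possibly misspelled) names."""
    warnings = []
    for name, value in options.items():
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            warnings.append(f"{name}: value {value} is quoted; quotes are "
                            "kept as part of the value")
        known = (name in KNOWN_OPTIONS or LOGGER_KEY.match(name)
                 or name.startswith("container_"))
        if not known:
            warnings.append(f"{name}: not a known option (misspelling?); "
                            "it is accepted silently")
    return warnings


# Constructed sample contents, in the order the page says they are read.
USER_CONF = '[global]\nverbose = "True"\n'            # ~/.ipa/default.conf
CLI_CONF = "[global]\ndebug = True\n"                 # /etc/ipa/cli.conf
DEFAULT_CONF = """# /etc/ipa/default.conf (constructed)
[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
Verbose=False
debug = False
verbos = True
xmlrpc_uri = https://ipa.example.com/ipa/xml
"""


def demo():
    """Merge the three constructed files and lint the result."""
    merged = merge_in_order([USER_CONF, CLI_CONF, DEFAULT_CONF])
    return merged, lint(merged)


if __name__ == "__main__":
    merged, warnings = demo()
    for name in sorted(merged):
        print(f"{name} = {merged[name]}")
    print("\n".join(warnings))
```

Running it shows the user file's quoted `"True"` winning over `Verbose=False` from the system file (with the quotes still attached, so the value is not the boolean the author meant) and the misspelled `verbos` accepted without error; both are exactly the cases the lint pass reports.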

OPTIONS
The following options are relevant for the server:

basedn <base>
Specifies the base DN to use when performing LDAP operations.
The base must be in DN format (dc=example,dc=com).

ca_agent_port <port>
Specifies the secure CA agent port. The default is 9443 for
Dogtag 9, and 8443 for Dogtag 10.

ca_ee_port <port>
Specifies the secure CA end user port. The default is 9444 for
Dogtag 9, and 8443 for Dogtag 10.

ca_host <hostname>
Specifies the hostname of the Dogtag CA server. The default is
the hostname of the IPA server.

ca_port <port>
Specifies the insecure CA end user port. The default is 9180 for
Dogtag 9, and 8080 for Dogtag 10.

context <context>
Specifies the context that IPA is being executed in. IPA may
operate differently depending on the context. The currently
defined contexts are cli and server. Additionally, this value is
used to load /etc/ipa/<context>.conf to provide context-specific
configuration. For example, if you want to always perform client
requests in verbose mode but do not want verbose enabled on the
server, add the verbose option to /etc/ipa/cli.conf.

debug <boolean>
When True provides detailed information. Specifically, this sets
the global log level to "debug". The default is False.

dogtag_version <version>
Stores the version of Dogtag. Version 9 is assumed if not
specified otherwise.

domain <domain>
The domain of the IPA server, e.g. example.com.

enable_ra <boolean>
Specifies whether the CA is acting as an RA agent, such as when
Dogtag is being used as the Certificate Authority. This setting
only applies to the IPA server configuration.

fallback <boolean>
Specifies whether an IPA client should attempt to fall back and
try other services if the first connection fails.

host <hostname>
Specifies the hostname of the IPA server. This value is used to
construct URL values on the client and server.

in_server <boolean>
Specifies whether requests should be forwarded to an IPA server
or handled locally. This is used internally by IPA in a similar
way to context. The same IPA framework is used by the ipa
command-line tool and the server. This setting tells the
framework whether it should execute the command as if on the
server or forward it via XML-RPC to a remote server.

in_tree <boolean>
This is used in development and is generally a detected value.
It means that the code is being executed within a source tree.

interactive <boolean>
Specifies whether values should be prompted for or not. The
default is True.

ldap_uri <URI>
Specifies the URI of the IPA LDAP server to connect to. The URI
scheme may be one of ldap or ldapi. The default is to use ldapi,
e.g. ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket

log_logger_level_XXX <comma separated list of regexps>
Loggers matching a regexp will be assigned the XXX level.

Logger levels can be explicitly specified for specific loggers
as opposed to a global logging level. Specific loggers are
indicated by a list of regular expressions bound to a level. If a
logger's name matches the regexp then it is assigned that level.
This config item must begin with "log_logger_level_" and then be
followed by a symbolic or numeric log level, for example:

log_logger_level_debug = ipalib\.dn\..*

log_logger_level_35 = ipalib\.plugins\.dogtag

The first line says any logger belonging to the ipalib.dn module
will have its level configured to debug.

The second line says the ipalib.plugins.dogtag logger will be
configured to level 35.

This config item is useful when you only want to see the log
output from one or more selected loggers. Turning on the global
debug flag will produce an enormous amount of output. This
allows you to leave the global debug flag off and selectively
enable output from a specific logger. Typically loggers are
bound to classes and plugins.

Note: logger names are a dot ('.') separated list forming a path
in the logger tree. The dot character is also a regular
expression metacharacter (matches any character), therefore you
will usually need to escape the dot in the logger names by
preceding it with a backslash.
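An added example (not FreeIPA's logging code) of how log_logger_level_XXX entries can be resolved against logger names, using the two rules quoted above and showing the unescaped-dot pitfall from the note. Two assumptions are made here: the regexp is applied with re.match, i.e. anchored at the start of the logger name but not at its end, and symbolic levels are the standard Python logging names (debug, info, warning, ...).

```python
"""Resolving log_logger_level_XXX rules (added example; not FreeIPA's own
logging code).  Assumptions: regexps are applied with re.match (anchored at
the start of the logger name only) and symbolic levels are the standard
logging level names."""
import logging
import re

RULE_KEY = re.compile(r"^log_logger_level_(\w+)$", re.IGNORECASE)


def parse_logger_rules(options):
    """Turn config options into [(level, compiled_regexp)] in file order."""
    rules = []
    for name, value in options.items():
        m = RULE_KEY.match(name)
        if m is None:
            continue
        spec = m.group(1)
        # numeric level (e.g. 35) or symbolic (debug -> 10, info -> 20, ...)
        level = int(spec) if spec.isdigit() else logging.getLevelName(spec.upper())
        if not isinstance(level, int):
            raise ValueError(f"{name}: unknown log level {spec!r}")
        for pattern in value.split(","):
            pattern = pattern.strip()
            if pattern:
                rules.append((level, re.compile(pattern)))
    return rules


def level_for(logger_name, rules):
    """Level of the first matching rule, or None if no rule matches (the
    logger then keeps the global level)."""
    for level, regexp in rules:
        if regexp.match(logger_name):
            return level
    return None


def apply_logger_rules(rules, logger_names):
    """Set per-logger levels on the standard logging tree for every logger
    that matches a rule and return {logger_name: level} for those."""
    assigned = {}
    for name in logger_names:
        level = level_for(name, rules)
        if level is not None:
            logging.getLogger(name).setLevel(level)
            assigned[name] = level
    return assigned


# The two rules quoted on this page.
PAGE_RULES = parse_logger_rules({
    "log_logger_level_debug": r"ipalib\.dn\..*",
    "log_logger_level_35": r"ipalib\.plugins\.dogtag",
})

# The first rule written without escaping the dots: '.' now matches any
# character, so a logger name such as ipalibXdn is matched as well.
UNESCAPED_RULES = parse_logger_rules({"log_logger_level_debug": "ipalib.dn"})

if __name__ == "__main__":
    names = ["ipalib.dn.DN", "ipalib.plugins.dogtag", "ipalib.plugins.user"]
    print(apply_logger_rules(PAGE_RULES, names))
    print(level_for("ipalibXdn", PAGE_RULES), level_for("ipalibXdn", UNESCAPED_RULES))
```

With the escaped patterns, ipalib.plugins.user keeps the global level and ipalibXdn matches nothing; with the unescaped pattern ipalibXdn is given the debug level, which is the over-matching the note warns about. Because the first matching rule wins, a broad pattern placed early can also shadow a narrower one listed later.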

mode <mode>
Specifies the mode the server is running in. The currently
supported values are production and development. When running in
production mode some self-tests are skipped to improve
performance.

mount_ipa <URI>
Specifies the mount point that the development server will
register. The default is /ipa/

prompt_all <boolean>
Specifies that all options should be prompted for in the IPA
client, even optional values. The default is False.

ra_plugin <name>
Specifies the name of the CA back end to use. The current
options are selfsign and dogtag. This is a server-side setting.
Changing this value is not recommended as the CA back end is
only set up during initial installation.

realm <realm>
Specifies the Kerberos realm.

session_auth_duration <time duration spec>
Specifies the length of time authentication credentials cached
in the session are valid. After the duration expires, credentials
will be automatically reacquired. Examples are "2 hours",
"1h:30m", "10 minutes", "5min, 30sec".

session_duration_type <inactivity_timeout|from_start>
Specifies how the expiration of a session is computed. With
inactivity_timeout the expiration time is advanced by the value
of session_auth_duration every time the user accesses the
service. With from_start the session expiration is the start of
the user's session plus the value of session_auth_duration.
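The two session options above determine how long cached credentials stay usable. The following added example (not FreeIPA code) parses the duration forms listed on the page and computes the expiry instant under both session_duration_type policies. The duration grammar is an assumption that accepts exactly those forms (a number followed by a unit word, separated by spaces, commas or colons); the timeline values are constructed.

```python
"""Session lifetime arithmetic for session_auth_duration and
session_duration_type (added example; not FreeIPA code).  The duration
grammar is an assumption covering the forms listed on the page:
"2 hours", "1h:30m", "10 minutes", "5min, 30sec"."""
import re
from datetime import datetime, timedelta

UNIT_SECONDS = {
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
}
TOKEN = re.compile(r"(\d+)\s*([A-Za-z]+)")


def parse_duration(spec):
    """Return the total number of seconds in a <time duration spec>."""
    total, count = 0, 0
    for m in TOKEN.finditer(spec):
        unit = m.group(2).lower()
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown unit {unit!r} in {spec!r}")
        total += int(m.group(1)) * UNIT_SECONDS[unit]
        count += 1
    leftover = TOKEN.sub("", spec).strip(" ,:")   # only separators may remain
    if count == 0 or leftover:
        raise ValueError(f"cannot parse duration {spec!r}")
    return total


def session_expiry(started, last_access, duration_type, duration_seconds):
    """Expiration instant under the two session_duration_type policies."""
    window = timedelta(seconds=duration_seconds)
    if duration_type == "inactivity_timeout":
        return last_access + window     # slides forward on every access
    if duration_type == "from_start":
        return started + window         # fixed, regardless of activity
    raise ValueError(f"unknown session_duration_type {duration_type!r}")


def session_is_valid(now, started, last_access, options):
    """Evaluate a session against the two options as they would appear in
    [global]; options is a dict such as a config loader returns."""
    seconds = parse_duration(options["session_auth_duration"])
    expiry = session_expiry(started, last_access,
                            options["session_duration_type"], seconds)
    return now < expiry


def demo():
    """Constructed timeline: session started 09:00, last request 10:00,
    evaluated at 11:30 with session_auth_duration = 2 hours."""
    started = datetime(2011, 2, 21, 9, 0)
    last_access = datetime(2011, 2, 21, 10, 0)
    now = datetime(2011, 2, 21, 11, 30)
    out = {}
    for policy in ("inactivity_timeout", "from_start"):
        opts = {"session_auth_duration": "2 hours",
                "session_duration_type": policy}
        expiry = session_expiry(started, last_access, policy, 7200)
        out[policy] = (expiry.strftime("%H:%M"),
                       session_is_valid(now, started, last_access, opts))
    return out


if __name__ == "__main__":
    print(demo())
```

On the constructed timeline the same 2-hour setting gives an expiry of 12:00 under inactivity_timeout (so the 11:30 request is still served) but 11:00 under from_start (so it is not). The practical difference: with inactivity_timeout a continuously used session never expires, while from_start puts a hard upper bound on how long cached credentials remain valid.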
199
200 server <hostname>
201 Specifies the IPA Server hostname. This option is deprecated.
202
203 startup_timeout <time in seconds>
204 Controls the amount of time waited when starting a service. The
205 default value is 120 seconds.
206
207 startup_traceback <boolean>
208 If the IPA server fails to start and this value is True the
209 server will attempt to generate a python traceback to make iden‐
210 tifying the underlying problem easier.
211
212 validate_api <boolean>
213 Used internally in the IPA source package to verify that the API
214 has not changed. This is used to prevent regressions. If it is
215 true then some errors are ignored so enough of the IPA framework
216 can be loaded to verify all of the API, even if optional compo‐
217 nents are not installed. The default is False.
218
219 verbose <boolean>
220 When True provides more information. Specifically this sets the
221 global log level to "info".
222
223 wait_for_attr <boolean>
224 Debug option. Waits for asynchronous execution of 389-ds postop‐
225 eration plugins before returning data to the client, therefore
226 data added by postoperation plugins is included in the result.
227 Increases execution time.
228
229 xmlrpc_uri <URI>
230 Specifies the URI of the XML-RPC server for a client. This is
231 used by IPA and some external tools as well, such as
232 ipa-getcert. e.g. https://ipa.example.com/ipa/xml
233
234 The following define the containers for the IPA server. Containers
235 define where in the DIT that objects can be found. The full location is
236 the value of container + basedn.
237 container_accounts: cn=accounts
238 container_applications: cn=applications,cn=configs,cn=policies
239 container_automount: cn=automount
240 container_configs: cn=configs,cn=policies
241 container_dns: cn=dns
242 container_entitlements: cn=entitlements,cn=etc
243 container_group: cn=groups,cn=accounts
244 container_hbac: cn=hbac
245 container_hbacservice: cn=hbacservices,cn=hbac
246 container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
247 container_host: cn=computers,cn=accounts
248 container_hostgroup: cn=hostgroups,cn=accounts
249 container_netgroup: cn=ng,cn=alt
250 container_permission: cn=permissions,cn=pbac
251 container_policies: cn=policies
252 container_policygroups: cn=policygroups,cn=configs,cn=policies
253 container_policylinks: cn=policylinks,cn=configs,cn=policies
254 container_privilege: cn=privileges,cn=pbac
255 container_rolegroup: cn=roles,cn=accounts
256 container_roles: cn=roles,cn=policies
257 container_service: cn=services,cn=accounts
258 container_sudocmd: cn=sudocmds,cn=sudo
259 container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
260 container_sudorule: cn=sudorules,cn=sudo
261 container_user: cn=users,cn=accounts
262 container_virtual: cn=virtual operations,cn=etc
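An added example (not FreeIPA code) of building DNs from the container_* values and basedn as the paragraph above describes. The page only states that a location is container + basedn; the leaf RDN attribute used for an object (uid for a user, cn for a group) and the RFC 4514 escaping of the RDN value are assumptions made here, and the options dict is constructed from the values on this page.

```python
"""Building DNs from container_* options and basedn (added example; not
FreeIPA code).  The leaf RDN attribute and the RFC 4514 escaping of its
value are assumptions; the page only defines container + basedn."""
import re

# Constructed options, as a config loader would return them.
OPTIONS = {
    "basedn": "dc=example,dc=com",
    "container_user": "cn=users,cn=accounts",
    "container_group": "cn=groups,cn=accounts",
    "container_host": "cn=computers,cn=accounts",
    "container_virtual": "cn=virtual operations,cn=etc",
}


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 rules):
    special characters get a backslash, as do a leading '#' or space and a
    trailing space."""
    value = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    if value.startswith((" ", "#")):
        value = "\\" + value
    return value


def container_dn(kind, options=OPTIONS):
    """DN of a container: the container_<kind> value followed by basedn."""
    return f"{options['container_' + kind]},{options['basedn']}"


def entry_dn(kind, rdn_attr, rdn_value, options=OPTIONS):
    """DN of an object inside a container, with the leaf RDN value escaped
    so that it is always read as one RDN component."""
    return f"{rdn_attr}={escape_rdn_value(rdn_value)},{container_dn(kind, options)}"


if __name__ == "__main__":
    print(container_dn("user"))
    print(entry_dn("user", "uid", "alice"))
    print(entry_dn("group", "cn", "ops, eu"))   # comma is escaped
    print(entry_dn("virtual", "cn", "request certificate"))
```

The escaping step matters whenever the RDN value comes from outside the configuration: without it, a value containing a comma would be parsed by the directory as an extra RDN and the resulting DN would point somewhere other than the intended container.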

FILES
/etc/ipa/default.conf
system-wide IPA configuration file

$HOME/.ipa/default.conf
user IPA configuration file

It is also possible to define context-specific configuration files. The
context is set when the IPA API is initialized. The two currently
defined contexts in IPA are cli and server. This is helpful, for
example, if you only want debug enabled on the server and not in the
client. If debug is set to True in default.conf it will affect both the
ipa client tool and the IPA server. If it is only set in server.conf
then only the server will have debug set. These files will be loaded if
they exist:

/etc/ipa/cli.conf
system-wide IPA client configuration file

/etc/ipa/server.conf
system-wide IPA server configuration file

SEE ALSO
ipa(1)

FreeIPA Feb 21 2011 default.conf(5)