default.conf(5) IPA Manual Pages default.conf(5)


default.conf - IPA configuration file

/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf,
/etc/ipa/cli.conf

The default.conf configuration file is used to set system-wide defaults
to be applied when running IPA clients and servers.

Users may create an optional configuration file in ~/.ipa/default.conf
which will be merged into the system-wide defaults file.

The following files are read, in order:
~/.ipa/default.conf
/etc/ipa/<context>.conf
/etc/ipa/default.conf
built-in constants

The IPA server does not read ~/.ipa/default.conf.

The first setting wins.

The configuration options are not case sensitive. The values may be
case sensitive, depending on the option.

Blank lines are ignored. Lines beginning with # are comments and are
ignored.

Valid lines consist of an option name, an equals sign and a value.
Spaces surrounding the equals sign are ignored. An option terminates at
the end of a line.

Values should not be quoted; the quotes will not be stripped.

# Wrong - don't include quotes
verbose = "True"

# Right - properly formatted options
verbose = True
verbose=True

Options must appear in the section named [global]. There are no other
sections defined or used currently.

Options may be defined that are not used by IPA. Be careful of
misspellings; they will not be rejected.

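The following Python snippet is an added example, not code from the IPA project or from this manual page. It implements the reading rules described above (blank lines and comments skipped, case-insensitive option names, spaces around the equals sign ignored, quotes kept as part of the value, only the [global] section honoured) and the documented read order in which the first setting wins and the server skips ~/.ipa/default.conf. The file contents are constructed in-line, so the paths are only labels and the whole thing runs offline; the as_bool helper and its accepted spellings are this example's own choice.

```python
# Added example (not IPA project code): a reader for the default.conf
# syntax described above.  File contents are constructed in-line and the
# paths are only labels for the documented read order, so this runs
# offline.
import re

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_OPTION = re.compile(r"^(?P<key>[^=\s][^=]*?)\s*=\s*(?P<value>.*)$")


def parse_default_conf(text):
    """Return {option: value} for the options found in the [global] section.

    Option names are lower-cased because they are not case sensitive; values
    are kept verbatim, so a quoted value keeps its quotes (the pitfall the
    page warns about).  Options in any other section are ignored.
    """
    options = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        m = _SECTION.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        m = _OPTION.match(line)
        if m is None:
            raise ValueError("malformed line: %r" % raw)
        if section == "global":
            options[m.group("key").strip().lower()] = m.group("value").strip()
    return options


def merge_config(context, files, builtin, in_server=False):
    """Apply the documented read order; the first setting found wins.

    `files` maps a path to its text (a constructed stand-in for the file
    system); `builtin` holds the built-in constants consulted last.
    """
    order = [
        "~/.ipa/default.conf",
        "/etc/ipa/%s.conf" % context,
        "/etc/ipa/default.conf",
    ]
    if in_server:
        order = order[1:]  # the server does not read ~/.ipa/default.conf
    merged = {}
    for path in order:
        for key, value in parse_default_conf(files.get(path, "")).items():
            merged.setdefault(key, value)  # keep the first value seen
    for key, value in builtin.items():
        merged.setdefault(key.lower(), value)
    return merged


def as_bool(value):
    """Interpret a <boolean> option.  Accepting True/False in any case is this
    example's choice; a quoted "True" is rejected, as the page warns."""
    lowered = value.lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    raise ValueError("not a boolean: %r (quotes are never stripped)" % value)


# Constructed sample files exercising comments, spacing and a quoted value.
SAMPLE_FILES = {
    "~/.ipa/default.conf": "[global]\nverbose = True\n",
    "/etc/ipa/cli.conf": "[global]\n# Wrong: the quotes stay part of the value\ndebug = \"True\"\n",
    "/etc/ipa/default.conf": (
        "[global]\n"
        "Debug=False\n"
        "realm = EXAMPLE.COM\n"
        "basedn = dc=example,dc=com\n"
    ),
}
BUILTIN_CONSTANTS = {"verbose": "False", "debug": "False", "startup_timeout": "120"}

if __name__ == "__main__":
    cli = merge_config("cli", SAMPLE_FILES, BUILTIN_CONSTANTS)
    print("cli:", cli)
    server = merge_config("server", SAMPLE_FILES, BUILTIN_CONSTANTS, in_server=True)
    print("server:", server)
    try:
        as_bool(cli["debug"])
    except ValueError as err:
        print("cli debug:", err)
```

Running it shows why the quoting rule matters: in the cli context the value of debug is the six-character string "True" with quotes, taken from /etc/ipa/cli.conf because it is read before /etc/ipa/default.conf, and it does not parse as a boolean; in the server context the same option resolves to False from /etc/ipa/default.conf, and the user file is never consulted.
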
The following options are relevant for the server:

basedn <base>
Specifies the base DN to use when performing LDAP operations.
The base must be in DN format (dc=example,dc=com).

ca_agent_port <port>
Specifies the secure CA agent port. The default is 8443.

ca_ee_port <port>
Specifies the secure CA end user port. The default is 8443.

ca_host <hostname>
Specifies the hostname of the dogtag CA server. The default is
the hostname of the IPA server.

ca_port <port>
Specifies the insecure CA end user port. The default is 8080.

context <context>
Specifies the context that IPA is being executed in. IPA may
operate differently depending on the context. The currently
defined contexts are cli and server. Additionally this value is
used to load /etc/ipa/<context>.conf to provide context-specific
configuration. For example, if you want to always perform client
requests in verbose mode but do not want to have verbose enabled
on the server, add the verbose option to /etc/ipa/cli.conf.

debug <boolean>
When True provides detailed information. Specifically this sets
the global log level to "debug". Default is False.

dogtag_version <version>
Stores the version of Dogtag. Value 9 is assumed if not
specified otherwise.

domain <domain>
The domain of the IPA server, e.g. example.com.

enable_ra <boolean>
Specifies whether the CA is acting as an RA agent, such as when
dogtag is being used as the Certificate Authority. This setting
only applies to the IPA server configuration.

fallback <boolean>
Specifies whether an IPA client should attempt to fall back and
try other services if the first connection fails.

host <hostname>
Specifies the local system hostname.

in_server <boolean>
Specifies whether requests should be forwarded to an IPA server
or handled locally. This is used internally by IPA in a similar
way as context. The same IPA framework is used by the ipa
command-line tool and the server. This setting tells the framework
whether it should execute the command as if on the server or
forward it via XML-RPC to a remote server.

in_tree <boolean>
This is used in development and is generally a detected value.
It means that the code is being executed within a source tree.

interactive <boolean>
Specifies whether values should be prompted for or not. The
default is True.

kinit_lifetime <time duration spec>
Controls the lifetime of the ticket obtained by users authenticating
to the WebGUI using login/password. The expected format is a
time duration string. Examples are "2 hours", "1h:30m", "10 minutes",
"5min, 30sec". When the parameter is not set in default.conf, the
ticket will have a duration inherited from the default value for
Kerberos clients, which can be set as ticket_lifetime in krb5.conf.
When the ticket lifetime has expired, the ticket is not valid anymore
and the GUI will prompt to re-login with the message "Your session
has expired. Please re-login."

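The following Python snippet is an added example, not code from the IPA project or from this manual page. It parses the kind of time duration strings listed for kinit_lifetime above and resolves the effective lifetime of a WebGUI login ticket, falling back to the krb5.conf ticket_lifetime when the option is unset. The set of accepted unit spellings and the separator handling are this example's assumptions, and unparseable input is rejected rather than guessed at.

```python
# Added example (not IPA project code): parse the kind of time duration
# strings the kinit_lifetime option accepts, and resolve the effective
# ticket lifetime including the krb5.conf fall-back.  The accepted unit
# spellings are this example's assumption.
import re

_PAIR = re.compile(r"(\d+)\s*([A-Za-z]+)")
_UNIT_SECONDS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}


def parse_duration(spec):
    """Convert "2 hours", "1h:30m", "10 minutes" or "5min, 30sec" to seconds.

    Each <number><unit> pair is summed; pairs may be separated by spaces,
    commas or colons.  Anything else (a bare number, an unknown unit, an
    empty string) is an error rather than a silent guess.
    """
    pairs = _PAIR.findall(spec)
    leftovers = _PAIR.sub("", spec).strip(" \t,:")
    if not pairs or leftovers:
        raise ValueError("not a time duration: %r" % spec)
    total = 0
    for number, unit in pairs:
        try:
            total += int(number) * _UNIT_SECONDS[unit.lower()]
        except KeyError:
            raise ValueError("unknown unit %r in %r" % (unit, spec)) from None
    return total


def effective_ticket_lifetime(kinit_lifetime, krb5_ticket_lifetime):
    """Lifetime used for a WebGUI login ticket, in seconds.

    kinit_lifetime is the default.conf value, or None when the option is
    not set; in that case the ticket inherits ticket_lifetime from
    krb5.conf (passed here as a string in the same duration syntax).
    """
    if kinit_lifetime is None:
        return parse_duration(krb5_ticket_lifetime)
    return parse_duration(kinit_lifetime)


if __name__ == "__main__":
    for spec in ("2 hours", "1h:30m", "10 minutes", "5min, 30sec"):
        print("%-12s -> %6d seconds" % (spec, parse_duration(spec)))
    print("unset, krb5 24h ->", effective_ticket_lifetime(None, "24h"), "seconds")
```
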
ldap_uri <URI>
Specifies the URI of the IPA LDAP server to connect to. The URI
scheme may be one of ldap or ldapi. The default is to use ldapi,
e.g. ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket

log_logger_level_XXX <comma separated list of regexps>
Loggers whose names match one of the regexps will be assigned level XXX.

Logger levels can be explicitly specified for specific loggers
as opposed to a global logging level. Specific loggers are
indicated by a list of regular expressions bound to a level. If a
logger's name matches the regexp then it is assigned that level.
This config item must begin with "log_logger_level_" and then be
followed by a symbolic or numeric log level, for example:

log_logger_level_debug = ipalib\.dn\..*

log_logger_level_35 = ipalib\.plugins\.dogtag

The first line says any logger belonging to the ipalib.dn module
will have its level configured to debug.

The second line says the ipalib.plugins.dogtag logger will be
configured to level 35.

This config item is useful when you only want to see the log
output from one or more selected loggers. Turning on the global
debug flag will produce an enormous amount of output. This
allows you to leave the global debug flag off and selectively
enable output from a specific logger. Typically loggers are
bound to classes and plugins.

Note: logger names are a dot ('.') separated list forming a path
in the logger tree. The dot character is also a regular expression
metacharacter (matches any character), therefore you will
usually need to escape the dot in the logger names by preceding
it with a backslash.

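The following Python snippet is an added example, not code from the IPA project or from this manual page. It shows how log_logger_level_XXX options of the form above can be turned into per-logger levels with the standard logging module, and it demonstrates the escaping caveat in the note: the unescaped pattern "ipalib.dn..*" also captures a logger named ipalibXdnXother. Matching each regexp against the start of the logger name (re.match), the first-matching-rule-wins order and the constructed logger names are this example's assumptions.

```python
# Added example (not IPA project code): how log_logger_level_<level>
# options can be turned into per-logger levels with the standard logging
# module.  Matching a regexp against the start of the logger name
# (re.match) is this example's assumption.
import logging
import re

_PREFIX = "log_logger_level_"


def parse_logger_levels(options):
    """Return [(compiled_regexp, numeric_level)] from default.conf options.

    The part after the prefix is a symbolic level (debug, info, ...) or a
    bare number; the value is a comma separated list of regexps.
    """
    rules = []
    for key, value in options.items():
        name = key.lower()
        if not name.startswith(_PREFIX):
            continue
        level_spec = name[len(_PREFIX):]
        if level_spec.isdigit():
            level = int(level_spec)
        else:
            level = logging.getLevelName(level_spec.upper())
            if not isinstance(level, int):
                raise ValueError("unknown log level in option %r" % key)
        for pattern in value.split(","):
            pattern = pattern.strip()
            if pattern:
                rules.append((re.compile(pattern), level))
    return rules


def apply_logger_levels(rules, logger_names):
    """Assign each matching logger its level; return {logger_name: level}.

    The first rule whose regexp matches wins; loggers matching no rule keep
    the global level, which is the point of this option: targeted debug
    output without turning the global debug flag on.
    """
    assigned = {}
    for name in logger_names:
        for regexp, level in rules:
            if regexp.match(name):
                logging.getLogger(name).setLevel(level)
                assigned[name] = level
                break
    return assigned


def configured_level(name):
    """Level currently set on a logger (0 means NOTSET: inherit from parent)."""
    return logging.getLogger(name).level


# Constructed logger names as they might appear inside IPA.
LOGGERS = ["ipalib.dn.DN", "ipalib.plugins.dogtag", "ipalib.plugins.user", "ipalibXdnXother"]

# The two options from the manual page, dots escaped.
ESCAPED = {
    "log_logger_level_debug": r"ipalib\.dn\..*",
    "log_logger_level_35": r"ipalib\.plugins\.dogtag",
}
# The unescaped dot matches any character, so this also catches ipalibXdnXother.
UNESCAPED = {"log_logger_level_debug": "ipalib.dn..*"}

if __name__ == "__main__":
    print("escaped:  ", apply_logger_levels(parse_logger_levels(ESCAPED), LOGGERS))
    print("unescaped:", apply_logger_levels(parse_logger_levels(UNESCAPED), LOGGERS))
```
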
mode <mode>
Specifies the mode the server is running in. The currently
supported values are production and development. When running in
production mode some self-tests are skipped to improve performance.

mount_ipa <URI>
Specifies the mount point that the development server will
register. The default is /ipa/.

prompt_all <boolean>
Specifies that all options should be prompted for in the IPA
client, even optional values. Default is False.

ra_plugin <name>
Specifies the name of the CA back end to use. The current
options are dogtag and none. This is a server-side setting.
Changing this value is not recommended as the CA back end is
only set up during initial installation.

realm <realm>
Specifies the Kerberos realm.

server <hostname>
Specifies the IPA Server hostname.

skip_version_check <boolean>
Skip client vs. server API version checking. Can lead to
errors/strange behavior when newer clients talk to older
servers. Use with caution.

startup_timeout <time in seconds>
Controls the amount of time waited when starting a service. The
default value is 120 seconds.

startup_traceback <boolean>
If the IPA server fails to start and this value is True the
server will attempt to generate a Python traceback to make
identifying the underlying problem easier.

validate_api <boolean>
Used internally in the IPA source package to verify that the API
has not changed. This is used to prevent regressions. If it is
True then some errors are ignored so enough of the IPA framework
can be loaded to verify all of the API, even if optional
components are not installed. The default is False.

verbose <boolean>
When True provides more information. Specifically this sets the
global log level to "info".

wait_for_dns <number of attempts>
Controls whether the IPA commands dnsrecord-{add,mod,del} work
synchronously or not. The DNS commands will repeat DNS queries
up to the specified number of attempts until the DNS server
returns an up-to-date answer to a query for modified records.
The delay between retries is one second.

The DNS commands will raise a DNSDataMismatch exception if the
answer doesn't match the expected value even after the specified
number of attempts.

The DNS queries will be sent to the resolver configured in
/etc/resolv.conf on the IPA server.

Do not enable this in production! This will cause problems if
the resolver on the IPA server uses a caching server instead of a
local authoritative server or, e.g., if DNS answers are modified
by DNS64. The default is disabled (the option is not present).

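The following Python snippet is an added example, not code from the IPA project or from this manual page. It reproduces the retry loop described for wait_for_dns (up to N attempts one second apart, DNSDataMismatch when the answer never matches, no waiting at all when the option is absent) against a constructed resolver, so it runs offline. A one-answer resolver stands in for the caching server the warning mentions: it keeps returning the stale record for the whole attempt budget, which is exactly how the option misbehaves in production. The resolver, the function signature and the sample records are this example's own.

```python
# Added example (not IPA project code): the retry loop behind wait_for_dns,
# with a constructed resolver so it runs offline.  The resolver, exception
# and function names are this example's; only the behaviour (N attempts,
# one second apart, DNSDataMismatch on failure) follows the page.
import time


class DNSDataMismatch(Exception):
    """The resolver never returned the expected records."""


def wait_for_dns(resolve, name, expected, attempts, sleep=time.sleep):
    """Query `name` through `resolve` up to `attempts` times, one second
    apart, until the answer matches `expected` (compared as a set).

    Returns the attempt number that succeeded, or None when attempts is 0,
    which mirrors the option being absent (the default): no waiting at all.
    """
    if attempts <= 0:
        return None
    answer = None
    for attempt in range(1, attempts + 1):
        answer = resolve(name)
        if set(answer) == set(expected):
            return attempt
        if attempt < attempts:
            sleep(1)  # delay between retries is one second
    raise DNSDataMismatch(
        "%s: expected %r, still got %r after %d attempts"
        % (name, sorted(expected), sorted(answer), attempts)
    )


def make_resolver(answers):
    """Constructed resolver: returns answers[0], answers[1], ... per call and
    repeats the last one forever.  A single-element list behaves like a
    caching resolver that keeps serving a stale record until its TTL expires,
    which is why the page says not to enable wait_for_dns in production."""
    calls = []

    def resolve(name):
        answer = answers[min(len(calls), len(answers) - 1)]
        calls.append(name)
        return list(answer)

    resolve.calls = calls
    return resolve


if __name__ == "__main__":
    # Authoritative server that serves the modified record from the third query on.
    converging = make_resolver([["10.0.0.1"], ["10.0.0.1"], ["10.0.0.2"]])
    print("updated after attempt",
          wait_for_dns(converging, "host.example.test", ["10.0.0.2"], 5))
    # Caching resolver that never refreshes within the attempt budget.
    stale = make_resolver([["10.0.0.1"]])
    try:
        wait_for_dns(stale, "host.example.test", ["10.0.0.2"], 3)
    except DNSDataMismatch as err:
        print("mismatch:", err)
```
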
xmlrpc_uri <URI>
Specifies the URI of the XML-RPC server for a client. This may
be used by IPA, and is used by some external tools, such as
ipa-getcert. Example: https://ipa.example.com/ipa/xml

jsonrpc_uri <URI>
Specifies the URI of the JSON server for a client. This is used
by IPA. If not given, it is derived from xmlrpc_uri. Example:
https://ipa.example.com/ipa/json

rpc_protocol <protocol>
Specifies the type of RPC calls IPA makes: 'jsonrpc' or
'xmlrpc'. Defaults to 'jsonrpc'.

The following define the containers for the IPA server. Containers
define where in the DIT objects can be found. The full location is
the value of container + basedn.
container_accounts: cn=accounts
container_applications: cn=applications,cn=configs,cn=policies
container_automount: cn=automount
container_configs: cn=configs,cn=policies
container_dns: cn=dns
container_group: cn=groups,cn=accounts
container_hbac: cn=hbac
container_hbacservice: cn=hbacservices,cn=hbac
container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
container_host: cn=computers,cn=accounts
container_hostgroup: cn=hostgroups,cn=accounts
container_netgroup: cn=ng,cn=alt
container_permission: cn=permissions,cn=pbac
container_policies: cn=policies
container_policygroups: cn=policygroups,cn=configs,cn=policies
container_policylinks: cn=policylinks,cn=configs,cn=policies
container_privilege: cn=privileges,cn=pbac
container_rolegroup: cn=roles,cn=accounts
container_roles: cn=roles,cn=policies
container_service: cn=services,cn=accounts
container_sudocmd: cn=sudocmds,cn=sudo
container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
container_sudorule: cn=sudorules,cn=sudo
container_user: cn=users,cn=accounts
container_vault: cn=vaults,cn=kra
container_virtual: cn=virtual operations,cn=etc


/etc/ipa/default.conf
system-wide IPA configuration file

$HOME/.ipa/default.conf
user IPA configuration file

It is also possible to define context-specific configuration files. The
context is set when the IPA API is initialized. The two currently
defined contexts in IPA are cli and server. This is helpful, for
example, if you only want debug enabled on the server and not in the
client. If debug is set to True in default.conf it will affect both the
ipa client tool and the IPA server. If it is only set in server.conf
then only the server will have debug set. These files will be loaded if
they exist:

/etc/ipa/cli.conf
system-wide IPA client configuration file

/etc/ipa/server.conf
system-wide IPA server configuration file

ipa(1)



IPA Feb 21 2011 default.conf(5)