default.conf(5) FreeIPA Manual Pages default.conf(5)

NAME
default.conf - IPA configuration file

SYNOPSIS
/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf,
/etc/ipa/cli.conf

DESCRIPTION
The default.conf configuration file is used to set system-wide defaults
to be applied when running IPA clients and servers.

Users may create an optional configuration file in ~/.ipa/default.conf
which will be merged into the system-wide defaults file.

The following files are read, in order:
~/.ipa/default.conf
/etc/ipa/<context>.conf
/etc/ipa/default.conf
built-in constants

The IPA server does not read ~/.ipa/default.conf.

The first setting wins: an option found in an earlier file overrides
the same option in any later file and the built-in constant.

SYNTAX
The configuration options are not case sensitive. The values may be
case sensitive, depending on the option.

Blank lines are ignored. Lines beginning with # are comments and are
ignored.

Valid lines consist of an option name, an equals sign and a value.
Spaces surrounding the equals sign are ignored. An option terminates at
the end of a line.

Values should not be quoted; the quotes will not be stripped.

# Wrong - don't include quotes
verbose = "True"

# Right - Properly formatted options
verbose = True
verbose=True

Options must appear in the section named [global]. There are no other
sections defined or used currently.

Options may be defined that are not used by IPA. Be careful of
misspellings, they will not be rejected.

OPTIONS
The following options are relevant for the server:

basedn <base>
Specifies the base DN to use when performing LDAP operations.
The base must be in DN format (dc=example,dc=com).

ca_agent_port <port>
Specifies the secure CA agent port. The default is 8443.

ca_ee_port <port>
Specifies the secure CA end user port. The default is 8443.

ca_host <hostname>
Specifies the hostname of the dogtag CA server. The default is
the hostname of the IPA server.

ca_port <port>
Specifies the insecure CA end user port. The default is 8080.

certmonger_wait_timeout <seconds>
The time to wait for a certmonger request to complete during
installation. The default value is 300 seconds.

context <context>
Specifies the context that IPA is being executed in. IPA may
operate differently depending on the context. The currently
defined contexts are cli and server. Additionally this value is
used to load /etc/ipa/<context>.conf to provide context-specific
configuration. For example, if you want to always perform client
requests in verbose mode but do not want to have verbose enabled
on the server, add the verbose option to /etc/ipa/cli.conf.

debug <boolean>
When True provides detailed information. Specifically this sets
the global log level to "debug". Default is False.

dogtag_version <version>
Stores the version of Dogtag. Value 9 is assumed if not
specified otherwise.

domain <domain>
The domain of the IPA server, e.g. example.com.

enable_ra <boolean>
Specifies whether the CA is acting as an RA agent, such as when
dogtag is being used as the Certificate Authority. This setting
only applies to the IPA server configuration.

fallback <boolean>
Specifies whether an IPA client should attempt to fall back and
try other services if the first connection fails.

host <hostname>
Specifies the local system hostname.

http_timeout <seconds>
Timeout for HTTP blocking requests (e.g. connection). The
default value is 30 seconds.

in_server <boolean>
Specifies whether requests should be forwarded to an IPA server
or handled locally. This is used internally by IPA in a similar
way as context. The same IPA framework is used by the ipa
command-line tool and the server. This setting tells the framework
whether it should execute the command as if on the server or
forward it via XML-RPC to a remote server.

in_tree <boolean>
This is used in development and is generally a detected value.
It means that the code is being executed within a source tree.

interactive <boolean>
Specifies whether values should be prompted for or not. The
default is True.

kinit_lifetime <time duration spec>
Controls the lifetime of the ticket obtained by users authenticating
to the WebGUI using login/password. The expected format is a
time duration string. Examples are "2 hours", "1h:30m", "10
minutes", "5min, 30sec". When the parameter is not set in
default.conf, the ticket will have a duration inherited from the
default value for Kerberos clients, which can be set as
ticket_lifetime in krb5.conf. When the ticket lifetime has
expired, the ticket is not valid anymore and the GUI will prompt
to re-login with a message "Your session has expired. Please re-
login."

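The four kinit_lifetime examples above ("2 hours", "1h:30m", "10 minutes",
"5min, 30sec") all fit one small grammar: a sequence of <number><unit> tokens
separated by spaces, commas or colons. The parser below is an added example, not
FreeIPA's own duration parser; the accepted unit spellings beyond those four
examples, and the fallback to a caller-supplied krb5.conf ticket_lifetime value,
are assumptions made for the demonstration. A bad unit or stray text is rejected
rather than silently truncating the session lifetime.

```python
import re

# Unit words accepted by this parser. The man page shows "hours", "h", "min",
# "minutes" and "sec"; the rest of the table is an assumption of this example.
UNIT_SECONDS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}
TOKEN = re.compile(r"(\d+)\s*([a-z]+)")   # "2 hours", "1h", "30m", ...
SEPARATORS = " ,:"                          # what may sit between tokens


def parse_time_duration(spec):
    """Return the number of seconds in a duration string such as "1h:30m".
    Raises ValueError for unknown units, missing units or stray text."""
    s = spec.strip().lower()
    total, end = 0, 0
    for match in TOKEN.finditer(s):
        between = s[end:match.start()]
        if between.strip(SEPARATORS):       # something other than a separator
            raise ValueError("unexpected text %r in %r" % (between, spec))
        count, unit = int(match.group(1)), match.group(2)
        if unit not in UNIT_SECONDS:
            raise ValueError("unknown unit %r in %r" % (unit, spec))
        total += count * UNIT_SECONDS[unit]
        end = match.end()
    if end == 0 or s[end:].strip(SEPARATORS):
        raise ValueError("could not parse duration %r" % spec)
    return total


def is_valid_duration(spec):
    """True if spec parses, False otherwise (handy for config validation)."""
    try:
        parse_time_duration(spec)
        return True
    except ValueError:
        return False


def ticket_lifetime_seconds(config, krb5_ticket_lifetime_seconds):
    """Lifetime the WebGUI ticket gets: kinit_lifetime when configured,
    otherwise the Kerberos client default (ticket_lifetime in krb5.conf),
    which the caller passes in already converted to seconds."""
    spec = config.get("kinit_lifetime")
    if spec is None:
        return krb5_ticket_lifetime_seconds
    return parse_time_duration(spec)


if __name__ == "__main__":
    for example in ("2 hours", "1h:30m", "10 minutes", "5min, 30sec"):
        print("%-12s -> %6d seconds" % (example, parse_time_duration(example)))
    print("no kinit_lifetime ->", ticket_lifetime_seconds({}, 86400), "seconds")
```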
ldap_uri <URI>
Specifies the URI of the IPA LDAP server to connect to. The URI
scheme may be one of ldap or ldapi. The default is to use ldapi,
e.g. ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket

log_logger_level_XXX <comma separated list of regexps>
Loggers matching a regexp will be assigned level XXX.

Logger levels can be explicitly specified for specific loggers
as opposed to a global logging level. Specific loggers are
indicated by a list of regular expressions bound to a level. If a
logger's name matches the regexp then it is assigned that level.
This config item must begin with "log_logger_level_" and then be
followed by a symbolic or numeric log level, for example:

log_logger_level_debug = ipalib\.dn\..*

log_logger_level_35 = ipalib\.plugins\.dogtag

The first line says any logger belonging to the ipalib.dn module
will have its level configured to debug.

The second line says the ipalib.plugins.dogtag logger will be
configured to level 35.

This config item is useful when you only want to see the log
output from one or more selected loggers. Turning on the global
debug flag will produce an enormous amount of output. This
allows you to leave the global debug flag off and selectively
enable output from a specific logger. Typically loggers are
bound to classes and plugins.

Note: logger names are a dot ('.') separated list forming a path
in the logger tree. The dot character is also a regular
expression metacharacter (matches any character), therefore you will
usually need to escape the dot in the logger names by preceding
it with a backslash.

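The log_logger_level_XXX mechanism and the dot-escaping note can be exercised with
the two example lines above. This is an added example built on Python's standard
logging module, not FreeIPA's own log manager; the decision to anchor the regexp
at the start of the logger name (re.match) and the SAMPLE_CONFIG dictionary are
assumptions of the example. Loggers no rule matches are left at NOTSET so they
keep inheriting the global level, which is what lets the global debug flag stay
off.

```python
import logging
import re

PREFIX = "log_logger_level_"

# Constructed config mirroring the man page's two example lines.
SAMPLE_CONFIG = {
    "log_logger_level_debug": r"ipalib\.dn\..*",
    "log_logger_level_35": r"ipalib\.plugins\.dogtag",
}


def compile_logger_rules(config):
    """Turn log_logger_level_<level> = regexp[, regexp ...] entries into
    (compiled regexp, numeric level) pairs, in configuration order.
    <level> is a symbolic name (debug, info, ...) or a plain number."""
    rules = []
    for key, value in config.items():
        key = key.lower()                       # option names are case-insensitive
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]
        if name.isdigit():
            level = int(name)
        else:
            level = logging.getLevelName(name.upper())   # "DEBUG" -> 10
            if not isinstance(level, int):
                raise ValueError("unknown log level %r in option %s" % (name, key))
        for pattern in value.split(","):
            pattern = pattern.strip()
            if pattern:
                rules.append((re.compile(pattern), level))
    return rules


def level_for(logger_name, rules, default=logging.NOTSET):
    """First rule whose regexp matches the logger name wins. Matching is
    anchored at the start of the name (re.match); that anchoring is this
    example's choice, the man page only says the name must match."""
    for regexp, level in rules:
        if regexp.match(logger_name):
            return level
    return default


def configure_loggers(config, logger_names):
    """Apply per-logger levels and return {name: level}. Loggers no rule
    matches are set to NOTSET and keep inheriting the root (global) level."""
    rules = compile_logger_rules(config)
    applied = {}
    for name in logger_names:
        level = level_for(name, rules)
        logging.getLogger(name).setLevel(level)
        applied[name] = level
    return applied


def current_level(logger_name):
    """Level actually stored on the named logger."""
    return logging.getLogger(logger_name).level


if __name__ == "__main__":
    print(configure_loggers(SAMPLE_CONFIG,
                            ["ipalib.dn.DN", "ipalib.plugins.dogtag", "ipalib.plugins.user"]))
    # The unescaped pattern below shows why the note about dots matters:
    # "ipalib.dn..*" also matches names that merely look similar.
    loose = compile_logger_rules({"log_logger_level_debug": "ipalib.dn..*"})
    print("unescaped pattern matches 'ipalibXdnX':", level_for("ipalibXdnX", loose) == logging.DEBUG)
```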
mode <mode>
Specifies the mode the server is running in. The currently
supported values are production and development. When running in
production mode some self-tests are skipped to improve performance.

mount_ipa <URI>
Specifies the mount point that the development server will
register. The default is /ipa/

prompt_all <boolean>
Specifies that all options should be prompted for in the IPA
client, even optional values. Default is False.

ra_plugin <name>
Specifies the name of the CA back end to use. The current
options are dogtag and none. This is a server-side setting.
Changing this value is not recommended as the CA back end is
only set up during initial installation.

realm <realm>
Specifies the Kerberos realm.

replication_wait_timeout <seconds>
The time to wait for a new entry to be replicated during replica
installation. The default value is 300 seconds.

server <hostname>
Specifies the IPA Server hostname.

skip_version_check <boolean>
Skip client vs. server API version checking. Can lead to
errors/strange behavior when newer clients talk to older
servers. Use with caution.

startup_timeout <time in seconds>
Controls the amount of time waited when starting a service. The
default value is 120 seconds.

startup_traceback <boolean>
If the IPA server fails to start and this value is True the
server will attempt to generate a python traceback to make
identifying the underlying problem easier.

validate_api <boolean>
Used internally in the IPA source package to verify that the API
has not changed. This is used to prevent regressions. If it is
true then some errors are ignored so enough of the IPA framework
can be loaded to verify all of the API, even if optional
components are not installed. The default is False.

verbose <boolean>
When True provides more information. Specifically this sets the
global log level to "info".

wait_for_dns <number of attempts>
Controls whether the IPA commands dnsrecord-{add,mod,del} work
synchronously or not. The DNS commands will repeat DNS queries
up to the specified number of attempts until the DNS server
returns an up-to-date answer to a query for modified records.
The delay between retries is one second.

The DNS commands will raise a DNSDataMismatch exception if the
answer doesn't match the expected value even after the specified
number of attempts.

The DNS queries will be sent to the resolver configured in
/etc/resolv.conf on the IPA server.

Do not enable this in production! This will cause problems if
the resolver on the IPA server uses a caching server instead of a
local authoritative server or e.g. if DNS answers are modified
by DNS64. The default is disabled (the option is not present).

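The wait_for_dns polling loop, and the failure mode the warning above describes,
can be modelled without touching a real resolver. This is an added example, not
FreeIPA's dnsrecord code: the DNSDataMismatch class is a stand-in for the
exception the man page names, the resolver is a fake that answers stale data for a
configurable number of queries, and the sleep function is injectable so the
one-second delay can be skipped in tests. A resolver that keeps returning a cached
answer (stale_answers larger than the attempt count) never converges and ends in
DNSDataMismatch, which is exactly the caching-resolver problem the page warns
about.

```python
import time


class DNSDataMismatch(Exception):
    """Raised when the resolver never returns the expected records.
    The man page names this exception; this class is a stand-in for it."""


def wait_for_dns_records(resolve, name, expected, attempts, delay=1.0,
                         sleep=time.sleep):
    """Query resolve(name) up to `attempts` times, `delay` seconds apart,
    until the answer equals `expected`. Returns the attempt that succeeded.
    attempts <= 0 models the option being absent: no waiting at all."""
    if attempts <= 0:
        return 0
    expected = set(expected)
    answer = set()
    for attempt in range(1, attempts + 1):
        answer = set(resolve(name))
        if answer == expected:
            return attempt
        if attempt < attempts:         # no pointless sleep after the last try
            sleep(delay)
    raise DNSDataMismatch("%s: expected %s, last answer %s after %d attempts"
                          % (name, sorted(expected), sorted(answer), attempts))


def make_resolver(stale, fresh, stale_answers):
    """Fake resolver: returns `stale` for the first `stale_answers` queries,
    then `fresh`. A small number models an authoritative server that has
    not yet applied the change; a huge one models a caching resolver that
    keeps serving the old answer (the case the man page warns about)."""
    calls = {"n": 0}

    def resolve(name):
        calls["n"] += 1
        return stale if calls["n"] <= stale_answers else fresh

    return resolve


def records_settled(resolve, name, expected, attempts):
    """True if the records converged within the attempts, False on mismatch.
    Sleeps are skipped so the check runs instantly."""
    try:
        wait_for_dns_records(resolve, name, expected, attempts, sleep=lambda s: None)
        return True
    except DNSDataMismatch:
        return False


if __name__ == "__main__":
    # Constructed records: the change from 192.0.2.1 to 192.0.2.2 is visible
    # only from the third query onwards.
    resolver = make_resolver(["192.0.2.1"], ["192.0.2.2"], stale_answers=2)
    print("converged on attempt",
          wait_for_dns_records(resolver, "host.example.com", ["192.0.2.2"], 5,
                               delay=0.01))
    cached = make_resolver(["192.0.2.1"], ["192.0.2.2"], stale_answers=10 ** 6)
    print("caching resolver settles within 3 attempts:",
          records_settled(cached, "host.example.com", ["192.0.2.2"], 3))
```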
xmlrpc_uri <URI>
Specifies the URI of the XML-RPC server for a client. This may
be used by IPA, and is used by some external tools, such as
ipa-getcert. Example: https://ipa.example.com/ipa/xml

jsonrpc_uri <URI>
Specifies the URI of the JSON server for a client. This is used
by IPA. If not given, it is derived from xmlrpc_uri. Example:
https://ipa.example.com/ipa/json

rpc_protocol <URI>
Specifies the type of RPC calls IPA makes: 'jsonrpc' or
'xmlrpc'. Defaults to 'jsonrpc'.

The following define the containers for the IPA server. Containers
define where in the DIT objects can be found. The full location is
the value of container + basedn; for example, with the basedn
dc=example,dc=com, users live under cn=users,cn=accounts,dc=example,dc=com.
container_accounts: cn=accounts
container_applications: cn=applications,cn=configs,cn=policies
container_automount: cn=automount
container_configs: cn=configs,cn=policies
container_dns: cn=dns
container_group: cn=groups,cn=accounts
container_hbac: cn=hbac
container_hbacservice: cn=hbacservices,cn=hbac
container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
container_host: cn=computers,cn=accounts
container_hostgroup: cn=hostgroups,cn=accounts
container_netgroup: cn=ng,cn=alt
container_permission: cn=permissions,cn=pbac
container_policies: cn=policies
container_policygroups: cn=policygroups,cn=configs,cn=policies
container_policylinks: cn=policylinks,cn=configs,cn=policies
container_privilege: cn=privileges,cn=pbac
container_rolegroup: cn=roles,cn=accounts
container_roles: cn=roles,cn=policies
container_service: cn=services,cn=accounts
container_sudocmd: cn=sudocmds,cn=sudo
container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
container_sudorule: cn=sudorules,cn=sudo
container_user: cn=users,cn=accounts
container_vault: cn=vaults,cn=kra
container_virtual: cn=virtual operations,cn=etc

FILES
/etc/ipa/default.conf
system-wide IPA configuration file

$HOME/.ipa/default.conf
user IPA configuration file

It is also possible to define context-specific configuration files. The
context is set when the IPA API is initialized. The two currently
defined contexts in IPA are cli and server. This is helpful, for
example, if you only want debug enabled on the server and not in the
client. If debug is set to True in default.conf it will affect both the
ipa client tool and the IPA server. If it is only set in server.conf
then only the server will have debug set. These files will be loaded if
they exist:

/etc/ipa/cli.conf
system-wide IPA client configuration file

/etc/ipa/server.conf
system-wide IPA server configuration file

SEE ALSO
ipa(1)

FreeIPA Feb 21 2011 default.conf(5)