libuser.conf(5)                File Formats Manual                libuser.conf(5)

NAME
       libuser.conf - configuration for libuser and libuser utilities

DESCRIPTION
       libuser.conf is a text file.  Leading and trailing white space on each
       line is ignored.  Lines starting with # are ignored.

       The file defines variables grouped into sections.  Each section starts
       with a section header:

              [section name]

       A single section header can appear more than once in the file.

       The lines following a section header define variables from that
       section:

              variable = value

       The value can be empty.

       A variable can have more than one value, specified by using more than
       one line defining that variable.  All currently defined variables
       accept only the first value and ignore the others, if any.
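
       The format rules above, as an added worked example that is not part of
       libuser or of this manual page: a small Python parser that applies them
       (white space trimmed, # lines skipped, a repeated section header merged
       into the same section, empty values kept, only the first value of a
       repeated variable kept, and anything else silently dropped, as noted
       under BUGS).  The configuration text it reads is a constructed sample,
       not a real system file.

```python
"""Parser for the libuser.conf file format (added example, not libuser code).

Rules implemented, as the manual page states them:
  * leading and trailing white space on a line is ignored
  * lines starting with '#' are ignored
  * a [section] header may appear more than once; its variables are merged
  * 'variable = value' with an empty value is allowed
  * a variable listed more than once keeps only its first value
  * anything else (no '=', or no section opened yet) is silently ignored
"""


def parse_libuser_conf(text):
    """Return {section: {variable: first_value}} for the given file body."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            config.setdefault(section, {})      # a repeated header reopens the section
            continue
        if section is None or "=" not in line:
            continue                            # invalid line: silently ignored
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if name:
            config[section].setdefault(name, value)   # first definition wins
    return config


def lookup(config, section, name, default=None):
    """Fetch one variable, falling back to the documented default."""
    return config.get(section, {}).get(name, default)


# Constructed sample: [defaults] is opened twice and crypt_style is set twice.
SAMPLE_CONF = """\
# libuser.conf (constructed sample, not a real system file)
[defaults]
crypt_style = sha512
hash_rounds_min = 5000
hash_rounds_max =
this line has no equals sign and is ignored

[import]
login_defs = /etc/login.defs

[defaults]
crypt_style = des
skeleton = /etc/skel
"""

if __name__ == "__main__":
    parsed = parse_libuser_conf(SAMPLE_CONF)
    for section, variables in parsed.items():
        print("[%s]" % section)
        for name, value in variables.items():
            print("  %s = %r" % (name, value))
```

       Running it shows crypt_style staying sha512 even though the second
       [defaults] block sets it to des, which is the behaviour an auditor
       reading a long, edited configuration file needs to keep in mind.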


   [defaults] section
       create_modules
              A list of module names to use when creating user or group
              entries, unless the application specifies a different list.  The
              module names in the list can be separated using space, tab or
              comma.  Default value is files shadow.


       crypt_style
              The algorithm to use for password encryption when creating new
              passwords.  The current algorithm may be retained when changing
              a password of an existing user, depending on the application.

              Possible values are des, md5, blowfish, sha256 and sha512, all
              case-insensitive.  Unrecognized values are treated as des.
              Default value is des.

              Note that a misspelled value therefore silently selects des, the
              weakest of the listed algorithms.  Set crypt_style explicitly
              and check the hashes actually written to /etc/shadow rather than
              relying on the default.


       hash_rounds_min, hash_rounds_max
              These variables specify an inclusive range of hash rounds used
              when crypt_style is sha256 or sha512.  A number of hash rounds
              is chosen from this interval randomly.  A larger number of
              rounds makes password checking, and brute-force attempts to
              recover the password from its hash, more CPU-intensive.  The
              number of rounds is restricted to the interval [1000,
              999999999].

              If only one of the above variables is specified, that variable
              alone determines the number of rounds used.  If neither variable
              is specified, the number of rounds is chosen by libc.
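
       The crypt_style and hash_rounds_* rules above, as an added example that
       is not libuser's own code: the salt prefix that crypt(3) would be given
       for a new password, for an all-default [defaults] section beside an
       explicit, hardened one.  The hash identifiers in the table are the usual
       crypt(3) ones and are assumed here (the page only names the styles); so
       are the treatment of an empty rounds value as unset and of a reversed
       interval as its ordered form.

```python
"""Added example, not libuser code: derive the crypt(3) setting prefix that the
[defaults] crypt_style and hash_rounds_* variables select for a new password.

Rules from the manual page: style names are case-insensitive, an unrecognized
name means des, rounds only apply to sha256/sha512, the count is limited to
[1000, 999999999], one rounds variable alone fixes the count, both give a
random count from the inclusive interval, neither leaves it to libc.
Assumptions: the hash identifiers below are the usual crypt(3) ones, an empty
value counts as unset, and a reversed interval is used in ordered form.
"""
import secrets

ROUNDS_MIN, ROUNDS_MAX = 1000, 999999999

# crypt(3) identifiers (assumed); 'rounds=' is only meaningful for the SHA ones.
STYLE_PREFIX = {"des": "", "md5": "$1$", "blowfish": "$2a$",
                "sha256": "$5$", "sha512": "$6$"}


def resolve_crypt_style(value):
    """Case-insensitive lookup; anything unknown (or unset) falls back to des."""
    style = (value or "des").strip().lower()
    return style if style in STYLE_PREFIX else "des"


def _num(value):
    """Configured value as int, or None when unset or empty (assumption)."""
    if value is None or str(value).strip() == "":
        return None
    return int(value)


def clamp_rounds(n):
    """Restrict a configured rounds value to [1000, 999999999]."""
    return max(ROUNDS_MIN, min(ROUNDS_MAX, int(n)))


def choose_rounds(hash_rounds_min=None, hash_rounds_max=None):
    """Rounds to request, or None when libc should choose."""
    lo, hi = _num(hash_rounds_min), _num(hash_rounds_max)
    if lo is None and hi is None:
        return None
    if lo is None or hi is None:
        return clamp_rounds(lo if hi is None else hi)   # one variable fixes it
    lo, hi = sorted((clamp_rounds(lo), clamp_rounds(hi)))
    return lo + secrets.randbelow(hi - lo + 1)          # inclusive, uniform


def salt_prefix(defaults):
    """Build the crypt(3) setting prefix from a [defaults] dict of strings."""
    style = resolve_crypt_style(defaults.get("crypt_style"))
    prefix = STYLE_PREFIX[style]
    rounds = choose_rounds(defaults.get("hash_rounds_min"),
                           defaults.get("hash_rounds_max"))
    if style in ("sha256", "sha512") and rounds is not None:
        prefix += "rounds=%d$" % rounds
    return prefix


# Constructed samples: an empty [defaults] (everything at its documented
# default) beside an explicit, hardened one.
WEAK_DEFAULTS = {}
HARDENED_DEFAULTS = {"crypt_style": "sha512",
                     "hash_rounds_min": "65536", "hash_rounds_max": "131072"}

if __name__ == "__main__":
    print("weak:     %r" % salt_prefix(WEAK_DEFAULTS))      # '' selects traditional des
    print("hardened: %r" % salt_prefix(HARDENED_DEFAULTS))  # '$6$rounds=<65536..131072>$'
```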


       mailspooldir
              The directory containing the users' mail spool files.  Default
              value is /var/mail.


       moduledir
              The directory containing libuser modules.  Default value uses
              the modules installed with libuser, corresponding to the
              architecture of the libuser library, e.g. /usr/lib/libuser or
              /usr/lib64/libuser (assuming libuser was configured with
              --prefix=/usr).


       modules
              A list of module names to use when not creating user or group
              entries, unless the application specifies a different list.  The
              module names in the list can be separated using space, tab or
              comma.  Default value is files shadow.


       skeleton
              The directory containing files to copy to newly created home
              directories.  Default value is /etc/skel.


   [import] section
       login_defs
              A path to the login.defs file from shadow.  If this variable is
              defined, the variables from the named file are used in place of
              some libuser variables.  Variables explicitly defined in
              libuser.conf are not affected by the contents of login.defs.

              The following variables are imported:

              ┌─────────────────────┬───────────────────────────────┐
              │Variable             │ Imported as                   │
              ├─────────────────────┼───────────────────────────────┤
              │ENCRYPT_METHOD       │ defaults/crypt_style          │
              │GID_MIN              │ groupdefaults/LU_GIDNUMBER    │
              │MAIL_DIR             │ defaults/mailspooldir         │
              │MD5_CRYPT_ENAB       │ defaults/crypt_style          │
              │PASS_MAX_DAYS        │ userdefaults/LU_SHADOWMAX     │
              │PASS_MIN_DAYS        │ userdefaults/LU_SHADOWMIN     │
              │PASS_WARN_AGE        │ userdefaults/LU_SHADOWWARNING │
              │SHA_CRYPT_MIN_ROUNDS │ defaults/hash_rounds_min      │
              │SHA_CRYPT_MAX_ROUNDS │ defaults/hash_rounds_max      │
              │UID_MIN              │ userdefaults/LU_UIDNUMBER     │
              └─────────────────────┴───────────────────────────────┘

              The following variables are not imported: CREATE_HOME, GID_MAX,
              MAIL_FILE, SYSLOG_SG_ENAB, UID_MAX, UMASK, USERDEL_CMD,
              USERGROUPS_ENAB


       default_useradd
              A path to the default/useradd file from useradd in shadow.  If
              this variable is defined, the variables from the named file are
              used in place of some libuser variables.  Variables explicitly
              defined in libuser.conf are not affected by the contents of
              default/useradd.

              The following variables are imported:

              ┌─────────┬────────────────────────────────┐
              │Variable │ Imported as                    │
              ├─────────┼────────────────────────────────┤
              │EXPIRE   │ userdefaults/LU_SHADOWEXPIRE   │
              │GROUP    │ userdefaults/LU_GIDNUMBER      │
              │HOME     │ userdefaults/LU_HOMEDIRECTORY  │
              │INACTIVE │ userdefaults/LU_SHADOWINACTIVE │
              │SHELL    │ userdefaults/LU_LOGINSHELL     │
              │SKEL     │ defaults/skeleton              │
              └─────────┴────────────────────────────────┘

              The HOME variable value has /%n appended to it before importing.
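
       The two import tables above, as an added example that is not libuser's
       own code: a merge that fills in only the variables libuser.conf leaves
       undefined, using the exact mappings listed, and appends /%n to HOME.
       The line formats assumed for the two shadow files ("NAME value" for
       login.defs, "NAME=value" for default/useradd) and the precedence of
       ENCRYPT_METHOD over MD5_CRYPT_ENAB (yes selects md5, no selects des)
       are assumptions; this page states neither.  The file contents are
       constructed samples.

```python
"""Added example, not libuser code: apply the [import] rules to a parsed
configuration.  Imported values only fill in variables that libuser.conf does
not define itself, and HOME gets /%n appended before import.

Assumptions (not stated on this page): login.defs lines are 'NAME value' and
default/useradd lines are 'NAME=value'; when ENCRYPT_METHOD is present it
decides crypt_style and MD5_CRYPT_ENAB is consulted only otherwise
(yes -> md5, no -> des).
"""

LOGIN_DEFS_MAP = {
    "ENCRYPT_METHOD":       ("defaults", "crypt_style"),
    "GID_MIN":              ("groupdefaults", "LU_GIDNUMBER"),
    "MAIL_DIR":             ("defaults", "mailspooldir"),
    "PASS_MAX_DAYS":        ("userdefaults", "LU_SHADOWMAX"),
    "PASS_MIN_DAYS":        ("userdefaults", "LU_SHADOWMIN"),
    "PASS_WARN_AGE":        ("userdefaults", "LU_SHADOWWARNING"),
    "SHA_CRYPT_MIN_ROUNDS": ("defaults", "hash_rounds_min"),
    "SHA_CRYPT_MAX_ROUNDS": ("defaults", "hash_rounds_max"),
    "UID_MIN":              ("userdefaults", "LU_UIDNUMBER"),
}
DEFAULT_USERADD_MAP = {
    "EXPIRE":   ("userdefaults", "LU_SHADOWEXPIRE"),
    "GROUP":    ("userdefaults", "LU_GIDNUMBER"),
    "HOME":     ("userdefaults", "LU_HOMEDIRECTORY"),
    "INACTIVE": ("userdefaults", "LU_SHADOWINACTIVE"),
    "SHELL":    ("userdefaults", "LU_LOGINSHELL"),
    "SKEL":     ("defaults", "skeleton"),
}


def parse_shadow_file(text, separator=None):
    """Read a login.defs-style (whitespace) or default/useradd-style ('=')
    file.  Comments and malformed lines are ignored, the first value wins."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if separator == "=":
            if "=" not in line:
                continue
            name, _, value = line.partition("=")
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            name, value = parts
        values.setdefault(name.strip(), value.strip())
    return values


def apply_imports(config, login_defs_text=None, default_useradd_text=None):
    """Return a copy of config with imported values filled in where absent."""
    merged = {section: dict(variables) for section, variables in config.items()}

    def set_if_absent(section, name, value):
        merged.setdefault(section, {}).setdefault(name, value)   # explicit wins

    if login_defs_text is not None:
        defs = parse_shadow_file(login_defs_text)
        for src, (section, name) in LOGIN_DEFS_MAP.items():
            if src in defs:
                set_if_absent(section, name, defs[src])
        # MD5_CRYPT_ENAB also targets crypt_style (assumed precedence, see above)
        if "ENCRYPT_METHOD" not in defs and "MD5_CRYPT_ENAB" in defs:
            enabled = defs["MD5_CRYPT_ENAB"].lower() == "yes"
            set_if_absent("defaults", "crypt_style", "md5" if enabled else "des")

    if default_useradd_text is not None:
        useradd = parse_shadow_file(default_useradd_text, separator="=")
        for src, (section, name) in DEFAULT_USERADD_MAP.items():
            if src in useradd:
                value = useradd[src]
                if src == "HOME":
                    value += "/%n"           # expanded to the user name later
                set_if_absent(section, name, value)
    return merged


# Constructed samples standing in for /etc/login.defs and /etc/default/useradd.
LOGIN_DEFS = """\
# constructed login.defs fragment
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 65536
UID_MIN 1000
PASS_MAX_DAYS 99999
UMASK 077
"""
DEFAULT_USERADD = """\
# constructed default/useradd fragment
GROUP=100
HOME=/home
SHELL=/bin/bash
SKEL=/etc/skel
"""
```

       Note that UMASK is read but never lands in the merged configuration,
       matching the "not imported" list, and that an explicit crypt_style in
       libuser.conf is kept even when login.defs names a different method.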


   [userdefaults] section
       This section defines attribute values of newly created user entities.
       There is one special variable:


       LU_UIDNUMBER
              A decimal number, the first allowed UID value for regular users
              (not system users).  Default value is 500.


       All other variables have the same names as the attribute names from
       <libuser/entity.h> and define attribute values.  Either the macro name
       (e.g. LU_GECOS) or the macro content (e.g. pw_gecos) can be used; if
       both are used, the one appearing later in the configuration file is
       used.

       The % character in the value of a variable introduces an escape
       sequence: %n is replaced by the user name, %d is replaced by the
       current date in days since the epoch, %u is replaced by the user's UID.
       There is no way to escape the % character and avoid this substitution,
       so a value cannot carry a literal % followed by one of those letters.

       After the userdefaults section is processed, modules may define
       additional attributes or even override the attributes defined in this
       section.


   [groupdefaults] section
       The groupdefaults section is similar to userdefaults.  There is one
       special variable:


       LU_GIDNUMBER
              A decimal number, the first allowed GID value for regular groups
              (not system groups).  Default value is 500.


       The other variables follow the same rules as in the userdefaults
       section, except that %n and %u are replaced by the group name and the
       group's GID, respectively.
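
       The attribute and escape rules of the userdefaults and groupdefaults
       sections above, as one added example that is not libuser's own code:
       a resolver that maps macro names to their entity.h contents with the
       later definition winning, and expands %n, %d and %u for a user or a
       group.  Only LU_GECOS/pw_gecos is quoted on this page; the other alias
       entries come from <libuser/entity.h>.  That an unknown escape such as %x
       is copied through unchanged is an assumption.  The section contents are
       a constructed sample.

```python
"""Added example, not libuser code: resolve a [userdefaults] or
[groupdefaults] section into attribute values for one new entity.

Two rules from the manual page are implemented: a macro name (LU_GECOS) and
its content (pw_gecos) name the same attribute and the later definition wins,
and %n / %d / %u are expanded with no way to write a literal '%'.
Assumptions: an unknown escape such as %x is copied through unchanged, and the
alias table is limited to a few entity.h names (only LU_GECOS/pw_gecos is
quoted on this page).
"""
import time

# macro name -> macro content, as in <libuser/entity.h>
ATTRIBUTE_ALIASES = {
    "LU_GECOS": "pw_gecos",
    "LU_HOMEDIRECTORY": "pw_dir",
    "LU_LOGINSHELL": "pw_shell",
    "LU_UIDNUMBER": "pw_uid",
    "LU_GIDNUMBER": "pw_gid",
}


def expand_escapes(value, name, number, days=None):
    """Expand %n (user/group name), %u (UID/GID) and %d (days since epoch)."""
    if days is None:
        days = int(time.time()) // 86400
    substitutions = {"n": name, "u": str(number), "d": str(days)}
    out, i = [], 0
    while i < len(value):
        if value[i] == "%" and i + 1 < len(value) and value[i + 1] in substitutions:
            out.append(substitutions[value[i + 1]])
            i += 2
        else:
            out.append(value[i])      # plain text and unknown escapes (assumption)
            i += 1
    return "".join(out)


def resolve_defaults(section, name, number, days=None):
    """Turn a parsed [userdefaults]/[groupdefaults] dict (in file order) into
    {attribute: expanded value}.  The special LU_UIDNUMBER/LU_GIDNUMBER is an
    allocation floor, not an attribute, so it is skipped."""
    attributes = {}
    for variable, value in section.items():
        if variable in ("LU_UIDNUMBER", "LU_GIDNUMBER"):
            continue
        attribute = ATTRIBUTE_ALIASES.get(variable, variable)
        attributes[attribute] = expand_escapes(value, name, number, days)  # later wins
    return attributes


# Constructed sample in file order: pw_gecos appears after LU_GECOS and wins.
USERDEFAULTS = {
    "LU_UIDNUMBER": "1000",
    "LU_GECOS": "%n",
    "pw_gecos": "User %n (uid %u)",
    "LU_HOMEDIRECTORY": "/home/%n",
    "LU_LOGINSHELL": "/bin/bash",
    "LU_SHADOWLASTCHANGE": "%d",
}

if __name__ == "__main__":
    for attribute, value in resolve_defaults(USERDEFAULTS, "alice", 1000).items():
        print("%s = %s" % (attribute, value))
```

       The test below also shows the caveat in practice: a value such as
       "50%discount" is rewritten, because %d is taken as the date escape.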

       After the groupdefaults section is processed, modules may define
       additional attributes or even override the attributes defined in this
       section.


   [files] section
       Configures the files module, which manages /etc/group and /etc/passwd.
       The configuration variables are probably useful only for libuser
       development.


       directory
              The directory containing the group and passwd files.  Default
              value is /etc.


       nonroot
              Allow module initialization when not invoked as the root user if
              the value is yes.


   [shadow] section
       Configures the shadow module, which manages /etc/gshadow and
       /etc/shadow.  The configuration variables are probably useful only for
       libuser development.


       directory
              The directory containing the gshadow and shadow files.  Default
              value is /etc.


       nonroot
              Allow module initialization when not invoked as the root user if
              the value is yes.


   [ldap] section
       Configures the ldap module, which manages a user database accessible
       using LDAP.


       userBranch
              The LDAP suffix for user entities.  Default value is ou=People.


       groupBranch
              The LDAP suffix for group entities.  Default value is ou=Group.


       server A domain name or a URI of the LDAP server.  The URI can use the
              ldap, ldapi or the ldaps protocol.  When a simple domain name is
              used, the connection fails if TLS can not be used; a URI using
              the ldap protocol allows connection without TLS.  TLS is never
              used with the ldapi protocol.  Default value is ldap.

              With an ldap URI and a simple bind the password can therefore
              cross the network in the clear; a plain domain name or an ldaps
              URI makes TLS mandatory.


       basedn The base DN of the server.  Default value is dc=example,dc=com.


       binddn A DN for binding to the server.  If the value is empty or
              binding using this DN fails, a DN of uid=user,userBranch,basedn
              is used, where userBranch and basedn are variables from this
              section and user is the user name of the invoking user, unless
              overridden by the user variable from this section.  Default
              value is cn=manager,dc=example,dc=com.


       user   The SASLv2 identity for authenticating to the LDAP server; it
              also overrides the user name used for generating a bind DN.
              Default value is the name of the invoking user.


       password
              The password used for a simple bind by default.  If not
              specified, there is no default and the user must supply the
              password each time.

              IT IS STRONGLY RECOMMENDED NOT TO STORE A PASSWORD IN THE
              SYSTEM-WIDE /etc/libuser.conf FILE.  The configuration file is
              world-readable by default, and setuid programs that prompt for a
              server name could be used to send the password to an attacker-
              controlled server.


       authuser
              The SASLv2 authorization user, if non-empty.  Default value is
              empty.


       bindtype
              The list of bind types to use, separated by commas.  Allowed
              bind types are simple, sasl, and sasl/mechanism, where mechanism
              is a SASL mechanism.  The bind types (but not necessarily
              mechanism) are case-insensitive.  If more than one bind type is
              specified, their relative order is ignored.  Default value is
              simple,sasl.


   [sasl] section
       Configures the sasl module, which manages a SASLv2 user database.


       appname
              Name of the SASLv2 application.  Default value is empty.


       domain Domain used by libuser for the SASLv2 authentication object.
              Default value is empty.


BUGS
       Invalid lines in the configuration file (or the imported shadow
       configuration files) are silently ignored.  A misspelled variable or
       section name is likewise not reported, so the documented default
       silently stays in effect.


FILES
       /etc/libuser.conf
              The default location of the configuration file.  Can be
              overridden by the LIBUSER_CONF environment variable, except in
              set-uid or set-gid programs.



libuser                           2010-02-08                    libuser.conf(5)