1libuser.conf(5)               File Formats Manual              libuser.conf(5)
2
3
4

NAME

6       libuser.conf - configuration for libuser and libuser utilities
7
8

FILE FORMAT

10       libuser.conf  is a text file.  Leading and trailing white space on each
11       line is ignored.  Lines starting with # are ignored.
12
13       The file defines variables grouped into sections.  Each section  starts
14       with a section header:
15              [section name]
16       A single section header can appear more than once in the file.
17
18       The  lines  following  a section header define variables from that sec‐
19       tion:
20              variable = value
21       The value can be empty.
22
23       A variable can have more than one value, specified by using  more  than
24       one  line  defining  that  variable.   All  currently defined variables
25       accept only the first value and ignore the others, if any.
26
27

[defaults]

29       create_modules
30              A list of module names  to  use  when  creating  user  or  group
31              entries, unless the application specifies a different list.  The
32              module names in the list can be separated using  space,  tab  or
33              comma.  Default value is files shadow.
34
35
36       crypt_style
37              The  algorithm  to use for password encryption when creating new
38              passwords.  The current algorithm may be retained when  changing
39              a password of an existing user, depending on the application.
40
41              Possible  values  are des, md5, blowfish, sha256 and sha512, all
42              case-insensitive.   Unrecognized  values  are  treated  as  des.
43              Default value is des.
44
45
46       hash_rounds_min, hash_rounds_max
47              These  variables  specify an inclusive range of hash rounds used
48              when crypt_style is sha256 or sha512.  A number of  hash  rounds
49              is  chosen  from  this  interval  randomly.   A larger number of
50              rounds makes password  checking,  and  brute-force  attempts  to
51              guess  the  password  by reversing the hash, more CPU-intensive.
52              The number of  rounds  is  restricted  to  the  interval  [1000,
53              999999999].
54
55              If  only  one of the above variables is specified, the number of
56              rounds used is specified by  the  other  variable.   If  neither
57              variable is specified, the number of rounds is chosen by libc.
58
59
60       mailspooldir
61              The directory containing user's mail spool files.  Default value
62              is /var/mail.
63
64
65       moduledir
66              The directory containing libuser modules.   Default  value  uses
67              the  modules installed with libuser, corresponding to the archi‐
68              tecture  of  the  libuser  library,  e.g.  /usr/lib/libuser   or
69              /usr/lib64/libuser  (assuming libuser was configured with --pre‐
70              fix=/usr).
71
72
73       modules
74              A list of module names to use when not creating  user  or  group
75              entries, unless the application specifies a different list.  The
76              module names in the list can be separated using  space,  tab  or
77              comma.  Default value is files shadow.
78
79
80       skeleton
81              The  directory  containing  files  to copy to newly created home
82              directories.  Default value is /etc/skel.
83
84

[import]

86       login_defs
87              A path to the login.defs file from shadow.  If this variable  is
88              defined,  the variables from the named file are used in place of
89              some  libuser  variables.   Variables  explicitly   defined   in
90              libuser.conf are not affected by contents of login.defs.
91
92              The following variables are imported:
93
94              Variable             │ Imported as
95              ─────────────────────├───────────────────────────────
96              ENCRYPT_METHOD       defaults/crypt_style
97              GID_MIN              groupdefaults/LU_GIDNUMBER
98              MAIL_DIR             defaults/mailspooldir
99              MD5_CRYPT_ENAB       defaults/crypt_style
100              PASS_MAX_DAYS        userdefaults/LU_SHADOWMAX
101              PASS_MIN_DAYS        userdefaults/LU_SHADOWMIN
102              PASS_WARN_AGE        userdefaults/LU_SHADOWWARNING
103              SHA_CRYPT_MIN_ROUNDS defaults/hash_rounds_min
104              SHA_CRYPT_MAX_ROUNDS defaults/hash_rounds_max
105              UID_MIN              userdefaults/LU_UIDNUMBER
106
107              The  following variables are not imported: CREATE_HOME, GID_MAX,
108              MAIL_FILE, SYSLOG_SG_ENAB, UID_MAX,  UMASK,  USERDEL_CMD,  USER‐
109              GROUPS_ENAB
110
111
112       default_useradd
113              A  path  to the default/useradd file from useradd in shadow.  If
114              this variable is defined, the variables from the named file  are
115              used  in  place of some libuser variables.  Variables explicitly
116              defined  in  libuser.conf  are  not  affected  by  contents   of
117              default/useradd.
118
119              The following variables are imported:
120
121              Variable │ Imported as
122              ─────────├────────────────────────────────
123              EXPIRE   userdefaults/LU_SHADOWEXPIRE
124              GROUP    userdefaults/LU_GIDNUMBER
125              HOME     userdefaults/LU_HOMEDIRECTORY
126              INACTIVE userdefaults/LU_SHADOWINACTIVE
127              SHELL    userdefaults/LU_LOGINSHELL
128              SKEL     defaults/skeleton
129
130              The HOME variable value has /%n appended to it before importing.
131
132

[userdefaults]

134       This  section  defines attribute values of newly created user entities.
135       There is one special variable:
136
137
138       LU_UIDNUMBER
139              A decimal number, the first allowed UID value for regular  users
140              (not system users).  Default value is 500.
141
142
143       All  other  variables  have  the same names as the attribute names from
144       <libuser/entity.h> and define attribute values.  Either the macro  name
145       (e.g.  LU_GECOS)  or  the macro content (e.g. pw_gecos) can be used; if
146       both are used, the one appearing later in  the  configuration  file  is
147       used.
148
149       The  %  character  in  the  value  of the variable introduces an escape
150       sequence: %n is replaced by the user name, %d is  replaced  by  current
151       date  in days since the epoch, %u is replaced by the user's UID.  There
152       is no way to escape the % character and avoid this substitution.
153
154       After the userdefaults section is processed, modules may  define  addi‐
155       tional  attributes or even override the attributes defined in this sec‐
156       tion.
157
158

[groupdefaults]

160       The groupdefaults section is similar to  userdefaults.   There  is  one
161       special variable:
162
163
164       LU_GIDNUMBER
165              A decimal number, the first allowed GID value for regular groups
166              (not system groups).  Default value is 500.
167
168
169       The other variables follow the same rules as in the  userdefaults  sec‐
170       tion,  except that %n and %u are replaced by the group name and group's
171       GID, respectively.
172
173       After the groupdefaults section is processed, modules may define  addi‐
174       tional  attributes or even override the attributes defined in this sec‐
175       tion.
176
177

[files]

179       Configures the files module, which manages /etc/group and  /etc/passwd.
180       The configuration variables are probably useful only for libuser devel‐
181       opment.
182
183
184       directory
185              The directory containing the group and  passwd  files.   Default
186              value is /etc.
187
188
189       nonroot
190              Allow module initialization when not invoked as the root user if
191              the value is yes.
192
193

[shadow]

195       Configures  the  files   module,   which   manages   /etc/gshadow   and
196       /etc/shadow.   The configuration variables are probably useful only for
197       libuser development.
198
199
200       directory
201              The directory containing the gshadow and shadow files.   Default
202              value is /etc.
203
204
205       nonroot
206              Allow module initialization when not invoked as the root user if
207              the value is yes.
208
209

[ldap]

211       Configures the ldap module, which manages an user  database  accessible
212       using LDAP.
213
214
215       userBranch
216              The LDAP suffix for user entities.  Default value is ou=People.
217
218
219       groupBranch
220              The LDAP suffix for group entities.  Default value is ou=Group.
221
222
223       server A domain name or an URI of the LDAP server.  The URI can use the
224              ldap, ldapi or the ldaps protocol.  When a simple domain name is
225              used,  the connection fails if TLS can not be used; an URI using
226              the ldap protocol allows connection without TLS.  TLS  is  never
227              used with the ldapi protocol.  Default value is ldap.
228
229
230       basedn The base DN of the server.  Default value is dc=example,dc=com.
231
232
233       binddn A  DN for binding to the server.  If the value is empty or bind‐
234              ing using this DN fails, a DN of  uid=user,userBranch,basedn  is
235              used,  where  userBranch and basedn are variables from this sec‐
236              tion and user is the user name  of  the  invoking  user,  unless
237              overridden  by  the  user  variable  from this section.  Default
238              value is cn=manager,dc=example,dc=com.
239
240
241       user   The SASLv2 identity for authenticating to the LDAP server,  also
242              overrides the user name for generating a bind DN.  Default value
243              is the name of the invoking user.
244
245
246       password
247              The password used for a simple bind by default.  If  not  speci‐
248              fied,  there is no default and the user must supply the password
249              each time.
250
251              IT IS STRONGLY RECOMMENDED NOT TO STORE A PASSWORD IN  THE  SYS‐
252              TEM-WIDE  /etc/libuser.conf  FILE.   The  configuration  file is
253              world-readable by default, and setuid programs that prompt for a
254              server  name  could be used to send the password to an attacker-
255              controlled server.
256
257
258       authuser
259              The SASLv2 authorization user, if non-empty.  Default  value  is
260              empty.
261
262
263       bindtype
264              The  list  of  bind  types to use, separated by commas.  Allowed
265              bind types are simple, sasl, and sasl/mechanism, where mechanism
266              is a SASL mechanism.  The bind types (but not necessarily mecha‐
267              nism) are case-insensitive.  If more than one bind type is spec‐
268              ified,  their  relative order is ignored.  Default value is sim‐
269              ple,sasl.
270
271

[sasl]

273       Configures the sasl module, which manages a SASLv2 user database.
274
275
276       appname
277              Name of the SASLv2 application.  Default value is empty.
278
279
280       domain Domain used by libuser for  the  SASLv2  authentication  object.
281              Default value is empty.
282
283

BUGS

285       Invalid lines in the configuration file (or the imported shadow config‐
286       uration files) are silently ignored.
287
288

FILES

290       /etc/libuser.conf
291              The default location of the configuration file. Can be  overrid‐
292              den  by the LIBUSER_CONF environment variable, except in set-uid
293              or set-gid programs.
294
295
296
297libuser                           2010-02-08                   libuser.conf(5)
Impressum