default.conf(5)                 IPA Manual Pages                 default.conf(5)

NAME
       default.conf - IPA configuration file

SYNOPSIS
       /etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf,
       /etc/ipa/cli.conf

DESCRIPTION
       The default.conf configuration file is used to set system-wide defaults
       to be applied when running IPA clients and servers.

       Users may create an optional configuration file in ~/.ipa/default.conf
       which will be merged into the system-wide defaults file.

       The following files are read, in order:
           ~/.ipa/default.conf
           /etc/ipa/<context>.conf
           /etc/ipa/default.conf
           built-in constants

       The IPA server does not read ~/.ipa/default.conf.

       The first setting wins.

SYNTAX
       The configuration option names are not case sensitive. The values may
       be case sensitive, depending on the option.

       Blank lines are ignored. Lines beginning with # are comments and are
       ignored.

       Valid lines consist of an option name, an equals sign and a value.
       Spaces surrounding the equals sign are ignored. An option terminates at
       the end of a line.

       Values should not be quoted; the quotes will not be stripped.

           # Wrong - don't include quotes
           verbose = "True"

           # Right - properly formatted options
           verbose = True
           verbose=True

       Options must appear in the section named [global]. There are no other
       sections defined or used currently.

       Options may be defined that are not used by IPA. Be careful of
       misspellings; they will not be rejected.
OPTIONS
       The following options are relevant for the server:

       basedn <base>
              Specifies the base DN to use when performing LDAP operations.
              The base must be in DN format (dc=example,dc=com).

       ca_agent_port <port>
              Specifies the secure CA agent port. The default is 8443.

       ca_host <hostname>
              Specifies the hostname of the dogtag CA server. The default is
              the hostname of the IPA server.

       ca_port <port>
              Specifies the insecure CA end user port. The default is 8080.

       certmonger_wait_timeout <seconds>
              The time to wait for a certmonger request to complete during
              installation. The default value is 300 seconds.

       context <context>
              Specifies the context that IPA is being executed in. IPA may
              operate differently depending on the context. The currently
              defined contexts are cli, server and dns. Additionally this value
              is used to load /etc/ipa/<context>.conf to provide
              context-specific configuration. For example, if you want to
              always perform client requests in verbose mode but do not want
              verbose enabled on the server, add the verbose option to
              /etc/ipa/cli.conf.

       debug <boolean>
              When True provides detailed information. Specifically this sets
              the global log level to "debug". Default is False.

       dogtag_version <version>
              Stores the version of Dogtag. Value 9 is assumed if not
              specified otherwise.

       domain <domain>
              The domain of the IPA server, e.g. example.com.

       enable_ra <boolean>
              Specifies whether the CA is acting as an RA agent, such as when
              dogtag is being used as the Certificate Authority. This setting
              only applies to the IPA server configuration.

       fallback <boolean>
              Specifies whether an IPA client should attempt to fall back and
              try other services if the first connection fails.

       host <hostname>
              Specifies the local system hostname.

       http_timeout <seconds>
              Timeout for blocking HTTP requests (e.g. connection). The
              default value is 30 seconds.

       in_server <boolean>
              Specifies whether requests should be forwarded to an IPA server
              or handled locally. This is used internally by IPA in a similar
              way as context. The same IPA framework is used by the ipa
              command-line tool and the server. This setting tells the
              framework whether it should execute the command as if on the
              server or forward it via XML-RPC to a remote server.

       in_tree <boolean>
              This is used in development and is generally a detected value.
              It means that the code is being executed within a source tree.

       interactive <boolean>
              Specifies whether values should be prompted for or not. The
              default is True.

       kinit_lifetime <time duration spec>
              Controls the lifetime of the ticket obtained by users
              authenticating to the WebGUI using login/password. The expected
              format is a time duration string. Examples are "2 hours",
              "1h:30m", "10 minutes", "5min, 30sec". When the parameter is not
              set in default.conf, the ticket will have a duration inherited
              from the default value for Kerberos clients, which can be set as
              ticket_lifetime in krb5.conf. When the ticket lifetime has
              expired, the ticket is not valid anymore and the GUI will prompt
              to re-login with the message "Your session has expired. Please
              re-login."

       ldap_cache <boolean>
              Enable a per-request LDAP cache. The default is True.

       ldap_cache_size <integer>
              The maximum number of entries cached if ldap_cache is True.
              Since this cache is per-request it is not expected to be very
              large. The default is 100. Setting the value < 1 effectively
              disables the cache regardless of the ldap_cache setting.

       ldap_cache_debug <boolean>
              Log details on hits, misses, etc. for the LDAP cache if the
              cache is enabled.

       ldap_uri <URI>
              Specifies the URI of the IPA LDAP server to connect to. The URI
              scheme may be one of ldap or ldapi. The default is to use ldapi,
              e.g. ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
       log_logger_level_XXX <comma separated list of regexps>
              Loggers matching the regexp will be assigned level XXX.

              Logger levels can be explicitly specified for specific loggers
              as opposed to a global logging level. Specific loggers are
              indicated by a list of regular expressions bound to a level. If
              a logger's name matches the regexp then it is assigned that
              level. This config item must begin with "log_logger_level_" and
              then be followed by a symbolic or numeric log level, for
              example:

                  log_logger_level_debug = ipalib\.dn\..*

                  log_logger_level_35 = ipalib\.plugins\.dogtag

              The first line says any logger belonging to the ipalib.dn module
              will have its level configured to debug.

              The second line says the ipalib.plugins.dogtag logger will be
              configured to level 35.

              This config item is useful when you only want to see the log
              output from one or more selected loggers. Turning on the global
              debug flag will produce an enormous amount of output. This
              allows you to leave the global debug flag off and selectively
              enable output from a specific logger. Typically loggers are
              bound to classes and plugins.

              Note: logger names are a dot ('.') separated list forming a path
              in the logger tree. The dot character is also a regular
              expression metacharacter (matches any character), therefore you
              will usually need to escape the dot in the logger names by
              preceding it with a backslash.
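              An added example, not FreeIPA's own logging code, of how the
              log_logger_level_ settings above map onto Python loggers and why
              the dot must be escaped. That the regexp is matched from the
              start of the logger name (re.match) is an assumption; the
              unescaped setting and the logger names are constructed.

```python
# Added example (not FreeIPA code): apply log_logger_level_XXX settings to
# Python loggers as the man page describes, and show the unescaped-dot pitfall.
import logging
import re
from typing import Dict, List, Optional, Tuple

PREFIX = "log_logger_level_"

def parse_logger_levels(options: Dict[str, str]) -> List[Tuple[re.Pattern, int]]:
    """Turn {'log_logger_level_debug': r'ipalib\\.dn\\..*', ...} into
    (compiled regexp, numeric level) pairs; the suffix after the prefix is
    a symbolic name (debug, info, ...) or a number such as 35."""
    rules = []
    for name, value in options.items():
        if not name.startswith(PREFIX):
            continue
        suffix = name[len(PREFIX):]
        level = int(suffix) if suffix.isdigit() else logging.getLevelName(suffix.upper())
        if not isinstance(level, int):           # getLevelName returns a str when unknown
            raise ValueError(f"{name}: unknown log level {suffix!r}")
        for pattern in value.split(","):         # comma separated list of regexps
            if pattern.strip():
                rules.append((re.compile(pattern.strip()), level))
    return rules

def level_for(logger_name: str, rules) -> Optional[int]:
    """First matching rule wins; None means 'keep the global level'.
    Assumption: the regexp is matched at the start of the name (re.match)."""
    for regexp, level in rules:
        if regexp.match(logger_name):
            return level
    return None

def apply_rules(logger_names, rules) -> Dict[str, int]:
    """Set the level on every named logger that a rule selects."""
    applied = {}
    for name in logger_names:
        level = level_for(name, rules)
        if level is not None:
            logging.getLogger(name).setLevel(level)
            applied[name] = level
    return applied

# The two settings from the man page, plus a constructed one that forgot to
# escape the dots: '.' then matches any character, so the rule also catches
# loggers such as ipalib.dns.* that live in a different module.
ESCAPED = {"log_logger_level_debug": r"ipalib\.dn\..*",
           "log_logger_level_35": r"ipalib\.plugins\.dogtag"}
UNESCAPED = {"log_logger_level_debug": "ipalib.dn.*"}
```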
190
191 mode <mode>
192 Specifies the mode the server is running in. The currently sup‐
193 port values are production and developer. When running in pro‐
194 duction mode some self-tests are skipped to improve performance.
195
196 mount_ipa <URI>
197 Specifies the mount point that the development server will reg‐
198 ister. The default is /ipa/
199
200 oidc_child_debug_level <debuglevel>
201 Specifies the debug level of oidc_child, a helper process used
202 by ipa-otpd for OIDC/OAuth2 authentication. Level can be between
203 0 and 10, the higher the more details. If the level is 6 or
204 higher HTTP debug output is added as well.
205
206 passkey_child_debug_level <debuglevel>
207 Specifies the debug level of passkey_child, a helper process
208 used by ipa-otpd for passkey authentication. Level can be be‐
209 tween 0 and 10, the higher the more details. If the level is 6
210 or higher libfido2 debug output is added as well.
211
212 prompt_all <boolean>
213 Specifies that all options should be prompted for in the IPA
214 client, even optional values. Default is False.
215
216 ra_plugin <name>
217 Specifies the name of the CA back end to use. The current op‐
218 tions are dogtag and none. This is a server-side setting. Chang‐
219 ing this value is not recommended as the CA back end is only set
220 up during initial installation.
221
222 realm <realm>
223 Specifies the Kerberos realm.
224
225 replication_wait_timeout <seconds>
226 The time to wait for a new entry to be replicated during replica
227 installation. The default value is 300 seconds.
228
229 schema_ttl <seconds>
230 The number of seconds for the ipa tool to cache the IPA API and
231 help schema. Reducing this value during development is helpful
232 so that API changes are seen sooner in the tool. Setting this on
233 a server will define the TTL for all client versions > 4.3.1.
234 Client versions > 4.3.1 that connect to IPA servers older than
235 4.3.1 will use the client-side configuration value. The default
236 is 3600 seconds. 0 disables the cache. A change in the ttl will
237 not be immediately recognized by clients. They will use the new
238 value once their current cache expires.
239
240 server <hostname>
241 Specifies the IPA Server hostname.
242
243 skip_version_check <boolean>
244 Skip client vs. server API version checking. Can lead to er‐
245 rors/strange behavior when newer clients talk to older servers.
246 Use with caution.
247
248 startup_timeout <time in seconds>
249 Controls the amount of time waited when starting a service. The
250 default value is 120 seconds.
251
252 startup_traceback <boolean>
253 If the IPA server fails to start and this value is True the
254 server will attempt to generate a python traceback to make iden‐
255 tifying the underlying problem easier.
256
257 validate_api <boolean>
258 Used internally in the IPA source package to verify that the API
259 has not changed. This is used to prevent regressions. If it is
260 true then some errors are ignored so enough of the IPA framework
261 can be loaded to verify all of the API, even if optional compo‐
262 nents are not installed. The default is False.
263
264 verbose <boolean>
265 When True provides more information. Specifically this sets the
266 global log level to "info".
267
268 wait_for_dns <number of attempts>
269 Controls whether the IPA commands dnsrecord-{add,mod,del} work
270 synchronously or not. The DNS commands will repeat DNS queries
271 up to the specified number of attempts until the DNS server re‐
272 turns an up-to-date answer to a query for modified records. De‐
273 lay between retries is one second.
274
275 The DNS commands will raise a DNSDataMismatch exception if the
276 answer doesn't match the expected value even after the specified
277 number of attempts.
278
279 The DNS queries will be sent to the resolver configured in
280 /etc/resolv.conf on the IPA server.
281
282 Do not enable this in production! This will cause problems if
283 the resolver on IPA server uses a caching server instead of a
284 local authoritative server or e.g. if DNS answers are modified
285 by DNS64. The default is disabled (the option is not present).
286
287 xmlrpc_uri <URI>
288 Specifies the URI of the XML-RPC server for a client. This may
289 be used by IPA, and is used by some external tools, such as
290 ipa-getcert. Example: https://ipa.example.com/ipa/xml
291
292 jsonrpc_uri <URI>
293 Specifies the URI of the JSON server for a client. This is used
294 by IPA. If not given, it is derived from xmlrpc_uri. Example:
295 https://ipa.example.com/ipa/json
296
297 rpc_protocol <URI>
298 Specifies the type of RPC calls IPA makes: 'jsonrpc' or 'xml‐
299 rpc'. Defaults to 'jsonrpc'.
300
301 The following define the containers for the IPA server. Containers de‐
302 fine where in the DIT that objects can be found. The full location is
303 the value of container + basedn.
304 container_accounts: cn=accounts
305 container_applications: cn=applications,cn=configs,cn=policies
306 container_automount: cn=automount
307 container_configs: cn=configs,cn=policies
308 container_dns: cn=dns
309 container_group: cn=groups,cn=accounts
310 container_hbac: cn=hbac
311 container_hbacservice: cn=hbacservices,cn=hbac
312 container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
313 container_host: cn=computers,cn=accounts
314 container_hostgroup: cn=hostgroups,cn=accounts
315 container_netgroup: cn=ng,cn=alt
316 container_permission: cn=permissions,cn=pbac
317 container_policies: cn=policies
318 container_policygroups: cn=policygroups,cn=configs,cn=policies
319 container_policylinks: cn=policylinks,cn=configs,cn=policies
320 container_privilege: cn=privileges,cn=pbac
321 container_rolegroup: cn=roles,cn=accounts
322 container_roles: cn=roles,cn=policies
323 container_service: cn=services,cn=accounts
324 container_sudocmd: cn=sudocmds,cn=sudo
325 container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
326 container_sudorule: cn=sudorules,cn=sudo
327 container_user: cn=users,cn=accounts
328 container_vault: cn=vaults,cn=kra
329 container_virtual: cn=virtual operations,cn=etc
330
FILES
       /etc/ipa/default.conf
              system-wide IPA configuration file

       $HOME/.ipa/default.conf
              user IPA configuration file

       It is also possible to define context-specific configuration files. The
       context is set when the IPA API is initialized. The currently defined
       contexts in IPA are cli, server and dns. This is helpful, for example,
       if you only want debug enabled on the server and not in the client. If
       debug is set to True in default.conf it will affect both the ipa client
       tool and the IPA server. If it is only set in server.conf then only the
       server will have debug set. These files will be loaded if they exist:

       /etc/ipa/cli.conf
              system-wide IPA client configuration file

       /etc/ipa/server.conf
              system-wide IPA server configuration file

EXAMPLES
       An example of a context-specific configuration file is
       /etc/ipa/dns.conf, used to increase the debug output of the IPA DNSSEC
       daemons:

           [global]
           debug = True

SEE ALSO
       ipa(1)

IPA                               Feb 21 2011                    default.conf(5)