libuser.conf(5)               File Formats Manual              libuser.conf(5)

NAME

       libuser.conf - configuration for libuser and libuser utilities


FILE FORMAT

       libuser.conf is a text file.  Leading and trailing white space on each
       line is ignored.  Lines starting with # are ignored.

       The file defines variables grouped into sections.  Each section starts
       with a section header:
              [section name]
       A single section header can appear more than once in the file.

       The lines following a section header define variables from that
       section:
              variable = value
       The value can be empty.

       A variable can have more than one value, specified by using more than
       one line defining that variable.  All currently defined variables
       accept only the first value and ignore the others, if any.


[defaults]

       create_modules
              A list of module names to use when creating user or group
              entries, unless the application specifies a different list.  The
              module names in the list can be separated using space, tab or
              comma.  Default value is files shadow.

       crypt_style
              The algorithm to use for password encryption when creating new
              passwords.  The current algorithm may be retained when changing
              a password of an existing user, depending on the application.

              Possible values are des, md5, blowfish, sha256, sha512, and
              yescrypt, all case-insensitive.  Unrecognized values are treated
              as des.  Default value is des.

       hash_rounds_min, hash_rounds_max
              These variables specify an inclusive range of hash rounds used
              when crypt_style is sha256 or sha512.  A number of hash rounds
              is chosen from this interval randomly.  A larger number of
              rounds makes password checking, and brute-force attempts to
              guess the password by reversing the hash, more CPU-intensive.
              The number of rounds is restricted to the interval [1000,
              999999999].

              If only one of the above variables is specified, the number of
              rounds used is specified by the other variable.  If neither
              variable is specified, the number of rounds is chosen by libc.

       mailspooldir
              The directory containing users' mail spool files.  Default value
              is /var/mail.

       moduledir
              The directory containing libuser modules.  Default value uses
              the modules installed with libuser, corresponding to the
              architecture of the libuser library, e.g. /usr/lib/libuser or
              /usr/lib64/libuser (assuming libuser was configured with
              --prefix=/usr).

       modules
              A list of module names to use when not creating user or group
              entries, unless the application specifies a different list.  The
              module names in the list can be separated using space, tab or
              comma.  Default value is files shadow.

       skeleton
              The directory containing files to copy to newly created home
              directories.  Default value is /etc/skel.


[import]

       login_defs
              A path to the login.defs file from shadow.  If this variable is
              defined, the variables from the named file are used in place of
              some libuser variables.  Variables explicitly defined in
              libuser.conf are not affected by contents of login.defs.

              The following variables are imported:

              Variable             │ Imported as
              ─────────────────────┼───────────────────────────────
              ENCRYPT_METHOD       │ defaults/crypt_style
              GID_MIN              │ groupdefaults/LU_GIDNUMBER
              MAIL_DIR             │ defaults/mailspooldir
              MD5_CRYPT_ENAB       │ defaults/crypt_style
              PASS_MAX_DAYS        │ userdefaults/LU_SHADOWMAX
              PASS_MIN_DAYS        │ userdefaults/LU_SHADOWMIN
              PASS_WARN_AGE        │ userdefaults/LU_SHADOWWARNING
              SHA_CRYPT_MIN_ROUNDS │ defaults/hash_rounds_min
              SHA_CRYPT_MAX_ROUNDS │ defaults/hash_rounds_max
              UID_MIN              │ userdefaults/LU_UIDNUMBER

              The following variables are not imported: CREATE_HOME, GID_MAX,
              MAIL_FILE, SYSLOG_SG_ENAB, UID_MAX, UMASK, USERDEL_CMD,
              USERGROUPS_ENAB

       default_useradd
              A path to the default/useradd file from useradd in shadow.  If
              this variable is defined, the variables from the named file are
              used in place of some libuser variables.  Variables explicitly
              defined in libuser.conf are not affected by contents of
              default/useradd.

              The following variables are imported:

              Variable │ Imported as
              ─────────┼────────────────────────────────
              EXPIRE   │ userdefaults/LU_SHADOWEXPIRE
              GROUP    │ userdefaults/LU_GIDNUMBER
              HOME     │ userdefaults/LU_HOMEDIRECTORY
              INACTIVE │ userdefaults/LU_SHADOWINACTIVE
              SHELL    │ userdefaults/LU_LOGINSHELL
              SKEL     │ defaults/skeleton

              The HOME variable value has /%n appended to it before importing.


[userdefaults]

       This section defines attribute values of newly created user entities.
       There is one special variable:

       LU_UIDNUMBER
              A decimal number, the first allowed UID value for regular users
              (not system users).  Default value is 500.

       All other variables have the same names as the attribute names from
       <libuser/entity.h> and define attribute values.  Either the macro name
       (e.g. LU_GECOS) or the macro content (e.g. pw_gecos) can be used; if
       both are used, the one appearing later in the configuration file is
       used.

       The % character in the value of the variable introduces an escape
       sequence: %n is replaced by the user name, %d is replaced by the
       current date in days since the epoch, %u is replaced by the user's UID.
       There is no way to escape the % character and avoid this substitution.

       After the userdefaults section is processed, modules may define
       additional attributes or even override the attributes defined in this
       section.


[groupdefaults]

       The groupdefaults section is similar to userdefaults.  There is one
       special variable:

       LU_GIDNUMBER
              A decimal number, the first allowed GID value for regular groups
              (not system groups).  Default value is 500.

       The other variables follow the same rules as in the userdefaults
       section, except that %n and %u are replaced by the group name and the
       group's GID, respectively.

       After the groupdefaults section is processed, modules may define
       additional attributes or even override the attributes defined in this
       section.


[files]

       Configures the files module, which manages /etc/group and /etc/passwd.
       The configuration variables are probably useful only for libuser
       development.

       directory
              The directory containing the group and passwd files.  Default
              value is /etc.

       nonroot
              Allow module initialization when not invoked as the root user if
              the value is yes.

       allow_id_duplicates
              Allow the use of duplicate uid/gid values.  The default value is
              no.


[shadow]

       Configures the shadow module, which manages /etc/gshadow and
       /etc/shadow.  The configuration variables are probably useful only for
       libuser development.

       directory
              The directory containing the gshadow and shadow files.  Default
              value is /etc.

       nonroot
              Allow module initialization when not invoked as the root user if
              the value is yes.


[ldap]

       Configures the ldap module, which manages a user database accessible
       using LDAP.

       userBranch
              The LDAP suffix for user entities.  Default value is ou=People.

       groupBranch
              The LDAP suffix for group entities.  Default value is ou=Group.

       server A domain name or a URI of the LDAP server.  The URI can use the
              ldap, ldapi or the ldaps protocol.  When a simple domain name is
              used, the connection fails if TLS cannot be used; a URI using
              the ldap protocol allows connection without TLS.  TLS is never
              used with the ldapi protocol.  Default value is ldap.

       basedn The base DN of the server.  Default value is dc=example,dc=com.

       binddn A DN for binding to the server.  If the value is empty or
              binding using this DN fails, a DN of uid=user,userBranch,basedn
              is used, where userBranch and basedn are variables from this
              section and user is the user name of the invoking user, unless
              overridden by the user variable from this section.  Default
              value is cn=manager,dc=example,dc=com.

       user   The SASLv2 identity for authenticating to the LDAP server; also
              overrides the user name for generating a bind DN.  Default value
              is the name of the invoking user.

       password
              The password used for a simple bind by default.  If not
              specified, there is no default and the user must supply the
              password each time.

              IT IS STRONGLY RECOMMENDED NOT TO STORE A PASSWORD IN THE
              SYSTEM-WIDE /etc/libuser.conf FILE.  The configuration file is
              world-readable by default, and setuid programs that prompt for a
              server name could be used to send the password to an attacker-
              controlled server.

       authuser
              The SASLv2 authorization user, if non-empty.  Default value is
              empty.

       bindtype
              The list of bind types to use, separated by commas.  Allowed
              bind types are simple, sasl, and sasl/mechanism, where mechanism
              is a SASL mechanism.  The bind types (but not necessarily
              mechanism) are case-insensitive.  If more than one bind type is
              specified, their relative order is ignored.  Default value is
              simple,sasl.

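       As an added example (not part of this manual page or of the libuser
       code base), the following Python reads a constructed libuser.conf using
       the rules from FILE FORMAT above (whitespace trimmed, # lines skipped,
       repeated section headers, first value wins), resolves crypt_style the
       way the [defaults] section describes, and flags the [ldap] settings this
       section warns about.  The sample file contents and the audit() finding
       texts are assumptions made for the example.

```python
# Constructed sample (not a real /etc/libuser.conf): the second crypt_style
# line must be ignored, and the [ldap] password is what the manual warns against.
SAMPLE_CONF = """
# comment line
[defaults]
crypt_style = SHA512
crypt_style = des
[ldap]
server = ldap://ldap.example.com
password = example-secret
"""
CRYPT_STYLES = {"des", "md5", "blowfish", "sha256", "sha512", "yescrypt"}

def parse_libuser_conf(text):
    # {section: {variable: [values]}}; all values are kept so the caller can
    # apply first-value-wins; invalid lines are silently ignored (see BUGS)
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})  # a repeated header extends the section
        elif section is not None and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            conf[section].setdefault(name, []).append(value)
    return conf

def first(conf, section, name, default=None):
    # every currently defined variable accepts only its first value
    values = conf.get(section, {}).get(name)
    return values[0] if values else default

def effective_crypt_style(conf):
    # case-insensitive; an unrecognized or missing value falls back to des
    style = first(conf, "defaults", "crypt_style", "des").lower()
    return style if style in CRYPT_STYLES else "des"

def audit(conf):
    # findings a reviewer of a system-wide libuser.conf would want flagged
    findings = []
    if effective_crypt_style(conf) == "des":
        findings.append("defaults/crypt_style resolves to des")
    if first(conf, "ldap", "password") is not None:
        findings.append("ldap/password stored in the configuration file")
    if first(conf, "ldap", "server", "ldap").lower().startswith("ldap://"):
        findings.append("ldap/server uses ldap://, allowing a connection without TLS")
    return findings
```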

[sasl]

       Configures the sasl module, which manages a SASLv2 user database.

       appname
              Name of the SASLv2 application.  Default value is empty.

       domain Domain used by libuser for the SASLv2 authentication object.
              Default value is empty.


BUGS

       Invalid lines in the configuration file (or the imported shadow
       configuration files) are silently ignored.


FILES

       /etc/libuser.conf
              The default location of the configuration file.  Can be
              overridden by the LIBUSER_CONF environment variable, except in
              set-uid or set-gid programs.


libuser                           2010-02-08                   libuser.conf(5)