

pmd

In the [pmd] section, the tokens determine the PMDB attributes.

Note: In addition to seos.ini, each policy model has a configuration file named pmd.ini.

_min_retries_

Specifies the minimum number of attempts that sepmdd should make to resend the next queued update to an unavailable subscriber. The sepmdd loops through the list of subscribers for outstanding updates and increments the counter each time it cannot resend the update to an unavailable subscriber. The subscriber is marked unavailable after the minimum number of attempts specified in this token.

Default: 4

_pmd_backup_directory_

Defines the directory that CA ControlMinder uses to store Policy Model backups. CA ControlMinder stores each PMD backup in a subdirectory named pmd_name.

Default: ACInstallDir/data/policies_backup

_pmd_directory_

Specifies the directory in which the PMDBs reside. The name can contain up to 70 alphanumeric characters. Specify the full path of the directory. Each Policy Model resides in the directory pmdDirectory/pmdName.

Default: ACInstallDir/policies

_PMD_DIRECTORY_

Same as _pmd_directory_

_PMD_EXEC

Defines the name of the Policy Model daemon.

_QD_timeout_

Specifies the maximum time, in seconds, that the sepmdd daemon waits while attempting to update a subscriber database during the first scan of its subscriber list. If the time elapses and the daemon does not succeed in updating a subscriber, it skips that particular subscriber and tries to update the remainder of the subscribers on its list.

After completing the first scan of the subscriber list, sepmdd then performs a second scan in which it attempts to update the subscribers it did not succeed in updating during the first scan. During the second scan, it tries to update a subscriber until the connect system call times out (approximately 90 seconds).

Default: 3

_retry_timeout_

Specifies the time, in minutes, to wait before trying to resend an update to an unavailable subscriber, after the minimum number of attempts specified in _min_retries_ has been made. sepmdd marks the subscriber available after the number of minutes defined by this token elapses.

A subscriber is marked unavailable until:

Note: Shutting down sepmdd too often is not desirable because it takes time to restart the daemon, which slows the whole propagation process. Allowing it to be on all the time is also undesirable because there may be some stability issues, but this is only a conjecture.

Default: 30

_shutoff_time_

Specifies the time, in minutes, of activities before sepmdd quits. If the token value is zero, sepmdd never quits.

Default: 0

ClientOperationTimeout

Defines the timeout period, in seconds, a client waits for a response from the Policy Model.

Default: 60

is_maker_checker

Specifies whether to use Dual Control.

Valid values are yes and no.

If the token value is yes, you cannot update the database directly, but only through a PMDB, and two administrators (a Maker and a Checker) must collaborate on the update.

Default: Token not set (no)

pass_auth

Specifies whether sepass verifies the invoker's password during a remote password change. The sepass utility always compares the old password the user enters with the password stored in the local CA ControlMinder database. If you set this token to yes, sepass also compares the old password that the user running sepass enters with their own password as it is stored in the remote CA ControlMinder database (usually pmdb). This means that the sepass user must enter their own password even when changing the password for another user.

Values: yes, no

Default: yes

pull_option

Specifies whether subscriber databases are updated as soon as they become available.

Valid values are yes and no.

If the token value is yes, seagent sends a message to the parent Policy Models of both the local host and any Policy Model on the machine as soon as the subscriber station becomes available. sepmdd then updates the subscriber immediately, instead of waiting for the next half‑hourly retry.

Default: yes

send_unix_env

Specifies whether the sepmd -n option sends the contents of the policy model password files and group files.

Valid values are yes and no.

yes: The sepmd -n option sends the contents of the policy model password files and group files.

no: The sepmd -n option does not send the contents of the policy model password files and group files.

Default: yes

ShutdownWaitingTimeout

Defines the timeout period, in seconds, that the Policy Model waits for its components to gracefully shut down. If the Policy Model components do not shut down gracefully, the Policy Model shuts down forcefully.

Default: 60

synch_uid

Specifies whether CA ControlMinder forces subscribers to use the same uid as the parent Policy Model host when creating a new UNIX user.

updates_in_chunk

Defines the maximum number of commands that the Policy Model sends to each of its subscribers in each cycle of a loop.

Default: 10
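
The following added example (not CA ControlMinder code and not part of its documentation) audits a [pmd] section against the defaults listed above and flags the is_maker_checker, pass_auth and send_unix_env settings for review. It assumes the file parses as plain INI text and that token names are case-sensitive; the function names and the sample file are constructed for illustration.

```python
import configparser

# Defaults as listed in the token reference above ("Token not set" is treated as no).
PMD_DEFAULTS = {
    "_min_retries_": "4", "_QD_timeout_": "3", "_retry_timeout_": "30", "_shutoff_time_": "0",
    "ClientOperationTimeout": "60", "ShutdownWaitingTimeout": "60", "updates_in_chunk": "10",
    "is_maker_checker": "no", "pass_auth": "yes", "pull_option": "yes", "send_unix_env": "yes",
}
YES_NO = ("is_maker_checker", "pass_auth", "pull_option", "send_unix_env")

def effective_pmd(ini_text):
    """Return the [pmd] tokens with the documented defaults filled in."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep token case as written (assumption: names are case-sensitive)
    cp.read_string(ini_text)
    merged = dict(PMD_DEFAULTS)
    if cp.has_section("pmd"):
        merged.update({k: v.strip() for k, v in cp.items("pmd")})
    return merged

def audit_pmd(ini_text):
    """Return (severity, token, message) tuples for a reviewer to act on."""
    cfg, findings = effective_pmd(ini_text), []
    for tok in PMD_DEFAULTS:
        val = cfg[tok]
        if tok in YES_NO:
            if val not in ("yes", "no"):
                findings.append(("error", tok, f"'{val}' is not yes or no"))
        elif not val.isdigit():
            findings.append(("error", tok, f"'{val}' is not a non-negative integer"))
    if cfg["pass_auth"] == "no":
        findings.append(("warn", "pass_auth", "sepass skips the remote check of the invoker's password"))
    if cfg["is_maker_checker"] != "yes":
        findings.append(("warn", "is_maker_checker", "Dual Control is off"))
    if cfg["send_unix_env"] == "yes":
        findings.append(("info", "send_unix_env", "sepmd -n sends password and group file contents"))
    return findings

# Constructed sample file, not taken from a real installation.
SAMPLE = """
[pmd]
_retry_timeout_ = thirty
pass_auth = no
is_maker_checker = yes
"""

if __name__ == "__main__":
    for finding in audit_pmd(SAMPLE):
        print(*finding, sep=": ")
```
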

More information:

sepmd Utility