The [pmd] section contains the attributes used by the sepmdd daemon when building and maintaining a PMDB.
Specifies the minimum number of attempts that sepmdd should make to resend the next queued update to an unavailable subscriber. sepmdd loops through the list of subscribers with outstanding updates and increments the counter each time it cannot resend the update to an unavailable subscriber. The subscriber is marked unavailable after the minimum number of attempts specified in this token has been reached.
Default: 4
Specifies the maximum time, in seconds, that the sepmdd daemon waits while attempting to update a subscriber database during the first scan of its subscriber list. If the time elapses and the daemon does not succeed in updating a subscriber, it skips that particular subscriber and tries to update the remainder of the subscribers on its list.
After completing the first scan of the subscriber list, sepmdd then performs a second scan in which it attempts to update the subscribers it did not succeed in updating during the first scan. During the second scan, it tries to update a subscriber until the connect system call times out (approximately 90 seconds).
Default: 3
Specifies the time, in minutes, to wait before trying to resend an update to an unavailable subscriber, after the minimum number of attempts specified in min_retries has been made. sepmdd marks the subscriber available again after the number of minutes defined by this token elapses.
A subscriber is marked unavailable until:
Note: Shutting down sepmdd too often is undesirable because restarting the daemon takes time, which slows down the whole propagation process. Leaving it running all the time is also undesirable because there may be stability issues, although this is only a conjecture.
Default: 30
Specifies the time, in minutes, of activity before sepmdd quits. If the token value is zero, sepmdd never quits.
Default: 0
If this token is set to no, commands that the Policy Model failed to execute are not propagated to the subscribers.
Default: none
Specifies an exclude file.
The exclude file contains host names (one on each line) that should be excluded from receiving policy model updates.
Default: none
Specifies whether the PMDB excludes the local host from receiving updates as a subscriber.
Possible values: yes, no.
Default: no
Enables or disables promoting the offset in the update file when a subscriber is excluded.
Values:
pmdwait: do not promote the offset
Otherwise: bypass
Default: pmdwait
Specifies the name of the filter file.
Specifies whether CA ControlMinder truncates the update file even if there are no subscribers to the Policy Model.
You can truncate the update file manually (sepmd -t), and CA ControlMinder also truncates the file automatically based on a separate configuration setting (trigger_auto_truncate) that defines the event that triggers automatic truncation.
Note: If all subscribers to the Policy Model are "Out of sync", the Policy Model effectively has no subscribers.
Default: Yes
Specifies the name of the group file for a new UNIX group. sepmdd saves the group entry of the new UNIX group in this file.
Default: group
Specifies whether to use Dual Control. The valid values for this token are yes and no.
If yes is selected, the PMDB cannot be updated directly, but only through a transaction, and each transaction entered by one administrator must be processed by another administrator before the commands are implemented on the PMDB.
Default: no
Specifies the name of the password file for new UNIX users. sepmdd stores the password entry of new UNIX users in this file.
Default: passwd
Indicates whether sepmd sends the contents of Policy Model password files and group files.
If this token is set to yes, the sepmd -n option sends the contents of the Policy Model password files and group files.
If this token is set to no, the sepmd -n option does not send the contents of the Policy Model password files and group files.
Default: yes
Determines whether sepmdd attempts to synchronize UIDs between a Policy Model and its subscribers. The valid values for this token are yes and no.
If the token is no, sepmdd does not attempt to synchronize UIDs. Users are assigned the first available UID on each subscriber host.
If the token is yes, sepmdd attempts to synchronize UIDs. For example, if a new UNIX user is created on the PMDB with a UID of 1000, sepmdd transfers that UID to the subscribers. If UID 1000 is already in use on one of the subscribers, then the update on that subscriber fails.
sepmdd only tries to synchronize UIDs if the original command sent to the PMDB did not specify a UID for the user. If the original command did specify a UID, the specified UID is sent to all the subscribers.
Default: yes
Specifies whether the database is created with special TNG classes and resources.
Valid values are:
"0" to create the database without the special TNG classes
"1" to create the database with all the special TNG classes
Default: 0
Specifies the path of the maker-checker policy.
Default: /opt/CA/eTrustAccessControl/policies/maker
Defines the size of the Policy Model update file, in megabytes, that triggers an automatic truncating of the update file.
If you use a value that is less than the lower limit, CA ControlMinder uses the default value. If you use a value that is greater than the upper limit, CA ControlMinder uses the upper limit value.
Limits: 1 - 2000 MB
Default: 1024 MB
Defines the frequency at which the Policy Model propagates commands to subscribers while it is processing incoming events.
The frequency is a multiplier of the updates_in_chunk setting: it determines how many commands the PMD processes before it sends one set of commands to the next subscriber in line. For example, if you set this token to 3 and updates_in_chunk to 10, the PMD processes 30 commands before it sends a set of 10 commands to the next subscriber in line. A value of 0 means that the PMD does not propagate commands while it is processing incoming events.
Default: 1
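As an added example that is not part of the CA documentation, the following Python reads a [pmd] section in seos.ini style and works out the effective values implied by the two rules above: the out-of-range handling for trigger_auto_truncate (below the lower limit falls back to the default, above the upper limit is capped) and the number of commands processed before one chunk is propagated. The sample section is constructed here; the propagation-frequency token is not named on this page, so its value is passed in explicitly rather than read from the file.

```python
import configparser

# Documented limits and defaults for the tokens this example covers.
TRUNCATE_MIN_MB = 1
TRUNCATE_MAX_MB = 2000
TRUNCATE_DEFAULT_MB = 1024
UPDATES_IN_CHUNK_DEFAULT = 20

# Constructed sample [pmd] section (not from a real installation).
SAMPLE_PMD_INI = """
[pmd]
min_retries = 4
updates_in_chunk = 10
trigger_auto_truncate = 4096
UseShadow = no
"""


def effective_trigger_auto_truncate(raw):
    """Resolve trigger_auto_truncate as documented: missing -> default,
    below the lower limit -> default, above the upper limit -> upper limit."""
    if raw is None:
        return TRUNCATE_DEFAULT_MB
    value = int(raw)  # non-numeric values raise ValueError for the caller to report
    if value < TRUNCATE_MIN_MB:
        return TRUNCATE_DEFAULT_MB
    if value > TRUNCATE_MAX_MB:
        return TRUNCATE_MAX_MB
    return value


def commands_before_propagation(frequency, updates_in_chunk):
    """Commands the PMD processes before sending one chunk to the next
    subscriber. A frequency of 0 means no propagation during event processing."""
    if frequency == 0:
        return None
    return frequency * updates_in_chunk


def summarize_pmd(ini_text, propagation_frequency=1):
    """Parse a [pmd] section and return the effective values for the
    tokens named on this page; the frequency is supplied by the caller."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep token names case-sensitive, e.g. UseShadow
    cp.read_string(ini_text)
    pmd = cp["pmd"] if cp.has_section("pmd") else {}
    chunk = int(pmd.get("updates_in_chunk", UPDATES_IN_CHUNK_DEFAULT))
    return {
        "trigger_auto_truncate_mb": effective_trigger_auto_truncate(pmd.get("trigger_auto_truncate")),
        "updates_in_chunk": chunk,
        "commands_before_propagation": commands_before_propagation(propagation_frequency, chunk),
    }
```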
Determines the maximum number of commands that the Policy Model sends to each of its subscribers in each cycle of a loop.
Default: 20
Specifies whether update information saved to the updates.dat file is encrypted.
Default: no
Determines whether to use a shadow file when you reference the PMDB native environment.
Default: no
Specifies the name of the password shadow file (a security file on an NIS server) that is used for building the NIS password map. This token is relevant only if you set UseShadow to yes.
Default: /etc/shadow
Copyright © 2013 CA Technologies.
All rights reserved.