

pmd

The [pmd] section contains the attributes used by the sepmdd daemon when building and maintaining a PMDB.

min_retries

Specifies the minimum number of attempts that sepmdd makes to resend the next queued update to a subscriber it cannot reach. sepmdd loops through the list of subscribers with outstanding updates and increments a counter for a subscriber each time it cannot resend the update to it. Once the counter reaches the number of attempts specified in this token, the subscriber is marked unavailable.

Default: 4

QD_timeout

Specifies the maximum time, in seconds, that the sepmdd daemon waits while attempting to update a subscriber database during the first scan of its subscriber list. If the time elapses and the daemon does not succeed in updating a subscriber, it skips that particular subscriber and tries to update the remainder of the subscribers on its list.

After completing the first scan of the subscriber list, sepmdd then performs a second scan in which it attempts to update the subscribers it did not succeed in updating during the first scan. During the second scan, it tries to update a subscriber until the connect system call times out (approximately 90 seconds).

Default: 3

retry_timeout

Specifies the time, in minutes, that sepmdd waits before trying again to resend an update to a subscriber that was marked unavailable after the number of attempts specified in min_retries. When this many minutes have elapsed, sepmdd marks the subscriber available again.

A subscriber is marked unavailable until:

Note: Shutting down sepmdd too often is not desirable because restarting the daemon takes time, which slows the whole propagation process. Keeping it running all the time may also be undesirable because of possible stability issues, but this is only a conjecture.

Default: 30
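The interaction between min_retries and retry_timeout is easier to see as a small state machine. The following is an added illustration, not CA ControlMinder code: the class names, the outcome strings and the simulated clock (minutes since sepmdd started) are assumptions made for this example, and only the two tokens above are modelled (QD_timeout and the two-scan behaviour are left out).

```python
"""Added illustration of how the [pmd] tokens min_retries and retry_timeout
govern marking a subscriber unavailable and available again. Not CA
ControlMinder code; class names, outcome strings and the simulated clock
(minutes since sepmdd started) are assumptions made here."""

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SubscriberState:
    host: str
    failures: int = 0                          # consecutive failed resend attempts
    unavailable_since: Optional[float] = None  # simulated minute it was marked unavailable


@dataclass
class Propagator:
    min_retries: int = 4      # [pmd] min_retries, page default
    retry_timeout: int = 30   # [pmd] retry_timeout in minutes, page default
    subs: Dict[str, SubscriberState] = field(default_factory=dict)

    def attempt(self, host: str, reachable: bool, now: float) -> str:
        """One pass of the subscriber loop for `host` at simulated time `now`.

        Returns one of: 'sent', 'retry', 'marked_unavailable', 'skipped'.
        """
        st = self.subs.setdefault(host, SubscriberState(host))

        if st.unavailable_since is not None:
            if now - st.unavailable_since < self.retry_timeout:
                # Still inside retry_timeout: the update stays queued, no resend.
                return "skipped"
            # retry_timeout elapsed: the subscriber is marked available again
            # and the queued update is retried with a fresh counter.
            st.unavailable_since = None
            st.failures = 0

        if reachable:
            st.failures = 0
            return "sent"

        st.failures += 1
        if st.failures >= self.min_retries:
            st.unavailable_since = now
            return "marked_unavailable"
        return "retry"

    def is_available(self, host: str) -> bool:
        st = self.subs.get(host)
        return st is None or st.unavailable_since is None


def demo() -> list:
    """Drive one subscriber through the lifecycle with the page defaults."""
    p = Propagator()
    # constructed scenario: host down for the first four passes, back at minute 40
    passes = [(0, False), (1, False), (2, False), (3, False), (10, False), (40, True)]
    return [p.attempt("sub1.example", up, minute) for minute, up in passes]


if __name__ == "__main__":
    print(demo())
```

With the defaults, the fourth consecutive failure marks the host unavailable, a pass at minute 10 skips it without a resend, and a pass at minute 40 (more than 30 minutes later) marks it available and delivers the queued update.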

shutoff_time

Specifies the time, in minutes, of inactivity before sepmdd quits. If the token value is zero, sepmdd never quits.

Default: 0

always_propagate

If this token is set to no, commands that fail to execute on the Policy Model are not propagated to the subscribers.

Default: none

exclude_file

Specifies an exclude file.

The exclude file contains host names (one on each line) that should be excluded from receiving policy model updates.

Default: none

exclude_localhost

Tells the PMDB to exclude the local host from receiving updates as a subscriber.

Possible values: yes, no.

Default: no

exclude_method

Specifies whether the offset in the update file is promoted when a subscriber is excluded.

Values:

pmdwait: the offset is not promoted

Any other value: bypass (the offset is promoted)

Default: pmdwait

filter

Specifies the name of the filter file.

force_auto_truncate

Specifies whether CA ControlMinder truncates the update file even if there are no subscribers to the Policy Model.

You can truncate the update file manually (sepmd -t), and CA ControlMinder also truncates the file automatically based on a separate configuration setting (trigger_auto_truncate) that defines the event that triggers automatic truncation.

Note: If all subscribers to the Policy Model are "Out of sync", the Policy Model effectively has no subscribers.

Default: Yes

group_file_name

Specifies the name of the group file for a new UNIX group. sepmdd saves the group entry of the new UNIX group in this file.

Default: group

is_maker_checker

Specifies whether to use Dual Control. The valid values for this token are yes and no.

If yes is selected, then the PMDB cannot be updated directly, but only through a transaction; and each transaction entered by one administrator must be processed by another administrator before the commands are implemented on the PMDB.

Default: no
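The Dual Control rule above (no direct PMDB update, and a transaction entered by one administrator must be processed by a different one) is shown below as an added example. It is not CA ControlMinder code and does not use its real transaction format; the class and method names and the sample command are assumptions made for this illustration.

```python
"""Added illustration of Dual Control as described for is_maker_checker=yes:
the PMDB refuses direct updates and applies a transaction only after an
administrator other than the one who entered it processes it. Not CA
ControlMinder code; names and the sample command are assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Transaction:
    tid: int
    maker: str
    commands: List[str]
    state: str = "pending"          # pending -> approved | rejected
    checker: Optional[str] = None


class DualControlPMDB:
    def __init__(self, is_maker_checker: bool = True):
        self.is_maker_checker = is_maker_checker
        self.applied: List[str] = []            # commands that reached the PMDB
        self.pending: Dict[int, Transaction] = {}
        self._next_tid = 1

    def direct_update(self, admin: str, commands: List[str]) -> None:
        """Path used when is_maker_checker=no: commands land immediately."""
        if self.is_maker_checker:
            raise PermissionError(
                "is_maker_checker=yes: the PMDB cannot be updated directly; submit a transaction")
        self.applied.extend(commands)

    def submit(self, maker: str, commands: List[str]) -> int:
        """The maker enters a transaction; nothing is applied yet."""
        t = Transaction(self._next_tid, maker, list(commands))
        self._next_tid += 1
        self.pending[t.tid] = t
        return t.tid

    def process(self, checker: str, tid: int, approve: bool = True) -> str:
        """The checker decides. The checker must not be the maker (the dual-control invariant)."""
        t = self.pending.get(tid)
        if t is None:
            raise KeyError(f"no pending transaction {tid}")
        if checker == t.maker:
            raise PermissionError("transaction must be processed by a different administrator")
        t.checker = checker
        t.state = "approved" if approve else "rejected"
        if approve:
            self.applied.extend(t.commands)
        del self.pending[tid]
        return t.state


def demo() -> List[str]:
    """Constructed scenario: alice enters a user creation, bob approves it."""
    pmdb = DualControlPMDB()
    tid = pmdb.submit("alice", ["newusr svc_backup owner(alice)"])
    pmdb.process("bob", tid)
    return pmdb.applied
```

The check that matters is `checker == t.maker`: without it, a single administrator could both enter and process a transaction, which would reduce Dual Control to a logging step.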

password_file_name

Specifies the name of the password file for new UNIX users. sepmdd stores the password entry of new UNIX users in this file.

Default: passwd

send_unix_env

Indicates whether sepmd sends the contents of Policy Model password files and group files.

If this token is set to yes, the sepmd -n option sends the contents of the Policy Model password files and group files.

If this token is set to no, the sepmd -n option does not send the contents of the policy model password files and group files.

Default: yes

synch_uid

Determines whether sepmdd attempts to synchronize UIDs between a Policy Model and its subscribers. The valid values for this token are yes and no.

If the token is no, sepmdd does not attempt to synchronize UIDs. Users are assigned the first available UID on each subscriber host.

If the token is yes, sepmdd attempts to synchronize UIDs. For example, if a new UNIX user is created on the PMDB with a UID of 1000, sepmdd transfers that UID to the subscribers. If UID 1000 is already in use on one of the subscribers, then the update on that subscriber fails.

sepmdd only tries to synchronize UIDs if the original command sent to the PMDB did not specify a UID for the user. If the original command did specify a UID, the specified UID is sent to all the subscribers.

Default: yes
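The three synch_uid cases described above (no synchronisation, synchronisation with a UID clash on one subscriber, and a UID given explicitly in the original command) are modelled in the following added example. It is not CA ControlMinder code: the function names and the way a subscriber is represented (a set of UIDs already in use) are assumptions, and the choice that an explicitly specified UID also fails on a subscriber where it is already taken is this example's assumption, not something the page states.

```python
"""Added illustration of the synch_uid behaviour. Models a PMDB propagating a
new UNIX user to subscribers that each hold a set of UIDs already in use.
Not CA ControlMinder code; names, the subscriber model and the handling of a
clash for an explicitly specified UID are assumptions."""

from typing import Dict, Optional, Set, Tuple

Result = Tuple[str, Optional[int]]   # ('ok', uid) or ('fail', None)


def first_free_uid(used: Set[int], start: int = 1000) -> int:
    """First available UID at or above `start` (the synch_uid=no behaviour)."""
    uid = start
    while uid in used:
        uid += 1
    return uid


def propagate_newusr(pmdb_uid: int, explicit_uid: bool, synch_uid: bool,
                     subscribers: Dict[str, Set[int]]) -> Dict[str, Result]:
    """Apply one 'new UNIX user' update to every subscriber.

    pmdb_uid     UID the user holds on the PMDB
    explicit_uid True if the original command specified that UID
    synch_uid    value of the [pmd] synch_uid token
    subscribers  host -> UIDs already in use there (mutated on success)
    """
    results: Dict[str, Result] = {}
    for host, used in subscribers.items():
        if explicit_uid or synch_uid:
            # The PMDB's UID is sent as-is; a clash means the update fails there
            # (assumed here for the explicit case as well).
            uid = pmdb_uid
            if uid in used:
                results[host] = ("fail", None)
                continue
        else:
            # synch_uid=no: each subscriber picks its own first available UID
            uid = first_free_uid(used)
        used.add(uid)
        results[host] = ("ok", uid)
    return results


def demo(synch_uid: bool) -> Dict[str, Result]:
    # constructed fleet: sub1 already has UID 1000, sub2 does not
    fleet = {"sub1": {1000}, "sub2": set()}
    return propagate_newusr(pmdb_uid=1000, explicit_uid=False,
                            synch_uid=synch_uid, subscribers=fleet)
```

Running `demo(True)` reproduces the page's example: the update fails on sub1, where UID 1000 is taken, and succeeds on sub2. With `demo(False)` both subscribers succeed but the same user ends up as UID 1001 on sub1 and 1000 on sub2, which is the inconsistency synch_uid=yes exists to prevent.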

TNG_Environment

Specifies whether the database is created with special TNG classes and resources.

Valid values are:

"0" to create the database without the special TNG classes

"1" to create the database with all the special TNG classes

Default: 0

transaction_lib

Specifies the path of the maker-checker policy.

Default: /opt/CA/eTrustAccessControl/policies/maker

trigger_auto_truncate

Defines the size of the Policy Model update file, in megabytes, that triggers an automatic truncating of the update file.

If you use a value that is less than the lower limit, CA ControlMinder uses the default value. If you use a value that is greater than the upper limit, CA ControlMinder uses the upper limit value.

Limits: 1 - 2000 MB

Default: 1024 MB

update_while_processing

Defines the frequency at which the Policy Model propagates commands to subscribers while it is processing incoming events.

The frequency is a factor of the updates_in_chunk setting, and determines how many commands the PMD processes before it sends the next subscriber in line one set of commands. For example, if you set this to 3 and updates_in_chunk is set to 10, the PMD will process 30 commands before it sends a set of commands (10) once to the next subscriber in line. A value of 0 means that the PMD does not propagate commands while processing incoming events.

Default: 1

updates_in_chunk

Determines the maximum number of commands that the Policy Model sends to each of its subscribers in each cycle of a loop.

Default: 20

UseEncryption

Specifies whether update information saved to the updates.dat file is encrypted.

Default: no

UseShadow

Determines whether to use a shadow file when you reference the PMDB native environment.

Default: no

YpServerSecure

Specifies the name of the password shadow file (a security file on an NIS server) that is used for building the NIS password map. This token is relevant only if you set UseShadow to yes.

Default: /etc/shadow
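As a closing added example, the following audits a [pmd] section against the token semantics on this page: it applies the trigger_auto_truncate clamping rule (below the lower limit falls back to the default, above the upper limit is cut to the upper limit) and reports the security-relevant tokens whose page defaults leave protections off (UseEncryption, is_maker_checker) or send sensitive data (send_unix_env). This is not CA ControlMinder code; the sample section, the finding texts and the function names are assumptions, and the parser is Python's configparser rather than the product's own seos.ini reader.

```python
"""Added audit helper for a [pmd] section, using the token semantics on this
page. Not CA ControlMinder code; the sample section, finding texts and
function names are assumptions made here."""

import configparser
from typing import Dict, List, Tuple

# Page defaults for the tokens this audit looks at (lowercase keys, as configparser returns them)
PMD_DEFAULTS: Dict[str, str] = {
    "trigger_auto_truncate": "1024",
    "force_auto_truncate": "yes",
    "useencryption": "no",
    "is_maker_checker": "no",
    "send_unix_env": "yes",
}


def effective_trigger_auto_truncate(value: str, lower: int = 1, upper: int = 2000,
                                    default: int = 1024) -> int:
    """Clamp as the page specifies: below the lower limit -> default, above the upper -> upper."""
    try:
        mb = int(value)
    except ValueError:
        return default            # assumption: unparsable values are treated like out-of-range ones
    if mb < lower:
        return default
    if mb > upper:
        return upper
    return mb


def audit_pmd(ini_text: str) -> Tuple[int, List[str]]:
    """Parse seos.ini-style text; return (effective truncate threshold in MB, findings)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    section = dict(cp["pmd"]) if cp.has_section("pmd") else {}
    # configparser lowercases option names, so merge over lowercase defaults
    tokens = {**PMD_DEFAULTS, **{k.lower(): v.strip() for k, v in section.items()}}

    findings: List[str] = []
    if tokens["useencryption"].lower() != "yes":
        findings.append("UseEncryption is not yes: updates.dat is written unencrypted")
    if tokens["is_maker_checker"].lower() != "yes":
        findings.append("is_maker_checker is not yes: Dual Control is off, one administrator can change the PMDB alone")
    if tokens["send_unix_env"].lower() == "yes":
        findings.append("send_unix_env is yes: sepmd -n sends Policy Model password and group file contents")
    return effective_trigger_auto_truncate(tokens["trigger_auto_truncate"]), findings


# constructed sample section, not a real seos.ini
SAMPLE_INI = """
[pmd]
trigger_auto_truncate = 5000
UseEncryption = no
is_maker_checker = yes
"""

if __name__ == "__main__":
    threshold, notes = audit_pmd(SAMPLE_INI)
    print(f"effective trigger_auto_truncate: {threshold} MB")
    for note in notes:
        print(" -", note)
```

Run against the constructed sample, the 5000 MB setting is reported as the effective 2000 MB upper limit, UseEncryption and send_unix_env produce findings, and is_maker_checker does not because the sample turns Dual Control on.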