In the [seos] section, the tokens determine the global settings that are used by CA ControlMinder.
Specifies the directory where the CA ControlMinder Security Administrator rules and other configuration files are stored.
Default: ACInstallDir/data
Determines the login authority method. Valid values are:
native-Login checks the user password against the UNIX passwd or shadow file.
eTrust-When the user does not exist in the native environment, login checks the user password against the CA ControlMinder database.
PAM-When the user does not exist in the native environment, login checks the user through the PAM module. This is only supported on machines where PAM is supported. PAM is used to validate users such as LDAP-defined users.
Default: native
Defines the language client module that is allowed to authenticate outside of native authentication. This token is set by the client inside the lca API calls before the authentication. Changing this token can affect other clients authenticating in non-native mode.
No default.
Specifies whether the PMDB uses the fast database copy device.
Valid values are:
no-Use the old device.
yes-Use the fast database copy device.
Default: yes
Specifies whether the year is displayed using four digits or the last two digits.
For example, setting the token to yes displays 2000 instead of 00.
Valid values include the following:
yes-four digits
no-two digits
This token influences the output that is produced by secons -tv, dbmgr -d, and the seaudit utility.
Default: yes (four-digit)
Defines the distinguished name of the search base for user data queries in the LDAP Directory Information Tree (DIT) by CA ControlMinder LDAP-enabled utilities (such as sebuildla).
For example, use the following format, replacing inputs with your own:
o=organization_name,c=country_name
Default: Token not set
Important! To set up sebuildla and the required LDAP configuration settings you must be familiar with LDAP and be able to execute the ldapsearch command. We recommend that you read the man pages for ldap(1) and ldapsearch(1) and the setup information in the documentation for your LDAP client.
Defines a space-separated list of the host names where the LDAP servers are running for CA ControlMinder LDAP-enabled utilities.
Default: Token not set (localhost).
Defines the directory where the Netscape-style certificate database is located.
This token is required for sebuildla on platforms that use the Netscape LDAP SDK API for LDAP over SSL (Solaris). For sebuildla to work, a certificate database must contain a valid certificate for the LDAP server.
Note: sebuildla uses LDAP over SSL with server authentication (that is, no client authentication). Consult your PKI toolkit documentation for details on setting up secure services.
Default: /.netscape
Defines the name of the key database file.
Note: This setting is for AIX only as an AIX key database can have an arbitrary name (as opposed to Netscape security databases, which have names like certX.db and keyY.db depending on the implementation version, and so only the ldap_certdb_path is required for finding them).
Default: Token not set
Specifies the bind method that CA ControlMinder uses for LDAP-enabled utilities to access the LDAP service.
By default, sebuildla uses simple authentication with all security mechanisms. In simple authentication, ldap_userdn and the corresponding credential are passed to the LDAP server. sebuildla stores user credentials in encrypted form in ldapcred.dat at ACInstallDir/etc. These two parameters approximate the account and password combination that is required by the LDAP server.
Note: For SASL or TLSv.1/SSL, consult your LDAP server documentation. For a particular ldap_method setting to take effect, the corresponding mechanism must be supported and configured in the native LDAP client that is deployed on the computer where sebuildla is executed (that is, with TLS/SSL operations, valid certificates should be installed on the server and client side).
Valid values are:
0-Standard LDAP
1-SASL (RFC 2222)
2-LDAPS (LDAP over SSL, server authentication only)
Note: The method that you use determines how you set up the ldap_userdn token and its corresponding credential (through seldapcred utility).
Default: 0
Defines the LDAP server port for CA ControlMinder LDAP-enabled utilities. Change this token if your LDAP server is not using the standard LDAP port (389).
Default: Token not set (389).
Defines the maximum number of LDAP entries sebuildla retrieves in each batch query.
Use this token when you do not want to change the LDAP server-side size limit parameter. Normally, sebuildla attempts to retrieve all data in one query, which, if there are numerous user entries, may exceed the server's size limit and cause the LDAP operation to fail. If you set ldap_query_size, sebuildla retrieves the entries in batches, so the operation does not fail. If the total number of user entries is greater than either ldap_query_size or the server-side size limit, the number of entries that are retrieved in each batch corresponds to the lower of these two settings.
Important! Enabling batch queries can affect sebuildla performance. Consider using this setting only where the LDAP DIT (Directory Information Tree) contains numerous user entries (thousands).
Note: For information about server-side LDAP controls, for example, the OpenLDAP server (slapd) sizelimit parameter, consult your LDAP server documentation.
Default: Token not set (empty)
Defines the maximum amount of time (in seconds) that CA ControlMinder LDAP-enabled utilities wait when binding to the LDAP service and obtaining LDAP search results, before terminating the connection. The time that it takes to retrieve information from the LDAP service depends on how fast the LDAP service is, and how much user data is stored in the DIT. Use this token to account for these aspects.
Note: You may also need to adjust server-side LDAP controls to avoid truncated search results. For example, for the OpenLDAP server (slapd) you need to adjust the sizelimit parameter. Consult your LDAP server documentation for more information.
Default: Token not set (15 seconds)
Defines the name of the attribute that contains the user name in the LDAP DIT. RFC 2307 (An Approach for Using LDAP as a Network Information Service) prescribes uid as this attribute, which is the default value for this token. Change this token to let CA ControlMinder LDAP-enabled utilities operate against LDAP DITs with non-standard schemas.
Default: Token not set (uid).
Defines the name of the attribute that contains the UID number in the LDAP DIT. RFC 2307 prescribes uidNumber as this attribute, which is the default value for this token. Change this token to let CA ControlMinder LDAP-enabled utilities operate against LDAP DITs with nonstandard schemas.
Default: Token not set (uidNumber).
Defines the name of the object class that contains the user data in the LDAP DIT. RFC 2307 prescribes posixAccount as this object class, which is the default value for this token. Change this token to let CA ControlMinder LDAP-enabled utilities operate against LDAP DITs with nonstandard schemas.
Default: Token not set (posixAccount).
Defines the distinguished name (DN) of the LDAP user that CA ControlMinder LDAP-enabled utilities use for retrieving user data from the LDAP DIT. Based on RFC 2307, CA ControlMinder expects to find the user data in the uid and uidNumber attributes of the ou=People level in the DIT. For security reasons, we recommend that this user (ldap_userdn) is given access to this data only.
If anonymous access to the DIT is permitted, you can keep this token empty. Otherwise, you must set this token and must run the seldapcred utility for CA ControlMinder LDAP-enabled utilities to authenticate to the LDAP service (you only need to do this once as seldapcred stores your encrypted credential in a file for reuse).
For example, set this token as follows:
ldap_userdn = uid=user1,ou=People,dc=myCompany,dc=com
Default: Token not set
Specifies whether to retrieve user information from the LDAP Directory Information Tree (DIT).
Limits: yes, no
Default: no
Specifies whether to enable a detailed account of the LDAP operations involved in sebuildla retrieving user data.
Use this setting when you set up LDAP data retrieval in sebuildla or when troubleshooting.
Valid values are 0 (disabled) or a non-zero integer (enabled).
Default: 0
Determines the language for the CA ControlMinder daemons and utilities. CA ControlMinder can function in several languages.
Supported languages include: C, Japanese, Chinese-s, Chinese-t
For the complete list of languages, see /etc/ca/localeX/calocmap.txt; on Linux, see /opt/CA/SharedComponents/cawin/locale/.
Default: C
Valid on SOLARIS, HP-UX, and LINUX only.
Specifies whether the local host enables use of PAM for authentication and password changes in the LDAP database.
To do that, CA ControlMinder checks whether the PAM library can be dynamically loaded (the library must exist on your system).
Valid values are: 'no', 'yes'.
Default: yes
Defines a comma-separated list of policy model databases (PMDBs) from which this computer accepts updates. The local CA ControlMinder database rejects updates from any PMDB that is not specified in this list.
You can also specify a file path that contains a line-separated list of PMDBs.
Set this token to "_NO_MASTER_" for the local CA ControlMinder database to accept updates from any PMDB.
If you do not set this token, the local CA ControlMinder database does not accept updates from any PMDB.
Each PMDB is specified in the following format: pmd_name@hostname
For example:
parent_pmd = pmd1@host1,pmd2@host1,pmd3@host2
parent_pmd = /opt/CA/AccessControl/parent_pmdbs_file
Default: Token is not set (database does not accept updates from any PMDB).
Note: sepass does not support multiple destinations on the parent_pmd token.
Specifies the PMDB to which sepass sends password updates.
If you do not set this token, it inherits the value of the parent_pmd token.
The format is pmd_name@hostname.
The parent_pmd and passwd_pmd tokens can have the same value. If the values in the parent_pmd and passwd_pmd tokens are not the same, the passwd_pmd database sends its updates to the parent_pmd database for distribution. Therefore, the parent_pmd database must be a child (subscriber) of the passwd_pmd database.
No default.
Note: sepass does not support multiple destinations on the passwd_pmd token.
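As an added example (not CA's own code), the following audit applies the rules stated above for parent_pmd, passwd_pmd, ldap_method and ldap_userdn to a constructed [seos] section: it flags _NO_MASTER_ (updates accepted from any PMDB), malformed pmd_name@hostname entries, multiple sepass destinations, and an empty ldap_userdn with ldap_method 0 (anonymous bind). The severity labels, the regular expression and the sample values are assumptions of the example.

```python
import configparser
import re
# Constructed sample [seos] section; only tokens named in the reference text are used.
SAMPLE_INI = """[seos]
parent_pmd = pmd1@host1,pmd2@host1,pmd3@host2
passwd_pmd = pmd1@host1
ldap_method = 0
ldap_userdn =
"""
PMD_RE = re.compile(r"^[^@\s,]+@[^@\s,]+$")  # pmd_name@hostname

def parse_pmd_list(value):
    """Split a comma-separated PMDB list; a leading '/' is a file path (not read here)."""
    value = value.strip()
    if not value or value.startswith("/") or value == "_NO_MASTER_":
        return []
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_seos(ini_text):
    """Return (severity, message) findings for the [seos] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    seos = cfg["seos"]
    findings = []
    parent = seos.get("parent_pmd", "").strip()
    parents = parse_pmd_list(parent)
    if parent == "_NO_MASTER_":
        findings.append(("HIGH", "parent_pmd=_NO_MASTER_: updates accepted from any PMDB"))
    else:
        for entry in parents:
            if not PMD_RE.match(entry):
                findings.append(("ERROR", f"parent_pmd entry is not pmd_name@hostname: {entry}"))
    passwd = seos.get("passwd_pmd", "").strip()
    if "," in passwd:
        findings.append(("ERROR", "passwd_pmd lists several destinations; sepass supports one"))
    elif passwd and not PMD_RE.match(passwd):
        findings.append(("ERROR", f"passwd_pmd is not pmd_name@hostname: {passwd}"))
    elif passwd and parents and passwd not in parents:
        findings.append(("INFO", "passwd_pmd differs from parent_pmd: parent_pmd must subscribe to it"))
    elif not passwd and len(parents) > 1:
        findings.append(("WARN", "passwd_pmd unset inherits a multi-entry parent_pmd; sepass supports one destination"))
    method = seos.get("ldap_method", "0").strip()
    userdn = seos.get("ldap_userdn", "").strip()
    if method not in ("0", "1", "2"):
        findings.append(("ERROR", f"ldap_method must be 0, 1 or 2, got '{method}'"))
    elif method == "0" and not userdn:
        findings.append(("WARN", "ldap_method=0 with empty ldap_userdn: anonymous LDAP bind"))
    elif method == "0":
        findings.append(("WARN", "ldap_method=0: simple bind over plain LDAP exposes the credential; consider 2 (LDAPS)"))
    return findings
```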
Controls the way seagent identifies the connecting client.
Valid values include the following:
yes-seagent looks up the IP address of the open client's socket.
no-seagent uses the host name as received from the client; seagent does not resolve any host names. (The same effect can be achieved by disabling class TERMINAL.)
Default: yes
Specifies the PMDB used as the secondary target for password replacement for users who are not defined in the primary target (passwd_pmd).
The format is pmd_name@hostname.
No default.
Specifies the directory in which CA ControlMinder is installed.
You can install CA ControlMinder in any directory, provided that it is not on an NFS-mounted file system.
Default: ACInstallDir
Specifies whether CA ControlMinder should synchronize its ACL permissions with the ACL and other permissions of the native UNIX system, if they exist.
Valid values include the following:
no-Do not synchronize the UNIX file permissions with CA ControlMinder ACLs.
warn-Do not synchronize ACL permissions, but issue a warning if the permissions in CA ControlMinder and UNIX conflict.
traditional-Change rwx permissions for the group and the owner according to CA ControlMinder ACLs, issue a warning in all other cases.
acl-Change native file-system ACLs according to CA ControlMinder ACLs (on platforms that support ACLs).
force-Functions the same as traditional or acl (on platforms that support ACLs), but also forces mapping defaccess to "other" permissions.
Note: On HP-UX and Sun Solaris 2.5 (and above), file system ACLs are supported. On other platforms and operating system versions, only the traditional permission mode of a file is supported.
Default: no
Specifies whether the database is created with special Unicenter TNG classes and resources.
Valid values include the following:
0-Create the database without the special Unicenter TNG classes.
1-Create the database with all the special Unicenter TNG classes.
Default: 0
Specifies the directory where Unicenter TNG is installed.
Valid values are the base Unicenter TNG directory (or .uniprodloc).
No default
Specifies the directory where CA ControlMinder is physically located. The CA ControlMinder directory may be a symbolic link to another physical location. This token points to the actual physical location where CA ControlMinder is installed.
Default: ACInstallDir
Determines whether the RPC portmapper is required. The RPC portmapper is required if you want to use the old (1.43) CA ControlMinder protocol, which in turn is required to support NIS+ password changes.
This token replaces the old_protocol token.
Valid values include the following:
yes-Use the RPC portmapper to assign the port.
no-Use the port that is specified by the ServicePort token.
Default: no
Copyright © 2013 CA Technologies.
All rights reserved.