

agent

The [agent] section contains tokens that control the various UNAB parameters.

ac_registration_interval

Defines the interval, in seconds, for registering UNAB with the CA ControlMinder endpoint. A value of 0 specifies no registration.

Default: 60

Note: UNAB attempts to register with the endpoint only if CA ControlMinder is installed on the UNIX host.

ad_group_deny_gid_list

Defines the GIDs (comma-separated) of Active Directory groups that cannot log in.

Example: ad_group_deny_gid_list = 11,14

Note: This parameter is valid in full integration mode only.

Default: Token not set (no default)

ad_group_minimal_gid

Defines the minimal GID of Active Directory groups that can log in.

Note: This parameter is valid in full integration mode only.

Default: Token not set (no default)

ad_user_deny_uid_list

Defines the UIDs (comma-separated) of Active Directory users that cannot log in.

Example: ad_user_deny_uid_list = 12,37

Note: This parameter is valid in full integration mode only.

Default: Token not set (no default)

ad_user_minimal_uid

Defines the minimal UID of Active Directory users that can log in.

Note: This parameter is valid in full integration mode only.

Default: Token not set (no default)

agent_open_files_max

Specifies the maximum number of open files that the UNAB agent can use. The UNAB agent restarts if it exceeds the maximum value.

Default: 100

Example: agent_open_files_max = 100

agent_restart_delay

Specifies the time, in minutes, after which uxauthd restarts to recover from a critical problem.

Values: positive integer or -1 to cancel uxauthd restart.

Default: 60

Example: agent_restart_delay = 60

agent_vmemory_max

Specifies the maximum virtual memory size, in megabytes, that the UNAB agent can use. The UNAB agent restarts if it exceeds the maximum value.

Default: 300

Example: agent_vmemory_max = 300

computer_password_change_interval

Specifies the Active Directory computer password renewal interval in days.

Values: Nd, N=a number greater than 1.

Default: 0d, Password change is disabled

debug_backup

Specifies whether to back up the debug messages file.

Limits: yes, no

Default: yes

debug_backup_file

Defines the name of the backup debug messages file. If you do not use a full pathname to the file, UNAB creates the file in the directory InstallDir/log/debug/.

Default: agent_debug.back

debug_file

Defines the file name that UNAB writes the debug messages to. If you do not use a full pathname to the file, UNAB creates this file in the directory InstallDir/log/debug/.

Default: agent_debug

debug_size

Defines the maximum size of the debug messages file in megabytes.

Default: 512

Note: When the file exceeds the maximum size, the agent renames it to the backup file and creates a new messages file.

debug_level

Specifies the level of debug messages in the debug file.

Limits: disabled, high, medium, low

Default: disabled

debug_zones

Specifies whether to log debug messages for submodules (zones). To write debug messages for more than one zone, specify the sum of the zone values.

Limits: -1, 1, 2, 4, 8, 16, or a sum of positive values.

Example: To log debug messages for the zones "General" and "Scheduler", set the value of debug_zones to 5.

Default: -1

default_login_access

Specifies the default access mode if there are no rules that define access for users and groups.

Limits: 0, no access; 1, access granted

Default: 0

Note: This parameter is valid in full integration mode only.

groups_allow_file

Defines the location of the local groups.allow file.

Default: /opt/CA/uxauth/etc/groups.allow

Note: This parameter is valid in full integration mode only.

groups_deny_file

Defines the location of the local groups.deny file.

Default: /opt/CA/uxauth/etc/groups.deny

Note: This parameter is valid in full integration mode only.

heartbeat_send_interval

Defines the interval, in seconds, for sending a heartbeat to the CA ControlMinder Distribution Host.

Default: 3600

health_check_interval

Specifies the interval, in seconds, between uxauthd internal self checks.

Values: positive integer or -1 to cancel the self check.

Default: 300

Example: health_check_interval = 300

ldap_connection_lifetime

Defines the maximum period, in seconds, for keeping unused LDAP connections open. When set to 0, UNAB destroys the connection immediately after an LDAP operation.

Default: 60

LIC98Dir

Defines the location of the CA license library.

Default: /opt/CA/SharedComponents/ca_lic

login_name_type

Specifies whether mapped users can log in using their UNIX user name or enterprise user name.

Limits: 1, UNIX login name; 2, enterprise login name

Default: 1

message_read_interval

Specifies the interval, in seconds, for reading the CA ControlMinder policy queue.

Default: 60

message_read_timeout

Defines the timeout period, in milliseconds, for reading the CA ControlMinder policy queue.

Default: 1

nss_cache_update_grp_login

Specifies whether NSS updates the group cache after every user login.

Limits: yes, no

Default: yes

Note: This parameter is valid in full integration mode only.

nss_cache_update_grp_mode

Specifies the group cache updating method.

Limits: 0, no updating; 1, incremental updating; 2, full updating

Default: 1

Note: This parameter is valid in full integration mode only.

nss_cache_update_interval

Defines the interval, in minutes, for updating the users and groups cache.

Default: 60

Note: This parameter is valid in full integration mode only.

nss_cache_update_startup

Specifies the method of updating the NSS user and group cache during the agent startup.

Limits: 0, no updating; 1, incremental updating; 2, full updating

Default: 1

Note: This parameter is valid in full integration mode only.

nss_cache_update_usr_login

Specifies whether NSS updates the user cache after every user login.

Limits: yes, no

Default: yes

Note: This parameter is valid in full integration mode only.

nss_cache_update_usr_mode

Specifies the user cache updating method.

Limits: 0, no updating; 1, incremental updating; 2, full updating

Default: 1

Note: This parameter is valid in full integration mode only.

ntp_server

Defines the name or IP address of the NTP server.

Default: none

offline_logon

Specifies whether users can continue accessing the UNIX host when the Active Directory is not available.

Limits: no, offline connection disabled; yes, offline connection enabled

Default: yes

offline_logon_max_fail

Defines the maximum number of failed offline logon attempts.

Default: 5

offline_logon_period

Defines the maximum period, in days, that an offline authentication is permitted after the last successful online authentication.

Default: 30

partial_user_login_policy

Defines whether a corresponding policy is needed for a partial user login.

Limits: no, partial user can log in with no corresponding policy deployed on the host; yes, partial user can log in only when a corresponding policy is deployed on the host.

Default: no

Note: The default value is 'no' for backward compatibility with previous UNAB versions.

report_user_mapped_name

Specifies the displayed user name in audit files and reports when the user is in mapped mode.

Limits: no, report displayed with the UNIX user name; yes, report displayed with the user mapped name.

Default: no

tgt_renew_interval

Defines the Ticket Granting Ticket (TGT) renewal interval in seconds.

Default: 7200

tgt_renewable_lifetime

Defines the Ticket Granting Ticket (TGT) renewal maximum period in days.

Default: 30d

time_sync_interval

Defines the clock synchronization interval in seconds.

Default: 300

unix_shells

Defines the rules for converting an Active Directory user's shell to a supported UNIX shell. If no match is found, the shell that is defined as other is used.

Default (HP-UX): sh=/sbin/sh,csh=/sbin/csh,bash=/sbin/bash,ksh=/sbin/ksh,tcsh=/sbin/tcsh,other=/sbin/sh

Default (all other OS): sh=/bin/sh,csh=/bin/csh,bash=/bin/bash,ksh=/bin/ksh,tcsh=/bin/tcsh,other=/bin/sh

Note: This parameter is valid in full integration mode only.
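
Added example (not part of the original reference and not CA code): a reader for a unix_shells value that splits the rule list, sets aside entries that are not in name=path form, and applies the other fallback. Matching on the last path component of the Active Directory shell value is an assumption, and the sample value is constructed.

```python
import posixpath

# Constructed sample: the csh entry is missing its "=" on purpose.
SAMPLE = "sh=/bin/sh,csh/bin/csh,bash=/bin/bash,other=/bin/sh"


def parse_unix_shells(value):
    """Split a unix_shells value into ({name: path}, [malformed entries])."""
    rules, malformed = {}, []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        name, sep, path = entry.partition("=")
        name, path = name.strip(), path.strip()
        # A usable rule needs a bare name, "=", and an absolute path.
        if not sep or not name or "/" in name or not path.startswith("/"):
            malformed.append(entry)
            continue
        rules[name] = path
    return rules, malformed


def map_shell(ad_shell, rules):
    """Return the UNIX shell for an AD shell value, falling back to 'other'."""
    # Assumption: rules are matched on the last path component of the AD value.
    key = posixpath.basename(ad_shell.strip().replace("\\", "/"))
    if key in rules:
        return rules[key]
    if "other" not in rules:
        raise ValueError("unix_shells defines no 'other' fallback rule")
    return rules["other"]
```

With the sample value, a user whose Active Directory shell is /bin/csh receives the other shell, because the csh entry is set aside as malformed.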

use_local_policy

Specifies whether to use the local login policy (.allow and .deny files).

Limits: no, use the enterprise login policy only; yes, use the enterprise login policy and then the local login policy.

Default: no

use_nested_group_acl

Specifies whether nested groups are used for the user ACL.

Limits: no, nested groups are not used; yes, nested groups are used.

Default: yes

use_time_sync

Specifies the clock synchronization option.

Limits: no, manual synchronization; yes, automatic synchronization

Default: no

use_wingrp

Specifies whether UNAB stores the Active Directory groups in a database for CA ControlMinder use.

To work in partial integration mode while CA ControlMinder is not integrated, disable group database creation when configuring UNAB.

Limits: no, yes

Default: yes

users_allow_file

Defines the location of the local users.allow file.

Default: /opt/CA/uxauth/etc/users.allow

Note: This parameter is valid in full integration mode only.

users_deny_file

Defines the location of the local users.deny file.

Default: /opt/CA/uxauth/etc/users.deny

Note: This parameter is valid in full integration mode only.

user_ticket_cleanup_interval

Specifies the cleanup interval, in seconds, for deleting expired user tickets.

Limits: any positive integer

Default: 3600

watchdog_check_interval

Specifies the interval at which the UNAB watchdog checks for the existence of uxauthd.

Default: 60 seconds

Example: watchdog_check_interval = 60

watchdog_enabled

Specifies whether to use the UNAB watchdog to protect the daemon agent. The UNAB watchdog can also be run as a daemon when UNAB is installed without CA ControlMinder.

Default: yes

Example: watchdog_enabled = yes

wingrp_update_interval

Defines the interval, in minutes, for updating the UNAB Active Directory groups database.

Default: 60

Note: This parameter is valid in full integration mode only.

wingrp_update_login

Specifies whether the Windows group database is updated at every user login.

Limits: yes, no

Default: yes

Note: This parameter is valid in full integration mode only.

windgrp_update_mode

Specifies the method of updating the UNAB Active Directory groups database.

Limits: 0, no updating; 1, incremental updating; 2, full updating

Default: 1

Note: This parameter is valid in full integration mode only.

wingrp_update_startup

Specifies the method of updating the Active Directory groups database during the UNAB startup process.

Limits: 0, no updating; 1, incremental updating; 2, full updating

Default: 1

Note: This parameter is valid in full integration mode only.

working_threads

Defines the number of working threads in the agent.

Default: 64
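
Added example (not part of the original reference and not CA code): a check of an [agent] section against the limits and defaults listed above, useful when reviewing a host's login-access settings. The INI-style parsing, the full_integration parameter, and the sample text are assumptions made for this example; only a subset of tokens is covered.

```python
import configparser

YES_NO, MODE = {"yes", "no"}, {"0", "1", "2"}
# token: (documented limits, documented default), copied from the entries above.
LIMITS = {
    "default_login_access": ({"0", "1"}, "0"),
    "login_name_type": ({"1", "2"}, "1"),
    "offline_logon": (YES_NO, "yes"),
    "partial_user_login_policy": (YES_NO, "no"),
    "use_local_policy": (YES_NO, "no"),
    "debug_level": ({"disabled", "high", "medium", "low"}, "disabled"),
    "nss_cache_update_usr_mode": (MODE, "1"),
    "nss_cache_update_grp_mode": (MODE, "1"),
}
ID_LISTS = {"ad_user_deny_uid_list", "ad_group_deny_gid_list"}
# Tokens noted above as valid in full integration mode only (subset).
FULL_ONLY = ID_LISTS | {"default_login_access", "ad_user_minimal_uid",
                        "ad_group_minimal_gid"}

# Constructed sample input, not taken from a real host.
SAMPLE = """\
[agent]
default_login_access = 2
offline_logon = yes
ad_user_deny_uid_list = 12,37,x
debug_level = high
"""


def audit_agent(ini_text, full_integration=True):
    """Return (effective values, findings) for the [agent] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # compare token names exactly as written
    cp.read_string(ini_text)
    agent = dict(cp["agent"]) if cp.has_section("agent") else {}
    effective = {tok: default for tok, (_, default) in LIMITS.items()}
    findings = []
    for tok, val in agent.items():
        val = val.strip()
        if tok in FULL_ONLY and not full_integration:
            findings.append(f"{tok}: valid in full integration mode only")
        bad_limit = tok in LIMITS and val not in LIMITS[tok][0]
        bad_list = tok in ID_LISTS and not all(
            p.strip().isdigit() for p in val.split(","))
        if bad_limit or bad_list:
            findings.append(f"{tok}: {val!r} does not match the documented format")
            val = None  # the page does not say how UNAB treats such a value
        effective[tok] = val
    return effective, findings
```

Tokens absent from the file appear in the first return value with their documented default, so the result shows the complete login-access posture rather than only the overridden values.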