In the [passwd] section, the tokens define password replacement and other user-related services.
Specifies the range of GIDs that the user can add, update, and delete. Values outside this range represent reserved GIDs that CA ControlMinder cannot update.
Note: If only one integer is specified, all integers between the specified integer and the default upper limit (30000) are reserved GIDs. If you specify a number that is higher than the upper limit, the default upper limit is applied. If you specify a negative number that is less than the lower limit, the default lower limit (100) is applied. The applied lower limit for any number is +1 of the specified lower limit. The applied higher limit for any number is -1 of the specified higher limit. For example, if AllowedUidRange = 100, 3000, then 101 is treated as the lower limit and 2999 is treated as the higher limit.
Limits: -1 to 2147483647
Default: 100,30000
Specifies the range of UIDs that the user can add, update, and delete. Values outside this range represent reserved UIDs that CA ControlMinder cannot update.
Note: If only one integer is specified, all integers between the specified integer and the default upper limit (30000) are reserved UIDs. If you specify a number that is higher than the upper limit, the default upper limit is applied. If you specify a negative number that is less than the lower limit, the default lower limit (100) is applied. The applied lower limit for any number is +1 of the specified lower limit. The applied higher limit for any number is -1 of the specified higher limit. For example, if AllowedUidRange = 100, 3000, then 101 is treated as the lower limit and 2999 is treated as the higher limit.
Limits: -1 to 2147483647
Default: 100,30000
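The two range notes above describe a small but easy-to-misread rule (one or two integers, fallback to the defaults, and exclusive bounds). The following added example, which is not CA ControlMinder code, models that rule so an administrator can check which IDs a given token value leaves manageable; the reading that "the lower/upper limit" in the note means the token's documented limits (-1 and 2147483647), and the sample passwd lines, are assumptions.

```python
# Added example (not CA ControlMinder code): models the AllowedUidRange /
# AllowedGidRange semantics so an administrator can see which IDs a value
# actually leaves writable and which accounts become "reserved".
import re

DEFAULT_LOWER = 100                      # default lower bound from the page
DEFAULT_UPPER = 30000                    # default upper bound from the page
TOKEN_MIN, TOKEN_MAX = -1, 2147483647    # "Limits: -1 to 2147483647"

# Constructed sample /etc/passwd content, not real data.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:101:100:Alice:/home/alice:/bin/sh
bob:x:2999:100:Bob:/home/bob:/bin/sh
svc:x:3000:100:Service:/home/svc:/bin/sh
"""


def parse_allowed_range(value):
    """Return the applied (lower, upper) bounds for a token value such as
    "100,30000" or "100". None or an empty string means the token is absent."""
    if value is None or not value.strip():
        lower, upper = DEFAULT_LOWER, DEFAULT_UPPER
    else:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) > 2 or not all(re.fullmatch(r"-?\d+", p) for p in parts):
            raise ValueError("expected one or two integers, got %r" % value)
        lower = int(parts[0])
        # A single integer: everything from it up to the default upper limit.
        upper = int(parts[1]) if len(parts) == 2 else DEFAULT_UPPER
    # Assumption: values outside the token's documented limits fall back
    # to the defaults, as the note describes.
    if lower < TOKEN_MIN:
        lower = DEFAULT_LOWER
    if upper > TOKEN_MAX:
        upper = DEFAULT_UPPER
    # The stated bounds are exclusive: 100,3000 is applied as 101..2999.
    return lower + 1, upper - 1


def is_reserved(ident, value=None):
    """True when the UID/GID lies outside the applied range (not manageable)."""
    lower, upper = parse_allowed_range(value)
    return not lower <= ident <= upper


def reserved_accounts(passwd_text, value=None):
    """Names of accounts whose UID the given token value makes reserved."""
    return [f[0] for f in (line.split(":") for line in passwd_text.splitlines())
            if len(f) >= 3 and is_reserved(int(f[2]), value)]
```

Running `reserved_accounts(SAMPLE_PASSWD, "100, 3000")` shows that both the system accounts and the account sitting exactly on the upper bound (UID 3000) are reserved, because the bounds are exclusive.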
Specifies whether root password changes made using sepass -p or sepass -s are sent to the Policy Model. The PMD then propagates the password to its subscribers.
Valid values are yes and no.
Default: no
Specifies whether the local host uses PAM for password authentication and changes in the LDAP database.
Default: no
Specifies whether to enforce password rules for ADMIN and PWMANAGER users.
Default: no
Specifies whether selang should check the Password Rules for all the users.
Valid values are yes and no.
If this token is set to yes, selang checks the Password Rules for all the users.
If this token is set to no, selang checks the Password Rules only for the user who changes the password.
Default: no
Note: This token is supported when using the API only.
(DEC UNIX only). Specifies whether an exit script runs after each CA ControlMinder command that creates, updates, or removes a user record, or after each user password change made with the sepass utility.
Note: For more usage instructions, see the README file in ACInstallDir/samples/exits-src/USER_POST directory.
Default: no
Specifies the default home directory of the system. The user's home directory is a subdirectory of the specified system home directory. For example, if the system home directory is /home, the new user's home directory is /home/username. If specified, the value for this token overrides the value in the client's lang.ini file. If you specify nohomedir, a home directory is not set automatically.
Default: /home
Specifies the default password program. If specified, this password program is used when sepass is started and seosd is not running.
Default: /bin/passwd
Specifies the primary group that CA ControlMinder assigns to a new UNIX user if no value is entered.
Default: other
Specifies the default shell that CA ControlMinder assigns to a new UNIX user if no value is entered. If specified, the value for this token overrides the value in the client's lang.ini file.
Default: /bin/sh (or /sbin/sh on HP-UX)
Defines the full pathname of the file containing the words that cannot be used as passwords.
Note: To use this file, you must set the dictionary format password rule (use_dbdict) to file and set the UseDict setting to yes. If the dictionary format is set to db, passwords that cannot be used are taken from the CA ControlMinder database and this setting is ignored. This is the default on UNIX.
Important! This token is obsolete. Use dictionary in the database instead.
Default: /usr/dict/words
Specifies whether sepass generates a new password by itself.
Valid values are yes and no.
If you set this token to no, the user is asked to enter a new password.
Default: no
Specifies whether CA ControlMinder updates the group ownership of the user's home directory when the user's primary group changes.
Valid values are yes and no.
Default: yes
Specifies whether the local host is an NIS or NIS+ client.
Valid values are no, nis, or nisplus.
Default: no
Specifies whether this station is an NIS+ server.
Valid values are yes and no.
If the token value is yes, CA ControlMinder treats password replacements as NIS+ password replacements.
Default: no
Determines whether the default setting for sepass includes the -l flag.
Valid values are yes and no.
If this token is set to yes, sepass replaces the password only locally; that is, in the local password file (usually /etc/passwd), the security files, and the local database.
Default: no
Specifies whether the default setting for sepass includes the -p flag. If the token value is yes, sepass changes the password only on the PMDB at the specified host.
If no such database is defined, sepass does nothing.
Default: no
Specifies which method is used to encrypt user passwords when passwords are distributed as part of the Policy Model service.
Valid values are:
1 - Compatibility mode, to distribute passwords between CA ControlMinder systems that do not use long passwords (This includes all machines running pre-r12.0 versions of CA ControlMinder.)
2 - MD5 mode, to distribute passwords between CA ControlMinder systems that use long passwords and are also running Linux.
3 - Bidirectional mode, to distribute passwords securely, as clear text within encrypted messages, between any CA ControlMinder systems that use long passwords.
Default: 1
Indicates whether the password changes are propagated to an NT host.
Setting this token to NT means that one of the hosts you are administering is an NT host.
Default: none
Specifies which method is used to encrypt user passwords when storing these passwords locally.
Valid values are:
crypt - The standard one-way UNIX encryption that uses only the first eight characters of the password (as a DES key). Specifying crypt disables the use of long passwords.
md5 - MD5 hash function that can encrypt passwords of indefinite length. Specifying md5 enables the use of long passwords.
Default: crypt
Specifies whether to prompt local users for their old password when sepass is invoked through /opt/CA/AccessControl/bin/segrace. (You must use the full path).
Setting this token to yes indicates that the users are prompted for their old passwords.
Default: yes
Specifies whether sepass displays a copyright notice and a message about propagating passwords to Policy Models.
Default: no
Specifies whether sepass lets a privileged user change the root password as if changed by root (using the -x option).
Valid values are:
yes - Privileged users can use sepass to change the root password as if changed by root. They cannot change the root password as themselves (administrative change).
no - Privileged users can use sepass to change the root password only as themselves (administrative change).
For example, a privileged user can use the following command to change the root password if this token is set to yes:
sepass -x root
The same user cannot use the following command to change the root password:
sepass root
If this token is set to no, the opposite is true.
Default: no
Specifies whether the previous group file owner, group, and mode are preserved after an update of a group in the UNIX environment.
Valid values are yes and no.
If you set this token to no, new values are set to 0, 0, 644 respectively.
Default: no
Specifies whether the previous password file owner, group, and mode are preserved after an update of a user in the UNIX environment.
Valid values are yes and no.
If you set this token to no, new values are set to 0, 0, 644 respectively.
Default: no
(AIX platforms only). Specifies whether the ADMCHG flag gets added to the user entry in the /etc/security/passwd file when an administrator changes the password from selang or using sepass.
Default: no
Specifies which free UID algorithm to employ when adding new users. Setting it to any value other than new selects the older algorithm. The new algorithm supports UID numbers over 4 KB and is faster.
Default: new
Specifies whether to use the dictionary file (set with the Dictionary setting) when verifying a password.
Note: To use the dictionary file, you must also set the dictionary format password rule (use_dbdict) to file. If the dictionary format is set to db, passwords that cannot be used are taken from the CA ControlMinder database and this setting is ignored.
Default: no
Specifies the command to use for generating the NIS group map.
Default: make group
Specifies the name of the makefile directory to be used when creating NIS maps.
Default: /var/yp
Specifies the command to use for generating the NIS password map.
Default: make passwd
Specifies the group file from which the NIS group map is made.
Default: /etc/group
Specifies the password file from which the NIS password map is made.
Default: /etc/passwd
Specifies the name of the security file containing passwords that is used for building the NIS password map.
Default: Varies by platform.
Specifies the time, in seconds, that a new client (selang, Security Administrator, and so forth) can run the ypbind test, which determines whether the local host is connected to an NIS server. At expiration, the client exits and an error message appears.
The default value of zero (0) means that no ypbind test is conducted.
Default: 0
Copyright © 2013 CA Technologies.
All rights reserved.