Provided by: cpu_1.4.3-12_amd64

NAME

       cpu.conf - cpu configuration file

DESCRIPTION

       This file stores all configurable options for CPU and CPU modules.  You  can  specify  the
       location of the configuration file at runtime with the --config or -C command line  switch
       (see cpu(8)). Each CPU module has its own configuration section, but they are all documented
       here. Because this file can hold credentials such as BIND_PASS, it is recommended that  it
       have strict permissions such as 600. Configuration options take the form option  =  value,
       and section headers take the form [HEADER].

GLOBAL OPTIONS

       Global options should be under the section marked [GLOBAL]. All options under this section
       impact all operations.

       DEFAULT_METHOD = method
              Specifies  what the default administration method is. This value should be a string
              of either ldap or passwd.

       CRACKLIB_DICTIONARY = file
              If CPU was compiled --with-libcrack file should be the location of cracklib_dict.

LDAP OPTIONS

       LDAP options should be under the section marked [LDAP].  These  options  are  only  useful
       when DEFAULT_METHOD is set to ldap or when ldap was specified at the command line with the
       -M switch. These options are only used by the LDAP module.

       LDAP_HOST = hostname
              hostname should be either the IP address or the hostname of the server running  the
              LDAP  directory  that  you wish to administer users on. This can be overridden with
              the -N command line switch.

       LDAP_PORT = port
              port is the port that the LDAP server specified by LDAP_HOST is listening on.  This
              value must be non-negative. This can be overridden by the -P command line switch.

       BIND_DN = dn
              dn  should  be  the fully qualified DN of an LDAP entity with appropriate rights to
              perform any actions that you wish. This value can be overridden by the  -D  command
              line switch.

       BIND_PASS = password
              password  is  the password of the entity specified by BIND_DN. This value is passed
              directly to the server, so it may be stored encrypted if your server supports this.
              This value can be overridden by the -w command line switch.

       USER_BASE = base_dn
              base_dn is the base dn that users are added to, searched for, deleted from, or mod-
              ified  under.  In  general,  if  you  wish  to  add  a  user  to  the following dn:
              ou=users,o=company,c=us, base_dn should be set to ou=users,o=company,c=us.  If  you
              set  this  value  to  o=company,c=us, users will be added to that dn, although for
              searching purposes the scope is broader. This value can be overridden at the  com-
              mand line with the -U switch.

       GROUP_BASE = base_dn
              base_dn is the base dn that groups are added to, searched for, deleted from, or mod-
              ified  under.  In  general,  if  you  wish  to  add  a  group to the following dn:
              ou=group,o=company,c=us, base_dn should be set to ou=group,o=company,c=us.  If  you
              set  this  value  to  o=company,c=us, groups will be added to that dn, although for
              searching purposes the scope is broader. This value can be overridden at the  com-
              mand line with the -B switch.

       USER_OBJECT_CLASS = object_class

       GROUP_OBJECT_CLASS = object_class
              object_class is a comma-separated list of object classes that are required by your
              LDAP directory's schema in order to add or modify users and groups.  The  default
              should be fine; consult your vendor's documentation or contact
              cpu-users@lists.sourceforge.net if you have problems.

       USER_FILTER = filter

       GROUP_FILTER = filter
              filter is an LDAP search filter that adheres to the following BNF:
                      <filter> ::= '(' <filtercomp> ')'
                      <filtercomp> ::= <and> | <or> | <not> | <simple>
                      <and> ::= '&' <filterlist>
                      <or> ::= '|' <filterlist>
                      <not> ::= '!' <filter>
                      <filterlist> ::= <filter> | <filter> <filterlist>
                      <simple> ::= <attributetype> <filtertype> <attributevalue>
                      <filtertype> ::= '=' | '~=' | '<=' | '>='
              These filters are used to locate users and groups, as well as to aid  in  finding
              unused uids and gids.

       USER_CN_STRING = string
              string  is  used during user creation. It allows you to specify the dn of the user.
              The dn becomes string=login,...

       GROUP_CN_STRING = string
              string is used during group creation. It allows you to specify the dn of the group.
              The dn becomes string=groupname,...

       TIMEOUT = timeout
              timeout should be a value in seconds and greater than 0. If unspecified the default
              is 60. This value determines the  duration  after  which  an  operation  should  be
              aborted.

       The following options are still used by the [LDAP] section, but are more user-centric and
       less LDAP-centric.

       SKEL_DIR = dir
              dir should be the path for a directory that files are to be copied from when -m  is
              given  at  the  command  line.  This value can be overridden by the -k command line
              switch.

       DEFAULT_SHELL = shell
              The default name of the user's login shell. This value can be overridden by the  -s
              command line switch.

       HOME_DIRECTORY = directory
              New users will be created with a home directory of directory prepended to the user's
              login name. If this variable is undefined, it must be specified  at  the  command
              line with the -d switch. When specified at the command line, that value is used as
              the user's home directory.

       MAX_UIDNUMBER = integer

       MIN_UIDNUMBER = integer

       MAX_GIDNUMBER = integer

       MIN_GIDNUMBER = integer

       ID_MAX_PASSES = integer
              These values control gid and uid generation. When a uid is  not  specified  at  the
              command line (for a useradd), these values bound the search for the next unused uid
              (random or linear); similarly for groupadd. ID_MAX_PASSES is the number  of  times
              that a search should be performed before giving up.

       RANDOM = true or false
              If RANDOM is true, then a random number will be generated and  searched  for  (this
              number, if unused in the directory, will be the user's uid or the group's gid). If a
              user or group with that ID exists, the process will continue for ID_MAX_PASSES.  If
              false, a linear scan will be done starting at MIN_UIDNUMBER (or MIN_GIDNUMBER)  and
              will not stop until an unused ID is found or the number of scans  is  equal  to
              ID_MAX_PASSES. If RANDOM is false, only one query is done on the directory, but it
              may still be a bit slower than setting RANDOM to true in some cases.

       USERGROUPS =  yes or no
              USERGROUPS can be either yes or no. If yes, each created user will be  given  their
              own group to use as a default. If no, each created user will be placed in the group
              whose gid is USERS_GID.

       USERS_GID =  integer
              If USERGROUPS is no, then USERS_GID should be the GID of the group 'users' (or  the
              equivalent group) on your system. If this is unspecified, the default is 100.

       GECOS = string
              The  default  value for a user's gecos field. This can be overridden at the command
              line with the -c switch.

       PASSWORD_FILE = file
              The value should be a Unix-style, passwd-formatted file. In order to use this value
              the -F switch must be used at the command line. This value can be empty if  a  file
              is provided with the -F switch. In this case, the user's attributes are taken  from
              the file (if the user is found) and used in the LDAP entry.

       SHADOW_FILE = file
              The value should be a Unix-style, shadow-formatted file. In order to use this value
              the -S switch must be used at the command line. This value can be empty if  a  file
              is provided with the -S switch. In this case, the user's attributes are taken  from
              the file (if the user is found) and  used  in  the  LDAP  entry  (including  the
              password).

       HASH = hash
              hash is one of clear, md5crypt, crypt, sha1, ssha1, md5, or smd5, and names the hash
              used when storing user passwords. Which one is appropriate is largely implementation
              dependent, but all are supported. If you are taking passwords from a standard shadow
              file, this should be clear (I think, need to check...). This can be  overridden  at
              the command line with the -H switch.

       SHADOWLASTCHANGE = integer

       SHADOWMAX = integer

       SHADOWWARING = integer

       SHADOWEXPIRE = integer

       SHADOWFLAG = integer

       SHADOWMIN = integer

       SHADOWINACTIVE = integer
              These  values  are  better documented in shadow(3) and in shadow(5).  These are not
              required by RFC2307 but are by  some  ldap  authentication  implementations.  These
              values  can  only  be specified here, or taken from an existing shadow file for the
              user.

       ADD_SCRIPT = executable

       DEL_SCRIPT = executable
              ADD_SCRIPT and DEL_SCRIPT work the same, however ADD_SCRIPT  is  used  only  for  a
              useradd operation and DEL_SCRIPT is used only for a userdel operation. These can be
              overridden via the command line switch -X. If specified in the  configuration  file
              or  at  the  command  line,  the  script  is executed after a successful useradd or
              userdel. The first argument to the script is the login name  as  specified  at  the
              command line.
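       The following linter is an added example, not part of the cpu distribution: it parses the
       option = value / [HEADER] format described above and checks the constraints this page
       states (DEFAULT_METHOD values, non-negative LDAP_PORT, TIMEOUT and ID_MAX_PASSES greater
       than 0, RANDOM/USERGROUPS spellings, the HASH list, and the recommended 600 file mode).
       The sample configuration, host name, DN and password are constructed for the example.

```python
import configparser
import stat

VALID_METHODS = {"ldap", "passwd"}
VALID_HASHES = {"clear", "md5crypt", "crypt", "sha1", "ssha1", "md5", "smd5"}

# Constructed sample config in the format cpu.conf(5) describes (not a real deployment).
SAMPLE_CONF = """\
[GLOBAL]
DEFAULT_METHOD = ldap
[LDAP]
LDAP_HOST = ldap.example.com
LDAP_PORT = 389
BIND_DN = cn=admin,o=company,c=us
BIND_PASS = constructed-example-secret
TIMEOUT = 60
RANDOM = true
USERGROUPS = no
HASH = ssha1
"""

def parse_cpu_conf(text):
    """Parse '[HEADER]' sections of 'option = value' lines into {section: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written (LDAP_HOST, not ldap_host)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def lint_cpu_conf(text, mode=0o600):
    """Return a list of findings (empty = consistent); mode is st_mode, e.g. os.stat(p).st_mode."""
    conf = parse_cpu_conf(text)
    g, l = conf.get("GLOBAL", {}), conf.get("LDAP", {})
    out = []
    if stat.S_IMODE(mode) & 0o077:  # man page recommends 600: BIND_PASS lives here in clear
        out.append("file mode is wider than 600; BIND_PASS is readable by group/other")
    if g.get("DEFAULT_METHOD") not in VALID_METHODS:
        out.append("GLOBAL.DEFAULT_METHOD must be ldap or passwd")
    if g.get("DEFAULT_METHOD") == "ldap" and "LDAP" not in conf:
        out.append("DEFAULT_METHOD is ldap but there is no [LDAP] section")
    for key, lo in (("LDAP_PORT", 0), ("TIMEOUT", 1), ("ID_MAX_PASSES", 1)):
        v = l.get(key)  # LDAP_PORT must be non-negative; TIMEOUT and ID_MAX_PASSES > 0
        if v is not None and (not v.isdigit() or int(v) < lo):
            out.append(f"LDAP.{key} must be an integer >= {lo}, got {v!r}")
    if "RANDOM" in l and l["RANDOM"].lower() not in ("true", "false"):
        out.append("LDAP.RANDOM must be true or false")
    if "USERGROUPS" in l and l["USERGROUPS"].lower() not in ("yes", "no"):
        out.append("LDAP.USERGROUPS must be yes or no")
    if "HASH" in l and l["HASH"] not in VALID_HASHES:
        out.append(f"LDAP.HASH {l['HASH']!r} is not one of {sorted(VALID_HASHES)}")
    return out
```

       Run it against a real file with lint_cpu_conf(open(path).read(), os.stat(path).st_mode).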

PASSWD OPTIONS

       Password  options  should  be  under  the  section marked [PASSWD]. These options are only
       useful when DEFAULT_METHOD is set to passwd or when passwd was specified  at  the  command
       line  with the -M switch. These options are only used by the passwd module. This module is
       not yet functional, so I won't document the options.

SEE ALSO

       cpu-ldap(8) cpu(8)

AUTHORS

       Blake Matheny <bmatheny@purdue.edu>

       The current version of this software is always available at http://cpu.sourceforge.net

BUGS

       To report a bug or problem, please e-mail:

       cpu-users@lists.sourceforge.net

TODO

       See TODO file that accompanied software. Please e-mail us with any additional suggestions.

                                         17 February 2003                             CPU.CONF(5)