Provided by: cpu_1.4.3-12_amd64 
NAME
cpu.conf - cpu configuration file
DESCRIPTION
This file stores all configurable options for CPU and CPU modules. You can specify the location of the
configuration file at runtime by specifying the --config or -C command line switches (see cpu(8)). Each
CPU module has its own configuration section, but they are all documented here. It is recommended that
the config file have strict permissions such as 600. Please note that configuration options take the
following format: option = value and section headers are of the format [HEADER]
GLOBAL OPTIONS
Global options should be under the section marked [GLOBAL]. All options under this section impact all
operations.
DEFAULT_METHOD = method
Specifies what the default administration method is. This value should be a string of either ldap
or passwd.
CRACKLIB_DICTIONARY = file
If CPU was compiled --with-libcrack file should be the location of cracklib_dict.
LDAP OPTIONS
LDAP options should be under the section marked [LDAP]. These options are only useful when
DEFAULT_METHOD is set to ldap or when ldap was specified at the command line with the -M switch. These
options are only used by the LDAP module.
LDAP_HOST = hostname
hostname should be either the IP address or the hostname of the server running the LDAP directory
that you wish to administer users on. This can be overridden with the -N command line switch.
LDAP_PORT = port
port is the port that the LDAP server specified by LDAP_HOST is listening on. This value must be
non negative. This can be overridden by the -P command line switch.
BIND_DN = dn
dn should be the fully qualified DN of an LDAP entity with appropriate rights to perform any
actions that you wish. This value can be overridden by the -D command line switch.
BIND_PASS = password
password is the password of the entity specified by BIND_DN. This value is passed directly to the
server, so it may be stored encrypted if your server supports this. This value can be overridden
by the -w command line switch.
USER_BASE = base_dn
base_dn is the base dn that users should be added to, search for, deleted from, or modified from.
In general if you wish to add a user to the following dn: ou=users,o=company,c=us base_dn should
be set to ou=users,o=company,c=us. If you set this value to o=company,c=us users will be added to
that dn, although for searching purposes the scope is more broad. This value can be overridden at
the command line with the -U switch.
GROUP_BASE = base_dn
base_dn is the base dn that groups should be added to, search for, deleted from, or modified from.
In general if you wish to add a group to the following dn: ou=group,o=company,c=us base_dn should
be set to ou=group,o=company,c=us. If you set this value to o=company,c=us groups will be added to
that dn, although for searching purposes the scope is more broad. This value can be overridden at
the command line with the -B switch.
USER_OBJECT_CLASS = object_class
GROUP_OBJECT_CLASS = object_class
object_class is a comma separated list of object classes that are required by your LDAP
directories schema in order to add or modify users and groups. The default should be fine, consult
your vendors documentation or contact cpu-users@lists.sourceforge.net if you have problems.
USER_FILTER = filter
GROUP_FILTER = filter
filter is a filter that adhears to the following BNF:
<filter> ::= '(' <filtercomp> ')'
<filtercomp> ::= <and> | <or> | <not> | <simple>
<and> ::= '&' <filterlist>
<or> ::= '|' <filterlist>
<not> ::= '!' <filter>
<filterlist> ::= <filter> | <filter> <filterlist>
<simple> ::= <attributetype> <filtertype> <attributevalue>
<filtertype> ::= '=' | '~=' | '<=' | '>='
These filters are utilized to locate users and groups, as well as to aid in finding new uid's and
gid's.
USER_CN_STRING = string
string is used during user creation. It allows you to specify the dn of the user. The dn becomes
string=login,...
GROUP_CN_STRING = string
string is used during group creation. It allows you to specify the dn of the group. The dn becomes
string=groupname,...
TIMEOUT = timeout
timeout should be a value in seconds and greater than 0. If unspecified the default is 60. This
value determines the duration after which an operation should be aborted.
The following options are still used by the [LDAP] section, but are more user centric and less ldap
centric.
SKEL_DIR = dir
dir should be the path for a directory that files are to be copied from when -m is given at the
command line. This value can be overridden by the -k command line switch.
DEFAULT_SHELL = shell
The default name of the user's login shell. This value can be overridden by the -s command line
switch.
HOME_DIRECTORY = directory
New users will be created using directory prepended to the users login name. If this variable is
undefined, it must be specified at the command line with the -d switch. When specified at the
command line that value is used for the users home directory.
MAX_UIDNUMBER = integer
MIN_UIDNUMBER = integer
MAX_GIDNUMBER = integer
MIN_GIDNUMBER = integer
ID_MAX_PASSES = integer
These values control gid and uid generation. When a uid is not specified at the command line (for
a useradd) these values are used for finding the next unused uid (random or linear). Similar for
groupadd. These are pretty self evident. ID_MAX_PASSES is the number of times that a search should
be performed before giving up.
RANDOM = true or false
If RANDOM is true, then a random number will be generated and searched for (this number, if unused
in the directory, will be the users uid or a groups gid). If a user or group with that ID exists,
the process will continue for ID_MAX_PASSES. If true, a linear scan will be done starting at
MIN_UIDNUMBER (or GIDNUMBER) and will not stop until an unused ID is found or the number of scans
is equal to ID_MAX_PASSES. If random is false, only one query is done on the directory, but it may
still be a bit slower then setting random to true in some cases.
USERGROUPS = yes or no
The USERGROUPS can be either yes or no. If yes, each created user will be given their own group to
use as a default. If no, each created user will be placed in the group whose gid is USER_GID.
USERS_GID = integer
If USERGROUPS is no, then USERS_GID should be the GID of the group ´users´ (or the equivalent
group) on your system. If this is unspecified, the default is 100.
GECOS = string
The default value for a user's gecos field. This can be overridden at the command line with the -c
switch.
PASSWORD_FILE = file
The value should be a Unix style, passwd formatted file. In order to use this value the -F switch
must be used at the command line. This value can be empty if a file is provided with the -F
switch. In this case, the users attributes are taken from the file (if the user is found) and used
in the LDAP entry.
SHADOW_FILE = file
The value should be a Unix style, shadow formatted file. In order to use this value the -S switch
must be used at the command line. This value can be empty if a file is provided with the -S
switch. In this case, the users attributes are taken from the file (if the user is found) and used
in the LDAP entry (including the password).
HASH = hash
hash is a hash of either clear, md5crypt, crypt, sha1, ssha1, md5, or smd5 to be used when hashing
user passwords. This is largely implementation dependent but all are supported. If you are taking
passwords from a standard password file, this should be clear (I think, need to check...). This
can be overridden at the command line with the -H switch.
SHADOWLASTCHANGE = integer
SHADOWMAX = integer
SHADOWWARING = integer
SHADOWEXPIRE = integer
SHADOWFLAG = integer
SHADOWMIN = integer
SHADOWINACTIVE = integer
These values are better documented in shadow(3) and in shadow(5). These are not required by
RFC2307 but are by some ldap authentication implementations. These values can only be specified
here, or taken from an existing shadow file for the user.
ADD_SCRIPT = executable
DEL_SCRIPT = executable
ADD_SCRIPT and DEL_SCRIPT work the same, however ADD_SCRIPT is used only for a useradd operation
and DEL_SCRIPT is used only for a userdel operation. These can be overridden via the command line
switch -X. If specified in the configuration file or at the command line, the script is executed
after a successful useradd or userdel. The first argument to the script is the login name as
specified at the command line.
PASSWD OPTIONS
Password options should be under the section marked [PASSWD]. These options are only useful when
DEFAULT_METHOD is set to passwd or when passwd was specified at the command line with the -M switch.
These options are only used by the passwd module. This module is not yet functional, so I won't document
the options.
SEE ALSO
cpu-ldap(8) cpu(8)
AUTHORS
Blake Matheny <bmatheny@purdue.edu>
The current version of this software is always available at http://cpu.sourceforge.net
BUGS
To report a bug or problem, please e-mail:
cpu-users@lists.sourceforge.net
TODO
See TODO file that accompanied software. Please e-mail us with any additional suggestions.
17 February 2003 CPU.CONF(5)