Provided by: freeipa-client_4.7.0~pre1+git20180411-2ubuntu2_amd64 bug

NAME

       default.conf - IPA configuration file

SYNOPSIS

       /etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf, /etc/ipa/cli.conf

DESCRIPTION

       The default.conf configuration file is used to set system-wide defaults to be applied when
       running IPA clients and servers.

       Users may create an optional configuration  file  in  ~/.ipa/default.conf  which  will  be
       merged into the system-wide defaults file.

       The following files are read, in order:
           ~/.ipa/default.conf
           /etc/ipa/<context>.conf
           /etc/ipa/default.conf
           built-in constants

       The IPA server does not read ~/.ipa/default.conf.

       The first setting wins.

SYNTAX

       The  configuration  options  are  not  case  sensitive.  The values may be case sensitive,
       depending on the option.

       Blank lines are ignored.  Lines beginning with # are comments and are ignored.

       Valid lines consist of an option name, an equals sign  and  a  value.  Spaces  surrounding
       equals sign are ignored. An option terminates at the end of a line.

       Values should not be quoted, the quotes will not be stripped.

           # Wrong - don't include quotes
           verbose = "True"

           # Right - Properly formatted options
           verbose = True
           verbose=True

       Options  must appear in the section named [global]. There are no other sections defined or
       used currently.

       Options may be defined that are not used by IPA. Be careful of misspellings, they will not
       be rejected.

OPTIONS

       The following options are relevant for the server:

       basedn <base>
              Specifies  the  base DN to use when performing LDAP operations. The base must be in
              DN format (dc=example,dc=com).

       ca_agent_port <port>
              Specifies the secure CA agent port. The default is 8443.

       ca_ee_port <port>
              Specifies the secure CA end user port. The default is 8443.

       ca_host <hostname>
              Specifies the hostname of the dogtag CA server. The default is the hostname of  the
              IPA server.

       ca_port <port>
              Specifies the insecure CA end user port. The default is 8080.

       context <context>
              Specifies  the  context  that IPA is being executed in. IPA may operate differently
              depending on the  context.  The  current  defined  contexts  are  cli  and  server.
              Additionally   this   value  is  used  to  load  /etc/ipa/context.conf  to  provide
              context-specific configuration. For example, if you want to always  perform  client
              requests in verbose mode but do not want to have verbose enabled on the server, add
              the verbose option to /etc/ipa/cli.conf.

       debug <boolean>
              When True provides detailed information. Specifically this set the global log level
              to "debug". Default is False.

       dogtag_version <version>
              Stores the version of Dogtag. Value 9 is assumed if not specified otherwise.

       domain <domain>
              The domain of the IPA server e.g. example.com.

       enable_ra <boolean>
              Specifies  whether  the  CA  is acting as an RA agent, such as when dogtag is being
              used as the Certificate Authority. This setting only  applies  to  the  IPA  server
              configuration.

       fallback <boolean>
              Specifies  whether an IPA client should attempt to fall back and try other services
              if the first connection fails.

       host <hostname>
              Specifies the local system hostname.

       in_server <boolean>
              Specifies whether requests should be forwarded to an IPA server or handled locally.
              This  is used internally by IPA in a similar way as context. The same IPA framework
              is used by the ipa command-line  tool  and  the  server.  This  setting  tells  the
              framework  whether  it should execute the command as if on the server or forward it
              via XML-RPC to a remote server.

       in_tree <boolean>
              This is used in development and is generally a detected value. It  means  that  the
              code is being executed within a source tree.

       interactive <boolean>
              Specifies whether values should be prompted for or not. The default is True.

       kinit_lifetime <time duration spec>
              Controls  the  lifetime  of  ticket  obtained by users authenticating to the WebGUI
              using login/password. The expected format is a time duration string.  Examples  are
              "2  hours", "1h:30m", "10 minutes", "5min, 30sec". When the parameter is not set in
              default.conf, the ticket will have a duration inherited from the default value  for
              kerberos  clients, that can be set as ticket_lifetime in krb5.conf. When the ticket
              lifetime has expired, the ticket is not valid anymore and the GUI  will  prompt  to
              re-login with a message "Your session has expired. Please re-login."

       ldap_uri <URI>
              Specifies  the  URI of the IPA LDAP server to connect to. The URI scheme may be one
              of    ldap    or    ldapi.    The    default    is    to    use     ldapi,     e.g.
              ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket

       log_logger_XXX <comma separated list of regexps>
              loggers matching regexp will be assigned XXX level.

              Logger  levels  can  be  explicitly  specified for specific loggers as opposed to a
              global logging  level.  Specific  loggers  are  indicated  by  a  list  of  regular
              expressions  bound  to  a  level.  If a logger's name matches the regexp then it is
              assigned that level. This config item must begin with "log_logger_level_" and  then
              be followed by a symbolic or numeric log level, for example:

                log_logger_level_debug = ipalib\.dn\..*

                log_logger_level_35 = ipalib\.plugins\.dogtag

              The  first  line  says  any logger belonging to the ipalib.dn module will have it's
              level configured to debug.

              The second line say the ipa.plugins.dogtag logger will be configured to level 35.

              This config item is useful when you only want to see the log  output  from  one  or
              more  selected  loggers.  Turning on the global debug flag will produce an enormous
              amount of output.  This  allows  you  to  leave  the  global  debug  flag  off  and
              selectively  enable  output  from a specific logger. Typically loggers are bound to
              classes and plugins.

              Note: logger names are a dot ('.') separated list forming  a  path  in  the  logger
              tree.   The  dot  character is also a regular expression metacharacter (matches any
              character) therefore you will usually need to escape the dot in the logger names by
              preceding it with a backslash.

       mode <mode>
              Specifies  the  mode  the  server  is  running in. The currently support values are
              production and development. When running in production  mode  some  self-tests  are
              skipped to improve performance.

       mount_ipa <URI>
              Specifies the mount point that the development server will register. The default is
              /ipa/

       prompt_all <boolean>
              Specifies that all options should be prompted for in the IPA client, even  optional
              values. Default is False.

       ra_plugin <name>
              Specifies  the  name  of the CA back end to use. The current options are dogtag and
              none. This is a server-side setting. Changing this value is not recommended as  the
              CA back end is only set up during initial installation.

       realm <realm>
              Specifies the Kerberos realm.

       server <hostname>
              Specifies the IPA Server hostname.

       skip_version_check <boolean>
              Skip  client  vs.  server API version checking. Can lead to errors/strange behavior
              when newer clients talk to older servers. Use with caution.

       startup_timeout <time in seconds>
              Controls the amount of time waited when starting a service. The  default  value  is
              120 seconds.

       startup_traceback <boolean>
              If  the IPA server fails to start and this value is True the server will attempt to
              generate a python traceback to make identifying the underlying problem easier.

       validate_api <boolean>
              Used internally in the IPA source package to verify that the API has  not  changed.
              This  is used to prevent regressions. If it is true then some errors are ignored so
              enough of the IPA framework can be loaded  to  verify  all  of  the  API,  even  if
              optional components are not installed. The default is False.

       verbose <boolean>
              When True provides more information. Specifically this sets the global log level to
              "info".

       wait_for_dns <number of attempts>
              Controls whether the IPA commands  dnsrecord-{add,mod,del}  work  synchronously  or
              not.  The  DNS  commands  will  repeat  DNS  queries  up to the specified number of
              attempts until the DNS server returns an up-to-date answer to a query for  modified
              records. Delay between retries is one second.

              The DNS commands will raise a DNSDataMismatch exception if the answer doesn't match
              the expected value even after the specified number of attempts.

              The DNS queries will be sent to the resolver configured in /etc/resolv.conf on  the
              IPA server.

              Do  not  enable this in production! This will cause problems if the resolver on IPA
              server uses a caching server instead of a local authoritative server or e.g. if DNS
              answers are modified by DNS64. The default is disabled (the option is not present).

       xmlrpc_uri <URI>
              Specifies  the URI of the XML-RPC server for a client. This may be used by IPA, and
              is   used   by   some   external   tools,    such    as    ipa-getcert.    Example:
              https://ipa.example.com/ipa/xml

       jsonrpc_uri <URI>
              Specifies  the  URI  of  the  JSON server for a client. This is used by IPA. If not
              given, it is derived from xmlrpc_uri. Example: https://ipa.example.com/ipa/json

       rpc_protocol <URI>
              Specifies the type of RPC calls IPA  makes:  'jsonrpc'  or  'xmlrpc'.  Defaults  to
              'jsonrpc'.

       The following define the containers for the IPA server. Containers define where in the DIT
       that objects can be found. The full location is the value of container + basedn.
                container_accounts: cn=accounts
                container_applications: cn=applications,cn=configs,cn=policies
                container_automount: cn=automount
                container_configs: cn=configs,cn=policies
                container_dns: cn=dns
                container_group: cn=groups,cn=accounts
                container_hbac: cn=hbac
                container_hbacservice: cn=hbacservices,cn=hbac
                container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
                container_host: cn=computers,cn=accounts
                container_hostgroup: cn=hostgroups,cn=accounts
                container_netgroup: cn=ng,cn=alt
                container_permission: cn=permissions,cn=pbac
                container_policies: cn=policies
                container_policygroups: cn=policygroups,cn=configs,cn=policies
                container_policylinks: cn=policylinks,cn=configs,cn=policies
                container_privilege: cn=privileges,cn=pbac
                container_rolegroup: cn=roles,cn=accounts
                container_roles: cn=roles,cn=policies
                container_service: cn=services,cn=accounts
                container_sudocmd: cn=sudocmds,cn=sudo
                container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
                container_sudorule: cn=sudorules,cn=sudo
                container_user: cn=users,cn=accounts
                container_vault: cn=vaults,cn=kra
                container_virtual: cn=virtual operations,cn=etc

FILES

       /etc/ipa/default.conf
              system-wide IPA configuration file

       $HOME/.ipa/default.conf
              user IPA configuration file

       It is also possible to define context-specific configuration files.  The  context  is  set
       when  the  IPA  api  is initialized. The two currently defined contexts in IPA are cli and
       server. This is helpful, for example, if you only want debug enabled on the server and not
       in  the  client. If this is set to True in default.conf it will affect both the ipa client
       tool and the IPA server. If it is only set in server.conf then only the server  will  have
       debug set. These files will be loaded if they exist:

       /etc/ipa/cli.conf
              system-wide IPA client configuration file

       /etc/ipa/server.conf
              system-wide IPA server configuration file

SEE ALSO

       ipa(1)