bionic (5) libuser.conf.5.gz

Provided by: libuser_0.62~dfsg-0.1ubuntu2_amd64 bug

NAME

       libuser.conf - configuration for libuser and libuser utilities

FILE FORMAT

       libuser.conf  is  a text file.  Leading and trailing white space on each line is ignored.  Lines starting
       with # are ignored.

       The file defines variables grouped into sections.  Each section starts with a section header:
              [section name]
       A single section header can appear more than once in the file.

       The lines following a section header define variables from that section:
              variable = value
       The value can be empty.

       A variable can have more than one value, specified by using more than one line  defining  that  variable.
       All currently defined variables accept only the first value and ignore the others, if any.

[defaults]

       create_modules
              A  list  of  module  names  to  use  when  creating  user or group entries, unless the application
              specifies a different list.  The module names in the list can be separated  using  space,  tab  or
              comma.  Default value is files shadow.

       crypt_style
              The  algorithm  to use for password encryption when creating new passwords.  The current algorithm
              may be retained when changing a password of an existing user, depending on the application.

              Possible values are des, md5, blowfish, sha256 and  sha512,  all  case-insensitive.   Unrecognized
              values are treated as des.  Default value is des.

       hash_rounds_min, hash_rounds_max
              These  variables  specify  an  inclusive  range  of hash rounds used when crypt_style is sha256 or
              sha512.  A number of hash rounds is chosen from this interval randomly.  A larger number of rounds
              makes  password  checking,  and  brute-force attempts to guess the password by reversing the hash,
              more CPU-intensive.  The number of rounds is restricted to the interval [1000, 999999999].

              If only one of the above variables is specified, the number of rounds used  is  specified  by  the
              other variable.  If neither variable is specified, the number of rounds is chosen by libc.

       mailspooldir
              The directory containing user's mail spool files.  Default value is /var/mail.

       moduledir
              The  directory containing libuser modules.  Default value uses the modules installed with libuser,
              corresponding  to  the  architecture  of   the   libuser   library,   e.g.   /usr/lib/libuser   or
              /usr/lib64/libuser (assuming libuser was configured with --prefix=/usr).

       modules
              A  list  of  module  names  to use when not creating user or group entries, unless the application
              specifies a different list.  The module names in the list can be separated  using  space,  tab  or
              comma.  Default value is files shadow.

       skeleton
              The  directory  containing  files  to  copy  to  newly created home directories.  Default value is
              /etc/skel.

[import]

       login_defs
              A path to the login.defs file from shadow.  If this variable is defined, the  variables  from  the
              named  file  are  used  in  place  of  some  libuser  variables.   Variables explicitly defined in
              libuser.conf are not affected by contents of login.defs.

              The following variables are imported:
                                   │
              Variable             │ Imported as
              ─────────────────────├───────────────────────────────
              ENCRYPT_METHODdefaults/crypt_style
              GID_MINgroupdefaults/LU_GIDNUMBER
              MAIL_DIRdefaults/mailspooldir
              MD5_CRYPT_ENABdefaults/crypt_style
              PASS_MAX_DAYSuserdefaults/LU_SHADOWMAX
              PASS_MIN_DAYSuserdefaults/LU_SHADOWMIN
              PASS_WARN_AGEuserdefaults/LU_SHADOWWARNING
              SHA_CRYPT_MIN_ROUNDSdefaults/hash_rounds_min
              SHA_CRYPT_MAX_ROUNDSdefaults/hash_rounds_max
              UID_MINuserdefaults/LU_UIDNUMBER

              The following  variables  are  not  imported:  CREATE_HOME,  GID_MAX,  MAIL_FILE,  SYSLOG_SG_ENAB,
              UID_MAX, UMASK, USERDEL_CMD, USERGROUPS_ENAB

       default_useradd
              A  path  to  the  default/useradd  file  from useradd in shadow.  If this variable is defined, the
              variables from the named file are used in place of some libuser variables.   Variables  explicitly
              defined in libuser.conf are not affected by contents of default/useradd.

              The following variables are imported:
                       │
              Variable │ Imported as
              ─────────├────────────────────────────────
              EXPIREuserdefaults/LU_SHADOWEXPIRE
              GROUPuserdefaults/LU_GIDNUMBER
              HOMEuserdefaults/LU_HOMEDIRECTORY
              INACTIVEuserdefaults/LU_SHADOWINACTIVE
              SHELLuserdefaults/LU_LOGINSHELL
              SKELdefaults/skeleton

              The HOME variable value has /%n appended to it before importing.

[userdefaults]

       This section defines attribute values of newly created user entities.  There is one special variable:

       LU_UIDNUMBER
              A decimal number, the first allowed UID value for regular users (not system users).  Default value
              is 500.

       All other variables have the same names  as  the  attribute  names  from  <libuser/entity.h>  and  define
       attribute  values.   Either  the  macro  name (e.g. LU_GECOS) or the macro content (e.g. pw_gecos) can be
       used; if both are used, the one appearing later in the configuration file is used.

       The % character in the value of the variable introduces an escape sequence: %n is replaced  by  the  user
       name, %d is replaced by current date in days since the epoch, %u is replaced by the user's UID.  There is
       no way to escape the % character and avoid this substitution.

       After the userdefaults section is processed, modules may define additional attributes  or  even  override
       the attributes defined in this section.

[groupdefaults]

       The groupdefaults section is similar to userdefaults.  There is one special variable:

       LU_GIDNUMBER
              A  decimal  number,  the  first allowed GID value for regular groups (not system groups).  Default
              value is 500.

       The other variables follow the same rules as in the userdefaults section,  except  that  %n  and  %u  are
       replaced by the group name and group's GID, respectively.

       After  the  groupdefaults section is processed, modules may define additional attributes or even override
       the attributes defined in this section.

[files]

       Configures the files module, which manages /etc/group and /etc/passwd.  The configuration  variables  are
       probably useful only for libuser development.

       directory
              The directory containing the group and passwd files.  Default value is /etc.

       nonroot
              Allow module initialization when not invoked as the root user if the value is yes.

[shadow]

       Configures the files module, which manages /etc/gshadow and /etc/shadow.  The configuration variables are
       probably useful only for libuser development.

       directory
              The directory containing the gshadow and shadow files.  Default value is /etc.

       nonroot
              Allow module initialization when not invoked as the root user if the value is yes.

[ldap]

       Configures the ldap module, which manages an user database accessible using LDAP.

       userBranch
              The LDAP suffix for user entities.  Default value is ou=People.

       groupBranch
              The LDAP suffix for group entities.  Default value is ou=Group.

       server A domain name or an URI of the LDAP server.  The  URI  can  use  the  ldap,  ldapi  or  the  ldaps
              protocol.   When a simple domain name is used, the connection fails if TLS can not be used; an URI
              using the ldap protocol allows connection without TLS.  TLS is never used with the ldapi protocol.
              Default value is ldap.

       basedn The base DN of the server.  Default value is dc=example,dc=com.

       binddn A  DN  for  binding  to the server.  If the value is empty or binding using this DN fails, a DN of
              uid=user,userBranch,basedn is used, where userBranch and basedn are variables  from  this  section
              and  user  is the user name of the invoking user, unless overridden by the user variable from this
              section.  Default value is cn=manager,dc=example,dc=com.

       user   The SASLv2 identity for authenticating to the LDAP  server,  also  overrides  the  user  name  for
              generating a bind DN.  Default value is the name of the invoking user.

       password
              The  password  used  for  a simple bind by default.  If not specified, there is no default and the
              user must supply the password each time.

              IT IS STRONGLY RECOMMENDED NOT TO STORE A PASSWORD IN THE SYSTEM-WIDE /etc/libuser.conf FILE.  The
              configuration file is world-readable by default, and setuid programs that prompt for a server name
              could be used to send the password to an attacker-controlled server.

       authuser
              The SASLv2 authorization user, if non-empty.  Default value is empty.

       bindtype
              The list of bind types to use, separated by commas.  Allowed bind  types  are  simple,  sasl,  and
              sasl/mechanism,  where  mechanism  is  a  SASL  mechanism.   The  bind  types (but not necessarily
              mechanism) are case-insensitive.  If more than one bind type is specified, their relative order is
              ignored.  Default value is simple,sasl.

[sasl]

       Configures the sasl module, which manages a SASLv2 user database.

       appname
              Name of the SASLv2 application.  Default value is empty.

       domain Domain used by libuser for the SASLv2 authentication object.  Default value is empty.

BUGS

       Invalid  lines  in  the  configuration  file  (or  the  imported shadow configuration files) are silently
       ignored.

FILES

       /etc/libuser.conf
              The default location of the configuration file. Can be overridden by the LIBUSER_CONF  environment
              variable, except in set-uid or set-gid programs.