![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
index 63d66f8a92181cc2c708b2027182b1c26ed0edbb..e4eea1301a1393cb6a32ba3d6c23cfa58aa30cda 100644 (file)
-.TH gosa.conf 5
+.TH gosa.conf 5 "2008-04-07" "GOsa v2.6" "Debian"
.SH NAME
gosa.conf - GOsa configuration file
.SH DESCRIPTION
.SH NAME
gosa.conf - GOsa configuration file
.SH DESCRIPTION
.fi
.fi
+.PP
.B Generic options
.PP
.B Generic options
.PP
use rfc2307bis style groups, too.
.PP
use rfc2307bis style groups, too.
.PP
+.B ppd_path
+.I path
+.PP
+The
+.I ppd_path
+variable defines where to store PPD files for the GOto environment plugins.
+.PP
+.B resolutions
+.I path
+.PP
+The
+.I pppd_pathpd_path
+variable defines a plain text file which contains additional resolutions
+to be shown in the environment and system plugins.
+.PP
+.B htaccess_auth
+.I bool
+.PP
+The
+.I htaccess_auth
+variable tells GOsa to use either htaccess authentication or LDAP authentication. This
+can be used if you want to use i.e. kerberos to authenticate the users.
+.PP
+.B gosa_si
+.I bool
+.PP
+The
+.I gosa_si
+defines the major gosa-si server host and the password for GOsa to connect to it.
+can be used if you want to use i.e. kerberos to authenticate the users.
+The format is:
+.nf
+credentials@host:port
+.fi
+.PP
+.B Browser and display options
-
-
-
-
-.B Display options
-.PP
-.I The
-.B list_summary
-.I statement
-.PP
.B list_summary
.I true/false
.PP
.B list_summary
.I true/false
.PP
elements in the list.
.PP
elements in the list.
.PP
-.B Password options
+.B iconsize
+.I size value
.PP
.PP
-.I The
-.B pwminlen
-.I statement
+The
+.I iconsize
+statement sets the icon size in the main menu. Its value should be something
+like 48x48.
+.PP
+
+.B compressed
+.I true/false
+.PP
+The
+.I compressed
+statement determines whether PHP should send compressed HTML pages to
+browsers or not. This may increase or decrease the performance, depending
+on your network.
+.PP
+
+.B save_filter
+.I true/false
+.PP
+The
+.I save_filter
+statement determines whether GOsa should store filter and plugin settings
+inside of a cookie.
+.PP
+
+.B lang
+.I string
+.PP
+The
+.I lang
+statement defines the default language used by GOsa. Normally GOsa autodetects
+the language from the browser settings. If this is not working or you want to
+force the language, just add the language code (i.e. de for german) here.
+.PP
+
+.B theme
+.I string
+.PP
+The
+.I theme
+statement defines what theme is used to display GOsa pages. You can install some
+corporate identity like theme and/or modify certain templates to fit your needs
+within themes. Take a look at the GOsa
+.I FAQ
+for more information.
+.PP
+
+.B session_lifetime
+.I int
+.PP
+The
+.I session_lifetime
+value defines when a session will expire in seconds. For Debian systems, this will
+not work because the sessions will be removed by a cron job instead. Please modify
+the value inside of your php.ini instead.
+.PP
+
+.B noprimarygroup
+.I bool
+.PP
+The
+.I noprimarygroup
+variable enables or disables the group filter to show primary user groups. It is
+time consuming to evaluate which groups are primary and which are not. So you may
+want to set it to
+.I true
+if your group plugin is slow.
+.PP
+
+.B ie_png_workaround
+.I bool
+.PP
+The
+.I ie_png_workaround
+variable enables or disables a workaround for IE < 7 in order to display transparent
+PNG files correctly. This drastically slows down browsing. Please use Firefox or Opera
+instead.
+.PP
+.PP
+
+
+.B Password options
.PP
.B pwminlen
.I integer
.PP
.B pwminlen
.I integer
a minimum length.
.PP
a minimum length.
.PP
-.I The
-.B pwdiffer
-.I statement
-.PP
.B pwdiffer
.I integer
.PP
.B pwdiffer
.I integer
.PP
to have at least n different characters.
.PP
to have at least n different characters.
.PP
-.I The
-.B externalpwdhook
-.I statement
-.PP
.B externalpwdhook
.I path
.PP
The
.I externalpwdhook
can specify an external script to handle password settings at some other
.B externalpwdhook
.I path
.PP
The
.I externalpwdhook
can specify an external script to handle password settings at some other
-location besides the LDAP.
+location besides the LDAP. It will be called this way:
+
+.nf
+/path/to/your/script "username" "oldpassword" "newpassword"
+.fi
+
+.B account_expiration
+.I bool
+.PP
+The
+.I account_expiration
+statement enables shadow attribute tests during the login to the GOsa web
+interface and forces password renewal or account lockout.
.PP
.PP
+.B krbsasl
+.I bool
+.PP
+The
+.I krbsasl
+statement defines the way the kerberos realm is stored in the
+.I userPassword
+attribute. Set it to
+.I true
+in order to get {sasl}user@REALM.NET, or to
+.I false
+to get {kerberos}user@REALM.NET. The latter is outdated, but may be
+needed from time to time.
+.PP
+.PP
+.B LDAP options
+.PP
+.B max_ldap_query_time
+.I integer
+.PP
+The
+.I max_ldap_query_time
+statement tells GOsa to stop LDAP actions if there is no answer within the
+specified number of seconds.
+.PP
+
+.B schema_check
+.I bool
+.PP
+The
+.I schema_check
+statement enables or disables schema checking during login. It is recommended
+to switch this on in order to let GOsa handle object creation more efficient.
+.PP
+
+.B tls
+.I bool
+.PP
+The
+.I tls
+statement enables or disables TLS operating on LDAP connections.
+.PP
+
+.B dnmode
+.I cn/uid
+.PP
+The
+.I dnmode
+option tells GOsa how to create new accounts. Possible values are
+.I uid
+and
+.I cn.
+In the first case GOsa creates uid style DN entries:
+.nf
+uid=superuser,ou=staff,dc=example,dc=net
+.fi
+In the second case, GOsa creates cn style DN entries:
+.nf
+cn=Foo Bar,ou=staff,dc=example,dc=net
+.fi
+If you choose "cn" to be your
+.I dnmode
+you can decide whether to include the personal title in your dn by
+selecting
+.I include_personal_title.
+.PP
+
+.B include_personal_title
+.I bool
+.PP
+The
+.I include_personal_title
+option tells GOsa to include the personal title in user DNs when
+.I dnmode
+is set to "cn".
+
+.B people
+.I string
+.PP
+The
+.I people
+statement defines the location where new accounts will be created inside of
+defined departments. The default is
+.I ou=people.
+.PP
+
+.B groups
+.I string
+.PP
+The
+.I groups
+statement defines the location where new groups will be created inside of
+defined departments. The default is
+.I ou=groups.
+.PP
+
+.B sudoou
+.I string
+.PP
+The
+.I sudoou
+statement defines the location where new groups will be created inside of
+defined departments. The default is
+.I ou=groups.
+.PP
+
+.B winstations
+.I string
+.PP
+This statement defines the location where GOsa looks for new samba workstations.
+.PP
+
+.B ogroupou
+.I string
+.PP
+This statement defines the location where GOsa creates new object groups inside of defined
+departments. Default is
+.I ou=groups.
+.PP
+
+.B serverou
+.I string
+.PP
+This statement defines the location where GOsa creates new servers inside of defined
+departments. Default is
+.I ou=servers.
+.PP
+
+.B terminalou
+.I string
+.PP
+This statement defines the location where GOsa creates new terminals inside of defined
+departments. Default is
+.I ou=terminals.
+.PP
+
+.B workstationou
+.I string
+.PP
+This statement defines the location where GOsa creates new workstations inside of defined
+departments. Default is
+.I ou=workstations.
+.PP
+
+.B printerou
+.I string
+.PP
+This statement defines the location where GOsa creates new printers inside of defined
+departments. Default is
+.I ou=printers.
+.PP
+
+.B componentou
+.I string
+.PP
+This statement defines the location where GOsa creates new network components inside of defined
+departments. Default is
+.I ou=components.
+.PP
+
+.B phoneou
+.I string
+.PP
+This statement defines the location where GOsa creates new phones inside of defined
+departments. Default is
+.I ou=phones.
+.PP
+
+.B conferenceou
+.I string
+.PP
+This statement defines the location where GOsa creates new phone conferences inside of defined
+departments. Default is
+.I ou=conferences.
+.PP
+
+.B blocklistou
+.I string
+.PP
+This statement defines the location where GOsa creates new fax blocklists inside of defined
+departments. Default is
+.I ou=blocklists.
+.PP
+
+.B incomingou
+.I string
+.PP
+This statement defines the location where GOsa looks for new systems to be joined to the LDAP.
+Default is
+.I ou=incoming.
+.PP
+
+.B systemsou
+.I string
+.PP
+This statement defines the base location for servers, workstations, terminals, phones and
+components. Default is
+.I ou=systems.
+.PP
+
+.B ldap_filter_nesting_limit
+.I integer
+.PP
+The
+.I ldap_filter_nesting_limit
+statement can be used to speed up group handling for groups with several hundreds of members.
+The default behaviour is, that GOsa will resolv the memberUid values in a group to real names.
+To achieve this, it writes a single filter to minimize searches. Some LDAP servers (namely
+Sun DS) simply crash when the filter gets too big. You can set a member limit, where GOsa will
+stop to do these lookups.
+.PP
+
+.B sizelimit
+.I integer
+.PP
+The
+.I sizelimit
+statement tells GOsa to retrieve the specified maximum number of results. The user will get
+a warning, that not all entries were shown.
+.PP
+
+.B recursive
+.I bool
+.PP
+The
+.I recursive
+statement tells GOsa to follow LDAP referrals.
+.PP
+.PP
+
+
+.B Account creation options
+.PP
+.B uidbase
+.I integer
+.PP
+The
+.I uidbase
+statement defines where to start looking for a new free user id. This should be synced
+with your
+.I adduser.conf
+to avoid overlapping uidNumber values between local and LDAP based lookups. The uidbase
+can even be dynamic. Take a look at the
+.I base_hook
+definition below.
+.PP
+
+.B gidbase
+.I integer
+.PP
+The
+.I gidbase
+statement defines where to start looking for a new free group id. This should be synced
+with your
+.I adduser.conf
+to avoid overlapping gidNumber values between local and LDAP based lookups. The gidbase
+can even be dynamic. Take a look at the
+.I base_hook
+definition below.
+.PP
+
+.B minid
+.I integer
+.PP
+The
+.I minid
+statement defines the minimum assignable user or group id to avoid security leaks with
+uid 0 accounts.
+.PP
+
+.B base_hook
+.I path
+.PP
+The
+.I base_hook
+statement defines a script to be called for finding the next free id for users or groups
+externaly. It gets called with the current entry "dn" and the attribute to be ID'd. It
+should return an integer value.
+.PP
+
+.B hash
+.I string
+.PP
+The
+.I hash
+statement defines the default password hash to choose for new accounts. Valid values are
+.I crypt/standard-des, crypt/md5, crypt/enhanced-des, crypt/blowfish, md5, sha, ssha, smd5, clear
+and
+.I sasl.
+These values will be overridden when using templates.
+.PP
+
+.B idgen
+.I string
+.PP
+The
+.I idgen
+statement describes an automatic way to generate new user ids. There are two basic
+functions supported - which can be combined:
+
+ a) using attributes
+
+ You can specify LDAP attributes (currently only sn and givenName) in
+ braces {} and add a percent sign befor it. Optionally you can strip it
+ down to a number of characters, specified in []. I.e.
+
+.nf
+ idgen="{%sn}-{%givenName[2-4]}"
+.fi
+
+ will generate an ID using the full surename, adding a dash, and adding at
+ least the first two characters of givenName. If this ID is used, it'll
+ use up to four characters. If no automatic generation is possible, a
+ input box is shown.
+
+ b) using automatic id's
+
+ I.e. specifying
+
+.nf
+ idgen="acct{id:3}"
+.fi
+
+ will generate a three digits id with the next free entry appended to
+ "acct".
+
+.nf
+ idgen="ext{id#3}"
+.fi
+
+ will generate a three digits random number appended to "ext".
+.PP
+.PP
+
+
+.B Samba options
+.PP
+.B sid
+.I string
+.PP
+The
+.I sid
+statement defines a samba SID if not available inside of the LDAP. You can retrieve
+the current sid by
+.I net getlocalsid.
+.PP
+
+.B ridbase
+.I integer
+.PP
+The
+.I ridbase
+statement defines the base id to add to ordinary sid calculations - if not available
+inside of the LDAP.
+.PP
+
+.B sambaversion
+.I 2/3
+.PP
+The
+.I sambaversion
+statement defines the version of samba you want to write LDAP entries for. Be sure
+to include the correct schema in this case. Valid values are 2 and 3.
+.PP
+
+.B smbhash
+.I path
+.PP
+The
+.I smbhash
+statement contains an executable to generate samba hash values. This is required
+for password synchronization, but not required if you apply gosa-si services.
+If you don't have mkntpasswd from the samba distribution installed, you can use
+perl to generate the hash:
+
+.nf
+perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen \\$ARGV[0]), $/;"
+.if
+.PP
+
+.B sambaidmapping
+.I bool
+.PP
+The
+.I sambaidmapping
+statement tells GOsa to maintain sambaIdmapEntry objects. Depending on your
+setup this can drastically improve the windows login performance.
+.PP
+.PP
+
+.B Asterisk options
+.PP
+.B ctihook
+.I path
+.PP
+The
+.I ctihook
+statement defines a script to be executed if someone clicks on a phone number
+inside of the addressbook plugin. It gets called with two parameters:
+
+.nf
+ctihook $source_number $destination_number
+.fi
+
+This script can be used to do automatted dialing from the addressbook.
+.PP
+.PP
+
+.B Mail options
+.PP
+.B mailMethod
+.I cyrus/kolab/golab/sendmail
+.PP
+The
+.I mailMethod
+statement tells GOsa which mail method the setup should use to communicate
+with a possible mail server. Leave this undefined if your mail method does
+not match the predefined ones.
+
+.I cyrus
+maintains accounts and sieve scripts in cyrus servers.
+.I kolab
+is like cyrus, but lets the kolab daemon maintain the accounts.
+.I golab is like cyrus - just with kolab attributes.
+.I sendmail just disables everything which is IMAP dependent.
+.PP
+
+.B cyrusunixstyle
+.I bool
+.PP
+The
+.I cyrusunixstyle
+statement determines if GOsa should use "foo/bar" or "foo.bar" namespaces
+in IMAP. Unix style is with slashes.
+
+.B additionalrestrictionfilters
+.I path
+.PP
+The
+.I additionalrestrictionfilters
+statement defines a file to include for the postfix module in order
+to display user defined restriction filters.
+
+.B additionalprotocols
+.I path
+.PP
+The
+.I additionalprotocols
+statement defines a file to include for the postfix module in order
+to display user defined protocols.
+
+.B mail_attrib
+.I mail/uid
+.PP
+The
+.I mail_attrib
+statement determines which attribute GOsa will use to create accounts.
+Valid values are
+.I mail
+and
+.I uid.
+
+.B vacationdir
+.I path
+.PP
+The
+.I vacationdir
+statement sets the path where GOsa will look for vacation message
+templates. Default is /etc/gosa/vacation.
+
+Example template /etc/gosa/vacation/business.txt:
+
+.nf
+ DESC:Away from desk
+ Hi, I'm currently away from my desk. You can contact me on
+ my cell phone via %mobile.
+
+ Greetings,
+ %givenName %sn
+.fi
+.PP
+
+
+.B Debug options
+.PP
+.B displayerrors
+.I bool
+.PP
+The
+.I displayerrors
+statement tells GOsa to show PHP errors in the upper part of the screen. This
+should be disabled in productive deployments, because there might be some
+important passwords arround.
+.PP
+
+.B ldapstats
+.I bool
+.PP
+The
+.I ldapstats
+statement tells GOsa to track LDAP timing statistics to the syslog. This may
+help to find indexing problems or bad search filters.
+.PP
+
+.B ignore_acl
+.I dn
+.PP
+The
+.I ignore_acl
+value tells GOsa to ignore complete ACL sets for the given DN. Add your
+DN here and you'll be able to restore accidently dropped ACLs.
+.PP
+
+.B debuglevel
+.I integer
+.PP
+The
+.I debuglevel
+value tells GOsa to display certain information on each page load. Value
+is an AND combination of the following byte values:
+
+DEBUG_TRACE = 1
+
+DEBUG_LDAP = 2
+
+DEBUG_MYSQL = 4
+
+DEBUG_SHELL = 8
+
+DEBUG_POST = 16
+
+DEBUG_SESSION = 32
+
+DEBUG_CONFIG = 64
+
+DEBUG_ACL = 128
+.PP
+
+
+.SH LDAP resource definition
+
+For every location you define inside your gosa.conf, you need at least
+one entry of the type
+.I referral.
+These entries define the way how to connect to some directory service.
+
+.B Example:
+
+.nf
+ <referral url="ldap://ldap.example.net/dc=example,dc=net"
+ admin="cn=gosa-admin,dc=example,dc=net"
+ password="secret" />
+.fi
+
+.I url
+is a valid LDAP url extendet by the base this referral is responsible for.
+.I admin
+is the DN which has the permission to write LDAP entries. And
+.I password
+is the corresponding password for this DN.
+
+You can define a set of referrals if you have several server to
+connect to.
.SH AUTHOR
.B gosa.conf(5)
.SH AUTHOR
.B gosa.conf(5)