X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;ds=sidebyside;f=gosa-core%2Fcontrib%2Fgosa.conf.5;h=4f345f311950c59bbd1574a744f9c2f5de652b94;hb=ac6345f04f25fa089082b215d60af36849ba2342;hp=63d66f8a92181cc2c708b2027182b1c26ed0edbb;hpb=3ca3190832f90fafaad74db9863a98e8cf88cdda;p=gosa.git diff --git a/gosa-core/contrib/gosa.conf.5 b/gosa-core/contrib/gosa.conf.5 index 63d66f8a9..4f345f311 100644 --- a/gosa-core/contrib/gosa.conf.5 +++ b/gosa-core/contrib/gosa.conf.5 @@ -1,4 +1,4 @@ -.TH gosa.conf 5 +.TH gosa.conf 5 "2008-04-07" "GOsa v2.6" "Debian" .SH NAME gosa.conf - GOsa configuration file .SH DESCRIPTION @@ -27,7 +27,7 @@ information about several locations. .nf - + ... @@ -172,15 +172,15 @@ each location definition inside of this global definition. .nf
@@ -190,41 +190,42 @@ each location definition inside of this global definition. .fi +.PP .B Generic options .PP -.B forceglobals +.B forceGlobals .I bool .PP The -.I forceglobals +.I forceGlobals statement enables PHP security checks to force register_global settings to be switched off. .PP -.B forcessl +.B forceSSL .I bool .PP The -.I forceglobals +.I forceSSL statement enables PHP security checks to force encrypted access to the web interface. GOsa will try to redirect to the same URL - just with https://. .PP -.B warnssl +.B warnSSL .I bool .PP The -.I warnssl +.I warnSSL statement enables PHP security checks to detect non encrypted access to the web interface. GOsa will display a warning in this case. .PP -.B uniq_identifier +.B modificationDetectionAttribute .I string .PP The -.I uniq_identifier +.I modificationDetectionAttribute statement enables GOsa to check if a entry currently being edited has been modified from someone else outside GOsa in the meantime. It will display an informative dialog then. It can be set to @@ -250,11 +251,11 @@ list. GOsa will not log anything, if the logging value is empty. .PP -.B login_attribute +.B loginAttribute .I string .PP The -.I login_attribute +.I loginAttribute statement tells GOsa which LDAP attribute is used as the login name during login. It can be set to .I uid, mail 
@@ -262,60 +263,60 @@ or .I both. .PP -.B enableCopyPaste +.B copyPaste .I bool .PP The -.I enableCopyPaste +.I copyPaste statement enables copy and paste for LDAP entries managed with GOsa. .PP -.B enable_snapshot +.B snapshots .I bool .PP The -.I enable_snapshot +.I snapshots statement enables a snapshot mechaism in GOsa. This enables you to save certain states of entries and restore them later on. .PP -.B snapshot_base +.B snapshotBase .I dn .PP The -.I snapshot_base +.I snapshotBase statement defines the base where snapshots should be stored inside of the LDAP. .PP -.B snapshot_server -.I url +.B snapshotURI +.I uri .PP The -.I snapshot_server -variable defines the LDAP URL for the server which is used to do object +.I snapshotURI +variable defines the LDAP URI for the server which is used to do object snapshots. .PP -.B snapshot_user +.B snapshotAdminDn .I dn .PP The -.I snapshot_user +.I snapshotAdminDn variable defines the user which is used to authenticate when connecting to -.I snapshot_server. +.I snapshotURI. .PP -.B snapshot_password +.B snapshotAdminPassword .I string .PP The -.I snapshot_password +.I snapshotAdminPassword variable defines the credentials which are used in combination with -.I snapshot_user +.I snapshotAdminDn and -.I snapshot_server +.I snapshotURI in order to authenticate. .PP @@ -328,11 +329,11 @@ statement defines the LDAP base, where GOsa stores management information, such as site wide locking and user notifications. .PP -.B compile +.B templateCompileDirectory .I path .PP The -.I compile +.I templateCompileDirectory statements defines the path, where the PHP templating engins .I smarty should store its compiled GOsa templates for improved speed. This path 
@@ -351,30 +352,30 @@ The value should be a unix conform timezone value like in /etc/timezone. .PP -.B governmentmode +.B honourIvbbAttributes .I bool .PP The -.I governmentmode +.I honourIvbbAttributes statement enables the IVBB mode inside of GOsa. You need the ivbb.schema file from used by german authorities. .PP -.B strict +.B strictNamingRules .I bool .PP The -.I strict +.I strictNamingRules statement enables strict checking of uids and group names. If you need characters like . or - inside of your accounts, set this to .I false. .PP -.B strict_units +.B honourUnitTags .I bool .PP The -.I strict_units +.I honourUnitTags statement enables checking of .I unitTag attributes when using administrative units. If this is set to 
@@ -395,77 +396,913 @@ on unix systems, you've to adjust your NSS configuration to use rfc2307bis style groups, too. .PP +.B ppdPath +.I path +.PP +The +.I ppdPath +variable defines where to store PPD files for the GOto environment plugins. +.PP +.B resolutions +.I path +.PP +The +.I resolutions +variable defines a plain text file which contains additional resolutions +to be shown in the environment and system plugins. +.PP +.B htaccessAuthentication +.I bool +.PP +The +.I htaccessAuthentication +variable tells GOsa to use either htaccess authentication or LDAP authentication. This +can be used if you want to use i.e. kerberos to authenticate the users. +.PP +.B gosaSupportURI +.I URI +.PP +The +.I gosaSupportURI +defines the major gosa-si server host and the password for GOsa to connect to it. +can be used if you want to use i.e. kerberos to authenticate the users. +The format is: +.nf +credentials@host:port +.fi +.PP +.B Browser and display options +.B listSummary +.I true/false +.PP +The +.I listSummary +statement determines whether a status bar will be shown on the bottom of +GOsa generated lists, displaying a short summary of type and number of +elements in the list. +.PP +.B iconsize +.I size value +.PP +The +.I iconsize +statement sets the icon size in the main menu. Its value should be something +like 48x48. +.PP +.B sendCompressedOutput +.I true/false +.PP +The +.I sendCompressedOutput +statement determines whether PHP should send compressed HTML pages to +browsers or not. This may increase or decrease the performance, depending +on your network. +.PP +.B storeFilterSettings +.I true/false +.PP +The +.I storeFilterSettings +statement determines whether GOsa should store filter and plugin settings +inside of a cookie. +.PP -.B Display options +.B language +.I string .PP -.I The -.B list_summary -.I statement +The +.I language +statement defines the default language used by GOsa. Normally GOsa autodetects +the language from the browser settings. 
If this is not working or you want to +force the language, just add the language code (i.e. de for german) here. .PP -.B list_summary -.I true/false + +.B theme +.I string .PP The -.I list_summary -statement determines whether a status bar will be shown on the bottom of -GOsa generated lists, displaying a short summary of type and number of -elements in the list. +.I theme +statement defines what theme is used to display GOsa pages. You can install some +corporate identity like theme and/or modify certain templates to fit your needs +within themes. Take a look at the GOsa +.I FAQ +for more information. .PP -.B Password options +.B sessionLifetime +.I int .PP -.I The -.B pwminlen -.I statement +The +.I sessionLifetime +value defines when a session will expire in seconds. For Debian systems, this will +not work because the sessions will be removed by a cron job instead. Please modify +the value inside of your php.ini instead. +.PP + +.B primaryGroupFilter +.I bool +.PP +The +.I primaryGroupFilter +variable enables or disables the group filter to show primary user groups. It is +time consuming to evaluate which groups are primary and which are not. So you may +want to set it to +.I true +if your group plugin is slow. +.PP + +.B iePngWorkaround +.I bool .PP -.B pwminlen +The +.I iePngWorkaround +variable enables or disables a workaround for IE < 7 in order to display transparent +PNG files correctly. This drastically slows down browsing. Please use Firefox or Opera +instead. +.PP +.PP + + +.B Password options +.PP +.B passwordMinLength .I integer .PP The -.I pwminlen +.I passwordMinLength statement determines whether a newly entered password has to be of a minimum length. .PP -.I The -.B pwdiffer -.I statement -.PP -.B pwdiffer +.B passwordMinDiffer .I integer .PP The -.I pwdiffer +.I passwordMinDiffer statement determines whether a newly entered password has to be checked to have at least n different characters. 
.PP -.I The -.B externalpwdhook -.I statement -.PP -.B externalpwdhook +.B passwordHook .I path .PP The -.I externalpwdhook +.I passwordHook can specify an external script to handle password settings at some other -location besides the LDAP. +location besides the LDAP. It will be called this way: + +.nf +/path/to/your/script "username" "oldpassword" "newpassword" +.fi + +.B handleExpiredAccounts +.I bool +.PP +The +.I handleExpiredAccounts +statement enables shadow attribute tests during the login to the GOsa web +interface and forces password renewal or account lockout. +.PP + +.B useSaslForKerberos +.I bool +.PP +The +.I useSaslForKerberos +statement defines the way the kerberos realm is stored in the +.I userPassword +attribute. Set it to +.I true +in order to get {sasl}user@REALM.NET, or to +.I false +to get {kerberos}user@REALM.NET. The latter is outdated, but may be +needed from time to time. +.PP +.PP + + +.B LDAP options +.PP +.B ldapMaxQueryTime +.I integer +.PP +The +.I ldapMaxQueryTime +statement tells GOsa to stop LDAP actions if there is no answer within the +specified number of seconds. +.PP + +.B schemaCheck +.I bool +.PP +The +.I schemaCheck +statement enables or disables schema checking during login. It is recommended +to switch this on in order to let GOsa handle object creation more efficient. +.PP + +.B ldapTLS +.I bool +.PP +The +.I ldapTLS +statement enables or disables TLS operating on LDAP connections. +.PP + +.B accountPrimaryAttribute +.I cn/uid +.PP +The +.I accountPrimaryAttribute +option tells GOsa how to create new accounts. Possible values are +.I uid +and +.I cn. +In the first case GOsa creates uid style DN entries: +.nf +uid=superuser,ou=staff,dc=example,dc=net +.fi +In the second case, GOsa creates cn style DN entries: +.nf +cn=Foo Bar,ou=staff,dc=example,dc=net +.fi +If you choose "cn" to be your +.I accountPrimaryAttribute +you can decide whether to include the personal title in your dn by +selecting +.I personalTitleInDN. 
+.PP + +.B personalTitleInDN +.I bool +.PP +The +.I personalTitleInDN +option tells GOsa to include the personal title in user DNs when +.I accountPrimaryAttribute +is set to "cn". + +.B userRDN +.I string +.PP +The +.I userRDN +statement defines the location where new accounts will be created inside of +defined departments. The default is +.I ou=people. +.PP + +.B groupsRDN +.I string +.PP +The +.I groupsRDN +statement defines the location where new groups will be created inside of +defined departments. The default is +.I ou=groups. +.PP + +.B sudoRDN +.I string +.PP +The +.I sudoRDN +statement defines the location where new groups will be created inside of +defined departments. The default is +.I ou=groups. +.PP + +.B sambaMachineAccountRDN +.I string +.PP +This statement defines the location where GOsa looks for new samba workstations. +.PP + +.B ogroupRDN +.I string +.PP +This statement defines the location where GOsa creates new object groups inside of defined +departments. Default is +.I ou=groups. +.PP + +.B serverRDN +.I string +.PP +This statement defines the location where GOsa creates new servers inside of defined +departments. Default is +.I ou=servers. +.PP + +.B terminalRDN +.I string +.PP +This statement defines the location where GOsa creates new terminals inside of defined +departments. Default is +.I ou=terminals. +.PP + +.B workstationRDN +.I string +.PP +This statement defines the location where GOsa creates new workstations inside of defined +departments. Default is +.I ou=workstations. +.PP + +.B printerRDN +.I string +.PP +This statement defines the location where GOsa creates new printers inside of defined +departments. Default is +.I ou=printers. +.PP + +.B componentRDN +.I string +.PP +This statement defines the location where GOsa creates new network components inside of defined +departments. Default is +.I ou=components. 
+.PP + +.B phoneRDN +.I string +.PP +This statement defines the location where GOsa creates new phones inside of defined +departments. Default is +.I ou=phones. +.PP + +.B phoneConferenceRDN +.I string +.PP +This statement defines the location where GOsa creates new phone conferences inside of defined +departments. Default is +.I ou=conferences. +.PP + +.B faxBlocklistRDN +.I string +.PP +This statement defines the location where GOsa creates new fax blocklists inside of defined +departments. Default is +.I ou=blocklists. +.PP + +.B systemIncomingRDN +.I string +.PP +This statement defines the location where GOsa looks for new systems to be joined to the LDAP. +Default is +.I ou=incoming. +.PP + +.B systemRDN +.I string +.PP +This statement defines the base location for servers, workstations, terminals, phones and +components. Default is +.I ou=systems. +.PP + +.B ogroupRDN +.I string +.PP +This statement defines the location where GOsa looks for object groups. +Default is +.I ou=groups. +.PP + +.B aclRoleRDN +.I string +.PP +This statement defines the location where GOsa stores ACL role definitions. +Default is +.I ou=aclroles. +.PP + +.B phoneMacroRDN +.I string +.PP +This statement defines the location where GOsa stores phone macros for use with the Asterisk +phone server. +Default is +.I ou=macros,ou=asterisk,ou=configs,ou=systems. +.PP + +.B faiBaseRDN +.I string +.PP +This statement defines the location where GOsa looks for FAI settings. +Default is +.I ou=fai,ou=configs,ou=systems. +.PP + +.B faiScriptRDN, faiHookRDN, faiTemplateRDN, faiVariableRDN, faiProfileRDN, faiPackageRDN, faiPartitionRDN +.I string +.PP +These statement define the location where GOsa stores FAI classes. The complete base for the +corresponding class is an additive of +.B faiBaseRDN +an and this value. +.PP + +.B deviceRDN +.I string +.PP +This statement defines the location where GOsa looks for devices. +Default is +.I ou=devices. 
+.PP + +.B mimetypeRDN +.I string +.PP +This statement defines the location where GOsa stores mime type definitions. +Default is +.I ou=mimetypes. +.PP + +.B applicationRDN +.I string +.PP +This statement defines the location where GOsa stores application definitions. +Default is +.I ou=apps. +.PP + +.B ldapFilterNestingLimit +.I integer +.PP +The +.I ldapFilterNestingLimit +statement can be used to speed up group handling for groups with several hundreds of members. +The default behaviour is, that GOsa will resolv the memberUid values in a group to real names. +To achieve this, it writes a single filter to minimize searches. Some LDAP servers (namely +Sun DS) simply crash when the filter gets too big. You can set a member limit, where GOsa will +stop to do these lookups. +.PP + +.B ldapSizelimit +.I integer +.PP +The +.I ldapSizelimit +statement tells GOsa to retrieve the specified maximum number of results. The user will get +a warning, that not all entries were shown. +.PP + +.B ldapFollowReferrals +.I bool +.PP +The +.I ldapFollowReferrals +statement tells GOsa to follow LDAP referrals. +.PP +.PP + + +.B Account creation options +.PP +.B uidNumberBase +.I integer +.PP +The +.I uidNumberBase +statement defines where to start looking for a new free user id. This should be synced +with your +.I adduser.conf +to avoid overlapping uidNumber values between local and LDAP based lookups. The uidNumberBase +can even be dynamic. Take a look at the +.I nextIdHook +definition below. +.PP + +.B gidNumberBase +.I integer +.PP +The +.I gidNumberBase +statement defines where to start looking for a new free group id. This should be synced +with your +.I adduser.conf +to avoid overlapping gidNumber values between local and LDAP based lookups. The gidNumberBase +can even be dynamic. Take a look at the +.I nextIdHook +definition below. 
+.PP + +.B minId +.I integer +.PP +The +.I minId +statement defines the minimum assignable user or group id to avoid security leaks with +uid 0 accounts. +.PP + +.B nextIdHook +.I path +.PP +The +.I nextIdHook +statement defines a script to be called for finding the next free id for users or groups +externaly. It gets called with the current entry "dn" and the attribute to be ID'd. It +should return an integer value. +.PP + +.B hash +.I string +.PP +The +.I hash +statement defines the default password hash to choose for new accounts. Valid values are +.I crypt/standard-des, crypt/md5, crypt/enhanced-des, crypt/blowfish, md5, sha, ssha, smd5, clear +and +.I sasl. +These values will be overridden when using templates. +.PP + +.B idGenerator +.I string +.PP +The +.I idGenerator +statement describes an automatic way to generate new user ids. There are two basic +functions supported - which can be combined: + + a) using attributes + + You can specify LDAP attributes (currently only sn and givenName) in + braces {} and add a percent sign befor it. Optionally you can strip it + down to a number of characters, specified in []. I.e. + +.nf + idGenerator="{%sn}-{%givenName[2-4]}" +.fi + + will generate an ID using the full surename, adding a dash, and adding at + least the first two characters of givenName. If this ID is used, it'll + use up to four characters. If no automatic generation is possible, a + input box is shown. + + b) using automatic id's + + I.e. specifying + +.nf + idGenerator="acct{id:3}" +.fi + + will generate a three digits id with the next free entry appended to + "acct". + +.nf + idGenerator="ext{id#3}" +.fi + + will generate a three digits random number appended to "ext". +.PP +.PP + + +.B Samba options +.PP +.B sambaSID +.I string +.PP +The +.I sambaSID +statement defines a samba SID if not available inside of the LDAP. You can retrieve +the current sid by +.I net getlocalsid. 
+.PP + +.B sambaRidBase +.I integer +.PP +The +.I sambaRidBase +statement defines the base id to add to ordinary sid calculations - if not available +inside of the LDAP. +.PP + +.B sambaversion +.I 2/3 +.PP +The +.I sambaversion +statement defines the version of samba you want to write LDAP entries for. Be sure +to include the correct schema in this case. Valid values are 2 and 3. +.PP + +.B sambaHashHook +.I path +.PP +The +.I sambaHashHook +statement contains an executable to generate samba hash values. This is required +for password synchronization, but not required if you apply gosa-si services. +If you don't have mkntpasswd from the samba distribution installed, you can use +perl to generate the hash: + +.nf +perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen \\$ARGV[0]), $/;" +.if +.PP + +.B sambaidmapping +.I bool +.PP +The +.I sambaidmapping +statement tells GOsa to maintain sambaIdmapEntry objects. Depending on your +setup this can drastically improve the windows login performance. +.PP +.PP + +.B Asterisk options +.PP +.B ctiHook +.I path +.PP +The +.I ctiHook +statement defines a script to be executed if someone clicks on a phone number +inside of the addressbook plugin. It gets called with two parameters: + +.nf +ctiHook $source_number $destination_number +.fi + +This script can be used to do automatted dialing from the addressbook. +.PP +.PP + +.B Mail options +.PP +.B mailMethod +.I cyrus/kolab/golab/sendmail +.PP +The +.I mailMethod +statement tells GOsa which mail method the setup should use to communicate +with a possible mail server. Leave this undefined if your mail method does +not match the predefined ones. + +.I cyrus +maintains accounts and sieve scripts in cyrus servers. +.I kolab +is like cyrus, but lets the kolab daemon maintain the accounts. +.I golab is like cyrus - just with kolab attributes. +.I sendmail just disables everything which is IMAP dependent. 
+.PP + +.B cyrusUseSlashes +.I bool +.PP +The +.I cyrusUseSlashes +statement determines if GOsa should use "foo/bar" or "foo.bar" namespaces +in IMAP. Unix style is with slashes. + +.B postfixRestrictionFilters +.I path +.PP +The +.I postfixRestrictionFilters +statement defines a file to include for the postfix module in order +to display user defined restriction filters. + +.B postfixProtocols +.I path +.PP +The +.I postfixProtocols +statement defines a file to include for the postfix module in order +to display user defined protocols. + +.B mailAttribute +.I mail/uid +.PP +The +.I mailAttribute +statement determines which attribute GOsa will use to create accounts. +Valid values are +.I mail +and +.I uid. + +.B vacationTemplateDirectory +.I path +.PP +The +.I vacationTemplateDirectory +statement sets the path where GOsa will look for vacation message +templates. Default is /etc/gosa/vacation. + +Example template /etc/gosa/vacation/business.txt: + +.nf + DESC:Away from desk + Hi, I'm currently away from my desk. You can contact me on + my cell phone via %mobile. + + Greetings, + %givenName %sn +.fi +.PP + + +.B Debug options +.PP +.B displayerrors +.I bool +.PP +The +.I displayerrors +statement tells GOsa to show PHP errors in the upper part of the screen. This +should be disabled in productive deployments, because there might be some +important passwords arround. +.PP + +.B ldapstats +.I bool .PP +The +.I ldapstats +statement tells GOsa to track LDAP timing statistics to the syslog. This may +help to find indexing problems or bad search filters. +.PP + +.B ignoreAcl +.I dn +.PP +The +.I ignoreAcl +value tells GOsa to ignore complete ACL sets for the given DN. Add your +DN here and you'll be able to restore accidently dropped ACLs. +.PP + +.B debuglevel +.I integer +.PP +The +.I debuglevel +value tells GOsa to display certain information on each page load. 
Value +is an AND combination of the following byte values: + +DEBUG_TRACE = 1 + +DEBUG_LDAP = 2 + +DEBUG_MYSQL = 4 + +DEBUG_SHELL = 8 + +DEBUG_POST = 16 + +DEBUG_SESSION = 32 + +DEBUG_CONFIG = 64 + +DEBUG_ACL = 128 +.PP + +.SH LDAP resource definition +For every location you define inside your gosa.conf, you need at least +one entry of the type +.I referral. +These entries define the way how to connect to some directory service. +.B Example: + +.nf + +.fi + +.I uri +is a valid LDAP uri extendet by the base this referral is responsible for. +.I admin +is the DN which has the permission to write LDAP entries. And +.I password +is the corresponding password for this DN. + +You can define a set of referrals if you have several server to +connect to. + +.SH Settings for the environment plugin + +In order to make full use of the environment plugin, you may want +to define the location where kiosk profiles will be stored on the +servers harddisk. + +This is done by the +.I kioskPath +keyword defined within the +.I environment +class definition inside your gosa.conf. + +.B Example: + +.nf + +.fi + +Make sure, that this path is writeable by GOsa. + +.SH Settings for the FAI plugin + +The FAI plugin can be used in a way that it generates branched or +freezed releases inside your repository. Specifying the +.I postcreate +and +.I postmodify +keywords in the +.I servrepository +definition, calls the provided script as a hook when adding or +removing branches. This script should do the rest inside of your +repository. + +.B Example: + +.nf +
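Review bot: in the hunk at @@ -190,41 +190,42 @@ (Generic options), the option names change spelling (forcessl to forceSSL, warnssl to warnSSL, uniq_identifier to modificationDetectionAttribute) but the page never mentions the former names, so an administrator with an older gosa.conf cannot tell from the man page which settings were renamed. Suggest a short list of former names, or a sentence saying whether the old spellings are still accepted. While the forceGlobals paragraph is being touched, the unchanged text says "register_global settings"; the PHP directive is register_globals.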
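Review bot: in the hunk at @@ -262,60 +263,60 @@, the snapshotAdminPassword entry documents a bind password as a plain string in gosa.conf and says nothing about protecting the file; suggest adding a sentence that the configuration file should be readable only by the web server user. The new name snapshotAdminDn also uses "Dn" where personalTitleInDN, added later in this patch, uses "DN"; pick one casing. The unchanged snapshots description still reads "mechaism".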
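Review bot: in the hunk at @@ -395,77 +396,913 @@, the sambaHashHook example opens with .nf but closes with ".if" instead of ".fi"; .if is the roff conditional request, so no-fill mode is never switched off and the text after the example renders unfilled. Change it to .fi. Elsewhere in the same hunk: the gosaSupportURI paragraph carries a stray sentence copied from htaccessAuthentication ("can be used if you want to use i.e. kerberos to authenticate the users."); sudoRDN repeats the groupsRDN text word for word, including "new groups" and the ou=groups default; ogroupRDN is documented twice with different descriptions; and debuglevel is described as "an AND combination" of the values 1, 2, 4 up to 128, which read as bit flags that are combined with OR. The passwordHook paragraph shows the script being called with "username" "oldpassword" "newpassword" as arguments; it is worth a sentence telling administrators that both passwords reach the script on its command line.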