X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;f=gosa-core%2Fcontrib%2Fgosa.conf.5;h=e4eea1301a1393cb6a32ba3d6c23cfa58aa30cda;hb=589ac260aa0a61b14c6245f70aba7efdf0c7f406;hp=63d66f8a92181cc2c708b2027182b1c26ed0edbb;hpb=3ca3190832f90fafaad74db9863a98e8cf88cdda;p=gosa.git diff --git a/gosa-core/contrib/gosa.conf.5 b/gosa-core/contrib/gosa.conf.5 index 63d66f8a9..e4eea1301 100644 --- a/gosa-core/contrib/gosa.conf.5 +++ b/gosa-core/contrib/gosa.conf.5 @@ -1,4 +1,4 @@ -.TH gosa.conf 5 +.TH gosa.conf 5 "2008-04-07" "GOsa v2.6" "Debian" .SH NAME gosa.conf - GOsa configuration file .SH DESCRIPTION @@ -190,6 +190,7 @@ each location definition inside of this global definition. .fi +.PP .B Generic options .PP @@ -395,24 +396,50 @@ on unix systems, you've to adjust your NSS configuration to use rfc2307bis style groups, too. .PP +.B ppd_path +.I path +.PP +The +.I ppd_path +variable defines where to store PPD files for the GOto environment plugins. +.PP +.B resolutions +.I path +.PP +The +.I pppd_pathpd_path +variable defines a plain text file which contains additional resolutions +to be shown in the environment and system plugins. +.PP +.B htaccess_auth +.I bool +.PP +The +.I htaccess_auth +variable tells GOsa to use either htaccess authentication or LDAP authentication. This +can be used if you want to use i.e. kerberos to authenticate the users. +.PP +.B gosa_si +.I bool +.PP +The +.I gosa_si +defines the major gosa-si server host and the password for GOsa to connect to it. +can be used if you want to use i.e. kerberos to authenticate the users. +The format is: +.nf +credentials@host:port +.fi +.PP +.B Browser and display options - - - - -.B Display options -.PP -.I The -.B list_summary -.I statement -.PP .B list_summary .I true/false .PP @@ -423,11 +450,91 @@ GOsa generated lists, displaying a short summary of type and number of elements in the list. .PP -.B Password options +.B iconsize +.I size value .PP -.I The -.B pwminlen -.I statement +The +.I iconsize +statement sets the icon size in the main menu. Its value should be something +like 48x48. +.PP + +.B compressed +.I true/false +.PP +The +.I compressed +statement determines whether PHP should send compressed HTML pages to +browsers or not. This may increase or decrease the performance, depending +on your network. +.PP + +.B save_filter +.I true/false +.PP +The +.I save_filter +statement determines whether GOsa should store filter and plugin settings +inside of a cookie. +.PP + +.B lang +.I string +.PP +The +.I lang +statement defines the default language used by GOsa. Normally GOsa autodetects +the language from the browser settings. If this is not working or you want to +force the language, just add the language code (i.e. de for german) here. +.PP + +.B theme +.I string +.PP +The +.I theme +statement defines what theme is used to display GOsa pages. You can install some +corporate identity like theme and/or modify certain templates to fit your needs +within themes. Take a look at the GOsa +.I FAQ +for more information. +.PP + +.B session_lifetime +.I int +.PP +The +.I session_lifetime +value defines when a session will expire in seconds. For Debian systems, this will +not work because the sessions will be removed by a cron job instead. Please modify +the value inside of your php.ini instead. +.PP + +.B noprimarygroup +.I bool +.PP +The +.I noprimarygroup +variable enables or disables the group filter to show primary user groups. It is +time consuming to evaluate which groups are primary and which are not. So you may +want to set it to +.I true +if your group plugin is slow. +.PP + +.B ie_png_workaround +.I bool +.PP +The +.I ie_png_workaround +variable enables or disables a workaround for IE < 7 in order to display transparent +PNG files correctly. This drastically slows down browsing. Please use Firefox or Opera +instead. +.PP +.PP + + +.B Password options .PP .B pwminlen .I integer @@ -438,10 +545,6 @@ statement determines whether a newly entered password has to be of a minimum length. .PP -.I The -.B pwdiffer -.I statement -.PP .B pwdiffer .I integer .PP @@ -451,21 +554,592 @@ statement determines whether a newly entered password has to be checked to have at least n different characters. .PP -.I The -.B externalpwdhook -.I statement -.PP .B externalpwdhook .I path .PP The .I externalpwdhook can specify an external script to handle password settings at some other -location besides the LDAP. +location besides the LDAP. It will be called this way: + +.nf +/path/to/your/script "username" "oldpassword" "newpassword" +.fi + +.B account_expiration +.I bool +.PP +The +.I account_expiration +statement enables shadow attribute tests during the login to the GOsa web +interface and forces password renewal or account lockout. .PP +.B krbsasl +.I bool +.PP +The +.I krbsasl +statement defines the way the kerberos realm is stored in the +.I userPassword +attribute. Set it to +.I true +in order to get {sasl}user@REALM.NET, or to +.I false +to get {kerberos}user@REALM.NET. The latter is outdated, but may be +needed from time to time. +.PP +.PP +.B LDAP options +.PP +.B max_ldap_query_time +.I integer +.PP +The +.I max_ldap_query_time +statement tells GOsa to stop LDAP actions if there is no answer within the +specified number of seconds. +.PP + +.B schema_check +.I bool +.PP +The +.I schema_check +statement enables or disables schema checking during login. It is recommended +to switch this on in order to let GOsa handle object creation more efficient. +.PP + +.B tls +.I bool +.PP +The +.I tls +statement enables or disables TLS operating on LDAP connections. +.PP + +.B dnmode +.I cn/uid +.PP +The +.I dnmode +option tells GOsa how to create new accounts. Possible values are +.I uid +and +.I cn. +In the first case GOsa creates uid style DN entries: +.nf +uid=superuser,ou=staff,dc=example,dc=net +.fi +In the second case, GOsa creates cn style DN entries: +.nf +cn=Foo Bar,ou=staff,dc=example,dc=net +.fi +If you choose "cn" to be your +.I dnmode +you can decide whether to include the personal title in your dn by +selecting +.I include_personal_title. +.PP + +.B include_personal_title +.I bool +.PP +The +.I include_personal_title +option tells GOsa to include the personal title in user DNs when +.I dnmode +is set to "cn". + +.B people +.I string +.PP +The +.I people +statement defines the location where new accounts will be created inside of +defined departments. The default is +.I ou=people. +.PP + +.B groups +.I string +.PP +The +.I groups +statement defines the location where new groups will be created inside of +defined departments. The default is +.I ou=groups. +.PP + +.B sudoou +.I string +.PP +The +.I sudoou +statement defines the location where new groups will be created inside of +defined departments. The default is +.I ou=groups. +.PP + +.B winstations +.I string +.PP +This statement defines the location where GOsa looks for new samba workstations. +.PP + +.B ogroupou +.I string +.PP +This statement defines the location where GOsa creates new object groups inside of defined +departments. Default is +.I ou=groups. +.PP + +.B serverou +.I string +.PP +This statement defines the location where GOsa creates new servers inside of defined +departments. Default is +.I ou=servers. +.PP + +.B terminalou +.I string +.PP +This statement defines the location where GOsa creates new terminals inside of defined +departments. Default is +.I ou=terminals. +.PP + +.B workstationou +.I string +.PP +This statement defines the location where GOsa creates new workstations inside of defined +departments. Default is +.I ou=workstations. +.PP + +.B printerou +.I string +.PP +This statement defines the location where GOsa creates new printers inside of defined +departments. Default is +.I ou=printers. +.PP + +.B componentou +.I string +.PP +This statement defines the location where GOsa creates new network components inside of defined +departments. Default is +.I ou=components. +.PP + +.B phoneou +.I string +.PP +This statement defines the location where GOsa creates new phones inside of defined +departments. Default is +.I ou=phones. +.PP + +.B conferenceou +.I string +.PP +This statement defines the location where GOsa creates new phone conferences inside of defined +departments. Default is +.I ou=conferences. +.PP + +.B blocklistou +.I string +.PP +This statement defines the location where GOsa creates new fax blocklists inside of defined +departments. Default is +.I ou=blocklists. +.PP + +.B incomingou +.I string +.PP +This statement defines the location where GOsa looks for new systems to be joined to the LDAP. +Default is +.I ou=incoming. +.PP + +.B systemsou +.I string +.PP +This statement defines the base location for servers, workstations, terminals, phones and +components. Default is +.I ou=systems. +.PP + +.B ldap_filter_nesting_limit +.I integer +.PP +The +.I ldap_filter_nesting_limit +statement can be used to speed up group handling for groups with several hundreds of members. +The default behaviour is, that GOsa will resolv the memberUid values in a group to real names. +To achieve this, it writes a single filter to minimize searches. Some LDAP servers (namely +Sun DS) simply crash when the filter gets too big. You can set a member limit, where GOsa will +stop to do these lookups. +.PP + +.B sizelimit +.I integer +.PP +The +.I sizelimit +statement tells GOsa to retrieve the specified maximum number of results. The user will get +a warning, that not all entries were shown. +.PP + +.B recursive +.I bool +.PP +The +.I recursive +statement tells GOsa to follow LDAP referrals. +.PP +.PP + + +.B Account creation options +.PP +.B uidbase +.I integer +.PP +The +.I uidbase +statement defines where to start looking for a new free user id. This should be synced +with your +.I adduser.conf +to avoid overlapping uidNumber values between local and LDAP based lookups. The uidbase +can even be dynamic. Take a look at the +.I base_hook +definition below. +.PP + +.B gidbase +.I integer +.PP +The +.I gidbase +statement defines where to start looking for a new free group id. This should be synced +with your +.I adduser.conf +to avoid overlapping gidNumber values between local and LDAP based lookups. The gidbase +can even be dynamic. Take a look at the +.I base_hook +definition below. +.PP + +.B minid +.I integer +.PP +The +.I minid +statement defines the minimum assignable user or group id to avoid security leaks with +uid 0 accounts. +.PP + +.B base_hook +.I path +.PP +The +.I base_hook +statement defines a script to be called for finding the next free id for users or groups +externaly. It gets called with the current entry "dn" and the attribute to be ID'd. It +should return an integer value. +.PP + +.B hash +.I string +.PP +The +.I hash +statement defines the default password hash to choose for new accounts. Valid values are +.I crypt/standard-des, crypt/md5, crypt/enhanced-des, crypt/blowfish, md5, sha, ssha, smd5, clear +and +.I sasl. +These values will be overridden when using templates. +.PP + +.B idgen +.I string +.PP +The +.I idgen +statement describes an automatic way to generate new user ids. There are two basic +functions supported - which can be combined: + + a) using attributes + + You can specify LDAP attributes (currently only sn and givenName) in + braces {} and add a percent sign befor it. Optionally you can strip it + down to a number of characters, specified in []. I.e. + +.nf + idgen="{%sn}-{%givenName[2-4]}" +.fi + + will generate an ID using the full surename, adding a dash, and adding at + least the first two characters of givenName. If this ID is used, it'll + use up to four characters. If no automatic generation is possible, a + input box is shown. + + b) using automatic id's + + I.e. specifying + +.nf + idgen="acct{id:3}" +.fi + + will generate a three digits id with the next free entry appended to + "acct". + +.nf + idgen="ext{id#3}" +.fi + + will generate a three digits random number appended to "ext". +.PP +.PP + + +.B Samba options +.PP +.B sid +.I string +.PP +The +.I sid +statement defines a samba SID if not available inside of the LDAP. You can retrieve +the current sid by +.I net getlocalsid. +.PP + +.B ridbase +.I integer +.PP +The +.I ridbase +statement defines the base id to add to ordinary sid calculations - if not available +inside of the LDAP. +.PP + +.B sambaversion +.I 2/3 +.PP +The +.I sambaversion +statement defines the version of samba you want to write LDAP entries for. Be sure +to include the correct schema in this case. Valid values are 2 and 3. +.PP + +.B smbhash +.I path +.PP +The +.I smbhash +statement contains an executable to generate samba hash values. This is required +for password synchronization, but not required if you apply gosa-si services. +If you don't have mkntpasswd from the samba distribution installed, you can use +perl to generate the hash: + +.nf +perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen \\$ARGV[0]), $/;" +.if +.PP + +.B sambaidmapping +.I bool +.PP +The +.I sambaidmapping +statement tells GOsa to maintain sambaIdmapEntry objects. Depending on your +setup this can drastically improve the windows login performance. +.PP +.PP + +.B Asterisk options +.PP +.B ctihook +.I path +.PP +The +.I ctihook +statement defines a script to be executed if someone clicks on a phone number +inside of the addressbook plugin. It gets called with two parameters: + +.nf +ctihook $source_number $destination_number +.fi + +This script can be used to do automatted dialing from the addressbook. +.PP +.PP + +.B Mail options +.PP +.B mailMethod +.I cyrus/kolab/golab/sendmail +.PP +The +.I mailMethod +statement tells GOsa which mail method the setup should use to communicate +with a possible mail server. Leave this undefined if your mail method does +not match the predefined ones. + +.I cyrus +maintains accounts and sieve scripts in cyrus servers. +.I kolab +is like cyrus, but lets the kolab daemon maintain the accounts. +.I golab is like cyrus - just with kolab attributes. +.I sendmail just disables everything which is IMAP dependent. +.PP + +.B cyrusunixstyle +.I bool +.PP +The +.I cyrusunixstyle +statement determines if GOsa should use "foo/bar" or "foo.bar" namespaces +in IMAP. Unix style is with slashes. + +.B additionalrestrictionfilters +.I path +.PP +The +.I additionalrestrictionfilters +statement defines a file to include for the postfix module in order +to display user defined restriction filters. + +.B additionalprotocols +.I path +.PP +The +.I additionalprotocols +statement defines a file to include for the postfix module in order +to display user defined protocols. + +.B mail_attrib +.I mail/uid +.PP +The +.I mail_attrib +statement determines which attribute GOsa will use to create accounts. +Valid values are +.I mail +and +.I uid. + +.B vacationdir +.I path +.PP +The +.I vacationdir +statement sets the path where GOsa will look for vacation message +templates. Default is /etc/gosa/vacation. + +Example template /etc/gosa/vacation/business.txt: + +.nf + DESC:Away from desk + Hi, I'm currently away from my desk. You can contact me on + my cell phone via %mobile. + + Greetings, + %givenName %sn +.fi +.PP + + +.B Debug options +.PP +.B displayerrors +.I bool +.PP +The +.I displayerrors +statement tells GOsa to show PHP errors in the upper part of the screen. This +should be disabled in productive deployments, because there might be some +important passwords arround. +.PP + +.B ldapstats +.I bool +.PP +The +.I ldapstats +statement tells GOsa to track LDAP timing statistics to the syslog. This may +help to find indexing problems or bad search filters. +.PP + +.B ignore_acl +.I dn +.PP +The +.I ignore_acl +value tells GOsa to ignore complete ACL sets for the given DN. Add your +DN here and you'll be able to restore accidently dropped ACLs. +.PP + +.B debuglevel +.I integer +.PP +The +.I debuglevel +value tells GOsa to display certain information on each page load. Value +is an AND combination of the following byte values: + +DEBUG_TRACE = 1 + +DEBUG_LDAP = 2 + +DEBUG_MYSQL = 4 + +DEBUG_SHELL = 8 + +DEBUG_POST = 16 + +DEBUG_SESSION = 32 + +DEBUG_CONFIG = 64 + +DEBUG_ACL = 128 +.PP + + +.SH LDAP resource definition + +For every location you define inside your gosa.conf, you need at least +one entry of the type +.I referral. +These entries define the way how to connect to some directory service. + +.B Example: + +.nf + +.fi + +.I url +is a valid LDAP url extendet by the base this referral is responsible for. +.I admin +is the DN which has the permission to write LDAP entries. And +.I password +is the corresponding password for this DN. + +You can define a set of referrals if you have several server to +connect to. .SH AUTHOR .B gosa.conf(5)