default.conf - IPA configuration file
/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf,
/etc/ipa/cli.conf
The default.conf configuration file is used to set
system-wide defaults to be applied when running IPA clients and servers.
Users may create an optional configuration file in
~/.ipa/default.conf which will be merged into the system-wide
defaults file.
The following files are read, in order:
~/.ipa/default.conf
/etc/ipa/<context>.conf
/etc/ipa/default.conf
built-in constants
The IPA server does not read ~/.ipa/default.conf.
The first setting wins.
The configuration options are not case sensitive. The values may
be case sensitive, depending on the option.
Blank lines are ignored. Lines beginning with # are comments and
are ignored.
Valid lines consist of an option name, an equals sign and a value.
Spaces surrounding equals sign are ignored. An option terminates at the end
of a line.
Values should not be quoted, the quotes will not be stripped.
# Wrong - don't include quotes
verbose = "True"
# Right - Properly formatted options
verbose = True
verbose=True
Options must appear in the section named [global]. There are no
other sections defined or used currently.
Options may be defined that are not used by IPA. Be careful of
misspellings, they will not be rejected.
The following options are relevant for the server:
- basedn
<base>
- Specifies the base DN to use when performing LDAP operations. The base
must be in DN format (dc=example,dc=com).
- ca_agent_port
<port>
- Specifies the secure CA agent port. The default is 8443.
- ca_ee_port
<port>
- Specifies the secure CA end user port. The default is 8443.
- ca_host
<hostname>
- Specifies the hostname of the dogtag CA server. The default is the
hostname of the IPA server.
- ca_port
<port>
- Specifies the insecure CA end user port. The default is 8080.
- context
<context>
- Specifies the context that IPA is being executed in. IPA may operate
differently depending on the context. The current defined contexts are cli
and server. Additionally this value is used to load
/etc/ipa/context.conf to provide context-specific configuration.
For example, if you want to always perform client requests in verbose mode
but do not want to have verbose enabled on the server, add the verbose
option to /etc/ipa/cli.conf.
- debug
<boolean>
- When True provides detailed information. Specifically this set the global
log level to "debug". Default is False.
- dogtag_version
<version>
- Stores the version of Dogtag. Value 9 is assumed if not specified
otherwise.
- domain
<domain>
- The domain of the IPA server e.g. example.com.
- enable_ra
<boolean>
- Specifies whether the CA is acting as an RA agent, such as when dogtag is
being used as the Certificate Authority. This setting only applies to the
IPA server configuration.
- fallback
<boolean>
- Specifies whether an IPA client should attempt to fall back and try other
services if the first connection fails.
- host
<hostname>
- Specifies the local system hostname.
- in_server
<boolean>
- Specifies whether requests should be forwarded to an IPA server or handled
locally. This is used internally by IPA in a similar way as context. The
same IPA framework is used by the ipa command-line tool and the server.
This setting tells the framework whether it should execute the command as
if on the server or forward it via XML-RPC to a remote server.
- in_tree
<boolean>
- This is used in development and is generally a detected value. It means
that the code is being executed within a source tree.
- interactive
<boolean>
- Specifies whether values should be prompted for or not. The default is
True.
- kinit_lifetime
<time duration spec>
- Controls the lifetime of ticket obtained by users authenticating to the
WebGUI using login/password. The expected format is a time duration
string. Examples are "2 hours", "1h:30m", "10
minutes", "5min, 30sec". When the parameter is not set in
default.conf, the ticket will have a duration inherited from the default
value for kerberos clients, that can be set as ticket_lifetime in
krb5.conf. When the ticket lifetime has expired, the ticket is not valid
anymore and the GUI will prompt to re-login with a message "Your
session has expired. Please re-login."
- ldap_uri
<URI>
- Specifies the URI of the IPA LDAP server to connect to. The URI scheme may
be one of ldap or ldapi. The default is to use ldapi, e.g.
ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
- log_logger_XXX
<comma separated list of regexps>
- loggers matching regexp will be assigned XXX level.
- Logger levels can be explicitly specified for specific loggers as opposed
to a global logging level. Specific loggers are indicated by a list of
regular expressions bound to a level. If a logger's name matches the
regexp then it is assigned that level. This config item must begin with
"log_logger_level_" and then be followed by a symbolic or
numeric log level, for example:
-
log_logger_level_debug = ipalib\.dn\..*
-
log_logger_level_35 = ipalib\.plugins\.dogtag
- The first line says any logger belonging to the ipalib.dn module will have
it's level configured to debug.
- The second line say the ipa.plugins.dogtag logger will be configured to
level 35.
- This config item is useful when you only want to see the log output from
one or more selected loggers. Turning on the global debug flag will
produce an enormous amount of output. This allows you to leave the global
debug flag off and selectively enable output from a specific logger.
Typically loggers are bound to classes and plugins.
- Note: logger names are a dot ('.') separated list forming a path in the
logger tree. The dot character is also a regular expression metacharacter
(matches any character) therefore you will usually need to escape the dot
in the logger names by preceding it with a backslash.
- mode
<mode>
- Specifies the mode the server is running in. The currently support values
are production and development. When running in production
mode some self-tests are skipped to improve performance.
- mount_ipa
<URI>
- Specifies the mount point that the development server will register. The
default is /ipa/
- prompt_all
<boolean>
- Specifies that all options should be prompted for in the IPA client, even
optional values. Default is False.
- ra_plugin
<name>
- Specifies the name of the CA back end to use. The current options are
dogtag and none. This is a server-side setting. Changing
this value is not recommended as the CA back end is only set up during
initial installation.
- realm
<realm>
- Specifies the Kerberos realm.
- server
<hostname>
- Specifies the IPA Server hostname.
- skip_version_check
<boolean>
- Skip client vs. server API version checking. Can lead to errors/strange
behavior when newer clients talk to older servers. Use with caution.
- startup_timeout
<time in seconds>
- Controls the amount of time waited when starting a service. The default
value is 120 seconds.
- startup_traceback
<boolean>
- If the IPA server fails to start and this value is True the server will
attempt to generate a python traceback to make identifying the underlying
problem easier.
- validate_api
<boolean>
- Used internally in the IPA source package to verify that the API has not
changed. This is used to prevent regressions. If it is true then some
errors are ignored so enough of the IPA framework can be loaded to verify
all of the API, even if optional components are not installed. The default
is False.
- verbose
<boolean>
- When True provides more information. Specifically this sets the global log
level to "info".
- wait_for_dns
<number of attempts>
- Controls whether the IPA commands dnsrecord-{add,mod,del} work
synchronously or not. The DNS commands will repeat DNS queries up to the
specified number of attempts until the DNS server returns an up-to-date
answer to a query for modified records. Delay between retries is one
second.
- The DNS commands will raise a DNSDataMismatch exception if the answer
doesn't match the expected value even after the specified number of
attempts.
- The DNS queries will be sent to the resolver configured in
/etc/resolv.conf on the IPA server.
- Do not enable this in production! This will cause problems if the resolver
on IPA server uses a caching server instead of a local authoritative
server or e.g. if DNS answers are modified by DNS64. The default is
disabled (the option is not present).
- xmlrpc_uri
<URI>
- Specifies the URI of the XML-RPC server for a client. This may be used by
IPA, and is used by some external tools, such as ipa-getcert. Example:
https://ipa.example.com/ipa/xml
- jsonrpc_uri
<URI>
- Specifies the URI of the JSON server for a client. This is used by IPA. If
not given, it is derived from xmlrpc_uri. Example:
https://ipa.example.com/ipa/json
- rpc_protocol
<URI>
- Specifies the type of RPC calls IPA makes: 'jsonrpc' or 'xmlrpc'. Defaults
to 'jsonrpc'.
- The following define the
containers for the IPA server. Containers define where in the DIT that
objects can be found. The full location is the value of container +
basedn.
-
container_accounts: cn=accounts
container_applications: cn=applications,cn=configs,cn=policies
container_automount: cn=automount
container_configs: cn=configs,cn=policies
container_dns: cn=dns
container_group: cn=groups,cn=accounts
container_hbac: cn=hbac
container_hbacservice: cn=hbacservices,cn=hbac
container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
container_host: cn=computers,cn=accounts
container_hostgroup: cn=hostgroups,cn=accounts
container_netgroup: cn=ng,cn=alt
container_permission: cn=permissions,cn=pbac
container_policies: cn=policies
container_policygroups: cn=policygroups,cn=configs,cn=policies
container_policylinks: cn=policylinks,cn=configs,cn=policies
container_privilege: cn=privileges,cn=pbac
container_rolegroup: cn=roles,cn=accounts
container_roles: cn=roles,cn=policies
container_service: cn=services,cn=accounts
container_sudocmd: cn=sudocmds,cn=sudo
container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
container_sudorule: cn=sudorules,cn=sudo
container_user: cn=users,cn=accounts
container_vault: cn=vaults,cn=kra
container_virtual: cn=virtual operations,cn=etc