6.2 Editing the nam.conf File

The parameters used for configuring Linux User Management are listed in the /etc/nam.conf file. The configuration file is stored in the UTF-8 format.

Table 6-2 contains the list of parameters in /etc/nam.conf. Each entry gives the parameter name, its description, and its default value.

Table 6-2 Linux User Management Configuration Parameters

preferred-server

Specifies the eDirectory LDAP server to be contacted. The value can be host name, alias, DNS name, or IP address. The value is set when you configure Linux User Management.

The default is a null string.

base-name

Specifies the context in eDirectory where Linux User Management is installed. The value is set when you configure Linux User Management.

The default value is a null string.

num-threads

Specifies the number of worker threads in the cache daemon. The value can range from 1 to 25.

The default is 10.

schema

Indicates whether the eDirectory 8.1 (or earlier) schema or the RFC 2307 schema is supported.

The default schema is rfc2307.

enable-persistent-cache

Specifies whether a persistent cache is to be maintained on the local workstation to store user and group profiles. Values can be yes or no.

The default value is yes.

user-hash-size

Specifies the hash size for the persistent cache to store user entries. The value should be a prime number greater than or equal to 1/4th of the number of user entries. The value can range from 1 to 9973.

The default is 211.

group-hash-size

Specifies the hash size for the persistent cache to store group entries. The value should be a prime number greater than or equal to 1/4th of the number of group entries. The value can range from 1 to 9973.

The default is 211.

persistent-cache-refresh-period

Specifies how frequently user and group entries stored in the persistent cache are to be refreshed from eDirectory. A larger value results in less network traffic and less load on the server, but the cache might reflect stale information if the eDirectory database is modified. The value can range from 1 to 2147483647 seconds.

The default period is 28800 seconds (8 hours).

persistent-cache-refresh-flag

Specifies whether all user and group entries or only those used in the current boot session are to be refreshed. This can take the values all or accessed.

The default is all.

create-home

Creates user home directories. Values can be yes or no.

The default value is yes.

user-context

Specifies the user context to which Linux User objects are to be migrated. This is not used in Linux User Management 2.2.

The default value is ou = Linux-users,<base_name>.

group-context

Specifies the group context to which Linux Group objects are to be migrated. This is not used in Linux User Management 2.2.

The default value is ou = Linux-groups,<base_name>.

type-of-authentication

Specifies the type of authentication, either simple (non-SSL) or SSL-based. Values can be 1 (simple authentication) or 2 (SSL-based authentication).

The default value is 2.

certificate-file-type

Specifies the certificate file format. Two values are possible: der and base64.

The default value is der.

ldap-ssl-port

Specifies the LDAP SSL port.

The default is 636.

ldap-port

Specifies the LDAP connection port.

The default is 389.

admin-fdn

Specifies the LDAP server administrator's name.

The default value is a null string.

alternative-ldap-server-list

Specifies a comma-separated list of names of replica servers.

The default value is a null string.

support-alias-name

Specifies whether to support alias objects (users/groups) in eDirectory. Values can be yes or no.

The default value is no.

support-outside-base-name

Specifies whether to support objects (users/groups) outside the domain to which NAM is configured. Values can be yes or no. If objects (users/groups) with the same name are present in the local domain, then preference is given to the local domain objects.

The default value is yes.

proxy-user-fdn

Specifies the full distinguished name of the proxy user that performs searches.

This value is optional.

proxy-user-pwd

Specifies the password of the proxy user (proxy-user-fdn).

This value is optional.

case-sensitive

Specifies whether to enforce case-sensitive user names.

The default value is no.

cache-only

Specifies whether namcd uses only the cache for information about users and groups.

If the information about users and groups is not found in the cache, namcd does not request this information from LDAP.

The values can be yes or no.

The default value is no.

persistent-search

Specifies whether namcd uses the LDAP persistent search feature. This feature allows namcd to listen to change events in LDAP related to Posix groups and trigger the cache refresh if the change event is relevant.

The values can be yes or no.

The default value is no.

convert-lowercase

Specifies whether to treat all user names and group names as lowercase names.

The default value is no.

workstation-context

This parameter is automatically populated with the context location of the workstation object.

Not applicable.

one-exclude-deny-service

Specifies that access to a service is denied to a user if even one of the user's groups lists that service in its uamPosixPamServiceExcludelist attribute. By default (No), a user is granted access to a service unless all of the user's groups list that service in their uamPosixPamServiceExcludelist attribute.

If the one-exclude-deny-service parameter is set to Yes, any group that has a service specified in its uamPosixPamServiceExcludelist attribute overrides any other group allowing access to that service.

Consider an example where a user is associated with groups G1, G2, and G3, and only group G1 specifies the ssh service as excluded in its uamPosixPamServiceExcludelist attribute. If the one-exclude-deny-service parameter is set to Yes, the user is denied the ssh service even though ssh is not present in the uamPosixPamServiceExcludelist attribute of groups G2 and G3. If the one-exclude-deny-service parameter is set to No (the default), the user is allowed access to the ssh service.

NOTE: Because access to a service is allowed or denied based on the one-exclude-deny-service parameter alone, setting it differently on different servers changes the behavior drastically. For example, if this parameter is enabled on some servers and disabled on others, a user may be allowed access to a service only on some servers and denied access to the same service on the other servers.

The default value is No.
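The allow/deny rule described above, worked through as an added example (not code from the Linux User Management documentation or product). The group names, the user's memberships and the exclude lists are constructed sample data; the behaviour for a user with no groups is not defined on the page, so the function refuses to guess there.

```python
# Added example, not from the Linux User Management documentation or product:
# models how one-exclude-deny-service turns the per-group
# uamPosixPamServiceExcludelist attribute into an allow/deny decision.
# Groups, memberships and exclude lists here are constructed sample data.
GROUP_EXCLUDES = {
    "G1": {"ssh"},   # G1 lists ssh as an excluded service
    "G2": set(),     # G2 excludes nothing
    "G3": {"ftp"},   # G3 excludes ftp, but not ssh
}


def service_allowed(service, user_groups, group_excludes, one_exclude_deny_service=False):
    """Decide whether a user in `user_groups` may use `service`.

    one_exclude_deny_service=False (the default): access is denied only when
    every one of the user's groups lists the service in its exclude list.
    one_exclude_deny_service=True: one excluding group is enough to deny.
    """
    if not user_groups:
        # The documented rule speaks of the user's groups; a user with no
        # groups is outside that rule, so refuse to guess (assumption).
        raise ValueError("user has no groups; rule not defined")
    excluding = [g for g in user_groups if service in group_excludes.get(g, set())]
    if one_exclude_deny_service:
        return not excluding
    return len(excluding) < len(user_groups)


def compare_settings(service, user_groups, group_excludes):
    """Show the outcome under both settings; a difference here is exactly the
    cross-server inconsistency the NOTE above warns about."""
    return {
        "no": service_allowed(service, user_groups, group_excludes, False),
        "yes": service_allowed(service, user_groups, group_excludes, True),
    }


if __name__ == "__main__":
    print(compare_settings("ssh", ["G1", "G2", "G3"], GROUP_EXCLUDES))
    # → {'no': True, 'yes': False}
```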

nam-nss-timeout

Specifies the time (in seconds) for which nsswitch will wait for a namcd response before timing out. The default value is 60 seconds. You can specify a timeout value from 0 to 180 seconds.

If namcd becomes unresponsive, it is recommended to specify a smaller timeout value. On the other hand, if namcd is heavily loaded with concurrent FTP login requests and login failures are observed, it is recommended to specify a larger timeout value.

The default value is 60 seconds.
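As an added example (not part of the Linux User Management product), a small checker that reads a nam.conf and validates the value ranges and allowed values documented in Table 6-2, flagging a non-SSL authentication setting as a finding. It assumes the file consists of "key=value" lines with '#' comments (an assumption about the on-disk format); the sample file it checks is constructed and contains deliberate mistakes.

```python
# Added example, not part of Linux User Management itself: checks a nam.conf
# against the values in Table 6-2. Assumes "key=value" lines and '#' comments.
RANGES = {"num-threads": (1, 25), "user-hash-size": (1, 9973),  # (min, max)
          "group-hash-size": (1, 9973), "nam-nss-timeout": (0, 180),
          "persistent-cache-refresh-period": (1, 2147483647)}
CHOICES = {"type-of-authentication": {"1", "2"},
           "certificate-file-type": {"der", "base64"},
           "persistent-cache-refresh-flag": {"all", "accessed"}}
YES_NO = ["enable-persistent-cache", "create-home", "support-alias-name",
          "support-outside-base-name", "case-sensitive", "cache-only",
          "persistent-search", "convert-lowercase", "one-exclude-deny-service"]
# Constructed sample file (not a real deployment) with deliberate mistakes.
SAMPLE_CONF = """\
preferred-server=ldap.example.test   # constructed host name
num-threads=30
user-hash-size=212
type-of-authentication=1
cache-only=maybe
"""

def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def parse_nam_conf(text):
    """Parse key=value lines; '#' starts a comment, other lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_nam_conf(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        if key in conf:
            if not conf[key].isdigit() or not lo <= int(conf[key]) <= hi:
                findings.append(f"{key}={conf[key]} is outside {lo}..{hi}")
            elif key.endswith("-hash-size") and not is_prime(int(conf[key])):
                findings.append(f"{key}={conf[key]} should be a prime number")
    for key in YES_NO:
        if key in conf and conf[key].lower() not in ("yes", "no"):
            findings.append(f"{key}={conf[key]} must be yes or no")
    for key, allowed in CHOICES.items():
        if key in conf and conf[key].lower() not in allowed:
            findings.append(f"{key}={conf[key]} is not one of {sorted(allowed)}")
    if conf.get("type-of-authentication") == "1":
        findings.append("type-of-authentication=1 selects simple (non-SSL) authentication")
    return findings
```

Run it as `python3 check_nam_conf.py` after appending a call such as `print(check_nam_conf(parse_nam_conf(open("/etc/nam.conf").read())))`; the 1/4th-of-entries sizing guidance for the hash sizes needs the directory's entry counts and is not checked here.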