6.2 Editing the nam.conf File

The parameters used for configuring Linux User Management are listed in the /etc/nam.conf file. The configuration file is stored in the UTF-8 format.

Table 6-2 contains the list of parameters in /etc/nam.conf.

Table 6-2 Linux User Management Configuration Parameters

Each entry lists the parameter, its description, and its default value.

preferred-server

Specifies the eDirectory LDAP server to be contacted. The value can be a host name, alias, DNS name, or IP address. The value is set when you configure Linux User Management.

The default is a null string.

base-name

Specifies the context in eDirectory where NAM is installed. The value is set when you configure NAM.

Not applicable.

num-threads

Specifies the number of worker threads in the cache daemon. The value can range from 1 to 25.

The default is 10.

schema

Indicates the type of schema that is supported. The values can be fusion or rfc2307.

The default schema is rfc2307.

enable-persistent-cache

Specifies whether a persistent cache is to be maintained on the local workstation to store user and group profiles. Values can be yes or no.

The default value is yes.

cache-only

Specifies whether namcd uses only the cache for information about users and groups.

If the information about users and groups is not found in the cache, namcd does not request this information from LDAP.

The values can be yes or no.

The default value is no.

persistent-search

Specifies whether namcd uses the LDAP persistent search feature. This feature allows namcd to listen for change events in LDAP related to Posix groups and triggers a cache refresh if the change event is relevant.

The values can be yes or no.

The default value is no.

case-sensitive

Specifies whether user names are case sensitive. Values can be yes or no.

NOTE: You should not use the convert-lowercase and case-sensitive options together, because doing so might lead to login failures, especially when user names are specified in both lowercase and uppercase.

The default value is no.

convert-lowercase

convert-lowercase=[no|yes|user|group]

Controls whether user and group names are converted to lower case in the output.

convert-lowercase=no: Does not convert user or group names to lower case.

convert-lowercase=yes: Converts both user and group names to lower case.

convert-lowercase=user: Converts only user names to lower case.

convert-lowercase=group: Converts only group names to lower case.

The default value is no.

user-hash-size

Specifies the hash size for the persistent cache to store user entries. The value should be a prime number greater than or equal to 1/4 of the number of user entries. The value can range from 1 to 9973.

The default is 211.

group-hash-size

Specifies the hash size for the persistent cache to store group entries. The value should be a prime number greater than or equal to 1/4 of the number of group entries. The value can range from 1 to 9973.

The default is 211.

persistent-cache-refresh-period

Specifies how frequently user and group entries stored in the persistent cache are to be refreshed from eDirectory. A larger value results in less network traffic and less load on the server, but the cache might reflect stale information if the eDirectory database is modified. The value can range from 1 to 2147483647 seconds.

The default period is 28800 seconds (8 hours).

persistent-cache-refresh-flag

Specifies whether all user and group entries or only those used in the current boot session are to be refreshed. This can take the values all or accessed.

The default is all.

create-home

Specifies whether user home directories are created. Values can be yes or no.

The default value is yes.

support-alias-name

Specifies whether to support alias objects (users/groups) in eDirectory. Values can be yes or no.

The default value is no.

support-outside-base-name

Specifies whether to support objects (users/groups) outside the base context to which NAM is configured. Values can be yes or no. If objects (users/groups) with the same name are present in the base context, preference is given to the base context objects.

The default value is yes.

user-context

Specifies the user context to which Linux User objects are to be migrated.

The default value is null.

group-context

Specifies the group context to which Linux Group objects are to be migrated.

The default value is null.

type-of-authentication

Specifies the type of authentication, either simple (non-SSL) or SSL-based. Values can be 1 (simple authentication) or 2 (SSL-based authentication).

The default value is 2.

certificate-file-type

Specifies the certificate file format. Two values are possible: der and base64.

The default value is der.

ldap-ssl-port

Specifies the LDAP SSL port.

The default is 636.

ldap-port

Specifies the LDAP connection port.

The default is 389.

admin-name

Specifies the LDAP server administrator's name.

The default value is a null string.

alternative-ldap-server-list

Specifies a comma-separated list of names of alternate LDAP servers.

The default value is a null string.

log-file-location

Specifies the log file location for namcd. The namcd.log file is created at the specified location.

For example, if log-file-location=/var/opt/novell/log/, then the log is placed at /var/opt/novell/log/namcd.log.

By default namcd uses syslog. Log messages are stored in /var/log/messages.

log-level

Specifies the debug log level for namcd logs. Values are 0 to 5.

The default value is 0.

workstation-context

This parameter is automatically populated with the context of the workstation object.

Not applicable.

one-exclude-deny-service

Specifies that access to a service is denied to a user if even one of the user's groups has that service in its uamPosixPAMServiceExcludeList attribute. The default value is No; that is, by default a user is granted access to a service unless all of the user's groups have that service in their uamPosixPAMServiceExcludeList.

If one-exclude-deny-service is set to Yes, any group that lists a service in its uamPosixPAMServiceExcludeList attribute overrides any other group that allows access to the service.

For example, assume that a user belongs to groups G1, G2, and G3, and only group G1 lists the ssh service in its uamPosixPAMServiceExcludeList attribute. If one-exclude-deny-service is set to Yes, the user is denied the ssh service even though the service is not listed in the uamPosixPAMServiceExcludeList attribute of groups G2 and G3. If one-exclude-deny-service is set to No (the default), the user is allowed access to the ssh service.

NOTE: Because access to a service is allowed or denied based on the one-exclude-deny-service parameter alone, a different setting on different servers can drastically change behavior. For example, if this parameter is enabled on some servers and disabled on others, the same user might be allowed access to a service on some servers and denied access to the same service on others.

The default value is No.
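The decision rule described above, as an added example that is not part of the product or its documentation: the group names, exclude lists and server names are constructed from the table's G1/G2/G3 example, and a user with no groups is treated as allowed (an assumption; the table does not cover that case).

```python
def service_allowed(service, group_excludes, one_exclude_deny_service):
    """Return True if the user may use `service`.

    group_excludes maps each of the user's groups to the set of PAM services
    in its uamPosixPAMServiceExcludeList attribute. The flag mirrors the
    one-exclude-deny-service parameter from Table 6-2.
    """
    if not group_excludes:
        return True  # assumption: no group memberships, nothing excludes
    excluding = [g for g, excl in group_excludes.items() if service in excl]
    if one_exclude_deny_service:
        # Yes: a single excluding group denies the service for the user.
        return not excluding
    # No (default): denied only when every group excludes the service.
    return len(excluding) < len(group_excludes)


def decisions_across_servers(service, group_excludes, server_flags):
    """Map server name -> decision, to spot the mixed results the NOTE warns
    about when the parameter differs between servers."""
    return {srv: service_allowed(service, group_excludes, flag)
            for srv, flag in server_flags.items()}


# Constructed from the table's example: only G1 excludes ssh.
EXAMPLE_GROUPS = {"G1": {"ssh"}, "G2": set(), "G3": set()}

if __name__ == "__main__":
    print(service_allowed("ssh", EXAMPLE_GROUPS, one_exclude_deny_service=True))
    print(service_allowed("ssh", EXAMPLE_GROUPS, one_exclude_deny_service=False))
    # constructed server names: the flag is enabled on srv-a only
    print(decisions_across_servers("ssh", EXAMPLE_GROUPS,
                                   {"srv-a": True, "srv-b": False}))
```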

umask

Specifies the umask for the home directories that are created during namuseradd.

NOTE: This parameter is used only by the namuseradd utility with the -m option. It is not used by services such as SSH or FTP when they create home directories at user login.

The default value is 0022.

max-privfile-size

Specifies the maximum size of the /var/lib/novell-lum/.rights file in KB. This file is used internally by pam_nam.so to store the user privileges for authenticating the SFCB service. When the maximum file size is reached, the file is re-initialized.

The default size of the file is 100 KB.

nam-nss-timeout

Specifies the time (in seconds) that nsswitch waits for a namcd response before timing out. You can specify a timeout value from 0 to 180 seconds.

If namcd becomes unresponsive, specify a shorter timeout. On the other hand, if namcd is heavily loaded with concurrent FTP login requests and login failures are observed, specify a longer timeout.

The default value is 60 seconds.

dont-deny-pamservice

Enhances the performance of a LUM-enabled service login by skipping the uamPosixPAMServiceExcludeList and uamPosixWorkstationList attribute searches for the user and its associated groups.

NOTE: If you enable this parameter, the pamServiceExclude option on a user or group has no effect.

The default value is No.

non-posix-members

Specifies whether the namgrouplist tool and getent group return non-Posix members of group objects. If the value is yes, non-Posix (non-user) member objects of the group are also returned. If the value is no, only user objects are returned.

When you change the value of this parameter, refresh the namcd cache by running the namconfig cache_refresh command so that the change takes effect.

The default value is yes.
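A small audit of a nam.conf against the allowed values and security-relevant settings in Table 6-2, as an added example that is not part of the product or its documentation: the ALLOWED and YES_NO tables cover only a subset of the parameters, the sample file is constructed, and the three weak-setting checks follow the table's own notes on non-SSL authentication, dont-deny-pamservice and the case-sensitive/convert-lowercase combination.

```python
# Allowed values for a subset of the Table 6-2 parameters (taken from the table).
ALLOWED = {
    "num-threads": range(1, 26),
    "schema": {"fusion", "rfc2307"},
    "convert-lowercase": {"no", "yes", "user", "group"},
    "type-of-authentication": {"1", "2"},
    "log-level": range(0, 6),
    "nam-nss-timeout": range(0, 181),
}
YES_NO = ("case-sensitive", "cache-only", "one-exclude-deny-service",
          "dont-deny-pamservice", "non-posix-members", "persistent-search")

def parse_nam_conf(text):
    """Return {key: value} for key=value lines; blank and '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().lower()
    return conf

def audit_nam_conf(conf):
    """Return sorted findings: out-of-range values and weak security settings."""
    findings = []
    for key, value in conf.items():
        allowed = ALLOWED.get(key, {"yes", "no"} if key in YES_NO else None)
        if allowed is None:
            continue  # free-form parameter (server names, contexts, paths)
        valid = (value.isdigit() and int(value) in allowed) if isinstance(allowed, range) else value in allowed
        if not valid:
            findings.append(f"{key}={value}: outside the documented values")
    if conf.get("type-of-authentication") == "1":
        findings.append("type-of-authentication=1: simple (non-SSL) bind; 2 selects SSL")
    if conf.get("dont-deny-pamservice") == "yes":
        findings.append("dont-deny-pamservice=yes: pamServiceExclude is not enforced")
    if conf.get("case-sensitive") == "yes" and conf.get("convert-lowercase", "no") != "no":
        findings.append("case-sensitive with convert-lowercase: may cause login failures")
    return sorted(findings)

# Constructed sample file for illustration, not taken from a real server.
SAMPLE_NAM_CONF = """\
num-threads=30
type-of-authentication=1
dont-deny-pamservice=yes
case-sensitive=yes
convert-lowercase=user
"""
FINDINGS = audit_nam_conf(parse_nam_conf(SAMPLE_NAM_CONF))
```

Run it against the real file with `audit_nam_conf(parse_nam_conf(open("/etc/nam.conf").read()))`; an empty list means every checked parameter is within its documented values and none of the three weak settings is present.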