The parameters used for configuring Linux User Management are listed in the /etc/nam.conf file. The configuration file is stored in the UTF-8 format.
Table 6-2 contains the list of parameters in /etc/nam.conf.
Table 6-2 Linux User Management Configuration Parameters
| Parameter | Description | Default Value |
|---|---|---|
| preferred-server | Specifies the eDirectory LDAP server to contact. The value can be a host name, alias, DNS name, or IP address. The value is set when you configure Linux User Management. | Null string |
| base-name | Specifies the context in eDirectory where NAM is installed. The value is set when you configure NAM. | Not applicable |
| num-threads | Specifies the number of worker threads in the cache daemon. The value can range from 1 to 25. | 10 |
| schema | Indicates the type of schema that is supported. The values can be fusion or rfc2307. | rfc2307 |
| enable-persistent-cache | Specifies whether a persistent cache is maintained on the local workstation to store user and group profiles. Values can be yes or no. | yes |
| cache-only | Specifies whether namcd uses only the cache for information about users and groups. If the information is not found in the cache, namcd does not request it from LDAP. Values can be yes or no. | no |
| persistent-search | Specifies whether namcd uses the LDAP persistent search feature. This lets namcd listen for LDAP change events related to POSIX groups and trigger a cache refresh when a change event is relevant. Values can be yes or no. | no |
| case-sensitive | Specifies whether user names are case sensitive. Values can be yes or no. NOTE: Do not use the convert-lowercase and case-sensitive options together; doing so can cause login failures, especially when user names are entered in mixed case. | no |
| convert-lowercase | convert-lowercase=[no\|yes\|user\|group]. Determines the capitalization of the user and group names that LUM returns. no: does not convert user or group names to lowercase. yes: converts both user and group names to lowercase. user: converts only user names to lowercase. group: converts only group names to lowercase. See the note under case-sensitive. | no |
| user-hash-size | Specifies the hash size of the persistent cache used to store user entries. The value should be a prime number greater than or equal to 1/4 of the number of user entries. The value can range from 1 to 9973. | 211 |
| group-hash-size | Specifies the hash size of the persistent cache used to store group entries. The value should be a prime number greater than or equal to 1/4 of the number of group entries. The value can range from 1 to 9973. | 211 |
| persistent-cache-refresh-period | Specifies how often the user and group entries in the persistent cache are refreshed from eDirectory. A larger value means less network traffic and less load on the server, but the cache can serve stale information after the eDirectory database is modified. The value can range from 1 to 2147483647 seconds. | 28800 seconds (8 hours) |
| persistent-cache-refresh-flag | Specifies whether all user and group entries are refreshed, or only those accessed during the current boot session. Values can be all or accessed. | all |
| create-home | Specifies whether user home directories are created. Values can be yes or no. | yes |
| support-alias-name | Specifies whether alias objects (users and groups) in eDirectory are supported. Values can be yes or no. | no |
| support-outside-base-name | Specifies whether objects (users and groups) outside the base context to which NAM is configured are supported. Values can be yes or no. If objects with the same name exist in the base context, the base context objects take precedence. | yes |
| user-context | Specifies the user context to which Linux User objects are migrated. | Null |
| group-context | Specifies the group context to which Linux Group objects are migrated. | Null |
| type-of-authentication | Specifies the type of LDAP authentication: 1 for simple (non-SSL) authentication or 2 for SSL-based authentication. With 1, the bind credentials and directory data travel unencrypted between the workstation and the LDAP server, so keep the default of 2 unless the connection is protected by other means. | 2 |
| certificate-file-type | Specifies the certificate file format. Values can be der or base64. | der |
| ldap-ssl-port | Specifies the LDAP SSL port. | 636 |
| ldap-port | Specifies the LDAP connection port. | 389 |
| admin-name | Specifies the LDAP server administrator's name. | Null string |
| alternative-ldap-server-list | Specifies a comma-separated list of names of alternate LDAP servers. | Null string |
| log-file-location | Specifies the directory in which namcd writes its log file; namcd.log is created in that location. For example, with log-file-location=/var/opt/novell/log/, the log is written to /var/opt/novell/log/namcd.log. | Not set; namcd logs to syslog, and the messages are stored in /var/log/messages |
| log-level | Specifies the debug log level for namcd logs. Values are 0 to 5. | 0 |
| workstation-context | Automatically populated with the context of the workstation object. | Not applicable |
| one-exclude-deny-service | Specifies whether a user is denied a service as soon as any one of the user's groups lists that service in its uamPosixPAMServiceExcludeList attribute. With the default of No, a user is denied a service only if all of the user's groups exclude it; any group that does not exclude the service grants access. With Yes, a single group that excludes the service overrides every other group that would allow it. For example, assume a user belongs to groups G1, G2, and G3, and only G1 lists ssh in its uamPosixPAMServiceExcludeList attribute. With Yes, the user is denied ssh even though G2 and G3 do not exclude it; with No (the default), the user is allowed ssh. NOTE: Because access is decided by this parameter alone, different settings on different servers produce different results for the same user: if the parameter is enabled on some servers and disabled on others, the user might be allowed a service on some servers and denied the same service on others. Set it consistently across servers. | No |
| umask | Specifies the umask for the home directories created by namuseradd. NOTE: This parameter is used only by the namuseradd utility with the -m option. It is not used by services such as SSH or FTP when they create a home directory at user login. | 0022 |
| max-privfile-size | Specifies the maximum size, in KB, of the /var/lib/novell-lum/.rights file, which pam_nam.so uses internally to store user privileges for authenticating to the SFCB service. When the maximum size is reached, the file is re-initialized. | 100 KB |
| nam-nss-timeout | Specifies the time, in seconds, that nsswitch waits for a namcd response before timing out. Valid values are 0 to 180 seconds. If namcd becomes unresponsive, specify a smaller value; if namcd is heavily loaded with concurrent FTP login requests and login failures are observed, specify a larger value. | 60 seconds |
| dont-deny-pamservice | Improves login performance for LUM-enabled services by skipping the uamPosixPAMServiceExcludeList and uamPosixWorkstationList attribute searches for the user and the user's groups. NOTE: If you enable this parameter, the pamServiceExclude setting on a user or group has no effect, so service restrictions configured in eDirectory are no longer enforced on this host. | No |
| non-posix-members | Specifies whether the namgrouplist tool and getent group return non-POSIX members of group objects. If set to yes, non-POSIX (non-user) member objects of the group are also returned; if set to no, only user objects are returned. After changing this value, refresh the namcd cache with the namconfig cache_refresh command for the change to take effect. | yes |
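The parameters above are plain `key=value` lines, so a reviewer can check a host's `/etc/nam.conf` mechanically. The following is an added example, not code from the Linux User Management documentation or from the product itself: it parses a nam.conf-style file, flags the settings from Table 6-2 that weaken security or are documented to break logins (simple non-SSL authentication, `case-sensitive` combined with `convert-lowercase`, non-prime or out-of-range hash sizes, debug logging left on, `dont-deny-pamservice`), and computes a hash size that satisfies the "prime number at least 1/4 of the entry count" rule. The sample configuration is constructed; the assumption that real nam.conf files use `key=value` lines with `#` comments and nothing else is mine.

```python
"""Lint a nam.conf-style file against the rules stated in Table 6-2.

Added example; not part of the Linux User Management documentation or
of the product's own tooling.  The sample below is constructed.  Parsing
assumes `key=value` lines with `#` comments (an assumption, not a
documented file grammar).
"""

from __future__ import annotations

from math import isqrt

# Constructed sample; in practice read the text from /etc/nam.conf.
SAMPLE_NAM_CONF = """\
# nam.conf (constructed sample)
base-name=o=example
preferred-server=ldap.example.com
type-of-authentication=1
case-sensitive=yes
convert-lowercase=yes
cache-only=no
user-hash-size=200
group-hash-size=211
log-level=5
persistent-cache-refresh-period=86400
"""

# Defaults from Table 6-2 for the parameters the linter looks at.
DEFAULTS = {
    "type-of-authentication": "2",
    "case-sensitive": "no",
    "convert-lowercase": "no",
    "user-hash-size": "211",
    "group-hash-size": "211",
    "log-level": "0",
    "dont-deny-pamservice": "no",
}


def parse_nam_conf(text: str) -> dict[str, str]:
    """Return key -> value for `key=value` lines; comments and blanks are skipped."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_prime(n: int) -> bool:
    """Trial division is fine here: hash sizes are capped at 9973."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def recommend_hash_size(entries: int) -> int:
    """Smallest prime >= entries/4, clamped to the documented 1..9973 range."""
    n = max(2, -(-entries // 4))  # ceiling division, and 2 is the first prime
    while not is_prime(n):
        n += 1
    return min(n, 9973)


def lint_nam_conf(conf: dict[str, str]) -> list[str]:
    """Return findings; each string names the setting and why it matters."""

    def get(key: str) -> str:
        return conf.get(key, DEFAULTS.get(key, ""))

    findings: list[str] = []
    if get("type-of-authentication") == "1":
        findings.append("type-of-authentication=1: simple (non-SSL) LDAP bind; "
                        "credentials cross the network unencrypted")
    if get("case-sensitive") == "yes" and get("convert-lowercase") != "no":
        findings.append("case-sensitive=yes together with convert-lowercase: "
                        "documented to cause login failures for mixed-case names")
    for key in ("user-hash-size", "group-hash-size"):
        value = get(key)
        if not value.isdigit() or not 1 <= int(value) <= 9973:
            findings.append(f"{key}={value}: outside the documented 1..9973 range")
        elif not is_prime(int(value)):
            findings.append(f"{key}={value}: should be a prime number")
    if get("log-level") != "0":
        findings.append(f"log-level={get('log-level')}: debug logging left enabled")
    if get("dont-deny-pamservice") == "yes":
        findings.append("dont-deny-pamservice=yes: pamServiceExclude on users and "
                        "groups is ignored on this host")
    return findings


if __name__ == "__main__":
    for finding in lint_nam_conf(parse_nam_conf(SAMPLE_NAM_CONF)):
        print(finding)
    print("hash size for 1000 users:", recommend_hash_size(1000))
```

Run it against the text of each host's nam.conf; a fleet in which some hosts report `type-of-authentication=1` or differing `one-exclude-deny-service` values is exactly the inconsistency the table warns about.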
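The `one-exclude-deny-service` row describes two different rules for combining the exclude lists of a user's groups, and its note warns that the same user gets different answers on differently configured servers. The following added example (not code from the documentation or the product) models only the rule the table states, using the G1/G2/G3 case from the table: with the parameter set to No, every one of the user's groups must exclude a service for access to be denied; with Yes, one excluding group is enough. The group names and exclude lists are constructed, and the choice that a user with no groups is allowed the service is my assumption, not something the table specifies.

```python
"""Work through the one-exclude-deny-service decision from Table 6-2.

Added example; not the documentation's or the product's own code.
Only group-level uamPosixPAMServiceExcludeList entries are modelled.
"""

from __future__ import annotations


def service_allowed(service: str,
                    group_excludes: dict[str, set[str]],
                    one_exclude_deny_service: bool) -> bool:
    """Return True if the user may use `service`.

    group_excludes maps each of the user's groups to the services listed
    in that group's uamPosixPAMServiceExcludeList attribute.
    """
    if not group_excludes:
        return True  # assumption: no groups means nothing excludes the service
    excluding = [g for g, excluded in group_excludes.items() if service in excluded]
    if one_exclude_deny_service:
        # Yes: any single excluding group denies the service.
        return not excluding
    # No (default): denied only when every group excludes the service.
    return len(excluding) < len(group_excludes)


# Constructed from the table's example: only G1 excludes ssh.
USER_GROUPS: dict[str, set[str]] = {"G1": {"ssh"}, "G2": set(), "G3": set()}


def compare_servers(service: str, groups: dict[str, set[str]]) -> dict[str, bool]:
    """Decision on a server keeping the default (No) versus one set to Yes."""
    return {
        "one-exclude-deny-service=no": service_allowed(service, groups, False),
        "one-exclude-deny-service=yes": service_allowed(service, groups, True),
    }


if __name__ == "__main__":
    for setting, allowed in compare_servers("ssh", USER_GROUPS).items():
        print(f"{setting}: ssh {'allowed' if allowed else 'denied'}")
```

The two dictionary entries are the "drastic change in behavior" the table's note describes: the same user, the same groups, opposite answers depending on a per-host setting.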