Customizing Operations Using Configuration Parameters

In most organizations, the default settings in the /etc/centrifydc/centrifydc.conf configuration file are appropriate and do not require any customization. In some cases, however, you may find it useful to modify the default settings to optimize operations for your environment.

This section provides reference information for the configuration parameters that control the operations on managed computers. Parameters are also documented in comments within the centrifydc.conf file.

Auto Zone Configuration Parameters

auto.schema.primary.gid
    Specifies the primary GID to use in the profiles automatically generated for users. To use this parameter, identify an existing group, such as Domain Users, to use as the primary group, and verify that auto.schema.private.group is set to false (when private groups are enabled, the primary GID is derived from the user's UID and this parameter is not used). Note that a shared primary group such as Domain Users makes every domain user a member of that group, so files created with a group-writable umask are writable by all domain users. The default value is platform-dependent, for example 20 on Mac OS X computers and 65534 on Linux, HP-UX, Solaris, and AIX computers.

auto.schema.private.group
    Specifies whether the agent should create dynamic private groups. If you set this parameter to true, the user's primary GID is set to the user's UID and a group with that GID is created automatically with the user as its only member. The default value is false, which lets you set the primary GID using the auto.schema.primary.gid parameter.

auto.schema.shell
    Specifies the default shell for the logged-in user. The default value is /bin/bash on Mac OS X and Linux, and /bin/sh on other platforms, including Solaris, HP-UX, and AIX.

auto.schema.homedir
    Specifies the home directory for logged-in users. The default, if you do not specify this parameter, is:
        Mac OS X: /Users/%{user}
        Linux, HP-UX, and AIX: /home/%{user}
        Solaris: /export/home/%{user}
    The variable %{user} is substituted at run time with the logon name of the user who is logging on. For example, if the user jsmith logs on to a Mac OS X computer, the default home directory is /Users/jsmith. To set a different location:
        auto.schema.homedir: /allusers/home/%{user}
    This parameter is not used if auto.schema.use.adhomedir is set to true and a home directory is defined in Active Directory for the user. If auto.schema.use.adhomedir is false, or no home directory is defined for the user in Active Directory, the home directory is set to the value of this parameter.

auto.schema.use.adhomedir
    Specifies whether to use the home directory value defined in Active Directory on Mac OS X computers. Set this parameter to true to use the home directory defined in Active Directory; if the user has no home directory defined in Active Directory, the value of auto.schema.homedir is used instead. Set this parameter to false if you do not want to use the home directory defined in Active Directory.

auto.schema.remote.file.service
    Specifies the type of remote file service to use for mounting a network home directory on Mac OS X computers. The valid options are SMB and AFP. For example:
        auto.schema.remote.file.service: SMB
    On Mac OS X computers, mounting a network directory requires the remote file service type. Because this parameter identifies it, you can enter the network path in the format required by Active Directory, /server/share/path, and the agent converts that path into the format required by Mac OS X.

auto.schema.name.format
    Specifies how Active Directory user names are transformed into UNIX login names. The valid options are:
        the Active Directory samAccountName or Mac OS X short name (jcool)
        the Active Directory userPrincipalName (jcool@acme.com)
        the Windows NTLM format for domain and user name (acme.com\jcool)

auto.schema.domain.prefix.domain
    Specifies a unique prefix for a trusted domain, as a whole number in the range 0 - 511. The agent combines the prefix with the lower 22 bits of each user or group RID (relative identifier) to create a unique UID or GID for each user and group. In most cases this parameter is not necessary, because the agent automatically generates the domain prefix from the user or group security identifier (SID). However, in a forest with a large number of domains, or with cross-forest trusts, domain prefix conflicts are possible. Two domains that share a prefix would map accounts with the same RID to the same UID, so file ownership and permissions could not distinguish them. If you attempt to join a computer to a domain and the agent detects conflicting domain prefixes, the join fails with a warning message; you can then set a unique prefix for each conflicting domain. To set this parameter, append the domain name to the parameter name and specify a prefix in the range 0 - 511. For example:
        auto.schema.domain.prefix.acme.com: 3
        auto.schema.domain.prefix.finance.com: 4
        auto.schema.domain.prefix.corp.com: 5

auto.schema.search.return.max
    Specifies the maximum number of users to return in search results. Because Auto Zone enables access to all users in a domain, a search could return tens of thousands of users; this parameter truncates the search after the specified number of users. The default is 1000 entries.

auto.schema.name.lower
    Specifies whether Active Directory user names, and the home directory names derived from them, are converted to lowercase in the generated UNIX profiles. Set to true to convert user names and home directory names to lowercase. Set to false to leave them in their original upper, lower, or mixed case. The default for a new installation is true; the default for an upgrade installation is false.

auto.schema.iterate.cache
    Specifies whether user and group iteration (enumerating all accounts) takes place only over cached users and groups. Set to true to restrict iteration to cached users and groups; set to false to iterate over all users and groups. The default value is false.

adclient.ntlm.separators
    Specifies the characters that can be used between the domain name and the user name when NTLM format is used. For example:
        adclient.ntlm.separators: +/\
    The default allows the following formats for the user joe in the acme.com domain:
        acme.com+joe
        acme.com/joe
        acme.com\joe
    The first character in the list is the one that adclient uses when generating NTLM names. Note: the backslash character (\) can be problematic in some UNIX shells, in which case you may need to escape it and specify domain\\user.
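The following Python script is an added example that makes the Auto Zone identity rules above concrete; it is not code from the agent or from this documentation. It assumes that the domain prefix and the lower 22 bits of the RID are combined as (prefix << 22) | (RID & 0x3FFFFF), which the page does not state, and it uses the labels sam, upn and ntlm for the three name formats, which the page lists only by description. The SIDs and account names are constructed for the demonstration.

```python
"""Simulate the Auto Zone identity mapping described above.

Added example; not code from the agent or from the IBM documentation.
Assumptions the page does not state: (1) the prefix and the lower 22 bits
of the RID are combined as UID = (prefix << 22) | (RID & 0x3FFFFF), which
fits a 9-bit prefix (0-511) and a 22-bit RID into a positive 31-bit UID;
(2) the three name formats are referred to here as 'sam', 'upn', 'ntlm'.
"""
import re

PREFIX_MAX = 511                 # auto.schema.domain.prefix.<domain>: 0 - 511
RID_BITS = 22
RID_MASK = (1 << RID_BITS) - 1   # only the lower 22 bits of the RID are used

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Return (domain_sid, rid) for a SID such as S-1-5-21-a-b-c-1105."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def auto_zone_id(sid, prefix):
    """Map a user or group SID to a UID/GID with the domain prefix (assumed layout)."""
    if not 0 <= prefix <= PREFIX_MAX:
        raise ValueError(f"prefix {prefix} is outside 0-{PREFIX_MAX}")
    _, rid = split_sid(sid)
    return (prefix << RID_BITS) | (rid & RID_MASK)


def find_prefix_conflicts(prefixes):
    """Given {domain: prefix}, return (first_domain, later_domain) pairs sharing a prefix.

    A shared prefix means accounts with the same RID in different domains
    receive the same UID; this is what the join-time warning protects against.
    """
    seen, conflicts = {}, []
    for domain, prefix in sorted(prefixes.items()):
        if prefix in seen:
            conflicts.append((seen[prefix], domain))
        else:
            seen[prefix] = domain
    return conflicts


def unix_login(sam, upn, domain, name_format="sam", lower=True, separators="+/\\"):
    """Build the UNIX login name per auto.schema.name.format and auto.schema.name.lower."""
    if name_format == "sam":
        name = sam
    elif name_format == "upn":
        name = upn
    elif name_format == "ntlm":
        # adclient uses the first configured separator when generating NTLM names
        name = f"{domain}{separators[0]}{sam}"
    else:
        raise ValueError(f"unknown name format: {name_format}")
    return name.lower() if lower else name


def parse_ntlm(name, separators="+/\\"):
    """Split 'domain<sep>user' on any configured separator; None if not NTLM form."""
    for sep in separators:
        if sep in name:
            domain, _, user = name.partition(sep)
            return domain, user
    return None


if __name__ == "__main__":
    # Constructed SIDs: the same RID (1105) in two different domains.
    acme_user = "S-1-5-21-1111-2222-3333-1105"
    finance_user = "S-1-5-21-4444-5555-6666-1105"
    # Same prefix for both domains: the two accounts collide on one UID.
    print(auto_zone_id(acme_user, 3), auto_zone_id(finance_user, 3))
    # Distinct prefixes, as in the configuration example above, keep them apart.
    print(auto_zone_id(acme_user, 3), auto_zone_id(finance_user, 4))
    print(find_prefix_conflicts({"acme.com": 3, "finance.com": 3, "corp.com": 5}))
    print(unix_login("JCool", "JCool@acme.com", "acme.com", "ntlm"))
    print(parse_ntlm("acme.com\\joe"))
```

Running the script shows the collision the prefix parameter exists to prevent: with both domains on prefix 3, two different accounts resolve to UID 12584017, while prefixes 3 and 4 give 12584017 and 16778321. Because only the lower 22 bits of the RID are kept, RIDs that differ by a multiple of 4194304 would also collide within one domain; that is a consequence of the rule on the page, not a separate feature.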

DNS-Related Configuration Parameters

If computers cannot find the Active Directory domain controller, you can use parameters in the centrifydc.conf configuration file to manually identify the domain controllers and the Global Catalog server. You can also use configuration parameters to control how the DNS client processes DNS requests.

dns.dc.domain_name
    Specifies one or more domain controllers to contact for the domain named in the parameter. You must specify the name of the domain controller, not its IP address, and the name must be resolvable through DNS or the local /etc/hosts file. If you are not using DNS, or the DNS server cannot locate your domain controllers, add an entry to /etc/hosts for each domain controller. Because these entries steer the agent's authentication traffic, keep /etc/hosts and centrifydc.conf writable only by root. For example, to manually specify the domain controller dc1.mylab.test in the mylab.test domain, add the following to /etc/centrifydc/centrifydc.conf:
        dns.dc.mylab.test: dc1.mylab.test
    To specify multiple servers for a domain, separate the domain controller names with spaces:
        dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test
    The agent attempts to connect to the domain controllers in the order specified.

dns.gc.domain_name
    Specifies the domain controller that hosts the Global Catalog for a domain. If the Global Catalog is on a different domain controller from those you specify with dns.dc.domain_name, use this parameter to specify its location. For example:
        dns.gc.mylab.test: dc3.mylab.test

dns.alive.resweep.interval
    Controls how often the DNS client checks whether a faster DNS server is available. The default interval is one hour.

dns.sweep.pattern
    Specifies the protocol and response time to use when the DNS client scans the network for available DNS servers. The dns.tcp.timeout and dns.udp.timeout parameters determine how long to wait for a response from the current server; if the server does not respond within that period, it is considered down and the agent looks for a different server. If the DNS subsystem cannot find a live server, DNS is considered down, and the agent waits for the dns.dead.resweep.interval period before performing another sweep to find a new server.

dns.tcp.timeout
    Specifies how long to wait for the current server to respond to a TCP request. If the server does not respond within that period, it is considered down and the agent looks for a different server.

dns.udp.timeout
    Specifies how long to wait for the current server to respond to a UDP request. If the server does not respond within that period, it is considered down and the agent looks for a different server.

dns.dead.resweep.interval
    Specifies how long to wait, after DNS is considered down, before performing a sweep to find a new DNS server to use.
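As an added example that serves both the Auto Zone section and the DNS section above (it is not code from the agent or from this documentation), the following Python script parses a centrifydc.conf fragment and checks it against the rules the page states: auto.schema.primary.gid has no effect while auto.schema.private.group is true, domain prefixes must be whole numbers in 0 - 511 and unique, and dns.dc and dns.gc entries must be names rather than IP addresses. It assumes the name: value line syntax with # comment lines shown on this page, and the sample configuration is constructed for the demonstration.

```python
"""Audit a centrifydc.conf fragment against the rules stated on this page.

Added example; not part of the agent or of the IBM documentation. Assumes the
'name: value' line syntax and '#' comment lines this page shows. SAMPLE_CONF is
constructed for the demonstration and is not a real deployment.
"""
import ipaddress

PREFIX_KEY = "auto.schema.domain.prefix."

# Constructed sample: several lines deliberately break a rule from the page.
SAMPLE_CONF = """\
# constructed sample, not a real deployment
auto.schema.private.group: true
auto.schema.primary.gid: 513
auto.schema.domain.prefix.acme.com: 3
auto.schema.domain.prefix.finance.com: 3
auto.schema.domain.prefix.corp.com: 600
dns.dc.mylab.test: dc1.mylab.test 10.0.0.5
dns.gc.mylab.test: dc3.mylab.test
"""


def parse_conf(text):
    """Return {parameter: value} for 'name: value' lines, skipping blanks and comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'name: value' line: {raw!r}")
        params[key.strip()] = value.strip()
    return params


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a resolvable name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dc_order(params, domain):
    """Domain controllers the agent would try for a domain, in configured order."""
    return params.get(f"dns.dc.{domain}", "").split()


def audit(params):
    """Return a list of findings; an empty list means the fragment follows the page's rules."""
    findings = []
    # auto.schema.primary.gid only applies when private groups are disabled.
    if (params.get("auto.schema.private.group", "false").lower() == "true"
            and "auto.schema.primary.gid" in params):
        findings.append("auto.schema.primary.gid is ignored while "
                        "auto.schema.private.group is true")
    seen_prefix = {}
    for key, value in params.items():
        if key.startswith(PREFIX_KEY):
            domain = key[len(PREFIX_KEY):]
            if not value.isdigit():
                findings.append(f"{key}: {value!r} is not a whole number")
                continue
            prefix = int(value)
            if not 0 <= prefix <= 511:
                findings.append(f"{key}: {prefix} is outside 0-511")
            elif prefix in seen_prefix:
                findings.append(f"{key}: prefix {prefix} is already used by "
                                f"{seen_prefix[prefix]}")
            else:
                seen_prefix[prefix] = domain
        elif key.startswith(("dns.dc.", "dns.gc.")):
            # The agent requires resolvable names here, not IP addresses.
            for host in value.split():
                if is_ip_literal(host):
                    findings.append(f"{key}: {host!r} is an IP address, "
                                    "not a resolvable name")
    return findings


if __name__ == "__main__":
    params = parse_conf(SAMPLE_CONF)
    print("DC order for mylab.test:", dc_order(params, "mylab.test"))
    for finding in audit(params):
        print("finding:", finding)
```

Run against the sample, the audit reports four findings: the ignored primary GID, finance.com reusing prefix 3, corp.com's prefix 600 outside the allowed range, and the IP literal in the dns.dc list. The script does not check that the names resolve, because that depends on the host's DNS and /etc/hosts; on a real system, follow it with getent hosts for each listed domain controller.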