pmd (pmd.ini)

The [pmd] section contains the attributes used by the sepmdd daemon when building and maintaining a PMDB.
  • _min_retries_
    Specifies the minimum number of attempts that sepmdd makes to resend the next queued update to a subscriber it cannot reach. sepmdd loops through the list of subscribers with outstanding updates and increments a per-subscriber counter each time it fails to resend the update. When the counter reaches the number of attempts specified in this token, the subscriber is marked unavailable.
    Default:
    4
  • _QD_timeout_
    Specifies the maximum time, in seconds, that the sepmdd daemon waits while attempting to update a subscriber database during the first scan of its subscriber list. If the time elapses and the daemon does not succeed in updating a subscriber, it skips that particular subscriber and tries to update the remainder of the subscribers on its list.
    After completing the first scan of the subscriber list, sepmdd then performs a second scan in which it attempts to update the subscribers it did not succeed in updating during the first scan. During the second scan, it tries to update a subscriber until the connect system call times out (approximately 90 seconds).
    Default:
    3
  • _retry_timeout_
    Specifies the time, in minutes, to wait before trying again to resend an update to a subscriber that was marked unavailable after the number of attempts specified in _min_retries_. When the number of minutes defined by this token elapses, sepmdd marks the subscriber available again.
    Until then, a subscriber remains marked unavailable unless one of the following occurs:
    • It is manually released.
    • sepmdd is manually shut down and restarted. sepmdd is restarted when:
      1. A language facility attempts to connect to it.
      2. A parent PMDB wants to send an update.
      3. The pull option is triggered by a subscriber. This can optionally occur when PAM Server Control starts on the subscriber.
    • The pull option is triggered by the unavailable subscriber.
    Shutting down sepmdd too often is not desirable, because restarting the daemon takes time and slows the whole propagation process. Leaving it running all the time may also be undesirable because of possible stability issues, but that is only a conjecture.
    Default:
    30
  • _shutoff_time_
    Specifies the time, in minutes, of inactivity after which sepmdd quits. If the token value is zero, sepmdd never quits.
    Default:
    0
  • always_propagate
    If this token is set to no, commands that the Policy Model failed to execute are not propagated to the subscribers.
    Default:
    none
  • exclude_file
    Specifies an exclude file.
    The exclude file contains host names (one on each line) that should be excluded from receiving policy model updates.
    Default:
    none
  • exclude_localhost
    Tells the PMDB to exclude the local host from receiving updates as a subscriber.
    Possible values: yes, no.
    Default:
    no
  • exclude_method
    Enables or disables promoting the offset in the update file when a subscriber is excluded.
    Values:
    "pmdwait": do not promote the offset
    "bypass": otherwise (the offset is promoted)
    Default:
    pmdwait
  • filter
    Specifies the name of the filter file.
  • force_auto_truncate
    Specifies whether PAM Server Control truncates the update file even if there are no subscribers to the Policy Model.
    You can truncate the update file manually (sepmd -t), and PAM Server Control also truncates the file automatically based on a separate configuration setting (trigger_auto_truncate) that defines the event that triggers automatic truncation.
    Note:
    If all subscribers to the Policy Model are "Out of sync", the Policy Model effectively has no subscribers.
    Default:
    yes
  • group_file_name
    Specifies the name of the group file for a new UNIX group. sepmdd saves the group entry of the new UNIX group in this file.
    Default:
    group
  • is_maker_checker
    Specifies whether to use Dual Control. The valid values for this token are yes and no.
    If yes is selected, the PMDB cannot be updated directly, but only through a transaction, and each transaction entered by one administrator must be processed by another administrator before the commands are applied to the PMDB.
    Default:
    no
  • password_file_name
    Specifies the name of the password file for new UNIX users. sepmdd stores the password entry of new UNIX users in this file.
    Default:
    passwd
  • send_unix_env
    Indicates whether sepmd sends the contents of the Policy Model password and group files.
    If this token is set to yes, the sepmd -n option sends the contents of the Policy Model password and group files. If this token is set to no, the sepmd -n option does not send them.
    Default:
    yes
  • synch_uid
    Determines whether sepmdd attempts to synchronize UIDs between a Policy Model and its subscribers. The valid values for this token are yes and no.
    If the token is no, sepmdd does not attempt to synchronize UIDs. Users are assigned the first available UID on each subscriber host, so the same user name can end up with different UIDs on different subscribers.
    If the token is yes, sepmdd attempts to synchronize UIDs. For example, if a new UNIX user is created on the PMDB with a UID of 1000, sepmdd transfers that UID to the subscribers. If UID 1000 is already in use on one of the subscribers, the update on that subscriber fails.
    sepmdd only tries to synchronize UIDs if the original command sent to the PMDB did not specify a UID for the user. If the original command did specify a UID, the specified UID is sent to all the subscribers.
    Default:
    yes
  • TNG_Environment
    Specifies whether the database is created with special TNG classes and resources.
    Valid values are:
    "0" to create the database without the special TNG classes
    "1" to create the database with all the special TNG classes
    Default:
    0
  • transaction_lib
    Specifies the path of the maker-checker policy.
    Default:
    /opt/CA/eTrustAccessControl/policies/maker
  • trigger_auto_truncate
    Defines the size of the Policy Model update file, in megabytes, that triggers an automatic truncation of the update file.
    If you use a value that is less than the lower limit, PAM Server Control uses the default value. If you use a value that is greater than the upper limit, PAM Server Control uses the upper limit value.
    Limits:
    1 - 2000 MB
    Default:
    1024 MB
  • update_while_processing
    Defines the frequency at which the Policy Model propagates commands to subscribers while it is processing incoming events.
    The frequency is a multiple of the updates_in_chunk setting and determines how many commands the PMD processes before it sends one set of commands to the next subscriber in line. For example, if you set this token to 3 and updates_in_chunk is set to 10, the PMD processes 30 commands, then sends one set of 10 commands to the next subscriber in line. A value of 0 means that the PMD does not propagate commands while processing incoming events.
    Default:
    1
  • updates_in_chunk
    Determines the maximum number of commands that the Policy Model sends to each of its subscribers in each cycle of a loop.
    Default:
    20
  • UseEncryption
    Specifies whether update information saved to the updates.dat file is encrypted. With the default of no, the commands queued for propagation are stored in that file in clear text.
    Default:
    no
  • UseShadow
    Determines whether to use a shadow file when you reference the PMDB native environment.
    Default:
    no
  • YpServerSecure
    Specifies the name of the password shadow file (a security file on an NIS server) that is used for building the NIS password map. This token is relevant only if you set UseShadow to yes.
    Default:
    /etc/shadow
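As an added example (not CA's code and not part of PAM Server Control), the following Python script audits a [pmd] section against the rules described on this page: it applies the documented limit handling for trigger_auto_truncate, works out the propagation cadence from update_while_processing and updates_in_chunk, summarizes the _min_retries_ / _retry_timeout_ / _QD_timeout_ behaviour for an unreachable subscriber, and flags UseEncryption and is_maker_checker left at their defaults. The sample pmd.ini text is constructed, and the function names, finding wording and the choice of which tokens to flag are the example's own assumptions.

```python
"""Audit the [pmd] section of a pmd.ini against the token rules on this page.

Added example, not CA's code. SAMPLE_PMD_INI is constructed input; the
functions below encode only behaviour stated in the token descriptions.
"""
import configparser

# Constructed sample: an out-of-the-box style [pmd] section with one
# out-of-range value and the security-relevant tokens left at their defaults.
SAMPLE_PMD_INI = """\
[pmd]
_min_retries_ = 4
_QD_timeout_ = 3
_retry_timeout_ = 30
_shutoff_time_ = 0
updates_in_chunk = 20
update_while_processing = 3
trigger_auto_truncate = 5000
force_auto_truncate = yes
is_maker_checker = no
UseEncryption = no
exclude_localhost = no
"""

# Limits and default for trigger_auto_truncate, in MB, as documented above.
TRUNCATE_MIN_MB, TRUNCATE_MAX_MB, TRUNCATE_DEFAULT_MB = 1, 2000, 1024


def load_pmd_section(text):
    """Parse the [pmd] section into a dict, keeping token names as written
    (configparser lower-cases keys by default, which would break UseEncryption)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["pmd"])


def effective_trigger_auto_truncate(value):
    """Apply the documented rule: below the lower limit the default is used,
    above the upper limit the upper limit is used, otherwise the value as given."""
    mb = int(value)
    if mb < TRUNCATE_MIN_MB:
        return TRUNCATE_DEFAULT_MB
    if mb > TRUNCATE_MAX_MB:
        return TRUNCATE_MAX_MB
    return mb


def commands_between_propagations(cfg):
    """Number of commands the PMD processes before it sends one chunk of
    updates_in_chunk commands to the next subscriber; None when
    update_while_processing is 0 (no propagation while processing events)."""
    factor = int(cfg.get("update_while_processing", 1))
    chunk = int(cfg.get("updates_in_chunk", 20))
    return None if factor == 0 else factor * chunk


def unavailable_subscriber_timeline(cfg):
    """How an unreachable subscriber is handled: seconds waited per subscriber on
    the first scan, failed attempts before it is marked unavailable, and minutes
    it stays unavailable unless released manually or pulled by the subscriber."""
    return {
        "first_scan_wait_seconds": int(cfg.get("_QD_timeout_", 3)),
        "attempts_before_unavailable": int(cfg.get("_min_retries_", 4)),
        "minutes_marked_unavailable": int(cfg.get("_retry_timeout_", 30)),
    }


def audit(cfg):
    """Return the findings a reviewer would raise about this [pmd] section."""
    findings = []
    if cfg.get("UseEncryption", "no").lower() != "yes":
        findings.append("UseEncryption=no: queued updates in updates.dat are stored in clear text")
    if cfg.get("is_maker_checker", "no").lower() != "yes":
        findings.append("is_maker_checker=no: a single administrator can update the PMDB directly (no Dual Control)")
    raw = cfg.get("trigger_auto_truncate")
    if raw is not None and effective_trigger_auto_truncate(raw) != int(raw):
        findings.append(
            f"trigger_auto_truncate={raw} is outside {TRUNCATE_MIN_MB}-{TRUNCATE_MAX_MB} MB; "
            f"effective value is {effective_trigger_auto_truncate(raw)} MB"
        )
    if commands_between_propagations(cfg) is None:
        findings.append("update_while_processing=0: no propagation while incoming events are processed")
    return findings


if __name__ == "__main__":
    cfg = load_pmd_section(SAMPLE_PMD_INI)
    print("propagate every", commands_between_propagations(cfg), "commands")
    print("unreachable subscriber:", unavailable_subscriber_timeline(cfg))
    for finding in audit(cfg):
        print("FINDING:", finding)
```

Point the script at a real pmd.ini by replacing SAMPLE_PMD_INI with the file's contents; the thresholds are the ones documented above, so a section that passes audit() has encryption of updates.dat and Dual Control enabled and a trigger_auto_truncate value that will be honoured as written.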