seos

In the [seos] section, the tokens determine the global settings that are used by Privileged Access Manager.
  • admin_data
    Specifies the directory where the Privileged Access Manager Security Administrator rulers and other configuration files are stored.
    Default: ACInstallDir/data
  • auth_login
    Determines the login authority method. Valid values are:
    native - login checks the user password against the UNIX passwd or shadow file.
    eTrust - when the user does not exist in the native environment, checks the user password against the Privileged Access Manager database.
    PAM - when the user does not exist in the native environment, checks the login through the PAM module. This is only supported on machines where PAM is supported. PAM is used to validate users such as LDAP-defined users.
    Default: native
  • auth_module_names
    Defines the language client module that is allowed to authenticate outside of native authentication. Clients that call the lca API set this token before authenticating. Changing this token can affect other clients that authenticate in non-native mode.
    No default.
  • fast_create_db
    Specifies whether the PMDB uses the fast database copy device. Valid values are:
    no - Use the old device.
    yes - Use the fast database copy device.
    Default: yes
  • full_year
    Specifies whether the year is displayed using four digits or the last two digits. For example, setting the token to yes displays 2000 instead of 00. The following values are valid:
    yes - four digits
    no - two digits
    This token influences the output that is produced by secons -tv, dbmgr -d, and the seaudit utility.
    Default: yes (four digits)
  • ldap_base
    Defines the distinguished name of the search base for user data queries in the LDAP Directory Information Tree (DIT) by Privileged Access Manager LDAP-enabled utilities (such as sebuildla).
    For example, use the following format, replacing the inputs with your own:
    o=organization_name,c=country_name
    Default: Token not set
    To set up sebuildla and the required LDAP configuration settings, be familiar with LDAP and be able to execute the ldapsearch command. We recommend that you read the man pages for ldap(1) and ldapsearch(1), and the setup information in the documentation for your LDAP client.
  • ldap_hostname
    Defines a space-separated list of the host names where the LDAP servers are running for Privileged Access Manager LDAP-enabled utilities.
    Default: Token not set (localhost).
  • ldap_certdb_path
    Defines the directory where the Netscape-style certificate database is located.
    This token is required for sebuildla on platforms that use the Netscape LDAP SDK API for LDAP over SSL (Solaris). For sebuildla to work, the certificate database must contain a valid certificate for the LDAP server.
    sebuildla uses LDAP over SSL with server authentication (that is, no client authentication). Consult your PKI toolkit documentation for details on setting up secure services.
    Default: /.netscape
  • ldap_keydb
    Defines the name of the key database file.
    This setting is for AIX only, as an AIX key database can have an arbitrary name. In contrast, Netscape security databases have names like certX.db and keyY.db depending on the implementation version, so only ldap_certdb_path is required for finding them.
    Default: Token not set
  • ldap_method
    Specifies the bind method that Privileged Access Manager uses for LDAP-enabled utilities to access the LDAP service.
    By default, sebuildla uses simple authentication with all security mechanisms. In simple authentication, ldap_userdn and the corresponding credential are passed to the LDAP server. sebuildla stores user credentials in encrypted form in ldapcred.dat at ACInstallDir/etc. These two parameters approximate the account and password combination that the LDAP server requires.
    For SASL or TLSv.1/SSL, consult your LDAP server documentation. For a particular ldap_method setting to take effect, the corresponding mechanism must be supported and configured in the native LDAP client that is deployed on the computer where sebuildla is executed. That is, for TLS/SSL operations, valid certificates must be installed on both the server and the client side.
    Valid values are:
    0 - Standard LDAP
    1 - SASL (RFC 2222)
    2 - LDAPS (LDAP over SSL - server authentication only)
    The method that you use determines how you set up the ldap_userdn token and its corresponding credential (through the seldapcred utility).
    Default: 0
  • ldap_port
    Defines the LDAP server port for Privileged Access Manager LDAP-enabled utilities. Change this token if your LDAP server is not using the standard LDAP port (389).
    Default: Token not set (389).
  • ldap_query_size
    Defines the maximum number of LDAP entries that sebuildla retrieves in each batch query.
    Use this token when you do not want to change the LDAP server-side size limit parameter. Typically, sebuildla attempts to retrieve all data in one operation. If there are numerous user entries, the amount of data might exceed the size limit of the server and cause the LDAP operation to fail. If you set ldap_query_size, sebuildla need not retrieve all entries at once for the operation to succeed. If the total number of user entries is greater than either ldap_query_size or the server-side size limit, the number of entries retrieved per query corresponds to the lower of these two settings.
    Enabling batch queries can affect sebuildla performance. Consider using this setting only where the LDAP environment has numerous user data (thousands of entries) in the DIT (Directory Information Tree).
    For information about server-side LDAP controls, for example, the OpenLDAP server (slapd) sizelimit parameter, consult your LDAP server documentation.
    Default: Token not set (empty)
  • ldap_timeout
    Defines the maximum amount of time (in seconds) that Privileged Access Manager LDAP-enabled utilities wait when binding to the LDAP service and obtaining LDAP search results, before terminating the connection. The time that it takes to retrieve information from the LDAP service depends on how fast the LDAP service is and how much user data is stored in the DIT. Use this token to account for these aspects.
    You might also need to adjust server-side LDAP controls to avoid truncated search results. For example, for the OpenLDAP server (slapd), adjust the sizelimit parameter. Consult your LDAP server documentation for more information.
    Default: Token not set (15 seconds)
  • ldap_uid_attr
    Defines the name of the attribute that contains the user name in the LDAP DIT. RFC 2307 (An Approach for Using LDAP as a Network Information Service) prescribes uid as this attribute, which is the default value for this token. Change this token to let Privileged Access Manager LDAP-enabled utilities operate against LDAP DITs with nonstandard schemas.
    Default: Token not set (uid).
  • ldap_uidNumber_attr
    Defines the name of the attribute that contains the UID number in the LDAP DIT. RFC 2307 prescribes uidNumber as this attribute, which is the default value for this token. Change this token to let Privileged Access Manager LDAP-enabled utilities operate against LDAP DITs with nonstandard schemas.
    Default: Token not set (uidNumber).
  • ldap_user_class
    Defines the name of the object class that contains the user data in the LDAP DIT. RFC 2307 prescribes posixAccount as this object class, which is the default value for this token. Change this token to let Privileged Access Manager LDAP-enabled utilities operate against LDAP DITs with nonstandard schemas.
    Default: Token not set (posixAccount).
  • ldap_userdn
    Defines the distinguished name (DN) of the LDAP user that Privileged Access Manager LDAP-enabled utilities use for retrieving user data from the LDAP DIT. Based on RFC 2307, Privileged Access Manager expects to find the user data in the uid and uidNumber attributes at the ou=People level in the DIT. For security reasons, we recommend that this user (ldap_userdn) is given access to this data only.
    If anonymous access to the DIT is permitted, you can keep this token empty. Otherwise, set this token and run the seldapcred utility so that Privileged Access Manager LDAP-enabled utilities can authenticate to the LDAP service. Do this only once, as seldapcred stores your encrypted credential in a file for reuse.
    For example, set this token as follows:
    ldap_userdn = uid=user1,ou=People,dc=myCompany,dc=com
    Default: Token not set
  • ldap_userinfo_ladb
    Specifies whether to retrieve user information from the LDAP Directory Information Tree (DIT).
    Limits: yes, no
    Default: no
  • ldap_verbose
    Specifies whether to enable a detailed account of the LDAP operations involved in sebuildla retrieving user data.
    Use this setting when you set up LDAP data retrieval in sebuildla or when troubleshooting.
    Valid values are:
    0 - disabled
    a non-zero integer - enabled
    Default: 0
  • locale
    Determines the language for the Privileged Access Manager daemons and utilities. Privileged Access Manager can function in several languages.
    Supported languages include: C, Japanese, Chinese-s, Chinese-t
    For the complete list of languages, see /etc/ca/localeX/calocmap.txt; on Linux, see /opt/CA/SharedComponents/cawin/locale/.
    Default: C
  • pam_enabled
    Valid on SOLARIS, HP-UX, and LINUX only.
    Specifies whether the local host enables the use of PAM for authentication and password changes in the LDAP database.
    To do that, it checks whether the PAM library can be dynamically loaded (the library must exist on your system).
    Valid values are: 'no', 'yes'.
    Default: yes
  • parent_pmd
    Defines a comma-separated list of policy model databases (PMDBs) from which this computer accepts updates. The local Privileged Access Manager database rejects updates from any PMDB that is not specified in this list.
    You can also specify the path of a file that contains a line-separated list of PMDBs.
    Set this token to "_NO_MASTER_" for the local Privileged Access Manager database to accept updates from any PMDB.
    If you do not set this token, the local Privileged Access Manager database does not accept updates from any PMDB.
    Each PMDB is specified in the following format: pmd_name@hostname
    For example:
    parent_pmd = pmd1@host1,pmd2@host1,pmd3@host2
    parent_pmd = /opt/CA/PAMSC/parent_pmdbs_file
    Default: Token is not set (database does not accept updates from any PMDB).
    Note: sepass does not support multiple destinations on the parent_pmd token.
  • passwd_pmd
    Specifies the PMDB to which sepass sends password updates.
    If you do not set this token, it inherits the value of the parent_pmd token.
    The format is pmd_name@hostname.
    The parent_pmd and passwd_pmd tokens can have the same value. If the values in the parent_pmd and passwd_pmd tokens are not the same, the passwd_pmd database sends its updates to the parent_pmd database for distribution. Therefore, the parent_pmd database must be a child (subscriber) of the passwd_pmd database.
    No default.
    Note: sepass does not support multiple destinations on the passwd_pmd token.
  • ReverseIpLookup
    Controls the way seagent identifies the connecting client.
    The following values are valid:
    yes - seagent looks up the IP address of the socket of the open client.
    no - seagent uses the host name as received from the client; seagent does not resolve any host names. (The same effect can be achieved by disabling class TERMINAL.)
    Default: yes
  • secondary_pmd
    Specifies the PMDB used as the secondary target for password replacement for users who are not defined in the primary target (passwd_pmd).
    The format is pmd_name@hostname.
    No default.
  • SEOSPATH
    Specifies the directory in which Privileged Access Manager is installed.
    You can install Privileged Access Manager in any directory, provided it is not on an NFS-mounted file system.
    Default: ACInstallDir
  • SyncUnixFilePerms
    Specifies whether Privileged Access Manager synchronizes its ACL permissions with the ACL and other permissions of the native UNIX system, if they exist.
    The following values are valid:
    no - Do not synchronize the UNIX file permissions with Privileged Access Manager ACLs.
    warn - Do not synchronize ACL permissions, but issue a warning if the permissions in Privileged Access Manager and UNIX conflict.
    traditional - Change rwx permissions for the group and the owner according to Privileged Access Manager ACLs; issue a warning in all other cases.
    acl - Change native file-system ACLs according to Privileged Access Manager ACLs (on platforms that support ACLs).
    force - Functions the same as traditional or acl (on platforms that support ACLs), but also forces mapping of defaccess to "other" permissions.
    Note: On HP-UX and Sun Solaris 2.5 (and above), support is provided for file system ACLs. On other platforms and operating system versions, only the traditional permission mode of a file is supported.
    Default: no
  • TRUEPATH
    Specifies the directory where Privileged Access Manager is physically located. The Privileged Access Manager directory may be a symbolic link to another physical location. This token points to the actual physical location where Privileged Access Manager is installed.
    Default: ACInstallDir
  • use_rpc_protocol
    Determines whether the RPC portmapper is required. The RPC portmapper is required if you want to use the old (1.43) Privileged Access Manager protocol. The old protocol is required to support NIS+ password changes.
    This token replaces the old_protocol token.
    The following values are valid:
    yes - Use the RPC portmapper to assign the port.
    no - Use the port that is specified by the ServicePort token.
    Default: no
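The following is an added example, not part of the product documentation or the product's own tooling: a small review script that reads a [seos] section and reports settings that this reference describes as invalid or as worth a second look (the ldap_* bind and verbosity tokens, and the parent_pmd/passwd_pmd relationship used by sepass). The sample section and all finding texts are constructed here; token names and valid values are taken from the list above.

```python
import configparser
import re

# Constructed sample [seos] section (not taken from any real installation).
SAMPLE_SEOS_INI = """
[seos]
auth_login = PAM
ldap_method = 2
ldap_hostname = ldap1.example.com ldap2.example.com
ldap_base = ou=People,dc=example,dc=com
ldap_userdn =
ldap_verbose = 1
parent_pmd = pmd1@host1,pmd2@host1
"""

ENUMS = {  # tokens with a fixed set of valid values, as listed in this section
    "auth_login": {"native", "eTrust", "PAM"}, "ldap_method": {"0", "1", "2"},
    "fast_create_db": {"yes", "no"}, "full_year": {"yes", "no"},
    "pam_enabled": {"yes", "no"}, "ReverseIpLookup": {"yes", "no"},
    "use_rpc_protocol": {"yes", "no"},
    "SyncUnixFilePerms": {"no", "warn", "traditional", "acl", "force"},
}
PMD_RE = re.compile(r"^[^@,\s]+@[^@,\s]+$")  # pmd_name@hostname

def check_seos(text):
    """Return a list of findings for the [seos] section of an ini-style text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep token case (SEOSPATH, ReverseIpLookup)
    cp.read_string(text)
    seos = cp["seos"] if cp.has_section("seos") else {}
    out = []
    for tok, allowed in ENUMS.items():
        val = seos.get(tok)
        if val is not None and val not in allowed:
            out.append(f"{tok}: '{val}' is not one of {sorted(allowed)}")
    if seos.get("ldap_base") and not seos.get("ldap_userdn"):
        out.append("ldap_userdn not set: user data queries rely on anonymous access to the DIT")
    if seos.get("ldap_verbose", "0") != "0":
        out.append("ldap_verbose enabled: meant for LDAP setup and troubleshooting only")
    parent = seos.get("parent_pmd", "")
    if parent == "_NO_MASTER_":
        out.append("parent_pmd=_NO_MASTER_: local database accepts updates from any PMDB")
    elif parent and not parent.startswith("/"):  # a leading / means a file of PMDBs
        out += [f"parent_pmd: '{p}' is not pmd_name@hostname"
                for p in parent.split(",") if not PMD_RE.match(p)]
    target = seos.get("passwd_pmd") or parent  # sepass target inherits parent_pmd
    if target and not target.startswith("/") and "," in target:
        out.append("sepass target lists multiple destinations; sepass supports only one")
    return out
```

Run `check_seos(open("seos.ini").read())` against a real file to list the findings; the sample above yields three (empty ldap_userdn, verbose LDAP logging, and a multi-destination sepass target).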