seos
In the [seos] section, the tokens determine the global settings that are used by Privileged Access Manager.

- admin_data
  Specifies the directory where the Privileged Access Manager Security Administrator rules and other configuration files are stored.
  Default: ACInstallDir/data
- auth_login
  Determines the login authority method. Valid values are:
  native - The login checks the user password against the UNIX passwd or shadow file.
  eTrust - When the user does not exist in the native environment, the login checks the user password against the Privileged Access Manager database.
  PAM - When the user does not exist in the native environment, the login is checked through the PAM module. This is supported only on machines where PAM is supported. PAM is used to validate users such as LDAP-defined users.
  Default: native

- auth_module_names
  Defines the language client module that is allowed to authenticate outside of native authentication. Clients that use the lca API set this token before authenticating. Changing this token can affect other clients that authenticate in non-native mode.
  No default.

- fast_create_db
  Specifies whether the PMDB uses the fast database copy device. Valid values are:
  no - Use the old device.
  yes - Use the fast database copy device.
  Default: yes

- full_year
  Specifies whether the year is displayed with four digits or with the last two digits. For example, setting the token to yes displays 2000 instead of 00. Valid values are:
  yes - four digits
  no - two digits
  This token influences the output produced by secons -tv, dbmgr -d, and the seaudit utility.
  Default: yes (four digits)
- ldap_base
  Defines the distinguished name of the search base that Privileged Access Manager LDAP-enabled utilities (such as sebuildla) use for user data queries in the LDAP Directory Information Tree (DIT). For example, use the following format, replacing the inputs with your own:
  o=organization_name,c=country_name
  Default: Token not set
  To set up sebuildla and the required LDAP configuration settings, be familiar with LDAP and be able to execute the ldapsearch command. We recommend that you read the man pages for ldap(1) and ldapsearch(1), and the setup information in the documentation for your LDAP client.

- ldap_hostname
  Defines a space-separated list of the host names where the LDAP servers are running, for use by Privileged Access Manager LDAP-enabled utilities.
  Default: Token not set (localhost)

- ldap_certdb_path
  Defines the directory where the Netscape-style certificate database is located. This token is required for sebuildla on platforms that use the Netscape LDAP SDK API for LDAP over SSL (Solaris). For sebuildla to work, the certificate database must contain a valid certificate for the LDAP server. sebuildla uses LDAP over SSL with server authentication only (no client authentication). Consult your PKI toolkit documentation for details on setting up secure services.
  Default: /.netscape

- ldap_keydb
  Defines the name of the key database file. This setting is for AIX only, because an AIX key database can have an arbitrary name. In contrast, Netscape security databases have names like certX.db and keyY.db, depending on the implementation version, so only ldap_certdb_path is required to find them.
  Default: Token not set

- ldap_method
  Specifies the bind method that Privileged Access Manager LDAP-enabled utilities use to access the LDAP service. Valid values are:
  0 - Standard LDAP
  1 - SASL (RFC 2222)
  2 - LDAPS (LDAP over SSL, server authentication only)
  By default, sebuildla uses simple authentication with all security mechanisms. In simple authentication, ldap_userdn and the corresponding credential are passed to the LDAP server; these two values approximate the account and password combination that the LDAP server requires. sebuildla stores the credential in encrypted form in ldapcred.dat in ACInstallDir/etc. The method you use determines how you set up the ldap_userdn token and its corresponding credential (through the seldapcred utility). Note that the encryption protects the credential only at rest: with ldap_method 0, a simple bind sends it to the server in cleartext, so prefer 2 (LDAPS) wherever ldap_userdn is set.
  For SASL or TLS v1/SSL, consult your LDAP server documentation. For a particular ldap_method setting to take effect, the corresponding mechanism must be supported and configured in the native LDAP client deployed on the computer where sebuildla runs. For TLS/SSL, that means valid certificates must be installed on both the server and the client side.
  Default: 0
- ldap_port
  Defines the LDAP server port for Privileged Access Manager LDAP-enabled utilities. Change this token if your LDAP server is not using the standard LDAP port (389).
  Default: Token not set (389)

- ldap_query_size
  Defines the maximum number of LDAP entries that sebuildla retrieves in each batch query. Use this token when you do not want to change the server-side size limit. Normally sebuildla attempts to retrieve all data in one query; with numerous user entries, the result can exceed the server's size limit and the LDAP operation fails. If you set ldap_query_size, sebuildla does not need to retrieve all entries at once for the operation to succeed. If the total number of user entries is greater than either ldap_query_size or the server-side size limit, the number of entries retrieved per query corresponds to the lower of the two settings.
  Enabling batch queries can affect sebuildla performance. Consider this setting only where the DIT holds numerous user entries (thousands).
  For information about server-side LDAP controls, for example the OpenLDAP server (slapd) sizelimit parameter, consult your LDAP server documentation.
  Default: Token not set (empty)

- ldap_timeout
  Defines the maximum time (in seconds) that Privileged Access Manager LDAP-enabled utilities wait when binding to the LDAP service and obtaining search results before terminating the connection. The time it takes to retrieve information depends on how fast the LDAP service is and how much user data is stored in the DIT; use this token to account for these factors. You might also need to adjust server-side LDAP controls to avoid truncated search results, for example the OpenLDAP server (slapd) sizelimit parameter. Consult your LDAP server documentation for more information.
  Default: Token not set (15 seconds)

- ldap_uid_attr
  Defines the name of the attribute that contains the user name in the LDAP DIT. RFC 2307 (An Approach for Using LDAP as a Network Information Service) prescribes uid as this attribute, which is the default value for this token. Change this token to let Privileged Access Manager LDAP-enabled utilities operate against DITs with nonstandard schemas.
  Default: Token not set (uid)

- ldap_uidNumber_attr
  Defines the name of the attribute that contains the UID number in the LDAP DIT. RFC 2307 prescribes uidNumber as this attribute, which is the default value for this token. Change this token to let Privileged Access Manager LDAP-enabled utilities operate against DITs with nonstandard schemas.
  Default: Token not set (uidNumber)

- ldap_user_class
  Defines the name of the object class that contains the user data in the LDAP DIT. RFC 2307 prescribes posixAccount as this object class, which is the default value for this token. Change this token to let Privileged Access Manager LDAP-enabled utilities operate against DITs with nonstandard schemas.
  Default: Token not set (posixAccount)

- ldap_userdn
  Defines the distinguished name (DN) of the LDAP user that Privileged Access Manager LDAP-enabled utilities use to retrieve user data from the LDAP DIT. Based on RFC 2307, Privileged Access Manager expects to find the user data in the uid and uidNumber attributes at the ou=People level of the DIT. For security reasons, we recommend that this user (ldap_userdn) is granted read access to this data only.
  If anonymous access to the DIT is permitted, you can leave this token empty. Otherwise, set this token and run the seldapcred utility so that Privileged Access Manager LDAP-enabled utilities can authenticate to the LDAP service. Do this only once, because seldapcred stores your encrypted credential in a file for reuse.
  For example:
  ldap_userdn = uid=user1,ou=People,dc=myCompany,dc=com
  Default: Token not set

- ldap_userinfo_ladb
  Specifies whether to retrieve user information from the LDAP Directory Information Tree (DIT).
  Valid values: yes, no
  Default: no

- ldap_verbose
  Specifies whether to log a detailed account of the LDAP operations involved when sebuildla retrieves user data. Use this setting when you set up LDAP data retrieval in sebuildla or when troubleshooting. Valid values are:
  0 - disabled
  any non-zero integer - enabled
  Default: 0
- locale
  Determines the language for the Privileged Access Manager daemons and utilities. Privileged Access Manager can function in several languages. Supported languages include: C, Japanese, Chinese-s, Chinese-t. For the complete list of languages, see /etc/ca/localeX/calocmap.txt; on Linux, see /opt/CA/SharedComponents/cawin/locale/.
  Default: C

- pam_enabled
  Valid on Solaris, HP-UX, and Linux only. Specifies whether the local host enables use of PAM for authentication and password changes in the LDAP database. To do so, it checks whether the PAM library can be dynamically loaded (the library must exist on your system). Valid values are: no, yes.
  Default: yes

- parent_pmd
  Defines a comma-separated list of policy model databases (PMDBs) from which this computer accepts updates. The local Privileged Access Manager database rejects updates from any PMDB that is not in this list. You can also specify the path of a file that contains a line-separated list of PMDBs.
  Set this token to "_NO_MASTER_" for the local Privileged Access Manager database to accept updates from any PMDB. Because this removes the trust check on the sending PMDB, use it only where no other control limits who can reach the host. If you do not set this token, the local Privileged Access Manager database does not accept updates from any PMDB.
  Each PMDB is specified in the format pmd_name@hostname. For example:
  parent_pmd = pmd1@host1,pmd2@host1,pmd3@host2
  parent_pmd = /opt/CA/PAMSC/parent_pmdbs_file
  Default: Token not set (the database does not accept updates from any PMDB)
  Note: sepass does not support multiple destinations on the parent_pmd token.

- passwd_pmd
  Specifies the PMDB to which sepass sends password updates. If you do not set this token, it inherits the value of the parent_pmd token. The format is pmd_name@hostname.
  The parent_pmd and passwd_pmd tokens can have the same value. If they differ, the passwd_pmd database sends its updates to the parent_pmd database for distribution, so the parent_pmd database must be a child (subscriber) of the passwd_pmd database.
  No default.
  Note: sepass does not support multiple destinations on the passwd_pmd token.

- ReverseIpLookup
  Controls the way seagent identifies the connecting client. Valid values are:
  yes - seagent looks up the IP address of the socket of the connected client.
  no - seagent uses the host name as received from the client and does not resolve any host names. Because the client supplies that name itself, rules that key on it cannot be relied on; the same effect can be achieved by disabling class TERMINAL.
  Default: yes

- secondary_pmd
  Specifies the PMDB used as the secondary target for password replacement for users who are not defined in the primary target (passwd_pmd). The format is pmd_name@hostname.
  No default.
- SEOSPATH
  Specifies the directory in which Privileged Access Manager is installed. You can install Privileged Access Manager in any directory, provided it is not on an NFS-mounted file system.
  Default: ACInstallDir

- SyncUnixFilePerms
  Specifies whether Privileged Access Manager synchronizes its ACL permissions with the ACLs and other permissions of the native UNIX system, where they exist. Valid values are:
  no - Do not synchronize the UNIX file permissions with Privileged Access Manager ACLs.
  warn - Do not synchronize permissions, but issue a warning if the permissions in Privileged Access Manager and UNIX conflict.
  traditional - Change the rwx permissions of the owner and group according to the Privileged Access Manager ACLs; issue a warning in all other cases.
  acl - Change native file-system ACLs according to the Privileged Access Manager ACLs (on platforms that support ACLs).
  force - Functions the same as traditional or acl (on platforms that support ACLs), but also forces the mapping of defaccess to the "other" permissions.
  Note: On HP-UX and Sun Solaris 2.5 (and above), file-system ACLs are supported. On other platforms and operating system versions, only the traditional permission mode of a file is supported.
  Default: no

- TRUEPATH
  Specifies the directory where Privileged Access Manager is physically located. The Privileged Access Manager directory may be a symbolic link to another physical location; this token points to the actual physical location where Privileged Access Manager is installed.
  Default: ACInstallDir

- use_rpc_protocol
  Determines whether the RPC portmapper is required. The RPC portmapper is required if you want to use the old (1.43) Privileged Access Manager protocol, which is needed to support NIS+ password changes. This token replaces the old_protocol token. Valid values are:
  yes - Use the RPC portmapper to assign the port.
  no - Use the port specified by the ServicePort token.
  Default: no
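The tokens above are edited by hand, and nothing checks how they combine until a utility fails or a PMDB pushes an unexpected update. The following added example is not part of the product or its documentation: it parses a [seos] section, flags the combinations that the ldap_method, parent_pmd and ReverseIpLookup entries warn about (a simple bind over plaintext LDAP, an open _NO_MASTER_ trust list, malformed pmd_name@hostname entries, a disabled reverse lookup), and derives the OpenLDAP ldapsearch command that exercises the same ldap_* tokens, which is the manual check the ldap_base entry recommends. The sample seos.ini contents are constructed, and the rule set, finding codes and helper names are this example's own.

```python
"""Lint the [seos] section of seos.ini for settings that weaken PMDB
replication trust or LDAP transport security, and derive the ldapsearch
command that exercises the same ldap_* tokens.
Added example, not the product's code. Token names and meanings follow the
reference text; the sample file, rules and helper names are constructed."""
import configparser
import re

# Constructed sample: a plaintext simple-bind LDAP setup plus an open
# replication trust list, the two things the lint below should catch.
SAMPLE_SEOS_INI = """\
[seos]
admin_data = /opt/CA/PAMSC/data
auth_login = PAM
parent_pmd = _NO_MASTER_
passwd_pmd = pmd1@pmdhost1
ldap_hostname = ldap1.example.com ldap2.example.com
ldap_method = 0
ldap_userdn = uid=svc-pam,ou=People,dc=example,dc=com
ldap_base = dc=example,dc=com
ldap_timeout = 30
ReverseIpLookup = no
"""

PMD_RE = re.compile(r"^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+$")  # pmd_name@hostname
DEFAULT_LDAP_PORT = {"0": "389", "1": "389", "2": "636"}  # 636: conventional LDAPS port


def parse_seos_section(text):
    """Return the [seos] tokens as a dict, keeping token-name case
    (SEOSPATH, ReverseIpLookup and friends are mixed-case names)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["seos"]) if cp.has_section("seos") else {}


def parse_pmd_list(value):
    """Classify a parent_pmd value: ("any", []) for _NO_MASTER_,
    ("file", [path]) for a list file, or ("list", [pmd@host, ...])."""
    value = value.strip()
    if value == "_NO_MASTER_":
        return "any", []
    if value.startswith("/"):
        return "file", [value]  # file with one pmd_name@hostname per line
    return "list", [p.strip() for p in value.split(",") if p.strip()]


def lint_seos(tokens):
    """Return (code, message) findings for the security-relevant tokens."""
    findings = []
    parent = tokens.get("parent_pmd")
    if parent is None:
        findings.append(("PMD_NONE", "parent_pmd unset: no PMDB can push updates here"))
    else:
        kind, entries = parse_pmd_list(parent)
        if kind == "any":
            findings.append(("PMD_OPEN", "parent_pmd=_NO_MASTER_: any PMDB may push updates"))
        if kind == "list":
            for entry in entries:
                if not PMD_RE.match(entry):
                    findings.append(("PMD_FORMAT", f"parent_pmd {entry!r} is not pmd_name@hostname"))
    pw = tokens.get("passwd_pmd")
    if pw and not PMD_RE.match(pw):
        findings.append(("PMD_FORMAT", f"passwd_pmd {pw!r} is not pmd_name@hostname"))
    method = tokens.get("ldap_method", "0")
    if method not in DEFAULT_LDAP_PORT:
        findings.append(("LDAP_METHOD", f"ldap_method={method} is not 0, 1 or 2"))
    elif method == "0" and tokens.get("ldap_userdn"):
        findings.append(("LDAP_CLEARTEXT", "ldap_method=0 with ldap_userdn: simple bind "
                         "sends the credential in cleartext; use ldap_method=2 (LDAPS)"))
    elif method == "2" and tokens.get("ldap_port", "389") == "389":
        findings.append(("LDAP_PORT", "ldap_method=2 but ldap_port is the plaintext port 389"))
    if tokens.get("ReverseIpLookup", "yes").lower() == "no":
        findings.append(("TERMINAL_TRUST", "ReverseIpLookup=no: seagent trusts the "
                         "client-supplied host name, so TERMINAL rules are spoofable"))
    return findings


def ldapsearch_argv(tokens):
    """Build the OpenLDAP ldapsearch command that queries the DIT the way
    the ldap_* tokens describe, for checking the tokens by hand."""
    method = tokens.get("ldap_method", "0")
    host = tokens.get("ldap_hostname", "localhost").split()[0]
    port = tokens.get("ldap_port", DEFAULT_LDAP_PORT.get(method, "389"))
    scheme = "ldaps" if method == "2" else "ldap"
    argv = ["ldapsearch", "-H", f"{scheme}://{host}:{port}",
            "-l", tokens.get("ldap_timeout", "15")]  # -l: time limit in seconds
    if method != "1":
        argv.append("-x")  # simple bind; SASL (method 1) omits -x
    if tokens.get("ldap_userdn"):
        argv += ["-D", tokens["ldap_userdn"], "-W"]  # -W prompts; no secret in argv
    if tokens.get("ldap_query_size"):
        argv += ["-E", f"pr={tokens['ldap_query_size']}/noprompt"]  # paged results
    argv += ["-b", tokens.get("ldap_base", ""),
             f"(objectClass={tokens.get('ldap_user_class', 'posixAccount')})",
             tokens.get("ldap_uid_attr", "uid"),
             tokens.get("ldap_uidNumber_attr", "uidNumber")]
    return argv


if __name__ == "__main__":
    toks = parse_seos_section(SAMPLE_SEOS_INI)
    for code, msg in lint_seos(toks):
        print(f"{code}: {msg}")
    print(" ".join(ldapsearch_argv(toks)))
```

Run against the sample, the lint reports PMD_OPEN, LDAP_CLEARTEXT and TERMINAL_TRUST, and the derived command binds as the ldap_userdn with -W so the credential is typed at the prompt rather than placed on the command line. Feed the real seos.ini to parse_seos_section instead of the constructed string to check a host; the ldap_query_size mapping to paged results is OpenLDAP-specific and approximates the batching that sebuildla does itself.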