NAME
gosa.conf - GOsa configuration file
DESCRIPTION
The gosa.conf file contains configuration information for GOsa, a
powerful GPL'ed framework for managing accounts and systems in LDAP
databases.
The gosa.conf file is an XML-style configuration file. It is parsed by
the GOsa web application during login. The file may contain extra
tabs and newlines for formatting purposes. Tag keywords in the file
are case-insensitive. Comments should be placed outside of XML tags and
should be encapsulated inside of <!-- --> tags.
The gosa.conf file can be used to configure the look and feel,
behaviour and access control of the GOsa web interface.
Configuration layout
The configuration has to be specified inside of the <conf> tags. It
basically consists of three main parts: menu definition, definition of
subdialogs (tabbed dialogs) and the main configuration - including
information about several locations.
Layout example:
<?xml version="1.0"?>
<conf configVersion="...." >
<!-- Menu definition -->
<menu>
...
</menu>
<!-- Tabbed dialog definitions -->
...
<!-- Global setup -->
<main>
<!-- Location specific setups -->
<location name="">
...
</location>
</main>
</conf>
Menu definition
This tag defines the side and icon menu inside the interface. Defining
an entry here is no guarantee that it gets shown, though. Only entries
with matching ACLs get shown.
There are two types of entries inside of the menu: section and plugin
Defining a section
Open a <section> tag including a name attribute. This will show up in
the menu as a new section later on. Own entries are not handled via
I18N by default. Close the </section> tag after your plugin
definitions.
Defining a plugin
Open a <plugin> tag including a class attribute. The class should be
present inside your GOsa setup - the entry will be ignored if it is
not.
Plugins should have an acl entry that allows GOsa to decide whether a
user is allowed to see a plugin or not. The acl string matches an
ACL definition done inside of GOsa.
You can override an icon by specifying the icon attribute.
For every plugin, you can provide at least four additional hooks:
postcreate, postremove, postmodify and check. These can be used to
perform special actions when a plugin gets a create, delete, modify or
check request. As a parameter, these keywords take a shell script or
program that performs the task.
The create / delete / modify keywords
These keywords take a full executable path of a script. You can provide
certain parameters in the form of LDAP attributes. '%uid' will pass the
current user id, '%dn' the current object dn, etc.
The script gets executed after create, delete or modify tasks.
The check keyword
This keyword takes a full executable path of a script. Check is
triggered after you press the "Apply" or "OK" button. The
complete LDAP entry as it will be written to the LDAP is passed to your
script. If parts of the entry do not match some logic of your script,
just print an error message to STDOUT. GOsa will show this message and
abort the current process of saving the entry to the LDAP.
Example menu definition:
<menu>
<section name="My account">
<plugin acl="users/user:self" class="user" check="/usr/local/bin/test_user.sh" />
<plugin acl="users/samba:self" class="sambaAccount" postcreate="/usr/local/bin/create_share '%uid'" />
</section>
</menu>
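The check hook described above, as an added example that is not part of GOsa or of this manual page: a Python script that validates the entry and prints any problems to STDOUT, which is the signal GOsa uses to abort the save. gosa.conf(5) does not say in which form the entry reaches the script; this example assumes it arrives as LDIF on standard input. The uid rule, the shell allow-list and the two sample entries are constructed for the example.

```python
#!/usr/bin/env python3
"""Hypothetical GOsa 'check' hook (added example, not GOsa code).

Assumption not stated in gosa.conf(5): the entry GOsa is about to write
arrives as LDIF on standard input. Anything printed to STDOUT is shown
to the user and makes GOsa abort the save, so only problems are printed.
"""
import re
import sys

# Policy values constructed for this example.
UID_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/usr/sbin/nologin", "/bin/false"}
RESERVED_IDS = {"0"}           # a web-managed account must never become uid/gid 0

# Constructed sample entries in the LDIF form the script assumes.
SAMPLE_GOOD = """dn: uid=jdoe,ou=people,dc=example,dc=net
uid: jdoe
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
"""
SAMPLE_BAD = """dn: uid=Root Admin,ou=people,dc=example,dc=net
uid: Root Admin
loginShell: /bin/zsh
uidNumber: 0
"""


def parse_ldif(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines, continuation
    lines start with one space, '#' lines are comments. Base64 ('::') values
    are not decoded here. Returns {lowercased attr: [values]}."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]             # unfold continuation line
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, sep, value = line.partition(":")
        if sep:
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_entry(entry):
    """Return human-readable problems; an empty list means the entry passes."""
    problems = []
    for uid in entry.get("uid", []):
        if not UID_RE.match(uid):
            problems.append("uid '%s' must be lowercase, start with a letter "
                            "and contain only [a-z0-9_-]" % uid)
    for shell in entry.get("loginshell", []):
        if shell not in ALLOWED_SHELLS:
            problems.append("loginShell '%s' is not an allowed shell" % shell)
    for attr in ("uidnumber", "gidnumber"):
        for value in entry.get(attr, []):
            if value in RESERVED_IDS:
                problems.append("%s %s is reserved" % (attr, value))
    return problems


def main():
    problems = check_entry(parse_ldif(sys.stdin.read()))
    for problem in problems:
        print(problem)                         # STDOUT output aborts the save
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed under the check attribute of a plugin (check="/usr/local/bin/check_user.py" in the style of the menu example above), the script stays silent for entries that pass and prints one line per violation otherwise; the exit code is informational only, since the page states that STDOUT output is what GOsa acts on.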
Tabbed dialog definitions
Tab definitions define the sub plugins which get included for certain
tabbed dialogs. If you change something here, never (!) remove the
primary (the first) "tab" tag which is defined. Most tabbed dialogs
need a primary plugin.
Each *tabs definition is looked up by the corresponding plugin. That
plugin takes every class defined in a tab entry and shows it inside of
a tabbed dialog with the header defined in name.
Example tabbed dialog definition:
<grouptabs>
<tab class="group" name="Generic" />
<tab class="environment" name="Environment" />
<tab class="appgroup" name="Applications" />
<tab class="mailgroup" name="Mail" />
</grouptabs>
Main section
The main section defines global settings, which might be overridden by
each location definition inside of this global definition.
Example layout:
<main default="Example Net"
listSummary="false"
... >
<location name="Example Net"
hash="md5"
accountPrimaryAttribute="cn"
... >
<referral uri="ldaps://ldap.example.net:636/dc=example,dc=net"
admin="cn=gosa-admin,dc=example,dc=net"
password="secret" />
</location>
</main>
Generic options
forceGlobals bool
The forceGlobals statement enables PHP security checks to force the
register_globals setting to be switched off.
forceSSL bool
The forceSSL statement enables PHP security checks to force encrypted
access to the web interface. GOsa will try to redirect to the same URL
- just with https://.
warnSSL bool
The warnSSL statement enables PHP security checks to detect non
encrypted access to the web interface. GOsa will display a warning in
this case.
modificationDetectionAttribute string
The modificationDetectionAttribute statement enables GOsa to check if an
entry currently being edited has been modified by someone else
outside GOsa in the meantime. It will display an informative dialog
then. It can be set to entryCSN for OpenLDAP based systems or
contextCSN for Sun DS based systems.
logging string
The logging statement enables event logging on the GOsa side. If set to
true, GOsa will log every action a user performs via syslog. If you use
rsyslog and configure it to log to MySQL, you can browse all events
within GOsa.
GOsa will not log anything if the logging value is empty or set to
false.
loginAttribute string
The loginAttribute statement tells GOsa which LDAP attribute is used as
the login name during login. It can be set to uid, mail or both.
copyPaste bool
The copyPaste statement enables copy and paste for LDAP entries managed
with GOsa.
snapshots bool
The snapshots statement enables a snapshot mechanism in GOsa. This
enables you to save certain states of entries and restore them later
on.
snapshotBase dn
The snapshotBase statement defines the base where snapshots should be
stored inside of the LDAP.
snapshotURI uri
The snapshotURI variable defines the LDAP URI for the server which is
used to do object snapshots.
snapshotAdminDn dn
The snapshotAdminDn variable defines the user which is used to
authenticate when connecting to snapshotURI.
snapshotAdminPassword string
The snapshotAdminPassword variable defines the credentials which are
used in combination with snapshotAdminDn and snapshotURI in order to
authenticate.
config dn
The config statement defines the LDAP base, where GOsa stores
management information, such as site wide locking and user
notifications.
templateCompileDirectory path
The templateCompileDirectory statement defines the path where the PHP
templating engine Smarty should store its compiled GOsa templates for
improved speed. This path needs to be writable by the user your
webserver is running as.
timezone string
The timezone statement defines the timezone used inside of GOsa to
handle date related tasks, such as password expiry, vacation messages,
etc. The timezone value should be a Unix-conformant timezone value like
in /etc/timezone.
honourIvbbAttributes bool
The honourIvbbAttributes statement enables the IVBB mode inside of
GOsa. You need the ivbb.schema file used by German authorities.
strictNamingRules bool
The strictNamingRules statement enables strict checking of uids and
group names. If you need characters like . or - inside of your
accounts, set this to false.
honourUnitTags bool
The honourUnitTags statement enables checking of unitTag attributes
when using administrative units. If this is set to true GOsa can only
see objects inside the administrative unit a user is logged into.
rfc2307bis bool
The rfc2307bis statement enables rfc2307bis style groups in GOsa. You
can use member attributes instead of memberUid in this case. To make it
work on Unix systems, you have to adjust your NSS configuration to use
rfc2307bis style groups, too.
ppdPath path
The ppdPath variable defines where to store PPD files for the GOto
environment plugins.
resolutions path
The resolutions variable defines a plain text file which contains
additional resolutions to be shown in the environment and system
plugins.
htaccessAuthentication bool
The htaccessAuthentication variable tells GOsa to use either htaccess
authentication or LDAP authentication. This can be used if you want to
use e.g. Kerberos to authenticate the users.
gosaSupportURI URI
The gosaSupportURI defines the major gosa-si server host and the
password for GOsa to connect to it.
The format is:
credentials@host:port
Browser and display options
listSummary true/false
The listSummary statement determines whether a status bar will be shown
on the bottom of GOsa generated lists, displaying a short summary of
type and number of elements in the list.
iconsize size value
The iconsize statement sets the icon size in the main menu. Its value
should be something like 48x48.
sendCompressedOutput true/false
The sendCompressedOutput statement determines whether PHP should send
compressed HTML pages to browsers or not. This may increase or decrease
the performance, depending on your network.
storeFilterSettings true/false
The storeFilterSettings statement determines whether GOsa should store
filter and plugin settings inside of a cookie.
language string
The language statement defines the default language used by GOsa.
Normally GOsa autodetects the language from the browser settings. If
this is not working or you want to force the language, just add the
language code (e.g. de for German) here.
theme string
The theme statement defines what theme is used to display GOsa pages.
You can install some corporate identity like theme and/or modify
certain templates to fit your needs within themes. Take a look at the
GOsa FAQ for more information.
sessionLifetime int
The sessionLifetime value defines when a session will expire in
seconds. For Debian systems, this will not work because the sessions
will be removed by a cron job instead. Please modify the value inside
of your php.ini instead.
primaryGroupFilter bool
The primaryGroupFilter variable enables or disables the group filter to
show primary user groups. It is time consuming to evaluate which groups
are primary and which are not. So you may want to set it to true if
your group plugin is slow.
iePngWorkaround bool
The iePngWorkaround variable enables or disables a workaround for IE <
7 in order to display transparent PNG files correctly. This drastically
slows down browsing. Please use Firefox or Opera instead.
Password options
passwordMinLength integer
The passwordMinLength statement defines the minimum length a newly
entered password has to have.
passwordMinDiffer integer
The passwordMinDiffer statement determines whether a newly entered
password has to be checked to have at least n different characters.
passwordHook path
The passwordHook can specify an external script to handle password
settings at some other location besides the LDAP. It will be called
this way:
/path/to/your/script "username" "oldpassword" "newpassword"
handleExpiredAccounts bool
The handleExpiredAccounts statement enables shadow attribute tests
during the login to the GOsa web interface and forces password renewal
or account lockout.
useSaslForKerberos bool
The useSaslForKerberos statement defines the way the kerberos realm is
stored in the userPassword attribute. Set it to true in order to get
{sasl}user@REALM.NET, or to false to get {kerberos}user@REALM.NET. The
latter is outdated, but may be needed from time to time.
LDAP options
ldapMaxQueryTime integer
The ldapMaxQueryTime statement tells GOsa to stop LDAP actions if there
is no answer within the specified number of seconds.
schemaCheck bool
The schemaCheck statement enables or disables schema checking during
login. It is recommended to switch this on in order to let GOsa handle
object creation more efficiently.
ldapTLS bool
The ldapTLS statement enables or disables TLS operating on LDAP
connections.
accountPrimaryAttribute cn/uid
The accountPrimaryAttribute option tells GOsa how to create new
accounts. Possible values are uid and cn. In the first case GOsa
creates uid style DN entries:
uid=superuser,ou=staff,dc=example,dc=net
In the second case, GOsa creates cn style DN entries:
cn=Foo Bar,ou=staff,dc=example,dc=net
If you choose "cn" to be your accountPrimaryAttribute you can decide
whether to include the personal title in your dn by selecting
personalTitleInDN.
accountRDN pattern
The accountRDN option tells GOsa to use a placeholder pattern for
generating account RDNs. A pattern can include attribute names prefaced
by a % and normal text:
accountRDN="cn=%sn %givenName"
This will generate an RDN consisting of cn=.... filled with surname and
given name of the edited account. This option disables the use of
accountPrimaryAttribute and personalTitleInDN in your config. The
latter attributes are maintained for compatibility.
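An added example, not GOsa's own code, of expanding an accountRDN pattern the way a practitioner would want it done: attribute values are substituted for the %attr placeholders and then escaped as RFC 4514 requires, so a surname such as "Bar, Jr." cannot turn into an extra RDN component or break the DN. The functions build_rdn and escape_rdn_value and the sample attribute values are constructed for this example; the page does not describe how GOsa itself escapes values.

```python
import re

# Characters that RFC 4514 section 2.4 requires escaping inside a DN value.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape one attribute value for use inside an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                 # leading/trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_rdn(pattern, attrs):
    """Expand an accountRDN pattern such as 'cn=%sn %givenName'.

    The attribute type left of '=' is kept literally; %name placeholders in
    the value part are replaced from `attrs` and the whole value is escaped.
    A missing or empty attribute raises ValueError rather than producing a
    half-built RDN."""
    attr_type, sep, value_pattern = pattern.partition("=")
    if not sep or not attr_type.strip():
        raise ValueError("accountRDN pattern must look like 'type=...'")

    def substitute(match):
        name = match.group(1)
        if not attrs.get(name):
            raise ValueError("attribute %s missing from entry" % name)
        return attrs[name]

    value = re.sub(r"%([A-Za-z][A-Za-z0-9]*)", substitute, value_pattern)
    return "%s=%s" % (attr_type.strip(), escape_rdn_value(value))


if __name__ == "__main__":
    # Constructed sample: a surname containing a comma.
    print(build_rdn("cn=%sn %givenName", {"sn": "Bar, Jr.", "givenName": "Foo"}))
```

The escaping is applied to the assembled value rather than to each substituted attribute, which keeps literal text in the pattern (such as the space in "cn=%sn %givenName") intact while still escaping a leading or trailing space that an attribute value may introduce.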
personalTitleInDN bool
The personalTitleInDN option tells GOsa to include the personal title
in user DNs when accountPrimaryAttribute is set to "cn".
userRDN string
The userRDN statement defines the location where new accounts will be
created inside of defined departments. The default is ou=people.
groupsRDN string
The groupsRDN statement defines the location where new groups will be
created inside of defined departments. The default is ou=groups.
sudoRDN string
The sudoRDN statement defines the location where new groups will be
created inside of defined departments. The default is ou=groups.
sambaMachineAccountRDN string
This statement defines the location where GOsa looks for new samba
workstations.
ogroupRDN string
This statement defines the location where GOsa creates new object
groups inside of defined departments. Default is ou=groups.
serverRDN string
This statement defines the location where GOsa creates new servers
inside of defined departments. Default is ou=servers.
terminalRDN string
This statement defines the location where GOsa creates new terminals
inside of defined departments. Default is ou=terminals.
workstationRDN string
This statement defines the location where GOsa creates new workstations
inside of defined departments. Default is ou=workstations.
printerRDN string
This statement defines the location where GOsa creates new printers
inside of defined departments. Default is ou=printers.
componentRDN string
This statement defines the location where GOsa creates new network
components inside of defined departments. Default is ou=components.
phoneRDN string
This statement defines the location where GOsa creates new phones
inside of defined departments. Default is ou=phones.
phoneConferenceRDN string
This statement defines the location where GOsa creates new phone
conferences inside of defined departments. Default is ou=conferences.
faxBlocklistRDN string
This statement defines the location where GOsa creates new fax
blocklists inside of defined departments. Default is ou=blocklists.
systemIncomingRDN string
This statement defines the location where GOsa looks for new systems to
be joined to the LDAP. Default is ou=incoming.
systemRDN string
This statement defines the base location for servers, workstations,
terminals, phones and components. Default is ou=systems.
ogroupRDN string
This statement defines the location where GOsa looks for object groups.
Default is ou=groups.
aclRoleRDN string
This statement defines the location where GOsa stores ACL role
definitions. Default is ou=aclroles.
phoneMacroRDN string
This statement defines the location where GOsa stores phone macros for
use with the Asterisk phone server. Default is
ou=macros,ou=asterisk,ou=configs,ou=systems.
faiBaseRDN string
This statement defines the location where GOsa looks for FAI settings.
Default is ou=fai,ou=configs,ou=systems.
faiScriptRDN, faiHookRDN, faiTemplateRDN, faiVariableRDN,
faiProfileRDN, faiPackageRDN, faiPartitionRDN string
These statements define the locations where GOsa stores FAI classes. The
complete base for the corresponding class is the concatenation of this
value and faiBaseRDN.
deviceRDN string
This statement defines the location where GOsa looks for devices.
Default is ou=devices.
mimetypeRDN string
This statement defines the location where GOsa stores mime type
definitions. Default is ou=mimetypes.
applicationRDN string
This statement defines the location where GOsa stores application
definitions. Default is ou=apps.
ldapFilterNestingLimit integer
The ldapFilterNestingLimit statement can be used to speed up group
handling for groups with several hundreds of members. The default
behaviour is that GOsa will resolve the memberUid values in a group to
real names. To achieve this, it writes a single filter to minimize
searches. Some LDAP servers (namely Sun DS) simply crash when the
filter gets too big. You can set a member limit at which GOsa will stop
doing these lookups.
ldapSizelimit integer
The ldapSizelimit statement tells GOsa to retrieve at most the specified
number of results. The user will get a warning that not all
entries were shown.
ldapFollowReferrals bool
The ldapFollowReferrals statement tells GOsa to follow LDAP referrals.
Account creation options
uidNumberBase integer
The uidNumberBase statement defines where to start looking for a new
free user id. This should be synced with your adduser.conf to avoid
overlapping uidNumber values between local and LDAP based lookups. The
uidNumberBase can even be dynamic. Take a look at the baseIdHook
definition below.
gidNumberBase integer
The gidNumberBase statement defines where to start looking for a new
free group id. This should be synced with your adduser.conf to avoid
overlapping gidNumber values between local and LDAP based lookups. The
gidNumberBase can even be dynamic. Take a look at the nextIdHook
definition below.
idAllocationMethod traditional/pool
The idAllocationMethod statement defines how GOsa generates numeric
user and group id values. If it is set to traditional, GOsa will
create a lock and perform a search for the next free ID. The lock will
be removed after the procedure completes. pool will use the
sambaUnixIdPool objectclass settings inside your LDAP. This one is
unsafe, because it does not check for concurrent LDAP access and
already used IDs in this range. On the other hand it is much faster.
minId integer
The minId statement defines the minimum assignable user or group id to
avoid security leaks with uid 0 accounts. This is used for the
traditional method.
uidNumberPoolMin/gidNumberPoolMin integer
The uidNumberPoolMin/gidNumberPoolMin statement defines the minimum
assignable user/group id for use with the pool method.
uidNumberPoolMax/gidNumberPoolMax integer
The uidNumberPoolMax/gidNumberPoolMax statement defines the highest
assignable user/group id for use with the pool method.
nextIdHook path
The nextIdHook statement defines a script to be called for finding the
next free id for users or groups externally. It gets called with the
current entry "dn" and the attribute to be ID'd. It should return an
integer value.
hash string
The hash statement defines the default password hash to choose for new
accounts. Valid values are crypt/standard-des, crypt/md5,
crypt/enhanced-des, crypt/blowfish, md5, sha, ssha, smd5, clear and
sasl. These values will be overridden when using templates.
idGenerator string
The idGenerator statement describes an automatic way to generate new
user ids. There are two basic functions supported - which can be
combined:
a) using attributes
You can specify LDAP attributes (currently only sn and givenName) in
braces {} and add a percent sign before it. Optionally you can strip it
down to a number of characters, specified in []. I.e.
idGenerator="{%sn}-{%givenName[2-4]}"
will generate an ID using the full surname, adding a dash, and adding at
least the first two characters of givenName. If this ID is used, it'll
use up to four characters. If no automatic generation is possible, an
input box is shown.
b) using automatic ids
I.e. specifying
idGenerator="acct{id:3}"
will generate a three digit id with the next free entry appended to
"acct".
idGenerator="acct{id!1}"
will generate a one digit id with the next free entry appended to
"acct" - if needed.
idGenerator="ext{id#3}"
will generate a three digit random number appended to "ext".
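The idGenerator rules above, carried through as an added example that is not GOsa's own implementation: generate_id parses a pattern into literal text, {%attr[lo-hi]} slots and {id...} slots, then tries candidates in order (shortest attribute prefix first, then the next free number, or a random number for the # form) against a set of ids that are already taken, returning None when every candidate is used, which is the case in which the page says an input box is shown. The parsing functions and the sample names are constructed for this example; where the page is silent, the example assumes that only the first ranged attribute is widened and that the ! form tries the bare prefix before appending a number.

```python
import random
import re

# One placeholder per match: {%attr}, {%attr[lo-hi]} or {id<mode><width>}
_TOKEN = re.compile(r"\{%([A-Za-z]+)(?:\[(\d+)-(\d+)\])?\}|\{id([:!#])(\d+)\}")


def parse_pattern(pattern):
    """Split an idGenerator pattern into ('lit', text), ('attr', (name, lo, hi))
    and ('id', (mode, width)) parts, in order of appearance."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(pattern):
        if m.start() > pos:
            parts.append(("lit", pattern[pos:m.start()]))
        if m.group(1):
            lo = int(m.group(2)) if m.group(2) else None
            hi = int(m.group(3)) if m.group(3) else None
            parts.append(("attr", (m.group(1), lo, hi)))
        else:
            parts.append(("id", (m.group(4), int(m.group(5)))))
        pos = m.end()
    if pos < len(pattern):
        parts.append(("lit", pattern[pos:]))
    return parts


def _render(parts, attrs, attr_len, id_value):
    """Assemble one candidate; ranged attributes are cut to attr_len characters."""
    out = []
    for kind, val in parts:
        if kind == "lit":
            out.append(val)
        elif kind == "attr":
            name, lo, _ = val
            text = attrs.get(name, "")
            out.append(text[:attr_len] if lo is not None else text)
        else:
            _, width = val
            out.append("" if id_value is None else str(id_value).zfill(width))
    return "".join(out)


def _candidates(parts, attrs, rng):
    """Yield candidates in the order GOsa's rules suggest trying them."""
    ranged = [v for k, v in parts if k == "attr" and v[1] is not None]
    lengths = range(ranged[0][1], ranged[0][2] + 1) if ranged else [None]
    idslot = next((v for k, v in parts if k == "id"), None)
    for length in lengths:
        if idslot is None:
            yield _render(parts, attrs, length, None)
            continue
        mode, width = idslot
        if mode == "!":                      # number only if the bare id is taken
            yield _render(parts, attrs, length, None)
        if mode == "#":                      # random digits, bounded retries
            for _ in range(10 ** width):
                yield _render(parts, attrs, length, rng.randrange(10 ** width))
        else:                                # ':' and '!': next free number
            for n in range(1, 10 ** width):
                yield _render(parts, attrs, length, n)


def generate_id(pattern, attrs, existing, rng=None):
    """Return the first candidate not in `existing`, or None when no automatic
    id is possible (GOsa then shows an input box instead)."""
    rng = rng or random.Random()
    taken = set(existing)
    for cand in _candidates(parse_pattern(pattern), attrs, rng):
        if cand not in taken:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: the surname/given name from the AUTHOR section.
    person = {"sn": "Pollmeier", "givenName": "Cajus"}
    print(generate_id("{%sn}-{%givenName[2-4]}", person, ["Pollmeier-Ca"]))
```

Because the random form draws from a fixed digit range, the generator bounds its retries at 10^width attempts instead of looping forever once the range is exhausted.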
Samba options
sambaSID string
The sambaSID statement defines a samba SID if not available inside of
the LDAP. You can retrieve the current SID with net getlocalsid.
sambaRidBase integer
The sambaRidBase statement defines the base id to add to ordinary sid
calculations - if not available inside of the LDAP.
sambaHashHook path
The sambaHashHook statement contains an executable to generate samba
hash values. This is required for password synchronization, but not
required if you apply gosa-si services. If you don't have mkntpasswd
from the samba distribution installed, you can use perl to generate the
hash:
perl -MCrypt::SmbHash -e "print join(q[:], ntlmgen \$ARGV[0]), $/;"
sambaidmapping bool
The sambaidmapping statement tells GOsa to maintain sambaIdmapEntry
objects. Depending on your setup this can drastically improve the
Windows login performance.
Asterisk options
ctiHook path
The ctiHook statement defines a script to be executed if someone clicks
on a phone number inside of the addressbook plugin. It gets called with
two parameters:
ctiHook $source_number $destination_number
This script can be used to do automated dialing from the addressbook.
Mail options
mailMethod Cyrus/SendmailCyrus/Kolab/Kolab22
The mailMethod statement tells GOsa which mail method the setup should
use to communicate with a possible mail server. Leave this undefined if
your mail method does not match the predefined ones.
Cyrus maintains accounts and sieve scripts on Cyrus servers.
Kolab/Kolab22 is like Cyrus, but lets the Kolab daemon maintain the
accounts. SendmailCyrus is based on sendmail LDAP attributes.
cyrusUseSlashes bool
The cyrusUseSlashes statement determines if GOsa should use "foo/bar"
or "foo.bar" namespaces in IMAP. Unix style is with slashes.
cyrusDeleteMailbox bool
The cyrusDeleteMailbox statement determines if GOsa should remove the
mailbox from your IMAP server or keep it after the account is deleted
in LDAP.
cyrusAutocreateFolders string
The cyrusAutocreateFolders statement contains a comma separated list of
personal IMAP folders that should be created along initial account
creation.
postfixRestrictionFilters path
The postfixRestrictionFilters statement defines a file to include for
the postfix module in order to display user defined restriction
filters.
postfixProtocols path
The postfixProtocols statement defines a file to include for the
postfix module in order to display user defined protocols.
mailAttribute mail/uid
The mailAttribute statement determines which attribute GOsa will use to
create accounts. Valid values are mail and uid.
imapTimeout Integer (default 10)
The imapTimeout statement sets the connection timeout for imap actions.
mailFolderCreation
Every mail method has its own way to create mail accounts like
share/development or shared.development@example.com which is used to
identify the accounts, set quotas or add acls.
To override the method's default account creation syntax, you can set
the mailFolderCreation option.
Examples
mailFolderCreation="%prefix%%cn%" => "shared.development"
mailFolderCreation="my-prefix.%cn%%domain%" => "my-prefix.development@example.com"
Placeholders
%prefix% The methods default prefix. (Depends on cyrusUseSlashes=FALSE/TRUE)
%cn% The groups/users cn.
%uid% The users uid.
%mail% The objects mail attribute.
%domain% The domain part of the objects mail attribute.
%mailpart% The user address part of the mail address.
%uattrib% Depends on mailAttribute="uid/mail".
mailUserCreation
This attribute allows you to override the user account creation syntax,
see the mailFolderCreation description for more details.
Examples
mailUserCreation="%prefix%%uid%" => "user.foobar"
mailUserCreation="my-prefix.%uid%%domain%" => "my-prefix.foobar@example.com"
vacationTemplateDirectory path
The vacationTemplateDirectory statement sets the path where GOsa will
look for vacation message templates. Default is /etc/gosa/vacation.
Example template /etc/gosa/vacation/business.txt:
DESC:Away from desk
Hi, I'm currently away from my desk. You can contact me on
my cell phone via %mobile.
Greetings,
%givenName %sn
Debug options
displayerrors bool
The displayerrors statement tells GOsa to show PHP errors in the upper
part of the screen. This should be disabled in production deployments,
because there might be some important passwords around.
ldapstats bool
The ldapstats statement tells GOsa to track LDAP timing statistics to
the syslog. This may help to find indexing problems or bad search
filters.
ignoreAcl dn
The ignoreAcl value tells GOsa to ignore complete ACL sets for the
given DN. Add your DN here and you'll be able to restore accidentally
dropped ACLs.
debuglevel integer
The debuglevel value tells GOsa to display certain information on each
page load. Value is a bitwise combination (the sum) of the following values:
DEBUG_TRACE = 1
DEBUG_LDAP = 2
DEBUG_MYSQL = 4
DEBUG_SHELL = 8
DEBUG_POST = 16
DEBUG_SESSION = 32
DEBUG_CONFIG = 64
DEBUG_ACL = 128
DEBUG_SI = 256
DEBUG_MAIL = 512
LDAP resource definition
For every location you define inside your gosa.conf, you need at least
one entry of the type referral. These entries define how to
connect to a directory service.
Example:
<referral uri="ldap://ldap.example.net/dc=example,dc=net"
admin="cn=gosa-admin,dc=example,dc=net"
password="secret" />
uri is a valid LDAP URI extended by the base this referral is
responsible for. admin is the DN which has the permission to write
LDAP entries. And password is the corresponding password for this DN.
You can define a set of referrals if you have several servers to connect
to.
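The security-relevant options documented above (forceSSL under Generic options, hash and minId under Account creation options, ldapTLS under LDAP options, displayerrors and debuglevel under Debug options, and the referral definition just described) lend themselves to an automated review of a gosa.conf before it goes live. The following auditor is an added example, not part of GOsa: it reads the <main>, <location> and <referral> attributes case-insensitively, lets a location override the main section as the page describes, and reports findings. The sample configuration is constructed and deliberately weak; which hash values count as weak, and the wording of each finding, are this example's assessment rather than statements from the page.

```python
"""Audit a gosa.conf for weak security-relevant settings.

Added example, not part of GOsa: it reads the <main>, <location> and
<referral> attributes documented in gosa.conf(5) and reports findings.
Attribute names are compared case-insensitively; a location's attributes
override those of the main section.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration, deliberately weak in several places.
SAMPLE_CONF = """<?xml version="1.0"?>
<conf configVersion="example">
  <main default="Example Net" forceSSL="false" displayerrors="true"
        hash="clear" minId="0" debuglevel="2">
    <location name="Example Net" hash="ssha" ldapTLS="false">
      <referral uri="ldap://ldap.example.net/dc=example,dc=net"
                admin="cn=gosa-admin,dc=example,dc=net"
                password="secret" />
    </location>
  </main>
</conf>
"""

# Bit values listed under "debuglevel" in gosa.conf(5).
DEBUG_FLAGS = {1: "DEBUG_TRACE", 2: "DEBUG_LDAP", 4: "DEBUG_MYSQL",
               8: "DEBUG_SHELL", 16: "DEBUG_POST", 32: "DEBUG_SESSION",
               64: "DEBUG_CONFIG", 128: "DEBUG_ACL", 256: "DEBUG_SI",
               512: "DEBUG_MAIL"}

# "hash" values that store passwords in clear or with an unsalted/weak digest
# (assessment made for this example).
WEAK_HASHES = {"clear", "md5", "crypt/standard-des"}


def _attrs(elem):
    """Attribute names in gosa.conf are case-insensitive; normalise to lower."""
    return {k.lower(): v for k, v in elem.attrib.items()}


def _is_true(value):
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def decode_debuglevel(value):
    """Return the DEBUG_* names whose bits are set in a debuglevel value."""
    level = int(value)
    return [name for bit, name in sorted(DEBUG_FLAGS.items()) if level & bit]


def audit_conf(xml_text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    main = next((e for e in root.iter() if e.tag.lower() == "main"), None)
    if main is None:
        return ["no <main> section found"]
    glob = _attrs(main)
    if not _is_true(glob.get("forcessl", "false")):
        findings.append("main: forceSSL is not true; logins may travel over plain HTTP")
    if _is_true(glob.get("displayerrors", "false")):
        findings.append("main: displayerrors is enabled; PHP errors can leak secrets")
    debug = decode_debuglevel(glob.get("debuglevel", "0"))
    if debug:
        findings.append("main: debuglevel enables %s" % ", ".join(debug))

    for loc in main:
        if loc.tag.lower() != "location":
            continue
        eff = dict(glob)                     # location attributes override main
        eff.update(_attrs(loc))
        name = eff.get("name", "?")
        if eff.get("hash", "").lower() in WEAK_HASHES:
            findings.append("%s: hash=%s is weak; prefer ssha" % (name, eff["hash"]))
        if int(eff.get("minid", "0") or "0") <= 0:
            findings.append("%s: minId is missing or not above 0; uid 0 could be assigned" % name)
        referrals = [r for r in loc if r.tag.lower() == "referral"]
        if not referrals:
            findings.append("%s: no referral defined" % name)
        for ref in referrals:
            ra = _attrs(ref)
            uri = ra.get("uri", "")
            if uri.lower().startswith("ldap://") and not _is_true(eff.get("ldaptls", "false")):
                findings.append("%s: referral %s is plain ldap:// without ldapTLS; "
                                "the admin bind is sent unencrypted" % (name, uri))
            if ra.get("password"):
                findings.append("%s: referral stores the admin password in clear text; "
                                "keep gosa.conf readable by the web server user only" % name)
    return findings


if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print(finding)
```

Run against the sample, the auditor flags forceSSL, displayerrors, the DEBUG_LDAP bit, the missing minId floor, the plain ldap:// referral without ldapTLS and the clear-text referral password, while the location's hash="ssha" correctly overrides the weak main-section value and is not flagged.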
Settings for the environment plugin
In order to make full use of the environment plugin, you may want to
define the location where kiosk profiles will be stored on the server's
hard disk.
This is done by the kioskPath keyword defined within the environment
class definition inside your gosa.conf.
Example:
<plugin acl="users/environment"
class="environment"
kioskPath="/var/spool/kiosk"/>
Make sure that this path is writable by GOsa.
Settings for the FAI plugin
The FAI plugin can be used in a way that it generates branched or
frozen releases inside your repository. Specifying the postcreate and
postmodify keywords in the servrepository definition calls the
provided script as a hook when adding or removing branches. This script
should do the rest inside of your repository.
Example:
<tab class="servrepository"
repositoryBranchHook="/opt/dak/bin/get_extra_repos"
postcreate="/opt/dak/bin/handle_repository '%lock_dn' '%lock_name' '%lock_type'" />
%lock_dn keeps the base DN of the source branch, %lock_name the name of
the new branch and %lock_type is either "freeze" or "branch".
The repositoryBranchHook outputs additional releases that are not
retrievable with the standard GOsa/FAI methods.
If you have only one release, or want to define a default release to be
shown by GOsa, define
defaultFaiRelease="ou=sarge,ou=fai,ou=configs,ou=syst..." within the
faiManagement class definition.
Settings for the addressbook plugin
The addressbook plugin can be configured to store the addressbook data
on a special location. Use the addressbookBaseDN keyword within the
addressbook class definition inside your gosa.conf to configure this
location.
Default: ou=addressbook.
Settings for system plugins
For the workstationStartup and terminalStartup classes, you can define
the systemKernelsHook keyword. It can load additional kernels that are
not retrievable by standard GOsa/FAI mechanisms.
In order to make use of SNMP information, you can set the snmpCommunity
in the terminfo class definition.
To enable the burn CD image function, you can specify the systemIsoHook
in the workgeneric class. You will get a CD symbol in the systems list
- which calls the hook if pressed.
AUTHOR
gosa.conf(5) was written by Cajus Pollmeier for the GOsa project
(http://www.gosa-project.org).