To change settings and customize how Password Synchronization
works on a
The following table describes the values you can set in the sso.conf file.
Value | Description |
---|---|
CASE_IGNORE_NAME | Specifies whether Password Synchronization will ignore differences in uppercase and lowercase letters in user names when it compares Windows and UNIX user names. To allow case-insensitive comparisons, set this entry to 1 (the default). To force Password Synchronization to use case-sensitive comparisons, set this entry to 0. |
ENCRYPT_KEY | Specifies the default key used to encrypt passwords exchanged with Windows servers. You can use settings in the SYNC_HOSTS value to specify a different encryption key for a specific Windows server. For information on valid encryption keys, see Encryption key requirements. |
FILE_PATH | Specifies the full path and name of the passwd or shadow file (such as /etc/passwd). This file must contain the encrypted passwords for users, and the type of file (passwd or shadow) must be the same as specified by USE_SHADOW. |
IGNORE_PROPAGATION_ERRORS | When set to 1, specifies that the Password Synchronization PAM module is to ignore any error that occurs when a Windows password is being changed and to continue synchronization with other hosts specified in SYNC_HOSTS. |
NIS_UPDATE_PATH | Specifies the full path to the NIS/NIS+ makefile. This value is ignored unless USE_NIS is set to 1. |
PORT_NUMBER | Specifies the default number of the port on which the Password Synchronization daemon will listen for password changes from Windows servers. You can use settings in the SYNC_HOSTS value to specify a different port number for a specific Windows server. |
SYNC_DELAY | Specifies the number of seconds the Password Synchronization PAM module will wait between synchronization attempts. |
SYNC_HOSTS | Specifies the Windows servers or domain controllers with which passwords are to be synchronized. In addition, you can specify a port number or encryption key (or both) for a specific server. Enclose each entry in parentheses and separate items with a blank space. You can have multiple entries on separate lines, each of which cannot exceed 269 characters. The total list of servers or domain controllers is generated by concatenating all entries. For example: synchronizes passwords with the Marketing server using the default port and encryption key, with the Sales server using ASDFhjkl4321 as the encryption key, with the Accounting server using 6678 as the port number, and with the Shipping server using 6678 as the port number and ASDFhjkl4321 as the encryption key. If you use server-specific port number or encryption key settings, you must use the same values to configure Password Synchronization on the Windows server, or the passwords will not be synchronized. For information on configuring Password Synchronization on the Windows server, see Configure Password Synchronization. |
SYNC_RETRIES | Specifies the number of times that the Password Synchronization PAM module will attempt to synchronize a password change with a Windows server or domain controller. |
SYNC_USERS | Specifies UNIX users whose passwords are to be synchronized. You can specify ALL to synchronize passwords for all users or NONE to disable password synchronization for users. You can also specify particular users. If you specify one or more users preceded by plus signs (+), only those users will have their passwords synchronized. If you specify one or more users preceded by minus signs To prevent only root and patg from having their passwords synchronized, specify: The minus sign always takes precedence, regardless of the order in which entries appear. For example, the following specifies that the password for user chrisq will not be synchronized: |
TEMP_FILE_PATH | Specifies the full path of the directory to be used to hold a temporary file while the passwd or shadow file is updated. This should be the same directory in which the passwd or shadow file is located. For security reasons, only the administrator should have access to this directory. |
USE_NIS | Set to 0 if Password Synchronization is not synchronizing with a Network Information Service (NIS) domain; set to 1 if Password Synchronization is synchronizing with an NIS domain. If USE_NIS is set to 1, specify a valid path for NIS_UPDATE_PATH. |
USE_SHADOW | Set to 0 if the passwd file is to be used for synchronization; set to 1 if the shadow file is to be used. |
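
Several settings in the table constrain one another (USE_NIS and NIS_UPDATE_PATH, FILE_PATH and TEMP_FILE_PATH, the 269-character SYNC_HOSTS limit). The following lint pass checks them; it is an added example, not part of the original documentation or the product. The `KEY=value` line layout, `#` comment lines, measuring the 269-character limit on the whole line, the root-owned test for "administrator only", and all function names are assumptions.

```python
import os
import posixpath
import stat

MAX_SYNC_HOSTS_LINE = 269  # per-entry limit stated in the table
ZERO_ONE_KEYS = ("CASE_IGNORE_NAME", "USE_NIS", "USE_SHADOW")

def parse_sso_conf(text):
    """Parse KEY=value lines (assumed layout); the last value of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def lint_sso_conf(text):
    """Return findings for the cross-setting constraints the table states."""
    s = parse_sso_conf(text)
    findings = []
    for key in ZERO_ONE_KEYS:
        if key in s and s[key] not in ("0", "1"):
            findings.append(f"{key} must be 0 or 1, got {s[key]!r}")
    if s.get("USE_NIS") == "1" and not s.get("NIS_UPDATE_PATH"):
        findings.append("USE_NIS=1 but NIS_UPDATE_PATH is not set")
    file_path, temp_dir = s.get("FILE_PATH"), s.get("TEMP_FILE_PATH")
    if file_path and temp_dir and posixpath.normpath(temp_dir) != posixpath.dirname(file_path):
        findings.append("TEMP_FILE_PATH is not the directory that holds FILE_PATH")
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("SYNC_HOSTS") and len(line) > MAX_SYNC_HOSTS_LINE:
            findings.append(f"line {number}: SYNC_HOSTS entry is {len(line)} characters")
    return findings

def dir_is_admin_only(path):
    """True when path is a root-owned directory with no group/other permission bits."""
    info = os.stat(path)
    return stat.S_ISDIR(info.st_mode) and info.st_uid == 0 and (info.st_mode & 0o077) == 0

# Constructed sample input, not taken from a real host.
SAMPLE = """\
CASE_IGNORE_NAME=1
USE_SHADOW=1
FILE_PATH=/etc/shadow
TEMP_FILE_PATH=/tmp
USE_NIS=1
"""
```

Run `lint_sso_conf` on the file contents and `dir_is_admin_only` on the TEMP_FILE_PATH directory of the host being configured; an empty findings list and a `True` result mean the checked constraints hold.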