Using sso.conf to configure Password Synchronization on the UNIX computer

To change settings and customize how Password Synchronization works on a UNIX-based computer, you change settings in the sso.conf file. For information about installing the sso.conf file, see To install the Password Synchronization daemon.

The following table describes the values you can set in the sso.conf file.

Value Description
CASE_IGNORE_NAME Specifies whether Password Synchronization will ignore differences in uppercase and lowercase letters in user names when it compares Windows and UNIX user names. To allow case-insensitive comparisons, set this entry to 1 (the default). To force Password Synchronization to use case-sensitive comparisons, set this entry to 0.
ENCRYPT_KEY Specifies the default key used to encrypt passwords exchanged with Windows servers. You can use settings in the SYNC_HOSTS value to specify a different encryption key for a specific Windows server. For information on valid encryption keys, see Encryption key requirements.
FILE_PATH Specifies the full path and name of the passwd or shadow file (such as /etc/passwd). This file must contain the encrypted passwords for users, and the type of file (passwd or shadow) must be the same as specified by USE_SHADOW.
IGNORE_PROPAGATION_ERRORS When set to 1, specifies that the Password Synchronization PAM module is to ignore any error that occurs when a Windows password is being changed and to continue synchronization with other hosts specified in SYNC_HOSTS.
NIS_UPDATE_PATH Specifies the full path to the NIS/NIS+ makefile. This value is ignored unless USE_NIS is set to 1.
PORT_NUMBER Specifies the default number of the port on which the Password Synchronization daemon will listen for password changes from Windows servers. You can use settings in the SYNC_HOSTS value to specify a different port number for a specific Windows server.
SYNC_DELAY Specifies the number of seconds the Password Synchronization PAM module will wait between synchronization attempts.
SYNC_HOSTS Specifies the Windows servers or domain controllers with which passwords are to be synchronized. In addition, you can specify a port number or encryption key (or both) for a specific server. Enclose each entry in parentheses and separate items with a blank space. You can have multiple entries on separate lines, each of which cannot exceed 269 characters. The total list of servers or domain controllers is generated by concatenating all entries. For example:

SYNC_HOSTS=(Marketing)

SYNC_HOSTS=(Sales,,ASDFhjkl4321) (Accounting,6678)

SYNC_HOSTS=(Shipping,6678,ASDFhjkl4321)

synchronizes passwords with the Marketing server using the default port and encryption key, with the Sales server using ASDFhjkl4321 as the encryption key, with the Accounting server using 6678 as the port number, and with the Shipping server using 6678 as the port number and ASDFhjkl4321 as the encryption key.

If you use server-specific port number or encryption key settings, you must use the same values to configure Password Synchronization on the Windows server, or the passwords will not be synchronized. For information on configuring Password Synchronization on the Windows server, see Configure Password Synchronization.

SYNC_RETRIES Specifies the number of times that the Password Synchronization PAM module will attempt to synchronize a password change with a Windows server or domain controller.
SYNC_USERS Specifies UNIX users whose passwords are to be synchronized. You can specify ALL to synchronize passwords for all users or NONE to disable password synchronization for all users. You can also specify particular users. If you specify one or more users preceded by plus signs (+), only those users will have their passwords synchronized. If you specify one or more users preceded by minus signs (-), all users except the specified users will have their passwords synchronized. For example, to allow only users patg and kimr to synchronize their passwords, specify:

SYNC_USERS=+patg +kimr

To prevent only root and patg from having their passwords synchronized, specify:

SYNC_USERS=-root -patg

The minus sign always takes precedence, regardless of the order in which entries appear. For example, the following specifies that the password for user chrisq will not be synchronized:

SYNC_USERS=+chrisq -chrisq +chrisq

TEMP_FILE_PATH Specifies the full path of the directory to be used to hold a temporary file while the passwd or shadow file is updated. This should be the same directory in which the passwd or shadow file is located. For security reasons, only the administrator should have access to this directory.
USE_NIS Set to 0 if Password Synchronization is not synchronizing with a Network Information Service (NIS) domain; set to 1 if Password Synchronization is synchronizing with an NIS domain. If USE_NIS is set to 1, specify a valid path for NIS_UPDATE_PATH.
USE_SHADOW Set to 0 if the passwd file is to be used for synchronization; set to 1 if the shadow file is to be used.
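The SYNC_HOSTS rules (server tuples whose empty port or key fields fall back to PORT_NUMBER and ENCRYPT_KEY, several SYNC_HOSTS lines concatenated, 269 characters per line) and the SYNC_USERS rules (ALL, NONE, plus and minus entries with minus always winning) are easy to get wrong when editing the file by hand. The following Python script is an added example written for this page; it is not code from the Password Synchronization daemon or its PAM module. It parses an sso.conf file, expands SYNC_HOSTS with the defaults applied, decides whether a given user is synchronized under SYNC_USERS, compares names the way CASE_IGNORE_NAME prescribes, and lints the USE_NIS/NIS_UPDATE_PATH, USE_SHADOW/FILE_PATH and TEMP_FILE_PATH dependencies from the table. The embedded sample configuration is constructed (the port 7000 and the key QWERTYuiop1234 are made-up values). Two behaviours are assumptions, because the page does not state the daemon's own defaults: an absent SYNC_USERS is treated as NONE, and absent USE_NIS or USE_SHADOW keys are treated as 0.

```python
"""Parse and sanity-check an sso.conf file for Password Synchronization.

Added example (constructed), not code from the Password Synchronization
product.  It implements the rules stated in the reference table:
  * SYNC_HOSTS entries are (server[,port[,key]]); an empty port or key falls
    back to PORT_NUMBER / ENCRYPT_KEY; all SYNC_HOSTS lines are concatenated
    and each line is limited to 269 characters.
  * SYNC_USERS is ALL, NONE, or +user / -user entries; minus always wins.
  * CASE_IGNORE_NAME=1 (the documented default) compares names case-insensitively.
"""
import os
import re
from typing import Dict, List, NamedTuple

# Constructed sample; PORT_NUMBER=7000 and ENCRYPT_KEY=QWERTYuiop1234 are made up.
SAMPLE_CONF = """\
# sso.conf - constructed sample
CASE_IGNORE_NAME=1
ENCRYPT_KEY=QWERTYuiop1234
PORT_NUMBER=7000
SYNC_HOSTS=(Marketing)
SYNC_HOSTS=(Sales,,ASDFhjkl4321) (Accounting,6678)
SYNC_HOSTS=(Shipping,6678,ASDFhjkl4321)
SYNC_USERS=+chrisq -chrisq +chrisq
USE_SHADOW=1
FILE_PATH=/etc/shadow
TEMP_FILE_PATH=/etc
USE_NIS=0
"""


class SyncHost(NamedTuple):
    server: str
    port: int
    key: str


_ENTRY_RE = re.compile(r"\(([^)]*)\)")   # one parenthesised SYNC_HOSTS entry


def parse_sso_conf(text: str) -> Dict[str, List[str]]:
    """Map NAME -> list of values; a repeated NAME (e.g. SYNC_HOSTS) keeps every line."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        conf.setdefault(name.strip(), []).append(value.strip())
    return conf


def first(conf: Dict[str, List[str]], name: str, default: str = "") -> str:
    """First value of NAME, or the caller's default when the key is absent."""
    return conf.get(name, [default])[0]


def sync_hosts(conf: Dict[str, List[str]]) -> List[SyncHost]:
    """Expand every SYNC_HOSTS line into (server, port, key) with the defaults applied."""
    hosts: List[SyncHost] = []
    for line in conf.get("SYNC_HOSTS", []):
        if len(line) > 269:
            raise ValueError("SYNC_HOSTS line exceeds 269 characters")
        for entry in _ENTRY_RE.findall(line):
            fields = [f.strip() for f in entry.split(",")] + ["", ""]   # pad missing fields
            server = fields[0]
            port = fields[1] or first(conf, "PORT_NUMBER")
            key = fields[2] or first(conf, "ENCRYPT_KEY")
            if not (server and port and key):
                raise ValueError(f"SYNC_HOSTS entry ({entry}): no server, port or key and no default set")
            hosts.append(SyncHost(server, int(port), key))
    return hosts


def should_sync(conf: Dict[str, List[str]], user: str) -> bool:
    """Apply the SYNC_USERS rules.  Assumption: an absent SYNC_USERS behaves like NONE."""
    tokens = first(conf, "SYNC_USERS", "NONE").split()
    if tokens == ["ALL"]:
        return True
    if not tokens or tokens == ["NONE"]:
        return False
    bad = [t for t in tokens if t[0] not in "+-"]
    if bad:   # a typographic dash pasted from documentation ends up here
        raise ValueError(f"SYNC_USERS entries must start with + or -: {bad}")
    allowed = {t[1:] for t in tokens if t.startswith("+")}
    denied = {t[1:] for t in tokens if t.startswith("-")}
    if user in denied:      # minus always takes precedence, whatever the order
        return False
    if allowed:             # plus entries form an allow-list
        return user in allowed
    return True             # only minus entries: everyone else is synchronized


def names_match(conf: Dict[str, List[str]], windows_name: str, unix_name: str) -> bool:
    """Compare a Windows and a UNIX user name as CASE_IGNORE_NAME (default 1) dictates."""
    if first(conf, "CASE_IGNORE_NAME", "1") == "1":
        return windows_name.lower() == unix_name.lower()
    return windows_name == unix_name


def lint(conf: Dict[str, List[str]]) -> List[str]:
    """Cross-check dependent settings.  Assumption: absent USE_NIS / USE_SHADOW count as 0."""
    problems: List[str] = []
    if first(conf, "USE_NIS", "0") == "1" and not first(conf, "NIS_UPDATE_PATH"):
        problems.append("USE_NIS=1 requires NIS_UPDATE_PATH")
    use_shadow = first(conf, "USE_SHADOW", "0")
    path = first(conf, "FILE_PATH")
    expected = "shadow" if use_shadow == "1" else "passwd"
    if os.path.basename(path) != expected:   # heuristic: judge the file type by its name
        problems.append(f"FILE_PATH={path!r} does not look like a {expected} file (USE_SHADOW={use_shadow})")
    tmp = first(conf, "TEMP_FILE_PATH")
    if tmp and path and os.path.normpath(tmp) != os.path.dirname(path):
        problems.append("TEMP_FILE_PATH should be the directory that holds FILE_PATH")
    try:
        sync_hosts(conf)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def temp_dir_is_private(path: str) -> bool:
    """True when group and others hold no permission bits on TEMP_FILE_PATH."""
    return (os.stat(path).st_mode & 0o077) == 0


if __name__ == "__main__":
    conf = parse_sso_conf(SAMPLE_CONF)
    for host in sync_hosts(conf):
        print(host)
    for user in ("chrisq", "kimr"):
        print(user, "synchronized" if should_sync(conf, user) else "skipped")
    print("lint:", lint(conf) or "ok")
    tmp_dir = first(conf, "TEMP_FILE_PATH")
    if os.path.isdir(tmp_dir):
        print("TEMP_FILE_PATH private:", temp_dir_is_private(tmp_dir))
```

Running the script against the embedded sample prints the four expanded hosts (Marketing and Accounting with the default key, Sales with the default port, Shipping with both overridden) and reports chrisq as skipped, matching the precedence rule in the table. The parser accepts only the ASCII hyphen-minus in SYNC_USERS and rejects anything else, so a typographic dash copied from a document shows up as an error rather than silently leaving the user unlisted; the FILE_PATH check judges the file type by its base name, which is a heuristic, not something the daemon is documented to do.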