gosa.conf - GOsa configuration file
Configuration Layout
The configuration has to be specified inside of the <conf> tags. It consists of three main parts: the
menu definition, the definition of sub-dialogs (tabbed dialogs) and the main configuration, which
includes the settings for one or more locations.
Layout example:
<?xml version="1.0"?>
<conf configVersion="...." >
    <!-- Menu definition -->
    <menu>
        ...
    </menu>
    <!-- Tabbed dialog definitions -->
    ...
    <!-- Global setup -->
    <main>
        <!-- Location specific setups -->
        <location name="">
            ...
        </location>
    </main>
</conf>
Description
The gosa.conf file contains configuration information for GOsa, a powerful GPL'ed framework for managing
accounts and systems in LDAP databases.
The gosa.conf file is an XML-style configuration file. It is parsed by the GOsa web application during
login. The file may contain extra tabs and newlines for formatting purposes. Tag keywords in the file are
case-insensitive. Comments must be placed outside of XML tags and enclosed in <!-- --> markers.
The gosa.conf file can be used to configure the look and feel, behaviour and access control of the GOsa
web interface.
LDAP Resource Definition
For every location you define inside your gosa.conf, you need at least one entry of the type referral.
These entries define how to connect to a directory service.
Example:
<referral uri="ldap://ldap.example.net/dc=example,dc=net"
          admin="cn=gosa-admin,dc=example,dc=net"
          password="secret" />
uri is a valid LDAP URI extended by the base this referral is responsible for. admin is the DN which has
the permission to write LDAP entries, and password is the corresponding password for this DN.
You can define a set of referrals if you have several servers to connect to.
Main Section
The main section defines global settings, which may be overridden by each location definition inside of
this global definition.
Example layout:
<main default="Example Net"
      listSummary="false"
      ... >
    <location name="Example Net"
              hash="md5"
              accountPrimaryAttribute="cn"
              ... >
        <referral uri="ldaps://ldap.example.net:636/dc=example,dc=net"
                  admin="cn=gosa-admin,dc=example,dc=net"
                  password="secret" />
    </location>
</main>
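The main/location/referral layout above, as an added example that is not GOsa's own code: a Python check that parses a constructed gosa.conf, resolves each keyword the way the main section describes (a location attribute overrides the main one, keywords are case-insensitive) and flags the settings this page marks as risky (forceSSL off, displayErrors on, an ldap:// referral without ldapTLS, a location without a referral, no passwordMinLength). The keyword names are the ones documented below; the finding codes and sample values are this example's own.

```python
"""Audit a gosa.conf for the layout and settings described on this page.
Added example, not part of GOsa: parses <conf>/<main>/<location>, resolves the
per-location override of <main> attributes and flags risky settings.
"""
import xml.etree.ElementTree as ET

# Constructed sample gosa.conf following the layout shown above.
SAMPLE_CONF = """<?xml version="1.0"?>
<conf configVersion="example">
  <menu></menu>
  <main default="Example Net" forceSSL="false" displayErrors="true"
        ldapTLS="false" strictPasswordRules="true" passwordMinLength="0">
    <location name="Example Net" hash="md5" ldapTLS="true">
      <referral uri="ldap://ldap.example.net/dc=example,dc=net"
                admin="cn=gosa-admin,dc=example,dc=net" password="secret" />
    </location>
    <location name="Branch">
      <referral uri="ldap://ldap.branch.example.net/dc=branch,dc=example,dc=net"
                admin="cn=gosa-admin,dc=branch,dc=example,dc=net" password="secret" />
    </location>
    <location name="Empty" />
  </main>
</conf>
"""

def _attr(elem, key):
    """Case-insensitive attribute lookup: gosa.conf keywords are case-insensitive."""
    for name, value in elem.attrib.items():
        if name.lower() == key.lower():
            return value
    return None

def _children(elem, tag):
    return [child for child in elem if child.tag.lower() == tag.lower()]

def _effective(main, location, key):
    """A <location> attribute overrides the same attribute on <main>."""
    value = _attr(location, key)
    return value if value is not None else _attr(main, key)

def _is_true(value):
    return value is not None and value.strip().lower() == "true"

def effective_setting(conf_xml, location_name, key):
    """Resolve a keyword for the named location the way the main section describes."""
    root = ET.fromstring(conf_xml)
    for main in _children(root, "main"):
        for location in _children(main, "location"):
            if _attr(location, "name") == location_name:
                return _effective(main, location, key)
    return None

def audit(conf_xml):
    """Return (location name, finding code) pairs for every weak or missing setting."""
    root = ET.fromstring(conf_xml)
    findings = []
    for main in _children(root, "main"):
        for location in _children(main, "location"):
            name = _attr(location, "name") or "<unnamed>"
            def setting(key, main=main, location=location):
                return _effective(main, location, key)
            if not _is_true(setting("forceSSL")):
                findings.append((name, "forceSSL"))        # web UI reachable over plain http
            if _is_true(setting("displayErrors")):
                findings.append((name, "displayErrors"))   # PHP errors may leak passwords
            if (setting("strictPasswordRules") or "true").lower() == "false":
                findings.append((name, "strictPasswordRules"))
            if int(setting("passwordMinLength") or 0) <= 0:
                findings.append((name, "passwordMinLength"))  # no minimum length enforced
            referrals = _children(location, "referral")
            if not referrals:
                findings.append((name, "no-referral"))     # every location needs one
            for referral in referrals:
                uri = (_attr(referral, "uri") or "").lower()
                # ldap:// without ldapTLS sends the admin DN's password in clear text
                if uri.startswith("ldap://") and not _is_true(setting("ldapTLS")):
                    findings.append((name, "ldap-without-tls"))
    return findings
```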
Generic options
forceGlobals bool
The forceGlobals statement enables PHP security checks that require the register_globals setting to be
switched off.
forceSSL bool
The forceSSL statement enables PHP security checks to force encrypted access to the web interface. GOsa
will try to redirect to the same URL, just with https://.
warnSSL bool
The warnSSL statement enables PHP security checks to detect non-encrypted access to the web interface.
GOsa will display a warning in this case.
modificationDetectionAttribute string
The modificationDetectionAttribute statement enables GOsa to check whether an entry currently being edited
has been modified by someone else outside of GOsa in the meantime. It will display an informative dialog
then. It can be set to entryCSN for OpenLDAP based systems or contextCSN for Sun DS based systems.
logging string
The logging statement enables event logging on the GOsa side. If set to true, GOsa logs every action a
user performs via syslog. If you use rsyslog and configure it to log to MySQL, you can browse all events
within GOsa.
GOsa will not log anything if the logging value is empty or set to false.
loginAttribute string
The loginAttribute statement tells GOsa which LDAP attribute is used as the login name during login. It
can be set to uid, mail or both.
copyPaste bool
The copyPaste statement enables copy and paste for LDAP entries managed with GOsa.
enableSnapshots bool
The enableSnapshots statement enables a snapshot mechanism in GOsa. This enables you to save certain
states of entries and restore them later on.
snapshotBase dn
The snapshotBase statement defines the base where snapshots should be stored inside of the LDAP.
snapshotURI uri
The snapshotURI variable defines the LDAP URI for the server which is used to do object snapshots.
snapshotAdminDn dn
The snapshotAdminDn variable defines the user which is used to authenticate when connecting to
snapshotURI.
snapshotAdminPassword string
The snapshotAdminPassword variable defines the credentials which are used in combination with
snapshotAdminDn and snapshotURI in order to authenticate.
config dn
The config statement defines the LDAP base where GOsa stores management information, such as site wide
locking and user notifications.
templateCompileDirectory path
The templateCompileDirectory statement defines the path where the PHP templating engine Smarty should
store its compiled GOsa templates for improved speed. This path needs to be writeable by the user your
webserver is running as.
timezone string
The timezone statement defines the timezone used inside of GOsa to handle date related tasks, such as
password expiry, vacation messages, etc. The timezone value should be a Unix-conformant timezone name
like in /etc/timezone.
honourIvbbAttributes bool
The honourIvbbAttributes statement enables the IVBB mode inside of GOsa. You need the ivbb.schema file
used by German authorities.
strictNamingRules bool
The strictNamingRules statement enables strict checking of uids and group names. If you need characters
like . or - inside of your accounts, set this to false.
allowUidProposalModification bool
The allowUidProposalModification statement enables the ability to modify uid proposals when creating a
new user from a template.
honourUnitTags bool
The honourUnitTags statement enables checking of unitTag attributes when using administrative units. If
this is set to true, GOsa can only see objects inside the administrative unit a user is logged into.
rfc2307bis bool
The rfc2307bis statement enables rfc2307bis style groups in GOsa. You can use member attributes instead
of memberUid in this case. To make it work on Unix systems, you have to adjust your NSS configuration to
use rfc2307bis style groups, too.
ppdPath path
The ppdPath variable defines where to store PPD files for the GOto environment plugins.
ppdGzip bool
The ppdGzip variable enables PPD file compression.
resolutions path
The resolutions variable defines a plain text file which contains additional resolutions to be shown in
the environment and system plugins.
htaccessAuthentication bool
The htaccessAuthentication variable tells GOsa to use either htaccess authentication or LDAP
authentication. This can be used if you want to use e.g. Kerberos to authenticate the users.
gosaSupportURI URI
The gosaSupportURI defines the major gosa-si server host and the password for GOsa to connect to it.
The format is:
credentials@host:port
gosaSupportTimeout integer
The gosaSupportTimeout sets a connection timeout for all gosa-si actions. See gosaSupportURI for details.
Browser and display options
listSummary true/false
The listSummary statement determines whether a status bar will be shown at the bottom of GOsa generated
lists, displaying a short summary of the type and number of elements in the list.
sendCompressedOutput true/false
The sendCompressedOutput statement determines whether PHP should send compressed HTML pages to browsers
or not. This may increase or decrease performance, depending on your network.
storeFilterSettings true/false
The storeFilterSettings statement determines whether GOsa should store filter and plugin settings inside
of a cookie.
language string
The language statement defines the default language used by GOsa. Normally GOsa autodetects the language
from the browser settings. If this is not working or you want to force the language, just add the
language code (e.g. de for German) here.
theme string
The theme statement defines which theme is used to display GOsa pages. You can install a corporate
identity like theme and/or modify certain templates to fit your needs within themes. Take a look at the
GOsa FAQ for more information.
sessionLifetime int
The sessionLifetime value defines, in seconds, when a session will expire. On Debian systems this will
not work, because the sessions are removed by a cron job instead; modify the value inside of your php.ini
instead.
Password options
passwordMinLength integer
The passwordMinLength statement requires a newly entered password to have at least the given length.
passwordMinDiffer integer
The passwordMinDiffer statement requires a newly entered password to contain at least n different
characters.
passwordProposalHook command
The passwordProposalHook can be used to let GOsa generate password proposals for you. Whenever you
change a password, you can then decide whether to use the proposal or to manually specify a password.
Example:
/usr/bin/apg -n1
strictPasswordRules bool
The strictPasswordRules statement tells GOsa to check for UTF-8 characters in the supplied password. These
characters can lead to non-working authentication if UTF-8 and non-UTF-8 system locales get mixed. The
default is "true".
handleExpiredAccounts bool
The handleExpiredAccounts statement enables shadow attribute tests during the login to the GOsa web
interface and forces password renewal or account lockout.
useSaslForKerberos bool
The useSaslForKerberos statement defines the way the Kerberos realm is stored in the userPassword
attribute. Set it to true in order to get {sasl}user@REALM.NET, or to false to get
{kerberos}user@REALM.NET. The latter is outdated, but may be needed from time to time.
LDAP options
ldapMaxQueryTime integer
The ldapMaxQueryTime statement tells GOsa to stop LDAP actions if there is no answer within the specified
number of seconds.
schemaCheck bool
The schemaCheck statement enables or disables schema checking during login. It is recommended to switch
this on in order to let GOsa handle object creation more efficiently.
ldapTLS bool
The ldapTLS statement enables or disables TLS on LDAP connections.
accountPrimaryAttribute cn/uid
The accountPrimaryAttribute option tells GOsa how to create new accounts. Possible values are uid and cn.
In the first case GOsa creates uid style DN entries:
uid=superuser,ou=staff,dc=example,dc=net
In the second case, GOsa creates cn style DN entries:
cn=Foo Bar,ou=staff,dc=example,dc=net
If you choose "cn" to be your accountPrimaryAttribute, you can decide whether to include the personal
title in your DN by selecting personalTitleInDN.
accountRDN pattern
The accountRDN option tells GOsa to use a placeholder pattern for generating account RDNs. A pattern can
include attribute names prefixed by a % and normal text:
accountRDN="cn=%sn %givenName"
This will generate an RDN of the form cn=.... filled with the surname and given name of the edited
account. This option disables the use of accountPrimaryAttribute and personalTitleInDN in your config.
The latter attributes are maintained for compatibility.
personalTitleInDN bool
The personalTitleInDN option tells GOsa to include the personal title in user DNs when
accountPrimaryAttribute is set to "cn".
userRDN string
The userRDN statement defines the location where new accounts will be created inside of defined
departments. The default is ou=people.
groupsRDN string
The groupsRDN statement defines the location where new groups will be created inside of defined
departments. The default is ou=groups.
sudoRDN string
The sudoRDN statement defines the location where new groups will be created inside of defined
departments. The default is ou=groups.
sambaMachineAccountRDN string
This statement defines the location where GOsa looks for new Samba workstations.
ogroupRDN string
This statement defines the location where GOsa creates new object groups inside of defined departments.
Default is ou=groups.
serverRDN string
This statement defines the location where GOsa creates new servers inside of defined departments. Default
is ou=servers.
terminalRDN string
This statement defines the location where GOsa creates new terminals inside of defined departments.
Default is ou=terminals.
workstationRDN string
This statement defines the location where GOsa creates new workstations inside of defined departments.
Default is ou=workstations.
printerRDN string
This statement defines the location where GOsa creates new printers inside of defined departments.
Default is ou=printers.
componentRDN string
This statement defines the location where GOsa creates new network components inside of defined
departments. Default is ou=components.
phoneRDN string
This statement defines the location where GOsa creates new phones inside of defined departments. Default
is ou=phones.
phoneConferenceRDN string
This statement defines the location where GOsa creates new phone conferences inside of defined
departments. Default is ou=conferences.
faxBlocklistRDN string
This statement defines the location where GOsa creates new fax blocklists inside of defined departments.
Default is ou=blocklists.
systemIncomingRDN string
This statement defines the location where GOsa looks for new systems to be joined to the LDAP. Default
is ou=incoming.
systemRDN string
This statement defines the base location for servers, workstations, terminals, phones and components.
Default is ou=systems.
ogroupRDN string
This statement defines the location where GOsa looks for object groups. Default is ou=groups.
aclRoleRDN string
This statement defines the location where GOsa stores ACL role definitions. Default is ou=aclroles.
phoneMacroRDN string
This statement defines the location where GOsa stores phone macros for use with the Asterisk phone
server. Default is ou=macros,ou=asterisk,ou=configs,ou=systems.
faiBaseRDN string
This statement defines the location where GOsa looks for FAI settings. Default is
ou=fai,ou=configs,ou=systems.
faiScriptRDN, faiHookRDN, faiTemplateRDN, faiVariableRDN, faiProfileRDN, faiPackageRDN, faiPartitionRDN string
These statements define the location where GOsa stores FAI classes. The complete base for the
corresponding class is this value combined with faiBaseRDN.
deviceRDN string
This statement defines the location where GOsa looks for devices. Default is ou=devices.
mimetypeRDN string
This statement defines the location where GOsa stores mime type definitions. Default is ou=mimetypes.
applicationRDN string
This statement defines the location where GOsa stores application definitions. Default is ou=apps.
ldapFilterNestingLimit integer
The ldapFilterNestingLimit statement can be used to speed up group handling for groups with several
hundred members. The default behaviour is that GOsa resolves the memberUid values in a group to real
names. To achieve this, it writes a single filter to minimize searches. Some LDAP servers (namely Sun DS)
simply crash when the filter gets too big. You can set a member limit above which GOsa will stop doing
these lookups.
ldapSizelimit integer
The ldapSizelimit statement tells GOsa to retrieve at most the specified number of results. The user will
get a warning that not all entries were shown.
ldapFollowReferrals bool
The ldapFollowReferrals statement tells GOsa to follow LDAP referrals.
Account creation options
uidNumberBase integer
The uidNumberBase statement defines where to start looking for a new free user id. This should be synced
with your adduser.conf to avoid overlapping uidNumber values between local and LDAP based lookups. The
uidNumberBase can even be dynamic. Take a look at the baseIdHook definition below.
gidNumberBase integer
The gidNumberBase statement defines where to start looking for a new free group id. This should be synced
with your adduser.conf to avoid overlapping gidNumber values between local and LDAP based lookups. The
gidNumberBase can even be dynamic. Take a look at the nextIdHook definition below.
idAllocationMethod traditional/pool
The idAllocationMethod statement defines how GOsa generates numeric user and group id values. If it is
set to traditional, GOsa creates a lock and performs a search for the next free ID. The lock is removed
after the procedure completes. pool uses the sambaUnixIdPool objectclass settings inside your LDAP. This
one is unsafe, because it does not check for concurrent LDAP access and already used IDs in this range.
On the other hand it is much faster.
minId integer
The minId statement defines the minimum assignable user or group id to avoid security leaks with uid 0
accounts. This is used for the traditional method.
uidNumberPoolMin/gidNumberPoolMin integer
The uidNumberPoolMin/gidNumberPoolMin statement defines the minimum assignable user/group id for use with
the pool method.
uidNumberPoolMax/gidNumberPoolMax integer
The uidNumberPoolMax/gidNumberPoolMax statement defines the highest assignable user/group id for use with
the pool method.
nextIdHook path
The nextIdHook statement defines a script to be called for finding the next free id for users or groups
externally. It gets called with the current entry "dn" and the attribute to be ID'd. It should return an
integer value.
useAutoComplete bool
The useAutoComplete statement allows you to enable/disable the auto-completion mode when searching for
LDAP objects in a given container. Enable it if you encounter long typing delays in GOsa²'s search
field.
passwordDefaultHash string
The passwordDefaultHash statement defines the default password hash to choose for new accounts. Valid
values are crypt/standard-des, crypt/md5, crypt/enhanced-des, crypt/blowfish, crypt/sha256, crypt/sha512,
md5, sha, ssha, smd5, clear and sasl. The complete list is displayed in the "Password storage" pull-down
menu in each user's "Generic/Personal Information" view. These values will be overridden when using
templates.
idGenerator string
The idGenerator statement describes an automatic way to generate new user ids. There are two basic
functions supported, which can be combined:
a) using attributes
   You can specify LDAP attributes (currently only sn and givenName) in braces {} and add a percent sign
   before the name. Optionally you can strip the value down to a number of characters, specified in [].
   For example
       idGenerator="{%sn}-{%givenName[2-4]}"
   will generate an ID using the full surname, adding a dash, and adding at least the first two
   characters of givenName. If this ID is already in use, it will use up to four characters. If no
   automatic generation is possible, an input box is shown.
b) using automatic ids
   For example, specifying
       idGenerator="acct{id:3}"
   will generate a three-digit id with the next free entry appended to "acct".
       idGenerator="acct{id!1}"
   will generate a one-digit id with the next free entry appended to "acct", but only if needed.
       idGenerator="ext{id#3}"
   will generate a three-digit random number appended to "ext".
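The idGenerator syntax just described, worked through as an added example that is not GOsa's own code: a Python expander that parses {%attr}, {%attr[min-max]}, {id:N}, {id!N} and {id#N}, tries the shortest attribute cut first and only lengthens it when the id is already taken, and returns None where the text says GOsa falls back to an input box. Zero padding of {id:N} and the retry limit for {id#N} are assumptions of this example.

```python
"""Expand a GOsa idGenerator pattern against an account's attributes.
Added example, not GOsa's own code: implements the {%attr}, {%attr[min-max]},
{id:N}, {id!N} and {id#N} syntax and checks candidates against taken ids.
Zero padding of {id:N} and the retry limit for {id#N} are assumptions.
"""
import itertools
import random
import re

TOKEN = re.compile(r"\{%(\w+)(?:\[(\d+)(?:-(\d+))?\])?\}|\{id([:!#])(\d+)\}")

def _parse(pattern):
    """Split a pattern into literal text, ('attr', name, lo, hi) and ('id', kind, width)."""
    tokens, pos = [], 0
    for m in TOKEN.finditer(pattern):
        tokens.append(pattern[pos:m.start()])
        if m.group(1):
            lo = int(m.group(2)) if m.group(2) else None
            hi = int(m.group(3)) if m.group(3) else lo
            tokens.append(("attr", m.group(1), lo, hi))
        else:
            tokens.append(("id", m.group(4), int(m.group(5))))
        pos = m.end()
    tokens.append(pattern[pos:])
    return tokens

def _candidates(tokens, attrs):
    """Yield (prefix, id_token, suffix), trying the shortest attribute cuts first
    (the text: at least two characters of givenName, up to four if taken)."""
    ranges = []
    for tok in tokens:
        if isinstance(tok, tuple) and tok[0] == "attr":
            value = attrs.get(tok[1], "")
            ranges.append([value] if tok[2] is None
                          else [value[:n] for n in range(tok[2], tok[3] + 1)])
    for choice in itertools.product(*ranges):
        cuts, parts, id_token = iter(choice), [[]], None
        for tok in tokens:
            if isinstance(tok, str):
                parts[-1].append(tok)
            elif tok[0] == "attr":
                parts[-1].append(next(cuts))
            else:
                id_token = tok
                parts.append([])
        yield "".join(parts[0]), id_token, ("".join(parts[1]) if id_token else "")

def generate_id(pattern, attrs, taken, rng=None, attempts=100):
    """Return the first free id for the pattern, or None where the text says
    GOsa falls back to an input box (no automatic id possible)."""
    rng = rng or random.Random()
    for prefix, id_token, suffix in _candidates(_parse(pattern), attrs):
        if id_token is None:
            if prefix not in taken:
                return prefix
            continue
        _, kind, width = id_token
        if kind == "!" and prefix + suffix not in taken:
            return prefix + suffix            # {id!N}: digits only when needed
        if kind == "#":                       # {id#N}: random digits, retried on collision
            numbers = (rng.randrange(10 ** width) for _ in range(attempts))
        else:                                 # {id:N} and {id!N}: next free number
            numbers = range(1, 10 ** width)
        for n in numbers:
            candidate = f"{prefix}{n:0{width}d}{suffix}"
            if candidate not in taken:
                return candidate
    return None
```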
Samba options
sambaSID string
The sambaSID statement defines a Samba SID if not available inside of the LDAP. You can retrieve the
current SID with net getlocalsid.
sambaRidBase integer
The sambaRidBase statement defines the base id to add to ordinary SID calculations, if not available
inside of the LDAP.
sambaHashHook string
If the sambaHashHook field is blank, Samba passwords are not generated or manipulated. If not blank, GOsa
will generate an NTLM hash when a user's password is set, and will lock/unlock this when the account is
locked/unlocked using internal functions. LM hashing is intentionally broken (sets the LM hash to a
non-valid string) as the method is ancient, broken, and rainbow tables exist for all passwords to it. If,
and only if, it is needed, set this field to "NTLM+LM" and a valid LM hash will be set alongside the NTLM
one. Note that GOsa does not use this to specify an actual hook command; it only cares whether it is
empty, not empty, or contains "NTLM+LM".
Safe default: "NTLM" or leave blank.
sambaIdmapping bool
The sambaIdMapping statement tells GOsa to maintain sambaIdmapEntry objects. Depending on your setup this
can drastically improve the Windows login performance.
Asterisk options
ctiHook path
The ctiHook statement defines a script to be executed if someone clicks on a phone number inside of the
addressbook plugin. It gets called with two parameters:
ctiHook $source_number $destination_number
This script can be used to do automated dialing from the addressbook.
Mail options
mailMethod Cyrus/SendmailCyrus/Kolab/Kolab22
The mailMethod statement tells GOsa which mail method the setup should use to communicate with a possible
mail server. Leave this undefined if your mail method does not match the predefined ones.
Cyrus maintains accounts and sieve scripts in Cyrus servers. Kolab/Kolab22 is like Cyrus, but lets the
Kolab daemon maintain the accounts. SendmailCyrus is based on sendmail LDAP attributes.
cyrusUseSlashes bool
The cyrusUseSlashes statement determines if GOsa should use "foo/bar" or "foo.bar" namespaces in IMAP.
Unix style is with slashes.
cyrusDeleteMailbox bool
The cyrusDeleteMailbox statement determines if GOsa should remove the mailbox from your IMAP server or
keep it after the account is deleted in LDAP.
cyrusAutocreateFolders string
The cyrusAutocreateFolders statement contains a comma separated list of personal IMAP folders that should
be created along with initial account creation.
postfixRestrictionFilters path
The postfixRestrictionFilters statement defines a file to include for the postfix module in order to
display user defined restriction filters.
postfixProtocols path
The postfixProtocols statement defines a file to include for the postfix module in order to display user
defined protocols.
mailAttribute mail/uid
The mailAttribute statement determines which attribute GOsa will use to create accounts. Valid values
are mail and uid.
imapTimeout integer (default 10)
The imapTimeout statement sets the connection timeout for IMAP actions.
mailFolderCreation
Every mail method has its own way to create mail accounts like share/development or
shared.development@example.com which is used to identify the accounts, set quotas or add ACLs.
To override the method's default account creation syntax, you can set the mailFolderCreation option.
Examples
mailFolderCreation="%prefix%%cn%" => "shared.development"
mailFolderCreation="my-prefix.%cn%%domain%" => "my-prefix.development@example.com"
Placeholders
%prefix%   The method's default prefix (depends on cyrusUseSlashes=FALSE/TRUE).
%cn%       The group's/user's cn.
%uid%      The user's uid.
%mail%     The object's mail attribute.
%domain%   The domain part of the object's mail attribute.
%mailpart% The user address part of the mail address.
%uattrib%  Depends on mailAttribute="uid/mail".
mailUserCreation
This attribute allows one to override the user account creation syntax, see the mailFolderCreation
description for more details.
Examples
mailUserCreation="%prefix%%uid%" => "user.foobar"
mailUserCreation="my-prefix.%uid%%domain%" => "my-prefix.foobar@example.com"
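The placeholder expansion behind mailFolderCreation/mailUserCreation above and behind the accountRDN option in the LDAP options section, as one added example that is not GOsa's own code: it derives %prefix%, %domain%, %mailpart% and %uattrib% from the entry and the cyrusUseSlashes and mailAttribute settings, and fills accountRDN patterns such as "cn=%sn %givenName". The "shared"/"user" prefix words and the user/shared distinction (the kind parameter) are taken from the examples above; the RFC 4514 escaping of RDN values is an addition of this example, not something the page describes.

```python
"""Expand GOsa's mail naming and accountRDN placeholders for one LDAP entry.
Added example, not GOsa's own code. The "shared"/"user" prefix words come from
the page's examples; RDN value escaping (RFC 4514) is added here.
"""
import re

def mail_placeholders(entry, kind, cyrus_use_slashes=False, mail_attribute="mail"):
    """Placeholder table for a 'user' or 'shared' mailbox (entry is an attribute dict)."""
    mail = entry.get("mail", "")
    local, at, domain = mail.partition("@")
    separator = "/" if cyrus_use_slashes else "."   # cyrusUseSlashes: foo/bar vs foo.bar
    return {
        "%prefix%": ("user" if kind == "user" else "shared") + separator,
        "%cn%": entry.get("cn", ""),
        "%uid%": entry.get("uid", ""),
        "%mail%": mail,
        "%domain%": at + domain,          # the examples keep the '@' with the domain
        "%mailpart%": local,
        "%uattrib%": entry.get(mail_attribute, ""),  # follows mailAttribute=uid/mail
    }

def expand_mail_name(pattern, entry, kind, **settings):
    """Apply a mailFolderCreation / mailUserCreation pattern to an entry."""
    result = pattern
    for placeholder, value in mail_placeholders(entry, kind, **settings).items():
        result = result.replace(placeholder, value)
    return result

def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def expand_account_rdn(pattern, entry):
    """Fill %attr placeholders in an accountRDN pattern; attribute values are escaped
    so a surname like "Doe, Jr." cannot split the resulting DN into extra components."""
    return re.sub(r"%(\w+)", lambda m: escape_rdn_value(entry.get(m.group(1), "")), pattern)
```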
vacationTemplateDirectory path
The vacationTemplateDirectory statement sets the path where GOsa will look for vacation message
templates. Default is /etc/gosa/vacation.
Example template /etc/gosa/vacation/business.txt:
DESC:Away from desk
Hi, I'm currently away from my desk. You can contact me on
my cell phone via %mobile.
Greetings,
%givenName %sn
Debug options
displayErrors bool
The displayErrors statement tells GOsa to show PHP errors in the upper part of the screen. This should be
disabled in production deployments, because there might be some important passwords around.
ldapstats bool
The ldapstats statement tells GOsa to track LDAP timing statistics to the syslog. This may help to find
indexing problems or bad search filters.
ignoreAcl dn
The ignoreAcl value tells GOsa to ignore complete ACL sets for the given DN. Add your DN here and you'll
be able to restore accidentally dropped ACLs.
debugLevel integer
The debugLevel value tells GOsa to display certain information on each page load. The value is an AND
combination of the following byte values:
DEBUG_TRACE = 1
DEBUG_LDAP = 2
DEBUG_MYSQL = 4
DEBUG_SHELL = 8
DEBUG_POST = 16
DEBUG_SESSION = 32
DEBUG_CONFIG = 64
DEBUG_ACL = 128
DEBUG_SI = 256
DEBUG_MAIL = 512
Settings For System Plugins
For the workstationStartup and terminalStartup classes, you can define the systemKernelsHook keyword. It
can load additional kernels that are not retrievable by standard GOsa/FAI mechanisms.
In order to make use of SNMP information, you can set the snmpCommunity in the terminfo class definition.
To enable the burn CD image function, you can specify the systemIsoHook in the workgeneric class. You
will get a CD symbol in the systems list which calls the hook when clicked.
Settings For The Addressbook Plugin
The addressbook plugin can be configured to store the addressbook data in a dedicated location. Use the
addressbookBaseDN keyword within the addressbook class definition inside your gosa.conf to configure this
location.
Default: ou=addressbook.
Settings For The Environment Plugin
In order to make full use of the environment plugin, you may want to define the location where kiosk
profiles will be stored on the server's hard disk.
This is done by the kioskPath keyword defined within the environment class definition inside your
gosa.conf.
Example:
<plugin acl="users/environment"
        class="environment"
        kioskPath="/var/spool/kiosk"/>
Make sure that this path is writeable by GOsa.
Settings For The FAI Plugin
The FAI plugin can be used in a way that it generates branched or frozen releases inside your
repository. Specifying the postcreate and postmodify keywords in the servrepository definition calls the
provided script as a hook when adding or removing branches. This script should do the rest inside of your
repository.
Example:
<tab class="servrepository"
     repositoryBranchHook="/opt/dak/bin/get_extra_repos"
     postcreate="/opt/dak/bin/handle_repository '%lock_dn' '%lock_name' '%lock_type'" />
%lock_dn keeps the base DN of the source branch, %lock_name the name of the new branch and %lock_type is
either "freeze" or "branch".
The repositoryBranchHook outputs additional releases that are not retrievable with the standard
GOsa/FAI methods.
If you have only one release, or want to define a default release to be shown by GOsa, define
defaultFaiRelease="ou=sarge,ou=fai,ou=configs,ou=syst..." within the faiManagement class definition.
Tabbed Dialog Definitions
Tab definitions define the sub plugins which get included for certain tabbed dialogs. If you change
something here, never (!) remove the primary (the first) "tab" tag which is defined. Most tabbed dialogs
need a primary plugin.
Each *tabs definition (such as grouptabs) is looked up by the plugin that defines it. This plugin takes
every class defined in a tab entry and shows it inside of a tabbed dialog with the header defined in name.
Example tabbed dialog definition:
<grouptabs>
    <tab class="group" name="Generic" />
    <tab class="environment" name="Environment" />
    <tab class="appgroup" name="Applications" />
    <tab class="mailgroup" name="Mail" />
</grouptabs>
