Use sso.conf to configure Password Synchronization on the UNIX-based computer

To change settings and customize how Password Synchronization works on a UNIX-based computer, you change settings in the sso.conf file. For information about installing the sso.conf file, see Install the Password Synchronization daemon on UNIX-based computers.

The following table describes the values you can set in the sso.conf file.

Value Description

CASE_IGNORE_NAME

Specifies whether Password Synchronization will ignore differences in uppercase and lowercase letters in user names when it compares Windows and UNIX user names. To allow case-insensitive comparisons, set this entry to 1 (the default). To force Password Synchronization to use case-sensitive comparisons, set this entry to 0.

ENCRYPT_KEY

Specifies the default key used to encrypt passwords exchanged with Windows servers. You can use settings in the SYNC_HOSTS value to specify a different encryption key for a specific Windows server.

FILE_PATH

Specifies the full path and name of the passwd or shadow file (such as /etc/passwd). This file must contain the encrypted passwords for users, and the type of file (passwd or shadow) must be the same as specified by USE_SHADOW. On AIX systems, the path and name of the shadow file is /etc/security/passwd.

IGNORE_PROPAGATION_ERRORS

When set to 1, specifies that the Password Synchronization PAM module is to ignore any error that occurs when a Windows password is being changed and to continue synchronization with other hosts specified in SYNC_HOSTS.

NIS_UPDATE_PATH

Specifies the full path to the NIS makefile. This value is ignored unless USE_NIS is set to 1.

PORT_NUMBER

Specifies the default number of the port on which the Password Synchronization daemon will listen for password changes from Windows servers. You can use settings in the SYNC_HOSTS value to specify a different port number for a specific Windows server.

SYNC_DELAY

Specifies the number of seconds the Password Synchronization PAM module will wait between synchronization attempts.

SYNC_HOSTS

Specifies the Windows servers or domain controllers with which passwords are to be synchronized. In addition, you can specify a port number or encryption key (or both) for a specific server. Enclose each entry in parentheses and separate items with a blank space. You can have multiple entries on separate lines, each of which cannot exceed 269 characters. The total list of servers or domain controllers is generated by concatenating all entries. For example:

SYNC_HOSTS=(Marketing)
SYNC_HOSTS=(Sales,ASDFhjkl4321ZyXw) (Accounting,6678)
SYNC_HOSTS=(Shipping,6678,ASDFhjkl4321ZyXw)

synchronizes passwords with the Marketing server using the default port and encryption key, with the Sales server using ASDFhjkl4321ZyXw as the encryption key, with the Accounting server using 6678 as the port number, and with the Shipping server using 6678 as the port number and ASDFhjkl4321ZyXw as the encryption key.

If you use server-specific port number or encryption key settings, you must use the same values to configure Password Synchronization on the Windows server, or the passwords will not be synchronized.

SYNC_RETRIES

Specifies the number of times that the Password Synchronization PAM module will attempt to synchronize a password change with a Windows server or domain controller.

SYNC_USERS

Specifies the UNIX users whose passwords are to be synchronized. You can specify ALL to synchronize passwords for all users or NONE to disable password synchronization for all users. You can also specify particular users. If you specify one or more users preceded by plus signs (+), only those users will have their passwords synchronized. If you specify one or more users preceded by minus signs (-), all users except the specified users will have their passwords synchronized. For example, to allow only users bobg and kimr to synchronize their passwords, specify:

SYNC_USERS=+bobg +kimr

To prevent only root and bobg from having their passwords synchronized, specify:

SYNC_USERS=-root -bobg

The minus sign always takes precedence, regardless of the order in which entries appear. For example, the following specifies that the password for user chrisa will not be synchronized:

SYNC_USERS=+chrisa -chrisa +chrisa
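The following is an added example, not code from the Password Synchronization product or this article: a small Python reader that applies the SYNC_HOSTS and SYNC_USERS rules described above (concatenation of all SYNC_HOSTS lines, per-server port or key overrides, the 269-character line limit, and the rule that a minus sign always wins in SYNC_USERS) to a constructed sso.conf fragment. The sample PORT_NUMBER and ENCRYPT_KEY values are made up, and the treatment of a numeric second field as a port and any other field as a key is inferred from the page's examples.

```python
import re

# Constructed sso.conf fragment; the PORT_NUMBER and ENCRYPT_KEY values are
# invented for this example and mirror the SYNC_HOSTS/SYNC_USERS examples above.
SAMPLE_CONF = """\
PORT_NUMBER=6677
ENCRYPT_KEY=DefaultKey
SYNC_HOSTS=(Marketing)
SYNC_HOSTS=(Sales,ASDFhjkl4321ZyXw) (Accounting,6678)
SYNC_HOSTS=(Shipping,6678,ASDFhjkl4321ZyXw)
SYNC_USERS=+chrisa -chrisa +chrisa -root
"""

def parse_conf(text):
    """Return {key: [value, ...]}, keeping repeated keys such as SYNC_HOSTS."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def sync_hosts(conf):
    """Concatenate every SYNC_HOSTS entry into (host, port, key) tuples, using
    PORT_NUMBER and ENCRYPT_KEY as defaults. A purely numeric field is taken
    as the port override, any other field as the encryption key (assumption)."""
    default_port = conf.get("PORT_NUMBER", [None])[0]
    default_port = int(default_port) if default_port is not None else None
    default_key = conf.get("ENCRYPT_KEY", [None])[0]
    hosts = []
    for entry in conf.get("SYNC_HOSTS", []):
        if len(entry) > 269:  # each SYNC_HOSTS line is limited to 269 characters
            raise ValueError("SYNC_HOSTS entry exceeds 269 characters")
        for group in re.findall(r"\(([^)]*)\)", entry):
            fields = [f.strip() for f in group.split(",")]
            host, port, key = fields[0], default_port, default_key
            for f in fields[1:]:
                if f.isdigit():
                    port = int(f)
                else:
                    key = f
            hosts.append((host, port, key))
    return hosts

def should_sync(conf, user):
    """Apply SYNC_USERS: NONE disables everyone, -user always wins regardless
    of order, +user restricts synchronization to the listed users, ALL (the
    assumed default) allows everyone not explicitly denied."""
    tokens = " ".join(conf.get("SYNC_USERS", ["ALL"])).split()
    if "NONE" in tokens:
        return False
    denied = {t[1:] for t in tokens if t.startswith("-")}
    allowed = {t[1:] for t in tokens if t.startswith("+")}
    if user in denied:
        return False
    return user in allowed if allowed else True
```

Running `sync_hosts(parse_conf(SAMPLE_CONF))` yields the four servers with exactly the ports and keys the text attributes to them, and `should_sync` reports that chrisa is not synchronized despite appearing twice with a plus sign.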

TEMP_FILE_PATH

Specifies the full path of the directory to be used to hold a temporary file while the passwd or shadow file is updated. This should be the same directory in which the passwd or shadow file is located. For security reasons, only the administrator should have access to this directory.

USE_NIS

Set to 0 if Password Synchronization is not synchronizing with a Network Information Service (NIS) domain; set to 1 if Password Synchronization is synchronizing with an NIS domain. If USE_NIS is set to 1, specify a valid path for NIS_UPDATE_PATH.

USE_SHADOW

Set to 0 if the passwd file is to be used for synchronization; set to 1 if the shadow file is to be used.