Customizing Centrify Client parameters

You can control client operations and default behavior by setting the configuration parameters listed below.

You can modify these parameters by using the cedit command. For details, see Using Centrify Client commands.

Linux NSS-related parameters

The following are user query or NSS parameters that you can set on Linux systems:

| Parameter name | Description | Default value |
|---|---|---|
| nss.group.ignore | Names of groups to ignore. | File:/etc/centrifycc/group.ignore |
| nss.user.ignore | Names of users to ignore. | File:/etc/centrifycc/user.ignore |
| agent.nss.program.ignore | Programs in which the CentrifyCC NSS library does not process NSS calls. Use with care: cloud users are not resolved in these programs. Renamed in 19.6 because of a conflict with DirectAudit configuration parameters. | kcm |
| nss.group.skip.members | Programs that do not need group member lists when the getgrXXX() APIs are called. | ls,chown,find,ps,chgrp,dtaction,dtwm,pt_chmod,adid,ll,id |
| nss.programs.force.grouplist.backend | Process names that always get the list of all available groups from the backend. | none |
| nss.programs.get.allmembers | Process names that get the group member list from the backend, so that all members are returned. Note: this slows down system performance. DO NOT set this unless absolutely necessary. | none |
| nss.getgrouplist.interval | How often the list of available groups is fetched from the backend. | 4 hours |
| nss.prefetch.users | Users that the cloud client retrieves from the Cloud service before the system requests them. | none |
| nss.programs.getusergroups | Process names whose getpwnam/getpwuid calls also retrieve the list of groups the user belongs to. | nscd,su,login,sshd,sudo,groups,id,getent |
| nss.refresh.prefetch.users.interval | How often the prefetched user list (see nss.prefetch.users) is refreshed. | 1 hour |
| nss.group.members.async.refresh | Whether group membership lists are refreshed asynchronously when expired information is encountered. Note: DO NOT USE. Not meaningful in the new group membership architecture, where group membership is read from the local cache. | false |

Linux PAM-related parameters

The following are Linux user login (PAM) parameters:

| Parameter name | Brief description | Default value |
|---|---|---|
| pam.homedir.create | Create the home directory if it does not exist on the local machine. | True |
| pam.homedir.create.mesg | Message displayed when a user's home directory is created. | Created home directory |
| pam.ignore.users | Names of users that are authenticated locally. | file:/etc/centrifycc/user.ignore |
| pam.mfa.disabled | Whether to disable multi-factor authentication (MFA) for user login on this machine. | False |
| pam.mfa.program.ignore | Programs that ignore MFA. | ftpd profiled vsftpd java http cdc_chkpwd kdm unix2_chkpwd |
| pam.mfa.oob.max.count | Maximum number of retries for out-of-band MFA mechanisms. An out-of-band mechanism is one that requires additional interaction from the user, such as clicking a link in an email or SMS message. | 300 |
| pam.password.enter.mesg | Message displayed when prompting for a user's password. | Password |

Other configuration parameters

The following are other parameters that you can configure; these apply to Windows, Linux, or both:

| Parameter name | Brief description | Default value | Applicable platforms |
|---|---|---|---|
| agent.tcp.connect.timeout | Time after which a TCP connect attempt times out. | 30 seconds | All |
| agent.cert.validate | Whether to validate the platform's certificate when connecting to the platform. | true | All |
| agent.http.timeout | Generic HTTP timeout. The value must be parsable into a time duration. | 2 minutes | All |
| agent.online.status.refresh | How often the client connects to the platform to update its connection status. | 1 minute | All |
| agent.ping.timeout | Maximum time to wait for a response from the platform when updating connection status; after the timeout the client switches to offline mode. The value must be parsable into a time duration. | 20 seconds | All |
| agent.update.interval | How often the client updates the platform with its operating system and client version information. | 24 hours | All |
| agent.web.proxy.global | The proxy URL to use when connecting to the platform. See Additional notes below. | (none) | All |
| agent.web.proxy.order | The web proxy order to use when connecting to the platform. See Additional notes below. | Global, Direct | All |
| audittrail.targets | Audit trail targets (1: sent to DirectAudit; 0: not sent to DirectAudit). See Additional notes below. | 1 | All |
| cclient.cache.cleanup.interval | How often the client cleans up its cache. | 10 minutes | Linux only |
| cclient.cache.expires | Time until a generic cached object is checked against the platform for changes. | 1 hour | Linux only |
| cclient.cache.member.refresh | Time that must pass before a group membership object expires. | 30 seconds | Linux only |
| cclient.cache.negative.expires | Lifetime of a negative object in the cache. | 5 seconds | Linux only |
| cclient.cache.password.hash | Whether to store the password hash for client-based login. | True | Linux only |
| cclient.cache.refresh | Time that must pass before an object is refreshed from the platform. | 5 minutes | Linux only |
| cenroll.agent.wait.time | How long the cenroll command waits for the client to create its LRPC socket and serve requests before it runs the post-enroll script and exits. The value must be parsable into a time duration. | 10 seconds | All |
| cenroll.http.timeout | HTTP timeout for the enroll and unenroll commands. The value must be parsable into a time duration. | 5 minutes | All |
| cli.hook.cenroll | Path to the post-enrollment script, if you have configured one. | none | All |
| LogLevel | Log level (client log only). Best practice is to use LogLevel for the log level of all items except Linux user query and Linux user login. | Info | All |
| log.rest | If true, the client logs REST API calls and return values as INFO messages; if false, it logs them as DEBUG messages. | false | All |
| log.script | Perl script logging level. | Info | Linux only |
| log.script.autoedit.pl | Perl script logging level for autoedit. | Info | Linux only |
| lrpc2.client.connect.timeout | Connection timeout for LRPC2 clients other than the Centrify Client. | 5 seconds | All |
| lrpc2.client.receive.timeout | Time an LRPC2 client waits for a reply from the Centrify Client. | 5 minutes | All |
| lrpc2.client.send.timeout | Time an LRPC2 client waits for the Centrify Client to receive its request. | 1 minute | All |
| print_log_to_stdout.script | Redirect Perl script logging to stdout. | 1 | Linux only |
| recurring.intervale.deviation.percentage | Maximum percentage deviation (+/-) allowed when adding randomness to the interval between runs of a recurring job. | 5 | All |
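
As an added example (not part of the Centrify documentation or of the client's own tooling), the following Python script lints a client configuration against the three tables above: it flags settings that weaken the defaults (certificate validation off, MFA disabled, the NSS options the tables say not to set) and values of the duration parameters that are not parsable into a time duration. It assumes a "key: value" file layout, uses a constructed sample, and writes agent.cert.validate with a dot like the table's other keys.

```python
import re

# Constructed sample in the assumed "key: value" file layout; not a real config.
SAMPLE_CONF = """\
agent.cert.validate: false
pam.mfa.disabled: true
nss.programs.get.allmembers: sshd,sudo
agent.ping.timeout: twenty
agent.http.timeout: 2 minutes
cclient.cache.negative.expires: 5 seconds
"""
UNIT_SECONDS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60, "hour": 3600, "hours": 3600}
# Parameters the table says must be parsable into a time duration.
DURATION_PARAMS = {"agent.http.timeout", "agent.ping.timeout", "cenroll.agent.wait.time", "cenroll.http.timeout"}
# Parameters whose default is the safe value; anything else is a finding.
EXPECTED = {
    "agent.cert.validate": "true",          # validate the platform certificate
    "pam.mfa.disabled": "false",            # keep MFA enforced for logins
    "nss.programs.get.allmembers": "none",  # table: do not set unless necessary
    "nss.group.members.async.refresh": "false",  # table: do not use
}

def parse_conf(text):
    """Parse 'key: value' or 'key = value' lines into a dict; skip comments."""
    conf = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([^#\s:=]+)\s*[:=]\s*(.*?)\s*", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_duration(value):
    """Return seconds for values such as '2 minutes' or '24 hours', else None."""
    m = re.fullmatch(r"(\d+)\s*([a-z]+)", value.strip().lower())
    if not m or m.group(2) not in UNIT_SECONDS:
        return None
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def lint(conf):
    """Return findings; an absent key is treated as its (safe) default."""
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key, want)
        if got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    for key in sorted(DURATION_PARAMS & conf.keys()):
        if parse_duration(conf[key]) is None:
            findings.append(f"{key} value '{conf[key]}' is not a time duration")
    return findings
```

Running lint(parse_conf(SAMPLE_CONF)) reports four findings for the sample; a file that only carries the table defaults reports none.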

Additional notes

For proxy settings, the Centrify Client behaves as follows:

  • If the proxy setting is empty, all REST API calls are sent directly to the platform.

  • If the proxy setting is non-empty, it is used as the proxy for all REST API calls, including enrollment.

  • The user can specify which proxy to use in the cenroll command; that parameter sets the proxy setting.

  • The upgrade process handles agent.web.proxy.order and agent.web.proxy.global as follows:

    • If the first value of agent.web.proxy.order is direct, the proxy setting is set to empty. This applies only to direct connections.
    • Otherwise, the value of agent.web.proxy.global is imported into the proxy parameter of the settings package.
  • If the direct connection fails, there is no fallback to a proxy.