nss.user.override.userlist

This configuration parameter enables you to specify an audit level for a list of users that will bypass Active Directory. In most cases, the auditing service connects to Active Directory to get user profile and audit level information. You can use this parameter to bypass Active Directory, for example, to specify local user accounts that do not have a corresponding user account in Active Directory, but for which you want to audit session activity. This parameter replaces the deprecated user.ignore parameter.

You can specify the parameter value by typing individual entries using the format user_name[:audit_level], separated by spaces, or by using the file: keyword and a file location.

You can set the audit_level to one of the following valid values:

  • use_sysrights
  • audit_if_possible
  • no_audit
  • audit_required

The use_sysrights setting indicates that you want to use the audit level information associated with the user’s role. If you don’t specify an audit level for a user with this parameter, the default audit level is the audit level you specify for the nss.user.override.auditlevel parameter. For example, you can set the value using individual user name entries like this:

nss.user.override.userlist: maya:use_sysrights tai:no_audit carlos

Alternatively, you can use the file: keyword and a file that has one user_name[:audit_level] per line. For example:

nss.user.override.userlist: file:/etc/centrifyda/user_auditing_classiczones

Be sure to run the dareload command after modifying the configuration file to have the changes take effect.
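A check you can run on the parameter value before reloading, shown as an added example that is not part of the Centrify product or its documentation: it resolves each user_name[:audit_level] entry to its effective audit level, rejects levels outside the four valid values, and lists the users that end up at no_audit. The function names, the skipping of blank lines in the file form, and the handling of duplicate entries are assumptions of this example.

```python
from pathlib import Path

# The four audit_level values listed on this page.
VALID_LEVELS = {"use_sysrights", "audit_if_possible", "no_audit", "audit_required"}

def parse_userlist(value, default_level, read_text=lambda p: Path(p).read_text()):
    """Resolve an nss.user.override.userlist value to ({user: level}, [errors]).

    default_level stands in for the nss.user.override.auditlevel setting.
    """
    value = value.strip()
    if value.startswith("file:"):
        # File form: one user_name[:audit_level] per line.
        # Assumption of this example: blank lines are skipped.
        lines = read_text(value[len("file:"):]).splitlines()
        tokens = [ln.strip() for ln in lines if ln.strip()]
    else:
        tokens = value.split()  # inline form: entries separated by spaces
    resolved, errors = {}, []
    for tok in tokens:
        user, sep, level = tok.partition(":")
        if not sep:
            level = default_level  # no explicit level: fall back to the default
        if not user or len(tok.split()) != 1:
            errors.append(f"{tok!r}: malformed entry")
        elif level not in VALID_LEVELS:
            errors.append(f"{tok!r}: unknown audit level {level!r}")
        elif user in resolved:
            # Assumption of this example: flag duplicates, keep the first entry.
            errors.append(f"{tok!r}: duplicate entry for {user!r}")
        else:
            resolved[user] = level
    return resolved, errors

def unaudited(resolved):
    """Users resolved to no_audit; review these before running dareload."""
    return sorted(u for u, lvl in resolved.items() if lvl == "no_audit")

if __name__ == "__main__":
    # Inline value from this page; the default level is a constructed sample.
    users, errs = parse_userlist("maya:use_sysrights tai:no_audit carlos",
                                 "audit_if_possible")
    print(users, errs, unaudited(users))
```
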

Note that this parameter is most commonly used to specify the audit level for local user accounts. However, you can use it to specify both local and Active Directory users, if needed. To include Active Directory users in the list of users specified with this parameter, you must specify the Active Directory user’s UNIX login name as a parameter value in the user list you define with this parameter.

Note:   For computers that have only the Centrify Client for Linux installed, there is a sample file that you can use to specify users outside of Active Directory. The sample file is /etc/centrifyda/nss.user.override.userlist.sample. To point the client to this sample file, include the following line in your centrifyda.conf file:
nss.user.override.userlist: /etc/centrifyda/nss.user.override.userlist.sample