
4.5 Shisa Configuration

The configuration file for Shisa is typically stored in /usr/local/etc/shishi/shisa.conf. If the first non-whitespace character of a line is a '#', the line is ignored. Empty lines are also ignored.

4.5.1 ‘db’

Currently the only configuration option available is the db token, which defines the databases to use. The syntax is:


Specify the data sources for Kerberos 5 data. Multiple entries, even of the same data source type, are allowed. The data sources are accessed in the same sequence as they are defined here. If an entry is found in one data source, it will be used for the operations, without searching the remaining data sources. Valid OPTIONS include:

     --read-only       No data is written to this data source.
     --ignore-errors   Ignore failures in this backend.

The default (when the configuration file is empty) uses one "file" data source (see below), but for a larger installation you may want to combine several data sources. Here is an example:

     db --read-only file /var/local/master
     db --ignore-errors ldap ca=/etc/shisa/kdc-ca.pem
     db --read-only file /var/cache/ldap-copy

This demonstrates how you can store critical principals on local disk (the first entry, /var/local/master) so that they will always be found without looking in the LDAP directory. The critical principals could be, e.g., krbtgt/EXAMPLE.ORG. The second entry denotes an LDAP server that could hold user principals. As you can see, Shisa will not let the caller know about errors with the LDAP source (they will be logged, however). Instead, if for instance the LDAP server has crashed, Shisa would continue and read from the /var/cache/ldap-copy file source. That file source may have been set up to contain a copy of the data in the LDAP server, perhaps made on an hourly basis, so that your server will be able to serve recent data even in case of a crash. Any updates or password change requests will however not be possible while the LDAP server is inaccessible, to reduce the problem of synchronizing data back into the LDAP server once it is online again.
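The lookup order and the effect of --read-only and --ignore-errors described above can be modelled in a few lines. The following is an added illustration, not Shisa's own code: it parses the db lines of the example configuration and resolves principals against constructed in-memory backends (the principal "alice" and the entry contents are hypothetical; setting a source's data to None simulates a crashed backend).

```python
import shlex

class Source:
    """One 'db' line. data holds constructed entries; None simulates a crashed backend."""
    def __init__(self, kind, location, read_only, ignore_errors):
        self.kind, self.location = kind, location
        self.read_only, self.ignore_errors = read_only, ignore_errors
        self.data = {}

def parse_db_lines(text):
    """Parse 'db' tokens in file order; skip empty and '#' lines, '--' words are OPTIONS."""
    sources = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        opts = [w for w in words[1:] if w.startswith("--")]
        rest = [w for w in words[1:] if not w.startswith("--")]
        sources.append(Source(rest[0], rest[1] if len(rest) > 1 else "",
                              "--read-only" in opts, "--ignore-errors" in opts))
    return sources

def find_principal(sources, principal):
    """Search in configuration order; the first source holding the entry wins.
    A failing source is skipped only if it was configured --ignore-errors."""
    for src in sources:
        if src.data is None:  # backend unreachable
            if src.ignore_errors:
                continue  # Shisa logs the failure but hides it from the caller
            raise ConnectionError(f"{src.kind} {src.location} unreachable")
        if principal in src.data:
            return src.location, src.data[principal]
    return None

def writable_source(sources):
    """First reachable source not marked --read-only; None means no updates possible."""
    return next((s for s in sources if not s.read_only and s.data is not None), None)

def build_example():
    """Constructed scenario mirroring the manual's three-source example."""
    conf = ("# constructed sample shisa.conf\n"
            "db --read-only file /var/local/master\n"
            "db --ignore-errors ldap ca=/etc/shisa/kdc-ca.pem\n"
            "db --read-only file /var/cache/ldap-copy\n")
    master, ldap, cache = sources = parse_db_lines(conf)
    master.data["krbtgt/EXAMPLE.ORG"] = "critical, always local"
    ldap.data["alice"] = "live LDAP entry"  # alice: hypothetical user principal
    cache.data["alice"] = "hourly copy of LDAP entry"
    return sources
```

With the LDAP source marked unreachable, lookups of "alice" fall through to /var/cache/ldap-copy while the master entry is still served locally, and writable_source returns None, matching the behaviour the manual describes.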

Currently only the "file" data source is supported; it denotes a data source that uses the standard file system for storage.

Valid syntaxes for the "file" database:

     db file PATH

Examples:

     db file /var/shishi
     db file /usr/share/shishi read-only

If no ‘db’ tokens are present, the default will be:

     db file /usr/local/var/shishi