16.1. Univention Configuration Registry Variables

This appendix lists the Univention Configuration Registry Variables mentioned in the document.

auth/faillog

Configures the automatic locking of users after failed login attempts in the PAM stack. To activate, set the value to yes. For more information, see PAM-Stack.

auth/faillog/limit

Configures the upper limit of failed login attempts for a user account lockout. For more information, see PAM-Stack.

auth/faillog/lock_global

Configure on Primary Directory Node and Backup Directory Node to create a failed login account lockout globally and store it in the LDAP directory. For more information, see PAM-Stack.

auth/faillog/root

To make the user account root subject of the PAM stack account lockout, set the value to yes. It defaults to no. For more information, see PAM-Stack.

auth/faillog/unlock_time

Configure a time interval to unlock an account lockout. The value is defined in seconds. The value 0 resets the lock immediately. For more information, see PAM-Stack.

auth/sshd/user/root

To prohibit SSH login for the user root completely, set the value no. For more information, see SSH login to systems.

backup/clean/max_age

Defines how long a UCS system keeps old backup files of the LDAP data. Allowed values are integer numbers and they define days. The system doesn’t delete backup files when the variable is not set. See Daily backup of LDAP data.

connector/ad/ldap/binddn

Configures the LDAP DN of a privileged replication user. For more information, see UCS as a member of an Active Directory domain and Changing the AD access password.

connector/ad/ldap/bindpw

Configures the password of a privileged replication user. For more information, see UCS as a member of an Active Directory domain and Changing the AD access password.

connector/ad/ldap/ssl

To deactivate encrypted communication between the UCS system and Active Directory set the value to no. For more information, see Importing the SSL certificate of the Active Directory.

connector/ad/mapping/group/language

Configures the mapping for group name conversion in anglophone AD domains. For more information, see Groups.

connector/ad/mapping/user/ignorefilter

Defines a filter for usernames so that the AD Connector excepts matching users from the synchronization. For more information, see Details on preconfigured synchronization:

connector/ad/mapping/user/ignorelist

Configures a list of usernames that the AD Connector excludes from synchronization. For more information, see Details on preconfigured synchronization.

connector/ad/poll/sleep

Configures the interval to poll for changes in the AD domain. The default is 5 seconds. For more information, see Setup of the UCS AD connector.

connector/ad/retryrejected

Configures the number of cycles that the UCS AD Connector attempts to synchronize an object from the AD domain when it can’t be synchronized. The default value is 10 cycles. For more information, see Setup of the UCS AD connector.

cups/cups-pdf/anonymous

Configures the target directory for the Generic CUPS-PDF Printer for anonymous print jobs. It defaults to the value /var/spool/cups-pdf/. For more information, see Generating PDF documents from print jobs.

cups/cups-pdf/cleanup/enabled

To cleanup outdated print jobs of the Generic CUPS-PDF Printer, set the value to true. For the storage time, see cups/cups-pdf/cleanup/keep. For more information, see Generating PDF documents from print jobs.

cups/cups-pdf/cleanup/keep

Configures the storage time in days for PDF files from the Generic CUPS-PDF Printer. For more information, see Generating PDF documents from print jobs.

cups/cups-pdf/directory

Configures the target directory for the Generic CUPS-PDF Printer. It defaults to the value /var/spool/cups-pdf/%U and uses a different directory for each user. For more information, see Generating PDF documents from print jobs.

cups/errorpolicy

To automatically retry unsuccessful print jobs every 30 seconds, set the value to retry-job. For more information, see Setting the local configuration properties of a print server.

cups/include/local

To include configuration from /etc/cups/cupsd.local.conf, set the value to true. For more information, see Setting the local configuration properties of a print server.

cups/server

Defines the print server to be used by a UCS system. For more information, see Configuration of the print server in use.

directory/manager/blocklist/cleanup/cron

This variable determines how often UDM searches and removes the expired block list entries. The value follows the cron syntax for the time definition. The default value is daily at 8:00 in the morning. For more information, see Expired block list entries.

directory/manager/blocklist/enabled

Activates the management of block list entries in UDM. Default value is false. For information about how to activate, see Activate block lists.

directory/manager/templates/alphanum/whitelist

Define an allowlist of characters that are not removed by the :alphanum option for the value definition in user templates. For more information, see User templates.

directory/manager/user_group/uniqueness

Controls if UCS prevents users with the same username as existing groups. To deactivate the check for uniqueness, set the value to false. For more information see Table 6.1.

directory/manager/web/modules/computers/computer/wizard/disabled

To disable the simplified wizard for computer management, set this variable to true. For more information, see Management of computer accounts via Univention Management Console module.

directory/manager/web/modules/groups/group/checks/circular_dependency

Controls the check for circular dependencies regarding nested groups. To disable, set the value to no. For more information, see Group nesting with groups in groups.

directory/manager/web/modules/users/user/wizard/disabled

Deactivates the simplified wizard to create users when the value is set to true. In the default setting the wizard is activated. For more information see User management via Univention Management Console module.

directory/reports/logo

Defines the path and name to an image file for usage as logo in a Univention Directory report PDF file. For more information see Adjustment/expansion of Univention Directory Reports.

dns/allow/transfer

To deactivate the DNS zone transfer when using the OpenLDAP backend, set the value to none. For more information, see Configuration of zone transfers.

dns/backend

Configures the DNS backend. For more information, see Configuration of the data backend.

dns/debug/level

Configures the debug level for BIND. For more information, see Configuration of BIND debug output.

dns/dlz/debug/level

Configures the debug level for the Samba DNS backend. For more information, see Configuration of BIND debug output.

dns/forwarder1

Defines the first external DNS server. For more information, see Configuring the name servers.

dns/forwarder2

Defines the second external DNS server. For more information, see Configuring the name servers.

dns/forwarder3

Defines the third external DNS server. For more information, see Configuring the name servers.

fetchmail/autostart

Controls the automatic start of Fetchmail. To disable Fetchmail, set the value to false. For more information, see Integration of Fetchmail for retrieving mail from external mailboxes.

freeradius/auth/helper/ntlm/debug

Configures the debug level or verbosity for logging messages of FreeRADIUS. For more information, see Debugging.

freeradius/conf/allow-mac-address-authentication

Configures if Radius allows the MAC address as username and password for 802.1X authentication. Default value is false. For more information, see MAC Authentication Bypass with computer objects.

freeradius/vlan-id

Configures the fallback value for VLAN ID for users that aren’t member of a group with a VLAN ID. For more information, see VLAN IDs.

gateway

Configures the IPv4 network gateway. For more information, see Configuration of IPv4 addresses.

google-apps/attributes/anonymize

Configures the LDAP attributes of a user account that Google Apps for Work Connector synchronizes, but fills with random data. The value is a comma-separated list of LDAP attributes. For more information, see Configuration.

google-apps/attributes/mapping/.*

Defines a mapping of UCS LDAP attributes of a user account for synchronization to Google Apps attributes. The default settings usually suffice most environment needs. For more information, see Configuration.

google-apps/attributes/never

Configures the LDAP attributes of a user account that the Google Apps for Work Connector never synchronizes, even if mentioned in google-apps/attributes/mapping/.* or google-apps/attributes/anonymize. The value is a comma-separated list of LDAP attributes. For more information, see Configuration.

google-apps/debug/werror

Configure additional debug error messages for the Google Apps for Work. For more information, see Troubleshooting/Debugging.

google-apps/groups/sync

Enables the synchronization of groups of the Google Apps for Work user groups with the value yes. For more information, see Configuration.

groups/default/domainadmins

Configures the default group name for the domain administrator group. The value might be changed during an AD Takeover. For more information, see Domain migration.

grub/append

Defines Linux kernel boot options that the GRUB boot loader passes to the Linux kernel for system boot. For more information, see GRUB boot manager.

grub/bootsplash

To deactivate the splash screen during system boot, set the value to nosplash. For more information, see GRUB boot manager.

grub/gfxmode

Defines screen size and color depth for the GRUB boot menu. For more information, see GRUB boot manager.

grub/timeout

Defines the waiting period in seconds in the GRUB boot menu. During this waiting time alternative boot menu entries can be selected. The default value is 5 seconds. For more information, see GRUB boot manager.

grub/xenhopt

Defines options that are passed to the Xen hypervisor. For more information, see GRUB boot manager.

interfaces/ethX/address

Defines the network IPv4 address for the interface ethX. Replace X with the actual value for the interface. For more information, see Configuration of IPv4 addresses.

interfaces/ethX/netmask

Defines the network mask for the interface ethX. Replace X with the actual value for the interface. For more information, see Configuration of IPv4 addresses.

interfaces/ethX/type

Defines the network interface type for the interface ethX. Replace X with the actual value for the interface. For more information, see Configuration of IPv4 addresses.

interfaces/ethX_Y/setting

Defines an additional virtual interface. Replace X and Y with the actual value for the interface. For more information, see Configuration of IPv4 addresses.

interfaces/ethX/ipv6/address

Defines the network IPv6 address for the interface ethX. Replace X with the actual value for the interface. For more information, see Configuration of IPv6 addresses.

interfaces/ethX/ipv6/prefix

Defines the network IPv6 prefix for the interface ethX. Replace X with the actual value for the interface. For more information, see Configuration of IPv6 addresses.

interfaces/ethX/ipv6/acceptRA

Activates stateless address autoconfiguration (SLAAC) for the interface ethX. Replace X with the actual value for the interface. For more information, see Configuration of IPv6 addresses.

ipv6/gateway

Configures the IPv4 network gateway. For more information, see Configuration of IPv6 addresses.

kerberos/adminserver

Defines the system that provides the Kerberos admin server. See Kerberos admin server.

kerberos/kdc

Contains the reference to the KDC. Typically, a UCS system selects the KDC to be used from a DNS service record. With this variable administrators can configure an alternative KDC.

kerberos/realm

Contains the name of the Kerberos realm. See Kerberos.

kernel/blacklist

Defines additional Linux kernel modules that need to be loaded during system boot. Single items must be separated with a semicolon (;). For more information, see Hardware drivers / kernel modules.

kernel/modules

Defines Linux kernel modules that must not be loaded during system boot. Single items must be separated with a semicolon (;). For more information, see Hardware drivers / kernel modules.

ldap/database/internal/acl/blocklists/groups/read

List of group distinguished names (DN) that have read access to all objects under the container cn=blocklists in the internal database. For more information, see LDAP ACLs for block lists.

ldap/database/internal/acl/blocklists/groups/write

List of group distinguished names (DN) that have write access to all objects under the container cn=blocklists in the internal database. For more information, see LDAP ACLs for block lists.

ldap/acl/read/anonymous

Controls if the LDAP server allows anonymous access to the LDAP directory. In the default configuration the LDAP server doesn’t allow anonymous access to the LDAP directory.

ldap/acl/read/ips

A list of IP addresses for which the LDAP server allows anonymous access. See Access control for the LDAP directory.

ldap/acl/nestedgroups

Controls if nested groups are allowed. Per default nested groups are activated. See Access control for the LDAP directory.

ldap/acl/user/passwordreset/accesslist/groups/dn

Use a different group from the default User Password Admins group to reset user passwords. The value is a distinguished name (DN) to a user group. See Delegation of the privilege to reset user passwords.

ldap/acl/user/passwordreset/attributes

If users that are allowed to change other users’ passwords need access to additional LDAP attributes needed for the password change, configure them in this variable. For more information, see Delegation of the privilege to reset user passwords.

ldap/acl/user/passwordreset/protected/uid

Configures users with their user id to exclude them from user password resets by administrators allowed to change user passwords. Separate multiple values with a comma. For more information, see Delegation of the privilege to reset user passwords.

ldap/acl/user/passwordreset/protected/gid

Configures groups with their group id to exclude them from user password resets by administrators allowed to change user passwords. Separate multiple values with a comma. For more information, see Delegation of the privilege to reset user passwords.

ldap/idletimeout

Configures a time period in seconds after which the LDAP connection is cut off on the server side. See Timeout for inactive LDAP connections.

ldap/logging/exclude1

Exclude individual areas of the directory service from logging. See Audit-proof logging of LDAP changes.

ldap/logging/excludeN

See ldap/logging/exclude1.

ldap/logging/id-prefix

Adds the transaction ID of an entry to the directory log. Possible values are the default yes and no. See Audit-proof logging of LDAP changes.

ldap/master

Contains the FQDN of the domain’s Primary Directory Node system.

ldap/overlay/lastbind

To activate the lastbind overlay module for the LDAP server, set the value to yes. For more information, see Overlay module for recording an account’s last successful LDAP bind.

ldap/overlay/lastbind/precision

Configures the time in seconds that has to pass before the authTimestamp is updated again by the lastbind overlay. For more information, see Overlay module for recording an account’s last successful LDAP bind.

ldap/overlay/memberof/memberof

Configures the attribute at user objects that shows the group membership. Default value is memberOf. For more information, see Overlay module for displaying the group information on user objects.

ldap/policy/cron

Time interval to write profile based UCR variables to a UCS system. The default value is one hour. For more information, see Policy-based configuration of UCR variables.

ldap/ppolicy

To enable automatic account locking, set the value to yes. Also set ldap/ppolicy/enabled. For more information, see OpenLDAP.

ldap/ppolicy/enabled

To enable automatic account locking, set the value to yes. Also set ldap/ppolicy. For more information, see OpenLDAP.

ldap/pw-bcrypt

Activates bcrypt as password hashing method when set to true. See Password hashes in the directory service.

ldap/server/addition

Additional LDAP server a UCS system can query for information in the directory service.

ldap/server/name

The LDAP server the system queries for information in the directory service.

listener/debug/level

Defines the detail level for log messages of the listener to /var/log/univention/listener.log. The possible values are from 0 (only error messages) to 4 (all status messages). Once the debug level has been changed, the Univention Directory Listener must be restarted.

listener/shares/rename

Contents of existing share directories are moved, when the path to a share is modified and the value is set to yes. For more information, see Table 12.1 in Shares UMC module - General tab.

local/repository

Activates and deactivates the local repository. For more information see Creating and updating a local repository.

logrotate/compress

Controls, if rotated log files are zipped with gzip. For more information, see Log files.

log/rotate/weeks

Configures the log file rotation interval on a UCS system in weeks. The default value is 12 weeks. For more information, see Log files.

logrotate/rotates

Configures the log file rotation according to the file size, for example size 50M. For more information, see Log files.

machine/password/length

Define the length for the computer password, also called machin secret. Default value is 20. For more information, see Management of computer accounts via Univention Management Console module.

mail/antispam/bodysizelimit

Configures the size of emails that are scanned for Spam by SpamAssassin. The default value is 300 kilobytes. For more information, see Spam detection and filtering.

mail/antispam/learndaily

Configures the evaluation of ham emails in the ham folder for daily evaluation. The evaluation is activate per default. For more information, see Spam detection and filtering.

mail/antispam/requiredhits

Configures the threshold in points when an email is classified as spam. The default value is 5. For more information, see Spam detection and filtering.

mail/antivir

To deactivate virus and malware detection for incoming and outgoing emails, set the value to no. For more information, see Identification of viruses and malware.

mail/antivir/spam

Configures, if spam filtering is running. To deactivate spam filtering, set the value to no. For more information, see Identification of viruses and malware.

mail/archivefolder

Configures Postfix to send all incoming and outgoing emails as blind copy to this email address for archive purposes. The variable isn’t set per default. For more information, see Configuration of a blind carbon copy for mail archiving solutions.

mail/dovecot/auth/cache_ttl

Configures the expiration time of the authentication cache in Dovecot for the mail service. For more information, see Assignment of email addresses to users.

mail/dovecot/auth/cache_negative_ttl

Configures the expiration time of the authentication cache in Dovecot for the mail service. For more information, see Assignment of email addresses to users.

mail/dovecot/folder/ham

Configures the name of the folder for emails that SpamAssissin considers as ham. The default value is Ham. For more information, see Spam detection and filtering.

mail/dovecot/folder/Spam

Configures the name of the folder where SpamAssissin moves emails classified as spam. The default value is Spam. For more information, see Spam detection and filtering.

mail/dovecot/imap

Controls the IMAP protocol service in the Dovecot IMAP service. To deactivate access to emails through IMAP, set the value to no. For more information, see Mail services.

mail/dovecot/limits

Configures different connection limits for the Dovecot service. For more information, see Connection limits.

mail/dovecot/location/separate_index

Configures the Dovecot service to use an index separated from the email message storage location. To activate the separate index, set the value to yes. Dovecot writes the index to /var/lib/dovecot/index/. For more information, see Mail storage on NFS.

mail/dovecot/mailbox/rename

Configures how the Dovecot services reacts on changes of the primary email address. The default value is yes and it changes the name of the user’s IMAP mailbox. For more information about the values, see Handling of mailboxes during email changes and the deletion of user accounts.

Shared folders are not renamed. For more information, see Management of shared IMAP folders.

mail/dovecot/mailbox/delete

Configures the deletion of an IMAP mailbox. The default value is no and keeps the mailbox. For more information, see Handling of mailboxes during email changes and the deletion of user accounts.

The value also affects shared IMAP folders. For more information, see Management of shared IMAP folders.

mail/dovecot/pop3

Controls the POP3 protocol service in the Dovecot IMAP service. To deactivate access to emails through POP3, set the value to no. For more information, see Mail services.

mail/dovecot/process/lock_method

Controls the lock method for lockd. For more information, see Mail storage on NFS.

mail/dovecot/process/mail_nfs_index

Configures the Dovecot service to flush NFS caches after writing index files when set to yes. For more information, see Mail storage on NFS.

mail/dovecot/process/mail_nfs_storage

Configures the Dovecot service to flush NFS caches when set to yes. For more information, see Mail storage on NFS.

mail/dovecot/process/mmap_disable

Allows mail storage on NFS. For more information, see Mail storage on NFS.

mail/dovecot/process/dotlock_use_excl

Allows mail storage on NFS. For more information, see Mail storage on NFS.

mail/dovecot/process/mail_fsync

Allows mail storage on NFS. For more information, see Mail storage on NFS.

mail/dovecot/quota/warning/subject

Configures the subject for the email to the user that exceeds the configured quota limit. For more information, see Mail quota.

mail/dovecot/quota/warning/text

Configures the email text body for the email to the user that exceeds the configured quota limit. Percentage values can have different texts. For example, to configure a text for 50% of the quota, set mail/dovecot/quota/warning/text/50=your text.

For more information, see Mail quota.

mail/hosteddomains

Configures the mail domains managed by UCS. For more information, see Management of mail domains.

mail/messagesizelimit

Configures the maximum size of an email in bytes for incoming and outgoing emails. The default setting is 10240000 bytes. For more information, see Configuration of the maximum mail size.

mail/postfix/mastercf/options/smtp/smtpd_sasl_auth_enable

To enable authentication for the submission of emails on port 25, set the value to yes. For more information, see Configuration of SMTP ports.

mail/postfix/policy/listfilter

To restrict the circle of persons who can send emails to mailing lists, set the value to yes and restart the Postfix service. For more information, see Management of mailing lists and Management of mail groups.

mail/postfix/postscreen/

A prefix of variables to configure postscreen. For more information, see Configuration of additional checks.

mail/postfix/postscreen/enabled

To activate postscreen for eligibility checks on incoming emails, set the value to yes. For more information, see Configuration of additional checks.

mail/postfix/smtpd/restrictions/recipient

Configures DNS-based Blackhole List (DNSBL) for Postfix in the format mail/postfix/smtpd/restrictions/recipient/SEQUENCE=RULE.

For example:

mail/postfix/smtpd/restrictions/recipient/80="reject_rbl_client ix.dnsbl.manitu.net".

For more information, see Identification of Spam sources with DNS-based Blackhole Lists.

mail/postfix/softbounce

To never return emails after a mail bounce, set the value to yes. For more information, see Configuration of soft bounces.

mail/postfix/tls/client/level

For more information, see Configuration of a relay host for sending the emails.

mail/relayauth

If authentication for the mail relay is needed, set the value to yes and add the credentials to /etc/postfix/smtp_auth. For more information, see Configuration of a relay host for sending the emails.

mail/relayhost

Configures the fully qualified domain name (FQDN) of a mail relay server. For more information, see Configuration of a relay host for sending the emails.

nameserver1

Defines the first Domain DNS Server. For more information, see Configuring the name servers.

nameserver2

Defines the second Domain DNS Server. For more information, see Configuring the name servers.

nameserver3

Defines the third Domain DNS Server. For more information, see Configuring the name servers.

notifier/debug/level

Defines the detail level for log messages of the notifier to /var/log/univention/notifier.log. The possible values are from 0 (only error messages) to 4 (all status messages). Once the debug level has been changed, the Univention Directory Notifier must be restarted.

nscd/debug/level

Defines the detail level for log messages of the NSCD. For more information, see Name service cache daemon.

nscd/group/maxdbsize

Configures the hash table size of the NSCD for groups. For more information, see Name service cache daemon.

nscd/group/positive_time_to_live

Configures the time that a resolved group is kept in the cache of NSCD. The default is one hour in seconds (3600). For more information, see Name service cache daemon.

nscd/hosts/maxdbsize

Configures the hash table size of the NSCD for hosts. The default value is 6007. For more information, see Name service cache daemon.

nscd/hosts/positive_time_to_live

Configures the time that a resolved hostname is kept in the cache of NSCD. The default is one hour in seconds (3600). For more information, see Name service cache daemon.

nscd/passwd/maxdbsize

Configures the hash table size of the NSCD for usernames. The default value is 6007. For more information, see Name service cache daemon.

nscd/passwd/positive_time_to_live

Configures the time that a resolved username is kept in the cache of NSCD. The default is ten minutes in seconds (600). For more information, see Name service cache daemon.

nscd/threads

Configures the number of threads that NSCD uses. Default value is 5. For more information, see Name service cache daemon.

nss/group/cachefile/check_member

When activated with true, the cron job script for exporting the local group cache also checks, if the group members are still present in the LDAP directory. For more information, see Local group cache.

nss/group/cachefile/invalidate_interval

Defines the invalidation interval to control when the local group cache is considered invalid and a new export is run. For more information, see Local group cache.

nss/group/cachefile/invalidate_on_changes

Activates or deactivates the listener to invalidate the local group cache. To activate the listener, set the value to true. Else, set it to false. For more information, see Local group cache.

nssldap/bindpolicy

Controls the measures that the UCS system takes when the LDAP server cannot be reached. See Name Service Switch / LDAP NSS module.

ntp/signed

The NTP server replies with requests that are signed by Samba/AD when the value is set to yes. For more information, see Configuring the time zone / time synchronization.

office365/adconnection/wizard

Defines the Azure AD connection alias that is used by the next run of the Microsoft 365 Configuration Wizard. For more information, see Synchronization of Users in multiple Azure Active Directories.

office365/attributes/anonymize

Configures the LDAP attributes of a user account that the Microsoft 365 connector synchronizes, but fills with random data. The value is a comma-separated list of LDAP attributes. For more information, see Users.

office365/attributes/mapping/.*

Defines a mapping of UCS LDAP attributes of a user account for synchronization to Azure attributes. The default settings usually suffice most environment needs. For more information, see Users.

office365/attributes/never

Configures the LDAP attributes of a user account that the Microsoft 365 connector never synchronizes, even if mentioned in office365/attributes/sync or office365/attributes/anonymize. The value is a comma-separated list of LDAP attributes. For more information, see Users.

office365/attributes/static/.*

Configures LDAP attributes for synchronization with predefined values. For more information, see Users.

office365/attributes/sync

Configures the LDAP attributes of a user account that the Microsoft 365 connector synchronizes. The value is a comma-separated list of LDAP attributes. For more information, see Users.

office365/attributes/usageLocation

Configures the default country for the user in Microsoft 365. Values are 2-character abbreviations for countries. For more information, see Users.

office365/debug/werror

Configure additional debug error for the Microsoft 365 connector. For more information, see Troubleshooting/Debugging.

office365/defaultalias

Configures the default connection alias for Microsoft 365 enabled users and groups. For more information, see Synchronization of Users in multiple Azure Active Directories.

office365/groups/sync

Enables the synchronization of groups of the Microsoft 365 users. To use teams, set the value to yes. For more information, see Teams.

password/hashing/bcrypt

Activates bcrypt as password hashing method when set to true. See Password hashes in the directory service.

password/hashing/bcrypt/cost_factor

Defines the bcrypt cost factor and defaults to 12. See Password hashes in the directory service.

password/hashing/bcrypt/prefix

Defines the bcrypt prefix and defaults to 2b. See Password hashes in the directory service.

password/hashing/method

Defines the hashing method for the password hashes. The default is SHA-512. See Password hashes in the directory service.

password/quality/credit/digits

Defines the minimum number of digits for a new password. For more information, see User password management.

password/quality/credit/lower

Defines the minimum number of lowercase letters in the new password. For more information, see User password management.

password/quality/credit/other

Defines the minimum number of characters in the new password which are neither letters nor digits. For more information, see User password management.

password/quality/credit/upper

Defines the minimum number of uppercase letters in the new password. For more information, see User password management.

password/quality/forbidden/chars

Defines the characters and digits that are not allowed for passwords. For more information, see User password management.

password/quality/length/min

Sets the minimum length default for a password on a per UCS system basis for users not subject to a UDM password policy. The value yes applies checks from the python-cracklib. The value sufficient does not include python-cracklib checks. For more information, see User password management.

password/quality/mspolicy

Defines the standard Microsoft password complexity criteria. For more information, see User password management.

password/quality/required/chars

Defines individual characters/figures that are compulsory for passwords. For more information, see User password management.

pkgdb/scan

Controls if a UCS system stores installation processes in the software monitor. To turn it off, set the value no. For more information see Central monitoring of software installation statuses with the software monitor.

portal/auth-mode

Defines the authentication mode for the UCS portal. Set it to saml, if you want to activate SAML for single sign-on login. For more information see Login.

portal/default-dn

Defines the LDAP DN of the portal object that holds the data for the portal. After changing the variable value, run univention-portal update. For more information, see UCS portal page.

proxy/http

Defines the HTTP proxy server on the UCS host system. For more information, see Proxy access configuration.

proxy/https

Defines the HTTPS proxy server on the UCS host system. For more information, see Proxy access configuration.

proxy/no_proxy

Defines a list of domains that are not used over a HTTP proxy. Entries are separated by commas. For more information, see Proxy access configuration.

quota/logfile

To log the activation of quotas to a file, specify the file in this variable. For more information, see Evaluation of quota during login.

quota/userdefault

To disable the evaluation of user quota during login, set the value to no. For more information, see Evaluation of quota during login.

radius/mac/whitelisting

To only allow specific network devices access to a network through RADIUS, set the value to true. For more information, see MAC filtering.

radius/use-service-specific-password

To use a dedicated user password for RADIUS instead of the domain password, set the value to true. For more information, see Service specific password.

repository/mirror/server

Defines another repository server as source for the local mirror. Default value: updates.software-univention.de. For more information see Creating and updating a local repository.

repository/online/component/.*/unmaintained

DEPRECATED! Defines how to deal with unmaintained packages from additional repositories. To activate, set the value to yes. For more information see Configuration of the repository server for updates and package installations.

repository/online/server

The repository server used to check for updates and download packages. Default value: updates.software-univention.de. For more information see Configuration via Univention Configuration Registry.

samba/enable-msdfs

To enable Microsoft Distributed File System (MSDFS), set the value to yes and restart Samba. For more information, see Support for MSDFS.

samba/max/protocol

Configures the file service protocol that Samba uses on UCS. The allowed values NT1, SMB2, and SMB3. For more information, see File services.

samba/spoolss/architecture

Defines the system architecture for the print spooler in Samba. Set the values to Windows x64 when your environment contains 64-bit version of Microsoft Windows. For more information, see Mounting of print shares in Windows clients.

samba4/sysvol/sync/cron

Configures the synchronization time interval between Samba/AD domain controllers for the SYSVOL share. Default value is five minutes. For more information, see Synchronization of the SYSVOL share.

saml/idp/authsource

Allows Kerberos authentication at the SAML identity provider. Change to univention-negotiate to activate. The default is univention-ldap. For more information, see SAML identity provider.

saml/idp/entityID/supplement/[identifier]

Activates additional local identity providers for SAML on a UCS system serving as UCS Identity provider. To activate set the value to true. For more information see Extended Configuration.

saml/idp/negotiate/filter-subnets

Allows to restrict the Kerberos authentication at the SAML identity provider to certain IP subnetworks in the CIDR notation, for example 127.0.0.0/16,192.168.0.0/16. For more information, see SAML identity provider.

saml/idp/selfservice/account-verification/error-descr

Configures the error message description text for the Self Service. The text shows up for users that login through SSO with an unverified and self registered user account. For more information, see Account verification.

saml/idp/selfservice/account-verification/error-title

Configures the error message title for the Self Service. The title shows up for users that login through SSO with an unverified and self registered user account. For more information, see Account verification.

saml/idp/selfservice/check_email_verification

Controls if the SSO login denies logins from unverified and self registered user accounts. For more information, see Account verification.

security/packetfilter/disabled

To disable Univention firewall, set the value to true. For more information, see Packet filter with Univention Firewall.

self-service/backend-server

Defines the UCS system where the backend of the Self Service app is installed. For more information, see Password management via Self Service app.

server/password/change

Enables or disables the password rotation on a UCS system. Per default the password rotation is activated. For more information, see Management of computer accounts via Univention Management Console module.

server/password/interval

Defines the interval in days to regenerate the computer account password. The default is set to 21 days. For more information, see Management of computer accounts via Univention Management Console module.

server/role

Contains the name of the UCS system’s server role. For more information, see UCS system roles.

squid/auth/allowed_groups

To limit the access to the Squid web proxy, define a list of group names separated by semicolon (;). For more information, see User authentication on the proxy.

squid/allowfrom

Configures additional networks to allow access to the Squid web proxy. Separate the entries with blank spaces and use the CIDR notation, for example 192.0.2.0/24. For more information, see Restriction of access to permitted networks.

squid/basicauth

To activate direct authentication for the Squid web proxy against the LDAP server, set the value to yes and restart Squid. For more information, see User authentication on the proxy.

squid/cache

To deactivate the caching function of the Squid web proxy, set the value to no. For more information, see Caching of web content.

squid/httpport

Configures the port for Squid web proxy, where the daemon listens for incoming connections. The default value is 3128. For more information, see Access port.

squid/krb5auth

To activate authentication through Kerberos for the Squid web proxy, set the value to yes and restart Squid. For more information, see User authentication on the proxy.

squid/ntlmauth

To activate authentication for the Squid web proxy against the NTLM interface, set the value to yes and restart Squid. For more information, see User authentication on the proxy.

squid/ntlmauth/keepalive

To deactivate further NTML authentication for subsequent HTML requests to the same website, set the value to yes. For more information, see User authentication on the proxy.

squid/webports

Configures the list of permitted ports for the Squid web proxy. Separate entries with blank spaces. For more information, see Permitted ports.

sshd/permitroot

Configures how the SSH daemon permits login for the user root. The value without-password does not ask for the password interactively. The login requires the public SSH key. For more information, see SSH login to systems.

sshd/port

Configure the port that the SSH daemon uses to listen for connection. The default value is 22. For more information, see SSH login to systems.

sshd/xforwarding

Configures, if the SSH daemon allows X11 forwarding. Valid values are yes and no. For more information, see SSH login to systems.

ssl/validity/host

Records the expiry date of the local computer certificate on each UCS system. The value reflects the number of days since the 1970-01-01.

ssl/validity/root

Records the expiry date of the root certificate on each UCS system. The value reflects the number of days since the 1970-01-01.

ssl/validity/warning

Defines the warning period for the expiration check of the SSL/TLS root certificate. The default value is 30 days. See SSL certificate management.

system/stats

Enables or disables the logging of the system status. The default value is yes. For more information, see Logging the system status.

system/stats/cron

Configures the run times when univention-system-stats is run. The value follows the cron syntax. For more information, see Logging the system status.

timeserver

Configures the first external NTP timeserver. For more information, see Configuring the time zone / time synchronization.

timeserver2

Configures the second external NTP timeserver. For more information, see Configuring the time zone / time synchronization.

timeserver3

Configures the third external NTP timeserver. For more information, see Configuring the time zone / time synchronization.

ucr/check/type

If this option is yes, the correctness of type definitions and the type compatibility of values are always checked in Univention Configuration Registry. The setting of the value is aborted for unsuccessful checks. Default is no. For more information, see Setting UCR variables.

ucs/web/theme

Select the theme for UCS web interface. The value corresponds to a CSS file under /usr/share/univention-web/themes/ with the same name without filename extension.

umc/self-service/account-deregistration/enabled

To activate the Self Service deregistration, set the variable to True. For more information, see Self deregistration.

umc/self-service/account-verification/backend/enabled

Enables or disables the account verification and request of new verification tokens for the Self Service. For more information, see Account verification.

users/default/administrator

Configures the default user name for the domain administrator. The value might be changed during an AD Takeover. For more information, see Domain migration.

umc/http/session/timeout

Configures the time out period in seconds for the browser session after which the UCS management system requires a renewed sign in. The default value is 28800 seconds for 8 hours.

umc/web/oidc/enabled

If activated with true, the UMC first tries a single sign-on login through OpenID Connect before using the regular login. For more information, refer to Login.

umc/web/sso/enabled

If activated with true, the UMC first tries a single sign-on login through SAML before using the regular login. For more information, refer to Login.