Generic FusionDirectory Configurations

All the FD configuration is stored inside the ldap, in configs branch.

If you need to modify something, you can access to FD configuration by the 'Configuration' icon or entry in the 'Addons' section of the main page of FD GUI:

Access to configuration is read-only. If you need to make changes, then you must press the 'Edit' button at the bottom right of the window.

Below you will find an explanation of the different sections.

Look n feel

  • Language: Defines the default language used by FusionDirectory. Normally FusionDirectory autodetects the language from the browser settings. If this is not working or you want to force the language, just modify the language here.
  • Theme: (required) Defines what theme is used to display FusionDirectory pages. You can install some corporate identity like theme and/or modify certain templates to fit your needs within themes.
  • Timezone: (required) Defines the timezone used within FusionDirectory to handle date related tasks, such as password expiration, vacation messages, etc. The timezone value should be a unix conform timezone value like in /etc/timezone.

Schema setup

  • Schema validation: enables or disables schema checking during login. It is recommended to switch this on in order to let FusionDirectory handle object creation more efficiently.

Password settings

  • Password default hash: (required) Defines the default password hash to choose for new accounts.
    Valid values are crypt/standard-des, crypt/enhanced-des, crypt/md5, crypt/blowfish, crypt/sha-256, crypt/sha-512, smd5, md5, sasl, ssha, sha.
    These values will be overridden when using templates.
  • Force default hash: Enable/Disable force the use of the default password hash.
  • Password minimum length: Determines the minimum length of a new password entered to be considered valid. Note that this only affect passwords that are set by the user, not by the admins.
  • Password minimum differs: Determines how many characters that must be different from the previous password. Note that this only affect passwords that are set by the user, not by the admins.
  • Use account expiration: Enables shadow attribute tests during the login to FusionDirectory and forces password renewal or account locking.
  • SASL Realm: Defines the way the kerberos realm is stored in the userPassword attribute.
    Set it to REALM.NET in order to get {sasl}user@REALM.NET.
  • SASL Exop: Defines the attribute to be stored in the userPasword attribute. Set it to uid in order to get the {sasl}uid of the user.

Core settings

  • Display summary in listings: Determines whether a status bar will be shown on the bottom of FusionDirectory generated lists, displaying a short summary of type and number of elements in the list.
  • Edit locking: Enables FusionDirectory to check if a entry currently being edited has been modified from someone else outside FusionDirectory in the meantime. It will display an informative dialog then. It can be set to entryCSN for OpenLDAP based systems or contextCSN for Sun DS based systems.
  • Enable logging: Enables event logging on FusionDirectory side. Setting it to true, FusionDirectory will log every action a user performs via syslog. If you use rsyslog and configure it to mysql logging, you can browse all events within FusionDirectory.
  • LDAP size limit: Tells FusionDirectory to retrieve the specified maximum number of results. The user will get a warning, that not all entries were shown.

Login and session

  • Login attribute: (required) Defines which LDAP attribute is used in Fusiondirectory as the login name during login. It can be set to uid, mail or both.
  • Enforce encrypted connections: Enables PHP security checks to force encrypted access (https) to the web interface.
  • Warn if session is not encrypted: Enables PHP security checks to detect non encrypted access to the web interface. FusionDirectory will display a warning in this case.
  • Session lifetime: (required) Defines when a session will expire in seconds. For Debian systems, this will not work because the sessions will be removed by a cron job instead. Please modify the value inside of your php.ini instead.
  • HTTP authentification: Activate HTTP authentification (basic auth).
  • HTTP Header authentication: Activate HTTP header authentification (default LemonLDAP-NG method)
  • Header name: Define the name of the header you will use for HTTP Header Authentification

Snapshots / Undo

  • Enable snapshots: This enables you to save certain states of entries and restore them later on.
  • Snapshot base: Defines the base where snapshots should be stored inside of the LDAP.


  • Key path: Path of the private key for FusionDirectory on the server.
  • Certificate path: Path of the certifiate for FusionDirectory on the server.
  • CA certificate path: Path of the CA on the server.


  • Enable CAS: Enable CAS activation.
  • CA certificate path: Path of the CA for the CAS server.
  • Host: Host of the CAS Server.
  • Port: Port of the CAS Server.
  • CAS context: CAS context to be used.

People and group storage

:!: Pay attention to the changes in this section of the configuration :!:

  • People DN attribute: (required) Defines the attribute to use at the beginning of users dn. Possible values are uid and cn.
    In the first case FusionDirectory creates uid style DN entries:


    In the second case, FusionDirectory creates cn style DN entries:

     cn=Foo Bar,ou=staff,dc=example,dc=net 

    If you choose “cn” to be your 'People DN attribute' you can decide whether to include the personal title in your dn by selecting 'Include personal title in user DN'.

  • CN pattern: The pattern to use to build the common name field.
  • Strict naming policy: Enables strict checking of uids and group names. If you need characters like . or - inside of your accounts, don't enable this option.
  • GID/UID min id: Defines the minimum assignable user or group id to avoid security leaks with uid 0 accounts. This is used for the traditional method.
  • Next id hook: Defines a script to be called for finding the next free id for users or groups externally.
    The script will receive concerned dn as first argument, and 'uid' or 'gid' as second argument, it should output a single number to use as uidNumber or gidNumber.
  • Number base for people: Defines where to start looking for a new free user id.
    This should be synced with your adduser.conf to avoid overlapping uidNumber values between local and LDAP based lookups.
    The 'Number base for people' can even be dynamic.
  • Number base for groups: defines where to start looking for a new free group id.
    This should be synced with your adduser.conf to avoid overlapping gidNumber values between local and LDAP based lookups.
    The 'Number base for groups' can even be dynamic.
  • Users RDN: (required) Defines the location where new accounts will be created inside of defined departments. The default is ou=people.
  • Groups RDN: (required) Defines the location where new groups will be created inside of defined departments. The default is ou=groups.
  • ACL role RDN: The branch where ACL roles are stored.
  • Id allocation method: Method to allocate user/group ids.
  • Pool user id min: Minimum value for user id when using pool method.
  • Pool user id max: Maximum value for user id when using pool method.
  • Pool group id min: Minimum value for group id when using pool method.
  • Pool group id max: Maximum value for group id when using pool method.
  • Restrict role members: When enabled only users from the same branch or members of groups from the same branch can be added to a role.


  • Display errors: Defines whether to enable the display of PHP errors in the upper part of the screen. This should be disabled in productive deployments, because there might be some passwords in it.
  • Maximum LDAP query time: Tells FusionDirectory to stop LDAP actions if there is no answer within the specified number of seconds.
  • Log LDAP statistics: Tells FusionDirectory to track LDAP timing statistics to the syslog. This may help to find indexing problems or bad search filters.
  • Debug level: Display certains debug informations on each page load.
    Valid values are LDAP, Database, Shell, POST, SESSION, ACL, SI, Mail.
    The different values ​​can also be combined with each other.


  • Hooks: Defines hooks that are called when specific actions happens. Look here for more informations about hooks configuration.
  • Display hook output: Activate to display the hook output.
  • Available shells: Defines the available POSIX shells for FD users.
  • Show ACL tab on all objects: For very specific ACL rights setting where you might need to give right on a single object.
  • Available department categories: Available categories in the departments dropdown.
en/documentation/admin_installation/core_configuration.txt · Last modified: 2017/10/31 10:32 (external edit)
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0