 user(1m)		  Open Software Foundation		    user(1m)




 NAME
      user - A dcecp task object that manipulates user information in a DCE
      cell

 SYNOPSIS
      user create user_name_list -mypwd password -password password
      -group group_name -organization organization_name
      [-force]
      {-attribute attribute_list | -attribute value}

      user delete user_name_list

      user help [operation | -verbose]

      user operations

      user show user_name_list


 ARGUMENTS
      operation The name of the user operation for which to display help
		information.

      user_name_list
		A list of one or more names of principals to act on. Supply
		the names as follows:


		  +  Fully qualified principal names in the form
		     /.:/principal_name, /.../cell_name/principal_name, or
		     principal_name@cell_name.

		  +  Cell-relative principal names in the form
		     principal_name.  These names refer to a principal in
		     the cell identified in the _s(sec) convenience
		     variable, or if the _s(sec) convenience variable is not
		     set, in the local host's default cell.


		Do not mix fully qualified names and cell-relative names in
		a list. In addition, do not use the names of registry
		database objects that contain principal information; in
		other words, do not use names that begin with
		/.:/sec/principal/.


 DESCRIPTION
      The user task object represents all of the data associated with a DCE
      user.  This consists only of registry information in the current
      implementation.  The user task object allows administrators to easily
      create principals and accounts, delete principals and accounts, and



 Hewlett-Packard Company	    - 1 -	      OSF DCE 1.1/HP DCE 1.8

      view principal and account information.

      When it creates a principal and an account, the user task object adds
      the principal to a group and an organization, if necessary, and
      creates the group and organization if required.  Only the principal
      and account attributes are considered attributes of the user task
      object, and are the only ones displayed by the show operation.

      This object is implemented as a script to allow it to be manipulated
      and extended on a per-site basis.	 For example, administrators might
      want to add Global Directory Service (GDS) and Distributed File
      Service (DFS) information to the object.	Other possible modifications
      include the following:


	+  Changing the default ACLs placed on the various objects.

	+  Setting certain attributes or policies on all newly created
	   principals and accounts to match the site's policies.

	+  Setting up site specific defaults for passwords (to be changed by
	   the user later), groups, organizations, principal directories,
	   and so on.

	+  Supporting a modify operation.


 ATTRIBUTES
      acctvalid {yes | no}
		A flag set to determine account validity.  Its value is
		either yes or no.  An account with an acctvalid attribute
		set to no is invalid and cannot be logged in to.  The
		default is yes.

      alias value
		Used with the create operation. The value of this attribute
		must be yes or no.  Each principal can have only one name,
		but may have multiple alias names. All these names refer to
		the same principal and, therefore, the same Universal Unique
		Identifier (UUID) and UNIX ID (uid). While aliases refer to
		the same principal, they are separate entries in the
		registry database.  Therefore the name supplied to a user
		command can refer to either the primary name or an alias
		name of a principal.  The value of this attribute determines
		whether the name is a primary name (alias no) or an alias
		name (alias yes).  The default is no.

      client {yes | no}
		A flag set to indicate whether the account is for a
		principal that can act as a client.  The value of this
		attribute must be yes or no.  If you set it to yes, the
		principal is able to log in to the account and acquire
		tickets for authentication.  The default is yes.

      description
		A text string (limited to the Portable Character Set or PCS)
		typically used to describe the use of the account. The
		default is the empty string ("").

      dupkey {yes | no}
		A flag set to determine if tickets issued to the account's
		principal can have duplicate keys.  The value of this
		attribute must be yes or no.  The default is no.

		In DCE, this attribute is currently only advisory.  However,
		Kerberos clients and servers will use it when they interact
		with a DCE Security server.

      expdate  ISO_timestamp
		The date on which the account expires.	To renew the
		account, change the date in this field.	 Specify the time by
		using an ISO-compliant time format such as
		CCYY-MM-DD-hh:mm:ss or the string none.  The default is none.

      forwardabletkt {yes | no}
		A flag set to determine whether a new ticket-granting ticket
		with a network address that differs from the present
		ticket-granting ticket network address can be issued to the
		account's principal.  The proxiabletkt attribute performs
		the same function for service tickets. This attribute must
		have a value of yes or no.  The default is yes.

		In DCE, this attribute is currently only advisory.  However,
		Kerberos clients and servers will use it when they interact
		with a DCE Security server.

      fullname string
		Used with the create operation, this attribute specifies the
		full name of the principal.  It is for information purposes
		only.  It typically describes or expands a primary name to
		allow easy recognition by users.  For example, a principal
		could have a primary name of jsbach and a full name of
		Johann S. Bach.	 The value is a string.	 If it contains
		spaces, it is displayed in quotes, and on entry must be in
		quotations or braces (as per Tcl quoting rules).  If not
		entered, the full name defaults to the null string (that is,
		blank).

      goodsince ISO_timestamp
		The date and time the account was last known to be in an
		uncompromised state.  Any tickets granted before this date
		are invalid.  The value is an ISO timestamp.  When the
		account is initially created, the goodsince date is set to
		the current date. Control over this date is especially
		useful if you know that an account's password was
		compromised.  Changing the password can prevent the
		unauthorized principal from accessing the system again using
		that password, but the changed password does not prevent the
		principal from accessing the system components for which
		tickets were obtained fraudulently before the password was
		changed.  To eliminate the principal's access to the system,
		the tickets must be cancelled.

		The default is the time the account was created.

      group group_name
		The name of the group associated with the account.  The
		value is a single group name of an existing group in the
		registry.  This attribute must be specified for the user
		create command; it does not have a default value.

		If a group is deleted from the registry, all accounts
		associated with the group are also deleted.

      home directory_name
		The file system directory in which the principal is placed
		at login.  The default is the / directory.

      lastchange principal_name ISO_timestamp
		A list of two items.  The first is the principal name of the
		last modifier of the account; the second is an ISO timestamp
		showing the time of the last modification.  This attribute
		is set by the system whenever the account is modified; it
		cannot be set or modified directly.  The initial value
		consists of the principal name of the creator of the account
		and the time the account was created.

      organization organization_name
		The name of the organization associated with the account.
		The value is a single organization name of an existing
		organization in the registry.  This attribute must be
		specified for the user create command; it does not have a
		default value.

		If an organization is deleted from the registry, all
		accounts associated with the organization are also deleted.

      maxtktlife relative_time
		The maximum amount of time that a ticket can be valid.
		Specify the time by using the Distributed Time Service (DTS)
		relative time format ([-]DD-hh:mm:ss).	When a client
		requests a ticket to a server, the lifetime granted to the
		ticket takes into account the maxtktlife set for both the
		server and the client.	In other words, the lifetime cannot
		exceed the shorter of the server's or client's maxtktlife.
		If you do not specify a maxtktlife for an account, the
		maxtktlife defined as registry authorization policy is used.

      maxtktrenew relative_time
		The amount of time before a principal's ticket-granting
		ticket expires and that principal must log in to the system
		again to reauthenticate and obtain another ticket-granting
		ticket.	 Specify the time by using the DTS-relative time
		format ([-]DD-hh:mm:ss).  The lifetime of the principal's
		service tickets can never exceed the lifetime of the
		principal's ticket-granting ticket.  The shorter you make
		maxtktrenew, the greater the security of the system.
		However, since principals must log in again to renew their
		ticket-granting ticket, the time needs to balance user
		convenience against level of security required. If you do
		not specify this attribute for an account, the maxtktrenew
		lifetime defined as registry authorization policy is used.

		This feature is not currently used by DCE; any use of this
		option is unsupported at the present time.

      password password
		The password of the account. This attribute must be
		specified for the user create command; there is no default
		value.	This attribute is not returned by a user show
		command.

      postdatedtkt {yes | no}
		A flag set to determine whether tickets with a start time
		some time in the future can be issued to the account's
		principal. This attribute must have a value of yes or no.
		The default is no.

		In DCE, this attribute is currently only advisory.  However,
		Kerberos clients and servers will use it when they interact
		with a DCE Security server.

      proxiabletkt {yes | no}
		A flag set to determine whether a new ticket with a
		different network address than the present ticket can be
		issued to the account's principal.  The forwardabletkt
		attribute performs the same function for ticket-granting
		tickets.  This attribute must have a value of yes or no.
		The default is no.

		In DCE, this attribute is currently only advisory.  However,
		Kerberos clients and servers will use it when they interact
		with a DCE Security server.

      pwdvalid {yes | no}
		A flag set to determine whether the current password is
		valid.	If this flag is set to no, the next time a principal
		logs in to the account, the system prompts the principal to
		change the password.  (Note that this flag is separate from
		the pwdexpdate policy, which sets time limits on password
		validity.)  This attribute must have a value of yes or no.
		The default is yes.

      quota {quota | unlimited}
		Used with the create operation to specify the principal's
		object creation quota, which is the total number of registry
		objects that can be created by the principal.  It is either
		a non-negative number or the string unlimited.	A value of 0
		prohibits the principal from creating any registry objects.
		Each time a principal creates a registry object, this value
		is decremented for that principal.

      renewabletkt {yes | no}
		A flag set to determine if the ticket-granting ticket issued
		to the account's principal can be renewed.  If this flag is
		set to yes, the authentication service renews the ticket-
		granting ticket if its lifetime is valid.  This attribute
		must have a value of yes or no.	 The default is yes.

		In DCE, this attribute is currently only advisory.  However,
		Kerberos clients and servers will use it when they interact
		with a DCE Security server.

      reserved {yes | no}
		Indicates whether the principal object is reserved or not.
		The default is no.  This attribute may not be set or
		modified by the user.

      server {yes | no}
		A flag set to indicate whether the account is for a
		principal that can act as a server.  If the account is for a
		server that engages in authenticated communications, set
		this flag to yes.  This attribute must have a value of yes
		or no.	The default is yes.

      shell path_to_shell
		The path of the shell that is executed when a principal logs
		in. The legal value is any shell supported by the home cell.
		The default value is the empty string ("").

      stdtgtauth {yes | no}
		A flag set to determine whether service tickets issued to
		the account's principal use the standard DCE ticket-granting
		ticket authentication mechanism.  This attribute must have a
		value of yes or no.  The default is yes.

      uid value Used with the create operation, this attribute specifies
		the UNIX ID (uid) for the principal; the value is an integer.
		No two principals can have the same uid, but aliases of one
		principal share its uid.  If this attribute is not supplied, a
		uid is assigned to the principal automatically.

      uuid hexadecimal number
		Used with the create operation to specify the internal
		identifier, known as a UUID, for the principal. No two
		principals can have the same UUID, so do not use this option
		when creating more than one principal with a single create
		command.

		This option can also be used to adopt an orphaned UUID.
		Normally, the UUID for a new principal is generated by the
		registry. When data is tagged with a UUID of a principal
		that has been deleted from the registry, this option can be
		used to specify the old UUID for a new principal.  The UUID
		specified must be an orphan (a UUID for which no name exists
		in the registry).  An error occurs if you specify a name or
		UUID that is already defined in the registry.


      See the OSF DCE Administration Guide for more information about
      principal and account attributes.
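      The time formats and lifetime rules above, worked through in Python as
      an added example (not part of this reference page or of dcecp, which
      is itself a Tcl interpreter): parsing the DTS relative time format used
      by maxtktlife and maxtktrenew, the ISO timestamp format used by expdate
      and goodsince, the shorter-of-client-and-server rule for a ticket's
      lifetime with the registry policy value as fallback, and the goodsince
      rule that tickets granted before that date are invalid.  The registry
      policy value and the sample times are constructed; a timestamp without
      a UTC offset is taken as UTC, which is an assumption of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# DTS relative time, as documented for maxtktlife and maxtktrenew: [-]DD-hh:mm:ss
_DTS_RELATIVE = re.compile(r"^(-)?(\d+)-(\d{1,2}):(\d{1,2}):(\d{1,2})$")

# ISO timestamp as documented for expdate and goodsince: CCYY-MM-DD-hh:mm:ss.
# dcecp prints a longer form (1994-07-27-13:02:51.000+00:00I-----): fractional
# seconds, a UTC offset and a DTS inaccuracy suffix; the suffix is ignored here.
_ISO_TS = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})-(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.\d+)?(?:([+-]\d{2}):(\d{2}))?"
)


def parse_dts_relative(text):
    """Return a DTS relative time as a timedelta (negative when prefixed with '-')."""
    m = _DTS_RELATIVE.match(text.strip())
    if not m:
        raise ValueError("not a DTS relative time: %r" % text)
    sign, days, hours, minutes, seconds = m.groups()
    delta = timedelta(days=int(days), hours=int(hours),
                      minutes=int(minutes), seconds=int(seconds))
    return -delta if sign else delta


def parse_iso_timestamp(text):
    """Return an aware datetime, or None for the string 'none' (never expires).
    A timestamp without an offset is taken as UTC (assumption of this example)."""
    text = text.strip()
    if text == "none":
        return None
    m = _ISO_TS.match(text)
    if not m:
        raise ValueError("not an ISO timestamp: %r" % text)
    year, month, day, hh, mm, ss, tzh, tzm = m.groups()
    tz = timezone.utc
    if tzh is not None:
        offset = timedelta(hours=abs(int(tzh)), minutes=int(tzm))
        tz = timezone(-offset if tzh.startswith("-") else offset)
    return datetime(int(year), int(month), int(day),
                    int(hh), int(mm), int(ss), tzinfo=tz)


def effective_ticket_lifetime(client_maxtktlife, server_maxtktlife, policy_maxtktlife):
    """Lifetime granted to a service ticket: the shorter of the client's and the
    server's maxtktlife.  An account with no maxtktlife of its own (None) takes
    the value defined as registry authorization policy."""
    client = parse_dts_relative(client_maxtktlife or policy_maxtktlife)
    server = parse_dts_relative(server_maxtktlife or policy_maxtktlife)
    return min(client, server)


def ticket_valid_under_goodsince(issued_at, goodsince):
    """Tickets granted before the account's goodsince date are invalid whatever
    lifetime they were issued with; moving goodsince forward is how tickets
    obtained before a password compromise was handled get cancelled."""
    return parse_iso_timestamp(issued_at) >= parse_iso_timestamp(goodsince)


def account_expired(expdate, now):
    """True when the account's expdate (ISO timestamp or 'none') has passed."""
    exp = parse_iso_timestamp(expdate)
    return exp is not None and now >= exp


if __name__ == "__main__":
    # Constructed sample values; the registry policy value is an assumption.
    print(effective_ticket_lifetime("0-10:00:00", "0-08:00:00", "1-00:00:00"))
    print(ticket_valid_under_goodsince("1994-07-27-12:00:00",
                                       "1994-07-27-13:02:51.000+00:00I-----"))
```

      The effective lifetime is the minimum of two timedeltas, so a server
      with a short maxtktlife caps every client that talks to it, which is
      the direction an administrator usually wants the cap to work.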

 OPERATIONS
    user create
      Creates a principal name and an account for one or more DCE users.
      The syntax is as follows:

      user create user_name_list -mypwd password -password password
      -group group_name -organization organization_name
      [-force]
      {-attribute attribute_list | -attribute value}


      Options


      -attribute value
		As an alternative to using the -attribute option with an
		attribute list, you can specify individual attribute options
		by prepending a hyphen (-) to any attributes listed in the
		ATTRIBUTES section of this reference page.

      -attribute attribute_list
		Allows you to specify attributes, including ERAs, by using
		an attribute list rather than individual attribute options.
		The format of an attribute list is as follows:

		{{attribute value}...{attribute value}}


      -force	Forces creation of the specified group or organization if
		they do not exist.

      -group group_name
		The name of the group to associate with the account. See
		ATTRIBUTES for the format of a group name.

      -mypwd password
		Your privileged password. You must enter your privileged
		password to create an account.	This check prevents a
		malicious user from using an existing privileged session to
		create unauthorized accounts. You must specify this option
		on the command line; it cannot be supplied in a script.

      -organization organization_name
		The name of the organization to associate with the account.
		See ATTRIBUTES for the format of an organization name.

      -password password
		The account password.  See ATTRIBUTES for the format of a
		password.


      The create operation creates a principal name and an account for one
      or more DCE users.  The user_name_list argument is the name of one or
      more principals to be added to the registry.  This operation returns
      an empty string on success.  If the operation encounters an error, it
      attempts to undo any interim operations that have completed.

      This command creates one or more principals and accounts for them. If
      a principal or account already exists, an error is generated. Each
      principal is then added to the specified group and organization (since
      the principal has just been created, it cannot have been a member of
      any group or organization). If the group or organization does not
      exist, an error is generated unless the -force option is used.

      Attributes and policies for the newly created principal and account
      may be specified with the -attribute option (giving an attribute list
      as its value) or with individual attribute options.  This command
      attempts to add any unknown attributes as ERAs on the created
      principal object.	 Policies of the organization may not be specified,
      as they would probably affect more than the created user.	 The
      required group and organization names may be specified either as
      attributes in the -attribute list or via the -group and
      -organization options.  The required password attribute may be
      provided as in the account create command, and the -mypwd option is
      also required.
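      An added example, not part of this reference page or of dcecp, showing
      in Python how the attribute list and the other create arguments are
      assembled with Tcl brace quoting (the fullname attribute notes that a
      value with spaces must be braced or quoted on entry).  The -mypwd
      option is deliberately left out, since the page requires it on the
      command line rather than from a script; the helper names, the site
      defaults and the sample user are constructed for the example.

```python
# Characters that Tcl treats specially in a word; a value containing any of
# them (or whitespace) has to be brace-quoted to reach dcecp unchanged.
TCL_SPECIALS = set('{}[]$\\";')


def braces_balanced(value):
    """True when every '{' in value has a matching '}' (needed for brace quoting)."""
    depth = 0
    for ch in value:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def tcl_brace(value):
    """Quote one attribute value as dcecp (a Tcl interpreter) expects it.
    Single words pass through; a value with spaces or Tcl special characters
    is wrapped in braces.  Braces inside a brace-quoted value must balance,
    so unbalanced input is rejected rather than silently mangled."""
    value = str(value)
    if value == "":
        return "{}"
    if not any(ch.isspace() or ch in TCL_SPECIALS for ch in value):
        return value
    if not braces_balanced(value):
        raise ValueError("cannot brace-quote %r: unbalanced braces" % value)
    return "{" + value + "}"


def format_attribute_list(attrs):
    """Render {{attribute value} ... {attribute value}} for the -attribute option."""
    items = ["{%s %s}" % (name, tcl_brace(value)) for name, value in attrs.items()]
    return "{" + " ".join(items) + "}"


def build_user_create(user_names, password, group, organization,
                      attrs=None, force=False):
    """Assemble the 'user create' command line without -mypwd: the page states
    the privileged password must be given on the command line, never from a
    script, so the caller types that option interactively."""
    words = ["user", "create", tcl_brace(" ".join(user_names)),
             "-password", tcl_brace(password),
             "-group", tcl_brace(group), "-organization", tcl_brace(organization)]
    if force:
        words.append("-force")
    if attrs:
        words += ["-attribute", format_attribute_list(attrs)]
    return " ".join(words)


if __name__ == "__main__":
    # Constructed site defaults: force a password change at first login and
    # give the account an expiry instead of the default 'none'.
    print(build_user_create(["K_Parsons"], "change.me", "users", "users",
                            {"fullname": "Kim Parsons", "pwdvalid": "no",
                             "expdate": "1995-12-31-23:59:59"}))
```

      Multiple principal names become one braced Tcl list ({a b}), which is
      the form user_name_list takes; a single name is passed bare.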

      Privileges Required

      Because the user create command performs several operations, you need
      the permissions associated with each operation, as follows:


	+  To create the principal name, you must have i (insert) permission
	   to the directory in which the principal is to be created.

	+  If the specified groups or organizations do not already exist and
	   you use the -force option, you must have i (insert) permission to
	   the directories in which the groups and organizations are to be
	   created.

	+  To create the account, you must have m (mgmt_info), a
	   (auth_info), and u (user_info) permission to the principal named
	   in the account, r (read) permission to the organization named in
	   the account, r (read) permission to the group named in the
	   account, and r (read) permission on the registry policy object.


      Examples

      The following example creates a principal named K_Parsons and adds him
      to a group named users and an organization named users:

      dcecp> user create K_Parsons -mypwd 3kl_JL2 -password change.me \
      > -group users -organization users
      dcecp>

      dcecp> group list users
      /.../my_cell.goodco.com/W_Ross
      /.../my_cell.goodco.com/J_Severance
      /.../my_cell.goodco.com/J_Hunter
      /.../my_cell.goodco.com/B_Carr
      /.../my_cell.goodco.com/E_Vliet
      /.../my_cell.goodco.com/J_Egan
      /.../my_cell.goodco.com/F_Willis
      /.../my_cell.goodco.com/K_Parsons
      dcecp>

      dcecp> principal show K_Parsons
      {name K_Parsons}
      {fullname {}}
      {uid 5129}
      {uuid 00001409-a943-21cd-be00-0000c08adf56}
      {alias no}
      {reserved no}
      {quota unlimited}
      {groups users}
      dcecp>

      dcecp> account show K_Parsons
      {acctvalid yes}
      {client yes}
      {created /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
      {description {}}
      {dupkey no}
      {expdate none}
      {forwardabletkt yes}
      {goodsince 1994-07-27-13:02:51.000+00:00I-----}
      {group users}
      {home /}
      {lastchange /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
      {name K_Parsons}
      {organization users}
      {postdatedtkt no}
      {proxiabletkt no}
      {pwdvalid yes}
      {renewabletkt yes}
      {server yes}
      {shell {}}
      {stdtgtauth yes}
      dcecp>

      dcecp> user create jimbo@gumby_cell -mypwd beanie -password change.me \
      > -group none -organization none
      dcecp>

    user delete
      Deletes DCE users.  The syntax is as follows:

      user delete user_name_list


      The delete operation deletes the DCE users named in user_name_list.
      To delete a user, the operation proceeds as follows:


	+  Deletes the principal from the registry, which also deletes the
	   account and removes the principal from any groups and
	   organizations.

      This operation returns an empty string on success.

      Privileges Required

      Because the user delete command performs several operations, you need
      the permissions associated with each operation:


	+  You must have d (delete) permission to the directory in which the
	   target principal exists.

	+  You must have r (read) and D (Delete_object) permission on the
	   principal to be deleted.

	+  You must have r (read) and M (Member_list) permission on the
	   target groups and organizations and r (read) permission on the
	   member to be removed.

	+  To delete the account, you must have r (read), m (mgmt_info), a
	   (auth_info), and u (user_info) permissions for the principal
	   named in the account.


      Examples

      The following example deletes user K_Parsons from the cell:

      dcecp> user delete K_Parsons
      dcecp>


    user help
      Returns help information about the user task object and its
      operations.  The syntax is as follows:

      user help [operation | -verbose]


      Options


      -verbose	Displays information about the user task object.


      Used without an argument or option, the user help command returns
      brief information about each user operation. The optional operation
      argument is the name of an operation about which you want detailed
      information. Alternatively, you can use the -verbose option for more
      detailed information about the user task object itself.

      Privileges Required

      No special privileges are needed to use the user help command.

      Examples

      dcecp> user help
      create		  Creates a DCE user.
      delete		  Deletes a DCE user.
      show		  Shows the attributes of a DCE user.
      help		  Prints a summary of command-line options.
      operations	  Returns a list of the valid operations for this command.

      dcecp>


    user operations
      Returns a list of the operations supported by the user task object.
      The syntax is as follows:

      user operations


      The list of available operations is in alphabetical order except for
      help and operations, which are listed last.

      Privileges Required

      No special privileges are needed to use the user operations command.

      Examples

      dcecp> user operations
      create delete show help operations
      dcecp>


    user show
      Returns the attributes of a single DCE user.  The syntax is as
      follows:

      user show user_name_list


      The show operation returns the attributes of the users named in
      user_name_list. The information returned includes principal
      attributes, account attributes, and policies.  The information is
      returned as if the following commands were run in the following order:

      principal show
      account show -all


      Privileges Required

      You must have r (read) permission to the principal named in the
      account.

      Examples

      dcecp> user show K_Parsons
      {name K_Parsons}
      {fullname {}}
      {uid 5129}
      {uuid 00001409-a943-21cd-be00-0000c08adf56}
      {alias no}
      {reserved no}
      {quota unlimited}
      {groups users}
      {acctvalid yes}
      {client yes}
      {created /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
      {description {}}
      {dupkey no}
      {expdate none}
      {forwardabletkt yes}
      {goodsince 1994-07-27-13:02:51.000+00:00I-----}
      {group users}
      {home /}
      {lastchange /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
      {organization users}
      {postdatedtkt no}
      {proxiabletkt no}
      {pwdvalid yes}
      {renewabletkt yes}
      {server yes}
      {shell {}}
      {stdtgtauth yes}
      nopolicy
      dcecp>
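      The output format shown above (one braced {attribute value} pair per
      line, with the created and lastchange values holding a principal name
      and a timestamp), parsed and checked in Python as an added example that
      is not part of this reference page or of dcecp.  The sample input is a
      subset of the user show output printed above; the audit findings
      follow the attribute descriptions in ATTRIBUTES, except the "initial
      password never changed" heuristic (lastchange equal to created while
      pwdvalid is yes), which is an assumption of this example.

```python
def tcl_split(text):
    """Split one Tcl list into its elements: words separated by whitespace,
    with a braced element returned whole (outer braces stripped, nesting
    honoured), which is what dcecp's show output consists of."""
    elements, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
            continue
        if text[i] == "{":
            depth, j = 0, i
            while j < n:
                if text[j] == "{":
                    depth += 1
                elif text[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced braces in: %r" % text)
            elements.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace():
                j += 1
            elements.append(text[i:j])
            i = j
    return elements


def parse_user_show(output):
    """Turn the text printed by 'user show' into a dict attribute -> value.
    Two-item values (created, lastchange: modifier name and ISO timestamp)
    become a list; bare trailing words such as 'nopolicy' go under 'policy'."""
    attrs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("dcecp>"):
            continue
        if not line.startswith("{"):
            attrs.setdefault("policy", []).append(line)
            continue
        for entry in tcl_split(line):
            fields = tcl_split(entry)
            name, values = fields[0], fields[1:]
            attrs[name] = values[0] if len(values) == 1 else values
    return attrs


def audit_user(attrs):
    """Findings a reviewer would raise from the attributes this page documents.
    The lastchange-equals-created heuristic is an assumption of this example."""
    findings = []
    if attrs.get("acctvalid") == "no":
        findings.append("account disabled (acctvalid no)")
    if attrs.get("expdate") == "none":
        findings.append("account never expires (expdate none)")
    if attrs.get("pwdvalid") == "yes" and attrs.get("lastchange") == attrs.get("created"):
        findings.append("initial password never changed (lastchange equals created, pwdvalid yes)")
    if attrs.get("forwardabletkt") == "yes":
        findings.append("forwardable ticket-granting tickets allowed (advisory in DCE)")
    if attrs.get("server") == "yes" and attrs.get("client") == "yes":
        findings.append("account may act as both client and server")
    if attrs.get("quota") == "unlimited":
        findings.append("unlimited registry object creation quota")
    return findings


# Sample input: a subset of the 'user show K_Parsons' example on this page.
SAMPLE_USER_SHOW = """\
dcecp> user show K_Parsons
{name K_Parsons}
{fullname {}}
{uid 5129}
{uuid 00001409-a943-21cd-be00-0000c08adf56}
{alias no}
{quota unlimited}
{groups users}
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{expdate none}
{forwardabletkt yes}
{goodsince 1994-07-27-13:02:51.000+00:00I-----}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-07-27-13:02:51.000+00:00I-----}
{pwdvalid yes}
{server yes}
{shell {}}
nopolicy
dcecp>
"""

if __name__ == "__main__":
    for finding in audit_user(parse_user_show(SAMPLE_USER_SHOW)):
        print("K_Parsons:", finding)
```

      Run over the page's example, the audit reports the never-expiring
      account, the unchanged initial password and the default client/server
      and forwardable-ticket flags, which is the list a site script for the
      user object (see DESCRIPTION) would typically tighten.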


 RELATED INFORMATION
      Commands: dcecp(1m), dcecp_account(1m), dcecp_group(1m),
      dcecp_organization(1m), dcecp_principal(1m), dcecp_xattrschema(1m).