 rgy_edit(1m)		  Open Software Foundation		rgy_edit(1m)




 NAME
      rgy_edit - Edits the registry database

 SYNOPSIS
      rgy_edit [[[-a | -p | -g | -o] [-s name] [-up[date]]
      [-v [-f] [name | -un[ix_number]] [-nq]] | -l]


 OPTIONS
      The following options are supplied when rgy_edit is invoked. You can
      specify only one of the options -a, -p, -g, and -o.  If you specify
      the -l option, you can specify no other options.


      -a (default)
		Edits or views accounts.

      -p	Edits or views principals.

      -g	Edits or views groups.

      -o	Edits or views organizations.

      -s	Binds to the registry site specified by name.  The name
		variable is either the fully qualified name of the cell that
		contains the registry to which you want access, or the fully
		qualified name of a specific registry server.

      -up[date] Binds to a read-write registry site in the cell specified by
		the -s option.

      -v	Views the registry entry specified by name or unix_number.
		If no entry is specified, all entries are viewed.

      -f	Displays in full the entry (or entries) selected by the -v
		option.	 The full entry includes all fields except the
		membership list and organization policy.

      -nq	Specifies that delete operations will not be queried.  The
		default is to prompt the user for verification when a delete
		operation is requested.

      -l	Edits or views entries in the local registry.


 NOTES
      With the exception of the following subcommands, this command is
      replaced at Revision 1.1 by the dcecp command.  This command may be
      fully replaced by the dcecp command in a future release of DCE, and
      may no longer be supported at that time.




 Hewlett-Packard Company	    - 1 -	      OSF DCE 1.1/HP DCE 1.8






	+  defaults

	+  domain

	+  scope

	+  help

	+  quit

	+  exit


	+  delete

	+  purge

	+  view


 DESCRIPTION
      The rgy_edit tool views and edits information in the registry
      database.	 You can invoke rgy_edit from any node.

      You can edit and view principals, groups, organizations, accounts, and
      policies in the network registry (the default) or perform a subset of
      those functions on the local registry (using the -l option). Changes
      made by rgy_edit apply only to the registry. They do not apply to the
      local override file or the local password and group files, both of
      which can be edited manually. You can view and change only those
      registry objects to which you are granted the appropriate permissions.

    Invoking rgy_edit
      When you invoke rgy_edit, it displays the following prompt:

      rgy_edit=>

      At this prompt, you can enter any of the rgy_edit subcommands, and
      rgy_edit will prompt you for the required information.  Alternatively,
      you can enter the subcommand followed by all the options required to
      perform a specific operation. The rgy_edit command may prompt you for
      any required information you do not enter.

 SUBCOMMANDS
      In the rgy_edit subcommands that follow, use two double quotation
      marks with nothing in between to indicate a null fullname, password,
      misc, homedir, or shell. Use double quotation marks to embed spaces
      or hyphens in fullname, misc, and homedir if you specify the argument
      on the command line.





    Principal, Group, and Organization Subcommands
      v[iew] [name | -u unix_number] [-f] [-m] [-po]

      Views registry entries.  Whether name applies to a principal, group,
      or organization depends on the domain in which you run rgy_edit.	Use
      the do[main] subcommand (described in Miscellaneous Commands, later in
      this reference page) to change domains.

      If you specify the -u unix_number option, rgy_edit displays all
      matching entries, including any aliases.

      The -f option displays entries in full (all fields except the
      membership list and organization policy).

      If you are viewing groups or organizations, -m displays the membership
      list.  For principals, -m lists all groups of which the principal is a
      member, including groups that cannot appear in a project list.

      If you are viewing organizations, -po displays policy information. If
      you do not enter the -po option, rgy_edit shows only the
      organization's name and the UNIX number.

      a[dd] [principal_name [unix_number] [-f fullname] [-al] [-q quota]]
      a[dd] [group_name	 [unix_number] [-f fullname [-nl]]] [-al] ls
      a[dd] [organization_name [unix_number] [-f fullname]]

      Creates a new name entry.

      If you do not specify principal_name, group_name, or
      organization_name, the add subcommand prompts you for each field in
      the entry.  If you are adding organizations, the command prompts you
      for policy information as well. If you specify only principal_name,
      group_name, or organization_name and no other arguments, the object's
      fullname defaults to "" (that is, blank), the object's UNIX number is
      assigned automatically, and the object's creation quota defaults to
      unlimited.

      Use the -al option to create an alias for an existing principal or
      group. No two principals or groups can have the same UNIX number, but
      a principal or group and all its aliases share the same UNIX number.
      The -al option creates an alias name for a principal or group and
      assigns the alias name the same UNIX number as the principal or group.

      The -q option specifies the principal's object creation quota, the
      total number of registry objects that can be created by the principal.
      If you do not specify this option, the object creation quota defaults
      to unlimited.

      For groups, the -nl option indicates that the group is not to be
      included on project lists; omitting this option allows the group to
      appear on project lists.




      c[hange] [principal_name [-n name] [-f fullname] [-al | -pr] [-q
      quota]]
      c[hange] [group_name [-n name] [-f fullname] [-nl | -l] ] [-al | -pr]
      c[hange] [organization_name [-n name] [-f fullname]]


      Changes a principal, group, or organization.

      Specify the entry to change with principal_name, group_name, or
      organization_name. If you do not specify a principal_name, group_name,
      or organization_name, the change subcommand prompts you for a name.
      If you do not specify any fields, the subcommand prompts you for each
      field in succession. To leave a field unchanged, press <RETURN> at the
      prompt.  If you are changing organization entries in the interactive
      mode, the subcommand prompts you for policy information as well.

      Use -n name and -f fullname to specify a new primary name or
      fullname, respectively.

      For principals and groups, the -al option changes a primary name into
      an alias, and the -pr option changes an alias into a primary name.
      This change can be made only from the command line, not in the
      interactive mode.

      The -q option specifies the total number of registry objects that can
      be created by the principal.

      For group entries, the -nl option disallows the group from appearing
      in project lists, while the -l option allows the group to appear in
      project lists.

      For organization entries, you can change policy information only in
      the interactive mode.

      Changes to a principal name are reflected in membership lists that
      contain the principal name. For example, if the principal ludwig is a
      member of the group composers and the principal name is changed to
      louis, the membership list for composers is automatically changed to
      include louis but not ludwig.

      For reserved names, you can change only fullname.


      m[ember] [group_name | organization_name [-a member_list] [-r
      member_list] ]


      Edits the membership list for a group or organization.

      If you do not specify a group or organization, the member subcommand
      prompts you for names to add or remove.



      To add names or aliases to a membership list, use the -a option
      followed by the names separated by commas. To delete names from a
      membership list, use the -r option followed by the names separated by
      commas.  If you do not include either the -a or -r option on the
      command line, rgy_edit prompts you for names to add or remove.

      Removing names from the membership list for a group or organization
      has the side effect of deleting the login account for the removed
      member (and, of course, eliminating any permissions granted as a
      result of the membership the next time the member's ticket-granting
      ticket is renewed).


      del[ete] name


      Deletes a registry entry.

      If you delete a principal, rgy_edit deletes the principal's account.
      If you delete a group or organization, rgy_edit deletes any accounts
      associated with the group or organization.  You cannot delete reserved
      principals.


      adopt uuid principal_name [-u unix_number] [ -f fullname] [-q quota]
      adopt uuid group_name [-f fullname] [-nl]
      adopt uuid organization_name [-f fullname]


      Creates a principal, group, or organization for the specified UUID.

      The principal, group, or organization is created to adopt an orphan
      object.  Orphans are registry objects that cannot be accessed because
      1) they are owned by UUIDs that are not associated with a principal or
      group and 2) no other principal, group, or organization has access
      rights to the orphaned object.  UUIDs are associated with all registry
      objects when the object is created.  When the registry object is
      deleted, the association between the object and the UUID is also
      deleted.

      The principal_name, group_name, or organization_name you specify must
      be unique in the registry as it must be when you create a principal,
      group, or organization using the add subcommand.	Except for the
      manner in which it is created, the principal, group, or organization
      created by the adopt subcommand is no different from any other
      principal, group, or organization.

      The uuid option specifies the UUID number to be assigned to the
      principal, group, or organization. The UUID supplied must be the one
      that owns the orphaned object. Specify the uuid in RPC print string
      format as 8 hexadecimal digits, a hyphen; 4 hexadecimal digits, a
      hyphen; 4 hexadecimal digits, a hyphen; 4 hexadecimal digits, a
      hyphen; and 12 hexadecimal digits.  The format follows:

      nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn

      For cell principals only, the -u option specifies the UNIX number to
      be associated with the cell name.	 If you do not enter this option,
      the next sequential UNIX number is supplied as a default. For all
      principals other than cells, the UNIX number is extracted from
      information embedded in the principal's UUID and cannot be specified
      here.

      For principals, the -q option specifies the principal's object
      creation quota.  If you do not enter the option, the object creation
      quota is set to "unlimited."

      For groups, the -nl option turns off the project list inclusion
      property so that groups are not included in project lists.  If you do
      not enter this option, the group is included in project lists.

      For principals, groups, and organizations, the -f option supplies the
      object's fullname.  If you do not enter the -f option, fullname
      defaults to blank.

      An error occurs if you specify a name or UNIX number that is already
      defined within the same domain of the database.


      Note that in the current implementation of the DCE, UNIX numbers are
      embedded in UUID numbers. If you try to create a group or organization
      to adopt an orphaned object and fail, it could be because the embedded
      UNIX number is invalid because it does not fall within the range of
      valid UNIX numbers set for the cell as a registry property.  If this
      is the case, you must reset the range of valid UNIX numbers to include
      the UNIX number embedded in the UUID and then try again to adopt the
      object.

    Account Subcommands
      v[iew] [pname [gname [oname]]] [-f]


      Displays login accounts.

      Without the -f option, view displays only the user fields in each
      account entry. These fields include each account's


	+  Principal, group, and organization name

	+  Encrypted password




	+  Miscellaneous information

	+  Home directory

	+  Login shell


      With -f, view displays the full entry, including the administrative
      fields as well as the user fields.  Administrative information
      includes:


	+  Who created the account

	+  When the account was created

	+  Who last changed the account

	+  When the account was last changed

	+  When the account expires

	+  Whether the account is valid

	+  Whether the account principal's password is valid

	+  When the account principal's password was last changed


      a[dd] [pname [-g gname -o oname -mp password {-rp | -pw password}
      [-m misc] [-h homedir] [-s shell]
      [-pnv | -pv] [-x account_exp | none] [-anv | -av]
      [ [-ena[ble] option | -dis[able] option]...]
      [-gs date_and_time] [-mcr lifespan] [-mcl lifespan]]]


      Creates a login account.

      If you enter the subcommand only or the subcommand and the optional
      pname argument (principal name), rgy_edit prompts you for all
      information.  If you enter the subcommand, the pname argument, and the
      gname (group name) argument or the pname, gname, and oname
      (organization name) arguments, you must also enter the -mp option and
      the -pw or -rp option.  All other options are optional.

      The pname argument specifies the principal for whom the account should
      be created. The -g and -o options specify the account's group and
      organization.  If the principal specified in pname is not already a
      member of the specified group and organization, rgy_edit automatically
      attempts to add the principal to the membership lists.  If you do not
      have the appropriate permissions for the group and organization, the
      attempt will fail and the account will not be created.

      The -rp option generates a random password for the account. The
      primary use of this option is to create passwords for accounts that
      will not be logged into (since the random password can never be
      supplied). The -pw option is used to supply a password for the account
      on the command line.

      If you use the -rp option or the -pw option, you must also use the -mp
      option to supply your password so your identity can be validated.

      If you do not specify the -rp option or the -pw option, rgy_edit
      prompts for the account's password twice to ensure you did not make a
      typing mistake. Then it prompts for your password to verify your
      identity.

      If the user's password management policy allows the selection of
      generated passwords, specifying "*" as the argument to the -pw option
      or at the account's password prompt automatically generates a
      plaintext password.

      If the user's password management policy requires the selection of
      generated passwords, specifying the -pw option is an error. rgy_edit
      displays a generated password and then prompts for the password for
      confirmation.  The format of the password must adhere to the policy of
      the associated organization or the policy of the registry as a whole,
      whichever is more restrictive.

      The information supplied with the -m option is used to create the
      GECOS field for the account in the /etc/passwd file. If you run the
      passwd_export command, this entry contains the concatenation of the
      principal's full name and the information specified with the -m
      option.

      The -h option specifies the pathname of the principal's home
      directory.  The default homedir is /. The -s option specifies the
      pathname of the principal's login shell.	The default shell is a null
      string.

      The -pnv (password not valid) option specifies that the password has
      expired. Generally, users must change their passwords when the
      passwords expire. However, the policy to handle expired passwords and
      the mechanism by which users change their passwords are defined for
      each platform, usually through the login facility.  The -pv option
      indicates the password is not expired (the default).

      The -x option sets an expiration date for the account in
      yy/mm/dd/hh/mm/ss format. The default is "none," meaning that the
      password will never expire.





      The -anv (account not valid) option specifies that the account is not
      currently valid for login. The -av option indicates the account is
      currently valid (the default).

      The -enable and -disable options set or clear the following options:


	+  The c[lient] option, if enabled, allows the principal to act as
	   a client and log in, acquire tickets, and be authenticated.
	   If you disable client, the principal cannot act as a client.  The
	   default is enabled.

	+  The s[erver] option, if enabled, allows the principal to act as a
	   server and engage in authenticated communication.  If you disable
	   server, the principal cannot act as a server that engages in
	   authenticated communication. The default is enabled.

	+  The po[stdated] option, if enabled, allows tickets with a start
	   time some time in the future to be issued to the account's
	   principal. The default is disabled.

	+  The f[orwardable] option, if enabled, allows a new ticket-
	   granting ticket with a network address that differs from the
	   present ticket-granting ticket address to be issued to the
	   account's principal.	 The default is enabled.

	+  The pr[oxiable] option, if enabled, allows a new ticket with a
	   different network address than the present ticket to be issued to
	   the account's principal.   The default is disabled.

	+  The T[GT_authentication] option, if enabled, specifies that
	   tickets issued to the account's principal can use the ticket-
	   granting-ticket authentication mechanism.  The default is
	   enabled.

	+  The r[enewable] option turns on the Kerberos V5 renewable ticket
	   feature. This feature is not currently used by the DCE; any use
	   of this option is unsupported at the present time.

	+  The dup[_session_key] option allows tickets issued to the
	   account's principal to have duplicate keys.	The default is
	   disabled.


      The -gs (good since date) is the date and time the account was last
      known to be valid. When accounts are created, this date is set to the
      account creation time.  If you change the good since date, any tickets
      issued before the changed date are invalid.  Enter the date in
      yy/mm/dd.hh:mm format.





      The -mcr (maximum certificate renewable) option is the number of hours
      before a session with the principal's identity expires and the
      principal must log in again to reauthenticate. The default is 4 weeks.

      The -mcl (maximum certificate lifetime) option is the number of hours
      before the Authentication Service must renew a principal's service
      certificates.  This is handled automatically and requires no action on
      the part of the principal. The default is 1 day.

      c[hange] [-p pname] [-g gname] [-o oname]
      [-np pname] [-ng gname] [-no oname]
      [{-rp | -pw password} -mp password]
      [-m misc] [-h homedir] [-s shell]
      [-pnv | -pv] [-x account_exp | none] [-anv | -av]
      [[-ena[ble] option | -dis[able] option]...]
      [-gs date_and_time] [-mcr lifespan] [-mcl lifespan]


      Changes an account.

      The -p, -g, and -o options identify the account to change. The -np,
      -ng, and -no options change the account's principal, group, and
      organization, respectively.

      If you do not specify all three -p, -g, and -o options, wildcard
      updates can occur.  For example, if you specify only the -g option,
      the changes affect all accounts that are associated with the named
      group.  Note that you cannot use wildcarding to change passwords. To
      change a password, you must enter the -p, -g, and -o options.
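
      The wildcard rule above can be checked before a batch of change
      lines is fed to rgy_edit. The following is an added example, not part
      of the original reference page or of DCE; the function name and the
      sample lines are hypothetical, and it assumes the lines are
      account-domain change subcommands using only the options in the
      synopsis above.

```python
import shlex

# Options of the account-domain change subcommand, as listed in its synopsis.
TAKES_ARGUMENT = {"-p", "-g", "-o", "-np", "-ng", "-no", "-pw", "-mp", "-m",
                  "-h", "-s", "-x", "-gs", "-mcr", "-mcl"}
FLAGS = {"-rp", "-pnv", "-pv", "-anv", "-av"}
SELECTORS = ("-p", "-g", "-o")


def _abbreviates(word, full, minimum):
    """True if word is full, or a prefix of it at least minimum characters long."""
    return len(word) >= minimum and full.startswith(word)


def lint_account_change(line):
    """Classify one change line and list what a reviewer should look at."""
    words = shlex.split(line)  # double quotes embed spaces; "" is a null value
    if not words or not _abbreviates(words[0], "change", 1):
        raise ValueError("not a c[hange] subcommand")

    present, selected, i = set(), {}, 1
    while i < len(words):
        word = words[i]
        if _abbreviates(word, "-enable", 4) or _abbreviates(word, "-disable", 4):
            name, takes_argument = word, True
        elif word in TAKES_ARGUMENT:
            name, takes_argument = word, True
        elif word in FLAGS:
            name, takes_argument = word, False
        else:
            raise ValueError(f"unrecognized option {word!r}")
        present.add(name)
        if takes_argument:
            if i + 1 >= len(words):
                raise ValueError(f"{word} needs an argument")
            if name in SELECTORS:
                selected[name] = words[i + 1]  # password values are never kept
            i += 2
        else:
            i += 1

    missing = [opt for opt in SELECTORS if opt not in selected]
    findings = []
    if missing:
        findings.append("wildcard update: " + ", ".join(missing) + " not given, "
                        "so every account matching the other selectors changes")
        if present & {"-pw", "-rp"}:
            findings.append("password change needs -p, -g and -o together")
    return {"wildcard": bool(missing), "selected": selected, "findings": findings}


if __name__ == "__main__":
    # Constructed sample lines; the names are illustrative only.
    samples = [
        'c -g composers -anv',
        'change -p ludwig -g composers -o classical -pw "new pass" -mp "my pass"',
        'c -g composers -rp -mp "my pass"',
    ]
    for sample in samples:
        result = lint_account_change(sample)
        print(sample.split(" -")[0], result["selected"], result["findings"])
```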

      All other options have the same meaning as described in the add
      command for accounts.  Note that the -rp option can be used to change
      the random passwords of the reserved accounts created by sec_create_db
      when the registry database is created.

      del[ete] -p pname [-g gname] [-o oname]


      Deletes the specified account.

      Enter the -p option to delete the specified principal's account.
      Enter the -g or -o option to delete accounts associated with the
      specified group or organization.	If you enter the -g or -o option,
      rgy_edit prompts individually for whether to delete each account
      associated with the group or organization.

      ce[ll] cellname [-ul unix_num] [-uf unix_num] [-gl gname] [-ol oname]
      [-gf gname] [-of oname] [-mp passwd]
      [-fa name] [-fp passwd]
      [-q quota] [-x account_expiration_date | none]




      Creates a cross-cell authentication account in the local and foreign
      cells.

      This account allows local principals to access objects in the foreign
      cell as authenticated users and vice versa. The administrator in the
      foreign cell must have also set up a standard account, whose ID and
      password the administrator of the foreign cell must supply to you.

      The cellname variable specifies the full pathname of the foreign cell
      with which you will establish the cross-cell authentication account.
      This name is stripped of the path qualifier and prefixed with
      "krbtgt." The resulting name is used as the primary name for the
      cross-cell authentication account. For example, if you enter
      /.../dresden.com, the principal name is krbtgt/dresden.com.

      The -ul option specifies the UNIX number for the local cell's
      principal.  The -uf option specifies the UNIX number for the foreign
      cell's principal.	 If you do not specify these UNIX numbers, they are
      generated automatically.

      The -gl and -ol options specify the local account's group and
      organization. The -gf and -of options specify the foreign account's
      group and organization.

      The -mp option specifies the password of the person who invoked
      rgy_edit.

      The -fa option specifies the name identifying the account in the
      foreign cell, and the -fp option specifies the account's password.

      The -q option specifies the total number of objects that can be
      created in your cell's registry by all foreign users who use the
      cross-cell authentication account to access your cell.  The object
      creation quota defaults to 0 (zero), meaning that principals in the
      foreign cell cannot create objects in the local cell. The object
      creation quota set for your cell's account in the foreign cell places
      the same restriction on the number of objects that your cell's
      principals can create in the foreign cell's registry.

      The -x option specifies the account expiration date for both the local
      and foreign accounts. The default for this option is "none."

      Note that the object creation quota for the local account defaults to
      0 (zero), meaning that principals in the foreign cell cannot create
      objects in the local cell. You can change this with the rgy_edit
      change subcommand.


    Key Management Subcommands
      The key management subcommands must be run in command-line mode.




      kta[dd] -p principal_name [-pw password] [-a[uto]] [-r[egistry]] [-f
      keyfile]

      Creates a password for a server or machine in the keytab file on the
      local node.

      The -p option specifies the name of the server or machine principal
      for which you are creating a password.

      The -pw option lets you supply the password on the command line.	If
      you do not enter this option or the -auto option, ktadd prompts for
      the password.

      The -a option generates the password randomly.  If you use this
      option, you must also use the -r option.  If you do not specify the
      -auto or the -pw option, you are prompted for a password.

      The -r option updates the principal's password in the registry to
      match the string you enter (or automatically generate) for the
      password in the keytab file.  Use it to ensure that the principal's
      password in the registry and the keytab file are in synch when you
      change a principal's password in the keytab file.	 To use this option,
      a password for the principal must exist in the default keytab file or
      the keytab file named by the -f option.

      The -f option specifies the name of the server keytab file on the
      local node to which you are adding the password. If you do not specify
      a keytab file name, /krb5/v5srvtab is used. Note that you must be root
      to add entries in the default keytab file.

      ktl[ist] [-p principal_name] [-f keyfile]


      Displays principal names and password version numbers in the local
      keytab file.

      The -p option specifies the name of the server or machine principal
      for which you are displaying passwords.

      The -f option specifies the name of the server keytab file on the
      local node for which you want to display entries. If you do not
      specify a keytab file name, /krb5/v5srvtab is used.

      ktd[elete] -p principal_name -v version_number [-f keyfile]


      Deletes a server or machine principal's password entry from a keytab
      file.

      The -p option specifies the name of the server or machine principal
      for whom you are deleting a password entry.



      The -v option specifies the version number of the password you want to
      delete.  Version numbers are assigned to a principal's password
      whenever the principal's password is changed.  This allows any servers
      or machines still using tickets granted under the old password to run
      without interruption until the ticket expires naturally.

      The -f option specifies the name of the server keytab file on the
      local node from which you want to delete passwords. If you do not
      specify a keytab file name, /krb5/v5srvtab is used.  Note that you
      must be root to delete entries in the default keytab file.  You must
      have the appropriate access rights to delete entries in other keytab
      files.

    Miscellaneous Commands
      do[main] [p | g | o | a]


      Changes or displays the type of registry information being viewed or
      edited.

      You can specify p for principals, g for groups, o for organizations,
      or a for accounts. If you supply no argument, rgy_edit displays the
      current domain.

      si[te] [[name]] [-u[pdate]]


      Changes or displays the registry site being viewed or edited.

      The name variable is the fully qualified name of the cell that
      contains the registry to which you want access. If you supply no
      argument, rgy_edit displays the current site.

      The -update option indicates you want to talk to an update site in the
      specified cell.

      prop[erties]

      Changes or displays registry properties.

      This command prompts you for changes. Press <Return> to leave
      information unchanged.

      po[licy] [organization_name] [-al lifespan | forever] [-pl
      passwd_lifespan | forever]
      [-px passwd_exp_date | none] [-pm passwd_min_length] [-pa | -pna] [-ps
      | -pns]


      Changes or displays registry standard policy or the policy for an
      organization.



      Enter organization_name to display or change policy for that specific
      organization.  If you do not enter organization_name the subcommand
      affects standard policy for the entire registry.

      The -al option determines the account's lifespan, the period during
      which accounts are valid.  After this period of time passes, the
      accounts become invalid and must be recreated.  An account's lifespan
      is also controlled by the -x option of the add and change subcommands.
      If the two lifespans conflict, the shorter one is used.  Enter the
      lifespan in the following format, where weeks, days, hours, and
      minutes are numbers:

      weekswdaysdhourshminutesm

      For example, 4 weeks and 5 days is entered as 4w5d.

      If you enter only a number and no weeks, days, or hours designation,
      the designation defaults to hours.  If you end the lifespan with a
      number and no weeks, days, or hours designation, the number with no
      designation defaults to seconds.  For example, 12w30 is assumed to be
      12 weeks and thirty seconds.
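
      The two defaulting rules above give a bare number a different meaning
      depending on where it appears. The following parser is an added
      example, not part of the original reference page or of DCE; it
      assumes the unit letters w, d, h, and m must appear in that order and
      in lower case, and the function name is hypothetical.

```python
import re

# Unit letters from the format line: weeks w, days d, hours h, minutes m.
UNIT_SECONDS = {"w": 7 * 24 * 3600, "d": 24 * 3600, "h": 3600, "m": 60}
UNIT_ORDER = "wdhm"  # assumption: units appear in the order the format line gives

_TOKEN = re.compile(r"(\d+)([wdhm]?)")


def parse_lifespan(text):
    """Return a lifespan in seconds, or None for the keyword 'forever'."""
    text = text.strip()
    if text == "forever":
        return None

    tokens, pos = [], 0
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"unexpected character at offset {pos} in {text!r}")
        tokens.append((int(match.group(1)), match.group(2)))
        pos = match.end()
    if not tokens:
        raise ValueError("empty lifespan")

    # A number on its own, with no designation at all, is a count of hours.
    if len(tokens) == 1 and tokens[0][1] == "":
        return tokens[0][0] * UNIT_SECONDS["h"]

    total, last_rank = 0, -1
    for number, unit in tokens:
        if unit == "":
            # Digits are matched greedily, so only the final token can lack a
            # unit letter; a trailing bare number is a count of seconds.
            total += number
            continue
        rank = UNIT_ORDER.index(unit)
        if rank <= last_rank:
            raise ValueError(f"unit {unit!r} repeated or out of order in {text!r}")
        last_rank = rank
        total += number * UNIT_SECONDS[unit]
    return total


if __name__ == "__main__":
    # Constructed sample values; "30" alone and the "30" in "12w30" differ
    # by a factor of 3600.
    for sample in ("30", "12w30", "1d12h30m", "forever"):
        print(f"{sample:>10} -> {parse_lifespan(sample)}")
```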

      The -pl option determines the password lifespan, the period of time
      before an account's password expires. Generally, users must change their
      passwords when the passwords expire. However, the policy to handle
      expired passwords and the mechanism by which users change their
      passwords are defined for each platform, usually through the login
      facility.

      Enter passwd_lifespan as a number indicating the number of days.	If
      you define a password lifespan as forever, the password has an
      unlimited lifespan.

      The -px option specifies the password expiration date in
      yy/mm/dd/hh.mm:ss format. Generally, users must change their passwords
      when the passwords expire. However, the policy to handle expired
      passwords and the mechanism by which users change their passwords are
      defined for each platform, usually through the login facility.

      If you define a password expiration date as none, the password has an
      unlimited lifespan.

      The -pm, -ps, -pns, -pa, and -pna options all control the format of
      passwords as follows:


	+  -pm - Specifies the minimum length of passwords in characters.
	   If you enter 0, no password minimum length is in effect.

	+  -ps and -pns - Specify whether passwords can contain all spaces
	   (-ps) or cannot be all spaces (-pns).




	+  -pa and -pna - Specify whether passwords can consist of all
	   alphanumeric characters (-pa) or must include some
	   non-alphanumeric characters (-pna).


      au[th_policy]


      Changes and/or displays registry authentication policies.

      This command prompts you for changes. Press <Return> to leave
      information unchanged.

      def[aults]


      Changes or displays the home directory, login shell, password valid
      option, account expiration date, and account valid option default
      values that rgy_edit uses.

      This command first displays the current defaults.	 It then prompts you
      for whether or not you want to make changes. If you make changes,
      defaults immediately changes the defaults for the current session,
      and it saves the new defaults in ~/.rgy_editrc.  The newly saved
      defaults are used until you change them.

      h[elp] [command]


      Displays usage information for rgy_edit.

      If you do not specify a particular command, rgy_edit lists the
      available commands.

      q[uit]


      Exit rgy_edit.

      e[xit]


      Exit rgy_edit.

      l[ogin]


      Lets you establish a new network identity for use during the rgy_edit
      session.





      The rgy_edit login command prompts for a principal name and password.

      sc[ope] [name]


      Limits the scope of the information displayed by the view subcommand
      to the directory (specified by name) in the registry database.

    Commands for the Local Registry
      To edit or view the local registry, invoke rgy_edit with the -l option
      while you are logged into the machine whose local registry you want to
      maintain.	 This section lists the commands that are valid for editing
      or viewing the local registry.  When you invoke rgy_edit with the -l
      option, only the subcommands and options listed here can be used.

      v[iew]


      Displays local registry entries.

      del[ete] principal_name


      Deletes the account and credential information for principal_name from
      the local registry.

      pu[rge]


      Purges expired local registry entries.

      This command has no options or arguments.

      The time limit, or lifespan, for which an entry in the local registry
      is valid is set as a property of the local registry with the
      properties subcommand.  When the purge subcommand is run, it deletes
      all expired entries.  The lifespan begins when an entry for the
      principal is added to the local registry (that is, the beginning of
      the lifespan is the last time the principal logged in to the local
      machine). The lifespan ends after the time limit set as a local
      registry property.

      pr[operties]


      Changes and/or displays local registry properties and policies.

      This command displays the current properties and then prompts for
      whether you want to make changes to them.	 You can change the local
      registry's:




	+  Capacity - A number representing the total number of entries the
	   local registry can contain at any one time. When the capacity is
	   reached, subsequent new entries overwrite the oldest entries.

	+  Account lifespan - The time during which an account in the local
	   registry is valid, entered in the following format:

	   weekswdaysdhourshminutesm

	   For example, 4 weeks and 5 days is entered as 4w5d.

	   If you enter only a number and no weeks, days, or hours
	   designation, the designation defaults to hours.  If you end the
	   lifespan with a number and no weeks, days, or hours designation,
	   the number with no designation defaults to seconds.  For example,
	   12w30 is assumed to be 12 weeks thirty seconds.
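
      The lifespan format described for the -al policy option and for the
      local registry's Account lifespan property, as an added example (not
      part of the original manual page or of DCE): a strict Python parser.
      The name parse_lifespan and the rule that designations appear at most
      once, in the order w, d, h, m, are assumptions of this example.

```python
import re
from datetime import timedelta

# Designations in the order the manual lists them, with seconds per unit.
UNITS = (("w", 604800), ("d", 86400), ("h", 3600), ("m", 60))
_TOKEN = re.compile(r"([0-9]+)([a-z]?)")


def parse_lifespan(text: str) -> timedelta:
    """Convert a lifespan such as '4w5d' or '12w30' to a timedelta."""
    tokens = _TOKEN.findall(text)
    # Every character must belong to a number (+ optional designation) token,
    # so stray letters, spaces and signs are rejected instead of ignored.
    if not tokens or "".join(n + u for n, u in tokens) != text:
        raise ValueError(f"unparseable lifespan: {text!r}")

    # A lone number with no designation is taken as hours.
    if len(tokens) == 1 and tokens[0][1] == "":
        return timedelta(hours=int(tokens[0][0]))

    order = [u for u, _ in UNITS]
    seconds, last_index = 0, -1
    for number, unit in tokens:
        if unit == "":
            # Only the final token can lack a designation (the check above
            # guarantees it); after designated parts it counts as seconds.
            seconds += int(number)
            continue
        if unit not in order:
            raise ValueError(f"unknown designation {unit!r} in {text!r}")
        index = order.index(unit)
        if index <= last_index:  # assumption: fixed order, no repeats
            raise ValueError(f"designation {unit!r} out of order in {text!r}")
        last_index = index
        seconds += int(number) * UNITS[index][1]
    return timedelta(seconds=seconds)


if __name__ == "__main__":
    # Constructed sample inputs; the last two are rejected.
    for sample in ("4w5d", "30", "12w30", "1d2h3m", "5d4w", "3x"):
        try:
            print(f"{sample:>8} -> {parse_lifespan(sample)}")
        except ValueError as err:
            print(f"{sample:>8} -> rejected ({err})")
```

      The same digits mean different units depending on position: 30 alone
      is 30 hours, while the 30 in 12w30 is 30 seconds, so writing every
      designation explicitly avoids setting a policy other than the one
      intended.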





































