Compaq DCE for OpenVMS VAX and OpenVMS Alpha

Document revision date: 5 July 2000

Compaq DCE for OpenVMS VAX and OpenVMS Alpha
Reference Guide

Contents

Index

FULL_NAME=string --- An optional string that is used to more fully qualify a primary name. If the name contains spaces, lowercase characters, or any other special characters, enclose the string in quotes. The default is no full name.

NAME=name --- The standard name (primary or alias) that is associated with the DCE account. If the name contains spaces, lowercase characters, or any other special characters, enclose the string in quotes. The default is to take the username from the system authorization file (SYSUAF) record, edit it according to the CASE keyword, and then use this as the principal name.

OBJECT_CREATION_QUOTA=number --- The number of registry objects that can be created by the principal. If you do not specify this keyword, then no quota is established and the principal can create an unlimited number of registry objects.

UNIX_ID=number --- The required UNIX identifier that is associated with the principal. If a primary principal is being created, you can omit the UNIX ID and one is generated automatically. If an alias principal is being created, you must specify the UNIX ID of the corresponding primary principal.

CASE=keyword --- Specifies how the principal name should be formatted. For example, to specify that the principal name should be all lowercase, use /PRINCIPAL=CASE=LOWERCASE.

noedit --- This is the default and indicates that no formatting should be performed.

lowercase[=n1,[n2]] --- Convert the principal name so that the first n1 characters and last n2 are lowercase, and the remainder are uppercase. If you do not specify a value for n1, the entire principal is converted to lowercase. If you do not specify a value for n2, 0 is used.

uppercase[=n1,[n2]] --- Convert the principal name so that the first n1 characters and last n2 are uppercase, and the remainder are lowercase. If you do not specify a value for n1, the entire principal is converted to uppercase. If you do not specify a value for n2, 0 is used.

/RENEWABLE_LIFETIME=hours

Specifies the amount of time, in hours, before a principal's ticket-granting ticket expires and that principal must log in to the system again to reauthenticate and obtain another ticket-granting ticket.

If not specified, the maximum certificate renewable lifetime defined as registry authorization policy is used.

Description

The DCE IMPORT command creates DCE accounts, and optionally principals, based on existing VMS account information. It also creates entries in the DCE$IMPORT exclude file.
The DCE IMPORT function reads the specified record(s) from the OpenVMS system authorization file (SYSUAF) and for each selected account performs the following:

If a DCE$UAF record for this OpenVMS account already exists, the account is not imported. (An existing DCE$UAF record is an indication that this OpenVMS account has already been imported.)
If an entry for this OpenVMS account exists in the IMPORT exclude file, the account is not imported. (An entry in the IMPORT exclude file signifies that this OpenVMS account should not be imported.)
Otherwise, an attempt is made to create the DCE principal and account. If the principal and account are successfully created, then the matching DCE$UAF record is also created.

Although the DCE principal and account are created if they do not already exist, the group and organization entries are not created. This is done purposely to eliminate the risk of creating erroneous groups and organizations.
If either the DCE principal or account already exists, it is treated as a success and the corresponding DCE$UAF entry is created. Use the DCE$UAF utility if you want to create DCE$UAF entries for existing principals and accounts.
DCE IMPORT has two modes, interactive and noninteractive. Refer to the description of the /INTERACTIVE qualifier for details.
If you do not specify /DCE_LOGIN, you are prompted for your principal name and password (nonechoed) before any account processing begins. This is true in interactive and noninteractive mode.

Examples

This section shows the dialog during an interactive IMPORT session. The dialog is very similar to RGY_EDIT create account dialog; the order of questions and the defaults are often the same.
Each question requires input from the user (note that in this context the user is probably the system administrator), and most questions offer a default. Some defaults vary depending upon the answers to previous questions, and some vary depending upon how you answered the same question before. This second feature is known as sticky input and reduces the amount of input the user must type. Some defaults are reset each time you start on a new OpenVMS account while others are carried forward to the next account; this is intra-account sticky input and inter-account sticky input, respectively.
All text comparisons are made case-blind. All nonquoted input obtained from the command line qualifiers is converted to uppercase. Input obtained from interactive questions is not converted to uppercase.
The OpenVMS account details are displayed for the first (or current, or next) account as follows:
OpenVMS Account Details: Username: SMITH Owner: John Smith Account: OVMS c - create DCE account using regular script a - create DCE account using abbreviated script x - add this OpenVMS account to the IMPORT exclude list s - skip this OpenVMS account e - exit IMPORT Enter option (c/a/x/s/e) [c]:)
Default: c
Sticky Input: Inter-Account
Valid Responses: c a x s e
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
The OpenVMS account details are displayed for the first (or current) account and the user is asked which action is required for this account.
If the user enters c or a then the dialog continues from step 2.
If the user enters x then an entry is created in the IMPORT exclude file for this account and the dialog continues from step 1.
If the user enters s then the current OpenVMS account is not processed any further, the next OpenVMS account (if any) is selected and the dialog continues from step 1.
If the user enters e the IMPORT utility terminates.
Enter DCE account details: Principal [smith]:
Default: The username from the current system authorization (SYSUAF) record, converted to lowercase.
Sticky Input: Intra-Account
Valid Responses: Any string, except null
Case-Sensitive: Yes
Invalid Response causes question to be re-asked: No
The user either enters a different principal name for the account or accepts the default.
If the principal is already is use, an error is displayed and the dialog restarts from step 1.
An invalid response causes the dialog to restart from step 1.
The principal "smith" does not exist in the DCE registry. Do you want to create the principal (y/n) [y]:
Default: y
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
If the user enters n then restart from step 1, otherwise continue.
Enter details for DCE Principal "smith": Alias (y/n) [n]:
Default: n
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
UNIX number (-1 means auto-assign) [-1]:
Default: -1
Sticky Input: Intra-Account
Valid Responses: Integer in range -1 through 65535
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Full Name [John Smith]:
Default: The owner from the current system authorization (SYSUAF) record.
Sticky Input: Intra-Account
Valid Responses: Any string, including null string
Case-Sensitive: Yes
Invalid Response causes question to be re-asked: Yes
Object Creation Quota (-1 means unlimited) [-1]:
Default: -1
Sticky Input: Inter-Account
Valid Responses: -1, 0 or Positive Integer.
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
OK to create this principal now (y/n) [y]:
Default: y
Sticky Input: No
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
If the user enters n then the dialog restarts from step 1.
If the user enters y, an attempt is made to create the principal. If the principal creation fails, an error message is displayed and the dialog restarts from step 1. Otherwise, the principal is successfully created and the dialog continues.
Group [none]:
Default: none
Sticky Input: Inter-Account
Valid Responses: Any string, excluding null string
Case-Sensitive: Yes
Invalid Response causes question to be re-asked: Yes
A check is made to see if the group exists. If the group does not exist, then an error message is displayed and the question is repeated.
Organization [none]:
Default: none
Sticky Input: Inter-Account
Valid Responses: Any string, excluding null string
Case-Sensitive: Yes
Invalid Response causes question to be re-asked: Yes
A check is made to see if the organization exists. If the organization does not exist, then an error message is displayed and the question is repeated.
Enter Password (null means no valid password) []:
Default: Null string
Sticky Input: No
Valid Responses: Any string, including null string
Case-Sensitive: No
Invalid Response causes question to be re-asked: No
The response is not echoed as the user enters it.
If a null string is entered, IMPORT does not set a valid password on the DCE account and the account user is only able to log in using his or her OpenVMS password.
Retype password:
Default: No default
Sticky Input: No
Valid Responses: Any string, including null string
Case-Sensitive: No
Invalid Response causes question to be re-asked: No
The user reenters the password for verification. If the verification check fails then an error message is displayed and the dialog continues from step 11.
This question is skipped if a password was not entered in step 11.
If the create abbreviated option was taken in step 1, the dialog now jumps to step 31, assuming that all further questions had been answered with a RETURN to accept their defaults.
Enter misc info []:
Default: Null string
Sticky Input: Inter-Account
Valid Responses: Any string, including null string
Case-Sensitive: Yes
Invalid Response causes question to be re-asked: Yes
User inputs optional miscellaneous data.
Enter home directory [/]:
Default: /
Sticky Input: Intra-Account
Valid Responses: Any string, including null string
Case-Sensitive: Yes
Invalid Response causes question to be re-asked: Yes
Enter shell []:
Default: Null string
Sticky Input: Inter-Account
Valid Responses: Any string, including null string
Case-Sensitive: Yes
Invalid Response causes question to be re-asked: No
Password valid (y/n) [y]:
Default: y
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
This question is omitted if a password was not provided in step 11.
Enter expiration date (standard VMS time format or none) [none]:
Default: none
Sticky Input: Inter-Account
Valid Responses: OpenVMS standard date/time or none
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
If the date/time is in the past then it is considered invalid.
Allow account to be client principal (y/n) [y]:
Default: y
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Account valid for login (y/n) [y]:
Default: If the disuser flag from the current system authorization (SYSUAF) record is set, the default is n; otherwise, the default is y.
Sticky Input: Intra-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Allow account to obtain post-dated certificates (y/n) [n]:
Default: n
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Allow account to obtain forwardable certificates (y/n) [y]:
Default: y
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Allow certificates to this account to be issued via TGT authentication (y/n) [y]:
Default: y
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Allow account to obtain renewable certificates (y/n) [y]:
Default: y
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Allow account to obtain proxiable certificates (y/n) [n]:
Default: n
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Allow account to obtain duplicate session keys (y/n) [n]:
Default: n
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Good since date (standard VMS time) [current-date-time]:
Default: Current date/time
Sticky Input: Intra-Account
Valid Responses: OpenVMS standard date/time
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Create/Change authorization policy for this account (y/n) [n]:
Default: n
Sticky Input: Inter-Account
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
If the user answers n the dialog continues from step 31.
Enter maximum certificate lifetime in hours (0 means forever) [8]:
Default: Taken from registry authorization policy
Sticky Input: Intra-Account
Valid Responses: Positive integer, including 0
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
Enter maximum certificate-renewable lifetime in hours (0 means forever) [168]:
Default: Taken from registry authorization policy
Sticky Input: Intra-Account
Valid Responses: Positive integer, including 0
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
OK to create DCE account based on above (y/n) [y]:
Default: y
Sticky Input: No
Valid Responses: y n
Case-Sensitive: No
Invalid Response causes question to be re-asked: Yes
If /NOCONFIRM was specified, then this question is not asked.
If the /RECAP qualifier was specified, then immediately before this question details of the account about to be created are displayed.
If the user answers n, an account not created message is displayed and the dialog starts again, for the same OpenVMS account, from step 1.
If the user answers y or if /NOCONFIRM was specified, then an attempt is made to create the DCE account. If the account creation succeeds, then a success message is displayed and the dialog starts for the next OpenVMS account from step 1. If the DCE account creation fails, then an error message is displayed and the dialog starts again, for the same OpenVMS account, from step 1.

Following is an example of an interactive IMPORT command:

IMPORT> IMPORT SMITH OpenVMS Account Details: Username: SMITH Owner: John Smith Account: OVMS c - create DCE account using regular script a - create DCE account using abbreviated script x - add this OpenVMS account to the IMPORT exclude list s - skip this OpenVMS account e - exit IMPORT Enter option (c/a/x/s/e) [c]: c Enter DCE account details: Principal [smith]: The principal "smith" does not exist in the DCE registry. Do you want to create the principal (y/n) [y]: Enter details for DCE Principal "smith": Alias (y/n) [n]: UNIX number (-1 means auto-assign) [-1]: Full Name [John Smith]: Object Creation Quota (-1 means unlimited) [-1]: OK to create this principal now (y/n) [y]: Principal "smith" successfully created. Group [none]: DCE Organization [none]: OpenVMS Enter Password (null means no valid password) []: Retype password: Enter misc info []: Enter home directory [/]: Enter shell []: Password valid (y/n) [y]: Enter expiration date (standard VMS time format or none) [none]: Allow account to be server principal (y/n) [y]: Allow account to be client principal (y/n) [y]: Account valid for login (y/n) [y]: Allow account to obtain post-dated certificates (y/n) [n]: Allow account to obtain forwardable certificates (y/n) [y]: Allow certificates to this account to be issued via TGT authentication (y/n) [y]: Allow account to obtain renewable certificates (y/n) [y]: Allow account to obtain proxiable certificates (y/n) [n]: Allow account to obtain duplicate session keys (y/n) [n]: Good since date (standard VMS time) [current-date-time]: Create/Change authorization policy for this account (y/n) [n]: OK to create DCE account based on above (y/n) [y]: DCE Account successfully created. IMPORT>

SHOW/EXCLUDE

Displays OpenVMS usernames in the IMPORT exclude list.

Synopsis

SHOW/EXCLUDE [USERNAME] /ALL /OUTPUT=output

Parameters

USERNAME
Specifies the name of the OpenVMS account to be displayed from the IMPORT exclude list. Full OpenVMS wildcarding is allowed. If you specify a value or values for the USERNAME parameter, you cannot specify the /ALL qualifier.

Qualifiers

/ALL
Specifies that all IMPORT exclude entries are to be displayed. If you do not specify a username, then this qualifier is assumed.
/OUTPUT=output
Specifies the location at which the output is written. The default is SYS$OUTPUT:.

Description

The SHOW/EXCLUDE command displays OpenVMS usernames from the IMPORT exclude list.

Contents

Index

privacy and legal statement

6533_DCE_REF_PRO_002.HTML

Compaq DCE for OpenVMS VAX and OpenVMS AlphaReference Guide

/RENEWABLE_LIFETIME=hours

Description

Examples

SHOW/EXCLUDE

Synopsis

Parameters

USERNAME

Qualifiers

/ALL

/OUTPUT=output

Description

Compaq DCE for OpenVMS VAX and OpenVMS Alpha
Reference Guide