Exits the DCE$UAF utility.
EXIT
The EXIT command allows you to leave the DCE$UAF utility and return to DCL. You can also exit DCE$UAF by entering Ctrl/Z.
Modifies an existing record in the DCE Authorization file (DCE$UAF).
MODIFY USERNAME [DCE-NAME] /FLAGS=flags /[NO]LOG
USERNAME
DCE$UAF record to be modified.
DCE-NAME
New DCE principal name to be associated with USERNAME. If the principal exists in a different DCE cell from the current DCE cell, specify the DCE name in the format principal@cell.
If the DCE name contains lowercase characters, spaces, or other special characters, enclose the entire string in quotes. If this argument is not specified, the DCE principal is not changed.
/FLAGS=([NO]keyword[,...])
Changes the special attributes that are stored with the DCE$UAF record. The keywords you can specify are documented in the ADD command.
Only those flags that are specified are changed; all other flags remain unchanged. To remove a flag, use the negated form.
If you specify the dce flag, you must specify a DCE name for this entry in DCE-NAME.
/LOG (default)
/NOLOG
Controls whether or not a message is displayed after a record has been modified.
The MODIFY command modifies existing records in the DCE authorization file (DCE$UAF).
Removes entries from the DCE Authorization file (DCE$UAF) that do not have a matching entry in the System Authorization file (SYSUAF).
PURGE /[NO]CONFIRM /[NO]LOG /[NO]WARNING
/CONFIRM
/NOCONFIRM (default)
Controls whether or not the user is asked for confirmation before a DCE$UAF record is deleted.
/LOG (default)
/NOLOG
Controls whether or not a message is displayed after each record has been deleted.
/WARNING (default)
/NOWARNING
Controls whether or not the user is asked the following:
Do you really want to delete entries from the DCE$UAF file?
The PURGE command removes entries from the DCE Authorization file (DCE$UAF) that do not have a matching entry in the System Authorization file (SYSUAF).
Note that the ANALYZE/DCEUAF command lists the records that are candidates for purging.
Deletes a record from the DCE Authorization file (DCE$UAF).
REMOVE USERNAME /[NO]CONFIRM /[NO]LOG
USERNAME
OpenVMS username of the DCE$UAF record that is to be deleted. Full OpenVMS wildcarding is supported.
/CONFIRM
/NOCONFIRM (default)
Controls whether or not the user is asked for confirmation before the deletion occurs.
/LOG (default)
/NOLOG
Controls whether or not a message is displayed after the record has been deleted.
The REMOVE command deletes a record from the DCE Authorization file (DCE$UAF). Full OpenVMS wildcarding is supported. After calling this command, the specified user can no longer use Integrated Login.
Controls whether command lines in command procedures are displayed at the terminal or are printed in a batch job log.
SET [NO]VERIFY
The SET VERIFY command controls whether command lines in command procedures are displayed at the terminal or are printed in a batch job log. The information displayed by the SET VERIFY command can help you in debugging command procedures.
Displays records from the DCE Authorization file (DCE$UAF).
SHOW NAME /DCENAME /FORMAT=ADD_COMMAND /FORMAT=REMOVE_COMMAND /OUTPUT=output /VMSNAME /[NO]WILD
NAME
OpenVMS username or the DCE name of the DCE$UAF record(s) that is to be displayed. Full OpenVMS wildcarding is allowed.
By default, the name is assumed to be an OpenVMS username. If NAME is to be interpreted as a DCE name, specify /DCENAME. If the DCE name contains lowercase characters, spaces, or other special characters, enclose the entire string in quotes.
/DCENAME
Specifies that NAME is to be interpreted as a DCE name.
/FORMAT=ADD_COMMAND
When used with the /OUTPUT=output qualifier, produces output that can later be entered into DCE$UAF as valid ADD commands. See the Example section for more information.
/FORMAT=REMOVE_COMMAND
When used with the /OUTPUT=output qualifier, produces output that can later be entered into DCE$UAF as valid REMOVE commands.
You can use this qualifier and a command procedure to remove wildcarded entries from the DCE$UAF file. (The REMOVE command does not support wildcards.) For example, to delete all of the entries that belong to server accounts in your DCE$UAF file, enter the following:
DCE$UAF> SHOW *SERVER* /FORMAT=REMOVE_COMMAND /OUTPUT=REM.COM
DCE$UAF> @REM
See the Example section for more information.
/OUTPUT=output
Determines where the output is written.
The default is SYS$OUTPUT:.
/VMSNAME (default)
Specifies that NAME is to be interpreted as an OpenVMS account name. This is the default.
/WILD (default)
/NOWILD
Specifies whether or not standard OpenVMS wildcarding is to be applied to NAME. The default is /WILD, which means a NAME of "SM*" is interpreted as meaning "match any name starting SM". If /NOWILD is specified, the NAME "SM*" is searched for.
The SHOW command displays the DCE$UAF record for the specified user(s).
DCE$UAF> SHOW S*
SMITH "smith@/.../othercell.dce.dec.com"
SILVER "silver@/.../othercell.dce.dec.com"
DCE$UAF> SHOW S* /FORMAT=ADD_COMMAND
ADD SMITH "smith@/.../othercell.dce.dec.com"
ADD SILVER "silver@/.../othercell.dce.dec.com"
DCE$UAF> SHOW S* /FORMAT=REMOVE_COMMAND
REMOVE SMITH ! "smith@/.../othercell.dce.dec.com"
REMOVE SILVER ! "silver@/.../othercell.dce.dec.com"
DCE$UAF>
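Added example (not part of the original manual or the DCE product): a Python review script for a file written with SHOW /FORMAT=ADD_COMMAND /OUTPUT=output, using the ADD line layout shown in the example above. It lists OpenVMS usernames that map to the same DCE name and names given in principal@cell form, and it sets aside any line it cannot parse instead of guessing. The sample records JONES, BACKUP_SVC and BROKEN, the function names, and the two review criteria are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample of a file written with SHOW * /FORMAT=ADD_COMMAND /OUTPUT=file.
# JONES, BACKUP_SVC and BROKEN are made-up records for this example.
SAMPLE_EXPORT = '''\
ADD SMITH "smith@/.../othercell.dce.dec.com"
ADD SILVER "silver@/.../othercell.dce.dec.com"
ADD JONES "jones"
ADD BACKUP_SVC "smith@/.../othercell.dce.dec.com"
! comment line
ADD BROKEN "unterminated
'''

# ADD <vms-username> <dce-name>: the DCE name is quoted or a bare token,
# optionally followed by a "!" comment. Anything else is not accepted.
ADD_LINE = re.compile(
    r'^ADD\s+(\S+)\s+(?:"([^"]*)"|([^\s"!]+))\s*(?:!.*)?$', re.IGNORECASE)


def parse_export(text):
    """Return (records, rejected). Rejected lines need manual review."""
    records, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        m = ADD_LINE.match(line)
        if not m:
            rejected.append((lineno, raw))
            continue
        dce_name = m.group(2) if m.group(2) is not None else m.group(3)
        # principal@cell form is used when the principal is in another cell
        principal, _, cell = dce_name.partition("@")
        records.append({
            "username": m.group(1).upper(),  # OpenVMS usernames are uppercase
            "dce_name": dce_name,            # DCE names keep their case
            "principal": principal,
            "cell": cell or None,
        })
    return records, rejected


def audit(records, local_cell=None):
    """Group the mappings a reviewer would want to look at first."""
    by_dce_name = defaultdict(list)
    for r in records:
        by_dce_name[r["dce_name"]].append(r["username"])
    # One DCE name reachable from several OpenVMS accounts
    shared = {name: sorted(users)
              for name, users in by_dce_name.items() if len(users) > 1}
    # Names in principal@cell form whose cell is not the stated local cell
    cross_cell = sorted(r["username"] for r in records
                        if r["cell"] is not None and r["cell"] != local_cell)
    return {"shared_principals": shared, "cross_cell": cross_cell}


if __name__ == "__main__":
    recs, bad = parse_export(SAMPLE_EXPORT)
    report = audit(recs)
    for name, users in report["shared_principals"].items():
        print("shared DCE name", name, "->", ", ".join(users))
    print("principal@cell records:", ", ".join(report["cross_cell"]))
    for lineno, raw in bad:
        print("unparsed line", lineno, ":", raw)
```
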
Displays the key definitions created with the DEFINE/KEY command.
SHOW/KEY [KEY-NAME] /ALL /[NO]BRIEF /DIRECTORY /[NO]FULL /[NO]STATE
KEY-NAME
Specifies the name of the key whose definition you want displayed. For a list of valid key names, see the DEFINE/KEY command.
/ALL
Displays all key definitions in the current state (or the state specified with the /STATE qualifier). If you use the /ALL qualifier, do not specify a key name.
/BRIEF (default)
/NOBRIEF
Displays only the key definition and state. The /BRIEF and /NOFULL qualifiers are equivalent.
/DIRECTORY
Displays the names of all states for which keys have been defined. If you have not specified a state with a key definition, the SHOW/KEY/DIRECTORY command displays DEFAULT for the state.
You cannot use the /DIRECTORY qualifier with any of the other SHOW/KEY qualifiers.
/FULL
/NOFULL (default)
Displays all qualifiers associated with a definition. By default, only the state of the definition and the definition itself are displayed. The /NOFULL and /BRIEF qualifiers are equivalent.
/STATE=(state-name[,...])
/NOSTATE
Displays the key definitions for the specified state. If you specify only one state name, you can omit the parentheses. State names can be any appropriate alphanumeric string. State names are created with the DEFINE/KEY command.
If you omit the /STATE qualifier or use the /NOSTATE qualifier, key definitions in the current state are displayed.
The SHOW/KEY command displays the key definitions created with the DEFINE/KEY command.
Displays the version number of the DCE$UAF utility.
SHOW/VERSION
The SHOW/VERSION command displays the version number of the DCE$UAF utility.
Creates a subprocess of the current process.
SPAWN [COMMAND-STRING] /[NO]CARRIAGE_CONTROL /[NO]CLI /INPUT /[NO]KEYPAD /[NO]LOG /[NO]LOGICAL_NAMES /[NO]NOTIFY /OUTPUT /PROCESS /PROMPT /[NO]SYMBOLS /TABLE /[NO]WAIT
COMMAND-STRING
Specifies a DCL command string of less than 132 characters that is to be executed in the context of the created subprocess. When the command completes execution, the subprocess terminates and control returns to the parent process. If both a command string and the /INPUT qualifier are specified, the specified command string executes before additional commands are obtained from the /INPUT qualifier.
/CARRIAGE_CONTROL
/NOCARRIAGE_CONTROL
Determines whether carriage-return and line-feed characters are prefixed to the subprocess's prompt string. By default, SPAWN copies the current setting of the parent process.
/CLI=cli-filespec
/NOCLI
Specifies the name of a command language interpreter (CLI) to be used by the subprocess. The default CLI is the same as the parent process (defined in SYSUAF). If you specify the /CLI qualifier, the attributes of the parent process are copied to the subprocess.
The CLI you specify must be located in SYS$SYSTEM and have the file type EXE.
/INPUT=filespec
Specifies an input file containing one or more DCL commands to be executed by the spawned subprocess. File type defaults to COM and no wildcards are allowed in the file specification. Once processing of the input file is complete, the subprocess is terminated. If both a command string and the /INPUT qualifier are specified, the specified command string executes before additional commands are obtained from the /INPUT qualifier. If neither is specified, SYS$INPUT is assumed (in which case a SPAWN/NOWAIT command is aborted if Ctrl/Y is pressed to abort something running in your parent process).
You cannot explicitly specify non-record-oriented, process-permanent files (NRO PPFs) with the /INPUT qualifier. The system displays an error message when it encounters such a file as the value for the /INPUT qualifier.
If SYS$INPUT is a terminal, it cannot have an associated terminal mailbox.
/KEYPAD (default)
/NOKEYPAD
Copies keypad key definitions and the current keypad state from the parent process. By default, if you have established key definitions or states with the DEFINE/KEY or the SET/KEY command, these settings are copied to the subprocess. Use the /NOKEYPAD qualifier if you do not want the key settings to be copied.
/LOG (default)
/NOLOG
Displays the assigned subprocess name and any messages indicating transfer of control between processes.
/LOGICAL_NAMES (default)
/NOLOGICAL_NAMES
Copies process logical names and logical name tables to the subprocess. By default, all process logical names and logical name tables are copied to the subprocess except those explicitly marked CONFINE or created in executive or kernel mode.
/NOTIFY
/NONOTIFY (default)
Controls whether a message is broadcast to your terminal notifying you that your subprocess has completed or aborted. This qualifier should not be used unless you specify the /NOWAIT qualifier. The /NOTIFY qualifier cannot be specified when the SPAWN command is executed from within a noninteractive process.
Note that messages broadcast as a result of using the /NOTIFY qualifier are considered to be DCL messages. Therefore, if SET BROADCAST=NODCL is in effect, all such notification messages are suppressed.
/OUTPUT=filespec
Specifies the output file to which the results of the SPAWN operation are written. No wildcards can be used in the file specification. (Do not specify SYS$COMMAND as a file specification for the /OUTPUT qualifier when using the /NOWAIT qualifier; both parent and subprocess output will be displayed simultaneously on your terminal.)
You cannot explicitly specify non-record-oriented, process-permanent files (NRO PPFs) with the /OUTPUT qualifier. The system displays an error message when it encounters such a file as the value for the /OUTPUT qualifier.
If you omit the /OUTPUT qualifier, output is written to the current SYS$OUTPUT device.
/PROCESS=subprocess-name
Specifies the name of the subprocess to be created. If you omit the /PROCESS qualifier, a unique process name is assigned with the same base name as the parent process and a unique number. The default subprocess name format is username_n. If you specify a process name that already exists, an error message is displayed. If the /LOG qualifier has been specified, the assigned name of the subprocess is displayed.
/PROMPT=string
Specifies the prompt string for DCL to use in the subprocess. The default is the prompt of the parent process.
The string can consist of more than one character. All valid ASCII characters can be used in the string. The string must be enclosed in quotation marks (" ") if it contains spaces, special characters, or lowercase characters. Otherwise, letters are automatically converted to uppercase, and leading and trailing spaces are removed.
If no string is specified, the DCL default prompt string " $ " is used for the subprocess.
/SYMBOLS (default)
/NOSYMBOLS
Determines whether global and local symbols (except $RESTART, $SEVERITY, and $STATUS) are passed to the subprocess. $RESTART, $SEVERITY, and $STATUS symbols are never passed to the subprocess.
/TABLE=command-table
Specifies the name of an alternate command table to be used by the subprocess.
/WAIT (default)
/NOWAIT
Requires that you wait for the subprocess to terminate before you enter another DCL command. The /NOWAIT qualifier allows you to enter new commands while the subprocess is running. (Use the /OUTPUT qualifier with the /NOWAIT qualifier to avoid displaying both parent and subprocess output on the terminal simultaneously.)
Note that specifying the /NOWAIT qualifier causes both input and output to be shared with the parent process. If the input device is a terminal, control characters, such as Ctrl/T or Ctrl/Y, also affect all subprocesses sharing the input device. The Ctrl/Y control character, for example, interrupts all such subprocesses. This problem may be avoided by specifying /INPUT=NL:.
The SPAWN command creates a subprocess of the current process. The context of the subprocess is copied from the current process. You can use the SPAWN command to leave the DCE$UAF utility temporarily, perform other functions (such as displaying a directory listing or printing a file), and then return to the DCE$UAF utility.
Verifies that DCE accounts referenced by the DCE Authorization file (DCE$UAF) still exist in the DCE registry.
VERIFY NAME /DCENAME /OUTPUT=output /VMSNAME /[NO]WILD
NAME
OpenVMS username or the DCE name of the DCE$UAF record(s) that is to be verified. Full OpenVMS wildcarding is allowed.
By default the name is assumed to be an OpenVMS username. If NAME is to be interpreted as a DCE name, specify /DCENAME. If the DCE name contains lowercase characters, spaces, or other special characters, enclose the entire string in quotes.
/DCENAME
Specifies that NAME is to be interpreted as a DCE name.
/OUTPUT=output
Determines where the output is written.
/VMSNAME (default)
Specifies that NAME is to be interpreted as an OpenVMS account name.
/WILD (default)
/NOWILD
Specifies whether or not standard VMS wildcarding is to be applied to NAME. The default is /WILD which means a NAME of "SM*" is interpreted as meaning "match any name starting SM". If /NOWILD is specified, the NAME "SM*" is searched for.
The VERIFY command verifies that DCE accounts referenced by the DCE Authorization file (DCE$UAF) still exist in the DCE registry.
This chapter contains reference information on the Integrated Login
IMPORT commands discussed in the Digital DCE for OpenVMS VAX and
OpenVMS Alpha Product Guide.
2.1 Running the DCE Registry IMPORT Utility
Integrated Login provides two methods of running the DCE IMPORT utility, as follows:
$ DCE$IMPORT
IMPORT>
$ DCE IMPORT command
$
$ DCE$IMPORT :== $SYS$SYSTEM:DCE$IMPORT
$ RUN SYS$SYSTEM:DCE$IMPORT
Adds an OpenVMS username to the IMPORT exclude list.
ADD/EXCLUDE [USERNAME]
USERNAME
Specifies the name of the OpenVMS account to be added to the IMPORT exclude list.
The ADD/EXCLUDE command adds an OpenVMS username to the IMPORT exclude list. This command performs the same function as IMPORT/EXCLUDE.
Deletes an OpenVMS username from the IMPORT exclude list.
DELETE/EXCLUDE [USERNAME]
USERNAME
Specifies the name of the OpenVMS account to be deleted from the IMPORT exclude list.
The DELETE/EXCLUDE command deletes an OpenVMS username from the IMPORT exclude list.
EXIT
Exits the IMPORT utility.
The EXIT command exits the IMPORT utility and returns you to DCL. You can also exit IMPORT by pressing Ctrl/Z.
Creates DCE accounts based on OpenVMS accounts from an existing System Authorization File (SYSUAF).
IMPORT [VMS-USERNAME] /[NO]CONFIRM /DCE_LOGIN /[NO]EXCLUDE /[NO]INFORM /[NO]INTERACTIVE /OUTPUT=output /[NO]RECAP /[NO]TEST_ONLY
/[NO]EXPIRATION_DATE=date /FLAGS=flags /GOOD_SINCE_DATE=date /GROUP=group /HOME_DIRECTORY=string /LIFETIME=hours /LOGIN_SHELL=string /MISCELLANEOUS=string /ORGANIZATION=organization /PASSWORD=passwd /PRINCIPAL=principal /RENEWABLE_LIFETIME=hours
VMS-USERNAME
Specifies the name of the OpenVMS account to be imported.
If an asterisk is specified in place of VMS-USERNAME, all accounts from the OpenVMS system authorization file are selected.
/CONFIRM
/NOCONFIRM
Controls whether the IMPORT command asks for confirmation before creating a DCE principal or account, or both.
In interactive mode the default is /CONFIRM. In noninteractive mode the default is /NOCONFIRM.
/DCE_LOGIN=(keyword=value[,...])
Provides account details of a DCE account authorized to create principals and accounts in the DCE registry. Valid keywords for the DCE_LOGIN qualifier are:
PRINCIPAL --- The principal name to be used for authentication purposes when creating accounts and/or principals in the DCE registry. If you do not specify a principal using this qualifier, you are prompted for one interactively.
PASSWORD --- The password associated with the principal name that was specified by the PRINCIPAL keyword. If you do not specify a password with this qualifier, you are prompted for one interactively. If you are an interactive user and you omit the PASSWORD keyword so that IMPORT prompts you, the password is not echoed and does not appear on your terminal.
/EXCLUDE
/NOEXCLUDE (default)
Determines whether the OpenVMS account is imported to the DCE registry. If the OpenVMS account is not imported then the DCE account is not created. Instead, an entry is created in the IMPORT exclude file for the specified OpenVMS account. IMPORT/EXCLUDE performs the same function as ADD/EXCLUDE.
/INFORM
/NOINFORM (default)
Determines whether the user is informed of OpenVMS accounts that would have been selected for import, but are not selected because they have already been imported (they have an entry in the DCE$UAF) or they have an entry in the IMPORT exclude file.
/INTERACTIVE (default)
/NOINTERACTIVE
Controls whether an interactive or noninteractive import is performed.
In interactive mode, a series of questions is asked and the user's responses are used to determine the account details. This mode is well suited to interactive users.
In noninteractive mode, all input is supplied through the data qualifiers, and any missing or conflicting data causes the DCE account not to be created. This mode is well suited to command files and batch jobs.
Data qualifiers can be specified in interactive mode. In this case the data they provide is used to provide the default answers to the relevant questions. All questions are asked.
/OUTPUT=output
Specifies the location at which all program output is written. The default is SYS$OUTPUT:.
/RECAP
/NORECAP (default)
If you specify /RECAP, details of the DCE account are displayed before it is actually created. When /CONFIRM is also specified, the account details are displayed immediately before the confirmation request.
/TEST_ONLY
/NOTEST_ONLY (default)
If you specify /TEST_ONLY, DCE accounts and DCE$UAF entries are not actually created.
/EXPIRATION_DATE=date
/NOEXPIRATION_DATE (default)
Specifies the expiration date for the DCE account. If this qualifier is not specified, or if /NOEXPIRATION_DATE is specified, then the DCE account is created without an expiration date.
/FLAGS=([no]keyword[,...])
Specifies attributes of the DCE account. The keywords you can specify are as follows:
ACCOUNT_VALID --- Determines account validity. An account without this flag set is invalid and cannot log in. The default is ACCOUNT_VALID.
CLIENT --- Indicates whether the account is for a principal that can act as a client. The default is CLIENT.
DUPLICATE_KEYS --- Determines if tickets issued to the account's principal can have duplicate keys. The default is NODUPLICATE_KEYS.
FORWARDABLE_CERTIFICATES --- Determines whether a new ticket-granting ticket with a network address that differs from the present ticket-granting ticket network address can be issued to the account's principal. (The PROXIABLE CERTIFICATE flag performs the same function for service tickets.) The default is FORWARDABLE_CERTIFICATES.
PASSWORD_VALID --- Determines whether the current password is valid. If this flag is not set, the next time the principal logs in to the DCE account, the system prompts the principal to change his or her password. The default is PASSWORD_VALID.
POSTDATED_CERTIFICATES --- Determines if tickets with a future start time can be issued to the account's principal. The default is NOPOSTDATED_CERTIFICATES.
PROXIABLE_CERTIFICATE --- Determines whether a new ticket with a different network address than the present ticket can be issued to the account's principal. (The FORWARDABLE CERTIFICATE flag performs the same function for ticket-granting tickets.) The default is NOPROXIABLE_CERTIFICATE.
RENEWABLE_CERTIFICATE --- Determines if the ticket-granting ticket issued to the account's principal can be renewed. If this flag is set, the authentication service renews the ticket-granting ticket if its lifetime is valid. The default is RENEWABLE_CERTIFICATE.
SERVER --- Indicates whether the account is for a principal that can act as a server. The default is SERVER.
TGT_AUTHENTICATION --- Determines whether tickets issued to the account's principal can use the ticket-granting ticket authentication mechanism. The default is TGT_AUTHENTICATION.
/GOOD_SINCE_DATE=date
Specifies the date and time that the account was known to be in an uncompromised state. If not specified, this date is set to the current date and time.
/GROUP=group
Specifies the name of an existing DCE group that is associated with the account being created. If the group does not exist, it is not created by IMPORT. The default group name is "none".
/HOME_DIRECTORY=string
Specifies the directory in which the principal is placed at login. If not specified, the DCE account is created without a home directory.
/LIFETIME=hours
Specifies the maximum amount of time, in hours, that a ticket can be valid. If not specified, the maximum certificate lifetime defined as registry authorization policy is used.
/LOGIN_SHELL=string
Specifies the shell that is executed when a principal logs in. If not specified, the DCE account is created without a login shell.
/MISCELLANEOUS=string
Specifies a text string that is typically used to describe the use of the account. If not specified, the DCE account is created without a miscellaneous value.
/ORGANIZATION=organization
Specifies the name of an existing DCE organization that is associated with the account being created. If the organization does not exist, it is not created by IMPORT. The default organization name is none.
/PASSWORD=passwd
Specifies the password to be assigned to the DCE account. If not specified, the DCE account is created without a valid DCE password.
/PRINCIPAL=(keyword[,...])
Specifies the principal that is associated with the DCE account that is being created. The keywords you can specify are as follows: