Attributes
alias value Used with the create operation, the value of this attribute is either yes or no. Each principal can have only one
name, but can have one or more alias names. All these names refer to the same principal, and therefore, the same Universal Unique Identifier (UUID) and UNIX ID (uid). While aliases refer to the
same principal they are separate entries in the registry database. Therefore, the name supplied to a user command can refer to either the primary name or an alias name of a principal. The
value of this attribute determines whether the name is a primary name (alias no) or an alias name (alias yes). The default is no.
client {yes | no} A flag set to indicate whether the account is for a principal that can act as a client. Possible values are either yes or no. If
you set this flag to yes, the principal is able to log in to the account and acquire tickets for authentication. The default is yes.
description A text string (limited to PCS) typically used to describe the use of the user's account. The default is the empty string (" ").
dupkey {yes | no} A flag set to determine if tickets issued to the account's principal can have duplicate keys. The value of this attribute must be yes or
no. The default is no.
In DCE, this attribute is currently only advisory. However, Kerberos clients and servers will use it when they interact with a DCE security server.
expdate ISO_timestamp The date on which the account expires. To renew the account, change the date in this field. Specify the time using an ISO compliant time format
such as CCYY-MM-DD-hh:mm:ss or the string none. The default is none.
forwardabletkt {yes | no} A flag set to determine whether a new ticket-granting ticket with a network address that differs from the present ticket-granting ticket
network address can be issued to the account's principal. The proxiabletkt attribute performs the same function for service tickets. This attribute must have a value of yes or
no. The default is yes.
In DCE, this attribute is currently only advisory. However, Kerberos clients and servers will use it when they interact with a DCE security server.
fullname string Used with the create operation, this attribute specifies the full name of the principal, it is for information purposes only. It typically
describes or expands a primary name to allow easy recognition by users. For example, a principal could have a primary name of jsbach and a fullname of Johann S. Bach. The value
is a string, if it contains spaces, it is displayed in quotes, and on entry must be in quotes or braces following dcecp syntax rules. If not entered, fullname defaults to the null
string (that is, blank).
force Forces creation of group or organization if it does not exist.
group group_name The name of the group associated with the account. The value is a single group name of an existing group in the registry. This attribute must be
specified on the user create command; it does not have a default value. If this group is deleted from the registry, then the account is deleted as well.
home directory_name The file system directory in which the principal is placed in at login.
organization organization_name The name of the organization associated with the account. The value is a single organization name of an existing organization in the
registry. This attribute must be specified on the user create command; it does not have a default value. If this organization is deleted from the registry, then the account is deleted as
well.
maxtktlife relative_time The maximum amount of time that a ticket can be valid. Specify the time using the DTS relative time format
([-]DD-hh:mm:ss). When a client requests a ticket to a server, the lifetime granted to the ticket takes into account the maxtktlife set for both the server and the
client. In other words, the lifetime, cannot exceed the shorter of the server's or client's maxtktlife. If you do not specify a maxtktlife for an account, the maxtktlife
defined as registry authorization policy is used.
maxtktrenew relative_time The amount of time before a principal's ticket-granting ticket expires and that principal must log in to the system again to reauthenticate
and obtain another ticket-granting ticket. Specify the time by using the DTS relative time format ([-]DD-hh:mm:ss). The lifetime of the principal's service tickets can never
exceed the lifetime of the principal's ticket-granting ticket. The shorter you make maxtktrenew, the greater the security of the system. However, since principals must log in again to
renew their ticket-granting ticket, the time needs to balance user convenience against level of security required. If you do not specify this attribute for an account, the maxtktrenew
lifetime defined as registry authorization policy is used. This feature is not currently used by DCE; any use of this option is unsupported at the present time.
mypwd password Lets you enter your password. You must enter your password to create an account. This check prevents a malicious user from using an existing privileged
session to create unauthorized accounts.
password password You must create a password for the account. You can use the -password option or you can create it using the password attribute with
the -attribute option and an attribute_list.
postdatedtkt {yes | no} A flag set to determine if tickets with a start time some time in the future can be issued to the account's principal. This attribute must have
a value of yes or no. The default is no.
In DCE, this attribute is currently only advisory. However, Kerberos clients and servers will use it when they interact with a DCE security server.
proxiabletkt {yes | no} A flag set to determine whether a new ticket with a different network address than the present ticket can be issued to the account's principal.
The forwardabletkt attribute performs the same function for ticket-granting tickets. This attribute must have a value of yes or no. The default is no.
In DCE, this attribute is currently only advisory. However, Kerberos clients and servers will use it when they interact with a DCE security server.
pwdvalid {yes | no} A flag set to determine whether the current password is valid. If this flag is set to no, the next time a principal logs in to the
account, the system prompts the principal to change the password. (Note that this flag is separate from the pwdexpdate policy, which sets time limits on password validity.) Possible values
are either yes or no. The default is yes.
renewabletkt {yes | no} A flag set to determine whether the ticket-granting ticket issued to the account's principal can be renewed. If this flag is set to
yes, the Authentication service renews the ticket-granting ticket if its lifetime is valid. This attribute must have a value of yes or no. The default is yes.
In DCE, this attribute is currently only advisory. However, Kerberos clients and servers will use it when they interact with a DCE security server.
server {yes | no} A flag set to indicate whether the account is for a principal that can act as a server. If the account is for a server that engages in authenticated
communications, set this flag to yes. Possible values are either yes or no. The default is yes.
shell path_to_shell The path of the shell that is executed when a principal logs in.
stdtgtauth {yes | no} A flag set to determine whether service tickets issued to the account's principal use the standard DCE ticket-granting ticket authentication
mechanism. Possible values are either yes or no. The default is yes.
uid value Used with the create operation, this attribute specifies the User Identifier for the principal. No two principals can have the same uid.
However, aliases can share the same uid. It is often called the UNIX ID and is an integer.
See the OSF DCE Administration Guide - Core Components for more information about attributes.
|