kadm5_ret_t
kadm5_modify_principal(void *server_handle,
kadm5_principal_ent_t princ, u_int32 mask);
Modify the attributes of the principal named in
kadm5_principal_ent_t. This function cannot rename the principal or
change its password.
AUTHORIZATION REQUIRED: modify
Although a principal's pw_expiration is usually computed based on its
policy and the time at which it changes its password, this function
also allows it to be specified explicitly. This allows an
administrator, for example, to create a principal and assign it to a
policy with a pw_max_life of one month, but to declare that the new
principal must change its password away from its initial value
sometime within the first week.
- Return KADM5_UNK_PRINC if the principal does not exist.
- Return KADM5_BAD_MASK if the mask is invalid.
- If POLICY bit is set but the new policy does not exist, return
KADM5_UNK_POLICY.
- If either the POLICY or POLICY_CLR bits are set, update the
corresponding bits in aux_attributes.
- Update policy reference counts.
  - If the POLICY bit is set, then increment policy count on new
    policy.
  - If the POLICY or POLICY_CLR bit is set, and the POLICY bit in
    aux_attributes is set, decrement policy count on old policy.
- Set pw_expiration appropriately. pw_expiration can change if:
the POLICY bit is set in mask, so the principal is changing to a
policy (either from another policy or no policy); the POLICY_CLR bit
is set in mask, so the principal is changing to no policy; or
PW_EXPIRATION is set.
  - If the POLICY bit is set in mask, set pw_expiration to
    last_pwd_change + pw_max_life if pw_max_life is non-zero, otherwise
    set pw_expiration to never.
  - If the POLICY_CLR bit is set in mask, set pw_expiration to
    never.
  - If PW_EXPIRATION is set, set pw_expiration to the requested
    value, overriding the value from the previous two cases. NOTE: This
    is a change from the original semantics, in which policy expiration
    was enforced even on administrators. The old semantics are not
    preserved, even for version 1 callers, because this is a
    server-specific policy decision; besides, the new semantics are less
    restrictive, so all previous callers should continue to function
    properly.
- Update the remaining fields specified in the mask.
- Update mod_name field to caller and mod_date to now.
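The policy and pw_expiration steps above, modelled as a small self-contained C function (an added example, not code from the kadm5 library). The M_* mask bits, struct princ_model, model_modify and first_week_example are hypothetical stand-ins, and the model assumes that 0 encodes "never" and that one month is 30 days.

```c
#include <stdint.h>

/* Stand-in mask bits for this model; real callers pass the KADM5_* mask
 * macros from the kadm5 header instead. */
enum { M_PW_EXPIRATION = 1 << 0, M_POLICY = 1 << 1, M_POLICY_CLR = 1 << 2 };

#define PW_NEVER 0          /* assumption: 0 encodes "never expires" */
#define DAY ((int64_t)86400)

/* Only the principal fields that the policy and expiration steps touch. */
struct princ_model {
    int     has_policy;     /* POLICY bit in aux_attributes */
    int64_t last_pwd_change;
    int64_t pw_expiration;
};

/*
 * Apply the policy and pw_expiration steps for one request whose mask has
 * already passed the KADM5_BAD_MASK check. pw_max_life belongs to the new
 * policy (read only with M_POLICY); requested is the caller's value (read
 * only with M_PW_EXPIRATION). Returns the resulting pw_expiration.
 */
int64_t model_modify(struct princ_model *p, uint32_t mask, int64_t pw_max_life,
                     int64_t requested, int *old_ref, int *new_ref)
{
    /* Test the aux_attributes bit as it was before this request. */
    if ((mask & (M_POLICY | M_POLICY_CLR)) && p->has_policy)
        (*old_ref)--;
    if (mask & M_POLICY) {
        (*new_ref)++;
        p->has_policy = 1;
        p->pw_expiration = pw_max_life ? p->last_pwd_change + pw_max_life
                                       : PW_NEVER;
    } else if (mask & M_POLICY_CLR) {
        p->has_policy = 0;
        p->pw_expiration = PW_NEVER;
    }
    if (mask & M_PW_EXPIRATION)     /* overrides both cases above */
        p->pw_expiration = requested;
    return p->pw_expiration;
}

/* The scenario from the text: one-month policy, change due within a week. */
int64_t first_week_example(void)
{
    struct princ_model p = { 0, 1000, PW_NEVER };   /* constructed values */
    int old_ref = 0, new_ref = 0;
    return model_modify(&p, M_POLICY | M_PW_EXPIRATION, 30 * DAY,
                        p.last_pwd_change + 7 * DAY, &old_ref, &new_ref);
}
```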
RETURN CODES:
- KADM5_UNK_PRINC: Entry does not exist.
- KADM5_BAD_MASK: The mask is not valid for a modify operation.
- KADM5_UNK_POLICY: The POLICY bit is set but the new policy does not
  exist.
- KADM5_BAD_TL_TYPE: The KADM5_TL_DATA bit is set in mask, and the
  given tl_data list contains an element whose type is less than 256.
Autobuild
2009-09-05