
kadm5_chpass_principal

kadm5_ret_t
kadm5_chpass_principal(void *server_handle, krb5_principal princ,
                            char *pw);

AUTHORIZATION REQUIRED: changepw, or the calling principal being the same as the princ argument. If the request is authenticated to the kadmin/changepw service, the changepw privilege is disregarded.

Change a principal's password. See section 4.4 for a description of how the keys are determined.

This function enforces password policy and dictionary checks. If the new password is in the password dictionary and the policy bit is set, KADM5_PASS_DICT is returned. If the POLICY bit is set in the principal's aux_attributes, compliance with each of the named policy fields is verified and an appropriate error code is returned if verification fails.

Note that the policy checks are only performed if the POLICY bit is set in the principal's aux_attributes field.

  1. Make sure the principal exists; if not, return KADM5_UNK_PRINC.
  2. If the caller does not have modify privilege, (now - last_pwd_change) < pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the principal's attributes, return KADM5_PASS_TOOSOON.
  3. If the principal you are trying to change is kadmin/history, return KADM5_PROTECT_PRINCIPAL.
  4. If the password does not meet the quality standards, return the appropriate KADM5_PASS_Q_* error code.
  5. Convert password to key; see section 4.4.
  6. If the new key is in the principal's password history, return KADM5_PASS_REUSE.
  7. Store old key in history.
  8. Update principal to have new key.
  9. Increment principal's key version number by one.
  10. If the POLICY bit is set, set pw_expiration to now + max_pw_life. If the POLICY bit is not set, set pw_expiration to never.
  11. If the KRB5_KDB_REQUIRES_PWCHANGE bit is set in the principal's attributes, clear it.
  12. Update last_pwd_change and mod_date to now, update mod_name to caller.
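The twelve steps above as a runnable model, added here as an illustration and not taken from the MIT krb5 source: the principal record, the numeric values of the KADM5_* and KRB5_KDB_* constants named on the page, the policy fields and the key derivation standing in for section 4.4 are all constructed, and a single KADM5_PASS_Q_TOOSHORT code stands in for the KADM5_PASS_Q_* family. The policy-dependent checks (steps 2, 4 and 6) are gated on the POLICY bit, following the note above; the KRB5_KDB_REQUIRES_PWCHANGE exemption in step 2 and the pw_expiration rule in step 10 are the parts worth stepping through.

```c
/* Model of the kadm5_chpass_principal step sequence. Added example, not
 * MIT krb5 code: record layout, constant values, policy fields and the
 * key derivation are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Return codes named on the page; numeric values are constructed here. */
enum { KADM5_OK = 0, KADM5_UNK_PRINC, KADM5_PASS_TOOSOON, KADM5_PROTECT_PRINCIPAL,
       KADM5_PASS_Q_TOOSHORT /* stands in for KADM5_PASS_Q_* */, KADM5_PASS_REUSE };

/* Bit positions constructed for the model. */
#define KRB5_KDB_REQUIRES_PWCHANGE 0x1u   /* lives in attributes */
#define KADM5_POLICY_BIT           0x1u   /* the "POLICY bit" in aux_attributes */
#define HISTORY_LEN 4
#define NEVER ((time_t)0)                 /* pw_expiration value meaning "never" */

typedef struct {
    char name[64];
    int exists;
    unsigned attributes, aux_attributes;
    unsigned long key;                    /* current key */
    unsigned long history[HISTORY_LEN];   /* previous keys, oldest first */
    int hist_count, kvno;
    time_t last_pwd_change, pw_expiration, mod_date;
    char mod_name[64];
    long pw_min_life, pw_max_life;        /* policy fields, used only if POLICY bit set */
    size_t pw_min_length;
} principal_t;

/* Toy stand-in for the section 4.4 key derivation (djb2 hash, not a real KDF). */
static unsigned long password_to_key(const char *pw) {
    unsigned long h = 5381;
    for (; *pw; pw++) h = h * 33 + (unsigned char)*pw;
    return h;
}

/* Step 7 helper: keep the last HISTORY_LEN keys, dropping the oldest. */
static void push_history(principal_t *p, unsigned long key) {
    if (p->hist_count == HISTORY_LEN) {
        memmove(p->history, p->history + 1, (HISTORY_LEN - 1) * sizeof p->history[0]);
        p->hist_count--;
    }
    p->history[p->hist_count++] = key;
}

/* Steps 1-12 in the order the page gives them. Policy-dependent checks
 * (2, 4, 6) run only when the POLICY bit is set, per the note above. */
int model_chpass(principal_t *p, const char *caller, int caller_has_modify,
                 const char *new_pw, time_t now) {
    int policy = (p->aux_attributes & KADM5_POLICY_BIT) != 0;

    if (!p->exists) return KADM5_UNK_PRINC;                          /* 1 */
    if (policy && !caller_has_modify &&                              /* 2 */
        now - p->last_pwd_change < p->pw_min_life &&
        !(p->attributes & KRB5_KDB_REQUIRES_PWCHANGE))
        return KADM5_PASS_TOOSOON;
    if (strcmp(p->name, "kadmin/history") == 0)                      /* 3 */
        return KADM5_PROTECT_PRINCIPAL;
    if (policy && strlen(new_pw) < p->pw_min_length)                 /* 4 */
        return KADM5_PASS_Q_TOOSHORT;
    unsigned long new_key = password_to_key(new_pw);                 /* 5 */
    if (policy)                                                      /* 6 */
        for (int i = 0; i < p->hist_count; i++)
            if (p->history[i] == new_key) return KADM5_PASS_REUSE;
    push_history(p, p->key);                                         /* 7 */
    p->key = new_key;                                                /* 8 */
    p->kvno++;                                                       /* 9 */
    p->pw_expiration = policy ? now + p->pw_max_life : NEVER;        /* 10 */
    p->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;                    /* 11 */
    p->last_pwd_change = p->mod_date = now;                          /* 12 */
    snprintf(p->mod_name, sizeof p->mod_name, "%s", caller);
    return KADM5_OK;
}

/* Constructed sample record: policy in force, password last changed an hour ago. */
principal_t make_test_principal(time_t now) {
    principal_t p;
    memset(&p, 0, sizeof p);
    snprintf(p.name, sizeof p.name, "%s", "alice@EXAMPLE.COM");
    p.exists = 1;
    p.aux_attributes = KADM5_POLICY_BIT;
    p.key = password_to_key("old-password-1");
    p.history[0] = password_to_key("older-password-0");
    p.hist_count = 1;
    p.kvno = 3;
    p.last_pwd_change = now - 3600;
    p.pw_min_life = 86400;          /* one day */
    p.pw_max_life = 30L * 86400;    /* thirty days */
    p.pw_min_length = 8;
    return p;
}

int main(void) {
    time_t now = time(NULL);
    principal_t p = make_test_principal(now);
    /* Self-service change one hour after the last one: rejected as too soon. */
    printf("self-service: %d\n", model_chpass(&p, "alice@EXAMPLE.COM", 0, "Brand-new-pw-1", now));
    /* Same change by a caller with modify privilege: allowed, kvno advances. */
    printf("admin: %d, kvno now %d\n",
           model_chpass(&p, "admin/admin@EXAMPLE.COM", 1, "Brand-new-pw-1", now), p.kvno);
    return 0;
}
```

The caller's modify privilege is passed in as a flag because the page states only that the minimum-life check is skipped for callers who hold it; how that privilege is established belongs to the authorization layer, not to this step sequence.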

RETURN CODES:

KADM5_UNK_PRINC
Principal does not exist.
KADM5_PASS_Q_*
Requested password does not meet quality standards.
KADM5_PASS_REUSE
Requested password is in user's password history.
KADM5_PASS_TOOSOON
Current password has not reached minimum life.
KADM5_PROTECT_PRINCIPAL
Cannot change the password of a special principal.


Autobuild 2009-09-05