kadm5_ret_t
kadm5_chpass_principal(void *server_handle, krb5_principal princ,
                       char *pw);
AUTHORIZATION REQUIRED: changepw, or the calling principal being the
same as the princ argument. If the request is authenticated to the
kadmin/changepw service, the changepw privilege is disregarded.
Change a principal's password. See section 4.4 for a
description of how the keys are determined.
This function enforces password policy and dictionary checks. If the new
password specified is in the password dictionary and the policy bit is set,
KADM5_PASS_DICT is returned. If the principal's POLICY bit is set in
aux_attributes, compliance with each of the named policy fields is verified
and an appropriate error code is returned if verification fails.
Note that the policy checks are only performed if the POLICY bit is
set in the principal's aux_attributes field.
- Make sure principal exists; if not, return KADM5_UNK_PRINC error.
- If caller does not have modify privilege, (now - last_pwd_change) <
pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the
principal's attributes, return KADM5_PASS_TOOSOON.
- If the principal you are trying to change is kadmin/history,
return KADM5_PROTECT_PRINCIPAL.
- If the password does not meet the quality
standards, return the appropriate KADM5_PASS_Q_* error code.
- Convert password to key; see section 4.4.
- If the new key is in the principal's password history, return
KADM5_PASS_REUSE.
- Store old key in history.
- Update principal to have new key.
- Increment principal's key version number by one.
- If the POLICY bit is set, set pw_expiration to now +
max_pw_life. If the POLICY bit is not set, set pw_expiration to
never.
- If the KRB5_KDB_REQUIRES_PWCHANGE bit is set in the principal's
attributes, clear it.
- Update last_pwd_change and mod_date to now, update mod_name to
caller.
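The order of these steps decides which error a caller sees first and which fields change on success. The following C model is an added example, not code from the kadm5 library: m_princ, m_chpass and the M_* constants are hypothetical stand-ins, the key is modelled as the password string with a one-entry history, and the policy-dependent checks are gated on the POLICY bit as the note above describes.

```c
/* Added model of the documented check order; not MIT krb5 source.
 * The m_* names and M_* values are hypothetical stand-ins, not kadm5's. */
#include <stdio.h>
#include <string.h>
#include <time.h>

enum { M_OK, M_UNK_PRINC, M_PASS_TOOSOON, M_PROTECT_PRINCIPAL, M_PASS_REUSE };
#define M_POLICY            0x1u /* models the POLICY bit in aux_attributes */
#define M_REQUIRES_PWCHANGE 0x2u /* models KRB5_KDB_REQUIRES_PWCHANGE */

struct m_princ {
    const char *name, *mod_name;
    unsigned aux_attributes, attributes;
    time_t last_pwd_change, pw_expiration, mod_date; /* expiration 0 = never */
    long pw_min_life, max_pw_life;
    int kvno;
    const char *key, *history; /* model: key is the password, history depth 1 */
};

/* p == NULL models a principal that does not exist. */
int m_chpass(struct m_princ *p, const char *caller, int can_modify,
             const char *pw, time_t now)
{
    int policy = p != NULL && (p->aux_attributes & M_POLICY) != 0;

    if (p == NULL)
        return M_UNK_PRINC;
    if (policy && !can_modify && (now - p->last_pwd_change) < p->pw_min_life &&
        !(p->attributes & M_REQUIRES_PWCHANGE))
        return M_PASS_TOOSOON;
    if (strcmp(p->name, "kadmin/history") == 0)
        return M_PROTECT_PRINCIPAL;
    /* Quality and dictionary checks (KADM5_PASS_Q_*) are left out here. */
    if (policy && p->history != NULL && strcmp(pw, p->history) == 0)
        return M_PASS_REUSE;
    p->history = p->key;                    /* store old key in history */
    p->key = pw;                            /* principal gets the new key */
    p->kvno += 1;
    p->pw_expiration = policy ? now + p->max_pw_life : 0;
    p->attributes &= ~M_REQUIRES_PWCHANGE;  /* forced change is satisfied */
    p->last_pwd_change = p->mod_date = now;
    p->mod_name = caller;
    return M_OK;
}

int main(void)
{
    /* Constructed sample: policy set, password changed 60 seconds ago. */
    struct m_princ u = { "alice@EXAMPLE.COM", NULL, M_POLICY, 0, 1000, 0, 0,
                         86400, 7776000, 3, "old", NULL };
    printf("rc=%d\n", m_chpass(&u, u.name, 0, "new", 1060)); /* M_PASS_TOOSOON */
    return 0;
}
```

In the model, setting M_REQUIRES_PWCHANGE on the sample principal lets the same call succeed and clears the bit, which is the exemption the too-soon step describes.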
RETURN CODES:
- KADM5_UNK_PRINC: Principal does not exist.
- KADM5_PASS_Q_*: Requested password does not meet quality standards.
- KADM5_PASS_REUSE: Requested password is in user's password history.
- KADM5_PASS_TOOSOON: Current password has not reached minimum life.
- KADM5_PROTECT_PRINCIPAL: Cannot change the password of a special principal.
Autobuild
2006-06-16