
kadm5_create_principal

kadm5_ret_t
kadm5_create_principal(void *server_handle,
                            kadm5_principal_ent_t princ, u_int32 mask,
                            char *pw);

AUTHORIZATION REQUIRED: add

  1. Return KADM5_BAD_MASK if the mask is invalid.
  2. If the named principal exists, return KADM5_DUP.
  3. If the KADM5_POLICY bit is set in mask and the named policy does not exist, return KADM5_UNK_POLICY.
  4. If the KADM5_POLICY bit is set in aux_attributes, check the password against the named policy's quality standards; if it fails, return the appropriate KADM5_PASS_Q_* error code.
  5. Store the principal, set the key; see section 4.4.
  6. If the POLICY bit is set, increment the named policy's reference count by one.

  7. Set the pw_expiration field.
    1. If the KADM5_POLICY bit is set in mask, then if the policy's pw_max_life is non-zero, set pw_expiration to now + pw_max_life; otherwise set pw_expiration to never.
    2. If the KADM5_PW_EXPIRATION bit is set in mask, set pw_expiration to the requested value, overriding the value set above.
    NOTE: This is a change from the original semantics, in which policy expiration was enforced even on administrators. The old semantics are not preserved, even for version 1 callers, because this is a server-specific policy decision; besides, the new semantics are less restrictive, so all previous callers should continue to function properly.

  8. Set mod_date to now and set mod_name to caller.
  9. Set last_pwd_change to now.

RETURN CODES:

KADM5_BAD_MASK
The field mask is invalid for a create operation.
KADM5_DUP
Principal already exists.
KADM5_UNK_POLICY
Policy named in entry does not exist.
KADM5_PASS_Q_*
Specified password does not meet policy standards.
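
The nine steps above, carried out in order against an in-memory stand-in for the KDB, so the ordering of the checks and the two pw_expiration rules can be exercised. This is an added example for this page, not code from the kadm5 library or the Kerberos sources: the mask-bit and error values, the struct layouts, create_principal() and run_example() are all this example's own assumptions (the specification names the bits and codes, but this page does not give their values), and KADM5_PASS_Q_TOOSHORT stands in for the KADM5_PASS_Q_* family.

```c
#include <stdint.h>
#include <string.h>

/* Model of the create-principal steps on this page, written for this example;
   not code from the kadm5 library. Mask bits, error values and the in-memory
   "database" are simplified stand-ins (the page names the bits, not their values). */
typedef int32_t  kadm5_ret_t;
typedef uint32_t u_int32;

enum { KADM5_OK = 0, KADM5_FAILURE, KADM5_BAD_MASK, KADM5_DUP,
       KADM5_UNK_POLICY, KADM5_PASS_Q_TOOSHORT };        /* illustrative values */

#define KADM5_PRINCIPAL       0x000001u
#define KADM5_PW_EXPIRATION   0x000004u
#define KADM5_LAST_PWD_CHANGE 0x000008u
#define KADM5_MOD_TIME        0x000040u
#define KADM5_MOD_NAME        0x000080u
#define KADM5_AUX_ATTRIBUTES  0x000400u
#define KADM5_POLICY          0x000800u
#define KADM5_POLICY_CLR      0x001000u
/* Fields the server owns: a caller may not set them on create (this model's
   definition of "the mask is invalid"). */
#define CREATE_FORBIDDEN (KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME | KADM5_MOD_NAME | \
                          KADM5_AUX_ATTRIBUTES | KADM5_POLICY_CLR)

typedef struct { char name[32]; u_int32 pw_max_life, pw_min_length, refcount; } policy_t;
typedef struct {
    char principal[64], policy[32], mod_name[64];
    u_int32 aux_attributes, pw_expiration, last_pwd_change, mod_date, kvno;
} kadm5_principal_ent_rec, *kadm5_principal_ent_t;

#define MAX_ENT 8
typedef struct { policy_t pols[MAX_ENT]; int npols;
                 kadm5_principal_ent_rec princs[MAX_ENT]; int nprincs; } kdb_t;

static policy_t *find_policy(kdb_t *db, const char *name)
{
    for (int i = 0; i < db->npols; i++)
        if (strcmp(db->pols[i].name, name) == 0) return &db->pols[i];
    return NULL;
}

static int principal_exists(const kdb_t *db, const char *name)
{
    for (int i = 0; i < db->nprincs; i++)
        if (strcmp(db->princs[i].principal, name) == 0) return 1;
    return 0;
}

/* Steps 1-9 in the order the page gives them. 'now' is a parameter so results
   are deterministic; pw_expiration == 0 stands for "never". */
kadm5_ret_t create_principal(kdb_t *db, kadm5_principal_ent_t princ, u_int32 mask,
                             const char *pw, u_int32 now, const char *caller)
{
    policy_t *pol = NULL;
    u_int32 requested_exp = princ->pw_expiration;

    if (!(mask & KADM5_PRINCIPAL) || (mask & CREATE_FORBIDDEN))
        return KADM5_BAD_MASK;                                /* 1 */
    if (principal_exists(db, princ->principal))
        return KADM5_DUP;                                     /* 2 */
    if ((mask & KADM5_POLICY) && (pol = find_policy(db, princ->policy)) == NULL)
        return KADM5_UNK_POLICY;                              /* 3 */
    if (pol != NULL && strlen(pw) < pol->pw_min_length)       /* 4: one quality rule of several */
        return KADM5_PASS_Q_TOOSHORT;
    if (db->nprincs >= MAX_ENT)
        return KADM5_FAILURE;
    if (pol != NULL) {
        princ->aux_attributes |= KADM5_POLICY;  /* assumption: server records the policy binding */
        pol->refcount++;                                      /* 6 */
        princ->pw_expiration = pol->pw_max_life ? now + pol->pw_max_life : 0;   /* 7.1 */
    }
    if (mask & KADM5_PW_EXPIRATION)                           /* 7.2: caller's value wins */
        princ->pw_expiration = requested_exp;
    princ->kvno = 1;                    /* 5: key derivation from pw (section 4.4) omitted */
    princ->mod_date = now;                                    /* 8 */
    strncpy(princ->mod_name, caller, sizeof princ->mod_name - 1);
    princ->mod_name[sizeof princ->mod_name - 1] = '\0';
    princ->last_pwd_change = now;                             /* 9 */
    db->princs[db->nprincs++] = *princ;                       /* write the finished record */
    return KADM5_OK;
}

/* Walks each error path and both pw_expiration rules; returns the number of
   checks that held (7 when everything behaves as specified). */
int run_example(void)
{
    kdb_t db = {0};
    kadm5_principal_ent_rec p = {0};
    const u_int32 now = 1150000000u, day = 86400u;            /* constructed timestamp */
    int ok = 0;

    strcpy(db.pols[0].name, "users");                         /* constructed policy */
    db.pols[0].pw_max_life = 30 * day; db.pols[0].pw_min_length = 8; db.npols = 1;

    strcpy(p.principal, "alice@EXAMPLE.COM"); strcpy(p.policy, "users");
    ok += create_principal(&db, &p, KADM5_PRINCIPAL | KADM5_MOD_TIME, "longenough", now, "admin") == KADM5_BAD_MASK;
    strcpy(p.policy, "nosuch");
    ok += create_principal(&db, &p, KADM5_PRINCIPAL | KADM5_POLICY, "longenough", now, "admin") == KADM5_UNK_POLICY;
    strcpy(p.policy, "users");
    ok += create_principal(&db, &p, KADM5_PRINCIPAL | KADM5_POLICY, "short", now, "admin") == KADM5_PASS_Q_TOOSHORT;
    ok += create_principal(&db, &p, KADM5_PRINCIPAL | KADM5_POLICY, "longenough", now, "admin") == KADM5_OK
          && p.pw_expiration == now + 30 * day && db.pols[0].refcount == 1;
    ok += create_principal(&db, &p, KADM5_PRINCIPAL | KADM5_POLICY, "longenough", now, "admin") == KADM5_DUP;

    memset(&p, 0, sizeof p);                                  /* policy plus explicit expiry */
    strcpy(p.principal, "bob@EXAMPLE.COM"); strcpy(p.policy, "users");
    p.pw_expiration = now + day;
    ok += create_principal(&db, &p, KADM5_PRINCIPAL | KADM5_POLICY | KADM5_PW_EXPIRATION,
                           "longenough", now, "admin") == KADM5_OK
          && p.pw_expiration == now + day && db.pols[0].refcount == 2;

    memset(&p, 0, sizeof p);                                  /* no policy: no quality check */
    strcpy(p.principal, "svc@EXAMPLE.COM");
    ok += create_principal(&db, &p, KADM5_PRINCIPAL, "x", now, "admin") == KADM5_OK
          && p.pw_expiration == 0 && p.last_pwd_change == now && strcmp(p.mod_name, "admin") == 0;
    return ok;
}
```

The order matters for the security properties: the duplicate and policy checks run before anything is written, the reference count moves only on the success path, and the KADM5_PW_EXPIRATION override in step 7.2 is the point where an administrator with add authorization can set an expiry the policy would not have produced, which is the behaviour the NOTE above describes.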


Autobuild 2006-06-16