
kadm5_modify_principal

kadm5_ret_t
kadm5_modify_principal(void *server_handle,
                            kadm5_principal_ent_t princ, u_int32 mask);

Modify the attributes of the principal named in princ (a kadm5_principal_ent_t). This function does not allow the principal to be renamed or its password to be changed.

AUTHORIZATION REQUIRED: modify

Although a principal's pw_expiration is usually computed based on its policy and the time at which it changes its password, this function also allows it to be specified explicitly. This allows an administrator, for example, to create a principal and assign it to a policy with a pw_max_life of one month, but to declare that the new principal must change its password away from its initial value sometime within the first week.

  1. Return KADM5_UNK_PRINC if the principal does not exist.
  2. Return KADM5_BAD_MASK if the mask is invalid.
  3. If the POLICY bit is set but the new policy does not exist, return KADM5_UNK_POLICY.
  4. If either the POLICY or the POLICY_CLR bit is set, update the corresponding bits in aux_attributes.

  5. Update policy reference counts.
    1. If the POLICY bit is set, then increment policy count on new policy.
    2. If the POLICY or POLICY_CLR bit is set, and the POLICY bit in aux_attributes is set, decrement policy count on old policy.

  6. Set pw_expiration appropriately. pw_expiration can change if: the POLICY bit is set in mask, so the principal is changing to a policy (either from another policy or no policy); the POLICY_CLR bit is set in mask, so the principal is changing to no policy; or PW_EXPIRATION is set.
    1. If the POLICY bit is set in mask, set pw_expiration to last_pwd_change + pw_max_life if pw_max_life is non-zero, otherwise set pw_expiration to never.
    2. If the POLICY_CLR bit is set in mask, set pw_expiration to never.
    3. If PW_EXPIRATION is set, set pw_expiration to the requested value, overriding the value from the previous two cases. NOTE: This is a change from the original semantics, in which policy expiration was enforced even on administrators. The old semantics are not preserved, even for version 1 callers, because this is a server-specific policy decision; besides, the new semantics are less restrictive, so all previous callers should continue to function properly.

  7. Update the remaining fields specified in the mask.
  8. Update mod_name field to caller and mod_date to now.
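The pw_expiration decision in step 6 is the part of this procedure most easily got wrong, because the three cases override each other in a fixed order. The following C function is an added illustration of steps 6.1 through 6.3 and is not code from the kadm5 library; the mask bit values, the ex_ names and the convention that 0 means "never" are assumptions made for the example, not the definitions in the real admin.h.

```c
#include <stdint.h>
#include <time.h>

/* Constructed stand-in mask bits for this example (NOT the real kadm5 values). */
#define EX_POLICY        0x0001u
#define EX_POLICY_CLR    0x0002u
#define EX_PW_EXPIRATION 0x0004u
#define EX_NEVER         ((time_t)0)   /* assumed convention: 0 == never expires */

/* The two fields of the stored principal entry that step 6 consults. */
typedef struct {
    time_t pw_expiration;    /* value currently stored for the principal */
    time_t last_pwd_change;  /* when the password was last changed */
} ex_principal;

/* Step 6 of kadm5_modify_principal: compute the new pw_expiration.
 * new_pw_max_life is the pw_max_life of the policy being assigned (consulted
 * only when EX_POLICY is set); requested is the caller's explicit
 * pw_expiration (consulted only when EX_PW_EXPIRATION is set). */
time_t ex_compute_pw_expiration(uint32_t mask, const ex_principal *p,
                                time_t new_pw_max_life, time_t requested)
{
    /* Unchanged unless one of the three cases below applies. */
    time_t result = p->pw_expiration;

    /* 6.1: moving to a policy: expire pw_max_life after the last change,
     * or never if the policy does not limit password lifetime. */
    if (mask & EX_POLICY)
        result = (new_pw_max_life != 0)
                     ? p->last_pwd_change + new_pw_max_life
                     : EX_NEVER;

    /* 6.2: moving to no policy: nothing enforces expiration any more. */
    if (mask & EX_POLICY_CLR)
        result = EX_NEVER;

    /* 6.3: an explicit PW_EXPIRATION wins over both policy-derived values,
     * which is what lets an admin force a first change within a week even
     * though the policy's pw_max_life is a month. */
    if (mask & EX_PW_EXPIRATION)
        result = requested;

    return result;
}
```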

RETURN CODES:

KADM5_UNK_PRINC
Entry does not exist.
KADM5_BAD_MASK
The mask is not valid for a modify operation.
KADM5_UNK_POLICY
The POLICY bit is set but the new policy does not exist.
KADM5_BAD_TL_TYPE
The KADM5_TL_DATA bit is set in mask, and the given tl_data list contains an element whose type is less than 256.


Autobuild 2006-06-16