OSF DCE Administration Guide--Core Components
reference page.
Typically, a security group’s name is included in access control lists (ACLs) that
regulate user access to various server and data objects in the DCE environment. A
security organization maintains policies that are applied to all the principals that
are members of that organization. Policies control things like the lifespan of
accounts, whether or when account passwords expire, or whether passwords can
contain nonalphanumeric characters. You can read more about administering
principals, groups, and organizations in Chapter 30.
2. The user create operation creates an account for the principal and creates the
user’s password. The account attributes assume default values but you can specify
other attributes if necessary. All of the attributes are listed in the user(8dce)
reference page.
A principal’s account contains information about the principal such as group and
organization names, account creation and expiration information, and information
about tickets (which identify principals to resources in a DCE environment). You
can read more about administering accounts in Chapter 31.
3. Finally, the user create operation adds a directory called /.:/users/principalname
to CDS. This directory can store user-specific application location information.
The operation also adds an ACL entry to the default ACL which gives the user
rwtci permissions on the directory. These permissions allow users to insert objects
and links, but they cannot delete the directory or administer replication on the
directory. Furthermore, users cannot create additional directories unless you give
them w (write) access to the clearinghouse. You can read more about the purpose
and use of CDS directories in Chapter 18. You can read more about ACLs and
CDS directories in Chapter 16.
You generally need numerous permissions to create new users in your DCE cell, so you
should log in to the cell administrator’s account (or a similarly privileged account). The
user(8dce) reference page lists the required permissions.
To create a new user in a DCE cell, invoke a user create operation. The following
example creates a principal named P_Pestana and an account with the same name. The
create operation requires your password to prevent someone else from using an
unattended session to create an unauthorized account. You must also provide the
-password option to specify a password for the user. The required -group and
-organization options add principal P_Pestana to the named group and organization.
The optional -fullname option creates a fullname to help other human users recognize
the principal.
dcecp> user create P_Pestana -fullname {Patricia Pestana} \
           -mypwd mxyzptlk -password change.me -group users \
           -organization managers
You can create multiple users by specifying a list of user names as an argument to the
user create operation. This method poses some limitations, however. All created users
will have the same initial password, group name, and organization name. Furthermore,
you cannot specify the fullname and uid attributes since these are unique for each user.
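Issuing one create operation per principal from a loop avoids the fullname limitation just described. This is an added example, not part of the guide; it assumes dcecp evaluates standard Tcl constructs (foreach, lindex, catch), and the user names and full names are constructed sample values.

```tcl
# Added example (not from the guide). Run inside a dcecp session.
# Assumption: dcecp evaluates Tcl control constructs (foreach, lindex, catch).
# The user names and full names are constructed sample values; the passwords,
# group and organization are the ones from the single-user example above.

set new_users {
    {A_Example {Alice Example}}
    {B_Sample  {Bob Sample}}
}

set failed {}
foreach entry $new_users {
    set name [lindex $entry 0]
    set full [lindex $entry 1]

    # One create operation per user, so -fullname can differ for each one.
    # catch keeps a single failure (for example, a name that already exists)
    # from aborting the rest of the batch and records which user failed.
    if {[catch {user create $name -fullname $full \
                    -mypwd mxyzptlk -password change.me \
                    -group users -organization managers} msg]} {
        puts "user create failed for $name: $msg"
        lappend failed $name
    }
}

if {[llength $failed] == 0} {
    puts "all users created"
} else {
    puts "not created: $failed"
}
```

Every account created this way still starts with the same initial password, as in the list form of user create.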
The following example creates several users with a password change.me, a group name
of users, and an organization named staff:
8− 2 Tandem Computers Incorporated 124243