OSF DCE Administration Guide--Core Components

Creating and Maintaining Principals, Groups, and Organizations
You do this by attaching instances of two ERAs (max_invalid_attempts and
disable_time_interval) to the principal. Specify values for these ERAs as follows:
max_invalid_attempts
    Specifies an integer indicating the number of successive
    invalid login attempts the security server should accept
    before marking the principal’s account as disabled.
disable_time_interval
    Specifies an integer indicating the number of minutes the
    principal’s account should be disabled from login attempts.
The following is an example of a dcecp command to create a principal and attach
max_invalid_attempts and disable_time_interval ERAs:
dcecp> principal create smitty -attribute {{max_invalid_attempts 7} \
{disable_time_interval 60}}
Note: At DCE Version 1.1, the invalid login handling functionality accurately
tracks login activity in a cell with one master and no replicas, but does not
keep accurate counts in replicated cells. This is because:
  - Login attempts in a replicated cell are randomly assigned to either a
    master or replica.
  - There is at present no mechanism for replicas to communicate to the
    master and, therefore, no way for the master to maintain an
    accurate count.
For further information on how to use dcecp to attach ERAs to principals, see Chapter
32.
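The following is an added example, not part of the DCE documentation or DCE code: a small Python model of the two ERAs and of the replicated-cell limitation described in the note above. The class and function names, the rule that the Nth successive failure disables the account, and the assumption that only attempts reaching the master are counted are illustrative assumptions.

```python
class LockoutTracker:
    """Added model of the max_invalid_attempts / disable_time_interval ERAs."""

    def __init__(self, max_invalid_attempts, disable_time_interval):
        self.max_invalid = max_invalid_attempts
        self.disable_secs = disable_time_interval * 60  # the ERA value is in minutes
        self.failures = 0
        self.disabled_until = None

    def attempt(self, now, password_ok):
        """Handle one login at time `now` (seconds); return 'disabled', 'ok' or 'invalid'."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "disabled"
            self.disabled_until, self.failures = None, 0  # interval has elapsed
        if password_ok:
            self.failures = 0  # only successive invalid attempts count
            return "ok"
        self.failures += 1
        if self.failures >= self.max_invalid:  # assumed: the Nth failure disables
            self.disabled_until = now + self.disable_secs
        return "invalid"


def attempts_until_disabled(routes, max_invalid_attempts, disable_time_interval):
    """Count invalid logins handled cell-wide before the master disables the account.

    `routes` names the server that handled each attempt (0 = master). Assumption:
    only attempts that reach the master are counted, as the note describes.
    """
    master = LockoutTracker(max_invalid_attempts, disable_time_interval)
    for n, server in enumerate(routes, start=1):
        if server == 0:
            master.attempt(now=n, password_ok=False)
        if master.disabled_until is not None:
            return n
    return None  # the master never saw enough failures


if __name__ == "__main__":
    # Constructed routings for the smitty example (7 attempts, 60 minutes).
    print(attempts_until_disabled([0] * 10, 7, 60))     # master only
    print(attempts_until_disabled([0, 1] * 10, 7, 60))  # alternating master/replica
```

In a cell where replicas handle part of the login traffic, the model shows the account staying enabled past the configured threshold, which is the inaccuracy the note warns about when sizing max_invalid_attempts.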
30.6.3 Managing Password Strength and Password Generation
The DCE password format policy described in Chapter 35 enables you to control the
following characteristics of user passwords:
  - Minimum password length
  - Whether a password can be all spaces
  - Whether a password can consist of alphanumeric characters only
You can extend these password strength policies in your cell by creating a password
management server to perform customized password checking and generation. DCE
provides an example password validation/generation server, pwd_strengthd(8sec),
which you can use as the basis for a password management server that suits your cell’s
requirements. DCE also provides a Password Management API that application
developers can use to acquire information about the principal’s password management
policy, and to request generated passwords from the password management server. See
the for information on the Password Management API.
Having created this server, you can then constrain a principal’s password to be
validated by this server when it is created and whenever it is changed. You do this by
attaching instances of the pwd_val_type and pwd_mgmt_binding ERAs to the principal
124243 Tandem Computers Incorporated 30 11