OSF DCE Application Development Guide--Core Components

OSF DCE Application Development Guide—Core Components

RPC

Security Client

Security Server

Password Management

Server

(Enforcepassword validation policy in

password change/add program...)

sec_pwd_mgmt...() showgrestorepsbpse242 155 :M( )S244 155 :Mpsbpsegsave360 rotate()

sec_rgy_acct_passwd

rsec_pwd_mgmt_

gen_pwd( )

rsec_pwd_mgmt_

str_chk( )

rs_pwd_mgmt_setup

rs_acct_passwd

RPC

For information on how to administer password generation and strength-checking, see

the .

35.1 The Client-Side API

The DCE control program, dcecp, and rgy_edit provide support for password generation

based on a principal’s password validation type ERA. However, if you want to enhance

your own password change program (such as the UNIX passwd program), you will need

to use the client-side sec_pwd_mgmt_*()API.

This API provides functions that retrieve a principal’s password management ERA

values and request password strength checking and generation from a password

management server.

The sec_pwd_mgmt_*()API is deﬁned in the sec_pwd_mgmt.idl ﬁle.

The general procedure for using the client-side password management API in a password

change program is as follows. Refer to Figure 35-1 as you read the following steps:

1. The client calls sec_pwd_mgmt_setup(), specifying the login name of the

principal whose password is being changed. The registry service returns the

pwd_val_type and pwd_mgmt_binding ERAs as well as the registry standard

(password) policy for the principal to the client’s security runtime, which is stored

in a password management handle (an opaque data type).

35−2 Tandem Computers Incorporated 124245