xattrschema(1m) Open Software Foundation xattrschema(1m)
NAME [Toc] [Back]
xattrschema - A dcecp object that manages schema information for ERAs
SYNOPSIS [Toc] [Back]
xattrschema catalog schema_name [-simplename]
xattrschema create schema_entry_name_list
{-attribute attribute_list | -attribute value}
[-ifname residual_schema_name]
xattrschema delete schema_entry_name_list
[-ifname residual_schema_name]
xattrschema help [operation | -verbose]
xattrschema modify schema_entry_name_list
{-change attribute_list | -attribute value}
[-ifname residual_schema_name]
xattrschema operations
xattrschema rename schema_entry_name -to new_schema_entry_name
[-ifname residual_schema_name]
xattrschema show schema_entry_name_list
[-ifname residual_schema_name]
ARGUMENTS [Toc] [Back]
operation The name of the xattrschema operation for which to display
help information.
schema_entry_name
The name of a single schema entry type. See
schema_entry_name_list for more information.
schema_entry_name_list
A list of one or more schema entry types to act on. When
used with the -ifname option, this argument can also be a
single string binding representing the host with which to
communicate.
schema_name
The name of the schema that defines the schema entry types
named in schema_entry_name_list. Two schemas are currently
supported:
/.../cell_name/sec/xattrschema
/.../cell_name/hosts/hostname/config/xattrschema
Hewlett-Packard Company - 1 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
The name can also be a single string binding representing
the host with which to communicate.
DESCRIPTION [Toc] [Back]
The xattrschema object represents the schema information for an
extended registry attribute (ERA). This command manipulates the
schema type that defines ERAs. Schema types are identified by name.
Other dcecp commands manipulate individual instances of ERAs. ERA
instances are an attribute of a given schema type that has been
attached to an object and assigned a value.
You can attach ERAs to principal, group, and organization objects and
to server configuration and server execution objects supported by
dced.
ERA entry types for principal, group, and organization objects have
the following default name:
/.:/sec/xattrschema/schema_entry_name
ERA types for dced server objects have the following name:
/.:/hosts/hostname/config/xattrschema/schema_entry_name
ERA types are defined to be attached to only those objects supported
by specified ACL managers.
The schema name can also be a single string binding representing the
host with which to communicate. For example:
{ncacn_ip_tcp 130.105.1.227}
A string binding is useful when the name service is not operating and
cannot translate the other forms of schema names. With all but the
catalog command, if you supply a single string binding, you must use
the -ifname option to specify the object's residual name.
ATTRIBUTES [Toc] [Back]
aclmgr description
A set that lists the ACL managers that support the object types
on which ERAs of this type can be created. For each ACL manager
type, the permissions required for attribute operations are also
specified. Each ACL manager is described with a list, in the
following format:
{uuid queryset updateset testset deleteset}
Hewlett-Packard Company - 2 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
where the first element is the Universal Unique Identifier (UUID)
of the ACL manager, and the rest are the sets of permissions
(concatenated permission strings as found in an ACL) required to
perform each type of operation. The value of this attribute is
actually a list of these lists. For example:
{8680f026-2642-11cd-9a43-080009251352 r w t D}
{18dbdad2-23df-11cd-82d4-080009251352 r w t mD}
This attribute is modifiable after creation, but only in a
limited way. New ACL managers can be added, but existing ones
cannot be removed or changed. This attribute must be specified on
creation.
annotation string
A comment field used to store information about the schema entry.
It is a Portable Character Set (PCS) string. The default is an
empty string (that is, blank).
applydefs {yes | no}
Indicates that if this ERA does not exist for a given object on
an attribute query, the system-defined default value (if any) for
this attribute will be returned. If set to no, an attribute
query returns an attribute instance only if it exists on the
object named in the query. The value of this attribute must be
yes or no. The default is no.
This attribute is currently only advisory in DCE. Future
versions of DCE will support this functionality.
encoding type
The type of the ERA. This attribute must be specified on
creation, and cannot be modified after creation. Legal values
are one of the following:
any The value of the ERA can take on any encoding. This
encoding type is only legal for the definition of an
ERA in a schema entry. All instances of an ERA must
have an encoding of some other value.
attrset The value of the ERA is a list of attribute type UUIDs
used to retrieve multiple related attributes by
specifying a single attribute type on a query.
binding The value of the ERA contains authentication,
authorization, and binding information suitable for
communicating with a DCE server. The syntax is a list
of two elements.
Hewlett-Packard Company - 3 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
The first element is a list of security information in
which the first element is the authentication type,
either none or dce, followed by information specific
for each type. The type none has no further
information. The type dce is followed by a principal
name, a protection level (default, none, connect, call,
pkt, pktinteg, or pktprivacy), an authentication
service (default, none, or secret), and an
authorization service (none, name, or dce). Examples
of three security information lists are as follows:
{none}
{dce /.:/melman default default dce}
{dce /.:/melman pktprivacy secret dce}
The second element is a list of binding information, in
which binding information can be string bindings or
server entry names. Two examples of binding
information are as follows:
{/.:/hosts/hostnamedce-entity
/.:/subsys/dce/sec/master}
{ncadg_ip_udp:130.105.96.3
ncadg_ip_udp:130.105.96.6}
byte The value of the ERA is a string of bytes. The byte
string is assumed to be pickle or is otherwise a selfdescribing
type.
It is unlikely that attributes of this type will be
entered manually. The format of output is hexadecimal
bytes separated by spaces with 20 bytes per line. For
example, the input attribute name bindata might produce
the following output:
{bindata
{00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
22 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 12 11 12 13}}
The braces indicate that bindata has one value. On
input all whitespace is compressed so that users can
enter the data as bytes or words or any combination,
whichever is more convenient. Therefore, a user could
enter the following:
{bindata
{00010203 0405 06070809 0a0b 0c0d0e0f 10111213
22212223 2425 26272829 2a2b 2c2d2e2f 12111213}}
Hewlett-Packard Company - 4 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
i18ndata The value of the ERA is a string of bytes with a tag
identifying the (OSF registered) codeset used to encode
the data.
Although it is unlikely that administrators will enter
attributes of this type manually, the DCE control
program does support entering binary data via the
following notations: \ddd where ddd can be one, two, or
three octal digits, and \xhh where hh can be any number
of hexadecimal digits.
integer The value of the ERA is a signed 32-bit integer.
printstring
The value of the ERA is a printable Interface
Definition Language (IDL) character string using PCS.
stringarray
An array of PCS strings; represented as a Tcl list of
strings.
uuid The value of the ERA is a UUID.
void The ERA has no value. It is simply a marker that is
either present or absent.
intercell value
Specifies the action that should be taken by the privilege server
when reading ERAs from a foreign cell. Possible values are as
follows:
accept Accepts ERAs from foreign cells. The only check
applied is uniqueness if indicated by the unique
attribute.
reject Discards ERAs from foreign cells.
evaluate Invokes a trigger function to a server that would
decide whether the ERA should be kept, discarded, or
mapped to another value.
The default is reject.
This attribute is currently only advisory in DCE. Future
versions of DCE will support this functionality.
multivalued {yes | no}
Indicates that ERAs of this type may be multi-valued (that is,
multiple instances of the same attribute type may be attached to
Hewlett-Packard Company - 5 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
a single registry object). The value of this attribute must be
yes or no. This attribute is not modifiable after creation. The
default is no.
reserved {yes | no}
If set, this schema entry may not be deleted through any
interface by any user. The value of this attribute must be yes
or no. The default is no.
scope string
Indicates the name of a security directory or object in the
registry. If it is an object, instances of this ERA can be
attached only to this object. If it is a directory, instances of
this ERA can be attached only to descendants of this directory.
The default is an empty string, which does not limit which
objects ERAs may be attached to. For example, if this attribute
is set to principal/org/dce only principals with a prefix of
org/dce in the name may have this type of ERA. You cannot modify
this attribute after it is created. The default is the empty
string (that is, blank).
This attribute is currently only advisory in DCE. Future
versions of DCE will support this functionality.
trigtype type
Identifies whether there is a trigger and if so what type it is.
The possible values are: none, query, and update. If this
attribute is anything other than none, then trigbind must be set.
This attribute is not modifiable after creation. The default is
none.
trigbind binding
Contains binding information for the server that will support the
trigger operations. This field must be set if trigtype is not
none or if intercell is set to evaluate. The value of this
attribute is of the format described by the binding encoding
type. The default is the empty string (that is, blank).
unique {yes | no}
Indicates that each instance of the ERA must have a unique value
within the cell for a particular object type (for instance,
principal). The value of this attribute must be yes or no. This
attribute is not modifiable after creation. The default is no.
This attribute is currently only advisory in DCE. Future
versions of DCE will support this functionality.
uuid uuid
The internal identifier of the ERA. The value is a UUID. This
attribute is not modifiable after creation. If not specified on
the create operation, a value is generated by the system.
Hewlett-Packard Company - 6 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
See the OSF DCE Administration Guide for more information about
xattrschema attributes.
OPERATIONS [Toc] [Back]
xattrschema catalog
Returns a list of all the schema entry types defined in the specified
schema. The syntax is as follows:
xattrschema catalog schema_name [-simplename]
Options [Toc] [Back]
-simplename
Returns only the residual part of the schema name.
The catalog operation returns a list of the names of all the schema
entry types defined in the named schema. Use the -simplename option
to return only the residual part of the names, instead of the fully
qualified names.
Privileges Required [Toc] [Back]
You must have r (read) permission to the schema container object
(/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).
Examples [Toc] [Back]
dcecp> xattrschema catalog /.:/sec/xattrschema
/.../my_cell/sec/xattrschema/pre_auth_req
/.../my_cell/sec/xattrschema/pwd_val_type
/.../my_cell/sec/xattrschema/pwd_mgmt_binding
/.../my_cell/sec/xattrschema/X500_DN
/.../my_cell/sec/xattrschema/X500_DSA_Admin
/.../my_cell/sec/xattrschema/disable_time_interval
/.../my_cell/sec/xattrschema/max_invalid_attempts
/.../my_cell/sec/xattrschema/passwd_override
dcecp>
dcecp> xattrschema catalog ncacn_ip_tcp:15.22.45.148
/.../c2-cell/sec/xattrschema/pre_auth_req
/.../c2-cell/sec/xattrschema/pwd_val_type
/.../c2-cell/sec/xattrschema/pwd_mgmt_binding
/.../c2-cell/sec/xattrschema/disable_time_interval
/.../c2-cell/sec/xattrschema/max_invalid_attempts
/.../c2-cell/sec/xattrschema/passwd_override
dcecp>
Hewlett-Packard Company - 7 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
xattrschema create
Creates a new schema entry type. The syntax is as follows:
xattrschema create schema_entry_name_list
{-attribute attribute_list | -attribute value}
[-ifname residual_schema_name]
Options [Toc] [Back]
-attribute value
As an alternative to using the -attribute option with an
attribute list, you can specify individual attribute options
by prepending a hyphen (-) to any attributes listed in the
ATTRIBUTES section of this reference page.
-attribute attribute_list
Allows you to specify attributes by using an attribute list
rather than individual attribute options. The format of an
attribute list is as follows:
{{attribute value}...{attribute value}}
-ifname Specifies the xattrschema object to create.
The create operation creates a new schema entry for an ERA. The
argument is a list of one or more names of schema entry types to be
created. Attributes for the created schema entry types can be
specified via attribute lists or attribute options. If the command
argument contains more than one schema name, you cannot specify a UUID
attribute. All attributes are applied to all entry types to be
created. The -ifname option is used to identify the specific
xattrschema entry to create, but only when the argument is a string
binding representing a host, not a fully qualified xattrschema schema
name. This operation returns an empty string on success.
Privileges Required [Toc] [Back]
You must have i (insert) permission to the container object
(/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).
Examples [Toc] [Back]
dcecp> xattrschema create /.:/sec/xattrschema/test_integer \
> -encoding integer -aclmgr {group r r r r}
dcecp>
dcecp> xattrschema create ncacn_ip_tcp:15.22.24.145 -ifname test_integer \
> -encoding integer -aclmgr {{principal r r r r} {group r r r r}}
Hewlett-Packard Company - 8 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
dcecp>
xattrschema delete
Deletes a schema entry type. The syntax is as follows:
xattrschema delete schema_entry_name_list
[-ifname residual_schema_name]
Options [Toc] [Back]
-ifname Specifies the xattrschema object to delete.
The delete operation deletes a schema entry. The argument is a list
of names of schema entry types to be deleted. This command also
deletes all ERA instances of the schema entry. If the entry types do
not exist, an error is generated. The -ifname option is used to
identify the specific xattrschema entry to delete, but only when the
argument is a string binding representing a host, not a fully
qualified xattrschema schema name. This operation returns an empty
string on success.
Privileges Required [Toc] [Back]
You must have d (delete) permission to the container object
(/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).
Examples [Toc] [Back]
dcecp> xattrschema delete /.:/sec/xattrschema/test_integer
dcecp>
dcecp> xattrschema delete ncacn_ip_tcp:15.22.24.145 -ifname test_integer
dcecp>
xattrschema help
Returns help information about the xattrschema object and its
operations. The syntax is as follows:
xattrschema help [operation | -verbose]
Options [Toc] [Back]
-verbose Displays information about the xattrschema object.
Hewlett-Packard Company - 9 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
Used without an argument or option, the xattrschema help command
returns brief information about each xattrschema operation. The
optional operation argument is the name of an operation about which
you want detailed information. Alternatively, you can use the -verbose
option for more detailed information about the xattrschema object
itself.
Privileges Required [Toc] [Back]
No special privileges are needed to use the xattrschema help command.
Examples [Toc] [Back]
dcecp> xattrschema help
catalog Returns a list of all entries in a schema.
create Creates a schema entry.
delete Deletes a schema entry.
modify Modifies an existing schema entry.
rename Renames an existing schema entry.
show Returns the attributes of a schema entry.
help Prints a summary of command-line options.
operations Returns a list of the valid operations for this command.
dcecp>
xattrschema modify
This operation changes the attributes of a schema entry type. The
syntax is as follows:
xattrschema modify schema_entry_name_list
{-change attribute_list | -attribute value}
[-ifname residual_schema_name]
Options [Toc] [Back]
-attribute value
As an alternative to using the -change option with an
attribute list, you can specify individual attribute options
by prepending a hyphen (-) to any attributes listed in the
ATTRIBUTES section of this reference page.
-change attribute_list
Allows you to modify attributes by using an attribute list
rather than individual attribute options. The format of an
attribute list is as follows:
{{attribute value}...{attribute value}}
Hewlett-Packard Company - 10 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
-ifname Specifies the xattrschema object to modify.
The modify operation changes attributes of schema entry types in the
security service only. The argument is a list of names of schema
entry types to be operated on. All modifications are applied to all
schema entry types named in the argument. Schema entry types are
modified in the order they are listed, and all modifications to an
individual schema entry are atomic. Modifications to multiple schema
entry types are not atomic. A failure for any one schema entry in a
list generates an error and cancels the operation. The -ifname option
is used to identify the specific xattrschema entry to modify, but only
when the argument is a string binding representing a host, not a fully
qualified xattrschema schema name. This operation returns an empty
string on success.
The -change option modifies attributes. Its value is an attribute
list describing the new values for the specified attributes. The
command supports attribute options as well.
Privileges Required [Toc] [Back]
You must have m (mgmt_info) permission to the container object
(/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).
Examples [Toc] [Back]
dcecp> xattrschema modify /.:/sec/xattrschema/test_integer \
> -aclmgr {organization r r r r}
dcecp>
dcecp> xattrschema modify ncacn_ip_tcp:15.22.24.145 -ifname test_integer \
> -aclmgr {organization r r r r}
dcecp>
xattrschema operations
Returns a list of the operations supported by the xattrschema object.
The syntax is as follows:
xattrschema operations
The list of available operations is in alphabetical order except for
help and operations, which are listed last.
Privileges Required [Toc] [Back]
No special privileges are needed to use the xattrschema operations
command.
Hewlett-Packard Company - 11 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
Examples [Toc] [Back]
dcecp> xattrschema operations
catalog create delete modify rename show help operations
dcecp>
xattrschema rename
Changes the name of a specified schema entry type. The syntax is as
follows:
xattrschema rename schema_entry_name -to new_schema_entry_name
[-ifname residual_schema_name]
Options [Toc] [Back]
-to new_schema_entry_name
Specifies the new name. Specify the name in simple format,
without the container-object portion (that is, without
/.:/sec/xattrschema).
-ifname Specifies the xattrschema object to rename.
The rename operation changes the name of the specified ERA. The
argument is a single name of an ERA to be renamed. The
new_schema_entry_name argument to the required -to option specifies
the new name; this argument cannot be a list. The -ifname option is
used to identify the specific xattrschema entry to rename, but only
when the argument is a string binding representing a host, not a fully
qualified xattrschema schema name. This operation returns an empty
string on success.
Privileges Required [Toc] [Back]
You must have m (mgmt_info) permission to the container object
(/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).
Examples [Toc] [Back]
dcecp> xattrschema rename /.:/sec/xattrschema/test_integer -to test_int
dcecp>
dcecp> xattrschema rename ncacn_ip_tcp:15.22.24.128 -ifname test_integer -to test_int
dcecp>
xattrschema show
Hewlett-Packard Company - 12 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
Returns an attribute list describing the specified schema entry type.
The syntax is as follows:
xattrschema show schema_entry_name_list
[-ifname residual_schema_name]
Options [Toc] [Back]
-ifname Specifies the xattrschema object to show.
The show operation returns an attribute list describing the specified
schema entry types. The argument is a list of names of schema entry
types to be operated on. If more than one schema entry is given, the
attributes are concatenated. The -ifname option is used to identify
the specific xattrschema entry to show, but only when the argument is
a string binding representing a host, not a fully qualified
xattrschema schema name. Attributes are returned in arbitrary order.
Privileges Required [Toc] [Back]
You must have r (read) permission to the container object
(/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).
Examples [Toc] [Back]
dcecp> xattrschema show /.:/sec/xattrschema/test_integer
{name test_integer}
{aclmgr {principal {query r} {update r} {test r} {delete r}}}
{annotation {test_integer: encoding type integer}}
{applydefs yes}
{encoding integer}
{intercell reject}
{multivalued yes}
{reserved no}
{scope {}}
{trigbind {}}
{trigtype none}
{unique no}
{uuid 5f439154-2af1-11cd-8ec3-080009353559}
dcecp>
dcecp> xattrschema show ncacn_ip_tcp:15.22.24.145 -ifname passwd_override
{name passwd_override}
{aclmgr {principal {query m} {update m} {test m} {delete m}}}
{annotation {values: {the ability to not be restricted by passwd expiration}}}
{applydefs no}
{encoding integer}
{intercell reject}
{multivalued no}
Hewlett-Packard Company - 13 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96
xattrschema(1m) Open Software Foundation xattrschema(1m)
{reserved yes}
{scope {}}
{trigbind {}}
{trigtype none}
{unique yes}
{uuid bc51691e-dd2d-11cc-9866-080009353559}
dcecp>
RELATED INFORMATION [Toc] [Back]
Commands: dcecp(1m), dcecp_account(1m), dcecp_group(1m),
dcecp_organization(1m), dcecp_principal(1m).
Hewlett-Packard Company - 14 -�OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96 [ Back ] |
