The IMPORT command is used to create DCE accounts based on
OpenVMS accounts from an existing System Authorization File
(SYSUAF).
Format:
IMPORT VMS-USERNAME
Qualifiers Defaults
/[NO]CONFIRM
/DCE_LOGIN=(keyword=value,...)
/[NO]IMPORT /IMPORT
/[NO]EXCLUDE /NOEXCLUDE
/[NO]INFORM /INFORM
/[NO]INTERACTIVE /INTERACTIVE
/MY_PASSWORD=passwd None
/OUTPUT[=output] /OUTPUT=SYS$OUTPUT:
/[NO]RECAP /NORECAP
/[NO]TEST_ONLY /NOTEST_ONLY
Data Qualifiers Defaults
/[NO]EXPIRATION_DATE=d /NOEXPIRATION_DATE
/FLAGS=flags
/GOOD_SINCE_DATE=date /GOOD_SINCE_DATE=now
/GROUP=group "none"
/HOME_DIRECTORY=string None
/LIFETIME=hours Taken from registry authorization policy
/LOGIN_SHELL=string None
/MISCELLANEOUS=string None
/ORGANIZATION=organiza "none"
/PASSWORD=passwd No valid password
/PRINCIPAL=principal
/RENEWABLE_LIFETIME=ho Taken from registry authorization policy
1 – Parameters
vms-username
Specifies the name of the OpenVMS account that is to be
imported.
If an asterisk is specified in place of the vms-username,
all accounts from the OpenVMS system authorization
file are selected.
2 – Qualifiers
2.1 /CONFIRM
/CONFIRM
/NOCONFIRM
Controls whether the IMPORT command asks for confirmation
before creating a DCE principal or account, or both.
In interactive mode the default is /CONFIRM. In non-
interactive mode the default is /NOCONFIRM.
2.2 /DCE_LOGIN=(keyword=valud[,...])
/DCE_LOGIN=(keyword=valud[,...])
Provides DCE account details for accounts that are authorized to
create pricipals and accounts in the DCE registry. Valid keywords for
the DCE_LOGIN qualifier are as follows:
Keyword Description
PRINCIPAL The principal name to be used for authentication
purposes when creating accounts and/or principals
in the DCE registry.
If you do not specify a principal with this qualifier
you are prompted for one interactively.
PASSWORD The password associated with the principal name
that was specified by the PRINCIPAL keyword.
If you do not specify a password with this qualifier
you are prompted for one interactively.
If you do not specify a principal or password with this qualifier,
you are prompted for them interactively, regardless of whether or not
you are running in interactive mode. This information
need be entered only once per session, on the first IMPORT command.
Subsequent IMPORT commands within the same session do not require that
you to reenter this information.
If you are an interactive user and you do not specify the PASSWORD
keyword, IMPORT prompts you for your password. The advantage in this
is the password is not echoed and therefore does not appear on your
terminal.
2.3 /EXCLUDE
/EXCLUDE
/NOEXCLUDE (default)
Determines whether or not the OpenVMS account is imported
to the DCE registry. If the OpenVMS account is not imported
then the DCE account is not created and instead an entry
is created in the IMPORT exclude file for the specified
OpenVMS account.
2.4 /INFORM
/INFORM (default)
/NOINFORM
Determines whether or not the user is informed of OpenVMS
accounts that would have been selected for import, but are
not because they either have already been imported (for example,
they have an entry in the DCE$UAF) or they have an entry in
the IMPORT exclude file.
2.5 /INTERACTIVE
/INTERACTIVE (default)
/NOINTERACTIVE
Controls whether an interactive or noninteractive import
is performed.
In interactive mode, a series of questions is asked and the
user's responses are used to determine the account details.
This mode is well suited to interactive users.
In noninteractive mode, all input is supplied through the data
qualifiers, and any missing or conflicting data causes
the DCE account to not be created. This mode is well suited
to command files and batch jobs.
Data qualifiers can be specified in interactive mode.
In this case the data they provide is used to provide the
default answers to the relevant questions. All questions
are still asked.
2.6 /MY_PASSWORD=passwd
/MY_PASSWORD=passwd
DCE requires that you specify your current DCE password
for authentication purposes. If you do not specify your
DCE password with this qualifier you are prompted for
it interactively, regardless of if you are running in
interactive mode or not.
Omitting this qualifier and allowing IMPORT to prompt you
for your DCE password has the advantage that in this case
the password is not echoed and does therefore not appear on
your terminal if you are an interactive user.
2.7 /OUTPUT[=output]
/OUTPUT[=output]
Defines where all program output should be written.
The default is SYS$OUTPUT:.
2.8 /RECAP
/RECAP
/NORECAP (default)
If /RECAP is specified details of the DCE account are
displayed before it is actually created. When /CONFIRM
is also specified the account details are displayed
immediately before the confirmation request.
2.9 /TEST_ONLY
/TEST_ONLY
/NOTEST_ONLY (default)
If /TEST_ONLY is specified, DCE accounts and DCE$UAF
entries are not created. All other functions operate normally.
3 – Data Qualifiers
3.1 /EXPIRATION_DATE=date
/EXPIRATION_DATE=date
/NOEXPIRATION_DATE (default)
Specifies the expiration date for the DCE account.
If not specified, or if /NOEXPIRATION_DATE is specified,
then the DCE account is created without an expiration date.
3.2 /FLAGS=([no]keyword[,...])
/FLAGS=([no]keyword[,...])
Specifies several attributes of the DCE account. The
keywords you can specify are:
Keyword Description
ACCOUNT_VALID A flag that is set to determine account
validity. An account without this flag set
is invalid and cannot log in.
The default is ACCOUNT_VALID.
CLIENT A flag that is set to indicate whether or
not the account is for a principal that
can act as a client.
The default is CLIENT.
DUPLICATE_KEYS A flag that is set to determine if tickets
issued to the account's principal can have
duplicate keys.
The default is NODUPLICATE_KEYS.
FORWARDABLE_ A flag that is set to determine whether a
CERTIFICATES new ticket-granting ticket with a network
address that differs from the present
ticket-granting ticket network address can
be issued to the account's principal. (The
Proxiable Certificate Flag performs the
same function for service tickets.)
The default is FORWARDABLE_CERTIFICATES.
PASSWORD_VALID A flag that is set to determine whether
the current password is valid. If this
flag is not set, the next time the
principal logs in to the DCE account,
the system prompts the principal to change
his password.
The default is PASSWORD_VALID.
POSTDATED_ A flag that is set to determine if tickets
CERTIFICATES with a start time some time in the future
can be issued to the account's principal.
The default is NOPOSTDATED_CERTIFICATES.
PROXIABLE_ A flag that is set to determine whether or
CERTIFICATE not a new ticket with a different network
address than the present ticket can be
issued to the account's principal. (The
Forwardable Certificate Flag performs
the same function for ticket-granting
tickets.)
The default is NOPROXIABLE_CERTIFICATE.
RENEWABLE_ A flag that is set to determine if the
CERTIFICATE ticket-granting ticket issued to the
account's principal can be renewed.If this
flag is set the authentication service
renews the ticket-granting ticket if its
lifetime is valid.
The default is RENEWABLE_CERTIFICATE.
SERVER A flag that is set to indicate whether or
not the account is for a principal that
can act as a server.
The default is SERVER.
TGT_ A flag that is set to determine whether
AUTHENTICATION or not tickets issued to the account's
principal can use the ticket-granting
ticket authentication mechanism.
The default is TGT_AUTHENTICATION.
3.3 /GOOD_SINCE_DATE=date
/GOOD_SINCE_DATE=date
Specifies the date and time that the account was known to be in an
uncompromised state.
If not specified, the Good Since Date is set to the current date and
time.
3.4 /GROUP=group
/GROUP=group
Specifies the name of an existing DCE group that is
associated with the account being created. Note that if
the group does not exist it is not be created by IMPORT.
The default group name is "none".
3.5 /HOME_DIRECTORY=string
/HOME_DIRECTORY=string
Specifies the directory in which the principal is placed at
login.
If not specified the DCE account is created without a Home
Directory.
3.6 /LIFETIME=hours
/LIFETIME=hours
Specifies the maximum amount of time, in hours, that a
ticket can be valid.
If not specified the Maximum Certificate Lifetime defined
as registry authorization policy is used.
3.7 /LOGIN_SHELL=string
/LOGIN_SHELL=string
Specifies the shell that is executed when a principal logs in.
If not specified the DCE account is created without a login
shell.
3.8 /MISCELLANEOUS=string
/MISCELLANEOUS=string
Specifies a text string that is typically used to describe
the use of the account.
If not specified the DCE account is created without a
miscellaneous value.
3.9 /ORGANIZATION=organization
/ORGANIZATION=organization
Specifies the name of an existing DCE organization that is
associated with the account being created. Note that if the
organization does not exist it is not be created by IMPORT.
The default organization name is "none".
3.10 /PASSWORD=passwd
/PASSWORD=passwd
Specifies the password to be assigned to the DCE account.
If not specified the DCE account is created without a valid
DCE password.
3.11 /PRINCIPAL=(keyword[,...])
/PRINCIPAL=(keyword[,...])
Specifies the principal that is associated with the DCE
account that is being created.
If an existing principal is to be associated with the DCE
account being created then you need only specify NAME (and
ALIAS if its an alias principal). The other keywords are
only used when a new principal is created.
The keywords you can specify are:
Keyword Description
ALIAS Specifies that the principal defined
by the NAME keyword is an alias. By
default the name is considered a primary
principal.
CASE=keyword Specifies how the principal name should be
Formatted. For example, to specify that the
principal name should be all lowercase, use
/PRINCIPAL=CASE=LOWERCASE. Possible keywords are:
NOEDIT Do not perform any
Format:ting. This is the
default.
LOWERCASE[=n1[,n2]]Convert the principal
name so that the first
n1 characters and last
n2 are lowercase, and the
remainder are uppercase.
If you do not specify
a value for n1 then
the entire principal is
converted to lowercase.
If you do not specify a
value for n2 then 0 is
used.
UPPERCASE[=n1[,n2]]Convert the principal
name so that the first
n1 characters and last
n2 are uppercase, and the
remainder are lowercase.
If you do not specify
a value for n1 then
the entire principal is
converted to uppercase.
If you do not specify a
value for n2 then 0 is
used.
The default is NOEDIT.
FULL_ An optional string that is used to more
NAME=string fully qualify a primary name. If the name
contains spaces, lowercase characters, or
any other special characters, enclose the
string in quotes.
The default is no full name.
NAME=name The standard name (primary or alias) that
is associated with the DCE account. If
the name contains spaces, lowercase
characters, or any other special
characters, enclose the string in quotes.
The default is to take the username
from the system authorization file
(SYSUAF) record, edit it according to
the CASE keyword, and then use this as the
principal name.
OBJECT_ The number of registry objects that can be
CREATION_ created by the principal.
QUOTA=number If you do not specify this keyword then
no quota is established and the principal
can create an unlimited number of registry
objects.
UNIX_ID=number The required UNIX ID that is associated
with the principal.
If a primary principal is being created
you can omit the UNIX ID and one is
generated automatically.
If an alias principal is being created
you must specify the UNIX ID of the
corresponding primary principal.
3.12 /RENEWABLE_LIFETIME=hours
/RENEWABLE_LIFETIME=hours
Specifies the amount of time, in hours, before a
principal's ticket-granting ticket expires and that
principal must log into the system again to reauthenticate
and obtain another ticket-granting ticket.
If not specified the Maximum Certificate Renewable Lifetime
defined as registry authorization policy is used.