1 IMPORT

   The IMPORT command is used to create DCE accounts based on OpenVMS
   accounts from an existing System Authorization File (SYSUAF).

   Format:

     IMPORT VMS-USERNAME

   Qualifiers                        Defaults

   /[NO]CONFIRM
   /DCE_LOGIN=(keyword=value,...)
   /[NO]IMPORT                       /IMPORT
   /[NO]EXCLUDE                      /NOEXCLUDE
   /[NO]INFORM                       /INFORM
   /[NO]INTERACTIVE                  /INTERACTIVE
   /MY_PASSWORD=passwd               None
   /OUTPUT[=output]                  /OUTPUT=SYS$OUTPUT:
   /[NO]RECAP                        /NORECAP
   /[NO]TEST_ONLY                    /NOTEST_ONLY

   Data Qualifiers                   Defaults

   /[NO]EXPIRATION_DATE=d            /NOEXPIRATION_DATE
   /FLAGS=flags
   /GOOD_SINCE_DATE=date             /GOOD_SINCE_DATE=now
   /GROUP=group                      "none"
   /HOME_DIRECTORY=string            None
   /LIFETIME=hours                   Taken from registry authorization policy
   /LOGIN_SHELL=string               None
   /MISCELLANEOUS=string             None
   /ORGANIZATION=organiza            "none"
   /PASSWORD=passwd                  No valid password
   /PRINCIPAL=principal
   /RENEWABLE_LIFETIME=ho            Taken from registry authorization policy

2 Parameters

vms-username

   Specifies the name of the OpenVMS account that is to be imported.
   If an asterisk is specified in place of the vms-username, all
   accounts from the OpenVMS system authorization file are selected.

2 Qualifiers

/CONFIRM

      /CONFIRM
      /NOCONFIRM

   Controls whether the IMPORT command asks for confirmation before
   creating a DCE principal or account, or both.

   In interactive mode the default is /CONFIRM. In non-interactive
   mode the default is /NOCONFIRM.

/DCE_LOGIN=(keyword=value[,...])

      /DCE_LOGIN=(keyword=value[,...])

   Provides DCE account details for accounts that are authorized to
   create principals and accounts in the DCE registry. Valid keywords
   for the DCE_LOGIN qualifier are as follows:

      Keyword         Description

      PRINCIPAL       The principal name to be used for
                      authentication purposes when creating accounts
                      and/or principals in the DCE registry.

                      If you do not specify a principal with this
                      qualifier you are prompted for one
                      interactively.

      PASSWORD        The password associated with the principal name
                      that was specified by the PRINCIPAL keyword.

                      If you do not specify a password with this
                      qualifier you are prompted for one
                      interactively.

   If you do not specify a principal or password with this qualifier,
   you are prompted for them interactively, regardless of whether or
   not you are running in interactive mode. This information need be
   entered only once per session, on the first IMPORT command.
   Subsequent IMPORT commands within the same session do not require
   you to reenter this information.

   If you are an interactive user and you do not specify the PASSWORD
   keyword, IMPORT prompts you for your password. The advantage of
   this is that the password is not echoed and therefore does not
   appear on your terminal.

/EXCLUDE

      /EXCLUDE
      /NOEXCLUDE (default)

   Determines whether or not the OpenVMS account is imported to the
   DCE registry. If the OpenVMS account is not imported, the DCE
   account is not created; instead, an entry is created in the IMPORT
   exclude file for the specified OpenVMS account.

/INFORM

      /INFORM (default)
      /NOINFORM

   Determines whether or not the user is informed of OpenVMS accounts
   that would have been selected for import, but are not because they
   either have already been imported (for example, they have an entry
   in the DCE$UAF) or they have an entry in the IMPORT exclude file.

/INTERACTIVE

      /INTERACTIVE (default)
      /NOINTERACTIVE

   Controls whether an interactive or noninteractive import is
   performed.

   In interactive mode, a series of questions is asked and the user's
   responses are used to determine the account details. This mode is
   well suited to interactive users.

   In noninteractive mode, all input is supplied through the data
   qualifiers, and any missing or conflicting data causes the DCE
   account to not be created. This mode is well suited to command
   files and batch jobs.

   Data qualifiers can be specified in interactive mode. In this case
   the data they provide is used as the default answers to the
   relevant questions. All questions are still asked.

/MY_PASSWORD=passwd

      /MY_PASSWORD=passwd

   DCE requires that you specify your current DCE password for
   authentication purposes. If you do not specify your DCE password
   with this qualifier you are prompted for it interactively,
   regardless of whether or not you are running in interactive mode.

   Omitting this qualifier and allowing IMPORT to prompt you for your
   DCE password has the advantage that the password is not echoed and
   therefore does not appear on your terminal if you are an
   interactive user.

/OUTPUT[=output]

      /OUTPUT[=output]

   Defines where all program output should be written. The default is
   SYS$OUTPUT:.

/RECAP

      /RECAP
      /NORECAP (default)

   If /RECAP is specified, details of the DCE account are displayed
   before it is actually created. When /CONFIRM is also specified, the
   account details are displayed immediately before the confirmation
   request.

/TEST_ONLY

      /TEST_ONLY
      /NOTEST_ONLY (default)

   If /TEST_ONLY is specified, DCE accounts and DCE$UAF entries are
   not created. All other functions operate normally.

2 Data_Qualifiers

/EXPIRATION_DATE=date

      /EXPIRATION_DATE=date
      /NOEXPIRATION_DATE (default)

   Specifies the expiration date for the DCE account. If not
   specified, or if /NOEXPIRATION_DATE is specified, then the DCE
   account is created without an expiration date.

/FLAGS=([no]keyword[,...])

      /FLAGS=([no]keyword[,...])

   Specifies several attributes of the DCE account. The keywords you
   can specify are:

      Keyword         Description

      ACCOUNT_VALID   A flag that is set to determine account
                      validity. An account without this flag set is
                      invalid and cannot log in.
                      The default is ACCOUNT_VALID.

      CLIENT          A flag that is set to indicate whether or not
                      the account is for a principal that can act as
                      a client.
                      The default is CLIENT.

      DUPLICATE_KEYS  A flag that is set to determine if tickets
                      issued to the account's principal can have
                      duplicate keys.
                      The default is NODUPLICATE_KEYS.

      FORWARDABLE_CERTIFICATES
                      A flag that is set to determine whether a new
                      ticket-granting ticket with a network address
                      that differs from the present ticket-granting
                      ticket network address can be issued to the
                      account's principal. (The Proxiable Certificate
                      Flag performs the same function for service
                      tickets.)
                      The default is FORWARDABLE_CERTIFICATES.

      PASSWORD_VALID  A flag that is set to determine whether the
                      current password is valid. If this flag is not
                      set, the next time the principal logs in to the
                      DCE account, the system prompts the principal
                      to change his password.
                      The default is PASSWORD_VALID.

      POSTDATED_CERTIFICATES
                      A flag that is set to determine if tickets with
                      a start time some time in the future can be
                      issued to the account's principal.
                      The default is NOPOSTDATED_CERTIFICATES.

      PROXIABLE_CERTIFICATE
                      A flag that is set to determine whether or not
                      a new ticket with a different network address
                      than the present ticket can be issued to the
                      account's principal. (The Forwardable
                      Certificate Flag performs the same function for
                      ticket-granting tickets.)
                      The default is NOPROXIABLE_CERTIFICATE.

      RENEWABLE_CERTIFICATE
                      A flag that is set to determine if the
                      ticket-granting ticket issued to the account's
                      principal can be renewed. If this flag is set
                      the authentication service renews the
                      ticket-granting ticket if its lifetime is
                      valid.
                      The default is RENEWABLE_CERTIFICATE.

      SERVER          A flag that is set to indicate whether or not
                      the account is for a principal that can act as
                      a server.
                      The default is SERVER.

      TGT_AUTHENTICATION
                      A flag that is set to determine whether or not
                      tickets issued to the account's principal can
                      use the ticket-granting ticket authentication
                      mechanism.
                      The default is TGT_AUTHENTICATION.

/GOOD_SINCE_DATE=date

      /GOOD_SINCE_DATE=date

   Specifies the date and time that the account was known to be in an
   uncompromised state. If not specified, the Good Since Date is set
   to the current date and time.

/GROUP=group

      /GROUP=group

   Specifies the name of an existing DCE group that is associated
   with the account being created. Note that if the group does not
   exist it is not created by IMPORT. The default group name is
   "none".

/HOME_DIRECTORY=string

      /HOME_DIRECTORY=string

   Specifies the directory in which the principal is placed at login.
   If not specified, the DCE account is created without a Home
   Directory.

/LIFETIME=hours

      /LIFETIME=hours

   Specifies the maximum amount of time, in hours, that a ticket can
   be valid. If not specified, the Maximum Certificate Lifetime
   defined as registry authorization policy is used.

/LOGIN_SHELL=string

      /LOGIN_SHELL=string

   Specifies the shell that is executed when a principal logs in. If
   not specified, the DCE account is created without a login shell.

/MISCELLANEOUS=string

      /MISCELLANEOUS=string

   Specifies a text string that is typically used to describe the use
   of the account. If not specified, the DCE account is created
   without a miscellaneous value.

/ORGANIZATION=organization

      /ORGANIZATION=organization

   Specifies the name of an existing DCE organization that is
   associated with the account being created. Note that if the
   organization does not exist it is not created by IMPORT. The
   default organization name is "none".

/PASSWORD=passwd

      /PASSWORD=passwd

   Specifies the password to be assigned to the DCE account. If not
   specified, the DCE account is created without a valid DCE password.

/PRINCIPAL=(keyword[,...])

      /PRINCIPAL=(keyword[,...])

   Specifies the principal that is associated with the DCE account
   that is being created. If an existing principal is to be
   associated with the DCE account being created then you need only
   specify NAME (and ALIAS if it's an alias principal). The other
   keywords are only used when a new principal is created. The
   keywords you can specify are:

      Keyword         Description

      ALIAS           Specifies that the principal defined by the
                      NAME keyword is an alias. By default the name
                      is considered a primary principal.

      CASE=keyword    Specifies how the principal name should be
                      formatted. For example, to specify that the
                      principal name should be all lowercase, use
                      /PRINCIPAL=CASE=LOWERCASE. Possible keywords
                      are:

                      NOEDIT
                         Do not perform any formatting. This is the
                         default.

                      LOWERCASE[=n1[,n2]]
                         Convert the principal name so that the
                         first n1 characters and last n2 are
                         lowercase, and the remainder are uppercase.
                         If you do not specify a value for n1 then
                         the entire principal is converted to
                         lowercase. If you do not specify a value
                         for n2 then 0 is used.

                      UPPERCASE[=n1[,n2]]
                         Convert the principal name so that the
                         first n1 characters and last n2 are
                         uppercase, and the remainder are lowercase.
                         If you do not specify a value for n1 then
                         the entire principal is converted to
                         uppercase. If you do not specify a value
                         for n2 then 0 is used.

                      The default is NOEDIT.

      FULL_NAME=string
                      An optional string that is used to more fully
                      qualify a primary name. If the name contains
                      spaces, lowercase characters, or any other
                      special characters, enclose the string in
                      quotes.
                      The default is no full name.

      NAME=name       The standard name (primary or alias) that is
                      associated with the DCE account. If the name
                      contains spaces, lowercase characters, or any
                      other special characters, enclose the string in
                      quotes.
                      The default is to take the username from the
                      system authorization file (SYSUAF) record, edit
                      it according to the CASE keyword, and then use
                      this as the principal name.

      OBJECT_CREATION_QUOTA=number
                      The number of registry objects that can be
                      created by the principal.
                      If you do not specify this keyword then no
                      quota is established and the principal can
                      create an unlimited number of registry objects.

      UNIX_ID=number  The required UNIX ID that is associated with
                      the principal.
                      If a primary principal is being created you can
                      omit the UNIX ID and one is generated
                      automatically. If an alias principal is being
                      created you must specify the UNIX ID of the
                      corresponding primary principal.

/RENEWABLE_LIFETIME=hours

      /RENEWABLE_LIFETIME=hours

   Specifies the amount of time, in hours, before a principal's
   ticket-granting ticket expires and that principal must log into
   the system again to reauthenticate and obtain another
   ticket-granting ticket. If not specified, the Maximum Certificate
   Renewable Lifetime defined as registry authorization policy is
   used.
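
Supplying /DCE_LOGIN=(PASSWORD=...), /MY_PASSWORD or /PASSWORD in a command file leaves the password in cleartext in that file, whereas the prompts described above do not echo it. The following Python check is an added example, not part of the original help text: it scans a DCL command file for IMPORT commands that embed a password. The sample file is constructed, and it is assumed that commands appear as lines beginning with IMPORT (optionally after the "$" prompt) and use the full qualifier spellings.

```python
import re

# Qualifiers from the IMPORT help text whose value is a password.
DIRECT = ("/MY_PASSWORD", "/PASSWORD")
# /NAME with an optional =value: a (...) list, a "quoted" string, or a bare word.
QUAL_RE = re.compile(
    r'(/[A-Z_$]+)(?:=(\((?:[^()"]|"[^"]*")*\)|"[^"]*"|[^\s/]+))?', re.I)

# Constructed sample command file (accounts and passwords are made up).
SAMPLE = """$! nightly DCE account import
$ IMPORT SMITH /NOINTERACTIVE /MY_PASSWORD=example1 -
    /GROUP=staff /PASSWORD=example2
$ IMPORT JONES /NOINTERACTIVE /DCE_LOGIN=(PRINCIPAL=cell_admin,PASSWORD=example3)
$ IMPORT * /TEST_ONLY /NOCONFIRM /DCE_LOGIN=(PRINCIPAL=cell_admin)
"""


def logical_lines(text):
    """Yield (first_line_no, command), joining DCL '-' continuation lines."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        start = no if start is None else start
        if line.endswith("-"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf


def find_embedded_passwords(text):
    """Return [(line_no, qualifier)] for IMPORT commands with inline passwords."""
    findings = []
    for no, line in logical_lines(text):
        cmd = line.lstrip("$ \t")
        if not re.match(r"IMPORT\b", cmd, re.I):
            continue  # comments ("$!") and other commands
        for name, value in QUAL_RE.findall(cmd):
            name = name.upper()
            if name in DIRECT and value:
                findings.append((no, name))
            elif name == "/DCE_LOGIN" and re.search(r"\bPASSWORD\s*=", value, re.I):
                findings.append((no, "/DCE_LOGIN=(PASSWORD=...)"))
    return findings


if __name__ == "__main__":
    for no, qualifier in find_embedded_passwords(SAMPLE):
        print(f"line {no}: password given on the command line via {qualifier}")
```

Abbreviated qualifier names are not matched by this check.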