
⇒ organization(8dce) — DCE 3.1


organization(8dce)  —  Maintenance

NAME

organization  — A dcecp object that manages an organization in the DCE Security Service

SYNOPSIS

organization add organization_name_list -member member_name_list

organization catalog [cell_name] [-simplename]

organization create organization_name_list {-attribute extended_rgy_attr_list | -attribute value}

organization delete organization_name_list

organization help [operation | -verbose]

organization list organization_name_list [-simplename]

organization modify organization_name_list {-add extended_rgy_attr_list | -remove extended_rgy_attr_list [-types] | -change extended_rgy_attr_list | -attribute value}

organization operations

organization remove organization_name_list -member member_name_list

organization rename organization_name -to new_organization_name

organization show organization_name_list [-all | -policies | -xattrs]

Arguments

cell_name
The name of a cell to contact when processing the catalog operation.  The name must be a fully qualified cell name, such as /.: or /.../cell_name.

operation
The name of the organization operation for which to display help information.

organization_name
The name of a single organization to act on. See organization_name_list for the name format. 

organization_name_list
A list of one or more names of organizations to act on. Supply the names as follows:

   •Fully qualified names in the form: /.../cell_name/organization_name or /.:/organization_name

   •Cell-relative names in the form organization_name.  These names refer to an organization in the cell identified in the _s(sec) convenience variable, or if the _s(sec) convenience variable is not set, in the local host’s default cell. 

Do not mix fully qualified names and cell-relative names in a list.  In addition, do not use the names of registry database objects that contain organization information; in other words, do not use names that begin with /.:/sec/org/. 

Description

The organization  object represents registry organizations.  Unless otherwise noted, all organization  operations take the names of the organizations to act on as an argument. 

When this command executes, it attempts to bind to the registry server identified in the _s(sec) variable.  If that server cannot process the request or if the _s(sec) variable is not set, the command binds to either an available slave server or the master registry server, depending on the operation.  Upon completion the command sets the _b(sec) convenience variable to the name of the registry server to which it bound. 

Attributes

The organization  object supports two kinds of attributes: organization and policy. 

   •Organization attributes consist of the organization’s name, Universal Unique Identifier (UUID), and organization identifier.  Organization attributes may or may not have default values.  They assume a default value or a value set by administrators. 

   •Policy attributes regulate such things as account and password lifetimes for all accounts associated with a particular organization.  If you do not set these attributes, they default to the value set for the registry as a whole with the registry modify  command.  Note that if a policy attribute value set for the registry as a whole is stricter than the value you set for an organization, the registry wide value is used. 

Organization Attributes

orgid integer
Used with the create  operation to specify the organization identifier for the organization.  If this attribute is not set when an organization is created, an organization identifier is assigned automatically.  Do not specify the orgid  attribute when creating two or more organizations with the same command.  If you do, the second create  operation will fail, since the organization identifier is already in use after the first is created.  However, the alias and orgid attributes can be specified to create several aliases for an existing organization with one command. 

uuid hexadecimal number
Used with the create  operation to specify the organization’s UUID, a unique internal identifier.  Use the UUID attribute only to adopt an orphaned UUID.  Normally the UUID for a new organization is generated by the registry.  In cases where data exists tagged with a UUID of an organization that has been deleted from the registry, use the create  operation to specify the old UUID for a new organization.  The UUID specified must be an orphan, that is, a UUID for which no name exists in the registry.  An error occurs if you specify a name that is already defined in the registry. 

fullname string
Used with the create and modify operations to specify the organization’s full name, a name used for information purposes only.  The full name typically describes or expands a primary name to allow easy recognition by users.  For example, an organization could have a primary name of abc and a full name of Advanced Binary Corporation.  The value is a string.  If it contains spaces, it is displayed in quotation marks and, on entry, must be enclosed in quotation marks or braces.  The fullname attribute defaults to the null string (that is, blank).

Policy Attributes

Since organization policy attributes do not exist on an organization unless explicitly defined, they have no default values.  The organization policy attributes are as follows:

acctlife {relative_time | unlimited}
Defines the lifespan of accounts.  Specify the time by using the Distributed Time Service (DTS) relative time format ([-]dd-hh:mm:ss) or the string unlimited. 

pwdalpha {yes | no}
Defines whether passwords can consist entirely of alphanumeric characters.  Its value is either yes or no. 

pwdexpdate {ISO_timestamp | none}
Defines a date on which a password expires.  Specify the date by using an ISO-compliant time format such as CC-MM-DD-hh:mm:ss or the string none, which specifies that the password not expire. 

pwdlife {relative_time | unlimited}
Defines the lifespan of passwords.  Specify the time by using the DTS-relative time format ([-]DD-hh:mm:ss) or the string unlimited. 

pwdminlen integer
Defines the minimum number of characters in a password.  Its value is a positive integer or the integer 0, which means there is no minimum length. 

pwdspaces  {yes | no}
Defines whether or not passwords can consist entirely of spaces.  Its value is either yes or no. 

See the OSF DCE Administration Guide for more information about organization and policy attributes. 

Errors

A representative list of errors that might be returned is not shown here.  Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages. 

Operations

organization add

Adds members to a security organization.  The syntax is as follows:

organization add organization_name_list -member member_name_list

Options

-member member_name_list
Specifies a list of one or more names of principals to be added to each organization in the argument.

The add operation adds members to an organization.  The organization_name_list argument is a list of names of organizations to be added to.  The member_name_list argument of the required -member option is a list of names of principals to be added to each organization in the argument.  If the principals do not exist, the command returns an error.  This operation returns an empty string on success.

Privileges Required

You must have r (read) and M (Member_list) permissions on the target organization and r (read) permission on the principal being added. 

Examples

dcecp> organization add managers -member W_White
dcecp>

organization catalog

Returns a list of the names of all organizations in the registry.  The syntax is as follows:

organization catalog [cell_name] [-simplename]

Options

-simplename
Returns a list of organization names in the registry without prepending the cell name.

The catalog operation returns a list of the names of all organizations in the local registry in lexical order.  Use the cell_name argument to return a list of organizations in another cell’s registry.  By default, fully qualified names are returned in the form cellname/organization_name.  Use the -simplename option to return them in the form organization_name.

Privileges Required

You must have r (read) permission to the /.:/sec/org directory. 

Examples

dcecp> organization catalog
/.../my_cell.goodcompany.com/none
/.../my_cell.goodcompany.com/users
/.../my_cell.goodcompany.com/managers
dcecp>
dcecp> organization catalog -simplename
none
users
managers
dcecp>

organization create

Creates a new organization in the registry database.  The syntax is as follows:

organization create organization_name_list {-attribute extended_rgy_attr_list | -attribute value}

Options

-attribute value
As an alternative to using the -attribute option with an attribute list, you can change individual attribute options by prepending a hyphen (-) to any attributes listed in the Attributes section of this reference page.  You cannot use this option to specify ERAs; it is only for the standard attributes described in Attributes.

-attribute extended_rgy_attr_list
Allows you to specify attributes, including ERAs, by using an attribute list rather than using the -attribute value option.  The format of an attribute list is as follows:

{{extended_rgy_attr_list value}...{extended_rgy_attr_list value}}

See the OSF DCE Administration Guide for more information on ERAs. 

The create  operation creates a new organization.  The organization_name_list argument is a list of names of organizations to be created.  Options specify the attributes of the newly created organization.  All options are applied to all organizations in the argument list.  This operation returns an empty string on success. 

Privileges Required

You must have i (insert) permission to the directory in which the organization is to be created. 

Examples

dcecp> organization create temps -fullname "Temporary Employees"
dcecp>
dcecp> organization create temps -attribute {fullname "Temporary Employees"}
dcecp>
dcecp> org create dce -fullname {Dist Comp Env} -orgid 101
dcecp>
dcecp> org create dce -fullname {Dist Comp Env} \
> -uuid c2aac790-dc6c-11cc-a6f8-080009251352
dcecp>

organization delete

Deletes organizations from the registry.  The syntax is as follows:

organization delete organization_name_list

The delete  operation deletes organizations from the registry.  The organization_name_list argument is a list of names of organizations to be deleted.  If a named organization does not exist, an error is generated.  This operation returns an empty string on success. 

This operation also deletes any accounts associated with organizations that are deleted.  To preserve accounts, add desired principals to a different organization by using the organization add -member command.  Modify the principals’ accounts to point to the new organization by using the account modify  command.  Then you can delete the organization by using the organization delete  command. 

Privileges Required

You must have d (delete) permission to the directory in which the target organization exists.  You must have r (read) and D (Delete_object) permissions on the organization to be deleted.

Examples

dcecp> organization delete temps
dcecp>

organization help

Returns help information about the organization  object and its operations.  The syntax is as follows:

organization help [operation | -verbose]

Options

-verbose
Displays information about the organization object.

Used without an argument or option, the organization help command returns brief information about each organization operation.  The optional operation argument is the name of an operation about which you want detailed information.  Alternatively, you can use the -verbose option for more detailed information about the organization object itself.

Privileges Required

No special privileges are needed to use the organization help  command. 

Examples

dcecp> organization help
add                 Adds a member to the named organization.
catalog             Returns a list of all the names of organizations.
create              Creates an organization in the registry.
delete              Deletes an organization from the registry.
list                Returns a list of all the members of an organization.
modify              Changes the information about an organization.
remove              Removes a member from the named organization.
rename              Renames the specified organization.
show                Returns the attributes of an organization.
help                Prints a summary of command-line options.
operations          Returns a list of the valid operations for this command.
dcecp>

organization list

Returns a list of the names of all members of an organization.  The syntax is as follows:

organization list organization_name_list [-simplename]

Options

-simplename
Returns a list of member names in the organization without prepending the cell name.

The list operation returns a list of the names of all members of an organization.  The organization_name_list argument is a list of names of organizations.  By default, fully qualified names are returned in the form cellname/member_name.  If the -simplename option is given, the cell name is not prepended to the member names.  Names are returned in lexical order.

Privileges Required

You must have r (read) permission to the organization. 

Examples

dcecp> organization list managers
/.../my_cell.goodcompany.com/W_Ward
/.../my_cell.goodcompany.com/L_Jones
/.../my_cell.goodcompany.com/S_Preska
/.../my_cell.goodcompany.com/S_Rohrer
/.../my_cell.goodcompany.com/J_Wanders
/.../my_cell.goodcompany.com/K_Parsons
dcecp>
dcecp> organization list {managers users}
/.../my_cell.goodcompany.com/W_Ward
/.../my_cell.goodcompany.com/L_Jones
/.../my_cell.goodcompany.com/S_Preska
/.../my_cell.goodcompany.com/S_Rohrer
/.../my_cell.goodcompany.com/J_Wanders
/.../my_cell.goodcompany.com/W_Ross
/.../my_cell.goodcompany.com/J_Severance
/.../my_cell.goodcompany.com/J_Hunter
/.../my_cell.goodcompany.com/B_Carr
/.../my_cell.goodcompany.com/E_Vliet
/.../my_cell.goodcompany.com/J_Egan
/.../my_cell.goodcompany.com/F_Willis
dcecp>

organization modify

Changes attributes and policies of organizations.  The syntax is as follows:

organization modify organization_name_list {-add extended_rgy_attr_list | -remove extended_rgy_attr_list [-types] | -change extended_rgy_attr_list | -attribute value}

Options

-attribute value
As an alternative to using options with an attribute list, you can change individual attribute options by prepending a hyphen (-) to any attributes listed in the Attributes section of this reference page.  You cannot use this option to specify ERAs; it is only for standard group attributes described in Attributes.

-add extended_rgy_attr_list
Allows you to modify attributes, including ERAs, by using an attribute list rather than individual attribute options.  The format of an attribute list is as follows:

{{extended_rgy_attr_list value}...{extended_rgy_attr_list value}}

-change extended_rgy_attr_list
Allows you to modify attributes, including ERAs, by using an attribute list rather than individual attribute options.  See the -add option for the attribute list format.

-remove extended_rgy_attr_list
Allows you to modify attributes, including ERAs, by using an attribute list rather than using individual attribute options such as fullname, acctlife, and so on.  See the -add option for the attribute list format.

Without the -types option, -remove deletes individual attribute instances attached to the group.  In this case, extended_rgy_attr_list is a list of attribute-value pairs.  With the -types option, -remove deletes attribute types (and all instances of that type) attached to the group.  In this case, extended_rgy_attr_list is a list of attribute types.

-types
Used with the -remove option to remove attribute types (and all instances of that type) attached to the group.

See the OSF DCE Administration Guide for more information about ERAs. 

The modify operation changes attributes and policies of organizations.  (To change registrywide policies, use the registry  command.) 

The organization_name_list argument is a list of names of organizations to be operated on.  All modifications are applied to all organizations named in the argument.  Organizations are modified in the order they are listed, and all modifications to an individual organization are atomic.  Modifications to multiple organizations are not atomic.  A failure for any one organization causes an error to be generated and aborts the rest of the operation.  This operation returns an empty string on success.

The -change option can modify the value of any attribute except for orgid and uuid.

Privileges Required

You must have r (read) permission on the organization to be modified and f (full_name) permission to change the organization’s fullname and/or m (mgmt_info) permission to change the organization’s management information.

Examples

dcecp> organization modify temps -acctlife 180-00:00:00 \
> -pwdalpha yes -pwdlife 30-00:00:00 \
> -pwdexpdate 1995-12-31-23:59:59 -pwdspaces yes
dcecp>
dcecp> organization modify temps -add {test_era 101}
dcecp>
dcecp> organization show temps -all
{fullname {}}
{orgid 12}
{uuid 0000000c-03d5-21cf-9802-08000985b5a6}
{test_era 101}
{acctlife +180-00:00:00.000I-----}
{pwdalpha yes}
{pwdexpdate 1995-12-31-23:59:59.000+00:00I-----}
{pwdlife +30-00:00:00.000I-----}
{pwdminlen 0}
{pwdspaces yes}
dcecp>

organization operations

Returns a list of the operations supported by the organization  object.  The syntax is as follows:

organization operations

The list of available operations is in alphabetical order except for help  and operations, which are listed last. 

Privileges Required

No special privileges are needed to use the organization operations  command. 

Examples

dcecp> organization operations
add catalog create delete list modify remove
rename show help operations
dcecp>

organization remove

Removes a member from an organization.  The syntax is as follows:

organization remove organization_name_list -member member_name_list

Options

-member member_name_list
Specifies a list of one or more names of principals to be removed from each organization in the argument.

The remove operation removes members from an organization.  The argument is a list of names of organizations from which to remove members.  The value of the required -member option is a list of names of principals to remove from the organizations listed in the argument.  When a member is removed from an organization, any accounts associated with that principal and group are deleted.  Remember that accounts are associated with a principal, a group, and an organization; therefore, any accounts whose principal name and organization name match those given to this command are removed, but accounts for which only one name matches are untouched.  This operation returns an empty string on success.

Privileges Required

You must have r (read) and M (Member_list) permissions on the target organizations and r (read) permission on the member to be removed. 

Examples

dcecp> organization remove managers -member J_Wanders
dcecp>
dcecp> organization add rigel -member W_White
dcecp> account modify W_White -organization rigel
dcecp> organization add rigel -member W_Ross
dcecp> account modify W_Ross -organization rigel
dcecp> account show W_Ross
{created /.../my_cell.goodcompany.com/cell_admin 1994-06-30-12:39:48.000+00:00I-----}
{description {}}
{dupkey no}
{expdate none}
{forwardabletkt yes}
{goodsince 1994-06-30-12:39:48.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodcompany.com/cell_admin 1994-06-30-12:39:48.000+00:00I-----}
{organization rigel}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
dcecp>
dcecp> organization remove gemini -member W_Ross
dcecp>

organization rename

This operation changes the name of a specified organization.  The syntax is as follows:

organization rename organization_name -to new_organization_name

Options

-to new_organization_name
Specifies the new name of the organization.

See Arguments for a description of organization names.

The rename operation changes the name of a specified organization.  The organization_name argument is a single name of an organization to be renamed.  The required -to option specifies the new name, which cannot be a list.  This operation returns an empty string on success.

Privileges Required

You must have r (read) and n (name) permission to the specified organizations.

Examples

dcecp> organization list rigel
/.../my_cell.goodcompany.com/H_Lewis
/.../my_cell.goodcompany.com/R_Mathews
/.../my_cell.goodcompany.com/K_Doe
/.../my_cell.goodcompany.com/W_Ross
/.../my_cell.goodcompany.com/W_Williams
/.../my_cell.goodcompany.com/D_White
dcecp>
dcecp> organization rename rigel -to sirus
dcecp>
dcecp> organization list rigel
Error: Registry object not found
dcecp>
dcecp> organization list sirus
/.../my_cell.goodcompany.com/H_Lewis
/.../my_cell.goodcompany.com/R_Mathews
/.../my_cell.goodcompany.com/K_Doe
/.../my_cell.goodcompany.com/W_Ross
/.../my_cell.goodcompany.com/W_Williams
/.../my_cell.goodcompany.com/D_White
dcecp>

organization show

Returns registry information for the specified organizations.  The syntax is as follows:

organization show organization_name_list [-all | [-policies] | [-xattrs]]

Options

-policies
Returns only the policies of the organization, with no other attributes.

-xattrs
Returns only the ERAs of the organization, with no other attributes.

-all
Return the attributes followed by the policies and ERAs.

The show  operation returns an attribute list describing the specified organizations.  The organization_name_list argument is a list of names of organizations to be operated on.  If more than one organization is given, the attributes are concatenated together. 

Attributes are returned in the following order: fullname, orgid, uuid .  Policies are returned in the following order: acctlife, pwdalpha, pwdexpdate, pwdlife, pwdminlen, and pwdspaces.  If the organization does not have any policies, then nopolicy is returned. 

The policy set for an organization and the policy set for the registry as a whole may differ.  If this is the case, show  displays both policies and tags the registry policy with the label effective.  The actual policy in effect is the stricter of the two displayed policies, regardless of the effective label. 

Privileges Required

You must have r (read) permission on the specified organizations. 

Examples

dcecp> organization show temps
{fullname {Temporary Employees}}
{orgid 103}
{uuid 00000067-9402-21cd-a602-0000c08adf56}
dcecp>
dcecp> organization show temps -policies
{acctlife +180-00:00:00.000I-----}
{pwdalpha yes}
{pwdexpdate 1995-12-31-23:59:59.000+00:00I-----}
{pwdlife +30-00:00:00.000I-----}
{pwdminlen 0}
{pwdspaces yes}
dcecp>
dcecp> organization show temps -policies
{acctlife 30 days}
{pwdalpha no}
{pwdexpdate none}
{pwdlife 4 effective 5 days}
{pwdminlen 6}
{pwdspaces no}
dcecp>
dcecp> organization show temps -all
{fullname {Temporary Employees}}
{orgid 103}
{uuid 00000067-9402-21cd-a602-0000c08adf56}
{acctlife +180-00:00:00.000I-----}
{pwdalpha yes}
{pwdexpdate 1995-12-31-23:59:59.000+00:00I-----}
{pwdlife +30-00:00:00.000I-----}
{pwdminlen 0}
{pwdspaces yes}
dcecp>
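
The precedence rule described for policy attributes and for the show operation (an unset organization policy inherits the registry value; otherwise the stricter of the two applies), worked through as an added Python example that is not part of the DCE documentation. The registry values are constructed, and the per-attribute strictness ordering (shorter lifetime, earlier expiry, longer minimum length, "no" over "yes") is this example's assumption.

```python
import re

# Constructed sample in the format this page shows for
# "organization show temps -policies".
ORG_POLICY = """\
{acctlife +180-00:00:00.000I-----}
{pwdalpha yes}
{pwdexpdate 1995-12-31-23:59:59.000+00:00I-----}
{pwdlife +30-00:00:00.000I-----}
{pwdminlen 0}
{pwdspaces yes}
"""

# Constructed registry-wide policy (assumption: same attribute-list format).
REGISTRY_POLICY = """\
{acctlife unlimited}
{pwdalpha no}
{pwdexpdate none}
{pwdlife +90-00:00:00.000I-----}
{pwdminlen 6}
{pwdspaces no}
"""

ATTR = re.compile(r"^\{(\w+) (.*)\}[ \t]*$", re.M)
REL_TIME = re.compile(r"^([+-]?)(\d+)-(\d\d):(\d\d):(\d\d)")


def parse_attrs(text):
    """Turn dcecp attribute-list output into {name: value}; 'nopolicy' yields {}."""
    return dict(ATTR.findall(text))


def rel_seconds(value):
    """DTS relative time ([-]DD-hh:mm:ss...) in seconds; None means unlimited."""
    if value == "unlimited":
        return None
    m = REL_TIME.match(value)
    if not m:
        raise ValueError(f"not a DTS relative time: {value!r}")
    sign, days, hh, mm, ss = m.groups()
    total = int(days) * 86400 + int(hh) * 3600 + int(mm) * 60 + int(ss)
    return -total if sign == "-" else total


def stricter(attr, org, reg):
    """Pick the stricter value; the ordering per attribute is an assumption."""
    if attr in ("acctlife", "pwdlife"):        # shorter lifetime is stricter
        o, r = rel_seconds(org), rel_seconds(reg)
        if o is None or r is None:
            return reg if o is None else org
        return org if o <= r else reg
    if attr == "pwdexpdate":                   # earlier expiry is stricter
        if "none" in (org, reg):
            return reg if org == "none" else org
        return min(org, reg)  # same-format ISO timestamps sort chronologically
    if attr == "pwdminlen":                    # longer minimum is stricter
        return org if int(org) >= int(reg) else reg
    if attr in ("pwdalpha", "pwdspaces"):      # "no" forbids the weak form
        return "no" if "no" in (org, reg) else "yes"
    raise KeyError(attr)


def effective_policy(org_text, registry_text):
    """Unset organization attributes inherit the registry value; else stricter wins."""
    org, reg = parse_attrs(org_text), parse_attrs(registry_text)
    return {a: stricter(a, org[a], v) if a in org else v for a, v in reg.items()}


if __name__ == "__main__":
    for name, value in effective_policy(ORG_POLICY, REGISTRY_POLICY).items():
        print(f"{name:12} {value}")
```

With these samples the organization's lifetimes and expiry date win, while the registry overrides pwdalpha, pwdminlen and pwdspaces.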

Related Information

Commands: account(8dce), dcecp(8dce), group(8dce), principal(8dce), registry(8dce), xattrschema(8dce). 
