dcecp_xattrschema man page on HP-UX

xattrschema(1m)						       xattrschema(1m)

NAME
       xattrschema - A dcecp object that manages schema information for ERAs

SYNOPSIS
       xattrschema catalog schema_name [-simplename]

       xattrschema create schema_entry_name_list {-attribute attribute_list |
       -attribute value} [-ifname residual_schema_name]

       xattrschema delete schema_entry_name_list [-ifname residual_schema_name]

       xattrschema help [operation | -verbose]

       xattrschema modify schema_entry_name_list {-change attribute_list |
       -attribute value} [-ifname residual_schema_name]

       xattrschema operations

       xattrschema rename schema_entry_name -to new_schema_entry_name [-ifname
       residual_schema_name]

       xattrschema show schema_entry_name_list [-ifname residual_schema_name]

ARGUMENTS
       operation
              The name of the xattrschema operation for which to display help
              information.

       schema_entry_name
              The name of a single schema entry type.  See
              schema_entry_name_list for more information.

       schema_entry_name_list
              A list of one or more schema entry types to act on.  When used
              with the -ifname option, this argument can also be a single
              string binding representing the host with which to communicate.

       schema_name
              The name of the schema that defines the schema entry types named
              in schema_entry_name_list.  Two schemas are currently supported:

              /.../cell_name/sec/xattrschema
              /.../cell_name/hosts/hostname/config/xattrschema

              The name can also be a single string binding representing the
              host with which to communicate.

DESCRIPTION
       The xattrschema object represents the schema information for an
       extended registry attribute (ERA).  This command manipulates the schema
       type that defines ERAs.  Schema types are identified by name.  Other
       dcecp commands manipulate individual instances of ERAs.  An ERA
       instance is an attribute of a given schema type that has been attached
       to an object and assigned a value.

       You can attach ERAs to principal, group, and organization objects and
       to server configuration and server execution objects supported by dced.

       ERA entry types for principal, group, and organization objects have the
       following default name:

       /.:/sec/xattrschema/schema_entry_name

       ERA types for dced server objects have the following name:

       /.:/hosts/hostname/config/xattrschema/schema_entry_name

       ERA types are defined to be attached to only those objects supported by
       specified ACL managers.

       The schema name can also be a single string binding representing the
       host with which to communicate.  For example:

       {ncacn_ip_tcp 130.105.1.227}

       A string binding is useful when the name service is not operating and
       cannot translate the other forms of schema names.  With all but the
       catalog command, if you supply a single string binding, you must use
       the -ifname option to specify the object's residual name.

ATTRIBUTES
       aclmgr
              A set that lists the ACL managers that support the object types
              on which ERAs of this type can be created.  For each ACL manager
              type, the permissions required for attribute operations are also
              specified.  Each ACL manager is described with a list, in the
              following format:

              {uuid queryset updateset testset deleteset}

              where the first element is the Universal Unique Identifier
              (UUID) of the ACL manager, and the rest are the sets of
              permissions (concatenated permission strings as found in an ACL)
              required to perform each type of operation.  The value of this
              attribute is actually a list of these lists.  For example:

              {8680f026-2642-11cd-9a43-080009251352 r w t D}
              {18dbdad2-23df-11cd-82d4-080009251352 r w t mD}

              This attribute is modifiable after creation, but only in a
              limited way.  New ACL managers can be added, but existing ones
              cannot be removed or changed.  This attribute must be specified
              on creation.

       annotation
              A comment field used to store information about the schema
              entry.  It is a Portable Character Set (PCS) string.  The
              default is an empty string (that is, blank).

       applydefs
              Indicates that if this ERA does not exist for a given object on
              an attribute query, the system-defined default value (if any)
              for this attribute will be returned.  If set to no, an attribute
              query returns an attribute instance only if it exists on the
              object named in the query.  The value of this attribute must be
              yes or no.  The default is no.

              This attribute is currently only advisory in DCE.  Future
              versions of DCE will support this functionality.

       encoding
              The type of the ERA.  This attribute must be specified on
              creation, and cannot be modified after creation.  Legal values
              are one of the following:

                     The value of the ERA can take on any encoding.  This
                     encoding type is only legal for the definition of an ERA
                     in a schema entry.  All instances of an ERA must have an
                     encoding of some other value.

                     The value of the ERA is a list of attribute type UUIDs
                     used to retrieve multiple related attributes by
                     specifying a single attribute type on a query.

                     The value of the ERA contains authentication,
                     authorization, and binding information suitable for
                     communicating with a DCE server.  The syntax is a list
                     of two elements.

                     The first element is a list of security information in
                     which the first element is the authentication type,
                     either none or dce, followed by information specific for
                     each type.  The type none has no further information.
                     The type dce is followed by a principal name, a
                     protection level (default, none, connect, call, pkt,
                     pktinteg, or pktprivacy), an authentication service
                     (default, none, or secret), and an authorization service
                     (none, name, or dce).  Examples of three security
                     information lists are as follows:

                     {none}
                     {dce /.:/melman default default dce}
                     {dce /.:/melman pktprivacy secret dce}

                     The second element is a list of binding information, in
                     which binding information can be string bindings or
                     server entry names.  Two examples of binding information
                     are as follows:

                     {/.:/hosts/hostname/dce-entity
                      /.:/subsys/dce/sec/master}
                     {ncadg_ip_udp:130.105.96.3
                      ncadg_ip_udp:130.105.96.6}

                     The value of the ERA is a string of bytes.  The byte
                     string is assumed to be pickle or is otherwise a
                     self-describing type.

                     It is unlikely that attributes of this type will be
                     entered manually.  The format of output is hexadecimal
                     bytes separated by spaces with 20 bytes per line.  For
                     example, the input attribute name bindata might produce
                     the following output:

                     {bindata
                      {00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
                       22 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 12 11 12 13}}

                     The braces indicate that bindata has one value.  On input
                     all whitespace is compressed so that users can enter the
                     data as bytes or words or any combination, whichever is
                     more convenient.  Therefore, a user could enter the
                     following:

                     {bindata {00010203 0405 06070809 0a0b 0c0d0e0f 10111213
                      22212223 2425 26272829 2a2b 2c2d2e2f 12111213}}

                     The value of the ERA is a string of bytes with a tag
                     identifying the (OSF registered) codeset used to encode
                     the data.

                     Although it is unlikely that administrators will enter
                     attributes of this type manually, the DCE control program
                     does support entering binary data via the following
                     notations: \ddd where ddd can be one, two, or three octal
                     digits, and \xhh where hh can be any number of
                     hexadecimal digits.

                     The value of the ERA is a signed 32-bit integer.

                     The value of the ERA is a printable Interface Definition
                     Language (IDL) character string using PCS.

                     An array of PCS strings; represented as a Tcl list of
                     strings.

                     The value of the ERA is a UUID.

                     The ERA has no value.  It is simply a marker that is
                     either present or absent.

       intercell
              Specifies the action that should be taken by the privilege
              server when reading ERAs from a foreign cell.  Possible values
              are as follows:

                     Accepts ERAs from foreign cells.  The only check applied
                     is uniqueness if indicated by the unique attribute.

                     Discards ERAs from foreign cells.

                     Invokes a trigger function to a server that would decide
                     whether the ERA should be kept, discarded, or mapped to
                     another value.

              The default is reject.

              This attribute is currently only advisory in DCE.  Future
              versions of DCE will support this functionality.

       multivalued
              Indicates that ERAs of this type may be multi-valued (that is,
              multiple instances of the same attribute type may be attached to
              a single registry object).  The value of this attribute must be
              yes or no.  This attribute is not modifiable after creation.
              The default is no.

       reserved
              If set, this schema entry may not be deleted through any
              interface by any user.  The value of this attribute must be yes
              or no.  The default is no.

       scope
              Indicates the name of a security directory or object in the
              registry.  If it is an object, instances of this ERA can be
              attached only to this object.  If it is a directory, instances
              of this ERA can be attached only to descendants of this
              directory.  The default is an empty string, which does not limit
              which objects ERAs may be attached to.  For example, if this
              attribute is set to principal/org/dce, only principals with a
              prefix of org/dce in the name may have this type of ERA.  You
              cannot modify this attribute after it is created.  The default
              is the empty string (that is, blank).

              This attribute is currently only advisory in DCE.  Future
              versions of DCE will support this functionality.

       trigtype
              Identifies whether there is a trigger and, if so, what type it
              is.  The possible values are: none, query, and update.  If this
              attribute is anything other than none, then trigbind must be
              set.  This attribute is not modifiable after creation.  The
              default is none.

       trigbind
              Contains binding information for the server that will support
              the trigger operations.  This field must be set if trigtype is
              not none or if intercell is set to evaluate.  The value of this
              attribute is of the format described by the binding encoding
              type.  The default is the empty string (that is, blank).

       unique
              Indicates that each instance of the ERA must have a unique value
              within the cell for a particular object type (for instance,
              principal).  The value of this attribute must be yes or no.
              This attribute is not modifiable after creation.  The default is
              no.

              This attribute is currently only advisory in DCE.  Future
              versions of DCE will support this functionality.

       uuid
              The internal identifier of the ERA.  The value is a UUID.  This
              attribute is not modifiable after creation.  If not specified on
              the create operation, a value is generated by the system.

       See the OSF DCE Administration Guide for more information about
       xattrschema attributes.

OPERATIONS
   xattrschema catalog
       Returns a list of all the schema entry types defined in the specified
       schema.  The syntax is as follows:

       xattrschema catalog schema_name [-simplename]

       Options

       -simplename
              Returns only the residual part of the schema name.

       The catalog operation returns a list of the names of all the schema
       entry types defined in the named schema.  Use the -simplename option to
       return only the residual part of the names, instead of the fully
       qualified names.

       Privileges Required

       You must have r (read) permission to the schema container object
       (/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).

       Examples

       dcecp> xattrschema catalog /.:/sec/xattrschema
       /.../my_cell/sec/xattrschema/pre_auth_req
       /.../my_cell/sec/xattrschema/pwd_val_type
       /.../my_cell/sec/xattrschema/pwd_mgmt_binding
       /.../my_cell/sec/xattrschema/X500_DN
       /.../my_cell/sec/xattrschema/X500_DSA_Admin
       /.../my_cell/sec/xattrschema/disable_time_interval
       /.../my_cell/sec/xattrschema/max_invalid_attempts
       /.../my_cell/sec/xattrschema/passwd_override
       dcecp>

       dcecp> xattrschema catalog ncacn_ip_tcp:15.22.45.148
       /.../c2-cell/sec/xattrschema/pre_auth_req
       /.../c2-cell/sec/xattrschema/pwd_val_type
       /.../c2-cell/sec/xattrschema/pwd_mgmt_binding
       /.../c2-cell/sec/xattrschema/disable_time_interval
       /.../c2-cell/sec/xattrschema/max_invalid_attempts
       /.../c2-cell/sec/xattrschema/passwd_override
       dcecp>

   xattrschema create
       Creates a new schema entry type.  The syntax is as follows:

       xattrschema create schema_entry_name_list {-attribute attribute_list |
       -attribute value} [-ifname residual_schema_name]

       Options

       -attribute value
              As an alternative to using the -attribute option with an
              attribute list, you can specify individual attribute options by
              prepending a hyphen (-) to any attributes listed in the
              ATTRIBUTES section of this reference page.

       -attribute attribute_list
              Allows you to specify attributes by using an attribute list
              rather than individual attribute options.  The format of an
              attribute list is as follows:

              {{attribute value}...{attribute value}}

       -ifname residual_schema_name
              Specifies the xattrschema object to create.

       The create operation creates a new schema entry for an ERA.  The
       argument is a list of one or more names of schema entry types to be
       created.  Attributes for the created schema entry types can be
       specified via attribute lists or attribute options.  If the command
       argument contains more than one schema name, you cannot specify a UUID
       attribute.  All attributes are applied to all entry types to be
       created.  The -ifname option is used to identify the specific
       xattrschema entry to create, but only when the argument is a string
       binding representing a host, not a fully qualified xattrschema schema
       name.  This operation returns an empty string on success.

       Privileges Required

       You must have i (insert) permission to the container object
       (/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).

       Examples

       dcecp> xattrschema create /.:/sec/xattrschema/test_integer \
       > -encoding integer -aclmgr {group r r r r}
       dcecp>

       dcecp> xattrschema create ncacn_ip_tcp:15.22.24.145 -ifname test_integer \
       > -encoding integer -aclmgr {{principal r r r r} {group r r r r}}
       dcecp>

   xattrschema delete
       Deletes a schema entry type.  The syntax is as follows:

       xattrschema delete schema_entry_name_list [-ifname residual_schema_name]

       Options

       -ifname residual_schema_name
              Specifies the xattrschema object to delete.

       The delete operation deletes a schema entry.  The argument is a list of
       names of schema entry types to be deleted.  This command also deletes
       all ERA instances of the schema entry.  If the entry types do not
       exist, an error is generated.  The -ifname option is used to identify
       the specific xattrschema entry to delete, but only when the argument is
       a string binding representing a host, not a fully qualified xattrschema
       schema name.  This operation returns an empty string on success.

       Privileges Required

       You must have d (delete) permission to the container object
       (/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).

       Examples

       dcecp> xattrschema delete /.:/sec/xattrschema/test_integer
       dcecp>

       dcecp> xattrschema delete ncacn_ip_tcp:15.22.24.145 -ifname test_integer
       dcecp>

   xattrschema help
       Returns help information about the xattrschema object and its
       operations.  The syntax is as follows:

       xattrschema help [operation | -verbose]

       Options

       -verbose
              Displays information about the xattrschema object.

       Used without an argument or option, the xattrschema help command
       returns brief information about each xattrschema operation.  The
       optional operation argument is the name of an operation about which you
       want detailed information.  Alternatively, you can use the -verbose
       option for more detailed information about the xattrschema object
       itself.

       Privileges Required

       No special privileges are needed to use the xattrschema help command.

       Examples

       dcecp> xattrschema help
       catalog             Returns a list of all entries in a schema.
       create              Creates a schema entry.
       delete              Deletes a schema entry.
       modify              Modifies an existing schema entry.
       rename              Renames an existing schema entry.
       show                Returns the attributes of a schema entry.
       help                Prints a summary of command-line options.
       operations          Returns a list of the valid operations for this command.
       dcecp>

   xattrschema modify
       This operation changes the attributes of a schema entry type.  The
       syntax is as follows:

       xattrschema modify schema_entry_name_list {-change attribute_list |
       -attribute value} [-ifname residual_schema_name]

       Options

       -attribute value
              As an alternative to using the -change option with an attribute
              list, you can specify individual attribute options by prepending
              a hyphen (-) to any attributes listed in the ATTRIBUTES section
              of this reference page.

       -change attribute_list
              Allows you to modify attributes by using an attribute list
              rather than individual attribute options.  The format of an
              attribute list is as follows:

              {{attribute value}...{attribute value}}

       -ifname residual_schema_name
              Specifies the xattrschema object to modify.

       The modify operation changes attributes of schema entry types in the
       security service only.  The argument is a list of names of schema entry
       types to be operated on.  All modifications are applied to all schema
       entry types named in the argument.  Schema entry types are modified in
       the order they are listed, and all modifications to an individual
       schema entry are atomic.  Modifications to multiple schema entry types
       are not atomic.  A failure for any one schema entry in a list generates
       an error and cancels the operation.  The -ifname option is used to
       identify the specific xattrschema entry to modify, but only when the
       argument is a string binding representing a host, not a fully qualified
       xattrschema schema name.  This operation returns an empty string on
       success.

       The -change option modifies attributes.  Its value is an attribute list
       describing the new values for the specified attributes.  The command
       supports attribute options as well.

       Privileges Required

       You must have m (mgmt_info) permission to the container object
       (/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).

       Examples

       dcecp> xattrschema modify /.:/sec/xattrschema/test_integer \
       > -aclmgr {organization r r r r}
       dcecp>

       dcecp> xattrschema modify ncacn_ip_tcp:15.22.24.145 -ifname test_integer \
       > -aclmgr {organization r r r r}
       dcecp>

   xattrschema operations
       Returns a list of the operations supported by the xattrschema object.
       The syntax is as follows:

       xattrschema operations

       The list of available operations is in alphabetical order except for
       help and operations, which are listed last.

       Privileges Required

       No special privileges are needed to use the xattrschema operations
       command.

       Examples

       dcecp> xattrschema operations
       catalog create delete modify rename show help operations
       dcecp>

   xattrschema rename
       Changes the name of a specified schema entry type.  The syntax is as
       follows:

       xattrschema rename schema_entry_name -to new_schema_entry_name [-ifname
       residual_schema_name]

       Options

       -to new_schema_entry_name
              Specifies the new name.  Specify the name in simple format,
              without the container-object portion (that is, without
              /.:/sec/xattrschema).

       -ifname residual_schema_name
              Specifies the xattrschema object to rename.

       The rename operation changes the name of the specified ERA.  The
       argument is a single name of an ERA to be renamed.  The
       new_schema_entry_name argument to the required -to option specifies the
       new name; this argument cannot be a list.  The -ifname option is used
       to identify the specific xattrschema entry to rename, but only when the
       argument is a string binding representing a host, not a fully qualified
       xattrschema schema name.  This operation returns an empty string on
       success.

       Privileges Required

       You must have m (mgmt_info) permission to the container object
       (/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).

       Examples

       dcecp> xattrschema rename /.:/sec/xattrschema/test_integer -to test_int
       dcecp>

       dcecp> xattrschema rename ncacn_ip_tcp:15.22.24.128 -ifname test_integer \
       > -to test_int
       dcecp>

   xattrschema show
       Returns an attribute list describing the specified schema entry type.
       The syntax is as follows:

       xattrschema show schema_entry_name_list [-ifname residual_schema_name]

       Options

       -ifname residual_schema_name
              Specifies the xattrschema object to show.

       The show operation returns an attribute list describing the specified
       schema entry types.  The argument is a list of names of schema entry
       types to be operated on.  If more than one schema entry is given, the
       attributes are concatenated.  The -ifname option is used to identify
       the specific xattrschema entry to show, but only when the argument is a
       string binding representing a host, not a fully qualified xattrschema
       schema name.  Attributes are returned in arbitrary order.

       Privileges Required

       You must have r (read) permission to the container object
       (/.:/sec/xattrschema or /.:/hosts/hostname/config/xattrschema).

       Examples

       dcecp> xattrschema show /.:/sec/xattrschema/test_integer
       {name test_integer}
       {aclmgr {principal {query r} {update r} {test r} {delete r}}}
       {annotation {test_integer: encoding type integer}}
       {applydefs yes}
       {encoding integer}
       {intercell reject}
       {multivalued yes}
       {reserved no}
       {scope {}}
       {trigbind {}}
       {trigtype none}
       {unique no}
       {uuid 5f439154-2af1-11cd-8ec3-080009353559}
       dcecp>

       dcecp> xattrschema show ncacn_ip_tcp:15.22.24.145 -ifname passwd_override
       {name passwd_override}
       {aclmgr {principal {query m} {update m} {test m} {delete m}}}
       {annotation {values: {the ability to not be restricted by passwd expiration}}}
       {applydefs no}
       {encoding integer}
       {intercell reject}
       {multivalued no}
       {reserved yes}
       {scope {}}
       {trigbind {}}
       {trigtype none}
       {unique yes}
       {uuid bc51691e-dd2d-11cc-9866-080009353559}
       dcecp>
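
       The following Python example is added here and is not part of the
       original reference page or of DCE.  It parses the attribute lists
       returned by the two xattrschema show examples above and flags settings
       worth reviewing, using only statements made on this page: the
       attributes documented as advisory, the trigtype/trigbind dependency,
       and the effect of deleting a non-reserved entry.  The function names
       and the wording of the findings are assumptions of this example.

```python
# Added example, not from the man page: audit `xattrschema show` output.
# Attributes the page marks "currently only advisory", with their defaults.
ADVISORY_DEFAULTS = {"applydefs": "no", "intercell": "reject",
                     "scope": "", "unique": "no"}

# The two `xattrschema show` outputs from the Examples above, one string each.
SHOW_TEST_INTEGER = """
{name test_integer} {aclmgr {principal {query r} {update r} {test r} {delete r}}}
{annotation {test_integer: encoding type integer}} {applydefs yes}
{encoding integer} {intercell reject} {multivalued yes} {reserved no} {scope {}}
{trigbind {}} {trigtype none} {unique no} {uuid 5f439154-2af1-11cd-8ec3-080009353559}"""
SHOW_PASSWD_OVERRIDE = """
{name passwd_override} {aclmgr {principal {query m} {update m} {test m} {delete m}}}
{annotation {values: {the ability to not be restricted by passwd expiration}}}
{applydefs no} {encoding integer} {intercell reject} {multivalued no} {reserved yes}
{scope {}} {trigbind {}} {trigtype none} {unique yes}
{uuid bc51691e-dd2d-11cc-9866-080009353559}"""


def parse_tcl_list(text):
    """Split one level of a brace-quoted Tcl list into its elements."""
    items, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "{":
            depth, start = 1, i + 1
            while depth:
                i += 1
                if i >= n:
                    raise ValueError("unbalanced braces")
                depth += {"{": 1, "}": -1}.get(text[i], 0)
            items.append(text[start:i])
            i += 1
        else:
            start = i
            while i < n and not text[i].isspace():
                i += 1
            items.append(text[start:i])
    return items


def parse_show(output):
    """Turn one entry's attribute list into a dict; aclmgr becomes nested."""
    entry = {}
    for element in parse_tcl_list(output):
        name, *values = parse_tcl_list(element)
        if name == "aclmgr":
            entry[name] = {}
            for manager in values:
                mgr, *ops = parse_tcl_list(manager)
                entry[name][mgr] = {f[0]: "".join(f[1:])
                                    for f in map(parse_tcl_list, ops)}
        else:
            entry[name] = " ".join(values)
    return entry


def audit(entry):
    """Return review findings for one parsed schema entry."""
    findings = []
    for attr, default in ADVISORY_DEFAULTS.items():
        if entry.get(attr, default) != default:
            findings.append(f"{attr}={entry[attr]!r}: documented as advisory "
                            "only, so do not rely on it as a control")
    if ((entry.get("trigtype", "none") != "none"
         or entry.get("intercell") == "evaluate")
            and not entry.get("trigbind")):
        findings.append("trigbind is empty but trigtype/intercell needs it")
    if entry.get("reserved", "no") == "no":
        findings.append("reserved=no: deleting the entry also deletes "
                        "all of its ERA instances")
    return findings
```

       For the two entries above, audit() reports applydefs and reserved on
       test_integer and unique on passwd_override.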

RELATED INFORMATION
       Commands: dcecp(1m), dcecp_account(1m), dcecp_group(1m),
       dcecp_organization(1m), dcecp_principal(1m).
