The Authenticator Modify Command
The I2A2 authenticator DBM changes an existing PUID's information in response to modification command requests.
The authenticator DBM supports modifications to PUID, alias and common name as documented here. It also supports modifications to authentication realm records, as documented below.
The authenticator modify command is a restricted command. Modifications to
authentication realm record fields are
restricted by realm-wide and per-user ACLs.
Symbol
The puidnetd.h symbol for the modify command is PUIDNETD_CMD_MODIFY.
Keys
These keys may be used to identify the PUID whose information is to be modified. The field identifier symbols come from puidnetd.h.
- a -- alias (PUIDNETD_DATA_AKA); do an exact match on the alias field value.
- p -- PUID (PUIDNETD_DATA_PUID); do an exact match on the PUID field value.
Reply
A positive acknowledgement (ACK) reflector reply message signifies that the modification was made.
A negative acknowledgement (NAK) reply will contain these fields.
- e -- an error code (PUIDNETD_DATA_ERRC); it accompanies a NAK reply.
- M -- a message (PUIDNETD_DATA_MSG); it accompanies a NAK reply.
Modification Values
Authentication realm record modifications do not use the modification field record. Instead, they should include a realm record containing the new fields, which replace the existing ones.
The following authentication realm record fields may be modified:
- PUIDNETD_DATA_AUTHC_CERT ('B') -- X.509 certificate
- PUIDNETD_DATA_AUTHC_CBA ('}') -- Cumulative bad authentications counter
- PUIDNETD_DATA_AUTHC_CGA ('{') -- Cumulative good authentications counter
- PUIDNETD_DATA_AUTHC_BA ('`') -- Consecutive bad attempts since last good authentication counter
- PUIDNETD_DATA_AUTHC_PWD ('P') -- Password
- PUIDNETD_DATA_AUTHC_ACLR ('!') -- Per-user ACLs (add, modify, delete)
- PUIDNETD_DATA_ATTR ('i') -- Realm attributes (unused)
Examples
The following examples assume a realm named Purdue, and a user whose PUID is 18 and whose alias is foobar33.
-
Set the cumulative bad authentications counter to 0 (zero).
m\tafoobar33\t@Rpurdue\t}0\t@
-
Set a new password. The password ("secret0") is passed as base-64 encoded clear-text. The authenticator net daemon
determines which encryption method is used by the Purdue realm, encrypts the password and sends it to the
authentication DBM. N.B.: because the password is sent as clear-text (base-64 encoding is not encryption), password modification requests must
use an SSL connection to the authentication network daemon.
m\tp18\t@Rpurdue\tPc2VjcmV0MA==\t@\t
-
Add an ACL Entry to allow foobar33 to change his own password.
m\tp18\t@Rpurdue\t!a\tp18\t#0x1\t!\t@\t
-
Modify the ACL Entry just created to add permission for foobar33 to modify his certificate.
m\tp18\t@Rpurdue\t!m\tp18\t#0x3\t!\t@\t
-
Delete the ACL Entry just created for foobar33, leaving him with no permission to modify any
of his authentication realm fields.
m\tp18\t@Rpurdue\t!d\tp18\t!\t@\t
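The following Python builder is an added example, not part of the I2A2 distribution, that assembles authenticator modify requests in the tab-separated format shown in the Modification Values section and the Examples above, and reproduces each of the example messages. It assumes (as the examples suggest) that the message is the command letter, the key field, a realm record opened with "@R" plus the realm name and closed with "@", with fields in between, and an ACL entry as a "!"-delimited sub-record whose permission mask is written as hex after "#". Two points are inferences from the examples rather than statements on the page: that a message ends with a trailing tab (four of the five examples show one; the first does not), and that bit 0x1 of the ACL mask is "change password" and 0x2 is "modify certificate" (0x3 in the third example grants both). The refusal to build a password change for a non-SSL connection is an added client-side guard reflecting the N.B. above, not daemon behaviour.

```python
import base64

# Command and field codes as listed on this page (puidnetd.h symbols in comments).
CMD_MODIFY = "m"          # PUIDNETD_CMD_MODIFY
KEY_ALIAS = "a"           # PUIDNETD_DATA_AKA
KEY_PUID = "p"            # PUIDNETD_DATA_PUID
REALM_RECORD = "@"        # opens and closes an authentication realm record
REALM_NAME = "R"          # realm name, first field inside the realm record
FIELD_CERT = "B"          # PUIDNETD_DATA_AUTHC_CERT
FIELD_CBA = "}"           # PUIDNETD_DATA_AUTHC_CBA
FIELD_CGA = "{"           # PUIDNETD_DATA_AUTHC_CGA
FIELD_BA = "`"            # PUIDNETD_DATA_AUTHC_BA
FIELD_PWD = "P"           # PUIDNETD_DATA_AUTHC_PWD
ACL_RECORD = "!"          # PUIDNETD_DATA_AUTHC_ACLR, opens and closes an ACL entry
TAB = "\t"

# Assumed mask bits, inferred from the 0x1 / 0x3 examples above (not documented on the page).
ACL_CHANGE_PASSWORD = 0x1
ACL_MODIFY_CERT = 0x2


def counter_field(code, value):
    """One of the three counter fields set to a non-negative integer."""
    if code not in (FIELD_CBA, FIELD_CGA, FIELD_BA):
        raise ValueError("not a counter field: %r" % code)
    if not isinstance(value, int) or value < 0:
        raise ValueError("counter value must be a non-negative integer")
    return code + str(value)


def password_field(clear_text):
    """Password field: base-64 of the clear-text bytes. This is encoding, not
    encryption, which is why such requests must travel over SSL."""
    return FIELD_PWD + base64.b64encode(clear_text.encode("utf-8")).decode("ascii")


def acl_entry(op, puid, mask=None):
    """ACL sub-record: !<op>  p<puid>  [#0x<mask>]  !  with op a (add), m (modify)
    or d (delete). Delete carries no mask, as in the last example."""
    if op not in ("a", "m", "d"):
        raise ValueError("ACL op must be a, m or d")
    parts = [ACL_RECORD + op, KEY_PUID + str(puid)]
    if op != "d":
        if mask is None:
            raise ValueError("add/modify need a permission mask")
        parts.append("#" + hex(mask))
    parts.append(ACL_RECORD)
    return TAB.join(parts)


def modify_request(key, key_value, realm, fields, ssl=True):
    """Assemble a full authenticator modify request.

    fields is a list of already-encoded field strings (counter_field,
    password_field, acl_entry). A password change is refused unless the
    caller states the connection is SSL, since the password is clear-text
    inside the message (added guard, see the N.B. in the examples).
    The trailing tab terminator is an assumption taken from the examples."""
    if key not in (KEY_ALIAS, KEY_PUID):
        raise ValueError("key must be alias (a) or PUID (p)")
    if not ssl and any(f.startswith(FIELD_PWD) for f in fields):
        raise RuntimeError("refusing to send a clear-text password over a non-SSL connection")
    parts = [CMD_MODIFY, key + str(key_value), REALM_RECORD + REALM_NAME + realm]
    parts.extend(fields)
    parts.append(REALM_RECORD)
    return TAB.join(parts) + TAB


if __name__ == "__main__":
    # Rebuild the page's examples for the Purdue realm, PUID 18 / alias foobar33.
    print(repr(modify_request(KEY_ALIAS, "foobar33", "purdue", [counter_field(FIELD_CBA, 0)])))
    print(repr(modify_request(KEY_PUID, 18, "purdue", [password_field("secret0")])))
    print(repr(modify_request(KEY_PUID, 18, "purdue", [acl_entry("a", 18, ACL_CHANGE_PASSWORD)])))
    print(repr(modify_request(KEY_PUID, 18, "purdue",
                              [acl_entry("m", 18, ACL_CHANGE_PASSWORD | ACL_MODIFY_CERT)])))
    print(repr(modify_request(KEY_PUID, 18, "purdue", [acl_entry("d", 18)])))
```

Several fields may be placed in one realm record by passing more than one encoded field in the list; the page does not say whether the daemon accepts that, so test it against your own deployment before relying on it.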