The DCE control program, dcecp, and rgy_edit provide support for password generation based on a principal's password validation type ERA. However, if you want to enhance your own password change program (such as the UNIX passwd program), you will need to use the client-side sec_pwd_mgmt_*( ) API.
This API provides functions that retrieve a principal's password management ERA values and request password strength checking and generation from a password management server.
The sec_pwd_mgmt_*( ) API is defined in the sec_pwd_mgmt.idl file.
The general procedure for using the client-side password management API in a password change program is as follows. Refer to the previous figure as you read the following steps:
1. The client calls sec_pwd_mgmt_setup( ), specifying the login name of the principal whose password is being changed. The registry service returns the pwd_val_type and pwd_mgmt_binding ERAs as well as the registry standard (password) policy for the principal to the client's security runtime, which is stored in a password management handle (an opaque data type).
2. The client calls sec_pwd_mgmt_get_val_type( ), specifying the handle returned by sec_pwd_mgmt_setup( ) in step 1. The value of the principal's pwd_val_type ERA is extracted from the handle and returned to the client.
3. The client analyzes the principal's pwd_val_type ERA to determine whether a generated password is required. If so, it calls sec_pwd_mgmt_gen_pwd( ), specifying the number of passwords needed, and the handle returned by sec_pwd_mgmt_setup. The client security runtime makes an RPC call to the password management server, which generates passwords that adhere to the principal's password policy.
4. The client calls sec_rgy_acct_passwd( ) (or some other form), specifying the new password (either input by the user or generated by sec_pwd_mgmt_gen_pwd( )). If the principal's pwd_val_type ERA mandates it, the registry service makes an RPC call to the password management server, specifying the name of the principal and the password to be strength checked. The password management server checks the format of the password according to the user's password policy and accepts or rejects it.
5. The client calls sec_pwd_mgmt_free_handle( ) to free the memory associated with the password management handle.
Following is an example of a password change program that calls the sec_pwd_mgmt_*( ) API as previously described.
sec_pwd_mgmt_setup(&pwd_mgmt_h, context, login_name,
login_context, NULL, &st);
if (GOOD_STATUS(&st)) {
sec_pwd_mgmt_get_val_type(pwd_mgmt_h, &pwd_val_type, &st);
}
if (GOOD_STATUS(&st)) {
switch (pwd_val_type) {
case 0: /* NONE */
case 1: /* USER_SELECT */
... get password ...
break;
case 2: /* USER_CAN_SELECT */
... if user does not want generated password ... {
... get password ...
break;
}
case 3: /* GENERATION_REQUIRED */
sec_pwd_mgmt_gen_pwd(pwd_mgmt_h, 1, &num_returned,
&passwd, &st);
... display generated password to user - possibly
prompting for confirmation ...
break;
}
}
if (GOOD_STATUS(&st)) {
sec_rgy_acct_passwd(context, &login_name, &caller_key,
&passwd, new_keytype, &new_key_version, &st);
}
sec_pwd_mgmt_free_handle(&pwd_mgmt_h, &st);