/sys$common/syshlp/HELPLIB.HLB  —  PMDF  PASSWORD
    Set password for remote authentication, e.g., POP client (APOP),
    IMAP client (CRAM), or mailbox filter authentication.

    Syntax

      PMDF PASSWORD  [password]

    Command Qualifiers             Defaults

    /CONVERT                       /CREATE
    /CREATE                        /CREATE
    /DELETE                        /CREATE
    /SERVICE=keyword               /SERVICE=DEFAULT
    /SHOW                          /CREATE
    /TEST                          /CREATE
    /USER=username                 See text

1  –  Restrictions

    All operations other than setting or verifying one's own
    password, or showing one's own password database entries, require
    privileges.

2  –  Prompts

    New password: password

3  –  Parameters

 password

    The password to set. Note that APOP passwords are case sensitive.

4  –  Description

    The PMDF PASSWORD utility is used to create and modify PMDF
    password database entries. This database may be used by POP
    clients issuing the APOP command, by IMAP clients using the CRAM-
    MD5 authentication mechanism, or possibly by users authenticating
    themselves to modify their personal mailbox filters.

    Note that in general, just which source of password
    authentication information is used (whether the PMDF password
    database or some other source) is controlled by the PMDF security
    configuration file. That is, a connection comes in (POP,
    IMAP, or mailbox filtering) and is mapped to a security rule
    set; the security rule set in the PMDF security configuration
    then controls where and how authentication is performed for that
    connection.

    For instance, the DEFAULT security rule set in PMDF's
    implicit security configuration (which applies if no security
    configuration file exists) checks first for a PMDF user profile
    password (PMDF MessageStore or PMDF popstore profile password),
    next for a PMDF password database entry, and finally falls
    through to checking for a system password entry.

    Note that APOP and CRAM-MD5 passwords cannot be stored in the
    system password file. Therefore, in order to support use of the
    POP protocol's APOP command or AUTH command with CRAM-MD5, or
    the IMAP protocol's authenticate command with CRAM-MD5, the user
    must have a password entry stored in an authentication source
    other than (or in addition to) the system password file. The PMDF
    password database can be that additional authentication source.
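
    Why a one-way system password entry cannot serve these mechanisms, as an
    added example (not PMDF code): in both APOP (RFC 1939) and CRAM-MD5
    (RFC 2195) the server recomputes the client's digest from the shared secret,
    so it needs an authentication source that can supply that secret. The
    challenge string and the SHA-256 stand-in for a system password hash are
    assumptions made for illustration.

```python
import hashlib
import hmac

def apop_digest(banner: str, secret: str) -> str:
    """RFC 1939 APOP: hex MD5 over the server's timestamp banner + shared secret."""
    return hashlib.md5((banner + secret).encode()).hexdigest()

def cram_md5_digest(challenge: str, secret: str) -> str:
    """RFC 2195 CRAM-MD5: hex HMAC-MD5 of the challenge, keyed with the secret."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()

MECHANISMS = {"APOP": apop_digest, "CRAM-MD5": cram_md5_digest}

def server_accepts(mechanism: str, challenge: str, response: str, stored: str) -> bool:
    """Recompute the digest from whatever the server has stored and compare."""
    expected = MECHANISMS[mechanism](challenge, stored)
    return hmac.compare_digest(expected, response.lower())

def one_way_hash(secret: str) -> str:
    """Stand-in for a one-way system password hash (not the real VMS algorithm)."""
    return hashlib.sha256(secret.encode()).hexdigest()

def demo() -> dict:
    challenge = "<1234.5678@mail.example.com>"  # constructed server challenge
    password = "SeCrEt"                          # password from the page's example
    results = {}
    for mech, digest in MECHANISMS.items():
        response = digest(challenge, password)   # what the client would send
        results[mech] = {
            # Server can supply the secret itself: verification succeeds.
            "stored_secret": server_accepts(mech, challenge, response, password),
            # Server only has a one-way hash of it: the digest cannot be rebuilt.
            "stored_one_way_hash": server_accepts(
                mech, challenge, response, one_way_hash(password)),
            # Same password in a different case: rejected (case sensitive).
            "wrong_case": server_accepts(mech, challenge, response, password.upper()),
        }
    return results

if __name__ == "__main__":
    for mech, outcome in demo().items():
        print(mech, outcome)
```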

    Thus for instance, for a POP or IMAP connection handled by
    the DEFAULT security rule set, a user must either be a PMDF
    MessageStore user or a PMDF popstore user (in which case their
    PMDF user profile password is normally sufficient for remote
    authentication), or if they are a legacy message store (VMS
    MAIL) user then they must have a PMDF password database entry
    in addition to their system password file entry.

    For mailbox filter connections handled by the DEFAULT
    security rule set of PMDF's implicit security configuration,
    authentication will be performed preferentially against the PMDF
    user profile, if the user has a PMDF user profile entry (that
    is, a PMDF MessageStore or PMDF popstore profile entry), if not
    then against the PMDF password database, if the user has an entry
    in it, and finally, only if the user has neither sort of entry,
    against the system password file.

    The above discussion regards whether the PMDF password
    database will actually be used as the source of authentication
    information. When the PMDF password database is used as the
    source of authentication information, then an additional issue
    can arise, namely which of a user's possibly multiple entries
    will be checked for the authentication. That is, a user can have
    multiple entries in the PMDF password database, one for each
    allowed /SERVICE value. The sort of connection (assuming that
    the PMDF password database is even checked) will control which
    /SERVICE entry is preferentially checked. Note that the sort
    of /SERVICE checked has nothing to do with the PMDF security
    configuration (which instead controlled whether or not the PMDF
    password database was queried at all); the sort of /SERVICE entry
    checked when the PMDF password database is queried has entirely
    to do with which component of PMDF is doing the querying (what
    sort of connection this regards).

    Queries by the POP server will first check a user's /SERVICE=POP
    entry, but if such an entry does not exist will fall through
    to the user's /SERVICE=DEFAULT entry. Queries by the IMAP
    server will first check a user's /SERVICE=IMAP entry, but if
    such an entry does not exist will fall through to the user's
    /SERVICE=DEFAULT entry.

    Queries for mailbox filtering will check which channel a user
    matches. For a user matching a msgstore channel, the mailbox
    filter query will preferentially use the user's /SERVICE=IMAP
    entry, but if such an entry does not exist will fall through to
    the user's /SERVICE=DEFAULT entry. For a user matching a popstore
    channel, the mailbox filter query will preferentially use the
    user's /SERVICE=POP entry, but if such an entry does not exist
    will fall through to the user's /SERVICE=DEFAULT entry. For a
    user matching the local channel, the mailbox filter query will
    use the user's /SERVICE=DEFAULT entry.

    Most sites and users will not want to use /SERVICE specific
    password database entries. Then each user has one entry, their
    /SERVICE=DEFAULT entry, used whenever the PMDF password database
    is queried.

    But for sites and users who do want to use /SERVICE specific
    password database entries, while the above description of
    /SERVICE specific probes may sound complicated, the goal is
    simply to query the "natural" password entry for each case.
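
    The /SERVICE lookup order described above, as a small model added here
    (not PMDF code). The function names, the data layout and the sample
    entries are constructed for illustration; JSMITH is the user from the
    Examples section, the other usernames are made up. It also reports which
    query types would find no entry for a user who has only service-specific
    entries.

```python
# Preferred /SERVICE entry per querying component, taken from the description above.
# Mailbox filter queries depend on the channel the user matches.
PREFERRED = {
    ("POP", None): "POP",
    ("IMAP", None): "IMAP",
    ("FILTER", "msgstore"): "IMAP",
    ("FILTER", "popstore"): "POP",
    ("FILTER", "local"): "DEFAULT",
}

def entry_checked(services, component, channel=None):
    """Return the /SERVICE entry that would be checked, or None if none exists.

    Models only the password database step; whether the database is consulted
    at all is decided by the security rule set, which is not modelled here.
    """
    key = (component, channel if component == "FILTER" else None)
    if key not in PREFERRED:
        raise ValueError(f"unknown query type: {key}")
    for service in (PREFERRED[key], "DEFAULT"):  # preferred entry, then fall through
        if service in services:
            return service
    return None

def coverage_gaps(database):
    """Map each user to the query types for which no entry would be found."""
    gaps = {}
    for user, services in database.items():
        missing = [key for key in PREFERRED if entry_checked(services, *key) is None]
        if missing:
            gaps[user] = missing
    return gaps

# Constructed sample data: user -> set of /SERVICE keywords that have an entry.
SAMPLE_DB = {
    "JSMITH": {"DEFAULT"},
    "ADOE": {"POP"},
    "BLEE": {"IMAP", "DEFAULT"},
}

if __name__ == "__main__":
    print(coverage_gaps(SAMPLE_DB))
```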

5  –  Command Qualifiers

5.1    /CONVERT

    The format of the PMDF password database changed in PMDF V5.1
    from that used previously. This qualifier is used to convert a
    PMDF V5.0 password database to the PMDF V5.1 and later format.

5.2    /CREATE

    Create a PMDF password database entry. This qualifier is the
    default.

5.3    /DELETE

    Delete a user/password entry pair from the PMDF password
    database.

5.4    /SERVICE

       /SERVICE=keyword

    Specify for what service a particular password method and
    password value apply. The default service keyword is DEFAULT;
    POP and IMAP are other possible keywords.

5.5    /SHOW

    Show a user/service/password-method entry in the PMDF password
    database. Note that this command does not show the password
    value.

5.6    /TEST

    Compare a specified password against a password stored in the
    PMDF password database.

5.7    /USER

       /USER=username

    Set or show a password entry in the PMDF password database
    for the specified user. To show all users' entries specify the
    asterisk as a value.

6  –  Examples

      To add a user JSMITH with password SeCrEt to the database, use
      the command

        $ PMDF PASSWORD/USER=JSMITH "SeCrEt"

      The user JSMITH may change his own password, with prompting
      so that the password is not printed on the screen, using the
      command

        $ PMDF PASSWORD
        Password:

      To list all usernames that have an entry in the PMDF password
      database, use the following command:

        $ PMDF PASSWORD/SHOW/USER=*

7  –  Error messages

  %PMDF-E-CANOPNPASS, Password file does not exist or cannot be opened

      The PMDF password database does not exist, or could not be
      opened.

  %SYSTEM-F-NOWORLD, operation requires WORLD privilege

      Must have WORLD privilege to use the PMDF PASSWORD/CONVERT
      command, or to specify an entry for a user other than oneself.