297 lines
14 KiB
Plaintext
297 lines
14 KiB
Plaintext
// Copyright (c) 2010 DMTF. All rights reserved.
|
|
[Version ( "2.27.0" ),
|
|
UMLPackagePath ( "CIM::User::Account" ),
|
|
Description (
|
|
"CIM_Account is the information held by a SecurityService to "
|
|
"track identity and privileges managed by that service. Common "
|
|
"examples of an Account are the entries in a UNIX /etc/passwd "
|
|
"file. Several kinds of security services use various "
|
|
"information from those entries - the /bin/login program uses "
|
|
"the account name (\'root\') and hashed password to "
|
|
"authenticate users, and the file service, for instance, uses "
|
|
"the UserID field (\'0\') and GroupID field (\'0\') to record "
|
|
"ownership and determine access control privileges on files in "
|
|
"the file system. This class is defined so as to incorporate "
|
|
"commonly-used LDAP attributes to permit implementations to "
|
|
"easily derive this information from LDAP-accessible "
|
|
"directories. \n"
|
|
"\n"
|
|
"The semantics of Account overlap with that of the class, "
|
|
"CIM_Identity. However, aspects of Account - such as its "
|
|
"specific tie to a System - are valuable and have been widely "
|
|
"implemented. For this reason, the Account and Identity classes "
|
|
"are associated using a subclass of LogicalIdentity "
|
|
"(AccountIdentity), instead of deprecating the Account class in "
|
|
"the CIM Schema. When an Account has been authenticated, the "
|
|
"corresponding Identity\'s TrustEstablished Boolean would be "
|
|
"set to TRUE. Then, the Identity class can be used as defined "
|
|
"for authorization purposes." )]
|
|
class CIM_Account : CIM_EnabledLogicalElement {
|
|
|
|
[Key, Description ( "The scoping System\'s CCN." ),
|
|
MaxLen ( 256 ),
|
|
Propagated ( "CIM_System.CreationClassName" )]
|
|
string SystemCreationClassName;
|
|
|
|
[Key, Description ( "The scoping System\'s Name." ),
|
|
MaxLen ( 256 ),
|
|
Propagated ( "CIM_System.Name" )]
|
|
string SystemName;
|
|
|
|
[Key, Description (
|
|
"CreationClassName indicates the name of the class or the "
|
|
"subclass used in the creation of an instance. When used "
|
|
"with the other key properties of this class, this "
|
|
"property allows all instances of this class and its "
|
|
"subclasses to be uniquely identified." ),
|
|
MaxLen ( 256 )]
|
|
string CreationClassName;
|
|
|
|
[Key, Override ( "Name" ),
|
|
Description (
|
|
"The Name property defines the label by which the object "
|
|
"is known. The value of this property may be set to be "
|
|
"the same as that of the UserID property or, in the case "
|
|
"of an LDAP-derived instance, the Name property value may "
|
|
"be set to the distinguishedName of the LDAP-accessed "
|
|
"object instance." ),
|
|
MaxLen ( 1024 )]
|
|
string Name;
|
|
|
|
[Description (
|
|
"UserID is the value used by the SecurityService to "
|
|
"represent identity. For an authentication service, the "
|
|
"UserID may be the name of the user, or for an "
|
|
"authorization service the value which serves as a handle "
|
|
"to a mapping of the identity." ),
|
|
MaxLen ( 256 )]
|
|
string UserID;
|
|
|
|
[Description (
|
|
"In the case of an LDAP-derived instance, the ObjectClass "
|
|
"property value(s) may be set to the objectClass "
|
|
"attribute values." )]
|
|
string ObjectClass[];
|
|
|
|
[Description (
|
|
"The Descriptions property values may contain "
|
|
"human-readable descriptions of the object. In the case "
|
|
"of an LDAP-derived instance, the description attribute "
|
|
"may have multiple values that, therefore, cannot be "
|
|
"placed in the inherited Description property." ),
|
|
MaxLen ( 1024 )]
|
|
string Descriptions[];
|
|
|
|
[Description (
|
|
"Based on RFC1274, the host name of the system(s) for "
|
|
"which the account applies. The host name may be a "
|
|
"fully-qualified DNS name or it may be an unqualified "
|
|
"host name." )]
|
|
string Host[];
|
|
|
|
[Description (
|
|
"This property contains the name of a locality, such as a "
|
|
"city, county or other geographic region." )]
|
|
string LocalityName[];
|
|
|
|
[Required, Description (
|
|
"The name of the organization related to the account." )]
|
|
string OrganizationName[];
|
|
|
|
[Description (
|
|
"The name of an organizational unit related to the account."
|
|
)]
|
|
string OU[];
|
|
|
|
[Description (
|
|
"In the case of an LDAP-derived instance, the SeeAlso "
|
|
"property specifies distinguished name of other Directory "
|
|
"objects which may be other aspects (in some sense) of "
|
|
"the same real world object." )]
|
|
string SeeAlso[];
|
|
|
|
[Description (
|
|
"Based on inetOrgPerson and for directory compatibility, "
|
|
"the UserCertificate property may be used to specify a "
|
|
"public key certificate for the person." ),
|
|
OctetString]
|
|
string UserCertificate[];
|
|
|
|
[Description (
|
|
"In the case of an LDAP-derived instance, the "
|
|
"UserPassword property may contain an encrypted password "
|
|
"used to access the person\'s resources in a directory." ),
|
|
OctetString]
|
|
string UserPassword[];
|
|
|
|
[Description (
|
|
"The encryption algorithm (if any) used by the client to "
|
|
"produce the value in the UserPassword property when "
|
|
"creating or modifying an instance of CIM_Account. The "
|
|
"original password is encrypted using the algorithm "
|
|
"specified in this property, and UserPassword contains "
|
|
"the resulting encrypted value. In response to an "
|
|
"operation request that would return the value of the "
|
|
"UserPassword property to a client, an implementation "
|
|
"shall instead return an array of length zero.\n"
|
|
"The value of UserPasswordEncryptionAlgorithm in an "
|
|
"instance of CIM_Account shall be 0 (\"None\") unless the "
|
|
"SupportedUserPasswordEncryptionAlgorithms[] property in "
|
|
"the CIM_AccountManagementCapabilities instance "
|
|
"associated with the CIM_AccountManagementService "
|
|
"instance associated with the CIM_Account instance "
|
|
"contains a non-null entry other than 0 (\"None\").\n"
|
|
"This property does not prevent the use of encryption at "
|
|
"the transport, network, or data-link layer to protect "
|
|
"communications between a management client and the "
|
|
"server, nor is it meant to encourage communications "
|
|
"without such encryption.\n"
|
|
"The supported values for this property are:\n"
|
|
"- 0 (\"None\"): Indicates that the contents of "
|
|
"UserPassword are not encrypted.\n"
|
|
"- 1 (\"Other\"): Indicates that the contents of "
|
|
"UserPassword are encrypted using an algorithm not "
|
|
"specifically identified in the value map for this "
|
|
"property, and that this algorithm is described in OtherUserPasswordEncryptionAlgorithm.\n"
|
|
"- 2 (\"HTTP Digest MD5(A1)\"): The MD5 hash algorithm, "
|
|
"applied to the string A1 defined in RFC2617 as the "
|
|
"concatenation username-value \":\" realm-value \":\" "
|
|
"passwd, where username-value is provided by the client "
|
|
"as the value of the UserID property. passwd is the "
|
|
"underlying user password. realm-value is the HTTP digest "
|
|
"realm value, and is provided by the server. The "
|
|
"semantics of the HTTP digest realm are specified in RFC "
|
|
"2617. The server may surface the realm-value in the "
|
|
"UserPasswordEncryptionSalt property of "
|
|
"CIM_AccountManagementCapabilities." ),
|
|
ValueMap { "0", "1", "2", ".." },
|
|
Values { "None", "Other", "HTTP Digest MD5(A1)",
|
|
"DMTF Reserved" },
|
|
ModelCorrespondence { "CIM_Account.UserPassword",
|
|
"CIM_Account.OtherUserPasswordEncryptionAlgorithm",
|
|
"CIM_AccountManagementCapabilities.SupportedUserPasswordEncryptionAlgorithms",
|
|
"CIM_AccountManagementCapabilities.UserPasswordEncryptionSalt" }]
|
|
uint16 UserPasswordEncryptionAlgorithm;
|
|
|
|
[Description (
|
|
"If the UserPasswordEncryptionAlgorithm property is set "
|
|
"to 1 (\"Other\") this property contains a free form "
|
|
"string that provides more information about the "
|
|
"encryption algorithm. If UserPasswordEncryptionAlgorithm "
|
|
"is not set to 1 (\"Other\") this property has no "
|
|
"meaning." ),
|
|
ModelCorrespondence {
|
|
"CIM_Account.UserPasswordEncryptionAlgorithm" }]
|
|
string OtherUserPasswordEncryptionAlgorithm;
|
|
|
|
[Description (
|
|
"ComplexPasswordRulesEnforced indicates the rules for "
|
|
"constructing a complex password enforced by the Account.\n"
|
|
"Minimum Length a minimum length is enforced for "
|
|
"passwords for the account.\n"
|
|
"Preclude User ID inclusion precluding the password from "
|
|
"including the user ID is supported. \n"
|
|
"Maximum Repeating Characters a limit will be enforced on "
|
|
"the number of times a character can occur consecutively. \n"
|
|
"Lower Case Alpha at least one lower case alpha character "
|
|
"is required. \n"
|
|
"Upper Case Alpha at least one upper case alpha character "
|
|
"is required. \n"
|
|
"Numeric Character at least one numeric character is "
|
|
"required. \n"
|
|
"Special Character at least one special character is "
|
|
"required." ),
|
|
ValueMap { "2", "3", "4", "5", "6", "7", "8", "..",
|
|
"0x8000..0xFFFF" },
|
|
Values { "Minimum Length", "Preclude User ID Inclusion",
|
|
"Maximum Repeating Characters", "Lower Case Alpha",
|
|
"Upper Case Alpha", "Numeric Character",
|
|
"Special Character", "DMTF Reserved", "Vendor Reserved" }]
|
|
uint16 ComplexPasswordRulesEnforced[];
|
|
|
|
[Description (
|
|
"InactivityTimeout specifies the interval after which if "
|
|
"an account has been inactive, it shall be Disabled. The "
|
|
"value may be expressed in interval format, as an "
|
|
"absolute date-time, or be NULL.\n"
|
|
"An absolute date-time shall indicate when the password "
|
|
"will be disabled due to inactivity.\n"
|
|
"An interval value shall indicate the time remaining "
|
|
"before the password is disabled due to inactivity.\n"
|
|
"A value of NULL shall indicate that the Account will not "
|
|
"be disabled due to inactivity." )]
|
|
datetime InactivityTimeout;
|
|
|
|
[Description (
|
|
"LastLogin shall be an absolute date-time that specifies "
|
|
"the last successful authentication that occurred for "
|
|
"this Account.A value of 99990101000000.000000+000 shall "
|
|
"indicate the Account has never been used. A value of "
|
|
"NULL shall indicate the last successful login is "
|
|
"unknown." )]
|
|
datetime LastLogin;
|
|
|
|
[Description (
|
|
"MaximumSuccessiveLoginFailures indicates the number of "
|
|
"successive failed login attempts that shall result in "
|
|
"the Account being disabled. A value of zero shall "
|
|
"indicate that the Account will not be disabled due to "
|
|
"successive failed login attempts." )]
|
|
uint16 MaximumSuccessiveLoginFailures;
|
|
|
|
[Description (
|
|
"PasswordExpiration indicates the maximum password age "
|
|
"enforced for the Account. The value may be expressed as "
|
|
"an absolute date-time as an interval, or may be NULL.\n"
|
|
"An absolute date-time shall indicate the date and time "
|
|
"when the password will expire.\n"
|
|
"An interval value shall indicate the time remaining "
|
|
"until the password expires.\n"
|
|
"A value of NULL shall indicate the password never "
|
|
"expires." )]
|
|
datetime PasswordExpiration;
|
|
|
|
[Description (
|
|
"PasswordHistoryDepth indicates the number of previous "
|
|
"passwords that shall be maintained for the Account. The "
|
|
"Account shall preclude the selection of a password if it "
|
|
"occurs in the password history. A value of zero shall "
|
|
"indicate that a password history is not maintained." )]
|
|
uint16 PasswordHistoryDepth;
|
|
|
|
[Description (
|
|
"UserPasswordEncoding specifies encoding used for the "
|
|
"UserPassword property.\r\n"
|
|
"\"kbd\" denotes a string in hexadecimal format "
|
|
"containing keyboard scan code input. An example of a "
|
|
"UserPassword structured in this format would be "
|
|
"\"321539191E1F1F11181320\", which is the representation "
|
|
"of \"my password\" in US English keyboard scan codes.\n"
|
|
"\"\rascii\" denotes clear text that complies with the "
|
|
"ASCII character set. An example would be \"my password\".\n"
|
|
"\"pin\" denotes that only numeric input in ASCII text is "
|
|
"allowed for the UserPassword. An example would be \"1234\".\n"
|
|
"\"UTF-8\" denotes that the UserPassword is a Unicode "
|
|
"string that is encoded using UTF-8 character set.\n"
|
|
"\"UTF-16\" denotes that the UserPassword is a Unicode "
|
|
"string that is encoded using UTF-16 character set. The "
|
|
"byte order mark (BOM) shall be the first character of "
|
|
"the string.\n"
|
|
"\"UTF-16LE\" denotes that the UserPassword is a Unicode "
|
|
"string that is encoded using UTF-16 character set in "
|
|
"little-endian byte order.\n"
|
|
"\"UTF-16BE\" denotes that the UserPassword is a Unicode "
|
|
"string that is encoded using UTF-16 character set in "
|
|
"big-endian byte order.\n"
|
|
"\"UCS-2\" denotes that the UserPassword is a Unicode "
|
|
"string that is encoded using UCS-2 character set." ),
|
|
ValueMap { "2", "3", "4", "5", "6", "7", "8", "9", "..",
|
|
"65536..4294967295" },
|
|
Values { "ascii", "kbd", "pin", "UTF-8", "UTF-16",
|
|
"UTF-16LE", "UTF-16BE", "UCS-2", "DMTF Reserved",
|
|
"Vendor Reserved" }]
|
|
uint32 UserPasswordEncoding;
|
|
|
|
|
|
};
|