message or an empty string to indicate success.
Some operations require root privileges. Other operations are
-unprivileged if no login name present, or if it matches the UID
-of the requesting user.
+unprivileged if no login name present, or if the correct "auth-passwd"
+is provided and target user has allowed administration of their
+account using a password authentication. Only regular password can be
+used for such authentication, tokens are not accepted.
# No operation (unprivileged)
{
{
"cmd": "create-token",
"login": "login name",
+ "auth-passwd": "current password",
"zone": "auth zone",
"comment": "optional comment"
}
{
"cmd": "delete-token",
"login": "login name",
+ "auth-passwd": "current password",
"zone": "auth zone",
"ident": "token id" # "*" for all tokens for the login+zone
}
{
"cmd": "change-token"
"login": "login name",
+ "auth-passwd": "current password",
"zone": "auth zone",
"ident": "token id",
"comment": "new comment" # optional
{
"cmd": "set-passwd",
"login": "login name",
+ "auth-passwd": "current password",
"zone": "auth zone",
"passwd": "new password"
}
{
"cmd": "delete-passwd",
"login": "login name",
+ "auth-passwd": "current password",
"zone": "auth zone"
}
{
"cmd": "create-temp",
"login": "login name",
+ "auth-passwd": "current password",
"zone": "auth zone",
"validity": seconds # Requested token validity
}
"passwd": "password or token"
}
+# Allow/disallow management of selected account using password
+{
+ "cmd": "allow-passwd-auth",
+ "login": "login name",
+ "auth-passwd": "current password",
+ "zone": "auth zone",
+ "allow": integer
+}
+
# List user's accounts and tokens
{
"cmd": "list-accts",
"accounts": [
{
"zone": "auth zone",
+ "allow-passwd-auth": integer, # Can anybody manage this account using its password?
"tokens": [
{
"type": "token type", # passwd/token
"desc": "human-readable description",
"allow-passwd": integer, # Does the zone support passwords?
"allow-tokens": integer, # Does the zone support auth tokens?
+ "allow-passwd-auth": integer, # Does the zone support password authentication for account management?
"max-temp-validity": seconds # Maximum validity of temp tokens
# (if no temp tokens supported)
}