PMDF System Manager's Guide



14.2.7 Transitioning Between Authentication Sources

Among other things, the PMDF security configuration can be used to cause users' authentication verifiers (passwords)---for instance, the password used when "logging in" during a POP or IMAP connection, or used for authentication between a SASL-enabled client and a SASL-enabled server---to be migrated from one authentication source to another. This is particularly likely to be relevant when users are being automatically migrated from one message store to another---say from the legacy (native) message store to the PMDF MessageStore or to the PMDF popstore. But it also has other applications: for instance, a SASL-enabled client can tell the server to change the storage of the user's password from one mechanism to another; or a site can choose to migrate users' authentication verifiers from a source on the PMDF system (whether system password file, PMDF password database, or PMDF user profiles for PMDF MessageStore and PMDF popstore users) to an external server, such as a RADIUS server.

Such transitioning is controlled via the various TRANSITION_* PMDF security configuration file options, described individually in Section 14.2.2 above. As transitioning involves additional considerations beyond the usual security configuration file considerations, this section presents an additional brief description of transitioning and the use of the TRANSITION_* options in combination.

The TRANSITION_CRITERIA option specifies if and when to transition users' authentication verifiers. The TRANSITION_ADD and TRANSITION_DELETE options control which storage mechanisms are added and which are deleted when a transition is performed.

TRANSITION_DELETE actually removes that mechanism's copy of the authentication verifier (password): for instance, when transitioning away from the PMDF password database, the user's entry for that mechanism is removed from the database. TRANSITION_DISABLE is less drastic than TRANSITION_DELETE: it marks the password as not usable but does not delete it. For instance, when the system password file is the source being transitioned from, TRANSITION_DISABLE on OpenVMS marks the account as DISUSERed. Consequently, TRANSITION_DELETE is not normally reversible, other than by manually reentering the password entry, whereas TRANSITION_DISABLE is easily reversed.

The TRANSITION_RETAIN_USERS option names particular users, typically privileged accounts such as root or SYSTEM, who are exempt from the TRANSITION_DISABLE and TRANSITION_DELETE options; their verifiers in the old source are neither disabled nor deleted. Use it when you want to force migration of authentication verifiers for normal users, but not for the special privileged accounts.

Finally, the TRANSITION_FROM option specifies a list of additional authentication sources to check when transitioning, so that users whose verifiers have not yet been migrated can still be authenticated against the old source.
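The following Python model is an added illustration of how the six TRANSITION_* options interact at login time; it is not PMDF code and does not use the syntax of the PMDF security configuration file. The store names ("system", "pwdb"), the "always"/"never" criteria values, the sample users and the passwords are all constructed for the model and are not PMDF keywords. The model also assumes that a verifier can only be copied into a new store on a login where the server actually received the cleartext password (as with a PLAIN-style mechanism), because that is all it has to write; whether PMDF's TRANSITION_CRITERIA keywords encode exactly that condition is not stated on this page. What the model does show is the practical difference between TRANSITION_DELETE and TRANSITION_DISABLE after the fact, the effect of TRANSITION_RETAIN_USERS on a privileged account, and the role of TRANSITION_FROM in keeping not-yet-migrated users able to log in.

```python
"""Toy model of PMDF-style verifier transitioning (added example, not PMDF code).

Stores, criteria values, users and the cleartext rule are assumptions of the
model.  Verifiers are kept in cleartext only to keep the model short."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    verifier: str          # stored password (cleartext in this toy model only)
    enabled: bool = True   # False models "disabled, not deleted" (DISUSER-like)


@dataclass
class Store:
    """One authentication source / storage mechanism (hypothetical)."""
    name: str
    entries: dict = field(default_factory=dict)

    def usable(self, user):
        e = self.entries.get(user)
        return e if e is not None and e.enabled else None


@dataclass
class TransitionPolicy:
    """The TRANSITION_* options as this model interprets them."""
    criteria: str          # "always" or "never" (model values, not PMDF keywords)
    add: list              # TRANSITION_ADD: stores that receive the verifier
    delete: list           # TRANSITION_DELETE: stores whose entry is removed
    disable: list          # TRANSITION_DISABLE: stores whose entry is flagged unusable
    retain_users: set      # TRANSITION_RETAIN_USERS: exempt from delete/disable
    from_sources: list     # TRANSITION_FROM: extra sources consulted at login


def authenticate(user, password, cleartext, auth_source, stores, policy):
    """Check `password` against `auth_source`, then the TRANSITION_FROM sources,
    and on success apply the policy.  `cleartext` says whether the server saw
    the password itself this login rather than a challenge-response proof."""
    report = {"ok": False, "source": None, "transitioned": False,
              "added": [], "deleted": [], "disabled": [], "retained": False}
    for name in [auth_source] + policy.from_sources:
        entry = stores[name].usable(user)
        if entry is not None and entry.verifier == password:
            report["ok"], report["source"] = True, name
            break
    if not report["ok"]:
        return report
    if policy.criteria != "always" or not cleartext:
        return report                      # nothing can be migrated this login
    report["transitioned"] = True
    for name in policy.add:                # ADD applies to every user
        stores[name].entries[user] = Entry(password)
        report["added"].append(name)
    if user in policy.retain_users:        # privileged accounts keep the old entry
        report["retained"] = True
        return report
    for name in policy.delete:             # irreversible: the entry is gone
        if stores[name].entries.pop(user, None) is not None:
            report["deleted"].append(name)
    for name in policy.disable:            # reversible: entry kept, flagged off
        e = stores[name].entries.get(user)
        if e is not None and e.enabled:
            e.enabled = False
            report["disabled"].append(name)
    return report


def reenable(store, user):
    """Undo a DISABLE.  Returns False when no entry is left, i.e. after a DELETE."""
    e = store.entries.get(user)
    if e is None:
        return False
    e.enabled = True
    return True


def make_stores():
    # Constructed sample data: a legacy system password file with three users and
    # an empty PMDF password database that is to become the new source.
    system = Store("system", {"alice": Entry("s3cret"), "bob": Entry("hunter2"),
                              "SYSTEM": Entry("manager")})
    return {"system": system, "pwdb": Store("pwdb")}


def migrate_with_disable():
    stores = make_stores()
    policy = TransitionPolicy("always", add=["pwdb"], delete=[], disable=["system"],
                              retain_users={"SYSTEM"}, from_sources=["system"])
    r1 = authenticate("alice", "s3cret", True, "pwdb", stores, policy)    # migrated
    r2 = authenticate("alice", "s3cret", True, "pwdb", stores, policy)    # now from pwdb
    r3 = authenticate("bob", "hunter2", False, "pwdb", stores, policy)    # no cleartext
    r4 = authenticate("SYSTEM", "manager", True, "pwdb", stores, policy)  # retained
    r5 = authenticate("alice", "wrong", True, "pwdb", stores, policy)     # rejected
    return r1, r2, r3, r4, r5, reenable(stores["system"], "alice")


def migrate_with_delete():
    stores = make_stores()
    policy = TransitionPolicy("always", add=["pwdb"], delete=["system"], disable=[],
                              retain_users=set(), from_sources=["system"])
    r = authenticate("alice", "s3cret", True, "pwdb", stores, policy)
    return r, reenable(stores["system"], "alice")
```

In `migrate_with_disable()` the first login is answered from the legacy store via TRANSITION_FROM and copies the verifier into the new store; the second is answered from the new store directly. The challenge-response login for bob succeeds but migrates nothing, the SYSTEM account is copied but its legacy entry stays enabled, and `reenable` succeeds because DISABLE left the entry in place. In `migrate_with_delete()` the same login removes the legacy entry, and `reenable` has nothing to restore, which is the irreversibility the text warns about.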

