.TH "KDB5_LDAP_UTIL" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.\" Man page generated from reStructuredText.
.SH SYNOPSIS
[\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]]
[\fB\-H\fP \fIldapuri\fP]
[\fIcommand_options\fP]
.SH DESCRIPTION
kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.
.SH COMMAND-LINE OPTIONS
.TP
.B \fB\-D\fP \fIuser_dn\fP
Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.
.TP
.B \fB\-w\fP \fIpasswd\fP
Specifies the password of \fIuser_dn\fP. This option is not
.TP
.B \fB\-H\fP \fIldapuri\fP
Specifies the URI of the LDAP server. It is recommended to use
\fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server.
.SS create
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
[\fB\-sscope\fP \fIsearch_scope\fP]
[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
[\fB\-k\fP \fImkeytype\fP]
[\fB\-kv\fP \fImkeyVNO\fP]
[\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP]
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
.PP
Creates a realm in the directory. Options:
.TP
.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects separated
.TP
.B \fB\-sscope\fP \fIsearch_scope\fP
Specifies the scope for searching the principals under the
subtree. The possible values are 1 or one (one level), 2 or sub
.TP
.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
Specifies the DN of the container object in which the principals
of a realm will be created. If the container reference is not
configured for a realm, the principals will be created in the
.TP
.B \fB\-k\fP \fImkeytype\fP
Specifies the key type of the master key in the database. The
default is given by the \fBmaster_key_type\fP variable in
.TP
.B \fB\-kv\fP \fImkeyVNO\fP
Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.
.TP
.B \fB\-m\fP
Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.
.TP
.B \fB\-P\fP \fIpassword\fP
Specifies the master database password. This option is not
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
.B \fB\-sf\fP \fIstashfilename\fP
Specifies the stash file of the master database password.
.TP
.B \fB\-s\fP
Specifies that the stash file is to be created.
.TP
.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
(\fIgetdate\fP string) Specifies the maximum ticket life for
principals in this realm.
.TP
.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
(\fIgetdate\fP string) Specifies the maximum renewable life of
tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the \fBadd_principal\fP command in
.PP
Example:
.nf
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Initializing database for realm \(aqATHENA.MIT.EDU\(aq
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re\-enter KDC database master key to verify:
.fi
.SS modify
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
[\fB\-sscope\fP \fIsearch_scope\fP]
[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
.PP
Modifies the attributes of a realm. Options:
.TP
.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects separated
by a colon (\fB:\fP). This list replaces the existing list.
.TP
.B \fB\-sscope\fP \fIsearch_scope\fP
Specifies the scope for searching the principals under the
subtrees. The possible values are 1 or one (one level), 2 or sub
.TP
.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
Specifies the DN of the
container object in which the principals of a realm will be
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
(\fIgetdate\fP string) Specifies the maximum ticket life for
principals in this realm.
.TP
.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
(\fIgetdate\fP string) Specifies the maximum renewable life of
tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the \fBadd_principal\fP command in
.PP
Example:
.nf
shell% kdb5_ldap_util \-D cn=admin,o=org \-H
ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r
Password for "cn=admin,o=org":
.fi
.SS view
\fBview\fP [\fB\-r\fP \fIrealm\fP]
.PP
Displays the attributes of a realm. Options:
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.PP
Example:
.nf
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
view \-r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.fi
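As an added example that is not part of the krb5 man page, the POSIX sh script below parses the view output format shown above (view_policy prints the same "Maximum ticket life" / "Ticket flags" lines) and checks a realm against a lifetime and flag baseline, which is how an administrator would audit realm settings from a script. The sample output is constructed from the format above, the 10-hour and 7-day ceilings are assumed baseline values, and the function names are the example's own.

```shell
# Constructed sample of `kdb5_ldap_util view` output in the format shown
# above; it was not captured from a live directory server.
SAMPLE_VIEW='Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE'

# Print the value of one "Key: value" line of view/view_policy output.
view_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# Convert the "D days HH:MM:SS" lifetime that view prints into seconds.
life_to_seconds() {
    [ -n "$1" ] || return 1
    set -- $1                        # $1=D  $2="days"  $3=HH:MM:SS
    d=$1
    h=${3%%:*}; rest=${3#*:}
    m=${rest%%:*}; s=${rest#*:}
    # Drop one leading zero so a POSIX shell does not read "08" as octal.
    h=${h#0}; m=${m#0}; s=${s#0}
    echo $(( d * 86400 + h * 3600 + m * 60 + s ))
}

# Return 0 when the realm or policy stays within the given ceilings (seconds)
# and carries the required flag; return 1 on any deviation or missing field.
check_lifetimes() {
    out=$1; tkt_max=$2; renew_max=$3; need_flag=$4
    tkt=$(life_to_seconds "$(view_field "$out" 'Maximum ticket life')") || return 1
    renew=$(life_to_seconds "$(view_field "$out" 'Maximum renewable life')") || return 1
    flags=" $(view_field "$out" 'Ticket flags') "
    [ "$tkt" -le "$tkt_max" ] || return 1
    [ "$renew" -le "$renew_max" ] || return 1
    case "$flags" in *" $need_flag "*) return 0 ;; esac
    return 1
}

# Usage on the sample; for a real realm substitute the output of
# kdb5_ldap_util -D user_dn -H ldapi:/// view -r REALM for SAMPLE_VIEW.
if check_lifetimes "$SAMPLE_VIEW" 36000 604800 REQUIRES_PWCHANGE; then
    echo "ATHENA.MIT.EDU: lifetimes and flags within baseline"
else
    echo "ATHENA.MIT.EDU: outside baseline"
fi
```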
.SS destroy
\fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP]
.PP
Destroys an existing realm. Options:
.TP
.B \fB\-f\fP
If specified, will not prompt the user for confirmation.
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.PP
Example:
.nf
shell% kdb5_ldap_util \-D cn=admin,o=org \-H
ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure?
(type \(aqyes\(aq to confirm)? yes
OK, deleting database of \(aqATHENA.MIT.EDU\(aq...
.fi
.SS list
Lists the names of realms.
.PP
Example:
.nf
shell% kdb5_ldap_util \-D cn=admin,o=org \-H
ldaps://ldap\-server1.mit.edu list
Password for "cn=admin,o=org":
.fi
.SS stashsrvpw
[\fB\-f\fP \fIfilename\fP]
.PP
Allows an administrator to store the password for a service object in a
file so that the KDC and Administration server can use it to authenticate
to the LDAP server. Options:
.TP
.B \fB\-f\fP \fIfilename\fP
Specifies the complete path of the service password file. By
default, \fB/usr/local/var/service_passwd\fP is used.
.PP
Specifies the Distinguished Name (DN) of the service object whose
password is to be stored in the file.
.PP
Example:
.nf
kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile
cn=service\-kdc,o=org
Password for "cn=service\-kdc,o=org":
Re\-enter password for "cn=service\-kdc,o=org":
.fi
.SS create_policy
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
.PP
Creates a ticket policy in the directory. Options:
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
(\fIgetdate\fP string) Specifies the maximum ticket life for
.TP
.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
(\fIgetdate\fP string) Specifies the maximum renewable life of
tickets for principals.
.TP
.B \fIticket_flags\fP
Specifies the ticket flags. If this option is not specified, by
default, no restriction will be set by the policy. Allowable
flags are documented in the description of the \fBadd_principal\fP
command in \fIkadmin(1)\fP.
.PP
Specifies the name of the ticket policy.
.PP
Example:
.nf
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day"
\-maxrenewlife "1 week" \-allow_postdated +needchange
\-allow_forwardable tktpolicy
Password for "cn=admin,o=org":
.fi
.SS modify_policy
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
.PP
Modifies the attributes of a ticket policy. Options are the same as for
.PP
Example:
.nf
kdb5_ldap_util \-D cn=admin,o=org \-H
ldaps://ldap\-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU
\-maxtktlife "60 minutes" \-maxrenewlife "10 hours"
+allow_postdated \-requires_preauth tktpolicy
Password for "cn=admin,o=org":
.fi
.SS view_policy
[\fB\-r\fP \fIrealm\fP]
.PP
Displays the attributes of a ticket policy. Options:
.PP
Specifies the name of the ticket policy.
.PP
Example:
.nf
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
view_policy \-r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.fi
.SS destroy_policy
[\fB\-r\fP \fIrealm\fP]
.PP
Destroys an existing ticket policy. Options:
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.PP
Forces the deletion of the policy object. If not specified, the
user will be prompted for confirmation before deleting the policy.
.PP
Specifies the name of the ticket policy.
.PP
Example:
.nf
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
destroy_policy \-r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
This will delete the policy object \(aqtktpolicy\(aq, are you sure?
(type \(aqyes\(aq to confirm)? yes
** policy object \(aqtktpolicy\(aq deleted.
.fi
.SS list_policy
[\fB\-r\fP \fIrealm\fP]
.PP
Lists the ticket policies in realm if specified or in the default
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.PP
Example:
.nf
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
list_policy \-r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
.fi
.\" Generated by docutils manpage writer.