.. _kdb5_ldap_util_synopsis:

[**-D** *user_dn* [**-w** *passwd*]]

.. _kdb5_ldap_util_synopsis_end:

kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.

.. _kdb5_ldap_util_options:

Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.

Specifies the password of *user_dn*. This option is not

Specifies the URI of the LDAP server. It is recommended to use
``ldapi://`` or ``ldaps://`` to connect to the LDAP server.

.. _kdb5_ldap_util_options_end:
.. _kdb5_ldap_util_create:

[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-m|-P** *password*\|\ **-sf** *stashfilename*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Creates a realm in the directory. Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm. The list contains the DNs of the subtree objects separated

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtree. The possible values are 1 or one (one level), 2 or sub

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be created. If the container reference is not
    configured for a realm, the principals will be created in the

Specifies the key type of the master key in the database. The
default is given by the **master_key_type** variable in

Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.

Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.

Specifies the master database password. This option is not

Specifies the Kerberos realm of the database.

**-sf** *stashfilename*
    Specifies the stash file of the master database password.

Specifies that the stash file is to be created.

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of
    tickets for principals in this realm.

Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the **add_principal** command in

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
    create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":
    Initializing database for realm 'ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
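
The helper below is an added example (not krb5 code) that assembles a ``create`` invocation like the one above while enforcing what this page documents: an ``ldapi://`` or ``ldaps://`` URI, a valid ``-sscope`` value, a colon-separated ``-subtrees`` list, and a master password that is stashed (``-sf`` with ``-s``) or prompted for (``-m``) rather than passed as ``-P``, where it would be visible to every local user in the process list. The function and parameter names are this example's own.

```python
"""Assemble a `kdb5_ldap_util create` command line with the checks an
operator wants before running it.  Added example, not krb5 code; the
function and parameter names are this example's own."""
import shlex
from urllib.parse import urlsplit

SCOPES = {"1": "one", "one": "one", "2": "sub", "sub": "sub"}  # -sscope values
SAFE_SCHEMES = ("ldapi", "ldaps")  # recommended transports; ldap:// is cleartext


def build_create_argv(bind_dn, ldap_uri, realm, subtrees, sscope="sub",
                      stash_file=None, prompt_master=False,
                      max_tkt_life=None, max_renew_life=None):
    """Return argv for `kdb5_ldap_util create`.

    The master password is never taken as an argument: it comes from a
    stash file (-sf, created with -s) or an interactive prompt (-m), so it
    cannot show up in `ps` output or shell history the way -P would.
    """
    scheme = urlsplit(ldap_uri).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        raise ValueError(f"refusing {scheme}://; use ldapi:// or ldaps://")
    if sscope.lower() not in SCOPES:
        raise ValueError(f"unknown search scope {sscope!r}")
    if not subtrees:
        raise ValueError("at least one subtree DN is required")
    if any(":" in dn for dn in subtrees):
        raise ValueError("subtree DNs must not contain ':' (the list separator)")
    if bool(stash_file) == prompt_master:
        raise ValueError("choose exactly one of stash_file (-sf) or prompt_master (-m)")
    argv = ["kdb5_ldap_util", "-D", bind_dn, "-H", ldap_uri, "create",
            "-subtrees", ":".join(subtrees), "-sscope", SCOPES[sscope.lower()],
            "-r", realm]
    argv += ["-sf", stash_file, "-s"] if stash_file else ["-m"]
    if max_tkt_life:
        argv += ["-maxtktlife", max_tkt_life]  # getdate string, e.g. "10 hours"
    if max_renew_life:
        argv += ["-maxrenewlife", max_renew_life]
    return argv


def render(argv):
    """Shell-quoted command line for a change record or runbook."""
    return shlex.join(argv)
```

The bind password is deliberately not added as ``-w``, so the tool prompts for it exactly as in the examples on this page.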
.. _kdb5_ldap_util_create_end:

.. _kdb5_ldap_util_modify:

[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Modifies the attributes of a realm. Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm. The list contains the DNs of the subtree objects separated
    by colon (``:``). This list replaces the existing list.

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtrees. The possible values are 1 or one (one level), 2 or sub

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be

Specifies the Kerberos realm of the database.

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of
    tickets for principals in this realm.

Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the **add_principal** command in

::

    shell% kdb5_ldap_util -D cn=admin,o=org -H
    ldaps://ldap-server1.mit.edu modify +requires_preauth -r
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_modify_end:
.. _kdb5_ldap_util_view:

**view** [**-r** *realm*]

Displays the attributes of a realm. Options:

Specifies the Kerberos realm of the database.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
    view -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":
    Realm Name: ATHENA.MIT.EDU
    Subtree: ou=users,o=org
    Subtree: ou=servers,o=org
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_end:
.. _kdb5_ldap_util_destroy:

**destroy** [**-f**] [**-r** *realm*]

Destroys an existing realm. Options:

If specified, will not prompt the user for confirmation.

Specifies the Kerberos realm of the database.

::

    shell% kdb5_ldap_util -D cn=admin,o=org -H
    ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":
    Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
    (type 'yes' to confirm)? yes
    OK, deleting database of 'ATHENA.MIT.EDU'...

.. _kdb5_ldap_util_destroy_end:

.. _kdb5_ldap_util_list:

Lists the names of realms.

::

    shell% kdb5_ldap_util -D cn=admin,o=org -H
    ldaps://ldap-server1.mit.edu list
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_list_end:
.. _kdb5_ldap_util_stashsrvpw:

Allows an administrator to store the password for a service object in a
file so that the KDC and Administration server can use it to authenticate
to the LDAP server. Options:

Specifies the complete path of the service password file. By
default, ``/usr/local/var/service_passwd`` is used.

Specifies the name of the object whose password is to be stored.
If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for
simple binding, this should be the distinguished name it will
use as given by the **ldap_kdc_dn** or **ldap_kadmind_dn**
variable in :ref:`kdc.conf(5)`. If the KDC or kadmind is
configured for SASL binding, this should be the authentication
name it will use as given by the **ldap_kdc_sasl_authcid** or
**ldap_kadmind_sasl_authcid** variable.

::

    kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
    Password for "cn=service-kdc,o=org":
    Re-enter password for "cn=service-kdc,o=org":

.. _kdb5_ldap_util_stashsrvpw_end:
.. _kdb5_ldap_util_create_policy:

[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Creates a ticket policy in the directory. Options:

Specifies the Kerberos realm of the database.

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of
    tickets for principals.

Specifies the ticket flags. If this option is not specified, the
policy sets no restriction by default. Allowable flags are
documented in the description of the **add_principal** command in
:ref:`kadmin(1)`.

Specifies the name of the ticket policy.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
    create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
    -maxrenewlife "1 week" -allow_postdated +needchange
    -allow_forwardable tktpolicy
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_create_policy_end:
.. _kdb5_ldap_util_modify_policy:

[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Modifies the attributes of a ticket policy. Options are the same as for

::

    kdb5_ldap_util -D cn=admin,o=org -H
    ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
    -maxtktlife "60 minutes" -maxrenewlife "10 hours"
    +allow_postdated -requires_preauth tktpolicy
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_modify_policy_end:
.. _kdb5_ldap_util_view_policy:

Displays the attributes of a ticket policy. Options:

Specifies the name of the ticket policy.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
    view_policy -r ATHENA.MIT.EDU tktpolicy
    Password for "cn=admin,o=org":
    Ticket policy: tktpolicy
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
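
As an added example (not part of krb5), the script below parses the ``view`` and ``view_policy`` output shown on this page into integer lifetimes and flag lists, then reports a lifetime above an illustrative limit or a realm that does not disallow forwardable tickets. The functions, the limits and the embedded sample are this example's own.

```python
"""Parse `kdb5_ldap_util view` / `view_policy` output and flag settings
worth review.  Added example, not krb5 code; the limits are illustrative."""

def parse_life(text):
    """'D days HH:MM:SS' as printed by the tool -> seconds."""
    days, _, clock = text.split()  # raises ValueError on any other shape
    h, m, s = (int(x) for x in clock.split(":"))
    return ((int(days) * 24 + h) * 60 + m) * 60 + s


def parse_view(output):
    """'Key: value' lines -> dict: Subtree/Ticket flags as lists, lifetimes as seconds."""
    info = {"subtrees": [], "flags": []}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep or key.startswith("Password for"):
            continue  # bind prompt, or a line with no field
        if key == "Subtree":
            info["subtrees"].append(value.strip())
        elif key == "Ticket flags":
            info["flags"] = value.split()
        elif key in ("Maximum ticket life", "Maximum renewable life"):
            info[key] = parse_life(value)
        else:
            info[key] = value.strip()
    return info


def audit(info, max_tkt=10 * 3600, max_renew=7 * 86400):
    """Findings: lifetimes above the limits (defaults 10 h / 7 d) or unrestricted forwarding."""
    findings = []
    if info.get("Maximum ticket life", 0) > max_tkt:
        findings.append("ticket life above limit")
    if info.get("Maximum renewable life", 0) > max_renew:
        findings.append("renewable life above limit")
    if "DISALLOW_FORWARDABLE" not in info["flags"]:
        findings.append("forwardable tickets not restricted; review delegation needs")
    return findings


# Constructed sample: the `view -r ATHENA.MIT.EDU` output shown on this page.
SAMPLE = """\
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""
```

Feeding the tool's output through ``parse_view`` and ``audit`` from a cron job gives a cheap drift check against the lifetimes and flags an organisation has decided on.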
.. _kdb5_ldap_util_view_policy_end:

.. _kdb5_ldap_util_destroy_policy:

Destroys an existing ticket policy. Options:

Specifies the Kerberos realm of the database.

Forces the deletion of the policy object. If not specified, the
user will be prompted for confirmation before deleting the policy.

Specifies the name of the ticket policy.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
    destroy_policy -r ATHENA.MIT.EDU tktpolicy
    Password for "cn=admin,o=org":
    This will delete the policy object 'tktpolicy', are you sure?
    (type 'yes' to confirm)? yes
    ** policy object 'tktpolicy' deleted.

.. _kdb5_ldap_util_destroy_policy_end:

.. _kdb5_ldap_util_list_policy:

Lists the ticket policies in the realm if specified or in the default

Specifies the Kerberos realm of the database.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
    list_policy -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_list_policy_end: