1 .\" Man page generated from reStructuredText.
3 .TH "KDB5_LDAP_UTIL" "8" " " "1.15.2" "MIT Kerberos"
5 kdb5_ldap_util \- Kerberos configuration utility
7 .nr rst2man-indent-level 0
11 level \\n[rst2man-indent-level]
12 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
19 .\" .rstReportMargin pre:
21 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
22 . nr rst2man-indent-level +1
23 .\" .rstReportMargin post:
27 .\" indent \\n[an-margin]
28 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
29 .nr rst2man-indent-level -1
30 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
31 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
36 [\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]]
37 [\fB\-H\fP \fIldapuri\fP]
39 [\fIcommand_options\fP]
42 kdb5_ldap_util allows an administrator to manage realms, Kerberos
43 services and ticket policies.
44 .SH COMMAND-LINE OPTIONS
47 .B \fB\-D\fP \fIuser_dn\fP
48 Specifies the Distinguished Name (DN) of the user who has
49 sufficient rights to perform the operation on the LDAP server.
51 .B \fB\-w\fP \fIpasswd\fP
52 Specifies the password of \fIuser_dn\fP\&. This option is not
55 .B \fB\-H\fP \fIldapuri\fP
56 Specifies the URI of the LDAP server. It is recommended to use
57 \fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server.
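The following wrapper is an added example, not part of MIT Kerberos or of this page. It checks an invocation before it is run: a plain ldap:// URI is refused because the \fB\-D\fP bind password would cross the network in the clear (the reason the page recommends ldapi:// or ldaps://), and \fB\-w\fP or \fB\-P\fP on the command line is refused because the password would be visible in the process list and in shell history; the page's own examples show the tool prompting for both when they are omitted. The function names are assumptions, and the command is printed rather than executed so it can be tried without an LDAP server.

```shell
#!/bin/sh
# Added example (not MIT Kerberos code): pre-flight checks for a
# kdb5_ldap_util command line. Function names are assumptions.

# Return 0 (true) if the LDAP URI uses a scheme that protects the bind
# credentials: ldapi:// is a local Unix-domain socket, ldaps:// is TLS.
# Plain ldap:// would send the -D bind password unencrypted, so it is rejected.
ldap_uri_is_safe() {
    case "$1" in
        ldapi://*|ldaps://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) if any argument is -w or -P. Both put a password on the
# command line, where it shows up in the process table and shell history.
# Omit them and let the tool prompt, or use -sf with a protected stash file.
args_have_cli_password() {
    for a in "$@"; do
        case "$a" in
            -w|-P) return 0 ;;
        esac
    done
    return 1
}

# Build the command line after checking it, printing it on stdout.
# Usage: safe_kdb5_ldap_util_cmd USER_DN LDAPURI COMMAND [command_options...]
safe_kdb5_ldap_util_cmd() {
    user_dn=$1; ldapuri=$2; shift 2
    if ! ldap_uri_is_safe "$ldapuri"; then
        echo "refusing unprotected LDAP URI: $ldapuri (use ldapi:// or ldaps://)" >&2
        return 1
    fi
    if args_have_cli_password "$@"; then
        echo "refusing a password on the command line (-w/-P); let the tool prompt" >&2
        return 1
    fi
    printf 'kdb5_ldap_util -D %s -H %s' "$user_dn" "$ldapuri"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# Dry run with the DN, server and realm used in the page's examples.
safe_kdb5_ldap_util_cmd cn=admin,o=org ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU
```

The wrapper only checks the bind transport and the argument list; it says nothing about the LDAP server's certificate, which ldaps:// still requires the client to validate.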
64 [\fB\-subtrees\fP \fIsubtree_dn_list\fP]
65 [\fB\-sscope\fP \fIsearch_scope\fP]
66 [\fB\-containerref\fP \fIcontainer_reference_dn\fP]
67 [\fB\-k\fP \fImkeytype\fP]
68 [\fB\-kv\fP \fImkeyVNO\fP]
69 [\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP]
71 [\fB\-r\fP \fIrealm\fP]
72 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
73 [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
78 Creates realm in directory. Options:
81 .B \fB\-subtrees\fP \fIsubtree_dn_list\fP
82 Specifies the list of subtrees containing the principals of a
83 realm. The list contains the DNs of the subtree objects separated
86 .B \fB\-sscope\fP \fIsearch_scope\fP
87 Specifies the scope for searching the principals under the
88 subtree. The possible values are 1 or one (one level), 2 or sub
91 .B \fB\-containerref\fP \fIcontainer_reference_dn\fP
92 Specifies the DN of the container object in which the principals
93 of a realm will be created. If the container reference is not
94 configured for a realm, the principals will be created in the
97 .B \fB\-k\fP \fImkeytype\fP
98 Specifies the key type of the master key in the database. The
99 default is given by the \fBmaster_key_type\fP variable in
102 .B \fB\-kv\fP \fImkeyVNO\fP
103 Specifies the version number of the master key in the database;
104 the default is 1. Note that 0 is not allowed.
107 Specifies that the master database password should be read from
108 the TTY rather than fetched from a file on the disk.
110 .B \fB\-P\fP \fIpassword\fP
111 Specifies the master database password. This option is not
114 .B \fB\-r\fP \fIrealm\fP
115 Specifies the Kerberos realm of the database.
117 .B \fB\-sf\fP \fIstashfilename\fP
118 Specifies the stash file of the master database password.
121 Specifies that the stash file is to be created.
123 .B \fB\-maxtktlife\fP \fImax_ticket_life\fP
124 (\fIgetdate\fP string) Specifies maximum ticket life for
125 principals in this realm.
127 .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
128 (\fIgetdate\fP string) Specifies maximum renewable life of
129 tickets for principals in this realm.
131 .B \fIticket_flags\fP
132 Specifies global ticket flags for the realm. Allowable flags are
133 documented in the description of the \fBadd_principal\fP command in
143 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
144 create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU
145 Password for "cn=admin,o=org":
146 Initializing database for realm \(aqATHENA.MIT.EDU\(aq
147 You will be prompted for the database Master Password.
148 It is important that you NOT FORGET this password.
149 Enter KDC database master key:
150 Re\-enter KDC database master key to verify:
159 [\fB\-subtrees\fP \fIsubtree_dn_list\fP]
160 [\fB\-sscope\fP \fIsearch_scope\fP]
161 [\fB\-containerref\fP \fIcontainer_reference_dn\fP]
162 [\fB\-r\fP \fIrealm\fP]
163 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
164 [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
169 Modifies the attributes of a realm. Options:
172 .B \fB\-subtrees\fP \fIsubtree_dn_list\fP
173 Specifies the list of subtrees containing the principals of a
174 realm. The list contains the DNs of the subtree objects separated
175 by colon (\fB:\fP). This list replaces the existing list.
177 .B \fB\-sscope\fP \fIsearch_scope\fP
178 Specifies the scope for searching the principals under the
179 subtrees. The possible values are 1 or one (one level), 2 or sub
182 .B \fB\-containerref\fP \fIcontainer_reference_dn\fP
Specifies the DN of the
183 container object in which the principals of a realm will be
186 .B \fB\-r\fP \fIrealm\fP
187 Specifies the Kerberos realm of the database.
189 .B \fB\-maxtktlife\fP \fImax_ticket_life\fP
190 (\fIgetdate\fP string) Specifies maximum ticket life for
191 principals in this realm.
193 .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
194 (\fIgetdate\fP string) Specifies maximum renewable life of
195 tickets for principals in this realm.
197 .B \fIticket_flags\fP
198 Specifies global ticket flags for the realm. Allowable flags are
199 documented in the description of the \fBadd_principal\fP command in
209 shell% kdb5_ldap_util \-D cn=admin,o=org \-H
210 ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r
212 Password for "cn=admin,o=org":
221 \fBview\fP [\fB\-r\fP \fIrealm\fP]
225 Displays the attributes of a realm. Options:
228 .B \fB\-r\fP \fIrealm\fP
229 Specifies the Kerberos realm of the database.
238 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
239 view \-r ATHENA.MIT.EDU
240 Password for "cn=admin,o=org":
241 Realm Name: ATHENA.MIT.EDU
242 Subtree: ou=users,o=org
243 Subtree: ou=servers,o=org
245 Maximum ticket life: 0 days 01:00:00
246 Maximum renewable life: 0 days 10:00:00
247 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
255 \fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP]
259 Destroys an existing realm. Options:
263 If specified, will not prompt the user for confirmation.
265 .B \fB\-r\fP \fIrealm\fP
266 Specifies the Kerberos realm of the database.
275 shell% kdb5_ldap_util \-D cn=admin,o=org \-H
276 ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU
277 Password for "cn=admin,o=org":
278 Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure?
279 (type \(aqyes\(aq to confirm)? yes
280 OK, deleting database of \(aqATHENA.MIT.EDU\(aq...
293 Lists the names of the realms.
301 shell% kdb5_ldap_util \-D cn=admin,o=org \-H
302 ldaps://ldap\-server1.mit.edu list
303 Password for "cn=admin,o=org":
316 [\fB\-f\fP \fIfilename\fP]
321 Allows an administrator to store the password for the service object in a
322 file so that the KDC and Administration server can use it to authenticate
323 to the LDAP server. Options:
326 .B \fB\-f\fP \fIfilename\fP
327 Specifies the complete path of the service password file. By
328 default, \fB/usr/local/var/service_passwd\fP is used.
331 Specifies the name of the object whose password is to be stored.
332 If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for
333 simple binding, this should be the distinguished name it will
334 use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
335 variable in \fIkdc.conf(5)\fP\&. If the KDC or kadmind is
336 configured for SASL binding, this should be the authentication
337 name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
338 \fBldap_kadmind_sasl_authcid\fP variable.
347 kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile
348 cn=service\-kdc,o=org
349 Password for "cn=service\-kdc,o=org":
350 Re\-enter password for "cn=service\-kdc,o=org":
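The service password file holds a bind password the KDC and kadmind read at startup, so its permissions matter as much as its content. The checks below are an added example and not part of MIT Kerberos: they verify that the file is a regular file readable only by its owner and that it holds an entry for the object name that \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP names. The function names, the sample file and the assumption that each entry begins with the object name followed by a \fB#\fP separator (the page does not document the file layout) are all mine.

```shell
#!/bin/sh
# Added example (not MIT Kerberos code): sanity checks for the file written
# by 'kdb5_ldap_util stashsrvpw'. Function names are assumptions.

# Return 0 if FILE is a regular file with no group or world permission bits,
# i.e. mode 0600 or stricter, which is what a stored bind password needs.
service_passwd_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # Columns 5-10 of 'ls -l' output are the group and other permission bits.
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if FILE contains an entry for NAME.
# Assumption: one entry per line, beginning with the object name and '#'.
service_passwd_has_entry() {
    grep -q -F -- "$2#" "$1"
}

# Usage: check_service_passwd FILE NAME
# NAME is the DN (simple bind) or authcid (SASL bind) from kdc.conf.
check_service_passwd() {
    f=$1; name=$2
    if ! service_passwd_mode_ok "$f"; then
        echo "$f: must be a regular file with mode 0600 or stricter" >&2
        return 1
    fi
    if ! service_passwd_has_entry "$f" "$name"; then
        echo "$f: no entry for $name; run: kdb5_ldap_util stashsrvpw -f $f $name" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed file (the entry value is made up).
demo=$(mktemp)
printf 'cn=service-kdc,o=org#deadbeef\n' > "$demo"
chmod 600 "$demo"
check_service_passwd "$demo" cn=service-kdc,o=org && echo "ok: $demo"
rm -f "$demo"
```

Run the check against the path given with \fB\-f\fP (or the default \fB/usr/local/var/service_passwd\fP) as part of KDC deployment, since the tool itself does not refuse to work with a world-readable file.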
359 [\fB\-r\fP \fIrealm\fP]
360 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
361 [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
367 Creates a ticket policy in the directory. Options:
370 .B \fB\-r\fP \fIrealm\fP
371 Specifies the Kerberos realm of the database.
373 .B \fB\-maxtktlife\fP \fImax_ticket_life\fP
374 (\fIgetdate\fP string) Specifies maximum ticket life for
377 .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
378 (\fIgetdate\fP string) Specifies maximum renewable life of
379 tickets for principals.
381 .B \fIticket_flags\fP
382 Specifies the ticket flags. If this option is not specified, by
383 default, no restriction will be set by the policy. Allowable
384 flags are documented in the description of the \fBadd_principal\fP
385 command in \fIkadmin(1)\fP\&.
388 Specifies the name of the ticket policy.
397 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
398 create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day"
399 \-maxrenewlife "1 week" \-allow_postdated +needchange
400 \-allow_forwardable tktpolicy
401 Password for "cn=admin,o=org":
410 [\fB\-r\fP \fIrealm\fP]
411 [\fB\-maxtktlife\fP \fImax_ticket_life\fP]
412 [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
418 Modifies the attributes of a ticket policy. Options are same as for
419 \fBcreate_policy\fP\&.
427 kdb5_ldap_util \-D cn=admin,o=org \-H
428 ldaps://ldap\-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU
429 \-maxtktlife "60 minutes" \-maxrenewlife "10 hours"
430 +allow_postdated \-requires_preauth tktpolicy
431 Password for "cn=admin,o=org":
440 [\fB\-r\fP \fIrealm\fP]
445 Displays the attributes of a ticket policy. Options:
449 Specifies the name of the ticket policy.
458 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
459 view_policy \-r ATHENA.MIT.EDU tktpolicy
460 Password for "cn=admin,o=org":
461 Ticket policy: tktpolicy
462 Maximum ticket life: 0 days 01:00:00
463 Maximum renewable life: 0 days 10:00:00
464 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
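The \fBview\fP and \fBview_policy\fP output shown above is the natural input for a periodic audit of realm and policy settings. The script below is an added example, not part of MIT Kerberos: it parses the lifetimes and the ticket-flag line as printed by the tool and reports anything outside a baseline. The baseline values, the function names and the sample output are assumptions; the flag name tested for is passed in by the caller, since the page only shows DISALLOW_FORWARDABLE and REQUIRES_PWCHANGE (other flags are assumed to follow the same KRB5_KDB_* naming).

```shell
#!/bin/sh
# Added example (not MIT Kerberos code): audit 'kdb5_ldap_util view' or
# 'view_policy' output against a baseline. Names and thresholds are assumed.

# Convert a lifetime as printed by the tool ("0 days 10:00:00", "1 day 00:00:00")
# into seconds. Prints the number; returns 1 if the text does not match.
lifetime_to_seconds() {
    set -- $1                      # split into: days, "day"/"days", HH:MM:SS
    [ "$#" -eq 3 ] || return 1
    days=$1; hms=$3
    h=${hms%%:*}; rest=${hms#*:}; m=${rest%%:*}; s=${rest#*:}
    # ${x#0} drops one leading zero so "08" is not read as an octal number.
    echo $(( days * 86400 + ${h#0} * 3600 + ${m#0} * 60 + ${s#0} ))
}

# Baseline for this example (assumed values, not from the page).
MAX_TKT_LIFE_SECONDS=$(( 10 * 3600 ))    # 10 hours
MAX_RENEW_LIFE_SECONDS=$(( 7 * 86400 ))  # 7 days

# Usage: audit_view_output REQUIRED_FLAG < output-of-view
# Prints one finding per line; returns 0 only if the output meets the baseline.
audit_view_output() {
    required_flag=$1
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "Maximum ticket life: "*)
                secs=$(lifetime_to_seconds "${line#"Maximum ticket life: "}") \
                    || { echo "unparsable: $line"; rc=1; continue; }
                [ "$secs" -le "$MAX_TKT_LIFE_SECONDS" ] \
                    || { echo "ticket life ${secs}s exceeds ${MAX_TKT_LIFE_SECONDS}s"; rc=1; }
                ;;
            "Maximum renewable life: "*)
                secs=$(lifetime_to_seconds "${line#"Maximum renewable life: "}") \
                    || { echo "unparsable: $line"; rc=1; continue; }
                [ "$secs" -le "$MAX_RENEW_LIFE_SECONDS" ] \
                    || { echo "renewable life ${secs}s exceeds ${MAX_RENEW_LIFE_SECONDS}s"; rc=1; }
                ;;
            "Ticket flags: "*)
                # Surround with spaces so a flag name matches only as a whole word.
                case " ${line#"Ticket flags: "} " in
                    *" $required_flag "*) ;;
                    *) echo "$required_flag not set"; rc=1 ;;
                esac
                ;;
        esac
    done
    return "$rc"
}

# Demonstration on output constructed from the page's view example; it fails
# the audit because REQUIRES_PRE_AUTH is not among the flags.
printf 'Realm Name: ATHENA.MIT.EDU\nMaximum ticket life: 0 days 01:00:00\nMaximum renewable life: 0 days 10:00:00\nTicket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE\n' \
    | audit_view_output REQUIRES_PRE_AUTH || echo "audit: findings above"
```

In use, pipe the tool's output in, e.g. \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU | audit_view_output REQUIRES_PRE_AUTH\fP; the password prompt goes to the terminal, not the pipe.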
473 [\fB\-r\fP \fIrealm\fP]
479 Destroys an existing ticket policy. Options:
482 .B \fB\-r\fP \fIrealm\fP
483 Specifies the Kerberos realm of the database.
486 Forces the deletion of the policy object. If not specified, the
487 user will be prompted for confirmation before deleting the policy.
490 Specifies the name of the ticket policy.
499 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
500 destroy_policy \-r ATHENA.MIT.EDU tktpolicy
501 Password for "cn=admin,o=org":
502 This will delete the policy object \(aqtktpolicy\(aq, are you sure?
503 (type \(aqyes\(aq to confirm)? yes
504 ** policy object \(aqtktpolicy\(aq deleted.
513 [\fB\-r\fP \fIrealm\fP]
517 Lists the ticket policies in realm if specified or in the default
521 .B \fB\-r\fP \fIrealm\fP
522 Specifies the Kerberos realm of the database.
531 kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
532 list_policy \-r ATHENA.MIT.EDU
533 Password for "cn=admin,o=org":
548 .\" Generated by docutils manpage writer.