[platform/upstream/krb5.git] / src / man / kdb5_ldap_util.man

.\" Man page generated from reStructuredText.
.
.TH "KDB5_LDAP_UTIL" "8" " " "1.15.2" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.sp
\fBkdb5_ldap_util\fP
[\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]]
[\fB\-H\fP \fIldapuri\fP]
\fBcommand\fP
[\fIcommand_options\fP]
.SH DESCRIPTION
.sp
kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.
.SH COMMAND-LINE OPTIONS
.INDENT 0.0
.TP
.B \fB\-D\fP \fIuser_dn\fP
Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.
.TP
.B \fB\-w\fP \fIpasswd\fP
Specifies the password of \fIuser_dn\fP\&.  This option is not
recommended.
.TP
.B \fB\-H\fP \fIldapuri\fP
Specifies the URI of the LDAP server.  It is recommended to use
\fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server.
.UNINDENT
.SH COMMANDS
.SS create
.INDENT 0.0
.INDENT 3.5
\fBcreate\fP
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
[\fB\-sscope\fP \fIsearch_scope\fP]
[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
[\fB\-k\fP \fImkeytype\fP]
[\fB\-kv\fP \fImkeyVNO\fP]
[\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP]
[\fB\-s\fP]
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
.UNINDENT
.UNINDENT
.sp
Creates realm in directory. Options:
.INDENT 0.0
.TP
.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
Specifies the list of subtrees containing the principals of a
realm.  The list contains the DNs of the subtree objects separated
by colon (\fB:\fP).
.TP
.B \fB\-sscope\fP \fIsearch_scope\fP
Specifies the scope for searching the principals under the
subtree.  The possible values are 1 or one (one level), 2 or sub
(subtrees).
.TP
.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
Specifies the DN of the container object in which the principals
of a realm will be created.  If the container reference is not
configured for a realm, the principals will be created in the
realm container.
.TP
.B \fB\-k\fP \fImkeytype\fP
Specifies the key type of the master key in the database.  The
default is given by the \fBmaster_key_type\fP variable in
\fIkdc.conf(5)\fP\&.
.TP
.B \fB\-kv\fP \fImkeyVNO\fP
Specifies the version number of the master key in the database;
the default is 1.  Note that 0 is not allowed.
.TP
.B \fB\-m\fP
Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.
.TP
.B \fB\-P\fP \fIpassword\fP
Specifies the master database password. This option is not
recommended.
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
.B \fB\-sf\fP \fIstashfilename\fP
Specifies the stash file of the master database password.
.TP
.B \fB\-s\fP
Specifies that the stash file is to be created.
.TP
.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
(\fIgetdate\fP string) Specifies maximum ticket life for
principals in this realm.
.TP
.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
(\fIgetdate\fP string) Specifies maximum renewable life of
tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
Specifies global ticket flags for the realm.  Allowable flags are
documented in the description of the \fBadd_principal\fP command in
\fIkadmin(1)\fP\&.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Initializing database for realm \(aqATHENA.MIT.EDU\(aq
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re\-enter KDC database master key to verify:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS modify
.INDENT 0.0
.INDENT 3.5
\fBmodify\fP
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
[\fB\-sscope\fP \fIsearch_scope\fP]
[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
.UNINDENT
.UNINDENT
.sp
Modifies the attributes of a realm.  Options:
.INDENT 0.0
.TP
.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
Specifies the list of subtrees containing the principals of a
realm.  The list contains the DNs of the subtree objects separated
by colon (\fB:\fP).  This list replaces the existing list.
.TP
.B \fB\-sscope\fP \fIsearch_scope\fP
Specifies the scope for searching the principals under the
subtrees.  The possible values are 1 or one (one level), 2 or sub
(subtrees).
.TP
.B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
container object in which the principals of a realm will be
created.
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
(\fIgetdate\fP string) Specifies maximum ticket life for
principals in this realm.
.TP
.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
(\fIgetdate\fP string) Specifies maximum renewable life of
tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
Specifies global ticket flags for the realm.  Allowable flags are
documented in the description of the \fBadd_principal\fP command in
\fIkadmin(1)\fP\&.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
shell% kdb5_ldap_util \-D cn=admin,o=org \-H
    ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r
    ATHENA.MIT.EDU
Password for "cn=admin,o=org":
shell%
.ft P
.fi
.UNINDENT
.UNINDENT
.SS view
.INDENT 0.0
.INDENT 3.5
\fBview\fP [\fB\-r\fP \fIrealm\fP]
.UNINDENT
.UNINDENT
.sp
Displays the attributes of a realm.  Options:
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    view \-r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.ft P
.fi
.UNINDENT
.UNINDENT
.SS destroy
.INDENT 0.0
.INDENT 3.5
\fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP]
.UNINDENT
.UNINDENT
.sp
Destroys an existing realm. Options:
.INDENT 0.0
.TP
.B \fB\-f\fP
If specified, will not prompt the user for confirmation.
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
shell% kdb5_ldap_util \-D cn=admin,o=org \-H
    ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure?
(type \(aqyes\(aq to confirm)? yes
OK, deleting database of \(aqATHENA.MIT.EDU\(aq...
shell%
.ft P
.fi
.UNINDENT
.UNINDENT
.SS list
.INDENT 0.0
.INDENT 3.5
\fBlist\fP
.UNINDENT
.UNINDENT
.sp
Lists the name of realms.
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
shell% kdb5_ldap_util \-D cn=admin,o=org \-H
    ldaps://ldap\-server1.mit.edu list
Password for "cn=admin,o=org":
ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA\-LAB.MIT.EDU
shell%
.ft P
.fi
.UNINDENT
.UNINDENT
.SS stashsrvpw
.INDENT 0.0
.INDENT 3.5
\fBstashsrvpw\fP
[\fB\-f\fP \fIfilename\fP]
\fIname\fP
.UNINDENT
.UNINDENT
.sp
Allows an administrator to store the password for service object in a
file so that KDC and Administration server can use it to authenticate
to the LDAP server.  Options:
.INDENT 0.0
.TP
.B \fB\-f\fP \fIfilename\fP
Specifies the complete path of the service password file. By
default, \fB/usr/local/var/service_passwd\fP is used.
.TP
.B \fIname\fP
Specifies the name of the object whose password is to be stored.
If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for
simple binding, this should be the distinguished name it will
use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
variable in \fIkdc.conf(5)\fP\&.  If the KDC or kadmind is
configured for SASL binding, this should be the authentication
name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
\fBldap_kadmind_sasl_authcid\fP variable.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile
    cn=service\-kdc,o=org
Password for "cn=service\-kdc,o=org":
Re\-enter password for "cn=service\-kdc,o=org":
.ft P
.fi
.UNINDENT
.UNINDENT
.SS create_policy
.INDENT 0.0
.INDENT 3.5
\fBcreate_policy\fP
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
\fIpolicy_name\fP
.UNINDENT
.UNINDENT
.sp
Creates a ticket policy in the directory.  Options:
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
(\fIgetdate\fP string) Specifies maximum ticket life for
principals.
.TP
.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
(\fIgetdate\fP string) Specifies maximum renewable life of
tickets for principals.
.TP
.B \fIticket_flags\fP
Specifies the ticket flags.  If this option is not specified, by
default, no restriction will be set by the policy.  Allowable
flags are documented in the description of the \fBadd_principal\fP
command in \fIkadmin(1)\fP\&.
.TP
.B \fIpolicy_name\fP
Specifies the name of the ticket policy.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day"
    \-maxrenewlife "1 week" \-allow_postdated +needchange
    \-allow_forwardable tktpolicy
Password for "cn=admin,o=org":
.ft P
.fi
.UNINDENT
.UNINDENT
.SS modify_policy
.INDENT 0.0
.INDENT 3.5
\fBmodify_policy\fP
[\fB\-r\fP \fIrealm\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
\fIpolicy_name\fP
.UNINDENT
.UNINDENT
.sp
Modifies the attributes of a ticket policy.  Options are same as for
\fBcreate_policy\fP\&.
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kdb5_ldap_util \-D cn=admin,o=org \-H
    ldaps://ldap\-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU
    \-maxtktlife "60 minutes" \-maxrenewlife "10 hours"
    +allow_postdated \-requires_preauth tktpolicy
Password for "cn=admin,o=org":
.ft P
.fi
.UNINDENT
.UNINDENT
.SS view_policy
.INDENT 0.0
.INDENT 3.5
\fBview_policy\fP
[\fB\-r\fP \fIrealm\fP]
\fIpolicy_name\fP
.UNINDENT
.UNINDENT
.sp
Displays the attributes of a ticket policy.  Options:
.INDENT 0.0
.TP
.B \fIpolicy_name\fP
Specifies the name of the ticket policy.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    view_policy \-r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.ft P
.fi
.UNINDENT
.UNINDENT
.SS destroy_policy
.INDENT 0.0
.INDENT 3.5
\fBdestroy_policy\fP
[\fB\-r\fP \fIrealm\fP]
[\fB\-force\fP]
\fIpolicy_name\fP
.UNINDENT
.UNINDENT
.sp
Destroys an existing ticket policy.  Options:
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.TP
.B \fB\-force\fP
Forces the deletion of the policy object.  If not specified, the
user will be prompted for confirmation before deleting the policy.
.TP
.B \fIpolicy_name\fP
Specifies the name of the ticket policy.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    destroy_policy \-r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
This will delete the policy object \(aqtktpolicy\(aq, are you sure?
(type \(aqyes\(aq to confirm)? yes
** policy object \(aqtktpolicy\(aq deleted.
.ft P
.fi
.UNINDENT
.UNINDENT
.SS list_policy
.INDENT 0.0
.INDENT 3.5
\fBlist_policy\fP
[\fB\-r\fP \fIrealm\fP]
.UNINDENT
.UNINDENT
.sp
Lists the ticket policies in realm if specified or in the default
realm.  Options:
.INDENT 0.0
.TP
.B \fB\-r\fP \fIrealm\fP
Specifies the Kerberos realm of the database.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    list_policy \-r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
tktpolicy
tmppolicy
userpolicy
.ft P
.fi
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
\fIkadmin(1)\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2017, MIT
.\" Generated by docutils manpage writer.
.