Manpages - kdb5_ldap_util.8
Table of Contents
NAME
kdb5_ldap_util - Kerberos configuration utility
SYNOPSIS
kdb5_ldap_util [*-D* user_dn [*-w* /passwd/]] [*-H* /ldapuri/] command [/command_options/]
DESCRIPTION
kdb5_ldap_util allows an administrator to manage realms, Kerberos services and ticket policies.
COMMAND-LINE OPTIONS
- -r realm
- Specifies the realm to be operated on.
- -D user_dn
- Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server.
- -w passwd
- Specifies the password of user_dn. This option is not recommended.
- -H ldapuri
- Specifies the URI of the LDAP server.
By default, kdb5_ldap_util operates on the default realm (as specified in krb5.conf(5)) and connects and authenticates to the LDAP server in the same manner as :ref:kadmind(8)` would given the parameters in dbdefaults in kdc.conf(5).
COMMANDS
create
#+begin_quote create [*-subtrees* /subtree_dn_list/] [*-sscope* /search_scope/] [*-containerref* /container_reference_dn/] [*-k* /mkeytype/] [*-kv* /mkeyVNO/] [*-M* /mkeyname/] [*-m|-P* /password/|*-sf* /stashfilename/] [*-s*] [*-maxtktlife* /max_ticket_life/] [*-maxrenewlife* /max_renewable_ticket_life/] [/ticket_flags/]
#+end_quote
Creates realm in directory. Options:
- -subtrees subtree_dn_list
- Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (:).
- -sscope search_scope
- Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees).
- -containerref container_reference_dn
- Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container.
- -k mkeytype
- Specifies the key type of the master key in the database. The default is given by the master_key_type variable in kdc.conf(5).
- -kv mkeyVNO
- Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed.
- -M mkeyname
- Specifies the principal name for the master key in the database. If not specified, the name is determined by the master_key_name variable in kdc.conf(5).
- -m
- Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk.
- -P password
- Specifies the master database password. This option is not recommended.
- -sf stashfilename
- Specifies the stash file of the master database password.
- -s
- Specifies that the stash file is to be created.
- -maxtktlife max_ticket_life
- (getdate string) Specifies maximum ticket life for principals in this realm.
- -maxrenewlife max_renewable_ticket_life
- (getdate string) Specifies maximum renewable life of tickets for principals in this realm.
- ticket_flags
- Specifies global ticket flags for the realm. Allowable flags are documented in the description of the add_principal command in kadmin(1).
Example:
#+begin_quote
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB Password for "cn=admin,o=org": Initializing database for realm 'ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify:
#+end_quote
modify
#+begin_quote modify [*-subtrees* /subtree_dn_list/] [*-sscope* /search_scope/] [*-containerref* /container_reference_dn/] [*-maxtktlife* /max_ticket_life/] [*-maxrenewlife* /max_renewable_ticket_life/] [/ticket_flags/]
#+end_quote
Modifies the attributes of a realm. Options:
- -subtrees subtree_dn_list
- Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (:). This list replaces the existing list.
- -sscope search_scope
- Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees).
- (no term)
- -containerref container_reference_dn Specifies the DN of the :: container object in which the principals of a realm will be created.
- -maxtktlife max_ticket_life
- (getdate string) Specifies maximum ticket life for principals in this realm.
- -maxrenewlife max_renewable_ticket_life
- (getdate string) Specifies maximum renewable life of tickets for principals in this realm.
- ticket_flags
- Specifies global ticket flags for the realm. Allowable flags are documented in the description of the add_principal command in kadmin(1).
Example:
#+begin_quote
shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth Password for "cn=admin,o=org": shell%
#+end_quote
view
#+begin_quote view
#+end_quote
Displays the attributes of a realm.
Example:
#+begin_quote
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU view Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU Subtree: ou=users,o=org Subtree: ou=servers,o=org SearchScope: ONE Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
#+end_quote
destroy
#+begin_quote destroy [*-f*]
#+end_quote
Destroys an existing realm. Options:
- -f
- If specified, will not prompt the user for confirmation.
Example:
#+begin_quote
shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy Password for "cn=admin,o=org": Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? (type 'yes' to confirm)? yes OK, deleting database of 'ATHENA.MIT.EDU'... shell%
#+end_quote
list
#+begin_quote list
#+end_quote
Lists the names of realms under the container.
Example:
#+begin_quote
shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list Password for "cn=admin,o=org": ATHENA.MIT.EDU OPENLDAP.MIT.EDU MEDIA-LAB.MIT.EDU shell%
#+end_quote
stashsrvpw
#+begin_quote stashsrvpw [*-f* filename/] /name
#+end_quote
Allows an administrator to store the password for service object in a file so that KDC and Administration server can use it to authenticate to the LDAP server. Options:
- -f filename
- Specifies the complete path of the service password file. By default, /usr/local/var/service_passwd is used.
- name
- Specifies the name of the object whose password is to be stored. If krb5kdc(8) or kadmind(8) are configured for simple binding, this should be the distinguished name it will use as given by the ldap_kdc_dn or ldap_kadmind_dn variable in kdc.conf(5). If the KDC or kadmind is configured for SASL binding, this should be the authentication name it will use as given by the ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid variable.
Example:
#+begin_quote
kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org Password for "cn=service-kdc,o=org": Re-enter password for "cn=service-kdc,o=org":
#+end_quote
create_policy
#+begin_quote create_policy [*-maxtktlife* max_ticket_life/] [*-maxrenewlife* /max_renewable_ticket_life/] [/ticket_flags/] /policy_name
#+end_quote
Creates a ticket policy in the directory. Options:
- -maxtktlife max_ticket_life
- (getdate string) Specifies maximum ticket life for principals.
- -maxrenewlife max_renewable_ticket_life
- (getdate string) Specifies maximum renewable life of tickets for principals.
- ticket_flags
- Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the add_principal command in kadmin(1).
- policy_name
- Specifies the name of the ticket policy.
Example:
#+begin_quote
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy Password for "cn=admin,o=org":
#+end_quote
modify_policy
#+begin_quote modify_policy [*-maxtktlife* max_ticket_life/] [*-maxrenewlife* /max_renewable_ticket_life/] [/ticket_flags/] /policy_name
#+end_quote
Modifies the attributes of a ticket policy. Options are same as for create_policy.
Example:
#+begin_quote
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy Password for "cn=admin,o=org":
#+end_quote
view_policy
#+begin_quote view_policy policy_name
#+end_quote
Displays the attributes of the named ticket policy.
Example:
#+begin_quote
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU view_policy tktpolicy Password for "cn=admin,o=org": Ticket policy: tktpolicy Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
#+end_quote
destroy_policy
#+begin_quote destroy_policy [*-force*] policy_name
#+end_quote
Destroys an existing ticket policy. Options:
- -force
- Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy.
- policy_name
- Specifies the name of the ticket policy.
Example:
#+begin_quote
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU destroy_policy tktpolicy Password for "cn=admin,o=org": This will delete the policy object 'tktpolicy', are you sure? (type 'yes' to confirm)? yes ** policy object 'tktpolicy' deleted.
#+end_quote
list_policy
#+begin_quote list_policy
#+end_quote
Lists ticket policies.
Example:
#+begin_quote
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU list_policy Password for "cn=admin,o=org": tktpolicy tmppolicy userpolicy
#+end_quote
ENVIRONMENT
See kerberos(7) for a description of Kerberos environment variables.
SEE ALSO
kadmin(1), kerberos(7)
AUTHOR
MIT
COPYRIGHT
1985-2021, MIT