kdb5_ldap_util(8) MIT Kerberos kdb5_ldap_util(8)
NAME
kdb5_ldap_util - Kerberos configuration utility
SYNOPSIS
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command [com-
mand_options]
DESCRIPTION
kdb5_ldap_util allows an administrator to manage realms, Kerberos ser-
vices and ticket policies.
COMMAND-LINE OPTIONS
-r realm
Specifies the realm to be operated on.
-D user_dn
Specifies the Distinguished Name (DN) of the user who has suffi-
cient rights to perform the operation on the LDAP server.
-w passwd
Specifies the password of user_dn. This option is not recom-
mended.
-H ldapuri
Specifies the URI of the LDAP server.
By default, kdb5_ldap_util operates on the default realm (as specified
in krb5.conf(5)) and connects and authenticates to the LDAP server in
the same manner as :ref:kadmind(8)` would given the parameters in dbde-
faults in kdc.conf(5).
COMMANDS
create
create [-subtrees subtree_dn_list] [-sscope search_scope] [-contain-
erref container_reference_dn] [-k mkeytype] [-kv mkeyVNO] [-M mkey-
name] [-m|-P password|-sf stashfilename] [-s] [-maxtktlife
max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
Creates realm in directory. Options:
-subtrees subtree_dn_list
Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects sepa-
rated by colon (:).
-sscope search_scope
Specifies the scope for searching the principals under the sub-
tree. The possible values are 1 or one (one level), 2 or sub
(subtrees).
-containerref container_reference_dn
Specifies the DN of the container object in which the principals
of a realm will be created. If the container reference is not
configured for a realm, the principals will be created in the
realm container.
-k mkeytype
Specifies the key type of the master key in the database. The
default is given by the master_key_type variable in kdc.conf(5).
-kv mkeyVNO
Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.
-M mkeyname
Specifies the principal name for the master key in the database.
If not specified, the name is determined by the master_key_name
variable in kdc.conf(5).
-m Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.
-P password
Specifies the master database password. This option is not rec-
ommended.
-sf stashfilename
Specifies the stash file of the master database password.
-s Specifies that the stash file is to be created.
-maxtktlife max_ticket_life
(getdate string) Specifies maximum ticket life for principals in
this realm.
-maxrenewlife max_renewable_ticket_life
(getdate string) Specifies maximum renewable life of tickets for
principals in this realm.
ticket_flags
Specifies global ticket flags for the realm. Allowable flags
are documented in the description of the add_principal command
in kadmin(1).
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
Password for "cn=admin,o=org":
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
modify
modify [-subtrees subtree_dn_list] [-sscope search_scope] [-contain-
erref container_reference_dn] [-maxtktlife max_ticket_life] [-maxre-
newlife max_renewable_ticket_life] [ticket_flags]
Modifies the attributes of a realm. Options:
-subtrees subtree_dn_list
Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects sepa-
rated by colon (:). This list replaces the existing list.
-sscope search_scope
Specifies the scope for searching the principals under the sub-
trees. The possible values are 1 or one (one level), 2 or sub
(subtrees).
-containerref container_reference_dn Specifies the DN of the
container object in which the principals of a realm will be cre-
ated.
-maxtktlife max_ticket_life
(getdate string) Specifies maximum ticket life for principals in
this realm.
-maxrenewlife max_renewable_ticket_life
(getdate string) Specifies maximum renewable life of tickets for
principals in this realm.
ticket_flags
Specifies global ticket flags for the realm. Allowable flags
are documented in the description of the add_principal command
in kadmin(1).
Example:
shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu modify +requires_preauth
Password for "cn=admin,o=org":
shell%
view
view
Displays the attributes of a realm.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-r ATHENA.MIT.EDU view
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
destroy
destroy [-f]
Destroys an existing realm. Options:
-f If specified, will not prompt the user for confirmation.
Example:
shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu destroy
Password for "cn=admin,o=org":
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...
shell%
list
list
Lists the names of realms under the container.
Example:
shell% kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu list
Password for "cn=admin,o=org":
ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA-LAB.MIT.EDU
shell%
stashsrvpw
stashsrvpw [-f filename] name
Allows an administrator to store the password for service object in a
file so that KDC and Administration server can use it to authenticate
to the LDAP server. Options:
-f filename
Specifies the complete path of the service password file. By
default, /usr/local/var/service_passwd is used.
name Specifies the name of the object whose password is to be stored.
If krb5kdc(8) or kadmind(8) are configured for simple binding,
this should be the distinguished name it will use as given by
the ldap_kdc_dn or ldap_kadmind_dn variable in kdc.conf(5). If
the KDC or kadmind is configured for SASL binding, this should
be the authentication name it will use as given by the
ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid variable.
Example:
kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
cn=service-kdc,o=org
Password for "cn=service-kdc,o=org":
Re-enter password for "cn=service-kdc,o=org":
create_policy
create_policy [-maxtktlife max_ticket_life] [-maxrenewlife
max_renewable_ticket_life] [ticket_flags] policy_name
Creates a ticket policy in the directory. Options:
-maxtktlife max_ticket_life
(getdate string) Specifies maximum ticket life for principals.
-maxrenewlife max_renewable_ticket_life
(getdate string) Specifies maximum renewable life of tickets for
principals.
ticket_flags
Specifies the ticket flags. If this option is not specified, by
default, no restriction will be set by the policy. Allowable
flags are documented in the description of the add_principal
command in kadmin(1).
policy_name
Specifies the name of the ticket policy.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
-maxrenewlife "1 week" -allow_postdated +needchange
-allow_forwardable tktpolicy
Password for "cn=admin,o=org":
modify_policy
modify_policy [-maxtktlife max_ticket_life] [-maxrenewlife
max_renewable_ticket_life] [ticket_flags] policy_name
Modifies the attributes of a ticket policy. Options are same as for
create_policy.
Example:
kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy
-maxtktlife "60 minutes" -maxrenewlife "10 hours"
+allow_postdated -requires_preauth tktpolicy
Password for "cn=admin,o=org":
view_policy
view_policy policy_name
Displays the attributes of the named ticket policy.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-r ATHENA.MIT.EDU view_policy tktpolicy
Password for "cn=admin,o=org":
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
destroy_policy
destroy_policy [-force] policy_name
Destroys an existing ticket policy. Options:
-force Forces the deletion of the policy object. If not specified, the
user will be prompted for confirmation before deleting the pol-
icy.
policy_name
Specifies the name of the ticket policy.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-r ATHENA.MIT.EDU destroy_policy tktpolicy
Password for "cn=admin,o=org":
This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)? yes
** policy object 'tktpolicy' deleted.
list_policy
list_policy
Lists ticket policies.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-r ATHENA.MIT.EDU list_policy
Password for "cn=admin,o=org":
tktpolicy
tmppolicy
userpolicy
ENVIRONMENT
See kerberos(7) for a description of Kerberos environment variables.
SEE ALSO
kadmin(1), kerberos(7)
AUTHOR
MIT
COPYRIGHT
1985-2019, MIT
1.17.1 kdb5_ldap_util(8)
kerberos5 1.17.1 - Generated Sat Jan 4 07:51:14 CST 2020