kdb5_ldap_util¶
SYNOPSIS¶
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command [command_options]
DESCRIPTION¶
kdb5_ldap_util allows an administrator to manage realms, Kerberos services and ticket policies.
COMMAND-LINE OPTIONS¶
- -D user_dn
- Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server.
- -w passwd
- Specifies the password of user_dn. This option is not recommended.
- -H ldapuri
- Specifies the URI of the LDAP server. It is recommended to use ldapi:// or ldaps:// to connect to the LDAP server.
COMMANDS¶
create¶
create [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn] [-k mkeytype] [-kv mkeyVNO] [-m|-P password|-sf stashfilename] [-s] [-r realm] [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life] [ticket_flags]
Creates realm in directory. Options:
- -subtrees subtree_dn_list
- Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (:).
- -sscope search_scope
- Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees).
- -containerref container_reference_dn
- Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container.
- -k mkeytype
- Specifies the key type of the master key in the database. The default is given by the master_key_type variable in kdc.conf.
- -kv mkeyVNO
- Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed.
- -m
- Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk.
- -P password
- Specifies the master database password. This option is not recommended.
- -r realm
- Specifies the Kerberos realm of the database.
- -sf stashfilename
- Specifies the stash file of the master database password.
- -s
- Specifies that the stash file is to be created.
- -maxtktlife max_ticket_life
- (getdate time string) Specifies maximum ticket life for principals in this realm.
- -maxrenewlife max_renewable_ticket_life
- (getdate time string) Specifies maximum renewable life of tickets for principals in this realm.
- ticket_flags
- Specifies global ticket flags for the realm. Allowable flags are documented in the description of the add_principal command in kadmin.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
modify¶
modify [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn] [-r realm] [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life] [ticket_flags]
Modifies the attributes of a realm. Options:
- -subtrees subtree_dn_list
- Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (:). This list replaces the existing list.
- -sscope search_scope
- Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees).
- -containerref container_reference_dn Specifies the DN of the
- container object in which the principals of a realm will be created.
- -r realm
- Specifies the Kerberos realm of the database.
- -maxtktlife max_ticket_life
- (getdate time string) Specifies maximum ticket life for principals in this realm.
- -maxrenewlife max_renewable_ticket_life
- (getdate time string) Specifies maximum renewable life of tickets for principals in this realm.
- ticket_flags
- Specifies global ticket flags for the realm. Allowable flags are documented in the description of the add_principal command in kadmin.
Example:
shell% kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu modify +requires_preauth -r
ATHENA.MIT.EDU
Password for "cn=admin,o=org":
shell%
view¶
view [-r realm]
Displays the attributes of a realm. Options:
- -r realm
- Specifies the Kerberos realm of the database.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
view -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
destroy¶
destroy [-f] [-r realm]
Destroys an existing realm. Options:
- -f
- If specified, will not prompt the user for confirmation.
- -r realm
- Specifies the Kerberos realm of the database.
Example:
shell% kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...
shell%
list¶
list
Lists the name of realms.
Example:
shell% kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu list
Password for "cn=admin,o=org":
ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA-LAB.MIT.EDU
shell%
stashsrvpw¶
stashsrvpw [-f filename] servicedn
Allows an administrator to store the password for service object in a file so that KDC and Administration server can use it to authenticate to the LDAP server. Options:
- -f filename
- Specifies the complete path of the service password file. By default, /usr/local/var/service_passwd is used.
- servicedn
- Specifies Distinguished Name (DN) of the service object whose password is to be stored in file.
Example:
kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
cn=service-kdc,o=org
Password for "cn=service-kdc,o=org":
Re-enter password for "cn=service-kdc,o=org":
create_policy¶
create_policy [-r realm] [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
Creates a ticket policy in the directory. Options:
- -r realm
- Specifies the Kerberos realm of the database.
- -maxtktlife max_ticket_life
- (getdate time string) Specifies maximum ticket life for principals.
- -maxrenewlife max_renewable_ticket_life
- (getdate time string) Specifies maximum renewable life of tickets for principals.
- ticket_flags
- Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the add_principal command in kadmin.
- policy_name
- Specifies the name of the ticket policy.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
-maxrenewlife "1 week" -allow_postdated +needchange
-allow_forwardable tktpolicy
Password for "cn=admin,o=org":
modify_policy¶
modify_policy [-r realm] [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
Modifies the attributes of a ticket policy. Options are same as for create_policy.
Example:
kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
-maxtktlife "60 minutes" -maxrenewlife "10 hours"
+allow_postdated -requires_preauth tktpolicy
Password for "cn=admin,o=org":
view_policy¶
view_policy [-r realm] policy_name
Displays the attributes of a ticket policy. Options:
- policy_name
- Specifies the name of the ticket policy.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
view_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
destroy_policy¶
destroy_policy [-r realm] [-force] policy_name
Destroys an existing ticket policy. Options:
- -r realm
- Specifies the Kerberos realm of the database.
- -force
- Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy.
- policy_name
- Specifies the name of the ticket policy.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
destroy_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)? yes
** policy object 'tktpolicy' deleted.
list_policy¶
list_policy [-r realm]
Lists the ticket policies in realm if specified or in the default realm. Options:
- -r realm
- Specifies the Kerberos realm of the database.
Example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
list_policy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
tktpolicy
tmppolicy
userpolicy