Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎

kdb5_ldap_util


NAME
     kdb5_ldap_util - Kerberos configuration utility

SYNOPSIS
     kdb5_ldap_util  [-D user_dn [-w passwd]] [-H ldap_uri] command
         [command_options]


DESCRIPTION
     The kdb5_ldap_util utility allows an administrator to manage
     realms,  Kerberos services, and ticket policies. The utility
     offers a set of general options,  described  under  OPTIONS,
     and  a  set  of  commands,  which,  in  turn, have their own
     options. Commands and their options are described  in  their
     own subsections, below.

OPTIONS
     kdb5_ldap_util has a small set of general options that apply
     to  the kdb5_ldap_util utility itself and a larger number of
     options that apply to specific commands. A number  of  these
     command-specific  options apply to multiple commands and are
     described in their own section, below.

  General Options
     The following general options are supported:

     -D user_dn

         Specifies the distinguished name (DN) of a user who  has
         sufficient  rights  to perform the operation on the LDAP
         server.


     -H ldap_uri

         Specifies the URI of the LDAP server.


     -w passwd

         Specifies the password of user_dn. This  option  is  not
         recommended.


  Common Command-specific Options
     The following options apply to a  number  of  kdb5_ldap_util
     commands.

     -subtrees subtree_dn_list

         Specifies the list of subtrees containing the principals
         of  a  realm.  The  list contains the DNs of the subtree
         objects separated by a colon.


     -sscope search_scope

         Specifies the scope for searching the principals under a
         subtree. The possible values are 1 or one (one level), 2
         or sub (subtrees).


     -containerref container_reference_dn

         Specifies the DN of the container object  in  which  the
         principals  of a realm will be created. If the container
         reference is not configured for a realm, the  principals
         will be created in the realm container.


     -maxtktlife max_ticket_life

         Specifies maximum ticket life  for  principals  in  this
         realm.


     -maxrenewlife max_renewable_ticket_life

         Specifies maximum renewable life of tickets for  princi-
         pals in this realm.


     -r realm

         Specifies the Kerberos realm of the database; by default
         the  realm  returned  by  krb5_default_local_realm(3) is
         used.


kdb5_ldap_util COMMANDS
     The kdb5_ldap_util utility comprises a set of commands, each
     with its own set of options. These commands are described in
     the following subsections.

  The create Command
     The create command creates a realm in a directory. The  com-
     mand has the following syntax:

       create \
       [-subtrees subtree_dn_list]
       [-sscope search_scope]
       [-containerref container_reference_dn]
       [-k mkeytype]
       [-m|-P password| -sf stashfilename]
       [-s]
       [-r realm]
       [-maxtktlife max_ticket_life]
       [-kdcdn kdc_service_list]
       [-admindn admin_service_list]
       [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]




     The create command has the following options:

     -subtree subtree_dn_list

         See "Common Command-specific Options," above.


     -sscope search_scope

         See "Common Command-specific Options," above.


     -containerref container_reference_dn

         See "Common Command-specific Options," above.


     -k mkeytype

         Specifies the key type of the master key  in  the  data-
         base; the default is that given in kdc.conf(4).


     -m

         Specifies that the master database  password  should  be
         read from the TTY rather than fetched from a file on the
         disk.


     -P password

         Specifies the master database password. This  option  is
         not recommended.


     -sf stashfilename

         Specifies the stash file of the  master  database  pass-
         word.

     -s

         Specifies that the stash file is to be created.


     -maxtktlife max_ticket_life

         See "Common Command-specific Options," above.


     -maxrenewlife max_renewable_ticket_life

         See "Common Command-specific Options," above.


     -r realm

         See "Common Command-specific Options," above.


     ticket_flags

         Specifies the ticket flags. If this option is not speci-
         fied,  by default, none of the flags are set. This means
         all the ticket options will be allowed and  no  restric-
         tion  will  be  set.  See  "Ticket Flags" for a list and
         descriptions of these flags.


  The modify Command
     The modify command modifies the attributes of a  realm.  The
     command has the following syntax:

       modify \
       [-subtrees subtree_dn_list]
       [-sscope search_scope]
       [-containerref container_reference_dn]
       [-r realm]
       [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]




     The modify command has the following options:

     -subtree subtree_dn_list

         See "Common Command-specific Options," above.


     -sscope search_scope

         See "Common Command-specific Options," above.


     -containerref container_reference_dn

         See "Common Command-specific Options," above.


     -maxtktlife max_ticket_life

         See "Common Command-specific Options," above.


     -maxrenewlife max_renewable_ticket_life

         See "Common Command-specific Options," above.


     -r realm

         See "Common Command-specific Options," above.


     ticket_flags

         Specifies the ticket flags. If this option is not speci-
         fied,  by default, none of the flags are set. This means
         all the ticket options will be allowed and  no  restric-
         tion  will  be  set.  See  "Ticket Flags" for a list and
         descriptions of these flags.


  The view Command
     The view command displays the attributes  of  a  realm.  The
     command has the following syntax:

       view [-r realm]




     The view command has the following option:

     -r realm

         See "Common Command-specific Options," above.


  The destroy Command

     The destroy command destroys a realm, including  the  master
     key stash file. The command has the following syntax:

       destroy [-f] [-r realm]




     The destroy command has the following options:

     -f

         If specified, destroy does not prompt you for  confirma-
         tion.


     -r realm

         See "Common Command-specific Options," above.


  The list Command
     The list command displays the names of realms.  The  command
     has the following syntax:

       list




     The list command has no options.

  The stashsrvpw Command
     The stashsrvpw command enables you to store the password for
     service  object  in a  file so that a KDC and Administration
     server can use it to authenticate to the  LDAP  server.  The
     command has the following syntax:

       stashsrvpw [-f filename] servicedn




     The stashsrvpw command has the following  option  and  argu-
     ment:

     -f filename

         Specifies the complete  path  of  the  service  password
         file. The default is:

           /var/krb5/service_passwd

     servicedn

         Specifies the distinguished name  (DN)  of  the  service
         object whose password is to be stored in file.


  The create_policy Command
     The create_policy command  creates  a  ticket  policy  in  a
     directory. The command has the following syntax:

       create_policy \
       [-r realm]
       [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]
       policy_name




     The create_policy command has the following options:

     -r realm

         See "Common Command-specific Options," above.


     -maxtktlife max_ticket_life

         See "Common Command-specific Options," above.


     -maxrenewlife max_renewable_ticket_life

         See "Common Command-specific Options," above.


     ticket_flags

         Specifies the ticket flags. If this option is not speci-
         fied,  by default, none of the flags are set. This means
         all the ticket options will be allowed and  no  restric-
         tion  will  be  set.  See  "Ticket Flags" for a list and
         descriptions of these flags.


     policy_name

         Specifies the name of the ticket policy.



  The modify_policy Command
     The modify_policy  command  modifies  the  attributes  of  a
     ticket policy. The command has the following syntax:

       modify_policy \
       [-r realm]
       [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]
       policy_name




     The modify_policy command has the same options and  argument
     as those for the create_policy command.

  The view_policy Command
     The view_policy command displays the attributes of a  ticket
     policy. The command has the following syntax:

       view_policy [-r realm] policy_name




     The view_policy command has the following options:

     -r realm

         See "Common Command-specific Options," above.


     policy_name

         Specifies the name of the ticket policy.


  The destroy_policy Command
     The destroy_policy command destroys an existing ticket  pol-
     icy. The command has the following syntax:

       destroy_policy [-r realm] [-force] policy_name




     The destroy_policy command has the following options:

     -r realm

         See "Common Command-specific Options," above.

     -force

         Forces the deletion of the policy object. If not  speci-
         fied,  you  will be prompted for confirmation before the
         policy is deleted. Enter yes to confirm the deletion.


     policy_name

         Specifies the name of the ticket policy.


  The list_policy Command
     The list_policy command lists the  ticket  policies  in  the
     default  or a specified realm. The command has the following
     syntax:

       list_policy [-r realm]




     The list_policy command has the following option:

     -r realm

         See "Common Command-specific Options," above.


TICKET FLAGS
     A  number  of  kdb5_ldap_util  commands   have   ticket_flag
     options. These flags are described as follows:

     {-|+}allow_dup_skey

         -allow_dup_skey disables user-to-user authentication for
         principals  by  prohibiting  principals from obtaining a
         session key for another  user.  This  setting  sets  the
         KRB5_KDB_DISALLOW_DUP_SKEY  flag. +allow_dup_skey clears
         this flag.


     {-|+}allow_forwardable

         -allow_forwardable prohibits principals  from  obtaining
         forwardable    tickets.    This    setting    sets   the
         KRB5_KDB_DISALLOW_FORWARDABLE  flag.  +allow_forwardable
         clears this flag.


     {-|+}allow_postdated

         -allow_postdated  prohibits  principals  from  obtaining
         postdated     tickets.    This    setting    sets    the
         KRB5_KDB_DISALLOW_POSTDATED    flag.    +allow_postdated
         clears this flag.


     {-|+}allow_proxiable

         -allow_proxiable  prohibits  principals  from  obtaining
         proxiable     tickets.    This    setting    sets    the
         KRB5_KDB_DISALLOW_PROXIABLE    flag.    +allow_proxiable
         clears this flag.


     {-|+}allow_renewable

         -allow_renewable  prohibits  principals  from  obtaining
         renewable     tickets.    This    setting    sets    the
         KRB5_KDB_DISALLOW_RENEWABLE    flag.    +allow_renewable
         clears this flag.


     {-|+}allow_svr

         -allow_svr prohibits the issuance of service tickets for
         principals.  This setting sets the KRB5_KDB_DISALLOW_SVR
         flag.  +allow_svr clears this flag.


     {-|+}allow_tgs_req

         -allow_tgs_req specifies that a Ticket-Granting  Service
         (TGS) request for a service ticket for principals is not
         permitted. This option is  useless  for  most  purposes.
         +allow_tgs_req   clears   this   flag.  The  default  is
         +allow_tgs_req.  In   effect,  -allow_tgs_req  sets  the
         KRB5_KDB_DISALLOW_TGT_BASED  flag  on  principals in the
         database.


     {-|+}allow_tix

         -allow_tix forbids the issuance of any tickets for prin-
         cipals.  +allow_tix  clears  this  flag.  The default is
         +allow_tix.   In    effect,    -allow_tix    sets    the
         KRB5_KDB_DISALLOW_ALL_TIX  flag  on  principals  in  the
         database.


     {-|+}needchange

         +needchange sets a flag in the attributes field to force
         a  password  change;  -needchange  clears that flag. The
         default is -needchange. In effect, +needchange sets  the
         KRB5_KDB_REQUIRES_PWCHANGE  flag  on  principals  in the
         database.


     {-|+}password_changing_service

         +password_changing_service sets a flag in the attributes
         field  marking  a principal as a password-change-service
         principal (a designation that is most often not useful).
         -password_changing_service  clears  the  flag. That this
         flag has a long name  is  intentional.  The  default  is
         -password_changing_service.          In          effect,
         +password_changing_service           sets            the
         KRB5_KDB_PWCHANGE_SERVICE  flag  on  principals  in  the
         database.


     {-|+}requires_hwauth

         +requires_hwauth requires principals to  preauthenticate
         using   a   hardware  device  before  being  allowed  to
         kinit(1).        This       setting       sets       the
         KRB5_KDB_REQUIRES_HW_AUTH  flag. -requires_hwauth clears
         this flag.


     {-|+}requires_preauth

         +requires_preauth requires principals to preauthenticate
         before  being allowed to kinit(1). This setting sets the
         KRB5_KDB_REQUIRES_PRE_AUTH    flag.    -requires_preauth
         clears this flag.


EXAMPLES
     Example 1 Using create


     The following is an example of the use of  the  create  com-
     mand.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
       create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
       Password for "cn=admin,o=org":  password entered
       Initializing database for realm 'ATHENA.MIT.EDU'
       You will be prompted for the database Master Password.
       It is important that you NOT FORGET this password.
       Enter KDC database master key: master key entered
       Re-enter KDC database master key to verify: master key re-enteredjjjjjj

     Example 2 Using modify


     The following is an example of the use of  the  modify  com-
     mand.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
       modify +requires_preauth -r ATHENA.MIT.EDU
       Password for "cn=admin,o=org":  password entered
       Password for "cn=admin,o=org":  password entered



     Example 3 Using view


     The following is an example of the use of the view command.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
       view -r ATHENA.MIT.EDU
                 Password for "cn=admin,o=org":
                                    Realm Name: ATHENA.MIT.EDU
                                       Subtree: ou=users,o=org
                                       Subtree: ou=servers,o=org
                                   SearchScope: ONE
                           Maximum ticket life: 0 days 01:00:00
                        Maximum renewable life: 0 days 10:00:00
                                  Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE



     Example 4 Using destroy


     The following is an example of the use of the  destroy  com-
     mand.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
       destroy -r ATHENA.MIT.EDU
       Password for "cn=admin,o=org": password entered
       Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
       (type 'yes' to confirm)? yes
       OK, deleting database of 'ATHENA.MIT.EDU'...



     Example 5 Using list


     The following is an example of the use of the list command.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
       Password for "cn=admin,o=org": password entered
       Re-enter Password for "cn=admin,o=org": password re-entered
       ATHENA.MIT.EDU
       OPENLDAP.MIT.EDU
       MEDIA-LAB.MIT.EDU



     Example 6 Using stashsrvpw


     The following is an example of the  use  of  the  stashsrvpw
     command.


       # kdb5_ldap_util stashsrvpw -f \
       /home/andrew/conf_keyfile cn=service-kdc,o=org
       Password for "cn=service-kdc,o=org": password entered
       Re-enter password for "cn=service-kdc,o=org": password re-entered



     Example 7 Using create_policy


     The following is an example of the use of the  create_policy
     command.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
       create_policy -r ATHENA.MIT.EDU \
       -maxtktlife "1  day" -maxrenewlife "1 week" \
       -allow_postdated +needchange -allow_forwardable tktpolicy
       Password for "cn=admin,o=org": password entered



     Example 8 Using modify_policy


     The following is an example of the use of the  modify_policy
     command.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
       modify_policy -r ATHENA.MIT.EDU \
       -maxtktlife "60 minutes" -maxrenewlife "10 hours" \
       +allow_postdated -requires_preauth tktpolicy
       Password for "cn=admin,o=org": password entered



     Example 9 Using view_policy


     The following is an example of the use  of  the  view_policy
     command.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
       view_policy -r ATHENA.MIT.EDU tktpolicy
       Password for "cn=admin,o=org": password entered
                  Ticket policy: tktpolicy
            Maximum ticket life: 0 days 01:00:00
         Maximum renewable life: 0 days 10:00:00
                   Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE



     Example 10 Using destroy_policy


     The following is an example of the use of the destroy_policy
     command.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
       destroy_policy -r ATHENA.MIT.EDU tktpolicy
       Password for "cn=admin,o=org": password entered
       This will delete the policy object 'tktpolicy', are you sure?
       (type 'yes' to confirm)? yes
       ** policy object 'tktpolicy' deleted.



     Example 11 Using list_policy


     The following is an example of the use  of  the  list_policy
     command.


       # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
       list_policy -r ATHENA.MIT.EDU
       Password for "cn=admin,o=org": password entered
       tktpolicy
       tmppolicy
       userpolicy


     Example 12 Using setsrvpw


     The following is an example of the use of the setsrvpw  com-
     mand.


       # kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw \
       -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
       Password for "cn=admin,o=org": password entered
       Password for "cn=service-kdc,o=org": password entered
       Re-enter password for "cn=service-kdc,o=org": password re-entered



     Example 13 Using create_service


     The following is an example of the use of the create_service
     command.


       # kdb5_ldap_util -D cn=admin,o=org create_service \
       -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
       Password for "cn=admin,o=org": password entered
       File does not exist. Creating the file /home/andrew/conf_keyfile...



     Example 14 Using modify_service


     The following is an example of the use of the modify_service
     command.


       # kdb5_ldap_util -D cn=admin,o=org modify_service \
       -realm ATHENA.MIT.EDU cn=service-kdc,o=org
       Password for "cn=admin,o=org": password entered
       Changing rights for the service object. Please wait ... done



     Example 15 Using view_service


     The following is an example of the use of  the  view_service
     command.


       # kdb5_ldap_util -D cn=admin,o=org view_service \
       cn=service-kdc,o=org
       Password for "cn=admin,o=org": password entered
                             Service dn: cn=service-kdc,o=org
                           Service type: kdc
                      Service host list:
                          Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security



     Example 16 Using destroy_service


     The  following  is  an   example   of   the   use   of   the
     destroy_service command.


       # kdb5_ldap_util -D cn=admin,o=org destroy_service \
       cn=service-kdc,o=org
       Password for "cn=admin,o=org": password entered
       This will delete the service object 'cn=service-kdc,o=org', are you sure?
       (type 'yes' to confirm)? yes
       ** service object 'cn=service-kdc,o=org' deleted.



     Example 17 Using list_service


     The following is an example of the use of  the  list_service
     command.


       # kdb5_ldap_util -D cn=admin,o=org list_service
       Password for "cn=admin,o=org": password entered
       cn=service-kdc,o=org
       cn=service-adm,o=org
       cn=service-pwd,o=org



ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:









     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWkrbu                    |
    |_____________________________|_____________________________|
    | Interface Stability         | Volatile                    |
    |_____________________________|_____________________________|


SEE ALSO
     kinit(1), kadmin(1M), kdc.conf(4), attributes(5)










Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.
Comments