KDB5_LDAP_UTIL(8)                MIT Kerberos                KDB5_LDAP_UTIL(8)

NAME

       kdb5_ldap_util - Kerberos configuration utility


SYNOPSIS

       kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command
              [command_options]


DESCRIPTION

       kdb5_ldap_util allows an administrator to manage the realms, Kerberos
       service objects and ticket policies stored in an LDAP directory that
       serves as the KDC database.


COMMAND-LINE OPTIONS

       -D user_dn
              Specifies the Distinguished Name (DN) of the user who has
              sufficient rights to perform the operation on the LDAP server.

       -w passwd
              Specifies the password of user_dn.  This option is not
              recommended: a password given on the command line can appear
              in process listings and in shell history.  If it is omitted,
              kdb5_ldap_util prompts for the password, as the examples below
              show.

       -H ldapuri
              Specifies the URI of the LDAP server.  It is recommended to use
              ldapi:// or ldaps:// to connect to the LDAP server; with a plain
              ldap:// URI the bind credentials cross the network in the clear.

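       The following shell wrapper is an added example; it is not part of the
       MIT Kerberos man page or distribution.  It enforces the two
       recommendations above before any kdb5_ldap_util command is run: only
       ldapi:// and ldaps:// URIs are accepted, and an invocation that carries
       a password on the command line via -w or -P is refused.  The function
       names and the DRY_RUN variable are the example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the MIT Kerberos man page or source): a pre-flight
# check that enforces the recommendations above before kdb5_ldap_util is run.
# Names below (ldap_uri_is_safe, args_leak_secret, kdb5_ldap_preflight,
# run_kdb5_ldap_util, DRY_RUN) are this example's own assumptions.

# ldap_uri_is_safe URI
#   Returns 0 for ldapi:// (local Unix socket) or ldaps:// (TLS), 1 otherwise.
#   Plain ldap:// would carry the simple-bind password in the clear.
ldap_uri_is_safe() {
    case "$1" in
        ldapi://*|ldaps://*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# args_leak_secret ARG...
#   Returns 0 if -w (LDAP bind password) or -P (master password) is present.
#   Either option puts a secret into argv, visible in process listings and
#   shell history; leaving it out makes kdb5_ldap_util prompt instead.
args_leak_secret() {
    for arg in "$@"; do
        case "$arg" in
            -w|-P) return 0 ;;
        esac
    done
    return 1
}

# kdb5_ldap_preflight URI ARG...
#   Returns 0 only if both checks pass; explains a refusal on stderr.
kdb5_ldap_preflight() {
    uri=$1; shift
    if ! ldap_uri_is_safe "$uri"; then
        echo "refusing $uri: use ldapi:// or ldaps:// for the LDAP server" >&2
        return 1
    fi
    if args_leak_secret "$@"; then
        echo "refusing: -w/-P expose a password on the command line;" \
             "let the tool prompt, or use -sf for the master key" >&2
        return 1
    fi
    return 0
}

# run_kdb5_ldap_util URI ARG...
#   Runs the real tool after the pre-flight check.  With DRY_RUN=1 (assumed
#   variable, for testing without a KDC) it prints the command line instead.
run_kdb5_ldap_util() {
    uri=$1; shift
    kdb5_ldap_preflight "$uri" "$@" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'kdb5_ldap_util -H %s' "$uri"
        printf ' %s' "$@"
        printf '\n'
        return 0
    fi
    kdb5_ldap_util -H "$uri" "$@"
}
```

       A typical call is run_kdb5_ldap_util ldaps://ldap-server1.mit.edu -D
       cn=admin,o=org list; the bind password is then requested on the TTY by
       kdb5_ldap_util itself rather than passed through argv.
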

COMMANDS

   create
          create [-subtrees subtree_dn_list] [-sscope search_scope]
          [-containerref container_reference_dn] [-k mkeytype] [-kv mkeyVNO]
          [-m|-P password|-sf stashfilename] [-s] [-r realm]
          [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

       Creates a realm in the directory.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtrees.  The possible values are 1 or one (one level), 2 or
              sub (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the principals
              of a realm will be created.  If the container reference is not
              configured for a realm, the principals will be created in the
              realm container.

       -k mkeytype
              Specifies the key type of the master key in the database.  The
              default is given by the master_key_type variable in kdc.conf(5).

       -kv mkeyVNO
              Specifies the version number of the master key in the database;
              the default is 1.  Note that 0 is not allowed.

       -m     Specifies that the master database password should be read from
              the TTY rather than fetched from a file on the disk.

       -P password
              Specifies the master database password.  This option is not
              recommended: the master password then appears on the command
              line, where it can show up in process listings and shell
              history.  Use -m to have it read from the TTY instead, as in the
              example below, or -sf to read it from a stash file.

       -r realm
              Specifies the Kerberos realm of the database.

       -sf stashfilename
              Specifies the stash file of the master database password.

       -s     Specifies that the stash file is to be created.  The stash file
              lets the KDC obtain the master key without operator input, so it
              must be readable only by the account that runs the KDC.

       -maxtktlife max_ticket_life
              (getdate string) Specifies maximum ticket life for principals in
              this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate string) Specifies maximum renewable life of tickets for
              principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal command
              in kadmin(1).

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
          Password for "cn=admin,o=org":
          Initializing database for realm 'ATHENA.MIT.EDU'
          You will be prompted for the database Master Password.
          It is important that you NOT FORGET this password.
          Enter KDC database master key:
          Re-enter KDC database master key to verify:

   modify
          modify [-subtrees subtree_dn_list] [-sscope search_scope]
          [-containerref container_reference_dn] [-r realm]
          [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

       Modifies the attributes of a realm.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).  This list replaces the existing list.

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtrees.  The possible values are 1 or one (one level), 2 or
              sub (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the principals
              of a realm will be created.

       -r realm
              Specifies the Kerberos realm of the database.

       -maxtktlife max_ticket_life
              (getdate string) Specifies maximum ticket life for principals in
              this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate string) Specifies maximum renewable life of tickets for
              principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal command
              in kadmin(1).

       Example:

          shell% kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu modify +requires_preauth -r
              ATHENA.MIT.EDU
          Password for "cn=admin,o=org":
          shell%

   view
          view [-r realm]

       Displays the attributes of a realm.  Options:

       -r realm
              Specifies the Kerberos realm of the database.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              view -r ATHENA.MIT.EDU
          Password for "cn=admin,o=org":
          Realm Name: ATHENA.MIT.EDU
          Subtree: ou=users,o=org
          Subtree: ou=servers,o=org
          SearchScope: ONE
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

   destroy
          destroy [-f] [-r realm]

       Destroys an existing realm.  Options:

       -f     If specified, will not prompt the user for confirmation.

       -r realm
              Specifies the Kerberos realm of the database.

       Example:

          shell% kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
          Password for "cn=admin,o=org":
          Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
          (type 'yes' to confirm)? yes
          OK, deleting database of 'ATHENA.MIT.EDU'...
          shell%

   list
          list

       Lists the names of the realms in the directory.

       Example:

          shell% kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu list
          Password for "cn=admin,o=org":
          ATHENA.MIT.EDU
          OPENLDAP.MIT.EDU
          MEDIA-LAB.MIT.EDU
          shell%

   stashsrvpw
          stashsrvpw [-f filename] name

       Allows an administrator to store the password for a service object in
       a file so that the KDC and administration server can use it to
       authenticate to the LDAP server.  The file holds the password in a form
       the KDC can read back, so it must be readable only by the accounts that
       run krb5kdc(8) and kadmind(8).  Options:

       -f filename
              Specifies the complete path of the service password file.  By
              default, /usr/local/var/service_passwd is used.

       name   Specifies the name of the object whose password is to be stored.
              If krb5kdc(8) or kadmind(8) are configured for simple binding,
              this should be the distinguished name it will use as given by
              the ldap_kdc_dn or ldap_kadmind_dn variable in kdc.conf(5).  If
              the KDC or kadmind is configured for SASL binding, this should
              be the authentication name it will use as given by the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid variable.

       Example:

          kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
              cn=service-kdc,o=org
          Password for "cn=service-kdc,o=org":
          Re-enter password for "cn=service-kdc,o=org":

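       The following check is an added example, not part of the MIT Kerberos
       man page or distribution.  It verifies that a service password file
       written by stashsrvpw is a regular file with no group or other access,
       optionally that it belongs to the expected account, and that it holds
       an entry for the given name.  The function name and the assumed line
       layout "name#<hex-encoded password>" are the example's own; the
       permission and ownership checks do not depend on the layout.

```sh
#!/bin/sh
# Added example (not from the MIT Kerberos man page or source): sanity checks
# for the file written by "kdb5_ldap_util stashsrvpw".  The function name and
# the expected line layout "name#<hex password>" are this example's
# assumptions about the file format; the permission check does not depend on
# them.

# check_service_passwd_file FILE NAME [OWNER]
#   Returns 0 when FILE is a regular file, is not readable or writable by
#   group or others, optionally belongs to OWNER (the user running krb5kdc or
#   kadmind), and contains an entry for NAME.  Reports problems on stderr.
check_service_passwd_file() {
    file=$1; name=$2; owner=${3:-}
    rc=0

    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi

    # "ls -ld" is portable where stat(1) is not; columns 5-10 are the
    # group and other permission bits, e.g. "r--r--" for mode 0644.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$file: group/other have access ($perms); run chmod 600" >&2
        rc=1
    fi

    if [ -n "$owner" ]; then
        actual=$(ls -ld -- "$file" | awk '{ print $3 }')
        if [ "$actual" != "$owner" ]; then
            echo "$file: owned by $actual, expected $owner" >&2
            rc=1
        fi
    fi

    # Entries are one per line; the name is followed by '#' and the hex-
    # encoded password (assumed layout).  The prefix is passed through the
    # environment, not "awk -v", so backslashes in a DN are not reinterpreted,
    # and index() does a fixed-string match, so DN characters are never
    # treated as regex metacharacters.
    if ! PREFIX="$name#" awk 'index($0, ENVIRON["PREFIX"]) == 1 { found = 1 }
                             END { exit !found }' "$file"; then
        echo "$file: no entry for $name" >&2
        rc=1
    fi

    return $rc
}
```

       Run it after stashsrvpw, for instance check_service_passwd_file
       /usr/local/var/service_passwd cn=service-kdc,o=org, naming the account
       that runs krb5kdc as the third argument when the KDC does not run as
       root.
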
   create_policy
          create_policy [-r realm] [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags]
          policy_name

       Creates a ticket policy in the directory.  Options:

       -r realm
              Specifies the Kerberos realm of the database.

       -maxtktlife max_ticket_life
              (getdate string) Specifies maximum ticket life for principals.

       -maxrenewlife max_renewable_ticket_life
              (getdate string) Specifies maximum renewable life of tickets for
              principals.

       ticket_flags
              Specifies the ticket flags.  If this option is not specified, by
              default, no restriction will be set by the policy.  Allowable
              flags are documented in the description of the add_principal
              command in kadmin(1).

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
              -maxrenewlife "1 week" -allow_postdated +needchange
              -allow_forwardable tktpolicy
          Password for "cn=admin,o=org":

   modify_policy
          modify_policy [-r realm] [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags]
          policy_name

       Modifies the attributes of a ticket policy.  Options are the same as
       for create_policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
              -maxtktlife "60 minutes" -maxrenewlife "10 hours"
              +allow_postdated -requires_preauth tktpolicy
          Password for "cn=admin,o=org":

   view_policy
          view_policy [-r realm] policy_name

       Displays the attributes of a ticket policy.  Options:

       -r realm
              Specifies the Kerberos realm of the database.

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              view_policy -r ATHENA.MIT.EDU tktpolicy
          Password for "cn=admin,o=org":
          Ticket policy: tktpolicy
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

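       The output of view and of view_policy shares the same layout, so both
       can be audited with one script.  The following is an added example,
       not part of the MIT Kerberos man page or distribution: it parses the
       "Maximum ticket life" and "Maximum renewable life" lines (in the
       "D days HH:MM:SS" form shown in the examples above) and the "Ticket
       flags" line, and reports a realm or policy whose lifetimes exceed given
       limits or which lacks REQUIRES_PRE_AUTH.  Without that flag the KDC
       issues an AS-REP for the principal to anyone who asks, giving an
       attacker material for an offline password guess.  Function names are
       the example's own, and the spelling REQUIRES_PRE_AUTH is an assumption
       modelled on the flag names shown in the examples.

```sh
#!/bin/sh
# Added example (not from the MIT Kerberos man page or source): an audit of
# the text printed by "kdb5_ldap_util view" and "view_policy".  Function
# names are this example's own; the flag name REQUIRES_PRE_AUTH is assumed to
# be printed in the same style as the flags shown in the man page examples.

# view_field_seconds LABEL < view-output
#   Prints the value of the "LABEL: D days HH:MM:SS" line in seconds, or
#   nothing if the line is absent.
view_field_seconds() {
    awk -v label="$1" -F': ' '
        $1 == label {
            split($2, p, " ")          # p[1]=days, p[2]="days", p[3]=HH:MM:SS
            split(p[3], t, ":")
            print p[1] * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
            exit
        }'
}

# view_has_flag FLAG < view-output
#   Returns 0 if FLAG appears on the "Ticket flags:" line, 1 otherwise.
view_has_flag() {
    awk -v flag="$1" -F': ' '
        $1 == "Ticket flags" {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == flag) found = 1
        }
        END { exit !found }'
}

# audit_ticket_settings MAX_LIFE_SECONDS MAX_RENEW_SECONDS < view-output
#   Returns 0 when both lifetimes are within the limits and REQUIRES_PRE_AUTH
#   is set; otherwise reports each finding on stderr and returns 1.
audit_ticket_settings() {
    max_life=$1; max_renew=$2
    out=$(cat)                          # read the output once, scan it thrice
    rc=0

    life=$(printf '%s\n' "$out" | view_field_seconds "Maximum ticket life")
    if [ -z "$life" ] || [ "$life" -gt "$max_life" ]; then
        echo "maximum ticket life ${life:-missing}s exceeds ${max_life}s" >&2
        rc=1
    fi

    renew=$(printf '%s\n' "$out" | view_field_seconds "Maximum renewable life")
    if [ -z "$renew" ] || [ "$renew" -gt "$max_renew" ]; then
        echo "maximum renewable life ${renew:-missing}s exceeds ${max_renew}s" >&2
        rc=1
    fi

    if ! printf '%s\n' "$out" | view_has_flag REQUIRES_PRE_AUTH; then
        echo "REQUIRES_PRE_AUTH is not set: AS-REPs are issued without" \
             "preauthentication" >&2
        rc=1
    fi
    return $rc
}
```

       A typical use pipes the tool into the audit, for instance
       kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
       view -r ATHENA.MIT.EDU | audit_ticket_settings 36000 604800, with the
       limits (here ten hours and one week) chosen by local policy.  Applied
       to the example output above, the realm passes the lifetime checks but
       is reported for the missing REQUIRES_PRE_AUTH flag.
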
   destroy_policy
          destroy_policy [-r realm] [-force] policy_name

       Destroys an existing ticket policy.  Options:

       -r realm
              Specifies the Kerberos realm of the database.

       -force Forces the deletion of the policy object.  If not specified, the
              user will be prompted for confirmation before deleting the
              policy.

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              destroy_policy -r ATHENA.MIT.EDU tktpolicy
          Password for "cn=admin,o=org":
          This will delete the policy object 'tktpolicy', are you sure?
          (type 'yes' to confirm)? yes
          ** policy object 'tktpolicy' deleted.

   list_policy
          list_policy [-r realm]

       Lists the ticket policies in the given realm, or in the default realm
       if -r is not specified.  Options:

       -r realm
              Specifies the Kerberos realm of the database.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              list_policy -r ATHENA.MIT.EDU
          Password for "cn=admin,o=org":
          tktpolicy
          tmppolicy
          userpolicy


ENVIRONMENT

       See kerberos(7) for a description of Kerberos environment variables.


SEE ALSO

       kadmin(1), kerberos(7)


AUTHOR

       MIT

COPYRIGHT

       1985-2019, MIT



1.17                                                         KDB5_LDAP_UTIL(8)