KDB5_LDAP_UTIL(8)           System Manager's Manual          KDB5_LDAP_UTIL(8)

NAME

       kdb5_ldap_util - Kerberos Configuration Utility

SYNOPSIS

       kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command
       [command_options]

DESCRIPTION

       kdb5_ldap_util allows an administrator to manage realms, Kerberos
       services and ticket policies.

COMMAND-LINE OPTIONS

       -D user_dn
              Specifies the Distinguished Name (DN) of the user who has
              sufficient rights to perform the operation on the LDAP server.

       -w passwd
              Specifies the password of user_dn. This option is not
              recommended, since a password given on the command line can be
              seen by other users of the system.

       -H ldapuri
              Specifies the URI of the LDAP server.

COMMANDS

       create [-subtrees subtree_dn_list] [-sscope search_scope]
       [-containerref container_reference_dn] [-k mkeytype] [-kv mkeyVNO]
       [-m|-P password|-sf stashfilename] [-s] [-r realm]
       [-kdcdn kdc_service_list] [-admindn admin_service_list]
       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]
              Creates a realm in the directory. Options:

              -subtrees subtree_dn_list
                     Specifies the list of subtrees containing the principals
                     of a realm. The list contains the DNs of the subtree
                     objects separated by a colon (:).

              -sscope search_scope
                     Specifies the scope for searching the principals under
                     the subtree. The possible values are 1 or one (one
                     level), 2 or sub (subtrees).

              -containerref container_reference_dn
                     Specifies the DN of the container object in which the
                     principals of a realm will be created. If the container
                     reference is not configured for a realm, the principals
                     will be created in the realm container.

              -k mkeytype
                     Specifies the key type of the master key in the database;
                     the default is that given in kdc.conf.

              -kv mkeyVNO
                     Specifies the version number of the master key in the
                     database; the default is 1. Note that 0 is not allowed.

              -m     Specifies that the master database password should be
                     read from the TTY rather than fetched from a file on
                     disk.

              -P password
                     Specifies the master database password. This option is
                     not recommended, since a password given on the command
                     line can be seen by other users of the system.

              -sf stashfilename
                     Specifies the stash file of the master database password.

              -s     Specifies that the stash file is to be created.

              -maxtktlife max_ticket_life
                     Specifies the maximum ticket life for principals in this
                     realm.

              -maxrenewlife max_renewable_ticket_life
                     Specifies the maximum renewable life of tickets for
                     principals in this realm.

              ticket_flags
                     Specifies the ticket flags. If this option is not
                     specified, by default none of the flags are set. This
                     means all the ticket options will be allowed and no
                     restriction will be set.

                     The various flags are:

              {-|+}allow_postdated
                     -allow_postdated prohibits principals from obtaining
                     postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.) +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable prohibits principals from obtaining
                     forwardable tickets. (Sets the
                     KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable prohibits principals from obtaining
                     renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.) +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable prohibits principals from obtaining
                     proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.) +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey disables user-to-user authentication for
                     principals by prohibiting principals from obtaining a
                     session key for another user. (Sets the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.) +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth requires principals to preauthenticate
                     before being allowed to kinit. (Sets the
                     KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth requires principals to preauthenticate
                     using a hardware device before being allowed to kinit.
                     (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
                     -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets for
                     principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a Ticket-Granting Service
                     (TGS) request for a service ticket for principals is not
                     permitted. This option is useless for most things.
                     +allow_tgs_req clears this flag. The default is
                     +allow_tgs_req. In effect, -allow_tgs_req sets the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the
                     database.

              {-|+}allow_tix
                     -allow_tix forbids the issuance of any tickets for
                     principals. +allow_tix clears this flag. The default is
                     +allow_tix. In effect, -allow_tix sets the
                     KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the
                     database.

              {-|+}needchange
                     +needchange sets a flag in the attributes field to force
                     a password change; -needchange clears it. The default is
                     -needchange. In effect, +needchange sets the
                     KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the
                     database.

              {-|+}password_changing_service
                     +password_changing_service sets a flag in the attributes
                     field marking the principal as a password change service
                     principal (useless for most things).
                     -password_changing_service clears the flag. This flag
                     intentionally has a long name. The default is
                     -password_changing_service. In effect,
                     +password_changing_service sets the
                     KRB5_KDB_PWCHANGE_SERVICE flag on principals in the
                     database.

              -r realm
                     Specifies the Kerberos realm of the database; by default
                     the realm returned by krb5_default_local_realm(3) is
                     used.

              Command Options Specific to eDirectory

              -kdcdn kdc_service_list
                     Specifies the list of KDC service objects serving the
                     realm. The list contains the DNs of the KDC service
                     objects separated by a colon (:).

              -admindn admin_service_list
                     Specifies the list of Administration service objects
                     serving the realm. The list contains the DNs of the
                     Administration service objects separated by a colon (:).

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                     Initializing database for realm 'ATHENA.MIT.EDU'
                     You will be prompted for the database Master Password.
                     It is important that you NOT FORGET this password.
                     Enter KDC database master key:
                     Re-enter KDC database master key to verify:

       modify [-subtrees subtree_dn_list] [-sscope search_scope]
       [-containerref container_reference_dn] [-r realm]
       [-kdcdn kdc_service_list | [-clearkdcdn kdc_service_list]
       [-addkdcdn kdc_service_list]]
       [-admindn admin_service_list | [-clearadmindn admin_service_list]
       [-addadmindn admin_service_list]] [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags]
              Modifies the attributes of a realm. Options:

              -subtrees subtree_dn_list
                     Specifies the list of subtrees containing the principals
                     of a realm. The list contains the DNs of the subtree
                     objects separated by a colon (:). This list replaces the
                     existing list.

              -sscope search_scope
                     Specifies the scope for searching the principals under
                     the subtrees. The possible values are 1 or one (one
                     level), 2 or sub (subtrees).

              -containerref container_reference_dn
                     Specifies the DN of the container object in which the
                     principals of a realm will be created.

              -maxtktlife max_ticket_life
                     Specifies the maximum ticket life for principals in this
                     realm.

              -maxrenewlife max_renewable_ticket_life
                     Specifies the maximum renewable life of tickets for
                     principals in this realm.

              ticket_flags
                     Specifies the ticket flags. If this option is not
                     specified, by default none of the flags are set. This
                     means all the ticket options will be allowed and no
                     restriction will be set.

                     The various flags are:

              {-|+}allow_postdated
                     -allow_postdated prohibits principals from obtaining
                     postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.) +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable prohibits principals from obtaining
                     forwardable tickets. (Sets the
                     KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable prohibits principals from obtaining
                     renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.) +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable prohibits principals from obtaining
                     proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.) +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey disables user-to-user authentication for
                     principals by prohibiting principals from obtaining a
                     session key for another user. (Sets the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.) +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth requires principals to preauthenticate
                     before being allowed to kinit. (Sets the
                     KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth requires principals to preauthenticate
                     using a hardware device before being allowed to kinit.
                     (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
                     -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets for
                     principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a Ticket-Granting Service
                     (TGS) request for a service ticket for principals is not
                     permitted. This option is useless for most things.
                     +allow_tgs_req clears this flag. The default is
                     +allow_tgs_req. In effect, -allow_tgs_req sets the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the
                     database.

              {-|+}allow_tix
                     -allow_tix forbids the issuance of any tickets for
                     principals. +allow_tix clears this flag. The default is
                     +allow_tix. In effect, -allow_tix sets the
                     KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the
                     database.

              {-|+}needchange
                     +needchange sets a flag in the attributes field to force
                     a password change; -needchange clears it. The default is
                     -needchange. In effect, +needchange sets the
                     KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the
                     database.

              {-|+}password_changing_service
                     +password_changing_service sets a flag in the attributes
                     field marking the principal as a password change service
                     principal (useless for most things).
                     -password_changing_service clears the flag. This flag
                     intentionally has a long name. The default is
                     -password_changing_service. In effect,
                     +password_changing_service sets the
                     KRB5_KDB_PWCHANGE_SERVICE flag on principals in the
                     database.

              -r realm
                     Specifies the Kerberos realm of the database; by default
                     the realm returned by krb5_default_local_realm(3) is
                     used.

              Command Options Specific to eDirectory

              -kdcdn kdc_service_list
                     Specifies the list of KDC service objects serving the
                     realm. The list contains the DNs of the KDC service
                     objects separated by a colon (:). This list replaces the
                     existing list.

              -clearkdcdn kdc_service_list
                     Specifies the list of KDC service objects that need to be
                     removed from the existing list. The list contains the DNs
                     of the KDC service objects separated by a colon (:).

              -addkdcdn kdc_service_list
                     Specifies the list of KDC service objects that need to be
                     added to the existing list. The list contains the DNs of
                     the KDC service objects separated by a colon (:).

              -admindn admin_service_list
                     Specifies the list of Administration service objects
                     serving the realm. The list contains the DNs of the
                     Administration service objects separated by a colon (:).
                     This list replaces the existing list.

              -clearadmindn admin_service_list
                     Specifies the list of Administration service objects that
                     need to be removed from the existing list. The list
                     contains the DNs of the Administration service objects
                     separated by a colon (:).

              -addadmindn admin_service_list
                     Specifies the list of Administration service objects that
                     need to be added to the existing list. The list contains
                     the DNs of the Administration service objects separated
                     by a colon (:).

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":

       view [-r realm]
              Displays the attributes of a realm. Options:

              -r realm
                     Specifies the Kerberos realm of the database; by default
                     the realm returned by krb5_default_local_realm(3) is
                     used.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                                    Realm Name: ATHENA.MIT.EDU
                                       Subtree: ou=users,o=org
                                       Subtree: ou=servers,o=org
                                   SearchScope: ONE
                           Maximum ticket life: 0 days 01:00:00
                        Maximum renewable life: 0 days 10:00:00
                                  Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

       destroy [-f] [-r realm]
              Destroys an existing realm. Options:

              -f     If specified, will not prompt the user for confirmation.

              -r realm
                     Specifies the Kerberos realm of the database; by default
                     the realm returned by krb5_default_local_realm(3) is
                     used.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                     Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
                     (type 'yes' to confirm)? yes
                     OK, deleting database of 'ATHENA.MIT.EDU'...

       list
              Lists the names of the realms.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
                     Password for "cn=admin,o=org":
                     ATHENA.MIT.EDU
                     OPENLDAP.MIT.EDU
                     MEDIA-LAB.MIT.EDU

       stashsrvpw [-f filename] servicedn
              Allows an administrator to store the password for a service
              object in a file so that the KDC and Administration server can
              use it to authenticate to the LDAP server. Options:

              -f filename
                     Specifies the complete path of the service password file.
                     By default, /usr/local/var/service_passwd is used.

              servicedn
                     Specifies the Distinguished Name (DN) of the service
                     object whose password is to be stored in the file.

              EXAMPLE:
                     kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
                     Password for "cn=service-kdc,o=org":
                     Re-enter password for "cn=service-kdc,o=org":

       create_policy [-r realm] [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
              Creates a ticket policy in the directory. Options:

              -r realm
                     Specifies the Kerberos realm of the database; by default
                     the realm returned by krb5_default_local_realm(3) is
                     used.

              -maxtktlife max_ticket_life
                     Specifies the maximum ticket life for principals.

              -maxrenewlife max_renewable_ticket_life
                     Specifies the maximum renewable life of tickets for
                     principals.

              ticket_flags
                     Specifies the ticket flags. If this option is not
                     specified, by default none of the flags are set. This
                     means all the ticket options will be allowed and no
                     restriction will be set.

                     The various flags are:

              {-|+}allow_postdated
                     -allow_postdated prohibits principals from obtaining
                     postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.) +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable prohibits principals from obtaining
                     forwardable tickets. (Sets the
                     KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable prohibits principals from obtaining
                     renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.) +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable prohibits principals from obtaining
                     proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.) +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey disables user-to-user authentication for
                     principals by prohibiting principals from obtaining a
                     session key for another user. (Sets the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.) +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth requires principals to preauthenticate
                     before being allowed to kinit. (Sets the
                     KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth requires principals to preauthenticate
                     using a hardware device before being allowed to kinit.
                     (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
                     -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets for
                     principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a Ticket-Granting Service
                     (TGS) request for a service ticket for principals is not
                     permitted. This option is useless for most things.
                     +allow_tgs_req clears this flag. The default is
                     +allow_tgs_req. In effect, -allow_tgs_req sets the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the
                     database.

              {-|+}allow_tix
                     -allow_tix forbids the issuance of any tickets for
                     principals. +allow_tix clears this flag. The default is
                     +allow_tix. In effect, -allow_tix sets the
                     KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the
                     database.

              {-|+}needchange
                     +needchange sets a flag in the attributes field to force
                     a password change; -needchange clears it. The default is
                     -needchange. In effect, +needchange sets the
                     KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the
                     database.

              {-|+}password_changing_service
                     +password_changing_service sets a flag in the attributes
                     field marking the principal as a password change service
                     principal (useless for most things).
                     -password_changing_service clears the flag. This flag
                     intentionally has a long name. The default is
                     -password_changing_service. In effect,
                     +password_changing_service sets the
                     KRB5_KDB_PWCHANGE_SERVICE flag on principals in the
                     database.

              policy_name
                     Specifies the name of the ticket policy.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy
                     Password for "cn=admin,o=org":

       modify_policy [-r realm] [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
              Modifies the attributes of a ticket policy. The options are the
              same as for create_policy.

              -r realm
                     Specifies the Kerberos realm of the database; by default
                     the realm returned by krb5_default_local_realm(3) is
                     used.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy
                     Password for "cn=admin,o=org":

       view_policy [-r realm] policy_name
              Displays the attributes of a ticket policy. Options:

              policy_name
                     Specifies the name of the ticket policy.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy
                     Password for "cn=admin,o=org":
                                 Ticket policy: tktpolicy
                           Maximum ticket life: 0 days 01:00:00
                        Maximum renewable life: 0 days 10:00:00
                                  Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

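       The ticket_flags semantics described under create, modify and
       create_policy, worked as an added example (not code from the man page
       or from MIT krb5): it applies +/-flag arguments to an attribute mask
       the way create_policy and modify_policy do and renders the result as
       the "Ticket flags:" line of view_policy shows it. The KRB5_KDB_* bit
       values and the display order are assumptions of this example (taken to
       match MIT krb5's kdb.h); the page names the constants but not their
       values.

```python
"""Ticket-flag bookkeeping of kdb5_ldap_util, as an added worked example.

The KRB5_KDB_* values below are assumed to be those of MIT krb5's kdb.h;
the man page names the constants but does not state their values.
"""
from typing import List

# Principal attribute bits (assumed, see module docstring).
KRB5_KDB_DISALLOW_POSTDATED = 0x00000001
KRB5_KDB_DISALLOW_FORWARDABLE = 0x00000002
KRB5_KDB_DISALLOW_TGT_BASED = 0x00000004
KRB5_KDB_DISALLOW_RENEWABLE = 0x00000008
KRB5_KDB_DISALLOW_PROXIABLE = 0x00000010
KRB5_KDB_DISALLOW_DUP_SKEY = 0x00000020
KRB5_KDB_DISALLOW_ALL_TIX = 0x00000040
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_REQUIRES_HW_AUTH = 0x00000100
KRB5_KDB_REQUIRES_PWCHANGE = 0x00000200
KRB5_KDB_DISALLOW_SVR = 0x00001000
KRB5_KDB_PWCHANGE_SERVICE = 0x00002000

# Option name -> (bit, sign that SETS the bit).  For allow_* options the
# '-' form sets a DISALLOW bit; for requires_*, needchange and
# password_changing_service the '+' form sets the bit.  The opposite sign
# clears it, exactly as the flag descriptions on the man page say.
FLAG_TABLE = {
    "allow_postdated": (KRB5_KDB_DISALLOW_POSTDATED, "-"),
    "allow_forwardable": (KRB5_KDB_DISALLOW_FORWARDABLE, "-"),
    "allow_renewable": (KRB5_KDB_DISALLOW_RENEWABLE, "-"),
    "allow_proxiable": (KRB5_KDB_DISALLOW_PROXIABLE, "-"),
    "allow_dup_skey": (KRB5_KDB_DISALLOW_DUP_SKEY, "-"),
    "allow_svr": (KRB5_KDB_DISALLOW_SVR, "-"),
    "allow_tgs_req": (KRB5_KDB_DISALLOW_TGT_BASED, "-"),
    "allow_tix": (KRB5_KDB_DISALLOW_ALL_TIX, "-"),
    "requires_preauth": (KRB5_KDB_REQUIRES_PRE_AUTH, "+"),
    "requires_hwauth": (KRB5_KDB_REQUIRES_HW_AUTH, "+"),
    "needchange": (KRB5_KDB_REQUIRES_PWCHANGE, "+"),
    "password_changing_service": (KRB5_KDB_PWCHANGE_SERVICE, "+"),
}

# Names printed on the "Ticket flags:" line of view / view_policy output.
# Display order is an assumption; it agrees with the sample output above.
DISPLAY_NAMES = [
    (KRB5_KDB_DISALLOW_POSTDATED, "DISALLOW_POSTDATED"),
    (KRB5_KDB_DISALLOW_FORWARDABLE, "DISALLOW_FORWARDABLE"),
    (KRB5_KDB_DISALLOW_TGT_BASED, "DISALLOW_TGT_BASED"),
    (KRB5_KDB_DISALLOW_RENEWABLE, "DISALLOW_RENEWABLE"),
    (KRB5_KDB_DISALLOW_PROXIABLE, "DISALLOW_PROXIABLE"),
    (KRB5_KDB_DISALLOW_DUP_SKEY, "DISALLOW_DUP_SKEY"),
    (KRB5_KDB_DISALLOW_ALL_TIX, "DISALLOW_ALL_TIX"),
    (KRB5_KDB_REQUIRES_PRE_AUTH, "REQUIRES_PRE_AUTH"),
    (KRB5_KDB_REQUIRES_HW_AUTH, "REQUIRES_HW_AUTH"),
    (KRB5_KDB_REQUIRES_PWCHANGE, "REQUIRES_PWCHANGE"),
    (KRB5_KDB_DISALLOW_SVR, "DISALLOW_SVR"),
    (KRB5_KDB_PWCHANGE_SERVICE, "PWCHANGE_SERVICE"),
]


def valid_ticket_flag(arg: str) -> bool:
    """True if arg is '+name' or '-name' for a ticket flag the tool knows."""
    return len(arg) > 1 and arg[0] in "+-" and arg[1:] in FLAG_TABLE


def apply_ticket_flags(mask: int, args: List[str]) -> int:
    """Apply ticket_flags arguments to an attribute mask; return the result.

    Starting from 0 models create / create_policy (no flags set, so nothing
    is restricted); starting from an existing mask models modify /
    modify_policy, where only the named bits change.  A later argument
    overrides an earlier one for the same flag.
    """
    for arg in args:
        if not valid_ticket_flag(arg):
            raise ValueError(f"unknown ticket flag: {arg!r}")
        sign, name = arg[0], arg[1:]
        bit, setting_sign = FLAG_TABLE[name]
        if sign == setting_sign:
            mask |= bit
        else:
            mask &= ~bit
    return mask


def format_ticket_flags(mask: int) -> str:
    """Render a mask as the 'Ticket flags:' line of view_policy shows it."""
    return " ".join(name for bit, name in DISPLAY_NAMES if mask & bit)


def ticket_flag_args(mask: int) -> List[str]:
    """The ticket_flags arguments that reproduce mask on a fresh create_policy.

    Handy when auditing a policy: an empty list means no restriction or
    requirement is in force, which is the documented default.
    """
    return [sign + name for name, (bit, sign) in FLAG_TABLE.items()
            if mask & bit]
```

       Running the create_policy example arguments and then the modify_policy
       example arguments through apply_ticket_flags yields the mask whose
       rendering is exactly "DISALLOW_FORWARDABLE REQUIRES_PWCHANGE", the
       view_policy output shown above.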
       destroy_policy [-r realm] [-force] policy_name
              Destroys an existing ticket policy. Options:

              -r realm
                     Specifies the Kerberos realm of the database; by default
                     the realm returned by krb5_default_local_realm(3) is
                     used.

              -force Forces the deletion of the policy object. If not
                     specified, the user will be prompted for confirmation
                     while deleting the policy. Enter yes to confirm the
                     deletion.

              policy_name
                     Specifies the name of the ticket policy.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU tktpolicy
                     Password for "cn=admin,o=org":
                     This will delete the policy object 'tktpolicy', are you sure?
                     (type 'yes' to confirm)? yes
                     ** policy object 'tktpolicy' deleted.

       list_policy [-r realm]
              Lists the ticket policies in the given realm, or in the default
              realm if none is specified. Options:

              -r realm
                     Specifies the Kerberos realm of the database; by default
                     the realm returned by krb5_default_local_realm(3) is
                     used.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                     tktpolicy
                     tmppolicy
                     userpolicy

       Commands Specific to eDirectory

       setsrvpw [-randpw|-fileonly] [-f filename] service_dn
              Allows an administrator to set the password for service objects
              such as the KDC and Administration server in eDirectory and
              store it in a file. The -fileonly option stores the password in
              a file and not in the eDirectory object. Options:

              -randpw
                     Generates and sets a random password. This option can be
                     specified to store the password both in eDirectory and in
                     a file. The -fileonly option cannot be used if the
                     -randpw option is already specified.

              -fileonly
                     Stores the password only in a file and not in eDirectory.
                     The -randpw option cannot be used when the -fileonly
                     option is specified.

              -f filename
                     Specifies the complete path of the service password file.
                     By default, /usr/local/var/service_passwd is used.

              service_dn
                     Specifies the Distinguished Name (DN) of the service
                     object whose password is to be set.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
                     Password for "cn=admin,o=org":
                     Password for "cn=service-kdc,o=org":
                     Re-enter password for "cn=service-kdc,o=org":

       create_service {-kdc|-admin} [-servicehost service_host_list] [-realm realm_list] [-randpw|-fileonly] [-f filename] service_dn
              Creates a service in the directory and assigns appropriate rights.
              Options:

              -kdc   Specifies that the service is a KDC service.

              -admin Specifies that the service is an Administration service.

              -servicehost service_host_list
                     Specifies the list of entries separated by a colon (:).
                     Each entry consists of the hostname or IP address of the
                     server hosting the service, the transport protocol, and the
                     port number of the service, separated by a pound sign (#).
                     For example, server1#tcp#88:server2#udp#89.

              -realm realm_list
                     Specifies the list of realms that are to be associated with
                     this service.  The list contains the names of the realms
                     separated by a colon (:).

              -randpw
                     Generates and sets a random password.  This option is used
                     to set the random password for the service object in the
                     directory and also to store it in the file.  The -fileonly
                     option cannot be used if the -randpw option is specified.

              -fileonly
                     Stores the password only in a file and not in eDirectory.
                     The -randpw option cannot be used when the -fileonly option
                     is specified.

              -f filename
                     Specifies the complete path of the file where the service
                     object password is stashed.

              service_dn
                     Specifies the Distinguished Name (DN) of the Kerberos
                     service to be created.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
                     Password for "cn=admin,o=org":
                     File does not exist. Creating the file /home/andrew/conf_keyfile...

       modify_service [-servicehost service_host_list | [-clearservicehost service_host_list] [-addservicehost service_host_list]] [-realm realm_list | [-clearrealm realm_list] [-addrealm realm_list]] service_dn
              Modifies the attributes of a service and assigns appropriate
              rights.  Options:

              -servicehost service_host_list
                     Specifies the list of entries separated by a colon (:).
                     Each entry consists of the host name or IP address of the
                     server hosting the service, the transport protocol, and the
                     port number of the service, separated by a pound sign (#).
                     For example, server1#tcp#88:server2#udp#89.  This list
                     replaces the existing list.

              -clearservicehost service_host_list
                     Specifies the list of servicehost entries to be removed
                     from the existing list, separated by a colon (:).  Each
                     entry consists of the host name or IP address of the server
                     hosting the service, the transport protocol, and the port
                     number of the service, separated by a pound sign (#).

              -addservicehost service_host_list
                     Specifies the list of servicehost entries to be added to
                     the existing list, separated by a colon (:).  Each entry
                     consists of the host name or IP address of the server
                     hosting the service, the transport protocol, and the port
                     number of the service, separated by a pound sign (#).

              -realm realm_list
                     Specifies the list of realms that are to be associated with
                     this service.  The list contains the names of the realms
                     separated by a colon (:).  This list replaces the existing
                     list.

              -clearrealm realm_list
                     Specifies the list of realms to be removed from the
                     existing list.  The list contains the names of the realms
                     separated by a colon (:).

              -addrealm realm_list
                     Specifies the list of realms to be added to the existing
                     list.  The list contains the names of the realms separated
                     by a colon (:).

              service_dn
                     Specifies the Distinguished Name (DN) of the Kerberos
                     service to be modified.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org
                     Password for "cn=admin,o=org":
                     Changing rights for the service object. Please wait ... done
740
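              The service_host_list format used by create_service and
              modify_service above (colon-separated entries, each
              host#transport#port) is easy to get wrong on the command line.
              The following pre-flight validator is an added example, not part
              of MIT Kerberos or of this manual page; it assumes tcp and udp are
              the only transports, as in the examples above.

```shell
# Pre-flight validator for a kdb5_ldap_util -servicehost list. Constructed
# example, not part of MIT Kerberos: entries are separated by ':' and each
# entry is host#transport#port, e.g. server1#tcp#88:server2#udp#89.
# Assumption: tcp and udp are the only transports (as in the page's examples).
# Returns 0 if every entry is well formed, 1 otherwise (reason on stderr).
validate_servicehost_list() {
    list=$1
    case $list in
        ''|:*|*:|*::*)
            echo "service_host_list is empty or has an empty entry" >&2
            return 1 ;;
    esac
    old_ifs=$IFS
    IFS=':'; set -f; set -- $list; set +f; IFS=$old_ifs
    for entry in "$@"; do
        host=${entry%%#*}          # text before the first '#'
        rest=${entry#*#}           # text after the first '#'
        transport=${rest%%#*}      # text before the second '#'
        port=${rest#*#}            # text after the second '#'
        # Fewer than three fields: a strip left the string unchanged.
        if [ "$entry" = "$host" ] || [ "$rest" = "$transport" ]; then
            echo "malformed entry (want host#transport#port): '$entry'" >&2
            return 1
        fi
        case $port in *#*)
            echo "too many fields in entry: '$entry'" >&2; return 1 ;;
        esac
        if [ -z "$host" ] || [ -z "$transport" ] || [ -z "$port" ]; then
            echo "empty field in entry: '$entry'" >&2; return 1
        fi
        case $transport in tcp|udp) ;; *)
            echo "transport must be tcp or udp: '$entry'" >&2; return 1 ;;
        esac
        case $port in *[!0-9]*)
            echo "port is not numeric: '$entry'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range 1-65535: '$entry'" >&2; return 1
        fi
    done
    return 0
}

# Usage: check the list before handing it to kdb5_ldap_util, e.g.
#   hosts='server1#tcp#88:server2#udp#89'
#   validate_servicehost_list "$hosts" && kdb5_ldap_util -D cn=admin,o=org \
#       create_service -kdc -servicehost "$hosts" cn=service-kdc,o=org
```
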
       view_service service_dn
              Displays the attributes of a service.  Options:

              service_dn
                     Specifies the Distinguished Name (DN) of the Kerberos
                     service to be viewed.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org
                     Password for "cn=admin,o=org":
                             Service dn: cn=service-kdc,o=org
                           Service type: kdc
                      Service host list:
                          Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security

       destroy_service [-force] [-f stashfilename] service_dn
              Destroys an existing service.  Options:

              -force If specified, does not prompt for the user's confirmation
                     and instead forces destruction of the service.

              -f stashfilename
                     Specifies the complete path of the service password file
                     from which the entry corresponding to the service_dn is to
                     be removed.

              service_dn
                     Specifies the Distinguished Name (DN) of the Kerberos
                     service to be destroyed.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org
                     Password for "cn=admin,o=org":
                     This will delete the service object 'cn=service-kdc,o=org', are you sure?
                     (type 'yes' to confirm)? yes
                     ** service object 'cn=service-kdc,o=org' deleted.

       list_service [-basedn base_dn]
              Lists the names of the services under a given base in the
              directory.  Options:

              -basedn base_dn
                     Specifies the base DN for searching the service objects,
                     limiting the search to a particular subtree.  If this
                     option is not provided, the LDAP server specific search
                     base is used.  For example, in the case of OpenLDAP the
                     value of defaultsearchbase from the slapd.conf file is
                     used, whereas in the case of eDirectory the default value
                     for the base DN is Root.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org list_service
                     Password for "cn=admin,o=org":
                     cn=service-kdc,o=org
                     cn=service-adm,o=org
                     cn=service-pwd,o=org


SEE ALSO
       kadmin(8)