1KDB5_LDAP_UTIL(8)                MIT Kerberos                KDB5_LDAP_UTIL(8)
2
3
4

NAME

6       kdb5_ldap_util - Kerberos configuration utility
7

SYNOPSIS

9       kdb5_ldap_util  [-D  user_dn  [-w  passwd]]  [-H ldapuri] command [com‐
10       mand_options]
11

DESCRIPTION

13       kdb5_ldap_util allows an administrator to manage realms, Kerberos  ser‐
14       vices and ticket policies.
15

COMMAND-LINE OPTIONS

17       -D user_dn
18              Specifies the Distinguished Name (DN) of the user who has suffi‐
19              cient rights to perform the operation on the LDAP server.
20
21       -w passwd
22              Specifies the password of user_dn.  This option  is  not  recom‐
23              mended.
24
25       -H ldapuri
26              Specifies  the URI of the LDAP server.  It is recommended to use
27              ldapi:// or ldaps:// to connect to the LDAP server.
28

COMMANDS

30   create
31          create [-subtrees subtree_dn_list] [-sscope search_scope] [-contain‐
32          erref  container_reference_dn]  [-k  mkeytype]  [-kv mkeyVNO] [-m|-P
33          password|-sf   stashfilename]   [-s]   [-r    realm]    [-maxtktlife
34          max_ticket_life]      [-maxrenewlife      max_renewable_ticket_life]
35          [ticket_flags]
36
37       Creates realm in directory. Options:
38
39       -subtrees subtree_dn_list
40              Specifies the list of subtrees containing the  principals  of  a
41              realm.   The  list contains the DNs of the subtree objects sepa‐
42              rated by colon (:).
43
44       -sscope search_scope
45              Specifies the scope for searching the principals under the  sub‐
46              tree.   The  possible  values are 1 or one (one level), 2 or sub
47              (subtrees).
48
49       -containerref container_reference_dn
50              Specifies the DN of the container object in which the principals
51              of  a  realm will be created.  If the container reference is not
52              configured for a realm, the principals will be  created  in  the
53              realm container.
54
55       -k mkeytype
56              Specifies  the  key type of the master key in the database.  The
57              default is given by the master_key_type variable in kdc.conf(5).
58
59       -kv mkeyVNO
60              Specifies the version number of the master key in the  database;
61              the default is 1.  Note that 0 is not allowed.
62
63       -m     Specifies  that the master database password should be read from
64              the TTY rather than fetched from a file on the disk.
65
66       -P password
67              Specifies the master database password. This option is not  rec‐
68              ommended.
69
70       -r realm
71              Specifies the Kerberos realm of the database.
72
73       -sf stashfilename
74              Specifies the stash file of the master database password.
75
76       -s     Specifies that the stash file is to be created.
77
78       -maxtktlife max_ticket_life
79              (getdate string) Specifies maximum ticket life for principals in
80              this realm.
81
82       -maxrenewlife max_renewable_ticket_life
83              (getdate string) Specifies maximum renewable life of tickets for
84              principals in this realm.
85
86       ticket_flags
87              Specifies  global  ticket  flags for the realm.  Allowable flags
88              are documented in the description of the  add_principal  command
89              in kadmin(1).
90
91       Example:
92
93          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
94              create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
95          Password for "cn=admin,o=org":
96          Initializing database for realm 'ATHENA.MIT.EDU'
97          You will be prompted for the database Master Password.
98          It is important that you NOT FORGET this password.
99          Enter KDC database master key:
100          Re-enter KDC database master key to verify:
101
102   modify
103          modify [-subtrees subtree_dn_list] [-sscope search_scope] [-contain‐
104          erref    container_reference_dn]     [-r     realm]     [-maxtktlife
105          max_ticket_life]      [-maxrenewlife      max_renewable_ticket_life]
106          [ticket_flags]
107
108       Modifies the attributes of a realm.  Options:
109
110       -subtrees subtree_dn_list
111              Specifies the list of subtrees containing the  principals  of  a
112              realm.   The  list contains the DNs of the subtree objects sepa‐
113              rated by colon (:).  This list replaces the existing list.
114
115       -sscope search_scope
116              Specifies the scope for searching the principals under the  sub‐
117              trees.   The  possible values are 1 or one (one level), 2 or sub
118              (subtrees).
119
120       -containerref container_reference_dn Specifies the DN of the
121              container object in which the principals of a realm will be cre‐
122              ated.
123
124       -r realm
125              Specifies the Kerberos realm of the database.
126
127       -maxtktlife max_ticket_life
128              (getdate string) Specifies maximum ticket life for principals in
129              this realm.
130
131       -maxrenewlife max_renewable_ticket_life
132              (getdate string) Specifies maximum renewable life of tickets for
133              principals in this realm.
134
135       ticket_flags
136              Specifies  global  ticket  flags for the realm.  Allowable flags
137              are documented in the description of the  add_principal  command
138              in kadmin(1).
139
140       Example:
141
142          shell% kdb5_ldap_util -D cn=admin,o=org -H
143              ldaps://ldap-server1.mit.edu modify +requires_preauth -r
144              ATHENA.MIT.EDU
145          Password for "cn=admin,o=org":
146          shell%
147
148   view
149          view [-r realm]
150
151       Displays the attributes of a realm.  Options:
152
153       -r realm
154              Specifies the Kerberos realm of the database.
155
156       Example:
157
158          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
159              view -r ATHENA.MIT.EDU
160          Password for "cn=admin,o=org":
161          Realm Name: ATHENA.MIT.EDU
162          Subtree: ou=users,o=org
163          Subtree: ou=servers,o=org
164          SearchScope: ONE
165          Maximum ticket life: 0 days 01:00:00
166          Maximum renewable life: 0 days 10:00:00
167          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
168
169   destroy
170          destroy [-f] [-r realm]
171
172       Destroys an existing realm. Options:
173
174       -f     If specified, will not prompt the user for confirmation.
175
176       -r realm
177              Specifies the Kerberos realm of the database.
178
179       Example:
180
181          shell% kdb5_ldap_util -D cn=admin,o=org -H
182              ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
183          Password for "cn=admin,o=org":
184          Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
185          (type 'yes' to confirm)? yes
186          OK, deleting database of 'ATHENA.MIT.EDU'...
187          shell%
188
189   list
190          list
191
192       Lists the name of realms.
193
194       Example:
195
196          shell% kdb5_ldap_util -D cn=admin,o=org -H
197              ldaps://ldap-server1.mit.edu list
198          Password for "cn=admin,o=org":
199          ATHENA.MIT.EDU
200          OPENLDAP.MIT.EDU
201          MEDIA-LAB.MIT.EDU
202          shell%
203
204   stashsrvpw
205          stashsrvpw [-f filename] name
206
207       Allows  an  administrator to store the password for service object in a
208       file so that KDC and Administration server can use it  to  authenticate
209       to the LDAP server.  Options:
210
211       -f filename
212              Specifies  the  complete  path  of the service password file. By
213              default, /usr/local/var/service_passwd is used.
214
215       name   Specifies the name of the object whose password is to be stored.
216              If  krb5kdc(8)  or kadmind(8) are configured for simple binding,
217              this should be the distinguished name it will use  as  given  by
218              the  ldap_kdc_dn or ldap_kadmind_dn variable in kdc.conf(5).  If
219              the KDC or kadmind is configured for SASL binding,  this  should
220              be  the  authentication  name  it  will  use  as  given  by  the
221              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid variable.
222
223       Example:
224
225          kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
226              cn=service-kdc,o=org
227          Password for "cn=service-kdc,o=org":
228          Re-enter password for "cn=service-kdc,o=org":
229
230   create_policy
231          create_policy  [-r  realm]  [-maxtktlife  max_ticket_life]  [-maxre‐
232          newlife max_renewable_ticket_life] [ticket_flags] policy_name
233
234       Creates a ticket policy in the directory.  Options:
235
236       -r realm
237              Specifies the Kerberos realm of the database.
238
239       -maxtktlife max_ticket_life
240              (getdate string) Specifies maximum ticket life for principals.
241
242       -maxrenewlife max_renewable_ticket_life
243              (getdate string) Specifies maximum renewable life of tickets for
244              principals.
245
246       ticket_flags
247              Specifies the ticket flags.  If this option is not specified, by
248              default,  no  restriction  will be set by the policy.  Allowable
249              flags are documented in the  description  of  the  add_principal
250              command in kadmin(1).
251
252       policy_name
253              Specifies the name of the ticket policy.
254
255       Example:
256
257          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
258              create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
259              -maxrenewlife "1 week" -allow_postdated +needchange
260              -allow_forwardable tktpolicy
261          Password for "cn=admin,o=org":
262
263   modify_policy
264          modify_policy  [-r  realm]  [-maxtktlife  max_ticket_life]  [-maxre‐
265          newlife max_renewable_ticket_life] [ticket_flags] policy_name
266
267       Modifies the attributes of a ticket policy.  Options are  same  as  for
268       create_policy.
269
270       Example:
271
272          kdb5_ldap_util -D cn=admin,o=org -H
273              ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
274              -maxtktlife "60 minutes" -maxrenewlife "10 hours"
275              +allow_postdated -requires_preauth tktpolicy
276          Password for "cn=admin,o=org":
277
278   view_policy
279          view_policy [-r realm] policy_name
280
281       Displays the attributes of a ticket policy.  Options:
282
283       policy_name
284              Specifies the name of the ticket policy.
285
286       Example:
287
288          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
289              view_policy -r ATHENA.MIT.EDU tktpolicy
290          Password for "cn=admin,o=org":
291          Ticket policy: tktpolicy
292          Maximum ticket life: 0 days 01:00:00
293          Maximum renewable life: 0 days 10:00:00
294          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
295
296   destroy_policy
297          destroy_policy [-r realm] [-force] policy_name
298
299       Destroys an existing ticket policy.  Options:
300
301       -r realm
302              Specifies the Kerberos realm of the database.
303
304       -force Forces the deletion of the policy object.  If not specified, the
305              user will be prompted for confirmation before deleting the  pol‐
306              icy.
307
308       policy_name
309              Specifies the name of the ticket policy.
310
311       Example:
312
313          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
314              destroy_policy -r ATHENA.MIT.EDU tktpolicy
315          Password for "cn=admin,o=org":
316          This will delete the policy object 'tktpolicy', are you sure?
317          (type 'yes' to confirm)? yes
318          ** policy object 'tktpolicy' deleted.
319
320   list_policy
321          list_policy [-r realm]
322
323       Lists  the  ticket  policies  in  realm  if specified or in the default
324       realm.  Options:
325
326       -r realm
327              Specifies the Kerberos realm of the database.
328
329       Example:
330
331          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
332              list_policy -r ATHENA.MIT.EDU
333          Password for "cn=admin,o=org":
334          tktpolicy
335          tmppolicy
336          userpolicy
337

SEE ALSO

339       kadmin(1)
340

AUTHOR

342       MIT
343
345       1985-2018, MIT
346
347
348
349
3501.16.1                                                       KDB5_LDAP_UTIL(8)
Impressum