1KDB5_LDAP_UTIL(8) MIT Kerberos KDB5_LDAP_UTIL(8)
2
3
4
6 kdb5_ldap_util - Kerberos configuration utility
7
9 kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command [com‐
10 mand_options]
11
13 kdb5_ldap_util allows an administrator to manage realms, Kerberos ser‐
14 vices and ticket policies.
15
17 -D user_dn
18 Specifies the Distinguished Name (DN) of the user who has suffi‐
19 cient rights to perform the operation on the LDAP server.
20
21 -w passwd
22 Specifies the password of user_dn. This option is not recom‐
23 mended.
24
25 -H ldapuri
26 Specifies the URI of the LDAP server. It is recommended to use
27 ldapi:// or ldaps:// to connect to the LDAP server.
28
30 create
31 create [-subtrees subtree_dn_list] [-sscope search_scope] [-contain‐
32 erref container_reference_dn] [-k mkeytype] [-kv mkeyVNO] [-m|-P
33 password|-sf stashfilename] [-s] [-r realm] [-maxtktlife
34 max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
35 [ticket_flags]
36
37 Creates realm in directory. Options:
38
39 -subtrees subtree_dn_list
40 Specifies the list of subtrees containing the principals of a
41 realm. The list contains the DNs of the subtree objects sepa‐
42 rated by colon (:).
43
44 -sscope search_scope
45 Specifies the scope for searching the principals under the sub‐
46 tree. The possible values are 1 or one (one level), 2 or sub
47 (subtrees).
48
49 -containerref container_reference_dn
50 Specifies the DN of the container object in which the principals
51 of a realm will be created. If the container reference is not
52 configured for a realm, the principals will be created in the
53 realm container.
54
55 -k mkeytype
56 Specifies the key type of the master key in the database. The
57 default is given by the master_key_type variable in kdc.conf(5).
58
59 -kv mkeyVNO
60 Specifies the version number of the master key in the database;
61 the default is 1. Note that 0 is not allowed.
62
63 -m Specifies that the master database password should be read from
64 the TTY rather than fetched from a file on the disk.
65
66 -P password
67 Specifies the master database password. This option is not rec‐
68 ommended.
69
70 -r realm
71 Specifies the Kerberos realm of the database.
72
73 -sf stashfilename
74 Specifies the stash file of the master database password.
75
76 -s Specifies that the stash file is to be created.
77
78 -maxtktlife max_ticket_life
79 (getdate string) Specifies maximum ticket life for principals in
80 this realm.
81
82 -maxrenewlife max_renewable_ticket_life
83 (getdate string) Specifies maximum renewable life of tickets for
84 principals in this realm.
85
86 ticket_flags
87 Specifies global ticket flags for the realm. Allowable flags
88 are documented in the description of the add_principal command
89 in kadmin(1).
90
91 Example:
92
93 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
94 create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
95 Password for "cn=admin,o=org":
96 Initializing database for realm 'ATHENA.MIT.EDU'
97 You will be prompted for the database Master Password.
98 It is important that you NOT FORGET this password.
99 Enter KDC database master key:
100 Re-enter KDC database master key to verify:
101
102 modify
103 modify [-subtrees subtree_dn_list] [-sscope search_scope] [-contain‐
104 erref container_reference_dn] [-r realm] [-maxtktlife
105 max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
106 [ticket_flags]
107
108 Modifies the attributes of a realm. Options:
109
110 -subtrees subtree_dn_list
111 Specifies the list of subtrees containing the principals of a
112 realm. The list contains the DNs of the subtree objects sepa‐
113 rated by colon (:). This list replaces the existing list.
114
115 -sscope search_scope
116 Specifies the scope for searching the principals under the sub‐
117 trees. The possible values are 1 or one (one level), 2 or sub
118 (subtrees).
119
120 -containerref container_reference_dn Specifies the DN of the
121 container object in which the principals of a realm will be cre‐
122 ated.
123
124 -r realm
125 Specifies the Kerberos realm of the database.
126
127 -maxtktlife max_ticket_life
128 (getdate string) Specifies maximum ticket life for principals in
129 this realm.
130
131 -maxrenewlife max_renewable_ticket_life
132 (getdate string) Specifies maximum renewable life of tickets for
133 principals in this realm.
134
135 ticket_flags
136 Specifies global ticket flags for the realm. Allowable flags
137 are documented in the description of the add_principal command
138 in kadmin(1).
139
140 Example:
141
142 shell% kdb5_ldap_util -D cn=admin,o=org -H
143 ldaps://ldap-server1.mit.edu modify +requires_preauth -r
144 ATHENA.MIT.EDU
145 Password for "cn=admin,o=org":
146 shell%
147
148 view
149 view [-r realm]
150
151 Displays the attributes of a realm. Options:
152
153 -r realm
154 Specifies the Kerberos realm of the database.
155
156 Example:
157
158 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
159 view -r ATHENA.MIT.EDU
160 Password for "cn=admin,o=org":
161 Realm Name: ATHENA.MIT.EDU
162 Subtree: ou=users,o=org
163 Subtree: ou=servers,o=org
164 SearchScope: ONE
165 Maximum ticket life: 0 days 01:00:00
166 Maximum renewable life: 0 days 10:00:00
167 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
168
169 destroy
170 destroy [-f] [-r realm]
171
172 Destroys an existing realm. Options:
173
174 -f If specified, will not prompt the user for confirmation.
175
176 -r realm
177 Specifies the Kerberos realm of the database.
178
179 Example:
180
181 shell% kdb5_ldap_util -D cn=admin,o=org -H
182 ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
183 Password for "cn=admin,o=org":
184 Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
185 (type 'yes' to confirm)? yes
186 OK, deleting database of 'ATHENA.MIT.EDU'...
187 shell%
188
189 list
190 list
191
192 Lists the name of realms.
193
194 Example:
195
196 shell% kdb5_ldap_util -D cn=admin,o=org -H
197 ldaps://ldap-server1.mit.edu list
198 Password for "cn=admin,o=org":
199 ATHENA.MIT.EDU
200 OPENLDAP.MIT.EDU
201 MEDIA-LAB.MIT.EDU
202 shell%
203
204 stashsrvpw
205 stashsrvpw [-f filename] name
206
207 Allows an administrator to store the password for service object in a
208 file so that KDC and Administration server can use it to authenticate
209 to the LDAP server. Options:
210
211 -f filename
212 Specifies the complete path of the service password file. By
213 default, /usr/local/var/service_passwd is used.
214
215 name Specifies the name of the object whose password is to be stored.
216 If krb5kdc(8) or kadmind(8) are configured for simple binding,
217 this should be the distinguished name it will use as given by
218 the ldap_kdc_dn or ldap_kadmind_dn variable in kdc.conf(5). If
219 the KDC or kadmind is configured for SASL binding, this should
220 be the authentication name it will use as given by the
221 ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid variable.
222
223 Example:
224
225 kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
226 cn=service-kdc,o=org
227 Password for "cn=service-kdc,o=org":
228 Re-enter password for "cn=service-kdc,o=org":
229
230 create_policy
231 create_policy [-r realm] [-maxtktlife max_ticket_life] [-maxre‐
232 newlife max_renewable_ticket_life] [ticket_flags] policy_name
233
234 Creates a ticket policy in the directory. Options:
235
236 -r realm
237 Specifies the Kerberos realm of the database.
238
239 -maxtktlife max_ticket_life
240 (getdate string) Specifies maximum ticket life for principals.
241
242 -maxrenewlife max_renewable_ticket_life
243 (getdate string) Specifies maximum renewable life of tickets for
244 principals.
245
246 ticket_flags
247 Specifies the ticket flags. If this option is not specified, by
248 default, no restriction will be set by the policy. Allowable
249 flags are documented in the description of the add_principal
250 command in kadmin(1).
251
252 policy_name
253 Specifies the name of the ticket policy.
254
255 Example:
256
257 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
258 create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
259 -maxrenewlife "1 week" -allow_postdated +needchange
260 -allow_forwardable tktpolicy
261 Password for "cn=admin,o=org":
262
263 modify_policy
264 modify_policy [-r realm] [-maxtktlife max_ticket_life] [-maxre‐
265 newlife max_renewable_ticket_life] [ticket_flags] policy_name
266
267 Modifies the attributes of a ticket policy. Options are same as for
268 create_policy.
269
270 Example:
271
272 kdb5_ldap_util -D cn=admin,o=org -H
273 ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
274 -maxtktlife "60 minutes" -maxrenewlife "10 hours"
275 +allow_postdated -requires_preauth tktpolicy
276 Password for "cn=admin,o=org":
277
278 view_policy
279 view_policy [-r realm] policy_name
280
281 Displays the attributes of a ticket policy. Options:
282
283 policy_name
284 Specifies the name of the ticket policy.
285
286 Example:
287
288 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
289 view_policy -r ATHENA.MIT.EDU tktpolicy
290 Password for "cn=admin,o=org":
291 Ticket policy: tktpolicy
292 Maximum ticket life: 0 days 01:00:00
293 Maximum renewable life: 0 days 10:00:00
294 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
295
296 destroy_policy
297 destroy_policy [-r realm] [-force] policy_name
298
299 Destroys an existing ticket policy. Options:
300
301 -r realm
302 Specifies the Kerberos realm of the database.
303
304 -force Forces the deletion of the policy object. If not specified, the
305 user will be prompted for confirmation before deleting the pol‐
306 icy.
307
308 policy_name
309 Specifies the name of the ticket policy.
310
311 Example:
312
313 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
314 destroy_policy -r ATHENA.MIT.EDU tktpolicy
315 Password for "cn=admin,o=org":
316 This will delete the policy object 'tktpolicy', are you sure?
317 (type 'yes' to confirm)? yes
318 ** policy object 'tktpolicy' deleted.
319
320 list_policy
321 list_policy [-r realm]
322
323 Lists the ticket policies in realm if specified or in the default
324 realm. Options:
325
326 -r realm
327 Specifies the Kerberos realm of the database.
328
329 Example:
330
331 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
332 list_policy -r ATHENA.MIT.EDU
333 Password for "cn=admin,o=org":
334 tktpolicy
335 tmppolicy
336 userpolicy
337
339 kadmin(1)
340
342 MIT
343
345 1985-2018, MIT
346
347
348
349
3501.16.1 KDB5_LDAP_UTIL(8)