KDB5_LDAP_UTIL(8)                MIT Kerberos                KDB5_LDAP_UTIL(8)

NAME

       kdb5_ldap_util - Kerberos configuration utility


SYNOPSIS

       kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command
       [command_options]


DESCRIPTION

       kdb5_ldap_util allows an administrator to manage realms, Kerberos
       services and ticket policies.


COMMAND-LINE OPTIONS

       -r realm
              Specifies the realm to be operated on.

       -D user_dn
              Specifies the Distinguished Name (DN) of the user who has
              sufficient rights to perform the operation on the LDAP server.

       -w passwd
              Specifies the password of user_dn.  This option is not
              recommended.

       -H ldapuri
              Specifies the URI of the LDAP server.

       By default, kdb5_ldap_util operates on the default realm (as specified
       in krb5.conf(5)) and connects and authenticates to the LDAP server in
       the same manner as kadmind(8) would given the parameters in dbdefaults
       in kdc.conf(5).


COMMANDS

   create
          create [-subtrees subtree_dn_list] [-sscope search_scope]
          [-containerref container_reference_dn] [-k mkeytype] [-kv mkeyVNO]
          [-M mkeyname] [-m|-P password|-sf stashfilename] [-s]
          [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

       Creates a realm in the directory.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtree.  The possible values are 1 or one (one level), 2 or sub
              (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the principals
              of a realm will be created.  If the container reference is not
              configured for a realm, the principals will be created in the
              realm container.

       -k mkeytype
              Specifies the key type of the master key in the database.  The
              default is given by the master_key_type variable in kdc.conf(5).

       -kv mkeyVNO
              Specifies the version number of the master key in the database;
              the default is 1.  Note that 0 is not allowed.

       -M mkeyname
              Specifies the principal name for the master key in the database.
              If not specified, the name is determined by the master_key_name
              variable in kdc.conf(5).

       -m     Specifies that the master database password should be read from
              the TTY rather than fetched from a file on the disk.

       -P password
              Specifies the master database password.  This option is not
              recommended.

       -sf stashfilename
              Specifies the stash file of the master database password.

       -s     Specifies that the stash file is to be created.

       -maxtktlife max_ticket_life
              (getdate string) Specifies maximum ticket life for principals in
              this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate string) Specifies maximum renewable life of tickets for
              principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal command
              in kadmin(1).

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
          Password for "cn=admin,o=org":
          Initializing database for realm 'ATHENA.MIT.EDU'
          You will be prompted for the database Master Password.
          It is important that you NOT FORGET this password.
          Enter KDC database master key:
          Re-enter KDC database master key to verify:

   modify
          modify [-subtrees subtree_dn_list] [-sscope search_scope]
          [-containerref container_reference_dn] [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

       Modifies the attributes of a realm.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).  This list replaces the existing list.

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtrees.  The possible values are 1 or one (one level), 2 or sub
              (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the principals
              of a realm will be created.

       -maxtktlife max_ticket_life
              (getdate string) Specifies maximum ticket life for principals in
              this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate string) Specifies maximum renewable life of tickets for
              principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal command
              in kadmin(1).

       Example:

          shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu modify +requires_preauth
          Password for "cn=admin,o=org":
          shell%

   view
          view

       Displays the attributes of a realm.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU view
          Password for "cn=admin,o=org":
          Realm Name: ATHENA.MIT.EDU
          Subtree: ou=users,o=org
          Subtree: ou=servers,o=org
          SearchScope: ONE
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

   destroy
          destroy [-f]

       Destroys an existing realm.  Options:

       -f     If specified, will not prompt the user for confirmation.

       Example:

          shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu destroy
          Password for "cn=admin,o=org":
          Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
          (type 'yes' to confirm)? yes
          OK, deleting database of 'ATHENA.MIT.EDU'...
          shell%

   list
          list

       Lists the names of realms under the container.

       Example:

          shell% kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu list
          Password for "cn=admin,o=org":
          ATHENA.MIT.EDU
          OPENLDAP.MIT.EDU
          MEDIA-LAB.MIT.EDU
          shell%

   stashsrvpw
          stashsrvpw [-f filename] name

       Allows an administrator to store the password for a service object in
       a file so that the KDC and Administration server can use it to
       authenticate to the LDAP server.  Options:

       -f filename
              Specifies the complete path of the service password file.  By
              default, /usr/local/var/service_passwd is used.

       name   Specifies the name of the object whose password is to be stored.
              If krb5kdc(8) or kadmind(8) are configured for simple binding,
              this should be the distinguished name it will use as given by
              the ldap_kdc_dn or ldap_kadmind_dn variable in kdc.conf(5).  If
              the KDC or kadmind is configured for SASL binding, this should
              be the authentication name it will use as given by the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid variable.

       Example:

          kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
              cn=service-kdc,o=org
          Password for "cn=service-kdc,o=org":
          Re-enter password for "cn=service-kdc,o=org":

   create_policy
          create_policy [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name

       Creates a ticket policy in the directory.  Options:

       -maxtktlife max_ticket_life
              (getdate string) Specifies maximum ticket life for principals.

       -maxrenewlife max_renewable_ticket_life
              (getdate string) Specifies maximum renewable life of tickets for
              principals.

       ticket_flags
              Specifies the ticket flags.  If this option is not specified, by
              default, no restriction will be set by the policy.  Allowable
              flags are documented in the description of the add_principal
              command in kadmin(1).

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
              -maxrenewlife "1 week" -allow_postdated +needchange
              -allow_forwardable tktpolicy
          Password for "cn=admin,o=org":

   modify_policy
          modify_policy [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name

       Modifies the attributes of a ticket policy.  Options are the same as
       for create_policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy
              -maxtktlife "60 minutes" -maxrenewlife "10 hours"
              +allow_postdated -requires_preauth tktpolicy
          Password for "cn=admin,o=org":

   view_policy
          view_policy policy_name

       Displays the attributes of the named ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU view_policy tktpolicy
          Password for "cn=admin,o=org":
          Ticket policy: tktpolicy
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

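       To see how the create_policy and modify_policy examples above combine
       into the view_policy output, here is an added Python model that is not
       part of the man page or of MIT Kerberos: it applies kadmin(1)-style
       +option/-option tokens to a set of KDB flag names and renders
       getdate-style lifetimes in the "D days HH:MM:SS" layout the page shows.
       The option-to-flag mapping follows kadmin(1); the duration parser is an
       assumption that only accepts the simple "<n> <unit>" strings used in
       the examples.

```python
import re

# kadmin(1) ticket-flag option names and the KDB flag each one controls.
# For the allow_* options the sense is inverted: "-allow_x" SETS DISALLOW_X
# and "+allow_x" clears it; for the others "+" sets and "-" clears.
FLAG_OPTIONS = {
    "allow_postdated":   ("DISALLOW_POSTDATED", True),
    "allow_forwardable": ("DISALLOW_FORWARDABLE", True),
    "allow_renewable":   ("DISALLOW_RENEWABLE", True),
    "allow_proxiable":   ("DISALLOW_PROXIABLE", True),
    "allow_tix":         ("DISALLOW_ALL_TIX", True),
    "requires_preauth":  ("REQUIRES_PRE_AUTH", False),
    "requires_hwauth":   ("REQUIRES_HW_AUTH", False),
    "needchange":        ("REQUIRES_PWCHANGE", False),
}

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}

def apply_ticket_flags(flags, tokens):
    """Apply +option/-option tokens to a set of KDB flag names; returns a new set."""
    flags = set(flags)
    for tok in tokens:
        sign, name = tok[:1], tok[1:]
        if sign not in ("+", "-") or name not in FLAG_OPTIONS:
            raise ValueError(f"unknown ticket flag option: {tok!r}")
        kdb_flag, inverted = FLAG_OPTIONS[name]
        # "+" enables the option; for allow_* that means clearing the DISALLOW bit.
        set_bit = (sign == "+") != inverted
        (flags.add if set_bit else flags.discard)(kdb_flag)
    return flags

def parse_getdate_duration(text):
    """Assumed simplification: only "<n> <unit>" getdate strings are accepted."""
    m = re.fullmatch(r"\s*(\d+)\s+(second|minute|hour|day|week)s?\s*", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def format_lifetime(seconds):
    """Render a lifetime in the "D days HH:MM:SS" layout shown by view_policy."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days} days {hours:02d}:{minutes:02d}:{secs:02d}"

# Replay the page's create_policy and modify_policy examples on 'tktpolicy'.
CREATED = apply_ticket_flags(set(), ["-allow_postdated", "+needchange", "-allow_forwardable"])
MODIFIED = apply_ticket_flags(CREATED, ["+allow_postdated", "-requires_preauth"])
```

       After the replay, MODIFIED holds exactly DISALLOW_FORWARDABLE and
       REQUIRES_PWCHANGE, and "60 minutes" / "10 hours" render as the
       0 days 01:00:00 and 0 days 10:00:00 lines in the view_policy example.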
   destroy_policy
          destroy_policy [-force] policy_name

       Destroys an existing ticket policy.  Options:

       -force Forces the deletion of the policy object.  If not specified, the
              user will be prompted for confirmation before deleting the
              policy.

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU destroy_policy tktpolicy
          Password for "cn=admin,o=org":
          This will delete the policy object 'tktpolicy', are you sure?
          (type 'yes' to confirm)? yes
          ** policy object 'tktpolicy' deleted.

   list_policy
          list_policy

       Lists ticket policies.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU list_policy
          Password for "cn=admin,o=org":
          tktpolicy
          tmppolicy
          userpolicy


ENVIRONMENT

       See kerberos(7) for a description of Kerberos environment variables.


SEE ALSO

       kadmin(1), kerberos(7)


AUTHOR

       MIT

       1985-2021, MIT

1.19.1                                                       KDB5_LDAP_UTIL(8)