1KDB5_LDAP_UTIL(8) MIT Kerberos KDB5_LDAP_UTIL(8)
2
6 kdb5_ldap_util - Kerberos configuration utility
7
9 kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command [com‐
10 mand_options]
11
13 kdb5_ldap_util allows an administrator to manage realms, Kerberos ser‐
14 vices and ticket policies.
15
17 -r realm
18 Specifies the realm to be operated on.
19 -D user_dn
21 Specifies the Distinguished Name (DN) of the user who has suffi‐
22 cient rights to perform the operation on the LDAP server.
23 -w passwd
25 Specifies the password of user_dn. This option is not recom‐
26 mended.
27 -H ldapuri
29 Specifies the URI of the LDAP server.
30 By default, kdb5_ldap_util operates on the default realm (as specified
32 in krb5.conf(5)) and connects and authenticates to the LDAP server in
33 the same manner as :ref:kadmind(8)` would given the parameters in dbde‐
34 faults in kdc.conf(5).
35
37 create
38 create [-subtrees subtree_dn_list] [-sscope search_scope] [-contain‐
39 erref container_reference_dn] [-k mkeytype] [-kv mkeyVNO] [-M mkey‐
40 name] [-m|-P password|-sf stashfilename] [-s] [-maxtktlife
41 max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
42 [ticket_flags]
43 Creates realm in directory. Options:
45 -subtrees subtree_dn_list
47 Specifies the list of subtrees containing the principals of a
48 realm. The list contains the DNs of the subtree objects sepa‐
49 rated by colon (:).
50 -sscope search_scope
52 Specifies the scope for searching the principals under the sub‐
53 tree. The possible values are 1 or one (one level), 2 or sub
54 (subtrees).
55 -containerref container_reference_dn
57 Specifies the DN of the container object in which the principals
58 of a realm will be created. If the container reference is not
59 configured for a realm, the principals will be created in the
60 realm container.
61 -k mkeytype
63 Specifies the key type of the master key in the database. The
64 default is given by the master_key_type variable in kdc.conf(5).
65 -kv mkeyVNO
67 Specifies the version number of the master key in the database;
68 the default is 1. Note that 0 is not allowed.
69 -M mkeyname
71 Specifies the principal name for the master key in the database.
72 If not specified, the name is determined by the master_key_name
73 variable in kdc.conf(5).
74 -m Specifies that the master database password should be read from
76 the TTY rather than fetched from a file on the disk.
77 -P password
79 Specifies the master database password. This option is not rec‐
80 ommended.
81 -sf stashfilename
83 Specifies the stash file of the master database password.
84 -s Specifies that the stash file is to be created.
86 -maxtktlife max_ticket_life
88 (getdate string) Specifies maximum ticket life for principals in
89 this realm.
90 -maxrenewlife max_renewable_ticket_life
92 (getdate string) Specifies maximum renewable life of tickets for
93 principals in this realm.
94 ticket_flags
96 Specifies global ticket flags for the realm. Allowable flags
97 are documented in the description of the add_principal command
98 in kadmin(1).
99 Example:
101 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
103 -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
104 Password for "cn=admin,o=org":
105 Initializing database for realm 'ATHENA.MIT.EDU'
106 You will be prompted for the database Master Password.
107 It is important that you NOT FORGET this password.
108 Enter KDC database master key:
109 Re-enter KDC database master key to verify:
110 modify
112 modify [-subtrees subtree_dn_list] [-sscope search_scope] [-contain‐
113 erref container_reference_dn] [-maxtktlife max_ticket_life] [-maxre‐
114 newlife max_renewable_ticket_life] [ticket_flags]
115 Modifies the attributes of a realm. Options:
117 -subtrees subtree_dn_list
119 Specifies the list of subtrees containing the principals of a
120 realm. The list contains the DNs of the subtree objects sepa‐
121 rated by colon (:). This list replaces the existing list.
122 -sscope search_scope
124 Specifies the scope for searching the principals under the sub‐
125 trees. The possible values are 1 or one (one level), 2 or sub
126 (subtrees).
127 -containerref container_reference_dn Specifies the DN of the
129 container object in which the principals of a realm will be cre‐
130 ated.
131 -maxtktlife max_ticket_life
133 (getdate string) Specifies maximum ticket life for principals in
134 this realm.
135 -maxrenewlife max_renewable_ticket_life
137 (getdate string) Specifies maximum renewable life of tickets for
138 principals in this realm.
139 ticket_flags
141 Specifies global ticket flags for the realm. Allowable flags
142 are documented in the description of the add_principal command
143 in kadmin(1).
144 Example:
146 shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
148 ldaps://ldap-server1.mit.edu modify +requires_preauth
149 Password for "cn=admin,o=org":
150 shell%
151 view
153 view
154 Displays the attributes of a realm.
156 Example:
158 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
160 -r ATHENA.MIT.EDU view
161 Password for "cn=admin,o=org":
162 Realm Name: ATHENA.MIT.EDU
163 Subtree: ou=users,o=org
164 Subtree: ou=servers,o=org
165 SearchScope: ONE
166 Maximum ticket life: 0 days 01:00:00
167 Maximum renewable life: 0 days 10:00:00
168 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
169 destroy
171 destroy [-f]
172 Destroys an existing realm. Options:
174 -f If specified, will not prompt the user for confirmation.
176 Example:
178 shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
180 ldaps://ldap-server1.mit.edu destroy
181 Password for "cn=admin,o=org":
182 Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
183 (type 'yes' to confirm)? yes
184 OK, deleting database of 'ATHENA.MIT.EDU'...
185 shell%
186 list
188 list
189 Lists the names of realms under the container.
191 Example:
193 shell% kdb5_ldap_util -D cn=admin,o=org -H
195 ldaps://ldap-server1.mit.edu list
196 Password for "cn=admin,o=org":
197 ATHENA.MIT.EDU
198 OPENLDAP.MIT.EDU
199 MEDIA-LAB.MIT.EDU
200 shell%
201 stashsrvpw
203 stashsrvpw [-f filename] name
204 Allows an administrator to store the password for service object in a
206 file so that KDC and Administration server can use it to authenticate
207 to the LDAP server. Options:
208 -f filename
210 Specifies the complete path of the service password file. By de‐
211 fault, /usr/local/var/service_passwd is used.
212 name Specifies the name of the object whose password is to be stored.
214 If krb5kdc(8) or kadmind(8) are configured for simple binding,
215 this should be the distinguished name it will use as given by
216 the ldap_kdc_dn or ldap_kadmind_dn variable in kdc.conf(5). If
217 the KDC or kadmind is configured for SASL binding, this should
218 be the authentication name it will use as given by the
219 ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid variable.
220 Example:
222 kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
224 cn=service-kdc,o=org
225 Password for "cn=service-kdc,o=org":
226 Re-enter password for "cn=service-kdc,o=org":
227 create_policy
229 create_policy [-maxtktlife max_ticket_life] [-maxrenewlife max_re‐
230 newable_ticket_life] [ticket_flags] policy_name
231 Creates a ticket policy in the directory. Options:
233 -maxtktlife max_ticket_life
235 (getdate string) Specifies maximum ticket life for principals.
236 -maxrenewlife max_renewable_ticket_life
238 (getdate string) Specifies maximum renewable life of tickets for
239 principals.
240 ticket_flags
242 Specifies the ticket flags. If this option is not specified, by
243 default, no restriction will be set by the policy. Allowable
244 flags are documented in the description of the add_principal
245 command in kadmin(1).
246 policy_name
248 Specifies the name of the ticket policy.
249 Example:
251 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
253 -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
254 -maxrenewlife "1 week" -allow_postdated +needchange
255 -allow_forwardable tktpolicy
256 Password for "cn=admin,o=org":
257 modify_policy
259 modify_policy [-maxtktlife max_ticket_life] [-maxrenewlife max_re‐
260 newable_ticket_life] [ticket_flags] policy_name
261 Modifies the attributes of a ticket policy. Options are same as for
263 create_policy.
264 Example:
266 kdb5_ldap_util -D cn=admin,o=org -H
268 ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy
269 -maxtktlife "60 minutes" -maxrenewlife "10 hours"
270 +allow_postdated -requires_preauth tktpolicy
271 Password for "cn=admin,o=org":
272 view_policy
274 view_policy policy_name
275 Displays the attributes of the named ticket policy.
277 Example:
279 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
281 -r ATHENA.MIT.EDU view_policy tktpolicy
282 Password for "cn=admin,o=org":
283 Ticket policy: tktpolicy
284 Maximum ticket life: 0 days 01:00:00
285 Maximum renewable life: 0 days 10:00:00
286 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
287 destroy_policy
289 destroy_policy [-force] policy_name
290 Destroys an existing ticket policy. Options:
292 -force Forces the deletion of the policy object. If not specified, the
294 user will be prompted for confirmation before deleting the pol‐
295 icy.
296 policy_name
298 Specifies the name of the ticket policy.
299 Example:
301 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
303 -r ATHENA.MIT.EDU destroy_policy tktpolicy
304 Password for "cn=admin,o=org":
305 This will delete the policy object 'tktpolicy', are you sure?
306 (type 'yes' to confirm)? yes
307 ** policy object 'tktpolicy' deleted.
308 list_policy
310 list_policy
311 Lists ticket policies.
313 Example:
315 kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
317 -r ATHENA.MIT.EDU list_policy
318 Password for "cn=admin,o=org":
319 tktpolicy
320 tmppolicy
321 userpolicy
322
324 See kerberos(7) for a description of Kerberos environment variables.
325
327 kadmin(1), kerberos(7)
328
330 MIT
331
333 1985-2021, MIT
3341.19.1 KDB5_LDAP_UTIL(8)