KDB5_LDAP_UTIL(8)                 MIT Kerberos                 KDB5_LDAP_UTIL(8)

NAME
       kdb5_ldap_util - Kerberos configuration utility

SYNOPSIS
       kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command
       [command_options]

DESCRIPTION
       kdb5_ldap_util allows an administrator to manage realms, Kerberos
       services and ticket policies.

OPTIONS
       -r realm
              Specifies the realm to be operated on.

       -D user_dn
              Specifies the Distinguished Name (DN) of the user who has
              sufficient rights to perform the operation on the LDAP server.

       -w passwd
              Specifies the password of user_dn.  This option is not
              recommended.

       -H ldapuri
              Specifies the URI of the LDAP server.

       By default, kdb5_ldap_util operates on the default realm (as specified
       in krb5.conf(5)) and connects and authenticates to the LDAP server in
       the same manner as kadmind(8) would, given the parameters in
       dbdefaults in kdc.conf(5).

COMMANDS
   create
       create [-subtrees subtree_dn_list] [-sscope search_scope]
       [-containerref container_reference_dn] [-k mkeytype] [-kv mkeyVNO]
       [-M mkeyname] [-m|-P password|-sf stashfilename] [-s]
       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]

       Creates a realm in the directory.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtree.  The possible values are 1 or one (one level), 2 or
              sub (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the
              principals of a realm will be created.  If the container
              reference is not configured for a realm, the principals will be
              created in the realm container.

       -k mkeytype
              Specifies the key type of the master key in the database.  The
              default is given by the master_key_type variable in kdc.conf(5).

       -kv mkeyVNO
              Specifies the version number of the master key in the database;
              the default is 1.  Note that 0 is not allowed.

       -M mkeyname
              Specifies the principal name for the master key in the database.
              If not specified, the name is determined by the master_key_name
              variable in kdc.conf(5).

       -m     Specifies that the master database password should be read from
              the TTY rather than fetched from a file on the disk.

       -P password
              Specifies the master database password.  This option is not
              recommended.

       -sf stashfilename
              Specifies the stash file of the master database password.

       -s     Specifies that the stash file is to be created.

       -maxtktlife max_ticket_life
              (getdate string) Specifies maximum ticket life for principals
              in this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate string) Specifies maximum renewable life of tickets
              for principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal command
              in kadmin(1).

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
          Password for "cn=admin,o=org":
          Initializing database for realm 'ATHENA.MIT.EDU'
          You will be prompted for the database Master Password.
          It is important that you NOT FORGET this password.
          Enter KDC database master key:
          Re-enter KDC database master key to verify:

   modify
       modify [-subtrees subtree_dn_list] [-sscope search_scope]
       [-containerref container_reference_dn] [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

       Modifies the attributes of a realm.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).  This list replaces the existing list.

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtrees.  The possible values are 1 or one (one level), 2 or
              sub (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the
              principals of a realm will be created.

       -maxtktlife max_ticket_life
              (getdate string) Specifies maximum ticket life for principals
              in this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate string) Specifies maximum renewable life of tickets
              for principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal command
              in kadmin(1).

       Example:

          shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu modify +requires_preauth
          Password for "cn=admin,o=org":
          shell%

   view
       view

       Displays the attributes of a realm.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU view
          Password for "cn=admin,o=org":
          Realm Name: ATHENA.MIT.EDU
          Subtree: ou=users,o=org
          Subtree: ou=servers,o=org
          SearchScope: ONE
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

   destroy
       destroy [-f]

       Destroys an existing realm.  Options:

       -f     If specified, will not prompt the user for confirmation.

       Example:

          shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu destroy
          Password for "cn=admin,o=org":
          Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
          (type 'yes' to confirm)? yes
          OK, deleting database of 'ATHENA.MIT.EDU'...
          shell%

   list
       list

       Lists the names of realms under the container.

       Example:

          shell% kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu list
          Password for "cn=admin,o=org":
          ATHENA.MIT.EDU
          OPENLDAP.MIT.EDU
          MEDIA-LAB.MIT.EDU
          shell%

   stashsrvpw
       stashsrvpw [-f filename] name

       Allows an administrator to store the password for a service object in
       a file so that the KDC and administration server can use it to
       authenticate to the LDAP server.  Options:

       -f filename
              Specifies the complete path of the service password file.  By
              default, /usr/local/var/service_passwd is used.

       name   Specifies the name of the object whose password is to be stored.
              If krb5kdc(8) or kadmind(8) are configured for simple binding,
              this should be the distinguished name it will use as given by
              the ldap_kdc_dn or ldap_kadmind_dn variable in kdc.conf(5).  If
              the KDC or kadmind is configured for SASL binding, this should
              be the authentication name it will use as given by the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid variable.

       Example:

          kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
              cn=service-kdc,o=org
          Password for "cn=service-kdc,o=org":
          Re-enter password for "cn=service-kdc,o=org":

   create_policy
       create_policy [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name

       Creates a ticket policy in the directory.  Options:

       -maxtktlife max_ticket_life
              (getdate string) Specifies maximum ticket life for principals.

       -maxrenewlife max_renewable_ticket_life
              (getdate string) Specifies maximum renewable life of tickets
              for principals.

       ticket_flags
              Specifies the ticket flags.  If this option is not specified,
              by default, no restriction will be set by the policy.  Allowable
              flags are documented in the description of the add_principal
              command in kadmin(1).

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
              -maxrenewlife "1 week" -allow_postdated +needchange
              -allow_forwardable tktpolicy
          Password for "cn=admin,o=org":

   modify_policy
       modify_policy [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name

       Modifies the attributes of a ticket policy.  Options are the same as
       for create_policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy
              -maxtktlife "60 minutes" -maxrenewlife "10 hours"
              +allow_postdated -requires_preauth tktpolicy
          Password for "cn=admin,o=org":

   view_policy
       view_policy policy_name

       Displays the attributes of the named ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU view_policy tktpolicy
          Password for "cn=admin,o=org":
          Ticket policy: tktpolicy
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
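
       The following is an added example and not part of the MIT man page: a
       small Python parser for the text that view and view_policy print (the
       "N days HH:MM:SS" lifetimes and the space-separated flag list), with an
       audit function that reports where a realm or policy is looser than a
       caller-supplied baseline.  The thresholds and the required flag names
       are assumptions chosen by the caller; the embedded sample is the
       view_policy output shown in the example above.

```python
import re

# Constructed sample: the view_policy output from the man page example.
SAMPLE_POLICY = """\
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""

# Lifetimes are printed as "N days HH:MM:SS" by view and view_policy.
_LIFE_RE = re.compile(r"^(\d+) days (\d{2}):(\d{2}):(\d{2})$")


def parse_lifetime(text):
    """Convert the 'N days HH:MM:SS' form to a number of seconds."""
    m = _LIFE_RE.match(text.strip())
    if not m:
        raise ValueError("unexpected lifetime format: %r" % text)
    days, hours, minutes, seconds = (int(g) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_view(output):
    """Turn 'Key: value' lines into a dict.

    'Subtree' may repeat (realm view), so it is collected as a list;
    'Ticket flags' becomes a set; lifetimes are converted to seconds.
    """
    parsed = {"subtrees": [], "flags": set()}
    for line in output.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Subtree":
            parsed["subtrees"].append(value)
        elif key == "Ticket flags":
            parsed["flags"] = set(value.split())
        elif key in ("Maximum ticket life", "Maximum renewable life"):
            parsed[key] = parse_lifetime(value)
        else:
            parsed[key] = value
    return parsed


def audit(parsed, required_flags, max_tkt_life=10 * 3600, max_renew_life=7 * 86400):
    """Report where a parsed realm/policy is looser than the caller's baseline.

    The default limits (10 h ticket life, 7 d renewable life) are assumptions.
    """
    findings = []
    if parsed.get("Maximum ticket life", 0) > max_tkt_life:
        findings.append("ticket life exceeds baseline")
    if parsed.get("Maximum renewable life", 0) > max_renew_life:
        findings.append("renewable life exceeds baseline")
    for flag in sorted(set(required_flags) - parsed["flags"]):
        findings.append("required flag missing: " + flag)
    return findings
```

       Feed it the captured output of view or view_policy for each realm and
       policy, and compare the findings against the baseline the site expects.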

   destroy_policy
       destroy_policy [-force] policy_name

       Destroys an existing ticket policy.  Options:

       -force Forces the deletion of the policy object.  If not specified, the
              user will be prompted for confirmation before deleting the
              policy.

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU destroy_policy tktpolicy
          Password for "cn=admin,o=org":
          This will delete the policy object 'tktpolicy', are you sure?
          (type 'yes' to confirm)? yes
          ** policy object 'tktpolicy' deleted.

   list_policy
       list_policy

       Lists ticket policies.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU list_policy
          Password for "cn=admin,o=org":
          tktpolicy
          tmppolicy
          userpolicy

ENVIRONMENT
       See kerberos(7) for a description of Kerberos environment variables.

SEE ALSO
       kadmin(1), kerberos(7)

AUTHOR
       MIT

COPYRIGHT
       1985-2021, MIT

1.19.2                                                       KDB5_LDAP_UTIL(8)