KDB5_LDAP_UTIL(8)                 MIT Kerberos                 KDB5_LDAP_UTIL(8)



NAME
       kdb5_ldap_util - Kerberos configuration utility

SYNOPSIS
       kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command
       [command_options]

DESCRIPTION
       kdb5_ldap_util allows an administrator to manage realms, Kerberos
       services and ticket policies.

COMMAND-LINE OPTIONS
       -r realm
              Specifies the realm to be operated on.

       -D user_dn
              Specifies the Distinguished Name (DN) of the user who has
              sufficient rights to perform the operation on the LDAP server.

       -w passwd
              Specifies the password of user_dn.  This option is not
              recommended: a password given on the command line is visible
              to other local users in the process list and may be recorded
              in the shell history.  Omit it and enter the password at the
              prompt instead.

       -H ldapuri
              Specifies the URI of the LDAP server.

       By default, kdb5_ldap_util operates on the default realm (as specified
       in krb5.conf) and connects and authenticates to the LDAP server in the
       same manner as kadmind(8) would given the parameters in [dbdefaults]
       in kdc.conf.
COMMANDS
   create
       create [-subtrees subtree_dn_list] [-sscope search_scope]
       [-containerref container_reference_dn] [-k mkeytype] [-kv mkeyVNO]
       [-M mkeyname] [-m|-P password|-sf stashfilename] [-s]
       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]

       Creates realm in directory.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtree.  The possible values are 1 or one (one level), 2 or
              sub (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the
              principals of a realm will be created.  If the container
              reference is not configured for a realm, the principals will
              be created in the realm container.

       -k mkeytype
              Specifies the key type of the master key in the database.  The
              default is given by the master_key_type variable in kdc.conf.

       -kv mkeyVNO
              Specifies the version number of the master key in the
              database; the default is 1.  Note that 0 is not allowed.

       -M mkeyname
              Specifies the principal name for the master key in the
              database.  If not specified, the name is determined by the
              master_key_name variable in kdc.conf.

       -m     Specifies that the master database password should be read
              from the TTY rather than fetched from a file on the disk.

       -P password
              Specifies the master database password.  This option is not
              recommended: a password given on the command line is visible
              to other local users in the process list and may be recorded
              in the shell history.  Use -m to be prompted for it, or -sf to
              read it from a stash file, instead.

       -sf stashfilename
              Specifies the stash file of the master database password.

       -s     Specifies that the stash file is to be created.  The stash
              file holds the master key in a form the KDC can use without
              prompting, so it must be readable only by the KDC.

       -maxtktlife max_ticket_life
              (getdate time string) Specifies maximum ticket life for
              principals in this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate time string) Specifies maximum renewable life of
              tickets for principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal
              command in kadmin.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
          Password for "cn=admin,o=org":
          Initializing database for realm 'ATHENA.MIT.EDU'
          You will be prompted for the database Master Password.
          It is important that you NOT FORGET this password.
          Enter KDC database master key:
          Re-enter KDC database master key to verify:
   modify
       modify [-subtrees subtree_dn_list] [-sscope search_scope]
       [-containerref container_reference_dn] [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

       Modifies the attributes of a realm.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).  This list replaces the existing list.

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtrees.  The possible values are 1 or one (one level), 2 or
              sub (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the
              principals of a realm will be created.

       -maxtktlife max_ticket_life
              (getdate time string) Specifies maximum ticket life for
              principals in this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate time string) Specifies maximum renewable life of
              tickets for principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal
              command in kadmin.

       Example:

          shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu modify +requires_preauth
          Password for "cn=admin,o=org":
          shell%

   view
       view

       Displays the attributes of a realm.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU view
          Password for "cn=admin,o=org":
          Realm Name: ATHENA.MIT.EDU
          Subtree: ou=users,o=org
          Subtree: ou=servers,o=org
          SearchScope: ONE
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
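       The attributes printed by view are worth checking against a baseline
       rather than reading by eye, in particular whether REQUIRES_PRE_AUTH is
       among the realm's ticket flags (the modify example above turns it on
       with +requires_preauth).  The following Python script is an added
       example written for this page, not part of MIT Kerberos: it parses
       the view output shown above (embedded here as a constructed sample),
       converts the lifetime strings to seconds, and reports findings against
       thresholds that are assumptions of the example rather than anything
       kdb5_ldap_util enforces.  run_view() shows how the same parser would
       be fed from a real invocation; it is not called when the script runs
       offline.

```python
"""Audit 'kdb5_ldap_util ... view' output for weak realm settings.

Added example for this page, not part of MIT Kerberos.  The sample output
is constructed from the view example above; the thresholds are
assumptions, not values kdb5_ldap_util itself enforces.
"""
import re
import subprocess

# Constructed sample: the realm attributes printed in the view example above.
SAMPLE_VIEW_OUTPUT = """\
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""

# Assumed local baseline, in seconds; adjust to site policy.
MAX_TICKET_LIFE = 10 * 3600          # 10 hours
MAX_RENEWABLE_LIFE = 7 * 24 * 3600   # 7 days

_LIFETIME_RE = re.compile(r"(\d+) days? (\d+):(\d+):(\d+)")


def parse_lifetime(text):
    """Convert the 'N days HH:MM:SS' form printed by view into seconds."""
    match = _LIFETIME_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError("unrecognized lifetime: %r" % text)
    days, hours, minutes, seconds = (int(g) for g in match.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_view(output):
    """Parse 'Key: value' lines from view into a dict.

    'Subtree' may repeat and is collected into a list; 'Ticket flags' is
    split into a set of flag names; every other key maps to its string value.
    """
    realm = {"Subtree": [], "Ticket flags": set()}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Subtree":
            realm["Subtree"].append(value)
        elif key == "Ticket flags":
            realm["Ticket flags"].update(value.split())
        else:
            realm[key] = value
    return realm


def audit_realm(realm):
    """Return a list of findings for a parsed realm; an empty list is a pass."""
    findings = []
    flags = realm["Ticket flags"]
    # Without REQUIRES_PRE_AUTH the KDC issues an AS-REP, encrypted in the
    # principal's long-term key, to any unauthenticated requester, which
    # allows offline password guessing.
    if "REQUIRES_PRE_AUTH" not in flags:
        findings.append("REQUIRES_PRE_AUTH is not set "
                        "(enable with: modify +requires_preauth)")
    for key, limit in (("Maximum ticket life", MAX_TICKET_LIFE),
                       ("Maximum renewable life", MAX_RENEWABLE_LIFE)):
        if key in realm and parse_lifetime(realm[key]) > limit:
            findings.append("%s of %s exceeds the %d second baseline"
                            % (key, realm[key], limit))
    return findings


def run_view(realm_name, bind_dn, ldap_uri):
    """Run the real command and parse its output.

    The LDAP bind password is entered at kdb5_ldap_util's own prompt; it is
    deliberately not passed with -w, which would expose it in the process list.
    """
    cmd = ["kdb5_ldap_util", "-D", bind_dn, "-H", ldap_uri,
           "-r", realm_name, "view"]
    completed = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse_view(completed.stdout)


if __name__ == "__main__":
    for finding in audit_realm(parse_view(SAMPLE_VIEW_OUTPUT)):
        print("FINDING:", finding)
```

       Run against the sample, the script reports only the missing
       REQUIRES_PRE_AUTH flag; the one-hour ticket life and ten-hour
       renewable life are inside the assumed baseline.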

   destroy
       destroy [-f]

       Destroys an existing realm.  Options:

       -f     If specified, will not prompt the user for confirmation.

       Example:

          shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu destroy
          Password for "cn=admin,o=org":
          Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
          (type 'yes' to confirm)? yes
          OK, deleting database of 'ATHENA.MIT.EDU'...
          shell%

   list
       list

       Lists the names of realms under the container.

       Example:

          shell% kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu list
          Password for "cn=admin,o=org":
          ATHENA.MIT.EDU
          OPENLDAP.MIT.EDU
          MEDIA-LAB.MIT.EDU
          shell%

   stashsrvpw
       stashsrvpw [-f filename] name

       Allows an administrator to store the password for a service object in
       a file so that the KDC and Administration server can use it to
       authenticate to the LDAP server.  The file holds the password itself,
       since the KDC must present it to the LDAP server, so it must be
       readable only by the accounts running krb5kdc and kadmind.  Its path
       should match the ldap_service_password_file setting in kdc.conf.
       Options:

       -f filename
              Specifies the complete path of the service password file.  By
              default, /usr/local/var/service_passwd is used.

       name   Specifies the name of the object whose password is to be
              stored.  If krb5kdc or kadmind are configured for simple
              binding, this should be the distinguished name it will use as
              given by the ldap_kdc_dn or ldap_kadmind_dn variable in
              kdc.conf.  If the KDC or kadmind is configured for SASL
              binding, this should be the authentication name it will use as
              given by the ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid
              variable.

       Example:

          kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
              cn=service-kdc,o=org
          Password for "cn=service-kdc,o=org":
          Re-enter password for "cn=service-kdc,o=org":
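       Two things go wrong with service password files in practice: the
       file is left readable by other users, and the name stashed in it does
       not match the DN or authcid the KDC actually binds as.  The following
       Python script is an added example written for this page, not part of
       MIT Kerberos.  It assumes the line format name#{HEX}<hex-encoded
       password> that stashsrvpw writes and that lines starting with '#' or
       '!' are comments; both are assumptions about current releases, not
       facts stated on this page.  demo() builds a constructed sample file
       with placeholder passwords and runs the check against it.

```python
"""Check a service password file written by kdb5_ldap_util stashsrvpw.

Added example for this page, not part of MIT Kerberos.  It assumes the
line format 'name#{HEX}<hex-encoded password>' that stashsrvpw writes and
that lines starting with '#' or '!' are comments; both are assumptions
about current releases, not facts stated on this page.  The file holds
the LDAP bind password itself, so the check also insists that nobody but
the owner can read it.
"""
import os
import stat
import tempfile


def decode_entry(encoded):
    """Decode the password part of an entry ('{HEX}...' or plain text)."""
    if encoded.startswith("{HEX}"):
        return bytes.fromhex(encoded[len("{HEX}"):]).decode("utf-8")
    return encoded


def read_service_passwd(path):
    """Return {name: password} for every entry in the file.

    The name (a DN for simple bind, an authcid for SASL) is assumed to end
    at the first '#'.
    """
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.rstrip("\r\n")
            if not line or line[0] in "#!":
                continue
            name, sep, encoded = line.partition("#")
            if not sep:
                continue  # no separator: not an entry
            entries[name] = decode_entry(encoded)
    return entries


def check_service_passwd(path, expected_names):
    """Return findings for the file; an empty list means it passed.

    expected_names are the values of ldap_kdc_dn / ldap_kadmind_dn (or the
    SASL authcid variables) from kdc.conf that krb5kdc and kadmind bind as.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s is accessible to group or others (mode %04o)"
                        % (path, mode))
    entries = read_service_passwd(path)
    for name in expected_names:
        if name not in entries:
            findings.append("no entry for %s (run: kdb5_ldap_util stashsrvpw "
                            "-f %s %s)" % (name, path, name))
        elif not entries[name]:
            findings.append("empty password stored for %s" % name)
    return findings


def demo(mode=0o600, include_kadmind=True):
    """Write a constructed sample file, check it, and return the findings."""
    fd, path = tempfile.mkstemp(prefix="service_passwd.")
    os.close(fd)
    # Constructed entries; the passwords are placeholders, hex-encoded as
    # stashsrvpw is assumed to store them.
    lines = ["# constructed sample, not a real service password file",
             "cn=service-kdc,o=org#{HEX}" + b"kdc-secret".hex()]
    if include_kadmind:
        lines.append("cn=service-kadmin,o=org#{HEX}" + b"kadmin-secret".hex())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, mode)
    try:
        return check_service_passwd(
            path, ["cn=service-kdc,o=org", "cn=service-kadmin,o=org"])
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("good file:", demo())
    print("world-readable file:", demo(mode=0o644))
```

       For a real deployment, call check_service_passwd() with the path from
       ldap_service_password_file and the DNs or authcids from kdc.conf in
       place of the constructed names used by demo().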

   create_policy
       create_policy [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name

       Creates a ticket policy in the directory.  Options:

       -maxtktlife max_ticket_life
              (getdate time string) Specifies maximum ticket life for
              principals.

       -maxrenewlife max_renewable_ticket_life
              (getdate time string) Specifies maximum renewable life of
              tickets for principals.

       ticket_flags
              Specifies the ticket flags.  If this option is not specified,
              by default, no restriction will be set by the policy.
              Allowable flags are documented in the description of the
              add_principal command in kadmin.

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
              -maxrenewlife "1 week" -allow_postdated +needchange
              -allow_forwardable tktpolicy
          Password for "cn=admin,o=org":

   modify_policy
       modify_policy [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name

       Modifies the attributes of a ticket policy.  Options are the same as
       for create_policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy
              -maxtktlife "60 minutes" -maxrenewlife "10 hours"
              +allow_postdated -requires_preauth tktpolicy
          Password for "cn=admin,o=org":

   view_policy
       view_policy policy_name

       Displays the attributes of the named ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU view_policy tktpolicy
          Password for "cn=admin,o=org":
          Ticket policy: tktpolicy
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

   destroy_policy
       destroy_policy [-force] policy_name

       Destroys an existing ticket policy.  Options:

       -force Forces the deletion of the policy object.  If not specified,
              the user will be prompted for confirmation before deleting
              the policy.

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU destroy_policy tktpolicy
          Password for "cn=admin,o=org":
          This will delete the policy object 'tktpolicy', are you sure?
          (type 'yes' to confirm)? yes
          ** policy object 'tktpolicy' deleted.

   list_policy
       list_policy

       Lists ticket policies.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU list_policy
          Password for "cn=admin,o=org":
          tktpolicy
          tmppolicy
          userpolicy

ENVIRONMENT
       See kerberos for a description of Kerberos environment variables.

SEE ALSO
       kadmin, kerberos

AUTHOR
       MIT

COPYRIGHT
       1985-2022, MIT



1.19.2                                                       KDB5_LDAP_UTIL(8)