KDB5_LDAP_UTIL(8)                MIT Kerberos                KDB5_LDAP_UTIL(8)


NAME

       kdb5_ldap_util - Kerberos configuration utility

SYNOPSIS

       kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command
       [command_options]

DESCRIPTION

       kdb5_ldap_util allows an administrator to manage realms, Kerberos
       services and ticket policies.

COMMAND-LINE OPTIONS

       -r realm
              Specifies the realm to be operated on.

       -D user_dn
              Specifies the Distinguished Name (DN) of the user who has
              sufficient rights to perform the operation on the LDAP server.

       -w passwd
              Specifies the password of user_dn.  This option is not
              recommended, since a password given on the command line is
              visible to other users of the host.

       -H ldapuri
              Specifies the URI of the LDAP server.

       By default, kdb5_ldap_util operates on the default realm (as specified
       in krb5.conf) and connects and authenticates to the LDAP server in the
       same manner as kadmind(8) would given the parameters in [dbdefaults]
       in kdc.conf.

COMMANDS

   create
          create [-subtrees subtree_dn_list] [-sscope search_scope]
          [-containerref container_reference_dn] [-k mkeytype] [-kv mkeyVNO]
          [-M mkeyname] [-m|-P password|-sf stashfilename] [-s]
          [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

       Creates a realm in the directory.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtree.  The possible values are 1 or one (one level), 2 or
              sub (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the
              principals of a realm will be created.  If the container
              reference is not configured for a realm, the principals will
              be created in the realm container.

       -k mkeytype
              Specifies the key type of the master key in the database.  The
              default is given by the master_key_type variable in kdc.conf.

       -kv mkeyVNO
              Specifies the version number of the master key in the database;
              the default is 1.  Note that 0 is not allowed.

       -M mkeyname
              Specifies the principal name for the master key in the database.
              If not specified, the name is determined by the master_key_name
              variable in kdc.conf.

       -m     Specifies that the master database password should be read from
              the TTY rather than fetched from a file on the disk.

       -P password
              Specifies the master database password.  This option is not
              recommended, since a password given on the command line is
              visible to other users of the host.

       -sf stashfilename
              Specifies the stash file of the master database password.

       -s     Specifies that the stash file is to be created.

       -maxtktlife max_ticket_life
              (getdate time string) Specifies maximum ticket life for
              principals in this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate time string) Specifies maximum renewable life of
              tickets for principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal command
              in kadmin.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
          Password for "cn=admin,o=org":
          Initializing database for realm 'ATHENA.MIT.EDU'
          You will be prompted for the database Master Password.
          It is important that you NOT FORGET this password.
          Enter KDC database master key:
          Re-enter KDC database master key to verify:

   modify
          modify [-subtrees subtree_dn_list] [-sscope search_scope]
          [-containerref container_reference_dn] [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

       Modifies the attributes of a realm.  Options:

       -subtrees subtree_dn_list
              Specifies the list of subtrees containing the principals of a
              realm.  The list contains the DNs of the subtree objects
              separated by colon (:).  This list replaces the existing list.

       -sscope search_scope
              Specifies the scope for searching the principals under the
              subtrees.  The possible values are 1 or one (one level), 2 or
              sub (subtrees).

       -containerref container_reference_dn
              Specifies the DN of the container object in which the
              principals of a realm will be created.

       -maxtktlife max_ticket_life
              (getdate time string) Specifies maximum ticket life for
              principals in this realm.

       -maxrenewlife max_renewable_ticket_life
              (getdate time string) Specifies maximum renewable life of
              tickets for principals in this realm.

       ticket_flags
              Specifies global ticket flags for the realm.  Allowable flags
              are documented in the description of the add_principal command
              in kadmin.

       Example:

          shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu modify +requires_preauth
          Password for "cn=admin,o=org":
          shell%

   view
          view

       Displays the attributes of a realm.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU view
          Password for "cn=admin,o=org":
          Realm Name: ATHENA.MIT.EDU
          Subtree: ou=users,o=org
          Subtree: ou=servers,o=org
          SearchScope: ONE
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

   destroy
          destroy [-f]

       Destroys an existing realm.  Options:

       -f     If specified, will not prompt the user for confirmation.

       Example:

          shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu destroy
          Password for "cn=admin,o=org":
          Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
          (type 'yes' to confirm)? yes
          OK, deleting database of 'ATHENA.MIT.EDU'...
          shell%

   list
          list

       Lists the names of realms under the container.

       Example:

          shell% kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu list
          Password for "cn=admin,o=org":
          ATHENA.MIT.EDU
          OPENLDAP.MIT.EDU
          MEDIA-LAB.MIT.EDU
          shell%

   stashsrvpw
          stashsrvpw [-f filename] name

       Allows an administrator to store the password for a service object in
       a file so that the KDC and Administration server can use it to
       authenticate to the LDAP server.  Options:

       -f filename
              Specifies the complete path of the service password file.  By
              default, /usr/local/var/service_passwd is used.

       name   Specifies the name of the object whose password is to be stored.
              If krb5kdc or kadmind are configured for simple binding, this
              should be the distinguished name it will use as given by the
              ldap_kdc_dn or ldap_kadmind_dn variable in kdc.conf.  If the KDC
              or kadmind is configured for SASL binding, this should be the
              authentication name it will use as given by the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid variable.

       Example:

          kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
              cn=service-kdc,o=org
          Password for "cn=service-kdc,o=org":
          Re-enter password for "cn=service-kdc,o=org":

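       Because -w and -P are discouraged, the master-key stash written by
       create -s -sf and the service password file written by stashsrvpw -f
       end up holding the secrets instead, and their file permissions decide
       who can use them.  The following script is an added example and is not
       part of this man page or of MIT Kerberos; it audits such a file for
       the ownership and mode it should have.  The paths passed to it and the
       expected owner root are assumptions.

```shell
#!/bin/sh
# Added example, not part of the kdb5_ldap_util man page or MIT Kerberos:
# audit the secret files this tool leaves on disk.  The master-key stash
# (create -s -sf FILE) and the service password file (stashsrvpw -f FILE,
# default /usr/local/var/service_passwd) each let their reader act as the
# KDC or kadmind, so they should be regular files owned by root with no
# group or other permission bits.  Paths and the owner root are assumptions.

# check_secret_file FILE [OWNER]
# Returns 0 when FILE is a regular (non-symlink) file owned by OWNER
# (default root) with no group/other bits, e.g. mode 0600 or 0400.
# Prints one line per finding on stderr and returns 1 otherwise.
check_secret_file() {
    f=$1
    want_owner=${2:-root}
    rc=0
    if [ -L "$f" ]; then
        echo "$f: is a symlink; a stash should be a regular file" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "$f: missing or not a regular file" >&2
        return 1
    fi
    # ls -ld prints "-rw------- 1 root root 123 ... FILE": field 3 is the
    # owner and characters 5-10 are the group and other permission bits.
    listing=$(ls -ld "$f")
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    grp_oth=$(printf '%s\n' "$listing" | cut -c5-10)
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner, expected $want_owner" >&2
        rc=1
    fi
    if [ "$grp_oth" != "------" ]; then
        echo "$f: group/other bits '$grp_oth' are set; use chmod 600" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh audit-kdb-secrets.sh FILE...  (for example the -sf stash and
# the stashsrvpw -f file); exits non-zero if any file fails the check.
if [ $# -gt 0 ]; then
    status=0
    for path in "$@"; do
        check_secret_file "$path" || status=1
    done
    exit $status
fi
```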
   create_policy
          create_policy [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name

       Creates a ticket policy in the directory.  Options:

       -maxtktlife max_ticket_life
              (getdate time string) Specifies maximum ticket life for
              principals.

       -maxrenewlife max_renewable_ticket_life
              (getdate time string) Specifies maximum renewable life of
              tickets for principals.

       ticket_flags
              Specifies the ticket flags.  If this option is not specified, by
              default, no restriction will be set by the policy.  Allowable
              flags are documented in the description of the add_principal
              command in kadmin.

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
              -maxrenewlife "1 week" -allow_postdated +needchange
              -allow_forwardable tktpolicy
          Password for "cn=admin,o=org":

   modify_policy
          modify_policy [-maxtktlife max_ticket_life]
          [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name

       Modifies the attributes of a ticket policy.  Options are the same as
       for create_policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H
              ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy
              -maxtktlife "60 minutes" -maxrenewlife "10 hours"
              +allow_postdated -requires_preauth tktpolicy
          Password for "cn=admin,o=org":

   view_policy
          view_policy policy_name

       Displays the attributes of the named ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU view_policy tktpolicy
          Password for "cn=admin,o=org":
          Ticket policy: tktpolicy
          Maximum ticket life: 0 days 01:00:00
          Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

   destroy_policy
          destroy_policy [-force] policy_name

       Destroys an existing ticket policy.  Options:

       -force Forces the deletion of the policy object.  If not specified, the
              user will be prompted for confirmation before deleting the
              policy.

       policy_name
              Specifies the name of the ticket policy.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU destroy_policy tktpolicy
          Password for "cn=admin,o=org":
          This will delete the policy object 'tktpolicy', are you sure?
          (type 'yes' to confirm)? yes
          ** policy object 'tktpolicy' deleted.

   list_policy
          list_policy

       Lists ticket policies.

       Example:

          kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
              -r ATHENA.MIT.EDU list_policy
          Password for "cn=admin,o=org":
          tktpolicy
          tmppolicy
          userpolicy


ENVIRONMENT

       See kerberos for a description of Kerberos environment variables.


SEE ALSO

       kadmin, kerberos


AUTHOR

       MIT

       1985-2023, MIT



1.21.2                                                       KDB5_LDAP_UTIL(8)