1kdb5_ldap_util(1M) System Administration Commands kdb5_ldap_util(1M)
2
6 kdb5_ldap_util - Kerberos configuration utility
7
9 kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] command
10 [command_options]
11
14 The kdb5_ldap_util utility allows an administrator to manage realms,
15 Kerberos services, and ticket policies. The utility offers a set of
16 general options, described under OPTIONS, and a set of commands, which,
17 in turn, have their own options. Commands and their options are
18 described in their own subsections, below.
19
21 kdb5_ldap_util has a small set of general options that apply to the
22 kdb5_ldap_util utility itself and a larger number of options that apply
23 to specific commands. A number of these command-specific options apply
24 to multiple commands and are described in their own section, below.
25 General Options
27 The following general options are supported:
28 -D user_dn
30 Specifies the distinguished name (DN) of a user who has sufficient
32 rights to perform the operation on the LDAP server.
33 -H ldap_uri
36 Specifies the URI of the LDAP server.
38 -w passwd
41 Specifies the password of user_dn. This option is not recommended.
43 Common Command-specific Options
46 The following options apply to a number of kdb5_ldap_util commands.
47 -subtrees subtree_dn_list
49 Specifies the list of subtrees containing the principals of a
51 realm. The list contains the DNs of the subtree objects separated
52 by a colon.
53 -sscope search_scope
56 Specifies the scope for searching the principals under a subtree.
58 The possible values are 1 or one (one level), 2 or sub (subtrees).
59 -containerref container_reference_dn
62 Specifies the DN of the container object in which the principals of
64 a realm will be created. If the container reference is not config‐
65 ured for a realm, the principals will be created in the realm con‐
66 tainer.
67 -maxtktlife max_ticket_life
70 Specifies maximum ticket life for principals in this realm.
72 -maxrenewlife max_renewable_ticket_life
75 Specifies maximum renewable life of tickets for principals in this
77 realm.
78 -r realm
81 Specifies the Kerberos realm of the database; by default the realm
83 returned by krb5_default_local_realm(3) is used.
84
87 The kdb5_ldap_util utility comprises a set of commands, each with its
88 own set of options. These commands are described in the following sub‐
89 sections.
90 The create Command
92 The create command creates a realm in a directory. The command has the
93 following syntax:
94 create \
96 [-subtrees subtree_dn_list]
97 [-sscope search_scope]
98 [-containerref container_reference_dn]
99 [-k mkeytype]
100 [-m|-P password| -sf stashfilename]
101 [-s]
102 [-r realm]
103 [-maxtktlife max_ticket_life]
104 [-kdcdn kdc_service_list]
105 [-admindn admin_service_list]
106 [-maxrenewlife max_renewable_ticket_life]
107 [ticket_flags]
108 The create command has the following options:
113 -subtree subtree_dn_list
115 See "Common Command-specific Options," above.
117 -sscope search_scope
120 See "Common Command-specific Options," above.
122 -containerref container_reference_dn
125 See "Common Command-specific Options," above.
127 -k mkeytype
130 Specifies the key type of the master key in the database; the
132 default is that given in kdc.conf(4).
133 -m
136 Specifies that the master database password should be read from the
138 TTY rather than fetched from a file on the disk.
139 -P password
142 Specifies the master database password. This option is not recom‐
144 mended.
145 -sf stashfilename
148 Specifies the stash file of the master database password.
150 -s
153 Specifies that the stash file is to be created.
155 -maxtktlife max_ticket_life
158 See "Common Command-specific Options," above.
160 -maxrenewlife max_renewable_ticket_life
163 See "Common Command-specific Options," above.
165 -r realm
168 See "Common Command-specific Options," above.
170 ticket_flags
173 Specifies the ticket flags. If this option is not specified, by
175 default, none of the flags are set. This means all the ticket
176 options will be allowed and no restriction will be set. See "Ticket
177 Flags" for a list and descriptions of these flags.
178 The modify Command
181 The modify command modifies the attributes of a realm. The command has
182 the following syntax:
183 modify \
185 [-subtrees subtree_dn_list]
186 [-sscope search_scope]
187 [-containerref container_reference_dn]
188 [-r realm]
189 [-maxtktlife max_ticket_life]
190 [-maxrenewlife max_renewable_ticket_life]
191 [ticket_flags]
192 The modify command has the following options:
197 -subtree subtree_dn_list
199 See "Common Command-specific Options," above.
201 -sscope search_scope
204 See "Common Command-specific Options," above.
206 -containerref container_reference_dn
209 See "Common Command-specific Options," above.
211 -maxtktlife max_ticket_life
214 See "Common Command-specific Options," above.
216 -maxrenewlife max_renewable_ticket_life
219 See "Common Command-specific Options," above.
221 -r realm
224 See "Common Command-specific Options," above.
226 ticket_flags
229 Specifies the ticket flags. If this option is not specified, by
231 default, none of the flags are set. This means all the ticket
232 options will be allowed and no restriction will be set. See "Ticket
233 Flags" for a list and descriptions of these flags.
234 The view Command
237 The view command displays the attributes of a realm. The command has
238 the following syntax:
239 view [-r realm]
241 The view command has the following option:
246 -r realm
248 See "Common Command-specific Options," above.
250 The destroy Command
253 The destroy command destroys a realm, including the master key stash
254 file. The command has the following syntax:
255 destroy [-f] [-r realm]
257 The destroy command has the following options:
262 -f
264 If specified, destroy does not prompt you for confirmation.
266 -r realm
269 See "Common Command-specific Options," above.
271 The list Command
274 The list command displays the names of realms. The command has the fol‐
275 lowing syntax:
276 list
278 The list command has no options.
283 The stashsrvpw Command
285 The stashsrvpw command enables you to store the password for service
286 object in a file so that a KDC and Administration server can use it to
287 authenticate to the LDAP server. The command has the following syntax:
288 stashsrvpw [-f filename] servicedn
290 The stashsrvpw command has the following option and argument:
295 -f filename
297 Specifies the complete path of the service password file. The
299 default is:
300 /var/krb5/service_passwd
302 servicedn
307 Specifies the distinguished name (DN) of the service object whose
309 password is to be stored in file.
310 The create_policy Command
313 The create_policy command creates a ticket policy in a directory. The
314 command has the following syntax:
315 create_policy \
317 [-r realm]
318 [-maxtktlife max_ticket_life]
319 [-maxrenewlife max_renewable_ticket_life]
320 [ticket_flags]
321 policy_name
322 The create_policy command has the following options:
327 -r realm
329 See "Common Command-specific Options," above.
331 -maxtktlife max_ticket_life
334 See "Common Command-specific Options," above.
336 -maxrenewlife max_renewable_ticket_life
339 See "Common Command-specific Options," above.
341 ticket_flags
344 Specifies the ticket flags. If this option is not specified, by
346 default, none of the flags are set. This means all the ticket
347 options will be allowed and no restriction will be set. See "Ticket
348 Flags" for a list and descriptions of these flags.
349 policy_name
352 Specifies the name of the ticket policy.
354 The modify_policy Command
357 The modify_policy command modifies the attributes of a ticket policy.
358 The command has the following syntax:
359 modify_policy \
361 [-r realm]
362 [-maxtktlife max_ticket_life]
363 [-maxrenewlife max_renewable_ticket_life]
364 [ticket_flags]
365 policy_name
366 The modify_policy command has the same options and argument as those
371 for the create_policy command.
372 The view_policy Command
374 The view_policy command displays the attributes of a ticket policy. The
375 command has the following syntax:
376 view_policy [-r realm] policy_name
378 The view_policy command has the following options:
383 -r realm
385 See "Common Command-specific Options," above.
387 policy_name
390 Specifies the name of the ticket policy.
392 The destroy_policy Command
395 The destroy_policy command destroys an existing ticket policy. The com‐
396 mand has the following syntax:
397 destroy_policy [-r realm] [-force] policy_name
399 The destroy_policy command has the following options:
404 -r realm
406 See "Common Command-specific Options," above.
408 -force
411 Forces the deletion of the policy object. If not specified, you
413 will be prompted for confirmation before the policy is deleted.
414 Enter yes to confirm the deletion.
415 policy_name
418 Specifies the name of the ticket policy.
420 The list_policy Command
423 The list_policy command lists the ticket policies in the default or a
424 specified realm. The command has the following syntax:
425 list_policy [-r realm]
427 The list_policy command has the following option:
432 -r realm
434 See "Common Command-specific Options," above.
436
439 A number of kdb5_ldap_util commands have ticket_flag options. These
440 flags are described as follows:
441 {-|+}allow_dup_skey
443 -allow_dup_skey disables user-to-user authentication for principals
445 by prohibiting principals from obtaining a session key for another
446 user. This setting sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.
447 +allow_dup_skey clears this flag.
448 {-|+}allow_forwardable
451 -allow_forwardable prohibits principals from obtaining forwardable
453 tickets. This setting sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.
454 +allow_forwardable clears this flag.
455 {-|+}allow_postdated
458 -allow_postdated prohibits principals from obtaining postdated
460 tickets. This setting sets the KRB5_KDB_DISALLOW_POSTDATED flag.
461 +allow_postdated clears this flag.
462 {-|+}allow_proxiable
465 -allow_proxiable prohibits principals from obtaining proxiable
467 tickets. This setting sets the KRB5_KDB_DISALLOW_PROXIABLE flag.
468 +allow_proxiable clears this flag.
469 {-|+}allow_renewable
472 -allow_renewable prohibits principals from obtaining renewable
474 tickets. This setting sets the KRB5_KDB_DISALLOW_RENEWABLE flag.
475 +allow_renewable clears this flag.
476 {-|+}allow_svr
479 -allow_svr prohibits the issuance of service tickets for princi‐
481 pals. This setting sets the KRB5_KDB_DISALLOW_SVR flag. +allow_svr
482 clears this flag.
483 {-|+}allow_tgs_req
486 -allow_tgs_req specifies that a Ticket-Granting Service (TGS)
488 request for a service ticket for principals is not permitted. This
489 option is useless for most purposes. +allow_tgs_req clears this
490 flag. The default is +allow_tgs_req. In effect, -allow_tgs_req
491 sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the
492 database.
493 {-|+}allow_tix
496 -allow_tix forbids the issuance of any tickets for principals.
498 +allow_tix clears this flag. The default is +allow_tix. In effect,
499 -allow_tix sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in
500 the database.
501 {-|+}needchange
504 +needchange sets a flag in the attributes field to force a password
506 change; -needchange clears that flag. The default is -needchange.
507 In effect, +needchange sets the KRB5_KDB_REQUIRES_PWCHANGE flag on
508 principals in the database.
509 {-|+}password_changing_service
512 +password_changing_service sets a flag in the attributes field
514 marking a principal as a password-change-service principal (a des‐
515 ignation that is most often not useful). -password_changing_service
516 clears the flag. That this flag has a long name is intentional. The
517 default is -password_changing_service. In effect, +password_chang‐
518 ing_service sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals
519 in the database.
520 {-|+}requires_hwauth
523 +requires_hwauth requires principals to preauthenticate using a
525 hardware device before being allowed to kinit(1). This setting
526 sets the KRB5_KDB_REQUIRES_HW_AUTH flag. -requires_hwauth clears
527 this flag.
528 {-|+}requires_preauth
531 +requires_preauth requires principals to preauthenticate before
533 being allowed to kinit(1). This setting sets the
534 KRB5_KDB_REQUIRES_PRE_AUTH flag. -requires_preauth clears this
535 flag.
536
539 Example 1 Using create
540 The following is an example of the use of the create command.
543 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
546 create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
547 Password for "cn=admin,o=org": password entered
548 Initializing database for realm 'ATHENA.MIT.EDU'
549 You will be prompted for the database Master Password.
550 It is important that you NOT FORGET this password.
551 Enter KDC database master key: master key entered
552 Re-enter KDC database master key to verify: master key re-enteredjjjjjj
553 Example 2 Using modify
557 The following is an example of the use of the modify command.
560 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
563 modify +requires_preauth -r ATHENA.MIT.EDU
564 Password for "cn=admin,o=org": password entered
565 Password for "cn=admin,o=org": password entered
566 Example 3 Using view
570 The following is an example of the use of the view command.
573 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
576 view -r ATHENA.MIT.EDU
577 Password for "cn=admin,o=org":
578 Realm Name: ATHENA.MIT.EDU
579 Subtree: ou=users,o=org
580 Subtree: ou=servers,o=org
581 SearchScope: ONE
582 Maximum ticket life: 0 days 01:00:00
583 Maximum renewable life: 0 days 10:00:00
584 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
585 Example 4 Using destroy
589 The following is an example of the use of the destroy command.
592 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
595 destroy -r ATHENA.MIT.EDU
596 Password for "cn=admin,o=org": password entered
597 Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
598 (type 'yes' to confirm)? yes
599 OK, deleting database of 'ATHENA.MIT.EDU'...
600 Example 5 Using list
604 The following is an example of the use of the list command.
607 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
610 Password for "cn=admin,o=org": password entered
611 Re-enter Password for "cn=admin,o=org": password re-entered
612 ATHENA.MIT.EDU
613 OPENLDAP.MIT.EDU
614 MEDIA-LAB.MIT.EDU
615 Example 6 Using stashsrvpw
619 The following is an example of the use of the stashsrvpw command.
622 # kdb5_ldap_util stashsrvpw -f \
625 /home/andrew/conf_keyfile cn=service-kdc,o=org
626 Password for "cn=service-kdc,o=org": password entered
627 Re-enter password for "cn=service-kdc,o=org": password re-entered
628 Example 7 Using create_policy
632 The following is an example of the use of the create_policy command.
635 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
638 create_policy -r ATHENA.MIT.EDU \
639 -maxtktlife "1 day" -maxrenewlife "1 week" \
640 -allow_postdated +needchange -allow_forwardable tktpolicy
641 Password for "cn=admin,o=org": password entered
642 Example 8 Using modify_policy
646 The following is an example of the use of the modify_policy command.
649 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
652 modify_policy -r ATHENA.MIT.EDU \
653 -maxtktlife "60 minutes" -maxrenewlife "10 hours" \
654 +allow_postdated -requires_preauth tktpolicy
655 Password for "cn=admin,o=org": password entered
656 Example 9 Using view_policy
660 The following is an example of the use of the view_policy command.
663 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
666 view_policy -r ATHENA.MIT.EDU tktpolicy
667 Password for "cn=admin,o=org": password entered
668 Ticket policy: tktpolicy
669 Maximum ticket life: 0 days 01:00:00
670 Maximum renewable life: 0 days 10:00:00
671 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
672 Example 10 Using destroy_policy
676 The following is an example of the use of the destroy_policy command.
679 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
682 destroy_policy -r ATHENA.MIT.EDU tktpolicy
683 Password for "cn=admin,o=org": password entered
684 This will delete the policy object 'tktpolicy', are you sure?
685 (type 'yes' to confirm)? yes
686 ** policy object 'tktpolicy' deleted.
687 Example 11 Using list_policy
691 The following is an example of the use of the list_policy command.
694 # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
697 list_policy -r ATHENA.MIT.EDU
698 Password for "cn=admin,o=org": password entered
699 tktpolicy
700 tmppolicy
701 userpolicy
702 Example 12 Using setsrvpw
706 The following is an example of the use of the setsrvpw command.
709 # kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw \
712 -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
713 Password for "cn=admin,o=org": password entered
714 Password for "cn=service-kdc,o=org": password entered
715 Re-enter password for "cn=service-kdc,o=org": password re-entered
716 Example 13 Using create_service
720 The following is an example of the use of the create_service command.
723 # kdb5_ldap_util -D cn=admin,o=org create_service \
726 -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
727 Password for "cn=admin,o=org": password entered
728 File does not exist. Creating the file /home/andrew/conf_keyfile...
729 Example 14 Using modify_service
733 The following is an example of the use of the modify_service command.
736 # kdb5_ldap_util -D cn=admin,o=org modify_service \
739 -realm ATHENA.MIT.EDU cn=service-kdc,o=org
740 Password for "cn=admin,o=org": password entered
741 Changing rights for the service object. Please wait ... done
742 Example 15 Using view_service
746 The following is an example of the use of the view_service command.
749 # kdb5_ldap_util -D cn=admin,o=org view_service \
752 cn=service-kdc,o=org
753 Password for "cn=admin,o=org": password entered
754 Service dn: cn=service-kdc,o=org
755 Service type: kdc
756 Service host list:
757 Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
758 Example 16 Using destroy_service
762 The following is an example of the use of the destroy_service command.
765 # kdb5_ldap_util -D cn=admin,o=org destroy_service \
768 cn=service-kdc,o=org
769 Password for "cn=admin,o=org": password entered
770 This will delete the service object 'cn=service-kdc,o=org', are you sure?
771 (type 'yes' to confirm)? yes
772 ** service object 'cn=service-kdc,o=org' deleted.
773 Example 17 Using list_service
777 The following is an example of the use of the list_service command.
780 # kdb5_ldap_util -D cn=admin,o=org list_service
783 Password for "cn=admin,o=org": password entered
784 cn=service-kdc,o=org
785 cn=service-adm,o=org
786 cn=service-pwd,o=org
787
791 See attributes(5) for descriptions of the following attributes:
792 ┌─────────────────────────────┬─────────────────────────────┐
797 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
798 ├─────────────────────────────┼─────────────────────────────┤
799 │Availability │SUNWkrbu │
800 ├─────────────────────────────┼─────────────────────────────┤
801 │Interface Stability │Volatile │
802 └─────────────────────────────┴─────────────────────────────┘
803
805 kinit(1), kadmin(1M), kdc.conf(4), attributes(5)
806SunOS 5.11 28 Aug 2007 kdb5_ldap_util(1M)