'\" te .\" This manual page is derived from documentation obtained from The Massachusetts Institute of Technology. .\" Portions Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] .TH KDB5_LDAP_UTIL 8 "June 20, 2021" .SH NAME kdb5_ldap_util \- Kerberos configuration utility .SH SYNOPSIS .nf \fBkdb5_ldap_util\fR [\fB-D\fR \fIuser_dn\fR [\fB-w\fR \fIpasswd\fR]] [\fB-H\fR \fIldap_uri\fR] \fIcommand\fR [\fIcommand_options\fR] .fi .SH DESCRIPTION The \fBkdb5_ldap_util\fR utility allows an administrator to manage realms, Kerberos services, and ticket policies. The utility offers a set of general options, described under OPTIONS, and a set of commands, which, in turn, have their own options. Commands and their options are described in their own subsections, below. .SH OPTIONS \fBkdb5_ldap_util\fR has a small set of general options that apply to the \fBkdb5_ldap_util\fR utility itself and a larger number of options that apply to specific commands. A number of these command-specific options apply to multiple commands and are described in their own section, below. .SS "General Options" The following general options are supported: .sp .ne 2 .na \fB\fB-D\fR \fIuser_dn\fR\fR .ad .sp .6 .RS 4n Specifies the distinguished name (DN) of a user who has sufficient rights to perform the operation on the LDAP server. .RE .sp .ne 2 .na \fB\fB-H\fR \fIldap_uri\fR\fR .ad .sp .6 .RS 4n Specifies the URI of the LDAP server. .RE .sp .ne 2 .na \fB\fB-w\fR \fIpasswd\fR\fR .ad .sp .6 .RS 4n Specifies the password of \fIuser_dn\fR. This option is not recommended. .RE .SS "Common Command-specific Options" The following options apply to a number of \fBkdb5_ldap_util\fR commands. .sp .ne 2 .na \fB\fB-subtrees\fR \fIsubtree_dn_list\fR\fR .ad .sp .6 .RS 4n Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by a colon. .RE .sp .ne 2 .na \fB\fB-sscope\fR \fIsearch_scope\fR\fR .ad .sp .6 .RS 4n Specifies the scope for searching the principals under a subtree. The possible values are 1 or \fBone\fR (one level), 2 or \fBsub\fR (subtrees). .RE .sp .ne 2 .na \fB\fB-containerref\fR \fIcontainer_reference_dn\fR\fR .ad .sp .6 .RS 4n Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container. .RE .sp .ne 2 .na \fB\fB-maxtktlife\fR \fImax_ticket_life\fR\fR .ad .sp .6 .RS 4n Specifies maximum ticket life for principals in this realm. .RE .sp .ne 2 .na \fB\fB-maxrenewlife\fR \fImax_renewable_ticket_life\fR\fR .ad .sp .6 .RS 4n Specifies maximum renewable life of tickets for principals in this realm. .RE .sp .ne 2 .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n Specifies the Kerberos realm of the database; by default the realm returned by \fBkrb5_default_local_realm\fR(3LIB) is used. .RE .SH \fBkdb5_ldap_util\fR COMMANDS The \fBkdb5_ldap_util\fR utility comprises a set of commands, each with its own set of options. These commands are described in the following subsections. .SS "The \fBcreate\fR Command" The \fBcreate\fR command creates a realm in a directory. The command has the following syntax: .sp .in +2 .nf create \e [-subtrees \fIsubtree_dn_list\fR] [-sscope \fIsearch_scope\fR] [-containerref \fIcontainer_reference_dn\fR] [-k \fImkeytype\fR] [-m|-P \fIpassword\fR| -sf \fIstashfilename\fR] [-s] [-r \fIrealm\fR] [-maxtktlife \fImax_ticket_life\fR] [-kdcdn \fIkdc_service_list\fR] [-admindn \fIadmin_service_list\fR] [-maxrenewlife \fImax_renewable_ticket_life\fR] [\fIticket_flags\fR] .fi .in -2 .sp .sp .LP The \fBcreate\fR command has the following options: .sp .ne 2 .na \fB\fB-subtree\fR \fIsubtree_dn_list\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-sscope\fR \fIsearch_scope\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-containerref\fR \fIcontainer_reference_dn\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-k\fR \fImkeytype\fR\fR .ad .sp .6 .RS 4n Specifies the key type of the master key in the database; the default is that given in \fBkdc.conf\fR(5). .RE .sp .ne 2 .na \fB\fB-m\fR\fR .ad .sp .6 .RS 4n Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. .RE .sp .ne 2 .na \fB\fB-P\fR \fIpassword\fR\fR .ad .sp .6 .RS 4n Specifies the master database password. This option is not recommended. .RE .sp .ne 2 .na \fB\fB-sf\fR \fIstashfilename\fR\fR .ad .sp .6 .RS 4n Specifies the stash file of the master database password. .RE .sp .ne 2 .na \fB\fB-s\fR\fR .ad .sp .6 .RS 4n Specifies that the stash file is to be created. .RE .sp .ne 2 .na \fB\fB-maxtktlife\fR \fImax_ticket_life\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-maxrenewlife\fR \fImax_renewable_ticket_life\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fIticket_flags\fR\fR .ad .sp .6 .RS 4n Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. See "Ticket Flags" for a list and descriptions of these flags. .RE .SS "The \fBmodify\fR Command" The \fBmodify\fR command modifies the attributes of a realm. The command has the following syntax: .sp .in +2 .nf modify \e [-subtrees \fIsubtree_dn_list\fR] [-sscope \fIsearch_scope\fR] [-containerref \fIcontainer_reference_dn\fR] [-r \fIrealm\fR] [-maxtktlife \fImax_ticket_life\fR] [-maxrenewlife \fImax_renewable_ticket_life\fR] [\fIticket_flags\fR] .fi .in -2 .sp .sp .LP The \fBmodify\fR command has the following options: .sp .ne 2 .na \fB\fB-subtree\fR \fIsubtree_dn_list\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-sscope\fR \fIsearch_scope\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-containerref\fR \fIcontainer_reference_dn\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-maxtktlife\fR \fImax_ticket_life\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-maxrenewlife\fR \fImax_renewable_ticket_life\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fIticket_flags\fR\fR .ad .sp .6 .RS 4n Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. See "Ticket Flags" for a list and descriptions of these flags. .RE .SS "The \fBview\fR Command" The \fBview\fR command displays the attributes of a realm. The command has the following syntax: .sp .in +2 .nf view [-r \fIrealm\fR] .fi .in -2 .sp .sp .LP The \fBview\fR command has the following option: .sp .ne 2 .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .SS "The \fBdestroy\fR Command" The \fBdestroy\fR command destroys a realm, including the master key stash file. The command has the following syntax: .sp .in +2 .nf destroy [-f] [-r \fIrealm\fR] .fi .in -2 .sp .sp .LP The \fBdestroy\fR command has the following options: .sp .ne 2 .na \fB\fB-f\fR\fR .ad .sp .6 .RS 4n If specified, \fBdestroy\fR does not prompt you for confirmation. .RE .sp .ne 2 .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .SS "The \fBlist\fR Command" The \fBlist\fR command displays the names of realms. The command has the following syntax: .sp .in +2 .nf list .fi .in -2 .sp .sp .LP The \fBlist\fR command has no options. .SS "The \fBstashsrvpw\fR Command" The \fBstashsrvpw\fR command enables you to store the password for service object in a file so that a KDC and Administration server can use it to authenticate to the LDAP server. The command has the following syntax: .sp .in +2 .nf stashsrvpw [-f \fIfilename\fR] \fIservicedn\fR .fi .in -2 .sp .sp .LP The \fBstashsrvpw\fR command has the following option and argument: .sp .ne 2 .na \fB\fB-f\fR \fIfilename\fR\fR .ad .sp .6 .RS 4n Specifies the complete path of the service password file. The default is: .sp .in +2 .nf /var/krb5/service_passwd .fi .in -2 .sp .RE .sp .ne 2 .na \fB\fIservicedn\fR\fR .ad .sp .6 .RS 4n Specifies the distinguished name (DN) of the service object whose password is to be stored in file. .RE .SS "The \fBcreate_policy\fR Command" The \fBcreate_policy\fR command creates a ticket policy in a directory. The command has the following syntax: .sp .in +2 .nf create_policy \e [-r \fIrealm\fR] [-maxtktlife \fImax_ticket_life\fR] [-maxrenewlife \fImax_renewable_ticket_life\fR] [\fIticket_flags\fR] \fIpolicy_name\fR .fi .in -2 .sp .sp .LP The \fBcreate_policy\fR command has the following options: .sp .ne 2 .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-maxtktlife\fR \fImax_ticket_life\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-maxrenewlife\fR \fImax_renewable_ticket_life\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fIticket_flags\fR\fR .ad .sp .6 .RS 4n Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. See "Ticket Flags" for a list and descriptions of these flags. .RE .sp .ne 2 .na \fB\fIpolicy_name\fR\fR .ad .sp .6 .RS 4n Specifies the name of the ticket policy. .RE .SS "The \fBmodify_policy\fR Command" The \fBmodify_policy\fR command modifies the attributes of a ticket policy. The command has the following syntax: .sp .in +2 .nf modify_policy \e [-r \fIrealm\fR] [-maxtktlife \fImax_ticket_life\fR] [-maxrenewlife \fImax_renewable_ticket_life\fR] [\fIticket_flags\fR] \fIpolicy_name\fR .fi .in -2 .sp .sp .LP The \fBmodify_policy\fR command has the same options and argument as those for the \fBcreate_policy\fR command. .SS "The \fBview_policy\fR Command" The \fBview_policy\fR command displays the attributes of a ticket policy. The command has the following syntax: .sp .in +2 .nf view_policy [-r \fIrealm\fR] \fIpolicy_name\fR .fi .in -2 .sp .sp .LP The \fBview_policy\fR command has the following options: .sp .ne 2 .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fIpolicy_name\fR\fR .ad .sp .6 .RS 4n Specifies the name of the ticket policy. .RE .SS "The \fBdestroy_policy\fR Command" The \fBdestroy_policy\fR command destroys an existing ticket policy. The command has the following syntax: .sp .in +2 .nf destroy_policy [-r \fIrealm\fR] [-force] \fIpolicy_name\fR .fi .in -2 .sp .sp .LP The \fBdestroy_policy\fR command has the following options: .sp .ne 2 .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .sp .ne 2 .na \fB\fB-force\fR\fR .ad .sp .6 .RS 4n Forces the deletion of the policy object. If not specified, you will be prompted for confirmation before the policy is deleted. Enter \fByes\fR to confirm the deletion. .RE .sp .ne 2 .na \fB\fIpolicy_name\fR\fR .ad .sp .6 .RS 4n Specifies the name of the ticket policy. .RE .SS "The \fBlist_policy\fR Command" The \fBlist_policy\fR command lists the ticket policies in the default or a specified realm. The command has the following syntax: .sp .in +2 .nf list_policy [-r \fIrealm\fR] .fi .in -2 .sp .sp .LP The \fBlist_policy\fR command has the following option: .sp .ne 2 .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n See "Common Command-specific Options," above. .RE .SH TICKET FLAGS A number of \fBkdb5_ldap_util\fR commands have \fBticket_flag\fR options. These flags are described as follows: .sp .ne 2 .na \fB\fB{-|+}allow_dup_skey\fR\fR .ad .sp .6 .RS 4n \fB-allow_dup_skey\fR disables user-to-user authentication for principals by prohibiting principals from obtaining a session key for another user. This setting sets the \fBKRB5_KDB_DISALLOW_DUP_SKEY\fR flag. \fB+allow_dup_skey\fR clears this flag. .RE .sp .ne 2 .na \fB\fB{-|+}allow_forwardable\fR\fR .ad .sp .6 .RS 4n \fB-allow_forwardable\fR prohibits principals from obtaining forwardable tickets. This setting sets the \fBKRB5_KDB_DISALLOW_FORWARDABLE\fR flag. \fB+allow_forwardable\fR clears this flag. .RE .sp .ne 2 .na \fB\fB{-|+}allow_postdated\fR\fR .ad .sp .6 .RS 4n \fB-allow_postdated\fR prohibits principals from obtaining postdated tickets. This setting sets the \fBKRB5_KDB_DISALLOW_POSTDATED\fR flag. \fB+allow_postdated\fR clears this flag. .RE .sp .ne 2 .na \fB\fB{-|+}allow_proxiable\fR\fR .ad .sp .6 .RS 4n \fB-allow_proxiable\fR prohibits principals from obtaining proxiable tickets. This setting sets the \fBKRB5_KDB_DISALLOW_PROXIABLE\fR flag. \fB+allow_proxiable\fR clears this flag. .RE .sp .ne 2 .na \fB\fB{-|+}allow_renewable\fR\fR .ad .sp .6 .RS 4n \fB-allow_renewable\fR prohibits principals from obtaining renewable tickets. This setting sets the \fBKRB5_KDB_DISALLOW_RENEWABLE\fR flag. \fB+allow_renewable\fR clears this flag. .RE .sp .ne 2 .na \fB\fB{-|+}allow_svr\fR\fR .ad .sp .6 .RS 4n \fB-allow_svr\fR prohibits the issuance of service tickets for principals. This setting sets the \fBKRB5_KDB_DISALLOW_SVR\fR flag. \fB+allow_svr\fR clears this flag. .RE .sp .ne 2 .na \fB\fB{-|+}allow_tgs_req\fR\fR .ad .sp .6 .RS 4n \fB-allow_tgs_req\fR specifies that a Ticket-Granting Service (TGS) request for a service ticket for principals is not permitted. This option is useless for most purposes. \fB+allow_tgs_req\fR clears this flag. The default is \fB+allow_tgs_req\fR. In effect, \fB-allow_tgs_req\fR sets the \fBKRB5_KDB_DISALLOW_TGT_BASED\fR flag on principals in the database. .RE .sp .ne 2 .na \fB\fB{-|+}allow_tix\fR\fR .ad .sp .6 .RS 4n \fB-allow_tix\fR forbids the issuance of any tickets for principals. \fB+allow_tix\fR clears this flag. The default is \fB+allow_tix\fR. In effect, \fB-allow_tix\fR sets the \fBKRB5_KDB_DISALLOW_ALL_TIX\fR flag on principals in the database. .RE .sp .ne 2 .na \fB\fB{-|+}needchange\fR\fR .ad .sp .6 .RS 4n \fB+needchange\fR sets a flag in the attributes field to force a password change; \fB-needchange\fR clears that flag. The default is \fB-needchange\fR. In effect, \fB+needchange\fR sets the \fBKRB5_KDB_REQUIRES_PWCHANGE\fR flag on principals in the database. .RE .sp .ne 2 .na \fB\fB{-|+}password_changing_service\fR\fR .ad .sp .6 .RS 4n \fB+password_changing_service\fR sets a flag in the attributes field marking a principal as a password-change-service principal (a designation that is most often not useful). \fB-password_changing_service\fR clears the flag. That this flag has a long name is intentional. The default is \fB-password_changing_service\fR. In effect, \fB+password_changing_service\fR sets the \fBKRB5_KDB_PWCHANGE_SERVICE\fR flag on principals in the database. .RE .sp .ne 2 .na \fB\fB{-|+}requires_hwauth\fR\fR .ad .sp .6 .RS 4n \fB+requires_hwauth\fR requires principals to preauthenticate using a hardware device before being allowed to \fBkinit\fR(1). This setting sets the \fBKRB5_KDB_REQUIRES_HW_AUTH\fR flag. \fB-requires_hwauth\fR clears this flag. .RE .sp .ne 2 .na \fB\fB{-|+}requires_preauth\fR\fR .ad .sp .6 .RS 4n +\fBrequires_preauth\fR requires principals to preauthenticate before being allowed to \fBkinit\fR(1). This setting sets the \fBKRB5_KDB_REQUIRES_PRE_AUTH\fR flag. \fB-requires_preauth\fR clears this flag. .RE .SH EXAMPLES \fBExample 1 \fRUsing \fBcreate\fR .sp .LP The following is an example of the use of the \fBcreate\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU\fR Password for "cn=admin,o=org": \fIpassword entered\fR Initializing database for realm 'ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: \fImaster key entered\fR Re-enter KDC database master key to verify: \fImaster key re-entered\fR .fi .in -2 .sp .LP \fBExample 2 \fRUsing \fBmodify\fR .sp .LP The following is an example of the use of the \fBmodify\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e modify +requires_preauth -r ATHENA.MIT.EDU\fR Password for "cn=admin,o=org": \fIpassword entered\fR Password for "cn=admin,o=org": \fIpassword entered\fR .fi .in -2 .sp .LP \fBExample 3 \fRUsing \fBview\fR .sp .LP The following is an example of the use of the \fBview\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e view -r ATHENA.MIT.EDU\fR Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU Subtree: ou=users,o=org Subtree: ou=servers,o=org SearchScope: ONE Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE .fi .in -2 .sp .LP \fBExample 4 \fRUsing \fBdestroy\fR .sp .LP The following is an example of the use of the \fBdestroy\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e destroy -r ATHENA.MIT.EDU\fR Password for "cn=admin,o=org": \fIpassword entered\fR Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? (type 'yes' to confirm)? \fByes\fR OK, deleting database of 'ATHENA.MIT.EDU'... .fi .in -2 .sp .LP \fBExample 5 \fRUsing \fBlist\fR .sp .LP The following is an example of the use of the \fBlist\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list\fR Password for "cn=admin,o=org": \fIpassword entered\fR Re-enter Password for "cn=admin,o=org": \fIpassword re-entered\fR ATHENA.MIT.EDU OPENLDAP.MIT.EDU MEDIA-LAB.MIT.EDU .fi .in -2 .sp .LP \fBExample 6 \fRUsing \fBstashsrvpw\fR .sp .LP The following is an example of the use of the \fBstashsrvpw\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util stashsrvpw -f \e /home/andrew/conf_keyfile cn=service-kdc,o=org\fR Password for "cn=service-kdc,o=org": \fIpassword entered\fR Re-enter password for "cn=service-kdc,o=org": \fIpassword re-entered\fR .fi .in -2 .sp .LP \fBExample 7 \fRUsing \fBcreate_policy\fR .sp .LP The following is an example of the use of the \fBcreate_policy\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e create_policy -r ATHENA.MIT.EDU \e -maxtktlife "1 day" -maxrenewlife "1 week" \e -allow_postdated +needchange -allow_forwardable \fItktpolicy\fR\fR Password for "cn=admin,o=org": \fIpassword entered\fR .fi .in -2 .sp .LP \fBExample 8 \fRUsing \fBmodify_policy\fR .sp .LP The following is an example of the use of the \fBmodify_policy\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e modify_policy -r ATHENA.MIT.EDU \e -maxtktlife "60 minutes" -maxrenewlife "10 hours" \e +allow_postdated -requires_preauth \fItktpolicy\fR\fR Password for "cn=admin,o=org": \fIpassword entered\fR .fi .in -2 .sp .LP \fBExample 9 \fRUsing \fBview_policy\fR .sp .LP The following is an example of the use of the \fBview_policy\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e view_policy -r ATHENA.MIT.EDU \fItktpolicy\fR\fR Password for "cn=admin,o=org": \fIpassword entered\fR Ticket policy: tktpolicy Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE .fi .in -2 .sp .LP \fBExample 10 \fRUsing \fBdestroy_policy\fR .sp .LP The following is an example of the use of the \fBdestroy_policy\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e destroy_policy -r ATHENA.MIT.EDU \fItktpolicy\fR\fR Password for "cn=admin,o=org": \fIpassword entered\fR This will delete the policy object 'tktpolicy', are you sure? (type 'yes' to confirm)? \fByes\fR ** policy object '\fItktpolicy\fR' deleted. .fi .in -2 .sp .LP \fBExample 11 \fRUsing \fBlist_policy\fR .sp .LP The following is an example of the use of the \fBlist_policy\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e list_policy -r ATHENA.MIT.EDU\fR Password for "cn=admin,o=org": \fIpassword entered\fR tktpolicy tmppolicy userpolicy .fi .in -2 .sp .LP \fBExample 12 \fRUsing \fBsetsrvpw\fR .sp .LP The following is an example of the use of the \fBsetsrvpw\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw \e -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fR Password for "cn=admin,o=org": \fIpassword entered\fR Password for "cn=service-kdc,o=org": \fIpassword entered\fR Re-enter password for "cn=service-kdc,o=org": \fIpassword re-entered\fR .fi .in -2 .sp .LP \fBExample 13 \fRUsing \fBcreate_service\fR .sp .LP The following is an example of the use of the \fBcreate_service\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org create_service \e -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fR Password for "cn=admin,o=org": \fIpassword entered\fR File does not exist. Creating the file /home/andrew/conf_keyfile... .fi .in -2 .sp .LP \fBExample 14 \fRUsing \fBmodify_service\fR .sp .LP The following is an example of the use of the \fBmodify_service\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org modify_service \e -realm ATHENA.MIT.EDU cn=service-kdc,o=org\fR Password for "cn=admin,o=org": \fIpassword entered\fR Changing rights for the service object. Please wait ... done .fi .in -2 .sp .LP \fBExample 15 \fRUsing \fBview_service\fR .sp .LP The following is an example of the use of the \fBview_service\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org view_service \e cn=service-kdc,o=org\fR Password for "cn=admin,o=org": \fIpassword entered\fR Service dn: cn=service-kdc,o=org Service type: kdc Service host list: Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security .fi .in -2 .sp .LP \fBExample 16 \fRUsing \fBdestroy_service\fR .sp .LP The following is an example of the use of the \fBdestroy_service\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org destroy_service \e cn=service-kdc,o=org\fR Password for "cn=admin,o=org": \fIpassword entered\fR This will delete the service object 'cn=service-kdc,o=org', are you sure? (type 'yes' to confirm)? \fByes\fR ** service object 'cn=service-kdc,o=org' deleted. .fi .in -2 .sp .LP \fBExample 17 \fRUsing \fBlist_service\fR .sp .LP The following is an example of the use of the \fBlist_service\fR command. .sp .in +2 .nf # \fBkdb5_ldap_util -D cn=admin,o=org list_service\fR Password for "cn=admin,o=org": \fIpassword entered\fR cn=service-kdc,o=org cn=service-adm,o=org cn=service-pwd,o=org .fi .in -2 .sp .SH ATTRIBUTES See \fBattributes\fR(7) for descriptions of the following attributes: .sp .sp .TS box; c | c l | l . ATTRIBUTE TYPE ATTRIBUTE VALUE _ Interface Stability Volatile .TE .SH SEE ALSO .BR kinit (1), .BR kdc.conf (5), .BR attributes (7), .BR kadmin (8)