.. _kdb5_ldap_util(8):

kdb5_ldap_util
===============

SYNOPSIS
--------

.. _kdb5_ldap_util_synopsis:

**kdb5_ldap_util**
[**-D** *user_dn* [**-w** *passwd*]]
[**-H** *ldapuri*]
**command**
[*command_options*]

.. _kdb5_ldap_util_synopsis_end:


DESCRIPTION
-----------

kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.


COMMAND-LINE OPTIONS
--------------------

.. _kdb5_ldap_util_options:

**-r** *realm*
    Specifies the realm to be operated on.

**-D** *user_dn*
    Specifies the Distinguished Name (DN) of the user who has
    sufficient rights to perform the operation on the LDAP server.

**-w** *passwd*
    Specifies the password of *user_dn*.  This option is not
    recommended.

**-H** *ldapuri*
    Specifies the URI of the LDAP server.

By default, kdb5_ldap_util operates on the default realm (as specified
in :ref:`krb5.conf(5)`) and connects and authenticates to the LDAP
server in the same manner as :ref:`kadmind(8)` would given the
parameters in :ref:`dbdefaults` in :ref:`kdc.conf(5)`.

.. _kdb5_ldap_util_options_end:


COMMANDS
--------

create
~~~~~~

.. _kdb5_ldap_util_create:

    **create**
    [**-subtrees** *subtree_dn_list*]
    [**-sscope** *search_scope*]
    [**-containerref** *container_reference_dn*]
    [**-k** *mkeytype*]
    [**-kv** *mkeyVNO*]
    [**-M** *mkeyname*]
    [**-m|-P** *password*\|\ **-sf** *stashfilename*]
    [**-s**]
    [**-maxtktlife** *max_ticket_life*]
    [**-maxrenewlife** *max_renewable_ticket_life*]
    [*ticket_flags*]

Creates a realm in the directory.  Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm.  The list contains the DNs of the subtree objects separated
    by colon (``:``).

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtree.  The possible values are 1 or one (one level), 2 or sub
    (subtrees).

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be created.  If the container reference is not
    configured for a realm, the principals will be created in the
    realm container.

**-k** *mkeytype*
    Specifies the key type of the master key in the database.  The
    default is given by the **master_key_type** variable in
    :ref:`kdc.conf(5)`.

**-kv** *mkeyVNO*
    Specifies the version number of the master key in the database;
    the default is 1.  Note that 0 is not allowed.

**-M** *mkeyname*
    Specifies the principal name for the master key in the database.
    If not specified, the name is determined by the
    **master_key_name** variable in :ref:`kdc.conf(5)`.

**-m**
    Specifies that the master database password should be read from
    the TTY rather than fetched from a file on the disk.

**-P** *password*
    Specifies the master database password.  This option is not
    recommended.

**-sf** *stashfilename*
    Specifies the stash file of the master database password.

**-s**
    Specifies that the stash file is to be created.

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of
    tickets for principals in this realm.

*ticket_flags*
    Specifies global ticket flags for the realm.  Allowable flags are
    documented in the description of the **add_principal** command in
    :ref:`kadmin(1)`.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
    Password for "cn=admin,o=org":
    Initializing database for realm 'ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:

.. _kdb5_ldap_util_create_end:

modify
~~~~~~

.. _kdb5_ldap_util_modify:

    **modify**
    [**-subtrees** *subtree_dn_list*]
    [**-sscope** *search_scope*]
    [**-containerref** *container_reference_dn*]
    [**-maxtktlife** *max_ticket_life*]
    [**-maxrenewlife** *max_renewable_ticket_life*]
    [*ticket_flags*]

Modifies the attributes of a realm.  Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm.  The list contains the DNs of the subtree objects separated
    by colon (``:``).  This list replaces the existing list.

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtrees.  The possible values are 1 or one (one level), 2 or sub
    (subtrees).

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be created.

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of
    tickets for principals in this realm.

*ticket_flags*
    Specifies global ticket flags for the realm.  Allowable flags are
    documented in the description of the **add_principal** command in
    :ref:`kadmin(1)`.

Example::

    shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu modify +requires_preauth
    Password for "cn=admin,o=org":
    shell%

.. _kdb5_ldap_util_modify_end:

view
~~~~

.. _kdb5_ldap_util_view:

    **view**

Displays the attributes of a realm.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU view
    Password for "cn=admin,o=org":
    Realm Name: ATHENA.MIT.EDU
    Subtree: ou=users,o=org
    Subtree: ou=servers,o=org
    SearchScope: ONE
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_end:

destroy
~~~~~~~

.. _kdb5_ldap_util_destroy:

    **destroy** [**-f**]

Destroys an existing realm.  Options:

**-f**
    If specified, will not prompt the user for confirmation.

Example::

    shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu destroy
    Password for "cn=admin,o=org":
    Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
    (type 'yes' to confirm)? yes
    OK, deleting database of 'ATHENA.MIT.EDU'...
    shell%

.. _kdb5_ldap_util_destroy_end:

list
~~~~

.. _kdb5_ldap_util_list:

    **list**

Lists the names of realms under the container.

Example::

    shell% kdb5_ldap_util -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu list
    Password for "cn=admin,o=org":
    ATHENA.MIT.EDU
    OPENLDAP.MIT.EDU
    MEDIA-LAB.MIT.EDU
    shell%

.. _kdb5_ldap_util_list_end:

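The **view** and **view_policy** commands print realm and ticket-policy attributes as ``Key: value`` lines, with lifetimes in the ``N days HH:MM:SS`` form shown in the examples above. The script below is an added example, not part of kdb5_ldap_util or the MIT krb5 project: it parses that output into a dictionary, converts the lifetimes to seconds, and compares the result with a baseline so an administrator can spot realms or policies whose maximum lifetimes or ticket flags have drifted from the intended settings. The sample outputs are constructed from the examples on this page; the baseline values and the ``REQUIRES_PRE_AUTH`` flag name used in the usage block are assumptions to be adjusted to local policy.

```python
"""Audit the attributes printed by ``kdb5_ldap_util view`` / ``view_policy``.

Added example, not part of kdb5_ldap_util or MIT krb5.  The sample outputs
below are constructed from the examples on this page; baseline values and the
REQUIRES_PRE_AUTH flag name used in the usage block are assumptions.
"""

import re

# Constructed sample: what ``view`` prints for the realm in the example above.
SAMPLE_VIEW_OUTPUT = """\
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""

# Constructed sample: what ``view_policy`` prints for a ticket policy.
SAMPLE_VIEW_POLICY_OUTPUT = """\
Password for "cn=admin,o=org":
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""

_DURATION = re.compile(r"^(\d+) days? (\d+):(\d+):(\d+)$")
_DURATION_KEYS = ("Maximum ticket life", "Maximum renewable life")


def parse_duration(text):
    """Convert the 'N days HH:MM:SS' form printed by the tool into seconds."""
    m = _DURATION.match(text.strip())
    if m is None:
        raise ValueError("unrecognised duration: %r" % text)
    days, hours, minutes, seconds = (int(g) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_view_output(text):
    """Turn 'Key: value' lines into a dict.

    Repeated ``Subtree`` lines are collected into a list, lifetimes become
    seconds and ``Ticket flags`` becomes a set.  The password prompt has no
    value after its colon and is skipped, as are blank lines.
    """
    attrs = {"Subtree": [], "Ticket flags": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue
        if key == "Subtree":
            attrs["Subtree"].append(value)
        elif key in _DURATION_KEYS:
            attrs[key] = parse_duration(value)
        elif key == "Ticket flags":
            attrs[key] = set(value.split())
        else:
            attrs[key] = value
    return attrs


def audit(attrs, max_ticket_life, max_renewable_life, required_flags):
    """Return findings where the realm or policy is looser than the baseline.

    Lifetimes are in seconds; ``required_flags`` are flag names exactly as
    the tool prints them (for example REQUIRES_PWCHANGE).
    """
    findings = []
    for key, limit in ((_DURATION_KEYS[0], max_ticket_life),
                       (_DURATION_KEYS[1], max_renewable_life)):
        value = attrs.get(key)
        if value is None:
            findings.append("%s is not set" % key.lower())
        elif value > limit:
            findings.append("%s %ds exceeds baseline %ds" % (key.lower(), value, limit))
    missing = set(required_flags) - attrs["Ticket flags"]
    if missing:
        findings.append("missing ticket flags: " + " ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    # Constructed baseline: 10 hour tickets, 7 day renewable life, and two
    # required flags (REQUIRES_PRE_AUTH is assumed to match the tool's output).
    baseline = (10 * 3600, 7 * 86400, {"REQUIRES_PWCHANGE", "REQUIRES_PRE_AUTH"})
    for label, sample in (("realm", SAMPLE_VIEW_OUTPUT),
                          ("policy", SAMPLE_VIEW_POLICY_OUTPUT)):
        for finding in audit(parse_view_output(sample), *baseline):
            print("%s: %s" % (label, finding))
```

In practice the output of ``kdb5_ldap_util ... view`` or ``view_policy`` would be captured and passed to ``parse_view_output`` in place of the constructed samples; because the parser keys on the attribute names rather than line positions, the same function serves both commands.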
stashsrvpw
~~~~~~~~~~

.. _kdb5_ldap_util_stashsrvpw:

    **stashsrvpw**
    [**-f** *filename*]
    *name*

Allows an administrator to store the password for a service object in a
file so that the KDC and administration server can use it to
authenticate to the LDAP server.  Options:

**-f** *filename*
    Specifies the complete path of the service password file.  By
    default, ``/usr/local/var/service_passwd`` is used.

*name*
    Specifies the name of the object whose password is to be stored.
    If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for
    simple binding, this should be the distinguished name it will
    use as given by the **ldap_kdc_dn** or **ldap_kadmind_dn**
    variable in :ref:`kdc.conf(5)`.  If the KDC or kadmind is
    configured for SASL binding, this should be the authentication
    name it will use as given by the **ldap_kdc_sasl_authcid** or
    **ldap_kadmind_sasl_authcid** variable.

Example::

    kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
        cn=service-kdc,o=org
    Password for "cn=service-kdc,o=org":
    Re-enter password for "cn=service-kdc,o=org":

.. _kdb5_ldap_util_stashsrvpw_end:

create_policy
~~~~~~~~~~~~~

.. _kdb5_ldap_util_create_policy:

    **create_policy**
    [**-maxtktlife** *max_ticket_life*]
    [**-maxrenewlife** *max_renewable_ticket_life*]
    [*ticket_flags*]
    *policy_name*

Creates a ticket policy in the directory.  Options:

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals.

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of
    tickets for principals.

*ticket_flags*
    Specifies the ticket flags.  If this option is not specified, by
    default, no restriction will be set by the policy.  Allowable
    flags are documented in the description of the **add_principal**
    command in :ref:`kadmin(1)`.

*policy_name*
    Specifies the name of the ticket policy.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
        -maxrenewlife "1 week" -allow_postdated +needchange
        -allow_forwardable tktpolicy
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_create_policy_end:

modify_policy
~~~~~~~~~~~~~

.. _kdb5_ldap_util_modify_policy:

    **modify_policy**
    [**-maxtktlife** *max_ticket_life*]
    [**-maxrenewlife** *max_renewable_ticket_life*]
    [*ticket_flags*]
    *policy_name*

Modifies the attributes of a ticket policy.  Options are the same as for
**create_policy**.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy
        -maxtktlife "60 minutes" -maxrenewlife "10 hours"
        +allow_postdated -requires_preauth tktpolicy
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_modify_policy_end:

view_policy
~~~~~~~~~~~

.. _kdb5_ldap_util_view_policy:

    **view_policy**
    *policy_name*

Displays the attributes of the named ticket policy.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU view_policy tktpolicy
    Password for "cn=admin,o=org":
    Ticket policy: tktpolicy
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_policy_end:

destroy_policy
~~~~~~~~~~~~~~

.. _kdb5_ldap_util_destroy_policy:

    **destroy_policy**
    [**-force**]
    *policy_name*

Destroys an existing ticket policy.  Options:

**-force**
    Forces the deletion of the policy object.  If not specified, the
    user will be prompted for confirmation before deleting the policy.

*policy_name*
    Specifies the name of the ticket policy.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU destroy_policy tktpolicy
    Password for "cn=admin,o=org":
    This will delete the policy object 'tktpolicy', are you sure?
    (type 'yes' to confirm)? yes
    ** policy object 'tktpolicy' deleted.

.. _kdb5_ldap_util_destroy_policy_end:

list_policy
~~~~~~~~~~~

.. _kdb5_ldap_util_list_policy:

    **list_policy**

Lists ticket policies.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU list_policy
    Password for "cn=admin,o=org":
    tktpolicy
    tmppolicy
    userpolicy

.. _kdb5_ldap_util_list_policy_end:


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kerberos(7)`