xref: /illumos-gate/usr/src/man/man8/kdb5_ldap_util.8 (revision d9be5d44a919e9dbfe9d1e3e7a5557d9208b1de7)
te
This manual page is derived from documentation obtained from The Massachusetts Institute of Technology.
Portions Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
KDB5_LDAP_UTIL 8 "June 20, 2021"
NAME
kdb5_ldap_util - Kerberos configuration utility
SYNOPSIS
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] command
 [command_options]
DESCRIPTION
The kdb5_ldap_util utility allows an administrator to manage realms, Kerberos services, and ticket policies. The utility offers a set of general options, described under OPTIONS, and a set of commands, which, in turn, have their own options. Commands and their options are described in their own subsections, below.
OPTIONS
kdb5_ldap_util has a small set of general options that apply to the kdb5_ldap_util utility itself and a larger number of options that apply to specific commands. A number of these command-specific options apply to multiple commands and are described in their own section, below.
"General Options"
The following general options are supported: -D user_dn

Specifies the distinguished name (DN) of a user who has sufficient rights to perform the operation on the LDAP server.

-H ldap_uri

Specifies the URI of the LDAP server.

-w passwd

Specifies the password of user_dn. This option is not recommended.

"Common Command-specific Options"
The following options apply to a number of kdb5_ldap_util commands. -subtrees subtree_dn_list

Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by a colon.

-sscope search_scope

Specifies the scope for searching the principals under a subtree. The possible values are 1 or one (one level), 2 or sub (subtrees).

-containerref container_reference_dn

Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container.

-maxtktlife max_ticket_life

Specifies maximum ticket life for principals in this realm.

-maxrenewlife max_renewable_ticket_life

Specifies maximum renewable life of tickets for principals in this realm.

-r realm

Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3LIB) is used.

kdb5_ldap_util COMMANDS
The kdb5_ldap_util utility comprises a set of commands, each with its own set of options. These commands are described in the following subsections.
"The create Command"
The create command creates a realm in a directory. The command has the following syntax:
create \e
[-subtrees subtree_dn_list]
[-sscope search_scope]
[-containerref container_reference_dn]
[-k mkeytype]
[-m|-P password| -sf stashfilename]
[-s]
[-r realm]
[-maxtktlife max_ticket_life]
[-kdcdn kdc_service_list]
[-admindn admin_service_list]
[-maxrenewlife max_renewable_ticket_life]
[ticket_flags]

The create command has the following options: -subtree subtree_dn_list

See "Common Command-specific Options," above.

-sscope search_scope

See "Common Command-specific Options," above.

-containerref container_reference_dn

See "Common Command-specific Options," above.

-k mkeytype

Specifies the key type of the master key in the database; the default is that given in kdc.conf(5).

-m

Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk.

-P password

Specifies the master database password. This option is not recommended.

-sf stashfilename

Specifies the stash file of the master database password.

-s

Specifies that the stash file is to be created.

-maxtktlife max_ticket_life

See "Common Command-specific Options," above.

-maxrenewlife max_renewable_ticket_life

See "Common Command-specific Options," above.

-r realm

See "Common Command-specific Options," above.

ticket_flags

Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. See "Ticket Flags" for a list and descriptions of these flags.

"The modify Command"
The modify command modifies the attributes of a realm. The command has the following syntax:
modify \e
[-subtrees subtree_dn_list]
[-sscope search_scope]
[-containerref container_reference_dn]
[-r realm]
[-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life]
[ticket_flags]

The modify command has the following options: -subtree subtree_dn_list

See "Common Command-specific Options," above.

-sscope search_scope

See "Common Command-specific Options," above.

-containerref container_reference_dn

See "Common Command-specific Options," above.

-maxtktlife max_ticket_life

See "Common Command-specific Options," above.

-maxrenewlife max_renewable_ticket_life

See "Common Command-specific Options," above.

-r realm

See "Common Command-specific Options," above.

ticket_flags

Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. See "Ticket Flags" for a list and descriptions of these flags.

"The view Command"
The view command displays the attributes of a realm. The command has the following syntax:
view [-r realm]

The view command has the following option: -r realm

See "Common Command-specific Options," above.

"The destroy Command"
The destroy command destroys a realm, including the master key stash file. The command has the following syntax:
destroy [-f] [-r realm]

The destroy command has the following options: -f

If specified, destroy does not prompt you for confirmation.

-r realm

See "Common Command-specific Options," above.

"The list Command"
The list command displays the names of realms. The command has the following syntax:
list

The list command has no options.

"The stashsrvpw Command"
The stashsrvpw command enables you to store the password for service object in a file so that a KDC and Administration server can use it to authenticate to the LDAP server. The command has the following syntax:
stashsrvpw [-f filename] servicedn

The stashsrvpw command has the following option and argument: -f filename

Specifies the complete path of the service password file. The default is:

/var/krb5/service_passwd
servicedn

Specifies the distinguished name (DN) of the service object whose password is to be stored in file.

"The create_policy Command"
The create_policy command creates a ticket policy in a directory. The command has the following syntax:
create_policy \e
[-r realm]
[-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
policy_name

The create_policy command has the following options: -r realm

See "Common Command-specific Options," above.

-maxtktlife max_ticket_life

See "Common Command-specific Options," above.

-maxrenewlife max_renewable_ticket_life

See "Common Command-specific Options," above.

ticket_flags

Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. See "Ticket Flags" for a list and descriptions of these flags.

policy_name

Specifies the name of the ticket policy.

"The modify_policy Command"
The modify_policy command modifies the attributes of a ticket policy. The command has the following syntax:
modify_policy \e
[-r realm]
[-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
policy_name

The modify_policy command has the same options and argument as those for the create_policy command.

"The view_policy Command"
The view_policy command displays the attributes of a ticket policy. The command has the following syntax:
view_policy [-r realm] policy_name

The view_policy command has the following options: -r realm

See "Common Command-specific Options," above.

policy_name

Specifies the name of the ticket policy.

"The destroy_policy Command"
The destroy_policy command destroys an existing ticket policy. The command has the following syntax:
destroy_policy [-r realm] [-force] policy_name

The destroy_policy command has the following options: -r realm

See "Common Command-specific Options," above.

-force

Forces the deletion of the policy object. If not specified, you will be prompted for confirmation before the policy is deleted. Enter yes to confirm the deletion.

policy_name

Specifies the name of the ticket policy.

"The list_policy Command"
The list_policy command lists the ticket policies in the default or a specified realm. The command has the following syntax:
list_policy [-r realm]

The list_policy command has the following option: -r realm

See "Common Command-specific Options," above.

TICKET FLAGS
A number of kdb5_ldap_util commands have ticket_flag options. These flags are described as follows: {-|+}allow_dup_skey

-allow_dup_skey disables user-to-user authentication for principals by prohibiting principals from obtaining a session key for another user. This setting sets the KRB5_KDB_DISALLOW_DUP_SKEY flag. +allow_dup_skey clears this flag.

{-|+}allow_forwardable

-allow_forwardable prohibits principals from obtaining forwardable tickets. This setting sets the KRB5_KDB_DISALLOW_FORWARDABLE flag. +allow_forwardable clears this flag.

{-|+}allow_postdated

-allow_postdated prohibits principals from obtaining postdated tickets. This setting sets the KRB5_KDB_DISALLOW_POSTDATED flag. +allow_postdated clears this flag.

{-|+}allow_proxiable

-allow_proxiable prohibits principals from obtaining proxiable tickets. This setting sets the KRB5_KDB_DISALLOW_PROXIABLE flag. +allow_proxiable clears this flag.

{-|+}allow_renewable

-allow_renewable prohibits principals from obtaining renewable tickets. This setting sets the KRB5_KDB_DISALLOW_RENEWABLE flag. +allow_renewable clears this flag.

{-|+}allow_svr

-allow_svr prohibits the issuance of service tickets for principals. This setting sets the KRB5_KDB_DISALLOW_SVR flag. +allow_svr clears this flag.

{-|+}allow_tgs_req

-allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service ticket for principals is not permitted. This option is useless for most purposes. +allow_tgs_req clears this flag. The default is +allow_tgs_req. In effect, -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database.

{-|+}allow_tix

-allow_tix forbids the issuance of any tickets for principals. +allow_tix clears this flag. The default is +allow_tix. In effect, -allow_tix sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database.

{-|+}needchange

+needchange sets a flag in the attributes field to force a password change; -needchange clears that flag. The default is -needchange. In effect, +needchange sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.

{-|+}password_changing_service

+password_changing_service sets a flag in the attributes field marking a principal as a password-change-service principal (a designation that is most often not useful). -password_changing_service clears the flag. That this flag has a long name is intentional. The default is -password_changing_service. In effect, +password_changing_service sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database.

{-|+}requires_hwauth

+requires_hwauth requires principals to preauthenticate using a hardware device before being allowed to kinit(1). This setting sets the KRB5_KDB_REQUIRES_HW_AUTH flag. -requires_hwauth clears this flag.

{-|+}requires_preauth

+requires_preauth requires principals to preauthenticate before being allowed to kinit(1). This setting sets the KRB5_KDB_REQUIRES_PRE_AUTH flag. -requires_preauth clears this flag.

EXAMPLES
Example 1 Using create

The following is an example of the use of the create command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
Password for "cn=admin,o=org": password entered
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: master key entered
Re-enter KDC database master key to verify: master key re-entered

Example 2 Using modify

The following is an example of the use of the modify command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
modify +requires_preauth -r ATHENA.MIT.EDU
Password for "cn=admin,o=org": password entered
Password for "cn=admin,o=org": password entered

Example 3 Using view

The following is an example of the use of the view command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
view -r ATHENA.MIT.EDU
 Password for "cn=admin,o=org":
 Realm Name: ATHENA.MIT.EDU
 Subtree: ou=users,o=org
 Subtree: ou=servers,o=org
 SearchScope: ONE
 Maximum ticket life: 0 days 01:00:00
 Maximum renewable life: 0 days 10:00:00
 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

Example 4 Using destroy

The following is an example of the use of the destroy command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
destroy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org": password entered
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...

Example 5 Using list

The following is an example of the use of the list command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
Password for "cn=admin,o=org": password entered
Re-enter Password for "cn=admin,o=org": password re-entered
ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA-LAB.MIT.EDU

Example 6 Using stashsrvpw

The following is an example of the use of the stashsrvpw command.

# kdb5_ldap_util stashsrvpw -f \e
/home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=service-kdc,o=org": password entered
Re-enter password for "cn=service-kdc,o=org": password re-entered

Example 7 Using create_policy

The following is an example of the use of the create_policy command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
create_policy -r ATHENA.MIT.EDU \e
-maxtktlife "1 day" -maxrenewlife "1 week" \e
-allow_postdated +needchange -allow_forwardable tktpolicy
Password for "cn=admin,o=org": password entered

Example 8 Using modify_policy

The following is an example of the use of the modify_policy command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
modify_policy -r ATHENA.MIT.EDU \e
-maxtktlife "60 minutes" -maxrenewlife "10 hours" \e
+allow_postdated -requires_preauth tktpolicy
Password for "cn=admin,o=org": password entered

Example 9 Using view_policy

The following is an example of the use of the view_policy command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
view_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org": password entered
 Ticket policy: tktpolicy
 Maximum ticket life: 0 days 01:00:00
 Maximum renewable life: 0 days 10:00:00
 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

Example 10 Using destroy_policy

The following is an example of the use of the destroy_policy command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
destroy_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org": password entered
This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)? yes
** policy object 'tktpolicy' deleted.

Example 11 Using list_policy

The following is an example of the use of the list_policy command.

# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
list_policy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org": password entered
tktpolicy
tmppolicy
userpolicy

Example 12 Using setsrvpw

The following is an example of the use of the setsrvpw command.

# kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw \e
-fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
Password for "cn=service-kdc,o=org": password entered
Re-enter password for "cn=service-kdc,o=org": password re-entered

Example 13 Using create_service

The following is an example of the use of the create_service command.

# kdb5_ldap_util -D cn=admin,o=org create_service \e
-kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
File does not exist. Creating the file /home/andrew/conf_keyfile...

Example 14 Using modify_service

The following is an example of the use of the modify_service command.

# kdb5_ldap_util -D cn=admin,o=org modify_service \e
-realm ATHENA.MIT.EDU cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
Changing rights for the service object. Please wait ... done

Example 15 Using view_service

The following is an example of the use of the view_service command.

# kdb5_ldap_util -D cn=admin,o=org view_service \e
cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
 Service dn: cn=service-kdc,o=org
 Service type: kdc
 Service host list:
 Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security

Example 16 Using destroy_service

The following is an example of the use of the destroy_service command.

# kdb5_ldap_util -D cn=admin,o=org destroy_service \e
cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? yes
** service object 'cn=service-kdc,o=org' deleted.

Example 17 Using list_service

The following is an example of the use of the list_service command.

# kdb5_ldap_util -D cn=admin,o=org list_service
Password for "cn=admin,o=org": password entered
cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Volatile
SEE ALSO
kinit (1), kdc.conf (5), attributes (7), kadmin (8)