path: root/src/kadmin/server/kadmind.M
Diffstat (limited to 'src/kadmin/server/kadmind.M')
-rw-r--r--  src/kadmin/server/kadmind.M  281
1 files changed, 0 insertions, 281 deletions
diff --git a/src/kadmin/server/kadmind.M b/src/kadmin/server/kadmind.M
deleted file mode 100644
index 83c67ec3eb..0000000000
--- a/src/kadmin/server/kadmind.M
+++ /dev/null
@@ -1,281 +0,0 @@
-.TH KADMIND 8
-.SH NAME
-kadmind \- KADM5 administration server
-.SH SYNOPSIS
-.B kadmind
-[\fB\-x\fP \fIdb_args\fP] [\fB-r\fP \fIrealm\fP] [\fB\-m\fP] [\fB\-nofork\fP] [\fB\-port\fP
-\fIport-number\fP]
- [\fB\-P\fP \fIpid_file\fP]
-.SH DESCRIPTION
-This command starts the KADM5 administration server. If the database is db2,
-the administration server runs on the master Kerberos server, which stores the KDC
-principal database and the KADM5 policy database. If the database is LDAP,
-the administration server and the KDC server need not run on the same machine.
-.B Kadmind
-accepts remote requests to administer the information in these
-databases. Remote requests are sent, for example, by
-.IR kadmin (8)
-and the
-.IR kpasswd (1)
-command, both of which are clients of
-.BR kadmind .
-.PP
-.B kadmind
-requires a number of configuration files to be set up in order
-for it to work:
-.TP "\w'kdc.conf\ \ 'u"
-kdc.conf
-The KDC configuration file contains configuration information for the KDC
-and the KADM5 system.
-.B Kadmind
-understands a number of variable settings in this file, some of which are
-mandatory and some of which are optional. See the CONFIGURATION VALUES
-section below.
-.TP
-ACL file
-.BR Kadmind 's
-ACL (access control list) tells it which principals are allowed to
-perform KADM5 administration actions. The path of the ACL file is
-specified via the acl_file configuration variable (see CONFIGURATION
-VALUES). The syntax of the ACL file is specified in the ACL FILE SYNTAX
-section below.
-.PP
-After the server begins running, it puts itself in the background and
-disassociates itself from its controlling terminal.
-.PP
-kadmind can be configured for incremental database propagation.
-Incremental propagation allows slave KDC servers to receive principal
-and policy updates incrementally instead of receiving full dumps of
-the database. This facility can be enabled in the
-.I kdc.conf
-file with the
-.I iprop_enable
-option. See the
-.I kdc.conf
-documentation for other options for tuning incremental propagation
-parameters. Incremental propagation requires the principal
-"kiprop/MASTER@REALM" (where MASTER is the master KDC's canonical host
-name, and REALM the realm name) to be registered in the database.
-
-.SH OPTIONS
-.TP
-\fB\-x\fP \fIdb_args\fP
-specifies the database specific arguments.
-
-Options supported for LDAP database are:
-.sp
-.nf
-.RS 12
-\-x nconns=<number_of_connections>
-.fi
-specifies the number of connections to be maintained per LDAP server.
-
-.nf
-\-x host=<ldapuri>
-specifies the LDAP server to connect to by a LDAP URI.
-
-\-x binddn=<binddn>
-.fi
-specifies the DN of the object used by the administration server to bind to the LDAP server.
-This object should have the read and write rights on the realm container, principal container
-and the subtree that is referenced by the realm.
-
-\-x bindpwd=<bind_password>
-.fi
-specifies the password for the above mentioned binddn. It is recommended not to use this option.
-Instead, the password can be stashed using the stashsrvpw command of kdb5_ldap_util.
-.RE
-.fi
-.TP
-\fB\-r\fP \fIrealm\fP
-specifies the default realm that kadmind will serve; if it is not
-specified, the default realm of the host is used.
-.B kadmind
-will answer requests for any realm that exists in the local KDC database
-and for which the appropriate principals are in its keytab.
-.TP
-.B \-m
-specifies that the master database password should be fetched from the
-keyboard rather than from a file on disk. Note that the server gets the
-password prior to putting itself in the background; in combination with
-the -nofork option, you must place it in the background by hand.
-.TP
-.B \-nofork
-specifies that the server does not put itself in the background and does
-not disassociate itself from the terminal. In normal operation, you
-should always allow the server place itself in the background.
-.TP
-\fB\-port\fP \fIport-number\fB
-specifies the port on which the administration server listens for
-connections. The default is is controlled by the
-.I kadmind_port
-configuration variable (see below).
-.TP
-\fB\-P\fP \fIpid_file\fP
-specifies the file to which the PID of
-.B kadmind
-process should be written to after it starts up. This can be used to
-identify whether
-.B kadmind
-is still running and to allow init scripts to stop the correct process.
-.SH CONFIGURATION VALUES
-.PP
-In addition to the relations defined in kdc.conf(5), kadmind
-understands the following relations, all of which should
-appear in the [realms] section:
-.TP
-acl_file
-The path of kadmind's ACL file. Mandatory. No default.
-.TP
-dict_file
-The path of kadmind's password dictionary. A principal with any
-password policy will not be allowed to select any password in the
-dictionary. Optional. No default.
-.TP
-kadmind_port
-The
-.SM TCP
-port on which
-.B kadmind
-will listen. The default is 749.
-.SH ACL FILE SYNTAX
-.PP
-The ACL file controls which principals can or cannot perform which
-administrative functions. For operations that affect principals, the
-ACL file also controls which principals can operate on which other
-principals. This file can contain comment lines, null lines or lines
-which contain ACL entries. Comment lines start with the sharp sign
-(\fB\&#\fP) and continue until the end of the line. Lines containing ACL
-entries have the format of
-.B principal
-.I whitespace
-.B operation-mask
-[\fIwhitespace\fP \fBoperation-target\fP]
-.PP
-Ordering is important. The first matching entry is the one which will
-control access for a particular principal on a particular principal.
-.PP
-.IP principal
-may specify a partially or fully qualified Kerberos version 5
-principal name. Each component of the name may be wildcarded using
-the asterisk (
-.B *
-) character.
-.IP operation-target
-[Optional] may specify a partially or fully qualified Kerberos version 5
-principal name. Each component of the name may be wildcarded using the
-asterisk (
-.B *
-) character.
-.IP operation-mask
-Specifies what operations may or may not be performed by a principal
-matching a particular entry. This is a string of one or more of the
-following list of characters or their upper-case counterparts. If the
-character is upper-case, then the operation is disallowed. If the
-character is lower-case, then the operation is permitted.
-.RS
-.TP 5
-.B a
-[Dis]allows the addition of principals or policies in the database.
-.sp -1v
-.TP
-.B d
-[Dis]allows the deletion of principals or policies in the database.
-.sp -1v
-.TP
-.B m
-[Dis]allows the modification of principals or policies in the database.
-.sp -1v
-.TP
-.B c
-[Dis]allows the changing of passwords for principals in the database.
-.sp -1v
-.TP
-.B i
-[Dis]allows inquiries to the database.
-.sp -1v
-.TP
-.B l
-[Dis]allows the listing of principals or policies in the database.
-.sp -1v
-.TP
-.B p
-[Dis]allows the propagation of the principal database.
-.sp -1v
-.TP
-.B x
-Short for
-.IR admcil .
-.sp -1v
-.TP
-.B \&*
-Same as
-.BR x .
-.RE
-Some examples of valid entries here are:
-.TP
-.I user/instance@realm adm
-A standard fully qualified name. The
-.B operation-mask
-only applies to this principal and specifies that [s]he may add,
-delete or modify principals and policies, but not change anybody
-else's password.
-.TP
-.I user/instance@realm cim service/instance@realm
-A standard fully qualified name and a standard fully qualified target. The
-.B operation-mask
-only applies to this principal operating on this target and specifies that
-[s]he may change the target's password, request information about the
-target and modify it.
-.TP
-.I user/*@realm ac
-A wildcarded name. The
-.B operation-mask
-applies to all principals in realm "realm" whose first component is
-"user" and specifies that [s]he may add principals and change
-anybody's password.
-.TP
-.I user/*@realm i */instance@realm
-A wildcarded name and target. The
-.B operation-mask
-applies to all principals in realm "realm" whose first component is
-"user" and specifies that [s]he may perform
-inquiries on principals whose second component is "instance" and realm
-is "realm".
-.SH FILES
-.TP "\w'<dbname>.kadm5.lock\ 'u"
-principal.db
-default name for Kerberos principal database
-.TP
-<dbname>.kadm5
-KADM5 administrative database. (This would be "principal.kadm5", if you
-use the default database name.) Contains policy information.
-.TP
-<dbname>.kadm5.lock
-lock file for the KADM5 administrative database. This file works
-backwards from most other lock files. I.e.,
-.B kadmin
-will exit with an error if this file does
-.I not
-exist.
-.TP
-.B Note:
-The above three files are specific to db2 database.
-.TP
-kadm5.acl
-file containing list of principals and their
-.B kadmin
-administrative privileges. See above for a description.
-.TP
-kadm5.keytab
-keytab file for
-.I kadmin/admin
-principal.
-.TP
-kadm5.dict
-file containing dictionary of strings explicitly disallowed as
-passwords.
-.SH SEE ALSO
-kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8),
-kdb5_ldap_util(8)
-
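Review bot: this hunk deletes kadmind(8) outright and, per the diffstat (0 insertions, 281 deletions), nothing in this change replaces it, so the commit should either carry the replacement documentation or its message should state where that content now lives. Three items in the removed text are operational-security guidance that is easy to drop in a documentation migration and should be verified present in the replacement: the ACL evaluation rule ("Ordering is important. The first matching entry is the one which will control access", together with upper-case mask letters meaning the operation is disallowed), the advice that `-x bindpwd=<bind_password>` should not be used and the password should instead be stashed with the `stashsrvpw` command of `kdb5_ldap_util` (a password passed on the command line is readable by every local user via the process list), and the `-m` note that the master password is read before the daemon backgrounds itself, so with `-nofork` the operator must background it by hand. If the replacement already exists, its copy of the two defects carried here, the doubled word in "The default is is controlled" and the unbalanced font escape in `\fB\-port\fP \fIport-number\fB` (should close with `\fP`), is worth fixing in the same pass.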