diff options
Diffstat (limited to 'src/man/kdb5_ldap_util.8')
-rw-r--r-- | src/man/kdb5_ldap_util.8 | 1108 |
1 files changed, 1108 insertions, 0 deletions
diff --git a/src/man/kdb5_ldap_util.8 b/src/man/kdb5_ldap_util.8 new file mode 100644 index 0000000000..71ae0c8c7b --- /dev/null +++ b/src/man/kdb5_ldap_util.8 @@ -0,0 +1,1108 @@ +.TH "KDB5_LDAP_UTIL" "8" "January 06, 2012" "0.0.1" "MIT Kerberos" +.SH NAME +kdb5_ldap_util \- Kerberos configuration utility +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.sp +\fBkdb5_ldap_util\fP [\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]] [\fB\-H\fP \fIldapuri\fP] \fBcommand\fP [\fIcommand_options\fP] +.SH DESCRIPTION +.sp +\fIkdb5_ldap_util\fP allows an administrator to manage realms, Kerberos services and ticket policies. +.SH COMMAND-LINE OPTIONS +.INDENT 0.0 +.TP +.B \fB\-D\fP \fIuser_dn\fP +.sp +Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. +.TP +.B \fB\-w\fP \fIpasswd\fP +.sp +Specifies the password of \fIuser_dn\fP. This option is not recommended. +.TP +.B \fB\-H\fP \fIldapuri\fP +.sp +Specifies the URI of the LDAP server. It is recommended to use \fIldapi://\fP or \fIldaps://\fP to connect to the LDAP server. +.UNINDENT +.SH COMMANDS +.SS create +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBcreate\fP +[\fB\-subtrees\fP \fIsubtree_dn_list\fP] +[\fB\-sscope\fP \fIsearch_scope\fP] +[\fB\-containerref\fP \fIcontainer_reference_dn\fP] +[\fB\-k\fP \fImkeytype\fP] +[\fB\-kv\fP \fImkeyVNO\fP] +[\fB\-m|\-P\fP \fIpassword*|*\fP\-sf** \fIstashfilename\fP] +[\fB\-s\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-kdcdn\fP \fIkdc_service_list\fP] +[\fB\-admindn\fP \fIadmin_service_list\fP] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +.INDENT 0.0 +.INDENT 3.5 +.sp +Creates realm in directory. Options: +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +.sp +Specifies the list of subtrees containing the principals of a realm. +The list contains the DNs of the subtree objects separated by colon(:). +.TP +.B \fB\-sscope\fP \fIsearch_scope\fP +.sp +Specifies the scope for searching the principals under the subtree. +The possible values are 1 or one (one level), 2 or sub (subtrees). +.TP +.B \fB\-containerref\fP \fIcontainer_reference_dn\fP +.sp +Specifies the DN of the container object in which the principals of a realm will be created. +If the container reference is not configured for a realm, the principals will be created in the realm container. +.TP +.B \fB\-k\fP \fImkeytype\fP +.sp +Specifies the key type of the master key in the database; the default is that given in kdc.conf. +.TP +.B \fB\-kv\fP \fImkeyVNO\fP +.sp +Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. +.TP +.B \fB\-m\fP +.sp +Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. +.TP +.B \fB\-P\fP \fIpassword\fP +.sp +Specifies the master database password. This option is not recommended. +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.TP +.B \fB\-sf\fP \fIstashfilename\fP +.sp +Specifies the stash file of the master database password. +.TP +.B \fB\-s\fP +.sp +Specifies that the stash file is to be created. +.TP +.B \fB\-maxtktlife\fP \fImax_ticket_life\fP +.sp +Specifies maximum ticket life for principals in this realm. +.TP +.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +.sp +Specifies maximum renewable life of tickets for principals in this realm. +.TP +.B \fIticket_flags\fP +.INDENT 7.0 +.INDENT 3.5 +.sp +Specifies the ticket flags. +If this option is not specified, by default, none of the flags are set. +This means all the ticket options will be allowed and no restriction will be set. +.UNINDENT +.UNINDENT +.sp +The various flags are: +.INDENT 7.0 +.TP +.B {\-|+}allow_postdated +. +\fI\-allow_postdated\fP prohibits principals from obtaining postdated tickets. +(Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) \fI+allow_postdated\fP clears this flag. +.TP +.B {\-|+}allow_forwardable +. +\fI\-allow_forwardable\fP prohibits principals from obtaining forwardable tickets. +(Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) +\fI+allow_forwardable\fP clears this flag. +.TP +.B {\-|+}allow_renewable +. +\fI\-allow_renewable\fP prohibits principals from obtaining renewable tickets. +(Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) +\fI+allow_renewable\fP clears this flag. +.TP +.B {\-|+}allow_proxiable +. +\fI\-allow_proxiable\fP prohibits principals from obtaining proxiable tickets. +(Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) +\fI+allow_proxiable\fP clears this flag. +.TP +.B {\-|+}allow_dup_skey +. +\fI\-allow_dup_skey\fP disables user\-to\-user authentication for principals by prohibiting principals +from obtaining a session key for another user. +(Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) +\fI+allow_dup_skey\fP clears this flag. +.TP +.B {\-|+}ok_as_delegate +. ++ok_as_delegate sets the OK\-AS\-DELEGATE flag on tickets issued for use with this principal as the service, +which clients may use as a hint that credentials can and should be delegated when authenticating to the service. +(Sets the KRB5_KDB_OK_AS_DELEGATE flag.) +\fI\-ok_as_delegate\fP clears this flag. +.TP +.B {\-|+}requires_preauth +. +\fI+requires_preauth\fP requires principals to preauthenticate before being allowed to \fIkinit\fP. +(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) +\fI\-requires_preauth\fP clears this flag. +.TP +.B {\-|+}requires_hwauth +. +\fI+requires_hwauth\fP requires principals to preauthenticate using a hardware device before being allowed to kinit. +(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) +\fI\-requires_hwauth\fP clears this flag. +.TP +.B {\-|+}allow_svr +. +\fI\-allow_svr\fP prohibits the issuance of service tickets for principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.) +\fI+allow_svr\fP clears this flag. +.TP +.B {\-|+}allow_tgs_req +. +\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for principals is not permitted. +This option is useless for most things. +\fI+allow_tgs_req\fP clears this flag. The default is \fI+allow_tgs_req\fP. +In effect, \fI\-allow_tgs_req\fP sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. +.TP +.B {\-|+}allow_tix +. +\fI\-allow_tix\fP forbids the issuance of any tickets for principals. \fI+allow_tix\fP clears this flag. +The default is \fI+allow_tix\fP. +In effect, \fI\-allow_tix\fP sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. +.TP +.B {\-|+}needchange +. +\fI+needchange\fP sets a flag in attributes field to force a password change; \fI\-needchange\fP clears it. +The default is \fI\-needchange\fP. +In effect, \fI+needchange\fP sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database. +.TP +.B {\-|+}password_changing_service +. +\fI+password_changing_service\fP sets a flag in the attributes field marking principal as a password change service principal +(useless for most things). +\fI\-password_changing_service\fP clears the flag. This flag intentionally has a long name. +The default is \fI\-password_changing_service\fP. +In effect, \fI+password_changing_service\fP sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. +.UNINDENT +.UNINDENT +.sp +Command options specific to eDirectory +.UNINDENT +.UNINDENT +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fB\-kdcdn\fP \fIkdc_service_list\fP +.sp +Specifies the list of KDC service objects serving the realm. +The list contains the DNs of the KDC service objects separated by colon(:). +.TP +.B \fB\-admindn\fP \fIadmin_service_list\fP +.sp +Specifies the list of Administration service objects serving the realm. +The list contains the DNs of the Administration service objects separated by colon(:). +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +Initializing database for realm \(aqATHENA.MIT.EDU\(aq +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. +Enter KDC database master key: +Re\-enter KDC database master key to verify: +.ft P +.fi +.SS modify +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBmodify\fP +[\fB\-subtrees\fP \fIsubtree_dn_list\fP] +[\fB\-sscope\fP \fIsearch_scope\fP] +[\fB\-containerref\fP \fIcontainer_reference_dn\fP] +[\fB\-r\fP \fIrealm\fP] +[\fB\-kdcdn\fP \fIkdc_service_list\fP | [\fB\-clearkdcdn\fP \fIkdc_service_list\fP] [\fB\-addkdcdn\fP \fIkdc_service_list\fP]] +[\fB\-admindn\fP \fIadmin_service_list\fP | [\fB\-clearadmindn\fP \fIadmin_service_list\fP] [\fB\-addadmindn\fP \fIadmin_service_list\fP]] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +.INDENT 0.0 +.INDENT 3.5 +.sp +Modifies the attributes of a realm. Options: +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +.sp +Specifies the list of subtrees containing the principals of a realm. +The list contains the DNs of the subtree objects separated by colon(:). This list replaces the existing list. +.TP +.B \fB\-sscope\fP \fIsearch_scope\fP +.sp +Specifies the scope for searching the principals under the subtrees. +The possible values are 1 or one (one level), 2 or sub (subtrees). +.TP +.B \fB\-containerref\fP \fIcontainer_reference_dn\fP +.sp +Specifies the DN of the container object in which the principals of a realm will be created. +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.TP +.B \fB\-maxtktlife\fP \fImax_ticket_life\fP +.sp +Specifies maximum ticket life for principals in this realm. +.TP +.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +.sp +Specifies maximum renewable life of tickets for principals in this realm. +.TP +.B \fIticket_flags\fP +.INDENT 7.0 +.INDENT 3.5 +.sp +Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. +This means all the ticket options will be allowed and no restriction will be set. +.UNINDENT +.UNINDENT +.sp +The various flags are: +.INDENT 7.0 +.TP +.B {\-|+}allow_postdated +. +\fI\-allow_postdated\fP prohibits principals from obtaining postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) +\fI+allow_postdated\fP clears this flag. +.TP +.B {\-|+}allow_forwardable +. +\fI\-allow_forwardable\fP prohibits principals from obtaining forwardable tickets. +(Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) +\fI+allow_forwardable\fP clears this flag. +.TP +.B {\-|+}allow_renewable +. +\fI\-allow_renewable\fP prohibits principals from obtaining renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) +\fI+allow_renewable\fP clears this flag. +.TP +.B {\-|+}allow_proxiable +. +\fI\-allow_proxiable\fP prohibits principals from obtaining proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) +\fI+allow_proxiable\fP clears this flag. +.TP +.B {\-|+}allow_dup_skey +. +\fI\-allow_dup_skey\fP Disables user\-to\-user authentication for principals by prohibiting principals from +obtaining a session key for another user. +(Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) +\fI+allow_dup_skey\fP clears this flag. +.TP +.B {\-|+}requires_preauth +. +\fI+requires_preauth\fP requires principals to preauthenticate before being allowed to kinit. +(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) \fI\-requires_preauth\fP clears this flag. +.TP +.B {\-|+}requires_hwauth +. +\fI+requires_hwauth\fP requires principals to preauthenticate using a hardware device before being allowed to kinit. +(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) +\fI\-requires_hwauth\fP clears this flag. +.TP +.B {\-|+}allow_svr +. +\fI\-allow_svr\fP prohibits the issuance of service tickets for principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.) \fI+allow_svr\fP clears this flag. +.TP +.B {\-|+}allow_tgs_req +. +\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for principals is not permitted. +This option is useless for most things. +\fI+allow_tgs_req\fP clears this flag. +The default is \fI+allow_tgs_req\fP. In effect, \fI\-allow_tgs_req\fP sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. +.TP +.B {\-|+}allow_tix +. +\fI\-allow_tix\fP forbids the issuance of any tickets for principals. +\fI+allow_tix\fP clears this flag. The default is \fI+allow_tix\fP. +In effect, \fI\-allow_tix\fP sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. +.TP +.B {\-|+}needchange +. +\fI+needchange\fP sets a flag in attributes field to force a password change; +\fI\-needchange\fP clears it. The default is \fI\-needchange\fP. +In effect, \fI+needchange\fP sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database. +.TP +.B {\-|+}password_changing_service +. +\fI+password_changing_service\fP sets a flag in the attributes field marking principal as a password change service principal +(useless for most things). \fI\-password_changing_service\fP clears the flag. This flag intentionally has a long name. +The default is \fI\-password_changing_service\fP. +In effect, \fI+password_changing_service\fP sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. +.UNINDENT +.UNINDENT +.sp +Command options specific to eDirectory +.UNINDENT +.UNINDENT +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fB\-kdcdn\fP \fIkdc_service_list\fP +.sp +Specifies the list of KDC service objects serving the realm. +The list contains the DNs of the KDC service objects separated by a colon (:). +This list replaces the existing list. +.TP +.B \fB\-clearkdcdn\fP \fIkdc_service_list\fP +.sp +Specifies the list of KDC service objects that need to be removed from the existing list. +The list contains the DNs of the KDC service objects separated by a colon (:). +.TP +.B \fB\-addkdcdn\fP \fIkdc_service_list\fP +.sp +Specifies the list of KDC service objects that need to be added to the existing list. +The list contains the DNs of the KDC service objects separated by a colon (:). +.TP +.B \fB\-admindn\fP \fIadmin_service_list\fP +.sp +Specifies the list of Administration service objects serving the realm. +The list contains the DNs of the Administration service objects separated by a colon (:). +This list replaces the existing list. +.TP +.B \fB\-clearadmindn\fP \fIadmin_service_list\fP +.sp +Specifies the list of Administration service objects that need to be removed from the existing list. +The list contains the DNs of the Administration service objects separated by a colon (:). +.TP +.B \fB\-addadmindn\fP \fIadmin_service_list\fP +.sp +Specifies the list of Administration service objects that need to be added to the existing list. +The list contains the DNs of the Administration service objects separated by a colon (:). +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +shell% +.ft P +.fi +.SS view +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBview\fP [\fB\-r\fP \fIrealm\fP] +.sp +Displays the attributes of a realm. Options: +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu view \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +Realm Name: ATHENA.MIT.EDU +Subtree: ou=users,o=org +Subtree: ou=servers,o=org +SearchScope: ONE +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +.ft P +.fi +.SS destroy +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP] +.sp +Destroys an existing realm. Options: +.TP +.B \fB\-f\fP +.sp +If specified, will not prompt the user for confirmation. +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure? +(type \(aqyes\(aq to confirm)? yes +OK, deleting database of \(aqATHENA.MIT.EDU\(aq... +shell% +.ft P +.fi +.SS list +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBlist\fP +.sp +Lists the name of realms. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu list +Password for "cn=admin,o=org": +ATHENA.MIT.EDU +OPENLDAP.MIT.EDU +MEDIA\-LAB.MIT.EDU +shell% +.ft P +.fi +.SS stashsrvpw +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBstashsrvpw\fP [\fB\-f\fP \fIfilename\fP] \fIservicedn\fP +.sp +Allows an administrator to store the password for service object in a file so that KDC and Administration server +can use it to authenticate to the LDAP server. Options: +.TP +.B \fB\-f\fP \fIfilename\fP +.sp +Specifies the complete path of the service password file. By default, \fI/usr/local/var/service_passwd\fP is used. +.TP +.B \fIservicedn\fP +.sp +Specifies Distinguished Name (DN) of the service object whose password is to be stored in file. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org +Password for "cn=service\-kdc,o=org": +Re\-enter password for "cn=service\-kdc,o=org": +.ft P +.fi +.SS create_policy +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBcreate_policy\fP [\fB\-r\fP \fIrealm\fP] [\fB\-maxtktlife\fP \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] \fIpolicy_name\fP +.sp +Creates a ticket policy in directory. Options: +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.TP +.B \fB\-maxtktlife\fP \fImax_ticket_life\fP +.sp +Specifies maximum ticket life for principals. +.TP +.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +.sp +Specifies maximum renewable life of tickets for principals. +.TP +.B \fIticket_flags\fP +.sp +Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. +This means all the ticket options will be allowed and no restriction will be set. +.sp +The various flags are: +.INDENT 7.0 +.TP +.B {\-|+}allow_postdated +. +\fI\-allow_postdated\fP prohibits principals from obtaining postdated tickets. +(Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) \fI+allow_postdated\fP clears this flag. +.TP +.B {\-|+}allow_forwardable +. +\fI\-allow_forwardable\fP prohibits principals from obtaining forwardable tickets. +(Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) \fI+allow_forwardable\fP clears this flag. +.TP +.B {\-|+}allow_renewable +. +\fI\-allow_renewable\fP prohibits principals from obtaining renewable tickets. +(Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) \fI+allow_renewable\fP clears this flag. +.TP +.B {\-|+}allow_proxiable +. +\fI\-allow_proxiable\fP prohibits principals from obtaining proxiable tickets. +(Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) \fI+allow_proxiable\fP clears this flag. +.TP +.B {\-|+}allow_dup_skey +. +\fI\-allow_dup_skey\fP disables user\-to\-user authentication for principals by prohibiting principals +from obtaining a session key for another user. +(Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) \fI+allow_dup_skey\fP clears this flag. +.TP +.B {\-|+}requires_preauth +. +\fI+requires_preauth\fP requires principals to preauthenticate before being allowed to kinit. +(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) \fI\-requires_preauth\fP clears this flag. +.TP +.B {\-|+}requires_hwauth +. +\fI+requires_hwauth\fP requires principals to preauthenticate using a hardware device before being allowed to \fIkinit\fP. +(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) +\fI\-requires_hwauth\fP clears this flag. +.TP +.B {\-|+}allow_svr +. +\fI\-allow_svr\fP prohibits the issuance of service tickets for principals. +(Sets the KRB5_KDB_DISALLOW_SVR flag.) \fI+allow_svr\fP clears this flag. +.TP +.B {\-|+}allow_tgs_req +. +\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request +for a service ticket for principals is not permitted. +This option is useless for most things. +\fI+allow_tgs_req\fP clears this flag. The default is \fI+allow_tgs_req\fP. +In effect, \fI\-allow_tgs_req sets\fP the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. +.TP +.B {\-|+}allow_tix +. +\fI\-allow_tix\fP forbids the issuance of any tickets for principals. +\fI+allow_tix\fP clears this flag. +The default is \fI+allow_tix\fP. In effect, \fI\-allow_tix sets\fP the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. +.TP +.B {\-|+}needchange +. +\fI+needchange\fP sets a flag in attributes field to force a password change; +\fI\-needchange\fP clears it. The default is \fI\-needchange\fP. +In effect, \fI+needchange\fP sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database. +.TP +.B {\-|+}password_changing_service +. +\fI+password_changing_service\fP sets a flag in the attributes field marking principal as a password change service principal +(useless for most things). +\fI\-password_changing_service\fP clears the flag. +This flag intentionally has a long name. The default is \-password_changing_service. +In effect, \fI+password_changing_service\fP sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. +.UNINDENT +.TP +.B \fIpolicy_name\fP +.sp +Specifies the name of the ticket policy. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" \-maxrenewlife "1 week" \-allow_postdated +needchange \-allow_forwardable tktpolicy +Password for "cn=admin,o=org": +.ft P +.fi +.SS modify_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBmodify_policy\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-maxtktlife\fP \fImax_ticket_life\fP] +[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] +[\fIticket_flags\fP] +\fIpolicy_name\fP +.INDENT 0.0 +.INDENT 3.5 +.sp +Modifies the attributes of a ticket policy. Options are same as create_policy. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU \-maxtktlife "60 minutes" \-maxrenewlife "10 hours" +allow_postdated \-requires_preauth tktpolicy +Password for "cn=admin,o=org": +.ft P +.fi +.SS view_policy +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBview_policy\fP [\fB\-r\fP \fIrealm\fP] \fIpolicy_name\fP +.sp +Displays the attributes of a ticket policy. Options: +.TP +.B \fIpolicy_name\fP +.sp +Specifies the name of the ticket policy. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu view_policy \-r ATHENA.MIT.EDU tktpolicy +Password for "cn=admin,o=org": +Ticket policy: tktpolicy +Maximum ticket life: 0 days 01:00:00 +Maximum renewable life: 0 days 10:00:00 +Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +.ft P +.fi +.SS destroy_policy +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBdestroy_policy\fP +[\fB\-r\fP \fIrealm\fP] +[\fB\-force\fP] +\fIpolicy_name\fP +.INDENT 0.0 +.INDENT 3.5 +.sp +Destroys an existing ticket policy. Options: +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.TP +.B \fB\-force\fP +.sp +Forces the deletion of the policy object. If not specified, will be prompted for confirmation while deleting the policy. +Enter yes to confirm the deletion. +.TP +.B \fIpolicy_name\fP +.sp +Specifies the name of the ticket policy. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu destroy_policy \-r ATHENA.MIT.EDU tktpolicy +Password for "cn=admin,o=org": +This will delete the policy object \(aqtktpolicy\(aq, are you sure? +(type \(aqyes\(aq to confirm)? yes +** policy object \(aqtktpolicy\(aq deleted. +.ft P +.fi +.SS list_policy +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBlist_policy\fP [\fB\-r\fP \fIrealm\fP] +.sp +Lists the ticket policies in realm if specified or in the default realm. Options: +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Specifies the Kerberos realm of the database. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu list_policy \-r ATHENA.MIT.EDU +Password for "cn=admin,o=org": +tktpolicy +tmppolicy +userpolicy +.ft P +.fi +.SH COMMANDS SPECIFIC TO EDIRECTORY +.SS setsrvpw +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBsetsrvpw\fP +[\fB\-randpw|\-fileonly\fP] +[\fB\-f\fP \fIfilename\fP] +\fIservice_dn\fP +.INDENT 0.0 +.INDENT 3.5 +.sp +Allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in a file. +The \fI\-fileonly\fP option stores the password in a file and not in the eDirectory object. Options: +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-randpw\fP +.sp +Generates and sets a random password. +This options can be specified to store the password both in eDirectory and a file. +The \fI\-fileonly\fP option can not be used if \fI\-randpw\fP option is already specified. +.TP +.B \fB\-fileonly\fP +.sp +Stores the password only in a file and not in eDirectory. +The \fI\-randpw\fP option can not be used when \fI\-fileonly\fP options is specified. +.TP +.B \fB\-f\fP \fIfilename\fP +.sp +Specifies complete path of the service password file. By default, \fI/usr/local/var/service_passwd\fP is used. +.TP +.B \fIservice_dn\fP +.sp +Specifies Distinguished Name (DN) of the service object whose password is to be set. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kdb5_ldap_util setsrvpw \-D cn=admin,o=org setsrvpw \-fileonly \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org +Password for "cn=admin,o=org": +Password for "cn=service\-kdc,o=org": +Re\-enter password for "cn=service\-kdc,o=org": +.ft P +.fi +.SS create_service +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBcreate_service\fP +{\fB\-kdc|\-admin|\-pwd\fP} +[\fB\-servicehost\fP \fIservice_host_list\fP] +[\fB\-realm\fP \fIrealm_list\fP] +[\fB\-randpw|\-fileonly\fP] +[\fB\-f\fP \fIfilename\fP] \fIservice_dn\fP +.INDENT 0.0 +.INDENT 3.5 +.sp +Creates a service in directory and assigns appropriate rights. Options: +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-kdc\fP +.sp +Specifies the service is a KDC service +.TP +.B \fB\-admin\fP +.sp +Specifies the service is a Administration service +.TP +.B \fB\-pwd\fP +.sp +Specifies the Password service +.TP +.B \fB\-servicehost\fP \fIservice_host_list\fP +.sp +Specifies the list of entries separated by a colon (:). +Each entry consists of the hostname or IP address of the server hosting the service, +transport protocol, and the port number of the service separated by a pound sign (#). +For example, server1#tcp#88:server2#udp#89. +.TP +.B \fB\-realm\fP \fIrealm_list\fP +.sp +Specifies the list of realms that are to be associated with this service. +The list contains the name of the realms separated by a colon (:). +.TP +.B \fB\-randpw\fP +.sp +Generates and sets a random password. This option is used to set the random password for +the service object in directory and also to store it in the file. +The \fI\-fileonly\fP option can not be used if \fI\-randpw\fP option is specified. +.TP +.B \fB\-fileonly\fP +.sp +Stores the password only in a file and not in eDirectory. +The \fI\-randpw\fP option can not be used when \fI\-fileonly\fP option is specified. +.TP +.B \fB\-f\fP \fIfilename\fP +.sp +Specifies the complete path of the file where the service object password is stashed. +.TP +.B \fIservice_dn\fP +.sp +Specifies Distinguished Name (DN) of the Kerberos service to be created. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org create_service \-kdc \-randpw \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org +Password for "cn=admin,o=org": +File does not exist. Creating the file /home/andrew/conf_keyfile... +shell% +.ft P +.fi +.SS modify_service +.INDENT 0.0 +.INDENT 3.5 +.sp +\fBmodify_service\fP +[\fB\-servicehost\fP \fIservice_host_list\fP | [\fB\-clearservicehost\fP \fIservice_host_list\fP] [\fB\-addservicehost\fP \fIservice_host_list\fP]] +[\fB\-realm\fP \fIrealm_list\fP | [\fB\-clearrealm\fP \fIrealm_list\fP] [\fB\-addrealm\fP \fIrealm_list\fP]] +\fIservice_dn\fP +.INDENT 0.0 +.INDENT 3.5 +.sp +Modifies the attributes of a service and assigns appropriate rights. Options: +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B \fB\-servicehost\fP \fIservice_host_list\fP +.sp +Specifies the list of entries separated by a colon (:). +Each entry consists of a host name or IP Address of the Server hosting the service, transport protocol, +and port number of the service separated by a pound sign (#). For example: +.sp +.nf +.ft C +server1#tcp#88:server2#udp#89 +.ft P +.fi +.TP +.B \fB\-clearservicehost\fP \fIservice_host_list\fP +.sp +Specifies the list of servicehost entries to be removed from the existing list separated by colon (:). +Each entry consists of a host name or IP Address of +the server hosting the service, transport protocol, and port number of the service separated by a pound sign (#). +.TP +.B \fB\-addservicehost\fP \fIservice_host_list\fP +.sp +Specifies the list of servicehost entries to be added to the existing list separated by colon (:). +Each entry consists of a host name or IP Address of the +server hosting the service, transport protocol, and port number of the service separated by a pound sign (#). +.TP +.B \fB\-realm\fP \fIrealm_list\fP +.sp +Specifies the list of realms that are to be associated with this service. +The list contains the name of the realms separated by a colon (:). +This list replaces the existing list. +.TP +.B \fB\-clearrealm\fP \fIrealm_list\fP +.sp +Specifies the list of realms to be removed from the existing list. +The list contains the name of the realms separated by a colon (:). +.TP +.B \fB\-addrealm\fP \fIrealm_list\fP +.sp +Specifies the list of realms to be added to the existing list. +The list contains the name of the realms separated by a colon (:). +.TP +.B \fIservice_dn\fP +.sp +Specifies Distinguished Name (DN) of the Kerberos service to be modified. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org modify_service \-realm ATHENA.MIT.EDU cn=service\-kdc,o=org +Password for "cn=admin,o=org": +Changing rights for the service object. Please wait ... done +shell% +.ft P +.fi +.SS view_service +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBview_service\fP \fIservice_dn\fP +.sp +Displays the attributes of a service. Options: +.TP +.B \fIservice_dn\fP +.sp +Specifies Distinguished Name (DN) of the Kerberos service to be viewed. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org view_service cn=service\-kdc,o=org +Password for "cn=admin,o=org": +Service dn: cn=service\-kdc,o=org +Service type: kdc +Service host list: +Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security +shell% +.ft P +.fi +.SS destroy_service +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBdestroy_service\fP [\fB\-force\fP] [\fB\-f\fP \fIstashfilename\fP] \fIservice_dn\fP +.sp +Destroys an existing service. Options: +.TP +.B \fB\-force\fP +.sp +If specified, will not prompt for user\(aqs confirmation, instead will force destruction of the service. +.TP +.B \fB\-f\fP \fIstashfilename\fP +.sp +Specifies the complete path of the service password file from where the entry corresponding +to the service_dn needs to be removed. +.TP +.B \fIservice_dn\fP +.sp +Specifies Distinguished Name (DN) of the Kerberos service to be destroyed. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org destroy_service cn=service\-kdc,o=org +Password for "cn=admin,o=org": +This will delete the service object \(aqcn=service\-kdc,o=org\(aq, are you sure? +(type \(aqyes\(aq to confirm)? yes +** service object \(aqcn=service\-kdc,o=org\(aq deleted. +shell% +.ft P +.fi +.SS list_service +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBlist_service\fP [\fB\-basedn\fP \fIbase_dn\fP] +.sp +Lists the name of services under a given base in directory. Options: +.TP +.B \fB\-basedn\fP \fIbase_dn\fP +.sp +Specifies the base DN for searching the service objects, limiting the search to a particular subtree. +If this option is not provided, LDAP Server specific search base will be used. +For eg, in the case of OpenLDAP, value of defaultsearchbase from \fIslapd.conf\fP file will be used, +where as in the case of eDirectory, the default value for the base DN is Root. +.UNINDENT +.UNINDENT +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +shell% kdb5_ldap_util \-D cn=admin,o=org list_service +Password for "cn=admin,o=org": +cn=service\-kdc,o=org +cn=service\-adm,o=org +cn=service\-pwd,o=org +shell% +.ft P +.fi +.SH SEE ALSO +.sp +kadmin(8) +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. |