kdb5_ldap_util allows an administrator to manage realms, Kerberos services and ticket policies. .SH COMMAND-LINE OPTIONS .INDENT 0.0 .TP .B \fB\-D\fP \fIuser_dn\fP Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. .TP .B \fB\-w\fP \fIpasswd\fP Specifies the password of \fIuser_dn\fP. This option is not recommended. .TP .B \fB\-H\fP \fIldapuri\fP Specifies the URI of the LDAP server. It is recommended to use \fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server. .UNINDENT .SH COMMANDS .SS create .INDENT 0.0 .INDENT 3.5 \fBcreate\fP [\fB\-subtrees\fP \fIsubtree_dn_list\fP] [\fB\-sscope\fP \fIsearch_scope\fP] [\fB\-containerref\fP \fIcontainer_reference_dn\fP] [\fB\-k\fP \fImkeytype\fP] [\fB\-kv\fP \fImkeyVNO\fP] [\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP] [\fB\-s\fP] [\fB\-r\fP \fIrealm\fP] [\fB\-maxtktlife\fP \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] .UNINDENT .UNINDENT .sp Creates realm in directory. Options: .INDENT 0.0 .TP .B \fB\-subtrees\fP \fIsubtree_dn_list\fP Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\fB:\fP). .TP .B \fB\-sscope\fP \fIsearch_scope\fP Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees). .TP .B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container. .TP .B \fB\-k\fP \fImkeytype\fP Specifies the key type of the master key in the database. The default is given by the \fBmaster_key_type\fP variable in \fIkdc.conf(5)\fP. .TP .B \fB\-kv\fP \fImkeyVNO\fP Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. .TP .B \fB\-m\fP Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. .TP .B \fB\-P\fP \fIpassword\fP Specifies the master database password. This option is not recommended. .TP .B \fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP .B \fB\-sf\fP \fIstashfilename\fP Specifies the stash file of the master database password. .TP .B \fB\-s\fP Specifies that the stash file is to be created. .TP .B \fB\-maxtktlife\fP \fImax_ticket_life\fP (\fIgetdate\fP string) Specifies maximum ticket life for principals in this realm. .TP .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP (\fIgetdate\fP string) Specifies maximum renewable life of tickets for principals in this realm. .TP .B \fIticket_flags\fP Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \fBadd_principal\fP command in \fIkadmin(1)\fP. .UNINDENT .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU Password for "cn=admin,o=org": Initializing database for realm \(aqATHENA.MIT.EDU\(aq You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re\-enter KDC database master key to verify: .ft P .fi .UNINDENT .UNINDENT .SS modify .INDENT 0.0 .INDENT 3.5 \fBmodify\fP [\fB\-subtrees\fP \fIsubtree_dn_list\fP] [\fB\-sscope\fP \fIsearch_scope\fP] [\fB\-containerref\fP \fIcontainer_reference_dn\fP] [\fB\-r\fP \fIrealm\fP] [\fB\-maxtktlife\fP \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] .UNINDENT .UNINDENT .sp Modifies the attributes of a realm. Options: .INDENT 0.0 .TP .B \fB\-subtrees\fP \fIsubtree_dn_list\fP Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\fB:\fP). This list replaces the existing list. .TP .B \fB\-sscope\fP \fIsearch_scope\fP Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees). .TP .B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the container object in which the principals of a realm will be created. .TP .B \fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP .B \fB\-maxtktlife\fP \fImax_ticket_life\fP (\fIgetdate\fP string) Specifies maximum ticket life for principals in this realm. .TP .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP (\fIgetdate\fP string) Specifies maximum renewable life of tickets for principals in this realm. .TP .B \fIticket_flags\fP Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \fBadd_principal\fP command in \fIkadmin(1)\fP. .UNINDENT .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r ATHENA.MIT.EDU Password for "cn=admin,o=org": shell% .ft P .fi .UNINDENT .UNINDENT .SS view .INDENT 0.0 .INDENT 3.5 \fBview\fP [\fB\-r\fP \fIrealm\fP] .UNINDENT .UNINDENT .sp Displays the attributes of a realm. Options: .INDENT 0.0 .TP .B \fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .UNINDENT .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu view \-r ATHENA.MIT.EDU Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU Subtree: ou=users,o=org Subtree: ou=servers,o=org SearchScope: ONE Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE .ft P .fi .UNINDENT .UNINDENT .SS destroy .INDENT 0.0 .INDENT 3.5 \fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP] .UNINDENT .UNINDENT .sp Destroys an existing realm. Options: .INDENT 0.0 .TP .B \fB\-f\fP If specified, will not prompt the user for confirmation. .TP .B \fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .UNINDENT .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU Password for "cn=admin,o=org": Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure? (type \(aqyes\(aq to confirm)? yes OK, deleting database of \(aqATHENA.MIT.EDU\(aq... shell% .ft P .fi .UNINDENT .UNINDENT .SS list .INDENT 0.0 .INDENT 3.5 \fBlist\fP .UNINDENT .UNINDENT .sp Lists the name of realms. .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C shell% kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu list Password for "cn=admin,o=org": ATHENA.MIT.EDU OPENLDAP.MIT.EDU MEDIA\-LAB.MIT.EDU shell% .ft P .fi .UNINDENT .UNINDENT .SS stashsrvpw .INDENT 0.0 .INDENT 3.5 \fBstashsrvpw\fP [\fB\-f\fP \fIfilename\fP] \fIservicedn\fP .UNINDENT .UNINDENT .sp Allows an administrator to store the password for service object in a file so that KDC and Administration server can use it to authenticate to the LDAP server. Options: .INDENT 0.0 .TP .B \fB\-f\fP \fIfilename\fP Specifies the complete path of the service password file. By default, \fB/usr/local/var/service_passwd\fP is used. .TP .B \fIservicedn\fP Specifies Distinguished Name (DN) of the service object whose password is to be stored in file. .UNINDENT .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile cn=service\-kdc,o=org Password for "cn=service\-kdc,o=org": Re\-enter password for "cn=service\-kdc,o=org": .ft P .fi .UNINDENT .UNINDENT .SS create_policy .INDENT 0.0 .INDENT 3.5 \fBcreate_policy\fP [\fB\-r\fP \fIrealm\fP] [\fB\-maxtktlife\fP \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] \fIpolicy_name\fP .UNINDENT .UNINDENT .sp Creates a ticket policy in the directory. Options: .INDENT 0.0 .TP .B \fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP .B \fB\-maxtktlife\fP \fImax_ticket_life\fP (\fIgetdate\fP string) Specifies maximum ticket life for principals. .TP .B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP (\fIgetdate\fP string) Specifies maximum renewable life of tickets for principals. .TP .B \fIticket_flags\fP Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the \fBadd_principal\fP command in \fIkadmin(1)\fP. .TP .B \fIpolicy_name\fP Specifies the name of the ticket policy. .UNINDENT .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" \-maxrenewlife "1 week" \-allow_postdated +needchange \-allow_forwardable tktpolicy Password for "cn=admin,o=org": .ft P .fi .UNINDENT .UNINDENT .SS modify_policy .INDENT 0.0 .INDENT 3.5 \fBmodify_policy\fP [\fB\-r\fP \fIrealm\fP] [\fB\-maxtktlife\fP \fImax_ticket_life\fP] [\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP] [\fIticket_flags\fP] \fIpolicy_name\fP .UNINDENT .UNINDENT .sp Modifies the attributes of a ticket policy. Options are same as for \fBcreate_policy\fP. .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU \-maxtktlife "60 minutes" \-maxrenewlife "10 hours" +allow_postdated \-requires_preauth tktpolicy Password for "cn=admin,o=org": .ft P .fi .UNINDENT .UNINDENT .SS view_policy .INDENT 0.0 .INDENT 3.5 \fBview_policy\fP [\fB\-r\fP \fIrealm\fP] \fIpolicy_name\fP .UNINDENT .UNINDENT .sp Displays the attributes of a ticket policy. Options: .INDENT 0.0 .TP .B \fIpolicy_name\fP Specifies the name of the ticket policy. .UNINDENT .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu view_policy \-r ATHENA.MIT.EDU tktpolicy Password for "cn=admin,o=org": Ticket policy: tktpolicy Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE .ft P .fi .UNINDENT .UNINDENT .SS destroy_policy .INDENT 0.0 .INDENT 3.5 \fBdestroy_policy\fP [\fB\-r\fP \fIrealm\fP] [\fB\-force\fP] \fIpolicy_name\fP .UNINDENT .UNINDENT .sp Destroys an existing ticket policy. Options: .INDENT 0.0 .TP .B \fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP .B \fB\-force\fP Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy. .TP .B \fIpolicy_name\fP Specifies the name of the ticket policy. .UNINDENT .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu destroy_policy \-r ATHENA.MIT.EDU tktpolicy Password for "cn=admin,o=org": This will delete the policy object \(aqtktpolicy\(aq, are you sure? (type \(aqyes\(aq to confirm)? yes ** policy object \(aqtktpolicy\(aq deleted. .ft P .fi .UNINDENT .UNINDENT .SS list_policy .INDENT 0.0 .INDENT 3.5 \fBlist_policy\fP [\fB\-r\fP \fIrealm\fP] .UNINDENT .UNINDENT .sp Lists the ticket policies in realm if specified or in the default realm. Lists the ticket policies in realm if specified or in the default realm. Options: .INDENT 0.0 .TP .B \fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .UNINDENT .sp Example: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu list_policy \-r ATHENA.MIT.EDU Password for "cn=admin,o=org": tktpolicy tmppolicy userpolicy .ft P .fi .UNINDENT .UNINDENT