Manual Pages for UNIX Darwin command on man kdb5_ldap

Manual Pages for UNIX Darwin command on man kdb5_ldap_util

KDB5LDAPUTIL(8) KDB5LDAPUTIL(8)

NAME

kdb5ldaputil - Kerberos Configuration Utility

SYNOPSIS

kkddbb55llddaappuuttiill [-DD userdn [-ww passwd]] [-HH ldapuri] command [com-

mandoptions]

DESCRIPTION

kkddbb55llddaappuuttiill allows an administrator to manage realms, Kerberos ser-

vices and ticket policies.

CCOOMMMMAANNDD-LLIINNEE OOPPTTIIOONNSS

-DD userdn

Specifies the Distinguished name (DN) of the user who has suffi-

cient rights to perform the operation on the LDAP server.

-ww passwd

Specifies the password of userdn. This option is not recom-

mended.

-HH ldapuri

Specifies the URI of the LDAP server. CCOOMMMMAANNDDSS

ccrreeaattee [-ssuubbttrreeeess subtreednlist] [-ssssccooppee searchscope] [-ccoonnttaaiinn-

eerrrreeff containerreferencedn] [-kk mkeytype] [-mm|-PP password|-ssff stash-

filename] [-ss] [-rr realm] [-kkddccddnn kdcservicelist]

[-aaddmmiinnddnn adminservicelist] [-mmaaxxttkkttlliiffee maxticketlife] [-mmaaxxrree-

nneewwlliiffee maxrenewableticketlife] [ticketflags] Creates realm in directory. Options:

-ssuubbttrreeeess subtreednlist

Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon(:).

-ssssccooppee searchscope

Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees).

-ccoonnttaaiinneerrrreeff containerreferencedn

Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container.

-kk mkeytype

Specifies the key type of the master key in the database; the default is that given in kdc.conf.

-mm Specifies that the master database password should be

read from the TTY rather than fetched from a file on the disk.

-PP password

Specifies the master database password. This option is not recommended.

-ssff stashfilename

Specifies the stash file of the master database password.

-ss Specifies that the stash file is to be created.

-mmaaxxttkkttlliiffee maxticketlife

Specifies maximum ticket life for principals in this realm.

-mmaaxxrreenneewwlliiffee maxrenewableticketlife

Specifies maximum renewable life of tickets for princi-

pals in this realm. ticketflags

Specifies the ticket flags. If this option is not speci-

fied, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. The various flags are:

{-|++}aalllloowwppoossttddaatteedd

-aalllloowwppoossttddaatteedd prohibits principals from obtaining

postdated tickets. (Sets the KRB5KDBDISALLOWPOSTDATED flag.) ++aalllloowwppoossttddaatteedd clears this flag.

{-|++}aalllloowwffoorrwwaarrddaabbllee

-aalllloowwffoorrwwaarrddaabbllee prohibits principals from obtaining

forwardable tickets. (Sets the KRB5KDBDISALLOWFOR-

WARDABLE flag.) ++aalllloowwffoorrwwaarrddaabbllee clears this flag.

{-|++}aalllloowwrreenneewwaabbllee

-aalllloowwrreenneewwaabbllee prohibits principals from obtaining

renewable tickets. (Sets the KRB5KDBDISALLOWRENEWABLE flag.) ++aalllloowwrreenneewwaabbllee clears this flag.

{-|++}aalllloowwpprrooxxiiaabbllee

-aalllloowwpprrooxxiiaabbllee prohibits principals from obtaining

proxiable tickets. (Sets the KRB5KDBDISALLOWPROXIABLE flag.) ++aalllloowwpprrooxxiiaabbllee clears this flag.

{-|++}aalllloowwdduuppsskkeeyy

-aalllloowwdduuppsskkeeyy Disables user-to-user authentication for

principals by prohibiting principals from obtaining a

session key for another user. (Sets the KRB5KDBDISAL-

LOWDUPSKEY flag.) ++aalllloowwdduuppsskkeeyy clears this flag.

{-|++}rreeqquuiirreesspprreeaauutthh

++rreeqquuiirreesspprreeaauutthh requires principals to preauthenticate before being allowed to kinit. (Sets the

KRB5KDBREQUIRESPREAUTH flag.) -rreeqquuiirreesspprreeaauutthh

clears this flag.

{-|++}rreeqquuiirreesshhwwaauutthh

++rreeqquuiirreesshhwwaauutthh requires principals to preauthenticate using a hardware device before being allowed to kinit. (Sets the KRB5KDBREQUIRESHWAUTH flag.)

-rreeqquuiirreesshhwwaauutthh clears this flag.

{-|++}aalllloowwssvvrr

-aalllloowwssvvrr prohibits the issuance of service tickets for

principals. (Sets the KRB5KDBDISALLOWSVR flag.) ++aalllloowwssvvrr clears this flag.

{-|++}aalllloowwttggssrreeqq

-aalllloowwttggssrreeqq specifies that a Ticket-Granting Service

(TGS) request for a service ticket for principals is not permitted. This option is useless for most things. ++aalllloowwttggssrreeqq clears this flag. The default is

++aalllloowwttggssrreeqq. In effect, -aalllloowwttggssrreeqq sets the

KRB5KDBDISALLOWTGTBASED flag on principals in the database.

{-|++}aalllloowwttiixx

-aalllloowwttiixx forbids the issuance of any tickets for prin-

cipals. ++aalllloowwttiixx clears this flag. The default is

++aalllloowwttiixx. In effect, -aalllloowwttiixx sets the KRB5KDBDIS-

ALLOWALLTIX flag on principals in the database.

{-|++}nneeeeddcchhaannggee

++nneeeeddcchhaannggee sets a flag in attributes field to force a

password change; -nneeeeddcchhaannggee clears it. The default is

-nneeeeddcchhaannggee. In effect, ++nneeeeddcchhaannggee sets the

KRB5KDBREQUIRESPWCHANGE flag on principals in the database.

{-|++}ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee

++ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee sets a flag in the attributes field marking principal as a password change service

principal (useless for most things). -ppaasssswwoorrddcchhaanngg-

iinnggsseerrvviiccee clears the flag. This flag intentionally has

a long name. The default is -ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee.

In effect, ++ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee sets the

KRB5KDBPWCHANGESERVICE flag on principals in the data-

base.

-rr realm

Specifies the Kerberos realm of the database; by default the realm returned by krb5defaultlocalrealm(3) is used. Command Options Specific to eDirectory

-kkddccddnn kdcservicelist

Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC service objects separated by colon(:).

-aaddmmiinnddnn adminservicelist

Specifies the list of Administration service objects serving the realm. The list contains the DNs of the Administration service objects separated by colon(:).

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-

sseerrvveerr11..mmiitt..eedduu ccrreeaattee -ssuubbttrreeeess oo==oorrgg -ssssccooppee SSUUBB -rr

AATTHHEENNAA..MMIITT..EEDDUU Password for "cn=admin,o=org": Initializing database for realm 'ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key:

Re-enter KDC database master key to verify:

mmooddiiffyy [-ssuubbttrreeeess subtreednlist] [-ssssccooppee searchscope] [-ccoonnttaaiinn-

eerrrreeff containerreferencedn] [-rr realm] [-kkddccddnn kdcservicelist |

[-cclleeaarrkkddccddnn kdcservicelist] [-aaddddkkddccddnn kdcservicelist]]

[-aaddmmiinnddnn adminservicelist | [-cclleeaarraaddmmiinnddnn adminservicelist]

[-aaddddaaddmmiinnddnn adminservicelist]] [-mmaaxxttkkttlliiffee maxticketlife]

[-mmaaxxrreenneewwlliiffee maxrenewableticketlife] [ticketflags]

Modifies the attributes of a realm. Options:

-ssuubbttrreeeess subtreednlist

Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon(:). This list replaces the existing list.

-ssssccooppee searchscope

Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees).

-ccoonnttaaiinneerrrreeff containerreferencedn

Specifies the DN of the container object in which the principals of a realm will be created.

-mmaaxxttkkttlliiffee maxticketlife

Specifies maximum ticket life for principals in this realm.

-mmaaxxrreenneewwlliiffee maxrenewableticketlife

Specifies maximum renewable life of tickets for princi-

pals in this realm. ticketflags

Specifies the ticket flags. If this option is not speci-

fied, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. The various flags are:

{-|++}aalllloowwppoossttddaatteedd

-aalllloowwppoossttddaatteedd prohibits principals from obtaining

postdated tickets. (Sets the KRB5KDBDISALLOWPOSTDATED flag.) ++aalllloowwppoossttddaatteedd clears this flag.

{-|++}aalllloowwffoorrwwaarrddaabbllee

-aalllloowwffoorrwwaarrddaabbllee prohibits principals from obtaining

forwardable tickets. (Sets the KRB5KDBDISALLOWFOR-

WARDABLE flag.) ++aalllloowwffoorrwwaarrddaabbllee clears this flag.

{-|++}aalllloowwrreenneewwaabbllee

-aalllloowwrreenneewwaabbllee prohibits principals from obtaining

renewable tickets. (Sets the KRB5KDBDISALLOWRENEWABLE flag.) ++aalllloowwrreenneewwaabbllee clears this flag.

{-|++}aalllloowwpprrooxxiiaabbllee

-aalllloowwpprrooxxiiaabbllee prohibits principals from obtaining

proxiable tickets. (Sets the KRB5KDBDISALLOWPROXIABLE flag.) ++aalllloowwpprrooxxiiaabbllee clears this flag.

{-|++}aalllloowwdduuppsskkeeyy

-aalllloowwdduuppsskkeeyy Disables user-to-user authentication for

principals by prohibiting principals from obtaining a

session key for another user. (Sets the KRB5KDBDISAL-

LOWDUPSKEY flag.) ++aalllloowwdduuppsskkeeyy clears this flag.

{-|++}rreeqquuiirreesspprreeaauutthh

++rreeqquuiirreesspprreeaauutthh requires principals to preauthenticate before being allowed to kinit. (Sets the

KRB5KDBREQUIRESPREAUTH flag.) -rreeqquuiirreesspprreeaauutthh

clears this flag.

{-|++}rreeqquuiirreesshhwwaauutthh

++rreeqquuiirreesshhwwaauutthh requires principals to preauthenticate using a hardware device before being allowed to kinit. (Sets the KRB5KDBREQUIRESHWAUTH flag.)

-rreeqquuiirreesshhwwaauutthh clears this flag.

{-|++}aalllloowwssvvrr

-aalllloowwssvvrr prohibits the issuance of service tickets for

principals. (Sets the KRB5KDBDISALLOWSVR flag.) ++aalllloowwssvvrr clears this flag.

{-|++}aalllloowwttggssrreeqq

-aalllloowwttggssrreeqq specifies that a Ticket-Granting Service

(TGS) request for a service ticket for principals is not permitted. This option is useless for most things. ++aalllloowwttggssrreeqq clears this flag. The default is

++aalllloowwttggssrreeqq. In effect, -aalllloowwttggssrreeqq sets the

KRB5KDBDISALLOWTGTBASED flag on principals in the database.

{-|++}aalllloowwttiixx

-aalllloowwttiixx forbids the issuance of any tickets for prin-

cipals. ++aalllloowwttiixx clears this flag. The default is

++aalllloowwttiixx. In effect, -aalllloowwttiixx sets the KRB5KDBDIS-

ALLOWALLTIX flag on principals in the database.

{-|++}nneeeeddcchhaannggee

++nneeeeddcchhaannggee sets a flag in attributes field to force a

password change; -nneeeeddcchhaannggee clears it. The default is

-nneeeeddcchhaannggee. In effect, ++nneeeeddcchhaannggee sets the

KRB5KDBREQUIRESPWCHANGE flag on principals in the database.

{-|++}ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee

++ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee sets a flag in the attributes field marking principal as a password change service

principal (useless for most things). -ppaasssswwoorrddcchhaanngg-

iinnggsseerrvviiccee clears the flag. This flag intentionally has

a long name. The default is -ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee.

In effect, ++ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee sets the

KRB5KDBPWCHANGESERVICE flag on principals in the data-

base.

-rr realm

Specifies the Kerberos realm of the database; by default the realm returned by krb5defaultlocalrealm(3) is used. Command Options Specific to eDirectory

-kkddccddnn kdcservicelist

Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC service objects separated by a colon (:). This list replaces the existing list.

-cclleeaarrkkddccddnn kdcservicelist

Specifies the list of KDC service objects that need to be removed from the existing list. The list contains the DNs of the KDC service objects separated by a colon (:).

-aaddddkkddccddnn kdcservicelist

Specifies the list of KDC service objects that need to be added to the existing list. The list contains the DNs of the KDC service objects separated by a colon (:).

-aaddmmiinnddnn adminservicelist

Specifies the list of Administration service objects serving the realm. The list contains the DNs of the Administration service objects separated by a colon (:). This list replaces the existing list.

-cclleeaarraaddmmiinnddnn adminservicelist

Specifies the list of Administration service objects that

need to be removed from the existing list. The list con-

tains the DNs of the Administration service objects sepa-

rated by a colon (:).

-aaddddaaddmmiinnddnn adminservicelist

Specifies the list of Administration service objects that need to be added to the existing list. The list contains the DNs of the Administration service objects separated by a colon (:).

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-

sseerrvveerr11..mmiitt..eedduu mmooddiiffyy ++rreeqquuiirreesspprreeaauutthh -rr

AATTHHEENNAA..MMIITT..EEDDUU Password for "cn=admin,o=org":

vviieeww [-rr realm]

Displays the attributes of a realm. Options:

-rr realm

Specifies the Kerberos realm of the database; by default the realm returned by krb5defaultlocalrealm(3) is used.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-

sseerrvveerr11..mmiitt..eedduu vviieeww -rr AATTHHEENNAA..MMIITT..EEDDUU

Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU Subtree: ou=users,o=org Subtree: ou=servers,o=org SearchScope: ONE Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOWFORWARDABLE REQUIRESPWCHANGE

ddeessttrrooyy [-ff] [-rr realm]

Destroys an existing realm. Options:

-ff If specified, will not prompt the user for confirmation.

-rr realm

Specifies the Kerberos realm of the database; by default the realm returned by krb5defaultlocalrealm(3) is used.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-

sseerrvveerr11..mmiitt..eedduu ddeessttrrooyy -rr AATTHHEENNAA..MMIITT..EEDDUU

Password for "cn=admin,o=org": Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? (type 'yes' to confirm)? yes OK, deleting database of 'ATHENA.MIT.EDU'... lliisstt Lists the name of realms.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-sseerrvveerr11..mmiitt..eedduu lliisstt

Password for "cn=admin,o=org": ATHENA.MIT.EDU OPENLDAP.MIT.EDU

MEDIA-LAB.MIT.EDU

ssttaasshhssrrvvppww [-ff filename] servicedn

Allows an administrator to store the password for service object in a file so that KDC and Administration server can use it to authenticate to the LDAP server. Options:

-ff filename

Specifies the complete path of the service password file. By default, /usr/local/var/servicepasswd is used. servicedn Specifies Distinguished name (DN) of the service object whose password is to be stored in file.

EXAMPLE:

kkddbb55llddaappuuttiill ssttaasshhssrrvvppww -ff //hhoommee//aannddrreeww//ccoonnffkkeeyyffiillee

ccnn==sseerrvviiccee-kkddcc,,oo==oorrgg

Password for "cn=service-kdc,o=org":

Re-enter password for "cn=service-kdc,o=org":

ccrreeaatteeppoolliiccyy [-rr realm] [-mmaaxxttkkttlliiffee maxticketlife] [-mmaaxxrree-

nneewwlliiffee maxrenewableticketlife] [ticketflags] policyname Creates a ticket policy in directory. Options:

-rr realm

Specifies the Kerberos realm of the database; by default the realm returned by krb5defaultlocalrealm(3) is used.

-mmaaxxttkkttlliiffee maxticketlife

Specifies maximum ticket life for principals.

-mmaaxxrreenneewwlliiffee maxrenewableticketlife

Specifies maximum renewable life of tickets for princi-

pals. ticketflags

Specifies the ticket flags. If this option is not speci-

fied, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. The various flags are:

{-|++}aalllloowwppoossttddaatteedd

-aalllloowwppoossttddaatteedd prohibits principals from obtaining

postdated tickets. (Sets the KRB5KDBDISALLOWPOSTDATED flag.) ++aalllloowwppoossttddaatteedd clears this flag.

{-|++}aalllloowwffoorrwwaarrddaabbllee

-aalllloowwffoorrwwaarrddaabbllee prohibits principals from obtaining

forwardable tickets. (Sets the KRB5KDBDISALLOWFOR-

WARDABLE flag.) ++aalllloowwffoorrwwaarrddaabbllee clears this flag.

{-|++}aalllloowwrreenneewwaabbllee

-aalllloowwrreenneewwaabbllee prohibits principals from obtaining

renewable tickets. (Sets the KRB5KDBDISALLOWRENEWABLE flag.) ++aalllloowwrreenneewwaabbllee clears this flag.

{-|++}aalllloowwpprrooxxiiaabbllee

-aalllloowwpprrooxxiiaabbllee prohibits principals from obtaining

proxiable tickets. (Sets the KRB5KDBDISALLOWPROXIABLE flag.) ++aalllloowwpprrooxxiiaabbllee clears this flag.

{-|++}aalllloowwdduuppsskkeeyy

-aalllloowwdduuppsskkeeyy Disables user-to-user authentication for

principals by prohibiting principals from obtaining a

session key for another user. (Sets the KRB5KDBDISAL-

LOWDUPSKEY flag.) ++aalllloowwdduuppsskkeeyy clears this flag.

{-|++}rreeqquuiirreesspprreeaauutthh

++rreeqquuiirreesspprreeaauutthh requires principals to preauthenticate before being allowed to kinit. (Sets the

KRB5KDBREQUIRESPREAUTH flag.) -rreeqquuiirreesspprreeaauutthh

clears this flag.

{-|++}rreeqquuiirreesshhwwaauutthh

++rreeqquuiirreesshhwwaauutthh requires principals to preauthenticate using a hardware device before being allowed to kinit. (Sets the KRB5KDBREQUIRESHWAUTH flag.)

-rreeqquuiirreesshhwwaauutthh clears this flag.

{-|++}aalllloowwssvvrr

-aalllloowwssvvrr prohibits the issuance of service tickets for

principals. (Sets the KRB5KDBDISALLOWSVR flag.) ++aalllloowwssvvrr clears this flag.

{-|++}aalllloowwttggssrreeqq

-aalllloowwttggssrreeqq specifies that a Ticket-Granting Service

(TGS) request for a service ticket for principals is not permitted. This option is useless for most things. ++aalllloowwttggssrreeqq clears this flag. The default is

++aalllloowwttggssrreeqq. In effect, -aalllloowwttggssrreeqq sets the

KRB5KDBDISALLOWTGTBASED flag on principals in the database.

{-|++}aalllloowwttiixx

-aalllloowwttiixx forbids the issuance of any tickets for prin-

cipals. ++aalllloowwttiixx clears this flag. The default is

++aalllloowwttiixx. In effect, -aalllloowwttiixx sets the KRB5KDBDIS-

ALLOWALLTIX flag on principals in the database.

{-|++}nneeeeddcchhaannggee

++nneeeeddcchhaannggee sets a flag in attributes field to force a

password change; -nneeeeddcchhaannggee clears it. The default is

-nneeeeddcchhaannggee. In effect, ++nneeeeddcchhaannggee sets the

KRB5KDBREQUIRESPWCHANGE flag on principals in the database.

{-|++}ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee

++ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee sets a flag in the attributes field marking principal as a password change service

principal (useless for most things). -ppaasssswwoorrddcchhaanngg-

iinnggsseerrvviiccee clears the flag. This flag intentionally has

a long name. The default is -ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee.

In effect, ++ppaasssswwoorrddcchhaannggiinnggsseerrvviiccee sets the

KRB5KDBPWCHANGESERVICE flag on principals in the data-

base. policyname Specifies the name of the ticket policy.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-

sseerrvveerr11..mmiitt..eedduu ccrreeaatteeppoolliiccyy -rr AATTHHEENNAA..MMIITT..EEDDUU -mmaaxxttkk-

ttlliiffee ""11 ddaayy"" -mmaaxxrreenneewwlliiffee ""11 wweeeekk"" -aalllloowwppoossttddaatteedd

++nneeeeddcchhaannggee -aalllloowwffoorrwwaarrddaabbllee ttkkttppoolliiccyy

Password for "cn=admin,o=org":

mmooddiiffyyppoolliiccyy [-rr realm] [-mmaaxxttkkttlliiffee maxticketlife] [-mmaaxxrree-

nneewwlliiffee maxrenewableticketlife] [ticketflags] policyname Modifies the attributes of a ticket policy. Options are same as ccrreeaatteeppoolliiccyy..

-rr realm

Specifies the Kerberos realm of the database; by default the realm returned by krb5defaultlocalrealm(3) is used.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-

sseerrvveerr11..mmiitt..eedduu mmooddiiffyyppoolliiccyy -rr AATTHHEENNAA..MMIITT..EEDDUU -mmaaxxttkk-

ttlliiffee ""6600 mmiinnuutteess"" -mmaaxxrreenneewwlliiffee ""1100 hhoouurrss"" ++aalllloowwppoosstt-

ddaatteedd -rreeqquuiirreesspprreeaauutthh ttkkttppoolliiccyy

Password for "cn=admin,o=org":

vviieewwppoolliiccyy [-rr realm] policyname

Displays the attributes of a ticket policy. Options: policyname Specifies the name of the ticket policy.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-

sseerrvveerr11..mmiitt..eedduu vviieewwppoolliiccyy -rr AATTHHEENNAA..MMIITT..EEDDUU ttkkttppoolliiccyy

Password for "cn=admin,o=org": Ticket policy: tktpolicy Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOWFORWARDABLE REQUIRESPWCHANGE

ddeessttrrooyyppoolliiccyy [-rr realm] [-ffoorrccee] policyname

Destroys an existing ticket policy. Options:

-rr realm

Specifies the Kerberos realm of the database; by default the realm returned by krb5defaultlocalrealm(3) is used.

-ffoorrccee Forces the deletion of the policy object. If not speci-

fied, will be prompted for confirmation while deleting the policy. Enter yyeess to confirm the deletion. policyname Specifies the name of the ticket policy.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-

sseerrvveerr11..mmiitt..eedduu ddeessttrrooyyppoolliiccyy -rr AATTHHEENNAA..MMIITT..EEDDUU ttkkttppooll-

iiccyy Password for "cn=admin,o=org": This will delete the policy object 'tktpolicy', are you sure? (type 'yes' to confirm)? yes ** policy object 'tktpolicy' deleted.

lliissttppoolliiccyy [-rr realm]

Lists the ticket policies in realm if specified or in the default realm. Options:

-rr realm

Specifies the Kerberos realm of the database; by default the realm returned by krb5defaultlocalrealm(3) is used.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg -HH llddaappss::////llddaapp-

sseerrvveerr11..mmiitt..eedduu lliissttppoolliiccyy -rr AATTHHEENNAA..MMIITT..EEDDUU

Password for "cn=admin,o=org": tktpolicy tmppolicy userpolicy CCoommmmaannddss SSppeecciiffiicc ttoo eeDDiirreeccttoorryy

sseettssrrvvppww [-rraannddppww|-ffiilleeoonnllyy] [-ff filename] servicedn

Allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in

a file. The -fileonly option stores the password in a file and

not in the eDirectory object. Options:

-rraannddppww

Generates and sets a random password. This options can be specified to store the password both in eDirectory and a

file. The -fileonly option can not be used if -randpw

option is already specified.

-ffiilleeoonnllyy

Stores the password only in a file and not in eDirectory.

The -randpw option can not be used when -fileonly options

is specified.

-ff filename

Specifies complete path of the service password file. By default, /usr/local/var/servicepasswd is used. servicedn Specifies Distinguished name (DN) of the service object whose password is to be set.

EXAMPLE:

kkddbb55llddaappuuttiill sseettssrrvvppww -DD ccnn==aaddmmiinn,,oo==oorrgg sseettssrrvvppww

-ffiilleeoonnllyy -ff //hhoommee//aannddrreeww//ccoonnffkkeeyyffiillee ccnn==sseerrvviiccee-

kkddcc,,oo==oorrgg Password for "cn=admin,o=org":

Password for "cn=service-kdc,o=org":

Re-enter password for "cn=service-kdc,o=org":

ccrreeaatteesseerrvviiccee {-kkddcc||-aaddmmiinn} [-sseerrvviicceehhoosstt servicehostlist]

[-rreeaallmm realmlist] [-rraannddppww||-ffiilleeoonnllyy] [-ff filename] servicedn

Creates a service in directory and assigns appropriate rights. Options:

-kkddcc Specifies the service is a KDC service

-aaddmmiinn Specifies the service is a Administration service

-sseerrvviicceehhoosstt servicehostlist

Specifies the list of entries separated by a colon (:). Each entry consists of the hostname or IP address of the server hosting the service, transport protocol, and the

port number of the service separated by a pound sign (#).

For example, server1#tcp#88:server2#udp#89.

-rreeaallmm realmlist

Specifies the list of realms that are to be associated with this service. The list contains the name of the realms separated by a colon (:).

-rraannddppww

Generates and sets a random password. This option is used to set the random password for the service object in

directory and also to store it in the file. The -fileonly

option can not be used if -randpw option is specified.

-ffiilleeoonnllyy

Stores the password only in a file and not in eDirectory.

The -randpw option can not be used when -fileonly option

is specified.

-ff filename

Specifies the complete path of the file where the service object password is stashed. servicedn Specifies Distinguished name (DN) of the Kerberos service to be created.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg ccrreeaatteesseerrvviiccee -kkddcc

-rraannddppww -ff //hhoommee//aannddrreeww//ccoonnffkkeeyyffiillee ccnn==sseerrvviiccee-kkddcc,,oo==oorrgg

Password for "cn=admin,o=org": File does not exist. Creating the file /home/andrew/confkeyfile...

mmooddiiffyysseerrvviiccee [-sseerrvviicceehhoosstt servicehostlist | [-cclleeaarrsseerrvviiccee-

hhoosstt servicehostlist] [-aaddddsseerrvviicceehhoosstt servicehostlist]]

[-rreeaallmm realmlist | [-cclleeaarrrreeaallmm realmlist] [-aaddddrreeaallmm realmlist]]

servicedn Modifies the attributes of a service and assigns appropriate rights. Options:

-sseerrvviicceehhoosstt servicehostlist

Specifies the list of entries separated by a colon (:). Each entry consists of a host name or IP Address of the Server hosting the service, transport protocol, and port

number of the service separated by a pound sign (#). For

example, server1#tcp#88:server2#udp#89

-cclleeaarrsseerrvviicceehhoosstt servicehostlist

Specifies the list of servicehost entries to be removed from the existing list separated by colon (:). Each entry

consists of a host name or IP Address of the server host-

ing the service, transport protocol, and port number of

the service separated by a pound sign (#).

-aaddddsseerrvviicceehhoosstt servicehostlist

Specifies the list of servicehost entries to be added to

the existing list separated by colon (:). Each entry con-

sists of a host name or IP Address of the server hosting the service, transport protocol, and port number of the

service separated by a pound sign (#).

-rreeaallmm realmlist

Specifies the list of realms that are to be associated with this service. The list contains the name of the realms separated by a colon (:). This list replaces the existing list.

-cclleeaarrrreeaallmm realmlist

Specifies the list of realms to be removed from the existing list. The list contains the name of the realms separated by a colon (:).

-aaddddrreeaallmm realmlist

Specifies the list of realms to be added to the existing list. The list contains the name of the realms separated by a colon (:). servicedn Specifies Distinguished name (DN) of the Kerberos service to be modified.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg mmooddiiffyysseerrvviiccee -rreeaallmm

AATTHHEENNAA..MMIITT..EEDDUU ccnn==sseerrvviiccee-kkddcc,,oo==oorrgg

Password for "cn=admin,o=org": Changing rights for the service object. Please wait ... done vviieewwsseerrvviiccee servicedn Displays the attributes of a service. Options: servicedn Specifies Distinguished name (DN) of the Kerberos service to be viewed.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg vviieewwsseerrvviiccee ccnn==sseerrvviiccee-

kkddcc,,oo==oorrgg Password for "cn=admin,o=org":

Service dn: cn=service-kdc,o=org

Service type: kdc Service host list: Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security

ddeessttrrooyysseerrvviiccee [-ffoorrccee] [-ff stashfilename] servicedn

Destroys an existing service. Options:

-ffoorrccee If specified, will not prompt for user's confirmation,

instead will force destruction of the service.

-ff stashfilename

Specifies the complete path of the service password file from where the entry corresponding to the servicedn needs to be removed. servicedn Specifies Distinguished name (DN) of the Kerberos service to be destroyed.

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg ddeessttrrooyysseerrvviiccee ccnn==sseerr-

vviiccee-kkddcc,,oo==oorrgg

Password for "cn=admin,o=org":

This will delete the service object 'cn=service-kdc,o=org', are you sure?

(type 'yes' to confirm)? yes

** service object 'cn=service-kdc,o=org' deleted.

lliissttsseerrvviiccee [-bbaasseeddnn basedn]

Lists the name of services under a given base in directory. Options:

-bbaasseeddnn basedn

Specifies the base DN for searching the service objects, limiting the search to a particular subtree. If this option is not provided, LDAP Server specific search base will be used. For eg, in the case of OpenLDAP, value of ddeeffaauullttsseeaarrcchhbbaassee from slapd.conf file will be used, where as in the case of eDirectory, the default value for the base DN is RRoooott..

EXAMPLE:

kkddbb55llddaappuuttiill -DD ccnn==aaddmmiinn,,oo==oorrgg lliissttsseerrvviiccee

Password for "cn=admin,o=org":

cn=service-kdc,o=org

cn=service-adm,o=org

cn=service-pwd,o=org