Manual Pages for UNIX Darwin command on man sso_util

sso_util(8)               BSD System Manager's Manual               sso_util(8)

NAME

     sso_util - Kerberos - Open Directory Single Sign On

SYNOPSIS

     sso_util command [-args]

DESCRIPTION

     sso_util is a tool for setting up, interrogating and removing Kerberos configurations within the Apple Single Sign On environment. This tool can configure services, create and consume encrypted config records, and tear down Kerberos installations.

     Commands for sso_util:

     info [-p] [-g | -l | -L | -r dirnodepath | -s [-R recordname] [-a] [dirnodepath]]
          Returns information about the current Single Sign On environment.

          info command arguments:

          -p   Returns the data in XML format

          -g   Returns the default Kerberos realm name

          -l   Returns a list of the services sso_util knows how to Kerberize

          -L   Returns the default Kerberos log file paths

          -r dirnodepath
               Returns whether or not the given node has a Kerberos record associated with it. If it does, it returns the default realm name. If dirnodepath is '.' (default) it also returns all the realm names available on the search path

          -s   Returns information relating to the secure config record attached to a given computer record in the directory

          -R   Provides the name of the computer record that contains the secure config record information

          -a   Requests all available information on the secure config record

          dirnodepath
               Specifies the directory node in which to search for the computer record

     remove [-k [-a adminname [-p password]] [-d] -r REALM
          Tears down a Kerberos KDC.

          remove command arguments:

          -k   Removes both the krb5kdc and kadmind processes, and their attendant data and config information

          -a   If the admin name is present, sso_util will attempt to remove the kdc from the list of KDCs in the KerberosClient config record in the default directory node

          -d   Removes the kadmind process. It does not alter any other data

          -r   Kerberos realm name to remove

     configure -r REALM -a adminname [-p password] service
          Configures Kerberized services on the local machine for the given realm.

          configure command arguments:

          -r REALM
               Kerberos realm for the service principals

          -a adminname
               Account name of an administrator authorized to make changes in the Kerberos database

          -p password
               Password for the above administrator. The password can also be stored in a file and the path to the file can be passed as an environment variable - SSOPASSWDPATH.

          service
               Service can be any number of afp, ftp, imap, pop, smtp, ssh, fcsvr, or all

     generateconfig [-u] -r REALM -R recordname -f dirnodepath -U userlist -a adminname [-p password] service
          Creates a secure config record and attaches it to a computer record in the given directory.

          configure command arguments:

          -r REALM
               Kerberos realm for the service principals

          -R recordname
               Name of the Computer record to attach the secure config record to

          -f dirnodepath
               Specifies the directory node in which to find the given computer record

          -U userlist
               Comma separated list of users authorized to use the secure config record. The users must be in the same password server as the administrator.

          -a adminname
               Account name of an administrator authorized to make changes in the Kerberos database and also authorized to make changes in the directory node specified by -f

          -p password
               Password for the above administrator. The password can also be stored in a file and the path to the file can be passed as an environment variable - SSOPASSWDPATH.

          service
               Service can be any number of afp, ftp, imap, pop, smtp, ssh, fcsvr, or all

     useconfig [-u] [-R recordname] [-f dirnodepath] -a adminname [-p password]
          Uses a secure config record to configure a server for Kerberos.

          configure command arguments:

          -u   Forces the update, ignoring that the update may already have been installed

          -R recordname
               Name of the Computer record containing the secure config record

          -f dirnodepath
               Specifies the directory node in which to find the given computer record

          -a adminname
               Account name of a user authorized to use the secure config record (see generateconfig)

          -p password
               Password for the above user. The password can also be stored in a file and the path to the file can be passed as an environment variable - SSOPASSWDPATH.

EXAMPLES

     To configure a server in realm FOO.COM when you have the Kerberos administrator's password:

          sso_util configure -r FOO.COM -a kerberosadmin -p password all

     To create a secure config record to allow the delegated administrators, Fred and Barney, to configure a server named fred.foo.com in realm FOO.COM (using an existing computer record). The Open Directory Master for foo.com is odmaster.foo.com. This can be run on any server and neither Fred nor Barney need to have the Kerberos administrator's password:

          sso_util generateconfig -r FOO.COM -R fred.foo.com -f /LDAPv3/odmaster.foo.com -U Fred,Barney -a kerberosadmin -p password all

     To use the secure config record to allow Barney to configure the server named fred.foo.com:

          sso_util useconfig -R fred.foo.com -f /LDAPv3/odmaster.foo.com -a Barney -p barneyspassword
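     An added example, not part of the original manual page: a password given inline with -p, as in the commands above, ends up in shell history and process listings, so this sketch flags and masks such invocations in logged command lines while leaving info -p (XML output) alone. The log lines are constructed, and the attached -ppassword form and the /usr/sbin path are assumptions.

```python
import shlex

TOOL = "sso_util"
# Subcommands where -p takes a password, per the synopsis on this page.
# "info" is excluded on purpose: there -p is a bare flag selecting XML output.
PASSWORD_SUBCOMMANDS = {"remove", "configure", "generateconfig", "useconfig"}

def redact_sso_util(cmdline):
    """Return (line, exposed): the line with any inline password masked."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: cannot parse, leave untouched
        return cmdline, False
    # The tool may follow sudo or be given by absolute path.
    pos = next((i for i, a in enumerate(argv) if a.rsplit("/", 1)[-1] == TOOL), None)
    if pos is None or pos + 1 >= len(argv) or argv[pos + 1] not in PASSWORD_SUBCOMMANDS:
        return cmdline, False
    exposed = False
    i = pos + 2
    while i < len(argv):
        if argv[i] == "-p" and i + 1 < len(argv):
            argv[i + 1] = "REDACTED"   # separate form: -p password
            exposed, i = True, i + 1   # skip over the masked value
        elif argv[i].startswith("-p") and len(argv[i]) > 2:
            argv[i] = "-pREDACTED"     # assumed getopt-style form: -ppassword
            exposed = True
        i += 1
    return (shlex.join(argv) if exposed else cmdline), exposed

def audit(lines):
    """Return [(line_number, redacted_line)] for lines that exposed a password."""
    hits = []
    for n, line in enumerate(lines, 1):
        redacted, exposed = redact_sso_util(line)
        if exposed:
            hits.append((n, redacted))
    return hits

# Constructed shell-history lines modelled on the EXAMPLES section.
SAMPLE_LOG = [
    "sso_util configure -r FOO.COM -a kerberosadmin -p password all",
    "sso_util info -p -g",
    "sudo /usr/sbin/sso_util useconfig -R fred.foo.com -f /LDAPv3/odmaster.foo.com -a Barney -p barneyspassword",
    "sso_util useconfig -R fred.foo.com -a Barney",
    "sso_util remove -k -a kerberosadmin -psecret -r FOO.COM",
]

if __name__ == "__main__":
    for n, line in audit(SAMPLE_LOG):
        print(f"line {n}: {line}")
```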

FILES

     /etc/krb5.keytab
          The configure and useconfig commands create or modify the krb5.keytab file.

DIAGNOSTICS

     You can add -v debuglevel to any of the sso_util commands. Debug level 1 provides status information, higher levels add progressively more levels of detail. The maximum is level 7.

NOTES

     The sso_util tool is used by the Apple Single Sign On system to set up Kerberized services integrated with the rest of the Single Sign On components.

SEE ALSO

     kerberos(1), kerberosautoconfig(8), kdcsetup(8), krbservicesetup(8), krb5kdc(8)

Darwin                         December 21, 2019                         Darwin



