System Administration Commands kdb5_ldap_util(1M)
NAME
kdb5_ldap_util - Kerberos configuration utility
SYNOPSIS
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] command
[command_options]
DESCRIPTION
The kdb5_ldap_util utility allows an administrator to manage
realms, Kerberos services, and ticket policies. The utility
offers a set of general options, described under OPTIONS, and
a set of commands, which, in turn, have their own options.
Commands and their options are described in their own
subsections, below.
OPTIONS
kdb5_ldap_util has a small set of general options that apply
to the kdb5_ldap_util utility itself and a larger number of
options that apply to specific commands. A number of these
command-specific options apply to multiple commands and are
described in their own section, below.
General Options
The following general options are supported:
-D user_dn
Specifies the distinguished name (DN) of a user who has
sufficient rights to perform the operation on the LDAP
server.
-H ldap_uri
Specifies the URI of the LDAP server.
-w passwd
Specifies the password of user_dn. This option is not
recommended.
Common Command-specific Options
The following options apply to a number of kdb5_ldap_util
commands.
-subtrees subtree_dn_list
Specifies the list of subtrees containing the principals of
a realm. The list contains the DNs of the subtree objects
separated by a colon.
SunOS 5.11 Last change: 28 Aug 2007
-sscope search_scope
Specifies the scope for searching the principals under a
subtree. The possible values are 1 or one (one level), 2 or
sub (subtrees).
-containerref container_reference_dn
Specifies the DN of the container object in which the
principals of a realm will be created. If the container
reference is not configured for a realm, the principals will
be created in the realm container.
-maxtktlife max_ticket_life
Specifies maximum ticket life for principals in this realm.
-maxrenewlife max_renewable_ticket_life
Specifies maximum renewable life of tickets for principals
in this realm.
-r realm
Specifies the Kerberos realm of the database; by default the
realm returned by krb5_default_local_realm(3) is used.
kdb5_ldap_util COMMANDS
The kdb5_ldap_util utility comprises a set of commands, each
with its own set of options. These commands are described in
the following subsections.
The create Command
The create command creates a realm in a directory. The
command has the following syntax:
create \
[-subtrees subtree_dn_list]
[-sscope search_scope]
[-containerref container_reference_dn]
[-k mkeytype]
[-m|-P password|-sf stashfilename]
[-s]
[-r realm]
[-maxtktlife max_ticket_life]
[-kdcdn kdc_service_list]
[-admindn admin_service_list]
[-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
The create command has the following options:
-subtrees subtree_dn_list
See "Common Command-specific Options," above.
-sscope search_scope
See "Common Command-specific Options," above.
-containerref container_reference_dn
See "Common Command-specific Options," above.
-k mkeytype
Specifies the key type of the master key in the database;
the default is that given in kdc.conf(4).
-m
Specifies that the master database password should be read
from the TTY rather than fetched from a file on the disk.
-P password
Specifies the master database password. This option is not
recommended.
-sf stashfilename
Specifies the stash file of the master database password.
-s
Specifies that the stash file is to be created.
-maxtktlife max_ticket_life
See "Common Command-specific Options," above.
-maxrenewlife max_renewable_ticket_life
See "Common Command-specific Options," above.
-r realm
See "Common Command-specific Options," above.
ticket_flags
Specifies the ticket flags. If this option is not specified,
by default, none of the flags are set. This means all the
ticket options will be allowed and no restriction will be
set. See "Ticket Flags" for a list and descriptions of these
flags.
The modify Command
The modify command modifies the attributes of a realm. The
command has the following syntax:
modify \
[-subtrees subtree_dn_list]
[-sscope search_scope]
[-containerref container_reference_dn]
[-r realm]
[-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
The modify command has the following options:
-subtrees subtree_dn_list
See "Common Command-specific Options," above.
-sscope search_scope
See "Common Command-specific Options," above.
-containerref container_reference_dn
See "Common Command-specific Options," above.
-maxtktlife max_ticket_life
See "Common Command-specific Options," above.
-maxrenewlife max_renewable_ticket_life
See "Common Command-specific Options," above.
-r realm
See "Common Command-specific Options," above.
ticket_flags
Specifies the ticket flags. If this option is not specified,
by default, none of the flags are set. This means all the
ticket options will be allowed and no restriction will be
set. See "Ticket Flags" for a list and descriptions of these
flags.
The view Command
The view command displays the attributes of a realm. The
command has the following syntax:
view [-r realm]
The view command has the following option:
-r realm
See "Common Command-specific Options," above.
The destroy Command
The destroy command destroys a realm, including the master
key stash file. The command has the following syntax:
destroy [-f] [-r realm]
The destroy command has the following options:
-f
If specified, destroy does not prompt you for confirmation.
-r realm
See "Common Command-specific Options," above.
The list Command
The list command displays the names of realms. The command
has the following syntax:
list
The list command has no options.
The stashsrvpw Command
The stashsrvpw command enables you to store the password for
a service object in a file so that a KDC and Administration
server can use it to authenticate to the LDAP server. The
command has the following syntax:
stashsrvpw [-f filename] servicedn
The stashsrvpw command has the following option and
argument:
-f filename
Specifies the complete path of the service password file.
The default is:
/var/krb5/service_passwd
servicedn
Specifies the distinguished name (DN) of the service object
whose password is to be stored in the file.
The create_policy Command
The create_policy command creates a ticket policy in a
directory. The command has the following syntax:
create_policy \
[-r realm]
[-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
policy_name
The create_policy command has the following options:
-r realm
See "Common Command-specific Options," above.
-maxtktlife max_ticket_life
See "Common Command-specific Options," above.
-maxrenewlife max_renewable_ticket_life
See "Common Command-specific Options," above.
ticket_flags
Specifies the ticket flags. If this option is not specified,
by default, none of the flags are set. This means all the
ticket options will be allowed and no restriction will be
set. See "Ticket Flags" for a list and descriptions of these
flags.
policy_name
Specifies the name of the ticket policy.
The modify_policy Command
The modify_policy command modifies the attributes of a
ticket policy. The command has the following syntax:
modify_policy \
[-r realm]
[-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
policy_name
The modify_policy command has the same options and argument
as those for the create_policy command.
The view_policy Command
The view_policy command displays the attributes of a ticket
policy. The command has the following syntax:
view_policy [-r realm] policy_name
The view_policy command has the following options:
-r realm
See "Common Command-specific Options," above.
policy_name
Specifies the name of the ticket policy.
The destroy_policy Command
The destroy_policy command destroys an existing ticket
policy. The command has the following syntax:
destroy_policy [-r realm] [-force] policy_name
The destroy_policy command has the following options:
-r realm
See "Common Command-specific Options," above.
-force
Forces the deletion of the policy object. If not specified,
you will be prompted for confirmation before the policy is
deleted. Enter yes to confirm the deletion.
policy_name
Specifies the name of the ticket policy.
The list_policy Command
The list_policy command lists the ticket policies in the
default or a specified realm. The command has the following
syntax:
list_policy [-r realm]
The list_policy command has the following option:
-r realm
See "Common Command-specific Options," above.
TICKET FLAGS
A number of kdb5_ldap_util commands have ticket_flag
options. These flags are described as follows:
{-|+}allow_dup_skey
-allow_dup_skey disables user-to-user authentication for
principals by prohibiting principals from obtaining a
session key for another user. This setting sets the
KRB5_KDB_DISALLOW_DUP_SKEY flag. +allow_dup_skey clears
this flag.
{-|+}allow_forwardable
-allow_forwardable prohibits principals from obtaining
forwardable tickets. This setting sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag. +allow_forwardable
clears this flag.
{-|+}allow_postdated
-allow_postdated prohibits principals from obtaining
postdated tickets. This setting sets the
KRB5_KDB_DISALLOW_POSTDATED flag. +allow_postdated
clears this flag.
{-|+}allow_proxiable
-allow_proxiable prohibits principals from obtaining
proxiable tickets. This setting sets the
KRB5_KDB_DISALLOW_PROXIABLE flag. +allow_proxiable
clears this flag.
{-|+}allow_renewable
-allow_renewable prohibits principals from obtaining
renewable tickets. This setting sets the
KRB5_KDB_DISALLOW_RENEWABLE flag. +allow_renewable
clears this flag.
{-|+}allow_svr
-allow_svr prohibits the issuance of service tickets for
principals. This setting sets the KRB5_KDB_DISALLOW_SVR
flag. +allow_svr clears this flag.
{-|+}allow_tgs_req
-allow_tgs_req specifies that a Ticket-Granting Service
(TGS) request for a service ticket for principals is not
permitted. This option is useless for most purposes.
+allow_tgs_req clears this flag. The default is
+allow_tgs_req. In effect, -allow_tgs_req sets the
KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the
database.
{-|+}allow_tix
-allow_tix forbids the issuance of any tickets for
principals. +allow_tix clears this flag. The default is
+allow_tix. In effect, -allow_tix sets the
KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the
database.
{-|+}needchange
+needchange sets a flag in the attributes field to force
a password change; -needchange clears that flag. The
default is -needchange. In effect, +needchange sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the
database.
{-|+}password_changing_service
+password_changing_service sets a flag in the attributes
field marking a principal as a password-change-service
principal (a designation that is most often not useful).
-password_changing_service clears the flag. That this
flag has a long name is intentional. The default is
-password_changing_service. In effect,
+password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on principals in the
database.
{-|+}requires_hwauth
+requires_hwauth requires principals to preauthenticate
using a hardware device before being allowed to kinit(1).
This setting sets the KRB5_KDB_REQUIRES_HW_AUTH flag.
-requires_hwauth clears this flag.
{-|+}requires_preauth
+requires_preauth requires principals to preauthenticate
before being allowed to kinit(1). This setting sets the
KRB5_KDB_REQUIRES_PRE_AUTH flag. -requires_preauth
clears this flag.
EXAMPLES
Example 1 Using create
The following is an example of the use of the create
command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
Password for "cn=admin,o=org": password entered
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: master key entered
Re-enter KDC database master key to verify: master key re-entered
Example 2 Using modify
The following is an example of the use of the modify
command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
modify +requires_preauth -r ATHENA.MIT.EDU
Password for "cn=admin,o=org": password entered
Example 3 Using view
The following is an example of the use of the view command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
view -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
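The attribute listing that view prints (and that view_policy prints in the same layout in Example 9) is what an administrator would check when auditing realm settings. The following Python is an added example, not code from this man page or from the MIT Kerberos distribution: it parses that listing, converting the "N days HH:MM:SS" lifetimes into seconds and the Ticket flags line into a set, and then compares the result against a baseline. The sample text is constructed from the output of Example 3; the function names, the baseline flag set REQUIRED_FLAGS and the lifetime limits are this example's own assumptions, not settings taken from the page.

```python
"""Parse `kdb5_ldap_util view` / `view_policy` output and audit it.

Added example; not part of the kdb5_ldap_util man page or of MIT
Kerberos. The input format (Key: value lines, durations printed as
'N days HH:MM:SS', flag names without the KRB5_KDB_ prefix) follows
Examples 3 and 9 of the page. The audit baseline below is assumed.
"""
import re

# Constructed sample: the realm attributes printed in Example 3.
SAMPLE_VIEW_OUTPUT = """\
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""

_DURATION = re.compile(r"^(\d+) days (\d{2}):(\d{2}):(\d{2})$")


def parse_duration(text):
    """Convert 'N days HH:MM:SS' (the format view prints) to seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_view_output(text):
    """Return the attributes as a dict.

    Repeated keys (Subtree) become lists, the two lifetimes become
    seconds and 'Ticket flags' becomes a set of names. The LDAP
    password prompt and lines without a ':' are skipped.
    """
    attrs = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("Password for"):
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Subtree":
            attrs.setdefault("Subtree", []).append(value)
        elif key.startswith("Maximum "):
            attrs[key] = parse_duration(value)
        elif key == "Ticket flags":
            attrs[key] = set(value.split())
        else:
            attrs[key] = value
    return attrs


# Assumed audit baseline (this example's choice, not from the page).
REQUIRED_FLAGS = {"REQUIRES_PRE_AUTH"}
MAX_TICKET_LIFE = 10 * 3600       # 10 hours
MAX_RENEWABLE_LIFE = 7 * 86400    # 7 days


def audit(attrs):
    """Return a list of findings where the attributes miss the baseline."""
    findings = []
    for flag in sorted(REQUIRED_FLAGS - attrs.get("Ticket flags", set())):
        findings.append(f"ticket flag {flag} is not set")
    life = attrs.get("Maximum ticket life")
    if life is not None and life > MAX_TICKET_LIFE:
        findings.append(f"maximum ticket life {life}s exceeds {MAX_TICKET_LIFE}s")
    renew = attrs.get("Maximum renewable life")
    if renew is not None and renew > MAX_RENEWABLE_LIFE:
        findings.append(
            f"maximum renewable life {renew}s exceeds {MAX_RENEWABLE_LIFE}s")
    return findings


if __name__ == "__main__":
    parsed = parse_view_output(SAMPLE_VIEW_OUTPUT)
    print(parsed)
    for finding in audit(parsed):
        print("FINDING:", finding)
```

On the Example 3 listing the only finding is that REQUIRES_PRE_AUTH is not set; the one-hour and ten-hour lifetimes are within the assumed limits. In practice the text would come from the command's standard output rather than from the embedded sample.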
Example 4 Using destroy
The following is an example of the use of the destroy
command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
destroy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org": password entered
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...
Example 5 Using list
The following is an example of the use of the list command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
Password for "cn=admin,o=org": password entered
Re-enter Password for "cn=admin,o=org": password re-entered
ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA-LAB.MIT.EDU
Example 6 Using stashsrvpw
The following is an example of the use of the stashsrvpw
command.
# kdb5_ldap_util stashsrvpw -f \
/home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=service-kdc,o=org": password entered
Re-enter password for "cn=service-kdc,o=org": password re-entered
Example 7 Using create_policy
The following is an example of the use of the create_policy
command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
create_policy -r ATHENA.MIT.EDU \
-maxtktlife "1 day" -maxrenewlife "1 week" \
-allow_postdated +needchange -allow_forwardable tktpolicy
Password for "cn=admin,o=org": password entered
Example 8 Using modify_policy
The following is an example of the use of the modify_policy
command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
modify_policy -r ATHENA.MIT.EDU \
-maxtktlife "60 minutes" -maxrenewlife "10 hours" \
+allow_postdated -requires_preauth tktpolicy
Password for "cn=admin,o=org": password entered
Example 9 Using view_policy
The following is an example of the use of the view_policy
command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
view_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org": password entered
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
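The ticket_flags tokens in Examples 7 and 8, and the flags printed by view_policy in Example 9, follow the rules given under TICKET FLAGS: a -allow_x token sets the corresponding KRB5_KDB_DISALLOW_* flag and +allow_x clears it, while +needchange, +requires_preauth, +requires_hwauth and +password_changing_service set a flag and their - forms clear it. The following Python is an added example, not code from this man page or from MIT Kerberos, that models those rules on a set of flag names (the numeric bit values from the KDB headers are not needed for this); the function names apply_ticket_flags and short_names are this example's own. Applying the tokens of Example 7 to an empty policy and then the tokens of Example 8 reproduces exactly the two flags that Example 9 prints, which is a useful sanity check before running modify_policy against a production realm.

```python
"""Model the ticket_flags semantics from the TICKET FLAGS section.

Added example; not part of the kdb5_ldap_util man page or of MIT
Kerberos. Each {-|+}name token sets or clears one KRB5_KDB_* flag; the
mapping below is the one the TICKET FLAGS section describes. Flags are
represented as a set of names rather than as bits.
"""

# Tokens of the form -allow_X set a DISALLOW flag; +allow_X clears it.
_DISALLOW = {
    "allow_dup_skey":    "KRB5_KDB_DISALLOW_DUP_SKEY",
    "allow_forwardable": "KRB5_KDB_DISALLOW_FORWARDABLE",
    "allow_postdated":   "KRB5_KDB_DISALLOW_POSTDATED",
    "allow_proxiable":   "KRB5_KDB_DISALLOW_PROXIABLE",
    "allow_renewable":   "KRB5_KDB_DISALLOW_RENEWABLE",
    "allow_svr":         "KRB5_KDB_DISALLOW_SVR",
    "allow_tgs_req":     "KRB5_KDB_DISALLOW_TGT_BASED",
    "allow_tix":         "KRB5_KDB_DISALLOW_ALL_TIX",
}

# Tokens of the form +name set a REQUIRES/PWCHANGE flag; -name clears it.
_REQUIRE = {
    "needchange":                "KRB5_KDB_REQUIRES_PWCHANGE",
    "password_changing_service": "KRB5_KDB_PWCHANGE_SERVICE",
    "requires_hwauth":           "KRB5_KDB_REQUIRES_HW_AUTH",
    "requires_preauth":          "KRB5_KDB_REQUIRES_PRE_AUTH",
}


def apply_ticket_flags(current, tokens):
    """Return the flag set after applying ticket_flags tokens to `current`.

    `current` is the set of KRB5_KDB_* names already on the realm or
    policy; it is empty for create/create_policy, where the page says no
    flag is set by default. Unknown or malformed tokens raise ValueError
    instead of being silently ignored.
    """
    flags = set(current)
    for tok in tokens:
        if len(tok) < 2 or tok[0] not in "+-":
            raise ValueError(f"malformed ticket flag token: {tok!r}")
        sign, name = tok[0], tok[1:]
        if name in _DISALLOW:
            flag, sign_that_sets = _DISALLOW[name], "-"
        elif name in _REQUIRE:
            flag, sign_that_sets = _REQUIRE[name], "+"
        else:
            raise ValueError(f"unknown ticket flag: {tok!r}")
        if sign == sign_that_sets:
            flags.add(flag)
        else:
            flags.discard(flag)
    return flags


def short_names(flags):
    """Render flags the way view/view_policy print them (prefix dropped),
    sorted so two results can be compared directly."""
    return sorted(f.replace("KRB5_KDB_", "", 1) for f in flags)


if __name__ == "__main__":
    # Example 7: create_policy on a fresh policy
    created = apply_ticket_flags(
        set(), ["-allow_postdated", "+needchange", "-allow_forwardable"])
    print("after create_policy:", short_names(created))
    # Example 8: modify_policy on that same policy
    modified = apply_ticket_flags(
        created, ["+allow_postdated", "-requires_preauth"])
    print("after modify_policy:", short_names(modified))
```

Note that -requires_preauth in Example 8 clears a flag the policy never had, so it is a no-op here; the only change Example 8 makes to the flags is clearing DISALLOW_POSTDATED, leaving DISALLOW_FORWARDABLE and REQUIRES_PWCHANGE as Example 9 shows.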
Example 10 Using destroy_policy
The following is an example of the use of the destroy_policy
command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
destroy_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org": password entered
This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)? yes
** policy object 'tktpolicy' deleted.
Example 11 Using list_policy
The following is an example of the use of the list_policy
command.
# kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
list_policy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org": password entered
tktpolicy
tmppolicy
userpolicy
Example 12 Using setsrvpw
The following is an example of the use of the setsrvpw
command.
# kdb5_ldap_util -D cn=admin,o=org setsrvpw \
-fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
Password for "cn=service-kdc,o=org": password entered
Re-enter password for "cn=service-kdc,o=org": password re-entered
Example 13 Using create_service
The following is an example of the use of the create_service
command.
# kdb5_ldap_util -D cn=admin,o=org create_service \
-kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
File does not exist. Creating the file /home/andrew/conf_keyfile...
Example 14 Using modify_service
The following is an example of the use of the modify_service
command.
# kdb5_ldap_util -D cn=admin,o=org modify_service \
-realm ATHENA.MIT.EDU cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
Changing rights for the service object. Please wait ... done
Example 15 Using view_service
The following is an example of the use of the view_service
command.
# kdb5_ldap_util -D cn=admin,o=org view_service \
cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
Service dn: cn=service-kdc,o=org
Service type: kdc
Service host list:
Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
Example 16 Using destroy_service
The following is an example of the use of the destroy_service
command.
# kdb5_ldap_util -D cn=admin,o=org destroy_service \
cn=service-kdc,o=org
Password for "cn=admin,o=org": password entered
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? yes
** service object 'cn=service-kdc,o=org' deleted.
Example 17 Using list_service
The following is an example of the use of the list_service
command.
# kdb5_ldap_util -D cn=admin,o=org list_service
Password for "cn=admin,o=org": password entered
cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
_____________________________________________________________
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
|_____________________________|_____________________________|
| Availability                | service/security/kerberos-5 |
|_____________________________|_____________________________|
| Interface Stability         | Volatile                    |
|_____________________________|_____________________________|
SEE ALSO
kinit(1), kadmin(1M), kdc.conf(4), attributes(5)