.. _kdb5_ldap_util_synopsis:

[**-D** *user_dn* [**-w** *passwd*]]

.. _kdb5_ldap_util_synopsis_end:

kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.

.. _kdb5_ldap_util_options:

Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.

Specifies the password of *user_dn*. This option is not

Specifies the URI of the LDAP server. It is recommended to use
``ldapi://`` or ``ldaps://`` to connect to the LDAP server.

.. _kdb5_ldap_util_options_end:
.. _kdb5_ldap_util_create:

[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-m|-P** *password*\|\ **-sf** *stashfilename*]
[**-kdcdn** *kdc_service_list*]
[**-admindn** *admin_service_list*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Creates a realm in the directory. Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm. The list contains the DNs of the subtree objects separated

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtree. The possible values are 1 or one (one level), 2 or sub

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be created. If the container reference is not
    configured for a realm, the principals will be created in the

Specifies the key type of the master key in the database; the
default is that given in :ref:`kdc.conf(5)`.

Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.

Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.

Specifies the master database password. This option is not

Specifies the Kerberos realm of the database.

**-sf** *stashfilename*
    Specifies the stash file of the master database password.

Specifies that the stash file is to be created.

**-maxtktlife** *max_ticket_life*
    Specifies the maximum ticket life for principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    Specifies the maximum renewable life of tickets for principals in this

Specifies the ticket flags. If this option is not specified, by
default, none of the flags are set. This means all the ticket
options will be allowed and no restriction will be set.

The various flags are:
{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets. (Sets the **KRB5_KDB_DISALLOW_POSTDATED**
    flag.) **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets. (Sets the
    **KRB5_KDB_DISALLOW_FORWARDABLE** flag.)
    **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets. (Sets the **KRB5_KDB_DISALLOW_RENEWABLE**
    flag.) **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets. (Sets the **KRB5_KDB_DISALLOW_PROXIABLE**
    flag.) **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for
    this principal by prohibiting this principal from obtaining a
    session key for another user. (Sets the
    **KRB5_KDB_DISALLOW_DUP_SKEY** flag.) **+allow_dup_skey**

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to
    preauthenticate before being allowed to kinit. (Sets the
    **KRB5_KDB_REQUIRES_PRE_AUTH** flag.) **-requires_preauth**

{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to
    preauthenticate using a hardware device before being allowed
    to kinit. (Sets the **KRB5_KDB_REQUIRES_HW_AUTH** flag.)
    **-requires_hwauth** clears this flag.

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for
    this principal. (Sets the **KRB5_KDB_DISALLOW_SVR** flag.)
    **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service
    (TGS) request for a service ticket for this principal is not
    permitted. This option is useless for most things.
    **+allow_tgs_req** clears this flag. The default is
    **+allow_tgs_req**. In effect, **-allow_tgs_req** sets the
    **KRB5_KDB_DISALLOW_TGT_BASED** flag on the principal in the

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal. **+allow_tix** clears this flag. The default is
    **+allow_tix**. In effect, **-allow_tix** sets the
    **KRB5_KDB_DISALLOW_ALL_TIX** flag on the principal in the

{-\|+}\ **needchange**
    **+needchange** sets a flag in the attributes field to force a
    password change; **-needchange** clears it. The default is
    **-needchange**. In effect, **+needchange** sets the
    **KRB5_KDB_REQUIRES_PWCHANGE** flag on the principal in the

{-\|+}\ **password_changing_service**
    **+password_changing_service** sets a flag in the attributes
    field marking this as a password change service principal
    (useless for most things). **-password_changing_service**
    clears the flag. This flag intentionally has a long name.
    The default is **-password_changing_service**. In effect,
    **+password_changing_service** sets the
    **KRB5_KDB_PWCHANGE_SERVICE** flag on the principal in the
::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":
    Initializing database for realm 'ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:

.. _kdb5_ldap_util_create_end:
.. _kdb5_ldap_util_modify:

[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-kdcdn** *kdc_service_list* | [**-clearkdcdn** *kdc_service_list*] [**-addkdcdn** *kdc_service_list*]]
[**-admindn** *admin_service_list* | [**-clearadmindn** *admin_service_list*] [**-addadmindn** *admin_service_list*]]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Modifies the attributes of a realm. Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm. The list contains the DNs of the subtree objects separated
    by a colon (``:``). This list replaces the existing list.

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtrees. The possible values are 1 or one (one level), 2 or sub

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be

Specifies the Kerberos realm of the database.

**-maxtktlife** *max_ticket_life*
    Specifies the maximum ticket life for principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    Specifies the maximum renewable life of tickets for principals in this

Specifies the ticket flags. If this option is not specified, by
default, none of the flags are set. This means all the ticket
options will be allowed and no restriction will be set.

The various flags are:
{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets. (Sets the **KRB5_KDB_DISALLOW_POSTDATED**
    flag.) **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets. (Sets the
    **KRB5_KDB_DISALLOW_FORWARDABLE** flag.)
    **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets. (Sets the **KRB5_KDB_DISALLOW_RENEWABLE**
    flag.) **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets. (Sets the **KRB5_KDB_DISALLOW_PROXIABLE**
    flag.) **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for
    this principal by prohibiting this principal from obtaining a
    session key for another user. (Sets the
    **KRB5_KDB_DISALLOW_DUP_SKEY** flag.) **+allow_dup_skey**

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to
    preauthenticate before being allowed to kinit. (Sets the
    **KRB5_KDB_REQUIRES_PRE_AUTH** flag.) **-requires_preauth**

{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to
    preauthenticate using a hardware device before being allowed
    to kinit. (Sets the **KRB5_KDB_REQUIRES_HW_AUTH** flag.)
    **-requires_hwauth** clears this flag.

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for
    this principal. (Sets the **KRB5_KDB_DISALLOW_SVR** flag.)
    **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service
    (TGS) request for a service ticket for this principal is not
    permitted. This option is useless for most things.
    **+allow_tgs_req** clears this flag. The default is
    **+allow_tgs_req**. In effect, **-allow_tgs_req** sets the
    **KRB5_KDB_DISALLOW_TGT_BASED** flag on the principal in the

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal. **+allow_tix** clears this flag. The default is
    **+allow_tix**. In effect, **-allow_tix** sets the
    **KRB5_KDB_DISALLOW_ALL_TIX** flag on the principal in the

{-\|+}\ **needchange**
    **+needchange** sets a flag in the attributes field to force a
    password change; **-needchange** clears it. The default is
    **-needchange**. In effect, **+needchange** sets the
    **KRB5_KDB_REQUIRES_PWCHANGE** flag on the principal in the

{-\|+}\ **password_changing_service**
    **+password_changing_service** sets a flag in the attributes
    field marking this as a password change service principal
    (useless for most things). **-password_changing_service**
    clears the flag. This flag intentionally has a long name.
    The default is **-password_changing_service**. In effect,
    **+password_changing_service** sets the
    **KRB5_KDB_PWCHANGE_SERVICE** flag on the principal in the
::

    shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_modify_end:
.. _kdb5_ldap_util_view:

**view** [**-r** *realm*]

Displays the attributes of a realm. Options:

Specifies the Kerberos realm of the database.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":
    Realm Name: ATHENA.MIT.EDU
    Subtree: ou=users,o=org
    Subtree: ou=servers,o=org
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_end:
.. _kdb5_ldap_util_destroy:

**destroy** [**-f**] [**-r** *realm*]

Destroys an existing realm. Options:

If specified, does not prompt the user for confirmation.

Specifies the Kerberos realm of the database.

::

    shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":
    Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
    (type 'yes' to confirm)? yes
    OK, deleting database of 'ATHENA.MIT.EDU'...

.. _kdb5_ldap_util_destroy_end:
.. _kdb5_ldap_util_list:

Lists the names of realms.

::

    shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_list_end:
.. _kdb5_ldap_util_stashsrvpw:

Allows an administrator to store the password for a service object in a
file so that the KDC and Administration server can use it to authenticate
to the LDAP server. Options:

Specifies the complete path of the service password file. By
default, ``/usr/local/var/service_passwd`` is used.

Specifies the Distinguished Name (DN) of the service object whose
password is to be stored in the file.

::

    kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
    Password for "cn=service-kdc,o=org":
    Re-enter password for "cn=service-kdc,o=org":

.. _kdb5_ldap_util_stashsrvpw_end:
.. _kdb5_ldap_util_create_policy:

[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Creates a ticket policy in the directory. Options:

Specifies the Kerberos realm of the database.

**-maxtktlife** *max_ticket_life*
    Specifies the maximum ticket life for principals.

**-maxrenewlife** *max_renewable_ticket_life*
    Specifies the maximum renewable life of tickets for principals.

Specifies the ticket flags. If this option is not specified, by
default, none of the flags are set. This means all the ticket
options will be allowed and no restriction will be set.

The various flags are:
{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets. (Sets the **KRB5_KDB_DISALLOW_POSTDATED**
    flag.) **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets. (Sets the
    **KRB5_KDB_DISALLOW_FORWARDABLE** flag.)
    **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets. (Sets the **KRB5_KDB_DISALLOW_RENEWABLE**
    flag.) **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets. (Sets the **KRB5_KDB_DISALLOW_PROXIABLE**
    flag.) **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for
    this principal by prohibiting this principal from obtaining a
    session key for another user. (Sets the
    **KRB5_KDB_DISALLOW_DUP_SKEY** flag.) **+allow_dup_skey**

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to
    preauthenticate before being allowed to kinit. (Sets the
    **KRB5_KDB_REQUIRES_PRE_AUTH** flag.) **-requires_preauth**

{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to
    preauthenticate using a hardware device before being allowed
    to kinit. (Sets the **KRB5_KDB_REQUIRES_HW_AUTH** flag.)
    **-requires_hwauth** clears this flag.

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for
    this principal. (Sets the **KRB5_KDB_DISALLOW_SVR** flag.)
    **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service
    (TGS) request for a service ticket for this principal is not
    permitted. This option is useless for most things.
    **+allow_tgs_req** clears this flag. The default is
    **+allow_tgs_req**. In effect, **-allow_tgs_req** sets the
    **KRB5_KDB_DISALLOW_TGT_BASED** flag on the principal in the

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal. **+allow_tix** clears this flag. The default is
    **+allow_tix**. In effect, **-allow_tix** sets the
    **KRB5_KDB_DISALLOW_ALL_TIX** flag on the principal in the

{-\|+}\ **needchange**
    **+needchange** sets a flag in the attributes field to force a
    password change; **-needchange** clears it. The default is
    **-needchange**. In effect, **+needchange** sets the
    **KRB5_KDB_REQUIRES_PWCHANGE** flag on the principal in the

{-\|+}\ **password_changing_service**
    **+password_changing_service** sets a flag in the attributes
    field marking this as a password change service principal
    (useless for most things). **-password_changing_service**
    clears the flag. This flag intentionally has a long name.
    The default is **-password_changing_service**. In effect,
    **+password_changing_service** sets the
    **KRB5_KDB_PWCHANGE_SERVICE** flag on the principal in the
Specifies the name of the ticket policy.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy
    Password for "cn=admin,o=org":

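
The flag lists under **create**, **modify** and **create_policy** all follow one rule: an ``allow_*`` option sets its ``KRB5_KDB_DISALLOW_*`` flag on ``-``, while ``requires_*``, ``needchange`` and ``password_changing_service`` set theirs on ``+``. The following added example (not part of kdb5_ldap_util or the krb5 documentation) encodes that mapping, evaluates a list of ``{-|+}`` options the way the command line would, and parses ``view`` / ``view_policy`` output back into option form so an administrator can compare a realm or policy against the restrictions it is supposed to carry; the sample output is constructed after the ``view`` example shown earlier.

```python
from typing import Dict, List, Set, Tuple

# option -> (flag name minus the KRB5_KDB_ prefix, sign that SETS the flag).
# allow_* options set a DISALLOW_* flag on "-"; the others set theirs on "+".
FLAG_OPTIONS: Dict[str, Tuple[str, str]] = {
    "allow_postdated": ("DISALLOW_POSTDATED", "-"),
    "allow_forwardable": ("DISALLOW_FORWARDABLE", "-"),
    "allow_renewable": ("DISALLOW_RENEWABLE", "-"),
    "allow_proxiable": ("DISALLOW_PROXIABLE", "-"),
    "allow_dup_skey": ("DISALLOW_DUP_SKEY", "-"),
    "requires_preauth": ("REQUIRES_PRE_AUTH", "+"),
    "requires_hwauth": ("REQUIRES_HW_AUTH", "+"),
    "allow_svr": ("DISALLOW_SVR", "-"),
    "allow_tgs_req": ("DISALLOW_TGT_BASED", "-"),
    "allow_tix": ("DISALLOW_ALL_TIX", "-"),
    "needchange": ("REQUIRES_PWCHANGE", "+"),
    "password_changing_service": ("PWCHANGE_SERVICE", "+"),
}
OPTION_FOR_FLAG = {flag: (opt, sign) for opt, (flag, sign) in FLAG_OPTIONS.items()}


def flags_from_options(args: List[str]) -> Set[str]:
    """Flags left set by {-|+}option arguments; a later argument for the same
    option overrides an earlier one, and unknown input is rejected."""
    chosen: Dict[str, str] = {}
    for arg in args:
        sign, name = arg[:1], arg[1:]
        if sign not in ("+", "-") or name not in FLAG_OPTIONS:
            raise ValueError(f"unknown ticket flag option: {arg!r}")
        chosen[name] = sign
    return {FLAG_OPTIONS[n][0] for n, s in chosen.items() if s == FLAG_OPTIONS[n][1]}


def options_for_flags(flags: Set[str]) -> List[str]:
    """The {-|+}option arguments that set exactly these flags, sorted by flag."""
    return [OPTION_FOR_FLAG[f][1] + OPTION_FOR_FLAG[f][0] for f in sorted(flags)]


def parse_view_output(text: str) -> dict:
    """Parse 'view'/'view_policy' output: name, subtrees, lifetimes, ticket flags."""
    info: dict = {"flags": set(), "subtrees": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:  # skips prompts such as 'Password for "...":'
            continue
        if key == "Ticket flags":
            info["flags"] = set(value.split())
        elif key == "Subtree":
            info["subtrees"].append(value)
        else:  # Realm Name, Ticket policy, Maximum ticket/renewable life
            info[key] = value
    return info


# Constructed sample, modelled on the 'view' output shown earlier on this page.
SAMPLE_VIEW = """\
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Maximum ticket life: 0 days 01:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""
```

``options_for_flags(required - parse_view_output(output)["flags"])`` yields the arguments still needed for a ``modify`` or ``modify_policy`` call to reach the intended state.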

.. _kdb5_ldap_util_create_policy_end:
.. _kdb5_ldap_util_modify_policy:

[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Modifies the attributes of a ticket policy. Options are the same as

Specifies the Kerberos realm of the database.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_modify_policy_end:
.. _kdb5_ldap_util_view_policy:

Displays the attributes of a ticket policy. Options:

Specifies the name of the ticket policy.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy
    Password for "cn=admin,o=org":
    Ticket policy: tktpolicy
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_policy_end:
.. _kdb5_ldap_util_destroy_policy:

Destroys an existing ticket policy. Options:

Specifies the Kerberos realm of the database.

Forces the deletion of the policy object. If not specified, the user
will be prompted for confirmation while deleting the policy. Enter yes
to confirm the deletion.

Specifies the name of the ticket policy.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU tktpolicy
    Password for "cn=admin,o=org":
    This will delete the policy object 'tktpolicy', are you sure?
    (type 'yes' to confirm)? yes
    ** policy object 'tktpolicy' deleted.

.. _kdb5_ldap_util_destroy_policy_end:
.. _kdb5_ldap_util_list_policy:

Lists the ticket policies in the specified realm, or in the default

Specifies the Kerberos realm of the database.

::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_list_policy_end: