.. _kdb5_ldap_util_synopsis:

[**-D** *user_dn* [**-w** *passwd*]]

.. _kdb5_ldap_util_synopsis_end:

kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.

.. _kdb5_ldap_util_options:

Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.

Specifies the password of *user_dn*. This option is not

Specifies the URI of the LDAP server. It is recommended to use
``ldapi://`` or ``ldaps://`` to connect to the LDAP server.

.. _kdb5_ldap_util_options_end:
.. _kdb5_ldap_util_create:

[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-m|-P** *password*\|\ **-sf** *stashfilename*]
[**-kdcdn** *kdc_service_list*]
[**-admindn** *admin_service_list*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
Creates a realm in the directory. Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm. The list contains the DNs of the subtree objects separated

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtree. The possible values are 1 or one (one level), 2 or sub

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be created. If the container reference is not
    configured for a realm, the principals will be created in the

Specifies the key type of the master key in the database; the
default is that given in kdc.conf.

Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.

Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.

Specifies the master database password. This option is not

Specifies the Kerberos realm of the database.

**-sf** *stashfilename*
    Specifies the stash file of the master database password.

Specifies that the stash file is to be created.

**-maxtktlife** *max_ticket_life*
    Specifies the maximum ticket life for principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    Specifies the maximum renewable life of tickets for principals in this

Specifies the ticket flags. If this option is not specified, by
default, none of the flags are set. This means all the ticket
options will be allowed and no restriction will be set.
The various flags are:

{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets. (Sets the **KRB5_KDB_DISALLOW_POSTDATED**
    flag.) **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets. (Sets the
    **KRB5_KDB_DISALLOW_FORWARDABLE** flag.)
    **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets. (Sets the **KRB5_KDB_DISALLOW_RENEWABLE**
    flag.) **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets. (Sets the **KRB5_KDB_DISALLOW_PROXIABLE**
    flag.) **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for
    this principal by prohibiting this principal from obtaining a
    session key for another user. (Sets the
    **KRB5_KDB_DISALLOW_DUP_SKEY** flag.) **+allow_dup_skey**

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to
    preauthenticate before being allowed to kinit. (Sets the
    **KRB5_KDB_REQUIRES_PRE_AUTH** flag.) **-requires_preauth**

{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to
    preauthenticate using a hardware device before being allowed
    to kinit. (Sets the **KRB5_KDB_REQUIRES_HW_AUTH** flag.)
    **-requires_hwauth** clears this flag.

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for
    this principal. (Sets the **KRB5_KDB_DISALLOW_SVR** flag.)
    **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service
    (TGS) request for a service ticket for this principal is not
    permitted. This option is useless for most things.
    **+allow_tgs_req** clears this flag. The default is
    **+allow_tgs_req**. In effect, **-allow_tgs_req** sets the
    **KRB5_KDB_DISALLOW_TGT_BASED** flag on the principal in the

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal. **+allow_tix** clears this flag. The default is
    **+allow_tix**. In effect, **-allow_tix** sets the
    **KRB5_KDB_DISALLOW_ALL_TIX** flag on the principal in the

{-\|+}\ **needchange**
    **+needchange** sets a flag in the attributes field to force a
    password change; **-needchange** clears it. The default is
    **-needchange**. In effect, **+needchange** sets the
    **KRB5_KDB_REQUIRES_PWCHANGE** flag on the principal in the

{-\|+}\ **password_changing_service**
    **+password_changing_service** sets a flag in the attributes
    field marking this as a password change service principal
    (useless for most things). **-password_changing_service**
    clears the flag. This flag intentionally has a long name.
    The default is **-password_changing_service**. In effect,
    **+password_changing_service** sets the
    **KRB5_KDB_PWCHANGE_SERVICE** flag on the principal in the
Command options specific to eDirectory:

.. _kdb5_ldap_util_create_edir:

**-kdcdn** *kdc_service_list*
    Specifies the list of KDC service objects serving the realm. The
    list contains the DNs of the KDC service objects separated by

**-admindn** *admin_service_list*
    Specifies the list of Administration service objects serving the
    realm. The list contains the DNs of the Administration service
    objects separated by a colon (``:``).

.. _kdb5_ldap_util_create_edir_end:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
.. _kdb5_ldap_util_create_end:

.. _kdb5_ldap_util_modify:

[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-kdcdn** *kdc_service_list* | [**-clearkdcdn** *kdc_service_list*] [**-addkdcdn** *kdc_service_list*]]
[**-admindn** *admin_service_list* | [**-clearadmindn** *admin_service_list*] [**-addadmindn** *admin_service_list*]]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
Modifies the attributes of a realm. Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm. The list contains the DNs of the subtree objects separated
    by a colon (``:``). This list replaces the existing list.

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtrees. The possible values are 1 or one (one level), 2 or sub

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be

Specifies the Kerberos realm of the database.

**-maxtktlife** *max_ticket_life*
    Specifies the maximum ticket life for principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    Specifies the maximum renewable life of tickets for principals in this

Specifies the ticket flags. If this option is not specified, by
default, none of the flags are set. This means all the ticket
options will be allowed and no restriction will be set.
The various flags are:

{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets. (Sets the **KRB5_KDB_DISALLOW_POSTDATED**
    flag.) **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets. (Sets the
    **KRB5_KDB_DISALLOW_FORWARDABLE** flag.)
    **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets. (Sets the **KRB5_KDB_DISALLOW_RENEWABLE**
    flag.) **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets. (Sets the **KRB5_KDB_DISALLOW_PROXIABLE**
    flag.) **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for
    this principal by prohibiting this principal from obtaining a
    session key for another user. (Sets the
    **KRB5_KDB_DISALLOW_DUP_SKEY** flag.) **+allow_dup_skey**

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to
    preauthenticate before being allowed to kinit. (Sets the
    **KRB5_KDB_REQUIRES_PRE_AUTH** flag.) **-requires_preauth**

{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to
    preauthenticate using a hardware device before being allowed
    to kinit. (Sets the **KRB5_KDB_REQUIRES_HW_AUTH** flag.)
    **-requires_hwauth** clears this flag.

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for
    this principal. (Sets the **KRB5_KDB_DISALLOW_SVR** flag.)
    **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service
    (TGS) request for a service ticket for this principal is not
    permitted. This option is useless for most things.
    **+allow_tgs_req** clears this flag. The default is
    **+allow_tgs_req**. In effect, **-allow_tgs_req** sets the
    **KRB5_KDB_DISALLOW_TGT_BASED** flag on the principal in the

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal. **+allow_tix** clears this flag. The default is
    **+allow_tix**. In effect, **-allow_tix** sets the
    **KRB5_KDB_DISALLOW_ALL_TIX** flag on the principal in the

{-\|+}\ **needchange**
    **+needchange** sets a flag in the attributes field to force a
    password change; **-needchange** clears it. The default is
    **-needchange**. In effect, **+needchange** sets the
    **KRB5_KDB_REQUIRES_PWCHANGE** flag on the principal in the

{-\|+}\ **password_changing_service**
    **+password_changing_service** sets a flag in the attributes
    field marking this as a password change service principal
    (useless for most things). **-password_changing_service**
    clears the flag. This flag intentionally has a long name.
    The default is **-password_changing_service**. In effect,
    **+password_changing_service** sets the
    **KRB5_KDB_PWCHANGE_SERVICE** flag on the principal in the
Command options specific to eDirectory:

.. _kdb5_ldap_util_modify_edir:

**-kdcdn** *kdc_service_list*
    Specifies the list of KDC service objects serving the realm. The
    list contains the DNs of the KDC service objects separated by a
    colon (``:``). This list replaces the existing list.

**-clearkdcdn** *kdc_service_list*
    Specifies the list of KDC service objects that need to be removed
    from the existing list. The list contains the DNs of the KDC
    service objects separated by a colon (``:``).

**-addkdcdn** *kdc_service_list*
    Specifies the list of KDC service objects that need to be added to
    the existing list. The list contains the DNs of the KDC service
    objects separated by a colon (``:``).

**-admindn** *admin_service_list*
    Specifies the list of Administration service objects serving the
    realm. The list contains the DNs of the Administration service
    objects separated by a colon (``:``). This list replaces the

**-clearadmindn** *admin_service_list*
    Specifies the list of Administration service objects that need to
    be removed from the existing list. The list contains the DNs of
    the Administration service objects separated by a colon (``:``).

**-addadmindn** *admin_service_list*
    Specifies the list of Administration service objects that need to
    be added to the existing list. The list contains the DNs of the
    Administration service objects separated by a colon (``:``).

.. _kdb5_ldap_util_modify_edir_end:
shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":

.. _kdb5_ldap_util_modify_end:
.. _kdb5_ldap_util_view:

**view** [**-r** *realm*]

Displays the attributes of a realm. Options:

Specifies the Kerberos realm of the database.

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
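An added audit helper, not part of the kdb5_ldap_util documentation or the krb5 sources, that parses the ``view`` output shown above to report which of the ticket flags described under ``create`` a realm actually enforces and whether its maximum ticket life is within bounds. The realm outputs it reads are constructed samples, and the baseline it checks (preauthentication required, postdated tickets disallowed, ticket life at most one day) is an assumption made for the example:

```shell
#!/bin/sh
# Added example, not part of the kdb5_ldap_util documentation: audit the
# "Ticket flags" and "Maximum ticket life" lines that "view -r REALM" prints.
# The realm outputs below are constructed sample data; the thresholds in
# audit_realm are an assumption made for this example.

# Constructed sample: the realm output shown in the documentation above.
SAMPLE_VIEW='Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE'

# Constructed sample: a realm created with +requires_preauth -allow_postdated.
HARDENED_VIEW='Realm Name: EXAMPLE.TEST
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Ticket flags: DISALLOW_POSTDATED REQUIRES_PRE_AUTH'

# flags_of VIEW_OUTPUT -> the space-separated flag words of the
# "Ticket flags:" line (empty when no flag is set).
flags_of() {
    printf '%s\n' "$1" | sed -n 's/^Ticket flags: *//p'
}

# has_flag VIEW_OUTPUT FLAG -> exit 0 if FLAG appears in the flag list.
# FLAG is spelled as "view" prints it, i.e. without the KRB5_KDB_ prefix
# used in the option descriptions (REQUIRES_PRE_AUTH, DISALLOW_POSTDATED, ...).
has_flag() {
    case " $(flags_of "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# max_life_seconds VIEW_OUTPUT -> "Maximum ticket life: N days HH:MM:SS"
# converted to seconds so it can be compared against a threshold.
max_life_seconds() {
    printf '%s\n' "$1" | sed -n 's/^Maximum ticket life: *//p' |
        awk '{ split($3, t, ":"); print $1 * 86400 + t[1] * 3600 + t[2] * 60 + t[3] }'
}

# audit_realm VIEW_OUTPUT -> prints one finding per line and exits 1 if the
# realm falls short of the (assumed) baseline: preauthentication required,
# postdated tickets disallowed, maximum ticket life no longer than one day.
audit_realm() {
    _view="$1"; _rc=0
    has_flag "$_view" REQUIRES_PRE_AUTH ||
        { echo "REQUIRES_PRE_AUTH not set: modify +requires_preauth"; _rc=1; }
    has_flag "$_view" DISALLOW_POSTDATED ||
        { echo "DISALLOW_POSTDATED not set: modify -allow_postdated"; _rc=1; }
    _life=$(max_life_seconds "$_view")
    if [ -z "$_life" ] || [ "$_life" -gt 86400 ]; then
        echo "maximum ticket life ${_life:-unknown}s exceeds 86400s"; _rc=1
    fi
    return $_rc
}

# Report on the documented sample realm when the script is run directly.
audit_realm "$SAMPLE_VIEW" || echo "realm ATHENA.MIT.EDU needs hardening"
```

The same parser applies unchanged to ``view_policy`` output, which prints the same ``Maximum ticket life`` and ``Ticket flags`` lines for a ticket policy.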
.. _kdb5_ldap_util_view_end:
.. _kdb5_ldap_util_destroy:

**destroy** [**-f**] [**-r** *realm*]

Destroys an existing realm. Options:

If specified, does not prompt the user for confirmation.

Specifies the Kerberos realm of the database.

shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...

.. _kdb5_ldap_util_destroy_end:
.. _kdb5_ldap_util_list:

Lists the names of the realms.

shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
Password for "cn=admin,o=org":

.. _kdb5_ldap_util_list_end:
.. _kdb5_ldap_util_stashsrvpw:

Allows an administrator to store the password for a service object in a
file so that the KDC and Administration server can use it to authenticate
to the LDAP server. Options:

Specifies the complete path of the service password file. By
default, ``/usr/local/var/service_passwd`` is used.

Specifies the Distinguished Name (DN) of the service object whose
password is to be stored in the file.

kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=service-kdc,o=org":
Re-enter password for "cn=service-kdc,o=org":

.. _kdb5_ldap_util_stashsrvpw_end:
.. _kdb5_ldap_util_create_policy:

[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Creates a ticket policy in the directory. Options:

Specifies the Kerberos realm of the database.

**-maxtktlife** *max_ticket_life*
    Specifies the maximum ticket life for principals.

**-maxrenewlife** *max_renewable_ticket_life*
    Specifies the maximum renewable life of tickets for principals.

Specifies the ticket flags. If this option is not specified, by
default, none of the flags are set. This means all the ticket
options will be allowed and no restriction will be set.
The various flags are:

{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets. (Sets the **KRB5_KDB_DISALLOW_POSTDATED**
    flag.) **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets. (Sets the
    **KRB5_KDB_DISALLOW_FORWARDABLE** flag.)
    **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets. (Sets the **KRB5_KDB_DISALLOW_RENEWABLE**
    flag.) **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets. (Sets the **KRB5_KDB_DISALLOW_PROXIABLE**
    flag.) **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for
    this principal by prohibiting this principal from obtaining a
    session key for another user. (Sets the
    **KRB5_KDB_DISALLOW_DUP_SKEY** flag.) **+allow_dup_skey**

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to
    preauthenticate before being allowed to kinit. (Sets the
    **KRB5_KDB_REQUIRES_PRE_AUTH** flag.) **-requires_preauth**

{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to
    preauthenticate using a hardware device before being allowed
    to kinit. (Sets the **KRB5_KDB_REQUIRES_HW_AUTH** flag.)
    **-requires_hwauth** clears this flag.

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for
    this principal. (Sets the **KRB5_KDB_DISALLOW_SVR** flag.)
    **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service
    (TGS) request for a service ticket for this principal is not
    permitted. This option is useless for most things.
    **+allow_tgs_req** clears this flag. The default is
    **+allow_tgs_req**. In effect, **-allow_tgs_req** sets the
    **KRB5_KDB_DISALLOW_TGT_BASED** flag on the principal in the

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal. **+allow_tix** clears this flag. The default is
    **+allow_tix**. In effect, **-allow_tix** sets the
    **KRB5_KDB_DISALLOW_ALL_TIX** flag on the principal in the

{-\|+}\ **needchange**
    **+needchange** sets a flag in the attributes field to force a
    password change; **-needchange** clears it. The default is
    **-needchange**. In effect, **+needchange** sets the
    **KRB5_KDB_REQUIRES_PWCHANGE** flag on the principal in the

{-\|+}\ **password_changing_service**
    **+password_changing_service** sets a flag in the attributes
    field marking this as a password change service principal
    (useless for most things). **-password_changing_service**
    clears the flag. This flag intentionally has a long name.
    The default is **-password_changing_service**. In effect,
    **+password_changing_service** sets the
    **KRB5_KDB_PWCHANGE_SERVICE** flag on the principal in the
Specifies the name of the ticket policy.

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy
Password for "cn=admin,o=org":

.. _kdb5_ldap_util_create_policy_end:
.. _kdb5_ldap_util_modify_policy:

[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]

Modifies the attributes of a ticket policy. Options are the same as

Specifies the Kerberos realm of the database.

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy
Password for "cn=admin,o=org":

.. _kdb5_ldap_util_modify_policy_end:
.. _kdb5_ldap_util_view_policy:

Displays the attributes of a ticket policy. Options:

Specifies the name of the ticket policy.

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_policy_end:
.. _kdb5_ldap_util_destroy_policy:

Destroys an existing ticket policy. Options:

Specifies the Kerberos realm of the database.

Forces the deletion of the policy object. If not specified, the user
will be prompted for confirmation while deleting the policy. Enter yes
to confirm the deletion.

Specifies the name of the ticket policy.

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)? yes
** policy object 'tktpolicy' deleted.

.. _kdb5_ldap_util_destroy_policy_end:
.. _kdb5_ldap_util_list_policy:

Lists the ticket policies in the realm if specified or in the default

Specifies the Kerberos realm of the database.

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":

.. _kdb5_ldap_util_list_policy_end:
Commands specific to eDirectory
-------------------------------

.. _kdb5_ldap_util_setsrvpw:

[**-randpw\|-fileonly**]

Allows an administrator to set the password for service objects such as
the KDC and Administration server in eDirectory and store it in a file.
The **-fileonly** option stores the password in a file and not in the
eDirectory object. Options:

Generates and sets a random password. This option can be
specified to store the password both in eDirectory and in a file.
The **-fileonly** option cannot be used if the **-randpw** option is

Stores the password only in a file and not in eDirectory. The
**-randpw** option cannot be used when the **-fileonly** option is

Specifies the complete path of the service password file. By default,
``/usr/local/var/service_passwd`` is used.

Specifies the Distinguished Name (DN) of the service object whose
password is to be set.

kdb5_ldap_util -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org":
Password for "cn=service-kdc,o=org":
Re-enter password for "cn=service-kdc,o=org":

.. _kdb5_ldap_util_setsrvpw_end:
.. _kdb5_ldap_util_create_service:

{**-kdc**\|\ **-admin**\|\ **-pwd**}
[**-servicehost** *service_host_list*]
[**-realm** *realm_list*]
[**-randpw**\|\ **-fileonly**]

Creates a service in the directory and assigns appropriate rights. Options:

Specifies that the service is a KDC service.

Specifies that the service is an Administration service.

Specifies that the service is a Password service.

**-servicehost** *service_host_list*
    Specifies the list of entries separated by a colon (``:``). Each
    entry consists of the hostname or IP address of the server hosting
    the service, the transport protocol, and the port number of the
    service, separated by a pound sign (``#``). For example,
    ``server1#tcp#88:server2#udp#89``.

**-realm** *realm_list*
    Specifies the list of realms that are to be associated with this
    service. The list contains the names of the realms separated by a

Generates and sets a random password. This option is used to set
a random password for the service object in the directory and also
to store it in the file. The **-fileonly** option cannot be used
if the **-randpw** option is specified.

Stores the password only in a file and not in eDirectory. The
**-randpw** option cannot be used when the **-fileonly** option is

Specifies the complete path of the file where the service object

Specifies the Distinguished Name (DN) of the Kerberos service to be

shell% kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org":
File does not exist. Creating the file /home/andrew/conf_keyfile...
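Added pre-flight checks for a ``create_service`` (or ``modify_service``) invocation; this is example code written for this page, not part of the kdb5_ldap_util documentation or the krb5 sources. It validates the ``-servicehost`` entry format described above (``host#proto#port`` entries joined by ``:``), rejects the ``-randpw``/``-fileonly`` combination the text rules out, and enforces the options section's recommendation to reach the LDAP server over ``ldapi://`` or ``ldaps://``. All input values are constructed:

```shell
#!/bin/sh
# Added example, not part of the kdb5_ldap_util documentation: pre-flight
# checks for create_service / modify_service arguments.  Inputs are
# constructed; the checks only encode rules stated in the documentation.

# check_entry ENTRY -> exit 0 if ENTRY is exactly host#proto#port with a
# non-empty host, proto tcp or udp, and a port in 1..65535.
check_entry() {
    _e="$1"
    _host=${_e%%#*}          # text before the first '#'
    _rest=${_e#*#}           # text after the first '#'
    _proto=${_rest%%#*}      # text before the second '#'
    _port=${_rest#*#}        # text after the second '#'
    # Require exactly two '#': both strips must change the string and the
    # remainder must not contain a third one.
    [ "$_rest" != "$_e" ] && [ "$_port" != "$_rest" ] || return 1
    case "$_port" in *'#'*) return 1 ;; esac
    [ -n "$_host" ] || return 1
    case "$_proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$_port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ]
}

# check_servicehost LIST -> exit 0 if LIST is non-empty and every
# colon-separated entry passes check_entry; names the first bad entry.
check_servicehost() {
    [ -n "$1" ] || { echo "empty -servicehost list" >&2; return 1; }
    (
        IFS=':'
        set -f               # no pathname expansion on the unquoted $1
        for _entry in $1; do
            check_entry "$_entry" ||
                { echo "bad -servicehost entry: $_entry" >&2; exit 1; }
        done
    )
}

# check_pw_options RANDPW FILEONLY (each "yes" or "no") -> exit 1 when both
# are requested, the combination the documentation rules out.
check_pw_options() {
    if [ "$1" = yes ] && [ "$2" = yes ]; then
        echo "-randpw and -fileonly cannot be combined" >&2
        return 1
    fi
    return 0
}

# check_server_uri URI -> exit 0 only for ldapi:// or ldaps://.  Over a
# plain ldap:// URI the -D simple-bind password travels in the clear
# unless the connection is otherwise protected.
check_server_uri() {
    case "$1" in
        ldapi://*|ldaps://*) return 0 ;;
        *) echo "-H should use ldapi:// or ldaps://, got: $1" >&2; return 1 ;;
    esac
}

# Run the checks against the documented example values when run directly.
check_server_uri 'ldaps://ldap-server1.mit.edu' &&
    check_servicehost 'server1#tcp#88:server2#udp#89' &&
    check_pw_options yes no &&
    echo "create_service arguments look sane"
```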
.. _kdb5_ldap_util_create_service_end:

.. _kdb5_ldap_util_modify_service:

[**-servicehost** *service_host_list* |
[**-clearservicehost** *service_host_list*]
[**-addservicehost** *service_host_list*]]
[**-realm** *realm_list* |
[**-clearrealm** *realm_list*]
[**-addrealm** *realm_list*]]

Modifies the attributes of a service and assigns appropriate

**-servicehost** *service_host_list*
    Specifies the list of entries separated by a colon (``:``). Each
    entry consists of the hostname or IP address of the server hosting
    the service, the transport protocol, and the port number of the
    service, separated by a pound sign (``#``). For example,
    ``server1#tcp#88:server2#udp#89``.

**-clearservicehost** *service_host_list*
    Specifies the list of servicehost entries to be removed from the
    existing list, separated by a colon (``:``). Each entry consists of
    the hostname or IP address of the server hosting the service, the
    transport protocol, and the port number of the service, separated by a

**-addservicehost** *service_host_list*
    Specifies the list of servicehost entries to be added to the
    existing list, separated by a colon (``:``). Each entry consists of
    the hostname or IP address of the server hosting the service, the
    transport protocol, and the port number of the service, separated by a

**-realm** *realm_list*
    Specifies the list of realms that are to be associated with this
    service. The list contains the names of the realms separated by a
    colon (``:``). This list replaces the existing list.

**-clearrealm** *realm_list*
    Specifies the list of realms to be removed from the existing list.
    The list contains the names of the realms separated by a colon

**-addrealm** *realm_list*
    Specifies the list of realms to be added to the existing list.
    The list contains the names of the realms separated by a colon

Specifies the Distinguished Name (DN) of the Kerberos service to be

shell% kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org
Password for "cn=admin,o=org":
Changing rights for the service object. Please wait ... done

.. _kdb5_ldap_util_modify_service_end:
.. _kdb5_ldap_util_view_service:

**view_service** *service_dn*

Displays the attributes of a service. Options:

Specifies the Distinguished Name (DN) of the Kerberos service to be

shell% kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org
Password for "cn=admin,o=org":
Service dn: cn=service-kdc,o=org
Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security

.. _kdb5_ldap_util_view_service_end:
.. _kdb5_ldap_util_destroy_service:

[**-f** *stashfilename*]

Destroys an existing service. Options:

If specified, does not prompt the user for confirmation and instead
forces destruction of the service.

**-f** *stashfilename*
    Specifies the complete path of the service password file from
    which the entry corresponding to the service_dn needs to be

Specifies the Distinguished Name (DN) of the Kerberos service to be

shell% kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org
Password for "cn=admin,o=org":
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? yes
** service object 'cn=service-kdc,o=org' deleted.

.. _kdb5_ldap_util_destroy_service_end:
.. _kdb5_ldap_util_list_service:

**list_service** [**-basedn** *base_dn*]

Lists the names of the services under a given base in the directory. Options:

**-basedn** *base_dn*
    Specifies the base DN for searching the service objects, limiting
    the search to a particular subtree. If this option is not
    provided, the LDAP server's default search base will be used. For
    example, in the case of OpenLDAP, the value of ``defaultsearchbase``
    from the slapd.conf file will be used, whereas in the case of
    eDirectory, the default value for the base DN is Root.

shell% kdb5_ldap_util -D cn=admin,o=org list_service
Password for "cn=admin,o=org":

.. _kdb5_ldap_util_list_service_end: