.. _kdb5_ldap_util_options:
**-D** *user_dn*
- Specifies the Distinguished name (DN) of the user who has sufficient rights to perform the operation on the LDAP server.
+ Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server.
**-w** *passwd*
Specifies the password of *user_dn*. This option is not recommended.
Command options specific to eDirectory
+.. _kdb5_ldap_util_create_edir:
+
**-kdcdn** *kdc_service_list*
Specifies the list of KDC service objects serving the realm.
The list contains the DNs of the KDC service objects separated by colon(\:).
Specifies the list of Administration service objects serving the realm.
The list contains the DNs of the Administration service objects separated by colon(\:).
+.. _kdb5_ldap_util_create_edir_end:
+
EXAMPLE::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
Command options specific to eDirectory
+.. _kdb5_ldap_util_modify_edir:
+
**-kdcdn** *kdc_service_list*
Specifies the list of KDC service objects serving the realm.
The list contains the DNs of the KDC service objects separated by a colon (\:).
Specifies the list of Administration service objects that need to be added to the existing list.
The list contains the DNs of the Administration service objects separated by a colon (:).
+.. _kdb5_ldap_util_modify_edir_end:
+
EXAMPLE::
shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth -r ATHENA.MIT.EDU
Specifies the complete path of the service password file. By default, */usr/local/var/service_passwd* is used.
*servicedn*
- Specifies Distinguished name (DN) of the service object whose password is to be stored in file.
+ Specifies Distinguished Name (DN) of the service object whose password is to be stored in file.
EXAMPLE::
**-r** *realm*
Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+EXAMPLE::
+
+ kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU
+ Password for "cn=admin,o=org":
+ tktpolicy
+ tmppolicy
+ userpolicy
+
+.. _kdb5_ldap_util_list_policy_end:
+
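Review bot: the list_policy example added here (`+ kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU`) omits the `shell%` prompt and the closing `shell%` line that this same change adds to the service examples (`+ shell% kdb5_ldap_util -D cn=admin,o=org create_service ...` followed by `+ shell%`); give it the same prompt so every `EXAMPLE::` block in the man page renders the same way. Moving this example out of the setsrvpw section and re-adding `.. _kdb5_ldap_util_list_policy_end:` after it is what the include ranges need.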
- Commands Specific to eDirectory
+Commands specific to eDirectory
+--------------------------------
+
+setsrvpw
+~~~~~~~~~~~~~~~~~~
+.. _kdb5_ldap_util_setsrvpw:
**setsrvpw**
- [**-randpw\|-fileonly**]
- [**-f** *filename*]
- *service_dn*
+ [**-randpw\|-fileonly**]
+ [**-f** *filename*]
+ *service_dn*
Allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in a file.
The *-fileonly* option stores the password in a file and not in the eDirectory object. Options:
Specifies complete path of the service password file. By default, */usr/local/var/service_passwd* is used.
*service_dn*
- Specifies Distinguished name (DN) of the service object whose password is to be set.
-
-EXAMPLES::
+ Specifies Distinguished Name (DN) of the service object whose password is to be set.
- kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU
- Password for "cn=admin,o=org":
- tktpolicy
- tmppolicy
- userpolicy
+EXAMPLE::
kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org":
Password for "cn=service-kdc,o=org":
Re-enter password for "cn=service-kdc,o=org":
-.. _kdb5_ldap_util_list_policy_end:
+.. _kdb5_ldap_util_setsrvpw_end:
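Review bot: the example that this hunk relabels as `EXAMPLE::` still reads `kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org`, naming the subcommand twice; drop the first `setsrvpw` so the command line is `kdb5_ldap_util -D cn=admin,o=org setsrvpw -fileonly ...`, and add the `shell%` prompt used by the other examples in this change. Replacing the misplaced `.. _kdb5_ldap_util_list_policy_end:` with `.. _kdb5_ldap_util_setsrvpw_end:` is correct, since the setsrvpw include in edir_create_so.rst ends on that marker.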
create_service
~~~~~~~~~~~~~~~~~~~
.. _kdb5_ldap_util_create_service:
**create_service**
- {**-kdc\|-admin**}
+ {**-kdc\|-admin\|-pwd**}
[**-servicehost** *service_host_list*]
[**-realm** *realm_list*]
[**-randpw\|-fileonly**]
**-admin**
Specifies the service is a Administration service
+ **-pwd**
+ Specifies the Password service
+
**-servicehost** *service_host_list*
Specifies the list of entries separated by a colon (\:).
Each entry consists of the hostname or IP address of the server hosting the service,
Specifies the complete path of the file where the service object password is stashed.
*service_dn*
- Specifies Distinguished name (DN) of the Kerberos service to be created.
+ Specifies Distinguished Name (DN) of the Kerberos service to be created.
EXAMPLE::
- kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
+ shell% kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org":
File does not exist. Creating the file /home/andrew/conf_keyfile...
+ shell%
.. _kdb5_ldap_util_create_service_end:
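Review bot: the context line `Specifies the service is a Administration service` should read `an Administration service`, and the new `-pwd` entry (`Specifies the Password service`) would be clearer in the same form as its neighbours (`Specifies the service is a Password service`); since this hunk already edits the option list to add `-pwd`, fix the article at the same time. The `-f` entry visible here (`Specifies the complete path of the file where the service object password is stashed.`) gives no default, whereas the setsrvpw `-f` entry above states `/usr/local/var/service_passwd`; state it here too.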
The list contains the name of the realms separated by a colon (\:).
*service_dn*
- Specifies Distinguished name (DN) of the Kerberos service to be modified.
+ Specifies Distinguished Name (DN) of the Kerberos service to be modified.
EXAMPLE::
- kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org
+ shell% kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org
Password for "cn=admin,o=org":
Changing rights for the service object. Please wait ... done
+ shell%
.. _kdb5_ldap_util_modify_service_end:
Displays the attributes of a service. Options:
*service_dn*
- Specifies Distinguished name (DN) of the Kerberos service to be viewed.
+ Specifies Distinguished Name (DN) of the Kerberos service to be viewed.
EXAMPLE::
- kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org
+ shell% kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org
Password for "cn=admin,o=org":
Service dn: cn=service-kdc,o=org
Service type: kdc
Service host list:
Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
+ shell%
.. _kdb5_ldap_util_view_service_end:
to the service_dn needs to be removed.
*service_dn*
- Specifies Distinguished name (DN) of the Kerberos service to be destroyed.
+ Specifies Distinguished Name (DN) of the Kerberos service to be destroyed.
EXAMPLE::
- kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org
+ shell% kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org
Password for "cn=admin,o=org":
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? yes
** service object 'cn=service-kdc,o=org' deleted.
+ shell%
.. _kdb5_ldap_util_destroy_service_end:
EXAMPLE::
- kdb5_ldap_util -D cn=admin,o=org list_service
+ shell% kdb5_ldap_util -D cn=admin,o=org list_service
Password for "cn=admin,o=org":
cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org
+ shell%
.. _kdb5_ldap_util_list_service_end:
The following are the eDirectory specific options
-==================================== ==============================================
--kdcdn *kdc_servce_list* Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC service objects separated by colon(:).
--admindn *admin_service_list* Specifies the list of Administration service objects serving the realm. The list contains the DNs of the Administration service objects separated by colon(:).
-==================================== ==============================================
-
-|
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_create_edir:
+ :end-before: _kdb5_ldap_util_create_edir_end:
+
-For example::
+EXAMPLE::
shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create -sscope 2
-subtree ou=users,dc=example,dc=com -kdcdn cn=krbkdc,dc=example,dc=com -admindn cn=krbadmin,dc=example,dc=com -r ATHENA.MIT.EDU
-
-
Password for "cn=admin,dc=example,dc=com":
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
shell%
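Review bot: the example retained here invokes `create -sscope 2 -subtree ou=users,dc=example,dc=com ...`, while the man-page example in the same change uses `create -subtrees o=org -sscope SUB`; confirm which option spelling kdb5_ldap_util accepts and make the two examples agree. Dropping the two blank lines between the command and `Password for "cn=admin,dc=example,dc=com":` matches the other examples, and replacing the hand-written options table with the `_kdb5_ldap_util_create_edir:` / `_kdb5_ldap_util_create_edir_end:` include keeps the guide and man page from drifting apart.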
+.. _edir_mod_realm_label:
+
+
+eDir: Modifying a Kerberos realm
+=================================
+
+See :ref:`ldap_mod_realm_label`
+
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_modify_edir:
+ :end-before: _kdb5_ldap_util_modify_edir_end:
+
------------
eDir: Creating a Service Object
========================================
-To create a service object in directory and assign appropriate rights on the container holding kerberos data, use the following command::
+To create a service object in eDirectory and assign appropriate rights on the container holding kerberos data, use the :ref:`kdb5_ldap_util(8)` **create_service** command.
- create_service -kdc|-admin|-pwd [-servicehost service_host_list] [-realm realm_list] [-randpw|
- -fileonly] [-filename] service_dn
-
-Options are as follows
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_create_service:
+ :end-before: _kdb5_ldap_util_create_service_end:
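Review bot: `on the container holding kerberos data` should be `Kerberos data` in the rewritten sentence (`+To create a service object in eDirectory and assign appropriate rights ...`). No blank line is visible between that sentence and the `+.. include::` that follows; docutils only recognises the directive when a blank line separates it from the preceding paragraph, so check one is present as it is in the later `eDir:` sections.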
-================================================== ============================================
--kdc Specifies the KDC service
--admin Specifies the Administration service
--pwd Specifies the Password service
--servicehost *service_host_list* Specifies the list of entries separated by a colon (:). Each entry consists of the hostname or IP address of the server hosting the service, transport protocol and the port number of the service separated by a pound sign (#). For example *server1#tcp#88:server2#udp#89*.
--realm *realm_list* Specifies the list of realms that are to be associated with this service. The list contains the name of the realms separated by a colon (:).
--randpw Generates and sets a random password. This option is used to set the random password for the service object in directory and also to store it in the file. *-fileonly* option cannot be used with *-randpw* option.
--fileonly Stores the password only in a file and not in directory. The *-randpw* option can not be used when *-fileonly* option is specified.
--f *filename* Specifies the complete path of the file where the service object password is stashed. If this option is not specified, the default file will be */usr/local/var/service_passwd*
-service_dn Specifies the Distinguished Name (DN) of the Kerberos service to be created.
-================================================== ============================================
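Review bot: the table removed here carried three details that the option descriptions visible in the included create_service section do not show: that `-randpw` and `-fileonly` cannot be combined (`-fileonly option cannot be used with -randpw option`), the `server1#tcp#88:server2#udp#89` format for `-servicehost`, and the `/usr/local/var/service_passwd` default for `-f`. Verify that the `_kdb5_ldap_util_create_service:` range in kdb5_ldap_util.rst states all three before dropping the table, otherwise the admin guide loses them.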
-For example::
+eDir: Modifying a Service Object
+=================================
- shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu
- create_service -kdc -randpw -f /home/andrew/service_passwd cn=service-kdc,dc=example,dc=com
+To modify the attributes of a service and assign appropriate rights, if realm associations are changed, use the :ref:`kdb5_ldap_util(8)` **modify_service** command.
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_modify_service:
+ :end-before: _kdb5_ldap_util_modify_service_end:
- Password for "cn=admin,dc=example,dc=com":
- File does not exist. Creating the file /home/andrew/service_passwd...
- shell%
-
+eDir: Retrieving Service Object Information
+==============================================================
+
+To display the attributes of a service, use the :ref:`kdb5_ldap_util(8)` **view_service** command.
+
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_view_service:
+ :end-before: _kdb5_ldap_util_view_service_end:
+
+
+eDir: Destroying a Service Object
+===================================
+
+
+The :ref:`kdb5_ldap_util(8)` **destroy_service** command is used to destroy an existing service.
+
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_destroy_service:
+ :end-before: _kdb5_ldap_util_destroy_service_end:
+
+
+eDir: Listing Available Service Objects
+===========================================
+
+The :ref:`kdb5_ldap_util(8)` **list_service** command lists the name of services under a given base in eDirectory.
+
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_list_service:
+ :end-before: _kdb5_ldap_util_list_service_end:
+
+
+eDir: Passwords for Service Objects
+============================================
+
+The command :ref:`kdb5_ldap_util(8)` **setsrvpw** allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in a file.
+
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_setsrvpw:
+ :end-before: _kdb5_ldap_util_setsrvpw_end:
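Review bot: in the new section text, `allows an administrator to set password for service objects such as KDC and Administration server` should read `set passwords for service objects such as the KDC and Administration server`, and `lists the name of services under a given base` should read `lists the names of service objects under a given base`. The sentence `To modify the attributes of a service and assign appropriate rights, if realm associations are changed, use ...` reads better as `To modify the attributes of a service, and to reassign rights when its realm associations change, use ...`.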
------------
:maxdepth: 1
edir_create_realm.rst
- edir_mod_realm.rst
edir_create_so.rst
- edir_mod_so.rst
- edir_get_so.rst
- edir_del_so.rst
- edir_so_list.rst
- edir_so_pass.rst
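Review bot: removing `edir_mod_so.rst`, `edir_get_so.rst`, `edir_del_so.rst`, `edir_so_list.rst` and `edir_so_pass.rst` from the toctree drops those pages, but only the realm page's label is re-homed (`.. _edir_mod_realm_label:` above `eDir: Modifying a Kerberos realm`); the new service-object sections from `eDir: Modifying a Service Object` through `eDir: Passwords for Service Objects` carry no `.. _..._label:` targets, so any `:ref:` that pointed at the removed pages will no longer resolve. Add the corresponding targets above those headings, or grep the docs for references to them before merging.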
Ticket Policy operations
===========================
-Creating and modifying a Ticket Policy
+Creating a Ticket Policy
------------------------------------------
+To create a new ticket policy in directory , use the :ref:`kdb5_ldap_util(8)` **create_policy** command.
+Ticket policy objects are created under the realm container.
-This command creates a ticket policy in directory::
-
- create_policy [-r realm] [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
-
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_create_policy:
+ :end-before: _kdb5_ldap_util_create_policy_end:
-Ticket policy objects are created under the realm container.
-This command modifies a ticket policy in directory::
+Modifying a Ticket Policy
+------------------------------------------
- modify_policy [-r realm] [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
+To modify a ticket policy in directory , use the :ref:`kdb5_ldap_util(8)` **modify_policy** command.
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_modify_policy:
+ :end-before: _kdb5_ldap_util_modify_policy_end:
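Review bot: `in directory , use` (stray space before the comma) appears in both the create_policy and the modify_policy sentence; write `in the directory, use`. Unlike the service-object sections, no blank line is visible between the paragraph ending `Ticket policy objects are created under the realm container.` and the `.. include::` that follows it, nor between the modify_policy sentence and its include; docutils needs that blank line to parse the directive rather than append `.. include:: ...` to the paragraph text, so make sure it is present.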
-Options are as follows
-
-=========================================== =========================================================
--r *realm* Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
--maxtktlife *max_ticket_life* Specifies maximum ticket life for principals.
--maxrenewlife *max_renewable_ticket_life* Specifies maximum renewable life of tickets for principals.
-ticket_flags Specifies the ticket flags_. If this option is not specified, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set.
-policy_name Specifies the name of the ticket policy.
-=========================================== =========================================================
-
-.. _flags:
-
-The various **ticket flags** are:
-
- {-\|+}allow_postdated
- -allow_postdated prohibits principals from obtaining postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.).+allow_postdated clears this flag.
- {-\|+}allow_forwardable
- -allow_forwardable prohibits principals from obtaining forwardable tickets. (Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable clears this flag.
- {-\|+}allow_renewable
- -allow_renewable prohibits principals from obtaining renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) +allow_renewable clears this flag.
- {-\|+}allow_proxiable
- -allow_proxiable prohibits principals from obtaining proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXABLE flag.) +allow_proxiable clears this flag.
- {-\|+}allow_dup_skey
- -allow_dup_skey Disables user-to-user authentication for principals by prohibiting principals from obtaining a sessions key for another user. (Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.). +allow_dup_skey clears This flag.
- {-\|+}requires_preauth
- +requires_preauth requires principals to preauthenticate before being allowed to kinit. (Sets the KRB5_KDB_REQURES_PRE_AUTH flag.) -requires_preauth clears this flag.
- {-\|+}requires_hwauth
- +requires_hwauth requires principals to preauthenticate using a hardware device before being allowed to kinit. (Sets the KRB5_KDB_REQURES_HW_AUTH flag.) -requires_hwauth clears this flag.
- {-\|+}allow_svr
- -allow_svr prohibits the issuance of service tickets for principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.) +allow_svr clears This flag.
- {-\|+}allow_tgs_req
- -allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service ticket for principals is not permitted. This option is useless for most things.+allow_tgs_req clears this flag. The default is +allow_tgs_req. In effect, -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database.
- {-\|+}allow_tix
- -allow_tix forbids the issuance of any tickets for principals. +allow_tix clears this flag. The default is +allow_tix. In effect, -allow_tix sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database.
- {-\|+}needchange
- +needchange sets a flag in attributes field to force a password change; -needchange clears it. The default is -needchange. In effect, +needchange sets the KRB5_KDB_REQURES_PWCHANGE flag on principals in the database.
- {-\|+}password_changing_service
- +password_changing_service sets a flag in the attributes field marking principal as a password change service principal (useless for most things). -password_changing_service clears the flag. This flag intentionally has a long name. The default is -password_changing_service. In effect, +password_changing_service sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database.
-
-
-For example::
-
- shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create_policy
- -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_forwardable usertktpolicy
-
-
- Password for "cn=admin,dc=example,dc=com":
- shell%
-
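Review bot: deleting the `.. _flags:` target together with the ticket-flag list removes the only place in the guide that explained each flag (`KRB5_KDB_DISALLOW_POSTDATED`, `KRB5_KDB_DISALLOW_FORWARDABLE` and the rest); confirm that the `_kdb5_ldap_util_create_policy:` and `_kdb5_ldap_util_modify_policy:` ranges in kdb5_ldap_util.rst carry equivalent per-flag descriptions, and grep for any remaining `flags_` reference now that its target is gone. The removed table also documented `-maxtktlife *max_ticket_life*`, which the new synopsis text above does not mention; it should appear in the included text as well.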
Retrieving Information About a Ticket Policy
---------------------------------------------
-To display the attributes of a ticket policy, use the following command::
-
- view_policy [-r realm] policy_name
-
-Options are as follows
-
-=============== ==========================
--r *realm* Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
-policy_name Specifies the name of the ticket policy
-=============== ==========================
-
-
-For example::
-
- shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu view_policy
- -r ATHENA.MIT.EDU usertktpolicy
+To display the attributes of a ticket policy, use the :ref:`kdb5_ldap_util(8)` **view_policy** command.
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_view_policy:
+ :end-before: _kdb5_ldap_util_view_policy_end:
- Password for "cn=admin,dc=example,dc=com":
- Ticket policy: usertktpolicy
- Maxmum ticket life: 0 days 01:00:00
- Maxmum renewable life: 0 days 10:00:00
- Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
- shell%
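Review bot: `+To display the attributes of a ticket policy, use the :ref:` is immediately followed by `+.. include::` with no blank line visible between them; docutils needs one for the include to be parsed as a directive instead of being absorbed into the paragraph (the `eDir: Retrieving Service Object Information` section in this change has it). The example being removed here had `Maxmum ticket life` and `Maxmum renewable life` typos, so check that the copy in the man page spells `Maximum` correctly.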
Destroying a Ticket Policy
--------------------------------
-To destroy an existing ticket policy, use the following command::
+To destroy an existing ticket policy, use the :ref:`kdb5_ldap_util(8)` **destroy_policy** command.
- destroy_policy [-force] [-r realm] policy_name
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_destroy_policy:
+ :end-before: _kdb5_ldap_util_destroy_policy_end:
-Options are as follows
-
-=============== =========================================================
--force Forces the deletion of the policy object. If not specified, will be prompted for confirmation while deleting the policy. Enter yes to confirm the deletion.
--r *realm* Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
-policy_name Specifies the name of the ticket policy.
-=============== =========================================================
-
-
-For example::
-
- shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu
- destroy_policy -r ATHENA.MIT.EDU usertktpolicy
-
-
- Password for "cn=admin,dc=example,dc=com":
- This will delete the policy object 'usertktpolicy', are you sure?
- (type 'yes' to confirm)? Yes
- ** policy object 'usertktpolicy' deleted.
- shell%
-
-
Listing available Ticket Policies
-----------------------------------
-To list the name of ticket policies in a realm, use the fillowing command::
-
- list_policy [-r realm]
-
-Option is as follows:
-
--r *realm*
- Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+To list the name of ticket policies in a realm, use the :ref:`kdb5_ldap_util(8)` **list_policy** command.
+.. include:: ../../admin_commands/kdb5_ldap_util.rst
+ :start-after: _kdb5_ldap_util_destroy_policy:
+ :end-before: _kdb5_ldap_util_destroy_policy_end:
-For example::
- shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU
- Password for "cn=admin,dc=example,dc=com":
- usertktpolicy
- tempusertktpolicy
- krbtktpolicy
- shell%
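Review bot: the include added for the list_policy section points at the wrong markers: `:start-after: _kdb5_ldap_util_destroy_policy:` / `:end-before: _kdb5_ldap_util_destroy_policy_end:` will pull in the destroy_policy text a second time instead of list_policy. Use `_kdb5_ldap_util_list_policy:` and `_kdb5_ldap_util_list_policy_end:`, the end marker this change adds after the list_policy example in kdb5_ldap_util.rst, and confirm the matching start marker exists there.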
------------