From ad25940f24d226cfa74e884c7b0932ebd181ca6f Mon Sep 17 00:00:00 2001 From: Zhanna Tsitkov Date: Tue, 23 Aug 2011 15:45:29 +0000 Subject: [PATCH] Updated "Ticket Policy operations" and eDir sections in "Operations on the LDAP database" documentation to reference kdb5_ldap_util subtopics git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25111 dc483132-0cff-0310-8789-dd5450dbe970 --- .../admin_commands/kdb5_ldap_util.rst | 75 ++++++--- .../ldap_operations/edir_create_realm.rst | 26 ++-- .../ldap_operations/edir_create_so.rst | 72 ++++++--- .../database/ldap_operations/index.rst | 6 - .../database/ldap_operations/ldap_tkt_pol.rst | 142 +++--------------- 5 files changed, 140 insertions(+), 181 deletions(-) diff --git a/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst b/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst index 1038ee9b1..2613affb0 100644 --- a/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst +++ b/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst @@ -23,7 +23,7 @@ COMMAND-LINE OPTIONS .. _kdb5_ldap_util_options: **-D** *user_dn* - Specifies the Distinguished name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. + Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. **-w** *passwd* Specifies the password of *user_dn*. This option is not recommended. @@ -175,6 +175,8 @@ create Command options specific to eDirectory +.. _kdb5_ldap_util_create_edir: + **-kdcdn** *kdc_service_list* Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC service objects separated by colon(\:). 
@@ -183,6 +185,8 @@ create Specifies the list of Administration service objects serving the realm. The list contains the DNs of the Administration service objects separated by colon(\:). +.. _kdb5_ldap_util_create_edir_end: + EXAMPLE:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU @@ -300,6 +304,8 @@ modify Command options specific to eDirectory +.. _kdb5_ldap_util_modify_edir: + **-kdcdn** *kdc_service_list* Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC service objects separated by a colon (\:). @@ -326,6 +332,8 @@ modify Specifies the list of Administration service objects that need to be added to the existing list. The list contains the DNs of the Administration service objects separated by a colon (:). +.. _kdb5_ldap_util_modify_edir_end: + EXAMPLE:: shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth -r ATHENA.MIT.EDU @@ -417,7 +425,7 @@ stashsrvpw Specifies the complete path of the service password file. By default, */usr/local/var/service_passwd* is used. *servicedn* - Specifies Distinguished name (DN) of the service object whose password is to be stored in file. + Specifies Distinguished Name (DN) of the service object whose password is to be stored in file. EXAMPLE:: 
@@ -608,13 +616,28 @@ list_policy **-r** *realm* Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU + Password for "cn=admin,o=org": + tktpolicy + tmppolicy + userpolicy + +.. _kdb5_ldap_util_list_policy_end: + - Commands Specific to eDirectory +Commands specific to eDirectory +-------------------------------- + +setsrvpw +~~~~~~~~~~~~~~~~~~ +.. _kdb5_ldap_util_setsrvpw: **setsrvpw** - [**-randpw\|-fileonly**] - [**-f** *filename*] - *service_dn* + [**-randpw\|-fileonly**] + [**-f** *filename*] + *service_dn* Allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in a file. The *-fileonly* option stores the password in a file and not in the eDirectory object. Options: @@ -632,22 +655,16 @@ list_policy Specifies complete path of the service password file. By default, */usr/local/var/service_passwd* is used. *service_dn* - Specifies Distinguished name (DN) of the service object whose password is to be set. - -EXAMPLES:: + Specifies Distinguished Name (DN) of the service object whose password is to be set. - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU - Password for "cn=admin,o=org": - tktpolicy - tmppolicy - userpolicy +EXAMPLE:: kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org Password for "cn=admin,o=org": Password for "cn=service-kdc,o=org": Re-enter password for "cn=service-kdc,o=org": -.. _kdb5_ldap_util_list_policy_end: +.. _kdb5_ldap_util_setsrvpw_end: create_service ~~~~~~~~~~~~~~~~~~~ 
@@ -655,7 +672,7 @@ create_service .. _kdb5_ldap_util_create_service: **create_service** - {**-kdc\|-admin**} + {**-kdc\|-admin\|-pwd**} [**-servicehost** *service_host_list*] [**-realm** *realm_list*] [**-randpw\|-fileonly**] @@ -669,6 +686,9 @@ create_service **-admin** Specifies the service is a Administration service + **-pwd** + Specifies the Password service + **-servicehost** *service_host_list* Specifies the list of entries separated by a colon (\:). Each entry consists of the hostname or IP address of the server hosting the service, @@ -692,13 +712,14 @@ create_service Specifies the complete path of the file where the service object password is stashed. *service_dn* - Specifies Distinguished name (DN) of the Kerberos service to be created. + Specifies Distinguished Name (DN) of the Kerberos service to be created. EXAMPLE:: - kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org + shell% kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org Password for "cn=admin,o=org": File does not exist. Creating the file /home/andrew/conf_keyfile... + shell% .. _kdb5_ldap_util_create_service_end: @@ -746,13 +767,14 @@ modify_service The list contains the name of the realms separated by a colon (\:). *service_dn* - Specifies Distinguished name (DN) of the Kerberos service to be modified. + Specifies Distinguished Name (DN) of the Kerberos service to be modified. EXAMPLE:: - kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org + shell% kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org Password for "cn=admin,o=org": Changing rights for the service object. Please wait ... done + shell% .. _kdb5_ldap_util_modify_service_end: 
@@ -765,16 +787,17 @@ view_service Displays the attributes of a service. Options: *service_dn* - Specifies Distinguished name (DN) of the Kerberos service to be viewed. + Specifies Distinguished Name (DN) of the Kerberos service to be viewed. EXAMPLE:: - kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org + shell% kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org Password for "cn=admin,o=org": Service dn: cn=service-kdc,o=org Service type: kdc Service host list: Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security + shell% .. _kdb5_ldap_util_view_service_end: @@ -794,15 +817,16 @@ destroy_service to the service_dn needs to be removed. *service_dn* - Specifies Distinguished name (DN) of the Kerberos service to be destroyed. + Specifies Distinguished Name (DN) of the Kerberos service to be destroyed. EXAMPLE:: - kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org + shell% kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org Password for "cn=admin,o=org": This will delete the service object 'cn=service-kdc,o=org', are you sure? (type 'yes' to confirm)? yes ** service object 'cn=service-kdc,o=org' deleted. + shell% .. _kdb5_ldap_util_destroy_service_end: @@ -822,11 +846,12 @@ list_service EXAMPLE:: - kdb5_ldap_util -D cn=admin,o=org list_service + shell% kdb5_ldap_util -D cn=admin,o=org list_service Password for "cn=admin,o=org": cn=service-kdc,o=org cn=service-adm,o=org cn=service-pwd,o=org + shell% .. _kdb5_ldap_util_list_service_end: diff --git a/doc/rst_source/krb_admins/database/ldap_operations/edir_create_realm.rst b/doc/rst_source/krb_admins/database/ldap_operations/edir_create_realm.rst index a3736d8f6..7d527a770 100644 --- a/doc/rst_source/krb_admins/database/ldap_operations/edir_create_realm.rst +++ b/doc/rst_source/krb_admins/database/ldap_operations/edir_create_realm.rst 
@@ -8,20 +8,16 @@ See :ref:`ldap_create_realm_label` The following are the eDirectory specific options -==================================== ============================================== --kdcdn *kdc_servce_list* Specifies the list of KDC service objects serving the realm. The list contains the DNs of the KDC service objects separated by colon(:). --admindn *admin_service_list* Specifies the list of Administration service objects serving the realm. The list contains the DNs of the Administration service objects separated by colon(:). -==================================== ============================================== - -| +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_create_edir: + :end-before: _kdb5_ldap_util_create_edir_end: + -For example:: +EXAMPLE:: shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create -sscope 2 -subtree ou=users,dc=example,dc=com -kdcdn cn=krbkdc,dc=example,dc=com -admindn cn=krbadmin,dc=example,dc=com -r ATHENA.MIT.EDU - - Password for "cn=admin,dc=example,dc=com": Initializing database for realm 'ATHENA.MIT.EDU' You will be prompted for the database Master Password. @@ -31,6 +27,18 @@ For example:: shell% +.. _edir_mod_realm_label: + + +eDir: Modifying a Kerberos realm +================================= + +See :ref:`ldap_mod_realm_label` + +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_modify_edir: + :end-before: _kdb5_ldap_util_modify_edir_end: + ------------ diff --git a/doc/rst_source/krb_admins/database/ldap_operations/edir_create_so.rst b/doc/rst_source/krb_admins/database/ldap_operations/edir_create_so.rst index 133639bf1..ca78136ee 100644 --- a/doc/rst_source/krb_admins/database/ldap_operations/edir_create_so.rst +++ b/doc/rst_source/krb_admins/database/ldap_operations/edir_create_so.rst 
@@ -1,36 +1,62 @@ eDir: Creating a Service Object ======================================== -To create a service object in directory and assign appropriate rights on the container holding kerberos data, use the following command:: +To create a service object in eDirectory and assign appropriate rights on the container holding kerberos data, use the :ref:`kdb5_ldap_util(8)` **create_service** command. - create_service -kdc|-admin|-pwd [-servicehost service_host_list] [-realm realm_list] [-randpw| - -fileonly] [-filename] service_dn - -Options are as follows +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_create_service: + :end-before: _kdb5_ldap_util_create_service_end: -================================================== ============================================ --kdc Specifies the KDC service --admin Specifies the Administration service --pwd Specifies the Password service --servicehost *service_host_list* Specifies the list of entries separated by a colon (:). Each entry consists of the hostname or IP address of the server hosting the service, transport protocol and the port number of the service separated by a pound sign (#). For example *server1#tcp#88:server2#udp#89*. --realm *realm_list* Specifies the list of realms that are to be associated with this service. The list contains the name of the realms separated by a colon (:). --randpw Generates and sets a random password. This option is used to set the random password for the service object in directory and also to store it in the file. *-fileonly* option cannot be used with *-randpw* option. --fileonly Stores the password only in a file and not in directory. The *-randpw* option can not be used when *-fileonly* option is specified. --f *filename* Specifies the complete path of the file where the service object password is stashed. 
If this option is not specified, the default file will be */usr/local/var/service_passwd* -service_dn Specifies the Distinguished Name (DN) of the Kerberos service to be created. -================================================== ============================================ -For example:: +eDir: Modifying a Service Object +================================= - shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu - create_service -kdc -randpw -f /home/andrew/service_passwd cn=service-kdc,dc=example,dc=com +To modify the attributes of a service and assign appropriate rights, if realm associations are changed, use the :ref:`kdb5_ldap_util(8)` **modify_service** command. +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_modify_service: + :end-before: _kdb5_ldap_util_modify_service_end: - Password for "cn=admin,dc=example,dc=com": - File does not exist. Creating the file /home/andrew/service_passwd... - shell% - +eDir: Retrieving Service Object Information +============================================================== + +To display the attributes of a service, use the :ref:`kdb5_ldap_util(8)` **view_service** command. + +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_view_service: + :end-before: _kdb5_ldap_util_view_service_end: + + +eDir: Destroying a Service Object +=================================== + + +The :ref:`kdb5_ldap_util(8)` **destroy_service** command is used to destroy an existing service. + +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_destroy_service: + :end-before: _kdb5_ldap_util_destroy_service_end: + + +eDir: Listing Available Service Objects +=========================================== + +The :ref:`kdb5_ldap_util(8)` **list_service** command lists the name of services under a given base in eDirectory. + +.. 
include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_list_service: + :end-before: _kdb5_ldap_util_list_service_end: + + +eDir: Passwords for Service Objects +============================================ + +The command :ref:`kdb5_ldap_util(8)` **setsrvpw** allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in a file. + +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_setsrvpw: + :end-before: _kdb5_ldap_util_setsrvpw_end: ------------ diff --git a/doc/rst_source/krb_admins/database/ldap_operations/index.rst b/doc/rst_source/krb_admins/database/ldap_operations/index.rst index 3f36b7b6e..2beb6dcc1 100644 --- a/doc/rst_source/krb_admins/database/ldap_operations/index.rst +++ b/doc/rst_source/krb_admins/database/ldap_operations/index.rst @@ -40,12 +40,6 @@ eDirectory :maxdepth: 1 edir_create_realm.rst - edir_mod_realm.rst edir_create_so.rst - edir_mod_so.rst - edir_get_so.rst - edir_del_so.rst - edir_so_list.rst - edir_so_pass.rst diff --git a/doc/rst_source/krb_admins/database/ldap_operations/ldap_tkt_pol.rst b/doc/rst_source/krb_admins/database/ldap_operations/ldap_tkt_pol.rst index eb0705faf..b58098166 100644 --- a/doc/rst_source/krb_admins/database/ldap_operations/ldap_tkt_pol.rst +++ b/doc/rst_source/krb_admins/database/ldap_operations/ldap_tkt_pol.rst 
@@ -1,155 +1,61 @@ Ticket Policy operations =========================== -Creating and modifying a Ticket Policy +Creating a Ticket Policy ------------------------------------------ +To create a new ticket policy in directory , use the :ref:`kdb5_ldap_util(8)` **create_policy** command. +Ticket policy objects are created under the realm container. -This command creates a ticket policy in directory:: - - create_policy [-r realm] [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name - +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_create_policy: + :end-before: _kdb5_ldap_util_create_policy_end: -Ticket policy objects are created under the realm container. -This command modifies a ticket policy in directory:: +Modifying a Ticket Policy +------------------------------------------ - modify_policy [-r realm] [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name +To modify a ticket policy in directory , use the :ref:`kdb5_ldap_util(8)` **modify_policy** command. +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_modify_policy: + :end-before: _kdb5_ldap_util_modify_policy_end: -Options are as follows - -=========================================== ========================================================= --r *realm* Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. --maxtktlife *max_ticket_life* Specifies maximum ticket life for principals. --maxrenewlife *max_renewable_ticket_life* Specifies maximum renewable life of tickets for principals. -ticket_flags Specifies the ticket flags_. If this option is not specified, by default, none of the flags are set. This means all the ticket options will be allowed and no restriction will be set. -policy_name Specifies the name of the ticket policy. -=========================================== ========================================================= - -.. 
_flags: - -The various **ticket flags** are: - - {-\|+}allow_postdated - -allow_postdated prohibits principals from obtaining postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.).+allow_postdated clears this flag. - {-\|+}allow_forwardable - -allow_forwardable prohibits principals from obtaining forwardable tickets. (Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable clears this flag. - {-\|+}allow_renewable - -allow_renewable prohibits principals from obtaining renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) +allow_renewable clears this flag. - {-\|+}allow_proxiable - -allow_proxiable prohibits principals from obtaining proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXABLE flag.) +allow_proxiable clears this flag. - {-\|+}allow_dup_skey - -allow_dup_skey Disables user-to-user authentication for principals by prohibiting principals from obtaining a sessions key for another user. (Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.). +allow_dup_skey clears This flag. - {-\|+}requires_preauth - +requires_preauth requires principals to preauthenticate before being allowed to kinit. (Sets the KRB5_KDB_REQURES_PRE_AUTH flag.) -requires_preauth clears this flag. - {-\|+}requires_hwauth - +requires_hwauth requires principals to preauthenticate using a hardware device before being allowed to kinit. (Sets the KRB5_KDB_REQURES_HW_AUTH flag.) -requires_hwauth clears this flag. - {-\|+}allow_svr - -allow_svr prohibits the issuance of service tickets for principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.) +allow_svr clears This flag. - {-\|+}allow_tgs_req - -allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service ticket for principals is not permitted. This option is useless for most things.+allow_tgs_req clears this flag. The default is +allow_tgs_req. In effect, -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. 
- {-\|+}allow_tix - -allow_tix forbids the issuance of any tickets for principals. +allow_tix clears this flag. The default is +allow_tix. In effect, -allow_tix sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. - {-\|+}needchange - +needchange sets a flag in attributes field to force a password change; -needchange clears it. The default is -needchange. In effect, +needchange sets the KRB5_KDB_REQURES_PWCHANGE flag on principals in the database. - {-\|+}password_changing_service - +password_changing_service sets a flag in the attributes field marking principal as a password change service principal (useless for most things). -password_changing_service clears the flag. This flag intentionally has a long name. The default is -password_changing_service. In effect, +password_changing_service sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. - - -For example:: - - shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create_policy - -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_forwardable usertktpolicy - - - Password for "cn=admin,dc=example,dc=com": - shell% - Retrieving Information About a Ticket Policy --------------------------------------------- -To display the attributes of a ticket policy, use the following command:: - - view_policy [-r realm] policy_name - -Options are as follows - -=============== ========================== --r *realm* Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. -policy_name Specifies the name of the ticket policy -=============== ========================== - - -For example:: - - shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu view_policy - -r ATHENA.MIT.EDU usertktpolicy +To display the attributes of a ticket policy, use the :ref:`kdb5_ldap_util(8)` **view_policy** command. +.. 
include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_view_policy: + :end-before: _kdb5_ldap_util_view_policy_end: - Password for "cn=admin,dc=example,dc=com": - Ticket policy: usertktpolicy - Maxmum ticket life: 0 days 01:00:00 - Maxmum renewable life: 0 days 10:00:00 - Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE - shell% Destroying a Ticket Policy -------------------------------- -To destroy an existing ticket policy, use the following command:: +To destroy an existing ticket policy, use the :ref:`kdb5_ldap_util(8)` **destroy_policy** command. - destroy_policy [-force] [-r realm] policy_name +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_destroy_policy: + :end-before: _kdb5_ldap_util_destroy_policy_end: -Options are as follows - -=============== ========================================================= --force Forces the deletion of the policy object. If not specified, will be prompted for confirmation while deleting the policy. Enter yes to confirm the deletion. --r *realm* Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. -policy_name Specifies the name of the ticket policy. -=============== ========================================================= - - -For example:: - - shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu - destroy_policy -r ATHENA.MIT.EDU usertktpolicy - - - Password for "cn=admin,dc=example,dc=com": - This will delete the policy object 'usertktpolicy', are you sure? - (type 'yes' to confirm)? Yes - ** policy object 'usertktpolicy' deleted. 
- shell% - - Listing available Ticket Policies ----------------------------------- -To list the name of ticket policies in a realm, use the fillowing command:: - - list_policy [-r realm] - -Option is as follows: - --r *realm* - Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. +To list the name of ticket policies in a realm, use the :ref:`kdb5_ldap_util(8)` **list_policy** command. +.. include:: ../../admin_commands/kdb5_ldap_util.rst + :start-after: _kdb5_ldap_util_destroy_policy: + :end-before: _kdb5_ldap_util_destroy_policy_end: -For example:: - shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU - Password for "cn=admin,dc=example,dc=com": - usertktpolicy - tempusertktpolicy - krbtktpolicy - shell% ------------ -- 2.26.2
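Review bot: in the kdb5_ldap_util.rst hunk at `@@ -608,13 +616,28 @@`, the new list_policy EXAMPLE has no `shell%` prompt, while this same patch adds `shell% ` before the command and a closing `shell%` line to the create_service, modify_service, view_service, destroy_service and list_service examples; give the list_policy example the same shape so the file is consistent.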
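Review bot: in the kdb5_ldap_util.rst hunk at `@@ -632,22 +655,16 @@`, the setsrvpw EXAMPLE kept as context reads `kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org`, naming the subcommand twice (before `-D` and again after it); since the hunk re-labels this example, drop the first `setsrvpw` so the command follows the synopsis shown just above it (`**setsrvpw** [**-randpw\|-fileonly**] [**-f** *filename*] *service_dn*`), and add the `shell%` prompt used by the other examples.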
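Review bot: the first edir_create_realm.rst hunk keeps an example that runs `create -sscope 2 -subtree ou=users,dc=example,dc=com ...`, whereas the kdb5_ldap_util.rst create example in this same patch spells the option `-subtrees` (`create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU`); since the hunk already rewrites the text around this example, align the option name with the reference page so the two documents do not disagree on the spelling.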
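Review bot: the second edir_create_realm.rst hunk adds "eDir: Modifying a Kerberos realm" with only the included `_kdb5_ldap_util_modify_edir:` option range and no EXAMPLE, while the Creating section directly above keeps one; add a modify example (the `kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth -r ATHENA.MIT.EDU` example already in kdb5_ldap_util.rst would do) so the two sections match. Minor: the `.. _edir_mod_realm_label:` label is padded with two blank lines on each side where one is enough.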
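Review bot: the edir_create_so.rst hunk leaves the file with six `====`-underlined titles (Creating, Modifying, Retrieving, Destroying, Listing, Passwords) in a document whose filename describes only the first; consider one title for the page and `----` underlines for the per-command sections so the toctree entry and the heading levels stay predictable. Also in this hunk: "To modify the attributes of a service and assign appropriate rights, if realm associations are changed," misplaces the comma (read "and, if realm associations are changed, assign appropriate rights"), "lists the name of services" should be "lists the names of the services", and the Destroying heading is followed by two blank lines where the other headings have one.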
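Review bot: the index.rst hunk removes edir_mod_realm.rst, edir_mod_so.rst, edir_get_so.rst, edir_del_so.rst, edir_so_list.rst and edir_so_pass.rst from the toctree, but the diffstat lists only five modified files and no deletions, so those six sources remain in the tree, duplicate the sections now merged into edir_create_realm.rst and edir_create_so.rst, and will trigger Sphinx "document isn't included in any toctree" warnings; either `git rm` them in this commit or mark them `:orphan:`.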
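Review bot: in the ldap_tkt_pol.rst hunk, the "Listing available Ticket Policies" section includes the wrong range: its `.. include::` uses `:start-after: _kdb5_ldap_util_destroy_policy:` and `:end-before: _kdb5_ldap_util_destroy_policy_end:`, so the rendered page will repeat the destroy_policy options under the list_policy heading. It should be `:start-after: _kdb5_ldap_util_list_policy:` / `:end-before: _kdb5_ldap_util_list_policy_end:` (the end label is added to kdb5_ldap_util.rst in this same patch). Also in this hunk: "in directory , use" appears twice with a space before the comma; and the `.. _flags:` label and the whole ticket-flags list are deleted, while none of the `_kdb5_ldap_util_*_policy:` start labels the new includes depend on are visible in this patch, so please confirm those labels exist, that the included create_policy text still documents the ticket flags, and that no other page still does `:ref:` to `flags`.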