From c6f1c0ba6e19f266297f16a2267ccb8501b732cd Mon Sep 17 00:00:00 2001 From: Zhanna Tsitkov Date: Tue, 9 Aug 2011 18:39:37 +0000 Subject: [PATCH] Added kdb5_ldap_util manual page to the Sphinx doc tree git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25078 dc483132-0cff-0310-8789-dd5450dbe970 --- doc/rst_source/conf.py | 1 + .../krb_admins/admin_commands/index.rst | 1 + .../admin_commands/kdb5_ldap_util.rst | 660 ++++++++++++++++++ .../krb_admins/admin_commands/kpropd.rst | 2 +- 4 files changed, 663 insertions(+), 1 deletion(-) create mode 100644 doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst diff --git a/doc/rst_source/conf.py b/doc/rst_source/conf.py index d7719d057..8ab7a2c0f 100644 --- a/doc/rst_source/conf.py +++ b/doc/rst_source/conf.py @@ -235,4 +235,5 @@ man_pages = [ ('krb_admins/admin_commands/ktutil', 'ktutil', u'Kerberos keytab file maintenance utility', [u'MIT'], 1), ('krb_admins/admin_commands/k5srvutil', 'k5srvutil', u'host key table (keytab) manipulation utility', [u'MIT'], 1), ('krb_admins/admin_commands/kadmind', 'kadmind', u'KADM5 administration server', [u'MIT'], 8), + ('krb_admins/admin_commands/kdb5_ldap_util', 'kdb5_ldap_util', u'kdb5_ldap_util - Kerberos configuration utility', [u'MIT'], 8), ] diff --git a/doc/rst_source/krb_admins/admin_commands/index.rst b/doc/rst_source/krb_admins/admin_commands/index.rst index 00f64f73e..10bf4e32f 100644 --- a/doc/rst_source/krb_admins/admin_commands/index.rst +++ b/doc/rst_source/krb_admins/admin_commands/index.rst @@ -16,6 +16,7 @@ Administration programs ktutil.rst k5srvutil.rst kadmind.rst + kdb5_ldap_util.rst ------------ diff --git a/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst b/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst new file mode 100644 index 000000000..d0e1d21a4 --- /dev/null +++ b/doc/rst_source/krb_admins/admin_commands/kdb5_ldap_util.rst 
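Review bot: The new man_pages entry in conf.py puts the program name into the description field (`u'kdb5_ldap_util - Kerberos configuration utility'`), unlike the three neighbouring entries (ktutil, k5srvutil, kadmind), which carry only the description text. Sphinx composes the NAME line of a generated man page from the name and description fields, so this page would presumably render as `kdb5_ldap_util - kdb5_ldap_util - Kerberos configuration utility`. Dropping the prefix keeps the list consistent: `('krb_admins/admin_commands/kdb5_ldap_util', 'kdb5_ldap_util', u'Kerberos configuration utility', [u'MIT'], 8),`. A more specific wording such as `u'Kerberos LDAP database administration utility'` would also match better what the DESCRIPTION section of the new page says the tool does (managing realms, services and ticket policies in the LDAP back end).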
@@ -0,0 +1,660 @@ +kdb5_ldap_util - Kerberos configuration utility +================================================== + +SYNOPSIS +----------------------- + +**kdb5_ldap_util** [**-D** *user_dn* [**-w** *passwd*]] [**-H** *ldapuri*] **command** [*command_options*] + +DESCRIPTION +----------------------- + +*kdb5_ldap_util* allows an administrator to manage realms, Kerberos services and ticket policies. + +COMMAND-LINE OPTIONS +----------------------- + +**-D** *user_dn* + Specifies the Distinguished name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. + +**-w** *passwd* + Specifies the password of *user_dn*. This option is not recommended. + +**-H** *ldapuri* + Specifies the URI of the LDAP server. + + +COMMANDS +----------------------- + +**create** [**-subtrees** *subtree_dn_list*] [**-sscope** *search_scope*] [**-containerref** *container_reference_dn*] [**-k** *mkeytype*] [**-kv** *mkeyVNO*] [**-m|-P** *password*|**-sf** *stashfilename*] [**-s**] [**-r** *realm*] [**-kdcdn** *kdc_service_list*] [**-admindn** *admin_service_list*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] + Creates realm in directory. Options: + +**-subtrees** *subtree_dn_list* + Specifies the list of subtrees containing the principals of a realm. + The list contains the DNs of the subtree objects separated by colon(\:). + +**-sscope** *search_scope* + Specifies the scope for searching the principals under the subtree. + The possible values are 1 or one (one level), 2 or sub (subtrees). + +**-containerref** *container_reference_dn* + Specifies the DN of the container object in which the principals of a realm will be created. + If the container reference is not configured for a realm, the principals will be created in the realm container. + +**-k** *mkeytype* + Specifies the key type of the master key in the database; the default is that given in kdc.conf. 
+ +**-kv** *mkeyVNO* + Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. + +**-m** + Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. + +**-P** *password* + Specifies the master database password. This option is not recommended. + +**-sf** *stashfilename* + Specifies the stash file of the master database password. + +**-s** + Specifies that the stash file is to be created. + +**-maxtktlife** *max_ticket_life* + Specifies maximum ticket life for principals in this realm. + +**-maxrenewlife** *max_renewable_ticket_life* + Specifies maximum renewable life of tickets for principals in this realm. + +*ticket_flags* + Specifies the ticket flags. + If this option is not specified, by default, none of the flags are set. + This means all the ticket options will be allowed and no restriction will be set. + + The various flags are: + + {-\|+}allow_postdated + *-allow_postdated* prohibits principals from obtaining postdated tickets. + (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) *+allow_postdated* clears this flag. + + {-\|+}allow_forwardable + *-allow_forwardable* prohibits principals from obtaining forwardable tickets. + (Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) + *+allow_forwardable* clears this flag. + + {-\|+}allow_renewable + *-allow_renewable* prohibits principals from obtaining renewable tickets. + (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) + *+allow_renewable* clears this flag. + + {-\|+}allow_proxiable + *-allow_proxiable* prohibits principals from obtaining proxiable tickets. + (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) + *+allow_proxiable* clears this flag. + + {-\|+}allow_dup_skey + *-allow_dup_skey* disables user-to-user authentication for principals by prohibiting principals + from obtaining a session key for another user. + (Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) + *+allow_dup_skey* clears this flag. 
+ + {-\|+}requires_preauth + *+requires_preauth* requires principals to preauthenticate before being allowed to *kinit*. + (Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) + *-requires_preauth* clears this flag. + + {-\|+}requires_hwauth + *+requires_hwauth* requires principals to preauthenticate using a hardware device before being allowed to kinit. + (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) + *-requires_hwauth* clears this flag. + + {-\|+}allow_svr + *-allow_svr* prohibits the issuance of service tickets for principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.) + *+allow_svr* clears this flag. + + {-\|+}allow_tgs_req + *-allow_tgs_req* specifies that a Ticket-Granting Service (TGS) request for a service ticket for principals is not permitted. + This option is useless for most things. + *+allow_tgs_req* clears this flag. The default is *+allow_tgs_req*. + In effect, *-allow_tgs_req* sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. + + {-\|+}allow_tix + *-allow_tix* forbids the issuance of any tickets for principals. *+allow_tix* clears this flag. + The default is *+allow_tix*. + In effect, *-allow_tix* sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. + + {-\|+}needchange + *+needchange* sets a flag in attributes field to force a password change; *-needchange* clears it. + The default is *-needchange*. + In effect, *+needchange* sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database. + + {-\|+}password_changing_service + *+password_changing_service* sets a flag in the attributes field marking principal as a password change service principal + (useless for most things). + *-password_changing_service* clears the flag. This flag intentionally has a long name. + The default is *-password_changing_service*. + In effect, *+password_changing_service* sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. 
+ +**-r** *realm* + Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. + +Command Options Specific to eDirectory + +**-kdcdn** *kdc_service_list* + Specifies the list of KDC service objects serving the realm. + The list contains the DNs of the KDC service objects separated by colon(\:). + +**-admindn** *admin_service_list* + Specifies the list of Administration service objects serving the realm. + The list contains the DNs of the Administration service objects separated by colon(\:). + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU + Password for "cn=admin,o=org": + Initializing database for realm 'ATHENA.MIT.EDU' + You will be prompted for the database Master Password. + It is important that you NOT FORGET this password. + Enter KDC database master key: + Re-enter KDC database master key to verify: + + +**modify** [**-subtrees** *subtree_dn_list*] [**-sscope** *search_scope*] [**-containerref** *container_reference_dn*] [**-r** *realm*] [**-kdcdn** *kdc_service_list* | [**-clearkdcdn** *kdc_service_list*] [**-addkdcdn** *kdc_service_list*]] [**-admindn** *admin_service_list* | [**-clearadmindn** *admin_service_list*] [**-addadmindn** *admin_service_list*]] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] + +Modifies the attributes of a realm. Options: + +**-subtrees** *subtree_dn_list* + Specifies the list of subtrees containing the principals of a realm. + The list contains the DNs of the subtree objects separated by colon(\:). This list replaces the existing list. + +**-sscope** *search_scope* + Specifies the scope for searching the principals under the subtrees. + The possible values are 1 or one (one level), 2 or sub (subtrees). 
+ +**-containerref** *container_reference_dn* + Specifies the DN of the container object in which the principals of a realm will be created. + +**-maxtktlife** *max_ticket_life* + Specifies maximum ticket life for principals in this realm. + +**-maxrenewlife** *max_renewable_ticket_life* + Specifies maximum renewable life of tickets for principals in this realm. + +*ticket_flags* + Specifies the ticket flags. If this option is not specified, by default, none of the flags are set. + This means all the ticket options will be allowed and no restriction will be set. + + The various flags are: + + {-\|+}allow_postdated + *-allow_postdated* prohibits principals from obtaining postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) + *+allow_postdated* clears this flag. + + {-\|+}allow_forwardable + *-allow_forwardable* prohibits principals from obtaining forwardable tickets. + (Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) + *+allow_forwardable* clears this flag. + + {-\|+}allow_renewable + *-allow_renewable* prohibits principals from obtaining renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) + *+allow_renewable* clears this flag. + + {-\|+}allow_proxiable + *-allow_proxiable* prohibits principals from obtaining proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) + *+allow_proxiable* clears this flag. + + {-\|+}allow_dup_skey + *-allow_dup_skey* Disables user-to-user authentication for principals by prohibiting principals from + obtaining a session key for another user. + (Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) + *+allow_dup_skey* clears this flag. + + {-\|+}requires_preauth + *+requires_preauth* requires principals to preauthenticate before being allowed to kinit. + (Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) *-requires_preauth* clears this flag. + + {-\|+}requires_hwauth + *+requires_hwauth* requires principals to preauthenticate using a hardware device before being allowed to kinit. + (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) 
+ *-requires_hwauth* clears this flag. + + {-\|+}allow_svr + *-allow_svr* prohibits the issuance of service tickets for principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.) + *+allow_svr* clears this flag. + + {-\|+}allow_tgs_req + *-allow_tgs_req* specifies that a Ticket-Granting Service (TGS) request for a service ticket for principals is not permitted. + This option is useless for most things. + *+allow_tgs_req* clears this flag. + The default is *+allow_tgs_req*. In effect, *-allow_tgs_req* sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. + + {-\|+}allow_tix + *-allow_tix* forbids the issuance of any tickets for principals. + *+allow_tix* clears this flag. The default is *+allow_tix*. + In effect, *-allow_tix* sets the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. + + {-\|+}needchange + *+needchange* sets a flag in attributes field to force a password change; + *-needchange* clears it. The default is *-needchange*. + In effect, *+needchange* sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database. + + {-\|+}password_changing_service + *+password_changing_service* sets a flag in the attributes field marking principal as a password change service principal + (useless for most things). *-password_changing_service* clears the flag. This flag intentionally has a long name. + The default is *-password_changing_service*. + In effect, *+password_changing_service* sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. + +**-r** *realm* + Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. + +Command Options Specific to eDirectory + +**-kdcdn** *kdc_service_list* + Specifies the list of KDC service objects serving the realm. + The list contains the DNs of the KDC service objects separated by a colon (\:). + This list replaces the existing list. 
+ +**-clearkdcdn** *kdc_service_list* + Specifies the list of KDC service objects that need to be removed from the existing list. + The list contains the DNs of the KDC service objects separated by a colon (\:). + +**-addkdcdn** *kdc_service_list* + Specifies the list of KDC service objects that need to be added to the existing list. + The list contains the DNs of the KDC service objects separated by a colon (\:). + +**-admindn** *admin_service_list* + Specifies the list of Administration service objects serving the realm. + The list contains the DNs of the Administration service objects separated by a colon (\:). + This list replaces the existing list. + +**-clearadmindn** *admin_service_list* + Specifies the list of Administration service objects that need to be removed from the existing list. + The list contains the DNs of the Administration service objects separated by a colon (\:). + +**-addadmindn** *admin_service_list* + Specifies the list of Administration service objects that need to be added to the existing list. + The list contains the DNs of the Administration service objects separated by a colon (:). + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth -r ATHENA.MIT.EDU + Password for "cn=admin,o=org": + +**view** [**-r** *realm*] + Displays the attributes of a realm. Options: + +**-r** *realm* + Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU + Password for "cn=admin,o=org": + Realm Name: ATHENA.MIT.EDU + Subtree: ou=users,o=org + Subtree: ou=servers,o=org + SearchScope: ONE + Maximum ticket life: 0 days 01:00:00 + Maximum renewable life: 0 days 10:00:00 + Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE + +**destroy** [**-f**] [**-r** *realm*] + Destroys an existing realm. 
Options: + +**-f** + If specified, will not prompt the user for confirmation. + +**-r** *realm* + Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU + Password for "cn=admin,o=org": + Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? + (type 'yes' to confirm)? yes + OK, deleting database of 'ATHENA.MIT.EDU'... + +**list** + Lists the name of realms. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list + Password for "cn=admin,o=org": + ATHENA.MIT.EDU + OPENLDAP.MIT.EDU + MEDIA-LAB.MIT.EDU + +**stashsrvpw** [**-f** *filename*] *servicedn* + Allows an administrator to store the password for service object in a file so that KDC and Administration server + can use it to authenticate to the LDAP server. Options: + +**-f** *filename* + Specifies the complete path of the service password file. By default, */usr/local/var/service_passwd* is used. + +*servicedn* + Specifies Distinguished name (DN) of the service object whose password is to be stored in file. + +EXAMPLE:: + + kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org + Password for "cn=service-kdc,o=org": + Re-enter password for "cn=service-kdc,o=org": + +**create_policy** [**-r** *realm*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] *policy_name* + Creates a ticket policy in directory. Options: + +**-r** *realm* + Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. + +**-maxtktlife** *max_ticket_life* + Specifies maximum ticket life for principals. + +**-maxrenewlife** *max_renewable_ticket_life* + Specifies maximum renewable life of tickets for principals. + +*ticket_flags* + Specifies the ticket flags. 
If this option is not specified, by default, none of the flags are set. + This means all the ticket options will be allowed and no restriction will be set. + + The various flags are: + + {-\|+}allow_postdated + *-allow_postdated* prohibits principals from obtaining postdated tickets. + (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) *+allow_postdated* clears this flag. + + {-\|+}allow_forwardable + *-allow_forwardable* prohibits principals from obtaining forwardable tickets. + (Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.) *+allow_forwardable* clears this flag. + + {-\|+}allow_renewable + *-allow_renewable* prohibits principals from obtaining renewable tickets. + (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) *+allow_renewable* clears this flag. + + {-\|+}allow_proxiable + *-allow_proxiable* prohibits principals from obtaining proxiable tickets. + (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) *+allow_proxiable* clears this flag. + + {-\|+}allow_dup_skey + *-allow_dup_skey* disables user-to-user authentication for principals by prohibiting principals + from obtaining a session key for another user. + (Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) *+allow_dup_skey* clears this flag. + + {-\|+}requires_preauth + *+requires_preauth* requires principals to preauthenticate before being allowed to kinit. + (Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) *-requires_preauth* clears this flag. + + {-\|+}requires_hwauth + *+requires_hwauth* requires principals to preauthenticate using a hardware device before being allowed to *kinit*. + (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) + *-requires_hwauth* clears this flag. + + {-\|+}allow_svr + *-allow_svr* prohibits the issuance of service tickets for principals. + (Sets the KRB5_KDB_DISALLOW_SVR flag.) *+allow_svr* clears this flag. + + {-\|+}allow_tgs_req + *-allow_tgs_req* specifies that a Ticket-Granting Service (TGS) request i + for a service ticket for principals is not permitted. + This option is useless for most things. 
+ *+allow_tgs_req* clears this flag. The default is *+allow_tgs_req*. + In effect, *-allow_tgs_req sets* the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database. + + {-\|+}allow_tix + *-allow_tix* forbids the issuance of any tickets for principals. + *+allow_tix* clears this flag. + The default is *+allow_tix*. In effect, *-allow_tix sets* the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database. + + {-\|+}needchange + *+needchange* sets a flag in attributes field to force a password change; + *-needchange* clears it. The default is *-needchange*. + In effect, *+needchange* sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database. + + {-\|+}password_changing_service + *+password_changing_service* sets a flag in the attributes field marking principal as a password change service principal + (useless for most things). + *-password_changing_service* clears the flag. + This flag intentionally has a long name. The default is -password_changing_service. + In effect, *+password_changing_service* sets the KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database. + +*policy_name* + Specifies the name of the ticket policy. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy + Password for "cn=admin,o=org": + + +**modify_policy** [**-r** *realm*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] *policy_name* + Modifies the attributes of a ticket policy. Options are same as create_policy. + +**-r** *realm* + Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. 
+ +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy + Password for "cn=admin,o=org": + +**view_policy** [**-r** *realm*] *policy_name* + Displays the attributes of a ticket policy. Options: + +*policy_name* + Specifies the name of the ticket policy. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy + Password for "cn=admin,o=org": + Ticket policy: tktpolicy + Maximum ticket life: 0 days 01:00:00 + Maximum renewable life: 0 days 10:00:00 + Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE + +**destroy_policy** [**-r** *realm*] [**-force**] *policy_name* + Destroys an existing ticket policy. Options: + +**-r** *realm* + Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. + +**-force** + Forces the deletion of the policy object. If not specified, will be prompted for confirmation while deleting the policy. + Enter yes to confirm the deletion. + +*policy_name* + Specifies the name of the ticket policy. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU tktpolicy + Password for "cn=admin,o=org": + This will delete the policy object 'tktpolicy', are you sure? + (type 'yes' to confirm)? yes + ** policy object 'tktpolicy' deleted. + +**list_policy** [**-r** *realm*] + Lists the ticket policies in realm if specified or in the default realm. Options: + +**-r** *realm* + Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used. 
+ +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU + Password for "cn=admin,o=org": + tktpolicy + tmppolicy + userpolicy + + +Commands Specific to eDirectory + +**setsrvpw** [**-randpw\|-fileonly**] [**-f** *filename*] *service_dn* + Allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in a file. + The *-fileonly* option stores the password in a file and not in the eDirectory object. Options: + +**-randpw** + Generates and sets a random password. + This options can be specified to store the password both in eDirectory and a file. + The *-fileonly* option can not be used if *-randpw* option is already specified. + +**-fileonly** + Stores the password only in a file and not in eDirectory. + The *-randpw* option can not be used when *-fileonly* options is specified. + +**-f** *filename* + Specifies complete path of the service password file. By default, */usr/local/var/service_passwd* is used. + +*service_dn* + Specifies Distinguished name (DN) of the service object whose password is to be set. + +EXAMPLE:: + + kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org + Password for "cn=admin,o=org": + Password for "cn=service-kdc,o=org": + Re-enter password for "cn=service-kdc,o=org": + +**create_service** {**-kdc\|-admin**} [**-servicehost** *service_host_list*] [**-realm** *realm_list*] [**-randpw\|-fileonly**] [**-f** *filename*] *service_dn* + Creates a service in directory and assigns appropriate rights. Options: + +**-kdc** + Specifies the service is a KDC service + +**-admin** + Specifies the service is a Administration service + +**-servicehost** *service_host_list* + Specifies the list of entries separated by a colon (\:). 
+ Each entry consists of the hostname or IP address of the server hosting the service, + transport protocol, and the port number of the service separated by a pound sign (#). + For example, server1#tcp#88:server2#udp#89. + +**-realm** *realm_list* + Specifies the list of realms that are to be associated with this service. + The list contains the name of the realms separated by a colon (\:). + +**-randpw** + Generates and sets a random password. This option is used to set the random password for + the service object in directory and also to store it in the file. + The *-fileonly* option can not be used if *-randpw* option is specified. + +**-fileonly** + Stores the password only in a file and not in eDirectory. + The *-randpw* option can not be used when *-fileonly* option is specified. + +**-f** *filename* + Specifies the complete path of the file where the service object password is stashed. + +*service_dn* + Specifies Distinguished name (DN) of the Kerberos service to be created. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org + Password for "cn=admin,o=org": + File does not exist. Creating the file /home/andrew/conf_keyfile... + + +**modify_service** [**-servicehost** *service_host_list* | [**-clearservicehost** *service_host_list*] [**-addservicehost** *service_host_list*]] [**-realm** *realm_list* | [**-clearrealm** *realm_list*] [**-addrealm** *realm_list*]] *service_dn* + Modifies the attributes of a service and assigns appropriate rights. Options: + +**-servicehost** *service_host_list* + Specifies the list of entries separated by a colon (\:). + Each entry consists of a host name or IP Address of the Server hosting the service, transport protocol, + and port number of the service separated by a pound sign (#). 
For example:: + + server1#tcp#88:server2#udp#89 + +**-clearservicehost** *service_host_list* + Specifies the list of servicehost entries to be removed from the existing list separated by colon (\:). + Each entry consists of a host name or IP Address of + the server hosting the service, transport protocol, and port number of the service separated by a pound sign (#). + +**-addservicehost** *service_host_list* + Specifies the list of servicehost entries to be added to the existing list separated by colon (\:). + Each entry consists of a host name or IP Address of the + server hosting the service, transport protocol, and port number of the service separated by a pound sign (#). + +**-realm** *realm_list* + Specifies the list of realms that are to be associated with this service. + The list contains the name of the realms separated by a colon (\:). + This list replaces the existing list. + +**-clearrealm** *realm_list* + Specifies the list of realms to be removed from the existing list. + The list contains the name of the realms separated by a colon (\:). + +**-addrealm** *realm_list* + Specifies the list of realms to be added to the existing list. + The list contains the name of the realms separated by a colon (\:). + +*service_dn* + Specifies Distinguished name (DN) of the Kerberos service to be modified. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org + Password for "cn=admin,o=org": + Changing rights for the service object. Please wait ... done + +**view_service** *service_dn* + Displays the attributes of a service. Options: + +*service_dn* + Specifies Distinguished name (DN) of the Kerberos service to be viewed. 
+ +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org + Password for "cn=admin,o=org": + Service dn: cn=service-kdc,o=org + Service type: kdc + Service host list: + Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security + +**destroy_service** [**-force**] [**-f** *stashfilename*] *service_dn* + Destroys an existing service. Options: + +**-force** + If specified, will not prompt for user's confirmation, instead will force destruction of the service. + +**-f** *stashfilename* + Specifies the complete path of the service password file from where the entry corresponding + to the service_dn needs to be removed. + +*service_dn* + Specifies Distinguished name (DN) of the Kerberos service to be destroyed. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org + Password for "cn=admin,o=org": + This will delete the service object 'cn=service-kdc,o=org', are you sure? + (type 'yes' to confirm)? yes + ** service object 'cn=service-kdc,o=org' deleted. + +**list_service** [**-basedn** *base_dn*] + Lists the name of services under a given base in directory. Options: + +**-basedn** *base_dn* + Specifies the base DN for searching the service objects, limiting the search to a particular subtree. + If this option is not provided, LDAP Server specific search base will be used. + For eg, in the case of OpenLDAP, value of defaultsearchbase from *slapd.conf* file will be used, + where as in the case of eDirectory, the default value for the base DN is Root. + +EXAMPLE:: + + kdb5_ldap_util -D cn=admin,o=org list_service + Password for "cn=admin,o=org": + cn=service-kdc,o=org + cn=service-adm,o=org + cn=service-pwd,o=org + +SEE ALSO +----------------------- + +kadmin(8) + diff --git a/doc/rst_source/krb_admins/admin_commands/kpropd.rst b/doc/rst_source/krb_admins/admin_commands/kpropd.rst index 1fc0368ed..bc5fb75f6 100644 --- a/doc/rst_source/krb_admins/admin_commands/kpropd.rst 
+++ b/doc/rst_source/krb_admins/admin_commands/kpropd.rst @@ -7,7 +7,7 @@ kpropd SYNOPSIS ---------- -***kpropd*** +**kpropd** [ **-r** *realm* ] [ **-f** *slave_dumpfile* ] [ **-F** *principal_database* ] -- 2.26.2