System Administration Commands                       kdb5_ldap_util(1M)

NAME
    kdb5_ldap_util - Kerberos configuration utility

SYNOPSIS
    kdb5_ldap_util [-D userdn [-w passwd]] [-H ldapuri] command
        [commandoptions]

DESCRIPTION
    The kdb5_ldap_util utility allows an administrator to manage realms,
    Kerberos services, and ticket policies. The utility offers a set of
    general options, described under OPTIONS, and a set of commands,
    which, in turn, have their own options. Commands and their options
    are described in their own subsections, below.

OPTIONS
    kdb5_ldap_util has a small set of general options that apply to the
    kdb5_ldap_util utility itself and a larger number of options that
    apply to specific commands. A number of these command-specific
    options apply to multiple commands and are described in their own
    section, below.

  General Options

    The following general options are supported:

    -D userdn
        Specifies the distinguished name (DN) of a user who has
        sufficient rights to perform the operation on the LDAP server.

    -H ldapuri
        Specifies the URI of the LDAP server.

    -w passwd
        Specifies the password of userdn. This option is not
        recommended: a password given on the command line can be seen
        by other users of the system. Omit it and enter the password
        at the prompt instead.

  Common Command-specific Options

    The following options apply to a number of kdb5_ldap_util commands.

    -subtrees subtreednlist
        Specifies the list of subtrees containing the principals of a
        realm. The list contains the DNs of the subtree objects
        separated by a colon.

    -sscope searchscope
        Specifies the scope for searching the principals under a
        subtree. The possible values are 1 or one (one level), 2 or
        sub (subtrees).

    -containerref containerreferencedn
        Specifies the DN of the container object in which the
        principals of a realm will be created. If the container
        reference is not configured for a realm, the principals will
        be created in the realm container.

    -maxtktlife maxticketlife
        Specifies the maximum ticket life for principals in this
        realm.

    -maxrenewlife maxrenewableticketlife
        Specifies the maximum renewable life of tickets for principals
        in this realm.

    -r realm
        Specifies the Kerberos realm of the database; by default the
        realm returned by krb5_default_local_realm(3) is used.

kdb5_ldap_util COMMANDS
    The kdb5_ldap_util utility comprises a set of commands, each with
    its own set of options. These commands are described in the
    following subsections.

  The create Command

    The create command creates a realm in a directory. The command has
    the following syntax:

    create \
        [-subtrees subtreednlist]
        [-sscope searchscope]
        [-containerref containerreferencedn]
        [-k mkeytype]
        [-m|-P password|-sf stashfilename]
        [-s]
        [-r realm]
        [-maxtktlife maxticketlife]
        [-kdcdn kdcservicelist]
        [-admindn adminservicelist]
        [-maxrenewlife maxrenewableticketlife]
        [ticketflags]

    The create command has the following options:

    -subtrees subtreednlist
        See "Common Command-specific Options," above.

    -sscope searchscope
        See "Common Command-specific Options," above.

    -containerref containerreferencedn
        See "Common Command-specific Options," above.

    -k mkeytype
        Specifies the key type of the master key in the database; the
        default is that given in kdc.conf(4).

    -m
        Specifies that the master database password should be read
        from the TTY rather than fetched from a file on the disk.

    -P password
        Specifies the master database password. This option is not
        recommended: a password given on the command line can be seen
        by other users of the system. Use -m and enter it at the
        prompt, or use -sf with a stash file, instead.

    -sf stashfilename
        Specifies the stash file of the master database password.

    -s
        Specifies that the stash file is to be created.

    -maxtktlife maxticketlife
        See "Common Command-specific Options," above.

    -maxrenewlife maxrenewableticketlife
        See "Common Command-specific Options," above.

    -r realm
        See "Common Command-specific Options," above.

    ticketflags
        Specifies the ticket flags. If this option is not specified,
        by default, none of the flags are set. This means all the
        ticket options will be allowed and no restriction will be set.
        See "TICKET FLAGS" for a list and descriptions of these flags.

  The modify Command

    The modify command modifies the attributes of a realm. The command
    has the following syntax:

    modify \
        [-subtrees subtreednlist]
        [-sscope searchscope]
        [-containerref containerreferencedn]
        [-r realm]
        [-maxtktlife maxticketlife]
        [-maxrenewlife maxrenewableticketlife]
        [ticketflags]

    The modify command has the following options:

    -subtrees subtreednlist
        See "Common Command-specific Options," above.

    -sscope searchscope
        See "Common Command-specific Options," above.

    -containerref containerreferencedn
        See "Common Command-specific Options," above.

    -maxtktlife maxticketlife
        See "Common Command-specific Options," above.

    -maxrenewlife maxrenewableticketlife
        See "Common Command-specific Options," above.

    -r realm
        See "Common Command-specific Options," above.

    ticketflags
        Specifies the ticket flags. If this option is not specified,
        by default, none of the flags are set. This means all the
        ticket options will be allowed and no restriction will be set.
        See "TICKET FLAGS" for a list and descriptions of these flags.

  The view Command

    The view command displays the attributes of a realm. The command
    has the following syntax:

    view [-r realm]

    The view command has the following option:

    -r realm
        See "Common Command-specific Options," above.

  The destroy Command

    The destroy command destroys a realm, including the master key
    stash file. The command has the following syntax:

    destroy [-f] [-r realm]

    The destroy command has the following options:

    -f
        If specified, destroy does not prompt you for confirmation.

    -r realm
        See "Common Command-specific Options," above.

  The list Command

    The list command displays the names of realms. The command has the
    following syntax:

    list

    The list command has no options.

  The stashsrvpw Command

    The stashsrvpw command enables you to store the password for a
    service object in a file so that a KDC and Administration server
    can use it to authenticate to the LDAP server. The command has the
    following syntax:

    stashsrvpw [-f filename] servicedn

    The stashsrvpw command has the following option and argument:

    -f filename
        Specifies the complete path of the service password file. The
        default is:

        /var/krb5/service_passwd

    servicedn
        Specifies the distinguished name (DN) of the service object
        whose password is to be stored in the file.

  The createpolicy Command

    The createpolicy command creates a ticket policy in a directory.
    The command has the following syntax:

    createpolicy \
        [-r realm]
        [-maxtktlife maxticketlife]
        [-maxrenewlife maxrenewableticketlife]
        [ticketflags]
        policyname

    The createpolicy command has the following options:

    -r realm
        See "Common Command-specific Options," above.

    -maxtktlife maxticketlife
        See "Common Command-specific Options," above.

    -maxrenewlife maxrenewableticketlife
        See "Common Command-specific Options," above.

    ticketflags
        Specifies the ticket flags. If this option is not specified,
        by default, none of the flags are set. This means all the
        ticket options will be allowed and no restriction will be set.
        See "TICKET FLAGS" for a list and descriptions of these flags.

    policyname
        Specifies the name of the ticket policy.

  The modifypolicy Command

    The modifypolicy command modifies the attributes of a ticket
    policy. The command has the following syntax:

    modifypolicy \
        [-r realm]
        [-maxtktlife maxticketlife]
        [-maxrenewlife maxrenewableticketlife]
        [ticketflags]
        policyname

    The modifypolicy command has the same options and argument as
    those for the createpolicy command.

  The viewpolicy Command

    The viewpolicy command displays the attributes of a ticket policy.
    The command has the following syntax:

    viewpolicy [-r realm] policyname

    The viewpolicy command has the following options:

    -r realm
        See "Common Command-specific Options," above.

    policyname
        Specifies the name of the ticket policy.

  The destroypolicy Command

    The destroypolicy command destroys an existing ticket policy. The
    command has the following syntax:

    destroypolicy [-r realm] [-force] policyname

    The destroypolicy command has the following options:

    -r realm
        See "Common Command-specific Options," above.

    -force
        Forces the deletion of the policy object. If not specified,
        you will be prompted for confirmation before the policy is
        deleted. Enter yes to confirm the deletion.

    policyname
        Specifies the name of the ticket policy.

  The listpolicy Command

    The listpolicy command lists the ticket policies in the default or
    a specified realm. The command has the following syntax:

    listpolicy [-r realm]

    The listpolicy command has the following option:

    -r realm
        See "Common Command-specific Options," above.

TICKET FLAGS
    A number of kdb5_ldap_util commands have ticketflags options.
    These flags are described as follows:

    {-|+}allow_dup_skey
        -allow_dup_skey disables user-to-user authentication for
        principals by prohibiting principals from obtaining a session
        key for another user. This setting sets the
        KRB5_KDB_DISALLOW_DUP_SKEY flag. +allow_dup_skey clears this
        flag.

    {-|+}allow_forwardable
        -allow_forwardable prohibits principals from obtaining
        forwardable tickets. This setting sets the
        KRB5_KDB_DISALLOW_FORWARDABLE flag. +allow_forwardable clears
        this flag.

    {-|+}allow_postdated
        -allow_postdated prohibits principals from obtaining postdated
        tickets. This setting sets the KRB5_KDB_DISALLOW_POSTDATED
        flag. +allow_postdated clears this flag.

    {-|+}allow_proxiable
        -allow_proxiable prohibits principals from obtaining proxiable
        tickets. This setting sets the KRB5_KDB_DISALLOW_PROXIABLE
        flag. +allow_proxiable clears this flag.

    {-|+}allow_renewable
        -allow_renewable prohibits principals from obtaining renewable
        tickets. This setting sets the KRB5_KDB_DISALLOW_RENEWABLE
        flag. +allow_renewable clears this flag.

    {-|+}allow_svr
        -allow_svr prohibits the issuance of service tickets for
        principals. This setting sets the KRB5_KDB_DISALLOW_SVR flag.
        +allow_svr clears this flag.

    {-|+}allow_tgs_req
        -allow_tgs_req specifies that a Ticket-Granting Service (TGS)
        request for a service ticket for principals is not permitted.
        This option is useless for most purposes. +allow_tgs_req clears
        this flag. The default is +allow_tgs_req. In effect,
        -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on
        principals in the database.

    {-|+}allow_tix
        -allow_tix forbids the issuance of any tickets for principals.
        +allow_tix clears this flag. The default is +allow_tix. In
        effect, -allow_tix sets the KRB5_KDB_DISALLOW_ALL_TIX flag on
        principals in the database.

    {-|+}needchange
        +needchange sets a flag in the attributes field to force a
        password change; -needchange clears that flag. The default is
        -needchange. In effect, +needchange sets the
        KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.

    {-|+}password_changing_service
        +password_changing_service sets a flag in the attributes field
        marking a principal as a password-change-service principal (a
        designation that is most often not useful).
        -password_changing_service clears the flag. That this flag has
        a long name is intentional. The default is
        -password_changing_service. In effect,
        +password_changing_service sets the KRB5_KDB_PWCHANGE_SERVICE
        flag on principals in the database.

    {-|+}requires_hwauth
        +requires_hwauth requires principals to preauthenticate using a
        hardware device before being allowed to kinit(1). This setting
        sets the KRB5_KDB_REQUIRES_HW_AUTH flag. -requires_hwauth
        clears this flag.

    {-|+}requires_preauth
        +requires_preauth requires principals to preauthenticate before
        being allowed to kinit(1). This setting sets the
        KRB5_KDB_REQUIRES_PRE_AUTH flag. -requires_preauth clears this
        flag.

EXAMPLES
    Example 1 Using create

    The following is an example of the use of the create command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
      create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org": password entered
    Initializing database for realm 'ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: master key entered
    Re-enter KDC database master key to verify: master key re-entered

    Example 2 Using modify

    The following is an example of the use of the modify command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
      modify +requires_preauth -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org": password entered
    Password for "cn=admin,o=org": password entered

    Example 3 Using view

    The following is an example of the use of the view command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
      view -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":
    Realm Name: ATHENA.MIT.EDU
    Subtree: ou=users,o=org
    Subtree: ou=servers,o=org
    SearchScope: ONE
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

    Example 4 Using destroy

    The following is an example of the use of the destroy command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
      destroy -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org": password entered
    Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
    (type 'yes' to confirm)? yes
    OK, deleting database of 'ATHENA.MIT.EDU'...

    Example 5 Using list

    The following is an example of the use of the list command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
    Password for "cn=admin,o=org": password entered
    Re-enter Password for "cn=admin,o=org": password re-entered
    ATHENA.MIT.EDU
    OPENLDAP.MIT.EDU
    MEDIA-LAB.MIT.EDU

    Example 6 Using stashsrvpw

    The following is an example of the use of the stashsrvpw command.

    # kdb5_ldap_util stashsrvpw -f \
      /home/andrew/conf_keyfile cn=service-kdc,o=org
    Password for "cn=service-kdc,o=org": password entered
    Re-enter password for "cn=service-kdc,o=org": password re-entered

    Example 7 Using createpolicy

    The following is an example of the use of the createpolicy command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
      createpolicy -r ATHENA.MIT.EDU \
      -maxtktlife "1 day" -maxrenewlife "1 week" \
      -allow_postdated +needchange -allow_forwardable tktpolicy
    Password for "cn=admin,o=org": password entered

    Example 8 Using modifypolicy

    The following is an example of the use of the modifypolicy command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
      modifypolicy -r ATHENA.MIT.EDU \
      -maxtktlife "60 minutes" -maxrenewlife "10 hours" \
      +allow_postdated -requires_preauth tktpolicy
    Password for "cn=admin,o=org": password entered

    Example 9 Using viewpolicy

    The following is an example of the use of the viewpolicy command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
      viewpolicy -r ATHENA.MIT.EDU tktpolicy
    Password for "cn=admin,o=org": password entered
    Ticket policy: tktpolicy
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

    Example 10 Using destroypolicy

    The following is an example of the use of the destroypolicy command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
      destroypolicy -r ATHENA.MIT.EDU tktpolicy
    Password for "cn=admin,o=org": password entered
    This will delete the policy object 'tktpolicy', are you sure?
    (type 'yes' to confirm)? yes
    ** policy object 'tktpolicy' deleted.

    Example 11 Using listpolicy

    The following is an example of the use of the listpolicy command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
      listpolicy -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org": password entered
    tktpolicy
    tmppolicy
    userpolicy

    Example 12 Using setsrvpw

    The following is an example of the use of the setsrvpw command.

    # kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw \
      -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    Password for "cn=service-kdc,o=org": password entered
    Re-enter password for "cn=service-kdc,o=org": password re-entered

    Example 13 Using createservice

    The following is an example of the use of the createservice command.

    # kdb5_ldap_util -D cn=admin,o=org createservice \
      -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    File does not exist. Creating the file /home/andrew/conf_keyfile...

    Example 14 Using modifyservice

    The following is an example of the use of the modifyservice command.

    # kdb5_ldap_util -D cn=admin,o=org modifyservice \
      -realm ATHENA.MIT.EDU cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    Changing rights for the service object. Please wait ... done

    Example 15 Using viewservice

    The following is an example of the use of the viewservice command.

    # kdb5_ldap_util -D cn=admin,o=org viewservice \
      cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    Service dn: cn=service-kdc,o=org
    Service type: kdc
    Service host list:
    Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security

    Example 16 Using destroyservice

    The following is an example of the use of the destroyservice command.

    # kdb5_ldap_util -D cn=admin,o=org destroyservice \
      cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    This will delete the service object 'cn=service-kdc,o=org', are you sure?
    (type 'yes' to confirm)? yes
    ** service object 'cn=service-kdc,o=org' deleted.

    Example 17 Using listservice

    The following is an example of the use of the listservice command.

    # kdb5_ldap_util -D cn=admin,o=org listservice
    Password for "cn=admin,o=org": password entered
    cn=service-kdc,o=org
    cn=service-adm,o=org
    cn=service-pwd,o=org
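The {-|+} ticket-flag semantics from TICKET FLAGS and the flag names printed by view and viewpolicy (Examples 3 and 9), modelled as an added example that is not code from the man page or from the kdb5_ldap_util project: it predicts the flag set a modify or modifypolicy call will leave behind and checks it against a hardening baseline. The baseline in audit_flags and the sample output are assumptions constructed for illustration.

```python
# Added example, not part of the kdb5_ldap_util man page: models the {-|+}
# ticket-flag options so that the effect of modify/modifypolicy on the flags
# shown by view/viewpolicy can be predicted. The audit baseline is assumed.
# option -> (flag it controls, True if '+' SETS the flag). For allow_* options
# '-' sets a DISALLOW_* flag and '+' clears it; for the rest '+' sets the flag.
TICKET_FLAG_OPTIONS = {
    "allow_dup_skey": ("DISALLOW_DUP_SKEY", False),
    "allow_forwardable": ("DISALLOW_FORWARDABLE", False),
    "allow_postdated": ("DISALLOW_POSTDATED", False),
    "allow_proxiable": ("DISALLOW_PROXIABLE", False),
    "allow_renewable": ("DISALLOW_RENEWABLE", False),
    "allow_svr": ("DISALLOW_SVR", False),
    "allow_tgs_req": ("DISALLOW_TGT_BASED", False),
    "allow_tix": ("DISALLOW_ALL_TIX", False),
    "needchange": ("REQUIRES_PWCHANGE", True),
    "password_changing_service": ("PWCHANGE_SERVICE", True),
    "requires_hwauth": ("REQUIRES_HW_AUTH", True),
    "requires_preauth": ("REQUIRES_PRE_AUTH", True),
}

def parse_ticket_flags(view_output):
    """Flags listed on the 'Ticket flags:' line of view/viewpolicy output."""
    for line in view_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Ticket flags":
            return set(value.split())
    return set()

def apply_ticket_flags(current, options):
    """Flag set after applying options such as '-allow_forwardable +needchange'."""
    flags = set(current)
    for opt in options.split():
        sign, name = opt[:1], opt[1:]
        if sign not in "+-" or name not in TICKET_FLAG_OPTIONS:
            raise ValueError("unknown ticket flag option: " + opt)
        flag, plus_sets = TICKET_FLAG_OPTIONS[name]
        (flags.add if (sign == "+") == plus_sets else flags.discard)(flag)
    return flags

def audit_flags(flags):
    """Findings against an assumed baseline: preauth required, no postdated tickets, no lock-out."""
    findings = []
    if "REQUIRES_PRE_AUTH" not in flags:
        findings.append("preauthentication not required; set +requires_preauth")
    if "DISALLOW_POSTDATED" not in flags:
        findings.append("postdated tickets allowed; set -allow_postdated")
    if "DISALLOW_ALL_TIX" in flags:
        findings.append("DISALLOW_ALL_TIX set: no tickets will be issued at all")
    return findings

# Constructed sample modelled on the viewpolicy output of Example 9.
SAMPLE_VIEWPOLICY = """Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""
```

Running apply_ticket_flags on the parsed sample with the options of Example 8 ("+allow_postdated -requires_preauth") leaves the flag set unchanged, and audit_flags then reports that the policy neither requires preauthentication nor disallows postdated tickets.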

ATTRIBUTES
    See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPE           ATTRIBUTE VALUE
    Availability             SUNWkrbu
    Interface Stability      Volatile

SEE ALSO
    kinit(1), kadmin(1M), kdc.conf(4), attributes(5)

SunOS 5.11                Last change: 28 Aug 2007