KDB5_LDAP_UTIL(8)        Maintenance Commands and Procedures        KDB5_LDAP_UTIL(8)

NAME

kdb5_ldap_util - Kerberos configuration utility

SYNOPSIS

    kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] command [command_options]
DESCRIPTION

The kdb5_ldap_util utility allows an administrator to manage the realms, Kerberos service objects, and ticket policies that the LDAP KDC database back end stores in a directory. The utility has a small set of general options that apply to kdb5_ldap_util itself, described under OPTIONS, and a larger number of options that apply to specific commands. Command-specific options that are shared by several commands are described once, under the common command options below; each command and its remaining options is described in its own subsection.

OPTIONS

The following general options are supported:
-D user_dn
    Specifies the distinguished name (DN) of the directory user that has sufficient rights to perform the operation on the LDAP server. kdb5_ldap_util binds to the server as this user.

-H ldap_uri
    Specifies the URI of the LDAP server, for example ldaps://ldap-server1.mit.edu. The bind password for user_dn travels in the bind request, so use an ldaps:// URI, as the examples below do, unless the connection is protected by other means.

-w passwd
    Specifies the password of user_dn. If -w is omitted, kdb5_ldap_util prompts for the password. Passing it on the command line is not recommended: it is visible to every user of the system in the process listing and may be recorded in the shell history.
The following common command options apply to a number of kdb5_ldap_util commands:

-subtrees subtree_dn_list
    Specifies the list of subtrees that contain the principals of a realm. The list contains the DNs of the subtree objects, separated by a colon (:).

-sscope search_scope
    Specifies the scope used when searching for principals under the subtrees: one (or 1) for a one-level search, sub (or 2) for a subtree search.

-containerref container_reference_dn
    Specifies the DN of the container object in which the principals of a realm are created. If no container reference is configured for a realm, principals are created in the realm container.

-maxtktlife max_ticket_life
    Specifies the maximum ticket life for principals in the realm or ticket policy, in the time formats accepted by kadmin, for example "1 day" or "60 minutes" as in the examples below.

-maxrenewlife max_renewable_ticket_life
    Specifies the maximum renewable life of tickets for principals in the realm or ticket policy, in the same formats.

-r realm
    Specifies the Kerberos realm of the database. If omitted, the default realm is used.
COMMANDS

The kdb5_ldap_util utility comprises a set of commands, each with its own set of options. These commands are described in the following subsections.
The create command creates a realm in the directory. The command has the following syntax:

    create [-subtrees subtree_dn_list] [-sscope search_scope]
        [-containerref container_reference_dn] [-k mkeytype]
        [-m | -P password | -sf stashfilename] [-s] [-r realm]
        [-maxtktlife max_ticket_life] [-kdcdn kdc_service_list]
        [-admindn admin_service_list] [-maxrenewlife max_renewable_ticket_life]
        [ticket_flags]

The create command has the following options:

-subtrees subtree_dn_list
-sscope search_scope
-containerref container_reference_dn
-maxtktlife max_ticket_life
-maxrenewlife max_renewable_ticket_life
-r realm
    As described under the common command options, above.

-k mkeytype
    Specifies the key type of the master key of the database. The default is the value of master_key_type in kdc.conf.

-m
    Specifies that the master database password is to be read from the terminal rather than fetched from a file on disk.

-P password
    Specifies the master database password. This option is not recommended, because the password is visible in the process listing; use -m instead.

-sf stashfilename
    Specifies the stash file in which the master database password is kept.

-s
    Specifies that a stash file is to be created. Protect it as you would the master key itself: together with read access to the principal entries in the directory, it allows every key in the realm to be decrypted.

ticket_flags
    Specifies the global ticket flags for the realm; see the ticket flags described below.
The modify command modifies the attributes of a realm. The command has the following syntax:

    modify [-subtrees subtree_dn_list] [-sscope search_scope]
        [-containerref container_reference_dn] [-r realm]
        [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
        [ticket_flags]

The modify command has the following options:

-subtrees subtree_dn_list
-sscope search_scope
-containerref container_reference_dn
-maxtktlife max_ticket_life
-maxrenewlife max_renewable_ticket_life
-r realm
    As described under the common command options, above.

ticket_flags
    Ticket flags to set or clear for the realm; flags that are not mentioned keep their current value. See the ticket flags described below.
The view command displays the attributes of a realm. The command has the following syntax:

    view [-r realm]

The view command has the following option:

-r realm
    As described under the common command options, above.
The destroy command destroys a realm, including the master key stash file. The command has the following syntax:

    destroy [-f] [-r realm]

The destroy command has the following options:

-f
    Deletes the realm without prompting for confirmation.

-r realm
    As described under the common command options, above.
The list command displays the names of the realms in the directory. The command has the following syntax:

    list

The list command has no options.
The stashsrvpw command stores the password of a service object in a file so that the KDC and the administration server can use it to authenticate to the LDAP server. Because the server must be able to recover the password from this file, the file must be readable only by the user the KDC and administration server run as. The command has the following syntax:

    stashsrvpw [-f filename] servicedn

The stashsrvpw command has the following option and argument:

-f filename
    Specifies the complete path of the service password file. The default is /var/krb5/service_passwd.

servicedn
    Specifies the DN of the service object whose password is to be stored in the file.
The create_policy command creates a ticket policy in the directory. The command has the following syntax:

    create_policy [-r realm] [-maxtktlife max_ticket_life]
        [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name

The create_policy command has the following options and argument:

-r realm
-maxtktlife max_ticket_life
-maxrenewlife max_renewable_ticket_life
    As described under the common command options, above.

ticket_flags
    Specifies the ticket flags of the policy; see the ticket flags described below.

policy_name
    Specifies the name of the ticket policy.
The modify_policy command modifies the attributes of a ticket policy. The command has the following syntax:
    modify_policy [-r realm] [-maxtktlife max_ticket_life]
        [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
The modify_policy command has the same options and argument as those for the create_policy command.
The view_policy command displays the attributes of a ticket policy. The command has the following syntax:

    view_policy [-r realm] policy_name

The view_policy command has the following option and argument:

-r realm
    As described under the common command options, above.

policy_name
    Specifies the name of the ticket policy to display.
The destroy_policy command destroys an existing ticket policy. The command has the following syntax:

    destroy_policy [-r realm] [-force] policy_name

The destroy_policy command has the following options and argument:

-r realm
    As described under the common command options, above.

-force
    Deletes the policy object without prompting for confirmation.

policy_name
    Specifies the name of the ticket policy to delete.
The list_policy command lists the ticket policies in the default or a specified realm. The command has the following syntax:

    list_policy [-r realm]

The list_policy command has the following option:

-r realm
    As described under the common command options, above.
A number of kdb5_ldap_util commands accept ticket_flags. Each flag is given with a leading - or +. The names in parentheses are the attribute names that view and view_policy print on their "Ticket flags" line. Flags set on a realm or ticket policy apply to the principals that do not override them. The flags are as follows:

{-|+}allow_dup_skey
    -allow_dup_skey disables user-to-user authentication by prohibiting the principal from obtaining a session key for another user (DISALLOW_DUP_SKEY); +allow_dup_skey permits it.

{-|+}allow_forwardable
    -allow_forwardable prohibits forwardable tickets (DISALLOW_FORWARDABLE); +allow_forwardable permits them.

{-|+}allow_postdated
    -allow_postdated prohibits postdated tickets (DISALLOW_POSTDATED); +allow_postdated permits them.

{-|+}allow_proxiable
    -allow_proxiable prohibits proxiable tickets (DISALLOW_PROXIABLE); +allow_proxiable permits them.

{-|+}allow_renewable
    -allow_renewable prohibits renewable tickets (DISALLOW_RENEWABLE); +allow_renewable permits them.

{-|+}allow_svr
    -allow_svr prohibits the issuance of service tickets for the principal (DISALLOW_SVR); +allow_svr permits them.

{-|+}allow_tgs_req
    -allow_tgs_req prohibits obtaining tickets for the principal through a TGS request, that is, on the strength of a ticket-granting ticket (DISALLOW_TGT_BASED); +allow_tgs_req permits it.

{-|+}allow_tix
    -allow_tix prohibits the issuance of any tickets for the principal, which effectively disables it (DISALLOW_ALL_TIX); +allow_tix permits tickets.

{-|+}needchange
    +needchange forces a password change at the next initial authentication (REQUIRES_PWCHANGE); -needchange clears the requirement.

{-|+}password_changing_service
    +password_changing_service marks the principal as a password-changing service (PWCHANGE_SERVICE); -password_changing_service clears the mark.

{-|+}requires_hwauth
    +requires_hwauth requires hardware authentication of the principal (REQUIRES_HW_AUTH); -requires_hwauth does not.

{-|+}requires_preauth
    +requires_preauth requires preauthentication before the KDC issues an initial ticket (REQUIRES_PRE_AUTH); -requires_preauth does not. Without it the KDC answers an AS-REQ for the principal with a reply encrypted in the principal's long-term key, which anyone can request and then guess offline; setting +requires_preauth realm-wide, as in Example 2, is the safe choice.
EXAMPLES

Example 1 Using create

The following is an example of the use of the create command.

    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
          create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org": password entered
    Initializing database for realm 'ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: master key entered
    Re-enter KDC database master key to verify: master key re-entered
Example 2 Using modify
The following is an example of the use of the modify command.
    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
          modify +requires_preauth -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org": password entered
Example 3 Using view
The following is an example of the use of the view command.
    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
          view -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org":
    Realm Name: ATHENA.MIT.EDU
    Subtree: ou=users,o=org
    Subtree: ou=servers,o=org
    SearchScope: ONE
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
Example 4 Using destroy
The following is an example of the use of the destroy command.
    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
          destroy -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org": password entered
    Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
    (type 'yes' to confirm)? yes
    OK, deleting database of 'ATHENA.MIT.EDU'...
Example 5 Using list
The following is an example of the use of the list command.
    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
    Password for "cn=admin,o=org": password entered
    Re-enter Password for "cn=admin,o=org": password re-entered
    ATHENA.MIT.EDU
    OPENLDAP.MIT.EDU
    MEDIA-LAB.MIT.EDU
Example 6 Using stashsrvpw
The following is an example of the use of the stashsrvpw command.
    # kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
    Password for "cn=service-kdc,o=org": password entered
    Re-enter password for "cn=service-kdc,o=org": password re-entered
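The file written by stashsrvpw holds the service object's LDAP bind password in a form the KDC can recover, so its permissions matter as much as the stash file's. The following is an added example, not part of the man page or of kdb5_ldap_util: a small Python check to run before pointing a KDC or administration server at such a file. The expected uid, the temporary path used by demo(), and the placeholder content written into it are assumptions of this example.

```python
"""Added example: check a stashsrvpw service password file before use."""
import os
import stat
import tempfile


def service_passwd_file_ok(path, expected_uid=None):
    """Return (ok, reasons) for the file at path.

    The file must be a plain file with no group/other permission bits; when
    expected_uid is given (assumed here to be the uid the KDC runs as), it
    must also be owned by that uid. kdb5_ldap_util itself performs no such
    check; this is an operator-side precaution.
    """
    reasons = []
    try:
        st = os.lstat(path)          # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return False, [f"{path} does not exist"]
    if stat.S_ISLNK(st.st_mode):
        reasons.append("is a symbolic link, which could be redirected")
    elif not stat.S_ISREG(st.st_mode):
        reasons.append("is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        reasons.append(f"mode {oct(stat.S_IMODE(st.st_mode))} grants "
                       "group/other access")
    if expected_uid is not None and st.st_uid != expected_uid:
        reasons.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    return not reasons, reasons


def demo(mode):
    """Create a throwaway file with the given mode and check it.

    The path is a temporary file, not /var/krb5/service_passwd, and the
    content is a constructed placeholder, not the real file format.
    """
    fd, path = tempfile.mkstemp(prefix="service_passwd.")
    try:
        os.write(fd, b"placeholder service password record\n")
        os.close(fd)
        os.chmod(path, mode)
        return service_passwd_file_ok(path, expected_uid=os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        ok, reasons = demo(mode)
        print(oct(mode), "ok" if ok else "; ".join(reasons))
```

Run it as the user the KDC runs as, or pass that user's uid explicitly; a file created by root with mode 0600 is useless to an unprivileged KDC and a file readable by the group is readable by every account in it.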
Example 7 Using create_policy
The following is an example of the use of the create_policy command.
    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
          create_policy -r ATHENA.MIT.EDU \
          -maxtktlife "1 day" -maxrenewlife "1 week" \
          -allow_postdated +needchange -allow_forwardable tktpolicy
    Password for "cn=admin,o=org": password entered
Example 8 Using modify_policy
The following is an example of the use of the modify_policy command.
    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
          modify_policy -r ATHENA.MIT.EDU \
          -maxtktlife "60 minutes" -maxrenewlife "10 hours" \
          +allow_postdated -requires_preauth tktpolicy
    Password for "cn=admin,o=org": password entered
Example 9 Using view_policy
The following is an example of the use of the view_policy command.
    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
          view_policy -r ATHENA.MIT.EDU tktpolicy
    Password for "cn=admin,o=org": password entered
    Ticket policy: tktpolicy
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
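Examples 7 through 9 show how the {-|+}ticket_flags arguments map onto the attribute names that view and view_policy print: -allow_postdated, +needchange and -allow_forwardable in Example 7 set DISALLOW_POSTDATED, REQUIRES_PWCHANGE and DISALLOW_FORWARDABLE, and +allow_postdated in Example 8 clears DISALLOW_POSTDATED again, leaving the two flags shown in Example 9. The following is an added example, not part of the man page or of kdb5_ldap_util, in Python: it models that mapping for all twelve flags, parses the output format of view and view_policy (Example 3 is embedded as constructed sample input), and reports the settings a reviewer would question. The lifetime ceilings in audit() are illustrative thresholds chosen for this example, not values the man page prescribes.

```python
"""Added example: model ticket_flags and audit view/view_policy output."""
import re
from datetime import timedelta

# CLI flag name -> (name printed under "Ticket flags", sign that SETS it).
# The allow_* flags set a DISALLOW_* attribute with "-"; the others set
# their attribute with "+". The printed names are the MIT krb5 KDB names.
FLAG_NAMES = {
    "allow_dup_skey": ("DISALLOW_DUP_SKEY", "-"),
    "allow_forwardable": ("DISALLOW_FORWARDABLE", "-"),
    "allow_postdated": ("DISALLOW_POSTDATED", "-"),
    "allow_proxiable": ("DISALLOW_PROXIABLE", "-"),
    "allow_renewable": ("DISALLOW_RENEWABLE", "-"),
    "allow_svr": ("DISALLOW_SVR", "-"),
    "allow_tgs_req": ("DISALLOW_TGT_BASED", "-"),
    "allow_tix": ("DISALLOW_ALL_TIX", "-"),
    "needchange": ("REQUIRES_PWCHANGE", "+"),
    "password_changing_service": ("PWCHANGE_SERVICE", "+"),
    "requires_hwauth": ("REQUIRES_HW_AUTH", "+"),
    "requires_preauth": ("REQUIRES_PRE_AUTH", "+"),
}


def apply_ticket_flags(args, current=frozenset()):
    """Apply {-|+}flag arguments in order to a set of printed flag names."""
    flags = set(current)
    for arg in args:
        sign, name = arg[:1], arg[1:]
        if sign not in ("-", "+") or name not in FLAG_NAMES:
            raise ValueError(f"not a ticket flag: {arg!r}")
        printed, setting_sign = FLAG_NAMES[name]
        if sign == setting_sign:
            flags.add(printed)
        else:
            flags.discard(printed)
    return frozenset(flags)


_LIFE = re.compile(r"(\d+) days (\d+):(\d+):(\d+)")


def parse_lifetime(text):
    """Parse the 'N days HH:MM:SS' form printed by view and view_policy."""
    m = _LIFE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised lifetime: {text!r}")
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_view(output):
    """Turn the output of view or view_policy into a dict."""
    info = {"subtrees": [], "flags": frozenset()}
    for line in output.splitlines():
        key, sep, value = line.partition(":")   # password prompt has no value
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Realm Name":
            info["realm"] = value
        elif key == "Ticket policy":
            info["policy"] = value
        elif key == "Subtree":
            info["subtrees"].append(value)
        elif key == "SearchScope":
            info["scope"] = value
        elif key == "Maximum ticket life":
            info["max_ticket_life"] = parse_lifetime(value)
        elif key == "Maximum renewable life":
            info["max_renewable_life"] = parse_lifetime(value)
        elif key == "Ticket flags":
            info["flags"] = frozenset(value.split())
    return info


def audit(info, max_ticket=timedelta(hours=10), max_renew=timedelta(days=7)):
    """Report settings worth questioning; the ceilings are example values."""
    findings = []
    if "REQUIRES_PRE_AUTH" not in info["flags"]:
        findings.append("REQUIRES_PRE_AUTH not set: the KDC answers AS-REQs "
                        "without preauthentication, so replies encrypted in a "
                        "principal's key can be collected and guessed offline")
    if info.get("max_ticket_life", timedelta(0)) > max_ticket:
        findings.append(f"max ticket life {info['max_ticket_life']} > {max_ticket}")
    if info.get("max_renewable_life", timedelta(0)) > max_renew:
        findings.append(f"max renewable life {info['max_renewable_life']} > {max_renew}")
    return findings


# Constructed sample input: the `view -r ATHENA.MIT.EDU` output of Example 3.
SAMPLE_VIEW = """\
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""

if __name__ == "__main__":
    realm = parse_view(SAMPLE_VIEW)
    print(realm["realm"], sorted(realm["flags"]))
    for finding in audit(realm):
        print("finding:", finding)
```

Feeding the real output of view or view_policy into parse_view() and audit() gives a quick post-change check; on the Example 3 realm it reports only that REQUIRES_PRE_AUTH is missing, which Example 2 fixes with modify +requires_preauth.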
Example 10 Using destroy_policy
The following is an example of the use of the destroy_policy command.
    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
          destroy_policy -r ATHENA.MIT.EDU tktpolicy
    Password for "cn=admin,o=org": password entered
    This will delete the policy object 'tktpolicy', are you sure?
    (type 'yes' to confirm)? yes
    ** policy object 'tktpolicy' deleted.
Example 11 Using list_policy
The following is an example of the use of the list_policy command.
    # kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
          list_policy -r ATHENA.MIT.EDU
    Password for "cn=admin,o=org": password entered
    tktpolicy
    tmppolicy
    userpolicy
Example 12 Using setsrvpw
The following is an example of the use of the setsrvpw command.
    # kdb5_ldap_util -D cn=admin,o=org setsrvpw \
          -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    Password for "cn=service-kdc,o=org": password entered
    Re-enter password for "cn=service-kdc,o=org": password re-entered
Example 13 Using create_service
The following is an example of the use of the create_service command.
    # kdb5_ldap_util -D cn=admin,o=org create_service \
          -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    File does not exist. Creating the file /home/andrew/conf_keyfile...
Example 14 Using modify_service
The following is an example of the use of the modify_service command.
    # kdb5_ldap_util -D cn=admin,o=org modify_service \
          -realm ATHENA.MIT.EDU cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    Changing rights for the service object. Please wait ... done
Example 15 Using view_service
The following is an example of the use of the view_service command.
    # kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    Service dn: cn=service-kdc,o=org
    Service type: kdc
    Service host list:
    Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
Example 16 Using destroy_service
The following is an example of the use of the destroy_service command.
    # kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org
    Password for "cn=admin,o=org": password entered
    This will delete the service object 'cn=service-kdc,o=org', are you sure?
    (type 'yes' to confirm)? yes
    ** service object 'cn=service-kdc,o=org' deleted.
Example 17 Using list_service
The following is an example of the use of the list_service command.
    # kdb5_ldap_util -D cn=admin,o=org list_service
    Password for "cn=admin,o=org": password entered
    cn=service-kdc,o=org
    cn=service-adm,o=org
    cn=service-pwd,o=org
ATTRIBUTES

See attributes(7) for descriptions of the following attributes:

    ATTRIBUTE TYPE          ATTRIBUTE VALUE
    Interface Stability     Volatile

June 20, 2021                                                              OmniOS