kdb5_ldap_util man page on Scientific


KDB5_LDAP_UTIL(8)					     KDB5_LDAP_UTIL(8)

NAME
       kdb5_ldap_util - Kerberos Configuration Utility

SYNOPSIS
       kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command [command_options]

DESCRIPTION
       kdb5_ldap_util allows an administrator to manage realms, Kerberos services
       and ticket policies stored in the LDAP directory that serves as the KDC
       database back end.

COMMAND-LINE OPTIONS
       -D user_dn
	      Specifies the Distinguished name (DN) of the user who has suffi‐
	      cient rights to perform the operation on the LDAP server.

       -w passwd
	      Specifies the password of user_dn.  This option is not recommended:
	      a password given on the command line is visible to other users in
	      the process list and is likely to be recorded in the shell history.
	      If it is omitted, kdb5_ldap_util prompts for the password.

       -H ldapuri
	      Specifies the URI of the LDAP server.

COMMANDS
       create [-subtrees subtree_dn_list] [-sscope search_scope]
       [-containerref container_reference_dn] [-k mkeytype] [-kv mkeyVNO]
       [-m|-P password|-sf stashfilename] [-s] [-r realm]
       [-kdcdn kdc_service_list] [-admindn admin_service_list]
       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]
	      Creates a realm in the directory. Options:

	      -subtrees subtree_dn_list
		     Specifies	the list of subtrees containing the principals
		     of a realm. The list contains  the	 DNs  of  the  subtree
		     objects separated by colon(:).

	      -sscope search_scope
		     Specifies	the  scope  for searching the principals under
		     the subtree.  The possible	 values	 are  1	 or  one  (one
		     level), 2 or sub (subtrees).

	      -containerref container_reference_dn
		     Specifies	the  DN	 of  the container object in which the
		     principals of a realm will be created.  If the  container
		     reference	is  not configured for a realm, the principals
		     will be created in the realm container.

	      -k mkeytype
		     Specifies the key type of the master key in the database;
		     the default is that given in kdc.conf.

	      -kv mkeyVNO
		     Specifies	the  version  number  of the master key in the
		     database; the default is 1. Note that 0 is not allowed.

	      -m     Specifies that the master	database  password  should  be
		     read  from the TTY rather than fetched from a file on the
		     disk.

	      -P password
		     Specifies the master database password.  This option is not
		     recommended for the same reason as -w: the password is
		     exposed on the command line.  Prefer -m (prompt on the TTY)
		     or -sf (read from a stash file).

	      -sf stashfilename
		     Specifies the stash file of the master database password.

	      -s     Specifies that the stash file is to be created.

	      -maxtktlife max_ticket_life
		     Specifies	maximum	 ticket	 life  for  principals in this
		     realm.

	      -maxrenewlife max_renewable_ticket_life
		     Specifies maximum renewable life of tickets  for  princi‐
		     pals in this realm.

	      ticket_flags
		     Specifies the ticket flags. If no flags are given, none of
		     them is set, so no restriction is placed on the realm's
		     principals; in particular, preauthentication is not
		     required unless +requires_preauth is given explicitly.

		     The various flags are:

	      {-|+}allow_postdated
		     -allow_postdated  prohibits  principals  from   obtaining
		     postdated tickets.	 (Sets the KRB5_KDB_DISALLOW_POSTDATED
		     flag.)  +allow_postdated clears this flag.

	      {-|+}allow_forwardable
		     -allow_forwardable prohibits  principals  from  obtaining
		     forwardable  tickets.   (Sets  the KRB5_KDB_DISALLOW_FOR‐
		     WARDABLE flag.)  +allow_forwardable clears this flag.

	      {-|+}allow_renewable
		     -allow_renewable  prohibits  principals  from   obtaining
		     renewable	tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
		     flag.)  +allow_renewable clears this flag.

	      {-|+}allow_proxiable
		     -allow_proxiable  prohibits  principals  from   obtaining
		     proxiable tickets.	 (Sets the KRB5_KDB_DISALLOW_PROXIABLE
		     flag.)  +allow_proxiable clears this flag.

	      {-|+}allow_dup_skey
		     -allow_dup_skey Disables user-to-user authentication  for
		     principals	 by  prohibiting  principals  from obtaining a
		     session key for another user. (Sets  the  KRB5_KDB_DISAL‐
		     LOW_DUP_SKEY flag.)  +allow_dup_skey clears this flag.

	      {-|+}requires_preauth
		     +requires_preauth	requires principals to preauthenticate
		     before   being   allowed	 to    kinit.	  (Sets	   the
		     KRB5_KDB_REQUIRES_PRE_AUTH	   flag.)    -requires_preauth
		     clears this flag.

	      {-|+}requires_hwauth
		     +requires_hwauth requires principals  to  preauthenticate
		     using  a  hardware	 device before being allowed to kinit.
		     (Sets	the	 KRB5_KDB_REQUIRES_HW_AUTH	flag.)
		     -requires_hwauth clears this flag.

	      {-|+}allow_svr
		     -allow_svr	 prohibits the issuance of service tickets for
		     principals.   (Sets  the	KRB5_KDB_DISALLOW_SVR	flag.)
		     +allow_svr clears this flag.

	      {-|+}allow_tgs_req
		     -allow_tgs_req  specifies	that a Ticket-Granting Service
		     (TGS) request for a service ticket for principals is  not
		     permitted.	  This	option	is  useless  for  most things.
		     +allow_tgs_req  clears  this  flag.    The	  default   is
		     +allow_tgs_req.	In  effect,  -allow_tgs_req  sets  the
		     KRB5_KDB_DISALLOW_TGT_BASED flag  on  principals  in  the
		     database.

	      {-|+}allow_tix
		     -allow_tix	 forbids the issuance of any tickets for prin‐
		     cipals.  +allow_tix clears this  flag.   The  default  is
		     +allow_tix.  In effect, -allow_tix sets the KRB5_KDB_DIS‐
		     ALLOW_ALL_TIX flag on principals in the database.

	      {-|+}needchange
		     +needchange sets a flag in attributes field  to  force  a
		     password  change;	-needchange  clears it. The default is
		     -needchange.    In	  effect,   +needchange	   sets	   the
		     KRB5_KDB_REQUIRES_PWCHANGE	 flag  on  principals  in  the
		     database.

	      {-|+}password_changing_service
		     +password_changing_service sets a flag in the  attributes
		     field  marking  principal	as  a  password change service
		     principal (useless for  most  things).   -password_chang‐
		     ing_service  clears the flag. This flag intentionally has
		     a long name. The default  is  -password_changing_service.
		     In	   effect,    +password_changing_service    sets   the
		     KRB5_KDB_PWCHANGE_SERVICE flag on principals in the data‐
		     base.

	      -r realm
		     Specifies	the Kerberos realm of the database; by default
		     the  realm	 returned  by  krb5_default_local_realm(3)  is
		     used.

	      Command Options Specific to eDirectory

	      -kdcdn kdc_service_list
		     Specifies	the  list  of  KDC service objects serving the
		     realm. The list contains  the  DNs	 of  the  KDC  service
		     objects separated by colon(:).

	      -admindn admin_service_list
		     Specifies	the  list  of  Administration  service objects
		     serving the realm. The  list  contains  the  DNs  of  the
		     Administration service objects separated by colon(:).

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
		     Password for "cn=admin,o=org":
		     Initializing database for realm 'ATHENA.MIT.EDU'
		     You will be prompted for the database Master Password.
		     It is important that you NOT FORGET this password.
		     Enter KDC database master key:
		     Re-enter KDC database master key to verify:

       modify [-subtrees subtree_dn_list] [-sscope search_scope]
       [-containerref container_reference_dn] [-r realm]
       [-kdcdn kdc_service_list | [-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]
       [-admindn admin_service_list | [-clearadmindn admin_service_list] [-addadmindn admin_service_list]]
       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]

	      Modifies the attributes of a realm. Options:

	      -subtrees subtree_dn_list
		     Specifies the list of subtrees containing the  principals
		     of	 a  realm.   The  list contains the DNs of the subtree
		     objects separated by colon(:).  This  list	 replaces  the
		     existing list.

	      -sscope search_scope
		     Specifies	the  scope  for searching the principals under
		     the subtrees.  The possible values	 are  1	 or  one  (one
		     level), 2 or sub (subtrees).

	      -containerref container_reference_dn
		     Specifies	the  DN	 of  the container object in which the
		     principals of a realm will be created.

	      -maxtktlife max_ticket_life
		     Specifies maximum ticket  life  for  principals  in  this
		     realm.

	      -maxrenewlife max_renewable_ticket_life
		     Specifies	maximum	 renewable life of tickets for princi‐
		     pals in this realm.

	      ticket_flags
		     Specifies the ticket flags. If no flags are given, none of
		     them is set, so no restriction is placed on the realm's
		     principals; in particular, preauthentication is not
		     required unless +requires_preauth is given explicitly.

		     The various flags are:

	      {-|+}allow_postdated
		     -allow_postdated	prohibits  principals  from  obtaining
		     postdated tickets.	 (Sets the KRB5_KDB_DISALLOW_POSTDATED
		     flag.)  +allow_postdated clears this flag.

	      {-|+}allow_forwardable
		     -allow_forwardable	 prohibits  principals	from obtaining
		     forwardable tickets.   (Sets  the	KRB5_KDB_DISALLOW_FOR‐
		     WARDABLE flag.)  +allow_forwardable clears this flag.

	      {-|+}allow_renewable
		     -allow_renewable	prohibits  principals  from  obtaining
		     renewable tickets. (Sets the  KRB5_KDB_DISALLOW_RENEWABLE
		     flag.)  +allow_renewable clears this flag.

	      {-|+}allow_proxiable
		     -allow_proxiable	prohibits  principals  from  obtaining
		     proxiable tickets.	 (Sets the KRB5_KDB_DISALLOW_PROXIABLE
		     flag.)  +allow_proxiable clears this flag.

	      {-|+}allow_dup_skey
		     -allow_dup_skey  Disables user-to-user authentication for
		     principals by prohibiting	principals  from  obtaining  a
		     session  key  for another user. (Sets the KRB5_KDB_DISAL‐
		     LOW_DUP_SKEY flag.)  +allow_dup_skey clears this flag.

	      {-|+}requires_preauth
		     +requires_preauth requires principals to  preauthenticate
		     before    being	allowed	   to	 kinit.	   (Sets   the
		     KRB5_KDB_REQUIRES_PRE_AUTH	  flag.)     -requires_preauth
		     clears this flag.

	      {-|+}requires_hwauth
		     +requires_hwauth  requires	 principals to preauthenticate
		     using a hardware device before being  allowed  to	kinit.
		     (Sets	the	 KRB5_KDB_REQUIRES_HW_AUTH	flag.)
		     -requires_hwauth clears this flag.

	      {-|+}allow_svr
		     -allow_svr prohibits the issuance of service tickets  for
		     principals.    (Sets   the	 KRB5_KDB_DISALLOW_SVR	flag.)
		     +allow_svr clears this flag.

	      {-|+}allow_tgs_req
		     -allow_tgs_req specifies that a  Ticket-Granting  Service
		     (TGS)  request for a service ticket for principals is not
		     permitted.	 This  option  is  useless  for	 most  things.
		     +allow_tgs_req   clears   this   flag.   The  default  is
		     +allow_tgs_req.   In  effect,  -allow_tgs_req  sets   the
		     KRB5_KDB_DISALLOW_TGT_BASED  flag	on  principals	in the
		     database.

	      {-|+}allow_tix
		     -allow_tix forbids the issuance of any tickets for	 prin‐
		     cipals.   +allow_tix  clears  this	 flag.	The default is
		     +allow_tix.  In effect, -allow_tix sets the KRB5_KDB_DIS‐
		     ALLOW_ALL_TIX flag on principals in the database.

	      {-|+}needchange
		     +needchange  sets	a  flag in attributes field to force a
		     password change; -needchange clears it.  The  default  is
		     -needchange.     In    effect,   +needchange   sets   the
		     KRB5_KDB_REQUIRES_PWCHANGE	 flag  on  principals  in  the
		     database.

	      {-|+}password_changing_service
		     +password_changing_service	 sets a flag in the attributes
		     field marking principal  as  a  password  change  service
		     principal	(useless  for  most things).  -password_chang‐
		     ing_service clears the flag. This flag intentionally  has
		     a	long  name. The default is -password_changing_service.
		     In	  effect,    +password_changing_service	   sets	   the
		     KRB5_KDB_PWCHANGE_SERVICE flag on principals in the data‐
		     base.

	      -r realm
		     Specifies the Kerberos realm of the database; by  default
		     the  realm	 returned  by  krb5_default_local_realm(3)  is
		     used.

	      Command Options Specific to eDirectory

	      -kdcdn kdc_service_list
		     Specifies the list of KDC	service	 objects  serving  the
		     realm.  The  list	contains  the  DNs  of the KDC service
		     objects separated by a colon (:). This list replaces  the
		     existing list.

	      -clearkdcdn kdc_service_list
		     Specifies the list of KDC service objects that need to be
		     removed from the existing list. The list contains the DNs
		     of the KDC service objects separated by a colon (:).

	      -addkdcdn kdc_service_list
		     Specifies the list of KDC service objects that need to be
		     added to the existing list. The list contains the DNs  of
		     the KDC service objects separated by a colon (:).

	      -admindn admin_service_list
		     Specifies	the  list  of  Administration  service objects
		     serving the realm. The  list  contains  the  DNs  of  the
		     Administration  service objects separated by a colon (:).
		     This list replaces the existing list.

	      -clearadmindn admin_service_list
		     Specifies the list of Administration service objects that
		     need  to be removed from the existing list. The list con‐
		     tains the DNs of the Administration service objects sepa‐
		     rated by a colon (:).

	      -addadmindn admin_service_list
		     Specifies the list of Administration service objects that
		     need to be added to the existing list. The list  contains
		     the  DNs  of the Administration service objects separated
		     by a colon (:).

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth -r ATHENA.MIT.EDU
		     Password for "cn=admin,o=org":

       view [-r realm]
	      Displays the attributes of a realm.  Options:

	      -r realm
		     Specifies the Kerberos realm of the database; by  default
		     the  realm	 returned  by  krb5_default_local_realm(3)  is
		     used.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU
		     Password for "cn=admin,o=org":
				    Realm Name: ATHENA.MIT.EDU
				       Subtree: ou=users,o=org
				       Subtree: ou=servers,o=org
				   SearchScope: ONE
			   Maximum ticket life: 0 days 01:00:00
			Maximum renewable life: 0 days 10:00:00
				  Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
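	      A check a practitioner would run over the output of view, added here
	      as an example and not part of kdb5_ldap_util: it parses the
	      "Label: value" lines, converts the "D days HH:MM:SS" durations to
	      seconds, and reports a realm that does not require
	      preauthentication or whose maximum ticket life exceeds a baseline.
	      The first sample is the view output shown above; the hardened
	      variant and the 10-hour baseline are constructed. It assumes view
	      prints flag names as in that output, i.e. the KRB5_KDB_* constants
	      without the prefix, so that +requires_preauth shows up as
	      REQUIRES_PRE_AUTH.

```sh
#!/bin/sh
# Added example (not part of kdb5_ldap_util): audit `kdb5_ldap_util view`
# output against a hardening baseline.  SAMPLE_VIEW is the output shown on
# this page; HARDENED_VIEW is constructed.  Assumption: view prints flag
# names as the KRB5_KDB_* constants without their prefix.

SAMPLE_VIEW='            Realm Name: ATHENA.MIT.EDU
               Subtree: ou=users,o=org
               Subtree: ou=servers,o=org
           SearchScope: ONE
   Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
          Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE'

HARDENED_VIEW='            Realm Name: ATHENA.MIT.EDU
               Subtree: ou=users,o=org
           SearchScope: SUB
   Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
          Ticket flags: DISALLOW_POSTDATED REQUIRES_PRE_AUTH'

# Print the value of the "Label: value" line named by $2 in view output $1.
view_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Convert the "D days HH:MM:SS" form printed by view into seconds.
duration_to_seconds() {
    printf '%s\n' "$1" |
        awk '{ split($3, t, ":"); print $1 * 86400 + t[1] * 3600 + t[2] * 60 + t[3] }'
}

# Return 0 if flag $2 appears on the Ticket flags line of view output $1.
view_has_flag() {
    for f in $(view_field "$1" "Ticket flags"); do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# Audit one realm: preauthentication must be required (without it anyone can
# obtain an AS-REP for any principal and crack the password offline), and the
# maximum ticket life must not exceed $2 seconds.  Prints one finding per
# line and returns 1 if any finding was raised.
audit_realm_view() {
    rc=0
    if ! view_has_flag "$1" REQUIRES_PRE_AUTH; then
        echo "finding: REQUIRES_PRE_AUTH not set; fix with: modify +requires_preauth -r $(view_field "$1" "Realm Name")"
        rc=1
    fi
    life=$(duration_to_seconds "$(view_field "$1" "Maximum ticket life")")
    if [ "$life" -gt "$2" ]; then
        echo "finding: maximum ticket life ${life}s exceeds baseline ${2}s"
        rc=1
    fi
    return $rc
}

# Demonstration: the page's own sample raises a finding, the hardened realm
# is clean.
audit_realm_view "$SAMPLE_VIEW" 36000 || echo "sample realm: see findings above"
audit_realm_view "$HARDENED_VIEW" 36000 && echo "hardened realm: no findings"
```

	      Feed it the real output with
	      audit_realm_view "$(kdb5_ldap_util -D ... -H ... view -r REALM)" 36000
	      after the bind password prompt; the baseline is whatever the
	      realm's ticket lifetime policy allows.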

       destroy [-f] [-r realm]
	      Destroys an existing realm. Options:

	      -f     If specified, will not prompt the user for confirmation.

	      -r realm
		     Specifies	the Kerberos realm of the database; by default
		     the  realm	 returned  by  krb5_default_local_realm(3)  is
		     used.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
		     Password for "cn=admin,o=org":
		     Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
		     (type 'yes' to confirm)? yes
		     OK, deleting database of 'ATHENA.MIT.EDU'...

       list
	      Lists the names of the realms in the directory.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
		     Password for "cn=admin,o=org":
		     ATHENA.MIT.EDU
		     OPENLDAP.MIT.EDU
		     MEDIA-LAB.MIT.EDU

       stashsrvpw [-f filename] servicedn
	      Allows an administrator to store the password for a service object
	      in a file so that the KDC and the Administration server can use it
	      to authenticate to the LDAP server.  The file is a credential:
	      keep it readable only by the account that runs those servers.
	      Options:

	      -f filename
		     Specifies the complete path of the service password file.
		     By default, /usr/local/var/service_passwd is used.

	      servicedn
		     Specifies	Distinguished  name (DN) of the service object
		     whose password is to be stored in file.

	      EXAMPLE:
		     kdb5_ldap_util  stashsrvpw	 -f  /home/andrew/conf_keyfile
		     cn=service-kdc,o=org
		     Password for "cn=service-kdc,o=org":
		     Re-enter password for "cn=service-kdc,o=org":
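	      Both -w and -P are discouraged above because the secret lands on
	      the command line, and the master key stash file (-sf) and the
	      service password file (stashsrvpw -f) hold credentials that the
	      KDC reads back.  The following wrapper, added here as an example
	      and not part of kdb5_ldap_util, refuses an argument list that
	      contains -w or -P and checks that any existing file named after
	      -sf or -f is a regular file, mode 0600 or stricter, owned by the
	      caller, before printing the invocation it would run.  The DNs, URI
	      and stash path in the demonstration are constructed; replace the
	      final echo with exec to run the tool for real.

```sh
#!/bin/sh
# Added example (not part of kdb5_ldap_util or the krb5 distribution):
# refuse inline secrets and check credential files before invoking the tool.
# The DNs, URI and the temporary stash file below are constructed.

# Return 1 if any argument is -w or -P; both expose the secret in the
# process list and in shell history.  Return 0 otherwise.
reject_inline_secrets() {
    for arg in "$@"; do
        case "$arg" in
            -w|-P) return 1 ;;
        esac
    done
    return 0
}

# Return 0 only if FILE is a regular file with no group or other permission
# bits (mode 0600 or stricter) and is owned by the invoking user.  ls and
# find are used so this works with any POSIX sh, not only GNU stat.
check_secret_file() {
    file=$1
    [ -f "$file" ] || return 1
    perms=$(ls -ld "$file" | cut -c1-10)
    case "$perms" in
        -???------) ;;
        *) return 1 ;;
    esac
    [ -n "$(find "$file" -prune -user "$(id -un)" -print)" ] || return 1
    return 0
}

# Walk the argument list: refuse -w/-P, and check every existing file named
# after -sf (master key stash) or -f (service password file).  A file that
# does not exist yet (stashsrvpw creates it) is left to the tool.  The
# invocation is printed rather than executed so the example runs without a
# KDC; replace `echo` with `exec` for real use.
checked_kdb5_ldap_util() {
    prev=""
    for arg in "$@"; do
        case "$prev" in
            -sf|-f)
                if [ -e "$arg" ] && ! check_secret_file "$arg"; then
                    echo "refusing: $arg must be a regular file, mode 0600, owned by $(id -un)" >&2
                    return 3
                fi ;;
        esac
        case "$arg" in
            -w|-P) echo "refusing: $arg puts a secret on the command line" >&2; return 2 ;;
        esac
        prev=$arg
    done
    echo kdb5_ldap_util "$@"
}

# Demonstration with a constructed stash file: the first call prints the
# command, the second is rejected because of -w.
demo_stash=$(mktemp)
chmod 600 "$demo_stash"
checked_kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \
    create -subtrees o=org -sscope sub -r ATHENA.MIT.EDU -sf "$demo_stash"
checked_kdb5_ldap_util -D cn=admin,o=org -w secret list || echo "rejected as expected"
rm -f "$demo_stash"
```

	      The bind password is still supplied interactively at the
	      Password for "..." prompt; the wrapper only removes the two ways
	      of putting it, or the master password, into the argument vector.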

       create_policy [-r realm] [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
	      Creates a ticket policy in the directory. Options:

	      -r realm
		     Specifies the Kerberos realm of the database; by  default
		     the  realm	 returned  by  krb5_default_local_realm(3)  is
		     used.

	      -maxtktlife max_ticket_life
		     Specifies maximum ticket life for principals.

	      -maxrenewlife max_renewable_ticket_life
		     Specifies maximum renewable life of tickets  for  princi‐
		     pals.

	      ticket_flags
		     Specifies the ticket flags. If no flags are given, none of
		     them is set, so no restriction is placed on principals
		     using this policy; in particular, preauthentication is not
		     required unless +requires_preauth is given explicitly.

		     The various flags are:

	      {-|+}allow_postdated
		     -allow_postdated  prohibits  principals  from   obtaining
		     postdated tickets.	 (Sets the KRB5_KDB_DISALLOW_POSTDATED
		     flag.)  +allow_postdated clears this flag.

	      {-|+}allow_forwardable
		     -allow_forwardable prohibits  principals  from  obtaining
		     forwardable  tickets.   (Sets  the KRB5_KDB_DISALLOW_FOR‐
		     WARDABLE flag.)  +allow_forwardable clears this flag.

	      {-|+}allow_renewable
		     -allow_renewable  prohibits  principals  from   obtaining
		     renewable	tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
		     flag.)  +allow_renewable clears this flag.

	      {-|+}allow_proxiable
		     -allow_proxiable  prohibits  principals  from   obtaining
		     proxiable tickets.	 (Sets the KRB5_KDB_DISALLOW_PROXIABLE
		     flag.)  +allow_proxiable clears this flag.

	      {-|+}allow_dup_skey
		     -allow_dup_skey Disables user-to-user authentication  for
		     principals	 by  prohibiting  principals  from obtaining a
		     session key for another user. (Sets  the  KRB5_KDB_DISAL‐
		     LOW_DUP_SKEY flag.)  +allow_dup_skey clears this flag.

	      {-|+}requires_preauth
		     +requires_preauth	requires principals to preauthenticate
		     before   being   allowed	 to    kinit.	  (Sets	   the
		     KRB5_KDB_REQUIRES_PRE_AUTH	   flag.)    -requires_preauth
		     clears this flag.

	      {-|+}requires_hwauth
		     +requires_hwauth requires principals  to  preauthenticate
		     using  a  hardware	 device before being allowed to kinit.
		     (Sets	the	 KRB5_KDB_REQUIRES_HW_AUTH	flag.)
		     -requires_hwauth clears this flag.

	      {-|+}allow_svr
		     -allow_svr	 prohibits the issuance of service tickets for
		     principals.   (Sets  the	KRB5_KDB_DISALLOW_SVR	flag.)
		     +allow_svr clears this flag.

	      {-|+}allow_tgs_req
		     -allow_tgs_req  specifies	that a Ticket-Granting Service
		     (TGS) request for a service ticket for principals is  not
		     permitted.	  This	option	is  useless  for  most things.
		     +allow_tgs_req  clears  this  flag.    The	  default   is
		     +allow_tgs_req.	In  effect,  -allow_tgs_req  sets  the
		     KRB5_KDB_DISALLOW_TGT_BASED flag  on  principals  in  the
		     database.

	      {-|+}allow_tix
		     -allow_tix	 forbids the issuance of any tickets for prin‐
		     cipals.  +allow_tix clears this  flag.   The  default  is
		     +allow_tix.  In effect, -allow_tix sets the KRB5_KDB_DIS‐
		     ALLOW_ALL_TIX flag on principals in the database.

	      {-|+}needchange
		     +needchange sets a flag in attributes field  to  force  a
		     password  change;	-needchange  clears it. The default is
		     -needchange.    In	  effect,   +needchange	   sets	   the
		     KRB5_KDB_REQUIRES_PWCHANGE	 flag  on  principals  in  the
		     database.

	      {-|+}password_changing_service
		     +password_changing_service sets a flag in the  attributes
		     field  marking  principal	as  a  password change service
		     principal (useless for  most  things).   -password_chang‐
		     ing_service  clears the flag. This flag intentionally has
		     a long name. The default  is  -password_changing_service.
		     In	   effect,    +password_changing_service    sets   the
		     KRB5_KDB_PWCHANGE_SERVICE flag on principals in the data‐
		     base.

	      policy_name
		     Specifies the name of the ticket policy.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy
		     Password for "cn=admin,o=org":

       modify_policy [-r realm] [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
	      Modifies the attributes of a ticket policy. The options are the
	      same as for create_policy.

	      -r realm
		     Specifies the Kerberos realm of the database; by  default
		     the  realm	 returned  by  krb5_default_local_realm(3)  is
		     used.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy
		     Password for "cn=admin,o=org":

       view_policy [-r realm] policy_name
	      Displays the attributes of a ticket policy. Options:

	      -r realm
		     Specifies the Kerberos realm of the database; by default
		     the realm returned by krb5_default_local_realm(3) is used.

	      policy_name
		     Specifies the name of the ticket policy.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy
		     Password for "cn=admin,o=org":
				 Ticket policy: tktpolicy
			   Maximum ticket life: 0 days 01:00:00
			Maximum renewable life: 0 days 10:00:00
				  Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

       destroy_policy [-r realm] [-force] policy_name
	      Destroys an existing ticket policy. Options:

	      -r realm
		     Specifies the Kerberos realm of the database; by  default
		     the  realm	 returned  by  krb5_default_local_realm(3)  is
		     used.

	      -force Forces the deletion of the policy object. If not specified,
		     you are prompted for confirmation before the policy is
		     deleted; enter yes to confirm.

	      policy_name
		     Specifies the name of the ticket policy.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU tktpolicy
		     Password for "cn=admin,o=org":
		     This will delete the policy object 'tktpolicy', are you sure?
		     (type 'yes' to confirm)? yes
		     ** policy object 'tktpolicy' deleted.

       list_policy [-r realm]
	      Lists the ticket policies in the given realm, or in the default
	      realm if -r is not specified. Options:

	      -r realm
		     Specifies	the Kerberos realm of the database; by default
		     the  realm	 returned  by  krb5_default_local_realm(3)  is
		     used.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU
		     Password for "cn=admin,o=org":
		     tktpolicy
		     tmppolicy
		     userpolicy

       Commands Specific to eDirectory

       setsrvpw [-randpw|-fileonly] [-f filename] service_dn
	      Allows an administrator to set the password for service objects,
	      such as the KDC and Administration server objects, in eDirectory
	      and to store it in a file. The -fileonly option stores the
	      password in the file only and not in the eDirectory object.
	      Options:

	      -randpw
		     Generates and sets a random password. This option can be
		     used to store the password both in eDirectory and in the
		     file. -fileonly cannot be combined with -randpw.

	      -fileonly
		     Stores the password only in the file and not in eDirectory.
		     -randpw cannot be combined with -fileonly.

	      -f filename
		     Specifies complete path of the service password file.  By
		     default, /usr/local/var/service_passwd is used.

	      service_dn
		     Specifies	Distinguished  name (DN) of the service object
		     whose password is to be set.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
		     Password for "cn=admin,o=org":
		     Password for "cn=service-kdc,o=org":
		     Re-enter password for "cn=service-kdc,o=org":

       create_service {-kdc|-admin} [-servicehost service_host_list]
       [-realm realm_list] [-randpw|-fileonly] [-f filename] service_dn
	      Creates a service object in the directory and assigns it the
	      appropriate rights. Options:

	      -kdc   Specifies that the service is a KDC service.

	      -admin Specifies that the service is an Administration service.

	      -servicehost service_host_list
		     Specifies the list of entries separated by a  colon  (:).
		     Each  entry consists of the hostname or IP address of the
		     server hosting the service, transport protocol,  and  the
		     port number of the service separated by a pound sign (#).
		     For example, server1#tcp#88:server2#udp#89.

	      -realm realm_list
		     Specifies the list of realms that are  to	be  associated
		     with  this	 service.  The	list  contains the name of the
		     realms separated by a colon (:).

	      -randpw
		     Generates and sets a random password. This option is used
		     to	 set  the  random  password  for the service object in
		     directory and also to store it in the file. The -fileonly
		     option can not be used if -randpw option is specified.

	      -fileonly
		     Stores the password only in a file and not in eDirectory.
		     The -randpw option can not be used when -fileonly	option
		     is specified.

	      -f filename
		     Specifies the complete path of the file where the service
		     object password is stashed.

	      service_dn
		     Specifies Distinguished name (DN) of the Kerberos service
		     to be created.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
		     Password for "cn=admin,o=org":
		     File does not exist. Creating the file /home/andrew/conf_keyfile...
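	      The service host list has a strict shape (host#proto#port entries
	      joined by colons), and a malformed entry is easier to catch before
	      it is written to the directory.  The following functions, added
	      here as an example and not part of kdb5_ldap_util, validate each
	      entry and build the list for -servicehost, -addservicehost or
	      -clearservicehost before it is passed to create_service or
	      modify_service.  The host names in the demonstration are
	      constructed.

```sh
#!/bin/sh
# Added example (not part of kdb5_ldap_util): validate and build the
# colon-separated host#proto#port list used by -servicehost and friends.
# Host names used in the demonstration are constructed.

# Return 0 if $1 is host#proto#port with a hostname or IPv4 address, a
# protocol of tcp or udp, and a port in 1..65535.
valid_servicehost_entry() {
    entry=$1
    host=${entry%%#*}
    rest=${entry#*#}
    proto=${rest%%#*}
    port=${rest#*#}
    # exactly two '#' separators; rebuilding the entry must give it back
    [ "$host#$proto#$port" = "$entry" ] || return 1
    case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Return 0 if every colon-separated entry in $1 is valid and the list is
# not empty.  Globbing is switched off while the list is split so that an
# entry such as '*' is not expanded against the current directory.
valid_servicehost_list() {
    old_ifs=$IFS
    set -f
    IFS=:
    set -- $1
    set +f
    IFS=$old_ifs
    [ $# -ge 1 ] || return 1
    for e in "$@"; do
        valid_servicehost_entry "$e" || return 1
    done
    return 0
}

# Join the entries given as arguments into a list.  Print it only if every
# entry validates; otherwise report the bad entry and return 1.
build_servicehost_list() {
    out=""
    for e in "$@"; do
        valid_servicehost_entry "$e" || { echo "bad servicehost entry: $e" >&2; return 1; }
        out=${out:+$out:}$e
    done
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Demonstration: the list from the man page, then an entry with an
# unsupported transport.
list=$(build_servicehost_list server1#tcp#88 server2#udp#89) &&
    echo "kdb5_ldap_util -D cn=admin,o=org create_service -kdc -servicehost $list -realm ATHENA.MIT.EDU -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org"
build_servicehost_list kdc1.example.org#sctp#88 || echo "rejected as expected"
```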

       modify_service [-servicehost service_host_list | [-clearservicehost service_host_list] [-addservicehost service_host_list]]
       [-realm realm_list | [-clearrealm realm_list] [-addrealm realm_list]]
       service_dn
	      Modifies the attributes of a service object and assigns it the
	      appropriate rights. Options:

	      -servicehost service_host_list
		     Specifies the list of entries separated by a  colon  (:).
		     Each  entry  consists of a host name or IP Address of the
		     Server hosting the service, transport protocol, and  port
		     number of the service separated by a pound sign (#).  For
		     example, server1#tcp#88:server2#udp#89

	      -clearservicehost service_host_list
		     Specifies the list of servicehost entries to  be  removed
		     from the existing list separated by colon (:). Each entry
		     consists of a host name or IP Address of the server host‐
		     ing  the  service, transport protocol, and port number of
		     the service separated by a pound sign (#).

	      -addservicehost service_host_list
		     Specifies the list of servicehost entries to be added  to
		     the existing list separated by colon (:). Each entry con‐
		     sists of a host name or IP Address of the server  hosting
		     the  service,  transport protocol, and port number of the
		     service separated by a pound sign (#).

	      -realm realm_list
		     Specifies the list of realms that are  to	be  associated
		     with  this	 service.  The	list  contains the name of the
		     realms separated by a colon (:). This list	 replaces  the
		     existing list.

	      -clearrealm realm_list
		     Specifies	the  list  of  realms  to  be removed from the
		     existing list. The list contains the name of  the	realms
		     separated by a colon (:).

	      -addrealm realm_list
		     Specifies	the list of realms to be added to the existing
		     list. The list contains the name of the realms  separated
		     by a colon (:).

	      service_dn
		     Specifies Distinguished name (DN) of the Kerberos service
		     to be modified.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org
		     Password for "cn=admin,o=org":
		     Changing rights for the service object. Please wait ... done

       view_service service_dn
	      Displays the attributes of a service.  Options:

	      service_dn
		     Specifies Distinguished name (DN) of the Kerberos service
		     to be viewed.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org
		     Password for "cn=admin,o=org":
			     Service dn: cn=service-kdc,o=org
			   Service type: kdc
		      Service host list:
			  Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security

       destroy_service [-force] [-f stashfilename] service_dn
	      Destroys an existing service. Options:

	      -force If	 specified,  will  not prompt for user's confirmation,
		     instead will force destruction of the service.

	      -f stashfilename
		     Specifies the complete path of the service password  file
		     from  where  the  entry  corresponding  to the service_dn
		     needs to be removed.

	      service_dn
		     Specifies Distinguished name (DN) of the Kerberos service
		     to be destroyed.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org
		     Password for "cn=admin,o=org":
		     This will delete the service object 'cn=service-kdc,o=org', are you sure?
		     (type 'yes' to confirm)? yes
		     ** service object 'cn=service-kdc,o=org' deleted.

       list_service [-basedn base_dn]
	      Lists the names of the service objects under a given base in the
	      directory. Options:

	      -basedn base_dn
		     Specifies the base DN for searching the service objects,
		     limiting the search to a particular subtree. If this
		     option is not provided, an LDAP-server-specific search
		     base is used: for OpenLDAP, the value of defaultsearchbase
		     from slapd.conf; for eDirectory, the root of the tree.

	      EXAMPLE:
		     kdb5_ldap_util -D cn=admin,o=org list_service
		     Password for "cn=admin,o=org":
		     cn=service-kdc,o=org
		     cn=service-adm,o=org
		     cn=service-pwd,o=org

SEE ALSO
       kadmin(8)

							     KDB5_LDAP_UTIL(8)