Provided by: krb5-kdc-ldap_1.8.1+dfsg-2_i386 bug

NAME

       kdb5_ldap_util - Kerberos Configuration Utility

SYNOPSIS

       kdb5_ldap_util    [-D user_dn    [-w passwd]]    [-H ldapuri]   command
       [command_options]

DESCRIPTION

       kdb5_ldap_util allows  an  administrator  to  manage  realms,  Kerberos
       services and ticket policies.

COMMAND-LINE OPTIONS

       -D user_dn
              Specifies  the  Distinguished  name  (DN)  of  the  user who has
              sufficient rights to perform the operation on the LDAP server.

       -w passwd
              Specifies  the  password  of  user_dn.   This  option   is   not
              recommended.

       -H ldapuri
              Specifies the URI of the LDAP server.

COMMANDS

       create        [-subtrees subtree_dn_list]        [-sscope search_scope]
       [-containerref container_reference_dn]   [-k mkeytype]    [-kv mkeyVNO]
       [-m|-P password|-sf stashfilename]            [-s]           [-r realm]
       [-kdcdn kdc_service_list]                 [-admindn admin_service_list]
       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]
              Creates realm in directory. Options:

              -subtrees subtree_dn_list
                     Specifies  the list of subtrees containing the principals
                     of a realm. The list contains  the  DNs  of  the  subtree
                     objects separated by colon(:).

              -sscope search_scope
                     Specifies  the  scope  for searching the principals under
                     the subtree.  The possible  values  are  1  or  one  (one
                     level), 2 or sub (subtrees).

              -containerref container_reference_dn
                     Specifies  the  DN  of  the container object in which the
                     principals of a realm will be created.  If the  container
                     reference  is  not configured for a realm, the principals
                     will be created in the realm container.

              -k mkeytype
                     Specifies the key type of the master key in the database;
                     the default is that given in kdc.conf.

              -kv mkeyVNO
                     Specifies  the  version  number  of the master key in the
                     database; the default is 1. Note that 0 is not allowed.

              -m     Specifies that the master  database  password  should  be
                     read  from the TTY rather than fetched from a file on the
                     disk.

              -P password
                     Specifies the master database password.  This  option  is
                     not recommended.

              -sf stashfilename
                     Specifies the stash file of the master database password.

              -s     Specifies that the stash file is to be created.

              -maxtktlife max_ticket_life
                     Specifies maximum ticket  life  for  principals  in  this
                     realm.

              -maxrenewlife max_renewable_ticket_life
                     Specifies   maximum   renewable   life   of  tickets  for
                     principals in this realm.

              ticket_flags
                     Specifies  the  ticket  flags.  If  this  option  is  not
                     specified,  by  default,  none of the flags are set. This
                     means all the ticket  options  will  be  allowed  and  no
                     restriction will be set.

                     The various flags are:

              {-|+}allow_postdated
                     -allow_postdated   prohibits  principals  from  obtaining
                     postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.)  +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable  prohibits  principals  from obtaining
                     forwardable         tickets.           (Sets          the
                     KRB5_KDB_DISALLOW_FORWARDABLE  flag.)  +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable  prohibits  principals  from   obtaining
                     renewable  tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.)  +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable  prohibits  principals  from   obtaining
                     proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.)  +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey Disables user-to-user authentication  for
                     principals  by  prohibiting  principals  from obtaining a
                     session    key    for    another    user.    (Sets    the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth requires principals to  preauthenticate
                     before    being    allowed    to    kinit.    (Sets   the
                     KRB5_KDB_REQUIRES_PRE_AUTH   flag.)     -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth  requires  principals to preauthenticate
                     using a hardware device before being  allowed  to  kinit.
                     (Sets      the      KRB5_KDB_REQUIRES_HW_AUTH      flag.)
                     -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets  for
                     principals.    (Sets   the  KRB5_KDB_DISALLOW_SVR  flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a  Ticket-Granting  Service
                     (TGS)  request for a service ticket for principals is not
                     permitted.  This  option  is  useless  for  most  things.
                     +allow_tgs_req   clears   this   flag.   The  default  is
                     +allow_tgs_req.   In  effect,  -allow_tgs_req  sets   the
                     KRB5_KDB_DISALLOW_TGT_BASED  flag  on  principals  in the
                     database.

              {-|+}allow_tix
                     -allow_tix  forbids  the  issuance  of  any  tickets  for
                     principals.  +allow_tix clears this flag.  The default is
                     +allow_tix.    In    effect,    -allow_tix    sets    the
                     KRB5_KDB_DISALLOW_ALL_TIX   flag  on  principals  in  the
                     database.

              {-|+}needchange
                     +needchange sets a flag in attributes field  to  force  a
                     password  change;  -needchange  clears it. The default is
                     -needchange.    In   effect,   +needchange    sets    the
                     KRB5_KDB_REQUIRES_PWCHANGE  flag  on  principals  in  the
                     database.

              {-|+}password_changing_service
                     +password_changing_service sets a flag in the  attributes
                     field  marking  principal  as  a  password change service
                     principal      (useless      for      most       things).
                     -password_changing_service  clears  the  flag.  This flag
                     intentionally  has  a   long   name.   The   default   is
                     -password_changing_service.           In          effect,
                     +password_changing_service            sets            the
                     KRB5_KDB_PWCHANGE_SERVICE   flag  on  principals  in  the
                     database.

              -r realm
                     Specifies the Kerberos realm of the database; by  default
                     the  realm  returned  by  krb5_default_local_realm(3)  is
                     used.

              Command Options Specific to eDirectory

              -kdcdn kdc_service_list
                     Specifies the list of KDC  service  objects  serving  the
                     realm.  The  list  contains  the  DNs  of the KDC service
                     objects separated by colon(:).

              -admindn admin_service_list
                     Specifies the  list  of  Administration  service  objects
                     serving  the  realm.  The  list  contains  the DNs of the
                     Administration service objects separated by colon(:).

              EXAMPLE:
                     kdb5_ldap_util   -D   cn=admin,o=org   -H   ldaps://ldap-
                     server1.mit.edu  create  -subtrees  o=org  -sscope SUB -r
                     ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                     Initializing database for realm ’ATHENA.MIT.EDU’
                     You will be prompted for the database Master Password.
                     It is important that you NOT FORGET this password.
                     Enter KDC database master key:
                     Re-enter KDC database master key to verify:

       modify        [-subtrees subtree_dn_list]        [-sscope search_scope]
       [-containerref container_reference_dn]                       [-r realm]
       [-kdcdn kdc_service_list        |        [-clearkdcdn kdc_service_list]
       [-addkdcdn kdc_service_list]]       [-admindn admin_service_list      |
       [-clearadmindn admin_service_list]    [-addadmindn admin_service_list]]
       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
       [ticket_flags]

              Modifies the attributes of a realm. Options:

              -subtrees subtree_dn_list
                     Specifies the list of subtrees containing the  principals
                     of  a  realm.   The  list contains the DNs of the subtree
                     objects separated by colon(:).  This  list  replaces  the
                     existing list.

              -sscope search_scope
                     Specifies  the  scope  for searching the principals under
                     the subtrees.  The possible values  are  1  or  one  (one
                     level), 2 or sub (subtrees).

              -containerref container_reference_dn
                     Specifies  the  DN  of  the container object in which the
                     principals of a realm will be created.

              -maxtktlife max_ticket_life
                     Specifies maximum ticket  life  for  principals  in  this
                     realm.

              -maxrenewlife max_renewable_ticket_life
                     Specifies   maximum   renewable   life   of  tickets  for
                     principals in this realm.

              ticket_flags
                     Specifies  the  ticket  flags.  If  this  option  is  not
                     specified,  by  default,  none of the flags are set. This
                     means all the ticket  options  will  be  allowed  and  no
                     restriction will be set.

                     The various flags are:

              {-|+}allow_postdated
                     -allow_postdated   prohibits  principals  from  obtaining
                     postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.)  +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable  prohibits  principals  from obtaining
                     forwardable         tickets.           (Sets          the
                     KRB5_KDB_DISALLOW_FORWARDABLE  flag.)  +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable  prohibits  principals  from   obtaining
                     renewable  tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.)  +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable  prohibits  principals  from   obtaining
                     proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.)  +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey Disables user-to-user authentication  for
                     principals  by  prohibiting  principals  from obtaining a
                     session    key    for    another    user.    (Sets    the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth requires principals to  preauthenticate
                     before    being    allowed    to    kinit.    (Sets   the
                     KRB5_KDB_REQUIRES_PRE_AUTH   flag.)     -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth  requires  principals to preauthenticate
                     using a hardware device before being  allowed  to  kinit.
                     (Sets      the      KRB5_KDB_REQUIRES_HW_AUTH      flag.)
                     -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets  for
                     principals.    (Sets   the  KRB5_KDB_DISALLOW_SVR  flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a  Ticket-Granting  Service
                     (TGS)  request for a service ticket for principals is not
                     permitted.  This  option  is  useless  for  most  things.
                     +allow_tgs_req   clears   this   flag.   The  default  is
                     +allow_tgs_req.   In  effect,  -allow_tgs_req  sets   the
                     KRB5_KDB_DISALLOW_TGT_BASED  flag  on  principals  in the
                     database.

              {-|+}allow_tix
                     -allow_tix  forbids  the  issuance  of  any  tickets  for
                     principals.  +allow_tix clears this flag.  The default is
                     +allow_tix.    In    effect,    -allow_tix    sets    the
                     KRB5_KDB_DISALLOW_ALL_TIX   flag  on  principals  in  the
                     database.

              {-|+}needchange
                     +needchange sets a flag in attributes field  to  force  a
                     password  change;  -needchange  clears it. The default is
                     -needchange.    In   effect,   +needchange    sets    the
                     KRB5_KDB_REQUIRES_PWCHANGE  flag  on  principals  in  the
                     database.

              {-|+}password_changing_service
                     +password_changing_service sets a flag in the  attributes
                     field  marking  principal  as  a  password change service
                     principal      (useless      for      most       things).
                     -password_changing_service  clears  the  flag.  This flag
                     intentionally  has  a   long   name.   The   default   is
                     -password_changing_service.           In          effect,
                     +password_changing_service            sets            the
                     KRB5_KDB_PWCHANGE_SERVICE   flag  on  principals  in  the
                     database.

              -r realm
                     Specifies the Kerberos realm of the database; by  default
                     the  realm  returned  by  krb5_default_local_realm(3)  is
                     used.

              Command Options Specific to eDirectory

              -kdcdn kdc_service_list
                     Specifies the list of KDC  service  objects  serving  the
                     realm.  The  list  contains  the  DNs  of the KDC service
                     objects separated by a colon (:). This list replaces  the
                     existing list.

              -clearkdcdn kdc_service_list
                     Specifies the list of KDC service objects that need to be
                     removed from the existing list. The list contains the DNs
                     of the KDC service objects separated by a colon (:).

              -addkdcdn kdc_service_list
                     Specifies the list of KDC service objects that need to be
                     added to the existing list. The list contains the DNs  of
                     the KDC service objects separated by a colon (:).

              -admindn admin_service_list
                     Specifies  the  list  of  Administration  service objects
                     serving the realm. The  list  contains  the  DNs  of  the
                     Administration  service objects separated by a colon (:).
                     This list replaces the existing list.

              -clearadmindn admin_service_list
                     Specifies the list of Administration service objects that
                     need  to  be  removed  from  the  existing list. The list
                     contains the DNs of the  Administration  service  objects
                     separated by a colon (:).

              -addadmindn admin_service_list
                     Specifies the list of Administration service objects that
                     need to be added to the existing list. The list  contains
                     the  DNs  of the Administration service objects separated
                     by a colon (:).

              EXAMPLE:
                     kdb5_ldap_util   -D   cn=admin,o=org   -H   ldaps://ldap-
                     server1.mit.edu      modify      +requires_preauth     -r
                     ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":

       view [-r realm]
              Displays the attributes of a realm.  Options:

              -r realm
                     Specifies the Kerberos realm of the database; by  default
                     the  realm  returned  by  krb5_default_local_realm(3)  is
                     used.

              EXAMPLE:
                     kdb5_ldap_util   -D   cn=admin,o=org   -H   ldaps://ldap-
                     server1.mit.edu view -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                                    Realm Name: ATHENA.MIT.EDU
                                       Subtree: ou=users,o=org
                                       Subtree: ou=servers,o=org
                                   SearchScope: ONE
                           Maximum ticket life: 0 days 01:00:00
                        Maximum renewable life: 0 days 10:00:00
                                  Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

       destroy [-f] [-r realm]
              Destroys an existing realm. Options:

              -f     If  specified, will not prompt the user for confirmation.

              -r realm
                     Specifies the Kerberos realm of the database; by  default
                     the  realm  returned  by  krb5_default_local_realm(3)  is
                     used.

              EXAMPLE:
                     kdb5_ldap_util   -D   cn=admin,o=org   -H   ldaps://ldap-
                     server1.mit.edu destroy -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                     Deleting KDC database of ’ATHENA.MIT.EDU’, are you sure?
                     (type ’yes’ to confirm)? yes
                     OK, deleting database of ’ATHENA.MIT.EDU’...

       list    Lists the name of realms.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
                     Password for "cn=admin,o=org":
                     ATHENA.MIT.EDU
                     OPENLDAP.MIT.EDU
                     MEDIA-LAB.MIT.EDU

       stashsrvpw [-f filename] servicedn
              Allows an administrator to store the password for service object
              in a file so that KDC and Administration server can  use  it  to
              authenticate to the LDAP server. Options:

              -f filename
                     Specifies the complete path of the service password file.
                     By default, /usr/local/var/service_passwd is used.

              servicedn
                     Specifies Distinguished name (DN) of the  service  object
                     whose password is to be stored in file.

              EXAMPLE:
                     kdb5_ldap_util  stashsrvpw  -f  /home/andrew/conf_keyfile
                     cn=service-kdc,o=org
                     Password for "cn=service-kdc,o=org":
                     Re-enter password for "cn=service-kdc,o=org":

       create_policy         [-r realm]          [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
              Creates a ticket policy in directory. Options:

              -r realm
                     Specifies the Kerberos realm of the database; by  default
                     the  realm  returned  by  krb5_default_local_realm(3)  is
                     used.

              -maxtktlife max_ticket_life
                     Specifies maximum ticket life for principals.

              -maxrenewlife max_renewable_ticket_life
                     Specifies  maximum  renewable   life   of   tickets   for
                     principals.

              ticket_flags
                     Specifies  the  ticket  flags.  If  this  option  is  not
                     specified, by default, none of the flags  are  set.  This
                     means  all  the  ticket  options  will  be allowed and no
                     restriction will be set.

                     The various flags are:

              {-|+}allow_postdated
                     -allow_postdated  prohibits  principals  from   obtaining
                     postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.)  +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable prohibits  principals  from  obtaining
                     forwardable          tickets.           (Sets         the
                     KRB5_KDB_DISALLOW_FORWARDABLE flag.)   +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable   prohibits  principals  from  obtaining
                     renewable tickets. (Sets the  KRB5_KDB_DISALLOW_RENEWABLE
                     flag.)  +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable   prohibits  principals  from  obtaining
                     proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.)  +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey  Disables user-to-user authentication for
                     principals by prohibiting  principals  from  obtaining  a
                     session    key    for    another    user.    (Sets    the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth  requires principals to preauthenticate
                     before   being   allowed    to    kinit.     (Sets    the
                     KRB5_KDB_REQUIRES_PRE_AUTH    flag.)    -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth requires principals  to  preauthenticate
                     using  a  hardware  device before being allowed to kinit.
                     (Sets      the      KRB5_KDB_REQUIRES_HW_AUTH      flag.)
                     -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr  prohibits the issuance of service tickets for
                     principals.   (Sets  the   KRB5_KDB_DISALLOW_SVR   flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req  specifies  that a Ticket-Granting Service
                     (TGS) request for a service ticket for principals is  not
                     permitted.   This  option  is  useless  for  most things.
                     +allow_tgs_req  clears  this  flag.    The   default   is
                     +allow_tgs_req.    In  effect,  -allow_tgs_req  sets  the
                     KRB5_KDB_DISALLOW_TGT_BASED flag  on  principals  in  the
                     database.

              {-|+}allow_tix
                     -allow_tix  forbids  the  issuance  of  any  tickets  for
                     principals.  +allow_tix clears this flag.  The default is
                     +allow_tix.     In    effect,    -allow_tix    sets   the
                     KRB5_KDB_DISALLOW_ALL_TIX  flag  on  principals  in   the
                     database.

              {-|+}needchange
                     +needchange  sets  a  flag in attributes field to force a
                     password change; -needchange clears it.  The  default  is
                     -needchange.     In    effect,   +needchange   sets   the
                     KRB5_KDB_REQUIRES_PWCHANGE  flag  on  principals  in  the
                     database.

              {-|+}password_changing_service
                     +password_changing_service  sets a flag in the attributes
                     field marking principal  as  a  password  change  service
                     principal       (useless      for      most      things).
                     -password_changing_service clears  the  flag.  This  flag
                     intentionally   has   a   long   name.   The  default  is
                     -password_changing_service.           In          effect,
                     +password_changing_service            sets            the
                     KRB5_KDB_PWCHANGE_SERVICE  flag  on  principals  in   the
                     database.

              policy_name
                     Specifies the name of the ticket policy.

              EXAMPLE:
                     kdb5_ldap_util   -D   cn=admin,o=org   -H   ldaps://ldap-
                     server1.mit.edu    create_policy    -r     ATHENA.MIT.EDU
                     -maxtktlife    "1    day"    -maxrenewlife    "1    week"
                     -allow_postdated +needchange -allow_forwardable tktpolicy
                     Password for "cn=admin,o=org":

       modify_policy          [-r realm]         [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
              Modifies  the attributes of a ticket policy. Options are same as
              create_policy.

              -r realm
                     Specifies the Kerberos realm of the database; by  default
                     the  realm  returned  by  krb5_default_local_realm(3)  is
                     used.

              EXAMPLE:
                     kdb5_ldap_util   -D   cn=admin,o=org   -H   ldaps://ldap-
                     server1.mit.edu     modify_policy    -r    ATHENA.MIT.EDU
                     -maxtktlife  "60  minutes"   -maxrenewlife   "10   hours"
                     +allow_postdated -requires_preauth tktpolicy
                     Password for "cn=admin,o=org":

       view_policy [-r realm] policy_name
              Displays the attributes of a ticket policy. Options:

              policy_name
                     Specifies the name of the ticket policy.

              EXAMPLE:
                     kdb5_ldap_util   -D   cn=admin,o=org   -H   ldaps://ldap-
                     server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy
                     Password for "cn=admin,o=org":
                                 Ticket policy: tktpolicy
                           Maximum ticket life: 0 days 01:00:00
                        Maximum renewable life: 0 days 10:00:00
                                  Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

       destroy_policy [-r realm] [-force] policy_name
              Destroys an existing ticket policy. Options:

              -r realm
                     Specifies the Kerberos realm of the database; by  default
                     the  realm  returned  by  krb5_default_local_realm(3)  is
                     used.

              -force Forces  the  deletion  of  the  policy  object.  If   not
                     specified,   will  be  prompted  for  confirmation  while
                     deleting the policy. Enter yes to confirm the deletion.

              policy_name
                     Specifies the name of the ticket policy.

              EXAMPLE:
                     kdb5_ldap_util   -D   cn=admin,o=org   -H   ldaps://ldap-
                     server1.mit.edu    destroy_policy    -r    ATHENA.MIT.EDU
                     tktpolicy
                     Password for "cn=admin,o=org":
                     This will delete the policy object ’tktpolicy’, are you sure?
                     (type ’yes’ to confirm)? yes
                     ** policy object ’tktpolicy’ deleted.

       list_policy [-r realm]
              Lists the ticket policies  in  realm  if  specified  or  in  the
              default realm.  Options:

              -r realm
                     Specifies  the Kerberos realm of the database; by default
                     the  realm  returned  by  krb5_default_local_realm(3)  is
                     used.

              EXAMPLE:
                     kdb5_ldap_util   -D   cn=admin,o=org   -H   ldaps://ldap-
                     server1.mit.edu list_policy -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                     tktpolicy
                     tmppolicy
                     userpolicy

       Commands Specific to eDirectory

       setsrvpw [-randpw|-fileonly] [-f filename] service_dn
              Allows an administrator to set password for service objects such
              as KDC and Administration server in eDirectory and store them in
              a file. The -fileonly option stores the password in a  file  and
              not in the eDirectory object. Options:

              -randpw
                     Generates and sets a random password. This options can be
                     specified to store the password both in eDirectory and  a
                     file.  The  -fileonly  option  can not be used if -randpw
                     option is already specified.

              -fileonly
                     Stores the password only in a file and not in eDirectory.
                     The -randpw option can not be used when -fileonly options
                     is specified.

              -f filename
                     Specifies complete path of the service password file.  By
                     default, /usr/local/var/service_passwd is used.

              service_dn
                     Specifies  Distinguished  name (DN) of the service object
                     whose password is to be set.

              EXAMPLE:
                     kdb5_ldap_util  setsrvpw   -D   cn=admin,o=org   setsrvpw
                     -fileonly    -f   /home/andrew/conf_keyfile   cn=service-
                     kdc,o=org
                     Password for "cn=admin,o=org":
                     Password for "cn=service-kdc,o=org":
                     Re-enter password for "cn=service-kdc,o=org":

       create_service      {-kdc|-admin}      [-servicehost service_host_list]
       [-realm realm_list] [-randpw|-fileonly] [-f filename] service_dn
              Creates a service in directory and assigns  appropriate  rights.
              Options:

              -kdc   Specifies the service is a KDC service

              -admin Specifies the service is a Administration service

              -servicehost service_host_list
                     Specifies  the  list of entries separated by a colon (:).
                     Each entry consists of the hostname or IP address of  the
                     server  hosting  the service, transport protocol, and the
                     port number of the service separated by a pound sign (#).
                     For example, server1#tcp#88:server2#udp#89.

              -realm realm_list
                     Specifies  the  list  of realms that are to be associated
                     with this service. The list  contains  the  name  of  the
                     realms separated by a colon (:).

              -randpw
                     Generates and sets a random password. This option is used
                     to set the random password  for  the  service  object  in
                     directory and also to store it in the file. The -fileonly
                     option can not be used if -randpw option is specified.

              -fileonly
                     Stores the password only in a file and not in eDirectory.
                     The  -randpw option can not be used when -fileonly option
                     is specified.

              -f filename
                     Specifies the complete path of the file where the service
                     object password is stashed.

              service_dn
                     Specifies Distinguished name (DN) of the Kerberos service
                     to be created.

              EXAMPLE:
                     kdb5_ldap_util  -D  cn=admin,o=org  create_service   -kdc
                     -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
                     Password for "cn=admin,o=org":
                     File does not exist. Creating the file /home/andrew/conf_keyfile...

       modify_service            [-servicehost service_host_list             |
       [-clearservicehost service_host_list]
       [-addservicehost service_host_list]]        [-realm realm_list        |
       [-clearrealm realm_list] [-addrealm realm_list]] service_dn
              Modifies the attributes of a  service  and  assigns  appropriate
              rights. Options:

              -servicehost service_host_list
                     Specifies  the  list of entries separated by a colon (:).
                     Each entry consists of a host name or IP Address  of  the
                     Server  hosting the service, transport protocol, and port
                     number of the service separated by a pound sign (#).  For
                     example, server1#tcp#88:server2#udp#89

              -clearservicehost service_host_list
                     Specifies  the  list of servicehost entries to be removed
                     from the existing list separated by colon (:). Each entry
                     consists  of  a  host  name  or  IP Address of the server
                     hosting the service, transport protocol, and port  number
                     of the service separated by a pound sign (#).

              -addservicehost service_host_list
                     Specifies  the list of servicehost entries to be added to
                     the existing list separated  by  colon  (:).  Each  entry
                     consists  of  a  host  name  or  IP Address of the server
                     hosting the service, transport protocol, and port  number
                     of the service separated by a pound sign (#).

              -realm realm_list
                     Specifies  the  list  of realms that are to be associated
                     with this service. The list  contains  the  name  of  the
                     realms  separated  by a colon (:). This list replaces the
                     existing list.

              -clearrealm realm_list
                     Specifies the list of  realms  to  be  removed  from  the
                     existing  list.  The list contains the name of the realms
                     separated by a colon (:).

              -addrealm realm_list
                     Specifies the list of realms to be added to the  existing
                     list.  The list contains the name of the realms separated
                     by a colon (:).

              service_dn
                     Specifies Distinguished name (DN) of the Kerberos service
                     to be modified.

              EXAMPLE:
                     kdb5_ldap_util  -D  cn=admin,o=org  modify_service -realm
                     ATHENA.MIT.EDU cn=service-kdc,o=org
                     Password for "cn=admin,o=org":
                     Changing rights for the service object. Please wait ... done

       view_service service_dn
              Displays the attributes of a service.  Options:

              service_dn
                     Specifies Distinguished name (DN) of the Kerberos service
                     to be viewed.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org view_service cn=service-
                     kdc,o=org
                     Password for "cn=admin,o=org":
                             Service dn: cn=service-kdc,o=org
                           Service type: kdc
                      Service host list:
                          Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security

       destroy_service [-force] [-f stashfilename] service_dn
              Destroys an existing service. Options:

              -force If specified, will not prompt  for  user’s  confirmation,
                     instead will force destruction of the service.

              -f stashfilename
                     Specifies  the complete path of the service password file
                     from where the  entry  corresponding  to  the  service_dn
                     needs to be removed.

              service_dn
                     Specifies Distinguished name (DN) of the Kerberos service
                     to be destroyed.

              EXAMPLE:
                     kdb5_ldap_util    -D    cn=admin,o=org    destroy_service
                     cn=service-kdc,o=org
                     Password for "cn=admin,o=org":
                     This will delete the service object ’cn=service-kdc,o=org’, are you sure?
                     (type ’yes’ to confirm)? yes
                     ** service object ’cn=service-kdc,o=org’ deleted.

       list_service [-basedn base_dn]
              Lists  the  name  of  services  under a given base in directory.
              Options:

              -basedn base_dn
                     Specifies the base DN for searching the service  objects,
                     limiting  the  search  to  a  particular subtree. If this
                     option is not provided, LDAP Server specific search  base
                     will  be used.  For eg, in the case of OpenLDAP, value of
                     defaultsearchbase from  slapd.conf  file  will  be  used,
                     where as in the case of eDirectory, the default value for
                     the base DN is Root.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org list_service
                     Password for "cn=admin,o=org":
                     cn=service-kdc,o=org
                     cn=service-adm,o=org
                     cn=service-pwd,o=org

SEE ALSO

       kadmin(8)

                                                             KDB5_LDAP_UTIL(8)