Provided by: krb5-kdc-ldap_1.10+dfsg~beta1-2_amd64 bug

NAME

       kdb5_ldap_util - Kerberos Configuration Utility

SYNOPSIS

       kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command [command_options]

DESCRIPTION

       kdb5_ldap_util  allows  an  administrator  to  manage realms, Kerberos services and ticket
       policies.

COMMAND-LINE OPTIONS

       -D user_dn
              Specifies the Distinguished name (DN) of the user  who  has  sufficient  rights  to
              perform the operation on the LDAP server.

       -w passwd
              Specifies the password of user_dn.  This option is not recommended.

       -H ldapuri
              Specifies the URI of the LDAP server.

COMMANDS

       create                  [-subtrees subtree_dn_list]                 [-sscope search_scope]
       [-containerref container_reference_dn]             [-k mkeytype]             [-kv mkeyVNO]
       [-m|-P password|-sf stashfilename]      [-s]      [-r realm]     [-kdcdn kdc_service_list]
       [-admindn admin_service_list]                                [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags]
              Creates realm in directory. Options:

              -subtrees subtree_dn_list
                     Specifies  the  list  of  subtrees containing the principals of a realm. The
                     list contains the DNs of the subtree objects separated by colon(:).

              -sscope search_scope
                     Specifies the scope for searching the principals  under  the  subtree.   The
                     possible values are 1 or one (one level), 2 or sub (subtrees).

              -containerref container_reference_dn
                     Specifies  the DN of the container object in which the principals of a realm
                     will be created.  If the container reference is not configured for a  realm,
                     the principals will be created in the realm container.

              -k mkeytype
                     Specifies  the  key  type  of the master key in the database; the default is
                     that given in kdc.conf.

              -kv mkeyVNO
                     Specifies the version number of the master key in the database; the  default
                     is 1. Note that 0 is not allowed.

              -m     Specifies  that  the  master  database  password should be read from the TTY
                     rather than fetched from a file on the disk.

              -P password
                     Specifies the master database password. This option is not recommended.

              -sf stashfilename
                     Specifies the stash file of the master database password.

              -s     Specifies that the stash file is to be created.

              -maxtktlife max_ticket_life
                     Specifies maximum ticket life for principals in this realm.

              -maxrenewlife max_renewable_ticket_life
                     Specifies maximum renewable life of tickets for principals in this realm.

              ticket_flags
                     Specifies the ticket flags. If this option is  not  specified,  by  default,
                     none of the flags are set. This means all the ticket options will be allowed
                     and no restriction will be set.

                     The various flags are:

              {-|+}allow_postdated
                     -allow_postdated prohibits  principals  from  obtaining  postdated  tickets.
                     (Sets  the  KRB5_KDB_DISALLOW_POSTDATED flag.)  +allow_postdated clears this
                     flag.

              {-|+}allow_forwardable
                     -allow_forwardable prohibits principals from obtaining forwardable  tickets.
                     (Sets  the  KRB5_KDB_DISALLOW_FORWARDABLE  flag.)  +allow_forwardable clears
                     this flag.

              {-|+}allow_renewable
                     -allow_renewable prohibits  principals  from  obtaining  renewable  tickets.
                     (Sets  the  KRB5_KDB_DISALLOW_RENEWABLE flag.)  +allow_renewable clears this
                     flag.

              {-|+}allow_proxiable
                     -allow_proxiable prohibits  principals  from  obtaining  proxiable  tickets.
                     (Sets  the  KRB5_KDB_DISALLOW_PROXIABLE flag.)  +allow_proxiable clears this
                     flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey  Disables  user-to-user  authentication  for  principals  by
                     prohibiting  principals from obtaining a session key for another user. (Sets
                     the KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears this flag.

              {-|+}requires_preauth
                     +requires_preauth  requires  principals  to  preauthenticate  before   being
                     allowed    to    kinit.    (Sets   the   KRB5_KDB_REQUIRES_PRE_AUTH   flag.)
                     -requires_preauth clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth requires principals to  preauthenticate  using  a  hardware
                     device  before  being allowed to kinit.  (Sets the KRB5_KDB_REQUIRES_HW_AUTH
                     flag.)  -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets for principals.   (Sets
                     the KRB5_KDB_DISALLOW_SVR flag.)  +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req  specifies that a Ticket-Granting Service (TGS) request for a
                     service ticket for principals is not permitted.  This option is useless  for
                     most   things.    +allow_tgs_req   clears   this   flag.    The  default  is
                     +allow_tgs_req.       In      effect,      -allow_tgs_req      sets      the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database.

              {-|+}allow_tix
                     -allow_tix  forbids  the issuance of any tickets for principals.  +allow_tix
                     clears this flag.  The default is +allow_tix.  In  effect,  -allow_tix  sets
                     the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database.

              {-|+}needchange
                     +needchange  sets  a  flag  in  attributes field to force a password change;
                     -needchange clears it. The default is -needchange.  In  effect,  +needchange
                     sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.

              {-|+}password_changing_service
                     +password_changing_service  sets  a  flag  in  the  attributes field marking
                     principal as a password change service principal (useless for most  things).
                     -password_changing_service  clears  the  flag. This flag intentionally has a
                     long  name.  The  default   is   -password_changing_service.    In   effect,
                     +password_changing_service   sets   the  KRB5_KDB_PWCHANGE_SERVICE  flag  on
                     principals in the database.

              -r realm
                     Specifies the Kerberos realm of the database; by default the realm  returned
                     by krb5_default_local_realm(3) is used.

              Command Options Specific to eDirectory

              -kdcdn kdc_service_list
                     Specifies  the  list  of  KDC  service  objects  serving the realm. The list
                     contains the DNs of the KDC service objects separated by colon(:).

              -admindn admin_service_list
                     Specifies the list of Administration service objects serving the realm.  The
                     list  contains  the  DNs  of the Administration service objects separated by
                     colon(:).

              EXAMPLE:
                     kdb5_ldap_util  -D  cn=admin,o=org  -H  ldaps://ldap-server1.mit.edu  create
                     -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                     Initializing database for realm 'ATHENA.MIT.EDU'
                     You will be prompted for the database Master Password.
                     It is important that you NOT FORGET this password.
                     Enter KDC database master key:
                     Re-enter KDC database master key to verify:

       modify                  [-subtrees subtree_dn_list]                 [-sscope search_scope]
       [-containerref container_reference_dn]     [-r realm]      [-kdcdn kdc_service_list      |
       [-clearkdcdn kdc_service_list]  [-addkdcdn kdc_service_list]] [-admindn admin_service_list
       |           [-clearadmindn admin_service_list]           [-addadmindn admin_service_list]]
       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

              Modifies the attributes of a realm. Options:

              -subtrees subtree_dn_list
                     Specifies  the  list  of subtrees containing the principals of a realm.  The
                     list contains the DNs of the subtree objects  separated  by  colon(:).  This
                     list replaces the existing list.

              -sscope search_scope
                     Specifies  the  scope  for searching the principals under the subtrees.  The
                     possible values are 1 or one (one level), 2 or sub (subtrees).

              -containerref container_reference_dn
                     Specifies the DN of the container object in which the principals of a  realm
                     will be created.

              -maxtktlife max_ticket_life
                     Specifies maximum ticket life for principals in this realm.

              -maxrenewlife max_renewable_ticket_life
                     Specifies maximum renewable life of tickets for principals in this realm.

              ticket_flags
                     Specifies  the  ticket  flags.  If this option is not specified, by default,
                     none of the flags are set. This means all the ticket options will be allowed
                     and no restriction will be set.

                     The various flags are:

              {-|+}allow_postdated
                     -allow_postdated  prohibits  principals  from  obtaining  postdated tickets.
                     (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.)  +allow_postdated  clears  this
                     flag.

              {-|+}allow_forwardable
                     -allow_forwardable  prohibits principals from obtaining forwardable tickets.
                     (Sets the KRB5_KDB_DISALLOW_FORWARDABLE  flag.)   +allow_forwardable  clears
                     this flag.

              {-|+}allow_renewable
                     -allow_renewable  prohibits  principals  from  obtaining  renewable tickets.
                     (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.)  +allow_renewable  clears  this
                     flag.

              {-|+}allow_proxiable
                     -allow_proxiable  prohibits  principals  from  obtaining  proxiable tickets.
                     (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.)  +allow_proxiable  clears  this
                     flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey  Disables  user-to-user  authentication  for  principals  by
                     prohibiting principals from obtaining a session key for another user.  (Sets
                     the KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears this flag.

              {-|+}requires_preauth
                     +requires_preauth   requires  principals  to  preauthenticate  before  being
                     allowed   to   kinit.    (Sets   the    KRB5_KDB_REQUIRES_PRE_AUTH    flag.)
                     -requires_preauth clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth  requires  principals  to  preauthenticate using a hardware
                     device before being allowed to kinit.  (Sets  the  KRB5_KDB_REQUIRES_HW_AUTH
                     flag.)  -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr  prohibits the issuance of service tickets for principals.  (Sets
                     the KRB5_KDB_DISALLOW_SVR flag.)  +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for  a
                     service  ticket for principals is not permitted.  This option is useless for
                     most  things.   +allow_tgs_req   clears   this   flag.    The   default   is
                     +allow_tgs_req.       In      effect,      -allow_tgs_req      sets      the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database.

              {-|+}allow_tix
                     -allow_tix forbids the issuance of any tickets for  principals.   +allow_tix
                     clears  this  flag.   The default is +allow_tix.  In effect, -allow_tix sets
                     the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database.

              {-|+}needchange
                     +needchange sets a flag in attributes field  to  force  a  password  change;
                     -needchange  clears  it. The default is -needchange.  In effect, +needchange
                     sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.

              {-|+}password_changing_service
                     +password_changing_service sets a  flag  in  the  attributes  field  marking
                     principal  as a password change service principal (useless for most things).
                     -password_changing_service clears the flag. This flag  intentionally  has  a
                     long   name.   The   default   is  -password_changing_service.   In  effect,
                     +password_changing_service  sets  the  KRB5_KDB_PWCHANGE_SERVICE   flag   on
                     principals in the database.

              -r realm
                     Specifies  the Kerberos realm of the database; by default the realm returned
                     by krb5_default_local_realm(3) is used.

              Command Options Specific to eDirectory

              -kdcdn kdc_service_list
                     Specifies the list of KDC  service  objects  serving  the  realm.  The  list
                     contains  the  DNs of the KDC service objects separated by a colon (:). This
                     list replaces the existing list.

              -clearkdcdn kdc_service_list
                     Specifies the list of KDC service objects that need to be removed  from  the
                     existing  list.  The  list  contains  the  DNs  of  the  KDC service objects
                     separated by a colon (:).

              -addkdcdn kdc_service_list
                     Specifies the list of KDC service objects that  need  to  be  added  to  the
                     existing  list.  The  list  contains  the  DNs  of  the  KDC service objects
                     separated by a colon (:).

              -admindn admin_service_list
                     Specifies the list of Administration service objects serving the realm.  The
                     list  contains  the DNs of the Administration service objects separated by a
                     colon (:). This list replaces the existing list.

              -clearadmindn admin_service_list
                     Specifies the list of Administration service objects that need to be removed
                     from  the  existing  list.  The  list contains the DNs of the Administration
                     service objects separated by a colon (:).

              -addadmindn admin_service_list
                     Specifies the list of Administration service objects that need to  be  added
                     to  the  existing  list.  The  list  contains  the DNs of the Administration
                     service objects separated by a colon (:).

              EXAMPLE:
                     kdb5_ldap_util  -D  cn=admin,o=org  -H  ldaps://ldap-server1.mit.edu  modify
                     +requires_preauth -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":

       view [-r realm]
              Displays the attributes of a realm.  Options:

              -r realm
                     Specifies  the Kerberos realm of the database; by default the realm returned
                     by krb5_default_local_realm(3) is used.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org  -H  ldaps://ldap-server1.mit.edu  view  -r
                     ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                                    Realm Name: ATHENA.MIT.EDU
                                       Subtree: ou=users,o=org
                                       Subtree: ou=servers,o=org
                                   SearchScope: ONE
                           Maximum ticket life: 0 days 01:00:00
                        Maximum renewable life: 0 days 10:00:00
                                  Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

       destroy [-f] [-r realm]
              Destroys an existing realm. Options:

              -f     If specified, will not prompt the user for confirmation.

              -r realm
                     Specifies  the Kerberos realm of the database; by default the realm returned
                     by krb5_default_local_realm(3) is used.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy  -r
                     ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                     Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
                     (type 'yes' to confirm)? yes
                     OK, deleting database of 'ATHENA.MIT.EDU'...

       list

              Lists the name of realms.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
                     Password for "cn=admin,o=org":
                     ATHENA.MIT.EDU
                     OPENLDAP.MIT.EDU
                     MEDIA-LAB.MIT.EDU

       stashsrvpw [-f filename] servicedn
              Allows  an administrator to store the password for service object in a file so that
              KDC and Administration server can use  it  to  authenticate  to  the  LDAP  server.
              Options:

              -f filename
                     Specifies  the  complete  path  of  the  service  password file. By default,
                     /usr/local/var/service_passwd is used.

              servicedn
                     Specifies Distinguished name (DN) of the service object whose password is to
                     be stored in file.

              EXAMPLE:
                     kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
                     Password for "cn=service-kdc,o=org":
                     Re-enter password for "cn=service-kdc,o=org":

       create_policy                   [-r realm]                   [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
              Creates a ticket policy in directory. Options:

              -r realm
                     Specifies the Kerberos realm of the database; by default the realm  returned
                     by krb5_default_local_realm(3) is used.

              -maxtktlife max_ticket_life
                     Specifies maximum ticket life for principals.

              -maxrenewlife max_renewable_ticket_life
                     Specifies maximum renewable life of tickets for principals.

              ticket_flags
                     Specifies  the  ticket  flags.  If this option is not specified, by default,
                     none of the flags are set. This means all the ticket options will be allowed
                     and no restriction will be set.

                     The various flags are:

              {-|+}allow_postdated
                     -allow_postdated  prohibits  principals  from  obtaining  postdated tickets.
                     (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.)  +allow_postdated  clears  this
                     flag.

              {-|+}allow_forwardable
                     -allow_forwardable  prohibits principals from obtaining forwardable tickets.
                     (Sets the KRB5_KDB_DISALLOW_FORWARDABLE  flag.)   +allow_forwardable  clears
                     this flag.

              {-|+}allow_renewable
                     -allow_renewable  prohibits  principals  from  obtaining  renewable tickets.
                     (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.)  +allow_renewable  clears  this
                     flag.

              {-|+}allow_proxiable
                     -allow_proxiable  prohibits  principals  from  obtaining  proxiable tickets.
                     (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.)  +allow_proxiable  clears  this
                     flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey  Disables  user-to-user  authentication  for  principals  by
                     prohibiting principals from obtaining a session key for another user.  (Sets
                     the KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears this flag.

              {-|+}requires_preauth
                     +requires_preauth   requires  principals  to  preauthenticate  before  being
                     allowed   to   kinit.    (Sets   the    KRB5_KDB_REQUIRES_PRE_AUTH    flag.)
                     -requires_preauth clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth  requires  principals  to  preauthenticate using a hardware
                     device before being allowed to kinit.  (Sets  the  KRB5_KDB_REQUIRES_HW_AUTH
                     flag.)  -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr  prohibits the issuance of service tickets for principals.  (Sets
                     the KRB5_KDB_DISALLOW_SVR flag.)  +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for  a
                     service  ticket for principals is not permitted.  This option is useless for
                     most  things.   +allow_tgs_req   clears   this   flag.    The   default   is
                     +allow_tgs_req.       In      effect,      -allow_tgs_req      sets      the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database.

              {-|+}allow_tix
                     -allow_tix forbids the issuance of any tickets for  principals.   +allow_tix
                     clears  this  flag.   The default is +allow_tix.  In effect, -allow_tix sets
                     the KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the database.

              {-|+}needchange
                     +needchange sets a flag in attributes field  to  force  a  password  change;
                     -needchange  clears  it. The default is -needchange.  In effect, +needchange
                     sets the KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.

              {-|+}password_changing_service
                     +password_changing_service sets a  flag  in  the  attributes  field  marking
                     principal  as a password change service principal (useless for most things).
                     -password_changing_service clears the flag. This flag  intentionally  has  a
                     long   name.   The   default   is  -password_changing_service.   In  effect,
                     +password_changing_service  sets  the  KRB5_KDB_PWCHANGE_SERVICE   flag   on
                     principals in the database.

              policy_name
                     Specifies the name of the ticket policy.

              EXAMPLE:
                     kdb5_ldap_util    -D    cn=admin,o=org    -H    ldaps://ldap-server1.mit.edu
                     create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife  "1  week"
                     -allow_postdated +needchange -allow_forwardable tktpolicy
                     Password for "cn=admin,o=org":

       modify_policy                   [-r realm]                   [-maxtktlife max_ticket_life]
       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
              Modifies the attributes of a ticket policy. Options are same as create_policy.

              -r realm
                     Specifies the Kerberos realm of the database; by default the realm  returned
                     by krb5_default_local_realm(3) is used.

              EXAMPLE:
                     kdb5_ldap_util    -D    cn=admin,o=org    -H    ldaps://ldap-server1.mit.edu
                     modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes"  -maxrenewlife  "10
                     hours" +allow_postdated -requires_preauth tktpolicy
                     Password for "cn=admin,o=org":

       view_policy [-r realm] policy_name
              Displays the attributes of a ticket policy. Options:

              policy_name
                     Specifies the name of the ticket policy.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy
                     -r ATHENA.MIT.EDU tktpolicy
                     Password for "cn=admin,o=org":
                                 Ticket policy: tktpolicy
                           Maximum ticket life: 0 days 01:00:00
                        Maximum renewable life: 0 days 10:00:00
                                  Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

       destroy_policy [-r realm] [-force] policy_name
              Destroys an existing ticket policy. Options:

              -r realm
                     Specifies the Kerberos realm of the database; by default the realm  returned
                     by krb5_default_local_realm(3) is used.

              -force Forces the deletion of the policy object. If not specified, will be prompted
                     for confirmation while  deleting  the  policy.  Enter  yes  to  confirm  the
                     deletion.

              policy_name
                     Specifies the name of the ticket policy.

              EXAMPLE:
                     kdb5_ldap_util    -D    cn=admin,o=org    -H    ldaps://ldap-server1.mit.edu
                     destroy_policy -r ATHENA.MIT.EDU tktpolicy
                     Password for "cn=admin,o=org":
                     This will delete the policy object 'tktpolicy', are you sure?
                     (type 'yes' to confirm)? yes
                     ** policy object 'tktpolicy' deleted.

       list_policy [-r realm]
              Lists the ticket policies in realm if specified or in the default realm.  Options:

              -r realm
                     Specifies the Kerberos realm of the database; by default the realm  returned
                     by krb5_default_local_realm(3) is used.

              EXAMPLE:
                     kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy
                     -r ATHENA.MIT.EDU
                     Password for "cn=admin,o=org":
                     tktpolicy
                     tmppolicy
                     userpolicy

SEE ALSO

       kadmin(8)

                                                                                KDB5_LDAP_UTIL(8)