Provided by:
krb5-kdc-ldap_1.10.1+dfsg-2_i386 
NAME
kdb5_ldap_util - Kerberos Configuration Utility
SYNOPSIS
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command
[command_options]
DESCRIPTION
kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.
COMMAND-LINE OPTIONS
-D user_dn
Specifies the Distinguished name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.
-w passwd
Specifies the password of user_dn. This option is not
recommended.
-H ldapuri
Specifies the URI of the LDAP server.
COMMANDS
create [-subtrees subtree_dn_list] [-sscope search_scope]
[-containerref container_reference_dn] [-k mkeytype] [-kv mkeyVNO]
[-m|-P password|-sf stashfilename] [-s] [-r realm]
[-kdcdn kdc_service_list] [-admindn admin_service_list]
[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
Creates realm in directory. Options:
-subtrees subtree_dn_list
Specifies the list of subtrees containing the principals
of a realm. The list contains the DNs of the subtree
objects separated by colon(:).
-sscope search_scope
Specifies the scope for searching the principals under
the subtree. The possible values are 1 or one (one
level), 2 or sub (subtrees).
-containerref container_reference_dn
Specifies the DN of the container object in which the
principals of a realm will be created. If the container
reference is not configured for a realm, the principals
will be created in the realm container.
-k mkeytype
Specifies the key type of the master key in the database;
the default is that given in kdc.conf.
-kv mkeyVNO
Specifies the version number of the master key in the
database; the default is 1. Note that 0 is not allowed.
-m Specifies that the master database password should be
read from the TTY rather than fetched from a file on the
disk.
-P password
Specifies the master database password. This option is
not recommended.
-sf stashfilename
Specifies the stash file of the master database password.
-s Specifies that the stash file is to be created.
-maxtktlife max_ticket_life
Specifies maximum ticket life for principals in this
realm.
-maxrenewlife max_renewable_ticket_life
Specifies maximum renewable life of tickets for
principals in this realm.
ticket_flags
Specifies the ticket flags. If this option is not
specified, by default, none of the flags are set. This
means all the ticket options will be allowed and no
restriction will be set.
The various flags are:
{-|+}allow_postdated
-allow_postdated prohibits principals from obtaining
postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED
flag.) +allow_postdated clears this flag.
{-|+}allow_forwardable
-allow_forwardable prohibits principals from obtaining
forwardable tickets. (Sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable
clears this flag.
{-|+}allow_renewable
-allow_renewable prohibits principals from obtaining
renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
flag.) +allow_renewable clears this flag.
{-|+}allow_proxiable
-allow_proxiable prohibits principals from obtaining
proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE
flag.) +allow_proxiable clears this flag.
{-|+}allow_dup_skey
-allow_dup_skey Disables user-to-user authentication for
principals by prohibiting principals from obtaining a
session key for another user. (Sets the
KRB5_KDB_DISALLOW_DUP_SKEY flag.) +allow_dup_skey clears
this flag.
{-|+}requires_preauth
+requires_preauth requires principals to preauthenticate
before being allowed to kinit. (Sets the
KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth
clears this flag.
{-|+}requires_hwauth
+requires_hwauth requires principals to preauthenticate
using a hardware device before being allowed to kinit.
(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
-requires_hwauth clears this flag.
{-|+}allow_svr
-allow_svr prohibits the issuance of service tickets for
principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.)
+allow_svr clears this flag.
{-|+}allow_tgs_req
-allow_tgs_req specifies that a Ticket-Granting Service
(TGS) request for a service ticket for principals is not
permitted. This option is useless for most things.
+allow_tgs_req clears this flag. The default is
+allow_tgs_req. In effect, -allow_tgs_req sets the
KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the
database.
{-|+}allow_tix
-allow_tix forbids the issuance of any tickets for
principals. +allow_tix clears this flag. The default is
+allow_tix. In effect, -allow_tix sets the
KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the
database.
{-|+}needchange
+needchange sets a flag in attributes field to force a
password change; -needchange clears it. The default is
-needchange. In effect, +needchange sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the
database.
{-|+}password_changing_service
+password_changing_service sets a flag in the attributes
field marking principal as a password change service
principal (useless for most things).
-password_changing_service clears the flag. This flag
intentionally has a long name. The default is
-password_changing_service. In effect,
+password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on principals in the
database.
-r realm
Specifies the Kerberos realm of the database; by default
the realm returned by krb5_default_local_realm(3) is
used.
Command Options Specific to eDirectory
-kdcdn kdc_service_list
Specifies the list of KDC service objects serving the
realm. The list contains the DNs of the KDC service
objects separated by colon(:).
-admindn admin_service_list
Specifies the list of Administration service objects
serving the realm. The list contains the DNs of the
Administration service objects separated by colon(:).
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-
server1.mit.edu create -subtrees o=org -sscope SUB -r
ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
modify [-subtrees subtree_dn_list] [-sscope search_scope]
[-containerref container_reference_dn] [-r realm]
[-kdcdn kdc_service_list | [-clearkdcdn kdc_service_list]
[-addkdcdn kdc_service_list]] [-admindn admin_service_list |
[-clearadmindn admin_service_list] [-addadmindn admin_service_list]]
[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
Modifies the attributes of a realm. Options:
-subtrees subtree_dn_list
Specifies the list of subtrees containing the principals
of a realm. The list contains the DNs of the subtree
objects separated by colon(:). This list replaces the
existing list.
-sscope search_scope
Specifies the scope for searching the principals under
the subtrees. The possible values are 1 or one (one
level), 2 or sub (subtrees).
-containerref container_reference_dn
Specifies the DN of the container object in which the
principals of a realm will be created.
-maxtktlife max_ticket_life
Specifies maximum ticket life for principals in this
realm.
-maxrenewlife max_renewable_ticket_life
Specifies maximum renewable life of tickets for
principals in this realm.
ticket_flags
Specifies the ticket flags. If this option is not
specified, by default, none of the flags are set. This
means all the ticket options will be allowed and no
restriction will be set.
The various flags are:
{-|+}allow_postdated
-allow_postdated prohibits principals from obtaining
postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED
flag.) +allow_postdated clears this flag.
{-|+}allow_forwardable
-allow_forwardable prohibits principals from obtaining
forwardable tickets. (Sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable
clears this flag.
{-|+}allow_renewable
-allow_renewable prohibits principals from obtaining
renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
flag.) +allow_renewable clears this flag.
{-|+}allow_proxiable
-allow_proxiable prohibits principals from obtaining
proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE
flag.) +allow_proxiable clears this flag.
{-|+}allow_dup_skey
-allow_dup_skey Disables user-to-user authentication for
principals by prohibiting principals from obtaining a
session key for another user. (Sets the
KRB5_KDB_DISALLOW_DUP_SKEY flag.) +allow_dup_skey clears
this flag.
{-|+}requires_preauth
+requires_preauth requires principals to preauthenticate
before being allowed to kinit. (Sets the
KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth
clears this flag.
{-|+}requires_hwauth
+requires_hwauth requires principals to preauthenticate
using a hardware device before being allowed to kinit.
(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
-requires_hwauth clears this flag.
{-|+}allow_svr
-allow_svr prohibits the issuance of service tickets for
principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.)
+allow_svr clears this flag.
{-|+}allow_tgs_req
-allow_tgs_req specifies that a Ticket-Granting Service
(TGS) request for a service ticket for principals is not
permitted. This option is useless for most things.
+allow_tgs_req clears this flag. The default is
+allow_tgs_req. In effect, -allow_tgs_req sets the
KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the
database.
{-|+}allow_tix
-allow_tix forbids the issuance of any tickets for
principals. +allow_tix clears this flag. The default is
+allow_tix. In effect, -allow_tix sets the
KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the
database.
{-|+}needchange
+needchange sets a flag in attributes field to force a
password change; -needchange clears it. The default is
-needchange. In effect, +needchange sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the
database.
{-|+}password_changing_service
+password_changing_service sets a flag in the attributes
field marking principal as a password change service
principal (useless for most things).
-password_changing_service clears the flag. This flag
intentionally has a long name. The default is
-password_changing_service. In effect,
+password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on principals in the
database.
-r realm
Specifies the Kerberos realm of the database; by default
the realm returned by krb5_default_local_realm(3) is
used.
Command Options Specific to eDirectory
-kdcdn kdc_service_list
Specifies the list of KDC service objects serving the
realm. The list contains the DNs of the KDC service
objects separated by a colon (:). This list replaces the
existing list.
-clearkdcdn kdc_service_list
Specifies the list of KDC service objects that need to be
removed from the existing list. The list contains the DNs
of the KDC service objects separated by a colon (:).
-addkdcdn kdc_service_list
Specifies the list of KDC service objects that need to be
added to the existing list. The list contains the DNs of
the KDC service objects separated by a colon (:).
-admindn admin_service_list
Specifies the list of Administration service objects
serving the realm. The list contains the DNs of the
Administration service objects separated by a colon (:).
This list replaces the existing list.
-clearadmindn admin_service_list
Specifies the list of Administration service objects that
need to be removed from the existing list. The list
contains the DNs of the Administration service objects
separated by a colon (:).
-addadmindn admin_service_list
Specifies the list of Administration service objects that
need to be added to the existing list. The list contains
the DNs of the Administration service objects separated
by a colon (:).
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-
server1.mit.edu modify +requires_preauth -r
ATHENA.MIT.EDU
Password for "cn=admin,o=org":
view [-r realm]
Displays the attributes of a realm. Options:
-r realm
Specifies the Kerberos realm of the database; by default
the realm returned by krb5_default_local_realm(3) is
used.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-
server1.mit.edu view -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
destroy [-f] [-r realm]
Destroys an existing realm. Options:
-f If specified, will not prompt the user for confirmation.
-r realm
Specifies the Kerberos realm of the database; by default
the realm returned by krb5_default_local_realm(3) is
used.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-
server1.mit.edu destroy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...
list
Lists the name of realms.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
Password for "cn=admin,o=org":
ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA-LAB.MIT.EDU
stashsrvpw [-f filename] servicedn
Allows an administrator to store the password for service object
in a file so that KDC and Administration server can use it to
authenticate to the LDAP server. Options:
-f filename
Specifies the complete path of the service password file.
By default, /usr/local/var/service_passwd is used.
servicedn
Specifies Distinguished name (DN) of the service object
whose password is to be stored in file.
EXAMPLE:
kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
cn=service-kdc,o=org
Password for "cn=service-kdc,o=org":
Re-enter password for "cn=service-kdc,o=org":
create_policy [-r realm] [-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
Creates a ticket policy in directory. Options:
-r realm
Specifies the Kerberos realm of the database; by default
the realm returned by krb5_default_local_realm(3) is
used.
-maxtktlife max_ticket_life
Specifies maximum ticket life for principals.
-maxrenewlife max_renewable_ticket_life
Specifies maximum renewable life of tickets for
principals.
ticket_flags
Specifies the ticket flags. If this option is not
specified, by default, none of the flags are set. This
means all the ticket options will be allowed and no
restriction will be set.
The various flags are:
{-|+}allow_postdated
-allow_postdated prohibits principals from obtaining
postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED
flag.) +allow_postdated clears this flag.
{-|+}allow_forwardable
-allow_forwardable prohibits principals from obtaining
forwardable tickets. (Sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable
clears this flag.
{-|+}allow_renewable
-allow_renewable prohibits principals from obtaining
renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE
flag.) +allow_renewable clears this flag.
{-|+}allow_proxiable
-allow_proxiable prohibits principals from obtaining
proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE
flag.) +allow_proxiable clears this flag.
{-|+}allow_dup_skey
-allow_dup_skey Disables user-to-user authentication for
principals by prohibiting principals from obtaining a
session key for another user. (Sets the
KRB5_KDB_DISALLOW_DUP_SKEY flag.) +allow_dup_skey clears
this flag.
{-|+}requires_preauth
+requires_preauth requires principals to preauthenticate
before being allowed to kinit. (Sets the
KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth
clears this flag.
{-|+}requires_hwauth
+requires_hwauth requires principals to preauthenticate
using a hardware device before being allowed to kinit.
(Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
-requires_hwauth clears this flag.
{-|+}allow_svr
-allow_svr prohibits the issuance of service tickets for
principals. (Sets the KRB5_KDB_DISALLOW_SVR flag.)
+allow_svr clears this flag.
{-|+}allow_tgs_req
-allow_tgs_req specifies that a Ticket-Granting Service
(TGS) request for a service ticket for principals is not
permitted. This option is useless for most things.
+allow_tgs_req clears this flag. The default is
+allow_tgs_req. In effect, -allow_tgs_req sets the
KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the
database.
{-|+}allow_tix
-allow_tix forbids the issuance of any tickets for
principals. +allow_tix clears this flag. The default is
+allow_tix. In effect, -allow_tix sets the
KRB5_KDB_DISALLOW_ALL_TIX flag on principals in the
database.
{-|+}needchange
+needchange sets a flag in attributes field to force a
password change; -needchange clears it. The default is
-needchange. In effect, +needchange sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the
database.
{-|+}password_changing_service
+password_changing_service sets a flag in the attributes
field marking principal as a password change service
principal (useless for most things).
-password_changing_service clears the flag. This flag
intentionally has a long name. The default is
-password_changing_service. In effect,
+password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on principals in the
database.
policy_name
Specifies the name of the ticket policy.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-
server1.mit.edu create_policy -r ATHENA.MIT.EDU
-maxtktlife "1 day" -maxrenewlife "1 week"
-allow_postdated +needchange -allow_forwardable tktpolicy
Password for "cn=admin,o=org":
modify_policy [-r realm] [-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_name
Modifies the attributes of a ticket policy. Options are same as
create_policy.
-r realm
Specifies the Kerberos realm of the database; by default
the realm returned by krb5_default_local_realm(3) is
used.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-
server1.mit.edu modify_policy -r ATHENA.MIT.EDU
-maxtktlife "60 minutes" -maxrenewlife "10 hours"
+allow_postdated -requires_preauth tktpolicy
Password for "cn=admin,o=org":
view_policy [-r realm] policy_name
Displays the attributes of a ticket policy. Options:
policy_name
Specifies the name of the ticket policy.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-
server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
destroy_policy [-r realm] [-force] policy_name
Destroys an existing ticket policy. Options:
-r realm
Specifies the Kerberos realm of the database; by default
the realm returned by krb5_default_local_realm(3) is
used.
-force Forces the deletion of the policy object. If not
specified, will be prompted for confirmation while
deleting the policy. Enter yes to confirm the deletion.
policy_name
Specifies the name of the ticket policy.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-
server1.mit.edu destroy_policy -r ATHENA.MIT.EDU
tktpolicy
Password for "cn=admin,o=org":
This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)? yes
** policy object 'tktpolicy' deleted.
list_policy [-r realm]
Lists the ticket policies in realm if specified or in the
default realm. Options:
-r realm
Specifies the Kerberos realm of the database; by default
the realm returned by krb5_default_local_realm(3) is
used.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-
server1.mit.edu list_policy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
tktpolicy
tmppolicy
userpolicy
SEE ALSO
kadmin(8)
KDB5_LDAP_UTIL(8)