KDB5_LDAP_UTIL(8) Maintenance Commands and Procedures KDB5_LDAP_UTIL(8)
NAME
kdb5_ldap_util - Kerberos configuration utility
SYNOPSIS
kdb5_ldap_util [
-D user_dn [
-w passwd]] [
-H ldap_uri]
command [
command_options]
DESCRIPTION
The
kdb5_ldap_util utility allows an administrator to manage realms,
Kerberos services, and ticket policies. The utility offers a set of
general options, described under OPTIONS, and a set of commands,
which, in turn, have their own options. Commands and their options
are described in their own subsections, below.
OPTIONS
kdb5_ldap_util has a small set of general options that apply to the
kdb5_ldap_util utility itself and a larger number of options that
apply to specific commands. A number of these command-specific
options apply to multiple commands and are described in their own
section, below.
General Options
The following general options are supported:
-D user_dn Specifies the distinguished name (DN) of a user who has
sufficient rights to perform the operation on the LDAP server.
-H ldap_uri Specifies the URI of the LDAP server.
-w passwd Specifies the password of
user_dn. This option is not
recommended.
Common Command-specific Options The following options apply to a number of
kdb5_ldap_util commands.
-subtrees subtree_dn_list Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects separated
by a colon.
-sscope search_scope Specifies the scope for searching the principals under a subtree.
The possible values are 1 or
one (one level), 2 or
sub (subtrees).
-containerref container_reference_dn Specifies the DN of the container object in which the principals
of a realm will be created. If the container reference is not
configured for a realm, the principals will be created in the
realm container.
-maxtktlife max_ticket_life Specifies maximum ticket life for principals in this realm.
-maxrenewlife max_renewable_ticket_life Specifies maximum renewable life of tickets for principals in
this realm.
-r realm Specifies the Kerberos realm of the database; by default the
realm returned by
krb5_default_local_realm(3LIB) is used.
kdb5_ldap_util COMMANDS
The
kdb5_ldap_util utility comprises a set of commands, each with its
own set of options. These commands are described in the following
subsections.
The create Command
The
create command creates a realm in a directory. The command has
the following syntax:
create \
[-subtrees
subtree_dn_list]
[-sscope
search_scope]
[-containerref
container_reference_dn]
[-k
mkeytype]
[-m|-P
password| -sf
stashfilename]
[-s]
[-r
realm]
[-maxtktlife
max_ticket_life]
[-kdcdn
kdc_service_list]
[-admindn
admin_service_list]
[-maxrenewlife
max_renewable_ticket_life]
[
ticket_flags]
The
create command has the following options:
-subtree subtree_dn_list See "Common Command-specific Options," above.
-sscope search_scope See "Common Command-specific Options," above.
-containerref container_reference_dn See "Common Command-specific Options," above.
-k mkeytype Specifies the key type of the master key in the database; the
default is that given in
kdc.conf(5).
-m Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.
-P password Specifies the master database password. This option is not
recommended.
-sf stashfilename Specifies the stash file of the master database password.
-s Specifies that the stash file is to be created.
-maxtktlife max_ticket_life See "Common Command-specific Options," above.
-maxrenewlife max_renewable_ticket_life See "Common Command-specific Options," above.
-r realm See "Common Command-specific Options," above.
ticket_flags Specifies the ticket flags. If this option is not specified, by
default, none of the flags are set. This means all the ticket
options will be allowed and no restriction will be set. See
"Ticket Flags" for a list and descriptions of these flags.
The modify Command
The
modify command modifies the attributes of a realm. The command
has the following syntax:
modify \
[-subtrees
subtree_dn_list]
[-sscope
search_scope]
[-containerref
container_reference_dn]
[-r
realm]
[-maxtktlife
max_ticket_life]
[-maxrenewlife
max_renewable_ticket_life]
[
ticket_flags]
The
modify command has the following options:
-subtree subtree_dn_list See "Common Command-specific Options," above.
-sscope search_scope See "Common Command-specific Options," above.
-containerref container_reference_dn See "Common Command-specific Options," above.
-maxtktlife max_ticket_life See "Common Command-specific Options," above.
-maxrenewlife max_renewable_ticket_life See "Common Command-specific Options," above.
-r realm See "Common Command-specific Options," above.
ticket_flags Specifies the ticket flags. If this option is not specified, by
default, none of the flags are set. This means all the ticket
options will be allowed and no restriction will be set. See
"Ticket Flags" for a list and descriptions of these flags.
The view Command
The
view command displays the attributes of a realm. The command has
the following syntax:
view [-r
realm]
The
view command has the following option:
-r realm See "Common Command-specific Options," above.
The destroy Command
The
destroy command destroys a realm, including the master key stash
file. The command has the following syntax:
destroy [-f] [-r
realm]
The
destroy command has the following options:
-f If specified,
destroy does not prompt you for confirmation.
-r realm See "Common Command-specific Options," above.
The list Command
The
list command displays the names of realms. The command has the
following syntax:
list
The
list command has no options.
The stashsrvpw Command
The
stashsrvpw command enables you to store the password for service
object in a file so that a KDC and Administration server can use it
to authenticate to the LDAP server. The command has the following
syntax:
stashsrvpw [-f
filename]
servicedn The
stashsrvpw command has the following option and argument:
-f filename Specifies the complete path of the service password file. The
default is:
/var/krb5/service_passwd
servicedn Specifies the distinguished name (DN) of the service object whose
password is to be stored in file.
The create_policy Command
The
create_policy command creates a ticket policy in a directory. The
command has the following syntax:
create_policy \
[-r
realm]
[-maxtktlife
max_ticket_life]
[-maxrenewlife
max_renewable_ticket_life]
[
ticket_flags]
policy_name The
create_policy command has the following options:
-r realm See "Common Command-specific Options," above.
-maxtktlife max_ticket_life See "Common Command-specific Options," above.
-maxrenewlife max_renewable_ticket_life See "Common Command-specific Options," above.
ticket_flags Specifies the ticket flags. If this option is not specified, by
default, none of the flags are set. This means all the ticket
options will be allowed and no restriction will be set. See
"Ticket Flags" for a list and descriptions of these flags.
policy_name Specifies the name of the ticket policy.
The modify_policy Command
The
modify_policy command modifies the attributes of a ticket policy.
The command has the following syntax:
modify_policy \
[-r
realm]
[-maxtktlife
max_ticket_life]
[-maxrenewlife
max_renewable_ticket_life]
[
ticket_flags]
policy_name The
modify_policy command has the same options and argument as those
for the
create_policy command.
The view_policy Command
The
view_policy command displays the attributes of a ticket policy.
The command has the following syntax:
view_policy [-r
realm]
policy_name The
view_policy command has the following options:
-r realm See "Common Command-specific Options," above.
policy_name Specifies the name of the ticket policy.
The destroy_policy Command
The
destroy_policy command destroys an existing ticket policy. The
command has the following syntax:
destroy_policy [-r
realm] [-force]
policy_name The
destroy_policy command has the following options:
-r realm See "Common Command-specific Options," above.
-force Forces the deletion of the policy object. If not specified, you
will be prompted for confirmation before the policy is deleted.
Enter
yes to confirm the deletion.
policy_name Specifies the name of the ticket policy.
The list_policy Command
The
list_policy command lists the ticket policies in the default or a
specified realm. The command has the following syntax:
list_policy [-r
realm]
The
list_policy command has the following option:
-r realm See "Common Command-specific Options," above.
TICKET FLAGS
A number of
kdb5_ldap_util commands have
ticket_flag options. These
flags are described as follows:
{-|+}allow_dup_skey -allow_dup_skey disables user-to-user authentication for
principals by prohibiting principals from obtaining a session key
for another user. This setting sets the
KRB5_KDB_DISALLOW_DUP_SKEY flag.
+allow_dup_skey clears this
flag.
{-|+}allow_forwardable -allow_forwardable prohibits principals from obtaining
forwardable tickets. This setting sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag.
+allow_forwardable clears
this flag.
{-|+}allow_postdated -allow_postdated prohibits principals from obtaining postdated
tickets. This setting sets the
KRB5_KDB_DISALLOW_POSTDATED flag.
+allow_postdated clears this flag.
{-|+}allow_proxiable -allow_proxiable prohibits principals from obtaining proxiable
tickets. This setting sets the
KRB5_KDB_DISALLOW_PROXIABLE flag.
+allow_proxiable clears this flag.
{-|+}allow_renewable -allow_renewable prohibits principals from obtaining renewable
tickets. This setting sets the
KRB5_KDB_DISALLOW_RENEWABLE flag.
+allow_renewable clears this flag.
{-|+}allow_svr -allow_svr prohibits the issuance of service tickets for
principals. This setting sets the
KRB5_KDB_DISALLOW_SVR flag.
+allow_svr clears this flag.
{-|+}allow_tgs_req -allow_tgs_req specifies that a Ticket-Granting Service (TGS)
request for a service ticket for principals is not permitted.
This option is useless for most purposes.
+allow_tgs_req clears
this flag. The default is
+allow_tgs_req. In effect,
-allow_tgs_req sets the
KRB5_KDB_DISALLOW_TGT_BASED flag on
principals in the database.
{-|+}allow_tix -allow_tix forbids the issuance of any tickets for principals.
+allow_tix clears this flag. The default is
+allow_tix. In
effect,
-allow_tix sets the
KRB5_KDB_DISALLOW_ALL_TIX flag on
principals in the database.
{-|+}needchange +needchange sets a flag in the attributes field to force a
password change;
-needchange clears that flag. The default is
-needchange. In effect,
+needchange sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.
{-|+}password_changing_service +password_changing_service sets a flag in the attributes field
marking a principal as a password-change-service principal (a
designation that is most often not useful).
-password_changing_service clears the flag. That this flag has a
long name is intentional. The default is
-password_changing_service. In effect,
+password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on principals in the
database.
{-|+}requires_hwauth +requires_hwauth requires principals to preauthenticate using a
hardware device before being allowed to
kinit(1). This setting
sets the
KRB5_KDB_REQUIRES_HW_AUTH flag.
-requires_hwauth clears
this flag.
{-|+}requires_preauth +
requires_preauth requires principals to preauthenticate before
being allowed to
kinit(1). This setting sets the
KRB5_KDB_REQUIRES_PRE_AUTH flag.
-requires_preauth clears this
flag.
EXAMPLES
Example 1: Using create
The following is an example of the use of the
create command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \ create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU Password for "cn=admin,o=org":
password entered Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
master key entered Re-enter KDC database master key to verify:
master key re-entered Example 2: Using modify
The following is an example of the use of the
modify command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \ modify +requires_preauth -r ATHENA.MIT.EDU Password for "cn=admin,o=org":
password entered Password for "cn=admin,o=org":
password entered Example 3: Using view
The following is an example of the use of the
view command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \ view -r ATHENA.MIT.EDU Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
Example 4: Using destroy
The following is an example of the use of the
destroy command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \ destroy -r ATHENA.MIT.EDU Password for "cn=admin,o=org":
password entered Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)?
yes OK, deleting database of 'ATHENA.MIT.EDU'...
Example 5: Using list
The following is an example of the use of the
list command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list Password for "cn=admin,o=org":
password entered Re-enter Password for "cn=admin,o=org":
password re-entered ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA-LAB.MIT.EDU
Example 6: Using stashsrvpw
The following is an example of the use of the
stashsrvpw command.
#
kdb5_ldap_util stashsrvpw -f \ /home/andrew/conf_keyfile cn=service-kdc,o=org Password for "cn=service-kdc,o=org":
password entered Re-enter password for "cn=service-kdc,o=org":
password re-entered Example 7: Using create_policy
The following is an example of the use of the
create_policy command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \ create_policy -r ATHENA.MIT.EDU \ -maxtktlife "1 day" -maxrenewlife "1 week" \ -allow_postdated +needchange -allow_forwardable tktpolicy Password for "cn=admin,o=org":
password entered Example 8: Using modify_policy
The following is an example of the use of the
modify_policy command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \ modify_policy -r ATHENA.MIT.EDU \ -maxtktlife "60 minutes" -maxrenewlife "10 hours" \ +allow_postdated -requires_preauth tktpolicy Password for "cn=admin,o=org":
password entered Example 9: Using view_policy
The following is an example of the use of the
view_policy command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \ view_policy -r ATHENA.MIT.EDU tktpolicy Password for "cn=admin,o=org":
password entered Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
Example 10: Using destroy_policy
The following is an example of the use of the
destroy_policy command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \ destroy_policy -r ATHENA.MIT.EDU tktpolicy Password for "cn=admin,o=org":
password entered This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)?
yes ** policy object '
tktpolicy' deleted.
Example 11: Using list_policy
The following is an example of the use of the
list_policy command.
#
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \ list_policy -r ATHENA.MIT.EDU Password for "cn=admin,o=org":
password entered tktpolicy
tmppolicy
userpolicy
Example 12: Using setsrvpw
The following is an example of the use of the
setsrvpw command.
#
kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw \ -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org Password for "cn=admin,o=org":
password entered Password for "cn=service-kdc,o=org":
password entered Re-enter password for "cn=service-kdc,o=org":
password re-entered Example 13: Using create_service
The following is an example of the use of the
create_service command.
#
kdb5_ldap_util -D cn=admin,o=org create_service \ -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org Password for "cn=admin,o=org":
password entered File does not exist. Creating the file /home/andrew/conf_keyfile...
Example 14: Using modify_service
The following is an example of the use of the
modify_service command.
#
kdb5_ldap_util -D cn=admin,o=org modify_service \ -realm ATHENA.MIT.EDU cn=service-kdc,o=org Password for "cn=admin,o=org":
password entered Changing rights for the service object. Please wait ... done
Example 15: Using view_service
The following is an example of the use of the
view_service command.
#
kdb5_ldap_util -D cn=admin,o=org view_service \ cn=service-kdc,o=org Password for "cn=admin,o=org":
password entered Service dn: cn=service-kdc,o=org
Service type: kdc
Service host list:
Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
Example 16: Using destroy_service
The following is an example of the use of the
destroy_service command.
#
kdb5_ldap_util -D cn=admin,o=org destroy_service \ cn=service-kdc,o=org Password for "cn=admin,o=org":
password entered This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)?
yes ** service object 'cn=service-kdc,o=org' deleted.
Example 17: Using list_service
The following is an example of the use of the
list_service command.
#
kdb5_ldap_util -D cn=admin,o=org list_service Password for "cn=admin,o=org":
password entered cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Volatile |
+--------------------+-----------------+
SEE ALSO
kinit(1),
kdc.conf(5),
attributes(7),
kadmin(8) June 20, 2021 KDB5_LDAP_UTIL(8)
