|
Packit |
fd8b60 |
.\" Man page generated from reStructuredText.
|
|
Packit |
fd8b60 |
.
|
|
Packit |
fd8b60 |
.TH "KDB5_LDAP_UTIL" "8" " " "1.18.2" "MIT Kerberos"
|
|
Packit |
fd8b60 |
.SH NAME
|
|
Packit |
fd8b60 |
kdb5_ldap_util \- Kerberos configuration utility
|
|
Packit |
fd8b60 |
.
|
|
Packit |
fd8b60 |
.nr rst2man-indent-level 0
|
|
Packit |
fd8b60 |
.
|
|
Packit |
fd8b60 |
.de1 rstReportMargin
|
|
Packit |
fd8b60 |
\\$1 \\n[an-margin]
|
|
Packit |
fd8b60 |
level \\n[rst2man-indent-level]
|
|
Packit |
fd8b60 |
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
Packit |
fd8b60 |
-
|
|
Packit |
fd8b60 |
\\n[rst2man-indent0]
|
|
Packit |
fd8b60 |
\\n[rst2man-indent1]
|
|
Packit |
fd8b60 |
\\n[rst2man-indent2]
|
|
Packit |
fd8b60 |
..
|
|
Packit |
fd8b60 |
.de1 INDENT
|
|
Packit |
fd8b60 |
.\" .rstReportMargin pre:
|
|
Packit |
fd8b60 |
. RS \\$1
|
|
Packit |
fd8b60 |
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
Packit |
fd8b60 |
. nr rst2man-indent-level +1
|
|
Packit |
fd8b60 |
.\" .rstReportMargin post:
|
|
Packit |
fd8b60 |
..
|
|
Packit |
fd8b60 |
.de UNINDENT
|
|
Packit |
fd8b60 |
. RE
|
|
Packit |
fd8b60 |
.\" indent \\n[an-margin]
|
|
Packit |
fd8b60 |
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
Packit |
fd8b60 |
.nr rst2man-indent-level -1
|
|
Packit |
fd8b60 |
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
Packit |
fd8b60 |
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
Packit |
fd8b60 |
..
|
|
Packit |
fd8b60 |
.SH SYNOPSIS
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
\fBkdb5_ldap_util\fP
|
|
Packit |
fd8b60 |
[\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]]
|
|
Packit |
fd8b60 |
[\fB\-H\fP \fIldapuri\fP]
|
|
Packit |
fd8b60 |
\fBcommand\fP
|
|
Packit |
fd8b60 |
[\fIcommand_options\fP]
|
|
Packit |
fd8b60 |
.SH DESCRIPTION
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
kdb5_ldap_util allows an administrator to manage realms, Kerberos
|
|
Packit |
fd8b60 |
services and ticket policies.
|
|
Packit |
fd8b60 |
.SH COMMAND-LINE OPTIONS
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-r\fP \fIrealm\fP
|
|
Packit |
fd8b60 |
Specifies the realm to be operated on.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-D\fP \fIuser_dn\fP
|
|
Packit |
fd8b60 |
Specifies the Distinguished Name (DN) of the user who has
|
|
Packit |
fd8b60 |
sufficient rights to perform the operation on the LDAP server.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-w\fP \fIpasswd\fP
|
|
Packit |
fd8b60 |
Specifies the password of \fIuser_dn\fP\&. This option is not
|
|
Packit |
fd8b60 |
recommended.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-H\fP \fIldapuri\fP
|
|
Packit |
fd8b60 |
Specifies the URI of the LDAP server.
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
By default, kdb5_ldap_util operates on the default realm (as specified
|
|
Packit |
fd8b60 |
in krb5.conf(5)) and connects and authenticates to the LDAP
|
|
Packit |
fd8b60 |
server in the same manner as :ref:kadmind(8)\(ga would given the
|
|
Packit |
fd8b60 |
parameters in dbdefaults in kdc.conf(5)\&.
|
|
Packit |
fd8b60 |
.SH COMMANDS
|
|
Packit |
fd8b60 |
.SS create
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBcreate\fP
|
|
Packit |
fd8b60 |
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
|
|
Packit |
fd8b60 |
[\fB\-sscope\fP \fIsearch_scope\fP]
|
|
Packit |
fd8b60 |
[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
|
|
Packit |
fd8b60 |
[\fB\-k\fP \fImkeytype\fP]
|
|
Packit |
fd8b60 |
[\fB\-kv\fP \fImkeyVNO\fP]
|
|
Packit |
fd8b60 |
[\fB\-M\fP \fImkeyname\fP]
|
|
Packit |
fd8b60 |
[\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP]
|
|
Packit |
fd8b60 |
[\fB\-s\fP]
|
|
Packit |
fd8b60 |
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
|
|
Packit |
fd8b60 |
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
|
|
Packit |
fd8b60 |
[\fIticket_flags\fP]
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Creates realm in directory. Options:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-subtrees\fP \fIsubtree_dn_list\fP
|
|
Packit |
fd8b60 |
Specifies the list of subtrees containing the principals of a
|
|
Packit |
fd8b60 |
realm. The list contains the DNs of the subtree objects separated
|
|
Packit |
fd8b60 |
by colon (\fB:\fP).
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-sscope\fP \fIsearch_scope\fP
|
|
Packit |
fd8b60 |
Specifies the scope for searching the principals under the
|
|
Packit |
fd8b60 |
subtree. The possible values are 1 or one (one level), 2 or sub
|
|
Packit |
fd8b60 |
(subtrees).
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-containerref\fP \fIcontainer_reference_dn\fP
|
|
Packit |
fd8b60 |
Specifies the DN of the container object in which the principals
|
|
Packit |
fd8b60 |
of a realm will be created. If the container reference is not
|
|
Packit |
fd8b60 |
configured for a realm, the principals will be created in the
|
|
Packit |
fd8b60 |
realm container.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-k\fP \fImkeytype\fP
|
|
Packit |
fd8b60 |
Specifies the key type of the master key in the database. The
|
|
Packit |
fd8b60 |
default is given by the \fBmaster_key_type\fP variable in
|
|
Packit |
fd8b60 |
kdc.conf(5)\&.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-kv\fP \fImkeyVNO\fP
|
|
Packit |
fd8b60 |
Specifies the version number of the master key in the database;
|
|
Packit |
fd8b60 |
the default is 1. Note that 0 is not allowed.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-M\fP \fImkeyname\fP
|
|
Packit |
fd8b60 |
Specifies the principal name for the master key in the database.
|
|
Packit |
fd8b60 |
If not specified, the name is determined by the
|
|
Packit |
fd8b60 |
\fBmaster_key_name\fP variable in kdc.conf(5)\&.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-m\fP
|
|
Packit |
fd8b60 |
Specifies that the master database password should be read from
|
|
Packit |
fd8b60 |
the TTY rather than fetched from a file on the disk.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-P\fP \fIpassword\fP
|
|
Packit |
fd8b60 |
Specifies the master database password. This option is not
|
|
Packit |
fd8b60 |
recommended.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-sf\fP \fIstashfilename\fP
|
|
Packit |
fd8b60 |
Specifies the stash file of the master database password.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-s\fP
|
|
Packit |
fd8b60 |
Specifies that the stash file is to be created.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-maxtktlife\fP \fImax_ticket_life\fP
|
|
Packit |
fd8b60 |
(getdate string) Specifies maximum ticket life for
|
|
Packit |
fd8b60 |
principals in this realm.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
|
|
Packit |
fd8b60 |
(getdate string) Specifies maximum renewable life of
|
|
Packit |
fd8b60 |
tickets for principals in this realm.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
.B \fIticket_flags\fP
|
|
Packit |
fd8b60 |
Specifies global ticket flags for the realm. Allowable flags are
|
|
Packit |
fd8b60 |
documented in the description of the \fBadd_principal\fP command in
|
|
Packit |
fd8b60 |
kadmin(1)\&.
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
|
|
Packit |
fd8b60 |
\-r ATHENA.MIT.EDU create \-subtrees o=org \-sscope SUB
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
Initializing database for realm \(aqATHENA.MIT.EDU\(aq
|
|
Packit |
fd8b60 |
You will be prompted for the database Master Password.
|
|
Packit |
fd8b60 |
It is important that you NOT FORGET this password.
|
|
Packit |
fd8b60 |
Enter KDC database master key:
|
|
Packit |
fd8b60 |
Re\-enter KDC database master key to verify:
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS modify
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBmodify\fP
|
|
Packit |
fd8b60 |
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
|
|
Packit |
fd8b60 |
[\fB\-sscope\fP \fIsearch_scope\fP]
|
|
Packit |
fd8b60 |
[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
|
|
Packit |
fd8b60 |
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
|
|
Packit |
fd8b60 |
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
|
|
Packit |
fd8b60 |
[\fIticket_flags\fP]
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Modifies the attributes of a realm. Options:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-subtrees\fP \fIsubtree_dn_list\fP
|
|
Packit |
fd8b60 |
Specifies the list of subtrees containing the principals of a
|
|
Packit |
fd8b60 |
realm. The list contains the DNs of the subtree objects separated
|
|
Packit |
fd8b60 |
by colon (\fB:\fP). This list replaces the existing list.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-sscope\fP \fIsearch_scope\fP
|
|
Packit |
fd8b60 |
Specifies the scope for searching the principals under the
|
|
Packit |
fd8b60 |
subtrees. The possible values are 1 or one (one level), 2 or sub
|
|
Packit |
fd8b60 |
(subtrees).
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
|
|
Packit |
fd8b60 |
container object in which the principals of a realm will be
|
|
Packit |
fd8b60 |
created.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-maxtktlife\fP \fImax_ticket_life\fP
|
|
Packit |
fd8b60 |
(getdate string) Specifies maximum ticket life for
|
|
Packit |
fd8b60 |
principals in this realm.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
|
|
Packit |
fd8b60 |
(getdate string) Specifies maximum renewable life of
|
|
Packit |
fd8b60 |
tickets for principals in this realm.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
.B \fIticket_flags\fP
|
|
Packit |
fd8b60 |
Specifies global ticket flags for the realm. Allowable flags are
|
|
Packit |
fd8b60 |
documented in the description of the \fBadd_principal\fP command in
|
|
Packit |
fd8b60 |
kadmin(1)\&.
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
shell% kdb5_ldap_util \-r ATHENA.MIT.EDU \-D cn=admin,o=org \-H
|
|
Packit |
fd8b60 |
ldaps://ldap\-server1.mit.edu modify +requires_preauth
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
shell%
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS view
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBview\fP
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Displays the attributes of a realm.
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
|
|
Packit |
fd8b60 |
\-r ATHENA.MIT.EDU view
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
Realm Name: ATHENA.MIT.EDU
|
|
Packit |
fd8b60 |
Subtree: ou=users,o=org
|
|
Packit |
fd8b60 |
Subtree: ou=servers,o=org
|
|
Packit |
fd8b60 |
SearchScope: ONE
|
|
Packit |
fd8b60 |
Maximum ticket life: 0 days 01:00:00
|
|
Packit |
fd8b60 |
Maximum renewable life: 0 days 10:00:00
|
|
Packit |
fd8b60 |
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS destroy
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBdestroy\fP [\fB\-f\fP]
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Destroys an existing realm. Options:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-f\fP
|
|
Packit |
fd8b60 |
If specified, will not prompt the user for confirmation.
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
shell% kdb5_ldap_util \-r ATHENA.MIT.EDU \-D cn=admin,o=org \-H
|
|
Packit |
fd8b60 |
ldaps://ldap\-server1.mit.edu destroy
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure?
|
|
Packit |
fd8b60 |
(type \(aqyes\(aq to confirm)? yes
|
|
Packit |
fd8b60 |
OK, deleting database of \(aqATHENA.MIT.EDU\(aq...
|
|
Packit |
fd8b60 |
shell%
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS list
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBlist\fP
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Lists the names of realms under the container.
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
shell% kdb5_ldap_util \-D cn=admin,o=org \-H
|
|
Packit |
fd8b60 |
ldaps://ldap\-server1.mit.edu list
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
ATHENA.MIT.EDU
|
|
Packit |
fd8b60 |
OPENLDAP.MIT.EDU
|
|
Packit |
fd8b60 |
MEDIA\-LAB.MIT.EDU
|
|
Packit |
fd8b60 |
shell%
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS stashsrvpw
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBstashsrvpw\fP
|
|
Packit |
fd8b60 |
[\fB\-f\fP \fIfilename\fP]
|
|
Packit |
fd8b60 |
\fIname\fP
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Allows an administrator to store the password for service object in a
|
|
Packit |
fd8b60 |
file so that KDC and Administration server can use it to authenticate
|
|
Packit |
fd8b60 |
to the LDAP server. Options:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-f\fP \fIfilename\fP
|
|
Packit |
fd8b60 |
Specifies the complete path of the service password file. By
|
|
Packit |
fd8b60 |
default, \fB/usr/local/var/service_passwd\fP is used.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
.B \fIname\fP
|
|
Packit |
fd8b60 |
Specifies the name of the object whose password is to be stored.
|
|
Packit |
fd8b60 |
If krb5kdc(8) or kadmind(8) are configured for
|
|
Packit |
fd8b60 |
simple binding, this should be the distinguished name it will
|
|
Packit |
fd8b60 |
use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
|
|
Packit |
fd8b60 |
variable in kdc.conf(5)\&. If the KDC or kadmind is
|
|
Packit |
fd8b60 |
configured for SASL binding, this should be the authentication
|
|
Packit |
fd8b60 |
name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
|
|
Packit |
fd8b60 |
\fBldap_kadmind_sasl_authcid\fP variable.
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile
|
|
Packit |
fd8b60 |
cn=service\-kdc,o=org
|
|
Packit |
fd8b60 |
Password for "cn=service\-kdc,o=org":
|
|
Packit |
fd8b60 |
Re\-enter password for "cn=service\-kdc,o=org":
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS create_policy
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBcreate_policy\fP
|
|
Packit |
fd8b60 |
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
|
|
Packit |
fd8b60 |
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
|
|
Packit |
fd8b60 |
[\fIticket_flags\fP]
|
|
Packit |
fd8b60 |
\fIpolicy_name\fP
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Creates a ticket policy in the directory. Options:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-maxtktlife\fP \fImax_ticket_life\fP
|
|
Packit |
fd8b60 |
(getdate string) Specifies maximum ticket life for
|
|
Packit |
fd8b60 |
principals.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
|
|
Packit |
fd8b60 |
(getdate string) Specifies maximum renewable life of
|
|
Packit |
fd8b60 |
tickets for principals.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
.B \fIticket_flags\fP
|
|
Packit |
fd8b60 |
Specifies the ticket flags. If this option is not specified, by
|
|
Packit |
fd8b60 |
default, no restriction will be set by the policy. Allowable
|
|
Packit |
fd8b60 |
flags are documented in the description of the \fBadd_principal\fP
|
|
Packit |
fd8b60 |
command in kadmin(1)\&.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
.B \fIpolicy_name\fP
|
|
Packit |
fd8b60 |
Specifies the name of the ticket policy.
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
|
|
Packit |
fd8b60 |
\-r ATHENA.MIT.EDU create_policy \-maxtktlife "1 day"
|
|
Packit |
fd8b60 |
\-maxrenewlife "1 week" \-allow_postdated +needchange
|
|
Packit |
fd8b60 |
\-allow_forwardable tktpolicy
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS modify_policy
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBmodify_policy\fP
|
|
Packit |
fd8b60 |
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
|
|
Packit |
fd8b60 |
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
|
|
Packit |
fd8b60 |
[\fIticket_flags\fP]
|
|
Packit |
fd8b60 |
\fIpolicy_name\fP
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Modifies the attributes of a ticket policy. Options are same as for
|
|
Packit |
fd8b60 |
\fBcreate_policy\fP\&.
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
kdb5_ldap_util \-D cn=admin,o=org \-H
|
|
Packit |
fd8b60 |
ldaps://ldap\-server1.mit.edu \-r ATHENA.MIT.EDU modify_policy
|
|
Packit |
fd8b60 |
\-maxtktlife "60 minutes" \-maxrenewlife "10 hours"
|
|
Packit |
fd8b60 |
+allow_postdated \-requires_preauth tktpolicy
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS view_policy
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBview_policy\fP
|
|
Packit |
fd8b60 |
\fIpolicy_name\fP
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Displays the attributes of the named ticket policy.
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
|
|
Packit |
fd8b60 |
\-r ATHENA.MIT.EDU view_policy tktpolicy
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
Ticket policy: tktpolicy
|
|
Packit |
fd8b60 |
Maximum ticket life: 0 days 01:00:00
|
|
Packit |
fd8b60 |
Maximum renewable life: 0 days 10:00:00
|
|
Packit |
fd8b60 |
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS destroy_policy
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBdestroy_policy\fP
|
|
Packit |
fd8b60 |
[\fB\-force\fP]
|
|
Packit |
fd8b60 |
\fIpolicy_name\fP
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Destroys an existing ticket policy. Options:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
\fB\-force\fP
|
|
Packit |
fd8b60 |
Forces the deletion of the policy object. If not specified, the
|
|
Packit |
fd8b60 |
user will be prompted for confirmation before deleting the policy.
|
|
Packit |
fd8b60 |
.TP
|
|
Packit |
fd8b60 |
.B \fIpolicy_name\fP
|
|
Packit |
fd8b60 |
Specifies the name of the ticket policy.
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
|
|
Packit |
fd8b60 |
\-r ATHENA.MIT.EDU destroy_policy tktpolicy
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
This will delete the policy object \(aqtktpolicy\(aq, are you sure?
|
|
Packit |
fd8b60 |
(type \(aqyes\(aq to confirm)? yes
|
|
Packit |
fd8b60 |
** policy object \(aqtktpolicy\(aq deleted.
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SS list_policy
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
\fBlist_policy\fP
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Lists ticket policies.
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
Example:
|
|
Packit |
fd8b60 |
.INDENT 0.0
|
|
Packit |
fd8b60 |
.INDENT 3.5
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
.nf
|
|
Packit |
fd8b60 |
.ft C
|
|
Packit |
fd8b60 |
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
|
|
Packit |
fd8b60 |
\-r ATHENA.MIT.EDU list_policy
|
|
Packit |
fd8b60 |
Password for "cn=admin,o=org":
|
|
Packit |
fd8b60 |
tktpolicy
|
|
Packit |
fd8b60 |
tmppolicy
|
|
Packit |
fd8b60 |
userpolicy
|
|
Packit |
fd8b60 |
.ft P
|
|
Packit |
fd8b60 |
.fi
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.UNINDENT
|
|
Packit |
fd8b60 |
.SH ENVIRONMENT
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
See kerberos(7) for a description of Kerberos environment
|
|
Packit |
fd8b60 |
variables.
|
|
Packit |
fd8b60 |
.SH SEE ALSO
|
|
Packit |
fd8b60 |
.sp
|
|
Packit |
fd8b60 |
kadmin(1), kerberos(7)
|
|
Packit |
fd8b60 |
.SH AUTHOR
|
|
Packit |
fd8b60 |
MIT
|
|
Packit |
fd8b60 |
.SH COPYRIGHT
|
|
Packit |
fd8b60 |
1985-2020, MIT
|
|
Packit |
fd8b60 |
.\" Generated by docutils manpage writer.
|
|
Packit |
fd8b60 |
.
|