path: root/src/man/kdb5_ldap_util.man
Diffstat (limited to 'src/man/kdb5_ldap_util.man')
-rw-r--r--src/man/kdb5_ldap_util.man549
1 files changed, 549 insertions, 0 deletions
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
new file mode 100644
index 000000000000..83591a70c12c
--- /dev/null
+++ b/src/man/kdb5_ldap_util.man
@@ -0,0 +1,549 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KDB5_LDAP_UTIL" "8" " " "1.15.1" "MIT Kerberos"
+.SH NAME
+kdb5_ldap_util \- Kerberos configuration utility
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH SYNOPSIS
+.sp
+\fBkdb5_ldap_util\fP
+[\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]]
+[\fB\-H\fP \fIldapuri\fP]
+\fBcommand\fP
+[\fIcommand_options\fP]
+.SH DESCRIPTION
+.sp
+kdb5_ldap_util allows an administrator to manage realms, Kerberos
+services and ticket policies.
+.SH COMMAND-LINE OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-D\fP \fIuser_dn\fP
+Specifies the Distinguished Name (DN) of the user who has
+sufficient rights to perform the operation on the LDAP server.
+.TP
+.B \fB\-w\fP \fIpasswd\fP
+Specifies the password of \fIuser_dn\fP\&. This option is not
+recommended.
+.TP
+.B \fB\-H\fP \fIldapuri\fP
+Specifies the URI of the LDAP server. It is recommended to use
+\fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server.
+.UNINDENT
+.SH COMMANDS
+.SS create
+.INDENT 0.0
+.INDENT 3.5
+\fBcreate\fP
+[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
+[\fB\-sscope\fP \fIsearch_scope\fP]
+[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
+[\fB\-k\fP \fImkeytype\fP]
+[\fB\-kv\fP \fImkeyVNO\fP]
+[\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP]
+[\fB\-s\fP]
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
+[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
+[\fIticket_flags\fP]
+.UNINDENT
+.UNINDENT
+.sp
+Creates realm in directory. Options:
+.INDENT 0.0
+.TP
+.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
+Specifies the list of subtrees containing the principals of a
+realm. The list contains the DNs of the subtree objects separated
+by colon (\fB:\fP).
+.TP
+.B \fB\-sscope\fP \fIsearch_scope\fP
+Specifies the scope for searching the principals under the
+subtree. The possible values are 1 or one (one level), 2 or sub
+(subtrees).
+.TP
+.B \fB\-containerref\fP \fIcontainer_reference_dn\fP
+Specifies the DN of the container object in which the principals
+of a realm will be created. If the container reference is not
+configured for a realm, the principals will be created in the
+realm container.
+.TP
+.B \fB\-k\fP \fImkeytype\fP
+Specifies the key type of the master key in the database. The
+default is given by the \fBmaster_key_type\fP variable in
+\fIkdc.conf(5)\fP\&.
+.TP
+.B \fB\-kv\fP \fImkeyVNO\fP
+Specifies the version number of the master key in the database;
+the default is 1. Note that 0 is not allowed.
+.TP
+.B \fB\-m\fP
+Specifies that the master database password should be read from
+the TTY rather than fetched from a file on the disk.
+.TP
+.B \fB\-P\fP \fIpassword\fP
+Specifies the master database password. This option is not
+recommended.
+.TP
+.B \fB\-r\fP \fIrealm\fP
+Specifies the Kerberos realm of the database.
+.TP
+.B \fB\-sf\fP \fIstashfilename\fP
+Specifies the stash file of the master database password.
+.TP
+.B \fB\-s\fP
+Specifies that the stash file is to be created.
+.TP
+.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals in this realm.
+.TP
+.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals in this realm.
+.TP
+.B \fIticket_flags\fP
+Specifies global ticket flags for the realm. Allowable flags are
+documented in the description of the \fBadd_principal\fP command in
+\fIkadmin(1)\fP\&.
+.UNINDENT
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
+ create \-subtrees o=org \-sscope SUB \-r ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+Initializing database for realm \(aqATHENA.MIT.EDU\(aq
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+Enter KDC database master key:
+Re\-enter KDC database master key to verify:
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS modify
+.INDENT 0.0
+.INDENT 3.5
+\fBmodify\fP
+[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
+[\fB\-sscope\fP \fIsearch_scope\fP]
+[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
+[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
+[\fIticket_flags\fP]
+.UNINDENT
+.UNINDENT
+.sp
+Modifies the attributes of a realm. Options:
+.INDENT 0.0
+.TP
+.B \fB\-subtrees\fP \fIsubtree_dn_list\fP
+Specifies the list of subtrees containing the principals of a
+realm. The list contains the DNs of the subtree objects separated
+by colon (\fB:\fP). This list replaces the existing list.
+.TP
+.B \fB\-sscope\fP \fIsearch_scope\fP
+Specifies the scope for searching the principals under the
+subtrees. The possible values are 1 or one (one level), 2 or sub
+(subtrees).
+.TP
+.B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the
+container object in which the principals of a realm will be
+created.
+.TP
+.B \fB\-r\fP \fIrealm\fP
+Specifies the Kerberos realm of the database.
+.TP
+.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals in this realm.
+.TP
+.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals in this realm.
+.TP
+.B \fIticket_flags\fP
+Specifies global ticket flags for the realm. Allowable flags are
+documented in the description of the \fBadd_principal\fP command in
+\fIkadmin(1)\fP\&.
+.UNINDENT
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org \-H
+ ldaps://ldap\-server1.mit.edu modify +requires_preauth \-r
+ ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+shell%
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS view
+.INDENT 0.0
+.INDENT 3.5
+\fBview\fP [\fB\-r\fP \fIrealm\fP]
+.UNINDENT
+.UNINDENT
+.sp
+Displays the attributes of a realm. Options:
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+Specifies the Kerberos realm of the database.
+.UNINDENT
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
+ view \-r ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+Realm Name: ATHENA.MIT.EDU
+Subtree: ou=users,o=org
+Subtree: ou=servers,o=org
+SearchScope: ONE
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS destroy
+.INDENT 0.0
+.INDENT 3.5
+\fBdestroy\fP [\fB\-f\fP] [\fB\-r\fP \fIrealm\fP]
+.UNINDENT
+.UNINDENT
+.sp
+Destroys an existing realm. Options:
+.INDENT 0.0
+.TP
+.B \fB\-f\fP
+If specified, will not prompt the user for confirmation.
+.TP
+.B \fB\-r\fP \fIrealm\fP
+Specifies the Kerberos realm of the database.
+.UNINDENT
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org \-H
+ ldaps://ldap\-server1.mit.edu destroy \-r ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure?
+(type \(aqyes\(aq to confirm)? yes
+OK, deleting database of \(aqATHENA.MIT.EDU\(aq...
+shell%
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS list
+.INDENT 0.0
+.INDENT 3.5
+\fBlist\fP
+.UNINDENT
+.UNINDENT
+.sp
+Lists the name of realms.
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+shell% kdb5_ldap_util \-D cn=admin,o=org \-H
+ ldaps://ldap\-server1.mit.edu list
+Password for "cn=admin,o=org":
+ATHENA.MIT.EDU
+OPENLDAP.MIT.EDU
+MEDIA\-LAB.MIT.EDU
+shell%
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS stashsrvpw
+.INDENT 0.0
+.INDENT 3.5
+\fBstashsrvpw\fP
+[\fB\-f\fP \fIfilename\fP]
+\fIname\fP
+.UNINDENT
+.UNINDENT
+.sp
+Allows an administrator to store the password for service object in a
+file so that KDC and Administration server can use it to authenticate
+to the LDAP server. Options:
+.INDENT 0.0
+.TP
+.B \fB\-f\fP \fIfilename\fP
+Specifies the complete path of the service password file. By
+default, \fB/usr/local/var/service_passwd\fP is used.
+.TP
+.B \fIname\fP
+Specifies the name of the object whose password is to be stored.
+If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for
+simple binding, this should be the distinguished name it will
+use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
+variable in \fIkdc.conf(5)\fP\&. If the KDC or kadmind is
+configured for SASL binding, this should be the authentication
+name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
+\fBldap_kadmind_sasl_authcid\fP variable.
+.UNINDENT
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile
+ cn=service\-kdc,o=org
+Password for "cn=service\-kdc,o=org":
+Re\-enter password for "cn=service\-kdc,o=org":
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS create_policy
+.INDENT 0.0
+.INDENT 3.5
+\fBcreate_policy\fP
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
+[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
+[\fIticket_flags\fP]
+\fIpolicy_name\fP
+.UNINDENT
+.UNINDENT
+.sp
+Creates a ticket policy in the directory. Options:
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+Specifies the Kerberos realm of the database.
+.TP
+.B \fB\-maxtktlife\fP \fImax_ticket_life\fP
+(\fIgetdate\fP string) Specifies maximum ticket life for
+principals.
+.TP
+.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
+(\fIgetdate\fP string) Specifies maximum renewable life of
+tickets for principals.
+.TP
+.B \fIticket_flags\fP
+Specifies the ticket flags. If this option is not specified, by
+default, no restriction will be set by the policy. Allowable
+flags are documented in the description of the \fBadd_principal\fP
+command in \fIkadmin(1)\fP\&.
+.TP
+.B \fIpolicy_name\fP
+Specifies the name of the ticket policy.
+.UNINDENT
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
+ create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day"
+ \-maxrenewlife "1 week" \-allow_postdated +needchange
+ \-allow_forwardable tktpolicy
+Password for "cn=admin,o=org":
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS modify_policy
+.INDENT 0.0
+.INDENT 3.5
+\fBmodify_policy\fP
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
+[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
+[\fIticket_flags\fP]
+\fIpolicy_name\fP
+.UNINDENT
+.UNINDENT
+.sp
+Modifies the attributes of a ticket policy. Options are same as for
+\fBcreate_policy\fP\&.
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H
+ ldaps://ldap\-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU
+ \-maxtktlife "60 minutes" \-maxrenewlife "10 hours"
+ +allow_postdated \-requires_preauth tktpolicy
+Password for "cn=admin,o=org":
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS view_policy
+.INDENT 0.0
+.INDENT 3.5
+\fBview_policy\fP
+[\fB\-r\fP \fIrealm\fP]
+\fIpolicy_name\fP
+.UNINDENT
+.UNINDENT
+.sp
+Displays the attributes of a ticket policy. Options:
+.INDENT 0.0
+.TP
+.B \fIpolicy_name\fP
+Specifies the name of the ticket policy.
+.UNINDENT
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
+ view_policy \-r ATHENA.MIT.EDU tktpolicy
+Password for "cn=admin,o=org":
+Ticket policy: tktpolicy
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS destroy_policy
+.INDENT 0.0
+.INDENT 3.5
+\fBdestroy_policy\fP
+[\fB\-r\fP \fIrealm\fP]
+[\fB\-force\fP]
+\fIpolicy_name\fP
+.UNINDENT
+.UNINDENT
+.sp
+Destroys an existing ticket policy. Options:
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+Specifies the Kerberos realm of the database.
+.TP
+.B \fB\-force\fP
+Forces the deletion of the policy object. If not specified, the
+user will be prompted for confirmation before deleting the policy.
+.TP
+.B \fIpolicy_name\fP
+Specifies the name of the ticket policy.
+.UNINDENT
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
+ destroy_policy \-r ATHENA.MIT.EDU tktpolicy
+Password for "cn=admin,o=org":
+This will delete the policy object \(aqtktpolicy\(aq, are you sure?
+(type \(aqyes\(aq to confirm)? yes
+** policy object \(aqtktpolicy\(aq deleted.
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS list_policy
+.INDENT 0.0
+.INDENT 3.5
+\fBlist_policy\fP
+[\fB\-r\fP \fIrealm\fP]
+.UNINDENT
+.UNINDENT
+.sp
+Lists the ticket policies in realm if specified or in the default
+realm. Options:
+.INDENT 0.0
+.TP
+.B \fB\-r\fP \fIrealm\fP
+Specifies the Kerberos realm of the database.
+.UNINDENT
+.sp
+Example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
+ list_policy \-r ATHENA.MIT.EDU
+Password for "cn=admin,o=org":
+tktpolicy
+tmppolicy
+userpolicy
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fIkadmin(1)\fP
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+1985-2017, MIT
+.\" Generated by docutils manpage writer.
+.