KDB5_LDAP_UTIL(8) KDB5_LDAP_UTIL(8)
NAME
kdb5_ldap_util - Kerberos Configuration Utility
SYNOPSIS
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri] command [command_options]
DESCRIPTION
kdb5_ldap_util allows an administrator to manage realms, Kerberos services and ticket policies.
COMMAND-LINE OPTIONS
-D user_dn
Specifies the Distinguished name (DN) of the user who has sufficient rights to perform the
operation on the LDAP server.
-w passwd
Specifies the password of user_dn. This option is not recommended.
-H ldapuri
Specifies the URI of the LDAP server.
COMMANDS
create [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]
[-k mkeytype] [-m|-P password|-sf stashfilename] [-s] [-r realm] [-kdcdn kdc_service_list]
[-admindn admin_service_list] [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
[ticket_flags]
Creates realm in directory. Options:
-subtrees subtree_dn_list
Specifies the list of subtrees containing the principals of a realm. The list contains
the DNs of the subtree objects separated by colon(:).
-sscope search_scope
Specifies the scope for searching the principals under the subtree. The possible val-ues values
ues are 1 or one (one level), 2 or sub (subtrees).
-containerref container_reference_dn
Specifies the DN of the container object in which the principals of a realm will be
created. If the container reference is not configured for a realm, the principals will
be created in the realm container.
-k mkeytype
Specifies the key type of the master key in the database; the default is that given in
kdc.conf.
-m Specifies that the master database password should be read from the TTY rather than
fetched from a file on the disk.
-P password
Specifies the master database password. This option is not recommended.
-sf stashfilename
Specifies the stash file of the master database password.
-s Specifies that the stash file is to be created.
-maxtktlife max_ticket_life
Specifies maximum ticket life for principals in this realm.
-maxrenewlife max_renewable_ticket_life
Specifies maximum renewable life of tickets for principals in this realm.
ticket_flags
Specifies the ticket flags. If this option is not specified, by default, none of the
flags are set. This means all the ticket options will be allowed and no restriction
will be set.
The various flags are:
{-|+}allow_postdated
-allow_postdated prohibits principals from obtaining postdated tickets. (Sets the
KRB5_KDB_DISALLOW_POSTDATED flag.) +allow_postdated clears this flag.
{-|+}allow_forwardable
-allow_forwardable prohibits principals from obtaining forwardable tickets. (Sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable clears this flag.
{-|+}allow_renewable
-allow_renewable prohibits principals from obtaining renewable tickets. (Sets the
KRB5_KDB_DISALLOW_RENEWABLE flag.) +allow_renewable clears this flag.
{-|+}allow_proxiable
-allow_proxiable prohibits principals from obtaining proxiable tickets. (Sets the
KRB5_KDB_DISALLOW_PROXIABLE flag.) +allow_proxiable clears this flag.
{-|+}allow_dup_skey
-allow_dup_skey Disables user-to-user authentication for principals by prohibiting
principals from obtaining a session key for another user. (Sets the KRB5_KDB_DISAL-LOW_DUP_SKEY KRB5_KDB_DISALLOW_DUP_SKEY
LOW_DUP_SKEY flag.) +allow_dup_skey clears this flag.
{-|+}requires_preauth
+requires_preauth requires principals to preauthenticate before being allowed to kinit.
(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth clears this flag.
{-|+}requires_hwauth
+requires_hwauth requires principals to preauthenticate using a hardware device before
being allowed to kinit. (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) -requires_hwauth
clears this flag.
{-|+}allow_svr
-allow_svr prohibits the issuance of service tickets for principals. (Sets the
KRB5_KDB_DISALLOW_SVR flag.) +allow_svr clears this flag.
{-|+}allow_tgs_req
-allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service
ticket for principals is not permitted. This option is useless for most things.
+allow_tgs_req clears this flag. The default is +allow_tgs_req. In effect,
-allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database.
{-|+}allow_tix
-allow_tix forbids the issuance of any tickets for principals. +allow_tix clears this
flag. The default is +allow_tix. In effect, -allow_tix sets the KRB5_KDB_DISAL-LOW_ALL_TIX KRB5_KDB_DISALLOW_ALL_TIX
LOW_ALL_TIX flag on principals in the database.
{-|+}needchange
+needchange sets a flag in attributes field to force a password change; -needchange
clears it. The default is -needchange. In effect, +needchange sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.
{-|+}password_changing_service
+password_changing_service sets a flag in the attributes field marking principal as a
password change service principal (useless for most things). -password_changing_ser-vice -password_changing_service
vice clears the flag. This flag intentionally has a long name. The default is -pass-word_changing_service. -password_changing_service.
word_changing_service. In effect, +password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database.
-r realm
Specifies the Kerberos realm of the database; by default the realm returned by
krb5_default_local_realm(3) is used.
Command Options Specific to eDirectory
-kdcdn kdc_service_list
Specifies the list of KDC service objects serving the realm. The list contains the DNs
of the KDC service objects separated by colon(:).
-admindn admin_service_list
Specifies the list of Administration service objects serving the realm. The list con-tains contains
tains the DNs of the Administration service objects separated by colon(:).
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -subtrees o=org
-sscope SUB -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
modify [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]
[-r realm] [-kdcdn kdc_service_list | [-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]
[-admindn admin_service_list | [-clearadmindn admin_service_list] [-addadmindn admin_service_list]]
[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life] [ticket_flags]
Modifies the attributes of a realm. Options:
-subtrees subtree_dn_list
Specifies the list of subtrees containing the principals of a realm. The list contains
the DNs of the subtree objects separated by colon(:). This list replaces the existing
list.
-sscope search_scope
Specifies the scope for searching the principals under the subtrees. The possible val-ues values
ues are 1 or one (one level), 2 or sub (subtrees).
-containerref container_reference_dn
Specifies the DN of the container object in which the principals of a realm will be
created.
-maxtktlife max_ticket_life
Specifies maximum ticket life for principals in this realm.
-maxrenewlife max_renewable_ticket_life
Specifies maximum renewable life of tickets for principals in this realm.
ticket_flags
Specifies the ticket flags. If this option is not specified, by default, none of the
flags are set. This means all the ticket options will be allowed and no restriction
will be set.
The various flags are:
{-|+}allow_postdated
-allow_postdated prohibits principals from obtaining postdated tickets. (Sets the
KRB5_KDB_DISALLOW_POSTDATED flag.) +allow_postdated clears this flag.
{-|+}allow_forwardable
-allow_forwardable prohibits principals from obtaining forwardable tickets. (Sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable clears this flag.
{-|+}allow_renewable
-allow_renewable prohibits principals from obtaining renewable tickets. (Sets the
KRB5_KDB_DISALLOW_RENEWABLE flag.) +allow_renewable clears this flag.
{-|+}allow_proxiable
-allow_proxiable prohibits principals from obtaining proxiable tickets. (Sets the
KRB5_KDB_DISALLOW_PROXIABLE flag.) +allow_proxiable clears this flag.
{-|+}allow_dup_skey
-allow_dup_skey Disables user-to-user authentication for principals by prohibiting
principals from obtaining a session key for another user. (Sets the KRB5_KDB_DISAL-LOW_DUP_SKEY KRB5_KDB_DISALLOW_DUP_SKEY
LOW_DUP_SKEY flag.) +allow_dup_skey clears this flag.
{-|+}requires_preauth
+requires_preauth requires principals to preauthenticate before being allowed to kinit.
(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth clears this flag.
{-|+}requires_hwauth
+requires_hwauth requires principals to preauthenticate using a hardware device before
being allowed to kinit. (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) -requires_hwauth
clears this flag.
{-|+}allow_svr
-allow_svr prohibits the issuance of service tickets for principals. (Sets the
KRB5_KDB_DISALLOW_SVR flag.) +allow_svr clears this flag.
{-|+}allow_tgs_req
-allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service
ticket for principals is not permitted. This option is useless for most things.
+allow_tgs_req clears this flag. The default is +allow_tgs_req. In effect,
-allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database.
{-|+}allow_tix
-allow_tix forbids the issuance of any tickets for principals. +allow_tix clears this
flag. The default is +allow_tix. In effect, -allow_tix sets the KRB5_KDB_DISAL-LOW_ALL_TIX KRB5_KDB_DISALLOW_ALL_TIX
LOW_ALL_TIX flag on principals in the database.
{-|+}needchange
+needchange sets a flag in attributes field to force a password change; -needchange
clears it. The default is -needchange. In effect, +needchange sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.
{-|+}password_changing_service
+password_changing_service sets a flag in the attributes field marking principal as a
password change service principal (useless for most things). -password_changing_ser-vice -password_changing_service
vice clears the flag. This flag intentionally has a long name. The default is -pass-word_changing_service. -password_changing_service.
word_changing_service. In effect, +password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database.
-r realm
Specifies the Kerberos realm of the database; by default the realm returned by
krb5_default_local_realm(3) is used.
Command Options Specific to eDirectory
-kdcdn kdc_service_list
Specifies the list of KDC service objects serving the realm. The list contains the DNs
of the KDC service objects separated by a colon (:). This list replaces the existing
list.
-clearkdcdn kdc_service_list
Specifies the list of KDC service objects that need to be removed from the existing
list. The list contains the DNs of the KDC service objects separated by a colon (:).
-addkdcdn kdc_service_list
Specifies the list of KDC service objects that need to be added to the existing list.
The list contains the DNs of the KDC service objects separated by a colon (:).
-admindn admin_service_list
Specifies the list of Administration service objects serving the realm. The list con-tains contains
tains the DNs of the Administration service objects separated by a colon (:). This list
replaces the existing list.
-clearadmindn admin_service_list
Specifies the list of Administration service objects that need to be removed from the
existing list. The list contains the DNs of the Administration service objects sepa-rated separated
rated by a colon (:).
-addadmindn admin_service_list
Specifies the list of Administration service objects that need to be added to the
existing list. The list contains the DNs of the Administration service objects sepa-rated separated
rated by a colon (:).
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify
+requires_preauth -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
view [-r realm]
Displays the attributes of a realm. Options:
-r realm
Specifies the Kerberos realm of the database; by default the realm returned by
krb5_default_local_realm(3) is used.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
destroy [-f] [-r realm]
Destroys an existing realm. Options:
-f If specified, will not prompt the user for confirmation.
-r realm
Specifies the Kerberos realm of the database; by default the realm returned by
krb5_default_local_realm(3) is used.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy -r
ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...
list Lists the name of realms.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
Password for "cn=admin,o=org":
ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA-LAB.MIT.EDU
stashsrvpw [-f filename] servicedn
Allows an administrator to store the password for service object in a file so that KDC and
Administration server can use it to authenticate to the LDAP server. Options:
-f filename
Specifies the complete path of the service password file. By default,
/usr/local/var/service_passwd is used.
servicedn
Specifies Distinguished name (DN) of the service object whose password is to be stored
in file.
EXAMPLE:
kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=service-kdc,o=org":
Re-enter password for "cn=service-kdc,o=org":
create_policy [-r realm] [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
[ticket_flags] policy_name
Creates a ticket policy in directory. Options:
-r realm
Specifies the Kerberos realm of the database; by default the realm returned by
krb5_default_local_realm(3) is used.
-maxtktlife max_ticket_life
Specifies maximum ticket life for principals.
-maxrenewlife max_renewable_ticket_life
Specifies maximum renewable life of tickets for principals.
ticket_flags
Specifies the ticket flags. If this option is not specified, by default, none of the
flags are set. This means all the ticket options will be allowed and no restriction
will be set.
The various flags are:
{-|+}allow_postdated
-allow_postdated prohibits principals from obtaining postdated tickets. (Sets the
KRB5_KDB_DISALLOW_POSTDATED flag.) +allow_postdated clears this flag.
{-|+}allow_forwardable
-allow_forwardable prohibits principals from obtaining forwardable tickets. (Sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag.) +allow_forwardable clears this flag.
{-|+}allow_renewable
-allow_renewable prohibits principals from obtaining renewable tickets. (Sets the
KRB5_KDB_DISALLOW_RENEWABLE flag.) +allow_renewable clears this flag.
{-|+}allow_proxiable
-allow_proxiable prohibits principals from obtaining proxiable tickets. (Sets the
KRB5_KDB_DISALLOW_PROXIABLE flag.) +allow_proxiable clears this flag.
{-|+}allow_dup_skey
-allow_dup_skey Disables user-to-user authentication for principals by prohibiting
principals from obtaining a session key for another user. (Sets the KRB5_KDB_DISAL-LOW_DUP_SKEY KRB5_KDB_DISALLOW_DUP_SKEY
LOW_DUP_SKEY flag.) +allow_dup_skey clears this flag.
{-|+}requires_preauth
+requires_preauth requires principals to preauthenticate before being allowed to kinit.
(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth clears this flag.
{-|+}requires_hwauth
+requires_hwauth requires principals to preauthenticate using a hardware device before
being allowed to kinit. (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) -requires_hwauth
clears this flag.
{-|+}allow_svr
-allow_svr prohibits the issuance of service tickets for principals. (Sets the
KRB5_KDB_DISALLOW_SVR flag.) +allow_svr clears this flag.
{-|+}allow_tgs_req
-allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service
ticket for principals is not permitted. This option is useless for most things.
+allow_tgs_req clears this flag. The default is +allow_tgs_req. In effect,
-allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on principals in the database.
{-|+}allow_tix
-allow_tix forbids the issuance of any tickets for principals. +allow_tix clears this
flag. The default is +allow_tix. In effect, -allow_tix sets the KRB5_KDB_DISAL-LOW_ALL_TIX KRB5_KDB_DISALLOW_ALL_TIX
LOW_ALL_TIX flag on principals in the database.
{-|+}needchange
+needchange sets a flag in attributes field to force a password change; -needchange
clears it. The default is -needchange. In effect, +needchange sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on principals in the database.
{-|+}password_changing_service
+password_changing_service sets a flag in the attributes field marking principal as a
password change service principal (useless for most things). -password_changing_ser-vice -password_changing_service
vice clears the flag. This flag intentionally has a long name. The default is -pass-word_changing_service. -password_changing_service.
word_changing_service. In effect, +password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on principals in the database.
policy_name
Specifies the name of the ticket policy.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r
ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange
-allow_forwardable tktpolicy
Password for "cn=admin,o=org":
modify_policy [-r realm] [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
[ticket_flags] policy_name
Modifies the attributes of a ticket policy. Options are same as create_policy.
-r realm
Specifies the Kerberos realm of the database; by default the realm returned by
krb5_default_local_realm(3) is used.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r
ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated
-requires_preauth tktpolicy
Password for "cn=admin,o=org":
view_policy [-r realm] policy_name
Displays the attributes of a ticket policy. Options:
policy_name
Specifies the name of the ticket policy.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r
ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
destroy_policy [-r realm] [-force] policy_name
Destroys an existing ticket policy. Options:
-r realm
Specifies the Kerberos realm of the database; by default the realm returned by
krb5_default_local_realm(3) is used.
-force Forces the deletion of the policy object. If not specified, will be prompted for con-firmation confirmation
firmation while deleting the policy. Enter yes to confirm the deletion.
policy_name
Specifies the name of the ticket policy.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r
ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)? yes
** policy object 'tktpolicy' deleted.
list_policy [-r realm]
Lists the ticket policies in realm if specified or in the default realm. Options:
-r realm
Specifies the Kerberos realm of the database; by default the realm returned by
krb5_default_local_realm(3) is used.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r
ATHENA.MIT.EDU
Password for "cn=admin,o=org":
tktpolicy
tmppolicy
userpolicy
Commands Specific to eDirectory
setsrvpw [-randpw|-fileonly] [-f filename] service_dn
Allows an administrator to set password for service objects such as KDC and Administration
server in eDirectory and store them in a file. The -fileonly option stores the password in a
file and not in the eDirectory object. Options:
-randpw
Generates and sets a random password. This options can be specified to store the pass-word password
word both in eDirectory and a file. The -fileonly option can not be used if -randpw
option is already specified.
-fileonly
Stores the password only in a file and not in eDirectory. The -randpw option can not be
used when -fileonly options is specified.
-f filename
Specifies complete path of the service password file. By default, /usr/local/var/ser-vice_passwd /usr/local/var/service_passwd
vice_passwd is used.
service_dn
Specifies Distinguished name (DN) of the service object whose password is to be set.
EXAMPLE:
kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_key-file /home/andrew/conf_keyfile
file cn=service-kdc,o=org
Password for "cn=admin,o=org":
Password for "cn=service-kdc,o=org":
Re-enter password for "cn=service-kdc,o=org":
create_service {-kdc|-admin} [-servicehost service_host_list] [-realm realm_list] [-randpw|-fileonly]
[-f filename] service_dn
Creates a service in directory and assigns appropriate rights. Options:
-kdc Specifies the service is a KDC service
-admin Specifies the service is a Administration service
-servicehost service_host_list
Specifies the list of entries separated by a colon (:). Each entry consists of the
hostname or IP address of the server hosting the service, transport protocol, and the
port number of the service separated by a pound sign (#). For example,
server1#tcp#88:server2#udp#89.
-realm realm_list
Specifies the list of realms that are to be associated with this service. The list con-tains contains
tains the name of the realms separated by a colon (:).
-randpw
Generates and sets a random password. This option is used to set the random password
for the service object in directory and also to store it in the file. The -fileonly
option can not be used if -randpw option is specified.
-fileonly
Stores the password only in a file and not in eDirectory. The -randpw option can not be
used when -fileonly option is specified.
-f filename
Specifies the complete path of the file where the service object password is stashed.
service_dn
Specifies Distinguished name (DN) of the Kerberos service to be created.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_key-file /home/andrew/conf_keyfile
file cn=service-kdc,o=org
Password for "cn=admin,o=org":
File does not exist. Creating the file /home/andrew/conf_keyfile...
modify_service [-servicehost service_host_list | [-clearservicehost service_host_list] [-addservice-host [-addservicehost
host service_host_list]] [-realm realm_list | [-clearrealm realm_list] [-addrealm realm_list]] ser-vice_dn service_dn
vice_dn
Modifies the attributes of a service and assigns appropriate rights. Options:
-servicehost service_host_list
Specifies the list of entries separated by a colon (:). Each entry consists of a host
name or IP Address of the Server hosting the service, transport protocol, and port num-ber number
ber of the service separated by a pound sign (#). For example,
server1#tcp#88:server2#udp#89
-clearservicehost service_host_list
Specifies the list of servicehost entries to be removed from the existing list sepa-rated separated
rated by colon (:). Each entry consists of a host name or IP Address of the server
hosting the service, transport protocol, and port number of the service separated by a
pound sign (#).
-addservicehost service_host_list
Specifies the list of servicehost entries to be added to the existing list separated by
colon (:). Each entry consists of a host name or IP Address of the server hosting the
service, transport protocol, and port number of the service separated by a pound sign
(#).
-realm realm_list
Specifies the list of realms that are to be associated with this service. The list con-tains contains
tains the name of the realms separated by a colon (:). This list replaces the existing
list.
-clearrealm realm_list
Specifies the list of realms to be removed from the existing list. The list contains
the name of the realms separated by a colon (:).
-addrealm realm_list
Specifies the list of realms to be added to the existing list. The list contains the
name of the realms separated by a colon (:).
service_dn
Specifies Distinguished name (DN) of the Kerberos service to be modified.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org cn=servicekdc,o=org
kdc,o=org
Password for "cn=admin,o=org":
Changing rights for the service object. Please wait ... done
view_service service_dn
Displays the attributes of a service. Options:
service_dn
Specifies Distinguished name (DN) of the Kerberos service to be viewed.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org
Password for "cn=admin,o=org":
Service dn: cn=service-kdc,o=org
Service type: kdc
Service host list:
Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
destroy_service [-force] [-f stashfilename] service_dn
Destroys an existing service. Options:
-force If specified, will not prompt for user's confirmation, instead will force destruction
of the service.
-f stashfilename
Specifies the complete path of the service password file from where the entry corre-sponding corresponding
sponding to the service_dn needs to be removed.
service_dn
Specifies Distinguished name (DN) of the Kerberos service to be destroyed.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org
Password for "cn=admin,o=org":
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? yes
** service object 'cn=service-kdc,o=org' deleted.
list_service [-basedn base_dn]
Lists the name of services under a given base in directory. Options:
-basedn base_dn
Specifies the base DN for searching the service objects, limiting the search to a par-ticular particular
ticular subtree. If this option is not provided, LDAP Server specific search base will
be used. For eg, in the case of OpenLDAP, value of defaultsearchbase from slapd.conf
file will be used, where as in the case of eDirectory, the default value for the base
DN is Root.
EXAMPLE:
kdb5_ldap_util -D cn=admin,o=org list_service
Password for "cn=admin,o=org":
cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org
SEE ALSO
kadmin(8)
KDB5_LDAP_UTIL(8)
|