diff options
Diffstat (limited to 'crypto/krb5/doc/admin/admin_commands/kdb5_ldap_util.rst')
| -rw-r--r-- | crypto/krb5/doc/admin/admin_commands/kdb5_ldap_util.rst | 449 |
1 files changed, 0 insertions, 449 deletions
diff --git a/crypto/krb5/doc/admin/admin_commands/kdb5_ldap_util.rst b/crypto/krb5/doc/admin/admin_commands/kdb5_ldap_util.rst deleted file mode 100644 index 73a920f4388a..000000000000 --- a/crypto/krb5/doc/admin/admin_commands/kdb5_ldap_util.rst +++ /dev/null @@ -1,449 +0,0 @@ -.. _kdb5_ldap_util(8): - -kdb5_ldap_util -=============== - -SYNOPSIS --------- - -.. _kdb5_ldap_util_synopsis: - -**kdb5_ldap_util** -[**-D** *user_dn* [**-w** *passwd*]] -[**-H** *ldapuri*] -**command** -[*command_options*] - -.. _kdb5_ldap_util_synopsis_end: - - -DESCRIPTION ------------ - -kdb5_ldap_util allows an administrator to manage realms, Kerberos -services and ticket policies. - - -COMMAND-LINE OPTIONS --------------------- - -.. _kdb5_ldap_util_options: - -**-r** *realm* - Specifies the realm to be operated on. - -**-D** *user_dn* - Specifies the Distinguished Name (DN) of the user who has - sufficient rights to perform the operation on the LDAP server. - -**-w** *passwd* - Specifies the password of *user_dn*. This option is not - recommended. - -**-H** *ldapuri* - Specifies the URI of the LDAP server. - -By default, kdb5_ldap_util operates on the default realm (as specified -in :ref:`krb5.conf(5)`) and connects and authenticates to the LDAP -server in the same manner as :ref:kadmind(8)` would given the -parameters in :ref:`dbdefaults` in :ref:`kdc.conf(5)`. - -.. _kdb5_ldap_util_options_end: - - -COMMANDS --------- - -create -~~~~~~ - -.. _kdb5_ldap_util_create: - - **create** - [**-subtrees** *subtree_dn_list*] - [**-sscope** *search_scope*] - [**-containerref** *container_reference_dn*] - [**-k** *mkeytype*] - [**-kv** *mkeyVNO*] - [**-M** *mkeyname*] - [**-m|-P** *password*\|\ **-sf** *stashfilename*] - [**-s**] - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - -Creates realm in directory. Options: - -**-subtrees** *subtree_dn_list* - Specifies the list of subtrees containing the principals of a - realm. The list contains the DNs of the subtree objects separated - by colon (``:``). - -**-sscope** *search_scope* - Specifies the scope for searching the principals under the - subtree. The possible values are 1 or one (one level), 2 or sub - (subtrees). - -**-containerref** *container_reference_dn* - Specifies the DN of the container object in which the principals - of a realm will be created. If the container reference is not - configured for a realm, the principals will be created in the - realm container. - -**-k** *mkeytype* - Specifies the key type of the master key in the database. The - default is given by the **master_key_type** variable in - :ref:`kdc.conf(5)`. - -**-kv** *mkeyVNO* - Specifies the version number of the master key in the database; - the default is 1. Note that 0 is not allowed. - -**-M** *mkeyname* - Specifies the principal name for the master key in the database. - If not specified, the name is determined by the - **master_key_name** variable in :ref:`kdc.conf(5)`. - -**-m** - Specifies that the master database password should be read from - the TTY rather than fetched from a file on the disk. - -**-P** *password* - Specifies the master database password. This option is not - recommended. - -**-sf** *stashfilename* - Specifies the stash file of the master database password. - -**-s** - Specifies that the stash file is to be created. - -**-maxtktlife** *max_ticket_life* - (:ref:`getdate` string) Specifies maximum ticket life for - principals in this realm. - -**-maxrenewlife** *max_renewable_ticket_life* - (:ref:`getdate` string) Specifies maximum renewable life of - tickets for principals in this realm. - -*ticket_flags* - Specifies global ticket flags for the realm. Allowable flags are - documented in the description of the **add_principal** command in - :ref:`kadmin(1)`. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB - Password for "cn=admin,o=org": - Initializing database for realm 'ATHENA.MIT.EDU' - You will be prompted for the database Master Password. - It is important that you NOT FORGET this password. - Enter KDC database master key: - Re-enter KDC database master key to verify: - -.. _kdb5_ldap_util_create_end: - -modify -~~~~~~ - -.. _kdb5_ldap_util_modify: - - **modify** - [**-subtrees** *subtree_dn_list*] - [**-sscope** *search_scope*] - [**-containerref** *container_reference_dn*] - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - -Modifies the attributes of a realm. Options: - -**-subtrees** *subtree_dn_list* - Specifies the list of subtrees containing the principals of a - realm. The list contains the DNs of the subtree objects separated - by colon (``:``). This list replaces the existing list. - -**-sscope** *search_scope* - Specifies the scope for searching the principals under the - subtrees. The possible values are 1 or one (one level), 2 or sub - (subtrees). - -**-containerref** *container_reference_dn* Specifies the DN of the - container object in which the principals of a realm will be - created. - -**-maxtktlife** *max_ticket_life* - (:ref:`getdate` string) Specifies maximum ticket life for - principals in this realm. - -**-maxrenewlife** *max_renewable_ticket_life* - (:ref:`getdate` string) Specifies maximum renewable life of - tickets for principals in this realm. - -*ticket_flags* - Specifies global ticket flags for the realm. Allowable flags are - documented in the description of the **add_principal** command in - :ref:`kadmin(1)`. - -Example:: - - shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify +requires_preauth - Password for "cn=admin,o=org": - shell% - -.. _kdb5_ldap_util_modify_end: - -view -~~~~ - -.. _kdb5_ldap_util_view: - - **view** - -Displays the attributes of a realm. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU view - Password for "cn=admin,o=org": - Realm Name: ATHENA.MIT.EDU - Subtree: ou=users,o=org - Subtree: ou=servers,o=org - SearchScope: ONE - Maximum ticket life: 0 days 01:00:00 - Maximum renewable life: 0 days 10:00:00 - Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE - -.. _kdb5_ldap_util_view_end: - -destroy -~~~~~~~ - -.. _kdb5_ldap_util_destroy: - - **destroy** [**-f**] - -Destroys an existing realm. Options: - -**-f** - If specified, will not prompt the user for confirmation. - -Example:: - - shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu destroy - Password for "cn=admin,o=org": - Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? - (type 'yes' to confirm)? yes - OK, deleting database of 'ATHENA.MIT.EDU'... - shell% - -.. _kdb5_ldap_util_destroy_end: - -list -~~~~ - -.. _kdb5_ldap_util_list: - - **list** - -Lists the names of realms under the container. - -Example:: - - shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu list - Password for "cn=admin,o=org": - ATHENA.MIT.EDU - OPENLDAP.MIT.EDU - MEDIA-LAB.MIT.EDU - shell% - -.. _kdb5_ldap_util_list_end: - -stashsrvpw -~~~~~~~~~~ - -.. _kdb5_ldap_util_stashsrvpw: - - **stashsrvpw** - [**-f** *filename*] - *name* - -Allows an administrator to store the password for service object in a -file so that KDC and Administration server can use it to authenticate -to the LDAP server. Options: - -**-f** *filename* - Specifies the complete path of the service password file. By - default, ``/usr/local/var/service_passwd`` is used. - -*name* - Specifies the name of the object whose password is to be stored. - If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for - simple binding, this should be the distinguished name it will - use as given by the **ldap_kdc_dn** or **ldap_kadmind_dn** - variable in :ref:`kdc.conf(5)`. If the KDC or kadmind is - configured for SASL binding, this should be the authentication - name it will use as given by the **ldap_kdc_sasl_authcid** or - **ldap_kadmind_sasl_authcid** variable. - -Example:: - - kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile - cn=service-kdc,o=org - Password for "cn=service-kdc,o=org": - Re-enter password for "cn=service-kdc,o=org": - -.. _kdb5_ldap_util_stashsrvpw_end: - -create_policy -~~~~~~~~~~~~~ - -.. _kdb5_ldap_util_create_policy: - - **create_policy** - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - *policy_name* - -Creates a ticket policy in the directory. Options: - -**-maxtktlife** *max_ticket_life* - (:ref:`getdate` string) Specifies maximum ticket life for - principals. - -**-maxrenewlife** *max_renewable_ticket_life* - (:ref:`getdate` string) Specifies maximum renewable life of - tickets for principals. - -*ticket_flags* - Specifies the ticket flags. If this option is not specified, by - default, no restriction will be set by the policy. Allowable - flags are documented in the description of the **add_principal** - command in :ref:`kadmin(1)`. - -*policy_name* - Specifies the name of the ticket policy. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day" - -maxrenewlife "1 week" -allow_postdated +needchange - -allow_forwardable tktpolicy - Password for "cn=admin,o=org": - -.. _kdb5_ldap_util_create_policy_end: - -modify_policy -~~~~~~~~~~~~~ - -.. _kdb5_ldap_util_modify_policy: - - **modify_policy** - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - *policy_name* - -Modifies the attributes of a ticket policy. Options are same as for -**create_policy**. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy - -maxtktlife "60 minutes" -maxrenewlife "10 hours" - +allow_postdated -requires_preauth tktpolicy - Password for "cn=admin,o=org": - -.. _kdb5_ldap_util_modify_policy_end: - -view_policy -~~~~~~~~~~~ - -.. _kdb5_ldap_util_view_policy: - - **view_policy** - *policy_name* - -Displays the attributes of the named ticket policy. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU view_policy tktpolicy - Password for "cn=admin,o=org": - Ticket policy: tktpolicy - Maximum ticket life: 0 days 01:00:00 - Maximum renewable life: 0 days 10:00:00 - Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE - -.. _kdb5_ldap_util_view_policy_end: - -destroy_policy -~~~~~~~~~~~~~~ - -.. _kdb5_ldap_util_destroy_policy: - - **destroy_policy** - [**-force**] - *policy_name* - -Destroys an existing ticket policy. Options: - -**-force** - Forces the deletion of the policy object. If not specified, the - user will be prompted for confirmation before deleting the policy. - -*policy_name* - Specifies the name of the ticket policy. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU destroy_policy tktpolicy - Password for "cn=admin,o=org": - This will delete the policy object 'tktpolicy', are you sure? - (type 'yes' to confirm)? yes - ** policy object 'tktpolicy' deleted. - -.. _kdb5_ldap_util_destroy_policy_end: - -list_policy -~~~~~~~~~~~ - -.. _kdb5_ldap_util_list_policy: - - **list_policy** - -Lists ticket policies. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - -r ATHENA.MIT.EDU list_policy - Password for "cn=admin,o=org": - tktpolicy - tmppolicy - userpolicy - -.. _kdb5_ldap_util_list_policy_end: - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`kerberos(7)` |