The policy objects stored in eDirectory can be attached to Kerberos principals, realms, or even the Kerberos container. Policy-related attributes can also be associated directly with the user or realm but are not explained here.
You can add a Ticket Policy using either of the following methods:
Use the following command to add a ticket policy:
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
create_policy [-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_dn
For example:
kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 create_policy
-maxtktlife "1 day" -maxrenewlife "1 week"
-allow_postdated +needchange -allow_forwardable cn=tktpolicy,o=org
Refer to the following table for the description of the parameters:
Table 29. create_policy Parameter Description
You can modify a ticket policy using either of the following methods:
Use the following command to modify a ticket policy:
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
modify_policy [-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_dn
For more information on the parameters, refer to Table 29, create_policy Parameter Description.
For example:
kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 modify_policy -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth cn=tktpolicy,o=org
You can destroy a ticket policy using either of the following methods:
Use the following command to destroy a ticket policy:
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
destroy_policy [-force] policy_dn
For example:
kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 destroy_policy
-force cn=tktpolicy,o=org
Table 30. destroy_policy Parameter Description
Use the following command to view a ticket policy:
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
view_policy policy_dn
For example:
kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 view_policy cn=tktpolicy,o=org
The expected output, here showing the policy as it stands after the modify_policy example above (60-minute ticket life, 10-hour renewable life, postdated tickets re-enabled and preauthentication not required), will be:
Policy: tktpolicy
Maximum ticket life: 0 days 00:60:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
Table 31. view_policy Parameter Description
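The create_policy, modify_policy and view_policy examples above only make sense once you know how the "+flag" / "-flag" switches map onto the KDB flag names that view_policy prints: the allow_* switches are inverted ("-allow_postdated" sets DISALLOW_POSTDATED, "+allow_postdated" clears it), while requires_preauth, needchange and the like are direct. The following is an added example, not MIT Kerberos code and not part of the original page; it models that mapping in Python, replays the page's create_policy and modify_policy invocations, and checks that the result matches the view_policy output shown. The switch table is transcribed from the kadmin(1) documentation, the accepted duration units ("60 minutes", "1 day", "1 week") are an assumption about kdb5_util's duration parser, and the audit thresholds in audit_policy are example values, not anything the page prescribes.

```python
"""Model of kdb5_util ticket-policy options: +/- flag switches, lifetimes, and a
small audit pass.  Added example; the switch table follows kadmin(1) and the
duration units and audit thresholds are assumptions for illustration."""

import re

# kadmin-style switch name -> (KDB flag name, True if "+" SETS the flag).
# For allow_* switches the sense is inverted: "-allow_postdated" sets
# DISALLOW_POSTDATED and "+allow_postdated" clears it.
FLAG_SWITCHES = {
    "allow_postdated": ("DISALLOW_POSTDATED", False),
    "allow_forwardable": ("DISALLOW_FORWARDABLE", False),
    "allow_renewable": ("DISALLOW_RENEWABLE", False),
    "allow_proxiable": ("DISALLOW_PROXIABLE", False),
    "allow_dup_skey": ("DISALLOW_DUP_SKEY", False),
    "allow_svr": ("DISALLOW_SVR", False),
    "allow_tgs_req": ("DISALLOW_TGT_BASED", False),
    "allow_tix": ("DISALLOW_ALL_TIX", False),
    "requires_preauth": ("REQUIRES_PRE_AUTH", True),
    "requires_hwauth": ("REQUIRES_HW_AUTH", True),
    "needchange": ("REQUIRES_PWCHANGE", True),
    "ok_as_delegate": ("OK_AS_DELEGATE", True),
    "password_changing_service": ("PWCHANGE_SERVICE", True),
}

# Assumed duration units; kdb5_util's real parser accepts more forms than this.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}


def parse_duration(text):
    """Convert a lifetime such as '60 minutes' or '1 week' into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+?)s?\s*", text.lower())
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError("unsupported duration: %r" % text)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def apply_flags(flags, switches):
    """Apply '+name' / '-name' switches to a set of KDB flag names."""
    flags = set(flags)
    for sw in switches:
        sign, name = sw[0], sw[1:]
        if sign not in "+-" or name not in FLAG_SWITCHES:
            raise ValueError("unknown ticket flag switch: %r" % sw)
        kdb_name, plus_sets = FLAG_SWITCHES[name]
        if (sign == "+") == plus_sets:
            flags.add(kdb_name)
        else:
            flags.discard(kdb_name)
    return flags


def policy_from_args(policy, args):
    """Interpret the options of a create_policy / modify_policy call.

    `policy` is the starting state (empty for create_policy, the stored policy
    for modify_policy); `args` are the options without the trailing policy_dn."""
    new = {"maxtktlife": policy["maxtktlife"],
           "maxrenewlife": policy["maxrenewlife"],
           "flags": set(policy["flags"])}
    switches, i = [], 0
    while i < len(args):
        if args[i] in ("-maxtktlife", "-maxrenewlife"):
            new[args[i][1:]] = parse_duration(args[i + 1])
            i += 2
        else:
            switches.append(args[i])
            i += 1
    new["flags"] = apply_flags(new["flags"], switches)
    return new


def audit_policy(policy, max_tkt=10 * 3600, max_renew=7 * 86400):
    """Return findings for a policy; thresholds are example values (assumed)."""
    findings = []
    if "REQUIRES_PRE_AUTH" not in policy["flags"]:
        findings.append("preauthentication not required")
    if policy["maxtktlife"] > max_tkt:
        findings.append("maximum ticket life exceeds %d seconds" % max_tkt)
    if policy["maxrenewlife"] > max_renew:
        findings.append("maximum renewable life exceeds %d seconds" % max_renew)
    return findings


EMPTY_POLICY = {"maxtktlife": 0, "maxrenewlife": 0, "flags": set()}


def replay_page_examples():
    """Replay the create_policy and modify_policy examples for cn=tktpolicy,o=org."""
    created = policy_from_args(EMPTY_POLICY, [
        "-maxtktlife", "1 day", "-maxrenewlife", "1 week",
        "-allow_postdated", "+needchange", "-allow_forwardable"])
    modified = policy_from_args(created, [
        "-maxtktlife", "60 minutes", "-maxrenewlife", "10 hours",
        "+allow_postdated", "-requires_preauth"])
    return created, modified


if __name__ == "__main__":
    created, modified = replay_page_examples()
    print("after create_policy:", sorted(created["flags"]), audit_policy(created))
    print("after modify_policy:", sorted(modified["flags"]), audit_policy(modified))
```

After the replay, the modified policy carries exactly DISALLOW_FORWARDABLE and REQUIRES_PWCHANGE, which is the "Ticket flags:" line view_policy prints above; "-requires_preauth" on a policy that never had REQUIRES_PRE_AUTH set is a no-op, which is why the audit pass is worth running against every policy list_policy returns rather than trusting the flag switches you remember passing.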
Use the following command to list policies:
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
list_policy [-basedn base_dn]
For example:
kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 list_policy
-basedn o=org
The expected output will be as follows:
cn=tktpolicy,o=org
cn=tktpolicy2,o=org
cn=tktpolicy3,o=org
Table 32. list_policy Parameter Description