Managing Ticket Policies

The policy objects stored in eDirectory can be attached to Kerberos principals, realms, or even the Kerberos container. Policy-related attributes can also be associated directly with the user or realm but are not explained here.


Creating a Ticket Policy

You can add a Ticket Policy using either of the following methods:


Command Line

Use the following command to add a ticket policy:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]

create_policy [-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_dn

For example:

kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 create_policy -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable cn=tktpolicy,o=org

Refer to the following table for the description of the parameters:


Table 29. create_policy Parameter Description

Parameter Description

-D

Distinguished name of the user who has sufficient rights to authenticate to the LDAP server.

-w

Specifies the password for the user DN. This is not recommended, because a password given on the command line is visible in the shell history and in process listings.

-h

Host name or IP address of the server hosting the LDAP service for a Kerberos realm.

-p

SSL port number of the LDAP server.

-t

Specifies the filename that contains Trusted Root Certificate of the LDAP server.

-maxtktlife

Specifies the maximum lifetime of the tickets issued.

-maxrenewlife

Specifies the maximum lifetime to which an issued ticket can be renewed.

ticket_flags

Specifies the ticket flags. If this option is not specified, none of the flags are set, so the policy places no restrictions on the tickets issued. In particular, pre-authentication is not required unless +requires_preauth is set explicitly.

The various flags are:

{-|+}allow_postdated

allows (+) principals to obtain postdated tickets / prohibits (-) principals from obtaining postdated tickets.

{-|+}allow_forwardable

allows (+) principals to obtain forwardable tickets / prohibits (-) principals from obtaining forwardable tickets.

{-|+}allow_renewable

allows (+) principals to obtain renewable tickets / prohibits (-) principals from obtaining renewable tickets.

{-|+}allow_proxiable

allows (+) principals to obtain proxiable tickets / prohibits (-) principals from obtaining proxiable tickets.

{-|+}allow_dup_skey

disables (-) / enables (+) user-to-user authentication for principals, by respectively prohibiting / allowing obtaining of a session key for another user.

{-|+}requires_preauth

makes principals require (+) / not require (-) pre-authentication before being allowed to kinit.

{-|+}requires_hwauth

makes principals require (+) / not require (-) pre-authentication using a hardware device before being allowed to kinit.

{-|+}allow_svr

allows (+) / prohibits (-) issuance of service tickets for this principal.

{-|+}allow_tgs_req

-allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. +allow_tgs_req clears this flag. The default is +allow_tgs_req. In effect, -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.

{-|+}allow_tix

allows (+) / prohibits (-) issuance of any tickets for principals. The default is +allow_tix.

{-|+}needchange

makes principals require (+) / not require (-) a password change.

{-|+}password_changing_service

used to set (+) / unset (-) principals as password changing services.

policy_dn

Distinguished name of the policy.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > New Policy.

Refer to the iManager online help for more information.


Modifying a Ticket Policy

You can modify a ticket policy using either of the following methods:


Command Line

Use the following command to modify a ticket policy:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]

modify_policy [-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy_dn

For more information on the parameters, refer to Table 29, create_policy Parameter Description.

For example:

kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 modify_policy -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth cn=tktpolicy,o=org


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Edit Policy.

Refer to the iManager online help for more information.


Destroying a Ticket Policy

You can destroy a ticket policy using either of the following methods:


Command Line

Use the following command to destroy a ticket policy:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]

destroy_policy [-force] policy_dn

For example:

kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 destroy_policy -force cn=tktpolicy,o=org


Table 30. destroy_policy Parameter Description

Parameter Description

-D

Distinguished name of the user who has sufficient rights to authenticate to the LDAP server.

-w

Specifies the password for the user DN. This is not recommended, because a password given on the command line is visible in the shell history and in process listings.

-h

Host name or IP address of the server hosting the LDAP service for a Kerberos realm.

-p

SSL port number of the LDAP server.

-t

Specifies the filename that contains Trusted Root Certificate of the LDAP server.

-force

Forces the deletion of the policy object. If you do not specify this option, you will be prompted for confirmation while deleting the policy. Enter YES to confirm the deletion.

policy_dn

Distinguished name of the policy.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Delete Policy.

Refer to the iManager online help for more information.


Viewing a Ticket Policy

Use the following command to view a ticket policy:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]

view_policy policy_dn

For example:

kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 view_policy cn=tktpolicy,o=org

The expected output will be:

Policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

Lifetimes are printed as days followed by hh:mm:ss, so the 60-minute limit set by the modify_policy example appears as 01:00:00. The flags line lists only the restrictions currently in force. After the create_policy and modify_policy examples above, forwardable tickets are still disallowed and a password change is still required, while postdated tickets have been re-allowed and pre-authentication is no longer required. Verify that the last point is intended: without REQUIRES_PRE_AUTH the KDC returns AS replies without first checking that the client holds the principal's key, which exposes password-derived keys to offline guessing.


Table 31. view_policy Parameter Description

Parameter Description

-D

Distinguished name of the user who has sufficient rights to authenticate to the LDAP server.

-w

Specifies the userdn password. This is not recommended.

-h

Host name or IP Address of the server hosting LDAP service for a Kerberos realm.

-p

SSL port number of the LDAP server.

-t

Specifies the filename that contains Trusted Root Certificate of the LDAP server.

policy_dn

Distinguished name of the policy.


Listing Ticket Policies

Use the following command to list policies:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] 
[-p ldap_port] [-t trusted_cert]
list_policy [-basedn base_dn]

For example:

kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 list_policy  
-basedn o=org

The expected output will be as follows:

cn=tktpolicy,o=org 
cn=tktpolicy2,o=org
cn=tktpolicy3,o=org


Table 32. list_policy Parameter Description

Parameter Description

-D

Distinguished name of the user who has sufficient rights to authenticate to the LDAP server.

-w

Specifies the password for the user DN. This is not recommended, because a password given on the command line is visible in the shell history and in process listings.

-h

Host name or IP address of the server hosting the LDAP service for a Kerberos realm.

-p

SSL port number of the LDAP server.

-t

Specifies the filename that contains Trusted Root Certificate of the LDAP server.

-basedn

Specifies the base DN for the policy search, limiting it to a particular subtree. If this option is not provided, the entire tree is searched (the default base DN is the root). The option is therefore useful when the tree is distributed over more than one geographical location.