3.3 Managing Realms

You can manage realms by using the kdb5_ldap_util utility.

This section provides information about the following:

  3.3.1 Creating a Realm
  3.3.2 Modifying a Realm
  3.3.3 Viewing a Realm
  3.3.4 Destroying a Realm
  3.3.5 Listing Realms

3.3.1 Creating a Realm

You can use one of the following methods to create a realm:

Command Line

Use the following syntax to create a realm:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]

create  [-subtrees subtree_dn_list] [-sscope search_scope]
        [-containerref container_reference_dn]
        [-kdcdn kdc_service_list] [-admindn admin_service_list]
        [-pwddn passwd_service_list] [-defencsalttypes enc_salt_types]
        [-maxtktlife max_ticket_life]
        [-maxrenewlife max_renewable_ticket_life]
        [-ticket_flags] [-up] [-lp] [-k mkeytype]
        [-m|-P password] [-sf stashfilename] [-r realm]

For example:

kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create \
    -sscope 2 -kdcdn cn=service-kdc,o=org:cn=service-kdc2,o=org \
    -defencsalttypes des3-cbc-sha1:normal -subtrees o=org

Output of the above command:

Password for "cn=admin,o=org":
Initializing database for realm 'ATHENA.MIT.EDU'
Enter KDC database master key:
Re-enter KDC database master key to verify:

The example binds over ldaps:// so that the bind password and the master key do not cross the network in the clear; keep that. Because neither -w nor -P is given, both secrets are prompted for instead of being passed on the command line, where they would be visible to other users in the process list and recorded in shell history. The example also selects des3-cbc-sha1, which is deprecated in current MIT krb5 releases; for a new realm on a KDC that supports it, prefer an AES key type such as aes256-cts-hmac-sha1-96:normal.

Table 3-6 Parameters for Creating a Realm

Parameter          Description

-subtrees          Subtree list in which the principals of the realm are placed.
-sscope            Search scope for locating principals under the specified subtrees. The possible values are 1 or one (one level) and 2 or sub (subtree).
-containerref      DN of the container object in which the principals of the realm will be created.
-kdcdn             List of KDC Service objects serving the realm. The list contains the DNs of the KDC Service objects separated by a colon (:).
-admindn           List of Administration Service objects serving the realm. The list contains the DNs of the Administration Service objects separated by a colon (:).
-pwddn             List of Password Service objects serving the realm. The list contains the DNs of the Password Service objects separated by a colon (:).
-maxtktlife        Maximum ticket life for principals in this realm.
-maxrenewlife      Maximum renewable life of tickets for principals in this realm.
-ticket_flags      Ticket flags for the realm. If this option is not set, no restrictions are set and all ticket options are allowed.
-defencsalttypes   List of key:salt strings specifying the default key/salt combinations for the realm. This value takes precedence over the value specified in the configuration file.
-up                Use the Universal Password of the user as the Kerberos password for the principals in the realm.
-lp                Enforce the login restrictions of the user to which each principal is attached or linked.
-k                 Encryption type of the master key in the database. The default is the type given in the krb5.conf file.
-m                 Read the master password from the keyboard rather than from a file or disk.
-P                 Master database password. Passing it on the command line exposes it in the process list and shell history; prefer -m or -sf.
-sf                Stash file of the master database password.
-r                 Kerberos realm of the database. By default, the default_realm parameter of the krb5.conf file is used.
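The command-line procedure above leaves three decisions to the operator: how the LDAP bind password is supplied, which key/salt types the realm defaults to, and how the stash file is protected. The following wrapper is an added example and is not part of the Novell documentation or of kdb5_ldap_util itself. It refuses plaintext ldap:// URIs and deprecated key types, never passes the bind password or master key on the command line, and checks the stash file mode afterwards. The enctype allow-list, the DRY_RUN variable and all function names are the example's own assumptions, not options of the tool.

```shell
#!/bin/sh
# Added example, not part of the Novell documentation: a guarded wrapper
# around "kdb5_ldap_util create". The allow-lists, DRY_RUN and the
# function names are assumptions of this example, not features of the tool.

# Key types accepted for -defencsalttypes. Single DES, DES3 and RC4 are
# deprecated or removed in current MIT krb5 releases, so they are absent.
ALLOWED_ENCTYPES="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128"
# Salt types defined by MIT krb5.
ALLOWED_SALTTYPES="normal v4 norealm onlyrealm special afs3"

# validate_encsalt ENC:SALT -> 0 if both halves are on the allow-lists.
validate_encsalt() {
    _enc=${1%%:*}
    _salt=${1#*:}
    [ "$_enc" != "$1" ] || return 1      # no ':' separator present
    _ok=1
    for _e in $ALLOWED_ENCTYPES; do
        if [ "$_e" = "$_enc" ]; then _ok=0; fi
    done
    [ $_ok -eq 0 ] || return 1
    _ok=1
    for _s in $ALLOWED_SALTTYPES; do
        if [ "$_s" = "$_salt" ]; then _ok=0; fi
    done
    [ $_ok -eq 0 ] || return 1
    return 0
}

# validate_ldap_uri URI -> 0 only for TLS (ldaps://) or local socket
# (ldapi://) URIs: the bind password and master key must not travel in clear.
validate_ldap_uri() {
    case $1 in
        ldaps://*|ldapi://*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_stash_perms FILE -> 0 if FILE is mode 0600 (owner read/write only).
# The stashed master key unlocks every principal key in the realm.
check_stash_perms() {
    [ -f "$1" ] || return 1
    _mode=$(ls -ld -- "$1" | awk '{print $1}')
    case $_mode in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# create_realm REALM ADMIN_DN LDAP_URI SUBTREES ENC:SALT STASHFILE
# Validates the inputs, then runs kdb5_ldap_util, or prints the command
# when DRY_RUN is set. No -w or -P: both secrets are entered at the prompts.
create_realm() {
    _realm=$1 _admin=$2 _uri=$3 _subtrees=$4 _encsalt=$5 _stash=$6
    validate_ldap_uri "$_uri" || { echo "refusing non-TLS LDAP URI: $_uri" >&2; return 1; }
    validate_encsalt "$_encsalt" || { echo "refusing key/salt type: $_encsalt" >&2; return 1; }
    set -- kdb5_ldap_util -r "$_realm" -D "$_admin" -H "$_uri" \
        create -subtrees "$_subtrees" -sscope sub \
        -defencsalttypes "$_encsalt" -sf "$_stash"
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@" || return 1
    # If a stash file was written, it must not be readable by anyone else.
    if [ -f "$_stash" ]; then
        check_stash_perms "$_stash" || { echo "stash $_stash is not mode 0600" >&2; return 1; }
    fi
    return 0
}
```

A typical call is `create_realm ATHENA.MIT.EDU cn=admin,o=org ldaps://ldap-server1.mit.edu o=org aes256-cts-hmac-sha1-96:normal /var/krb5kdc/.k5.ATHENA.MIT.EDU`; set `DRY_RUN=1` first to see the exact command without touching the directory.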

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Kerberos Management > New Realm.

Refer to the iManager online help for more information.

3.3.2 Modifying a Realm

You can modify the realm by using one of the following methods:

Command Line

Use the following syntax to modify a realm:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]

modify  [-subtrees subtree_dn_list] [-sscope search_scope]
        [-containerref container_reference_dn]
        [-kdcdn kdc_service_list] [-clearkdcdn kdc_service_list]
        [-addkdcdn kdc_service_list] [-admindn admin_service_list]
        [-clearadmindn admin_service_list]
        [-addadmindn admin_service_list] [-pwddn passwd_service_list]
        [-clearpwddn passwd_service_list]
        [-addpwddn passwd_service_list] [-defencsalttypes enc_salt_types]
        [-maxtktlife max_ticket_life|-clearmaxtklife]
        [-maxrenewlife max_renewable_ticket_life|-clearmaxrenewlife]
        [-ticket_flags] [-up|-clearup] [-lp|-clearlp] [-r realm]

For example:

kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org modify \
    -clearkdcdn cn=service-kdc1,o=org:cn=service-kdc2,o=org \
    -addkdcdn cn=service-kdc3,o=org:cn=service-kdc4,o=org \
    -subtrees ou=users,o=org:ou=services,o=org

Output of the above command:

Password for "cn=admin,o=org":

Table 3-7 Parameters for Modifying a Realm

Parameter            Description

-subtrees            Subtree list containing the principals of the realm. This list replaces the existing list.
-sscope              Search scope for locating principals under the specified subtrees. The possible values are 1 or one (one level) and 2 or sub (subtree).
-containerref        DN of the container object in which the principals of the realm will be created.
-kdcdn               List of KDC Service objects serving the realm. The list contains the DNs of the KDC Service objects separated by a colon (:). This list replaces the existing list.
-clearkdcdn          List of KDC Service objects to remove from the list. The list contains the DNs of the KDC Service objects separated by a colon (:).
-addkdcdn            List of KDC Service objects to add to the list. The list contains the DNs of the KDC Service objects separated by a colon (:).
-admindn             List of Administration Service objects serving the realm. The list contains the DNs of the Administration Service objects separated by a colon (:). This list replaces the existing list.
-clearadmindn        List of Administration Service objects to remove from the list. The list contains the DNs of the Administration Service objects separated by a colon (:).
-addadmindn          List of Administration Service objects to add to the list. The list contains the DNs of the Administration Service objects separated by a colon (:).
-pwddn               List of Password Service objects serving the realm. The list contains the DNs of the Password Service objects separated by a colon (:). This list replaces the existing list.
-clearpwddn          List of Password Service objects to remove from the list. The list contains the DNs of the Password Service objects separated by a colon (:).
-addpwddn            List of Password Service objects to add to the list. The list contains the DNs of the Password Service objects separated by a colon (:).
-defencsalttypes     List of key:salt strings specifying the default key/salt combinations for the realm. This value takes precedence over the value specified in the configuration file.
-maxtktlife          Maximum ticket life for principals in this realm.
-clearmaxtklife      Clears the maximum ticket life value set for the realm in the directory.
-maxrenewlife        Maximum renewable life of tickets for principals in this realm.
-clearmaxrenewlife   Clears the maximum renewable ticket life value set for the realm in the directory.
-ticket_flags        Ticket flags for the realm. If this option is not set, no restrictions are set and all ticket options are allowed.
-up                  Use the Universal Password of the user as the Kerberos password for the principals in the realm.
-clearup             Stop using the Universal Password of the user as the Kerberos password.
-lp                  Enforce the login restrictions of the users.
-clearlp             Stop enforcing the login restrictions of the users.
-r                   Kerberos realm of the database. By default, the default_realm parameter of the krb5.conf file is used.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Kerberos Management > Edit Realm.

Refer to the iManager online help for more information.

Modifying the Subtree for a Realm

If you modify the subtree list for a realm and leave an existing subtree out of the new list, all the principals in that subtree are excluded from the realm. The principal objects still exist in the directory; they are simply no longer part of the realm.

Modifying the Search Scope for a Realm

If you modify the search scope for a realm, the principals created previously under the old scope still exist, but might be excluded from the realm.

For example, if your subtree is "o=mit", which has a container "ou=students,o=mit", and you change the search scope from "sub" to "one", the Kerberos principal objects that were created under "ou=students,o=mit" still exist but are excluded from the realm. Check which principals a new subtree list or scope would leave out before making the change.

3.3.3 Viewing a Realm

Use the following syntax to view realms:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]

view    [-r realm]

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU

Output of the above command:

Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE

Table 3-8 Parameters for Viewing a Realm

Parameter   Description

-r          Kerberos realm of the database. By default, the default_realm parameter of the krb5.conf file is used.
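The view output is the place to confirm that a realm's lifetime limits and ticket flags match local policy, since a realm with no maximum set falls back to whatever the KDC configuration allows. The following functions are an added example, not part of the Novell documentation: they parse the view output shown above (embedded here as a constructed sample) and fail if ticket lifetimes exceed a threshold or a required flag is missing. The policy values, function names and the assumption that flags are printed as plain names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Novell documentation: check the settings
# printed by "kdb5_ldap_util view" against a local policy. The thresholds,
# function names and the embedded sample output are this example's own.

# Policy (assumed for the example): tickets live at most 10 hours, renew for
# at most 7 days, and forwardable tickets must be disallowed realm-wide.
MAX_TKT_SECONDS=36000
MAX_RENEW_SECONDS=604800
REQUIRED_FLAG=DISALLOW_FORWARDABLE

# sample_view_output: the documentation's example output, one field per
# line, embedded as a constructed sample so the check runs offline.
sample_view_output() {
    cat <<'EOF'
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE
EOF
}

# realm_setting KEY: print the value(s) of "KEY: value" lines on stdin.
realm_setting() {
    awk -v key="$1" 'index($0, key ": ") == 1 { print substr($0, length(key) + 3) }'
}

# life_seconds "D days HH:MM:SS": convert a lifetime as printed by view
# into seconds.
life_seconds() {
    printf '%s\n' "$1" | awk '{
        split($3, t, ":")
        print $1 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# audit_realm: read view output on stdin, print one line per finding and
# return 0 if the realm satisfies the policy, 1 otherwise.
audit_realm() {
    _out=$(cat)
    _rc=0
    _tkt=$(printf '%s\n' "$_out" | realm_setting "Maximum ticket life")
    _ren=$(printf '%s\n' "$_out" | realm_setting "Maximum renewable life")
    _flags=$(printf '%s\n' "$_out" | realm_setting "Ticket flags")
    # An unset maximum is a finding too: the realm then inherits the KDC default.
    if [ -z "$_tkt" ] || [ "$(life_seconds "$_tkt")" -gt "$MAX_TKT_SECONDS" ]; then
        echo "FAIL: maximum ticket life '$_tkt' is unset or exceeds policy"
        _rc=1
    fi
    if [ -z "$_ren" ] || [ "$(life_seconds "$_ren")" -gt "$MAX_RENEW_SECONDS" ]; then
        echo "FAIL: maximum renewable life '$_ren' is unset or exceeds policy"
        _rc=1
    fi
    case $_flags in
        *"$REQUIRED_FLAG"*) ;;
        *) echo "FAIL: ticket flags '$_flags' do not include $REQUIRED_FLAG"; _rc=1 ;;
    esac
    return $_rc
}
```

Against a live realm, pipe the real command in: `kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU | audit_realm`. The sample above passes; a realm whose maximum ticket life is raised to a day, or whose Ticket flags line is absent, fails.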

3.3.4 Destroying a Realm

You can use one of the following methods to destroy a realm:

Command Line

Use the following syntax to destroy a realm:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]

destroy [-f] [-r realm]

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU

Output of the above command:

Password for "cn=admin,o=org":
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...
** Database of 'ATHENA.MIT.EDU' destroyed.

The principals associated with this realm are also deleted. The deletion cannot be undone from kdb5_ldap_util, and -f suppresses the confirmation prompt, so back up the realm's directory data before destroying it and reserve -f for scripted use where the realm name is verified beforehand.

Table 3-9 Parameters for Destroying a Realm

Parameter   Description

-f          If specified, does not prompt the user for confirmation.
-r          Kerberos realm of the database. By default, the default_realm parameter of the krb5.conf file is used.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Kerberos Management > Delete Realm.

Refer to the iManager online help for more information.

3.3.5 Listing Realms

Use the following syntax to list realms:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]

list

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list

Output of the above command:

Password for "cn=admin,o=org":
NOVELL.COM
ATHENA.MIT.EDU
MEDIA-LAB.MIT.EDU