3.5 Managing Ticket Policies

The ticket policy objects stored in eDirectory can be attached to Kerberos principals. Policy-related attributes can also be associated directly with the principals or realms but are not explained here.

3.5.1 Creating a Ticket Policy

You can use one of the following methods to add a ticket policy:

Command Line

Use the following command to add a ticket policy:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]
    create_policy [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
    [ticket_flags] [-r realm] policy_name

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy \
    -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" \
    -allow_postdated +needchange -allow_forwardable usertktpolicy

Refer to the following table for the description of the parameters:

Table 3-16 create_policy Parameters

-maxtktlife
    Maximum ticket life for principals.

-maxrenewlife
    Maximum renewable life of tickets for principals.

ticket_flags
    Specifies the ticket flags. If this option is not specified, none of the flags are set by default, which means that all ticket options are allowed and no restrictions are set. The flags are:

    {-|+}allow_postdated
        Allows or prohibits principals from obtaining postdated tickets.

    {-|+}allow_forwardable
        Allows or prohibits principals from obtaining forwardable tickets.

    {-|+}allow_renewable
        Allows or prohibits principals from obtaining renewable tickets.

    {-|+}allow_proxiable
        Allows or prohibits principals from obtaining proxiable tickets.

    {-|+}allow_dup_skey
        Disables or enables user-to-user authentication for principals by prohibiting or allowing them to obtain a session key for another user.

    {-|+}requires_preauth
        Makes principals require or not require pre-authentication before being allowed to kinit.

    {-|+}requires_hwauth
        Makes principals require or not require pre-authentication with a hardware device before being allowed to kinit.

    {-|+}allow_svr
        Allows or prohibits issuance of service tickets for this principal.

    {-|+}allow_tgs_req
        -allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. +allow_tgs_req clears this flag. The default is +allow_tgs_req. In effect, -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.

    {-|+}allow_tix
        Allows or prohibits issuance of any tickets for principals. The default is +allow_tix.

    {-|+}needchange
        Makes principals require or not require a password change.

    {-|+}password_changing_service
        Sets or unsets principals as password changing services.

-r
    Realm to which the ticket policy belongs. By default, the default_realm parameter of the krb5.conf file is used.

policy_name
    Name of the policy.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > New Policy.

Refer to the iManager online help for more information.

3.5.2 Modifying a Ticket Policy

You can use one of the following methods to modify a ticket policy:

Command Line

Use the following command to modify a ticket policy:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]
    modify_policy [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
    [ticket_flags] [-r realm] policy_name

For more information on the parameters, refer to Table 3-16.

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy \
    -maxtktlife "1 day" -maxrenewlife "1 week" +allow_postdated -requires_preauth usertktpolicy

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Edit Policy.

Refer to the iManager online help for more information.

3.5.3 Destroying a Ticket Policy

You can use one of the following methods to destroy a ticket policy:

Command Line

Use the following command to destroy a ticket policy:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]
    destroy_policy [-force] [-r realm] policy_name

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU usertktpolicy

The command prompts for confirmation and reports the result:

This will delete the policy object 'usertktpolicy', are you sure?(type 'yes' to confirm)? Yes
policy object 'usertktpolicy' deleted.

Table 3-17 destroy_policy Parameters

-force
    Forces the deletion of the policy object. If you do not specify this option, you are prompted for confirmation before the policy is deleted. Enter YES to confirm the deletion.

-r
    Realm to which the ticket policy belongs. By default, the default_realm parameter of the krb5.conf file is used.

policy_name
    Name of the policy.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Delete Policy.

Refer to the iManager online help for more information.

3.5.4 Viewing a Ticket Policy

Use the following command to view a ticket policy:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]
    view_policy [-r realm] policy_name

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU usertktpolicy

The expected output is:

Ticket Policy: usertktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

Table 3-18 view_policy Parameters

-r
    Realm to which the ticket policy belongs. By default, the default_realm parameter of the krb5.conf file is used.

policy_name
    Name of the policy.
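Because create_policy takes {-|+}flag arguments while view_policy prints KDB flag names (the page's own example shows -allow_forwardable and +needchange coming back as DISALLOW_FORWARDABLE and REQUIRES_PWCHANGE), a reviewer checking that a policy was stored as intended has to translate between the two. The following script is an added example, not part of the Novell documentation or of kdb5_ldap_util: it maps the Table 3-16 flags to the names view_policy prints, parses view_policy output (the sample above, embedded as input), and reports where the stored policy is weaker than an intended baseline. The printed names other than DISALLOW_FORWARDABLE, REQUIRES_PWCHANGE and DISALLOW_TGT_BASED are assumed to follow MIT krb5's KRB5_KDB_* constant names.

```python
import re
# create_policy flag name -> name printed by view_policy. "-allow_*" sets a
# DISALLOW_* flag; "+requires_*", "+needchange" and "+password_changing_service"
# set the corresponding flag. Names not on the page assume krb5's KRB5_KDB_* naming.
FLAG_NAMES = {
    "allow_postdated": "DISALLOW_POSTDATED", "allow_forwardable": "DISALLOW_FORWARDABLE",
    "allow_renewable": "DISALLOW_RENEWABLE", "allow_proxiable": "DISALLOW_PROXIABLE",
    "allow_dup_skey": "DISALLOW_DUP_SKEY", "allow_svr": "DISALLOW_SVR",
    "allow_tgs_req": "DISALLOW_TGT_BASED", "allow_tix": "DISALLOW_ALL_TIX",
    "requires_preauth": "REQUIRES_PRE_AUTH", "requires_hwauth": "REQUIRES_HW_AUTH",
    "needchange": "REQUIRES_PWCHANGE", "password_changing_service": "PWCHANGE_SERVICE",
}

# view_policy output quoted from the page, embedded here as sample input.
SAMPLE_OUTPUT = """Ticket Policy: usertktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE"""

def expected_flags(ticket_flags):
    """Flags view_policy should print for the given {-|+}name arguments."""
    wanted = set()
    for arg in ticket_flags:
        sign, name = arg[:1], arg[1:]
        if sign not in ("+", "-") or name not in FLAG_NAMES:
            raise ValueError(f"not a ticket flag: {arg}")
        # -allow_forwardable sets DISALLOW_FORWARDABLE; +needchange sets REQUIRES_PWCHANGE
        if sign == ("-" if name.startswith("allow_") else "+"):
            wanted.add(FLAG_NAMES[name])
    return wanted

def parse_view_policy(text):
    """Parse view_policy output; lifetimes come back in seconds."""
    policy = {"flags": set()}
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key.startswith("Maximum"):
            d, h, m, s = re.fullmatch(r"(\d+) days (\d+):(\d+):(\d+)", value).groups()
            policy[key] = ((int(d) * 24 + int(h)) * 60 + int(m)) * 60 + int(s)
        elif key == "Ticket flags":
            policy["flags"] = set(value.split())
    return policy

def audit(policy, required, max_life=10 * 3600, max_renew=7 * 86400):
    """List where the stored policy is weaker than the intended baseline."""
    findings = [f"missing flag {f}" for f in sorted(required - policy["flags"])]
    if policy["Maximum ticket life"] > max_life:
        findings.append("ticket life exceeds baseline")
    if policy["Maximum renewable life"] > max_renew:
        findings.append("renewable life exceeds baseline")
    return findings
```

Run against the page's create_policy example (-allow_postdated +needchange -allow_forwardable) plus a REQUIRES_PRE_AUTH baseline, the sample output is reported as missing DISALLOW_POSTDATED and REQUIRES_PRE_AUTH, which is exactly the drift a periodic view_policy check should surface.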

3.5.5 Listing Ticket Policies

Use the following command to list policies:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]
    list_policy [-r realm]

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy

The expected output is as follows:

usertktpolicy
tempusertktpolicy
krbtktpolicy

Table 3-19 list_policy Parameters

-r
    Realm for which the ticket policies are to be listed. By default, the default_realm parameter of the krb5.conf file is used.