3.2 Configuration and Administration Utilities
Use the kdb5_ldap_util utility to manage realms, Kerberos services, and ticket policies.
Use the kadmin utility to manage principals, password policies, and keytab entries.
You can also use iManager to configure and administer the Novell Kerberos KDC.
3.2.1 The kdb5_ldap_util Utility
This utility has the following syntax:
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert] cmd [cmd_options]
The kdb5_ldap_util parameters are described below:
Table 3-2 kdb5_ldap_util Parameters
-D user_dn | Distinguished name of a user with sufficient rights to authenticate to the LDAP server and configure Kerberos services. |
-w passwd | Password for user_dn. Not recommended: a password given on the command line is visible to other users on the host (for example in the process list), so omit -w and let the utility prompt for it. |
-H ldap_uri | URI of the LDAP server. |
-t trusted_cert | File containing the trusted root certificate of the LDAP server. |
The command options include the following:
Table 3-3 kdb5_ldap_util Command Options
3.2.2 The kadmin Utility
You can use the kadmin or kadmin.local utilities to manage principals, keys, and password policies. Unlike in MIT Kerberos, where kadmin.local opens the local database directly, in the Novell Kerberos KDC kadmin.local accesses the database (eDirectory) remotely over LDAP.
kadmin is a client utility: it contacts the Administration server, which in turn contacts eDirectory for each administration request.
kadmin.local contacts eDirectory directly to complete the administration request.
The syntax for using this utility is as follows:
kadmin [-r realm] [-p principal] [-q query] [-s admin_server[:port]] [-w password] [[-c ccache]|[-k [-t keytab]]]
kadmin.local [-r realm] [-p principal] [-q query] [-x db_args] [-e "enc:salt ..."] [-m]
cmd [cmd_options]
The kadmin and kadmin.local parameters are described below:
Table 3-4 kadmin and kadmin.local Parameters
-r realm | Kerberos realm of the database. Defaults to the default_realm parameter of the krb5.conf file. |
-p principal | Principal used to authenticate to the administration server. |
-q query | Passes the query directly to kadmin, which performs it and then exits. |
-s admin_server[:port] | Administration server that kadmin should contact. |
-c ccache | Use ccache as the credentials cache. It should contain a service ticket for the kadmin/admin service, which can be obtained with the kinit(1) program. If this option is not specified, kadmin requests a new service ticket from the KDC and stores it in its own temporary credentials cache. |
-k | Use a keytab to decrypt the KDC response instead of prompting for a password. The default principal is then host/hostname. If no keytab is given with -t, the default keytab is used. |
-t keytab | Keytab to use for decrypting the KDC response. Valid only together with -k. |
-x db_args | Database-specific parameters:
  - -x host=<hostname>: LDAP server to connect to, given as an LDAP URI. Same as the ldap_servers parameter in the configuration file.
  - -x binddn=<bind_dn>: DN of the object the administration server uses to bind to the LDAP server. The object must have read and write rights on the realm container, the subtrees, and the principal container configured for the realm. Equivalent to ldap_kadmin_dn in the configuration file.
  - -x bindpwd=<bind_password>: Password for binddn. Not recommended, because the password appears on the command line; store it securely in the service password file with the setsrvpw command of kdb5_ldap_util instead. When given, this option overrides the password read from ldap_service_password_file.
  - -x cert=<certificate_file>: Trusted root certificate file for the LDAP server. Same as the ldap_root_certificate_file parameter in the configuration file. |
-e "enc:salt ..." | List of encryption types and salt types to use for any new keys created. |
-m | Do not authenticate using a keytab; the utility prompts for the master database password instead. |
-w password | Use the given password instead of prompting for it.
NOTE: Placing the password for a Kerberos principal with administrative access into a shell script is dangerous if unauthorized users gain read access to the script. |
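Both tables warn against putting a password on the command line (-w for kdb5_ldap_util and kadmin, -x bindpwd= for kadmin.local). The following script, added here as an example and not part of the Novell documentation, shows why: it launches a stand-in process (sh -c 'sleep 5', renamed kdb5_ldap_util, with a constructed placeholder DN and secret) and reads the secret straight back out of the process table, the way any other local user could. It then provides a small guard that a wrapper script can run over its arguments to refuse -w and -x bindpwd=. The process name, DN, secret and paths are assumptions; nothing contacts a KDC or LDAP server.

```shell
#!/bin/sh
# Added example, not part of the Novell Kerberos KDC documentation.
# Shows why kdb5_ldap_util -w, kadmin -w and kadmin.local -x bindpwd= are
# discouraged: argv is readable by every local user, so a password passed
# there can be lifted from the process table. A stand-in process
# (sh -c 'sleep 5' named kdb5_ldap_util) and a constructed placeholder
# secret are used; no KDC or LDAP server is contacted.

set -eu

# Command line of a process as one space-separated string.
# /proc/<pid>/cmdline is Linux-specific; ps -o args= is the POSIX fallback.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a background process carrying the secret in its arguments (the -w
# pattern) and report whether another observer could read it back.
# Returns 0 if the secret is visible, 1 if not. The DN is a placeholder.
secret_visible_in_argv() {
    secret="$1"
    sh -c 'sleep 5' kdb5_ldap_util -D "cn=admin,o=example" -w "$secret" &
    pid=$!
    sleep 1                       # give the child time to exec
    visible=1
    if cmdline_of "$pid" | grep -q -- "$secret"; then
        visible=0
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    return "$visible"
}

# Guard for wrapper scripts: scan an argument list for the options that
# carry a password in argv. Returns 1 if -w or -x bindpwd=... is present,
# 0 otherwise. The safe alternatives are to omit -w (the utility prompts)
# and, for kadmin.local, to stash the bind password with
# kdb5_ldap_util setsrvpw so it is read from the service password file.
reject_password_in_argv() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -w) return 1 ;;
            -x) case "${2:-}" in bindpwd=*) return 1 ;; esac ;;
        esac
        shift
    done
    return 0
}

# Demonstration when run directly with KRB_DEMO=1.
if [ "${KRB_DEMO:-}" = "1" ]; then
    if secret_visible_in_argv "S3cret-placeholder"; then
        echo "password passed with -w is visible in the process table"
    fi
    reject_password_in_argv -D "cn=admin,o=example" -w x \
        || echo "rejected: -w on the command line"
fi
```

Run it with KRB_DEMO=1 to see both checks fire. The guard is deliberately conservative: it does not try to validate the rest of the argument list, only to stop the two options that put a secret where ps can see it.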
The command options include the following:
Table 3-5 kadmin and kadmin.local Command Options
add_principal, addprinc, ank | Adds a principal. |
delete_principal, delprinc | Deletes a principal. |
modify_principal, modprinc | Modifies a principal. |
change_password, cpw | Sets the principal password. |
get_principal, getprinc | Displays the attributes of a principal. |
list_principals, listprincs, get_principals, getprincs | Lists all the principals. |
add_policy, addpol | Adds a password policy. |
modify_policy, modpol | Modifies a password policy. |
delete_policy, delpol | Deletes a password policy. |
get_policy, getpol | Displays the attributes of a password policy. |
list_policies, listpols, get_policies, getpols | Lists the password policies. |
ktadd | Adds entries to a keytab. |
ktremove | Removes entries from a keytab. |
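As an added example of the kadmin command options above (not code from the Novell documentation), this script provisions a host service principal with kadmin authenticated by keytab (-k -t) rather than a password, issuing one -q query per step: add a password policy, add the principal under that policy, and export its key with ktadd. It then restricts the resulting keytab to mode 0600, since ktadd writes a long-lived credential with the caller's umask, and provides a check for that. The realm, admin principal, keytab paths, policy name and the addpol/addprinc options (-minlength, -minclasses, -policy, -randkey) are assumptions beyond what the page states; they are the standard MIT kadmin options.

```shell
#!/bin/sh
# Added example, not part of the Novell Kerberos KDC documentation: drive
# kadmin from a script without putting a password on the command line, then
# lock down the keytab that ktadd wrote.
#
# Assumptions (not stated on the page): the admin principal's key has been
# exported to /etc/krb5kdc/admin.keytab (hypothetical path), and addpol and
# addprinc accept the MIT-style -minlength/-minclasses and -policy/-randkey
# options.

set -eu

REALM="${REALM:-EXAMPLE.COM}"                       # placeholder realm
ADMIN_PRINC="${ADMIN_PRINC:-admin/admin@$REALM}"    # hypothetical admin principal
ADMIN_KEYTAB="${ADMIN_KEYTAB:-/etc/krb5kdc/admin.keytab}"
KADMIN="${KADMIN:-kadmin}"

# Emit one kadmin query per line for provisioning a service principal:
# a password policy, a principal bound to that policy with a random key,
# and a keytab export. Pure string building, so the plan can be reviewed
# (or tested) before anything touches the KDC.
build_queries() {
    svc_princ="$1"      # e.g. host/web01.example.com@EXAMPLE.COM
    keytab="$2"         # file ktadd will create or append to
    policy="$3"         # policy name, e.g. service-keys
    printf '%s\n' \
        "addpol -minlength 16 -minclasses 3 $policy" \
        "addprinc -policy $policy -randkey $svc_princ" \
        "ktadd -k $keytab $svc_princ"
}

# ktadd creates the keytab with the caller's umask; a service keytab is a
# long-lived credential and must be readable by its owner only.
harden_keytab() {
    chmod 600 "$1"
}

# Return 0 only if the keytab is mode 0600 (owner read/write, nothing else).
# ls -ld is used instead of stat because stat's flags differ between
# GNU and BSD userlands.
check_keytab_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Run each query with -k/-t (keytab authentication), -p and -q. No -w here:
# a password in argv is readable by any local user. set -e inside the
# pipeline's subshell makes a failing kadmin abort the whole run.
provision() {
    svc_princ="$1"; keytab="$2"; policy="$3"
    build_queries "$svc_princ" "$keytab" "$policy" | while IFS= read -r q; do
        "$KADMIN" -r "$REALM" -p "$ADMIN_PRINC" -k -t "$ADMIN_KEYTAB" -q "$q"
    done
    harden_keytab "$keytab"
    check_keytab_perms "$keytab"
}

# Usage when run directly:
#   sh provision.sh host/web01.example.com@EXAMPLE.COM /etc/web01.keytab service-keys
if [ $# -eq 3 ]; then
    provision "$1" "$2" "$3"
fi
```

Because each -q invocation is a separate kadmin session, a failure midway leaves the earlier steps applied; rerunning is safe for addpol and addprinc only if the script is extended to check with getpol/getprinc first, which is left out here to keep the flow readable.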