sso_util(8)               BSD System Manager's Manual              sso_util(8)


NAME

     sso_util -- Kerberos -- Open Directory Single Sign On


SYNOPSIS

     sso_util command [-args]


DESCRIPTION

     sso_util is a tool for setting up, interrogating and tearing down
     Kerberos configurations within the Apple Single Sign On environment.
     This tool can configure services, create and consume encrypted config
     records, and tear down Kerberos installations.

     Commands for sso_util :

     info [-p] [-g | -l | -L | -r dir_node_path | -s [-R record_name] [-a]
              [dir_node_path]]
              Returns information about the current Single Sign On environment

              info command arguments:

              -p       Returns the data in XML format

              -g       Returns the default Kerberos realm name

              -l       Returns a list of the services sso_util knows how to
                       kerberize

              -L       Returns the default Kerberos log file paths

              -r dir_node_path
                       Looks in the given node and returns whether or not it
                       has a Kerberos record associated with it and, if so,
                       returns the default realm name.  If dir_node_path is
                       '.' (default) it also returns all the realm names
                       available on the search path.

              -s       Returns information relating to the secure config
                       record attached to a given computer record in the
                       directory

              -R       Provides the name of the computer record to retrieve
                       the secure config record info from

              -a       Requests all the available information on the secure
                       config record

              dir_node_path
                       specifies the directory node in which to search for the
                       computer record

     remove [-k [-a admin_name [-p password]]] [-d]
              Tears down a Kerberos KDC

              remove command arguments:

              -k       removes both the krb5kdc and kadmind processes, and
                       their attendant data and config information

              -a       If the admin name is present, sso_util will attempt to
                       remove the KDC from the list of KDCs in the
                       KerberosClient config record in the default directory
                       node

              -d       Removes the kadmind process. It does not alter any
                       other data

     configure -r REALM -a admin_name [-p password] service
              Configures Kerberized services on the local machine for the
              given realm

              configure command arguments:

              -r REALM
                       Kerberos realm for the service principals

              -a admin_name
                       Account name of an administrator authorized to make
                       changes in the Kerberos database

              -p password
                       Password for the above administrator

              service  Service can be any number of afp, ftp, imap, pop, smtp,
                       ssh, or all

     generateconfig -r REALM -R record_name -f dir_node_path -U user_list -a
              admin_name [-p password] service
              Creates a secure config record and attaches it to a computer
              record in the given directory

              generateconfig command arguments:

              -r REALM
                       Kerberos realm for the service principals

              -R record_name
                       Name of the Computer record to attach the secure config
                       record to

              -f dir_node_path
                       specifies the directory node in which to find the given
                       computer record

              -U user_list
                       Comma separated list of users authorized to use the
                       secure config record. The users must be in the same
                       passwords server as the admin

              -a admin_name
                       Account name of an administrator authorized to make
                       changes in the Kerberos database and also authorized to
                       make changes in the directory node specified by -f

              -p password
                       Password for the above administrator

              service  Service can be any number of afp, ftp, imap, pop, smtp,
                       ssh, or all

     useconfig [-u] [-R record_name] [-f dir_node_path] -a admin_name [-p
              password]
              Uses a secure config record to configure a server for Kerberos

              useconfig command arguments:

              -u       Forces the update, ignoring that the update may already
                       have been installed

              -R record_name
                       Name of the Computer record containing the secure
                       config record

              -f dir_node_path
                       Specifies the directory node in which to find the given
                       computer record

              -a admin_name
                       Account name of a user authorized to use the secure
                       config record (see generateconfig )

              -p password
                       Password for the above user


EXAMPLES

     To configure a server in realm FOO.COM when you have the Kerberos
     administrator's password:

     sso_util configure -r FOO.COM -a kerberos_admin -p password all

     To create a secure config record to allow the delegated admins, fred and
     barney, to configure a server named fred.foo.com in realm FOO.COM (using
     an existing computer record). The Open Directory Master for foo.com is
     odmaster.foo.com. This can be run on any server, and neither fred nor
     barney needs to have the Kerberos administrator's password:

     sso_util generateconfig -r FOO.COM -R fred.foo.com
     -f /LDAPv3/odmaster.foo.com -U fred,barney -a kerberos_admin -p password
     all

     To use the secure config record to allow barney to configure the server
     named fred.foo.com:

     sso_util useconfig -R fred.foo.com -f /LDAPv3/odmaster.foo.com -a barney
     -p barneys_password


FILES

     /etc/krb5.keytab  The configure and useconfig commands create or modify
                       the krb5.keytab file.


DIAGNOSTICS

     You can add -v debug_level to any of the sso_util commands. Debug level 1
     provides status information; higher levels add progressively more
     detail.


NOTES

     The sso_util tool is used by the Apple Single Sign On system to set up
     Kerberized services integrated with the rest of the Single Sign On
     components.


SEE ALSO

     kerberos(1), kerberosautoconfig(8), kdcsetup(8), krbservicesetup(8),
     krb5kdc(8)

Darwin                           June 12, 2008                          Darwin

Mac OS X 10.4 Server - Generated Thu Jun 12 20:00:31 CDT 2008