Diffstat (limited to 'crypto/heimdal/kadmin/kadmind.8')
-rw-r--r-- crypto/heimdal/kadmin/kadmind.8 47
1 files changed, 29 insertions, 18 deletions
diff --git a/crypto/heimdal/kadmin/kadmind.8 b/crypto/heimdal/kadmin/kadmind.8
index 1169530..f7a3f5b 100644
--- a/crypto/heimdal/kadmin/kadmind.8
+++ b/crypto/heimdal/kadmin/kadmind.8
@@ -1,4 +1,6 @@
-.Dd June 7, 2000
+.\" $Id: kadmind.8,v 1.10 2002/08/20 17:07:11 joda Exp $
+.\"
+.Dd March 5, 2002
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
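Review bot: The new .Dd date (March 5, 2002) is earlier than the revision date in the added $Id comment (2002/08/20). If the page text changed in that revision, bump .Dd to match so readers can tell how current the ACL documentation is.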
@@ -27,21 +29,22 @@
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
-these, subject to permissions. When starting, if stdin is a socket it assumes that it has been started by
+these, subject to permissions. When starting, if stdin is a socket it
+assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
-connection. The
+connection. The
.Fl -debug
-option causes
+option causes
.Nm
-to accept exactly one connection, which is useful for debugging.
+to accept exactly one connection, which is useful for debugging.
.Pp
If built with krb4 support, it implements both the Heimdal Kerberos 5
administrative protocol and the Kerberos 4 protocol. Password changes
via the Kerberos 4 protocol are also performed by
.Nm kadmind ,
but the
-.Xr kpasswdd 8
+.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 )
@@ -51,7 +54,7 @@ This daemon should only be run on ther master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
-their own principals. Apart from that, doing any operation requires
+their own principal. Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
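Review bot: The sentence just above this hunk, visible in the hunk header, still reads "should only be run on ther master server"; fix "ther" to "the" in the same pass, since that sentence is the deployment restriction operators need to read correctly. In the changed line, "list their own principal" is also ambiguous next to the ACL right named "list" further down; say which operation a principal may always perform on its own entry.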
@@ -61,10 +64,10 @@ The format of this file is:
.Op Va principal-pattern
.Ed
.Pp
-Where rights is any combination of:
-.Bl -bullet
+Where rights is any (comma separated) combination of:
+.Bl -bullet -compact
.It
-change-password | cpw
+change-password or cpw
.It
list
.It
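Review bot: The new "(comma separated)" wording does not say whether whitespace is allowed around the commas. Because the rights and the principal-pattern are separate fields on the same line, state explicitly that the rights list must be written without spaces (or that spaces are accepted), so an administrator does not end up with an entry that is parsed differently from what was intended.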
@@ -81,17 +84,18 @@ all
.Pp
And the optional
.Ar principal-pattern
-restricts the rights to principals that match the glob-style pattern.
+restricts the rights to operations on principals that match the
+glob-style pattern.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
-.Fl c Ar file Ns ,
+.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
-.Fl k Ar file Ns ,
+.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
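Review bot: The reworded principal-pattern sentence still leaves two things undocumented: what an entry covers when the optional pattern is omitted, and how the glob treats the "/" and "@" separators in a principal name. Both decide how broad a granted right is, so add a sentence for each next to "glob-style pattern".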
@@ -100,23 +104,23 @@ location of master key file
.Xc
what keytab to use
.It Xo
-.Fl r Ar realm Ns ,
+.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
-.Fl d Ns ,
+.Fl d ,
.Fl -debug
.Xc
enable debugging
.It Xo
-.Fl p Ar port Ns ,
+.Fl p Ar port ,
.Fl -ports= Ns Ar port
.Xc
ports to listen to. By default, if run as a daemon, it listen to ports
749, and 751 (if built with Kerberos 4 support), but you can add any
number of ports with this option. The port string is a whitespace
-separated list of port specifications, with the special string
+separated list of port specifications, with the special string
.Dq +
representing the default set of ports.
.El
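Review bot: In the -p/--ports description the hunk only strips trailing whitespace and leaves "it listen to ports 749, and 751" ungrammatical; change it to "it listens on ports 749 and 751". Since the port string is a whitespace separated list, it is also worth saying here that the argument has to be quoted on the command line.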
@@ -130,9 +134,16 @@ to listen to port 4711 in addition to any
compiled in defaults:
.Pp
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
+.Pp
+This acl file will grant Joe all rights, and allow Mallory to view and
+add host principals.
+.Bd -literal -offset indent
+joe/admin@EXAMPLE.COM all
+mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
+.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
-.Xr kadmin 1 ,
.Xr kpasswd 1 ,
+.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8
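Review bot: In the added ACL example the prose says Mallory may "view and add host principals" while the entry grants "add,get", and the rights list has a separate "list" right, so name the rights in the sentence (for example "get and add") to avoid readers assuming "list" is included. Using "Mallory", the conventional name for a malicious party, for an account that is being granted rights is also confusing in an ACL example; a neutral name would read better. The example would also be easier to find under its own heading rather than directly after the --ports example.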