getprinc -terse format
Lukas Kubin
kubin at opf.slu.cz
Tue Aug 31 02:03:21 EDT 2004
Thank you for the great help Mike.
Could someone, please, add the "terse" option format description for
both getprinc and getpol commands into the admin's Kerberos documentation?
Thank you.
lukas
Mike Friedman wrote:
> On Mon, 30 Aug 2004 at 10:48 (+0200), Lukas Kubin wrote:
>
>
>>I would like to parse "getprinc -terse" output in our accounts
>>administration scripts. However I can't find the "terse" output format
>>description. E.g. when I need to look for "needchange" option, I don't
>>know which of the fields stores this value. Is there any description of
>>the "terse" format somewhere (except for the source code)?
>
>
> Lukas,
>
> I had the same requirement, so I found the answer in the source code (see
> below for the field layout).
>
> As it happens, a principal's attributes, such as 'needchange', are
> represented as a sequence of bit flags, aggregated into a single byte.
> So after you find the field (1 byte long), you have to parse the bits.
>
> First, here's the layout of the output from 'getprinc -terse':
>
> ======================================================================
> Fields in 'getprinc -terse' output
>
> princ-canonical-name
> princ-exp-time
> last-pw-change
> pw-exp-time
> princ-max-life
> modifying-princ-canonical-name
> princ-mod-date
> princ-attributes <=== This is the field you want
> princ-kvno
> princ-mkvno
> princ-policy (or 'None')
> princ-max-renewable-life
> princ-last-success
> princ-last-failed
> princ-fail-auth-count
> princ-n-key-data
> ver
> kvno
> data-type[0]
> data-type[1]
> ======================================================================
>
> Following is a perl subroutine I use to check for a specific attribute
> value. To see if the 'needchange' option is set, you would do something
> like this:
>
> my $REQUIRES_PWCHANGE = 512;
> if (&attribute($REQUIRES_PWCHANGE)) {
> # needchange attribute is set
> ...
> ...
> }
>
> (The value '512' represents the bit position in the 'attributes' byte
> corresponding to 'needchange').
>
> # ----------------------------------------------------
> sub attribute {
>
> # Check whether a KDC attribute flag is set for a specified
> # principal. Return 1 if it is, 0 if not.
>
> my ($attr_flag) = @_;
>
> my $rc;
> my $xx;
> my ($attribute_string,@attributes,$flags);
>
> $attribute_string = `$kadmin 'getprinc -terse $userID' 2>/dev/null`;
>
> ($xx,$attribute_string) = split(/\n/,$attribute_string);
> @attributes = split (" ",$attribute_string);
> $flags = $attributes[7];
>
> # If attribute is set, return 1, else 0:
> $rc = ($flags & $attr_flag) ? 1 : 0;
>
> return $rc;
> }
> # ----------------------------------------------------
>
>
> I hope this helps.
>
> Mike
>
> ------------------------------------------------------------------------------
> Mike Friedman System and Network Security
> mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
> 1-510-642-1410 University of California at Berkeley
> http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
> ------------------------------------------------------------------------------
>
--
Lukas Kubin
phone: +420596398275
email: kubin at opf.slu.cz
Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz
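
The field layout from the thread, as an added Python example that is not part of the original messages: it parses one 'getprinc -terse' record, decodes the attributes field, and keeps "flag not set" distinct from "lookup failed". The sample output, the function names and the flag names other than 512 ('needchange') are not from the thread; the other flag values are the KRB5_KDB_* constants from MIT krb5's kdb.h.

```python
import shlex

# Field order as listed in the post; the per-key fields that follow are ignored.
FIELDS = ("princ exp_time last_pw_change pw_exp_time max_life mod_princ mod_date "
          "attributes kvno mkvno policy max_renewable_life last_success "
          "last_failed fail_auth_count n_key_data").split()

# 512 ('needchange') is the value given in the post; the others are the
# KRB5_KDB_* attribute constants from MIT krb5's kdb.h (not from the post).
FLAGS = {
    0x0001: "DISALLOW_POSTDATED", 0x0002: "DISALLOW_FORWARDABLE",
    0x0004: "DISALLOW_TGT_BASED", 0x0008: "DISALLOW_RENEWABLE",
    0x0010: "DISALLOW_PROXIABLE", 0x0020: "DISALLOW_DUP_SKEY",
    0x0040: "DISALLOW_ALL_TIX",   0x0080: "REQUIRES_PRE_AUTH",
    0x0100: "REQUIRES_HW_AUTH",   0x0200: "REQUIRES_PWCHANGE",
    0x1000: "DISALLOW_SVR",       0x2000: "PWCHANGE_SERVICE",
    0x4000: "SUPPORT_DESMD5",     0x8000: "NEW_PRINC",
}
REQUIRES_PWCHANGE = 512

# Constructed sample: a banner line, then one terse record (attributes = 640).
SAMPLE = (
    "Authenticating as principal admin/admin@EXAMPLE.COM with password.\n"
    '"alice@EXAMPLE.COM"\t0\t1093932201\t0\t86400\t"admin/admin@EXAMPLE.COM"\t'
    "1093932201\t640\t2\t1\tdefault\t604800\t0\t0\t0\t1\t1\t2\t16\t0\n"
)

def parse_terse(output):
    """Return the first terse record in kadmin output as a dict, or None."""
    for line in output.splitlines():
        try:
            parts = shlex.split(line)      # also strips quotes around names
        except ValueError:
            continue
        if len(parts) >= len(FIELDS) and parts[7].isdigit():
            rec = dict(zip(FIELDS, parts))
            rec["attributes"] = int(parts[7])
            return rec
    return None                            # banner or error text only

def decode_flags(attrs):
    """Names of set bits; bits not in FLAGS are reported, not dropped."""
    names = [name for bit, name in sorted(FLAGS.items()) if attrs & bit]
    unknown = attrs & ~sum(FLAGS)
    return names + ([f"UNKNOWN_{unknown:#x}"] if unknown else [])

def has_flag(output, flag):
    """True/False for a flag; raise if no record was found (lookup failed)."""
    rec = parse_terse(output)
    if rec is None:
        raise ValueError("no 'getprinc -terse' record in output")
    return bool(rec["attributes"] & flag)
```

Raising when no record is found keeps an account script from reading a failed kadmin call as "needchange is not set".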