Query KDC for users matching an expiration date

Matthew J. Smith matt.smith at uconn.edu
Mon Mar 13 13:25:39 EST 2006


  I am looking for a way to efficiently implement three queries
regarding principals in our MIT KDC:

1) Give me a list of all expired users,
2) Give me a list of all users who will expire X days into the future,
3) Give me a list of all users whose password will expire X days into
the future

  As a quick and dirty proof of concept for a larger project, I am
shelling out a "get_principal" to kadmin for each principal, grep'ing
the appropriate date line, and operating on it.  Of course, eventually,
this would not be done via shell to kadmin, but instead could be
implemented in C or Perl's Authen::Krb5 (although I have not yet managed
to compile this package for linux/s390x).  But more importantly, looking
algorithmically at this process of checking each principal, I am hoping
something better exists, allowing me to issue a single dated query
against the KDC, and it can return the list of matching users.

Does such a mechanism exist?

Thank you,
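
The per-principal approach described in this message, as an added example that is not part of the original post: it parses concatenated `get_principal` output once and answers all three queries from the parsed records. The principal names, realm and sample output are constructed; it assumes the "Expiration date" and "Password expiration date" field labels and that all dates are in one local time zone.

```python
from datetime import datetime, timedelta

# Constructed sample of get_principal output for three hypothetical principals.
SAMPLE = """\
Principal: alice@EXAMPLE.EDU
Expiration date: Wed Mar 01 00:00:00 EST 2006
Password expiration date: [none]

Principal: bob@EXAMPLE.EDU
Expiration date: Mon Mar 20 00:00:00 EST 2006
Password expiration date: Sat Mar 18 12:00:00 EST 2006

Principal: carol@EXAMPLE.EDU
Expiration date: [never]
Password expiration date: Thu Jun 01 00:00:00 EDT 2006
"""

FIELDS = {"Expiration date": "expires", "Password expiration date": "pw_expires"}

def parse_date(text):
    """Return a naive datetime, or None for '[never]' / '[none]'."""
    parts = text.split()
    if not parts or parts[0].startswith("["):
        return None
    if len(parts) == 6:
        del parts[4]  # drop the zone abbreviation (assumption: one local zone)
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_principals(output):
    """Parse concatenated get_principal output into one dict per principal."""
    principals = []
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "Principal":
            principals.append({"name": value.strip(), "expires": None, "pw_expires": None})
        elif key in FIELDS and principals:
            principals[-1][FIELDS[key]] = parse_date(value)
    return principals

def expired(principals, now):
    """Query 1: principals whose expiration date has passed."""
    return [p["name"] for p in principals if p["expires"] and p["expires"] <= now]

def expiring_within(principals, now, days, field="expires"):
    """Queries 2 and 3: field is 'expires' or 'pw_expires'."""
    limit = now + timedelta(days=days)
    return [p["name"] for p in principals if p[field] and now < p[field] <= limit]
```
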
