weak regex/glob in listprincs in kadmin (on ldap)?

Chris Hecker checker at d6.com
Sun Jul 11 21:23:33 EDT 2021


From looking at the code in src/lib/kadm5/srv/svr_iters.c
<https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180> 
it seems like the listprincs command should support [] patterns like 
che[ca]* but it doesn't in my version (1.15.1 on centos with ldap 
backend).  listprincs chec* works of course.

There's also no way to iterate in the API and listprincs just gives a 
generic server error on too big of a result, so I was going to bisect 
using brackets and found they weren't supported.  I haven't tried 
debugging it yet, but is this because the ldap backend doesn't support 
them?

Is there a recommended way of using the kadm5 interface to iterate 
through tons of principals?

Thanks,
Chris

PS.  The thing that started this is I'm trying to figure out which princs 
have passwords that are about to expire.

