weak regex/glob in listprincs in kadmin (on ldap)?
Chris Hecker
checker at d6.com
Sun Jul 11 21:23:33 EDT 2021
>From looking at the code in src/lib/kadm5/srv/svr_iters.c
<https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180>
it seems like the listprincs command should support [] patterns like
che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
backend). listprincs chec* works of course.
There's also no way to iterate in the API and listprincs just give a
generic server error on too big of a result, so I was going to bisect
using brackets and found they weren't supported. I haven't tried
debugging it yet, but is this because the ldap backend doesn't support
them?
Is there a recommended way of using the kadm5 interface to iterate
through tons of principals?
Thanks,
Chris
PS. The thing that started this is I'm trying figure out which princs
have passwords that are about to expire.
More information about the Kerberos
mailing list