weak regex/glob in listprincs in kadmin (on ldap)?
Chris Hecker
checker at d6.com
Mon Jul 12 02:52:54 EDT 2021
It's a bummer there's no iteration interface for get_principals because
there's no way it's going to be able to return them all for any
reasonably sized realm, so it'd be nice to be able to iterate as a
client. I guess that complicates the db layer a lot though.
It's not clear how you'd iterate them all with the current API in a
remotely efficient manner. Maybe people don't want to do that very
often though.
Chris
------ Original Message ------
From: "Greg Hudson" <ghudson at mit.edu>
To: "Chris Hecker" <checker at d6.com>; kerberos at mit.edu
Sent: 2021-07-11 22:55:14
Subject: Re: weak regex/glob in listprincs in kadmin (on ldap)?
>On 7/11/21 9:23 PM, Chris Hecker wrote:
>> From looking at the code in src/lib/kadm5/srv/svr_iters.c
>> <https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180>
>> it seems like the listprincs command should support [] patterns like
>> che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
>> backend). listprincs chec* works of course.
>
>With the LDAP KDB module, the expression is applied at the KDB layer via
>an LDAP filter expression, as well as at the libkadm5 layer. LDAP
>filter expressions can only handle '*' globbing. Possibly the LDAP KDB
>module should check if [] or ? is in the glob pattern and return all
>results (like the other KDB modules do for all match expressions).
>
>> Is there a recommended way of using the kadm5 interface to iterate
>> through tons of principals? [...] I'm trying to figure out which princs
>> have passwords that are about to expire.
>
>You might try "kdb5_util tabdump -n princ_tktpolicy" if you can run on a
>KDC, or variations of that.