weak regex/glob in listprincs in kadmin (on ldap)?

Chris Hecker checker at d6.com
Mon Jul 12 02:52:54 EDT 2021

It's a bummer there's no iteration interface for get_principals because 
there's no way it's going to be able to return them all for any 
reasonably sized realm, so it'd be nice to be able to iterate as a 
client.  I guess that complicates the db layer a lot though.

It's not clear how you'd iterate them all with the current API in a 
remotely efficient manner.  Maybe people don't want to do that very 
often though.


------ Original Message ------
From: "Greg Hudson" <ghudson at mit.edu>
To: "Chris Hecker" <checker at d6.com>; kerberos at mit.edu
Sent: 2021-07-11 22:55:14
Subject: Re: weak regex/glob in listprincs in kadmin (on ldap)?

>On 7/11/21 9:23 PM, Chris Hecker wrote:
>>  From looking at the code in src/lib/kadm5/srv/svr_iters.c
>>  <https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180>
>>  it seems like the listprincs command should support [] patterns like
>>  che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
>>  backend).  listprincs chec* works of course.
>With the LDAP KDB module, the expression is applied at the KDB layer via
>an LDAP filter expression, as well as at the libkadm5 layer.  LDAP
>filter expressions can only handle '*' globbing.  Possibly the LDAP KDB
>module should check if [] or ? is in the glob pattern and return all
>results (like the other KDB modules do for all match expressions).
>>  Is there a recommended way of using the kadm5 interface to iterate
>>  through tons of principals? [...] I'm trying to figure out which princs
>>  have passwords that are about to expire.
>You might try "kdb5_util tabdump -n princ_tktpolicy" if you can run on a
>KDC, or variations of that.
