• weak regex/glob in listprincs in kadmin (on ldap)?

    From Chris Hecker@21:1/5 to All on Mon Jul 12 01:23:33 2021
    From looking at the code in src/lib/kadm5/srv/svr_iters.c <https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180>
    it seems like the listprincs command should support [] patterns like
    che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
    backend). listprincs chec* works of course.

    There's also no way to iterate in the API and listprincs just gives a
    generic server error on too big of a result, so I was going to bisect
    using brackets and found they weren't supported. I haven't tried
    debugging it yet, but is this because the ldap backend doesn't support
    them?

    Is there a recommended way of using the kadm5 interface to iterate
    through tons of principals?

    Thanks,
    Chris

    PS. The thing that started this is I'm trying to figure out which princs
    have passwords that are about to expire.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Chris Hecker on Mon Jul 12 01:55:14 2021
    To: kerberos@mit.edu

    On 7/11/21 9:23 PM, Chris Hecker wrote:
    > From looking at the code in src/lib/kadm5/srv/svr_iters.c <https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180>
    > it seems like the listprincs command should support [] patterns like
    > che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
    > backend). listprincs chec* works of course.

    With the LDAP KDB module, the expression is applied at the KDB layer via
    an LDAP filter expression, as well as at the libkadm5 layer. LDAP
    filter expressions can only handle '*' globbing. Possibly the LDAP KDB
    module should check if [] or ? is in the glob pattern and return all
    results (like the other KDB modules do for all match expressions).

    > Is there a recommended way of using the kadm5 interface to iterate
    > through tons of principals? [...] I'm trying to figure out which princs
    > have passwords that are about to expire.

    You might try "kdb5_util tabdump -n princ_tktpolicy" if you can run on a
    KDC, or variations of that.

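Following Greg's tabdump suggestion, here is an added example (not code from the thread or from MIT krb5) that filters `kdb5_util tabdump -n princ_tktpolicy` output client-side with fnmatch, so `[]` and `?` patterns work regardless of what the LDAP filter can express, and reports principals whose password expires within a window. It assumes the tab-separated column order `name, expiration, pw_expiration, max_life, max_renew_life, policy` with `-n` giving epoch seconds and `0` meaning no password expiration; the sample rows are constructed.

```python
import fnmatch

# Constructed sample in the shape of `kdb5_util tabdump -n princ_tktpolicy`
# output (tab-separated, header row first, times as epoch seconds).
# All principals and timestamps here are made up for this example.
SAMPLE_TABDUMP = """\
name\texpiration\tpw_expiration\tmax_life\tmax_renew_life\tpolicy
checker@EXAMPLE.COM\t0\t1626393600\t36000\t604800\tdefault
chess@EXAMPLE.COM\t0\t1627000000\t36000\t604800\tdefault
alice@EXAMPLE.COM\t0\t0\t36000\t604800\t
host/kdc.example.com@EXAMPLE.COM\t0\t1629000000\t36000\t604800\t
"""

# Fixed "now" (2021-07-12 00:00:00 UTC) so the example is reproducible.
NOW = 1626048000


def needs_client_side_match(pattern):
    """True if the glob uses [] or ? that an LDAP filter cannot express,
    so the KDB layer will not narrow the result for us."""
    return any(c in pattern for c in "[]?")


def parse_tabdump(text):
    """Turn tabdump text into a list of dicts keyed by the header row."""
    lines = [ln for ln in text.splitlines() if ln]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def expiring_principals(text, pattern="*", within_days=30, now=NOW):
    """Principals matching `pattern` (fnmatch glob) whose password
    expiration falls between `now` and `now + within_days`."""
    cutoff = now + within_days * 86400
    hits = []
    for row in parse_tabdump(text):
        if not fnmatch.fnmatchcase(row["name"], pattern):
            continue
        pw_exp = int(row["pw_expiration"])
        if pw_exp == 0:  # assumption: 0 means no password expiration set
            continue
        if now <= pw_exp <= cutoff:
            hits.append((row["name"], pw_exp))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for name, when in expiring_principals(SAMPLE_TABDUMP, "che[ca]*"):
        print(name, when)
```

On a real KDC, pipe `kdb5_util tabdump -n princ_tktpolicy` into `expiring_principals` instead of the constructed sample.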
  • From Russ Allbery@21:1/5 to Chris Hecker on Mon Jul 12 16:49:32 2021
    Copy: kerberos@mit.edu

    "Chris Hecker" <checker@d6.com> writes:

    > It's not clear how you'd iterate them all with the current API in a
    > remotely efficient manner. Maybe people don't want to do that very
    > often though.

    Whenever I wanted to do something like that, I generally did it using
    kadmin.local or the library equivalent on a KDC replica rather than trying
    to do it over protocol.

    I'm not a huge fan of the kadmin network protocol. It works, mostly, but
    whenever I was doing something very complicated, I usually had better luck
    writing some code that could run on a KDC against a local database (I
    never used LDAP, but the same principle mostly applies) and then wrapping
    my own protocol around whatever that operation wanted to return.

    --
    Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
