• Re[2]: weak regex/glob in listprincs in kadmin (on ldap)?

    From Chris Hecker@21:1/5 to Greg Hudson on Mon Jul 12 06:52:54 2021
    To: kerberos@mit.edu

    It's a bummer there's no iteration interface for get_principals because
    there's no way it's going to be able to return them all for any
    reasonably sized realm, so it'd be nice to be able to iterate as a
    client. I guess that complicates the db layer a lot though.

    It's not clear how you'd iterate them all with the current API in a
    remotely efficient manner. Maybe people don't want to do that very
    often though.

    Chris



    ------ Original Message ------
    From: "Greg Hudson" <ghudson@mit.edu>
    To: "Chris Hecker" <checker@d6.com>; kerberos@mit.edu
    Sent: 2021-07-11 22:55:14
    Subject: Re: weak regex/glob in listprincs in kadmin (on ldap)?

    On 7/11/21 9:23 PM, Chris Hecker wrote:
    > From looking at the code in src/lib/kadm5/srv/svr_iters.c
    > <https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180>
    > it seems like the listprincs command should support [] patterns like
    > che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
    > backend). listprincs chec* works of course.

    With the LDAP KDB module, the expression is applied at the KDB layer via
    an LDAP filter expression, as well as at the libkadm5 layer. LDAP
    filter expressions can only handle '*' globbing. Possibly the LDAP KDB
    module should check if [] or ? is in the glob pattern and return all
    results (like the other KDB modules do for all match expressions).

    > Is there a recommended way of using the kadm5 interface to iterate
    > through tons of principals? [...] I'm trying to figure out which princs
    > have passwords that are about to expire.

    You might try "kdb5_util tabdump -n princ_tktpolicy" if you can run on a
    KDC, or variations of that.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
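Greg's explanation above (the LDAP filter only knows '*', so the KDB layer drops `[]` and `?` matches before the libkadm5 regex ever sees them), as an added Python model that is not krb5 code: glob_to_regexp follows the conversion rules from svr_iters.c, the LDAP side is a simplified emulation, and appending the realm to the filter is an assumption. With fallback=True the KDB layer widens patterns LDAP cannot express to match-all, which is the change Greg suggests.

```python
import re

# Constructed sample of krbPrincipalName values an LDAP KDB might hold.
PRINCIPALS = ["checker@EXAMPLE.COM", "checa@EXAMPLE.COM", "chris@EXAMPLE.COM",
              "host/kdc.example.com@EXAMPLE.COM"]


def glob_to_regexp(glob, realm):
    """Mirror the libkadm5 glob rules: '*' -> '.*', '?' -> '.', backslash quotes
    the next char, '[...]' passes through untouched, realm appended if absent."""
    if glob.endswith("\\"):
        raise ValueError("pattern ends with a bare backslash")
    out, i = ["^"], 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "\\":
            i += 1
            out.append(re.escape(glob[i]))
        elif c in ".^$":
            out.append("\\" + c)
        else:
            out.append(c)
        i += 1
    if "@" not in glob:
        out.append("@" + re.escape(realm))  # realm escaped here (assumption)
    out.append("$")
    return "".join(out)


def ldap_substring_match(pattern, name):
    """Emulate an LDAP substring filter: only '*' is a wildcard, all else literal."""
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(rx, name) is not None


def kdb_layer(glob, realm, fallback):
    """Simplified LDAP KDB layer: the glob goes straight into the LDAP filter.
    With fallback=True, patterns LDAP cannot express are widened to match-all
    so that libkadm5 does the real filtering."""
    pattern = glob if "@" in glob else glob + "@" + realm
    if fallback and any(c in glob for c in "?[]\\"):
        pattern = "*"
    return [p for p in PRINCIPALS if ldap_substring_match(pattern, p)]


def list_principals(glob, realm="EXAMPLE.COM", fallback=False):
    """Both layers: KDB filter first, then the libkadm5 regex over the result."""
    rx = re.compile(glob_to_regexp(glob, realm))
    return [p for p in kdb_layer(glob, realm, fallback) if rx.match(p)]
```

Without the fallback, `che[ca]*` returns nothing even though the libkadm5 regex would accept it; with it, the bracket and `?` patterns behave the way the non-LDAP modules already do.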