On 7/11/21 9:23 PM, Chris Hecker wrote:
From looking at the code in src/lib/kadm5/srv/svr_iters.c
it seems like the listprincs command should support  patterns like
che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
backend). listprincs chec* works of course.
With the LDAP KDB module, the expression is applied at the KDB layer via
an LDAP filter expression, as well as at the libkadm5 layer. LDAP
filter expressions can only handle '*' globbing. Possibly the LDAP KDB >module should check if  or ? is in the glob pattern and return all
results (like the other KDB modules do for all match expressions).
Is there a recommended way of using the kadm5 interface to iterate
through tons of principals? [...] I'm trying figure out which princs
have passwords that are about to expire.
You might try "kdb5_util tabdump -n princ_tktpolicy" if you can run on a
KDC, or variations of that.
|Location:||Huddersfield, West Yorkshire, UK|
|Nodes:||16 (1 / 15)|