• Re[2]: weak regex/glob in listprincs in kadmin (on ldap)?

    From Chris Hecker@21:1/5 to Greg Hudson on Mon Jul 12 06:52:54 2021
    To: kerberos@mit.edu

    It's a bummer there's no iteration interface for get_principals because
    there's no way it's going to be able to return them all for any
    reasonably sized realm, so it'd be nice to be able to iterate as a
    client. I guess that complicates the db layer a lot though.

    It's not clear how you'd iterate them all with the current API in a
    remotely efficient manner. Maybe people don't want to do that very
    often though.


    ------ Original Message ------
    From: "Greg Hudson" <ghudson@mit.edu>
    To: "Chris Hecker" <checker@d6.com>; kerberos@mit.edu
    Sent: 2021-07-11 22:55:14
    Subject: Re: weak regex/glob in listprincs in kadmin (on ldap)?

    On 7/11/21 9:23 PM, Chris Hecker wrote:
    From looking at the code in src/lib/kadm5/srv/svr_iters.c
    it seems like the listprincs command should support [] patterns like
    che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
    backend). listprincs chec* works of course.

    With the LDAP KDB module, the expression is applied at the KDB layer via
    an LDAP filter expression, as well as at the libkadm5 layer. LDAP
    filter expressions can only handle '*' globbing. Possibly the LDAP KDB >module should check if [] or ? is in the glob pattern and return all
    results (like the other KDB modules do for all match expressions).

    Is there a recommended way of using the kadm5 interface to iterate
    through tons of principals? [...] I'm trying figure out which princs
    have passwords that are about to expire.

    You might try "kdb5_util tabdump -n princ_tktpolicy" if you can run on a
    KDC, or variations of that.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)