[38948] in Kerberos


Re: weak regex/glob in listprincs in kadmin (on ldap)?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 12 01:58:03 2021

To: Chris Hecker <checker@d6.com>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <51e03d3f-ab7d-3958-9bdb-a6cd862d8776@mit.edu>
Date: Mon, 12 Jul 2021 01:55:14 -0400
MIME-Version: 1.0
In-Reply-To: <em4154e8a9-2617-4251-a579-17d9e235fa21@checker-blade15>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 7/11/21 9:23 PM, Chris Hecker wrote:
> From looking at the code in src/lib/kadm5/srv/svr_iters.c
> <https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180>
> it seems like the listprincs command should support [] patterns like
> che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
> backend).  listprincs chec* works of course.

With the LDAP KDB module, the expression is applied at the KDB layer via
an LDAP filter expression, as well as at the libkadm5 layer.  LDAP
filter expressions can only handle '*' globbing.  Possibly the LDAP KDB
module should check if [] or ? is in the glob pattern and return all
results (like the other KDB modules do for all match expressions).

> Is there a recommended way of using the kadm5 interface to iterate
> through tons of principals? [...] I'm trying to figure out which princs
> have passwords that are about to expire.

You might try "kdb5_util tabdump -n princ_tktpolicy" if you can run on a
KDC, or variations of that.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
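The two-layer matching Greg describes, as an added illustration that is not code from the thread or from krb5 itself. It models the KDB layer as an LDAP substring filter (only '*' is a wildcard, everything else is literal) and the libkadm5 layer as a full glob match, then contrasts a KDB module that forwards the glob verbatim with one that falls back to "return all" when the pattern contains '?' or '['. The principal list is constructed sample data, the function names are hypothetical, and patterns are matched against the full principal string (the real code's realm handling is not modelled):

```python
import fnmatch
import re

# Constructed sample of krbPrincipalName values; not a real directory dump.
SAMPLE_PRINCS = [
    "checker@EXAMPLE.COM",
    "chec-old@EXAMPLE.COM",
    "chea@EXAMPLE.COM",
    "che[ca]x@EXAMPLE.COM",   # literal brackets in the name, to show what LDAP sees
    "alice@EXAMPLE.COM",
]


def ldap_substring_match(pattern, value):
    """Model of an LDAP substring filter (krbPrincipalName=pattern).

    Only '*' is a wildcard; '?' and '[...]' are ordinary characters, which is
    why a glob like che[ca]* matches nothing useful once it reaches LDAP.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def kdb_iterate_verbatim(match_expr, princs):
    """Hypothetical KDB layer that forwards the glob unchanged into the filter."""
    return [p for p in princs if ldap_substring_match(match_expr, p)]


def kdb_iterate_fallback(match_expr, princs):
    """Hypothetical KDB layer with the fix Greg suggests: if the glob uses
    features LDAP cannot express, return every principal and let the layer
    above do the filtering (as the non-LDAP KDB modules do for all patterns)."""
    if any(c in match_expr for c in "?["):
        return list(princs)
    return [p for p in princs if ldap_substring_match(match_expr, p)]


def kadm5_get_principals(match_expr, kdb_iterate, princs):
    """Model of the libkadm5 layer: apply the full glob ('*', '?', '[...]')
    on top of whatever the KDB layer handed back. fnmatchcase stands in for
    the glob-to-regex conversion in svr_iters.c (assumption: case-sensitive)."""
    candidates = kdb_iterate(match_expr, princs)
    return [p for p in candidates if fnmatch.fnmatchcase(p, match_expr)]


if __name__ == "__main__":
    for expr in ("chec*", "che[ca]*"):
        print(expr, "verbatim :", kadm5_get_principals(expr, kdb_iterate_verbatim, SAMPLE_PRINCS))
        print(expr, "fallback :", kadm5_get_principals(expr, kdb_iterate_fallback, SAMPLE_PRINCS))
```

With the verbatim module, `che[ca]*` reaches LDAP as a literal prefix, so the only candidate is the oddly named `che[ca]x` principal, which the libkadm5 glob then rejects; the user sees an empty list even though `chec*` works. With the fallback, LDAP returns everything and the libkadm5 glob produces the expected three matches. The cost of the fallback is a full scan of the directory for any bracket or `?` pattern, which is the same behaviour the other KDB modules already have.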
