It's a bummer there's no iteration interface for get_principals because there's no way it's going to be able to return them all for any reasonably sized realm, so it'd be nice to be able to iterate as a client. I guess that complicates the db layer a lot though.
It's not clear how you'd iterate them all with the current API in a remotely efficient manner. Maybe people don't want to do that very often though.

Chris

------ Original Message ------
From: "Greg Hudson" <ghud...@mit.edu>
To: "Chris Hecker" <chec...@d6.com>; kerberos@mit.edu
Sent: 2021-07-11 22:55:14
Subject: Re: weak regex/glob in listprincs in kadmin (on ldap)?

> On 7/11/21 9:23 PM, Chris Hecker wrote:
>> From looking at the code in src/lib/kadm5/srv/svr_iters.c
>> <https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180>
>> it seems like the listprincs command should support [] patterns like
>> che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
>> backend). listprincs chec* works of course.
>
> With the LDAP KDB module, the expression is applied at the KDB layer via
> an LDAP filter expression, as well as at the libkadm5 layer. LDAP
> filter expressions can only handle '*' globbing. Possibly the LDAP KDB
> module should check if [] or ? is in the glob pattern and return all
> results (like the other KDB modules do for all match expressions).
>
>> Is there a recommended way of using the kadm5 interface to iterate
>> through tons of principals? [...] I'm trying to figure out which princs
>> have passwords that are about to expire.
>
> You might try "kdb5_util tabdump -n princ_tktpolicy" if you can run on a
> KDC, or variations of that.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
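Two points in the exchange above lend themselves to a worked illustration: Greg's description of the two-layer match (an LDAP substring filter that can only express `*`, with `[]` and `?` needing a fall back to "return everything and glob client-side"), and his suggestion of `kdb5_util tabdump -n princ_tktpolicy` as the practical way to find soon-to-expire passwords without a principal iteration API. The Python below is an added example written for this page; it is not krb5 code and none of it is from the thread. It assumes krb5's LDAP attribute name `krbPrincipalName`, assumes that `tabdump -n princ_tktpolicy` prints a tab-separated header row of `name expiration pw_expiration max_life max_renew_life` with epoch-second timestamps and `0` for "never expires", and uses a toy in-memory stand-in for the LDAP server plus constructed sample rows, so it runs offline.

```python
"""Added example (not krb5 code): LDAP-pushdown decision for kadmin globs,
and a scan of `kdb5_util tabdump -n princ_tktpolicy` output for passwords
that are about to expire."""
import fnmatch
import re

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
# '*' is deliberately absent: in a glob it is the one wildcard LDAP can express.
_LDAP_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def glob_to_ldap_filter(pattern, attr="krbPrincipalName"):
    """Return an LDAP filter when `pattern` uses only '*' globbing.
    Return None when it contains '?' or a '[...]' class, which no LDAP
    substring filter can express; the caller must then fetch everything
    and apply the glob client-side (as the non-LDAP KDB modules do).
    `attr` is the krb5 LDAP schema attribute name (assumed here)."""
    if "?" in pattern or "[" in pattern:
        return None
    value = "".join("*" if c == "*" else _LDAP_ESCAPES.get(c, c) for c in pattern)
    return "(%s=%s)" % (attr, value)


def list_principals(pattern, fetch):
    """Two-layer match: narrow server-side when the glob allows it, then
    always re-apply the full glob client-side. `fetch(ldap_filter)` stands
    in for the directory query; a None filter means 'return all entries'."""
    candidates = fetch(glob_to_ldap_filter(pattern))
    return sorted(p for p in candidates if fnmatch.fnmatchcase(p, pattern))


def parse_tabdump(text):
    """Parse tab-separated tabdump output into dicts keyed by the header row.
    Column names are whatever the header says; the scan below assumes the
    princ_tktpolicy layout name/expiration/pw_expiration/max_life/max_renew_life."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def expiring_passwords(text, now, within_seconds):
    """Return (name, pw_expiration) pairs for principals whose password
    expires between `now` and `now + within_seconds`, soonest first.
    A pw_expiration of 0 is taken to mean 'never expires' (assumption).
    Requires the -n (numeric) form so timestamps parse as integers."""
    hits = []
    for row in parse_tabdump(text):
        exp = int(row["pw_expiration"])
        if exp and now <= exp <= now + within_seconds:
            hits.append((row["name"], exp))
    return sorted(hits, key=lambda hit: hit[1])


# --- constructed sample data; not output from any real realm ----------------
SAMPLE_DIRECTORY = [
    "chec@EXAMPLE.COM", "checa@EXAMPLE.COM", "chea@EXAMPLE.COM",
    "ghudson@EXAMPLE.COM", "host/kdc.example.com@EXAMPLE.COM",
]


def fake_fetch(ldap_filter):
    """Toy LDAP backend: like a real server it honours only '*' in the value."""
    if ldap_filter is None:
        return list(SAMPLE_DIRECTORY)
    value = ldap_filter[len("(krbPrincipalName="):-1]
    unescape = lambda seg: re.sub(r"\\([0-9a-f]{2})",
                                  lambda m: chr(int(m.group(1), 16)), seg)
    parts = [unescape(seg) for seg in value.split("*")]
    rx = re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")
    return [p for p in SAMPLE_DIRECTORY if rx.match(p)]


NOW = 1626048000  # constructed reference time, roughly 2021-07-12 UTC
_ROWS = [
    ["name", "expiration", "pw_expiration", "max_life", "max_renew_life"],
    ["chec@EXAMPLE.COM", "0", str(NOW + 3 * 86400), "36000", "604800"],
    ["checa@EXAMPLE.COM", "0", str(NOW + 30 * 86400), "36000", "604800"],
    ["ghudson@EXAMPLE.COM", "0", "0", "36000", "604800"],
    ["host/kdc.example.com@EXAMPLE.COM", "0", str(NOW - 86400), "36000", "604800"],
]
SAMPLE_TABDUMP = "\n".join("\t".join(r) for r in _ROWS) + "\n"


if __name__ == "__main__":
    print(glob_to_ldap_filter("chec*"), glob_to_ldap_filter("che[ca]*"))
    print(list_principals("che[ca]*", fake_fetch))
    for name, exp in expiring_passwords(SAMPLE_TABDUMP, NOW, 7 * 86400):
        print("password expires in %d day(s): %s" % ((exp - NOW) // 86400, name))
```

On a real KDC the tabdump text would come from `kdb5_util tabdump -n princ_tktpolicy` rather than the constructed rows; already-expired entries (the host principal above) fall outside the window by design, so a separate pass is needed if those should be reported too.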