Re[2]: weak regex/glob in listprincs in kadmin (on ldap)?

From: chec...@d6.com (Chris Hecker)
Newsgroups: comp.protocols.kerberos
Subject: Re[2]: weak regex/glob in listprincs in kadmin (on ldap)?
Date: Mon, 12 Jul 2021 06:52:54 +0000
 by: Chris Hecker - Mon, 12 Jul 2021 06:52 UTC

It's a bummer there's no iteration interface for get_principals because
there's no way it's going to be able to return them all for any
reasonably sized realm, so it'd be nice to be able to iterate as a
client. I guess that complicates the db layer a lot though.

It's not clear how you'd iterate them all with the current API in a
remotely efficient manner. Maybe people don't want to do that very
often though.

Chris

------ Original Message ------
From: "Greg Hudson" <ghudson@mit.edu>
To: "Chris Hecker" <checker@d6.com>; kerberos@mit.edu
Sent: 2021-07-11 22:55:14
Subject: Re: weak regex/glob in listprincs in kadmin (on ldap)?

>On 7/11/21 9:23 PM, Chris Hecker wrote:
>> From looking at the code in src/lib/kadm5/srv/svr_iters.c
>> <https://github.com/krb5/krb5/blob/f573f7f8ee5269103a0492d6521a3242c5ffb63b/src/lib/kadm5/srv/svr_iters.c#L180>
>> it seems like the listprincs command should support [] patterns like
>> che[ca]* but it doesn't in my version (1.15.1 on centos with ldap
>> backend). listprincs chec* works of course.
>
>With the LDAP KDB module, the expression is applied at the KDB layer via
>an LDAP filter expression, as well as at the libkadm5 layer. LDAP
>filter expressions can only handle '*' globbing. Possibly the LDAP KDB
>module should check if [] or ? is in the glob pattern and return all
>results (like the other KDB modules do for all match expressions).
>
>> Is there a recommended way of using the kadm5 interface to iterate
>> through tons of principals? [...] I'm trying to figure out which princs
>> have passwords that are about to expire.
>
>You might try "kdb5_util tabdump -n princ_tktpolicy" if you can run on a
>KDC, or variations of that.
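
The mismatch described in the quoted reply, as an added example that is not part of the thread and is not krb5 code: a backend that only understands '*' is handed a glob containing [], and the fallback widens the backend query and applies the full glob afterwards. The principal names, the function names and the use of Python's fnmatch as a stand-in for the libkadm5 glob matcher are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed sample principals (not from the original thread).
PRINCIPALS = [
    "checker@EXAMPLE.COM",
    "cheater@EXAMPLE.COM",
    "chester@EXAMPLE.COM",
    "kadmin/admin@EXAMPLE.COM",
]

def star_only_match(pattern, name):
    """Model of an LDAP substring filter: '*' is the only wildcard,
    every other character (including [ ] ?) is matched literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def needs_full_glob(pattern):
    """True if the glob uses syntax a '*'-only filter cannot express."""
    return any(ch in pattern for ch in "[]?\\")

def list_naive(pattern):
    """Glob handed to the backend filter as-is, then globbed again."""
    backend = [p for p in PRINCIPALS if star_only_match(pattern, p)]
    return [p for p in backend if fnmatch.fnmatchcase(p, pattern)]

def list_with_fallback(pattern):
    """Widen the backend query when the glob needs more than '*',
    and let the second (full glob) stage do the real filtering."""
    backend_pattern = "*" if needs_full_glob(pattern) else pattern
    backend = [p for p in PRINCIPALS if star_only_match(backend_pattern, p)]
    return [p for p in backend if fnmatch.fnmatchcase(p, pattern)]

if __name__ == "__main__":
    for pat in ("chec*", "che[ca]*", "ches?er*"):
        print(pat, list_naive(pat), list_with_fallback(pat))
```

The practical consequence for anyone auditing principals with listprincs on an LDAP-backed KDC: an empty or short result for a [] or ? pattern is not evidence that no such principals exist.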
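
One way to use the tabdump suggestion above for the stated goal of finding passwords that are about to expire, as an added example that is not from the thread or from the krb5 project. It assumes the tab-separated output of "kdb5_util tabdump -n princ_tktpolicy" starts with a header line containing name and pw_expiration columns, that -n prints times as POSIX seconds, and that 0 means no password expiration; the sample rows are constructed.

```python
import csv
import io

DAY = 86400

# Constructed sample in the assumed tabdump layout (tab-separated, header line).
SAMPLE = (
    "name\texpiration\tpw_expiration\tmax_life\tmax_renew_life\n"
    "alice@EXAMPLE.COM\t0\t1700432000\t86400\t604800\n"
    "bob@EXAMPLE.COM\t0\t0\t86400\t604800\n"
    "carol@EXAMPLE.COM\t0\t1707776000\t86400\t604800\n"
    "dave@EXAMPLE.COM\t0\t1699827200\t86400\t604800\n"
)

def expiring_passwords(tabdump_text, now, window_days):
    """Return [(principal, days_left)] for passwords that have expired or
    will expire within window_days of `now` (POSIX seconds)."""
    reader = csv.DictReader(io.StringIO(tabdump_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    horizon = now + window_days * DAY
    hits = []
    for row in reader:
        pw_exp = int(row["pw_expiration"])
        if pw_exp == 0:          # assumed: 0 means the password never expires
            continue
        if pw_exp <= horizon:
            # Negative days_left means the password has already expired.
            hits.append((row["name"], (pw_exp - now) // DAY))
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a stable result.
    for name, days in expiring_passwords(SAMPLE, now=1700000000, window_days=14):
        print(f"{name}\t{days}")
```

Because the whole database is dumped in one pass on the KDC, this sidesteps the get_principals result-size concern raised in the reply.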
