Donn Cave donn at
Tue Oct 19 13:09:19 EDT 2004

In article <4174FA8B.8010003 at>,
 jerry at ("Gerald (Jerry) Carter") wrote:
> Matt Joyce wrote:
> | How can I get more verbose error logs without recompiling?
> Verbose error logs for the krb libs or for Openldap ?

The normal level syslog logs from the Kerberos KDC host
can be pretty useful when there are authentication problems
involving a service principal.

The application error messages from the Cyrus SASL GSSAPI
module will help a little, but unfortunately tend to omit
specifics of the error.

> | And, once i've generated my ldap principal, and his key...
> | can I copy the key out of the keytab and chown/chmod it for
> | ldap in another directory and expect it to work?
> Since (as Sam already said), the service principal
> name is ldap/fqdn at REALM, each ldap server will need its
> own keytab.  It sounds like you are asking if you can
> use the same keytab for multiple OpenLDAP installations.
> Sorry if i misunderstood.

Or could be intending to run slapd under a less privileged
UID than 0, for whom /etc/krb5.keytab is inaccessible.
There's no reason that can't work, as long as you can specify
the location of the keytab.  The krb5 library mechanism for
that, an enviroment variable KRB5_KTNAME, is the only way
that comes to mind.

   Donn Cave, donn at

More information about the Kerberos mailing list