kdb5_ldap_util create fails
Tobias Hachmer
tobias at hachmer.de
Sat Mar 8 12:26:06 EST 2014
Hello list,
I am going to set up a KDC with an OpenLDAP backend.
Environment:
Arch Linux with:
- kerberos version 1.12.1 from official core repo
- openldap version 2.4.39 from official core repo
What I have done:
- very basic clean dit
- kerberos schema is loaded
- organizational unit for kerberos objects is created
- environment variable KRB5_CONFIG is set to the correct kdc.conf
While running "kdb5_ldap_util create -D cn=manager,dc=example,dc=com -r EXAMPLE.COM -s -sscope sub -subtrees ou=users,dc=example,dc=com" I get this error:
kdb5_ldap_util: Kerberos Container create FAILED: Object class violation while creating realm 'EXAMPLE.COM'
Verbose log output from OpenLDAP:
...
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 do_add
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 do_add: dn (ou=mit-kerberos,dc=example,dc=com)
Mar 07 16:34:32 ldapkerberos slapd[959]: >>> dnPrettyNormal: <ou=mit-kerberos,dc=example,dc=com>
Mar 07 16:34:32 ldapkerberos slapd[959]: <<< dnPrettyNormal: <ou=mit-kerberos,dc=example,dc=com>, <ou=mit-kerberos,dc=example,dc=com>
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 ADD dn="ou=mit-kerberos,dc=example,dc=com"
Mar 07 16:34:32 ldapkerberos slapd[959]: bdb_dn2entry("ou=mit-kerberos,dc=example,dc=com")
Mar 07 16:34:32 ldapkerberos slapd[959]: => bdb_dn2id("ou=mit-kerberos,dc=example,dc=com")
Mar 07 16:34:32 ldapkerberos slapd[959]: <= bdb_dn2id: get failed: BDB0073 DB_NOTFOUND: No matching key/data pair found (-30988)
Mar 07 16:34:32 ldapkerberos slapd[959]: bdb_referrals: tag=104 target="ou=mit-kerberos,dc=example,dc=com" matched="dc=example,dc=com"
Mar 07 16:34:32 ldapkerberos slapd[959]: ==> bdb_add: ou=mit-kerberos,dc=example,dc=com
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_required entry (ou=mit-kerberos,dc=example,dc=com), objectClass "krbContainer"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "objectClass"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "cn"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "structuralObjectClass"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "ou"
Mar 07 16:34:32 ldapkerberos slapd[959]: Entry (ou=mit-kerberos,dc=example,dc=com), attribute 'ou' not allowed
Mar 07 16:34:32 ldapkerberos slapd[959]: bdb_add: entry failed schema check: attribute 'ou' not allowed (65)
Mar 07 16:34:32 ldapkerberos slapd[959]: send_ldap_result: conn=1005 op=1 p=3
Mar 07 16:34:32 ldapkerberos slapd[959]: send_ldap_result: err=65 matched="" text="attribute 'ou' not allowed"
Mar 07 16:34:32 ldapkerberos slapd[959]: send_ldap_response: msgid=2 tag=105 err=65
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 RESULT tag=105 err=65 text=attribute 'ou' not allowed
...
I have set up a test machine with Debian wheezy (kerberos version 1.10.1).
With the kdb5_ldap_util there everything works fine.
Is there anyone here who can tell me what's wrong, maybe a bug in kdb5_ldap_util
or some schema changes?
Thanks and kind regards,
Tobias Hachmer
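The slapd trace above carries the whole diagnosis: the entry being added is named by an `ou` RDN, but the only object class slapd checks it against is krbContainer, which does not permit `ou`, so the ADD fails with LDAP result 65 (objectClassViolation). The script below is an added example (not from the post, and not part of MIT krb5 or OpenLDAP) that parses such a trace and reports exactly that: it re-joins mail-wrapped syslog lines (the hyphen/space joining rule is an assumption about how the mail client wrapped them), pulls out the ADD, the `oc_check_required` object class, the `attribute ... not allowed` line and the RESULT code, and flags when the disallowed attribute is the entry's own naming attribute. The sample log is a constructed copy of a few lines from the post, wrapped as they appear there.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Syslog prefix as written by slapd; continuation lines of a mail-wrapped log lack it.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+ slapd\[\d+\]: ")
ADD_RE = re.compile(r'conn=(\d+) op=(\d+) ADD dn="([^"]*)"')
OC_REQUIRED_RE = re.compile(r'oc_check_required entry \((.*?)\), objectClass "([^"]+)"')
NOT_ALLOWED_RE = re.compile(r"Entry \((.*?)\), attribute '([^']+)' not allowed")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)(?: text=(.*))?$")

# A few LDAP result codes relevant to schema failures on ADD (RFC 4511 values).
LDAP_RESULT_NAMES = {
    0: "success", 32: "noSuchObject", 64: "namingViolation",
    65: "objectClassViolation", 67: "notAllowedOnRDN", 68: "entryAlreadyExists",
}

# Constructed sample: lines from the post, wrapped the way the mail shows them.
SAMPLE_LOG = """\
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 ADD dn="ou=mit-
kerberos,dc=example,dc=com"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_required entry (ou=mit-
kerberos,dc=example,dc=com), objectClass "krbContainer"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "objectClass"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "cn"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type
"structuralObjectClass"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "ou"
Mar 07 16:34:32 ldapkerberos slapd[959]: Entry (ou=mit-
kerberos,dc=example,dc=com), attribute 'ou' not allowed
Mar 07 16:34:32 ldapkerberos slapd[959]: bdb_add: entry failed schema check:
attribute 'ou' not allowed (65)
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 RESULT tag=105 err=65
text=attribute 'ou' not allowed
"""


@dataclass
class AddDiagnosis:
    """What slapd reported about one ADD operation (conn/op pair)."""
    conn: str
    op: str
    dn: str
    object_classes_checked: List[str] = field(default_factory=list)
    disallowed_attrs: List[str] = field(default_factory=list)
    err: Optional[int] = None
    text: str = ""

    @property
    def rdn_attr(self) -> str:
        # Attribute type of the first RDN, e.g. "ou" for ou=mit-kerberos,dc=example,dc=com
        return self.dn.split(",", 1)[0].split("=", 1)[0].strip().lower()

    @property
    def err_name(self) -> Optional[str]:
        return None if self.err is None else LDAP_RESULT_NAMES.get(self.err, "unknown")

    @property
    def rdn_conflict(self) -> bool:
        # The RDN attribute must be present in the entry (RFC 4512), so if the schema
        # check rejects that very attribute the DN and the object classes cannot both hold.
        return self.rdn_attr in (a.lower() for a in self.disallowed_attrs)


def unwrap_log(text: str) -> List[str]:
    """Re-join lines a mail client wrapped: a line without the syslog prefix continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if SYSLOG_PREFIX.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            # Assumption: a wrap at a hyphen kept the hyphen, a wrap at a space dropped the space.
            joiner = "" if lines[-1].endswith("-") else " "
            lines[-1] += joiner + raw.strip()
    return lines


def diagnose_adds(text: str) -> List[AddDiagnosis]:
    """Walk the trace and collect, per ADD, the object class checked, rejected attributes and result."""
    ops = {}
    current: Optional[AddDiagnosis] = None
    for line in unwrap_log(text):
        msg = SYSLOG_PREFIX.sub("", line, count=1)
        m = ADD_RE.search(msg)
        if m:
            current = AddDiagnosis(conn=m[1], op=m[2], dn=m[3])
            ops[(m[1], m[2])] = current
            continue
        m = OC_REQUIRED_RE.search(msg)
        if m and current is not None:
            current.object_classes_checked.append(m[2])
            continue
        m = NOT_ALLOWED_RE.search(msg)
        if m and current is not None:
            current.disallowed_attrs.append(m[2])
            continue
        m = RESULT_RE.search(msg)
        if m and (m[1], m[2]) in ops:
            ops[(m[1], m[2])].err = int(m[4])
            ops[(m[1], m[2])].text = m[5] or ""
    return list(ops.values())


def explain(d: AddDiagnosis) -> str:
    """One-paragraph human-readable verdict for a diagnosed ADD."""
    if d.err is None:
        return f"conn={d.conn} op={d.op}: ADD of {d.dn}: no RESULT line seen"
    out = f"conn={d.conn} op={d.op}: ADD of {d.dn} failed with LDAP result {d.err} ({d.err_name}): {d.text}."
    if d.rdn_conflict:
        classes = ", ".join(d.object_classes_checked) or "(none logged)"
        out += (f" The naming attribute '{d.rdn_attr}' of the RDN must be present in the entry,"
                f" but the object class(es) slapd checked ({classes}) do not permit it.")
    return out


if __name__ == "__main__":
    for diag in diagnose_adds(SAMPLE_LOG):
        print(explain(diag))
```

Run against a full `loglevel` trace (or `journalctl -u slapd` output pasted from a mail), the script prints one verdict per ADD; a verdict that ends with the RDN note tells you the DN chosen for the container and the object classes it is created with disagree before you start reading schema files.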