kdb5_ldap_util create fails
Greg Hudson
ghudson at MIT.EDU
Sat Mar 8 15:51:33 EST 2014
On 03/08/2014 12:26 PM, Tobias Hachmer wrote:
> kdb5_ldap_util: Kerberos Container create FAILED: Object class
> violation while creating realm 'EXAMPLE.COM'
I was able to reproduce this with a setup similar to yours, using
OpenLDAP 2.4.28-1.1ubuntu4.4. It doesn't appear to like seeing an
'ou' attribute in the DN of a krbContainer object:
> Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_required entry (ou=mit-kerberos,dc=example,dc=com), objectClass "krbContainer"
> Mar 07 16:34:32 ldapkerberos slapd[959]: Entry (ou=mit-kerberos,dc=example,dc=com), attribute 'ou' not allowed
If I use a cn= as the first element of the container DN, it works.
Since krbContainer is defined in the schema with attributes "MUST ( cn
)" and nothing else, this may be expected behavior.
> I have set up a test machine with debian wheezy (kerberos version
> 1.10.1). With the krb5_ldap_util here everything works fine.
I could produce the same behavior with krb5 1.10, so I don't think
there has been a relevant change on our side. Perhaps there is a
different OpenLDAP version on the test machine? Did you use all of
the same DNs?
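
Added example, not part of the original message and not code from krb5 or OpenLDAP: a pre-flight check that flags a container DN whose leading RDN attribute the krbContainer object class does not permit, which is the condition slapd logs above. The object class definition is a constructed sample mirroring the "MUST ( cn )" described in the message (placeholder OID), and the function names are hypothetical.

```python
import re

# Constructed sample in RFC 4512 syntax; the OID is a placeholder, and the
# MUST list mirrors what the message says about krbContainer.
KRB_CONTAINER_DEF = "( 1.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST ( cn ) )"

# Inherited from 'top', which every structural object class extends.
INHERITED_FROM_TOP = {"objectclass"}


def parse_attr_list(definition, keyword):
    """Return lower-cased attribute names after MUST or MAY.

    Accepts both the single-name form (MAY description) and the
    parenthesised, $-separated form (MUST ( cn $ sn )).
    """
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w;-]+))" % keyword, definition)
    if not m:
        return set()
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return {a.strip().lower() for a in raw.split("$") if a.strip()}


def first_rdn_attrs(dn):
    """Attribute types used in the leftmost RDN of a DN.

    Handles multi-valued RDNs (a=x+b=y) and backslash-escaped separators.
    """
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    parts = re.split(r"(?<!\\)\+", rdn)
    return [p.split("=", 1)[0].strip().lower() for p in parts]


def check_container_dn(dn, definition=KRB_CONTAINER_DEF):
    """List the RDN attributes the object class does not permit.

    The values named in an entry's RDN must also be present in the entry,
    so each RDN attribute type has to appear in MUST or MAY (or be inherited).
    """
    allowed = (parse_attr_list(definition, "MUST")
               | parse_attr_list(definition, "MAY")
               | INHERITED_FROM_TOP)
    return ["attribute '%s' not allowed" % a
            for a in first_rdn_attrs(dn) if a not in allowed]


if __name__ == "__main__":
    for dn in ("ou=mit-kerberos,dc=example,dc=com",
               "cn=mit-kerberos,dc=example,dc=com"):
        print(dn, "->", check_container_dn(dn) or "ok")
```
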