kdb5_ldap_util fails, no idea why

Todd Grayson tgrayson at cloudera.com
Mon Nov 7 09:06:38 EST 2016


From that error message, you need to provide the schema file for the
Kerberos LDAP objects to your directory instance. Can we assume you
followed the instructions from here top down?

https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html



On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <debian at lhanke.de> wrote:

> I'm currently setting up a new KDC for a new domain. I also have a shiny
> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
> fine, there is no specific data in it yet.
>
> Trying to create the Kerberos container, I get the following error:
>
> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
> dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
> Password for "cn=admin,dc=microsult,dc=de":
> Initializing database for realm 'UAC.MICROSULT.DE'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
> kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
> while creating realm 'UAC.MICROSULT.DE'
>
> I read somewhere that this may be due to the kerberos container not
> being a CN attribute. Actually I see in the debug trace of OpenLDAP that
> it denies dc=microsult,dc=de since it's not a CN.
>
> Am I supposed to create a CN node under my TLD and use this? I don't
> quite understand how the final layout in LDAP is supposed to be and how
> to put that into arguments for kdb5_ldap_util.
>
> Any closer explanation is appreciated. Thanks for your help,
>
>   - lars.
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
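One way to confirm the diagnosis above before re-running kdb5_ldap_util is to pull the directory's subschema (`ldapsearch -x -H ldap:/// -s base -b cn=subschema objectClasses`) and check whether the object classes from MIT's kerberos.schema are defined. The parser below is an added example, not code from this thread or from MIT krb5; the LDIF samples are constructed, and the OIDs in the "schema loaded" sample are placeholders rather than the real Kerberos OIDs.

```python
import re

# Some of the object classes defined by MIT Kerberos' kerberos.schema; without
# them the directory rejects the entries kdb5_ldap_util tries to create.
KERBEROS_OBJECT_CLASSES = {"krbContainer", "krbRealmContainer",
                           "krbPrincipal", "krbPrincipalAux"}
_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines: a leading space continues the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def object_class_names(ldif_text: str) -> set:
    """Collect every NAME declared by objectClasses attributes of a subschema entry."""
    names = set()
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("objectclasses:"):
            continue
        m = _NAME_RE.search(line)
        if m and m.group(1):
            names.add(m.group(1))                               # NAME 'x'
        elif m:
            names.update(re.findall(r"'([^']+)'", m.group(2)))  # NAME ( 'x' 'y' )
    return names

def missing_kerberos_classes(ldif_text: str) -> set:
    """Kerberos object classes the directory has not loaded (empty = schema present)."""
    return KERBEROS_OBJECT_CLASSES - object_class_names(ldif_text)

# Constructed sample of `ldapsearch -x -s base -b cn=subschema objectClasses`
# output from a directory that has not loaded kerberos.schema.
SAMPLE_WITHOUT_SCHEMA = """\
dn: cn=Subschema
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST
  dc )
"""
# Same directory after loading the schema (OIDs below are placeholders, not MIT's).
SAMPLE_WITH_SCHEMA = SAMPLE_WITHOUT_SCHEMA + """\
objectClasses: ( 1.3.6.1.4.1.99999.1 NAME 'krbContainer' SUP top STRUCTURAL
  MUST cn )
objectClasses: ( 1.3.6.1.4.1.99999.2 NAME 'krbRealmContainer' SUP top STRUCTURAL )
objectClasses: ( 1.3.6.1.4.1.99999.3 NAME 'krbPrincipal' SUP top STRUCTURAL )
objectClasses: ( 1.3.6.1.4.1.99999.4 NAME 'krbPrincipalAux' AUXILIARY )
"""
```

Run `missing_kerberos_classes()` over the real ldapsearch output: a non-empty result means the schema has not been loaded and the "Object class violation" will persist whatever DN layout is used.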

