bind to LDAP server produces "invalid credentials" error

Greg Hudson ghudson at mit.edu
Thu Aug 21 13:56:27 EDT 2025


On 8/20/25 23:43, Travis Bean wrote:
> “Cannot bind to LDAP server ldapi:/// as
> ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
> - while initializing database.”

This means libkdb_ldap called ldap_sasl_bind_s() and got back an 
LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP 
server didn't match the password from the service stash file.

I looked at the script you linked and didn't find any obvious problems, 
but there might be more information in the slapd log.  My next step 
after that would be to use gdb to debug through first the MIT krb5 side 
(making sure it read the expected password) and then slapd, after 
building both components from source with -g and no -O option.  It may 
be easier to debug the MIT krb5 side if you can reproduce the problem 
with kadmin.local.
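
A quicker check before reaching for gdb, as an added example that is not part of the original message or of MIT krb5: decode the stash entry for the bind DN and compare it with the password set on the LDAP entry. It assumes the stash file written by kdb5_ldap_util stashsrvpw holds one `DN#{HEX}hex-password` line per service; the sample contents, passwords and function names are constructed for illustration.

```python
import binascii
import hmac

# Constructed sample stash contents; the first password is "s3cret" in hex.
SAMPLE_STASH = (
    "# constructed sample, not a real stash file\n"
    "cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}733363726574\n"
    "cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}61646d0a\n"
)

def stashed_password(stash_text, bind_dn):
    """Return the decoded password bytes for bind_dn, or None if absent."""
    for line in stash_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":   # comment markers (assumed)
            continue
        dn, sep, value = line.partition("#")
        # DN comparison is case-insensitive here (assumed to mirror the reader)
        if not sep or dn.lower() != bind_dn.lower():
            continue
        if not value.startswith("{HEX}"):
            raise ValueError("entry for %s is not {HEX}-encoded" % bind_dn)
        try:
            return binascii.unhexlify(value[5:])
        except binascii.Error as exc:
            raise ValueError("bad hex for %s: %s" % (bind_dn, exc))
    return None

def diagnose(stash_text, bind_dn, expected):
    """Compare the stashed password with the one set on the LDAP entry."""
    found = stashed_password(stash_text, bind_dn)
    if found is None:
        return "no-entry"
    if hmac.compare_digest(found, expected):
        return "match"
    # A stray newline or space captured when the password was stashed
    if hmac.compare_digest(found.strip(), expected.strip()):
        return "whitespace-differs"
    return "mismatch"

if __name__ == "__main__":
    dn = "cn=kdc-srv,cn=krbContainer,dc=example,dc=local"
    print(diagnose(SAMPLE_STASH, dn, b"s3cret"))
```

A "match" result with the bind still failing points at the slapd side (the stored userPassword value or access rules), which is where the slapd log comes in.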


