my first experiment with ldap back end

Ken Raeburn raeburn at MIT.EDU
Mon Jun 5 15:09:30 EDT 2006


On Jun 5, 2006, at 5:25, Savitha R wrote:
>> First problem: Syntax where?  What entry?  Okay, yeah, the error
>> messages from the krb5 code are pretty poor, but that's no reason to
>> continue the, um, tradition.
>
> Need to look into this. Debug message from slapd would help.

Okay, I'll check further.

>> At this point it stopped; after 10 seconds or so I interrupt it (I'm
>> running it under gdb), and it seems to be stalled in the LDAP code
>> (problem #3):
>
> We had faced this problem with 2.2.6-37.35 version of openldap. There
> seems to be some issue in unbinding when multiple handles are created to
> the LDAP server.  The problem disappeared when the openldap client was
> upgraded.

This is 2.2.23, which is what's shipped in the current Debian release  
(3.1).  What version do we need?  It would be poor if we can't work  
with what vendors are shipping, and if we can't detect a broken  
version (by version number if nothing else).

> This problem should not occur if the realm is associated with a
> subtree. While destroying a realm, the principals belonging to the realm
> are deleted. The principals are searched under the subtree which is
> associated with the realm. If no subtree is associated, the search base
> will be "".

Ah, the -subtree option to kdb5_ldap_util create.

> If the searchbase is "", the ldap client tries to pick up the search
> base from the BASE option in ldap.conf file. If the client sends the
> searchbase as "", the server can be configured to take a default search
> base by setting the defaultsearchbase in slapd.conf file on the server.

So I need either a subtree at creation time, or a defaultsearchbase  
specification.  Is there a way to warn at realm creation time if the  
defaultsearchbase is not set properly?

Ken
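
The search-base fallback described in this message (the -subtree value, then BASE in ldap.conf, then defaultsearchbase in slapd.conf), written as a pre-creation check; this is an added example, not part of the original message and not krb5 or OpenLDAP code. The function names and the sample file contents are constructed for illustration, and the check reads only the two config texts passed to it.

```python
import shlex

def directives(text):
    """Yield (keyword, args) per logical line of an OpenLDAP config text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and logical:  # slapd.conf continuation line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        parts = shlex.split(line)         # honours "quoted arguments"
        yield parts[0].lower(), parts[1:]

def client_base(ldap_conf):
    """Value of the last BASE line in ldap.conf text (keyword case-insensitive)."""
    base = ""
    for key, args in directives(ldap_conf):
        if key == "base":
            base = " ".join(args)
    return base

def server_default_base(slapd_conf):
    """defaultsearchbase from the global part of slapd.conf text, or ""."""
    for key, args in directives(slapd_conf):
        if key in ("backend", "database"):
            break                         # global options end here
        if key == "defaultsearchbase" and args:
            return args[0]
    return ""

def effective_search_base(subtree, ldap_conf, slapd_conf):
    """Return (base, source) that a realm's principal search would use."""
    for base, source in ((subtree, "-subtree"),
                         (client_base(ldap_conf), "ldap.conf BASE"),
                         (server_default_base(slapd_conf), "slapd.conf defaultsearchbase")):
        if base:
            return base, source
    return "", "unset"

# Constructed sample files (hypothetical contents).
LDAP_CONF = "# client defaults\nURI ldap://localhost\n"
SLAPD_CONF = 'include /etc/ldap/schema/core.schema\ndatabase bdb\nsuffix "dc=example,dc=com"\n'
SLAPD_CONF_FIXED = 'defaultsearchbase "dc=example,dc=com"\n' + SLAPD_CONF

if __name__ == "__main__":
    for conf in (SLAPD_CONF, SLAPD_CONF_FIXED):
        base, source = effective_search_base("", LDAP_CONF, conf)
        print(f"{base} (from {source})" if base else 'WARNING: search base is ""')
```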


