my first experiment with ldap back end

Praveenkumar Sahukar psahukar at novell.com
Wed Jun 7 06:47:18 EDT 2006


>>> On Tue, Jun 6, 2006 at 12:39 AM, in message
<5043A0A4-80F9-46AC-96D6-A3A7F2947F1F at MIT.EDU>, Ken Raeburn
<raeburn at MIT.EDU> wrote:
> On Jun 5, 2006, at 5:25, Savitha R wrote:
>>> First problem: Syntax where?  What entry?  Okay, yeah, the error
>>> messages from the krb5 code are pretty poor, but that's no reason to
>>> continue the, um, tradition.
>>
>> Need to look into this. Debug message from slapd would help.
>
> Okay, I'll check further.

This problem is fixed. 

>
>>> At this point it stopped; after 10 seconds or so I interrupt it (I'm
>>> running it under gdb), and it seems to be stalled in the LDAP code
>>> (problem #3):
>>
>> We had faced this problem with 2.2.6-37.35 version of openldap. There
>> seems to be some issue in unbinding when multiple handles are
>> created to the LDAP server.  The problem disappeared when the
>> openldap client was upgraded.
>
> This is 2.2.23, which is what's shipped in the current Debian release
> (3.1).  What version do we need?  It would be poor if we can't work
> with what vendors are shipping, and if we can't detect a broken
> version (by version number if nothing else).
>
>> This problem should not occur if the realm is associated with a
>> subtree. While destroying a realm, the principals belonging to the
>> realm are deleted. The principals are searched under the subtree
>> which is associated with the realm. If no subtree is associated, the
>> search base will be "".
>
> Ah, the -subtree option to kdb5_ldap_util create.
>
>> If the searchbase is "", the ldap client tries to pick up the search
>> base from the BASE option in ldap.conf file. If the client sends the
>> searchbase as "", the server can be configured to take a default
>> search base by setting the defaultsearchbase in slapd.conf file on
>> the server.
>
> So I need either a subtree at creation time, or a defaultsearchbase
> specification.  Is there a way to warn at realm creation time if the
> defaultsearchbase is not set properly?

The realm can be created from any node. The slapd.conf will only be
present on the LDAP server node. So getting the information may not be
possible.

-Praveen Kumar
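
The search-base fallback discussed in this thread, as an added example that is not part of the original message or of the krb5 code: a client-side check that reports which search base a realm operation would end up with and warns when it falls through to the server. The function names and the sample ldap.conf contents are constructed for illustration, and it assumes a later BASE line overrides an earlier one.

```python
def ldap_conf_base(conf_text):
    """Return the BASE value from ldap.conf text, or None if it is not set."""
    base = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no options
        parts = line.split(None, 1)
        # ldap.conf option names are case-insensitive; values are not.
        if parts[0].upper() == "BASE":
            # Assumption: a later BASE line overrides an earlier one.
            base = parts[1].strip() if len(parts) > 1 else ""
    return base or None


def effective_search_base(subtree, conf_text):
    """Return (base, source, warning) following the order given in the thread:
    realm subtree first, then BASE from the client's ldap.conf, then whatever
    the server applies through defaultsearchbase in slapd.conf."""
    if subtree:
        return subtree, "subtree", None
    base = ldap_conf_base(conf_text)
    if base:
        return base, "ldap.conf", None
    warning = ('no subtree and no BASE in ldap.conf: the search base sent is ""; '
               "the result depends on defaultsearchbase in slapd.conf, "
               "which cannot be read from this node")
    return "", "server", warning


# Constructed sample ldap.conf contents (not taken from any real host).
SAMPLE_WITH_BASE = """\
# client defaults
URI   ldap://ldap.example.com
base  dc=example,dc=com
"""

SAMPLE_NO_BASE = """\
URI   ldap://ldap.example.com
#BASE dc=example,dc=com
"""

if __name__ == "__main__":
    for subtree, conf in [("ou=krb,dc=example,dc=com", SAMPLE_WITH_BASE),
                          ("", SAMPLE_WITH_BASE),
                          ("", SAMPLE_NO_BASE)]:
        base, source, warning = effective_search_base(subtree, conf)
        print(f"base={base!r} source={source}" + (f" WARNING: {warning}" if warning else ""))
```
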