Difference between kerberos.openldap.ldif and kerberos.ldif; why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H

Fri Aug 30 16:53:48 EDT 2019

Hello,

• what is the difference between
krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema ,
krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif and
krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif ?

https://web.mit.edu/kerberos/krb5-devel/doc/admin/advanced/ldapbackend.html suggests doing conversions and replacing
some text in the intermediate file to “dn: cn=kerberos,cn=schema,cn=config cn: kerberos” - a single line, but it likely
means two lines:

dn: cn=kerberos,cn=schema,cn=config
cn: kerberos

Why doesn’t MIT Kerberos provide a schema file, that can be directly used, but one has to convert kerberos.schema with
slaptest and then edit the file?

In fact, instead of the schema conversion described at the link above, I did
  include: krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif
and compared the results.  They are the same.  So why is kerberos.openldap.ldif not recommended, instead of converting
kerberos.schema?

• On the system I am testing, 

kdb5_ldap_util -D A1 -w A2 create -r X

correctly uses ldapi://var/run/ldapi to connect. Why do I have to pass -H in order to see the domains:

kdb5_ldap_util -H ldapi://%2Fvar%2Frun%2Fldapi list
XYZ - correct answer
? 

kdb5_ldap_util list     prints:
kdb5_ldap_util: Cannot bind to LDAP server 'ldapi://' as 'uid=admin_kdc,cn=krbContainer': Can't contact LDAP server
while initializing database

It connects to /usr/local/var/run/ldapi, after reading the URI both from /usr/local/etc/openldap/ldap.conf and from
~/.ldaprc and both latter files contain "URI ldapi://%2Fvar%2Frun%2Fldapi
SASL_MECH EXTERNAL"

In kdc.conf I have
[dbdefaults]
ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi
ldap_kerberos_container_dn = cn=krbContainer                                                                        
ldap_kdc_dn = uid=admin_kdc,cn=krbContainer
ldap_kadmind_dn = uid=admin_kdc,cn=krbContainer
##  ldap_kadmind_dn = cn=kadmin,c=kerberos
ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash

[dbmodules]
LDAP = {
  db_library = kldap
}

and the default realm uses DB2 backend.

• The documentation at https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html#dbdefaults suggests,
that if ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi is in the [dbdefaults] section, then it does not have to be listed
in a module within [dbmodules].  I cannot confirm this.  If I have ldap_servers only in dbdefaults, then “kadmin.local
-r X ” cannot find the socket to connect, until I add ldap_servers to [dbmodules] LDAP={..}.

• Once I have created a domain in the (open)ldap backend, ldap_kerberos_container_dn = cn=krbContainer, in a way that
“kdb5_ldap_util -H ldapi://%2Fvar%2Frun%2Fldapi  list” does list the test domain and "kadim.local -r X" let me add
principals, how can I query with ldapsearch the cn=krbContainer namespace to see what is there?

ldapsearch -b "cn=krbcontainer" -s children shows 32 No such object.

Thanks in advance
  Dilyan