Why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H

Дилян Дилян
Fri Sep 6 11:43:15 EDT 2019

Hello Greg,

thanks for your replay.  I got it somehow on Monday, two days after you sent it.

• The documentation at https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html#dbdefaults suggests,
> > that if ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi is in the [dbdefaults] section, then it does not have to be listed
> > in a module within [dbmodules].  I cannot confirm this.
> This appears to be a long-standing documentation error.  I will correct
> the documentation to remove ldap_servers from the list of LDAP variables
> which can appear in [dbdefaults].

Alright.  While “kdb5_ldap_util create -r Y.EXAMPLE” does take the ldap address from the ldap_servers setting for the
realm/domain, so no -H parameter is necessary, how is “kdb5_ldap_util list” supposed to obtain the address of the
ldap_server to connect to?  Does it use, if -H is missing, the ldap_server of the default domain?


More information about the krbdev mailing list