[35841] in Kerberos


Re: kdb5_ldap_util create fails

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Mar 8 15:51:46 2014

Message-ID: <531B82D5.7050807@mit.edu>
Date: Sat, 08 Mar 2014 15:51:33 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Tobias Hachmer <tobias@hachmer.de>, kerberos@mit.edu
In-Reply-To: <3873755.Echvvdaxdu@tobias-pc>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 03/08/2014 12:26 PM, Tobias Hachmer wrote:
> kdb5_ldap_util: Kerberos Container create FAILED: Object class
> violation while creating realm 'EXAMPLE.COM'

I was able to reproduce this with a setup similar to yours, using
OpenLDAP 2.4.28-1.1ubuntu4.4.  It doesn't appear to like seeing an
'ou' attribute in the DN of a krbContainer object:

> Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_required entry (ou=mit-kerberos,dc=example,dc=com), objectClass "krbContainer"
> Mar 07 16:34:32 ldapkerberos slapd[959]: Entry (ou=mit-kerberos,dc=example,dc=com), attribute 'ou' not allowed

If I use a cn= as the first element of the container DN, it works.
Since krbContainer is defined in the schema with attributes "MUST ( cn
)" and nothing else, this may be expected behavior.

> I have set up a test machine with debian wheezy (kerberos version
> 1.10.1). With the krb5_ldap_util here everything works fine.

I could produce the same behavior with krb5 1.10, so I don't think
there has been a relevant change on our side.  Perhaps there is a
different OpenLDAP version on the test machine?  Did you use all of
the same DNs?
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
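A small model of the slapd object class check that Greg describes, added here as an illustration and not code from the thread, from krb5 or from OpenLDAP. It assumes a simplified schema in which krbContainer is "MUST ( cn )" with no MAY attributes, and an entry carrying only an objectClass attribute; slapd treats the RDN's naming attribute as part of the entry, which is why an ou= container DN is rejected while cn= passes.

```python
"""Model of why 'ou=...' fails as the RDN of a krbContainer entry.

slapd checks that every attribute of an entry, including the naming
attribute taken from its RDN, is allowed (MUST or MAY) by the entry's
object classes.  krbContainer is defined as MUST ( cn ) and nothing
else, so a DN starting with ou= introduces an attribute the class does
not permit.  Constructed, simplified schema and entries; not the real
slapd implementation.
"""

# objectClass -> (MUST attributes, MAY attributes), names lower-cased on use.
SCHEMA = {
    "top": ({"objectClass"}, set()),
    "krbContainer": ({"cn"}, set()),               # as in kerberos.schema
    "organizationalUnit": ({"ou"}, {"description"}),  # for comparison only
}


def rdn_attribute(dn):
    """Return the attribute type of the first RDN, e.g. 'ou' for ou=x,dc=y."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[0].strip().lower()


def check_entry(dn, attributes):
    """Return the violations slapd would report for this DN and attribute set.

    attributes maps attribute type -> list of values and does not need to
    include the RDN attribute; slapd derives that from the DN itself.
    """
    present = {name.lower() for name in attributes}
    present.add(rdn_attribute(dn))
    must, may = set(), set()
    for oc in attributes.get("objectClass", []):
        oc_must, oc_may = SCHEMA[oc]
        must |= {a.lower() for a in oc_must}
        may |= {a.lower() for a in oc_may}
    violations = [f"missing required attribute '{a}'" for a in sorted(must - present)]
    violations += [f"attribute '{a}' not allowed" for a in sorted(present - must - may)]
    return violations


if __name__ == "__main__":
    container = {"objectClass": ["top", "krbContainer"]}
    for dn in ("ou=mit-kerberos,dc=example,dc=com", "cn=mit-kerberos,dc=example,dc=com"):
        print(dn, "->", check_entry(dn, container) or "OK")
```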
