On 8/20/25 23:43, Travis Bean wrote:
“Cannot bind to LDAP server ldapi:/// as
‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
- while initializing database.”

This means libkdb_ldap called ldap_sasl_bind_s() and got back an LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP server didn't match the password from the service stash file.

I looked at the script you linked and didn't find any obvious problems, but there might be more information in the slapd log. My next step after that would be to use gdb to debug through first the MIT krb5 side (making sure it read the expected password) and then slapd, after building both components from source with -g and no -O option. It may be easier to debug the MIT krb5 side if you can reproduce the problem with kadmin.local.

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
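
Added example, not part of the original message or of MIT krb5: a quick check of whether the service stash file holds the password you expect for the bind DN, before reaching for gdb. It assumes the stash format written by `kdb5_ldap_util stashsrvpw` (one `<dn>#{HEX}<hex password>` entry per line, `#` comment lines, DN compared case-insensitively); the function names and the sample stash content are constructed for illustration.

```python
import binascii
import hmac

KDC_DN = "cn=kdc-srv,cn=krbContainer,dc=example,dc=local"

# Constructed sample stash content; both passwords are made up.
SAMPLE_STASH = (
    "# constructed sample, not a real stash file\n"
    "cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}" + b"adm-pw".hex() + "\n"
    + KDC_DN + "#{HEX}" + b"s3cret-kdc".hex() + "\n"
)


def stashed_password(stash_text, bind_dn):
    """Return the decoded password bytes stashed for bind_dn, or None if absent."""
    wanted = bind_dn.strip().casefold()
    for line in stash_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        dn, sep, value = line.partition("#")
        if not sep or dn.strip().casefold() != wanted:
            continue  # entry for some other service DN
        if not value.startswith("{HEX}"):
            raise ValueError("entry for %s is not {HEX}-encoded" % bind_dn)
        try:
            return binascii.unhexlify(value[len("{HEX}"):])
        except binascii.Error as exc:
            raise ValueError("corrupt hex in entry for %s" % bind_dn) from exc
    return None


def check_stash(stash_text, bind_dn, expected_password):
    """Classify the stash entry as 'no-entry', 'mismatch' or 'match'."""
    stashed = stashed_password(stash_text, bind_dn)
    if stashed is None:
        return "no-entry"
    # Constant-time compare, so the check itself does not leak the secret.
    if hmac.compare_digest(stashed, expected_password.encode()):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    # Report only the verdict, never the decoded password.
    print(check_stash(SAMPLE_STASH, KDC_DN, "s3cret-kdc"))
```

A "match" here while the bind still fails points at the password stored for that DN in slapd rather than at the stash file; "no-entry" means the DN in the krb5 configuration and the DN in the stash file do not agree.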
