Kent Nasveschuk wrote:
> Although I specified in slapd.conf on the slave servers:
> moduleload /opt/openldap-2.3.39/lib/smbk5pwd.la
> I omitted:
> overlay smbk5pwd
> I'm guessing slapd never passed credentials to KDC, hence the (49) error
> code.

The README states quite clearly that the overlay evaluates the Kerberos keys
stored in the LDAP entry. It never talks to the KDC; there's no reason to
since the KDC's data all resides in the LDAP entry. As I said in my first
reply to you - it only works if you actually configure it.

> 1 more question, how does the smbk5pwd module handle a Kerberos password
> that is expired? Is there a specific error code? I suppose I could
> expire one then try it.

I guess you're talking about the krb5PasswordEnd attribute. The overlay does
not check this at all.

> 2 days of wrestling with this, finally got it to work.

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
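
The misconfiguration discussed in this thread (module loaded, overlay never configured) can be caught before deployment with a small slapd.conf check. This is an added example, not part of the original message and not OpenLDAP code; the function names, the sample suffix and the database type are assumptions made for illustration.

```python
import os

def logical_lines(text):
    """Yield slapd.conf directives with comments dropped and continuations joined."""
    current = None
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and raw.strip() and current is not None:
            current += " " + raw.strip()  # leading whitespace continues the previous line
            continue
        if current:
            yield current
        current = raw.strip() or None
    if current:
        yield current

def audit_overlay(conf_text, name="smbk5pwd"):
    """Report whether module `name` is loaded and where it is configured as an overlay."""
    loaded, section, active, n_db = False, "global", [], 0
    for line in logical_lines(conf_text):
        key, *args = line.split()
        key = key.lower()
        if not args:
            continue
        if key == "moduleload":
            # Accept a bare module name or a path ending in name.la / name.so
            loaded = loaded or os.path.basename(args[0]).split(".")[0] == name
        elif key == "database":
            n_db += 1
            section = f"database#{n_db} ({args[0]})"
        elif key == "overlay" and args[0].lower() == name and section not in active:
            active.append(section)  # overlay applies to the section it appears in
    finding = None
    if loaded and not active:
        finding = f"{name} is loaded but no 'overlay {name}' line configures it"
    return {"loaded": loaded, "active_in": active, "finding": finding}

# Constructed sample configs; the suffix and database type are placeholders.
SLAVE_AS_POSTED = """\
moduleload /opt/openldap-2.3.39/lib/smbk5pwd.la
database bdb
suffix "dc=example,dc=com"
"""
SLAVE_FIXED = SLAVE_AS_POSTED + "overlay smbk5pwd\n"

if __name__ == "__main__":
    for label, conf in (("as posted", SLAVE_AS_POSTED), ("fixed", SLAVE_FIXED)):
        print(label, audit_overlay(conf))
```

The check only covers the moduleload/overlay pairing; as the reply notes, the overlay does not evaluate krb5PasswordEnd, so password expiry has to be verified separately.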