Pierangelo Masarati wrote:
> That sounds like a bug. In fact, {K5KEY} is loaded by smbk5pwd, so if in slapd.conf you correctly load the module __before__ using password-hash, things work as expected. However, when the configuration is loaded from the back-config database, modules are loaded __after__ the global entry, which contains password-hash. Apparently, checking the value of the password-hash attribute must be deferred to __after__ loading the entire configuration. This might be true in general. I suggest you file an ITS for this issue http://www.openldap.org/its/.

If it's a general problem, then we're going to need to re-shuffle the layout of the cn=config tree so that global directives are processed after any modules are loaded. But I think password mechs are the only item that can be registered at runtime that currently have a problem.