Although I specified in slapd.conf on the slave servers:
moduleload /opt/openldap-2.3.39/lib/smbk5pwd.la
I omitted:
overlay smbk5pwd
I'm guessing slapd never passed credentials to KDC, hence the (49) error code.
1 more question, how does the smbk5pwd module handle a Kerberos password that is expired? Is there a specific error code? I suppose I could expire one then try it.
2 days of wrestling with this, finally got it to work.
Kent Nasveschuk wrote:
> Although I specified in slapd.conf on the slave servers:
> moduleload /opt/openldap-2.3.39/lib/smbk5pwd.la
> I omitted:
> overlay smbk5pwd
> I'm guessing slapd never passed credentials to KDC, hence the (49) error code.
The README states quite clearly that the overlay evaluates the Kerberos keys stored in the LDAP entry. It never talks to the KDC; there's no reason to since the KDC's data all resides in the LDAP entry. As I said in my first reply to you - it only works if you actually configure it.
> 1 more question, how does the smbk5pwd module handle a Kerberos password that is expired? Is there a specific error code? I suppose I could expire one then try it.
I guess you're talking about the krb5PasswordEnd attribute. The overlay does not check this at all.
> 2 days of wrestling with this, finally got it to work.
openldap-software@openldap.org
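The mistake in the thread, a moduleload line with no matching overlay line, is easy to make and easy to check for. The script below is an added example, not code from the OpenLDAP project or from either poster: it parses a slapd.conf (OpenLDAP 2.3 syntax, with moduleload at global level and overlay directives per database, as assumed here) and reports overlay modules that are loaded but never enabled. The two config texts are constructed samples: the first reproduces the slave-server config described above, the second adds the missing overlay directive. The paths and suffix are assumptions.

```python
"""Report overlays that slapd.conf loads with moduleload but never enables.

Added example, not code from the OpenLDAP project or the thread.
Assumptions: OpenLDAP 2.3 slapd.conf syntax (moduleload is global, overlay
directives belong to the database section they follow), and that the
smbk5pwd module name matches its overlay name.
"""
import os
import re
import shlex

# Constructed sample: module loaded, overlay never enabled (the slave-server config).
BROKEN_CONF = """\
include         /opt/openldap-2.3.39/etc/openldap/schema/core.schema
modulepath      /opt/openldap-2.3.39/lib
moduleload      /opt/openldap-2.3.39/lib/smbk5pwd.la

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/openldap-data
"""

# Constructed sample: same config with the overlay actually enabled for the database.
FIXED_CONF = BROKEN_CONF + """\
overlay         smbk5pwd
"""


def _directives(conf):
    """Yield (directive, args) with comments and blank lines dropped.

    A line starting with whitespace continues the previous directive, as
    slapd.conf(5) specifies. Directive names are case-insensitive.
    """
    lines = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    for line in lines:
        parts = shlex.split(line)  # handles the quoted suffix/rootdn values
        if parts:
            yield parts[0].lower(), parts[1:]


def loaded_modules(conf):
    """Module names pulled in by moduleload: '/x/y/smbk5pwd.la' -> 'smbk5pwd'."""
    names = set()
    for directive, args in _directives(conf):
        if directive == "moduleload" and args:
            base = os.path.basename(args[0])
            names.add(re.sub(r"\.(la|so)$", "", base))
    return names


def enabled_overlays(conf):
    """Map overlay name -> list of database types whose section enables it."""
    found = {}
    context = "(global)"  # overlay lines seen before any database directive
    for directive, args in _directives(conf):
        if directive == "database" and args:
            context = args[0].lower()
        elif directive == "overlay" and args:
            found.setdefault(args[0].lower(), []).append(context)
    return found


def missing_overlays(conf, overlay_modules=("smbk5pwd",)):
    """Overlay modules that are moduleload'ed but have no 'overlay <name>' line.

    Loading the .la only makes the code available; without the overlay
    directive slapd never invokes it, so binds fall through to the plain
    userPassword check and fail with invalidCredentials (49).
    """
    loaded = loaded_modules(conf)
    enabled = enabled_overlays(conf)
    return sorted(m for m in overlay_modules if m in loaded and m not in enabled)


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, "- loaded but not enabled:", missing_overlays(conf) or "none")
```

Note that the check is deliberately limited to names you pass as overlay_modules: backends such as back_bdb.la are also loaded with moduleload but are enabled with a database directive, not an overlay directive, so they must not be flagged. This only verifies that the overlay is wired in; as the reply points out, whether a bind then succeeds depends on the Kerberos keys stored in the entry itself, and the overlay does not consult krb5PasswordEnd.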