[39539] in Kerberos


Re: bind to LDAP server produces "invalid credentials" error

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Aug 21 13:56:40 2025

Message-ID: <2696e2f7-43be-4745-843f-f0264769b263@mit.edu>
Date: Thu, 21 Aug 2025 13:56:27 -0400
MIME-Version: 1.0
To: Travis Bean <tbean74@gmail.com>, kerberos@mit.edu
Content-Language: en-US
From: "Greg Hudson" <ghudson@mit.edu>
In-Reply-To: <CAFk47JhihapGzET44=pOcnfpjoBy8g-EK_X_1VYggNYxK=beKg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 8/20/25 23:43, Travis Bean wrote:
> “Cannot bind to LDAP server ldapi:/// as
> ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
> - while initializing database.”

This means libkdb_ldap called ldap_sasl_bind_s() and got back an 
LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP 
server didn't match the password from the service stash file.

I looked at the script you linked and didn't find any obvious problems, 
but there might be more information in the slapd log.  My next step 
after that would be to use gdb to debug through first the MIT krb5 side 
(making sure it read the expected password) and then slapd, after 
building both components from source with -g and no -O option.  It may 
be easier to debug the MIT krb5 side if you can reproduce the problem 
with kadmin.local.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
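
Added example, not part of the message above and not MIT krb5 code: a Python check of which password libkdb_ldap would read for a bind DN before reaching for gdb. It assumes the service stash file written by `kdb5_ldap_util stashsrvpw` holds one `DN#{HEX}<hex password>` record per line; the sample file, the `cn=adm-srv` entry and both passwords are constructed.

```python
import binascii

# Constructed sample stash file. The kdc-srv DN is the one from the error
# message; the adm-srv entry and both passwords are made up for this example.
SAMPLE_STASH = (
    "# constructed sample, not a real stash file\n"
    "cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}61646d2d7077\n"
    "cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}7333637265742d6b6463\n"
)

def stash_password(stash_text, bind_dn):
    """Return the password bytes stored for bind_dn, or raise ValueError."""
    for raw in stash_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":        # blank line or comment
            continue
        dn, sep, value = line.partition("#")   # the DN ends at the first '#'
        if not sep or dn.lower() != bind_dn.lower():
            continue                           # DN match is case-insensitive
        if not value.startswith("{HEX}"):
            raise ValueError("entry found, but the value is not {HEX}-encoded")
        try:
            return binascii.unhexlify(value[5:])
        except binascii.Error as exc:
            raise ValueError(f"entry found, but the hex is malformed: {exc}")
    raise ValueError(f"no stash entry for {bind_dn!r}")

def password_report(pw):
    """Describe the decoded password without printing the secret itself."""
    return {
        "length": len(pw),
        # A stray newline or space stashed with the password breaks the bind.
        "edge_whitespace": pw != pw.strip(),
        "non_printable": any(b < 0x20 or b > 0x7E for b in pw),
    }

if __name__ == "__main__":
    dn = "cn=kdc-srv,cn=krbContainer,dc=example,dc=local"
    print(password_report(stash_password(SAMPLE_STASH, dn)))
```

To reproduce the bind outside krb5, write the returned bytes to a mode-0600 file with no trailing newline and run `ldapwhoami -x -H ldapi:/// -D <bind DN> -y <file>`.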

