[39541] in Kerberos
bind to LDAP server produces "invalid credentials" error
daemon@ATHENA.MIT.EDU (Travis Bean)
Fri Aug 22 12:52:10 2025
From: Travis Bean <tbean74@gmail.com>
Date: Fri, 22 Aug 2025 09:52:48 -0700
Message-ID: <CAFk47JjLGggUJHbkGUcJDqjBijYnrESqdPg+nUjVxUS6aa7Ocw@mail.gmail.com>
To: kerberos@mit.edu
On Thu, Aug 21, 2025 at 10:56 AM Greg Hudson <ghudson@mit.edu> wrote:
>
> On 8/20/25 23:43, Travis Bean wrote:
> > “Cannot bind to LDAP server ldapi:/// as
> > ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
> > - while initializing database.”
>
> This means libkdb_ldap called ldap_sasl_bind_s() and got back an
> LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP
> server didn't match the password from the service stash file.

I found out that krb5-admin-server is failing with the exact same
error as krb5-kdc. This time krb5-admin-server references
cn=adm-srv,cn=krbContainer,dc=example,dc=local, which is referenced in
my krb5.conf as ldap_kadmind_dn as well as referenced by
kdb5_ldap_util for my service stash file.

When attempting to start krb5-admin-server and krb5-kdc, syslog
doesn't log anything substantial—it only logs "Failed with result
'exit-code'."

If this is a problem with my service stash file, how do I fix this? I
double-checked the kdb5_ldap_util syntax for creating the service
stash file, and there are no errors on my part.

My OpenLDAP/Kerberos code used to work just fine in the past. My test
Bash script is part of a larger project located at
launchpad.net/linuxha. Nothing substantial has changed with my
OpenLDAP/Kerberos Bash code for LinuxHA. In fact, all minor changes,
such as an upgraded krb5.conf, were rolled back to a previous revision
for testing, but to no avail.

Kind regards,

Travis Bean
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
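
Added example, not part of the original post and not MIT krb5 code: an offline check of the diagnosis quoted above, comparing the password held in the service stash file with the bind DN's userPassword value. It assumes the stash line format `<bind DN>#{HEX}<hex password>` and an OpenLDAP `{SSHA}` userPassword hash; the function names and the sample data are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac


def stash_password(stash_text, bind_dn):
    """Return the password bytes stashed for bind_dn, or None if absent.

    Assumed line format: <bind DN>#{HEX}<hex-encoded password>
    """
    for line in stash_text.splitlines():
        dn, sep, value = line.strip().partition("#")
        if not sep or dn.lower() != bind_dn.lower():
            continue
        if not value.startswith("{HEX}"):
            raise ValueError("unsupported stash encoding for " + dn)
        return binascii.unhexlify(value[len("{HEX}"):])
    return None


def matches_ssha(password, user_password):
    """Check password bytes against an {SSHA} userPassword value."""
    if not user_password.startswith("{SSHA}"):
        raise ValueError("only {SSHA} values are handled here")
    raw = base64.b64decode(user_password[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest, then the salt
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def diagnose(stash_text, bind_dn, user_password):
    """Return 'no stash entry', 'match' or 'mismatch'; never the password."""
    password = stash_password(stash_text, bind_dn)
    if password is None:
        return "no stash entry"
    return "match" if matches_ssha(password, user_password) else "mismatch"


if __name__ == "__main__":
    # Constructed sample data: the stash and the directory disagree.
    dn = "cn=kdc-srv,cn=krbContainer,dc=example,dc=local"
    stash = dn + "#{HEX}" + b"stashed-pw".hex() + "\n"
    salt = b"\x01\x02\x03\x04"
    digest = hashlib.sha1(b"directory-pw" + salt).digest()
    entry = "{SSHA}" + base64.b64encode(digest + salt).decode()
    print(dn, "->", diagnose(stash, dn, entry))
```

Feed it the stash file contents and the userPassword value read from the directory entry (base64-decode it first if ldapsearch printed it with `::`). A `mismatch` result corresponds to the LDAP_INVALID_CREDENTIALS case described in the reply.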