How to set up Kerberos with OpenLDAP backend

@ahasenack I followed the slapd guide step by step, then did the Kerberos backend with your guide, and everything was going well until that last part of the modification, which gave me an error; the previous ones were modified without problems.

Nothing else jumps to mind. Enable logging as explained in the "Logging" section at https://ubuntu.com/server/docs/service-ldap and then inspect /var/log/syslog and see if that gives more clues about the problem.

@ahasenack ok, I'll try that and I'll let you know if it works or not.

@ahasenack good morning, I have not solved the error yet, but here is what I get in syslog, in case it helps you help me.

Feb 22 13:38:50 pzosdgstldaptest slapd[814]: conn=1148 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
Feb 22 13:38:50 pzosdgstldaptest slapd[814]: conn=1148 op=0 RESULT tag=97 err=0 qtime=0.000131 etime=0.000512 text=
Feb 22 13:38:50 pzosdgstldaptest slapd[814]: conn=1148 op=1 MOD dn="olcDatabase={1}mdb,cn=config"
Feb 22 13:38:50 pzosdgstldaptest slapd[814]: conn=1148 op=1 MOD attr=olcAccess
Feb 22 13:38:50 pzosdgstldaptest slapd[814]: slapd: line 0: bad DN ""ou=People,dc=test,dc=cvg,dc=com"" in to DN clause
Feb 22 13:38:50 pzosdgstldaptest slapd[814]: ::= access to [ by [ ] [ ] ]+ #012 ::= * | dn[.=] [filter=] [attrs=]#012 ::= [val[/][.]=] | #012 ::= [ , ]#012 ::= | @ | ! | entry | children#012 ::= [ * | anonymous | users | self | dn[.]= ]#012#011[ realanonymous | realusers | realself | realdn[.]= ]#012#011[dnattr=]#012#011[realdnattr=]#012#011[group[/[/]][.]=]#012#011[peername[.]=] [sockname[.]=]#012#011[domain[.]=] [sockurl[.]=]#012#011[dynacl/[/][.][=]]#012#011[ssf=] [transport_ssf=] [tls_ssf=] [sasl_ssf=]#012 ::= exact | regex | base(Object)#012 ::= base(Object) | one(level) | sub(tree) | children | exact | regex#012 ::= exact | regex | base(Object) | one(level) | sub(tree) | children#012 ::= exact | regex | ip | ipv6 | path#012 ::= exact | regex | base(Object) | sub(tree)#012 ::= [[real]self]{|}#012 ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage#012 ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+#012 ::= [ stop | continue | break ]#012dynacl:#012#011=ACI#011=#012
Feb 22 13:38:50 pzosdgstldaptest slapd[814]: conn=1148 op=1 RESULT tag=103 err=80 qtime=0.000221 etime=0.001709 text= handler exited with 1
Feb 22 13:38:50 pzosdgstldaptest slapd[814]: conn=1148 op=2 UNBIND
Feb 22 13:38:50 pzosdgstldaptest slapd[814]: conn=1148 fd=24 closed

@ahasenack good morning, I still have not been able to solve the error. Could you please help me with the problem?

Sorry, I'm very busy at the moment with the upcoming beta freeze for lunar. After that I can take another look.


@enriqueginnari09 I'm back on this now, sorry for the delay.

That can happen if you are adding an ACL (olcAccess) referencing a DN that does not exist. Maybe there is a typo? Or you just didn't create ou=People,dc=test,dc=cvg,dc=com yet? Looking back at our exchanges here in the comments, that's what I asked on Feb 15th actually.

Scratch that, I just added such an ACL to a non-existing DN and it worked just fine.
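The slapd log above echoes the DN with doubled quotes (`bad DN ""ou=People,...""`), which points at the quoting in the LDIF rather than at the directory contents. As an added example, not from the thread or from the Ubuntu guide, this Python checker unfolds an LDIF fragment and flags the quote faults that produce that message (doubled or typographic quotes around the DN in a `to dn...=` clause) plus a loose RDN syntax check; it assumes the doubled quotes in the log reflect the LDIF that was sent, and all sample LDIF values are constructed.

```python
import re

# Captures the DN text of a 'to dn[.style]=...' clause up to the next
# by/attrs/filter keyword or the end of the olcAccess value.
TO_DN_RE = re.compile(
    r'\bto\s+dn(?:\.(?:exact|regex|base|one|sub|subtree|children))?='
    r'(.*?)(?=\s+(?:by|attrs|filter)\b|$)')
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=.+$')  # loose attr=value check per RDN
CURLY = '\u201c\u201d\u2018\u2019'                   # quotes that web editors paste in

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(' ') and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def olc_access_values(ldif_text):
    """Return the unfolded olcAccess attribute values found in an LDIF fragment."""
    return [l.split(':', 1)[1].strip() for l in unfold_ldif(ldif_text)
            if l.startswith('olcAccess:')]

def check_to_dn(value):
    """Return the problems found in the 'to dn' clause(s) of one olcAccess value."""
    problems = []
    for m in TO_DN_RE.finditer(value):
        raw = m.group(1)
        if any(c in raw for c in CURLY):
            problems.append('typographic quotes in DN %r' % raw)
        if raw.startswith('""') or raw.endswith('""'):
            problems.append('doubled quotes in DN %r' % raw)
        dn = raw.strip('"' + CURLY)
        if not dn or not all(RDN_RE.match(r.strip()) for r in dn.split(',')):
            problems.append('malformed DN %r' % dn)
    return problems

def check_ldif(ldif_text):
    """Map each faulty olcAccess value to its problems; an empty dict means the DNs look sane."""
    result = {}
    for value in olc_access_values(ldif_text):
        problems = check_to_dn(value)
        if problems:
            result[value] = problems
    return result

# Constructed sample: an ACL for the ou=People subtree written with plain ASCII quotes.
GOOD_LDIF = """dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=People,dc=test,dc=cvg,dc=com"
  by dn.exact="cn=admin,dc=test,dc=cvg,dc=com" manage
  by * read
"""
# Constructed sample reproducing the doubled quoting slapd echoed in the log.
DOUBLED_LDIF = GOOD_LDIF.replace('"ou=People,dc=test,dc=cvg,dc=com"',
                                 '""ou=People,dc=test,dc=cvg,dc=com""')

if __name__ == '__main__':
    print('good:', check_ldif(GOOD_LDIF))
    print('doubled:', check_ldif(DOUBLED_LDIF))
```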