I've found and fixed my problem. Squeeze's krb5-kdc-ldap *does* have the
complete kerberos.schema (in /usr/share/doc), but dist-upgrading from
Lenny uses the pre-existing schema in /etc/ldap/schema when the
migration from slapd.conf to slapd.d takes place. I suggest adding a
note to NEWS.Debian to explain the need for a schema upgrade:

    MIT Kerberos >= 1.8 includes new principal lockout functionality not
    present in previous releases. If you are upgrading an existing LDAP
    backed Kerberos installation, you must use the new kerberos.schema.

To repair my existing installation, I found it easiest to revert to
classic configuration and replace /etc/ldap/schema/kerberos.schema (stop
slapd first). I realize I should probably use ldapmodify on cn=config
instead but I haven't found a practical way to "upgrade" schemas
(assuming this is supported at all).

Cheers,
Rob