This is the mappings from the looks very different from the replica

# ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <cn=mapping,cn=sasl,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# mapping, sasl, config
dn: cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: mapping

# Full Principal, mapping, sasl, config
dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@\(.*\)
cn: Full Principal
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)

# Name Only, mapping, sasl, config
dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: ^[^:@]+$
cn: Name Only
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=&@ITMODEV.GOV)

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

-----Original Message-----
From: Rob Crittenden [] 
Sent: Tuesday, November 10, 2015 1:26 PM
To: Gronde, Christopher (Contractor) <>; Rich 
Megginson <>;
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication 

Gronde, Christopher (Contractor) wrote:
> Is it possible to delete the mapping and try it and if it doesn't work or 
> breaks something else add it back?  How would I go about deleting this 
> mapping?  Or adding the mapping for principal name in the right order?

So what I'd do is this:

Do the same cn=mapping ldapsearch on the working master to see what the 
differences are. Determine if this is an ordering problem or if there is just 
extra gunk on this non-working master.

And compare the versions of 389-ds: rpm -q 389-ds-base. They should be the 
same. If not then maybe one supports the new ordering and one doesn't.


1. Stop dirsrv
2. cp dse.ldif dse.ldif.mappings
3. edit dse.ldif to match your findings. Either re-order the entries or remove 
ones you don't need (or both).
4. Start dirsrv
5. Start krb5kdc

Step 1 is super important because 389-ds writes dse.ldif on shutdown so all 
changes made while the service is running will be lost.

You can also do this via ldapmodify but it is far easier and less error prone 
to use your favorite editor in this case.
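As an added illustration of the comparison step above (this is example code written for this page, not something from the thread or from 389-ds/FreeIPA): the script parses two ldapsearch dumps of cn=mapping,cn=sasl,cn=config, reports extra, missing, re-ordered or changed nsSaslMapping entries, and then simulates which mapping would handle a given SASL user name. BROKEN_MASTER is the dump posted in the thread; WORKING_MASTER is a constructed dump with the same two mappings in the opposite order. It assumes the mappings are tried in the order the server lists them, that nsSaslMapRegexString is a POSIX regex whose `\(`...`\)` groups translate directly to Python groups, and that in the templates `&` expands to the whole matched string and `\1`..`\9` to the groups (the convention the thread's `&@ITMODEV.GOV` template relies on).

```python
import re

# Constructed sample input. BROKEN_MASTER is the mapping subtree as the thread's
# ldapsearch printed it on the server whose KDC will not start (the container
# entry and '#' comment lines are omitted; the parser skips them anyway).
# WORKING_MASTER is a constructed dump of a healthy master where the same two
# mappings are listed in the opposite order.
BROKEN_MASTER = r"""
dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@\(.*\)
cn: Full Principal
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)

dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: ^[^:@]+$
cn: Name Only
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=&@ITMODEV.GOV)
"""

WORKING_MASTER = r"""
dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: ^[^:@]+$
cn: Name Only
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=&@ITMODEV.GOV)

dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@\(.*\)
cn: Full Principal
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
"""

MAPPING_ATTRS = ("nsSaslMapRegexString", "nsSaslMapBaseDNTemplate", "nsSaslMapFilterTemplate")


def parse_ldif(text):
    """Parse an ldapsearch LDIF dump into [(dn, {attr: [values]})] in file order.
    Skips '#' comment lines and joins folded continuation lines (leading space).
    Base64 ('::') values are not decoded; the mapping entries never use them."""
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = last_attr = None
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current[1][last_attr][-1] += line[1:]  # folded line continues the value
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
        last_attr = attr if attr != "dn" else None
    if current is not None:
        entries.append(current)
    return entries


def sasl_mappings(text):
    """Only the nsSaslMapping entries, in the order the server listed them."""
    return [(dn, a) for dn, a in parse_ldif(text) if "nsSaslMapping" in a.get("objectClass", [])]


def diff_mappings(working, broken):
    """List how the broken server's mappings differ from the working server's:
    extra or missing entries, a different order, and changed regex/templates."""
    good, bad = sasl_mappings(working), sasl_mappings(broken)
    good_dns, bad_dns = [dn for dn, _ in good], [dn for dn, _ in bad]
    report = [f"extra on broken: {dn}" for dn in bad_dns if dn not in good_dns]
    report += [f"missing on broken: {dn}" for dn in good_dns if dn not in bad_dns]
    common_good = [dn for dn in good_dns if dn in bad_dns]
    common_bad = [dn for dn in bad_dns if dn in good_dns]
    if common_good != common_bad:
        report.append(f"order differs: working={common_good} broken={common_bad}")
    good_map, bad_map = dict(good), dict(bad)
    for dn in common_good:
        for attr in MAPPING_ATTRS:
            if good_map[dn].get(attr) != bad_map[dn].get(attr):
                report.append(f"{dn} {attr}: working={good_map[dn].get(attr)} broken={bad_map[dn].get(attr)}")
    return report


def posix_to_python(regex):
    """Assumption: nsSaslMapRegexString is a POSIX regex where \( \) are groups."""
    return regex.replace(r"\(", "(").replace(r"\)", ")")


def expand_template(template, match):
    """Assumed template semantics: '&' is the whole match, \1..\9 the groups."""
    out = template.replace("&", match.group(0))
    return re.sub(r"\\(\d)", lambda g: match.group(int(g.group(1))), out)


def resolve_principal(mappings, name):
    """Simulate in-order evaluation: the first regex that matches decides the
    (mapping dn, search base, search filter) the server would use; None if no
    mapping matches and the bind would therefore fail."""
    for dn, attrs in mappings:
        m = re.search(posix_to_python(attrs["nsSaslMapRegexString"][0]), name)
        if m is not None:
            base = expand_template(attrs["nsSaslMapBaseDNTemplate"][0], m)
            return dn, base, expand_template(attrs["nsSaslMapFilterTemplate"][0], m)
    return None


if __name__ == "__main__":
    for line in diff_mappings(WORKING_MASTER, BROKEN_MASTER) or ["mappings identical"]:
        print(line)
    for name in ("admin@ITMODEV.GOV", "admin", "host/web.itmodev.gov@ITMODEV.GOV", "bad:user"):
        print(name, "->", resolve_principal(sasl_mappings(BROKEN_MASTER), name))
```

Run it with the two real dumps pasted into the two constants (or read from files) and the report tells you whether you are looking at an ordering difference or at extra entries before you touch dse.ldif. The resolver is there so you can check, after editing, that a bare name and a full principal still land on the mapping you expect.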

