On 03/08/2014 12:26 PM, Tobias Hachmer wrote:
> kdb5_ldap_util: Kerberos Container create FAILED: Object class
> violation while creating realm 'EXAMPLE.COM'

I was able to reproduce this with a setup similar to yours, using OpenLDAP 2.4.28-1.1ubuntu4.4. It doesn't appear to like seeing an 'ou' attribute in the DN of a krbContainer object:

> Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_required entry (ou=mit-kerberos,dc=example,dc=com), objectClass "krbContainer"
> Mar 07 16:34:32 ldapkerberos slapd[959]: Entry (ou=mit-kerberos,dc=example,dc=com), attribute 'ou' not allowed

If I use a cn= as the first element of the container DN, it works. Since krbContainer is defined in the schema with attributes "MUST ( cn )" and nothing else, this may be expected behavior.

> I have set up a test machine with debian wheezy (kerberos version
> 1.10.1). With the krb5_ldap_util here everything works fine.

I could produce the same behavior with krb5 1.10, so I don't think there has been a relevant change on our side. Perhaps there is a different OpenLDAP version on the test machine? Did you use all of the same DNs?

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
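
The schema check behind the slapd log lines above, as an added example that is not part of the original message and is not krb5 or OpenLDAP code: it parses an object class description and reports naming attributes in a container DN that the class does not allow. Only "MUST ( cn )" comes from the thread; the OID is a placeholder, the SUP clause and all function names are assumptions, and attributes inherited from superior classes other than objectClass are ignored.

```python
import re

# Constructed schema text: only "MUST ( cn )" is taken from the thread.
# The OID 0.0.0 is a placeholder and the SUP clause is an assumption.
KRB_CONTAINER = "( 0.0.0 NAME 'krbContainer' SUP top MUST ( cn ) )"


def parse_objectclass(definition):
    """Return (name, must, may) from an RFC 4512 style object class description."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)

    def attrs(keyword):
        # Accept both "MUST ( a $ b )" and the single-attribute form "MUST a".
        m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|([\w-]+))", definition)
        if not m:
            return set()
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip().lower() for a in raw.split("$") if a.strip()}

    return name, attrs("MUST"), attrs("MAY")


def rdn_attributes(dn):
    """Attribute types named in the leftmost RDN of a DN ('+' joins a multi-valued RDN)."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    parts = re.split(r"(?<!\\)\+", first_rdn)
    return [p.split("=", 1)[0].strip().lower() for p in parts]


def check_container_dn(dn, definition=KRB_CONTAINER):
    """List naming attributes of dn that the object class does not permit.

    The RDN's attribute values are stored in the entry itself, so every
    naming attribute must appear in the class's MUST or MAY list.
    """
    name, must, may = parse_objectclass(definition)
    allowed = must | may | {"objectclass"}  # objectClass comes from 'top'
    return [f"attribute '{a}' not allowed by {name}"
            for a in rdn_attributes(dn) if a not in allowed]


if __name__ == "__main__":
    for dn in ("ou=mit-kerberos,dc=example,dc=com",
               "cn=mit-kerberos,dc=example,dc=com"):
        print(dn, "->", check_container_dn(dn) or "ok")
```
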