Comment # 15 on bug 1196526 from
Created attachment 857469
ldapsearch -b 'cn=schema' '(objectClass=*)' \* \+

(In reply to William Brown from comment #14)
> 
> I'm pretty sure the krb schema ships with 389-ds, so there should be no
> extra actions required to set this up.
> 
> If you can show me the output of "ldapsearch -H ldaps://<server url> -b
> 'cn=schema' '(objectClass=*)' \* \+ " that would help a bit. Similarly, the
> output of rpm -ql 389-ds
>

Yes, you are right. The Kerberos schema is included in the 389-ds package:

> tumbleweed:~ # rpm -ql 389-ds | grep -E 'krb|kerberos'
> /usr/share/dirsrv/data/60kerberos.ldif
> /usr/share/dirsrv/data/60krb5kdc.ldif

I think the problem here is that John created the directory instance without
using YaST, and then the Kerberos schema is not added. For example, when using
"dscreate interactive":

> tumbleweed:~ # ldapsearch -H ldaps://tumbleweed.test.net -b 'cn=schema' -D "CN=Directory Manager" -w <redacted> '(objectClass=*)' \* \+ | grep krb
> tumbleweed:~ #

If the directory instance is created by the yast-auth-server module, then it
should work.

> /src/lib/authserver/dir/ds389.rb:
> 
> ::FileUtils.copy('/usr/share/dirsrv/data/60kerberos.ldif', '/etc/dirsrv/slapd-' + instance_name + '/schema/60kerberos.ldif')

John, can you confirm your directory instance was not created using YaST and
that everything works after adding the top-level entry and the Kerberos schema
to it?

