Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
5 votes, 1 answer, 2613 views
Limit Openldap Transaction Log Disk Usage
Openldap (specifically version 2.4) stores transaction history in log files by default in the ldap data directory (so `/var/lib/ldap/log.###########`). Currently these log files take up a lot of space, are never removed automatically, and grow infinitely. Manual removal for old logs works fine, but I'd like to limit the amount of logs `slapd` keeps automatically.
# MY SCENARIO #
I know that these transaction logs are used to recover ldap in case of a catastrophic failure. In my scenario ldap is regularly wiped and populated via a script (this isn't used for system login accounts). Because of this I don't need to concern myself with recovery; in case of a failure it's acceptable to run the script again. On the other hand, the regular wipe/population of ldap includes a lot of transactions, so these transaction logs build up pretty quickly.
# LOGROTATE #
`logrotate` has potential here, but if the most recent transaction log is ever removed then `slapd` will fail to start (it will complain about needing to perform recovery). Because I can't rely on the log names (because `slapd` keeps many small logs, incrementing the log file number as it goes) I'd like to use the Berkeley DB settings which create these logs. I can count on the access/creation dates (most recent modify date is the most recent transaction log), but I'd still prefer to use Berkeley if possible.
# DB_CONFIG #
The settings for the transaction logs are said to be controlled by the Berkeley DB settings in `/var/lib/ldap/DB_CONFIG`. The example `DB_CONFIG` that comes with openldap specifies some transaction log settings:

```
set_lg_regionmax 262144
set_lg_bsize 2097152
```
According to the Oracle documentation on Berkeley:

> set_lg_regionmax: Set the size of the underlying logging area of the Berkeley DB environment, in bytes. The log region is used to store filenames, and so may need to be increased in size if a large number of files will be opened and registered with the specified Berkeley DB environment's log manager.
So this seems to just set the size of the file that tracks the transaction log files.
> set_lg_bsize: Set the size of the in-memory log buffer, in bytes.
This seems to control how much RAM is allotted to the transaction buffer.
The `log.###########` files in the ldap data directory are all `10485760` bytes, which seems to correspond closely to `set_lg_bsize` (10485760 / 5 = 2097152 = `set_lg_bsize`), though I'm not sure if this is a coincidence.
My interpretation of this is that `$lg_bsize` amount of transaction history is stored in memory at a time. When this limit is exceeded it pushes some of the transaction history to the most recent log file, and creates a new log if the current log reaches a certain size.
# DB_LOG_AUTOREMOVE #
According to the Berkeley documentation transaction logs can be removed by setting the flag `DB_LOG_AUTOREMOVE` in the `DB_CONFIG`.

> DB_LOG_AUTOREMOVE: If set, Berkeley DB will automatically remove log files that are no longer needed.

However when I added this to the `DB_CONFIG`:

```
set_flags DB_LOG_AUTOREMOVE
```

and restarted `slapd` I didn't notice a difference. I removed the old transaction logs and ran the ldap population script that I have, and was able to rack up 290MB in transaction logs. It still doesn't seem to be limiting the logs at all. The reason for this may be related to the phrase: *that are no longer needed*
# Actual Question #
How does one configure the automatic removal of `slapd`'s transaction logs using the Berkeley DB `DB_CONFIG` file?
Centimane (4520 rep), Oct 5, 2016, 05:14 PM • Last activity: Jul 30, 2025, 11:08 AM
9 votes, 1 answer, 16324 views
How to change password of LDAP user?
Is it possible to change password for logged in LDAP user using passwd command?
I have logged in to server1 as testuser. When trying to change the password for that same user (testuser) I got the error below.
```
[testuser@server1 ~]$ passwd
Changing password for user testuser.
(current) LDAP Password:
New password:
Retype new password:
password change failed: Insufficient access
passwd: Authentication token manipulation error
```
Sourav (1391 rep), Aug 15, 2016, 06:38 PM • Last activity: Jul 12, 2025, 02:10 PM
0 votes, 1 answer, 510 views
Auto-unlocking gnome-keyring does not work when using pam_sss
The Gnome Keyrings "Login" and "Default" are not unlocked automatically on my Linux Mint 22 machine.
This is an LDAP user account and login goes through `pam_sss.so` (SSSD). The journal seems to indicate that `pam_gnome_keyring.so` does not receive the entered password (`gkr-pam: no password is available for user`), but I do not understand why:
```
$ sudo journalctl -b | egrep -i 'keyring|pam'
Okt 11 17:24:16 promoter lightdm: gkr-pam: gnome-keyring-daemon started properly
Okt 11 17:24:17 promoter lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "fritz"
Okt 11 17:24:22 promoter lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=fritz
Okt 11 17:24:22 promoter lightdm: gkr-pam: no password is available for user
Okt 11 17:24:22 promoter lightdm: pam_unix(lightdm:session): session opened for user fritz(uid=30108) by (uid=0)
Okt 11 17:24:22 promoter lightdm: gkr-pam: gnome-keyring-daemon started properly
```
Here are the (hopefully) relevant sections of my PAM auth config. I could provide more, but I don't think that `common-account`, `common-session`, and `common-password` are relevant to this question:
```
$ cat /etc/pam.d/lightdm
#%PAM-1.0
auth requisite pam_nologin.so
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet.so
-auth optional pam_kwallet5.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#session required pam_loginuid.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet.so auto_start
-session optional pam_kwallet5.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password
```

```
$ cat /etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_sss.so
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth required pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config
```
###### Further observations:
* The journal message `gkr-pam: no password is available for user` also appears when unlocking the screensaver from source `cinnamon-screensaver-pam-helper`.
Fritz (748 rep), Oct 14, 2024, 08:36 AM • Last activity: Jun 24, 2025, 11:53 AM
3 votes, 1 answer, 2289 views
Get sudoers through LDAP (SUSE Linux Enterprise Server 12)
I have a problem with my LDAP configuration on SUSE Linux Enterprise Server 12.
As many of you know, the ldap.conf file has been replaced with sssd.conf and a couple of other conf files like nsswitch.conf.
I want to have authentication through LDAP, picking users from a specific OU. I also need to get the definition for sudoers through LDAP.
I have never worked with sssd before.
My current NSS configuration looks as follows:
```
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
passwd_compat: files
group_compat: files
sudoers: ldap files [I added this line]
```
And here is my sssd.conf:
```
[sssd]
config_file_version = 2
services = nss, pam
domains = *****
sbus_timeout = 30
[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
[domain/GuH]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_object_class = posixAccount
debug_level = 20
#access_provider = ldap
ldap_uri = ldap://******.de
ldap_search_base = o=***
create_homedir = truei
ldap_tls_cacert = /etc/sssd/certs/*******.pem
ldap_tls_cacertdir = /etc/sssd/certs
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=********,o=guh
ldap_default_authtok_type = *******
ldap_default_authtok = *********
ldap_user_member_of = *********
ldap_group_name = cn=*******,ou=*******,ou=******,o=******
```
Just assume the * are put in correctly.
Also, is there anything to do in a PAM config file? I have not seen anyone address it yet.
Meerkat (211 rep), Sep 14, 2016, 10:37 AM • Last activity: Jun 16, 2025, 05:00 AM
0 votes, 1 answer, 49 views
Change default ldap filters for system queries?
I have a bunch of AlmaLinux machines with SSSD configured to allow LDAP auth and it's working fine.
We have a very huge LDAP directory and some users got multiple entries following this schema.
```
dn: cn=John Dow,ou=randomgrp,ou=something,o=bla,c=xyz
ou: RANDOMGRP
uid: jdow@RANDOMGRP
uniqueidentifier: 123456
AccredOrder: 3
memberOf: special_group

dn: cn=John Dow,ou=primarygrp,ou=somewhere,o=bla,c=xyz
ou: PRIMARYGRP
uid: jdow
uid: jdow@PRIMARYGRP
uniqueidentifier: 123456
AccredOrder: 1
memberOf: special_group

dn: cn=John Dow,ou=anothergrp,ou=somehow,o=bla,c=xyz
ou: ANOTHERGRP
uid: jdow@ANOTHERGRP
uniqueidentifier: 123456
AccredOrder: 2
memberOf: special_group
```
This is the result of an `ldapsearch` query filtered on the `uniqueIdentifier` attribute. OU names can be different obviously, depending on the user.
The first problem I faced is that LDAP is returning the info of those 3 accounts in random order, letting in sometimes jdow, sometimes jdow@ANOTHERGRP or sometimes jdow@RANDOMGRP. I fixed the problem using this filter in my `sssd.conf` file:

```
ldap_access_filter = (&(memberof=special_group)(accredorder=1))
```

That only lets in users with `accredorder` set to 1 and it's working fine.
The problem I have now is when the system is querying the LDAP for its own business. Most of the time it's working fine, but as the LDAP is randomly returning one of the 3 accounts, the tool running on the machines sometimes gets `jdow@ANOTHERGRP` as the answer for the UID of the connected user when it was `jdow` one day before, and it messes up the software.
I don't know if my explanation is clear, but is there a way to filter "automatic" queries the system is making? Like an `ldapsearch.conf` where I could add default filters?
To summarize, I need to only get information for the account with the `accredorder` attribute set to 1 for all the queries the system would make.
Thanks for your help
darxmurf (1168 rep), Jun 3, 2025, 11:58 AM • Last activity: Jun 4, 2025, 05:24 AM
2 votes, 3 answers, 22739 views
sssd: AD user cannot login in RHEL 7
I can switch to the mentioned domain user with su command from the server, but ssh login is failing.
The user domain group is already added in sssd.conf file under "simple_allow_groups"
The errors in /var/log/secure appear as follows:
```
Jan 18 04:10:18 m1-vlp0006 sshd: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.35.x.x user=postl\u522660
Jan 18 04:10:18 m1-vlp0006 sshd: pam_sss(sshd:account): Access denied for user postl\u522660: 6 (Permission denied)
Jan 18 04:10:18 m1-vlp0006 sshd: Failed password for postl\\u522660 from 138.35.x.x port 57903 ssh2
Jan 18 04:10:18 m1-vlp0006 sshd: fatal: Access denied for user postl\\\\u522660 by PAM account configuration [preauth]
```
Understood that it says failed password. But in reality that is not the case: I am able to log in to other Windows machines with that domain user successfully, and I am entering the same credentials here as well. So my input credentials are correct, but I'm not sure why it is showing this. Further, I can see an authentication success initially, but it ends up with access denied. Is there any configuration missing to allow a particular AD user or group to log in to this server, other than adding the corresponding group of that user to "simple_allow_groups"?
configuration looks like below:
```
[root@xxx.xxxx.xxx ~]# realm list --all
POSTLl.xxxx.xxx
type: kerberos
realm-name: POSTL.xxxx.xxx
domain-name: POSTL.xxxx.xxx
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@POSTL.xxxx.xxx
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups: gu-adm-infra-unix-systems, gu-adm-esm%unix, gu-adm-epicon, domain%users
```
Prajith P (57 rep), Jan 18, 2019, 04:43 AM • Last activity: May 31, 2025, 12:07 AM
0 votes, 2 answers, 1974 views
how to configure Apache Directory Server without GUI
I am new to Apache Directory Server (apacheds-2.0.0-M23), and the official documentation about it is quite incomplete.
I know that it is possible to configure the server easily using the Apache Directory Studio GUI, but I want the server to be deployed on a remote server without a graphical interface, which means there is no way to use Apache Directory Studio.
I have tried to read this, then I created a new partition using Apache Directory Studio to see what files get created on the disk. Effectively, there are folders and .ldif files created with the attributes listed in the documentation. The problem here is that there are some auto-generated values for mandatory attributes such as entryCSN from this list for the file indexes.ldif.
So can someone tell me how to:
1. Add a partition, a JDBM one
2. Import an ldif file of entries under that partition
Philippe Simo (103 rep), Feb 6, 2017, 04:57 PM • Last activity: May 18, 2025, 01:04 AM
0 votes, 1 answer, 2325 views
getent only shows some of the users from ldap
I've a couple of Linux servers, one setup as a SAMBA AD (ubuntu 18.04), the other as a member server (ubuntu 16.04) setup as a file server.
It was working for a time, but now newer users created (successfully) on the AD server via users and computers (on a windows machine), are not able to use their credentials against the member server. Existing users can use their details normally, and this also syncs password updates etc.
These users are able to use their credentials directly against the AD, for example on login to a domain machine, but not to connect to the fileserver.
To demonstrate the problem fully, I can use `getent passwd` on the member server, and it gives me a list of users, but not the full list of users from AD. Any user created recently is missing.
How can I diagnose the issue?
N.b 1 - It's not a server I've setup or configured, I've inherited responsibility for it from a leaving staff member.
N.b 2 - I've done the normal searching, and generally only found similar issues which relate to getent only showing local users, which isn't the case for me. (e.g LDAP: getent passwd don't show my recent user addition )
Stese (109 rep), Dec 3, 2019, 11:07 AM • Last activity: May 11, 2025, 01:00 PM
0 votes, 2 answers, 1981 views
User X unable to sudo as user Y; authentication succeeds, but execution fails
We have LDAP running in our environment. A particular user `X` is provided `sudo` access as another user, `Y`, but when `X` tries the command `sudo -u Y -I`, the system asks for a password. After entering the password, it throws an error, `unable to execute /bin/bash as Y`.
Another user granted access to use `sudo` in the same way can perform the same action without any issue.
The problem seems to be only for the `X` user. Also, the settings were working fine for this user, who has only recently been facing this issue.
mhawk (1 rep), Apr 4, 2020, 08:49 AM • Last activity: May 7, 2025, 11:03 PM
2 votes, 2 answers, 4362 views
Use an alternate /etc/ldap.conf with ldap search
I would like to perform ldap queries using an alternate file (which is intended to be used with pam.d and so has the same format as `/etc/ldap.conf`).
I think of using `ldapsearch`. In the manual, I cannot find any help for this purpose.
Is it possible to perform ldap queries using an alternate *conf* file?
My `/etc/pam.d/myservice` uses the module `pam_ldap` with option `config=/etc/myservice.ldap.conf`.
MUY Belgium (1282 rep), May 19, 2016, 11:50 AM • Last activity: May 6, 2025, 11:08 PM
0 votes, 2 answers, 732 views
Supplying multiple names in a single olcRefintAttribute value is unsupported and will be disallowed in a future version
For some time now, with OpenLDAP 2.6.2 on AlpineLinux 3.15, running the `slapcat` command generates this warning:

```
Supplying multiple names in a single olcRefintAttribute value is unsupported and will be disallowed in a future version
```

The `olcRefintAttribute` attribute from the refint overlay has the value `memberof member owner`.
How can I fix this warning? Is a migration required?
azmeuk (139 rep), Aug 3, 2022, 08:02 AM • Last activity: May 2, 2025, 07:22 AM
0 votes, 1 answer, 3693 views
How to fix "PAM unable to dlopen(/lib64/security/pam_ldap.so)" in SLES 15 SP4?
Somehow I ended up in SLES 15 with error messages like this:
> (systemd): PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory
However I'm not sure what led to that situation, and I'm also unsure how to fix it, because there seems to be no RPM with `pam_ldap.so`.
The system had been upgraded from SLES 12 SP5 via SLES 15 SP3 to SLES 15 SP4.
Obviously LDAP client configuration was intended and once worked, but it does not at the moment.
U. Windl (1715 rep), May 23, 2023, 08:56 AM • Last activity: Apr 28, 2025, 03:00 AM
0 votes, 1 answer, 3872 views
LDAP server setup with GUI on CentOS7
I have, in the past, set up an LDAP server using OpenSuSE (13.2), which worked well since there was a YaST module which allowed a GUI set-up.
Now I have the problem that I must set up an OpenLDAP server on a small department cluster running CentOS 7, which apparently does not have a GUI/TUI for such purposes. Since I am not experienced with the LDIF-based set-up and I fully expect that the maintenance of the cluster is going to be dropped on a different PhD student when I'm gone I want to be able to configure the LDAP server using some sort of GUI.
To date I have tried Webmin, which was a total fiasco. It appears to set up the basic configuration of the server OK (at least `slapd` starts), but if I try to run any query against the DB the response is `Search failed: No such object`, even for the base DN.
If I attempt to add a tree (i.e. an organisational unit) using said interface the result is an error stating that Webmin could not find a suitable object class for the new DN. Therefore I'm giving up on this piece of software.
*My question is thus:* Is there a free tool which would allow one to configure an LDAP server in CentOS without having to write the entire configuration by hand?
Here I am looking specifically for tools which are **not** web-based (so not phpLDAPadmin) but come with a GUI/TUI. Something like `authconfig-gtk` in CentOS.
Nox (240 rep), May 28, 2018, 01:19 PM • Last activity: Apr 21, 2025, 05:02 AM
1 vote, 0 answers, 1093 views
Linux server - AD Login enabled - how to add AD group to local group
My RHEL servers are enabled with Active Directory authentication configured in the `sssd.conf` file.
I have allowed a few AD groups in `sssd.conf` to log in to the Linux server.
The issue is: I need to know how to add the members of these AD groups to a local group membership. I tried adding the AD group in `/etc/group` but that's not working:

```
docker:x:332:user1,user2,**g-my-AD-user-group**
```
judi (71 rep), Oct 20, 2022, 11:26 AM • Last activity: Apr 18, 2025, 09:30 AM
0 votes, 0 answers, 45 views
Trying to to install symas for openldap on an M3 Mac running Arm64 Rocky Linux 9 gives an error
First, we will install the packages onto VM1 with `sudo wget https://repo.symas.com/configs/SOFL/rhel8/sofl.repo -O /etc/yum.repos.d/sofl.repo`:

```bash
[bill@target ~]$ sudo wget https://repo.symas.com/configs/SOFL/rhel8/sofl.repo -O /etc/yum.repos.d/sofl.repo
--2025-03-26 14:09:26-- https://repo.symas.com/configs/SOFL/rhel8/sofl.repo
Resolving repo.symas.com (repo.symas.com)... 192.241.155.167
Connecting to repo.symas.com (repo.symas.com)|192.241.155.167|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 197
Saving to: ‘sofl.repo.2’
sofl.repo.2 100%[=============================================================================>] 197 --.-KB/s in 0s
2025-03-26 14:09:26 (119 MB/s) - ‘sofl.repo.2’ saved [197/197]
```
Update the package cache with `sudo dnf check-update`:

```bash
[bill@target ~]$ sudo dnf check-update
Rocky Linux 9 - BaseOS 12 kB/s | 4.1 kB 00:00
Rocky Linux 9 - AppStream 19 kB/s | 4.5 kB 00:00
Rocky Linux 9 - Extras 12 kB/s | 2.9 kB 00:00
Symas OpenLDAP for Linux RPM repository 42 kB/s | 35 kB 00:00
bpftool.aarch64 7.4.0-503.33.1.el9_5 baseos
kernel.aarch64 5.14.0-503.33.1.el9_5 baseos
kernel-core.aarch64 5.14.0-503.33.1.el9_5 baseos
kernel-devel.aarch64 5.14.0-503.33.1.el9_5 appstream
kernel-headers.aarch64 5.14.0-503.33.1.el9_5 appstream
kernel-modules.aarch64 5.14.0-503.33.1.el9_5 baseos
kernel-modules-core.aarch64 5.14.0-503.33.1.el9_5 baseos
kernel-tools.aarch64 5.14.0-503.33.1.el9_5 baseos
kernel-tools-libs.aarch64 5.14.0-503.33.1.el9_5 baseos
libxslt.aarch64 1.1.34-9.el9_5.1 appstream
passt.aarch64 0^20240806.gee36266-7.el9_5 appstream
passt-selinux.noarch 0^20240806.gee36266-7.el9_5 appstream
python3-perf.aarch64 5.14.0-503.33.1.el9_5 baseos
```
### 2. Install LDAP packages
We will make use of the following LDAP packages
1. openldap
2. openldap-clients
3. openldap-servers
4. nss-pam-ldapd
5. mod_ldap
> [!TIP]
>
> Server commands start with slap
>
> Client commands start with ldap
Then install the packages with `sudo dnf install -y symas-openldap-clients symas-openldap-servers oddjob-mkhomedir`.
This doesn't work on the Mac, so I'm left in the dark; the error is:
```
Last metadata expiration check: 0:07:21 ago on Thu 27 Mar 2025 08:27:37 CET.
Error:
Problem 1: cannot install the best candidate for the job
- package symas-openldap-clients-2.4.59-1.el8.x86_64 from sofl does not have a compatible architecture
- nothing provides libc.so.6(GLIBC_2.14)(64bit) needed by symas-openldap-clients-2.4.59-1.el8.x86_64 from sofl
- nothing provides symas-openldap(x86-64) = 2.4.59-1.el8 needed by symas-openldap-clients-2.4.59-1.el8.x86_64 from sofl
Problem 2: cannot install the best candidate for the job
- package symas-openldap-servers-2.4.59-1.el8.x86_64 from sofl does not have a compatible architecture
- nothing provides libc.so.6(GLIBC_2.14)(64bit) needed by symas-openldap-servers-2.4.59-1.el8.x86_64 from sofl
- nothing provides libpthread.so.0(GLIBC_2.2.5)(64bit) needed by symas-openldap-servers-2.4.59-1.el8.x86_64 from sofl
- nothing provides libpthread.so.0(GLIBC_2.3.2)(64bit) needed by symas-openldap-servers-2.4.59-1.el8.x86_64 from sofl
- nothing provides libperl.so.5.26()(64bit) needed by symas-openldap-servers-2.4.59-1.el8.x86_64 from sofl
- nothing provides libpthread.so.0(GLIBC_2.12)(64bit) needed by symas-openldap-servers-2.4.59-1.el8.x86_64 from sofl
- nothing provides symas-openldap(x86-64) = 2.4.59-1.el8 needed by symas-openldap-servers-2.4.59-1.el8.x86_64 from sofl
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
```
Roberto_1986 (111 rep), Mar 27, 2025, 08:36 AM • Last activity: Mar 27, 2025, 09:31 AM
0 votes, 1 answer, 33 views
Pam with krb5: very strange local user login, krb5 user login, root..no
This is my pam.conf for Slackware 15.0:

```
#%PAM-1.0
#
# Most of these PAM modules have man pages included, like
# pam_unix(8) for example.
#
##################
# Authentication #
##################
#
auth required pam_env.so
auth optional pam_group.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_unix.so likeauth nullok
-auth optional pam_gnome_keyring.so
##################
# Account checks #
##################
#
# Only root can login if file /etc/nologin exists.
# This is equivalent to NOLOGINS_FILE on login.defs
#
account required pam_nologin.so
#
# Enable restrictions by time, specified in /etc/security/time.conf
# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs
#
account required pam_time.so
account sufficient pam_krb5.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so
#############################
# Password quality checking #
#############################
#
# Please note that unless cracklib and libpwquality are installed, setting
# passwords will not work unless the lines for the pam_pwquality module are
# commented out and the line for the traditional no-quality-check password
# changing is uncommented.
#
# The pam_pwquality module will check the quality of a user-supplied password
# against the dictionary installed for cracklib. Other tests are (or may be)
# done as well - see: man pam_pwquality
#
# Default password quality checking with pam_pwquality. If you don't want
# password quality checking, comment out these two lines and uncomment the
# traditional password handling line below.
password requisite pam_pwquality.so minlen=6 retry=3
password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok |
# Traditional password handling without pam_pwquality password checking.
# Commented out by default to use the two pam_pwquality lines above.
#password sufficient pam_unix.so nullok sha512 shadow minlen=6
# ATTENTION: always keep this line for pam_deny.so:
password required pam_deny.so
#########################
# Session Configuration #
#########################
#
# This applies the limits specified in /etc/security/limits.conf
#
session optional pam_krb5.so
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix.so
#session required pam_lastlog.so showfailed
#session optional pam_mail.so standard
-session optional pam_gnome_keyring.so auto_start
```
I want users to authenticate to kerberos/ldap (ldap for info, kerberos for password).
With this pam configuration I obtain a strange result:
* local unix users can authenticate, and that is OK
* remote ldap users can authenticate, and that is OK
* root cannot authenticate! What am I missing?
elbarna (13690 rep), Mar 13, 2025, 10:45 AM • Last activity: Mar 13, 2025, 11:22 AM
-1 votes, 1 answer, 50 views
Empty output in ldapsearch
I have the following `ldapsearch`:

```
root@debian:~/ldif# ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b dc=nodomain -D cn=admin,dc=nodomain,cn=Pahlevanzadeh,ou=People,uid=mohsen,loginShell=/usr/bin/csh
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain

dn: ou=People,dc=nodomain
objectClass: organizationalUnit
ou: People
description: Organizational Unit for Sales Department

dn: uid=mohsen,ou=People,dc=nodomain
uid: mohsen
cn: Pahlevanzadeh
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 20121
loginShell: /usr/sbin/csh
uidNumber: 130
gidNumber: 137
homeDirectory: /home/mohsen
gecos: A good boy,,,
```
But when I use the following `ldapsearch`, I don't get the above result:

```
root@debian:~/ldif# ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=nodomain,cn=Pahlevanzadeh -D cn=admin,dc=nodomain,cn=Pahlevanzadeh
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
```

How can I create a query with `-b` that gives me the first result?
PersianGulf
(11308 rep)
Feb 24, 2025, 05:37 AM
• Last activity: Mar 7, 2025, 10:35 PM
1 votes | 0 answers | 744 views
Bursts of errors "Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client (...) not found in Kerberos database."
I have set up some RHEL9 servers to authenticate through the AD for the domain EXAMPLE.XYZ; this is done via Ansible playbooks, and so far all works well. (It's the same setup as this previous question: https://unix.stackexchange.com/questions/786569/joining-domain-via-ansible-returns-error-already-joined-to-this-domain-while-v)
However, every few minutes, on each host (let's say on myhost42) there are bursts of error messages, several times per second. This is the output in `/var/log/messages`:

```
Feb 19 15:23:32 myhost42 ldap_child: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'MYHOST42$@EXAMPLE.XYZ' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
```
This is the `/etc/krb5.conf` file:

```
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true
default_realm = EXAMPLE.XYZ
default_ccache_name = KEYRING:persistent:%{uid}
udp_preference_limit = 0

[realms]

[domain_realm]
```
What can be done to troubleshoot the issue?
---
EDIT #1: Based on a comment below and my research, it might be due to a missing association between the AD domain and the Kerberos realm and/or missing entries in the Kerberos keytab. However, I'm using the same configuration as another server farm, which works correctly.

This is the output of `klist -kt /etc/krb5.keytab`:

```
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/25/2025 15:53:24 MYHOST42$@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 MYHOST42$@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
```
dr_
(32068 rep)
Feb 19, 2025, 02:45 PM
• Last activity: Feb 26, 2025, 10:57 AM
0 votes | 1 answers | 37 views
Two OU and without tree
I have two `OU`s: 1. `People` 2. `newOU`. My `dc` is `nodomain`. I have the following search and everything is OK:

```
root@debian:~/ldif# ldapsearch -c -Y EXTERNAL -H ldapi:/// -b dc=nodomain -D cn=admin,dc=nodomain -LLLQ
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain

dn: uid=mohsen,ou=People,dc=nodomain
uid: mohsen
cn: Pahlevanzadeh
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 20121
loginShell: /usr/sbin/csh
uidNumber: 130
gidNumber: 137
homeDirectory: /home/mohsen
gecos: A good boy,,,

dn: ou=newOU,dc=nodomain
objectClass: organizationalUnit
ou: newOU
description: Organizational Unit for Sales Department

dn: uid=naghmeh,ou=newOU,dc=nodomain
uid: naghmeh
cn: maleki
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 20121
loginShell: /usr/sbin/csh
uidNumber: 130
gidNumber: 137
homeDirectory: /home/mohsen
gecos: A good boy,,,
```
I have two `uid`s: 1. `mohsen` under `People`, 2. `naghmeh` under `newOU`.
When I search as above, but add `"ou=newOU"` such as below:

```
ldapsearch -c -Y EXTERNAL "ou=newOU" -H ldapi:/// -b dc=nodomain -D cn=admin,dc=nodomain -LLLQ
```

I get the following result:

```
dn: ou=newOU,dc=nodomain
objectClass: organizationalUnit
ou: newOU
description: Organizational Unit for Sales Department
```

Unfortunately, I didn't get `uid` and the other information. How can I access the other info via my `OU`?
PersianGulf
(11308 rep)
Feb 24, 2025, 01:37 PM
• Last activity: Feb 25, 2025, 05:38 PM
1 votes | 1 answers | 303 views
How to add utility ldapsearch to yocto image?
I have successfully added the recipe `openldap` to my Yocto-based Linux distribution, by the instruction:

```
IMAGE_INSTALL += "openldap"
```

After that I've created a `path/to/my-layer/recipes-support/openldap/openldap_%.bbappend` file and put in it the instruction:

```
INSANE_SKIP_${PN} += "already-stripped"
```

The previous setting tells the Quality Assurance (QA) checks what to skip, and in this case (see the [Yocto manual](https://docs.yoctoproject.org/1.8/ref-manual/ref-manual.html#ref-classes-insane) about `insane.bbclass`) we ask to skip:
> **already-stripped**: Checks that produced binaries have not already been stripped prior to the build system extracting debug symbols. It is common for upstream software projects to default to stripping debug symbols for output binaries. In order for debugging to work on the target using -dbg packages, this stripping must be disabled.
Without the previous instruction the compilation of `openldap` fails with this error:

```
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/bin/ldapcompare' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/bin/ldapdelete' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/bin/ldapexop' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/bin/ldapmodify' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/bin/ldapmodrdn' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/bin/ldappasswd' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/bin/ldapsearch' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/bin/ldapurl' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/bin/ldapwhoami' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: QA Issue: File '/usr/sbin/slapd' from openldap was already stripped, this will prevent future debugging! [already-stripped]
ERROR: openldap-2.4.50-r0 do_package: Fatal QA errors found, failing task.
```

The compilation process produces the binary for the utility `ldapsearch`, but this binary isn't installed into the image. However, I'm sure that `openldap` is correctly installed into the distribution.
I can't find any method to add `ldapsearch` (and the other correctly compiled utilities) to the image.
Could someone help me?
User051209
(498 rep)
Oct 10, 2022, 03:46 PM
• Last activity: Feb 21, 2025, 09:56 AM