fix: add missing Kerberos configuration and refactor misleading names.

README.md

@@ -221,8 +221,9 @@ Gate with `KERBEROS_ENABLE=1`. When enabled, slapd is configured at first-run bo
 |---|---|---|
 | `KERBEROS_ENABLE` | `0` | Set to `1` to enable |
 | `KRB5_REALM` | — | Kerberos realm (uppercase, e.g. `EXAMPLE.ORG`) |
-| `KRB5_SASL_HOST` | — | Hostname matching the `ldap/<host>@REALM` service principal |
+| `KRB5_KDC_HOST` | — | Hostname of the Kerberos KDC |
-| `KRB5_KTNAME` | `/etc/ldap/ldap.keytab` | Path to the keytab inside the container |
+| `LDAP_HOSTNAME` | — | Hostname matching the `ldap/<host>@REALM` service principal |
+| `KRB5_KTNAME` | `/etc/krb5.keytab` | Path to the keytab inside the container |
 
 ### Principal-to-DN mapping
 
@@ -242,7 +243,7 @@ Gate with `KERBEROS_ENABLE=1`. When enabled, slapd is configured at first-run bo
    ```bash
    container cp kerberos:/tmp/ldap.keytab ~/app-data/openldap/ldap.keytab
    ```
-3. Mount it into the OpenLDAP container at `KRB5_KTNAME` (default `/etc/ldap/ldap.keytab`) and set the Kerberos env vars in `openldap.env`.
+3. Mount it into the OpenLDAP container at `KRB5_KTNAME` (default `/etc/krb5.keytab`) and set the Kerberos env vars in `openldap.env`.
 4. On first start, bootstrap applies the SASL configuration automatically. For an already-initialised instance apply it manually:
    ```bash
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<'EOF'

bootstrap/init.py

@@ -19,7 +19,7 @@ password = os.environ.get("LDAP_PASSWORD") or "changeit"
 tls_enabled = os.environ.get("TLS_ENABLED") == "1"
 kerberos_enabled = os.environ.get("KERBEROS_ENABLE") == "1"
 krb5_realm = os.environ.get("KRB5_REALM", "")
-krb5_sasl_host = os.environ.get("KRB5_SASL_HOST", "")
+ldap_hostname = os.environ.get("LDAP_HOSTNAME", "")
 admin_dn = f"cn=admin,{base_dn}"
 
 
@@ -121,7 +121,7 @@ def main():
         apply_ldif(LDIF_DIR / "config-tls.ldif", env)
     if kerberos_enabled:
         apply_ldif(LDIF_DIR / "config-sasl.ldif", env,
-                   base_dn=base_dn, krb5_realm=krb5_realm, sasl_host=krb5_sasl_host)
+                   base_dn=base_dn, krb5_realm=krb5_realm, ldap_hostname=ldap_hostname)
 
     print("cn=config updated.")
 

bootstrap/ldif/config-sasl.ldif

@@ -1,7 +1,7 @@
 dn: cn=config
 changetype: modify
 replace: olcSaslHost
-olcSaslHost: {{ sasl_host }}
+olcSaslHost: {{ ldap_hostname }}
 -
 replace: olcSaslRealm
 olcSaslRealm: {{ krb5_realm }}

env.example

@@ -8,5 +8,5 @@ LDAP_ADMIN_PASSWORD=changeit
 KERBEROS_ENABLE=0
 KRB5_REALM=EXAMPLE.ORG
 KRB5_KDC_HOST=kerberos.example.org
-KRB5_SASL_HOST=ldap.example.org
+LDAP_HOSTNAME=ldap.example.org
 KRB5_KTNAME=/etc/krb5.keytab

scripts/accounts_editor.py

@@ -21,7 +21,8 @@ ENV_VARS = {
     "LDAP_ADMIN_PASSWORD":  "Admin Password",
     "KERBEROS_ENABLE":      "Enable Kerberos",
     "KRB5_REALM":           "Realm",
-    "KRB5_SASL_HOST":       "SASL Host",
+    "KRB5_KDC_HOST":        "KDC Host",
+    "LDAP_HOSTNAME":        "LDAP Hostname",
     "KRB5_KTNAME":          "Keytab Path",
 }