Ok... after a bit of a struggle, I have gotten OpenLDAP 2.4.6 going with
MIT Kerberos 1.6.3, with some small caveats...
1: (and you know this already), the documentation for the slapd.d
format is.. uhm.. bad. For example the "slapd.ldif" in the source isn't
even valid, the "module" section (commented out, but there) is missing the
"cn:" specifier.
There is something awry with the Kerberos 5/GSSAPI setup for using a
krb5 credential as a RootDN; according to your documentation it should be
of the form:

    uid=user/instance,cn=realm.com,cn=gssapi,cn=auth

This isn't working for me. After enabling Auth logging I found that it
authenticated me as:

    uid=user/instance,cn=gssapi,cn=auth

(note the lack of realm...) Why? Have I botched something (which I may
have), or is there an error with the documentation?