
Authentication

OpenLDAP Simple Bind {KERBEROS} deprecated.

Bad news for us, good news for security standards. The OpenLDAP project appears to be working towards eliminating most simple bind functionality; there are a few posts here and there about it. As part of this, OpenLDAP versions 2.1.23 and greater do not support the simple bind {KERBEROS} functionality that we currently use. We are currently running version 2.1.21 in production.

Some options for working around this problem include:

  1. Switching to the simple bind {SASL} option, which authenticates credentials through an ldap->saslauthd->kerberos or ldap->saslauthd->pam->kerberos chain. (Haven't been able to make this work right yet.)
  2. Not upgrading OpenLDAP... ever.
  3. Eliminating LDAP simple binds in the environment.
  4. Moving authentication directly to Active Directory.
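
Whichever option is chosen, it helps to know which directory entries still depend on the {KERBEROS} scheme. The following Python script is an added example, not code from the original post or from the OpenLDAP project: it scans an LDIF export for `userPassword` values that use {KERBEROS} and lists the {SASL} value option 1 would need. The sample LDIF is constructed, the function names are hypothetical, and reusing the same principal string after `{SASL}` is an assumption to verify against your saslauthd setup.

```python
import base64

# Constructed sample LDIF (not from the original post): a plain value, a
# base64 "::" value, a non-Kerberos hash, and a folded (continued) line.
_BOB = base64.b64encode(b"{KERBEROS}bob@EXAMPLE.ORG").decode()
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
userPassword: {KERBEROS}alice@EXAMPLE.ORG

dn: uid=bob,ou=people,dc=example,dc=org
userPassword:: %s

dn: uid=carol,ou=people,dc=example,dc=org
userPassword: {SSHA}constructed-placeholder-hash

dn: uid=dave,ou=people,dc=example,dc=org
userPassword: {kerberos}dave@EXAM
 PLE.ORG
""" % _BOB

def unfold(ldif):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_kerberos_binds(ldif):
    """Return (dn, principal, proposed {SASL} value) per {KERBEROS} entry."""
    hits, dn = [], None
    for line in unfold(ldif):
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword" and value.upper().startswith("{KERBEROS}"):
            principal = value[len("{KERBEROS}"):]
            # Assumption: the {SASL} value carries the same principal string.
            hits.append((dn, principal, "{SASL}" + principal))
    return hits

if __name__ == "__main__":
    for dn, principal, proposed in find_kerberos_binds(SAMPLE_LDIF):
        print(f"{dn}: {principal} -> userPassword: {proposed}")
```

An empty result on a full export means no entry relies on {KERBEROS}, so the upgrade past 2.1.21 would not break simple binds for that reason.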

Related OpenLDAP FAQ Article