I did a full review of LDAP service password file selection.

* When the KDC or kadmind connects to the LDAP server and needs a bind password, it looks for the ldap_service_password_file variable in the realm's dbmodules section or in [dbdefaults]. If the variable is not found in either place, there is no default value, and the LDAP connection fails.

* kdb5_ldap_util stashsrvpw does the following:

  - it looks up the database_module variable in [realms] -> realm, and in [dbdefaults] if no value is present in the realm subsection.

  - if a database_module variable is found, it looks up the ldap_service_password_file in the named subsection of [dbmodules], with no error checking. If no value is present, the code tries to fopen(NULL).

  - if no database_module variable is found, it uses a hardcoded default of "usr/local/var/service_passwd". This default is not used by the KDC or kadmind, and does not use the build prefix.

I think the libkdb_ldap logic is fine, but the kdb5_ldap_util logic is seriously confused. We should make the following changes to be consistent with libkdb_ldap:

* If database_module is not present in the realm subsection, the default should be the realm name (to be consistent with kdb5.c:get_conf_section()). [dbdefaults] should not be consulted for database_module, as kdb5.c does not do that.

* If ldap_service_password_file is not present in the chosen [dbmodules] subsection, the command should fail rather than using a hardcoded default.
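The following is an added example, not krb5 code and not from the author of the post above. It models the proposed kdb5_ldap_util lookup order in Python against a constructed krb5.conf fragment: database_module is taken from the realm subsection of [realms] or else defaults to the realm name (with [dbdefaults] not consulted for it), then ldap_service_password_file is read from that [dbmodules] subsection, falling back to [dbdefaults] as the post describes libkdb_ldap doing, and the lookup fails outright instead of using a hardcoded path or calling fopen(NULL). The minimal parser, the ConfigError class, the function names and the file paths in the samples are assumptions for illustration; krb5 itself reads these settings through its profile library.

```python
"""Model of the proposed krb5 LDAP service password file lookup (added example).

Assumed resolution order, as the post proposes for kdb5_ldap_util so that it
matches libkdb_ldap:
  1. database_module from [realms] -> REALM; if absent, use the realm name.
     [dbdefaults] is deliberately NOT consulted for database_module.
  2. ldap_service_password_file from [dbmodules] -> <module>, then from
     [dbdefaults]; if neither has it, fail. No hardcoded default path.
"""
import re


class ConfigError(Exception):
    """Raised when the configuration cannot name a service password file."""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser (assumption, not the profile library):
    handles [section] headers, key = value lines and one level of
    KEY = { ... } subsections; '#' comments and blank lines are ignored.
    Values containing '#' are not supported by this toy parser."""
    conf = {}
    section = None
    sub = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            sub = None
            continue
        if section is None:
            raise ConfigError("key outside of any section: %r" % line)
        if line == "}":
            sub = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            sub = section.setdefault(key, {})
        elif sub is not None:
            sub[key] = value
        else:
            section[key] = value
    return conf


def dbmodule_for_realm(conf, realm):
    """Step 1: database_module from [realms] -> realm, else the realm name.
    [dbdefaults] is not consulted, matching kdb5.c:get_conf_section()."""
    realm_sec = conf.get("realms", {}).get(realm, {})
    return realm_sec.get("database_module", realm)


def service_password_file(conf, realm):
    """Step 2: ldap_service_password_file from [dbmodules] -> module, then
    [dbdefaults]. Raises ConfigError instead of falling back to a hardcoded
    path, so a missing setting is reported rather than becoming fopen(NULL)."""
    module = dbmodule_for_realm(conf, realm)
    for section, name in (("dbmodules", module), ("dbdefaults", None)):
        sec = conf.get(section, {})
        if name is not None:
            sec = sec.get(name)
            if not isinstance(sec, dict):
                continue
        path = sec.get("ldap_service_password_file")
        if path:
            return path
    raise ConfigError(
        "no ldap_service_password_file for realm %s (module %r) in "
        "[dbmodules] or [dbdefaults]" % (realm, module))


# Constructed sample configuration; hostnames and paths are made up.
SAMPLE_CONF = """\
[realms]
    EXAMPLE.COM = {
        database_module = ldap_example
    }
    OTHER.ORG = {
        kdc = kdc.other.org
    }

[dbmodules]
    ldap_example = {
        db_library = kldap
        ldap_servers = ldaps://ldap.example.com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }
    OTHER.ORG = {
        db_library = kldap
    }

[dbdefaults]
    ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
"""

# Constructed variant where only [dbdefaults] names the file.
DBDEFAULTS_CONF = """\
[dbmodules]
    OTHER.ORG = {
        db_library = kldap
    }
[dbdefaults]
    ldap_service_password_file = /etc/krb5kdc/default.keyfile
"""


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    for realm in ("EXAMPLE.COM", "OTHER.ORG", "MISSING.NET"):
        try:
            print(realm, "->", service_password_file(conf, realm))
        except ConfigError as e:
            print(realm, "-> error:", e)
    print("OTHER.ORG (dbdefaults only) ->",
          service_password_file(parse_krb5_conf(DBDEFAULTS_CONF), "OTHER.ORG"))
```

In the sample, EXAMPLE.COM names its module explicitly and resolves to the file under [dbmodules]; OTHER.ORG has no database_module, so the realm name selects the [dbmodules] subsection, which has no file and neither does [dbdefaults], so the lookup fails instead of silently opening a bogus path; the second fragment shows the [dbdefaults] fallback supplying the file.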