freeipa/ipa-server/ipa-install/share/kerberos.ldif

#kerberos user
dn: uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: kdc
userPassword: $PASSWORD

#kerberos base object
dn: cn=kerberos,$SUFFIX
changetype: add
objectClass: krbContainer
objectClass: top
cn: kerberos
aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)