Comment 1 for bug 1783183

"/etc/krb5/user/389/client.keytab" feels like a local modification you made, to store keytab files somewhere under /etc/krb5. I suggest you add an apparmor exception in /etc/apparmor.d/local/usr.sbin.slapd.

Unless I'm wrong and that directory is being used as a standard location by some package. Please let me know which is the case.

As to the /tpm/krb5cc_389 file, can you elaborate on the scenario that led to this behavior? Why is slapd trying to read that ticket cache file? Maybe because it failed to read the keytab file?