Configure KeyCape LLDAP people OU

sso-mfa/k8s/keycape/create-secrets.sh

@@ -78,6 +78,8 @@ lldap:
   bindDN: "uid=admin,ou=people,dc=netkingdom,dc=local"
   bindPW: "${LLDAP_BIND_PW}"
   baseDN: "dc=netkingdom,dc=local"
+  userOU: "ou=people"
+  groupOU: "ou=groups"
 
 authelia:
   # Cluster-internal URL for server-side token exchange.

sso-mfa/k8s/keycape/deployment.yaml

@@ -54,7 +54,7 @@ spec:
           # 2026-05-24: direct-imported into railiance01 k3s for the
           # bootstrap-console OIDC/MFA rollout. Use IfNotPresent while the
           # HTTP registry push/pull path is being cleaned up.
-          image: 92.205.130.254:32166/coulomb/key-cape:main-937cb39
+          image: 92.205.130.254:32166/coulomb/key-cape:main-06d20c3
           imagePullPolicy: IfNotPresent
 
           ports:

workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md

@@ -201,6 +201,12 @@ without depending on token-list admin credentials. The live `keycape-config`
 now uses `realm: coulomb` and `requireForAll: true`, and Railiance runs image
 `main-937cb39`.
 
+**2026-05-25:** Fixed the subsequent token-exchange `user not found` error.
+Live LLDAP stores users under `ou=people`, while KeyCape's default lookup base
+was `ou=users`. KeyCape commit `06d20c3` makes the LLDAP OU settings explicit
+in YAML, live `keycape-config` now sets `userOU: ou=people` and
+`groupOU: ou=groups`, and Railiance runs image `main-06d20c3`.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret