[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Evaluation bug (ITS#3173)




--On Tuesday, June 08, 2004 4:32 PM -0700 "Kurt D. Zeilenga" 
<Kurt@OpenLDAP.org> wrote:

> Could this simply be due to the separator between 5 and 6
> in the RegistryDataAuditor by clause?

This continues in OL 2.2.13, with my ACL's set either way.

At least now I have debugging output.

My current theory is:

I perform WRITE op to OL master
syncRepl begins
DB gets locked, so ACL evaluation locks
everything gets hung.

Notes:
ldap-dev0 = master
ldap-dev2 = replica
ldap-dev3 = replica

Both replica's are started, both in synch with master.
ADD is initiated

debug -1 output:

conn=2 op=4 ADD dn="cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu"
bdb_dn2entry("cn=proxy5,cn=webauth,cn=applications,dc=stanford,dc=edu")
=> bdb_dn2id( "cn=applications,dc=stanford,dc=edu" )
<= bdb_dn2id: got id=0x00000004
=> bdb_dn2id( "cn=webauth,cn=applications,dc=stanford,dc=edu" )
<= bdb_dn2id: got id=0x00045518
=> bdb_dn2id( "cn=proxy5,cn=webauth,cn=applications,dc=stanford,dc=edu" )
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found 
(-30990)
entry_decode: "cn=Webauth,cn=Applications,dc=stanford,dc=edu"
<= entry_decode(cn=Webauth,cn=Applications,dc=stanford,dc=edu)
bdb_referrals: op=104 
target="cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu" 
matched="cn=W
ebauth,cn=Applications,dc=stanford,dc=edu"
>>> dnPretty: 
<suRegID=cd67ebdae76c11d1b7532436000baa77,cn=People,dc=stanford,dc=edu>
=> 
ldap_bv2dn(suRegID=cd67ebdae76c11d1b7532436000baa77,cn=People,dc=stanford,dc=edu,0)
<= 
ldap_bv2dn(suRegID=cd67ebdae76c11d1b7532436000baa77,cn=People,dc=stanford,dc=edu,0)=0
=> ldap_dn2bv(272)
<= 
ldap_dn2bv(suRegID=cd67ebdae76c11d1b7532436000baa77,cn=People,dc=stanford,dc=edu,272)=0
<<< dnPretty: 
<suRegID=cd67ebdae76c11d1b7532436000baa77,cn=People,dc=stanford,dc=edu>
>>> dnNormalize: 
<suRegID=cd67ebdae76c11d1b7532436000baa77,cn=People,dc=stanford,dc=edu>
=> 
ldap_bv2dn(suRegID=cd67ebdae76c11d1b7532436000baa77,cn=People,dc=stanford,dc=edu,0)
<= 
ldap_bv2dn(suRegID=cd67ebdae76c11d1b7532436000baa77,cn=People,dc=stanford,dc=edu,0)=0
=> ldap_dn2bv(272)
<= 
ldap_dn2bv(suRegID=cd67ebdae76c11d1b7532436000baa77,cn=people,dc=stanford,dc=edu,272)=0
<<< dnNormalize: 
<suRegID=cd67ebdae76c11d1b7532436000baa77,cn=people,dc=stanford,dc=edu>
==> bdb_add: cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu
oc_check_required entry 
(cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu), objectClass "appl
icationProcess"
oc_check_required entry 
(cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu), objectClass "suAp
plication"
oc_check_required entry 
(cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu), objectClass "krb5
Principal"
oc_check_allowed type "objectClass"
oc_check_allowed type "cn"
oc_check_allowed type "description"
oc_check_allowed type "krb5PrincipalName"
oc_check_allowed type "owner"
oc_check_allowed type "suAdministrator"
oc_check_allowed type "structuralObjectClass"
oc_check_allowed type "entryUUID"
oc_check_allowed type "creatorsName"
oc_check_allowed type "createTimestamp"
oc_check_allowed type "entryCSN"
oc_check_allowed type "modifiersName"
oc_check_allowed type "modifyTimestamp"
bdb_dn2entry("cn=proxy5,cn=webauth,cn=applications,dc=stanford,dc=edu")
=> bdb_dn2id( "cn=proxy5,cn=webauth,cn=applications,dc=stanford,dc=edu" )
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found 
(-30990)
=> access_allowed: write access to 
"cn=Webauth,cn=Applications,dc=stanford,dc=edu" "children" reques
ted
=> dn: [1]
=> dn: [2] cn=monitor
=> acl_get: [3] attr children
=> acl_mask: access to entry 
"cn=Webauth,cn=Applications,dc=stanford,dc=edu", attr "children" reques
ted
=> acl_mask: to all values by "uid=quanah,cn=accounts,dc=stanford,dc=edu", 
(=n)
<= check a_dn_pat: 
cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
=> bdb_entry_get: ndn: "cn=supervisor,cn=applications,dc=stanford,dc=edu"
=> bdb_entry_get: oc: "groupOfNames", at: "member"
bdb_dn2entry("cn=supervisor,cn=applications,dc=stanford,dc=edu")
=> bdb_dn2id( "cn=supervisor,cn=applications,dc=stanford,dc=edu" )
<= bdb_dn2id: got id=0x00000005
entry_decode: "cn=supervisor,cn=Applications,dc=stanford,dc=edu"
<= entry_decode(cn=supervisor,cn=Applications,dc=stanford,dc=edu)
=> bdb_entry_get: found entry: 
"cn=supervisor,cn=applications,dc=stanford,dc=edu"
bdb_entry_get: rc=0
dnMatch 1
        "uid=chandau,cn=accounts,dc=stanford,dc=edu"
        "uid=quanah,cn=accounts,dc=stanford,dc=edu"
dnMatch 0
        "uid=quanah,cn=accounts,dc=stanford,dc=edu"
        "uid=quanah,cn=accounts,dc=stanford,dc=edu"
<= check a_authz.sai_sasl_ssf: ACL 56 > OP 56
<= acl_mask: [2] applying write(=wrscx) (stop)
<= acl_mask: [2] mask: write(=wrscx)
=> access_allowed: write access granted by write(=wrscx)
=> access_allowed: write access to 
"cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu" "entry"
 requested
=> dn: [1]
=> dn: [2] cn=monitor
=> acl_get: [3] attr entry
=> acl_mask: access to entry 
"cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu", attr "entry"
 requested
=> acl_mask: to all values by "uid=quanah,cn=accounts,dc=stanford,dc=edu", 
(=n)
<= check a_dn_pat: 
cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
<= check a_authz.sai_sasl_ssf: ACL 56 > OP 56
<= acl_mask: [2] applying write(=wrscx) (stop)
<= acl_mask: [2] mask: write(=wrscx)
=> access_allowed: write access granted by write(=wrscx)
=> bdb_dn2id_add( 
"cn=proxy5,cn=webauth,cn=applications,dc=stanford,dc=edu", 0x0004efb1 )
bdb_idl_insert_key: 4efb1 %cn=webauth,cn=applications,dc=stanford,dc=edu
bdb_idl_insert_key: 4efb1 @cn=webauth,cn=applications,dc=stanford,dc=edu
bdb_idl_insert_key: 4efb1 @cn=applications,dc=stanford,dc=edu
<= bdb_dn2id_add: 0
=> entry_encode(0x0004efb1): 
cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu
=> index_entry_add( 323505, 
"cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu" )
=> key_change(ADD,4efb1)
bdb_idl_insert_key: 4efb1 [0283e35a]
<= key_change 0
=> key_change(ADD,4efb1)
bdb_idl_insert_key: 4efb1 [0b9cc936]
<= key_change 0
=> key_change(ADD,4efb1)
bdb_idl_insert_key: 4efb1 [43f33743]
<= key_change 0
=> key_change(ADD,4efb1)
bdb_idl_insert_key: 4efb1 [0096defd]
<= key_change 0
=> key_change(ADD,4efb1)
bdb_idl_insert_key: 4efb1 [2543ee9e]
<= key_change 0
=> key_change(ADD,4efb1)
bdb_idl_insert_key: 4efb1 [5d735fab]
<= key_change 0
<= index_entry_add( 323505, 
"cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu" ) success
bdb_dn2entry("cn=ldapsync,dc=stanford,dc=edu")
bdb_modify_internal: 0x0004efb0: cn=ldapsync,dc=stanford,dc=edu
acl: no-user-mod contextCSN: modify access granted
bdb_modify_internal: replace
oc_check_required entry (cn=ldapsync,dc=stanford,dc=edu), objectClass 
"subentry"
oc_check_required entry (cn=ldapsync,dc=stanford,dc=edu), objectClass 
"syncProviderSubentry"
oc_check_allowed type "objectClass"
oc_check_allowed type "structuralObjectClass"
oc_check_allowed type "cn"
oc_check_allowed type "subtreeSpecification"
oc_check_allowed type "contextCSN"
=> entry_encode(0x0004efb0): cn=ldapsync,dc=stanford,dc=edu
=> bdb_search
bdb_dn2entry("dc=stanford,dc=edu")
search_candidates: base="dc=stanford,dc=edu" (0x00000001) scope=2
=> bdb_dn2idl( "dc=stanford,dc=edu" )
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        PRESENT
=> bdb_presence_candidates (objectClass)
<= bdb_filter_candidates: id=-1 first=1 last=323505
<= bdb_list_candidates: id=-1 first=1 last=323505
<= bdb_filter_candidates: id=-1 first=1 last=323505
bdb_search_candidates: id=-1 first=1 last=323505
=> test_filter
    AND
=> test_filter_and
=> test_filter
    NOT
=> test_filter
    EQUALITY
=> access_allowed: search access to 
"cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu" "entry
CSN" requested
=> dn: [1]
=> dn: [2] cn=monitor
=> acl_get: [3] attr entryCSN
=> acl_mask: access to entry 
"cn=proxy5,cn=Webauth,cn=applications,dc=stanford,dc=edu", attr "entryC
SN" requested
=> acl_mask: to value by 
"cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu", (=n)
<= check a_dn_pat: 
cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
=> bdb_entry_get: ndn: "cn=supervisor,cn=applications,dc=stanford,dc=edu"
=> bdb_entry_get: oc: "groupOfNames", at: "member"
bdb_dn2entry("cn=supervisor,cn=applications,dc=stanford,dc=edu")
=> bdb_entry_get: found entry: 
"cn=supervisor,cn=applications,dc=stanford,dc=edu"
bdb_entry_get: rc=0
dnMatch -12
        "uid=chandau,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -13
        "uid=quanah,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -13
        "uid=wjones,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -12
        "uid=caseyd1,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -15
        "uid=mpmw,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -16
        "uid=rra,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -15
        "uid=torg,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -11
        "uid=svuyyuru,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -14
        "uid=hallk,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -11
        "uid=jonpilat,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
=> bdb_entry_get: ndn: "cn=ldapadmin,cn=applications,dc=stanford,dc=edu"
=> bdb_entry_get: oc: "groupOfNames", at: "member"
bdb_dn2entry("cn=ldapadmin,cn=applications,dc=stanford,dc=edu")
=> bdb_dn2id( "cn=ldapadmin,cn=applications,dc=stanford,dc=edu" )
<= bdb_dn2id: got id=0x00000006
entry_decode: "cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"
<= entry_decode(cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu)
=> bdb_entry_get: found entry: 
"cn=ldapadmin,cn=applications,dc=stanford,dc=edu"
bdb_entry_get: rc=0
dnMatch -12
        "uid=chandau,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -13
        "uid=quanah,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -12
        "uid=phoenix,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -13
        "uid=wjones,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -15
        "uid=mpmw,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -15
        "uid=torg,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -11
        "uid=morpheus,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -16
        "uid=rra,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -11
        "uid=jonpilat,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -13
        "uid=antonu,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -12
        "uid=jlucker,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -14
        "uid=sfeng,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -14
        "uid=hallk,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -12
        "uid=meeilee,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -12
        "uid=cjurney,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -13
        "uid=riepel,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch 3
        "cn=regadmin,cn=service,cn=applications,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -11
        "uid=svuyyuru,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -12
        "uid=priimak,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -12
        "uid=dbender,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
dnMatch -13
        "uid=molive,cn=accounts,dc=stanford,dc=edu"
        "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
=> bdb_entry_get: ndn: "cn=ldapreplica,cn=applications,dc=stanford,dc=edu"
=> bdb_entry_get: oc: "groupOfNames", at: "member"
bdb_dn2entry("cn=ldapreplica,cn=applications,dc=stanford,dc=edu")
=> bdb_dn2id( "cn=ldapreplica,cn=applications,dc=stanford,dc=edu" )
<= bdb_dn2id: got id=0x0004efae


At this point, it hangs, with the occasional:

daemon: select timeout - yielding
daemon: select: listen=6 active_threads=1 tvp=zero
daemon: select: listen=7 active_threads=1 tvp=zero
daemon: select timeout - yielding
daemon: select: listen=6 active_threads=1 tvp=zero
daemon: select: listen=7 active_threads=1 tvp=zero
daemon: select timeout - yielding
daemon: select: listen=6 active_threads=1 tvp=zero
daemon: select: listen=7 active_threads=1 tvp=zero

messages.

ACL's:

# $Id: slapd.acl.master,v 1.27 2004/02/27 07:25:17 quanah Exp $
# ACL include file for slapd
#
# this is specific to the master

access to dn.base=""
        by * read

access to dn.subtree="cn=monitor"
        by * read

access to *
        by 
dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu" 
sasl_ssf=56 write
        by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" 
sasl_ssf=56 write
        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by 
dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu" 
sasl_ssf=56 read
        by * break


ldapreplica group:

ldapsearch -h ldap-dev0 cn=ldapreplicator
SASL/GSSAPI authentication started
SASL username: quanah@stanford.edu
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=ldapreplicator
# requesting: ALL
#

# search result
search: 5
result: 0 Success

# numResponses: 1
ldap-dev0:~> ldapsearch -h ldap-dev0 cn=ldapreplica
SASL/GSSAPI authentication started
SASL username: quanah@stanford.edu
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=ldapreplica
# requesting: ALL
#

# ldapReplica, Applications, stanford.edu
dn: cn=ldapReplica,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapReplica
member: cn=ldap-dev1,cn=ldap,cn=operational,dc=stanford,dc=edu
member: cn=ldap-dev2,cn=ldap,cn=operational,dc=stanford,dc=edu
member: cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


Note: It's bind ID is definitely 
cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu:


>>> dnPrettyNormal: <cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu>
=> ldap_bv2dn(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,0)
<= ldap_bv2dn(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,272)=0
<<< dnPrettyNormal: 
<cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu>, 
<cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu>
do_sasl_bind: dn (cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu) 
mech GSSAPI
conn=1 op=0 BIND 
dn="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" method=163
==> sasl_bind: dn="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" 
mech=GSSAPI datalen=535
connection_get(13)
connection_get(13): got connid=1
connection_read(13): checking for input on id=1
>>> dnPrettyNormal: <cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu>
=> ldap_bv2dn(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,0)
<= ldap_bv2dn(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,272)=0
<<< dnPrettyNormal: 
<cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu>, 
<cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu>
do_sasl_bind: dn (cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu) 
mech GSSAPI
conn=1 op=1 BIND 
dn="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" method=163
==> sasl_bind: dn="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" 
mech=<continuing> datalen=0
>>> dnPrettyNormal: <cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu>
=> ldap_bv2dn(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,0)
<= ldap_bv2dn(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu,272)=0
<<< dnPrettyNormal: 
<cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu>, 
<cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu>
do_sasl_bind: dn (cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu) 
mech GSSAPI
conn=1 op=2 BIND 
dn="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" method=163
==> sasl_bind: dn="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" 
mech=<continuing> datalen=53
SASL Canonicalize [conn=1]: authcid="ldap/ldap-dev3.stanford.edu"
slap_sasl_getdn: id=ldap/ldap-dev3.stanford.edu [len=27]
slap_sasl_getdn: u:id converted to 
uid=ldap/ldap-dev3.stanford.edu,cn=stanford.edu,cn=GSSAPI,cn=auth
>>> dnNormalize: 
<uid=ldap/ldap-dev3.stanford.edu,cn=stanford.edu,cn=GSSAPI,cn=auth>
=> 
ldap_bv2dn(uid=ldap/ldap-dev3.stanford.edu,cn=stanford.edu,cn=GSSAPI,cn=auth,0)
<= 
ldap_bv2dn(uid=ldap/ldap-dev3.stanford.edu,cn=stanford.edu,cn=GSSAPI,cn=auth,0)=0
=> ldap_dn2bv(272)
<= 
ldap_dn2bv(uid=ldap/ldap-dev3.stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth,272)=0
<<< dnNormalize: 
<uid=ldap/ldap-dev3.stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name 
uid=ldap/ldap-dev3.stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth to a DN
slap_sasl_regexp: converting SASL name 
uid=ldap/ldap-dev3.stanford.edu,cn=stanford.edu,cn=gssapi,cn=auth
slap_sasl_regexp: converted SASL name to 
ldaps:///cn=ldap,cn=Operational,dc=stanford,dc=edu??sub?krb5PrincipalName=ldap/ldap-dev3.stanford.edu@stanford.edu
slap_parseURI: parsing 
ldaps:///cn=ldap,cn=Operational,dc=stanford,dc=edu??sub?krb5PrincipalName=ldap/ldap-dev3.stanford.edu@stanford.edu
ldap_url_parse_ext(ldaps:///cn=ldap,cn=Operational,dc=stanford,dc=edu??sub?krb5PrincipalName=ldap/ldap-dev3.stanford.edu@stanford.edu)
str2filter "krb5PrincipalName=ldap/ldap-dev3.stanford.edu@stanford.edu"
put_filter: "krb5PrincipalName=ldap/ldap-dev3.stanford.edu@stanford.edu"
put_filter: default
put_simple_filter: 
"krb5PrincipalName=ldap/ldap-dev3.stanford.edu@stanford.edu"
begin get_filter
EQUALITY
>>> dnNormalize: <cn=ldap,cn=Operational,dc=stanford,dc=edu>
=> ldap_bv2dn(cn=ldap,cn=Operational,dc=stanford,dc=edu,0)
<= ldap_bv2dn(cn=ldap,cn=Operational,dc=stanford,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldap,cn=operational,dc=stanford,dc=edu,272)=0
<<< dnNormalize: <cn=ldap,cn=operational,dc=stanford,dc=edu>
slap_sasl2dn: performing internal search 
(base=cn=ldap,cn=operational,dc=stanford,dc=edu, scope=2)
=> bdb_search
bdb_dn2entry("cn=ldap,cn=operational,dc=stanford,dc=edu")
search_candidates: base="cn=ldap,cn=operational,dc=stanford,dc=edu" 
(0x0004ccef) scope=2
=> bdb_dn2idl( "cn=ldap,cn=operational,dc=stanford,dc=edu" )
bdb_idl_fetch_key: @cn=ldap,cn=operational,dc=stanford,dc=edu
<= bdb_dn2idl: id=4 first=314607 last=323501
=> bdb_filter_candidates
    AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
    OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
    EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
    EQUALITY
=> bdb_equality_candidates (krb5PrincipalName)
=> key_read
bdb_idl_fetch_key: [4121fd40]
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=323501, last=323501
<= bdb_filter_candidates: id=1 first=323501 last=323501
<= bdb_list_candidates: id=1 first=323501 last=323501
<= bdb_filter_candidates: id=1 first=323501 last=323501
<= bdb_list_candidates: id=1 first=323501 last=323501
<= bdb_filter_candidates: id=1 first=323501 last=323501
bdb_search_candidates: id=1 first=323501 last=323501
entry_decode: "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
<= entry_decode(cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu)
=> bdb_dn2id( "cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" )
<= bdb_dn2id: got id=0x0004efad
=> test_filter
    EQUALITY
=> access_allowed: auth access to 
"cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" 
"krb5PrincipalName" requested
=> dn: [1]
=> dn: [2] cn=monitor
=> acl_get: [3] attr krb5PrincipalName
=> acl_mask: access to entry 
"cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu", attr 
"krb5PrincipalName" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: 
cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
<= check a_dn_pat: 
cn=registrydataauditor,cn=service,cn=applications,dc=stanford,dc=edu
<= check a_dn_pat: *
<= acl_mask: [6] applying +0 (break)
<= acl_mask: [6] mask: =n
=> acl_get: [5] attr krb5PrincipalName
=> acl_mask: access to entry 
"cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu", attr 
"krb5PrincipalName" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: 
cn=slog-accounts,cn=service,cn=applications,dc=stanford,dc=edu
<= check a_dn_pat: 
cn=rr-accounts-rw,cn=service,cn=applications,dc=stanford,dc=edu
<= check a_dn_pat: 
cn=rr-accounts-ro,cn=service,cn=applications,dc=stanford,dc=edu
<= check a_dn_pat: *
<= acl_mask: [4] applying search(=scx) (stop)
<= acl_mask: [4] mask: search(=scx)
=> access_allowed: auth access granted by search(=scx)
<= test_filter 6
send_ldap_result: conn=1 op=0 p=3
send_ldap_result: err=0 matched="" text=""
<==slap_sasl2dn: Converted SASL name to 
cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu
getdn: dn:id converted to 
cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu
SASL Canonicalize [conn=1]: 
slapAuthcDN="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
SASL proxy authorize [conn=1]: 
authcid="ldap/ldap-dev3.stanford.edu@stanford.edu" 
authzid="ldap/ldap-dev3.stanford.edu@stanford.edu"
conn=1 op=2 BIND authcid="ldap/ldap-dev3.stanford.edu@stanford.edu"
SASL Authorize [conn=1]:  proxy authorization allowed
send_ldap_sasl: err=0 len=-1
send_ldap_response: msgid=3 tag=97 err=0
ber_flush: 14 bytes to sd 13
  0000:  30 0c 02 01 03 61 07 0a  01 00 04 00 04 00         0....a........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 03 61 07 0a  01 00 04 00 04 00         0....a........
<== slap_sasl_bind: rc=0
conn=1 op=2 BIND 
dn="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" mech=GSSAPI 
ssf=56
do_bind: SASL/GSSAPI bind: 
dn="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu" ssf=56
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=1
connection_read(13): checking for input on id=1
ldap_pvt_sasl_install
ber_get_next
sasl_read: want=4, got=4
<= get_ctrls: n=1 rc=0 err=""
    attrs: * objectClass structuralObjectClass entryCSN
conn=1 op=3 SRCH base="dc=stanford,dc=edu" scope=2 deref=0 
filter="(objectClass=*)"
conn=1 op=3 SRCH attr=* objectClass structuralObjectClass entryCSN
==> limits_get: conn=1 op=3 
dn="cn=ldap-dev3,cn=ldap,cn=operational,dc=stanford,dc=edu"
=> bdb_search
bdb_dn2entry("dc=stanford,dc=edu")
bdb_dn2entry("cn=ldapsync,dc=stanford,dc=edu")



What I don't get, is it never iterates through the ACL's to determine if 
the bound replica has permissions to read *, objectClass, 
structuralObjectClass or entryCSN.  Or if it is, that definitely isn't 
logged (see above).

I've updated the complete log as:

3173-quanah-20040616.gz

in ftp.openldap.org/incoming

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html