
ACL userPassword Problem Re-Visited



Hi All,

This is a long post; sorry, but I need to show the traces.
I have now worked out why, although apparently binding
successfully as the record DN, I could not see the
userPassword attribute of my posixAccount record.
Incidentally, this is OpenLDAP 2.0.22 on FreeBSD 4.5.

The problem lies with our setup.  We have 7 directories,
6 with suffixes of the form dc=au,dc=cordoors,dc=com, 
and a master directory of dc=cordoors,dc=com which
contains references to the other 6 directories,
thus enabling us to look up records with the generic
base of "dc=cordoors,dc=com."

Here is our slapd.conf:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
#
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/nis.schema
include		/usr/local/etc/openldap/schema/ci.schema

# Define global ACLs to disable default read access.

access to attrs=userPassword
	by self write
	by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
	by anonymous auth
	by * none
access to attrs=entry
	by self write
	by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
	by * read
access to "dn=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com"
	by self write
	by * read
access to "dn=uid=.*,dc=..,dc=cordoors,dc=com"
	by self write
	by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
	by * read
access to *
	by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
	by * read

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral        ldap://root.openldap.org:389

pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args

#loglevel	140

sizelimit	1000

defaultsearchbase	dc=cordoors,dc=com

# Load dynamic backend modules:
  modulepath	/usr/local/libexec/openldap
# moduleload	back_ldap.la
  moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

#######################################################################
# ldbm database definitions
# The database directories MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
#######################################################################

password-hash {MD5}

#######################################################################
# DO NOT CHANGE BELOW THIS NOTICE.  The rest of this configuration
# is generated automatically and changes will be lost.
#######################################################################

include		/usr/local/etc/openldap/schema/sendmail.schema

database	ldbm
suffix		"dc=au,dc=cordoors,dc=com"
rootdn		"cn=zzzzz,dc=cordoors,dc=com"
rootpw		{MD5}aaaaaaaaaaaaaaa

directory	/usr/openldap-ldbm/au

cachesize	5000
dbcachesize	500000

index	gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost		eq
index	objectClass		eq

replogfile	/usr/local/etc/openldap/replog/log
replica	host=slavehost.ci.com.au:389
		binddn="cn=xxxxx,dc=au,dc=cordoors,dc=com"
		bindmethod=simple credentials=yyyyy

##################################################

database	ldbm
suffix		"dc=my,dc=cordoors,dc=com"
rootdn		"cn=zzzzz,dc=cordoors,dc=com"
rootpw		{MD5}aaaaaaaaaaaaaaa

directory	/usr/openldap-ldbm/my

cachesize	5000
dbcachesize	500000

index	gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost		eq
index	objectClass		eq

replogfile	/usr/local/etc/openldap/replog/log
replica	host=slavehost.ci.com.au:389
		binddn="cn=xxxxx,dc=my,dc=cordoors,dc=com"
		bindmethod=simple credentials=yyyyy

##################################################

database	ldbm
suffix		"dc=id,dc=cordoors,dc=com"
rootdn		"cn=zzzzz,dc=cordoors,dc=com"
rootpw		{MD5}aaaaaaaaaaaaaaa

directory	/usr/openldap-ldbm/id

cachesize	5000
dbcachesize	500000

index	gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost		eq
index	objectClass		eq

replogfile	/usr/local/etc/openldap/replog/log
replica	host=slavehost.ci.com.au:389
		binddn="cn=xxxxx,dc=id,dc=cordoors,dc=com"
		bindmethod=simple credentials=yyyyy

##################################################

database	ldbm
suffix		"dc=sg,dc=cordoors,dc=com"
rootdn		"cn=zzzzz,dc=cordoors,dc=com"
rootpw		{MD5}aaaaaaaaaaaaaaa

directory	/usr/openldap-ldbm/sg

cachesize	5000
dbcachesize	500000

index	gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost		eq
index	objectClass		eq

replogfile	/usr/local/etc/openldap/replog/log
replica	host=slavehost.ci.com.au:389
		binddn="cn=xxxxx,dc=sg,dc=cordoors,dc=com"
		bindmethod=simple credentials=yyyyy

##################################################

database	ldbm
suffix		"dc=th,dc=cordoors,dc=com"
rootdn		"cn=zzzzz,dc=cordoors,dc=com"
rootpw		{MD5}aaaaaaaaaaaaaaa

directory	/usr/openldap-ldbm/th

cachesize	5000
dbcachesize	500000

index	gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost		eq
index	objectClass		eq

replogfile	/usr/local/etc/openldap/replog/log
replica	host=slavehost.ci.com.au:389
		binddn="cn=xxxxx,dc=th,dc=cordoors,dc=com"
		bindmethod=simple credentials=yyyyy

##################################################
database	ldbm
suffix		"dc=us,dc=cordoors,dc=com"
rootdn		"cn=zzzzz,dc=cordoors,dc=com"
rootpw		{MD5}aaaaaaaaaaaaaaa

directory	/usr/openldap-ldbm/us

cachesize	5000
dbcachesize	500000

index	gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost		eq
index	objectClass		eq

replogfile	/usr/local/etc/openldap/replog/log
replica	host=slavehost.ci.com.au:389
		binddn="cn=xxxxx,dc=us,dc=cordoors,dc=com"
		bindmethod=simple credentials=yyyyy

##################################################

database	ldbm
suffix		"dc=cordoors,dc=com"
rootdn		"cn=zzzzz,dc=cordoors,dc=com"
rootpw		{MD5}aaaaaaaaaaaaaaa

directory	/usr/openldap-ldbm/master

cachesize	5000
dbcachesize	500000

index	objectClass,dc,ciHost		eq

##################################################

Now, if I (apparently successfully) bind as my posixAccount
user, and ask to see my password, interesting things happen.

The query
ldapsearch -x -C -LLL -w mypassword -D uid=chris,dc=au,dc=cordoors,dc=com \
    '(&(objectclass=posixaccount)(uid=chris))' userPassword

returns only the dn, no userPassword.  But if I specify the
search base, all is well and I can see the password attribute:

ldapsearch -x -C -LLL -w mypassword -D uid=chris,dc=au,dc=cordoors,dc=com \
    -b dc=au,dc=cordoors,dc=com '(&(objectclass=posixaccount)(uid=chris))' userPassword

Running slapd -d 128, I get the following trace when things work:

---------------------------------------------------------------
Global ACL: access to attrs=userPassword
	by self write (=wrscx)
	by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
	by anonymous auth (=x)
	by * none (=n)

Global ACL: access to attrs=entry
	by self write (=wrscx)
	by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
	by * read (=rscx)

Global ACL: access to dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
	by self write (=wrscx)
	by * read (=rscx)

Global ACL: access to dn.regex=employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com
	by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
	by * read (=rscx)

Global ACL: access to *
	by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
	by * read (=rscx)

slapd starting
=> access_allowed: auth access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth (=x) (stop)
<= acl_mask: [3] mask: auth (=x)
=> access_allowed: auth access granted by auth (=x)
ber_flush: 14 bytes to sd 13
=> access_allowed: search access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr objectClass
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
=> access_allowed: search access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uid
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl uid=chris,dc=au,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: self
<= acl_mask: [1] applying write (=wrscx) (stop)
<= acl_mask: [1] mask: write (=wrscx)
=> access_allowed: read access granted by write (=wrscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr objectClass
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr objectClass
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uidNumber" requested
=> acl_get: [1] check attr uidNumber
=> acl_get: [2] check attr uidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uidNumber
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uidNumber" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uidNumber" requested
=> acl_get: [1] check attr uidNumber
=> acl_get: [2] check attr uidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uidNumber
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uidNumber" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gidNumber" requested
=> acl_get: [1] check attr gidNumber
=> acl_get: [2] check attr gidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr gidNumber
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gidNumber" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gidNumber" requested
=> acl_get: [1] check attr gidNumber
=> acl_get: [2] check attr gidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr gidNumber
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gidNumber" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "homeDirectory" requested
=> acl_get: [1] check attr homeDirectory
=> acl_get: [2] check attr homeDirectory
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr homeDirectory
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: homeDirectory
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "homeDirectory" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "homeDirectory" requested
=> acl_get: [1] check attr homeDirectory
=> acl_get: [2] check attr homeDirectory
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr homeDirectory
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: homeDirectory
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "homeDirectory" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "loginShell" requested
=> acl_get: [1] check attr loginShell
=> acl_get: [2] check attr loginShell
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr loginShell
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: loginShell
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "loginShell" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "loginShell" requested
=> acl_get: [1] check attr loginShell
=> acl_get: [2] check attr loginShell
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr loginShell
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: loginShell
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "loginShell" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gecos" requested
=> acl_get: [1] check attr gecos
=> acl_get: [2] check attr gecos
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr gecos
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gecos
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gecos" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gecos" requested
=> acl_get: [1] check attr gecos
=> acl_get: [2] check attr gecos
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr gecos
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gecos
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gecos" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr cn
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: cn
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "cn" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr cn
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: cn
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "cn" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uid
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uid
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: self
<= acl_mask: [1] applying write (=wrscx) (stop)
<= acl_mask: [1] mask: write (=wrscx)
=> access_allowed: read access granted by write (=wrscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: self
<= acl_mask: [1] applying write (=wrscx) (stop)
<= acl_mask: [1] mask: write (=wrscx)
=> access_allowed: read access granted by write (=wrscx)
ber_flush: 282 bytes to sd 13
ber_flush: 14 bytes to sd 13
slapd shutdown: waiting for 0 threads to terminate
slapd stopped.
-------------------------------------------------------------------
which shows a perfectly good bind and retrieve as expected.  The trace below,
however, starts out with a good bind, but loses the bind id once the
references have all been checked and the possible directories found.  By
the time we are searching the dc=xx,dc=cordoors,dc=com directories, we
are effectively bound anonymously (at least, this is what I *think* the
trace shows).

Is this so?  If so, is this what's meant to happen?  Why does it do
this?  Any way to get around it?  It's not a drastic thing, but it
sure is counter-intuitive.

--Chris Robertson
Corinthian Engineering
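
Whether the requester DN seen by the ACL engine changes partway through a search can be checked mechanically over `slapd -d 128` output. The following is an added example, not part of the original post; the function names are hypothetical, the first eight sample lines follow the trace shown in the post, and the last eight (including the "denied" result line) are constructed to show what an anonymous evaluation would look like.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Line shapes taken from the "slapd -d 128" output quoted in the post.
REQUEST = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
REQUESTER = re.compile(r'^=> acl_mask: to (?:all values|value) by "([^"]*)"')
# Assumption: a refusal is logged like a grant, with "denied" in place of "granted".
RESULT = re.compile(r'^=> access_allowed: \w+ access (granted|denied) by (.+)$')


@dataclass
class Decision:
    level: str                        # auth, search, read, ...
    entry: str                        # DN of the entry being accessed
    attr: str                         # attribute being accessed
    requester: Optional[str] = None   # DN the ACL was evaluated for; "" is anonymous
    outcome: Optional[str] = None     # "granted" or "denied"
    mask: Optional[str] = None        # e.g. "read (=rscx)"


def parse_acl_trace(lines: Iterable[str]) -> List[Decision]:
    """Group trace lines into one Decision per access_allowed request."""
    decisions: List[Decision] = []
    current: Optional[Decision] = None
    for raw in lines:
        line = raw.strip()
        m = REQUEST.match(line)
        if m:
            current = Decision(*m.groups())
            decisions.append(current)
            continue
        if current is None:
            continue
        m = REQUESTER.match(line)
        if m:
            # slapd prints the bound DN upper-cased; normalise for comparison.
            current.requester = m.group(1).lower()
            continue
        m = RESULT.match(line)
        if m:
            current.outcome, current.mask = m.group(1), m.group(2).strip()
            current = None
    return decisions


def identity_changes(decisions: List[Decision]) -> List[Tuple[int, str, str]]:
    """Return (index, previous, new) wherever the requester DN changes.

    The auth check made during the bind is skipped: it is always evaluated
    with an empty requester because no identity exists yet.
    """
    changes = []
    previous: Optional[str] = None
    for i, d in enumerate(decisions):
        if d.level == "auth" or d.requester is None:
            continue
        if previous is not None and d.requester != previous:
            changes.append((i, previous, d.requester))
        previous = d.requester
    return changes


def anonymous_denials(decisions: List[Decision]) -> List[Decision]:
    """Non-bind requests that were refused while evaluated as anonymous."""
    return [d for d in decisions
            if d.level != "auth" and d.requester == "" and d.outcome == "denied"]


# Sample input: lines 1-8 follow the post's trace, lines 9-16 are constructed.
SAMPLE_TRACE = '''\
=> access_allowed: auth access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= acl_mask: [3] applying auth (=x) (stop)
=> access_allowed: auth access granted by auth (=x)
=> access_allowed: read access to "dc=au,dc=cordoors,dc=com" "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= acl_mask: [3] applying read (=rscx) (stop)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "entry" requested
=> acl_mask: to all values by "", (=n)
<= acl_mask: [3] applying read (=rscx) (stop)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= acl_mask: [3] applying auth (=x) (stop)
=> access_allowed: read access denied by auth (=x)
'''

if __name__ == "__main__":
    parsed = parse_acl_trace(SAMPLE_TRACE.splitlines())
    for idx, old, new in identity_changes(parsed):
        print(f"decision {idx}: requester changed from {old!r} to {new!r}")
    for d in anonymous_denials(parsed):
        print(f"anonymous {d.level} of {d.attr} on {d.entry}: {d.outcome} by {d.mask}")
```

Saving the real `slapd -d 128` output to a file and passing its lines to `parse_acl_trace` gives the same report for an actual run.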

-------------------------------------------------------------------

Global ACL: access to attrs=userPassword
	by self write (=wrscx)
	by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
	by anonymous auth (=x)
	by * none (=n)

Global ACL: access to attrs=entry
	by self write (=wrscx)
	by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
	by * read (=rscx)

Global ACL: access to dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
	by self write (=wrscx)
	by * read (=rscx)

Global ACL: access to dn.regex=uid=.*,dc=..,dc=cordoors,dc=com
	by self write (=wrscx)
	by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
	by * read (=rscx)

Global ACL: access to *
	by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
	by * read (=rscx)

slapd starting
=> access_allowed: auth access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth (=x) (stop)
<= acl_mask: [3] mask: auth (=x)
=> access_allowed: auth access granted by auth (=x)
ber_flush: 14 bytes to sd 13
=> access_allowed: read access to "dc=au,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=au,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=au,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=au,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=au,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=au,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=my,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=my,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=my,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=my,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=my,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=my,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=id,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=id,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=id,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=id,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=id,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=id,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=th,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=th,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=th,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=th,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=th,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=th,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=sg,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=sg,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=sg,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=sg,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=sg,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=sg,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=us,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=us,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=us,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=us,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=us,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=us,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n) 
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
ber_flush: 14 bytes to sd 13
ber_flush: 14 bytes to sd 20
=> access_allowed: search access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr objectClass
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
=> access_allowed: search access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uid
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl uid=chris,dc=au,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr objectClass
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr objectClass
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uidNumber" requested
=> acl_get: [1] check attr uidNumber
=> acl_get: [2] check attr uidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uidNumber
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uidNumber" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uidNumber" requested
=> acl_get: [1] check attr uidNumber
=> acl_get: [2] check attr uidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uidNumber
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uidNumber" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gidNumber" requested
=> acl_get: [1] check attr gidNumber
=> acl_get: [2] check attr gidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr gidNumber
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gidNumber" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gidNumber" requested
=> acl_get: [1] check attr gidNumber
=> acl_get: [2] check attr gidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr gidNumber
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gidNumber" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "homeDirectory" requested
=> acl_get: [1] check attr homeDirectory
=> acl_get: [2] check attr homeDirectory
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr homeDirectory
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: homeDirectory
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "homeDirectory" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "homeDirectory" requested
=> acl_get: [1] check attr homeDirectory
=> acl_get: [2] check attr homeDirectory
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr homeDirectory
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: homeDirectory
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "homeDirectory" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "loginShell" requested
=> acl_get: [1] check attr loginShell
=> acl_get: [2] check attr loginShell
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr loginShell
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: loginShell
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "loginShell" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "loginShell" requested
=> acl_get: [1] check attr loginShell
=> acl_get: [2] check attr loginShell
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr loginShell
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: loginShell
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "loginShell" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gecos" requested
=> acl_get: [1] check attr gecos
=> acl_get: [2] check attr gecos
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr gecos
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gecos
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gecos" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gecos" requested
=> acl_get: [1] check attr gecos
=> acl_get: [2] check attr gecos
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr gecos
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gecos
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gecos" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr cn
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: cn
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "cn" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr cn
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: cn
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "cn" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uid
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uid
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to value by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth (=x) (stop)
<= acl_mask: [3] mask: auth (=x)
=> access_allowed: read access denied by auth (=x)
acl: access to attribute userPassword not allowed
ber_flush: 253 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
slapd shutdown: waiting for 0 threads to terminate
slapd stopped.
----------------------------------------------------------------------