ACL userPassword Problem Re-Visited
Hi All,
This is a long post; sorry, but I need to show the traces.
I have now worked out why, although apparently binding
successfully as the record DN, I could not see the
userPassword attribute of my posixAccount record.
Incidentally, this is OpenLDAP 2.0.22 on FreeBSD 4.5.
The problem lies with our setup. We have 7 directories,
6 with suffixes of the form dc=au,dc=cordoors,dc=com,
and a master directory of dc=cordoors,dc=com which
contains references to the other 6 directories,
thus enabling us to look up records with the generic
base of "dc=cordoors,dc=com."
Here is our slapd.conf:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/ci.schema
# Define global ACLs to disable default read access.
access to attrs=userPassword
        by self write
        by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
        by anonymous auth
        by * none
access to attrs=entry
        by self write
        by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
        by * read
access to "dn=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com"
        by self write
        by * read
access to "dn=uid=.*,dc=..,dc=cordoors,dc=com"
        by self write
        by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
        by * read
access to *
        by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
        by * read
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org:389
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
#loglevel 140
sizelimit 1000
defaultsearchbase dc=cordoors,dc=com
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
# moduleload back_ldap.la
moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#######################################################################
# ldbm database definitions
# The database directories MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
#######################################################################
password-hash {MD5}
#######################################################################
# DO NOT CHANGE BELOW THIS NOTICE. The rest of this configuration
# is generated automatically and changes will be lost.
#######################################################################
include /usr/local/etc/openldap/schema/sendmail.schema
database ldbm
suffix "dc=au,dc=cordoors,dc=com"
rootdn "cn=zzzzz,dc=cordoors,dc=com"
rootpw {MD5}aaaaaaaaaaaaaaa
directory /usr/openldap-ldbm/au
cachesize 5000
dbcachesize 500000
index gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost eq
index objectClass eq
replogfile /usr/local/etc/openldap/replog/log
replica host=slavehost.ci.com.au:389
        binddn="cn=xxxxx,dc=au,dc=cordoors,dc=com"
        bindmethod=simple credentials=yyyyy
##################################################
database ldbm
suffix "dc=my,dc=cordoors,dc=com"
rootdn "cn=zzzzz,dc=cordoors,dc=com"
rootpw {MD5}aaaaaaaaaaaaaaa
directory /usr/openldap-ldbm/my
cachesize 5000
dbcachesize 500000
index gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost eq
index objectClass eq
replogfile /usr/local/etc/openldap/replog/log
replica host=slavehost.ci.com.au:389
        binddn="cn=xxxxx,dc=my,dc=cordoors,dc=com"
        bindmethod=simple credentials=yyyyy
##################################################
database ldbm
suffix "dc=id,dc=cordoors,dc=com"
rootdn "cn=zzzzz,dc=cordoors,dc=com"
rootpw {MD5}aaaaaaaaaaaaaaa
directory /usr/openldap-ldbm/id
cachesize 5000
dbcachesize 500000
index gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost eq
index objectClass eq
replogfile /usr/local/etc/openldap/replog/log
replica host=slavehost.ci.com.au:389
        binddn="cn=xxxxx,dc=id,dc=cordoors,dc=com"
        bindmethod=simple credentials=yyyyy
##################################################
database ldbm
suffix "dc=sg,dc=cordoors,dc=com"
rootdn "cn=zzzzz,dc=cordoors,dc=com"
rootpw {MD5}aaaaaaaaaaaaaaa
directory /usr/openldap-ldbm/sg
cachesize 5000
dbcachesize 500000
index gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost eq
index objectClass eq
replogfile /usr/local/etc/openldap/replog/log
replica host=slavehost.ci.com.au:389
        binddn="cn=xxxxx,dc=sg,dc=cordoors,dc=com"
        bindmethod=simple credentials=yyyyy
##################################################
database ldbm
suffix "dc=th,dc=cordoors,dc=com"
rootdn "cn=zzzzz,dc=cordoors,dc=com"
rootpw {MD5}aaaaaaaaaaaaaaa
directory /usr/openldap-ldbm/th
cachesize 5000
dbcachesize 500000
index gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost eq
index objectClass eq
replogfile /usr/local/etc/openldap/replog/log
replica host=slavehost.ci.com.au:389
        binddn="cn=xxxxx,dc=th,dc=cordoors,dc=com"
        bindmethod=simple credentials=yyyyy
##################################################
database ldbm
suffix "dc=us,dc=cordoors,dc=com"
rootdn "cn=zzzzz,dc=cordoors,dc=com"
rootpw {MD5}aaaaaaaaaaaaaaa
directory /usr/openldap-ldbm/us
cachesize 5000
dbcachesize 500000
index gecos,employeeNumber,uid,uidNumber,sn,cn,ciApp,ciHost eq
index objectClass eq
replogfile /usr/local/etc/openldap/replog/log
replica host=slavehost.ci.com.au:389
        binddn="cn=xxxxx,dc=us,dc=cordoors,dc=com"
        bindmethod=simple credentials=yyyyy
##################################################
database ldbm
suffix "dc=cordoors,dc=com"
rootdn "cn=zzzzz,dc=cordoors,dc=com"
rootpw {MD5}aaaaaaaaaaaaaaa
directory /usr/openldap-ldbm/master
cachesize 5000
dbcachesize 500000
index objectClass,dc,ciHost eq
##################################################
Now, if I (apparently successfully) bind as my posixAccount
user, and ask to see my password, interesting things happen.
The query
ldapsearch -x -C -LLL -w mypassword -D uid=chris,dc=au,dc=cordoors,dc=com \
'(&(objectclass=posixaccount)(uid=chris))' userPassword
returns only the dn, no userPassword. But if I specify the
search base, all is well and I can see the password attribute:
ldapsearch -x -C -LLL -w mypassword -D uid=chris,dc=au,dc=cordoors,dc=com \
-b dc=au,dc=cordoors,dc=com '(&(objectclass=posixaccount)(uid=chris))' userPassword
Running slapd -d 128, I get the following trace when things work:
---------------------------------------------------------------
Global ACL: access to attrs=userPassword
by self write (=wrscx)
by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
by anonymous auth (=x)
by * none (=n)
Global ACL: access to attrs=entry
by self write (=wrscx)
by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
by * read (=rscx)
Global ACL: access to dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
by self write (=wrscx)
by * read (=rscx)
Global ACL: access to dn.regex=employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com
by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
by * read (=rscx)
Global ACL: access to *
by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
by * read (=rscx)
slapd starting
=> access_allowed: auth access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth (=x) (stop)
<= acl_mask: [3] mask: auth (=x)
=> access_allowed: auth access granted by auth (=x)
ber_flush: 14 bytes to sd 13
=> access_allowed: search access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr objectClass
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
=> access_allowed: search access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uid
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl uid=chris,dc=au,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= acl_mask: [1] applying write (=wrscx) (stop)
<= acl_mask: [1] mask: write (=wrscx)
=> access_allowed: read access granted by write (=wrscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr objectClass
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr objectClass
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uidNumber" requested
=> acl_get: [1] check attr uidNumber
=> acl_get: [2] check attr uidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uidNumber
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uidNumber" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uidNumber" requested
=> acl_get: [1] check attr uidNumber
=> acl_get: [2] check attr uidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uidNumber
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uidNumber" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gidNumber" requested
=> acl_get: [1] check attr gidNumber
=> acl_get: [2] check attr gidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr gidNumber
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gidNumber" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gidNumber" requested
=> acl_get: [1] check attr gidNumber
=> acl_get: [2] check attr gidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr gidNumber
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gidNumber" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "homeDirectory" requested
=> acl_get: [1] check attr homeDirectory
=> acl_get: [2] check attr homeDirectory
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr homeDirectory
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: homeDirectory
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "homeDirectory" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "homeDirectory" requested
=> acl_get: [1] check attr homeDirectory
=> acl_get: [2] check attr homeDirectory
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr homeDirectory
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: homeDirectory
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "homeDirectory" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "loginShell" requested
=> acl_get: [1] check attr loginShell
=> acl_get: [2] check attr loginShell
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr loginShell
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: loginShell
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "loginShell" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "loginShell" requested
=> acl_get: [1] check attr loginShell
=> acl_get: [2] check attr loginShell
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr loginShell
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: loginShell
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "loginShell" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gecos" requested
=> acl_get: [1] check attr gecos
=> acl_get: [2] check attr gecos
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr gecos
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gecos
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gecos" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gecos" requested
=> acl_get: [1] check attr gecos
=> acl_get: [2] check attr gecos
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr gecos
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gecos
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gecos" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr cn
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: cn
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "cn" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr cn
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: cn
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "cn" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uid
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] employeeNumber=.*,ou=.*,ou=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr uid
<= acl_get: [6] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= acl_mask: [1] applying write (=wrscx) (stop)
<= acl_mask: [1] mask: write (=wrscx)
=> access_allowed: read access granted by write (=wrscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to value by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= acl_mask: [1] applying write (=wrscx) (stop)
<= acl_mask: [1] mask: write (=wrscx)
=> access_allowed: read access granted by write (=wrscx)
ber_flush: 282 bytes to sd 13
ber_flush: 14 bytes to sd 13
slapd shutdown: waiting for 0 threads to terminate
slapd stopped.
-------------------------------------------------------------------
which shows a perfectly good bind and retrieve as expected. The trace below,
however, starts out with a good bind, but loses the bind id once the
references have all been checked and the possible directories found. By
the time we are searching the dc=xx,dc=cordoors,dc=com directories, we
are effectively bound anonymously (at least, this is what I *think* the
trace shows).
Is this so? If so, is this what's meant to happen? Why does it do
this? Any way to get around it? It's not a drastic thing, but it
sure is counter-intuitive.
--Chris Robertson
Corinthian Engineering
-------------------------------------------------------------------
Global ACL: access to attrs=userPassword
by self write (=wrscx)
by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
by anonymous auth (=x)
by * none (=n)
Global ACL: access to attrs=entry
by self write (=wrscx)
by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
by * read (=rscx)
Global ACL: access to dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
by self write (=wrscx)
by * read (=rscx)
Global ACL: access to dn.regex=uid=.*,dc=..,dc=cordoors,dc=com
by self write (=wrscx)
by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
by * read (=rscx)
Global ACL: access to *
by dn.regex=uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com write (=wrscx)
by * read (=rscx)
slapd starting
=> access_allowed: auth access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth (=x) (stop)
<= acl_mask: [3] mask: auth (=x)
=> access_allowed: auth access granted by auth (=x)
ber_flush: 14 bytes to sd 13
=> access_allowed: read access to "dc=au,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=au,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=au,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=au,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=au,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=au,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=my,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=my,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=my,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=my,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=my,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=my,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=id,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=id,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=id,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=id,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=id,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=id,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=th,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=th,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=th,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=th,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=th,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=th,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=sg,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=sg,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=sg,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=sg,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=sg,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=sg,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
=> access_allowed: read access to "dc=us,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=us,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=us,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "dc=us,dc=cordoors,dc=com" "ref" requested
=> acl_get: [1] check attr ref
=> acl_get: [2] check attr ref
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [5] ciHost=[a-z][a-z]*,dc=cordoors,dc=com nsub: 0
=> acl_get: [6] check attr ref
<= acl_get: [6] acl dc=us,dc=cordoors,dc=com attr: ref
=> acl_mask: access to entry "dc=us,dc=cordoors,dc=com", attr "ref" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read (=rscx) (stop)
<= acl_mask: [2] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
ber_flush: 61 bytes to sd 13
ber_flush: 14 bytes to sd 13
ber_flush: 14 bytes to sd 20
=> access_allowed: search access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr objectClass
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
=> access_allowed: search access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uid
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl uid=chris,dc=au,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr objectClass
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> acl_get: [2] check attr objectClass
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr objectClass
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: objectClass
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "objectClass" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uidNumber" requested
=> acl_get: [1] check attr uidNumber
=> acl_get: [2] check attr uidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uidNumber
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uidNumber" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uidNumber" requested
=> acl_get: [1] check attr uidNumber
=> acl_get: [2] check attr uidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uidNumber
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uidNumber" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gidNumber" requested
=> acl_get: [1] check attr gidNumber
=> acl_get: [2] check attr gidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr gidNumber
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gidNumber" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gidNumber" requested
=> acl_get: [1] check attr gidNumber
=> acl_get: [2] check attr gidNumber
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr gidNumber
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gidNumber
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gidNumber" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "homeDirectory" requested
=> acl_get: [1] check attr homeDirectory
=> acl_get: [2] check attr homeDirectory
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr homeDirectory
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: homeDirectory
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "homeDirectory" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "homeDirectory" requested
=> acl_get: [1] check attr homeDirectory
=> acl_get: [2] check attr homeDirectory
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr homeDirectory
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: homeDirectory
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "homeDirectory" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "loginShell" requested
=> acl_get: [1] check attr loginShell
=> acl_get: [2] check attr loginShell
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr loginShell
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: loginShell
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "loginShell" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "loginShell" requested
=> acl_get: [1] check attr loginShell
=> acl_get: [2] check attr loginShell
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr loginShell
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: loginShell
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "loginShell" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gecos" requested
=> acl_get: [1] check attr gecos
=> acl_get: [2] check attr gecos
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr gecos
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gecos
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gecos" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "gecos" requested
=> acl_get: [1] check attr gecos
=> acl_get: [2] check attr gecos
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr gecos
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: gecos
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "gecos" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr cn
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: cn
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "cn" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr cn
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: cn
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "cn" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uid
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "uid" requested
=> acl_get: [1] check attr uid
=> acl_get: [2] check attr uid
=> dnpat: [3] uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com nsub: 0
=> dnpat: [4] uid=.*,dc=..,dc=cordoors,dc=com nsub: 0
=> acl_get: [4] matched
=> acl_get: [4] check attr uid
<= acl_get: [4] acl uid=chris,dc=au,dc=cordoors,dc=com attr: uid
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "uid" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth (=x) (stop)
<= acl_mask: [3] mask: auth (=x)
=> access_allowed: read access denied by auth (=x)
acl: access to attribute userPassword not allowed
ber_flush: 253 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
ber_flush: 14 bytes to sd 20
slapd shutdown: waiting for 0 threads to terminate
slapd stopped.
----------------------------------------------------------------------
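A trace like the one above can be reduced to one decision per access check, which makes it easy to see which identity each check was evaluated for. This is an added example, not part of the original post and not OpenLDAP code; it assumes the line formats exactly as they appear in this trace, `parse_acl_trace` and `anonymous_denials` are hypothetical names, and the sample is an excerpt copied from the trace.

```python
import re
from typing import NamedTuple, Optional

# Excerpt copied from the trace above: one referral entry, then the userPassword check.
SAMPLE = '''\
=> access_allowed: read access to "dc=th,dc=cordoors,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=th,dc=cordoors,dc=com attr: entry
=> acl_mask: access to entry "dc=th,dc=cordoors,dc=com", attr "entry" requested
=> acl_mask: to all values by "UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read (=rscx) (stop)
<= acl_mask: [3] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=chris,dc=au,dc=cordoors,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=chris,dc=au,dc=cordoors,dc=com attr: userPassword
=> acl_mask: access to entry "uid=chris,dc=au,dc=cordoors,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth (=x) (stop)
<= acl_mask: [3] mask: auth (=x)
=> access_allowed: read access denied by auth (=x)
'''

class Decision(NamedTuple):
    requested: str               # access level asked for (read, search, ...)
    entry: str                   # DN of the entry being accessed
    attr: str
    who: str                     # requester DN as logged; "" is an unauthenticated session
    acl: Optional[int]           # number of the "access to" directive selected
    by_clause: Optional[int]     # number of the "by" clause that was applied
    matched_who: Optional[str]   # last pattern checked, i.e. the one that applied
    allowed: bool

REQ = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested$')
RES = re.compile(r'^=> access_allowed: \w+ access (granted|denied) by ')
FIELDS = [  # (Decision field, line pattern, converter)
    ("acl", re.compile(r'^<= acl_get: \[(\d+)\] acl '), int),
    ("who", re.compile(r'^=> acl_mask: to (?:all values|value) by "([^"]*)"'), str),
    ("matched_who", re.compile(r'^<= check a_dn_pat: (.*)$'), str),
    ("by_clause", re.compile(r'^<= acl_mask: \[(\d+)\] applying '), int),
]

def parse_acl_trace(text):
    out, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := REQ.match(line)):
            cur = dict(requested=m[1], entry=m[2], attr=m[3], who="",
                       acl=None, by_clause=None, matched_who=None)
        elif cur is not None and (m := RES.match(line)):
            out.append(Decision(allowed=(m[1] == "granted"), **cur))
            cur = None
        elif cur is not None:
            for key, rx, conv in FIELDS:
                if (m := rx.match(line)):
                    cur[key] = conv(m[1])
    return out

def anonymous_denials(decisions):
    return [d for d in decisions if not d.allowed and d.who == ""]
```

On the excerpt, the referral entry is checked for `UID=CHRIS,DC=AU,DC=CORDOORS,DC=COM`, while the `userPassword` check carries an empty requester DN and is decided by the `anonymous` clause of directive 1.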