Trying to figure out if this search is being denied. I wouldn’t think so but the last 3 lines at the end suggest otherwise.

5552876b conn=1000 fd=21 ACCEPT from IP=172.29.34.47:42310 (IP=0.0.0.0:389)
5552876b conn=1000 op=0 BIND dn="uid=an_admin,ou=People,dc=doesn’t_matter,dc=com" method=128
5552876b => bdb_entry_get: found entry: "uid=an_admin,ou=people,dc=doesn’t_matter,dc=com"
5552876b => bdb_entry_get: found entry: "cn=defaultpp,ou=policies,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: result not in cache (userPassword)
5552876b => access_allowed: auth access to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com" "userPassword" requested
5552876b => acl_get: [1] attr userPassword
5552876b => acl_mask: access to entry "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com", attr "userPassword" requested
5552876b => acl_mask: to value by "", (=0)
5552876b <= check a_dn_pat: self
5552876b <= check a_dn_pat: anonymous
5552876b <= acl_mask: [2] applying auth(=xd) (stop)
5552876b <= acl_mask: [2] mask: auth(=xd)
5552876b => slap_access_allowed: auth access granted by auth(=xd)
5552876b => access_allowed: auth access granted by auth(=xd)
5552876b conn=1000 op=0 BIND dn="uid=an_admin,ou=People,dc=doesn’t_matter,dc=com" mech=SIMPLE ssf=0
5552876b => bdb_entry_get: found entry: "uid=an_admin,ou=people,dc=doesn’t_matter,dc=com"
5552876b conn=1000 op=0 RESULT tag=97 err=0 text=
5552876b conn=1000 op=1 BIND anonymous mech=implicit ssf=0
5552876b conn=1000 op=1 BIND dn="uid=an_admin,ou=People,dc=doesn’t_matter,dc=com" method=128
5552876b => bdb_entry_get: found entry: "uid=an_admin,ou=people,dc=doesn’t_matter,dc=com"
5552876b => bdb_entry_get: found entry: "cn=defaultpp,ou=policies,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: result not in cache (userPassword)
5552876b => access_allowed: auth access to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com" "userPassword" requested
5552876b => acl_get: [1] attr userPassword
5552876b => acl_mask: access to entry "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com", attr "userPassword" requested
5552876b => acl_mask: to value by "", (=0)
5552876b <= check a_dn_pat: self
5552876b <= check a_dn_pat: anonymous
5552876b <= acl_mask: [2] applying auth(=xd) (stop)
5552876b <= acl_mask: [2] mask: auth(=xd)
5552876b => slap_access_allowed: auth access granted by auth(=xd)
5552876b => access_allowed: auth access granted by auth(=xd)
5552876b conn=1000 op=1 BIND dn="uid=an_admin,ou=People,dc=doesn’t_matter,dc=com" mech=SIMPLE ssf=0
5552876b => bdb_entry_get: found entry: "uid=an_admin,ou=people,dc=doesn’t_matter,dc=com"
5552876b conn=1000 op=1 RESULT tag=97 err=0 text=
5552876b begin get_filter
5552876b PRESENT
5552876b end get_filter 0
5552876b conn=1000 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
5552876b conn=1000 op=2 SRCH attr=* + altServer changelog firstChangeNumber lastChangeNumber lastPurgedChangeNumber namingContexts subschemaSubentry supportedAuthPasswordSchemes supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms vendorName vendorVersion
5552876b => test_filter
5552876b PRESENT
5552876b => access_allowed: search access to "" "objectClass" requested
5552876b => slap_access_allowed: backend default search access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: search access granted by read(=rscxd)
5552876b <= test_filter 6
5552876b => access_allowed: read access to "" "entry" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result not in cache (objectClass)
5552876b => access_allowed: read access to "" "objectClass" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result was in cache (objectClass)
5552876b => access_allowed: result not in cache (structuralObjectClass)
5552876b => access_allowed: read access to "" "structuralObjectClass" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result not in cache (configContext)
5552876b => access_allowed: read access to "" "configContext" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result not in cache (namingContexts)
5552876b => access_allowed: read access to "" "namingContexts" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result was in cache (namingContexts)
5552876b => access_allowed: result not in cache (monitorContext)
5552876b => access_allowed: read access to "" "monitorContext" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result not in cache (supportedControl)
5552876b => access_allowed: read access to "" "supportedControl" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result was in cache (supportedControl)
5552876b => access_allowed: result was in cache (supportedControl)
5552876b => access_allowed: result was in cache (supportedControl)
5552876b => access_allowed: result was in cache (supportedControl)
5552876b => access_allowed: result was in cache (supportedControl)
5552876b => access_allowed: result was in cache (supportedControl)
5552876b => access_allowed: result was in cache (supportedControl)
5552876b => access_allowed: result was in cache (supportedControl)
5552876b => access_allowed: result not in cache (supportedExtension)
5552876b => access_allowed: read access to "" "supportedExtension" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result was in cache (supportedExtension)
5552876b => access_allowed: result was in cache (supportedExtension)
5552876b => access_allowed: result was in cache (supportedExtension)
5552876b => access_allowed: result not in cache (supportedFeatures)
5552876b => access_allowed: read access to "" "supportedFeatures" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result was in cache (supportedFeatures)
5552876b => access_allowed: result was in cache (supportedFeatures)
5552876b => access_allowed: result was in cache (supportedFeatures)
5552876b => access_allowed: result was in cache (supportedFeatures)
5552876b => access_allowed: result was in cache (supportedFeatures)
5552876b => access_allowed: result not in cache (supportedLDAPVersion)
5552876b => access_allowed: read access to "" "supportedLDAPVersion" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result not in cache (supportedSASLMechanisms)
5552876b => access_allowed: read access to "" "supportedSASLMechanisms" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result not in cache (entryDN)
5552876b => access_allowed: read access to "" "entryDN" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result was in cache (entryDN)
5552876b => access_allowed: result not in cache (subschemaSubentry)
5552876b => access_allowed: read access to "" "subschemaSubentry" requested
5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn’t_matter,dc=com"
5552876b => access_allowed: read access granted by read(=rscxd)
5552876b => access_allowed: result was in cache (subschemaSubentry)
5552876b conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
5552876b begin get_filter
5552876b EQUALITY
5552876b end get_filter 0
5552876b conn=1000 op=3 SRCH base="cn=accesslog" scope=2 deref=0 filter="(uid=global.admin)"
5552876b => access_allowed: search access to "cn=accesslog" "entry" requested
5552876b => acl_get: [1] attr entry
5552876b => acl_mask: access to entry "cn=accesslog", attr "entry" requested
5552876b => acl_mask: to all values by "uid=an_admin,ou=people,dc=doesn’t_matter,dc=com", (=0)
5552876b <= check a_dn_pat: cn=admin,dc=doesn’t_matter,dc=com
5552876b <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
5552876b <= acl_mask: no more <who> clauses, returning =0 (stop)
5552876b => slap_access_allowed: search access denied by =0
5552876b => access_allowed: no more rules
5552876b conn=1000 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=

So the application is a Java application and the developers haven’t a clue on how to debug the Java LDAP side.

I am not sure why it’s looking at accesslog in the context of this connection, and it shouldn’t have access to accesslog but it shouldn’t matter anyway, accesslog is database{1} and the actual suffix to be searched is database{3}.

User uid=an_admin,ou=People,dc=doesn’t_matter,dc=com is pretty much allowed to do anything in the suffixed database {dc=doesn’t_matter,dc=com}.

My contention is that there isn’t an error here but the application isn’t happy with the new setup and as I said, they are not knowledgeable about how to debug from the Java side.

Does this log indicate an error? (I know err=32 is no such object)

Craig
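Added example, not part of the original post: a small Python parser that reads a slapd trace in the format shown above and reports, per operation, the search base, the result code and any ACL denial together with the <who> patterns that were checked. The sample lines are constructed from the post's format with DNs shortened to dc=example,dc=com, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the slapd trace above (DNs shortened).
SAMPLE = '''\
5552876b conn=1000 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
5552876b => access_allowed: search access to "" "objectClass" requested
5552876b => access_allowed: search access granted by read(=rscxd)
5552876b conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
5552876b conn=1000 op=3 SRCH base="cn=accesslog" scope=2 deref=0 filter="(uid=global.admin)"
5552876b => access_allowed: search access to "cn=accesslog" "entry" requested
5552876b <= check a_dn_pat: cn=admin,dc=example,dc=com
5552876b <= acl_mask: no more <who> clauses, returning =0 (stop)
5552876b => slap_access_allowed: search access denied by =0
5552876b conn=1000 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
'''

OP = re.compile(r'conn=(\d+) op=(\d+) (.*)')
BASE = re.compile(r'SRCH base="([^"]*)"')
ERR = re.compile(r'RESULT .*\berr=(\d+)')
REQ = re.compile(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
WHO = re.compile(r'check a_dn_pat: (.+)')
DENY = re.compile(r'slap_access_allowed: (\w+) access denied by (\S+)')

def summarize(log):
    """Map (conn, op) -> search base, result code and any ACL denials.

    Assumption: ACL debug lines carry no conn/op, so each is attributed to the
    most recent operation line; that only holds for a single-connection trace.
    """
    ops, cur, req, who = {}, None, None, []
    for line in log.splitlines():
        if m := OP.search(line):
            cur = ops.setdefault((int(m[1]), int(m[2])),
                                 {"base": None, "err": None, "denied": []})
            if b := BASE.search(m[3]):
                cur["base"] = b[1]
            if e := ERR.search(m[3]):
                cur["err"] = int(e[1])
                cur = None  # RESULT line closes the operation
        elif m := REQ.search(line):
            req, who = (m[2], m[3]), []  # new access check: reset <who> list
        elif m := WHO.search(line):
            who.append(m[1].strip())
        elif (m := DENY.search(line)) and cur is not None and req:
            cur["denied"].append({"level": m[1], "entry": req[0], "attr": req[1],
                                  "mask": m[2], "who_checked": list(who)})
    return ops

def denied_ops(ops):
    """Return the (conn, op) keys whose ACL evaluation ended in a denial."""
    return [k for k, v in ops.items() if v["denied"]]
```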