RE: (ITS#7434) idassert-bind fails after restarting slapd

--_e0f270ad-e1a3-48b6-986f-f9f11dfd57c0_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

Quanah=2C=20 =20 I finally got back around to working on this over the last couple of days. = Where I'm at with my project is: I have two servers (virtual machines)=2C = named master and replica=2C with slapd configured with my directory inform= ation and single-master replication between them. =20 I created a Kerberos realm and various principals in open ldap. =20 Replication access is authenticated using sasl/gssapi with the slapd princ= ipal=2C ldap/replica.example.net. =20 k5start has been added to system startup to buid the credential cache for = slapd. =20 That brings me to configuring referrals and proxyAuth on replica. What ap= pears to be happening is that at the initial configuration (before restarti= ng the daemon) is the client binds to the replica and authenticates with it= s kerberos ticket. The "magic" is performed on the sasl user and the ldap directory entry is returned. It then proceeds into the modifi= cation and notices the update referral. It then checks to determine if the= binddn used in in the olcDbIDAssertBind statems can authzTo the bound user. It can and the proxy of the modificati= on proceeds. On the master=2C the proxy request is received=2C more "magic= " is done on the user id to make sure it is in=20 the correct form=2C the authzTo attribute is again checked and allowed. Th= e update is performed as the user=2C and success is returned back through t= he chain to the user. This is how I would expect=20 the process to proceed. However=2C if I restart the server (or slapd daemo= n)=2C this behavior changes. After restarting=2C the bind occurs at the re= plica=2C does "magic"=2C and then sees the referral and attempts the proxy.= What's notable here is that the check of authzTo is NOT performed. The refereal is then chased=2C but the authzTo check was never made. Since= there is no user to "authzTo"=2C does the referral get chased with perhaps= a "null" or anonymous user? Whatever the case=2C it appears the the original binding user is never sent= over the proxy. Over at the master=2C I see the bind request come on from= the replica which is treated as an anonymous bind request. No magic=2C no authzTo check=2C no nothing. It then goes straight into the= modification and tries to perform=2C but is blocked due to the bound user = being anonymous and the stronger authentication error (8) is returned. =20 Given that the bind occured anonymously=2C I feel that error is expected an= d wanted. =20 I had been trying to use sasl binding here=2C but was not having the same s= ucess that I had with syncrepl. In order to only fight one battle at a tim= e=2C I changed by proxy config to use a simple bind instead of sasl/gssapi.= =20 =20 Referrals and proxy authentication are configured on replica with the follo= wing ldif. I tried setting the override flag because the man page makes it= sound like it forces the authzTo check at bind time. By doing that I was hoping I could force the check and see the authzTo proc= ess in my logs. Is this what the ITS you mentions is referring to?=20 dn: olcDatabase=3D{1}hdb=2Ccn=3Dconfig changetype: modify add: olcUpdateref olcUpdateref: "ldap://master.example.net:389/" =20 dn: cn=3Dmodule{0}=2Ccn=3Dconfig changetype: modify add: olcModuleLoad olcModuleLoad: {1}back_ldap =20 dn: olcOverlay=3Dchain=2ColcDatabase=3D{-1}frontend=2Ccn=3Dconfig changetype: add objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {0}chain olcChainReturnError: TRUE =20 dn: olcDatabase=3Dldap=2ColcOverlay=3D{0}chain=2ColcDatabase=3D{-1}fronten= d=2Ccn=3Dconfig changetype: add objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbURI: "ldap://master.example.net:389/" olcDbRebindAsUser: TRUE olcDbIDAssertBind: bindmethod=3Dsimple binddn=3D"cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet" credentials=3Dshhh-secret mode=3Dself flags=3Doverride starttls=3Dcritical tls_reqcert=3Ddemand tls_cacert=3D/etc/ssl/certs/cacert.pem =20 =20 After adding that information via ldapmodify=2C I attempt to perform an upd= ate on the replica. For testing=2C i simply change the description attribu= te for uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet. I'm us= ing this simple ldif to test with: dn: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet changetype: modify replace: description description: Network Administrator Initially after configuring the proxy and obtainng a kerberos ticket for th= e account (administrator=2C self write)=2C this update succeeds. Looking a= t syslog on replica=2C I see happiness. The ldap modify binds using gssapi= =2C I see SASL name being correctly converted to uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet. Dec 3 22:17:01 replica slapd[994]: SASL Canonicalize [conn=3D1005]: auth= cid=3D"administrator" Dec 3 22:17:01 replica slapd[994]: slap_sasl_getdn: conn 1005 id=3Dadmini= strator [len=3D13] Dec 3 22:17:01 replica slapd[994]: slap_sasl_getdn: u:id converted to uid= =3Dadministrator=2Ccn=3DEXAMPLE.NET=2Ccn=3DGSSAPI=2Ccn=3Dauth Dec 3 22:17:01 replica slapd[994]: >>> dnNormalize: <uid=3Dadministrator= =2Ccn=3DEXAMPLE.NET=2Ccn=3DGSSAPI=2Ccn=3Dauth> Dec 3 22:17:01 replica slapd[994]: <<< dnNormalize: <uid=3Dadministrator= =2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth> Dec 3 22:17:01 replica slapd[994]: =3D=3D>slap_sasl2dn: converting SASL n= ame uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth to a D= N Dec 3 22:17:01 replica slapd[994]: =3D=3D> rewrite_context_apply [depth= =3D1] string=3D'uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn= =3Dauth' Dec 3 22:17:01 replica slapd[994]: =3D=3D> rewrite_rule_apply rule=3D'uid= =3Dldap/([^/.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth'= string=3D'uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth= ' [1 pass(es)] Dec 3 22:17:01 replica slapd[994]: =3D=3D> rewrite_rule_apply rule=3D'uid= =3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth' string=3D'uid=3D= administrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth' [1 pass(es)] Dec 3 22:17:01 replica slapd[994]: =3D=3D> rewrite_context_apply [depth= =3D1] res=3D{0=2C'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dn= et'} Dec 3 22:17:01 replica slapd[994]: [rw] authid: "uid=3Dadministrator=2Ccn= =3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth" -> "uid=3Dadministrator=2Cou=3Dpe= ople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 replica slapd[994]: slap_parseURI: parsing uid=3Dadministr= ator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 replica slapd[994]: >>> dnNormalize: <uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: <<< dnNormalize: <uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: <=3D=3Dslap_sasl2dn: Converted SASL na= me to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 replica slapd[994]: slap_sasl_getdn: dn:id converted to ui= d=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 replica slapd[994]: SASL Canonicalize [conn=3D1005]: slapA= uthcDN=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 replica slapd[994]: SASL proxy authorize [conn=3D1005]: au= thcid=3D"administrator@EXAMPLE.NET" authzid=3D"administrator@EXAMPLE.NET" Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D2 BIND authcid=3D"adm= inistrator@EXAMPLE.NET" authzid=3D"administrator@EXAMPLE.NET" Dec 3 22:17:01 replica slapd[994]: SASL Authorize [conn=3D1005]: proxy a= uthorization allowed authzDN=3D"" Dec 3 22:17:01 replica slapd[994]: send_ldap_sasl: err=3D0 len=3D-1 Dec 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor Dec 3 22:17:01 replica slapd[994]: daemon: activity on: Dec 3 22:17:01 replica slapd[994]:=20 Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D2 BIND dn=3D"uid=3Dadm= inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" mech=3DGSSAPI sasl_ssf= =3D56 ssf=3D56 Dec 3 22:17:01 replica slapd[994]: do_bind: SASL/GSSAPI bind: dn=3D"uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" sasl_ssf=3D56 Dec 3 22:17:01 replica slapd[994]: send_ldap_response: msgid=3D3 tag=3D97= err=3D0 Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D2 RESULT tag=3D97 err= =3D0 text=3D Dec 3 22:17:01 replica slapd[994]: <=3D=3D slap_sasl_bind: rc=3D0 All good=2C so far on replica. I believe the sasl/gssapi authntication pr= ocess is completed. Now to perform the modify. Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 do_modify Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 do_modify: dn (uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet) Dec 3 22:17:01 replica slapd[994]: >>> dnPrettyNormal: <uid=3Dadministrat= or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: <<< dnPrettyNormal: <uid=3Dadministrat= or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=3D= people=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 modifications: Dec 3 22:17:01 replica slapd[994]: #011replace: description Dec 3 22:17:01 replica slapd[994]: #011#011one value=2C length 21 Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 MOD dn=3D"uid=3Dadm= inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 MOD attr=3Ddescript= ion Dec 3 22:17:01 replica slapd[994]: bdb_dn2entry("uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet") Dec 3 22:17:01 replica slapd[994]: send_ldap_result: conn=3D1005 op=3D3 p= =3D3 Dec 3 22:17:01 replica slapd[994]: send_ldap_result: err=3D10 matched=3D"= " text=3D"" Dec 3 22:17:01 replica slapd[994]: send_ldap_result: referral=3D"ldap://m= aster.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc= =3Dnet" Dec 3 22:17:01 replica slapd[994]: >>> dnPrettyNormal: <uid=3Dadministrat= or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor Dec 3 22:17:01 replica slapd[994]: daemon: activity on: Dec 3 22:17:01 replica slapd[994]:=20 Dec 3 22:17:01 replica slapd[994]: <<< dnPrettyNormal: <uid=3Dadministrato= r=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=3Dp= eople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 ldap_chain_op: ref= =3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D= example=2Cdc=3Dnet" -> "ldap://master.example.net:389" Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 ldap_chain_op: ref= =3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D= example=2Cdc=3Dnet": URI=3D"ldap://master.example.net:389" found in cache =20 Okay=2C now it seems that the referral is returned and chased on behalf of= the client. Finally=2C from the perspective of replica=2C success! Modif= ied data comes back to replica via syncrepl. Dec 3 22:17:01 replica slapd[994]: =3D>ldap_back_getconn: conn 0x7fe0b01= 47c30 fetched refcnt=3D1. Dec 3 22:17:01 replica slapd[994]: send_ldap_result: conn=3D1005 op=3D3 p= =3D3 Dec 3 22:17:01 replica slapd[994]: send_ldap_result: err=3D0 matched=3D""= text=3D"" Dec 3 22:17:01 replica slapd[994]: send_ldap_response: msgid=3D4 tag=3D10= 3 err=3D0 Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 RESULT tag=3D103 er= r=3D0 text=3D =20 Dec 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor Dec 3 22:17:01 replica slapd[994]: daemon: activity on: Dec 3 22:17:01 replica slapd[994]: 15r Dec 3 22:17:01 replica slapd[994]:=20 Dec 3 22:17:01 replica slapd[994]: daemon: read active on 15 Dec 3 22:17:01 replica slapd[994]: connection_get(15) Dec 3 22:17:01 replica slapd[994]: connection_get(15): got connid=3D0 Dec 3 22:17:01 replica slapd[994]: =3D>do_syncrepl rid=3D123 Dec 3 22:17:01 replica slapd[994]: =3D>do_syncrep2 rid=3D123 Dec 3 22:17:01 replica slapd[994]: do_syncrep2: rid=3D123 cookie=3Drid=3D= 123=2Ccsn=3D20121204031701.560697Z#000000#000#000000 Dec 3 22:17:01 replica slapd[994]: >>> dnPrettyNormal: <uid=3Dadministrat= or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: <<< dnPrettyNormal: <uid=3Dadministrat= or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=3D= people=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: >>> dnPretty: <cn=3Dadmin=2Cdc=3Dexamp= le=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: <<< dnPretty: <cn=3Dadmin=2Cdc=3Dexamp= le=2Cdc=3Dnet> Dec 3 22:17:01 replica slapd[994]: >>> dnNormalize: <cn=3Dadmin=2Cdc=3Dex= ample=2Cdc=3Dnet> Dec 3 22:17:01 replica rsyslogd-2177: imuxsock begins to drop messages fr= om pid 994 due to rate-limiting So everything looks good (correct?) on replica. Meanwhile=2C back at the = master....=20 Dec 3 22:17:01 master slapd[947]: daemon: activity on 1 descriptor Dec 3 22:17:01 master slapd[947]: daemon: activity on: Dec 3 22:17:01 master slapd[947]: 51r Dec 3 22:17:01 master slapd[947]:=20 Dec 3 22:17:01 master slapd[947]: daemon: read active on 51 Dec 3 22:17:01 master slapd[947]: connection_get(51) Dec 3 22:17:01 master slapd[947]: connection_get(51): got connid=3D1054 Dec 3 22:17:01 master slapd[947]: connection_read(51): checking for input= on id=3D1054 Dec 3 22:17:01 master slapd[947]: op tag 0x66=2C time 1354591021 Dec 3 22:17:01 master slapd[947]: daemon: activity on 1 descriptor Dec 3 22:17:01 master slapd[947]: daemon: activity on: Dec 3 22:17:01 master slapd[947]:=20 Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 do_modify Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 do_modify: dn (uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet) Dec 3 22:17:01 master slapd[947]: =3D> get_ctrls Dec 3 22:17:01 master slapd[947]: =3D> get_ctrls: oid=3D"2.16.840.1.11373= 0.3.4.18" (noncritical) Dec 3 22:17:01 master slapd[947]: parseProxyAuthz: conn 1054 authzid=3D"d= n:uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: slap_sasl_getdn: conn 1054 id=3Ddn:uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet [len=3D48] Dec 3 22:17:01 master slapd[947]: >>> dnNormalize: <uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 master slapd[947]: <<< dnNormalize: <uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 master slapd[947]: =3D=3D>slap_sasl2dn: converting SASL na= me uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet to a DN Dec 3 22:17:01 master slapd[947]: =3D=3D> rewrite_context_apply [depth=3D= 1] string=3D'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet' Dec 3 22:17:01 master slapd[947]: =3D=3D> rewrite_rule_apply rule=3D'uid= =3Dldap/([^/.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth'= string=3D'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet' [1 = pass(es)] Dec 3 22:17:01 master slapd[947]: =3D=3D> rewrite_rule_apply rule=3D'uid= =3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth' string=3D'uid=3D= administrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet' [1 pass(es)] Dec 3 22:17:01 master slapd[947]: =3D=3D> rewrite_context_apply [depth=3D= 1] res=3D{0=2C'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet'= } Dec 3 22:17:01 master slapd[947]: [rw] authid: "uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" -> "uid=3Dadministrator=2Cou=3Dpeople= =2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: slap_parseURI: parsing uid=3Dadministra= tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: >>> dnNormalize: <uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 master slapd[947]: <<< dnNormalize: <uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 master slapd[947]: <=3D=3Dslap_sasl2dn: Converted SASL nam= e to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: slap_sasl_getdn: dn:id converted to uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: parseProxyAuthz: conn=3D1054 "uid=3Dadm= inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: =3D=3D>slap_sasl_authorized: can cn=3Dr= eplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet become uid=3Dadministrator=2C= ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet? Dec 3 22:17:01 master slapd[947]: =3D=3D>slap_sasl_check_authz: does uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet match authzTo rule= in cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet? Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: ndn: "cn=3Dreplica= =2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: oc: "(null)"=2C at:= "authzTo" Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("cn=3Dreplica=2Cou=3Dhosts= =2Cdc=3Dexample=2Cdc=3Dnet") Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: found entry: "cn=3D= replica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: bdb_entry_get: rc=3D0 Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: result not in cach= e (authzTo) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: auth access to "cn= =3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet" "authzTo" requested Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [2] attr authzTo Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "cn=3Dre= plica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "authzTo" requested Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to all values by "cn=3Dr= eplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20 Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: users Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [1] applying read(=3Drsc= xd) (stop) Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [1] mask: read(=3Drscxd) Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: auth access g= ranted by read(=3Drscxd) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: auth access grante= d by read(=3Drscxd) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: result was in cach= e (authzTo) Dec 3 22:17:01 master slapd[947]: =3D=3D=3D>slap_sasl_match: comparing DN= uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet to rule dn:* Dec 3 22:17:01 master slapd[947]: slap_parseURI: parsing dn:* Dec 3 22:17:01 master slapd[947]: <=3D=3D=3Dslap_sasl_match: comparison r= eturned 0 Dec 3 22:17:01 master slapd[947]: <=3D=3Dslap_sasl_check_authz: authzTo c= heck returning 0 Dec 3 22:17:01 master slapd[947]: <=3D=3D slap_sasl_authorized: return 0 Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 PROXYAUTHZ dn=3D"uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: <=3D get_ctrls: n=3D1 rc=3D0 err=3D"" Dec 3 22:17:01 master slapd[947]: >>> dnPrettyNormal: <uid=3Dadministrato= r=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 master slapd[947]: <<< dnPrettyNormal: <uid=3Dadministrato= r=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=3Dp= eople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 modifications: Dec 3 22:17:01 master slapd[947]: #011replace: description Dec 3 22:17:01 master slapd[947]: #011#011one value=2C length 21 Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 MOD dn=3D"uid=3Dadmi= nistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 MOD attr=3Ddescripti= on Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet") Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: ndn: "uid=3Dadminis= trator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: oc: "(null)"=2C at:= "(null)" Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet") Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: found entry: "uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: bdb_entry_get: rc=3D0 Dec 3 22:17:01 master slapd[947]: =3D> test_filter Dec 3 22:17:01 master slapd[947]: PRESENT Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: search access to "= uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "objectClass" = requested Dec 3 22:17:01 master slapd[947]: =3D> dn: [4] ou=3Dkerberos=2Cdc=3Dexamp= le=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: =3D> dn: [5]=20 Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [6] attr objectClass Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "uid=3Da= dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "objectClass"= requested Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to all values by "cn=3Dr= eplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20 Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: cn=3Dadm-srv=2Cou= =3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: self Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: users Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [3] applying read(=3Drsc= xd) (stop) Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [3] mask: read(=3Drscxd) Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: search access= granted by read(=3Drscxd) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: search access gran= ted by read(=3Drscxd) Dec 3 22:17:01 master slapd[947]: <=3D test_filter 6 Dec 3 22:17:01 master slapd[947]: syncprov_matchops: sid ffffffff fscope = 1 rc 6 Dec 3 22:17:01 master slapd[947]: hdb_modify: uid=3Dadministrator=2Cou=3D= people=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: slap_queue_csn: queing 0x7fa90f0fe110 2= 0121204031701.560697Z#000000#000#000000 Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet") Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: 0x0000000b: uid=3D= administrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: result not in cach= e (description) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: delete access to "= uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "description" = requested Dec 3 22:17:01 master slapd[947]: =3D> dn: [4] ou=3Dkerberos=2Cdc=3Dexamp= le=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: =3D> dn: [5]=20 Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [6] attr description Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "uid=3Da= dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "description"= requested Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to all values by "uid=3D= administrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20 Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: cn=3Dadm-srv=2Cou= =3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: self Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [2] applying write(=3Dwr= scxd) (stop) Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [2] mask: write(=3Dwrscx= d) Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: delete access= granted by write(=3Dwrscxd) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: delete access gran= ted by write(=3Dwrscxd) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: result not in cach= e (description) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: add access to "uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "description" req= uested Dec 3 22:17:01 master slapd[947]: =3D> dn: [4] ou=3Dkerberos=2Cdc=3Dexamp= le=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: =3D> dn: [5]=20 Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [6] attr description Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "uid=3Da= dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "description"= requested Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to value by "uid=3Dadmin= istrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20 Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: cn=3Dadm-srv=2Cou= =3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: self Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [2] applying write(=3Dwr= scxd) (stop) Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [2] mask: write(=3Dwrscx= d) Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: add access gr= anted by write(=3Dwrscxd) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: add access granted= by write(=3Dwrscxd) Dec 3 22:17:01 master slapd[947]: acl: internal mod entryCSN: modify acce= ss granted Dec 3 22:17:01 master slapd[947]: acl: internal mod modifiersName: modify= access granted Dec 3 22:17:01 master slapd[947]: acl: internal mod modifyTimestamp: modi= fy access granted Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace descriptio= n Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace entryCSN Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace modifiersN= ame Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace modifyTime= stamp Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist= rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "inetOrgPerso= n" Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist= rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "posixAccount= " Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist= rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "shadowAccoun= t" Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist= rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "krbPrincipal= Aux" Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist= rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "krbTicketPol= icyAux" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "objectClass" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "cn" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "sn" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "uidNumber" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "gidNumber" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "userPassword" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "homeDirectory" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "structuralObject= Class" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "uid" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "entryUUID" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "creatorsName" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "createTimestamp" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbPrincipalName= " Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbPrincipalKey" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastPwdChange= " Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastFailedAut= h" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLoginFailedCo= unt" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastSuccessfu= lAuth" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbExtraData" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "description" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "entryCSN" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "modifiersName" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "modifyTimestamp" Dec 3 22:17:01 master slapd[947]: =3D> key_change(DELETE=2Cb) Dec 3 22:17:01 master slapd[947]: bdb_idl_delete_key: b=20 Dec 3 22:17:01 master slapd[947]: <=3D key_change 0 Dec 3 22:17:01 master slapd[947]: =3D> key_change(ADD=2Cb) Dec 3 22:17:01 master slapd[947]: bdb_idl_insert_key: b=20 Dec 3 22:17:01 master slapd[947]: <=3D key_change 0 Dec 3 22:17:01 master slapd[947]: =3D> entry_encode(0x0000000b):=20 Dec 3 22:17:01 master slapd[947]: <=3D entry_encode(0x0000000b):=20 Dec 3 22:17:01 master slapd[947]: hdb_modify: updated id=3D0000000b dn=3D"= uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: send_ldap_result: conn=3D1054 op=3D3 p= =3D3 Dec 3 22:17:01 master slapd[947]: send_ldap_result: err=3D0 matched=3D"" = text=3D"" Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: ndn: "uid=3Dadminis= trator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: oc: "(null)"=2C at:= "(null)" Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet") Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: found entry: "uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: bdb_entry_get: rc=3D0 Dec 3 22:17:01 master slapd[947]: =3D> test_filter Dec 3 22:17:01 master slapd[947]: PRESENT Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: search access to "= uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "objectClass" = requested Dec 3 22:17:01 master slapd[947]: =3D> dn: [4] ou=3Dkerberos=2Cdc=3Dexamp= le=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: =3D> dn: [5]=20 Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [6] attr objectClass Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "uid=3Da= dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "objectClass"= requested Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to all values by "cn=3Dr= eplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20 Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: cn=3Dadm-srv=2Cou= =3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: self Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: users Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [3] applying read(=3Drsc= xd) (stop) Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [3] mask: read(=3Drscxd) Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: search access= granted by read(=3Drscxd) Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: search access gran= ted by read(=3Drscxd) Dec 3 22:17:01 master slapd[947]: <=3D test_filter 6 Dec 3 22:17:01 master slapd[947]: syncprov_matchops: sid ffffffff fscope = 1 rc 6 Dec 3 22:17:01 master slapd[947]: syncprov_sendresp: cookie=3Drid=3D123= =2Ccsn=3D20121204031701.560697Z#000000#000#000000 Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: ndn: "uid=3Dadminis= trator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: oc: "(null)"=2C at:= "(null)" Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet") Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: found entry: "uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Everything looks good on the master. I see uid=3Dadministrator gets sent = over from the the proxy on replica and the update proceeds as expected. No= w if I restart slapd on replica=2C things change. performing the same modi= fucation=2C we again see sasl/gssapi authentication occuring on replica jus= t as before Dec 3 22:20:38 replica slapd[1412]: [rw] authid: "uid=3Dadministrator=2C= cn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth" -> "uid=3Dadministrator=2Cou=3D= people=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:20:38 replica slapd[1412]: slap_parseURI: parsing uid=3Dadminist= rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:20:38 replica slapd[1412]: >>> dnNormalize: <uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:20:38 replica slapd[1412]: <<< dnNormalize: <uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:20:38 replica slapd[1412]: <=3D=3Dslap_sasl2dn: Converted SASL n= ame to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:20:38 replica slapd[1412]: slap_sasl_getdn: dn:id converted to u= id=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet Dec 3 22:20:38 replica slapd[1412]: SASL Canonicalize [conn=3D1000]: slap= AuthcDN=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:20:38 replica slapd[1412]: SASL proxy authorize [conn=3D1000]: a= uthcid=3D"administrator@EXAMPLE.NET" authzid=3D"administrator@EXAMPLE.NET" Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 BIND authcid=3D"ad= ministrator@EXAMPLE.NET" authzid=3D"administrator@EXAMPLE.NET" Dec 3 22:20:38 replica slapd[1412]: SASL Authorize [conn=3D1000]: proxy = authorization allowed authzDN=3D"" Dec 3 22:20:38 replica slapd[1412]: send_ldap_sasl: err=3D0 len=3D-1 Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 BIND dn=3D"uid=3Da= dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" mech=3DGSSAPI sasl_ss= f=3D56 ssf=3D56 Dec 3 22:20:38 replica slapd[1412]: do_bind: SASL/GSSAPI bind: dn=3D"uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" sasl_ssf=3D56 Dec 3 22:20:38 replica slapd[1412]: send_ldap_response: msgid=3D3 tag=3D9= 7 err=3D0 Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 RESULT tag=3D97 er= r=3D0 text=3D Dec 3 22:20:38 replica slapd[1412]: <=3D=3D slap_sasl_bind: rc=3D0 Again=2C we head into the modification: Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 do_modify Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 do_modify: dn (uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet) Dec 3 22:20:38 replica slapd[1412]: >>> dnPrettyNormal: <uid=3Dadministra= tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:20:38 replica slapd[1412]: <<< dnPrettyNormal: <uid=3Dadministra= tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 modifications: Dec 3 22:20:38 replica slapd[1412]: #011replace: description Dec 3 22:20:38 replica slapd[1412]: #011#011one value=2C length 21 Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 MOD dn=3D"uid=3Dad= ministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 MOD attr=3Ddescrip= tion Dec 3 22:20:38 replica slapd[1412]: bdb_dn2entry("uid=3Dadministrator=2Co= u=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet") Dec 3 22:20:38 replica slapd[1412]: =3D> hdb_dn2id("ou=3Dpeople=2Cdc=3Dex= ample=2Cdc=3Dnet") Dec 3 22:20:38 replica slapd[1412]: <=3D hdb_dn2id: got id=3D0x3 Dec 3 22:20:38 replica slapd[1412]: daemon: activity on 1 descriptor Dec 3 22:20:38 replica slapd[1412]: daemon: activity on: Dec 3 22:20:38 replica slapd[1412]: =20 So far=2C so good (I think)=2C replica sees the need to refer the action a= nd tries to chase it on behalf of the clent: Dec 3 22:20:38 replica slapd[1412]: =3D> hdb_dn2id("uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet") Dec 3 22:20:38 replica slapd[1412]: <=3D hdb_dn2id: got id=3D0xb Dec 3 22:20:38 replica slapd[1412]: entry_decode: "" Dec 3 22:20:38 replica slapd[1412]: <=3D entry_decode() Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1000 op=3D3 = p=3D3 Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: err=3D10 matched=3D= "" text=3D"" Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: referral=3D"ldap://= master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cd= c=3Dnet" Dec 3 22:20:38 replica slapd[1412]: >>> dnPrettyNormal: <uid=3Dadministra= tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:20:38 replica slapd[1412]: <<< dnPrettyNormal: <uid=3Dadministra= tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet> Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 ldap_chain_op: ref= =3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D= example=2Cdc=3Dnet" -> "ldap://master.example.net:389" Dec 3 22:20:38 replica slapd[1412]: ldap_back_db_open: URI=3Dldap://maste= r.example.net:389 Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 ldap_chain_op: ref= =3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D= example=2Cdc=3Dnet" temporary Dec 3 22:20:38 replica slapd[1412]: =3D>ldap_back_getconn: conn=3D1000 op= =3D3: lc=3D0x7f213015a7d0 inserted refcnt=3D1 rc=3D0 Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1000 op=3D3 = p=3D3 =20 At this point=2C I "assume" the modification has been passed off to master.= However=2C I notice that I never see the replica checking authzTo like be= fore the restart. I think this is where it's falling apart for me and the e= rr=3D8 back is returned from master. =20 Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: err=3D8 matched=3D"= " text=3D"modifications require authentication" Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1000 op=3D3 = p=3D3 Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: err=3D8 matched=3D"= " text=3D"" Dec 3 22:20:38 replica slapd[1412]: send_ldap_response: msgid=3D4 tag=3D1= 03 err=3D8 Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 RESULT tag=3D103 e= rr=3D8 text=3D Dec 3 22:20:38 replica slapd[1412]: daemon: activity on 1 descriptor Dec 3 22:20:38 replica slapd[1412]: daemon: activity on: Dec 3 22:20:38 replica slapd[1412]: 18r =20 Over on the master we see the proxy connection occurs=2C but the client cr= edentials never apper to arrive. I say that because=2C it looks to me like= the proxy connection from replica appears to bind anonymously. Dec 3 22:20:38 master slapd[947]: daemon: activity on 1 descriptor Dec 3 22:20:38 master slapd[947]: daemon: activity on: Dec 3 22:20:38 master slapd[947]:=20 Dec 3 22:20:38 master slapd[947]: slap_listener_activate(8):=20 Dec 3 22:20:38 master slapd[947]: >>> slap_listener(ldap:///) Dec 3 22:20:38 master slapd[947]: daemon: listen=3D8=2C new connection on= 51 Dec 3 22:20:38 master slapd[947]: daemon: added 51r (active) listener=3D(= nil) Dec 3 22:20:38 master slapd[947]: conn=3D1056 fd=3D51 ACCEPT from IP=3D19= 2.168.1.2:34759 (IP=3D0.0.0.0:389) Dec 3 22:20:38 master slapd[947]: daemon: activity on 2 descriptors Dec 3 22:20:38 master slapd[947]: daemon: activity on: Dec 3 22:20:38 master slapd[947]: 51r Dec 3 22:20:38 master slapd[947]:=20 Dec 3 22:20:38 master slapd[947]: daemon: read active on 51 Dec 3 22:20:38 master slapd[947]: connection_get(51) Dec 3 22:20:38 master slapd[947]: connection_get(51): got connid=3D1056 Dec 3 22:20:38 master slapd[947]: connection_read(51): checking for input= on id=3D1056 Dec 3 22:20:38 master slapd[947]: op tag 0x60=2C time 1354591238 Dec 3 22:20:38 master slapd[947]: conn=3D1056 op=3D0 do_bind Dec 3 22:20:38 master slapd[947]: >>> dnPrettyNormal: <> Dec 3 22:20:38 master slapd[947]: <<< dnPrettyNormal: <>=2C <> Dec 3 22:20:38 master slapd[947]: conn=3D1056 op=3D0 BIND dn=3D"" method= =3D128 Dec 3 22:20:38 master slapd[947]: do_bind: version=3D3 dn=3D"" method=3D1= 28 Dec 3 22:20:38 master slapd[947]: send_ldap_result: conn=3D1056 op=3D0 p= =3D3 Dec 3 22:20:38 master slapd[947]: send_ldap_result: err=3D0 matched=3D"" = text=3D"" Dec 3 22:20:38 master slapd[947]: send_ldap_response: msgid=3D1 tag=3D97 = err=3D0 Dec 3 22:20:38 master slapd[947]: conn=3D1056 op=3D0 RESULT tag=3D97 err= =3D0 text=3D Dec 3 22:20:38 master slapd[947]: do_bind: v3 anonymous bind Dec 3 22:20:38 master slapd[947]: daemon: activity on 2 descriptors Dec 3 22:20:38 master slapd[947]: daemon: activity on: Dec 3 22:20:38 master slapd[947]: 51r Dec 3 22:20:38 master slapd[947]:=20 After=2C the (anonymous) bind=2C the master never attempts to if the proxya= uth request is allowed via authzTo or anything else (perhaps obviously). T= he modification just proceeds anonymously and eventually fails. =20 Not sure if I'm saying this in a way that makes any sense to you. Hopeful= ly=2C it does. It appears=2C that the proxy on replica after restarting=2C= never tries to determine if the olcDbIDAssertBind binddn is permitted to i= mpersonate the client via the authzTo attribute and proceeds with the refer= al chase anonymously. =20 I'll copy paste configs below. Sorry this is so long=2C but I figure the= more information=2C the better when trying to solve any problem. =20 Thanks =20 Barry =20 vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv master configuration vvvvvvvvvvvvvvvvv= vvvvvvvvvvv dn: cn=3Dconfig objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: ea6bf008-d108-1031-912d-8fbb37ee6dd9 creatorsName: cn=3Dconfig createTimestamp: 20121202201635Z olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem olcTLSCertificateFile: /etc/ssl/certs/master_slapd_cert.pem olcTLSCertificateKeyFile: /etc/ldap/master_slapd_key.pem olcAuthzPolicy: to olcSaslHost: master.example.net olcSaslRealm: EXAMPLE.NET olcAuthzRegexp: {0}uid=3Dldap/([^/.]+).example.net=2Ccn=3Dexample.net=2Cc= n=3Dgssapi=2Ccn=3Dauth cn=3D$1=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet olcAuthzRegexp: {1}uid=3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn= =3Dauth uid=3D$1=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet olcLogLevel: -1 entryCSN: 20121204013949.466434Z#000000#000#000000 modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth modifyTimestamp: 20121204013949Z dn: cn=3Dmodule{0}=2Ccn=3Dconfig objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_hdb olcModuleLoad: {1}syncprov structuralObjectClass: olcModuleList entryUUID: ea6dda08-d108-1031-9135-8fbb37ee6dd9 creatorsName: cn=3Dconfig createTimestamp: 20121202201635Z entryCSN: 20121203054749.860918Z#000000#000#000000 modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth modifyTimestamp: 20121203054749Z dn: cn=3Dschema=2Ccn=3Dconfig objectClass: olcSchemaConfig cn: schema structuralObjectClass: olcSchemaConfig entryUUID: ea6c3a0e-d108-1031-9130-8fbb37ee6dd9 creatorsName: cn=3Dconfig createTimestamp: 20121202201635Z entryCSN: 20121202201635.672699Z#000000#000#000000 modifiersName: cn=3Dconfig modifyTimestamp: 20121202201635Z <snip schemas > dn: olcBackend=3D{0}hdb=2Ccn=3Dconfig objectClass: olcBackendConfig olcBackend: {0}hdb structuralObjectClass: olcBackendConfig entryUUID: ea6f949c-d108-1031-9136-8fbb37ee6dd9 creatorsName: cn=3Dconfig createTimestamp: 20121202201635Z entryCSN: 20121202201635.694663Z#000000#000#000000 modifiersName: cn=3Dconfig modifyTimestamp: 20121202201635Z dn: olcDatabase=3D{-1}frontend=2Ccn=3Dconfig objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercr= ed=2Ccn=3Dexternal =2Ccn=3Dauth manage by * break olcAccess: {1}to dn.exact=3D"" by * read olcAccess: {2}to dn.base=3D"cn=3DSubschema" by * read olcSizeLimit: 500 structuralObjectClass: olcDatabaseConfig entryUUID: ea6c0bf6-d108-1031-912e-8fbb37ee6dd9 creatorsName: cn=3Dconfig createTimestamp: 20121202201635Z entryCSN: 20121202201635.671512Z#000000#000#000000 modifiersName: cn=3Dconfig modifyTimestamp: 20121202201635Z dn: olcDatabase=3D{0}config=2Ccn=3Dconfig objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercr= ed=2Ccn=3Dexternal=2Ccn=3Dauth manage by * break structuralObjectClass: olcDatabaseConfig entryUUID: ea6c325c-d108-1031-912f-8fbb37ee6dd9 creatorsName: cn=3Dconfig createTimestamp: 20121202201635Z entryCSN: 20121202201635.672495Z#000000#000#000000 modifiersName: cn=3Dconfig modifyTimestamp: 20121202201635Z dn: olcDatabase=3D{1}hdb=2Ccn=3Dconfig objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=3Dexample=2Cdc=3Dnet olcLastMod: TRUE olcRootDN: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet olcRootPW:: e1NTSEF9cGhKNWtqME9rOGJnVXp0dy9hYzZEaWFmU1U1Z0FTZk0=3D olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: uid eq olcDbIndex: cn eq olcDbIndex: ou eq olcDbIndex: dc eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: memberUid eq olcDbIndex: uniqueMember eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: krbPrincipalName eq=2Cpres=2Csub olcDbIndex: krbPwdPolicyReference eq structuralObjectClass: olcHdbConfig entryUUID: ea6fa3ce-d108-1031-9137-8fbb37ee6dd9 creatorsName: cn=3Dconfig createTimestamp: 20121202201635Z olcAccess: {0}to attrs=3DuserPassword=2CshadowLastChange by group.exact=3D= "cn=3Dreplic ators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet" read by self write by anon= ymous auth olcAccess: {1}to attrs=3DauthzTo=2CauthzFrom=2Ccn=2CuidNumber=2CgidNumber= =2Cuid by users r ead by anonymous none olcAccess: {2}to attrs=3DkrbLastSuccessfulAuth=2CkrbExtraData=2CkrbLastFai= ledAuth=2Ckr bLoginFailedCount by group.exact=3D"cn=3Dreplicators=2Cou=3Dgroups=2Cdc= =3Dexample=2Cdc=3Dnet" read by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" wr= ite by dn=3D"cn=3Dadm-sr v=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" write by self read by * none olcAccess: {3}to dn.subtree=3D"ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" by= group.exact=3D"cn =3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet" read by dn=3D"cn= =3Dkdc-srv=2Cou=3Dkerberos=2C dc=3Dexample=2Cdc=3Dnet" read by dn=3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc= =3Dexample=2Cdc=3Dnet" writ e by * none olcAccess: {4}to dn.base=3D"" by * read olcAccess: {5}to * by dn=3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2C= dc=3Dnet" write by s elf write by users read entryCSN: 20121203054749.804561Z#000000#000#000000 modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth modifyTimestamp: 20121203054749Z dn: olcOverlay=3D{0}syncprov=2ColcDatabase=3D{1}hdb=2Ccn=3Dconfig objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcSpCheckpoint: 100 10 olcSpSessionlog: 100 structuralObjectClass: olcSyncProvConfig entryUUID: b77dc36a-d158-1031-9917-2f12ddec6588 creatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth createTimestamp: 20121203054749Z entryCSN: 20121203054749.962179Z#000000#000#000000 modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth modifyTimestamp: 20121203054749Z vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv dc=3D= example=2Cdc=3Dnet vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv dn: dc=3Dexample=2Cdc=3Dnet objectClass: top objectClass: dcObject objectClass: organization o: example.net dc: example structuralObjectClass: organization entryUUID: eac01854-d108-1031-95b6-31806daa9e45 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121202201636Z entryCSN: 20121202201636.222029Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121202201636Z contextCSN: 20121204035116.890381Z#000000#000#000000 dn: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: eac2e160-d108-1031-95b7-31806daa9e45 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121202201636Z entryCSN: 20121202201636.240572Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121202201636Z dn: ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet objectClass: organizationalUnit ou: people description: user account objects structuralObjectClass: organizationalUnit entryUUID: 1cee4810-d12b-1031-9787-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.299880Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: ou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet objectClass: organizationalUnit ou: groups description: group objects structuralObjectClass: organizationalUnit entryUUID: 1cfcb788-d12b-1031-9788-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.394485Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: ou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet objectClass: organizationalUnit ou: hosts description: host/computer objects structuralObjectClass: organizationalUnit entryUUID: 1cfdb37c-d12b-1031-9789-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.400935Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet objectClass: organizationalUnit ou: kerberos description: kerberos realm container structuralObjectClass: organizationalUnit entryUUID: 1cfef412-d12b-1031-978a-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.409140Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet cn: replica objectClass: simpleSecurityObject objectClass: organizationalRole objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux authzTo: dn:* description: LDAP server=2C replica structuralObjectClass: organizationalRole entryUUID: 1d02dae6-d12b-1031-978b-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z krbPrincipalName: host/replica.example.net@EXAMPLE.NET krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gADgZgDa20URzdHWQ1WObQespjD5JMlRSb3fbZN8fG+gFml3DZQzinhbRU= RAxZ oJVqBI/zPGh/FDf9m+5bDBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAz54uBWIC4AFa66jXa6= Mn3k f62uOX1YE6N3JlXl1EG2abEzZw1xWglReNN68wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAKu= 6lb/ QQQHgCnrL6XaSAYoh3A5GHF0xa2/vTWwq+lX4zmCpbY2l2up3TBVKZrhlenNSkxswPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAGjfhZNlm0+a6MGvBgok7WxzB638xMCex7sQ1zfzZkLiViiKpw=3D= =3D krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203065600Z krbExtraData:: AAIATbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D userPassword:: <secret> entryCSN: 20121203233422.105322Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203233422Z dn: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet cn: master objectClass: simpleSecurityObject objectClass: organizationalRole objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux authzTo: dn:* description: LDAP server=2C replica userPassword:: e0NSWVBUfSo=3D structuralObjectClass: organizationalRole entryUUID: 1d0514dc-d12b-1031-978c-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z krbPrincipalName: host/master.example.net@EXAMPLE.NET krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gACzEUo41sdOc4i+gbyFE/lai6sMdeygNYlf/SiWtzll+A7x/QBVoz7zFW= +aWr 8/FMEBj49p4Bn0Goa371TBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAGW4+8wBum86XgWwWj5= 522A i/CCoCVDIVBZHOI48rJZHrgu59tvH0fH7TDkcwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAH1= 5xNZ VJSjkEKx2M7Ai17Og8lMWwXAsDB2h+LsGC+HsSWdbE0P4yCNkjMOdIwnwJJ3OA48wPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAGuLUyYlXYKdpNk9KEe7TuHulCL0Fzr4N8WXAv3DaIILvcKv0w=3D= =3D krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203060855Z krbExtraData:: AAL3QbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D entryCSN: 20121203060855.932134Z#000000#000#000000 modifiersName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203060855Z dn: cn=3Dadministrator=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet objectClass: posixGroup cn: administrator gidNumber: 50000 structuralObjectClass: posixGroup entryUUID: 1d079216-d12b-1031-978d-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.465616Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet objectClass: top objectClass: groupOfNames cn: replicators member: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet member: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet structuralObjectClass: groupOfNames entryUUID: 1d096db6-d12b-1031-978e-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.477792Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux cn: administrator sn: administrator uidNumber: 50000 gidNumber: 50000 userPassword:: <secret> homeDirectory: /home/administrator structuralObjectClass: inetOrgPerson uid: administrator entryUUID: 1d0a9bf0-d12b-1031-978f-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z krbPrincipalName: administrator@EXAMPLE.NET krbPrincipalKey:: MIICa6ADAgEBoQMCAQGiAwIBAaMDAgEBpIICUzCCAk8wVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gALWKtjcuVIPL0PLDhUQleHDwIp4PB4O0T3ays8putrnZEUxVC+Ecqcdxa= iluD o3oHvU0K11YiAyckIKjfzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAQRTIM4QI0IPjmA1xg/= Ot7l cXQSCNuv7MRgBJl7N1QsxS7naYbgLlyybkbXkwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYADm= Ozq8 96TliwJM9J3X0Dxb/Y+bcTz3e4/FarTIvzEMrMneaW57VGLWX1y162/LNz2jwAqIwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAMBGuqUqQw8nhnQ194wQICvc+Iu0yPUdSTzjGXtDhPSaAHj70DA8o= AcwB aADAgEBoTEwL6ADAgEDoSgEJggA0mkFMVjyT2Jn553z2fZNIOQ8fYR2jtUcGFbyUL4s4HaK+6= yoME 2gGDAWoAMCAQKhDwQNYWRtaW5pc3RyYXRvcqExMC+gAwIBA6EoBCYIAHKR4PzhneCY8c8tLpo= 8yyO mpk8FynWjl7rVe+Zqq9gIt4KXTTBLoBYwFKADAgEDoQ0EC0VYQU1QTEUuTkVUoTEwL6ADAgED= oSgE JggA4e6VizsvWUEKEqAt58PrPViScqavK7u2VuYDpNNuVwTv3zGmMEugFjAUoAMCAQWhDQQLR= VhBT VBMRS5ORVShMTAvoAMCAQOhKAQmCACA4sM1SoUcEEYGOMA8CDwINmmJXgnKPQr8jRDsxGToXG= a5U+ g=3D krbLastPwdChange: 20121203054848Z krbLastFailedAuth: 20121204013714Z krbLoginFailedCount: 0 description: Network Administrator krbLastSuccessfulAuth: 20121204035116Z krbExtraData:: AAJAPbxQcm9vdC9hZG1pbkBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D entryCSN: 20121204035116.890381Z#000000#000#000000 modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121204035116Z dn: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet objectClass: simpleSecurityObject objectClass: organizationalRole cn: kdc-srv description: Kerberos KDC userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: 1d168924-d12b-1031-9790-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.563692Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet objectClass: simpleSecurityObject objectClass: organizationalRole cn: adm-srv description: Kerberos Admin Server userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: 1d18610e-d12b-1031-9791-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.575773Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: cn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet cn: EXAMPLE.NET objectClass: top objectClass: krbRealmContainer objectClass: krbTicketPolicyAux krbSubTrees: dc=3Dexample=2Cdc=3Dnet krbSearchScope: 2 krbMaxRenewableAge: 604800 krbMaxTicketLife: 36000 structuralObjectClass: krbRealmContainer entryUUID: c03d58b8-d134-1031-83e7-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.757228Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos= =2Cdc=3Dexample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 36000 krbMaxRenewableAge: 604800 krbTicketFlags: 192 krbPrincipalName: K/M@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+g= AwIB EKE4BDYYALvAYATOnUQCrTUO54HKuJKnttvmnxYyud5Fh6T22oTH0qAUzKRfDdxTuO7OIrbK/= c4Ks HI=3D krbLastPwdChange: 19700101000000Z krbExtraData:: AAkBAAEArgC8UA=3D=3D krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAAAAAAA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c04d9282-d134-1031-83e8-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.863568Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET= =2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 36000 krbMaxRenewableAge: 604800 krbTicketFlags: 0 krbPrincipalName: krbtgt/EXAMPLE.NET@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gAOyPPy2RLdudifS8baeUvv3AxlGKKubyeRUcnwFc2CqS9kNvgpTNujaNn= fmRR GQI5lTHUdwGYqHfr+ayuTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAe8n+vM9TXvNAG43Va7= UKy1 93EQx3jtSTiD0aa2tNK9FbkomkYG0mWlz/xW4wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM9= KwFT B9MqvfMfba37K7zY6lqPhLpF8d0uucRA/Ewed1i9wfjiOuxQVR0PWLB2OM5q1llQwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAFObLZrmdRD8NEctxP0TySKwmGNnKiX7m+EMMvNj4xmNIa2yTTA8o= AcwB aADAgEAoTEwL6ADAgEDoSgEJggAXVm59rkWXluDnx/F0XOEDh4i3Nz9HckLfrcVL5goKRVOV8= oR krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAAAAAAA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c0518180-d134-1031-83e9-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.889347Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkadmin/admin@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3D= kerberos=2Cdc=3Dexample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 10800 krbMaxRenewableAge: 604800 krbTicketFlags: 4 krbPrincipalName: kadmin/admin@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gAMjLoWHTDPL9j+ribbAohbY8+SM973mU5iIvxN7MItjbLtXBh/7CF2xtC= kdsY 5WwobkGKFvGkZvTL+olZjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAwMe5Vpq5Hd2Zy1E8M2= 8Ix6 SbAtMeUjzpEqwQM3P838foPwM9ZfRYhfZ0UfAwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAGZ= M5wu tIcsdKbsYTDZgUzqIADtNt4GYjBIJx13JO40Bto78eCybAvE4uqFivBmdH1kEy8cwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAHrJty4X1D5dPY/PW84Lgb0YYuazteCJMYvphJZr3LeKs7suBzA8o= AcwB aADAgEAoTEwL6ADAgEDoSgEJggAMDfJDyzgWa4vsKv6rs9IkXOq8eEePAQPB9s0UPbM+9bG3a= Qz krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c05346be-d134-1031-83ea-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.900950Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou= =3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 300 krbMaxRenewableAge: 604800 krbTicketFlags: 8196 krbPrincipalName: kadmin/changepw@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gAHNxSgJ9GwIH0UmFf5Ol8WWQ/2Wy6nQqmf+yX4dVzEQFsmaBp9l1hsceW= qIB2 ic80wlAJW9Do0gSOaiYfjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAt+ZrWZKAjKkUhSJt0w= wSqU ootXhNduXIRVjUJxWVtXdPTI7RcL/yjZK2M0MwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACd= 423Z epUHmGMVf2I5sRQZRuoypVddoREy1pTtTMIiGvqai7Z+PRHbpL0kTawz9zdg60IgwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAGGbQu5FJ0ewAsCALf9yDbvOIa7Abx0PmnGw+PSKWOt8Dsur9TA8o= AcwB aADAgEAoTEwL6ADAgEDoSgEJggAjG9iwd398xO7bFH+bAQDGv0Hh6Qr+QIpNAUB/w7dmvqU9z= Pl krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c054d88a-d134-1031-83eb-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.911237Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkadmin/history@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou= =3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 36000 krbMaxRenewableAge: 604800 krbTicketFlags: 0 krbPrincipalName: kadmin/history@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+g= AwIB EKE4BDYYAOhayj3RDyyg78DGPFKNATBnpKKbf2qwLJbJ0nPXoUdjtbHpjECIfASUXjBoB+Pkd= /N+Z 2g=3D krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c0562d3e-d134-1031-83ec-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.919957Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkadmin/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPL= E.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 10800 krbMaxRenewableAge: 604800 krbTicketFlags: 4 krbPrincipalName: kadmin/master.example.net@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gABhOeGOuo9UBDjK7hTQ3Xfs8vsWB+Afl0JkPaSt3T3tRkZbWxAhTxXl+4= Ta3z Y4ZaEYItXr2awBW6QXSZzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAUUoLikQRp1c+vGFRtG= g1qY oev8m55VO73g+xEqcx02MJa1x+esm5y9VTMLswTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACj= 0sgn ZOyWATgpst3N3pSom4smhxBWYgpTMghwaS5gFeKMZhccDSI8Ahm4nQPFmq3Jrf4UwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAL0gPnqCvdlb4//Xw5iE8Jvj2qYDwpK0Hycj+cwyCjFsVKTsjzA8o= AcwB aADAgEAoTEwL6ADAgEDoSgEJggAxTSMEh/7bfV2AYx4VoP8cIeunsqtrcvNIItmDxSqZ0ecZA= Bm krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAANAD4gA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c0581144-d134-1031-83ed-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.932349Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.= NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet krbPrincipalName: ldap/master.example.net@EXAMPLE.NET objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: 91a6199c-d15a-1031-9919-2f12ddec6588 creatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203060105Z krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gAA6GzVEXOsoNQbzbqFy0KZqXt04aRDje4Gxq4ZS4b/z+l6pKgmUyVdsPU= S2wz qeKY56slAvVlnRCQt+uZTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAkzwNhAF14TYWZyLZem= 5kvD yuLARt7Z3LLsduQ1j6s7P6EFMDNWPaHCJf09cwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAAb= Nr3p vkmNXkIZNgUtw2FJ3VtGEU9MmDmNHCFKSk4kHCR9naWPkbMzRmWA7s/yGkwIWxCMwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAPc+l15I9VR4tYjNfS6XRX09JRoioaavGokNvj0RJa1/h4j3hg=3D= =3D krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203060153Z krbLastSuccessfulAuth: 20121203061721Z krbExtraData:: AAJRQLxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D entryCSN: 20121203061721.358939Z#000000#000#000000 modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203061721Z dn: krbPrincipalName=3Dldap/replica.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE= .NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet krbPrincipalName: ldap/replica.example.net@EXAMPLE.NET objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: 205686f2-d162-1031-9537-2fa18b539eb9 creatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203065511Z krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gABVJBbD8SWzRxzA92ncPp+x/Trd3GJY/P6w+ErH3wddcUmq3o092v7mUX= FMNw 2R8oC1rwLD2B/deCyuHDTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAApsEJiySukR8L5M3DKb= ipUj AITSVQQL2YSqY7xr/BY7Hm3huN/juvnC7u/ZQwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAOv= mT4x MDAmgH2qTgqXTSLwRcBvT7QMWYMH0oi7HW8DYC09HDAdD2/vqaBsgthQCj3BCDmkwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIALQe5Qa57ZwsYK2mxhbNOhrO0Yn/OVLez1VQiEmrpj2/GvJLXA=3D= =3D krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203065628Z krbLastSuccessfulAuth: 20121204032538Z krbExtraData:: AAIcTbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D entryCSN: 20121204032538.048010Z#000000#000#000000 modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121204032538Z =20 =20 =20 vvvvvvvvvvvvvvvvvvvv replica config vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv =20 dn: cn=3Dconfig objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: af9b0068-d108-1031-9417-cd3569532aaf creatorsName: cn=3Dconfig createTimestamp: 20121202201456Z olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem olcTLSCertificateFile: /etc/ssl/certs/replica_slapd_cert.pem olcTLSCertificateKeyFile: /etc/ldap/replica_slapd_key.pem olcLogLevel: stats olcAuthzRegexp: {0}uid=3Dldap/([^/.]+).example.net=2Ccn=3Dexample.net=2Cc= n=3Dgssapi=2Ccn=3Dauth cn=3D$1=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet olcAuthzRegexp: {1}uid=3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn= =3Dauth uid=3D$1=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet olcSaslHost: replica.example.net olcSaslRealm: EXAMPLE.NET entryCSN: 20121204023449.956406Z#000000#000#000000 modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth modifyTimestamp: 20121204023449Z dn: cn=3Dmodule{0}=2Ccn=3Dconfig objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_hdb olcModuleLoad: {1}back_ldap structuralObjectClass: olcModuleList entryUUID: af9d1e34-d108-1031-941f-cd3569532aaf creatorsName: cn=3Dconfig createTimestamp: 20121202201457Z entryCSN: 20121204041212.292184Z#000000#000#000000 modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth modifyTimestamp: 20121204041212Z dn: cn=3Dschema=2Ccn=3Dconfig objectClass: olcSchemaConfig cn: schema structuralObjectClass: olcSchemaConfig entryUUID: af9b564e-d108-1031-941a-cd3569532aaf creatorsName: cn=3Dconfig createTimestamp: 20121202201456Z entryCSN: 20121202201456.995860Z#000000#000#000000 modifiersName: cn=3Dconfig modifyTimestamp: 20121202201456Z < snip schemas > dn: olcBackend=3D{0}hdb= =2Ccn=3Dconfig objectClass: olcBackendConfig olcBackend: {0}hdb structuralObjectClass: olcBackendConfig entryUUID: af9e498a-d108-1031-9420-cd3569532aaf creatorsName: cn=3Dconfig createTimestamp: 20121202201457Z entryCSN: 20121202201457.015189Z#000000#000#000000 modifiersName: cn=3Dconfig modifyTimestamp: 20121202201457Z dn: olcDatabase=3D{-1}frontend=2Ccn=3Dconfig objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercr= ed=2Ccn=3Dexternal =2Ccn=3Dauth manage by * break olcAccess: {1}to dn.exact=3D"" by * read olcAccess: {2}to dn.base=3D"cn=3DSubschema" by * read olcSizeLimit: 500 structuralObjectClass: olcDatabaseConfig entryUUID: af9b211a-d108-1031-9418-cd3569532aaf creatorsName: cn=3Dconfig createTimestamp: 20121202201456Z entryCSN: 20121202201456.994497Z#000000#000#000000 modifiersName: cn=3Dconfig modifyTimestamp: 20121202201456Z dn: olcOverlay=3D{0}chain=2ColcDatabase=3D{-1}frontend=2Ccn=3Dconfig objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {0}chain olcChainReturnError: TRUE structuralObjectClass: olcChainConfig entryUUID: 8605cc76-d214-1031-93d2-613cc62fd42f creatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth createTimestamp: 20121204041212Z entryCSN: 20121204041212.352767Z#000000#000#000000 modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth modifyTimestamp: 20121204041212Z dn: olcDatabase=3D{0}ldap=2ColcOverlay=3D{0}chain=2ColcDatabase=3D{-1}fron= tend=2Ccn=3Dconfig objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbURI: "ldap://master.example.net:389/" olcDbIDAssertBind: bindmethod=3Dsimple binddn=3D"cn=3Dreplica=2Cou=3Dhosts= =2Cdc=3Dexample=2Cdc =3Dnet" credentials=3D<secret> mode=3Dself flags=3Doverride starttls=3Dcr= itical tls_req cert=3Ddemand tls_cacert=3D/etc/ssl/certs/cacert.pem olcDbRebindAsUser: TRUE structuralObjectClass: olcLDAPConfig entryUUID: 8609b6f6-d214-1031-93d3-613cc62fd42f creatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth createTimestamp: 20121204041212Z entryCSN: 20121204041212.378432Z#000000#000#000000 modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth modifyTimestamp: 20121204041212Z dn: olcDatabase=3D{0}config=2Ccn=3Dconfig objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercr= ed=2Ccn=3Dexternal =2Ccn=3Dauth manage by * break structuralObjectClass: olcDatabaseConfig entryUUID: af9b4528-d108-1031-9419-cd3569532aaf creatorsName: cn=3Dconfig createTimestamp: 20121202201456Z entryCSN: 20121202201456.995421Z#000000#000#000000 modifiersName: cn=3Dconfig modifyTimestamp: 20121202201456Z dn: olcDatabase=3D{1}hdb=2Ccn=3Dconfig objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=3Dexample=2Cdc=3Dnet olcLastMod: TRUE olcRootDN: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet olcRootPW:: e1NTSEF9eW1nS3JTR0VkMW5LQ0VaQ0Y4UjJBTDlPTlEveENDbzY=3D olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: uid eq olcDbIndex: cn eq olcDbIndex: ou eq olcDbIndex: dc eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: memberUid eq olcDbIndex: uniqueMember eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: krbPrincipalName eq=2Cpres=2Csub olcDbIndex: krbPwdPolicyReference eq structuralObjectClass: olcHdbConfig entryUUID: af9e5d12-d108-1031-9421-cd3569532aaf creatorsName: cn=3Dconfig createTimestamp: 20121202201457Z olcAccess: {0}to attrs=3DuserPassword=2CshadowLastChange by group.exact=3D= "cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet" read by self wri= te by anonymous auth olcAccess: {1}to attrs=3DauthzTo=2CauthzFrom by group.exact=3D"cn=3Dreplic= ators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet" read by users read by anonym= ous none olcAccess: {2}to attrs=3DkrbLastSuccessfulAuth=2CkrbExtraData=2CkrbLastFai= ledAuth=2CkrbLoginFailedCount by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3D= example=2Cdc=3Dnet" read by dn =3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" read by self = read by * none olcAccess: {3}to dn.subtree=3D"ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" by= dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" read by dn= =3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2C dc=3Dnet" read by * none olcAccess: {4}to dn.base=3D"" by * read olcAccess: {5}to * by self write by users read olcSyncrepl: {0}rid=3D123 provider=3D"ldap://master.example.net:389/" type= =3DrefreshAndPersist retry=3D"60 30 300 +" searchbase=3D"dc=3Dexample=2Cdc= =3Dnet" bindmethod=3Dsasl saslmech=3Dgssapi starttls=3Dcritical tls_reqcert=3Ddemand tls_cacert=3D= /etc/ssl/certs/cacert.pem olcUpdateRef: "ldap://master.example.net:389/" entryCSN: 20121204041212.283590Z#000000#000#000000 modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal= =2Ccn=3Dauth modifyTimestamp: 20121204041212Z =20 =20 =20 dn: dc=3Dexample=2Cdc=3Dnet objectClass: top objectClass: dcObject objectClass: organization o: example.net dc: example structuralObjectClass: organization entryUUID: eac01854-d108-1031-95b6-31806daa9e45 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121202201636Z entryCSN: 20121202201636.222029Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121202201636Z contextCSN: 20121204035116.890381Z#000000#000#000000 dn: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: eac2e160-d108-1031-95b7-31806daa9e45 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121202201636Z entryCSN: 20121202201636.240572Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121202201636Z dn: ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet objectClass: organizationalUnit ou: people description: user account objects structuralObjectClass: organizationalUnit entryUUID: 1cee4810-d12b-1031-9787-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.299880Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: ou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet objectClass: organizationalUnit ou: groups description: group objects structuralObjectClass: organizationalUnit entryUUID: 1cfcb788-d12b-1031-9788-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.394485Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: ou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet objectClass: organizationalUnit ou: hosts description: host/computer objects structuralObjectClass: organizationalUnit entryUUID: 1cfdb37c-d12b-1031-9789-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.400935Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet objectClass: organizationalUnit ou: kerberos description: kerberos realm container structuralObjectClass: organizationalUnit entryUUID: 1cfef412-d12b-1031-978a-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.409140Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet cn: replica objectClass: simpleSecurityObject objectClass: organizationalRole objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux authzTo: dn:* description: LDAP server=2C replica structuralObjectClass: organizationalRole entryUUID: 1d02dae6-d12b-1031-978b-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z krbPrincipalName: host/replica.example.net@EXAMPLE.NET krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gADgZgDa20URzdHWQ1WObQespjD5JMlRSb3fbZN8fG+gFml3DZQzinhbRU= RAxZ oJVqBI/zPGh/FDf9m+5bDBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAz54uBWIC4AFa66jXa6= Mn3k f62uOX1YE6N3JlXl1EG2abEzZw1xWglReNN68wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAKu= 6lb/ QQQHgCnrL6XaSAYoh3A5GHF0xa2/vTWwq+lX4zmCpbY2l2up3TBVKZrhlenNSkxswPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAGjfhZNlm0+a6MGvBgok7WxzB638xMCex7sQ1zfzZkLiViiKpw=3D= =3D krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203065600Z krbExtraData:: AAIATbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D userPassword:: <secret> entryCSN: 20121203233422.105322Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203233422Z dn: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet cn: master objectClass: simpleSecurityObject objectClass: organizationalRole objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux authzTo: dn:* description: LDAP server=2C replica userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: 1d0514dc-d12b-1031-978c-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z krbPrincipalName: host/master.example.net@EXAMPLE.NET krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gACzEUo41sdOc4i+gbyFE/lai6sMdeygNYlf/SiWtzll+A7x/QBVoz7zFW= +aWr 8/FMEBj49p4Bn0Goa371TBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAGW4+8wBum86XgWwWj5= 522A i/CCoCVDIVBZHOI48rJZHrgu59tvH0fH7TDkcwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAH1= 5xNZ VJSjkEKx2M7Ai17Og8lMWwXAsDB2h+LsGC+HsSWdbE0P4yCNkjMOdIwnwJJ3OA48wPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAGuLUyYlXYKdpNk9KEe7TuHulCL0Fzr4N8WXAv3DaIILvcKv0w=3D= =3D krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203060855Z krbExtraData:: AAL3QbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D entryCSN: 20121203060855.932134Z#000000#000#000000 modifiersName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203060855Z dn: cn=3Dadministrator=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet objectClass: posixGroup cn: administrator gidNumber: 50000 structuralObjectClass: posixGroup entryUUID: 1d079216-d12b-1031-978d-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.465616Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet objectClass: top objectClass: groupOfNames cn: replicators member: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet member: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet structuralObjectClass: groupOfNames entryUUID: 1d096db6-d12b-1031-978e-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.477792Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux cn: administrator sn: administrator uidNumber: 50000 gidNumber: 50000 userPassword:: <secret> homeDirectory: /home/administrator structuralObjectClass: inetOrgPerson uid: administrator entryUUID: 1d0a9bf0-d12b-1031-978f-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z krbPrincipalName: administrator@EXAMPLE.NET krbPrincipalKey:: MIICa6ADAgEBoQMCAQGiAwIBAaMDAgEBpIICUzCCAk8wVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gALWKtjcuVIPL0PLDhUQleHDwIp4PB4O0T3ays8putrnZEUxVC+Ecqcdxa= iluD o3oHvU0K11YiAyckIKjfzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAQRTIM4QI0IPjmA1xg/= Ot7l cXQSCNuv7MRgBJl7N1QsxS7naYbgLlyybkbXkwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYADm= Ozq8 96TliwJM9J3X0Dxb/Y+bcTz3e4/FarTIvzEMrMneaW57VGLWX1y162/LNz2jwAqIwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAMBGuqUqQw8nhnQ194wQICvc+Iu0yPUdSTzjGXtDhPSaAHj70DA8o= AcwB aADAgEBoTEwL6ADAgEDoSgEJggA0mkFMVjyT2Jn553z2fZNIOQ8fYR2jtUcGFbyUL4s4HaK+6= yoME 2gGDAWoAMCAQKhDwQNYWRtaW5pc3RyYXRvcqExMC+gAwIBA6EoBCYIAHKR4PzhneCY8c8tLpo= 8yyO mpk8FynWjl7rVe+Zqq9gIt4KXTTBLoBYwFKADAgEDoQ0EC0VYQU1QTEUuTkVUoTEwL6ADAgED= oSgE JggA4e6VizsvWUEKEqAt58PrPViScqavK7u2VuYDpNNuVwTv3zGmMEugFjAUoAMCAQWhDQQLR= VhBT VBMRS5ORVShMTAvoAMCAQOhKAQmCACA4sM1SoUcEEYGOMA8CDwINmmJXgnKPQr8jRDsxGToXG= a5U+ g=3D krbLastPwdChange: 20121203054848Z krbLastFailedAuth: 20121204013714Z krbLoginFailedCount: 0 description: Network Administrator krbLastSuccessfulAuth: 20121204035116Z krbExtraData:: AAJAPbxQcm9vdC9hZG1pbkBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D entryCSN: 20121204035116.890381Z#000000#000#000000 modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121204035116Z dn: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet objectClass: simpleSecurityObject objectClass: organizationalRole cn: kdc-srv description: Kerberos KDC userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: 1d168924-d12b-1031-9790-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.563692Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet objectClass: simpleSecurityObject objectClass: organizationalRole cn: adm-srv description: Kerberos Admin Server userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: 1d18610e-d12b-1031-9791-4f8d9abcea93 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203002123Z entryCSN: 20121203002123.575773Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203002123Z dn: cn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet cn: EXAMPLE.NET objectClass: top objectClass: krbRealmContainer objectClass: krbTicketPolicyAux krbSubTrees: dc=3Dexample=2Cdc=3Dnet krbSearchScope: 2 krbMaxRenewableAge: 604800 krbMaxTicketLife: 36000 structuralObjectClass: krbRealmContainer entryUUID: c03d58b8-d134-1031-83e7-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.757228Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos= =2Cdc=3Dexample=2Cdc=3D net krbLoginFailedCount: 0 krbMaxTicketLife: 36000 krbMaxRenewableAge: 604800 krbTicketFlags: 192 krbPrincipalName: K/M@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+g= AwIB EKE4BDYYALvAYATOnUQCrTUO54HKuJKnttvmnxYyud5Fh6T22oTH0qAUzKRfDdxTuO7OIrbK/= c4Ks HI=3D krbLastPwdChange: 19700101000000Z krbExtraData:: AAkBAAEArgC8UA=3D=3D krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAAAAAAA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c04d9282-d134-1031-83e8-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.863568Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET= =2Cou=3Dkerberos =2Cdc=3Dexample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 36000 krbMaxRenewableAge: 604800 krbTicketFlags: 0 krbPrincipalName: krbtgt/EXAMPLE.NET@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gAOyPPy2RLdudifS8baeUvv3AxlGKKubyeRUcnwFc2CqS9kNvgpTNujaNn= fmRR GQI5lTHUdwGYqHfr+ayuTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAe8n+vM9TXvNAG43Va7= UKy1 93EQx3jtSTiD0aa2tNK9FbkomkYG0mWlz/xW4wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM9= KwFT B9MqvfMfba37K7zY6lqPhLpF8d0uucRA/Ewed1i9wfjiOuxQVR0PWLB2OM5q1llQwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAFObLZrmdRD8NEctxP0TySKwmGNnKiX7m+EMMvNj4xmNIa2yTTA8o= AcwB aADAgEAoTEwL6ADAgEDoSgEJggAXVm59rkWXluDnx/F0XOEDh4i3Nz9HckLfrcVL5goKRVOV8= oR krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAAAAAAA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c0518180-d134-1031-83e9-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.889347Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkadmin/admin@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3D= kerberos=2Cdc=3Dex ample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 10800 krbMaxRenewableAge: 604800 krbTicketFlags: 4 krbPrincipalName: kadmin/admin@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gAMjLoWHTDPL9j+ribbAohbY8+SM973mU5iIvxN7MItjbLtXBh/7CF2xtC= kdsY 5WwobkGKFvGkZvTL+olZjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAwMe5Vpq5Hd2Zy1E8M2= 8Ix6 SbAtMeUjzpEqwQM3P838foPwM9ZfRYhfZ0UfAwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAGZ= M5wu tIcsdKbsYTDZgUzqIADtNt4GYjBIJx13JO40Bto78eCybAvE4uqFivBmdH1kEy8cwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAHrJty4X1D5dPY/PW84Lgb0YYuazteCJMYvphJZr3LeKs7suBzA8o= AcwB aADAgEAoTEwL6ADAgEDoSgEJggAMDfJDyzgWa4vsKv6rs9IkXOq8eEePAQPB9s0UPbM+9bG3a= Qz krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c05346be-d134-1031-83ea-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.900950Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou= =3Dkerberos=2Cdc =3Dexample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 300 krbMaxRenewableAge: 604800 krbTicketFlags: 8196 krbPrincipalName: kadmin/changepw@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gAHNxSgJ9GwIH0UmFf5Ol8WWQ/2Wy6nQqmf+yX4dVzEQFsmaBp9l1hsceW= qIB2 ic80wlAJW9Do0gSOaiYfjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAt+ZrWZKAjKkUhSJt0w= wSqU ootXhNduXIRVjUJxWVtXdPTI7RcL/yjZK2M0MwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACd= 423Z epUHmGMVf2I5sRQZRuoypVddoREy1pTtTMIiGvqai7Z+PRHbpL0kTawz9zdg60IgwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAGGbQu5FJ0ewAsCALf9yDbvOIa7Abx0PmnGw+PSKWOt8Dsur9TA8o= AcwB aADAgEAoTEwL6ADAgEDoSgEJggAjG9iwd398xO7bFH+bAQDGv0Hh6Qr+QIpNAUB/w7dmvqU9z= Pl krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c054d88a-d134-1031-83eb-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.911237Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkadmin/history@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou= =3Dkerberos=2Cdc=3D example=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 36000 krbMaxRenewableAge: 604800 krbTicketFlags: 0 krbPrincipalName: kadmin/history@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+g= AwIB EKE4BDYYAOhayj3RDyyg78DGPFKNATBnpKKbf2qwLJbJ0nPXoUdjtbHpjECIfASUXjBoB+Pkd= /N+Z 2g=3D krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c0562d3e-d134-1031-83ec-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.919957Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dkadmin/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPL= E.NET=2Cou=3Dk erberos=2Cdc=3Dexample=2Cdc=3Dnet krbLoginFailedCount: 0 krbMaxTicketLife: 10800 krbMaxRenewableAge: 604800 krbTicketFlags: 4 krbPrincipalName: kadmin/master.example.net@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gABhOeGOuo9UBDjK7hTQ3Xfs8vsWB+Afl0JkPaSt3T3tRkZbWxAhTxXl+4= Ta3z Y4ZaEYItXr2awBW6QXSZzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAUUoLikQRp1c+vGFRtG= g1qY oev8m55VO73g+xEqcx02MJa1x+esm5y9VTMLswTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACj= 0sgn ZOyWATgpst3N3pSom4smhxBWYgpTMghwaS5gFeKMZhccDSI8Ahm4nQPFmq3Jrf4UwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAL0gPnqCvdlb4//Xw5iE8Jvj2qYDwpK0Hycj+cwyCjFsVKTsjzA8o= AcwB aADAgEAoTEwL6ADAgEDoSgEJggAxTSMEh/7bfV2AYx4VoP8cIeunsqtrcvNIItmDxSqZ0ecZA= Bm krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAANAD4gA=3D objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c0581144-d134-1031-83ed-0707760cf534 creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203013022Z entryCSN: 20121203013022.932349Z#000000#000#000000 modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203013022Z dn: krbPrincipalName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.= NET=2Cou=3Dker beros=2Cdc=3Dexample=2Cdc=3Dnet krbPrincipalName: ldap/master.example.net@EXAMPLE.NET objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: 91a6199c-d15a-1031-9919-2f12ddec6588 creatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203060105Z krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gAA6GzVEXOsoNQbzbqFy0KZqXt04aRDje4Gxq4ZS4b/z+l6pKgmUyVdsPU= S2wz qeKY56slAvVlnRCQt+uZTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAkzwNhAF14TYWZyLZem= 5kvD yuLARt7Z3LLsduQ1j6s7P6EFMDNWPaHCJf09cwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAAb= Nr3p vkmNXkIZNgUtw2FJ3VtGEU9MmDmNHCFKSk4kHCR9naWPkbMzRmWA7s/yGkwIWxCMwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIAPc+l15I9VR4tYjNfS6XRX09JRoioaavGokNvj0RJa1/h4j3hg=3D= =3D krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203060153Z krbLastSuccessfulAuth: 20121203061721Z krbExtraData:: AAJRQLxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D entryCSN: 20121203061721.358939Z#000000#000#000000 modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121203061721Z dn: krbPrincipalName=3Dldap/replica.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE= .NET=2Cou=3Dke rberos=2Cdc=3Dexample=2Cdc=3Dnet krbPrincipalName: ldap/replica.example.net@EXAMPLE.NET objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: 205686f2-d162-1031-9537-2fa18b539eb9 creatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet createTimestamp: 20121203065511Z krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB= AKFJ MEegAwIBEqFABD4gABVJBbD8SWzRxzA92ncPp+x/Trd3GJY/P6w+ErH3wddcUmq3o092v7mUX= FMNw 2R8oC1rwLD2B/deCyuHDTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAApsEJiySukR8L5M3DKb= ipUj AITSVQQL2YSqY7xr/BY7Hm3huN/juvnC7u/ZQwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAOv= mT4x MDAmgH2qTgqXTSLwRcBvT7QMWYMH0oi7HW8DYC09HDAdD2/vqaBsgthQCj3BCDmkwPKAHMAWg= AwIB AKExMC+gAwIBAaEoBCYIALQe5Qa57ZwsYK2mxhbNOhrO0Yn/OVLez1VQiEmrpj2/GvJLXA=3D= =3D krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203065628Z krbExtraData:: AAIcTbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D krbExtraData:: AAgBAA=3D=3D krbLastSuccessfulAuth: 20121204032538Z entryCSN: 20121204032538.048010Z#000000#000#000000 modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet modifyTimestamp: 20121204032538Z

Date: Fri=2C 9 Nov 2012 01:55:32 +0000 From: openldap-its@OpenLDAP.org To: blance3459@hotmail.com Subject: Re: (ITS#7434) idassert-bind fails after restarting slapd =20 =20 *** THIS IS AN AUTOMATICALLY GENERATED REPLY *** =20 Thanks for your report to the OpenLDAP Issue Tracking System. Your report has been assigned the tracking number ITS#7434. =20 One of our support engineers will look at your report in due course. Note that this may take some time because our support engineers are volunteers. They only work on OpenLDAP when they have spare time. =20 If you need to provide additional information in regards to your issue report=2C you may do so by replying to this message. Note that any mail sent to openldap-its@openldap.org with (ITS#7434) in the subject will automatically be attached to the issue report. =20 mailto:openldap-its@openldap.org?subject=3D(ITS#7434) =20 You may follow the progress of this report by loading the following URL in a web browser: http://www.OpenLDAP.org/its/index.cgi?findid=3D7434 =20 Please remember to retain your issue tracking number (ITS#7434) on any further messages you send to us regarding this report. If you don't then you'll just waste our time and yours because we won't be able to properly track the report. =20 Please note that the Issue Tracking System is not intended to be used to seek help in the proper use of OpenLDAP Software. Such requests will be closed. =20 OpenLDAP Software is user supported. http://www.OpenLDAP.org/support/ =20

---

Copyright 1998-2007 The OpenLDAP Foundation=2C All Rights Reserved. =20

=

--_e0f270ad-e1a3-48b6-986f-f9f11dfd57c0_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

<html> <head> <style><!-- .hmmessage P { margin:0px=3B padding:0px } body.hmmessage { font-size: 12pt=3B font-family:Calibri } --></style></head> <body class=3D'hmmessage'><div dir=3D'ltr'>Quanah=2C <br>&nbsp=3B<br>I fina= lly got back around to working on this over the last couple of days.&nbsp= =3B Where I'm at with my project is:<BR><p style=3D"margin-right: 0px=3B" d= ir=3D"ltr">&nbsp=3BI have two servers (virtual machines)=2C named master an= d replica=2C&nbsp=3B with slapd configured with my directory information an= d single-master replication between them.&nbsp=3B <br>&nbsp=3BI created a K= erberos realm and various principals in open ldap.&nbsp=3B <br>&nbsp=3BRepl= ication access is authenticated using sasl/gssapi with the slapd principal= =2C ldap/replica.example.net.&nbsp=3B <br>&nbsp=3Bk5start has been added to= system startup to buid the credential cache for slapd.<br>&nbsp=3B <br>&nb= sp=3BThat brings me to configuring referrals and proxyAuth on replica.&nbsp= =3B </p>What appears to be happening is that at the initial configuration (= before restarting the daemon) is the client binds to the replica and authen= ticates with its kerberos ticket.&nbsp=3B The "magic" is performed on the s= asl user<br>and the ldap directory entry is returned.&nbsp=3B It then proce= eds into the modification and notices the update referral.&nbsp=3B It then = checks to determine if the binddn used in&nbsp=3B in the olcDbIDAssertBind<= br>statems can authzTo the bound user.&nbsp=3B It can and the proxy of the = modification proceeds.&nbsp=3B On the master=2C the proxy request is receiv= ed=2C more "magic" is done on the user id to make sure it is in <br>the cor= rect form=2C the authzTo attribute is again checked and allowed.&nbsp=3B Th= e update is performed as the user=2C and success is returned back through t= he chain to the user.&nbsp=3B This is how I would expect <br>the process to= proceed.&nbsp=3B However=2C if I restart the server (or slapd daemon)=2C t= his behavior changes.&nbsp=3B <BR>After restarting=2C the bind occurs at th= e replica=2C does "magic"=2C and then sees the referral and attempts the pr= oxy.&nbsp=3B What's notable here is that the check of authzTo is NOT perfor= med.<br>The refereal is then chased=2C but the authzTo check was never made= .&nbsp=3B Since there is no user to "authzTo"=2C does the referral get chas= ed with perhaps a "null" or anonymous user?<br>Whatever the case=2C it appe= ars the the original binding user is never sent over the proxy.&nbsp=3B Ove= r at the master=2C I see the bind request come on from the replica which is= treated as an anonymous bind request.<br>No magic=2C no authzTo check=2C n= o nothing.&nbsp=3B It then goes straight into the modification and tries to= perform=2C but is blocked due to the bound user being anonymous and the st= ronger authentication error (8) is returned.&nbsp=3B <br>Given that the bin= d occured anonymously=2C I feel that error is expected and wanted.<br>&nbsp= =3B<br>I had been trying to use sasl binding here=2C but was not having the= same sucess that I had with syncrepl.&nbsp=3B In order to only fight one b= attle at a time=2C I changed by proxy config to use a simple bind instead o= f sasl/gssapi.&nbsp=3B <br>&nbsp=3B<br>Referrals and proxy authentication a= re configured on replica with the following ldif.&nbsp=3B I tried setting t= he override flag because the man page makes it sound like it forces the aut= hzTo check at bind time.<br>By doing that I was hoping I could force the ch= eck and see the authzTo process in my logs.&nbsp=3B Is this what the ITS yo= u mentions is referring to?<BR>&nbsp=3B<br>dn: olcDatabase=3D{1}hdb=2Ccn=3D= config<br>&nbsp=3Bchangetype: modify<br>&nbsp=3Badd: olcUpdateref<br>&nbsp= =3BolcUpdateref: "<a href=3D"ldap://master.example.net:389/">ldap://master.= example.net:389/</a>"<br>&nbsp=3B <br>&nbsp=3Bdn: cn=3Dmodule{0}=2Ccn=3Dcon= fig<br>&nbsp=3Bchangetype: modify<br>&nbsp=3Badd: olcModuleLoad<br>&nbsp=3B= olcModuleLoad: {1}back_ldap<br>&nbsp=3B <br>&nbsp=3Bdn: olcOverlay=3Dchain= =2ColcDatabase=3D{-1}frontend=2Ccn=3Dconfig<br>&nbsp=3Bchangetype: add<br>&= nbsp=3BobjectClass: olcOverlayConfig<br>&nbsp=3BobjectClass: olcChainConfig= <br>&nbsp=3BolcOverlay: {0}chain<br>&nbsp=3BolcChainReturnError: TRUE<br>&n= bsp=3B <br>&nbsp=3Bdn: olcDatabase=3Dldap=2ColcOverlay=3D{0}chain=2ColcData= base=3D{-1}frontend=2Ccn=3Dconfig<br>&nbsp=3Bchangetype: add<br>&nbsp=3Bobj= ectClass: olcLDAPConfig<br>&nbsp=3BobjectClass: olcChainDatabase<br>&nbsp= =3BolcDatabase: {0}ldap<br>&nbsp=3BolcDbURI: "<a href=3D"ldap://master.exam= ple.net:389/">ldap://master.example.net:389/</a>"<br>&nbsp=3BolcDbRebindAsU= ser: TRUE<br>&nbsp=3BolcDbIDAssertBind: bindmethod=3Dsimple<br>&nbsp=3B&nbs= p=3B binddn=3D"cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbs= p=3B&nbsp=3B credentials=3Dshhh-secret<br>&nbsp=3B&nbsp=3B mode=3Dself<br>&= nbsp=3B&nbsp=3B flags=3Doverride<br>&nbsp=3B&nbsp=3B starttls=3Dcritical<br=

&nbsp=3B&nbsp=3B tls_reqcert=3Ddemand<br>&nbsp=3B&nbsp=3B tls_cacert=3D/et=

c/ssl/certs/cacert.pem<BR>&nbsp=3B <br>&nbsp=3B <br>After adding that infor= mation via ldapmodify=2C I attempt to perform an update on the replica.&nbs= p=3B For testing=2C i simply change the description attribute for uid=3Dadm= inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet.&nbsp=3B I'm using this = simple ldif to test with:<br>&nbsp=3B <BR>dn: uid=3Dadministrator=2Cou=3Dpe= ople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bchangetype: modify<br>&nbsp=3Brep= lace: description<br>&nbsp=3Bdescription: Network Administrator<BR><br>Init= ially after configuring the proxy and obtainng a kerberos ticket for the ac= count (administrator=2C self write)=2C this update succeeds.&nbsp=3B Lookin= g at syslog on replica=2C I see happiness.&nbsp=3B The ldap modify binds us= ing gssapi=2C I see SASL name being correctly converted to uid=3Dadministra= tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet.<br>&nbsp=3B <BR>Dec&nbsp=3B 3 = 22:17:01 replica slapd[994]: SASL Canonicalize [conn=3D1005]: authcid=3D"ad= ministrator"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: slap_sas= l_getdn: conn 1005 id=3Dadministrator [len=3D13]<br>&nbsp=3BDec&nbsp=3B 3 2= 2:17:01 replica slapd[994]: slap_sasl_getdn: u:id converted to uid=3Dadmini= strator=2Ccn=3DEXAMPLE.NET=2Ccn=3DGSSAPI=2Ccn=3Dauth<br>&nbsp=3BDec&nbsp=3B= 3 22:17:01 replica slapd[994]: &gt=3B&gt=3B&gt=3B dnNormalize: &lt=3Buid= =3Dadministrator=2Ccn=3DEXAMPLE.NET=2Ccn=3DGSSAPI=2Ccn=3Dauth&gt=3B<br>&nbs= p=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: &lt=3B&lt=3B&lt=3B dnNormali= ze: &lt=3Buid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth&= gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: =3D=3D&gt=3Bsla= p_sasl2dn: converting SASL name uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn= =3Dgssapi=2Ccn=3Dauth to a DN<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica sla= pd[994]: =3D=3D&gt=3B rewrite_context_apply [depth=3D1] string=3D'uid=3Dadm= inistrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth'<br>&nbsp=3BDec&nbs= p=3B 3 22:17:01 replica slapd[994]: =3D=3D&gt=3B rewrite_rule_apply rule=3D= 'uid=3Dldap/([^/.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Da= uth' string=3D'uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3D= auth' [1 pass(es)]<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: = =3D=3D&gt=3B rewrite_rule_apply rule=3D'uid=3D([^=2C]+)=2Ccn=3Dexample.net= =2Ccn=3Dgssapi=2Ccn=3Dauth' string=3D'uid=3Dadministrator=2Ccn=3Dexample.ne= t=2Ccn=3Dgssapi=2Ccn=3Dauth' [1 pass(es)]<br>&nbsp=3BDec&nbsp=3B 3 22:17:01= replica slapd[994]: =3D=3D&gt=3B rewrite_context_apply [depth=3D1] res=3D{= 0=2C'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet'}<br>&nbsp= =3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: [rw] authid: "uid=3Dadministr= ator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth" -&gt=3B "uid=3Dadministr= ator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:1= 7:01 replica slapd[994]: slap_parseURI: parsing uid=3Dadministrator=2Cou=3D= people=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica = slapd[994]: &gt=3B&gt=3B&gt=3B dnNormalize: &lt=3Buid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01= replica slapd[994]: &lt=3B&lt=3B&lt=3B dnNormalize: &lt=3Buid=3Dadministra= tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 = 22:17:01 replica slapd[994]: &lt=3B=3D=3Dslap_sasl2dn: Converted SASL name = to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BD= ec&nbsp=3B 3 22:17:01 replica slapd[994]: slap_sasl_getdn: dn:id converted = to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BD= ec&nbsp=3B 3 22:17:01 replica slapd[994]: SASL Canonicalize [conn=3D1005]: = slapAuthcDN=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"= <br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: SASL proxy authorize= [conn=3D1005]: authcid=3D"<a href=3D"mailto:administrator@EXAMPLE.NET">adm= inistrator@EXAMPLE.NET</a>" authzid=3D"<a href=3D"mailto:administrator@EXAM= PLE.NET">administrator@EXAMPLE.NET</a>"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 r= eplica slapd[994]: conn=3D1005 op=3D2 BIND authcid=3D"<a href=3D"mailto:adm= inistrator@EXAMPLE.NET">administrator@EXAMPLE.NET</a>" authzid=3D"<a href= =3D"mailto:administrator@EXAMPLE.NET">administrator@EXAMPLE.NET</a>"<br>&nb= sp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: SASL Authorize [conn=3D1005= ]:&nbsp=3B proxy authorization allowed authzDN=3D""<br>&nbsp=3BDec&nbsp=3B = 3 22:17:01 replica slapd[994]: send_ldap_sasl: err=3D0 len=3D-1<br>&nbsp=3B= Dec&nbsp=3B 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor= <br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: daemon: activity on:= <br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: <br>Dec&nbsp=3B 3 22= :17:01 replica slapd[994]: conn=3D1005 op=3D2 BIND dn=3D"uid=3Dadministrato= r=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" mech=3DGSSAPI sasl_ssf=3D56 ssf= =3D56<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: do_bind: SASL/G= SSAPI bind: dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dn= et" sasl_ssf=3D56<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: sen= d_ldap_response: msgid=3D3 tag=3D97 err=3D0<br>&nbsp=3BDec&nbsp=3B 3 22:17:= 01 replica slapd[994]: conn=3D1005 op=3D2 RESULT tag=3D97 err=3D0 text=3D<b= r>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: &lt=3B=3D=3D slap_sasl= _bind: rc=3D0<BR><br>&nbsp=3BAll good=2C so far on replica.&nbsp=3B I belie= ve the sasl/gssapi authntication process is completed.&nbsp=3B Now to perfo= rm the modify.<BR><br>Dec&nbsp=3B 3 22:17:01 replica slapd[994]: conn=3D100= 5 op=3D3 do_modify<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: co= nn=3D1005 op=3D3 do_modify: dn (uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dex= ample=2Cdc=3Dnet)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: &gt= =3B&gt=3B&gt=3B dnPrettyNormal: &lt=3Buid=3Dadministrator=2Cou=3Dpeople=2Cd= c=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slap= d[994]: &lt=3B&lt=3B&lt=3B dnPrettyNormal: &lt=3Buid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B=2C &lt=3Buid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01= replica slapd[994]: conn=3D1005 op=3D3 modifications:<br>&nbsp=3BDec&nbsp= =3B 3 22:17:01 replica slapd[994]: #011replace: description<br>&nbsp=3BDec&= nbsp=3B 3 22:17:01 replica slapd[994]: #011#011one value=2C length 21<br>&n= bsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 MOD dn= =3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbsp= =3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 MOD attr= =3Ddescription<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: bdb_dn= 2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")<br>&n= bsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: send_ldap_result: conn=3D1= 005 op=3D3 p=3D3<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: send= _ldap_result: err=3D10 matched=3D"" text=3D""<br>&nbsp=3BDec&nbsp=3B 3 22:1= 7:01 replica slapd[994]: send_ldap_result: referral=3D"<a href=3D"ldap://ma= ster.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc= =3Dnet">ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cd= c=3Dexample=2Cdc=3Dnet</a>"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd= [994]: &gt=3B&gt=3B&gt=3B dnPrettyNormal: &lt=3Buid=3Dadministrator=2Cou=3D= people=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 re= plica slapd[994]: daemon: activity on 1 descriptor<br>&nbsp=3BDec&nbsp=3B 3= 22:17:01 replica slapd[994]: daemon: activity on:<br>&nbsp=3BDec&nbsp=3B 3= 22:17:01 replica slapd[994]: <br>Dec&nbsp=3B 3 22:17:01 replica slapd[994]= : &lt=3B&lt=3B&lt=3B dnPrettyNormal: &lt=3Buid=3Dadministrator=2Cou=3Dpeopl= e=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B=2C &lt=3Buid=3Dadministrator=2Cou=3Dpeopl= e=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica= slapd[994]: conn=3D1005 op=3D3 ldap_chain_op: ref=3D"<a href=3D"ldap://mas= ter.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc= =3Dnet">ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cd= c=3Dexample=2Cdc=3Dnet</a>" -&gt=3B "<a href=3D"ldap://master.example.net:3= 89">ldap://master.example.net:389</a>"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 re= plica slapd[994]: conn=3D1005 op=3D3 ldap_chain_op: ref=3D"<a href=3D"ldap:= //master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample= =2Cdc=3Dnet">ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeopl= e=2Cdc=3Dexample=2Cdc=3Dnet</a>": URI=3D"<a href=3D"ldap://master.example.n= et:389">ldap://master.example.net:389</a>" found in cache<BR><br>&nbsp=3B <= br>&nbsp=3BOkay=2C now it seems that the referral is returned and chased on= behalf of the client.&nbsp=3B Finally=2C from the perspective of replica= =2C success!&nbsp=3B Modified data comes back to replica via syncrepl.<br>&= nbsp=3B <BR>Dec&nbsp=3B 3 22:17:01 replica slapd[994]: =3D&gt=3Bldap_back_g= etconn: conn 0x7fe0b0147c30 fetched refcnt=3D1.<br>&nbsp=3BDec&nbsp=3B 3 22= :17:01 replica slapd[994]: send_ldap_result: conn=3D1005 op=3D3 p=3D3<br>&n= bsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: send_ldap_result: err=3D0 = matched=3D"" text=3D""<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]= : send_ldap_response: msgid=3D4 tag=3D103 err=3D0<br>&nbsp=3BDec&nbsp=3B 3 = 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 RESULT tag=3D103 err=3D0 te= xt=3D<BR><br>&nbsp=3B<br>Dec&nbsp=3B 3 22:17:01 replica slapd[994]: daemon:= activity on 1 descriptor<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[9= 94]: daemon: activity on:<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[9= 94]:&nbsp=3B 15r<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: <br>= Dec&nbsp=3B 3 22:17:01 replica slapd[994]: daemon: read active on 15<br>&nb= sp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: connection_get(15)<br>&nbsp= =3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: connection_get(15): got conni= d=3D0<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: =3D&gt=3Bdo_syn= crepl rid=3D123<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: =3D&g= t=3Bdo_syncrep2 rid=3D123<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[9= 94]: do_syncrep2: rid=3D123 cookie=3Drid=3D123=2Ccsn=3D20121204031701.56069= 7Z#000000#000#000000<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: = &gt=3B&gt=3B&gt=3B dnPrettyNormal: &lt=3Buid=3Dadministrator=2Cou=3Dpeople= =2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica = slapd[994]: &lt=3B&lt=3B&lt=3B dnPrettyNormal: &lt=3Buid=3Dadministrator=2C= ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B=2C &lt=3Buid=3Dadministrator=2C= ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:= 01 replica slapd[994]: &gt=3B&gt=3B&gt=3B dnPretty: &lt=3Bcn=3Dadmin=2Cdc= =3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd= [994]: &lt=3B&lt=3B&lt=3B dnPretty: &lt=3Bcn=3Dadmin=2Cdc=3Dexample=2Cdc=3D= net&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 replica slapd[994]: &gt=3B&gt= =3B&gt=3B dnNormalize: &lt=3Bcn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>= &nbsp=3BDec&nbsp=3B 3 22:17:01 replica rsyslogd-2177: imuxsock begins to dr= op messages from pid 994 due to rate-limiting<BR><br>&nbsp=3BSo everything = looks good (correct?) on replica.&nbsp=3B Meanwhile=2C back at the master..= .. <br>&nbsp=3B<BR>Dec&nbsp=3B 3 22:17:01 master slapd[947]: daemon: activi= ty on 1 descriptor<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: dae= mon: activity on:<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]:&nbsp= =3B 51r<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: <br>Dec&nbsp= =3B 3 22:17:01 master slapd[947]: daemon: read active on 51<br>&nbsp=3BDec&= nbsp=3B 3 22:17:01 master slapd[947]: connection_get(51)<br>&nbsp=3BDec&nbs= p=3B 3 22:17:01 master slapd[947]: connection_get(51): got connid=3D1054<br=

&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: connection_read(51): che=

cking for input on id=3D1054<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd= [947]: op tag 0x66=2C time 1354591021<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 mas= ter slapd[947]: daemon: activity on 1 descriptor<br>&nbsp=3BDec&nbsp=3B 3 2= 2:17:01 master slapd[947]: daemon: activity on:<br>&nbsp=3BDec&nbsp=3B 3 22= :17:01 master slapd[947]: <br>Dec&nbsp=3B 3 22:17:01 master slapd[947]: con= n=3D1054 op=3D3 do_modify<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[94= 7]: conn=3D1054 op=3D3 do_modify: dn (uid=3Dadministrator=2Cou=3Dpeople=2Cd= c=3Dexample=2Cdc=3Dnet)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]= : =3D&gt=3B get_ctrls<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: = =3D&gt=3B get_ctrls: oid=3D"2.16.840.1.113730.3.4.18" (noncritical)<br>&nbs= p=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: parseProxyAuthz: conn 1054 au= thzid=3D"dn:uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br=

&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: slap_sasl_getdn: conn 10=

54 id=3Ddn:uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet [len= =3D48]<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &gt=3B&gt=3B&gt= =3B dnNormalize: &lt=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cd= c=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B&l= t=3B&lt=3B dnNormalize: &lt=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexam= ple=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: = =3D=3D&gt=3Bslap_sasl2dn: converting SASL name uid=3Dadministrator=2Cou=3Dp= eople=2Cdc=3Dexample=2Cdc=3Dnet to a DN<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 m= aster slapd[947]: =3D=3D&gt=3B rewrite_context_apply [depth=3D1] string=3D'= uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet'<br>&nbsp=3BDec= &nbsp=3B 3 22:17:01 master slapd[947]: =3D=3D&gt=3B rewrite_rule_apply rule= =3D'uid=3Dldap/([^/.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn= =3Dauth' string=3D'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3D= net' [1 pass(es)]<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D= =3D&gt=3B rewrite_rule_apply rule=3D'uid=3D([^=2C]+)=2Ccn=3Dexample.net=2Cc= n=3Dgssapi=2Ccn=3Dauth' string=3D'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D= example=2Cdc=3Dnet' [1 pass(es)]<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master s= lapd[947]: =3D=3D&gt=3B rewrite_context_apply [depth=3D1] res=3D{0=2C'uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet'}<br>&nbsp=3BDec&n= bsp=3B 3 22:17:01 master slapd[947]: [rw] authid: "uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" -&gt=3B "uid=3Dadministrator=2Cou=3Dpe= ople=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master sl= apd[947]: slap_parseURI: parsing uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3De= xample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &gt= =3B&gt=3B&gt=3B dnNormalize: &lt=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc= =3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[= 947]: &lt=3B&lt=3B&lt=3B dnNormalize: &lt=3Buid=3Dadministrator=2Cou=3Dpeop= le=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master= slapd[947]: &lt=3B=3D=3Dslap_sasl2dn: Converted SASL name to uid=3Dadminis= trator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:= 17:01 master slapd[947]: slap_sasl_getdn: dn:id converted to uid=3Dadminist= rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:1= 7:01 master slapd[947]: parseProxyAuthz: conn=3D1054 "uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01= master slapd[947]: =3D=3D&gt=3Bslap_sasl_authorized: can cn=3Dreplica=2Cou= =3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet become uid=3Dadministrator=2Cou=3Dpeople= =2Cdc=3Dexample=2Cdc=3Dnet?<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[= 947]: =3D=3D&gt=3Bslap_sasl_check_authz: does uid=3Dadministrator=2Cou=3Dpe= ople=2Cdc=3Dexample=2Cdc=3Dnet match authzTo rule in cn=3Dreplica=2Cou=3Dho= sts=2Cdc=3Dexample=2Cdc=3Dnet?<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master sla= pd[947]: =3D&gt=3B bdb_entry_get: ndn: "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dex= ample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&= gt=3B bdb_entry_get: oc: "(null)"=2C at: "authzTo"<br>&nbsp=3BDec&nbsp=3B 3= 22:17:01 master slapd[947]: bdb_dn2entry("cn=3Dreplica=2Cou=3Dhosts=2Cdc= =3Dexample=2Cdc=3Dnet")<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]= : =3D&gt=3B bdb_entry_get: found entry: "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3De= xample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: bdb= _entry_get: rc=3D0<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D= &gt=3B access_allowed: result not in cache (authzTo)<br>&nbsp=3BDec&nbsp=3B= 3 22:17:01 master slapd[947]: =3D&gt=3B access_allowed: auth access to "cn= =3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet" "authzTo" requested<br>&= nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B acl_get: [2] att= r authzTo<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B ac= l_mask: access to entry "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dne= t"=2C attr "authzTo" requested<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master sla= pd[947]: =3D&gt=3B acl_mask: to all values by "cn=3Dreplica=2Cou=3Dhosts=2C= dc=3Dexample=2Cdc=3Dnet"=2C (=3D0) <br>Dec&nbsp=3B 3 22:17:01 master slapd[= 947]: &lt=3B=3D check a_dn_pat: users<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 mas= ter slapd[947]: &lt=3B=3D acl_mask: [1] applying read(=3Drscxd) (stop)<br>&= nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D acl_mask: [1] ma= sk: read(=3Drscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D= &gt=3B slap_access_allowed: auth access granted by read(=3Drscxd)<br>&nbsp= =3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B access_allowed: auth= access granted by read(=3Drscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master = slapd[947]: =3D&gt=3B access_allowed: result was in cache (authzTo)<br>&nbs= p=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D=3D=3D&gt=3Bslap_sasl_matc= h: comparing DN uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet= to rule dn:*<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: slap_par= seURI: parsing dn:*<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &l= t=3B=3D=3D=3Dslap_sasl_match: comparison returned 0<br>&nbsp=3BDec&nbsp=3B = 3 22:17:01 master slapd[947]: &lt=3B=3D=3Dslap_sasl_check_authz: authzTo ch= eck returning 0<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B= =3D=3D slap_sasl_authorized: return 0<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 mas= ter slapd[947]: conn=3D1054 op=3D3 PROXYAUTHZ dn=3D"uid=3Dadministrator=2Co= u=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 mas= ter slapd[947]: &lt=3B=3D get_ctrls: n=3D1 rc=3D0 err=3D""<br>&nbsp=3BDec&n= bsp=3B 3 22:17:01 master slapd[947]: &gt=3B&gt=3B&gt=3B dnPrettyNormal: &lt= =3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nb= sp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B&lt=3B&lt=3B dnPrettyN= ormal: &lt=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt= =3B=2C &lt=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt= =3B<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3= modifications:<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: #011re= place: description<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: #01= 1#011one value=2C length 21<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[= 947]: conn=3D1054 op=3D3 MOD dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc= =3Dexample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]:= conn=3D1054 op=3D3 MOD attr=3Ddescription<br>&nbsp=3BDec&nbsp=3B 3 22:17:0= 1 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc= =3Dexample=2Cdc=3Dnet")<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]= : =3D&gt=3B bdb_entry_get: ndn: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3De= xample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D= &gt=3B bdb_entry_get: oc: "(null)"=2C at: "(null)"<br>&nbsp=3BDec&nbsp=3B 3= 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeopl= e=2Cdc=3Dexample=2Cdc=3Dnet")<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slap= d[947]: =3D&gt=3B bdb_entry_get: found entry: "uid=3Dadministrator=2Cou=3Dp= eople=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master s= lapd[947]: bdb_entry_get: rc=3D0<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master s= lapd[947]: =3D&gt=3B test_filter<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master s= lapd[947]:&nbsp=3B&nbsp=3B&nbsp=3B&nbsp=3B PRESENT<br>&nbsp=3BDec&nbsp=3B 3= 22:17:01 master slapd[947]: =3D&gt=3B access_allowed: search access to "ui= d=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "objectClass" re= quested<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B dn: = [4] ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:17:= 01 master slapd[947]: =3D&gt=3B dn: [5] <br>Dec&nbsp=3B 3 22:17:01 master s= lapd[947]: =3D&gt=3B acl_get: [6] attr objectClass<br>&nbsp=3BDec&nbsp=3B 3= 22:17:01 master slapd[947]: =3D&gt=3B acl_mask: access to entry "uid=3Dadm= inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "objectClass" r= equested<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B acl= _mask: to all values by "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dne= t"=2C (=3D0) <br>Dec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D check = a_dn_pat: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp= =3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D check a_dn_pat: self= <br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D check a_dn_= pat: users<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D a= cl_mask: [3] applying read(=3Drscxd) (stop)<br>&nbsp=3BDec&nbsp=3B 3 22:17:= 01 master slapd[947]: &lt=3B=3D acl_mask: [3] mask: read(=3Drscxd)<br>&nbsp= =3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B slap_access_allowed:= search access granted by read(=3Drscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 = master slapd[947]: =3D&gt=3B access_allowed: search access granted by read(= =3Drscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D te= st_filter 6<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: syncprov_m= atchops: sid ffffffff fscope 1 rc 6<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 maste= r slapd[947]: hdb_modify: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample= =2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: slap_queue= _csn: queing 0x7fa90f0fe110 20121204031701.560697Z#000000#000#000000<br>&nb= sp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadminist= rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")<br>&nbsp=3BDec&nbsp=3B 3 22= :17:01 master slapd[947]: bdb_modify_internal: 0x0000000b: uid=3Dadministra= tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:17:= 01 master slapd[947]: =3D&gt=3B access_allowed: result not in cache (descri= ption)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B acces= s_allowed: delete access to "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexamp= le=2Cdc=3Dnet" "description" requested<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 ma= ster slapd[947]: =3D&gt=3B dn: [4] ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<= br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B dn: [5] <br>= Dec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B acl_get: [6] attr descr= iption<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B acl_m= ask: access to entry "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc= =3Dnet"=2C attr "description" requested<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 m= aster slapd[947]: =3D&gt=3B acl_mask: to all values by "uid=3Dadministrator= =2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0) <br>Dec&nbsp=3B 3 22:17= :01 master slapd[947]: &lt=3B=3D check a_dn_pat: cn=3Dadm-srv=2Cou=3Dkerber= os=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd= [947]: &lt=3B=3D check a_dn_pat: self<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 mas= ter slapd[947]: &lt=3B=3D acl_mask: [2] applying write(=3Dwrscxd) (stop)<br=

&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D acl_mask: [2] =

mask: write(=3Dwrscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]:= =3D&gt=3B slap_access_allowed: delete access granted by write(=3Dwrscxd)<b= r>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B access_allowe= d: delete access granted by write(=3Dwrscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17= :01 master slapd[947]: =3D&gt=3B access_allowed: result not in cache (descr= iption)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B acce= ss_allowed: add access to "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample= =2Cdc=3Dnet" "description" requested<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 mast= er slapd[947]: =3D&gt=3B dn: [4] ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br=

&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B dn: [5] <br>De=

c&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B acl_get: [6] attr descrip= tion<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B acl_mas= k: access to entry "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc= =3Dnet"=2C attr "description" requested<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 m= aster slapd[947]: =3D&gt=3B acl_mask: to value by "uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0) <br>Dec&nbsp=3B 3 22:17:01 m= aster slapd[947]: &lt=3B=3D check a_dn_pat: cn=3Dadm-srv=2Cou=3Dkerberos=2C= dc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]= : &lt=3B=3D check a_dn_pat: self<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master s= lapd[947]: &lt=3B=3D acl_mask: [2] applying write(=3Dwrscxd) (stop)<br>&nbs= p=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D acl_mask: [2] mask:= write(=3Dwrscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&= gt=3B slap_access_allowed: add access granted by write(=3Dwrscxd)<br>&nbsp= =3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B access_allowed: add = access granted by write(=3Dwrscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master= slapd[947]: acl: internal mod entryCSN: modify access granted<br>&nbsp=3BD= ec&nbsp=3B 3 22:17:01 master slapd[947]: acl: internal mod modifiersName: m= odify access granted<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: a= cl: internal mod modifyTimestamp: modify access granted<br>&nbsp=3BDec&nbsp= =3B 3 22:17:01 master slapd[947]: bdb_modify_internal: replace description<= br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: bdb_modify_internal: r= eplace entryCSN<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: bdb_mo= dify_internal: replace modifiersName<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 mast= er slapd[947]: bdb_modify_internal: replace modifyTimestamp<br>&nbsp=3BDec&= nbsp=3B 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadmini= strator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "inetOrgPer= son"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_required= entry (uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C obj= ectClass "posixAccount"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]= : oc_check_required entry (uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample= =2Cdc=3Dnet)=2C objectClass "shadowAccount"<br>&nbsp=3BDec&nbsp=3B 3 22:17:= 01 master slapd[947]: oc_check_required entry (uid=3Dadministrator=2Cou=3Dp= eople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "krbPrincipalAux"<br>&nbsp= =3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_required entry (uid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "k= rbTicketPolicyAux"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_= check_allowed type "objectClass"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master s= lapd[947]: oc_check_allowed type "cn"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 mas= ter slapd[947]: oc_check_allowed type "sn"<br>&nbsp=3BDec&nbsp=3B 3 22:17:0= 1 master slapd[947]: oc_check_allowed type "uidNumber"<br>&nbsp=3BDec&nbsp= =3B 3 22:17:01 master slapd[947]: oc_check_allowed type "gidNumber"<br>&nbs= p=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_allowed type "userPa= ssword"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_allow= ed type "homeDirectory"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]= : oc_check_allowed type "structuralObjectClass"<br>&nbsp=3BDec&nbsp=3B 3 22= :17:01 master slapd[947]: oc_check_allowed type "uid"<br>&nbsp=3BDec&nbsp= =3B 3 22:17:01 master slapd[947]: oc_check_allowed type "entryUUID"<br>&nbs= p=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_allowed type "creato= rsName"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_allow= ed type "createTimestamp"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[94= 7]: oc_check_allowed type "krbPrincipalName"<br>&nbsp=3BDec&nbsp=3B 3 22:17= :01 master slapd[947]: oc_check_allowed type "krbPrincipalKey"<br>&nbsp=3BD= ec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastPwdC= hange"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_allowe= d type "krbLastFailedAuth"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[9= 47]: oc_check_allowed type "krbLoginFailedCount"<br>&nbsp=3BDec&nbsp=3B 3 2= 2:17:01 master slapd[947]: oc_check_allowed type "krbLastSuccessfulAuth"<br=

&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_allowed type "k=

rbExtraData"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: oc_check_= allowed type "description"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[9= 47]: oc_check_allowed type "entryCSN"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 mas= ter slapd[947]: oc_check_allowed type "modifiersName"<br>&nbsp=3BDec&nbsp= =3B 3 22:17:01 master slapd[947]: oc_check_allowed type "modifyTimestamp"<b= r>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B key_change(DE= LETE=2Cb)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: bdb_idl_dele= te_key: b <br>Dec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D key_chang= e 0<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B key_chan= ge(ADD=2Cb)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: bdb_idl_in= sert_key: b <br>Dec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D key_cha= nge 0<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B entry_= encode(0x0000000b): <br>Dec&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D= entry_encode(0x0000000b): <br>Dec&nbsp=3B 3 22:17:01 master slapd[947]: hd= b_modify: updated id=3D0000000b dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cd= c=3Dexample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]= : send_ldap_result: conn=3D1054 op=3D3 p=3D3<br>&nbsp=3BDec&nbsp=3B 3 22:17= :01 master slapd[947]: send_ldap_result: err=3D0 matched=3D"" text=3D""<br>= &nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B bdb_entry_get: = ndn: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbsp= =3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B bdb_entry_get: oc: "= (null)"=2C at: "(null)"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]= : bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet= ")<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B bdb_entry= _get: found entry: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc= =3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: bdb_entry_get:= rc=3D0<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B test= _filter<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]:&nbsp=3B&nbsp= =3B&nbsp=3B&nbsp=3B PRESENT<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[= 947]: =3D&gt=3B access_allowed: search access to "uid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "objectClass" requested<br>&nbsp=3BDec= &nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B dn: [4] ou=3Dkerberos=2Cdc= =3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: = =3D&gt=3B dn: [5] <br>Dec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B a= cl_get: [6] attr objectClass<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd= [947]: =3D&gt=3B acl_mask: access to entry "uid=3Dadministrator=2Cou=3Dpeop= le=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "objectClass" requested<br>&nbsp=3BDe= c&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B acl_mask: to all values b= y "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0) <br>Dec&n= bsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D check a_dn_pat: cn=3Dadm-srv= =2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:17:0= 1 master slapd[947]: &lt=3B=3D check a_dn_pat: self<br>&nbsp=3BDec&nbsp=3B = 3 22:17:01 master slapd[947]: &lt=3B=3D check a_dn_pat: users<br>&nbsp=3BDe= c&nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D acl_mask: [3] applying re= ad(=3Drscxd) (stop)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: &l= t=3B=3D acl_mask: [3] mask: read(=3Drscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17:0= 1 master slapd[947]: =3D&gt=3B slap_access_allowed: search access granted b= y read(=3Drscxd)<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&g= t=3B access_allowed: search access granted by read(=3Drscxd)<br>&nbsp=3BDec= &nbsp=3B 3 22:17:01 master slapd[947]: &lt=3B=3D test_filter 6<br>&nbsp=3BD= ec&nbsp=3B 3 22:17:01 master slapd[947]: syncprov_matchops: sid ffffffff fs= cope 1 rc 6<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: syncprov_s= endresp: cookie=3Drid=3D123=2Ccsn=3D20121204031701.560697Z#000000#000#00000= 0<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B bdb_entry_= get: ndn: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br>= &nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B bdb_entry_get: = oc: "(null)"=2C at: "(null)"<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd= [947]: bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc= =3Dnet")<br>&nbsp=3BDec&nbsp=3B 3 22:17:01 master slapd[947]: =3D&gt=3B bdb= _entry_get: found entry: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample= =2Cdc=3Dnet"<BR><br>&nbsp=3BEverything looks good on the master.&nbsp=3B I = see uid=3Dadministrator gets sent over from the the proxy on replica and th= e update proceeds as expected.&nbsp=3B Now if I restart slapd on replica=2C= things change.&nbsp=3B performing the same modifucation=2C we again see sa= sl/gssapi authentication occuring on replica just as before<br>&nbsp=3B <BR=

Dec&nbsp=3B 3 22:20:38 replica slapd[1412]: [rw] authid: "uid=3Dadministra=

tor=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth" -&gt=3B "uid=3Dadministra= tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:20= :38 replica slapd[1412]: slap_parseURI: parsing uid=3Dadministrator=2Cou=3D= people=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica = slapd[1412]: &gt=3B&gt=3B&gt=3B dnNormalize: &lt=3Buid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:20:38= replica slapd[1412]: &lt=3B&lt=3B&lt=3B dnNormalize: &lt=3Buid=3Dadministr= ator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3= 22:20:38 replica slapd[1412]: &lt=3B=3D=3Dslap_sasl2dn: Converted SASL nam= e to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp= =3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: slap_sasl_getdn: dn:id conve= rted to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbs= p=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: SASL Canonicalize [conn=3D1= 000]: slapAuthcDN=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc= =3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: SASL proxy a= uthorize [conn=3D1000]: authcid=3D"<a href=3D"mailto:administrator@EXAMPLE.= NET">administrator@EXAMPLE.NET</a>" authzid=3D"<a href=3D"mailto:administra= tor@EXAMPLE.NET">administrator@EXAMPLE.NET</a>"<br>&nbsp=3BDec&nbsp=3B 3 22= :20:38 replica slapd[1412]: conn=3D1000 op=3D2 BIND authcid=3D"<a href=3D"m= ailto:administrator@EXAMPLE.NET">administrator@EXAMPLE.NET</a>" authzid=3D"= <a href=3D"mailto:administrator@EXAMPLE.NET">administrator@EXAMPLE.NET</a>"= <br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: SASL Authorize [con= n=3D1000]:&nbsp=3B proxy authorization allowed authzDN=3D""<br>&nbsp=3BDec&= nbsp=3B 3 22:20:38 replica slapd[1412]: send_ldap_sasl: err=3D0 len=3D-1<br=

&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 BIN=

D dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" mech= =3DGSSAPI sasl_ssf=3D56 ssf=3D56<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica = slapd[1412]: do_bind: SASL/GSSAPI bind: dn=3D"uid=3Dadministrator=2Cou=3Dpe= ople=2Cdc=3Dexample=2Cdc=3Dnet" sasl_ssf=3D56<br>&nbsp=3BDec&nbsp=3B 3 22:2= 0:38 replica slapd[1412]: send_ldap_response: msgid=3D3 tag=3D97 err=3D0<br=

&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 RES=

ULT tag=3D97 err=3D0 text=3D<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slap= d[1412]: &lt=3B=3D=3D slap_sasl_bind: rc=3D0<BR><br>&nbsp=3BAgain=2C we hea= d into the modification:<br>&nbsp=3B <BR>Dec&nbsp=3B 3 22:20:38 replica sla= pd[1412]: conn=3D1000 op=3D3 do_modify<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 re= plica slapd[1412]: conn=3D1000 op=3D3 do_modify: dn (uid=3Dadministrator=2C= ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 re= plica slapd[1412]: &gt=3B&gt=3B&gt=3B dnPrettyNormal: &lt=3Buid=3Dadministr= ator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3= 22:20:38 replica slapd[1412]: &lt=3B&lt=3B&lt=3B dnPrettyNormal: &lt=3Buid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B=2C &lt=3Buid= =3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BD= ec&nbsp=3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 modifications= :<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: #011replace: descr= iption<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: #011#011one v= alue=2C length 21<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: co= nn=3D1000 op=3D3 MOD dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample= =2Cdc=3Dnet"<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: conn=3D= 1000 op=3D3 MOD attr=3Ddescription<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replic= a slapd[1412]: bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexamp= le=2Cdc=3Dnet")<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: =3D&= gt=3B hdb_dn2id("ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")<br>&nbsp=3BDec&nbs= p=3B 3 22:20:38 replica slapd[1412]: &lt=3B=3D hdb_dn2id: got id=3D0x3<br>&= nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: daemon: activity on 1 de= scriptor<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: daemon: act= ivity on:<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: <BR>&nbsp= =3B<br>&nbsp=3BSo far=2C so good (I think)=2C replica sees the need to refe= r the action and tries to chase it on behalf of the clent:<BR><br>&nbsp=3BD= ec&nbsp=3B 3 22:20:38 replica slapd[1412]: =3D&gt=3B hdb_dn2id("uid=3Dadmin= istrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")<br>&nbsp=3BDec&nbsp=3B 3= 22:20:38 replica slapd[1412]: &lt=3B=3D hdb_dn2id: got id=3D0xb<br>&nbsp= =3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: entry_decode: ""<br>&nbsp=3B= Dec&nbsp=3B 3 22:20:38 replica slapd[1412]: &lt=3B=3D entry_decode()<br>&nb= sp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1= 000 op=3D3 p=3D3<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: sen= d_ldap_result: err=3D10 matched=3D"" text=3D""<br>&nbsp=3BDec&nbsp=3B 3 22:= 20:38 replica slapd[1412]: send_ldap_result: referral=3D"<a href=3D"ldap://= master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cd= c=3Dnet">ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2C= dc=3Dexample=2Cdc=3Dnet</a>"<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slap= d[1412]: &gt=3B&gt=3B&gt=3B dnPrettyNormal: &lt=3Buid=3Dadministrator=2Cou= =3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:20:38= replica slapd[1412]: &lt=3B&lt=3B&lt=3B dnPrettyNormal: &lt=3Buid=3Dadmini= strator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B=2C &lt=3Buid=3Dadmini= strator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet&gt=3B<br>&nbsp=3BDec&nbsp= =3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 ldap_chain_op: ref= =3D"<a href=3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeo= ple=2Cdc=3Dexample=2Cdc=3Dnet">ldap://master.example.net:389/uid=3Dadminist= rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet</a>" -&gt=3B "<a href=3D"ldap= ://master.example.net:389">ldap://master.example.net:389</a>"<br>&nbsp=3BDe= c&nbsp=3B 3 22:20:38 replica slapd[1412]: ldap_back_db_open: URI=3Dldap://m= aster.example.net:389<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]= : conn=3D1000 op=3D3 ldap_chain_op: ref=3D"<a href=3D"ldap://master.example= .net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet">ldap:= //master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample= =2Cdc=3Dnet</a>" temporary<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[= 1412]: =3D&gt=3Bldap_back_getconn: conn=3D1000 op=3D3: lc=3D0x7f213015a7d0 = inserted refcnt=3D1 rc=3D0<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[= 1412]: send_ldap_result: conn=3D1000 op=3D3 p=3D3<BR>&nbsp=3B <BR>&nbsp=3B<= br>At this point=2C I "assume" the modification has been passed off to mast= er.&nbsp=3B However=2C I notice that I never see the replica checking authz= To like before the restart. I think this is where it's falling apart for me= and the err=3D8 back is returned from master.<br>&nbsp=3B<br>&nbsp=3B<BR>D= ec&nbsp=3B 3 22:20:38 replica slapd[1412]: send_ldap_result: err=3D8 matche= d=3D"" text=3D"modifications require authentication"<br>&nbsp=3BDec&nbsp=3B= 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1000 op=3D3 p=3D3= <br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: send_ldap_result: e= rr=3D8 matched=3D"" text=3D""<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica sla= pd[1412]: send_ldap_response: msgid=3D4 tag=3D103 err=3D8<br>&nbsp=3BDec&nb= sp=3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 RESULT tag=3D103 e= rr=3D8 text=3D<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd[1412]: daemo= n: activity on 1 descriptor<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slapd= [1412]: daemon: activity on:<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 replica slap= d[1412]:&nbsp=3B 18r<BR>&nbsp=3B <br>&nbsp=3BOver on the master we see the = proxy connection occurs=2C but the client credentials never apper to arrive= .&nbsp=3B I say that because=2C it looks to me like the proxy connection fr= om replica appears to bind anonymously.<br>&nbsp=3B <BR>Dec&nbsp=3B 3 22:20= :38 master slapd[947]: daemon: activity on 1 descriptor<br>&nbsp=3BDec&nbsp= =3B 3 22:20:38 master slapd[947]: daemon: activity on:<br>&nbsp=3BDec&nbsp= =3B 3 22:20:38 master slapd[947]: <br>Dec&nbsp=3B 3 22:20:38 master slapd[9= 47]: slap_listener_activate(8): <br>Dec&nbsp=3B 3 22:20:38 master slapd[947= ]: &gt=3B&gt=3B&gt=3B slap_listener(<a href=3D"ldap:///">ldap:///</a>)<br>&= nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[947]: daemon: listen=3D8=2C new = connection on 51<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[947]: daemo= n: added 51r (active) listener=3D(nil)<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 ma= ster slapd[947]: conn=3D1056 fd=3D51 ACCEPT from IP=3D192.168.1.2:34759 (IP= =3D0.0.0.0:389)<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[947]: daemon= : activity on 2 descriptors<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[= 947]: daemon: activity on:<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[9= 47]:&nbsp=3B 51r<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[947]: <br>D= ec&nbsp=3B 3 22:20:38 master slapd[947]: daemon: read active on 51<br>&nbsp= =3BDec&nbsp=3B 3 22:20:38 master slapd[947]: connection_get(51)<br>&nbsp=3B= Dec&nbsp=3B 3 22:20:38 master slapd[947]: connection_get(51): got connid=3D= 1056<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[947]: connection_read(5= 1): checking for input on id=3D1056<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 maste= r slapd[947]: op tag 0x60=2C time 1354591238<br>&nbsp=3BDec&nbsp=3B 3 22:20= :38 master slapd[947]: conn=3D1056 op=3D0 do_bind<br>&nbsp=3BDec&nbsp=3B 3 = 22:20:38 master slapd[947]: &gt=3B&gt=3B&gt=3B dnPrettyNormal: &lt=3B&gt=3B= <br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[947]: &lt=3B&lt=3B&lt=3B dn= PrettyNormal: &lt=3B&gt=3B=2C &lt=3B&gt=3B<br>&nbsp=3BDec&nbsp=3B 3 22:20:3= 8 master slapd[947]: conn=3D1056 op=3D0 BIND dn=3D"" method=3D128<br>&nbsp= =3BDec&nbsp=3B 3 22:20:38 master slapd[947]: do_bind: version=3D3 dn=3D"" m= ethod=3D128<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[947]: send_ldap_= result: conn=3D1056 op=3D0 p=3D3<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master s= lapd[947]: send_ldap_result: err=3D0 matched=3D"" text=3D""<br>&nbsp=3BDec&= nbsp=3B 3 22:20:38 master slapd[947]: send_ldap_response: msgid=3D1 tag=3D9= 7 err=3D0<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 master slapd[947]: conn=3D1056 = op=3D0 RESULT tag=3D97 err=3D0 text=3D<br>&nbsp=3BDec&nbsp=3B 3 22:20:38 ma= ster slapd[947]: do_bind: v3 anonymous bind<br>&nbsp=3BDec&nbsp=3B 3 22:20:= 38 master slapd[947]: daemon: activity on 2 descriptors<br>&nbsp=3BDec&nbsp= =3B 3 22:20:38 master slapd[947]: daemon: activity on:<br>&nbsp=3BDec&nbsp= =3B 3 22:20:38 master slapd[947]:&nbsp=3B 51r<br>&nbsp=3BDec&nbsp=3B 3 22:2= 0:38 master slapd[947]: <BR><br>After=2C the (anonymous) bind=2C the master= never attempts to if the proxyauth request is allowed via authzTo or anyth= ing else (perhaps obviously).&nbsp=3B The modification just proceeds anonym= ously and eventually fails.<br>&nbsp=3B <br>&nbsp=3BNot sure if I'm saying = this in a way that makes any sense to you.&nbsp=3B Hopefully=2C it does.&nb= sp=3B It appears=2C that the proxy on replica after restarting=2C never tri= es to determine if the olcDbIDAssertBind binddn is permitted to impersonate= the client via the authzTo attribute and proceeds with the referal chase a= nonymously.<br>&nbsp=3B <br>&nbsp=3BI'll copy paste configs below.&nbsp=3B&= nbsp=3B Sorry this is so long=2C but I figure the more information=2C the b= etter when trying to solve any problem.<br>&nbsp=3B <br>&nbsp=3BThanks<br>&= nbsp=3B <br>&nbsp=3BBarry<br>&nbsp=3B <br>&nbsp=3Bvvvvvvvvvvvvvvvvvvvvvvvvv= vvvvvvvvvv master configuration vvvvvvvvvvvvvvvvvvvvvvvvvvvv<br>&nbsp=3Bdn:= cn=3Dconfig<br>&nbsp=3BobjectClass: olcGlobal<br>&nbsp=3Bcn: config<br>&nb= sp=3BolcArgsFile: /var/run/slapd/slapd.args<br>&nbsp=3BolcPidFile: /var/run= /slapd/slapd.pid<br>&nbsp=3BolcToolThreads: 1<br>&nbsp=3BstructuralObjectCl= ass: olcGlobal<br>&nbsp=3BentryUUID: ea6bf008-d108-1031-912d-8fbb37ee6dd9<b= r>&nbsp=3BcreatorsName: cn=3Dconfig<br>&nbsp=3BcreateTimestamp: 20121202201= 635Z<br>&nbsp=3BolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem<br>&nbsp= =3BolcTLSCertificateFile: /etc/ssl/certs/master_slapd_cert.pem<br>&nbsp=3Bo= lcTLSCertificateKeyFile: /etc/ldap/master_slapd_key.pem<br>&nbsp=3BolcAuthz= Policy: to<br>&nbsp=3BolcSaslHost: master.example.net<br>&nbsp=3BolcSaslRea= lm: EXAMPLE.NET<br>&nbsp=3BolcAuthzRegexp: {0}uid=3Dldap/([^/.]+).example.= net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth cn=3D$1=2Cou=3Dhosts=2Cdc= =3Dexample=2Cdc=3Dnet<br>&nbsp=3BolcAuthzRegexp: {1}uid=3D([^=2C]+)=2Ccn=3D= example.net=2Ccn=3Dgssapi=2Ccn=3Dauth uid=3D$1=2Cou=3Dpeople=2Cdc=3Dexample= =2Cdc=3Dnet<br>&nbsp=3BolcLogLevel: -1<br>&nbsp=3BentryCSN: 20121204013949.= 466434Z#000000#000#000000<br>&nbsp=3BmodifiersName: gidNumber=3D0+uidNumber= =3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br>&nbsp=3BmodifyTimestamp= : 20121204013949Z<br>&nbsp=3Bdn: cn=3Dmodule{0}=2Ccn=3Dconfig<br>&nbsp=3Bob= jectClass: olcModuleList<br>&nbsp=3Bcn: module{0}<br>&nbsp=3BolcModulePath:= /usr/lib/ldap<br>&nbsp=3BolcModuleLoad: {0}back_hdb<br>&nbsp=3BolcModuleLo= ad: {1}syncprov<br>&nbsp=3BstructuralObjectClass: olcModuleList<br>&nbsp=3B= entryUUID: ea6dda08-d108-1031-9135-8fbb37ee6dd9<br>&nbsp=3BcreatorsName: cn= =3Dconfig<br>&nbsp=3BcreateTimestamp: 20121202201635Z<br>&nbsp=3BentryCSN: = 20121203054749.860918Z#000000#000#000000<br>&nbsp=3BmodifiersName: gidNumbe= r=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br>&nbsp=3B= modifyTimestamp: 20121203054749Z<br>&nbsp=3Bdn: cn=3Dschema=2Ccn=3Dconfig<b= r>&nbsp=3BobjectClass: olcSchemaConfig<br>&nbsp=3Bcn: schema<br>&nbsp=3Bstr= ucturalObjectClass: olcSchemaConfig<br>&nbsp=3BentryUUID: ea6c3a0e-d108-103= 1-9130-8fbb37ee6dd9<br>&nbsp=3BcreatorsName: cn=3Dconfig<br>&nbsp=3BcreateT= imestamp: 20121202201635Z<br>&nbsp=3BentryCSN: 20121202201635.672699Z#00000= 0#000#000000<br>&nbsp=3BmodifiersName: cn=3Dconfig<br>&nbsp=3BmodifyTimesta= mp: 20121202201635Z<br>&nbsp=3B&lt=3Bsnip schemas &gt=3B<br>&nbsp=3Bdn: olc= Backend=3D{0}hdb=2Ccn=3Dconfig<br>&nbsp=3BobjectClass: olcBackendConfig<br>= &nbsp=3BolcBackend: {0}hdb<br>&nbsp=3BstructuralObjectClass: olcBackendConf= ig<br>&nbsp=3BentryUUID: ea6f949c-d108-1031-9136-8fbb37ee6dd9<br>&nbsp=3Bcr= eatorsName: cn=3Dconfig<br>&nbsp=3BcreateTimestamp: 20121202201635Z<br>&nbs= p=3BentryCSN: 20121202201635.694663Z#000000#000#000000<br>&nbsp=3Bmodifiers= Name: cn=3Dconfig<br>&nbsp=3BmodifyTimestamp: 20121202201635Z<br>&nbsp=3Bdn= : olcDatabase=3D{-1}frontend=2Ccn=3Dconfig<br>&nbsp=3BobjectClass: olcDatab= aseConfig<br>&nbsp=3BobjectClass: olcFrontendConfig<br>&nbsp=3BolcDatabase:= {-1}frontend<br>&nbsp=3BolcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uid= Number=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal<br>&nbsp=3B =2Ccn=3Dauth manage = by * break<br>&nbsp=3BolcAccess: {1}to dn.exact=3D"" by * read<br>&nbsp=3Bo= lcAccess: {2}to dn.base=3D"cn=3DSubschema" by * read<br>&nbsp=3BolcSizeLimi= t: 500<br>&nbsp=3BstructuralObjectClass: olcDatabaseConfig<br>&nbsp=3Bentry= UUID: ea6c0bf6-d108-1031-912e-8fbb37ee6dd9<br>&nbsp=3BcreatorsName: cn=3Dco= nfig<br>&nbsp=3BcreateTimestamp: 20121202201635Z<br>&nbsp=3BentryCSN: 20121= 202201635.671512Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dconfig<b= r>&nbsp=3BmodifyTimestamp: 20121202201635Z<br>&nbsp=3Bdn: olcDatabase=3D{0}= config=2Ccn=3Dconfig<br>&nbsp=3BobjectClass: olcDatabaseConfig<br>&nbsp=3Bo= lcDatabase: {0}config<br>&nbsp=3BolcAccess: {0}to * by dn.exact=3DgidNumber= =3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth manage by * = break<br>&nbsp=3BstructuralObjectClass: olcDatabaseConfig<br>&nbsp=3BentryU= UID: ea6c325c-d108-1031-912f-8fbb37ee6dd9<br>&nbsp=3BcreatorsName: cn=3Dcon= fig<br>&nbsp=3BcreateTimestamp: 20121202201635Z<br>&nbsp=3BentryCSN: 201212= 02201635.672495Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dconfig<br=

&nbsp=3BmodifyTimestamp: 20121202201635Z<br>&nbsp=3Bdn: olcDatabase=3D{1}h=

db=2Ccn=3Dconfig<br>&nbsp=3BobjectClass: olcDatabaseConfig<br>&nbsp=3Bobjec= tClass: olcHdbConfig<br>&nbsp=3BolcDatabase: {1}hdb<br>&nbsp=3BolcDbDirecto= ry: /var/lib/ldap<br>&nbsp=3BolcSuffix: dc=3Dexample=2Cdc=3Dnet<br>&nbsp=3B= olcLastMod: TRUE<br>&nbsp=3BolcRootDN: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet= <br>&nbsp=3BolcRootPW:: e1NTSEF9cGhKNWtqME9rOGJnVXp0dy9hYzZEaWFmU1U1Z0FTZk0= =3D<br>&nbsp=3BolcDbCheckpoint: 512 30<br>&nbsp=3BolcDbConfig: {0}set_cache= size 0 2097152 0<br>&nbsp=3BolcDbConfig: {1}set_lk_max_objects 1500<br>&nbs= p=3BolcDbConfig: {2}set_lk_max_locks 1500<br>&nbsp=3BolcDbConfig: {3}set_lk= _max_lockers 1500<br>&nbsp=3BolcDbIndex: objectClass eq<br>&nbsp=3BolcDbInd= ex: uid eq<br>&nbsp=3BolcDbIndex: cn eq<br>&nbsp=3BolcDbIndex: ou eq<br>&nb= sp=3BolcDbIndex: dc eq<br>&nbsp=3BolcDbIndex: uidNumber eq<br>&nbsp=3BolcDb= Index: gidNumber eq<br>&nbsp=3BolcDbIndex: memberUid eq<br>&nbsp=3BolcDbInd= ex: uniqueMember eq<br>&nbsp=3BolcDbIndex: entryUUID eq<br>&nbsp=3BolcDbInd= ex: entryCSN eq<br>&nbsp=3BolcDbIndex: krbPrincipalName eq=2Cpres=2Csub<br>= &nbsp=3BolcDbIndex: krbPwdPolicyReference eq<br>&nbsp=3BstructuralObjectCla= ss: olcHdbConfig<br>&nbsp=3BentryUUID: ea6fa3ce-d108-1031-9137-8fbb37ee6dd9= <br>&nbsp=3BcreatorsName: cn=3Dconfig<br>&nbsp=3BcreateTimestamp: 201212022= 01635Z<br>&nbsp=3BolcAccess: {0}to attrs=3DuserPassword=2CshadowLastChange = by group.exact=3D"cn=3Dreplic<br>&nbsp=3B ators=2Cou=3Dgroups=2Cdc=3Dexampl= e=2Cdc=3Dnet" read by self write by anonymous auth<br>&nbsp=3BolcAccess: {1= }to attrs=3DauthzTo=2CauthzFrom=2Ccn=2CuidNumber=2CgidNumber=2Cuid by users= r<br>&nbsp=3B ead by anonymous none<br>&nbsp=3BolcAccess: {2}to attrs=3Dkr= bLastSuccessfulAuth=2CkrbExtraData=2CkrbLastFailedAuth=2Ckr<br>&nbsp=3B bLo= ginFailedCount by group.exact=3D"cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexam= ple=2Cdc=3Dnet"<br>&nbsp=3B&nbsp=3B read by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerbe= ros=2Cdc=3Dexample=2Cdc=3Dnet" write by dn=3D"cn=3Dadm-sr<br>&nbsp=3B v=2Co= u=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" write by self read by * none<br>&nb= sp=3BolcAccess: {3}to dn.subtree=3D"ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet= " by group.exact=3D"cn<br>&nbsp=3B =3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexam= ple=2Cdc=3Dnet" read by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2C<br>&nbsp=3B d= c=3Dexample=2Cdc=3Dnet" read by dn=3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3De= xample=2Cdc=3Dnet" writ<br>&nbsp=3B e by * none<br>&nbsp=3BolcAccess: {4}to= dn.base=3D"" by * read<br>&nbsp=3BolcAccess: {5}to * by dn=3D"cn=3Dadm-srv= =2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" write by s<br>&nbsp=3B elf writ= e by users read<br>&nbsp=3BentryCSN: 20121203054749.804561Z#000000#000#0000= 00<br>&nbsp=3BmodifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2C= cn=3Dexternal=2Ccn=3Dauth<br>&nbsp=3BmodifyTimestamp: 20121203054749Z<br>&n= bsp=3Bdn: olcOverlay=3D{0}syncprov=2ColcDatabase=3D{1}hdb=2Ccn=3Dconfig<br>= &nbsp=3BobjectClass: olcOverlayConfig<br>&nbsp=3BobjectClass: olcSyncProvCo= nfig<br>&nbsp=3BolcOverlay: {0}syncprov<br>&nbsp=3BolcSpCheckpoint: 100 10<= br>&nbsp=3BolcSpSessionlog: 100<br>&nbsp=3BstructuralObjectClass: olcSyncPr= ovConfig<br>&nbsp=3BentryUUID: b77dc36a-d158-1031-9917-2f12ddec6588<br>&nbs= p=3BcreatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dextern= al=2Ccn=3Dauth<br>&nbsp=3BcreateTimestamp: 20121203054749Z<br>&nbsp=3Bentry= CSN: 20121203054749.962179Z#000000#000#000000<br>&nbsp=3BmodifiersName: gid= Number=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br>&nb= sp=3BmodifyTimestamp: 20121203054749Z<BR>&nbsp=3Bvvvvvvvvvvvvvvvvvvvvvvvvvv= vvvvvvvv&nbsp=3B dc=3Dexample=2Cdc=3Dnet&nbsp=3B vvvvvvvvvvvvvvvvvvvvvvvvvv= vvvvvvvvvvvvvvvvvvvvv<br>&nbsp=3Bdn: dc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bobj= ectClass: top<br>&nbsp=3BobjectClass: dcObject<br>&nbsp=3BobjectClass: orga= nization<br>&nbsp=3Bo: example.net<br>&nbsp=3Bdc: example<br>&nbsp=3Bstruct= uralObjectClass: organization<br>&nbsp=3BentryUUID: eac01854-d108-1031-95b6= -31806daa9e45<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet= <br>&nbsp=3BcreateTimestamp: 20121202201636Z<br>&nbsp=3BentryCSN: 201212022= 01636.222029Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc= =3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121202201636Z<br>&nbsp= =3BcontextCSN: 20121204035116.890381Z#000000#000#000000<br>&nbsp=3Bdn: cn= =3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass: simpleSecurityOb= ject<br>&nbsp=3BobjectClass: organizationalRole<br>&nbsp=3Bcn: admin<br>&nb= sp=3Bdescription: LDAP administrator<br>&nbsp=3BuserPassword:: &lt=3Bsecret= &gt=3B<br>&nbsp=3BstructuralObjectClass: organizationalRole<br>&nbsp=3Bentr= yUUID: eac2e160-d108-1031-95b7-31806daa9e45<br>&nbsp=3BcreatorsName: cn=3Da= dmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121202201636Z<= br>&nbsp=3BentryCSN: 20121202201636.240572Z#000000#000#000000<br>&nbsp=3Bmo= difiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestam= p: 20121202201636Z<br>&nbsp=3Bdn: ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>= &nbsp=3BobjectClass: organizationalUnit<br>&nbsp=3Bou: people<br>&nbsp=3Bde= scription: user account objects<br>&nbsp=3BstructuralObjectClass: organizat= ionalUnit<br>&nbsp=3BentryUUID: 1cee4810-d12b-1031-9787-4f8d9abcea93<br>&nb= sp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTi= mestamp: 20121203002123Z<br>&nbsp=3BentryCSN: 20121203002123.299880Z#000000= #000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<= br>&nbsp=3BmodifyTimestamp: 20121203002123Z<br>&nbsp=3Bdn: ou=3Dgroups=2Cdc= =3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass: organizationalUnit<br>&nbsp= =3Bou: groups<br>&nbsp=3Bdescription: group objects<br>&nbsp=3BstructuralOb= jectClass: organizationalUnit<br>&nbsp=3BentryUUID: 1cfcb788-d12b-1031-9788= -4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet= <br>&nbsp=3BcreateTimestamp: 20121203002123Z<br>&nbsp=3BentryCSN: 201212030= 02123.394485Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc= =3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203002123Z<br>&nbsp= =3Bdn: ou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass: organiz= ationalUnit<br>&nbsp=3Bou: hosts<br>&nbsp=3Bdescription: host/computer obje= cts<br>&nbsp=3BstructuralObjectClass: organizationalUnit<br>&nbsp=3BentryUU= ID: 1cfdb37c-d12b-1031-9789-4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dadmi= n=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203002123Z<br>= &nbsp=3BentryCSN: 20121203002123.400935Z#000000#000#000000<br>&nbsp=3Bmodif= iersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: = 20121203002123Z<br>&nbsp=3Bdn: ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&= nbsp=3BobjectClass: organizationalUnit<br>&nbsp=3Bou: kerberos<br>&nbsp=3Bd= escription: kerberos realm container<br>&nbsp=3BstructuralObjectClass: orga= nizationalUnit<br>&nbsp=3BentryUUID: 1cfef412-d12b-1031-978a-4f8d9abcea93<b= r>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bcre= ateTimestamp: 20121203002123Z<br>&nbsp=3BentryCSN: 20121203002123.409140Z#0= 00000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc= =3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203002123Z<br>&nbsp=3Bdn: cn=3Drepl= ica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bcn: replica<br>&nbsp= =3BobjectClass: simpleSecurityObject<br>&nbsp=3BobjectClass: organizational= Role<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp=3BobjectClass: krbTic= ketPolicyAux<br>&nbsp=3BauthzTo: dn:*<br>&nbsp=3Bdescription: LDAP server= =2C replica<br>&nbsp=3BstructuralObjectClass: organizationalRole<br>&nbsp= =3BentryUUID: 1d02dae6-d12b-1031-978b-4f8d9abcea93<br>&nbsp=3BcreatorsName:= cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 201212030= 02123Z<br>&nbsp=3BkrbPrincipalName: <a href=3D"mailto:host/replica.example.= net@EXAMPLE.NET">host/replica.example.net@EXAMPLE.NET</a><br>&nbsp=3BkrbLog= inFailedCount: 0<br>&nbsp=3BkrbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDA= gEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gADgZgDa20URzdHW= Q1WObQespjD5JMlRSb3fbZN8fG+gFml3DZQzinhbRURAxZ<br>&nbsp=3B oJVqBI/zPGh/FDf9= m+5bDBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAz54uBWIC4AFa66jXa6Mn3k<br>&nbsp=3B f= 62uOX1YE6N3JlXl1EG2abEzZw1xWglReNN68wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAKu6lb= /<br>&nbsp=3B QQQHgCnrL6XaSAYoh3A5GHF0xa2/vTWwq+lX4zmCpbY2l2up3TBVKZrhlenNS= kxswPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIAGjfhZNlm0+a6MGvBgok7WxzB6= 38xMCex7sQ1zfzZkLiViiKpw=3D=3D<br>&nbsp=3BkrbPasswordExpiration: 1970010100= 0000Z<br>&nbsp=3BkrbLastPwdChange: 20121203065600Z<br>&nbsp=3BkrbExtraData:= : AAIATbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br>&nbsp=3BkrbExtraData:: = AAgBAA=3D=3D<br>&nbsp=3BuserPassword:: &lt=3Bsecret&gt=3B<br>&nbsp=3BentryC= SN: 20121203233422.105322Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn= =3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 201212032334= 22Z<br>&nbsp=3Bdn: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br>&n= bsp=3Bcn: master<br>&nbsp=3BobjectClass: simpleSecurityObject<br>&nbsp=3Bob= jectClass: organizationalRole<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&n= bsp=3BobjectClass: krbTicketPolicyAux<br>&nbsp=3BauthzTo: dn:*<br>&nbsp=3Bd= escription: LDAP server=2C replica<br>&nbsp=3BuserPassword:: e0NSWVBUfSo=3D= <br>&nbsp=3BstructuralObjectClass: organizationalRole<br>&nbsp=3BentryUUID:= 1d0514dc-d12b-1031-978c-4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dadmin= =2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203002123Z<br>&= nbsp=3BkrbPrincipalName: <a href=3D"mailto:host/master.example.net@EXAMPLE.= NET">host/master.example.net@EXAMPLE.NET</a><br>&nbsp=3BkrbLoginFailedCount= : 0<br>&nbsp=3BkrbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCAS= gwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gACzEUo41sdOc4i+gbyFE/lai6sMd= eygNYlf/SiWtzll+A7x/QBVoz7zFW+aWr<br>&nbsp=3B 8/FMEBj49p4Bn0Goa371TBEoAcwBa= ADAgEAoTkwN6ADAgEXoTAELhAAGW4+8wBum86XgWwWj5522A<br>&nbsp=3B i/CCoCVDIVBZHO= I48rJZHrgu59tvH0fH7TDkcwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAH15xNZ<br>&nbsp=3B= VJSjkEKx2M7Ai17Og8lMWwXAsDB2h+LsGC+HsSWdbE0P4yCNkjMOdIwnwJJ3OA48wPKAHMAWgA= wIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIAGuLUyYlXYKdpNk9KEe7TuHulCL0Fzr4N8WXAv3= DaIILvcKv0w=3D=3D<br>&nbsp=3BkrbPasswordExpiration: 19700101000000Z<br>&nbs= p=3BkrbLastPwdChange: 20121203060855Z<br>&nbsp=3BkrbExtraData:: AAL3QbxQYWR= taW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br>&nbsp=3BkrbExtraData:: AAgBAA=3D=3D<= br>&nbsp=3BentryCSN: 20121203060855.932134Z#000000#000#000000<br>&nbsp=3Bmo= difiersName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbs= p=3BmodifyTimestamp: 20121203060855Z<br>&nbsp=3Bdn: cn=3Dadministrator=2Cou= =3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass: posixGroup<br>&= nbsp=3Bcn: administrator<br>&nbsp=3BgidNumber: 50000<br>&nbsp=3BstructuralO= bjectClass: posixGroup<br>&nbsp=3BentryUUID: 1d079216-d12b-1031-978d-4f8d9a= bcea93<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nb= sp=3BcreateTimestamp: 20121203002123Z<br>&nbsp=3BentryCSN: 20121203002123.4= 65616Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexampl= e=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203002123Z<br>&nbsp=3Bdn: cn= =3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectCla= ss: top<br>&nbsp=3BobjectClass: groupOfNames<br>&nbsp=3Bcn: replicators<br>= &nbsp=3Bmember: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbs= p=3Bmember: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bs= tructuralObjectClass: groupOfNames<br>&nbsp=3BentryUUID: 1d096db6-d12b-1031= -978e-4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc= =3Dnet<br>&nbsp=3BcreateTimestamp: 20121203002123Z<br>&nbsp=3BentryCSN: 201= 21203002123.477792Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin= =2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203002123Z<br>&= nbsp=3Bdn: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&= nbsp=3BobjectClass: top<br>&nbsp=3BobjectClass: inetOrgPerson<br>&nbsp=3Bob= jectClass: posixAccount<br>&nbsp=3BobjectClass: shadowAccount<br>&nbsp=3Bob= jectClass: krbPrincipalAux<br>&nbsp=3BobjectClass: krbTicketPolicyAux<br>&n= bsp=3Bcn: administrator<br>&nbsp=3Bsn: administrator<br>&nbsp=3BuidNumber: = 50000<br>&nbsp=3BgidNumber: 50000<br>&nbsp=3BuserPassword:: &lt=3Bsecret&gt= =3B<br>&nbsp=3BhomeDirectory: /home/administrator<br>&nbsp=3BstructuralObje= ctClass: inetOrgPerson<br>&nbsp=3Buid: administrator<br>&nbsp=3BentryUUID: = 1d0a9bf0-d12b-1031-978f-4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dadmin=2C= dc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203002123Z<br>&nbs= p=3BkrbPrincipalName: <a href=3D"mailto:administrator@EXAMPLE.NET">administ= rator@EXAMPLE.NET</a><br>&nbsp=3BkrbPrincipalKey:: MIICa6ADAgEBoQMCAQGiAwIB= AaMDAgEBpIICUzCCAk8wVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gALWKtjcuVI= PL0PLDhUQleHDwIp4PB4O0T3ays8putrnZEUxVC+EcqcdxailuD<br>&nbsp=3B o3oHvU0K11Y= iAyckIKjfzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAQRTIM4QI0IPjmA1xg/Ot7l<br>&nbsp= =3B cXQSCNuv7MRgBJl7N1QsxS7naYbgLlyybkbXkwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYA= DmOzq8<br>&nbsp=3B 96TliwJM9J3X0Dxb/Y+bcTz3e4/FarTIvzEMrMneaW57VGLWX1y162/L= Nz2jwAqIwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIAMBGuqUqQw8nhnQ194wQI= Cvc+Iu0yPUdSTzjGXtDhPSaAHj70DA8oAcwB<br>&nbsp=3B aADAgEBoTEwL6ADAgEDoSgEJgg= A0mkFMVjyT2Jn553z2fZNIOQ8fYR2jtUcGFbyUL4s4HaK+6yoME<br>&nbsp=3B 2gGDAWoAMCA= QKhDwQNYWRtaW5pc3RyYXRvcqExMC+gAwIBA6EoBCYIAHKR4PzhneCY8c8tLpo8yyO<br>&nbsp= =3B mpk8FynWjl7rVe+Zqq9gIt4KXTTBLoBYwFKADAgEDoQ0EC0VYQU1QTEUuTkVUoTEwL6ADAg= EDoSgE<br>&nbsp=3B JggA4e6VizsvWUEKEqAt58PrPViScqavK7u2VuYDpNNuVwTv3zGmMEug= FjAUoAMCAQWhDQQLRVhBT<br>&nbsp=3B VBMRS5ORVShMTAvoAMCAQOhKAQmCACA4sM1SoUcEE= YGOMA8CDwINmmJXgnKPQr8jRDsxGToXGa5U+<br>&nbsp=3B g=3D<br>&nbsp=3BkrbLastPwd= Change: 20121203054848Z<br>&nbsp=3BkrbLastFailedAuth: 20121204013714Z<br>&n= bsp=3BkrbLoginFailedCount: 0<br>&nbsp=3Bdescription: Network Administrator<= br>&nbsp=3BkrbLastSuccessfulAuth: 20121204035116Z<br>&nbsp=3BkrbExtraData::= AAJAPbxQcm9vdC9hZG1pbkBFWEFNUExFLk5FVAA=3D<br>&nbsp=3BkrbExtraData:: AAgBA= A=3D=3D<br>&nbsp=3BentryCSN: 20121204035116.890381Z#000000#000#000000<br>&n= bsp=3BmodifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet= <br>&nbsp=3BmodifyTimestamp: 20121204035116Z<br>&nbsp=3Bdn: cn=3Dkdc-srv=2C= ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass: simpleSecur= ityObject<br>&nbsp=3BobjectClass: organizationalRole<br>&nbsp=3Bcn: kdc-srv= <br>&nbsp=3Bdescription: Kerberos KDC<br>&nbsp=3BuserPassword:: &lt=3Bsecre= t&gt=3B<br>&nbsp=3BstructuralObjectClass: organizationalRole<br>&nbsp=3Bent= ryUUID: 1d168924-d12b-1031-9790-4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3D= admin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203002123Z= <br>&nbsp=3BentryCSN: 20121203002123.563692Z#000000#000#000000<br>&nbsp=3Bm= odifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimesta= mp: 20121203002123Z<br>&nbsp=3Bdn: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexam= ple=2Cdc=3Dnet<br>&nbsp=3BobjectClass: simpleSecurityObject<br>&nbsp=3Bobje= ctClass: organizationalRole<br>&nbsp=3Bcn: adm-srv<br>&nbsp=3Bdescription: = Kerberos Admin Server<br>&nbsp=3BuserPassword:: &lt=3Bsecret&gt=3B<br>&nbsp= =3BstructuralObjectClass: organizationalRole<br>&nbsp=3BentryUUID: 1d18610e= -d12b-1031-9791-4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexa= mple=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203002123Z<br>&nbsp=3Bentr= yCSN: 20121203002123.575773Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn= =3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 201212030021= 23Z<br>&nbsp=3Bdn: cn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dn= et<br>&nbsp=3Bcn: EXAMPLE.NET<br>&nbsp=3BobjectClass: top<br>&nbsp=3Bobject= Class: krbRealmContainer<br>&nbsp=3BobjectClass: krbTicketPolicyAux<br>&nbs= p=3BkrbSubTrees: dc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BkrbSearchScope: 2<br>&n= bsp=3BkrbMaxRenewableAge: 604800<br>&nbsp=3BkrbMaxTicketLife: 36000<br>&nbs= p=3BstructuralObjectClass: krbRealmContainer<br>&nbsp=3BentryUUID: c03d58b8= -d134-1031-83e7-0707760cf534<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexa= mple=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203013022Z<br>&nbsp=3Bentr= yCSN: 20121203013022.757228Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn= =3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 201212030130= 22Z<br>&nbsp=3Bdn: <a href=3D"mailto:krbPrincipalName=3DK/M@EXAMPLE.NET=2Cc= n=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName= =3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc= =3Dnet</a><br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbMaxTicketLife: 3= 6000<br>&nbsp=3BkrbMaxRenewableAge: 604800<br>&nbsp=3BkrbTicketFlags: 192<b= r>&nbsp=3BkrbPrincipalName: <a href=3D"mailto:K/M@EXAMPLE.NET">K/M@EXAMPLE.= NET</a><br>&nbsp=3BkrbPrincipalExpiration: 19700101000000Z<br>&nbsp=3BkrbPr= incipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+gAwIB<b= r>&nbsp=3B EKE4BDYYALvAYATOnUQCrTUO54HKuJKnttvmnxYyud5Fh6T22oTH0qAUzKRfDdxT= uO7OIrbK/c4Ks<br>&nbsp=3B HI=3D<br>&nbsp=3BkrbLastPwdChange: 19700101000000= Z<br>&nbsp=3BkrbExtraData:: AAkBAAEArgC8UA=3D=3D<br>&nbsp=3BkrbExtraData:: = AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA<br>&nbsp=3BkrbExtraData:: AAcBAAIA= AgAAAAAAAAA=3D<br>&nbsp=3BobjectClass: krbPrincipal<br>&nbsp=3BobjectClass:= krbPrincipalAux<br>&nbsp=3BobjectClass: krbTicketPolicyAux<br>&nbsp=3Bstru= cturalObjectClass: krbPrincipal<br>&nbsp=3BentryUUID: c04d9282-d134-1031-83= e8-0707760cf534<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dn= et<br>&nbsp=3BcreateTimestamp: 20121203013022Z<br>&nbsp=3BentryCSN: 2012120= 3013022.863568Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc= =3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203013022Z<br>&nbsp= =3Bdn: <a href=3D"mailto:krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET= =2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipal= Name=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2C= dc=3Dexample=2Cdc=3Dnet</a><br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3Bkr= bMaxTicketLife: 36000<br>&nbsp=3BkrbMaxRenewableAge: 604800<br>&nbsp=3BkrbT= icketFlags: 0<br>&nbsp=3BkrbPrincipalName: <a href=3D"mailto:krbtgt/EXAMPLE= .NET@EXAMPLE.NET">krbtgt/EXAMPLE.NET@EXAMPLE.NET</a><br>&nbsp=3BkrbPrincipa= lExpiration: 19700101000000Z<br>&nbsp=3BkrbPrincipalKey:: MIIBgqADAgEBoQMCA= QGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gAOy= PPy2RLdudifS8baeUvv3AxlGKKubyeRUcnwFc2CqS9kNvgpTNujaNnfmRR<br>&nbsp=3B GQI5= lTHUdwGYqHfr+ayuTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAe8n+vM9TXvNAG43Va7UKy1<b= r>&nbsp=3B 93EQx3jtSTiD0aa2tNK9FbkomkYG0mWlz/xW4wTKAHMAWgAwIBAKFBMD+gAwIBEK= E4BDYYAM9KwFT<br>&nbsp=3B B9MqvfMfba37K7zY6lqPhLpF8d0uucRA/Ewed1i9wfjiOuxQV= R0PWLB2OM5q1llQwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIAFObLZrmdRD8NE= ctxP0TySKwmGNnKiX7m+EMMvNj4xmNIa2yTTA8oAcwB<br>&nbsp=3B aADAgEAoTEwL6ADAgED= oSgEJggAXVm59rkWXluDnx/F0XOEDh4i3Nz9HckLfrcVL5goKRVOV8oR<br>&nbsp=3BkrbLast= PwdChange: 19700101000000Z<br>&nbsp=3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb2= 5ARVhBTVBMRS5ORVQA<br>&nbsp=3BkrbExtraData:: AAcBAAIAAgAAAAAAAAA=3D<br>&nbs= p=3BobjectClass: krbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&n= bsp=3BobjectClass: krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: krb= Principal<br>&nbsp=3BentryUUID: c0518180-d134-1031-83e9-0707760cf534<br>&nb= sp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTi= mestamp: 20121203013022Z<br>&nbsp=3BentryCSN: 20121203013022.889347Z#000000= #000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<= br>&nbsp=3BmodifyTimestamp: 20121203013022Z<br>&nbsp=3Bdn: <a href=3D"mailt= o:krbPrincipalName=3Dkadmin/admin@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dker= beros=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName=3Dkadmin/admin@EXAMPLE.NE= T=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a><br>&nbsp= =3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbMaxTicketLife: 10800<br>&nbsp=3Bkrb= MaxRenewableAge: 604800<br>&nbsp=3BkrbTicketFlags: 4<br>&nbsp=3BkrbPrincipa= lName: <a href=3D"mailto:kadmin/admin@EXAMPLE.NET">kadmin/admin@EXAMPLE.NET= </a><br>&nbsp=3BkrbPrincipalExpiration: 19700101000000Z<br>&nbsp=3BkrbPrinc= ipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br>&= nbsp=3B MEegAwIBEqFABD4gAMjLoWHTDPL9j+ribbAohbY8+SM973mU5iIvxN7MItjbLtXBh/7= CF2xtCkdsY<br>&nbsp=3B 5WwobkGKFvGkZvTL+olZjBEoAcwBaADAgEAoTkwN6ADAgEXoTAEL= hAAwMe5Vpq5Hd2Zy1E8M28Ix6<br>&nbsp=3B SbAtMeUjzpEqwQM3P838foPwM9ZfRYhfZ0UfA= wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAGZM5wu<br>&nbsp=3B tIcsdKbsYTDZgUzqIADtNt= 4GYjBIJx13JO40Bto78eCybAvE4uqFivBmdH1kEy8cwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+= gAwIBAaEoBCYIAHrJty4X1D5dPY/PW84Lgb0YYuazteCJMYvphJZr3LeKs7suBzA8oAcwB<br>&= nbsp=3B aADAgEAoTEwL6ADAgEDoSgEJggAMDfJDyzgWa4vsKv6rs9IkXOq8eEePAQPB9s0UPbM= +9bG3aQz<br>&nbsp=3BkrbLastPwdChange: 19700101000000Z<br>&nbsp=3BkrbExtraDa= ta:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA<br>&nbsp=3BkrbExtraData:: AAc= BAAIAAgAAAGlvbkA=3D<br>&nbsp=3BobjectClass: krbPrincipal<br>&nbsp=3BobjectC= lass: krbPrincipalAux<br>&nbsp=3BobjectClass: krbTicketPolicyAux<br>&nbsp= =3BstructuralObjectClass: krbPrincipal<br>&nbsp=3BentryUUID: c05346be-d134-= 1031-83ea-0707760cf534<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample= =2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203013022Z<br>&nbsp=3BentryCSN= : 20121203013022.900950Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Da= dmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203013022Z<= br>&nbsp=3Bdn: <a href=3D"mailto:krbPrincipalName=3Dkadmin/changepw@EXAMPLE= .NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPrinc= ipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos= =2Cdc=3Dexample=2Cdc=3Dnet</a><br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp= =3BkrbMaxTicketLife: 300<br>&nbsp=3BkrbMaxRenewableAge: 604800<br>&nbsp=3Bk= rbTicketFlags: 8196<br>&nbsp=3BkrbPrincipalName: <a href=3D"mailto:kadmin/c= hangepw@EXAMPLE.NET">kadmin/changepw@EXAMPLE.NET</a><br>&nbsp=3BkrbPrincipa= lExpiration: 19700101000000Z<br>&nbsp=3BkrbPrincipalKey:: MIIBgqADAgEBoQMCA= QGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gAHN= xSgJ9GwIH0UmFf5Ol8WWQ/2Wy6nQqmf+yX4dVzEQFsmaBp9l1hsceWqIB2<br>&nbsp=3B ic80= wlAJW9Do0gSOaiYfjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAt+ZrWZKAjKkUhSJt0wwSqU<b= r>&nbsp=3B ootXhNduXIRVjUJxWVtXdPTI7RcL/yjZK2M0MwTKAHMAWgAwIBAKFBMD+gAwIBEK= E4BDYYACd423Z<br>&nbsp=3B epUHmGMVf2I5sRQZRuoypVddoREy1pTtTMIiGvqai7Z+PRHbp= L0kTawz9zdg60IgwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIAGGbQu5FJ0ewAs= CALf9yDbvOIa7Abx0PmnGw+PSKWOt8Dsur9TA8oAcwB<br>&nbsp=3B aADAgEAoTEwL6ADAgED= oSgEJggAjG9iwd398xO7bFH+bAQDGv0Hh6Qr+QIpNAUB/w7dmvqU9zPl<br>&nbsp=3BkrbLast= PwdChange: 19700101000000Z<br>&nbsp=3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb2= 5ARVhBTVBMRS5ORVQA<br>&nbsp=3BkrbExtraData:: AAcBAAIAAgAAAGlvbkA=3D<br>&nbs= p=3BobjectClass: krbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&n= bsp=3BobjectClass: krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: krb= Principal<br>&nbsp=3BentryUUID: c054d88a-d134-1031-83eb-0707760cf534<br>&nb= sp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTi= mestamp: 20121203013022Z<br>&nbsp=3BentryCSN: 20121203013022.911237Z#000000= #000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<= br>&nbsp=3BmodifyTimestamp: 20121203013022Z<br>&nbsp=3Bdn: <a href=3D"mailt= o:krbPrincipalName=3Dkadmin/history@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dk= erberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName=3Dkadmin/history@EXAMPL= E.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a><br>&= nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbMaxTicketLife: 36000<br>&nbsp= =3BkrbMaxRenewableAge: 604800<br>&nbsp=3BkrbTicketFlags: 0<br>&nbsp=3BkrbPr= incipalName: <a href=3D"mailto:kadmin/history@EXAMPLE.NET">kadmin/history@E= XAMPLE.NET</a><br>&nbsp=3BkrbPrincipalExpiration: 19700101000000Z<br>&nbsp= =3BkrbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD= +gAwIB<br>&nbsp=3B EKE4BDYYAOhayj3RDyyg78DGPFKNATBnpKKbf2qwLJbJ0nPXoUdjtbHp= jECIfASUXjBoB+Pkd/N+Z<br>&nbsp=3B 2g=3D<br>&nbsp=3BkrbLastPwdChange: 197001= 01000000Z<br>&nbsp=3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQ= A<br>&nbsp=3BkrbExtraData:: AAcBAAIAAgAAAGlvbkA=3D<br>&nbsp=3BobjectClass: = krbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp=3BobjectClass= : krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: krbPrincipal<br>&nbs= p=3BentryUUID: c0562d3e-d134-1031-83ec-0707760cf534<br>&nbsp=3BcreatorsName= : cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203= 013022Z<br>&nbsp=3BentryCSN: 20121203013022.919957Z#000000#000#000000<br>&n= bsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bmodify= Timestamp: 20121203013022Z<br>&nbsp=3Bdn: <a href=3D"mailto:krbPrincipalNam= e=3Dkadmin/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerbero= s=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName=3Dkadmin/master.example.net@E= XAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a>= <br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbMaxTicketLife: 10800<br>&n= bsp=3BkrbMaxRenewableAge: 604800<br>&nbsp=3BkrbTicketFlags: 4<br>&nbsp=3Bkr= bPrincipalName: <a href=3D"mailto:kadmin/master.example.net@EXAMPLE.NET">ka= dmin/master.example.net@EXAMPLE.NET</a><br>&nbsp=3BkrbPrincipalExpiration: = 19700101000000Z<br>&nbsp=3BkrbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAg= EApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gABhOeGOuo9UBDjK7= hTQ3Xfs8vsWB+Afl0JkPaSt3T3tRkZbWxAhTxXl+4Ta3z<br>&nbsp=3B Y4ZaEYItXr2awBW6Q= XSZzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAUUoLikQRp1c+vGFRtGg1qY<br>&nbsp=3B oe= v8m55VO73g+xEqcx02MJa1x+esm5y9VTMLswTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACj0sgn= <br>&nbsp=3B ZOyWATgpst3N3pSom4smhxBWYgpTMghwaS5gFeKMZhccDSI8Ahm4nQPFmq3Jrf= 4UwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIAL0gPnqCvdlb4//Xw5iE8Jvj2qY= DwpK0Hycj+cwyCjFsVKTsjzA8oAcwB<br>&nbsp=3B aADAgEAoTEwL6ADAgEDoSgEJggAxTSME= h/7bfV2AYx4VoP8cIeunsqtrcvNIItmDxSqZ0ecZABm<br>&nbsp=3BkrbLastPwdChange: 19= 700101000000Z<br>&nbsp=3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5= ORVQA<br>&nbsp=3BkrbExtraData:: AAcBAAIAAgAAANAD4gA=3D<br>&nbsp=3BobjectCla= ss: krbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp=3BobjectC= lass: krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: krbPrincipal<br>= &nbsp=3BentryUUID: c0581144-d134-1031-83ed-0707760cf534<br>&nbsp=3Bcreators= Name: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 2012= 1203013022Z<br>&nbsp=3BentryCSN: 20121203013022.932349Z#000000#000#000000<b= r>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bmo= difyTimestamp: 20121203013022Z<br>&nbsp=3Bdn: <a href=3D"mailto:krbPrincipa= lName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerbe= ros=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName=3Dldap/master.example.net@E= XAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a>= <br>&nbsp=3BkrbPrincipalName: <a href=3D"mailto:ldap/master.example.net@EXA= MPLE.NET">ldap/master.example.net@EXAMPLE.NET</a><br>&nbsp=3BobjectClass: k= rbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp=3BobjectClass:= krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: krbPrincipal<br>&nbsp= =3BentryUUID: 91a6199c-d15a-1031-9919-2f12ddec6588<br>&nbsp=3BcreatorsName:= cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTi= mestamp: 20121203060105Z<br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbPr= incipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<b= r>&nbsp=3B MEegAwIBEqFABD4gAA6GzVEXOsoNQbzbqFy0KZqXt04aRDje4Gxq4ZS4b/z+l6pK= gmUyVdsPUS2wz<br>&nbsp=3B qeKY56slAvVlnRCQt+uZTBEoAcwBaADAgEAoTkwN6ADAgEXoT= AELhAAkzwNhAF14TYWZyLZem5kvD<br>&nbsp=3B yuLARt7Z3LLsduQ1j6s7P6EFMDNWPaHCJf= 09cwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAAbNr3p<br>&nbsp=3B vkmNXkIZNgUtw2FJ3Vt= GEU9MmDmNHCFKSk4kHCR9naWPkbMzRmWA7s/yGkwIWxCMwPKAHMAWgAwIB<br>&nbsp=3B AKEx= MC+gAwIBAaEoBCYIAPc+l15I9VR4tYjNfS6XRX09JRoioaavGokNvj0RJa1/h4j3hg=3D=3D<br=

&nbsp=3BkrbPasswordExpiration: 19700101000000Z<br>&nbsp=3BkrbLastPwdChange=

: 20121203060153Z<br>&nbsp=3BkrbLastSuccessfulAuth: 20121203061721Z<br>&nbs= p=3BkrbExtraData:: AAJRQLxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br>&nbsp= =3BkrbExtraData:: AAgBAA=3D=3D<br>&nbsp=3BentryCSN: 20121203061721.358939Z#= 000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2C= dc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203061721Z<br>&nbs= p=3Bdn: <a href=3D"mailto:krbPrincipalName=3Dldap/replica.example.net@EXAMP= LE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPri= ncipalName=3Dldap/replica.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou= =3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a><br>&nbsp=3BkrbPrincipalName: <a h= ref=3D"mailto:ldap/replica.example.net@EXAMPLE.NET">ldap/replica.example.ne= t@EXAMPLE.NET</a><br>&nbsp=3BobjectClass: krbPrincipal<br>&nbsp=3BobjectCla= ss: krbPrincipalAux<br>&nbsp=3BobjectClass: krbTicketPolicyAux<br>&nbsp=3Bs= tructuralObjectClass: krbPrincipal<br>&nbsp=3BentryUUID: 205686f2-d162-1031= -9537-2fa18b539eb9<br>&nbsp=3BcreatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2C= dc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203065511Z<br>&nbs= p=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbPrincipalKey:: MIIBRKADAgEBoQMCAQG= iAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gABVJB= bD8SWzRxzA92ncPp+x/Trd3GJY/P6w+ErH3wddcUmq3o092v7mUXFMNw<br>&nbsp=3B 2R8oC1= rwLD2B/deCyuHDTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAApsEJiySukR8L5M3DKbipUj<br>= &nbsp=3B AITSVQQL2YSqY7xr/BY7Hm3huN/juvnC7u/ZQwTKAHMAWgAwIBAKFBMD+gAwIBEKE4= BDYYAOvmT4x<br>&nbsp=3B MDAmgH2qTgqXTSLwRcBvT7QMWYMH0oi7HW8DYC09HDAdD2/vqaB= sgthQCj3BCDmkwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIALQe5Qa57ZwsYK2m= xhbNOhrO0Yn/OVLez1VQiEmrpj2/GvJLXA=3D=3D<br>&nbsp=3BkrbPasswordExpiration: = 19700101000000Z<br>&nbsp=3BkrbLastPwdChange: 20121203065628Z<br>&nbsp=3Bkrb= LastSuccessfulAuth: 20121204032538Z<br>&nbsp=3BkrbExtraData:: AAIcTbxQYWRta= W5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br>&nbsp=3BkrbExtraData:: AAgBAA=3D=3D<br=

&nbsp=3BentryCSN: 20121204032538.048010Z#000000#000#000000<br>&nbsp=3Bmodi=

fiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp= =3BmodifyTimestamp: 20121204032538Z<br>&nbsp=3B <br>&nbsp=3B <br>&nbsp=3B <= br>&nbsp=3Bvvvvvvvvvvvvvvvvvvvv replica config vvvvvvvvvvvvvvvvvvvvvvvvvvvv= vvvvvvvv<br>&nbsp=3B <br>&nbsp=3Bdn: cn=3Dconfig<br>&nbsp=3BobjectClass: ol= cGlobal<br>&nbsp=3Bcn: config<br>&nbsp=3BolcArgsFile: /var/run/slapd/slapd.= args<br>&nbsp=3BolcPidFile: /var/run/slapd/slapd.pid<br>&nbsp=3BolcToolThre= ads: 1<br>&nbsp=3BstructuralObjectClass: olcGlobal<br>&nbsp=3BentryUUID: af= 9b0068-d108-1031-9417-cd3569532aaf<br>&nbsp=3BcreatorsName: cn=3Dconfig<br>= &nbsp=3BcreateTimestamp: 20121202201456Z<br>&nbsp=3BolcTLSCACertificateFile= : /etc/ssl/certs/cacert.pem<br>&nbsp=3BolcTLSCertificateFile: /etc/ssl/cert= s/replica_slapd_cert.pem<br>&nbsp=3BolcTLSCertificateKeyFile: /etc/ldap/rep= lica_slapd_key.pem<br>&nbsp=3BolcLogLevel: stats<br>&nbsp=3BolcAuthzRegexp:= {0}uid=3Dldap/([^/.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn= =3Dauth cn=3D$1=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BolcAuthzR= egexp: {1}uid=3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth uid= =3D$1=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BolcSaslHost: repli= ca.example.net<br>&nbsp=3BolcSaslRealm: EXAMPLE.NET<br>&nbsp=3BentryCSN: 20= 121204023449.956406Z#000000#000#000000<br>&nbsp=3BmodifiersName: gidNumber= =3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br>&nbsp=3Bm= odifyTimestamp: 20121204023449Z<br>&nbsp=3Bdn: cn=3Dmodule{0}=2Ccn=3Dconfig= <br>&nbsp=3BobjectClass: olcModuleList<br>&nbsp=3Bcn: module{0}<br>&nbsp=3B= olcModulePath: /usr/lib/ldap<br>&nbsp=3BolcModuleLoad: {0}back_hdb<br>&nbsp= =3BolcModuleLoad: {1}back_ldap<br>&nbsp=3BstructuralObjectClass: olcModuleL= ist<br>&nbsp=3BentryUUID: af9d1e34-d108-1031-941f-cd3569532aaf<br>&nbsp=3Bc= reatorsName: cn=3Dconfig<br>&nbsp=3BcreateTimestamp: 20121202201457Z<br>&nb= sp=3BentryCSN: 20121204041212.292184Z#000000#000#000000<br>&nbsp=3Bmodifier= sName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Da= uth<br>&nbsp=3BmodifyTimestamp: 20121204041212Z<br>&nbsp=3Bdn: cn=3Dschema= =2Ccn=3Dconfig<br>&nbsp=3BobjectClass: olcSchemaConfig<br>&nbsp=3Bcn: schem= a<br>&nbsp=3BstructuralObjectClass: olcSchemaConfig<br>&nbsp=3BentryUUID: a= f9b564e-d108-1031-941a-cd3569532aaf<br>&nbsp=3BcreatorsName: cn=3Dconfig<br=

&nbsp=3BcreateTimestamp: 20121202201456Z<br>&nbsp=3BentryCSN: 201212022014=

56.995860Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dconfig<br>&nbsp= =3BmodifyTimestamp: 20121202201456Z<BR>&nbsp=3B&lt=3B snip schemas &gt=3B<B= R>&nbsp=3Bdn: olcBackend=3D{0}hdb=2Ccn=3Dconfig<br>&nbsp=3BobjectClass: olc= BackendConfig<br>&nbsp=3BolcBackend: {0}hdb<br>&nbsp=3BstructuralObjectClas= s: olcBackendConfig<br>&nbsp=3BentryUUID: af9e498a-d108-1031-9420-cd3569532= aaf<br>&nbsp=3BcreatorsName: cn=3Dconfig<br>&nbsp=3BcreateTimestamp: 201212= 02201457Z<br>&nbsp=3BentryCSN: 20121202201457.015189Z#000000#000#000000<br>= &nbsp=3BmodifiersName: cn=3Dconfig<br>&nbsp=3BmodifyTimestamp: 201212022014= 57Z<br>&nbsp=3Bdn: olcDatabase=3D{-1}frontend=2Ccn=3Dconfig<br>&nbsp=3Bobje= ctClass: olcDatabaseConfig<br>&nbsp=3BobjectClass: olcFrontendConfig<br>&nb= sp=3BolcDatabase: {-1}frontend<br>&nbsp=3BolcAccess: {0}to * by dn.exact=3D= gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal<br>&nbsp=3B =2C= cn=3Dauth manage by * break<br>&nbsp=3BolcAccess: {1}to dn.exact=3D"" by * = read<br>&nbsp=3BolcAccess: {2}to dn.base=3D"cn=3DSubschema" by * read<br>&n= bsp=3BolcSizeLimit: 500<br>&nbsp=3BstructuralObjectClass: olcDatabaseConfig= <br>&nbsp=3BentryUUID: af9b211a-d108-1031-9418-cd3569532aaf<br>&nbsp=3Bcrea= torsName: cn=3Dconfig<br>&nbsp=3BcreateTimestamp: 20121202201456Z<br>&nbsp= =3BentryCSN: 20121202201456.994497Z#000000#000#000000<br>&nbsp=3BmodifiersN= ame: cn=3Dconfig<br>&nbsp=3BmodifyTimestamp: 20121202201456Z<br>&nbsp=3Bdn:= olcOverlay=3D{0}chain=2ColcDatabase=3D{-1}frontend=2Ccn=3Dconfig<br>&nbsp= =3BobjectClass: olcOverlayConfig<br>&nbsp=3BobjectClass: olcChainConfig<br>= &nbsp=3BolcOverlay: {0}chain<br>&nbsp=3BolcChainReturnError: TRUE<br>&nbsp= =3BstructuralObjectClass: olcChainConfig<br>&nbsp=3BentryUUID: 8605cc76-d21= 4-1031-93d2-613cc62fd42f<br>&nbsp=3BcreatorsName: gidNumber=3D0+uidNumber= =3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br>&nbsp=3BcreateTimestamp= : 20121204041212Z<br>&nbsp=3BentryCSN: 20121204041212.352767Z#000000#000#00= 0000<br>&nbsp=3BmodifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred= =2Ccn=3Dexternal=2Ccn=3Dauth<br>&nbsp=3BmodifyTimestamp: 20121204041212Z<br=

&nbsp=3Bdn: olcDatabase=3D{0}ldap=2ColcOverlay=3D{0}chain=2ColcDatabase=3D=

{-1}frontend=2Ccn=3Dconfig<br>&nbsp=3BobjectClass: olcLDAPConfig<br>&nbsp= =3BobjectClass: olcChainDatabase<br>&nbsp=3BolcDatabase: {0}ldap<br>&nbsp= =3BolcDbURI: "<a href=3D"ldap://master.example.net:389/">ldap://master.exam= ple.net:389/</a>"<br>&nbsp=3BolcDbIDAssertBind: bindmethod=3Dsimple binddn= =3D"cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc<br>&nbsp=3B =3Dnet" crede= ntials=3D&lt=3Bsecret&gt=3B mode=3Dself flags=3Doverride starttls=3Dcritica= l tls_req<br>&nbsp=3B cert=3Ddemand tls_cacert=3D/etc/ssl/certs/cacert.pem<= br>&nbsp=3BolcDbRebindAsUser: TRUE<br>&nbsp=3BstructuralObjectClass: olcLDA= PConfig<br>&nbsp=3BentryUUID: 8609b6f6-d214-1031-93d3-613cc62fd42f<br>&nbsp= =3BcreatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexterna= l=2Ccn=3Dauth<br>&nbsp=3BcreateTimestamp: 20121204041212Z<br>&nbsp=3BentryC= SN: 20121204041212.378432Z#000000#000#000000<br>&nbsp=3BmodifiersName: gidN= umber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br>&nbs= p=3BmodifyTimestamp: 20121204041212Z<br>&nbsp=3Bdn: olcDatabase=3D{0}config= =2Ccn=3Dconfig<br>&nbsp=3BobjectClass: olcDatabaseConfig<br>&nbsp=3BolcData= base: {0}config<br>&nbsp=3BolcAccess: {0}to * by dn.exact=3DgidNumber=3D0+u= idNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal<br>&nbsp=3B =2Ccn=3Dauth manag= e by * break<br>&nbsp=3BstructuralObjectClass: olcDatabaseConfig<br>&nbsp= =3BentryUUID: af9b4528-d108-1031-9419-cd3569532aaf<br>&nbsp=3BcreatorsName:= cn=3Dconfig<br>&nbsp=3BcreateTimestamp: 20121202201456Z<br>&nbsp=3BentryCS= N: 20121202201456.995421Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3D= config<br>&nbsp=3BmodifyTimestamp: 20121202201456Z<br>&nbsp=3Bdn: olcDataba= se=3D{1}hdb=2Ccn=3Dconfig<br>&nbsp=3BobjectClass: olcDatabaseConfig<br>&nbs= p=3BobjectClass: olcHdbConfig<br>&nbsp=3BolcDatabase: {1}hdb<br>&nbsp=3Bolc= DbDirectory: /var/lib/ldap<br>&nbsp=3BolcSuffix: dc=3Dexample=2Cdc=3Dnet<br=

&nbsp=3BolcLastMod: TRUE<br>&nbsp=3BolcRootDN: cn=3Dadmin=2Cdc=3Dexample=

=2Cdc=3Dnet<br>&nbsp=3BolcRootPW:: e1NTSEF9eW1nS3JTR0VkMW5LQ0VaQ0Y4UjJBTDlP= TlEveENDbzY=3D<br>&nbsp=3BolcDbCheckpoint: 512 30<br>&nbsp=3BolcDbConfig: {= 0}set_cachesize 0 2097152 0<br>&nbsp=3BolcDbConfig: {1}set_lk_max_objects 1= 500<br>&nbsp=3BolcDbConfig: {2}set_lk_max_locks 1500<br>&nbsp=3BolcDbConfig= : {3}set_lk_max_lockers 1500<br>&nbsp=3BolcDbIndex: objectClass eq<br>&nbsp= =3BolcDbIndex: uid eq<br>&nbsp=3BolcDbIndex: cn eq<br>&nbsp=3BolcDbIndex: o= u eq<br>&nbsp=3BolcDbIndex: dc eq<br>&nbsp=3BolcDbIndex: uidNumber eq<br>&n= bsp=3BolcDbIndex: gidNumber eq<br>&nbsp=3BolcDbIndex: memberUid eq<br>&nbsp= =3BolcDbIndex: uniqueMember eq<br>&nbsp=3BolcDbIndex: entryUUID eq<br>&nbsp= =3BolcDbIndex: entryCSN eq<br>&nbsp=3BolcDbIndex: krbPrincipalName eq=2Cpre= s=2Csub<br>&nbsp=3BolcDbIndex: krbPwdPolicyReference eq<br>&nbsp=3Bstructur= alObjectClass: olcHdbConfig<br>&nbsp=3BentryUUID: af9e5d12-d108-1031-9421-c= d3569532aaf<br>&nbsp=3BcreatorsName: cn=3Dconfig<br>&nbsp=3BcreateTimestamp= : 20121202201457Z<br>&nbsp=3BolcAccess: {0}to attrs=3DuserPassword=2Cshadow= LastChange by group.exact=3D"cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample= =2Cdc=3Dnet" read by self write by anonymous auth<br>&nbsp=3BolcAccess: {1}= to attrs=3DauthzTo=2CauthzFrom by group.exact=3D"cn=3Dreplicators=2Cou=3Dgr= oups=2Cdc=3Dexample=2Cdc=3Dnet" read by users read by anonymous none<br>&nb= sp=3BolcAccess: {2}to attrs=3DkrbLastSuccessfulAuth=2CkrbExtraData=2CkrbLas= tFailedAuth=2CkrbLoginFailedCount by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cd= c=3Dexample=2Cdc=3Dnet" read by dn<br>&nbsp=3B =3D"cn=3Dadm-srv=2Cou=3Dkerb= eros=2Cdc=3Dexample=2Cdc=3Dnet" read by self read by * none<br>&nbsp=3BolcA= ccess: {3}to dn.subtree=3D"ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" by dn= =3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" read by dn=3D"c= n=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2C<br>&nbsp=3B dc=3Dnet" read by= * none<br>&nbsp=3BolcAccess: {4}to dn.base=3D"" by * read<br>&nbsp=3BolcAc= cess: {5}to * by self write by users read<br>&nbsp=3BolcSyncrepl: {0}rid=3D= 123 provider=3D"<a href=3D"ldap://master.example.net:389/">ldap://master.ex= ample.net:389/</a>" type=3DrefreshAndPersist retry=3D"60 30 300 +" searchba= se=3D"dc=3Dexample=2Cdc=3Dnet" bindmethod=3Dsasl<br>&nbsp=3B&nbsp=3B saslme= ch=3Dgssapi starttls=3Dcritical tls_reqcert=3Ddemand tls_cacert=3D/etc/ssl/= certs/cacert.pem<br>&nbsp=3BolcUpdateRef: "<a href=3D"ldap://master.example= .net:389/">ldap://master.example.net:389/</a>"<br>&nbsp=3BentryCSN: 2012120= 4041212.283590Z#000000#000#000000<br>&nbsp=3BmodifiersName: gidNumber=3D0+u= idNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br>&nbsp=3BmodifyT= imestamp: 20121204041212Z<br>&nbsp=3B <br>&nbsp=3B <br>&nbsp=3B <br>&nbsp= =3Bdn: dc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass: top<br>&nbsp=3Bobjec= tClass: dcObject<br>&nbsp=3BobjectClass: organization<br>&nbsp=3Bo: example= .net<br>&nbsp=3Bdc: example<br>&nbsp=3BstructuralObjectClass: organization<= br>&nbsp=3BentryUUID: eac01854-d108-1031-95b6-31806daa9e45<br>&nbsp=3Bcreat= orsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 2= 0121202201636Z<br>&nbsp=3BentryCSN: 20121202201636.222029Z#000000#000#00000= 0<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp= =3BmodifyTimestamp: 20121202201636Z<br>&nbsp=3BcontextCSN: 20121204035116.8= 90381Z#000000#000#000000<br>&nbsp=3Bdn: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dne= t<br>&nbsp=3BobjectClass: simpleSecurityObject<br>&nbsp=3BobjectClass: orga= nizationalRole<br>&nbsp=3Bcn: admin<br>&nbsp=3Bdescription: LDAP administra= tor<br>&nbsp=3BuserPassword:: &lt=3Bsecret&gt=3B<br>&nbsp=3BstructuralObjec= tClass: organizationalRole<br>&nbsp=3BentryUUID: eac2e160-d108-1031-95b7-31= 806daa9e45<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br=

&nbsp=3BcreateTimestamp: 20121202201636Z<br>&nbsp=3BentryCSN: 201212022016=

36.240572Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dex= ample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121202201636Z<br>&nbsp=3Bdn:= ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass: organization= alUnit<br>&nbsp=3Bou: people<br>&nbsp=3Bdescription: user account objects<b= r>&nbsp=3BstructuralObjectClass: organizationalUnit<br>&nbsp=3BentryUUID: 1= cee4810-d12b-1031-9787-4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cd= c=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203002123Z<br>&nbsp= =3BentryCSN: 20121203002123.299880Z#000000#000#000000<br>&nbsp=3BmodifiersN= ame: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121= 203002123Z<br>&nbsp=3Bdn: ou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3B= objectClass: organizationalUnit<br>&nbsp=3Bou: groups<br>&nbsp=3Bdescriptio= n: group objects<br>&nbsp=3BstructuralObjectClass: organizationalUnit<br>&n= bsp=3BentryUUID: 1cfcb788-d12b-1031-9788-4f8d9abcea93<br>&nbsp=3BcreatorsNa= me: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 201212= 03002123Z<br>&nbsp=3BentryCSN: 20121203002123.394485Z#000000#000#000000<br>= &nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bmodi= fyTimestamp: 20121203002123Z<br>&nbsp=3Bdn: ou=3Dhosts=2Cdc=3Dexample=2Cdc= =3Dnet<br>&nbsp=3BobjectClass: organizationalUnit<br>&nbsp=3Bou: hosts<br>&= nbsp=3Bdescription: host/computer objects<br>&nbsp=3BstructuralObjectClass:= organizationalUnit<br>&nbsp=3BentryUUID: 1cfdb37c-d12b-1031-9789-4f8d9abce= a93<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp= =3BcreateTimestamp: 20121203002123Z<br>&nbsp=3BentryCSN: 20121203002123.400= 935Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample= =2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203002123Z<br>&nbsp=3Bdn: ou= =3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass: organizationa= lUnit<br>&nbsp=3Bou: kerberos<br>&nbsp=3Bdescription: kerberos realm contai= ner<br>&nbsp=3BstructuralObjectClass: organizationalUnit<br>&nbsp=3BentryUU= ID: 1cfef412-d12b-1031-978a-4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dadmi= n=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203002123Z<br>= &nbsp=3BentryCSN: 20121203002123.409140Z#000000#000#000000<br>&nbsp=3Bmodif= iersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: = 20121203002123Z<br>&nbsp=3Bdn: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cd= c=3Dnet<br>&nbsp=3Bcn: replica<br>&nbsp=3BobjectClass: simpleSecurityObject= <br>&nbsp=3BobjectClass: organizationalRole<br>&nbsp=3BobjectClass: krbPrin= cipalAux<br>&nbsp=3BobjectClass: krbTicketPolicyAux<br>&nbsp=3BauthzTo: dn:= *<br>&nbsp=3Bdescription: LDAP server=2C replica<br>&nbsp=3BstructuralObjec= tClass: organizationalRole<br>&nbsp=3BentryUUID: 1d02dae6-d12b-1031-978b-4f= 8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br=

&nbsp=3BcreateTimestamp: 20121203002123Z<br>&nbsp=3BkrbPrincipalName: <a h=

ref=3D"mailto:host/replica.example.net@EXAMPLE.NET">host/replica.example.ne= t@EXAMPLE.NET</a><br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbPrincipal= Key:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br>&nbsp= =3B MEegAwIBEqFABD4gADgZgDa20URzdHWQ1WObQespjD5JMlRSb3fbZN8fG+gFml3DZQzinhb= RURAxZ<br>&nbsp=3B oJVqBI/zPGh/FDf9m+5bDBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAz= 54uBWIC4AFa66jXa6Mn3k<br>&nbsp=3B f62uOX1YE6N3JlXl1EG2abEzZw1xWglReNN68wTKA= HMAWgAwIBAKFBMD+gAwIBEKE4BDYYAKu6lb/<br>&nbsp=3B QQQHgCnrL6XaSAYoh3A5GHF0xa= 2/vTWwq+lX4zmCpbY2l2up3TBVKZrhlenNSkxswPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwI= BAaEoBCYIAGjfhZNlm0+a6MGvBgok7WxzB638xMCex7sQ1zfzZkLiViiKpw=3D=3D<br>&nbsp= =3BkrbPasswordExpiration: 19700101000000Z<br>&nbsp=3BkrbLastPwdChange: 2012= 1203065600Z<br>&nbsp=3BkrbExtraData:: AAIATbxQYWRtaW5pc3RyYXRvckBFWEFNUExFL= k5FVAA=3D<br>&nbsp=3BkrbExtraData:: AAgBAA=3D=3D<br>&nbsp=3BuserPassword:: = &lt=3Bsecret&gt=3B<br>&nbsp=3BentryCSN: 20121203233422.105322Z#000000#000#0= 00000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nb= sp=3BmodifyTimestamp: 20121203233422Z<br>&nbsp=3Bdn: cn=3Dmaster=2Cou=3Dhos= ts=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bcn: master<br>&nbsp=3BobjectClass: = simpleSecurityObject<br>&nbsp=3BobjectClass: organizationalRole<br>&nbsp=3B= objectClass: krbPrincipalAux<br>&nbsp=3BobjectClass: krbTicketPolicyAux<br>= &nbsp=3BauthzTo: dn:*<br>&nbsp=3Bdescription: LDAP server=2C replica<br>&nb= sp=3BuserPassword:: &lt=3Bsecret&gt=3B<br>&nbsp=3BstructuralObjectClass: or= ganizationalRole<br>&nbsp=3BentryUUID: 1d0514dc-d12b-1031-978c-4f8d9abcea93= <br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bc= reateTimestamp: 20121203002123Z<br>&nbsp=3BkrbPrincipalName: <a href=3D"mai= lto:host/master.example.net@EXAMPLE.NET">host/master.example.net@EXAMPLE.NE= T</a><br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbPrincipalKey:: MIIBRK= ADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIB= EqFABD4gACzEUo41sdOc4i+gbyFE/lai6sMdeygNYlf/SiWtzll+A7x/QBVoz7zFW+aWr<br>&n= bsp=3B 8/FMEBj49p4Bn0Goa371TBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAGW4+8wBum86Xg= WwWj5522A<br>&nbsp=3B i/CCoCVDIVBZHOI48rJZHrgu59tvH0fH7TDkcwTKAHMAWgAwIBAKF= BMD+gAwIBEKE4BDYYAH15xNZ<br>&nbsp=3B VJSjkEKx2M7Ai17Og8lMWwXAsDB2h+LsGC+HsS= WdbE0P4yCNkjMOdIwnwJJ3OA48wPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIAGu= LUyYlXYKdpNk9KEe7TuHulCL0Fzr4N8WXAv3DaIILvcKv0w=3D=3D<br>&nbsp=3BkrbPasswor= dExpiration: 19700101000000Z<br>&nbsp=3BkrbLastPwdChange: 20121203060855Z<b= r>&nbsp=3BkrbExtraData:: AAL3QbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br>= &nbsp=3BkrbExtraData:: AAgBAA=3D=3D<br>&nbsp=3BentryCSN: 20121203060855.932= 134Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadm-srv=2Cou=3Dkerber= os=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203060855Z<br=

&nbsp=3Bdn: cn=3Dadministrator=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet<br>=

&nbsp=3BobjectClass: posixGroup<br>&nbsp=3Bcn: administrator<br>&nbsp=3Bgid= Number: 50000<br>&nbsp=3BstructuralObjectClass: posixGroup<br>&nbsp=3Bentry= UUID: 1d079216-d12b-1031-978d-4f8d9abcea93<br>&nbsp=3BcreatorsName: cn=3Dad= min=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203002123Z<b= r>&nbsp=3BentryCSN: 20121203002123.465616Z#000000#000#000000<br>&nbsp=3Bmod= ifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp= : 20121203002123Z<br>&nbsp=3Bdn: cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexam= ple=2Cdc=3Dnet<br>&nbsp=3BobjectClass: top<br>&nbsp=3BobjectClass: groupOfN= ames<br>&nbsp=3Bcn: replicators<br>&nbsp=3Bmember: cn=3Dreplica=2Cou=3Dhost= s=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bmember: cn=3Dmaster=2Cou=3Dhosts=2Cd= c=3Dexample=2Cdc=3Dnet<br>&nbsp=3BstructuralObjectClass: groupOfNames<br>&n= bsp=3BentryUUID: 1d096db6-d12b-1031-978e-4f8d9abcea93<br>&nbsp=3BcreatorsNa= me: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 201212= 03002123Z<br>&nbsp=3BentryCSN: 20121203002123.477792Z#000000#000#000000<br>= &nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bmodi= fyTimestamp: 20121203002123Z<br>&nbsp=3Bdn: uid=3Dadministrator=2Cou=3Dpeop= le=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass: top<br>&nbsp=3BobjectC= lass: inetOrgPerson<br>&nbsp=3BobjectClass: posixAccount<br>&nbsp=3BobjectC= lass: shadowAccount<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp=3Bobje= ctClass: krbTicketPolicyAux<br>&nbsp=3Bcn: administrator<br>&nbsp=3Bsn: adm= inistrator<br>&nbsp=3BuidNumber: 50000<br>&nbsp=3BgidNumber: 50000<br>&nbsp= =3BuserPassword:: &lt=3Bsecret&gt=3B<br>&nbsp=3BhomeDirectory: /home/admini= strator<br>&nbsp=3BstructuralObjectClass: inetOrgPerson<br>&nbsp=3Buid: adm= inistrator<br>&nbsp=3BentryUUID: 1d0a9bf0-d12b-1031-978f-4f8d9abcea93<br>&n= bsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateT= imestamp: 20121203002123Z<br>&nbsp=3BkrbPrincipalName: <a href=3D"mailto:ad= ministrator@EXAMPLE.NET">administrator@EXAMPLE.NET</a><br>&nbsp=3BkrbPrinci= palKey:: MIICa6ADAgEBoQMCAQGiAwIBAaMDAgEBpIICUzCCAk8wVKAHMAWgAwIBAKFJ<br>&n= bsp=3B MEegAwIBEqFABD4gALWKtjcuVIPL0PLDhUQleHDwIp4PB4O0T3ays8putrnZEUxVC+Ec= qcdxailuD<br>&nbsp=3B o3oHvU0K11YiAyckIKjfzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELh= AAQRTIM4QI0IPjmA1xg/Ot7l<br>&nbsp=3B cXQSCNuv7MRgBJl7N1QsxS7naYbgLlyybkbXkw= TKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYADmOzq8<br>&nbsp=3B 96TliwJM9J3X0Dxb/Y+bcTz= 3e4/FarTIvzEMrMneaW57VGLWX1y162/LNz2jwAqIwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+g= AwIBAaEoBCYIAMBGuqUqQw8nhnQ194wQICvc+Iu0yPUdSTzjGXtDhPSaAHj70DA8oAcwB<br>&n= bsp=3B aADAgEBoTEwL6ADAgEDoSgEJggA0mkFMVjyT2Jn553z2fZNIOQ8fYR2jtUcGFbyUL4s4= HaK+6yoME<br>&nbsp=3B 2gGDAWoAMCAQKhDwQNYWRtaW5pc3RyYXRvcqExMC+gAwIBA6EoBCY= IAHKR4PzhneCY8c8tLpo8yyO<br>&nbsp=3B mpk8FynWjl7rVe+Zqq9gIt4KXTTBLoBYwFKADA= gEDoQ0EC0VYQU1QTEUuTkVUoTEwL6ADAgEDoSgE<br>&nbsp=3B JggA4e6VizsvWUEKEqAt58P= rPViScqavK7u2VuYDpNNuVwTv3zGmMEugFjAUoAMCAQWhDQQLRVhBT<br>&nbsp=3B VBMRS5OR= VShMTAvoAMCAQOhKAQmCACA4sM1SoUcEEYGOMA8CDwINmmJXgnKPQr8jRDsxGToXGa5U+<br>&n= bsp=3B g=3D<br>&nbsp=3BkrbLastPwdChange: 20121203054848Z<br>&nbsp=3BkrbLast= FailedAuth: 20121204013714Z<br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3Bde= scription: Network Administrator<br>&nbsp=3BkrbLastSuccessfulAuth: 20121204= 035116Z<br>&nbsp=3BkrbExtraData:: AAJAPbxQcm9vdC9hZG1pbkBFWEFNUExFLk5FVAA= =3D<br>&nbsp=3BkrbExtraData:: AAgBAA=3D=3D<br>&nbsp=3BentryCSN: 20121204035= 116.890381Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dkdc-srv=2Cou= =3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 201212040= 35116Z<br>&nbsp=3Bdn: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dne= t<br>&nbsp=3BobjectClass: simpleSecurityObject<br>&nbsp=3BobjectClass: orga= nizationalRole<br>&nbsp=3Bcn: kdc-srv<br>&nbsp=3Bdescription: Kerberos KDC<= br>&nbsp=3BuserPassword:: &lt=3Bsecret&gt=3B<br>&nbsp=3BstructuralObjectCla= ss: organizationalRole<br>&nbsp=3BentryUUID: 1d168924-d12b-1031-9790-4f8d9a= bcea93<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nb= sp=3BcreateTimestamp: 20121203002123Z<br>&nbsp=3BentryCSN: 20121203002123.5= 63692Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexampl= e=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203002123Z<br>&nbsp=3Bdn: cn= =3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BobjectClass= : simpleSecurityObject<br>&nbsp=3BobjectClass: organizationalRole<br>&nbsp= =3Bcn: adm-srv<br>&nbsp=3Bdescription: Kerberos Admin Server<br>&nbsp=3Buse= rPassword:: &lt=3Bsecret&gt=3B<br>&nbsp=3BstructuralObjectClass: organizati= onalRole<br>&nbsp=3BentryUUID: 1d18610e-d12b-1031-9791-4f8d9abcea93<br>&nbs= p=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTim= estamp: 20121203002123Z<br>&nbsp=3BentryCSN: 20121203002123.575773Z#000000#= 000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<b= r>&nbsp=3BmodifyTimestamp: 20121203002123Z<br>&nbsp=3Bdn: cn=3DEXAMPLE.NET= =2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bcn: EXAMPLE.NET<br>&n= bsp=3BobjectClass: top<br>&nbsp=3BobjectClass: krbRealmContainer<br>&nbsp= =3BobjectClass: krbTicketPolicyAux<br>&nbsp=3BkrbSubTrees: dc=3Dexample=2Cd= c=3Dnet<br>&nbsp=3BkrbSearchScope: 2<br>&nbsp=3BkrbMaxRenewableAge: 604800<= br>&nbsp=3BkrbMaxTicketLife: 36000<br>&nbsp=3BstructuralObjectClass: krbRea= lmContainer<br>&nbsp=3BentryUUID: c03d58b8-d134-1031-83e7-0707760cf534<br>&= nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bcreate= Timestamp: 20121203013022Z<br>&nbsp=3BentryCSN: 20121203013022.757228Z#0000= 00#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dne= t<br>&nbsp=3BmodifyTimestamp: 20121203013022Z<br>&nbsp=3Bdn: <a href=3D"mai= lto:krbPrincipalName=3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos= =2Cdc=3Dexample=2Cdc">krbPrincipalName=3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET= =2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc</a>=3D<br>&nbsp=3B net<br>&nbsp=3BkrbL= oginFailedCount: 0<br>&nbsp=3BkrbMaxTicketLife: 36000<br>&nbsp=3BkrbMaxRene= wableAge: 604800<br>&nbsp=3BkrbTicketFlags: 192<br>&nbsp=3BkrbPrincipalName= : <a href=3D"mailto:K/M@EXAMPLE.NET">K/M@EXAMPLE.NET</a><br>&nbsp=3BkrbPrin= cipalExpiration: 19700101000000Z<br>&nbsp=3BkrbPrincipalKey:: MGagAwIBAaEDA= gEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+gAwIB<br>&nbsp=3B EKE4BDYYALvAYAT= OnUQCrTUO54HKuJKnttvmnxYyud5Fh6T22oTH0qAUzKRfDdxTuO7OIrbK/c4Ks<br>&nbsp=3B = HI=3D<br>&nbsp=3BkrbLastPwdChange: 19700101000000Z<br>&nbsp=3BkrbExtraData:= : AAkBAAEArgC8UA=3D=3D<br>&nbsp=3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARV= hBTVBMRS5ORVQA<br>&nbsp=3BkrbExtraData:: AAcBAAIAAgAAAAAAAAA=3D<br>&nbsp=3B= objectClass: krbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp= =3BobjectClass: krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: krbPri= ncipal<br>&nbsp=3BentryUUID: c04d9282-d134-1031-83e8-0707760cf534<br>&nbsp= =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTime= stamp: 20121203013022Z<br>&nbsp=3BentryCSN: 20121203013022.863568Z#000000#0= 00#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br=

&nbsp=3BmodifyTimestamp: 20121203013022Z<br>&nbsp=3Bdn: <a href=3D"mailto:=

krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou= =3Dkerberos">krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMP= LE.NET=2Cou=3Dkerberos</a><br>&nbsp=3B =2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp= =3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbMaxTicketLife: 36000<br>&nbsp=3Bkrb= MaxRenewableAge: 604800<br>&nbsp=3BkrbTicketFlags: 0<br>&nbsp=3BkrbPrincipa= lName: <a href=3D"mailto:krbtgt/EXAMPLE.NET@EXAMPLE.NET">krbtgt/EXAMPLE.NET= @EXAMPLE.NET</a><br>&nbsp=3BkrbPrincipalExpiration: 19700101000000Z<br>&nbs= p=3BkrbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgA= wIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gAOyPPy2RLdudifS8baeUvv3AxlGKKubyeRUcnwF= c2CqS9kNvgpTNujaNnfmRR<br>&nbsp=3B GQI5lTHUdwGYqHfr+ayuTBEoAcwBaADAgEAoTkwN= 6ADAgEXoTAELhAAe8n+vM9TXvNAG43Va7UKy1<br>&nbsp=3B 93EQx3jtSTiD0aa2tNK9Fbkom= kYG0mWlz/xW4wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM9KwFT<br>&nbsp=3B B9MqvfMfba= 37K7zY6lqPhLpF8d0uucRA/Ewed1i9wfjiOuxQVR0PWLB2OM5q1llQwPKAHMAWgAwIB<br>&nbs= p=3B AKExMC+gAwIBAaEoBCYIAFObLZrmdRD8NEctxP0TySKwmGNnKiX7m+EMMvNj4xmNIa2yTT= A8oAcwB<br>&nbsp=3B aADAgEAoTEwL6ADAgEDoSgEJggAXVm59rkWXluDnx/F0XOEDh4i3Nz9= HckLfrcVL5goKRVOV8oR<br>&nbsp=3BkrbLastPwdChange: 19700101000000Z<br>&nbsp= =3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA<br>&nbsp=3BkrbEx= traData:: AAcBAAIAAgAAAAAAAAA=3D<br>&nbsp=3BobjectClass: krbPrincipal<br>&n= bsp=3BobjectClass: krbPrincipalAux<br>&nbsp=3BobjectClass: krbTicketPolicyA= ux<br>&nbsp=3BstructuralObjectClass: krbPrincipal<br>&nbsp=3BentryUUID: c05= 18180-d134-1031-83e9-0707760cf534<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc= =3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203013022Z<br>&nbsp= =3BentryCSN: 20121203013022.889347Z#000000#000#000000<br>&nbsp=3BmodifiersN= ame: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121= 203013022Z<br>&nbsp=3Bdn: <a href=3D"mailto:krbPrincipalName=3Dkadmin/admin= @EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dex">krbPrincipalName= =3Dkadmin/admin@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dex</a=

<br>&nbsp=3B ample=2Cdc=3Dnet<br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=

=3BkrbMaxTicketLife: 10800<br>&nbsp=3BkrbMaxRenewableAge: 604800<br>&nbsp= =3BkrbTicketFlags: 4<br>&nbsp=3BkrbPrincipalName: <a href=3D"mailto:kadmin/= admin@EXAMPLE.NET">kadmin/admin@EXAMPLE.NET</a><br>&nbsp=3BkrbPrincipalExpi= ration: 19700101000000Z<br>&nbsp=3BkrbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAw= IBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gAMjLoWHT= DPL9j+ribbAohbY8+SM973mU5iIvxN7MItjbLtXBh/7CF2xtCkdsY<br>&nbsp=3B 5WwobkGKF= vGkZvTL+olZjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAwMe5Vpq5Hd2Zy1E8M28Ix6<br>&nb= sp=3B SbAtMeUjzpEqwQM3P838foPwM9ZfRYhfZ0UfAwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDY= YAGZM5wu<br>&nbsp=3B tIcsdKbsYTDZgUzqIADtNt4GYjBIJx13JO40Bto78eCybAvE4uqFiv= BmdH1kEy8cwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIAHrJty4X1D5dPY/PW84= Lgb0YYuazteCJMYvphJZr3LeKs7suBzA8oAcwB<br>&nbsp=3B aADAgEAoTEwL6ADAgEDoSgEJ= ggAMDfJDyzgWa4vsKv6rs9IkXOq8eEePAQPB9s0UPbM+9bG3aQz<br>&nbsp=3BkrbLastPwdCh= ange: 19700101000000Z<br>&nbsp=3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVh= BTVBMRS5ORVQA<br>&nbsp=3BkrbExtraData:: AAcBAAIAAgAAAGlvbkA=3D<br>&nbsp=3Bo= bjectClass: krbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp= =3BobjectClass: krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: krbPri= ncipal<br>&nbsp=3BentryUUID: c05346be-d134-1031-83ea-0707760cf534<br>&nbsp= =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTime= stamp: 20121203013022Z<br>&nbsp=3BentryCSN: 20121203013022.900950Z#000000#0= 00#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br=

&nbsp=3BmodifyTimestamp: 20121203013022Z<br>&nbsp=3Bdn: <a href=3D"mailto:=

krbPrincipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dke= rberos=2Cdc">krbPrincipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.= NET=2Cou=3Dkerberos=2Cdc</a><br>&nbsp=3B =3Dexample=2Cdc=3Dnet<br>&nbsp=3Bk= rbLoginFailedCount: 0<br>&nbsp=3BkrbMaxTicketLife: 300<br>&nbsp=3BkrbMaxRen= ewableAge: 604800<br>&nbsp=3BkrbTicketFlags: 8196<br>&nbsp=3BkrbPrincipalNa= me: <a href=3D"mailto:kadmin/changepw@EXAMPLE.NET">kadmin/changepw@EXAMPLE.= NET</a><br>&nbsp=3BkrbPrincipalExpiration: 19700101000000Z<br>&nbsp=3BkrbPr= incipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<b= r>&nbsp=3B MEegAwIBEqFABD4gAHNxSgJ9GwIH0UmFf5Ol8WWQ/2Wy6nQqmf+yX4dVzEQFsmaB= p9l1hsceWqIB2<br>&nbsp=3B ic80wlAJW9Do0gSOaiYfjBEoAcwBaADAgEAoTkwN6ADAgEXoT= AELhAAt+ZrWZKAjKkUhSJt0wwSqU<br>&nbsp=3B ootXhNduXIRVjUJxWVtXdPTI7RcL/yjZK2= M0MwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACd423Z<br>&nbsp=3B epUHmGMVf2I5sRQZRuo= ypVddoREy1pTtTMIiGvqai7Z+PRHbpL0kTawz9zdg60IgwPKAHMAWgAwIB<br>&nbsp=3B AKEx= MC+gAwIBAaEoBCYIAGGbQu5FJ0ewAsCALf9yDbvOIa7Abx0PmnGw+PSKWOt8Dsur9TA8oAcwB<b= r>&nbsp=3B aADAgEAoTEwL6ADAgEDoSgEJggAjG9iwd398xO7bFH+bAQDGv0Hh6Qr+QIpNAUB/= w7dmvqU9zPl<br>&nbsp=3BkrbLastPwdChange: 19700101000000Z<br>&nbsp=3BkrbExtr= aData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA<br>&nbsp=3BkrbExtraData:: = AAcBAAIAAgAAAGlvbkA=3D<br>&nbsp=3BobjectClass: krbPrincipal<br>&nbsp=3Bobje= ctClass: krbPrincipalAux<br>&nbsp=3BobjectClass: krbTicketPolicyAux<br>&nbs= p=3BstructuralObjectClass: krbPrincipal<br>&nbsp=3BentryUUID: c054d88a-d134= -1031-83eb-0707760cf534<br>&nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample= =2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 20121203013022Z<br>&nbsp=3BentryCSN= : 20121203013022.911237Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Da= dmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203013022Z<= br>&nbsp=3Bdn: <a href=3D"mailto:krbPrincipalName=3Dkadmin/history@EXAMPLE.= NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc">krbPrincipalName=3Dkadmin/hist= ory@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc</a>=3D<br>&nbsp=3B = example=2Cdc=3Dnet<br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbMaxTicke= tLife: 36000<br>&nbsp=3BkrbMaxRenewableAge: 604800<br>&nbsp=3BkrbTicketFlag= s: 0<br>&nbsp=3BkrbPrincipalName: <a href=3D"mailto:kadmin/history@EXAMPLE.= NET">kadmin/history@EXAMPLE.NET</a><br>&nbsp=3BkrbPrincipalExpiration: 1970= 0101000000Z<br>&nbsp=3BkrbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME= 4wTKAHMAWgAwIBAKFBMD+gAwIB<br>&nbsp=3B EKE4BDYYAOhayj3RDyyg78DGPFKNATBnpKKb= f2qwLJbJ0nPXoUdjtbHpjECIfASUXjBoB+Pkd/N+Z<br>&nbsp=3B 2g=3D<br>&nbsp=3BkrbL= astPwdChange: 19700101000000Z<br>&nbsp=3BkrbExtraData:: AAKuALxQZGJfY3JlYXR= pb25ARVhBTVBMRS5ORVQA<br>&nbsp=3BkrbExtraData:: AAcBAAIAAgAAAGlvbkA=3D<br>&= nbsp=3BobjectClass: krbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br=

&nbsp=3BobjectClass: krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: =

krbPrincipal<br>&nbsp=3BentryUUID: c0562d3e-d134-1031-83ec-0707760cf534<br>= &nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bcreat= eTimestamp: 20121203013022Z<br>&nbsp=3BentryCSN: 20121203013022.919957Z#000= 000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dn= et<br>&nbsp=3BmodifyTimestamp: 20121203013022Z<br>&nbsp=3Bdn: <a href=3D"ma= ilto:krbPrincipalName=3Dkadmin/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPL= E.NET=2Cou=3Dk">krbPrincipalName=3Dkadmin/master.example.net@EXAMPLE.NET=2C= cn=3DEXAMPLE.NET=2Cou=3Dk</a><br>&nbsp=3B erberos=2Cdc=3Dexample=2Cdc=3Dnet= <br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbMaxTicketLife: 10800<br>&n= bsp=3BkrbMaxRenewableAge: 604800<br>&nbsp=3BkrbTicketFlags: 4<br>&nbsp=3Bkr= bPrincipalName: <a href=3D"mailto:kadmin/master.example.net@EXAMPLE.NET">ka= dmin/master.example.net@EXAMPLE.NET</a><br>&nbsp=3BkrbPrincipalExpiration: = 19700101000000Z<br>&nbsp=3BkrbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAg= EApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gABhOeGOuo9UBDjK7= hTQ3Xfs8vsWB+Afl0JkPaSt3T3tRkZbWxAhTxXl+4Ta3z<br>&nbsp=3B Y4ZaEYItXr2awBW6Q= XSZzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAUUoLikQRp1c+vGFRtGg1qY<br>&nbsp=3B oe= v8m55VO73g+xEqcx02MJa1x+esm5y9VTMLswTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACj0sgn= <br>&nbsp=3B ZOyWATgpst3N3pSom4smhxBWYgpTMghwaS5gFeKMZhccDSI8Ahm4nQPFmq3Jrf= 4UwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYIAL0gPnqCvdlb4//Xw5iE8Jvj2qY= DwpK0Hycj+cwyCjFsVKTsjzA8oAcwB<br>&nbsp=3B aADAgEAoTEwL6ADAgEDoSgEJggAxTSME= h/7bfV2AYx4VoP8cIeunsqtrcvNIItmDxSqZ0ecZABm<br>&nbsp=3BkrbLastPwdChange: 19= 700101000000Z<br>&nbsp=3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5= ORVQA<br>&nbsp=3BkrbExtraData:: AAcBAAIAAgAAANAD4gA=3D<br>&nbsp=3BobjectCla= ss: krbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp=3BobjectC= lass: krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: krbPrincipal<br>= &nbsp=3BentryUUID: c0581144-d134-1031-83ed-0707760cf534<br>&nbsp=3Bcreators= Name: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 2012= 1203013022Z<br>&nbsp=3BentryCSN: 20121203013022.932349Z#000000#000#000000<b= r>&nbsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3Bmo= difyTimestamp: 20121203013022Z<br>&nbsp=3Bdn: <a href=3D"mailto:krbPrincipa= lName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dker">= krbPrincipalName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET= =2Cou=3Dker</a><br>&nbsp=3B beros=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BkrbP= rincipalName: <a href=3D"mailto:ldap/master.example.net@EXAMPLE.NET">ldap/m= aster.example.net@EXAMPLE.NET</a><br>&nbsp=3BobjectClass: krbPrincipal<br>&= nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp=3BobjectClass: krbTicketPolicy= Aux<br>&nbsp=3BstructuralObjectClass: krbPrincipal<br>&nbsp=3BentryUUID: 91= a6199c-d15a-1031-9919-2f12ddec6588<br>&nbsp=3BcreatorsName: cn=3Dadm-srv=2C= ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BcreateTimestamp: 2012120= 3060105Z<br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp=3BkrbPrincipalKey:: MII= BRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br>&nbsp=3B MEegA= wIBEqFABD4gAA6GzVEXOsoNQbzbqFy0KZqXt04aRDje4Gxq4ZS4b/z+l6pKgmUyVdsPUS2wz<br=

&nbsp=3B qeKY56slAvVlnRCQt+uZTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAkzwNhAF14T=

YWZyLZem5kvD<br>&nbsp=3B yuLARt7Z3LLsduQ1j6s7P6EFMDNWPaHCJf09cwTKAHMAWgAwIB= AKFBMD+gAwIBEKE4BDYYAAbNr3p<br>&nbsp=3B vkmNXkIZNgUtw2FJ3VtGEU9MmDmNHCFKSk4= kHCR9naWPkbMzRmWA7s/yGkwIWxCMwPKAHMAWgAwIB<br>&nbsp=3B AKExMC+gAwIBAaEoBCYI= APc+l15I9VR4tYjNfS6XRX09JRoioaavGokNvj0RJa1/h4j3hg=3D=3D<br>&nbsp=3BkrbPass= wordExpiration: 19700101000000Z<br>&nbsp=3BkrbLastPwdChange: 20121203060153= Z<br>&nbsp=3BkrbLastSuccessfulAuth: 20121203061721Z<br>&nbsp=3BkrbExtraData= :: AAJRQLxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br>&nbsp=3BkrbExtraData::= AAgBAA=3D=3D<br>&nbsp=3BentryCSN: 20121203061721.358939Z#000000#000#000000= <br>&nbsp=3BmodifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc= =3Dnet<br>&nbsp=3BmodifyTimestamp: 20121203061721Z<br>&nbsp=3Bdn: <a href= =3D"mailto:krbPrincipalName=3Dldap/replica.example.net@EXAMPLE.NET=2Ccn=3DE= XAMPLE.NET=2Cou=3Dke">krbPrincipalName=3Dldap/replica.example.net@EXAMPLE.N= ET=2Ccn=3DEXAMPLE.NET=2Cou=3Dke</a><br>&nbsp=3B rberos=2Cdc=3Dexample=2Cdc= =3Dnet<br>&nbsp=3BkrbPrincipalName: <a href=3D"mailto:ldap/replica.example.= net@EXAMPLE.NET">ldap/replica.example.net@EXAMPLE.NET</a><br>&nbsp=3Bobject= Class: krbPrincipal<br>&nbsp=3BobjectClass: krbPrincipalAux<br>&nbsp=3Bobje= ctClass: krbTicketPolicyAux<br>&nbsp=3BstructuralObjectClass: krbPrincipal<= br>&nbsp=3BentryUUID: 205686f2-d162-1031-9537-2fa18b539eb9<br>&nbsp=3Bcreat= orsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3B= createTimestamp: 20121203065511Z<br>&nbsp=3BkrbLoginFailedCount: 0<br>&nbsp= =3BkrbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAw= IBAKFJ<br>&nbsp=3B MEegAwIBEqFABD4gABVJBbD8SWzRxzA92ncPp+x/Trd3GJY/P6w+ErH3= wddcUmq3o092v7mUXFMNw<br>&nbsp=3B 2R8oC1rwLD2B/deCyuHDTBEoAcwBaADAgEAoTkwN6= ADAgEXoTAELhAApsEJiySukR8L5M3DKbipUj<br>&nbsp=3B AITSVQQL2YSqY7xr/BY7Hm3huN= /juvnC7u/ZQwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAOvmT4x<br>&nbsp=3B MDAmgH2qTgq= XTSLwRcBvT7QMWYMH0oi7HW8DYC09HDAdD2/vqaBsgthQCj3BCDmkwPKAHMAWgAwIB<br>&nbsp= =3B AKExMC+gAwIBAaEoBCYIALQe5Qa57ZwsYK2mxhbNOhrO0Yn/OVLez1VQiEmrpj2/GvJLXA= =3D=3D<br>&nbsp=3BkrbPasswordExpiration: 19700101000000Z<br>&nbsp=3BkrbLast= PwdChange: 20121203065628Z<br>&nbsp=3BkrbExtraData:: AAIcTbxQYWRtaW5pc3RyYX= RvckBFWEFNUExFLk5FVAA=3D<br>&nbsp=3BkrbExtraData:: AAgBAA=3D=3D<br>&nbsp=3B= krbLastSuccessfulAuth: 20121204032538Z<br>&nbsp=3BentryCSN: 20121204032538.= 048010Z#000000#000#000000<br>&nbsp=3BmodifiersName: cn=3Dkdc-srv=2Cou=3Dker= beros=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbsp=3BmodifyTimestamp: 20121204032538Z= <br>&nbsp=3B<BR><div><div id=3D"SkyDrivePlaceholder"></div>&gt=3B Date: Fri= =2C 9 Nov 2012 01:55:32 +0000<br>&gt=3B From: openldap-its@OpenLDAP.org<br>= &gt=3B To: blance3459@hotmail.com<br>&gt=3B Subject: Re: (ITS#7434) idasser= t-bind fails after restarting slapd<br>&gt=3B <br>&gt=3B <br>&gt=3B *** THI= S IS AN AUTOMATICALLY GENERATED REPLY ***<br>&gt=3B <br>&gt=3B Thanks for y= our report to the OpenLDAP Issue Tracking System. Your<br>&gt=3B report ha= s been assigned the tracking number ITS#7434.<br>&gt=3B <br>&gt=3B One of o= ur support engineers will look at your report in due course.<br>&gt=3B Note= that this may take some time because our support engineers<br>&gt=3B are v= olunteers. They only work on OpenLDAP when they have spare<br>&gt=3B time.= <br>&gt=3B <br>&gt=3B If you need to provide additional information in rega= rds to your<br>&gt=3B issue report=2C you may do so by replying to this mes= sage. Note that<br>&gt=3B any mail sent to openldap-its@openldap.org with = (ITS#7434)<br>&gt=3B in the subject will automatically be attached to the i= ssue report.<br>&gt=3B <br>&gt=3B mailto:openldap-its@openldap.org?subject= =3D(ITS#7434)<br>&gt=3B <br>&gt=3B You may follow the progress of this repo= rt by loading the following<br>&gt=3B URL in a web browser:<br>&gt=3B h= ttp://www.OpenLDAP.org/its/index.cgi?findid=3D7434<br>&gt=3B <br>&gt=3B Ple= ase remember to retain your issue tracking number (ITS#7434)<br>&gt=3B on a= ny further messages you send to us regarding this report. If<br>&gt=3B you= don't then you'll just waste our time and yours because we<br>&gt=3B won't= be able to properly track the report.<br>&gt=3B <br>&gt=3B Please note tha= t the Issue Tracking System is not intended to<br>&gt=3B be used to seek he= lp in the proper use of OpenLDAP Software.<br>&gt=3B Such requests will be = closed.<br>&gt=3B <br>&gt=3B OpenLDAP Software is user supported.<br>&gt=3B= http://www.OpenLDAP.org/support/<br>&gt=3B <br>&gt=3B --------------<br>&= gt=3B Copyright 1998-2007 The OpenLDAP Foundation=2C All Rights Reserved.<b= r>&gt=3B <br></div> </div></body> </html>=

--_e0f270ad-e1a3-48b6-986f-f9f11dfd57c0_--