From: Quanah Gibson-Mount <quanah(a)zimbra.com>
To: espeake(a)oreillyauto.com
Date: 09/06/2013 10:42 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 10:39 AM -0500 espeake(a)oreillyauto.com
wrote:
> root@tntest-ldap-3:~# ldapwhoami -d -1 -Wx -D
> "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
Debug output from ldapwhoami is useless
> ldap_bind: Invalid credentials (49)
This error can indicate any of a number of things:
a) Wrong password
b) Acls block the ability to auth to the password
c) The DN specified doesn't exist
What you would need to provide is the debug output from *slapd* to see
which of a, b, or c was the problem.
--Quanah
--
Here is the olcAccess from the slapcat on the database. Rule {0} should
be what it is using, but because of it not authenticating, rule {2} is being
applied instead.
Here is the slapd debug.
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: conn=1015 op=0 BIND
dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry:
"uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry:
"cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (userPassword)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: auth access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_get: [1] attr
userPassword
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_mask: access to entry
"uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_mask: to value by "",
(=0)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat:
uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat:
uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat:
uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat:
uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat:
uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_mask: no more <who>
clauses, returning =0 (stop)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => slap_access_allowed: auth
access denied by =0
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: no more
rules
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry:
"uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 slapd[20347]: last message repeated 3 times
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry:
"uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry:
"cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: EQUALITY
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 5
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: EQUALITY
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 5
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_access_allowed: granted
to database root
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry:
"uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry:
"uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (objectClass)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was
in cache (objectClass)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (uid)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (description)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (pwdPolicySubentry)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdPolicySubentry"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (structuralObjectClass)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search
access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry:
"uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access
to "cn=accesslog" "children" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
"structuralObjectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access
to "reqStart=20130906160125.000000Z,cn=accesslog" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (entryUUID)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryUUID" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (creatorsName)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "creatorsName"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (createTimestamp)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "createTimestamp"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (pwdHistory)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdHistory"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was
in cache (pwdHistory)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (userPassword)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (pwdChangedTime)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdChangedTime"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (pwdFailureTime)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdFailureTime"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was
in cache (pwdFailureTime)
Sep 6 11:01:25 slapd[20347]: last message repeated 33 times
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (entryCSN)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryCSN" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (modifiersName)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifiersName"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (modifyTimestamp)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifyTimestamp"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (entryDN)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryDN" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was
in cache (entryDN)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (subschemaSubentry)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "subschemaSubentry"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was
in cache (subschemaSubentry)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (hasSubordinates)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "hasSubordinates"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was
in cache (hasSubordinates)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not
in cache (objectClass)
Sep 6 11:01:25 tntest-ldap-1 rsyslogd-2177: imuxsock begins to drop
messages from pid 20347 due to rate-limiting
Sep 6 11:01:27 tntest-ldap-1 rsyslogd-2177: imuxsock lost 116 messages
from pid 20347 due to rate-limiting
Thanks,
Eric
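
Added example (not part of the original messages): a small parser that re-joins the hard-wrapped syslog records of a slapd trace like the one above and pulls out what the trace shows about a BIND: the bind DN, whether the backend found the entry, which <who> DNs the ACL checked, and the auth decision on userPassword. The names unwrap, summarize_bind and SAMPLE are hypothetical, and comparing DNs by lowercasing is a simplification of real DN normalization.

```python
import re

# Excerpt of the trace above, still hard-wrapped (continuations have no timestamp).
SAMPLE = """\
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: conn=1015 op=0 BIND
dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry:
"uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: auth access
to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword"
requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat:
uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat:
uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_mask: no more <who>
clauses, returning =0 (stop)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => slap_access_allowed: auth
access denied by =0
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} (?:\S+ )?(\S+?)(?:\[\d+\])?: ")

def unwrap(text):
    """Re-join wrapped syslog records; keep only slapd messages, prefix removed."""
    records, keep = [], False
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            keep = m.group(1) == "slapd"   # skip rsyslogd rate-limit notices etc.
            if keep:
                records.append(line[m.end():])
        elif keep and line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize_bind(text):
    """Collect what the trace shows about one BIND attempt."""
    out = {"bind_dn": None, "entry_found": False, "who_checked": [], "auth": None}
    for rec in unwrap(text):
        if m := re.search(r'\bBIND dn="([^"]*)"', rec):
            out["bind_dn"] = m.group(1)
        elif m := re.search(r'bdb_entry_get: found entry: "([^"]*)"', rec):
            out["entry_found"] |= m.group(1) == (out["bind_dn"] or "").lower()
        elif m := re.search(r"check a_dn_pat: (\S+)", rec):
            out["who_checked"].append(m.group(1))
        elif m := re.search(r"slap_access_allowed: auth access (granted|denied) by (\S+)", rec):
            out["auth"] = (m.group(1), m.group(2))
    return out
```
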