From: Quanah Gibson-Mount quanah@zimbra.com To: espeake@oreillyauto.com Date: 09/06/2013 10:42 AM Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 10:39 AM -0500 espeake@oreillyauto.com wrote:
root@tntest-ldap-3:~# ldapwhoami -d -1 -Wx -D "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
Debug output from ldapwhoami is useless
ldap_bind: Invalid credentials (49)
This error can indicate any of a number of things:
a) Wrong password
b) ACLs block the ability to auth to the password
c) The DN specified doesn't exist
What you would need to provide is the debug output from *slapd* to see which of a, b, or c was the problem.
--Quanah
--
Here is the olcAccess from the slapcat on the database. Rule {0} should be what it is using, but because it is not authenticating, rule {2} is being applied instead.
Here is the slapd debug.
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: conn=1015 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (userPassword)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_get: [1] attr userPassword
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_mask: to value by "", (=0)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => slap_access_allowed: auth access denied by =0
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: no more rules
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 slapd[20347]: last message repeated 3 times
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: EQUALITY
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 5
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: EQUALITY
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 5
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_access_allowed: granted to database root
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (objectClass)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (objectClass)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (uid)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (description)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdPolicySubentry)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdPolicySubentry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (structuralObjectClass)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access to "cn=accesslog" "children" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "structuralObjectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access to "reqStart=20130906160125.000000Z,cn=accesslog" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (entryUUID)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryUUID" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (creatorsName)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "creatorsName" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (createTimestamp)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "createTimestamp" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdHistory)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdHistory" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (pwdHistory)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (userPassword)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdChangedTime)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdChangedTime" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdFailureTime)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdFailureTime" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (pwdFailureTime)
Sep 6 11:01:25 slapd[20347]: last message repeated 33 times
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (entryCSN)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryCSN" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (modifiersName)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifiersName" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (modifyTimestamp)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifyTimestamp" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (entryDN)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryDN" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (entryDN)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (subschemaSubentry)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "subschemaSubentry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (subschemaSubentry)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (hasSubordinates)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "hasSubordinates" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (hasSubordinates)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (objectClass)
Sep 6 11:01:25 tntest-ldap-1 rsyslogd-2177: imuxsock begins to drop messages from pid 20347 due to rate-limiting
Sep 6 11:01:27 tntest-ldap-1 rsyslogd-2177: imuxsock lost 116 messages from pid 20347 due to rate-limiting
Thanks, Eric
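Added example, not part of this thread or of OpenLDAP: a small Python triage script that reads slapd ACL debug lines of the kind Eric posted and sorts a failing simple bind into the a/b/c causes in Quanah's reply. The embedded trace is a constructed excerpt of the posted lines, reduced to the userPassword auth check. The `auth access granted by` form that decides case a) is assumed by analogy with the `search access granted by` lines in the trace, and the `acl_get: [n]` index is reported as printed, without mapping it onto olcAccess {n} numbering, which the page does not establish.

```python
"""Triage a failing simple bind (err=49) from a slapd ACL debug trace.

Added example. Parses 'access_allowed' / 'acl_mask' lines as slapd prints
them at ACL debug level and maps the outcome onto:
  a) wrong password  b) ACLs block auth  c) the DN does not exist
"""
import re
import sys

# Constructed excerpt of the posted trace: only the userPassword auth check.
SAMPLE_TRACE = """\
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: conn=1015 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_get: [1] attr userPassword
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_mask: to value by "", (=0)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => slap_access_allowed: auth access denied by =0
"""

BIND_RE = re.compile(r'BIND dn="([^"]+)"')
FOUND_RE = re.compile(r'bdb_entry_get: found entry: "([^"]+)"')
AUTH_REQ_RE = re.compile(r'auth access to "([^"]+)" "userPassword" requested')
ACL_IDX_RE = re.compile(r'acl_get: \[(\d+)\] attr userPassword')
IDENT_RE = re.compile(r'acl_mask: to value by "([^"]*)"')
WHO_RE = re.compile(r'check a_dn_pat: (\S+)')
# 'granted' form assumed by analogy with the search/read lines in the trace.
RESULT_RE = re.compile(r'auth access (granted|denied) by')


def parse_bind_auth_check(trace):
    """Collect what the trace says about the bind DN's userPassword auth check."""
    info = {"bind_dn": None, "entry_found": False, "acl_index": None,
            "identity": None, "who_clauses": [], "result": None}
    in_auth_check = False
    for line in trace.splitlines():
        if (m := BIND_RE.search(line)) and info["bind_dn"] is None:
            info["bind_dn"] = m.group(1)
        elif (m := FOUND_RE.search(line)) and info["bind_dn"]:
            # bdb_entry_get prints the normalized (lower-case) DN: compare case-insensitively.
            if m.group(1).lower() == info["bind_dn"].lower():
                info["entry_found"] = True
        elif AUTH_REQ_RE.search(line):
            in_auth_check = True
        elif in_auth_check:
            if m := ACL_IDX_RE.search(line):
                info["acl_index"] = int(m.group(1))
            elif m := IDENT_RE.search(line):
                info["identity"] = m.group(1)      # "" means the connection is anonymous
            elif m := WHO_RE.search(line):
                info["who_clauses"].append(m.group(1))
            elif m := RESULT_RE.search(line):
                info["result"] = m.group(1)
                in_auth_check = False
    return info


def classify(info):
    """Map the parsed check onto the three causes listed in the thread."""
    if info["bind_dn"] is None:
        return "no BIND operation found in trace"
    if not info["entry_found"]:
        return "c) the DN specified doesn't exist (no entry fetched for the bind DN)"
    if info["result"] == "denied":
        return "b) ACLs block auth access to userPassword"
    if info["result"] == "granted":
        return "a) wrong password (entry found, auth access granted, bind still failed)"
    return "undetermined: no auth access result for userPassword in trace"


def explain(info):
    """For the ACL case, say which identity was evaluated and what clause it lacked."""
    if info["result"] != "denied":
        return classify(info)
    who = "anonymous" if info["identity"] == "" else info["identity"]
    tried = ", ".join(info["who_clauses"]) or "(none)"
    return (f"{classify(info)}: acl_get[{info['acl_index']}] was evaluated for identity "
            f"'{who}'; <who> clauses tried: {tried}. A simple bind checks auth access to "
            "userPassword before the bind DN is established, so the connection is still "
            "anonymous; the rule needs a clause such as 'by anonymous auth' (or 'by * auth').")


if __name__ == "__main__":
    # Usage: python triage.py [slapd-debug-file]; with no argument, the sample trace is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    print(explain(parse_bind_auth_check(text)))
```

Run against the posted trace this reports case b) and names the five DN-specific who-clauses that were tried while the identity was the empty (anonymous) DN, which is the detail the a/b/c list alone does not surface.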