[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: (ITS#7434) idassert-bind fails after restarting slapd
--_e0f270ad-e1a3-48b6-986f-f9f11dfd57c0_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Quanah=2C=20
=20
I finally got back around to working on this over the last couple of days. =
Where I'm at with my project is: I have two servers (virtual machines)=2C =
named master and replica=2C with slapd configured with my directory inform=
ation and single-master replication between them. =20
I created a Kerberos realm and various principals in open ldap. =20
Replication access is authenticated using sasl/gssapi with the slapd princ=
ipal=2C ldap/replica.example.net. =20
k5start has been added to system startup to buid the credential cache for =
slapd.
=20
That brings me to configuring referrals and proxyAuth on replica. What ap=
pears to be happening is that at the initial configuration (before restarti=
ng the daemon) is the client binds to the replica and authenticates with it=
s kerberos ticket. The "magic" is performed on the sasl user
and the ldap directory entry is returned. It then proceeds into the modifi=
cation and notices the update referral. It then checks to determine if the=
binddn used in in the olcDbIDAssertBind
statems can authzTo the bound user. It can and the proxy of the modificati=
on proceeds. On the master=2C the proxy request is received=2C more "magic=
" is done on the user id to make sure it is in=20
the correct form=2C the authzTo attribute is again checked and allowed. Th=
e update is performed as the user=2C and success is returned back through t=
he chain to the user. This is how I would expect=20
the process to proceed. However=2C if I restart the server (or slapd daemo=
n)=2C this behavior changes. After restarting=2C the bind occurs at the re=
plica=2C does "magic"=2C and then sees the referral and attempts the proxy.=
What's notable here is that the check of authzTo is NOT performed.
The refereal is then chased=2C but the authzTo check was never made. Since=
there is no user to "authzTo"=2C does the referral get chased with perhaps=
a "null" or anonymous user?
Whatever the case=2C it appears the the original binding user is never sent=
over the proxy. Over at the master=2C I see the bind request come on from=
the replica which is treated as an anonymous bind request.
No magic=2C no authzTo check=2C no nothing. It then goes straight into the=
modification and tries to perform=2C but is blocked due to the bound user =
being anonymous and the stronger authentication error (8) is returned. =20
Given that the bind occured anonymously=2C I feel that error is expected an=
d wanted.
=20
I had been trying to use sasl binding here=2C but was not having the same s=
ucess that I had with syncrepl. In order to only fight one battle at a tim=
e=2C I changed by proxy config to use a simple bind instead of sasl/gssapi.=
=20
=20
Referrals and proxy authentication are configured on replica with the follo=
wing ldif. I tried setting the override flag because the man page makes it=
sound like it forces the authzTo check at bind time.
By doing that I was hoping I could force the check and see the authzTo proc=
ess in my logs. Is this what the ITS you mentions is referring to?=20
dn: olcDatabase=3D{1}hdb=2Ccn=3Dconfig
changetype: modify
add: olcUpdateref
olcUpdateref: "ldap://master.example.net:389/";
=20
dn: cn=3Dmodule{0}=2Ccn=3Dconfig
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}back_ldap
=20
dn: olcOverlay=3Dchain=2ColcDatabase=3D{-1}frontend=2Ccn=3Dconfig
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE
=20
dn: olcDatabase=3Dldap=2ColcOverlay=3D{0}chain=2ColcDatabase=3D{-1}fronten=
d=2Ccn=3Dconfig
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.net:389/";
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=3Dsimple
binddn=3D"cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"
credentials=3Dshhh-secret
mode=3Dself
flags=3Doverride
starttls=3Dcritical
tls_reqcert=3Ddemand
tls_cacert=3D/etc/ssl/certs/cacert.pem =20
=20
After adding that information via ldapmodify=2C I attempt to perform an upd=
ate on the replica. For testing=2C i simply change the description attribu=
te for uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet. I'm us=
ing this simple ldif to test with:
dn: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
changetype: modify
replace: description
description: Network Administrator
Initially after configuring the proxy and obtainng a kerberos ticket for th=
e account (administrator=2C self write)=2C this update succeeds. Looking a=
t syslog on replica=2C I see happiness. The ldap modify binds using gssapi=
=2C I see SASL name being correctly converted to uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet.
Dec 3 22:17:01 replica slapd[994]: SASL Canonicalize [conn=3D1005]: auth=
cid=3D"administrator"
Dec 3 22:17:01 replica slapd[994]: slap_sasl_getdn: conn 1005 id=3Dadmini=
strator [len=3D13]
Dec 3 22:17:01 replica slapd[994]: slap_sasl_getdn: u:id converted to uid=
=3Dadministrator=2Ccn=3DEXAMPLE.NET=2Ccn=3DGSSAPI=2Ccn=3Dauth
Dec 3 22:17:01 replica slapd[994]: >>> dnNormalize: <uid=3Dadministrator=
=2Ccn=3DEXAMPLE.NET=2Ccn=3DGSSAPI=2Ccn=3Dauth>
Dec 3 22:17:01 replica slapd[994]: <<< dnNormalize: <uid=3Dadministrator=
=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth>
Dec 3 22:17:01 replica slapd[994]: =3D=3D>slap_sasl2dn: converting SASL n=
ame uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth to a D=
N
Dec 3 22:17:01 replica slapd[994]: =3D=3D> rewrite_context_apply [depth=
=3D1] string=3D'uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=
=3Dauth'
Dec 3 22:17:01 replica slapd[994]: =3D=3D> rewrite_rule_apply rule=3D'uid=
=3Dldap/([^/\.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth'=
string=3D'uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth=
' [1 pass(es)]
Dec 3 22:17:01 replica slapd[994]: =3D=3D> rewrite_rule_apply rule=3D'uid=
=3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth' string=3D'uid=3D=
administrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth' [1 pass(es)]
Dec 3 22:17:01 replica slapd[994]: =3D=3D> rewrite_context_apply [depth=
=3D1] res=3D{0=2C'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dn=
et'}
Dec 3 22:17:01 replica slapd[994]: [rw] authid: "uid=3Dadministrator=2Ccn=
=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth" -> "uid=3Dadministrator=2Cou=3Dpe=
ople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 replica slapd[994]: slap_parseURI: parsing uid=3Dadministr=
ator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 replica slapd[994]: >>> dnNormalize: <uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: <<< dnNormalize: <uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: <=3D=3Dslap_sasl2dn: Converted SASL na=
me to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 replica slapd[994]: slap_sasl_getdn: dn:id converted to ui=
d=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 replica slapd[994]: SASL Canonicalize [conn=3D1005]: slapA=
uthcDN=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 replica slapd[994]: SASL proxy authorize [conn=3D1005]: au=
thcid=3D"administrator@EXAMPLE.NET" authzid=3D"administrator@EXAMPLE.NET"
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D2 BIND authcid=3D"adm=
inistrator@EXAMPLE.NET" authzid=3D"administrator@EXAMPLE.NET"
Dec 3 22:17:01 replica slapd[994]: SASL Authorize [conn=3D1005]: proxy a=
uthorization allowed authzDN=3D""
Dec 3 22:17:01 replica slapd[994]: send_ldap_sasl: err=3D0 len=3D-1
Dec 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor
Dec 3 22:17:01 replica slapd[994]: daemon: activity on:
Dec 3 22:17:01 replica slapd[994]:=20
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D2 BIND dn=3D"uid=3Dadm=
inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" mech=3DGSSAPI sasl_ssf=
=3D56 ssf=3D56
Dec 3 22:17:01 replica slapd[994]: do_bind: SASL/GSSAPI bind: dn=3D"uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" sasl_ssf=3D56
Dec 3 22:17:01 replica slapd[994]: send_ldap_response: msgid=3D3 tag=3D97=
err=3D0
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D2 RESULT tag=3D97 err=
=3D0 text=3D
Dec 3 22:17:01 replica slapd[994]: <=3D=3D slap_sasl_bind: rc=3D0
All good=2C so far on replica. I believe the sasl/gssapi authntication pr=
ocess is completed. Now to perform the modify.
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 do_modify
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 do_modify: dn (uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)
Dec 3 22:17:01 replica slapd[994]: >>> dnPrettyNormal: <uid=3Dadministrat=
or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: <<< dnPrettyNormal: <uid=3Dadministrat=
or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=3D=
people=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 modifications:
Dec 3 22:17:01 replica slapd[994]: #011replace: description
Dec 3 22:17:01 replica slapd[994]: #011#011one value=2C length 21
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 MOD dn=3D"uid=3Dadm=
inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 MOD attr=3Ddescript=
ion
Dec 3 22:17:01 replica slapd[994]: bdb_dn2entry("uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")
Dec 3 22:17:01 replica slapd[994]: send_ldap_result: conn=3D1005 op=3D3 p=
=3D3
Dec 3 22:17:01 replica slapd[994]: send_ldap_result: err=3D10 matched=3D"=
" text=3D""
Dec 3 22:17:01 replica slapd[994]: send_ldap_result: referral=3D"ldap://m=
aster.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=
=3Dnet"
Dec 3 22:17:01 replica slapd[994]: >>> dnPrettyNormal: <uid=3Dadministrat=
or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor
Dec 3 22:17:01 replica slapd[994]: daemon: activity on:
Dec 3 22:17:01 replica slapd[994]:=20
Dec 3 22:17:01 replica slapd[994]: <<< dnPrettyNormal: <uid=3Dadministrato=
r=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=3Dp=
eople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 ldap_chain_op: ref=
=3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D=
example=2Cdc=3Dnet" -> "ldap://master.example.net:389";
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 ldap_chain_op: ref=
=3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D=
example=2Cdc=3Dnet": URI=3D"ldap://master.example.net:389"; found in cache
=20
Okay=2C now it seems that the referral is returned and chased on behalf of=
the client. Finally=2C from the perspective of replica=2C success! Modif=
ied data comes back to replica via syncrepl.
Dec 3 22:17:01 replica slapd[994]: =3D>ldap_back_getconn: conn 0x7fe0b01=
47c30 fetched refcnt=3D1.
Dec 3 22:17:01 replica slapd[994]: send_ldap_result: conn=3D1005 op=3D3 p=
=3D3
Dec 3 22:17:01 replica slapd[994]: send_ldap_result: err=3D0 matched=3D""=
text=3D""
Dec 3 22:17:01 replica slapd[994]: send_ldap_response: msgid=3D4 tag=3D10=
3 err=3D0
Dec 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 RESULT tag=3D103 er=
r=3D0 text=3D
=20
Dec 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor
Dec 3 22:17:01 replica slapd[994]: daemon: activity on:
Dec 3 22:17:01 replica slapd[994]: 15r
Dec 3 22:17:01 replica slapd[994]:=20
Dec 3 22:17:01 replica slapd[994]: daemon: read active on 15
Dec 3 22:17:01 replica slapd[994]: connection_get(15)
Dec 3 22:17:01 replica slapd[994]: connection_get(15): got connid=3D0
Dec 3 22:17:01 replica slapd[994]: =3D>do_syncrepl rid=3D123
Dec 3 22:17:01 replica slapd[994]: =3D>do_syncrep2 rid=3D123
Dec 3 22:17:01 replica slapd[994]: do_syncrep2: rid=3D123 cookie=3Drid=3D=
123=2Ccsn=3D20121204031701.560697Z#000000#000#000000
Dec 3 22:17:01 replica slapd[994]: >>> dnPrettyNormal: <uid=3Dadministrat=
or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: <<< dnPrettyNormal: <uid=3Dadministrat=
or=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=3D=
people=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: >>> dnPretty: <cn=3Dadmin=2Cdc=3Dexamp=
le=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: <<< dnPretty: <cn=3Dadmin=2Cdc=3Dexamp=
le=2Cdc=3Dnet>
Dec 3 22:17:01 replica slapd[994]: >>> dnNormalize: <cn=3Dadmin=2Cdc=3Dex=
ample=2Cdc=3Dnet>
Dec 3 22:17:01 replica rsyslogd-2177: imuxsock begins to drop messages fr=
om pid 994 due to rate-limiting
So everything looks good (correct?) on replica. Meanwhile=2C back at the =
master....=20
Dec 3 22:17:01 master slapd[947]: daemon: activity on 1 descriptor
Dec 3 22:17:01 master slapd[947]: daemon: activity on:
Dec 3 22:17:01 master slapd[947]: 51r
Dec 3 22:17:01 master slapd[947]:=20
Dec 3 22:17:01 master slapd[947]: daemon: read active on 51
Dec 3 22:17:01 master slapd[947]: connection_get(51)
Dec 3 22:17:01 master slapd[947]: connection_get(51): got connid=3D1054
Dec 3 22:17:01 master slapd[947]: connection_read(51): checking for input=
on id=3D1054
Dec 3 22:17:01 master slapd[947]: op tag 0x66=2C time 1354591021
Dec 3 22:17:01 master slapd[947]: daemon: activity on 1 descriptor
Dec 3 22:17:01 master slapd[947]: daemon: activity on:
Dec 3 22:17:01 master slapd[947]:=20
Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 do_modify
Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 do_modify: dn (uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)
Dec 3 22:17:01 master slapd[947]: =3D> get_ctrls
Dec 3 22:17:01 master slapd[947]: =3D> get_ctrls: oid=3D"2.16.840.1.11373=
0.3.4.18" (noncritical)
Dec 3 22:17:01 master slapd[947]: parseProxyAuthz: conn 1054 authzid=3D"d=
n:uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: slap_sasl_getdn: conn 1054 id=3Ddn:uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet [len=3D48]
Dec 3 22:17:01 master slapd[947]: >>> dnNormalize: <uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 master slapd[947]: <<< dnNormalize: <uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 master slapd[947]: =3D=3D>slap_sasl2dn: converting SASL na=
me uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet to a DN
Dec 3 22:17:01 master slapd[947]: =3D=3D> rewrite_context_apply [depth=3D=
1] string=3D'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet'
Dec 3 22:17:01 master slapd[947]: =3D=3D> rewrite_rule_apply rule=3D'uid=
=3Dldap/([^/\.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth'=
string=3D'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet' [1 =
pass(es)]
Dec 3 22:17:01 master slapd[947]: =3D=3D> rewrite_rule_apply rule=3D'uid=
=3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth' string=3D'uid=3D=
administrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet' [1 pass(es)]
Dec 3 22:17:01 master slapd[947]: =3D=3D> rewrite_context_apply [depth=3D=
1] res=3D{0=2C'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet'=
}
Dec 3 22:17:01 master slapd[947]: [rw] authid: "uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" -> "uid=3Dadministrator=2Cou=3Dpeople=
=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: slap_parseURI: parsing uid=3Dadministra=
tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: >>> dnNormalize: <uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 master slapd[947]: <<< dnNormalize: <uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 master slapd[947]: <=3D=3Dslap_sasl2dn: Converted SASL nam=
e to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: slap_sasl_getdn: dn:id converted to uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: parseProxyAuthz: conn=3D1054 "uid=3Dadm=
inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: =3D=3D>slap_sasl_authorized: can cn=3Dr=
eplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet become uid=3Dadministrator=2C=
ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet?
Dec 3 22:17:01 master slapd[947]: =3D=3D>slap_sasl_check_authz: does uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet match authzTo rule=
in cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet?
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: ndn: "cn=3Dreplica=
=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: oc: "(null)"=2C at:=
"authzTo"
Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("cn=3Dreplica=2Cou=3Dhosts=
=2Cdc=3Dexample=2Cdc=3Dnet")
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: found entry: "cn=3D=
replica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: bdb_entry_get: rc=3D0
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: result not in cach=
e (authzTo)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: auth access to "cn=
=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet" "authzTo" requested
Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [2] attr authzTo
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "cn=3Dre=
plica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "authzTo" requested
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to all values by "cn=3Dr=
eplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: users
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [1] applying read(=3Drsc=
xd) (stop)
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [1] mask: read(=3Drscxd)
Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: auth access g=
ranted by read(=3Drscxd)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: auth access grante=
d by read(=3Drscxd)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: result was in cach=
e (authzTo)
Dec 3 22:17:01 master slapd[947]: =3D=3D=3D>slap_sasl_match: comparing DN=
uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet to rule dn:*
Dec 3 22:17:01 master slapd[947]: slap_parseURI: parsing dn:*
Dec 3 22:17:01 master slapd[947]: <=3D=3D=3Dslap_sasl_match: comparison r=
eturned 0
Dec 3 22:17:01 master slapd[947]: <=3D=3Dslap_sasl_check_authz: authzTo c=
heck returning 0
Dec 3 22:17:01 master slapd[947]: <=3D=3D slap_sasl_authorized: return 0
Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 PROXYAUTHZ dn=3D"uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: <=3D get_ctrls: n=3D1 rc=3D0 err=3D""
Dec 3 22:17:01 master slapd[947]: >>> dnPrettyNormal: <uid=3Dadministrato=
r=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 master slapd[947]: <<< dnPrettyNormal: <uid=3Dadministrato=
r=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=3Dp=
eople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 modifications:
Dec 3 22:17:01 master slapd[947]: #011replace: description
Dec 3 22:17:01 master slapd[947]: #011#011one value=2C length 21
Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 MOD dn=3D"uid=3Dadmi=
nistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3 MOD attr=3Ddescripti=
on
Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: ndn: "uid=3Dadminis=
trator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: oc: "(null)"=2C at:=
"(null)"
Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: found entry: "uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: bdb_entry_get: rc=3D0
Dec 3 22:17:01 master slapd[947]: =3D> test_filter
Dec 3 22:17:01 master slapd[947]: PRESENT
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: search access to "=
uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "objectClass" =
requested
Dec 3 22:17:01 master slapd[947]: =3D> dn: [4] ou=3Dkerberos=2Cdc=3Dexamp=
le=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: =3D> dn: [5]=20
Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [6] attr objectClass
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "uid=3Da=
dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "objectClass"=
requested
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to all values by "cn=3Dr=
eplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: cn=3Dadm-srv=2Cou=
=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: self
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: users
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [3] applying read(=3Drsc=
xd) (stop)
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [3] mask: read(=3Drscxd)
Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: search access=
granted by read(=3Drscxd)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: search access gran=
ted by read(=3Drscxd)
Dec 3 22:17:01 master slapd[947]: <=3D test_filter 6
Dec 3 22:17:01 master slapd[947]: syncprov_matchops: sid ffffffff fscope =
1 rc 6
Dec 3 22:17:01 master slapd[947]: hdb_modify: uid=3Dadministrator=2Cou=3D=
people=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: slap_queue_csn: queing 0x7fa90f0fe110 2=
0121204031701.560697Z#000000#000#000000
Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")
Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: 0x0000000b: uid=3D=
administrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: result not in cach=
e (description)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: delete access to "=
uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "description" =
requested
Dec 3 22:17:01 master slapd[947]: =3D> dn: [4] ou=3Dkerberos=2Cdc=3Dexamp=
le=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: =3D> dn: [5]=20
Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [6] attr description
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "uid=3Da=
dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "description"=
requested
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to all values by "uid=3D=
administrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: cn=3Dadm-srv=2Cou=
=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: self
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [2] applying write(=3Dwr=
scxd) (stop)
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [2] mask: write(=3Dwrscx=
d)
Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: delete access=
granted by write(=3Dwrscxd)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: delete access gran=
ted by write(=3Dwrscxd)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: result not in cach=
e (description)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: add access to "uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "description" req=
uested
Dec 3 22:17:01 master slapd[947]: =3D> dn: [4] ou=3Dkerberos=2Cdc=3Dexamp=
le=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: =3D> dn: [5]=20
Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [6] attr description
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "uid=3Da=
dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "description"=
requested
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to value by "uid=3Dadmin=
istrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: cn=3Dadm-srv=2Cou=
=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: self
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [2] applying write(=3Dwr=
scxd) (stop)
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [2] mask: write(=3Dwrscx=
d)
Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: add access gr=
anted by write(=3Dwrscxd)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: add access granted=
by write(=3Dwrscxd)
Dec 3 22:17:01 master slapd[947]: acl: internal mod entryCSN: modify acce=
ss granted
Dec 3 22:17:01 master slapd[947]: acl: internal mod modifiersName: modify=
access granted
Dec 3 22:17:01 master slapd[947]: acl: internal mod modifyTimestamp: modi=
fy access granted
Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace descriptio=
n
Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace entryCSN
Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace modifiersN=
ame
Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace modifyTime=
stamp
Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist=
rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "inetOrgPerso=
n"
Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist=
rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "posixAccount=
"
Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist=
rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "shadowAccoun=
t"
Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist=
rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "krbPrincipal=
Aux"
Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadminist=
rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "krbTicketPol=
icyAux"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "objectClass"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "cn"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "sn"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "uidNumber"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "gidNumber"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "userPassword"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "homeDirectory"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "structuralObject=
Class"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "uid"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "entryUUID"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "creatorsName"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "createTimestamp"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbPrincipalName=
"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbPrincipalKey"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastPwdChange=
"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastFailedAut=
h"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLoginFailedCo=
unt"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastSuccessfu=
lAuth"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbExtraData"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "description"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "entryCSN"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "modifiersName"
Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "modifyTimestamp"
Dec 3 22:17:01 master slapd[947]: =3D> key_change(DELETE=2Cb)
Dec 3 22:17:01 master slapd[947]: bdb_idl_delete_key: b=20
Dec 3 22:17:01 master slapd[947]: <=3D key_change 0
Dec 3 22:17:01 master slapd[947]: =3D> key_change(ADD=2Cb)
Dec 3 22:17:01 master slapd[947]: bdb_idl_insert_key: b=20
Dec 3 22:17:01 master slapd[947]: <=3D key_change 0
Dec 3 22:17:01 master slapd[947]: =3D> entry_encode(0x0000000b):=20
Dec 3 22:17:01 master slapd[947]: <=3D entry_encode(0x0000000b):=20
Dec 3 22:17:01 master slapd[947]: hdb_modify: updated id=3D0000000b dn=3D"=
uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: send_ldap_result: conn=3D1054 op=3D3 p=
=3D3
Dec 3 22:17:01 master slapd[947]: send_ldap_result: err=3D0 matched=3D"" =
text=3D""
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: ndn: "uid=3Dadminis=
trator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: oc: "(null)"=2C at:=
"(null)"
Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: found entry: "uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: bdb_entry_get: rc=3D0
Dec 3 22:17:01 master slapd[947]: =3D> test_filter
Dec 3 22:17:01 master slapd[947]: PRESENT
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: search access to "=
uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "objectClass" =
requested
Dec 3 22:17:01 master slapd[947]: =3D> dn: [4] ou=3Dkerberos=2Cdc=3Dexamp=
le=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: =3D> dn: [5]=20
Dec 3 22:17:01 master slapd[947]: =3D> acl_get: [6] attr objectClass
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: access to entry "uid=3Da=
dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "objectClass"=
requested
Dec 3 22:17:01 master slapd[947]: =3D> acl_mask: to all values by "cn=3Dr=
eplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0)=20
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: cn=3Dadm-srv=2Cou=
=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: self
Dec 3 22:17:01 master slapd[947]: <=3D check a_dn_pat: users
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [3] applying read(=3Drsc=
xd) (stop)
Dec 3 22:17:01 master slapd[947]: <=3D acl_mask: [3] mask: read(=3Drscxd)
Dec 3 22:17:01 master slapd[947]: =3D> slap_access_allowed: search access=
granted by read(=3Drscxd)
Dec 3 22:17:01 master slapd[947]: =3D> access_allowed: search access gran=
ted by read(=3Drscxd)
Dec 3 22:17:01 master slapd[947]: <=3D test_filter 6
Dec 3 22:17:01 master slapd[947]: syncprov_matchops: sid ffffffff fscope =
1 rc 6
Dec 3 22:17:01 master slapd[947]: syncprov_sendresp: cookie=3Drid=3D123=
=2Ccsn=3D20121204031701.560697Z#000000#000#000000
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: ndn: "uid=3Dadminis=
trator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: oc: "(null)"=2C at:=
"(null)"
Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")
Dec 3 22:17:01 master slapd[947]: =3D> bdb_entry_get: found entry: "uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Everything looks good on the master. I see uid=3Dadministrator gets sent =
over from the the proxy on replica and the update proceeds as expected. No=
w if I restart slapd on replica=2C things change. performing the same modi=
fucation=2C we again see sasl/gssapi authentication occuring on replica jus=
t as before
Dec 3 22:20:38 replica slapd[1412]: [rw] authid: "uid=3Dadministrator=2C=
cn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth" -> "uid=3Dadministrator=2Cou=3D=
people=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:20:38 replica slapd[1412]: slap_parseURI: parsing uid=3Dadminist=
rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:20:38 replica slapd[1412]: >>> dnNormalize: <uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:20:38 replica slapd[1412]: <<< dnNormalize: <uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:20:38 replica slapd[1412]: <=3D=3Dslap_sasl2dn: Converted SASL n=
ame to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:20:38 replica slapd[1412]: slap_sasl_getdn: dn:id converted to u=
id=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
Dec 3 22:20:38 replica slapd[1412]: SASL Canonicalize [conn=3D1000]: slap=
AuthcDN=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:20:38 replica slapd[1412]: SASL proxy authorize [conn=3D1000]: a=
uthcid=3D"administrator@EXAMPLE.NET" authzid=3D"administrator@EXAMPLE.NET"
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 BIND authcid=3D"ad=
ministrator@EXAMPLE.NET" authzid=3D"administrator@EXAMPLE.NET"
Dec 3 22:20:38 replica slapd[1412]: SASL Authorize [conn=3D1000]: proxy =
authorization allowed authzDN=3D""
Dec 3 22:20:38 replica slapd[1412]: send_ldap_sasl: err=3D0 len=3D-1
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 BIND dn=3D"uid=3Da=
dministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" mech=3DGSSAPI sasl_ss=
f=3D56 ssf=3D56
Dec 3 22:20:38 replica slapd[1412]: do_bind: SASL/GSSAPI bind: dn=3D"uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" sasl_ssf=3D56
Dec 3 22:20:38 replica slapd[1412]: send_ldap_response: msgid=3D3 tag=3D9=
7 err=3D0
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 RESULT tag=3D97 er=
r=3D0 text=3D
Dec 3 22:20:38 replica slapd[1412]: <=3D=3D slap_sasl_bind: rc=3D0
Again=2C we head into the modification:
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 do_modify
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 do_modify: dn (uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)
Dec 3 22:20:38 replica slapd[1412]: >>> dnPrettyNormal: <uid=3Dadministra=
tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:20:38 replica slapd[1412]: <<< dnPrettyNormal: <uid=3Dadministra=
tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 modifications:
Dec 3 22:20:38 replica slapd[1412]: #011replace: description
Dec 3 22:20:38 replica slapd[1412]: #011#011one value=2C length 21
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 MOD dn=3D"uid=3Dad=
ministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 MOD attr=3Ddescrip=
tion
Dec 3 22:20:38 replica slapd[1412]: bdb_dn2entry("uid=3Dadministrator=2Co=
u=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")
Dec 3 22:20:38 replica slapd[1412]: =3D> hdb_dn2id("ou=3Dpeople=2Cdc=3Dex=
ample=2Cdc=3Dnet")
Dec 3 22:20:38 replica slapd[1412]: <=3D hdb_dn2id: got id=3D0x3
Dec 3 22:20:38 replica slapd[1412]: daemon: activity on 1 descriptor
Dec 3 22:20:38 replica slapd[1412]: daemon: activity on:
Dec 3 22:20:38 replica slapd[1412]: =20
So far=2C so good (I think)=2C replica sees the need to refer the action a=
nd tries to chase it on behalf of the clent:
Dec 3 22:20:38 replica slapd[1412]: =3D> hdb_dn2id("uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")
Dec 3 22:20:38 replica slapd[1412]: <=3D hdb_dn2id: got id=3D0xb
Dec 3 22:20:38 replica slapd[1412]: entry_decode: ""
Dec 3 22:20:38 replica slapd[1412]: <=3D entry_decode()
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1000 op=3D3 =
p=3D3
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: err=3D10 matched=3D=
"" text=3D""
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: referral=3D"ldap://=
master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cd=
c=3Dnet"
Dec 3 22:20:38 replica slapd[1412]: >>> dnPrettyNormal: <uid=3Dadministra=
tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:20:38 replica slapd[1412]: <<< dnPrettyNormal: <uid=3Dadministra=
tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=2C <uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 ldap_chain_op: ref=
=3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D=
example=2Cdc=3Dnet" -> "ldap://master.example.net:389";
Dec 3 22:20:38 replica slapd[1412]: ldap_back_db_open: URI=3Dldap://maste=
r.example.net:389
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 ldap_chain_op: ref=
=3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D=
example=2Cdc=3Dnet" temporary
Dec 3 22:20:38 replica slapd[1412]: =3D>ldap_back_getconn: conn=3D1000 op=
=3D3: lc=3D0x7f213015a7d0 inserted refcnt=3D1 rc=3D0
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1000 op=3D3 =
p=3D3 =20
At this point=2C I "assume" the modification has been passed off to master.=
However=2C I notice that I never see the replica checking authzTo like be=
fore the restart. I think this is where it's falling apart for me and the e=
rr=3D8 back is returned from master.
=20
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: err=3D8 matched=3D"=
" text=3D"modifications require authentication"
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1000 op=3D3 =
p=3D3
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: err=3D8 matched=3D"=
" text=3D""
Dec 3 22:20:38 replica slapd[1412]: send_ldap_response: msgid=3D4 tag=3D1=
03 err=3D8
Dec 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 RESULT tag=3D103 e=
rr=3D8 text=3D
Dec 3 22:20:38 replica slapd[1412]: daemon: activity on 1 descriptor
Dec 3 22:20:38 replica slapd[1412]: daemon: activity on:
Dec 3 22:20:38 replica slapd[1412]: 18r =20
Over on the master we see the proxy connection occurs=2C but the client cr=
edentials never apper to arrive. I say that because=2C it looks to me like=
the proxy connection from replica appears to bind anonymously.
Dec 3 22:20:38 master slapd[947]: daemon: activity on 1 descriptor
Dec 3 22:20:38 master slapd[947]: daemon: activity on:
Dec 3 22:20:38 master slapd[947]:=20
Dec 3 22:20:38 master slapd[947]: slap_listener_activate(8):=20
Dec 3 22:20:38 master slapd[947]: >>> slap_listener(ldap:///)
Dec 3 22:20:38 master slapd[947]: daemon: listen=3D8=2C new connection on=
51
Dec 3 22:20:38 master slapd[947]: daemon: added 51r (active) listener=3D(=
nil)
Dec 3 22:20:38 master slapd[947]: conn=3D1056 fd=3D51 ACCEPT from IP=3D19=
2.168.1.2:34759 (IP=3D0.0.0.0:389)
Dec 3 22:20:38 master slapd[947]: daemon: activity on 2 descriptors
Dec 3 22:20:38 master slapd[947]: daemon: activity on:
Dec 3 22:20:38 master slapd[947]: 51r
Dec 3 22:20:38 master slapd[947]:=20
Dec 3 22:20:38 master slapd[947]: daemon: read active on 51
Dec 3 22:20:38 master slapd[947]: connection_get(51)
Dec 3 22:20:38 master slapd[947]: connection_get(51): got connid=3D1056
Dec 3 22:20:38 master slapd[947]: connection_read(51): checking for input=
on id=3D1056
Dec 3 22:20:38 master slapd[947]: op tag 0x60=2C time 1354591238
Dec 3 22:20:38 master slapd[947]: conn=3D1056 op=3D0 do_bind
Dec 3 22:20:38 master slapd[947]: >>> dnPrettyNormal: <>
Dec 3 22:20:38 master slapd[947]: <<< dnPrettyNormal: <>=2C <>
Dec 3 22:20:38 master slapd[947]: conn=3D1056 op=3D0 BIND dn=3D"" method=
=3D128
Dec 3 22:20:38 master slapd[947]: do_bind: version=3D3 dn=3D"" method=3D1=
28
Dec 3 22:20:38 master slapd[947]: send_ldap_result: conn=3D1056 op=3D0 p=
=3D3
Dec 3 22:20:38 master slapd[947]: send_ldap_result: err=3D0 matched=3D"" =
text=3D""
Dec 3 22:20:38 master slapd[947]: send_ldap_response: msgid=3D1 tag=3D97 =
err=3D0
Dec 3 22:20:38 master slapd[947]: conn=3D1056 op=3D0 RESULT tag=3D97 err=
=3D0 text=3D
Dec 3 22:20:38 master slapd[947]: do_bind: v3 anonymous bind
Dec 3 22:20:38 master slapd[947]: daemon: activity on 2 descriptors
Dec 3 22:20:38 master slapd[947]: daemon: activity on:
Dec 3 22:20:38 master slapd[947]: 51r
Dec 3 22:20:38 master slapd[947]:=20
After=2C the (anonymous) bind=2C the master never attempts to if the proxya=
uth request is allowed via authzTo or anything else (perhaps obviously). T=
he modification just proceeds anonymously and eventually fails.
=20
Not sure if I'm saying this in a way that makes any sense to you. Hopeful=
ly=2C it does. It appears=2C that the proxy on replica after restarting=2C=
never tries to determine if the olcDbIDAssertBind binddn is permitted to i=
mpersonate the client via the authzTo attribute and proceeds with the refer=
al chase anonymously.
=20
I'll copy paste configs below. Sorry this is so long=2C but I figure the=
more information=2C the better when trying to solve any problem.
=20
Thanks
=20
Barry
=20
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv master configuration vvvvvvvvvvvvvvvvv=
vvvvvvvvvvv
dn: cn=3Dconfig
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: ea6bf008-d108-1031-912d-8fbb37ee6dd9
creatorsName: cn=3Dconfig
createTimestamp: 20121202201635Z
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/master_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ldap/master_slapd_key.pem
olcAuthzPolicy: to
olcSaslHost: master.example.net
olcSaslRealm: EXAMPLE.NET
olcAuthzRegexp: {0}uid=3Dldap/([^/\.]+).example.net=2Ccn=3Dexample.net=2Cc=
n=3Dgssapi=2Ccn=3Dauth cn=3D$1=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
olcAuthzRegexp: {1}uid=3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=
=3Dauth uid=3D$1=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
olcLogLevel: -1
entryCSN: 20121204013949.466434Z#000000#000#000000
modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
modifyTimestamp: 20121204013949Z
dn: cn=3Dmodule{0}=2Ccn=3Dconfig
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
structuralObjectClass: olcModuleList
entryUUID: ea6dda08-d108-1031-9135-8fbb37ee6dd9
creatorsName: cn=3Dconfig
createTimestamp: 20121202201635Z
entryCSN: 20121203054749.860918Z#000000#000#000000
modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
modifyTimestamp: 20121203054749Z
dn: cn=3Dschema=2Ccn=3Dconfig
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: ea6c3a0e-d108-1031-9130-8fbb37ee6dd9
creatorsName: cn=3Dconfig
createTimestamp: 20121202201635Z
entryCSN: 20121202201635.672699Z#000000#000#000000
modifiersName: cn=3Dconfig
modifyTimestamp: 20121202201635Z
<snip schemas >
dn: olcBackend=3D{0}hdb=2Ccn=3Dconfig
objectClass: olcBackendConfig
olcBackend: {0}hdb
structuralObjectClass: olcBackendConfig
entryUUID: ea6f949c-d108-1031-9136-8fbb37ee6dd9
creatorsName: cn=3Dconfig
createTimestamp: 20121202201635Z
entryCSN: 20121202201635.694663Z#000000#000#000000
modifiersName: cn=3Dconfig
modifyTimestamp: 20121202201635Z
dn: olcDatabase=3D{-1}frontend=2Ccn=3Dconfig
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercr=
ed=2Ccn=3Dexternal
=2Ccn=3Dauth manage by * break
olcAccess: {1}to dn.exact=3D"" by * read
olcAccess: {2}to dn.base=3D"cn=3DSubschema" by * read
olcSizeLimit: 500
structuralObjectClass: olcDatabaseConfig
entryUUID: ea6c0bf6-d108-1031-912e-8fbb37ee6dd9
creatorsName: cn=3Dconfig
createTimestamp: 20121202201635Z
entryCSN: 20121202201635.671512Z#000000#000#000000
modifiersName: cn=3Dconfig
modifyTimestamp: 20121202201635Z
dn: olcDatabase=3D{0}config=2Ccn=3Dconfig
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercr=
ed=2Ccn=3Dexternal=2Ccn=3Dauth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: ea6c325c-d108-1031-912f-8fbb37ee6dd9
creatorsName: cn=3Dconfig
createTimestamp: 20121202201635Z
entryCSN: 20121202201635.672495Z#000000#000#000000
modifiersName: cn=3Dconfig
modifyTimestamp: 20121202201635Z
dn: olcDatabase=3D{1}hdb=2Ccn=3Dconfig
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=3Dexample=2Cdc=3Dnet
olcLastMod: TRUE
olcRootDN: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
olcRootPW:: e1NTSEF9cGhKNWtqME9rOGJnVXp0dy9hYzZEaWFmU1U1Z0FTZk0=3D
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uniqueMember eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: krbPrincipalName eq=2Cpres=2Csub
olcDbIndex: krbPwdPolicyReference eq
structuralObjectClass: olcHdbConfig
entryUUID: ea6fa3ce-d108-1031-9137-8fbb37ee6dd9
creatorsName: cn=3Dconfig
createTimestamp: 20121202201635Z
olcAccess: {0}to attrs=3DuserPassword=2CshadowLastChange by group.exact=3D=
"cn=3Dreplic
ators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet" read by self write by anon=
ymous auth
olcAccess: {1}to attrs=3DauthzTo=2CauthzFrom=2Ccn=2CuidNumber=2CgidNumber=
=2Cuid by users r
ead by anonymous none
olcAccess: {2}to attrs=3DkrbLastSuccessfulAuth=2CkrbExtraData=2CkrbLastFai=
ledAuth=2Ckr
bLoginFailedCount by group.exact=3D"cn=3Dreplicators=2Cou=3Dgroups=2Cdc=
=3Dexample=2Cdc=3Dnet"
read by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" wr=
ite by dn=3D"cn=3Dadm-sr
v=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" write by self read by * none
olcAccess: {3}to dn.subtree=3D"ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" by=
group.exact=3D"cn
=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet" read by dn=3D"cn=
=3Dkdc-srv=2Cou=3Dkerberos=2C
dc=3Dexample=2Cdc=3Dnet" read by dn=3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=
=3Dexample=2Cdc=3Dnet" writ
e by * none
olcAccess: {4}to dn.base=3D"" by * read
olcAccess: {5}to * by dn=3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2C=
dc=3Dnet" write by s
elf write by users read
entryCSN: 20121203054749.804561Z#000000#000#000000
modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
modifyTimestamp: 20121203054749Z
dn: olcOverlay=3D{0}syncprov=2ColcDatabase=3D{1}hdb=2Ccn=3Dconfig
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
structuralObjectClass: olcSyncProvConfig
entryUUID: b77dc36a-d158-1031-9917-2f12ddec6588
creatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
createTimestamp: 20121203054749Z
entryCSN: 20121203054749.962179Z#000000#000#000000
modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
modifyTimestamp: 20121203054749Z vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv dc=3D=
example=2Cdc=3Dnet vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
dn: dc=3Dexample=2Cdc=3Dnet
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.net
dc: example
structuralObjectClass: organization
entryUUID: eac01854-d108-1031-95b6-31806daa9e45
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121202201636Z
entryCSN: 20121202201636.222029Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121202201636Z
contextCSN: 20121204035116.890381Z#000000#000#000000
dn: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <secret>
structuralObjectClass: organizationalRole
entryUUID: eac2e160-d108-1031-95b7-31806daa9e45
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121202201636Z
entryCSN: 20121202201636.240572Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121202201636Z
dn: ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: organizationalUnit
ou: people
description: user account objects
structuralObjectClass: organizationalUnit
entryUUID: 1cee4810-d12b-1031-9787-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.299880Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: ou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: organizationalUnit
ou: groups
description: group objects
structuralObjectClass: organizationalUnit
entryUUID: 1cfcb788-d12b-1031-9788-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.394485Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: ou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: organizationalUnit
ou: hosts
description: host/computer objects
structuralObjectClass: organizationalUnit
entryUUID: 1cfdb37c-d12b-1031-9789-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.400935Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: organizationalUnit
ou: kerberos
description: kerberos realm container
structuralObjectClass: organizationalUnit
entryUUID: 1cfef412-d12b-1031-978a-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.409140Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
cn: replica
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
authzTo: dn:*
description: LDAP server=2C replica
structuralObjectClass: organizationalRole
entryUUID: 1d02dae6-d12b-1031-978b-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
krbPrincipalName: host/replica.example.net@EXAMPLE.NET
krbLoginFailedCount: 0
krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gADgZgDa20URzdHWQ1WObQespjD5JMlRSb3fbZN8fG+gFml3DZQzinhbRU=
RAxZ
oJVqBI/zPGh/FDf9m+5bDBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAz54uBWIC4AFa66jXa6=
Mn3k
f62uOX1YE6N3JlXl1EG2abEzZw1xWglReNN68wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAKu=
6lb/
QQQHgCnrL6XaSAYoh3A5GHF0xa2/vTWwq+lX4zmCpbY2l2up3TBVKZrhlenNSkxswPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAGjfhZNlm0+a6MGvBgok7WxzB638xMCex7sQ1zfzZkLiViiKpw=3D=
=3D
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20121203065600Z
krbExtraData:: AAIATbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
userPassword:: <secret>
entryCSN: 20121203233422.105322Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203233422Z
dn: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
cn: master
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
authzTo: dn:*
description: LDAP server=2C replica
userPassword:: e0NSWVBUfSo=3D
structuralObjectClass: organizationalRole
entryUUID: 1d0514dc-d12b-1031-978c-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
krbPrincipalName: host/master.example.net@EXAMPLE.NET
krbLoginFailedCount: 0
krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gACzEUo41sdOc4i+gbyFE/lai6sMdeygNYlf/SiWtzll+A7x/QBVoz7zFW=
+aWr
8/FMEBj49p4Bn0Goa371TBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAGW4+8wBum86XgWwWj5=
522A
i/CCoCVDIVBZHOI48rJZHrgu59tvH0fH7TDkcwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAH1=
5xNZ
VJSjkEKx2M7Ai17Og8lMWwXAsDB2h+LsGC+HsSWdbE0P4yCNkjMOdIwnwJJ3OA48wPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAGuLUyYlXYKdpNk9KEe7TuHulCL0Fzr4N8WXAv3DaIILvcKv0w=3D=
=3D
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20121203060855Z
krbExtraData:: AAL3QbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
entryCSN: 20121203060855.932134Z#000000#000#000000
modifiersName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203060855Z
dn: cn=3Dadministrator=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: posixGroup
cn: administrator
gidNumber: 50000
structuralObjectClass: posixGroup
entryUUID: 1d079216-d12b-1031-978d-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.465616Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: top
objectClass: groupOfNames
cn: replicators
member: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
member: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
structuralObjectClass: groupOfNames
entryUUID: 1d096db6-d12b-1031-978e-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.477792Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: administrator
sn: administrator
uidNumber: 50000
gidNumber: 50000
userPassword:: <secret>
homeDirectory: /home/administrator
structuralObjectClass: inetOrgPerson
uid: administrator
entryUUID: 1d0a9bf0-d12b-1031-978f-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
krbPrincipalName: administrator@EXAMPLE.NET
krbPrincipalKey:: MIICa6ADAgEBoQMCAQGiAwIBAaMDAgEBpIICUzCCAk8wVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gALWKtjcuVIPL0PLDhUQleHDwIp4PB4O0T3ays8putrnZEUxVC+Ecqcdxa=
iluD
o3oHvU0K11YiAyckIKjfzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAQRTIM4QI0IPjmA1xg/=
Ot7l
cXQSCNuv7MRgBJl7N1QsxS7naYbgLlyybkbXkwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYADm=
Ozq8
96TliwJM9J3X0Dxb/Y+bcTz3e4/FarTIvzEMrMneaW57VGLWX1y162/LNz2jwAqIwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAMBGuqUqQw8nhnQ194wQICvc+Iu0yPUdSTzjGXtDhPSaAHj70DA8o=
AcwB
aADAgEBoTEwL6ADAgEDoSgEJggA0mkFMVjyT2Jn553z2fZNIOQ8fYR2jtUcGFbyUL4s4HaK+6=
yoME
2gGDAWoAMCAQKhDwQNYWRtaW5pc3RyYXRvcqExMC+gAwIBA6EoBCYIAHKR4PzhneCY8c8tLpo=
8yyO
mpk8FynWjl7rVe+Zqq9gIt4KXTTBLoBYwFKADAgEDoQ0EC0VYQU1QTEUuTkVUoTEwL6ADAgED=
oSgE
JggA4e6VizsvWUEKEqAt58PrPViScqavK7u2VuYDpNNuVwTv3zGmMEugFjAUoAMCAQWhDQQLR=
VhBT
VBMRS5ORVShMTAvoAMCAQOhKAQmCACA4sM1SoUcEEYGOMA8CDwINmmJXgnKPQr8jRDsxGToXG=
a5U+
g=3D
krbLastPwdChange: 20121203054848Z
krbLastFailedAuth: 20121204013714Z
krbLoginFailedCount: 0
description: Network Administrator
krbLastSuccessfulAuth: 20121204035116Z
krbExtraData:: AAJAPbxQcm9vdC9hZG1pbkBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
entryCSN: 20121204035116.890381Z#000000#000#000000
modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121204035116Z
dn: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: kdc-srv
description: Kerberos KDC
userPassword:: <secret>
structuralObjectClass: organizationalRole
entryUUID: 1d168924-d12b-1031-9790-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.563692Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: adm-srv
description: Kerberos Admin Server
userPassword:: <secret>
structuralObjectClass: organizationalRole
entryUUID: 1d18610e-d12b-1031-9791-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.575773Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: cn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
cn: EXAMPLE.NET
objectClass: top
objectClass: krbRealmContainer
objectClass: krbTicketPolicyAux
krbSubTrees: dc=3Dexample=2Cdc=3Dnet
krbSearchScope: 2
krbMaxRenewableAge: 604800
krbMaxTicketLife: 36000
structuralObjectClass: krbRealmContainer
entryUUID: c03d58b8-d134-1031-83e7-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.757228Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=
=2Cdc=3Dexample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 36000
krbMaxRenewableAge: 604800
krbTicketFlags: 192
krbPrincipalName: K/M@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+g=
AwIB
EKE4BDYYALvAYATOnUQCrTUO54HKuJKnttvmnxYyud5Fh6T22oTH0qAUzKRfDdxTuO7OIrbK/=
c4Ks
HI=3D
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAkBAAEArgC8UA=3D=3D
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAAAAAAA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c04d9282-d134-1031-83e8-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.863568Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=
=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 36000
krbMaxRenewableAge: 604800
krbTicketFlags: 0
krbPrincipalName: krbtgt/EXAMPLE.NET@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gAOyPPy2RLdudifS8baeUvv3AxlGKKubyeRUcnwFc2CqS9kNvgpTNujaNn=
fmRR
GQI5lTHUdwGYqHfr+ayuTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAe8n+vM9TXvNAG43Va7=
UKy1
93EQx3jtSTiD0aa2tNK9FbkomkYG0mWlz/xW4wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM9=
KwFT
B9MqvfMfba37K7zY6lqPhLpF8d0uucRA/Ewed1i9wfjiOuxQVR0PWLB2OM5q1llQwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAFObLZrmdRD8NEctxP0TySKwmGNnKiX7m+EMMvNj4xmNIa2yTTA8o=
AcwB
aADAgEAoTEwL6ADAgEDoSgEJggAXVm59rkWXluDnx/F0XOEDh4i3Nz9HckLfrcVL5goKRVOV8=
oR
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAAAAAAA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c0518180-d134-1031-83e9-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.889347Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkadmin/admin@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3D=
kerberos=2Cdc=3Dexample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 10800
krbMaxRenewableAge: 604800
krbTicketFlags: 4
krbPrincipalName: kadmin/admin@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gAMjLoWHTDPL9j+ribbAohbY8+SM973mU5iIvxN7MItjbLtXBh/7CF2xtC=
kdsY
5WwobkGKFvGkZvTL+olZjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAwMe5Vpq5Hd2Zy1E8M2=
8Ix6
SbAtMeUjzpEqwQM3P838foPwM9ZfRYhfZ0UfAwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAGZ=
M5wu
tIcsdKbsYTDZgUzqIADtNt4GYjBIJx13JO40Bto78eCybAvE4uqFivBmdH1kEy8cwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAHrJty4X1D5dPY/PW84Lgb0YYuazteCJMYvphJZr3LeKs7suBzA8o=
AcwB
aADAgEAoTEwL6ADAgEDoSgEJggAMDfJDyzgWa4vsKv6rs9IkXOq8eEePAQPB9s0UPbM+9bG3a=
Qz
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c05346be-d134-1031-83ea-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.900950Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=
=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 300
krbMaxRenewableAge: 604800
krbTicketFlags: 8196
krbPrincipalName: kadmin/changepw@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gAHNxSgJ9GwIH0UmFf5Ol8WWQ/2Wy6nQqmf+yX4dVzEQFsmaBp9l1hsceW=
qIB2
ic80wlAJW9Do0gSOaiYfjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAt+ZrWZKAjKkUhSJt0w=
wSqU
ootXhNduXIRVjUJxWVtXdPTI7RcL/yjZK2M0MwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACd=
423Z
epUHmGMVf2I5sRQZRuoypVddoREy1pTtTMIiGvqai7Z+PRHbpL0kTawz9zdg60IgwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAGGbQu5FJ0ewAsCALf9yDbvOIa7Abx0PmnGw+PSKWOt8Dsur9TA8o=
AcwB
aADAgEAoTEwL6ADAgEDoSgEJggAjG9iwd398xO7bFH+bAQDGv0Hh6Qr+QIpNAUB/w7dmvqU9z=
Pl
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c054d88a-d134-1031-83eb-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.911237Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkadmin/history@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=
=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 36000
krbMaxRenewableAge: 604800
krbTicketFlags: 0
krbPrincipalName: kadmin/history@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+g=
AwIB
EKE4BDYYAOhayj3RDyyg78DGPFKNATBnpKKbf2qwLJbJ0nPXoUdjtbHpjECIfASUXjBoB+Pkd=
/N+Z
2g=3D
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c0562d3e-d134-1031-83ec-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.919957Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkadmin/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPL=
E.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 10800
krbMaxRenewableAge: 604800
krbTicketFlags: 4
krbPrincipalName: kadmin/master.example.net@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gABhOeGOuo9UBDjK7hTQ3Xfs8vsWB+Afl0JkPaSt3T3tRkZbWxAhTxXl+4=
Ta3z
Y4ZaEYItXr2awBW6QXSZzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAUUoLikQRp1c+vGFRtG=
g1qY
oev8m55VO73g+xEqcx02MJa1x+esm5y9VTMLswTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACj=
0sgn
ZOyWATgpst3N3pSom4smhxBWYgpTMghwaS5gFeKMZhccDSI8Ahm4nQPFmq3Jrf4UwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAL0gPnqCvdlb4//Xw5iE8Jvj2qYDwpK0Hycj+cwyCjFsVKTsjzA8o=
AcwB
aADAgEAoTEwL6ADAgEDoSgEJggAxTSMEh/7bfV2AYx4VoP8cIeunsqtrcvNIItmDxSqZ0ecZA=
Bm
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAANAD4gA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c0581144-d134-1031-83ed-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.932349Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.=
NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
krbPrincipalName: ldap/master.example.net@EXAMPLE.NET
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: 91a6199c-d15a-1031-9919-2f12ddec6588
creatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203060105Z
krbLoginFailedCount: 0
krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gAA6GzVEXOsoNQbzbqFy0KZqXt04aRDje4Gxq4ZS4b/z+l6pKgmUyVdsPU=
S2wz
qeKY56slAvVlnRCQt+uZTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAkzwNhAF14TYWZyLZem=
5kvD
yuLARt7Z3LLsduQ1j6s7P6EFMDNWPaHCJf09cwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAAb=
Nr3p
vkmNXkIZNgUtw2FJ3VtGEU9MmDmNHCFKSk4kHCR9naWPkbMzRmWA7s/yGkwIWxCMwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAPc+l15I9VR4tYjNfS6XRX09JRoioaavGokNvj0RJa1/h4j3hg=3D=
=3D
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20121203060153Z
krbLastSuccessfulAuth: 20121203061721Z
krbExtraData:: AAJRQLxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
entryCSN: 20121203061721.358939Z#000000#000#000000
modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203061721Z
dn: krbPrincipalName=3Dldap/replica.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE=
.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
krbPrincipalName: ldap/replica.example.net@EXAMPLE.NET
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: 205686f2-d162-1031-9537-2fa18b539eb9
creatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203065511Z
krbLoginFailedCount: 0
krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gABVJBbD8SWzRxzA92ncPp+x/Trd3GJY/P6w+ErH3wddcUmq3o092v7mUX=
FMNw
2R8oC1rwLD2B/deCyuHDTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAApsEJiySukR8L5M3DKb=
ipUj
AITSVQQL2YSqY7xr/BY7Hm3huN/juvnC7u/ZQwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAOv=
mT4x
MDAmgH2qTgqXTSLwRcBvT7QMWYMH0oi7HW8DYC09HDAdD2/vqaBsgthQCj3BCDmkwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIALQe5Qa57ZwsYK2mxhbNOhrO0Yn/OVLez1VQiEmrpj2/GvJLXA=3D=
=3D
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20121203065628Z
krbLastSuccessfulAuth: 20121204032538Z
krbExtraData:: AAIcTbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
entryCSN: 20121204032538.048010Z#000000#000#000000
modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121204032538Z
=20
=20
=20
vvvvvvvvvvvvvvvvvvvv replica config vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
=20
dn: cn=3Dconfig
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: af9b0068-d108-1031-9417-cd3569532aaf
creatorsName: cn=3Dconfig
createTimestamp: 20121202201456Z
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/replica_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ldap/replica_slapd_key.pem
olcLogLevel: stats
olcAuthzRegexp: {0}uid=3Dldap/([^/\.]+).example.net=2Ccn=3Dexample.net=2Cc=
n=3Dgssapi=2Ccn=3Dauth cn=3D$1=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
olcAuthzRegexp: {1}uid=3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=
=3Dauth uid=3D$1=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
olcSaslHost: replica.example.net
olcSaslRealm: EXAMPLE.NET
entryCSN: 20121204023449.956406Z#000000#000#000000
modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
modifyTimestamp: 20121204023449Z
dn: cn=3Dmodule{0}=2Ccn=3Dconfig
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}back_ldap
structuralObjectClass: olcModuleList
entryUUID: af9d1e34-d108-1031-941f-cd3569532aaf
creatorsName: cn=3Dconfig
createTimestamp: 20121202201457Z
entryCSN: 20121204041212.292184Z#000000#000#000000
modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
modifyTimestamp: 20121204041212Z
dn: cn=3Dschema=2Ccn=3Dconfig
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: af9b564e-d108-1031-941a-cd3569532aaf
creatorsName: cn=3Dconfig
createTimestamp: 20121202201456Z
entryCSN: 20121202201456.995860Z#000000#000#000000
modifiersName: cn=3Dconfig
modifyTimestamp: 20121202201456Z < snip schemas > dn: olcBackend=3D{0}hdb=
=2Ccn=3Dconfig
objectClass: olcBackendConfig
olcBackend: {0}hdb
structuralObjectClass: olcBackendConfig
entryUUID: af9e498a-d108-1031-9420-cd3569532aaf
creatorsName: cn=3Dconfig
createTimestamp: 20121202201457Z
entryCSN: 20121202201457.015189Z#000000#000#000000
modifiersName: cn=3Dconfig
modifyTimestamp: 20121202201457Z
dn: olcDatabase=3D{-1}frontend=2Ccn=3Dconfig
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercr=
ed=2Ccn=3Dexternal
=2Ccn=3Dauth manage by * break
olcAccess: {1}to dn.exact=3D"" by * read
olcAccess: {2}to dn.base=3D"cn=3DSubschema" by * read
olcSizeLimit: 500
structuralObjectClass: olcDatabaseConfig
entryUUID: af9b211a-d108-1031-9418-cd3569532aaf
creatorsName: cn=3Dconfig
createTimestamp: 20121202201456Z
entryCSN: 20121202201456.994497Z#000000#000#000000
modifiersName: cn=3Dconfig
modifyTimestamp: 20121202201456Z
dn: olcOverlay=3D{0}chain=2ColcDatabase=3D{-1}frontend=2Ccn=3Dconfig
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE
structuralObjectClass: olcChainConfig
entryUUID: 8605cc76-d214-1031-93d2-613cc62fd42f
creatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
createTimestamp: 20121204041212Z
entryCSN: 20121204041212.352767Z#000000#000#000000
modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
modifyTimestamp: 20121204041212Z
dn: olcDatabase=3D{0}ldap=2ColcOverlay=3D{0}chain=2ColcDatabase=3D{-1}fron=
tend=2Ccn=3Dconfig
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.net:389/";
olcDbIDAssertBind: bindmethod=3Dsimple binddn=3D"cn=3Dreplica=2Cou=3Dhosts=
=2Cdc=3Dexample=2Cdc
=3Dnet" credentials=3D<secret> mode=3Dself flags=3Doverride starttls=3Dcr=
itical tls_req
cert=3Ddemand tls_cacert=3D/etc/ssl/certs/cacert.pem
olcDbRebindAsUser: TRUE
structuralObjectClass: olcLDAPConfig
entryUUID: 8609b6f6-d214-1031-93d3-613cc62fd42f
creatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
createTimestamp: 20121204041212Z
entryCSN: 20121204041212.378432Z#000000#000#000000
modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
modifyTimestamp: 20121204041212Z
dn: olcDatabase=3D{0}config=2Ccn=3Dconfig
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercr=
ed=2Ccn=3Dexternal
=2Ccn=3Dauth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: af9b4528-d108-1031-9419-cd3569532aaf
creatorsName: cn=3Dconfig
createTimestamp: 20121202201456Z
entryCSN: 20121202201456.995421Z#000000#000#000000
modifiersName: cn=3Dconfig
modifyTimestamp: 20121202201456Z
dn: olcDatabase=3D{1}hdb=2Ccn=3Dconfig
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=3Dexample=2Cdc=3Dnet
olcLastMod: TRUE
olcRootDN: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
olcRootPW:: e1NTSEF9eW1nS3JTR0VkMW5LQ0VaQ0Y4UjJBTDlPTlEveENDbzY=3D
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uniqueMember eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: krbPrincipalName eq=2Cpres=2Csub
olcDbIndex: krbPwdPolicyReference eq
structuralObjectClass: olcHdbConfig
entryUUID: af9e5d12-d108-1031-9421-cd3569532aaf
creatorsName: cn=3Dconfig
createTimestamp: 20121202201457Z
olcAccess: {0}to attrs=3DuserPassword=2CshadowLastChange by group.exact=3D=
"cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet" read by self wri=
te by anonymous auth
olcAccess: {1}to attrs=3DauthzTo=2CauthzFrom by group.exact=3D"cn=3Dreplic=
ators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet" read by users read by anonym=
ous none
olcAccess: {2}to attrs=3DkrbLastSuccessfulAuth=2CkrbExtraData=2CkrbLastFai=
ledAuth=2CkrbLoginFailedCount by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3D=
example=2Cdc=3Dnet" read by dn
=3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" read by self =
read by * none
olcAccess: {3}to dn.subtree=3D"ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" by=
dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" read by dn=
=3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2C
dc=3Dnet" read by * none
olcAccess: {4}to dn.base=3D"" by * read
olcAccess: {5}to * by self write by users read
olcSyncrepl: {0}rid=3D123 provider=3D"ldap://master.example.net:389/"; type=
=3DrefreshAndPersist retry=3D"60 30 300 +" searchbase=3D"dc=3Dexample=2Cdc=
=3Dnet" bindmethod=3Dsasl
saslmech=3Dgssapi starttls=3Dcritical tls_reqcert=3Ddemand tls_cacert=3D=
/etc/ssl/certs/cacert.pem
olcUpdateRef: "ldap://master.example.net:389/";
entryCSN: 20121204041212.283590Z#000000#000#000000
modifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=
=2Ccn=3Dauth
modifyTimestamp: 20121204041212Z
=20
=20
=20
dn: dc=3Dexample=2Cdc=3Dnet
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.net
dc: example
structuralObjectClass: organization
entryUUID: eac01854-d108-1031-95b6-31806daa9e45
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121202201636Z
entryCSN: 20121202201636.222029Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121202201636Z
contextCSN: 20121204035116.890381Z#000000#000#000000
dn: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <secret>
structuralObjectClass: organizationalRole
entryUUID: eac2e160-d108-1031-95b7-31806daa9e45
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121202201636Z
entryCSN: 20121202201636.240572Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121202201636Z
dn: ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: organizationalUnit
ou: people
description: user account objects
structuralObjectClass: organizationalUnit
entryUUID: 1cee4810-d12b-1031-9787-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.299880Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: ou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: organizationalUnit
ou: groups
description: group objects
structuralObjectClass: organizationalUnit
entryUUID: 1cfcb788-d12b-1031-9788-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.394485Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: ou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: organizationalUnit
ou: hosts
description: host/computer objects
structuralObjectClass: organizationalUnit
entryUUID: 1cfdb37c-d12b-1031-9789-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.400935Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: organizationalUnit
ou: kerberos
description: kerberos realm container
structuralObjectClass: organizationalUnit
entryUUID: 1cfef412-d12b-1031-978a-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.409140Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
cn: replica
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
authzTo: dn:*
description: LDAP server=2C replica
structuralObjectClass: organizationalRole
entryUUID: 1d02dae6-d12b-1031-978b-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
krbPrincipalName: host/replica.example.net@EXAMPLE.NET
krbLoginFailedCount: 0
krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gADgZgDa20URzdHWQ1WObQespjD5JMlRSb3fbZN8fG+gFml3DZQzinhbRU=
RAxZ
oJVqBI/zPGh/FDf9m+5bDBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAz54uBWIC4AFa66jXa6=
Mn3k
f62uOX1YE6N3JlXl1EG2abEzZw1xWglReNN68wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAKu=
6lb/
QQQHgCnrL6XaSAYoh3A5GHF0xa2/vTWwq+lX4zmCpbY2l2up3TBVKZrhlenNSkxswPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAGjfhZNlm0+a6MGvBgok7WxzB638xMCex7sQ1zfzZkLiViiKpw=3D=
=3D
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20121203065600Z
krbExtraData:: AAIATbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
userPassword:: <secret>
entryCSN: 20121203233422.105322Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203233422Z
dn: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
cn: master
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
authzTo: dn:*
description: LDAP server=2C replica
userPassword:: <secret>
structuralObjectClass: organizationalRole
entryUUID: 1d0514dc-d12b-1031-978c-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
krbPrincipalName: host/master.example.net@EXAMPLE.NET
krbLoginFailedCount: 0
krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gACzEUo41sdOc4i+gbyFE/lai6sMdeygNYlf/SiWtzll+A7x/QBVoz7zFW=
+aWr
8/FMEBj49p4Bn0Goa371TBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAGW4+8wBum86XgWwWj5=
522A
i/CCoCVDIVBZHOI48rJZHrgu59tvH0fH7TDkcwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAH1=
5xNZ
VJSjkEKx2M7Ai17Og8lMWwXAsDB2h+LsGC+HsSWdbE0P4yCNkjMOdIwnwJJ3OA48wPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAGuLUyYlXYKdpNk9KEe7TuHulCL0Fzr4N8WXAv3DaIILvcKv0w=3D=
=3D
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20121203060855Z
krbExtraData:: AAL3QbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
entryCSN: 20121203060855.932134Z#000000#000#000000
modifiersName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203060855Z
dn: cn=3Dadministrator=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: posixGroup
cn: administrator
gidNumber: 50000
structuralObjectClass: posixGroup
entryUUID: 1d079216-d12b-1031-978d-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.465616Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: top
objectClass: groupOfNames
cn: replicators
member: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
member: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet
structuralObjectClass: groupOfNames
entryUUID: 1d096db6-d12b-1031-978e-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.477792Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: administrator
sn: administrator
uidNumber: 50000
gidNumber: 50000
userPassword:: <secret>
homeDirectory: /home/administrator
structuralObjectClass: inetOrgPerson
uid: administrator
entryUUID: 1d0a9bf0-d12b-1031-978f-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
krbPrincipalName: administrator@EXAMPLE.NET
krbPrincipalKey:: MIICa6ADAgEBoQMCAQGiAwIBAaMDAgEBpIICUzCCAk8wVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gALWKtjcuVIPL0PLDhUQleHDwIp4PB4O0T3ays8putrnZEUxVC+Ecqcdxa=
iluD
o3oHvU0K11YiAyckIKjfzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAQRTIM4QI0IPjmA1xg/=
Ot7l
cXQSCNuv7MRgBJl7N1QsxS7naYbgLlyybkbXkwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYADm=
Ozq8
96TliwJM9J3X0Dxb/Y+bcTz3e4/FarTIvzEMrMneaW57VGLWX1y162/LNz2jwAqIwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAMBGuqUqQw8nhnQ194wQICvc+Iu0yPUdSTzjGXtDhPSaAHj70DA8o=
AcwB
aADAgEBoTEwL6ADAgEDoSgEJggA0mkFMVjyT2Jn553z2fZNIOQ8fYR2jtUcGFbyUL4s4HaK+6=
yoME
2gGDAWoAMCAQKhDwQNYWRtaW5pc3RyYXRvcqExMC+gAwIBA6EoBCYIAHKR4PzhneCY8c8tLpo=
8yyO
mpk8FynWjl7rVe+Zqq9gIt4KXTTBLoBYwFKADAgEDoQ0EC0VYQU1QTEUuTkVUoTEwL6ADAgED=
oSgE
JggA4e6VizsvWUEKEqAt58PrPViScqavK7u2VuYDpNNuVwTv3zGmMEugFjAUoAMCAQWhDQQLR=
VhBT
VBMRS5ORVShMTAvoAMCAQOhKAQmCACA4sM1SoUcEEYGOMA8CDwINmmJXgnKPQr8jRDsxGToXG=
a5U+
g=3D
krbLastPwdChange: 20121203054848Z
krbLastFailedAuth: 20121204013714Z
krbLoginFailedCount: 0
description: Network Administrator
krbLastSuccessfulAuth: 20121204035116Z
krbExtraData:: AAJAPbxQcm9vdC9hZG1pbkBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
entryCSN: 20121204035116.890381Z#000000#000#000000
modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121204035116Z
dn: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: kdc-srv
description: Kerberos KDC
userPassword:: <secret>
structuralObjectClass: organizationalRole
entryUUID: 1d168924-d12b-1031-9790-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.563692Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: adm-srv
description: Kerberos Admin Server
userPassword:: <secret>
structuralObjectClass: organizationalRole
entryUUID: 1d18610e-d12b-1031-9791-4f8d9abcea93
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203002123Z
entryCSN: 20121203002123.575773Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203002123Z
dn: cn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
cn: EXAMPLE.NET
objectClass: top
objectClass: krbRealmContainer
objectClass: krbTicketPolicyAux
krbSubTrees: dc=3Dexample=2Cdc=3Dnet
krbSearchScope: 2
krbMaxRenewableAge: 604800
krbMaxTicketLife: 36000
structuralObjectClass: krbRealmContainer
entryUUID: c03d58b8-d134-1031-83e7-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.757228Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=
=2Cdc=3Dexample=2Cdc=3D
net
krbLoginFailedCount: 0
krbMaxTicketLife: 36000
krbMaxRenewableAge: 604800
krbTicketFlags: 192
krbPrincipalName: K/M@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+g=
AwIB
EKE4BDYYALvAYATOnUQCrTUO54HKuJKnttvmnxYyud5Fh6T22oTH0qAUzKRfDdxTuO7OIrbK/=
c4Ks
HI=3D
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAkBAAEArgC8UA=3D=3D
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAAAAAAA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c04d9282-d134-1031-83e8-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.863568Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=
=2Cou=3Dkerberos
=2Cdc=3Dexample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 36000
krbMaxRenewableAge: 604800
krbTicketFlags: 0
krbPrincipalName: krbtgt/EXAMPLE.NET@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gAOyPPy2RLdudifS8baeUvv3AxlGKKubyeRUcnwFc2CqS9kNvgpTNujaNn=
fmRR
GQI5lTHUdwGYqHfr+ayuTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAe8n+vM9TXvNAG43Va7=
UKy1
93EQx3jtSTiD0aa2tNK9FbkomkYG0mWlz/xW4wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM9=
KwFT
B9MqvfMfba37K7zY6lqPhLpF8d0uucRA/Ewed1i9wfjiOuxQVR0PWLB2OM5q1llQwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAFObLZrmdRD8NEctxP0TySKwmGNnKiX7m+EMMvNj4xmNIa2yTTA8o=
AcwB
aADAgEAoTEwL6ADAgEDoSgEJggAXVm59rkWXluDnx/F0XOEDh4i3Nz9HckLfrcVL5goKRVOV8=
oR
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAAAAAAA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c0518180-d134-1031-83e9-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.889347Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkadmin/admin@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3D=
kerberos=2Cdc=3Dex
ample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 10800
krbMaxRenewableAge: 604800
krbTicketFlags: 4
krbPrincipalName: kadmin/admin@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gAMjLoWHTDPL9j+ribbAohbY8+SM973mU5iIvxN7MItjbLtXBh/7CF2xtC=
kdsY
5WwobkGKFvGkZvTL+olZjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAwMe5Vpq5Hd2Zy1E8M2=
8Ix6
SbAtMeUjzpEqwQM3P838foPwM9ZfRYhfZ0UfAwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAGZ=
M5wu
tIcsdKbsYTDZgUzqIADtNt4GYjBIJx13JO40Bto78eCybAvE4uqFivBmdH1kEy8cwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAHrJty4X1D5dPY/PW84Lgb0YYuazteCJMYvphJZr3LeKs7suBzA8o=
AcwB
aADAgEAoTEwL6ADAgEDoSgEJggAMDfJDyzgWa4vsKv6rs9IkXOq8eEePAQPB9s0UPbM+9bG3a=
Qz
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c05346be-d134-1031-83ea-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.900950Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=
=3Dkerberos=2Cdc
=3Dexample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 300
krbMaxRenewableAge: 604800
krbTicketFlags: 8196
krbPrincipalName: kadmin/changepw@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gAHNxSgJ9GwIH0UmFf5Ol8WWQ/2Wy6nQqmf+yX4dVzEQFsmaBp9l1hsceW=
qIB2
ic80wlAJW9Do0gSOaiYfjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAt+ZrWZKAjKkUhSJt0w=
wSqU
ootXhNduXIRVjUJxWVtXdPTI7RcL/yjZK2M0MwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACd=
423Z
epUHmGMVf2I5sRQZRuoypVddoREy1pTtTMIiGvqai7Z+PRHbpL0kTawz9zdg60IgwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAGGbQu5FJ0ewAsCALf9yDbvOIa7Abx0PmnGw+PSKWOt8Dsur9TA8o=
AcwB
aADAgEAoTEwL6ADAgEDoSgEJggAjG9iwd398xO7bFH+bAQDGv0Hh6Qr+QIpNAUB/w7dmvqU9z=
Pl
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c054d88a-d134-1031-83eb-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.911237Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkadmin/history@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=
=3Dkerberos=2Cdc=3D
example=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 36000
krbMaxRenewableAge: 604800
krbTicketFlags: 0
krbPrincipalName: kadmin/history@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+g=
AwIB
EKE4BDYYAOhayj3RDyyg78DGPFKNATBnpKKbf2qwLJbJ0nPXoUdjtbHpjECIfASUXjBoB+Pkd=
/N+Z
2g=3D
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAAGlvbkA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c0562d3e-d134-1031-83ec-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.919957Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dkadmin/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPL=
E.NET=2Cou=3Dk
erberos=2Cdc=3Dexample=2Cdc=3Dnet
krbLoginFailedCount: 0
krbMaxTicketLife: 10800
krbMaxRenewableAge: 604800
krbTicketFlags: 4
krbPrincipalName: kadmin/master.example.net@EXAMPLE.NET
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gABhOeGOuo9UBDjK7hTQ3Xfs8vsWB+Afl0JkPaSt3T3tRkZbWxAhTxXl+4=
Ta3z
Y4ZaEYItXr2awBW6QXSZzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAUUoLikQRp1c+vGFRtG=
g1qY
oev8m55VO73g+xEqcx02MJa1x+esm5y9VTMLswTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACj=
0sgn
ZOyWATgpst3N3pSom4smhxBWYgpTMghwaS5gFeKMZhccDSI8Ahm4nQPFmq3Jrf4UwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAL0gPnqCvdlb4//Xw5iE8Jvj2qYDwpK0Hycj+cwyCjFsVKTsjzA8o=
AcwB
aADAgEAoTEwL6ADAgEDoSgEJggAxTSMEh/7bfV2AYx4VoP8cIeunsqtrcvNIItmDxSqZ0ecZA=
Bm
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA
krbExtraData:: AAcBAAIAAgAAANAD4gA=3D
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: c0581144-d134-1031-83ed-0707760cf534
creatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203013022Z
entryCSN: 20121203013022.932349Z#000000#000#000000
modifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203013022Z
dn: krbPrincipalName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.=
NET=2Cou=3Dker
beros=2Cdc=3Dexample=2Cdc=3Dnet
krbPrincipalName: ldap/master.example.net@EXAMPLE.NET
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: 91a6199c-d15a-1031-9919-2f12ddec6588
creatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203060105Z
krbLoginFailedCount: 0
krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gAA6GzVEXOsoNQbzbqFy0KZqXt04aRDje4Gxq4ZS4b/z+l6pKgmUyVdsPU=
S2wz
qeKY56slAvVlnRCQt+uZTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAkzwNhAF14TYWZyLZem=
5kvD
yuLARt7Z3LLsduQ1j6s7P6EFMDNWPaHCJf09cwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAAb=
Nr3p
vkmNXkIZNgUtw2FJ3VtGEU9MmDmNHCFKSk4kHCR9naWPkbMzRmWA7s/yGkwIWxCMwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIAPc+l15I9VR4tYjNfS6XRX09JRoioaavGokNvj0RJa1/h4j3hg=3D=
=3D
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20121203060153Z
krbLastSuccessfulAuth: 20121203061721Z
krbExtraData:: AAJRQLxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
entryCSN: 20121203061721.358939Z#000000#000#000000
modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121203061721Z
dn: krbPrincipalName=3Dldap/replica.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE=
.NET=2Cou=3Dke
rberos=2Cdc=3Dexample=2Cdc=3Dnet
krbPrincipalName: ldap/replica.example.net@EXAMPLE.NET
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
structuralObjectClass: krbPrincipal
entryUUID: 205686f2-d162-1031-9537-2fa18b539eb9
creatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
createTimestamp: 20121203065511Z
krbLoginFailedCount: 0
krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIB=
AKFJ
MEegAwIBEqFABD4gABVJBbD8SWzRxzA92ncPp+x/Trd3GJY/P6w+ErH3wddcUmq3o092v7mUX=
FMNw
2R8oC1rwLD2B/deCyuHDTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAApsEJiySukR8L5M3DKb=
ipUj
AITSVQQL2YSqY7xr/BY7Hm3huN/juvnC7u/ZQwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAOv=
mT4x
MDAmgH2qTgqXTSLwRcBvT7QMWYMH0oi7HW8DYC09HDAdD2/vqaBsgthQCj3BCDmkwPKAHMAWg=
AwIB
AKExMC+gAwIBAaEoBCYIALQe5Qa57ZwsYK2mxhbNOhrO0Yn/OVLez1VQiEmrpj2/GvJLXA=3D=
=3D
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20121203065628Z
krbExtraData:: AAIcTbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D
krbExtraData:: AAgBAA=3D=3D
krbLastSuccessfulAuth: 20121204032538Z
entryCSN: 20121204032538.048010Z#000000#000#000000
modifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet
modifyTimestamp: 20121204032538Z
> Date: Fri=2C 9 Nov 2012 01:55:32 +0000
> From: openldap-its@OpenLDAP.org
> To: blance3459@hotmail.com
> Subject: Re: (ITS#7434) idassert-bind fails after restarting slapd
>=20
>=20
> *** THIS IS AN AUTOMATICALLY GENERATED REPLY ***
>=20
> Thanks for your report to the OpenLDAP Issue Tracking System. Your
> report has been assigned the tracking number ITS#7434.
>=20
> One of our support engineers will look at your report in due course.
> Note that this may take some time because our support engineers
> are volunteers. They only work on OpenLDAP when they have spare
> time.
>=20
> If you need to provide additional information in regards to your
> issue report=2C you may do so by replying to this message. Note that
> any mail sent to openldap-its@openldap.org with (ITS#7434)
> in the subject will automatically be attached to the issue report.
>=20
> mailto:openldap-its@openldap.org?subject=3D(ITS#7434)
>=20
> You may follow the progress of this report by loading the following
> URL in a web browser:
> http://www.OpenLDAP.org/its/index.cgi?findid=3D7434
>=20
> Please remember to retain your issue tracking number (ITS#7434)
> on any further messages you send to us regarding this report. If
> you don't then you'll just waste our time and yours because we
> won't be able to properly track the report.
>=20
> Please note that the Issue Tracking System is not intended to
> be used to seek help in the proper use of OpenLDAP Software.
> Such requests will be closed.
>=20
> OpenLDAP Software is user supported.
> http://www.OpenLDAP.org/support/
>=20
> --------------
> Copyright 1998-2007 The OpenLDAP Foundation=2C All Rights Reserved.
>=20
=
--_e0f270ad-e1a3-48b6-986f-f9f11dfd57c0_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 12pt=3B
font-family:Calibri
}
--></style></head>
<body class=3D'hmmessage'><div dir=3D'ltr'>Quanah=2C <br> =3B<br>I fina=
lly got back around to working on this over the last couple of days. =
=3B Where I'm at with my project is:<BR><p style=3D"margin-right: 0px=3B" d=
ir=3D"ltr"> =3BI have two servers (virtual machines)=2C named master an=
d replica=2C =3B with slapd configured with my directory information an=
d single-master replication between them. =3B <br> =3BI created a K=
erberos realm and various principals in open ldap. =3B <br> =3BRepl=
ication access is authenticated using sasl/gssapi with the slapd principal=
=2C ldap/replica.example.net. =3B <br> =3Bk5start has been added to=
system startup to buid the credential cache for slapd.<br> =3B <br>&nb=
sp=3BThat brings me to configuring referrals and proxyAuth on replica. =
=3B </p>What appears to be happening is that at the initial configuration (=
before restarting the daemon) is the client binds to the replica and authen=
ticates with its kerberos ticket. =3B The "magic" is performed on the s=
asl user<br>and the ldap directory entry is returned. =3B It then proce=
eds into the modification and notices the update referral. =3B It then =
checks to determine if the binddn used in =3B in the olcDbIDAssertBind<=
br>statems can authzTo the bound user. =3B It can and the proxy of the =
modification proceeds. =3B On the master=2C the proxy request is receiv=
ed=2C more "magic" is done on the user id to make sure it is in <br>the cor=
rect form=2C the authzTo attribute is again checked and allowed. =3B Th=
e update is performed as the user=2C and success is returned back through t=
he chain to the user. =3B This is how I would expect <br>the process to=
proceed. =3B However=2C if I restart the server (or slapd daemon)=2C t=
his behavior changes. =3B <BR>After restarting=2C the bind occurs at th=
e replica=2C does "magic"=2C and then sees the referral and attempts the pr=
oxy. =3B What's notable here is that the check of authzTo is NOT perfor=
med.<br>The refereal is then chased=2C but the authzTo check was never made=
. =3B Since there is no user to "authzTo"=2C does the referral get chas=
ed with perhaps a "null" or anonymous user?<br>Whatever the case=2C it appe=
ars the the original binding user is never sent over the proxy. =3B Ove=
r at the master=2C I see the bind request come on from the replica which is=
treated as an anonymous bind request.<br>No magic=2C no authzTo check=2C n=
o nothing. =3B It then goes straight into the modification and tries to=
perform=2C but is blocked due to the bound user being anonymous and the st=
ronger authentication error (8) is returned. =3B <br>Given that the bin=
d occured anonymously=2C I feel that error is expected and wanted.<br> =
=3B<br>I had been trying to use sasl binding here=2C but was not having the=
same sucess that I had with syncrepl. =3B In order to only fight one b=
attle at a time=2C I changed by proxy config to use a simple bind instead o=
f sasl/gssapi. =3B <br> =3B<br>Referrals and proxy authentication a=
re configured on replica with the following ldif. =3B I tried setting t=
he override flag because the man page makes it sound like it forces the aut=
hzTo check at bind time.<br>By doing that I was hoping I could force the ch=
eck and see the authzTo process in my logs. =3B Is this what the ITS yo=
u mentions is referring to?<BR> =3B<br>dn: olcDatabase=3D{1}hdb=2Ccn=3D=
config<br> =3Bchangetype: modify<br> =3Badd: olcUpdateref<br> =
=3BolcUpdateref: "<a href=3D"ldap://master.example.net:389/";>ldap://master.=
example.net:389/</a>"<br> =3B <br> =3Bdn: cn=3Dmodule{0}=2Ccn=3Dcon=
fig<br> =3Bchangetype: modify<br> =3Badd: olcModuleLoad<br> =3B=
olcModuleLoad: {1}back_ldap<br> =3B <br> =3Bdn: olcOverlay=3Dchain=
=2ColcDatabase=3D{-1}frontend=2Ccn=3Dconfig<br> =3Bchangetype: add<br>&=
nbsp=3BobjectClass: olcOverlayConfig<br> =3BobjectClass: olcChainConfig=
<br> =3BolcOverlay: {0}chain<br> =3BolcChainReturnError: TRUE<br>&n=
bsp=3B <br> =3Bdn: olcDatabase=3Dldap=2ColcOverlay=3D{0}chain=2ColcData=
base=3D{-1}frontend=2Ccn=3Dconfig<br> =3Bchangetype: add<br> =3Bobj=
ectClass: olcLDAPConfig<br> =3BobjectClass: olcChainDatabase<br> =
=3BolcDatabase: {0}ldap<br> =3BolcDbURI: "<a href=3D"ldap://master.exam=
ple.net:389/">ldap://master.example.net:389/</a>"<br> =3BolcDbRebindAsU=
ser: TRUE<br> =3BolcDbIDAssertBind: bindmethod=3Dsimple<br> =3B&nbs=
p=3B binddn=3D"cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"<br>&nbs=
p=3B =3B credentials=3Dshhh-secret<br> =3B =3B mode=3Dself<br>&=
nbsp=3B =3B flags=3Doverride<br> =3B =3B starttls=3Dcritical<br=
> =3B =3B tls_reqcert=3Ddemand<br> =3B =3B tls_cacert=3D/et=
c/ssl/certs/cacert.pem<BR> =3B <br> =3B <br>After adding that infor=
mation via ldapmodify=2C I attempt to perform an update on the replica.&nbs=
p=3B For testing=2C i simply change the description attribute for uid=3Dadm=
inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet. =3B I'm using this =
simple ldif to test with:<br> =3B <BR>dn: uid=3Dadministrator=2Cou=3Dpe=
ople=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bchangetype: modify<br> =3Brep=
lace: description<br> =3Bdescription: Network Administrator<BR><br>Init=
ially after configuring the proxy and obtainng a kerberos ticket for the ac=
count (administrator=2C self write)=2C this update succeeds. =3B Lookin=
g at syslog on replica=2C I see happiness. =3B The ldap modify binds us=
ing gssapi=2C I see SASL name being correctly converted to uid=3Dadministra=
tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet.<br> =3B <BR>Dec =3B 3 =
22:17:01 replica slapd[994]: SASL Canonicalize [conn=3D1005]: authcid=3D"ad=
ministrator"<br> =3BDec =3B 3 22:17:01 replica slapd[994]: slap_sas=
l_getdn: conn 1005 id=3Dadministrator [len=3D13]<br> =3BDec =3B 3 2=
2:17:01 replica slapd[994]: slap_sasl_getdn: u:id converted to uid=3Dadmini=
strator=2Ccn=3DEXAMPLE.NET=2Ccn=3DGSSAPI=2Ccn=3Dauth<br> =3BDec =3B=
3 22:17:01 replica slapd[994]: >=3B>=3B>=3B dnNormalize: <=3Buid=
=3Dadministrator=2Ccn=3DEXAMPLE.NET=2Ccn=3DGSSAPI=2Ccn=3Dauth>=3B<br>&nbs=
p=3BDec =3B 3 22:17:01 replica slapd[994]: <=3B<=3B<=3B dnNormali=
ze: <=3Buid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth&=
gt=3B<br> =3BDec =3B 3 22:17:01 replica slapd[994]: =3D=3D>=3Bsla=
p_sasl2dn: converting SASL name uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=
=3Dgssapi=2Ccn=3Dauth to a DN<br> =3BDec =3B 3 22:17:01 replica sla=
pd[994]: =3D=3D>=3B rewrite_context_apply [depth=3D1] string=3D'uid=3Dadm=
inistrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth'<br> =3BDec&nbs=
p=3B 3 22:17:01 replica slapd[994]: =3D=3D>=3B rewrite_rule_apply rule=3D=
'uid=3Dldap/([^/\.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Da=
uth' string=3D'uid=3Dadministrator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3D=
auth' [1 pass(es)]<br> =3BDec =3B 3 22:17:01 replica slapd[994]: =
=3D=3D>=3B rewrite_rule_apply rule=3D'uid=3D([^=2C]+)=2Ccn=3Dexample.net=
=2Ccn=3Dgssapi=2Ccn=3Dauth' string=3D'uid=3Dadministrator=2Ccn=3Dexample.ne=
t=2Ccn=3Dgssapi=2Ccn=3Dauth' [1 pass(es)]<br> =3BDec =3B 3 22:17:01=
replica slapd[994]: =3D=3D>=3B rewrite_context_apply [depth=3D1] res=3D{=
0=2C'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet'}<br> =
=3BDec =3B 3 22:17:01 replica slapd[994]: [rw] authid: "uid=3Dadministr=
ator=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth" ->=3B "uid=3Dadministr=
ator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:1=
7:01 replica slapd[994]: slap_parseURI: parsing uid=3Dadministrator=2Cou=3D=
people=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:17:01 replica =
slapd[994]: >=3B>=3B>=3B dnNormalize: <=3Buid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01=
replica slapd[994]: <=3B<=3B<=3B dnNormalize: <=3Buid=3Dadministra=
tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 =
22:17:01 replica slapd[994]: <=3B=3D=3Dslap_sasl2dn: Converted SASL name =
to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BD=
ec =3B 3 22:17:01 replica slapd[994]: slap_sasl_getdn: dn:id converted =
to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BD=
ec =3B 3 22:17:01 replica slapd[994]: SASL Canonicalize [conn=3D1005]: =
slapAuthcDN=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=
<br> =3BDec =3B 3 22:17:01 replica slapd[994]: SASL proxy authorize=
[conn=3D1005]: authcid=3D"<a href=3D"mailto:administrator@EXAMPLE.NET";>adm=
inistrator@EXAMPLE.NET</a>" authzid=3D"<a href=3D"mailto:administrator@EXAM=
PLE.NET">administrator@EXAMPLE.NET</a>"<br> =3BDec =3B 3 22:17:01 r=
eplica slapd[994]: conn=3D1005 op=3D2 BIND authcid=3D"<a href=3D"mailto:adm=
inistrator@EXAMPLE.NET">administrator@EXAMPLE.NET</a>" authzid=3D"<a href=
=3D"mailto:administrator@EXAMPLE.NET";>administrator@EXAMPLE.NET</a>"<br>&nb=
sp=3BDec =3B 3 22:17:01 replica slapd[994]: SASL Authorize [conn=3D1005=
]: =3B proxy authorization allowed authzDN=3D""<br> =3BDec =3B =
3 22:17:01 replica slapd[994]: send_ldap_sasl: err=3D0 len=3D-1<br> =3B=
Dec =3B 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor=
<br> =3BDec =3B 3 22:17:01 replica slapd[994]: daemon: activity on:=
<br> =3BDec =3B 3 22:17:01 replica slapd[994]: <br>Dec =3B 3 22=
:17:01 replica slapd[994]: conn=3D1005 op=3D2 BIND dn=3D"uid=3Dadministrato=
r=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" mech=3DGSSAPI sasl_ssf=3D56 ssf=
=3D56<br> =3BDec =3B 3 22:17:01 replica slapd[994]: do_bind: SASL/G=
SSAPI bind: dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dn=
et" sasl_ssf=3D56<br> =3BDec =3B 3 22:17:01 replica slapd[994]: sen=
d_ldap_response: msgid=3D3 tag=3D97 err=3D0<br> =3BDec =3B 3 22:17:=
01 replica slapd[994]: conn=3D1005 op=3D2 RESULT tag=3D97 err=3D0 text=3D<b=
r> =3BDec =3B 3 22:17:01 replica slapd[994]: <=3B=3D=3D slap_sasl=
_bind: rc=3D0<BR><br> =3BAll good=2C so far on replica. =3B I belie=
ve the sasl/gssapi authntication process is completed. =3B Now to perfo=
rm the modify.<BR><br>Dec =3B 3 22:17:01 replica slapd[994]: conn=3D100=
5 op=3D3 do_modify<br> =3BDec =3B 3 22:17:01 replica slapd[994]: co=
nn=3D1005 op=3D3 do_modify: dn (uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dex=
ample=2Cdc=3Dnet)<br> =3BDec =3B 3 22:17:01 replica slapd[994]: >=
=3B>=3B>=3B dnPrettyNormal: <=3Buid=3Dadministrator=2Cou=3Dpeople=2Cd=
c=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01 replica slap=
d[994]: <=3B<=3B<=3B dnPrettyNormal: <=3Buid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B=2C <=3Buid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01=
replica slapd[994]: conn=3D1005 op=3D3 modifications:<br> =3BDec =
=3B 3 22:17:01 replica slapd[994]: #011replace: description<br> =3BDec&=
nbsp=3B 3 22:17:01 replica slapd[994]: #011#011one value=2C length 21<br>&n=
bsp=3BDec =3B 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 MOD dn=
=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br> =
=3BDec =3B 3 22:17:01 replica slapd[994]: conn=3D1005 op=3D3 MOD attr=
=3Ddescription<br> =3BDec =3B 3 22:17:01 replica slapd[994]: bdb_dn=
2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")<br>&n=
bsp=3BDec =3B 3 22:17:01 replica slapd[994]: send_ldap_result: conn=3D1=
005 op=3D3 p=3D3<br> =3BDec =3B 3 22:17:01 replica slapd[994]: send=
_ldap_result: err=3D10 matched=3D"" text=3D""<br> =3BDec =3B 3 22:1=
7:01 replica slapd[994]: send_ldap_result: referral=3D"<a href=3D"ldap://ma=
ster.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=
=3Dnet">ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cd=
c=3Dexample=2Cdc=3Dnet</a>"<br> =3BDec =3B 3 22:17:01 replica slapd=
[994]: >=3B>=3B>=3B dnPrettyNormal: <=3Buid=3Dadministrator=2Cou=3D=
people=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01 re=
plica slapd[994]: daemon: activity on 1 descriptor<br> =3BDec =3B 3=
22:17:01 replica slapd[994]: daemon: activity on:<br> =3BDec =3B 3=
22:17:01 replica slapd[994]: <br>Dec =3B 3 22:17:01 replica slapd[994]=
: <=3B<=3B<=3B dnPrettyNormal: <=3Buid=3Dadministrator=2Cou=3Dpeopl=
e=2Cdc=3Dexample=2Cdc=3Dnet>=3B=2C <=3Buid=3Dadministrator=2Cou=3Dpeopl=
e=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01 replica=
slapd[994]: conn=3D1005 op=3D3 ldap_chain_op: ref=3D"<a href=3D"ldap://mas=
ter.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=
=3Dnet">ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cd=
c=3Dexample=2Cdc=3Dnet</a>" ->=3B "<a href=3D"ldap://master.example.net:3=
89">ldap://master.example.net:389</a>"<br> =3BDec =3B 3 22:17:01 re=
plica slapd[994]: conn=3D1005 op=3D3 ldap_chain_op: ref=3D"<a href=3D"ldap:=
//master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=
=2Cdc=3Dnet">ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeopl=
e=2Cdc=3Dexample=2Cdc=3Dnet</a>": URI=3D"<a href=3D"ldap://master.example.n=
et:389">ldap://master.example.net:389</a>" found in cache<BR><br> =3B <=
br> =3BOkay=2C now it seems that the referral is returned and chased on=
behalf of the client. =3B Finally=2C from the perspective of replica=
=2C success! =3B Modified data comes back to replica via syncrepl.<br>&=
nbsp=3B <BR>Dec =3B 3 22:17:01 replica slapd[994]: =3D>=3Bldap_back_g=
etconn: conn 0x7fe0b0147c30 fetched refcnt=3D1.<br> =3BDec =3B 3 22=
:17:01 replica slapd[994]: send_ldap_result: conn=3D1005 op=3D3 p=3D3<br>&n=
bsp=3BDec =3B 3 22:17:01 replica slapd[994]: send_ldap_result: err=3D0 =
matched=3D"" text=3D""<br> =3BDec =3B 3 22:17:01 replica slapd[994]=
: send_ldap_response: msgid=3D4 tag=3D103 err=3D0<br> =3BDec =3B 3 =
22:17:01 replica slapd[994]: conn=3D1005 op=3D3 RESULT tag=3D103 err=3D0 te=
xt=3D<BR><br> =3B<br>Dec =3B 3 22:17:01 replica slapd[994]: daemon:=
activity on 1 descriptor<br> =3BDec =3B 3 22:17:01 replica slapd[9=
94]: daemon: activity on:<br> =3BDec =3B 3 22:17:01 replica slapd[9=
94]: =3B 15r<br> =3BDec =3B 3 22:17:01 replica slapd[994]: <br>=
Dec =3B 3 22:17:01 replica slapd[994]: daemon: read active on 15<br>&nb=
sp=3BDec =3B 3 22:17:01 replica slapd[994]: connection_get(15)<br> =
=3BDec =3B 3 22:17:01 replica slapd[994]: connection_get(15): got conni=
d=3D0<br> =3BDec =3B 3 22:17:01 replica slapd[994]: =3D>=3Bdo_syn=
crepl rid=3D123<br> =3BDec =3B 3 22:17:01 replica slapd[994]: =3D&g=
t=3Bdo_syncrep2 rid=3D123<br> =3BDec =3B 3 22:17:01 replica slapd[9=
94]: do_syncrep2: rid=3D123 cookie=3Drid=3D123=2Ccsn=3D20121204031701.56069=
7Z#000000#000#000000<br> =3BDec =3B 3 22:17:01 replica slapd[994]: =
>=3B>=3B>=3B dnPrettyNormal: <=3Buid=3Dadministrator=2Cou=3Dpeople=
=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01 replica =
slapd[994]: <=3B<=3B<=3B dnPrettyNormal: <=3Buid=3Dadministrator=2C=
ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B=2C <=3Buid=3Dadministrator=2C=
ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:=
01 replica slapd[994]: >=3B>=3B>=3B dnPretty: <=3Bcn=3Dadmin=2Cdc=
=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01 replica slapd=
[994]: <=3B<=3B<=3B dnPretty: <=3Bcn=3Dadmin=2Cdc=3Dexample=2Cdc=3D=
net>=3B<br> =3BDec =3B 3 22:17:01 replica slapd[994]: >=3B>=
=3B>=3B dnNormalize: <=3Bcn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br>=
 =3BDec =3B 3 22:17:01 replica rsyslogd-2177: imuxsock begins to dr=
op messages from pid 994 due to rate-limiting<BR><br> =3BSo everything =
looks good (correct?) on replica. =3B Meanwhile=2C back at the master..=
.. <br> =3B<BR>Dec =3B 3 22:17:01 master slapd[947]: daemon: activi=
ty on 1 descriptor<br> =3BDec =3B 3 22:17:01 master slapd[947]: dae=
mon: activity on:<br> =3BDec =3B 3 22:17:01 master slapd[947]: =
=3B 51r<br> =3BDec =3B 3 22:17:01 master slapd[947]: <br>Dec =
=3B 3 22:17:01 master slapd[947]: daemon: read active on 51<br> =3BDec&=
nbsp=3B 3 22:17:01 master slapd[947]: connection_get(51)<br> =3BDec&nbs=
p=3B 3 22:17:01 master slapd[947]: connection_get(51): got connid=3D1054<br=
> =3BDec =3B 3 22:17:01 master slapd[947]: connection_read(51): che=
cking for input on id=3D1054<br> =3BDec =3B 3 22:17:01 master slapd=
[947]: op tag 0x66=2C time 1354591021<br> =3BDec =3B 3 22:17:01 mas=
ter slapd[947]: daemon: activity on 1 descriptor<br> =3BDec =3B 3 2=
2:17:01 master slapd[947]: daemon: activity on:<br> =3BDec =3B 3 22=
:17:01 master slapd[947]: <br>Dec =3B 3 22:17:01 master slapd[947]: con=
n=3D1054 op=3D3 do_modify<br> =3BDec =3B 3 22:17:01 master slapd[94=
7]: conn=3D1054 op=3D3 do_modify: dn (uid=3Dadministrator=2Cou=3Dpeople=2Cd=
c=3Dexample=2Cdc=3Dnet)<br> =3BDec =3B 3 22:17:01 master slapd[947]=
: =3D>=3B get_ctrls<br> =3BDec =3B 3 22:17:01 master slapd[947]: =
=3D>=3B get_ctrls: oid=3D"2.16.840.1.113730.3.4.18" (noncritical)<br>&nbs=
p=3BDec =3B 3 22:17:01 master slapd[947]: parseProxyAuthz: conn 1054 au=
thzid=3D"dn:uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br=
> =3BDec =3B 3 22:17:01 master slapd[947]: slap_sasl_getdn: conn 10=
54 id=3Ddn:uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet [len=
=3D48]<br> =3BDec =3B 3 22:17:01 master slapd[947]: >=3B>=3B>=
=3B dnNormalize: <=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cd=
c=3Dnet>=3B<br> =3BDec =3B 3 22:17:01 master slapd[947]: <=3B&l=
t=3B<=3B dnNormalize: <=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexam=
ple=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01 master slapd[947]: =
=3D=3D>=3Bslap_sasl2dn: converting SASL name uid=3Dadministrator=2Cou=3Dp=
eople=2Cdc=3Dexample=2Cdc=3Dnet to a DN<br> =3BDec =3B 3 22:17:01 m=
aster slapd[947]: =3D=3D>=3B rewrite_context_apply [depth=3D1] string=3D'=
uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet'<br> =3BDec=
 =3B 3 22:17:01 master slapd[947]: =3D=3D>=3B rewrite_rule_apply rule=
=3D'uid=3Dldap/([^/\.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=
=3Dauth' string=3D'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3D=
net' [1 pass(es)]<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D=
=3D>=3B rewrite_rule_apply rule=3D'uid=3D([^=2C]+)=2Ccn=3Dexample.net=2Cc=
n=3Dgssapi=2Ccn=3Dauth' string=3D'uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3D=
example=2Cdc=3Dnet' [1 pass(es)]<br> =3BDec =3B 3 22:17:01 master s=
lapd[947]: =3D=3D>=3B rewrite_context_apply [depth=3D1] res=3D{0=2C'uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet'}<br> =3BDec&n=
bsp=3B 3 22:17:01 master slapd[947]: [rw] authid: "uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" ->=3B "uid=3Dadministrator=2Cou=3Dpe=
ople=2Cdc=3Dexample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:17:01 master sl=
apd[947]: slap_parseURI: parsing uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3De=
xample=2Cdc=3Dnet<br> =3BDec =3B 3 22:17:01 master slapd[947]: >=
=3B>=3B>=3B dnNormalize: <=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=
=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01 master slapd[=
947]: <=3B<=3B<=3B dnNormalize: <=3Buid=3Dadministrator=2Cou=3Dpeop=
le=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:17:01 master=
slapd[947]: <=3B=3D=3Dslap_sasl2dn: Converted SASL name to uid=3Dadminis=
trator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:=
17:01 master slapd[947]: slap_sasl_getdn: dn:id converted to uid=3Dadminist=
rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:1=
7:01 master slapd[947]: parseProxyAuthz: conn=3D1054 "uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:17:01=
master slapd[947]: =3D=3D>=3Bslap_sasl_authorized: can cn=3Dreplica=2Cou=
=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet become uid=3Dadministrator=2Cou=3Dpeople=
=2Cdc=3Dexample=2Cdc=3Dnet?<br> =3BDec =3B 3 22:17:01 master slapd[=
947]: =3D=3D>=3Bslap_sasl_check_authz: does uid=3Dadministrator=2Cou=3Dpe=
ople=2Cdc=3Dexample=2Cdc=3Dnet match authzTo rule in cn=3Dreplica=2Cou=3Dho=
sts=2Cdc=3Dexample=2Cdc=3Dnet?<br> =3BDec =3B 3 22:17:01 master sla=
pd[947]: =3D>=3B bdb_entry_get: ndn: "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dex=
ample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D&=
gt=3B bdb_entry_get: oc: "(null)"=2C at: "authzTo"<br> =3BDec =3B 3=
22:17:01 master slapd[947]: bdb_dn2entry("cn=3Dreplica=2Cou=3Dhosts=2Cdc=
=3Dexample=2Cdc=3Dnet")<br> =3BDec =3B 3 22:17:01 master slapd[947]=
: =3D>=3B bdb_entry_get: found entry: "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3De=
xample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:17:01 master slapd[947]: bdb=
_entry_get: rc=3D0<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D=
>=3B access_allowed: result not in cache (authzTo)<br> =3BDec =3B=
3 22:17:01 master slapd[947]: =3D>=3B access_allowed: auth access to "cn=
=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet" "authzTo" requested<br>&=
nbsp=3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B acl_get: [2] att=
r authzTo<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B ac=
l_mask: access to entry "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dne=
t"=2C attr "authzTo" requested<br> =3BDec =3B 3 22:17:01 master sla=
pd[947]: =3D>=3B acl_mask: to all values by "cn=3Dreplica=2Cou=3Dhosts=2C=
dc=3Dexample=2Cdc=3Dnet"=2C (=3D0) <br>Dec =3B 3 22:17:01 master slapd[=
947]: <=3B=3D check a_dn_pat: users<br> =3BDec =3B 3 22:17:01 mas=
ter slapd[947]: <=3B=3D acl_mask: [1] applying read(=3Drscxd) (stop)<br>&=
nbsp=3BDec =3B 3 22:17:01 master slapd[947]: <=3B=3D acl_mask: [1] ma=
sk: read(=3Drscxd)<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D=
>=3B slap_access_allowed: auth access granted by read(=3Drscxd)<br> =
=3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B access_allowed: auth=
access granted by read(=3Drscxd)<br> =3BDec =3B 3 22:17:01 master =
slapd[947]: =3D>=3B access_allowed: result was in cache (authzTo)<br>&nbs=
p=3BDec =3B 3 22:17:01 master slapd[947]: =3D=3D=3D>=3Bslap_sasl_matc=
h: comparing DN uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet=
to rule dn:*<br> =3BDec =3B 3 22:17:01 master slapd[947]: slap_par=
seURI: parsing dn:*<br> =3BDec =3B 3 22:17:01 master slapd[947]: &l=
t=3B=3D=3D=3Dslap_sasl_match: comparison returned 0<br> =3BDec =3B =
3 22:17:01 master slapd[947]: <=3B=3D=3Dslap_sasl_check_authz: authzTo ch=
eck returning 0<br> =3BDec =3B 3 22:17:01 master slapd[947]: <=3B=
=3D=3D slap_sasl_authorized: return 0<br> =3BDec =3B 3 22:17:01 mas=
ter slapd[947]: conn=3D1054 op=3D3 PROXYAUTHZ dn=3D"uid=3Dadministrator=2Co=
u=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:17:01 mas=
ter slapd[947]: <=3B=3D get_ctrls: n=3D1 rc=3D0 err=3D""<br> =3BDec&n=
bsp=3B 3 22:17:01 master slapd[947]: >=3B>=3B>=3B dnPrettyNormal: <=
=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br>&nb=
sp=3BDec =3B 3 22:17:01 master slapd[947]: <=3B<=3B<=3B dnPrettyN=
ormal: <=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=
=3B=2C <=3Buid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=
=3B<br> =3BDec =3B 3 22:17:01 master slapd[947]: conn=3D1054 op=3D3=
modifications:<br> =3BDec =3B 3 22:17:01 master slapd[947]: #011re=
place: description<br> =3BDec =3B 3 22:17:01 master slapd[947]: #01=
1#011one value=2C length 21<br> =3BDec =3B 3 22:17:01 master slapd[=
947]: conn=3D1054 op=3D3 MOD dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=
=3Dexample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:17:01 master slapd[947]:=
conn=3D1054 op=3D3 MOD attr=3Ddescription<br> =3BDec =3B 3 22:17:0=
1 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc=
=3Dexample=2Cdc=3Dnet")<br> =3BDec =3B 3 22:17:01 master slapd[947]=
: =3D>=3B bdb_entry_get: ndn: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3De=
xample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D=
>=3B bdb_entry_get: oc: "(null)"=2C at: "(null)"<br> =3BDec =3B 3=
22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeopl=
e=2Cdc=3Dexample=2Cdc=3Dnet")<br> =3BDec =3B 3 22:17:01 master slap=
d[947]: =3D>=3B bdb_entry_get: found entry: "uid=3Dadministrator=2Cou=3Dp=
eople=2Cdc=3Dexample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:17:01 master s=
lapd[947]: bdb_entry_get: rc=3D0<br> =3BDec =3B 3 22:17:01 master s=
lapd[947]: =3D>=3B test_filter<br> =3BDec =3B 3 22:17:01 master s=
lapd[947]: =3B =3B =3B =3B PRESENT<br> =3BDec =3B 3=
22:17:01 master slapd[947]: =3D>=3B access_allowed: search access to "ui=
d=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "objectClass" re=
quested<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B dn: =
[4] ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:17:=
01 master slapd[947]: =3D>=3B dn: [5] <br>Dec =3B 3 22:17:01 master s=
lapd[947]: =3D>=3B acl_get: [6] attr objectClass<br> =3BDec =3B 3=
22:17:01 master slapd[947]: =3D>=3B acl_mask: access to entry "uid=3Dadm=
inistrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "objectClass" r=
equested<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B acl=
_mask: to all values by "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dne=
t"=2C (=3D0) <br>Dec =3B 3 22:17:01 master slapd[947]: <=3B=3D check =
a_dn_pat: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =
=3BDec =3B 3 22:17:01 master slapd[947]: <=3B=3D check a_dn_pat: self=
<br> =3BDec =3B 3 22:17:01 master slapd[947]: <=3B=3D check a_dn_=
pat: users<br> =3BDec =3B 3 22:17:01 master slapd[947]: <=3B=3D a=
cl_mask: [3] applying read(=3Drscxd) (stop)<br> =3BDec =3B 3 22:17:=
01 master slapd[947]: <=3B=3D acl_mask: [3] mask: read(=3Drscxd)<br> =
=3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B slap_access_allowed:=
search access granted by read(=3Drscxd)<br> =3BDec =3B 3 22:17:01 =
master slapd[947]: =3D>=3B access_allowed: search access granted by read(=
=3Drscxd)<br> =3BDec =3B 3 22:17:01 master slapd[947]: <=3B=3D te=
st_filter 6<br> =3BDec =3B 3 22:17:01 master slapd[947]: syncprov_m=
atchops: sid ffffffff fscope 1 rc 6<br> =3BDec =3B 3 22:17:01 maste=
r slapd[947]: hdb_modify: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=
=2Cdc=3Dnet<br> =3BDec =3B 3 22:17:01 master slapd[947]: slap_queue=
_csn: queing 0x7fa90f0fe110 20121204031701.560697Z#000000#000#000000<br>&nb=
sp=3BDec =3B 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=3Dadminist=
rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")<br> =3BDec =3B 3 22=
:17:01 master slapd[947]: bdb_modify_internal: 0x0000000b: uid=3Dadministra=
tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:17:=
01 master slapd[947]: =3D>=3B access_allowed: result not in cache (descri=
ption)<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B acces=
s_allowed: delete access to "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexamp=
le=2Cdc=3Dnet" "description" requested<br> =3BDec =3B 3 22:17:01 ma=
ster slapd[947]: =3D>=3B dn: [4] ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<=
br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B dn: [5] <br>=
Dec =3B 3 22:17:01 master slapd[947]: =3D>=3B acl_get: [6] attr descr=
iption<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B acl_m=
ask: access to entry "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=
=3Dnet"=2C attr "description" requested<br> =3BDec =3B 3 22:17:01 m=
aster slapd[947]: =3D>=3B acl_mask: to all values by "uid=3Dadministrator=
=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0) <br>Dec =3B 3 22:17=
:01 master slapd[947]: <=3B=3D check a_dn_pat: cn=3Dadm-srv=2Cou=3Dkerber=
os=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:17:01 master slapd=
[947]: <=3B=3D check a_dn_pat: self<br> =3BDec =3B 3 22:17:01 mas=
ter slapd[947]: <=3B=3D acl_mask: [2] applying write(=3Dwrscxd) (stop)<br=
> =3BDec =3B 3 22:17:01 master slapd[947]: <=3B=3D acl_mask: [2] =
mask: write(=3Dwrscxd)<br> =3BDec =3B 3 22:17:01 master slapd[947]:=
=3D>=3B slap_access_allowed: delete access granted by write(=3Dwrscxd)<b=
r> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B access_allowe=
d: delete access granted by write(=3Dwrscxd)<br> =3BDec =3B 3 22:17=
:01 master slapd[947]: =3D>=3B access_allowed: result not in cache (descr=
iption)<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B acce=
ss_allowed: add access to "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=
=2Cdc=3Dnet" "description" requested<br> =3BDec =3B 3 22:17:01 mast=
er slapd[947]: =3D>=3B dn: [4] ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br=
> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B dn: [5] <br>De=
c =3B 3 22:17:01 master slapd[947]: =3D>=3B acl_get: [6] attr descrip=
tion<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B acl_mas=
k: access to entry "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=
=3Dnet"=2C attr "description" requested<br> =3BDec =3B 3 22:17:01 m=
aster slapd[947]: =3D>=3B acl_mask: to value by "uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0) <br>Dec =3B 3 22:17:01 m=
aster slapd[947]: <=3B=3D check a_dn_pat: cn=3Dadm-srv=2Cou=3Dkerberos=2C=
dc=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:17:01 master slapd[947]=
: <=3B=3D check a_dn_pat: self<br> =3BDec =3B 3 22:17:01 master s=
lapd[947]: <=3B=3D acl_mask: [2] applying write(=3Dwrscxd) (stop)<br>&nbs=
p=3BDec =3B 3 22:17:01 master slapd[947]: <=3B=3D acl_mask: [2] mask:=
write(=3Dwrscxd)<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D&=
gt=3B slap_access_allowed: add access granted by write(=3Dwrscxd)<br> =
=3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B access_allowed: add =
access granted by write(=3Dwrscxd)<br> =3BDec =3B 3 22:17:01 master=
slapd[947]: acl: internal mod entryCSN: modify access granted<br> =3BD=
ec =3B 3 22:17:01 master slapd[947]: acl: internal mod modifiersName: m=
odify access granted<br> =3BDec =3B 3 22:17:01 master slapd[947]: a=
cl: internal mod modifyTimestamp: modify access granted<br> =3BDec =
=3B 3 22:17:01 master slapd[947]: bdb_modify_internal: replace description<=
br> =3BDec =3B 3 22:17:01 master slapd[947]: bdb_modify_internal: r=
eplace entryCSN<br> =3BDec =3B 3 22:17:01 master slapd[947]: bdb_mo=
dify_internal: replace modifiersName<br> =3BDec =3B 3 22:17:01 mast=
er slapd[947]: bdb_modify_internal: replace modifyTimestamp<br> =3BDec&=
nbsp=3B 3 22:17:01 master slapd[947]: oc_check_required entry (uid=3Dadmini=
strator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "inetOrgPer=
son"<br> =3BDec =3B 3 22:17:01 master slapd[947]: oc_check_required=
entry (uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C obj=
ectClass "posixAccount"<br> =3BDec =3B 3 22:17:01 master slapd[947]=
: oc_check_required entry (uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=
=2Cdc=3Dnet)=2C objectClass "shadowAccount"<br> =3BDec =3B 3 22:17:=
01 master slapd[947]: oc_check_required entry (uid=3Dadministrator=2Cou=3Dp=
eople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "krbPrincipalAux"<br> =
=3BDec =3B 3 22:17:01 master slapd[947]: oc_check_required entry (uid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)=2C objectClass "k=
rbTicketPolicyAux"<br> =3BDec =3B 3 22:17:01 master slapd[947]: oc_=
check_allowed type "objectClass"<br> =3BDec =3B 3 22:17:01 master s=
lapd[947]: oc_check_allowed type "cn"<br> =3BDec =3B 3 22:17:01 mas=
ter slapd[947]: oc_check_allowed type "sn"<br> =3BDec =3B 3 22:17:0=
1 master slapd[947]: oc_check_allowed type "uidNumber"<br> =3BDec =
=3B 3 22:17:01 master slapd[947]: oc_check_allowed type "gidNumber"<br>&nbs=
p=3BDec =3B 3 22:17:01 master slapd[947]: oc_check_allowed type "userPa=
ssword"<br> =3BDec =3B 3 22:17:01 master slapd[947]: oc_check_allow=
ed type "homeDirectory"<br> =3BDec =3B 3 22:17:01 master slapd[947]=
: oc_check_allowed type "structuralObjectClass"<br> =3BDec =3B 3 22=
:17:01 master slapd[947]: oc_check_allowed type "uid"<br> =3BDec =
=3B 3 22:17:01 master slapd[947]: oc_check_allowed type "entryUUID"<br>&nbs=
p=3BDec =3B 3 22:17:01 master slapd[947]: oc_check_allowed type "creato=
rsName"<br> =3BDec =3B 3 22:17:01 master slapd[947]: oc_check_allow=
ed type "createTimestamp"<br> =3BDec =3B 3 22:17:01 master slapd[94=
7]: oc_check_allowed type "krbPrincipalName"<br> =3BDec =3B 3 22:17=
:01 master slapd[947]: oc_check_allowed type "krbPrincipalKey"<br> =3BD=
ec =3B 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastPwdC=
hange"<br> =3BDec =3B 3 22:17:01 master slapd[947]: oc_check_allowe=
d type "krbLastFailedAuth"<br> =3BDec =3B 3 22:17:01 master slapd[9=
47]: oc_check_allowed type "krbLoginFailedCount"<br> =3BDec =3B 3 2=
2:17:01 master slapd[947]: oc_check_allowed type "krbLastSuccessfulAuth"<br=
> =3BDec =3B 3 22:17:01 master slapd[947]: oc_check_allowed type "k=
rbExtraData"<br> =3BDec =3B 3 22:17:01 master slapd[947]: oc_check_=
allowed type "description"<br> =3BDec =3B 3 22:17:01 master slapd[9=
47]: oc_check_allowed type "entryCSN"<br> =3BDec =3B 3 22:17:01 mas=
ter slapd[947]: oc_check_allowed type "modifiersName"<br> =3BDec =
=3B 3 22:17:01 master slapd[947]: oc_check_allowed type "modifyTimestamp"<b=
r> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B key_change(DE=
LETE=2Cb)<br> =3BDec =3B 3 22:17:01 master slapd[947]: bdb_idl_dele=
te_key: b <br>Dec =3B 3 22:17:01 master slapd[947]: <=3B=3D key_chang=
e 0<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B key_chan=
ge(ADD=2Cb)<br> =3BDec =3B 3 22:17:01 master slapd[947]: bdb_idl_in=
sert_key: b <br>Dec =3B 3 22:17:01 master slapd[947]: <=3B=3D key_cha=
nge 0<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B entry_=
encode(0x0000000b): <br>Dec =3B 3 22:17:01 master slapd[947]: <=3B=3D=
entry_encode(0x0000000b): <br>Dec =3B 3 22:17:01 master slapd[947]: hd=
b_modify: updated id=3D0000000b dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cd=
c=3Dexample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:17:01 master slapd[947]=
: send_ldap_result: conn=3D1054 op=3D3 p=3D3<br> =3BDec =3B 3 22:17=
:01 master slapd[947]: send_ldap_result: err=3D0 matched=3D"" text=3D""<br>=
 =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B bdb_entry_get: =
ndn: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br> =
=3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B bdb_entry_get: oc: "=
(null)"=2C at: "(null)"<br> =3BDec =3B 3 22:17:01 master slapd[947]=
: bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet=
")<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B bdb_entry=
_get: found entry: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=
=3Dnet"<br> =3BDec =3B 3 22:17:01 master slapd[947]: bdb_entry_get:=
rc=3D0<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B test=
_filter<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3B =
=3B =3B =3B PRESENT<br> =3BDec =3B 3 22:17:01 master slapd[=
947]: =3D>=3B access_allowed: search access to "uid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" "objectClass" requested<br> =3BDec=
 =3B 3 22:17:01 master slapd[947]: =3D>=3B dn: [4] ou=3Dkerberos=2Cdc=
=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:17:01 master slapd[947]: =
=3D>=3B dn: [5] <br>Dec =3B 3 22:17:01 master slapd[947]: =3D>=3B a=
cl_get: [6] attr objectClass<br> =3BDec =3B 3 22:17:01 master slapd=
[947]: =3D>=3B acl_mask: access to entry "uid=3Dadministrator=2Cou=3Dpeop=
le=2Cdc=3Dexample=2Cdc=3Dnet"=2C attr "objectClass" requested<br> =3BDe=
c =3B 3 22:17:01 master slapd[947]: =3D>=3B acl_mask: to all values b=
y "cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet"=2C (=3D0) <br>Dec&n=
bsp=3B 3 22:17:01 master slapd[947]: <=3B=3D check a_dn_pat: cn=3Dadm-srv=
=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:17:0=
1 master slapd[947]: <=3B=3D check a_dn_pat: self<br> =3BDec =3B =
3 22:17:01 master slapd[947]: <=3B=3D check a_dn_pat: users<br> =3BDe=
c =3B 3 22:17:01 master slapd[947]: <=3B=3D acl_mask: [3] applying re=
ad(=3Drscxd) (stop)<br> =3BDec =3B 3 22:17:01 master slapd[947]: &l=
t=3B=3D acl_mask: [3] mask: read(=3Drscxd)<br> =3BDec =3B 3 22:17:0=
1 master slapd[947]: =3D>=3B slap_access_allowed: search access granted b=
y read(=3Drscxd)<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D&g=
t=3B access_allowed: search access granted by read(=3Drscxd)<br> =3BDec=
 =3B 3 22:17:01 master slapd[947]: <=3B=3D test_filter 6<br> =3BD=
ec =3B 3 22:17:01 master slapd[947]: syncprov_matchops: sid ffffffff fs=
cope 1 rc 6<br> =3BDec =3B 3 22:17:01 master slapd[947]: syncprov_s=
endresp: cookie=3Drid=3D123=2Ccsn=3D20121204031701.560697Z#000000#000#00000=
0<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B bdb_entry_=
get: ndn: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br>=
 =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B bdb_entry_get: =
oc: "(null)"=2C at: "(null)"<br> =3BDec =3B 3 22:17:01 master slapd=
[947]: bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=
=3Dnet")<br> =3BDec =3B 3 22:17:01 master slapd[947]: =3D>=3B bdb=
_entry_get: found entry: "uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=
=2Cdc=3Dnet"<BR><br> =3BEverything looks good on the master. =3B I =
see uid=3Dadministrator gets sent over from the the proxy on replica and th=
e update proceeds as expected. =3B Now if I restart slapd on replica=2C=
things change. =3B performing the same modifucation=2C we again see sa=
sl/gssapi authentication occuring on replica just as before<br> =3B <BR=
>Dec =3B 3 22:20:38 replica slapd[1412]: [rw] authid: "uid=3Dadministra=
tor=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth" ->=3B "uid=3Dadministra=
tor=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet"<br> =3BDec =3B 3 22:20=
:38 replica slapd[1412]: slap_parseURI: parsing uid=3Dadministrator=2Cou=3D=
people=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BDec =3B 3 22:20:38 replica =
slapd[1412]: >=3B>=3B>=3B dnNormalize: <=3Buid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:20:38=
replica slapd[1412]: <=3B<=3B<=3B dnNormalize: <=3Buid=3Dadministr=
ator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3=
22:20:38 replica slapd[1412]: <=3B=3D=3Dslap_sasl2dn: Converted SASL nam=
e to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br> =
=3BDec =3B 3 22:20:38 replica slapd[1412]: slap_sasl_getdn: dn:id conve=
rted to uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbs=
p=3BDec =3B 3 22:20:38 replica slapd[1412]: SASL Canonicalize [conn=3D1=
000]: slapAuthcDN=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=
=3Dnet"<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: SASL proxy a=
uthorize [conn=3D1000]: authcid=3D"<a href=3D"mailto:administrator@EXAMPLE.=
NET">administrator@EXAMPLE.NET</a>" authzid=3D"<a href=3D"mailto:administra=
tor@EXAMPLE.NET">administrator@EXAMPLE.NET</a>"<br> =3BDec =3B 3 22=
:20:38 replica slapd[1412]: conn=3D1000 op=3D2 BIND authcid=3D"<a href=3D"m=
ailto:administrator@EXAMPLE.NET">administrator@EXAMPLE.NET</a>" authzid=3D"=
<a href=3D"mailto:administrator@EXAMPLE.NET";>administrator@EXAMPLE.NET</a>"=
<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: SASL Authorize [con=
n=3D1000]: =3B proxy authorization allowed authzDN=3D""<br> =3BDec&=
nbsp=3B 3 22:20:38 replica slapd[1412]: send_ldap_sasl: err=3D0 len=3D-1<br=
> =3BDec =3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 BIN=
D dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet" mech=
=3DGSSAPI sasl_ssf=3D56 ssf=3D56<br> =3BDec =3B 3 22:20:38 replica =
slapd[1412]: do_bind: SASL/GSSAPI bind: dn=3D"uid=3Dadministrator=2Cou=3Dpe=
ople=2Cdc=3Dexample=2Cdc=3Dnet" sasl_ssf=3D56<br> =3BDec =3B 3 22:2=
0:38 replica slapd[1412]: send_ldap_response: msgid=3D3 tag=3D97 err=3D0<br=
> =3BDec =3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D2 RES=
ULT tag=3D97 err=3D0 text=3D<br> =3BDec =3B 3 22:20:38 replica slap=
d[1412]: <=3B=3D=3D slap_sasl_bind: rc=3D0<BR><br> =3BAgain=2C we hea=
d into the modification:<br> =3B <BR>Dec =3B 3 22:20:38 replica sla=
pd[1412]: conn=3D1000 op=3D3 do_modify<br> =3BDec =3B 3 22:20:38 re=
plica slapd[1412]: conn=3D1000 op=3D3 do_modify: dn (uid=3Dadministrator=2C=
ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet)<br> =3BDec =3B 3 22:20:38 re=
plica slapd[1412]: >=3B>=3B>=3B dnPrettyNormal: <=3Buid=3Dadministr=
ator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3=
22:20:38 replica slapd[1412]: <=3B<=3B<=3B dnPrettyNormal: <=3Buid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B=2C <=3Buid=
=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BD=
ec =3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 modifications=
:<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: #011replace: descr=
iption<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: #011#011one v=
alue=2C length 21<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: co=
nn=3D1000 op=3D3 MOD dn=3D"uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=
=2Cdc=3Dnet"<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: conn=3D=
1000 op=3D3 MOD attr=3Ddescription<br> =3BDec =3B 3 22:20:38 replic=
a slapd[1412]: bdb_dn2entry("uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexamp=
le=2Cdc=3Dnet")<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: =3D&=
gt=3B hdb_dn2id("ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")<br> =3BDec&nbs=
p=3B 3 22:20:38 replica slapd[1412]: <=3B=3D hdb_dn2id: got id=3D0x3<br>&=
nbsp=3BDec =3B 3 22:20:38 replica slapd[1412]: daemon: activity on 1 de=
scriptor<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: daemon: act=
ivity on:<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: <BR> =
=3B<br> =3BSo far=2C so good (I think)=2C replica sees the need to refe=
r the action and tries to chase it on behalf of the clent:<BR><br> =3BD=
ec =3B 3 22:20:38 replica slapd[1412]: =3D>=3B hdb_dn2id("uid=3Dadmin=
istrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet")<br> =3BDec =3B 3=
22:20:38 replica slapd[1412]: <=3B=3D hdb_dn2id: got id=3D0xb<br> =
=3BDec =3B 3 22:20:38 replica slapd[1412]: entry_decode: ""<br> =3B=
Dec =3B 3 22:20:38 replica slapd[1412]: <=3B=3D entry_decode()<br>&nb=
sp=3BDec =3B 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1=
000 op=3D3 p=3D3<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: sen=
d_ldap_result: err=3D10 matched=3D"" text=3D""<br> =3BDec =3B 3 22:=
20:38 replica slapd[1412]: send_ldap_result: referral=3D"<a href=3D"ldap://=
master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cd=
c=3Dnet">ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2C=
dc=3Dexample=2Cdc=3Dnet</a>"<br> =3BDec =3B 3 22:20:38 replica slap=
d[1412]: >=3B>=3B>=3B dnPrettyNormal: <=3Buid=3Dadministrator=2Cou=
=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =3B 3 22:20:38=
replica slapd[1412]: <=3B<=3B<=3B dnPrettyNormal: <=3Buid=3Dadmini=
strator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B=2C <=3Buid=3Dadmini=
strator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet>=3B<br> =3BDec =
=3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 ldap_chain_op: ref=
=3D"<a href=3D"ldap://master.example.net:389/uid=3Dadministrator=2Cou=3Dpeo=
ple=2Cdc=3Dexample=2Cdc=3Dnet">ldap://master.example.net:389/uid=3Dadminist=
rator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet</a>" ->=3B "<a href=3D"ldap=
://master.example.net:389">ldap://master.example.net:389</a>"<br> =3BDe=
c =3B 3 22:20:38 replica slapd[1412]: ldap_back_db_open: URI=3Dldap://m=
aster.example.net:389<br> =3BDec =3B 3 22:20:38 replica slapd[1412]=
: conn=3D1000 op=3D3 ldap_chain_op: ref=3D"<a href=3D"ldap://master.example=
.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet">ldap:=
//master.example.net:389/uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=
=2Cdc=3Dnet</a>" temporary<br> =3BDec =3B 3 22:20:38 replica slapd[=
1412]: =3D>=3Bldap_back_getconn: conn=3D1000 op=3D3: lc=3D0x7f213015a7d0 =
inserted refcnt=3D1 rc=3D0<br> =3BDec =3B 3 22:20:38 replica slapd[=
1412]: send_ldap_result: conn=3D1000 op=3D3 p=3D3<BR> =3B <BR> =3B<=
br>At this point=2C I "assume" the modification has been passed off to mast=
er. =3B However=2C I notice that I never see the replica checking authz=
To like before the restart. I think this is where it's falling apart for me=
and the err=3D8 back is returned from master.<br> =3B<br> =3B<BR>D=
ec =3B 3 22:20:38 replica slapd[1412]: send_ldap_result: err=3D8 matche=
d=3D"" text=3D"modifications require authentication"<br> =3BDec =3B=
3 22:20:38 replica slapd[1412]: send_ldap_result: conn=3D1000 op=3D3 p=3D3=
<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: send_ldap_result: e=
rr=3D8 matched=3D"" text=3D""<br> =3BDec =3B 3 22:20:38 replica sla=
pd[1412]: send_ldap_response: msgid=3D4 tag=3D103 err=3D8<br> =3BDec&nb=
sp=3B 3 22:20:38 replica slapd[1412]: conn=3D1000 op=3D3 RESULT tag=3D103 e=
rr=3D8 text=3D<br> =3BDec =3B 3 22:20:38 replica slapd[1412]: daemo=
n: activity on 1 descriptor<br> =3BDec =3B 3 22:20:38 replica slapd=
[1412]: daemon: activity on:<br> =3BDec =3B 3 22:20:38 replica slap=
d[1412]: =3B 18r<BR> =3B <br> =3BOver on the master we see the =
proxy connection occurs=2C but the client credentials never apper to arrive=
. =3B I say that because=2C it looks to me like the proxy connection fr=
om replica appears to bind anonymously.<br> =3B <BR>Dec =3B 3 22:20=
:38 master slapd[947]: daemon: activity on 1 descriptor<br> =3BDec =
=3B 3 22:20:38 master slapd[947]: daemon: activity on:<br> =3BDec =
=3B 3 22:20:38 master slapd[947]: <br>Dec =3B 3 22:20:38 master slapd[9=
47]: slap_listener_activate(8): <br>Dec =3B 3 22:20:38 master slapd[947=
]: >=3B>=3B>=3B slap_listener(<a href=3D"ldap:///";>ldap:///</a>)<br>&=
nbsp=3BDec =3B 3 22:20:38 master slapd[947]: daemon: listen=3D8=2C new =
connection on 51<br> =3BDec =3B 3 22:20:38 master slapd[947]: daemo=
n: added 51r (active) listener=3D(nil)<br> =3BDec =3B 3 22:20:38 ma=
ster slapd[947]: conn=3D1056 fd=3D51 ACCEPT from IP=3D192.168.1.2:34759 (IP=
=3D0.0.0.0:389)<br> =3BDec =3B 3 22:20:38 master slapd[947]: daemon=
: activity on 2 descriptors<br> =3BDec =3B 3 22:20:38 master slapd[=
947]: daemon: activity on:<br> =3BDec =3B 3 22:20:38 master slapd[9=
47]: =3B 51r<br> =3BDec =3B 3 22:20:38 master slapd[947]: <br>D=
ec =3B 3 22:20:38 master slapd[947]: daemon: read active on 51<br> =
=3BDec =3B 3 22:20:38 master slapd[947]: connection_get(51)<br> =3B=
Dec =3B 3 22:20:38 master slapd[947]: connection_get(51): got connid=3D=
1056<br> =3BDec =3B 3 22:20:38 master slapd[947]: connection_read(5=
1): checking for input on id=3D1056<br> =3BDec =3B 3 22:20:38 maste=
r slapd[947]: op tag 0x60=2C time 1354591238<br> =3BDec =3B 3 22:20=
:38 master slapd[947]: conn=3D1056 op=3D0 do_bind<br> =3BDec =3B 3 =
22:20:38 master slapd[947]: >=3B>=3B>=3B dnPrettyNormal: <=3B>=3B=
<br> =3BDec =3B 3 22:20:38 master slapd[947]: <=3B<=3B<=3B dn=
PrettyNormal: <=3B>=3B=2C <=3B>=3B<br> =3BDec =3B 3 22:20:3=
8 master slapd[947]: conn=3D1056 op=3D0 BIND dn=3D"" method=3D128<br> =
=3BDec =3B 3 22:20:38 master slapd[947]: do_bind: version=3D3 dn=3D"" m=
ethod=3D128<br> =3BDec =3B 3 22:20:38 master slapd[947]: send_ldap_=
result: conn=3D1056 op=3D0 p=3D3<br> =3BDec =3B 3 22:20:38 master s=
lapd[947]: send_ldap_result: err=3D0 matched=3D"" text=3D""<br> =3BDec&=
nbsp=3B 3 22:20:38 master slapd[947]: send_ldap_response: msgid=3D1 tag=3D9=
7 err=3D0<br> =3BDec =3B 3 22:20:38 master slapd[947]: conn=3D1056 =
op=3D0 RESULT tag=3D97 err=3D0 text=3D<br> =3BDec =3B 3 22:20:38 ma=
ster slapd[947]: do_bind: v3 anonymous bind<br> =3BDec =3B 3 22:20:=
38 master slapd[947]: daemon: activity on 2 descriptors<br> =3BDec =
=3B 3 22:20:38 master slapd[947]: daemon: activity on:<br> =3BDec =
=3B 3 22:20:38 master slapd[947]: =3B 51r<br> =3BDec =3B 3 22:2=
0:38 master slapd[947]: <BR><br>After=2C the (anonymous) bind=2C the master=
never attempts to if the proxyauth request is allowed via authzTo or anyth=
ing else (perhaps obviously). =3B The modification just proceeds anonym=
ously and eventually fails.<br> =3B <br> =3BNot sure if I'm saying =
this in a way that makes any sense to you. =3B Hopefully=2C it does.&nb=
sp=3B It appears=2C that the proxy on replica after restarting=2C never tri=
es to determine if the olcDbIDAssertBind binddn is permitted to impersonate=
the client via the authzTo attribute and proceeds with the referal chase a=
nonymously.<br> =3B <br> =3BI'll copy paste configs below. =3B&=
nbsp=3B Sorry this is so long=2C but I figure the more information=2C the b=
etter when trying to solve any problem.<br> =3B <br> =3BThanks<br>&=
nbsp=3B <br> =3BBarry<br> =3B <br> =3Bvvvvvvvvvvvvvvvvvvvvvvvvv=
vvvvvvvvvv master configuration vvvvvvvvvvvvvvvvvvvvvvvvvvvv<br> =3Bdn:=
cn=3Dconfig<br> =3BobjectClass: olcGlobal<br> =3Bcn: config<br>&nb=
sp=3BolcArgsFile: /var/run/slapd/slapd.args<br> =3BolcPidFile: /var/run=
/slapd/slapd.pid<br> =3BolcToolThreads: 1<br> =3BstructuralObjectCl=
ass: olcGlobal<br> =3BentryUUID: ea6bf008-d108-1031-912d-8fbb37ee6dd9<b=
r> =3BcreatorsName: cn=3Dconfig<br> =3BcreateTimestamp: 20121202201=
635Z<br> =3BolcTLSCACertificateFile: /etc/ssl/certs/cacert.pem<br> =
=3BolcTLSCertificateFile: /etc/ssl/certs/master_slapd_cert.pem<br> =3Bo=
lcTLSCertificateKeyFile: /etc/ldap/master_slapd_key.pem<br> =3BolcAuthz=
Policy: to<br> =3BolcSaslHost: master.example.net<br> =3BolcSaslRea=
lm: EXAMPLE.NET<br> =3BolcAuthzRegexp: {0}uid=3Dldap/([^/\.]+).example.=
net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth cn=3D$1=2Cou=3Dhosts=2Cdc=
=3Dexample=2Cdc=3Dnet<br> =3BolcAuthzRegexp: {1}uid=3D([^=2C]+)=2Ccn=3D=
example.net=2Ccn=3Dgssapi=2Ccn=3Dauth uid=3D$1=2Cou=3Dpeople=2Cdc=3Dexample=
=2Cdc=3Dnet<br> =3BolcLogLevel: -1<br> =3BentryCSN: 20121204013949.=
466434Z#000000#000#000000<br> =3BmodifiersName: gidNumber=3D0+uidNumber=
=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br> =3BmodifyTimestamp=
: 20121204013949Z<br> =3Bdn: cn=3Dmodule{0}=2Ccn=3Dconfig<br> =3Bob=
jectClass: olcModuleList<br> =3Bcn: module{0}<br> =3BolcModulePath:=
/usr/lib/ldap<br> =3BolcModuleLoad: {0}back_hdb<br> =3BolcModuleLo=
ad: {1}syncprov<br> =3BstructuralObjectClass: olcModuleList<br> =3B=
entryUUID: ea6dda08-d108-1031-9135-8fbb37ee6dd9<br> =3BcreatorsName: cn=
=3Dconfig<br> =3BcreateTimestamp: 20121202201635Z<br> =3BentryCSN: =
20121203054749.860918Z#000000#000#000000<br> =3BmodifiersName: gidNumbe=
r=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br> =3B=
modifyTimestamp: 20121203054749Z<br> =3Bdn: cn=3Dschema=2Ccn=3Dconfig<b=
r> =3BobjectClass: olcSchemaConfig<br> =3Bcn: schema<br> =3Bstr=
ucturalObjectClass: olcSchemaConfig<br> =3BentryUUID: ea6c3a0e-d108-103=
1-9130-8fbb37ee6dd9<br> =3BcreatorsName: cn=3Dconfig<br> =3BcreateT=
imestamp: 20121202201635Z<br> =3BentryCSN: 20121202201635.672699Z#00000=
0#000#000000<br> =3BmodifiersName: cn=3Dconfig<br> =3BmodifyTimesta=
mp: 20121202201635Z<br> =3B<=3Bsnip schemas >=3B<br> =3Bdn: olc=
Backend=3D{0}hdb=2Ccn=3Dconfig<br> =3BobjectClass: olcBackendConfig<br>=
 =3BolcBackend: {0}hdb<br> =3BstructuralObjectClass: olcBackendConf=
ig<br> =3BentryUUID: ea6f949c-d108-1031-9136-8fbb37ee6dd9<br> =3Bcr=
eatorsName: cn=3Dconfig<br> =3BcreateTimestamp: 20121202201635Z<br>&nbs=
p=3BentryCSN: 20121202201635.694663Z#000000#000#000000<br> =3Bmodifiers=
Name: cn=3Dconfig<br> =3BmodifyTimestamp: 20121202201635Z<br> =3Bdn=
: olcDatabase=3D{-1}frontend=2Ccn=3Dconfig<br> =3BobjectClass: olcDatab=
aseConfig<br> =3BobjectClass: olcFrontendConfig<br> =3BolcDatabase:=
{-1}frontend<br> =3BolcAccess: {0}to * by dn.exact=3DgidNumber=3D0+uid=
Number=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal<br> =3B =2Ccn=3Dauth manage =
by * break<br> =3BolcAccess: {1}to dn.exact=3D"" by * read<br> =3Bo=
lcAccess: {2}to dn.base=3D"cn=3DSubschema" by * read<br> =3BolcSizeLimi=
t: 500<br> =3BstructuralObjectClass: olcDatabaseConfig<br> =3Bentry=
UUID: ea6c0bf6-d108-1031-912e-8fbb37ee6dd9<br> =3BcreatorsName: cn=3Dco=
nfig<br> =3BcreateTimestamp: 20121202201635Z<br> =3BentryCSN: 20121=
202201635.671512Z#000000#000#000000<br> =3BmodifiersName: cn=3Dconfig<b=
r> =3BmodifyTimestamp: 20121202201635Z<br> =3Bdn: olcDatabase=3D{0}=
config=2Ccn=3Dconfig<br> =3BobjectClass: olcDatabaseConfig<br> =3Bo=
lcDatabase: {0}config<br> =3BolcAccess: {0}to * by dn.exact=3DgidNumber=
=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth manage by * =
break<br> =3BstructuralObjectClass: olcDatabaseConfig<br> =3BentryU=
UID: ea6c325c-d108-1031-912f-8fbb37ee6dd9<br> =3BcreatorsName: cn=3Dcon=
fig<br> =3BcreateTimestamp: 20121202201635Z<br> =3BentryCSN: 201212=
02201635.672495Z#000000#000#000000<br> =3BmodifiersName: cn=3Dconfig<br=
> =3BmodifyTimestamp: 20121202201635Z<br> =3Bdn: olcDatabase=3D{1}h=
db=2Ccn=3Dconfig<br> =3BobjectClass: olcDatabaseConfig<br> =3Bobjec=
tClass: olcHdbConfig<br> =3BolcDatabase: {1}hdb<br> =3BolcDbDirecto=
ry: /var/lib/ldap<br> =3BolcSuffix: dc=3Dexample=2Cdc=3Dnet<br> =3B=
olcLastMod: TRUE<br> =3BolcRootDN: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet=
<br> =3BolcRootPW:: e1NTSEF9cGhKNWtqME9rOGJnVXp0dy9hYzZEaWFmU1U1Z0FTZk0=
=3D<br> =3BolcDbCheckpoint: 512 30<br> =3BolcDbConfig: {0}set_cache=
size 0 2097152 0<br> =3BolcDbConfig: {1}set_lk_max_objects 1500<br>&nbs=
p=3BolcDbConfig: {2}set_lk_max_locks 1500<br> =3BolcDbConfig: {3}set_lk=
_max_lockers 1500<br> =3BolcDbIndex: objectClass eq<br> =3BolcDbInd=
ex: uid eq<br> =3BolcDbIndex: cn eq<br> =3BolcDbIndex: ou eq<br>&nb=
sp=3BolcDbIndex: dc eq<br> =3BolcDbIndex: uidNumber eq<br> =3BolcDb=
Index: gidNumber eq<br> =3BolcDbIndex: memberUid eq<br> =3BolcDbInd=
ex: uniqueMember eq<br> =3BolcDbIndex: entryUUID eq<br> =3BolcDbInd=
ex: entryCSN eq<br> =3BolcDbIndex: krbPrincipalName eq=2Cpres=2Csub<br>=
 =3BolcDbIndex: krbPwdPolicyReference eq<br> =3BstructuralObjectCla=
ss: olcHdbConfig<br> =3BentryUUID: ea6fa3ce-d108-1031-9137-8fbb37ee6dd9=
<br> =3BcreatorsName: cn=3Dconfig<br> =3BcreateTimestamp: 201212022=
01635Z<br> =3BolcAccess: {0}to attrs=3DuserPassword=2CshadowLastChange =
by group.exact=3D"cn=3Dreplic<br> =3B ators=2Cou=3Dgroups=2Cdc=3Dexampl=
e=2Cdc=3Dnet" read by self write by anonymous auth<br> =3BolcAccess: {1=
}to attrs=3DauthzTo=2CauthzFrom=2Ccn=2CuidNumber=2CgidNumber=2Cuid by users=
r<br> =3B ead by anonymous none<br> =3BolcAccess: {2}to attrs=3Dkr=
bLastSuccessfulAuth=2CkrbExtraData=2CkrbLastFailedAuth=2Ckr<br> =3B bLo=
ginFailedCount by group.exact=3D"cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexam=
ple=2Cdc=3Dnet"<br> =3B =3B read by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerbe=
ros=2Cdc=3Dexample=2Cdc=3Dnet" write by dn=3D"cn=3Dadm-sr<br> =3B v=2Co=
u=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" write by self read by * none<br>&nb=
sp=3BolcAccess: {3}to dn.subtree=3D"ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet=
" by group.exact=3D"cn<br> =3B =3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexam=
ple=2Cdc=3Dnet" read by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2C<br> =3B d=
c=3Dexample=2Cdc=3Dnet" read by dn=3D"cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3De=
xample=2Cdc=3Dnet" writ<br> =3B e by * none<br> =3BolcAccess: {4}to=
dn.base=3D"" by * read<br> =3BolcAccess: {5}to * by dn=3D"cn=3Dadm-srv=
=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" write by s<br> =3B elf writ=
e by users read<br> =3BentryCSN: 20121203054749.804561Z#000000#000#0000=
00<br> =3BmodifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2C=
cn=3Dexternal=2Ccn=3Dauth<br> =3BmodifyTimestamp: 20121203054749Z<br>&n=
bsp=3Bdn: olcOverlay=3D{0}syncprov=2ColcDatabase=3D{1}hdb=2Ccn=3Dconfig<br>=
 =3BobjectClass: olcOverlayConfig<br> =3BobjectClass: olcSyncProvCo=
nfig<br> =3BolcOverlay: {0}syncprov<br> =3BolcSpCheckpoint: 100 10<=
br> =3BolcSpSessionlog: 100<br> =3BstructuralObjectClass: olcSyncPr=
ovConfig<br> =3BentryUUID: b77dc36a-d158-1031-9917-2f12ddec6588<br>&nbs=
p=3BcreatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dextern=
al=2Ccn=3Dauth<br> =3BcreateTimestamp: 20121203054749Z<br> =3Bentry=
CSN: 20121203054749.962179Z#000000#000#000000<br> =3BmodifiersName: gid=
Number=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br>&nb=
sp=3BmodifyTimestamp: 20121203054749Z<BR> =3Bvvvvvvvvvvvvvvvvvvvvvvvvvv=
vvvvvvvv =3B dc=3Dexample=2Cdc=3Dnet =3B vvvvvvvvvvvvvvvvvvvvvvvvvv=
vvvvvvvvvvvvvvvvvvvvv<br> =3Bdn: dc=3Dexample=2Cdc=3Dnet<br> =3Bobj=
ectClass: top<br> =3BobjectClass: dcObject<br> =3BobjectClass: orga=
nization<br> =3Bo: example.net<br> =3Bdc: example<br> =3Bstruct=
uralObjectClass: organization<br> =3BentryUUID: eac01854-d108-1031-95b6=
-31806daa9e45<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet=
<br> =3BcreateTimestamp: 20121202201636Z<br> =3BentryCSN: 201212022=
01636.222029Z#000000#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=
=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121202201636Z<br> =
=3BcontextCSN: 20121204035116.890381Z#000000#000#000000<br> =3Bdn: cn=
=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BobjectClass: simpleSecurityOb=
ject<br> =3BobjectClass: organizationalRole<br> =3Bcn: admin<br>&nb=
sp=3Bdescription: LDAP administrator<br> =3BuserPassword:: <=3Bsecret=
>=3B<br> =3BstructuralObjectClass: organizationalRole<br> =3Bentr=
yUUID: eac2e160-d108-1031-95b7-31806daa9e45<br> =3BcreatorsName: cn=3Da=
dmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121202201636Z<=
br> =3BentryCSN: 20121202201636.240572Z#000000#000#000000<br> =3Bmo=
difiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestam=
p: 20121202201636Z<br> =3Bdn: ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>=
 =3BobjectClass: organizationalUnit<br> =3Bou: people<br> =3Bde=
scription: user account objects<br> =3BstructuralObjectClass: organizat=
ionalUnit<br> =3BentryUUID: 1cee4810-d12b-1031-9787-4f8d9abcea93<br>&nb=
sp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTi=
mestamp: 20121203002123Z<br> =3BentryCSN: 20121203002123.299880Z#000000=
#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<=
br> =3BmodifyTimestamp: 20121203002123Z<br> =3Bdn: ou=3Dgroups=2Cdc=
=3Dexample=2Cdc=3Dnet<br> =3BobjectClass: organizationalUnit<br> =
=3Bou: groups<br> =3Bdescription: group objects<br> =3BstructuralOb=
jectClass: organizationalUnit<br> =3BentryUUID: 1cfcb788-d12b-1031-9788=
-4f8d9abcea93<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet=
<br> =3BcreateTimestamp: 20121203002123Z<br> =3BentryCSN: 201212030=
02123.394485Z#000000#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=
=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203002123Z<br> =
=3Bdn: ou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BobjectClass: organiz=
ationalUnit<br> =3Bou: hosts<br> =3Bdescription: host/computer obje=
cts<br> =3BstructuralObjectClass: organizationalUnit<br> =3BentryUU=
ID: 1cfdb37c-d12b-1031-9789-4f8d9abcea93<br> =3BcreatorsName: cn=3Dadmi=
n=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203002123Z<br>=
 =3BentryCSN: 20121203002123.400935Z#000000#000#000000<br> =3Bmodif=
iersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: =
20121203002123Z<br> =3Bdn: ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&=
nbsp=3BobjectClass: organizationalUnit<br> =3Bou: kerberos<br> =3Bd=
escription: kerberos realm container<br> =3BstructuralObjectClass: orga=
nizationalUnit<br> =3BentryUUID: 1cfef412-d12b-1031-978a-4f8d9abcea93<b=
r> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bcre=
ateTimestamp: 20121203002123Z<br> =3BentryCSN: 20121203002123.409140Z#0=
00000#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=
=3Dnet<br> =3BmodifyTimestamp: 20121203002123Z<br> =3Bdn: cn=3Drepl=
ica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bcn: replica<br> =
=3BobjectClass: simpleSecurityObject<br> =3BobjectClass: organizational=
Role<br> =3BobjectClass: krbPrincipalAux<br> =3BobjectClass: krbTic=
ketPolicyAux<br> =3BauthzTo: dn:*<br> =3Bdescription: LDAP server=
=2C replica<br> =3BstructuralObjectClass: organizationalRole<br> =
=3BentryUUID: 1d02dae6-d12b-1031-978b-4f8d9abcea93<br> =3BcreatorsName:=
cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 201212030=
02123Z<br> =3BkrbPrincipalName: <a href=3D"mailto:host/replica.example.=
net@EXAMPLE.NET">host/replica.example.net@EXAMPLE.NET</a><br> =3BkrbLog=
inFailedCount: 0<br> =3BkrbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDA=
gEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br> =3B MEegAwIBEqFABD4gADgZgDa20URzdHW=
Q1WObQespjD5JMlRSb3fbZN8fG+gFml3DZQzinhbRURAxZ<br> =3B oJVqBI/zPGh/FDf9=
m+5bDBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAz54uBWIC4AFa66jXa6Mn3k<br> =3B f=
62uOX1YE6N3JlXl1EG2abEzZw1xWglReNN68wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAKu6lb=
/<br> =3B QQQHgCnrL6XaSAYoh3A5GHF0xa2/vTWwq+lX4zmCpbY2l2up3TBVKZrhlenNS=
kxswPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYIAGjfhZNlm0+a6MGvBgok7WxzB6=
38xMCex7sQ1zfzZkLiViiKpw=3D=3D<br> =3BkrbPasswordExpiration: 1970010100=
0000Z<br> =3BkrbLastPwdChange: 20121203065600Z<br> =3BkrbExtraData:=
: AAIATbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br> =3BkrbExtraData:: =
AAgBAA=3D=3D<br> =3BuserPassword:: <=3Bsecret>=3B<br> =3BentryC=
SN: 20121203233422.105322Z#000000#000#000000<br> =3BmodifiersName: cn=
=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 201212032334=
22Z<br> =3Bdn: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br>&n=
bsp=3Bcn: master<br> =3BobjectClass: simpleSecurityObject<br> =3Bob=
jectClass: organizationalRole<br> =3BobjectClass: krbPrincipalAux<br>&n=
bsp=3BobjectClass: krbTicketPolicyAux<br> =3BauthzTo: dn:*<br> =3Bd=
escription: LDAP server=2C replica<br> =3BuserPassword:: e0NSWVBUfSo=3D=
<br> =3BstructuralObjectClass: organizationalRole<br> =3BentryUUID:=
1d0514dc-d12b-1031-978c-4f8d9abcea93<br> =3BcreatorsName: cn=3Dadmin=
=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203002123Z<br>&=
nbsp=3BkrbPrincipalName: <a href=3D"mailto:host/master.example.net@EXAMPLE.=
NET">host/master.example.net@EXAMPLE.NET</a><br> =3BkrbLoginFailedCount=
: 0<br> =3BkrbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCAS=
gwVKAHMAWgAwIBAKFJ<br> =3B MEegAwIBEqFABD4gACzEUo41sdOc4i+gbyFE/lai6sMd=
eygNYlf/SiWtzll+A7x/QBVoz7zFW+aWr<br> =3B 8/FMEBj49p4Bn0Goa371TBEoAcwBa=
ADAgEAoTkwN6ADAgEXoTAELhAAGW4+8wBum86XgWwWj5522A<br> =3B i/CCoCVDIVBZHO=
I48rJZHrgu59tvH0fH7TDkcwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAH15xNZ<br> =3B=
VJSjkEKx2M7Ai17Og8lMWwXAsDB2h+LsGC+HsSWdbE0P4yCNkjMOdIwnwJJ3OA48wPKAHMAWgA=
wIB<br> =3B AKExMC+gAwIBAaEoBCYIAGuLUyYlXYKdpNk9KEe7TuHulCL0Fzr4N8WXAv3=
DaIILvcKv0w=3D=3D<br> =3BkrbPasswordExpiration: 19700101000000Z<br>&nbs=
p=3BkrbLastPwdChange: 20121203060855Z<br> =3BkrbExtraData:: AAL3QbxQYWR=
taW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br> =3BkrbExtraData:: AAgBAA=3D=3D<=
br> =3BentryCSN: 20121203060855.932134Z#000000#000#000000<br> =3Bmo=
difiersName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbs=
p=3BmodifyTimestamp: 20121203060855Z<br> =3Bdn: cn=3Dadministrator=2Cou=
=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BobjectClass: posixGroup<br>&=
nbsp=3Bcn: administrator<br> =3BgidNumber: 50000<br> =3BstructuralO=
bjectClass: posixGroup<br> =3BentryUUID: 1d079216-d12b-1031-978d-4f8d9a=
bcea93<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nb=
sp=3BcreateTimestamp: 20121203002123Z<br> =3BentryCSN: 20121203002123.4=
65616Z#000000#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexampl=
e=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203002123Z<br> =3Bdn: cn=
=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BobjectCla=
ss: top<br> =3BobjectClass: groupOfNames<br> =3Bcn: replicators<br>=
 =3Bmember: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br>&nbs=
p=3Bmember: cn=3Dmaster=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bs=
tructuralObjectClass: groupOfNames<br> =3BentryUUID: 1d096db6-d12b-1031=
-978e-4f8d9abcea93<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=
=3Dnet<br> =3BcreateTimestamp: 20121203002123Z<br> =3BentryCSN: 201=
21203002123.477792Z#000000#000#000000<br> =3BmodifiersName: cn=3Dadmin=
=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203002123Z<br>&=
nbsp=3Bdn: uid=3Dadministrator=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br>&=
nbsp=3BobjectClass: top<br> =3BobjectClass: inetOrgPerson<br> =3Bob=
jectClass: posixAccount<br> =3BobjectClass: shadowAccount<br> =3Bob=
jectClass: krbPrincipalAux<br> =3BobjectClass: krbTicketPolicyAux<br>&n=
bsp=3Bcn: administrator<br> =3Bsn: administrator<br> =3BuidNumber: =
50000<br> =3BgidNumber: 50000<br> =3BuserPassword:: <=3Bsecret>=
=3B<br> =3BhomeDirectory: /home/administrator<br> =3BstructuralObje=
ctClass: inetOrgPerson<br> =3Buid: administrator<br> =3BentryUUID: =
1d0a9bf0-d12b-1031-978f-4f8d9abcea93<br> =3BcreatorsName: cn=3Dadmin=2C=
dc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203002123Z<br>&nbs=
p=3BkrbPrincipalName: <a href=3D"mailto:administrator@EXAMPLE.NET";>administ=
rator@EXAMPLE.NET</a><br> =3BkrbPrincipalKey:: MIICa6ADAgEBoQMCAQGiAwIB=
AaMDAgEBpIICUzCCAk8wVKAHMAWgAwIBAKFJ<br> =3B MEegAwIBEqFABD4gALWKtjcuVI=
PL0PLDhUQleHDwIp4PB4O0T3ays8putrnZEUxVC+EcqcdxailuD<br> =3B o3oHvU0K11Y=
iAyckIKjfzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAQRTIM4QI0IPjmA1xg/Ot7l<br> =
=3B cXQSCNuv7MRgBJl7N1QsxS7naYbgLlyybkbXkwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYA=
DmOzq8<br> =3B 96TliwJM9J3X0Dxb/Y+bcTz3e4/FarTIvzEMrMneaW57VGLWX1y162/L=
Nz2jwAqIwPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYIAMBGuqUqQw8nhnQ194wQI=
Cvc+Iu0yPUdSTzjGXtDhPSaAHj70DA8oAcwB<br> =3B aADAgEBoTEwL6ADAgEDoSgEJgg=
A0mkFMVjyT2Jn553z2fZNIOQ8fYR2jtUcGFbyUL4s4HaK+6yoME<br> =3B 2gGDAWoAMCA=
QKhDwQNYWRtaW5pc3RyYXRvcqExMC+gAwIBA6EoBCYIAHKR4PzhneCY8c8tLpo8yyO<br> =
=3B mpk8FynWjl7rVe+Zqq9gIt4KXTTBLoBYwFKADAgEDoQ0EC0VYQU1QTEUuTkVUoTEwL6ADAg=
EDoSgE<br> =3B JggA4e6VizsvWUEKEqAt58PrPViScqavK7u2VuYDpNNuVwTv3zGmMEug=
FjAUoAMCAQWhDQQLRVhBT<br> =3B VBMRS5ORVShMTAvoAMCAQOhKAQmCACA4sM1SoUcEE=
YGOMA8CDwINmmJXgnKPQr8jRDsxGToXGa5U+<br> =3B g=3D<br> =3BkrbLastPwd=
Change: 20121203054848Z<br> =3BkrbLastFailedAuth: 20121204013714Z<br>&n=
bsp=3BkrbLoginFailedCount: 0<br> =3Bdescription: Network Administrator<=
br> =3BkrbLastSuccessfulAuth: 20121204035116Z<br> =3BkrbExtraData::=
AAJAPbxQcm9vdC9hZG1pbkBFWEFNUExFLk5FVAA=3D<br> =3BkrbExtraData:: AAgBA=
A=3D=3D<br> =3BentryCSN: 20121204035116.890381Z#000000#000#000000<br>&n=
bsp=3BmodifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet=
<br> =3BmodifyTimestamp: 20121204035116Z<br> =3Bdn: cn=3Dkdc-srv=2C=
ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BobjectClass: simpleSecur=
ityObject<br> =3BobjectClass: organizationalRole<br> =3Bcn: kdc-srv=
<br> =3Bdescription: Kerberos KDC<br> =3BuserPassword:: <=3Bsecre=
t>=3B<br> =3BstructuralObjectClass: organizationalRole<br> =3Bent=
ryUUID: 1d168924-d12b-1031-9790-4f8d9abcea93<br> =3BcreatorsName: cn=3D=
admin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203002123Z=
<br> =3BentryCSN: 20121203002123.563692Z#000000#000#000000<br> =3Bm=
odifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimesta=
mp: 20121203002123Z<br> =3Bdn: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexam=
ple=2Cdc=3Dnet<br> =3BobjectClass: simpleSecurityObject<br> =3Bobje=
ctClass: organizationalRole<br> =3Bcn: adm-srv<br> =3Bdescription: =
Kerberos Admin Server<br> =3BuserPassword:: <=3Bsecret>=3B<br> =
=3BstructuralObjectClass: organizationalRole<br> =3BentryUUID: 1d18610e=
-d12b-1031-9791-4f8d9abcea93<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexa=
mple=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203002123Z<br> =3Bentr=
yCSN: 20121203002123.575773Z#000000#000#000000<br> =3BmodifiersName: cn=
=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 201212030021=
23Z<br> =3Bdn: cn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dn=
et<br> =3Bcn: EXAMPLE.NET<br> =3BobjectClass: top<br> =3Bobject=
Class: krbRealmContainer<br> =3BobjectClass: krbTicketPolicyAux<br>&nbs=
p=3BkrbSubTrees: dc=3Dexample=2Cdc=3Dnet<br> =3BkrbSearchScope: 2<br>&n=
bsp=3BkrbMaxRenewableAge: 604800<br> =3BkrbMaxTicketLife: 36000<br>&nbs=
p=3BstructuralObjectClass: krbRealmContainer<br> =3BentryUUID: c03d58b8=
-d134-1031-83e7-0707760cf534<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexa=
mple=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203013022Z<br> =3Bentr=
yCSN: 20121203013022.757228Z#000000#000#000000<br> =3BmodifiersName: cn=
=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 201212030130=
22Z<br> =3Bdn: <a href=3D"mailto:krbPrincipalName=3DK/M@EXAMPLE.NET=2Cc=
n=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName=
=3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=
=3Dnet</a><br> =3BkrbLoginFailedCount: 0<br> =3BkrbMaxTicketLife: 3=
6000<br> =3BkrbMaxRenewableAge: 604800<br> =3BkrbTicketFlags: 192<b=
r> =3BkrbPrincipalName: <a href=3D"mailto:K/M@EXAMPLE.NET";>K/M@EXAMPLE.=
NET</a><br> =3BkrbPrincipalExpiration: 19700101000000Z<br> =3BkrbPr=
incipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+gAwIB<b=
r> =3B EKE4BDYYALvAYATOnUQCrTUO54HKuJKnttvmnxYyud5Fh6T22oTH0qAUzKRfDdxT=
uO7OIrbK/c4Ks<br> =3B HI=3D<br> =3BkrbLastPwdChange: 19700101000000=
Z<br> =3BkrbExtraData:: AAkBAAEArgC8UA=3D=3D<br> =3BkrbExtraData:: =
AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA<br> =3BkrbExtraData:: AAcBAAIA=
AgAAAAAAAAA=3D<br> =3BobjectClass: krbPrincipal<br> =3BobjectClass:=
krbPrincipalAux<br> =3BobjectClass: krbTicketPolicyAux<br> =3Bstru=
cturalObjectClass: krbPrincipal<br> =3BentryUUID: c04d9282-d134-1031-83=
e8-0707760cf534<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dn=
et<br> =3BcreateTimestamp: 20121203013022Z<br> =3BentryCSN: 2012120=
3013022.863568Z#000000#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=
=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203013022Z<br> =
=3Bdn: <a href=3D"mailto:krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=
=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipal=
Name=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2C=
dc=3Dexample=2Cdc=3Dnet</a><br> =3BkrbLoginFailedCount: 0<br> =3Bkr=
bMaxTicketLife: 36000<br> =3BkrbMaxRenewableAge: 604800<br> =3BkrbT=
icketFlags: 0<br> =3BkrbPrincipalName: <a href=3D"mailto:krbtgt/EXAMPLE=
.NET@EXAMPLE.NET">krbtgt/EXAMPLE.NET@EXAMPLE.NET</a><br> =3BkrbPrincipa=
lExpiration: 19700101000000Z<br> =3BkrbPrincipalKey:: MIIBgqADAgEBoQMCA=
QGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br> =3B MEegAwIBEqFABD4gAOy=
PPy2RLdudifS8baeUvv3AxlGKKubyeRUcnwFc2CqS9kNvgpTNujaNnfmRR<br> =3B GQI5=
lTHUdwGYqHfr+ayuTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAe8n+vM9TXvNAG43Va7UKy1<b=
r> =3B 93EQx3jtSTiD0aa2tNK9FbkomkYG0mWlz/xW4wTKAHMAWgAwIBAKFBMD+gAwIBEK=
E4BDYYAM9KwFT<br> =3B B9MqvfMfba37K7zY6lqPhLpF8d0uucRA/Ewed1i9wfjiOuxQV=
R0PWLB2OM5q1llQwPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYIAFObLZrmdRD8NE=
ctxP0TySKwmGNnKiX7m+EMMvNj4xmNIa2yTTA8oAcwB<br> =3B aADAgEAoTEwL6ADAgED=
oSgEJggAXVm59rkWXluDnx/F0XOEDh4i3Nz9HckLfrcVL5goKRVOV8oR<br> =3BkrbLast=
PwdChange: 19700101000000Z<br> =3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb2=
5ARVhBTVBMRS5ORVQA<br> =3BkrbExtraData:: AAcBAAIAAgAAAAAAAAA=3D<br>&nbs=
p=3BobjectClass: krbPrincipal<br> =3BobjectClass: krbPrincipalAux<br>&n=
bsp=3BobjectClass: krbTicketPolicyAux<br> =3BstructuralObjectClass: krb=
Principal<br> =3BentryUUID: c0518180-d134-1031-83e9-0707760cf534<br>&nb=
sp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTi=
mestamp: 20121203013022Z<br> =3BentryCSN: 20121203013022.889347Z#000000=
#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<=
br> =3BmodifyTimestamp: 20121203013022Z<br> =3Bdn: <a href=3D"mailt=
o:krbPrincipalName=3Dkadmin/admin@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dker=
beros=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName=3Dkadmin/admin@EXAMPLE.NE=
T=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a><br> =
=3BkrbLoginFailedCount: 0<br> =3BkrbMaxTicketLife: 10800<br> =3Bkrb=
MaxRenewableAge: 604800<br> =3BkrbTicketFlags: 4<br> =3BkrbPrincipa=
lName: <a href=3D"mailto:kadmin/admin@EXAMPLE.NET";>kadmin/admin@EXAMPLE.NET=
</a><br> =3BkrbPrincipalExpiration: 19700101000000Z<br> =3BkrbPrinc=
ipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br>&=
nbsp=3B MEegAwIBEqFABD4gAMjLoWHTDPL9j+ribbAohbY8+SM973mU5iIvxN7MItjbLtXBh/7=
CF2xtCkdsY<br> =3B 5WwobkGKFvGkZvTL+olZjBEoAcwBaADAgEAoTkwN6ADAgEXoTAEL=
hAAwMe5Vpq5Hd2Zy1E8M28Ix6<br> =3B SbAtMeUjzpEqwQM3P838foPwM9ZfRYhfZ0UfA=
wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAGZM5wu<br> =3B tIcsdKbsYTDZgUzqIADtNt=
4GYjBIJx13JO40Bto78eCybAvE4uqFivBmdH1kEy8cwPKAHMAWgAwIB<br> =3B AKExMC+=
gAwIBAaEoBCYIAHrJty4X1D5dPY/PW84Lgb0YYuazteCJMYvphJZr3LeKs7suBzA8oAcwB<br>&=
nbsp=3B aADAgEAoTEwL6ADAgEDoSgEJggAMDfJDyzgWa4vsKv6rs9IkXOq8eEePAQPB9s0UPbM=
+9bG3aQz<br> =3BkrbLastPwdChange: 19700101000000Z<br> =3BkrbExtraDa=
ta:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA<br> =3BkrbExtraData:: AAc=
BAAIAAgAAAGlvbkA=3D<br> =3BobjectClass: krbPrincipal<br> =3BobjectC=
lass: krbPrincipalAux<br> =3BobjectClass: krbTicketPolicyAux<br> =
=3BstructuralObjectClass: krbPrincipal<br> =3BentryUUID: c05346be-d134-=
1031-83ea-0707760cf534<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=
=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203013022Z<br> =3BentryCSN=
: 20121203013022.900950Z#000000#000#000000<br> =3BmodifiersName: cn=3Da=
dmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203013022Z<=
br> =3Bdn: <a href=3D"mailto:krbPrincipalName=3Dkadmin/changepw@EXAMPLE=
.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPrinc=
ipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=
=2Cdc=3Dexample=2Cdc=3Dnet</a><br> =3BkrbLoginFailedCount: 0<br> =
=3BkrbMaxTicketLife: 300<br> =3BkrbMaxRenewableAge: 604800<br> =3Bk=
rbTicketFlags: 8196<br> =3BkrbPrincipalName: <a href=3D"mailto:kadmin/c=
hangepw@EXAMPLE.NET">kadmin/changepw@EXAMPLE.NET</a><br> =3BkrbPrincipa=
lExpiration: 19700101000000Z<br> =3BkrbPrincipalKey:: MIIBgqADAgEBoQMCA=
QGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br> =3B MEegAwIBEqFABD4gAHN=
xSgJ9GwIH0UmFf5Ol8WWQ/2Wy6nQqmf+yX4dVzEQFsmaBp9l1hsceWqIB2<br> =3B ic80=
wlAJW9Do0gSOaiYfjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAt+ZrWZKAjKkUhSJt0wwSqU<b=
r> =3B ootXhNduXIRVjUJxWVtXdPTI7RcL/yjZK2M0MwTKAHMAWgAwIBAKFBMD+gAwIBEK=
E4BDYYACd423Z<br> =3B epUHmGMVf2I5sRQZRuoypVddoREy1pTtTMIiGvqai7Z+PRHbp=
L0kTawz9zdg60IgwPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYIAGGbQu5FJ0ewAs=
CALf9yDbvOIa7Abx0PmnGw+PSKWOt8Dsur9TA8oAcwB<br> =3B aADAgEAoTEwL6ADAgED=
oSgEJggAjG9iwd398xO7bFH+bAQDGv0Hh6Qr+QIpNAUB/w7dmvqU9zPl<br> =3BkrbLast=
PwdChange: 19700101000000Z<br> =3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb2=
5ARVhBTVBMRS5ORVQA<br> =3BkrbExtraData:: AAcBAAIAAgAAAGlvbkA=3D<br>&nbs=
p=3BobjectClass: krbPrincipal<br> =3BobjectClass: krbPrincipalAux<br>&n=
bsp=3BobjectClass: krbTicketPolicyAux<br> =3BstructuralObjectClass: krb=
Principal<br> =3BentryUUID: c054d88a-d134-1031-83eb-0707760cf534<br>&nb=
sp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTi=
mestamp: 20121203013022Z<br> =3BentryCSN: 20121203013022.911237Z#000000=
#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<=
br> =3BmodifyTimestamp: 20121203013022Z<br> =3Bdn: <a href=3D"mailt=
o:krbPrincipalName=3Dkadmin/history@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dk=
erberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName=3Dkadmin/history@EXAMPL=
E.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a><br>&=
nbsp=3BkrbLoginFailedCount: 0<br> =3BkrbMaxTicketLife: 36000<br> =
=3BkrbMaxRenewableAge: 604800<br> =3BkrbTicketFlags: 0<br> =3BkrbPr=
incipalName: <a href=3D"mailto:kadmin/history@EXAMPLE.NET";>kadmin/history@E=
XAMPLE.NET</a><br> =3BkrbPrincipalExpiration: 19700101000000Z<br> =
=3BkrbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD=
+gAwIB<br> =3B EKE4BDYYAOhayj3RDyyg78DGPFKNATBnpKKbf2qwLJbJ0nPXoUdjtbHp=
jECIfASUXjBoB+Pkd/N+Z<br> =3B 2g=3D<br> =3BkrbLastPwdChange: 197001=
01000000Z<br> =3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQ=
A<br> =3BkrbExtraData:: AAcBAAIAAgAAAGlvbkA=3D<br> =3BobjectClass: =
krbPrincipal<br> =3BobjectClass: krbPrincipalAux<br> =3BobjectClass=
: krbTicketPolicyAux<br> =3BstructuralObjectClass: krbPrincipal<br>&nbs=
p=3BentryUUID: c0562d3e-d134-1031-83ec-0707760cf534<br> =3BcreatorsName=
: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203=
013022Z<br> =3BentryCSN: 20121203013022.919957Z#000000#000#000000<br>&n=
bsp=3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bmodify=
Timestamp: 20121203013022Z<br> =3Bdn: <a href=3D"mailto:krbPrincipalNam=
e=3Dkadmin/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerbero=
s=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName=3Dkadmin/master.example.net@E=
XAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a>=
<br> =3BkrbLoginFailedCount: 0<br> =3BkrbMaxTicketLife: 10800<br>&n=
bsp=3BkrbMaxRenewableAge: 604800<br> =3BkrbTicketFlags: 4<br> =3Bkr=
bPrincipalName: <a href=3D"mailto:kadmin/master.example.net@EXAMPLE.NET";>ka=
dmin/master.example.net@EXAMPLE.NET</a><br> =3BkrbPrincipalExpiration: =
19700101000000Z<br> =3BkrbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAg=
EApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br> =3B MEegAwIBEqFABD4gABhOeGOuo9UBDjK7=
hTQ3Xfs8vsWB+Afl0JkPaSt3T3tRkZbWxAhTxXl+4Ta3z<br> =3B Y4ZaEYItXr2awBW6Q=
XSZzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAUUoLikQRp1c+vGFRtGg1qY<br> =3B oe=
v8m55VO73g+xEqcx02MJa1x+esm5y9VTMLswTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACj0sgn=
<br> =3B ZOyWATgpst3N3pSom4smhxBWYgpTMghwaS5gFeKMZhccDSI8Ahm4nQPFmq3Jrf=
4UwPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYIAL0gPnqCvdlb4//Xw5iE8Jvj2qY=
DwpK0Hycj+cwyCjFsVKTsjzA8oAcwB<br> =3B aADAgEAoTEwL6ADAgEDoSgEJggAxTSME=
h/7bfV2AYx4VoP8cIeunsqtrcvNIItmDxSqZ0ecZABm<br> =3BkrbLastPwdChange: 19=
700101000000Z<br> =3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5=
ORVQA<br> =3BkrbExtraData:: AAcBAAIAAgAAANAD4gA=3D<br> =3BobjectCla=
ss: krbPrincipal<br> =3BobjectClass: krbPrincipalAux<br> =3BobjectC=
lass: krbTicketPolicyAux<br> =3BstructuralObjectClass: krbPrincipal<br>=
 =3BentryUUID: c0581144-d134-1031-83ed-0707760cf534<br> =3Bcreators=
Name: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 2012=
1203013022Z<br> =3BentryCSN: 20121203013022.932349Z#000000#000#000000<b=
r> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bmo=
difyTimestamp: 20121203013022Z<br> =3Bdn: <a href=3D"mailto:krbPrincipa=
lName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerbe=
ros=2Cdc=3Dexample=2Cdc=3Dnet">krbPrincipalName=3Dldap/master.example.net@E=
XAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a>=
<br> =3BkrbPrincipalName: <a href=3D"mailto:ldap/master.example.net@EXA=
MPLE.NET">ldap/master.example.net@EXAMPLE.NET</a><br> =3BobjectClass: k=
rbPrincipal<br> =3BobjectClass: krbPrincipalAux<br> =3BobjectClass:=
krbTicketPolicyAux<br> =3BstructuralObjectClass: krbPrincipal<br> =
=3BentryUUID: 91a6199c-d15a-1031-9919-2f12ddec6588<br> =3BcreatorsName:=
cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTi=
mestamp: 20121203060105Z<br> =3BkrbLoginFailedCount: 0<br> =3BkrbPr=
incipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<b=
r> =3B MEegAwIBEqFABD4gAA6GzVEXOsoNQbzbqFy0KZqXt04aRDje4Gxq4ZS4b/z+l6pK=
gmUyVdsPUS2wz<br> =3B qeKY56slAvVlnRCQt+uZTBEoAcwBaADAgEAoTkwN6ADAgEXoT=
AELhAAkzwNhAF14TYWZyLZem5kvD<br> =3B yuLARt7Z3LLsduQ1j6s7P6EFMDNWPaHCJf=
09cwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAAbNr3p<br> =3B vkmNXkIZNgUtw2FJ3Vt=
GEU9MmDmNHCFKSk4kHCR9naWPkbMzRmWA7s/yGkwIWxCMwPKAHMAWgAwIB<br> =3B AKEx=
MC+gAwIBAaEoBCYIAPc+l15I9VR4tYjNfS6XRX09JRoioaavGokNvj0RJa1/h4j3hg=3D=3D<br=
> =3BkrbPasswordExpiration: 19700101000000Z<br> =3BkrbLastPwdChange=
: 20121203060153Z<br> =3BkrbLastSuccessfulAuth: 20121203061721Z<br>&nbs=
p=3BkrbExtraData:: AAJRQLxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br> =
=3BkrbExtraData:: AAgBAA=3D=3D<br> =3BentryCSN: 20121203061721.358939Z#=
000000#000#000000<br> =3BmodifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2C=
dc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203061721Z<br>&nbs=
p=3Bdn: <a href=3D"mailto:krbPrincipalName=3Dldap/replica.example.net@EXAMP=
LE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet">krbPri=
ncipalName=3Dldap/replica.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=
=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet</a><br> =3BkrbPrincipalName: <a h=
ref=3D"mailto:ldap/replica.example.net@EXAMPLE.NET";>ldap/replica.example.ne=
t@EXAMPLE.NET</a><br> =3BobjectClass: krbPrincipal<br> =3BobjectCla=
ss: krbPrincipalAux<br> =3BobjectClass: krbTicketPolicyAux<br> =3Bs=
tructuralObjectClass: krbPrincipal<br> =3BentryUUID: 205686f2-d162-1031=
-9537-2fa18b539eb9<br> =3BcreatorsName: cn=3Dadm-srv=2Cou=3Dkerberos=2C=
dc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203065511Z<br>&nbs=
p=3BkrbLoginFailedCount: 0<br> =3BkrbPrincipalKey:: MIIBRKADAgEBoQMCAQG=
iAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br> =3B MEegAwIBEqFABD4gABVJB=
bD8SWzRxzA92ncPp+x/Trd3GJY/P6w+ErH3wddcUmq3o092v7mUXFMNw<br> =3B 2R8oC1=
rwLD2B/deCyuHDTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAApsEJiySukR8L5M3DKbipUj<br>=
 =3B AITSVQQL2YSqY7xr/BY7Hm3huN/juvnC7u/ZQwTKAHMAWgAwIBAKFBMD+gAwIBEKE4=
BDYYAOvmT4x<br> =3B MDAmgH2qTgqXTSLwRcBvT7QMWYMH0oi7HW8DYC09HDAdD2/vqaB=
sgthQCj3BCDmkwPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYIALQe5Qa57ZwsYK2m=
xhbNOhrO0Yn/OVLez1VQiEmrpj2/GvJLXA=3D=3D<br> =3BkrbPasswordExpiration: =
19700101000000Z<br> =3BkrbLastPwdChange: 20121203065628Z<br> =3Bkrb=
LastSuccessfulAuth: 20121204032538Z<br> =3BkrbExtraData:: AAIcTbxQYWRta=
W5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br> =3BkrbExtraData:: AAgBAA=3D=3D<br=
> =3BentryCSN: 20121204032538.048010Z#000000#000#000000<br> =3Bmodi=
fiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =
=3BmodifyTimestamp: 20121204032538Z<br> =3B <br> =3B <br> =3B <=
br> =3Bvvvvvvvvvvvvvvvvvvvv replica config vvvvvvvvvvvvvvvvvvvvvvvvvvvv=
vvvvvvvv<br> =3B <br> =3Bdn: cn=3Dconfig<br> =3BobjectClass: ol=
cGlobal<br> =3Bcn: config<br> =3BolcArgsFile: /var/run/slapd/slapd.=
args<br> =3BolcPidFile: /var/run/slapd/slapd.pid<br> =3BolcToolThre=
ads: 1<br> =3BstructuralObjectClass: olcGlobal<br> =3BentryUUID: af=
9b0068-d108-1031-9417-cd3569532aaf<br> =3BcreatorsName: cn=3Dconfig<br>=
 =3BcreateTimestamp: 20121202201456Z<br> =3BolcTLSCACertificateFile=
: /etc/ssl/certs/cacert.pem<br> =3BolcTLSCertificateFile: /etc/ssl/cert=
s/replica_slapd_cert.pem<br> =3BolcTLSCertificateKeyFile: /etc/ldap/rep=
lica_slapd_key.pem<br> =3BolcLogLevel: stats<br> =3BolcAuthzRegexp:=
{0}uid=3Dldap/([^/\.]+).example.net=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=
=3Dauth cn=3D$1=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BolcAuthzR=
egexp: {1}uid=3D([^=2C]+)=2Ccn=3Dexample.net=2Ccn=3Dgssapi=2Ccn=3Dauth uid=
=3D$1=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BolcSaslHost: repli=
ca.example.net<br> =3BolcSaslRealm: EXAMPLE.NET<br> =3BentryCSN: 20=
121204023449.956406Z#000000#000#000000<br> =3BmodifiersName: gidNumber=
=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br> =3Bm=
odifyTimestamp: 20121204023449Z<br> =3Bdn: cn=3Dmodule{0}=2Ccn=3Dconfig=
<br> =3BobjectClass: olcModuleList<br> =3Bcn: module{0}<br> =3B=
olcModulePath: /usr/lib/ldap<br> =3BolcModuleLoad: {0}back_hdb<br> =
=3BolcModuleLoad: {1}back_ldap<br> =3BstructuralObjectClass: olcModuleL=
ist<br> =3BentryUUID: af9d1e34-d108-1031-941f-cd3569532aaf<br> =3Bc=
reatorsName: cn=3Dconfig<br> =3BcreateTimestamp: 20121202201457Z<br>&nb=
sp=3BentryCSN: 20121204041212.292184Z#000000#000#000000<br> =3Bmodifier=
sName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Da=
uth<br> =3BmodifyTimestamp: 20121204041212Z<br> =3Bdn: cn=3Dschema=
=2Ccn=3Dconfig<br> =3BobjectClass: olcSchemaConfig<br> =3Bcn: schem=
a<br> =3BstructuralObjectClass: olcSchemaConfig<br> =3BentryUUID: a=
f9b564e-d108-1031-941a-cd3569532aaf<br> =3BcreatorsName: cn=3Dconfig<br=
> =3BcreateTimestamp: 20121202201456Z<br> =3BentryCSN: 201212022014=
56.995860Z#000000#000#000000<br> =3BmodifiersName: cn=3Dconfig<br> =
=3BmodifyTimestamp: 20121202201456Z<BR> =3B<=3B snip schemas >=3B<B=
R> =3Bdn: olcBackend=3D{0}hdb=2Ccn=3Dconfig<br> =3BobjectClass: olc=
BackendConfig<br> =3BolcBackend: {0}hdb<br> =3BstructuralObjectClas=
s: olcBackendConfig<br> =3BentryUUID: af9e498a-d108-1031-9420-cd3569532=
aaf<br> =3BcreatorsName: cn=3Dconfig<br> =3BcreateTimestamp: 201212=
02201457Z<br> =3BentryCSN: 20121202201457.015189Z#000000#000#000000<br>=
 =3BmodifiersName: cn=3Dconfig<br> =3BmodifyTimestamp: 201212022014=
57Z<br> =3Bdn: olcDatabase=3D{-1}frontend=2Ccn=3Dconfig<br> =3Bobje=
ctClass: olcDatabaseConfig<br> =3BobjectClass: olcFrontendConfig<br>&nb=
sp=3BolcDatabase: {-1}frontend<br> =3BolcAccess: {0}to * by dn.exact=3D=
gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal<br> =3B =2C=
cn=3Dauth manage by * break<br> =3BolcAccess: {1}to dn.exact=3D"" by * =
read<br> =3BolcAccess: {2}to dn.base=3D"cn=3DSubschema" by * read<br>&n=
bsp=3BolcSizeLimit: 500<br> =3BstructuralObjectClass: olcDatabaseConfig=
<br> =3BentryUUID: af9b211a-d108-1031-9418-cd3569532aaf<br> =3Bcrea=
torsName: cn=3Dconfig<br> =3BcreateTimestamp: 20121202201456Z<br> =
=3BentryCSN: 20121202201456.994497Z#000000#000#000000<br> =3BmodifiersN=
ame: cn=3Dconfig<br> =3BmodifyTimestamp: 20121202201456Z<br> =3Bdn:=
olcOverlay=3D{0}chain=2ColcDatabase=3D{-1}frontend=2Ccn=3Dconfig<br> =
=3BobjectClass: olcOverlayConfig<br> =3BobjectClass: olcChainConfig<br>=
 =3BolcOverlay: {0}chain<br> =3BolcChainReturnError: TRUE<br> =
=3BstructuralObjectClass: olcChainConfig<br> =3BentryUUID: 8605cc76-d21=
4-1031-93d2-613cc62fd42f<br> =3BcreatorsName: gidNumber=3D0+uidNumber=
=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br> =3BcreateTimestamp=
: 20121204041212Z<br> =3BentryCSN: 20121204041212.352767Z#000000#000#00=
0000<br> =3BmodifiersName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=
=2Ccn=3Dexternal=2Ccn=3Dauth<br> =3BmodifyTimestamp: 20121204041212Z<br=
> =3Bdn: olcDatabase=3D{0}ldap=2ColcOverlay=3D{0}chain=2ColcDatabase=3D=
{-1}frontend=2Ccn=3Dconfig<br> =3BobjectClass: olcLDAPConfig<br> =
=3BobjectClass: olcChainDatabase<br> =3BolcDatabase: {0}ldap<br> =
=3BolcDbURI: "<a href=3D"ldap://master.example.net:389/";>ldap://master.exam=
ple.net:389/</a>"<br> =3BolcDbIDAssertBind: bindmethod=3Dsimple binddn=
=3D"cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cdc<br> =3B =3Dnet" crede=
ntials=3D<=3Bsecret>=3B mode=3Dself flags=3Doverride starttls=3Dcritica=
l tls_req<br> =3B cert=3Ddemand tls_cacert=3D/etc/ssl/certs/cacert.pem<=
br> =3BolcDbRebindAsUser: TRUE<br> =3BstructuralObjectClass: olcLDA=
PConfig<br> =3BentryUUID: 8609b6f6-d214-1031-93d3-613cc62fd42f<br> =
=3BcreatorsName: gidNumber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexterna=
l=2Ccn=3Dauth<br> =3BcreateTimestamp: 20121204041212Z<br> =3BentryC=
SN: 20121204041212.378432Z#000000#000#000000<br> =3BmodifiersName: gidN=
umber=3D0+uidNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br>&nbs=
p=3BmodifyTimestamp: 20121204041212Z<br> =3Bdn: olcDatabase=3D{0}config=
=2Ccn=3Dconfig<br> =3BobjectClass: olcDatabaseConfig<br> =3BolcData=
base: {0}config<br> =3BolcAccess: {0}to * by dn.exact=3DgidNumber=3D0+u=
idNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal<br> =3B =2Ccn=3Dauth manag=
e by * break<br> =3BstructuralObjectClass: olcDatabaseConfig<br> =
=3BentryUUID: af9b4528-d108-1031-9419-cd3569532aaf<br> =3BcreatorsName:=
cn=3Dconfig<br> =3BcreateTimestamp: 20121202201456Z<br> =3BentryCS=
N: 20121202201456.995421Z#000000#000#000000<br> =3BmodifiersName: cn=3D=
config<br> =3BmodifyTimestamp: 20121202201456Z<br> =3Bdn: olcDataba=
se=3D{1}hdb=2Ccn=3Dconfig<br> =3BobjectClass: olcDatabaseConfig<br>&nbs=
p=3BobjectClass: olcHdbConfig<br> =3BolcDatabase: {1}hdb<br> =3Bolc=
DbDirectory: /var/lib/ldap<br> =3BolcSuffix: dc=3Dexample=2Cdc=3Dnet<br=
> =3BolcLastMod: TRUE<br> =3BolcRootDN: cn=3Dadmin=2Cdc=3Dexample=
=2Cdc=3Dnet<br> =3BolcRootPW:: e1NTSEF9eW1nS3JTR0VkMW5LQ0VaQ0Y4UjJBTDlP=
TlEveENDbzY=3D<br> =3BolcDbCheckpoint: 512 30<br> =3BolcDbConfig: {=
0}set_cachesize 0 2097152 0<br> =3BolcDbConfig: {1}set_lk_max_objects 1=
500<br> =3BolcDbConfig: {2}set_lk_max_locks 1500<br> =3BolcDbConfig=
: {3}set_lk_max_lockers 1500<br> =3BolcDbIndex: objectClass eq<br> =
=3BolcDbIndex: uid eq<br> =3BolcDbIndex: cn eq<br> =3BolcDbIndex: o=
u eq<br> =3BolcDbIndex: dc eq<br> =3BolcDbIndex: uidNumber eq<br>&n=
bsp=3BolcDbIndex: gidNumber eq<br> =3BolcDbIndex: memberUid eq<br> =
=3BolcDbIndex: uniqueMember eq<br> =3BolcDbIndex: entryUUID eq<br> =
=3BolcDbIndex: entryCSN eq<br> =3BolcDbIndex: krbPrincipalName eq=2Cpre=
s=2Csub<br> =3BolcDbIndex: krbPwdPolicyReference eq<br> =3Bstructur=
alObjectClass: olcHdbConfig<br> =3BentryUUID: af9e5d12-d108-1031-9421-c=
d3569532aaf<br> =3BcreatorsName: cn=3Dconfig<br> =3BcreateTimestamp=
: 20121202201457Z<br> =3BolcAccess: {0}to attrs=3DuserPassword=2Cshadow=
LastChange by group.exact=3D"cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexample=
=2Cdc=3Dnet" read by self write by anonymous auth<br> =3BolcAccess: {1}=
to attrs=3DauthzTo=2CauthzFrom by group.exact=3D"cn=3Dreplicators=2Cou=3Dgr=
oups=2Cdc=3Dexample=2Cdc=3Dnet" read by users read by anonymous none<br>&nb=
sp=3BolcAccess: {2}to attrs=3DkrbLastSuccessfulAuth=2CkrbExtraData=2CkrbLas=
tFailedAuth=2CkrbLoginFailedCount by dn=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cd=
c=3Dexample=2Cdc=3Dnet" read by dn<br> =3B =3D"cn=3Dadm-srv=2Cou=3Dkerb=
eros=2Cdc=3Dexample=2Cdc=3Dnet" read by self read by * none<br> =3BolcA=
ccess: {3}to dn.subtree=3D"ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" by dn=
=3D"cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet" read by dn=3D"c=
n=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2C<br> =3B dc=3Dnet" read by=
* none<br> =3BolcAccess: {4}to dn.base=3D"" by * read<br> =3BolcAc=
cess: {5}to * by self write by users read<br> =3BolcSyncrepl: {0}rid=3D=
123 provider=3D"<a href=3D"ldap://master.example.net:389/";>ldap://master.ex=
ample.net:389/</a>" type=3DrefreshAndPersist retry=3D"60 30 300 +" searchba=
se=3D"dc=3Dexample=2Cdc=3Dnet" bindmethod=3Dsasl<br> =3B =3B saslme=
ch=3Dgssapi starttls=3Dcritical tls_reqcert=3Ddemand tls_cacert=3D/etc/ssl/=
certs/cacert.pem<br> =3BolcUpdateRef: "<a href=3D"ldap://master.example=
.net:389/">ldap://master.example.net:389/</a>"<br> =3BentryCSN: 2012120=
4041212.283590Z#000000#000#000000<br> =3BmodifiersName: gidNumber=3D0+u=
idNumber=3D0=2Ccn=3Dpeercred=2Ccn=3Dexternal=2Ccn=3Dauth<br> =3BmodifyT=
imestamp: 20121204041212Z<br> =3B <br> =3B <br> =3B <br> =
=3Bdn: dc=3Dexample=2Cdc=3Dnet<br> =3BobjectClass: top<br> =3Bobjec=
tClass: dcObject<br> =3BobjectClass: organization<br> =3Bo: example=
.net<br> =3Bdc: example<br> =3BstructuralObjectClass: organization<=
br> =3BentryUUID: eac01854-d108-1031-95b6-31806daa9e45<br> =3Bcreat=
orsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 2=
0121202201636Z<br> =3BentryCSN: 20121202201636.222029Z#000000#000#00000=
0<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =
=3BmodifyTimestamp: 20121202201636Z<br> =3BcontextCSN: 20121204035116.8=
90381Z#000000#000#000000<br> =3Bdn: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dne=
t<br> =3BobjectClass: simpleSecurityObject<br> =3BobjectClass: orga=
nizationalRole<br> =3Bcn: admin<br> =3Bdescription: LDAP administra=
tor<br> =3BuserPassword:: <=3Bsecret>=3B<br> =3BstructuralObjec=
tClass: organizationalRole<br> =3BentryUUID: eac2e160-d108-1031-95b7-31=
806daa9e45<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br=
> =3BcreateTimestamp: 20121202201636Z<br> =3BentryCSN: 201212022016=
36.240572Z#000000#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dex=
ample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121202201636Z<br> =3Bdn:=
ou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BobjectClass: organization=
alUnit<br> =3Bou: people<br> =3Bdescription: user account objects<b=
r> =3BstructuralObjectClass: organizationalUnit<br> =3BentryUUID: 1=
cee4810-d12b-1031-9787-4f8d9abcea93<br> =3BcreatorsName: cn=3Dadmin=2Cd=
c=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203002123Z<br> =
=3BentryCSN: 20121203002123.299880Z#000000#000#000000<br> =3BmodifiersN=
ame: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121=
203002123Z<br> =3Bdn: ou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet<br> =3B=
objectClass: organizationalUnit<br> =3Bou: groups<br> =3Bdescriptio=
n: group objects<br> =3BstructuralObjectClass: organizationalUnit<br>&n=
bsp=3BentryUUID: 1cfcb788-d12b-1031-9788-4f8d9abcea93<br> =3BcreatorsNa=
me: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 201212=
03002123Z<br> =3BentryCSN: 20121203002123.394485Z#000000#000#000000<br>=
 =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bmodi=
fyTimestamp: 20121203002123Z<br> =3Bdn: ou=3Dhosts=2Cdc=3Dexample=2Cdc=
=3Dnet<br> =3BobjectClass: organizationalUnit<br> =3Bou: hosts<br>&=
nbsp=3Bdescription: host/computer objects<br> =3BstructuralObjectClass:=
organizationalUnit<br> =3BentryUUID: 1cfdb37c-d12b-1031-9789-4f8d9abce=
a93<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =
=3BcreateTimestamp: 20121203002123Z<br> =3BentryCSN: 20121203002123.400=
935Z#000000#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=
=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203002123Z<br> =3Bdn: ou=
=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BobjectClass: organizationa=
lUnit<br> =3Bou: kerberos<br> =3Bdescription: kerberos realm contai=
ner<br> =3BstructuralObjectClass: organizationalUnit<br> =3BentryUU=
ID: 1cfef412-d12b-1031-978a-4f8d9abcea93<br> =3BcreatorsName: cn=3Dadmi=
n=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203002123Z<br>=
 =3BentryCSN: 20121203002123.409140Z#000000#000#000000<br> =3Bmodif=
iersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: =
20121203002123Z<br> =3Bdn: cn=3Dreplica=2Cou=3Dhosts=2Cdc=3Dexample=2Cd=
c=3Dnet<br> =3Bcn: replica<br> =3BobjectClass: simpleSecurityObject=
<br> =3BobjectClass: organizationalRole<br> =3BobjectClass: krbPrin=
cipalAux<br> =3BobjectClass: krbTicketPolicyAux<br> =3BauthzTo: dn:=
*<br> =3Bdescription: LDAP server=2C replica<br> =3BstructuralObjec=
tClass: organizationalRole<br> =3BentryUUID: 1d02dae6-d12b-1031-978b-4f=
8d9abcea93<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br=
> =3BcreateTimestamp: 20121203002123Z<br> =3BkrbPrincipalName: <a h=
ref=3D"mailto:host/replica.example.net@EXAMPLE.NET";>host/replica.example.ne=
t@EXAMPLE.NET</a><br> =3BkrbLoginFailedCount: 0<br> =3BkrbPrincipal=
Key:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br> =
=3B MEegAwIBEqFABD4gADgZgDa20URzdHWQ1WObQespjD5JMlRSb3fbZN8fG+gFml3DZQzinhb=
RURAxZ<br> =3B oJVqBI/zPGh/FDf9m+5bDBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAz=
54uBWIC4AFa66jXa6Mn3k<br> =3B f62uOX1YE6N3JlXl1EG2abEzZw1xWglReNN68wTKA=
HMAWgAwIBAKFBMD+gAwIBEKE4BDYYAKu6lb/<br> =3B QQQHgCnrL6XaSAYoh3A5GHF0xa=
2/vTWwq+lX4zmCpbY2l2up3TBVKZrhlenNSkxswPKAHMAWgAwIB<br> =3B AKExMC+gAwI=
BAaEoBCYIAGjfhZNlm0+a6MGvBgok7WxzB638xMCex7sQ1zfzZkLiViiKpw=3D=3D<br> =
=3BkrbPasswordExpiration: 19700101000000Z<br> =3BkrbLastPwdChange: 2012=
1203065600Z<br> =3BkrbExtraData:: AAIATbxQYWRtaW5pc3RyYXRvckBFWEFNUExFL=
k5FVAA=3D<br> =3BkrbExtraData:: AAgBAA=3D=3D<br> =3BuserPassword:: =
<=3Bsecret>=3B<br> =3BentryCSN: 20121203233422.105322Z#000000#000#0=
00000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nb=
sp=3BmodifyTimestamp: 20121203233422Z<br> =3Bdn: cn=3Dmaster=2Cou=3Dhos=
ts=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bcn: master<br> =3BobjectClass: =
simpleSecurityObject<br> =3BobjectClass: organizationalRole<br> =3B=
objectClass: krbPrincipalAux<br> =3BobjectClass: krbTicketPolicyAux<br>=
 =3BauthzTo: dn:*<br> =3Bdescription: LDAP server=2C replica<br>&nb=
sp=3BuserPassword:: <=3Bsecret>=3B<br> =3BstructuralObjectClass: or=
ganizationalRole<br> =3BentryUUID: 1d0514dc-d12b-1031-978c-4f8d9abcea93=
<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bc=
reateTimestamp: 20121203002123Z<br> =3BkrbPrincipalName: <a href=3D"mai=
lto:host/master.example.net@EXAMPLE.NET">host/master.example.net@EXAMPLE.NE=
T</a><br> =3BkrbLoginFailedCount: 0<br> =3BkrbPrincipalKey:: MIIBRK=
ADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br> =3B MEegAwIB=
EqFABD4gACzEUo41sdOc4i+gbyFE/lai6sMdeygNYlf/SiWtzll+A7x/QBVoz7zFW+aWr<br>&n=
bsp=3B 8/FMEBj49p4Bn0Goa371TBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAGW4+8wBum86Xg=
WwWj5522A<br> =3B i/CCoCVDIVBZHOI48rJZHrgu59tvH0fH7TDkcwTKAHMAWgAwIBAKF=
BMD+gAwIBEKE4BDYYAH15xNZ<br> =3B VJSjkEKx2M7Ai17Og8lMWwXAsDB2h+LsGC+HsS=
WdbE0P4yCNkjMOdIwnwJJ3OA48wPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYIAGu=
LUyYlXYKdpNk9KEe7TuHulCL0Fzr4N8WXAv3DaIILvcKv0w=3D=3D<br> =3BkrbPasswor=
dExpiration: 19700101000000Z<br> =3BkrbLastPwdChange: 20121203060855Z<b=
r> =3BkrbExtraData:: AAL3QbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br>=
 =3BkrbExtraData:: AAgBAA=3D=3D<br> =3BentryCSN: 20121203060855.932=
134Z#000000#000#000000<br> =3BmodifiersName: cn=3Dadm-srv=2Cou=3Dkerber=
os=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203060855Z<br=
> =3Bdn: cn=3Dadministrator=2Cou=3Dgroups=2Cdc=3Dexample=2Cdc=3Dnet<br>=
 =3BobjectClass: posixGroup<br> =3Bcn: administrator<br> =3Bgid=
Number: 50000<br> =3BstructuralObjectClass: posixGroup<br> =3Bentry=
UUID: 1d079216-d12b-1031-978d-4f8d9abcea93<br> =3BcreatorsName: cn=3Dad=
min=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203002123Z<b=
r> =3BentryCSN: 20121203002123.465616Z#000000#000#000000<br> =3Bmod=
ifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp=
: 20121203002123Z<br> =3Bdn: cn=3Dreplicators=2Cou=3Dgroups=2Cdc=3Dexam=
ple=2Cdc=3Dnet<br> =3BobjectClass: top<br> =3BobjectClass: groupOfN=
ames<br> =3Bcn: replicators<br> =3Bmember: cn=3Dreplica=2Cou=3Dhost=
s=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bmember: cn=3Dmaster=2Cou=3Dhosts=2Cd=
c=3Dexample=2Cdc=3Dnet<br> =3BstructuralObjectClass: groupOfNames<br>&n=
bsp=3BentryUUID: 1d096db6-d12b-1031-978e-4f8d9abcea93<br> =3BcreatorsNa=
me: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 201212=
03002123Z<br> =3BentryCSN: 20121203002123.477792Z#000000#000#000000<br>=
 =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bmodi=
fyTimestamp: 20121203002123Z<br> =3Bdn: uid=3Dadministrator=2Cou=3Dpeop=
le=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BobjectClass: top<br> =3BobjectC=
lass: inetOrgPerson<br> =3BobjectClass: posixAccount<br> =3BobjectC=
lass: shadowAccount<br> =3BobjectClass: krbPrincipalAux<br> =3Bobje=
ctClass: krbTicketPolicyAux<br> =3Bcn: administrator<br> =3Bsn: adm=
inistrator<br> =3BuidNumber: 50000<br> =3BgidNumber: 50000<br> =
=3BuserPassword:: <=3Bsecret>=3B<br> =3BhomeDirectory: /home/admini=
strator<br> =3BstructuralObjectClass: inetOrgPerson<br> =3Buid: adm=
inistrator<br> =3BentryUUID: 1d0a9bf0-d12b-1031-978f-4f8d9abcea93<br>&n=
bsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateT=
imestamp: 20121203002123Z<br> =3BkrbPrincipalName: <a href=3D"mailto:ad=
ministrator@EXAMPLE.NET">administrator@EXAMPLE.NET</a><br> =3BkrbPrinci=
palKey:: MIICa6ADAgEBoQMCAQGiAwIBAaMDAgEBpIICUzCCAk8wVKAHMAWgAwIBAKFJ<br>&n=
bsp=3B MEegAwIBEqFABD4gALWKtjcuVIPL0PLDhUQleHDwIp4PB4O0T3ays8putrnZEUxVC+Ec=
qcdxailuD<br> =3B o3oHvU0K11YiAyckIKjfzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELh=
AAQRTIM4QI0IPjmA1xg/Ot7l<br> =3B cXQSCNuv7MRgBJl7N1QsxS7naYbgLlyybkbXkw=
TKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYADmOzq8<br> =3B 96TliwJM9J3X0Dxb/Y+bcTz=
3e4/FarTIvzEMrMneaW57VGLWX1y162/LNz2jwAqIwPKAHMAWgAwIB<br> =3B AKExMC+g=
AwIBAaEoBCYIAMBGuqUqQw8nhnQ194wQICvc+Iu0yPUdSTzjGXtDhPSaAHj70DA8oAcwB<br>&n=
bsp=3B aADAgEBoTEwL6ADAgEDoSgEJggA0mkFMVjyT2Jn553z2fZNIOQ8fYR2jtUcGFbyUL4s4=
HaK+6yoME<br> =3B 2gGDAWoAMCAQKhDwQNYWRtaW5pc3RyYXRvcqExMC+gAwIBA6EoBCY=
IAHKR4PzhneCY8c8tLpo8yyO<br> =3B mpk8FynWjl7rVe+Zqq9gIt4KXTTBLoBYwFKADA=
gEDoQ0EC0VYQU1QTEUuTkVUoTEwL6ADAgEDoSgE<br> =3B JggA4e6VizsvWUEKEqAt58P=
rPViScqavK7u2VuYDpNNuVwTv3zGmMEugFjAUoAMCAQWhDQQLRVhBT<br> =3B VBMRS5OR=
VShMTAvoAMCAQOhKAQmCACA4sM1SoUcEEYGOMA8CDwINmmJXgnKPQr8jRDsxGToXGa5U+<br>&n=
bsp=3B g=3D<br> =3BkrbLastPwdChange: 20121203054848Z<br> =3BkrbLast=
FailedAuth: 20121204013714Z<br> =3BkrbLoginFailedCount: 0<br> =3Bde=
scription: Network Administrator<br> =3BkrbLastSuccessfulAuth: 20121204=
035116Z<br> =3BkrbExtraData:: AAJAPbxQcm9vdC9hZG1pbkBFWEFNUExFLk5FVAA=
=3D<br> =3BkrbExtraData:: AAgBAA=3D=3D<br> =3BentryCSN: 20121204035=
116.890381Z#000000#000#000000<br> =3BmodifiersName: cn=3Dkdc-srv=2Cou=
=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 201212040=
35116Z<br> =3Bdn: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dne=
t<br> =3BobjectClass: simpleSecurityObject<br> =3BobjectClass: orga=
nizationalRole<br> =3Bcn: kdc-srv<br> =3Bdescription: Kerberos KDC<=
br> =3BuserPassword:: <=3Bsecret>=3B<br> =3BstructuralObjectCla=
ss: organizationalRole<br> =3BentryUUID: 1d168924-d12b-1031-9790-4f8d9a=
bcea93<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br>&nb=
sp=3BcreateTimestamp: 20121203002123Z<br> =3BentryCSN: 20121203002123.5=
63692Z#000000#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexampl=
e=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203002123Z<br> =3Bdn: cn=
=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BobjectClass=
: simpleSecurityObject<br> =3BobjectClass: organizationalRole<br> =
=3Bcn: adm-srv<br> =3Bdescription: Kerberos Admin Server<br> =3Buse=
rPassword:: <=3Bsecret>=3B<br> =3BstructuralObjectClass: organizati=
onalRole<br> =3BentryUUID: 1d18610e-d12b-1031-9791-4f8d9abcea93<br>&nbs=
p=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTim=
estamp: 20121203002123Z<br> =3BentryCSN: 20121203002123.575773Z#000000#=
000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<b=
r> =3BmodifyTimestamp: 20121203002123Z<br> =3Bdn: cn=3DEXAMPLE.NET=
=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bcn: EXAMPLE.NET<br>&n=
bsp=3BobjectClass: top<br> =3BobjectClass: krbRealmContainer<br> =
=3BobjectClass: krbTicketPolicyAux<br> =3BkrbSubTrees: dc=3Dexample=2Cd=
c=3Dnet<br> =3BkrbSearchScope: 2<br> =3BkrbMaxRenewableAge: 604800<=
br> =3BkrbMaxTicketLife: 36000<br> =3BstructuralObjectClass: krbRea=
lmContainer<br> =3BentryUUID: c03d58b8-d134-1031-83e7-0707760cf534<br>&=
nbsp=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bcreate=
Timestamp: 20121203013022Z<br> =3BentryCSN: 20121203013022.757228Z#0000=
00#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dne=
t<br> =3BmodifyTimestamp: 20121203013022Z<br> =3Bdn: <a href=3D"mai=
lto:krbPrincipalName=3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=
=2Cdc=3Dexample=2Cdc">krbPrincipalName=3DK/M@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=
=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc</a>=3D<br> =3B net<br> =3BkrbL=
oginFailedCount: 0<br> =3BkrbMaxTicketLife: 36000<br> =3BkrbMaxRene=
wableAge: 604800<br> =3BkrbTicketFlags: 192<br> =3BkrbPrincipalName=
: <a href=3D"mailto:K/M@EXAMPLE.NET";>K/M@EXAMPLE.NET</a><br> =3BkrbPrin=
cipalExpiration: 19700101000000Z<br> =3BkrbPrincipalKey:: MGagAwIBAaEDA=
gEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+gAwIB<br> =3B EKE4BDYYALvAYAT=
OnUQCrTUO54HKuJKnttvmnxYyud5Fh6T22oTH0qAUzKRfDdxTuO7OIrbK/c4Ks<br> =3B =
HI=3D<br> =3BkrbLastPwdChange: 19700101000000Z<br> =3BkrbExtraData:=
: AAkBAAEArgC8UA=3D=3D<br> =3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARV=
hBTVBMRS5ORVQA<br> =3BkrbExtraData:: AAcBAAIAAgAAAAAAAAA=3D<br> =3B=
objectClass: krbPrincipal<br> =3BobjectClass: krbPrincipalAux<br> =
=3BobjectClass: krbTicketPolicyAux<br> =3BstructuralObjectClass: krbPri=
ncipal<br> =3BentryUUID: c04d9282-d134-1031-83e8-0707760cf534<br> =
=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTime=
stamp: 20121203013022Z<br> =3BentryCSN: 20121203013022.863568Z#000000#0=
00#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br=
> =3BmodifyTimestamp: 20121203013022Z<br> =3Bdn: <a href=3D"mailto:=
krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=
=3Dkerberos">krbPrincipalName=3Dkrbtgt/EXAMPLE.NET@EXAMPLE.NET=2Ccn=3DEXAMP=
LE.NET=2Cou=3Dkerberos</a><br> =3B =2Cdc=3Dexample=2Cdc=3Dnet<br> =
=3BkrbLoginFailedCount: 0<br> =3BkrbMaxTicketLife: 36000<br> =3Bkrb=
MaxRenewableAge: 604800<br> =3BkrbTicketFlags: 0<br> =3BkrbPrincipa=
lName: <a href=3D"mailto:krbtgt/EXAMPLE.NET@EXAMPLE.NET";>krbtgt/EXAMPLE.NET=
@EXAMPLE.NET</a><br> =3BkrbPrincipalExpiration: 19700101000000Z<br>&nbs=
p=3BkrbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgA=
wIBAKFJ<br> =3B MEegAwIBEqFABD4gAOyPPy2RLdudifS8baeUvv3AxlGKKubyeRUcnwF=
c2CqS9kNvgpTNujaNnfmRR<br> =3B GQI5lTHUdwGYqHfr+ayuTBEoAcwBaADAgEAoTkwN=
6ADAgEXoTAELhAAe8n+vM9TXvNAG43Va7UKy1<br> =3B 93EQx3jtSTiD0aa2tNK9Fbkom=
kYG0mWlz/xW4wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM9KwFT<br> =3B B9MqvfMfba=
37K7zY6lqPhLpF8d0uucRA/Ewed1i9wfjiOuxQVR0PWLB2OM5q1llQwPKAHMAWgAwIB<br>&nbs=
p=3B AKExMC+gAwIBAaEoBCYIAFObLZrmdRD8NEctxP0TySKwmGNnKiX7m+EMMvNj4xmNIa2yTT=
A8oAcwB<br> =3B aADAgEAoTEwL6ADAgEDoSgEJggAXVm59rkWXluDnx/F0XOEDh4i3Nz9=
HckLfrcVL5goKRVOV8oR<br> =3BkrbLastPwdChange: 19700101000000Z<br> =
=3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA<br> =3BkrbEx=
traData:: AAcBAAIAAgAAAAAAAAA=3D<br> =3BobjectClass: krbPrincipal<br>&n=
bsp=3BobjectClass: krbPrincipalAux<br> =3BobjectClass: krbTicketPolicyA=
ux<br> =3BstructuralObjectClass: krbPrincipal<br> =3BentryUUID: c05=
18180-d134-1031-83e9-0707760cf534<br> =3BcreatorsName: cn=3Dadmin=2Cdc=
=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203013022Z<br> =
=3BentryCSN: 20121203013022.889347Z#000000#000#000000<br> =3BmodifiersN=
ame: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121=
203013022Z<br> =3Bdn: <a href=3D"mailto:krbPrincipalName=3Dkadmin/admin=
@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dex">krbPrincipalName=
=3Dkadmin/admin@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc=3Dex</a=
><br> =3B ample=2Cdc=3Dnet<br> =3BkrbLoginFailedCount: 0<br> =
=3BkrbMaxTicketLife: 10800<br> =3BkrbMaxRenewableAge: 604800<br> =
=3BkrbTicketFlags: 4<br> =3BkrbPrincipalName: <a href=3D"mailto:kadmin/=
admin@EXAMPLE.NET">kadmin/admin@EXAMPLE.NET</a><br> =3BkrbPrincipalExpi=
ration: 19700101000000Z<br> =3BkrbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAw=
IBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br> =3B MEegAwIBEqFABD4gAMjLoWHT=
DPL9j+ribbAohbY8+SM973mU5iIvxN7MItjbLtXBh/7CF2xtCkdsY<br> =3B 5WwobkGKF=
vGkZvTL+olZjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAwMe5Vpq5Hd2Zy1E8M28Ix6<br>&nb=
sp=3B SbAtMeUjzpEqwQM3P838foPwM9ZfRYhfZ0UfAwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDY=
YAGZM5wu<br> =3B tIcsdKbsYTDZgUzqIADtNt4GYjBIJx13JO40Bto78eCybAvE4uqFiv=
BmdH1kEy8cwPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYIAHrJty4X1D5dPY/PW84=
Lgb0YYuazteCJMYvphJZr3LeKs7suBzA8oAcwB<br> =3B aADAgEAoTEwL6ADAgEDoSgEJ=
ggAMDfJDyzgWa4vsKv6rs9IkXOq8eEePAQPB9s0UPbM+9bG3aQz<br> =3BkrbLastPwdCh=
ange: 19700101000000Z<br> =3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVh=
BTVBMRS5ORVQA<br> =3BkrbExtraData:: AAcBAAIAAgAAAGlvbkA=3D<br> =3Bo=
bjectClass: krbPrincipal<br> =3BobjectClass: krbPrincipalAux<br> =
=3BobjectClass: krbTicketPolicyAux<br> =3BstructuralObjectClass: krbPri=
ncipal<br> =3BentryUUID: c05346be-d134-1031-83ea-0707760cf534<br> =
=3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTime=
stamp: 20121203013022Z<br> =3BentryCSN: 20121203013022.900950Z#000000#0=
00#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br=
> =3BmodifyTimestamp: 20121203013022Z<br> =3Bdn: <a href=3D"mailto:=
krbPrincipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dke=
rberos=2Cdc">krbPrincipalName=3Dkadmin/changepw@EXAMPLE.NET=2Ccn=3DEXAMPLE.=
NET=2Cou=3Dkerberos=2Cdc</a><br> =3B =3Dexample=2Cdc=3Dnet<br> =3Bk=
rbLoginFailedCount: 0<br> =3BkrbMaxTicketLife: 300<br> =3BkrbMaxRen=
ewableAge: 604800<br> =3BkrbTicketFlags: 8196<br> =3BkrbPrincipalNa=
me: <a href=3D"mailto:kadmin/changepw@EXAMPLE.NET";>kadmin/changepw@EXAMPLE.=
NET</a><br> =3BkrbPrincipalExpiration: 19700101000000Z<br> =3BkrbPr=
incipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ<b=
r> =3B MEegAwIBEqFABD4gAHNxSgJ9GwIH0UmFf5Ol8WWQ/2Wy6nQqmf+yX4dVzEQFsmaB=
p9l1hsceWqIB2<br> =3B ic80wlAJW9Do0gSOaiYfjBEoAcwBaADAgEAoTkwN6ADAgEXoT=
AELhAAt+ZrWZKAjKkUhSJt0wwSqU<br> =3B ootXhNduXIRVjUJxWVtXdPTI7RcL/yjZK2=
M0MwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACd423Z<br> =3B epUHmGMVf2I5sRQZRuo=
ypVddoREy1pTtTMIiGvqai7Z+PRHbpL0kTawz9zdg60IgwPKAHMAWgAwIB<br> =3B AKEx=
MC+gAwIBAaEoBCYIAGGbQu5FJ0ewAsCALf9yDbvOIa7Abx0PmnGw+PSKWOt8Dsur9TA8oAcwB<b=
r> =3B aADAgEAoTEwL6ADAgEDoSgEJggAjG9iwd398xO7bFH+bAQDGv0Hh6Qr+QIpNAUB/=
w7dmvqU9zPl<br> =3BkrbLastPwdChange: 19700101000000Z<br> =3BkrbExtr=
aData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA<br> =3BkrbExtraData:: =
AAcBAAIAAgAAAGlvbkA=3D<br> =3BobjectClass: krbPrincipal<br> =3Bobje=
ctClass: krbPrincipalAux<br> =3BobjectClass: krbTicketPolicyAux<br>&nbs=
p=3BstructuralObjectClass: krbPrincipal<br> =3BentryUUID: c054d88a-d134=
-1031-83eb-0707760cf534<br> =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=
=2Cdc=3Dnet<br> =3BcreateTimestamp: 20121203013022Z<br> =3BentryCSN=
: 20121203013022.911237Z#000000#000#000000<br> =3BmodifiersName: cn=3Da=
dmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121203013022Z<=
br> =3Bdn: <a href=3D"mailto:krbPrincipalName=3Dkadmin/history@EXAMPLE.=
NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc">krbPrincipalName=3Dkadmin/hist=
ory@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dkerberos=2Cdc</a>=3D<br> =3B =
example=2Cdc=3Dnet<br> =3BkrbLoginFailedCount: 0<br> =3BkrbMaxTicke=
tLife: 36000<br> =3BkrbMaxRenewableAge: 604800<br> =3BkrbTicketFlag=
s: 0<br> =3BkrbPrincipalName: <a href=3D"mailto:kadmin/history@EXAMPLE.=
NET">kadmin/history@EXAMPLE.NET</a><br> =3BkrbPrincipalExpiration: 1970=
0101000000Z<br> =3BkrbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME=
4wTKAHMAWgAwIBAKFBMD+gAwIB<br> =3B EKE4BDYYAOhayj3RDyyg78DGPFKNATBnpKKb=
f2qwLJbJ0nPXoUdjtbHpjECIfASUXjBoB+Pkd/N+Z<br> =3B 2g=3D<br> =3BkrbL=
astPwdChange: 19700101000000Z<br> =3BkrbExtraData:: AAKuALxQZGJfY3JlYXR=
pb25ARVhBTVBMRS5ORVQA<br> =3BkrbExtraData:: AAcBAAIAAgAAAGlvbkA=3D<br>&=
nbsp=3BobjectClass: krbPrincipal<br> =3BobjectClass: krbPrincipalAux<br=
> =3BobjectClass: krbTicketPolicyAux<br> =3BstructuralObjectClass: =
krbPrincipal<br> =3BentryUUID: c0562d3e-d134-1031-83ec-0707760cf534<br>=
 =3BcreatorsName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bcreat=
eTimestamp: 20121203013022Z<br> =3BentryCSN: 20121203013022.919957Z#000=
000#000#000000<br> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dn=
et<br> =3BmodifyTimestamp: 20121203013022Z<br> =3Bdn: <a href=3D"ma=
ilto:krbPrincipalName=3Dkadmin/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPL=
E.NET=2Cou=3Dk">krbPrincipalName=3Dkadmin/master.example.net@EXAMPLE.NET=2C=
cn=3DEXAMPLE.NET=2Cou=3Dk</a><br> =3B erberos=2Cdc=3Dexample=2Cdc=3Dnet=
<br> =3BkrbLoginFailedCount: 0<br> =3BkrbMaxTicketLife: 10800<br>&n=
bsp=3BkrbMaxRenewableAge: 604800<br> =3BkrbTicketFlags: 4<br> =3Bkr=
bPrincipalName: <a href=3D"mailto:kadmin/master.example.net@EXAMPLE.NET";>ka=
dmin/master.example.net@EXAMPLE.NET</a><br> =3BkrbPrincipalExpiration: =
19700101000000Z<br> =3BkrbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAg=
EApIIBajCCAWYwVKAHMAWgAwIBAKFJ<br> =3B MEegAwIBEqFABD4gABhOeGOuo9UBDjK7=
hTQ3Xfs8vsWB+Afl0JkPaSt3T3tRkZbWxAhTxXl+4Ta3z<br> =3B Y4ZaEYItXr2awBW6Q=
XSZzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAUUoLikQRp1c+vGFRtGg1qY<br> =3B oe=
v8m55VO73g+xEqcx02MJa1x+esm5y9VTMLswTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACj0sgn=
<br> =3B ZOyWATgpst3N3pSom4smhxBWYgpTMghwaS5gFeKMZhccDSI8Ahm4nQPFmq3Jrf=
4UwPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYIAL0gPnqCvdlb4//Xw5iE8Jvj2qY=
DwpK0Hycj+cwyCjFsVKTsjzA8oAcwB<br> =3B aADAgEAoTEwL6ADAgEDoSgEJggAxTSME=
h/7bfV2AYx4VoP8cIeunsqtrcvNIItmDxSqZ0ecZABm<br> =3BkrbLastPwdChange: 19=
700101000000Z<br> =3BkrbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5=
ORVQA<br> =3BkrbExtraData:: AAcBAAIAAgAAANAD4gA=3D<br> =3BobjectCla=
ss: krbPrincipal<br> =3BobjectClass: krbPrincipalAux<br> =3BobjectC=
lass: krbTicketPolicyAux<br> =3BstructuralObjectClass: krbPrincipal<br>=
 =3BentryUUID: c0581144-d134-1031-83ed-0707760cf534<br> =3Bcreators=
Name: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 2012=
1203013022Z<br> =3BentryCSN: 20121203013022.932349Z#000000#000#000000<b=
r> =3BmodifiersName: cn=3Dadmin=2Cdc=3Dexample=2Cdc=3Dnet<br> =3Bmo=
difyTimestamp: 20121203013022Z<br> =3Bdn: <a href=3D"mailto:krbPrincipa=
lName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=2Cou=3Dker">=
krbPrincipalName=3Dldap/master.example.net@EXAMPLE.NET=2Ccn=3DEXAMPLE.NET=
=2Cou=3Dker</a><br> =3B beros=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BkrbP=
rincipalName: <a href=3D"mailto:ldap/master.example.net@EXAMPLE.NET";>ldap/m=
aster.example.net@EXAMPLE.NET</a><br> =3BobjectClass: krbPrincipal<br>&=
nbsp=3BobjectClass: krbPrincipalAux<br> =3BobjectClass: krbTicketPolicy=
Aux<br> =3BstructuralObjectClass: krbPrincipal<br> =3BentryUUID: 91=
a6199c-d15a-1031-9919-2f12ddec6588<br> =3BcreatorsName: cn=3Dadm-srv=2C=
ou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BcreateTimestamp: 2012120=
3060105Z<br> =3BkrbLoginFailedCount: 0<br> =3BkrbPrincipalKey:: MII=
BRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ<br> =3B MEegA=
wIBEqFABD4gAA6GzVEXOsoNQbzbqFy0KZqXt04aRDje4Gxq4ZS4b/z+l6pKgmUyVdsPUS2wz<br=
> =3B qeKY56slAvVlnRCQt+uZTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAkzwNhAF14T=
YWZyLZem5kvD<br> =3B yuLARt7Z3LLsduQ1j6s7P6EFMDNWPaHCJf09cwTKAHMAWgAwIB=
AKFBMD+gAwIBEKE4BDYYAAbNr3p<br> =3B vkmNXkIZNgUtw2FJ3VtGEU9MmDmNHCFKSk4=
kHCR9naWPkbMzRmWA7s/yGkwIWxCMwPKAHMAWgAwIB<br> =3B AKExMC+gAwIBAaEoBCYI=
APc+l15I9VR4tYjNfS6XRX09JRoioaavGokNvj0RJa1/h4j3hg=3D=3D<br> =3BkrbPass=
wordExpiration: 19700101000000Z<br> =3BkrbLastPwdChange: 20121203060153=
Z<br> =3BkrbLastSuccessfulAuth: 20121203061721Z<br> =3BkrbExtraData=
:: AAJRQLxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA=3D<br> =3BkrbExtraData::=
AAgBAA=3D=3D<br> =3BentryCSN: 20121203061721.358939Z#000000#000#000000=
<br> =3BmodifiersName: cn=3Dkdc-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=
=3Dnet<br> =3BmodifyTimestamp: 20121203061721Z<br> =3Bdn: <a href=
=3D"mailto:krbPrincipalName=3Dldap/replica.example.net@EXAMPLE.NET=2Ccn=3DE=
XAMPLE.NET=2Cou=3Dke">krbPrincipalName=3Dldap/replica.example.net@EXAMPLE.N=
ET=2Ccn=3DEXAMPLE.NET=2Cou=3Dke</a><br> =3B rberos=2Cdc=3Dexample=2Cdc=
=3Dnet<br> =3BkrbPrincipalName: <a href=3D"mailto:ldap/replica.example.=
net@EXAMPLE.NET">ldap/replica.example.net@EXAMPLE.NET</a><br> =3Bobject=
Class: krbPrincipal<br> =3BobjectClass: krbPrincipalAux<br> =3Bobje=
ctClass: krbTicketPolicyAux<br> =3BstructuralObjectClass: krbPrincipal<=
br> =3BentryUUID: 205686f2-d162-1031-9537-2fa18b539eb9<br> =3Bcreat=
orsName: cn=3Dadm-srv=2Cou=3Dkerberos=2Cdc=3Dexample=2Cdc=3Dnet<br> =3B=
createTimestamp: 20121203065511Z<br> =3BkrbLoginFailedCount: 0<br> =
=3BkrbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAw=
IBAKFJ<br> =3B MEegAwIBEqFABD4gABVJBbD8SWzRxzA92ncPp+x/Trd3GJY/P6w+ErH3=
wddcUmq3o092v7mUXFMNw<br> =3B 2R8oC1rwLD2B/deCyuHDTBEoAcwBaADAgEAoTkwN6=
ADAgEXoTAELhAApsEJiySukR8L5M3DKbipUj<br> =3B AITSVQQL2YSqY7xr/BY7Hm3huN=
/juvnC7u/ZQwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAOvmT4x<br> =3B MDAmgH2qTgq=
XTSLwRcBvT7QMWYMH0oi7HW8DYC09HDAdD2/vqaBsgthQCj3BCDmkwPKAHMAWgAwIB<br> =
=3B AKExMC+gAwIBAaEoBCYIALQe5Qa57ZwsYK2mxhbNOhrO0Yn/OVLez1VQiEmrpj2/GvJLXA=
=3D=3D<br> =3BkrbPasswordExpiration: 19700101000000Z<br> =3BkrbLast=
PwdChange: 20121203065628Z<br> =3BkrbExtraData:: AAIcTbxQYWRtaW5pc3RyYX=
RvckBFWEFNUExFLk5FVAA=3D<br> =3BkrbExtraData:: AAgBAA=3D=3D<br> =3B=
krbLastSuccessfulAuth: 20121204032538Z<br> =3BentryCSN: 20121204032538.=
048010Z#000000#000#000000<br> =3BmodifiersName: cn=3Dkdc-srv=2Cou=3Dker=
beros=2Cdc=3Dexample=2Cdc=3Dnet<br> =3BmodifyTimestamp: 20121204032538Z=
<br> =3B<BR><div><div id=3D"SkyDrivePlaceholder"></div>>=3B Date: Fri=
=2C 9 Nov 2012 01:55:32 +0000<br>>=3B From: openldap-its@OpenLDAP.org<br>=
>=3B To: blance3459@hotmail.com<br>>=3B Subject: Re: (ITS#7434) idasser=
t-bind fails after restarting slapd<br>>=3B <br>>=3B <br>>=3B *** THI=
S IS AN AUTOMATICALLY GENERATED REPLY ***<br>>=3B <br>>=3B Thanks for y=
our report to the OpenLDAP Issue Tracking System. Your<br>>=3B report ha=
s been assigned the tracking number ITS#7434.<br>>=3B <br>>=3B One of o=
ur support engineers will look at your report in due course.<br>>=3B Note=
that this may take some time because our support engineers<br>>=3B are v=
olunteers. They only work on OpenLDAP when they have spare<br>>=3B time.=
<br>>=3B <br>>=3B If you need to provide additional information in rega=
rds to your<br>>=3B issue report=2C you may do so by replying to this mes=
sage. Note that<br>>=3B any mail sent to openldap-its@openldap.org with =
(ITS#7434)<br>>=3B in the subject will automatically be attached to the i=
ssue report.<br>>=3B <br>>=3B mailto:openldap-its@openldap.org?subject=
=3D(ITS#7434)<br>>=3B <br>>=3B You may follow the progress of this repo=
rt by loading the following<br>>=3B URL in a web browser:<br>>=3B h=
ttp://www.OpenLDAP.org/its/index.cgi?findid=3D7434<br>>=3B <br>>=3B Ple=
ase remember to retain your issue tracking number (ITS#7434)<br>>=3B on a=
ny further messages you send to us regarding this report. If<br>>=3B you=
don't then you'll just waste our time and yours because we<br>>=3B won't=
be able to properly track the report.<br>>=3B <br>>=3B Please note tha=
t the Issue Tracking System is not intended to<br>>=3B be used to seek he=
lp in the proper use of OpenLDAP Software.<br>>=3B Such requests will be =
closed.<br>>=3B <br>>=3B OpenLDAP Software is user supported.<br>>=3B=
http://www.OpenLDAP.org/support/<br>>=3B <br>>=3B --------------<br>&=
gt=3B Copyright 1998-2007 The OpenLDAP Foundation=2C All Rights Reserved.<b=
r>>=3B <br></div> </div></body>
</html>=
--_e0f270ad-e1a3-48b6-986f-f9f11dfd57c0_--