Write access error with GSSAPI on OpenLDAP 2.2.26
The LDAP server runs on FreeBSD 5.3 and was set up with the following:
Heimdal 0.6.4
OpenLDAP 2.2.26
Cyrus SASL 2.1.21
The problem is that write access, e.g. adding a new entry, is only
successful when I bind to the server as rootdn, i.e.
"cn=ldapadmin,cn=gssapi,cn=auth". In the attached slapd.conf, though I
grant write access to other Kerberos users, they fail to add or
modify LDAP entries (log attached). The system returned error code 50,
"no write access to parent". I hope someone could advise if there is
anything wrong in the slapd.conf, or something else.
Thanks a lot.
John Mok
Jul 14 11:37:13 bsd1 slapd[91391]: @(#) $OpenLDAP: slapd 2.2.26 (Jul 13 2005 17:54:34) $ root@bsd1.javapro.org:/usr/local/src/openldap-2.2.26/servers/slapd
Jul 14 11:37:13 bsd1 slapd[91391]: line 19 (pidfile /usr/local/var/run/slapd.pid)
Jul 14 11:37:13 bsd1 slapd[91391]: line 20 (argsfile /usr/local/var/run/slapd.args)
Jul 14 11:37:13 bsd1 slapd[91391]: line 61 (database bdb)
Jul 14 11:37:13 bsd1 slapd[91391]: bdb_db_init: Initializing BDB database
Jul 14 11:37:13 bsd1 slapd[91391]: line 63 (suffix "dc=javapro,dc=org")
Jul 14 11:37:13 bsd1 slapd[91391]: >>> dnPrettyNormal: <dc=javapro,dc=org>
Jul 14 11:37:13 bsd1 slapd[91391]: <<< dnPrettyNormal: <dc=javapro,dc=org>, <dc=javapro,dc=org>
Jul 14 11:37:13 bsd1 slapd[91391]: line 65 (rootdn "cn=ldapadmin,dc=javapro,dc=org")
Jul 14 11:37:13 bsd1 slapd[91391]: >>> dnPrettyNormal: <cn=ldapadmin,dc=javapro,dc=org>
Jul 14 11:37:13 bsd1 slapd[91391]: <<< dnPrettyNormal: <cn=ldapadmin,dc=javapro,dc=org>, <cn=ldapadmin,dc=javapro,dc=org>
Jul 14 11:37:13 bsd1 slapd[91391]: line 70 (rootpw ***)
Jul 14 11:37:13 bsd1 slapd[91391]: line 74 (directory /usr/local/var/openldap-data)
Jul 14 11:37:13 bsd1 slapd[91391]: line 75 (mode 0600)
Jul 14 11:37:13 bsd1 slapd[91391]: line 77 (index objectClass eq)
Jul 14 11:37:13 bsd1 slapd[91391]: index objectClass 0x0004
Jul 14 11:37:13 bsd1 slapd[91391]: line 78 (index uid,uidNumber,gidNumber eq)
Jul 14 11:37:13 bsd1 slapd[91391]: index uid 0x0004
Jul 14 11:37:13 bsd1 slapd[91391]: index uidNumber 0x0004
Jul 14 11:37:13 bsd1 slapd[91391]: index gidNumber 0x0004
Jul 14 11:37:13 bsd1 slapd[91391]: line 79 (index cn eq)
Jul 14 11:37:13 bsd1 slapd[91391]: index cn 0x0004
Jul 14 11:37:13 bsd1 slapd[91391]: line 83 (access to dn="dc=javapro,dc=org" by dn="cn=ldapadmin,dc=javapro,dc=org" write)
Jul 14 11:37:13 bsd1 slapd[91391]: >>> dnNormalize: <dc=javapro,dc=org>
Jul 14 11:37:13 bsd1 slapd[91391]: <<< dnNormalize: <dc=javapro,dc=org>
Jul 14 11:37:13 bsd1 slapd[91391]: >>> dnNormalize: <cn=ldapadmin,dc=javapro,dc=org>
Jul 14 11:37:13 bsd1 slapd[91391]: <<< dnNormalize: <cn=ldapadmin,dc=javapro,dc=org>
Jul 14 11:37:13 bsd1 slapd[91391]: matching_rule_use_init
Jul 14 11:37:13 bsd1 slapd[91391]: 1.2.840.113556.1.4.804 (integerBitOrMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 1.2.840.113556.1.4.803 (integerBitAndMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $ homeDirectory $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber $ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $ homeDirectory $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $ nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $ dc $ mail $ altServer ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.35 (certificateMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.35 NAME 'certificateMatch' APPLIES ( cACertificate $ userCertificate ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.34 (certificateExactMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( cACertificate $ userCertificate ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.30 (objectIdentifierFirstComponentMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedApplicationContext $ ldapSyntaxes $ supportedFeatures $ supportedExtension $ supportedControl ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.29 (integerFirstComponentMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.27 (generalizedTimeMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( modifyTimestamp $ createTimestamp ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.24 (protocolInformationMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.23 (uniqueMemberMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.22 (presentationAddressMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.20 (telephoneNumberMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( pager $ mobile $ homePhone $ telephoneNumber ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.17 (octetStringMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES userPassword )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.16 (bitStringMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.14 (integerMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $ shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.13 (booleanMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES hasSubordinates )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.11 (caseIgnoreListMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( homePostalAddress $ registeredAddress $ postalAddress ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.8 (numericStringMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( internationaliSDNNumber $ x121Address ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.7 (caseExactSubstringsMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.6 (caseExactOrderingMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.5 (caseExactMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( nisMapName $ ipServiceProtocol $ preferredLanguage $ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $ documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co $ personalTitle $ documentLocation $ documentVersion $ documentTitle $ documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $ initials $ givenName $ destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $ knowledgeInformation $ labeledURI $ cn $ name $ ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.4 (caseIgnoreSubstringsMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.3 (caseIgnoreOrderingMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $ serialNumber ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.2 (caseIgnoreMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( nisMapName $ ipServiceProtocol $ preferredLanguage $ employeeType $ employeeNumber $ displayName $ departmentNumber $ carLicense $ documentPublisher $ buildingName $ organizationalStatus $ uniqueIdentifier $ co $ personalTitle $ documentLocation $ documentVersion $ documentTitle $ documentIdentifier $ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $ uid $ dmdName $ houseIdentifier $ dnQualifier $ generationQualifier $ initials $ givenName $ destinationIndicator $ physicalDeliveryOfficeName $ postOfficeBox $ postalCode $ businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $ serialNumber $ sn $ knowledgeInformation $ labeledURI $ cn $ name $ ref $ vendorVersion $ vendorName $ supportedSASLMechanisms ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.1 (distinguishedNameMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( dITRedirect $ associatedName $ secretary $ documentAuthor $ manager $ seeAlso $ roleOccupant $ owner $ member $ distinguishedName $ aliasedObjectName $ namingContexts $ subschemaSubentry $ modifiersName $ creatorsName ) )
Jul 14 11:37:13 bsd1 slapd[91391]: 2.5.13.0 (objectIdentifierMatch):
Jul 14 11:37:13 bsd1 slapd[91391]: matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedApplicationContext $ supportedFeatures $ supportedExtension $ supportedControl ) )
Jul 14 11:37:13 bsd1 slapd[91392]: slapd startup: initiated.
Jul 14 11:37:13 bsd1 slapd[91392]: backend_startup: starting "dc=javapro,dc=org"
Jul 14 11:37:13 bsd1 slapd[91392]: bdb_db_open: dc=javapro,dc=org
Jul 14 11:37:13 bsd1 slapd[91392]: bdb_db_open: dbenv_open(/usr/local/var/openldap-data)
Jul 14 11:37:13 bsd1 slapd[91392]: slapd starting
Jul 14 11:37:13 bsd1 slapd[91392]: daemon: added 6r
Jul 14 11:37:13 bsd1 slapd[91392]: daemon: added 7r
Jul 14 11:37:13 bsd1 slapd[91392]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 14 11:37:13 bsd1 slapd[91392]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on 1 descriptors
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: new connection on 10
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 fd=10 ACCEPT from IP=192.168.16.254:52813 (IP=0.0.0.0:389)
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: added 10r
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on:
Jul 14 15:08:43 bsd1 slapd[92184]:
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on 1 descriptors
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on:
Jul 14 15:08:43 bsd1 slapd[92184]: 10r
Jul 14 15:08:43 bsd1 slapd[92184]:
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: read activity on 10
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10)
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10): got connid=0
Jul 14 15:08:43 bsd1 slapd[92184]: connection_read(10): checking for input on id=0
Jul 14 15:08:43 bsd1 slapd[92184]: ber_get_next on fd 10 failed errno=35 (Resource temporarily unavailable)
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: do_bind
Jul 14 15:08:43 bsd1 slapd[92184]: >>> dnPrettyNormal: <>
Jul 14 15:08:43 bsd1 slapd[92184]: <<< dnPrettyNormal: <>, <>
Jul 14 15:08:43 bsd1 slapd[92184]: do_sasl_bind: dn () mech GSSAPI
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 op=0 BIND dn="" method=163
Jul 14 15:08:43 bsd1 slapd[92184]: ==> sasl_bind: dn="" mech=GSSAPI datalen=628
Jul 14 15:08:43 bsd1 slapd[92184]: send_ldap_sasl: err=14 len=110
Jul 14 15:08:43 bsd1 slapd[92184]: send_ldap_response: msgid=1 tag=97 err=14
Jul 14 15:08:43 bsd1 slapd[92184]: <== slap_sasl_bind: rc=14
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on 1 descriptors
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on:
Jul 14 15:08:43 bsd1 slapd[92184]: 10r
Jul 14 15:08:43 bsd1 slapd[92184]:
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: read activity on 10
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10)
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10): got connid=0
Jul 14 15:08:43 bsd1 slapd[92184]: connection_read(10): checking for input on id=0
Jul 14 15:08:43 bsd1 slapd[92184]: do_bind
Jul 14 15:08:43 bsd1 slapd[92184]: ber_get_next on fd 10 failed errno=35 (Resource temporarily unavailable)
Jul 14 15:08:43 bsd1 slapd[92184]: >>> dnPrettyNormal: <>
Jul 14 15:08:43 bsd1 slapd[92184]: <<< dnPrettyNormal: <>, <>
Jul 14 15:08:43 bsd1 slapd[92184]: do_sasl_bind: dn () mech GSSAPI
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 op=1 BIND dn="" method=163
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: ==> sasl_bind: dn="" mech=<continuing> datalen=0
Jul 14 15:08:43 bsd1 slapd[92184]: send_ldap_sasl: err=14 len=65
Jul 14 15:08:43 bsd1 slapd[92184]: send_ldap_response: msgid=2 tag=97 err=14
Jul 14 15:08:43 bsd1 slapd[92184]: <== slap_sasl_bind: rc=14
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on 1 descriptors
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on:
Jul 14 15:08:43 bsd1 slapd[92184]: 10r
Jul 14 15:08:43 bsd1 slapd[92184]:
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: read activity on 10
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10)
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10): got connid=0
Jul 14 15:08:43 bsd1 slapd[92184]: connection_read(10): checking for input on id=0
Jul 14 15:08:43 bsd1 slapd[92184]: do_bind
Jul 14 15:08:43 bsd1 slapd[92184]: ber_get_next on fd 10 failed errno=35 (Resource temporarily unavailable)
Jul 14 15:08:43 bsd1 slapd[92184]: >>> dnPrettyNormal: <>
Jul 14 15:08:43 bsd1 slapd[92184]: <<< dnPrettyNormal: <>, <>
Jul 14 15:08:43 bsd1 slapd[92184]: do_sasl_bind: dn () mech GSSAPI
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 op=2 BIND dn="" method=163
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: ==> sasl_bind: dn="" mech=<continuing> datalen=65
Jul 14 15:08:43 bsd1 slapd[92184]: SASL Canonicalize [conn=0]: authcid="john/admin"
Jul 14 15:08:43 bsd1 slapd[92184]: slap_sasl_getdn: id=john/admin [len=10]
Jul 14 15:08:43 bsd1 slapd[92184]: slap_sasl_getdn: u:id converted to uid=john/admin,cn=GSSAPI,cn=auth
Jul 14 15:08:43 bsd1 slapd[92184]: >>> dnNormalize: <uid=john/admin,cn=GSSAPI,cn=auth>
Jul 14 15:08:43 bsd1 slapd[92184]: <<< dnNormalize: <uid=john/admin,cn=gssapi,cn=auth>
Jul 14 15:08:43 bsd1 slapd[92184]: ==>slap_sasl2dn: converting SASL name uid=john/admin,cn=gssapi,cn=auth to a DN
Jul 14 15:08:43 bsd1 slapd[92184]: slap_sasl_regexp: converting SASL name uid=john/admin,cn=gssapi,cn=auth
Jul 14 15:08:43 bsd1 slapd[92184]: <==slap_sasl2dn: Converted SASL name to <nothing>
Jul 14 15:08:43 bsd1 slapd[92184]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=john/admin,cn=gssapi,cn=auth"
Jul 14 15:08:43 bsd1 slapd[92184]: SASL [conn=0] Failure: Could not open db
Jul 14 15:08:43 bsd1 slapd[92184]: SASL proxy authorize [conn=0]: authcid="john/admin" authzid="john/admin"
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 op=2 BIND authcid="john/admin"
Jul 14 15:08:43 bsd1 slapd[92184]: SASL Authorize [conn=0]: proxy authorization allowed
Jul 14 15:08:43 bsd1 slapd[92184]: send_ldap_sasl: err=0 len=-1
Jul 14 15:08:43 bsd1 slapd[92184]: send_ldap_response: msgid=3 tag=97 err=0
Jul 14 15:08:43 bsd1 slapd[92184]: <== slap_sasl_bind: rc=0
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 op=2 BIND dn="uid=john/admin,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
Jul 14 15:08:43 bsd1 slapd[92184]: do_bind: SASL/GSSAPI bind: dn="uid=john/admin,cn=gssapi,cn=auth" ssf=56
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on 1 descriptors
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on:
Jul 14 15:08:43 bsd1 slapd[92184]: 10r
Jul 14 15:08:43 bsd1 slapd[92184]:
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: read activity on 10
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10)
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10): got connid=0
Jul 14 15:08:43 bsd1 slapd[92184]: connection_read(10): checking for input on id=0
Jul 14 15:08:43 bsd1 slapd[92184]: ber_get_next on fd 10 failed errno=35 (Resource temporarily unavailable)
Jul 14 15:08:43 bsd1 slapd[92184]: do_add
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: >>> dnPrettyNormal: <uid=mary,ou=people,dc=javapro,dc=org>
Jul 14 15:08:43 bsd1 slapd[92184]: <<< dnPrettyNormal: <uid=mary,ou=people,dc=javapro,dc=org>, <uid=mary,ou=people,dc=javapro,dc=org>
Jul 14 15:08:43 bsd1 slapd[92184]: do_add: dn (uid=mary,ou=people,dc=javapro,dc=org)
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 op=3 ADD dn="uid=mary,ou=people,dc=javapro,dc=org"
Jul 14 15:08:43 bsd1 slapd[92184]: bdb_dn2entry("uid=mary,ou=people,dc=javapro,dc=org")
Jul 14 15:08:43 bsd1 slapd[92184]: => bdb_dn2id( "dc=javapro,dc=org" )
Jul 14 15:08:43 bsd1 slapd[92184]: <= bdb_dn2id: got id=0x00000001
Jul 14 15:08:43 bsd1 slapd[92184]: => bdb_dn2id( "ou=people,dc=javapro,dc=org" )
Jul 14 15:08:43 bsd1 slapd[92184]: <= bdb_dn2id: got id=0x00000003
Jul 14 15:08:43 bsd1 slapd[92184]: => bdb_dn2id( "uid=mary,ou=people,dc=javapro,dc=org" )
Jul 14 15:08:43 bsd1 slapd[92184]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Jul 14 15:08:43 bsd1 slapd[92184]: entry_decode: "ou=people,dc=javapro,dc=org"
Jul 14 15:08:43 bsd1 slapd[92184]: <= entry_decode(ou=people,dc=javapro,dc=org)
Jul 14 15:08:43 bsd1 slapd[92184]: bdb_referrals: op=104 target="uid=mary,ou=people,dc=javapro,dc=org" matched="ou=people,dc=javapro,dc=org"
Jul 14 15:08:43 bsd1 slapd[92184]: ==> bdb_add: uid=mary,ou=people,dc=javapro,dc=org
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_required entry (uid=mary,ou=people,dc=javapro,dc=org), objectClass "account"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_required entry (uid=mary,ou=people,dc=javapro,dc=org), objectClass "posixAccount"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "uid"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "cn"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "objectClass"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "userPassword"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "loginShell"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "uidNumber"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "gidNumber"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "homeDirectory"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "gecos"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "structuralObjectClass"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "entryUUID"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "creatorsName"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "createTimestamp"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "entryCSN"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "modifiersName"
Jul 14 15:08:43 bsd1 slapd[92184]: oc_check_allowed type "modifyTimestamp"
Jul 14 15:08:43 bsd1 slapd[92184]: bdb_dn2entry("uid=mary,ou=people,dc=javapro,dc=org")
Jul 14 15:08:43 bsd1 slapd[92184]: => bdb_dn2id( "uid=mary,ou=people,dc=javapro,dc=org" )
Jul 14 15:08:43 bsd1 slapd[92184]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Jul 14 15:08:43 bsd1 slapd[92184]: => access_allowed: write access to "ou=people,dc=javapro,dc=org" "children" requested
Jul 14 15:08:43 bsd1 slapd[92184]: => acl_get: [1] attr children
Jul 14 15:08:43 bsd1 slapd[92184]: => acl_mask: access to entry "ou=people,dc=javapro,dc=org", attr "children" requested
Jul 14 15:08:43 bsd1 slapd[92184]: => acl_mask: to all values by "uid=john/admin,cn=gssapi,cn=auth", (=n)
Jul 14 15:08:43 bsd1 slapd[92184]: <= check a_dn_pat: uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth
Jul 14 15:08:43 bsd1 slapd[92184]: <= acl_mask: no more <who> clauses, returning =n (stop)
Jul 14 15:08:43 bsd1 slapd[92184]: => access_allowed: write access denied by =n
Jul 14 15:08:43 bsd1 slapd[92184]: bdb_add: no write access to parent
Jul 14 15:08:43 bsd1 slapd[92184]: send_ldap_result: conn=0 op=3 p=3
Jul 14 15:08:43 bsd1 slapd[92184]: send_ldap_result: err=50 matched="" text="no write access to parent"
Jul 14 15:08:43 bsd1 slapd[92184]: send_ldap_response: msgid=4 tag=105 err=50
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 op=3 RESULT tag=105 err=50 text=no write access to parent
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on 1 descriptors
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on:
Jul 14 15:08:43 bsd1 slapd[92184]: 10r
Jul 14 15:08:43 bsd1 slapd[92184]:
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: read activity on 10
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10)
Jul 14 15:08:43 bsd1 slapd[92184]: connection_get(10): got connid=0
Jul 14 15:08:43 bsd1 slapd[92184]: connection_read(10): checking for input on id=0
Jul 14 15:08:43 bsd1 slapd[92184]: do_unbind
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 op=4 UNBIND
Jul 14 15:08:43 bsd1 slapd[92184]: ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
Jul 14 15:08:43 bsd1 slapd[92184]: connection_read(10): input error=-2 id=0, closing.
Jul 14 15:08:43 bsd1 slapd[92184]: connection_closing: readying conn=0 sd=10 for close
Jul 14 15:08:43 bsd1 slapd[92184]: connection_close: deferring conn=0 sd=10
Jul 14 15:08:43 bsd1 slapd[92184]: connection_resched: reaquiring locks conn=0 sd=10
Jul 14 15:08:43 bsd1 slapd[92184]: connection_resched: attempting closing conn=0 sd=10
Jul 14 15:08:43 bsd1 slapd[92184]: connection_close: conn=0 sd=10
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: removing 10
Jul 14 15:08:43 bsd1 slapd[92184]: conn=0 fd=10 closed
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: activity on 1 descriptors
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 14 15:08:43 bsd1 slapd[92184]: daemon: select: listen=7 active_threads=0 tvp=NULL
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
## Added logging parameters
loglevel -1
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#sasl-regexp uid=([^,]*),cn=javapro.org,cn=gssapi,cn=auth uid=$1,dc=javapro,dc=org
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=javapro,dc=org"
rootdn "uid=ldapadmin,cn=gssapi,cn=auth"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
mode 0600
# Indices to maintain
index objectClass eq
index uid,uidNumber,gidNumber eq
index cn eq
# Set ACL granting access to Kerberos administrator
access to *
        by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write
access to *
        by dn="uid=john/admin,cn=GSSAPI,cn=auth" write
access to *
        by * read
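What the attached log shows, as an editor's note that is not part of John's message: when john/admin attempts the Add, slapd asks for write access to the "children" pseudo-attribute of ou=people,dc=javapro,dc=org, takes the first `access to *` directive, compares its single `by dn=` pattern (uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth) against the bind DN uid=john/admin,cn=gssapi,cn=auth, and logs "no more <who> clauses, returning =n (stop)". slapd consults only the first `access to` directive whose <what> matches the target; the second and third `access to *` directives in the attached slapd.conf are never reached, so every requester except the rootdn (uid=ldapadmin,cn=gssapi,cn=auth, which bypasses ACLs, as the comment in the same file says) is denied. Two side observations from the same log: the bind DN slapd derives from the Kerberos ticket carries no cn=javapro.org realm component, so a pattern that includes one cannot match it; and the "SASL [conn=0] Failure: Could not open db" line is not the cause, because the bind still completes with err=0 and ssf=56. The startup part of the log (pid 91391) was produced by an earlier slapd.conf with rootdn cn=ldapadmin,dc=javapro,dc=org and a single ACL at line 83; the bind and add trace (pid 92184) is the one that corresponds to the attached file.

The fix is one `access to *` directive with all of the `by` clauses under it, plus a separate directive for userPassword along the lines of the sample policy commented out in the same file (the trailing `access to * by * read`, once it becomes reachable, would otherwise hand anonymous clients the userPassword of every entry). The Python script below is an added example, not code from the thread or from OpenLDAP: it models slapd's first-match evaluation order, parses the ACL set as posted and a corrected one (both embedded as strings; the corrected one is this example's suggestion), and reports what each grants to john/admin adding under ou=people, to mary on her own userPassword and to an anonymous client. Its DN comparison (exact after lowercasing) and the <what> forms it accepts (`*` and `attrs=`) are simplifications of slapd's real matching.

```python
"""Model of slapd's ACL evaluation order (slapd.access(5)), run over the ACLs
posted above: only the FIRST 'access to' directive whose <what> matches is
consulted; inside it the first matching 'by' clause decides (control 'stop');
no matching 'by' clause means 'none'. DN matching is simplified here to an
exact comparison after lowercasing."""
import re

LEVELS = ("none", "auth", "compare", "search", "read", "write")

# ACL set copied from the slapd.conf posted above.
ACL_AS_POSTED = """
access to *
    by dn="uid=ldapadmin,cn=javapro.org,cn=gssapi,cn=auth" write
access to *
    by dn="uid=john/admin,cn=GSSAPI,cn=auth" write
access to *
    by * read
"""

# Suggested replacement (this example's assumption, not from the thread); the rootdn needs no clause.
ACL_FIXED = """
access to attrs=userPassword
    by dn="uid=john/admin,cn=gssapi,cn=auth" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn="uid=john/admin,cn=gssapi,cn=auth" write
    by * read
"""

def norm_dn(dn):
    """Rough stand-in for slapd's dnNormalize: lowercase, no blanks at commas."""
    return ",".join(p.strip() for p in dn.strip().lower().split(","))

def parse_acl(text):
    """Return [(<what>, [(<who>, <level>), ...]), ...] in file order."""
    raw = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            raw.append(line[len("access to "):])
        elif line.startswith("by ") and raw:  # continuation of the last directive
            raw[-1] += " " + line
        else:
            raise ValueError(f"unsupported line: {line!r}")
    parsed = []
    for d in raw:
        what, *clauses = re.split(r"\s+by\s+", d)
        pairs = []
        for c in clauses:
            who, level = c.rsplit(None, 1)  # last token is the access level
            pairs.append((who, level))
        parsed.append((what.strip(), pairs))
    return parsed

def what_matches(what, attr):
    if what.startswith("attrs="):
        return attr.lower() in {a.strip().lower() for a in what[6:].split(",")}
    return what == "*"  # dn.* <what> selectors are not modelled

def who_matches(who, requester_dn, target_dn):
    r = norm_dn(requester_dn)  # "" is an anonymous requester
    if who == "*":
        return True
    if who == "anonymous":
        return r == ""
    if who == "self":
        return r != "" and r == norm_dn(target_dn)
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:  # modelled as an exact match on the normalized DN
        return r == norm_dn(m.group(1))
    raise ValueError(f"unsupported <who>: {who!r}")

def access_allowed(acls, requester_dn, target_dn, attr):
    """Level granted on (target_dn, attr); directives after the first match are never reached."""
    for what, clauses in acls:
        if not what_matches(what, attr):
            continue
        for who, level in clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # matching directive, no matching <who>: denied, stop
    return "none"      # no directive matched at all: modelled as denied

JOHN = "uid=john/admin,cn=gssapi,cn=auth"  # bind DN exactly as slapd logged it
PARENT = "ou=people,dc=javapro,dc=org"     # parent of the entry being added
MARY = "uid=mary,ou=people,dc=javapro,dc=org"

def attr_access(config, requester_dn, entry_dn, attr):
    """Add = 'write' on the parent's 'children' pseudo-attribute; "" = anonymous."""
    return access_allowed(parse_acl(config), requester_dn, entry_dn, attr)

if __name__ == "__main__":
    for name, cfg in (("as posted", ACL_AS_POSTED), ("corrected", ACL_FIXED)):
        print(name, "john/admin add under ou=people:", attr_access(cfg, JOHN, PARENT, "children"))
        print(name, "anonymous on userPassword:", attr_access(cfg, "", MARY, "userPassword"))
```

Run it with any Python 3 to print the comparison. Against the real server, `ldapwhoami -Y GSSAPI -H ldap://bsd1` prints the DN slapd assigns to the ticket, which is the exact string a `by dn=` clause has to match; with loglevel -1, as in the attached file, the "check a_dn_pat" lines show that same comparison being made.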