Full_Name: Barry Lance
Version: 2.4.28
OS: Ubuntu 12.04
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (70.226.37.226)


Two servers: Master (192.168.1.1) and Replica (192.168.1.2), both running slapd 2.4.28 and Ubuntu 12.04. Replica is a replication partner of Master using syncrepl. Replication is working fine.

When I attempt to add a chain overlay to Replica to send all writes over to the master, it works exactly as expected, allowing both normal users and the rootdn to make appropriate changes. However, once I either reboot the replica server or restart slapd, the chain overlay fails to allow any changes on the master. Looking at syslog shows that before the reboot/restart the requesting user's DN is proxied over as expected. After restarting slapd or rebooting Replica, all changes are proxied anonymously (dn="").

I am using simple binds at this point in the project, but it doesn't seem to matter if I proxy in the clear, ldaps, or TLS; the result is the same. All three methods can successfully negotiate a connection. I've even tried switching between using the rootdn and a different user as the binddn in my overlay, but the result is still the same no matter what I use for the binddn.

When I look at my config, I notice that "chain-idassert-bind" appears to be hashed or encrypted in the config. Is that normal? It just seems really odd that my config would work immediately when added, but fail after the daemon has been restarted. Am I missing something really silly?

Hopefully, someone can assist me on this. I've been driving myself crazy trying to figure out why this behavior is occurring.

Disclaimer: I am using OpenLDAP as part of my capstone project for graduation. I'm not asking for anyone to do my "homework" for me; I'm just stuck on this one issue that I would love to resolve so I can move on to the Kerberos phase of my project (and maybe even study for an exam coming up in my algorithms class next week).
Here is my overlay config using the rootDN and TLS (on Replica):

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.net/"
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=example,dc=net" credentials=(secret) mode=self starttls=critical tls_cacert=/etc/ssl/certs/cacert.pem tls_reqcert=demand

And without TLS (also on Replica):

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.net/"
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=example,dc=net" credentials=(secret) mode=self
--On Friday, November 09, 2012 1:55 AM +0000 blance3459@hotmail.com wrote:

> Full_Name: Barry Lance
> Version: 2.4.28
> OS: Ubuntu 12.04
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (70.226.37.226)
>

Hi Barry,

Thanks for the report. I would note that OpenLDAP 2.4.28 is 5 releases old at this point. I don't see anything specific in the CHANGES file between 2.4.28 and 2.4.33 for this issue, but it may be fixed and not logged in there. Confirming that the behavior persists with 2.4.33 would be helpful.

Also, don't confuse encoding with encryption. ;) It is standard in LDIF for data to be base64 encoded if the attribute value requires it based on the characters in the data. You can use various tools to decode the attribute value back out.

Regards,
Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
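Quanah's point about LDIF base64, as an added example that is not code from the report or from OpenLDAP: a small Python reader that unfolds an LDIF dump of the chain database, decodes the "::" value of olcDbIDAssertBind, splits it into its bindmethod/binddn/credentials/mode keywords, and then raises the two checks a reviewer would want on such a configuration. The entry and the password in it are constructed; only the DN of the chain database and the master URI come from the report. A value that begins with a space cannot be written literally in LDIF, and the value slapd regenerates for this attribute typically does, which is why the dump shows base64. That is encoding, not protection: the proxy account's password is one decode away from anyone who can read cn=config, and with bindmethod=simple and no starttls or ldaps it also crosses the wire in cleartext.

```python
"""Decode and audit an olcDbIDAssertBind value from an LDIF dump of cn=config.

Added example, not code from the original report or from OpenLDAP. LDIF
(RFC 2849) writes any value that is not a SAFE-STRING as "attr:: <base64>";
a value beginning with a space is such a value. It is encoding, not
encryption: whoever can read cn=config can read the proxy account's password.
"""
import base64
import re
import shlex

# Constructed sample: the kind of value slapd emits for the chain database in
# the report, with a placeholder password. The leading space is deliberate.
IDASSERT_VALUE = (
    ' bindmethod=simple binddn="cn=admin,dc=example,dc=net"'
    ' credentials="s3cret-placeholder" mode=self'
)

# attr, then ":" (plain) or "::" (base64), optional space, value
ATTR_LINE = re.compile(r'^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$')


def fold(line, width=76):
    """Fold one logical LDIF line the way slapcat/ldapsearch do (RFC 2849, section 2)."""
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


# Constructed LDIF entry, folded and with the bind value base64-encoded as a
# real dump would be. The DN and ldap://master.example.net/ are from the report.
SAMPLE_LDIF = "\n".join(fold(l) for l in [
    "dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config",
    "objectClass: olcLDAPConfig",
    "objectClass: olcChainDatabase",
    "olcDatabase: {0}ldap",
    "olcDbURI: ldap://master.example.net/",
    "olcDbRebindAsUser: TRUE",
    "olcDbIDAssertBind:: " + base64.b64encode(IDASSERT_VALUE.encode()).decode(),
])


def unfold(text):
    """Join continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entry(text):
    """Parse one LDIF entry into {attr: [values]}, decoding '::' base64 values."""
    entry = {}
    for line in unfold(text):
        if not line or line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr, []).append(value)
    return entry


def parse_bindconf(value):
    """Split a slapd bind-config string into a dict; shlex honours the quoted binddn."""
    conf = {}
    for token in shlex.split(value):
        key, _, val = token.partition("=")
        conf[key] = val
    return conf


def decode_idassert(text):
    """olcDbIDAssertBind of an LDIF entry as a dict (bindmethod, binddn, credentials, mode, ...)."""
    return parse_bindconf(parse_entry(text)["olcDbIDAssertBind"][0])


def audit_bindconf(conf, uri=""):
    """Findings a reviewer would raise about a chain/idassert bind configuration."""
    findings = []
    if "credentials" in conf:
        findings.append("credentials in cn=config are recoverable in cleartext by anyone with read access")
    if conf.get("bindmethod") == "simple" and "starttls" not in conf and not uri.startswith("ldaps://"):
        findings.append("simple bind without starttls or ldaps sends the password in cleartext on the wire")
    return findings


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_LDIF)
    conf = parse_bindconf(entry["olcDbIDAssertBind"][0])
    print("decoded olcDbIDAssertBind:", conf)
    for finding in audit_bindconf(conf, entry["olcDbURI"][0]):
        print("finding:", finding)
```

Run against a real dump with slapcat -n 0 (or ldapsearch -b cn=config) saved to a file and fed to parse_entry one entry at a time; the same decoder works for olcDbACLBind and olcSyncrepl credentials, which are stored the same way.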
--On Friday, November 09, 2012 2:10 AM +0000 quanah@zimbra.com wrote:

> --On Friday, November 09, 2012 1:55 AM +0000 blance3459@hotmail.com wrote:
>
>> Full_Name: Barry Lance
>> Version: 2.4.28
>> OS: Ubuntu 12.04
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (70.226.37.226)
>>
>
> Hi Barry,

Hi Barry,

Are you sure you aren't hitting:

Fixed slapd-ldap idassert bind handling (ITS#7403)

Fixed in OpenLDAP 2.4.33?

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah,

I finally got back around to working on this over the last couple of days. Where I'm at with my project is: I have two servers (virtual machines), named master and replica, with slapd configured with my directory information and single-master replication between them. I created a Kerberos realm and various principals in OpenLDAP. Replication access is authenticated using SASL/GSSAPI with the slapd principal, ldap/replica.example.net. k5start has been added to system startup to build the credential cache for slapd.

That brings me to configuring referrals and proxyAuth on replica. What appears to be happening at the initial configuration (before restarting the daemon) is that the client binds to the replica and authenticates with its Kerberos ticket. The "magic" is performed on the SASL user and the LDAP directory entry is returned. It then proceeds into the modification and notices the update referral. It then checks to determine if the binddn used in the olcDbIDAssertBind statement can authzTo the bound user. It can, and the proxy of the modification proceeds. On the master, the proxy request is received, more "magic" is done on the user id to make sure it is in the correct form, and the authzTo attribute is again checked and allowed. The update is performed as the user, and success is returned back through the chain to the user. This is how I would expect the process to proceed.

However, if I restart the server (or slapd daemon), this behavior changes. After restarting, the bind occurs at the replica, does "magic", and then sees the referral and attempts the proxy. What's notable here is that the check of authzTo is NOT performed. The referral is then chased, but the authzTo check was never made. Since there is no user to "authzTo", does the referral get chased with perhaps a "null" or anonymous user? Whatever the case, it appears the original binding user is never sent over the proxy.

Over at the master, I see the bind request come in from the replica, which is treated as an anonymous bind request. No magic, no authzTo check, no nothing. It then goes straight into the modification and tries to perform it, but is blocked due to the bound user being anonymous, and the stronger authentication error (8) is returned. Given that the bind occurred anonymously, I feel that error is expected and wanted.

I had been trying to use SASL binding here, but was not having the same success that I had with syncrepl. In order to only fight one battle at a time, I changed my proxy config to use a simple bind instead of SASL/GSSAPI.

Referrals and proxy authentication are configured on replica with the following LDIF. I tried setting the override flag because the man page makes it sound like it forces the authzTo check at bind time. By doing that I was hoping I could force the check and see the authzTo process in my logs. Is this what the ITS you mention is referring to?

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcUpdateref
olcUpdateref: "ldap://master.example.net:389/"

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}back_ldap

dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.net:389/"
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=replica,ou=hosts,dc=example,dc=net" credentials=shhh-secret mode=self flags=override starttls=critical tls_reqcert=demand tls_cacert=/etc/ssl/certs/cacert.pem

After adding that information via ldapmodify, I attempt to perform an update on the replica.
For testing, i simply change the description attribute for uid=administrator,ou=people,dc=example,dc=net. I'm using this simple ldif to test with: dn: uid=administrator,ou=people,dc=example,dc=net changetype: modify replace: description description: Network Administrator Initially after configuring the proxy and obtainng a kerberos ticket for the account (administrator, self write), this update succeeds. Looking at syslog on replica, I see happiness. The ldap modify binds using gssapi, I see SASL name being correctly converted to uid=administrator,ou=people,dc=example,dc=net. Dec 3 22:17:01 replica slapd[994]: SASL Canonicalize [conn=1005]: authcid="administrator" Dec 3 22:17:01 replica slapd[994]: slap_sasl_getdn: conn 1005 id=administrator [len=13] Dec 3 22:17:01 replica slapd[994]: slap_sasl_getdn: u:id converted to uid=administrator,cn=EXAMPLE.NET,cn=GSSAPI,cn=auth Dec 3 22:17:01 replica slapd[994]: >>> dnNormalize: <uid=administrator,cn=EXAMPLE.NET,cn=GSSAPI,cn=auth> Dec 3 22:17:01 replica slapd[994]: <<< dnNormalize: <uid=administrator,cn=example.net,cn=gssapi,cn=auth> Dec 3 22:17:01 replica slapd[994]: ==>slap_sasl2dn: converting SASL name uid=administrator,cn=example.net,cn=gssapi,cn=auth to a DN Dec 3 22:17:01 replica slapd[994]: ==> rewrite_context_apply [depth=1] string='uid=administrator,cn=example.net,cn=gssapi,cn=auth' Dec 3 22:17:01 replica slapd[994]: ==> rewrite_rule_apply rule='uid=ldap/([^/\.]+).example.net,cn=example.net,cn=gssapi,cn=auth' string='uid=administrator,cn=example.net,cn=gssapi,cn=auth' [1 pass(es)] Dec 3 22:17:01 replica slapd[994]: ==> rewrite_rule_apply rule='uid=([^,]+),cn=example.net,cn=gssapi,cn=auth' string='uid=administrator,cn=example.net,cn=gssapi,cn=auth' [1 pass(es)] Dec 3 22:17:01 replica slapd[994]: ==> rewrite_context_apply [depth=1] res={0,'uid=administrator,ou=people,dc=example,dc=net'} Dec 3 22:17:01 replica slapd[994]: [rw] authid: "uid=administrator,cn=example.net,cn=gssapi,cn=auth" -> 
"uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 replica slapd[994]: slap_parseURI: parsing uid=administrator,ou=people,dc=example,dc=net Dec 3 22:17:01 replica slapd[994]: >>> dnNormalize: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: <<< dnNormalize: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: <==slap_sasl2dn: Converted SASL name to uid=administrator,ou=people,dc=example,dc=net Dec 3 22:17:01 replica slapd[994]: slap_sasl_getdn: dn:id converted to uid=administrator,ou=people,dc=example,dc=net Dec 3 22:17:01 replica slapd[994]: SASL Canonicalize [conn=1005]: slapAuthcDN="uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 replica slapd[994]: SASL proxy authorize [conn=1005]: authcid="administrator@EXAMPLE.NET" authzid="administrator@EXAMPLE.NET" Dec 3 22:17:01 replica slapd[994]: conn=1005 op=2 BIND authcid="administrator@EXAMPLE.NET" authzid="administrator@EXAMPLE.NET" Dec 3 22:17:01 replica slapd[994]: SASL Authorize [conn=1005]: proxy authorization allowed authzDN="" Dec 3 22:17:01 replica slapd[994]: send_ldap_sasl: err=0 len=-1 Dec 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor Dec 3 22:17:01 replica slapd[994]: daemon: activity on: Dec 3 22:17:01 replica slapd[994]: Dec 3 22:17:01 replica slapd[994]: conn=1005 op=2 BIND dn="uid=administrator,ou=people,dc=example,dc=net" mech=GSSAPI sasl_ssf=56 ssf=56 Dec 3 22:17:01 replica slapd[994]: do_bind: SASL/GSSAPI bind: dn="uid=administrator,ou=people,dc=example,dc=net" sasl_ssf=56 Dec 3 22:17:01 replica slapd[994]: send_ldap_response: msgid=3 tag=97 err=0 Dec 3 22:17:01 replica slapd[994]: conn=1005 op=2 RESULT tag=97 err=0 text= Dec 3 22:17:01 replica slapd[994]: <== slap_sasl_bind: rc=0 All good, so far on replica. I believe the sasl/gssapi authntication process is completed. Now to perform the modify. 
Dec 3 22:17:01 replica slapd[994]: conn=1005 op=3 do_modify Dec 3 22:17:01 replica slapd[994]: conn=1005 op=3 do_modify: dn (uid=administrator,ou=people,dc=example,dc=net) Dec 3 22:17:01 replica slapd[994]: >>> dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: <<< dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net>, <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: conn=1005 op=3 modifications: Dec 3 22:17:01 replica slapd[994]: #011replace: description Dec 3 22:17:01 replica slapd[994]: #011#011one value, length 21 Dec 3 22:17:01 replica slapd[994]: conn=1005 op=3 MOD dn="uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 replica slapd[994]: conn=1005 op=3 MOD attr=description Dec 3 22:17:01 replica slapd[994]: bdb_dn2entry("uid=administrator,ou=people,dc=example,dc=net") Dec 3 22:17:01 replica slapd[994]: send_ldap_result: conn=1005 op=3 p=3 Dec 3 22:17:01 replica slapd[994]: send_ldap_result: err=10 matched="" text="" Dec 3 22:17:01 replica slapd[994]: send_ldap_result: referral="ldap://master.example.net:389/uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 replica slapd[994]: >>> dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor Dec 3 22:17:01 replica slapd[994]: daemon: activity on: Dec 3 22:17:01 replica slapd[994]: Dec 3 22:17:01 replica slapd[994]: <<< dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net>, <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: conn=1005 op=3 ldap_chain_op: ref="ldap://master.example.net:389/uid=administrator,ou=people,dc=example,dc=net" -> "ldap://master.example.net:389" Dec 3 22:17:01 replica slapd[994]: conn=1005 op=3 ldap_chain_op: ref="ldap://master.example.net:389/uid=administrator,ou=people,dc=example,dc=net": URI="ldap://master.example.net:389" found in cache Okay, now it seems that 
the referral is returned and chased on behalf of the client. Finally, from the perspective of replica, success! Modified data comes back to replica via syncrepl. Dec 3 22:17:01 replica slapd[994]: =>ldap_back_getconn: conn 0x7fe0b0147c30 fetched refcnt=1. Dec 3 22:17:01 replica slapd[994]: send_ldap_result: conn=1005 op=3 p=3 Dec 3 22:17:01 replica slapd[994]: send_ldap_result: err=0 matched="" text="" Dec 3 22:17:01 replica slapd[994]: send_ldap_response: msgid=4 tag=103 err=0 Dec 3 22:17:01 replica slapd[994]: conn=1005 op=3 RESULT tag=103 err=0 text= Dec 3 22:17:01 replica slapd[994]: daemon: activity on 1 descriptor Dec 3 22:17:01 replica slapd[994]: daemon: activity on: Dec 3 22:17:01 replica slapd[994]: 15r Dec 3 22:17:01 replica slapd[994]: Dec 3 22:17:01 replica slapd[994]: daemon: read active on 15 Dec 3 22:17:01 replica slapd[994]: connection_get(15) Dec 3 22:17:01 replica slapd[994]: connection_get(15): got connid=0 Dec 3 22:17:01 replica slapd[994]: =>do_syncrepl rid=123 Dec 3 22:17:01 replica slapd[994]: =>do_syncrep2 rid=123 Dec 3 22:17:01 replica slapd[994]: do_syncrep2: rid=123 cookie=rid=123,csn=20121204031701.560697Z#000000#000#000000 Dec 3 22:17:01 replica slapd[994]: >>> dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: <<< dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net>, <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: >>> dnPretty: <cn=admin,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: <<< dnPretty: <cn=admin,dc=example,dc=net> Dec 3 22:17:01 replica slapd[994]: >>> dnNormalize: <cn=admin,dc=example,dc=net> Dec 3 22:17:01 replica rsyslogd-2177: imuxsock begins to drop messages from pid 994 due to rate-limiting So everything looks good (correct?) on replica. Meanwhile, back at the master.... 
Dec 3 22:17:01 master slapd[947]: daemon: activity on 1 descriptor Dec 3 22:17:01 master slapd[947]: daemon: activity on: Dec 3 22:17:01 master slapd[947]: 51r Dec 3 22:17:01 master slapd[947]: Dec 3 22:17:01 master slapd[947]: daemon: read active on 51 Dec 3 22:17:01 master slapd[947]: connection_get(51) Dec 3 22:17:01 master slapd[947]: connection_get(51): got connid=1054 Dec 3 22:17:01 master slapd[947]: connection_read(51): checking for input on id=1054 Dec 3 22:17:01 master slapd[947]: op tag 0x66, time 1354591021 Dec 3 22:17:01 master slapd[947]: daemon: activity on 1 descriptor Dec 3 22:17:01 master slapd[947]: daemon: activity on: Dec 3 22:17:01 master slapd[947]: Dec 3 22:17:01 master slapd[947]: conn=1054 op=3 do_modify Dec 3 22:17:01 master slapd[947]: conn=1054 op=3 do_modify: dn (uid=administrator,ou=people,dc=example,dc=net) Dec 3 22:17:01 master slapd[947]: => get_ctrls Dec 3 22:17:01 master slapd[947]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (noncritical) Dec 3 22:17:01 master slapd[947]: parseProxyAuthz: conn 1054 authzid="dn:uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: slap_sasl_getdn: conn 1054 id=dn:uid=administrator,ou=people,dc=example,dc=net [len=48] Dec 3 22:17:01 master slapd[947]: >>> dnNormalize: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 master slapd[947]: <<< dnNormalize: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 master slapd[947]: ==>slap_sasl2dn: converting SASL name uid=administrator,ou=people,dc=example,dc=net to a DN Dec 3 22:17:01 master slapd[947]: ==> rewrite_context_apply [depth=1] string='uid=administrator,ou=people,dc=example,dc=net' Dec 3 22:17:01 master slapd[947]: ==> rewrite_rule_apply rule='uid=ldap/([^/\.]+).example.net,cn=example.net,cn=gssapi,cn=auth' string='uid=administrator,ou=people,dc=example,dc=net' [1 pass(es)] Dec 3 22:17:01 master slapd[947]: ==> rewrite_rule_apply rule='uid=([^,]+),cn=example.net,cn=gssapi,cn=auth' 
string='uid=administrator,ou=people,dc=example,dc=net' [1 pass(es)] Dec 3 22:17:01 master slapd[947]: ==> rewrite_context_apply [depth=1] res={0,'uid=administrator,ou=people,dc=example,dc=net'} Dec 3 22:17:01 master slapd[947]: [rw] authid: "uid=administrator,ou=people,dc=example,dc=net" -> "uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: slap_parseURI: parsing uid=administrator,ou=people,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: >>> dnNormalize: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 master slapd[947]: <<< dnNormalize: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 master slapd[947]: <==slap_sasl2dn: Converted SASL name to uid=administrator,ou=people,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: slap_sasl_getdn: dn:id converted to uid=administrator,ou=people,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: parseProxyAuthz: conn=1054 "uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: ==>slap_sasl_authorized: can cn=replica,ou=hosts,dc=example,dc=net become uid=administrator,ou=people,dc=example,dc=net? Dec 3 22:17:01 master slapd[947]: ==>slap_sasl_check_authz: does uid=administrator,ou=people,dc=example,dc=net match authzTo rule in cn=replica,ou=hosts,dc=example,dc=net? 
Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: ndn: "cn=replica,ou=hosts,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: oc: "(null)", at: "authzTo" Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("cn=replica,ou=hosts,dc=example,dc=net") Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: found entry: "cn=replica,ou=hosts,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: bdb_entry_get: rc=0 Dec 3 22:17:01 master slapd[947]: => access_allowed: result not in cache (authzTo) Dec 3 22:17:01 master slapd[947]: => access_allowed: auth access to "cn=replica,ou=hosts,dc=example,dc=net" "authzTo" requested Dec 3 22:17:01 master slapd[947]: => acl_get: [2] attr authzTo Dec 3 22:17:01 master slapd[947]: => acl_mask: access to entry "cn=replica,ou=hosts,dc=example,dc=net", attr "authzTo" requested Dec 3 22:17:01 master slapd[947]: => acl_mask: to all values by "cn=replica,ou=hosts,dc=example,dc=net", (=0) Dec 3 22:17:01 master slapd[947]: <= check a_dn_pat: users Dec 3 22:17:01 master slapd[947]: <= acl_mask: [1] applying read(=rscxd) (stop) Dec 3 22:17:01 master slapd[947]: <= acl_mask: [1] mask: read(=rscxd) Dec 3 22:17:01 master slapd[947]: => slap_access_allowed: auth access granted by read(=rscxd) Dec 3 22:17:01 master slapd[947]: => access_allowed: auth access granted by read(=rscxd) Dec 3 22:17:01 master slapd[947]: => access_allowed: result was in cache (authzTo) Dec 3 22:17:01 master slapd[947]: ===>slap_sasl_match: comparing DN uid=administrator,ou=people,dc=example,dc=net to rule dn:* Dec 3 22:17:01 master slapd[947]: slap_parseURI: parsing dn:* Dec 3 22:17:01 master slapd[947]: <===slap_sasl_match: comparison returned 0 Dec 3 22:17:01 master slapd[947]: <==slap_sasl_check_authz: authzTo check returning 0 Dec 3 22:17:01 master slapd[947]: <== slap_sasl_authorized: return 0 Dec 3 22:17:01 master slapd[947]: conn=1054 op=3 PROXYAUTHZ dn="uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: <= get_ctrls: n=1 
rc=0 err="" Dec 3 22:17:01 master slapd[947]: >>> dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 master slapd[947]: <<< dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net>, <uid=administrator,ou=people,dc=example,dc=net> Dec 3 22:17:01 master slapd[947]: conn=1054 op=3 modifications: Dec 3 22:17:01 master slapd[947]: #011replace: description Dec 3 22:17:01 master slapd[947]: #011#011one value, length 21 Dec 3 22:17:01 master slapd[947]: conn=1054 op=3 MOD dn="uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: conn=1054 op=3 MOD attr=description Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=administrator,ou=people,dc=example,dc=net") Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: ndn: "uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: oc: "(null)", at: "(null)" Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=administrator,ou=people,dc=example,dc=net") Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: found entry: "uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: bdb_entry_get: rc=0 Dec 3 22:17:01 master slapd[947]: => test_filter Dec 3 22:17:01 master slapd[947]: PRESENT Dec 3 22:17:01 master slapd[947]: => access_allowed: search access to "uid=administrator,ou=people,dc=example,dc=net" "objectClass" requested Dec 3 22:17:01 master slapd[947]: => dn: [4] ou=kerberos,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: => dn: [5] Dec 3 22:17:01 master slapd[947]: => acl_get: [6] attr objectClass Dec 3 22:17:01 master slapd[947]: => acl_mask: access to entry "uid=administrator,ou=people,dc=example,dc=net", attr "objectClass" requested Dec 3 22:17:01 master slapd[947]: => acl_mask: to all values by "cn=replica,ou=hosts,dc=example,dc=net", (=0) Dec 3 22:17:01 master slapd[947]: <= check a_dn_pat: cn=adm-srv,ou=kerberos,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: <= check a_dn_pat: self Dec 3 
22:17:01 master slapd[947]: <= check a_dn_pat: users Dec 3 22:17:01 master slapd[947]: <= acl_mask: [3] applying read(=rscxd) (stop) Dec 3 22:17:01 master slapd[947]: <= acl_mask: [3] mask: read(=rscxd) Dec 3 22:17:01 master slapd[947]: => slap_access_allowed: search access granted by read(=rscxd) Dec 3 22:17:01 master slapd[947]: => access_allowed: search access granted by read(=rscxd) Dec 3 22:17:01 master slapd[947]: <= test_filter 6 Dec 3 22:17:01 master slapd[947]: syncprov_matchops: sid ffffffff fscope 1 rc 6 Dec 3 22:17:01 master slapd[947]: hdb_modify: uid=administrator,ou=people,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: slap_queue_csn: queing 0x7fa90f0fe110 20121204031701.560697Z#000000#000#000000 Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=administrator,ou=people,dc=example,dc=net") Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: 0x0000000b: uid=administrator,ou=people,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: => access_allowed: result not in cache (description) Dec 3 22:17:01 master slapd[947]: => access_allowed: delete access to "uid=administrator,ou=people,dc=example,dc=net" "description" requested Dec 3 22:17:01 master slapd[947]: => dn: [4] ou=kerberos,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: => dn: [5] Dec 3 22:17:01 master slapd[947]: => acl_get: [6] attr description Dec 3 22:17:01 master slapd[947]: => acl_mask: access to entry "uid=administrator,ou=people,dc=example,dc=net", attr "description" requested Dec 3 22:17:01 master slapd[947]: => acl_mask: to all values by "uid=administrator,ou=people,dc=example,dc=net", (=0) Dec 3 22:17:01 master slapd[947]: <= check a_dn_pat: cn=adm-srv,ou=kerberos,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: <= check a_dn_pat: self Dec 3 22:17:01 master slapd[947]: <= acl_mask: [2] applying write(=wrscxd) (stop) Dec 3 22:17:01 master slapd[947]: <= acl_mask: [2] mask: write(=wrscxd) Dec 3 22:17:01 master slapd[947]: => slap_access_allowed: delete access granted by 
write(=wrscxd) Dec 3 22:17:01 master slapd[947]: => access_allowed: delete access granted by write(=wrscxd) Dec 3 22:17:01 master slapd[947]: => access_allowed: result not in cache (description) Dec 3 22:17:01 master slapd[947]: => access_allowed: add access to "uid=administrator,ou=people,dc=example,dc=net" "description" requested Dec 3 22:17:01 master slapd[947]: => dn: [4] ou=kerberos,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: => dn: [5] Dec 3 22:17:01 master slapd[947]: => acl_get: [6] attr description Dec 3 22:17:01 master slapd[947]: => acl_mask: access to entry "uid=administrator,ou=people,dc=example,dc=net", attr "description" requested Dec 3 22:17:01 master slapd[947]: => acl_mask: to value by "uid=administrator,ou=people,dc=example,dc=net", (=0) Dec 3 22:17:01 master slapd[947]: <= check a_dn_pat: cn=adm-srv,ou=kerberos,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: <= check a_dn_pat: self Dec 3 22:17:01 master slapd[947]: <= acl_mask: [2] applying write(=wrscxd) (stop) Dec 3 22:17:01 master slapd[947]: <= acl_mask: [2] mask: write(=wrscxd) Dec 3 22:17:01 master slapd[947]: => slap_access_allowed: add access granted by write(=wrscxd) Dec 3 22:17:01 master slapd[947]: => access_allowed: add access granted by write(=wrscxd) Dec 3 22:17:01 master slapd[947]: acl: internal mod entryCSN: modify access granted Dec 3 22:17:01 master slapd[947]: acl: internal mod modifiersName: modify access granted Dec 3 22:17:01 master slapd[947]: acl: internal mod modifyTimestamp: modify access granted Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace description Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace entryCSN Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace modifiersName Dec 3 22:17:01 master slapd[947]: bdb_modify_internal: replace modifyTimestamp Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=administrator,ou=people,dc=example,dc=net), objectClass "inetOrgPerson" Dec 3 22:17:01 master 
slapd[947]: oc_check_required entry (uid=administrator,ou=people,dc=example,dc=net), objectClass "posixAccount" Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=administrator,ou=people,dc=example,dc=net), objectClass "shadowAccount" Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=administrator,ou=people,dc=example,dc=net), objectClass "krbPrincipalAux" Dec 3 22:17:01 master slapd[947]: oc_check_required entry (uid=administrator,ou=people,dc=example,dc=net), objectClass "krbTicketPolicyAux" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "objectClass" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "cn" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "sn" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "uidNumber" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "gidNumber" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "userPassword" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "homeDirectory" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "structuralObjectClass" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "uid" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "entryUUID" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "creatorsName" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "createTimestamp" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbPrincipalName" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbPrincipalKey" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastPwdChange" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastFailedAuth" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLoginFailedCount" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbLastSuccessfulAuth" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "krbExtraData" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "description" Dec 3 22:17:01 master slapd[947]: oc_check_allowed 
type "entryCSN" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "modifiersName" Dec 3 22:17:01 master slapd[947]: oc_check_allowed type "modifyTimestamp" Dec 3 22:17:01 master slapd[947]: => key_change(DELETE,b) Dec 3 22:17:01 master slapd[947]: bdb_idl_delete_key: b Dec 3 22:17:01 master slapd[947]: <= key_change 0 Dec 3 22:17:01 master slapd[947]: => key_change(ADD,b) Dec 3 22:17:01 master slapd[947]: bdb_idl_insert_key: b Dec 3 22:17:01 master slapd[947]: <= key_change 0 Dec 3 22:17:01 master slapd[947]: => entry_encode(0x0000000b): Dec 3 22:17:01 master slapd[947]: <= entry_encode(0x0000000b): Dec 3 22:17:01 master slapd[947]: hdb_modify: updated id=0000000b dn="uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: send_ldap_result: conn=1054 op=3 p=3 Dec 3 22:17:01 master slapd[947]: send_ldap_result: err=0 matched="" text="" Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: ndn: "uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: oc: "(null)", at: "(null)" Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=administrator,ou=people,dc=example,dc=net") Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: found entry: "uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: bdb_entry_get: rc=0 Dec 3 22:17:01 master slapd[947]: => test_filter Dec 3 22:17:01 master slapd[947]: PRESENT Dec 3 22:17:01 master slapd[947]: => access_allowed: search access to "uid=administrator,ou=people,dc=example,dc=net" "objectClass" requested Dec 3 22:17:01 master slapd[947]: => dn: [4] ou=kerberos,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: => dn: [5] Dec 3 22:17:01 master slapd[947]: => acl_get: [6] attr objectClass Dec 3 22:17:01 master slapd[947]: => acl_mask: access to entry "uid=administrator,ou=people,dc=example,dc=net", attr "objectClass" requested Dec 3 22:17:01 master slapd[947]: => acl_mask: to all values by "cn=replica,ou=hosts,dc=example,dc=net", (=0) Dec 
3 22:17:01 master slapd[947]: <= check a_dn_pat: cn=adm-srv,ou=kerberos,dc=example,dc=net Dec 3 22:17:01 master slapd[947]: <= check a_dn_pat: self Dec 3 22:17:01 master slapd[947]: <= check a_dn_pat: users Dec 3 22:17:01 master slapd[947]: <= acl_mask: [3] applying read(=rscxd) (stop) Dec 3 22:17:01 master slapd[947]: <= acl_mask: [3] mask: read(=rscxd) Dec 3 22:17:01 master slapd[947]: => slap_access_allowed: search access granted by read(=rscxd) Dec 3 22:17:01 master slapd[947]: => access_allowed: search access granted by read(=rscxd) Dec 3 22:17:01 master slapd[947]: <= test_filter 6 Dec 3 22:17:01 master slapd[947]: syncprov_matchops: sid ffffffff fscope 1 rc 6 Dec 3 22:17:01 master slapd[947]: syncprov_sendresp: cookie=rid=123,csn=20121204031701.560697Z#000000#000#000000 Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: ndn: "uid=administrator,ou=people,dc=example,dc=net" Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: oc: "(null)", at: "(null)" Dec 3 22:17:01 master slapd[947]: bdb_dn2entry("uid=administrator,ou=people,dc=example,dc=net") Dec 3 22:17:01 master slapd[947]: => bdb_entry_get: found entry: "uid=administrator,ou=people,dc=example,dc=net" Everything looks good on the master. I see uid=administrator gets sent over from the the proxy on replica and the update proceeds as expected. Now if I restart slapd on replica, things change. 
Performing the same modification, we again see SASL/GSSAPI authentication occurring on replica just as before:

Dec 3 22:20:38 replica slapd[1412]: [rw] authid: "uid=administrator,cn=example.net,cn=gssapi,cn=auth" -> "uid=administrator,ou=people,dc=example,dc=net"
Dec 3 22:20:38 replica slapd[1412]: slap_parseURI: parsing uid=administrator,ou=people,dc=example,dc=net
Dec 3 22:20:38 replica slapd[1412]: >>> dnNormalize: <uid=administrator,ou=people,dc=example,dc=net>
Dec 3 22:20:38 replica slapd[1412]: <<< dnNormalize: <uid=administrator,ou=people,dc=example,dc=net>
Dec 3 22:20:38 replica slapd[1412]: <==slap_sasl2dn: Converted SASL name to uid=administrator,ou=people,dc=example,dc=net
Dec 3 22:20:38 replica slapd[1412]: slap_sasl_getdn: dn:id converted to uid=administrator,ou=people,dc=example,dc=net
Dec 3 22:20:38 replica slapd[1412]: SASL Canonicalize [conn=1000]: slapAuthcDN="uid=administrator,ou=people,dc=example,dc=net"
Dec 3 22:20:38 replica slapd[1412]: SASL proxy authorize [conn=1000]: authcid="administrator@EXAMPLE.NET" authzid="administrator@EXAMPLE.NET"
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=2 BIND authcid="administrator@EXAMPLE.NET" authzid="administrator@EXAMPLE.NET"
Dec 3 22:20:38 replica slapd[1412]: SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
Dec 3 22:20:38 replica slapd[1412]: send_ldap_sasl: err=0 len=-1
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=2 BIND dn="uid=administrator,ou=people,dc=example,dc=net" mech=GSSAPI sasl_ssf=56 ssf=56
Dec 3 22:20:38 replica slapd[1412]: do_bind: SASL/GSSAPI bind: dn="uid=administrator,ou=people,dc=example,dc=net" sasl_ssf=56
Dec 3 22:20:38 replica slapd[1412]: send_ldap_response: msgid=3 tag=97 err=0
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=2 RESULT tag=97 err=0 text=
Dec 3 22:20:38 replica slapd[1412]: <== slap_sasl_bind: rc=0

Again, we head into the modification:

Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=3 do_modify
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=3 do_modify: dn (uid=administrator,ou=people,dc=example,dc=net)
Dec 3 22:20:38 replica slapd[1412]: >>> dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net>
Dec 3 22:20:38 replica slapd[1412]: <<< dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net>, <uid=administrator,ou=people,dc=example,dc=net>
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=3 modifications:
Dec 3 22:20:38 replica slapd[1412]: #011replace: description
Dec 3 22:20:38 replica slapd[1412]: #011#011one value, length 21
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=3 MOD dn="uid=administrator,ou=people,dc=example,dc=net"
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=3 MOD attr=description
Dec 3 22:20:38 replica slapd[1412]: bdb_dn2entry("uid=administrator,ou=people,dc=example,dc=net")
Dec 3 22:20:38 replica slapd[1412]: => hdb_dn2id("ou=people,dc=example,dc=net")
Dec 3 22:20:38 replica slapd[1412]: <= hdb_dn2id: got id=0x3
Dec 3 22:20:38 replica slapd[1412]: daemon: activity on 1 descriptor
Dec 3 22:20:38 replica slapd[1412]: daemon: activity on:
Dec 3 22:20:38 replica slapd[1412]:

So far, so good (I think); replica sees the need to refer the action and tries to chase it on behalf of the client:

Dec 3 22:20:38 replica slapd[1412]: => hdb_dn2id("uid=administrator,ou=people,dc=example,dc=net")
Dec 3 22:20:38 replica slapd[1412]: <= hdb_dn2id: got id=0xb
Dec 3 22:20:38 replica slapd[1412]: entry_decode: ""
Dec 3 22:20:38 replica slapd[1412]: <= entry_decode()
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=1000 op=3 p=3
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: err=10 matched="" text=""
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: referral="ldap://master.example.net:389/uid=administrator,ou=people,dc=example,dc=net"
Dec 3 22:20:38 replica slapd[1412]: >>> dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net>
Dec 3 22:20:38 replica slapd[1412]: <<< dnPrettyNormal: <uid=administrator,ou=people,dc=example,dc=net>, <uid=administrator,ou=people,dc=example,dc=net>
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=3 ldap_chain_op: ref="ldap://master.example.net:389/uid=administrator,ou=people,dc=example,dc=net" -> "ldap://master.example.net:389"
Dec 3 22:20:38 replica slapd[1412]: ldap_back_db_open: URI=ldap://master.example.net:389
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=3 ldap_chain_op: ref="ldap://master.example.net:389/uid=administrator,ou=people,dc=example,dc=net" temporary
Dec 3 22:20:38 replica slapd[1412]: =>ldap_back_getconn: conn=1000 op=3: lc=0x7f213015a7d0 inserted refcnt=1 rc=0
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=1000 op=3 p=3

At this point, I "assume" the modification has been passed off to master. However, I notice that I never see the replica checking authzTo like before the restart. I think this is where it's falling apart for me, and the err=8 is returned back from master.

Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: err=8 matched="" text="modifications require authentication"
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: conn=1000 op=3 p=3
Dec 3 22:20:38 replica slapd[1412]: send_ldap_result: err=8 matched="" text=""
Dec 3 22:20:38 replica slapd[1412]: send_ldap_response: msgid=4 tag=103 err=8
Dec 3 22:20:38 replica slapd[1412]: conn=1000 op=3 RESULT tag=103 err=8 text=
Dec 3 22:20:38 replica slapd[1412]: daemon: activity on 1 descriptor
Dec 3 22:20:38 replica slapd[1412]: daemon: activity on:
Dec 3 22:20:38 replica slapd[1412]: 18r

Over on the master we see that the proxy connection occurs, but the client credentials never appear to arrive. I say that because it looks to me like the proxy connection from replica appears to bind anonymously.
Dec 3 22:20:38 master slapd[947]: daemon: activity on 1 descriptor
Dec 3 22:20:38 master slapd[947]: daemon: activity on:
Dec 3 22:20:38 master slapd[947]:
Dec 3 22:20:38 master slapd[947]: slap_listener_activate(8):
Dec 3 22:20:38 master slapd[947]: >>> slap_listener(ldap:///)
Dec 3 22:20:38 master slapd[947]: daemon: listen=8, new connection on 51
Dec 3 22:20:38 master slapd[947]: daemon: added 51r (active) listener=(nil)
Dec 3 22:20:38 master slapd[947]: conn=1056 fd=51 ACCEPT from IP=192.168.1.2:34759 (IP=0.0.0.0:389)
Dec 3 22:20:38 master slapd[947]: daemon: activity on 2 descriptors
Dec 3 22:20:38 master slapd[947]: daemon: activity on:
Dec 3 22:20:38 master slapd[947]: 51r
Dec 3 22:20:38 master slapd[947]:
Dec 3 22:20:38 master slapd[947]: daemon: read active on 51
Dec 3 22:20:38 master slapd[947]: connection_get(51)
Dec 3 22:20:38 master slapd[947]: connection_get(51): got connid=1056
Dec 3 22:20:38 master slapd[947]: connection_read(51): checking for input on id=1056
Dec 3 22:20:38 master slapd[947]: op tag 0x60, time 1354591238
Dec 3 22:20:38 master slapd[947]: conn=1056 op=0 do_bind
Dec 3 22:20:38 master slapd[947]: >>> dnPrettyNormal: <>
Dec 3 22:20:38 master slapd[947]: <<< dnPrettyNormal: <>, <>
Dec 3 22:20:38 master slapd[947]: conn=1056 op=0 BIND dn="" method=128
Dec 3 22:20:38 master slapd[947]: do_bind: version=3 dn="" method=128
Dec 3 22:20:38 master slapd[947]: send_ldap_result: conn=1056 op=0 p=3
Dec 3 22:20:38 master slapd[947]: send_ldap_result: err=0 matched="" text=""
Dec 3 22:20:38 master slapd[947]: send_ldap_response: msgid=1 tag=97 err=0
Dec 3 22:20:38 master slapd[947]: conn=1056 op=0 RESULT tag=97 err=0 text=
Dec 3 22:20:38 master slapd[947]: do_bind: v3 anonymous bind
Dec 3 22:20:38 master slapd[947]: daemon: activity on 2 descriptors
Dec 3 22:20:38 master slapd[947]: daemon: activity on:
Dec 3 22:20:38 master slapd[947]: 51r
Dec 3 22:20:38 master slapd[947]:

After the (anonymous) bind, the master never attempts to check if the proxyauth request is allowed via authzTo or anything else (perhaps obviously). The modification just proceeds anonymously and eventually fails. Not sure if I'm saying this in a way that makes any sense to you. Hopefully, it does. It appears that the proxy on replica, after restarting, never tries to determine if the olcDbIDAssertBind binddn is permitted to impersonate the client via the authzTo attribute, and proceeds with the referral chase anonymously. I'll copy/paste configs below. Sorry this is so long, but I figure the more information, the better when trying to solve any problem.

Thanks,
Barry

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv master configuration vvvvvvvvvvvvvvvvvvvvvvvvvvvv

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: ea6bf008-d108-1031-912d-8fbb37ee6dd9
creatorsName: cn=config
createTimestamp: 20121202201635Z
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/master_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ldap/master_slapd_key.pem
olcAuthzPolicy: to
olcSaslHost: master.example.net
olcSaslRealm: EXAMPLE.NET
olcAuthzRegexp: {0}uid=ldap/([^/\.]+).example.net,cn=example.net,cn=gssapi,cn=auth cn=$1,ou=hosts,dc=example,dc=net
olcAuthzRegexp: {1}uid=([^,]+),cn=example.net,cn=gssapi,cn=auth uid=$1,ou=people,dc=example,dc=net
olcLogLevel: -1
entryCSN: 20121204013949.466434Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20121204013949Z

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
structuralObjectClass: olcModuleList
entryUUID: ea6dda08-d108-1031-9135-8fbb37ee6dd9
creatorsName: cn=config
createTimestamp: 20121202201635Z
entryCSN: 20121203054749.860918Z#000000#000#000000
modifiersName:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20121203054749Z dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema structuralObjectClass: olcSchemaConfig entryUUID: ea6c3a0e-d108-1031-9130-8fbb37ee6dd9 creatorsName: cn=config createTimestamp: 20121202201635Z entryCSN: 20121202201635.672699Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121202201635Z <snip schemas > dn: olcBackend={0}hdb,cn=config objectClass: olcBackendConfig olcBackend: {0}hdb structuralObjectClass: olcBackendConfig entryUUID: ea6f949c-d108-1031-9136-8fbb37ee6dd9 creatorsName: cn=config createTimestamp: 20121202201635Z entryCSN: 20121202201635.694663Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121202201635Z dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break olcAccess: {1}to dn.exact="" by * read olcAccess: {2}to dn.base="cn=Subschema" by * read olcSizeLimit: 500 structuralObjectClass: olcDatabaseConfig entryUUID: ea6c0bf6-d108-1031-912e-8fbb37ee6dd9 creatorsName: cn=config createTimestamp: 20121202201635Z entryCSN: 20121202201635.671512Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121202201635Z dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break structuralObjectClass: olcDatabaseConfig entryUUID: ea6c325c-d108-1031-912f-8fbb37ee6dd9 creatorsName: cn=config createTimestamp: 20121202201635Z entryCSN: 20121202201635.672495Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121202201635Z dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=example,dc=net olcLastMod: TRUE olcRootDN: 
cn=admin,dc=example,dc=net olcRootPW:: e1NTSEF9cGhKNWtqME9rOGJnVXp0dy9hYzZEaWFmU1U1Z0FTZk0= olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: uid eq olcDbIndex: cn eq olcDbIndex: ou eq olcDbIndex: dc eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: memberUid eq olcDbIndex: uniqueMember eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: krbPrincipalName eq,pres,sub olcDbIndex: krbPwdPolicyReference eq structuralObjectClass: olcHdbConfig entryUUID: ea6fa3ce-d108-1031-9137-8fbb37ee6dd9 creatorsName: cn=config createTimestamp: 20121202201635Z olcAccess: {0}to attrs=userPassword,shadowLastChange by group.exact="cn=replic ators,ou=groups,dc=example,dc=net" read by self write by anonymous auth olcAccess: {1}to attrs=authzTo,authzFrom,cn,uidNumber,gidNumber,uid by users r ead by anonymous none olcAccess: {2}to attrs=krbLastSuccessfulAuth,krbExtraData,krbLastFailedAuth,kr bLoginFailedCount by group.exact="cn=replicators,ou=groups,dc=example,dc=net" read by dn="cn=kdc-srv,ou=kerberos,dc=example,dc=net" write by dn="cn=adm-sr v,ou=kerberos,dc=example,dc=net" write by self read by * none olcAccess: {3}to dn.subtree="ou=kerberos,dc=example,dc=net" by group.exact="cn =replicators,ou=groups,dc=example,dc=net" read by dn="cn=kdc-srv,ou=kerberos, dc=example,dc=net" read by dn="cn=adm-srv,ou=kerberos,dc=example,dc=net" writ e by * none olcAccess: {4}to dn.base="" by * read olcAccess: {5}to * by dn="cn=adm-srv,ou=kerberos,dc=example,dc=net" write by s elf write by users read entryCSN: 20121203054749.804561Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20121203054749Z dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcSpCheckpoint: 100 
10 olcSpSessionlog: 100 structuralObjectClass: olcSyncProvConfig entryUUID: b77dc36a-d158-1031-9917-2f12ddec6588 creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20121203054749Z entryCSN: 20121203054749.962179Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20121203054749Z vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv dc=example,dc=net vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv dn: dc=example,dc=net objectClass: top objectClass: dcObject objectClass: organization o: example.net dc: example structuralObjectClass: organization entryUUID: eac01854-d108-1031-95b6-31806daa9e45 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121202201636Z entryCSN: 20121202201636.222029Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121202201636Z contextCSN: 20121204035116.890381Z#000000#000#000000 dn: cn=admin,dc=example,dc=net objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: eac2e160-d108-1031-95b7-31806daa9e45 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121202201636Z entryCSN: 20121202201636.240572Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121202201636Z dn: ou=people,dc=example,dc=net objectClass: organizationalUnit ou: people description: user account objects structuralObjectClass: organizationalUnit entryUUID: 1cee4810-d12b-1031-9787-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z entryCSN: 20121203002123.299880Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203002123Z dn: ou=groups,dc=example,dc=net objectClass: organizationalUnit ou: groups description: group objects structuralObjectClass: organizationalUnit entryUUID: 1cfcb788-d12b-1031-9788-4f8d9abcea93 creatorsName: 
cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z entryCSN: 20121203002123.394485Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203002123Z dn: ou=hosts,dc=example,dc=net objectClass: organizationalUnit ou: hosts description: host/computer objects structuralObjectClass: organizationalUnit entryUUID: 1cfdb37c-d12b-1031-9789-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z entryCSN: 20121203002123.400935Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203002123Z dn: ou=kerberos,dc=example,dc=net objectClass: organizationalUnit ou: kerberos description: kerberos realm container structuralObjectClass: organizationalUnit entryUUID: 1cfef412-d12b-1031-978a-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z entryCSN: 20121203002123.409140Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203002123Z dn: cn=replica,ou=hosts,dc=example,dc=net cn: replica objectClass: simpleSecurityObject objectClass: organizationalRole objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux authzTo: dn:* description: LDAP server, replica structuralObjectClass: organizationalRole entryUUID: 1d02dae6-d12b-1031-978b-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z krbPrincipalName: host/replica.example.net@EXAMPLE.NET krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ MEegAwIBEqFABD4gADgZgDa20URzdHWQ1WObQespjD5JMlRSb3fbZN8fG+gFml3DZQzinhbRURAxZ oJVqBI/zPGh/FDf9m+5bDBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAz54uBWIC4AFa66jXa6Mn3k f62uOX1YE6N3JlXl1EG2abEzZw1xWglReNN68wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAKu6lb/ QQQHgCnrL6XaSAYoh3A5GHF0xa2/vTWwq+lX4zmCpbY2l2up3TBVKZrhlenNSkxswPKAHMAWgAwIB AKExMC+gAwIBAaEoBCYIAGjfhZNlm0+a6MGvBgok7WxzB638xMCex7sQ1zfzZkLiViiKpw== krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203065600Z 
krbExtraData:: AAIATbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA= krbExtraData:: AAgBAA== userPassword:: <secret> entryCSN: 20121203233422.105322Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203233422Z dn: cn=master,ou=hosts,dc=example,dc=net cn: master objectClass: simpleSecurityObject objectClass: organizationalRole objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux authzTo: dn:* description: LDAP server, replica userPassword:: e0NSWVBUfSo= structuralObjectClass: organizationalRole entryUUID: 1d0514dc-d12b-1031-978c-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z krbPrincipalName: host/master.example.net@EXAMPLE.NET krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ MEegAwIBEqFABD4gACzEUo41sdOc4i+gbyFE/lai6sMdeygNYlf/SiWtzll+A7x/QBVoz7zFW+aWr 8/FMEBj49p4Bn0Goa371TBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAGW4+8wBum86XgWwWj5522A i/CCoCVDIVBZHOI48rJZHrgu59tvH0fH7TDkcwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAH15xNZ VJSjkEKx2M7Ai17Og8lMWwXAsDB2h+LsGC+HsSWdbE0P4yCNkjMOdIwnwJJ3OA48wPKAHMAWgAwIB AKExMC+gAwIBAaEoBCYIAGuLUyYlXYKdpNk9KEe7TuHulCL0Fzr4N8WXAv3DaIILvcKv0w== krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203060855Z krbExtraData:: AAL3QbxQYWRtaW5pc3RyYXRvckBFWEFNUExFLk5FVAA= krbExtraData:: AAgBAA== entryCSN: 20121203060855.932134Z#000000#000#000000 modifiersName: cn=adm-srv,ou=kerberos,dc=example,dc=net modifyTimestamp: 20121203060855Z dn: cn=administrator,ou=groups,dc=example,dc=net objectClass: posixGroup cn: administrator gidNumber: 50000 structuralObjectClass: posixGroup entryUUID: 1d079216-d12b-1031-978d-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z entryCSN: 20121203002123.465616Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203002123Z dn: cn=replicators,ou=groups,dc=example,dc=net objectClass: top objectClass: groupOfNames cn: replicators member: 
cn=replica,ou=hosts,dc=example,dc=net member: cn=master,ou=hosts,dc=example,dc=net structuralObjectClass: groupOfNames entryUUID: 1d096db6-d12b-1031-978e-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z entryCSN: 20121203002123.477792Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203002123Z dn: uid=administrator,ou=people,dc=example,dc=net objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux cn: administrator sn: administrator uidNumber: 50000 gidNumber: 50000 userPassword:: <secret> homeDirectory: /home/administrator structuralObjectClass: inetOrgPerson uid: administrator entryUUID: 1d0a9bf0-d12b-1031-978f-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z krbPrincipalName: administrator@EXAMPLE.NET krbPrincipalKey:: MIICa6ADAgEBoQMCAQGiAwIBAaMDAgEBpIICUzCCAk8wVKAHMAWgAwIBAKFJ MEegAwIBEqFABD4gALWKtjcuVIPL0PLDhUQleHDwIp4PB4O0T3ays8putrnZEUxVC+EcqcdxailuD o3oHvU0K11YiAyckIKjfzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAQRTIM4QI0IPjmA1xg/Ot7l cXQSCNuv7MRgBJl7N1QsxS7naYbgLlyybkbXkwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYADmOzq8 96TliwJM9J3X0Dxb/Y+bcTz3e4/FarTIvzEMrMneaW57VGLWX1y162/LNz2jwAqIwPKAHMAWgAwIB AKExMC+gAwIBAaEoBCYIAMBGuqUqQw8nhnQ194wQICvc+Iu0yPUdSTzjGXtDhPSaAHj70DA8oAcwB aADAgEBoTEwL6ADAgEDoSgEJggA0mkFMVjyT2Jn553z2fZNIOQ8fYR2jtUcGFbyUL4s4HaK+6yoME 2gGDAWoAMCAQKhDwQNYWRtaW5pc3RyYXRvcqExMC+gAwIBA6EoBCYIAHKR4PzhneCY8c8tLpo8yyO mpk8FynWjl7rVe+Zqq9gIt4KXTTBLoBYwFKADAgEDoQ0EC0VYQU1QTEUuTkVUoTEwL6ADAgEDoSgE JggA4e6VizsvWUEKEqAt58PrPViScqavK7u2VuYDpNNuVwTv3zGmMEugFjAUoAMCAQWhDQQLRVhBT VBMRS5ORVShMTAvoAMCAQOhKAQmCACA4sM1SoUcEEYGOMA8CDwINmmJXgnKPQr8jRDsxGToXGa5U+ g= krbLastPwdChange: 20121203054848Z krbLastFailedAuth: 20121204013714Z krbLoginFailedCount: 0 description: Network Administrator krbLastSuccessfulAuth: 20121204035116Z krbExtraData:: 
AAJAPbxQcm9vdC9hZG1pbkBFWEFNUExFLk5FVAA= krbExtraData:: AAgBAA== entryCSN: 20121204035116.890381Z#000000#000#000000 modifiersName: cn=kdc-srv,ou=kerberos,dc=example,dc=net modifyTimestamp: 20121204035116Z dn: cn=kdc-srv,ou=kerberos,dc=example,dc=net objectClass: simpleSecurityObject objectClass: organizationalRole cn: kdc-srv description: Kerberos KDC userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: 1d168924-d12b-1031-9790-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z entryCSN: 20121203002123.563692Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203002123Z dn: cn=adm-srv,ou=kerberos,dc=example,dc=net objectClass: simpleSecurityObject objectClass: organizationalRole cn: adm-srv description: Kerberos Admin Server userPassword:: <secret> structuralObjectClass: organizationalRole entryUUID: 1d18610e-d12b-1031-9791-4f8d9abcea93 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203002123Z entryCSN: 20121203002123.575773Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203002123Z dn: cn=EXAMPLE.NET,ou=kerberos,dc=example,dc=net cn: EXAMPLE.NET objectClass: top objectClass: krbRealmContainer objectClass: krbTicketPolicyAux krbSubTrees: dc=example,dc=net krbSearchScope: 2 krbMaxRenewableAge: 604800 krbMaxTicketLife: 36000 structuralObjectClass: krbRealmContainer entryUUID: c03d58b8-d134-1031-83e7-0707760cf534 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203013022Z entryCSN: 20121203013022.757228Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203013022Z dn: krbPrincipalName=K/M@EXAMPLE.NET,cn=EXAMPLE.NET,ou=kerberos,dc=example,dc=net krbLoginFailedCount: 0 krbMaxTicketLife: 36000 krbMaxRenewableAge: 604800 krbTicketFlags: 192 krbPrincipalName: K/M@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: 
MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+gAwIB EKE4BDYYALvAYATOnUQCrTUO54HKuJKnttvmnxYyud5Fh6T22oTH0qAUzKRfDdxTuO7OIrbK/c4Ks HI= krbLastPwdChange: 19700101000000Z krbExtraData:: AAkBAAEArgC8UA== krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAAAAAAA= objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c04d9282-d134-1031-83e8-0707760cf534 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203013022Z entryCSN: 20121203013022.863568Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203013022Z dn: krbPrincipalName=krbtgt/EXAMPLE.NET@EXAMPLE.NET,cn=EXAMPLE.NET,ou=kerberos,dc=example,dc=net krbLoginFailedCount: 0 krbMaxTicketLife: 36000 krbMaxRenewableAge: 604800 krbTicketFlags: 0 krbPrincipalName: krbtgt/EXAMPLE.NET@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ MEegAwIBEqFABD4gAOyPPy2RLdudifS8baeUvv3AxlGKKubyeRUcnwFc2CqS9kNvgpTNujaNnfmRR GQI5lTHUdwGYqHfr+ayuTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAe8n+vM9TXvNAG43Va7UKy1 93EQx3jtSTiD0aa2tNK9FbkomkYG0mWlz/xW4wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM9KwFT B9MqvfMfba37K7zY6lqPhLpF8d0uucRA/Ewed1i9wfjiOuxQVR0PWLB2OM5q1llQwPKAHMAWgAwIB AKExMC+gAwIBAaEoBCYIAFObLZrmdRD8NEctxP0TySKwmGNnKiX7m+EMMvNj4xmNIa2yTTA8oAcwB aADAgEAoTEwL6ADAgEDoSgEJggAXVm59rkWXluDnx/F0XOEDh4i3Nz9HckLfrcVL5goKRVOV8oR krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAAAAAAA= objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c0518180-d134-1031-83e9-0707760cf534 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203013022Z entryCSN: 20121203013022.889347Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203013022Z dn: 
krbPrincipalName=kadmin/admin@EXAMPLE.NET,cn=EXAMPLE.NET,ou=kerberos,dc=example,dc=net krbLoginFailedCount: 0 krbMaxTicketLife: 10800 krbMaxRenewableAge: 604800 krbTicketFlags: 4 krbPrincipalName: kadmin/admin@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ MEegAwIBEqFABD4gAMjLoWHTDPL9j+ribbAohbY8+SM973mU5iIvxN7MItjbLtXBh/7CF2xtCkdsY 5WwobkGKFvGkZvTL+olZjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAwMe5Vpq5Hd2Zy1E8M28Ix6 SbAtMeUjzpEqwQM3P838foPwM9ZfRYhfZ0UfAwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAGZM5wu tIcsdKbsYTDZgUzqIADtNt4GYjBIJx13JO40Bto78eCybAvE4uqFivBmdH1kEy8cwPKAHMAWgAwIB AKExMC+gAwIBAaEoBCYIAHrJty4X1D5dPY/PW84Lgb0YYuazteCJMYvphJZr3LeKs7suBzA8oAcwB aADAgEAoTEwL6ADAgEDoSgEJggAMDfJDyzgWa4vsKv6rs9IkXOq8eEePAQPB9s0UPbM+9bG3aQz krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAGlvbkA= objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c05346be-d134-1031-83ea-0707760cf534 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203013022Z entryCSN: 20121203013022.900950Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203013022Z dn: krbPrincipalName=kadmin/changepw@EXAMPLE.NET,cn=EXAMPLE.NET,ou=kerberos,dc=example,dc=net krbLoginFailedCount: 0 krbMaxTicketLife: 300 krbMaxRenewableAge: 604800 krbTicketFlags: 8196 krbPrincipalName: kadmin/changepw@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ MEegAwIBEqFABD4gAHNxSgJ9GwIH0UmFf5Ol8WWQ/2Wy6nQqmf+yX4dVzEQFsmaBp9l1hsceWqIB2 ic80wlAJW9Do0gSOaiYfjBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAt+ZrWZKAjKkUhSJt0wwSqU ootXhNduXIRVjUJxWVtXdPTI7RcL/yjZK2M0MwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACd423Z epUHmGMVf2I5sRQZRuoypVddoREy1pTtTMIiGvqai7Z+PRHbpL0kTawz9zdg60IgwPKAHMAWgAwIB 
AKExMC+gAwIBAaEoBCYIAGGbQu5FJ0ewAsCALf9yDbvOIa7Abx0PmnGw+PSKWOt8Dsur9TA8oAcwB aADAgEAoTEwL6ADAgEDoSgEJggAjG9iwd398xO7bFH+bAQDGv0Hh6Qr+QIpNAUB/w7dmvqU9zPl krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAGlvbkA= objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c054d88a-d134-1031-83eb-0707760cf534 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203013022Z entryCSN: 20121203013022.911237Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203013022Z dn: krbPrincipalName=kadmin/history@EXAMPLE.NET,cn=EXAMPLE.NET,ou=kerberos,dc=example,dc=net krbLoginFailedCount: 0 krbMaxTicketLife: 36000 krbMaxRenewableAge: 604800 krbTicketFlags: 0 krbPrincipalName: kadmin/history@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MGagAwIBAaEDAgEBogMCAQGjAwIBAKRQME4wTKAHMAWgAwIBAKFBMD+gAwIB EKE4BDYYAOhayj3RDyyg78DGPFKNATBnpKKbf2qwLJbJ0nPXoUdjtbHpjECIfASUXjBoB+Pkd/N+Z 2g= krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAAGlvbkA= objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c0562d3e-d134-1031-83ec-0707760cf534 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203013022Z entryCSN: 20121203013022.919957Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203013022Z dn: krbPrincipalName=kadmin/master.example.net@EXAMPLE.NET,cn=EXAMPLE.NET,ou=kerberos,dc=example,dc=net krbLoginFailedCount: 0 krbMaxTicketLife: 10800 krbMaxRenewableAge: 604800 krbTicketFlags: 4 krbPrincipalName: kadmin/master.example.net@EXAMPLE.NET krbPrincipalExpiration: 19700101000000Z krbPrincipalKey:: MIIBgqADAgEBoQMCAQGiAwIBAaMDAgEApIIBajCCAWYwVKAHMAWgAwIBAKFJ 
MEegAwIBEqFABD4gABhOeGOuo9UBDjK7hTQ3Xfs8vsWB+Afl0JkPaSt3T3tRkZbWxAhTxXl+4Ta3z Y4ZaEYItXr2awBW6QXSZzBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAUUoLikQRp1c+vGFRtGg1qY oev8m55VO73g+xEqcx02MJa1x+esm5y9VTMLswTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYACj0sgn ZOyWATgpst3N3pSom4smhxBWYgpTMghwaS5gFeKMZhccDSI8Ahm4nQPFmq3Jrf4UwPKAHMAWgAwIB AKExMC+gAwIBAaEoBCYIAL0gPnqCvdlb4//Xw5iE8Jvj2qYDwpK0Hycj+cwyCjFsVKTsjzA8oAcwB aADAgEAoTEwL6ADAgEDoSgEJggAxTSMEh/7bfV2AYx4VoP8cIeunsqtrcvNIItmDxSqZ0ecZABm krbLastPwdChange: 19700101000000Z krbExtraData:: AAKuALxQZGJfY3JlYXRpb25ARVhBTVBMRS5ORVQA krbExtraData:: AAcBAAIAAgAAANAD4gA= objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: c0581144-d134-1031-83ed-0707760cf534 creatorsName: cn=admin,dc=example,dc=net createTimestamp: 20121203013022Z entryCSN: 20121203013022.932349Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=net modifyTimestamp: 20121203013022Z dn: krbPrincipalName=ldap/master.example.net@EXAMPLE.NET,cn=EXAMPLE.NET,ou=kerberos,dc=example,dc=net krbPrincipalName: ldap/master.example.net@EXAMPLE.NET objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux structuralObjectClass: krbPrincipal entryUUID: 91a6199c-d15a-1031-9919-2f12ddec6588 creatorsName: cn=adm-srv,ou=kerberos,dc=example,dc=net createTimestamp: 20121203060105Z krbLoginFailedCount: 0 krbPrincipalKey:: MIIBRKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBLDCCASgwVKAHMAWgAwIBAKFJ MEegAwIBEqFABD4gAA6GzVEXOsoNQbzbqFy0KZqXt04aRDje4Gxq4ZS4b/z+l6pKgmUyVdsPUS2wz qeKY56slAvVlnRCQt+uZTBEoAcwBaADAgEAoTkwN6ADAgEXoTAELhAAkzwNhAF14TYWZyLZem5kvD yuLARt7Z3LLsduQ1j6s7P6EFMDNWPaHCJf09cwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAAbNr3p vkmNXkIZNgUtw2FJ3VtGEU9MmDmNHCFKSk4kHCR9naWPkbMzRmWA7s/yGkwIWxCMwPKAHMAWgAwIB AKExMC+gAwIBAaEoBCYIAPc+l15I9VR4tYjNfS6XRX09JRoioaavGokNvj0RJa1/h4j3hg== krbPasswordExpiration: 19700101000000Z krbLastPwdChange: 20121203060153Z krbLastSuccessfulAuth: 20121203061721Z krbExtraData:: 
vvvvvvvvvvvvvvvvvvvv replica config vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: af9b0068-d108-1031-9417-cd3569532aaf
creatorsName: cn=config
createTimestamp: 20121202201456Z
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/replica_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ldap/replica_slapd_key.pem
olcLogLevel: stats
olcAuthzRegexp: {0}uid=ldap/([^/\.]+).example.net,cn=example.net,cn=gssapi,cn=auth cn=$1,ou=hosts,dc=example,dc=net
olcAuthzRegexp: {1}uid=([^,]+),cn=example.net,cn=gssapi,cn=auth uid=$1,ou=people,dc=example,dc=net
olcSaslHost: replica.example.net
olcSaslRealm: EXAMPLE.NET
entryCSN: 20121204023449.956406Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20121204023449Z

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}back_ldap
structuralObjectClass: olcModuleList
entryUUID: af9d1e34-d108-1031-941f-cd3569532aaf
creatorsName: cn=config
createTimestamp: 20121202201457Z
entryCSN: 20121204041212.292184Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20121204041212Z

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: af9b564e-d108-1031-941a-cd3569532aaf
creatorsName: cn=config
createTimestamp: 20121202201456Z
entryCSN: 20121202201456.995860Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121202201456Z

< snip schemas >

dn: olcBackend={0}hdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}hdb
structuralObjectClass: olcBackendConfig
entryUUID: af9e498a-d108-1031-9420-cd3569532aaf
creatorsName: cn=config
createTimestamp: 20121202201457Z
entryCSN: 20121202201457.015189Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121202201457Z

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
structuralObjectClass: olcDatabaseConfig
entryUUID: af9b211a-d108-1031-9418-cd3569532aaf
creatorsName: cn=config
createTimestamp: 20121202201456Z
entryCSN: 20121202201456.994497Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121202201456Z

dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE
structuralObjectClass: olcChainConfig
entryUUID: 8605cc76-d214-1031-93d2-613cc62fd42f
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20121204041212Z
entryCSN: 20121204041212.352767Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20121204041212Z

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.net:389/"
olcDbIDAssertBind: bindmethod=simple binddn="cn=replica,ou=hosts,dc=example,dc=net" credentials=<secret> mode=self flags=override starttls=critical tls_reqcert=demand tls_cacert=/etc/ssl/certs/cacert.pem
olcDbRebindAsUser: TRUE
structuralObjectClass: olcLDAPConfig
entryUUID: 8609b6f6-d214-1031-93d3-613cc62fd42f
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20121204041212Z
entryCSN: 20121204041212.378432Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20121204041212Z

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: af9b4528-d108-1031-9419-cd3569532aaf
creatorsName: cn=config
createTimestamp: 20121202201456Z
entryCSN: 20121202201456.995421Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121202201456Z

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=net
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW:: e1NTSEF9eW1nS3JTR0VkMW5LQ0VaQ0Y4UjJBTDlPTlEveENDbzY=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uniqueMember eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: krbPrincipalName eq,pres,sub
olcDbIndex: krbPwdPolicyReference eq
structuralObjectClass: olcHdbConfig
entryUUID: af9e5d12-d108-1031-9421-cd3569532aaf
creatorsName: cn=config
createTimestamp: 20121202201457Z
olcAccess: {0}to attrs=userPassword,shadowLastChange by group.exact="cn=replicators,ou=groups,dc=example,dc=net" read by self write by anonymous auth
olcAccess: {1}to attrs=authzTo,authzFrom by group.exact="cn=replicators,ou=groups,dc=example,dc=net" read by users read by anonymous none
olcAccess: {2}to attrs=krbLastSuccessfulAuth,krbExtraData,krbLastFailedAuth,krbLoginFailedCount by dn="cn=kdc-srv,ou=kerberos,dc=example,dc=net" read by dn="cn=adm-srv,ou=kerberos,dc=example,dc=net" read by self read by * none
olcAccess: {3}to dn.subtree="ou=kerberos,dc=example,dc=net" by dn="cn=kdc-srv,ou=kerberos,dc=example,dc=net" read by dn="cn=adm-srv,ou=kerberos,dc=example,dc=net" read by * none
olcAccess: {4}to dn.base="" by * read
olcAccess: {5}to * by self write by users read
olcSyncrepl: {0}rid=123 provider="ldap://master.example.net:389/" type=refreshAndPersist retry="60 30 300 +" searchbase="dc=example,dc=net" bindmethod=sasl saslmech=gssapi starttls=critical tls_reqcert=demand tls_cacert=/etc/ssl/certs/cacert.pem
olcUpdateRef: "ldap://master.example.net:389/"
entryCSN: 20121204041212.283590Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20121204041212Z
> Date: Fri, 9 Nov 2012 01:55:32 +0000
> From: openldap-its@OpenLDAP.org
> To: blance3459@hotmail.com
> Subject: Re: (ITS#7434) idassert-bind fails after restarting slapd
>
>
> *** THIS IS AN AUTOMATICALLY GENERATED REPLY ***
>
> Thanks for your report to the OpenLDAP Issue Tracking System. Your
> report has been assigned the tracking number ITS#7434.
>
> One of our support engineers will look at your report in due course.
> Note that this may take some time because our support engineers
> are volunteers. They only work on OpenLDAP when they have spare
> time.
>
> If you need to provide additional information in regards to your
> issue report, you may do so by replying to this message. Note that
> any mail sent to openldap-its@openldap.org with (ITS#7434)
> in the subject will automatically be attached to the issue report.
>
> mailto:openldap-its@openldap.org?subject=(ITS#7434)
>
> You may follow the progress of this report by loading the following
> URL in a web browser:
> http://www.OpenLDAP.org/its/index.cgi?findid=7434
>
> Please remember to retain your issue tracking number (ITS#7434)
> on any further messages you send to us regarding this report. If
> you don't then you'll just waste our time and yours because we
> won't be able to properly track the report.
>
> Please note that the Issue Tracking System is not intended to
> be used to seek help in the proper use of OpenLDAP Software.
> Such requests will be closed.
>
> OpenLDAP Software is user supported.
> http://www.OpenLDAP.org/support/
>
> --------------
> Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
>
--On Tuesday, December 04, 2012 4:37 PM +0000 blance3459@hotmail.com wrote:

> Quanah,
>
> I finally got back around to working on this over the last couple of
> days. Where I'm at with my project is: I have two servers (virtual
> machines), named master and replica, with slapd configured with my
> directory information and single-master replication between them.
> I created a Kerberos realm and various principals in open ldap.
> Replication access is authenticated using sasl/gssapi with the slapd
> principal, ldap/replica.example.net.
> k5start has been added to system startup to build the credential cache
> for slapd.

Hi Barry,

Two things:

Please use an email client that can create emails that are readable, instead of whatever it is you're doing now. ;)

Second, you never answered about trying a current release of OpenLDAP. I pointed out two bits that may have resulted in your situation being fixed.

Thanks,
Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah,

Trying to post a reply using my hotmail account. Sorry for the unreadable output previously posted. I'm almost embarrassed to say I've been involved in IT for over 15 years and never used a mailing list before.

Anyhow, I did download the source packages and compiled them. However, the semester was winding down and I was under a lot of pressure to have something completed before the end of finals week so my professor could assign me a grade for the work I had done. I reverted back to my previous version to get some stuff written. Not to mention, my algorithms professor was kicking my butt too. Will I ever "really" need an FFT in the real world? lol

The more I looked at what I was trying to accomplish, I realized I was attacking the problem all wrong. What I was being asked to do was something more like configuring my two slapd servers to act more like Active Directory global catalog servers. GC's utilize MM instead of single master replication so I scrapped the SM replication design in favor of MM. Once this was done, I no longer needed the chaining overlay or proxy auth. I now have MM replication of both cn=config and my directory data (with delta) working and my Kerberos KDC's are happy.

One thing I did find was that configuring MM replication made me learn a little more about how to "properly" name/configure an overlay with the syncprov and accesslog modules by digging into the test scripts. I had some issues with sync state on the consumers, but I found a post you made to someone else a few years back that solved my delta replication issue by configuring a syncprov overlay on the accesslog db. Not sure I remember seeing that in the Admin Guide.

Looking back at the original post I noticed the chain overlay I had configured was dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config. Knowing what I know now, I'm not 100% sure that was correct. Shouldn't that overlay have been in either config database of my directory or ldap backend database for the chain rather than a "frontend"? Just a thought I've been kicking around in my head. Either way, I have my ldap config working. We can either close this issue if you'd like or leave it open and I'll attempt to confirm my theory on the overlay not being properly located when I get a chance. Completely your choice.

But I do have a couple questions on my MM replication of cn=config if you want to take them.

First, does it make sense or is it possible to do delta replication on cn=config? The data "on the wire" seems like it would be much smaller and less frequent than directory data so perhaps it's not as beneficial?

Secondly, I am using a simple bind with this replication agreement (versus sasl/gssapi and tls for my directory data). When configuring limits and acl's for replication of my dit, I created a groupofnames (cn=replicators, ou=groups, dc=example,dc=net) that has each ldap server as a member. My thought process was that this made the solution a bit more scalable. As ldap servers were added to the topology, they could be added to the group of names and automatically be given the correct permissions and limits. Likewise, as servers are decommissioned, they could easily be removed by deleting them from the group and directory. Can I use this same group of names in cn=config replication by creating a similar limit and acl using this group of names? Since I am handling the formatting of the gssapi uid in cn=config (maybe a mistake if I ever wanted to be able to handle multiple directories/domains), can I use the gssapi authentication of hosts in dc=example,dc=net? Seems I should be able to since it appears that when the authorization occurs in the database, the bind id is assumed to be already authenticated and accepted as presented with no further authentication taking place. I'm thinking that so long as that uid is formatted into a dn listed in an acl, the matching access is applied? Am I way off base in my thinking?

Now that I have a rough workable solution I'm just trying to pretty it up a bit and make the design more efficient and scalable.

Thanks
Barry
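The question at the end of that post (does a GSSAPI identity, once rewritten by authz-regexp into a DN, satisfy a group-based ACL?) can be traced through step by step. The following is an added example, not code from this thread or from OpenLDAP: it emulates slapd's authz-regexp rewrite using the replica's two olcAuthzRegexp rules and then the group.exact clause for cn=replicators. The group membership, the DEFAULT_REALM value and the simplified normalize_dn are assumptions made for this illustration.

```python
import re

# The two olcAuthzRegexp values from the replica's cn=config in this thread,
# in the order slapd evaluates them. slapd compiles each pattern with
# REG_EXTENDED|REG_ICASE, applies the first one that matches the SASL
# identity and substitutes $1, $2, ... from that match.
AUTHZ_REGEXP_RULES = [
    (r"uid=ldap/([^/\.]+).example.net,cn=example.net,cn=gssapi,cn=auth",
     "cn=$1,ou=hosts,dc=example,dc=net"),
    (r"uid=([^,]+),cn=example.net,cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=example,dc=net"),
]

# Assumed shape of the cn=replicators groupOfNames the thread describes:
# one member per slapd host under ou=hosts (constructed for this example).
REPLICATORS_GROUP = {
    "dn": "cn=replicators,ou=groups,dc=example,dc=net",
    "member": [
        "cn=replica,ou=hosts,dc=example,dc=net",
        "cn=master,ou=hosts,dc=example,dc=net",
    ],
}

DEFAULT_REALM = "EXAMPLE.NET"   # assumed: the replica's olcSaslRealm


def normalize_dn(dn):
    """Simplified DN normalization: strip blanks around RDN separators and
    lower-case, so 'cn=replicators, ou=groups, dc=example,dc=net' compares
    equal to the stored form. Real slapd normalizes per attribute syntax and
    handles escaped commas; this is enough for the DNs in this thread."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def sasl_identity(principal, mech="GSSAPI"):
    """The authorization identity slapd derives from a SASL bind:
    uid=<principal without realm>,cn=<realm>,cn=<mech>,cn=auth."""
    user, _, realm = principal.partition("@")
    return f"uid={user},cn={realm or DEFAULT_REALM},cn={mech},cn=auth"


def map_authz_regexp(identity, rules=AUTHZ_REGEXP_RULES):
    """Return the DN the first matching rule rewrites the identity to, or
    None when no rule matches (slapd then keeps the raw SASL identity).
    Unanchored patterns are searched, not full-matched, as regexec does."""
    for pattern, template in rules:
        m = re.search(pattern, identity, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)",
                          lambda ref: m.group(int(ref.group(1))), template)
    return None


def group_exact_matches(bind_dn, group=REPLICATORS_GROUP):
    """Emulate a 'by group.exact="<group dn>"' ACL clause: the bound DN
    qualifies only if it is listed as a member of that groupOfNames."""
    target = normalize_dn(bind_dn)
    return any(normalize_dn(m) == target for m in group["member"])


def replication_access(principal):
    """Walk the whole chain: Kerberos principal -> SASL identity ->
    authz-regexp DN -> group.exact check. Returns (dn, is_replicator)."""
    identity = sasl_identity(principal)
    dn = map_authz_regexp(identity)
    if dn is None:
        return identity, False
    return dn, group_exact_matches(dn)


if __name__ == "__main__":
    for p in ("ldap/replica.example.net@EXAMPLE.NET",
              "host/replica.example.net@EXAMPLE.NET",  # not an ldap/ principal
              "ldap/a.b.example.net@EXAMPLE.NET",      # [^/\.]+ rejects a subdomain
              "administrator@EXAMPLE.NET"):
        print(p, "->", replication_access(p))
```

A principal that the first rule does not catch (a host/ principal, a host in a subdomain) silently falls through to the ou=people rule and never matches the group, which is the kind of mapping gap worth checking before relying on the group ACL for replication access.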
Okay, trying again with Thunderbird since Hotmail is determined only to send in HTML format...

Quanah,

Trying to post a reply using my Hotmail account. Sorry for the unreadable output previously posted. I'm almost embarrassed to say I've been involved in IT for over 15 years and never used a mailing list before.

Anyhow, I did download the source packages and compiled them. However, the semester was winding down and I was under a lot of pressure to have something completed before the end of finals week so my professor could assign me a grade for the work I had done. I reverted back to my previous version to get some stuff written. Not to mention, my algorithms professor was kicking my butt too. Will I ever "really" need an FFT in the real world? lol

The more I looked at what I was trying to accomplish, I realized I was attacking the problem all wrong. What I was being asked to do was something more like configuring my two slapd servers to act more like Active Directory global catalog servers. GCs utilize MM instead of single master replication, so I scrapped the SM replication design in favor of MM. Once this was done, I no longer needed the chaining overlay or proxy auth. I now have MM replication of both cn=config and my directory data (with delta) working and my Kerberos KDCs are happy.

One thing I did find was that configuring MM replication made me learn a little more about how to "properly" name/configure an overlay with the syncprov and accesslog modules by digging into the test scripts. I had some issues with sync state on the consumers, but I found a post you made to someone else a few years back that solved my delta replication issue by configuring a syncprov overlay on the accesslog db. Not sure I remember seeing that in the Admin Guide.

Looking back at the original post I noticed the chain overlay I had configured was dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend, cn=config. Knowing what I know now, I'm not 100% sure that was correct. Shouldn't that overlay have been in either the config database of my directory or the ldap backend database for the chain rather than the "frontend"? Just a thought I've been kicking around in my head. Either way, I have my ldap config working. We can either close this issue if you'd like or leave it open and I'll attempt to confirm my theory on the overlay not being properly located when I get a chance. Completely your choice.

But I do have a couple of questions on my MM replication of cn=config if you want to take them.

First, does it make sense or is it possible to do delta replication on cn=config? The data "on the wire" seems like it would be much smaller and less frequent than directory data, so perhaps it's not as beneficial?

Secondly, I am using a simple bind with this replication agreement (versus sasl/gssapi and tls for my directory data). When configuring limits and acl's for replication of my dit, I created a groupofnames (cn=replicators,ou=groups,dc=example,dc=net) that has each ldap server as a member. My thought process was that this made the solution a bit more scalable. As ldap servers were added to the topology, they could be added to the group of names and automatically be given the correct permissions and limits. Likewise, as servers are decommissioned, they could easily be removed by deleting them from the group and directory. Can I use this same group of names in cn=config replication by creating a similar limit and acl using this group of names? Since I am handling the formatting of the gssapi uid in cn=config (maybe a mistake if I ever wanted to be able to handle multiple directories/domains), can I use the gssapi authentication of hosts in dc=example,dc=net? Seems I should be able to, since it appears that when the authorization occurs in the database, the bind id is assumed to be already authenticated and accepted as presented with no further authentication taking place.

I'm thinking that so long as that uid is formatted into a dn listed in an acl, the matching access is applied? Am I way off base in my thinking? Now that I have a rough workable solution I'm just trying to pretty it up a bit and make the design more efficient and scalable.

Thanks,
Barry
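One way to wire the replicator group into cn=config the way the message above asks about, as an added example that is not from this thread or from the OpenLDAP project. It assumes the group DN Barry names (cn=replicators,ou=groups,dc=example,dc=net), a hypothetical ou=hosts,dc=example,dc=net container that holds one entry per consumer (cn=ldap2 is a constructed sample), and a Kerberos realm of EXAMPLE.NET. The olcAuthzRegexp maps the GSSAPI identity of a host principal onto that entry, and the ACL and limits on the config database then key on group membership rather than on individual DNs, which is what makes adding or retiring a consumer a group edit. Comments in the LDIF mark what is assumed.

```ldif
# Added example, not the thread's own configuration.
# 1. Map a consumer's GSSAPI identity (host/ldap2.example.net@EXAMPLE.NET)
#    to a DN under the directory, so group membership can be checked there.
#    slapd presents a GSSAPI bind as uid=<authcid>,cn=<realm>,cn=gssapi,cn=auth;
#    the realm component's case is matched case-insensitively (assumption:
#    adjust if your realm shows up differently in the slapd log).
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "uid=host/([^.,]+)\.example\.net,cn=example\.net,cn=gssapi,cn=auth"
  "cn=$1,ou=hosts,dc=example,dc=net"

# 2. The group whose members are the mapped consumer DNs (constructed sample).
dn: cn=replicators,ou=groups,dc=example,dc=net
changetype: add
objectClass: groupOfNames
cn: replicators
member: cn=ldap2,ou=hosts,dc=example,dc=net

# 3. Give that group, and only that group, read access to the config
#    database plus unlimited search limits, so syncrepl can pull the whole
#    tree. The rootdn bypasses ACLs and is unaffected; everyone else is denied.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to *
  by group.exact="cn=replicators,ou=groups,dc=example,dc=net" read
  by * none
-
add: olcLimits
olcLimits: {0}group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=net"
  time.soft=unlimited time.hard=unlimited
  size.soft=unlimited size.hard=unlimited
```

Two things worth checking before relying on this. The group entry lives in the dc=example,dc=net database, so it must exist there before the config ACL can resolve membership; a missing or misspelled group silently evaluates to no access. And read access to cn=config exposes every olcRootPW hash and every syncrepl credential in the tree, so membership in cn=replicators is as sensitive as the rootdn password: keep the group writable only by the admin identity, and if a consumer still uses a simple bind for the config agreement, protect that bind with TLS so the credential granting this access is not sent in the clear.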
blance3459@hotmail.com wrote:
> Full_Name: Barry Lance
> Version: 2.4.28
> OS: Ubuntu 12.04
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (70.226.37.226)

It appears the submitter found an alternate solution, but just for future reference this issue was the same as ITS#7381, now fixed in git master.

>
> Two servers: Master (192.168.1.1) and Replica (192.168.1.2) both running slapd 2.4.28 and ubuntu 12.04. Replica is a replication partner of Master using syncrepl. Replication is working fine. When I attempt to add a chain overlay to Replica to send all writes over to the master, it works exactly as expected allowing both normal users and the rootdn to make appropriate changes. However, once I either reboot the replica server or restart slapd, the chain overlay fails to allow any changes on the master. Looking at syslog shows that before the reboot/restart the requesting users' dn is proxied over as expected. After restarting slapd or rebooting Replica, all changes are proxied anonymously (dn="").
>
> I am using simple binds at this point in the project, but it doesn't seem to matter if I proxy in the clear, ldaps, or TLS the result is the same. All three methods can successfully negotiate a connection. I've even tried switching between using the rootdn and a different user as the binddn in my overlay, but the result is still the same no matter what I use for the binddn. When I look at my config, I notice that "chain-idassert-bind" appears to be hashed or encrypted in the config. Is that normal? Just seems really odd that my config would work immediately when added, but fail after the daemon has been restarted. Am I missing something really silly? Hopefully, someone can assist me on this. I've been driving myself crazy trying to figure out why this behavior is occurring.
>
> Disclaimer: I am using openldap as part of my capstone project for graduation. I'm not asking for anyone to do my "homework" for me, I'm just stuck on this one issue that I would love to resolve so I can move on to the Kerberos phase of my project (and maybe even study for an exam coming up in my algorithms class next week).
>
> Here is my overlay config using the rootDN and TLS (on Replica):
>
> dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend, cn=config
> changetype: add
> objectClass: olcLDAPConfig
> objectClass: olcChainDatabase
> olcDatabase: {0}ldap
> olcDbURI: "ldap://master.example.net/"
> olcDbRebindAsUser: TRUE
> olcDbIDAssertBind: bindmethod=simple
>   binddn="cn=admin,dc=example,dc=net"
>   credentials=(secret)
>   mode=self
>   starttls=critical
>   tls_cacert=/etc/ssl/certs/cacert.pem
>   tls_reqcert=demand
>
> And without TLS (also on Replica):
>
> dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend, cn=config
> changetype: add
> objectClass: olcLDAPConfig
> objectClass: olcChainDatabase
> olcDatabase: {0}ldap
> olcDbURI: "ldap://master.example.net/"
> olcDbRebindAsUser: TRUE
> olcDbIDAssertBind: bindmethod=simple
>   binddn="cn=admin,dc=example,dc=net"
>   credentials=(secret)
>   mode=self
>

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
changed notes
changed state Open to Closed
dup #7381