Re: untoward change to ACL behavior (ITS#1921)
Thanks for the detailed information. Yes, there is a bug in
the ACL handling of 'to dn=""' and variants. I've committed
a fix to HEAD branch which should resolve the problem. Please
test.
Kurt
At 04:51 AM 2002-07-10, andrew.findlay@skills-1st.co.uk wrote:
>On Wed, Jul 10, 2002 at 03:52:28AM +0000, Kurt@OpenLDAP.org wrote:
>>
>> From the limited information in your report, I cannot possibly
>> conclude your report is indicative of a software bug. It is
>> more likely a simple configuration issue. If you believe
>> there is a software (or documentation) bug, you should provide
>> enough information (configuration details, logs, etc.) to
>> convince developers that such does exist.
>
>I think there is a valid problem here. I have tested 2.1.2 with the
>ACL given in the example config file:
>
># Sample access control policy:
># Allow read access of root DSE
># Allow self write access
># Allow authenticated users read access
># Allow anonymous users to authenticate
># Directives needed to implement policy:
>access to dn="" by * read
>access to *
> by self write
> by users read
> by anonymous auth
>#
>
>With slapd 2.1.2 this seems to allow anonymous users to read all entries,
>which it should not.
>
>Reading slapd.access(5) I think the first directive should be:
>
> access to dn.base="" by * read
>
>but even with that in place, anon users can read all entries.
>
>I append a copy of my slapd.conf and a log extract showing what
>happens. The search command used was:
>
> ldapsearch -C -x -H ldap://localhost:389/ -b dc=example,dc=org 'cn=*pathan*'
>
>Clearly the example ACL is not implementing the policy that is
>described for it.
>
>Andrew
>--
>-----------------------------------------------------------------------
>| From Andrew Findlay, Skills 1st Ltd |
>| Consultant in large-scale systems, networks, and directory services |
>| Andrew.Findlay@skills-1st.co.uk +44 1628 782565 |
>-----------------------------------------------------------------------
># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23 2002/02/02 05:23:12 kurt Exp $
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>include /usr/local/etc/openldap/schema/core.schema
>include /usr/local/etc/openldap/schema/cosine.schema
>include /usr/local/etc/openldap/schema/inetorgperson.schema
>include /usr/local/etc/openldap/schema/openldap.schema
>include /usr/local/etc/openldap/schema/nis.schema
>
># loglevel 96
>loglevel 992
>
># Define global ACLs to disable default read access.
>
># Do not enable referrals until AFTER you have a working directory
># service AND an understanding of referrals.
>#referral ldap://root.openldap.org
>
>pidfile /usr/local/var/slapd.pid
>argsfile /usr/local/var/slapd.args
>
># Load dynamic backend modules:
># modulepath /usr/local/libexec/openldap
># moduleload back_ldap.la
># moduleload back_ldbm.la
># moduleload back_passwd.la
># moduleload back_shell.la
>
>########################################################################
># SASL mapping
>########################################################################
>
>saslRegexp
> uid=(.*),cn=brick.skills-1st.co.uk,cn=.*,cn=auth
> ldap://localhost/dc=example,dc=org??sub?uid=$1
>
>########################################################################
># Access Control
>########################################################################
>#
># Sample access control policy:
># Allow read access of root DSE
># Allow self write access
># Allow authenticated users read access
># Allow anonymous users to authenticate
># Directives needed to implement policy:
>access to dn.base="" by * read
>access to *
> by self write
> by users read
> by anonymous auth
>#
># if no access controls are present, the default policy is:
># Allow read by all
>#
># rootdn can always write!
>
>#######################################################################
># ldbm database definitions
>#######################################################################
>
>database bdb
>suffix "dc=example,dc=org"
>rootdn "cn=DSAmgr,dc=example,dc=org"
>
># Cleartext passwords, especially for the rootdn, should
># be avoid. See slappasswd(8) and slapd.conf(5) for details.
># Use of strong authentication encouraged.
>rootpw secret
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd/tools. Mode 700 recommended.
>directory /usr/local/var/openldap-data
># Indices to maintain
>index default pres,eq,sub
>index objectClass eq
>index cn
>index sn
>index uid
>
>-----------------------------------------------------------------------
>
>Log extract showing SLAPD startup, anon bind, and search for cn=*pathan*
>
>Startup:
>
>Jul 10 12:32:21 brick slapd[10490]: daemon: socket() failed errno=97 (Address family not supported by protocol)
>Jul 10 12:32:21 brick slapd[10490]: bdb_open: Sleepycat Software: Berkeley DB 4.0.14: (November 18, 2001)
>Jul 10 12:32:21 brick slapd[10490]: line 21 (pidfile ^I/usr/local/var/slapd.pid)
>Jul 10 12:32:21 brick slapd[10490]: line 22 (argsfile /usr/local/var/slapd.args)
>Jul 10 12:32:21 brick slapd[10490]: line 37 (saslRegexp uid=(.*),cn=brick.skills-1st.co.uk,cn=.*,cn=auth ldap://localhost/dc=example,dc=org??sub?uid=$1)
>Jul 10 12:32:21 brick slapd[10490]: str2filter "uid=$1"
>Jul 10 12:32:21 brick slapd[10490]: begin get_filter
>Jul 10 12:32:21 brick slapd[10490]: EQUALITY
>Jul 10 12:32:21 brick slapd[10490]: end get_filter 0
>Jul 10 12:32:21 brick slapd[10490]: line 49 (access to dn.base="" by * read)
>Jul 10 12:32:21 brick slapd[10490]: line 53 (access to * by self write by users read by anonymous auth)
>Jul 10 12:32:21 brick slapd[10490]: line 64 (database bdb)
>Jul 10 12:32:21 brick slapd[10490]: bdb_db_init: Initializing BDB database
>Jul 10 12:32:21 brick slapd[10490]: line 65 (suffix ^I"dc=example,dc=org")
>Jul 10 12:32:21 brick slapd[10490]: line 66 (rootdn ^I"cn=DSAmgr,dc=example,dc=org")
>Jul 10 12:32:21 brick slapd[10490]: line 71 (rootpw ***)
>Jul 10 12:32:21 brick slapd[10490]: line 74 (directory /usr/local/var/openldap-data)
>Jul 10 12:32:21 brick slapd[10490]: line 76 (index default^I^Ipres,eq,sub)
>Jul 10 12:32:21 brick slapd[10490]: line 77 (index objectClass^Ieq)
>Jul 10 12:32:21 brick slapd[10490]: index objectClass 0x0004
>Jul 10 12:32:21 brick slapd[10490]: line 78 (index cn)
>Jul 10 12:32:21 brick slapd[10490]: index cn 0x0716
>Jul 10 12:32:21 brick slapd[10490]: line 79 (index sn)
>Jul 10 12:32:21 brick slapd[10490]: index sn 0x0716
>Jul 10 12:32:21 brick slapd[10490]: line 80 (index uid)
>Jul 10 12:32:21 brick slapd[10490]: index uid 0x0716
>Jul 10 12:32:23 brick slapd[10492]: slapd starting
>
>Anon bind:
>
>Jul 10 12:32:30 brick slapd[10495]: daemon: conn=0 fd=12 connection from IP=127.0.0.1:42800 (IP=0.0.0.0:389) accepted.
>Jul 10 12:32:30 brick slapd[10498]: conn=0 op=0 BIND dn="" method=128
>Jul 10 12:32:30 brick slapd[10498]: conn=0 op=0 RESULT tag=97 err=0 text=
>
>Search:
>
>Jul 10 12:32:33 brick slapd[10498]: begin get_filter
>Jul 10 12:32:33 brick slapd[10498]: SUBSTRINGS
>Jul 10 12:32:33 brick slapd[10498]: begin get_substring_filter
>Jul 10 12:32:33 brick slapd[10498]: ANY
>Jul 10 12:32:33 brick slapd[10498]: end get_substring_filter
>Jul 10 12:32:33 brick slapd[10498]: end get_filter 0
>Jul 10 12:32:33 brick slapd[10498]: conn=0 op=1 SRCH base="dc=example,dc=org" scope=2 filter="(cn=*pathan*)"
>Jul 10 12:32:33 brick slapd[10498]: => bdb_filter_candidates
>Jul 10 12:32:33 brick slapd[10498]: ^IAND
>Jul 10 12:32:33 brick slapd[10498]: => bdb_list_candidates 0xa0
>Jul 10 12:32:33 brick slapd[10498]: => bdb_filter_candidates
>Jul 10 12:32:33 brick slapd[10498]: ^IDN SUBTREE
>Jul 10 12:32:33 brick slapd[10498]: <= bdb_filter_candidates: id=-1 first=1 last=1003
>Jul 10 12:32:33 brick slapd[10498]: => bdb_filter_candidates
>Jul 10 12:32:33 brick slapd[10498]: ^ISUBSTRINGS
>Jul 10 12:32:33 brick slapd[10498]: <= bdb_filter_candidates: id=1 first=1001 last=1001
>Jul 10 12:32:33 brick slapd[10498]: <= bdb_list_candidates: undefined rc=0
>Jul 10 12:32:33 brick slapd[10498]: <= bdb_filter_candidates: id=1 first=1001 last=1001
>Jul 10 12:32:33 brick slapd[10498]: => test_filter
>Jul 10 12:32:33 brick slapd[10498]: SUBSTRINGS
>Jul 10 12:32:33 brick slapd[10498]: begin test_substrings_filter
>Jul 10 12:32:33 brick slapd[10498]: => access_allowed: search access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "cn" requested
>Jul 10 12:32:33 brick slapd[10498]: => acl_get: [1] check attr cn
>Jul 10 12:32:33 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: cn
>Jul 10 12:32:33 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "cn" requested
>Jul 10 12:32:33 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:33 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:33 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:33 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:33 brick slapd[10498]: => access_allowed: search access granted by read(=rscx)
>Jul 10 12:32:33 brick slapd[10498]: <= test_filter 6
>Jul 10 12:32:33 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "entry" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr entry
>Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: entry
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "entry" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "objectClass" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr objectClass
>Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: objectClass
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "objectClass" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "displayName" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr displayName
>Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: displayName
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "displayName" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "cn" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr cn
>Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: cn
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "cn" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "sn" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr sn
>Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: sn
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "sn" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "uid" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr uid
>Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: uid
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "uid" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "mail" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr mail
>Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: mail
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "mail" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "telephoneNumber" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr telephoneNumber
>Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: telephoneNumber
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "telephoneNumber" requested
>Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:34 brick slapd[10498]: conn=0 op=1 ENTRY dn="cn=Andrew Pathan+uid=u000997,dc=example,dc=org"
>Jul 10 12:32:34 brick slapd[10498]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>Jul 10 12:32:40 brick slapd[10498]: conn=0 op=2 UNBIND
>Jul 10 12:32:40 brick slapd[10498]: conn=0 fd=12 closed
>Jul 10 12:32:52 brick slapd[10495]: daemon: conn=1 fd=12 connection from IP=127.0.0.1:42801 (IP=0.0.0.0:389) accepted.
>Jul 10 12:32:52 brick slapd[10498]: conn=1 op=0 BIND dn="" method=128
>Jul 10 12:32:52 brick slapd[10498]: conn=1 op=0 RESULT tag=97 err=0 text=
>Jul 10 12:32:52 brick slapd[10498]: begin get_filter
>Jul 10 12:32:52 brick slapd[10498]: PRESENT
>Jul 10 12:32:52 brick slapd[10498]: end get_filter 0
>Jul 10 12:32:52 brick slapd[10498]: conn=1 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
>Jul 10 12:32:52 brick slapd[10498]: => test_filter
>Jul 10 12:32:52 brick slapd[10498]: PRESENT
>Jul 10 12:32:52 brick slapd[10498]: => access_allowed: search access to "" "objectClass" requested
>Jul 10 12:32:52 brick slapd[10498]: => acl_get: [1] check attr objectClass
>Jul 10 12:32:52 brick slapd[10498]: <= acl_get: [1] acl attr: objectClass
>Jul 10 12:32:52 brick slapd[10498]: => acl_mask: access to entry "", attr "objectClass" requested
>Jul 10 12:32:52 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:52 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:52 brick slapd[10498]: => access_allowed: search access granted by read(=rscx)
>Jul 10 12:32:52 brick slapd[10498]: <= test_filter 6
>Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access to "" "entry" requested
>Jul 10 12:32:52 brick slapd[10498]: => acl_get: [1] check attr entry
>Jul 10 12:32:52 brick slapd[10498]: <= acl_get: [1] acl attr: entry
>Jul 10 12:32:52 brick slapd[10498]: => acl_mask: access to entry "", attr "entry" requested
>Jul 10 12:32:52 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:52 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access to "" "namingContexts" requested
>Jul 10 12:32:52 brick slapd[10498]: => acl_get: [1] check attr namingContexts
>Jul 10 12:32:52 brick slapd[10498]: <= acl_get: [1] acl attr: namingContexts
>Jul 10 12:32:52 brick slapd[10498]: => acl_mask: access to entry "", attr "namingContexts" requested
>Jul 10 12:32:52 brick slapd[10498]: => acl_mask: to all values by "", (=n)
>Jul 10 12:32:52 brick slapd[10498]: <= check a_dn_pat: *
>Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
>Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
>Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
>Jul 10 12:32:52 brick slapd[10498]: conn=1 op=1 ENTRY dn=""
>Jul 10 12:32:52 brick slapd[10498]: conn=1 op=1 RESULT tag=101 err=0 text=
>Jul 10 12:32:52 brick slapd[10501]: conn=1 op=2 UNBIND
>Jul 10 12:32:52 brick slapd[10501]: conn=1 fd=12 closed
>-----------------------------------------------------------------------
>
>Result of ldapsearch command:
>
>#
># LDAPv3
># filter: cn=*pathan*
># requesting: ALL
>#
>
># Andrew Pathan + u000997, example.org
>dn: cn=Andrew Pathan+uid=u000997,dc=example,dc=org
>objectClass: inetOrgPerson
>objectClass: person
>displayName: Andrew Pathan
>cn: Andrew Pathan
>sn: Pathan
>uid: u000997
>mail: u000997@example.org
>telephoneNumber: +44 1234 567997
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>-----------------------------------------------------------------------
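
A detection sketch for the symptom visible in the log extract above, added here as an example and not part of the original messages: it walks slapd ACL trace lines and reports every grant above `auth` made to the anonymous identity (`by ""`) on an entry other than the root DSE. The function name, the sample lines and the bound-user DN are constructed for illustration.

```python
import re

# slapd access levels, weakest first; unknown names are treated as strongest.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Patterns follow the trace-line shapes in the quoted extract; slapd[N] keys the state.
REQ = re.compile(r'slapd\[(\d+)\]: => access_allowed: \w+ access to "(.*)" "([^"]+)" requested')
WHO = re.compile(r'slapd\[(\d+)\]: => acl_mask: to all values by "(.*)", \(')
RULE = re.compile(r'slapd\[(\d+)\]: <= acl_mask: \[(\d+)\] applying \w+\(')
GRANT = re.compile(r'slapd\[(\d+)\]: => access_allowed: \w+ access granted by (\w+)\(')

# Constructed sample: anonymous read of a person entry, anonymous read of the
# root DSE, and a bound user (hypothetical DN) reading the same person entry.
SAMPLE_LOG = '''\
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "cn" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access to "" "namingContexts" requested
Jul 10 12:32:52 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:33:10 brick slapd[10501]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "mail" requested
Jul 10 12:33:10 brick slapd[10501]: => acl_mask: to all values by "cn=Some User+uid=u000001,dc=example,dc=org", (=n)
Jul 10 12:33:10 brick slapd[10501]: <= acl_mask: [2] applying read(=rscx) (stop)
Jul 10 12:33:10 brick slapd[10501]: => access_allowed: read access granted by read(=rscx)
'''


def find_anonymous_overgrants(log_text, max_level="auth"):
    """Return (entry_dn, attr, level, acl_index) for each anonymous grant
    above max_level on an entry other than the root DSE (dn "")."""
    limit = LEVELS.index(max_level)
    pending = {}   # slapd[N] -> the access request currently being evaluated
    findings = []
    for line in log_text.splitlines():
        if m := REQ.search(line):
            pending[m.group(1)] = {"dn": m.group(2), "attr": m.group(3),
                                   "who": None, "rule": None}
        elif m := WHO.search(line):
            pending.get(m.group(1), {})["who"] = m.group(2)
        elif m := RULE.search(line):
            pending.get(m.group(1), {})["rule"] = int(m.group(2))
        elif m := GRANT.search(line):
            req = pending.pop(m.group(1), None)
            level = m.group(2)
            rank = LEVELS.index(level) if level in LEVELS else len(LEVELS)
            if req and req["who"] == "" and req["dn"] != "" and rank > limit:
                findings.append((req["dn"], req["attr"], level, req["rule"]))
    return findings


if __name__ == "__main__":
    for dn, attr, level, rule in find_anonymous_overgrants(SAMPLE_LOG):
        print(f'anonymous got {level} on "{dn}" attr {attr} via ACL [{rule}]')
```

The ACL index in each finding shows which `access to` directive matched, which is what identifies the root-DSE rule as the one being applied to ordinary entries.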