
Using ppolicy and autogroup to apply policy to a group of users



Hello,

we often have this question on the list: how to apply a policy to a branch
or a group of users?

I was thinking we could use autogroup with this kind of configuration:

dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcAutomaticGroups
objectClass: olcOverlayConfig
olcOverlay: {9}autogroup
olcAGattrSet: pwdPolicy memberUrl seeAlso
olcAGmemberOfAd: pwdPolicySubentry

The goal is to have a memberUrl inside a pwdPolicy object, that can
target accounts that need to have this policy. For example:

dn: cn=default,ou=ppolicies,dc=example,dc=com
changetype: modify
replace: memberURL
memberURL: ldap:///ou=users,dc=example,dc=com??one?(uid=user*)

The autogroup "olcAGattrSet" is working well, I can see the seeAlso
values. But the "olcAGmemberOfAd" does not seem to be applied.

I don't know if this is a conflict with the ppolicy overlay, or other
overlays (dynlist, memberof). I have attached a full debug log, maybe you can
find what is going wrong. We see that the
"autogroup_member_search_modify_cb" function is called, but the user entry
is not modified.

Do you think this configuration could work?

-- 
Clément Oudot | Identity Solutions Manager

clement.oudot@worteks.com

Worteks | https://www.worteks.com

5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb slap_listener_activate(7): 
5bbb13cb daemon: epoll: listen=7 busy
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb >>> slap_listener(ldap://127.0.0.1:389)
5bbb13cb daemon: listen=7, new connection on 14
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb daemon: added 14r (active) listener=(nil)
5bbb13cb conn=1001 fd=14 ACCEPT from IP=127.0.0.1:36418 (IP=127.0.0.1:389)
5bbb13cb daemon: activity on 2 descriptors
5bbb13cb daemon: activity on: 14r
5bbb13cb daemon: read active on 14
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb connection_get(14)
5bbb13cb connection_get(14): got connid=1001
5bbb13cb connection_read(14): checking for input on id=1001
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
ber_get_next
ldap_read: want=8, got=8
  0000:  30 2c 02 01 01 60 27 02                            0,...`'.          
ldap_read: want=38, got=38
  0000:  01 03 04 1a 63 6e 3d 61  64 6d 69 6e 2c 64 63 3d   ....cn=admin,dc=  
  0010:  65 78 61 6d 70 6c 65 2c  64 63 3d 63 6f 6d 80 06   example,dc=com..  
  0020:  73 65 63 72 65 74                                  secret            
ber_get_next: tag 0x30 len 44 contents:
ber_dump: buf=0x7f293010a580 ptr=0x7f293010a580 end=0x7f293010a5ac len=44
  0000:  02 01 01 60 27 02 01 03  04 1a 63 6e 3d 61 64 6d   ...`'.....cn=adm  
  0010:  69 6e 2c 64 63 3d 65 78  61 6d 70 6c 65 2c 64 63   in,dc=example,dc  
  0020:  3d 63 6f 6d 80 06 73 65  63 72 65 74               =com..secret      
5bbb13cb op tag 0x60, time 1538986955
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5bbb13cb conn=1001 op=0 do_bind
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f293010a580 ptr=0x7f293010a583 end=0x7f293010a5ac len=41
  0000:  60 27 02 01 03 04 1a 63  6e 3d 61 64 6d 69 6e 2c   `'.....cn=admin,  
  0010:  64 63 3d 65 78 61 6d 70  6c 65 2c 64 63 3d 63 6f   dc=example,dc=co  
  0020:  6d 80 06 73 65 63 72 65  74                        m..secret         
ber_scanf fmt (m}) ber:
ber_dump: buf=0x7f293010a580 ptr=0x7f293010a5a4 end=0x7f293010a5ac len=8
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
  0000:  00 06 73 65 63 72 65 74                            ..secret          
5bbb13cb >>> dnPrettyNormal: <cn=admin,dc=example,dc=com>
=> ldap_bv2dn(cn=admin,dc=example,dc=com,0)
<= ldap_bv2dn(cn=admin,dc=example,dc=com)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=example,dc=com)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=example,dc=com)=0 
5bbb13cb <<< dnPrettyNormal: <cn=admin,dc=example,dc=com>, <cn=admin,dc=example,dc=com>
5bbb13cb conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
5bbb13cb do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128
5bbb13cb ==> mdb_bind: dn: cn=admin,dc=example,dc=com
5bbb13cb conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
5bbb13cb do_bind: v3 bind: "cn=admin,dc=example,dc=com" to "cn=admin,dc=example,dc=com"
5bbb13cb send_ldap_result: conn=1001 op=0 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb => mdb_entry_get: ndn: "cn=admin,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=admin,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=admin,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798)
5bbb13cb => mdb_entry_get: cannot find entry: "cn=admin,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=32
5bbb13cb send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........    
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........    
5bbb13cb conn=1001 op=0 RESULT tag=97 err=0 text=
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on: 14r
5bbb13cb daemon: read active on 14
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb connection_get(14)
5bbb13cb connection_get(14): got connid=1001
5bbb13cb connection_read(14): checking for input on id=1001
ber_get_next
ldap_read: want=8, got=8
  0000:  30 7d 02 01 02 66 78 04                            0}...fx.          
ldap_read: want=119, got=119
  0000:  29 63 6e 3d 64 65 66 61  75 6c 74 2c 6f 75 3d 70   )cn=default,ou=p  
  0010:  70 6f 6c 69 63 69 65 73  2c 64 63 3d 65 78 61 6d   policies,dc=exam  
  0020:  70 6c 65 2c 64 63 3d 63  6f 6d 30 4b 30 49 0a 01   ple,dc=com0K0I..  
  0030:  02 30 44 04 09 6d 65 6d  62 65 72 55 52 4c 31 37   .0D..memberURL17  
  0040:  04 35 6c 64 61 70 3a 2f  2f 2f 6f 75 3d 75 73 65   .5ldap:///ou=use  
  0050:  72 73 2c 64 63 3d 65 78  61 6d 70 6c 65 2c 64 63   rs,dc=example,dc  
  0060:  3d 63 6f 6d 3f 3f 6f 6e  65 3f 28 75 69 64 3d 75   =com??one?(uid=u  
  0070:  73 65 72 31 32 33 29                               ser123)           
ber_get_next: tag 0x30 len 125 contents:
ber_dump: buf=0x7f292c103c90 ptr=0x7f292c103c90 end=0x7f292c103d0d len=125
  0000:  02 01 02 66 78 04 29 63  6e 3d 64 65 66 61 75 6c   ...fx.)cn=defaul  
  0010:  74 2c 6f 75 3d 70 70 6f  6c 69 63 69 65 73 2c 64   t,ou=ppolicies,d  
  0020:  63 3d 65 78 61 6d 70 6c  65 2c 64 63 3d 63 6f 6d   c=example,dc=com  
  0030:  30 4b 30 49 0a 01 02 30  44 04 09 6d 65 6d 62 65   0K0I...0D..membe  
  0040:  72 55 52 4c 31 37 04 35  6c 64 61 70 3a 2f 2f 2f   rURL17.5ldap:///  
  0050:  6f 75 3d 75 73 65 72 73  2c 64 63 3d 65 78 61 6d   ou=users,dc=exam  
  0060:  70 6c 65 2c 64 63 3d 63  6f 6d 3f 3f 6f 6e 65 3f   ple,dc=com??one?  
  0070:  28 75 69 64 3d 75 73 65  72 31 32 33 29            (uid=user123)     
5bbb13cb op tag 0x66, time 1538986955
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5bbb13cb conn=1001 op=1 do_modify
ber_scanf fmt ({m) ber:
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
ber_dump: buf=0x7f292c103c90 ptr=0x7f292c103c93 end=0x7f292c103d0d len=122
  0000:  66 78 04 29 63 6e 3d 64  65 66 61 75 6c 74 2c 6f   fx.)cn=default,o  
  0010:  75 3d 70 70 6f 6c 69 63  69 65 73 2c 64 63 3d 65   u=ppolicies,dc=e  
  0020:  78 61 6d 70 6c 65 2c 64  63 3d 63 6f 6d 30 4b 30   xample,dc=com0K0  
  0030:  49 0a 01 02 30 44 04 09  6d 65 6d 62 65 72 55 52   I...0D..memberUR  
  0040:  4c 31 37 04 35 6c 64 61  70 3a 2f 2f 2f 6f 75 3d   L17.5ldap:///ou=  
  0050:  75 73 65 72 73 2c 64 63  3d 65 78 61 6d 70 6c 65   users,dc=example  
  0060:  2c 64 63 3d 63 6f 6d 3f  3f 6f 6e 65 3f 28 75 69   ,dc=com??one?(ui  
  0070:  64 3d 75 73 65 72 31 32  33 29                     d=user123)        
5bbb13cb conn=1001 op=1 do_modify: dn (cn=default,ou=ppolicies,dc=example,dc=com)
ber_scanf fmt ({e{m[W]}}) ber:
ber_dump: buf=0x7f292c103c90 ptr=0x7f292c103cc2 end=0x7f292c103d0d len=75
  0000:  30 49 0a 01 02 30 44 04  09 6d 65 6d 62 65 72 55   0I...0D..memberU  
  0010:  52 4c 31 37 04 35 6c 64  61 70 3a 2f 2f 2f 6f 75   RL17.5ldap:///ou  
  0020:  3d 75 73 65 72 73 2c 64  63 3d 65 78 61 6d 70 6c   =users,dc=exampl  
  0030:  65 2c 64 63 3d 63 6f 6d  3f 3f 6f 6e 65 3f 28 75   e,dc=com??one?(u  
  0040:  69 64 3d 75 73 65 72 31  32 33 29                  id=user123)       
5bbb13cb >>> dnPrettyNormal: <cn=default,ou=ppolicies,dc=example,dc=com>
=> ldap_bv2dn(cn=default,ou=ppolicies,dc=example,dc=com,0)
<= ldap_bv2dn(cn=default,ou=ppolicies,dc=example,dc=com)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=default,ou=ppolicies,dc=example,dc=com)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=default,ou=ppolicies,dc=example,dc=com)=0 
5bbb13cb <<< dnPrettyNormal: <cn=default,ou=ppolicies,dc=example,dc=com>, <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb conn=1001 op=1 modifications:
5bbb13cb        replace: memberURL
5bbb13cb                one value, length 53
5bbb13cb conn=1001 op=1 MOD dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb conn=1001 op=1 MOD attr=memberURL
5bbb13cb ==> autogroup_modify_entry <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb dnMatch 0
        "cn=default,ou=ppolicies,dc=example,dc=com"
        "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_search
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb base_candidates: base: "cn=default,ou=ppolicies,dc=example,dc=com" (0x00000040)
5bbb13cb => test_filter
5bbb13cb     EQUALITY
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "objectClass" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb <= test_filter 5
5bbb13cb mdb_search: 64 does not match filter
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> unique_modify <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb constraint_update()
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb ppolicy_get: using default policy
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb slap_queue_csn: queueing 0x7f292c104650 20181008082235.383864Z#000000#001#000000
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb mdb_modify_internal: 0x00000040: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= acl_access_allowed: granted to database root
5bbb13cb mdb_modify_internal: replace memberURL
5bbb13cb mdb_modify_internal: replace entryCSN
5bbb13cb mdb_modify_internal: replace modifiersName
5bbb13cb mdb_modify_internal: replace modifyTimestamp
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "device"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "pwdPolicy"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "extensibleObject"
5bbb13cb mdb_idl_delete_keys: 40 
5bbb13cb mdb_idl_insert_keys: 40 
5bbb13cb => mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> autogroup_response MODIFY <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb dnMatch 0
        "cn=default,ou=ppolicies,dc=example,dc=com"
        "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb autogroup_response MODIFY changing memberURL for group <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb ==> autogroup_delete_member_from_group removing all members from <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_search
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb base_candidates: base: "cn=default,ou=ppolicies,dc=example,dc=com" (0x00000040)
5bbb13cb => test_filter
5bbb13cb     EQUALITY
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "objectClass" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb <= test_filter 5
5bbb13cb mdb_search: 64 does not match filter
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> unique_modify <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb => access_allowed: manage access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: manage access granted by manage(=mwrscxd)
5bbb13cb unique_modify: administrative bypass, skipping
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb ppolicy_get: using default policy
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb mdb_modify_internal: 0x00000040: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= acl_access_allowed: granted to database root
5bbb13cb mdb_modify_internal: delete seeAlso
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "device"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "pwdPolicy"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "extensibleObject"
5bbb13cb => mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> autogroup_delete_group <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb ==> autogroup_add_group <cn=default,ou=ppolicies,dc=example,dc=com>
ldap_url_parse_ext(ldap:///ou=users,dc=example,dc=com??one?(uid=user123))
5bbb13cb >>> dnPrettyNormal: <ou=users,dc=example,dc=com>
=> ldap_bv2dn(ou=users,dc=example,dc=com,0)
<= ldap_bv2dn(ou=users,dc=example,dc=com)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=users,dc=example,dc=com)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=users,dc=example,dc=com)=0 
5bbb13cb <<< dnPrettyNormal: <ou=users,dc=example,dc=com>, <ou=users,dc=example,dc=com>
5bbb13cb str2filter "(uid=user123)"
put_filter: "(uid=user123)"
put_filter: simple
put_simple_filter: "uid=user123"
5bbb13cb begin get_filter
5bbb13cb EQUALITY
ber_scanf fmt ({mm}) ber:
ber_dump: buf=0x7f292c1070f0 ptr=0x7f292c1070f0 end=0x7f292c107100 len=16
  0000:  a3 0e 04 03 75 69 64 04  07 75 73 65 72 31 32 33   ....uid..user123  
5bbb13cb end get_filter 0
5bbb13cb ==> autogroup_add_members_from_filter <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_search
5bbb13cb mdb_dn2entry("ou=users,dc=example,dc=com")
5bbb13cb => mdb_dn2id("ou=users,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x2
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => access_allowed: search access to "ou=users,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb search_candidates: base="ou=users,dc=example,dc=com" (0x00000002) scope=1
5bbb13cb => mdb_filter_candidates
5bbb13cb        OR
5bbb13cb => mdb_list_candidates 0xa1
5bbb13cb => mdb_filter_candidates
5bbb13cb        EQUALITY
5bbb13cb => mdb_equality_candidates (objectClass)
5bbb13cb => key_read
5bbb13cb mdb_idl_fetch_key: [b49d1940]
5bbb13cb <= mdb_index_read: failed (-30798)
5bbb13cb <= mdb_equality_candidates: id=0, first=0, last=0
5bbb13cb <= mdb_filter_candidates: id=0 first=0 last=0
5bbb13cb => mdb_filter_candidates
5bbb13cb        EQUALITY
5bbb13cb => mdb_equality_candidates (uid)
5bbb13cb => key_read
5bbb13cb mdb_idl_fetch_key: [c04ab411]
5bbb13cb <= mdb_index_read 1 candidates
5bbb13cb <= mdb_equality_candidates: id=1, first=212, last=212
5bbb13cb <= mdb_filter_candidates: id=1 first=212 last=212
5bbb13cb <= mdb_list_candidates: id=1 first=212 last=212
5bbb13cb <= mdb_filter_candidates: id=1 first=212 last=212
5bbb13cb mdb_search_candidates: id=1 first=212 last=212
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => test_filter
5bbb13cb     EQUALITY
5bbb13cb => access_allowed: search access to "uid=user123,ou=users,dc=example,dc=com" "uid" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb <= test_filter 6
5bbb13cb ==> autogroup_member_search_modify_cb <uid=user123,ou=users,dc=example,dc=com>
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb => mdb_search
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb base_candidates: base: "cn=default,ou=ppolicies,dc=example,dc=com" (0x00000040)
5bbb13cb => test_filter
5bbb13cb     EQUALITY
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "objectClass" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb <= test_filter 5
5bbb13cb mdb_search: 64 does not match filter
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> unique_modify <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb => access_allowed: manage access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: manage access granted by manage(=mwrscxd)
5bbb13cb unique_modify: administrative bypass, skipping
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb ppolicy_get: using default policy
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb mdb_modify_internal: 0x00000040: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= acl_access_allowed: granted to database root
5bbb13cb mdb_modify_internal: add seeAlso
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "device"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "pwdPolicy"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "extensibleObject"
5bbb13cb => mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb autogroup_add_group: added memberURL DN <ou=users,dc=example,dc=com> with filter <(uid=user123)>
5bbb13cb send_ldap_response: msgid=2 tag=103 err=0
ber_flush2: 14 bytes to sd 14
  0000:  30 0c 02 01 02 67 07 0a  01 00 04 00 04 00         0....g........    
ldap_write: want=14, written=14
  0000:  30 0c 02 01 02 67 07 0a  01 00 04 00 04 00         0....g........    
5bbb13cb conn=1001 op=1 RESULT tag=103 err=0 text=
5bbb13cb slap_graduate_commit_csn: removing 0x7f292c104650 20181008082235.383864Z#000000#001#000000
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on: 14r
5bbb13cb daemon: read active on 14
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb connection_get(14)
5bbb13cb connection_get(14): got connid=1001
5bbb13cb connection_read(14): checking for input on id=1001
ber_get_next
ldap_read: want=8, got=7
  0000:  30 05 02 01 03 42 00                               0....B.           
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f293015e3c0 ptr=0x7f293015e3c0 end=0x7f293015e3c5 len=5
  0000:  02 01 03 42 00                                     ...B.             
5bbb13cb op tag 0x42, time 1538986955
ber_get_next
ldap_read: want=8, got=0

5bbb13cb ber_get_next on fd 14 failed errno=0 (Success)
5bbb13cb connection_read(14): input error=-2 id=1001, closing.
5bbb13cb connection_closing: readying conn=1001 sd=14 for close
5bbb13cb connection_close: deferring conn=1001 sd=14
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb conn=1001 op=2 do_unbind
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb conn=1001 op=2 UNBIND
5bbb13cb connection_resched: attempting closing conn=1001 sd=14
5bbb13cb connection_close: conn=1001 sd=14
5bbb13cb daemon: removing 14
5bbb13cb conn=1001 fd=14 closed
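
Added example (not part of the original post or of OpenLDAP): a small Python check that reads a slapd debug log in the format above and reports, for each DN passed to autogroup_member_search_modify_cb, whether back-mdb logged a committed write of the olcAGmemberOfAd attribute on that entry. Both sample logs are constructed; the second is a hypothetical picture of what a successful write would look like, and the function names are this example's own.

```python
import re

# Lines of interest in a slapd debug log (timestamp prefix is ignored).
CB_RE = re.compile(r"==> autogroup_member_search_modify_cb <([^>]*)>")
TARGET_RE = re.compile(r"mdb_modify_internal: 0x[0-9a-fA-F]+: (.+)$")
CHANGE_RE = re.compile(r"mdb_modify_internal: (add|delete|replace) (\S+)")
DONE_RE = re.compile(r'mdb_modify: updated id=[0-9a-fA-F]+ dn="([^"]*)"')

# Constructed sample, shaped like the log in the post: the callback fires
# for the user, but the only committed modify is on the policy entry.
SAMPLE_LOG = """\
5bbb13cb ==> autogroup_member_search_modify_cb <uid=user123,ou=users,dc=example,dc=com>
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify_internal: 0x00000040: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify_internal: add seeAlso
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
"""

# Constructed, hypothetical: the same log plus a committed write on the user.
SAMPLE_LOG_WITH_WRITE = SAMPLE_LOG + """\
5bbb13cb mdb_modify_internal: 0x000000d4: uid=user123,ou=users,dc=example,dc=com
5bbb13cb mdb_modify_internal: add pwdPolicySubentry
5bbb13cb mdb_modify: updated id=000000d4 dn="uid=user123,ou=users,dc=example,dc=com"
"""


def norm(dn):
    """Cheap DN normalisation, enough to compare DNs printed by slapd."""
    return dn.strip().lower()


def committed_changes(log_text):
    """Return {dn: [(op, attr), ...]} for modifies logged as 'updated'."""
    changes = {}
    target, pending = None, []
    for line in log_text.splitlines():
        m = TARGET_RE.search(line)
        if m:  # start of a modify on one entry
            target, pending = norm(m.group(1)), []
            continue
        m = CHANGE_RE.search(line)
        if m and target is not None:  # one attribute change inside it
            pending.append((m.group(1), m.group(2)))
            continue
        m = DONE_RE.search(line)
        if m and target == norm(m.group(1)):  # modify was committed
            changes.setdefault(target, []).extend(pending)
            target, pending = None, []
    return changes


def autogroup_members(log_text):
    """DNs that autogroup's member search callback was invoked for."""
    return sorted({norm(m.group(1)) for m in CB_RE.finditer(log_text)})


def audit_member_of_ad(log_text, attr="pwdPolicySubentry"):
    """Return {member_dn: True if a committed modify touched attr}."""
    changes = committed_changes(log_text)
    report = {}
    for dn in autogroup_members(log_text):
        written = {a.lower() for _, a in changes.get(dn, [])}
        report[dn] = attr.lower() in written
    return report


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_LOG),
                       ("with write", SAMPLE_LOG_WITH_WRITE)):
        for dn, ok in audit_member_of_ad(text).items():
            state = "written" if ok else "NOT written"
            print(f"{name}: pwdPolicySubentry {state} on {dn}")
```

A False result for a member means the callback ran but the log holds no committed modify of that attribute on the entry, which is the symptom described in the post.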