Using ppolicy and autogroup to apply policy to a group of users
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: Using ppolicy and autogroup to apply policy to a group of users
- From: Clément OUDOT <clement.oudot@worteks.com>
- Date: Mon, 8 Oct 2018 10:34:37 +0200
- Organization: Worteks
Hello,

we often have the question on this list: how to apply a policy to a branch
or a group of users?

I was thinking we could use autogroup with this kind of configuration:

dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcAutomaticGroups
objectClass: olcOverlayConfig
olcOverlay: {9}autogroup
olcAGattrSet: pwdPolicy memberUrl seeAlso
olcAGmemberOfAd: pwdPolicySubentry

The goal is to have a memberUrl inside a pwdPolicy object, that can
target accounts that need to have this policy. For example:

dn: cn=default,ou=ppolicies,dc=example,dc=com
changetype: modify
replace: memberURL
memberURL: ldap:///ou=users,dc=example,dc=com??one?(uid=user*)

The autogroup "olcAGattrSet" is working well, I can see the seeAlso
values. But the "olcAGmemberOfAd" does not seem to be applied.

I don't know if this is a conflict with the ppolicy overlay, or other
overlays (dynlist, memberof). I attach a full debug log, maybe you can
find what is going wrong. We see that the
"autogroup_member_search_modify_cb" function is called, but the user entry
is not modified.

Do you think this configuration could work?

--
Clément Oudot | Identity Solutions Manager
clement.oudot@worteks.com
Worteks | https://www.worteks.com
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb slap_listener_activate(7):
5bbb13cb daemon: epoll: listen=7 busy
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb >>> slap_listener(ldap://127.0.0.1:389)
5bbb13cb daemon: listen=7, new connection on 14
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb daemon: added 14r (active) listener=(nil)
5bbb13cb conn=1001 fd=14 ACCEPT from IP=127.0.0.1:36418 (IP=127.0.0.1:389)
5bbb13cb daemon: activity on 2 descriptors
5bbb13cb daemon: activity on: 14r
5bbb13cb daemon: read active on 14
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb connection_get(14)
5bbb13cb connection_get(14): got connid=1001
5bbb13cb connection_read(14): checking for input on id=1001
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
ber_get_next
ldap_read: want=8, got=8
0000: 30 2c 02 01 01 60 27 02 0,...`'.
ldap_read: want=38, got=38
0000: 01 03 04 1a 63 6e 3d 61 64 6d 69 6e 2c 64 63 3d ....cn=admin,dc=
0010: 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 80 06 example,dc=com..
0020: 73 65 63 72 65 74 secret
ber_get_next: tag 0x30 len 44 contents:
ber_dump: buf=0x7f293010a580 ptr=0x7f293010a580 end=0x7f293010a5ac len=44
0000: 02 01 01 60 27 02 01 03 04 1a 63 6e 3d 61 64 6d ...`'.....cn=adm
0010: 69 6e 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 in,dc=example,dc
0020: 3d 63 6f 6d 80 06 73 65 63 72 65 74 =com..secret
5bbb13cb op tag 0x60, time 1538986955
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5bbb13cb conn=1001 op=0 do_bind
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f293010a580 ptr=0x7f293010a583 end=0x7f293010a5ac len=41
0000: 60 27 02 01 03 04 1a 63 6e 3d 61 64 6d 69 6e 2c `'.....cn=admin,
0010: 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f dc=example,dc=co
0020: 6d 80 06 73 65 63 72 65 74 m..secret
ber_scanf fmt (m}) ber:
ber_dump: buf=0x7f293010a580 ptr=0x7f293010a5a4 end=0x7f293010a5ac len=8
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
0000: 00 06 73 65 63 72 65 74 ..secret
5bbb13cb >>> dnPrettyNormal: <cn=admin,dc=example,dc=com>
=> ldap_bv2dn(cn=admin,dc=example,dc=com,0)
<= ldap_bv2dn(cn=admin,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=example,dc=com)=0
5bbb13cb <<< dnPrettyNormal: <cn=admin,dc=example,dc=com>, <cn=admin,dc=example,dc=com>
5bbb13cb conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
5bbb13cb do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128
5bbb13cb ==> mdb_bind: dn: cn=admin,dc=example,dc=com
5bbb13cb conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
5bbb13cb do_bind: v3 bind: "cn=admin,dc=example,dc=com" to "cn=admin,dc=example,dc=com"
5bbb13cb send_ldap_result: conn=1001 op=0 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb => mdb_entry_get: ndn: "cn=admin,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=admin,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=admin,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798)
5bbb13cb => mdb_entry_get: cannot find entry: "cn=admin,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=32
5bbb13cb send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
5bbb13cb conn=1001 op=0 RESULT tag=97 err=0 text=
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on: 14r
5bbb13cb daemon: read active on 14
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb connection_get(14)
5bbb13cb connection_get(14): got connid=1001
5bbb13cb connection_read(14): checking for input on id=1001
ber_get_next
ldap_read: want=8, got=8
0000: 30 7d 02 01 02 66 78 04 0}...fx.
ldap_read: want=119, got=119
0000: 29 63 6e 3d 64 65 66 61 75 6c 74 2c 6f 75 3d 70 )cn=default,ou=p
0010: 70 6f 6c 69 63 69 65 73 2c 64 63 3d 65 78 61 6d policies,dc=exam
0020: 70 6c 65 2c 64 63 3d 63 6f 6d 30 4b 30 49 0a 01 ple,dc=com0K0I..
0030: 02 30 44 04 09 6d 65 6d 62 65 72 55 52 4c 31 37 .0D..memberURL17
0040: 04 35 6c 64 61 70 3a 2f 2f 2f 6f 75 3d 75 73 65 .5ldap:///ou=use
0050: 72 73 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 rs,dc=example,dc
0060: 3d 63 6f 6d 3f 3f 6f 6e 65 3f 28 75 69 64 3d 75 =com??one?(uid=u
0070: 73 65 72 31 32 33 29 ser123)
ber_get_next: tag 0x30 len 125 contents:
ber_dump: buf=0x7f292c103c90 ptr=0x7f292c103c90 end=0x7f292c103d0d len=125
0000: 02 01 02 66 78 04 29 63 6e 3d 64 65 66 61 75 6c ...fx.)cn=defaul
0010: 74 2c 6f 75 3d 70 70 6f 6c 69 63 69 65 73 2c 64 t,ou=ppolicies,d
0020: 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d c=example,dc=com
0030: 30 4b 30 49 0a 01 02 30 44 04 09 6d 65 6d 62 65 0K0I...0D..membe
0040: 72 55 52 4c 31 37 04 35 6c 64 61 70 3a 2f 2f 2f rURL17.5ldap:///
0050: 6f 75 3d 75 73 65 72 73 2c 64 63 3d 65 78 61 6d ou=users,dc=exam
0060: 70 6c 65 2c 64 63 3d 63 6f 6d 3f 3f 6f 6e 65 3f ple,dc=com??one?
0070: 28 75 69 64 3d 75 73 65 72 31 32 33 29 (uid=user123)
5bbb13cb op tag 0x66, time 1538986955
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5bbb13cb conn=1001 op=1 do_modify
ber_scanf fmt ({m) ber:
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
ber_dump: buf=0x7f292c103c90 ptr=0x7f292c103c93 end=0x7f292c103d0d len=122
0000: 66 78 04 29 63 6e 3d 64 65 66 61 75 6c 74 2c 6f fx.)cn=default,o
0010: 75 3d 70 70 6f 6c 69 63 69 65 73 2c 64 63 3d 65 u=ppolicies,dc=e
0020: 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 30 4b 30 xample,dc=com0K0
0030: 49 0a 01 02 30 44 04 09 6d 65 6d 62 65 72 55 52 I...0D..memberUR
0040: 4c 31 37 04 35 6c 64 61 70 3a 2f 2f 2f 6f 75 3d L17.5ldap:///ou=
0050: 75 73 65 72 73 2c 64 63 3d 65 78 61 6d 70 6c 65 users,dc=example
0060: 2c 64 63 3d 63 6f 6d 3f 3f 6f 6e 65 3f 28 75 69 ,dc=com??one?(ui
0070: 64 3d 75 73 65 72 31 32 33 29 d=user123)
5bbb13cb conn=1001 op=1 do_modify: dn (cn=default,ou=ppolicies,dc=example,dc=com)
ber_scanf fmt ({e{m[W]}}) ber:
ber_dump: buf=0x7f292c103c90 ptr=0x7f292c103cc2 end=0x7f292c103d0d len=75
0000: 30 49 0a 01 02 30 44 04 09 6d 65 6d 62 65 72 55 0I...0D..memberU
0010: 52 4c 31 37 04 35 6c 64 61 70 3a 2f 2f 2f 6f 75 RL17.5ldap:///ou
0020: 3d 75 73 65 72 73 2c 64 63 3d 65 78 61 6d 70 6c =users,dc=exampl
0030: 65 2c 64 63 3d 63 6f 6d 3f 3f 6f 6e 65 3f 28 75 e,dc=com??one?(u
0040: 69 64 3d 75 73 65 72 31 32 33 29 id=user123)
5bbb13cb >>> dnPrettyNormal: <cn=default,ou=ppolicies,dc=example,dc=com>
=> ldap_bv2dn(cn=default,ou=ppolicies,dc=example,dc=com,0)
<= ldap_bv2dn(cn=default,ou=ppolicies,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=default,ou=ppolicies,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=default,ou=ppolicies,dc=example,dc=com)=0
5bbb13cb <<< dnPrettyNormal: <cn=default,ou=ppolicies,dc=example,dc=com>, <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb conn=1001 op=1 modifications:
5bbb13cb replace: memberURL
5bbb13cb one value, length 53
5bbb13cb conn=1001 op=1 MOD dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb conn=1001 op=1 MOD attr=memberURL
5bbb13cb ==> autogroup_modify_entry <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb dnMatch 0
"cn=default,ou=ppolicies,dc=example,dc=com"
"cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_search
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb base_candidates: base: "cn=default,ou=ppolicies,dc=example,dc=com" (0x00000040)
5bbb13cb => test_filter
5bbb13cb EQUALITY
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "objectClass" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb <= test_filter 5
5bbb13cb mdb_search: 64 does not match filter
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> unique_modify <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb constraint_update()
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb ppolicy_get: using default policy
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb slap_queue_csn: queueing 0x7f292c104650 20181008082235.383864Z#000000#001#000000
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb mdb_modify_internal: 0x00000040: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= acl_access_allowed: granted to database root
5bbb13cb mdb_modify_internal: replace memberURL
5bbb13cb mdb_modify_internal: replace entryCSN
5bbb13cb mdb_modify_internal: replace modifiersName
5bbb13cb mdb_modify_internal: replace modifyTimestamp
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "device"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "pwdPolicy"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "extensibleObject"
5bbb13cb mdb_idl_delete_keys: 40
5bbb13cb mdb_idl_insert_keys: 40
5bbb13cb => mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> autogroup_response MODIFY <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb dnMatch 0
"cn=default,ou=ppolicies,dc=example,dc=com"
"cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb autogroup_response MODIFY changing memberURL for group <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb ==> autogroup_delete_member_from_group removing all members from <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_search
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb base_candidates: base: "cn=default,ou=ppolicies,dc=example,dc=com" (0x00000040)
5bbb13cb => test_filter
5bbb13cb EQUALITY
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "objectClass" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb <= test_filter 5
5bbb13cb mdb_search: 64 does not match filter
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> unique_modify <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb => access_allowed: manage access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: manage access granted by manage(=mwrscxd)
5bbb13cb unique_modify: administrative bypass, skipping
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb ppolicy_get: using default policy
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb mdb_modify_internal: 0x00000040: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= acl_access_allowed: granted to database root
5bbb13cb mdb_modify_internal: delete seeAlso
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "device"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "pwdPolicy"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "extensibleObject"
5bbb13cb => mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> autogroup_delete_group <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb ==> autogroup_add_group <cn=default,ou=ppolicies,dc=example,dc=com>
ldap_url_parse_ext(ldap:///ou=users,dc=example,dc=com??one?(uid=user123))
5bbb13cb >>> dnPrettyNormal: <ou=users,dc=example,dc=com>
=> ldap_bv2dn(ou=users,dc=example,dc=com,0)
<= ldap_bv2dn(ou=users,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=users,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=users,dc=example,dc=com)=0
5bbb13cb <<< dnPrettyNormal: <ou=users,dc=example,dc=com>, <ou=users,dc=example,dc=com>
5bbb13cb str2filter "(uid=user123)"
put_filter: "(uid=user123)"
put_filter: simple
put_simple_filter: "uid=user123"
5bbb13cb begin get_filter
5bbb13cb EQUALITY
ber_scanf fmt ({mm}) ber:
ber_dump: buf=0x7f292c1070f0 ptr=0x7f292c1070f0 end=0x7f292c107100 len=16
0000: a3 0e 04 03 75 69 64 04 07 75 73 65 72 31 32 33 ....uid..user123
5bbb13cb end get_filter 0
5bbb13cb ==> autogroup_add_members_from_filter <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_search
5bbb13cb mdb_dn2entry("ou=users,dc=example,dc=com")
5bbb13cb => mdb_dn2id("ou=users,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x2
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => access_allowed: search access to "ou=users,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb search_candidates: base="ou=users,dc=example,dc=com" (0x00000002) scope=1
5bbb13cb => mdb_filter_candidates
5bbb13cb OR
5bbb13cb => mdb_list_candidates 0xa1
5bbb13cb => mdb_filter_candidates
5bbb13cb EQUALITY
5bbb13cb => mdb_equality_candidates (objectClass)
5bbb13cb => key_read
5bbb13cb mdb_idl_fetch_key: [b49d1940]
5bbb13cb <= mdb_index_read: failed (-30798)
5bbb13cb <= mdb_equality_candidates: id=0, first=0, last=0
5bbb13cb <= mdb_filter_candidates: id=0 first=0 last=0
5bbb13cb => mdb_filter_candidates
5bbb13cb EQUALITY
5bbb13cb => mdb_equality_candidates (uid)
5bbb13cb => key_read
5bbb13cb mdb_idl_fetch_key: [c04ab411]
5bbb13cb <= mdb_index_read 1 candidates
5bbb13cb <= mdb_equality_candidates: id=1, first=212, last=212
5bbb13cb <= mdb_filter_candidates: id=1 first=212 last=212
5bbb13cb <= mdb_list_candidates: id=1 first=212 last=212
5bbb13cb <= mdb_filter_candidates: id=1 first=212 last=212
5bbb13cb mdb_search_candidates: id=1 first=212 last=212
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => test_filter
5bbb13cb EQUALITY
5bbb13cb => access_allowed: search access to "uid=user123,ou=users,dc=example,dc=com" "uid" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb <= test_filter 6
5bbb13cb ==> autogroup_member_search_modify_cb <uid=user123,ou=users,dc=example,dc=com>
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb => mdb_search
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb base_candidates: base: "cn=default,ou=ppolicies,dc=example,dc=com" (0x00000040)
5bbb13cb => test_filter
5bbb13cb EQUALITY
5bbb13cb => access_allowed: search access to "cn=default,ou=ppolicies,dc=example,dc=com" "objectClass" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: search access granted by manage(=mwrscxd)
5bbb13cb <= test_filter 5
5bbb13cb mdb_search: 64 does not match filter
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb ==> unique_modify <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb => access_allowed: manage access to "cn=default,ou=ppolicies,dc=example,dc=com" "entry" requested
5bbb13cb <= root access granted
5bbb13cb => access_allowed: manage access granted by manage(=mwrscxd)
5bbb13cb unique_modify: administrative bypass, skipping
5bbb13cb => mdb_entry_get: ndn: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb => mdb_entry_get: oc: "(null)", at: "(null)"
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb => mdb_entry_get: found entry: "cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb mdb_entry_get: rc=0
5bbb13cb ppolicy_get: using default policy
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_dn2entry("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb => mdb_dn2id("cn=default,ou=ppolicies,dc=example,dc=com")
5bbb13cb <= mdb_dn2id: got id=0x40
5bbb13cb => mdb_entry_decode:
5bbb13cb <= mdb_entry_decode
5bbb13cb mdb_modify_internal: 0x00000040: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= acl_access_allowed: granted to database root
5bbb13cb mdb_modify_internal: add seeAlso
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "device"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "pwdPolicy"
5bbb13cb oc_check_required entry (cn=default,ou=ppolicies,dc=example,dc=com), objectClass "extensibleObject"
5bbb13cb => mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb <= mdb_entry_encode(0x00000040): cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb send_ldap_result: conn=1001 op=1 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb autogroup_add_group: added memberURL DN <ou=users,dc=example,dc=com> with filter <(uid=user123)>
5bbb13cb send_ldap_response: msgid=2 tag=103 err=0
ber_flush2: 14 bytes to sd 14
0000: 30 0c 02 01 02 67 07 0a 01 00 04 00 04 00 0....g........
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 67 07 0a 01 00 04 00 04 00 0....g........
5bbb13cb conn=1001 op=1 RESULT tag=103 err=0 text=
5bbb13cb slap_graduate_commit_csn: removing 0x7f292c104650 20181008082235.383864Z#000000#001#000000
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on: 14r
5bbb13cb daemon: read active on 14
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb connection_get(14)
5bbb13cb connection_get(14): got connid=1001
5bbb13cb connection_read(14): checking for input on id=1001
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 03 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f293015e3c0 ptr=0x7f293015e3c0 end=0x7f293015e3c5 len=5
0000: 02 01 03 42 00 ...B.
5bbb13cb op tag 0x42, time 1538986955
ber_get_next
ldap_read: want=8, got=0
5bbb13cb ber_get_next on fd 14 failed errno=0 (Success)
5bbb13cb connection_read(14): input error=-2 id=1001, closing.
5bbb13cb connection_closing: readying conn=1001 sd=14 for close
5bbb13cb connection_close: deferring conn=1001 sd=14
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb conn=1001 op=2 do_unbind
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb conn=1001 op=2 UNBIND
5bbb13cb connection_resched: attempting closing conn=1001 sd=14
5bbb13cb connection_close: conn=1001 sd=14
5bbb13cb daemon: removing 14
5bbb13cb conn=1001 fd=14 closed
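
One way to confirm from a debug log like the one above that the member callback ran but no write reached the user entry, as an added example (not part of the original message and not OpenLDAP code): the script groups `mdb_modify_internal` operations by the DN of the preceding `mdb_modify:` line and lists `autogroup_member_search_modify_cb` targets that never received a write to a given attribute. The sample lines are abridged from the log in this message; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Abridged from the slapd debug log in this message: only the line types
# the parser looks at are kept, in their original order.
SAMPLE_LOG = """\
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify_internal: 0x00000040: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify_internal: replace memberURL
5bbb13cb mdb_modify_internal: replace entryCSN
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb ==> autogroup_delete_member_from_group removing all members from <cn=default,ou=ppolicies,dc=example,dc=com>
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify_internal: delete seeAlso
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
5bbb13cb ==> autogroup_member_search_modify_cb <uid=user123,ou=users,dc=example,dc=com>
5bbb13cb mdb_modify: cn=default,ou=ppolicies,dc=example,dc=com
5bbb13cb mdb_modify_internal: add seeAlso
5bbb13cb mdb_modify: updated id=00000040 dn="cn=default,ou=ppolicies,dc=example,dc=com"
"""

# "mdb_modify: <dn>" opens a write; "mdb_modify: updated ..." closes it.
MODIFY_START = re.compile(r"\bmdb_modify: (?!updated\b)(\S.*)$")
MODIFY_DONE = re.compile(r"\bmdb_modify: updated\b")
# "mdb_modify_internal: <op> <attr>"; the "0x...: <dn>" variant does not match.
MODIFY_OP = re.compile(r"\bmdb_modify_internal: ([a-z_]+) (\S+)$")
MEMBER_CB = re.compile(r"==> autogroup_member_search_modify_cb <(.+)>$")


def norm(dn):
    """Case-insensitive DN key (sufficient for DNs as slapd prints them)."""
    return dn.strip().lower()


def writes_by_dn(log):
    """Map each modified DN to the (operation, attribute) pairs applied to it."""
    writes = defaultdict(list)
    current = None
    for raw in log.splitlines():
        line = raw.rstrip()
        start = MODIFY_START.search(line)
        if start:
            current = norm(start.group(1))
            continue
        if MODIFY_DONE.search(line):
            current = None
            continue
        op = MODIFY_OP.search(line)
        if op and current is not None:
            writes[current].append((op.group(1), op.group(2)))
    return dict(writes)


def members_without_write(log, attr):
    """DNs passed to the member callback that never got a write to attr."""
    writes = writes_by_dn(log)
    wanted = attr.lower()
    missing = []
    for raw in log.splitlines():
        cb = MEMBER_CB.search(raw.rstrip())
        if not cb:
            continue
        dn = norm(cb.group(1))
        written = {a.lower() for _, a in writes.get(dn, [])}
        if wanted not in written and dn not in missing:
            missing.append(dn)
    return missing


if __name__ == "__main__":
    for dn, ops in writes_by_dn(SAMPLE_LOG).items():
        print(dn, ops)
    print("callback ran, no pwdPolicySubentry write:",
          members_without_write(SAMPLE_LOG, "pwdPolicySubentry"))
```

The result only reflects backend writes that appear at this debug level; it shows which entries were touched, not why a write was skipped.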