could not config n-way multi-master because insufficient access
My environment is Debian squeeze, OpenLDAP 2.4.17 (from packages.debian.org). I created an OpenLDAP server and tried to configure N-Way multi-master according to the OpenLDAP Admin Guide. I am adding an init.ldif file on the server; the following is its content:

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

and I get the error "insufficient access", even if I set "access to * by * write" in slapd.conf.

Actually, I don't understand what the guide says:

This sets up the config database:

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

The above configuration block could not be imported on my computer, as said at the beginning.

Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 $URI1
olcServerID: 2 $URI2
olcServerID: 3 $URI3

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

This configuration block seems to conflict with the former one. Why should I write "olcServerID: 1 $URI1" into the LDAP server if "olcServerID: 1" is right, and why should I not write one entire configuration, but two separate configuration files which seem to conflict?

I have set up unlimited privileges, so why does the LDAP server report insufficient access? What privileges should be set?

Thanks for the help.

gtalk:freeespe...@gmail.com
Re: Bidirectional sync using openldap and active directory
Thanks for the response. I had already found the LSC project, but I wasn't sure that LSC is compatible with Kerberos tokens and the user's process of changing his own password.

Benjamin MONTHOUËL
Systems Administrator Assistant
NETASQ France - We Secure IT
Villeneuve d'Ascq

On 04/06/2010 13:17, Jonathan Clarke wrote:

On 27/05/2010 10:25, Benjamin MONTHOUEL wrote:

Hi, I'd like to know which method is recommended by openldap.org to perform a bidirectional sync with Microsoft Active Directory. This method has to notice that users changed their password by themselves. Kerberos token ??? Thanks for any information.

Hi, OpenLDAP does not include any mechanism to sync with Active Directory. Both directories have replication mechanisms, but they are incompatible. I can personally (this is not an openldap.org recommendation) recommend using a third party tool to synchronize the two directories, such as Ldap Synchronization Connector (LSC), which is designed for exactly this purpose - see http://lsc-project.org.

Hope this helps,
Jonathan
Re: how to get DIT structure info
On Fri, 04/06/2010 at 21:09 +0800, owen nirvana wrote:

Hi, I have a question. I want to manage some data with OpenLDAP, and I hope to show it as a tree structure when I list it. So I want to get the DIT structure info and create the corresponding nodes in my treeview. So, how do I do this?

What API are you using? GTK/C?

--
Покотиленко Костик cas...@meteor.dp.ua
Re: LDAP C API
On Thu, 03/06/2010 at 18:10 -0700, Quanah Gibson-Mount wrote:

--On Thursday, June 03, 2010 6:56 PM +0300 Покотиленко Костик cas...@meteor.dp.ua wrote:

Did this message hit the list? Hi there, I'm writing a GTK application for managing an LDAP directory, a kind of GTK variant of phpldapadmin. As for now I'm able to browse the directory, objects' properties and their values. What is not clear is how to figure out the RDN and Required property, and Structural value. How is it done?

What do you mean by required property?

The property which is required for this object. I thought there could be some calls to figure out whether the attribute is required or not (also if it is RDN or structural or just a plain attribute). I know it's possible to analyze the schema to figure that out, but maybe there is a simple way.

The RDN is the first value of the full DN.

So if the attribute=value equals the first part of the full DN then it is the RDN, right?

You can look at the structuralObjectClass attr to find what it is structurally.

To be more specific, there is code to process the ldap search result:

BerElement *ber = NULL;
char *attr, **vals;
int i;

for (entry = ldap_first_entry(ld, msg); entry != NULL; entry = ldap_next_entry(ld, entry)) {
    // process entry here ...
    // ldap_first_attribute() takes the address of the BerElement pointer
    for (attr = ldap_first_attribute(ld, entry, &ber); attr != NULL; attr = ldap_next_attribute(ld, entry, ber)) {
        // process attributes here ...
        if ((vals = ldap_get_values(ld, entry, attr)) != NULL) {
            for (i = 0; vals[i]; i++) {
                // processing values here ...
            }
            ldap_value_free(vals);  // release the value array
        }
        ldap_memfree(attr);         // release the attribute name
    }
    if (ber != NULL)
        ber_free(ber, 0);           // release the attribute iterator
}

Say I want to fill a GUI table for each entry with such headers: Attribute, Values, Attribute Type (RDN|Required|Structural)

So, I need to have a way to know whether each attribute is RDN or Required or Structural, etc.

--
Покотиленко Костик cas...@meteor.dp.ua
RE: User restriction
Date: Sat, 5 Jun 2010 11:39:22 -0700
From: h...@symas.com
To: bgmi...@staff.telkomsa.net
CC: openldap-technical@openldap.org; jonat...@phillipoux.net; stuart_cherring...@hotmail.co.uk
Subject: Re: User restriction

Buchan Milne wrote:
On Friday, 4 June 2010 13:47:42 Jonathan Clarke wrote:
On 04/06/2010 11:49, Stuart Cherrington wrote:

As far as I know, nss_base_passwd is not a valid keyword in ldap.conf for OpenLDAP clients. If you're configuring this on a Linux server, I think you'll find the equivalent configuration in /etc/libnss_ldap.conf or similar.

Upstream default is /etc/ldap.conf, libnss-ldap.conf is an unnecessary Debian-ism.

The upstream default has been an endless source of confusion for the better part of a decade. Renaming ala Debian is the right answer.

OK - Thanks for all your comments so far, the whole LDAP structure is starting to become clearer but not as simple as I'd like. As Aron suggested, I used the ldapcompare command to see if I could pull the 'member' information from the schema but it fails.
An ldapsearch shows the following:

ldapsearch -x -b 'ou=auth,dc=ldn,dc=sw,dc=com' -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xx

# extended LDIF
#
# LDAPv3
# base ou=auth,dc=ldn,dc=sw,dc=com with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# auth, ldn.sw.com
dn: ou=auth,dc=ldn,dc=sw,dc=com
ou: auth
objectClass: organizationalUnit
objectClass: top

# access, auth, ldn.sw.com
dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=jason,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pstuart,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pfield,ou=people,dc=ldn,dc=sw,dc=com
member: uid=nereelot,ou=people,dc=ldn,dc=sw,dc=com
member: uid=scolebro,ou=people,dc=ldn,dc=sw,dc=com
member: uid=bpower,ou=people,dc=ldn,dc=sw,dc=com
member: uid=ihunt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=emoreton,ou=people,dc=ldn,dc=sw,dc=com
member: uid=lcable,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pmurray,ou=people,dc=ldn,dc=sw,dc=com

# search result
search: 2
result: 0 Success

You can clearly see the first Member line is myself. If I now try:

ldapcompare2.4 -v -x -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w ou=auth,dc=ldn,dc=sw,dc=com member:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com

ldap_initialize( ldap://10.2.250.15 )
DN:ou=auth,dc=ldn,dc=sw,dc=com, attr:member, value:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
Compare Result: No such attribute (16)
UNDEFINED

Any pointers here would be useful.

Thanks,
Stuart.
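In the search output above the member values sit on the entry cn=access,ou=auth,dc=ldn,dc=sw,dc=com, while the ldapcompare call names ou=auth,dc=ldn,dc=sw,dc=com as the entry to compare. As an added example (not part of the original post), the sketch below models the Compare result codes from RFC 4511 over a constructed, abridged copy of that output; the function names and the simplified DN normalisation are assumptions of the example.

```python
# Added example: model of LDAP Compare result codes over a constructed directory.
# Constructed sample, abridged from the search output in the post above.
SAMPLE_LDIF = """\
dn: ou=auth,dc=ldn,dc=sw,dc=com
ou: auth
objectClass: organizationalUnit
objectClass: top

dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com
"""

# Result codes defined for the Compare operation in RFC 4511.
COMPARE_FALSE, COMPARE_TRUE, NO_SUCH_ATTRIBUTE, NO_SUCH_OBJECT = 5, 6, 16, 32
DN_VALUED = {"member"}  # attributes whose values are matched as DNs


def norm_dn(dn):
    """Simplified DN normalisation: lower-case, trim around ',' and '='.
    Assumes no escaped commas inside RDN values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def parse_ldif(text):
    """Parse plain 'attr: value' records (no folding, no base64) into
    {normalised_dn: {attr: [values]}}."""
    entries = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm_dn(attrs.pop("dn")[0])] = attrs
    return entries


def compare(entries, dn, attr, value):
    """Return the result code a Compare of attr:value against entry dn would give."""
    entry = entries.get(norm_dn(dn))
    if entry is None:
        return NO_SUCH_OBJECT
    values = entry.get(attr.lower())
    if not values:
        return NO_SUCH_ATTRIBUTE  # the named entry carries no such attribute
    norm = norm_dn if attr.lower() in DN_VALUED else str.lower
    wanted = norm(value)
    return COMPARE_TRUE if any(norm(v) == wanted for v in values) else COMPARE_FALSE


DIRECTORY = parse_ldif(SAMPLE_LDIF)
```

Against this sample, a compare aimed at the ou=auth entry yields code 16, and the same assertion aimed at the cn=access group entry yields compareTrue (6) for a listed member and compareFalse (5) for an unlisted one.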
Re: Pam password authentication
On Saturday, 5 June 2010 22:52:10 Siddhartha Jain wrote:

I came across a similar bug where enabling chaining between a master and slave allows invalid passwords to be accepted by pam_ldap. Unfortunately, no word from OpenLDAP or pam_ldap maintainers on the issue.

Did you file an ITS?

I have been looking at pam_ldap source code but haven't been able to pinpoint the issue. In my case, it has something to do with password policy not being handled properly when chaining is enabled. I suggest try tweaking those pam_password statements and see if you can deduce anything.

Well, the first thing would be to be absolutely sure the PAM config is correct, I haven't had time to compare, my PAM config is quite a bit more complex (with pam_ccreds in the mix), but I do have a required pam_deny.so at the end of mine ... (and I can't remember if it is a requirement because of the two sufficient's, or because of the pam_ccreds stuff which follows).

Regards,
Buchan
Re: pam_ldap doesn't bind SIMPLE for anonymous auth?
On Friday, 4 June 2010 23:50:26 Jo Rhett wrote:

I'm seeing a problem where I can authenticate as a user using the ldap tools (ie ldapsearch) but I am unable to login using PAM. Comparing debug on the server shows that ldapsearch is doing a new BIND, whereas PAM is not:

Jun 4 14:58:52 ldap-server slapd[5158]: = dn: [1]
Jun 4 14:58:52 ldap-server slapd[5158]: = acl_get: [2] attr userPassword
Jun 4 14:58:52 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun 4 14:58:52 ldap-server slapd[5158]: = acl_mask: access to entry uid=jrhett,ou=Users,dc=equinix,dc=com, attr userPassword requested
Jun 4 14:58:52 ldap-server slapd[5158]: = acl_mask: to value by , (=0)
Jun 4 14:58:52 ldap-server slapd[5158]: = check a_dn_pat: anonymous
Jun 4 14:58:52 ldap-server slapd[5158]: = acl_mask: [1] applying auth(=xd) (stop)
Jun 4 14:58:52 ldap-server slapd[5158]: = acl_mask: [1] mask: auth(=xd)
Jun 4 14:58:52 ldap-server slapd[5158]: = access_allowed: auth access granted by auth(=xd)
Jun 4 14:58:52 ldap-server slapd[5158]: send_ldap_result: conn=75 op=2 p=3
Jun 4 14:58:52 ldap-server slapd[5158]: send_ldap_result: err=49 matched= text=
Jun 4 14:58:52 ldap-server slapd[5158]: send_ldap_response: msgid=3 tag=97 err=49
Jun 4 14:58:52 ldap-server slapd[5158]: conn=75 op=2 RESULT tag=97 err=49 text=

Now ldapsearch has identical debug output down until just below the access_allowed line.
Jun 4 15:02:54 ldap-server slapd[5158]: = acl_get: [2] attr userPassword
Jun 4 15:02:54 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun 4 15:02:54 ldap-server slapd[5158]: = acl_mask: access to entry uid=jrhett,ou=Users,dc=equinix,dc=com, attr userPassword requested
Jun 4 15:02:54 ldap-server slapd[5158]: = acl_mask: to value by , (=0)
Jun 4 15:02:54 ldap-server slapd[5158]: = check a_dn_pat: anonymous
Jun 4 15:02:54 ldap-server slapd[5158]: = acl_mask: [1] applying auth(=xd) (stop)
Jun 4 15:02:54 ldap-server slapd[5158]: = acl_mask: [1] mask: auth(=xd)
Jun 4 15:02:54 ldap-server slapd[5158]: = access_allowed: auth access granted by auth(=xd)
Jun 4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 BIND dn=uid=jrhett,ou=Users,dc=equinix,dc=com mech=SIMPLE ssf=0
Jun 4 15:02:54 ldap-server slapd[5158]: do_bind: v3 bind: uid=jrhett,ou=Users,dc=equinix,dc=com to uid=jrhett,ou=Users,dc=equinix,dc=com
Jun 4 15:02:54 ldap-server slapd[5158]: send_ldap_result: conn=83 op=0 p=3
Jun 4 15:02:54 ldap-server slapd[5158]: send_ldap_result: err=0 matched= text=
Jun 4 15:02:54 ldap-server slapd[5158]: send_ldap_response: msgid=1 tag=97 err=0
Jun 4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 RESULT tag=97 err=0 text=
Jun 4 15:02:54 ldap-server slapd[5158]: daemon: activity on 1 descriptor
Jun 4 15:02:54 ldap-server slapd[5158]: daemon: activity on:

Can someone give me a clue what's going wrong here?

err=49 is invalid credentials, thus one or more of:
1) Wrong DN
2) Wrong password
3) ACLs don't allow simple auth

Your successful authentication with the same DN with ldapsearch rules out (1) and (also indicated in the acl logging for the pam_ldap case) (3). That leaves one more cause ...

The key to this problem is that I'm trying to avoid putting system logins, rootbinddns on each server, and just do anonymous binds for authentication.
Well, it needn't be rootbinddns, in the sense that you should be just as happy to lose a binddn or rootbinddn as with providing anonymous access (these users should be least-privilege, only with access to similar data you are already exposing to all users who would have access to the credentials - via 'getent passwd'), but you could consider using Kerberos keytabs or certificates, or per-host credentials. Either way, I have used anonymous for nss_ldap/pam_ldap before, without problems.

No configuration file on this client has a valid Manager or any other authentication password, and I'm trying to keep it that way.

In theory, this should work ;-)

I mean, ldapsearch works fine ...

Sure, but are you sure ldapsearch and pam_ldap are using the same password? If you *think* so, maybe you should check with a packet capture ...

Regards,
Buchan
Re: [SOLVED] Pam password authentication
I have solved this issue; unfortunately I don't think I sent it back to the mailing list. It was to do with my combination of required and sufficient, and I lacked pam_deny.so. I replaced it with

auth  sufficient  pam_opie.so                 no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so           no_warn allow_local
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth  required    pam_unix.so                 no_warn use_first_pass

And this seems to have corrected the behaviour.

On 07/06/2010, at 7:31 PM, Buchan Milne wrote:

On Saturday, 5 June 2010 22:52:10 Siddhartha Jain wrote:

I came across a similar bug where enabling chaining between a master and slave allows invalid passwords to be accepted by pam_ldap. Unfortunately, no word from OpenLDAP or pam_ldap maintainers on the issue.

Did you file an ITS?

I have been looking at pam_ldap source code but haven't been able to pinpoint the issue. In my case, it has something to do with password policy not being handled properly when chaining is enabled. I suggest try tweaking those pam_password statements and see if you can deduce anything.

Well, the first thing would be to be absolutely sure the PAM config is correct, I haven't had time to compare, my PAM config is quite a bit more complex (with pam_ccreds in the mix), but I do have a required pam_deny.so at the end of mine ... (and I can't remember if it is a requirement because of the two sufficient's, or because of the pam_ccreds stuff which follows).

Regards,
Buchan
Re: ldap with squid auth helper
On Friday, 4 June 2010 21:05:26 Gerardo Herzig wrote:

Hi all. I'm trying to use squid with the squid_ldap_group auth helper. The schema looks like

o=Company -Groups |-ProxyUsers | |-Managers |-Sales

Managers and Sales are OrganizationalUnit, ProxyUsers is GroupofUniqueNames. Each entry of Managers and Sales inherits from PosixAccount and InetOrgPerson.

ProxyUsers entry for the user foo is:

UniqueMember: uid=foo,ou=Managers,o=Company
UniqueMember: uid=anotherfoo,ou=Sales,o=Company

Inside the ProxyUsers can be people from Managers, Sales, and so on. I'm failing to test squid_ldap_group from the command line (I think the filters part).

1) Is there a way to test if the user foo is part of the ProxyUsers group?

Yes, but from a squid perspective, you will be relying on DN construction in the filter if you do it this way.

2) Is it possible to tell squid_ldap_group to look for uid=foo in Managers AND Sales, and if there is one try to use it? Like if the filter could be (uid=foo) _AND_ (ou=Managers _OR_ ou=Sales)?

This sounds more like a question you should pose to the developers of this software, but having gone down a path requiring DN construction may not be the best option. Or, do you need to cater to identical uid values in different containers?

Regards,
Buchan
Re: LDAP C API
--On Monday, June 07, 2010 11:17 AM +0300 Покотиленко Костик cas...@meteor.dp.ua wrote:

So, I need to have a way to know whether each attribute is RDN or Required or Structural, etc.

Then you need to parse the schema.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: smbk5pwd: ldappassword hangs
--On Monday, June 07, 2010 11:56 AM +0200 Frank Van Damme frank.vanda...@gmail.com wrote:

2010/5/31 Frank Van Damme frank.vanda...@gmail.com:

Hi list, I installed and configured the smbk5pwd overlay as described on http://student.physik.uni-mainz.de/~reiffert/smbk5pwd.html#smbk5pwd. This succeeded, the module is loaded etc. But an unwelcome side effect is that password changes don't function anymore. With the overlay/module disabled, there is no problem; if I enable it, the ldappasswd command hangs. I marked where I hit Ctrl-C on the hanging ldappasswd command. This is the slapd log...

Does no one have an idea, please?

What version of OpenLDAP are you using? You've failed to mention that anywhere.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: Pam password authentication
This is more of a pam config problem than openldap related... but your account section probably needs either ldap or unix to be required/sufficient rather than optional. As it is now it will check that there is no nologin file, and then check through your pam login.access file; it will check that the user exists in passwd or ldap but won't fail if it isn't, just that it meets criteria set in the access file, which might be set up to allow anything in.

Also, your auth section is set up such that if opie succeeds, you are auth'd; it won't bother to check ldap or unix because if it fails, it will return failure immediately (that's what requisite does).

I'd be careful with the use of optional in pam config, especially around the auth and account sections. I would reserve its use for session (if anywhere), as it's more of a "try it, if it works OK, if not, so what" rule, good for homedir creation or displaying motd (so if it fails, you still get in, since it's not critical you see motd or have a homedir, but nice if it does work).

-T

Thank you for this, I will definitely take your advice, and go over pam more thoroughly, as it was one of my weaker areas of understanding. Your help is appreciated.

William
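The control-flag behaviour discussed in this thread (the auth stack posted in the [SOLVED] message and the advice above on required, requisite, sufficient and optional), as an added example that is not part of the original posts: a simplified model of how a stack is walked, used to check whether a stack still denies access when every credential check fails. The stacks NO_BACKSTOP_AUTH and OPTIONAL_ACCOUNT are constructed for illustration (the thread does not show the earlier configuration), pam_nologin.so is an assumed module name, and module outcomes are supplied by the caller rather than produced by real modules.

```python
# Simplified model of PAM control flags (added example, not from the thread).
CONTROLS = {"required", "requisite", "sufficient", "optional"}

# Auth stack as posted in the [SOLVED] message.
FIXED_AUTH = """
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn use_first_pass
"""
# Constructed: the same stack without its closing "required" line.
NO_BACKSTOP_AUTH = "\n".join(FIXED_AUTH.strip().splitlines()[:3])
# Constructed from the description of an all-"optional" account lookup.
OPTIONAL_ACCOUNT = """
account required pam_nologin.so
account optional /usr/local/lib/pam_ldap.so
account optional pam_unix.so
"""


def parse_stack(text):
    """Return [(control, module_basename)] for each 'type control module args' line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3 or fields[1] not in CONTROLS:
            raise ValueError("unsupported PAM line: %r" % raw)
        rules.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return rules


def evaluate(rules, outcomes):
    """Walk the stack; outcomes maps module -> True (success) / False (failure).
    Returns (verdict, modules_consulted)."""
    required_failed = positive = False
    ran = []
    for control, module in rules:
        ok = outcomes[module]
        ran.append(module)
        if control == "optional":
            continue                   # simplification: never affects the verdict
        if ok and control == "sufficient" and not required_failed:
            return "granted", ran      # short-circuit: later modules never run
        if ok:
            positive = True
        elif control == "requisite":
            return "denied", ran       # fail immediately
        elif control == "required":
            required_failed = True     # fail, but keep walking the stack
        # a failed "sufficient" module is ignored
    if required_failed:
        return "denied", ran
    return ("granted" if positive else "undecided"), ran


def fails_closed(stack_text, failing_modules):
    """True if the stack denies access when the named modules fail
    and every other module succeeds."""
    rules = parse_stack(stack_text)
    outcomes = {module: module not in failing_modules for _, module in rules}
    return evaluate(rules, outcomes)[0] == "denied"


CREDENTIAL_MODULES = {"pam_opie.so", "pam_ldap.so", "pam_unix.so"}

if __name__ == "__main__":
    for name, stack in [("fixed auth", FIXED_AUTH), ("no backstop", NO_BACKSTOP_AUTH),
                        ("optional account", OPTIONAL_ACCOUNT)]:
        print(name, "fails closed:", fails_closed(stack, CREDENTIAL_MODULES))
```

In this model the posted stack denies a wrong password because pam_unix.so is required, while the constructed stack without that line is granted on the strength of the requisite access check alone.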
Re: LDAP C API
On Mon, 07/06/2010 at 08:47 -0700, Quanah Gibson-Mount wrote:

--On Monday, June 07, 2010 11:17 AM +0300 Покотиленко Костик cas...@meteor.dp.ua wrote:

So, I need to have a way to know whether each attribute is RDN or Required or Structural, etc.

Then you need to parse the schema.

Thanks.

--
Покотиленко Костик cas...@meteor.dp.ua
Re: smbk5pwd: ldappassword hangs
Hi -

On Mon, 7 Jun 2010 11:56:48 +0200, Frank Van Damme frank.vanda...@gmail.com wrote:

2010/5/31 Frank Van Damme frank.vanda...@gmail.com:

Hi list, I installed and configured the smbk5pwd overlay as described on http://student.physik.uni-mainz.de/~reiffert/smbk5pwd.html#smbk5pwd. This succeeded, the module is loaded etc. But an unwelcome side effect is that password changes don't function anymore. With the overlay/module disabled, there is no problem; if I enable it, the ldappasswd command hangs. I marked where I hit Ctrl-C on the hanging ldappasswd command. This is the slapd log...

Does no one have an idea, please?

Not really ...

I'm also adding the log in a situation where the module is not used and the ldappasswd operation is requested (which succeeds). At a certain point, the log says do_extended, that's where the previous log stops...

Same problem as I figured out: in the last two weeks I have been testing the combination Heimdal+OpenLdap+Samba and the smbk5pwd overlay. I compiled the stable OpenLdap and Heimdal releases successfully and combined them with Samba. The error is nearly the same as described above. Only when I am changing the password over Kerberos (via pam or kpasswd) will the password changes be done to the samba password (for userPassword I use the {K5KEY} entry as described in smbk5pwd). Try the ldappasswd with verbose output, you may see that the command tries over and over to change the password...
Regards,
Marco

do_bind: v3 bind: uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be to uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=0 matched= text=
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 15
: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0a
ldap_write: want=14, written=14
: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0a
conn=0 op=0 RESULT tag=97 err=0 text=
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=0
connection_read(15): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
: 30 32 02 01 02 77 2d 80 02...w-.
ldap_read: want=44, got=44
: 17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 30 .1.3.6.1.4.1.420
0010: 33 2e 31 2e 31 31 2e 31 81 12 30 10 81 06 74 72 3.1.11.1..0...tr
0020: 79 74 72 79 82 06 74 72 79 74 72 79 ytry..trytry
ber_get_next: tag 0x30 len 50 contents:
ber_dump: buf=0x824a1a8 ptr=0x824a1a8 end=0x824a1da len=50
: 02 01 02 77 2d 80 17 31 2e 33 2e 36 2e 31 2e 34 ...w-..1.3.6.1.4
0010: 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 31 81 12 .1.4203.1.11.1..
0020: 30 10 81 06 74 72 79 74 72 79 82 06 74 72 79 74 0...trytry..tryt
0030: 72 79 ry
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=0 op=1 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x824a1a8 ptr=0x824a1ab end=0x824a1da len=47
: 77 2d 80 17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w-..1.3.6.1.4.1.
0010: 34 32 30 33 2e 31 2e 31 31 2e 31 81 12 30 10 81 4203.1.11.1..0..
0020: 06 74 72 79 74 72 79 82 06 74 72 79 74 72 79 .trytry..trytry
ber_scanf fmt (m) ber:
ber_dump: buf=0x824a1a8 ptr=0x824a1c6 end=0x824a1da len=20
: 00 12 30 10 81 06 74 72 79 74 72 79 82 06 74 72 ..0...trytry..tr
0010: 79 74 72 79 ytry
conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
do_extended: oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=1 PASSMOD old new
bdb_dn2entry(uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be)
= bdb_entry_get: ndn: uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be
= bdb_entry_get: oc: (null), at: userPassword
bdb_dn2entry(uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be)
= bdb_entry_get: found entry: uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be
bdb_entry_get: rc=0
= access_allowed: auth access to uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be userPassword requested
= acl_get: [1] attr userPassword
= slap_access_allowed: result not in cache (userPassword)
= acl_mask: access to entry uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be, attr userPassword requested
= acl_mask: to value by uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be, (=0)
= check a_dn_pat: cn=admin,dc=otec,dc=vub,dc=ac,dc=be
= check a_dn_pat: anonymous
= check a_dn_pat: self
= acl_mask: [3] applying