could not config n-way multi-master because insufficient access

2010-06-07 Thread owen nirvana
My env is Debian squeeze, OpenLDAP 2.4.17 (from packages.debian.org).
I created an OpenLDAP server and tried to configure N-Way multi-master, according
to the OpenLDAP Admin Guide.
I am adding an init.ldif file on the server; the following is the content:

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

and I get an error (insufficient access), even if I set access to * by *
write in slapd.conf.

Actually, I don't understand what the guide said.

This sets up the config database:

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret


The above configuration block could not be imported on my computer, as I said
at the beginning.



Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. with
your actual ldap urls):

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 $URI1
olcServerID: 2 $URI2
olcServerID: 3 $URI3

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE



This configuration block seems to conflict with the former one. Why should I write
olcServerID: 1 $URI1 into the LDAP server if olcServerID: 1 is right, and
why should I not write one entire configuration, but two configuration files
which seem to conflict, separately?

I have set up unlimited privilege; why does the LDAP server report insufficient
access? What privilege should be set?


Thanks for help

gtalk:freeespe...@gmail.com


Re: Bidirectional sync using openldap and active directory

2010-06-07 Thread Benjamin MONTHOUEL
Thanks for the response. I've already found the LSC project, but I wasn't sure
that LSC is compatible with Kerberos tokens and the users' process of
changing their own password.


Benjamin MONTHOUËL
Systems Administrator Assistant
NETASQ France - We Secure IT
Villeneuve d'Ascq


On 04/06/2010 13:17, Jonathan Clarke wrote:

On 27/05/2010 10:25, Benjamin MONTHOUEL wrote:

Hi,

I'd like to know which method is recommended by openldap.org to perform
a bidirectional sync with Microsoft Active Directory.
This method has to notice that users changed their password by
themselves. Kerberos token ???

Thanks for any information.


Hi,

OpenLDAP does not include any mechanism to sync with Active Directory. 
Both directories have replication mechanisms, but they are incompatible.


I can personally (this is not an openldap.org recommendation) 
recommend using a third party tool to synchronize the two directories, 
such as Ldap Synchronization Connector (LSC), which is designed for 
exactly this purpose - see http://lsc-project.org.


Hope this helps,
Jonathan


Re: how to get DIT structure info

2010-06-07 Thread Покотиленко Костик
On Fri, 04/06/2010 at 21:09 +0800, owen nirvana wrote:
 hi,
 I have a question. I want to manage some data with OpenLDAP, and I hope to
 show it as a tree structure when I list it. So I want to get the DIT
 structure info and create the corresponding nodes in my treeview. So,
 how do I do that?

What API are you using? GTK/C?

-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: LDAP C API

2010-06-07 Thread Покотиленко Костик
On Thu, 03/06/2010 at 18:10 -0700, Quanah Gibson-Mount wrote:
 --On Thursday, June 03, 2010 6:56 PM +0300 Покотиленко 
 Костик cas...@meteor.dp.ua wrote:
 
  Did this message hit the list?
 
  Hi there,
 
  I'm writing GTK application for managing LDAP directory, a kind of GTK
  variant of phpldapadmin.
 
  As for now I'm able to browse directory, objects' properties and their
  values.
 
  What is not clear is how to figure out the RDN and Required property,
  and Structural value.
 
  How it is done?
 
 What do you mean by required property?

The property which is required for this object. I thought there could be
some calls to figure out whether the attribute is required or not (also if
it is RDN or structural or just a plain attribute). I know it's possible to
analyze the schema to figure that out, but maybe there is a simple way.

 The RDN is the first value of the 
 full DN.

So if the attribute=value equals to first part of full DN then it is
RDN, right?

  You can look at the structuralObjectClass attr to find what it is 
 structurally.

To be more specific, here is the code to process an ldap search result:

-
for (entry = ldap_first_entry(ld, msg); entry != NULL;
     entry = ldap_next_entry(ld, entry)) {
    // process entry here ...
    for (attr = ldap_first_attribute(ld, entry, &ber); attr != NULL;
         attr = ldap_next_attribute(ld, entry, ber)) {
        // process attributes here ...
        if ((vals = ldap_get_values(ld, entry, attr)) != NULL) {
            for (i = 0; vals[i]; i++) {
                // processing values here ...
            }
            ldap_value_free(vals);  // release the value array
        }
        ldap_memfree(attr);         // attribute names are allocated by libldap
    }
    if (ber != NULL)
        ber_free(ber, 0);           // release the iterator state
}
-

Say I want to fill a GUI table for each entry with such headers: Attribute,
Values, Attribute Type (RDN|Required|Structural)

So, I need to have a way to know whether each attribute is RDN or Required or
Structural, etc.

-- 
Покотиленко Костик cas...@meteor.dp.ua



RE: User restriction

2010-06-07 Thread Stuart Cherrington



 Date: Sat, 5 Jun 2010 11:39:22 -0700
 From: h...@symas.com
 To: bgmi...@staff.telkomsa.net
 CC: openldap-technical@openldap.org; jonat...@phillipoux.net; 
 stuart_cherring...@hotmail.co.uk
 Subject: Re: User restriction
 
 Buchan Milne wrote:
  On Friday, 4 June 2010 13:47:42 Jonathan Clarke wrote:
  On 04/06/2010 11:49, Stuart Cherrington wrote:
 
  As far as I know, nss_base_passwd is not a valid keyword in ldap.conf
  for OpenLDAP clients.
 
  If you're configuring this on a Linux server, I think you'll find the
  equivalent configuration in /etc/libnss_ldap.conf or similar.
 
  Upstream default is /etc/ldap.conf, libnss-ldap.conf is an unnecessary 
  Debian-
  ism.
 
 The upstream default has been an endless source of confusion for the better 
 part of a decade. Renaming ala Debian is the right answer.
 


OK - Thanks for all your comments so far, the whole LDAP structure is starting 
to become clearer but not as simple as I'd like. As Aron suggested, I used the 
ldapcompare command to see if I could pull the 'member' information from the 
schema but it fails.

An ldapsearch shows the following:

ldapsearch -x -b 'ou=auth,dc=ldn,dc=sw,dc=com' -h 10.2.250.15 -D 
cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xx
# extended LDIF
#
# LDAPv3
# base ou=auth,dc=ldn,dc=sw,dc=com with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# auth, ldn.sw.com
dn: ou=auth,dc=ldn,dc=sw,dc=com
ou: auth
objectClass: organizationalUnit
objectClass: top

# access, auth, ldn.sw.com
dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=jason,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pstuart,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pfield,ou=people,dc=ldn,dc=sw,dc=com
member: uid=nereelot,ou=people,dc=ldn,dc=sw,dc=com
member: uid=scolebro,ou=people,dc=ldn,dc=sw,dc=com
member: uid=bpower,ou=people,dc=ldn,dc=sw,dc=com
member: uid=ihunt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=emoreton,ou=people,dc=ldn,dc=sw,dc=com
member: uid=lcable,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pmurray,ou=people,dc=ldn,dc=sw,dc=com

# search result
search: 2
result: 0 Success

You can clearly see the first Member line is myself. If I now try:

ldapcompare2.4 -v -x -h 10.2.250.15 -D 
cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w  
ou=auth,dc=ldn,dc=sw,dc=com member:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com

ldap_initialize( ldap://10.2.250.15 )
DN:ou=auth,dc=ldn,dc=sw,dc=com, attr:member, 
value:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
Compare Result: No such attribute (16)
UNDEFINED

Any pointers here would be useful.

Thanks,

Stuart.

  

Re: Pam password authentication

2010-06-07 Thread Buchan Milne
On Saturday, 5 June 2010 22:52:10 Siddhartha Jain wrote:
 I came across a similar bug where enabling chaining between a master and
  slave allows invalid passwords to be accepted by pam_ldap. Unfortunately,
  no word from OpenLDAP or pam_ldap maintainers on the issue.

Did you file an ITS?

  I have been
  looking at pam_ldap source code but haven't been able to pinpoint the
  issue. In my case, it has something to do with password policy not being
  handled properly when chaining is enabled. I suggest try tweaking those
  pam_password statements and see if you can deduce anything.

Well, the first thing would be to be absolutely sure the PAM config is correct, 
I haven't had time to compare, my PAM config is quite a bit more complex (with 
pam_ccreds in the mix), but I do have a required pam_deny.so at the end of 
mine ... (and I can't remember if it is a requirement because of the two 
sufficient's, or because of the pam_ccreds stuff which follows).

Regards,
Buchan


Re: pam_ldap doesn't bind SIMPLE for anonymous auth?

2010-06-07 Thread Buchan Milne
On Friday, 4 June 2010 23:50:26 Jo Rhett wrote:
 I'm seeing a problem where I can authenticate as a user using the ldap
  tools (ie ldapsearch) but I am unable to login using PAM.
 
 Comparing debug on the server shows that ldapsearch is doing a new BIND,
  whereas PAM is not:
 
 Jun  4 14:58:52 ldap-server slapd[5158]: = dn: [1]
 Jun  4 14:58:52 ldap-server slapd[5158]: = acl_get: [2] attr userPassword
 Jun  4 14:58:52 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
 Jun  4 14:58:52 ldap-server slapd[5158]: = acl_mask: access to entry uid=jrhett,ou=Users,dc=equinix,dc=com, attr userPassword requested
 Jun  4 14:58:52 ldap-server slapd[5158]: = acl_mask: to value by , (=0)
 Jun  4 14:58:52 ldap-server slapd[5158]: = check a_dn_pat: anonymous
 Jun  4 14:58:52 ldap-server slapd[5158]: = acl_mask: [1] applying auth(=xd) (stop)
 Jun  4 14:58:52 ldap-server slapd[5158]: = acl_mask: [1] mask: auth(=xd)
 Jun  4 14:58:52 ldap-server slapd[5158]: = access_allowed: auth access granted by auth(=xd)
 Jun  4 14:58:52 ldap-server slapd[5158]: send_ldap_result: conn=75 op=2 p=3
 Jun  4 14:58:52 ldap-server slapd[5158]: send_ldap_result: err=49 matched= text=
 Jun  4 14:58:52 ldap-server slapd[5158]: send_ldap_response: msgid=3 tag=97 err=49
 Jun  4 14:58:52 ldap-server slapd[5158]: conn=75 op=2 RESULT tag=97 err=49 text=
 
 Now ldapsearch has identical debug output down until just below the
  access_allowed line.
 
 Jun  4 15:02:54 ldap-server slapd[5158]: = acl_get: [2] attr userPassword
 Jun  4 15:02:54 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
 Jun  4 15:02:54 ldap-server slapd[5158]: = acl_mask: access to entry uid=jrhett,ou=Users,dc=equinix,dc=com, attr userPassword requested
 Jun  4 15:02:54 ldap-server slapd[5158]: = acl_mask: to value by , (=0)
 Jun  4 15:02:54 ldap-server slapd[5158]: = check a_dn_pat: anonymous
 Jun  4 15:02:54 ldap-server slapd[5158]: = acl_mask: [1] applying auth(=xd) (stop)
 Jun  4 15:02:54 ldap-server slapd[5158]: = acl_mask: [1] mask: auth(=xd)
 Jun  4 15:02:54 ldap-server slapd[5158]: = access_allowed: auth access granted by auth(=xd)
 Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 BIND dn=uid=jrhett,ou=Users,dc=equinix,dc=com mech=SIMPLE ssf=0
 Jun  4 15:02:54 ldap-server slapd[5158]: do_bind: v3 bind: uid=jrhett,ou=Users,dc=equinix,dc=com to uid=jrhett,ou=Users,dc=equinix,dc=com
 Jun  4 15:02:54 ldap-server slapd[5158]: send_ldap_result: conn=83 op=0 p=3
 Jun  4 15:02:54 ldap-server slapd[5158]: send_ldap_result: err=0 matched= text=
 Jun  4 15:02:54 ldap-server slapd[5158]: send_ldap_response: msgid=1 tag=97 err=0
 Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 RESULT tag=97 err=0 text=
 Jun  4 15:02:54 ldap-server slapd[5158]: daemon: activity on 1 descriptor
 Jun  4 15:02:54 ldap-server slapd[5158]: daemon: activity on:
 
 Can someone give me a clue what's going wrong here?

err=49 is invalid credentials, thus one or more of:
1) Wrong DN
2) Wrong password
3) ACLs don't allow simple auth

Your successful authentication with the same DN with ldapsearch rules out (1)
and (also indicated in the acl logging for the pam_ldap case) (3).

That leaves one more cause ...

 The key to this problem is that I'm trying to avoid putting system logins,
  rootbinddns on each server, and just do anonymous bind's for
  authentication.

Well, it needn't be rootbinddns, in the sense that you should be just as 
happy to lose a binddn or rootbinddn as with providing anonymous access (these 
users should be least-privilege, only with access to similar data you are 
already exposing to all users who would have access to the credentials - via 
'getent passwd'), but you could consider using Kerberos keytab's or 
certificates, or per-host credentials.

Either way, I have used anonymous for nss_ldap/pam_ldap before, without 
problems.

  No configuration file on this client has a valid Manager
  or any other authentication password, and I'm trying to keep it that way. 
   In theory, this should work ;-)  I mean, ldapsearch works fine ...

Sure, but are you sure ldapsearch and pam_ldap are using the same password? If 
you *think* so, maybe you should check with a packet capture ...

Regards,
Buchan
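
Added example, not part of the original thread: a Python correlator for the reasoning in the reply above. It pairs each BIND line with its RESULT tag=97 line by conn/op and reports DNs that fail with err=49, including DNs that also bind successfully from another connection. The log lines, DNs and function names are constructed; the method=128 line is the one slapd writes when a simple bind request arrives.

```python
import re
from collections import Counter

# Constructed sample in slapd's connection/operation log format; not from the thread.
SAMPLE_LOG = """\
Jun  4 14:58:52 ldap-server slapd[5158]: conn=75 op=2 BIND dn="uid=jdoe,ou=Users,dc=example,dc=com" method=128
Jun  4 14:58:52 ldap-server slapd[5158]: conn=75 op=2 RESULT tag=97 err=49 text=
Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 BIND dn="uid=jdoe,ou=Users,dc=example,dc=com" method=128
Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 BIND dn="uid=jdoe,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0
Jun  4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 RESULT tag=97 err=0 text=
Jun  4 15:03:10 ldap-server slapd[5158]: conn=84 op=0 BIND dn="uid=asmith,ou=Users,dc=example,dc=com" method=128
Jun  4 15:03:10 ldap-server slapd[5158]: conn=84 op=0 RESULT tag=97 err=49 text=
Jun  4 15:03:11 ldap-server slapd[5158]: conn=84 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# The DN is quoted in real logs; the archive above shows it with quotes stripped.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn=(?:"([^"]*)"|(\S*))')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
BIND_RESPONSE_TAG = 97      # 0x61, the bind response, logged as tag=97
INVALID_CREDENTIALS = 49    # err=49


def bind_results(log_text):
    """Return (conn, op, dn, err) for every bind that has a RESULT line."""
    pending = {}            # (conn, op) -> DN taken from the matching BIND line
    results = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            dn = m.group(3) if m.group(3) is not None else m.group(4)
            # Lower-cased so ou=Users and ou=users correlate as the same DN.
            pending[(int(m.group(1)), int(m.group(2)))] = dn.lower()
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(3)) == BIND_RESPONSE_TAG:
            key = (int(m.group(1)), int(m.group(2)))
            results.append((key[0], key[1], pending.pop(key, "<unknown>"),
                            int(m.group(4))))
    return results


def failed_binds_by_dn(log_text):
    """Count err=49 bind results per DN."""
    return Counter(dn for _, _, dn, err in bind_results(log_text)
                   if err == INVALID_CREDENTIALS)


def mixed_outcome_dns(log_text):
    """DNs that both failed with err=49 and bound successfully.

    A success shows the DN and the ACLs are fine, so the client behind the
    failing connection is the one to inspect (the reasoning in the reply).
    """
    results = bind_results(log_text)
    ok = {dn for _, _, dn, err in results if err == 0}
    bad = {dn for _, _, dn, err in results if err == INVALID_CREDENTIALS}
    return sorted(ok & bad)


if __name__ == "__main__":
    for dn, count in failed_binds_by_dn(SAMPLE_LOG).items():
        print(f"{count} failed bind(s): {dn}")
    print("failed and succeeded:", mixed_outcome_dns(SAMPLE_LOG))
```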


Re: [SOLVED] Pam password authentication

2010-06-07 Thread Indexer
I have solved this issue, unfortunately I don't think I sent it back to the
mailing list. It was to do with my combination of required and sufficient, and
I lacked pam_deny.so. I replaced it with

auth  sufficient  pam_opie.so                 no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so           no_warn allow_local
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth  required    pam_unix.so                 no_warn use_first_pass

And this seems to have corrected the behaviour.

On 07/06/2010, at 7:31 PM, Buchan Milne wrote:

 On Saturday, 5 June 2010 22:52:10 Siddhartha Jain wrote:
 I came across a similar bug where enabling chaining between a master and
 slave allows invalid passwords to be accepted by pam_ldap. Unfortunately,
 no word from OpenLDAP or pam_ldap maintainers on the issue.
 
 Did you file an ITS?
 
 I have been
 looking at pam_ldap source code but haven't been able to pinpoint the
 issue. In my case, it has something to do with password policy not being
 handled properly when chaining is enabled. I suggest try tweaking those
 pam_password statements and see if you can deduce anything.
 
 Well, the first thing would be to be absolutely sure the PAM config is 
 correct, 
 I haven't had time to compare, my PAM config is quite a bit more complex 
 (with 
 pam_ccreds in the mix), but I do have a required pam_deny.so at the end of 
 mine ... (and I can't remember if it is a requirement because of the two 
 sufficient's, or because of the pam_ccreds stuff which follows).
 
 Regards,
 Buchan



Re: ldap with squid auth helper

2010-06-07 Thread Buchan Milne
On Friday, 4 June 2010 21:05:26 Gerardo Herzig wrote:
 Hi all. I'm trying to use squid with the squid_ldap_group auth helper.
 
 The schema looks like
 o=Company
 
  -Groups
 
  |-ProxyUsers
 |
 |-Managers
 |-Sales
 
 Managers and Sales are OrganizationalUnit, ProxyUsers is GroupofUniqueNames
 
 Each entry of Managers and Sales inherits from PosixAccount and
 InetOrgPerson
 
 ProxyUsers entry for the user foo is:
 UniqueMember: uid=foo,ou=Managers,o=Company
 UniqueMember: uid=anotherfoo,ou=Sales,o=Company
 
 Inside the ProxyUsers can be people from Managers, Sales, and so on.
 I'm failing to test squid_ldap_group from command line (I think the
 filters part)
 
 1) Is there a way to test if the user foo is part of the ProxyUsers group?

Yes, but from a squid perspective, you will be relying on DN construction in 
the filter if you do it this way.

 2) It is possible to tell squid_ldap_group to look for uid=foo in
 Manager AND Sales, and if there is one try to use it?
 Like if the filter could be (uid=foo) _AND_ (ou=Managers _OR_ ou=Sales)?

This sounds more like a question you should pose to the developers of this 
software, but having gone down a path requiring DN construction may not be the 
best option. Or, do you need to cater to identical uid values in different
containers?

Regards,
Buchan


Re: LDAP C API

2010-06-07 Thread Quanah Gibson-Mount
--On Monday, June 07, 2010 11:17 AM +0300 Покотиленко 
Костик cas...@meteor.dp.ua wrote:



So, I need to have a way to know whether each attribute is RDN or Required
or Structural, etc


Then you need to parse the schema.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration
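
Added example, not part of the original thread: what "parse the schema" involves for the table asked about in this thread, shown in Python on constructed data. It parses RFC 4512 objectClass descriptions, follows SUP chains to collect MUST attributes, and labels each attribute value of an entry as RDN, required, or by object class kind. The entry, DN and function names are assumptions; values are matched case-insensitively and hex escapes in DNs are not decoded.

```python
import re

# Constructed sample: standard object classes (RFC 4512/4519/2798/2307) with
# shortened MAY lists, as found in a subschema entry's objectClasses attribute.
OBJECT_CLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( mail $ uid ) )",
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' "
    "SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( loginShell ) )",
]
ENTRY_DN = "uid=jdoe,ou=People,dc=example,dc=com"            # constructed entry
ENTRY = {"objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["jdoe"],
         "cn": ["Jane Doe"], "sn": ["Doe"], "mail": ["jdoe@example.com"],
         "uidNumber": ["1000"], "gidNumber": ["1000"], "homeDirectory": ["/home/jdoe"]}

def parse_objectclass(desc):
    """Parse one ObjectClassDescription into names, SUP, kind, MUST and MAY."""
    desc = re.sub(r"DESC\s+'[^']*'", "", desc)   # free text may contain keywords

    def oids(keyword):
        m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|(\S+))", desc)
        if not m:
            return []
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        return [t.strip("'").lower() for t in re.split(r"[\s$]+", raw) if t]

    kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", desc)
    return {"names": oids("NAME"), "sup": oids("SUP"),
            "kind": kind.group(1).lower() if kind else "structural",
            "must": set(oids("MUST")), "may": set(oids("MAY"))}

def load_schema(descriptions):
    """Index parsed object classes by every lower-cased name."""
    parsed = [parse_objectclass(d) for d in descriptions]
    return {name: oc for oc in parsed for name in oc["names"]}

def required_attrs(classes, index):
    """Union of MUST over the listed classes and all their superclasses."""
    must, todo, seen = set(), [c.lower() for c in classes], set()
    while todo:
        name = todo.pop()
        if name in index and name not in seen:
            seen.add(name)
            must |= index[name]["must"]
            todo += index[name]["sup"]
    return must

def rdn_pairs(dn):
    """(attr, value) pairs of the leftmost RDN; escaped ',' and '+' stay literal."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    pairs = set()
    for ava in re.split(r"(?<!\\)\+", first):
        attr, _, value = ava.partition("=")
        pairs.add((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip()).lower()))
    return pairs

def classify(dn, entry, index):
    """Rows of (attribute, value, labels) for a table like the one in the thread."""
    must = required_attrs(entry.get("objectClass", []), index)
    rdn, rows = rdn_pairs(dn), []
    for attr, values in entry.items():
        for value in values:
            labels = []
            if (attr.lower(), value.lower()) in rdn:
                labels.append("RDN")
            if attr.lower() in must:
                labels.append("required")
            if attr.lower() == "objectclass" and value.lower() in index:
                labels.append(index[value.lower()]["kind"])
            rows.append((attr, value, labels))
    return rows
```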


Re: smbk5pwd: ldappassword hangs

2010-06-07 Thread Quanah Gibson-Mount
--On Monday, June 07, 2010 11:56 AM +0200 Frank Van Damme 
frank.vanda...@gmail.com wrote:



2010/5/31 Frank Van Damme frank.vanda...@gmail.com:

Hi list,

I installed and configured the smbk5pwd overlay as described on
http://student.physik.uni-mainz.de/~reiffert/smbk5pwd.html#smbk5pwd.
This succeeded, the module is loaded etc. But an unwelcome side effect
is that password changes don't function anymore. With the
overlay/module disabled, there is no problem; if I enable it, the
ldappasswd command hangs. I marked where I hit Ctrl-C on the hanging
ldappasswd command.

This is the slapd log...



Does no one have an idea, please?


What version of OpenLDAP are you using?  You've failed to mention that 
anywhere.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: Pam password authentication

2010-06-07 Thread Indexer

 
 This is more of a pam config problem than openldap related... but your
 account section probably needs either ldap or unix to be required/sufficient
 rather than optional. As it is now it will check that there is no nologin
 file, and then check through your pam login.access file, it will check that
 the user exists in passwd or ldap but won't fail if it isn't, just that it
 meets criteria set in the access file, which might be set up to allow anything
 in. Also, your auth section is set up such that if opie succeeds, you are
 auth'd, it won't bother to check ldap or unix because if it fails, it will
 return failure immediately (that's what requisite does). I'd be careful with
 the use of optional in pamconfig, especially around the auth and account
 sections. I would reserve its use for session (if anywhere), as it's more of a
 try it, if it works Ok, if not, so what rule, good for homedir creation or
 displaying motd (so if it fails, you still get in, since it's not critical you
 see motd or have a homedir, but nice if it does work).
 
 -T

Thank you for this, I will definitely take your advice, and go over pam more
thoroughly, as it was one of my weaker areas of understanding.

Your help is appreciated

William
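
Added example, not part of the original thread: a Python check for the two points made in the "Pam password authentication" messages, namely that the stack needs a final required module (pam_deny.so or pam_unix.so) and that optional is risky in the auth and account sections. It assumes pam.d-style lines without a leading service column; SOLVED_STACK repeats the four lines from the [SOLVED] message, while WEAK_STACK, the finding codes and the function names are constructed.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "lineno facility control module")
DENYING = {"required", "requisite"}       # a failure here fails the stack
UNEVALUATED = {"include", "substack"}     # pulls in another file; not followed here
CHECKED_FACILITIES = ("auth", "account")
LINE_RE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# The auth stack posted in the "[SOLVED]" message.
SOLVED_STACK = """\
auth  sufficient  pam_opie.so                 no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so           no_warn allow_local
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth  required    pam_unix.so                 no_warn use_first_pass
"""

# Constructed counter-example; the module choice is an assumption, not the poster's file.
WEAK_STACK = """\
auth     sufficient  pam_opie.so                 no_warn no_fake_prompts
auth     requisite   pam_opieaccess.so           no_warn allow_local
auth     sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth     sufficient  pam_unix.so                 no_warn use_first_pass
account  required    pam_nologin.so
account  optional    /usr/local/lib/pam_ldap.so
account  optional    pam_unix.so
"""


def parse_pam(text):
    """Parse pam.d-style lines (facility control module args...) into entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(lineno, m.group(1).lstrip("-").lower(),
                                 m.group(2).lower(), m.group(3)))
    return entries


def lint(text):
    """Return (lineno, facility, code) findings for the auth and account stacks."""
    stacks = {}
    for entry in parse_pam(text):
        stacks.setdefault(entry.facility, []).append(entry)
    findings = []
    for facility in CHECKED_FACILITIES:
        stack = stacks.get(facility, [])
        if not stack:
            continue
        # The result of an optional module is ignored when other modules are present.
        findings += [(e.lineno, facility, "optional-module")
                     for e in stack if e.control == "optional"]
        last = stack[-1]
        if last.control in UNEVALUATED or last.control.startswith("["):
            findings.append((last.lineno, facility, "last-entry-not-evaluated"))
        elif last.control not in DENYING:
            # Heuristic: no denying module is left once every sufficient one has failed.
            findings.append((last.lineno, facility, "no-final-deny"))
    return findings


if __name__ == "__main__":
    for name, stack in (("solved", SOLVED_STACK), ("weak", WEAK_STACK)):
        print(name, lint(stack))
```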

Re: LDAP C API

2010-06-07 Thread Покотиленко Костик
On Mon, 07/06/2010 at 08:47 -0700, Quanah Gibson-Mount wrote:
 --On Monday, June 07, 2010 11:17 AM +0300 Покотиленко 
 Костик cas...@meteor.dp.ua wrote:
 
  So, I need to have a way to know whether each attribute is RDN or Required
  or Structural, etc
 
 Then you need to parse the schema.

Thanks.

-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: smbk5pwd: ldappassword hangs

2010-06-07 Thread Marco Göbel

Hi -

On Mon, 7 Jun 2010 11:56:48 +0200, Frank Van Damme
frank.vanda...@gmail.com wrote:
 2010/5/31 Frank Van Damme frank.vanda...@gmail.com:
 Hi list,

 I installed and configured the smbk5pwd overlay as described on
 http://student.physik.uni-mainz.de/~reiffert/smbk5pwd.html#smbk5pwd.
 This succeeded, the module is loaded etc. But an unwelcome side effect
 is that password changes don't function anymore. With the
 overlay/module disabled, there is no problem; if I enable it, the
 ldappasswd command hangs. I marked where I hit Ctrl-C on the hanging
 ldappasswd command.

 This is the slapd log...
 
 
 Does no one have an idea, please?
Not really ...

 I'm also adding the log in a situation where the module is not used
 and the ldappasswd operation is requested (which succeeds). At a
 certain point, the log says do_extended, that's where the previous
 log stops...

Same problem as I figured out: in the last two weeks I have been testing the
combination Heimdal+OpenLdap+Samba and
the smbk5pwd overlay. I compiled the stable OpenLdap and Heimdal release
successfully and combined it with Samba.
The error is nearly the same as described above. Only when I am changing
the password over Kerberos (via pam or kpasswd)
the password changes will be done to the samba password (for userPassword I
use the {K5KEY} entry as described in smbk5pwd).

Try the ldappasswd with verbose output, you may see that the command tries
over and over to change the password...

Regards,
Marco

 do_bind: v3 bind: uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be to
 uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be
 send_ldap_result: conn=0 op=0 p=3
 send_ldap_result: err=0 matched= text=
 send_ldap_response: msgid=1 tag=97 err=0
 ber_flush2: 14 bytes to sd 15
   :  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00
0a
 ldap_write: want=14, written=14
   :  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00
0a
 conn=0 op=0 RESULT tag=97 err=0 text=
 
 daemon: epoll: listen=7 active_threads=0 tvp=zero
 daemon: epoll: listen=8 active_threads=0 tvp=zero
 daemon: epoll: listen=9 active_threads=0 tvp=zero
 daemon: epoll: listen=10 active_threads=0 tvp=zero
 daemon: activity on 1 descriptor
 daemon: activity on: 15r
 daemon: read active on 15
 daemon: epoll: listen=7 active_threads=0 tvp=zero
 daemon: epoll: listen=8 active_threads=0 tvp=zero
 daemon: epoll: listen=9 active_threads=0 tvp=zero
 daemon: epoll: listen=10 active_threads=0 tvp=zero
 connection_get(15)
 connection_get(15): got connid=0
 connection_read(15): checking for input on id=0
 ber_get_next
 ldap_read: want=8, got=8
   :  30 32 02 01 02 77 2d 8002...w-.
 ldap_read: want=44, got=44
   :  17 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 34 32 30  
   .1.3.6.1.4.1.420
   0010:  33 2e 31 2e 31 31 2e 31  81 12 30 10 81 06 74 72  
   3.1.11.1..0...tr
   0020:  79 74 72 79 82 06 74 72  79 74 72 79   ytry..trytry
 ber_get_next: tag 0x30 len 50 contents:
 ber_dump: buf=0x824a1a8 ptr=0x824a1a8 end=0x824a1da len=50
   :  02 01 02 77 2d 80 17 31  2e 33 2e 36 2e 31 2e 34  
   ...w-..1.3.6.1.4
   0010:  2e 31 2e 34 32 30 33 2e  31 2e 31 31 2e 31 81 12  
   .1.4203.1.11.1..
   0020:  30 10 81 06 74 72 79 74  72 79 82 06 74 72 79 74  
   0...trytry..tryt
   0030:  72 79  ry
 ber_get_next
 ldap_read: want=8 error=Resource temporarily unavailable
 conn=0 op=1 do_extended
 ber_scanf fmt ({m) ber:
 ber_dump: buf=0x824a1a8 ptr=0x824a1ab end=0x824a1da len=47
   :  77 2d 80 17 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e  
   w-..1.3.6.1.4.1.
   0010:  34 32 30 33 2e 31 2e 31  31 2e 31 81 12 30 10 81  
   4203.1.11.1..0..
   0020:  06 74 72 79 74 72 79 82  06 74 72 79 74 72 79 
.trytry..trytry
 ber_scanf fmt (m) ber:
 ber_dump: buf=0x824a1a8 ptr=0x824a1c6 end=0x824a1da len=20
   :  00 12 30 10 81 06 74 72  79 74 72 79 82 06 74 72  
   ..0...trytry..tr
   0010:  79 74 72 79ytry
 conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
 do_extended: oid=1.3.6.1.4.1.4203.1.11.1
 conn=0 op=1 PASSMOD old new
 bdb_dn2entry(uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be)
 = bdb_entry_get: ndn: uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be
 = bdb_entry_get: oc: (null), at: userPassword
 bdb_dn2entry(uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be)
 = bdb_entry_get: found entry:
 uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be
 bdb_entry_get: rc=0
 = access_allowed: auth access to
 uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be userPassword
 requested
 = acl_get: [1] attr userPassword
 = slap_access_allowed: result not in cache (userPassword)
 = acl_mask: access to entry
 uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be, attr userPassword
 requested
 = acl_mask: to value by
 uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be, (=0)
 = check a_dn_pat: cn=admin,dc=otec,dc=vub,dc=ac,dc=be
 = check a_dn_pat: anonymous
 = check a_dn_pat: self
 = acl_mask: [3] applying