problem of using ldap attribute memberOf for authorization

fangjin_ut · ‎11-09-2012

Hi,

I modified the original post, as I found there are similar issues which describe the problem more clearly.

In short, does anyone have success to get the memberOf overlay attribute working with openLDAP and Cisco ASA?

I have configured the openLDAP with memberOf overlay and ldapsearch also returns the memberOf value.

However, when I try and query this information from Cisco it did not pick up on the memberOf attribute.

If there is no way to do that, what would be the work around to setup authorization base upon user's group?

Any help much appreciated,

Jin

fangjin_ut · ‎11-12-2012

Can anyone help? I have been stucked in the problem for quite some time

Jennifer Halim · ‎11-12-2012

Can you pls share the ASA configuration, and the output of "debug ldap 255" when you are trying to authenticate. Thx.

fangjin_ut · ‎11-13-2012

Thank you Jennifer for your reply. Here is output of debug ldap 255

asa# AAA API: In aaa_open

AAA session opened: handle = 36

AAA API: In aaa_process_async

aaa_process_async: sending AAA_MSG_PROCESS

AAA task: aaa_process_msg(0x00007ffebbe519c0) received message type 0

AAA FSM: In AAA_StartAAATransaction

AAA FSM: In AAA_InitTransaction

Initiating authentication to primary server (Svr Grp: LOCAL)

------------------------------------------------

AAA FSM: In AAA_BindServer

AAA_BindServer: Using server:

AAA FSM: In AAA_SendMsg

User: testuser

Resp:

In localauth_ioctl

Local authentication of user testuser

callback_aaa_task: status = 1, msg =

AAA FSM: In aaa_backend_callback

aaa_backend_callback: Handle = 36, pAcb = 0x00007ffec81bbc58

aaa_backend_callback: Error:

AAA task: aaa_process_msg(0x00007ffebbe519c0) received message type 1

AAA FSM: In AAA_ProcSvrResp

Back End response:

------------------

Authentication Status: 1 (ACCEPT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = ACCEPT

AAA_NextFunction: authen svr = LOCAL, author svr = test_ldap, user pol = , tunn pol = RemoteAccess_Grp

AAA_NextFunction: New i_fsm_state = IFSM_AUTHORIZE,

AAA FSM: In AAA_InitTransaction

Initiating authorization query (Svr Grp: test_ldap)

------------------------------------------------

AAA FSM: In AAA_BindServer

AAA_BindServer: Using server: 128.x.x.x

AAA FSM: In AAA_SendMsg

User: testuser

Resp:

[98] Session Start

[98] New request Session, context 0x00007ffec91999f8, reqType = Other

[98] Fiber started

[98] Creating LDAP context with uri=ldap://128.x.x.x:10001

[98] Connect to LDAP server: ldap://128.x.x.x:10001, status = Successful

[98] supportedLDAPVersion: value = 3

[98] Binding as Manager

[98] Performing Simple authentication for Manager to 128.x.x.x

[98] LDAP Search:

Base DN = [dc=adminauth,dc=abccompany,dc=ca]

Filter = [USERid=testuser]

Scope = [SUBTREE]

[98] User DN = [email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca]

[98] Server type for 128.x.x.x unknown - no password policy

[98] LDAP Search:

Base DN = [dc=adminauth,dc=abccompany,dc=ca]

Filter = [USERid=testuser]

Scope = [SUBTREE]

[98] Retrieved User Attributes:

[98] objectClass: value = top

[98] objectClass: value = adminauthsession

[98] cn: value = Jin Fang

[98] isams: value = FALSE

[98] isrosi: value = FALSE

[98] isauthadmin: value = FALSE

[98] rosilogin: value = null

[98] amslogin: value = null

[98] isdb2all: value = FALSE

[98] isrosisys: value = FALSE

[98] isCalendarApp: value = FALSE

[98] email: value = jin.fang@abccompany.ca

[98] etokensmartcardid: value = 23 11 b8 0d 2a 23

[98] etokenadminpassword: value = U2FsdGVkX1/ksAOeY+OsN4XlTJ4sqthq/p+6/9UqABiG37EUMvEN0B6ZBv1+sQjQ

[98] USERid: value = testuser

callback_aaa_task: status = 1, msg =

AAA FSM: In aaa_backend_callback

aaa_backend_callback: Handle = 36, pAcb = 0x00007ffec81bbc58

[98] Fiber exit Tx=360 bytes Rx=1137 bytes, status=1

[98] Session End

AAA task: aaa_process_msg(0x00007ffebbe519c0) received message type 1

AAA FSM: In AAA_ProcSvrResp

Back End response:

------------------

Authorization Status: 1 (ACCEPT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_AUTHORIZE, auth_status = ACCEPT

AAA_NextFunction: author svr = test_ldap, user pol = , tunn pol = RemoteAccess_Grp

AAA_NextFunction: New i_fsm_state = IFSM_TUNN_GRP_POLICY,

AAA FSM: In AAA_InitTransaction

aaai_policy_name_to_server_id(RemoteAccess_Grp)

Got server ID 0 for group policy DB

Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)

------------------------------------------------

AAA FSM: In AAA_BindServer

AAA_BindServer: Using server:

AAA FSM: In AAA_SendMsg

User: RemoteAccess_Grp

Resp:

grp_policy_ioctl(0x0000000003d84220, 114698, 0x00007ffebbe50e80)

grp_policy_ioctl: Looking up RemoteAccess_Grp

callback_aaa_task: status = 1, msg =

AAA FSM: In aaa_backend_callback

aaa_backend_callback: Handle = 36, pAcb = 0x00007ffec81bbc58

AAA task: aaa_process_msg(0x00007ffebbe519c0) received message ty

pe 1

AAA FSM: In AAA_ProcSvrResp

Back End response:

------------------

Tunnel Group Policy Status: 1 (ACCEPT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT

AAA_NextFunction: New i_fsm_state = IFSM_DONE,

AAA FSM: In AAA_ProcessFinal

Checking simultaneous login restriction (max allowance=254) for user testuser

AAA FSM: In AAA_Callback

user attributes:

1 User-Name(1) 8 "testuser"

2 User-Password(2) 10 (hidden)

3 AAA-AVP-Table(4243) 691 "[B3][02][00][00][0F][00][00][00][D0][00][00][00][E7][00]"

user policy attributes:

None

tunnel policy attributes:

1 Simultaneous-Logins(4098) 4 254

2 Primary-DNS(4101) 4 IP: 128.x.x.x

3 Secondary-DNS(4102) 4 IP: 0.0.0.0

4 Primary-WINS(4103) 4 IP: 0.0.0.0

5 Secondary-WINS(4104) 4 IP: 0.0.0.0

6 Tunnelling-Protocol(4107) 4 124

7 Group-Policy(4121) 16 "RemoteAccess_Grp"

8 Split-Tunnel-Inclusion-List(4123) 8 ""

9 Default-Domain-Name(4124) 15 "eis.abccompany.ca"

10 Split-Tunneling-Policy(4151) 4 0

11 List of address pools to assign addresses from(4313) 9 "adminpool"

Auth Status = ACCEPT

AAA API: In aaa_close

AAA task: aaa_process_msg(0x00007ffebbe519c0) received message type 3

In aaai_close_session (36)

ASA configuration, from output of show running

Cryptochecksum: 64b0ab89 44e6a9a7 a9cff433 5b067d13

: Saved

: Written by enable_15 at 10:14:24.509 EST Tue Nov 13 2012

!

ASA Version 8.6(1)2

!

hostname asa

domain-name eis.abccompany.ca

enable password RkhyZU9MUju8T6lM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 128.x.x.x 255.255.255.0 standby 128.x.x.x

!

interface GigabitEthernet0/1

nameif inside

security-level 0

ip address 192.x.x.x 255.255.255.0

!

interface GigabitEthernet0/1.100

vlan 307

nameif BFD

security-level 0

ip address 192.x.x.x 255.255.255.0

!

interface GigabitEthernet0/1.101

vlan 2150

no nameif

security-level 0

ip address 142.x.x.x 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

security-level 0

ip address 142.x.x.x 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

description LAN/STATE Failover Interface

!

interface Management0/0

nameif management

security-level 10

ip address 192.x.x.x 255.255.255.0 standby 192.x.x.x

management-only

!

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup outside

dns server-group DefaultDNS

name-server 128.x.x.x

domain-name eis.abccompany.ca

object network 142.x.x.x

host 142.x.x.x

object network 172.x.x.x

host 172.x.x.x

object network testdestination

subnet 172.x.x.x 255.255.255.0

object network 192.x.x.x

host 192.x.x.x

object network 142.x.x.x

host 142.x.x.x

access-list testacl standard permit 172.x.x.0 255.255.255.0

access-list qaacl extended permit ip any object 172.x.x.x log debugging

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu BFD 1500

mtu management 1500

ip local pool adminpool 10.20.50.1-10.20.50.254 mask 255.255.255.0

failover

failover lan unit secondary

failover lan interface failover-link GigabitEthernet0/7

failover link failover-link GigabitEthernet0/7

failover interface ip failover-link 192.168.1.250 255.255.255.0 standby 192.168.1.251

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

nat (outside,outside) source static any any destination static ldap ldap

nat (outside,BFD) source static any any destination static 172.x.x.x 192.x.x.x

route outside 0.0.0.0 0.0.0.0 128.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

ldap attribute-map LDAP_memberOf

map-name memberOf Group-Policy

map-value memberOf CN=rosi,OU=groups,DC=adminauth,DC=abccompany,DC=ca RemoteAccess_Grp

dynamic-access-policy-record DfltAccessPolicy

user-message "match default"

action terminate

dynamic-access-policy-record ldapaccess

network-acl qaacl

aaa-server test_ldap protocol ldap

aaa-server test_ldap (outside) host 128.x.x.x

server-port 10001

ldap-base-dn dc=adminauth,dc=abccompany,dc=ca

ldap-scope subtree

ldap-naming-attribute USERid

ldap-login-password xxxxx

ldap-login-dn cn=Manager,dc=adminauth,dc=abccompany,dc=ca

user-identity domain abccompany.ca aaa-server test_ldap

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.x.x.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-DES-SHA ESP-3DES-SHA ESP-DES-MD5 ESP-AES-192-MD5 ESP-3DES-MD5 ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-128-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal 3DES DES AES AES192 AES256

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

crl configure

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 128.x.x.0 255.255.255.0 outside

telnet timeout 5

ssh scopy enable

ssh 192.x.x.x 255.255.255.0 management

ssh timeout 60

console timeout 0

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

!

tls-proxy maximum-session 1000

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.x.x.x source management

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy NoAccess internal

group-policy NoAccess attributes

wins-server none

dns-server value 128.x.x.x

vpn-simultaneous-logins 0

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

default-domain value eis.abccompany.ca

address-pools none

group-policy DfltGrpPolicy attributes

dns-server value 128.x.x.x

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

default-domain value eis.abccompany.ca

group-policy RemoteAccess_Grp internal

group-policy RemoteAccess_Grp attributes

wins-server none

dns-server value 128.x.x.x

vpn-simultaneous-logins 254

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain value eis.abccompany.ca

address-pools value adminpool

username testuser password rt2fVDL0E7VRYMBa encrypted

username testuser attributes

service-type remote-access

tunnel-group DefaultRAGroup webvpn-attributes

group-alias DefaultRAGroup enable

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool (outside) adminpool

tunnel-group DefaultWEBVPNGroup webvpn-attributes

group-alias DefaultWEBVPNprofile enable

tunnel-group RemoteAccess_TunnelGroup type remote-access

tunnel-group RemoteAccess_TunnelGroup general-attributes

address-pool adminpool

authorization-server-group test_ldap

default-group-policy RemoteAccess_Grp

authorization-required

tunnel-group RemoteAccess_TunnelGroup webvpn-attributes

group-alias RemoteAccess_TunnelGroup enable

tunnel-group-map default-group DefaultWEBVPNGroup

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:64b0ab8944e6a9a7a9cff4335b067d13

: end

I also attached the LDAP log entry, from which you can see how Cisco call for the LDAP queries.

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 fd=11 ACCEPT from IP=128.X.X.X (Cisco ASA):31569 (IP=0.0.0.0:10001)

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:

Nov 13 09:42:14 mfause slapd[29105]: 11r

Nov 13 09:42:14 mfause slapd[29105]:

Nov 13 09:42:14 mfause slapd[29105]: daemon: read active on 11

Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL

Nov 13 09:42:14 mfause slapd[29105]: connection_get(11)

Nov 13 09:42:14 mfause slapd[29105]: connection_get(11): got connid=1001

Nov 13 09:42:14 mfause slapd[29105]: connection_read(11): checking for input on id=1001

Nov 13 09:42:14 mfause slapd[29105]: op tag 0x60, time 1352817734

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=1 do_bind

Nov 13 09:42:14 mfause slapd[29105]: >>> dnPrettyNormal:

Nov 13 09:42:14 mfause slapd[29105]: <<< dnPrettyNormal: ,

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=1 BIND dn="cn=Manager,dc=adminauth,dc=abccompany,dc=ca" method=128

Nov 13 09:42:14 mfause slapd[29105]: do_bind: version=3 dn="cn=Manager,dc=adminauth,dc=abccompany,dc=ca" method=128

Nov 13 09:42:14 mfause slapd[29105]: ==> bdb_bind: dn: cn=Manager,dc=adminauth,dc=abccompany,dc=ca

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=1 BIND dn="cn=Manager,dc=adminauth,dc=abccompany,dc=ca" mech=SIMPLE ssf=0

Nov 13 09:42:14 mfause slapd[29105]: do_bind: v3 bind: "cn=Manager,dc=adminauth,dc=abccompany,dc=ca" to "cn=Manager,dc=adminauth,dc=abccompany,dc=ca"

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:

Nov 13 09:42:14 mfause slapd[29105]:

Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL

Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: conn=1001 op=1 p=3

Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: err=0 matched="" text=""

Nov 13 09:42:14 mfause slapd[29105]: send_ldap_response: msgid=2 tag=97 err=0

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=1 RESULT tag=97 err=0 text=

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:

Nov 13 09:42:14 mfause slapd[29105]: 11r

Nov 13 09:42:14 mfause slapd[29105]:

Nov 13 09:42:14 mfause slapd[29105]: daemon: read active on 11

Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL

Nov 13 09:42:14 mfause slapd[29105]: connection_get(11)

Nov 13 09:42:14 mfause slapd[29105]: connection_get(11): got connid=1001

Nov 13 09:42:14 mfause slapd[29105]: connection_read(11): checking for input on id=1001

Nov 13 09:42:14 mfause slapd[29105]: op tag 0x63, time 1352817734

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:

Nov 13 09:42:14 mfause slapd[29105]:

Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=2 do_search

Nov 13 09:42:14 mfause slapd[29105]: >>> dnPrettyNormal:

Nov 13 09:42:14 mfause slapd[29105]: <<< dnPrettyNormal: ,

Nov 13 09:42:14 mfause slapd[29105]: SRCH "dc=adminauth,dc=abccompany,dc=ca" 2 3

Nov 13 09:42:14 mfause slapd[29105]: 0 0 0

Nov 13 09:42:14 mfause slapd[29105]: begin get_filter

Nov 13 09:42:14 mfause slapd[29105]: EQUALITY

Nov 13 09:42:14 mfause slapd[29105]: end get_filter 0

Nov 13 09:42:14 mfause slapd[29105]: filter: (USERid=testuser)

Nov 13 09:42:14 mfause slapd[29105]: attrs:

Nov 13 09:42:14 mfause slapd[29105]:

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=2 SRCH base="dc=adminauth,dc=abccompany,dc=ca" scope=2 deref=3 filter="(USERid=testuser)"

Nov 13 09:42:14 mfause slapd[29105]: => bdb_search

Nov 13 09:42:14 mfause slapd[29105]: bdb_dn2entry("dc=adminauth,dc=abccompany,dc=ca")

Nov 13 09:42:14 mfause slapd[29105]: entry_decode: "dc=adminauth,dc=abccompany,dc=ca"

Nov 13 09:42:14 mfause slapd[29105]: <= entry_decode(dc=adminauth,dc=abccompany,dc=ca)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "dc=adminauth,dc=abccompany,dc=ca" "entry" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: search_candidates: base="dc=adminauth,dc=abccompany,dc=ca" (0x00000001) scope=2

Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates

Nov 13 09:42:14 mfause slapd[29105]: #011EQUALITY

Nov 13 09:42:14 mfause slapd[29105]: => bdb_equality_candidates (objectClass)

Nov 13 09:42:14 mfause slapd[29105]: => key_read

Nov 13 09:42:14 mfause slapd[29105]: bdb_idl_fetch_key: [01872a84]

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_index_read: failed (-30988)

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_equality_candidates: id=0, first=0, last=0

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=0 first=0 last=0

Nov 13 09:42:14 mfause slapd[29105]: => bdb_dn2idl("dc=adminauth,dc=abccompany,dc=ca")

Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates

Nov 13 09:42:14 mfause slapd[29105]: #011AND

Nov 13 09:42:14 mfause slapd[29105]: => bdb_list_candidates 0xa0

Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates

Nov 13 09:42:14 mfause slapd[29105]: #011OR

Nov 13 09:42:14 mfause slapd[29105]: => bdb_list_candidates 0xa1

Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates

Nov 13 09:42:14 mfause slapd[29105]: #011EQUALITY

Nov 13 09:42:14 mfause slapd[29105]: => bdb_equality_candidates (objectClass)

Nov 13 09:42:14 mfause slapd[29105]: => key_read

Nov 13 09:42:14 mfause slapd[29105]: bdb_idl_fetch_key: [b49d1940]

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_index_read: failed (-30988)

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_equality_candidates: id=0, first=0, last=0

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=0 first=0 last=0

Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates

Nov 13 09:42:14 mfause slapd[29105]: #011EQUALITY

Nov 13 09:42:14 mfause slapd[29105]: => bdb_equality_candidates (USERid)

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_equality_candidates: (USERid) not indexed

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=-1 first=1 last=91

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_list_candidates: id=-1 first=1 last=91

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=-1 first=1 last=91

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_list_candidates: id=-1 first=1 last=91

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=-1 first=1 last=91

Nov 13 09:42:14 mfause slapd[29105]: bdb_search_candidates: id=-1 first=1 last=91

Nov 13 09:42:14 mfause slapd[29105]: entry_decode: "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca"

Nov 13 09:42:14 mfause slapd[29105]: <= entry_decode(email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca)

Nov 13 09:42:14 mfause slapd[29105]: => bdb_dn2id("email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca")

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_dn2id: got id=0x58

Nov 13 09:42:14 mfause slapd[29105]: => test_filter

Nov 13 09:42:14 mfause slapd[29105]: EQUALITY

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: <= test_filter 6

Nov 13 09:42:14 mfause slapd[29105]: => send_search_entry: conn 1001 dn="email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca"

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "entry" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (objectClass)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "objectClass" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result was in cache (objectClass)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (cn)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "cn" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isams)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isams" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isrosi)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isrosi" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isauthadmin)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isauthadmin" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (rosilogin)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "rosilogin" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (amslogin)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "amslogin" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isdb2all)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isdb2all" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isrosisys)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isrosisys" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isCalendarApp)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isCalendarApp" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (email)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "email" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (etokensmartcardid)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "etokensmartcardid" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (etokenadminpassword)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "etokenadminpassword" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (USERid)

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=2 ENTRY dn="email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca"

Nov 13 09:42:14 mfause slapd[29105]: <= send_search_entry: conn 1001 exit.

Nov 13 09:42:14 mfause slapd[29105]: entry_decode: "ou=groups,dc=adminauth,dc=abccompany,dc=ca"

Nov 13 09:42:14 mfause slapd[29105]: <= entry_decode(ou=groups,dc=adminauth,dc=abccompany,dc=ca)

Nov 13 09:42:14 mfause slapd[29105]: => bdb_dn2id("ou=groups,dc=adminauth,dc=abccompany,dc=ca")

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_dn2id: got id=0x5a

Nov 13 09:42:14 mfause slapd[29105]: => test_filter

Nov 13 09:42:14 mfause slapd[29105]: EQUALITY

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "ou=groups,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: <= test_filter 5

Nov 13 09:42:14 mfause slapd[29105]: bdb_search: 90 does not match filter

Nov 13 09:42:14 mfause slapd[29105]: entry_decode: "cn=rosi,ou=groups,dc=adminauth,dc=abccompany,dc=ca"

Nov 13 09:42:14 mfause slapd[29105]: <= entry_decode(cn=rosi,ou=groups,dc=adminauth,dc=abccompany,dc=ca)

Nov 13 09:42:14 mfause slapd[29105]: => bdb_dn2id("cn=rosi,ou=groups,dc=adminauth,dc=abccompany,dc=ca")

Nov 13 09:42:14 mfause slapd[29105]: <= bdb_dn2id: got id=0x5b

Nov 13 09:42:14 mfause slapd[29105]: => test_filter

Nov 13 09:42:14 mfause slapd[29105]: EQUALITY

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "cn=rosi,ou=groups,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested

Nov 13 09:42:14 mfause slapd[29105]: <= root access granted

Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)

Nov 13 09:42:14 mfause slapd[29105]: <= test_filter 5

Nov 13 09:42:14 mfause slapd[29105]: bdb_search: 91 does not match filter

Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: conn=1001 op=2 p=3

Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: err=0 matched="" text=""

Nov 13 09:42:14 mfause slapd[29105]: send_ldap_response: msgid=3 tag=101 err=0

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor

Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:

Nov 13 09:42:14 mfause slapd[29105]: 11r

Nov 13 09:42:14 mfause slapd[29105]:

Nov 13 09:42:14 mfause slapd[29105]: daemon: read active on 11

Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL

Nov 13 09:42:14 mfause slapd[29105]: connection_get(11)

Nov 13 09:42:14 mfause slapd[29105]: connection_get(11): got connid=1001

Nov 13 09:42:14 mfause slapd[29105]: connection_read(11): checking for input on id=1001

Nov 13 09:42:14 mfause slapd[29105]: op tag 0x63, time 1352817734

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=3 do_search

Nov 13 09:42:14 mfause slapd[29105]: >>> dnPrettyNormal:

Nov 13 09:42:14 mfause slapd[29105]: <<< dnPrettyNormal: ,

Nov 13 09:42:14 mfause slapd[29105]: SRCH "dc=adminauth,dc=abccompany,dc=ca" 2 3

Nov 13 09:42:14 mfause slapd[29105]: 0 0 0

Nov 13 09:42:14 mfause slapd[29105]: begin get_filter

Nov 13 09:42:14 mfause slapd[29105]: EQUALITY

Nov 13 09:42:14 mfause slapd[29105]: end get_filter 0

Nov 13 09:42:14 mfause slapd[29105]: filter: (USERid=testuser)

Nov 13 09:42:14 mfause slapd[29105]: attrs:

Nov 13 09:42:14 mfause slapd[29105]:

Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=3 SRCH base="dc=adminauth,dc=abccompany,dc=ca" scope=2 deref=3 filter="(USERid=testuser)"