11-09-2012 01:47 PM
Hi,
I modified the original post, as I found there are similar issues which describe the problem more clearly.
In short, has anyone had success getting the memberOf overlay attribute working with OpenLDAP and Cisco ASA?
I have configured OpenLDAP with the memberOf overlay, and ldapsearch also returns the memberOf value.
However, when I try to query this information from the Cisco ASA, it does not pick up the memberOf attribute.
If there is no way to do that, what would be the workaround to set up authorization based upon the user's group?
Any help much appreciated,
Jin
11-12-2012 11:50 AM
Can anyone help? I have been stuck on this problem for quite some time.
11-12-2012 05:57 PM
Can you please share the ASA configuration, and the output of "debug ldap 255" when you are trying to authenticate? Thanks.
11-13-2012 07:50 AM
Thank you, Jennifer, for your reply. Here is the output of debug ldap 255:
asa# AAA API: In aaa_open
AAA session opened: handle = 36
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0x00007ffebbe519c0) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
Initiating authentication to primary server (Svr Grp: LOCAL)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: testuser
Resp:
In localauth_ioctl
Local authentication of user testuser
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 36, pAcb = 0x00007ffec81bbc58
aaa_backend_callback: Error:
AAA task: aaa_process_msg(0x00007ffebbe519c0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Authentication Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = ACCEPT
AAA_NextFunction: authen svr = LOCAL, author svr = test_ldap, user pol = , tunn pol = RemoteAccess_Grp
AAA_NextFunction: New i_fsm_state = IFSM_AUTHORIZE,
AAA FSM: In AAA_InitTransaction
Initiating authorization query (Svr Grp: test_ldap)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 128.x.x.x
AAA FSM: In AAA_SendMsg
User: testuser
Resp:
[98] Session Start
[98] New request Session, context 0x00007ffec91999f8, reqType = Other
[98] Fiber started
[98] Creating LDAP context with uri=ldap://128.x.x.x:10001
[98] Connect to LDAP server: ldap://128.x.x.x:10001, status = Successful
[98] supportedLDAPVersion: value = 3
[98] Binding as Manager
[98] Performing Simple authentication for Manager to 128.x.x.x
[98] LDAP Search:
Base DN = [dc=adminauth,dc=abccompany,dc=ca]
Filter = [USERid=testuser]
Scope = [SUBTREE]
[98] User DN = [email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca]
[98] Server type for 128.x.x.x unknown - no password policy
[98] LDAP Search:
Base DN = [dc=adminauth,dc=abccompany,dc=ca]
Filter = [USERid=testuser]
Scope = [SUBTREE]
[98] Retrieved User Attributes:
[98] objectClass: value = top
[98] objectClass: value = adminauthsession
[98] cn: value = Jin Fang
[98] isams: value = FALSE
[98] isrosi: value = FALSE
[98] isauthadmin: value = FALSE
[98] rosilogin: value = null
[98] amslogin: value = null
[98] isdb2all: value = FALSE
[98] isrosisys: value = FALSE
[98] isCalendarApp: value = FALSE
[98] email: value = jin.fang@abccompany.ca
[98] etokensmartcardid: value = 23 11 b8 0d 2a 23
[98] etokenadminpassword: value = U2FsdGVkX1/ksAOeY+OsN4XlTJ4sqthq/p+6/9UqABiG37EUMvEN0B6ZBv1+sQjQ
[98] USERid: value = testuser
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 36, pAcb = 0x00007ffec81bbc58
[98] Fiber exit Tx=360 bytes Rx=1137 bytes, status=1
[98] Session End
AAA task: aaa_process_msg(0x00007ffebbe519c0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Authorization Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_AUTHORIZE, auth_status = ACCEPT
AAA_NextFunction: author svr = test_ldap, user pol = , tunn pol = RemoteAccess_Grp
AAA_NextFunction: New i_fsm_state = IFSM_TUNN_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(RemoteAccess_Grp)
Got server ID 0 for group policy DB
Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: RemoteAccess_Grp
Resp:
grp_policy_ioctl(0x0000000003d84220, 114698, 0x00007ffebbe50e80)
grp_policy_ioctl: Looking up RemoteAccess_Grp
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 36, pAcb = 0x00007ffec81bbc58
AAA task: aaa_process_msg(0x00007ffebbe519c0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Tunnel Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
Checking simultaneous login restriction (max allowance=254) for user testuser
AAA FSM: In AAA_Callback
user attributes:
1 User-Name(1) 8 "testuser"
2 User-Password(2) 10 (hidden)
3 AAA-AVP-Table(4243) 691 "[B3][02][00][00][0F][00][00][00][D0][00][00][00][E7][00]"
user policy attributes:
None
tunnel policy attributes:
1 Simultaneous-Logins(4098) 4 254
2 Primary-DNS(4101) 4 IP: 128.x.x.x
3 Secondary-DNS(4102) 4 IP: 0.0.0.0
4 Primary-WINS(4103) 4 IP: 0.0.0.0
5 Secondary-WINS(4104) 4 IP: 0.0.0.0
6 Tunnelling-Protocol(4107) 4 124
7 Group-Policy(4121) 16 "RemoteAccess_Grp"
8 Split-Tunnel-Inclusion-List(4123) 8 ""
9 Default-Domain-Name(4124) 15 "eis.abccompany.ca"
10 Split-Tunneling-Policy(4151) 4 0
11 List of address pools to assign addresses from(4313) 9 "adminpool"
Auth Status = ACCEPT
AAA API: In aaa_close
AAA task: aaa_process_msg(0x00007ffebbe519c0) received message type 3
In aaai_close_session (36)
ASA configuration, from the output of show running:
Cryptochecksum: 64b0ab89 44e6a9a7 a9cff433 5b067d13
: Saved
: Written by enable_15 at 10:14:24.509 EST Tue Nov 13 2012
!
ASA Version 8.6(1)2
!
hostname asa
domain-name eis.abccompany.ca
enable password RkhyZU9MUju8T6lM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 128.x.x.x 255.255.255.0 standby 128.x.x.x
!
interface GigabitEthernet0/1
nameif inside
security-level 0
ip address 192.x.x.x 255.255.255.0
!
interface GigabitEthernet0/1.100
vlan 307
nameif BFD
security-level 0
ip address 192.x.x.x 255.255.255.0
!
interface GigabitEthernet0/1.101
vlan 2150
no nameif
security-level 0
ip address 142.x.x.x 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
security-level 0
ip address 142.x.x.x 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 10
ip address 192.x.x.x 255.255.255.0 standby 192.x.x.x
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 128.x.x.x
name-server 128.x.x.x
domain-name eis.abccompany.ca
object network 142.x.x.x
host 142.x.x.x
object network 172.x.x.x
host 172.x.x.x
object network testdestination
subnet 172.x.x.x 255.255.255.0
object network 192.x.x.x
host 192.x.x.x
object network 142.x.x.x
host 142.x.x.x
access-list testacl standard permit 172.x.x.0 255.255.255.0
access-list qaacl extended permit ip any object 172.x.x.x log debugging
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu BFD 1500
mtu management 1500
ip local pool adminpool 10.20.50.1-10.20.50.254 mask 255.255.255.0
failover
failover lan unit secondary
failover lan interface failover-link GigabitEthernet0/7
failover link failover-link GigabitEthernet0/7
failover interface ip failover-link 192.168.1.250 255.255.255.0 standby 192.168.1.251
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (outside,outside) source static any any destination static ldap ldap
nat (outside,BFD) source static any any destination static 172.x.x.x 192.x.x.x
route outside 0.0.0.0 0.0.0.0 128.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP_memberOf
map-name memberOf Group-Policy
map-value memberOf CN=rosi,OU=groups,DC=adminauth,DC=abccompany,DC=ca RemoteAccess_Grp
dynamic-access-policy-record DfltAccessPolicy
user-message "match default"
action terminate
dynamic-access-policy-record ldapaccess
network-acl qaacl
aaa-server test_ldap protocol ldap
aaa-server test_ldap (outside) host 128.x.x.x
server-port 10001
ldap-base-dn dc=adminauth,dc=abccompany,dc=ca
ldap-scope subtree
ldap-naming-attribute USERid
ldap-login-password xxxxx
ldap-login-dn cn=Manager,dc=adminauth,dc=abccompany,dc=ca
user-identity domain abccompany.ca aaa-server test_ldap
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.x.x.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-DES-SHA ESP-3DES-SHA ESP-DES-MD5 ESP-AES-192-MD5 ESP-3DES-MD5 ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-128-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal 3DES DES AES AES192 AES256
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 128.x.x.0 255.255.255.0 outside
telnet timeout 5
ssh scopy enable
ssh 192.x.x.x 255.255.255.0 management
ssh timeout 60
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.x.x.x source management
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy NoAccess internal
group-policy NoAccess attributes
wins-server none
dns-server value 128.x.x.x
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value eis.abccompany.ca
address-pools none
group-policy DfltGrpPolicy attributes
dns-server value 128.x.x.x
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value eis.abccompany.ca
group-policy RemoteAccess_Grp internal
group-policy RemoteAccess_Grp attributes
wins-server none
dns-server value 128.x.x.x
vpn-simultaneous-logins 254
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value eis.abccompany.ca
address-pools value adminpool
username testuser password rt2fVDL0E7VRYMBa encrypted
username testuser attributes
service-type remote-access
tunnel-group DefaultRAGroup webvpn-attributes
group-alias DefaultRAGroup enable
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (outside) adminpool
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias DefaultWEBVPNprofile enable
tunnel-group RemoteAccess_TunnelGroup type remote-access
tunnel-group RemoteAccess_TunnelGroup general-attributes
address-pool adminpool
authorization-server-group test_ldap
default-group-policy RemoteAccess_Grp
authorization-required
tunnel-group RemoteAccess_TunnelGroup webvpn-attributes
group-alias RemoteAccess_TunnelGroup enable
tunnel-group-map default-group DefaultWEBVPNGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:64b0ab8944e6a9a7a9cff4335b067d13
: end
I also attached the LDAP log entry, from which you can see how the Cisco ASA performs its LDAP queries.
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 fd=11 ACCEPT from IP=128.X.X.X (Cisco ASA):31569 (IP=0.0.0.0:10001)
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:
Nov 13 09:42:14 mfause slapd[29105]: 11r
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: daemon: read active on 11
Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 13 09:42:14 mfause slapd[29105]: connection_get(11)
Nov 13 09:42:14 mfause slapd[29105]: connection_get(11): got connid=1001
Nov 13 09:42:14 mfause slapd[29105]: connection_read(11): checking for input on id=1001
Nov 13 09:42:14 mfause slapd[29105]: op tag 0x60, time 1352817734
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=1 do_bind
Nov 13 09:42:14 mfause slapd[29105]: >>> dnPrettyNormal:
Nov 13 09:42:14 mfause slapd[29105]: <<< dnPrettyNormal:
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=1 BIND dn="cn=Manager,dc=adminauth,dc=abccompany,dc=ca" method=128
Nov 13 09:42:14 mfause slapd[29105]: do_bind: version=3 dn="cn=Manager,dc=adminauth,dc=abccompany,dc=ca" method=128
Nov 13 09:42:14 mfause slapd[29105]: ==> bdb_bind: dn: cn=Manager,dc=adminauth,dc=abccompany,dc=ca
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=1 BIND dn="cn=Manager,dc=adminauth,dc=abccompany,dc=ca" mech=SIMPLE ssf=0
Nov 13 09:42:14 mfause slapd[29105]: do_bind: v3 bind: "cn=Manager,dc=adminauth,dc=abccompany,dc=ca" to "cn=Manager,dc=adminauth,dc=abccompany,dc=ca"
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: conn=1001 op=1 p=3
Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: err=0 matched="" text=""
Nov 13 09:42:14 mfause slapd[29105]: send_ldap_response: msgid=2 tag=97 err=0
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=1 RESULT tag=97 err=0 text=
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:
Nov 13 09:42:14 mfause slapd[29105]: 11r
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: daemon: read active on 11
Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 13 09:42:14 mfause slapd[29105]: connection_get(11)
Nov 13 09:42:14 mfause slapd[29105]: connection_get(11): got connid=1001
Nov 13 09:42:14 mfause slapd[29105]: connection_read(11): checking for input on id=1001
Nov 13 09:42:14 mfause slapd[29105]: op tag 0x63, time 1352817734
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=2 do_search
Nov 13 09:42:14 mfause slapd[29105]: >>> dnPrettyNormal:
Nov 13 09:42:14 mfause slapd[29105]: <<< dnPrettyNormal:
Nov 13 09:42:14 mfause slapd[29105]: SRCH "dc=adminauth,dc=abccompany,dc=ca" 2 3
Nov 13 09:42:14 mfause slapd[29105]: 0 0 0
Nov 13 09:42:14 mfause slapd[29105]: begin get_filter
Nov 13 09:42:14 mfause slapd[29105]: EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: end get_filter 0
Nov 13 09:42:14 mfause slapd[29105]: filter: (USERid=testuser)
Nov 13 09:42:14 mfause slapd[29105]: attrs:
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=2 SRCH base="dc=adminauth,dc=abccompany,dc=ca" scope=2 deref=3 filter="(USERid=testuser)"
Nov 13 09:42:14 mfause slapd[29105]: => bdb_search
Nov 13 09:42:14 mfause slapd[29105]: bdb_dn2entry("dc=adminauth,dc=abccompany,dc=ca")
Nov 13 09:42:14 mfause slapd[29105]: entry_decode: "dc=adminauth,dc=abccompany,dc=ca"
Nov 13 09:42:14 mfause slapd[29105]: <= entry_decode(dc=adminauth,dc=abccompany,dc=ca)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "dc=adminauth,dc=abccompany,dc=ca" "entry" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: search_candidates: base="dc=adminauth,dc=abccompany,dc=ca" (0x00000001) scope=2
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => bdb_equality_candidates (objectClass)
Nov 13 09:42:14 mfause slapd[29105]: => key_read
Nov 13 09:42:14 mfause slapd[29105]: bdb_idl_fetch_key: [01872a84]
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_index_read: failed (-30988)
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_equality_candidates: id=0, first=0, last=0
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=0 first=0 last=0
Nov 13 09:42:14 mfause slapd[29105]: => bdb_dn2idl("dc=adminauth,dc=abccompany,dc=ca")
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011AND
Nov 13 09:42:14 mfause slapd[29105]: => bdb_list_candidates 0xa0
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011OR
Nov 13 09:42:14 mfause slapd[29105]: => bdb_list_candidates 0xa1
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => bdb_equality_candidates (objectClass)
Nov 13 09:42:14 mfause slapd[29105]: => key_read
Nov 13 09:42:14 mfause slapd[29105]: bdb_idl_fetch_key: [b49d1940]
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_index_read: failed (-30988)
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_equality_candidates: id=0, first=0, last=0
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=0 first=0 last=0
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => bdb_equality_candidates (USERid)
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_equality_candidates: (USERid) not indexed
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_list_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_list_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: bdb_search_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: entry_decode: "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca"
Nov 13 09:42:14 mfause slapd[29105]: <= entry_decode(email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca)
Nov 13 09:42:14 mfause slapd[29105]: => bdb_dn2id("email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca")
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_dn2id: got id=0x58
Nov 13 09:42:14 mfause slapd[29105]: => test_filter
Nov 13 09:42:14 mfause slapd[29105]: EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: <= test_filter 6
Nov 13 09:42:14 mfause slapd[29105]: => send_search_entry: conn 1001 dn="email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca"
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "entry" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (objectClass)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "objectClass" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result was in cache (objectClass)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (cn)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "cn" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isams)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isams" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isrosi)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isrosi" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isauthadmin)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isauthadmin" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (rosilogin)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "rosilogin" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (amslogin)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "amslogin" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isdb2all)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isdb2all" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isrosisys)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isrosisys" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isCalendarApp)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isCalendarApp" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (email)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "email" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (etokensmartcardid)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "etokensmartcardid" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (etokenadminpassword)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "etokenadminpassword" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (USERid)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=2 ENTRY dn="email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca"
Nov 13 09:42:14 mfause slapd[29105]: <= send_search_entry: conn 1001 exit.
Nov 13 09:42:14 mfause slapd[29105]: entry_decode: "ou=groups,dc=adminauth,dc=abccompany,dc=ca"
Nov 13 09:42:14 mfause slapd[29105]: <= entry_decode(ou=groups,dc=adminauth,dc=abccompany,dc=ca)
Nov 13 09:42:14 mfause slapd[29105]: => bdb_dn2id("ou=groups,dc=adminauth,dc=abccompany,dc=ca")
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_dn2id: got id=0x5a
Nov 13 09:42:14 mfause slapd[29105]: => test_filter
Nov 13 09:42:14 mfause slapd[29105]: EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "ou=groups,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: <= test_filter 5
Nov 13 09:42:14 mfause slapd[29105]: bdb_search: 90 does not match filter
Nov 13 09:42:14 mfause slapd[29105]: entry_decode: "cn=rosi,ou=groups,dc=adminauth,dc=abccompany,dc=ca"
Nov 13 09:42:14 mfause slapd[29105]: <= entry_decode(cn=rosi,ou=groups,dc=adminauth,dc=abccompany,dc=ca)
Nov 13 09:42:14 mfause slapd[29105]: => bdb_dn2id("cn=rosi,ou=groups,dc=adminauth,dc=abccompany,dc=ca")
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_dn2id: got id=0x5b
Nov 13 09:42:14 mfause slapd[29105]: => test_filter
Nov 13 09:42:14 mfause slapd[29105]: EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "cn=rosi,ou=groups,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: <= test_filter 5
Nov 13 09:42:14 mfause slapd[29105]: bdb_search: 91 does not match filter
Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: conn=1001 op=2 p=3
Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: err=0 matched="" text=""
Nov 13 09:42:14 mfause slapd[29105]: send_ldap_response: msgid=3 tag=101 err=0
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:
Nov 13 09:42:14 mfause slapd[29105]: 11r
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: daemon: read active on 11
Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 13 09:42:14 mfause slapd[29105]: connection_get(11)
Nov 13 09:42:14 mfause slapd[29105]: connection_get(11): got connid=1001
Nov 13 09:42:14 mfause slapd[29105]: connection_read(11): checking for input on id=1001
Nov 13 09:42:14 mfause slapd[29105]: op tag 0x63, time 1352817734
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=3 do_search
Nov 13 09:42:14 mfause slapd[29105]: >>> dnPrettyNormal:
Nov 13 09:42:14 mfause slapd[29105]: <<< dnPrettyNormal:
Nov 13 09:42:14 mfause slapd[29105]: SRCH "dc=adminauth,dc=abccompany,dc=ca" 2 3
Nov 13 09:42:14 mfause slapd[29105]: 0 0 0
Nov 13 09:42:14 mfause slapd[29105]: begin get_filter
Nov 13 09:42:14 mfause slapd[29105]: EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: end get_filter 0
Nov 13 09:42:14 mfause slapd[29105]: filter: (USERid=testuser)
Nov 13 09:42:14 mfause slapd[29105]: attrs:
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=3 SRCH base="dc=adminauth,dc=abccompany,dc=ca" scope=2 deref=3 filter="(USERid=testuser)"
Nov 13 09:42:14 mfause slapd[29105]: => bdb_search
Nov 13 09:42:14 mfause slapd[29105]: bdb_dn2entry("dc=adminauth,dc=abccompany,dc=ca")
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "dc=adminauth,dc=abccompany,dc=ca" "entry" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: search_candidates: base="dc=adminauth,dc=abccompany,dc=ca" (0x00000001) scope=2
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => bdb_equality_candidates (objectClass)
Nov 13 09:42:14 mfause slapd[29105]: => key_read
Nov 13 09:42:14 mfause slapd[29105]: bdb_idl_fetch_key: [01872a84]
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_index_read: failed (-30988)
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_equality_candidates: id=0, first=0, last=0
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=0 first=0 last=0
Nov 13 09:42:14 mfause slapd[29105]: => bdb_dn2idl("dc=adminauth,dc=abccompany,dc=ca")
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011AND
Nov 13 09:42:14 mfause slapd[29105]: => bdb_list_candidates 0xa0
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011OR
Nov 13 09:42:14 mfause slapd[29105]: => bdb_list_candidates 0xa1
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => bdb_equality_candidates (objectClass)
Nov 13 09:42:14 mfause slapd[29105]: => key_read
Nov 13 09:42:14 mfause slapd[29105]: bdb_idl_fetch_key: [b49d1940]
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_index_read: failed (-30988)
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_equality_candidates: id=0, first=0, last=0
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=0 first=0 last=0
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 13 09:42:14 mfause slapd[29105]: => bdb_filter_candidates
Nov 13 09:42:14 mfause slapd[29105]: #011EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => bdb_equality_candidates (USERid)
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_equality_candidates: (USERid) not indexed
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_list_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_list_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: <= bdb_filter_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: bdb_search_candidates: id=-1 first=1 last=91
Nov 13 09:42:14 mfause slapd[29105]: => test_filter
Nov 13 09:42:14 mfause slapd[29105]: EQUALITY
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: search access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: <= test_filter 6
Nov 13 09:42:14 mfause slapd[29105]: => send_search_entry: conn 1001 dn="email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca"
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "entry" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (objectClass)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "objectClass" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result was in cache (objectClass)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (cn)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "cn" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isams)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isams" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isrosi)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isrosi" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isauthadmin)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isauthadmin" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (rosilogin)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "rosilogin" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (amslogin)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "amslogin" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isdb2all)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isdb2all" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isrosisys)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isrosisys" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (isCalendarApp)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "isCalendarApp" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (email)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "email" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (etokensmartcardid)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "etokensmartcardid" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (etokenadminpassword)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "etokenadminpassword" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: result not in cache (USERid)
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access to "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca" "USERid" requested
Nov 13 09:42:14 mfause slapd[29105]: <= root access granted
Nov 13 09:42:14 mfause slapd[29105]: => access_allowed: read access granted by manage(=mwrscxd)
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=3 ENTRY dn="email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca"
Nov 13 09:42:14 mfause slapd[29105]: <= send_search_entry: conn 1001 exit.
Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: conn=1001 op=3 p=3
Nov 13 09:42:14 mfause slapd[29105]: send_ldap_result: err=0 matched="" text=""
Nov 13 09:42:14 mfause slapd[29105]: send_ldap_response: msgid=4 tag=101 err=0
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:
Nov 13 09:42:14 mfause slapd[29105]: 11r
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: daemon: read active on 11
Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Nov 13 09:42:14 mfause slapd[29105]: connection_get(11)
Nov 13 09:42:14 mfause slapd[29105]: connection_get(11): got connid=1001
Nov 13 09:42:14 mfause slapd[29105]: connection_read(11): checking for input on id=1001
Nov 13 09:42:14 mfause slapd[29105]: op tag 0x42, time 1352817734
Nov 13 09:42:14 mfause slapd[29105]: ber_get_next on fd 11 failed errno=0 (Success)
Nov 13 09:42:14 mfause slapd[29105]: connection_read(11): input error=-2 id=1001, closing.
Nov 13 09:42:14 mfause slapd[29105]: connection_closing: readying conn=1001 sd=11 for close
Nov 13 09:42:14 mfause slapd[29105]: connection_close: deferring conn=1001 sd=11
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=4 do_unbind
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 op=4 UNBIND
Nov 13 09:42:14 mfause slapd[29105]: connection_resched: attempting closing conn=1001 sd=11
Nov 13 09:42:14 mfause slapd[29105]: connection_close: conn=1001 sd=11
Nov 13 09:42:14 mfause slapd[29105]: daemon: removing 11
Nov 13 09:42:14 mfause slapd[29105]: conn=1001 fd=11 closed
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on 1 descriptor
Nov 13 09:42:14 mfause slapd[29105]: daemon: activity on:
Nov 13 09:42:14 mfause slapd[29105]:
Nov 13 09:42:14 mfause slapd[29105]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
11-13-2012 10:04 PM
Based on the debugs, it doesn't seem to be providing the memberOf attribute to the ASA.
It provides the following attributes but memberOf is not one of them:
[98] Retrieved User Attributes:
[98] objectClass: value = top
[98] objectClass: value = adminauthsession
[98] cn: value = Jin Fang
[98] isams: value = FALSE
[98] isrosi: value = FALSE
[98] isauthadmin: value = FALSE
[98] rosilogin: value = null
[98] amslogin: value = null
[98] isdb2all: value = FALSE
[98] isrosisys: value = FALSE
[98] isCalendarApp: value = FALSE
[98] email: value = jin.fang@abccompany.ca
[98] etokensmartcardid: value = 23 11 b8 0d 2a 23
[98] etokenadminpassword: value = U2FsdGVkX1/ksAOeY+OsN4XlTJ4sqth/p+6/9UqABiG37EUMvEN0B6ZBv1+sQjQ
[98] USERid: value = testuser
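As an added diagnostic (my own script, not from the thread, Cisco or OpenLDAP), the following Python reads a slapd debug log of the kind pasted above and, for each search operation, lists which attributes the client asked for (the `attrs:` line, empty in the ASA's search) and which attributes slapd actually read while serialising each entry (the `read access to "<dn>" "<attr>" requested` lines). Running it over a full log shows at a glance whether memberOf was ever sent, which is the point made in this reply. The function names `parse_slapd_log` and `attribute_sent`, and the abbreviated sample log, are mine; the `op=5` search that names memberOf is constructed for contrast, and the parser assumes, as the log above shows, that the requested attribute names follow `attrs:` on the next log line.

```python
"""Summarise, per search operation, which attributes a slapd debug log shows being sent."""
import re
from dataclasses import dataclass, field

# Syslog prefix as in the log pasted in this thread: "Nov 13 09:42:14 host slapd[pid]: message".
PREFIX_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]:\s?(.*)$")
DO_SEARCH_RE = re.compile(r"^conn=(\d+) op=(\d+) do_search$")
SRCH_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ deref=\d+ filter="([^"]*)"')
# Attribute-level read checks slapd logs while it serialises an entry for the client.
READ_RE = re.compile(r'^=> access_allowed: read access to "([^"]+)" "([^"]+)" requested$')


@dataclass
class SearchOp:
    conn: int
    op: int
    base: str = ""
    ldap_filter: str = ""
    requested: list = field(default_factory=list)  # [] = client asked for all user attributes
    entries: dict = field(default_factory=dict)    # entry DN -> attributes slapd read to send it


def parse_slapd_log(text):
    """Group the per-attribute read checks under the search op they belong to."""
    ops, current, expect_attrs = {}, None, False
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        m = DO_SEARCH_RE.match(msg)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            current, expect_attrs = ops.setdefault(key, SearchOp(*key)), False
            continue
        if current is None:
            continue
        if expect_attrs:
            # Assumption from the pasted log: the requested attribute names follow "attrs:"
            # on the next line; an empty line means the client named none.
            current.requested, expect_attrs = msg.split(), False
            continue
        if msg == "attrs:":
            expect_attrs = True
            continue
        m = SRCH_RE.match(msg)
        if m:
            current.base, current.ldap_filter = m.group(3), m.group(4)
            continue
        m = READ_RE.match(msg)
        if m and m.group(2) != "entry":  # "entry" is the pseudo-attribute for the entry itself
            sent = current.entries.setdefault(m.group(1), [])
            if m.group(2) not in sent:
                sent.append(m.group(2))
    return ops


def attribute_sent(ops, name):
    """Map (conn, op) -> whether `name` was among the attributes slapd sent for any entry."""
    wanted = name.lower()
    return {key: any(wanted in (a.lower() for a in attrs) for attrs in sop.entries.values())
            for key, sop in ops.items()}


# Constructed, abbreviated sample in the format of the log above: op=3 mirrors the ASA search
# (empty attrs list); op=5 is a constructed search that names memberOf explicitly.
USER_DN = "email=jin.fang@abccompany.ca,dc=adminauth,dc=abccompany,dc=ca"
P = "Nov 13 09:42:14 mfause slapd[29105]: "
SAMPLE_LOG = "\n".join([
    P + "conn=1001 op=3 do_search",
    P + "attrs:",
    P.rstrip(),
    P + 'conn=1001 op=3 SRCH base="dc=adminauth,dc=abccompany,dc=ca" scope=2 deref=3 filter="(USERid=testuser)"',
    P + f'=> access_allowed: read access to "{USER_DN}" "entry" requested',
    P + f'=> access_allowed: read access to "{USER_DN}" "objectClass" requested',
    P + f'=> access_allowed: read access to "{USER_DN}" "cn" requested',
    P + f'=> access_allowed: read access to "{USER_DN}" "USERid" requested',
    P + f'conn=1001 op=3 ENTRY dn="{USER_DN}"',
    P + "conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=",
    P + "conn=1001 op=5 do_search",
    P + "attrs:",
    P + "memberOf",
    P + f'conn=1001 op=5 SRCH base="{USER_DN}" scope=0 deref=3 filter="(objectClass=*)"',
    P + f'=> access_allowed: read access to "{USER_DN}" "entry" requested',
    P + f'=> access_allowed: read access to "{USER_DN}" "memberOf" requested',
    P + f'conn=1001 op=5 ENTRY dn="{USER_DN}"',
    P + "conn=1001 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=",
])

if __name__ == "__main__":
    ops = parse_slapd_log(SAMPLE_LOG)
    for key, sop in sorted(ops.items()):
        asked = " ".join(sop.requested) or "(all user attributes)"
        print(f"conn={key[0]} op={key[1]} filter={sop.ldap_filter} requested={asked}")
        for dn, attrs in sop.entries.items():
            print(f"  {dn}: {', '.join(attrs)}")
    print("memberOf sent per op:", attribute_sent(ops, "memberOf"))
```

Two things to look at in the output for a real log: the ASA search asks for no attributes by name (`attrs:` followed by an empty line), and memberOf never appears among the attributes read for the user entry. When OpenLDAP's memberof overlay supplies the memberOf definition itself, it registers it as an operational attribute, and slapd returns operational attributes only when a client requests them by name (ldapsearch does so with `+` or by listing `memberOf`); that is consistent with the observation later in this thread that the ASA does receive memberOf when it asks for it explicitly as the naming attribute.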
11-14-2012 06:38 AM
Yes. That is what I pointed out before:
I have configured the openLDAP with memberOf overlay and ldapsearch also returns the memberOf value.
However, when I try and query this information from Cisco it did not pick up on the memberOf attribute.
I saw some other people having a similar problem with OpenLDAP and I am wondering how it was solved in the end.
By the way, if I create an AAA server using memberOf as the naming attribute, the test connection works fine. From the LDAP debug, I see the ASA asked explicitly for memberOf and that value is returned as well. But it doesn't get memberOf if I do attribute mapping or DAP.
Jin
11-16-2012 04:04 AM
The previous version indeed has an issue with OpenLDAP; however, the version that you are running should have the fix.
From the debug output, I didn't even see the memberOf attributes being presented to the ASA. The ASA should see the actual memberOf attribute before it is capable of performing the ldap attribute map.
Here is the bug that I mentioned earlier that should have been fixed in your version:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq00144
If you check the details, the ASA is picking up the memberOf attribute, but incorrectly; however, it is presented in the debugs. In your case, I don't even see the memberOf attributes in the debugs that you attached previously.
11-19-2012 07:49 AM
Hi Jennifer,
Yes. The ASA is not picking up the memberOf attribute. It is interesting that if I use memberOf as the naming attribute for the LDAP server and give the correct memberOf value as the username for the authorization test, the ASA will pick up memberOf and the test connection is OK. Would you think it is an ASA problem or an LDAP issue?
Jin
11-21-2012 03:13 AM
I would suggest that you open a TAC case, so an engineer can further assist you to troubleshoot.
It seems that the bug mentioned above might not have been fixed, or a new bug has been introduced in that version.
09-14-2023 06:12 AM
I found the problem to be Java related. Using ASDM 7.6.1-150 and earlier allows the attribute to query AD and choose the AD group. With any later ASDM package it doesn't work, but it does allow CLI creation of the attribute mapping.