Bug 180515 (chainBIND)
| Summary: | Chain BIND requests with chain on update + global pw policy | | |
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Rich Megginson <rmeggins> |
| Component: | Replication - General | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 1.0 | CC: | amsharma, jgalipea |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | 1.0.2 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-12-07 16:49:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 183369, 639035 | | |
Description
Rich Megginson
2006-02-08 19:01:45 UTC
*** replutil.c.~1.7.~ 2006-01-16 12:06:03.000000000 -0700
--- replutil.c 2006-02-08 10:47:16.000000000 -0700
***************
*** 889,895 ****
op_type = slapi_op_get_type(op);
if (local_online &&
((op_type == SLAPI_OPERATION_SEARCH) ||
- (op_type == SLAPI_OPERATION_BIND) ||
(op_type == SLAPI_OPERATION_UNBIND) ||
(op_type == SLAPI_OPERATION_COMPARE))) {
#ifdef DEBUG_CHAIN_ON_UPDATE
--- 889,894 ----
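Review bot: Dropping SLAPI_OPERATION_BIND from the local_online fast path makes every bind fall through to the code below regardless of policy, so this hunk is only correct together with the later block that returns local_backend when config_get_pw_is_global_policy() is false; if that block is ever reverted or moved, binds under a local password policy would be chained. A one-line comment here ("BIND is decided below, after the global-policy check") would make the dependency visible to the next reader.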
***************
*** 930,935 ****
--- 929,946 ----
return local_backend;
}
+ /* if using global password policy, chain the bind request so that the
+ master can update and replicate the password policy op attrs */
+ if (op_type == SLAPI_OPERATION_BIND) {
+ if (!config_get_pw_is_global_policy()) {
+ #ifdef DEBUG_CHAIN_ON_UPDATE
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"repl_chain_on_update: conn=%d op=%d using "
+ "local backend for local password policy\n",
connid, opid);
+ #endif
+ return local_backend;
+ }
+ }
+
/* all other case (update while not directory manager) :
* or any normal non replicated client operation while local is disabled
(import) :
* use the chaining backend
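Review bot: config_get_pw_is_global_policy() is called in this hunk with no declaration in scope, so the compiler falls back to an implicit int declaration with no argument checking; declare it (ideally via the server's config header) before calling it. Separately, as pasted here the two continuation lines of the slapi_log_error() call ("repl_chain_on_update: conn=%d op=%d using " and "connid, opid);") lack the leading "+", so this copy of the patch will not apply cleanly; the repost below has the same paste problem.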
*** replutil.c.~1.7.~ 2006-01-16 12:06:03.000000000 -0700
--- replutil.c 2006-02-08 12:10:49.000000000 -0700
***************
*** 889,895 ****
op_type = slapi_op_get_type(op);
if (local_online &&
((op_type == SLAPI_OPERATION_SEARCH) ||
- (op_type == SLAPI_OPERATION_BIND) ||
(op_type == SLAPI_OPERATION_UNBIND) ||
(op_type == SLAPI_OPERATION_COMPARE))) {
#ifdef DEBUG_CHAIN_ON_UPDATE
--- 889,894 ----
***************
*** 930,935 ****
--- 929,947 ----
return local_backend;
}
+ /* if using global password policy, chain the bind request so that the
+ master can update and replicate the password policy op attrs */
+ if (op_type == SLAPI_OPERATION_BIND) {
+ extern int config_get_pw_is_global_policy();
+ if (!config_get_pw_is_global_policy()) {
+ #ifdef DEBUG_CHAIN_ON_UPDATE
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"repl_chain_on_update: conn=%d op=%d using "
+ "local backend for local password policy\n",
connid, opid);
+ #endif
+ return local_backend;
+ }
+ }
+
/* all other case (update while not directory manager) :
* or any normal non replicated client operation while local is disabled
(import) :
* use the chaining backend
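Review bot: The block-scope `extern int config_get_pw_is_global_policy();` removes the implicit declaration but uses an empty parameter list, which is an old-style declaration that disables argument checking; write `extern int config_get_pw_is_global_policy(void);` and, better, put the prototype in a shared header so it cannot drift from the definition. The fix description says the call acquires a lock and is therefore deliberately placed after the cheaper returns; saying so in the comment above the block would stop a later refactor from hoisting it, and since the change means a consumer now forwards the user's bind (and so the credentials) to the supplier whenever passwordIsGlobalPolicy is on, "Doc impact: no" is worth a second look: administrators should know that the chaining connection carries user binds in that configuration.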
Reviewed by: Nathan, Pete (Thanks!)
Files: ldapserver/ldap/servers/plugins/replication/replutil.c
Branch: HEAD
Fix Description: When using global password policy, we need to chain the BIND request back to a master so that it can update the pw policy op attrs in the user's entry and replicate them to all other servers. The call to config_get_pw_is_global_policy() is expensive (acquires a lock) so we delay it as long as possible. The reason we have to use config_get_pw_is_global_policy() is because the entry distribution plugin interface is poor - we have no way to register an init or start function to get the config, and no way to register a statechange callback to be notified of changes to the global password policy.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none

Checking in replutil.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/replication/replutil.c,v <-- replutil.c
new revision: 1.8; previous revision: 1.7
done

Please add steps to reproduce and verify, thanks.

Note - this may already be tested by chain on update testing.
1) setup replication with chain on update - 1 master 1 read-only consumer
2) set http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Managing_Replication-Replicating-Password-Attributes 13.2.3.2. Configuring Directory Server to Replicate Password Policy Attributes
passwordIsGlobalPolicy: on
3) bind to the consumer as a regular user (not directory manager or console admin)
4) check the access log on the master to see if there is a bind request from the consumer

[root@snmaptest ~]# ldapmodify -D "cn=directory manager" -w Secret123 -p 34202 -x -h localhost << EOF
> dn: cn=config
> changetype: modify
> replace: passwordIsGlobalPolicy
> passwordIsGlobalPolicy: on
> EOF
modifying entry "cn=config"
[root@snmaptest ~]# ldapsearch -x -h localhost -p 34202 -D "uid=ams,ou=People,o=airius.com" -w Secret123 -b "cn=config"
[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-s1/access
[15/Sep/2011:18:15:45 +051800] conn=11 op=0 BIND dn="cn=uid=ams,ou=People,o=airius.com" method=128 version=3
[15/Sep/2011:18:15:45 +051800] conn=11 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[15/Sep/2011:18:15:45 +051800] conn=11 op=-1 fd=64 closed - B1
[15/Sep/2011:18:15:51 +051800] conn=12 fd=64 slot=64 connection from ::1 to ::1
[15/Sep/2011:18:15:51 +051800] conn=12 op=0 BIND dn="uid=ams,ou=People,o=airius.com" method=128 version=3
[15/Sep/2011:18:15:51 +051800] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ams,ou=people,o=airius.com"
[15/Sep/2011:18:15:51 +051800] conn=12 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[15/Sep/2011:18:15:51 +051800] conn=12 op=1 RESULT err=0 tag=101 nentries=2 etime=0
[15/Sep/2011:18:15:51 +051800] conn=12 op=2 UNBIND
[15/Sep/2011:18:15:51 +051800] conn=12 op=2 fd=64 closed - U1
[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
[15/Sep/2011:18:14:48 +051800] conn=12 op=4 EXT oid="2.16.840.1.113730.3.5.12"
[15/Sep/2011:18:14:48 +051800] conn=12 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[15/Sep/2011:18:14:48 +051800] conn=12 op=5 SRCH base="cn=replica,cn=o\3Dairius.com,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsDS5ReplicaId"
[15/Sep/2011:18:14:48 +051800] conn=12 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[15/Sep/2011:18:14:48 +051800] conn=12 op=6 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Sep/2011:18:14:48 +051800] conn=12 op=6 RESULT err=0 tag=120 nentries=0 etime=0
[15/Sep/2011:18:15:47 +051800] conn=11 op=6 UNBIND
[15/Sep/2011:18:15:47 +051800] conn=11 op=6 fd=64 closed - U1
[15/Sep/2011:18:15:48 +051800] conn=12 op=7 UNBIND
[15/Sep/2011:18:15:48 +051800] conn=12 op=7 fd=65 closed - U1
(In reply to comment #6)
> [root@snmaptest ~]# ldapmodify -D "cn=directory manager" -w Secret123 -p 34202 -x -h localhost << EOF
> > dn: cn=config
> > changetype: modify
> > replace: passwordIsGlobalPolicy
> > passwordIsGlobalPolicy: on
> > EOF
> modifying entry "cn=config"
>
> [root@snmaptest ~]# ldapsearch -x -h localhost -p 34202 -D "uid=ams,ou=People,o=airius.com" -w Secret123 -b "cn=config"
>
> [root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-s1/access
> [15/Sep/2011:18:15:45 +051800] conn=11 op=0 BIND dn="cn=uid=ams,ou=People,o=airius.com" method=128 version=3
> [15/Sep/2011:18:15:45 +051800] conn=11 op=0 RESULT err=32 tag=97 nentries=0 etime=0
> [15/Sep/2011:18:15:45 +051800] conn=11 op=-1 fd=64 closed - B1
> [15/Sep/2011:18:15:51 +051800] conn=12 fd=64 slot=64 connection from ::1 to ::1
> [15/Sep/2011:18:15:51 +051800] conn=12 op=0 BIND dn="uid=ams,ou=People,o=airius.com" method=128 version=3
> [15/Sep/2011:18:15:51 +051800] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ams,ou=people,o=airius.com"
> [15/Sep/2011:18:15:51 +051800] conn=12 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
> [15/Sep/2011:18:15:51 +051800] conn=12 op=1 RESULT err=0 tag=101 nentries=2 etime=0
> [15/Sep/2011:18:15:51 +051800] conn=12 op=2 UNBIND
> [15/Sep/2011:18:15:51 +051800] conn=12 op=2 fd=64 closed - U1
>
> [root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
> [15/Sep/2011:18:14:48 +051800] conn=12 op=4 EXT oid="2.16.840.1.113730.3.5.12"
> [15/Sep/2011:18:14:48 +051800] conn=12 op=4 RESULT err=0 tag=120 nentries=0 etime=0
> [15/Sep/2011:18:14:48 +051800] conn=12 op=5 SRCH base="cn=replica,cn=o\3Dairius.com,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsDS5ReplicaId"
> [15/Sep/2011:18:14:48 +051800] conn=12 op=5 RESULT err=0 tag=101 nentries=1 etime=0
> [15/Sep/2011:18:14:48 +051800] conn=12 op=6 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [15/Sep/2011:18:14:48 +051800] conn=12 op=6 RESULT err=0 tag=120 nentries=0 etime=0
> [15/Sep/2011:18:15:47 +051800] conn=11 op=6 UNBIND
> [15/Sep/2011:18:15:47 +051800] conn=11 op=6 fd=64 closed - U1
> [15/Sep/2011:18:15:48 +051800] conn=12 op=7 UNBIND
> [15/Sep/2011:18:15:48 +051800] conn=12 op=7 fd=65 closed - U1

Is 34202 slapd-c1 or slapd-s1? Note that the access log is buffered, and the reason why there is nothing in the slapd-c1 access log at around the time of the bind in the slapd-s1 access log [15/Sep/2011:18:15:51 +051800] could be because it is buffered.

S1PORT=34202
S1PORTS=34212
S2PORT=34204
S2PORTS=34214
C1PORT=34206
C1PORTS=34216
C2PORT=34208
C2PORTS=34218

[root@snmaptest ~]# ldapsearch -x -h localhost -p 34208 -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep passwordisglobalpolicy
passwordisglobalpolicy: off
[root@snmaptest ~]# ldapsearch -x -h localhost -p 34206 -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep passwordisglobalpolicy
passwordisglobalpolicy: on
[root@snmaptest ~]# ldapsearch -x -h localhost -p 34204 -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep passwordisglobalpolicy
passwordisglobalpolicy: off
[root@snmaptest ~]# ldapsearch -x -h localhost -p 34202 -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep passwordisglobalpolicy
passwordisglobalpolicy: off

ldapmodify -D "cn=directory manager" -w Secret123 -p 34206 -x -h localhost << EOF
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on
EOF
modifying entry "cn=config"

ldapsearch -x -h localhost -p 34202 -D "uid=ams,ou=People,o=airius.com" -w Secret123 -b "cn=config"

[34202]
======
[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-s1/access
[16/Sep/2011:12:14:57 +051800] conn=46 op=1 RESULT err=0 tag=101 nentries=2 etime=0
[16/Sep/2011:12:14:57 +051800] conn=46 op=2 UNBIND
[16/Sep/2011:12:14:57 +051800] conn=46 op=2 fd=64 closed - U1
[16/Sep/2011:12:15:09 +051800] conn=47 fd=64 slot=64 connection from ::1 to ::1
[16/Sep/2011:12:15:09 +051800] conn=47 op=0 BIND dn="uid=ams,ou=People,o=airius.com" method=128 version=3
[16/Sep/2011:12:15:09 +051800] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ams,ou=people,o=airius.com"
[16/Sep/2011:12:15:09 +051800] conn=47 op=1 SRCH base="o=airius.com" scope=2 filter="(objectClass=*)" attrs=ALL
[16/Sep/2011:12:15:09 +051800] conn=47 op=1 RESULT err=0 tag=101 nentries=165 etime=0 notes=U
[16/Sep/2011:12:15:09 +051800] conn=47 op=2 UNBIND
[16/Sep/2011:12:15:09 +051800] conn=47 op=2 fd=64 closed - U1

[34206]
===========
[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
[16/Sep/2011:12:10:02 +051800] conn=35 op=2 UNBIND
[16/Sep/2011:12:10:02 +051800] conn=35 op=2 fd=64 closed - U1
[16/Sep/2011:12:10:02 +051800] conn=35 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[16/Sep/2011:12:10:09 +051800] conn=36 fd=64 slot=64 connection from ::1 to ::1
[16/Sep/2011:12:10:09 +051800] conn=36 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[16/Sep/2011:12:10:09 +051800] conn=36 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Sep/2011:12:10:09 +051800] conn=36 op=1 SRCH base="cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[16/Sep/2011:12:10:09 +051800] conn=36 op=1 RESULT err=0 tag=101 nentries=192 etime=0
[16/Sep/2011:12:10:09 +051800] conn=36 op=2 UNBIND
[16/Sep/2011:12:10:09 +051800] conn=36 op=2 fd=64 closed - U1
[16/Sep/2011:12:20:02 +051800] conn=37 fd=64 slot=64 connection from ::1 to ::1
[16/Sep/2011:12:20:02 +051800] conn=37 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[16/Sep/2011:12:20:02 +051800] conn=37 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Sep/2011:12:20:02 +051800] conn=37 op=1 SRCH base="o=airius.com" scope=2 filter="(objectClass=*)" attrs=ALL
[16/Sep/2011:12:20:02 +051800] conn=37 op=1 RESULT err=0 tag=101 nentries=166 etime=0 notes=U
[16/Sep/2011:12:20:02 +051800] conn=37 op=2 UNBIND
[16/Sep/2011:12:20:02 +051800] conn=37 op=2 fd=64 closed - U1

Please guide.

I only see the bind request for cn=directory manager in the slapd-c1 access log. Could it be that the bind request for "uid=ams,ou=People,o=airius.com" was buffered?

Rich, can you please guide me on how I should check the buffered one?

For the purposes of testing, you can disable access log buffering:
ldapmodify -x -D "cn=directory manager" -w thepassword <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-logbuffering
nsslapd-accesslog-logbuffering: off
EOF

Please provide the exact ldapsearch command line you are using. From what I understand, you are attempting to test if you can ldapsearch to slapd-c1 and have the bind request chained to slapd-s1. When you do this, you should see a bind request for the user in the access log for slapd-c1, and a bind request for the same user (could be proxied) in the access log for slapd-s1.

(In reply to comment #13)
> Please provide the exact ldapsearch command line you are using. From what I
> understand, you are attempting to test if you can ldapsearch to slapd-c1 and
> have the bind request chained to slapd-s1. When you do this, you should see a
> bind request for the user in the access log for slapd-c1, and a bind request
> for the same user (could be proxied) in the access log for slapd-s1.

[root@snmaptest ~]# ldapsearch -x -h localhost -p 34202 -D "uid=ams,ou=People,o=airius.com" -w Secret123 -b "cn=config"

(In reply to comment #13)
> Please provide the exact ldapsearch command line you are using. From what I
> understand, you are attempting to test if you can ldapsearch to slapd-c1 and
> have the bind request chained to slapd-s1. When you do this, you should see a
> bind request for the user in the access log for slapd-c1, and a bind request
> for the same user (could be proxied) in the access log for slapd-s1.

[root@snmaptest ~]# ldapsearch -x -h localhost -p 34202 -D "uid=ams,ou=People,o=airius.com" -w Secret123 -b "cn=config"

(In reply to comment #15)
> (In reply to comment #13)
> > Please provide the exact ldapsearch command line you are using. From what I
> > understand, you are attempting to test if you can ldapsearch to slapd-c1 and
> > have the bind request chained to slapd-s1. When you do this, you should see a
> > bind request for the user in the access log for slapd-c1, and a bind request
> > for the same user (could be proxied) in the access log for slapd-s1.
>
> [root@snmaptest ~]# ldapsearch -x -h localhost -p 34202 -D "uid=ams,ou=People,o=airius.com" -w Secret123 -b "cn=config"

Ok. That ldapsearch is against slapd-s1, so chaining is not involved at all, so you won't be verifying the bug.

Steps to reproduce:
1) set up replication with chain on update
2) on one of the consumers, turn on global password policy:
ldapmodify -D "cn=directory manager" -w Secret123 -p 34206 -x -h localhost << EOF
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on
EOF
3) as a non-root user, execute an ldapsearch operation against the consumer in the replicated subtree:
ldapsearch -x -h localhost -p 34206 -D "uid=amsharma1,ou=People,o=airius.com" -w Secret123 -b "ou=People,o=airius.com"
4) check the access log on the consumer for a bind operation
5) check the access log on the supplier for a bind operation from the consumer

Followed steps in comment #17.
=================================
[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-c1/access
[30/Sep/2011:11:50:17 +051800] conn=1 op=2 UNBIND
[30/Sep/2011:11:50:17 +051800] conn=1 op=2 fd=64 closed - U1
[30/Sep/2011:11:50:17 +051800] conn=1 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[30/Sep/2011:11:50:27 +051800] conn=2 fd=64 slot=64 connection from ::1 to ::1
[30/Sep/2011:11:50:27 +051800] conn=2 op=0 BIND dn="uid=amsharma1,ou=People,o=airius.com" method=128 version=3
[30/Sep/2011:11:50:27 +051800] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=amsharma1,ou=people,o=airius.com"
[30/Sep/2011:11:50:27 +051800] conn=2 op=1 SRCH base="ou=People,o=airius.com" scope=2 filter="(objectClass=*)" attrs=ALL
[30/Sep/2011:11:50:27 +051800] conn=2 op=1 RESULT err=0 tag=101 nentries=152 etime=0 notes=U
[30/Sep/2011:11:50:27 +051800] conn=2 op=2 UNBIND
[30/Sep/2011:11:50:27 +051800] conn=2 op=2 fd=64 closed - U1
^C
[root@snmaptest ~]# tail -f /var/log/dirsrv/slapd-s1/access
[29/Sep/2011:17:35:55 +051800] conn=23 op=40 SRCH base="cn=changelog5,cn=config" scope=0 filter="(cn=*)" attrs=ALL
[29/Sep/2011:17:35:55 +051800] conn=23 op=40 RESULT err=0 tag=101 nentries=1 etime=0
[29/Sep/2011:17:35:55 +051800] conn=23 op=41 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Sep/2011:17:35:55 +051800] conn=23 op=41 RESULT err=0 tag=101 nentries=1 etime=0
[29/Sep/2011:17:35:55 +051800] conn=23 op=42 UNBIND
[29/Sep/2011:17:35:55 +051800] conn=23 op=42 fd=65 closed - U1
[29/Sep/2011:17:36:06 +051800] conn=22 op=-1 fd=64 closed - B1
[30/Sep/2011:11:50:27 +051800] conn=1 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[30/Sep/2011:11:50:27 +051800] conn=1 op=0 BIND dn="uid=amsharma1,ou=people,o=airius.com" method=128 version=3
[30/Sep/2011:11:50:27 +051800] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=amsharma1,ou=people,o=airius.com"

Hence VERIFIED.
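Steps 4 and 5 of the reproduction in this thread are done by eye; the shell check below is an added example (not code from the bug or from 389-ds) that does the same correlation mechanically over the consumer and supplier access logs. It reports a chained bind only when the user's BIND got RESULT err=0 on both servers, and it compares DNs case-insensitively because, as the pasted logs show, the supplier records the normalized lower-case DN; the log lines it runs over are constructed samples modelled on those in the thread.

```shell
#!/bin/sh
# Added example, not code from the bug or from 389-ds: check from the access logs
# whether a user BIND made against a chain-on-update consumer was chained to the
# supplier, as the verification steps in this bug require. Assumes the 389-ds
# access log format seen in the thread; all log lines below are constructed.

# bind_ok LOGFILE DN: print "conn=N op=M" for every BIND of DN in LOGFILE whose
# RESULT line reports err=0. The DN match is case-insensitive because the
# supplier logs the normalized (lower-case) DN while the consumer logs it as typed.
bind_ok() {
    logfile=$1; dn=$2
    grep -Fi "BIND dn=\"$dn\"" "$logfile" | while read -r line; do
        id=$(printf '%s\n' "$line" | sed -n 's/.*\(conn=[0-9]* op=[0-9]*\).*/\1/p')
        grep -q "\] $id RESULT err=0 " "$logfile" && printf '%s\n' "$id"
    done
}

# chained_bind_seen CONSUMER_LOG SUPPLIER_LOG DN: succeed (exit 0) only if DN
# bound successfully on the consumer AND the same DN also bound successfully on
# the supplier, i.e. the consumer forwarded the bind instead of answering locally.
chained_bind_seen() {
    [ -n "$(bind_ok "$1" "$3")" ] && [ -n "$(bind_ok "$2" "$3")" ]
}

# Constructed sample logs (modelled on the ones pasted in the thread).
tmp=${TMPDIR:-/tmp}/chainbind.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/c1.access" <<'EOF'
[30/Sep/2011:11:50:20 +051800] conn=1 op=0 BIND dn="uid=amsharma1,ou=People,o=airius.com" method=128 version=3
[30/Sep/2011:11:50:20 +051800] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[30/Sep/2011:11:50:27 +051800] conn=2 op=0 BIND dn="uid=amsharma1,ou=People,o=airius.com" method=128 version=3
[30/Sep/2011:11:50:27 +051800] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=amsharma1,ou=people,o=airius.com"
EOF
cat > "$tmp/s1.access" <<'EOF'
[30/Sep/2011:11:50:27 +051800] conn=1 op=0 BIND dn="uid=amsharma1,ou=people,o=airius.com" method=128 version=3
[30/Sep/2011:11:50:27 +051800] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=amsharma1,ou=people,o=airius.com"
EOF
# Supplier log as it looks when the bind was answered locally (policy off, or logs still buffered).
cat > "$tmp/s1-nochain.access" <<'EOF'
[30/Sep/2011:11:50:27 +051800] conn=5 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[30/Sep/2011:11:50:27 +051800] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
EOF

USERDN="uid=amsharma1,ou=People,o=airius.com"
if chained_bind_seen "$tmp/c1.access" "$tmp/s1.access" "$USERDN"; then
    echo "bind for $USERDN was chained to the supplier"
fi
if ! chained_bind_seen "$tmp/c1.access" "$tmp/s1-nochain.access" "$USERDN"; then
    echo "no chained bind on the supplier: check passwordIsGlobalPolicy and nsslapd-accesslog-logbuffering"
fi
```

On a live setup, point the two functions at the real consumer and supplier access log files after turning nsslapd-accesslog-logbuffering off, as the thread recommends, so the lines are on disk when you look.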