From quanah@fast-mail.org Mon Feb 14 17:54:05 2022
From: Quanah Gibson-Mount <quanah@fast-mail.org>
To: openldap-technical@openldap.org
Subject: Re: How to restrict access to pwdHistory attributes
Date: Mon, 14 Feb 2022 09:54:00 -0800
Message-ID: <5DB120E21F27075FF7BDF544@[192.168.1.12]>
In-Reply-To: <20220212052218.5262.73458@hypatia.openldap.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1241123114172004322=="

--===============1241123114172004322==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit



--On Saturday, February 12, 2022 5:22 AM +0000 kumarchandeshwar99(a)gmail.com 
wrote:

> Hi,
>  I am trying to restrict access to pwdHistory attributes provided by
> ppolicy overlay. I have applied the below ACL
>
> access to attrs=pwdHistory
>      by * none
>  but while doing slaptest,  its throwing below error:-
> /etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to clause
> <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control>
> ] ]+ <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>]
> [attrs=<attrspec>] <attrspec> ::= <attrname>
> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::=
> <attr> [ , <attrlist> ]
> <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
> <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
>         [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
>         [dnattr=<attrname>]
>         [realdnattr=<attrname>]
>         [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
>         [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
>         [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
>         [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
>
> Before posting here I searched archive and found one similar, issue , but
> it did not resolve my issue. I have running openldap-servers-2.4.23 on
> RHEL-6.5.

You are missing the ppolicy schema in your configuration.

However, I would note that both RHEL6 and OpenLDAP 2.4 are historic and no 
longer in support.  I'd strongly advise upgrading to both an OS that is 
under support and a version of OpenLDAP that's under support.

Regards,
Quanah



--===============1241123114172004322==--