From Ulrich.Windl@rz.uni-regensburg.de Tue Feb 15 14:54:05 2022
From: Ulrich Windl
To: openldap-technical@openldap.org
Subject: Antw: [EXT] Re: How to restrict access to pwdHistory attributes
Date: Tue, 15 Feb 2022 08:49:18 +0100
Message-ID: <620B5AFE020000A100047C5D@gwsmtp.uni-regensburg.de>

>>> Chandeshwar Mishra wrote on 14.02.2022 at 23:26 in message:
> Hi Quanah,
>
> Thanks for your response. Our setup is a very old one and we are planning
> to migrate it to the latest stable version, but since this OpenLDAP is
> deployed in production it is not possible for us to upgrade it suddenly.
>
> As you mentioned that the ppolicy schema is missing in the configuration, is it
> possible that, without having the ppolicy schema, OpenLDAP will remember the
> pwdHistory of the user?

My guess is that unconfiguring ppolicy does not make the entries created by
ppolicy go away.
You probably have to remove them if you want them to go away, or re-configure
ppolicy if you want to use them.

Regards,
Ulrich

>
> In my case pwdHistory is visible to users, for which I want to apply an ACL so
> that a user can only see his/her own pwdHistory, not other users' pwdHistory.
>
> Below is my configuration related to ppolicy in the config file:
>
> include /etc/openldap/schema/ppolicy.schema
> --- more include directives related to schema
>
> ----
> moduleload ppolicy.la
> moduleload memberof.la
> overlay memberof
> overlay syncprov
> overlay auditlog
> #overlay accesslog
> overlay ppolicy
> ppolicy_default "cn=passwordDefault,dc=example,dc=com"
>
> Thanks & Regards,
> Chandeshwar Kumar
>
> On Mon, Feb 14, 2022 at 11:24 PM Quanah Gibson-Mount wrote:
>
>> --On Saturday, February 12, 2022 5:22 AM +0000
>> kumarchandeshwar99(a)gmail.com wrote:
>>
>> > Hi,
>> > I am trying to restrict access to the pwdHistory attribute provided by the
>> > ppolicy overlay. I have applied the below ACL:
>> >
>> > access to attrs=pwdHistory
>> >         by * none
>> >
>> > but while running slaptest, it throws the below error:
>> >
>> > /etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to clause
>> > <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
>> > <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
>> > <attrspec> ::= <attrname> [val[/<matching rule>][.<attrstyle>]=<value>] | <attrlist>
>> > <attrlist> ::= <attr> [ , <attrlist> ]
>> > <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
>> > <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
>> >         [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
>> >         [dnattr=<attrname>]
>> >         [realdnattr=<attrname>]
>> >         [group[/<objectclass>[/<attrname>]][.
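Editor's added example, not part of the thread above and not the poster's actual configuration: a slapd.conf fragment showing the ordering that produces the "unknown attr" error next to a corrected layout that gives each user read access to their own pwdHistory and nothing else. The suffix, the ppolicy_default DN and the surrounding rules are placeholders assumed for illustration.

```conf
# Added example (not from the thread). Placeholder DNs; slapd.conf style.

## Broken ordering: slapd resolves attribute names in "access to" clauses
## while parsing the file, so an ACL that names pwdHistory before the
## ppolicy schema has been included fails slaptest with:
##   unknown attr "pwdHistory" in to clause
access to attrs=pwdHistory
        by * none
include         /etc/openldap/schema/ppolicy.schema

## Corrected: schema first, then the ACLs. ACLs are evaluated in order and
## the first "access to" clause that matches the target wins, so the
## pwdHistory rule must come before any broad "access to *" rule.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/ppolicy.schema

moduleload      ppolicy.la

# A user may read only their own history (self = bound DN equals entry DN);
# every other bind, authenticated or not, gets nothing. pwdHistory values
# carry the hashes of previous passwords, so drop "by self read" as well if
# users have no real need to see them.
access to attrs=pwdHistory
        by self read
        by * none

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by users read
        by * none

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

overlay         ppolicy
ppolicy_default "cn=passwordDefault,dc=example,dc=com"
```

Two checks worth running after the change: `slaptest -u -f /etc/openldap/slapd.conf` should now parse cleanly, and because pwdHistory is an operational attribute it is only returned when asked for, so test with `ldapsearch -x -D "uid=alice,ou=People,dc=example,dc=com" -W -b "uid=bob,ou=People,dc=example,dc=com" pwdHistory` (no pwdHistory should come back) and the same search against alice's own entry (her history should). The deny rule does not stop the overlay from maintaining the attribute: pwdHistory is NO-USER-MODIFICATION, and slapd skips the ACL write check for such attributes when the server itself adds them during a password change. Under cn=config the same rule goes into olcAccess on the database entry, with the ppolicy schema loaded under cn=schema,cn=config first.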