From kumarchandeshwar99@gmail.com Tue Feb 15 00:45:27 2022 From: Chandeshwar Mishra To: openldap-technical@openldap.org Subject: Re: How to restrict access to pwdHistory attributes Date: Tue, 15 Feb 2022 03:56:35 +0530 Message-ID: In-Reply-To: <5DB120E21F27075FF7BDF544@192.168.1.12> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8257070714882019713==" --===============8257070714882019713== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Hi Quanah, Thanks for your response. Our setup is a very old one and we are planning to migrate it to the latest stable version but Since this openldap is deployed in Production it is not possible for us to upgrade it suddenly. As you mentioned that ppolicy schema is missing in configuration, so is it possible that without having ppolicy schema, Openldap will remember the pwdHistory of the user ? In my case pwdHistory is visible to users, for which I want to apply ACL so that a user can only see his/her pwdHistory , not other users pwdHistory. Below are my configuration related to ppolicy configuration in config file:- include /etc/openldap/schema/ppolicy.schema --- more include directive related to schema ---- moduleload ppolicy.la moduleload memberof.la overlay memberof overlay syncprov overlay auditlog #overlay accesslog overlay ppolicy ppolicy_default "cn=passwordDefault,dc=example,dc=com" Thanks & Regards, Chandeshwar Kumar On Mon, Feb 14, 2022 at 11:24 PM Quanah Gibson-Mount wrote: > > > --On Saturday, February 12, 2022 5:22 AM +0000 > kumarchandeshwar99(a)gmail.com > wrote: > > > Hi, > > I am trying to restrict access to pwdHistory attributes provided by > > ppolicy overlay. I have applied the below ACL > > > > access to attrs=pwdHistory > > by * none > > but while doing slaptest, its throwing below error:- > > /etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to > clause > > ::= access to [ by [ ] [ > > ] ]+ ::= * | dn[.=] [filter=] > > [attrs=] ::= > > [val[/][.]=] | ::= > > [ , ] > > ::= | @ | ! | entry | > children > > ::= [ * | anonymous | users | self | dn[.]= ] > > [ realanonymous | realusers | realself | realdn[.]= > ] > > [dnattr=] > > [realdnattr=] > > [group[/[/]][.