--On Friday, June 21, 2019 1:50 AM +0000 Kyle Sloan ksloan@athenahealth.com wrote:
I am able to hide the userPassword and any other single/unique fields on a query, but I cannot figure out the pwdHistory and how to disable it from anonymous queries. I keep getting syntax errors and am unsure what the syntax is.
This works for userPassword, but fails when I replace or add pwdHistory
access to attrs=userPassword by self write by anonymous auth by * none
Hi,
This is clearly not your entire ACL set. When discussing ACLs, it's generally important to provide your full ACL set, since order is important.
Generally, if you want to restrict access to pwdHistory, you would do something like:
access to attrs=pwdHistory by self write by * none
The "self write" is likely unnecessary since it's an overlay that manages it (slapo-ppolicy). I would note that if some other ACL takes precedence over this ACL (since you've failed to list all of them), it won't get applied.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
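
The ordering point from the reply above, as an added slapd.conf example that is not part of the original thread. The catch-all `access to * by * read` rule is an assumption about what the rest of the ACL set might contain; the poster's full ACL set is not shown.

```conf
# Added example, not from the thread. slapd applies the FIRST "access to"
# clause whose <what> matches the attribute, and within that clause the
# FIRST matching "by" entry; later clauses are never consulted.

# --- Ordering that leaves pwdHistory readable (shown commented out) ---
# The assumed catch-all matches every attribute, so the attribute-specific
# clause below it is never reached and anonymous binds can read both
# userPassword and pwdHistory.
#
# access to *
#     by * read
# access to attrs=userPassword,pwdHistory
#     by self write
#     by anonymous auth
#     by * none

# --- Ordering where the restrictions apply ---
# Attribute-specific clauses come before the catch-all.

# userPassword: owner may change it, anonymous may only use it to bind.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# pwdHistory: the form given in the reply. The reply notes "by self write"
# is likely unnecessary because slapo-ppolicy maintains this attribute.
access to attrs=pwdHistory
    by self write
    by * none

# Assumed catch-all for everything else; it must stay last.
access to *
    by * read
```

To check the result, request `pwdHistory` by name in an anonymous search; it is an operational attribute and is not returned by a default search even when readable.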