On 06.02.21 at 00:29, Quanah Gibson-Mount wrote:
--On Saturday, February 6, 2021 12:06 AM +0100 Uwe Sauter uwe.sauter.de@gmail.com wrote:
Yes it is. Account locking after failed attempts, password changes honoring configured rules, password history etc. all works since this was set up in 2017. Back then I just forgot to hide the pwd* attributes that are managed by the ppolicy overlay.
Just to confirm, you're not using the rootdn to test the ACL right? Because the rootdn is never subject to ACL restraints. I'd also advise upgrading to the current release, there are a number of ppolicy fixes made since 2.4.44.
I'm not sure I understand the question.
I am unable to configure the ACL because slaptest won't accept it and if I restart the running service it will fail during startup due to the bad configuration. So I cannot test the ACL.
Nevertheless, the current situation is that an anonymous query will list the pwd* attributes (ldapsearch -x '(uid=myuser)' +). I want to restrict access to these attributes so that only the manager account can access them (ldapsearch -xWD cn=manager,dc=example,dc=com '(uid=myuser)' +).
Regards,
Uwe
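As an added illustration (not part of the thread), this is the kind of slapd.conf ACL that hides the slapo-ppolicy operational attributes from everyone except the manager account; the suffix and cn=manager DN are taken from the ldapsearch command above, the rootdn and database type are assumptions, and the rule is placed where the overlay's schema is already known so slaptest will accept it.

```conf
# Global section.  The pwd* attribute types are registered when the ppolicy
# module is loaded, so the module must be loaded before any ACL that names
# them; otherwise slaptest rejects the rule as an unknown attribute.
moduleload ppolicy.la

database mdb
suffix   "dc=example,dc=com"
# Assumption: the rootdn is NOT cn=manager.  The rootdn bypasses all ACLs,
# so binding as it proves nothing about the rule below.
rootdn   "cn=admin,dc=example,dc=com"

overlay  ppolicy

# ACLs are matched first-"to"-clause-wins, so this rule must precede any
# broader "access to *" rule.  These attributes are NO-USER-MODIFICATION and
# are maintained by the overlay itself, so "by * none" does not stop
# lockout, pwdFailureTime or pwdHistory updates from working.
access to attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset,pwdPolicySubentry
        by dn.exact="cn=manager,dc=example,dc=com" read
        by * none

# Usual password rule: users may change their own, anyone may bind.
access to attrs=userPassword
        by dn.exact="cn=manager,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

access to *
        by dn.exact="cn=manager,dc=example,dc=com" write
        by * read

# cn=config equivalent of the pwd* rule (one olcAccess value, ordered first):
# olcAccess: {0}to attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset,pwdPolicySubentry
#   by dn.exact="cn=manager,dc=example,dc=com" read by * none
#
# Checks after "slaptest -f slapd.conf -u" passes and slapd is restarted:
#   ldapsearch -x -b dc=example,dc=com '(uid=myuser)' +      -> no pwd* attrs
#   ldapsearch -xWD cn=manager,dc=example,dc=com \
#              -b dc=example,dc=com '(uid=myuser)' +          -> pwd* attrs shown
```

Run the anonymous check with a bind DN other than the rootdn as well; only a non-rootdn bind actually exercises the deny side of the rule.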
2.4.47: Fixed slapo-ppolicy with multi-provider replication (ITS#8927)
2.4.48: Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
2.4.49: Fixed slapo-ppolicy when used with slapauth (ITS#8629)
2.4.49: Fixed slapo-ppolicy to add a missed normalised copy of pwdChangedTime (ITS#9126)
2.4.50: Fixed slapo-ppolicy callback (ITS#9171)
2.4.51: Added slapo-ppolicy implement Netscape password policy controls (ITS#9279)
2.4.51: Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285)
2.4.51: Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302)
2.4.51: Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309)
2.4.53: Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)
I'd note again, Symas provides free drop-in replacement builds for CentOS/RHEL 7 that are current:
https://repo.symas.com/sofl/rhel7/
You will want to reload the database to account for the 2.4.49 fix for ITS#9126 (it requires a reload of the db via slapcat/slapadd to fix the internal normalization of pwdChangedTime).
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com