On 6/21/19 2:50 AM, Kyle Sloan wrote:
> I am able to hide the userPassword and any other single/unique fields on a query, but I cannot figure out the pwdHistory and how to disable it from anonymous queries. I keep getting syntax errors and am unsure what the syntax is.
Please post what you did and which error message you got.
In general ACL syntax is always the same for all attributes like defined in the man-page slapd.access(5):
https://www.openldap.org/software/man.cgi?query=slapd.access
In Æ-DIR I'm using something similar to this:
# grant manage, search and delete access (no read!)
# to attribute pwdHistory only for password admins
access to attrs=pwdHistory
  by group="cn=password admins,dc=example,dc=com" =szm
  by * none
> This works for userPassword, but fails when I replace or add pwdHistory
>
> access to attrs=userPassword by self write by anonymous auth by * none
As you can see it's not that different.
BTW: You can make your access rights write-only for password changes by using "=w" instead of "write":
access to attrs=userPassword by self =w by anonymous auth by * none
Ciao, Michael.
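As an added illustration (not part of the thread above), here is the same pair of rules expressed for a cn=config (dynamic) setup, where the ordering of the olcAccess values matters: the attribute-specific rules must come before the catch-all "to *" rule, otherwise the first matching rule grants read to everyone. It assumes the database is olcDatabase={1}mdb, the suffix dc=example,dc=com and the group name Michael used; adjust those to your directory.

```ldif
# Assumed database DN; check with: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# userPassword: the user may only write it (=w, never read it back),
# anonymous may only bind against it, nobody else sees it
olcAccess: {0}to attrs=userPassword
  by self =w
  by anonymous auth
  by * none
# pwdHistory (ppolicy overlay): search/delete/manage for password admins,
# no access at all for anyone else, including anonymous
olcAccess: {1}to attrs=pwdHistory
  by group="cn=password admins,dc=example,dc=com" =szm
  by * none
# catch-all rule must stay last; anything above it is evaluated first
olcAccess: {2}to *
  by * read
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then verify with an anonymous `ldapsearch -x -LLL -b dc=example,dc=com '(uid=*)' userPassword pwdHistory`: neither attribute should appear in the result, and `slapacl` can be used to check a specific DN against the rules without a running server.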