Hi Michael.
On 05.02.21 at 17:31, Michael Ströder wrote:
On 2/5/21 8:40 AM, Uwe Sauter wrote:
I'm trying to restrict access to the operational attributes that are provided by the ppolicy overlay (e.g. pwdChangedTime, pwdHistory).
When I add the following to my ACL configuration file and try to verify the configuration an error occurs:
#### ACL
access to attrs=pwdHistory
        by * none
########

#### slaptest output
601cf554 /etc/openldap/acl.conf: line 96: unknown attr "pwdHistory" in to clause
The above error means you did not load ppolicy schema.
Add to slapd.conf:
include /etc/openldap/schema/ppolicy.schema
Adjust the path to match the exact path of your local OpenLDAP build.
I would totally agree with you if that wasn't already the case.
### /etc/openldap/slapd.conf ###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/kerberos.schema
include /etc/openldap/schema/freeradius.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/sudo.schema

# ACL definitions
include /etc/openldap/acl.conf

[many more lines]
################################
#### /etc/openldap/acl.conf ####
access to dn.base=""
        by * read

access to attrs=userPassword,sambaLMPassword,shadowLastChange
        by dn="cn=Manager,dc=example,dc=com" write
        by dn="cn=radius-lookup,dc=example,dc=com" read
        by self write
        by * auth

[more acl entries]

## ppolicy
# man 5 slapo-ppolicy
access to dn.subtree="ou=Policies,dc=hlrs,dc=de"
        by dn="cn=Manager,dc=hlrs,dc=de" write
        by * none

access to attrs=pwdHistory
        by * none

[even more entries]
##################################

# slaptest
601d92d6 /etc/openldap/acl.conf: line 84: unknown attr "pwdHistory" in to clause
[…]
slaptest: bad configuration file!
This is on CentOS with openldap-servers-2.4.44-22.el7.
Thanks,
Uwe
Ciao, Michael.
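Added example, not code from this thread and not an OpenLDAP tool: a small ordering check for the situation above, where ppolicy.schema is included but slaptest still rejects an ACL naming pwdHistory. It encodes one assumption, stated here so it can be checked against your build: in OpenLDAP 2.4 slapo-ppolicy registers its state attributes (pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset, pwdPolicySubentry) from the overlay code when the module is loaded, while ppolicy.schema only declares the policy attributes (pwdAttribute, pwdInHistory, ...). Since slapd.conf is parsed top to bottom, an "access to attrs=pwdHistory" line is only accepted if "moduleload ppolicy" precedes it, or the overlay was linked statically. The slapd.conf, acl.conf and schema snippets in the script are constructed stand-ins modelled on the thread (dc=example,dc=com, no samba attributes), not the poster's real files.

```python
"""Check that every attribute in an 'access to attrs=' clause is already known to slapd
at the point in slapd.conf where the ACL is parsed (otherwise: unknown attr in to clause).

Assumption (see lead-in): in OpenLDAP 2.4 the ppolicy *state* attributes are registered
by the overlay at moduleload, not by ppolicy.schema."""
import re

# State attributes registered by slapo-ppolicy itself rather than by ppolicy.schema (assumption).
PPOLICY_STATE_ATTRS = {
    "pwdchangedtime", "pwdaccountlockedtime", "pwdfailuretime", "pwdhistory",
    "pwdgraceusetime", "pwdreset", "pwdpolicysubentry",
}

# Constructed stand-ins for the real files; only the NAME tokens of the schema matter here.
FILES = {
    "/etc/openldap/schema/core.schema":
        "attributetype ( 2.5.4.35 NAME 'userPassword'\n\tEQUALITY octetStringMatch )\n",
    "/etc/openldap/schema/nis.schema":
        "attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' ... )\n",
    "/etc/openldap/schema/ppolicy.schema":
        "attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' ... )\n"
        "attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' ... )\n",
    "/etc/openldap/acl.conf": """\
access to dn.base=""
        by * read

access to attrs=userPassword,shadowLastChange
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * auth

## ppolicy state: nobody may read the password history
access to attrs=pwdHistory
        by * none
""",
}

# Constructed slapd.conf: the ppolicy module is loaded only after the ACL file was parsed.
BROKEN_SLAPD_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema

# ACL definitions
include /etc/openldap/acl.conf

moduleload ppolicy.la

database mdb
suffix "dc=example,dc=com"
overlay ppolicy
"""

# Same directives, moduleload moved ahead of the ACL include.
FIXED_SLAPD_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema

moduleload ppolicy.la

# ACL definitions
include /etc/openldap/acl.conf

database mdb
suffix "dc=example,dc=com"
overlay ppolicy
"""

_ATTRTYPE_RE = re.compile(r"attributetype\s*\(.*?NAME\s+('[^']+'|\([^)]*\))", re.S | re.I)
_ATTRS_RE = re.compile(r"\battrs?=(\S+)")


def schema_attrs(text):
    """Lower-cased names (aliases included) of every attributetype in a schema file."""
    names = set()
    for clause in _ATTRTYPE_RE.findall(text):
        names.update(n.lower() for n in re.findall(r"'([^']+)'", clause))
    return names


def logical_lines(text):
    """slapd.conf logical lines: a line starting with whitespace continues the previous one."""
    out, in_comment = [], False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":            # continuation of the previous physical line
            if not in_comment and out:
                out[-1] += " " + raw.strip()
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            out.append(raw.strip())
    return out


def audit(conf_text, files, static_ppolicy=False):
    """Walk slapd.conf in parse order; return [(file, attr)] for each ACL attribute slapd
    would not know yet at that point. static_ppolicy=True models a statically linked overlay."""
    known, findings, state = set(), [], {"overlay": static_ppolicy}

    def walk(text, origin):
        for line in logical_lines(text):
            parts = line.split(None, 1)
            key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if key == "include":
                if arg.endswith(".schema"):
                    known.update(schema_attrs(files.get(arg, "")))
                else:
                    walk(files.get(arg, ""), arg)
            elif key == "moduleload" and "ppolicy" in arg.lower():
                state["overlay"] = True
            elif key == "access":
                m = _ATTRS_RE.search(arg)
                for attr in (m.group(1).split(",") if m else []):
                    name = attr.split(";")[0].lower()      # drop ;binary and similar options
                    if name in ("entry", "children", "*") or name[:1] in "@!":
                        continue                           # pseudo-attrs / objectclass selectors
                    if name in known or (name in PPOLICY_STATE_ATTRS and state["overlay"]):
                        continue
                    findings.append((origin, attr))

    walk(conf_text, "slapd.conf")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_SLAPD_CONF), ("fixed", FIXED_SLAPD_CONF)):
        print(label, audit(conf, FILES) or "OK")
```

Run against the broken layout the script reports pwdHistory in /etc/openldap/acl.conf, which is the same attribute slaptest complains about; moving the moduleload above the ACL include clears it. The check is deliberately coarse (it does not load objectclasses or validate syntax), so use it to localise an ordering problem, then confirm with slaptest.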