I am able to hide the userPassword and any other single/unique fields on a query, but I cannot figure out the pwdHistory and how to disable it from anonymous queries. I keep getting syntax errors and am unsure what the syntax is.
This works for userPassword, but fails when I replace or add pwdHistory
access to attrs=userPassword by self write by anonymous auth by * none
Here is what my my query looks like
/usr/bin/ldapsearch -h 1.2.3.4 -x -b 'ou=People,dc=company,dc=com' '(uid=myuser)' '*' '+' # extended LDIF # # LDAPv3 # base <ou=People,dc=copmany,dc=com> with scope subtree # filter: (uid=myuser) # requesting: * + #
# myuser, People, company dn: uid=myuser,ou=People,dc=company,dc=com uidNumber: 31518 gidNumber: 100 shadowExpire: 99999 shadowMax: 90 objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount uid: myuser pwdHistory: 20180718212202Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}bTWu9btdOzp pwdHistory: 20181015214815Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Ys8LvXcdnsr pwdHistory: 20181016164512Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}nQLIieWGwt7 pwdHistory: 20190114155333Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}j3d+hxGalnC pwdHistory: 20190412183313Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7r2E2DdryKa pwdHistory: 20190412185409Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ZbqMWB0x4v+
On 6/21/19 2:50 AM, Kyle Sloan wrote:
I am able to hide the userPassword and any other single/unique fields on a query, but I cannot figure out the pwdHistory and how to disable it from anonymous queries. I keep getting syntax errors and am unsure what the syntax is.
Please post what you did and which error message you got.
In general ACL syntax is always the same for all attributes like defined in the man-page slapd.access(5):
https://www.openldap.org/software/man.cgi?query=slapd.access
In Æ-DIR I'm using something similar to this:
# grant manage, search and delete access (no read!) # to attribute pwdHistory only for password admins access to attrs=pwdHistory by group="cn=password admins,dc=example,dc=com" =szm by * none
This works for userPassword, but fails when I replace or add pwdHistory
access to attrs=userPassword by self write by anonymous auth by * none
As you can see it's not that different.
BTW: You can make your access rights write-only for password changes by using "=w" instead of "write":
access to attrs=userPassword by self =w by anonymous auth by * none
Ciao, Michael.
--On Friday, June 21, 2019 1:50 AM +0000 Kyle Sloan ksloan@athenahealth.com wrote:
I am able to hide the userPassword and any other single/unique fields on a query, but I cannot figure out the pwdHistory and how to disable it from anonymous queries. I keep getting syntax errors and am unsure what the syntax is.
This works for userPassword, but fails when I replace or add pwdHistory
access to attrs=userPassword by self write by anonymous auth by * none
Hi,
This is clearly not your entire ACL set. When discussing ACLs, its generally important to provide your full ACL set, since order is important.
Generally, if you want to restrict access to pwdHistory, you would do something like:
access to attrs=pwdHistory by self write by *none
The "self write" is likely unnecessary since it's an overlay that manages (slapo-ppolicy). I would note that if some other ACL takes precedence over this ACL (since you've failed to list all of them), it won't get applied.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 6/21/19 3:52 PM, Quanah Gibson-Mount wrote:
Generally, if you want to restrict access to pwdHistory, you would do something like:
access to attrs=pwdHistory by self write by *none
Making pwdHistory writeable by user him/herself is almost a security issue. User would additionally need manage privilege to really remove the attribute but still the above ACL is not good practice.
Ciao, Michael.
--On Friday, June 21, 2019 5:33 PM +0200 Michael Ströder michael@stroeder.com wrote:
On 6/21/19 3:52 PM, Quanah Gibson-Mount wrote:
Generally, if you want to restrict access to pwdHistory, you would do something like:
access to attrs=pwdHistory by self write by *none
Making pwdHistory writeable by user him/herself is almost a security issue. User would additionally need manage privilege to really remove the attribute but still the above ACL is not good practice.
Sure, it's a theoretical example. As I also noted already in my reply:
"The "self write" is likely unnecessary since it's an overlay that manages (slapo-ppolicy). I would note that if some other ACL takes precedence over this ACL (since you've failed to list all of them), it won't get applied."
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org
-
Kyle Sloan -
Michael Ströder -
Quanah Gibson-Mount