On 6/21/19 2:50 AM, Kyle Sloan wrote:
> I am able to hide the userPassword and any other single/unique fields
> on a query, but I cannot figure out the pwdHistory and how to disable
> it from anonymous queries. I keep getting syntax errors and am
> unsure what the syntax is.

Please post what you did and which error message you got.
In general the ACL syntax is the same for all attributes, as defined
in the man page slapd.access(5):
https://www.openldap.org/software/man.cgi?query=slapd.access
In Æ-DIR I'm using something similar to this:

# grant manage, search and delete access (no read!)
# to attribute pwdHistory only for password admins
access to attrs=pwdHistory
    by group="cn=password admins,dc=example,dc=com" =szm
    by * none
> This works for userPassword, but fails when I replace or add
> pwdHistory
>
> access to attrs=userPassword
>     by self write
>     by anonymous auth
>     by * none

As you can see it's not that different.
BTW: You can make your access rights write-only for password changes by
using "=w" instead of "write":

access to attrs=userPassword
    by self =w
    by anonymous auth
    by * none
Ciao, Michael.
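The following is an added example, not part of the thread and not OpenLDAP code: a small Python model of the slapd.access(5) rules the two directives above rely on, so the effect of "=szm" on pwdHistory and of "write" versus "=w" on userPassword can be checked without a running slapd. It assumes a constructed group cn=password admins,dc=example,dc=com whose only member is the constructed uid=pwadmin,dc=example,dc=com, that a modify/replace needs both the add and the delete privilege, and that a request no directive covers is denied. Entry-level access, the "+"/"-" grant modifiers, "break"/"continue" controls and live group resolution are deliberately left out.

```python
"""
Simplified model of how slapd.access(5) evaluates the ACLs discussed above.
Added example, not OpenLDAP code: it keeps only the rules needed to see why
"=szm" hides pwdHistory from everyone, and how "write" differs from "=w" on
userPassword.  DNs and group membership below are constructed test data.
"""

# Access levels from slapd.access(5), lowest to highest.  A level grants itself
# and every level below it ("write" therefore includes "read").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Privilege letters for the exact "=<privs>" form.  "w" is add plus delete.
LETTER_PRIVS = {
    "d": {"disclose"}, "x": {"auth"}, "c": {"compare"}, "s": {"search"},
    "r": {"read"}, "a": {"add"}, "z": {"delete"}, "w": {"add", "delete"},
    "m": {"manage"},
}

# Privileges each operation needs.  A modify/replace deletes the old values and
# adds the new ones, so it needs both write sub-privileges (modelled assumption).
OP_PRIVS = {
    "auth": {"auth"}, "compare": {"compare"}, "search": {"search"},
    "read": {"read"}, "modify-add": {"add"}, "modify-delete": {"delete"},
    "modify-replace": {"add", "delete"}, "manage": {"manage"},
}

# Constructed group membership; real slapd resolves this from the group entry.
GROUPS = {
    "cn=password admins,dc=example,dc=com": {"uid=pwadmin,dc=example,dc=com"},
}


def grant_privs(grant):
    """Expand a <level> or =<privs> grant to the set of privileges it confers."""
    if grant.startswith("="):
        privs = set()
        for letter in grant[1:]:
            privs |= LETTER_PRIVS[letter]
        return privs
    if grant not in LEVELS:
        raise ValueError(f"unknown access level {grant!r}")
    privs = set()
    for level in LEVELS[1:LEVELS.index(grant) + 1]:
        privs |= LETTER_PRIVS["w"] if level == "write" else {level}
    return privs


def who_matches(who, bind_dn, target_dn):
    """Subject selectors used in the thread; bind_dn is None for anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    if who.startswith("group="):
        return bind_dn in GROUPS.get(who[len("group="):].strip('"'), set())
    raise ValueError(f"unsupported subject {who!r}")


def allowed(acls, bind_dn, target_dn, attr, op):
    """First directive whose attrs cover the attribute applies; within it the
    first matching 'by' clause decides.  Each directive ends with an implicit
    'by * none'; a request no directive covers is denied (modelled assumption)."""
    for attrs, clauses in acls:
        if attr not in attrs:
            continue
        for who, grant in clauses:
            if who_matches(who, bind_dn, target_dn):
                return OP_PRIVS[op] <= grant_privs(grant)
        return False
    return False


# Michael's pwdHistory directive followed by Kyle's userPassword directive.
ACLS = [
    ({"pwdHistory"}, [('group="cn=password admins,dc=example,dc=com"', "=szm"),
                      ("*", "none")]),
    ({"userPassword"}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
]

# Same, with the write-only variant "=w" for self on userPassword.
ACLS_WRITE_ONLY = [
    ACLS[0],
    ({"userPassword"}, [("self", "=w"), ("anonymous", "auth"), ("*", "none")]),
]

ALICE = "uid=alice,dc=example,dc=com"      # constructed ordinary user
PWADMIN = "uid=pwadmin,dc=example,dc=com"  # constructed password admin

if __name__ == "__main__":
    checks = [
        ("anonymous reads pwdHistory", allowed(ACLS, None, ALICE, "pwdHistory", "read")),
        ("pwadmin reads pwdHistory", allowed(ACLS, PWADMIN, ALICE, "pwdHistory", "read")),
        ("pwadmin deletes pwdHistory values", allowed(ACLS, PWADMIN, ALICE, "pwdHistory", "modify-delete")),
        ("anonymous binds against userPassword", allowed(ACLS, None, ALICE, "userPassword", "auth")),
        ("alice reads own userPassword (write)", allowed(ACLS, ALICE, ALICE, "userPassword", "read")),
        ("alice reads own userPassword (=w)", allowed(ACLS_WRITE_ONLY, ALICE, ALICE, "userPassword", "read")),
        ("alice replaces own userPassword (=w)", allowed(ACLS_WRITE_ONLY, ALICE, ALICE, "userPassword", "modify-replace")),
    ]
    for label, ok in checks:
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
```

Two points the model makes visible: because the first matching "by" clause wins, "by * none" has to stay last, or "self" and "anonymous" never get their grants; and "=szm" does not include "r", so even a password admin cannot read pwdHistory, only search on it and delete values. On a live server the same checks are an anonymous and an authenticated ldapsearch for the attribute, which should return the entry without pwdHistory in both cases.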