5:50 p.m.
I am able to hide the userPassword and any other single/unique fields on a query, but I
cannot figure out the pwdHistory and how to disable it from anonymous queries. I keep
getting syntax errors and am unsure what the syntax is.
This works for userPassword, but fails when I replace or add pwdHistory
access to attrs=userPassword
by self write
by anonymous auth
by * none
Here is what my my query looks like
/usr/bin/ldapsearch -h 1.2.3.4 -x -b 'ou=People,dc=company,dc=com'
'(uid=myuser)' '*' '+'
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=copmany,dc=com> with scope subtree
# filter: (uid=myuser)
# requesting: * +
#
# myuser, People, company
dn: uid=myuser,ou=People,dc=company,dc=com
uidNumber: 31518
gidNumber: 100
shadowExpire: 99999
shadowMax: 90
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: myuser
pwdHistory: 20180718212202Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}bTWu9btdOzp
pwdHistory: 20181015214815Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Ys8LvXcdnsr
pwdHistory: 20181016164512Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}nQLIieWGwt7
pwdHistory: 20190114155333Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}j3d+hxGalnC
pwdHistory: 20190412183313Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7r2E2DdryKa
pwdHistory: 20190412185409Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ZbqMWB0x4v+
6:52 a.m.
On 6/21/19 2:50 AM, Kyle Sloan wrote:
I am able to hide the userPassword and any other single/unique
fields
on a query, but I cannot figure out the pwdHistory and how to disable
it from anonymous queries. I keep getting syntax errors and am
unsure what the syntax is.
Please post what you did and which error message you
got.
In general ACL syntax is always the same for all attributes like defined
in the man-page slapd.access(5):
https://www.openldap.org/software/man.cgi?query=slapd.access
In Æ-DIR I'm using something similar to this:
# grant manage, search and delete access (no read!)
# to attribute pwdHistory only for password admins
access to
attrs=pwdHistory
by group="cn=password admins,dc=example,dc=com" =szm
by * none
This works for userPassword, but fails when I replace or add
pwdHistory
access to attrs=userPassword
by self write
by anonymous auth
by * none
As you can see it's not that different.
BTW: You can make your access rights write-only for password changes by
using "=w" instead of "write":
access to
attrs=userPassword
by self =w
by anonymous auth
by * none
Ciao, Michael.
6:52 a.m.
--On Friday, June 21, 2019 1:50 AM +0000 Kyle Sloan
<ksloan(a)athenahealth.com> wrote:
I am able to hide the userPassword and any other single/unique fields
on
a query, but I cannot figure out the pwdHistory and how to disable it
from anonymous queries. I keep getting syntax errors and am unsure what
the syntax is.
This works for userPassword, but fails when I replace or add pwdHistory
access to attrs=userPassword
by self write
by anonymous auth
by * none
Hi,
This is clearly not your entire ACL set. When discussing ACLs, its
generally important to provide your full ACL set, since order is important.
Generally, if you want to restrict access to pwdHistory, you would do
something like:
access to attrs=pwdHistory by self write by *none
The "self write" is likely unnecessary since it's an overlay that manages
(slapo-ppolicy). I would note that if some other ACL takes precedence over
this ACL (since you've failed to list all of them), it won't get applied.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
7:33 a.m.
On 6/21/19 3:52 PM, Quanah Gibson-Mount wrote:
Generally, if you want to restrict access to pwdHistory, you would
do
something like:
access to attrs=pwdHistory by self write by *none
Making pwdHistory writeable by user him/herself is almost a security
issue. User would additionally need manage privilege to really remove
the attribute but still the above ACL is not good practice.
Ciao, Michael.
7:40 a.m.
--On Friday, June 21, 2019 5:33 PM +0200 Michael Ströder
<michael(a)stroeder.com> wrote:
On 6/21/19 3:52 PM, Quanah Gibson-Mount wrote:
> Generally, if you want to restrict access to pwdHistory, you would do
> something like:
>
> access to attrs=pwdHistory by self write by *none
Making pwdHistory writeable by user him/herself is almost a security
issue. User would additionally need manage privilege to really remove
the attribute but still the above ACL is not good practice.
Sure, it's a theoretical example. As I also noted already in my reply:
"The "self write" is likely unnecessary since it's an overlay that
manages
(slapo-ppolicy). I would note that if some other ACL takes precedence over
this ACL (since you've failed to list all of them), it won't get applied."
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
663
days inactive
663
days old
openldap-technical@openldap.org
4 comments
3 participants
participants (3)
-
Kyle Sloan -
Michael Ströder -
Quanah Gibson-Mount