Hi Quanah,
Thanks for your response. Our setup is a very old one and we are planning to migrate it to the latest stable version, but since this OpenLDAP is deployed in production it is not possible for us to upgrade it suddenly.
As you mentioned, the ppolicy schema is missing in the configuration; so is it possible that, without having the ppolicy schema, OpenLDAP will remember the pwdHistory of the user?
In my case pwdHistory is visible to users, for which I want to apply an ACL so that a user can only see his/her pwdHistory, not other users' pwdHistory.
Below is my configuration related to ppolicy in the config file:

include /etc/openldap/schema/ppolicy.schema
--- more include directives related to schema ---

moduleload ppolicy.la
moduleload memberof.la
overlay memberof
overlay syncprov
overlay auditlog
#overlay accesslog
overlay ppolicy
ppolicy_default "cn=passwordDefault,dc=example,dc=com"
Thanks & Regards, Chandeshwar Kumar
On Mon, Feb 14, 2022 at 11:24 PM Quanah Gibson-Mount quanah@fast-mail.org wrote:
--On Saturday, February 12, 2022 5:22 AM +0000 kumarchandeshwar99@gmail.com wrote:
Hi, I am trying to restrict access to the pwdHistory attribute provided by the ppolicy overlay. I have applied the below ACL:

access to attrs=pwdHistory by * none

but while doing slaptest, it's throwing the below error:

/etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to clause
<access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
<attrlist> ::= <attr> [ , <attrlist> ]
<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
[dnattr=<attrname>] [realdnattr=<attrname>] [group[/<objectclass>[/<attrname>]][.<style>]=<group>] [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]

Before posting here I searched the archive and found one similar issue, but it did not resolve my issue. I am running openldap-servers-2.4.23 on RHEL-6.5.
You are missing the ppolicy schema in your configuration.
However, I would note that both RHEL6 and OpenLDAP 2.4 are historic and no longer in support. I'd strongly advise upgrading to both an OS that is under support and a version of OpenLDAP that's under support.
Regards, Quanah
Chandeshwar Mishra kumarchandeshwar99@gmail.com wrote on 14.02.2022 at 23:26 in message CAHecg0nmvzBkcfs7uDbYKU2R4QE+ok=5WKSB24Hxf8aAsBZZPw@mail.gmail.com:
Hi Quanah,
Thanks for your response. Our setup is a very old one and we are planning to migrate it to the latest stable version, but since this OpenLDAP is deployed in production it is not possible for us to upgrade it suddenly.
As you mentioned, the ppolicy schema is missing in the configuration; so is it possible that, without having the ppolicy schema, OpenLDAP will remember the pwdHistory of the user?
My guess is that unconfiguring ppolicy does not make the entries created by ppolicy go away. You probably have to remove them if you want them to go away, or re-configure ppolicy if you want to use them.
Regards, Ulrich
--On Tuesday, February 15, 2022 3:56 AM +0530 Chandeshwar Mishra kumarchandeshwar99@gmail.com wrote:
Hi Quanah,
Thanks for your response. Our setup is a very old one and we are planning to migrate it to the latest stable version, but since this OpenLDAP is deployed in production it is not possible for us to upgrade it suddenly.
As you mentioned, the ppolicy schema is missing in the configuration; so is it possible that, without having the ppolicy schema, OpenLDAP will remember the pwdHistory of the user?
In my case pwdHistory is visible to users, for which I want to apply an ACL so that a user can only see his/her pwdHistory, not other users' pwdHistory.
If the user entries have pwdHistory attribute value pairs, and you've removed the ppolicy schema file from your configuration, then your server configuration is invalid. There must be a corresponding schema definition for all data stored in your server.
If you're trying to remove the ppolicy functionality, then you will need to clean the data from your system.
You will not be able to set ACLs on attributes that slapd is unaware of. You either need to (a) fix your slapd configuration so the ppolicy schema is loaded or (b) remove the ppolicy specific attributes from your dataset and reload the DB.
--Quanah
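A slapd.conf fragment, added here as an illustration and not taken from the thread or from the OpenLDAP project, that puts together the two points raised above: the original ACL from the first message ("access to attrs=pwdHistory by * none") and Quanah's option (a), loading the ppolicy schema so that slapd knows the attribute at all. The ACL is then tightened to what the poster actually wants (each user sees only their own pwdHistory). The database type, directory paths, module path, rootdn and the helpdesk group are placeholders chosen for the example; dc=example,dc=com and cn=passwordDefault are reused from the configuration shown in the thread.

```conf
# /etc/openldap/slapd.conf (illustrative fragment; paths, database type
# and DNs other than dc=example,dc=com are placeholders)

# Schema files must be included before any directive (overlay, ACL)
# refers to attributes they define. Without ppolicy.schema slapd has no
# definition of pwdHistory, which is exactly the slaptest error
# 'unknown attr "pwdHistory" in to clause' seen above.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/ppolicy.schema

modulepath      /usr/lib64/openldap          # placeholder
moduleload      ppolicy.la

database        bdb                          # placeholder backend
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"   # placeholder
directory       /var/lib/ldap                # placeholder

# ACLs are evaluated in order and the first "access to" clause whose
# <what> matches wins, so this rule must precede any broader rule such
# as "access to *". pwdHistory is maintained by the overlay itself and is
# NO-USER-MODIFICATION, so "read" is all a user ever needs on it.
# The rootdn is exempt from ACLs and can always read it.
access to attrs=pwdHistory
        by self read
        by group.exact="cn=helpdesk,ou=groups,dc=example,dc=com" read   # placeholder group
        by * none

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by * none

# Attach the overlay to this database. pwdHistory values are only
# recorded when the policy entry's pwdInHistory is greater than 0.
overlay         ppolicy
ppolicy_default "cn=passwordDefault,dc=example,dc=com"
```

Check the file with slaptest -f /etc/openldap/slapd.conf before restarting slapd. To confirm the rule, bind as one user and search another user's entry with pwdHistory requested explicitly (it is an operational attribute and is not returned unless asked for); the entry should come back without the attribute, while a search of the user's own entry returns it.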
Hi,
Thanks for the suggestion. I will work on the way suggested by you and update here.
Thanks & Regards, Chandeshwar