>> Chandeshwar Mishra <kumarchandeshwar99(a)gmail.com>
schrieb am 14.02.2022 um
23:26 in Nachricht
Thanks for your response. Our setup is a very old one and we are planning
to migrate it to the latest stable version but Since this openldap is
deployed in Production
it is not possible for us to upgrade it suddenly.
As you mentioned that ppolicy schema is missing in configuration, so is it
possible that without having ppolicy schema, Openldap will remember the
pwdHistory of the user ?
My guess is that unconfiguring ppolicy does not make the entries created by ppolicy go
You probably have to remove them if you want them to go away, or re-confiugure ppolicy if
you want to use them.
In my case pwdHistory is visible to users, for which I want to apply ACL so
that a user can only see his/her pwdHistory , not other users pwdHistory.
Below are my configuration related to ppolicy configuration in config file:-
--- more include directive related to schema
Thanks & Regards,
On Mon, Feb 14, 2022 at 11:24 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
> --On Saturday, February 12, 2022 5:22 AM +0000
> > Hi,
> > I am trying to restrict access to pwdHistory attributes provided by
> > ppolicy overlay. I have applied the below ACL
> > access to attrs=pwdHistory
> > by * none
> > but while doing slaptest, its throwing below error:-
> > /etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to
> > <access clause> ::= access to <what> [ by <who> [
<access> ] [ <control>
> > ] ]+ <what> ::= * | dn[.<dnstyle>=<DN>]
> > [attrs=<attrspec>] <attrspec> ::= <attrname>
> > [val[/<matchingRule>][.<attrstyle>]=<value>] |
<attrlist> <attrlist> ::=
> > <attr> [ , <attrlist> ]
> > <attr> ::= <attrname> | @<objectClass> | !<objectClass>
| entry |
> > <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN>
> > [ realanonymous | realusers | realself |
> > [dnattr=<attrname>]
> > [realdnattr=<attrname>]
> > [peername[.<peernamestyle>]=<peer>]
> > [domain[.<domainstyle>]=<domain>]
> > [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>]
> > Before posting here I searched archive and found one similar, issue , but
> > it did not resolve my issue. I have running openldap-servers-2.4.23 on
> > RHEL-6.5.
> You are missing the ppolicy schema in your configuration.
> However, I would note that both RHEL6 and OpenLDAP 2.4 are historic and no
> longer in support. I'd strongly advise upgrading to both an OS that is
> under support and a version of OpenLDAP that's under support.