
Re: Hide pwdHistory field from anonymous



On 6/21/19 2:50 AM, Kyle Sloan wrote:
> I am able to hide the userPassword and any other single/unique fields
> on a query, but I cannot figure out the pwdHistory and how to disable
> it from anonymous queries.  I keep getting syntax errors and am
> unsure what the syntax is.
Please post what you did and which error message you got.

In general, ACL syntax is the same for all attributes, as defined in the
man page slapd.access(5):

https://www.openldap.org/software/man.cgi?query=slapd.access

In Æ-DIR I'm using something similar to this:

# grant manage, search and delete access (no read!)
# to attribute pwdHistory only for password admins
access to
  attrs=pwdHistory
    by group="cn=password admins,dc=example,dc=com" =szm
    by * none

> This works for userPassword, but fails when I replace or add pwdHistory
> 
> access to attrs=userPassword
>         by self write
>         by anonymous auth
>         by * none

As you can see it's not that different.

BTW: You can make your access rights write-only for password changes by
using "=w" instead of "write":

access to
  attrs=userPassword
    by self =w
    by anonymous auth
    by * none

Ciao, Michael.
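As an added illustration (not part of Michael's mail and not OpenLDAP code), the following Python script models the subset of slapd.access(5) semantics the two fragments above rely on: directives are tried in order and the first "access to" clause whose attrs match wins; within it the first matching "by" clause decides; a level name such as "read" or "auth" grants that level plus everything below it, while "=szm" or "=w" grants exactly the listed letters. It parses both ACL fragments from the thread and answers questions such as "can anonymous read pwdHistory?" or "can a user read their own userPassword under =w?". The DNs, the group membership and the default-policy parameter are constructed assumptions; check the real policy with slapacl(8) against a running slapd.

```python
"""Toy evaluator for slapd-style attribute ACLs (added example, not OpenLDAP code)."""
import shlex

# Privilege letters per slapd.access(5): d disclose, x auth, c compare, s search,
# r read, a add, z delete (w = a+z), m manage. A level name implies the levels below it.
LEVEL_PRIVS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "dxc", "search": "dxcs",
    "read": "dxcsr", "write": "dxcsraz", "manage": "dxcsrazm",
}
VALID_LETTERS = set("dxcsrazm")
CONTROLS = {"stop", "continue", "break"}


def expand_privs(spec):
    """'read' -> level plus implied lower privileges; '=szm' -> exactly s, z and m."""
    letters = spec[1:] if spec.startswith("=") else LEVEL_PRIVS[spec]
    privs = set()
    for ch in letters:
        if ch == "w":
            privs.update("az")          # write is shorthand for add + delete
        elif ch in VALID_LETTERS:
            privs.add(ch)
        else:
            raise ValueError("unknown privilege letter %r in %r" % (ch, spec))
    return privs


def parse_acls(text):
    """Parse 'access to <what> by <who> <access> [by ...]' directives.
    Returns [(attrs_or_None, [(who, privs), ...])]; attrs None means any attribute."""
    directives, tokens = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)       # keeps group="cn=password admins,..." as one token
        if words[:2] == ["access", "to"] and tokens:
            directives.append(tokens)
            tokens = []
        tokens.extend(words)
    if tokens:
        directives.append(tokens)
    acls = []
    for toks in directives:
        by_pos = toks.index("by")
        attrs = None
        for w in toks[2:by_pos]:
            if w.startswith("attrs="):
                attrs = {a.lower() for a in w[len("attrs="):].split(",")}
        clauses, rest = [], toks[by_pos:]
        while rest:
            clauses.append((rest[1], expand_privs(rest[2])))
            rest = rest[3:]
            if rest and rest[0] in CONTROLS:   # ignore stop/continue/break controls
                rest = rest[1:]
        acls.append((attrs, clauses))
    return acls


def who_matches(who, requester, target_dn):
    dn, groups = requester.get("dn"), requester.get("groups", set())
    if who == "*":
        return True
    if who == "anonymous":
        return dn is None
    if who == "users":
        return dn is not None
    if who == "self":
        return dn is not None and dn.lower() == target_dn.lower()
    if who.startswith("group="):
        return who[len("group="):].lower() in {g.lower() for g in groups}
    raise ValueError("unsupported <who> form: %r" % who)


def privileges(acls, requester, target_dn, attr, default="read"):
    """Privilege letters the requester gets on attr of target_dn. slapd's documented
    default when no directive matches is read; pass default='none' to model a
    trailing 'access to * by * none'."""
    for attrs, clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, privs in clauses:
            if who_matches(who, requester, target_dn):
                return privs
        return set()                    # clause matched, no 'by' did: implicit 'by * none'
    return expand_privs(default)


# Constructed policy: the two fragments from the thread, one after the other.
POLICY = """
# grant manage, search and delete access (no read!) to pwdHistory for password admins
access to
  attrs=pwdHistory
    by group="cn=password admins,dc=example,dc=com" =szm
    by * none
access to
  attrs=userPassword
    by self =w
    by anonymous auth
    by * none
"""
ACLS = parse_acls(POLICY)
# Constructed requesters (example DNs only).
ANON = {"dn": None}
ALICE = {"dn": "uid=alice,dc=example,dc=com", "groups": set()}
PWADMIN = {"dn": "uid=pwadmin,dc=example,dc=com",
           "groups": {"cn=password admins,dc=example,dc=com"}}


def can(requester, attr, letter, target_dn="uid=alice,dc=example,dc=com"):
    """True if the requester holds privilege `letter` on attr of target_dn."""
    return letter in privileges(ACLS, requester, target_dn, attr)


if __name__ == "__main__":
    for name, req in (("anonymous", ANON), ("alice", ALICE), ("pwadmin", PWADMIN)):
        for attr in ("pwdHistory", "userPassword"):
            print("%-9s %-13s %s" % (name, attr, "".join(sorted(
                privileges(ACLS, req, ALICE["dn"], attr))) or "-"))
```

The output shows the two points of the thread: password admins get s, z and m on pwdHistory but never r, and alice gets a and z (add/delete, the write half) on her own userPassword but cannot read it back, while anonymous keeps only d and x (enough to bind).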
