
Re: Hide pwdHistory field from anonymous



--On Friday, June 21, 2019 1:50 AM +0000 Kyle Sloan <ksloan@athenahealth.com> wrote:

I am able to hide the userPassword and any other single/unique fields on
a query, but I cannot figure out the pwdHistory and how to disable it
from anonymous queries.  I keep getting syntax errors and am unsure what
the syntax is.

This works for userPassword, but fails when I replace or add pwdHistory

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

Hi,

This is clearly not your entire ACL set. When discussing ACLs, it's generally important to provide your full ACL set, since order is important.

Generally, if you want to restrict access to pwdHistory, you would do something like:

access to attrs=pwdHistory
        by self write
        by * none

The "self write" is likely unnecessary since the attribute is managed by an overlay (slapo-ppolicy). I would note that if some other ACL takes precedence over this ACL (since you've failed to list all of them), it won't get applied.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
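To make the ordering point concrete, here is an added example (not taken from the thread, and not the original poster's actual configuration, which is not shown) of a complete access-control set in cn=config form. It assumes the database is at olcDatabase={1}mdb,cn=config and that the directory has a catch-all "to * by * read" rule, which is the usual reason a later pwdHistory rule silently never applies. The {n} prefixes on olcAccess are the evaluation order; slapd stops at the first "access to" clause whose attribute set matches, so the password-related clauses must come before the catch-all.

```ldif
# Added example, not from the original thread.
# Assumed database DN: olcDatabase={1}mdb,cn=config (adjust to your setup).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: userPassword. "anonymous auth" lets binds verify the password
# without ever returning the value; everyone else gets nothing.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {1}: pwdHistory is written internally by slapo-ppolicy, so no client
# (not even self) needs write or read access to it.
olcAccess: {1}to attrs=pwdHistory
  by * none
# {2}: the catch-all must be LAST. If this clause were {0}, "to *" would
# match pwdHistory first, "by * read" would apply, and anonymous searches
# would still return the password hashes in pwdHistory.
olcAccess: {2}to *
  by self write
  by * read
```

Apply it with ldapmodify against the config database (for example "ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif" on a typical install), then verify with an anonymous ldapsearch that requests pwdHistory explicitly and confirm the attribute is absent from the result. The same rules in slapd.conf form are simply the three "access to ..." stanzas in that order without the {n} prefixes.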