
Re: Hide pwdHistory field from anonymous



--On Friday, June 21, 2019 5:33 PM +0200 Michael Ströder <michael@stroeder.com> wrote:

> On 6/21/19 3:52 PM, Quanah Gibson-Mount wrote:
>> Generally, if you want to restrict access to pwdHistory, you would do
>> something like:
>>
>> access to attrs=pwdHistory by self write by * none
>
> Making pwdHistory writable by the user him/herself is almost a security
> issue. The user would additionally need the manage privilege to really
> remove the attribute, but still the above ACL is not good practice.

Sure, it's a theoretical example.  As I also noted already in my reply:

"The "self write" is likely unnecessary since it's an overlay that manages (slapo-ppolicy). I would note that if some other ACL takes precedence over this ACL (since you've failed to list all of them), it won't get applied."


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
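An added example, not from either poster, that puts the two points of the thread side by side in slapd.conf syntax: the "self write" grant is unnecessary because slapo-ppolicy updates pwdHistory internally, and the pwdHistory clause must come before any broader clause or it never applies. It assumes the ppolicy overlay is configured on the database and that the rootdn (which bypasses ACLs) is the only identity that should ever touch the attribute.

```conf
# Added example (not from the thread). Assumes: overlay ppolicy is loaded
# on this database, and rootdn is the only DN meant to administer it.

# --- Weak form, as discussed in the thread ---
# Grants the user write access to an attribute the overlay owns. Since
# pwdHistory is operational, a plain modify still fails without the
# manage privilege, but the grant is still wider than needed.
# access to attrs=pwdHistory
#     by self write
#     by * none

# --- Hardened form ---
# No ACL grant at all: slapo-ppolicy writes pwdHistory as an internal
# operation on password change, and the rootdn bypasses ACLs entirely.
# This clause is listed FIRST: slapd evaluates "access to" clauses in
# order and uses the first one whose target matches, so a catch-all
# placed above it would silently take precedence.
access to attrs=pwdHistory
    by * none

# A clause like the following placed ABOVE the pwdHistory rule would win
# the match and leave pwdHistory readable by every bound user:
# access to *
#     by users read
#     by * none

# Keep the userPassword rule and the catch-all BELOW the pwdHistory rule.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by users read
    by * none
```

To check the resulting behaviour, bind as an ordinary user and request the attribute explicitly (`ldapsearch ... pwdHistory`); pwdHistory is operational, so it is only returned when named or requested with `+`, and with the hardened ACL it should not appear at all.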