[Date Prev][Date Next] [Chronological] [Thread] [Top]

Hide pwdHistory field from anonymous

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Hide pwdHistory field from anonymous
From: Kyle Sloan <ksloan@athenahealth.com>
Date: Fri, 21 Jun 2019 00:50:19 +0000
Accept-language: en-US
Content-id: <DF3A0296D157434DB963E0A71C6C0192@namprd19.prod.outlook.com>
Content-language: en-US
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=athenahealth.com; h=from : to : subject : date : message-id : content-type : content-id : content-transfer-encoding : mime-version; s=ahDEC17; bh=3Z0JmbsqOtpjjmfCQiZKyXKsmX1GQFlCgmo3RA/LVqk=; b=V1v6VEJw7SDL8Q+i98mTRFZfsWXiscgUhH1hWTyIzP0kcVj1VYMP9s6diA40KASz6cVN uQ1ekXCX8OEDCF7o2kJkuxOVEv3mdP68kuHQ8p42UG+GvRuoxJj54NhxGmkVkIgvrAfQ wZ//EPEazvFcLBJKXjv4D68kjgoc3VnCDbizHoT+sOgK3ffMnuaoVbz+15E9bTOsGE4g orAvsVrj9HzG8ZxWSnkVgoBsF1fGjXdfRA7dZgvXxmEvYOlV29RI21/AdRgE9UqoxJ7z Uk4s1ogjZqJiRhX4XT8ay3wbUAB3zc+WP5Ktn28v+YJdB4RQ1ahLoqO9J1tHvlMLgk0J 6w==
Thread-index: AQHVJ8tMGbZc6v1xmkuZ34RphL6Cnw==
Thread-topic: Hide pwdHistory field from anonymous

I am able to hide the userPassword and any other single/unique fields on a query, but I cannot figure out the pwdHistory and how to disable it from anonymous queries.  I keep getting syntax errors and am unsure what the syntax is.

This works for userPassword, but fails when I replace or add pwdHistory

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none


Here is what my my query looks like

/usr/bin/ldapsearch -h 1.2.3.4 -x -b 'ou=People,dc=company,dc=com' '(uid=myuser)' '*' '+' 
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=copmany,dc=com> with scope subtree
# filter: (uid=myuser)
# requesting: * +
#

# myuser, People, company
dn: uid=myuser,ou=People,dc=company,dc=com
uidNumber: 31518
gidNumber: 100
shadowExpire: 99999
shadowMax: 90
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: myuser
pwdHistory: 20180718212202Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}bTWu9btdOzp
pwdHistory: 20181015214815Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Ys8LvXcdnsr
pwdHistory: 20181016164512Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}nQLIieWGwt7
pwdHistory: 20190114155333Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}j3d+hxGalnC
pwdHistory: 20190412183313Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7r2E2DdryKa
pwdHistory: 20190412185409Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ZbqMWB0x4v+

Follow-Ups:
- Re: Hide pwdHistory field from anonymous
  - From: Michael Ströder <michael@stroeder.com>
- Re: Hide pwdHistory field from anonymous
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: LDAP with TLS Enable/Disable not working
Next by Date: How to filter all entries by multi-value attributes?
Index(es):
- Chronological
- Thread