How to restrict access to operational attributes?

Fri, 05 Feb 2021 08:05:26 -0800 

Good morning,

I'm trying to restrict access to the operational attributes that are provided 
by the ppolicy overlay
(e.g. pwdChangedTime, pwdHistory).

When I add the following to my ACL configuration file and try to verify the 
configuration an error
occurs:

#### ACL
access to attrs=pwdHistory
        by * none
########

#### slaptest output
601cf554 /etc/openldap/acl.conf: line 96: unknown attr "pwdHistory" in to clause
601cf554 <access clause> ::= access to <what> [ by <who> [ <access> ] [ 
<control> ] ]+
<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | 
<attrlist>
<attrlist> ::= <attr> [ , <attrlist> ]
<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
        [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
        [dnattr=<attrname>]
        [realdnattr=<attrname>]
        [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
        [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
        [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
        [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]
        [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
<style> ::= exact | regex | base(Object)
<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
<attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children
<peernamestyle> ::= exact | regex | ip | ipv6 | path
<domainstyle> ::= exact | regex | base(Object) | sub(tree)
<access> ::= [[real]self]{<level>|<priv>}
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
<control> ::= [ stop | continue | break ]
dynacl:
        <name>=ACI      <pattern>=<attrname>

slaptest: bad configuration file!
####################

My questions:

* How can I restrict access to operational attributes? Does this depend on the 
specific overlay?

* Is this a bug in the ppolicy overlay? One might consider the pwd* attributes 
confidential but at
the same time allowing anonymous queries might be necessary.

* Is there anything I miss (besides still using configuration files – they are 
way easier to handle)?

Best,

        Uwe

Reply via email to