On 05.02.21 at 20:03, Michael Ströder wrote:
> On 2/5/21 7:55 PM, Uwe Sauter wrote:
>> On 05.02.21 at 17:31, Michael Ströder wrote:
>>> On 2/5/21 8:40 AM, Uwe Sauter wrote:
>>>> I'm trying to restrict access to the operational attributes that are
>>>> provided by the ppolicy overlay (e.g. pwdChangedTime, pwdHistory).
>>>> When I add the following to my ACL configuration file and try to
>>>> verify the configuration, an error occurs:
>>>>
>>>> #### ACL
>>>> access to attrs=pwdHistory
>>>>     by * none
>>>> ########
>>>>
>>>> #### slaptest output
>>>> 601cf554 /etc/openldap/acl.conf: line 96: unknown attr "pwdHistory" in to clause
>>>
>>> The above error means you did not load the ppolicy schema.
>>> Add to slapd.conf:
>>>
>>> include /etc/openldap/schema/ppolicy.schema
>>>
>>> Adjust the path to match the exact path of your local OpenLDAP build.
>>
>> I would totally agree with you if that wasn't already the case.
>
> Ah, forgot that this was changed to be hard-coded in slapo-ppolicy. So
> you have to load overlay ppolicy.

This is also already loaded, sorry I forgot to mention that.

The server has been running this setup since 2017, with ppolicy in place. I just now realised that these pwd* attributes were open to everyone and wanted to restrict access to the manager account.

Regards,

	Uwe

> Ciao, Michael.
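For readers following the thread, here is an added slapd.conf sketch (not from the thread and not from either participant) showing the ordering in which the ppolicy pieces and the ACL have to appear so that the pwd* attribute names are already known when the ACL is parsed. The suffix, rootdn, file paths and module path are placeholders; adjust them to the local build.

```conf
# Added example (not from the thread). Minimal slapd.conf skeleton: the
# pwd* attribute types must be defined before any "access to attrs=pwd*"
# directive is parsed, otherwise slaptest reports 'unknown attr ... in to
# clause'. Paths, suffix and DNs below are placeholders.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# OpenLDAP 2.4: the ppolicy attribute types come from this schema file, so
# the include has to precede the database section that holds the ACLs.
# OpenLDAP 2.5+: the schema is built into slapo-ppolicy and this include
# is not needed; loading the module/overlay supplies the attribute types.
include         /etc/openldap/schema/ppolicy.schema

# Dynamically built slapd: load the module in the global section, i.e.
# before the database section whose ACLs reference pwd* attributes.
modulepath      /usr/lib64/openldap
moduleload      ppolicy.la

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# ACLs are evaluated in order and the first matching "access to" wins, so
# the rule for the ppolicy operational attributes must come before the
# catch-all "access to *" at the bottom.
access to attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset,pwdPolicySubentry
        by dn.exact="cn=Manager,dc=example,dc=com" read
        by * none

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by * read

# The overlay is instantiated inside the database section.
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
```

Two caveats worth checking against a real deployment: the rootdn bypasses ACLs entirely, so if "the manager account" in the thread is the rootdn, the `by dn.exact=... read` clause only matters when the manager is an ordinary entry bound by a different DN; and a separate acl.conf cannot be checked on its own, so run `slaptest -f /etc/openldap/slapd.conf -u` against the whole configuration that includes it, which is also where the ordering above is enforced.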