Hi all,

just to wrap this up. It turned out that this was caused by the wrong order of including ACLs from a second file and loading the ppolicy plugin.

With the correct order the pwd* attributes provided by the ppolicy module (not the schema file!) are available when the ACLs are parsed and thus the test succeeds.


Regards,

        Uwe

On 05.02.21 at 08:40, Uwe Sauter wrote:
Good morning,

I'm trying to restrict access to the operational attributes that are provided by the ppolicy overlay (e.g. pwdChangedTime, pwdHistory).

When I add the following to my ACL configuration file and try to verify the configuration, an error occurs:

#### ACL
access to attrs=pwdHistory
         by * none
########

#### slaptest output
601cf554 /etc/openldap/acl.conf: line 96: unknown attr "pwdHistory" in to clause
601cf554 <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
<attrlist> ::= <attr> [ , <attrlist> ]
<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
         [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
         [dnattr=<attrname>]
         [realdnattr=<attrname>]
         [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
         [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
         [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
         [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]
         [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
<style> ::= exact | regex | base(Object)
<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex
<attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children
<peernamestyle> ::= exact | regex | ip | ipv6 | path
<domainstyle> ::= exact | regex | base(Object) | sub(tree)
<access> ::= [[real]self]{<level>|<priv>}
<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
<control> ::= [ stop | continue | break ]
dynacl:
         <name>=ACI      <pattern>=<attrname>

slaptest: bad configuration file!
####################

My questions:

* How can I restrict access to operational attributes? Does this depend on the specific overlay?

* Is this a bug in the ppolicy overlay? One might consider the pwd* attributes confidential, but at the same time allowing anonymous queries might be necessary.

* Is there anything I am missing (besides still using configuration files – they are way easier to handle)?

Best,

        Uwe




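The ordering fix Uwe describes, written out as an added example slapd.conf fragment; this is not configuration posted in the thread. The file paths, module directory, suffix and policy DN are assumptions, and the ACL file is the one the quoted mail tried to validate. The point is that `access` directives are parsed in order, so an attribute type that a dynamically loaded overlay registers can only be named in an ACL after the `moduleload` line has run:

```conf
# Added example, not from the original thread. Paths, module directory,
# suffix and policy DN are assumed; adjust them to your installation.

### Broken order (what produced the error in the quoted mail):
### the ACL file is read before the ppolicy module is loaded, so
### "pwdHistory" is not a known attribute type at parse time and
### slaptest stops with: unknown attr "pwdHistory" in to clause
#
# include     /etc/openldap/schema/core.schema
# include     /etc/openldap/schema/ppolicy.schema
# include     /etc/openldap/acl.conf      # parsed before the pwd* attributes exist
# modulepath  /usr/lib64/openldap
# moduleload  ppolicy.la

### Working order: load the module first, include the ACLs afterwards
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/ppolicy.schema   # pwdPolicy object class and policy attributes
modulepath  /usr/lib64/openldap
moduleload  ppolicy.la                            # makes pwdHistory, pwdChangedTime, ... known to the parser

database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap

overlay     ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# ACLs are evaluated first-match: the pwd* rule must appear before any
# "access to *" rule, otherwise that broader rule is the one that applies.
include     /etc/openldap/acl.conf

### Contents of /etc/openldap/acl.conf (assumed layout, built around the
### rule from the quoted mail):
#
# access to attrs=pwdHistory,pwdChangedTime
#         by * none
#
# access to attrs=userPassword
#         by self write
#         by anonymous auth
#         by * none
#
# access to *
#         by * read
```

Re-run the same check that produced the error in the quoted mail, `slaptest -f /etc/openldap/slapd.conf`, after reordering; it should now accept the `attrs=pwdHistory` clause. Note that the pwd* state attributes are maintained by the overlay itself, so a `by * none` rule hides them from clients while still leaving anonymous reads of the rest of the entry governed by the later `access to *` rule.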