>>> Chandeshwar Mishra <[email protected]> wrote on 14.02.2022 at 23:26 in message <CAHecg0nmvzBkcfs7uDbYKU2R4QE+ok=5wksb24hxf8aasbz...@mail.gmail.com>:
> Hi Quanah,
>
> Thanks for your response. Our setup is a very old one and we are planning
> to migrate it to the latest stable version, but since this OpenLDAP is
> deployed in production it is not possible for us to upgrade it suddenly.
>
> As you mentioned that the ppolicy schema is missing in the configuration, is it
> possible that without having the ppolicy schema, OpenLDAP will remember the
> pwdHistory of the user?
My guess is that unconfiguring ppolicy does not make the entries created by ppolicy go away. You probably have to remove them if you want them to go away, or re-configure ppolicy if you want to use them.

Regards,
Ulrich

> In my case pwdHistory is visible to users, for which I want to apply an ACL so
> that a user can only see his/her pwdHistory, not other users' pwdHistory.
>
> Below is my configuration related to ppolicy in the config file:
>
> include /etc/openldap/schema/ppolicy.schema
> --- more include directives related to schema
> ----
> moduleload ppolicy.la
> moduleload memberof.la
> overlay memberof
> overlay syncprov
> overlay auditlog
> #overlay accesslog
> overlay ppolicy
> ppolicy_default "cn=passwordDefault,dc=example,dc=com"
>
> Thanks & Regards,
> Chandeshwar Kumar
>
> On Mon, Feb 14, 2022 at 11:24 PM Quanah Gibson-Mount <[email protected]> wrote:
>
>> --On Saturday, February 12, 2022 5:22 AM +0000 [email protected] wrote:
>>
>> > Hi,
>> > I am trying to restrict access to pwdHistory attributes provided by
>> > ppolicy overlay.
>> > I have applied the below ACL:
>> >
>> > access to attrs=pwdHistory
>> >     by * none
>> >
>> > but while doing slaptest, it's throwing the below error:
>> > /etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to clause
>> > <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
>> > <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]
>> > <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>
>> > <attrlist> ::= <attr> [ , <attrlist> ]
>> > <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children
>> > <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
>> >     [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]
>> >     [dnattr=<attrname>]
>> >     [realdnattr=<attrname>]
>> >     [group[/<objectclass>[/<attrname>]][.<style>]=<group>]
>> >     [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
>> >     [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
>> >     [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]
>> >
>> > Before posting here I searched the archive and found one similar issue, but
>> > it did not resolve my issue. I am running openldap-servers-2.4.23 on
>> > RHEL-6.5.
>>
>> You are missing the ppolicy schema in your configuration.
>>
>> However, I would note that both RHEL6 and OpenLDAP 2.4 are historic and no
>> longer in support. I'd strongly advise upgrading to both an OS that is
>> under support and a version of OpenLDAP that's under support.
>>
>> Regards,
>> Quanah
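For readers landing on this thread with the same goal (users may read their own pwdHistory and nobody else's), here is an added slapd.conf fragment that is not part of any message above and not from the OpenLDAP project. It puts the two things the thread circles around in one place: the schema include that makes slapd know the attribute before an ACL names it, and an ACL that grants only `self` read. The schema paths, suffix, rootdn and the `cn=passwordDefault` entry are placeholders taken from the poster's config or assumed; the `database` type depends on the release (hdb on a 2.4.23 install, mdb on anything current).

```conf
# Added example, not from the thread. Paths and DNs are assumptions.

# slapd parses "access to attrs=<name>" against the schema it has already
# loaded, so ppolicy.schema must be included (and, in 2.4, appear) before
# any ACL that mentions pwdHistory, pwdChangedTime, etc.  Without it,
# slaptest fails with:  unknown attr "pwdHistory" in to clause
# (OpenLDAP 2.5+ bundles this schema into the module: drop the include,
# but "moduleload ppolicy.la" must still precede the ACL.)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/ppolicy.schema

moduleload      ppolicy.la

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# ACLs are evaluated in order and the first "access to" clause that matches
# the attribute wins, so this rule must come BEFORE the catch-all
# "access to *" below, or the broader rule silently grants the attribute.
# rootdn is never subject to ACLs and still sees pwdHistory.
#
# pwdHistory stores copies of previous userPassword values (normally hashes),
# which is offline-cracking material; "by * none" keeps other users and
# anonymous clients from enumerating it.  The ppolicy overlay reads the
# entry internally, not as an LDAP client, so denying read here does not
# stop password-history enforcement.
access to attrs=pwdHistory
        by self read
        by * none

# Usual password handling: users change their own, anyone may bind with it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Catch-all: authenticated users may read everything not handled above.
access to *
        by users read
        by * none

overlay         ppolicy
ppolicy_default "cn=passwordDefault,dc=example,dc=com"
```

Validate with `slaptest -u -f /etc/openldap/slapd.conf` before restarting. To check the effect, bind as one user and search another user's entry, naming the attribute explicitly because pwdHistory is operational and is not returned by default: `ldapsearch -x -D "uid=alice,ou=people,dc=example,dc=com" -W -b "uid=bob,ou=people,dc=example,dc=com" pwdHistory` should return bob's entry without pwdHistory, while the same search against alice's own DN returns it. The cn=config equivalent is the same clauses as `olcAccess` values on the database entry, with the same ordering rule.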
