Hi,

On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden <[email protected]> wrote:
> Rich Megginson wrote:
>>
>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>
>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>
>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>> to a less privileged account; i.e., an account solely designed to
>>>>> check replication status?
>>>>
>>>> You also need to expose the RUV tombstone entry at the base of each
>>>> suffix.
>>>
>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>> any pointers?
>>>
>>> Cheers,
>>> Ian
>>>
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>
>
> We already have some delegated permissions for replication but none granting
> only read access. Off the cuff, something like this might work:
>
> dn: cn="$SUFFIX",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>
> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
> changetype: add
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> cn: Read Replication Agreements
> ipapermissiontype: SYSTEM
>
> Note that you'll need to replace $SUFFIX with your base dn
> (dc=example,dc=com).
>
> This is untested so YMMV. If you find that it works and is useful please let
> us know, maybe we can add this for everyone to enjoy :-)
Is it safe to allow anonymous access to read this attribute?

I added the following ACI:

dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)

And I can now get the replication status using an anonymous bind.

I also modified the nagios perl script to make an anonymous bind and check the replication status - it's working OK.

I don't know if the aci should be a standard feature, option to enable, or just to provide the ldif for anyone who wants it.

Thanks,
Dan

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
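What a monitoring account granted the read-only ACI above would actually consume, as an added example that is neither from this thread nor from the nagios script Dan mentions: parse replication-agreement entries as `ldapsearch -LLL` prints them and flag any agreement whose last update failed or is stale. It assumes the standard 389 DS attribute names nsds5replicaLastUpdateStatus and nsds5replicaLastUpdateEnd and that the status value starts with a numeric code (0 on success, in either the `0 ...` or `Error (0) ...` form); the two sample entries are constructed.

```python
import re
from datetime import datetime, timezone
AGREEMENT_CLASSES = {"nsds5replicationagreement", "nsdswindowsreplicationagreement"}
STATUS_RE = re.compile(r"^(?:Error \()?(-?\d+)")  # "0 Replica acquired ..." or "Error (0) ..."
NOW = datetime(2012, 5, 3, 13, 0, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
# Constructed sample: two agreements as `ldapsearch -LLL` prints them (one value is folded).
SAMPLE_LDIF = """\
dn: cn=meTohost2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meTohost2
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
  update succeeded
nsds5replicaLastUpdateEnd: 20120503120000Z

dn: cn=meTohost3,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meTohost3
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: error: can't connect
nsds5replicaLastUpdateEnd: 20120501120000Z
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]}, attrs lowercased, folded lines joined."""
    entries, cur, prev = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and prev:            # folded continuation line
            cur[prev][-1] += line[1:]
        elif line:
            attr, _, value = line.partition(":")
            prev = attr.strip().lower()
            cur.setdefault(prev, []).append(value.strip())
        elif cur:                                    # blank line ends an entry
            entries.append(cur)
            cur, prev = {}, None
    return entries

def check_agreements(entries, now=NOW, max_lag_hours=24):
    """Map each agreement cn to (healthy, reason): a failed or stale last update is unhealthy."""
    results = {}
    for e in entries:
        if not AGREEMENT_CLASSES & {v.lower() for v in e.get("objectclass", [])}:
            continue                                  # not a replication agreement entry
        status = e.get("nsds5replicalastupdatestatus", ["(no status)"])[0]
        end = e.get("nsds5replicalastupdateend", ["0"])[0]   # "0" = never completed an update
        m = STATUS_RE.match(status)
        if not m or int(m.group(1)) != 0 or end == "0":
            results[e["cn"][0]] = (False, "last update failed: " + status)
            continue
        lag = now - datetime.strptime(end, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        ok = lag.total_seconds() <= max_lag_hours * 3600
        results[e["cn"][0]] = (ok, "ok" if ok else f"last successful update {lag} ago")
    return results
```

Feed it real output with `ldapsearch -LLL -b cn=config "(objectclass=nsds5replicationagreement)"` bound as the monitoring identity; if that search returns nothing, the ACI is not granting what was intended.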
