Hi,

We're looking to add monitoring to our IPA replicas and want to provide a user with the minimum possible permissions to do so.

Allowing the user to have the Replication Administrators role works, but for monitoring the ability to add/modify/remove is overkill by a long shot. There's no existing permission for "Read Replication Agreements", only add, remove and modify.

I've tried to use ipa permission-add with --filter to allow access to objectClass=nsds5replicationagreement, but checking the status via:

    ldapsearch -Y GSSAPI -h c6test2.c6ipa.local -b cn=config '(objectclass=nsds5replicationagreement)'

does not show anything unless the account being tested with gets Replication Administrator privileges... I've tried using subtree as well, but the ipa command errors that the base of cn=config is not $SUFFIX ... and out of scope.

What am I missing to set this up, or is this not possible with the role/privilege/permission mechanism within IPA? I can see how the replication administration permissions are added in replica-acis.ldif, but I'm concerned that if I manually add an ACI via pure LDIF commands it will cause issues with future IPA upgrades due to schema differences, so I was hoping to remain within the IPA command side of things...

1) Is this even possible with the ipa command?

2) If I use ldapmodify to add a new permission by hand via LDIF for "Read Replication Agreements", will this likely break on IPA upgrades in future?

Cheers,
James
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
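For reference, this is what the manual ldapmodify route mentioned in the post would look like as a 389-ds ACI: an added illustration, not part of the original message and not an IPA-shipped ACI. It assumes an IPA user group named "replication monitors" under the usual IPA group container and the suffix dc=example,dc=com; both are placeholders to be replaced with real values. It grants read/search/compare on entries matching the same objectClass filter the poster used, and withholds nsDS5ReplicaCredentials so the monitoring account cannot read the agreements' replication bind credentials. It does not answer the poster's upgrade question; it only shows the shape of the ACI the post is weighing against the ipa permission-add approach.

```ldif
# Added example (not from the original post or from FreeIPA itself).
# Attach a read-only ACI for replication agreements to cn=config, the
# same search base used in the ldapsearch check above.
# ASSUMPTIONS: group DN and suffix below are placeholders.
dn: cn=config
changetype: modify
add: aci
aci: (targetfilter="(objectClass=nsds5replicationagreement)")(targetattr != "nsDS5ReplicaCredentials")(version 3.0; acl "Read Replication Agreements (local, unmanaged)"; allow (read, search, compare) groupdn="ldap:///cn=replication monitors,cn=groups,cn=accounts,dc=example,dc=com";)
```

Applied with ldapmodify as Directory Manager, the result can be verified with the same ldapsearch -Y GSSAPI -b cn=config '(objectclass=nsds5replicationagreement)' the post already uses, run as a member of the assumed group; the agreement entries should be returned without nsDS5ReplicaCredentials, and an account outside the group should still see nothing.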
