[389-users] Searching cn=config as a user other than cn=Directory Manager?

Anne Cross across at itasoftware.com
Mon Oct 19 21:36:16 UTC 2009


Rich Megginson wrote:
>> but searching as cn=replication,cn=config  or similar results doesn't 
>> return any results.
>> Can someone point me at the ACI I need to modify (or do I need to 
>> create a new one?) to add read-only access to cn=config on our master 
>> servers for monitoring purposes?  Thanks!
> The setup-ds-admin.pl script creates ACIs for the console admin user - 
> look at the ACIs on the cn=config entry for the uid=admin,..... user.  
> You can probably just duplicate those - change the user to be your 
> monitoring user, and change the allow() to just read,search,compare.
>
Ahah.  Just in case anybody else is curious, this is effectively what I 
ended up setting up for the check_ldap_replication script for nagios, on 
the cn=config tree:

(targetattr = "*")(version 3.0;
  acl "Monitoring Script";
  allow (read,compare,search)
    (userdn = "ldap:///uid=nagiosmonitoring,ou=Resource Accounts,dc=itasoftware,dc=com");
)

I may see if I can restrict it down a little further, but that makes me 
much happier than using the Directory Manager user.

Thanks for your help!

-- 
,___,
{o,o}  Anne "Juniper" Cross
(___)  Senior Linux Systems Engineer and Extropic Crusader
-"-"-- Information Technology, ITA Software
/^^^
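As an added illustration, not part of the original thread, here is a small Python parser that reads an ACI of the shape used above and reports any rights granted beyond read, search and compare, which is the least-privilege check a monitoring account's ACI should pass. It is a simplified parser, not the server's own, and it assumes the one-target, single-bind-rule-per-clause form shown in the post.

```python
"""Simplified 389 Directory Server ACI parser/auditor (added example, not the
server's parser).  Handles the common shape
  (targetattr = "...")(version 3.0; acl "name"; allow|deny (rights) bindrule;)
and reports rights beyond read-only, the check a monitoring ACI should pass."""
import re

READ_ONLY = {"read", "search", "compare"}

# The ACI from the list post, reproduced here as the sample input.
MONITORING_ACI = (
    '(targetattr = "*") (version 3.0; acl "Monitoring Script"; '
    'allow (read,compare,search)(userdn = '
    '"ldap:///uid=nagiosmonitoring,ou=Resource Accounts,dc=itasoftware,dc=com");)'
)

def parse_aci(aci):
    """Return targetattr, acl name, and one dict per allow/deny clause."""
    m = re.match(r'\s*\(targetattr\s*=\s*"([^"]*)"\)\s*\(version\s*3\.0\s*;(.*)\)\s*$',
                 aci, re.S)
    if not m:
        raise ValueError("unrecognised ACI shape")
    targetattr, body = m.groups()
    name_m = re.search(r'acl\s*"([^"]*)"\s*;', body)
    if not name_m:
        raise ValueError("missing acl name")
    perms = []
    # Each permission clause looks like: allow|deny (rights) <bind rule> ;
    for kind, rights, bind in re.findall(
            r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', body[name_m.end():], re.S):
        perms.append({
            "kind": kind,
            "rights": {r.strip().lower() for r in rights.split(",") if r.strip()},
            "bind_rule": bind.strip().strip("()").strip(),
        })
    return {"targetattr": targetattr, "name": name_m.group(1), "permissions": perms}

def excess_rights(aci):
    """Rights granted by 'allow' clauses that exceed read-only monitoring.
    'all' is not expanded; it is simply reported, since it implies write."""
    extra = set()
    for p in parse_aci(aci)["permissions"]:
        if p["kind"] == "allow":
            extra |= p["rights"] - READ_ONLY
    return extra

if __name__ == "__main__":
    print(parse_aci(MONITORING_ACI))
    print("excess rights:", excess_rights(MONITORING_ACI) or "none")
```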