[Freeipa-users] Replication status

Rob Crittenden rcritten at redhat.com
Thu May 3 03:13:21 UTC 2012


Rich Megginson wrote:
> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>
>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>> to a less privileged account; i.e., an account solely designed to
>>>> check replication status?
>>> You also need to expose the RUV tombstone entry at the base of each
>>> suffix.
>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>> any pointers?
>>
>> Cheers,
>> Ian
>>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html

We already have some delegated permissions for replication but none 
granting only read access. Off the cuff, something like this might work:

# ACI on the suffix's entry under cn=mapping tree,cn=config. Replication
# agreements sit beneath it under cn=replica, so the subtree scope of this
# ACI reaches them. (The RUV tombstone Rich mentioned lives at the base of
# the suffix itself and is not covered by this target.) The long aci value
# is folded with LDIF continuation lines: a leading space that ldapmodify
# strips and joins. The documented keyword for the ACI name is "acl".
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr="*")
 (targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")
 (version 3.0; acl "permission:Read Replication Agreements";
  allow (read, search, compare)
  groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

# The FreeIPA permission entry the ACI's groupdn points at; the read access
# is granted to whatever is added to its member attribute.
dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read Replication Agreements
ipapermissiontype: SYSTEM

Note that you'll need to replace $SUFFIX with your base dn 
(dc=example,dc=com).

This is untested so YMMV. If you find that it works and is useful please 
let us know, maybe we can add this for everyone to enjoy :-)

rob
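Since the point of the thread is an account that only checks replication status, here is what such an account would run once it can read the agreements. This is an added example of my own, not code from the thread, from Rob, or from FreeIPA: it parses the agreement entries as ldapsearch prints them (LDIF, including folded continuation lines and base64 values) and flags agreements whose last update failed, never completed, or is older than a threshold. It accepts both forms of nsds5replicaLastUpdateStatus that 389 DS has printed over time ("0 Replica acquired ..." and "Error (0) Replica acquired ..."). The LDIF sample is constructed, not captured from a server; the ldapsearch invocation in the comment and the one-hour staleness threshold are assumptions.

```python
"""Summarise 389 DS / FreeIPA replication agreements from ldapsearch output.

Added example; not code from the thread or from FreeIPA. The LDIF sample
below is constructed, not captured from a real server.
"""
import base64
import re
from datetime import datetime, timezone

# Constructed sample of what `ldapsearch -LLL` prints for a search such as
#   ldapsearch -Y GSSAPI -LLL -b 'cn=mapping tree,cn=config'
#     '(objectclass=nsds5replicationagreement)' nsds5replicaHost
#     nsds5replicaLastUpdateStatus nsds5replicaLastUpdateEnd nsds5replicaUpdateInProgress
# (assumed invocation; run as the account holding the read permission).
SAMPLE_LDIF = r"""dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaHost: ipa2.example.com
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaLastUpdateEnd: 20120503030000Z
nsds5replicaUpdateInProgress: FALSE

dn: cn=meToipa3.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaHost: ipa3.example.com
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: error: can't connect
nsds5replicaLastUpdateEnd: 20120501120000Z
nsds5replicaUpdateInProgress: FALSE

dn: cn=meToipa4.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicaHost: ipa4.example.com
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update started
nsds5replicaLastUpdateEnd: 0
nsds5replicaUpdateInProgress: TRUE
"""

# Old servers print "<code> <message>", newer ones "Error (<code>) <message>".
STATUS_RE = re.compile(r"^(?:Error \((-?\d+)\)|(-?\d+))\s*(.*)$")


def parse_ldif(text):
    """Return a list of {attr_lowercase: [values]} dicts from LDIF text.

    Unfolds continuation lines (leading space), skips '#' comments and
    decodes '::' base64 values. Entries are separated by blank lines.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # fold back onto the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def status_code(status):
    """Split nsds5replicaLastUpdateStatus into (numeric code, message)."""
    m = STATUS_RE.match(status)
    if not m:
        return None, status
    code = int(m.group(1) if m.group(1) is not None else m.group(2))
    return code, m.group(3)


def parse_generalized_time(value):
    """'20120503031321Z' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_agreements(entries, now, max_age_seconds=3600):
    """Return one report dict per agreement; 'ok' is False on any problem.

    Problems: non-zero (or missing) status code, no completed update yet
    (nsds5replicaLastUpdateEnd of 0), or last update older than the
    assumed threshold.
    """
    reports = []
    for e in entries:
        host = e.get("nsds5replicahost", ["?"])[0]
        code, msg = status_code(e.get("nsds5replicalastupdatestatus", [""])[0])
        end = e.get("nsds5replicalastupdateend", ["0"])[0]
        age = None
        if end not in ("", "0"):
            age = (now - parse_generalized_time(end)).total_seconds()
        problems = []
        if code is None:
            problems.append("no status reported")
        elif code != 0:
            problems.append("status: %s" % msg)
        if age is None:
            problems.append("never completed an update")
        elif age > max_age_seconds:
            problems.append("last update %d s ago" % age)
        reports.append({"host": host, "code": code, "age": age,
                        "ok": not problems, "problems": problems})
    return reports


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for r in check_agreements(parse_ldif(SAMPLE_LDIF), now):
        print("%-20s %s" % (r["host"], "OK" if r["ok"] else "; ".join(r["problems"])))
```

Pipe real `ldapsearch -LLL` output into `parse_ldif` instead of the sample and the rest is unchanged; the account only needs the read ACI from Rob's draft (plus the RUV tombstone Rich mentioned if you also want to compare RUVs across masters).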