[Freeipa-users] Replication status

Dan Scott danieljamesscott at gmail.com
Fri May 18 14:13:17 UTC 2012


Hi,

On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Rich Megginson wrote:
>>
>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>
>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>
>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>> to a less privileged account; i.e., an account solely designed to
>>>>> check replication status?
>>>>
>>>> You also need to expose the RUV tombstone entry at the base of each
>>>> suffix.
>>>
>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>> any pointers?
>>>
>>> Cheers,
>>> Ian
>>>
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>
>
> We already have some delegated permissions for replication but none granting
> only read access. Off the cuff, something like this might work:
>
> dn: cn="$SUFFIX",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
>   3.0; aci "permission:Read Replication Agreements"; allow (read, search,
>   compare) groupdn = "ldap:///cn=Read Replication
>   Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>
> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
> changetype: add
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> cn: Read Replication Agreements
> ipapermissiontype: SYSTEM
>
> Note that you'll need to replace $SUFFIX with your base dn
> (dc=example,dc=com).
>
> This is untested so YMMV. If you find that it works and is useful please let
> us know, maybe we can add this for everyone to enjoy :-)

Is it safe to allow anonymous access to read this attribute? I added
the following ACI:

dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
  3.0; aci "permission:Read Replication Agreements"; allow (read,
  search, compare) groupdn = "ldap:///anyone";)

And I can now get the replication status using an anonymous bind. I
also modified the nagios perl script to make an anonymous bind and
check the replication status - it's working OK.

I don't know if the aci should be a standard feature, option to
enable, or just to provide the ldif for anyone who wants it.

Thanks,

Dan
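Editor's added example (not Dan's modified Nagios perl script and not code from the FreeIPA or 389-ds projects): a small Nagios-style check that does what the thread describes, an anonymous simple bind with ldapsearch, a search for nsds5replicationagreement entries under cn=mapping tree,cn=config, and a mapping of nsds5replicaLastUpdateStatus to a Nagios exit code. Assumptions, labelled in the code too: OpenLDAP's ldapsearch is on PATH, the server answers on ldap://HOST, and a status string beginning with "0 " (older 389-ds) or "Error (0)" (newer 389-ds) means the last update succeeded. The sample LDIF embedded at the bottom is constructed, not captured from a real server, so the parser can be exercised offline.

```python
"""Nagios-style replication check over an anonymous LDAP bind (added example,
not the Nagios perl script from the thread).  Assumes OpenLDAP's ldapsearch is
on PATH, the server answers on ldap://HOST, and that nsds5replicaLastUpdateStatus
starting with "0 " (older 389-ds) or "Error (0)" (newer 389-ds) means success."""
import base64
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = ["OK", "WARNING", "CRITICAL", "UNKNOWN"]
AGREEMENT_FILTER = ("(|(objectclass=nsds5replicationagreement)"
                    "(objectclass=nsDSWindowsReplicationAgreement))")
# Request only status attributes: the thread's ACI grants targetattr=*, but a
# monitoring client has no business reading anything else from the agreement.
AGREEMENT_ATTRS = ["cn", "nsds5replicahost", "nsds5replicalastupdatestatus",
                   "nsds5replicalastupdateend", "nsds5replicaupdateinprogress"]


def parse_ldif(text):
    """ldapsearch LDIF -> list of {attr: [values]}; handles folding and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # LDIF folding: drop the one leading space
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):     # skip ldapsearch comment lines
            name, _, rest = line.partition(":")
            if rest.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            cur.setdefault(name.strip().lower(), []).append(value)
    return entries


def evaluate(entries):
    """Map agreement entries to (nagios_state, message)."""
    if not entries:
        return UNKNOWN, "no replication agreements readable (check the ACI)"
    problems, healthy = [], []
    for e in entries:
        name = e.get("cn", ["?"])[0]
        host = e.get("nsds5replicahost", ["?"])[0]
        status = e.get("nsds5replicalastupdatestatus", [""])[0]
        busy = e.get("nsds5replicaupdateinprogress", ["FALSE"])[0].upper() == "TRUE"
        if status.startswith("0 ") or status.startswith("Error (0)"):
            healthy.append(f"{name}->{host} ok")
        elif not status:                   # agreement has never run an update
            problems.append((WARNING, f"{name}->{host}: no update status yet"
                             + (" (update in progress)" if busy else "")))
        else:                              # any other code: the last update failed
            problems.append((CRITICAL, f"{name}->{host}: {status}"))
    if problems:
        return max(s for s, _ in problems), "; ".join(m for _, m in problems)
    return OK, ", ".join(healthy)


def run_ldapsearch(host, base="cn=mapping tree,cn=config"):
    """-x without -D/-w is an anonymous simple bind, as in Dan's modified check."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}", "-b", base,
           AGREEMENT_FILTER] + AGREEMENT_ATTRS
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed ldapsearch output (not captured from a real server): one healthy
# and one failed agreement, with a folded line and a base64 value for the parser.
_FAILED_B64 = base64.b64encode(b"-1 Unable to acquire replica: permission denied").decode()
SAMPLE_OUTPUT = f"""\
dn: cn=meToipa2.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
cn: meToipa2.example.com
nsds5replicahost: ipa2.example.com
nsds5replicalastupdatestatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaupdateinprogress: FALSE

dn: cn=meToipa3.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
cn: meToipa3.example.com
nsds5replicahost: ipa3.example.com
nsds5replicalastupdatestatus:: {_FAILED_B64}
nsds5replicaupdateinprogress: FALSE
"""


def main(host):
    try:
        state, msg = evaluate(parse_ldif(run_ldapsearch(host)))
    except (OSError, subprocess.CalledProcessError) as exc:
        state, msg = UNKNOWN, f"ldapsearch failed: {exc}"
    print(f"{STATE_NAMES[state]}: {msg}")
    return state


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]) if len(sys.argv) == 2 else UNKNOWN)
```

Run it as `check_ipa_repl.py ipa1.example.com` from Nagios; `evaluate(parse_ldif(SAMPLE_OUTPUT))` shows the CRITICAL path without a server. Two points a practitioner would want alongside the ACI in the thread: first, the agreement entry also carries nsds5ReplicaBindDN and nsds5ReplicaCredentials, so listing the status attributes explicitly in targetattr, rather than targetattr=*, keeps those out of anonymous reach while the check above still works, since it only asks for those attributes; second, as Rich notes, the RUV lives in a separate tombstone at the base of each suffix, which this ACI on cn=mapping tree does not cover. That entry is the one returned by a search on the suffix with filter (&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone)) for attribute nsds50ruv, so a check that compares RUVs between masters needs a second read ACI there.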