[Freeipa-users] Replication status

Rich Megginson rmeggins at redhat.com
Fri May 18 16:21:06 UTC 2012


On 05/18/2012 10:06 AM, Dan Scott wrote:
> On Fri, May 18, 2012 at 10:29 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>> On 05/18/2012 08:13 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>> Rich Megginson wrote:
>>>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>>>
>>>>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>>>> check replication status?
>>>>>>> You also need to expose the RUV tombstone entry at the base of each
>>>>>>> suffix.
>>>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>>>>> any pointers?
>>>>>>
>>>>>> Cheers,
>>>>>> Ian
>>>>>>
>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>>>
>>>> We already have some delegated permissions for replication but none
>>>> granting only read access. Off the cuff, something like this might work:
>>>>
>>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>>> changetype: modify
>>>> add: aci
>>>> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)
>>>>  (objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;
>>>>  aci "permission:Read Replication Agreements";
>>>>  allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,
>>>>  cn=permissions,cn=pbac,$SUFFIX";)
>>>>
>>>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>>>> changetype: add
>>>> objectClass: top
>>>> objectClass: groupofnames
>>>> objectClass: ipapermission
>>>> cn: Read Replication Agreements
>>>> ipapermissiontype: SYSTEM
>>>>
>>>> Note that you'll need to replace $SUFFIX with your base dn
>>>> (dc=example,dc=com).
>>>>
>>>> This is untested so YMMV. If you find that it works and is useful please
>>>> let us know, maybe we can add this for everyone to enjoy :-)
>>> Is it safe to allow anonymous access to read this attribute? I added
>>> the following ACI:
>>>
>>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>>> changetype: modify
>>> add: aci
>>> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)
>>>  (objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;
>>>  aci "permission:Read Replication Agreements";
>>>  allow (read, search, compare) groupdn = "ldap:///anyone";)
>>
>> It would be better to restrict the list of attributes to only those needed
>> by the app e.g. (targetattr="foo || bar || baz || ...")
> OK, thanks. I had a look through the available data and I think these
> would be best:
>
> nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress
>
>>> And I can now get the replication status using an anonymous bind. I
>>> also modified the nagios perl script to make an anonymous bind and
>>> check the replication status - it's working OK.
>>>
>>> I don't know if the aci should be a standard feature, option to
>>> enable, or just to provide the ldif for anyone who wants it.
>>
>> Sure.  If you think it should be a standard feature, just file a ticket.
> OK, will do, once I've figured out a few more things. I want to enable
> this for the PKI-CA directory too. I changed the dn to "dn:
> cn="o=ipaca",cn=mapping tree,cn=config" and added this to my server on
> port 7389. Using targetattr=*, everything works fine, but when I
> restrict it to the list of attributes above, I don't get any results.
> Is there another attribute I need to add?

Not sure why it would be any different for CA replication . . .

>
> Thanks,
>
> Dan
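As an added example, not code from the thread or from FreeIPA: a Python helper that emits the restricted-attribute form of Rob's ACI as properly folded LDIF and applies a Nagios-style verdict to the attributes Dan listed. The inclusion of objectclass in the attribute list (so the objectclass filter can be evaluated) and the status-string formats it parses are assumptions.

```python
import re

# Attribute list proposed in the thread, plus objectclass (an assumption:
# the objectclass search filter needs search rights on that attribute).
REPL_ATTRS = ["objectclass", "nsDS5ReplicaHost", "nsds5replicaLastUpdateStatus",
              "nsds5replicaLastUpdateStart", "nsds5replicaLastUpdateEnd",
              "nsds5replicaLastInitStart", "nsds5replicaLastInitEnd",
              "nsds5replicaUpdateInProgress"]
AGREEMENT_FILTER = ("(|(objectclass=nsds5replicationagreement)"
                    "(objectclass=nsDSWindowsReplicationAgreement))")

def read_aci(attrs=REPL_ATTRS, who="ldap:///anyone"):
    """ACI granting read/search/compare on attrs of agreement entries only."""
    return ('(targetattr="' + " || ".join(attrs) + '")'
            '(targetfilter="' + AGREEMENT_FILTER + '")'
            '(version 3.0; acl "permission:Read Replication Agreements"; '
            'allow (read, search, compare) groupdn = "' + who + '";)')

def fold(line, width=76):
    """Fold one long LDIF line; continuation lines start with a single space."""
    parts = [line[:width]]
    for i in range(width, len(line), width - 1):
        parts.append(" " + line[i:i + width - 1])
    return "\n".join(parts)

def aci_ldif(suffix, attrs=REPL_ATTRS, who="ldap:///anyone"):
    """LDIF modify operation adding the ACI to the suffix's mapping tree entry."""
    return "\n".join([f'dn: cn="{suffix}",cn=mapping tree,cn=config',
                      "changetype: modify", "add: aci",
                      fold("aci: " + read_aci(attrs, who)), ""])

def check_agreement(entry):
    """Nagios-style (exit code, message) from one agreement's attributes.
    entry maps lower-cased attribute names to their first string value."""
    host = entry.get("nsds5replicahost", "?")
    if entry.get("nsds5replicaupdateinprogress", "FALSE").upper() == "TRUE":
        return 0, f"OK {host}: update in progress"
    status = entry.get("nsds5replicalastupdatestatus", "")
    code = re.search(r"-?\d+", status)  # "0 Replica acquired ..." or "Error (0) ..."
    if code is None or int(code.group()) != 0:
        return 2, f"CRITICAL {host}: {status or 'no status'}"
    return 0, f"OK {host}: {status}"

if __name__ == "__main__":
    print(aci_ldif("dc=example,dc=com"))
    # Constructed sample of what the anonymous search returns once the ACI is in place.
    sample = {"nsds5replicahost": "ipa2.example.com",
              "nsds5replicaupdateinprogress": "FALSE",
              "nsds5replicalastupdatestatus":
                  "0 Replica acquired successfully: Incremental update succeeded"}
    print(check_agreement(sample))
```

Feed the generated LDIF to ldapmodify against the Directory Manager, then point the Nagios check at an anonymous search for the same attribute list.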
