[Freeipa-users] Replication status

Rich Megginson rmeggins at redhat.com
Fri May 18 14:29:06 UTC 2012


On 05/18/2012 08:13 AM, Dan Scott wrote:
> Hi,
>
> On Wed, May 2, 2012 at 11:13 PM, Rob Crittenden<rcritten at redhat.com>  wrote:
>> Rich Megginson wrote:
>>> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>>>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>>
>>>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>>>> to a less privileged account; i.e., an account solely designed to
>>>>>> check replication status?
>>>>> You also need to expose the RUV tombstone entry at the base of each
>>>>> suffix.
>>>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>>>> any pointers?
>>>>
>>>> Cheers,
>>>> Ian
>>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
>>
>> We already have some delegated permissions for replication but none granting
>> only read access. Off the cuff, something like this might work:
>>
>> dn: cn="$SUFFIX",cn=mapping tree,cn=config
>> changetype: modify
>> add: aci
>> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")
>>  (version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare)
>>   groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
>>
>> dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
>> changetype: add
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: ipapermission
>> cn: Read Replication Agreements
>> ipapermissiontype: SYSTEM
>>
>> Note that you'll need to replace $SUFFIX with your base dn
>> (dc=example,dc=com).
>>
>> This is untested so YMMV. If you find that it works and is useful please let
>> us know, maybe we can add this for everyone to enjoy :-)
> Is it safe to allow anonymous access to read this attribute? I added
> the following ACI:
>
> dn: cn="$SUFFIX",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")
>  (version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare)
>   groupdn = "ldap:///anyone";)

It would be better to restrict the list of attributes to only those 
needed by the app e.g. (targetattr="foo || bar || baz || ...")

>
> And I can now get the replication status using an anonymous bind. I
> also modified the nagios perl script to make an anonymous bind and
> check the replication status - it's working OK.
>
> I don't know if the aci should be a standard feature, option to
> enable, or just to provide the ldif for anyone who wants it.

Sure.  If you think it should be a standard feature, just file a ticket.

>
> Thanks,
>
> Dan

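Rich's advice to list the attributes explicitly instead of `targetattr=*`, and Dan's unprivileged status check, as an added Python example that is not part of this thread and not FreeIPA or 389-ds code. It builds the read-only ACI from Rob's LDIF with a narrowed `targetattr`, and evaluates agreement health from an LDIF export of the `nsds5replicationagreement` entries (the `nsds5replica*` attribute names are standard 389-ds attributes; the chosen attribute list, the one-hour staleness threshold, and all hostnames, DNs and timestamps in `SAMPLE_LDIF` are constructed assumptions).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: three agreement entries as "ldapsearch -LLL -b cn=config"
# might export them (hosts and times invented). Folded values continue on a
# line beginning with a space, as LDIF requires.
SAMPLE_LDIF = r"""dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa2.example.com
nsds5replicaHost: ipa2.example.com
nsds5replicaRoot: dc=example,dc=com
nsds5replicaLastUpdateEnd: 20120518142801Z
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upda
 te succeeded

dn: cn=meToipa3.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa3.example.com
nsds5replicaHost: ipa3.example.com
nsds5replicaRoot: dc=example,dc=com
nsds5replicaLastUpdateEnd: 20120518120000Z
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: error: can't connect
  to ipa3.example.com

dn: cn=meToipa4.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa4.example.com
nsds5replicaHost: ipa4.example.com
nsds5replicaRoot: dc=example,dc=com
nsds5replicaLastUpdateEnd: 20120518090000Z
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
"""

# Attributes a status checker needs (assumed list). Rich's point: name them
# explicitly in targetattr rather than exposing everything on the entry.
STATUS_ATTRS = ("cn", "nsds5replicaHost", "nsds5replicaRoot",
                "nsds5replicaLastUpdateEnd", "nsds5replicaLastUpdateStatus")

# 389-ds reports either "0 ..." (older) or "Error (0) ..." (newer) on success.
STATUS_OK = re.compile(r"^(0 |Error \(0\))")


def parse_ldif(text):
    """Split LDIF into entries {attr_lower: [values]}; unfolds continuation
    lines and keeps multi-valued attributes. Base64 (':: ') values are skipped
    since none of the status attributes use them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation: drop one leading space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            continue
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_agreement(entry, now, max_age=timedelta(hours=1)):
    """Return (ok, message): ok needs a zero status code and a last update that
    ended within max_age. LastUpdateEnd is '0' before the first update runs."""
    host = entry.get("nsds5replicahost", ["?"])[0]
    status = entry.get("nsds5replicalastupdatestatus", [""])[0]
    if not STATUS_OK.match(status):
        return False, f"{host}: last update failed: {status}"
    end = entry.get("nsds5replicalastupdateend", ["0"])[0]
    if end == "0":
        return False, f"{host}: no update has run yet"
    ended = datetime.strptime(end, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if now - ended > max_age:
        return False, f"{host}: stale, last update ended {now - ended} ago"
    return True, f"{host}: OK ({status})"


def build_read_only_aci(suffix, attrs=STATUS_ATTRS,
                        bind_rule='groupdn = "ldap:///cn=Read Replication Agreements,'
                                  'cn=permissions,cn=pbac,{suffix}"'):
    """Rob's ACI with targetattr narrowed to `attrs`; pass
    bind_rule='userdn = "ldap:///anyone"' to reproduce Dan's anonymous variant."""
    return (f'(targetattr="{" || ".join(attrs)}")'
            '(targetfilter="(|(objectclass=nsds5replicationagreement)'
            '(objectclass=nsDSWindowsReplicationAgreement))")'
            '(version 3.0; aci "permission:Read Replication Agreements"; '
            f'allow (read, search, compare) {bind_rule.format(suffix=suffix)};)')


if __name__ == "__main__":
    print(build_read_only_aci("dc=example,dc=com"))
    now = datetime(2012, 5, 18, 14, 29, 6, tzinfo=timezone.utc)
    for e in parse_ldif(SAMPLE_LDIF):
        ok, msg = check_agreement(e, now)
        print("OK  " if ok else "FAIL", msg)
```

The ACI still uses the objectclass `targetfilter` from the thread, so the narrowed attribute list applies only to agreement entries; if the monitoring account also needs the RUV tombstone Rich mentioned earlier in the thread, that needs its own ACI on the suffix entry.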