[Freeipa-users] lowest-privilege method of checking for out of sync FreeIPA masters?

List dedicated to discussions about use, configuration and deployment of the IPA server. freeipa-users at redhat.com
Tue Dec 6 23:09:11 UTC 2016


List dedicated to discussions about use, configuration and deployment of
the IPA server. wrote:
> Hello,
> 
> There's a method to check the replication status of FreeIPA masters by
> looking at objectClass=nsDS5ReplicationAgreement in the "cn=mapping
> tree,cn=config" part of LDAP.
> 
> Unfortunately that requires Directory Admin level privileges.
> 
> Is there a method to check those replication agreement details that uses
> a much lower privilege?  We'd like to add a replication test to our
> Zabbix monitoring system, and we don't want to use the directory admin
> user ID :)

Create a privilege containing the permission "Read Replication
Agreements", add that to a new role, and your user to that role and that
should do it.

rob
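
The steps in the reply above, written out as commands together with a status check a monitoring script could call. This is an added example, not part of the original thread: the account, privilege and role names and the sample LDIF are constructed, and the accepted success prefixes ("0 " and "Error (0) ") are an assumption about the status string format.

```bash
#!/bin/bash
# Added example; names below are assumptions, not values from the thread.
MON_USER="zabbix-repl"            # assumed monitoring account
PRIV="Replication Monitoring"     # assumed privilege name
ROLE="Replication Monitor"        # assumed role name

# One-time setup, run by an IPA admin holding a Kerberos ticket.
grant_read_access() {
    ipa privilege-add "$PRIV" --desc="Read-only view of replication agreements"
    ipa privilege-add-permission "$PRIV" --permissions="Read Replication Agreements"
    ipa role-add "$ROLE"
    ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    ipa role-add-member "$ROLE" --users="$MON_USER"
}

# Query as the low-privilege user: $1 = LDAP URI, $2 = bind DN,
# $3 = password file (no trailing newline, ldapsearch -y reads it verbatim).
fetch_agreements() {
    ldapsearch -LLL -o ldif-wrap=no -x -H "$1" -D "$2" -y "$3" \
        -b "cn=mapping tree,cn=config" \
        "(objectClass=nsDS5ReplicationAgreement)" nsds5replicaLastUpdateStatus
}

# Read LDIF on stdin, print failing agreements, return 1 if any failed
# or if no agreement was visible (e.g. the bind user lacks read access).
check_agreements() {
    awk '
        /^dn: / { dn = substr($0, 5); seen++ }
        /^nsds5replicaLastUpdateStatus: / {
            s = substr($0, 31)
            if (s !~ /^(Error \(0\)|0) /) { print dn ": " s; bad++ }
        }
        END {
            if (seen == 0) { print "no agreements visible"; exit 1 }
            exit (bad > 0)
        }'
}

# Constructed sample output for trying the check offline.
sample_ldif() {
    cat <<'EOF'
dn: cn=meToipa2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded

dn: cn=meToipa3.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server
EOF
}
```

In a monitoring item, pipe `fetch_agreements` into `check_agreements` and alert on a non-zero exit status; `sample_ldif | check_agreements` exercises the check without a server.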



