Anne Cross wrote:
> I'm working on setting up nagios monitoring of our multi-master
> replication, and given the occasional problems that are plaguing our
> network, we need replication monitoring. The script on
> http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring#Monitoring_replication_with_Nagios
> is very helpful, but it assumes logging in as the Directory Manager.
>
> We've had sufficient problems with "helpful" people becoming root and
> doing things that I'm *really* wary of putting the Directory Manager
> password in plaintext in a monitoring script,

As well you should be.

> but searching as cn=replication,cn=config or similar results doesn't
> return any results.
> Can someone point me at the ACI I need to modify (or do I need to
> create a new one?) to add read-only access to cn=config on our master
> servers for monitoring purposes? Thanks!

The setup-ds-admin.pl script creates ACIs for the console admin user - look at the ACIs on the cn=config entry for the uid=admin,..... user. You can probably just duplicate those - change the user to be your monitoring user, and change the allow() to just read,search,compare.

See also http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Access_Control.html

>
> -- juniper
>
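
The ACI described in the reply above, written out as an added example (it is not from the original message and is not what setup-ds-admin.pl generates). It grants a monitoring entry read, search and compare on cn=config, and goes one step further than the reply by limiting targetattr to replication-status attributes, so the monitoring account cannot read the credentials that are also stored under cn=config. The bind DN `uid=nagios,ou=monitoring,dc=example,dc=com` and the ACL name are assumptions; substitute your own.

```ldif
# Constructed example. Apply with ldapmodify while bound as an administrator.
# Assumption: the monitoring entry uid=nagios,ou=monitoring,dc=example,dc=com
# already exists and has its own password (placeholder DN, not from the thread).
#
# An ACI on cn=config also covers the entries beneath it, which includes the
# replication agreements under cn=mapping tree,cn=config.
#
# Continuation lines start with two spaces: LDIF strips the first one when it
# unfolds the line, and the second is kept as a real space inside the value.
dn: cn=config
changetype: modify
add: aci
aci: (targetattr = "objectClass || cn || nsDS5ReplicaRoot || nsDS5ReplicaHost
  || nsDS5ReplicaPort || nsds5replicaLastUpdateStart
  || nsds5replicaLastUpdateEnd || nsds5replicaLastUpdateStatus
  || nsds5replicaUpdateInProgress")
  (version 3.0; acl "Replication monitoring read-only (example)";
  allow (read, search, compare)
  userdn = "ldap:///uid=nagios,ou=monitoring,dc=example,dc=com";)
```

cn=config is not replicated, so the change has to be applied on each master the check connects to.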