Rich Megginson wrote:
>> but searching as cn=replication,cn=config or similar results doesn't
>> return any results.
>> Can someone point me at the ACI I need to modify (or do I need to
>> create a new one?) to add read-only access to cn=config on our master
>> servers for monitoring purposes? Thanks!
> The setup-ds-admin.pl script creates ACIs for the console admin user -
> look at the ACIs on the cn=config entry for the uid=admin,..... user.
> You can probably just duplicate those - change the user to be your
> monitoring user, and change the allow() to just read,search,compare.
>

Ahah. Just in case anybody else is curious, this is effectively what I
ended up setting up for the check_ldap_replication script for nagios, on
the cn=config tree:

(targetattr = "*") (version 3.0; acl "Monitoring Script"; allow (read,compare,search)(userdn = "ldap:///uid=nagiosmonitoring,ou=Resource Accounts,dc=itasoftware,dc=com") ;)

I may see if I can restrict it down a little further, but that makes me
much happier than using the Directory Manager user.

Thanks for your help!

--
  ,___,
  {o,o}    Anne "Juniper" Cross
  (___)    Senior Linux Systems Engineer and Extropic Crusader
  -"-"--   Information Technology, ITA Software
  /^^^
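An added example, not part of the original message or of any 389 Directory Server tooling: a small Python check that an ACI string of the shape posted above allows only read, search and compare, and only to explicitly named userdn subjects. The function name `audit_aci` and the second, over-broad ACI are constructed for illustration.

```python
import re

READ_ONLY = {"read", "search", "compare"}
BROAD_SUBJECTS = {"ldap:///anyone", "ldap:///all"}  # match many identities

# Matches: acl "name"; allow|deny (rights) <bind rule> ;)
ACI_RE = re.compile(
    r'acl\s+"(?P<name>[^"]+)"\s*;\s*(?P<kind>allow|deny)\s*'
    r'\((?P<rights>[^)]*)\)\s*(?P<bind>.*?)\s*;\s*\)\s*$', re.S)

def audit_aci(aci):
    """Return findings for one ACI string; an empty list means the ACI
    only allows read/search/compare to explicitly named userdn subjects."""
    m = ACI_RE.search(aci)
    if not m:
        return ["unparseable ACI"]
    if m.group("kind") == "deny":
        return []  # deny rules grant nothing
    findings = []
    rights = {r.strip().lower() for r in m.group("rights").split(",") if r.strip()}
    extra = rights - READ_ONLY
    if extra:
        findings.append("grants beyond read-only: " + ",".join(sorted(extra)))
    # A userdn value may hold several LDAP URLs separated by "||".
    subjects = [s.strip().lower()
                for value in re.findall(r'userdn\s*=\s*"([^"]*)"', m.group("bind"))
                for s in value.split("||")]
    if not subjects:
        findings.append("no userdn = bind rule naming an account")
    for s in subjects:
        if s in BROAD_SUBJECTS or "*" in s:
            findings.append("subject matches many identities: " + s)
    return findings

# The ACI as posted in the message above.
POSTED_ACI = ('(targetattr = "*") (version 3.0; acl "Monitoring Script"; '
              'allow (read,compare,search)(userdn = "ldap:///uid=nagiosmonitoring,'
              'ou=Resource Accounts,dc=itasoftware,dc=com") ;)')
# Constructed counter-example, not from the message.
BROAD_ACI = ('(targetattr = "*") (version 3.0; acl "Constructed broad example"; '
             'allow (all)(userdn = "ldap:///anyone") ;)')

if __name__ == "__main__":
    for aci in (POSTED_ACI, BROAD_ACI):
        print(audit_aci(aci) or "read-only, named subject")
```

The check looks only at the rights list and the userdn bind rule; it does not evaluate targetattr, so an ACI that passes may still expose every attribute of the entry.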