Hi,
we've also made a special account with a random password ("cn=Backup,
cn=config") . The following aci is positioned on "cn=tasks,cn=config"
:
aci: (target ="ldap:///cn=export,cn=tasks,cn=config";)(version 3.0;acl
"Backup user can launch export tasks";allow (add) ((userdn =
"ldap:///cn=Backup,cn=config";) and (ip='$LDAP_SERVER_IP_ADRESS'
));)
And the script for the backups in cron is like this :
db2ldif.pl -D "cn=Backup, cn=config" -w
1ffd702ed7560c805483489bd928c3da878c2adf -n userRoot -a
/Backup/prod_base_`/bin/date +%Y_%b_%d_%Hh%Mm%Ss`.ldif
Here is a snippet of the bash script to make all this :
mkdir -p /Backup
chown -R ldap:ldap /Backup
PWD_BACKUP=`(ps auxww ; w ; date) | sha1sum | awk '{print $1}'`
HASHED_PWD_BACKUP=`$FDS_BASE_DIR/bin/pwdhash -s SSHA $PWD_BACKUP`;
echo "dn: cn=Backup, cn=config" > /tmp/fds_backup.ldif
echo "objectClass: top" >> /tmp/fds_backup.ldif
echo "objectClass: person" >> /tmp/fds_backup.ldif
echo "cn: Backup" >> /tmp/fds_backup.ldif
echo "sn: Backup" >> /tmp/fds_backup.ldif
echo "userPassword: $HASHED_PWD_BACKUP" >> /tmp/fds_backup.ldif
echo "description: Backup User" >> /tmp/fds_backup.ldif
echo 'dn: cn=tasks,cn=config' >
/tmp/fds_backup_acl.ldif
echo 'changetype: modify' >>
/tmp/fds_backup_acl.ldif
echo 'add: aci'
>> /tmp/fds_backup_acl.ldif
echo 'aci: (target ="ldap:///cn=export,cn=tasks,cn=config";)(version
3.0;acl "Backup user can launch export tasks";allow (add) ((userdn =
"ldap:///cn=Backup,cn=config";) and (ip='$LDAP_SERVER_IP_ADRESS'
));)' >> /tmp/fds_backup_acl.ldif
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D
"cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup.ldif
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D
"cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup_acl.ldif
rm -fr /tmp/fds_backup.ldif
rm -fr /tmp/fds_backup_acl.ldif
2009/9/24 Jonas Courteau <jonas at bravenet.com>:
> Hi:
>
> I was wondering how to go about setting up an ACI to allow a different
> user to add specific tasks. ?For example, say I created a special user
> cn=backups,cn=config (or similar) and I wanted that user to be able to
> add cn=backup,cn=tasks,cn=config entries to schedule backups, but not
> allow them to do any other tasks.
>
> The idea here is to have a specific user to trigger the backups remotely
> without having to be including the directory manager password in
> scripts.
>
> I've been poking around with various ACIs but so far I'm kinda feeling
> around in the dark. ?I'm sure someone else has done something along
> these lines - any suggestions? ?Also, if you think this idea is silly
> and you wish to share your backup best practices, I'd love to hear!
>
> Thanks!
>
> Jonas
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
