Jon,

You're on the right track. However, an ACI cannot grant access to an object that is higher than itself, so you must create an ACI at the root suffix, and because cn=config is a non-searchable OU. IMO it's best to create a user at the top level and then grant them read access to specific attributes, so your target will be * and has read to the following attributes and object classes: nsds5ReplicationAgreement.

Let me ask you this though: why don't you just use SNMP? dirsrv-snmp, and you can view the status and create a trap that way?

Dan

On Mar 6, 2013, at 12:49 PM, Jon Detert <jdetert@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> I want to check the status of replication agreements, but I don't want to use the directory manager's credentials to do so. I want to use bind credentials for a dn that only has read access.
>
> Is an ACI what I need? If so, how? I've tried several, but they don't work as I intended.
>
> One thing I'm uncertain of is which dn to associate the aci attribute with. I've tried these:
>
> cn=config
> cn=mapping tree,cn=config
> dc=example,dc=com
> and the actual dn of the replication agreement object.
>
> I'm also not certain of the target to use in the aci. I've tried these:
>
> (targetfilter = "(objectClass=nsds5ReplicationAgreement)")
> and
> (target="ldap:///cn=*,cn=replica,cn=*,cn=mapping tree,cn=config")
>
> Any ideas what I'm doing wrong? Thanks
>
> --
> Jon Detert
> Sr. Systems Administrator
> Infinity Healthcare
> Milwaukee, Wisconsin
> 414-290-6759
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
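As an added example (not part of this thread), here is the kind of check a read-only monitoring bind could feed once the ACI is in place: it parses the LDIF that ldapsearch returns for nsds5ReplicationAgreement entries and flags any agreement whose last update did not succeed. The nsds5replica* attribute names are the standard 389 DS agreement attributes; the LDIF sample itself is constructed.

```python
"""Flag unhealthy 389 DS replication agreements from ldapsearch LDIF output."""
import re
from typing import Dict, List

# Constructed sample of what a read-only bind gets back from
#   ldapsearch -b cn=config "(objectClass=nsds5ReplicationAgreement)" ...
# (raw string: the DN escapes \3D / \2C must survive untouched)
SAMPLE_LDIF = r"""dn: cn=to-ldap2,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5ReplicationAgreement
cn: to-ldap2
nsds5replicaHost: ldap2.example.com
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental
  update succeeded

dn: cn=to-ldap3,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5ReplicationAgreement
cn: to-ldap3
nsds5replicaHost: ldap3.example.com
nsds5replicaLastUpdateStatus: Error (-1) Unable to acquire replica: error: can't
  contact LDAP server
"""

# Matches both the older "0 Replica acquired..." and newer "Error (0) ..." forms.
STATUS_CODE = re.compile(r"^(?:Error \()?(-?\d+)\)?")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, splits entries on blank
    lines, lower-cases attribute names. Base64 (::) values are not handled."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def agreement_health(entries: List[Dict[str, List[str]]]) -> Dict[str, dict]:
    """Return {agreement cn: {host, code, ok, status}} for each agreement entry;
    ok is True only when the last update status code is 0."""
    report = {}
    for e in entries:
        if "nsds5replicationagreement" not in map(str.lower, e.get("objectclass", [])):
            continue
        status = e.get("nsds5replicalastupdatestatus", [""])[0]
        m = STATUS_CODE.match(status)
        code = int(m.group(1)) if m else None
        report[e["cn"][0]] = {"host": e.get("nsds5replicahost", ["?"])[0],
                              "code": code, "ok": code == 0, "status": status}
    return report


if __name__ == "__main__":
    for name, info in agreement_health(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{'OK ' if info['ok'] else 'BAD'} {name} -> {info['host']}: {info['status']}")
```

The same parser works on live output piped from ldapsearch; an agreement whose entry is missing from the result is itself a sign the bind DN lacks read access to it.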