----- Original Message -----
> From: "Ludwig Krispenz" <lkrispen@xxxxxxxxxx>
> To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Thursday, March 7, 2013 2:29:58 AM
> Subject: Re: How can I grant read access to the attributes of a nsDS5ReplicationAgreement object?
>
>
> On 03/06/2013 09:59 PM, Jon Detert wrote:
> > Ludwig,
> >
> > ----- Original Message -----
> >> From: "Ludwig Krispenz" <lkrispen@xxxxxxxxxx>
> >> To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> >> Sent: Wednesday, March 6, 2013 12:49:26 PM
> >> Subject: Re: How can I grant read access to the
> >> attributes of a nsDS5ReplicationAgreement object?
> >>
> >>
> >> On 03/06/2013 06:49 PM, Jon Detert wrote:
> >>> I want to check the status of replication agreements, but I don't
> >>> want to use the directory manager's credentials to do so. I want
> >>> to use bind credentials for a dn that only has read access.
> >>>
> >>> Is an ACI what I need? If so, how? I've tried several, but they
> >>> don't work as I intended.
> >>>
> >>> One thing I'm uncertain of is which dn to associate the aci
> >>> attribute with. I've tried these:
> >>>
> >>> cn=config
> >>> cn=mapping tree,cn=config
> >>> dc=example,dc=com
> >>> and the actual dn of the replication agreement object.
> >> except dc=example,dc=com all should work
> >>> I'm also not certain of the target to use in the aci. I've tried
> >>> these:
> >>>
> >>> (targetfilter = "(objectClass=nsds5ReplicationAgreement)")
> >>> and
> >>> (target="ldap:///cn=*,cn=replica,cn=*,cn=mapping tree,cn=config")
> >> both should work.
> >>> Any ideas what I'm doing wrong?

-- snip --

> I think the updates to the replication entries are handled by the
> replication plugin and reject (some) modifications. You could place
> the aci under cn=config, the following works:
>
> ldapmodify ......................
> dn: cn=config
> changetype: modify
> add: aci
> aci:
> (targetattr="*")(targetfilter="objectclass=nsds5replicationagreement")(version
> 3.0; acl "access replagreement";
> allow(read,search)
> userdn="ldap:///cn=Mr00005,ou=People,dc=example,dc=com";)

I found an example that allowed anonymous querying of the status, and it worked for me. Very similar to what Ludwig gave above, but using anonymous bind instead:

ldapmodify -ax -D "cn=directory manager" -h localhost -W <<BYE
dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)
BYE

I would prefer to use an authenticated, non-privileged bind-dn instead, but am tired of struggling with this issue, so I'm settling with this solution.

Thanks all

--
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
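The two ACIs in this thread differ in exactly the way that matters for least privilege: Ludwig's grants read/search to one named bind DN, Jon's grants read/search/compare to "ldap:///anyone". The following script is an added example, not code from the 389 project or from either poster. It parses the ACI syntax the thread uses (single allow/deny clause, quoted bind-rule values) and reports for each ACI whether the grant is anonymous, whether it includes any write-capable right, and whether it is scoped to replication agreement entries. The sample inputs are the two ACIs posted above plus one constructed over-broad ACI for contrast; the regular expressions cover that shape of ACI, not every form 389 accepts.

```python
"""Audit 389 Directory Server ACI values for anonymous or write-capable grants.

Added example for the thread above; not 389 project code. Handles ACIs with
a single allow/deny clause and quoted bind-rule values, which is the shape
both posted ACIs use. Compound bind rules (and/or) are not parsed.
"""
import re

# Constructed sample input: the two ACIs from the thread and one extra,
# deliberately over-broad ACI written for this example.
ACIS = {
    "ludwig": '(targetattr="*")(targetfilter="objectclass=nsds5replicationagreement")'
              '(version 3.0; acl "access replagreement"; allow(read,search) '
              'userdn="ldap:///cn=Mr00005,ou=People,dc=example,dc=com";)',
    "jon": '(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)'
           '(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; '
           'aci "permission:Read Replication Agreements"; '
           'allow (read, search, compare) groupdn = "ldap:///anyone";)',
    "constructed_write": '(targetattr="*")'
           '(targetfilter="(objectclass=nsds5replicationagreement)")'
           '(version 3.0; acl "constructed over-broad"; allow (all) '
           'userdn="ldap:///anyone";)',
}

# (target=...), (targetattr=...) or (targetfilter=...); value quoted or bare.
TARGET_RE = re.compile(
    r'\((target(?:attr|filter)?)\s*(!?=)\s*(?:"([^"]*)"|([^)]*))\)', re.IGNORECASE)
# 389 accepts either keyword "acl" or "aci" before the quoted name.
NAME_RE = re.compile(r'\b(?:acl|aci)\s+"([^"]*)"', re.IGNORECASE)
# allow (rights) <bind rule>;
PERM_RE = re.compile(r'\b(allow|deny)\s*\(\s*([^)]*)\)\s*([^;]*);', re.IGNORECASE)
# One bind-rule keyword with a quoted value, e.g. userdn="ldap:///..."
BIND_RE = re.compile(
    r'\b(userdn|groupdn|roledn|userattr|authmethod|ip|dns)\s*(!?=)\s*"([^"]*)"',
    re.IGNORECASE)

# Rights that let a bind DN change data (or act as someone else).
WRITE_RIGHTS = {"write", "add", "delete", "selfwrite", "proxy", "moddn",
                "import", "export", "all"}


def parse_aci(aci):
    """Split one ACI value into its targets, name, rights and bind rules."""
    targets = {}
    for kw, op, quoted, bare in TARGET_RE.findall(aci):
        targets[kw.lower()] = (op, quoted if quoted else bare.strip())
    name_m = NAME_RE.search(aci)
    perm_m = PERM_RE.search(aci)
    if perm_m is None:
        raise ValueError("no allow/deny clause found in ACI")
    rights = [r.strip().lower() for r in perm_m.group(2).split(",") if r.strip()]
    bind_rules = [(kw.lower(), op, val)
                  for kw, op, val in BIND_RE.findall(perm_m.group(3))]
    return {
        "name": name_m.group(1) if name_m else None,
        "targets": targets,
        "effect": perm_m.group(1).lower(),
        "rights": rights,
        "bind_rules": bind_rules,
    }


def audit_aci(aci):
    """Summarise how broad a grant is: who, what rights, which entries."""
    parsed = parse_aci(aci)
    anonymous = any(val.lower() == "ldap:///anyone"
                    for kw, op, val in parsed["bind_rules"]
                    if kw in ("userdn", "groupdn") and op == "=")
    tfilter = parsed["targets"].get("targetfilter", ("", ""))[1].lower()
    return {
        "name": parsed["name"],
        "anonymous": anonymous,
        "grants_write": parsed["effect"] == "allow"
                        and bool(WRITE_RIGHTS & set(parsed["rights"])),
        "all_attrs": parsed["targets"].get("targetattr", ("", ""))[1] == "*",
        "replication_scoped": "nsds5replicationagreement" in tfilter,
        "rights": parsed["rights"],
    }


if __name__ == "__main__":
    for label, value in ACIS.items():
        report = audit_aci(value)
        flags = [k for k in ("anonymous", "grants_write", "all_attrs")
                 if report[k]]
        print(f"{label:18s} name={report['name']!r} rights={report['rights']} "
              f"flags={flags or ['none']} "
              f"replication_scoped={report['replication_scoped']}")
```

Run stand-alone it prints one line per ACI; Jon's ACI is flagged as anonymous (read-only, replication-scoped), Ludwig's is flagged for nothing beyond targetattr="*", and the constructed one is flagged for both anonymous and write. The same `audit_aci` can be fed the `aci` attribute values pulled from a live server with ldapsearch to find grants that drifted wider than intended.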