On Wed, 2016-03-09 at 20:05 -0500, Mark Reynolds wrote:
>
> On 03/09/2016 05:37 PM, William Brown wrote:
> >
> > On Wed, 2016-03-09 at 12:06 +0100, wodel youchi wrote:
> > >
> > > Hi,
> > >
> > > Is it possible to create a specific user to use to backup 389DS server
> > > other than the Directory Manager, to use the db2bak.pl with a cronjob
> > > without exposing the DM password.
> > >
> > Try using db2bak rather than db2bak.pl. db2bak should operate just on the
> > named instance, without needing a directory manager account. You can run
> > it from cron as root then.
> You can also specify the DM password via a file (-j option).

I think the difference is db2bak.pl is a script that adds a task to
cn=tasks,cn=config. db2bak actually just calls ns-slapd to run the backup
directly. That's why you need the different details.

>
> Also, you can add aci's to cn=config to allow a different user to
> perform these tasks. For example if you just want a different user to
> be able to perform backups you would set an allow(all) aci on "dn:
> cn=backup,cn=tasks,cn=config".

As in:

allow(all) userdn="cn=backupuser,ou=serviceaccounts,dc=example,dc=com" ?

Then cn=backupuser could create the task? Also, wouldn't it only need write
permissions?

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx