On 03/09/2016 08:12 PM, William Brown wrote:

Yes

On Wed, 2016-03-09 at 20:05 -0500, Mark Reynolds wrote:

On 03/09/2016 05:37 PM, William Brown wrote:

On Wed, 2016-03-09 at 12:06 +0100, wodel youchi wrote:

Hi, Is it possible to create a specific user to use to backup 389DS server other than the Directory Manager, to use the db2bak.pl with a cronjob without exposing the DM password.

Try using db2bak rather than db2bak.pl. db2bak should operate just on the named instance, without needing a directory manager account. You can run it from cron as root then.

You can also specify the DM password via a file (-j option).

I think the difference is db2bak.pl is a script that adds a task to cn=tasks,cn=config. db2bak actually just calls ns-slapd to run the backup directly. That's why you need the different details.

Also, you can add aci's to cn=config to allow a different user to perform these tasks. For example if you just want a different user to be able to perform backups you would set an allow(all) aci on "dn: cn=backup,cn=tasks,cn=config".

As in: allow(all) userdn="cn=backupuser,ou=serviceaccounts,dc=example,dc=com" ? Then cn=backupuser could create the task?

Correct "all" is not necessary, but it would need "add, search, read" rights

Also, wouldn't it only need write permissions?
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
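
As an added illustration (not part of the original thread, and not the project's own configuration): the ACI discussed above, written with the "add, search, read" rights named in the reply instead of allow(all), followed by a backup task entry that the service account could then create. The bind DN is the one quoted in the thread; the ACI label, task name and archive path are constructed placeholders.

```ldif
# Step 1: applied once by an administrator (for example Directory Manager).
# Grants the backup service account only the rights named in the thread
# on the backup task container, rather than allow(all).
dn: cn=backup,cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Backup account may create backup tasks"; allow (add, read, search) userdn="ldap:///cn=backupuser,ou=serviceaccounts,dc=example,dc=com";)

# Step 2: submitted by cn=backupuser itself (for example from cron),
# binding with its own credentials instead of the DM password.
# Adding this entry asks the server to run an online backup.
# "nightly-backup" and the archive directory are placeholders.
dn: cn=nightly-backup,cn=backup,cn=tasks,cn=config
changetype: add
objectClass: extensibleObject
cn: nightly-backup
nsArchiveDir: /path/to/backup/dir
nsDatabaseType: ldbm database
```

The two stanzas are sent in separate LDAP sessions: the first under an administrative bind, the second under the backup account's bind. Scoping the ACI to cn=backup,cn=tasks,cn=config keeps the account from creating other task types under cn=tasks.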