Re: user privileges needed to run repl-monitor.pl

Mark Reynolds <mreynolds@xxxxxxxxxx> · Fri, 17 Aug 2018 17:51:55 -0400



    On 08/17/2018 04:59 PM, Sergei
      Gerasenko wrote:

    
      Hi Mark,
      

      I have a test instance of 389-ds running on a vm.
        I’ve tried updating the aci like this:
      

        dn: cn=mapping
            tree,cn=config
        changetype: modify
        replace: aci
        aci: (targetattr =
            "cn || nsuniqueid || createtimestamp || description ||
            entryusn || modify
         timestamp || nsds50ruv || MORE STUFF)(targetfilter =
            "(|(objectclass=nsds5Replic
         a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
         greement)(objectClass=nsMappingTree)(objectClass=nsTombstone))")(version
            3.0;acl "permission:Read Repl
         ication
            Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read
            Re
         plication
            Agreements,cn=permissions,cn=pbac,dc=MYREALM,dc=net”;)
      
      
      But still executing the command below produces no
        output. Executing the command as admin does work:
      

      ldapsearch -h
          localhost -LLL -x -D
          'uid=ipamonitor,cn=users,cn=accounts,dc=sgerasenko,dc=net' -w
          PWD
'(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))’
          nsds50ruv
      

      I’ve verified that “ipamonitor" does have "Read
        Replication Agreements" assigned.
    
    Works for me if I add this aci:

    
    dn: cn=mapping tree,cn=config

    aci: (targetattr = "*")(version 3.0; acl "All user to read
    agreements"; allow

     (read,compare,search) (userdn = "ldap:///uid=mark,o=mark")

    
    ldapsearch -h localhost -LLL -x -D 'uid=mark,o=mark' -w password -b
    o=mark
"(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))"

    dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config

    objectClass: nsDS5Replica

    objectClass: top

    nsDS5ReplicaRoot: o=mark

    nsDS5ReplicaType: 3

    nsDS5Flags: 1

    nsDS5ReplicaId: 1

    nsds5ReplicaPurgeDelay: 604800

    cn: replica

    nsState:: AQAAAAAAAADwQHdbAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAAAAA==

    nsDS5ReplicaName: e8f8e603-a24111e8-9b9de135-a578ede1

    nsds50ruv: {replicageneration} 5b770413000000010000

    nsds50ruv: {replica 1 ldap://localhost.localdomain:389}
    5b773c20000000010000 5

     b7740f0000200010000

    nsds5agmtmaxcsn: o=mark;f;localhost.localdomain;4444;unavailable

    nsruvReplicaLastModified: {replica 1
    ldap://localhost.localdomain:389} 0000000

     0

    nsds5ReplicaChangeCount: 6

    nsds5replicareapactive: 0

    
      Any ideas what could be missing?
      

      Thanks,
        Sergei
      

      _______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/MCJ7KRVAYEKGFDZJ2K5EE5HYSPAYGCEF/

    
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/ORWONLZOCKGH2LP2PS4HJJ5B22PWMNHH/