Hi, we've also made a special account with a random password ("cn=Backup, cn=config") . The following aci is positioned on "cn=tasks,cn=config" : aci: (target ="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip='$LDAP_SERVER_IP_ADRESS' ));) And the script for the backups in cron is like this : db2ldif.pl -D "cn=Backup, cn=config" -w 1ffd702ed7560c805483489bd928c3da878c2adf -n userRoot -a /Backup/prod_base_`/bin/date +%Y_%b_%d_%Hh%Mm%Ss`.ldif Here is a snippet of the bash script to make all this : mkdir -p /Backup chown -R ldap:ldap /Backup PWD_BACKUP=`(ps auxww ; w ; date) | sha1sum | awk '{print $1}'` HASHED_PWD_BACKUP=`$FDS_BASE_DIR/bin/pwdhash -s SSHA $PWD_BACKUP`; echo "dn: cn=Backup, cn=config" > /tmp/fds_backup.ldif echo "objectClass: top" >> /tmp/fds_backup.ldif echo "objectClass: person" >> /tmp/fds_backup.ldif echo "cn: Backup" >> /tmp/fds_backup.ldif echo "sn: Backup" >> /tmp/fds_backup.ldif echo "userPassword: $HASHED_PWD_BACKUP" >> /tmp/fds_backup.ldif echo "description: Backup User" >> /tmp/fds_backup.ldif echo 'dn: cn=tasks,cn=config' > /tmp/fds_backup_acl.ldif echo 'changetype: modify' >> /tmp/fds_backup_acl.ldif echo 'add: aci' >> /tmp/fds_backup_acl.ldif echo 'aci: (target ="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip='$LDAP_SERVER_IP_ADRESS' ));)' >> /tmp/fds_backup_acl.ldif $MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D "cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup.ldif $MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D "cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup_acl.ldif rm -fr /tmp/fds_backup.ldif rm -fr /tmp/fds_backup_acl.ldif 2009/9/24 Jonas Courteau <jonas@xxxxxxxxxxxx>: > Hi: > > I was wondering how to go about setting up an ACI to allow a different > user to add specific tasks. For example, say I created a special user > cn=backups,cn=config (or similar) and I wanted that user to be able to > add cn=backup,cn=tasks,cn=config entries to schedule backups, but not > allow them to do any other tasks. > > The idea here is to have a specific user to trigger the backups remotely > without having to be including the directory manager password in > scripts. > > I've been poking around with various ACIs but so far I'm kinda feeling > around in the dark. I'm sure someone else has done something along > these lines - any suggestions? Also, if you think this idea is silly > and you wish to share your backup best practices, I'd love to hear! > > Thanks! > > Jonas > > -- > 389 users mailing list > 389-users@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users