Hi:
I was wondering how to go about setting up an ACI to allow a different user to add specific tasks. For example, say I created a special user cn=backups,cn=config (or similar) and I wanted that user to be able to add cn=backup,cn=tasks,cn=config entries to schedule backups, but not allow them to do any other tasks.
The idea here is to have a specific user to trigger the backups remotely without having to include the directory manager password in scripts.
I've been poking around with various ACIs but so far I'm kinda feeling around in the dark. I'm sure someone else has done something along these lines - any suggestions? Also, if you think this idea is silly and you wish to share your backup best practices, I'd love to hear!
Thanks!
Jonas
Hi,
We've also made a special account with a random password ("cn=Backup, cn=config"). The following aci is positioned on "cn=tasks,cn=config":
aci: (target ="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip='$LDAP_SERVER_IP_ADRESS' ));)
And the script for the backups in cron is like this:
db2ldif.pl -D "cn=Backup, cn=config" -w 1ffd702ed7560c805483489bd928c3da878c2adf -n userRoot -a /Backup/prod_base_`/bin/date +%Y_%b_%d_%Hh%Mm%Ss`.ldif
Here is a snippet of the bash script to make all this:

# Directory for the exports, owned by the server's account
mkdir -p /Backup
chown -R ldap:ldap /Backup

# Random password for the backup account, stored hashed in the entry
PWD_BACKUP=`(ps auxww ; w ; date) | sha1sum | awk '{print $1}'`
HASHED_PWD_BACKUP=`$FDS_BASE_DIR/bin/pwdhash -s SSHA $PWD_BACKUP`

# LDIF for the backup account under cn=config
echo "dn: cn=Backup, cn=config" > /tmp/fds_backup.ldif
echo "objectClass: top" >> /tmp/fds_backup.ldif
echo "objectClass: person" >> /tmp/fds_backup.ldif
echo "cn: Backup" >> /tmp/fds_backup.ldif
echo "sn: Backup" >> /tmp/fds_backup.ldif
echo "userPassword: $HASHED_PWD_BACKUP" >> /tmp/fds_backup.ldif
echo "description: Backup User" >> /tmp/fds_backup.ldif

# LDIF adding the aci to cn=tasks,cn=config
echo 'dn: cn=tasks,cn=config' > /tmp/fds_backup_acl.ldif
echo 'changetype: modify' >> /tmp/fds_backup_acl.ldif
echo 'add: aci' >> /tmp/fds_backup_acl.ldif
echo 'aci: (target ="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip='$LDAP_SERVER_IP_ADRESS' ));)' >> /tmp/fds_backup_acl.ldif

# Apply both as Directory Manager
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D "cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup.ldif
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D "cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup_acl.ldif

rm -f /tmp/fds_backup.ldif
rm -f /tmp/fds_backup_acl.ldif
2009/9/24 Jonas Courteau jonas@bravenet.com:
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users