Hi,
we've also made a special account with a random password ("cn=Backup,cn=config").
The following aci is positioned on "cn=tasks,cn=config":
aci: (target ="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip='$LDAP_SERVER_IP_ADRESS'));)
And the script for the backups in cron is like this :
db2ldif.pl -D "cn=Backup, cn=config" -w 1ffd702ed7560c805483489bd928c3da878c2adf \
    -n userRoot -a /Backup/prod_base_`/bin/date +%Y_%b_%d_%Hh%Mm%Ss`.ldif
Here is a snippet of the bash script to make all this :
mkdir -p /Backup
chown -R ldap:ldap /Backup
PWD_BACKUP=`(ps auxww ; w ; date) | sha1sum | awk '{print $1}'`
HASHED_PWD_BACKUP=`$FDS_BASE_DIR/bin/pwdhash -s SSHA $PWD_BACKUP`;
echo "dn: cn=Backup, cn=config" > /tmp/fds_backup.ldif
echo "objectClass: top" >> /tmp/fds_backup.ldif
echo "objectClass: person" >> /tmp/fds_backup.ldif
echo "cn: Backup" >> /tmp/fds_backup.ldif
echo "sn: Backup" >> /tmp/fds_backup.ldif
echo "userPassword: $HASHED_PWD_BACKUP" >> /tmp/fds_backup.ldif
echo "description: Backup User" >> /tmp/fds_backup.ldif
echo 'dn: cn=tasks,cn=config' > /tmp/fds_backup_acl.ldif
echo 'changetype: modify' >> /tmp/fds_backup_acl.ldif
# append (>>), not truncate (>), or the file ends up holding only the last line
echo 'add: aci' >> /tmp/fds_backup_acl.ldif
# the single quotes are closed around the variable so it expands; the value is
# written double-quoted, which is the form the ACI ip bind rule expects
echo 'aci: (target ="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip="'"$LDAP_SERVER_IP_ADRESS"'"));)' >> /tmp/fds_backup_acl.ldif
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 \
    -D "cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup.ldif
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 \
    -D "cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup_acl.ldif
rm -fr /tmp/fds_backup.ldif
rm -fr /tmp/fds_backup_acl.ldif
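The same setup as an added example, not code from the message above: the two LDIF files are built with here-documents so the ACI's ip bind value comes out quoted, the backup password is drawn from /dev/urandom instead of ps/w/date, and the cron job reads it from a root-only file via db2ldif.pl's -j option rather than passing it on the command line. The password-file path, the allowed IP and the $FDS_BASE_DIR layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes pwdhash and db2ldif.pl
# live under $FDS_BASE_DIR/bin as in the original script; the backup DN,
# the allowed IP and the password-file path are supplied by the caller.

# 64 hex chars from the kernel CSPRNG (the original hashes ps/w/date output).
gen_backup_password() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# LDIF for the backup account; $1 = already-hashed password (pwdhash output).
backup_user_ldif() {
    cat <<EOF
dn: cn=Backup,cn=config
objectClass: top
objectClass: person
cn: Backup
sn: Backup
userPassword: $1
description: Backup User
EOF
}

# LDIF modify that adds the ACI; $1 = IP the backup user may bind from.
# Only "add" under cn=export,cn=tasks,cn=config is granted; no other task.
backup_task_aci_ldif() {
    cat <<EOF
dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (target="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip = "$1"));)
EOF
}

# Store the clear-text password in a mode-600 file; $1 = path, $2 = password.
# umask runs in a subshell so it does not leak into the caller.
write_password_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" ) && chmod 600 "$1"
}

# Cron side (assumed: db2ldif.pl -j FILE reads the bind password from FILE,
# so it no longer shows up in 'ps' or cron mail):
#   db2ldif.pl -D "cn=Backup,cn=config" -j /etc/dirsrv/backup.pw -n userRoot \
#       -a /Backup/prod_base_$(date +%Y_%b_%d_%Hh%Mm%Ss).ldif
```

Pipe `gen_backup_password` through `$FDS_BASE_DIR/bin/pwdhash -s SSHA` to get the value for `backup_user_ldif`, then load both LDIF outputs with ldapmodify as Directory Manager exactly as in the script above.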
2009/9/24 Jonas Courteau <jonas(a)bravenet.com>:
Hi:
I was wondering how to go about setting up an ACI to allow a different
user to add specific tasks. For example, say I created a special user
cn=backups,cn=config (or similar) and I wanted that user to be able to
add cn=backup,cn=tasks,cn=config entries to schedule backups, but not
allow them to do any other tasks.
The idea here is to have a specific user to trigger the backups remotely
without having to include the directory manager password in
scripts.
I've been poking around with various ACIs but so far I'm kinda feeling
around in the dark. I'm sure someone else has done something along
these lines - any suggestions? Also, if you think this idea is silly
and you wish to share your backup best practices, I'd love to hear!
Thanks!
Jonas
--
389 users mailing list
389-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users