Hi all, thanks for reading. I have a "supervision" account on all my LDAP servers. With the Nagios plugin, it checks the synchro. I would like this account to read only contextCSN to check the synchro, and only contextCSN, not the other entries (Nagios check plugin). Can someone help me write the right ACL?
Here is what I tried, but it is not really right :-/
# ContextCSN
access to dn.subtree="dc=fr" attrs=contextCSN
    by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
    by * none
Thanks.

On Tue, 16 Oct 2018 15:51:50 +0200, Lirien Maxime maxime.lirien@gmail.com wrote:
> Hi all, thanks for reading. I have a "supervision" account on all my LDAP servers. With the Nagios plugin, it checks the synchro. I would like this account to read only contextCSN to check the synchro, and only contextCSN, not the other entries (Nagios check plugin). Can someone help me write the right ACL?
> Here is what I tried, but it is not really right :-/
> # ContextCSN
> access to dn.subtree="dc=fr" attrs=contextCSN
>     by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
>     by * none
access to dn.base=dc=fr attrs=entry,children,contextCSN read
-Dieter

--On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter dieter@dkluenter.de wrote:
> On Tue, 16 Oct 2018 15:51:50 +0200, Lirien Maxime maxime.lirien@gmail.com wrote:
>> Hi all, thanks for reading. I have a "supervision" account on all my LDAP servers. With the Nagios plugin, it checks the synchro. I would like this account to read only contextCSN to check the synchro, and only contextCSN, not the other entries (Nagios check plugin). Can someone help me write the right ACL?
>> Here is what I tried, but it is not really right :-/
>> # ContextCSN
>> access to dn.subtree="dc=fr" attrs=contextCSN
>>     by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
>>     by * none
> access to dn.base=dc=fr attrs=entry,children,contextCSN read
I'd also be careful of doing "by * none" to the contextCSN, etc, as that can break replication depending on the DN that binds to the master(s), since the replication DN must be able to read the contextCSN.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org
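
The two replies above, combined into one slapd.conf fragment as an added example (not configuration posted by anyone in the thread): the attribute list is the one from Dieter's rule, and the replication DN gets explicit read access so that nothing here cuts it off from the contextCSN. The DN cn=replicator,dc=fr is an assumed placeholder, dn.exact assumes the supervision account is a single entry, and the second rule assumes the account should see nothing else under dc=fr.

```conf
# Added example (slapd.conf syntax), not from the thread.
# Put both rules before any broader "access to *" rule: slapd uses the
# first "access to" clause whose target matches, then the first "by"
# clause whose subject matches, and stops there.

# Rule 1: the contextCSN is stored on the suffix entry, so dn.base is
# enough. "entry" lets the client see that dc=fr exists; contextCSN is
# the value the monitoring check compares between servers.
access to dn.base="dc=fr" attrs=entry,children,contextCSN
    # monitoring account from the original question
    by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
    # replication bind DN: ASSUMED placeholder, use the binddn of
    # your syncrepl consumers
    by dn.exact="cn=replicator,dc=fr" read
    # everyone else is neither granted nor denied here; evaluation
    # continues with the rules below instead of ending in "none"
    by * break

# Rule 2: keep the monitoring account away from every other attribute
# and entry in the tree, without changing anyone else's access.
access to dn.subtree="dc=fr"
    by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" none
    by * break

# ... existing rules for the rest of the directory follow here ...
```

The result can be checked without a live bind using slapacl, giving the supervision DN with -D, the entry with -b dc=fr, and contextCSN/read (then some other attribute) as the access to test.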