--On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter
On Tue, 16 Oct 2018 15:51:50 +0200,
Lirien Maxime <maxime.lirien(a)gmail.com> wrote:
> Hi all,
> thanks for reading.
> I have a "supervision" account on all my ldap servers. With the nagios
> plugin, it checks the synchro. I would like this account to read only
> contextcsn to check synchro. And only contextcsn, not the other
> entries. (plugin check nagios).
> Can someone help me to write the right ACL?
> Here is what I tried but not really right :-/
> # ContextCSN
> access to dn.subtree="dc=fr" attrs=contextCSN
> by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
> by * none
access to dn.base=dc=fr
I'd also be careful of doing "by * none" to the contextCSN, etc, as that
can break replication depending on the DN that binds to the master(s),
since the replication DN must be able to read the contextCSN.
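An added example, not written by anyone in the thread: one way to express both points above in slapd.conf syntax, limiting the supervision account to contextCSN while leaving the replication identity able to read it. It assumes dc=fr is the database suffix (the entry that holds contextCSN) and uses cn=replicator,dc=fr as a placeholder for the real replication bind DN.

```conf
# Added example (slapd.conf syntax). Place these rules before the database's
# other "access to" rules: slapd applies the first rule whose <what> matches.
# cn=replicator,dc=fr is a placeholder for the real replication bind DN.

# contextCSN lives on the suffix entry, so match that one entry (dn.base)
# rather than the whole subtree. The "entry" pseudo-attribute is listed too:
# without read access to it the entry itself is never returned by a search.
# "by * break" hands every other identity on to the later rules instead of
# ending with an implicit "by * none".
access to dn.base="dc=fr" attrs=entry,contextCSN
    by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
    by dn.exact="cn=replicator,dc=fr" read
    by * break

# Everything else in the directory: the supervision account gets nothing,
# all other identities (anonymous binds included) continue to the existing
# rules unchanged.
access to *
    by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" none
    by * break
```

A base-scope search such as `ldapsearch -x -D "cn=supervision,ou=Comptes Clients,dc=fr" -W -b dc=fr -s base contextCSN` should then return only the dc=fr entry with its contextCSN values. If the monitoring plugin uses a filter that names another attribute, that attribute needs search access on dc=fr as well.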