6:51 a.m.
Hi all,
thanks for reading.
I have a "supervision" account on all my ldap servers. With the plugin
nagios , it check the synchro. I would like this account read only
contextcsn to check synchro. And only contextcsn not the other entries.
(plugin check nagios).
Can someone help me to write the right ACL ?
Here what I tried but not really right :-/
# ContextCSN
access to dn.subtree="dc=fr" attrs=contextCSN
by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
by * none
Thanks.
8:54 a.m.
Am Tue, 16 Oct 2018 15:51:50 +0200
schrieb Lirien Maxime <maxime.lirien(a)gmail.com>:
Hi all,
thanks for reading.
I have a "supervision" account on all my ldap servers. With the plugin
nagios , it check the synchro. I would like this account read only
contextcsn to check synchro. And only contextcsn not the other
entries. (plugin check nagios).
Can someone help me to write the right ACL ?
Here what I tried but not really right :-/
# ContextCSN
access to dn.subtree="dc=fr" attrs=contextCSN
by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
by * none
access to dn.base=dc=fr
attrs=entry,children,contextCSN read
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
9:30 a.m.
--On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter
<dieter(a)dkluenter.de> wrote:
Am Tue, 16 Oct 2018 15:51:50 +0200
schrieb Lirien Maxime <maxime.lirien(a)gmail.com>:
> Hi all,
> thanks for reading.
> I have a "supervision" account on all my ldap servers. With the plugin
> nagios , it check the synchro. I would like this account read only
> contextcsn to check synchro. And only contextcsn not the other
> entries. (plugin check nagios).
> Can someone help me to write the right ACL ?
>
> Here what I tried but not really right :-/
> # ContextCSN
> access to dn.subtree="dc=fr" attrs=contextCSN
> by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
> by * none
access to dn.base=dc=fr
attrs=entry,children,contextCSN read
I'd also be careful of doing "by * none" to the contextCSN, etc, as that
can break replication depending on the DN that binds to the master(s),
since the replication DN must be able to read the contextCSN.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1872
days inactive
1872
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Dieter Klünter -
Lirien Maxime -
Quanah Gibson-Mount