Hi: I was wondering how to go about setting up an ACI to allow a different user to add specific tasks. For example, say I created a special user cn=backups,cn=config (or similar) and I wanted that user to be able to add cn=backup,cn=tasks,cn=config entries to schedule backups, but not allow them to do any other tasks. The idea here is to have a specific user to trigger the backups remotely without having to include the directory manager password in scripts. I've been poking around with various ACIs but so far I'm kinda feeling around in the dark. I'm sure someone else has done something along these lines - any suggestions? Also, if you think this idea is silly and you wish to share your backup best practices, I'd love to hear! Thanks! Jonas
Andrey Ivanov
2009-Sep-25 08:55 UTC
Re: [389-users] Using different bind user to add tasks
Hi,
we've also made a special account with a random password ("cn=Backup, cn=config"). The following aci is positioned on "cn=tasks,cn=config":
aci: (target="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip = "$LDAP_SERVER_IP_ADRESS"));)
And the script for the backups in cron is like this:
db2ldif.pl -D "cn=Backup, cn=config" -w 1ffd702ed7560c805483489bd928c3da878c2adf -n userRoot -a /Backup/prod_base_`/bin/date +%Y_%b_%d_%Hh%Mm%Ss`.ldif
Here is a snippet of the bash script to make all this:
# Assumes FDS_BASE_DIR, MOZ_LDAPMODIFY, PORT_LDAP_SERVER and LDAP_SERVER_IP_ADRESS are already set.
mkdir -p /Backup
chown -R ldap:ldap /Backup
# Random clear password for the backup account, stored in the directory only as an SSHA hash
PWD_BACKUP=`(ps auxww ; w ; date) | sha1sum | awk '{print $1}'`
HASHED_PWD_BACKUP=`$FDS_BASE_DIR/bin/pwdhash -s SSHA $PWD_BACKUP`
# The service account entry under cn=config
cat > /tmp/fds_backup.ldif <<EOF
dn: cn=Backup, cn=config
objectClass: top
objectClass: person
cn: Backup
sn: Backup
userPassword: $HASHED_PWD_BACKUP
description: Backup User
EOF
# ACI on cn=tasks,cn=config: the account may only add export tasks, and only from the server's own IP
cat > /tmp/fds_backup_acl.ldif <<EOF
dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (target="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip = "$LDAP_SERVER_IP_ADRESS"));)
EOF
# Directory Manager is needed once, at setup time only
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D "cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup.ldif
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D "cn=Directory Manager" -w '<pwd>' -f /tmp/fds_backup_acl.ldif
rm -f /tmp/fds_backup.ldif /tmp/fds_backup_acl.ldif
2009/9/24 Jonas Courteau <jonas@bravenet.com>:
> Hi:
>
> I was wondering how to go about setting up an ACI to allow a different
> user to add specific tasks. For example, say I created a special user
> cn=backups,cn=config (or similar) and I wanted that user to be able to
> add cn=backup,cn=tasks,cn=config entries to schedule backups, but not
> allow them to do any other tasks.
>
> The idea here is to have a specific user to trigger the backups remotely
> without having to include the directory manager password in
> scripts.
>
> I've been poking around with various ACIs but so far I'm kinda feeling
> around in the dark. I'm sure someone else has done something along
> these lines - any suggestions? Also, if you think this idea is silly
> and you wish to share your backup best practices, I'd love to hear!
>
> Thanks!
>
> Jonas
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
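As an added example (not code from the thread), the same setup in Python: it produces the {SSHA} userPassword value in the form pwdhash -s SSHA emits, builds the service-account LDIF and the ACI that limits that account to adding export tasks from one IP, and includes a verifier so the stored hash can be checked against the password the cron job will use. The DN and the 192.0.2.10 address are constructed sample values.

```python
import base64
import hashlib
import os

# Constructed sample values; the setup script takes these from its environment.
BACKUP_DN = "cn=Backup,cn=config"
SERVER_IP = "192.0.2.10"  # assumed: the directory server's own address

def ssha_hash(password, salt=None):
    """Salted SHA-1 in {SSHA} form, as pwdhash -s SSHA produces: base64(sha1(pw+salt)+salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def export_task_aci(bind_dn, ip):
    """ACI from the reply: bind_dn may only add under cn=export,cn=tasks,cn=config, and only from ip."""
    return (
        '(target="ldap:///cn=export,cn=tasks,cn=config")'
        '(version 3.0;acl "Backup user can launch export tasks";'
        f'allow (add) ((userdn = "ldap:///{bind_dn}") and (ip = "{ip}"));)'
    )

def backup_account_ldif(dn, hashed_pw):
    """LDIF for the service account; only the hash, never the clear password, goes into the directory."""
    cn = dn.split(",", 1)[0].split("=", 1)[1]
    return (f"dn: {dn}\nobjectClass: top\nobjectClass: person\n"
            f"cn: {cn}\nsn: {cn}\nuserPassword: {hashed_pw}\ndescription: Backup User\n")

def aci_modify_ldif(bind_dn, ip):
    """LDIF modify operation that attaches the ACI to cn=tasks,cn=config."""
    return f"dn: cn=tasks,cn=config\nchangetype: modify\nadd: aci\naci: {export_task_aci(bind_dn, ip)}\n"

if __name__ == "__main__":
    clear_pw = base64.b64encode(os.urandom(24)).decode()  # random password for the cron job
    hashed = ssha_hash(clear_pw)
    assert ssha_verify(clear_pw, hashed)
    print(backup_account_ldif(BACKUP_DN, hashed))
    print(aci_modify_ldif(BACKUP_DN, SERVER_IP))
```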