Anne Cross
2009-Oct-15 19:02 UTC
[389-users] Searching cn=config as a user other than cn=Directory Manager?
I'm working on setting up nagios monitoring of our multi-master
replication, and given the occasional problems that are plaguing our
network, we need replication monitoring. The script on
http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring#Monitoring_replication_with_Nagios
is very helpful, but it assumes logging in as the Directory Manager.
We've had sufficient problems with "helpful" people becoming root and
doing things that I'm *really* wary of putting the Directory Manager
password in plaintext in a monitoring script, but searching as
cn=replication,cn=config or similar results doesn't return any
results.
Can someone point me at the ACI I need to modify (or do I need to create
a new one?) to add read-only access to cn=config on our master servers
for monitoring purposes? Thanks!
-- juniper
--
,___,
{o,o} Anne "Juniper" Cross
(___) Senior Linux Systems Engineer and Extropic Crusader
-"-"-- Information Technology, ITA Software
/^^^
Rich Megginson
2009-Oct-19 20:03 UTC
Re: [389-users] Searching cn=config as a user other than cn=Directory Manager?
Anne Cross wrote:
> I'm working on setting up nagios monitoring of our multi-master
> replication, and given the occasional problems that are plaguing our
> network, we need replication monitoring. The script on
> http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring#Monitoring_replication_with_Nagios
> is very helpful, but it assumes logging in as the Directory Manager.
>
> We've had sufficient problems with "helpful" people becoming root and
> doing things that I'm *really* wary of putting the Directory Manager
> password in plaintext in a monitoring script,
As well you should be.
> but searching as cn=replication,cn=config or similar results doesn't
> return any results.
> Can someone point me at the ACI I need to modify (or do I need to
> create a new one?) to add read-only access to cn=config on our master
> servers for monitoring purposes? Thanks!
The setup-ds-admin.pl script creates ACIs for the console admin user -
look at the ACIs on the cn=config entry for the uid=admin,..... user.
You can probably just duplicate those - change the user to be your
monitoring user, and change the allow() to just read,search,compare.

See also
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Access_Control.html
>
> -- juniper
>
Anne Cross
2009-Oct-19 21:36 UTC
Re: [389-users] Searching cn=config as a user other than cn=Directory Manager?
Rich Megginson wrote:
>> but searching as cn=replication,cn=config or similar results doesn't
>> return any results.
>> Can someone point me at the ACI I need to modify (or do I need to
>> create a new one?) to add read-only access to cn=config on our master
>> servers for monitoring purposes? Thanks!
> The setup-ds-admin.pl script creates ACIs for the console admin user -
> look at the ACIs on the cn=config entry for the uid=admin,..... user.
> You can probably just duplicate those - change the user to be your
> monitoring user, and change the allow() to just read,search,compare.
>
Ahah. Just in case anybody else is curious, this is effectively what I
ended up setting up for the check_ldap_replication script for nagios, on
the cn=config tree:

    (targetattr = "*") (version 3.0; acl "Monitoring Script"; allow (read,compare,search)(userdn = "ldap:///uid=nagiosmonitoring,ou=Resource Accounts,dc=itasoftware,dc=com") ;)

I may see if I can restrict it down a little further, but that makes me
much happier than using the Directory Manager user. Thanks for your
help!

--
,___,
{o,o} Anne "Juniper" Cross
(___) Senior Linux Systems Engineer and Extropic Crusader
-"-"-- Information Technology, ITA Software
/^^^
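The ACI Anne posted grants the monitoring account read, search and compare on every attribute under cn=config, which includes attributes a replication check has no reason to see, such as the hashed nsslapd-rootpw on cn=config and the nsDS5ReplicaCredentials stored in each replication agreement. The following is an added example, not code from the thread or from the 389 project, showing the same grant narrowed to the replication agreement entries and the status attributes a check script typically reads, written as an LDIF change for ldapmodify. It assumes (none of this is on the page) that the check searches the agreements under cn=mapping tree,cn=config and needs only the nsDS5Replica* attributes listed; match that list to the attributes your own script actually queries.

```ldif
# Added example (not from the thread): a narrower form of the posted
# "Monitoring Script" ACI, applied to cn=config with ldapmodify.
# Assumptions, not taken from the page:
#   - the check reads replication agreements under cn=mapping tree,cn=config
#   - it needs only the status attributes listed in targetattr
# Continuation lines start with a space, as LDIF requires; the second
# space keeps a separator between "||" tokens after the join.
dn: cn=config
changetype: modify
add: aci
aci: (target = "ldap:///cn=mapping tree,cn=config")
 (targetattr = "objectClass || cn || nsDS5ReplicaRoot || nsDS5ReplicaHost ||
   nsDS5ReplicaPort || nsDS5ReplicaBindDN || nsDS5ReplicaLastUpdateStart ||
   nsDS5ReplicaLastUpdateEnd || nsDS5ReplicaLastUpdateStatus ||
   nsDS5ReplicaUpdateInProgress || nsDS5ReplicaChangesSentSinceStartup")
 (version 3.0; acl "Monitoring Script (replication status only)";
   allow (read,search,compare)
   (userdn = "ldap:///uid=nagiosmonitoring,ou=Resource Accounts,dc=itasoftware,dc=com");)
```

Apply it once as Directory Manager with ldapmodify -x -D "cn=Directory Manager" -W -f monitor-aci.ldif, then check the result as the monitoring user rather than trusting the ACI by inspection: an ldapsearch bound as uid=nagiosmonitoring with base cn=mapping tree,cn=config and filter (objectClass=nsDS5ReplicationAgreement) should return the agreements with nsDS5ReplicaLastUpdateStatus populated, while the same bind searching cn=config for nsslapd-rootpw or nsDS5ReplicaCredentials should return nothing. The target clause limits the grant to the mapping tree subtree; if your check also reads the cn=replica entries for the changelog state, add the attributes it needs to targetattr instead of widening it back to "*".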