
Re: Check synchro : access only to contextcsn



--On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter <dieter@dkluenter.de> wrote:

On Tue, 16 Oct 2018 15:51:50 +0200,
Lirien Maxime <maxime.lirien@gmail.com> wrote:

Hi all,
thanks for reading.
I have a "supervision" account on all my LDAP servers. With the Nagios
plugin, it checks the synchro. I would like this account to read only
contextcsn to check synchro, and only contextcsn, not the other
entries (Nagios check plugin).
Can someone help me write the right ACL?

Here is what I tried, but it is not really right :-/
# ContextCSN
access to dn.subtree="dc=fr" attrs=contextCSN
     by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
     by * none

access to dn.base=dc=fr
   attrs=entry,children,contextCSN read

I'd also be careful of doing "by * none" to the contextCSN, etc, as that can break replication depending on the DN that binds to the master(s), since the replication DN must be able to read the contextCSN.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
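
The caveat in the reply above, shown as an added slapd.conf fragment (not part of the original thread): the weak rule from the question beside a variant that also names the replication identity. The DN `cn=replicator,dc=fr` is a hypothetical placeholder for whatever DN the consumers actually bind with, and the rules that follow this one in the real configuration are assumed to decide access for everyone else.

```conf
# Weak (the attempt quoted in the thread, kept commented out): every identity
# other than the supervision account gets "none" on contextCSN. A consumer
# that binds with an ordinary DN (not the rootdn, which bypasses ACLs) can
# then no longer read the provider's contextCSN.
#access to dn.subtree="dc=fr" attrs=contextCSN
#     by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
#     by * none

# Corrected: contextCSN is kept on the suffix entry, so the rule is scoped to
# dn.base. "entry" is included because reading an attribute also requires
# read access to the entry pseudo-attribute. The second "by" clause uses the
# hypothetical replication DN (replace it with the real one). "by * break"
# hands all other identities to the access rules that follow instead of
# denying them here.
# Comments are kept above the statement on purpose: slapd.conf joins indented
# lines to the previous line, so a comment placed between the "by" clauses
# would swallow the clauses after it.
access to dn.base="dc=fr" attrs=entry,contextCSN
     by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
     by dn.exact="cn=replicator,dc=fr" read
     by * break
```

For the supervision account to see nothing else, the later rules must not grant it access to other entries or attributes.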