On 03/09/2016 08:12 PM, William Brown wrote:
On Wed, 2016-03-09 at 20:05 -0500, Mark Reynolds wrote:
> On 03/09/2016 05:37 PM, William Brown wrote:
>> On Wed, 2016-03-09 at 12:06 +0100, wodel youchi wrote:
>>> Hi,
>>>
>>> Is it possible to create a specific user to use to back up 389DS server
>>> other than the Directory Manager, to use the db2bak.pl with a cronjob
>>> without exposing the DM password?
>>>
>> Try using db2bak rather than db2bak.pl. db2bak should operate just on the
>> named instance, without needing a directory manager account. You can run it
>> from cron as root then.
> You can also specify the DM password via a file (-j option).
I think the difference is db2bak.pl is a script that adds a task to
cn=tasks,cn=config. db2bak actually just calls ns-slapd to run the backup
directly. That's why you need the different details.
> Also, you can add aci's to cn=config to allow a different user to
> perform these tasks. For example if you just want a different user to
> be able to perform backups you would set an allow(all) aci on "dn:
> cn=backup,cn=tasks,cn=config".
As in:
allow(all) userdn="cn=backupuser,ou=serviceaccounts,dc=example,dc=com" ?
Then cn=backupuser could create the task?
Yes
Also, wouldn't it only need write permissions?
Correct, "all" is not necessary, but it would need "add, search, read" rights.
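
The ACI discussed in this thread, written out as LDIF. This is an added example, not something posted by anyone in the thread. The ACI name, the task cn and the archive path are assumptions or placeholders; the service-account DN is the one used above.

```ldif
# Added example (constructed). The ACI name, task cn and archive path are
# assumptions/placeholders; the service-account DN is the one from the thread.

# 1. Applied once as Directory Manager: let the service account create and
#    read backup tasks only. The broad form first floated in the thread was:
#      allow (all) userdn="ldap:///cn=backupuser,ou=serviceaccounts,dc=example,dc=com"
#    The narrower form below grants just add, read and search.
dn: cn=backup,cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "backupuser may create backup tasks"; allow (add, read, search) userdn="ldap:///cn=backupuser,ou=serviceaccounts,dc=example,dc=com";)

# 2. Sent by the cron job, bound as cn=backupuser: the task entry that asks
#    the server to run a backup (the kind of entry db2bak.pl adds for you).
dn: cn=nightly-backup,cn=backup,cn=tasks,cn=config
changetype: add
objectClass: extensibleObject
cn: nightly-backup
nsArchiveDir: /PLACEHOLDER/path/to/backup/dir
nsDatabaseType: ldbm database
```

With this in place the cron job binds with the service account's password rather than the DM's, and that account has no rights outside the backup task container.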