Hi, and thanks for the help


I am using db2bak.pl, the Perl script, because I have a master-slave installation.
In the documentation (Admin Guide, page 161) it is said that:

"If the database being backed up is a master database, meaning it keeps a changelog, then it
must be backed up using the db2bak.pl Perl script or using the Directory Server Console if
the server is kept running. The changelog only writes its RUV entries to the database when the
server is shut down; while the server is running, the changelog keeps its changes in memory.
For the Perl script and the Console, these changelog RUVs are written to the database before
the backup process runs. However, that step is not performed by the command-line script.
The db2bak should not be run on a running master server. Either use the Perl script or stop
the server before performing the backup."

For now I am using the -j option.

Regards.


2016-03-10 2:43 GMT+01:00 Mark Reynolds <mareynol@redhat.com>:


On 03/09/2016 08:12 PM, William Brown wrote:
On Wed, 2016-03-09 at 20:05 -0500, Mark Reynolds wrote:
On 03/09/2016 05:37 PM, William Brown wrote:
On Wed, 2016-03-09 at 12:06 +0100, wodel youchi wrote:
Hi,

Is it possible to create a specific user to use to back up the 389DS server,
other than the Directory Manager, to use db2bak.pl with a cron job
without exposing the DM password?

Try using db2bak rather than db2bak.pl. db2bak should operate just on the
named instance, without needing a directory manager account. You can run it
from cron as root then.
You can also specify the DM password via a file (-j option).
I think the difference is db2bak.pl is a script that adds a task to
cn=tasks,cn=config. db2bak actually just calls ns-slapd to run the backup
directly. That's why you need the different details. 

Also, you can add ACIs to cn=config to allow a different user to
perform these tasks. For example, if you just want a different user to
be able to perform backups, you would set an allow(all) ACI on
"dn: cn=backup,cn=tasks,cn=config".
As in:

allow(all) userdn="cn=backupuser,ou=serviceaccounts,dc=example,dc=com" ? 

Then cn=backupuser could create the task?
Yes
Also, wouldn't it only need write permissions? 
Correct, "all" is not necessary, but it would need "add, search, read" rights.

      

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

