Hi,
I’ve been using repl-monitor.pl for monitoring replication problems. I would like to use an account with a minimal set of permissions needed for the functionality. I created a user and added the permission to Read Replication Agreements. Now the user can read the agreements but fails on:
$ruv = $conn->search($replicaroot, "one", "(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))", 0, qw(nsds50ruv nsruvReplicaLastModified nsds5AgmtMaxCSN));
Rather, the $ruv is empty after that call. When running with a privileged account, everything works.
What are the permissions needed for that search to work for a brand new account?
Thanks, Sergei
On 08/17/2018 11:51 AM, Sergei Gerasenko wrote:
Hi,
I’ve been using repl-monitor.pl for monitoring replication problems. I would like to use an account with a minimal set of permissions needed for the functionality. I created a user and added the permission to Read Replication Agreements. Now the user can read the agreements but fails on:
$ruv = $conn->search($replicaroot, "one", "(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))", 0, qw(nsds50ruv nsruvReplicaLastModified nsds5AgmtMaxCSN));
Rather, the $ruv is empty after that call. When running with a privileged account, everything works.
What are the permissions needed for that search to work for a brand new account?
Add an ACI to this entry (using your suffix of course) allowing the user or group to read/search/compare:
dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config
That should do it :-)
Mark
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Thanks, Mark. I think I will have to do this directly in dse.ldif by stopping the server, editing the ldif and starting it again? Looks like there’s already an ACI for it, but it doesn’t include those attrs. So I think I will need to add them. Currently it looks like this:
dn: cn=mapping tree,cn=config
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=MYDC,dc=net";)
But I think I will also need to add the object class of objectClass=nsTombstone to the targetFilter?
Thanks, Sergei
On Aug 17, 2018, at 12:23 PM, Mark Reynolds mreynolds@redhat.com wrote:
Add an ACI to this entry (using your suffix of course) allowing the user or group to read/search/compare:
dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config
That should do it :-)
On 08/17/2018 02:07 PM, Sergei Gerasenko wrote:
Thanks, Mark. I think I will have to do this directly in dse.ldif by stopping the server, editing the ldif and starting it again?
In this case that would be the easiest way to edit this aci, but typically I would suggest using ldapmodify instead.
Looks like there’s already an ACI for it, but it doesn’t include those attrs. So I think I will need to add them. Currently it looks like this:
dn: cn=mapping tree,cn=config
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=MYDC,dc=net";)
But I think I will also need to add the object class of objectClass=nsTombstone to the targetFilter?
Not sure, one way to find out ;-) The "tombstone" entry is a funny thing and behaves a little differently, but it should be an easy test though.
Regards, Mark
Hi Mark,
I have a test instance of 389-ds running on a vm. I’ve tried updating the aci like this:
dn: cn=mapping tree,cn=config
changetype: modify
replace: aci
aci: (targetattr = "cn || nsuniqueid || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || MORE STUFF")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree)(objectClass=nsTombstone))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=MYREALM,dc=net";)
But still executing the command below produces no output. Executing the command as admin does work:
ldapsearch -h localhost -LLL -x -D 'uid=ipamonitor,cn=users,cn=accounts,dc=sgerasenko,dc=net' -w PWD '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))' nsds50ruv
I've verified that "ipamonitor" does have "Read Replication Agreements" assigned.
Any ideas what could be missing?
Thanks, Sergei
On 08/17/2018 04:59 PM, Sergei Gerasenko wrote:
Hi Mark,
I have a test instance of 389-ds running on a vm. I’ve tried updating the aci like this:
dn: cn=mapping tree,cn=config
changetype: modify
replace: aci
aci: (targetattr = "cn || nsuniqueid || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || MORE STUFF")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree)(objectClass=nsTombstone))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=MYREALM,dc=net";)
But still executing the command below produces no output. Executing the command as admin does work:
ldapsearch -h localhost -LLL -x -D 'uid=ipamonitor,cn=users,cn=accounts,dc=sgerasenko,dc=net' -w PWD '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))' nsds50ruv
I've verified that "ipamonitor" does have "Read Replication Agreements" assigned.
Works for me if I add this aci:
dn: cn=mapping tree,cn=config
aci: (targetattr = "*")(version 3.0; acl "All user to read agreements"; allow (read,compare,search) (userdn = "ldap:///uid=mark,o=mark");)
ldapsearch -h localhost -LLL -x -D 'uid=mark,o=mark' -w password -b o=mark "(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))"
dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: o=mark
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 1
nsds5ReplicaPurgeDelay: 604800
cn: replica
nsState:: AQAAAAAAAADwQHdbAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAAAAA==
nsDS5ReplicaName: e8f8e603-a24111e8-9b9de135-a578ede1
nsds50ruv: {replicageneration} 5b770413000000010000
nsds50ruv: {replica 1 ldap://localhost.localdomain:389} 5b773c20000000010000 5b7740f0000200010000
nsds5agmtmaxcsn: o=mark;f;localhost.localdomain;4444;unavailable
nsruvReplicaLastModified: {replica 1 ldap://localhost.localdomain:389} 00000000
nsds5ReplicaChangeCount: 6
nsds5replicareapactive: 0
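An added check, not code from the thread or from 389-ds, that reads an ACI value the way Sergei's "Read Replication Agreements" ACI and Mark's targetattr = "*" ACI above are written, and reports what the repl-monitor RUV search would be denied under it: the search right on the attributes in its filter and the read right on the three attributes it requests. The two ACI strings are shortened, constructed copies with a placeholder suffix; whether nsTombstone belongs in the targetfilter is the question the thread leaves open, so the script only reports whether it is present.

```python
import re

# Constructed from the thread: repl-monitor.pl's RUV search filters on nsuniqueid and
# objectClass (those need the "search" right) and asks for three attributes (those
# need "read"). LDAP attribute names compare case-insensitively.
RUV_FILTER_ATTRS = {"nsuniqueid", "objectclass"}
RUV_REQUESTED_ATTRS = {"nsds50ruv", "nsruvreplicalastmodified", "nsds5agmtmaxcsn"}

# Shortened, constructed copies of the two ACIs discussed above; dc=EXAMPLE is a placeholder.
SERGEI_ACI = (
    '(targetattr = "cn || createtimestamp || nsds50ruv || nsruvreplicalastmodified'
    ' || objectclass")'
    '(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)'
    '(objectClass=nsMappingTree))")'
    '(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search)'
    ' groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=EXAMPLE";)'
)
MARK_ACI = ('(targetattr = "*")(version 3.0; acl "All user to read agreements";'
            ' allow (read,compare,search) (userdn = "ldap:///uid=mark,o=mark");)')

def parse_aci(aci):
    """Extract the targetattr list, targetfilter object classes and granted rights."""
    m = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci, re.I)
    f = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci, re.I)
    r = re.search(r'\ballow\s*\(([^)]*)\)', aci, re.I)
    return {
        # no targetattr clause targets every attribute; the targetattr != form is not handled
        "attrs": {a.strip().lower() for a in m.group(1).split("||")} if m else {"*"},
        "filter_classes": {c.lower() for c in re.findall(r"objectclass=([^)]+)", f.group(1), re.I)}
        if f else set(),
        "rights": {x.strip().lower() for x in r.group(1).split(",")} if r else set(),
    }

def check_ruv_access(aci):
    """Report what the ACI does not grant for the RUV search; {} means it reaches everything."""
    p = parse_aci(aci)
    report = {}
    for right, needed in (("search", RUV_FILTER_ATTRS), ("read", RUV_REQUESTED_ATTRS)):
        missing = set() if "*" in p["attrs"] else needed - p["attrs"]
        if right not in p["rights"]:
            report["missing_%s_right" % right] = True
        elif missing:
            report["%s_attrs_not_granted" % right] = sorted(missing)
    # Whether nsTombstone belongs in the targetfilter is the thread's open question, so it
    # is only reported; an ACI without a targetfilter is not limited by object class at all.
    if p["filter_classes"]:
        report["nstombstone_in_targetfilter"] = "nstombstone" in p["filter_classes"]
    return report
```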
Ok, might be something having to do with IPA. I’ll play more with it.
Thanks!! Sergei
On Aug 17, 2018, at 4:51 PM, Mark Reynolds mreynolds@redhat.com wrote:
On 08/17/2018 04:59 PM, Sergei Gerasenko wrote:
Hi Mark,
I have a test instance of 389-ds running on a vm. I’ve tried updating the aci like this:
dn: cn=mapping tree,cn=config
changetype: modify
replace: aci
aci: (targetattr = "cn || nsuniqueid || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || MORE STUFF")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree)(objectClass=nsTombstone))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=MYREALM,dc=net";)
But still executing the command below produces no output. Executing the command as admin does work:
ldapsearch -h localhost -LLL -x -D 'uid=ipamonitor,cn=users,cn=accounts,dc=sgerasenko,dc=net' -w PWD '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))' nsds50ruv
I've verified that "ipamonitor" does have "Read Replication Agreements" assigned.
Works for me if I add this aci:
dn: cn=mapping tree,cn=config
aci: (targetattr = "*")(version 3.0; acl "All user to read agreements"; allow (read,compare,search) (userdn = "ldap:///uid=mark,o=mark");)
ldapsearch -h localhost -LLL -x -D 'uid=mark,o=mark' -w password -b o=mark "(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))"
dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: o=mark
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 1
nsds5ReplicaPurgeDelay: 604800
cn: replica
nsState:: AQAAAAAAAADwQHdbAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAAAAA==
nsDS5ReplicaName: e8f8e603-a24111e8-9b9de135-a578ede1
nsds50ruv: {replicageneration} 5b770413000000010000
nsds50ruv: {replica 1 ldap://localhost.localdomain:389} 5b773c20000000010000 5b7740f0000200010000
nsds5agmtmaxcsn: o=mark;f;localhost.localdomain;4444;unavailable
nsruvReplicaLastModified: {replica 1 ldap://localhost.localdomain:389} 00000000
nsds5ReplicaChangeCount: 6
nsds5replicareapactive: 0