Hi,

We're looking to add monitoring to our IPA replicas and want to provide a
user with the minimum possible permissions to do so.

Allowing the user to have the Replication Administrators role works but for
monitoring the ability to add/modify/remove is overkill by a long shot.

There's no existing permission for Read Replication Agreements - only add,
remove and modify.

I've tried to use ipa permission-add with --filter to allow access to
objectClass=nsds5replicationagreement but checking the status via:

ldapsearch -Y GSSAPI -h c6test2.c6ipa.local  -b cn=config
'(objectclass=nsds5replicationagreement)'

does not show anything unless the account being tested with gets
replication administrator privileges...

I've tried using subtree as well but the ipa command errors that the base
of cn=config is not $SUFFIX ... and out of scope.

What am I missing to set this up - or is this not possible with the
role/privilege/permission mechanism within IPA? I can see how the
replication administration permissions are added in replica-acis.ldif but
I'm concerned that if I manually add an ACI via pure LDIF commands it will
cause issues with future IPA upgrades due to schema differences - so was
hoping to remain within the IPA command side of things...

1) Is this even possible with the ipa command?
2) If I use ldapmodify to add a new permission by hand via ldif for "Read
Replication Agreements" will this likely break on IPA upgrades in future?

Cheers,

James
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
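As an added example (not part of the original post, and not FreeIPA's own tooling), the script below turns the ldapsearch check described above into something a monitoring job can act on: it parses the LDIF that ldapsearch prints, counts the agreement entries the bound principal can actually see, and reports each agreement's last-update status. The LDIF samples are constructed; the replica hostnames c6test1 and c6test3 are assumed, and the attribute names (nsDS5ReplicaHost, nsDS5ReplicaPort, nsds5replicaLastUpdateStatus) are the standard 389-ds replication-agreement attributes. The check matters because a directory server that hides cn=config entries through an ACI still answers the search with "result: 0 Success" and zero entries, so the exit status of ldapsearch alone cannot tell "no agreements" from "not permitted to read them".

```shell
#!/bin/sh
# Added example: evaluate the output of
#   ldapsearch -Y GSSAPI -h c6test2.c6ipa.local -b cn=config -LLL \
#       '(objectclass=nsds5replicationagreement)'
# when run as the intended low-privilege monitoring principal.
# All functions read LDIF on stdin.

# count_agreements: number of entries carrying objectClass
# nsds5replicationagreement (matched case-insensitively, as LDAP does).
count_agreements() {
    tr 'A-Z' 'a-z' | grep -c '^objectclass: nsds5replicationagreement$' || true
}

# check_visibility: succeed only if at least one agreement is visible.
# A search that the ACIs silently filter to nothing still returns
# "result: 0 Success", so we must count entries rather than trust $?.
check_visibility() {
    n=$(count_agreements)
    [ "$n" -gt 0 ]
}

# agreement_status: one line per agreement, "host:port <status>".
# LDIF folds long values onto continuation lines that start with a single
# space; those are unfolded first.  Base64 values ("attr:: ...") are not decoded.
agreement_status() {
    awk '
        function flush() {
            if (host != "") printf "%s:%s %s\n", host, port, status
            host = ""; port = ""; status = ""
        }
        function handle(l,   low) {
            low = tolower(l)
            if (l == "")                                             flush()
            else if (index(low, "nsds5replicahost: ") == 1)             host   = substr(l, 19)
            else if (index(low, "nsds5replicaport: ") == 1)             port   = substr(l, 19)
            else if (index(low, "nsds5replicalastupdatestatus: ") == 1) status = substr(l, 31)
        }
        /^ / { cur = cur substr($0, 2); next }   # continuation line: unfold
        { if (NR > 1) handle(cur); cur = $0 }
        END { handle(cur); flush() }
    '
}

# failed_agreements: only agreements whose last update did not end in
# "Error (0)", i.e. the lines a monitoring system should alert on.
failed_agreements() {
    agreement_status | grep -v -E '^[^ ]+ Error \(0\) ' || true
}

# Constructed sample: what a principal that can read cn=config sees.
# Hostnames c6test1/c6test3 are assumed; the status text of the second
# agreement is folded across two lines the way ldapsearch prints it.
sample_ldif() {
    cat <<'EOF'
dn: cn=meToc6test1.c6ipa.local,cn=replica,cn=dc\3Dc6ipa\2Cdc\3Dlocal,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: meToc6test1.c6ipa.local
nsDS5ReplicaHost: c6test1.c6ipa.local
nsDS5ReplicaPort: 389
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succee
 ded

dn: cn=meToc6test3.c6ipa.local,cn=replica,cn=dc\3Dc6ipa\2Cdc\3Dlocal,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: meToc6test3.c6ipa.local
nsDS5ReplicaHost: c6test3.c6ipa.local
nsDS5ReplicaPort: 389
nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)

# search result
search: 2
result: 0 Success

# numEntries: 2
EOF
}

# Constructed sample: the symptom from the post, a principal without the
# Replication Administrators privilege gets a successful but empty result.
sample_ldif_denied() {
    cat <<'EOF'
# search result
search: 2
result: 0 Success

# numResponses: 1
EOF
}

# Live use (needs a Kerberos ticket for the monitoring principal):
#   ldapsearch -Y GSSAPI -h c6test2.c6ipa.local -b cn=config -LLL \
#       '(objectclass=nsds5replicationagreement)' | check_visibility || echo "agreements not readable"
```

Run `sample_ldif | failed_agreements` to see the alerting output, and `sample_ldif_denied | check_visibility; echo $?` to see the denied case fail even though the LDIF reports success.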
