We're looking to add monitoring to our IPA replicas and want to provide a
user with the minimum possible permissions to do so.

Allowing the user to have the Replication Administrators role works but for
monitoring the ability to add/modify/remove is overkill by a long shot.

There's no existing permission for Read Replication Agreements - only add,
remove and modify.

I've tried to use ipa permission-add with --filter to allow access to
objectClass=nsds5replicationagreement but checking the status via:

ldapsearch -Y GSSAPI -h c6test2.c6ipa.local -b cn=config

Does not show anything unless the account being tested with gets
replication administrator privileges...

I've tried using subtree as well but the ipa command errors that the base
of cn=config is not $SUFFIX ... and out of scope.

What am I missing to set this up - or is this not possible with the
role/privilege/permission mechanism within IPA? I can see how the
replication administration permissions are added in replica-acis.ldif but
I'm concerned that if I manually add an ACI via pure LDIF commands it will
cause issues with future IPA upgrades due to schema differences - so was
hoping to remain within the IPA command side of things...

1) Is this even possible with the ipa command?
2) If I use ldapmodify to add a new permission by hand via ldif for "Read
Replication Agreements" will this likely break on IPA upgrades in future?
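
As an added example that is not part of the original post, and not an answer to the permission question it raises: a small POSIX shell script that performs the check described above in a repeatable way. It obtains a ticket for the monitoring principal (so the search is evaluated under that account's ACIs, not admin's), reads the replication agreement entries under cn=config over GSSAPI, and reduces the LDIF to one status line per agreement. The replica host c6test2.c6ipa.local is the one named in the post; the keytab path, the principal name and the sample LDIF are assumptions constructed for this example. A count of zero from an account that is not a Replication Administrator is exactly the symptom the post describes, so the count is what a monitoring check would alert on.

```shell
#!/bin/sh
# Added example, not from the original post: verify what a monitoring
# principal can read under cn=config and summarise replication agreement
# status. Assumptions (not in the post): OpenLDAP ldapsearch and MIT kinit
# are installed, the monitoring account has a keytab at $KEYTAB, and its
# principal is $PRINCIPAL. The replica name is the one used in the post.
REPLICA="${REPLICA:-c6test2.c6ipa.local}"
KEYTAB="${KEYTAB:-/etc/ipa/monitor.keytab}"       # assumed path
PRINCIPAL="${PRINCIPAL:-monitor@C6IPA.LOCAL}"     # assumed principal

# Get a ticket for the monitoring account, not admin, so the search below
# exercises that account's ACIs and nothing else.
get_ticket() {
    kinit -kt "$KEYTAB" "$PRINCIPAL"
}

# Read the agreement entries the bound account is allowed to see.
# -LLL drops comment/version lines; ldif-wrap=no keeps long status values
# on one line so the awk below does not have to unfold continuation lines.
fetch_agreements() {
    ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -h "$REPLICA" -b cn=config \
        '(objectClass=nsds5replicationagreement)' \
        cn nsds5replicaHost nsds5replicaLastUpdateStatus nsds5replicaLastUpdateEnd
}

# Reduce LDIF on stdin to one tab-separated line per agreement:
# host, last update status, last update end. Attribute names are matched
# case-insensitively because the server may return them in schema case.
summarise() {
    awk '
        function flush() {
            if (host != "") print host "\t" status "\t" stamp
            host = ""; status = ""; stamp = ""
        }
        function value(line) { return substr(line, index(line, ": ") + 2) }
        /^dn: /                                         { flush() }
        tolower($0) ~ /^nsds5replicahost: /             { host   = value($0) }
        tolower($0) ~ /^nsds5replicalastupdatestatus: / { status = value($0) }
        tolower($0) ~ /^nsds5replicalastupdateend: /    { stamp  = value($0) }
        END { flush() }
    '
}

# Number of agreements in the LDIF on stdin. Zero from an account that is
# not a Replication Administrator is the symptom in the post: the entries
# exist, but the ACIs under cn=config do not let this account read them.
count_agreements() {
    summarise | awk 'END { print NR }'
}

# Full check against the live replica: ticket, search, count, summary.
check_replica() {
    get_ticket || return 1
    ldif=$(fetch_agreements) || return 1
    n=$(printf '%s\n' "$ldif" | count_agreements)
    if [ "$n" -eq 0 ]; then
        echo "no replication agreements readable as $PRINCIPAL on $REPLICA" >&2
        return 1
    fi
    printf '%s\n' "$ldif" | summarise
}

# Constructed sample LDIF (two agreements, one healthy, one failing), shaped
# like 389-ds output; not captured from a real server.
SAMPLE_LDIF='dn: cn=meToc6test1.c6ipa.local,cn=replica,cn=dc\3Dc6ipa\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: meToc6test1.c6ipa.local
nsds5replicaHost: c6test1.c6ipa.local
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded
nsds5replicaLastUpdateEnd: 20240101120000Z

dn: cn=meToc6test3.c6ipa.local,cn=replica,cn=dc\3Dc6ipa\2Cdc\3Dlocal,cn=mapping tree,cn=config
cn: meToc6test3.c6ipa.local
nsds5replicaHost: c6test3.c6ipa.local
nsds5replicaLastUpdateStatus: Error (1) Replication error acquiring replica: replica busy
nsds5replicaLastUpdateEnd: 20240101115500Z'

# Offline demonstration of the parser on the constructed sample;
# pass "run" as the first argument to check the live replica instead.
if [ "${1:-}" = "run" ]; then
    check_replica
else
    printf '%s\n' "$SAMPLE_LDIF" | summarise
fi
```

Saved as check_replica.sh, `sh check_replica.sh` prints the two constructed summary lines, and `sh check_replica.sh run` performs the live check; running it once with the monitoring principal's keytab and once with an admin keytab makes the ACI difference the post describes visible as a count of 0 versus the real number of agreements.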