
Re: cn=Log,cn=Monitor



> Pierangelo Masarati wrote:
>>
>> the values are internally converted to their numerical
>> representation and ORed;
>
> Great.
>
>> Of course you need write permission on that entry and on
>> that value, which is easily obtained by means of ACLs.
>>
>> I don't remember if a rootdn/rootpw is honored
>
> rootdn does not seem to work. If the access rights are insufficient I'd
> like to get another error code.
>
>> backend; however it'd be of little use; my usual strategy
>> is to add ACLs that allow regular users belonging to other
>> databases to operate on monitor entries.
>
> Makes sense to me. I'll try with ACLs. Can you please post an example?

# any other database ...
database bdb
suffix "dc=example,dc=com"
# ...

database monitor
# Administrator may write to monitor entries; other People entries may only read
access to *
    by dn.exact="uid=Administrator,ou=People,dc=example,dc=com" write
    by dn.regex="^uid=[^,]+,ou=People,dc=example,dc=com$" read
    by * none

I checked out that you can also add a rootdn/rootpw pair
and bypass acl checks; the naming context of the rootdn,
of course, must be "cn=Monitor".

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
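
Added example (not part of the original message, and not OpenLDAP code): why the regex in the read clause of the ACL above should carry ^ and $ anchors. It assumes slapd evaluates the pattern as an unanchored search, modelled here with Python's re.search; the sample DNs are constructed.

```python
import re

# Pattern of the regex "by" clause in the posted ACL, without anchors.
POSTED = r"uid=[^,]+,ou=People,dc=example,dc=com"
# Same pattern with explicit start/end anchors.
ANCHORED = "^" + POSTED + "$"

# Constructed sample bind DNs in normalized form.
SAMPLE_DNS = [
    "uid=alice,ou=People,dc=example,dc=com",           # intended match
    "cn=agent,uid=alice,ou=People,dc=example,dc=com",  # entry below a user
    "uid=bob,ou=People,dc=example,dc=com,o=partner",   # different suffix
    "uid=carol,ou=Services,dc=example,dc=com",         # different branch
]


def granted(pattern, dns):
    """Return the DNs the clause would apply to, using search semantics
    (the pattern may match anywhere inside the DN string)."""
    rx = re.compile(pattern)
    return [dn for dn in dns if rx.search(dn)]


def over_matched(dns=SAMPLE_DNS):
    """DNs accepted by the unanchored pattern but not by the anchored one."""
    strict = set(granted(ANCHORED, dns))
    return [dn for dn in granted(POSTED, dns) if dn not in strict]


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        loose = bool(granted(POSTED, [dn]))
        strict = bool(granted(ANCHORED, [dn]))
        print(f"{dn:50} unanchored={loose!s:5} anchored={strict}")
    print("read granted only by the unanchored form:", over_matched())
```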