
Re: adding access control for replication user



Robin M. wrote:

Hi, I am new to LDAP and am just using the default ACL, where my config
file does not specify any ACLs. This is working fine for me for postfix,
pureftp, cyrus etc.

Now I want to allow a replication account, i.e. I have a master and a slave
and have created a new DN called replicator.

I have tried adding various types of rules to allow this account to update
the slave, but it seems to reset the default rules so that my other things
like webmail, postfix, cyrus no longer work as expected.

Can someone post an example of a default ruleset allowing a replicator
account to update slaves?



There are two choices:

1) if you plainly want your replicator to be able to write everything, in all of your access rules add, as the first <who> clause, the line

by dn.exact="<your replicator's DN>" write

followed by the other <who> clauses.

So, a line

access to attrs=userPassword
by self write
by * auth

would become

access to attrs=userPassword
by dn.exact="<your replicator's DN>" write
by self write
by * auth

As a default rule, at the end of the ones you might already have set, add:

access to *
by dn.exact="<your replicator's DN>" write

2) [not recommended] use the slave's rootdn as replicator's DN

p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
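As an added illustration (my own, not code from the thread or from OpenLDAP), here is a toy Python model of how slapd evaluates access directives: first matching <what>, then that directive's first matching <who>, with an implicit "by * none" once any directive exists. The replicator DN and the trailing "by * read" in the catch-all rule are assumptions for the example.

```python
# Added example (not code from the thread): a toy model of slapd's ACL
# evaluation showing why the replicator clause must be the first <who> clause
# and why adding any access directive removes the implicit default
# "access to * by * read". REPLICATOR is a placeholder DN.
from dataclasses import dataclass

REPLICATOR = "cn=replicator,dc=example,dc=com"      # placeholder, not real
REPL = f'dn.exact="{REPLICATOR}"'
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # cumulative

@dataclass
class Rule:
    what: str   # "*" or "attrs=<attribute>"
    who: list   # ordered (<who> selector, access level) pairs

def match_what(what, attr):
    return what == "*" or (attr is not None and what == f"attrs={attr}")

def match_who(selector, requester, entry_dn):
    if selector == "*":
        return True
    if selector == "self":
        return requester == entry_dn
    if selector.startswith('dn.exact="') and selector.endswith('"'):
        return requester == selector[len('dn.exact="'):-1]
    return False

def evaluate(rules, requester, entry_dn, attr=None):
    """Level slapd grants: first matching <what>, then its first matching <who>.
    requester=None is an anonymous bind."""
    if not rules:
        return "read"        # no access directives at all: default read
    for rule in rules:
        if match_what(rule.what, attr):
            for selector, level in rule.who:
                if match_who(selector, requester, entry_dn):
                    return level
            return "none"    # every directive ends with an implicit "by * none"
    return "none"            # a non-empty list ends with "access to * by * none"

def allows(level, wanted):
    return LEVELS.index(level) >= LEVELS.index(wanted)

# What the poster most likely had: only a userPassword rule, so every other
# attribute falls through to the implicit deny and postfix/cyrus stop working.
BROKEN = [Rule("attrs=userPassword", [("self", "write"), ("*", "auth")])]
# The reply's fix: replicator first in each rule, then a catch-all at the end
# (the "by * read" restores the default the other services relied on).
FIXED = [Rule("attrs=userPassword", [(REPL, "write"), ("self", "write"), ("*", "auth")]),
         Rule("*", [(REPL, "write"), ("*", "read")])]
```

Placing the replicator clause after "by * auth" instead of first leaves it shadowed, since slapd stops at the first matching <who> clause.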