Ludwig,

----- Original Message -----
> From: "Ludwig Krispenz" <lkris...@redhat.com>
> To: 389-us...@lists.fedoraproject.org
> Sent: Wednesday, March 6, 2013 12:49:26 PM
> Subject: Re: [389-users] How can I grant read access to the attributes of a 
> nsDS5ReplicationAgreement object?
> 
> 
> On 03/06/2013 06:49 PM, Jon Detert wrote:
> > I want to check the status of replication agreements, but I don't
> > want to use the directory manager's credentials to do so.  I want
> > to use bind credentials for a dn that only has read access.
> >
> > Is an ACI what I need?  If so, how?  I've tried several, but they
> > don't work as I intended.
> >
> > One thing I'm uncertain of, is which dn to associate the aci
> > attribute with.  I've tried these:
> >
> > cn=config
> > cn=mapping tree,cn=config
> > dc=example,dc=com
> > and the actual dn of the replication agreement object.
> except dc=example,dc=com all should work
> >
> > I'm also not certain of the target to use in the aci.  I've tried
> > these:
> >
> > (targetfilter = "(objectClass=nsds5ReplicationAgreement)")
> > and
> > (target="ldap:///cn=*,cn=replica,cn=*,cn=mapping tree,cn=config")
> both should work.
> >
> > Any ideas what I'm doing wrong?
> What does the complete aci look like?

aci: (targetattr="*") (version 3.0; acl "CheckReplStatus2"; allow 
(read,search,compare) userdn = "ldap:///uid=jd,ou=people,dc=example,dc=com";;)

The error I get when trying to add this to the dn of the replication agreement 
is '(53) Unwilling to perform'.
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
