Chapter 11. Enabling members of a group to export data and performing the export as one of the group members
You can configure that members of a group have permissions to export data. This increases the security because you no longer need to set the credentials of cn=Directory Manager
in your scripts. Additionally, you can easily grant and revoke the export permissions by modifying the group.
11.1. Enabling a group to export data
Use this procedure to add the cn=export_users,ou=groups,dc=example,dc=com
group and enable members of this group to create export tasks.
Procedure
Create the
cn=export_users,ou=groups,dc=example,dc=com
group:#
dsidm -D "cn=Directory manager" ldap://server.example.com -b "dc=example,dc=com" group create --cn export_users
Add an access control instruction (ACI) that allows members of the
cn=export_users,ou=groups,dc=example,dc=com
group to create export tasks:#
ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com
dn: cn=config changetype: modify add: aci aci: (target = "ldap:///cn=export,cn=tasks,cn=config") (targetattr="*") (version 3.0 ; acl "permission: Allow export_users group to export data" ; allow (add, read, search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";) - add: aci aci: (target = "ldap:///cn=config")(targetattr = "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir") (version 3.0 ; acl "permission: Allow export_users group to access ldifdir attribute" ; allow (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)Create a user:
Create a user account:
#
dsidm -D "cn=Directory manager" ldap://server.example.com -b "dc=example,dc=com" user create --uid="example" --cn="example" --uidNumber="1000" --gidNumber="1000" --homeDirectory="/home/example/" --displayName="Example User"
Set a password on the user account:
#
dsidm -D "cn=Directory manager" ldap://server.example.com -b "dc=example,dc=com" account reset_password "uid=example,ou=People,dc=example,dc=com" "password"
Add the
uid=example,ou=People,dc=example,dc=com
user to thecn=export_users,ou=groups,dc=example,dc=com
group:#
dsidm -D "cn=Directory manager" ldap://server.example.com -b "dc=example,dc=com" group add_member export_users uid=example,ou=People,dc=example,dc=com
Verification
Display the ACIs set on the
cn=config
entry:#
ldapsearch -o ldif-wrap=no -LLLx -D "cn=directory manager" -W -H ldap://server.example.com -b cn=config aci=* aci -s base
dn: cn=config aci: (target = "ldap:///cn=export,cn=tasks,cn=config")(targetattr="*")(version 3.0 ; acl "permission: Allow export_users group to export data" ; allow (add, read, search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";) aci: (target = "ldap:///cn=config")(targetattr = "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir")(version 3.0 ; acl "permission: Allow export_users group to access ldifdir attribute" ; allow (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";) ...
11.2. Performing an export as a regular user
You can perform exports as a regular user instead of cn=Directory Manager
.
Prerequisites
-
You enabled members of the
cn=export_users,ou=groups,dc=example,dc=com
group to export data. -
The user you use to perform the export is a member of the
cn=export_users,ou=groups,dc=example,dc=com
group.
Procedure
Create a export task using one of the following methods:
Using the
dsconf backend export
command:#
dsconf -D "uid=example,ou=People,dc=example,dc=com" ldap://server.example.com backend export userRoot
By manually creating the task:
#
ldapadd -D "uid=example,ou=People,dc=example,dc=com" -W -H ldap://server.example.com
dn: cn=userRoot-2021_07_23_12:55_00,cn=export,cn=tasks,cn=config changetype: add objectClass: extensibleObject nsFilename: /var/lib/dirsrv/slapd-instance_name/ldif/None-userroot-2021_07_23_12:55_00.ldif nsInstance: userRoot cn: export-2021_07_23_12:55_00
Verification
Verify that the backup was created:
#
ls -l /var/lib/dirsrv/slapd-instance_name/ldif/*.ldif
total 0 -rw-------. 1 dirsrv dirsrv 10306 Jul 23 12:55 None-userroot-2021_07_23_12_55_00.ldif ...
Additional resources