Menu Close
Settings Close

Language and Page Formatting Options

Chapter 11. Enabling members of a group to export data and performing the export as one of the group members

You can configure that members of a group have permissions to export data. This increases the security because you no longer need to set the credentials of cn=Directory Manager in your scripts. Additionally, you can easily grant and revoke the export permissions by modifying the group.

11.1. Enabling a group to export data

Use this procedure to add the cn=export_users,ou=groups,dc=example,dc=com group and enable members of this group to create export tasks.

Procedure

  1. Create the cn=export_users,ou=groups,dc=example,dc=com group:

    # dsidm -D "cn=Directory manager" ldap://server.example.com -b "dc=example,dc=com" group create --cn export_users
  2. Add an access control instruction (ACI) that allows members of the cn=export_users,ou=groups,dc=example,dc=com group to create export tasks:

    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com
    
    dn: cn=config
    changetype: modify
    add: aci
    aci: (target = "ldap:///cn=export,cn=tasks,cn=config")
     (targetattr="*") (version 3.0 ; acl "permission:
      Allow export_users group to export data" ;
      allow (add, read, search) groupdn
      = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
    -
    add: aci
    aci: (target = "ldap:///cn=config")(targetattr =
      "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir")
      (version 3.0 ; acl "permission: Allow export_users
      group to access ldifdir attribute" ; allow
      (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
  3. Create a user:

    1. Create a user account:

      # dsidm -D "cn=Directory manager" ldap://server.example.com -b "dc=example,dc=com" user create --uid="example" --cn="example" --uidNumber="1000" --gidNumber="1000" --homeDirectory="/home/example/" --displayName="Example User"
    2. Set a password on the user account:

      # dsidm -D "cn=Directory manager" ldap://server.example.com -b "dc=example,dc=com" account reset_password "uid=example,ou=People,dc=example,dc=com" "password"
  4. Add the uid=example,ou=People,dc=example,dc=com user to the cn=export_users,ou=groups,dc=example,dc=com group:

    # dsidm -D "cn=Directory manager" ldap://server.example.com -b "dc=example,dc=com" group add_member export_users uid=example,ou=People,dc=example,dc=com

Verification

  • Display the ACIs set on the cn=config entry:

    # ldapsearch -o ldif-wrap=no -LLLx -D "cn=directory manager" -W -H ldap://server.example.com -b cn=config aci=* aci -s base
    dn: cn=config
    aci: (target = "ldap:///cn=export,cn=tasks,cn=config")(targetattr="*")(version 3.0 ; acl "permission: Allow export_users group to export data" ; allow (add, read, search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
    aci: (target = "ldap:///cn=config")(targetattr = "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir")(version 3.0 ; acl "permission: Allow export_users group to access ldifdir attribute" ; allow (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
    ...

11.2. Performing an export as a regular user

You can perform exports as a regular user instead of cn=Directory Manager.

Prerequisites

  • You enabled members of the cn=export_users,ou=groups,dc=example,dc=com group to export data.
  • The user you use to perform the export is a member of the cn=export_users,ou=groups,dc=example,dc=com group.

Procedure

  • Create a export task using one of the following methods:

    • Using the dsconf backend export command:

      # dsconf -D "uid=example,ou=People,dc=example,dc=com" ldap://server.example.com backend export userRoot
    • By manually creating the task:

      # ldapadd -D "uid=example,ou=People,dc=example,dc=com" -W -H ldap://server.example.com
      
      dn: cn=userRoot-2021_07_23_12:55_00,cn=export,cn=tasks,cn=config
      changetype: add
      objectClass: extensibleObject
      nsFilename: /var/lib/dirsrv/slapd-instance_name/ldif/None-userroot-2021_07_23_12:55_00.ldif
      nsInstance: userRoot
      cn: export-2021_07_23_12:55_00

Verification

  • Verify that the backup was created:

    # ls -l /var/lib/dirsrv/slapd-instance_name/ldif/*.ldif
    total 0
    -rw-------. 1 dirsrv dirsrv 10306 Jul 23 12:55 None-userroot-2021_07_23_12_55_00.ldif
    ...

Additional resources