Page created: 6 Nov 2019 | Page updated: 25 Mar 2020
Exec tasks allow administrators and external users to execute a specified command on the server once or as recurring tasks. The server has a number of restrictions to safeguard the use of these commands and ensure that they cannot be used by unauthorized individuals. The set of commands that can be executed is also limited. One of these restrictions is that the absolute path to the command to execute must be listed in the <server-root>/config/exec-command-whitelist.txt file. Other safeguards and requirements include:
- The global configuration must be updated to allow the exec task. The
server does not permit it by default. The following configuration change
enables this:
$ bin/dsconfig set-global-configuration-prop \
--add allowed-task:com.unboundid.directory.server.tasks.ExecTask
- The user scheduling the task must have the exec-task privilege.
The server does not grant permission to run this task to any user by default,
not even root users. The following configuration changes grant the
exec-task privilege to a single root user, all root users,
or a single non-root user:
$ bin/dsconfig set-root-dn-user-prop --user-name "{username}" \
--add privilege:exec-task

$ bin/dsconfig set-root-dn-prop \
--add default-root-privilege-name:exec-task

dn: {userdn}
changetype: modify
add: ds-privilege-name
ds-privilege-name: exec-task
The schedule-exec-task tool can be used to create an exec task from the
command line. For example, the following command can be used to schedule an
exec task to run the verify-index tool to check the integrity
of the cn index in the backend that hosts
"dc=example,dc=com", assuming that the server is installed in /ds:
$ bin/schedule-exec-task --hostname directory.example.com \
--port 389 \
--bindDN uid=admin,dc=example,dc=com \
--promptForBindPassword \
--waitForCompletion \
--logCommandOutput \
/ds/bin/verify-index --baseDN dc=example,dc=com --index cn
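
Because every path in exec-command-whitelist.txt can be run by any user who holds the exec-task privilege, it is worth auditing what the file points at. The script below is an added example, not part of the product or its documentation. It assumes the file holds one absolute path per line with blank lines and # comments ignored, and the finding labels are its own.

```shell
#!/bin/sh
# Added example, not PingDirectory tooling. Assumed file format: one absolute
# path per line; blank lines and lines starting with '#' are skipped.

# Print the path if it is group- or world-writable (-H: judge a symlink's target).
loose_perms() {
    find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Print one finding per line; return 0 if clean, 1 on findings, 2 if unreadable.
audit_exec_whitelist() {
    whitelist=$1
    findings=0
    flag() { printf '%s %s\n' "$1" "$2"; findings=$((findings + 1)); }

    [ -r "$whitelist" ] || { printf 'UNREADABLE %s\n' "$whitelist"; return 2; }
    [ -z "$(loose_perms "$whitelist")" ] || flag WRITABLE_WHITELIST "$whitelist"

    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            '' | '#'*) continue ;;                    # blank line or comment
            /*) ;;                                    # absolute: keep checking
            *) flag NOT_ABSOLUTE "$entry"; continue ;;
        esac
        if [ ! -f "$entry" ] || [ ! -x "$entry" ]; then
            flag NOT_AN_EXECUTABLE_FILE "$entry"; continue
        fi
        [ ! -L "$entry" ] || flag SYMLINK "$entry"
        # Whoever can rewrite the binary, or replace it in its directory,
        # decides what the exec task actually runs.
        [ -z "$(loose_perms "$entry")" ] || flag WRITABLE_FILE "$entry"
        [ -z "$(loose_perms "$(dirname "$entry")")" ] || flag WRITABLE_DIR "$entry"
    done < "$whitelist"

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh <server-root>/config/exec-command-whitelist.txt
if [ $# -gt 0 ]; then audit_exec_whitelist "$1"; fi
```

Run it as the account that owns the server installation so the readability and permission checks reflect what the server process sees.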