On 08/17/2018 02:07 PM, Sergei Gerasenko wrote:
Thanks, Mark. I think I will have to do this directly in dse.ldif by stopping the server, editing the ldif and starting it again?
In this case that would be the easiest way to edit this aci, but typically I would suggest using ldapmodify instead.
Looks like there’s already an ACI for it, but it doesn’t include those attrs. So I think I will need to add them. Currently it looks like this:

dn: cn=mapping tree,cn=config
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
 timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
 t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
 sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
  nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
 eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
 icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
 tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
 calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
 er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
  nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
 plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
 st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
 atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
 sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
 s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
 d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
 ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
  winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
 treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
 a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
 greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Repl
 ication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Re
 plication Agreements,cn=permissions,cn=pbac,dc=MYDC,dc=net";)

But I think I will also need to add the object class of objectClass=nsTombstone to the targetFilter?
Not sure, one way to find out ;-)  The "tombstone" entry is a funny thing and behaves a little differently, but it should be an easy test though.

Regards,
Mark
Thanks,
  Sergei

On Aug 17, 2018, at 12:23 PM, Mark Reynolds <mreyno...@redhat.com> wrote:

Add an ACI to this entry (using your suffix of course) allowing the user or group to read/search/compare:

dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config

That should do it :-)
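
Added example, not part of the original thread: one way to check what an ACI in dse.ldif currently covers before editing it, by unfolding the LDIF and listing its target attributes, the object classes in its target filter, its rights and its bind rule. The sample is a shortened, constructed copy of the ACI quoted above; the function names and the attribute name exampleattr are hypothetical, and the parser assumes a single allow rule with no wildcard in targetattr.

```python
import re

# Constructed sample: a shortened copy of the ACI quoted in the thread, folded
# the way dse.ldif folds long values (a continuation line starts with a space).
SAMPLE_LDIF = """\
dn: cn=mapping tree,cn=config
aci: (targetattr = "cn || nsds50ruv || objectclass")(targetfilter = "(|(object
 class=nsds5Replica)(objectClass=nsMappingTree))")(version 3.0;acl "permission
 :Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///
 cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=MYDC,dc=net";)
"""

TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
RULE_RE = re.compile(r'\(version 3\.0;\s*acl\s+"([^"]*)";\s*allow\s*\(([^)]*)\)\s*(.*);\)\s*$')

def parse_aci(value):
    """Split one unfolded ACI value into the parts a reviewer compares."""
    targets = {k.lower(): (op, v) for k, op, v in TARGET_RE.findall(value)}
    rule = RULE_RE.search(value)
    if rule is None:
        raise ValueError("not an 'allow' ACI in the expected form: " + value[:40])
    attr_op, attrs = targets.get("targetattr", ("=", ""))
    filt = targets.get("targetfilter", ("=", ""))[1]
    return {
        "name": rule.group(1),
        "rights": {r.strip() for r in rule.group(2).split(",")},
        "bind_rule": rule.group(3).strip(),
        "attrs_negated": attr_op == "!=",  # "!=" means every attribute except these
        "attrs": {a.strip().lower() for a in attrs.split("||") if a.strip()},
        "objectclasses": set(re.findall(r"\(objectclass=([^)]*)\)", filt.lower())),
    }

def read_acis(ldif):
    """Unfold the LDIF (newline + one space is a fold) and parse every aci value."""
    dn, found = None, []
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        if line.lower().startswith("dn: "):
            dn = line[4:]
        elif line.lower().startswith("aci: "):
            found.append((dn, parse_aci(line[5:])))
    return found

def missing(aci, attrs=(), objectclasses=()):
    """Return the wanted attributes and object classes the ACI does not name."""
    no_attr = {a for a in attrs if (a.lower() in aci["attrs"]) == aci["attrs_negated"]}
    return no_attr, {o for o in objectclasses if o.lower() not in aci["objectclasses"]}

if __name__ == "__main__":  # "exampleattr" is a hypothetical name for the demo
    for dn, aci in read_acis(SAMPLE_LDIF):
        print(dn, aci["name"], missing(aci, ["nsds50ruv", "exampleattr"], ["nsTombstone"]))
```

Running the same check again after the ACI has been changed shows whether the edit covered what was intended and nothing else.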


_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/MTNV6NY4KI236JX7VNFFLIVHQYWDE6XP/