On 08/17/2018 02:07 PM, Sergei Gerasenko wrote:
Thanks, Mark. I think I will have to do this directly in dse.ldif by
stopping the server, editing the ldif and starting it again?
In this case that would be the easiest way to edit this aci, but
typically I would suggest using ldapmodify instead.
Looks like there’s already an ACI for it, but it doesn’t include those
attrs. So I think I will need to add them. Currently it looks like this:
dn: cn=mapping tree,cn=config
aci: (targetattr = "cn || createtimestamp || description || entryusn ||
  modifytimestamp || nsds50ruv || nsds5beginreplicarefresh ||
  nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv ||
  nsds5replicaautoreferral || nsds5replicabackoffmax ||
  nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod ||
  nsds5replicabusywaittime || nsds5replicachangecount ||
  nsds5replicachangessentsincestartup || nsds5replicacleanruv ||
  nsds5replicacleanruvnotified || nsds5replicacredentials ||
  nsds5replicaenabled || nsds5replicahost || nsds5replicaid ||
  nsds5replicalastinitend || nsds5replicalastinitstart ||
  nsds5replicalastinitstatus || nsds5replicalastupdateend ||
  nsds5replicalastupdatestart || nsds5replicalastupdatestatus ||
  nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport ||
  nsds5replicaprotocoltimeout || nsds5replicapurgedelay ||
  nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime ||
  nsds5replicastripattrs || nsds5replicatedattributelist ||
  nsds5replicatedattributelisttotal || nsds5replicatimeout ||
  nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo ||
  nsds5replicatype || nsds5replicaupdateinprogress ||
  nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree ||
  nsds7dirsynccookie || nsds7newwingroupsyncenabled ||
  nsds7newwinusersyncenabled || nsds7windowsdomain ||
  nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate ||
  objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval ||
  winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")
 (targetfilter = "(|(objectclass=nsds5Replica)
 (objectclass=nsds5replicationagreement)
 (objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")
 (version 3.0;acl "permission:Read Replication Agreements";allow
  (compare,read,search) groupdn = "ldap:///cn=Read Replication
  Agreements,cn=permissions,cn=pbac,dc=MYDC,dc=net";)
But I think I will also need to add the object class
of objectClass=nsTombstone to the targetFilter?
Not sure, one way to find out ;-) The "tombstone" entry is a funny
thing and behaves a little differently, but it should be an easy test
though.
Regards,
Mark
Thanks,
Sergei
On Aug 17, 2018, at 12:23 PM, Mark Reynolds <mreyno...@redhat.com> wrote:
Add an ACI to this entry (using your suffix of course) allowing the
user or group to read/search/compare:
dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config
That should do it :-)
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/MTNV6NY4KI236JX7VNFFLIVHQYWDE6XP/
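
An added example, not part of the original thread or of 389 Directory Server itself: a small Python check that unfolds an ACI copied out of dse.ldif and reports which wanted attributes and object classes its targetattr and targetfilter do not cover, so the gap is known before the ACI is changed. The sample ACI is a constructed, shortened copy of the one quoted in the thread; the suffix dc=example,dc=com and the wanted attribute nsuniqueid are assumptions.

```python
import re

# Constructed sample: shortened copy of the thread's ACI, folded the way
# dse.ldif folds long values. The suffix dc=example,dc=com is a placeholder.
SAMPLE_LDIF = """\
dn: cn=mapping tree,cn=config
aci: (targetattr = "cn || nsds50ruv || nsds5replicaid || nsds5repl
 icahost || nsstate || objectclass")(targetfilter = "(|(objectclass=nsds5Replic
 a)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Repl
 ication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Re
 plication Agreements,cn=permissions,cn=pbac,dc=example,dc=com";)
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]   # drop only the fold marker, keep the rest
        else:
            out.append(line)
    return out

def parse_aci(value):
    """Extract target attributes, filter object classes, name and rights."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', value, re.I)
    tfilter = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', value, re.I)
    rule = re.search(r'acl\s+"([^"]*)"\s*;\s*allow\s*\(([^)]*)\)', value, re.I)
    classes = re.findall(r'objectclass=([^()]+)', tfilter.group(1), re.I) if tfilter else []
    return {
        "attrs": {a.strip().lower() for a in attrs.group(1).split("||")} if attrs else set(),
        "objectclasses": {c.lower() for c in classes},
        "name": rule.group(1) if rule else None,
        "rights": {r.strip() for r in rule.group(2).split(",")} if rule else set(),
    }

def audit(ldif_text, want_attrs, want_classes):
    """Return (missing attributes, missing object classes) for the first aci."""
    line = next(l for l in unfold_ldif(ldif_text) if l.lower().startswith("aci:"))
    aci = parse_aci(line[4:].strip())
    return (sorted(a for a in want_attrs if a.lower() not in aci["attrs"]),
            sorted(c for c in want_classes if c.lower() not in aci["objectclasses"]))

if __name__ == "__main__":
    # nsuniqueid is an assumed example of a wanted attribute, not from the thread.
    print(audit(SAMPLE_LDIF, ["nsds50ruv", "nsuniqueid"], ["nsTombstone", "nsds5Replica"]))
```

Attribute and object class names are compared case-insensitively, matching how LDAP treats them.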