Thanks, Mark. I think I will have to do this directly in dse.ldif by stopping the server, editing the ldif and starting it again? Looks like there's already an ACI for it, but it doesn't include those attrs. So I think I will need to add them. Currently it looks like this:
But I think I will also need to add the object class of objectClass=nsTombstone to the targetFilter?
dn: cn=mapping tree,cn=config
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Repl
ication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Re
plication Agreements,cn=permissions,cn=pbac,dc=MYDC,dc=net";)
But I think I will also need to add the object class of objectClass=nsTombstone to the targetFilter?
Thanks,
Sergei
On Aug 17, 2018, at 12:23 PM, Mark Reynolds <mreynolds@redhat.com> wrote:Add an ACI to this entry (using your suffix of course) allowing the user or group to read/search/compare:
dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config
That should do it :-)
No comments:
Post a Comment