[389-users] Re: user privileges needed to run repl-monitor.pl

On 08/17/2018 02:07 PM, Sergei Gerasenko wrote:

Thanks, Mark. I think I will have to do this directly in dse.ldif by stopping the server, editing the ldif and starting it again?

In this case that would be the easiest way to edit this aci, but typically I would suggest using ldapmodify instead.

Looks like there's already an ACI for it, but it doesn't include those attrs. So I think I will need to add them. Currently it looks like this:

dn: cn=mapping tree,cn=config

aci: (targetattr = "cn || createtimestamp || description || entryusn || modify

 timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou

 t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n

 sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds

 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||

 nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl

 eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl

 icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits

 tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli

 calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum

 er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||

 nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re

 plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli

 st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic

 atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n

 sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd

 s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable

 d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas

 ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||

  winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub

 treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic

 a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA

 greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Repl

 ication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Re

 plication Agreements,cn=permissions,cn=pbac,dc=MYDC,dc=net";)

But I think I will also need to add the object class of objectClass=nsTombstone to the targetFilter?

Not sure, one way to find out ;-)  The "tombstone" entry is a funny thing and behaves a little differently, but it should be an easy test though.

Regards,
Mark

Thanks,

  Sergei

On Aug 17, 2018, at 12:23 PM, Mark Reynolds <mreynolds@redhat.com> wrote:

Add an ACI to this entry (using your suffix of course) allowing the user or group to read/search/compare:

dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config

That should do it :-)