Thanks, Mark. I think I will have to do this directly in dse.ldif by stopping the server, editing the ldif and starting it again? Looks like there’s already an ACI for it, but it doesn’t include those attrs. So I think I will need to add them. Currently it looks like this:
dn: cn=mapping tree,cn=config aci: (targetattr = "cn || createtimestamp || description || entryusn || modify timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Repl ication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Re plication Agreements,cn=permissions,cn=pbac,dc=MYDC,dc=net";) But I think I will also need to add the object class of objectClass=nsTombstone to the targetFilter? Thanks, Sergei > On Aug 17, 2018, at 12:23 PM, Mark Reynolds <[email protected]> wrote: > > Add an ACI to this entry (using your suffix of course) allowing the user or > group to read/search/compare: > > dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config > > That should do it :-)
_______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/47NT5T2TN5UJJIX27PWJJTNHOZ4SLNPH/
