Ok, might be something having to do with IPA. I’ll play more with it.

Thanks!!
  Sergei

> On Aug 17, 2018, at 4:51 PM, Mark Reynolds <[email protected]> wrote:
> 
> 
> 
> On 08/17/2018 04:59 PM, Sergei Gerasenko wrote:
>> Hi Mark,
>> 
>> I have a test instance of 389-ds running on a vm. I’ve tried updating the 
>> aci like this:
>> 
>> dn: cn=mapping tree,cn=config
>> changetype: modify
>> replace: aci
>> aci: (targetattr = "cn || nsuniqueid || createtimestamp || description || entryusn || modify
>>  timestamp || nsds50ruv || MORE STUFF)(targetfilter = "(|(objectclass=nsds5Replic
>>  a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>>  greement)(objectClass=nsMappingTree)(objectClass=nsTombstone))")(version 3.0;acl "permission:Read Repl
>>  ication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Re
>>  plication Agreements,cn=permissions,cn=pbac,dc=MYREALM,dc=net";)
>> 
>> 
>> But still executing the command below produces no output. Executing the 
>> command as admin does work:
>> 
>> ldapsearch -h localhost -LLL -x -D 'uid=ipamonitor,cn=users,cn=accounts,dc=sgerasenko,dc=net' -w PWD '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))' nsds50ruv
>> 
>> I’ve verified that "ipamonitor" does have "Read Replication Agreements" assigned.
> Works for me if I add this aci:
> 
> dn: cn=mapping tree,cn=config
> aci: (targetattr = "*")(version 3.0; acl "All user to read agreements"; allow
>  (read,compare,search) (userdn = "ldap:///uid=mark,o=mark");)
> 
> ldapsearch -h localhost -LLL -x -D 'uid=mark,o=mark' -w password -b o=mark "(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))"
> dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config
> objectClass: nsDS5Replica
> objectClass: top
> nsDS5ReplicaRoot: o=mark
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsDS5ReplicaId: 1
> nsds5ReplicaPurgeDelay: 604800
> cn: replica
> nsState:: AQAAAAAAAADwQHdbAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAAAAA==
> nsDS5ReplicaName: e8f8e603-a24111e8-9b9de135-a578ede1
> nsds50ruv: {replicageneration} 5b770413000000010000
> nsds50ruv: {replica 1 ldap://localhost.localdomain:389} 5b773c20000000010000 5
>  b7740f0000200010000
> nsds5agmtmaxcsn: o=mark;f;localhost.localdomain;4444;unavailable
> nsruvReplicaLastModified: {replica 1 ldap://localhost.localdomain:389} 0000000
>  0
> nsds5ReplicaChangeCount: 6
> nsds5replicareapactive: 0
> 
>> 
>> Any ideas what could be missing?
>> 
>> Thanks,
>>   Sergei
>> 
>> 
>> _______________________________________________
>> 389-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/MCJ7KRVAYEKGFDZJ2K5EE5HYSPAYGCEF/
> 

List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/IPU6PHOMBXTHR2624IOXQL6ACDFRIEL4/
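
The two ACIs quoted in this thread arrive as folded LDIF. This added Python example, which is not code from the thread or from 389-ds, unfolds the continuation lines and splits each ACI into its clauses so the two can be compared side by side. The sample values are constructed from the message with the elided attribute list shortened, and the regular expressions are an assumption that covers only the ACI shapes seen here.

```python
import re

# Constructed sample: the thread's two ACIs as folded LDIF. The attribute list that
# the poster elided is shortened to names visible in the message.
RESTRICTIVE = '''aci: (targetattr = "cn || nsuniqueid || modify
 timestamp || nsds50ruv")(targetfilter = "(|(objectclass=nsds5Replic
 a)(objectClass=nsTombstone))")(version 3.0;acl "permission:Read Repl
 ication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Re
 plication Agreements,cn=permissions,cn=pbac,dc=MYREALM,dc=net";)'''
PERMISSIVE = '''aci: (targetattr = "*")(version 3.0; acl "All user to read agreements"; allow
 (read,compare,search) (userdn = "ldap:///uid=mark,o=mark");)'''

TARGET = re.compile(r'\(\s*(target\w*)\s*!?=\s*"([^"]*)"\s*\)')
RULE = re.compile(r'\(\s*version 3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
                  r'\(([^)]*)\)\s*\(?\s*(\w+)\s*=\s*"([^"]*)"\s*\)?\s*;\s*\)\s*$')

def unfold(ldif):
    """RFC 2849: a line starting with one space continues the previous line."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def parse_aci(ldif):
    """Split the first aci value in an LDIF fragment into its clauses."""
    value = next(l.split(":", 1)[1].strip() for l in unfold(ldif) if l.lower().startswith("aci:"))
    rule = RULE.search(value)
    if rule is None:
        raise ValueError("ACI does not end in a version 3.0 rule")
    targets = {k.lower(): v for k, v in TARGET.findall(value[:rule.start()])}
    name, kind, perms, bind_kw, bind_dn = rule.groups()
    attrs = targets.get("targetattr", "").split("||")
    return {
        "name": name, "kind": kind,
        "perms": sorted(p.strip() for p in perms.split(",")),
        "targetattr": sorted(a.strip().lower() for a in attrs if a.strip()),
        "targetfilter": targets.get("targetfilter"),
        "bind": (bind_kw.lower(), bind_dn),
    }

def differences(a, b):
    """Names of the clauses in which two parsed ACIs differ."""
    return [k for k in ("targetattr", "targetfilter", "perms", "bind") if a[k] != b[k]]
```

Calling `differences(parse_aci(RESTRICTIVE), parse_aci(PERMISSIVE))` lists the clauses to examine when one ACI returns entries and the other does not.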
