After some more investigation, it appears that there may be more ACIs missing.

I added the missing permission (System: Read Replication Agreements) on all my 
masters, and then the installation failed at this point:
---------------------------
[28/43]: setting up initial replication
Starting replication, please wait until this has completed.
  [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 
'nsds5BeginReplicaRefresh' attribute of entry 
'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping
 tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    {'info': 
"Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of 
entry 
'cn=metodc2-ipa-dev-van.mydomain.net,cn=replica,cn=dc\\3dmydomain\\2cdc\\3dnet,cn=mapping
 tree,cn=config'.\n", 'desc': 'Insufficient access'}
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information

Because of that, and a comparison with my earlier ldif files from earlier 
versions of FreeIPA, I noticed the following ACI is also missing from the 
mapping tree:
--------------------------------------
# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=mydomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
 s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
 ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
 nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
 reements,cn=permissions,cn=pbac,dc=mydomain,dc=net";)

After I added that, I attempted my replica installation again; this time it 
failed on the o=ipaca branch:
----------------------------------------
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 
seconds
  [1/23]: creating certificate server user
  [2/23]: creating certificate server db
  [3/23]: setting up initial replication
  [error] INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 
'nsDS5ReplicaBindDN' attribute of entry 'cn=replica,cn=o\\3dipaca,cn=mapping 
tree,cn=config'.\n", 'desc': 'Insufficient access'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    {'info': 
"Insufficient 'write' privilege to the 'nsDS5ReplicaBindDN' attribute of entry 
'cn=replica,cn=o\\3dipaca,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient 
access'}
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The 
ipa-replica-install command failed. See /var/log/ipareplica-install.log for 
more information

Looking at that branch of the LDAP tree, I noticed some differences:
---------------------------------------------------------------------------
In cn=yourdomain,cn=mapping tree,cn=config you will find the following 
permissions:
permission:Add Replication Agreements
In cn=o=ipaca,cn=mapping tree,cn=config you will find the following 
permissions:
cert manager: Add Replication Agreements

=========================
So I think there are actually 3 issues:
===========================
1. Missing ACI on the base cn=config entry
2. Missing ACI on the dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config branch
3. ACIs are on the o=ipaca branch, but they are wrong, as they only apply to 
the cert manager and not to all users
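
As an added example (not part of this thread and not FreeIPA's own tooling), the following Python script does the comparison described above mechanically instead of by eye: it parses two dumps produced by ldapsearch -b "cn=config" "(aci=*)" aci, joins the LDIF continuation lines, and reports, per DN, which named ACIs a replica lost relative to a healthy master (issues 1 and 2), plus which mapping-tree ACIs are granted only to a single userdn rather than a permission group (issue 3). The two dumps embedded in it are constructed and shortened (attribute lists trimmed) so it runs offline; strip the "> " quote prefixes before feeding it real dumps from the thread.

```python
import re

# The two pieces of an ACI this check cares about: its quoted name and its bind rule(s).
ACL_NAME_RE = re.compile(r'\b(?:acl|aci)\s+"([^"]+)"')
BIND_RULE_RE = re.compile(r'\b(userdn|groupdn)\s*=\s*"[^"]+"')

def unfold_ldif(text):
    """Split an ldapsearch LDIF dump into records, joining folded continuation
    lines (a leading space continues the previous line) and dropping comments."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if raw == '':
            if current:
                records.append(current)
            current = []
        elif raw.startswith(' ') and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records

def parse_acis(text):
    """Map each DN in the dump to the list of its aci values (records without a dn,
    such as the trailing 'search:'/'result:' record, are ignored)."""
    acis = {}
    for lines in unfold_ldif(text):
        dn, values = None, []
        for line in lines:
            attr, sep, value = line.partition(':')
            if sep and attr.lower() == 'dn':
                dn = value.strip()
            elif sep and attr.lower() == 'aci':
                values.append(value.strip())
        if dn is not None:
            acis[dn] = values
    return acis

def aci_name(aci):
    """The quoted acl/aci name, e.g. 'permission:Add Replication Agreements'."""
    m = ACL_NAME_RE.search(aci)
    return m.group(1) if m else aci

def missing_acis(reference, candidate):
    """Per DN, ACI names present in the reference dump but absent from the candidate."""
    cand = parse_acis(candidate)
    missing = {}
    for dn, values in parse_acis(reference).items():
        have = {aci_name(a) for a in cand.get(dn, [])}
        lost = [aci_name(a) for a in values if aci_name(a) not in have]
        if lost:
            missing[dn] = lost
    return missing

def userdn_only_acis(text, dn_suffix='cn=mapping tree,cn=config'):
    """ACIs under the mapping tree granted only via userdn (one account, the cert
    manager) instead of a permission group: the third issue in the post."""
    result = {}
    for dn, values in parse_acis(text).items():
        for a in values:
            if dn.endswith(dn_suffix) and set(BIND_RULE_RE.findall(a)) == {'userdn'}:
                result.setdefault(dn, []).append(aci_name(a))
    return result

# Constructed sample dumps with shortened attribute lists: REFERENCE_DUMP is a healthy
# master, CANDIDATE_DUMP a replica that lost the replication-management ACIs.
REFERENCE_DUMP = r"""# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
aci: (targetattr = "cn || nsds5replicabinddn")(targetfilter = "(objectclass=nsd
 s5Replica)")(version 3.0;acl "permission:System: Read Replication Agreements"
 ;allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication A
 greements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(version 3.0; acl "permission:Modify Replication Agreements"
 ; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreem
 ents,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
 ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

# search result
search: 2
result: 0 Success
"""

CANDIDATE_DUMP = r"""dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
 ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)

dn: cn=o\3Dipaca,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
 ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
"""
```

Running missing_acis(REFERENCE_DUMP, CANDIDATE_DUMP) on the constructed dumps reports the System: Read Replication Agreements ACI lost from cn=config and both permission ACIs lost from the domain's mapping-tree entry, while userdn_only_acis(REFERENCE_DUMP) flags the o=ipaca mapping-tree ACI that is bound to uid=pkidbuser alone. The comparison is by ACI name only, so an ACI whose name survives but whose bind rule or target changed would not be reported; diff the full values if that matters.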

-----Original Message-----
From: Martin Basti [mailto:mba...@redhat.com] 
Sent: January-25-16 4:57 AM
To: Nathan Peters; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
DuplicateEntry: This entry already exists

Thank you,

I found the root cause of why the "System: Read Replication Agreements" ACI is 
not on the replica.

https://fedorahosted.org/freeipa/ticket/5631

I have to figure out why this permission is added on CentOS 7.2, because IMO 
this bug has been there since 4.0.


On 24.01.2016 03:22, Nathan Peters wrote:
> I can now confirm that this is a 100% reproducible bug, and a pretty severe 
> one at that.  You should be able to reproduce this issue at will if you 
> follow these steps.  It may actually be possible with fewer servers and fewer 
> steps, but here is what I did in a test lab today:
>
> 1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0 with 3 
> servers, dc1, dc2, dc3, replicating any way you want.
> 2. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the 
> server / VM / whatever you have it running on.
> 3. Install Fedora 23 on the same IP address and hostname 
> (dc2.ipatestdomain.net).  Install FreeIPA server 4.2.3 from the replica file 
> created on the CA master (dc1).
>
> Check the ACIs on dc2.  You will notice it's now missing a bunch of stuff.  So 
> basically, all it takes to lose that ACL is to create a Fedora FreeIPA server 
> and join it to a CentOS domain.
> After I had upgraded all 3 to Fedora, that ACL was lost permanently, as it no 
> longer existed on any server because there were no CentOS servers left.
>
> I'm assuming since this is so easy to reproduce, that you don't actually need 
> my log files.
>
> ACL comparisons below for reference:
> 1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists 
> of only CentOS servers
> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now 
> a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference, to show that the 
> CentOS ACL hasn't changed yet)
> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server created from a 
> replica file made from dc1, the CentOS 7.2 CA master (missing some stuff)
> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing 
> some stuff)
>
> ============================================================================
> 1. ACL on dc1 when it's on FreeIPA 4.2.0 on CentOS 7.2 and the domain consists 
> of only CentOS servers
> ============================================================================
> [root@dc1 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" 
> "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership 
> T
>   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership 
> Task
>   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>   jectclass || passsyncmanagersdns*")(target = 
> "ldap:///cn=ipa_pwd_extop,cn=plu
>   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers 
> Configura
>   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync 
> Manager
>   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers 
> C
>   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers 
> Co
>   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm 
> databas
>   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database 
> Confi
>   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM 
> Databas
>   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
>   roupdn = "ldap:///cn=Add Configuration 
> Sub-Entries,cn=permissions,cn=pbac,dc=
>   ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
>   timestamp || nsds50ruv || nsds5beginreplicarefresh || 
> nsds5debugreplicatimeou
>   t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || 
> n
>   sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || 
> nsds
>   5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
>   nsds5replicachangessentsincestartup || nsds5replicacleanruv || 
> nsds5replicacl
>   eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || 
> nsds5repl
>   icahost || nsds5replicaid || nsds5replicalastinitend || 
> nsds5replicalastinits
>   tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || 
> nsds5repli
>   calastupdatestart || nsds5replicalastupdatestatus || 
> nsds5replicalegacyconsum
>   er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
>   nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || 
> nsds5re
>   plicasessionpausetime || nsds5replicastripattrs || 
> nsds5replicatedattributeli
>   st || nsds5replicatedattributelisttotal || nsds5replicatimeout || 
> nsds5replic
>   atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || 
> n
>   sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || 
> nsd
>   s7directoryreplicasubtree || nsds7dirsynccookie || 
> nsds7newwingroupsyncenable
>   d || nsds7newwinusersyncenabled || nsds7windowsdomain || 
> nsds7windowsreplicas
>   ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync 
> ||
>    winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || 
> winsyncsub
>   treepair || winsyncwindowsfilter")(targetfilter = 
> "(|(objectclass=nsds5Replic
>   
> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>   greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: 
> R
>   ead Replication Agreements";allow (compare,read,search) groupdn = 
> "ldap:///cn
>   =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>   n,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
>   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
>   n"; allow (add) groupdn = "ldap:///cn=Modify Replication 
> Agreements,cn=permis
>   sions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
>   -initialization"; allow (add) userdn = 
> "ldap:///uid=pkidbuser,ou=people,o=ipa
>   ca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
>   , compare, search) groupdn = 
> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>   atestdomain,dc=net";)
> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi
>   p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember 
> Ta
>   sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read 
> Automembe
>   r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
>   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
>   d, search ) userdn = "ldap:///all";;)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
>    search, compare, proxy) userdn = "ldap:///anyone";; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
>   low (add) groupdn = "ldap:///cn=Add Replication 
> Agreements,cn=permissions,cn=
>   pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   
> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication 
> Agreeme
>   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication 
> Ag
>   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl 
> "permission:Rem
>   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove 
> Repli
>   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
>   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   
> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication 
> Agre
>   ements"; allow (read, write, search) userdn = 
> "ldap:///uid=pkidbuser,ou=peopl
>   e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>   Remove Replication Agreements";allow (delete) userdn = 
> "ldap:///uid=pkidbuser
>   ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
>   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA 
> Range";
>   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA 
> Range,cn=permiss
>   ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication 
> Agreement
>   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
> ============================================================================
> 2. ACL on dc1 when it's still on FreeIPA 4.2.0 on CentOS 7.2 but there is now 
> a Fedora 23 FreeIPA 4.2.3 server in the domain (for reference, to show that the 
> CentOS ACL hasn't changed yet)
> ============================================================================
> ================ after reinstallation of dc2 in fedora 23 / ipa 4.2.3 
> =========================
>
> [root@dc1 ~]# ldapsearch -b "cn=config" -D 
> "uid=admin,cn=users,cn=accounts,dc=ipatestdomain,dc=net" -W
> Enter LDAP Password:
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership 
> T
>   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership 
> Task
>   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>   jectclass || passsyncmanagersdns*")(target = 
> "ldap:///cn=ipa_pwd_extop,cn=plu
>   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers 
> Configura
>   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync 
> Manager
>   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers 
> C
>   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers 
> Co
>   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm 
> databas
>   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database 
> Confi
>   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM 
> Databas
>   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
>   roupdn = "ldap:///cn=Add Configuration 
> Sub-Entries,cn=permissions,cn=pbac,dc=
>   ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
>   timestamp || nsds50ruv || nsds5beginreplicarefresh || 
> nsds5debugreplicatimeou
>   t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || 
> n
>   sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || 
> nsds
>   5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
>   nsds5replicachangessentsincestartup || nsds5replicacleanruv || 
> nsds5replicacl
>   eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || 
> nsds5repl
>   icahost || nsds5replicaid || nsds5replicalastinitend || 
> nsds5replicalastinits
>   tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || 
> nsds5repli
>   calastupdatestart || nsds5replicalastupdatestatus || 
> nsds5replicalegacyconsum
>   er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
>   nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || 
> nsds5re
>   plicasessionpausetime || nsds5replicastripattrs || 
> nsds5replicatedattributeli
>   st || nsds5replicatedattributelisttotal || nsds5replicatimeout || 
> nsds5replic
>   atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || 
> n
>   sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || 
> nsd
>   s7directoryreplicasubtree || nsds7dirsynccookie || 
> nsds7newwingroupsyncenable
>   d || nsds7newwinusersyncenabled || nsds7windowsdomain || 
> nsds7windowsreplicas
>   ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync 
> ||
>    winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || 
> winsyncsub
>   treepair || winsyncwindowsfilter")(targetfilter = 
> "(|(objectclass=nsds5Replic
>   
> a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
>   greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: 
> R
>   ead Replication Agreements";allow (compare,read,search) groupdn = 
> "ldap:///cn
>   =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
>   n,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
>   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
>   n"; allow (add) groupdn = "ldap:///cn=Modify Replication 
> Agreements,cn=permis
>   sions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
>   -initialization"; allow (add) userdn = 
> "ldap:///uid=pkidbuser,ou=people,o=ipa
>   ca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
>   , compare, search) groupdn = 
> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>   atestdomain,dc=net";)
> aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membershi
>   p,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember 
> Ta
>   sks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read 
> Automembe
>   r Tasks,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
>   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
>   d, search ) userdn = "ldap:///all";;)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
>    search, compare, proxy) userdn = "ldap:///anyone";; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
>   low (add) groupdn = "ldap:///cn=Add Replication 
> Agreements,cn=permissions,cn=
>   pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   
> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication 
> Agreeme
>   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication 
> Ag
>   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl 
> "permission:Rem
>   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove 
> Repli
>   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
>   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   
> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication 
> Agre
>   ements"; allow (read, write, search) userdn = 
> "ldap:///uid=pkidbuser,ou=peopl
>   e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>   Remove Replication Agreements";allow (delete) userdn = 
> "ldap:///uid=pkidbuser
>   ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
>   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA 
> Range";
>   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA 
> Range,cn=permiss
>   ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication 
> Agreement
>   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
>
> ============================================================================
> 3. ACL on dc2 when it's now a Fedora 23 FreeIPA 4.2.3 server and the replica 
> file was made from dc1, which is a CentOS server that still has the 
> ACLs (missing some stuff)
> ============================================================================
> aci list on dc2
>
> [root@dc2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" 
> "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership 
> T
>   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership 
> Task
>   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>   jectclass || passsyncmanagersdns*")(target = 
> "ldap:///cn=ipa_pwd_extop,cn=plu
>   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers 
> Configura
>   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync 
> Manager
>   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers 
> C
>   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers 
> Co
>   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm 
> databas
>   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database 
> Confi
>   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM 
> Databas
>   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
>   roupdn = "ldap:///cn=Add Configuration 
> Sub-Entries,cn=permissions,cn=pbac,dc=
>   ipatestdomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
>   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
>   n"; allow (add) groupdn = "ldap:///cn=Modify Replication 
> Agreements,cn=permis
>   sions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
>   -initialization"; allow (add) userdn = 
> "ldap:///uid=pkidbuser,ou=people,o=ipa
>   ca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
>   , compare, search) groupdn = 
> "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>   atestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
>   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
>   d, search ) userdn = "ldap:///all";;)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
>    search, compare, proxy) userdn = "ldap:///anyone";; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
>   low (add) groupdn = "ldap:///cn=Add Replication 
> Agreements,cn=permissions,cn=
>   pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   
> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication 
> Agreeme
>   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication 
> Ag
>   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl 
> "permission:Rem
>   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove 
> Repli
>   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
>   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   
> s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication 
> Agre
>   ements"; allow (read, write, search) userdn = 
> "ldap:///uid=pkidbuser,ou=peopl
>   e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>   Remove Replication Agreements";allow (delete) userdn = 
> "ldap:///uid=pkidbuser
>   ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
>   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA 
> Range";
>   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA 
> Range,cn=permiss
>   ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
> ============================================================================
> 4. ACL on dc1 when it's now a Fedora 23 FreeIPA 4.2.3 server (now missing some stuff)
> ============================================================================
> [root@dc1 yum.repos.d]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (aci=*)
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
>   ead, search, compare) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
> aci: (target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
>   targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
>   ask";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task
>   ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
>   jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
>   gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
>   tion";allow (compare,read,search) groupdn = "ldap:///cn=Read PassSync Manager
>   s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
>   cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
>   onfiguration";allow (write) groupdn = "ldap:///cn=Modify PassSync Managers Co
>   nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
>   slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm databas
>   e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
>   guration";allow (compare,read,search) groupdn = "ldap:///cn=Read LDBM Databas
>   e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
>   roupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
>   ipatestdomain,dc=net";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 3.0;acl
>   "snmp";allow (read, search, compare)(userdn = "ldap:///anyone";);)
>
> # tasks, config
> dn: cn=tasks,cn=config
> aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
>   n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
>   sions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re
>   -initialization"; allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipa
>   ca";)
> aci: (targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read
>   , compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=grip
>   atestdomain,dc=net";)
>
> # csusers, config
> dn: ou=csusers,cn=config
> aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication use
>   rs"; allow (all) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
>
> # 1.3.6.1.4.1.4203.1.9.1.1, features, config
> dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( rea
>   d, search ) userdn = "ldap:///all";;)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read,
>    search, compare, proxy) userdn = "ldap:///anyone";; )
>
> # dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
> dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
>   low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
>   pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
>   nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
>   reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
>   ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
>   cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # o\3Dipaca, mapping tree, config
> dn: cn=o\3Dipaca,cn=mapping tree,cn=config
> aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements"
>   ;allow (add) userdn = "ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
>   s5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectCl
>   ass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agre
>   ements"; allow (read, write, search) userdn = "ldap:///uid=pkidbuser,ou=peopl
>   e,o=ipaca";)
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
>   jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager:
>   Remove Replication Agreements";allow (delete) userdn = "ldap:///uid=pkidbuser
>   ,ou=people,o=ipaca";)
>
> # ldbm database, plugins, config
> dn: cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; a
>   llow (read) userdn="ldap:///uid=pkidbuser,ou=people,o=ipaca";;)
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl
>   "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
>   Range,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
> aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThre
>   shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
>   allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permiss
>   ions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # userRoot, ldbm database, plugins, config
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> aci: (targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the databas
>   e readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreement
>   s,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 12
> # numEntries: 11
>
>
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmegg...@redhat.com]
> Sent: January-22-16 10:24 AM
> To: Nathan Peters; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with 
> DuplicateEntry: This entry already exists
>
> On 01/22/2016 11:04 AM, Nathan Peters wrote:
>> Wow, strange stuff, the search I linked in the last email for our non-working 
>> dev environment seems short some entries.
>>
>> For comparison, here is the same search run against our currently working 
>> prod environment.
>>
>> As you can see, our prod environment has a huge aci on the config tree.
>>
>> For reference, our prod and dev environments were identical (FreeIPA 
>> 4.1.4/CentOS7.1) before I updated our dev environment to 
>> CentOS7.2/FreeIPA4.2.0 -> Fedora23/FreeIPA4.2.3 -> Fedora23/FreeIPA4.3.0.  
>> So at some point during this upgrade process I assume maybe one of the 
>> installers deleted acis on our tree?  That sounds like the kind of thing 
>> that would happen when introducing the new domain level functionality in 
>> 4.3, like if someone accidentally thought "oh this replica branch is now in 
>> a globally replicated section, we can remove these acis for this local 
>> stuff..." and then put that logic into the installer or something...
>>
>> The real question is, is there some good way of getting those ACIs back, 
>> like a fixaci command?
> I don't know.
>


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
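The thread's method, dumping `aci` under cn=config on a working server and on the broken one and comparing by eye, can be scripted so that the comparison is exact and the result is something `ldapmodify` can apply. The script below is an added example written for this page; it is not FreeIPA code and not something posted in the thread. It assumes the two inputs are the raw output of the `ldapsearch -D "cn=directory manager" -W -b cn=config "(aci=*)" aci` command shown above, one per server. The two dumps embedded in it are constructed: abbreviated from ACIs quoted in the thread, with the thread's dc=ipatestdomain,dc=net suffix, and folded the way ldapsearch prints them. It rejoins LDIF continuation lines (the same folding that the mail client mangled above), collects the `aci` values per DN, reports what the working server has that the broken one lacks, and emits an LDIF modify that adds them back.

```python
"""Diff the ACIs under cn=config between a working and a broken FreeIPA/389-DS
server and emit an ldapmodify LDIF that re-adds what the broken one lacks.

Added example, not FreeIPA code.  Input is the raw output of
    ldapsearch -D "cn=directory manager" -W -b cn=config "(aci=*)" aci
from each server.  The two dumps below are constructed, abbreviated from the
ACIs quoted in the thread (dc=ipatestdomain,dc=net suffix)."""
import sys
from collections import OrderedDict

# Constructed "working server" dump, folded exactly as ldapsearch prints it.
GOOD_LDIF = r"""dn: cn=tasks,cn=config
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initializatio
 n"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permis
 sions,cn=pbac,dc=ipatestdomain,dc=net";)

# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(ob
 jectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Rem
 ove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Repli
 cation Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

# search result
search: 2
result: 0 Success
"""

# Constructed "broken server" dump: cn=tasks has no ACI left (so it no longer
# matches (aci=*) at all) and the Remove ACI is gone from the mapping tree.
BAD_LDIF = r"""# dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config
dn: cn=dc\3Dipatestdomain\2Cdc\3Dnet,cn=mapping tree,cn=config
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=ipatestdomain,dc=net";)
"""


def unfold_ldif(text):
    """Rejoin LDIF continuation lines (a leading single space continues the
    previous line, per RFC 2849) and drop comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_acis(text):
    """Return {dn: [aci value, ...]} in order of appearance."""
    entries, dn = OrderedDict(), None
    for line in unfold_ldif(text):
        if not line.strip():  # a blank line ends the current entry
            dn = None
            continue
        # Split on the first ':' only; aci values themselves contain ldap:///
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            dn = value
            entries.setdefault(dn, [])
        elif attr == "aci" and dn is not None:
            entries[dn].append(value)
    return entries


def missing_acis(good, bad):
    """Per DN, the ACIs the working server has that the broken one lacks.
    Exact string comparison: ns-slapd stores aci values verbatim, so even a
    whitespace-only difference is reported and should be reviewed by eye."""
    diff = OrderedDict()
    for dn, acis in good.items():
        present = set(bad.get(dn, []))
        gone = [a for a in acis if a not in present]
        if gone:
            diff[dn] = gone
    return diff


def to_ldif_modify(diff):
    """Render the diff as ldapmodify input: one modify per DN, all missing
    values under a single 'add: aci'.  Lines are left unfolded; ldapmodify
    does not require the 76-column folding that ldapsearch emits."""
    blocks = []
    for dn, acis in diff.items():
        lines = ["dn: " + dn, "changetype: modify", "add: aci"]
        lines += ["aci: " + a for a in acis]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Usage: python aci_diff.py good.ldif bad.ldif > missing.ldif
    if len(sys.argv) == 3:
        good_text, bad_text = (open(p).read() for p in sys.argv[1:])
    else:
        good_text, bad_text = GOOD_LDIF, BAD_LDIF
    sys.stdout.write(to_ldif_modify(
        missing_acis(parse_acis(good_text), parse_acis(bad_text))))
```

Apply the result on the broken server with `ldapmodify -D "cn=directory manager" -W -f missing.ldif`. Two things to keep in mind: entries under cn=config are per-server and are not replicated, so each server needs its own dump compared and its own fix, exactly as the first message in this thread had to add the permission on every master; and if the DN itself does not exist on the broken server (for instance a mapping tree entry), ldapmodify will fail with noSuchObject, which means the entry rather than just its ACI is what went missing.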
