Ok, might be something having to do with IPA. I’ll play more with it.
Thanks!!
Sergei
On Aug 17, 2018, at 4:51 PM, Mark Reynolds <mreynolds(a)redhat.com> wrote:
On 08/17/2018 04:59 PM, Sergei Gerasenko wrote:
> Hi Mark,
>
> I have a test instance of 389-ds running on a vm. I’ve tried updating the aci like this:
>
> dn: cn=mapping tree,cn=config
> changetype: modify
> replace: aci
> aci: (targetattr = "cn || nsuniqueid || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || MORE STUFF)
>  (targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree)(objectClass=nsTombstone))")
>  (version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=MYREALM,dc=net";)
>
>
> But still executing the command below produces no output. Executing the command as admin does work:
>
> ldapsearch -h localhost -LLL -x -D 'uid=ipamonitor,cn=users,cn=accounts,dc=sgerasenko,dc=net' -w PWD '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))' nsds50ruv
>
> I’ve verified that "ipamonitor" does have "Read Replication Agreements" assigned.
Works for me if I add this aci:
dn: cn=mapping tree,cn=config
aci: (targetattr = "*")(version 3.0; acl "All user to read agreements"; allow (read,compare,search) (userdn = "ldap:///uid=mark,o=mark")
ldapsearch -h localhost -LLL -x -D 'uid=mark,o=mark' -w password -b o=mark "(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectClass=nsTombstone))"
dn: cn=replica,cn=o\3Dmark,cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: o=mark
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 1
nsds5ReplicaPurgeDelay: 604800
cn: replica
nsState:: AQAAAAAAAADwQHdbAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAAAAA==
nsDS5ReplicaName: e8f8e603-a24111e8-9b9de135-a578ede1
nsds50ruv: {replicageneration} 5b770413000000010000
nsds50ruv: {replica 1 ldap://localhost.localdomain:389} 5b773c20000000010000 5b7740f0000200010000
nsds5agmtmaxcsn: o=mark;f;localhost.localdomain;4444;unavailable
nsruvReplicaLastModified: {replica 1 ldap://localhost.localdomain:389} 00000000
nsds5ReplicaChangeCount: 6
nsds5replicareapactive: 0
>
> Any ideas what could be missing?
>
> Thanks,
> Sergei
>
>
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
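As an added illustration (not code from the thread, from 389-ds or from FreeIPA), the following Python script is a toy evaluator for the ACI subset the two posters exchange above: a `targetattr` list, a `targetfilter`, and one `userdn`/`groupdn` bind rule inside an `allow` clause. It does not model deny rules, multiple bind rules, macro ACIs, or the IPA permission framework, so it is a reading aid for the ACI text, not a substitute for the server's ACL engine. The replica entry is constructed from Mark's `ldapsearch` output, Mark's ACI is copied on one line, and Sergei's ACI is a constructed simplification (shortened attribute list, a group under `dc=example,dc=net` standing in for the redacted realm). The checks show the difference between `targetattr = "*"` and an explicit list, and that the group-based ACI as written grants `nsds50ruv` to a group member, so a denial on a real server points at something outside the ACI text (group membership as the server resolves it, other ACIs, or IPA's managed permissions), which is the direction Sergei's closing remark takes.

```python
import re

def normalize_dn(dn):
    """Lower-case a DN, drop an ldap:/// prefix and whitespace around commas."""
    dn = dn.strip()
    if dn.lower().startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return re.sub(r"\s*,\s*", ",", dn).lower()

def parse_filter(s, i=0):
    """Recursive-descent parser for LDAP filters: &, |, equality and presence."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value.strip()), j + 1

def match_filter(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> values)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(match_filter(child, entry) for child in node[1])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values

def parse_aci(aci):
    """Extract targetattr, targetfilter, permissions and the bind rule from an ACI."""
    m = re.search(r'targetattr\s*=\s*"([^"]*)"', aci)
    targetattr = {a.strip().lower() for a in m.group(1).split("||")} if m else {"*"}
    m = re.search(r'targetfilter\s*=\s*"([^"]*)"', aci)
    targetfilter = parse_filter(m.group(1))[0] if m else None
    m = re.search(r'allow\s*\(([^)]*)\)\s*\(?\s*(userdn|groupdn)\s*=\s*"([^"]*)"', aci, re.I)
    if not m:
        raise ValueError('only allow (...) userdn/groupdn = "..." rules are modelled')
    return {"targetattr": targetattr, "targetfilter": targetfilter,
            "perms": {p.strip().lower() for p in m.group(1).split(",")},
            "bind_type": m.group(2).lower(), "bind_dn": normalize_dn(m.group(3))}

def allowed(aci, entry, attr, bind_dn, groups=(), perm="read"):
    """True when `aci` grants `perm` on `attr` of `entry` to `bind_dn` (member of `groups`)."""
    rule = parse_aci(aci)
    if perm not in rule["perms"]:
        return False
    if rule["targetfilter"] and not match_filter(rule["targetfilter"], entry):
        return False
    if "*" not in rule["targetattr"] and attr.lower() not in rule["targetattr"]:
        return False
    if rule["bind_type"] == "userdn":
        return normalize_dn(bind_dn) == rule["bind_dn"]
    return rule["bind_dn"] in {normalize_dn(g) for g in groups}

# Constructed replica entry modelled on the ldapsearch output in the thread.
REPLICA_ENTRY = {
    "objectclass": ["nsDS5Replica", "top"],
    "cn": ["replica"],
    "nsds50ruv": ["{replicageneration} 5b770413000000010000"],
    "nsstate": ["AQAAAAAAAADwQHdbAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAAAAA=="],
}

# Mark's ACI from the thread, written on one line.
MARK_ACI = ('(targetattr = "*")(version 3.0; acl "All user to read agreements"; '
            'allow (read,compare,search) (userdn = "ldap:///uid=mark,o=mark")')

# Constructed simplification of Sergei's ACI: explicit attribute list, groupdn
# bind rule, and dc=example,dc=net standing in for the redacted realm.
READERS = "cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=net"
SERGEI_ACI = ('(targetattr = "cn || nsuniqueid || createtimestamp || description || '
              'entryusn || modifytimestamp || nsds50ruv")'
              '(targetfilter = "(|(objectclass=nsds5Replica)'
              '(objectclass=nsds5replicationagreement)(objectClass=nsTombstone))")'
              '(version 3.0;acl "permission:Read Replication Agreements";'
              'allow (compare,read,search) groupdn = "ldap:///%s";)' % READERS)
MONITOR = "uid=ipamonitor,cn=users,cn=accounts,dc=example,dc=net"

def checks():
    """Run the comparisons discussed in the thread; returns name -> granted?"""
    other = {"objectclass": ["top", "organization"]}  # entry outside the targetfilter
    return {
        "mark_reads_ruv": allowed(MARK_ACI, REPLICA_ENTRY, "nsds50ruv", "uid=mark,o=mark"),
        "monitor_in_group_reads_ruv": allowed(SERGEI_ACI, REPLICA_ENTRY, "nsds50ruv", MONITOR, [READERS]),
        "monitor_without_group": allowed(SERGEI_ACI, REPLICA_ENTRY, "nsds50ruv", MONITOR),
        "monitor_reads_nsstate": allowed(SERGEI_ACI, REPLICA_ENTRY, "nsstate", MONITOR, [READERS]),
        "monitor_reads_other_entry": allowed(SERGEI_ACI, other, "cn", MONITOR, [READERS]),
    }

if __name__ == "__main__":
    for name, granted in checks().items():
        print("%-28s %s" % (name, "allow" if granted else "deny"))
```

Run it as a script to print one allow/deny line per check. When comparing an ACI against a real server, the authoritative answer is the server's own access log and `ldapsearch` result under the monitoring bind; this evaluator only helps confirm that the ACI text says what you think it says before you go looking elsewhere.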