On Tue, 15 Jan 2013 12:56:35 GMT email@example.com wrote
It seems that operational attributes generated by slapo-allowed are replicated.
Works as designed. These attributes are directoryOperation, not DSA-specific. Closing this ITS.
The fact that slapo-allowed in contrib/ does not declare the attribute types as DSA-specific does not mean that they are not DSA-specific. I guess MS AD does not care about subschema DSA-specific or not so we have to apply common sense here.
The allowed* attr values are supposed to be generated based on the local access control configuration. Since with OpenLDAP local configuration and therefore local ACLs can differ on different replicas these attrs MUST NOT be replicated.
Please re-open the ITS.