On Thu, Dec 04, 2008 at 12:57:13PM +1000, Brett @Google wrote:
I needed to add more attributes, but primarily only to make my ldap browser happy, allow syncrepl, and some handy informational attributes for the carbon-based lifeforms who maintain the data.
    # allow replicator to read all
    access to *
            by dn.exact="cn=replicator,dc=example,dc=com" read
            by * break
That should be enough for syncrepl (assuming you remove the time and size limits as Gavin pointed out). No rules below this will apply to the replicator user.
    # restricted set of non-operational attributes
    access to attr=c,o,ou,cn,sn,givenName,mail,entry
            by dn.exact="cn=limited,dc=example,dc=com" read
            by * break
    # for browsing / syncrepl
    access to attr=objectClass,hasSubordinates,entryDN,entryCSN,entryUUID
            by dn.exact="cn=limited,dc=example,dc=com" read
            by * break
objectclass would certainly be needed by most LDAP browsers. The others may not be relevant unless you are running a replica whose content is defined by the ACLs that apply to "cn=limited,dc=example,dc=com".
Andrew
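Added example, not part of the thread: a small Python model of how slapd walks the three "access to" directives quoted above, so the effect of "by * break" (and of granting "entry" to the limited user) can be seen without a running server. It is simplified from slapd.access(5) (dn.exact only, no rootdn bypass, no regex or subtree matching) and the sample entry's attribute list is constructed.

```python
# Added example (not from the thread): simplified model of slapd ACL evaluation
# for the directives posted above. Simplifications: dn.exact only, no rootdn
# bypass, no regex/subtree matching, attribute names compared case-insensitively.

# Directives in slapd.conf order, as posted. A clause is (who, level, control);
# "by * break" carries no level because "break" hands evaluation to the next
# directive instead of deciding access.
ACLS = [
    ("*",
     [("cn=replicator,dc=example,dc=com", "read", "stop"), ("*", None, "break")]),
    ("c,o,ou,cn,sn,givenName,mail,entry",
     [("cn=limited,dc=example,dc=com", "read", "stop"), ("*", None, "break")]),
    ("objectClass,hasSubordinates,entryDN,entryCSN,entryUUID",
     [("cn=limited,dc=example,dc=com", "read", "stop"), ("*", None, "break")]),
]

def what_matches(what, attr):
    # "*" covers every attribute, including the "entry" pseudo-attribute.
    return what == "*" or attr.lower() in {a.lower() for a in what.split(",")}

def who_matches(who, bind_dn):
    # "*" is everyone, anonymous (bind_dn None) included; else dn.exact match.
    return who == "*" or who.lower() == (bind_dn or "").lower()

def access_level(bind_dn, attr, acls=ACLS):
    """Level slapd grants bind_dn on attr; 'none' is the default deny."""
    for what, clauses in acls:
        if not what_matches(what, attr):
            continue
        for who, level, control in clauses:
            if not who_matches(who, bind_dn):
                continue
            if control == "stop":
                return level        # first matching clause decides
            if control == "break":
                break               # leave this directive, try the next one
            # "continue": keep checking later clauses of this directive
        else:
            return "none"           # what matched but no clause did: deny
    return "none"                   # no directive applied: deny

def visible_attrs(bind_dn, entry_attrs, acls=ACLS):
    """Attributes a search bound as bind_dn gets back for one entry."""
    if access_level(bind_dn, "entry", acls) != "read":
        return []                   # no read on "entry": entry not returned
    return [a for a in entry_attrs if access_level(bind_dn, a, acls) == "read"]

# Constructed sample entry; userPassword and memberOf are in neither attr list.
SAMPLE = ["objectClass", "cn", "sn", "mail", "userPassword", "entryUUID", "memberOf"]
```

On a real slapd the same question is answered by `slapacl -D cn=limited,dc=example,dc=com -b <entry DN> mail/read`, which uses the server's own ACL engine rather than this model.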