This bug is created as a clone of upstream ticket:
We want to be able to have non-DM users manage replication agreements. As part of the cleanallruv process it is recommended that the replica being deleted be put into read-only mode.
We delegate permissions for managing replication, so we need to create an aci granting write permission to nsslapd-readonly. To do this, it needs to be added to the schema.
We want to add an aci like:
aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
It fails with:
Invalid syntax: targetattr "nsslapd-readonly" does not exist in schema. Please add attributeTypes "nsslapd-readonly" to schema if necessary.
[jrusnack@dstet dstet]$ grep "nsslapd-readonly" /etc/dirsrv/slapd-dstet/schema/*
/etc/dirsrv/slapd-dstet/schema/01core389.ldif:attributeTypes: ( 2.16.840.1.113722.214.171.1248 NAME 'nsslapd-readonly' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
[jrusnack@dstet dstet]$ rpm -qa | grep 389
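As an added example (not part of this ticket or of 389-ds-base), the check below does offline what the reporter's grep does by hand: it parses attributeTypes definitions from schema LDIF text and reports every attribute named in an ACI's targetattr clause that the schema does not declare. The schema text and OIDs in it are constructed placeholders, not copied from 01core389.ldif. Against the constructed schema the check passes for nsslapd-readonly, which mirrors what the grep output shows and, like the grep, does not by itself explain why the server still rejected the ACI.

```python
import re

# Constructed sample in the style of a 389-ds schema file. The OIDs are
# placeholders (assumption), not the real ones; the second definition is
# folded across two lines to exercise LDIF continuation handling.
SAMPLE_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'nsslapd-readonly' DESC 'constructed' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'constructed' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME ( 'exampleAttr' 'exampleAttrAlias' )
 DESC 'constructed, continued on a folded line' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'constructed' )
"""

# NAME 'single' or NAME ( 'primary' 'alias' ... ) inside an attributeTypes definition.
ATTRTYPE_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
# (targetattr="a || b"), (targetattr=*), (targetattr != "x"); quotes are optional.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*!?=\s*"?([^")]+?)"?\s*\)', re.IGNORECASE)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def schema_attribute_names(schema_text):
    """Return every attribute name (lowercased) declared by an attributeTypes line, aliases included."""
    names = set()
    for line in unfold_ldif(schema_text):
        if not line.lower().startswith("attributetypes:"):
            continue
        m = ATTRTYPE_NAME_RE.search(line)
        if not m:
            continue
        if m.group(1):
            names.add(m.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(2)))
    return names


def aci_targetattrs(aci):
    """Extract the attribute names listed by every targetattr clause of an ACI string."""
    attrs = []
    for m in TARGETATTR_RE.finditer(aci):
        attrs.extend(a.strip() for a in m.group(1).split("||") if a.strip())
    return attrs


def missing_targetattrs(aci, schema_text):
    """Names the ACI targets that no attributeTypes entry declares; '*' is a wildcard and never missing."""
    known = schema_attribute_names(schema_text)
    return [a for a in aci_targetattrs(aci) if a != "*" and a.lower() not in known]


if __name__ == "__main__":
    # Same shape as the ticket's ACI, but targeting the attribute explicitly (assumption).
    aci = ('(targetattr="nsslapd-readonly")(version 3.0; acl "Set replica read-only"; '
           'allow (write) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=com";)')
    print("missing:", missing_targetattrs(aci, SAMPLE_SCHEMA))
```

To run it against a real instance, read the files under /etc/dirsrv/slapd-*/schema/ into schema_text instead of the constructed sample; the comparison is case-insensitive because LDAP attribute names are.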
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.