From d3c36fb83314c3fd1b87572a1c80687f06d7e2d5 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Mon, 23 Oct 2017 14:06:20 +0200
Subject: [PATCH] ldap: limit the retro changelog to dns subtree

The content synchronization plugin can be limited to the dns subtree in
Directory Server. This increases performance and helps to prevent some
potential issues.

Fixes: https://pagure.io/freeipa/issue/6515
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 install/updates/20-syncrepl.update | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index faa13f645f492ea35824fe57632b56d52afa8a6e..318eda16870afa06d6c6d9098cbffdc085f2dba2 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -4,7 +4,7 @@ only:nsslapd-pluginEnabled: on
 # Remember original nsuniqueid for objects referenced from cn=changelog
 add:nsslapd-attribute: nsuniqueid:targetUniqueId
 add:nsslapd-changelogmaxage: 2d
-add:nsslapd-exclude-suffix: o=ipaca
+add:nsslapd-include-suffix: cn=dns,$SUFFIX
 
 # Keep memberOf and referential integrity plugins away from cn=changelog.
 # It is necessary for performance reasons because we don't have appropriate
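Review bot: On a server upgraded from a release that already applied the removed line, the new `add:nsslapd-include-suffix: cn=dns,$SUFFIX` most likely leaves the earlier `nsslapd-exclude-suffix: o=ipaca` value on the entry, because dropping a directive from an update file does not by itself delete an attribute that was already written. If the intent is for fresh installs and upgrades to end up with the same configuration, consider pairing the new line with `remove:nsslapd-exclude-suffix: o=ipaca`; how the plugin behaves with both attributes set is not visible in this hunk and should be confirmed. A short comment above the new line, such as `# Record only the DNS subtree in cn=changelog; the content sync plugin does not need the rest`, would document why the scope is narrowed, which also keeps changes to unrelated entries out of the changelog. The entry's `dn:` line sits above the hunk, so the target entry is inferred from the surrounding comments.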
-- 
2.9.5