From d03d338f990586b9fc0d8a623ecaa7c9fa4db665 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Oct 27 2017 08:39:52 +0000
Subject: ldap: limit the retro changelog to dns subtree


The content synchronization plugin can be limited to the dns subtree in
Directory Server. This increases performance and helps to prevent some
potential issues.

Fixes: https://pagure.io/freeipa/issue/6515
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update
index faa13f6..318eda1 100644
--- a/install/updates/20-syncrepl.update
+++ b/install/updates/20-syncrepl.update
@@ -4,7 +4,7 @@ only:nsslapd-pluginEnabled: on
 # Remember original nsuniqueid for objects referenced from cn=changelog
 add:nsslapd-attribute: nsuniqueid:targetUniqueId
 add:nsslapd-changelogmaxage: 2d
-add:nsslapd-exclude-suffix: o=ipaca
+add:nsslapd-include-suffix: cn=dns,$SUFFIX
 
 # Keep memberOf and referential integrity plugins away from cn=changelog.
 # It is necessary for performance reasons because we don't have appropriate