On 05/20/2019 01:34 AM, squadri wrote:
> Hello Aaron, Thanks for your response. I understand that there is an
> option of making a security equivalent to admin but that would be then
> no different than just another admin user I suppose!! The point is that

Yes, sorry; I took your request too literally I suppose. You not only
want to use your default tree admin account, but you do not want to use an
account with those rights at all.

> we are looking not to give admin equivalent but of a limited scope
> account which should be able to perform the needed operations for using
> iMonitor, NRM etc. as well with only certain required rights only.

I think iMonitor at least requires a user with tons of rights to the
server object, so you could try creating a user, giving that user
Supervisor rights just to the NCP Server object, and see if that works for
iMonitor. It is probably prudent to note that if you give somebody access
to the NCP Server and/or iMonitor, they inherently have access to do
things which impact the whole tree. iMonitor is primarily meant as a
troubleshooting tool, with a lot more features than things like
dsrepair/ndsrepair, but as a result it can still do things impacting the
whole tree like changing schema, causing replica ring inconsistencies, and
so on. It's great to have, but if you give somebody access to JUST
iMonitor on one server, they can still do things that are outside the
scope of that one server.

Before going down this too far, though, your need to do obituary cleanup
is likely just because your eDirectory versions are really old (as Massimo
mentioned already).

If the problem stems from the sub-ref replicas, perhaps we should figure
out why you have a [root] replica on this machine, but no other replicas.
It sounds like you have a partitioning setup that could be adjusted to
possibly help this out. If you care to do so, start a thread to find out
the best way to resolve those, or even the best way to partition things.
Lots of details around why you have the partitions defined (perhaps WAN
links, or maybe because you have always had them, or maybe because they
were recommended at some point), why this server has [root] but no other
partitions (including its own), and what problems have resulted, may help
us help you resolve the root problem. Even eDirectory 8.8.x should be
able to handle obituaries reliably, and that it cannot for you may imply
something else amiss in the environment (bad network links, an inability
to replicate reliably to one or more servers, etc.).

Good luck.

