It seems to be working if I add the replication DN to all the ACLs, so I think I'll just stick with that.
A viable workaround is to add, as the first rule:
    access to * by dn.exact=<your replicator's DN> write by * break
which basically means: your replicator's DN will have write privileges; anyone else won't have any privileges, but access control checking will move to following rules instead of stopping there.
That seems to work. I'll roll it out tonight. Thanks!
Brian ( bcwhite@precidia.com )
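The effect of the trailing "by * break" in the rule above can be seen in a small model of the ACL walk. This is an added example, not part of the original thread and not OpenLDAP code. It models only exact-DN and "*" matching with the stop and break controls, and the DNs and the EXISTING rules are constructed for illustration.

```python
# Simplified model of how slapd walks "access to" directives (added example).
# Not modelled: regex/subtree matching, attrs, filters, the "continue" control.
REPLICATOR = "cn=replicator,dc=example,dc=com"   # constructed DN
ALICE = "uid=alice,dc=example,dc=com"            # constructed DN

def evaluate(rules, bind_dn, target):
    """Return the access level granted to bind_dn on the entry 'target'."""
    access = "none"
    for what, by_clauses in rules:
        if what not in ("*", target):
            continue                  # this directive does not cover the target
        for who, level, control in by_clauses:
            if who not in ("*", bind_dn):
                continue
            if level is not None:     # a bare control leaves access unchanged
                access = level
            if control == "stop":
                return access         # first match wins, evaluation ends
            break                     # "break": move on to the next directive
        else:
            return "none"             # implicit trailing "by * none stop"
    return access

# Constructed stand-in for a site's existing rules, with no replicator clause.
EXISTING = [
    (ALICE, [(ALICE, "write", "stop"), ("*", "read", "stop")]),
    ("*",   [("*", "read", "stop")]),
]

# The workaround: replicator gets write, everyone else falls through.
WITH_BREAK = [("*", [(REPLICATOR, "write", "stop"),
                     ("*", None, "break")])] + EXISTING

# Same first rule without "by * break": other identities stop here with none.
WITHOUT_BREAK = [("*", [(REPLICATOR, "write", "stop")])] + EXISTING

if __name__ == "__main__":
    for name, rules in (("existing", EXISTING), ("with break", WITH_BREAK),
                        ("without break", WITHOUT_BREAK)):
        for dn in (REPLICATOR, ALICE):
            print(f"{name:14} {dn:34} -> {evaluate(rules, dn, ALICE)}")
```

Because the first rule grants write on every entry, the replicator DN's credentials are as sensitive as the directory contents themselves.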