freeipa/install/updates/20-syncrepl.update
Tomas Krizek 624b34ab2b
ldap: limit the retro changelog to dns subtree
The content synchronization plugin can be limited to the dns subtree in
Directory Server. This increases performance and helps to prevent some
potential issues.

Fixes: https://pagure.io/freeipa/issue/6515
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-26 12:40:28 +02:00

30 lines
1.2 KiB
Plaintext

# Enable Retro changelog - it is necessary for SyncRepl
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
# Remember original nsuniqueid for objects referenced from cn=changelog
add:nsslapd-attribute: nsuniqueid:targetUniqueId
add:nsslapd-changelogmaxage: 2d
add:nsslapd-include-suffix: cn=dns,$SUFFIX

# Keep memberOf and referential integrity plugins away from cn=changelog.
# It is necessary for performance reasons because we don't have appropriate
# indices for cn=changelog.
dn: cn=MemberOf Plugin,cn=plugins,cn=config
add:memberofentryscope: $SUFFIX
add:memberofentryscopeexcludesubtree: cn=compat,$SUFFIX
add:memberofentryscopeexcludesubtree: cn=provisioning,$SUFFIX
add:memberofentryscopeexcludesubtree: cn=topology,cn=ipa,cn=etc,$SUFFIX

dn: cn=referential integrity postoperation,cn=plugins,cn=config
add:nsslapd-plugincontainerscope: $SUFFIX
add:nsslapd-pluginentryscope: $SUFFIX
add:nsslapd-pluginExcludeEntryScope: cn=provisioning,$SUFFIX

# Enable SyncRepl
dn: cn=Content Synchronization,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on

# Make sure IPA UUID does not generate ipaUniqueID for Stage/Delete entries
dn: cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config
add:ipaUuidExcludeSubtree: cn=provisioning,$SUFFIX
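
An added example, not part of the FreeIPA source: a minimal parser for the `action:attribute: value` directives used in this file, reporting whether the retro changelog is enabled and which subtrees it is limited to. The sample is a constructed excerpt of the file above, the suffix `dc=example,dc=test` is a placeholder, and the parser covers only the syntax visible on this page, not everything FreeIPA's own updater accepts.

```python
import re

# Constructed sample: an excerpt of the update file shown above.
SAMPLE = """\
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
add:nsslapd-changelogmaxage: 2d
add:nsslapd-include-suffix: cn=dns,$SUFFIX

dn: cn=Content Synchronization,cn=plugins,cn=config
only:nsslapd-pluginEnabled: on
"""

RETRO_DN = "cn=retro changelog plugin,cn=plugins,cn=config"
# action:attribute: value (the value itself may contain further colons)
DIRECTIVE = re.compile(r"^(\w+):([^:]+):\s*(.*)$")


def parse_update(text, suffix):
    """Return {lowercased dn: [(action, attr, value), ...]} with $SUFFIX expanded."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().replace("$SUFFIX", suffix)
        if not line or line.startswith("#"):
            continue  # blank separators and comments carry no directives
        if line.lower().startswith("dn:"):
            current = entries.setdefault(line[3:].strip().lower(), [])
            continue
        m = DIRECTIVE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsable line: {raw!r}")
        action, attr, value = m.groups()
        current.append((action.lower(), attr.strip().lower(), value))
    return entries


def retro_changelog_scope(text, suffix):
    """Return (enabled, subtrees); an empty list means this file sets no limit."""
    ops = parse_update(text, suffix).get(RETRO_DN, [])
    enabled = ("only", "nsslapd-pluginenabled", "on") in ops
    scope = [value for action, attr, value in ops
             if action in ("add", "only") and attr == "nsslapd-include-suffix"]
    return enabled, scope


if __name__ == "__main__":
    print(retro_changelog_scope(SAMPLE, "dc=example,dc=test"))
```
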