2 files changed, 5 insertions, 5 deletions

diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index f4e96139f..8c0bc8ec3 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -1,10 +1,5 @@
 # Replica administration
 
-dn: cn=config
-changetype: modify
-add: aci
-aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn="$SUFFIX",cn=mapping tree,cn=config
 changetype: modify
 add: aci
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index d9dcad2e5..f31c20177 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -46,3 +46,8 @@ add:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sa
 add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
 # Read-only
 add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+
+# Removal of obsolete ACIs
+dn: cn=config
+# Replaced by 'System: Read Replication Agreements'
+remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'