Diffstat (limited to 'install')
-rw-r--r--install/share/default-aci.ldif8
-rw-r--r--install/updates/20-aci.update4
2 files changed, 12 insertions, 0 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 88269d282..586ec61fc 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -79,3 +79,11 @@ dn: cn=sudo,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
+
+# This is used for the host/service one-time passwordn and keytab indirectors.
+# We can do a query on a DN to see if an attribute exists.
+dn: cn=accounts,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)
+
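Review bot: The new ACI on cn=accounts grants `search` on userPassword and krbPrincipalKey to every authenticated bind (`userdn = "ldap:///all"` excludes only anonymous), and in 389-ds search permission allows arbitrary filter matching against those attributes, not only the presence test the comment describes — any user who can bind gets an equality oracle such as `(userPassword=<value>)` over every entry under cn=accounts. The stored values are hashes and key blobs, so that oracle is presumably not practically exploitable, but the comment should state the real grant and why it is acceptable, e.g. `# Grants search (filter matching; values are never returned) on these attributes to all authenticated users so the host/service OTP and keytab code can test (attr=*) presence.` If the only callers are the enrollment/keytab principals, consider scoping userdn to them rather than ldap:///all. Also `passwordn` in the comment is a typo for `password`.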
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 42f1e9fe6..41d35da35 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -2,3 +2,7 @@
dn: cn=ng,cn=alt,$SUFFIX
add:aci: '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)'
+# This is used for the host/service one-time passwordn and keytab indirectors.
+# We can do a query on a DN to see if an attribute exists.
+dn: cn=accounts,$SUFFIX
+add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";)