1 files changed, 10 insertions, 2 deletions

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 9ca3eac6c..1fbfd9993 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -40,13 +40,13 @@ dict of the same format is defined in this module.
 The permission name must start with the "System:" prefix.
 
 The template dictionary can have the following keys:
-* ipapermtarget, ipapermtargetfilter, ipapermlocation, ipapermright, objectclass
+* ipapermtarget, ipapermtargetfilter, ipapermlocation, ipapermright, ,ipapermtargetto, ipapermtargetfrom, objectclass
   - Directly used as attributes on the permission.
   - Replaced when upgrading an existing permission
   - If not specified, these default to the defaults of a permission of the
     corresponding --type, or, if non_object is specified, or if not on an
     object, to general permission defaults .
-  - ipapermlocation and ipapermtarget must be DNs
+  - ipapermlocation, ipatargetto, ipapermtargetfrom, ipapermtarget must be DNs
   - ipapermtargetfilter and objectclass must be iterables of strings
 * ipapermbindruletype
   - Directly used as attribute on the permission.
@@ -670,6 +670,14 @@ class update_managed_permissions(Updater):
         if ipapermtarget is not None:
             entry['ipapermtarget'] = ipapermtarget
 
+        ipapermtargetto = template.pop('ipapermtargetto', None)
+        if ipapermtargetto is not None:
+            entry['ipapermtargetto'] = ipapermtargetto
+
+        ipapermtargetfrom = template.pop('ipapermtargetfrom', None)
+        if ipapermtargetfrom is not None:
+            entry['ipapermtargetfrom'] = ipapermtargetfrom
+
         # Attributes from template
         bindruletype = template.pop('ipapermbindruletype', 'permission')
         if is_new: