From 48785a5af1a2dbabd6da4cfaee000d3100260f4d Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 2 Oct 2009 09:27:08 -0400
Subject: Loosen the ACI for the KDC to allow adds/deletes
Password policy entries must be a child of the entry protected by this ACI. Also change the format of this because in DS it was stored as: \n(target)\n so was base64-encoded when it was retrieved.
---
 ipaserver/install/krbinstance.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a6caa81eb..f45075cf2 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -44,9 +44,7 @@ import pyasn1.codec.ber.encoder
 import pyasn1.codec.ber.decoder
 import struct
-KRBMKEY_DENY_ACI = """
-(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
-"""
+KRBMKEY_DENY_ACI = '(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (read,write,search,compare) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)'
 def update_key_val_in_file(filename, key, val):
 if os.path.exists(filename):
-- cgit
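Review bot: The new `KRBMKEY_DENY_ACI` value carries no comment, so the two constraints it encodes live only in the commit message: the rights list deliberately omits `add` and `delete` so password policy entries can be created under the protected entry, and the string has to stay on one line with no leading or trailing newline or DS hands it back base64-encoded. I would put both above the assignment, e.g. `# deny list omits add/delete on purpose (password policy children); keep on one line, no surrounding newlines`. Replacing `all` with `read,write,search,compare` also drops `selfwrite` without saying so, and it means this ACI no longer stops a non-KDC identity that is granted `delete` elsewhere from removing the entry that holds `krbMKey`, so it is worth confirming that no other ACI grants that right there. Whether servers installed with the old value get their stored ACI replaced is not visible in this hunk.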