From b53f2d28fdc64a99c16b6e9434911da0058c9f58 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: Add managed read permissions to krbtpolicy

Unlike other objects, the ticket policy is stored in different subtrees: global policy in cn=kerberos and per-user policy in cn=users,cn=accounts. Add two permissions, one for each location. Also, modify tests so that adding new permissions in cn=users doesn't cause failures. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/40-delegation.update | 7 +++++++
 1 file changed, 7 insertions(+) (limited to 'install/updates/40-delegation.update')

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 27e605789..6ab849bf8 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -408,3 +408,10 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Password Policy Readers
 default:description: Read password policies
+
+dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Kerberos Ticket Policy Readers
+default:description: Read global and per-user Kerberos ticket policy
-- cgit
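Review bot: The new `cn=Kerberos Ticket Policy Readers` privilege entry has no comment saying which permissions it is meant to hold, and no membership is visible in this hunk (the view is limited to this one file). The commit message speaks of two read permissions, one for cn=kerberos and one for cn=users,cn=accounts. Presumably they attach to this privilege by name elsewhere, so a spelling mismatch would leave the privilege empty without any error here. I would add a comment above the `dn:` line such as `# Holds the two managed krbtpolicy read permissions (global policy in cn=kerberos, per-user policy in cn=users,cn=accounts)` and confirm the name matches the permission definitions exactly.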