From 979947f7f21749b45176c39f66060564e19466e3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 18 May 2015 22:11:52 -0400
Subject: Add usercertificate attribute to user plugin
Part of: https://fedorahosted.org/freeipa/tickets/4938
Reviewed-By: Martin Basti
---
 install/updates/20-aci.update | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'install/updates')
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index fde3afeee..4a8b67c65 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -79,3 +79,7 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Group
 add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)
 add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)
+
+# User certificates
+dn: $SUFFIX
+add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
-- cgit
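Review bot: The new ACI under `dn: $SUFFIX` has no `target` or `targetfilter`, so `allow (write) userdn = "ldap:///self"` on `usercertificate` covers every entry below the suffix that can bind as itself, not only the users named in the ACL label. If host and service entries also carry this attribute and authenticate as themselves, they would get the same self-write right. Confining the rule to user entries would make the scope match the label, for example by prefixing `(targetfilter = "(objectclass=posixaccount)")`, or whichever object class the project uses to identify users. Because the value is written by the entry's owner without vetting, the `# User certificates` comment should also say that consumers must validate the certificate chain rather than treat presence in the entry as proof of issuance.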