From 251c97cf96edccaec5ce034007068609ad69227f Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Mon, 19 Jan 2015 12:42:11 +0100
Subject: Replication Administrators cannot remove replication agreements
Replication agreement deletion requires read access to DNA range setting. The read access was accidently removed during PermissionV2 refactoring. Add the read ACI back as a special SYSTEM permission.
https://fedorahosted.org/freeipa/ticket/4848
Reviewed-By: Martin Basti
---
 install/updates/40-replication.update | 11 +++++++++++
1 file changed, 11 insertions(+)
(limited to 'install')
diff --git a/install/updates/40-replication.update b/install/updates/40-replication.update
index 619d14663..f46ab19f0 100644
--- a/install/updates/40-replication.update
+++ b/install/updates/40-replication.update
@@ -14,3 +14,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 add:aci: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Read DNA Range
+default:ipapermissiontype: SYSTEM
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+add:aci: '(targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
-- 
cgit
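Review bot: The new `Read DNA Range` entries carry no comment explaining why a replication administrator needs read access to the DNA range configuration, and the update file will outlive the commit message that does. A comment line before the `dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX` entry such as `# Read DNA Range: removing a replication agreement must read the departing master's DNA range (ticket 4848)` would keep the rationale next to the grant (the updater treats `#` lines as comments, as far as I recall). Because the permission is marked `ipapermissiontype: SYSTEM` and its ACI is attached to an entry under cn=config, it presumably sits outside the managed-permission machinery, so the attribute list in the final `add:aci:` line is the single place this grant is defined and any later change to it has to be made here by hand. The grant itself is read/search/compare only, scoped to the listed dna* attributes plus cn and objectclass, which matches the stated need and does not widen the existing `Modify DNA Range` write grant on the same entry.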