From 73d8db6d92d2c1b44b6d7f07d28eef13c344aa8a Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 18 Feb 2014 18:15:49 +0100 Subject: Allow IPA master hosts to update CA certificate in LDAP. Reviewed-By: Rob Crittenden --- install/updates/40-delegation.update | 2 ++ 1 file changed, 2 insertions(+) (limited to 'install') diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index b54efdbd9..10579b759 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -71,6 +71,8 @@ add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX' dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX' +dn: cn=ipa,cn=etc,$SUFFIX +add:aci:'(target = "ldap:///cn=CAcert,cn=ipa,cn=etc,$SUFFIX")(targetattr = cACertificate)(version 3.0; acl "Modify CA Certificate"; allow (write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)' # Automember tasks dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX -- cgit
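Review bot: The added ACI on `cn=ipa,cn=etc,$SUFFIX` grants write on `cACertificate` to one literal host DN (`userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX"`). Assuming `$FQDN` expands to the server running the update, every master adds its own ACI value, and nothing in this hunk removes that value when the master is later uninstalled. Because the target is the CA certificate that clients fetch as a trust anchor, a stale grant could leave write access with whatever host entry later holds that FQDN. Consider a `groupdn` bind rule against a group that holds only current masters (`groupdn = "ldap:///<DN of masters group>"`, placeholder), or confirm that replica removal deletes the ACI. A comment above the entry such as `# Allow this IPA master's host principal to replace the CA certificate in cn=CAcert` would record the intent, and `add:aci:'` could follow the `add: member: '` spacing of the neighbouring entries.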