From c2e6b74029e08a4eadb7a14a4c711febfc83b5be Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Tue, 24 Jun 2014 18:24:32 +0200
Subject: trusts: Allow reading system trust accounts by adtrust agents

Reviewed-By: Alexander Bokovoy
---
 ipalib/plugins/trust.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'ipalib')

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 25755d7a4..99acfb8f8 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -330,6 +330,17 @@ class trust(LDAPObject):
 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing'
 },
 },
+
+ 'System: Read system trust accounts': {
+ 'non_object': True,
+ 'ipapermlocation': DN(container_dn, api.env.basedn),
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'uidnumber', 'gidnumber', 'krbprincipalname'
+ },
+ 'default_privileges': {'ADTrust Agents'},
+ },
 }

 label = _('Trusts')
-- cgit
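Review bot: The new 'System: Read system trust accounts' entry sets `'non_object': True` and an `ipapermlocation` but no `ipapermtargetfilter`. As far as the hunk shows, the read/search/compare grant on `uidnumber`, `gidnumber` and `krbprincipalname` therefore reaches every entry under `DN(container_dn, api.env.basedn)`, not only the account entries the title names. If those accounts can be told apart by object class, a target filter would keep the grant given to 'ADTrust Agents' least-privilege. If the whole subtree is intended, say so above the entry, e.g. `# non_object: covers every entry under container_dn, not just trust objects`. The enclosing class body starts and ends outside the hunk, so `container_dn` is resolved from lines not shown here; confirm it names the intended container.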