authorAna Krivokapic <akrivoka@redhat.com>2013-04-22 21:43:12 +0200
committerRob Crittenden <rcritten@redhat.com>2013-04-24 14:36:18 -0400
commit89f65ddccd8e08d30ddcedaf1f88fbb54066af0f (patch)
treebd1a88faf0a959679e81eb6ff30e5ead212de5e8
parent29b22d5f8b4d62127e644b51ea2d67aeb8c30f10 (diff)
Add missing permissions to Host Administrators privilege
The 'Host Administrators' privilege was missing two permissions ('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing the inability to remove a host with a certificate. https://fedorahosted.org/freeipa/ticket/3585
-rw-r--r--install/updates/40-delegation.update8
1 files changed, 8 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 5c14a703..64a6432a 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -365,3 +365,11 @@ replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=account
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)'
+
+# Add permissions "Retrieve Certificates from the CA" and "Revoke Certificate"
+# to privilege "Host Administrators"
+dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
+add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
+
+dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
+add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
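Review bot: Neither added entry limits "Revoke Certificate" or "Retrieve Certificates from the CA" to certificates that belong to hosts, so adding "Host Administrators" as a member may grant more than host removal needs. If these permissions gate the CA operations globally, which their names suggest but this hunk does not show, every role holding the privilege can now retrieve and revoke any certificate the CA issued. That should be confirmed, and revocation requests from these roles are worth auditing once the update is applied. The added comment says what is granted but not why; I would extend it to `# Needed so that removing a host can revoke its certificate (ticket 3585); these permissions are not host-scoped`.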