Allow to setup the CA when promoting a replica

This patch makes --setup-ca work to set upa clone CA while creating
a new replica. The standalone ipa-ca-install script is not converted
yet though.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index 3da9eaee1..8c9998cbc 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -11,5 +11,10 @@ default: ipaReplTopoConfRoot: o=ipaca
 default: cn: ipaca
 
 # Update CA replication settings
+dn: cn=o\3Dipaca,cn=mapping tree,cn=config
+add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+
 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX