From 0bea7bc245fe1471008d20c78626c2fa2572e91c Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Mon, 19 Jan 2015 12:42:11 +0100
Subject: [PATCH] Replication Administrators cannot remove replication
 agreements

Replication agreement deletion requires read access to the DNA range
settings. That read access was accidentally removed during the PermissionV2
refactoring.

Add the read ACI back as a special SYSTEM permission.

https://fedorahosted.org/freeipa/ticket/4848

Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 install/updates/40-replication.update | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/install/updates/40-replication.update b/install/updates/40-replication.update
index 619d14663eeb6f692864c960dfd3542fc22cb581..f46ab19f0090ba313880e6d99636f50397f8d33b 100644
--- a/install/updates/40-replication.update
+++ b/install/updates/40-replication.update
@@ -14,3 +14,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 
 dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 add:aci: '(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Read DNA Range
+default:ipapermissiontype: SYSTEM
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+add:aci: '(targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)'
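Review bot: The new ACI on the last line of the hunk grants read/search/compare on cn, objectclass, dnaThreshold and dnaType in addition to the three range attributes that the write ACI above it targets, and nothing in the update file records why the read set is wider than the set the commit message describes; a comment such as `# Read ACI for the DNA range entry; needed by replication agreement removal (ticket 4848), kept as a SYSTEM permission rather than a managed one` placed before the new `dn:` line would keep that intent with the file. If any of the extra attributes is not actually consulted on the deletion path, the targetattr list could be narrowed to match the modify ACI, but that is not verifiable from the hunk. The `dnaNextValue  || dnaThreshold` token carries a double space that the line above does not; harmless to the parser as far as I can tell, but worth normalising for consistency. As I read it, a SYSTEM permission added via a raw `add:aci` will not be regenerated by the managed-permission updater, so the ACI text here is the only copy to keep in sync with the permission entry.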
-- 
2.1.0