trust: allow trust agents to read POSIX identities of trust
SSSD and Samba on IPA masters need to be able to look up POSIX
attributes of trusted domain objects in order to allow Active Directory
domain controllers from trusted forests to connect to LSA and NETLOGON
pipes.
We only have access to read POSIX attributes in cn=accounts,$SUFFIX
subtree rather than whole $SUFFIX. Thus, add an ACI to trusts subtree.
Fixes: https://pagure.io/freeipa/issue/6077
(cherry picked from commit 8908b5085179d07cff45ebb11d498b872d28eee7)
Reviewed-By: Christian Heimes <cheimes@redhat.com>