trust: allow trust agents to read POSIX identities of trust
    
    SSSD and Samba on IPA masters need to be able to look up POSIX
    attributes of trusted domain objects in order to allow Active Directory
    domain controllers from trusted forests to connect to LSA and NETLOGON
    pipes.
    
    We only have access to read POSIX attributes in cn=accounts,$SUFFIX
    subtree rather than whole $SUFFIX. Thus, add an ACI to trusts subtree.
    
    Fixes: https://pagure.io/freeipa/issue/6077
    (cherry picked from commit 8908b5085179d07cff45ebb11d498b872d28eee7)
    
    Reviewed-By: Christian Heimes <cheimes@redhat.com>