From dfea5989f7edeb9ebc2d4fe42641e8818222761a Mon Sep 17 00:00:00 2001
From: Ana Krivokapic
Date: Nov 15 2013 11:46:06 +0000
Subject: Add a privilege and a permission needed for automember rebuild command Design: http://www.freeipa.org/page/V3/Automember_rebuild_membership https://fedorahosted.org/freeipa/ticket/3752
---
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 64a6432..3fabdf9 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -373,3 +373,22 @@ add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
 
 dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
 add: member: 'cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX'
+
+# Automember tasks
+dn: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Automember Task Administrator
+default:description: Automember Task Administrator
+
+dn: cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:objectClass: top
+default:cn: Add Automember Rebuild Membership Task
+default:member: cn=Automember Task Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:ipapermissiontype: SYSTEM
+
+dn: cn=config
+add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)'
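Review bot: The `# Automember tasks` comment above the new privilege does not say what the delegation allows; only the ACI on `cn=config` at the end of the hunk shows it. Members of `Add Automember Rebuild Membership Task` get `add` on `cn=automember rebuild membership,cn=tasks,cn=config` with `targetattr=*`, so they can create a task entry there with any attributes they choose. A rebuild presumably re-applies automember rules to existing entries, and the resulting group membership may feed other access rules. I would therefore extend the comment to something like `# Automember tasks: lets a delegate start a rebuild-membership task under cn=tasks,cn=config; assign this privilege as an administrative one`. The ACI grants only `add`. If delegates are expected to read the task entry to check its status, a matching read rule appears to be missing from this hunk and is worth confirming against the design page.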