From 0d3d6838a23e2dc9111eb95b4b87e6abed568816 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Tue, 3 Jan 2017 10:54:17 +0000
Subject: [PATCH] Disable default permissions that would break our privacy
 policy

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---
 roles/ipa/server/files/configure-ipa.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/ipa/server/files/configure-ipa.sh b/roles/ipa/server/files/configure-ipa.sh
index 33515910eb..0b62940a97 100644
--- a/roles/ipa/server/files/configure-ipa.sh
+++ b/roles/ipa/server/files/configure-ipa.sh
@@ -15,3 +15,8 @@ do
     echo "Removing $line"
     ipa selfservice-del "$line"
 done
+
+# Disable default permissions so we don't break our privacy policy
+ipa permission-mod "System: Read User Addressbook Attributes" --bindtype=permission
+
+# TODO: Add custom permissions to grant specific access to user attributes