From c82596249017cc09ebe858f61eb20b75cac2cff7 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Sun, 15 Feb 2026 13:43:02 +1100
Subject: [PATCH] chore: add default_user_password credentials policy

- fix the comment for ldap_admin_password
- add policy to read default_user_password
---
 .../service/openldap/default_user_password/read.yaml   | 10 ++++++++++
 .../kv/service/openldap/ldap_admin_password/read.yaml  |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 policies/kv/service/openldap/default_user_password/read.yaml

diff --git a/policies/kv/service/openldap/default_user_password/read.yaml b/policies/kv/service/openldap/default_user_password/read.yaml
new file mode 100644
index 0000000..8cf866f
--- /dev/null
+++ b/policies/kv/service/openldap/default_user_password/read.yaml
@@ -0,0 +1,10 @@
+# Allow reading openldap default-user credentials
+---
+rules:
+  - path: "kv/data/service/openldap/default_user_password"
+    capabilities:
+      - read
+
+auth:
+  approle:
+    - terraform_ldap
diff --git a/policies/kv/service/openldap/ldap_admin_password/read.yaml b/policies/kv/service/openldap/ldap_admin_password/read.yaml
index ac90f6d..ede3b98 100644
--- a/policies/kv/service/openldap/ldap_admin_password/read.yaml
+++ b/policies/kv/service/openldap/ldap_admin_password/read.yaml
@@ -1,4 +1,4 @@
-# Allow reading Radarr configuration
+# Allow reading openldap admin credentials
 ---
 rules:
   - path: "kv/data/service/openldap/ldap_admin_password"
-- 
2.47.3