Fix systemd-user HBAC rule

2ef6e14c5a added an invalid HBAC rule that
encoded the service wrongly.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

install/share/default-hbac.ldif

@@ -21,7 +21,7 @@ cn: allow_systemd-user
 accessruletype: allow
 usercategory: all
 hostcategory: all
-servicecategory: systemd-user
+memberService: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
 ipaenabledflag: TRUE
 description: Allow pam_systemd to run user@.service to create a system user session
 ipauniqueid: autogenerate

ipatests/test_integration/test_commands.py

@@ -500,12 +500,18 @@ class TestIPACommand(IntegrationTest):
         # https://pagure.io/freeipa/issue/7831
         tasks.kinit_admin(self.master)
         # check for presence
-        self.master.run_command(
-            ['ipa', 'hbacrule-show', 'allow_systemd-user']
-        )
         self.master.run_command(
             ['ipa', 'hbacsvc-show', 'systemd-user']
         )
+        result = self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
+        )
+        lines = set(l.strip() for l in result.stdout_text.split('\n'))
+        assert 'User category: all' in lines
+        assert 'Host category: all' in lines
+        assert 'Enabled: TRUE' in lines
+        assert 'Services: systemd-user' in lines
+        assert 'accessruletype: allow' in lines
 
         # delete both
         self.master.run_command(