Allow permissions with 'self' bindruletype

Make it possible to create a managed permission with
ipapermbindruletype="self". The ACI will have bind rule
'(userdn = "ldap:///self")'.

Example
-------

Allow users to modify their own fasTimezone and fasIRCNick attributes:

```
managed_permissions = {
    "System: Self-Modify FAS user attributes": {
        "ipapermright": {"write"},
        "ipapermtargetfilter": ["(objectclass=fasuser)"],
        "ipapermbindruletype": "self",
        "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
    }
}
```

See: https://github.com/fedora-infra/freeipa-fas/pull/107
Fixes: https://pagure.io/freeipa/issue/8348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Christian Heimes
2020-06-02 15:08:16 +02:00
committed by Alexander Bokovoy
parent 373f8cdce7
commit 9dda004f27
6 changed files with 60 additions and 9 deletions

@@ -635,6 +635,10 @@ class update_managed_permissions(Updater):
# Attributes from template
bindruletype = template.pop('ipapermbindruletype', 'permission')
if bindruletype not in {"all", "anonymous", "self", "permission"}:
raise ValueError(
f"Invalid ipapermbindruletype '{bindruletype}'"
)
if is_new:
entry.single_value['ipapermbindruletype'] = bindruletype
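Review bot: the new validation runs for every template, but the value is only written under `if is_new:`, so an existing managed permission whose template is changed to `"self"` keeps whatever bindruletype it already has in LDAP and the updater silently leaves the ACI unchanged; if that is intended, a comment saying so would help, otherwise the update path needs to sync the attribute too. Separately, the accepted set `{"all", "anonymous", "self", "permission"}` is a hardcoded literal inside the updater; consider referencing the permission plugin's own list of valid bind rule types so the two cannot drift apart when another type is added.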