diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2011-10-05 17:16:05 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2011-10-09 23:44:22 -0400 |
| commit | 7bd3b3e12147b794c4cf2f4457df5e20638c7b0e (patch) | |
| tree | 1f57dd008e2edf1e2e94bb9d0b88200d8720c132 /install/share/dns.ldif | |
| parent | ae65c0193271b70929f8d011f2a1aa5dff99f426 (diff) | |
| download | freeipa-7bd3b3e12147b794c4cf2f4457df5e20638c7b0e.tar.gz freeipa-7bd3b3e12147b794c4cf2f4457df5e20638c7b0e.tar.xz freeipa-7bd3b3e12147b794c4cf2f4457df5e20638c7b0e.zip | |
Fix DNS permissions and membership in privileges
This resolves two issues:
1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
values weren't calculated properly
For updates we need to add in the members and recalculate memberof via
a DS task.
https://fedorahosted.org/freeipa/ticket/1898
Diffstat (limited to 'install/share/dns.ldif')
| -rw-r--r-- | install/share/dns.ldif | 46 |
1 files changed, 23 insertions, 23 deletions
diff --git a/install/share/dns.ldif b/install/share/dns.ldif index dc7922218..1ffadb5a9 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -4,6 +4,29 @@ objectClass: nsContainer objectClass: top cn: dns +dn: $SUFFIX +changetype: modify +add: aci +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";) + +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: DNS Administrators +description: DNS Administrators + +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofnames +objectClass: nestedgroup +cn: DNS Servers +description: DNS Servers + dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: groupofnames @@ -30,26 +53,3 @@ cn: update dns entries description: Update DNS entries member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX - -dn: $SUFFIX -changetype: modify -add: aci -aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";) - -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX -changetype: add -objectClass: top -objectClass: groupofnames -objectClass: nestedgroup -cn: DNS Administrators -description: DNS Administrators - -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX -changetype: add -objectClass: top -objectClass: groupofnames -objectClass: nestedgroup -cn: DNS Servers -description: DNS Servers |