author | Martin Basti <mbasti@redhat.com> | 2014-06-25 17:24:45 +0200 |
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-01 12:43:55 +0200 |
commit | c655aa28321f3a0ef00de89dd4c726f39f62653e (patch) | |
tree | ab1c0e19940ee0b959ea4b6366ba8b1fd8993ac7 /install/updates | |
parent | 8e911fcabc2c07cce42e32554cf8c9bcc6a544f5 (diff) | |
Fix ACI in DNS
Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord,
tlsarecord
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/40-dns.update | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index f0dbc9ce3..68f654d5c 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -10,6 +10,7 @@ addifexist: aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl | dn: cn=dns, $SUFFIX replace:aci:'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX");)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)' replace:aci:'(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)' +replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || 
keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || nsec3paramrecord || dlvrecord || idnssecinlinesigning ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)' # add DNS plugin dn: cn=IPA DNS,cn=plugins,cn=config |
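Review bot: The new replace value closes its targetattr list with `idnssecinlinesigning ")`, a stray space inside the quoted attribute list that no other entry in the list carries; it should read `... || dlvrecord || idnssecinlinesigning")`, because the `replace:` lines in this file carry the old value verbatim (see the two context lines above), so any later edit to this ACI would have to reproduce that invisible whitespace exactly. The list also names `idnsname` twice; that duplicate is already present in the old value, so it is not introduced here, but it could be dropped while the value is being rewritten. The commit description lists tlsarecord among the added attributes, yet it does not appear in this targetattr list; if it is granted in a file outside this diffstat-limited view, updated servers and fresh installs may end up with differing ACIs, which is worth confirming. Because this ACI grants write access to the zone's `managedby` group, including idnssecinlinesigning lets a zone manager toggle inline signing for the zone, and that widening of what a zone manager may change deserves a sentence in the commit description.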