author | Martin Kosek <mkosek@redhat.com> | 2012-06-04 17:53:34 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-06-05 08:41:46 +0200 |
commit | c06cbb12ac2080e75578645b5e74adf7496de1fa (patch) | |
tree | 021a48a1886b192f444e0384ad0aee432f17b2b7 /ipalib/util.py | |
parent | 7d9abecbb6b2779e074616ca5563714d165bb49b (diff) | |
Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.
The policy is not easy for regular users to construct, so we should
rather fill it in by default and let users just switch the policy
on or off.
https://fedorahosted.org/freeipa/ticket/2441
Diffstat (limited to 'ipalib/util.py')
-rw-r--r-- | ipalib/util.py | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/ipalib/util.py b/ipalib/util.py
index 50da74327..039ffb06d 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -427,11 +427,11 @@ def parse_time_duration(value):
 return duration
-def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
+def get_dns_forward_zone_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
 """
- Generate update policy for a DNS zone (idnsUpdatePolicy attribute). Bind
- uses this policy to grant/reject access for client machines trying to
- dynamically update their records.
+ Generate update policy for a forward DNS zone (idnsUpdatePolicy
+ attribute). Bind uses this policy to grant/reject access for client
+ machines trying to dynamically update their records.
 :param realm: A realm of the of the client
 :param rrtypes: A list of resource records types that client shall be
@@ -445,6 +445,27 @@ def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
 return policy
+def get_dns_reverse_zone_update_policy(realm, reverse_zone, rrtypes=('PTR',)):
+ """
+ Generate update policy for a reverse DNS zone (idnsUpdatePolicy
+ attribute). Bind uses this policy to grant/reject access for client
+ machines trying to dynamically update their records.
+ :param realm: A realm of the of the client
+ :param reverse_zone: Name of the actual zone. All clients with IPs in this
+ sub-domain will be allowed to perform changes
+ :param rrtypes: A list of resource records types that client shall be
+ allowed to update
+ """
+ policy_element = "grant %(realm)s krb5-subdomain %(zone)s %(rrtype)s"
+ policies = [ policy_element \
+ % dict(realm=realm, zone=reverse_zone, rrtype=rrtype) \
+ for rrtype in rrtypes ]
+ policy = "; ".join(policies)
+ policy += ";"
+ return policy
 def validate_rdn_param(ugettext, value):
 try:
 rdn = RDN(value) |
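Review bot: The docstring of get_dns_reverse_zone_update_policy says "All clients with IPs in this sub-domain will be allowed to perform changes", but the generated rule `grant %(realm)s krb5-subdomain %(zone)s %(rrtype)s` is keyed on the Kerberos realm, not on the client's address — as far as I recall BIND's krb5-subdomain lets any principal of the realm update any name under the zone, so the policy does not stop one enrolled host from rewriting another host's PTR record. I would state that scope explicitly so administrators deploying the default policy know it is realm-wide rather than per host, e.g. `:param reverse_zone: Name of the reverse zone. Any principal of the realm may update the given record types anywhere under this zone (BIND krb5-subdomain); there is no per-host restriction`. The typo "A realm of the of the client" is carried over from the forward function's docstring in the first hunk. With an empty rrtypes the function returns ";" rather than an empty policy, which callers may want to guard against. The backslash continuations inside the list literal are redundant: `policies = [policy_element % dict(realm=realm, zone=reverse_zone, rrtype=rrtype) for rrtype in rrtypes]`.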