Fix the change_password permissions and the DNS access controls.

The change_password permission was too broad, limit it to users.

The DNS access controls rolled everything into a single ACI. I broke
it out into separate ACIs for add, delete and add. I also added a new
dns type for the permission plugin.

ticket 628

2 files changed, 3 insertions, 2 deletions

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 5a57a309a..1dcba926c 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -135,6 +135,7 @@ _type_map = {
     'hostgroup': 'ldap:///cn=*,%s,%s' % (api.env.container_hostgroup, api.env.basedn),
     'service': 'ldap:///krbprincipalname=*,%s,%s' % (api.env.container_service, api.env.basedn),
     'netgroup': 'ldap:///ipauniqueid=*,%s,%s' % (api.env.container_netgroup, api.env.basedn),
+    'dns': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn),
 }
 
 _valid_permissions_values = [
@@ -378,7 +379,7 @@ class aci(Object):
             cli_name='type',
             label=_('Type'),
             doc=_('type of IPA object (user, group, host, hostgroup, service, netgroup)'),
-            values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup'),
+            values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',),
         ),
         Str('memberof?',
             cli_name='memberof',
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 18dd577e7..0587564ed 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -120,7 +120,7 @@ class permission(LDAPObject):
             cli_name='type',
             label=_('Type'),
             doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup)'),
-            values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup'),
+            values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',),
         ),
         Str('memberof?',
             cli_name='memberof',