-rw-r--r-- | install/share/dns.ldif | 12 | ||||
-rw-r--r-- | install/updates/40-dns.update | 4 | ||||
-rw-r--r-- | ipaserver/install/plugins/dns.py | 35 |
3 files changed, 50 insertions, 1 deletions
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index 5a60bc11b..3fd8cfb87 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -10,7 +10,8 @@ changetype: modify
 add: aci
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = 
"ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,$SUFFIX")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX";)
 
 dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
@@ -54,3 +55,12 @@ cn: update dns entries
 description: Update DNS entries
 member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
+changetype: add
+objectClass: groupofnames
+objectClass: top
+cn: Write DNS Configuration
+description: Write DNS Configuration
+member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index ef2627bd7..02af8e467 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
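Review bot: The new `Write DNS Configuration` ACI uses `(target = "ldap:///cn=dns,$SUFFIX")` with no targetfilter; in 389-ds a target DN applies to that entry and its whole subtree, so — if I have the semantics right — this also grants write on `idnsforwarders`, `idnsforwardpolicy` and `idnsallowsyncptr` of every zone under `cn=dns`, not just the global config object the permission name describes. Adding `(targetfilter = "(objectclass=idnsConfigObject)")` next to the target would pin it to `cn=dns,$SUFFIX` itself. Separately, the extended `update dns entries` ACI now lets its holders rewrite `idnsallowquery`, `idnsallowtransfer` and `idnsforwarders` on zones, and the second hunk shows that permission is also granted to `cn=DNS Servers,cn=privileges`; a compromised DNS server host could therefore redirect forwarding or open zone transfers for all zones, so consider putting those zone-policy attributes in a separate administrator-only permission rather than the one the servers hold for dynamic updates.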
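Review bot: The `Write DNS Configuration` permission entry lists `member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX`, which hands the DNS server service principals write access to the global `idnsforwarders`/`idnsforwardpolicy` settings. If bind-dyndb-ldap only reads these attributes, dropping that member line follows least privilege; if it genuinely writes any of them (I cannot tell from this patch), a one-line comment above the entry, e.g. `# DNS Servers need write here because <reason>`, would stop the next reviewer from removing it.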
@@ -23,3 +23,7 @@ add: ttl: 10
 # add idnsConfigObject if it is not there already
 dn: cn=dns, $SUFFIX
 addifexist: objectClass: idnsConfigObject
+
+# update DNS acis with new idnsRecord attributes
+dn: $SUFFIX
+replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 04f6e2bec..84b7b23a5 100644
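Review bot: The `replace:aci:'old::new'` on `dn: $SUFFIX` only takes effect when the stored ACI is byte-identical to the `old` half, so on a deployment whose ACI was hand-edited or differs by whitespace the update is a silent no-op and `update dns entries` never gains `idnsallowquery`/`idnsallowtransfer`/`idnsforwarders` (the failure mode is denial rather than exposure, but nothing reports it). A comment above the block would save the next person a debugging session, e.g. `# NOTE: replace: is an exact-string match; the old value must equal the ACI shipped in install/share/dns.ldif`. The same ACI text now exists in dns.ldif and here, so any future attribute addition has to be made in both places.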
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -21,6 +21,8 @@ from ipaserver.install.plugins import MIDDLE
 from ipaserver.install.plugins.baseupdate import PostUpdate
 from ipaserver.install.plugins import baseupdate
 from ipalib import api, errors, util
+from ipalib.dn import DN
+from ipalib.plugins.dns import dns_container_exists
 
 class update_dnszones(PostUpdate):
     """
@@ -78,3 +80,36 @@ class update_dnszones(PostUpdate):
         return (False, False, [])
 
 api.register(update_dnszones)
+
+class update_dns_permissions(PostUpdate):
+    """
+    New DNS permissions need to be added only for updated machines with
+    enabled DNS. LDIF loaded by DNS installer would fail because of duplicate
+    entries otherwise.
+    """
+    def execute(self, **options):
+        ldap = self.obj.backend
+
+        if not dns_container_exists(ldap):
+            return (False, False, [])
+
+        dnsupdates = {}
+        dn = str(DN('cn=Write DNS Configuration', api.env.container_permission, api.env.basedn))
+        entry = ['objectClass:groupofnames',
+                 'objectClass:top',
+                 'cn:Write DNS Configuration',
+                 'description:Write DNS Configuration',
+                 'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' % api.env.basedn,
+                 'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' % api.env.basedn]
+        # make sure everything is str or otherwise python-ldap will complain
+        entry = map(str, entry)
+        dnsupdates[dn] = {'dn' : str(dn), 'default' : entry}
+
+        dn = str(DN(api.env.basedn))
+        entry = ['add:aci:\'(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)]
+        entry = map(str, entry)
+        dnsupdates[dn] = {'dn' : dn, 'updates' : entry}
+
+        return (False, True, [dnsupdates])
+
+api.register(update_dns_permissions)
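Review bot: In `update_dns_permissions.execute` the format placeholder `%(realm)s` is filled with `api.env.basedn`, not a realm, which misleads anyone reading the ACI string; rename it in both occurrences and in the dict, `% dict(basedn=api.env.basedn)`. The `member:` values are assembled with plain `%s` interpolation while the entry `dn` goes through `DN()`, so the two would diverge if the base DN ever contained characters needing escaping; `str(DN('cn=DNS Administrators', 'cn=privileges', 'cn=pbac', api.env.basedn))` keeps them consistent with the dn above. The ACI text here also duplicates the one added to `install/share/dns.ldif` byte for byte, and the `add:aci:` update is emitted on every run of this post-update plugin; the class docstring should state that the updater is relied on to skip an already-present value, since that cannot be confirmed from this hunk.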