-rw-r--r--install/share/dns.ldif12
-rw-r--r--install/updates/40-dns.update4
-rw-r--r--ipaserver/install/plugins/dns.py35
3 files changed, 50 insertions, 1 deletions
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index 5a60bc11b..3fd8cfb87 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -10,7 +10,8 @@ changetype: modify
add: aci
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,$SUFFIX")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
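Review bot: The new "Write DNS Configuration" aci uses `(target = "ldap:///cn=dns,$SUFFIX")` with no wildcard, and as far as I recall 389-ds target semantics a plain target DN covers that entry and everything beneath it, so write on idnszonerefresh and idnspersistentsearch is granted on every zone and record entry under cn=dns as well, not only on the config object. If the intent is config-only, that should be stated, e.g. `# scope: cn=dns and its subtree, not just the idnsConfigObject` above the aci, or the target narrowed once the semantics are confirmed. Note also that idnsallowsyncptr, idnsforwardpolicy and idnsforwarders are now writable through both the extended "update dns entries" aci and this new one, so either permission alone grants them on zone entries.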
@@ -54,3 +55,12 @@ cn: update dns entries
description: Update DNS entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
+changetype: add
+objectClass: groupofnames
+objectClass: top
+cn: Write DNS Configuration
+description: Write DNS Configuration
+member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
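Review bot: The last added line makes `cn=DNS Servers,cn=privileges` a member of the new "Write DNS Configuration" permission, which, combined with the aci in the first hunk, lets whoever holds that privilege rewrite the global forwarders and forward policy. If that privilege is carried by the DNS service hosts themselves (I cannot see that from the diff), compromise of any single DNS host would be enough to redirect forwarding for the whole deployment, which is broader than the per-zone write they already have. A short justification in the entry, e.g. `description: Write DNS Configuration (global forwarders and zone refresh; also granted to DNS servers)`, or dropping the DNS Servers member if the servers only need to read the configuration, would make the least-privilege decision explicit.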
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index ef2627bd7..02af8e467 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -23,3 +23,7 @@ add: ttl: 10
# add idnsConfigObject if it is not there already
dn: cn=dns, $SUFFIX
addifexist: objectClass: idnsConfigObject
+
+# update DNS acis with new idnsRecord attributes
+dn: $SUFFIX
+replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
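Review bot: The `replace:aci:old::new` line only takes effect when the existing aci value matches the old string byte-for-byte; on a deployment whose "update dns entries" aci was installed from an earlier dns.ldif with a different attribute list or spacing, nothing is replaced and the permission silently keeps the old attribute set. The comment above it could say so, e.g. `# replace: matches the old aci value exactly; an aci that differs from this text is left unchanged`, so an operator knows to check the effective aci after upgrade. Whether the updater logs a non-matching replace is not visible in this hunk.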
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 04f6e2bec..84b7b23a5 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -21,6 +21,8 @@ from ipaserver.install.plugins import MIDDLE
from ipaserver.install.plugins.baseupdate import PostUpdate
from ipaserver.install.plugins import baseupdate
from ipalib import api, errors, util
+from ipalib.dn import DN
+from ipalib.plugins.dns import dns_container_exists
class update_dnszones(PostUpdate):
"""
@@ -78,3 +80,36 @@ class update_dnszones(PostUpdate):
return (False, False, [])
api.register(update_dnszones)
+
+class update_dns_permissions(PostUpdate):
+ """
+ New DNS permissions need to be added only for updated machines with
+ enabled DNS. LDIF loaded by DNS installer would fail because of duplicate
+ entries otherwise.
+ """
+ def execute(self, **options):
+ ldap = self.obj.backend
+
+ if not dns_container_exists(ldap):
+ return (False, False, [])
+
+ dnsupdates = {}
+ dn = str(DN('cn=Write DNS Configuration', api.env.container_permission, api.env.basedn))
+ entry = ['objectClass:groupofnames',
+ 'objectClass:top',
+ 'cn:Write DNS Configuration',
+ 'description:Write DNS Configuration',
+ 'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' % api.env.basedn,
+ 'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' % api.env.basedn]
+ # make sure everything is str or otherwise python-ldap will complain
+ entry = map(str, entry)
+ dnsupdates[dn] = {'dn' : str(dn), 'default' : entry}
+
+ dn = str(DN(api.env.basedn))
+ entry = ['add:aci:\'(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)]
+ entry = map(str, entry)
+ dnsupdates[dn] = {'dn' : dn, 'updates' : entry}
+
+ return (False, True, [dnsupdates])
+
+api.register(update_dns_permissions)
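Review bot: The format placeholder on the `add:aci:` line is named `realm` but is filled with `api.env.basedn`, so the aci reads as if it embedded a Kerberos realm; renaming it to `%(basedn)s` with `dict(basedn=api.env.basedn)` removes the confusion. The same aci text also lives in install/share/dns.ldif, and the updater-installed and fresh-install permissions only match while the two copies stay identical; a comment such as `# keep in sync with the "Write DNS Configuration" aci in install/share/dns.ldif` on that line would flag the coupling. The `str(dn)` in the first dnsupdates entry is redundant, since dn was already converted with `str(DN(...))` a few lines above. Whether re-running the updater re-adds an already present aci value depends on how `add:` is handled for existing values, which is outside this hunk.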