-rw-r--r-- | ipalib/util.py | 18 | ||||
-rw-r--r-- | ipaserver/install/bindinstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/plugins/dns.py | 25 |
3 files changed, 40 insertions, 7 deletions
diff --git a/ipalib/util.py b/ipalib/util.py
index eb6702dc9..395bf0cf0 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -439,3 +439,21 @@ def parse_time_duration(value):
 raise ValueError('no time duration found in "%s"' % value)
 return duration
+
+def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
+ """
+ Generate update policy for a DNS zone (idnsUpdatePolicy attribute). Bind
+ uses this policy to grant/reject access for client machines trying to
+ dynamically update their records.
+
+ :param realm: A realm of the of the client
+ :param rrtypes: A list of resource records types that client shall be
+ allowed to update
+ """
+ policy_element = "grant %(realm)s krb5-self * %(rrtype)s"
+ policies = [ policy_element % dict(realm=realm, rrtype=rrtype) \
+ for rrtype in rrtypes ]
+ policy = "; ".join(policies)
+ policy += ";"
+
+ return policy
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 9dc12e276..a37a29303 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -32,7 +32,7 @@ from ipapython import sysrestore
 from ipapython import ipautil
 from ipalib.constants import DNS_ZONE_REFRESH
 from ipalib.parameters import IA5Str
-from ipalib.util import validate_zonemgr, normalize_zonemgr
+from ipalib.util import validate_zonemgr, normalize_zonemgr, gen_dns_update_policy
 from ipapython.ipa_log_manager import *
 import ipalib
@@ -185,7 +185,7 @@ def read_reverse_zone(default, ip_address):
 def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_address=None, update_policy=None):
 if update_policy is None:
- update_policy = "grant %(realm)s krb5-self * A; grant %(realm)s krb5-self * AAAA; grant %(realm)s krb5-self * SSHFP;" % dict(realm=api.env.realm)
+ update_policy = gen_dns_update_policy(api.env.realm)
 if zonemgr is None:
 zonemgr = 'hostmaster.%s' % name
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 6d72db43c..04f6e2bec 100644
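Review bot: gen_dns_update_policy interpolates `realm` and each rrtype straight into the BIND update-policy string without checking them, so an empty `rrtypes` produces the bare string `";"` and a token containing whitespace or `;` would inject extra grant grammar into the ACL that decides which Kerberos principals may change zone data. The visible caller passes `api.env.realm`, so the injection risk is low, but the helper is now a shared utility; a guard such as `if not rrtypes: raise ValueError('rrtypes must not be empty')` plus a rejection of tokens containing `' '` or `';'` keeps it safe for other callers. The docstring also carries a typo, `A realm of the of the client`, and the backslash before `for rrtype in rrtypes` is redundant inside the list brackets.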
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -20,10 +20,13 @@ from ipaserver.install.plugins import MIDDLE
 from ipaserver.install.plugins.baseupdate import PostUpdate
 from ipaserver.install.plugins import baseupdate
-from ipalib import api, errors
+from ipalib import api, errors, util
-class update_dnszone_acls(PostUpdate):
+class update_dnszones(PostUpdate):
 """
+ Update all zones to meet requirements in the new FreeIPA versions
+
+ 1) AllowQuery and AllowTransfer
 Set AllowQuery and AllowTransfer ACLs in all zones that may be configured in an upgraded FreeIPA instance.
@@ -34,6 +37,14 @@ class update_dnszone_acls(PostUpdate):
 This plugin disables the zone transfer by default so that it needs to be explicitly enabled by FreeIPA Administrator.
+
+ 2) Update policy
+ SSH public key support includes a feature to automatically add/update
+ client SSH fingerprints in SSHFP records. However, the update won't
+ work for zones created before this support was added as they don't allow
+ clients to update SSHFP records in their update policies.
+
+ This module extends the original policy to allow the SSHFP updates.
 """
 order=MIDDLE
@@ -41,7 +52,7 @@ class update_dnszone_acls(PostUpdate):
 ldap = self.obj.backend
 try:
- zones = api.Command.dnszone_find()['result']
+ zones = api.Command.dnszone_find(all=True)['result']
 except errors.NotFound:
 self.log.info('No DNS zone to update found')
 return (False, False, [])
@@ -56,10 +67,14 @@ class update_dnszone_acls(PostUpdate):
 # do not open zone transfers by default
 update['idnsallowtransfer'] = u'none;'
+ old_policy = util.gen_dns_update_policy(api.env.realm, ('A', 'AAAA'))
+ if zone.get('idnsupdatepolicy', [''])[0] == old_policy:
+ update['idnsupdatepolicy'] = util.gen_dns_update_policy(\
+ api.env.realm)
+
 if update:
 api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
- return (False, False, [])
-api.register(update_dnszone_acls)
+api.register(update_dnszones) |
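Review bot: The upgrade now depends on `dnszone_find(all=True)` returning every zone, but if that command honours a default result-size limit (not visible here) the zones beyond the limit would silently keep the old update policy after the upgrade; confirm the call is unbounded, or log how many zones were returned so a truncated run is noticeable. The body of `execute` continues past this hunk.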
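Review bot: The removed `return (False, False, [])` is the only return on the normal path, so after this hunk `execute` falls off the end of the zone loop and returns None, while the NotFound branch in the earlier hunk still returns a 3-tuple; add `return (False, False, [])` after the loop, at method-body indentation before `api.register`, so the update framework receives the same shape on both paths. Indentation was lost in this rendering, so whether the removed line sat inside the loop (an early-exit bug) or after it cannot be told from here. The new policy check is an exact string comparison against the generated A/AAAA policy, which rightly leaves administrator-customised policies alone and, because `krb5-self` limits each principal to its own name, only adds a record type rather than new names; a zone whose stored policy differs only in spacing is nevertheless skipped silently, so `self.log.debug('zone %s has a custom update policy, not adding SSHFP', zone[u'idnsname'][0])` in an else branch would make that visible during upgrade.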