Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/dns.py | 18 | ||||
-rw-r--r-- | ipalib/util.py | 29 |
2 files changed, 40 insertions, 7 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 1bf754272..a48262794 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -32,7 +32,8 @@ from ipalib.parameters import Flag, Bool, Int, Decimal, Str, StrEnum, Any
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 from ipalib.util import (validate_zonemgr, normalize_zonemgr,
-                         validate_hostname, validate_dns_label, validate_domain_name)
+                         validate_hostname, validate_dns_label, validate_domain_name,
+                         get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy)
 from ipapython.ipautil import valid_ip, CheckedIPAddress, is_host_resolvable
 from ldap import explode_dn
@@ -75,8 +76,11 @@ EXAMPLES:
                                 --admin-email=admin@example.com
 Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:
-   ipa dnszone-mod example.com --dynamic-update=TRUE \\
-   --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;"
+   ipa dnszone-mod example.com --dynamic-update=TRUE
+
+   This is the equivalent of:
+   ipa dnszone-mod example.com --dynamic-update=TRUE \\
+   --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"
 Modify the zone to allow zone transfers for local network only:
   ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8
@@ -1510,6 +1514,12 @@ def dns_container_exists(ldap):
         return False
     return True
+def default_zone_update_policy(zone):
+    if zone_is_reverse(zone):
+        return get_dns_reverse_zone_update_policy(api.env.realm, zone)
+    else:
+        return get_dns_forward_zone_update_policy(api.env.realm)
+
 class dnszone(LDAPObject):
     """
     DNS Zone, container for resource records.
@@ -1611,6 +1621,8 @@ class dnszone(LDAPObject):
             cli_name='update_policy',
             label=_('BIND update policy'),
             doc=_('BIND update policy'),
+            default_from=lambda idnsname: default_zone_update_policy(idnsname),
+            autofill=True
         ),
         Bool('idnszoneactive?',
             cli_name='zone_active',
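Review bot: `default_zone_update_policy` in the third hunk has no docstring, and the EXAMPLES text in the second hunk claims that `dnszone-mod example.com --dynamic-update=TRUE` alone is equivalent to passing the full `--update-policy`, yet the fourth hunk only attaches `default_from`/`autofill` to the param; whether the mod path (rather than only zone creation) fills that default is not visible here, so either confirm it or narrow the example to `dnszone-add`. I would add `"""Return the default BIND update policy for a zone: krb5-subdomain PTR grants for a reverse zone, per-host krb5-self A/AAAA/SSHFP grants for a forward zone, both built for api.env.realm."""` to the new helper. `zone_is_reverse` and the body of the `dnszone` class lie outside the hunk. Style: the `lambda idnsname:` wrapper exists only to rename the argument; if `default_from` derives its inputs from the callable's parameter names, naming the helper's parameter `idnsname` would let `default_from=default_zone_update_policy` be passed directly.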
diff --git a/ipalib/util.py b/ipalib/util.py
index 50da74327..039ffb06d 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -427,11 +427,11 @@ def parse_time_duration(value):
     return duration
-def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
+def get_dns_forward_zone_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
     """
-    Generate update policy for a DNS zone (idnsUpdatePolicy attribute). Bind
-    uses this policy to grant/reject access for client machines trying to
-    dynamically update their records.
+    Generate update policy for a forward DNS zone (idnsUpdatePolicy
+    attribute). Bind uses this policy to grant/reject access for client
+    machines trying to dynamically update their records.
     :param realm: A realm of the of the client
     :param rrtypes: A list of resource records types that client shall be
@@ -445,6 +445,27 @@ def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
     return policy
+def get_dns_reverse_zone_update_policy(realm, reverse_zone, rrtypes=('PTR',)):
+    """
+    Generate update policy for a reverse DNS zone (idnsUpdatePolicy
+    attribute). Bind uses this policy to grant/reject access for client
+    machines trying to dynamically update their records.
+
+    :param realm: A realm of the of the client
+    :param reverse_zone: Name of the actual zone. All clients with IPs in this
+    sub-domain will be allowed to perform changes
+    :param rrtypes: A list of resource records types that client shall be
+    allowed to update
+    """
+    policy_element = "grant %(realm)s krb5-subdomain %(zone)s %(rrtype)s"
+    policies = [ policy_element \
+        % dict(realm=realm, zone=reverse_zone, rrtype=rrtype) \
+        for rrtype in rrtypes ]
+    policy = "; ".join(policies)
+    policy += ";"
+
+    return policy
+
 def validate_rdn_param(ugettext, value):
     try:
         rdn = RDN(value) |
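Review bot: The `reverse_zone` docstring in the second hunk says "all clients with IPs in this sub-domain will be allowed to perform changes", but the rule being built, `grant REALM krb5-subdomain ZONE PTR`, is keyed on the Kerberos realm and not on the client's address — as I read BIND's krb5-subdomain rule, any machine principal of REALM may update any PTR name under ZONE, so one enrolled host can rewrite another host's reverse record. That is a defensible trade-off for a default, but the docstring should state it rather than imply per-address scoping, e.g. `:param reverse_zone: Name of the reverse zone. Any Kerberos principal of *realm* may update records of the given types anywhere under this zone (BIND krb5-subdomain); access is not limited to the client's own address`. The zone name is also interpolated into the policy text unescaped, which is only safe if zone names are validated (no `;` or whitespace) before they reach this function — that validation is not visible in the hunk, so a one-line comment naming where it happens would help the next reader. Style: the backslashes inside the list-comprehension brackets are redundant and the `[ ... ]` padding is non-PEP8, the `"; ".join(...)` plus trailing `";"` tail duplicates the end of `get_dns_forward_zone_update_policy` (whose body is outside the hunk) and could move into a small shared helper, and "of the of the" is a typo copied into the new docstring.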