From 7bd3b3e12147b794c4cf2f4457df5e20638c7b0e Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 5 Oct 2011 17:16:05 -0400
Subject: Fix DNS permissions and membership in privileges

This resolves two issues:
1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member values weren't calculated properly
For updates we need to add in the members and recalculate memberof via a DS task.
https://fedorahosted.org/freeipa/ticket/1898
---
 install/updates/40-delegation.update | 6 ++++++
 install/updates/40-dns.update | 22 ++++++++++++++++++++++
 install/updates/Makefile.am | 1 +
 3 files changed, 29 insertions(+)
 create mode 100644 install/updates/40-dns.update
(limited to 'install/updates')
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 66c62ed54..a23521166 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -262,3 +262,9 @@ add:member: 'cn=admins,cn=groups,cn=accounts,$SUFFIX'
 # Don't allow admins to update enrolledBy
 dn: $SUFFIX
 replace:aci:'(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# The original DNS permissions lacked the tag.
+dn: $SUFFIX
+replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:add dns entries";allow (add) groupdn = "ldap:///cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+replace:aci:'(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:remove dns entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
+replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
new file mode 100644
index 000000000..7b1c45754
--- /dev/null
+++ b/install/updates/40-dns.update
@@ -0,0 +1,22 @@
+# Add missing member values to attach permissions to their respective
+# privileges and run a memberOf task.
+dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
+addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
+
+dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
+addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
+
+dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
+addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
+
+dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
+add: objectClass: top
+add: objectClass: extensibleObject
+add: cn: IPA PBAC memberOf $TIME
+add: basedn: 'cn=privileges,cn=pbac,$SUFFIX'
+add: filter: (objectclass=*)
+add: ttl: 10
+
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index bf4d9af96..99b7c56c7 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -19,6 +19,7 @@ app_DATA = \
 20-winsync_index.update \
 21-replicas_container.update \
 40-delegation.update \
+ 40-dns.update \
 45-roles.update \
 50-lockout-policy.update \
 50-groupuuid.update \
-- cgit
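Review bot: `addifexist:member:` is a silent no-op when the named privilege entry does not exist, and the header comment does not record that the three permission entries here depend on `cn=DNS Administrators` and `cn=DNS Servers` already being present under cn=privileges; update files are applied in name order, so 40-dns.update runs before 45-roles.update, and this only works if those privileges are created at install time or by an earlier update — presumably the case, but worth stating so a later reordering does not break it quietly. Suggest extending the header to `# The DNS Administrators and DNS Servers privileges must already exist (addifexist is a no-op otherwise). The memberOf task below regenerates memberOf on cn=privileges so the privilege entries reflect the new permission membership.` Since these lines grant the DNS Servers privilege the remove and update permissions as well as add, a short comment naming why both privileges receive all three would help a later access review. The Makefile.am hunk on this line is a list addition and needs nothing.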